CSE331 : COMPUTER SECURITY FUNDAMENTALS Case Study : Crypto 2 Overview • DES : Cracking a strong cipher [which has grown old] • Short history • Key size issue • Specialized hardware [Deep Crack] • AES : Competition to select the successor to DES • Selecting Finalists • Selected details on algorithm analysis Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 3 DES – Short history • Late 1960s, IBM works on developing a strong cipher • => Lucifer • IBM seeks help in strengthening algorithm from NSA (Nat. Security Agency) and other analysts • 1973 : NBS (National Bureau of Standards) puts out call for proposals of encryption algorithms • Modified Lucifer was proposed to the NBS as a national encryption standard • 1977 => Adopted by NBS and labeled DES (Data Encryption Standard) • FIPS 46 [Federal Information Processing Standard] Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 4 NSA Changes • Key size [128 => 56 bits] • Drew some criticism at the time due to small key size and possible brute force attack • DES used a 56-bit key, so there are 256, or 72,057,594,037,927,936 of them • Brute force attack became possible by late 1990s, several days to crack a key • S-Boxes redesigned • NSA would not comment on design rationale • Suspicion that NSA inserted a back-door • Actually, S-boxes were found to resist differential cryptanalysis (a technique discovered in the public crypto community in 1990) Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 5 DEEP CRACK 29 of these! • Developed in late 90s by EFF (Electronic Frontier Foundation) • Goal: Prove that DES keyspace was now too small to be secure • Cost: $250,000 • 1856 ‘Custom’ Deep Crack chips Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 6 DEEP CRACK • July, 1998 : Cracked a DES key in 56 hours • Designers: • Paul Kocher [Cryptography Research, Inc] • Advanced Wireless Technologies • EFF • Process driven by a single PC • Assigned key ranges to 1856 custom ASIC DeepCrack chips • Capable of testing 90 billion keys/sec! Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 7 In the meantime • The AES competition was started but would not be complete for a couple of years • DES Re-affirned as an encryption standard but Triple Des was recommended • 3DES did 3 DES encryptions • 2 key 3DES : E(Key1)=>D(Key2)=>E(Key1) : Effective keysize 112 bits • 3 key 3DES : E(Key1)=>D(Key2)=>E(Key3) : Effective keysize 168 bits • 3DES (due to multiple encryption/decryption steps) was much slower than DES Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 8 AES Competition • 1997 : NIST (National Institute of Standards and Testing) issues call for proposals • Goals: • Select a strong symmetric cipher to replace DES • Algorithm was to have an expected useful lifetime of about 30 years • => Note: We are about 20 years into that expected lifetime! Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 9 AES Competition • 1997 : NIST (National Institute of Standards and Testing) issues call for proposals • Symmetric crypto algorithms • Block size 128 bits, Key sizes 128, 192, and 256 bits • 15 Designs submitted from several countries CAST-256 MAGENTA CRYPTON MARS DEAL RC6 DFC Rijndael E2 SAFER+ FROG Serpent HPC Twofish. LOKI97 • Royalty-Free world wide availability (if chosen) Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 10 AES Competition • Criteria: • Security – highest importance • Efficiency – second only to Security • Size – space efficiency in constrained platforms [Smartcard] • Ease of impelmentation • Software Performance • Hardware Performance • Submissions included: • Complete Specification of algorithm • Estimate of computational efficiency • Known answer tests and code to generate those values • Statement of expected cryptographic strength • Analysis with respect to known attacks • Statement of advantages and limitations • Reference implementation in ANSI C • Optimized implementation in Java • Signed statement of : • Patents and patent applications pertinent to the IP • Provide for roylaty-free use if selected Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 11 AES Competition • Conferences: • 1st – Aug 20-22, 1998 • Present accepted submissions (21 entered, 6 discarded for incomplete package) • Inventors given time to describe their algorithm and analysisz • 2nd – Mar 20-23, 1999 • 3rd – Apr 13-14, 2000 • Public comment periods: • Round 1 : Aug 98? => Apr 1999 • =>Downselect to 5 ’Finalists’ • Round 2 : => May 15, 2000 • => Final Selection: 10/2/2000 : Rijndael selected Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 12 AES Competition • Finalists • MARS [IBM] • RC6 [RSA Labs/Ron Rivest] • Rijndael [Vincent Rijmen, Joan Daemon] • Serpent [Ross Anderson, Eli Biham, Lars Knudsen] • Twofish [Bruce Schneier] Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 13 AES Competition • Finalist Ranking 1. Rijndael – Winner 2. Serpent 3. Twofish 4. Mars 5. RC6 Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020] 14 Sources • http://www.umsl.edu/~siegelj/information_theory/projects/ des.netau.net/des%20history.html • https://www.technewsworld.com/story/70437.html • https://www.britannica.com/topic/Data-Encryption- Standard • https://csrc.nist.gov/projects/cryptographic-standards-and- guidelines/archived-crypto-projects/aes-development • https://en.wikipedia.org/wiki/EFF_DES_cracker Data Security: Case Study I : Dyn DDOS Attack (Mirai) [Tony Mione, SUNY Korea, 2020].