Cryptographic Algorithms, March 2016, Bart Preneel

Cryptographic algorithms
Prof. Bart Preneel
COSIC
Bart.Preneel(at)esatDOTkuleuven.be
http://homes.esat.kuleuven.be/~preneel
March 2016
© Bart Preneel. All rights reserved

Outline
• 1. Cryptology: concepts and algorithms
  – symmetric algorithms for confidentiality
  – symmetric algorithms for data authentication
  – public-key cryptology
• 2. Cryptology: protocols
  – identification/entity authentication
  – key establishment
• 3. Public-Key Infrastructure fundamentals

Outline (2)
• 4. Network security protocols
  – web (SSL/TLS) and IPsec
• 5. Post-Snowden cryptography
• 6. Cryptography best practices

Definitions
[Diagram of terms under the column headings "data" and "entities": Confidentiality, confidentiality, encryption, anonymity, Integrity, Availability, authentication, data authentication, identification, Authorisation, Non-repudiation of origin, receipt, Contract signing, Notarisation and Timestamping]
Don’t use the word authentication without defining it

Cryptology: basic principles
[Figure: Alice, Eve and Bob; clear text enters a CRYPTOBOX on each side, with ciphertext in between]

Symmetric cryptology: confidentiality
• old cipher systems:
  – transposition, substitution, rotor machines
• the opponent and her power
• the Vernam scheme
• DES and triple-DES
• AES
• RC4

Old cipher systems (pre 1900)
• Caesar cipher: shift letters over k positions in the alphabet (k is the secret key)
    THIS IS THE CAESAR CIPHER
    WKLV LV WKH FDHVDU FLSKHU
• Julius Caesar never changed his key (k=3).

Cryptanalysis example:
    TIPGK RERCP JZJZJ WLE    GVCTX EREPC WMWMW JYR
    UJQHL SFSDQ KAKAK XMF    HWDUY FSFQD XNXNX KZS
    VKRIM TGTER LBLBL YNG    IXEVZ GTGRE YOYOY LAT
    WLSJN UHUFS MCMCM ZOH    JYFWA HUHSF ZPZPZ MBU
    XDTKO VOVGT NDNDN API    KZGXB IVITG AQAQA NCV
    YNULP WKWHU OEOEO BQJ    LAHYC JWJUH BRBRB ODW
    ZOVMQ XKXIV PFPFP CRK    MBIZD KXKVI CSCSC PEX
    APWNR YLYJW QGQGQ DSL    NCJAE LYLWJ DTDTD QFY
    BQXOS ZMXKX RHRHR ETM    ODKBF MZMXK EUEUE RGZ
    CRYPT ANALY SISIS FUN    PELCG NANYL FVFVF SHA
    DSZQU BOBMZ TJTJT GVO    QFMDH OBOZM GWGWG TIB
    ETARV CPCNA UKUKU HWP    RGNEI PCPAN HXHXH UJC
    FUBSW DQDOB VLVLV IXQ    SHOFJ QDQBO IYIYI VKD
Plaintext? k = 17

Old cipher systems (pre 1900) (2)
• Substitutions
  – ABCDEFGHIJKLMNOPQRSTUVWXYZ
  – MZNJSOAXFQGYKHLUCTDVWBIPER
  ! Easy to break using statistical techniques
• Transpositions
    TRANS    OIPSR
    POSIT    NOTNT
    IONS     OSAI

Security
• there are n! different substitutions on an alphabet with n letters
• there are n! different transpositions of n letters
• n=26: n! = 403291461126605635584000000 = 4 · 10^26 keys
• trying all possibilities at 1 nanosecond per key requires....
    4 · 10^26 / (10^9 · 10^5 · 4 · 10^2) = 10^10 years
  where 10^9 is keys per second, 10^5 is seconds per day and 4 · 10^2 is days per year

Letter distributions
[Figure: bar chart of letter frequencies for A…Z, vertical axis from 0 to 12]

Assumptions on Eve (the opponent)
• A scheme is broken if Eve can deduce the key or obtain additional plaintext
• Eve can always try all keys till “meaningful” plaintext appears: a brute force attack
  – solution: large key space
• Eve will try to find shortcut attacks (faster than brute force)
  – history shows that designers are too optimistic about the security of their cryptosystems

Assumptions on Eve (the opponent)
• Cryptology = cryptography + cryptanalysis
• Eve knows the algorithm, except for the key (Kerckhoffs’s principle)
• increasing capability of Eve:
  – knows some information about the plaintext (e.g., in English)
  – knows part of the plaintext
  – can choose (part of) the plaintext and look at the ciphertext
  – can choose (part of) the ciphertext and look at the plaintext

New assumptions on Eve
• Eve may have access to side channels
  – timing attacks
  – simple power analysis
  – differential power analysis
  – acoustic attacks
  – electromagnetic interference
• Eve may launch (semi-)invasive attacks
  – differential fault analysis
  – probing of memory or bus
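The brute-force search from the "Cryptanalysis example" slide, as an added Python example that is not part of the original slides: it tries all 26 keys on the slide's ciphertext and ranks the candidates by a chi-squared distance to English letter frequencies, which automates waiting until “meaningful” plaintext appears. The frequency table (approximate percentages) and the function names are assumptions of this example.

```python
import string

# Approximate relative letter frequencies of English text in percent, A..Z.
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77,
           4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98,
           2.36, 0.15, 1.97, 0.07]


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """Shift every letter back over k positions; spaces are left untouched."""
    return "".join(
        chr((ord(c) - 65 - k) % 26 + 65) if c in string.ascii_uppercase else c
        for c in ciphertext)


def chi_squared(text: str) -> float:
    """Distance between the letter counts of text and English; lower is closer."""
    letters = [c for c in text if c in string.ascii_uppercase]
    n = len(letters)
    score = 0.0
    for idx, pct in enumerate(ENGLISH):
        expected = n * pct / 100
        observed = letters.count(chr(65 + idx))
        score += (observed - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str):
    """Try all 26 keys and return (k, candidate) pairs, most English-like first."""
    ranked = sorted(range(26),
                    key=lambda k: chi_squared(caesar_decrypt(ciphertext, k)))
    return [(k, caesar_decrypt(ciphertext, k)) for k in ranked]


if __name__ == "__main__":
    # Ciphertext taken from the slide; the three best-ranked keys are printed.
    for k, text in break_caesar("TIPGK RERCP JZJZJ WLE")[:3]:
        print(k, text)
```

Candidates containing rare letters such as J, Q, X or Z are penalised heavily, which is why even this 18-letter ciphertext is enough to single out one key.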
Side channel analysis: power setup
[Figure: smart card, card reader and resistor]
Measure voltage over a resistor to measure the current (and thus the power consumption) of a smart card

Side channel analysis: electromagnetic setup
Use simple antenna to measure radiation of an FPGA computing a public key operation

Simple and differential power analysis: DES block cipher
[Figures: "DES on a smart card: power consumption"; "average power"; "Correct key"; 2 correlation methods (example of success and failure)]
Measurement data from 2 setups hence not comparable

Cryptology + side channels
[Figure: Alice, Eve and Bob; clear text enters a CRYPTOBOX on each side, with ciphertext in between]

The Rotor machines (WW II)

Life cycle of a cryptographic algorithm
[Diagram with stages: idea, mathematical analysis, publication, public evaluation, RIP / OK, hw/sw implementation, standardization, industrial products $$$, take out of service]

Vernam scheme (1917), Shannon (1948)
Mauborgne: one time pad (1917+x)
F. Miller (1882)
• key is random string, as long as the plaintext
• information theoretic proof of security
[Figure: P = 10010 added to key 11001 gives C = 01011; adding the same key 11001 to C gives back P = 10010]

Vernam scheme: Venona
• c1 = p1 + k
• c2 = p2 + k
• then c1 – c2 = p1 – p2
• a skilled cryptanalyst can recover p1 and p2 from p1 – p2 using the redundancy in the language

Vernam scheme
• 0 + 1 = 1
• 1 + 0 = 1
• 0 + 0 = 0
• 1 + 1 = 0
• identical mathematical symbols can result in different electrical signals

Three approaches in cryptography
• information theoretic security
  – ciphertext only
  – part of ciphertext only
  – noisy version of ciphertext
• system-based or practical security
  – also known as “prayer theoretic” security
• complexity theoretic security: model of computation, definition, proof
  – variant: quantum cryptography

Synchronous Stream Cipher (SSC)
[Figure: on both sides, IV and K enter "state init"; a "next state function" updates the state; an "output function" produces a key stream that “looks” random and is combined with P to give C, and with C to give P]

Exhaustive key search
• 2016: 2^40 instructions is easy, 2^60 is somewhat hard, 2^80 is hard, 2^128 is completely infeasible
  – 1 million machines with 16 cores and a clock speed of 4 GHz can do 2^56 instructions per second or 2^80 per year
  – trying 1 key requires typically a few 100 instructions
• Moore’s “law”: speed of computers doubles every 18 months: key lengths need to grow in time
  – but adding 1 key bit doubles the work for the attacker
• Key length recommendations in 2016
  – < 70 bits: insecure
  – 80 bits: one year (but not for NSA)
  – 100 bits: 20 years

Exhaustive key search: multiple targets
• If one wants to recover 1 key out of 2^t keys, the cost to recover a key is 2^(k-t) < 2^k
• If one wants to recover all of 2^t keys with t > k/3 the cost per key can be reduced to 2^(2k/3)
• 2^k precomputation to fill a memory of size 2^(2k/3)
• on-line cost per key: 2^(2k/3) encryptions
• known as time/memory tradeoff or “rainbow tables”
• So depending on the circumstances, a 128-bit key can become an 85-bit key

SSC: Specific properties
• Recipient needs to be synchronized with sender
• No error-propagation
  – excellent for wireless communications
• Key stream independent of data
  – key stream can be precomputed
  – particular model for cryptanalysis: attacker is not able to influence the state

SSC: Avoid repeating key stream
• For a fixed key K and initial value IV, the stream cipher output is a deterministic function of the state.
• A repetition of the state (for a given K, IV) leads to a repetition of the key stream and plaintext recovery (think of the problem of Vernam encryption with reused key)
  – hence state needs to be large and next state function needs to guarantee a long period
  – IV can be used to generate a different key stream for every packet in a packet-oriented communication setting
  – old stream ciphers defined without IV are problematic in such a setting

Practical stream ciphers
• A5/1 (GSM) (64 or 54)
• E0 (Bluetooth) (128)
• RC4 (browser) (40-128)
• SNOW-3G (3GSM) (128)
• HC-128 (128)
• Trivium (80)
• ChaCha20 (128)
[Annotation next to the list: insecure!]

A5/1 stream cipher (GSM)
[Figure: three shift registers with bit positions 18…0, 21…0 and 22…0]
Clock control: registers agreeing with majority are clocked (2 or 3)

A5/1 stream cipher (GSM)
• exhaustive key search: 2^64 (or rather 2^54)
  – hardware 10K$ < 1 minute ciphertext only
• search 2 smallest registers: 2^45 steps
• [BWS00] 1 minute on a PC
  – 2 seconds of known plaintext
  – 2^48 precomputation, 146 GB storage
• [BB05]: 10 minutes on a PC,
  – 3-4 minutes of ciphertext only
• [Nohl-Paget’09]: rainbow tables
  – seconds with a few frames of ciphertext only

Bluetooth stream cipher
• brute force: 2^128 steps
• [Lu+05] 24 known bits of 2^24 frames, 2^38 computations, 2^33 memory

A simple cipher: RC4 (1987)
• designed by Ron Rivest (MIT)
• leaked in 1994
• S[0..255]: secret table derived from user key K

    for i=0 to 255 S[i]:=i
    j:=0
    for i=0 to 255
        j:=(j + S[i] + K[i]) mod 256
        swap S[i] and S[j]
    i:=0, j:=0

A simple cipher: RC4 (1987)
Generate key stream which is added to plaintext

    i:=i+1
    j:=(j + S[i]) mod 256
    swap S[i] and S[j]
    t:=(S[i] + S[j]) mod 256
    output S[t]

[Figure: table S with positions 000, 001, 002, … 093, 094, 095, … 254, 255 and the pointers i, j and t]

RC4: weaknesses
• was often used with 40-bit key
  – US export restrictions until Q4/2000
• best known general shortcut attack: 2^241 [Maximov-Khovratovich’09]
• weak keys and key setup (shuffle theory)
• large statistical deviations
  – bias of output bytes (sometimes very large)
  – can recover 220 out of 256 bytes of plaintexts after sending the same message 1 billion times (WPA/TLS)
• problem with resynchronization modes (WEP)
• problem with use in TLS
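An added Python example, not part of the original slides, of the RC4 key setup and key stream generation given above, used to show two of the listed problems: key stream reuse under a fixed key (the Vernam reuse problem from the "SSC: Avoid repeating key stream" slide) and a biased output byte. Assumptions: the key index wraps over the key length, the messages and key are constructed, and the bias measured is the second-byte bias toward 0 described by Mantin and Shamir (2001), which the slides do not name.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Key setup followed by n bytes of key stream, as in the pseudocode."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key setup: shuffle S under the key
        j = (j + S[i] + key[i % len(key)]) % 256  # key bytes repeat
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):  # key stream generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


def reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Same key and no IV: c1 XOR c2 equals p1 XOR p2, the key stream cancels."""
    return xor(rc4_encrypt(key, p1), rc4_encrypt(key, p2))


def second_byte_zero_count(trials: int, seed: int = 2016) -> int:
    """Count how often the 2nd key stream byte is 0 over random 128-bit keys."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        if rc4_keystream(key, 2)[1] == 0:
            hits += 1
    return hits


if __name__ == "__main__":
    p1, p2 = b"ATTACK AT DAWN", b"RETREAT AT SIX"  # constructed messages
    leak = reuse_leak(b"constructed-key", p1, p2)
    print("c1 xor c2 == p1 xor p2:", leak == xor(p1, p2))
    print("p2 recovered from known p1:", xor(leak, p1))
    n = 30000
    print("2nd byte == 0:", second_byte_zero_count(n), "of", n,
          "keys; a uniform byte would give about", n // 256)
```

For detection and migration work, the first check is the relevant one: any deployment that restarts RC4 (or any synchronous stream cipher) with the same key and no fresh IV leaks the XOR of its plaintexts regardless of key length.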