254542 networks management and security

254542 Networks Management and Security: Lecture 2, June 25th & 30th 2005


Page 1: 254542  Networks Management and Security

254542 Networks Management and Security

Lecture 2

June 25th & 30th 2005

Page 2: 254542  Networks Management and Security

Cryptography

• E = Encryption, D = Decryption

• K1 and K2 = Encryption and Decryption keys

• m = message or plaintext

• E(m, K1) = ciphertext

• D(E(m, K1), K2) = m

[Diagram: Plaintext → E (key K1) → Ciphertext → D (key K2) → Plaintext]

Page 3: 254542  Networks Management and Security

Secret-Key Cryptography

• Both parties share the same key, K1 = K2

• a.k.a. Symmetric Cryptography

• Secrecy can be achieved by
  – Information theory e.g. One time pad
  – Computational complexity e.g. DES, AES, etc

Page 4: 254542  Networks Management and Security

Information Theoretical Secrecy

• A key is …
  – known to both parties
  – as long as the message
  – used only once for each message being sent

• Theoretically unbreakable

Page 5: 254542  Networks Management and Security

One Time Pad

• Let
  – A = Alice, B = Bob
  – m = message/plaintext, c = ciphertext, k = key
  – L = length of text, ⊕ = bitwise exclusive-or
  – L(m) = L(k)

• Then
  – c = m ⊕ k
  – c ⊕ k = (m ⊕ k) ⊕ k = m

Page 6: 254542  Networks Management and Security

Advantages of One Time Pad

• Perfect secrecy

• If the pad is never used again, no more knowledge about m can be gained
  – If c is known, any message can be derived using an arbitrary k (i.e. m = c ⊕ k)

• Note: two time pad allows some knowledge of messages
  – c1 ⊕ c2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) = m1 ⊕ m2
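
The one-time pad identities from the last two slides, as an added example that is not part of the original lecture. The function names and the two sample messages are constructed for illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise exclusive-or of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad requires L(m) = L(k)")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(m: bytes, k: bytes) -> bytes:
    return xor_bytes(m, k)          # c = m XOR k

def otp_decrypt(c: bytes, k: bytes) -> bytes:
    return xor_bytes(c, k)          # c XOR k = (m XOR k) XOR k = m

def key_explaining(c: bytes, candidate_m: bytes) -> bytes:
    """For ANY candidate message there is a key that maps c to it,
    which is why c alone reveals nothing about m (perfect secrecy)."""
    return xor_bytes(c, candidate_m)

def two_time_pad_leak(m1: bytes, m2: bytes) -> bytes:
    """Reuse one pad for two messages and return what an eavesdropper
    can compute from the ciphertexts alone: c1 XOR c2 = m1 XOR m2."""
    k = secrets.token_bytes(len(m1))
    c1, c2 = otp_encrypt(m1, k), otp_encrypt(m2, k)
    return xor_bytes(c1, c2)

# Constructed sample messages of equal length (15 bytes each).
M1 = b"PAY BOB 100 USD"
M2 = b"PAY EVE 900 USD"

if __name__ == "__main__":
    k = secrets.token_bytes(len(M1))
    c = otp_encrypt(M1, k)
    print("round trip ok:", otp_decrypt(c, k) == M1)
    # The same ciphertext "decrypts" to M2 under a different key.
    print("c explains M2 too:", otp_decrypt(c, key_explaining(c, M2)) == M2)
    # Zero bytes mark every position where the two messages agree.
    print("pad reuse leaks:", two_time_pad_leak(M1, M2).hex())
```
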

Page 7: 254542  Networks Management and Security

Disadvantages of One Time Pad

• More keys are used up as more messages are sent

• Keys are too long

• Key management is difficult

• An alternative to achieve secrecy is by computation complexity

Page 8: 254542  Networks Management and Security

Computation Complexity

• Assumption “It is too hard and would take too long to decrypt a message”
  – Unproven but generally known to be true

• Easier to manage and implement

Page 9: 254542  Networks Management and Security

Computational Security

• Block cipher
  – Data Encryption Standard (DES)
  – Triple DES
  – Advanced Encryption Standard (AES)
    • Rijndael encryption

• Stream cipher
  – RC4

Page 10: 254542  Networks Management and Security

Stream cipher

• Operate on small units of plaintext (bits)

• c1 may not be equal to c2 even if m1 = m2 and k1 = k2
  – Encryption time is also important

• Faster than block cipher

• Approximation of the one time pad

• Mostly synchronous stream cipher
  – K (keystream) is independent of m and c

Page 11: 254542  Networks Management and Security

DES

• Most widely used block cipher (e.g. in banking, government, etc)

• Both parties share a 64-bit key

• Every 8th bit in the key is unused (making only 56 bits effective)

• 64-bit blocks

• 16 rounds (iterative encryption)

Page 12: 254542  Networks Management and Security

First step of DES

• M = 0000 0001 0010 0011 0100 0101 0110 0111 (L)
      1000 1001 1010 1011 1100 1101 1110 1111 (R)
  (L and R are both 32 bits long)

• K64 = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001

• K56 is K64 after the PC-1 permutation

PC-1
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4

K56 = 1111000 0110011 0010101 0101111 (C0)
      0101010 1011001 1001111 0001111 (D0)

* note: example from http://www.aci.net/kalliste/des.htm

Page 13: 254542  Networks Management and Security

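Find Cn & Dn

Round #      1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Left shifts  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

Cn = Cn-1 << (number of left shifts for round n)

Dn = Dn-1 << (number of left shifts for round n)

1 <= n <= 16

The shift is circular: bits shifted out on the left re-enter on the right.

C0 and D0 are known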

Page 14: 254542  Networks Management and Security

Find Kn

• PC-2

14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32

• Kn = CnDn with PC-2 permutation

• Each Kn is 48 bits long

Page 15: 254542  Networks Management and Security

Initial Permutation (IP)

• Perform IP permutation on M

IP
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

• Get L0 and R0 (32 bits each)

Page 16: 254542  Networks Management and Security

Encoding

• For n = 1 to 16 do
  – Ln = Rn-1
  – Rn = Ln-1 + f(Rn-1, Kn), where + is bitwise exclusive-or

• This will result in L16R16

• Reverse to R16L16

• Apply final permutation IP⁻¹

Page 17: 254542  Networks Management and Security

Modes of Operation

• Electronic Code Block (ECB)
  – Each block is encrypted independently
  – Shortcoming???

• Chain Block Coding (CBC)
  – Most widely used
  – Avoid some problems in ECB (how?)

• Cipher Feedback (CFB)
  – Allow shorter keys

[Diagrams: message blocks m1, m2, m3 encrypted under key k into ciphertext blocks c1, c2, c3 and decrypted back; the chained mode adds an IV and a + (exclusive-or) before each encryption]
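
The two questions on this slide, worked as an added example that is not part of the original lecture. It assumes a constructed 64-bit toy Feistel cipher in place of DES (the standard library has none), a constructed message and key, and a fixed IV for reproducibility only; a real IV must be fresh and unpredictable for every message.

```python
import hashlib

BLOCK = 8  # bytes per block (64 bits, the DES block size)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Toy round function: NOT DES, only a stand-in keyed mixing step.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(block: bytes, key: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(4):                     # (L, R) -> (R, L xor f(R))
        l, r = r, xor(l, _f(r, key, rnd))
    return l + r

def dec_block(block: bytes, key: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):           # undo the rounds in reverse
        l, r = xor(r, _f(l, key, rnd)), l
    return l + r

def split(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("pad the message to a multiple of 8 bytes first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(m: bytes, key: bytes) -> bytes:
    return b"".join(enc_block(b, key) for b in split(m))

def cbc_encrypt(m: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in split(m):
        prev = enc_block(xor(b, prev), key)  # chain in previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(c: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in split(c):
        out.append(xor(dec_block(b, key), prev))
        prev = b
    return b"".join(out)

def repeated_blocks(c: bytes) -> int:
    """Ciphertext blocks that duplicate an earlier block."""
    blocks = split(c)
    return len(blocks) - len(set(blocks))

# Constructed inputs: three identical plaintext blocks, then one different.
M = b"TRANSFER" * 3 + b"00000042"
KEY = b"lecture2"
IV = bytes(range(8))
```

Under ECB the three identical plaintext blocks give three identical ciphertext blocks, so the message structure shows through; under CBC each block depends on the previous ciphertext and the repeats disappear.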

Page 18: 254542  Networks Management and Security

Using DES securely

• Avoid using weak and semi-weak keys
  – 4 weak keys: Ek(Ek(m)) = m
  – 12 semi-weak keys: Ek1(Ek2(m)) = m
  – Thus, 2^-52 probability of picking weak and semi-weak keys

• Change DES key frequently

• But is it practical? (e.g. in encrypting harddisk files)
  – Possible solutions?

Page 19: 254542  Networks Management and Security

Cracking DES

• Brute force
  – using exhaustive search in 2^56 key space

• Differential cryptanalysis
  – Chosen plaintext is encrypted
  – Reduce the number of keys to 2^47

• Linear cryptanalysis
  – Linear approximation of encryption key
  – 2^43 keys

Page 20: 254542  Networks Management and Security

Double DES

• Encrypt twice using two 56-bit keys = Regular DES with 112-bit key?

[Diagram: m (64 bits) → E with k1 (56 bits) → Ek1(m) (64 bits) → E with k2 (56 bits) → Ek2(Ek1(m)) (64 bits)]

• No, it is vulnerable to meet-in-the-middle attack
  – Encrypt with all possible K1s
  – Decrypt with all possible K2s

• Effective search space = O(2^56)
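
Why the second key adds so little, shown at small scale as an added example that is not part of the original lecture. It assumes a constructed toy cipher with 12-bit keys and 32-bit blocks (not DES) and constructed plaintext/ciphertext pairs, so the whole search runs in well under a second.

```python
MASK = 0xFFFFFFFF
A = 0x9E3779B1                    # odd, hence invertible modulo 2**32
A_INV = pow(A, -1, 1 << 32)
KEY_BITS = 12                     # toy key size standing in for DES's 56

def toy_enc(m: int, k: int) -> int:
    x = ((m ^ k) * A) & MASK
    x ^= x >> 16                  # self-inverse on 32-bit values
    x = ((x + k) * A) & MASK
    return x ^ (x >> 16)

def toy_dec(c: int, k: int) -> int:
    x = c ^ (c >> 16)
    x = ((x * A_INV) - k) & MASK
    x ^= x >> 16
    return ((x * A_INV) & MASK) ^ k

def double_enc(m: int, k1: int, k2: int) -> int:
    return toy_enc(toy_enc(m, k1), k2)

def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) pairs under one (k1, k2).
    Returns (matching key pairs, cipher operations in the two sweeps)."""
    (m1, c1), rest = pairs[0], pairs[1:]
    ops, middle = 0, {}
    for k1 in range(1 << KEY_BITS):           # encrypt with all possible K1s
        middle.setdefault(toy_enc(m1, k1), []).append(k1)
        ops += 1
    hits = []
    for k2 in range(1 << KEY_BITS):           # decrypt with all possible K2s
        ops += 1
        for k1 in middle.get(toy_dec(c1, k2), []):
            # A second known pair filters out chance matches.
            if all(double_enc(m, k1, k2) == c for m, c in rest):
                hits.append((k1, k2))
    return hits, ops

# Constructed demo values.
K1, K2 = 0x5A3, 0xC17
PAIRS = [(m, double_enc(m, K1, K2)) for m in (0x01234567, 0x89ABCDEF)]

if __name__ == "__main__":
    hits, ops = meet_in_the_middle(PAIRS)
    print("recovered:", [(hex(a), hex(b)) for a, b in hits])
    print(f"{ops} cipher operations instead of {1 << (2 * KEY_BITS)}")
```

The two sweeps cost 2 × 2^12 operations plus a table of 2^12 entries, against 2^24 for trying every key pair; scaled to DES that is the slide's O(2^56) rather than 2^112, which is why Triple DES is used instead.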

Page 21: 254542  Networks Management and Security

Triple DES

• C = Ek1(Dk2(Ek1(m)))

• Backward compatible

• If k1 = k2, it is a regular DES

• Key space = 2^112

Page 22: 254542  Networks Management and Security

Authentication in Secret-key Cryptography

• Message Authentication Code (MAC) is computed (a.k.a. checksum)
  – Digital signature is for public-key cryptography

• Unconditionally secure MAC
  – MAC(M, K’) where K’ = authentication key
  – K’ cannot be reused

[Diagram: the message M is sent together with MAC(M, K’)]

Page 23: 254542  Networks Management and Security

Hash function-based MAC

• Hash function, H
  – Input can be of any length
  – Output is of fixed size (smaller than m)
  – Output string is called hash value (or message digest), h = H(m)
  – H is relatively easy to compute
  – One-way (When h = H(x), x is hard to find)
  – Collision free i.e. given x, y is hard to find such that H(x) = H(y)

• Well known hash functions are MD2, MD5, SHA

Page 24: 254542  Networks Management and Security

ANSI X9.17

• Key management standard for secret-key cryptography

• Primarily designed for financial institutions
  – Large amount of transactions
  – Frequently updated keys

• Use three-level hierarchy of keys
  – Master key (KKM) is manually distributed
  – Key-encrypting keys (KEK) are distributed online
  – Data keys (KDs) are also distributed online

• X9.42 (for Diffie-Hellman), X9.44 (for RSA)

Page 25: 254542  Networks Management and Security

Public-Key Cryptography

• K1 ≠ K2, asymmetric cryptography

• Increase security and convenience

• No key transmission

• Slower than secret-key cryptography

• Provide digital signature that cannot be repudiated (unlike secret-key cryptography, why?)

[Diagram: m → E with public key p → Ep(m) → D with private key s → m = Ds(Ep(m))]

Page 26: 254542  Networks Management and Security

Questions

• Which cryptography is suitable for a computer lab?

• Password file in unix?

• Large system?

• Hybrid scheme
  – Use public-key cryptography to establish a secret key

Page 27: 254542  Networks Management and Security

Reading

• Michael J. Wiener, “Efficient DES key search,” 1993

• Phillip Rogaway, “The Security of DESX,” 1996