network security - ailab.cs.nchu.edu.tw/course/networksecurity/103/ns03.pdf
Network Security (網路安全)
Lecture 3, March 16, 2015
洪國寶
Outline
• Review
• Symmetric encryption -- Classical techniques (cont.)
• Symmetric encryption -- Modern techniques
  – secure encryption schemes
  – modern symmetric block encryption techniques
Review
• Introduction and terminologies
• Definition of cryptosystem and cryptanalysis
• Types of encryption
  – operations
  – the number of keys used
  – the way the plaintext is processed
• Symmetric encryption -- Classical techniques
  – substitution:
    • monoalphabetic: Caesar, Playfair, Hill
    • polyalphabetic: Vigenère tableau
  – transposition
Review: Steganography vs Cryptography
• Types of transformation (in the model for network communication security)
  – Steganography: conceal the existence of the secret message
  – Cryptography: render the secret message unintelligible to outsiders
Review: Definition of cryptosystems
A cryptosystem is a five-tuple (P, C, K, E, D), where the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. K, the key space, is a finite set of possible keys
4. For each $k \in K$, there is an encryption rule $e_k \in E$ and a corresponding decryption rule $d_k \in D$. Each $e_k : P \to C$ and $d_k : C \to P$ are functions such that $d_k(e_k(x)) = x$ for every plaintext $x \in P$.
Example: Caesar cipher
Example: Caesar (shift) cipher
• P = {0 (A), 1 (B), …, 25 (Z)}
• C = {0 (A), 1 (B), …, 25 (Z)}
• K = {0, 1, 2, …, 25}
• $e_k(x) \equiv x + k \pmod{26}$
• $d_k(y) \equiv y - k \pmod{26}$
Review: Attacking a cryptosystem
• Cryptanalysis approach: this type of attack exploits the characteristics of the algorithm, plus perhaps some knowledge of the general characteristics of the plaintext, or even some sample plaintext-ciphertext pairs.
• Brute force approach: the attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained (so the attacker must be able to recognize plaintext when it appears).
Review: Kerckhoffs' principle
• It is hard (and often impossible) to keep a cryptosystem in use secret!
• Designing a good cryptosystem is hard! If you don't publish, nobody will analyze your scheme ... except for the bad guys!
• Distinguish the system itself (= algorithm) from the key:
  – Key: secret, easy to change, chosen at random from a large set of possible keys.
• Assume: the bad guys know the system but don't know the key!
Review: More Definitions
• unconditional security
  – no matter how much computing power is available, the cipher cannot be broken, since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
• computational security
  – given limited computing resources (e.g. the time needed for the calculation is greater than the age of the universe), the cipher cannot be broken
Review: Cryptographic systems
• can be characterized by:
  – type of encryption operations used
    • substitution / transposition / product
  – number of keys used
    • single-key or private / two-key or public
  – way in which plaintext is processed
    • block / stream
Review: Classical Substitution Ciphers
• where letters of plaintext are replaced by other letters or by numbers or symbols
  – monoalphabetic:
    • single letter: Caesar
    • multiple letters: Playfair, Hill
  – polyalphabetic:
    • Vigenère tableau
Review: Monoalphabetic Cipher
• shuffle the letters arbitrarily
• each plaintext letter maps to a different random ciphertext letter
• hence the key is 26 letters long, |K| = 26!
Plain:      abcdefghijklmnopqrstuvwxyz
Cipher:     DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Review: Monoalphabetic Cipher: Language Redundancy and Cryptanalysis
• human languages are redundant
  – e.g. "th lrd s m shphrd shll nt wnt" is still readable
• letters are not equally commonly used
  – in English E is by far the most common letter, then T, R, N, I, O, A, S
  – other letters (Z, J, K, Q, X) are fairly rare
• have tables of single, double & triple letter frequencies
• so although |K| = 26! rules out brute force, single-letter monoalphabetic substitution ciphers are insecure: the ciphertext keeps the plaintext letter frequencies, and matching them against the tables recovers the key
Review: Playfair Cipher: Key Matrix
• a 5×5 matrix of letters based on a keyword
• fill in the letters of the keyword (sans duplicates)
• fill the rest of the matrix with the other letters (I and J share one cell)
• e.g. using the keyword MONARCHY:
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Review: Playfair Cipher: Encrypting and Decrypting
• plaintext is encrypted two letters at a time:
  1. if a pair is a repeated letter, insert a filler like 'X', e.g. "balloon" encrypts as "ba lx lo on"
  2. if both letters fall in the same row, replace each with the letter to its right (wrapping back to the start from the end), e.g. "ar" encrypts as "RM"
  3. if both letters fall in the same column, replace each with the letter below it (again wrapping to the top from the bottom), e.g. "mu" encrypts as "CM"
  4. otherwise each letter is replaced by the letter in its own row in the column of the other letter of the pair, e.g. "hs" encrypts as "BP", and "ea" as "IM" or "JM" (as desired)
• decryption applies rules 2 and 3 in the opposite direction (left / up); rule 4 is its own inverse
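The four rules above as running code. This is an added example, not part of the lecture slides or the textbook: it builds the key matrix from the slide's keyword MONARCHY (folding J into I, as the slide's I/J cell does), splits the plaintext into digraphs with the filler X, and applies the row, column and rectangle rules in both directions. The padding of an odd-length message with the filler is my own choice.

```python
# Added example (not from the slides): Playfair key matrix and digraph rules.
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters, J folded into I


def playfair_matrix(keyword: str) -> list[list[str]]:
    """5x5 key matrix: keyword letters first (no duplicates), then the remaining letters."""
    seen = []
    for ch in (keyword + ALPHABET).upper().replace("J", "I"):
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def _positions(matrix):
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}


def playfair_digraphs(plaintext: str, filler: str = "X") -> list[str]:
    """Rule 1: split into pairs, inserting the filler between repeated letters
    (an odd-length message is padded with the filler; my choice)."""
    letters = [ch for ch in plaintext.upper().replace("J", "I") if ch in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform_pair(pair: str, matrix, pos, shift: int) -> str:
    """shift=+1 encrypts, shift=-1 decrypts (rules 2-4)."""
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:   # rule 2: same row -> letter to the right (to the left when decrypting)
        return matrix[r1][(c1 + shift) % 5] + matrix[r2][(c2 + shift) % 5]
    if c1 == c2:   # rule 3: same column -> letter below (above when decrypting)
        return matrix[(r1 + shift) % 5][c1] + matrix[(r2 + shift) % 5][c2]
    # rule 4: rectangle -> own row, other letter's column (self-inverse)
    return matrix[r1][c2] + matrix[r2][c1]


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    matrix = playfair_matrix(keyword)
    pos = _positions(matrix)
    return "".join(_transform_pair(p, matrix, pos, +1) for p in playfair_digraphs(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    matrix = playfair_matrix(keyword)
    pos = _positions(matrix)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform_pair(p, matrix, pos, -1) for p in pairs)


if __name__ == "__main__":
    for row in playfair_matrix("MONARCHY"):
        print(" ".join(row))
    print(playfair_digraphs("balloon"))            # ['BA', 'LX', 'LO', 'ON']
    print(playfair_encrypt("hs", "MONARCHY"))      # BP
    print(playfair_decrypt("RMCMBPIM", "MONARCHY"))  # ARMUHSEA
```

Note that the filler insertion is not a bijection: "balloon" decrypts to "BALXLOON", and the recipient strips the fillers by hand. The Playfair rules keep 26 × 25 digraph frequencies rather than 26 letter frequencies, which is why the comparison slide below rates it only "needs more ciphertext", not secure, against a ciphertext-only attack.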
Review: Hill cipher
• Hill, 1929
• The encryption algorithm takes m successive plaintext letters and substitutes m ciphertext letters for them.
• K = { m × m invertible matrices over $\mathbb{Z}_{26}$ }
• The Hill cipher completely hides single-letter frequencies (i.e. it is strong against a ciphertext-only attack).
• The Hill cipher can be easily broken with a known-plaintext attack: only m plaintext-ciphertext blocks are needed, provided the m plaintext blocks form a matrix that is invertible mod 26.
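The known-plaintext attack in code. This is an added example, not part of the slides: it uses the column-vector convention $C = K P$ (the one Stallings uses, so "paymoremoney" under his 3×3 key gives LNSHDLEWMTRW), inverts matrices over $\mathbb{Z}_{26}$ through the adjugate, and recovers K from m plaintext/ciphertext blocks as $K = C P^{-1}$. The 2×2 key [[3, 3], [2, 5]] and the search over block subsets are my choices; the attack reports failure when no subset of m plaintext blocks is invertible mod 26, which the textbook's own 4-block example happens to demonstrate.

```python
# Added example (not from the slides): Hill cipher over Z_26 (C = K * P, column
# vectors) and the known-plaintext key recovery K = C * P^-1.
import math
from itertools import combinations

MOD = 26


def _det(A, m=MOD):
    """Determinant mod m by Laplace expansion (fine for the small m of a Hill key)."""
    n = len(A)
    if n == 0:
        return 1
    if n == 1:
        return A[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in A[1:]]
        total += (-1) ** j * A[0][j] * _det(minor, m)
    return total % m


def mat_inv_mod(A, m=MOD):
    """Inverse over Z_m via the adjugate, or None when det(A) is not a unit mod m."""
    n = len(A)
    d = _det(A, m)
    if math.gcd(d, m) != 1:
        return None
    d_inv = pow(d, -1, m)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]
            adj[j][i] = ((-1) ** (i + j) * _det(minor, m)) % m   # transposed cofactor
    return [[(d_inv * adj[i][j]) % m for j in range(n)] for i in range(n)]


def mat_mul(A, B, m=MOD):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % m
             for j in range(len(B[0]))] for i in range(len(A))]


def _blocks(text, m):
    nums = [ord(c) - 65 for c in text.upper() if c.isalpha()]
    while len(nums) % m:
        nums.append(ord("X") - 65)      # pad the last block (my choice)
    return [nums[i:i + m] for i in range(0, len(nums), m)]


def hill_encrypt(plaintext, K):
    out = []
    for blk in _blocks(plaintext, len(K)):
        col = mat_mul(K, [[x] for x in blk])        # K * p with p as a column vector
        out.extend(chr(65 + c[0]) for c in col)
    return "".join(out)


def hill_decrypt(ciphertext, K):
    return hill_encrypt(ciphertext, mat_inv_mod(K))


def hill_known_plaintext(plaintext, ciphertext, m):
    """Pick m blocks whose plaintext matrix P (blocks as columns) is invertible mod 26;
    then C = K P gives K = C P^-1.  Returns None if no such choice exists."""
    P_blocks, C_blocks = _blocks(plaintext, m), _blocks(ciphertext, m)
    for idx in combinations(range(len(P_blocks)), m):
        P = [[P_blocks[j][i] for j in idx] for i in range(m)]
        P_inv = mat_inv_mod(P)
        if P_inv is None:
            continue
        C = [[C_blocks[j][i] for j in idx] for i in range(m)]
        return mat_mul(C, P_inv)
    return None


if __name__ == "__main__":
    K = [[3, 3], [2, 5]]
    print(hill_encrypt("help", K))                       # HIAT
    print(hill_known_plaintext("help", "HIAT", 2))       # [[3, 3], [2, 5]]
```

The caveat the slide's "only need m pairs" glosses over is visible in the last function: for "paymoremoney" every 3-block plaintext matrix is singular mod 2 (two blocks coincide mod 2 and one is the zero vector), so the attacker needs more known text before m usable blocks appear.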
Review: comparison
Cipher     Substitution        Vulnerable to
Caesar     single letter       ciphertext-only attack
Playfair   multiple letters    ciphertext-only attack (needs more ciphertext)
Hill       multiple letters    known-plaintext attack
Outline
• Review
• Symmetric encryption -- Classical techniques (cont.)
• Symmetric encryption -- Modern techniques
  – secure encryption schemes
  – modern symmetric block encryption techniques
Polyalphabetic Ciphers
• Polyalphabetic substitution cipher
  – improves on the simple monoalphabetic technique by using different monoalphabetic substitutions as one proceeds through the plaintext message
  – makes cryptanalysis harder, with more alphabets to guess and a flatter frequency distribution
Vigenère Cipher
• the simplest polyalphabetic substitution cipher is the Vigenère cipher (p. 64)
• effectively multiple Caesar ciphers
• the key is multiple letters long: K = k1 k2 ... kd
• the i-th key letter specifies the i-th alphabet to use
• use each alphabet in turn
• repeat from the start after d letters in the message
• decryption simply works in reverse
Example
• write the plaintext out
• write the keyword repeated above it
• use each key letter as a Caesar cipher key
• encrypt the corresponding plaintext letter
• e.g. using keyword deceptive:
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Aids
• simple aids can assist with en/decryption
• expand into a Vigenère Tableau (see text Table 2.3)
Security of Vigenère Ciphers
• have multiple ciphertext letters for each plaintext letter
• hence letter frequencies are obscured
• but not totally lost
• start with letter frequencies
  – see if they look monoalphabetic or not
• if not, then need to determine the number of alphabets, since then each one can be attacked separately as a Caesar cipher
Kasiski Method
• method developed by Babbage / Kasiski
• repetitions in the ciphertext give clues to the period
• so find the same plaintext an exact period apart, which results in the same ciphertext
  – of course, a repetition could also be a random fluke
• e.g. the repeated "VTW" in the previous example
  – the two occurrences are 9 positions apart, which suggests a key size of 3 or 9 (the divisors of 9)
  – then attack each monoalphabetic cipher individually using the same techniques as before
Example (repeated for reference)
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Vigenère Autokey System
• A keyword is concatenated with the plaintext itself to provide a running key
• Example:
key:        deceptivewearediscoveredsav
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
• Even this scheme is vulnerable to cryptanalysis
  – Because the key and the plaintext share the same frequency distribution of letters, a statistical technique can be applied
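The Vigenère, autokey and Kasiski material of the last few slides in one runnable piece. This is an added example, not code from the lecture: it encrypts and decrypts with the slide's keyword "deceptive", decrypts the autokey variant letter by letter (each recovered plaintext letter extends the running key), and implements the Kasiski test by collecting the distances between repeated trigrams and keeping the periods that divide all of them. The trigram length 3 and the period cap of 20 are my defaults.

```python
# Added example (not from the slides): Vigenère, autokey, and the Kasiski test.
from collections import defaultdict
from itertools import combinations


def _nums(text):
    """Letters only, A=0 ... Z=25."""
    return [ord(c) - 65 for c in text.upper() if c.isalpha()]


def vigenere_encrypt(plaintext, key):
    p, k = _nums(plaintext), _nums(key)
    return "".join(chr(65 + (x + k[i % len(k)]) % 26) for i, x in enumerate(p))


def vigenere_decrypt(ciphertext, key):
    c, k = _nums(ciphertext), _nums(key)
    return "".join(chr(65 + (y - k[i % len(k)]) % 26) for i, y in enumerate(c))


def autokey_encrypt(plaintext, key):
    p = _nums(plaintext)
    stream = _nums(key) + p                  # running key = keyword || plaintext
    return "".join(chr(65 + (x + stream[i]) % 26) for i, x in enumerate(p))


def autokey_decrypt(ciphertext, key):
    c = _nums(ciphertext)
    stream = _nums(key)                      # grows as plaintext letters are recovered
    out = []
    for i, y in enumerate(c):
        x = (y - stream[i]) % 26
        out.append(x)
        stream.append(x)
    return "".join(chr(65 + x) for x in out)


def kasiski(ciphertext, n=3):
    """Map each repeated n-gram to the distances between its occurrences."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return {gram: [b - a for a, b in combinations(pos, 2)]
            for gram, pos in positions.items() if len(pos) > 1}


def candidate_periods(ciphertext, n=3, max_period=20):
    """Periods d >= 2 dividing every repeated-n-gram distance (empty if no repeats)."""
    dists = [d for ds in kasiski(ciphertext, n).values() for d in ds]
    return [d for d in range(2, max_period + 1)
            if dists and all(x % d == 0 for x in dists)]


if __name__ == "__main__":
    ct = vigenere_encrypt("wearediscoveredsaveyourself", "deceptive")
    print(ct)                                  # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(kasiski(ct))                         # {'VTW': [9]}
    print(candidate_periods(ct))               # [3, 9]
    print(autokey_encrypt("wearediscoveredsaveyourself", "deceptive"))
```

Once the period d is known, every d-th ciphertext letter was produced by one Caesar key, and the frequency tables from the monoalphabetic slides recover each key letter; that is the "attack each monoalphabetic cipher individually" step.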
Vernam Cipher
One-Time Pad (1/3)
• If a truly random key as long as the message is used, the cipher will be secure.
• It is called a One-Time Pad (OTP)
  $P = C = K = (\mathbb{Z}_2)^n,\ n \ge 1$
  $k = (k_1, k_2, \ldots, k_n),\quad x = (x_1, x_2, \ldots, x_n),\quad y = (y_1, y_2, \ldots, y_n)$
  $e_k(x) = (x_1 \oplus k_1, x_2 \oplus k_2, \ldots, x_n \oplus k_n)$
  $d_k(y) = (y_1 \oplus k_1, y_2 \oplus k_2, \ldots, y_n \oplus k_n)$
One-Time Pad (2/3)
• The One-Time Pad is unbreakable, since if k is random then y is random too (that is, the ciphertext bears no statistical relationship to the plaintext), and for any plaintext & any ciphertext there exists a key mapping one to the other.
• In practice, two fundamental difficulties
  – Supplying truly random keys in large volume is a significant task
  – Key distribution and protection are problematic (the key is as long as all the traffic it protects, and must never be reused)
One-Time Pad (3/3)
• The One-Time Pad is of limited utility, and is useful primarily for low-bandwidth channels requiring very high security.
Symmetric encryption -- Classical techniques (Cont.)
• Introduction and terminologies
• Definition of cryptosystem and cryptanalysis
• Types of encryption
  – operations
  – the number of keys used
  – the way the plaintext is processed
• Symmetric encryption -- Classical techniques
  – substitution:
    • monoalphabetic: Caesar, Playfair, Hill
    • polyalphabetic: Vigenère tableau
  – transposition
Transposition Ciphers
• now consider classical transposition or permutation ciphers
• these hide the message by rearranging the letter order
• without altering the actual letters used
Rail Fence cipher
• write the message letters out diagonally over a number of rows
• then read off the cipher row by row
• e.g. write the message "meet me after the toga party" out over two rows as:
m e m a t r h t g p r y
 e t e f e t e o a a t
• giving ciphertext MEMATRHTGPRYETEFETEOAAT
Row Transposition Ciphers
• a more complex scheme
• write the letters of the message out in rows over a specified number of columns
• then read the message off column by column, taking the columns in the order given by the key (the column labelled 1 first)
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
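Both transpositions, with decryption, as an added example that is not part of the slides. The rail fence is generalised to any number of rails (the slide uses two), and the row transposition reads the columns in key order exactly as the worked slide does, so the slide's key 4 3 1 2 5 6 7 and plaintext reproduce TTNAAPTMTSUOAODWCOIXKNLYPETZ. Padding the last row with X is my choice; the slide's plaintext already ends in the filler xyz.

```python
# Added example (not from the slides): rail-fence and row (columnar) transposition.


def _rail_pattern(n, rails):
    """Row index of each of n positions when writing in a zig-zag over `rails` rows."""
    pattern, r, step = [], 0, 1
    for _ in range(n):
        pattern.append(r)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return pattern


def rail_fence_encrypt(text, rails=2):
    letters = [c for c in text.upper() if c.isalpha()]
    pattern = _rail_pattern(len(letters), rails)
    # read off row by row, each row in left-to-right order
    return "".join(ch for row in range(rails)
                   for ch, p in zip(letters, pattern) if p == row)


def rail_fence_decrypt(ciphertext, rails=2):
    pattern = _rail_pattern(len(ciphertext), rails)
    out, idx = [""] * len(ciphertext), 0
    for row in range(rails):            # refill the rows in the order they were read off
        for i, p in enumerate(pattern):
            if p == row:
                out[i] = ciphertext[idx]
                idx += 1
    return "".join(out)


def row_transposition_encrypt(text, key):
    """key is a permutation such as (4, 3, 1, 2, 5, 6, 7): the column labelled 1 is
    read first, then the column labelled 2, and so on."""
    cols = len(key)
    letters = [c for c in text.upper() if c.isalpha()]
    while len(letters) % cols:
        letters.append("X")             # pad the last row (my choice)
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = sorted(range(cols), key=lambda c: key[c])   # column indexes in key order
    return "".join(row[c] for c in order for row in rows)


def row_transposition_decrypt(ciphertext, key):
    cols = len(key)
    nrows = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda c: key[c])
    grid = [[""] * cols for _ in range(nrows)]
    idx = 0
    for c in order:                     # refill the columns in the order they were read
        for r in range(nrows):
            grid[r][c] = ciphertext[idx]
            idx += 1
    return "".join("".join(row) for row in grid)


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))   # MEMATRHTGPRYETEFETEOAAT
    print(row_transposition_encrypt("attackpostponeduntiltwoamxyz", (4, 3, 1, 2, 5, 6, 7)))
```

A transposition leaves the letter frequencies of the plaintext untouched, so a ciphertext-only attacker sees English frequencies immediately and only has to recover the column order; that is the weakness the product-cipher slide below addresses by following a transposition with a substitution.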
Product Ciphers
• ciphers using only substitutions or only transpositions are not secure because of language characteristics
• hence consider using several ciphers in succession to make the result harder, but:
  – two substitutions make only a more complex substitution
  – two transpositions make only a more complex transposition
  – but a substitution followed by a transposition makes a new, much harder cipher
• this is the bridge from classical to modern ciphers
Outline
• Review
• Symmetric encryption -- Classical techniques (cont.)
• Symmetric encryption -- Modern techniques
  – secure encryption schemes
  – modern symmetric block encryption techniques
Symmetric cryptosystems: modern techniques
• secure encryption schemes
  – unconditionally secure / computationally secure
  – Shannon and modern cryptography
  – perfect secrecy and the one-time pad
  – confusion and diffusion
• modern symmetric block encryption techniques
  – introduction
  – Feistel network
  – DES and its variants
  – Blowfish
  – RC5
Unconditionally secure / Computationally secure
• A scheme is secure in the
  – information-theoretic sense (unconditional): no matter how much computing power is available, the cipher cannot be broken, since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
  – computational sense: recovering a plaintext from its ciphertext is computationally infeasible for an attacker, rather than information-theoretically impossible. That is, given limited computing resources (e.g. the time needed for the calculation is greater than the age of the universe), the cipher cannot be broken.
Shannon and Modern Cryptography
• Claude Shannon, the creator of modern information theory
  – Born in 1916, died in 2001
  – Collected papers at http://www.research.att.com/~njas/doc/shannon.html
• Two important papers about information theory
  – Published in 1948 and 1949
  – Addressed two related problems: the noisy channel problem and the secrecy problem
  – These form the basis of modern digital communication systems
Shannon and the One-Time Pad
• The one-time pad provides perfect secrecy.
• Perfect secrecy:
  – The ciphertext is indistinguishable from a random string
  – There are no clues in the ciphertext that make it any easier to get the key or the plaintext
• Def​ining perfect secrecy mathematically involves probability theory.
Shannon and Perfect Secrecy
• A cryptosystem provides perfect secrecy if and only if $\forall x \in P,\ \forall y \in C:\ \Pr_P[x \mid y] = \Pr_P[x]$
  – Equivalently $\Pr_C[y \mid x] = \Pr_C[y]$ (the ciphertext distribution does not depend on the plaintext)
• Theorem: Suppose (P, C, K, E, D) is a cryptosystem where |P| = |C| = |K|. Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability $1/|K|$, and
  – $\forall x \in P,\ \forall y \in C$ there is a unique key k such that $e_k(x) = y$
• Corollary: the one-time pad provides perfect secrecy against passive attacks (an attacker who only observes ciphertext; it gives no integrity, and reusing a pad voids the theorem's uniform-key condition)
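Shannon's theorem checked by brute force. This is an added example, not part of the lecture: it implements the one-time pad from the OTP slides over bit strings, enumerates all keys for a small n to confirm the theorem's "unique key for every (x, y)" condition, computes $\Pr[x \mid y]$ by Bayes' rule under a non-uniform plaintext prior to show it equals $\Pr[x]$, and shows the two-time-pad leak $c_1 \oplus c_2 = x_1 \oplus x_2$ that the corollary's "used once" excludes. The prior and the sample messages are constructed for the example.

```python
# Added example (not from the slides): one-time pad over (Z_2)^n and a check of
# Shannon's perfect-secrecy theorem for small n.
import os
from itertools import product


def otp_encrypt(x: bytes, k: bytes) -> bytes:
    if len(k) != len(x):
        raise ValueError("the key must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(x, k))


otp_decrypt = otp_encrypt          # XOR is its own inverse: d_k(y) = y XOR k


def otp_keygen(n: int) -> bytes:
    return os.urandom(n)           # truly random, never reused


def _bitstrings(n):
    return [tuple(b) for b in product((0, 1), repeat=n)]


def _xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def unique_key_property(n_bits: int) -> bool:
    """Theorem condition: for every (x, y) exactly one key k has e_k(x) = y."""
    space = _bitstrings(n_bits)
    for x in space:
        for y in space:
            if sum(1 for k in space if _xor(x, k) == y) != 1:
                return False
    return True


def posterior(x, y, prior: dict) -> float:
    """Pr[x | y] by Bayes' rule with a uniform key: Pr[y | x'] is counted exhaustively.
    `prior` maps plaintext tuples to probabilities (unlisted plaintexts have 0)."""
    keys = _bitstrings(len(x))

    def p_y_given(xp):
        return sum(1 for k in keys if _xor(xp, k) == y) / len(keys)

    p_y = sum(p_y_given(xp) * pr for xp, pr in prior.items())
    return p_y_given(x) * prior.get(x, 0.0) / p_y


def two_time_pad_leak(x1: bytes, x2: bytes, k: bytes) -> bytes:
    """With a reused key, c1 XOR c2 = x1 XOR x2: the key cancels out."""
    c1, c2 = otp_encrypt(x1, k), otp_encrypt(x2, k)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    msg = b"attack at dawn"
    key = otp_keygen(len(msg))
    assert otp_decrypt(otp_encrypt(msg, key), key) == msg
    print(unique_key_property(3))                       # True
    prior = {(0, 0, 0): 0.7, (1, 1, 1): 0.3}            # constructed, non-uniform
    print(posterior((0, 0, 0), (1, 0, 1), prior))       # 0.7 == prior, for any y
```

The posterior equals the prior for every ciphertext y only because every key is equally likely; biasing the key distribution (say, never using the all-zero key) breaks the first condition of the theorem and makes $\Pr[x \mid y]$ depend on y.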
Shannon and Substitution-Permutation Ciphers
• in 1949 Claude Shannon introduced the idea of substitution-permutation (S-P) networks
  – the modern form of the substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
  – substitution (S-box)
  – permutation (P-box)
• provide confusion and diffusion of the message
Diffusion and Confusion
• Terms introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system
  – Shannon's concern was to thwart cryptanalysis based on statistical analysis
  – diffusion: each plaintext digit affects many ciphertext digits, so the statistical structure of the plaintext is dissipated over the ciphertext
  – confusion: the relationship between the ciphertext and the key is made as complex as possible, so ciphertext statistics give little information about the key
Symmetric cryptosystems: modern techniques
• secure encryption schemes
  – unconditionally secure / computationally secure
  – Shannon and modern cryptography
  – perfect secrecy and the one-time pad
  – confusion and diffusion
• modern symmetric block encryption techniques
  – introduction
  – Feistel network
  – DES and its variants
  – Blowfish
  – RC5
Modern Block Ciphers: introduction
• Modern block ciphers
  – P = C = {binary strings of fixed length}
  – can be regarded as substitution ciphers on n-bit blocks
  – substitution tables?
• Classical substitution is vulnerable to statistical analysis (of the plaintext) and to brute-force attacks
  – reason: |P| and |K| are too small
Modern Block Ciphers: introduction
• To make statistical analysis (of the plaintext) and brute-force attacks infeasible
  – |P| and |K| must be large
  – for an n-bit block, we need to choose
    • a large n, and
    • an arbitrary reversible substitution between P and C
  – reason: statistical analysis then needs a large amount of plaintext and ciphertext and a large amount of space
Modern Block Ciphers: introduction
• Problem: selecting the specific mapping from all possible mappings requires $|K| = (2^n)!$
  – Equivalently, the size of a key is $n \cdot 2^n$ bits (a table of $2^n$ entries of n bits each)
  – For n = 64, the size of a key is $64 \cdot 2^{64} \approx 10^{21}$ bits
Modern Block Ciphers: introduction
• Solution: confine ourselves to a subset of the $(2^n)!$ possible mappings
  – for example, the Hill cipher
  – utilize the concept of a product cipher
    • Shannon's SPN
    • Feistel cipher structure
Symmetric cryptosystems: modern techniques
• secure encryption schemes
  – unconditionally secure / computationally secure
  – Shannon and modern cryptography
  – perfect secrecy and the one-time pad
  – confusion and diffusion
• modern symmetric block encryption techniques
  – introduction
  – Feistel network
  – DES and its variants
  – Blowfish
  – RC5
Block Cipher Principles
• block ciphers look like an extremely large substitution
• would need a table of $2^{64}$ entries (each 64 bits) for a 64-bit block
• instead create the cipher from smaller building blocks
• using the idea of a product cipher
• most symmetric block ciphers are based on a Feistel cipher structure
Feistel Cipher Structure
• Horst Feistel devised the Feistel cipher
  – based on the concept of an invertible product cipher
• partitions the input block into two halves
  – processes them through multiple rounds, each of which
  – performs a substitution on the left data half
  – based on a round function of the right half & a subkey
  – then performs a permutation swapping the halves
• implements Shannon's substitution-permutation network concept
• the round function need not be invertible: the structure is invertible regardless, which is why decryption can reuse the encryption steps
Feistel Cipher Structure
Feistel Cipher Design Principles
• block size
  – increasing the size improves security, but slows the cipher
• key size
  – increasing the size improves security and makes exhaustive key search harder, but may slow the cipher
• number of rounds
  – increasing the number improves security, but slows the cipher
• subkey generation
  – greater complexity can make analysis harder, but slows the cipher
• round function
  – greater complexity can make analysis harder, but slows the cipher
• fast software en/decryption & ease of analysis
  – are more recent concerns for practical use and testing
Feistel Cipher Decryption
Symmetric cryptosystems: modern techniques
• secure encryption schemes
  – unconditionally secure / computationally secure
  – Shannon and modern cryptography
  – perfect secrecy and the one-time pad
  – confusion and diffusion
• modern symmetric block encryption techniques
  – introduction
  – Feistel network
  – DES and its variants
  – Blowfish
  – RC5
Data Encryption Standard (DES)
• the most widely used block cipher in the world
• adopted in 1977 by NBS (now NIST)
  – as FIPS PUB 46
• encrypts 64-bit data blocks using a 56-bit key
• has widespread use
• there has been considerable controversy over its security
DES History
• IBM developed the Lucifer cipher
  – by a team led by Feistel
  – used 64-bit data blocks with a 128-bit key
• then redeveloped it as a commercial cipher with input from NSA and others
• in 1973 NBS issued a request for proposals for a national cipher standard
• IBM submitted their revised Lucifer, which was eventually accepted as the DES
DES Design Controversy
• although the DES standard is public
• there was considerable controversy over the design
  – in the choice of a 56-bit key (vs. Lucifer's 128-bit)
  – and because the design criteria were classified
• subsequent events and public analysis show that in fact the design was appropriate
• DES has become widely used, especially in financial applications
DES Encryption
Initial Permutation IP
• first step of the data computation
• IP reorders the input data bits
• even bits to the LH half, odd bits to the RH half
• quite regular in structure (easy in h/w)
• see text Table 3.2
• example:
  IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
Permutation tables for DES (1/2)
DES Round Structure
• uses two 32-bit L & R halves
• as for any Feistel cipher, a round can be described as:
  $L_i = R_{i-1}$
  $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
• F takes the 32-bit R half and the 48-bit subkey and:
  – expands R to 48 bits using the expansion permutation E
  – XORs the result with the subkey
  – passes it through the 8 S-boxes to get a 32-bit result
  – finally permutes this using the 32-bit permutation P
Permutation tables for DES (2/2)
DES Round Structure
Substitution Boxes S
• there are eight S-boxes, each mapping 6 bits to 4 bits
• each S-box is actually 4 little 4-bit boxes
  – the outer bits 1 & 6 (row bits) select one of the four rows
  – the inner bits 2-5 (column bits) select the column whose entry is substituted
  – the result is 8 lots of 4 bits, or 32 bits
• the row selection depends on both data & key
  – a feature known as autoclaving (autokeying)
• example:
  S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Key Schedule
• forms the subkeys used in each round
• consists of:
  – an initial permutation of the key (PC1), which selects 56 bits in two 28-bit halves
  – 16 stages consisting of:
    • rotating each half separately left by either 1 or 2 places, depending on the key rotation schedule
    • then selecting 24 bits from each half and permuting them by PC2 to form the 48-bit subkey used in function f
DES Example (Table 3.2; the table can be found on page 75 in the textbook)
Note: DES subkeys are shown as eight 6-bit values in hex format
DES Decryption
• decryption must unwind the steps of the data computation
• with the Feistel design, do the encryption steps again
• using the subkeys in reverse order (SK16 … SK1)
• note that IP undoes the final FP step of encryption
• the 1st round with SK16 undoes the 16th encryption round
• ….
• the 16th round with SK1 undoes the 1st encryption round
• then the final FP undoes the initial IP of encryption
• thus recovering the original data value
Avalanche Effect
• a key desirable property of an encryption algorithm
• where a change of one input or key bit results in changing approximately half of the output bits
• DES exhibits a strong avalanche effect after a few rounds
Avalanche Effect
• Example 1:
  – Two plaintexts that differ by one bit:
    0000000000000 … 000000000000
    1000000000000 … 000000000000
  – Key: 0000001 1001011 … 0110010
• Example 2:
  – Plaintext: 01101000 … 10100100
  – Two keys that differ by one bit:
    1110010 1111011 … 11011100
    0110010 1111011 … 11011100
Avalanche Effect in DES
Strength of DES – Key Size
• 56-bit keys have 256 = 7.2 x 1016 values• brute force search looks hard• recent advances have shown is possible
– in 1997 on Internet in a few months – in 1998 on dedicated h/w (EFF) in a few days – in 1999 above combined in 22hrs!
• still must be able to recognize plaintext• now have alternatives to DES ■
Strength of DES – Timing Attacks
• attack the actual implementation of the cipher
• use knowledge of the consequences of the implementation to derive knowledge of some/all subkey bits
• specifically use the fact that calculations can take varying times depending on the value of the inputs to them
• particularly problematic on smartcards
Strength of DES – Analytic Attacks
• there are now several analytic attacks on DES
• these utilise some deep structure of the cipher
  – by gathering information about encryptions
  – can eventually recover some/all of the subkey bits
  – if necessary then exhaustively search for the rest
• generally these are statistical attacks
• they include
  – differential cryptanalysis
  – linear cryptanalysis
  – related-key attacks
Differential Cryptanalysis
• Markov Ciphers and Differential Cryptanalysis (1991), X. Lai, J. L. Massey, S. Murphy (the technique itself was published by Biham and Shamir in 1990)
• Main idea:
  – This is a chosen-plaintext attack: the attacker obtains the ciphertexts of plaintext pairs whose difference is chosen
  – Difference $\Delta P = P_1 \oplus P_2$, $\Delta C = C_1 \oplus C_2$
  – The distribution of $\Delta C$ given $\Delta P$ may reveal information about the key (certain key bits)
  – After finding several bits, use brute force for the rest of the bits to find the key
Differential Cryptanalysis of DES
• Surprisingly … DES was resistant to differential cryptanalysis.
• At the time DES was designed, the designers already knew about differential cryptanalysis, and the S-boxes were designed to resist it.
• Against 8-round DES, the attack requires $2^{38}$ known plaintext-ciphertext pairs.
• Against 16-round DES, the attack requires $2^{47}$ chosen plaintexts.
• Differential cryptanalysis is not effective against full DES in practice!
Linear Cryptanalysis of DES
• Another attack, described in 1993 by M. Matsui
• Instead of looking for isolated points at which a block cipher behaves like something simpler, it involves trying to create a simpler (linear) approximation to the block cipher as a whole.
• It is an attack that can be applied to any iterated cipher.
Basic idea of linear cryptanalysis
• Suppose that, for some fixed sets of plaintext, ciphertext and key bit positions,
  (*) $\Pr[\,M_{i_1} \oplus M_{i_2} \oplus \cdots \oplus M_{i_u} \oplus C_{j_1} \oplus C_{j_2} \oplus \cdots \oplus C_{j_v} \oplus K_{p_1} \oplus K_{p_2} \oplus \cdots \oplus K_{p_w} = 1\,] = 0.5 + \epsilon$
• Then one can recover some key bits given a large number of PT/CT pairs (about $\epsilon^{-2}$ of them)
• For DES, there exists an approximation (*) with $\epsilon = 2^{-21}$
• Using this method, one can find 14 key bits using $(2^{21})^2 = 2^{42}$ PT/CT pairs
Linear Cryptanalysis of DES
• M. Matsui showed (1993/1994) that DES can be broken:
  – 8 rounds: $2^{21}$ known plaintexts
  – 16 rounds: $2^{43}$ known plaintexts, 40 days to generate the (plaintext, ciphertext) pairs and 10 days to find the key
• The attack has little practical impact; it requires too many pairs.
• The key size remains the main attack point.
DES Strength Against Various Attacks
Attack method               Known   Chosen   Storage complexity   Processing complexity
Exhaustive precomputation   -       1        2^56                 1 (table lookup)
Exhaustive search           1       -        negligible           2^55
Linear cryptanalysis        2^43    -        for texts            2^43
                            2^38    -        for texts            2^50
Differential cryptanalysis  -       2^47     for texts            2^47
                            2^55    -        for texts            2^55
The weakest point of DES remains the size of the key (56 bits)!
DES Variants
• clearly a replacement for DES was needed
  – theoretical attacks that can break it
  – demonstrated exhaustive key search attacks
• AES is the new cipher alternative
• prior to this, the alternative was to use multiple encryption with existing DES implementations
Double DES
Triple DES
Why Triple-DES?
• why not Double-DES?– NOT same as some other single-DES use, but have
• meet-in-the-middle attack– works whenever use a cipher twice– since X = EK1[P] = DK2[C]– attack by encrypting P with all keys and store– then decrypt C with keys and match X value– can show takes O(256) steps ■
Use blackboard
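The meet-in-the-middle attack of this slide, run end to end. This is an added example, not part of the lecture, and it does not use DES: to keep the search small enough to run, the block cipher is a toy of my own with a 16-bit block and 16-bit key, $E_k(x) = \mathrm{rotl}_5((x + k) \bmod 2^{16}) \oplus k$. The shape of the attack is exactly the slide's: a table of $E_{K1}[P]$ over all keys, then $D_{K2}[C]$ over all keys looking for a match, costing about $2 \cdot 2^{16}$ cipher operations instead of the $2^{32}$ of a naive search over both keys. The extra known pairs filter the false matches that a single pair leaves (about $2^{32} / 2^{16}$ of them). The keys and plaintexts in the test are constructed.

```python
# Added example (not from the slides): meet-in-the-middle on double encryption
# with a toy 16-bit cipher (my stand-in for DES).
BITS = 16
MASK = (1 << BITS) - 1


def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (BITS - r))) & MASK


def rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (BITS - r))) & MASK


def toy_encrypt(x: int, k: int) -> int:
    return rotl((x + k) & MASK, 5) ^ k


def toy_decrypt(y: int, k: int) -> int:
    return (rotr(y ^ k, 5) - k) & MASK


def double_encrypt(x: int, k1: int, k2: int) -> int:
    return toy_encrypt(toy_encrypt(x, k1), k2)


def meet_in_the_middle(pairs):
    """pairs: [(P, C), ...] all produced under the same unknown (k1, k2).
    Returns every (k1, k2) consistent with all pairs.  Cost: 2^BITS encryptions
    to build the table + 2^BITS decryptions to probe it, plus a 2^BITS-entry table."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << BITS):                  # forward half: X = E_k1(P)
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << BITS):                  # backward half: X = D_k2(C)
        for k1 in table.get(toy_decrypt(c0, k2), ()):
            # a match on one pair is not proof: check the remaining known pairs
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


def known_pairs(k1: int, k2: int, plaintexts):
    """What the attacker is assumed to hold: known plaintext/ciphertext pairs."""
    return [(p, double_encrypt(p, k1, k2)) for p in plaintexts]


if __name__ == "__main__":
    secret = (0x1234, 0xBEEF)                        # constructed secret key pair
    pairs = known_pairs(*secret, [0x0000, 0x5A5A, 0xFFFF])
    found = meet_in_the_middle(pairs)
    print(found, secret in found)
```

Scaling the table to DES means $2^{56}$ entries of 64 bits, which is the storage cost the slide mentions; with a three-key or two-key E-D-E triple, the same idea still applies but meets in the middle of three encryptions and costs $2^{112}$ work, which is why the next slides settle on Triple-DES.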
Triple-DES with Two Keys
• hence must use 3 encryptions
  – would seem to need 3 distinct keys
• but can use 2 keys with an E-D-E sequence
  – $C = E_{K1}[D_{K2}[E_{K1}[P]]]$
  – encryption & decryption are equivalent in security
  – if K1 = K2 then it reduces to single DES (backward compatibility with single-DES implementations)
• standardized in ANSI X9.17 & ISO 8732
• no currently known practical attacks
Triple-DES with Three Keys
• although there are no practical attacks on two-key Triple-DES, there are some indications of weakness
• can use Triple-DES with three keys to avoid even these
  – $C = E_{K3}[D_{K2}[E_{K1}[P]]]$
• has been adopted by some Internet applications, e.g. PGP, S/MIME
Questions?