View
43
Download
0
Category
Preview:
DESCRIPTION
King Mongkut’s Univerity of Technology Faculty of Information Technology Network Security Prof. Reuven Aviv. Conventional Encryption & Message Confidentiality. Acknowledgements for slides Henric Johnson Blekinge Institute of Technology, Sweden. Outline. - PowerPoint PPT Presentation
Citation preview
Dr. Reuven Aviv, Nov 2008
Conventional Encryption 1
Conventional Encryption & Message Confidentiality
Acknowledgements for slides Henric JohnsonBlekinge Institute of Technology, Sweden
King Mongkut’s Univerity of TechnologyKing Mongkut’s Univerity of TechnologyFaculty of Information TechnologyFaculty of Information Technology
Network SecurityNetwork SecurityProf. Reuven AvivProf. Reuven Aviv
Dr. Reuven Aviv, 2008 Conventional Encryption 2
Outline
• Conventional Encryption Principles
• Conventional Encryption Algorithms
• Cipher Block Modes of Operation
• Key Distribution
Prof Reuven Aviv, 2008 Conventional Encryption 3
Conventional Encryption Principles
• An encryption scheme has five ingredients:
– Plaintext
– Encryption algorithm
– Secret Key
– Ciphertext
– Decryption algorithm
• Security depends on the secrecy of the key, not the secrecy of the algorithm
Prof. Reuven Aviv, 2008 Conventional Encryption 4
Conventional Encryption Process
What do we require from the algorithm?
Prof. Reuven Aviv, 2008 Conventional Encryption 5
Requirements
• The Encryption algorithm should be strong– Opponent who knows the algorithm &
ciphertexts would be unable to reveal the plaintext or the key
• The key is to be distributed in a secure way
• Low cost chip implementation why?• Important for wide spread use• Secrecy of algorithm NOT required why?
Prof. Reuven Aviv, 2008 Conventional Encryption 6
Classification of Cryptographic Systems
• The type of operations used for transforming plaintext to ciphertext examples?
• The number of keys used
– symmetric (single key)
– asymmetric (two-keys, - public-key encryption)
• The way in which the plaintext is processed
– Block cipher, stream cipher
Dr. Reuven Aviv, June 2002 Conventional Encryption 7
A model for Encryption algorithm
• Horst Feistel of IBM in 1973
• Input –
– block of plaintext in two halves: (L0, R0)
– Secret Key K
• Encryption: N rounds of “processing”
– Li-1, Ri-1, Ki Li, Ri,Ki+1
– Sub-keys Ki derived from K
• One round of encryption:
– Ri = apply special F(Ki, Ri-1), XOR with Li-1
– Li = Ri-1 what is XOR?
Dr. Reuven Aviv, June 2002 Conventional Encryption 8
Dr. Reuven Aviv, June 2002 Conventional Encryption 9
Transmission and Decryption
• Transmission: Two halves of ciphertext
• Decryption at the receiver (receiver knows K)
• Input:
– Two halves of Ciphertext (Ln+1, Rn+1)
– Last sub-key: Kn How receiver knows this?
• Receiver uses same algorithm as encryption
– Each step: create Ki , (Li, Ri ) in reverse order
– Output: plaintext (L0, R0)
• how to make the algorithm stronger?
Dr. Reuven Aviv, June 2002 Conventional Encryption 10
Increasing the strength of the algorithm
• Larger Block size
• Larger Key Size
• Increasing Number of rounds
– Output bits depend on more input bits
• Complex Subkey generation algorithm
• More complex F()
• What’s the price of all this?
• All of the above reduce speed
• why is that important?
Dr. Reuven Aviv, June 2002 Conventional Encryption 11
Conventional Encryption Algorithms
• Data Encryption Standard (DES)
– The most widely used encryption scheme
– DES encrypts block after block (block cypher)
– The plaintext is processed in 64-bit blocks
– The key K is 56-bits in length
• Triple DES (TDES)
– 3 keys, three executions of DES
• Advanced Encryption Standard (AES)
Dr. Reuven Aviv, June 2002 Conventional Encryption 12
DES
• Encryption:– Initial permutation of the input 64-bit block ??– 16 rounds ( using a special F function)– Swap two halves– Inverse of initial permutation ciphertext
• Decryption– Initial permutation of ciphertext 64-bit block– 16 rounds (use sub-keys in reverse order)– Swap plaintext
Dr. Reuven Aviv, June 2002 Conventional Encryption 13
Dr. Reuven Aviv, June 2002 Conventional Encryption 14
Concerns about DES• algorithm vulnerable? (easy way to break?)
– No vulnerability found, but
– The function F is very complex
• Key length
– DES cracker built
– less $250,000, three days work to break (find key)
– Much faster cracking done using internet
• DES is not considered a strong algorithm
• What a cracker want? What does he do?
Dr. Reuven Aviv, June 2002 Conventional Encryption 15
Cracking methods
• If plaintext is really text– Use statistical distribution of letters, syllables– Use existence of structure: headers, …– In conjunction with brute force
• If plaintext is not text but a general binary file– Use structure if known– Brute force
• Note most files have some structure– E.g. program files– Otherwise attacker would not know if he
succeeded
Dr. Reuven Aviv, June 2002 Conventional Encryption 16
Cryptanalysis: Average time required for exhaustive key search
Key Size (bits)
Number of Alternative Keys
Time required at 106 Decryption/µs
32 232 = 4.3 x 109 2.15 milliseconds
56 256 = 7.2 x 1016 10 hours
128 2128 = 3.4 x 1038 5.4 x 1018 years
168 2168 = 3.7 x 1050 5.9 x 1030 years
Dr. Reuven Aviv, June 2002 Conventional Encryption 17
Triple DES
• Encryption: Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt)
• P = Plaintext
• C = ciphertext
• EK[X] = encryption of X using key K
• DK[Y] = decryption of Y using key K
• Effective key length of 168 bits
• We use decryption in the middle. Why?
C = EK3[DK2[EK1[P]]]
Dr. Reuven Aviv, June 2002 Conventional Encryption 18
Triple DES
Dr. Reuven Aviv, June 2002 Conventional Encryption 19
TDES: Decryption
C = EK3[DK2[EK1[P]]]
DK3[C] = DK2[EK1[P]]
EK2[DK3[C] = EK1[P]
P = Dk1[EK2[DK3[C]]]
Encryption of Messages
Dr. Reuven Aviv, June 2002
Conventional Encryption 20
How a long message is encrypted?
Dr. Reuven Aviv, June 2002 Conventional Encryption 21
Cipher Block Operation: ECB mode
• “Electronic Code Book”
• Divide message into blocks; encrypt each block
• For every block a ciphertext block
– Like a gigantic table: plaintext, ciphertext
• plaintext blocks repeats? same ciphertext block
– cracker identifies blocks, easier to crack
• Improvement: design method so that repeat plaintext blocks different ciphertext blocks!
• How?
Dr. Reuven Aviv, June 2002 Conventional Encryption 22
Cipher Block Chaining Mode (CBC)
• Ciphertext block i , Ci:
• Do XOR of the current plaintext block Pi and the preceding ciphertext block, Ci-1
• Then encrypt
ii1i1iiK1i
i1iiK
i1iKKiK
i1iki
PPCC][CDC
)P(C][CD
)]P(C[ED][CD
]P[CEC
Dr. Reuven Aviv, June 2002
Conventional Encryption 23
CBC Encryption
Create “initial value” block XOR with first Plaintext block Encrypt first ciphertext block XOR with second plaintext block,…
Dr. Reuven Aviv, June 2002 Conventional Encryption 24
Decryption in CBC mode
• Decrypt first ciphertext block• XOR result with Initial Value Block
first Plaintext block• Decrypt second ciphertext block• XOR with first ciphertext block
second plaintext block. …
Dr. Reuven Aviv, June 2002 Conventional Encryption 25
The Initial Value block IV
• First ciphertext block C1 = EK (IVP1)
• First Plaintext block P1 = IVDK(C1)
• IV should be sent to receiver for decryption
Dr. Reuven Aviv, June 2002 Conventional Encryption 26
Intitial value attcak• Consider bit j of P1 :
– P1[j] = IV[j]DK(C1)[j]
– If IV[j] is inverted, so is P1[j]
• If attacker gets IV on the way, change it and re-send it to receiver, he can predictably change bits of P1
• What can we do to avoid this attack?
• Better encrypt IV on its way
• IV can be encrypted as a single block, with no chaining
Key Distribution
Dr. Reuven Aviv, June 2002
Conventional Encryption 27
Dr. Reuven Aviv, June 2002 Conventional Encryption 28
Types and Usages of Keys• Session key:
– Data encrypted with a short lived session key
– At the end of the session the key is destroyed
• Permanent (or Master) key:
– Used for distributing a (first/new) session key
– session key encrypted by master key, sent
– A (or B) can do this,
– or 3’rd party C with shared master keys Ka, Kb
• C is Key Distribution Center (KDC)
• How Ka, Kb, are created / distributed?
Dr. Reuven Aviv, June 2002 Conventional Encryption 29
Using KDC: 1. A KDC
• A sends non encrypted Request for a session Key for communicating with B
– Contents: { A id, B id, N1 Nonce}
• Identifier of sender (A) (e.g. Address | port)
• Identifier of intended party (B)
• A random string (Nonce) what’s that for?
• A expects that the nonce will be echoed by the receiver of this message (the KDC)
– It will be encrypted so that A will know that it was echoed by KDC and not by an imposter
Dr. Reuven Aviv, June 2002 Conventional Encryption 30
Using KDC: 2. KDC A
• 2 parts reply encrypted by master key Ka:
• Part I – to be used by A:
– One time (first/new) session key
– Original request (including the nonce)
• A now knows session key came from KDC
• A knows it’s not a replay of old reply why?
• Part II - encrypted by Kb, will be sent later to B:
• Session key and A id
Key Distribution Scenario
Dr. Reuven Aviv, June 2002
Conventional Encryption 31
Dr. Reuven Aviv, June 2002 Conventional Encryption 32
Using KDC: 3. A B
• A stores the session key, forwarding Part II to B
– Both A and B now know the session key
– B knows that session key was created by KDC
– But B is not sure whether A is not an imposter
– May be it is D, who stole part II, sends to B
– B checks if sender knows the session key how• 4. B A: nonce N2, encrypted by the session key
• 5. A B: some predefined function of N2 f(N2)
– B checks result, if OK, A knows the session key
• This is Challenge response authentication
Dr. Reuven Aviv, June 2002 Conventional Encryption 33
Key Distribution Scenario
Recommended