21
Class Class 25: 25: Security Security through through Complexi Complexi ty? ty? Karsten Nohl Karsten Nohl cs302: Theory of Computation cs302: Theory of Computation University of Virginia, Computer University of Virginia, Computer Science Science PS6 is due today. Lorenz cipher used in WWII

Karsten Nohl

Embed Size (px)

DESCRIPTION

Class 25: Security through Complexity?. Karsten Nohl. PS6 is due today. Lorenz cipher used in WW II. cs302: Theory of Computation University of Virginia, Computer Science. Motivation. Many applications require certain tasks to be easy for some and hard for others - PowerPoint PPT Presentation

Citation preview

Page 1: Karsten Nohl

Class 25: Class 25: Security Security through through

Complexity?Complexity?

Karsten NohlKarsten Nohl

cs302: Theory of Computationcs302: Theory of ComputationUniversity of Virginia, Computer ScienceUniversity of Virginia, Computer Science

PS6 is due today.

Lorenz cipher used in WWII

Page 2: Karsten Nohl

2Lecture 25: Complex --> Secure?

Motivation

• Many applications require certain tasks to be easy for some and hard for others

• Example: Decryption of encrypted message is easy only when given a secret key

Cryptography is concerned with constructing algorithms that withstand abuse. -Goldreich

Complexity is a powerful tool to “lock out” adversaries.Basic Idea: Require hard problem to be solved, give hint as key.

Page 3: Karsten Nohl

3Lecture 25: Complex --> Secure?

NP can be useful

• So far, you learnt how to detect “unsolvable” problems (in NP) and solve them anyway by approximation (in P)

• For cryptography we want the opposite:problems that are almost always hard, i.e., cannot be approximated in P

Page 4: Karsten Nohl

4Lecture 25: Complex --> Secure?

[Breaking a strong cipher should require]“as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type”

- Shannon, ‘49

Sounds NP-Complete, doesn’t it?

Page 5: Karsten Nohl

5Lecture 25: Complex --> Secure?

Goal: Encryption

• For almost all security schemes we need:– Encryption / one-way function

easy to compute:hard to find any part of:

• Often also required:– Decryption

enc(x,k) y

x,k enc 1(y)

secret key

dec(y,k) x

Make this an NP problem

Page 6: Karsten Nohl

6Lecture 25: Complex --> Secure?

Encryption build on Hardness• Knapsack problem is NP-Complete

– Problem of filing bag with best selection of items– Recall: Reducible from Subset-Sum

• Enable Encryption: Keep message secret by hiding it in a Knapsack instance

n

i

iiaxs1

bits of encryption key = knapsack instance

message bits

Decryption possible by knowing easy knapsack instance (secret key) that provides shortcut.

Page 7: Karsten Nohl

7Lecture 25: Complex --> Secure?

Flawed Security Argument

• Subset Sum is NP-Complete• Breaking knapsack cipher involves solving a

subset sum problem• Therefore, knapsack cipher is secure

Flaw: NP-Complete means there is no fast general solution. Some instances may be solved quickly. (Note: Adi Shamir broke knapsack cipher [1982])

Page 8: Karsten Nohl

8Lecture 25: Complex --> Secure?

Cipher Design

• NP-Completeness is not sufficient for cryptographic hardness Worst-case complexity

• Need solution to usually be hardAverage complexity

• Captured in new complexity class:All tractable problems are in BPP(which only makes sense if P≠NP) probabilistic:

can flip coins

Page 9: Karsten Nohl

9Lecture 25: Complex --> Secure?

Cipher Design (cont.)

• A “strong” cipher cannot be broken faster than exhaustive key search (brute force)

• Only possible shortcut:Trade space for time; e.g.:

Θ(2n) time

Θ(2n⅔) time + space

Page 10: Karsten Nohl

10Lecture 25: Complex --> Secure?

Results of Insufficient Hardness

• All broken cipher have a gap between worst-case and average hardness

• Estimating average hardness is often impossible (= finding best algorithm for instances of NP-complete problem)

• Next: Analyze cipher, identify complexity, and break it by finding tractable average solution.

Page 11: Karsten Nohl

11Lecture 25: Complex --> Secure?

Proprietary Cryptography(or: why “security-by-obscurity” never works)

Page 12: Karsten Nohl

12Lecture 25: Complex --> Secure?

First: Disclosure

• Secret algorithm can often be found:– Disassembling software– Hardware reverse-engineering

IDA Pro

This talk: Breaking a cipher once we found it.

This talk: Breaking a cipher once we found it.

Page 13: Karsten Nohl

13Lecture 25: Complex --> Secure?

Then: Exploitation

• Most secret ciphers are broken after disclosure

• Flaws are very similar in all DIY ciphers(and cryptanalyst spot them in a glimpse)

“No more weak ciphers. No more paranoia.” Sean O’Neil

Page 14: Karsten Nohl

14Lecture 25: Complex --> Secure?

The crux of most flaws

• Most weaknesses caused by insufficient non-linearity.

• At the heart of the problem:LFSRs (linear feedback shift register)

tmp = x[12]^x[15]^x[16]^x[17];for i=17:-1:1 x[i]=x[i-1];x[0] = tmp;

tmp = x[12]^x[15]^x[16]^x[17];for i=17:-1:1 x[i]=x[i-1];x[0] = tmp;

Page 15: Karsten Nohl

15Lecture 25: Complex --> Secure?

Non-Linearity

• System of equations that desribes n-bit cipher can have up to O(2n) terms.

• Only O(n) of these terms are linear.

Linear ≈ PNon-linear ≈ NP

Page 16: Karsten Nohl

16Lecture 25: Complex --> Secure?

Mifare Crypto-1

fc(∙)fc(∙)

High degree (20) generator, very non-linear! ✔

High degree (20) generator, very non-linear! ✔

Many taps in LFSR ✔Still linear ✗

Many taps in LFSR ✔Still linear ✗

Cascaded structure allows for low

degree description after all! :P

Cascaded structure allows for low

degree description after all! :P

Work with Nicolas Courtois, Sean O’Neil

Page 17: Karsten Nohl

17Lecture 25: Complex --> Secure?

fc(∙)fc(∙)

a[0] a[1] a[2] a[3] a[4]

tmp = x[0]^...^x[43];for i=1:47 x[i]=x[i+1];x[48] = tmp;

tmp = x[0]^...^x[43];for i=1:47 x[i]=x[i+1];x[48] = tmp;

a[0] = fa(x[7],x[9],x[11],x[13]);a[1] = ......y = fc(a[0],a[1],a[2],a[3],a[4])

a[0] = fa(x[7],x[9],x[11],x[13]);a[1] = ......y = fc(a[0],a[1],a[2],a[3],a[4])

Compute equations for first output bit:

Before computing next bit, shift LFSR:

y

Describes cipher as system of equations with 48+r5 unknowns, terms with degree ≤ 4!

Describes cipher as system of equations with 48+r5 unknowns, terms with degree ≤ 4!

Page 18: Karsten Nohl

18Lecture 25: Complex --> Secure?

Almost there …

1. Describe weak parts of cipher as system of equations

2. Brute-Force through complex parts: Guess-and-Determine attack.

3. Solve system of equations: MiniSAT is our friend

Solving for 48-bit Crypto-1 key takes 12 seconds;compared to month for brute-force.

Page 19: Karsten Nohl

19Lecture 25: Complex --> Secure?

Lessons Learned (Crypto)

• Obscurity and proprietary crypto add security only in the short-run– (but lack of peer-review hurts later)

• Constraints of small devices make good crypto extremely hard– Where are the best trade-offs?– How much security is needed?– How can we best introduce non-linearity?

Page 20: Karsten Nohl

20Lecture 25: Complex --> Secure?

Lessons Learned (Complexity)• Cannot rely on hardness of problems; gap

between average and worst-case instances often significant

• This is good news unless you are building cryptography: – Can solve many instances of NP-complete

problems in limited time• Mathematicians have done most of the work

already: start using MiniSAT

Page 21: Karsten Nohl

21Lecture 25: Complex --> Secure?

Don’t forget to hand in PS6.