March 2005 - R. Smith - University of St Thomas - Minnesota - CISC 210 - Class Today: Returning Homeworks 5 and 6; Recap: Crypto.


1 CISC 210 - Class Today
Returning Homeworks 5 and 6
Recap: Crypto Building Blocks
  – One-way hash
  – Randomness
  – XOR for encryption
  – Keystream generation – pseudo-random number generation
  – Nonces
Block Ciphers

2 Recap
A rationale for file encryption
  – Bob is attacked by a Trojan Horse
Encryption with XOR
  – Stream ciphers and one-time pads
Reusing keys in stream ciphers
  – What’s the big deal?
  – The Rosenbergs found it to be quite unfortunate
File encryption
  – Making good use of the key’s entropy
  – Allowing us to use a key more than once
  – Confidentiality != integrity protection

3 Crypto Building Blocks
These are the basic functions we use
  – One-way hash
  – Randomness
  – XOR for encryption
  – Keystream generation – pseudo-random number generation
  – Nonces
Take these capabilities and we can build some really effective crypto mechanisms
Each mechanism arises from a problem to solve

4 Problem: Match a secret w/o a secret
We want to match a secret value, but we don’t want to store the secret value
If we store the value, it’s a risk
But, when presented with a secret value, we want to be able to confirm or deny that it’s the right secret value

5 Solution: One-way Hash
Example: storing passwords
  – We store the hashed password
  – We hash the typed password – the two should match
Hash features
  – If the input changes a little, the hash changes a lot
  – Given a hash value, you can’t back-solve to deduce the input

6 One-way Hash as a general function
Takes arbitrarily large input text
Generates fixed-size binary data item
  – Any input change makes large, unpredictable output change
      – Same with making it longer or shorter
  – Can’t easily construct 2 documents with same hash value
  – Can’t derive input information from the hash value
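
Added example, not part of the original slides: the password check from slide 5 in Python, with a measurement of how many hash bits change for a one-character change in the input. The salted, iterated variant beside it goes beyond the slides; the function names, the sample passwords and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

def plain_record(password: str) -> bytes:
    # The scheme as stated on slide 5: store only the hash of the password.
    return hashlib.sha256(password.encode()).digest()

def plain_verify(typed: str, record: bytes) -> bool:
    # Hash the typed password and compare with the stored hash in constant time.
    return hmac.compare_digest(plain_record(typed), record)

def bits_changed(a: bytes, b: bytes) -> int:
    # Number of differing bits between two hash values.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

ITERATIONS = 100_000  # assumed work factor, kept small so the example runs quickly

def salted_record(password: str, salt: bytes = b"") -> tuple:
    # Hardened variant (not on the slides): a per-user random salt and a slow,
    # iterated hash, so equal passwords no longer produce equal stored values.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def salted_verify(typed: str, salt: bytes, digest: bytes) -> bool:
    # Recompute with the stored salt; the salt itself is not secret.
    return hmac.compare_digest(salted_record(typed, salt)[1], digest)

if __name__ == "__main__":
    # Constructed sample passwords.
    stored = plain_record("hunter2")
    print("match:", plain_verify("hunter2", stored))
    print("near miss:", plain_verify("hunter3", stored))
    print("bits changed:", bits_changed(stored, plain_record("hunter3")), "of 256")
    print("two users, same password, same plain hash:",
          plain_record("hunter2") == stored)
    print("same password, salted records equal:",
          salted_record("hunter2")[1] == salted_record("hunter2")[1])
```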

7 Problem: Need Random Secrets
We authenticate and we encrypt
Both rely on hard-to-guess secrets
Can’t we just make up some words?
No, because such things are easy to guess

8 Solution: Randomness and Entropy
We choose secrets based on random acts
  – Intuitive choosing tends to be biased, even predictable
  – Make “Random Choices” in the statistical sense: rolling dice, other less-biased choices
“Entropy” in a choice reflects its lack of bias
  – Convenience is the bane of entropy
  – We make more complicated choices to increase entropy
  – Words have much less entropy than random keystrokes

9 The Problem: Confidentiality
How do we protect data that may be accessible by untrustworthy people?
Answer: encryption. But how?

10 Solution: XOR for encryption
We apply XOR to encrypt and then to decrypt
  – PT xor KEY = CT
  – CT xor KEY = PT
We apply it bit-by-bit to create a stream cipher

11 XOR in general
Strong Points
  – Very, very easy to implement
  – Works at the bit level
  – Handles data streams arbitrarily short or long
Weak points
  – Easily inverts – can’t re-use a key stream
  – Whole stream must be random in some sense
  – A totally random stream is hard to manage

12 Problem: The XOR Keystream
How do we generate a good keystream for encrypting data?

13 Problem: the XOR keystream Properties
It must not repeat itself
We should be able to start it with a small amount of entropy (a couple hundred bits)
It must not have “exploitable” patterns
  – Patterns that cryptanalysts can exploit to crack the encryption
  – “Enigma” – their ‘menu’ consisted of interlocked patterns relating plaintext letters to ciphertext letters

14 Solution: Simple PRNG Design
Use a one-way hash function with feedback
Inputs
  – First time, use the seed or key as the input
  – All future times, use the previous output value as the input
Output
  – For each call, the resulting hash value is the next block of output
[Diagram labels: One-way hash; Random input; The ‘seed’ or ‘key’; The output or “keystream”]

15 Solution: Pseudo-random numbers
Pseudo-random number generator (PRNG)
  – Function that generates an unpredictable sequence of data
  – Input: a small amount of entropy – the “seed” value
  – Output: arbitrary amounts of pseudo-random data
Properties of a good PRNG or keystream
  – Properties of a “cryptographic” PRNG
      – Statistical PRNGs have much weaker requirements
  – One part of the sequence must not indicate what other parts of the sequence would look like (earlier or later)
  – If we have the sequence, we can’t figure out how it was generated – i.e. the seed value

16 Simple Stream Cipher Design
One-way hash generates the keystream
  – Key serves as PRNG “seed”
  – “Key Autokey” cipher – later keystream based on earlier keystream
      – The encrypted data has no effect on the keystream
      – ENIGMA is an autokey cipher
  – Plaintext XORs with the ciphertext
  – Cisco uses this in TACACS products
Repeat the process for decryption
[Diagram labels: One-way hash; Key; Plaintext; Ciphertext]

17 Problem: Password as entropy
Text is a sparse source of entropy
  – 1.5 bits per 8-bit character
  – How do we fit the entropy of a longer password or passphrase into the fixed size of an encryption key? (64, 128, 256 bits)
      – If we truncate, we lose a lot of entropy

18 Solution: Apply a one-way hash
Hash “compresses” the phrase
  – Hash value’s size is closer to the algorithm’s key size
  – Apply hash again to previous output if we need a larger key

19 Problem: Repeating Keystream
We use the same passphrase to encrypt different data items (files, messages)
Same phrase == same keystream, right?
How do we use a different stream with each encryption while using the same passphrase?

20 Solution: Nonce
Combine passphrase with changing “nonce”
Nonce = data that is different each time we encrypt

21 Using a Nonce
What is a nonce?
  – Data that changes each time we need one
      – NOT necessarily random, but Must NOT repeat
      – Must NOT be chosen or controlled by an attacker
What is the procedure?
  – Attach it to the input of a one-way hash
  – Include the nonce as plaintext with the protected data
      – Do NOT encrypt the nonce!
How does it help?
  – It provides data that changes in each crypto operation
  – We weaken our crypto if it’s exactly the same every time
      – Especially repeated keystreams(!!)
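
Added example, not part of the original slides: slides 14 to 21 assembled in Python, with SHA-256 assumed as the one-way hash. It checks that reusing a passphrase without a nonce leaks PT1 xor PT2, that a fresh nonce removes the leak, and that in the pure-feedback design one exposed keystream block determines the blocks after it; the function names, passphrase and messages are constructed for the example.

```python
import hashlib
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(seed: bytes, n: int) -> bytes:
    # Slide 14: hash the seed, then feed each output back in as the next input.
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def seed_from(passphrase: str, nonce: bytes) -> bytes:
    # Slides 18 and 21: hash nonce + passphrase down to a fixed-size seed.
    return hashlib.sha256(nonce + passphrase.encode()).digest()

def encrypt(passphrase: str, plaintext: bytes, nonce: bytes) -> bytes:
    # The nonce is stored unencrypted in front of the ciphertext.
    ks = keystream(seed_from(passphrase, nonce), len(plaintext))
    return nonce + xor(plaintext, ks)

def decrypt(passphrase: str, message: bytes, nonce_len: int) -> bytes:
    nonce, ct = message[:nonce_len], message[nonce_len:]
    return xor(ct, keystream(seed_from(passphrase, nonce), len(ct)))

# Constructed sample data (hypothetical passphrase and messages).
PHRASE = "correct horse battery staple"
P1 = b"Pay Alice $100 on the first of the month, every month."
P2 = b"Pay Bob   $999 on the last day of the month, only once"

def demo() -> dict:
    same1, same2 = encrypt(PHRASE, P1, b""), encrypt(PHRASE, P2, b"")
    new1 = encrypt(PHRASE, P1, os.urandom(16))
    new2 = encrypt(PHRASE, P2, os.urandom(16))
    ks = xor(same1, P1)  # keystream exposed to anyone who knows P1
    return {
        "roundtrip": decrypt(PHRASE, new1, 16) == P1,
        # Same keystream twice: the key cancels, CT1 xor CT2 == PT1 xor PT2.
        "reuse_leaks": xor(same1, same2) == xor(P1, P2),
        "nonce_leaks": xor(new1[16:], new2[16:]) == xor(P1, P2),
        # Pure feedback: one exposed 32-byte block yields the blocks after it.
        "block_predicts_next": keystream(ks[:32], 16) == ks[32:48],
    }

if __name__ == "__main__":
    print(demo())
```

The last check shows that pure feedback does not meet the slide 15 property that one part of the sequence must not indicate later parts; mixing the key into every hash call, rather than only the first, closes that gap.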

22 Block Encryption
The ‘big league’ of symmetric encryption
Works on fixed-size blocks of plaintext
  – Output: equally-sized blocks of encrypted ciphertext
  – Each encryption/decryption is independent of others
      – For a given key, each plaintext block encrypts into one particular ciphertext block, and vice versa
The strongest ciphers are block ciphers
[Diagram labels: Block cipher algorithm; Plaintext; Ciphertext; Key]

23 Classic Block Ciphers
Oldies – used in PGP or other classics
  – Data Encryption Standard (DES), 1975
      – 64-bit blocks, 56-bit keys
  – International Data Encryption Algorithm (IDEA), 1991
      – 64-bit blocks, 128-bit keys
  – CAST (from Canada, acronym for inventors’ names), 1996
      – 64-bit blocks, varying key sizes: 40-128 bits
Advanced Encryption Standard (AES), 2002
  – 128-bit blocks
  – Three standard key sizes: 128, 192, 256 bits

24 How Block Ciphers Work
Basic operations
  – Permutations and Substitutions
  – Take some key bits and data bits and permute or substitute
A “round”
  – Apply a set of permutations
  – Apply a set of substitutions
  – Keep going till the whole data block is transformed
Apply rounds till data is ‘shuffled’
  – AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.
  – IDEA – 8 rounds
  – CAST – 12-16 rounds

25 Analyzing block ciphers
Limited round attacks
  – AES: known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys

26 Creative Commons License
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

