1. CS 5950/6030 Network Security Class 9 (W, 9/21/05) Leszek Lilien Department of Computer Science Western Michigan University [Using some slides prepared by: Prof. Aaron Striegel — at U. of Notre Dame Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands]

2. 2 Review of Class 8 Class 8 started with Correction of example from Class 7 (columnar transp. cipher as a block cipher)

3. 3 Symmetric and Asymmetric Cryptosystems (2b) Asymmetric encryption = public key encryption (PKE) K E ≠ K D — public and private keys PKE systems eliminate symmetric encr. problems Need no secure key distribution channel => easy key distribution

4. 4 2D. DES (Data Encryption Standard) Outline 2D.1. Background and History of DES 2D.2. Overview of DES 2D.3. Double and Triple DES 2D.4. Security of DES

5. 5 2E. The Clipper Story (1) ... Or: How not to set up a standard  A scenario  Only a single electronic copy of a corporation’s crucial (and sensitive) document  To prevent espionage, strong encryption used to protect that document  Only CEO knows the key  CEO gets hit by a truck  Is the document lost forever?  Key escrow (a depository) facilitates recovery of the document if the key is lost [cf. J. Leiwo]

6. 6 2F. AES... Or: How to set up a standard AES = Advanced Encryption Standard Outline 2F.1. The AES Contest 2F.2. Overview of Rijndael 2F.3. Strength of AES 2F.4. Comparison of DES and AES

7. 7 2F.1. The AES Contest (1) 1997 – NIST calls for proposals NIST Criteria: Unclassifed code Publicly disclosed Royalty-free worldwide Symmetric block cipher for 128-bit blocks Usable with keys of 128, 192, and 256 bits 1998 – 15 algorithms selected (Nat’l Institute of Standards and Technology)

8. 8 Class 8 ended here

9. 9 Section 2 – Class 9 2. Introduction to Cryptology... 2C. Making „Good” Ciphers... 2C.4. Symmetric and Asymm. Cryptosystems — PART 2 2D. The DES (Data Encryption Standard) Algorithm... 2E. The Clipper Story 2F. The AES (Advanced Encryption Standard) Algorithm 2F.1. The AES Contest 2F.2. Overview of Rijndael 2F.3. Strength of AES 2F.4. Comparison of DES and AES 2H. The Uses of Encryption 2H.1. Cryptographic Hash Functions – PART1 Class 8 Class 9

10. 10 2F.2. Overview of Rijndael/AES Similar to DES – cyclic type of approach 128-bit blocks of P # of iterations based on key length 128-bit key => 9 “rounds” (called rounds, not cycles) 192-bit key => 11 rounds 256-bit key => 13 rounds Basic ops for a round: Substitution – byte level (confusion) Shift row (transposition) – depends on key length (diff.) Mix columns – LSH and XOR (confusion +diffusion) Add subkey – XOR used (confusion)

11. 11 2F.3. Strengths of AES Not much experience so far (since 2001) But: Extensive cryptanalysis by US gov’t and independent experts Dutch inventors have no ties to NSA or other US gov’t bodies (less suspicion of trapdoor) Solid math basis Despite seemingly simple steps within rounds

12. 12 2F.4. Comparison of DES & AES (1) DESAES Date19761999 Block size [bits]64128 Key length [bits]56 (effect.)128, 192, 256, or more Encryptionsubstitution,substitution, shift, bit Primitivespermutationmixing Cryptographicconfusion,confusion, Primitivesdiffusiondiffusion Designopenopen Designclosedopen Rationale Selectionsecret secret, but accepted processpublic comments SourceIBM, enhan-independent Dutch ced by NSAcryptographers

13. 13 Comparison of DES & AES (2) Weaknesses in AES? 20+ yrs of experience with DES eliminated fears of its weakness (intentional or not) Might be naïve… Experts pored over AES for 2-year review period

14. 14 Comparison of DES & AES (3) Longevity of AES? DES is nearly 30 yrs old (1976) DES-encrypted message can be cracked in days Longevity of AES more difficult to answer Can extend key length to > 256 bits(DES: 56) 2 * key length => 4 * number of keys Can extend number of rounds(DES: 16) Extensible AES seems to be significantly better than DES, but.. Human ingenuity is unpredicatble! => Need to incessantly search for better and better encryption algorithms

15. 15 2G. Public Key Encryption (PKE) Recall: Two main types of cryptosystems: Classical (= symmetric) Public key (= asymmetric) Outline 2G.1. Motivation for PKE 2G.2. Characteristics of PKE 2G.3. RSA (Rivest-Shamir-Adelman) Encryption

16. 16 2G.1. Motivation for PKE (1) So far - cryptosystems with secret keys Problems: A lot of keys o(n 2 ) keys for n users (n * (n-1) /2 keys) — if each must be able to communicate with each Distributing so many keys securely Secure storage for the keys User with n keys can’t just memorize them Can have a system with significantly fewer keys? Yes!

17. 17 Motivation for PKE (2) 1976 — Diffie and Hellman — new kind of cryptosystem: public key cryptosystem = asymmetric cryptosystem Key pairs: Each user owns one private key Each user shares the corresponding public key with n-1 remaining users => n users share each public key Only 2n keys for n users 2n = n * (1 + n * 1/n) Forget the in-class „correction.” We go back to this original equation, since public key is shared by n people: 1 „owner” + (n-1) others = n Even if each communicates with each Reduction from o(n 2 ) to o(n) ! n key pairs are:,,...,

18. 18 2G.2. Characteristics of PKE (1)  PKE requirements 1.It must be computationally easy to encipher or decipher a message given the appropriate key 2.It must be computationally infeasible to derive k PRIV from k PUB 3.It must be computationally infeasible to determine k PRIV from a chosen plaintext attack [cf. Barbara Endicott-Popovsky, U. Washington]

19. 19 Characteristics of PKE (2) Key pair characteristics One key is inverse of the other key of the pair i.e., it can undo encryption provided by the other: D(k PRIV, E(k PUB, P)) = P D(k PUB, E(k PRIV, P)) = P One of the keys can be public since each key does only half of E ”+” D As shown above – need both E and D to get P back

20. 20 Characteristics of PKE (3) Two E/D possibilities for key pair P = D(k PRIV, E(k PUB, P)) User encrypts msg with k PUB (k PUB” ”locks”) Recipient decrypts msg with k PRIV (k PRIV ”unlocks”) OR P = D(k PUB, E(k PRIV, P))(e.g., in RSA) User encrypts msg with k PRIV (k PRIV ”locks”) Recipient decrypts msg with key k PUB (k PUB ”unlocks”) Do we still need symmetric encryption (SE) systems? Yes, PKEs are 10,000+ slower than SEs PKEs use exponentiation – involves multiplication and division SEs use only bit operations (add, XOR< substitute, shift) – much faster

21. 21 2G.3. RSA Encryption (1) RSA = Rivest, Shamir, and Adelman (MIT), 1978 Underlying hard problem: Number theory – determining prime factors of a given (large) number (ex. factoring of small #: 5  5, 6  2 *3) Arithmetic modulo n How secure is RSA? So far remains secure (after all these years...) Will sb propose a quick algorithm to factor large numbers? Will quantum computing break it? TBD

22. 22 RSA Encryption (2) In RSA: P = E (D(P)) = D(E(P)) (order of D/E does not matter) More precisely: P = E(k E, D(k D, P)) = D(k D, E(k E, P)) Encryption:C = P e mod nK E = e Given C, it is very difficult to find P without knowing K D Decryption:P = C d mod nK D = d

23. 23 2H. The Uses of Encryption PKE is much slower than SE (symmetric E) PKEs only for specialized, infrequent tasks SEs – a real workhorse Four applications of encryption (& outline)  Cryptographic Hash Functions (subsec. 2H.1)  Key Exchange (subsec. 2H.2)  Digital Signatures (subsec. 2H.3)  Certificates (subsec. 2H.4)

24. 24 2H.1. Cryptographic Hash Functions (1) Integrity: How can you be sure that a recived msg/doc was not modified by an attacker or malfunction? Answer: use cryptography to ensure integrity Idea: Wax seals on letters in Middle Ages — easy to see if broken Cryptographic „seal” on doc/msg — so that any change to it will be readily detected

25. 25 Cryptographic Hash Fcns (2) A technique: compute a hash fcn / checksum / msg digest More formally: Problem: How to send n-bit msg so that R can easily verify that it is intact Solution: Send a msg of n+k bits n bits — original msg k bits — checksum = msg digest Generated based on the n bits

26. 26 Cryptographic Hash Fcns (3) Simple Parity for Error Detection (1) Simple (non-cryptographic) technique: parity Add a single parity bit to detect if a message is correct Example 1: odd parity Force the block of data to have an odd # of 1’s Data = 1011— n = 4 Sent block = 10110— n+k = 4+1 — looked at ‘1011’, added 0 to have odd # of 1’s Data = 0110 Sent block= 01101 — looked at ‘0110’, added 1 to have odd # of 1’s Example 2: ASCII parity bit ASCII has 7 bits for data, 8th bit is single parity bit Either odd or even parity used [cf. A. Striegel, U. Notre Dame]

27. 27 How parity enhances msg integrity? Can detect error in 1 bit (or in odd # of bits) e,.g, if R gets 01001, R knows it’s wrong (S sent 01101) Cannot detect error in 2 bits (or in even # of bits) Bec. parity stays OK -> undetectable integrity violation e.g, if R gets 01011, R knows it’s wrong (S sent 01101) Cannot repair errors either E.g., R doesn’t know which bit in 01001 is wrong [cf. A. Striegel, U. Notre Dame] Cryptographic Hash Fcns (4) Simple Parity for Error Detection (2)

28. 28 Cryptographic Hash Fcns (5) Better Checksums against Errors & Attacks There are better checksums than simple odd/even parity Can detect multiple errors Can even repair multiple errors These checksums are to fix errors, not deal with attacks For attacks need cryptographic checksums / strong hash functions

29. 29 Cryptographic Hash Fcns (6) Strong Hash Function Formal definition: strong hash function (cryptographic checksum) is h: A -> B such that: 1)For any x  A, h(x) is easy to compute 2)For any y  B, it is computationally infeasible to find inverse of y, i.e., x  A such that h(x) = y 3)It is computationally infeasible to find a pair of colliding input values, i.e. x, x’  A such that x ≠ x’ and h(x) = h(x’) Alternate (stronger) form for (3): Given any x  A, it is computationally infeasible to find x’  A such that x ≠ x’ and h(x) = h(x’)  Due to (1) and (2), hash fcn is a one-way function [cf. A. Striegel, U. Notre Dame, Barbara Endicott-Popovsky, U. Washington]

30. 30 Cryptographic Hash Fcns (7) Collisions & Attacks on Msg Integrity (1) Note: n bits of msg (x) mapped into k bits of its checksum (y) k collisions must exist But it is computationally infeasible to find collisions for good hash fcns Goal of a successful attack on msg integrity: Change msg1 in such a way that checksum remains unchanged (so R doesn’t detect the forgery) I.e., find msg2 that collides with the original msg1 w.r.t. checksum value Finding msg2 is computationally infeasible (for good hash) => forging msg1 undetectably is computationally infeasible [cf. A. Striegel, U. Notre Dame]

31. 31 Pigeonhole principle n containers for n+1 objects (n pigeonholes for n+1 pigeons) => at least 1 container will hold two objects Example:  length(msg) = 5, length(hash)= 3  2 5 =32 possible msgs vs. 2 3 =8 possible hash values => at least 4 (= 32/8) different msgs hash into the same value (collisions!)  Real msgs and hash values are much longer than 5 or 3 bits! We know that collisions exist but: => much tougher to find collisions => much tougher to forge them [cf. A. Striegel, U. Notre Dame] Cryptographic Hash Fcns (8) Collisions & Attacks on Msg Integrity (2)

32. 32 Cryptographic Hash Fcns (9) File Checksum File checksum Calculated, a fcn defined on all bits of the file Result encrypted and stored with the file Each time file used by legitimate users, checksum recalculated, encrypted, stored with the file File sent to R When file received by R: R decrypts checksum c1 received in the file R independently calculates file checksum c2 If c1 = c2 => file integrity is OK Otherwise – file integrity violated

33. 33 End of Class 9