Week 3 - Friday

 What did we talk about last time?  Modular arithmetic  Shift ciphers  Transposition ciphers  Substitution ciphers  Vigenère ciphers  One-time pad

 A One-Time Pad is similar to the Vigenère cipher, except that the key is as long as the message  What will this do to the index of coincidence?  Any given ciphertext could be decrypted into any plaintext, provided that you have the right key

 Key: THISISTHESECRETPASSWORD  Plaintext: SOMEBODY SHOUTED MCINTYRE  Now, use the key IFYOUDISSDRDRE to encrypt MELODY AND RHYME SOMEBODYSHOUTEDMCINTYRE THISISTHESECRETPASSWORD LVUWJGWFWZSWKIWBCAFPMIH

 Plaintext: SOMEBODY SHOUTED MCINTYRE  Find a key (never done that before, have we?) that will encrypt the plaintext to YOUCOULDFINDTHEABSTRACT

 A One-Time Pad has the property of perfect secrecy or Shannon secrecy  Perfect secrecy means that P(M) = P(M|C)  Remember that it is possible to find a key that would decrypt a ciphertext to any plaintext  Thus, learning the ciphertext tells you nothing about the plaintext

 You can only use it one time  Otherwise, recovering the key is trivial  Completely vulnerable to known plaintext attack  The key is as long as the message  If you have a way of sending a key that long securely, why not send the message the same way?  Generating keys with appropriate levels of randomness presents a problem

 Claude Shannon is the guy that invented Shannon secrecy and is considered the father of information theory  He proposed 5 characteristics for a good cipher: 1. The amount of secrecy needed should determine the amount of labor appropriate for encryption and decryption 2. The set of keys and the enciphering algorithm should be free from complexity 3. The implementation of the process should be as simple as possible 4. Errors in ciphering should not propagate and cause corruption of further information in the message 5. The size of the enciphered text should be no larger than the text of the original message

 Shannon was focused on hand encryption  Modern commercial users of cryptography want the following characteristics for their cryptosystems:  Based on sound mathematics  Analyzed by competent experts and found to be sound  Stood the test of time

 A common way of dividing ciphers is into stream ciphers and block ciphers  Block ciphers divide messages into fixed length parts (or blocks) and encipher each part with the same key  Stream ciphers encipher each message character by character  Some other authors define a stream cipher to be like a block cipher except that the key changes with each block based on the message

 Self-synchronous ciphers are stream ciphers that get the key from the message itself  The simplest such cipher is an autokey cipher that uses the message itself for the key  Essentially, this is similar to the Vigenère cipher with the key coming from the message  Example:  Message: THISISTHEREMIX  Key: QTHISISTHEREMI  Alternatively, the key can be drawn from the ciphertext  Message: THEBOYHASTHECAT  Key: XQXBCQOVVNGNRTT  Ciphertext: QXBCQOVVNGNRTTM

 Confusion is the property of a cryptosystem that changing a single character in the plaintext should not have a predictable effect  Diffusion is the property of a cryptosystem that each character in the plaintext should impact many characters in the ciphertext  Examples:  Caesar cipher has poor confusion and no diffusion  One time pad has good confusion but no diffusion  Auto-key ciphers may have poor confusion but good diffusion  AES and DES have good confusion and diffusion within a block

 We measure a cryptosystem based on its resistance to an adversary or attacker  Kinds of attacks:  Ciphertext only  Full or partial plaintext  Chosen plaintext  Chosen ciphertext  Ciphertext and plaintext pairs

 Attacker only has access to an encrypted message, with a goal of decrypting it  This is the assumption we have made so far when cryptanalyzing the classical ciphers  The world is filled with ciphertext data  This model gives the attacker very little to work with

 Attacker has access to a plaintext and its matching ciphertext, with a goal of discovering the key  It is possible that the full or partial plaintext is available because it is an encrypted broadcast of public (or soon to be public) information  Perhaps a secret transmission informed everyone of a new policy  Then, the policy is made public  Some messages are very common  “Nothing to report.”  If these messages are predictable, the ciphertext could be intercepted and the plaintext guessed

 Attacker may ask to encrypt any plaintext, with a goal of discovering the key  This model seems unusual, but it comes up in practice  Military forces seize a transmission room and start transmitting messages  Perhaps they don’t have enough knowledge to learn the encryption settings, but the known messages could be analyzed later  All public key cryptosystems allow this kind of attack, since anyone can generate encrypted messages

 It is unusual that an attacker can pick a ciphertext and ask for it to be decrypted  Why not just ask for any particular ciphertext that you’re interested in?  If you have access to code that can encrypt huge amounts of plaintext quickly, it is possible to attempt a brute force encryption that will approximate choosing the ciphertext

 As an extension of known plaintext, it may be the case that you have many ciphertext/plaintext pairs that are encrypted with the same key

 Humans allow some of the scenarios described above through error  Operators transmit the same message with two different keys  Operators transmit some information in the clear  Operators transmit a repeat of a message but make small mistakes the second time  As usual, humans are a problem

 A block cipher is a symmetric key cipher that works on a block of data of a given size  For compatibility with hardware, block sizes are often powers of two: 64 bits, 128 bits, 256 bits, etc.  Block ciphers are a fundamental part of many modern cryptosystems  To encrypt a message longer than a single block:  First break the message into blocks  Then, each block could be encrypted individually  Or data from the first block can be used in the encryption of the second, and so on

 Data Encryption Standard  DES is a typical block cipher  It was chosen as the government's standard for encryption in 1976 (but has since been deprecated)  DES works on blocks 64 bits in size  DES uses a 56 bit key  NSA helped design it… amidst some controversy

 In the 1970’s, the National Bureau of Standards (NBS) saw the need for a publicly available encryption standard  They called for proposals that met the following criteria:  High level of security  Easy to understand  Publishable (no security through obscurity)  Available to everyone  Adaptable for many applications  Economical to implement in hardware  Efficient to use  Able to be validated  Exportable  A cryptosystem called Lucifer developed by IBM was adapted into the resulting DES  NBS was reorganized into the National Institute of Standards and Technology in 1988

 After WWII (the birth of modern cryptography), many governments saw the immense value of crypto  Countries like the US with good crypto didn’t want their enemies to have it  Strong encryption was listed as an Auxiliary Weapons Technology on the US Munitions List  40 bit or weaker encryption could be exported  2 40 possibilities can be brute forced in days (or hours)  In 1996, Bill Clinton signed an executive order that moved commercial encryption from the Munitions List to the Commerce Control List  It is still technically possible to be arrested for exporting software that can perform strong encryption and decryption  But it is no longer illegal arms trafficking  Although DES is longer than 40 bits, its 56 bits seem to be in the range that never really posed a problem for the feds

 DES has 16 rounds  The book calls them cycles  In each round, the input is broken into 2 halves, manipulated, and combined with part of the key Input Permutation Left 0 Right 0 f f Key 1 Left 1 Right Left 0 Right 0

 DES uses bitwise operations as well as lookup tables  DES has 8 substitution boxes (S-boxes) which take 6 bits of data and give back 4

 The expansion permutation takes 32 input bits and expands them into 48 bits while permuting them  16 bits are repeated  These 48 bits are XORed with the round key  The resulting 48 bits are substituted through S-boxes which produces a 32 bit result  The final 32 bits are permuted Expansion Permutation XOR with Key S-boxP-box

 The encryption key is 64 bits, but only 56 bits are used  The other 8 bits are for parity  Each of the 16 rounds has a 48 bit round key  To produce the round key, the left and right halves of the 56 bit key are independently shifted by either 1 or 2 bits, depending on the round  48 bits are chosen and permuted by a key transformation box

 There is an initial permutation before the rounds  There is a final permutation after the rounds  Otherwise, each round feeds into the next one

 The NSA tinkered with DES  They shortened the key length from the original 128 bits of Lucifer to 56  They changed the S-boxes  People were concerned that the NSA had introduced a trapdoor so that they could read messages  Eventually, the NSA released information about the choice of S-boxes:  No S-box is a linear or affine function of its input  Changing 1 bit of the S-box input changes at least 2 bits of its output  If a single bit is held constant, changing the others should not radically change the total number of 1s or 0s in the output

 In 1990, researchers independently discovered differential cryptanalysis  It uses related plaintext-ciphertext pairs to trace small changes in input to the output  The changes the NSA made to the S-boxes made them significantly more resistant to differential cryptanalysis  Declassified explanations show that people at IBM and the NSA knew about differential cryptanalysis in the 1970s

 DES has four weak keys that are their own inverse  Encryption = decryption for these keys  They are all 1s, all 0s, or half and half  DES has six pairs of semiweak keys  Encryption with one key is the same as decryption with the other in the pair  Complements:  If c = DES(p, k) then  c = DES(  p,  k)  These problems are easily avoidable  Don’t use weak or semiweak keys  People are usually not encrypting the negation of a plaintext with the negation of a key

 DES is fast  Easy to implement in software or hardware  Encryption is the same as decryption  Triple DES is still standard for many financial applications  Resistant to differential and linear cryptanalysis (2 47 and 2 43 known pairs required, respectively)

 Short key size  Brute force attack by EFF in 1998 in 56 hours then in 1999 in just over 22 hours  Brute force attack by University of Bochum and Kiel in 9 days in 2006 (but, using a machine costing only $10,000)  If you could check 1,000,000,000 keys per second (which is unlikely with a commodity PC), it would take an average of 417 days to recover a key

 The short key size leaves DES vulnerable to brute force attacks  How can we make up for this weakness?  Possibilities:  Encrypt twice with DES  Encrypt three times with DES ……

 "DES is wrong if you listen to NIST, Double DES ain't no better, man, that got dissed" --MC Plus+  Double DES encrypts a plaintext with DES twice, using two different keys  Double DES is susceptible to a meet-in-the- middle attack  This attack uses a space-time tradeoff  Although two keys should mean = 112 bits of security or time for a brute force attack, the meet-in-the-middle attack can run in roughly 2 57 or 2 58 time, using 2 56 space

Encrypt P 1 Decrypt C 1  Two pairs of plaintexts and ciphertexts are needed  Encrypt P 1 with all possible keys and save them  Decrypt C 1 with all possible keys  If the result matches anything in the list, use the key to encrypt P 2  If that matches C 2, you win!  On the left, I show all the decryptions, but only the encryptions need to be stored

 Although susceptible to a brute force attack, DES has no other major weaknesses  Double DES can be defeated by an extension of the brute force attack  What about triple DES?  Let E K (X) and D K (X) be encryption and decryption using DES with key K  Triple DES uses keys K1, K2, and K3  C = E K1 (D K2 (E K3 (M)))  Setting K1 = K2 = K3 allows for compatibility with single DES systems  Triple DES is still a standard for financial transactions with no known practical attacks

 Finish DES  AES  Nick Viscardi presents

 Keep reading Sections 2.3 and 12.2  Work on Project 1  Due next Friday  Finish Assignment 1  Due tonight by midnight!  There's also a field trip to Cargas Systems in Lancaster today  Leaves Esbenshade at 3:30pm