Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.

Published byLionel Holmes Modified over 8 years ago

Similar presentations

Presentation on theme: "Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia."— Presentation transcript:

1 Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia

2 Lecture 3: Symmetric Ciphers and Hash Functions

3 January 22, 2002Practical Aspects of Modern Cryptography3 Meet Alice and Bob BobAlice Message

4 January 22, 2002Practical Aspects of Modern Cryptography4 Modern Symmetric Ciphers Setup: Alice wants to send a private message to Bob. Precondition: Alice and Bob have previously shared some secret known only to them. The pre-shared secret is the encryption key Alice and Bob will use.

5 January 22, 2002Practical Aspects of Modern Cryptography5 Symmetric Encryption k Alice (sender) Bob (receiver) Bob knows secret key k Alice knows secret key k Plaintext P Dec(C,k) Ciphertext C Enc(P,k) Plaintext P

6 January 22, 2002Practical Aspects of Modern Cryptography6 What makes a cipher secure? Exhaustive search of keyspace must be infeasible More about this later… It must also be infeasible to find the key given: Sample ciphertext and corresponding plaintext (“known-plaintext attack”) The ability to feed ciphertext in and see what plaintext comes out (“chosen-ciphertext attack”) or the other way around (“chosen-plaintext attack”) If someone can find keys under any of these conditions, the cipher isn’t considered secure

7 January 22, 2002Practical Aspects of Modern Cryptography7 Some bad cipher ideas Repeated XOR mask Pick a key number. XOR with each plaintext XOR with key again to decrypt INSECURE: just one plaintext/ciphertext gives the key Monoalphabetic substitution Key is a table of letters and corresponding ciphertexts a=m, b-x, c=b, d=r, etc. encrypt/decrypt by substitution Exhaustive search is really hard (26! keys to try). INSECURE: statistical analysis of ciphertext frequency

8 January 22, 2002Practical Aspects of Modern Cryptography8 Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. Block ciphers Stream ciphers

9 January 22, 2002Practical Aspects of Modern Cryptography9 Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. Block ciphers Stream ciphers

10 January 22, 2002Practical Aspects of Modern Cryptography10 Block ciphers Encrypt fixed-size blocks ciphertext = Encrypt(key,cleartext) cleartext = Decrypt(key,ciphertext) Encrypt function converts blocks of cleartext bits to ciphertext bits Decrypt function converts back If the key is wrong, you get the wrong result Shouldn’t be possible to derive key given cleartext, ciphertext pairs Examples include DES, 3DES, AES

11 January 22, 2002Practical Aspects of Modern Cryptography11 Block Ciphers Block Cipher Plaintext DataCiphertext Key

12 January 22, 2002Practical Aspects of Modern Cryptography12 Block Ciphers Block Cipher Plaintext DataCiphertext Key Currently usually 8 bytes. AES uses 16 bytes.

13 January 22, 2002Practical Aspects of Modern Cryptography13 Fast Facts about Block Ciphers Encrypt/decrypt data a block at a time Encryption/decryption of sequential blocks may be related Mode of operation We always encrypt/decrypt full blocks No partial blocks allowed by the cipher! Our plaintext may not be an even multiple of blocks, so we may need to pad the last plaintext block

14 January 22, 2002Practical Aspects of Modern Cryptography14 Block Cipher Modes Electronic Code Book (ECB) Encryption: Block Cipher Block Cipher Block Cipher Block Cipher Plaintext Ciphertext

15 January 22, 2002Practical Aspects of Modern Cryptography15 Block Cipher Modes Electronic Code Book (ECB) Decryption: Inverse Cipher Inverse Cipher Inverse Cipher Inverse Cipher Plaintext Ciphertext

16 January 22, 2002Practical Aspects of Modern Cryptography16 Problems with ECB Patterns in plaintext preserved in ciphertext No basic integrity protection. Must add or: Cipher block substitution and rearrangement attacks Fabrication of information Block Cipher Block Cipher Block Cipher Block Cipher X0X0 X1X1 X2X2 X 3 = X 0 C0C0 C1C1 C2C2 C 3 = C 0

17 January 22, 2002Practical Aspects of Modern Cryptography17 Block Cipher Modes Cipher Block Chaining (CBC) Encryption: Block Cipher Block Cipher Block Cipher Block Cipher Plaintext Ciphertext IV

18 January 22, 2002Practical Aspects of Modern Cryptography18 Block Cipher Modes Cipher Block Chaining (CBC) Decryption: Inverse Cipher Inverse Cipher Inverse Cipher Inverse Cipher Plaintext Ciphertext IV

19 January 22, 2002Practical Aspects of Modern Cryptography19 How to Build a Block Cipher Block Cipher Plaintext Ciphertext Key

20 January 22, 2002Practical Aspects of Modern Cryptography20 Feistel Ciphers Ugly

21 January 22, 2002Practical Aspects of Modern Cryptography21 Feistel Ciphers Ugly

22 January 22, 2002Practical Aspects of Modern Cryptography22 Feistel Ciphers Ugly

23 January 22, 2002Practical Aspects of Modern Cryptography23 Ugly Feistel Ciphers

24 January 22, 2002Practical Aspects of Modern Cryptography24 Feistel Ciphers Ugly

25 January 22, 2002Practical Aspects of Modern Cryptography25 Feistel Ciphers Typically, most Feistel ciphers are iterated for about 16 rounds. Different “sub-keys” are used for each round. Sub-keys are derived from the master key or a derived key schedule Even a weak round function can yield a strong Feistel cipher if iterated sufficiently.

26 January 22, 2002Practical Aspects of Modern Cryptography26 Data Encryption Standard (DES) Block Cipher 64-bit Plaintext 64-bit Ciphertext 56-bit Key

27 January 22, 2002Practical Aspects of Modern Cryptography27 Data Encryption Standard (DES) 64-bit Plaintext 64-bit Ciphertext 56-bit Key 16 Feistel Rounds

28 January 22, 2002Practical Aspects of Modern Cryptography28 Data Encryption Standard (DES) 64-bit Plaintext 64-bit Ciphertext 56-bit Key 16 Feistel Rounds

29 January 22, 2002Practical Aspects of Modern Cryptography29 DES Round Ugly

30 January 22, 2002Practical Aspects of Modern Cryptography30 Simplified DES Round Function Sub-key 4-bit substitutions 32-bit permutation Ugly 32 bits

31 January 22, 2002Practical Aspects of Modern Cryptography31 Actual DES Round Function Sub-key 6/4-bit substitutions 32-bit permutation Ugly 32 bits 48 bits

32 January 22, 2002Practical Aspects of Modern Cryptography32 Padding Modes What do we do if the length of the plaintext is not an even multiple of the cipher’s block size? A: Drop the extra data on the floor (You really didn’t want it encrypted anyway) B: Throw an exception/return an error “User error” C: Pad the last block of plaintext so it’s a full block, then encrypt it normally

33 January 22, 2002Practical Aspects of Modern Cryptography33 Padding with Zero Add enough zeros to the end of the data so we have a full block to encrypt Example: last block is 31 D9 7B D7 Zero padding yields: 31 D9 7B D7 31 D9 7B D7 00 00 00 00

34 January 22, 2002Practical Aspects of Modern Cryptography34 Zero Padding What’s wrong with padding with zeros? If my plaintext can end in a zero, I cannot tell the plaintext data apart from the added pad Not always fatal, but in general zero is a legal plaintext value We need something else... 31 D9 7B 00

35 January 22, 2002Practical Aspects of Modern Cryptography35 PKCS Padding Idea: Pad the block with a value that depends on the amount of padding needed. This lets you tell the pad apart from the plaintext If you need n bytes of pad, pad with a value of n! Example: Need to pad the last four bytes? Use a value of 04: 31 D9 7B D7 04 04 04 04

36 January 22, 2002Practical Aspects of Modern Cryptography36 PKCS Padding Removing a PKCS pad is easy: Look at the last byte of the last block of plaintext – this is the pad value Remove that many bytes of padding 31 D9 7B D7 04 04 04 04 Value: 04 Remove last 4 bytes

37 January 22, 2002Practical Aspects of Modern Cryptography37 PKCS Padding What did I forget? What happens if the plaintext doesn’t need to be padded? (Last block is already full...) A7 9D 42 46 BE D4 37 B8 Value: B8 (decimal 184) Remove last 184 bytes!

38 January 22, 2002Practical Aspects of Modern Cryptography38 PKCS Padding If the last block is a full block, add an entire block’s worth of padding: A7 9D 42 46 BE D4 37 B8 08 08 08 08 08 08 08 08 Value: 08 Remove last 8 bytes (entire block)

39 January 22, 2002Practical Aspects of Modern Cryptography39 Block Ciphers in Use Today DES is not secure DES can be brute-forced (2^56 operations) In January 1998, a combination of the EFF DES Cracker and distributed.net brute-forced a challenge in less than 24 hours Today, the common choices are: Triple-DES (two-key or three-key) AES (Rijndael)

40 January 22, 2002Practical Aspects of Modern Cryptography40 Triple-DES (3DES) Triple-DES is DES run three times Sometimes called 3DES-EDE because it has three stages: encryption-decryption-encryption DES Encryption DES Decryption DES Encryption Ciphertext Plaintext Key K 1 Key K 2 Key K 3

41 January 22, 2002Practical Aspects of Modern Cryptography41 Triple-DES (3DES) Triple-DES can be run in either two-key or three- key modes In two-key mode, K1 = K3 In three-key mode, K1, K2, K3 are all distinct If K1 = K2 = K3, you have just DES DES Encryption DES Decryption DES Encryption Ciphertext Plaintext Key K 1 Key K 2 Key K 3

42 January 22, 2002Practical Aspects of Modern Cryptography42 Be Skeptical of New Ciphers The details are everything And there are a lot of details Cipher design is much harder than you’d think Don’t ever design and use your own cipher! It won’t be nearly as secure as existing designs like 3DES Don’t trust secret algorithms Need lots of review by skeptical experts to gain confidence in a cipher

43 January 22, 2002Practical Aspects of Modern Cryptography43 Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. Block ciphers Stream ciphers

44 January 22, 2002Practical Aspects of Modern Cryptography44 An unconditionally secure cipher Problems: Number of random bits needed = sum of lengths of all messages to be encrypted (not reusable) Random bits must be known to both sender and recipient. Background: The One-Time Pad Key = random bits = 1100010011100100011… Message = bits = 1110011001100110001… Ciphertext = XOR of Key, Message = 0010001010000010010...

45 January 22, 2002Practical Aspects of Modern Cryptography45 Random Numbers Really good random numbers are hard to acquire Best bits come from physical systems Radioactive decay (http://www.fourmilab.ch/hotbits/) Noise diodes Lava Lamps Getting many truly random bits is slow Getting many shared truly random bits is more awkward Getting “good randomness” is important for many crypto algorithms Picking private key components & secret keys Some algorithms (e.g. DSA) require random input!

46 January 22, 2002Practical Aspects of Modern Cryptography46 So how do we get random numbers on a computer? It sounds so easy: “Just pick some random bytes” No good standard source of computer randomness OS state (time-of-day, PID) is very low entropy User keyboard input is very unreliable Best practical options aren’t very good Inter-event timing (keyboard, network), timing loops, fast clocks and interval timers Better would be /dev/random, or hardware generator Intel 850 chipset (for Pentium motherboards) has on-board hardware RNG

47 January 22, 2002Practical Aspects of Modern Cryptography47 Pseudo-Random Numbers How do we make a lot of “good” random bits from a smaller number of “really good” random bits? We want “pseudo-random bits” Pseudo-random bitstrings are “polynomial time indistinguishable” from truly random bitstrings In practice: use DES, hash functions to generate bits from a random seed (FIPS 186)

48 January 22, 2002Practical Aspects of Modern Cryptography48 Stream Ciphers Use the secret key as a seed to a pseudo- random number-generator. Take the stream of output bits from the PRNG and XOR it with the plaintext to form the ciphertext.

49 January 22, 2002Practical Aspects of Modern Cryptography49 Stream ciphers Generate mask bits ciphertext[i] = cleartext[i]+stream(key,state) cleartext[i] = ciphertext[i]-stream(key,state) Cipher produces a sequence of bits that is added to the cleartext to produce ciphertext Receiver can generate the same sequence and subtract from ciphertext to recover cleartext Must never re-use same part of stream Each bit is encrypted independently

50 January 22, 2002Practical Aspects of Modern Cryptography50 Stream Cipher Encryption Plaintext: PRNG(seed): Ciphertext:

51 January 22, 2002Practical Aspects of Modern Cryptography51 Stream Cipher Decryption Plaintext: PRNG(seed): Ciphertext:

52 January 22, 2002Practical Aspects of Modern Cryptography52 A PRNG: Alleged RC4 Initialization S[0..255] = 0,1,…,255 K[0..255] = Key,Key,Key,… for i = 0 to 255 j = (j + S[i] + K[i]) mod 256 swap S[i] and S[j]

53 January 22, 2002Practical Aspects of Modern Cryptography53 A PRNG: Alleged RC4 Iteration i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap S[i] and S[j] t = (S[i] + S[j]) mod 256 Output S[t]

54 January 22, 2002Practical Aspects of Modern Cryptography54 Stream Cipher Integrity It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $0,000,002.00 to the account of my good friend Alice.

55 January 22, 2002Practical Aspects of Modern Cryptography55 Stream Cipher Integrity It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice.

56 January 22, 2002Practical Aspects of Modern Cryptography56 Stream Cipher Integrity It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice. This can be protected against by the careful addition of appropriate redundancy.

57 January 22, 2002Practical Aspects of Modern Cryptography57 One-Way Hash Functions The idea of a check sum is great, but it is designed to prevent accidental changes in a message. For cryptographic integrity, we need an integrity check that is resilient against a smart and determined adversary.

58 January 22, 2002Practical Aspects of Modern Cryptography58 One-Way Hash Functions Generally, a one-way hash function is a function H : {0,1}*  {0,1} k (typically k is 128 or 160) such that given an input value x, one cannot find a value x  x such H(x) = H(x ).

59 January 22, 2002Practical Aspects of Modern Cryptography59 One-Way Hash Functions There are many measures for one-way hashes. Non-invertability: given y, it’s difficult to find any x such that H(x) = y. Collision-intractability: one cannot find a pair of values x  x such that H(x) = H(x ).

60 January 22, 2002Practical Aspects of Modern Cryptography60 An Example Hash: SHA-1 SHA-1 was designed by the US Government as part of the Digital Signature Standard SHA-1 is the most-commonly used hash function today It’s the hash function in which we have the most faith right now SHA-1 takes any size input and produces a 160-bit output (the digest value)

61 January 22, 2002Practical Aspects of Modern Cryptography61 A Cryptographic Hash: SHA-1 Compression Function 160-bit Output 512-bit Input (IV)

62 January 22, 2002Practical Aspects of Modern Cryptography62 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds

63 January 22, 2002Practical Aspects of Modern Cryptography63 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds No Change

64 January 22, 2002Practical Aspects of Modern Cryptography64 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds Rotate 30 bits

65 January 22, 2002Practical Aspects of Modern Cryptography65 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds No Change

66 January 22, 2002Practical Aspects of Modern Cryptography66 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds No Change

67 January 22, 2002Practical Aspects of Modern Cryptography67 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds ?

68 January 22, 2002Practical Aspects of Modern Cryptography68 A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words.

69 January 22, 2002Practical Aspects of Modern Cryptography69 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds f

70 January 22, 2002Practical Aspects of Modern Cryptography70 A Cryptographic Hash: SHA-1 Depending on the round, the “non-linear” function f is one of the following. f(X,Y,Z) = (X  Y)  ((  X)  Z) f(X,Y,Z) = (X  Y)  (X  Z)  (Y  Z) f(X,Y,Z) = X  Y  Z

71 January 22, 2002Practical Aspects of Modern Cryptography71 A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words.

72 January 22, 2002Practical Aspects of Modern Cryptography72 A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant.

73 January 22, 2002Practical Aspects of Modern Cryptography73 A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant. Add in a portion of the 512-bit message.

74 January 22, 2002Practical Aspects of Modern Cryptography74 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds

75 January 22, 2002Practical Aspects of Modern Cryptography75 One-Way Hash Functions When using a stream cipher, a hash of the message can be appended to ensure integrity. [Message Authentication Code] When forming a digital signature, the signature need only be applied to a hash of the message. [Message Digest]

Download ppt "Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia."

Similar presentations

“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.

Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.

© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.

Similar presentations

Ads by Google