CNIT 141: 4. Block Ciphers
0 likes153 views
The document discusses the fundamentals of block ciphers, specifically focusing on the Advanced Encryption Standard (AES) and its implementation. It covers the construction of block ciphers, security goals, modes of operation including ECB and CBC, and the efficiency improvements in AES implementations. Additionally, it highlights potential vulnerabilities and attacks against encryption methods, such as padding oracle attacks and meet-in-the-middle attacks.
CNIT 141: 4. Block Ciphers
- 1. CNIT 141 Cryptography for Computer Networks 3. Cryptographic Security
- 2. Topics • What is a Block Cipher • How to Construct Block Ciphers • The Advanced Encryption Standard (AES) • Implementing AES • Modes of Operation • How Things Can Go Wrong
- 3. History • US: Federal standard: DES (1979 - 2005) • KGB: GOST 28147-89 (1990 - present) • in 2000, NIST selected AES, developed in Belgium • They are all block ciphers
- 4. What is a Block Cipher
- 5. Block Cipher E Encryption algorithm K Key P Plaintext block C Ciphertext block C = E(K, P) D Decryption algorithm P = D(K, C)
- 6. Security Goals • Block cipher should be a pseudorandom permutation (PRP) • Attacker can't compute output without the key • Attackers should be unable to find patterns in the inputs/output values • The ciphertext should appear random
- 7. Block Size • DES: 64 bit • AES: 128 bit • Chosen to fit into registers of CPUs for speed • Block sizes below 64 are vulnerable to a codebook attack • Encrypt every possible plaintext, place in a codebook • Look up blocks of ciphertext in the codebook
- 8. How to Construct Block Ciphers
- 9. Two Techniques • Substitution-permutation (AES) • Feistel (DES)
- 10. Rounds • R is a round --in practice, a simple transformation • A block cipher with three rounds: • C = R3(R2(R1(P))) • iR is the inverse round function • I = iR1(iR2(iR3(C)))
- 11. Round Key • The round functions R1 R2 R3 use the same algorithm • But a different round key • Round keys are K1, K2, K3, ... derived from the main key K using a key schedule
- 12. The Slide Attack and Round Keys • Consider a block cipher with three rounds, and with all the round keys identical
- 13. The Slide Attack and Round Keys • If an attacker can find plaintext blocks with P2 = R(P1) • That implies C2 = R(C1) • Which often helps to deduce the key
- 14. The Slide Attack and Round Keys • The solution is to make all round keys different • Note: the key schedule in AES is not one-way • Attacker can compute K from any Ki • This exposes it to side-channel attacks, like measuring electromagnetic emanations
- 15. Substitution-Permutation Networks • Confusion means that each ciphertext bit depends on several key bits • Provided by substitution using S-boxes • Diffusion means that changing a bit of plaintext changes many bits in the ciphertext • Provided by permutation
- 16. Feistel Schemes • Only half the plaintext is encrypted in each round • By the F substitution- permutation function • Halves are swapped in each round • DES uses 16 Feistel rounds
- 18. The Advanced Encryption Standard (AES)
- 19. DES • DES had a 56-bit key • Cracked by brute force in 1997 • 3DES was a stronger version • Still considered strong, but slower than AES • AES approved as the NIST standard in 2000
- 20. • Link Ch 4a
- 24. AES in Python from Crypto.Cipher import AES plaintext = "DEAD MEN TELL NO" key = "AAAABBBBCCCCDDDD" cipher = AES.new(key) ciphertext = cipher.encrypt(plaintext) print ciphertext ??k٨?U?`??? print ciphertext.encode("hex") 8fc96bdbb85c8155896088b4ca201b7e print cipher.decrypt(ciphertext) DEAD MEN TELL NO
- 25. Implementing AES
- 26. Improving Efficiency • Implementing each step as a separate function works, but it's slow • Combining them with "table-based implementations" and "native instructions" is faster • Using XORs and table lookups
- 28. Timing Attacks • The time required for encryption depends on the key • Measuring timing leaks information about the key • This is a problem with any efficient coding • You could use slow code that wastes time • A better solution relies on hardware
- 29. Native Instructions • AES-NI • Processor provides dedicated assembly instructions that perform AES • Plaintext in register xmm0 • Round keys in xmm5 to xmm15 • Ten times faster with NI
- 30. Is AES Secure? • AES implements many good design principles • Proven to resist many classes of cryptoanalytic attacks • But no one can foresee all possible future attacks • So far, no significant weakness in AES-128 has been found
- 32. Electronic Code Book (ECB) • Each plaintext block is encrypted the same way • Identical plaintext blocks produce identical ciphertext blocks
- 33. AES-ECB • If plaintext repeats, so does ciphertext plaintext = "DEAD MEN TELL NODEAD MEN TELL NO" ciphertext = cipher.encrypt(plaintext) print ciphertext.encode("hex")
- 34. Staples Android App • Link Ch 4b
- 36. ECB Mode • Encrypted image retains large blocks of solid color
- 37. Cipher Block Chaining (CBC) • Uses a key and an initialization vector (IV) • Output of one block is the IV for the next block • IV is not secret; sent in the clear
- 38. CBC Mode • Encrypted image shows no patterns
- 39. Choosing IV • If the same IV is used every time • The first block is always encrypted the same way • Messages with the same first plaintext block will have identical first ciphertext blocks
- 40. Parallelism • ECB can be computed in parallel • Each block is independent • CBC requires serial processing • Output of each block used to encrypt the next block
- 41. Message Length • AES requires 16-byte blocks of plaintext • Messages must be padded to make them long enough
- 42. PKCS#7 Padding • The last byte of the plaintext is always between 'x00' and '10' • Discard that many bytes to get original plaintext
- 43. Padding Oracle Attack • Almost everything uses PKCS#7 padding • But if the system displays a "Padding Error" message the whole system shatters like glass • That message is sufficient side-channel information to allow an attacker to forge messages without the key
- 44. Ciphertext Stealing • Pad with zeroes • Swap last two blocks of ciphertext • Discard extra bytes at the end • Images on next slides from Wikipedia
- 47. Security of Ciphertext Stealing • No major problems • Inelegant and difficult to get right • NIST SP 800-38A specifies three different ways to implement it • Rarely used
- 49. C1 K E C2 K E C2 K E Counter (CTR) Mode • Produces a pseudorandom byte stream • XOR with plaintext to encrypt
- 50. Nonce • Nonce (N) used to produce C1, C2, C3, etc. • C1 = N ^ 1 • C2 = N ^ 2 • C3 = N ^ 3 • etc. • Use a different N for each message • N is not secret, sent in the clear
- 51. No Padding • CTR mode uses a block cipher to produce a pseudorandom byte stream • Creates a stream cipher • Message can have any length • No padding required
- 52. Parallelizing • CTR is faster than any other mode • Stream can be computed in advance, and in parallel • Before even knowing the plaintext
- 53. How Things Can Go Wrong
- 54. Two Attacks • Meet-in-the-middle • Padding oracle
- 55. Meet-in-the-Middle Attacks • 3DES does three rounds of DES • Why not 2DES? University of Houston
- 56. Attacking 2DES • Two 56-bit keys, total 112 bits • End-to-end brute force would take 2^112 calculations
- 57. Attacking 2DES • Attacker inputs known P and gets C • Wants to find K1, K2
- 58. Attacking 2DES • Make a list of E(K1, P) for all 2^56 values of K1 • Make a list of D(K2, P) for all 2^56 values of K2 • Find the item with the same values in each list • This finds K1 and K2 with 2^57 computations
- 59. Meet-in-the-Middle Attack on 3DES • One table has 2^56 entries • The other one has 2^112 entries • 3DES has 112 bits of security
- 60. Padding Oracle
- 61. Padding Oracle
- 62. Padding Oracle • Change the last byte in second block • This changes the 17 bytes shown in red
- 63. Padding Oracle • Try all 256 values of last byte in second block • One of them has valid padding of 'x01' • This determines the orange byte
- 64. Padding Oracle • Continue, 256 guesses finds the next orange byte