Computer Security Lecture 3 (PDF transcript)
University of Surrey
Yangguang (Jack) Tian
Summary
This document is a lecture on computer security focusing on symmetric cryptography: DES (Data Encryption Standard) and AES (Advanced Encryption Standard), their key schedules and encryption/decryption structures, followed by hash functions, message authentication codes (MACs) and hash-based signatures. Appendices cover the details of DES and password storage.
Full Transcript
Slide 1: COM2041 Computer Security, Lecture 3. Yangguang (Jack) Tian

Slide 2: Symmetric Cryptography (II)

Slide 3: Review of the previous lecture
- Block ciphers (e.g. DES and AES)
- Padding
- Modes of operation (e.g. ECB, CBC and CTR); CTR mode is used to build a stream cipher from a block cipher
- Error propagation
- Message Authentication Codes (MAC)
- MAC based on a block cipher
- Authenticated encryption

Slide 4: Structure of the lecture, Symmetric Cryptography (II)
- DES: Data Encryption Standard
- AES: Advanced Encryption Standard
- Hash functions
- MAC based on hash functions
- Hash-based signatures

Slide 6: DES, the Data Encryption Standard
- Approved as a US federal standard in 1976 by the National Bureau of Standards (now NIST) and published as FIPS 46 in 1977; reaffirmed roughly every 5 years
- Finally replaced in 2001 by AES (the Advanced Encryption Standard)
- Uses keys of 56 bits (plus 8 bits for parity checks)
- No practical attack better than brute force is known (differential and linear cryptanalysis beat exhaustive search only with on the order of 2^43 or more known or chosen plaintexts), but a key space of 2^56 keys is not many these days: a purpose-built machine searched it in under three days as early as 1998, and commodity hardware does so far faster now
- It is a 64-bit block cipher: it encrypts in 64-bit (8-byte) blocks

Slide 7: DES components
DES is built from several component operations, each of which is individually quite simple:
- Exclusive or (XOR, "⊕")
- Permutation
- Lookups (the S-boxes)
- Left bitshift (rotation)
- Loops / repeated rounds
All of these can be implemented very efficiently in hardware.

Slide 8: DES key
- A DES key is presented as 8 bytes, e.g. 9F 6D 32 6A 01 68 EC 5B. This contains 64 bits; however 8 of them (the last bit of each byte) are parity bits, which are effectively not part of the key and are usually ignored in practice.
- The least significant bit of each byte is a parity bit, and should be set such that there is always an odd number of 1 bits in each key byte. (As printed, bytes 9F and 6A of the example have an even number of 1 bits, so a strict implementation would reject this key; most implementations simply ignore parity.)
- The key therefore contains 56 bits of secret key material: there are 56 bits that you need to know in order to encrypt or decrypt.
Slide 9: DES schematic
[Figure: P (64 bits) passes through Round 1, Round 2, Round 3, ..., Round 16 to give C (64 bits); the key K (64 bits, of which 56 are used) feeds a key schedule that produces K1, K2, K3, ..., K16 (48 bits each)]

Slide 10: DES key schedule
- First, from the 64-bit DES key, drop the 8 parity bits: bit numbers 8, 16, 24, 32, 40, 48, 56 and 64
- The key schedule algorithm takes the remaining 56-bit key as input and generates 16 48-bit subkeys K1, K2, ..., K16
- Each subkey is used in one round

Slide 11: DES schematic
[Figure: as slide 9, with K drawn as the 56-bit key]

Slide 12: DES schematic
[Figure: as slide 11, with the initial permutation IP before Round 1 and the final permutation IP^-1 after Round 16]

Slide 13: Initial and final permutations
[Figure: the IP and IP^-1 tables; not reproduced in the transcript]

Slide 14: DES encryption round
[Figure: 32-bit Li and 32-bit Ri enter the round; Ri goes through the mangler function with Ki+1, the result is XORed into Li; outputs are 32-bit Li+1 and 32-bit Ri+1]
- Each round takes a 64-bit message and a 48-bit round key as input and outputs a 64-bit message
- The left half of the output is simply the right half of the input: Li+1 = Ri
- The right half of the output is the left half of the input XORed with the right half mangled with the key: Ri+1 = Li ⊕ mangle(Ri, Ki+1)
- Details of the mangler function are in Appendix A below

Slide 15: DES encryption in a nutshell
- Generate sixteen 48-bit round keys, one for each round, from the 56-bit key
- To encrypt a 64-bit block: pass it through the initial permutation; then pass it through 16 rounds, each of which takes the output of the previous round and processes it with that round's 48-bit key in the mangler function; finally, pass it through the final permutation

Slide 16: DES decryption
- How do we decrypt? We need to undo all the permutations and rounds. Permutations can simply be reversed.
- To undo a round, we need to recover Li and Ri from Li+1 and Ri+1:
  Li+1 = Ri, so Ri = Li+1
  Ri+1 = Li ⊕ mangle(Ri, Ki+1), so Li = Ri+1 ⊕ mangle(Li+1, Ki+1)
- We never need to invert the mangle function; it is only ever used in the forward direction. This is why the mangler may contain non-invertible steps such as the 6-to-4-bit S-boxes.
Slide 17: DES decryption schematic
[Figure: C (64 bits) passes through Round 1, Round 2, Round 3, ..., Round 16 to give P (64 bits); the key schedule supplies K16, K15, K14, ..., K1 (48 bits each)]
- DES decryption uses the same steps as DES encryption, but with the key schedule in reverse

Slide 18: DES decryption round
[Figure: Ri+1 and Li+1 enter the round; Li+1 goes through the mangler function with Ki+1 and the result is XORed into Ri+1; outputs are Ri and Li]
- Li = Ri+1 ⊕ mangle(Li+1, Ki+1)
- The two halves are input to the round in the opposite order, and the output is also the two halves in the opposite order

Slide 19: TripleDES
- DES is now retired, but TripleDES is still in active use, because a 56-bit key is too small
- TripleDES provides a way of using DES with a longer key, 112 bits or 168 bits, making it more resistant to brute-force attacks
- 112-bit key: k = k1 || k2. Encrypting a block b consists of DES-encrypting it with k1, decrypting the result with k2, and then encrypting the result with k1 again:
  Ek(b) = Ek1(Dk2(Ek1(b)))
- 168-bit key: k is divided into three 56-bit keys, k = k1 || k2 || k3:
  Ek(b) = Ek3(Dk2(Ek1(b)))
- Also backwards compatible with DES systems: with the same DES key repeated, the middle decryption cancels the first encryption and the result is plain DES encryption
- But it is roughly three times slower than DES
- Caveats a practitioner should know: even the 168-bit variant offers only about 112 bits of security against a meet-in-the-middle attack (see the next slide); the 64-bit block size limits how much data can safely be encrypted under one key; and NIST has deprecated TripleDES for new applications (SP 800-131A). Use AES instead where possible.

Slide 20: Why not DoubleDES?
- DoubleDES with a 112-bit key k = k1 || k2: encrypt a block b with k2, then encrypt the result with k1: Ek(b) = Ek1(Ek2(b))
- If DES can be broken by a brute-force attack, then DoubleDES can be broken by a "meet-in-the-middle" attack.
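The Feistel round and its reversal (slides 14 to 18) and the meet-in-the-middle attack on double encryption described in the lines that follow, as an added example that is not part of the lecture: a toy Feistel cipher with 16-bit blocks, 12-bit keys and 4 rounds stands in for DES. Its S-box and key schedule are derived from SHA-256 only to obtain a reproducible non-linear table, nothing in them is DES's own, and the secret keys and known plaintexts are constructed demo values.

```python
"""Toy Feistel cipher in the shape of DES, and a meet-in-the-middle attack on
double encryption. Constructed example with tiny parameters; not DES itself."""
import hashlib

KEY_BITS = 12          # toy key space of 2**12 (DES: 2**56)
ROUNDS = 4             # toy round count (DES: 16)

# Fixed non-linear 8-bit lookup standing in for the DES S-boxes (derived from SHA-256 so
# the table is reproducible). It need not be invertible: a Feistel round never inverts it.
SBOX = [hashlib.sha256(bytes([i])).digest()[0] for i in range(256)]


def key_schedule(key: int) -> list[int]:
    """One 8-bit round key per round (DES uses rotations plus PC-2; a hash is used here)."""
    return list(hashlib.sha256(key.to_bytes(2, "big")).digest()[:ROUNDS])


def mangle(right: int, round_key: int) -> int:
    """The 'mangler' f(R, K): key mixing by XOR followed by the S-box lookup."""
    return SBOX[right ^ round_key]


def feistel(block: int, round_keys: list[int]) -> int:
    """Run a 16-bit block (two 8-bit halves) through the rounds; final swap as in DES (R16 || L16)."""
    left, right = block >> 8, block & 0xFF
    for rk in round_keys:
        # L_{i+1} = R_i ; R_{i+1} = L_i xor f(R_i, K_{i+1})
        left, right = right, left ^ mangle(right, rk)
    return (right << 8) | left


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    # Same rounds, same forward-only mangler; only the key schedule is reversed.
    return feistel(block, key_schedule(key)[::-1])


def double_encrypt(block: int, k1: int, k2: int) -> int:
    """The slide's DoubleDES: E_k(b) = E_k1(E_k2(b))."""
    return encrypt(encrypt(block, k2), k1)


def meet_in_the_middle(pairs: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Recover (k1, k2) from known plaintext/ciphertext pairs with about 2 * 2**KEY_BITS cipher
    calls instead of 2**(2*KEY_BITS): tabulate E_k2(p) for every k2, then look up D_k1(c) for every k1."""
    p0, c0 = pairs[0]
    middle: dict[int, list[int]] = {}
    for k2 in range(1 << KEY_BITS):
        middle.setdefault(encrypt(p0, k2), []).append(k2)
    candidates = []
    for k1 in range(1 << KEY_BITS):
        for k2 in middle.get(decrypt(c0, k1), ()):
            # With a 16-bit block and 24 bits of key, one pair leaves many false matches;
            # the remaining pairs filter them (DES with 112-bit keys needs a second 64-bit pair).
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


# Constructed demo values: the attacker knows the pairs, not the keys.
SECRET_K1, SECRET_K2 = 0x3A5, 0x9C2
KNOWN_PLAINTEXTS = [0x1234, 0xBEEF, 0x0042]


def demo() -> list[tuple[int, int]]:
    pairs = [(p, double_encrypt(p, SECRET_K1, SECRET_K2)) for p in KNOWN_PLAINTEXTS]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in demo()])
```

The attack does 2 x 4096 single encryptions plus a table lookup, against 4096 x 4096 for a naive search of the double key; scale the exponents to 56 and the same code is the 2^57 attack on DoubleDES, with the 2^56-entry table being the real cost.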
- Given a plaintext p and DoubleDES ciphertext c = Ek1(Ek2(p)), brute force can recover the key:
  generate all 2^56 encryptions Ek(p) of p, one per candidate k2, and store them in a table;
  generate all 2^56 decryptions Dk(c) of c, one per candidate k1;
  find where they match: a match Ek2(p) = Dk1(c) gives a candidate pair (k1, k2), and a second known pair (p', c') weeds out the false matches
- Needs lots of storage (2^56 table entries), but only takes about twice as long as brute-forcing single DES (2 x 2^56 operations rather than 2^112)

Slide 22: AES, the Advanced Encryption Standard
- AES is the current standard. The National Institute of Standards and Technology (NIST) in the US ran a competition for a successor to DES, with proposals from around the world.
- After several years of critical analysis and peer review, the winner selected was Rijndael (pronounced roughly "Rhine-Dahl") by Joan Daemen and Vincent Rijmen. AES is a standardisation of Rijndael.
- Block size 128 bits. Key sizes 128 (AES-128), 192 (AES-192) or 256 bits (AES-256).
- Uses similar principles to DES (rounds of substitution, permutation and key mixing, though as a substitution-permutation network rather than a Feistel network) and some "beautiful mathematics" (arithmetic in GF(2^8)) to optimise performance. Fast in both hardware and software.

Slide 23: AES, further materials
- Official definition (NIST publication): http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- YouTube: AES, A conceptual overview, Gideon Samid, https://www.youtube.com/watch?v=liKXtikP9F0
- Cartoon, for a lighter intro: A Stick Figure Guide to the Advanced Encryption Standard (see Acts 1-3.
Act 4 is complex mathematics): http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

Slide 24: AES schematic
[Figure: P (128 bits, a 4x4 array of bytes) passes through Round 1, Round 2, Round 3, ... to give C (128 bits); the key K (128, 192 or 256 bits) feeds a key schedule that produces the round keys. The labels "K1 (48 bits) ... K16 (48 bits)" in this figure are left over from the DES diagram; AES round keys are 128 bits, see the next slide]

Slide 25: AES key schedule
- Let n be the number of rounds: n = 10, 12 or 14 for 128-, 192- and 256-bit keys respectively
- The key schedule algorithm takes an AES key (128, 192 or 256 bits) as input and generates n+1 128-bit subkeys K0, K1, ..., Kn

Slide 26: AES schematic
[Figure: P (128 bits) through 10, 12 or 14 rounds to C (128 bits), with round keys K0, K1, K2, ..., K10 / K12 / K14 (128 bits each) from the key schedule of the 128-, 192- or 256-bit key K]

Slide 27: AES schematic
[Figure: P, Round 1 (K1), Round 2 (K2), ..., Round n (Kn), C; K0 is added before Round 1]

Slide 28: AES encryption
The complete encryption operation is a sequence of operations on a two-dimensional 4x4 array of bytes called the State, S:
(1) S = AddRoundKey(P, K0)
(2) for i = 1 to n-1:
      S = SubBytes(S)    (also called substitute bytes)
      S = ShiftRows(S)
      S = MixColumns(S)
      S = AddRoundKey(S, Ki)
(3) S = SubBytes(S); S = ShiftRows(S)
(4) C = AddRoundKey(S, Kn)
Note that the final round omits MixColumns.

Slide 29: AES S-box
- Given a byte, the first 4 bits (high nibble) select a row and the last 4 bits (low nibble) select a column of the S-box table; e.g. {53} maps to {ed}

Slide 30: AES round
[Figure, diagrams from Wikipedia: 1. Substitute Bytes via the S-box; 2. Shift Rows (rows are shifted by 0, 1, 2 or 3 bytes); 3. Mix Columns (not in the last round), written as a matrix multiplication with a fixed polynomial c(x); 4. Add Round Key]
[Figure continued: 4. Add Round Key; the row shifts are 0, 1, 2 or 3 bytes. Credit: round diagrams from Wikipedia]

Slide 31: AES decryption
The complete decryption operation (the straightforward inverse cipher) is:
(1) S = AddRoundKey(C, Kn)
(2) for i = n-1 down to 1:
      S = InvShiftRows(S)
      S = InvSubBytes(S)
      S = AddRoundKey(S, Ki)
      S = InvMixColumns(S)
(3) S = InvShiftRows(S); S = InvSubBytes(S)
(4) P = AddRoundKey(S, K0)
Each step undoes the corresponding encryption step in reverse order; AddRoundKey is its own inverse because it is an XOR with the round key.

Slide 32: AES inverse S-box
- Following the previous example, {ed} maps back to {53}

Slide 33: AES operations in the rounds
- For the details of these AES operations, see the AES demonstration in the lab (CrypTool)
- For an explanation of the MixColumns operation, see https://en.wikipedia.org/wiki/Rijndael_MixColumns
- Another good reference is ISO/IEC 18033-3:2010, Information technology, Security techniques, Encryption algorithms, Part 3: Block ciphers

Slide 35: Hash function
- A hash function is a function h that maps variable-length data x to a fixed-length value called the hash code y, written y = h(x). Note: a hash function does not use a key.
- To be usable for cryptographic purposes, such as in a MAC or a digital signature, a hash function must have three properties:
  One-way property (pre-image resistance): given a value y, it is computationally infeasible to find any x such that h(x) = y
  Second pre-image resistance: given an input x, it is computationally infeasible to find a second input x' ≠ x with h(x') = h(x)
  Collision resistance: it is computationally infeasible to find any two distinct messages x and x' that hash to the same value, h(x) = h(x')
- Standard: ISO/IEC 10118, Hash-functions

Slide 36: One-way property
- Given h(m), it is computationally infeasible to work out m [i.e.
cannot reverse the effects of the hash function]
- If m is an n-bit data string and y = h(m) is given, how many hash operations are needed to find m? About 2^n, trying every n-bit string. (If the hash output is only k < n bits and any pre-image will do, about 2^k trials suffice, since some input among the first 2^k or so will hit y.)

Slide 37: Collision-resistance property
- It should be infeasible to find any two messages m and m' that hash to the same value, h(m) = h(m')
- If m and m' are arbitrary data strings and hash outputs are k-bit strings, how many hash operations are needed to find a pair m, m' with h(m) = h(m')? Roughly 2^(k/2) hashes, by the birthday paradox: among N random k-bit values a repeat becomes likely once N^2 is about 2^k. This is why the output length must be at least twice the security level wanted (e.g. SHA-256 for 128-bit collision resistance).

Slide 38: Standard hash functions
- Several hash functions were or are widely used. They use manipulations similar to those in symmetric-key cryptography, but with no key input.
- MD4 and MD5 (MD stands for "message digest") were widely used but have serious weaknesses, including practical collisions; the recommendation is not to use them.
- SHA-1 (Secure Hash Algorithm) was a US standard and gives a 160-bit output. It is still found in widespread use, but is insecure: a practical collision was demonstrated in 2017 (the "SHAttered" attack), so it must not be relied on where collision resistance matters.
- SHA-2: a family of hash functions with output lengths 224, 256, 384 and 512 bits (SHA-224, SHA-256, SHA-384, SHA-512). These are the current recommendation.
- SHA-3 ("Keccak"): the winner of the NIST hash function competition, also with output lengths 224, 256, 384 and 512 bits, and built on a different internal structure (a sponge) from SHA-2.
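The 2^n and 2^(k/2) work factors of slides 36 and 37, as an added example that is not part of the lecture: SHA-256 truncated to k bits serves as a k-bit hash, and a birthday collision search is run next to a brute-force pre-image search so the two efforts can be compared on the same output size. The message families msg-i and pre-i and the target string are constructed for the demo.

```python
"""Birthday (collision) search versus pre-image search on a truncated hash.
Added example; SHA-256 is truncated to k bits so that the 2^(k/2) and 2^k
work factors from the slides can be observed in seconds."""
import hashlib
from itertools import count


def truncated_hash(msg: bytes, bits: int) -> int:
    """A toy k-bit hash: the top `bits` bits of SHA-256(msg)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int) -> tuple[bytes, bytes, int]:
    """Hash distinct messages until two share a k-bit value.
    Expected number of trials is about sqrt(pi/2) * 2**(bits/2), the birthday bound.
    Returns (m1, m2, trials) with m1 != m2 and equal truncated hashes."""
    seen: dict[int, bytes] = {}
    for i in count():
        msg = b"msg-%d" % i            # constructed message family: msg-0, msg-1, ...
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_preimage(target: int, bits: int, limit: int):
    """Brute-force search for any message hashing to `target`.
    Expected trials about 2**bits, i.e. the square of the collision effort.
    Returns (msg, trials) or None if `limit` trials were not enough."""
    for i in range(limit):
        msg = b"pre-%d" % i            # a different message family from the collision search
        if truncated_hash(msg, bits) == target:
            return msg, i + 1
    return None


def compare_efforts(bits: int) -> dict[str, int]:
    """Run both searches at the same output size and report the trial counts."""
    _, _, collision_trials = find_collision(bits)
    target = truncated_hash(b"the document", bits)      # constructed target value
    found = find_preimage(target, bits, limit=1 << (bits + 4))
    return {"bits": bits,
            "collision_trials": collision_trials,
            "preimage_trials": found[1] if found else -1}


if __name__ == "__main__":
    # Typically a few hundred hashes for the collision and tens of thousands for the pre-image.
    print(compare_efforts(16))
```

Raising `bits` by 2 roughly doubles the collision effort but quadruples the pre-image effort, which is the gap between the 2^(k/2) and 2^k bounds.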
Slide 40: MAC using a hash function
- Data integrity without confidentiality
- The naive construction is MACk(m) = h(k || m), where k is a shared key and m the message; A sends m together with MACk(m) to B
- The intuition: an attacker cannot find another m' with h(k || m') = h(k || m), so cannot replace m with m'
- Caveat: for the common Merkle-Damgard hashes (MD5, SHA-1, SHA-2) this construction is broken by a length-extension attack. Given h(k || m) and the length of k, an attacker can compute a valid h(k || m || padding || m') for an appended m' without knowing k. This, as much as the difficulty of proving it secure, is why HMAC is used instead.

Slide 41: HMAC, Hash-based Message Authentication Code
- It is hard to prove the security of MACk(m) = h(k, m), so a much more widely used MAC is HMAC
- A hash function h is used with two secret keys for generating a MAC: if k1 and k2 are secret keys and D is the data, then HMAC = h(k1 || h(k2 || D))
- The practical form uses a single key K, padded with zero bytes to the hash function's block size B (64 bytes for SHA-256; a key longer than B bytes is first replaced by h(K)):
  ipad = the byte 0x36 repeated B times
  opad = the byte 0x5C repeated B times
  HMAC(K, D) = h((K ⊕ opad) || h((K ⊕ ipad) || D))
  i.e. the inner hash is keyed with K ⊕ ipad and the outer hash with K ⊕ opad

Slide 43: Lamport one-time signature
- The earliest hash-based signature scheme is due to Lamport
- To sign an n-bit message m = (m_0, ..., m_{n-1}):
  Private key x is 2n random data strings, x = (x_0^0, x_0^1, ..., x_{n-1}^0, x_{n-1}^1)
  Public key y is the 2n hash values of x, y = (y_0^0, y_0^1, ..., y_{n-1}^0, y_{n-1}^1), where y_i^b = H(x_i^b) for i = 0, ..., n-1 and b = 0 or 1, and H is a hash function
  The signature reveals the x values selected by the bits of m, one per bit: x_i^{m_i}. E.g. for the 2-bit message m = 01 the signature is (x_0^0, x_1^1). The verifier checks H(x_i^{m_i}) = y_i^{m_i} for every i.
  The remaining hidden x values must never be revealed. Why? Because anyone who obtains both x_i^0 and x_i^1 for some bit position i can produce a valid signature for a message that differs from m in bit i, and signing two different messages with the same key reveals exactly such pairs. Hence each key pair signs only one message.
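The HMAC construction of slide 41, as an added example that is not the lecture's code: an implementation from the definition using only hashlib, with the inner hash keyed by K ⊕ ipad and the outer by K ⊕ opad, checked against Python's hmac module. The key and data are the first test case of RFC 4231; the function names and the constant-time `verify` helper are this example's.

```python
"""HMAC built from the slide's definition with hashlib only, checked against Python's
hmac module. Added example; not the lecture's own code."""
import hashlib
import hmac


def hmac_from_scratch(key: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, D) = h((K xor opad) || h((K xor ipad) || D)), as in RFC 2104 / FIPS 198-1."""
    def h(msg: bytes) -> bytes:
        return hashlib.new(hash_name, msg).digest()

    block_size = hashlib.new(hash_name).block_size    # B: 64 bytes for SHA-256, 128 for SHA-512
    if len(key) > block_size:
        key = h(key)                                  # keys longer than B bytes are hashed first
    key = key.ljust(block_size, b"\x00")              # shorter keys are zero-padded to B bytes
    k_ipad = bytes(0x36 ^ b for b in key)             # K xor (0x36 repeated B times)
    k_opad = bytes(0x5C ^ b for b in key)             # K xor (0x5C repeated B times)
    inner = h(k_ipad + data)
    return h(k_opad + inner)


def naive_mac(key: bytes, data: bytes) -> bytes:
    """The slide's first construction, h(k || m). With SHA-2 it is open to length
    extension; it is here only to show it differs from HMAC, not for use."""
    return hashlib.sha256(key + data).digest()


def verify(tag: bytes, key: bytes, data: bytes, hash_name: str = "sha256") -> bool:
    """Recompute and compare in constant time; a plain == would leak how many leading bytes matched."""
    return hmac.compare_digest(tag, hmac_from_scratch(key, data, hash_name))


def matches_stdlib(key: bytes, data: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against the standard library implementation."""
    return hmac_from_scratch(key, data, hash_name) == hmac.new(key, data, hash_name).digest()


# RFC 4231 test case 1 inputs (constructed here as the demo's sample key and data).
SAMPLE_KEY = b"\x0b" * 20
SAMPLE_DATA = b"Hi There"

if __name__ == "__main__":
    print("HMAC-SHA-256:", hmac_from_scratch(SAMPLE_KEY, SAMPLE_DATA).hex())
    print("matches hmac module:", matches_stdlib(SAMPLE_KEY, SAMPLE_DATA))
```

In production code call `hmac.new` (or the equivalent in your platform's crypto library) rather than this reimplementation; the point of the block is to make the ipad/opad nesting and the key padding rule concrete.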
Slide 44: Winternitz one-time signature (WOTS)
- Proposed by Winternitz to avoid signing bit by bit
- To sign an n-bit message m = (m_0, ..., m_{n-1}), let W = 2^n - 1
  Private key is 2 random data strings, (x, xc)
  Public key is 2 hash values, (y, yc), with y = H^W(x) and yc = H^W(xc), where H is a hash function and H^W means applying H repeatedly W times
  Parse m as an unsigned integer i; the signature on m is (s, sc) with s = H^i(x) and sc = H^(W-i)(xc)
  The verifier checks H^(W-i)(s) = y and H^i(sc) = yc. The second chain is a checksum: from s anyone can compute H^j(x) for j > i and so forge the first component for a larger message value j, but the matching checksum H^(W-j)(xc) lies earlier in the xc chain than the revealed sc, and computing it would mean inverting H.
- The slide shows an example for the 2-bit message m = 01 [figure not reproduced: with W = 3, s = H(x) and sc = H^2(xc)]
- The WOTS used in practice splits a long message into small chunks, signs each chunk with its own chain, and adds checksum chains over the chunk values; the single-chain version above is the idea in miniature.

Slide 45: Merkle signature
- Proposed by Merkle to allow multiple signatures per key pair
- To sign n = 2^k messages:
  Private key is a random data string sk, from which 2^k one-time signing keys sk_0, ..., sk_{n-1} are derived
  Public key is a single hash value r, the root of the Merkle tree whose leaves are the hashes of the 2^k one-time public keys
  A signature with leaf i consists of the one-time signature under sk_i, the one-time public key, and the authentication path (the sibling hashes on the way from leaf i to the root); the verifier recomputes the root from the leaf and the path and compares it with r
- The slide shows an example for k = 2 [figure not reproduced]

Slide 46: Multi-level stateful signatures
- A combination of the Merkle tree signature scheme and an OTS scheme in several layers: the OTS at the bottom of one Merkle tree signs the root of the tree below it, and the OTS of the lowest tree signs the message m
[Figure: the layered structure Merkle tree / OTS / Merkle tree / OTS / Merkle tree / OTS / m (message)]
- XMSS (eXtended Merkle Signature Scheme) and LMS (Leighton-Micali Signatures) are both of this kind, and both are stateful: the signer must record which leaves have been used, because signing twice with the same leaf breaks the one-time property
- They are going to be ISO/IEC standards soon (they are already specified in RFC 8391 and RFC 8554 and approved by NIST in SP 800-208)

Slide 47: Multi-level stateless signatures
- An illustration of a (small) SPHINCS structure [figure not reproduced]
- FTS stands for few-time signature: the leaves of the lowest layer are few-time signature keys, chosen pseudo-randomly from the message, so the signer needs no state

Slide 48: FORS signature
- FORS (Forest of Random Subsets) is a few-time signature scheme proposed by Bernstein et al.
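Lamport signatures (slide 43) under a Merkle tree (slide 45), as an added example that is not the lecture's code; FORS, described next, reuses the same authentication-path mechanism over its trees. SHA-256 is H, messages are 32 bits for brevity, the 2n secrets of each one-time key are derived from a per-leaf seed, and the `MerkleSigner` class, the leaf bookkeeping and the leaf-hash layout are this example's choices.

```python
"""Lamport one-time signatures under a Merkle tree (the Merkle signature scheme):
one root authenticates 2**k one-time public keys. Added example, not the lecture's
code; SHA-256 is H and messages are 32-bit integers."""
import hashlib
import hmac
import os

N_BITS = 32                      # message length n; each signature reveals n of the 2n secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(seed: bytes):
    """Private key: 2n strings x[i][b]; public key: their hashes y[i][b] = H(x[i][b]).
    The secrets are derived from a seed so that the stored private key is one short string."""
    x = [[H(seed + bytes([i, b])) for b in (0, 1)] for i in range(N_BITS)]
    y = [[H(x[i][b]) for b in (0, 1)] for i in range(N_BITS)]
    return x, y


def message_bits(message: int) -> list[int]:
    return [(message >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def lamport_sign(x, message: int) -> list[bytes]:
    """Reveal x[i][m_i] for each bit i; the other n secrets stay hidden."""
    return [x[i][b] for i, b in enumerate(message_bits(message))]


def lamport_verify(y, message: int, sig: list[bytes]) -> bool:
    bits = message_bits(message)
    return len(sig) == N_BITS and all(
        hmac.compare_digest(H(sig[i]), y[i][bits[i]]) for i in range(N_BITS))


def pk_hash(y) -> bytes:
    """Leaf value: the hash of the whole one-time public key."""
    return H(b"".join(y[i][b] for i in range(N_BITS) for b in (0, 1)))


def merkle_tree(leaves: list[bytes]) -> list[list[bytes]]:
    """All levels, leaves first; levels[-1][0] is the root r, which is the public key."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[j] + lvl[j + 1]) for j in range(0, len(lvl), 2)])
    return levels


def auth_path(levels: list[list[bytes]], index: int) -> list[bytes]:
    """Sibling hashes from leaf `index` up to, but not including, the root."""
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[index ^ 1])
        index >>= 1
    return path


def root_from_path(leaf: bytes, index: int, path: list[bytes]) -> bytes:
    node = leaf
    for sibling in path:
        node = H(node + sibling) if index & 1 == 0 else H(sibling + node)
        index >>= 1
    return node


class MerkleSigner:
    """Stateful: next_leaf must never be rewound, or two signatures leak both x[i][0] and x[i][1]."""

    def __init__(self, k: int, sk: bytes):
        self.keys = [lamport_keygen(H(sk + idx.to_bytes(4, "big"))) for idx in range(1 << k)]
        self.levels = merkle_tree([pk_hash(y) for _, y in self.keys])
        self.root = self.levels[-1][0]
        self.next_leaf = 0

    def sign(self, message: int):
        idx = self.next_leaf
        if idx >= len(self.keys):
            raise RuntimeError("all one-time keys used; generate a new key pair")
        self.next_leaf += 1
        x, y = self.keys[idx]
        return idx, lamport_sign(x, message), y, auth_path(self.levels, idx)


def merkle_verify(root: bytes, message: int, signature) -> bool:
    idx, ots_sig, y, path = signature
    return lamport_verify(y, message, ots_sig) and root_from_path(pk_hash(y), idx, path) == root


def demo() -> tuple[bool, bool]:
    signer = MerkleSigner(k=2, sk=os.urandom(32))        # 4 one-time keys under one root
    sig = signer.sign(0xDEADBEEF)
    return merkle_verify(signer.root, 0xDEADBEEF, sig), merkle_verify(signer.root, 0xDEADBEEE, sig)
```

Signature size is dominated by the n revealed secrets plus the n public-key hashes (64 x 32 bytes here); Winternitz chains and the compressed public keys of XMSS and LMS exist to shrink exactly that.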
- To sign a message of n = k*d bits, k Merkle trees are used, each with 2^d leaves; the message is split into k chunks of d bits, and chunk j selects one leaf of tree j
  Private key is a random data string sk, from which the secret leaf values (the x values) are derived
  Public key is a single data string pk, the hash of all k Merkle tree roots
  A signature reveals, for each tree j, the selected secret x together with its authentication path; the verifier hashes each x to its leaf, climbs to the root of each tree, and hashes the k roots together to compare with pk
- The slide shows an example for k = 4 and d = 2 with message m = 10010011: the chunks 10, 01, 00, 11 select leaves 2, 1, 0 and 3, so the signature reveals (x_2^(0), x_1^(1), x_0^(2), x_3^(3)) [figure not reproduced]
- "Few-time": each signature reveals one leaf per tree, and after several signatures under the same key an attacker may have collected enough leaves to assemble a signature for a new message; so a FORS key is used only a few times, and SPHINCS+ picks which FORS key signs a message pseudo-randomly from the message itself

Slide 49: SPHINCS+
- The SPHINCS+ signature scheme: a secret signing key is a seed that is used to create a hyper-tree
- The corresponding public verification key is the root value of the hyper-tree
- The hyper-tree consists of multiple layers of XMSS-type subtrees
- A message to be signed is mapped (pseudo-randomly) to one leaf of the hyper-tree, i.e. to one FORS key
- A signature is the FORS signature on the message digest plus the authentication path of that leaf up through the hyper-tree
- This scheme was selected for the NIST Post-Quantum Cryptography standard in 2022 and has since been published as FIPS 205 (SLH-DSA)

Slide 50: Standard hash-based signatures
- More robust hash-based signature schemes are built by combining several simple hash-based schemes
- Stateful signatures: the signer must maintain the state of the signing keys. Two well-known examples are XMSS (eXtended Merkle Signature Scheme) and LMS (Leighton-Micali Signatures)
- Stateless signatures: the signer does not need to maintain key state. The example is SPHINCS+, selected by NIST as a new standard

Slide 51: International standards
- ISO/IEC 18033, Information technology, Security techniques, Encryption algorithms
- ISO/IEC 10116, Information technology, Security techniques, Modes of operation for an n-bit block cipher
- ISO/IEC 19772, Information technology, Security techniques, Authenticated encryption
- ISO/IEC 10118, Information technology, Security techniques, Hash-functions
- ISO/IEC 9797, Information technology, Security techniques, Message Authentication Codes (MACs)

Slide 52: Summary of symmetric crypto content
- Block ciphers (e.g. DES, TripleDES and AES)
- Padding
- Modes of operation (e.g.
ECB, CBC and CTR)
- Error propagation
- Hash functions
- Message Authentication Codes (MAC)
- MAC based on a block cipher
- MAC based on hash functions
- Authenticated encryption
- Hash-based signatures

Slide 53: Lab: AES and hash functions
This lab includes the following parts:
- Using CrypTool to explore AES
- Continuing to explore the JCE framework, focusing on AES as an example
- Exercising hash functions

Slide 54: Appendices

Slide 55: Appendix A, some details about DES

Slide 56: Preliminaries: permutations
Reordering the bits. E.g. the permutation written as
  4 6 1 8 2 7 3 5
means that output bit 1 is input bit 4, output bit 2 is input bit 6, and so on:
  output position:        1 2 3 4 5 6 7 8
  taken from input bit:   4 6 1 8 2 7 3 5

Slide 57: Preliminaries: left bitshift
[Figure not reproduced; see the rotation example on slide 59]

Slide 58: Key schedule: the 56-bit key
- A DES key K is given with 64 bits. 8 of the bits are parity bits, numbers 8, 16, 24, 32, 40, 48, 56 and 64; they are not used. The key has 56 useful bits.
- DES uses these to produce a 48-bit key for each round, 16 keys in total, which we call K1 ... K16
- DES first permutes the 56 useful bits (the permutation PC-1 of FIPS 46) to generate K0, made up of two 28-bit values C0 and D0. None of the parity bits are used in C0 or D0.

Slide 59: Key transformation in each round
"Select 48 bits from the 56-bit key, and call this Ki+1":
- Rotate-left Ci and Di by 1 or 2 bits depending on the round (a single bit for rounds 1, 2, 9 and 16, otherwise 2 bits). E.g.
  1110101010010000 rotated left by two bits moves the 11 at the beginning round to the end, giving 1010101001000011
- Then apply the following permutation (PC-2) to the rotated halves to obtain Ki+1. The left block selects 24 bits from Ci (positions 1-28) and the right block selects 24 bits from Di (positions 29-56); 8 of the 56 bits are dropped:
  14 17 11 24  1  5    41 52 31 37 47 55
   3 28 15  6 21 10    30 40 51 45 33 48
  23 19 12  4 26  8    44 49 39 56 34 53
  16  7 27 20 13  2    46 42 50 36 29 32

Slide 60: Key selection (generates 16 keys for the 16 rounds)
[Figure: Ci-1 (28 bits) and Di-1 (28 bits) are each rotated left to give Ci and Di; a permutation selects 24 bits from each half, giving Ki (48 bits in total)]

Slide 61: DES mangler function
[Figure: Ri (32 bits) is expanded to 48 bits, XORed with Ki+1 (48 bits), and passed through the eight S-boxes S1 ... S8 to give 32 bits]

Slide 62: The mangler function
- Operates on the 48 bits of Ki+1 and the 32 bits of Ri
- Expands Ri to 48 bits
- Combines these 48 bits with Ki+1 using XOR
- Permutes and compresses the result back down to 32 bits using the S-boxes
- Applies one more permutation, P

Slide 63: DES mangler function
[Figure: as slide 61, followed by the final permutation P; the S-boxes compress 6 bits to 4 via lookup tables, and P is the last permutation]

Slide 64: Expansion
- The 32 bits of Ri are expanded into 48 bits and also shuffled around. The function that does this is called the expansion permutation, E. [Its table is not reproduced in the transcript.]
- This time, instead of losing some bits, we use every bit, and 16 of them twice.

Slide 65: The S-boxes (substitution boxes, lookup tables)
- The 48-bit result is now converted into 32 bits. We take 6 bits (b0, b1, b2, b3, b4, b5) at a time and convert them into 4 bits. We do this 8 times, and each time the conversion is different: for the ith 6-bit group we use the ith S-box, a lookup table with 4 rows and 16 columns.
- S-box 1 runs as follows (details of all S-boxes in Stallings etc.) [table not reproduced; only its column numbering 0 ... 15 survives in the transcript]
- Bits b0 and b5 determine the row; bits b1 ... b4 determine the column. So for this S-box, 110100 is row 2 (b0 b5 = 10) and column 10 (b1 ... b4 = 1010), which comes out as 9, or 1001.
Slide 66: One last permutation
- To complete the mangler function, a last permutation (the P-box) is applied. This is a permutation in the proper sense: no bits are duplicated and no bits are lost.

Slide 67: Overview of DES steps
- Put the 64-bit input block (plaintext) through the initial permutation to reorder the bits
- Split the resulting block into two 32-bit sub-blocks L0 and R0
- Repeat the following procedure for 16 rounds (i = 0, ..., 15):
  Select 48 bits from the 56-bit key, and call this Ki+1
  Calculate mangle(Ri, Ki+1)
  Set Ri+1 = Li ⊕ mangle(Ri, Ki+1)
  Set Li+1 = Ri
- Combine the two final 32-bit blocks L16 and R16 in reverse order: R16 || L16
- Invert the initial permutation

Slide 68: Appendix B, Passwords
We consider how to protect passwords as an example of using hash functions, MACs and encryption.

Slide 69: Password strength (xkcd 936) [comic not reproduced]

Slide 70: Storing passwords (I)
- Passwords can be stored as plaintext. When a user enters a password, the system compares it with the stored value.
- If an attacker gains access to the password file then the passwords are lost.
- Absolutely NOT recommended: highly insecure.

Slide 71: Storing passwords (II)
- Passwords can be stored in hashed form hp = h(p). When a user enters a password p, the system hashes it and compares h(p) with the stored value hp.
- In this case the password file only gives away the hashes of the passwords if it is compromised.
- This is subject to brute-force attacks: guessing likely passwords and seeing whether their hash matches the stored hash. For a common hash function these hashes can be precomputed (rainbow tables) for more rapid password cracking, and identical passwords produce identical hashes, so one guess cracks every user who chose that password.

Slide 72: Storing passwords (III)
- Passwords can be stored in hashed form hp = h(p, s) together with a random value s called the salt. When a user enters a password p, the system adds the stored salt, hashes to obtain h(p, s), and compares with the stored value hp.
- Again the password file only gives away the hashes of the passwords if it is compromised.
- This is still subject to brute-force attacks: guessing likely passwords and seeing whether their salted hash matches the stored hash. But a different salt per user prevents precomputing the hash values (there would be too many to compute) and forces each user's hash to be attacked separately, so brute force can only be done in real time.
- Brute-forcing can also be slowed down by using repeated hashing in the computation of what to store: h^n(p, s), i.e. hashing n times. In practice a purpose-built password hashing function (PBKDF2, bcrypt, scrypt or Argon2) is used for this rather than a hand-written loop.

Slide 73: Storing passwords (IV)
- Passwords can be stored in encrypted form kp = Ek(p) with a key k known only to the system. When a user enters a password p, the system encrypts it to obtain Ek(p) and compares with the stored value kp.
- Again the password file only gives away the ciphertexts of the passwords if it is compromised.
- This is not subject to brute-force attacks on the stolen file alone, because a guess cannot be checked without k. However, it relies entirely on maintaining the secrecy of k: if the key leaks together with the file, every password is recovered directly with no guessing at all, and with a deterministic cipher and no salt, users with the same password have the same stored value. The usual practice combines the approaches: a salted, slow hash, optionally with a secret server-side key ("pepper") applied via a MAC.
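Password storage as in slides 71 and 72, as an added example that is not the lecture's code: the unsalted hash next to salted, iterated hashing (h^n(p, s), realised with PBKDF2-HMAC-SHA-256 from hashlib), a constant-time check, and the attacker's view of a stolen file. The record format, iteration counts, user names, passwords and wordlist are constructed for the demo.

```python
"""Password storage as in Appendix B: salted, iterated hashing with a constant-time check,
next to the unsalted hash of slide 71 for comparison. Added example; the record format and
parameters are this example's choices, not the lecture's."""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000          # the h^n(p, s) idea: n iterations make every guess n times slower
SALT_BYTES = 16


def store_unsalted(password: str) -> str:
    """Slide 71: hp = h(p). Same password -> same record, and precomputable (rainbow tables)."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Slide 72: hp = h^n(p, s) with a fresh random salt s per user.
    Record layout (this example's): 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def guess_offline(records: list[str], wordlist: list[str]) -> dict[str, str]:
    """The attacker's view of a stolen file: each guess must be re-hashed for every record,
    because every record carries its own salt. Returns record -> cracked password."""
    cracked = {}
    for record in records:
        for guess in wordlist:
            if check_salted(guess, record):
                cracked[record] = guess
                break
    return cracked


# Constructed users and wordlist; "password" is a weak choice that the wordlist contains.
USERS = {"alice": "correct horse battery staple", "bob": "password"}
WORDLIST = ["123456", "password", "letmein"]


def demo() -> dict[str, bool]:
    salted = {u: store_salted(p, iterations=10_000) for u, p in USERS.items()}
    cracked = guess_offline(list(salted.values()), WORDLIST)
    return {
        "unsalted_hashes_repeat": store_unsalted("password") == store_unsalted(USERS["bob"]),
        "salted_records_differ": store_salted("password", iterations=10_000) != salted["bob"],
        "bob_cracked": salted["bob"] in cracked,
        "alice_cracked": salted["alice"] in cracked,
    }


if __name__ == "__main__":
    print(demo())
```

The salt does not stop the attacker from trying "password" against bob's record; it only removes precomputation and per-hash reuse across users, which is why the iteration count (and a secret pepper, for slide 73's key-based variant) still matters.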