Spring 2003© 2000-2003, Richard A. Stanley
EE579T/2 #1
EE579T / CS525T Network Security
2: Symmetric Block Ciphers
Prof. Richard A. Stanley
Overview of Tonight’s Class
• Class list updates
• Course syllabus
• Course project introduction
• Review of last week’s class
• Introduction to network security issues
• An overview of block ciphers
• Introduction to key distribution
Syllabus (subject to adjustment)
Class  Worcester  Waltham  Topic
1   1/14/03  1/16/03  Introduction & Computer Security Review
2   1/21/03  1/23/03  Symmetric Ciphers
3   1/28/03  1/30/03  Asymmetric Ciphers
4   2/4/03   2/6/03   Network Authentication
5   2/11/03  2/13/03  IPSec
6   2/18/03  2/20/03  SSL
7   2/25/03  2/27/03  Vulnerability Assessment
8   3/4/03   3/6/03   Introduction to Network-based Attacks
9   3/11/03  3/13/03  SNMP and security
10  3/18/03  3/20/03  Firewalls
11  3/25/03  3/27/03  Wireless Networks and Security
12  4/1/03   4/3/03   Legal and Ethical Issues
13  4/8/03   4/10/03  Project Presentations - 1
14  4/15/03  4/17/03  Project Presentations - 2
15  4/22/03  4/24/03  Contingency week
Course Projects Overview
• Teams of 2-4 individuals, 4 preferred
• Identify, through research, a meaningful network security problem (reported on as historical or one you can hypothesize)
• Analyze the problem
– Why did it occur?
– How could you have prevented or mitigated it?
• Prepare report and present to the class
Last Week...
• Computer security is a real need in real systems
• Without computer security, network security is a pipedream
• Network security is an even more difficult problem than computer security, for a number of reasons
• Absolute security does not exist
Networks
• A network is an interconnected group of communicating devices.
• Two primary network types
– Circuit-switched (connection oriented)
– Packet-switched (connectionless)
• Span
– WAN, MAN, LAN
– So what?
Network Topology
• The topology of a network is a view of its interconnections, as they would be seen by an observer looking down from great height
• Topology is important because it has implications for security
• Three major topologies:
– star
– bus
– ring
Some Network Security Issues
• Users not necessarily registered at the node they are accessing
– How to authenticate users?
– What is basis for access control decisions?
• Some options:
– User ID
– User address
– Service being invoked
– Cryptographic-based solutions
Internetworking
• Internetworking is the interconnection of networks
• The Internet is an internetwork; not all internetworks are the Internet
• Very few modern networks exist in isolation; most are internetworked
• This has important security and legal implications
Internetworking Concepts
• Networks are interconnected by routers or gateways
– More about this later in the course
• Routers route a packet using the destination network address, not the destination host address
– Analogous to the world postal system and how letters are routed
Network Facts
• Most computers today are connected to a network (consider the Internet), at least for part of the time they are in operation
• Most local networks are internetworked
• How to provide authenticity, integrity, confidentiality, availability?
• Cryptography can help provide all the security services except availability
Encryption Primer
• Cryptography = “secret writing”
• Input = plaintext
• Output = ciphertext
• Ciphertext = plaintext + key (in general)
– Intention is that the ciphertext be unintelligible to an eavesdropper
• Two basic types of cipher
– Symmetric
– Asymmetric
Definitions
• Encryption
– The process of turning plaintext into ciphertext
• Decryption
– The process of turning ciphertext into plaintext
• Cryptanalysis
– The process of analyzing ciphertext with the goal of recovering the plaintext, without the key
Attacks on Cryptosystems
• Ciphertext-only attack
• Known-plaintext attack
• Chosen-plaintext attack
• Adaptive-chosen-plaintext attack
• Chosen-ciphertext attack
• Chosen-key attack (rare, difficult)
• Rubber-hose cryptanalysis (common, easy)
Source: Bruce Schneier, Applied Cryptography--Second Edition, pp. 5-7
Crypto Algorithm Security
• Unconditionally secure if, no matter how much ciphertext a cryptanalyst has, there is not enough information to recover the plaintext
• Computationally secure if it cannot be broken with available resources, either current or future
Source: Bruce Schneier, Applied Cryptography--Second Edition, pg. 8
Encryption
• There are many ways to render plaintext into ciphertext
• Only ONE provably secure cryptosystem
– One-time pad
– Secure even if pad or operator captured
– BUT…errors can lead to decryption
– http://www.cia.gov/csi/books/venona/preface.htm
One Time Pad
Why Use Anything Except One-time Pads?
• Speed of encipherment
• Letters vs. numbers
• Logistics
• Usability
• Error rates
Other Crypto Systems
• Substitution ciphers
– Most famous is the Caesar cipher: monoalphabetic substitution with offset = 3
– Children’s decoders usually in this category
• Book ciphers
• Codebooks
Problem Areas
• Languages have well-known statistics
– E.g., “e” is most common letter in English
– This can be exploited for cryptanalysis
– Thus, substitution ciphers are not very secure
– Similar problems plague book ciphers, etc.
• The only way to achieve true security is to make the ciphertext appear as random as possible
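Added example (not part of the original slides): the Caesar cipher with offset 3 keeps the letter statistics of the plaintext, so the offset falls out of a single frequency count. The sample sentence and all function names are constructed for this illustration.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

def caesar(text: str, offset: int) -> str:
    """Monoalphabetic substitution: shift every letter by `offset` places."""
    k = offset % 26
    table = str.maketrans(ALPHABET, ALPHABET[k:] + ALPHABET[:k])
    return text.lower().translate(table)

def letter_counts(text: str) -> Counter:
    return Counter(ch for ch in text.lower() if ch in ALPHABET)

def count_profile(text: str) -> list:
    """Letter counts sorted high to low, ignoring which letter is which."""
    return sorted(letter_counts(text).values(), reverse=True)

def guess_offset(ciphertext: str) -> int:
    """Assume the most frequent ciphertext letter stands for 'e'."""
    top_letter, _ = letter_counts(ciphertext).most_common(1)[0]
    return (ord(top_letter) - ord("e")) % 26

# Constructed plaintext; assumption: English text in which 'e' dominates.
SAMPLE = "meet me near the green tree before seven"

def demo():
    ciphertext = caesar(SAMPLE, 3)      # offset = 3, as on the slide
    offset = guess_offset(ciphertext)   # recovered from statistics alone
    return ciphertext, offset, caesar(ciphertext, -offset)

if __name__ == "__main__":
    ct, off, recovered = demo()
    print(ct, off, recovered, sep="\n")
    # The count profile is unchanged by substitution: the ciphertext
    # is not "as random as possible".
    print(count_profile(SAMPLE) == count_profile(ct))
```

The unchanged count profile is the weakness the slide describes: a substitution relabels letters but leaves their distribution intact.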
Modern Cryptography Uses Electronic Digital Systems
• Advantages:
– Speed
– Accuracy
– Ability to use complex mathematics
• Disadvantages
– Complex equipment
– Electronic vulnerabilities
– Key management
Kerckhoffs’ Assumption
• Secrecy must reside solely in the key
– It is assumed that the attacker knows the complete details of the cryptographic algorithm and implementation
• A. Kerckhoffs was a 19th century Dutch cryptographer
• Ergo, security by obscurity doesn’t work!
Symmetric Cryptography
[Figure. Labels: Alice’s message, shared private key, Bob, Alice’s message, shared private key, algorithm]
Cipher Example (Vernam)
• Encipher
• Plain: 001 010 011 100
• +key: 111 011 010 101
• Cipher: 110 001 001 001
• Decipher
• Cipher: 110 001 001 001
• +key: 111 011 010 101
• Plain: 001 010 011 100
The ciphertext is simply the plaintext added to the key, modulo 2. This is a reversible process, as seen above.
Why Does This Work?
• Cleartext is a function with known statistics, or even a deterministic function
• Key is a truly random data stream
• Sum of a random function and a non-random function is a random function
• So...crucial that the key be truly random
• This is not easy!
Vernam Cipher Weaknesses
• Two-way function
– If any two of the inputs to the cryptographic algorithm are known, the third can be calculated
– This allows recovery of the key if the attacker can obtain a plaintext and a ciphertext copy of the same message -- not often a hard task
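Added example (not part of the original slides): the Vernam slide's own bit strings, showing that any two of plaintext, key and ciphertext give the third, and that two messages under one key leak the sum of their plaintexts. The second message and the `Pad` helper, which refuses to hand out key bits twice, are constructed for this illustration.

```python
def xor_bits(a: str, b: str) -> str:
    """Add two bit strings modulo 2; spaces (slide grouping) are ignored."""
    a, b = a.replace(" ", ""), b.replace(" ", "")
    if len(a) != len(b):
        raise ValueError("key and message must be the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

class Pad:
    """Hypothetical helper: hands out each key bit once and refuses reuse."""
    def __init__(self, key_bits: str):
        self._bits = key_bits.replace(" ", "")
        self._pos = 0

    def take(self, n: int) -> str:
        if self._pos + n > len(self._bits):
            raise RuntimeError("pad exhausted; key bits must not be reused")
        chunk = self._bits[self._pos:self._pos + n]
        self._pos += n
        return chunk

PLAIN = "001 010 011 100"    # from the slide
KEY = "111 011 010 101"      # from the slide
SECOND = "101 101 000 111"   # constructed second message

def key_from_known_pair(plain: str, cipher: str) -> str:
    # Two-way function: plaintext + ciphertext gives the key.
    return xor_bits(plain, cipher)

def reuse_leak():
    # Same key used twice: the key cancels out of c1 + c2.
    c1, c2 = xor_bits(PLAIN, KEY), xor_bits(SECOND, KEY)
    return xor_bits(c1, c2), xor_bits(PLAIN, SECOND)

if __name__ == "__main__":
    cipher = xor_bits(PLAIN, KEY)
    print("cipher       :", cipher)
    print("deciphered   :", xor_bits(cipher, KEY))
    print("key recovered:", key_from_known_pair(PLAIN, cipher))
    print("c1+c2, p1+p2 :", reuse_leak())
    pad = Pad(KEY)
    print("first use    :", xor_bits(PLAIN, pad.take(12)))
    try:
        pad.take(12)   # a second message must not get the same key bits
    except RuntimeError as err:
        print("second use   :", err)
```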
Enigma
• Probably history’s most famous cipher machine
• Even today, a good cipher machine
• Capable of billions of billions of text permutations
• Codes broken!
• Depended on security by obscurity--a failure
Sigaba
Similar in theory to Enigma.
Designed for strategic (fixed station) use; note direct punching of teletypewriter paper tape for transmission.
How to Achieve Good Cryptography?
• Well-reviewed algorithms
– So weaknesses cannot “hide” until after implementation
• Excellent key generation & management
– To maintain secrecy of the key
• Algorithms that are sufficiently complex so as to not permit feasible exhaustive attacks
More Definitions
• Block cipher
– Data is broken into fixed-size blocks, and encrypted a block at a time
– Blocks are padded out if necessary
• Stream cipher
– Data is encrypted a bit at a time, as it is presented to the encryption engine
• Most algorithms in use today are block ciphers
Feistel Ciphers: Characteristics
• Special class of iterated block ciphers
• Ciphertext calculated from plaintext by repeated application of the same transformation or round function
• Encryption and decryption are structurally identical (subkey order reversed for decryption)
• Fast, even in software implementation
• Easily analyzed (i.e., deficiencies more readily found by analysis)
Feistel Ciphers: Step by Step
• Plaintext split into two halves
• Round function f is applied to one half using a subkey
• Output of f is XOR’d with the other half of the plaintext
• Two halves are swapped
• Process repeated for n rounds
• No swap after last round
Subkey Generation
• Creating the subkeys in a Feistel cipher has a major effect on the overall security of the algorithm
– Possible to create weak keys
– Changes in the subkey algorithm can result in effectively different realizations of the algorithm
• DES is based on Feistel rounds, and uses a complex method of subkey generation
Importance of Feistel Ciphers
• Basis of DES, other important algorithms
– Horst Feistel worked for IBM in 1973
– IBM’s Lucifer algorithm, based on Feistel rounds, became the DES standard in 1977
• Many other algorithm authors have used Feistel rounds, or variants thereof, to realize block ciphers
• Feistel ciphers are not the only kind of iterative block cipher
DES: Feistel Applied
• DES: Data Encryption Standard
• Formal specification -- FIPS PUB 46-3, last affirmed 25 October 1999 http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• Describes two cryptographic algorithms
– DES
– TDEA (commonly referred to as 3DES)
• DES based on IBM Lucifer cipher of 1974
DES Characteristics
• 64-bit block cipher
• 56-bit key, with additional 8 bits used for error checking (odd parity on each byte)
• Four operating modes
– Electronic Codebook (ECB)
– Cipher Block Chaining (CBC)
– Cipher Feedback (CFB)
– Output Feedback (OFB)
DES Enciphering Computation
Feistel round
Initial Permutation
Cipher Function, f(Rn,Kn)
How Can This Happen?
• Turn 32-bit plaintext into 48-bit output
• Add to 48-bit key
• Get 32-bit output
Crypto Function Details
• E-function takes the input to the Feistel round and expands it to 48 bits
• S-boxes (for selection, usually referred to as substitution) permute bits to produce the proper output
• P-function permutes 32-bit output of the S-boxes
• Inverse permutation (IP⁻¹) restores bit order after the 16 Feistel rounds
E-function
P-Function
S-box Example
Result over 8 S-boxes: 48 bits → 32 bits
Key Scheduling
Permuted Choice 1
C( )
D( )
Left Shift Schedule
NB: These are circular left shifts
Permuted Choice 2
DES Decryption
• As DES is a Feistel cipher, decryption uses the same engine as does encryption
• For decryption:
– The DES engine is precisely the same as the encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)
– Instead, the key schedule is run in reverse; i.e. the first subkey used is K16, then K15, etc., finishing with K1
Principal DES Operating Modes-1 (FIPS PUB 81)
• Electronic Code Book (ECB)
– Encrypts one block at a time with selected key
– Simplest implementation of DES
– Vulnerability: repeated plaintext can reveal key, and then all cipher blocks can be decrypted
ECB
Principal DES Operating Modes-2 (FIPS PUB 81)
• Cipher Block Chaining (CBC)
– Input to each block is the output of the previous block XOR’d with the next plaintext block
– Initial block XOR’d with an Initialization Vector (IV)
– This approach greatly improves the security of DES against key searches
CBC
Additional DES Modes -1 (FIPS PUB 81)
• Cipher Feedback Mode
– previous ciphertext block encrypted and output XOR’d with plaintext block to produce current ciphertext block
– can use feedback that is less than one full data block
– initialization vector used as “seed” for the process.
CFB
Additional DES Modes -2 (FIPS PUB 81)
• Output Feedback Mode (OFB)
– similar to CFB mode except data XOR’d with each plaintext block is generated independently of both the plaintext and ciphertext
– initialization vector s_0 used as “seed” for a sequence of data blocks s_i
– each data block s_i derived from encryption of the previous data block s_{i-1}
OFB
Importance of DES
• Ubiquitous, U.S. federal standard
• When standardized, 56-bit key made the cipher computationally secure
– This is no longer the case
– DES has been broken using brute force attacks in 56 hours, using recycled computer boards costing less than $250,000 (July 15, 1998)
• Immediate fix: Triple Data Encryption Algorithm (or Triple DES, 3DES)
TDEA
Encryption
Decryption
TDEA Realities
• Two keying options
– Three separate keys (as shown on previous slide)
– Two keys; EK1 = EK3
– Resultant key lengths of 168 or 112 bits
• For mathematical reasons we won’t go into here, 3-key TDEA is only about twice as secure as DES, not 3 times as secure
• Implemented in hardware, 3-key TDEA can achieve throughputs approaching 1 Gbps
TDEA Advantages
• Thoroughly analyzed, unlikely to have any hidden vulnerabilities
• Much less vulnerable to brute force attack than DES
• Can be implemented in silicon, with very fast throughput
TDEA Disadvantages
• Algorithm produces slow software implementations
• Limited to 64-bit block size
• Trebles the key distribution problem of DES
AES: The Next Generation
• Advanced Encryption Standard (FIPS PUB 197)
– Established to counter weaknesses of DES
– Based on Rijndael algorithm
• Joan Daemen and Vincent Rijmen, Belgians, authors
– U. S. standard adopted Nov. 26, 2001
– Became effective May 26, 2002
– Key lengths of 128, 192, and 256 bits
– Block size of 128 bits
• In AES, Rijndael allows for other sizes
Rijndael Structure
• Rijndael is not a Feistel cipher; rather, it uses substitution boxes
• “...typically part of the bits of the intermediate state are simply transposed unchanged to another position”
• “...[each] round transformation is composed of three distinct invertible uniform transformations”
AES’ Future
• Clearly intended to replace DES & TDEA
• Designed for efficient software implementation
• Not yet as thoroughly analyzed as DES
• Expect implementations on the market this year
• Probably a long coexistence of TDEA & AES
Key Types
• Permanent
– Used for a fixed, prearranged period of time
– Typically used for applications such as key distribution, government communications, etc.
• Session
– Valid only for current communications session
– Destroyed after session terminates
Key Distribution Problem
• Secret keys must be prepositioned at all locations before secure communications can occur.
• How to do this?
– Secure physical transport
– Secure electronic transport
• The search for a way to accomplish this led to the development of public key cryptography, which we will study next class
Summary -1
• Symmetric key cryptography uses one key, shared by all users of the cipher
• There are many weaknesses to basic crypto algorithms like the Vernam cipher
• Feistel ciphers provide a more complex algorithm that permits iterative encryption
• Feistel cipher decryption uses same process as encryption, making process simpler
Summary - 2
• Block ciphers are widely used
• Most commonly used block cipher today is TDEA, operating in one of 4 modes
• TDEA is limited by 64-bit block and key size, provides poor software implementation
• AES chosen to replace TDEA
• Should be several years of coexistence
Homework
• Read Chapter 3 sections 3.3, 3.4, 3.6
• Do following exercises from text:
– 2.1a,b
– 2.4
– 2.5
– 2.7