Cryptographic algorithms

Prof. Bart Preneel

COSIC Bart.Preneel(at)esatDOTkuleuven.be

Bart Preneel. All rights reserved

Outline
1. Cryptology: concepts and algorithms
symmetric algorithms for confidentiality symmetric algorithms for data authentication public-key cryptology

2. Cryptology: protocols
identification/entity authentication
key establishment

3. Public-Key Infrastructure principles

Outline (2)

4. Networking protocols
email, web, IPsec, SSL/TLS

5. New developments in cryptology

6. How to use cryptography well 7. Hash functions

Definitions
data
Confidentiality Integrity Availability

entities anonymity identification

confidentiality authentication

encryption data authentication

Authorisation Non-repudiation of origin, receipt

Dont use the word authentication without defining it

Contract signing Notarisation and Timestamping

4

Cryptology: basic principles

Alice Eve Bob

Clear text

CRYP TOB OX

%^C& @&^(

%^C& @&^(

CRYP TOB OX

Clear text

Symmetric cryptology: confidentiality

old cipher systems:
transposition, substitution, rotor machines

the opponent and her power the Vernam scheme DES and triple-DES AES RC4

Old cipher systems (pre 1900)

Caesar cipher: shift letters over k positions in the alphabet (k is the secret key)
THIS IS THE CAESAR CIPHER

WKLV LV WKH FDHVDU FLSKHU

Julius Caesar never changed his key (k=3).

Cryptanalysis example:
TIPGK UJQHL VKRIM WLSJN XDTKO YNULP ZOVMQ APWNR BQXOS CRYPT DSZQU ETARV FUBSW RERCP SFSDQ TGTER UHUFS VOVGT WKWHU XKXIV YLYJW ZMXKX ANALY BOBMZ CPCNA DQDOB JZJZJ KAKAK LBLBL MCMCM NDNDN OEOEO PFPFP QGQGQ RHRHR SISIS TJTJT UKUKU VLVLV WLE XMF YNG ZOH API BQJ CRK DSL ETM FUN GVO HWP IXQ GVCTX HWDUY IXEVZ JYFWA KZGXB LAHYC MBIZD NCJAE ODKBF PELCG QFMDH RGNEI SHOFJ EREPC FSFQD GTGRE HUHSF IVITG JWJUH KXKVI LYLWJ MZMXK NANYL OBOZM PCPAN QDQBO WMWMW XNXNX YOYOY ZPZPZ AQAQA BRBRB CSCSC DTDTD EUEUE FVFVF GWGWG HXHXH IYIYI JYR KZS LAT MBU NCV ODW PEX QFY RGZ SHA TIB UJC VKD
8

Plaintext?

k = 17

Old cipher systems (pre 1900) (2)

Substitutions
ABCDEFGHIJKLMNOPQRSTUVWXYZ ! Easy to MZNJSOAXFQGYKHLUCTDVWBIPER

Transpositions
TRANS ORI S

break using statistical techniques

POSIT
IONS

NOTIT
OSANP
9

Security
there are n! different substitutions on an alphabet with n letters there are n! different transpositions of n letters n=26: n!=403291461126605635584000000 = 4 . 1026 keys trying all possibilities at 1 nanosecond per key requires.... 4.1026 /(109 . 105 . 4 102) = 1010 years
keys per second seconds per day days per year
10

Letter distributions
12 10 8 6 4 2 0 A B C D E F G H

I Y Z

11

Assumptions on Eve (the opponent)

A scheme is broken if Eve can deduce the key or obtain additional plaintext Eve can always try all keys till meaningful plaintext appears: a brute force attack
solution: large key space

Eve will try to find shortcut attacks (faster than brute force)
history shows that designers are too optimistic about the security of their cryptosystems
12

Assumptions on Eve (the opponent)

Cryptology = cryptography + cryptanalysis Eve knows the algorithm, except for the key (Kerckhoffss principle) increasing capability of Eve:
knows some information about the plaintext (e.g., in English) knows part of the plaintext can choose (part of) the plaintext and look at the ciphertext can choose (part of) the ciphertext and look at the plaintext
13

New assumptions on Eve

Eve may have access to side channels
timing attacks simple power analysis differential power analysis acoustic attacks electromagnetic interference

Eve may launch (semi-)invasive attacks

differential fault analysis probing of memory or bus
14

Side channel analysis

Oscilloscope files transfer Arm scope retrieve file

Scope trigger Current waveform acquisition Server store the files and run the Treatment software Main PC run the Acquisition software command emission
GCR R

on IO

Card extention

Card reader
Protection box

15

Timing attacks and power analysis

16

Side channel analysis: EMA

17

Cryptology + side channels

Eve Alice Bob
CRYP TOB OX

Clear text

CRYP TOB OX

%^C& @&^(

%^C& @&^(

Clear text

18

Mechanical: Hagelin C38

19

Problem: what is this?

Cryptogram [=14 January 1961 11.00 h] <AHQNE XVAZW IQFFR JENFV OUXBD LQWDB BXFRZ NJVYB QVGOZ KFYQV GEDBE HGMPS GAZJK RDJQC VJTEB XNZZH MEVGS ANLLB DQCGF PWCVR UOMWW LOGSO ZWVVV LDQNI YTZAA OIJDR UEAAV RWYXH PAWSV CHTYN HSUIY PKFPZ OSEAW SUZMY QDYEL FUVOA WLSSD ZVKPU ZSHKK PALWB SHXRR MLQOK AHQNE 11205 141100>

20

The answer
Plaintext [=14 January 1961 11.00 h] DOFGD VISWA WVISW JOSEP TERTI OWMIS SIONW BOMBO IRWTE LEXWC EWSUJ ETWAM GEWXX WJULE SWXXW BISEC SECVX XWRWV WMWPR INTEX RIMOW RIENW ENVOY EWRUS XWPOU VEZWR EGLER WXXWS OWREP RENDR EWDUR GENCE WBRAZ ZAWWC

HWXXW KOWVO BABEL TWTRE WXXWP URWWX ECUND WPLAN

21

The answer (in readable form)

Plaintext [=14 January 1961 11.00 h] TRESECV. R V M PRINTEX. PRIMO RIEN ENVOYE RUSUR. POUVEZ REGLER. SECUNDO REPRENDRE DURGENCE PLAN BRAZZA VIS A VIS JOSEP H. TERTIO MISSION BOMBOKO VOIR TELEX CE SUJET AMBABELGE. JULES.
22

The Rotor machines (WW II)

23

Life cycle of a cryptographic algorithm

idea mathematical analysis publication public evaluation

RIP

OK

hw/sw implementation
standardization industrial products $$$ take out of service
24

Vernam scheme or one-time pad (1917)

key is random string, as long as the plaintext provably secure, but impractical

10010

11001

11001

10010

01011

01011
25

Vernam scheme
0+1=1 1+0=1 0+0=0 1+1=0

identical mathematical symbols can result in different electrical signals

26

Three approaches in cryptography

information theoretic security
ciphertext only

part of ciphertext only

noisy version of ciphertext

system-based or practical security

also known as prayer theoretic security

complexity theoretic security: model of computation, definition, proof

variant: quantum cryptography
27

Model of a practical stream cipher

IV
next state function

IV
next state function

output function

looks random

output function

P
28

A5/1 stream cipher (GSM)

18 0

21

22

Clock control: registers agreeing with majority are clocked (2 or 3)

29

A5/1 stream cipher (GSM)

A5/1 attacks exhaustive key search: 264 (or rather 254)
Hardware 10K$ < 1 minute ciphertext only

search 2 smallest registers: 245 steps [BWS00] 1 minute on a PC

2 seconds of known plaintext 248 precomputation, 146 GB storage

[BB05]: 10 minutes on a PC,

3-4 minutes of ciphertext only
30

Bluetooth stream cipher

brute force: 2128 steps [Lu+05] 24 known bits of 224 frames, 238 computations, 233 memory
31

A simple cipher: RC4 (1987)

designed by Ron Rivest (MIT) leaked in 1994 S[0..255]: secret table derived from user key K
for i=0 to 255 S[i]:=i j:=0 for i=0 to 255 j:=(j + S[i] + K[i]) mod 256 swap S[i] and S[j] i:=0, j:=0
32

A simple cipher: RC4 (1987)

Generate key stream which is added to plaintext i:=i+1 j:=(j + S[i]) mod 256 swap S[i] and S[j] t:=(S[i] + S[j]) mod 256 output S[t] t
000 001 002 013 093 094 095 079 ... 254 099 255 143 205 162 092

...

033 92 162

i j
33

RC4: weaknesses
often used with 40-bit key
US export restrictions until Q4/2000

best known general shortcut attack: 2300 weak keys and key setup (shuffle theory) some statistical deviations
e.g., 2nd output byte is biased solution: drop first 256 bytes of output

problem with resynchronization modes (WEP)

34

Block cipher
large table: list n-bit ciphertext for each nbit plaintext
if n is large: very secure (codebook) but for an n-bit block: 2n values impractical if n 32

alternative n = 64 or 128
simplify the implementation repeat many simple operations
35

Block cipher (2)

P1
block cipher

P2
block cipher

P3
block cipher

C1
memoryless

C2

C3

larger data units: 64128 bits repeat simple operation (round) many times

36

Data Encryption Standard (1977)

encrypts 64 plaintext bits under control of a 56-bit key 16 iterations of a relatively simple mapping FIPS: US government standard for sensitive but unclassified data worldwide de facto standard since early 80ies surrounded by controversy
37

Security of DES (56 bit key)

PC: trying 1 DES key: 15 ns Trying all keys on 250 PCs: 1 month: 226 x 216 x 25 x 28= 255 M. Wieners design (1993): 1,000,000 $ machine: 3 hours
(in 2009: 10 seconds)

EFF Deep Crack (July 1998) 250,000 $ machine: 50 hours

38

DES: security (ctd)

Moores law: speed of computers doubles every 18 months
key lengths need to grow in time

Use new algorithms with longer keys

adding 1 key bits doubles the work for the attacker

Key length recommendations in 2009

< 64 bits: insecure 80 bits: 3-5 years 100 bits: 20-25 years

39

Federal Register, July 24, 2004

SUMMARY: The Data Encryption Standard (DES), currently specified in Federal National Institute of Standards and Information Processing Standard Technology (FIPS) 463, was evaluated [Docket No. 040602169 4169 01] pursuant to its scheduled review. At the conclusion of this review, Announcing Proposed Withdrawal of NIST determined that the Federal Information Processing strength of the DES algorithm is Standard (FIPS) for the Data no longer sufficient to Encryption Standard (DES) and adequately protect Federal Request for Comments government information. As a result, NIST proposes to withdraw AGENCY: National Institute of FIPS 463, and the associated Standards and Technology (NIST), FIPS 74 and FIPS 81. Future use Commerce. of DES by Federal agencies is to be permitted only as a component function of the Triple Data ACTION: Notice; request for comments. Encryption Algorithm (TDEA).
DEPARTMENT OF COMMERCE
40

3-DES: NIST Spec. Pub. 800-67

(May 2004) two-key triple DES: until 2009 three-key triple DES: until 2030

Clear text

DES

DES-1

DES

%^C& @&^(

3
41

Symmetric Key Lengths and Moores law

140 120 100 80 60 40 20 0

2-key 3DES DES

3-key 3DES

AES -128

19 76

19 88

20 00

20 12

20 24

20 36

20 48

Moores law: speed of computers doubles every 18 months

20 60

42

AES (Advanced Encryption Standard)

open competition launched by US government (Sept. 97) to replace DES 22 contenders including IBM, RSA, Deutsche Telekom 128-bit block cipher with key of 128/192/256 bits as strong as triple-DES, but more efficient royalty-free

A machine that cracks a DES key in 1 second would take 149 trillion years to crack a 128-bit key
43

AES: Rijndael
S S S S S S S S S S S S S S S S round Key Schedule round round
MixColumns MixColumns MixColumns MixColumns S S S S S S S S S S S S S S S S

. . . . .
round

Key length: 16/24/32 bytes Block length:

Rijndael: 16/24/32 bytes AES: 16 bytes only
44

AES Status
FIPS 197 published on November 6, 2001, effective May 26, 2002 mandatory for sensitive US govt. information fast adoption in the market (thousands of products)
Jan. 09 > 976 AES product certifications by NIST standardization: ISO, IETF, IEEE 802.11,

slower adoption in financial sector mid 2003: AES-128 also for classified information and AES-192/-256 for secret and top secret information! Intel will provide AES instruction from 2009
45

Symmetric cryptology: data authentication

the problem hash functions without a key
MDC: Manipulation Detection Codes

hash functions with a secret key

MAC: Message Authentication Codes

46

Data authentication: the problem

encryption provides confidentiality:
prevents Eve from learning information on the cleartext/plaintext but does not protect against modifications (active eavesdropping)

Bob wants to know:

the source of the information (data origin) that the information has not been modified (optionally) timeliness and sequence

data authentication is typically more complex 47 than data confidentiality

Data authentication: MAC algorithms

Replace protection of authenticty of (long) message by protection of secrecy of (short) key Add MAC to the plaintext
This is an input to a MAC algorithm. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard for someone who does not know the secret key to compute the hash function on a new input.

CBC-MAC HMAC

7E6FD7198A198FB3C

48

MAC algorithms

Clear text

MAC

Clear text

Clear text

VER IFY

Clear text

49

Data authentication: MAC algorithms

typical MAC lengths: 32..96 bits
Forgery attacks: 2m steps with m the MAC length in bits

typical key lengths: (56)..112..160 bits

Exhaustive key search: 2k steps with k the key length in bits

birthday attacks: security level smaller than expected

50

MAC algorithms
Banking: CBC-MAC based on triple-DES Internet: HMAC and CBC-MAC based on AES

information theoretic secure MAC algorithms (authentication codes):

highly efficient rather long keys part of the key refreshed per message
51

CBC-MAC based on AES

P1 P2 P3

AES
C1
security level: 264

AES
C2

AES
C3

AES
select leftmost 64 bits
52

Data authentication: MDC

MDC (manipulation detection code) Protect short hash value rather than long text
This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).

(MD5) (SHA-1), SHA256, SHA-512 RIPEMD-160

1A3FD4128A198FB3CA345932

53

MDC Security requirements (n-bit result)

preimage 2nd preimage x
collision

? h
h(x)

? h

?
h

? h

h
h(x)

= h(x)
2n

=
2n/2

2n

Data authentication: MDC

n-bit result preimage resistance: for given y, hard to find input x such that h(x) = y (2n operations) 2nd preimage resistance: hard to find x x such that h(x) = h(x) (2n operations) Collision resistance: hard to find (x,x) with x x such that h(x) = h(x) (2n/2 operations)

55

MD5 and SHA-1

SHA-1:
(2nd) preimage 2160 steps collisions 280 steps

60 M$ for 1 year

MD5

Shortcut: Aug. 2007: 260 steps

(2nd) preimage 2128 steps collisions 264 steps

15 K$ for 1 month Shortcut: Aug. 2004: 239 steps (today: seconds)

56

Public-key cryptology
the problem public-key encryption digital signatures an example: RSA advantages of public-key cryptology

57

Limitation of symmetric cryptology

Reduce security of information to security of keys

But: how to establish these secret keys?

Cumbersome and expensive Or risky: all keys in 1 place

Do we really need to establish secret keys?

58

Public key cryptology: encryption

Clear text

CRYP TOB OX

%^C& @&^(

%^C& @&^(

CRYP TOB OX

Clear text

Public key

Private key
59

Public key cryptology: digital signature

Clear text

SIGN

Clear text

Clear text

VER IFY

Clear text

Private key

Public key
60

A public-key distribution protocol: Diffie-Hellman

Before: Alice and Bob have never met and share no secrets; they know a public system parameter

generate x compute x compute k=( y)x

x
y

generate y compute y compute k=( x) y

After: Alice and Bob share a short term key k Eve cannot compute k : in several mathematical structures it is hard to derive x from x (this is known as the discrete logarithm problem)
61

RSA (78)
Choose 2 large prime numbers p and q modulus n = p.q compute (n) = lcm(p-1,q-1) choose e relatively prime w.r.t. (n) compute d = e-1 mod (n) The security of RSA is
based on the fact that it is easy to generate two large primes, but that it is hard to factor their product

public key = (e,n) private key = d of (p,q) encryption: c = me mod n decryption: m = cd mod n

try to factor 2419

62

Factorisation records
1 digit ~3.3 bits
200 180 160 140 120 100 80 60 40 20 0 64 68 72 76 80 84 88 92 96 100 104 2000
63

Size (digits) Effort (log)

663 bits 512 bits

4-channel Varian spectrometer

Picture of the11.7 T Oxford magnet, lab

room temperature bore

15=5x3
grad students in sunny California...
64

Advantages of public key cryptology

Reduce protection of information to protection of authenticity of public keys Confidentiality without establishing secret keys
extremely useful in an open environment

Data authentication without shared secret keys: digital signature

sender and receiver have different capability third party can resolve dispute between sender 65 and receiver

Disadvantages of public key cryptology

Calculations in software or hardware two to three orders of magnitude slower than symmetric algorithms Longer keys: 1024 bits rather than 56128 bits What if factoring is easy?

66

Crypto software libraries

C/C#
Botan Cryptlib Crypto Libgcrypt Miracl OpenSSL

Java
SunJCA/JCE BouncyCastle (BC) CryptixCrypto FlexiProvider GNU Crypto IAIK RSA JSafe

BouncyCastle (BC#)

Reading material
B. Preneel, Modern cryptology: an introduction.
This text corresponds more or less to the second half of these slides It covers in more detail how block ciphers are used in practice, and explains how DES works. It does not cover identification, key management and application to network security.
68

Selected books on cryptology

D. Stinson, Cryptography: Theory and Practice, CRC Press, 3rd Ed., 2005. Solid introduction, but only for the
mathematically inclined.

A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997. The bible of modern cryptography. Thorough and

complete reference work not suited as a first text book. Freely available at http://www.cacr.math.uwaterloo.ca/hac

N. Smart, Cryptography, An Introduction: 3rd Ed., 2008. Solid and up to date but on the mathematical side.
Freely available at http://www.cs.bris.ac.uk/~nigel/Crypto_Book/

B. Schneier, Applied Cryptography, Wiley, 1996.

Widely popular and very accessible make sure you get the errata.

Other authors: Johannes Buchmann, Serge Vaudenay

69

Books on network security and more

W. Stallings, Network and Internetwork Security: Priniples and Practice, Prentice Hall, 2004. Solid
background on network security. Explains basic concepts of cryptography. Tends to confuse terminology for decrypting and signing with RSA.

Nagand Doraswamy, Dan Harkins, IPsec - The New Security Standard for the Internet, Intranets, and Virtual Private Networks, Prentice Hall, 1999. A well
written overview of the IPsec protocol (but now outdated).

W. Diffie, S. Landau, Privacy on the line. The politics of wiretapping and encryption, MIT Press, 2007. The best book so far on the intricate politics of the
field.
70

More information: some links

IACR (International Association for

Cryptography faq: Counterpane links:

71