Processing with Block Ciphers. CSC/ECE 574 Computer and Network Security. Issues (Cont d) Issues for Block Chaining Modes. Electronic Code Book (ECB)

Transcription

1 rocessing with Block iphers S/ 574 omputer and Network Security Topic 3.2 Secret ryptography Modes of Operation Most ciphers work on blocks of fixed (small) size How to encrypt long messages? Modes of operation B (lectronic ode Book) B (ipher Block haining) OFB (Output Feedback) FB (ipher Feedback) TR (ounter) S/ 574 r. eng Ning 1 S/ 574 r. eng Ning 2 Issues for Block haining Modes Information leakage oes it reveal info about the plaintext blocks? iphertext manipulation an an attacker modify ciphertext block(s) in a way that will produce a predictable/desired change in the decrypted plaintext block(s)? Note: assume the structure of the plaintext is known, e.g., first block is employee #1 salary, second block is employee #2 salary, etc. Issues (ont d) arallel/sequential an blocks of plaintext (ciphertext) be encrypted (decrypted) in parallel? rror propagation If there is an error in a plaintext (ciphertext) block, will there be an encryption (decryption) error in more than one ciphertext (plaintext) block? S/ 574 r. eng Ning 3 S/ 574 r. eng Ning 4 lectronic ode Book (B) B ecryption laintext iphertext The easiest mode of operation; each block is independently encrypted S/ 574 r. eng Ning 5 ach block is independently decrypted S/ 574 r. eng Ning 6

2 B roperties oes information leak? an ciphertext be manipulated profitably? arallel processing possible? o ciphertext errors propagate? M 1 M 24 M 3 M S/ 574 r. eng Ning 7 ipher Block haining (B) Initialization Vector haining dependency: each ciphertext block depends on all preceding plaintext blocks S/ 574 r. eng Ning 8 Initialization Vectors Initialization Vector () Used along with the key; not secret For a given plaintext, changing either the key, or the, will produce a different ciphertext Why is that useful? generation and sharing Random; may transmit with the ciphertext Incremental; predictable by receivers S/ 574 r. eng Ning 9 B ecryption Initialization Vector How many ciphertext blocks does each plaintext block depend on? S/ 574 r. eng Ning 10 B roperties oes information leak? Identical plaintext blocks will produce different ciphertext blocks an ciphertext be manipulated profitably? arallel processing possible? no (encryption), yes (decryption) o ciphertext errors propagate? yes (encryption), a little (decryption) Output Feedback Mode (OFB) Initialization Vector seudo-random Number Generator one-time pad S/ 574 r. eng Ning 11 S/ 574 r. eng Ning 12

3 OFB ecryption one-time pad No block decryption required! S/ 574 r. eng Ning 13 OFB roperties oes information leak? identical plaintext blocks produce different ciphertext blocks an ciphertext be manipulated profitably? arallel processing possible? no (generating pad), yes (XORing with blocks) o ciphertext errors propagate? S/ 574 r. eng Ning 14 OFB (ont d) ipher Feedback Mode (FB) If you know one plaintext/ciphertext pair, can easily derive the one-time pad that was used i.e., should not reuse a one-time pad! onclusion: must be different every time iphertext block j depends on all preceding plaintext blocks S/ 574 r. eng Ning 15 S/ 574 r. eng Ning 16 FB ecryption FB roperties No block decryption required! oes information leak? Identical plaintext blocks produce different ciphertext blocks an ciphertext be manipulated profitably? arallel processing possible? no (encryption), yes (decryption) o ciphertext errors propagate? S/ 574 r. eng Ning 17 S/ 574 r. eng Ning 18

4 ounter Mode (TR) M 1 M 2 M 3 TR Mode roperties oes information leak? Identical plaintext block produce different ciphertext blocks an ciphertext be manipulated profitably arallel processing possible Yes (both generating pad and XORing) o ciphertext errors propagate? Allow decryption the ciphertext at any location Ideal for random access to ciphertext S/ 574 r. eng Ning 19 S 474 r. eng Ning 20 Stronger S S/ 574 omputer and Network Security Major limitation of S length is too short an we apply S multiple times to increase the strength of encryption? Topic 3.3 Secret ryptography Triple S S/ 574 r. eng Ning 21 S/ 574 r. eng Ning 22 ouble ncryption with S ncrypt the plaintext twice, using two different S keys Total key material increases to 112 bits is that the same as key strength of 112 bits? ncryption ecryption X 1 2 X Observation: X= 1 {}= {} oncerns About ouble S Wasn t clear at the time if S was a group (it s not) If it were, then k2 (k1()) k3 (), for all Not good? ossible attack (better than brute force): meet-in-the-middle A chosen plaintext attack S/ 574 r. eng Ning 23 S/ 574 r. eng Ning 24

5 The Meet-in-the-Middle Attack 1. hoose a plaintext and generate ciphertext, using double-s with + 2. Then a. encrypt using single-s for all possible 2 56 values 1 to generate all possible single-s ciphertexts for : X 1,X 2,,X 2 56 ; store these in a table indexed by ciphertex values b. decrypt using single-s for all possible 2 56 values 2 to generate all possible single-s plaintexts for : Y 1,Y 2,,Y 2 56 ; for each value, check the table Steps (ont d) 3. Meet-in-the-middle: each match (X i = Y j ) reveals a candidate keypair i + j there should be approx. (2 112 / 2 ) = 2 48 such pairs for one value of (,) possible keys, but there are only 2 X s 4. Repeat the above, for a second plaintext/ciphertext pair (, ), and find those 2 48 candidate keypairs i + j Why 2 48 (another view)? The table contains only 2 56 /2 = 1/2 8 of all possible -bit values there are 2 56 entries X i for each X i, there is only 1/2 8 chance there is a matching Y i S/ 574 r. eng Ning 25 S/ 574 r. eng Ning 26 Steps (ont d) 5. Look for an identical candidate keypair that produces collisions for both (,) and (, ) the probability the same candidate keypair occurs for both plaintexts, but is not the keypair used in the double-s encryption: 2 48 / 2 = 2-16! An expensive attack (computation + storage) still, enough of a threat to discourage use of double-s Why 2-16? there are about 2 48 candidate keypairs i + j at most one is +, the rest are imposters if i + j is an imposter, the probability using i + j that ( ) = ( ) is 1/2 S/ 574 r. eng Ning 27 Triple ncryption (Triple S-) ncryption ecryption Why not --? again, wasn t clear if S was a group Apply S encryption/decryption three times why not 3 different keys? why not the same key 3 times? 1 2 S/ 574 r. eng Ning 28 1 Triple S (ont d) 3S-: Outside haining Mode Widely used equivalent strength to using a 112 bit key strength about against M-I-T-M attack However: inefficient / expensive to compute one third as fast as S on the same platform, and S is already designed to be slow in software Next question: how is block chaining used with triple-s? S/ 574 r. eng Ning 29 What basic chaining mode is this? S/ 574 r. eng Ning 30

6 3S-: OM ecryption OM roperties S/ 574 r. eng Ning 31 oes information leak? identical plaintext blocks produce different ciphertext blocks an ciphertext be manipulated profitably? arallel processing possible? no (encryption), yes (decryption) o ciphertext errors propagate? S/ 574 r. eng Ning 32 3S-: Inside haining Mode 3S-: IM ecryption S/ 574 r. eng Ning 33 S/ 574 r. eng Ning 34 3S-: Inside haining Mode 3-S : IM ecryption S/ 574 r. eng Ning 35 S/ 574 r. eng Ning 36

7 Message Authentication S/ 574 omputer and Network Security Topic 3.4 Secret ryptography MA with Secret iphers ncryption easily provides confidentiality of messages only the party sharing the key (the key partner ) can decrypt the ciphertext How to use encryption to authenticate messages? That is, prove the message was created by the key partner prove the message wasn t modified by someone other than the key partner S/ 574 r. eng Ning 37 S/ 574 r. eng Ning 38 Approach #1 The quick and dirty approach If the decrypted plaintext looks plausible, then conclude ciphertext was produced by the key partner i.e., illegally modified ciphertext, or ciphertext encrypted with the wrong key, will probably decrypt to random-looking data But, is it easy to verify data is plausiblelooking? What if all data is plausible? S/ 574 r. eng Ning 39 Approach #2: laintext+iphertext Sender Send plaintext and ciphertext receiver encrypts plaintext, and compares result with received ciphertext forgeries / modifications easily detected any problems / drawbacks? Receiver S/ 574 r. eng Ning 40 ompare Accept /Reject Approach #3: Use Residue ncrypt plaintext using S B mode, with set to zero the last (final) ciphertext output block is called the residue = RSIU S/ 574 r. eng Ning 41 Approach #3 (ont d) Sender Transmit the plaintext and this residue receiver computes same residue, compares to the received residue forgeries / modifications highly likely to be detected Residue only Receiver ompare Residue only S/ 574 r. eng Ning 42

8 Message Authentication odes MA: a small fixed-size block (i.e., independent of message size) generated from a message using secret key cryptography also known as cryptographic checksum Requirements for MA 1. Given M and MA(M), it should be computationally infeasible (expensive) to construct (or find) another message M such that MA(M ) = MA(M) 2. MA(M) should be uniformly distributed in terms of M for randomly chosen messages M and M, ( MA(M)=MA(M ) ) = 2 -k, where k is the number of bits in the MA S/ 574 r. eng Ning 43 S/ 574 r. eng Ning 44 Requirements (cont d) 3. nowing MA(M1), MA(M2),... of some (known or chosen) messages M1, M2,..., it should be computationally infeasible for an attacker to find the MA of some other message M S.. rypto for onfidentiality AN Authenticity? So far we ve got confidentiality (encryption), or authenticity (MAs) an we get both at the same time with one cryptographic operation? S/ 574 r. eng Ning 45 S/ 574 r. eng Ning 46 Attempt #1 Attempt #1 (ont d) 1. Sender computes an error-correcting code or Frame-heck Sequence (FS) F() of the plaintext 2. Sender concatenates and F() and encrypts i.e., = ( F() ) 3. Receiver decrypts received ciphertext using, to get F 4. Receiver computes F( ) and compares to F to authenticate received message = How does this authenticate? Sender F() oncatenate FS F() { F()} The order (1) FS, then (2) encryption is critical why not (2), then (1)? Subtle weaknesses known in this approach, so not preferred Receiver F FS ompare F( ) S/ 574 r. eng Ning 47 S/ 574 r. eng Ning 48

9 Attempt #2 1. ompute residue (MA) using key 2. ncrypt plaintext message M using key to produce 3. Transmit MA to receiver 4. Receiver decrypts received with to get 5. Receiver computes MA( ) using, compares to received MA S/ 574 r. eng Ning 49 Attempt #2 (cont d) Sender Residue only Good (cryptographic) quality, but xpensive! Two separate, full encryptions with different keys are required Receiver Residue MA only ompare S/ 574 r. eng Ning 50 Summary 1. B mode is not secure B most commonly used mode of operation 2. Triple-S (with 2 keys) is much stronger than S usually uses in Outer haining Mode 3. MAs use crypto to authenticate messages at a small cost of additional storage / bandwidth but at a high computational cost S/ 574 r. eng Ning 51