Menu. Lecture 5: DES Use and Analysis. DES Structure Plaintext Initial Permutation. DES s F. S-Boxes 48 bits Expansion/Permutation

Transcription

1 Lecture : Use and nalysis Menu Today s manifest: on line only Review Modes of Operation ttacks CS: Security and rivacy University of Virginia Computer Science David Evans Return S Sept University of Virginia CS x Round Substitution ermutation Structure laintext Initial ermutation L R L R Sept University of Virginia CS L = left half of plaintext R = right half of plaintext L i = R i - R i = L i - (R i -, i ) C = R n L n n is number of rounds (undo last permutation) bits bits s Expand and ermute (using E table) n Substitute (using S boxes) bits ermutation Sept University of Virginia CS Expansion/ermutation bits bits Sept University of Virginia CS S-Boxes bits bits 7 more different S-boxes for bits 7- - Nothing secret about the S-Boxes (but they are confusing) Sept University of Virginia CS

2 Modes of Operation Transmitting a long plaintext using : Modes of Operation = N Electronic Codebook Mode: C = E ( ) E ( ) E ( N ) roblems: ny identical blocks encrypted identically bits = SCII characters Lots of ciphertext encrypted with same Sept University of Virginia CS 7 Sept University of Virginia CS IV Cipher Block Chaining C C Cipher Block Chaining C i = E ( i C i - ) C = E ( IV) Decrypt: M i = D (C i ) C i - M = D (C ) IV D (E ( i C i - )) C i = i C i - C i = i Sept University of Virginia CS 9 Sept University of Virginia CS Cipher eedback Mode Output eedback Mode IV shift IV shift C C C C Sept University of Virginia CS Sept University of Virginia CS

3 Cipher/Output eedback -bit transmission error ctive eavesdropper erformance Multiple Encryption Sept University of Virginia CS Sept University of Virginia CS Multiple Encryption C = E (E ()) Does it double the key space? Monoalphabetic cipher C i = [ [ i ]] = [ i ] for some Double-Vigenère C = E (E ()) Vigenère: C i = ( i + i mod N ) mod Z C i = (( i + i mod N mod Z) + i mod N ) mod Z = ( i + i mod N + i mod N ) mod Z if N = N: = ( i + i mod N ) mod Z ( = + ) what if N N? Sept University of Virginia CS Sept University of Virginia CS Double-Vigenère = "BOND" = "JMES" BONDBONDBONDBONDBONDBONDBOND +JMESJMESJMESJMESJMESJM =OZHTXNGWDNSMBRVOZHTXN Effective key length: LCM (N, N) = Double C = E (E ()) Is there a such that C = E ()? There are keys, and! mappings If is good, keys map randomly to mappings. robability that a randomly chosen mapping corresponds to a key: /! << /! Effective key size of Double? = * = WRONG! Sept University of Virginia CS 7 Sept University of Virginia CS

4 nown laintext ttack E E C try all possible keys try all possible keys E X Y X Y X Y One X i = Y j means = i and = j D C Meet-in-the-Middle ttack C = E (E ()) X = E () = D (C) Brute force attack (given one /C pair): calculate E () for all keys ( work) calculate D (C) for all keys ( work) the match gives the keys Total work = * = 7 Sept University of Virginia CS 9 Sept University of Virginia CS -ey Triple C = E (D (E ())) Why D not E? Backwards compatibility with If = : C = E (D (E ())) = E () ctual key size = + bits = bits Meet-in-the-middle? X = E () = D (E (C)) need to try How secure is Triple- Brute force search: keys Best attack: B keys/second.7 * years (compared to hours) years = total lifetime of universe (closed universe theory) Best known attack - reduces to -log n n = number of known -C pairs n =, work is Realistic? Sept University of Virginia CS Sept University of Virginia CS -ey Triple C = E (D (E ())) H() = Used by G, S/MIME How much work to brute-force? Meet-in-the-middle: X = D (C) = D (E ()) + ttacks Last time: brute force Best result: hours But no where near good enough for Differential Cryptanalysis ower Cryptanalysis Sept University of Virginia CS Sept University of Virginia CS

5 Differential Cryptanalysis [Biham & Shamir, 99] Choose plaintext pairs with fixed difference: X = X X Use differences in resulting ciphertext to guess key probabilities With enough work ( 7 ) and enough chosen plaintexts ( 7 ) can find key (compared to brute force work) Takes years of.mbps encrypting chosen plaintext! Sept University of Virginia CS X X bits bits E/ E/ X bits X bits S bits n X X X X X One Round X = X X X i = iff X i = X i E/ preserves values: X i = X ep(i) = X ep(i) S where ep(i) is a function defined by X bits the E table preserves values: X i = X i n X i = X i n X i = X ep(i) = X ep(i) Sept University of Virginia CS X X X S One Round, cont. S X X X i = X ep(i) = X ep(i) X X i = X i X p(i) = X p(i) S-boxes are non-linear! X i = X s(ep(i)) = X s(ep(i)) But, maybe they do probabilistically: X i = p(x s(ep(i)) = X s(ep(i)) ) >.? p(x s(ep(i)) = X s(ep(i)) ) <.? (nown from ciphertext) Its a function of the key: p determined experimentally. Sept University of Virginia CS 7 S-box: S bits: x x x x x x x x x x select column x x 7 9 B C D E E D B C E D C B 9 E D B C 9 7 C 9 7 B E D inputs to S produce :,,, Sept University of Virginia CS artial pair XOR Distribution, S S-box: S Input XOR Output XOR 7 9 B C D E E D 7 E C E D 9 7 B D B 7 9 B C C C B 9 C 9 7 B E D 9 E 7 D Difference in last input bit difference in output bits + = ( XOR = ) + = (B XOR = E) Sept University of Virginia CS 9 Sept University of Virginia CS

6 Differential Cryptanalysis ropagate experimental probabilities for round through rounds fter enough -C pairs, one key becomes most probable Difficulty depends heavily on S-Box choices irst published in 99, but NS knew about it in 97! Differential Cryptanalysis Successful on up to rounds (better than exhaustive search) By th round, characteristics probabilities are - Very successful on variants (breaks G with chosen plaintexts) Very successful on EL (EL-, EL-, EL-N, EL-NX, ) Sept University of Virginia CS Sept University of Virginia CS ower Consumption Current (m) Time (ms) Rounds 7 9 Detail: Round Round rom /technical/index.html Microprocessors use different amount of power depending on what they are doing! Sept University of Virginia CS Sept University of Virginia CS ower nalysis Scenario ttacker has physical device that encrypts and decrypts using a secret key Is this realistic? Smart Cards (Mondex) Sept University of Virginia CS Side Channel Cryptanalysis Regular Cryptanalysis: mathematical ttacker sees inputs, outputs Side Channel Cryptanalysis ttacker sees something else: power consumption, encryption/decryption time, radiation, etc. Depends on implementation of algorithm Sept University of Virginia CS

7 Measuring ower Consumption dd a resistor between power source and device, measure voltage across resistor I = V/R Can sample at over GHz with < % error ower Use Reveals ey Current for a left shift depends on leftmost bit: if, need to set rightmost bit after key schedule uses shifts, can tell bits in key! Current for XOR may depend on number of switches Sept University of Virginia CS 7 Sept University of Virginia CS Defenses Reduce signal hysical shielding, microprocessor design (make all shifts use same power, etc.) Introduce random noise Change execution order, do random computation, etc. Design cryptosystems with D in mind Nonlinear key updates between transactions Charge Continue thinking about project ideas Each project group should send me or talk to me by next week about what you are considering Next time: modern block ciphers Read ES papers before next class Sept University of Virginia CS 9 Sept University of Virginia CS 7