Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Preview:

DESCRIPTION

Second session in the Applied Cryptography course held at the AMC Theater in Tyson's Corner (http://www.mightbeevil.com/crypto). Topics: generating keys for symmetric ciphers (randomness); cipher modes; using symmetric ciphers for authentication; password management.

Citation preview

Stephen Kleene

Microstrategy Course, 11 October 2013

Engineering Cryptographic Applications

Day 2: Using (and Misusing) Symmetric Ciphers

David Evans, University of Virginia, www.cs.virginia.edu/evans

Engineering Crypto Applications 3

Recap: Symmetric Encryption

evans@virginia.edu

[Diagram: Plaintext → AES (Key) → Ciphertext → Insecure Channel → Ciphertext → AES (Key) → Plaintext]

Correctness property: for all possible messages m, D(E(m)) = m

Security property: given c = E(m), it is “hard” to learn anything interesting about m.

“hard” = if correctly implemented and used, even the NSA can’t do it unless they have made dozens of theoretical breakthroughs or have energy comparable to Trillions of massive nuclear explosions


Today: Using Symmetric Encryption


1. How to generate a good (unpredictable) key: randomness

2. How to use symmetric encryption to do more interesting things than just send one block: building an encrypted file server


Generating Randomness


01011000011110110000111011101000000001110110000000111011011001011111001101111001000001110000001110111000000011101010010001010000010100001001110111011111111001100010110101000000100110011100011000001101010000111001011001101110101111110110000010010111011010000000110110110011101100100101101001110111110100010001100011011000110001001101001010001110101000010010101001010100110001011000010000000001100010110111111010010100101000110011010110011101011001111001000000101111

01011010011010110000111011101010001001110110001000111011011001011011001101101001001001110010001110111001000011101010010001010100010100001001110111011010111001100010110101010000100110011100011001001101010000111001011001101110101110110110100010010111011010010000110110110011101100100101101001110110110100010001100011011000110001001101001010001110101000010010101001010100110001011000010010001001100010110110111010010100101000110011010110011101011001101001000100101111

Which is random?


First sequence: C1 from the Puzzle Challenge (generated with Crypto.Random). It is the random one, long runs and all.

Second sequence: C1 with every run of 5 or more repeated symbols modified. Breaking up the runs to make it "look" random introduces a predictable pattern.

Which is random?

[Figure: two bitmaps of random bits, one produced by PHP rand() (on Windows) and one by random.org (atmospheric noise). Source of images: http://boallen.com/random-numbers.html]

PHP rand() (on Windows)

random.org (atmospheric noise)

Which should you use to generate cryptographic keys?


Defining Non-Randomness

If you can find any predictable patterns in the sequence, it is definitely not random.


I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.

Supreme Court Justice Potter Stewart (on pornography)


Defining Randomness


Андрей Колмогоров (Andrey Kolmogorov)

(1903-1987)

For a sequence s, its Kolmogorov Complexity K(s) = the length of the shortest description of s.

A sequence s is random if K(s) = |s| + C, i.e., no description of s is shorter than s itself.

(This is a somewhat informal version. A real definition would need to be more careful about stating this asymptotically.)

“He was to probability theory what Euclid was to geometry.” (Peter Lax)

Kolmogorov Complexities

s = 000000000000000…
description = “N repeated 0s”
K(s) = log |s| + C1 < |s| + C

t = 010011000111000011110000011111…
description = “t = ""; int i, j; for (i = 1; i < N; i++) { for (j = 0; j < i; j++) t += '0'; for (j = 0; j < i; j++) t += '1'; }”
K(t) = log |t| + C2 < |t| + C


Kolmogorov Complexities


r = 010110000111101100001110111010000000011101100000001110110110010111110011011110010000011100000011101110000000111010100100010100000101000010011101110111111110011000101…

description = “from Crypto.Random import random
def random_sequence(n): return map(lambda x: random.choice([0, 1]), range(n))”
plus the state of the random module (and any entropy added during generation)

Hmmm…maybe answer from earlier slide was wrong!


If your mind isn’t blown yet…


What is the smallest natural number that cannot be described in eleven words?

“The smallest natural number that cannot be described in eleven words.”

Count them: (1) The (2) smallest (3) natural (4) number (5) that (6) cannot (7) be (8) described (9) in (10) eleven (11) words. The question is itself an eleven-word description of that number, so no such number can exist (the Berry paradox); this is why "shortest description" has to be defined relative to a fixed formal language.


Randomness is Essential

• Kolmogorov provides a definition of randomness but not a “useful” one: computing K(s) for an arbitrary s is undecidable (not just hard, theoretically impossible)

• Impossible for a program to generate true randomness: the output of a program has complexity no greater than the program itself (plus a constant), so a program cannot generate a sequence that is longer than itself and still random

• There are physical sources of randomness (or near randomness): quantum events, radioactive decay, thermal noise, lava lamps, key presses


Amplifying Physical Randomness: Pseudo-Random Number Generator

[Diagram: k0 = f(physical randomness); AES keyed with the current k produces an output block and the next key (k1, k2, k3, …); each stage yields one output]

Every once in a while, compute a new k using new physical randomness.


NIST SP 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2006)
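As an added example (my code, not from the slides or from NIST), the "amplify physical randomness" construction above written out as the HMAC_DRBG of SP 800-90A: a small seed from the OS entropy pool is expanded into as much output as needed, and a reseed folds in fresh physical randomness, as the diagram says to do "every once in a while". HMAC-SHA256 stands in for the AES block in the diagram; the class name, seed lengths and reseed interval are my choices, and the personalization-string and prediction-resistance options of the standard are left out.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
OUTLEN = HASH().digest_size  # 32 bytes


class HmacDrbg:
    """HMAC_DRBG (NIST SP 800-90A, Section 10.1.2) with SHA-256.

    State is (K, V). Physical randomness enters only through __init__ and
    reseed(); everything in between is deterministic expansion, which is the
    "amplification" on the slide. Illustrative code, not a validated module.
    """

    RESEED_INTERVAL = 1 << 20  # generate() calls allowed before a reseed is required

    def __init__(self, entropy: bytes, nonce: bytes = b"") -> None:
        if len(entropy) < 32:
            raise ValueError("need at least 256 bits of entropy to instantiate")
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + nonce)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, HASH).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data (if any) into K and V.
        self.K = self._hmac(self.V + b"\x00" + provided)
        self.V = self._hmac(self.V)
        if provided:
            self.K = self._hmac(self.V + b"\x01" + provided)
            self.V = self._hmac(self.V)

    def reseed(self, entropy: bytes) -> None:
        # "Every once in a while, compute a new k using new physical randomness."
        if len(entropy) < 32:
            raise ValueError("need at least 256 bits of entropy to reseed")
        self._update(entropy)
        self.reseed_counter = 1

    def generate(self, n_bytes: int) -> bytes:
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before more output")
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.V)   # each output block is HMAC(K, previous V)
            out += self.V
        self._update(b"")                  # old outputs do not reveal the new state
        self.reseed_counter += 1
        return out[:n_bytes]


def drbg_from_os_entropy() -> HmacDrbg:
    """Seed from the OS entropy pool, the 'physical randomness' in the diagram."""
    return HmacDrbg(os.urandom(32), os.urandom(16))
```

The security argument is the same as for the AES-based diagram: an attacker who sees outputs learns nothing about K, so cannot predict the next V, and an attacker who later captures the state cannot run it backwards past the last `_update`.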


Dual-EC PRNG


s0 = seed from physical randomness

Update internal state: s_{i+1} = φ(s_i × P)

P and Q are points on an elliptic curve; φ maps a point to the integer value of its x-coordinate.

Generate output bits: r_i = φ(s_i × Q); the output is r_i with its 16 most significant bits discarded.

Elliptic Curves

y² = x³ − 7 (mod p)

Addition: P + Q = the negation of the third point where the line through P and Q meets the curve

Multiplication: repeated addition, kP = P + P + … + P

Discrete values: x and y are integers (mod p)!

[Figure: the curve with points P, Q and P + Q marked]

Elliptic curves are primarily used in asymmetric crypto, but also in Dual EC PRNG.

Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.


Curve Used by Dual-EC PRNG


NIST P-256: y² = x³ + ax + b (mod p)
p = 2^256 − 2^224 + 2^192 + 2^96 − 1
a = p − 3 = 115792089210356248762697446949407573530086143415290314195533631308867097853948
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291

Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.


Why would anyone use Elliptic Curves as basis for PRNG?

• Easier to plant a back-door in it than in designs based on symmetric ciphers

• Can be used to provide provable security properties based on number theory (but this was not done for Dual EC PRNG)


Dual-EC PRNG Proposed as NIST standard (2005)


s0 = seed from randomness

Update internal state: s_{i+1} = φ(s_i × P)

P and Q are (random?) points on P-256.

Generate output bits: r_i = φ(s_i × Q); the output is r_i with its 16 most significant bits discarded.


OpenSSL-FIPS Implementation (using NIST P and Q values)

Image credit: Matthew Green


“Rump session” talk at CRYPTO 2007 (Dan Shumow and Niels Ferguson):

Whoever chooses Q can choose it such that Q = dP for a d only they know. Then it is easy to find e such that P = eQ (e = d⁻¹ mod the order of P), and with e it is easy to learn the state of the PRNG from just one output: lift the output back to the point R = s_i × Q, and e × R = s_i × P is the next state.
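To make the rump-session observation concrete, here is an added example (my code, not from the slides or from Shumow and Ferguson) that implements the slide's generator on a tiny curve y² = x³ − 7 over p = 1019 and then plays the role of whoever chose Q = dP. The curve size, the base-point search, the seeds, and the decision to output the whole x-coordinate are simplifications of mine; the real Dual EC drops the top 16 bits of each output, which only costs the attacker up to 2^16 trial point recoveries per output.

```python
from itertools import count
from math import gcd
from typing import Optional, Tuple

# Toy curve y^2 = x^3 - 7 over F_p with a tiny p (assumption: nothing like P-256).
# p % 4 == 3 makes square roots a single modular exponentiation.
P_MOD = 1019
A, B = 0, (-7) % P_MOD

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


def add(p1: Point, p2: Point) -> Point:
    """Chord-and-tangent addition: the negated third intersection of the line."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                  # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k: int, pt: Point) -> Point:
    """kP by double-and-add (repeated addition, done in log k steps)."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def x_coord(pt: Point) -> int:
    """phi on the slides: a point's x-coordinate as an integer."""
    if pt is None:
        raise ValueError("point at infinity has no x-coordinate")
    return pt[0]


def lift_x(x: int) -> Point:
    """Recover a point from its x-coordinate; the other candidate is its negation."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if (y * y) % P_MOD != rhs:
        raise ValueError("no point with that x-coordinate")
    return (x, y)


def order(pt: Point) -> int:
    """Order of pt by brute force (fine on a 10-bit curve)."""
    n, cur = 1, pt
    while cur is not None:
        cur, n = add(cur, pt), n + 1
    return n


def make_backdoored_params(d_start: int = 7) -> Tuple[Point, Point, int, int]:
    """Play the standard's author: pick base point P and a secret d coprime to
    ord(P); publish Q = dP; keep e = d^-1 mod ord(P), so eQ = P. Returns (P, Q, d, e)."""
    for x in range(1, P_MOD):
        try:
            base = lift_x(x)
        except ValueError:
            continue
        if order(base) > 50:        # skip tiny subgroups so the demo is not degenerate
            break
    n = order(base)
    d = next(c for c in count(d_start) if gcd(c, n) == 1)
    return base, mul(d, base), d, pow(d, -1, n)


class DualEC:
    """The generator on the slide: s_{i+1} = phi(s_i P), r_i = phi(s_i Q).
    Outputs the whole x-coordinate; real Dual EC drops its top 16 bits first."""

    def __init__(self, seed: int, P: Point, Q: Point) -> None:
        self.s, self.P, self.Q = seed, P, Q

    def next_output(self) -> int:
        r = x_coord(mul(self.s, self.Q))
        self.s = x_coord(mul(self.s, self.P))
        return r


def recover_next_state(r: int, e: int) -> int:
    """Shumow-Ferguson: lift one output r to R = +/- s_i Q, then
    x(eR) = x(s_i eQ) = x(s_i P) = s_{i+1}; every later output follows from it."""
    return x_coord(mul(e, lift_x(r)))
```

Note what the defence would have been: if Q had been generated verifiably at random (for instance as a hash of a published string), nobody could know d, and recovering s_i from x(s_i Q) would be exactly the elliptic curve discrete logarithm problem from the previous slides.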


Shumow and Ferguson’s conclusion:


Snowden Leak (5 September 2013): 2013 Intelligence Budget Request ($250M)

[Image: excerpt from the 2013 Intelligence Budget Request]


September 2013


Randomness Summary

• All cryptosystems depend on randomness
• No way to test if a value is really random
• Physical randomness is limited: need algorithms to amplify physical randomness
• If your pseudorandom numbers are predictable, all is (almost always) lost


Building an Encrypted File System


Scenario

• Documents about plan to overthrow government stored on (easily-stolen) device

• Password/biometric-protected (assume that works, for now)

evans@virginia.edu

Data should not be readable to someone who steals the device and can physically extract its non-volatile (flash) storage

Electronic Codebook Mode (ECB)

[Diagram: declaration.txt is divided into 128-bit blocks (block 1, block 2, block 3, block 4, …, block n−1, block n); each block is encrypted separately with AES under the same key k, giving ciphertext blocks 1 … n]

If two blocks have the same plaintext, with ECB they have the same ciphertext!


Block Size

128 bits = 16 bytes: "Benjamin Frankli" (16 characters)

[Figure: the same 16-byte block appearing in declaration.txt, pennsylvannians.txt, Mail and Almanack]


Time-Space Tradeoffs

No-memory brute-force attack: known crib → AES under a candidate key → compare with the known ciphertext. Try all keys until you find one that fits.

Memory: 0
Time: 2^127 encryptions on average (~1T nuclear mega-bombs)


Time-Space Tradeoffs

No-time (not quite) brute-force attack: pre-compute a table

key        AES_key(crib)
000…000    4d7b9328a582c
000…001    7ebc5137da5ff2
…          …              (sort by ciphertext)

Break an intercepted ciphertext message: one table lookup!

Time: 1
Memory: 2^132 bytes (~$2 decillion, 10^33)


Combination: Rainbow Tables

[Diagram: chains of length 2^64, each step encrypting the known crib under the current key and reducing the ciphertext to the next key; only the start and end point of each chain are stored]

Won't quite work like this for AES, but with some more tricks.

Time: 2^64
Memory: 2^68 bytes (~$137 trillion)


NSA Meltdown?

“Experts estimate the new center in Utah can store data by the exabyte or zettabyte.” (Actual amount is highly classified.)

Cipher Block Chaining Mode (CBC)

[Diagram: block 1 XOR Initialization Vector → AES_k → ciphertext block 1; block 2 XOR ciphertext block 1 → AES_k → ciphertext block 2; block 3 XOR ciphertext block 2 → AES_k → ciphertext block 3; block 4 XOR ciphertext block 3 → AES_k → ciphertext block 4]

+ Avoids leaking repeated plaintexts
− Cannot encrypt in parallel

Counter Mode (CTR)

[Diagram: AES_k(Nonce ‖ 00000000) XOR block 1 → ciphertext block 1; AES_k(Nonce ‖ 00000001) XOR block 2 → ciphertext block 2; increase the counter for each block]

+ Avoids leaking repeated plaintexts
+ Can encrypt and decrypt in parallel
⁇ Systematic input: AES is applied to the predictable nonce‖counter values, not to the data (safe as long as a nonce is never reused under the same key)
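As an added example that is not from the slides, the three modes above written out in Python, with a four-round Feistel network keyed by HMAC-SHA256 standing in for AES so that it runs with the standard library alone (the Feistel cipher, the helper names and the 16-byte sample text are mine). Beyond the slides, it also shows what the question that follows is really asking: if the per-file nonce is reused for two files under the same key, the XOR of the two ciphertexts is the XOR of the two plaintexts.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as with AES
ROUNDS = 4  # four Feistel rounds give a strong pseudorandom permutation (Luby-Rackoff)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_k on one 16-byte block (a keyed Feistel permutation)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block encrypted independently; equal blocks give equal ciphertext."""
    assert len(plaintext) % BLOCK == 0, "demo has no padding"
    return b"".join(block_encrypt(key, b) for b in _blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block first."""
    assert len(plaintext) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream = E_k(nonce || counter); the same call encrypts and decrypts.
    Blocks are independent, so this parallelises; any length works (no padding)."""
    assert len(nonce) == 8
    out = []
    for i, b in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(_xor(b, keystream))   # zip() inside _xor trims a short final block
    return b"".join(out)


def distinct_blocks(ciphertext: bytes) -> int:
    """How many different 16-byte ciphertext blocks appear (ECB leaks the repeats)."""
    return len(set(_blocks(ciphertext)))


# Constructed sample: "Benjamin Frankli" is exactly one 16-byte block, as on the slides.
SAMPLE = b"Benjamin Frankli" * 4 + b"n, Philadelphia "
```

With `SAMPLE`, `distinct_blocks(ecb_encrypt(key, SAMPLE))` is 2 while the CBC ciphertext has all five blocks distinct; with CTR, encrypting two different files under the same key and nonce lets anyone XOR the ciphertexts to get the XOR of the plaintexts, which is why the per-file nonce has to be stored and never reused.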


How should our young subversive store master key k and (per-file) nonces?


Storing the Key (?)

[Diagram: master key k → AES keyed by a human-remembered 4-digit PIN (0704) → stored encrypted k]


Maybe this could work with a tamper-proof device?


R2B2: $200 robot that can try all 10000 four-digit PINs in < 20 hours


Higher Entropy Passwords

[Diagram: master key k → AES keyed by a human-remembered long password (44 bits of entropy) → stored encrypted k]

Scaling Work

[Diagram: master key k → AES applied 1000 times, keyed by a human-remembered long password (44 bits of entropy) → stored encrypted k; repeat 1000 times]

Time for one AES: 10 ms. Time for 2^44 AESs: 5000 years (or 2 days with 1M× computing power).

Time for 1000× AES: 10 s. Time for 2^44 × 1000× AES: 5M years.


Scaling to a Web Service


http://epetitions.direct.gov.uk/


http://petitions.whitehouse.gov

Early Password Schemes

UserID     Password
benf       flyakite
samadams   beer
tj         Monti07cello04
…          …

Login: tj
Password: wahoo
Failed login. Guess again.

authentication check: guess == users[userID].password

FAIL: someone who gets the password file learns all passwords

Encrypted Passwords Scheme

Master key K; store passwords encrypted using K

UserID     Password
benf       AES_K(flyakite)
samadams   AES_K(beer)
tj         AES_K(Monti07cello04)
…          …

authentication check: AES_K(guess) == users[userID].password

FAIL: someone who gets the password file and K learns all passwords

Hashed Passwords Scheme

Store passwords by using them as the key to encrypt 0

UserID     Password
benf       AES_flyakite(0)
samadams   AES_beer(0)
tj         AES_Monti07cello04(0)
…          …

authentication check: AES_guess(0) == users[userID].password

Variant: master key K; store passwords by using them to encrypt K

UserID     Password
benf       AES_flyakite(K)
samadams   AES_beer(K)
tj         AES_Monti07cello04(K)
…          …

authentication check: AES_guess(K) == users[userID].password

FAIL


“If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.


At least 86% of users are dumb (Morris/Thompson 79):

Single ASCII character              0.5%
Two characters                      2%
Three characters                    14%
Four alphabetic letters             14%
Five same-case letters              21%
Six lowercase letters               18%
Words in dictionaries or names      15%
Other (possibly good passwords)     14%


Dictionary Attacks

Seed list:
- All 1-4 letter words
- List of common (dog) names
- Words from dictionary (4M words, 20+ languages)
- Phone numbers, dates, etc.

Rules for generating passwords:
- Combining words from seed list
- Inserting numbers, symbols
- Replacing “l” with “1”, “ate” with “8”, etc.
- Anything written in any popular password advice document!

http://www.openwall.com/john/


Aside: My 3-Word Password Advice

Unimportant passwords: use “silly” (protect the service, not the user)

Important passwords: write them down (but somewhat obfuscated and in a secure place). If you can memorize it, it is not secure! (unless you have a well-trained memory)


Making Dictionary Attacks Harder

UserID     Password
benf       AES_flyakite(0)
samadams   AES_beer(0)
tj         AES_Monti07cello04(0)
…          …

1. Use a more expensive cryptographic hash function (iterate AES 1000 times):

UserID     Password
benf       AES^1000_flyakite(0)
samadams   AES^1000_beer(0)
tj         AES^1000_Monti07cello04(0)

2. Add “salt”: a randomly selected (but non-secret) value for each user:

UserID     Salt (16 bits)   Password
benf       52455            AES^1000_flyakite(52455)
samadams   50757            AES^1000_beer(50757)
tj         47101            AES^1000_Monti07cello04(47101)
…          …                …

AES × 1000 makes a dictionary attack 1000 times harder. A 16-bit salt makes a dictionary attack against all users 2^16 times harder (one precomputed table no longer covers everyone, and equal passwords no longer have equal entries), but it doesn't make a targeted attack against one user harder.
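An added example (my code, not from the slides or from any of the sites pictured) that puts the "Scaling Work" idea and the two countermeasures above together as a small password store: a per-user random salt plus an iterated hash, using hashlib.pbkdf2_hmac where the slides iterate AES with the password as key, and a constant-time comparison at login. It then runs a small John-the-Ripper-style dictionary attack against the stored records to show that the work factor, not secrecy of the file, is what protects a weak password. The user names and passwords are the slides' examples; the wordlist, the mangling rules, the 128-bit salt and the 1000-iteration count are my choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Iterator, Optional, Tuple

ITERATIONS = 1000   # the slides' "repeat 1000 times"; real deployments use far more
SALT_BYTES = 16     # 128-bit salt; a 16-bit salt only buys 2^16 against precomputation

Record = Tuple[bytes, bytes]   # (salt, stretched password)


def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated keyed hash of the password; the slides' AES^1000_password(salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def enroll(db: Dict[str, Record], user: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)  # random, non-secret, different for every user
    db[user] = (salt, stretch(password, salt))


def check_login(db: Dict[str, Record], user: str, guess: str) -> bool:
    """authentication check: stretch(guess, salt) == stored, compared in constant time."""
    salt, stored = db.get(user, (b"\x00" * SALT_BYTES, b"\x00" * 32))
    candidate = stretch(guess, salt)        # do the work even for unknown users
    return user in db and hmac.compare_digest(candidate, stored)


def mangle(words: Iterable[str]) -> Iterator[str]:
    """A few rules in the style of John the Ripper's wordlist mode."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w.replace("l", "1").replace("a", "4")
        for n in range(100):
            yield f"{w}{n:02d}"


def dictionary_attack(db: Dict[str, Record], user: str, words: Iterable[str]) -> Optional[str]:
    """Offline attack with the stolen file. One stretch() per candidate per user:
    the salt stops the attacker from sharing that work across users."""
    salt, stored = db[user]
    for candidate in mangle(words):
        if stretch(candidate, salt) == stored:
            return candidate
    return None


def build_demo_db() -> Dict[str, Record]:
    db: Dict[str, Record] = {}
    for user, pw in [("benf", "flyakite"), ("samadams", "beer"), ("tj", "Monti07cello04")]:
        enroll(db, user, pw)
    return db


WORDLIST = ["ale", "beer", "kite", "monticello"]  # constructed for the demo
```

Against samadams the attack succeeds after a few hundred `stretch` calls; against tj it exhausts the wordlist and rules without a hit, and the only lever left to the attacker is raw compute, which the iteration count prices at 1000 AES-equivalents per guess. Enrolling two users with the same password produces two different records, so the file does not even reveal that they share one.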


Two Big Problems Remaining: 1. Users are still morons


Auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. “We were able to convince 35 managers and employees to provide us their username and change their password,” the report said.

GAO Audit of IRS (2005)

(Solving this is outside scope of this class.)


Two Big Problems Remaining: 2. Transmitting the password

[Diagram: TJ ↔ insecure channel ↔ petitions.gov]

How does TJ know he's really talking to petitions.gov? How can he establish a secure channel to transmit the password?


MightBeEvil.com/crypto

Plan for Next Week: solving these problems using asymmetric cryptography
- Public key cryptosystems
- Digital signatures
- Public key protocols (TLS)

Open to requests!


Recommended