Introduction to Cybersecurity Cryptography (Part 3) · 2016-12-16 · Cryptography (Part 3) Prof. Dr. Michael Backes. Lecture Summary Blockciphers • Review of DES • Attacks on

Introduction to CybersecurityCryptography (Part 3)Prof. Dr. Michael Backes

Lecture Summary

Blockciphers

• Review of DES

• Attacks on Blockciphers

• Advanced Encryption Standard (AES)

• Modes of Operation

MACs and Hashes

• Message Authentication Codes

• Hash Functions

• Compression Functions

• Merkle-Damgård Construction

• MACs from Hashes

1Introduction to Cybersecurity 2016/17

Review: Block Ciphers


E

D

m

K

K

c:= E(K,m)

c m:= D(K,c)

Msg-block

Short, e.g.,128 bits

CT-block

Also 128 bits

CT-block Msg-block

Feistel Networks

3Foundations of Cybersecurity 2016

Ld Rd

+ fd

Ld-1 Rd-1

Round d

Ciphertext

Review: DES

L0 R0

L1 R1

+ f1

L16 R16

+ fd

L15 R15

...

Plaintext

IP

IP-1

Ciphertext


InitialPermutation

16 Rounds FeistelNetwork

Inverse ofInitial Permutation

Exhaustive Search Attacks

Most simple attack conceivable

Given:

- a few PT/CT pairs 𝑚1, 𝑐1 , 𝑚2, 𝑐2 , … , i.e., 𝑐𝑖 = 𝐸 𝐾,𝑚𝑖 for 𝑖 = 1,2, …and 𝑚𝑖 random elements from 0,1 𝑛

Goal: Total break, i.e., find 𝐾 such that 𝑐𝑖 = 𝐸(𝐾,𝑚𝑖) for all 𝑖.

Note: No stream ciphers would resist this setting: multiple encryptions with the same key!

Introduction to Cybersecurity 2016/17 5

Exhaustive Search Attacks for DES

How many PT/CT pairs until 𝐾 is uniquely determined?

Theorem: For DES, given one random PT/CT pair (𝑚, 𝑐), there is a unique

𝐾 such that 𝐸 𝐾,𝑚 = 𝑐 with very high prob. (≥ 1 −1

256).

“Proof” (only heuristic by idealizing DES into an ideal cipher: collection of 256 random permutations on 0,1 64):

[proof in the lecture notes]

Consequence: Exhaustive search is possible on DES given only one PT/CT pair


DES Challenge

Exhaustive Search Challenge set by RSA Security

𝑚 = “The unknown message is: ----------”

CT = 𝑐1 𝑐2 𝑐3 𝑐4 𝑐5

Originally 10.000$ for solving this challenge

1997: Internet search: 3 months

1998: EFF (3 days), spent 250K$

1999: 22 hours


Some ways of saving DES: For instance, Triple DES

Avoiding Exhaustive Search: Triple DES (3DES)

General Method: Let (𝐾, 𝐸, 𝐷) be a cipher

Let 𝑇𝐸 𝐾1, 𝐾2, 𝐾3 , 𝑚 ≔ 𝐸(𝐾3, 𝐷 𝐾2, 𝐸 𝐾1, 𝑚 )

Why not 3 times 𝐸? backwards compatibility

Problem: 3 times slower than 𝐸

Key size: 3 ⋅ 56 = 168 bits


Why not Double DES (2DES)?

E(K1,×)m cE(K2,×)

DE((K1,K2), m) := E(K2, E(K1, m))

Attack by “meet-in-the-middle”


Meet-in-the-middle Attack

D(𝐾21,c)

D(𝐾22, c)

D(𝐾23, c)

…. ….

D(𝐾2256, c)

Given PT/CT pair (m,c), c = E(K2, E(K1, m))1. Set up the following table:

Takes time 256, then sort right column of the table


𝐾2256

𝐾23

𝐾22

𝐾21

Why not Double DES (2DES)?

E(K1,×)m cE(K2,×)

DE((K1,K2), m) := E(K2, E(K1, m))



Meet-in-the-middle (cont’d)

2. For each K1 of {0,1}56:

- Test if E(K1,m) is in the right column of the table

- If in column, then E(K1,m) = D(K2j, c)

for some j Key = (K1, K2

j )

Total time for exhaustive search (ignoring log-factors): 256 + 256 = 257

Effective key length less than 57 bits


Meet-in-the-Middle on 3-DES

E(K1,×)m cE(K3,×)D(K2,×)

Can we do meet-in-the-middle for 3-DES?


Time for meet-in-the-middle on 3-DES: 2112

Effective key length of 3-DES ≤ 112 bits


Sophisticated Attacks on BC (cont’d)

1. Linear & differential cryptanalysis (more in the core lectures)

2. Implementation attack (side-channel attack)


Sophisticated Attacks on BC

1. Linear and differential cryptanalysis

Basic idea of linear cryptanalysis:Suppose for random m, K and c = E(K,m):

E.g., the 5th S-box of DES has bias = 2-21

r bits of m v bits of c u bits of K

Pr 𝑚𝑖1 ⊕𝑚𝑖2 ⊕⋯⊕𝑚𝑖𝑟 ⊕𝑐𝑗1 ⊕⋯⊕ 𝑐𝑗𝑣 ⊕𝐾𝑙1 ⊕⋯⊕𝐾𝑙𝑢 = 1 ≥ ൗ1 2 + 𝜀


Sophisticated Attacks on BC

1. Linear and differential cryptanalysis

Basic idea of linear cryptanalysis:

- Suppose for random m, K and c = E(K,m):

(holds for DES with = 2-21)

- Then it holds:

Theorem: Given 1/2 PT/CT pairs. Then

will hold with probability ≥ 97.7%

Pr 𝑚𝑖1 ⊕𝑚𝑖2 ⊕⋯⊕𝑚𝑖𝑟 ⊕ 𝑐𝑗1 ⊕⋯⊕ 𝑐𝑗𝑣 ⊕𝐾𝑙1 ⊕⋯⊕𝐾𝑙𝑢 = 1 ≥ ൗ1 2 + 𝜀

Pr 𝑚𝑖1 ⊕𝑚𝑖2 ⊕⋯⊕𝑚𝑖𝑟 ⊕ 𝑐𝑗1 ⊕⋯⊕ 𝑐𝑗𝑣 = 𝐾𝑙1 ⊕⋯⊕𝐾𝑙𝑢 ≥ ൗ1 2 + 𝜀

𝐾𝑙1 ⊕⋯⊕𝐾𝑙𝑢 = MAJ𝑃𝑇/𝐶𝑇 𝑚𝑖1 ⊕𝑚𝑖2 ⊕⋯⊕𝑚𝑖𝑟 ⊕ 𝑐𝑗1 ⊕⋯⊕ 𝑐𝑗𝑣


Linear Cryptanalysis on DES

For DES: = 2-21

Given 1/2 = 242 PT/CT pairs, we get Kl1...Klu

In the same way, we can deduce 14 “bits” of the key using various other relations

Then exhaustive search on the remaining 256/214 = 242 bits

Time needed:

- 242 steps for using linearity to deduce 14 bits

- 242 steps for exhaustive search on remaining key space

243 steps total

Conclusion: Don’t (seriously) design block ciphers yourself!




Power cryptanalysis


Power-Consumption of DES




Power cryptanalysis

Electromagnetic emanation

Timing

Sound

Do not even (seriously) implement ciphers!


Today: DES gone. AES new

AES: Advanced Encryption Standard

1997: NIST publishes CFP

1998: 165 submissions, 5 susceptible to attacks

1999: NIST chooses 5 finalists

2000: Rijndael selected as the winner

Key sizes: 128, 192, or 256 bits

Block sizes: 128 bits


Parameters of Rijndael and AES

AES: September 2000

Rijndael (secure for the next 10-20 years?):

- Flexible key sizes: 128, 192, or 256 bits

- Flexible block sizes: 128, 192 or 256 bits

AES: required Rijndael to use blocks of size 128 bits, keys of 128 bits typical


The Rijndael Cipher (for 128-bit Key)

Rijndael Key K:

Rijndael state A:

k0,0 k0,1 k0,2 k0,3

k1,0 k1,1 k1,2 k1,3

k2,0 k2,1 k2,2 k2,3

k3,0 k3,1 k3,2 k3,3

a0,0 a0,1 a0,2 a0,3

a1,0 a1,1 a1,2 a1,3

a2,0 a2,1 a2,2 a2,3

a3,0 a3,1 a3,2 a3,3

4x4 matrix

of bytes

4x4 matrix

of bytes


The Rijndael Cipher (cont’d)

1) SubBytes

2) ShiftRows

3) MoveColumns

4) AddRoundkey

A1Plaintext

Round 2A2

...

Round 10 A10

ciphertext

A0


Details on AES (cont’d)

AES round:

1. SubBytes: A[i,j] s-box(A[i,j])


Details on AES

SubBytes: non-linear substitution step, each byte replaced according to a lookup table

S = 8-bit lookup table (Matrix from GF(28))



AES round:

1. SubBytes: A[i,j] s-box(A[i,j])(s-box based on inversion in GF(28))

2. ShiftRows: For i=0,1,2,3: Rotate left row i by i pos.



ShiftRows: transposition step, each row shifted cyclically a certain number of steps.



AES round:



3. MixColumns: Multiply each column to fixed matrix (over GF(28))



MixColumns: multiplication of columns by 4x4 matrix; mixing operating on columns combining four bytes in each column using a linear transformation.



AES round:



3. MixColumns: Multiply each column to fixed matrix (over GF(28)) Ai(3)

4. AddRoundKey:

• Ai+1 Ai(3) Ki

• Ki = i-th round key derived from 128-bit key K



AddRoundKey: XOR state with round key; round key derived from the key by explicit key schedule


Performance of DES+AES

Stream

ciphers

Block

ciphers


Using BC: Electronic Codebook

1. Electronic Codebook (ECB)Intuitive but naïve way (how not to do it)


m1 m2

c1 c2

EKEK

...

...

EK

...

...

EK

ml

cl

EK

ECB Reveals Patterns


ECB Encryption

Other mode of operation

Self-synchronization of ECB

Electronic Codebook (ECB)

- At least self-synchronizing (if block length are tolerated)


c1 c2

m1 m2

DKDK

...

...

DK

...

...

DK

cl

ml

DK

= Failure of 1 bit

= Failure of complete block

Using BC: Cipherblock Chaining

Cipherblock Chaining (CBC)

- Very often used, but main problem: Sequential

- Initial value randomly chosen and output as well

- Self-synchronizing after two blocks (if block length ok)


m1

E(K,×)

+IV

c1

m2

E(K,×)

+

c2

c1

D(K,×)

+IV

m1

c2

D(K,×)

+

m2

Using BC: Cipher Feedback

Cipher Feedback (CFB)

- CFB similar to stream ciphers

- Also self-synchronizing after two blocks (if block length ok)

- Note: No need for decryption operation here


m1 m2

c1 c2

E(K,×) E(K,×)+

IV

+

c1 c2

m1 m2

E(K,×) E(K,×)+

IV

+

Using BC: Output Feedback

Output Feedback (OFB)

- OFB similar to stream ciphers as well

- Strongly self-synchonizing (but loss of bits dramatical)



m1

E(K,×)

+

IV

c1

E(K,×)

m2

+

c2

E(K,×)

c1

E(K,×)

+

IV

m1

E(K,×)

c2

+

m2

E(K,×)

Using BC: Countermode

Countermode (CTR)

- Countermode similar to stream ciphers

- Note: Ok to use the same key for multiple messages if random IV (randCTR), for fixed IV (detCTR: IV=0) only one-time key usage


- Later: Better security than CBC


m1

+

IV

c1

m2

+

c2

IV+1 IV+2

E(K,×) E(K,×) c1

+

IV

m1

c2

+

m2

IV+1 IV+2

E(K,×) E(K,×)

Lecture Summary

Blockciphers

• Review of DES




MACs and Hashes


• Hash Functions





Message Integrity

Goal of message integrity:

Alice generates tag 𝑡 for message 𝑚, Bob verifies tag

Goal: Attacker cannot change message, i.e., attacker cannot generate any valid pair (𝑚, 𝑡)

41

AddMAC

Plaintext

Verify

Key KeyPlaintextwith MAC

Plaintext

Alice Bob

Introduction to Cybersecurity 2016/17

Definition of MACs

42

Definition: Message Authentication Codes

A message authentication code with message space ℳ and tag space 𝒯 is a triple of algorithms (𝐾, 𝑆, 𝑉) with the following properties:

The randomized key generation algorithm 𝐾 takes no input and returns a key 𝑘.

The (often randomized) signing algorithm 𝑆 takes a key 𝑘 ∈ [𝐾] and a message 𝑚 ∈ ℳ and returns a tag 𝑡 ∈ 𝒯.

The deterministic verification algorithm 𝑉 takes a key 𝑘 ∈ [𝐾], a message 𝑚 ∈ ℳ and a tag 𝑡 ∈ 𝒯 and returns a bit 𝑏 ∈ 0,1 .

Correctness:

The above algorithms have to satisfy the following property: For any key 𝑘 ∈ [𝐾], any message 𝑚 ∈ ℳ, and any tag𝑡 ∈ [𝑆 𝑘,𝑚 ], we have that 𝑉 𝑘,𝑚, 𝑡 = 1.


From small MACs to big MACs

Question: Given a small MAC, how to build a big MAC?

CBC-MAC:

Banking

ANSI X9.9, X9.19

ISO

FIPS 186-3

HMAC:

Internet: SSL, IPSec, SSHv2

43

512 bit 100 MB

MAC MAC


Let 𝐸:𝒦 × 𝒳 → 𝒴 be an encryption function

Define CBC-MAC 𝐼𝐸 as follows:

𝐼𝐸 is a function from 𝒦2 ×𝒳 𝐿 → 𝒴

44

(Encrypted) CBC-MAC

𝑚1 𝑚2 𝑚3 𝑚4

𝐸(𝑘1,⋅) 𝐸(𝑘1,⋅) 𝐸(𝑘1,⋅) 𝐸(𝑘1,⋅)

𝐸(𝑘2,⋅)


Why the last encryption?

Raw CBC-MAC is an insecure MAC!

Chosen-message attack:

1. Adv. picks random one-block-lengthmessage 𝑚 ∈ 𝒳𝑛

2. Adv. requests tag (MAC) for message 𝑚and gets 𝑡 ≔ 𝐸 𝑘,𝑚

3. Adv. outputs 𝑡 as MAC forgery on two-block-lengthmessage (𝑚 ǁ 𝑡𝑚)

45

Raw CBC-MAC

Raw CBC-MAC

𝑚1 𝑚2 𝑚3 𝑚4

𝐸(𝑘1,⋅) 𝐸(𝑘1,⋅) 𝐸(𝑘1,⋅) 𝐸(𝑘1,⋅)

𝐸(𝑘2,⋅)


On Raw CBC-MAC

Claim: The tag 𝑡 is really an existential forgery against Raw CBC-MAC. We have

CBC−MAC 𝑘,𝑚 = 𝐸 𝑘,𝑚 = 𝑡

and:

CBC−MAC 𝑘, 𝑚 ǁ 𝑡𝑚

= 𝐸 𝑘, 𝐸 𝑘,𝑚 𝑡𝑚

= 𝐸 𝑘, 𝑡 𝑡𝑚

= 𝐸 𝑘,𝑚= 𝑡

Note: Raw CBC-MAC is secure for fixed message size

Prepending message length also works, but not elegant


Examples of MACs

Popular example: CBC-MAC, used by banks, etc., sequential not discussed here (see lecture notes if you’re curious!)

Now: HMAC, used in lots of Internet protocols, incremental

First: Hash functions and collision resistance

47

HTTP IMAP FTP LDAP

SSL or TLS


Hash Functions

Let 𝐻:ℳ → 𝒯 be a hash function (non-keyed)(often 𝐻: 0,1 ∗ → 0,1 𝑛)

A collision for 𝐻 is a tuple (𝑚1, 𝑚2) with

𝐻 𝑚1 = 𝐻 𝑚2 ∧ 𝑚1 ≠ 𝑚2

Remark: Defining that “no efficient adversary exists that finds a collision” cannot be fulfilled


Definition: Collision Resistant Hash Function (CRHF)A hash function 𝐻 is collision resistant if no “efficient” algorithm is known that finds a collision for 𝐻 in suitable time.

Examples of CRHFs

Used to have lots of CRHFs examples

Broken:

MD5 (broken): 128-bits digest, 335 MB/s

SHA-1 (broken): 160-bits digest, 192 MB/s

Not only nonsensical collisions for MD5 but selective ones.

Currently still available

SHA-2 family, e.g. SHA-256: 256-bits digest, 139 MB/s

Whirlpool (AES): 512-bits digest, 37.8 MB/s

SHA-3 family, e.g. SHA3-256: 256-bits digest, 177 MB/s

How to build collision-resistant hash functions?


Birthday Paradox

Let 𝑟1, … , 𝑟𝑛 ∈ {1,… , 𝐵} be independently randomly chosen integers.

Theorem: Pr ∃𝑖 ≠ 𝑗: 𝑟𝑖 = 𝑟𝑗 = 1 −𝑛!⋅ 𝐵

𝑛

𝐵𝑛≈ 1 − 𝑒−𝑛(𝑛−1)/(2⋅𝐵)

In particular, if 𝑛 > 1.2 ⋅ 𝐵 then

Pr ∃𝑖 ≠ 𝑗: 𝑟𝑖 = 𝑟𝑗 ≥1


Students in classroom (= n) Probability of collision (B = 365)

5 2.7%

10 11.7%

20 41.1%

23 50.7%

30 70.6%

40 89.1%

70 99.9%

Generic attacks on CRHFs

Consequence: If hash output was 64 bits, i.e.,𝐻: 0,1 ∗ → 0,1 64

then the generic attack takes time only 232.

Typical hash output is 160 bit (SHA1) or 256 bit (SHA-256, SHA3-256) generic attack takes time 280 or 2128, respectively.

Best attack on SHA-1: estimated time 261 beats generic attack cost estimate $2.77M to break a single hash value by renting CPU power from cloud servers! (only $43K by 2021)


Constructing CRHFs

53

Merkle-Damgård (iterated construction)

𝑝𝑎𝑑 is the padding function (injective)

𝑓: 0,1 𝑘 × 0,1 𝑛 → 0,1 𝑛 is the compression function.

ℎ𝑖 are called chaining variables

𝐼𝑉 is the initial value

Message 𝑚

Padding 𝑝𝑎𝑑

Block 𝑏2 Block 𝑏3 Block 𝑏4Block 𝑏1Block 𝑏0

𝑓 𝑓 𝑓 𝑓 𝑓ℎ1 ℎ2 ℎ3 ℎ4ℎ0𝐼𝑉 Hash ℎ


Padding function 𝑝𝑎𝑑 encodes length of 𝑚 in last block 𝑏𝑙𝑎𝑠𝑡:

such that 𝑏𝑙𝑎𝑠𝑡 is in 0,1 𝑘

Called Merkle-Damgård strengthening


Padding for Merkle-Damgård

1000....................0 |𝑚|

64 bits

Theorem: Collision-resistance of Merkle-DamgårdIf compression function 𝑓 is collision-resistant, then the (strengthened) Merkle-Damgård construction 𝑀𝐷 is also collision-resistant.

Collision-resistance of Merkle-Damgård

Proof idea: show that breaking 𝑀𝐷 implies breaking 𝑓 (by induction).Assume 𝑀𝐷 𝑚 = 𝑀𝐷 𝑚′ , 𝑝𝑎𝑑 𝑚 = 𝑏0, … , 𝑏𝑙 and 𝑝𝑎𝑑 𝑚′ = 𝑏0′, … , 𝑏𝑙′.


Theorem: Collision-resistance of Merkle-DamgårdIf compression function 𝑓 is collision-resistant, then the (strengthened) Merkle-Damgård construction 𝑀𝐷 is also collision-resistant.

Corollary: To build a collision-resistant hash function, we only need to build a (small) collision-resistant compression function!

Block 𝑏2/𝑏2′ Block 𝑏3/𝑏3′ Block 𝑏4/𝑏4′Block 𝑏1/𝑏1′Block 𝑏0/𝑏0′

𝑓 𝑓 𝑓 𝑓 𝑓ℎ1 ℎ2 ℎ3 ℎ4ℎ0𝐼𝑉 Hash ℎ

2 Options:

1. (𝒉𝒊, 𝒃𝒊) ≠ (𝒉𝒊′, 𝒃𝒊′)→ found collision for f

2. (𝒉𝒊, 𝒃𝒊) = (𝒉𝒊′, 𝒃𝒊′)→ we can iterate

Hence: either both inputs are the same, or we find a collision for f!

More on this in core lecture!

ℎ0′ ℎ1′ ℎ2′ ℎ3′ ℎ4′

Examples

SHA-2: MD hash function using a Davies-Meyer compression function based on a cipher called SHACAL-2

Whirlpool: MD hash function using a Miyaguchi-Preneel compression function using a cipher called W (derived from AES)

SHA-3: sponge construction (more complex), but could be seen as chop-MD hash function (i.e., MD with a non-trivial number of bits chopped off the final hash value) with custom permutation-based compression function.


MACs from Hash Functions

Given MD hash function 𝐻:ℳ → 𝒯

Construction attempt:

𝑆 𝑘,𝑚 = 𝐻(𝑘 ∥ 𝑚)

Bad idea…

Construction attempt:

𝑆 𝑘,𝑚 = 𝐻(𝑚 ∥ 𝑘)

“Bad” idea in general but for a different reason…

(At least secure if 𝐻 is CRHF and comp. func. 𝑓 is a PRF)

Construction attempt (envelope method):

𝑆 𝑘1, 𝑘2 , 𝑚 = 𝐻(𝑘1 ∥ 𝑚 ∥ 𝑘2)

Secure if 𝑓 is a PRF (not often used in practice)


MACs from Hash Functions

Recommended method in practice: HMAC

𝑆 𝑘,𝑚 = 𝐻(𝑘opad ∥ 𝐻 𝑘ipad ∥ 𝑚 )

TLS 1.2: implementations must support HMAC–SHA1 (mandatory), HMAC–SHA256 (or stronger) is recommended.


Theorem: Strong unforgeability of HMACIf (sequence of) compression function(s) 𝑓(𝑥, 𝑦) is a secure PRF (when either input is used as the key), then HMAC is a strongly unforgeable MAC.

Lecture Summary

Blockciphers

• Review of DES




MACs and Hashes


• Hash Functions





Documents

Introduction to Cybersecurity Cryptography (Part 3) · 2016-12-16 · Cryptography (Part 3) Prof. Dr. Michael Backes. Lecture Summary Blockciphers • Review of DES • Attacks on