1
Symmetric Key Crypto
Alfred C. WeaverTom Horton
CS453 Electronic Commerce
2
Readings: Chapter 13 of our textbook Web resources
Weaver’s References Bruce Schneier, “Applied Cryptography,” John
Wiley & Sons Andrew Tanenbaum, “Computer Networks,”
Prentice-Hall Jim Kurose and Keith Ross, “Computer
Networking,” Addison-Wesley
3
Symmetric Key Encryption
PlaintextOriginalPlaintextEncryption DecryptionCiphertext
Encryption Key
Decryption Key
4
Evaluating SKC
How do you break this strategy? What’s the risk?
Odd question for the moment: Is this the strategy we want for encrypting passwords for authentication?
5
Answers
Question 1: How do you break this strategy? What’s the risk? Answer: Attack the key! Can you guess it? Find it?
Question 2: Is this the strategy we want for encrypting passwords for authentication? Answer: No. Use a one-way hash to convert plain-text to
cipher-text. Store cipher-text on system. At authentication, hash what the user types and compare two cipher-texts for match.
How to attack? Same as above.
6
Topics
What are some major (historical) SKC algorithms? DES, Triple-DES, IDEA, RC4, AES How do they work? (Hmm.) Where do they stand? How do they fit into larger systems?
7
Data Encryption Standard
Government requested white papers on proposed cryptographic standard in early 1970s
IBM responded with a clever design NSA approved (and changed) the design NBS (now NIST) certified the design in 1976
as Data Encryption Standard (DES) Recertified in 1987 and 1993 World’s most commonly used algorithm
8
DES Iterated block cipher with 56-bit key
(although 64 are specified, 8 are parity) Iterated
multiple repetitions of basic algorithm DES uses 16 rounds
Block cipher encrypts fixed-size data groups DES uses 8-byte (64-bit) blocks data divided into 64-bit chunks
Key space 256 keys ~= 72 x 1015 possible keys
9
DES
Uses a combination of confusion and diffusion every bit of the key (56 bits) and every bit of the plaintext
(64 bits) affects every bit of the ciphertext (64 bits) key is shifted and massaged each round to produce a
subkey plaintext is permuted, shifted, selected, and massaged
against a permuted, shifted, and selected subkey 16 times each 64-bit plaintext produces a 64-bit ciphertext
10
DESPlaintext
Permutation
L0 R0
f
L1 = R0 R1 = L0 f (R0,K1)
L16 = R15 R16 = L15 f (R15,K16)
Permutation
Ciphertext
+
…..
oneround
K1
11
DES
1. Plaintext enters as 64-bit block 2. Bits are permuted and divided into left-
hand side (L0) and right-hand side (R0) 3. Repeat 16 rounds of encryption:
(a) Key from previous round is divided into two 28-bit halves
(b) Each half of key is shifted and subjected to a compression permutation that selects 48 of the 56 bits for propagation into the next round
12
DES
(c) Right-hand side Ri from previous round subjected to expansion permutation that increases 32 bits into 48 bits by selective repetition of certain bits
(d) Expanded, permuted right-hand side Ri is
exclusive-ORed with shifted, compressed key (e) Result goes through substitution box that
moves the bits around and expands 32 bits into 48 bits temporarily
13
DES
(f) Temporary result goes through a permutation box that moves bits around and reduces 48 bits to 32 bits
(g) Left-hand side is exclusive-ORed with output of permutation box to produce a new right-hand side
(h) New left-hand side is copied from right-hand side of previous round
14
DES
At the end of 16 rounds 64-bit result permuted once more Final 64-bit ciphertext emitted
Note: no security due to secrecy—the algorithm has been published and studied extensively since 1975
All the security is in the key
15
DES Decryption
Use the ciphertext as the plaintext Use same initial key Run the algorithm backwards through 16
rounds, using subkeys in reverse order K16, K15, …, K1
DES outputs the plaintext Many companies now offer DES on a chip so
it runs at wire speed
16
17
DES Implementation
Java implementation of DES available at http://intercom.virginia.edu/crypto/crypto.html
18
A Brief IBM / NSA History
IBM needed crypto for ATM Idea began as Lucifer with 128-bit key IBM needed an export license NSA agreed to vet the algorithm NSA probably changed the S-boxes NSA told IBM to reduce the key size IBM agreed to 64 bits Production reduced it to 56 bits plus parity IBM got its export license
19
Security of DES
DES started in 1976 It was secure then – but not now Jan. 1997: RSA Data Security issued a
cryptographic challenge Research project DESCHALL used distributed
computing (14,000 unique computers over 3 months) to crack DES with 56-bit key
http://www.interhack.net/projects/deschall/
At its peak, DESCHALL was testing 7 billion keys/second
20
Security of DES
July 1998: DES Challenge II Electronic Frontier Foundation (EFF) built a DES
code-cracker for $250k Cracked DES in 3 days Jan. 1999: DES Challenge III Distributed.Net used EFF DES cracker plus
100,000 PCs on the Internet to crack DES in 22 hours 15 min.
Testing 245 billion keys/sec when key was found
21
Security of DES
Reported in late 90s that DES could be cracked “in a few hours” (presumably by NSA)
Reasonable to assume that DES can now be cracked very quickly with special hardware and/or a distributed approach
22
Weak Keys
Some 56-bit keys are known to be weak 0000000 0000000 0000000 FFFFFFF FFFFFFF 0000000 FFFFFFF FFFFFFF
Repeating bits do not “stir” well when shifted Also some “possibly weak” keys, but these
are identified in the literature so don’t use them
23
Triple-DES
Triple-DES invented to boost security Uses three separate encryption and
decryption cycles with two or three unique keys
Two unique keys gives 2x56=112 bit protection
Three unique keys gives 3x56=168 bit protection
24
Triple-DES
DES
Plaintext Ciphertext
DES
DES-1 DES-
1
DES
Key-1 Key-2 Key-3
DES-1
25
Triple-DES with Three Unique Keys
Sender: Encrypt with Key-1 Decrypt with Key-2 (decryption has same
scrambling power as encryption) Encrypt with Key-3
Receiver: Decrypt with Key-3 Encrypt with Key-2 Decrypt with Key-1
Power: 56x3=168 bit key
26
Triple-DES with Two Unique Keys
Sender: Encrypt with Key-1 Decrypt with Key-2 Encrypt with Key-1 again
Receiver: Decrypt with Key-1 Encrypt with Key-2 Decrypt with Key-1
Power: 56x2=112 bit key
27
Triple-DES with One Unique Key
Sender: Encrypt with Key-1 Decrypt with Key-1 Encrypt with Key-1
Receiver: Decrypt with Key-1 Encrypt with Key-1 Decrypt with Key-1
Power: 56 bit key (exactly equal to DES)
28
Triple-DES Why use three unique keys instead of one?
that’s easy! power of 168-bit key vs. 56-bit key many, many, many orders of magnitude harder to crack than DES
Why use two keys instead of one? power of 112-bit key vs. 56-bit key many orders of magnitude harder to crack than DES two keys (112 bits) easier to manage than three (doubtful) 112-bit key is fairly secure today
Why use one key instead of two or three? setting key1=key2=key3 makes 3DES interoperate with DES of course the power is just one 56-bit key only use would be for backward compatibility
29
Security of DES and Triple-DES
Is DES suitable for commercial transactions? today the answer is no nevertheless it is in daily, wide-spread use
Triple-DES very robust, very well suited to commercial activities
30
IDEA
International Data Encryption Algorithm proposed 1992 symmetric-key, 128 bits 64-bit blocks similar in design, but different in detail, from DES
31
IDEA
Design philosophy is “mixing operations from three algebraic groups” XOR Addition modulo 216
Multiplication modulo 216 + 1 (substitutes for DES S-box)
About twice as fast as DES Used in PGP Very strong symmetric key encryption
algorithm
32
AES
NIST held a competition to replace DES Five serious entries, including 3DES Winner was Rijndael (pronounced “Rhine-
doll”) from two co-inventors in Belgium AES is a 128-, 192-, or 256-bit block cipher Uses 128, 192, or 256 bit symmetric keys AES uses an affine transformation with a
non-linear substitution box
33
AES
3.4 x 1038 128-bit keys 6.2 x 1057 192-bit keys 1.1 x 1077 256-bit keys Compare those to DES’s 56-bit key with 7.2 x 1016
keys Assume you could crack DES (i.e., full search of a
56-bit key space) in one second Then cracking AES with a 128-bit key would take
149 trillion years The universe is ~14 billion years old
34
AES
AES is the way of the future Threats:
backdoor? (probably not) massive distributed computation quantum computing something we've not thought of
35
Others
RC4 Developed by Ron Rivest Will pop up in discussions of RSA, SSL
Blowfish Developed by Bruce Schneier Free, fast Variable length key
36
Summary and What’s Next
A set of historical algorithms Culminating in AES DES illustrates some of the controversies and
social issues inherent in cryptography PGP too
Weakness Keys must be shared
An alternative Public Key Encryption, possibly combined with
SKC