Stephen Kleene

Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


DESCRIPTION

Second session in Applied Cryptography course held at AMC Theater in Tyson's Corner (http://www.mightbeevil.com/crypto). Topics: generating keys for symmetric ciphers (randomness); cipher modes; using symmetric ciphers for authentication; password management.


Page 2: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Microstrategy Course, 11 October 2013

Engineering Cryptographic Applications

Day 2: Using (and Misusing) Symmetric Ciphers

David Evans, University of Virginia, www.cs.virginia.edu/evans

Page 3: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Engineering Crypto Applications 3

Recap: Symmetric Encryption

[Diagram: Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext]

Correctness property: for all possible messages m, D(E(m)) = m

Security property: given c = E(m), it is “hard” to learn anything interesting about m.

“hard” = if correctly implemented and used, even the NSA can’t do it unless they have made dozens of theoretical breakthroughs or have energy comparable to trillions of massive nuclear explosions


Page 5: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Today: Using Symmetric Encryption

1. How to generate a good (unpredictable) key: randomness

2. How to use symmetric encryption to do more interesting things than just send one block: building an encrypted file server

Page 6: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


Generating Randomness


Page 8: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


01011000011110110000111011101000000001110110000000111011011001011111001101111001000001110000001110111000000011101010010001010000010100001001110111011111111001100010110101000000100110011100011000001101010000111001011001101110101111110110000010010111011010000000110110110011101100100101101001110111110100010001100011011000110001001101001010001110101000010010101001010100110001011000010000000001100010110111111010010100101000110011010110011101011001111001000000101111

01011010011010110000111011101010001001110110001000111011011001011011001101101001001001110010001110111001000011101010010001010100010100001001110111011010111001100010110101010000100110011100011001001101010000111001011001101110101110110110100010010111011010010000110110110011101100100101101001110110110100010001100011011000110001001101001010001110101000010010101001010100110001011000010010001001100010110110111010010100101000110011010110011101011001101001000100101111

Which is random?

First sequence: C1 from Puzzle Challenge (message Crypto.Random)

Second sequence: C1 with sequences of 5 or more repeated symbols modified


Page 10: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Which is random?

Source of images: http://boallen.com/random-numbers.html

PHP rand() (on Windows)

random.org (atmospheric noise)

Which should you use to generate cryptographic keys?

Page 11: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Defining Non-Randomness

If you can find any predictable patterns in the sequence, it is definitely not random.

“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.”

Supreme Court Justice Potter Stewart (on pornography)

Page 12: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Defining Randomness

Андрей Колмогоров (Andrey Kolmogorov, 1903-1987)

For a sequence s, its Kolmogorov Complexity K(s) = the length of the shortest description of s

A sequence s is random if K(s) = |s| + C

(This is a somewhat informal version. A real definition would need to be more careful about stating this asymptotically.)

“He was to probability theory what Euclid was to geometry.” (Peter Lax)


Page 15: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Kolmogorov Complexities

s = 000000000000000…
description = “N repeated 0s”
K(s) = log |s| + C1 < |s| + C

t = 010011000111000011110000011111…
description = “
    t = ""; int i, j;
    for (i = 1; i < N; i++) {
        for (j = 0; j < i; j++) t += '0';
        for (j = 0; j < i; j++) t += '1';
    }
”
K(s) = log |s| + C1 < |s| + C

Page 16: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Kolmogorov Complexities

r = 010110000111101100001110111010000000011101100000001110110110010111110011011110010000011100000011101110000000111010100100010100000101000010011101110111111110011000101…

description = "
    from Crypto.Random import random
    def random_sequence(n): return map(lambda x: random.choice([0, 1]), range(n))
" and state of random module (and any entropy added during generation)

Hmmm…maybe answer from earlier slide was wrong!


Page 18: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

If your mind isn’t blown yet…

What is the smallest natural number that cannot be described in eleven words?

“The smallest natural number that cannot be described in eleven words.” (words counted on the slide: 1 2 3 4 5 6 7 8 9 10 11)

Page 19: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Randomness is Essential

• Kolmogorov provides a definition of randomness but not a “useful” one: computing K(s) for an arbitrary s is undecidable (not just hard, theoretically impossible)

• Impossible for a program to generate true randomness: a program can generate a sequence longer than itself, so the program is a shorter description of that sequence

• There are physical sources of randomness (or near randomness): quantum events, radioactive decay, thermal noise, lava lamps, key presses

Page 20: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Amplifying Physical Randomness

Pseudo-Random Number Generator

k = f(physical randomness)

[Diagram: AES keyed with k encrypts the inputs 0, 1, 2, 3, …; each AES result is a block of output.]

Every once in a while, compute a new k using new physical randomness.
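The Kolmogorov slides and the generator above, as an added example that is not part of the original slides: zlib output serves as a computable upper bound on K(s), and SHA-256 stands in for AES in the counter-mode generator so that only the standard library is needed. The names compressed_bits, CounterPRNG and compare, and the demo key, are this example's own.

```python
import hashlib
import os
import zlib

def compressed_bits(symbols: str) -> int:
    """Size in bits of one concrete description of `symbols` (its zlib output).

    A compressor only gives an UPPER bound on K(s); K itself is uncomputable.
    """
    return 8 * len(zlib.compress(symbols.encode("ascii"), 9))

def repeated_zeros(n: int) -> str:
    """The slides' s = 000000..."""
    return "0" * n

def growing_runs(n: int) -> str:
    """The slides' t = 01 0011 000111 ..., cut to n symbols."""
    parts, total, i = [], 0, 1
    while total < n:
        parts.append("0" * i + "1" * i)
        total += 2 * i
        i += 1
    return "".join(parts)[:n]

class CounterPRNG:
    """Counter-mode generator shaped like the slide: output_i = F_k(i).

    Assumption: F is SHA-256(k || i), standing in for AES_k(i).
    """
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def reseed(self, fresh: bytes) -> None:
        """Compute a new k from the old k and fresh physical randomness."""
        self.key = hashlib.sha256(self.key + fresh).digest()
        self.counter = 0

    def bits(self, n: int) -> str:
        out = []
        while 256 * len(out) < n:
            ctr = self.counter.to_bytes(8, "big")
            block = hashlib.sha256(self.key + ctr).digest()
            out.append("".join(f"{byte:08b}" for byte in block))
            self.counter += 1
        return "".join(out)[:n]

def compare(n: int = 65536, key: bytes = b"constructed-demo-key") -> dict:
    """Compressed size in bits of each n-symbol sequence."""
    return {
        "zeros": compressed_bits(repeated_zeros(n)),
        "growing_runs": compressed_bits(growing_runs(n)),
        "prng": compressed_bits(CounterPRNG(key).bits(n)),
    }

if __name__ == "__main__":
    n = 65536
    for name, bits in compare(n).items():
        print(f"{name:13s} {bits:6d} bits to describe {n} symbols")
    # The prng row does not compress, yet its true description is tiny:
    # this source file plus the short key. A guessable key means a
    # predictable stream, so the key must come from the OS entropy pool.
    print(CounterPRNG(os.urandom(16)).bits(64))
```

No statistical or compression test separates the generator's output from physical randomness here, which is the slides' point: what has to be unpredictable is k.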

Page 21: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

NIST SP 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2006)

Page 22: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Dual-EC PRNG

Update Internal State

s_0 = physical randomness
s_{i+1} = φ(s_i × P)

P and Q are points on an elliptic curve

Generate Output Bits

r_i = φ(s_i × Q)
16 least significant bits of r_i’s x-coordinate

Page 23: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Elliptic Curves

y^2 = x^3 - 7 (mod p)

Addition: P + Q = intersection of curve with line through P and Q

Multiplication: repeated addition
kP = P + P + … + P

Discrete values: x and y are integers!

Elliptic Curves are primarily used in asymmetric crypto – but also in Dual EC PRNG

Page 24: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Elliptic Curves

y^2 = x^3 - 7 (mod p)

Addition: P + Q = negate intersection of curve with line through P and Q

Multiplication: repeated addition
kP = P + P + … + P

Discrete values: x and y are integers!

[Diagram: the points P, Q and P + Q on the curve]

Page 25: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Elliptic Curves

Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.

y^2 = x^3 - 7 (mod p)

P + Q = point on curve where line PQ intersects
kP = P + P + … + P (multiplication is just repeated addition)

Page 26: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Curve Used by Dual-EC PRNG

NIST P-256: y^2 = x^3 + ax + b (mod p)
p = 2^256 − 2^224 + 2^192 + 2^96 − 1
a = p − 3 = 115792089210356248762697446949407573530086143415290314195533631308867097853948
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291

Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.

Page 27: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Why would anyone use Elliptic Curves as basis for PRNG?

• Easier to plant a back-door in it than designs based on symmetric ciphers

• Can be used to provide provable security properties based on number theory
  – But not done for Dual EC PRNG

Page 28: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Dual-EC PRNG Proposed as NIST standard (2005)

Update Internal State

s_0 = randomness
s_{i+1} = φ(s_i × P)

P and Q are (random?) points on P-256.

Generate Output Bits

r_i = φ(s_i × Q)
16 least significant bits of r_i’s x-coordinate

Page 29: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


OpenSSL-FIPS Implementation (using NIST P and Q values)

Image credit: Matthew Green

Page 30: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


“Rump session” talk at CRYPTO 2007:

You can choose Q such that: Q = dP
then, it is easy to find e such that: P = eQ
and then easy to learn state of PRNG from just one output!
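Why the provenance of P and Q matters to anyone deploying this generator, worked through on a toy curve as an added example (not from the slides and not from any real implementation). Assumptions: the slides' curve y^2 = x^3 - 7 over the small prime 10007 instead of P-256, a constructed secret d, and the whole x-coordinate as output with nothing truncated.

```python
from math import gcd

P_MOD = 10007  # toy prime with P_MOD % 4 == 3 (assumption; the real curve is P-256)

def add(a, b):
    """Add two points of y^2 = x^3 - 7 (mod P_MOD); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """kP by double-and-add (the slides' repeated addition)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """A curve point with this x-coordinate, or None if there is none."""
    rhs = (x * x * x - 7) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # square root, valid since p % 4 == 3
    return (x, y) if y * y % P_MOD == rhs else None

def order(pt):
    """Smallest n > 0 with n * pt = infinity (brute force; fine for a toy curve)."""
    n, acc = 1, pt
    while acc is not None:
        acc = add(acc, pt)
        n += 1
    return n

# Public constants. Whoever publishes them can pick Q = dP and keep d.
P = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt and order(pt) > 1000)
N = order(P)
D = next(d for d in range(N // 3, N) if gcd(d, N) == 1)  # constructed secret
Q = mul(D, P)
E = pow(D, -1, N)  # e with P = eQ; easy only for someone who knows d

def generate(seed, count):
    """s_{i+1} = phi(s_i x P), r_i = phi(s_i x Q), with phi = x-coordinate."""
    s, outputs = seed, []
    for _ in range(count):
        r, nxt = mul(s, Q), mul(s, P)
        outputs.append(r[0] if r else None)
        s = nxt[0] if nxt else 0
    return outputs

def predict_with_d(r, count):
    """From one output r_i, recover s_{i+1} and reproduce every later output."""
    R = lift_x(r)              # +/- s_i Q; the sign does not change x below
    next_state = mul(E, R)[0]  # e(s_i Q) = s_i (eQ) = s_i P, whose x is s_{i+1}
    return generate(next_state, count)

if __name__ == "__main__":
    outs = generate(seed=4242, count=5)
    print("generator :", outs[1:])
    print("with d    :", predict_with_d(outs[0], 4))
```

Without d, going from Q back to P is the elliptic curve discrete logarithm problem, so a user of the constants cannot tell whether such a d exists unless P and Q were generated verifiably.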

Page 31: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


Shumow and Ferguson’s conclusion:

Page 32: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

2013 Intelligence Budget Request

Snowden Leak (5 September 2013): 2013 Intelligence Budget Request ($250M)

Page 33: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

September 2013

Page 36: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Randomness Summary

• All cryptosystems depend on randomness
• No way to test if a value is really random
• Physical randomness is limited: need algorithms to amplify physical randomness
• If your pseudorandom numbers are predictable, all is (almost always) lost

Page 37: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Building an Encrypted File System

Page 38: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Scenario

• Documents about plan to overthrow government stored on (easily-stolen) device

• Password/biometric-protected (assume that works, for now)

Data should not be readable to someone who steals the device and can physically extract its non-volatile (flash) storage

Page 39: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Electronic Codebook Mode

[Diagram: declaration.txt is divided into 128-bit blocks (block 1, block 2, block 3, block 4, …, block n-1, block n). Encrypt each block with k: every plaintext block goes through AES under key k to give the corresponding ciphertext block.]

Page 40: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Electronic Codebook Mode

If two blocks have the same plaintext, with ECB they have the same ciphertext!

Page 41: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Block Size

128 bits = 16 bytes

"Benjamin Frankli" (16 characters)

declaration.txt

pennsylvannians.txt

Mail

Almanack

Page 42: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Time-Space Tradeoffs

No-memory brute force attack:

[Diagram: known crib → AES → known ciphertext]

Try all keys until you find one that fits

Memory: 0
Time: 2^127 encryptions (1T nuclear mega-bombs)

Page 43: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Time-Space Tradeoffs

No-time (not) brute force attack:

Pre-compute table:

key        AES_key(crib)
000…000    4d7b9328a582c
000…001    7ebc5137da5ff2
…          …

sort by ciphertext

Break intercepted ciphertext message: one table lookup!

Time: 1
Memory: 2^132 bytes
~$2 Decillion (10^33)

Page 44: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Combination: Rainbow Tables

Precompute:

[Diagram: rows of chains of the form known crib → AES → ciphertext 1 → AES → … → AES → ciphertext 2^64, with the label “Only store these:” marking part of each chain]

Won’t quite work like this for AES, but with some more tricks.

Time: 2^64

Memory: 2^68 bytes (~$137 Trillion)


Page 46: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


NSA Meltdown?

“Experts estimate the new center in Utah can store data by the exabyte or zettabyte.” (Actual amount is highly classified.)

Page 47: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Cipher Block Chaining Mode (CBC)

[Diagram: each plaintext block is combined with the previous ciphertext block (the Initialization Vector for block 1) and then encrypted with AES under key k, giving ciphertext blocks 1 to 4.]

Page 48: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Cipher Block Chaining Mode

+ Avoids leaking repeated plaintexts
− Cannot encrypt in parallel

Page 49: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Counter Mode (CTR)

[Diagram: for each block, AES under key k takes the Nonce together with a Counter (00000000 for block 1, 00000001 for block 2); the result is combined with the plaintext block to give the ciphertext block.]

Increase counter for each block

Page 50: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Counter Mode (CTR)

+ Avoids leaking repeated plaintexts
+ Can encrypt and decrypt in parallel
⁇ Systematic input

Page 51: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


How should our young subversive store master key k and (per-file) nonces?

Page 52: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Storing the Key (?)

[Diagram: k is encrypted with AES, keyed by a Human-Remembered 4-Digit PIN (0704), to give the stored encrypted k]

Page 53: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Maybe this could work with a tamper-proof device?

Page 54: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


R2B2: $200 robot that can try all 10000 four-digit PINs in < 20 hours

Page 55: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Higher Entropy Passwords

[Diagram: k is encrypted with AES, keyed by a Human-Remembered Long Password (44 bits of entropy), to give the stored encrypted k]

Page 56: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Scaling Work

[Diagram: k is encrypted with AES repeated 1000 times (1000x), keyed by a Human-Remembered Long Password (44 bits of entropy), to give the stored encrypted k]

Page 57: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Scaling Work

Time for one AES: 10 ms
Time for 2^44 AESs: 5000 years (or 2 days with 1Mx computing power)

Time for 1000x AES: 10 s
Time for 2^44 1000x AES: 5M years

Page 58: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


Scaling to a Web Service

Page 59: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


http://epetitions.direct.gov.uk/

Page 60: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


http://petitions.whitehouse.gov

Page 61: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Early Password Schemes

UserID      Password
benf        flyakite
samadams    beer
tj          Monti07cello04
…           …

Login: tj
Password: wahoo
Failed login. Guess again.

authentication check: guess == users[userID].password

Page 62: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Early Password Schemes

FAIL: someone who gets password file learns all passwords

Page 63: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Encrypted Passwords Scheme

Master key K
Store passwords encrypted using K

UserID      Password
benf        AES_K(flyakite)
samadams    AES_K(beer)
tj          AES_K(Monti07cello04)
…           …

authentication check: AES_K(guess) == users[userID].password

Page 64: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Encrypted Passwords Scheme

FAIL: someone who gets password file and K learns all passwords

Page 65: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Hashed Passwords Scheme

Store passwords by using them as key to encrypt 0

UserID      Password
benf        AES_flyakite(0)
samadams    AES_beer(0)
tj          AES_Monti07cello04(0)
…           …

authentication check: AES_guess(0) == users[userID].password

Page 66: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Hashed Passwords Scheme

Master key K
Store passwords by using them to encrypt K

UserID      Password
benf        AES_flyakite(K)
samadams    AES_beer(K)
tj          AES_Monti07cello04(K)
…           …

authentication check: AES_guess(K) == users[userID].password

FAIL

Page 67: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers


“If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.

Page 68: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

At Least 86% of users are dumb

Single ASCII character             0.5%
Two characters                     2%
Three characters                   14%
Four alphabetic letters            14%
Five same-case letters             21%
Six lowercase letters              18%
Words in dictionaries or names     15%
Other (possibly good passwords)    14%

(Morris/Thompson 79)

Page 69: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Dictionary Attacks

Seed list
• All 1-4 letter words
• List of common (dog) names
• Words from dictionary (4M words, 20+ languages)
• Phone numbers, dates, etc.

Rules for generating passwords
• Combining words from seed list
• Inserting numbers, symbols
• Replacing “l” with “1”, “ate” with “8”, etc.

http://www.openwall.com/john/

Anything written in any popular password advice document!

Page 70: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Aside: My 3-Word Password Advice

Unimportant Passwords: use “silly” (protect service, not user)

Important Passwords: Write them down (but somewhat obfuscated and in a secure place)

If you can memorize it, it is not secure! (unless you have a well-trained memory)

Page 71: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Making Dictionary Attacks Harder

1. Use a more expensive cryptographic hash function

UserID      Password                 Password (1000x)
benf        AES_flyakite(0)          AES_flyakite^1000(0)
samadams    AES_beer(0)              AES_beer^1000(0)
tj          AES_Monti07cello04(0)    AES_Monti07cello04^1000(0)
…           …

Page 72: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Making Dictionary Attacks Harder

2. Add “salt” – randomly selected (but non-secret) value for each user

UserID      Salt (16 bits)    Password
benf        52455             AES_flyakite^1000(52455)
samadams    50757             AES_beer^1000(50757)
tj          47101             AES_Monti07cello04^1000(47101)
…           …

AES x 1000 makes dictionary attack 1000 times harder

16-bit salt makes dictionary attack 2^16 times harder (but doesn’t make a targeted attack against one user harder)
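The salted, stretched password table above as working code, with a defender's audit of what a precomputed dictionary can and cannot match; this is an added example, not part of the original slides. Assumptions: PBKDF2-HMAC-SHA256 stands in for the slides' AES_password^1000(salt), the user names, passwords and salts are the ones on the slides, and the word list and function names are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 1000             # the slides' "x 1000"; real systems use far more
SALT_BYTES = 2                # the slides' 16-bit salt; real systems use longer
NO_SALT = bytes(SALT_BYTES)   # the unsalted scheme always hashes the constant 0

def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow salted one-way function (stand-in for AES_password^1000(salt))."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def new_record(password: str, salt: bytes = None) -> dict:
    """What the server stores: the non-secret salt and the stretched hash."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt, "hash": stretch(password, salt)}

def check_login(record: dict, guess: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    return hmac.compare_digest(stretch(guess, record["salt"]), record["hash"])

def build_table(words, salt: bytes = NO_SALT) -> dict:
    """Precomputed dictionary, valid for exactly ONE salt value: hash -> word."""
    return {stretch(w, salt): w for w in words}

def audit(users: dict, table: dict) -> dict:
    """Accounts whose stored hash appears in a precomputed table."""
    return {name: table[rec["hash"]]
            for name, rec in users.items() if rec["hash"] in table}

# Users, passwords and salts from the slides; the word list is constructed.
PASSWORDS = {"benf": "flyakite", "samadams": "beer", "tj": "Monti07cello04"}
SALTS = {"benf": 52455, "samadams": 50757, "tj": 47101}
WORDLIST = ["beer", "flyakite", "kite", "wahoo"]

UNSALTED = {u: new_record(p, NO_SALT) for u, p in PASSWORDS.items()}
SALTED = {u: new_record(p, SALTS[u].to_bytes(SALT_BYTES, "big"))
          for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    table = build_table(WORDLIST)  # computed once, reusable against every user
    print("unsalted table exposes:", audit(UNSALTED, table))
    print("salted table exposes:  ", audit(SALTED, table))
    # The salt is not secret, so one user's salt can be fed back in: the
    # per-user cost of a targeted dictionary run is unchanged.
    targeted = build_table(WORDLIST, SALTED["benf"]["salt"])
    print("targeted at benf:      ", audit(SALTED, targeted))
    print("tj logs in:", check_login(SALTED["tj"], "Monti07cello04"))
```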


Page 74: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Two Big Problems Remaining:

1. Users are still morons

Auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. “We were able to convince 35 managers and employees to provide us their username and change their password,” the report said.

GAO Audit of IRS (2005)

(Solving this is outside scope of this class.)

Page 75: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Two Big Problems Remaining:

2. Transmitting password

[Diagram: petitions.gov, Insecure Channel]

How does TJ know he’s really talking to petitions.gov?

How can he establish a secure channel to transmit password?

Page 76: Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Plan for Next Week

Solving these problems using asymmetric cryptography:
- Public key cryptosystems
- Digital signatures
- Public key protocols (TLS)

open to requests!
