Symmetric Key Crypto

1
Symmetric Key Crypto

• Alfred C. WeaverTom Horton
• CS453 Electronic Commerce

2

• Readings
• Chapter 13 of Treese and Stewart textbook
• Web resources
• Weavers References
• Bruce Schneier, Applied Cryptography, John
  Wiley Sons
• Andrew Tanenbaum, Computer Networks,
  Prentice-Hall
• Jim Kurose and Keith Ross, Computer Networking,
  Addison-Wesley

3
Symmetric Key Encryption
4
Evaluating SKC

• How do you break this strategy? Whats the risk?
• Odd question for the moment Is this the
  strategy we want for encrypting passwords for
  authentication?

5
Answers

• Question 1 How do you break this strategy?
  Whats the risk?
• Answer Attack the key! Can you guess it? Find
  it?
• Question 2 Is this the strategy we want for
  encrypting passwords for authentication?
• Answer No. Use a one-way hash to convert
  plain-text to cipher-text. Store cipher-text on
  system. At authentication, hash what the user
  types and compare two cipher-texts for match.
• How to attack? Same as above.

6
Topics

• What are some major (historical) SKC algorithms?
• DES, Triple-DES, IDEA, RC4, AES
• How do they work? (Hmm.)
• Where do they stand?
• How do they fit into larger systems?

7
Data Encryption Standard

• Government requested white papers on proposed
  cryptographic standard in early 1970s
• IBM responded with a clever design
• NSA approved (and changed) the design
• NBS (now NIST) certified the design in 1976 as
  Data Encryption Standard (DES)
• Recertified in 1987 and 1993
• Worlds most commonly used algorithm

8
DES

• Iterated block cipher with 56-bit key (although
  64 are specified, 8 are parity)
• Iterated
• multiple repetitions of basic algorithm
• DES uses 16 rounds
• Block cipher
• encrypts fixed-size data groups
• DES uses 8-byte (64-bit) blocks
• data divided into 64-bit chunks
• Key space
• 256 keys 72 x 1015 possible keys

9
DES

• Uses a combination of confusion and diffusion
• every bit of the key (56 bits) and every bit of
  the plaintext (64 bits) affects every bit of the
  ciphertext (64 bits)
• key is shifted and massaged each round to produce
  a subkey
• plaintext is permuted, shifted, selected, and
  massaged against a permuted, shifted, and
  selected subkey 16 times
• each 64-bit plaintext produces a 64-bit ciphertext

10
DES
Plaintext
Permutation
L0
R0

one round
K1
f
L1 R0
R1 L0 ? f (R0,K1)
..
L16 R15
R16 L15 ? f (R15,K16)
Permutation
Ciphertext
11
DES

• 1. Plaintext enters as 64-bit block
• 2. Bits are permuted and divided into left-hand
  side (L0) and right-hand side (R0)
• 3. Repeat 16 rounds of encryption
• (a) Key from previous round is divided into two
  28-bit halves
• (b) Each half of key is shifted and subjected to
  a compression permutation that selects 48 of the
  56 bits for propagation into the next round

12
DES

• (c) Right-hand side Ri from previous round
  subjected to expansion permutation that increases
  32 bits into 48 bits by selective repetition of
  certain bits
• (d) Expanded, permuted right-hand side Ri is
  exclusive-ORed with shifted, compressed key
• (e) Result goes through substitution box that
  moves the bits around and expands 32 bits into 48
  bits temporarily

13
DES

• (f) Temporary result goes through a permutation
  box that moves bits around and reduces 48 bits to
  32 bits
• (g) Left-hand side is exclusive-ORed with output
  of permutation box to produce a new right-hand
  side
• (h) New left-hand side is copied from right-hand
  side of previous round

14
DES

• At the end of 16 rounds
• 64-bit result permuted once more
• Final 64-bit ciphertext emitted
• Note no security due to secrecythe algorithm
  has been published and studied extensively since
  1975
• All the security is in the key

15
DES Decryption

• Use the ciphertext as the plaintext
• Use same initial key
• Run the algorithm backwards through 16 rounds,
  using subkeys in reverse order K16, K15, , K1
• DES outputs the plaintext
• Many companies now offer DES on a chip so it runs
  at wire speed

16
(No Transcript)
17
DES Implementation

• Java implementation of DES available at
  http//intercom.virginia.edu/crypto/crypto.html

18
A Brief IBM / NSA History

• IBM needed crypto for ATM
• Idea began as Lucifer with 128-bit key
• IBM needed an export license
• NSA agreed to vet the algorithm
• NSA probably changed the S-boxes
• NSA told IBM to reduce the key size
• IBM agreed to 64 bits
• Production reduced it to 56 bits plus parity
• IBM got its export license

19
Security of DES

• DES started in 1976
• It was secure then but not now
• Jan. 1997 RSA Data Security issued a
  cryptographic challenge
• Research project DESCHALL used distributed
  computing (14,000 unique computers over 3 months)
  to crack DES with 56-bit key
• http//www.interhack.net/projects/deschall/
• At its peak, DESCHALL was testing 7 billion
  keys/second

20
Security of DES

• July 1998 DES Challenge II
• Electronic Frontier Foundation (EFF) built a DES
  code-cracker for 250k
• Cracked DES in 3 days
• Jan. 1999 DES Challenge III
• Distributed.Net used EFF DES cracker plus 100,000
  PCs on the Internet to crack DES in 22 hours 15
  min.
• Testing 245 billion keys/sec when key was found

21
Security of DES

• Reported in late 90s that DES could be cracked
  in a few hours (presumably by NSA)
• Reasonable to assume that DES can now be cracked
  very quickly with special hardware and/or a
  distributed approach

22
Weak Keys

• Some 56-bit keys are known to be weak
• 0000000 0000000
• 0000000 FFFFFFF
• FFFFFFF 0000000
• FFFFFFF FFFFFFF
• Repeating bits do not stir well when shifted
• Also some possibly weak keys, but these are
  identified in the literature so dont use them

23
Triple-DES

• Triple-DES invented to boost security
• Uses three separate encryption and decryption
  cycles with two or three unique keys
• Two unique keys gives 2x56112 bit protection
• Three unique keys gives 3x56168 bit protection

24
Triple-DES
DES-1
DES
DES
Plaintext
Key-3
Ciphertext
Key-1
Key-2
DES-1
DES-1
DES
25
Triple-DES with Three Unique Keys

• Sender
• Encrypt with Key-1
• Decrypt with Key-2 (decryption has same
  scrambling power as encryption)
• Encrypt with Key-3
• Receiver
• Decrypt with Key-3
• Encrypt with Key-2
• Decrypt with Key-1
• Power 56x3168 bit key

26
Triple-DES with Two Unique Keys

• Sender
• Encrypt with Key-1
• Decrypt with Key-2
• Encrypt with Key-1 again
• Receiver
• Decrypt with Key-1
• Encrypt with Key-2
• Decrypt with Key-1
• Power 56x2112 bit key

27
Triple-DES with One Unique Key

• Sender
• Encrypt with Key-1
• Decrypt with Key-1
• Encrypt with Key-1
• Receiver
• Decrypt with Key-1
• Encrypt with Key-1
• Decrypt with Key-1
• Power 56 bit key (exactly equal to DES)

28
Triple-DES

• Why use three unique keys instead of one?
• thats easy!
• power of 168-bit key vs. 56-bit key
• many, many, many orders of magnitude harder to
  crack than DES
• Why use two keys instead of one?
• power of 112-bit key vs. 56-bit key
• many orders of magnitude harder to crack than DES
• two keys (112 bits) easier to manage than three
  (doubtful)
• 112-bit key is fairly secure today
• Why use one key instead of two or three?
• setting key1key2key3 makes 3DES interoperate
  with DES
• of course the power is just one 56-bit key
• only use would be for backward compatibility

29
Security of DES and Triple-DES

• Is DES suitable for commercial transactions?
• today the answer is no
• nevertheless it is in daily, wide-spread use
• Triple-DES very robust, very well suited to
  commercial activities

30
IDEA

• International Data Encryption Algorithm
• proposed 1992
• symmetric-key, 128 bits
• 64-bit blocks
• similar in design, but different in detail, from
  DES

31
IDEA

• Design philosophy is mixing operations from
  three algebraic groups
• XOR
• Addition modulo 216
• Multiplication modulo 216 1 (substitutes for
  DES S-box)
• About twice as fast as DES
• Used in PGP
• Very strong symmetric key encryption algorithm

32
AES

• NIST held a competition to replace DES
• Five serious entries, including 3DES
• Winner was Rijndael (pronounced Rhine-doll)
  from two co-inventors in Belgium
• AES is a 128-, 192-, or 256-bit block cipher
• Uses 128, 192, or 256 bit symmetric keys
• AES uses an affine transformation with a
  non-linear substitution box

33
AES

• 3.4 x 1038 128-bit keys
• 6.2 x 1057 192-bit keys
• 1.1 x 1077 256-bit keys
• Compare those to DESs 56-bit key with 7.2 x 1016
  keys
• Assume you could crack DES (i.e., full search of
  a 56-bit key space) in one second
• Then cracking AES with a 128-bit key would take
  149 trillion years
• The universe is 14 billion years old

34
AES

• AES is the way of the future
• Threats
• backdoor? (probably not)
• massive distributed computation
• quantum computing
• something we've not thought of

35
Others

• RC4
• Developed by Ron Rivest
• Will pop up in discussions of RSA, SSL
• Blowfish
• Developed by Bruce Schneier
• Free, fast
• Variable length key

36
Summary and Whats Next

• A set of historical algorithms
• Culminating in AES
• DES illustrates some of the controversies and
  social issues inherent in cryptography
• PGP too
• Weakness
• Keys must be shared
• An alternative
• Public Key Encryption, possibly combined with SKC