Computer Security Set of slides 3 Dr Alexei Vernitski Another useful example of a Cipher Vigenere’s cipher (16th century) • It is like Caesar’s cipher • However, instead of one number acting as a key, a sequence of numbers is used, one for each letter of the plaintext • When you come to the end of the sequence, you start using it from the beginning again For discussion • Is Vigenere’s cipher more secure than Caesar’s cipher? • How does Vigenere’s cipher make the attacker’s statistical analysis of the cipher text difficult? • What statistical analysis can be applied to Vigenere’s cipher? • As to the key length of Vigenere’s cipher, what would you consider the safe length of the key? The key length The general conclusions: • If the key is longer, it is used fewer times in the encryption process, • therefore, the attacker can obtain less useful statistics from the cyphertext. • The ultimate case of this is the one-time pad, which is a key that is at least as long as the message. One-time pad • By a one-time pad we mean a Vigenere cipher whose key sequence (known as key stream) is as long as the message, and never reused. • A one-time pad cipher is unbreakable. Why? One-time pad • Venona project is an example of breaking incorrectly used one-time pads • Cryptanalysis by American and British codebreakers revealed that some of the one-time pad material had incorrectly been reused by the Soviets (specifically, entire pages, although not complete books), which allowed decryption (sometimes only partial) of a small part of the traffic. http://en.wikipedia.org/wiki/Venona_project Example: optical encryption • This is an unusual example of a one-time pad • This cipher is unbreakable • It can be used e.g. if one half is shown on the computer screen and the other is printed on a transparent film To encrypt a black pixel: The first slide either or The second slide and and To encrypt a white pixel: The first slide either or The second slide and and Towards ciphers in computers • • • • Caesar’s cipher Substitution cipher Vigenere’s cipher One-time pad (Vernam’s cipher) • In computers data is stored as bits, not as letters • How can one re-apply the principles of these classical ciphers to binary data? Substitution as XOR • Each bit of a block is either 0 or 1 • When you encrypt, one of two possible substitutions can be used: – Either 0 → 0, 1 → 1, – Or 0 → 1, 1 → 0. • Each of these two substitution can be produced by XORing this bit with 0 or 1 Bitwise XOR • • • • The same idea as in Vigenere’s cipher The key is a binary array The message is split in blocks The length of the block is the same as the length of the key • Each bit of the block is XORed with the corresponding bit of the key Bitwise XOR: example block 0 1 1 0 1 0 1 0 XOR 1 0 1 0 1 1 0 0 key XOR • Each computer cipher uses – either XOR (typically, so-called stream ciphers) – or bit-wise XOR (typically, so-called block ciphers) • In your opinion, what is the main design problem of stream ciphers? • In your opinion, what is the main design problem of block ciphers? Block cipher • A message is a sequence of bits, for example: 0110010100001011110… • We split the message in blocks of a fixed length • Each block is encrypted in exactly the same way, until the whole message is encrypted Block cipher • Each block is encrypted in exactly the same way, until the whole message is encrypted • Therefore, to make cryptoanalysis more difficult… • Each block should be sufficiently long (why?) • The encryption of each block should be good Permutation • Also called transposition • (but is NOT the same as substitution) • This is a rule directing how the order of bits should be changed, for example: 0 1 1 0 0 1 1 0 1 1 0 0 1 0 0 1 Permutation • Permutation makes ciphers stronger • For example, probably nobody can break the Dorabella cipher because it uses both substitution and permutation • However, there are techniques designed to break ciphers based on substitution and permutation: for example, differential cryptanalysis Differential cryptanalysis • It is called ‘differential’ because the attacker studies how a small change in the plaintext block affects the encrypted block • It can be attempted against every cipher, but is especially successful against ciphers based on substitution and permutation • We present it in the scenario of a known plaintext attack • For the sake of an example, we consider a cipher with block length merely 4 bits Example of differential cryptanalysis • We shall apply differential cryptanalysis against a block cipher based only on applying a fixed permutation to each block and XOR of each block with a fixed binary array. • Suppose the following known plaintext blocks 0000 1000 1100 0110 1111 • correspond to the following ciphertext blocks 1001 1000 0000 0101 0110. • Break the cipher by determining exactly what permutation was applied and what binary array was used to XOR with each block. S-box • S-box or a substitution box is a function producing a highly non-linear substitution of bits in a binary array • In books, S-boxes are normally represented as look-up tables S-box: an example (in the form of a table as S-boxes are often represented in books) *00* *01* *10* *11* 0**0 01 00 11 10 0**1 11 10 01 00 1**0 00 10 01 11 1**1 11 01 00 11 S-box: non-linearity *00* *01* *10* *11* 0**0 01 00 11 10 0**1 11 10 01 00 1**0 00 10 01 11 1**1 11 01 00 11 For example, does the first bit of the output depend on the third bit of the input? Yes in a half of the cases, No in the other half of the cases Famous block ciphers • DES • Triple DES • AES A round in a Feistel cipher Left-hand part of the block XOR Left-hand part of the block Right-hand part of the block F Right-hand part of the block Rounds in a Feistel cipher Left-hand part of the block XOR Right-hand part of the block F Left-hand part of the block Right-hand part of the block F Left-hand part of the block XOR Right-hand part of the block DES • DES stands for Data Encryption Standard • This is a block cipher with the block size 64 and the key size 56 • Number of S-boxes: 8 • Number of rounds: 16 • Which of these parameters make DES an insecure cipher? Breaking DES • In 1998, a purpose-built computer Deep Crack decrypted a DES-encrypted text in only 56 hours • In 2012, a cloud computing tool allows members of the general public to recover a DES key from a known plaintext-ciphertext pair in about 24 hours. Triple DES • The algorithm is easy: – Encrypt with DES using key 1 – Decrypt with DES using key 2 – Encrypt with DES using key 3 • Why is Triple DES stronger than DES? AES • AES has been created in the 1990s to provide the businesses worldwide with a new common secure cryptosystem instead of DES • It has been tested by many cryptologists and is very good • AES can work with keys consisting of 128 or 192 or 256 bits (which is much better than the 56-bit keys of DES) • A cute cartoon guide to AES: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html Modes of operation (of block ciphers) • What if blocks repeat because of the peculiar nature of your data? • What if you are sending the same message again? • How can we improve security in these scenarios? Homework 1. You might read that triple DES is ‘too slow’. For example: In what sense and in what context can one be saying that triple DES is too slow? 2. Some experts think that the block length of DES is too short and, therefore, is insecure (why?). What is the block length of Triple DES? What is the block length of AES? http://1.bp.blogspot.com/_Zfbv3mHcYrc/SreojET_QBI/AAAAAAAABkc/knYwS6AsM04/s1600-h/aes_act_1_scene_11_triple_des_1100.png Sample exam questions • Describe how an attack based on differential cryptanalysis can be organised against a block cipher • Explain briefly what an S-box is and how it contributes to security Sample exam questions • You work as a computer consultant. Your customer asks you which vulnerabilities were discovered in DES that made it necessary to invent new ciphers to replace DES. What will you reply? • You work as a computer consultant. Your customer asks you about a computer cipher called Triple AES. What will you reply? Sample exam questions • Explain how the short key length makes DES a weak cipher • Explain how the short block length might make DES a weak cipher Sample exam questions • Explain the difference between DES, Triple DES and AES. • State which one of them you would recommend to use.