david evans cs.virginia/evans

David Evanshttp://www.cs.virginia.edu/evans

CS588: Security and PrivacyUniversity of VirginiaComputer Science

Lecture 6: Striving for Confusion

Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system.

Lexar Corporation, “An Evalution of the DES”, 1976.

8 February 2005 University of Virginia CS 588 2

Menu

• PS1 Question 4b – Will return PS1 Thursday

• DES

• Strengthening DES

• Breaking DES

8 February 2005 University of Virginia CS 588 3

Permutation Cipher

How much information can be transmitted with perfect secrecy using symbols from the English alphabet (26 letters) with a transposition cipher with block size 8 and a permutation chosen randomly from all possible permutations?

8 February 2005 University of Virginia CS 588 4

Key Space

1 2 3 4 5 6 7 8

Random Permutation

8! KeysPerfect Cipher Keyspace Theorem:Cannot transmit more than 8! different message securely

8 February 2005 University of Virginia CS 588 5

8! Messages

M = { ABCDEFGH,

BACDEFGH,

CABDEFGH,

DABCEFGH,

EABCDFGH,

… }

Why couldn’t youalso includeIJKLMNOP?

What if therewere only 2 alphabetsymbols?(Note: can transmit as many blocks as you want)

Midterm Question

8 February 2005 University of Virginia CS 588 6

Feistel Cipher RecapPlaintext

Rou

nd

L0R0

F

K1

L1 R1

Last time:- Decryption works, as long as the keys are used in reverse order- Can provide confusion and diffusion (because of permutation), but only if F is confusing

Sub

stitu

tion

Per

mut

atio

n

8 February 2005 University of Virginia CS 588 7

DES• NIST (then NBS) sought standard for

data security (1973)

• IBM’s Lucifer only reasonable proposal

• Modified by NSA– Changed S-Boxes– Reduced key from 128 to 56 bits

• Adopted as standard in 1976

• More bits have been encrypted using DES than any other cipher

8 February 2005 University of Virginia CS 588 8

DES Algorithm• Feistel cipher with added initial

permutation

• Complex choice of F

• 16 rounds

• 56-bit key, shifts and permutations produce 48-bit subkeys for each round

8 February 2005 University of Virginia CS 588 9

DES’s F

Expand and Permute (using E table)

32 bits

48 bits

Kn

Substitute (using S boxes)32 bits

Permutation

The goal is confusion!

8 February 2005 University of Virginia CS 588 10

S-Boxes

S-Box

6 bits

4 bits

Example: 110011

1001

Critical to securityNSA changed choice of S-BoxesOnly non-linear step in DES

64 entry lookup table

E(11) E(01) + E(10)

8 February 2005 University of Virginia CS 588 11

DES AvalancheInput: ...............................................................* 1 Permuted: .......................................*........................ 1Round 1: .......*........................................................ 1Round 2: .*..*...*.....*........................*........................ 5Round 3: .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18Round 4: ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28Round 5: *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29Round 6: ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26Round 7: *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..* Round 8: *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*... Round 9: ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...** Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*.. Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...* Round 12: *..***....*...*.*.*.***...****....******......*..******....*.... Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****.. Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*. Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.** Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.* Output: ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.

Source: Willem de Graaf, http://www-groups.dcs.st-and.ac.uk/~wdg/slides/node150.html

8 February 2005 University of Virginia CS 588 12

Key Schedule

• Need 16 48-bit keys– Best security: just use 16 independent keys– 768 key bits

• 56-bit key used (64 bits for parity checking)– Produce 48-bit round keys by shifting and

permuting

8 February 2005 University of Virginia CS 588 13

DES Keys

Ki = PC (Shift (Left (Ki-1))

|| Shift (Right (Ki-1)))

Key

Shift (1 or 2 bits) Shift (1 or 2 bits)

56 bits

28 bits28 bits

Compress/Permute

Kn

Next round

Are there any weak keys?

8 February 2005 University of Virginia CS 588 14

Is DES a perfect cipher?

• No: more messages than keys

• Even for 1 64-bit block

264 messages > 256 keys

8 February 2005 University of Virginia CS 588 15

Attacking DES: Brute Force• Key is 56 bits• 256 = 7.2 * 1016 = 72 quadrillion• Try 1 per second = 9 Billion years to

search entire space• Distributed attacks

– Steal/borrow idle cycles on networked PCs– Search half of key space with

100000 PCs * 1M keys/second in 25 days

8 February 2005 University of Virginia CS 588 16

Brute Force Attacks

• RSA DES challenges:– 1997: 96 days (using 70,000

machines)

– Feb 1998: 41 days (distributed.net)

8 February 2005 University of Virginia CS 588 17

Multiple Encryption

8 February 2005 University of Virginia CS 588 18

Multiple Encryption

• C = EK2 (EK1 (P))• Does it double the key space?

• Monoalphabetic cipher

Ci = K2[K1[Pi]]

= K3[Pi] for some K3

8 February 2005 University of Virginia CS 588 19

Double-VigenèreC = EK2 (EK1 (P))

Vigenère: Ci = (Pi + Ki mod N) mod Z

Ci = ((Pi + K1i mod N1 mod Z) + K2i mod N2) mod Z

= (Pi + K1i mod N1 + K2i mod N2 ) mod Zif N1 = N2:

= (Pi + K3i mod N) mod Z (K3 = K1 + K2)what if N1 N2?

8 February 2005 University of Virginia CS 588 20

Double-Vigenère

• K1 = "BOND"

• K2 = "JAMES" BONDBONDBONDBONDBONDBONDBOND

+ JAMESJAMESJAMESJAMESJAMESJAM= KOZHTXNPFGWDNSFMBARVKOZHTXNP• Effective key length: LCM (N1, N2) = 20

8 February 2005 University of Virginia CS 588 21

Double DES• C = EK2 (EK1 (P))• Is there a K3 such that C = EK3 (P)?

– There are 256 keys, and 264! mappings– If DES is good, keys map randomly to mappings. – Probability that a randomly chosen mapping

corresponds to a DES key: 256 / 264! << 1 / 263!

• Effective key size of Double DES? = 256 * 256 = 2112

WRONG!

8 February 2005 University of Virginia CS 588 22

Known Plaintext Attack

P E E

K1 K2

C

P E

try all possible keys

XK1

XK2

XK256

CD

try all possible keys

YK1

YK2

YK256

One XKi = YKj means K1 = Ki and K2 = Kj

8 February 2005 University of Virginia CS 588 23

Meet-in-the-Middle Attack• C = EK2 (EK1 (P))

• X = EK1 (P) = DK2 (C)

• Brute force attack (given one P/C pair):

calculate EK1 (P) for all keys (256 work)

calculate DK2 (C) for all keys (256 work)

the match gives the keys • Total work = 2 * 256 = 257

8 February 2005 University of Virginia CS 588 24

Hmmm…maybe thrice?

8 February 2005 University of Virginia CS 588 25

2-Key Triple DES• C = EK1 (DK2 (EK1 (P)))

• Why DK2 not EK2?– Backwards compatibility with DES– If K1 = K2: C = EK1 (DK1 (EK1 (P))) = EK1 (P)

• Actual key size = 56 + 56 bits = 112 bits• Meet-in-the-middle?

– X = EK1 (P) = DK1 (EK2 (C)) 256 need to try 2112

8 February 2005 University of Virginia CS 588 26

How secure is Triple-DES

• Brute force search: 2112 keys– Best DES attack: 245 B keys/second 6.7 * 1014 years (compared to 22 hours)– 1011 years = total lifetime of universe

(closed universe theory)

• Best known attack - reduces to 2120-log2n

– n = number of known P-C pairs– n = 264, work is 256

Realistic?

8 February 2005 University of Virginia CS 588 27

3-Key Triple DES

• C = EK3 (DK2 (EK1 (P)))

• H(K) = 168

• Used by PGP, S/MIME

• How much work to brute-force?– Meet-in-the-middle:

X = DK3 (C) = DK2 (EK1 (P))

256 + 2112

8 February 2005 University of Virginia CS 588 28

Cracking DES (1998)

90B keys per secondCost < $250K (in 1998)56 hours to solve RSA DES

Challenge

8 February 2005 University of Virginia CS 588 29

Cracking DES (2001)

• Mike Bond, Richard Clayton (University of Cambridge PhD Students)

• IBM 4578 “Cryptoprocessor” (used in banking security – generates PINs from account numbers)

• $995 for custom FPGA• 20 hours to extract key• Meet-in-the-middle attack (we’ll discuss this

next class)

8 February 2005 University of Virginia CS 588 30

Cracking DES (2005)

Girish Ratanpal

POWER ANALYSIS ATTACKS

Girish RatanpalElectrical & Computer Engineering

UVA

8 February 2005 University of Virginia CS 588 32

The Problem

• Mathematically secure Cryptographic algorithms.

• Implementations leak out information. • Side-channels

– Execution time– Power consumption– Radio frequencies– Electric/magnetic fields

8 February 2005 University of Virginia CS 588 33

The Power consumption side-channel

• Correlation between operation and power consumed. – E.g. MOV 0 v/s MOV FF

• Correlation between power consumed and bit transitions at the output of gates.– E.g. 01 v/s 10

8 February 2005 University of Virginia CS 588 34

DPA attack on DES

IIP

L16

L15 R15

R16

EPSP

K16

32 32

3232

64

484832

• Guess the 6-bit sub-key of K16

• Determine Ci, L15[0]

• Determine selection function D(Ci, b, K16)

8 February 2005 University of Virginia CS 588 35

DES attack contd.

• Collect power traces with k time samples for m cipher-texts.

• Divide the traces into two sets T0 and T1 using the selection function.

• Compute the average.•

• -this is the DPA trace

0][

][|0|

1][0

TkTi

i kTT

kA

1][

][|1|

1][1

TkTi

i kTT

kA

][0][1][ kAkAkS

8 February 2005 University of Virginia CS 588 36

S[k] with Correct Guess

8 February 2005 University of Virginia CS 588 37

S[k] with Incorrect Guess

8 February 2005 University of Virginia CS 588 38

Subkey for SBOX-5

8 February 2005 University of Virginia CS 588 39

Existing Countermeasures

1. Noise Insertion: Directly reduces SNR of S[k].

2. Temporal De-synchronization• Randomly varying clock• Dummy instructions• Randomized instruction stream

3. Algorithmic Countermeasure• Intermediate results masking

4. Supply Current Shielding• Off-chip capacitors

8 February 2005 University of Virginia CS 588 40

Existing Countermeasures

• Algorithmic & Temporal De-synchronization – affect implementation

• Need for a solution that– Puts minimal constraints on hardware

implementation– Can be integrated on-chip

8 February 2005 University of Virginia CS 588 41

Suppression circuit

• Voltage sensed by Rsense

• Current feedback to keep voltage constant.

• Cfilter for high frequency components.

Rsense

TshuntCfilterOPAMP

+

- Vref

Vdd

CircuitUnder

Protection

8 February 2005 University of Virginia CS 588 42

Result of Suppression

Suppression

0

0.001

0.002

0.003

0.004

0.005

0.006

0.00E+00

1.00E-05

2.00E-05

3.00E-05

4.00E-05

5.00E-05

6.00E-05

7.00E-05

8.00E-05

9.00E-05

1.00E-04

time (s)

I_su

pp

ly (

mA

) w

hth

an

d w

/o s

up

pre

ssio

n

8 February 2005 University of Virginia CS 588 43

DPA on Protected Device

8 February 2005 University of Virginia CS 588 44

Charge

• Deadline for project proposals delayed until Feb 17– Start using the forum to find project teams

• PS2 out today, due next Tuesday– Read the attached paper before

Thursday’s class– We’ll talk about it Thursday