david evans cs.virginia/evans
DESCRIPTION
Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system. Lexar Corporation, “An Evalution of the DES”, 1976. Lecture 6: Striving for Confusion. David Evans - PowerPoint PPT PresentationTRANSCRIPT
David Evanshttp://www.cs.virginia.edu/evans
CS588: Security and PrivacyUniversity of VirginiaComputer Science
Lecture 6: Striving for Confusion
Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system.
Lexar Corporation, “An Evalution of the DES”, 1976.
8 February 2005 University of Virginia CS 588 2
Menu
• PS1 Question 4b – Will return PS1 Thursday
• DES
• Strengthening DES
• Breaking DES
8 February 2005 University of Virginia CS 588 3
Permutation Cipher
How much information can be transmitted with perfect secrecy using symbols from the English alphabet (26 letters) with a transposition cipher with block size 8 and a permutation chosen randomly from all possible permutations?
8 February 2005 University of Virginia CS 588 4
Key Space
1 2 3 4 5 6 7 8
Random Permutation
8! KeysPerfect Cipher Keyspace Theorem:Cannot transmit more than 8! different message securely
8 February 2005 University of Virginia CS 588 5
8! Messages
M = { ABCDEFGH,
BACDEFGH,
CABDEFGH,
DABCEFGH,
EABCDFGH,
… }
Why couldn’t youalso includeIJKLMNOP?
What if therewere only 2 alphabetsymbols?(Note: can transmit as many blocks as you want)
Midterm Question
8 February 2005 University of Virginia CS 588 6
Feistel Cipher RecapPlaintext
Rou
nd
L0R0
F
K1
L1 R1
Last time:- Decryption works, as long as the keys are used in reverse order- Can provide confusion and diffusion (because of permutation), but only if F is confusing
Sub
stitu
tion
Per
mut
atio
n
8 February 2005 University of Virginia CS 588 7
DES• NIST (then NBS) sought standard for
data security (1973)
• IBM’s Lucifer only reasonable proposal
• Modified by NSA– Changed S-Boxes– Reduced key from 128 to 56 bits
• Adopted as standard in 1976
• More bits have been encrypted using DES than any other cipher
8 February 2005 University of Virginia CS 588 8
DES Algorithm• Feistel cipher with added initial
permutation
• Complex choice of F
• 16 rounds
• 56-bit key, shifts and permutations produce 48-bit subkeys for each round
8 February 2005 University of Virginia CS 588 9
DES’s F
Expand and Permute (using E table)
32 bits
48 bits
Kn
Substitute (using S boxes)32 bits
Permutation
The goal is confusion!
8 February 2005 University of Virginia CS 588 10
S-Boxes
S-Box
6 bits
4 bits
Example: 110011
1001
Critical to securityNSA changed choice of S-BoxesOnly non-linear step in DES
64 entry lookup table
E(11) E(01) + E(10)
8 February 2005 University of Virginia CS 588 11
DES AvalancheInput: ...............................................................* 1 Permuted: .......................................*........................ 1Round 1: .......*........................................................ 1Round 2: .*..*...*.....*........................*........................ 5Round 3: .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18Round 4: ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28Round 5: *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29Round 6: ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26Round 7: *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..* Round 8: *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*... Round 9: ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...** Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*.. Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...* Round 12: *..***....*...*.*.*.***...****....******......*..******....*.... Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****.. Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*. Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.** Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.* Output: ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.
Source: Willem de Graaf, http://www-groups.dcs.st-and.ac.uk/~wdg/slides/node150.html
8 February 2005 University of Virginia CS 588 12
Key Schedule
• Need 16 48-bit keys– Best security: just use 16 independent keys– 768 key bits
• 56-bit key used (64 bits for parity checking)– Produce 48-bit round keys by shifting and
permuting
8 February 2005 University of Virginia CS 588 13
DES Keys
Ki = PC (Shift (Left (Ki-1))
|| Shift (Right (Ki-1)))
Key
Shift (1 or 2 bits) Shift (1 or 2 bits)
56 bits
28 bits28 bits
Compress/Permute
Kn
Next round
Are there any weak keys?
8 February 2005 University of Virginia CS 588 14
Is DES a perfect cipher?
• No: more messages than keys
• Even for 1 64-bit block
264 messages > 256 keys
8 February 2005 University of Virginia CS 588 15
Attacking DES: Brute Force• Key is 56 bits• 256 = 7.2 * 1016 = 72 quadrillion• Try 1 per second = 9 Billion years to
search entire space• Distributed attacks
– Steal/borrow idle cycles on networked PCs– Search half of key space with
100000 PCs * 1M keys/second in 25 days
8 February 2005 University of Virginia CS 588 16
Brute Force Attacks
• RSA DES challenges:– 1997: 96 days (using 70,000
machines)
– Feb 1998: 41 days (distributed.net)
8 February 2005 University of Virginia CS 588 17
Multiple Encryption
8 February 2005 University of Virginia CS 588 18
Multiple Encryption
• C = EK2 (EK1 (P))• Does it double the key space?
• Monoalphabetic cipher
Ci = K2[K1[Pi]]
= K3[Pi] for some K3
8 February 2005 University of Virginia CS 588 19
Double-VigenèreC = EK2 (EK1 (P))
Vigenère: Ci = (Pi + Ki mod N) mod Z
Ci = ((Pi + K1i mod N1 mod Z) + K2i mod N2) mod Z
= (Pi + K1i mod N1 + K2i mod N2 ) mod Zif N1 = N2:
= (Pi + K3i mod N) mod Z (K3 = K1 + K2)what if N1 N2?
8 February 2005 University of Virginia CS 588 20
Double-Vigenère
• K1 = "BOND"
• K2 = "JAMES" BONDBONDBONDBONDBONDBONDBOND
+ JAMESJAMESJAMESJAMESJAMESJAM= KOZHTXNPFGWDNSFMBARVKOZHTXNP• Effective key length: LCM (N1, N2) = 20
8 February 2005 University of Virginia CS 588 21
Double DES• C = EK2 (EK1 (P))• Is there a K3 such that C = EK3 (P)?
– There are 256 keys, and 264! mappings– If DES is good, keys map randomly to mappings. – Probability that a randomly chosen mapping
corresponds to a DES key: 256 / 264! << 1 / 263!
• Effective key size of Double DES? = 256 * 256 = 2112
WRONG!
8 February 2005 University of Virginia CS 588 22
Known Plaintext Attack
P E E
K1 K2
C
P E
try all possible keys
XK1
XK2
XK256
CD
try all possible keys
YK1
YK2
YK256
One XKi = YKj means K1 = Ki and K2 = Kj
8 February 2005 University of Virginia CS 588 23
Meet-in-the-Middle Attack• C = EK2 (EK1 (P))
• X = EK1 (P) = DK2 (C)
• Brute force attack (given one P/C pair):
calculate EK1 (P) for all keys (256 work)
calculate DK2 (C) for all keys (256 work)
the match gives the keys • Total work = 2 * 256 = 257
8 February 2005 University of Virginia CS 588 24
Hmmm…maybe thrice?
8 February 2005 University of Virginia CS 588 25
2-Key Triple DES• C = EK1 (DK2 (EK1 (P)))
• Why DK2 not EK2?– Backwards compatibility with DES– If K1 = K2: C = EK1 (DK1 (EK1 (P))) = EK1 (P)
• Actual key size = 56 + 56 bits = 112 bits• Meet-in-the-middle?
– X = EK1 (P) = DK1 (EK2 (C)) 256 need to try 2112
8 February 2005 University of Virginia CS 588 26
How secure is Triple-DES
• Brute force search: 2112 keys– Best DES attack: 245 B keys/second 6.7 * 1014 years (compared to 22 hours)– 1011 years = total lifetime of universe
(closed universe theory)
• Best known attack - reduces to 2120-log2n
– n = number of known P-C pairs– n = 264, work is 256
Realistic?
8 February 2005 University of Virginia CS 588 27
3-Key Triple DES
• C = EK3 (DK2 (EK1 (P)))
• H(K) = 168
• Used by PGP, S/MIME
• How much work to brute-force?– Meet-in-the-middle:
X = DK3 (C) = DK2 (EK1 (P))
256 + 2112
8 February 2005 University of Virginia CS 588 28
Cracking DES (1998)
90B keys per secondCost < $250K (in 1998)56 hours to solve RSA DES
Challenge
8 February 2005 University of Virginia CS 588 29
Cracking DES (2001)
• Mike Bond, Richard Clayton (University of Cambridge PhD Students)
• IBM 4578 “Cryptoprocessor” (used in banking security – generates PINs from account numbers)
• $995 for custom FPGA• 20 hours to extract key• Meet-in-the-middle attack (we’ll discuss this
next class)
8 February 2005 University of Virginia CS 588 30
Cracking DES (2005)
Girish Ratanpal
POWER ANALYSIS ATTACKS
Girish RatanpalElectrical & Computer Engineering
UVA
8 February 2005 University of Virginia CS 588 32
The Problem
• Mathematically secure Cryptographic algorithms.
• Implementations leak out information. • Side-channels
– Execution time– Power consumption– Radio frequencies– Electric/magnetic fields
8 February 2005 University of Virginia CS 588 33
The Power consumption side-channel
• Correlation between operation and power consumed. – E.g. MOV 0 v/s MOV FF
• Correlation between power consumed and bit transitions at the output of gates.– E.g. 01 v/s 10
8 February 2005 University of Virginia CS 588 34
DPA attack on DES
IIP
L16
L15 R15
R16
EPSP
K16
32 32
3232
64
484832
• Guess the 6-bit sub-key of K16
• Determine Ci, L15[0]
• Determine selection function D(Ci, b, K16)
8 February 2005 University of Virginia CS 588 35
DES attack contd.
• Collect power traces with k time samples for m cipher-texts.
• Divide the traces into two sets T0 and T1 using the selection function.
• Compute the average.•
• -this is the DPA trace
0][
][|0|
1][0
TkTi
i kTT
kA
1][
][|1|
1][1
TkTi
i kTT
kA
][0][1][ kAkAkS
8 February 2005 University of Virginia CS 588 36
S[k] with Correct Guess
8 February 2005 University of Virginia CS 588 37
S[k] with Incorrect Guess
8 February 2005 University of Virginia CS 588 38
Subkey for SBOX-5
8 February 2005 University of Virginia CS 588 39
Existing Countermeasures
1. Noise Insertion: Directly reduces SNR of S[k].
2. Temporal De-synchronization• Randomly varying clock• Dummy instructions• Randomized instruction stream
3. Algorithmic Countermeasure• Intermediate results masking
4. Supply Current Shielding• Off-chip capacitors
8 February 2005 University of Virginia CS 588 40
Existing Countermeasures
• Algorithmic & Temporal De-synchronization – affect implementation
• Need for a solution that– Puts minimal constraints on hardware
implementation– Can be integrated on-chip
8 February 2005 University of Virginia CS 588 41
Suppression circuit
• Voltage sensed by Rsense
• Current feedback to keep voltage constant.
• Cfilter for high frequency components.
Rsense
TshuntCfilterOPAMP
+
- Vref
Vdd
CircuitUnder
Protection
8 February 2005 University of Virginia CS 588 42
Result of Suppression
Suppression
0
0.001
0.002
0.003
0.004
0.005
0.006
0.00E+00
1.00E-05
2.00E-05
3.00E-05
4.00E-05
5.00E-05
6.00E-05
7.00E-05
8.00E-05
9.00E-05
1.00E-04
time (s)
I_su
pp
ly (
mA
) w
hth
an
d w
/o s
up
pre
ssio
n
8 February 2005 University of Virginia CS 588 43
DPA on Protected Device
8 February 2005 University of Virginia CS 588 44
Charge
• Deadline for project proposals delayed until Feb 17– Start using the forum to find project teams
• PS2 out today, due next Tuesday– Read the attached paper before
Thursday’s class– We’ll talk about it Thursday