david evans cs.virginia/evans

David Evanshttp://www.cs.virginia.edu/evans

CS588: Security and PrivacyUniversity of VirginiaComputer Science

Lecture 6: Striving for Confusion

Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system.

Lexar Corporation, “An Evalution of the DES”, 1976.

8 February 2005 University of Virginia CS 588 2

Menu

• PS1 Question 4b – Will return PS1 Thursday

• DES

• Strengthening DES

• Breaking DES


Permutation Cipher

How much information can be transmitted with perfect secrecy using symbols from the English alphabet (26 letters) with a transposition cipher with block size 8 and a permutation chosen randomly from all possible permutations?


Key Space

1 2 3 4 5 6 7 8

Random Permutation

8! KeysPerfect Cipher Keyspace Theorem:Cannot transmit more than 8! different message securely


8! Messages

M = { ABCDEFGH,

BACDEFGH,

CABDEFGH,

DABCEFGH,

EABCDFGH,

… }

Why couldn’t youalso includeIJKLMNOP?

What if therewere only 2 alphabetsymbols?(Note: can transmit as many blocks as you want)

Midterm Question


Feistel Cipher RecapPlaintext

Rou

nd

L0R0

F

K1

L1 R1

Last time:- Decryption works, as long as the keys are used in reverse order- Can provide confusion and diffusion (because of permutation), but only if F is confusing

Sub

stitu

tion

Per

mut

atio

n


DES• NIST (then NBS) sought standard for

data security (1973)

• IBM’s Lucifer only reasonable proposal

• Modified by NSA– Changed S-Boxes– Reduced key from 128 to 56 bits

• Adopted as standard in 1976

• More bits have been encrypted using DES than any other cipher


DES Algorithm• Feistel cipher with added initial

permutation

• Complex choice of F

• 16 rounds

• 56-bit key, shifts and permutations produce 48-bit subkeys for each round


DES’s F

Expand and Permute (using E table)

32 bits

48 bits

Kn

Substitute (using S boxes)32 bits

Permutation

The goal is confusion!


S-Boxes

S-Box

6 bits

4 bits

Example: 110011

1001

Critical to securityNSA changed choice of S-BoxesOnly non-linear step in DES

64 entry lookup table

E(11) E(01) + E(10)


DES AvalancheInput: ...............................................................* 1 Permuted: .......................................*........................ 1Round 1: .......*........................................................ 1Round 2: .*..*...*.....*........................*........................ 5Round 3: .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18Round 4: ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28Round 5: *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29Round 6: ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26Round 7: *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..* Round 8: *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*... Round 9: ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...** Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*.. Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...* Round 12: *..***....*...*.*.*.***...****....******......*..******....*.... Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****.. Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*. Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.** Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.* Output: ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.

Source: Willem de Graaf, http://www-groups.dcs.st-and.ac.uk/~wdg/slides/node150.html


Key Schedule

• Need 16 48-bit keys– Best security: just use 16 independent keys– 768 key bits

• 56-bit key used (64 bits for parity checking)– Produce 48-bit round keys by shifting and

permuting


DES Keys

Ki = PC (Shift (Left (Ki-1))

|| Shift (Right (Ki-1)))

Key

Shift (1 or 2 bits) Shift (1 or 2 bits)

56 bits

28 bits28 bits

Compress/Permute

Kn

Next round

Are there any weak keys?


Is DES a perfect cipher?

• No: more messages than keys

• Even for 1 64-bit block

264 messages > 256 keys


Attacking DES: Brute Force• Key is 56 bits• 256 = 7.2 * 1016 = 72 quadrillion• Try 1 per second = 9 Billion years to

search entire space• Distributed attacks

– Steal/borrow idle cycles on networked PCs– Search half of key space with

100000 PCs * 1M keys/second in 25 days


Brute Force Attacks

• RSA DES challenges:– 1997: 96 days (using 70,000

machines)

– Feb 1998: 41 days (distributed.net)


Multiple Encryption


Multiple Encryption

• C = EK2 (EK1 (P))• Does it double the key space?

• Monoalphabetic cipher

Ci = K2[K1[Pi]]

= K3[Pi] for some K3


Double-VigenèreC = EK2 (EK1 (P))

Vigenère: Ci = (Pi + Ki mod N) mod Z

Ci = ((Pi + K1i mod N1 mod Z) + K2i mod N2) mod Z

= (Pi + K1i mod N1 + K2i mod N2 ) mod Zif N1 = N2:

= (Pi + K3i mod N) mod Z (K3 = K1 + K2)what if N1 N2?


Double-Vigenère

• K1 = "BOND"

• K2 = "JAMES" BONDBONDBONDBONDBONDBONDBOND

+ JAMESJAMESJAMESJAMESJAMESJAM= KOZHTXNPFGWDNSFMBARVKOZHTXNP• Effective key length: LCM (N1, N2) = 20


Double DES• C = EK2 (EK1 (P))• Is there a K3 such that C = EK3 (P)?

– There are 256 keys, and 264! mappings– If DES is good, keys map randomly to mappings. – Probability that a randomly chosen mapping

corresponds to a DES key: 256 / 264! << 1 / 263!

• Effective key size of Double DES? = 256 * 256 = 2112

WRONG!


Known Plaintext Attack

P E E

K1 K2

C

P E

try all possible keys

XK1

XK2

XK256

CD

try all possible keys

YK1

YK2

YK256

One XKi = YKj means K1 = Ki and K2 = Kj


Meet-in-the-Middle Attack• C = EK2 (EK1 (P))

• X = EK1 (P) = DK2 (C)

• Brute force attack (given one P/C pair):

calculate EK1 (P) for all keys (256 work)

calculate DK2 (C) for all keys (256 work)

the match gives the keys • Total work = 2 * 256 = 257


Hmmm…maybe thrice?


2-Key Triple DES• C = EK1 (DK2 (EK1 (P)))

• Why DK2 not EK2?– Backwards compatibility with DES– If K1 = K2: C = EK1 (DK1 (EK1 (P))) = EK1 (P)

• Actual key size = 56 + 56 bits = 112 bits• Meet-in-the-middle?

– X = EK1 (P) = DK1 (EK2 (C)) 256 need to try 2112


How secure is Triple-DES

• Brute force search: 2112 keys– Best DES attack: 245 B keys/second 6.7 * 1014 years (compared to 22 hours)– 1011 years = total lifetime of universe

(closed universe theory)

• Best known attack - reduces to 2120-log2n

– n = number of known P-C pairs– n = 264, work is 256

Realistic?


3-Key Triple DES

• C = EK3 (DK2 (EK1 (P)))

• H(K) = 168

• Used by PGP, S/MIME

• How much work to brute-force?– Meet-in-the-middle:

X = DK3 (C) = DK2 (EK1 (P))

256 + 2112


Cracking DES (1998)

90B keys per secondCost < $250K (in 1998)56 hours to solve RSA DES

Challenge


Cracking DES (2001)

• Mike Bond, Richard Clayton (University of Cambridge PhD Students)

• IBM 4578 “Cryptoprocessor” (used in banking security – generates PINs from account numbers)

• $995 for custom FPGA• 20 hours to extract key• Meet-in-the-middle attack (we’ll discuss this

next class)


Cracking DES (2005)

Girish Ratanpal

POWER ANALYSIS ATTACKS

Girish RatanpalElectrical & Computer Engineering

UVA


The Problem

• Mathematically secure Cryptographic algorithms.

• Implementations leak out information. • Side-channels

– Execution time– Power consumption– Radio frequencies– Electric/magnetic fields


The Power consumption side-channel

• Correlation between operation and power consumed. – E.g. MOV 0 v/s MOV FF

• Correlation between power consumed and bit transitions at the output of gates.– E.g. 01 v/s 10


DPA attack on DES

IIP

L16

L15 R15

R16

EPSP

K16

32 32

3232

64

484832

• Guess the 6-bit sub-key of K16

• Determine Ci, L15[0]

• Determine selection function D(Ci, b, K16)


DES attack contd.

• Collect power traces with k time samples for m cipher-texts.

• Divide the traces into two sets T0 and T1 using the selection function.

• Compute the average.•

• -this is the DPA trace

0][

][|0|

1][0

TkTi

i kTT

kA

1][

][|1|

1][1

TkTi

i kTT

kA

][0][1][ kAkAkS


S[k] with Correct Guess


S[k] with Incorrect Guess


Subkey for SBOX-5


Existing Countermeasures

1. Noise Insertion: Directly reduces SNR of S[k].

2. Temporal De-synchronization• Randomly varying clock• Dummy instructions• Randomized instruction stream

3. Algorithmic Countermeasure• Intermediate results masking

4. Supply Current Shielding• Off-chip capacitors


Existing Countermeasures

• Algorithmic & Temporal De-synchronization – affect implementation

• Need for a solution that– Puts minimal constraints on hardware

implementation– Can be integrated on-chip


Suppression circuit

• Voltage sensed by Rsense

• Current feedback to keep voltage constant.

• Cfilter for high frequency components.

Rsense

TshuntCfilterOPAMP

+

- Vref

Vdd

CircuitUnder

Protection


Result of Suppression

Suppression

0

0.001

0.002

0.003

0.004

0.005

0.006

0.00E+00

1.00E-05

2.00E-05

3.00E-05

4.00E-05

5.00E-05

6.00E-05

7.00E-05

8.00E-05

9.00E-05

1.00E-04

time (s)

I_su

pp

ly (

mA

) w

hth

an

d w

/o s

up

pre

ssio

n


DPA on Protected Device


Charge

• Deadline for project proposals delayed until Feb 17– Start using the forum to find project teams

• PS2 out today, due next Tuesday– Read the attached paper before

Thursday’s class– We’ll talk about it Thursday

david evans cs.virginia/evans

Documents

rounduniversity of virginia

des algorithmfeistel

choice of s

des avalancheinput

transposition cipher

nsachanged sboxesreduced

permutation cipherhow

data security