Download slides - CS.Duke

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
Document related concepts

System of polynomial equations wikipedia , lookup

Fundamental theorem of algebra wikipedia , lookup

Polynomial ring wikipedia , lookup

Factorization wikipedia , lookup

Eisenstein's criterion wikipedia , lookup

Field (mathematics) wikipedia , lookup

Factorization of polynomials over finite fields wikipedia , lookup

Transcript 
Computer Security
Private Key Algorithms
Feistel Networks
AES
Page 1
Symmetric/Private Key Algorithms
Plaintext
Key1
Encryption C = Ek(M)
Cyphertext
Key1
Decryption
M = Dk(C)
Original Plaintext
What granularity of the message does Ek encrypt?
Page 2
Private Key Exchange
Private Key method
Eka(k)
Trent
Generates k
Ekb(k)
Alice
Bob
Trusted third party Trent has already exchanged
private keys ka and kb with Alice and Bob,
respectively. (E.g., Kerberos)
Public Key method
Alice
Generates k
Ek1(k)
Bob
k1 = Bob’s public key
Or we can use a direct private-key-exchange
protocol, such as Diffie-Hellman (discussed later)
Page 3
Private Key Algorithms
Block Ciphers: blocks of bits at a time
– DES (Data Encryption Standard)
Banks, linux passwords (almost), SSL, kerberos, …
– Blowfish (SSL as option)
– IDEA (used in PGP, SSL as option)
– AES
Stream Ciphers: one bit (or a few bits) at a time
– RC4 (SSL as option)
– PKZip
– Sober, Leviathan, Panama, …
Page 4
Private Key: Block Ciphers
Encrypt one block at a time (e.g., 64 bits)
ci = f(k,mi) mi = f’(k,ci)
Keys and blocks are often about the same size.
Equal message blocks will encrypt to equal codeblocks
– Why is this a problem?
Various ways to avoid this:
– E.g. ci = f(k,ci-1  mi)
“Cipher block chaining” (CBC)
Why could this still be a problem?
Solution: attach random block to the front of the
message
Page 5
Iterated Block Ciphers
m
key
k1
R
R
.
.
.
s1
k2
s2
R
.
.
.
kn
Consists of n rounds
- DES: 16 rounds
- AES: 10-14 rounds
depending on key size
R = the “round” function
si = state after round i
ki = the ith round key
c
Page 6
Iterated Block Ciphers: Decryption
m
key
R-1
s1
R-1
.
.
.
k1
k2
s2
R-1
Run the rounds in
reverse.
Requires that R has an
inverse.
.
.
.
kn
c
Page 7
Feistel Networks
Even if function F is not invertible, rounds can still be
made invertible. Requires 2 rounds to mix all bits.
high-order bits
low-order bits
R
F
XOR
ki
R-1
F
ki
XOR
Forwards
Backwards
Used by DES (the Data Encryption Standard)
Page 8
Product Ciphers
Each round has two components:
– Substitution on smaller blocks
Decorrelate input and output: “confusion”
– Permutation across the smaller blocks
Mix the bits: “diffusion”
Substitution-Permutation Product Cipher
Avalanche Effect: 1 bit of input should affect all
output bits, ideally evenly, and for all settings of
other bits
Page 9
AES
Selected by NIST as the new private-key encryption
standard.
Based on an open “competition”.
– Competition started Sept. 1997.
– Narrowed to 5 Sept. 1999
• MARS by IBM, RC6 by RSA, Twofish by
Counterplane, Serpent, and Rijndael
– Rijndael selected Oct. 2000.
– Official Oct. 2001? (AES page on Rijndael)
Designed by Rijmen and Daemen (Dutch)
Page 10
Group
A group consists of a set S and a binary operator  on S
with the following properties:
Closure: for all a,b  S, a  b  S
Associativity: for all a,b,c  S, (a  b)  c = a  (b  c)
Identity element: there exists an element e such that for
each a  S, e  a = a  e = a
Inverses: for each a  S there exists an element b such
at a  b = b  a = e
Examples: integers and addition
{1,2,3,4} and multiplication mod 5
non-zero rational numbers and multiplication
Page 11
Abelian Group
A group is abelian or commutative if for every
a and b, a  b = b  a
Page 12
Field
A field consists of a set S and two operations, addition () and
multiplication () with the following properties:
Closure under addition and multiplication
Associativity of both addition and multiplication
Commutativity of both addition and multiplication
Identity elements for both addition and multiplication
Inverses: additive inverse for every element, multiplicative
inverses for all elements except additive identity
Distributivity of multiplication over addition:
a  (b  c) = (a  b)  (a  c)
(a  b)  c = (a  c)  (b  c)
Page 13
Examples of Fields
Rational numbers with addition, multiplication
Real numbers with addition, multiplication
Complex numbers with addition, multiplication
Finite fields:
Zp = {0,1,2,…,p-1} (p prime), addition and
multiplication mod p
Galois Fields
Page 14
High-level overview of AES
An iterated block cipher with
– 10–14 rounds,
– 128-256 bit blocks, and
– 128-256 bit keys
Mathematically reasonably sophisticated
Page 15
Blocks and Keys
The blocks and keys are organized as matrices of
bytes. For the 128-bit case, it is a 4x4 matrix.
 b0 b4 b8 b12 


 b1 b5 b9 b13 
b b b

b
 2 6 10 14 
b b b

b
 3 7 11 15 
Data block
 k0

 k1
k
 2
k
 3
k4
k5
k8
k9
k6
k10
k7
k11
k12 

k13 
k14 

k15 
Key
b0, b1, …, b15 is the order of the bytes in the stream.
Page 16
Galois Fields
Finite fields of size Pn for P prime, any n  0.
Let ZP[x] denote the set of polynomials on variable x with
coefficients drawn from ZP.
Then the polynomials
ZP[x] mod p(x)
where
p(x)  ZP[x] p(x) is irreducible (cannot be factored)
and deg(p(x)) = n (i.e., n+1 coefficients)
form a finite field. Such a field has pn elements.
(Irreducibility ensures multiplicative inverses.)
These fields are called Galois Fields or GF(Pn).
The special case n = 1 reduces to the fields ZP
The multiplicative group of GF(Pn)/{0} is cyclic (this will be
important later).
Page 17
Why do we care about Galois fields?
We would like to have finite fields consisting of, e.g.,
256 elements.
Integer arithmetic mod 256 isn’t a field: even
numbers don’t have multiplicative inverses.
CPS 290
Page 18
Example Galois Field: GF(23)
http://flylib.com/books/en/3.190.1.50/1/
CPS 290
Page 19
Galois Fields in AES
Uses GF(28) where each degree-7 polynomial (with
coefficients drawn from 0 or 1) is stored in a byte.
Example: z5 + z2 + z + 1 is stored as 00100111 = 0x27
The irreducible polynomial is:
z 8 + z4 + z3 + z + 1
Also uses degree-3 polynomials with coefficients from GF(28).
I.e., each coefficient is represented as a byte.
These are kept as 4 bytes (used for the columns)
The polynomial used as a modulus is:
M(x) = 00000001x4 + 00000001 or x4 + 1 (= x4 - 1)
Not irreducible (hence no Galois field), but we only need to find
inverses of polynomials that are relatively prime to it.
Page 20
Round i:
Keyi
in
0
1
2
3
.
.
Byte
substitution
Shift
Rows
+
Mix
columns
out
bit-wise XOR
To invert, run the steps and rounds backwards.
Each step must be reversible!
Page 21
Byte Substitution
b is a byte
Non linear: y = b-1 (done over GF(28)), 0 mapped to 0
Linear:
z = Ay + B (done over GF(2)=Z2, i.e., binary)
1

1

A  1

1


0 0 0 1 1 1 1

1 0 0 0 1 1 1

1 1 0 0 0 1 1

1 1 1 0 0 0 1



1
 
1
 0
 
 0
B 
 0
1
 
1
 0
 
To invert the substitution:
y = A-1(z - B) (the matrix A is nonsingular)
b = y-1
(over GF(28))
Page 22
Shift Rows
Cyclic shift of each row.
Four 4 columns, row i is shifted left i positions, or, equivalently,
shifted right 4-i positions.
 z0

 z1
z
 2
z
 3
z4
z8
z5
z9
z6
z10
z7
z11
z12 

z13 
z14 

z15 

 z0

 z5
z
 10
z
 15
z4
z8
z9
z13
z14
z2
z3
z7
z12 

z1 
z6 

z11 
Page 23
Mix Columns
For each column a in data block
a0
a1
a2
a3
hex representation of
polynomial in GF(28)
compute b(x) =
(a3x3+a2x2+a1x+a0)(’03’x3+’01’x2+’01’x+’02’) mod x4+1
where coefficients are taken over GF(28).
b0
New column b is b
1
b2
b3
where b(x)=b3x3+b2x2+b1x+b0
Page 24
Implementation
Using xj mod (x4 + 1) = x(j mod 4)
(a3x3+a2x2+a1x+a0)(3x3+x2+x+2) mod x4+1
= (2a0+3a1+a2+a3) +
(a0+2a1+3a2+a3)x +
(a0+a1+2a2+3a3)x2 +
(3a0+a1+a2+2a3)x3
Therefore, b = C  a
2

1
C 
1

3

3 1 1

2 3 1
1 2 3

1 1 2 
M(x) is not irreducible, but 3x3+x2+x+2 and M(x) are
co-prime, so the transform can be inverted.
Page 25
Generating the round keys
Use “key schedule” to generate round keys from cypher key.
f
round i
+
(In first
round, use
cypher key.)
+
+
round i+1
+
Words corresponding to columns of the key
f=
b1
b2
b3
b4
rotate
b2
b3
b4
b1
+
byte subst.
consti
Page 26
Linear Cryptanalysis
A known plaintext attack used to extract the key
i1
im k1
km
Round
o1
om
Consider a linear equality involving i, o, and k
– e.g.: k1  k6 = i2  i4  i5  o4
To be secure this should be true with p = .5
(probability over all inputs and keys)
If true with p = 1, then linear and easy to break
If true with p = .5 + e then you might be able to use
this to help break the system
Page 27
Differential Cryptanalysis
A chosen plaintext attack used to extract the key
I
K
Round
O
Considers fixed “differences” between inputs,
DI = I1 - I2, and sees how they propagate into
differences in the outputs, DO = O1 - O2.
“difference” is often exclusive OR
Assigns probabilities to different keys based on
these differences. With enough and appropriate
samples (I1, I2, O1, O2), the probability of a
particular key will converge to 1.
Page 28
Related documents
(3) Associative Property Let a, b, and c be any whole numbers. Then
(3) Associative Property Let a, b, and c be any whole numbers. Then
Solve for x - Denise Kapler
Solve for x - Denise Kapler
Formal Multiplication – HTU x TU
Formal Multiplication – HTU x TU
LO: To calculate angles on a straight line and use a protractor to
LO: To calculate angles on a straight line and use a protractor to
document 8935627
document 8935627
Properties of Multiplication Associative Property of Multiplication
Properties of Multiplication Associative Property of Multiplication
Algebraic Properties
Algebraic Properties
Chapter 1 Mid Chapter Review Math 7
Chapter 1 Mid Chapter Review Math 7
MATH 0960/1.10
MATH 0960/1.10
Sec. 6.3 Part 2 Blank Notes
Sec. 6.3 Part 2 Blank Notes
POSITIVE AND NEGATIVE INTEGERS
POSITIVE AND NEGATIVE INTEGERS