01-Symmetric Encryption
Symmetric Encryption
Nils Nordbotten
29.8.2023
Terminology
IN3210/4210 2
Main cryptographic cipher types
● Symmetric (one key, i.e., shared secret key)
- Stream
- Block
● Asymmetric (two keys, i.e., public / private key)
Model of symmetric cryptosystem (i.e., the sender and receiver share a secret key)
[Figure: the sender's encrypter computes C = E(K, P) from the plaintext P; the ciphertext C travels over the channel, where an opponent may observe it; the receiver's decrypter computes P = D(K, C)]
The secret key must be distributed over a secure channel, while the encryption algorithm is assumed to be publicly known.
The one-time pad (the Vernam cipher)
[Figure: worked example with 3-bit values: the plaintext P is XORed with the key K to give the ciphertext C, and XORing C with the same K gives back P]
If the key is reused, the one time pad no longer provides perfect secrecy
If we know that the plaintext starts with a 0, how can we manipulate the ciphertext so that the decrypted plaintext starts with a 1?
[Figure: 3-bit example: flipping the first bit of the ciphertext C flips the first bit of the decrypted plaintext P]
D(K, C ⨁ i) = P ⨁ i (i.e., changes to C are not detected and result in predictable changes to P)
The general lesson: a cipher only providing confidentiality does not provide
integrity/authenticity!
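The three points above (D(K, C ⨁ i) = P ⨁ i, key reuse, and confidentiality without integrity) worked through in Python as an added example that is not part of the lecture slides; the pad, messages and MAC key are constructed, and the HMAC-based encrypt-then-MAC check is one standard way to supply the missing integrity, not something the slides prescribe:

```python
import hmac
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # One-time pad: C = P XOR K, with a truly random key as long as the message, used once
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return xor_bytes(plaintext, key)

def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # D(K, C) = C XOR K = P; the same operation as encryption
    return otp_encrypt(key, ciphertext)

def modify_ciphertext(ciphertext: bytes, i: bytes) -> bytes:
    # The slide's observation: D(K, C XOR i) = P XOR i, so an unauthenticated change to C
    # is not detected and flips exactly the chosen bits of P
    return xor_bytes(ciphertext, i)

def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # Two ciphertexts under the same pad: C1 XOR C2 = P1 XOR P2, the key cancels out,
    # which is why a reused one-time pad no longer gives perfect secrecy
    return xor_bytes(c1, c2)

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> tuple:
    # Add the integrity the cipher alone lacks: a MAC (HMAC-SHA256 here) over the ciphertext
    c = otp_encrypt(enc_key, plaintext)
    return c, hmac.new(mac_key, c, hashlib.sha256).digest()

def verify_and_decrypt(enc_key: bytes, mac_key: bytes, c: bytes, tag: bytes):
    # Check the tag first (constant-time compare); return None instead of decrypting tampered data
    if not hmac.compare_digest(hmac.new(mac_key, c, hashlib.sha256).digest(), tag):
        return None
    return otp_decrypt(enc_key, c)

if __name__ == "__main__":
    p = b"\x00secret"                                       # constructed message whose first bit is 0
    k = bytes([0x5a, 0x13, 0x77, 0xc2, 0x09, 0xee, 0x31])   # constructed 7-byte pad
    c = otp_encrypt(k, p)
    mask = b"\x80" + b"\x00" * 6                            # i: flip only the first bit
    print(otp_decrypt(k, modify_ciphertext(c, mask))[0] >> 7)                  # 1: first bit of P flipped
    c2, tag = encrypt_then_mac(k, b"m" * 32, p)
    print(verify_and_decrypt(k, b"m" * 32, modify_ciphertext(c2, mask), tag))  # None: tampering detected
```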
Notions of cryptographic security
● Block ciphers
- AES
- Block cipher modes of operation
● Attacks on (symmetric) cryptosystems
Stream ciphers use pseudo-random number generators to generate a keystream that is XORed with the plaintext/ciphertext
[Figure: on both sides the key K seeds a pseudorandom number generator that produces the keystream k; the sender XORs k with the plaintext and the receiver XORs k with the ciphertext]
● WEP/WPA
- The attack on TLS with RC4 also applies to WPA/TKIP
- The vulnerabilities in WEP were not due to RC4 itself, but the way it was used
RC4 initialization
● Start with a key K of length ≤ 256 bytes:
    for i = 0 to 255 do
        S[i] = i                          (S = 0, 1, 2, 3, ..., 255)
        T[i] = K[i mod keylength]         (e.g., K = 2, 5 gives T = 2, 5, 2, 5, 2, 5, ...)
S is now initialized with all numbers from 0-255. T is initialized with K (where K is repeated if necessary to generate T of length 256).
● Use T to shuffle S:
    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) mod 256
        swap(S[i], S[j])
For each plaintext/ciphertext byte: shuffle S and generate the keystream value k that is XORed with the plaintext/ciphertext byte:
    i = j = 0
    for each plaintext byte Pi do
        i = (i + 1) mod 256
        j = (j + S[i]) mod 256
        swap(S[i], S[j])
        t = (S[i] + S[j]) mod 256
        k = S[t]
        Ci = Pi ⨁ k
ChaCha20 stream cipher (RFC 8439)
● ChaCha20 is a variation of Salsa20 that completed the final phase of eSTREAM in 2008, both designed by D. Bernstein
● Designed to be fast when implemented in software
- faster than AES when AES is not supported in hardware
● Successively calls a round function with increasing block counter:
- 20 rounds (i.e., 80 quarter rounds) before the original input is added to the current state to produce a block of keystream
- Quarter round function: addition (mod 2^32), XOR and roll/shift
- Alternates between column and diagonal rounds, where each quarter round takes one column or diagonal as input
[Figure: the original 16x32-bit input/state as a 4x4 matrix of words: four constants, eight key words, one block counter and three nonce words; and the quarter round function. Figure by Tony Arcieri (CC BY-SA)]
Random numbers
● Critical that these values are statistically random (uniform distribution and independence)
and that future values are unpredictable
- Improper random number generation is a common source of security vulnerabilities
Symmetric block ciphers map a fixed-size input block to a fixed-size output block
[Figure: input block → block cipher under key K → output block]
Advanced Encryption Standard (AES) uses the Rijndael block cipher
Rijndael was developed by the Belgian cryptographers Joan Daemen and Vincent Rijmen
AES-128
● Plaintext represented as a 4x4 byte matrix
[Figure: AES-128 encryption and decryption]
Rijndael/AES round function uses four invertible operations
Data Encryption Standard (DES)
3DES
Using Electronic Codebook (ECB) mode, each block is encrypted/decrypted independently
[Figure: each plaintext block is encrypted under K on its own to give the ciphertext block Cj]
Cipher Block Chaining (CBC) mode
● Needs to pad last block if the plaintext is not a multiple of the block size (can be
avoided using ciphertext stealing)
Counter (CTR) mode
[Figure: counter values X0 = IV, Xi = Xi-1 + 1 are encrypted under K to give Yi; encryption computes Ci = Pi ⨁ Yi and decryption computes Pi = Ci ⨁ Yi, so the block cipher is only ever used in the encrypt direction]
[Figure: the Galois/Counter Mode of Operation (GCM)]
Figure from NIST: page 7 of D. McGrew, J. Viega, The Galois/Counter Mode of Operation (GCM), Natl. Inst. Stand. Technol. [Web page], http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf, May 31, 2005, CC0, https://commons.wikimedia.org/w/index.php?curid=74845777
Output feedback mode (OFB) (used in this week's exercise)
Decryption is the same as encryption, using the ciphertext (instead of the plaintext) as input
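ECB, CBC and CTR as described on the mode slides above, implemented in Python as an added example (not code from the slides). Python's standard library has no AES, so block_encrypt is a constructed toy 16-byte Feistel cipher keyed via SHA-256 that stands in for AES only so the modes can be run; it is not a real cipher. ECB/CBC assume the plaintext is a multiple of 16 bytes (no padding is implemented), and repeated_blocks exposes the pattern leak of ECB that CBC and CTR avoid.

```python
import hashlib

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))          # truncates to the shorter input

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy stand-in for AES (constructed for this example): a 4-round Feistel network keyed via SHA-256
    L, R = block[:8], block[8:]
    for rnd in range(4):
        L, R = R, xor(L, _round(key, R, rnd))
    return L + R

def block_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for rnd in reversed(range(4)):                      # undo the rounds in reverse order
        L, R = xor(R, _round(key, L, rnd)), L
    return L + R

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: every block encrypted independently, so equal plaintext blocks give equal ciphertext blocks
    return b"".join(block_encrypt(key, b) for b in blocks(pt))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block (IV first) before encryption
    out, prev = [], iv
    for b in blocks(pt):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    cs = blocks(ct)
    return b"".join(xor(block_decrypt(key, c), p) for p, c in zip([iv] + cs, cs))

def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CTR: X0 = IV, Xi = Xi-1 + 1, Yi = E(K, Xi), Ci = Pi XOR Yi; the same call decrypts, no padding needed
    x0 = int.from_bytes(iv, "big")
    ys = (block_encrypt(key, ((x0 + i) % 2**128).to_bytes(BLOCK, "big")) for i in range(len(blocks(data))))
    return b"".join(xor(b, y) for b, y in zip(blocks(data), ys))

def repeated_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that repeat an earlier block: ECB leaks plaintext structure this way
    bs = blocks(ct)
    return len(bs) - len(set(bs))
```

OFB differs from ctr_crypt only in what feeds the encryptor: Yi = E(K, Yi-1) with Y0 = E(K, IV) instead of a counter, which is why its decryption is likewise the same operation as encryption.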
Attacks on cryptosystems
● Brute-force attack
- On average half the keys must be tried
- Must be able to recognize valid plaintext
- Mitigated by sufficient key length
● Cryptanalysis
- Weaknesses in the cipher may mean that far less effort/fewer resources are required than for a brute-force attack
● Attacks on implementation
- E.g., side channel attacks based on variations in power consumption, timing, or emanations
● Attacks on key management or the environment
- E.g., circumventing encryption by exploiting vulnerabilities in the end-user operating system
Cryptanalytic attacks
[Table: relative illustration of average time required for exhaustive key search; table from W. Stallings, Cryptography and Network Security]
● Using a meet-in-the-middle attack the effort for 3DES can be reduced to 112 bits
● Given successful quantum computers, the symmetric key size must be about doubled to achieve the same security (Grover's algorithm)
[Figure: categorization of 269 cryptographic vulnerabilities from the CVE database in the period 2011-2014]