Network systems security by mort anvari lecture5

Slide 1

After DES…

Network Systems Security

Mort Anvari

Slide 3

Triple DES

- Clearly a replacement for DES was needed
  - attacks
- Use multiple encryptions with DES implementations
- Triple-DES is the chosen form

Slide 4

Why Triple-DES?

- Double-DES may suffer from meet-in-the-middle attack
  - works whenever use a cipher twice

Slide 5

Triple-DES with Two Keys

- Must use 3 encryptions
  - would seem to need 3 distinct keys
- But can use 2 keys with E-D-E sequence
  - encrypt & decrypt equivalent in security
  - C = E_K1[D_K2[E_K1[P]]]
  - if K1 = K2 then can work with single DES
- Standardized in ANSI X9.17 & ISO 8732
- No current known practical attacks

Slide 6

Triple-DES with Three Keys

- Some proposed attacks on two-key Triple-DES, although none

Slide 7

Origins of Advanced Encryption Standard

- Triple-DES is slow with small blocks
- US NIST issued call for ciphers in 1997
- 15 candidates accepted in Jun 1998
- 5 were shortlisted in Aug 1999
- Rijndael was selected as the AES in Oct 2000
- Issued as FIPS PUB 197 standard in Nov 2001

Slide 8

AES Requirements

- Private key symmetric block cipher
- 128-bit data, 128/192/256-bit keys
- Stronger and faster than Triple-DES
- Active life of 20-30 years (+ archival use)
- Provide full specification and design details
- Both C and Java implementations
- NIST has released all submissions and unclassified

Slide 9

AES Evaluation Criteria

Slide 10

AES Shortlist

- Shortlist in Aug 99 after testing and evaluation
  - MARS (IBM) - complex, fast, high security margin
  - RC6 (USA) - very simple, very fast, low security margin
  - Rijndael (Belgium) - clean, fast, good security margin
  - Serpent (Euro) - slow, clean, very high security margin
  - Twofish (USA) - complex, very fast, high security margin
- Subject to further analysis and comment

Slide 11

The Winner - Rijndael

- Designed by Rijmen-Daemen in Belgium
- Has 128/192/256 bit keys, 128 bit data
- An iterative rather than Feistel cipher
  - treats data in 4 groups of 4 bytes
  - operates on an entire block in every round
- Designed to be
  - resistant against known attacks
  - speed and code compactness on many CPUs
  - design simplicity
- Use finite field

Slide 12

Abstract Algebra Background

- Group
- Ring
- Field

Slide 13

Group

- A set of elements or “numbers”
- With a binary operation whose result is also in the set (closure)
- Obey following axioms
  - associative law: (a.b).c = a.(b.c)
  - has inverses a^-1: a.a^-1 = e
- Abelian group if commutative: a.b = b.a

Slide 14

Ring

- distributive over addition: a(b+c) = ab + ac
- Commutative ring if multiplication operation is commutative
- Integral domain if multiplication operation has identity and no zero divisors

Slide 15

Field

- A set of numbers with two operations
- (ignoring 0)
  - multiplicative inverse: aa^-1 = a^-1a = 1
- Infinite field if infinite number of elements
- Finite field if finite number of elements

Slide 16

Modular Arithmetic

- Define modulo operator a mod n to be remainder when a is divided by n
- Use the term congruence for: a ≡ b mod n
  - when divided by n, a and b have same remainder
  - e.g. 100 ≡ 34 mod 11
- b is called the residue of a mod n if 0 ≤ b ≤ n-1
  - with integers can write a = qn + b

Slide 17

- A non-zero number b is a divisor of a if for some m have a = mb (a, b, m all integers)
- That is, b divides a with no remainder
- Denote as b|a
- E.g. all of 1, 2, 3, 4, 6, 8, 12, 24 divide 24

Slide 18

Modular Arithmetic

- Can do modular arithmetic with any group of integers Zn = {0, 1, … , n-1}
- Form a commutative ring for addition
- With a multiplicative identity
- Some peculiarities
  - if (a+b) ≡ (a+c) mod n then b ≡ c mod n
  - but (ab) ≡ (ac) mod n then b ≡ c mod n

Slide 19

Modulo 8 Example

Slide 20

Greatest Common Divisor (GCD)

- GCD(a,b) of a and b is the largest number that divides evenly into both a and b
  - e.g. GCD(60,24) = 12
- It is often desirable to find numbers that are relatively prime, namely they have no common factors (except 1)
  - e.g. 8 and 15 relatively prime as GCD(8,15) = 1

Slide 22

Galois Fields

- Finite fields play a key role in cryptography
- Number of elements in a finite field must be a power of a

Slide 23

Galois Fields GF(p)

- GF(p) is set of integers {0, 1, … , p-1} with arithmetic operations modulo prime p
- Form a finite field
  - since have multiplicative inverses
- Hence arithmetic is “well-behaved” and can do addition, subtraction, multiplication, and division without leaving the field GF(p)

Slide 24

Arithmetic in GF(7)

Slide 25

Finding Multiplicative Inverses

- By extending Euclid’s algorithm
  1. (A1, A2, A3) = (1, 0, m);
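The slides keep only the first line of the extended Euclid inverse algorithm. The Python below is an added example (my own code, not from the lecture): it completes the (A1, A2, A3)/(B1, B2, B3) form and uses it to show the Zn peculiarity from slide 18, namely that a factor a can be cancelled from (ab) ≡ (ac) mod n exactly when gcd(a, n) = 1, i.e. when a has an inverse mod n. Function names are my own.

```python
def extended_euclid(m, b):
    """Extended Euclid in the slide's form: start from (A1, A2, A3) = (1, 0, m), (B1, B2, B3) = (0, 1, b).
    Returns (gcd, inverse), where inverse is b^-1 mod m, or None when gcd(m, b) != 1.
    Invariant kept on every iteration: A1*m + A2*b == A3 and B1*m + B2*b == B3."""
    a1, a2, a3 = 1, 0, m
    b1, b2, b3 = 0, 1, b
    while True:
        if b3 == 0:
            return a3, None          # gcd = A3 > 1 (or b == 0): no inverse exists
        if b3 == 1:
            return 1, b2 % m         # gcd = 1: B2 is the inverse of b mod m
        q = a3 // b3
        t1, t2, t3 = a1 - q * b1, a2 - q * b2, a3 - q * b3
        a1, a2, a3 = b1, b2, b3
        b1, b2, b3 = t1, t2, t3

def can_cancel(a, n):
    """Cancelling a in (ab) = (ac) mod n is valid exactly when a has an inverse mod n."""
    return extended_euclid(n, a)[1] is not None

def counterexample(a, n):
    """Return b != c (mod n) with ab = ac (mod n), i.e. a case where cancelling a fails, or None."""
    for b in range(n):
        for c in range(b + 1, n):
            if (a * b) % n == (a * c) % n:
                return b, c
    return None
```

In Z8 (the slide's modulo 8 example) 2 has no inverse, so 2*0 ≡ 2*4 mod 8 although 0 ≢ 4, whereas 3 is invertible (3*3 ≡ 1 mod 8) and can always be cancelled.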

Slide 26

Polynomial Arithmetic

- Can compute using polynomials
- Several alternatives available

Slide 27

Ordinary Polynomial Arithmetic

- Add or subtract corresponding coefficients
- Multiply all terms by each other

Slide 28

Polynomial Arithmetic with Modulo Coefficients

- Compute value of each coefficient as modulo some value
  - Could be modulo any prime
  - But we are most interested in mod 2
  - i.e. all coefficients are 0 or 1
- e.g. let f(x) = x^3 + x^2, g(x) = x^2 + x + 1

Slide 29

- If no remainder say g(x) divides f(x)
- If g(x) has no divisors other than itself and 1 say it is irreducible (or prime) polynomial
- Arithmetic modulo an irreducible polynomial forms a field

Slide 30

Polynomial GCD

- Can find greatest common divisor for polys
  - c(x) = GCD(a(x), b(x)) if c(x) is the poly of greatest degree which divides both a(x), b(x)
  1. A(x) = a(x); B(x) = b(x)
  2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]
  3. R(x) = A(x) mod B(x)

Slide 31

Modular Polynomial Arithmetic

- Can compute in field GF(2^n)
  - polynomials with coefficients modulo 2
  - whose degree is less than n
  - hence must reduce modulo an irreducible poly of degree n (for multiplication only)
- Form a finite field
- Can always find an inverse
  - can extend Euclid’s Inverse algorithm to find

Slide 32

Arithmetic in GF(2^3)

Slide 33

- Process data as 4 groups of 4 bytes (State)
- Has 9/11/13 rounds in which state undergoes:
  - byte substitution (1 S-box used on every byte)
  - shift rows (permute bytes between groups/columns)
  - mix columns (subs using matrix multiply of groups)
  - add round key (XOR state with key material)
- Initial XOR key material & incomplete last round
- All operations can be combined into XOR and table lookups, hence very fast and efficient

Slide 34

Rijndael

Slide 35

AES Round

Slide 36

Byte Substitution

- column (right 4 bits)
  - e.g. byte {95} is replaced by row 9 col 5 byte, which is {2A}

Slide 37

Shift Rows

- Circular byte shift in each row
  - 1st row is unchanged
  - 2nd row does 1 byte circular shift to left
  - 3rd row does 2 byte circular shift to left
  - 4th row does 3 byte circular shift to left
- Decryption does shifts to right
- Since state is processed by columns, this step permutes bytes between the columns

Slide 38

Mix Columns

- Each column is processed separately
- Each byte is replaced by a value dependent on all 4 bytes in the column
- Effectively a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1
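One worked example, added here and not part of the lecture, that ties the polynomial slides (26-32) to the AES steps above: polynomials over GF(2) are held as integers (bit i = coefficient of x^i), multiplied and divided as on slide 28 (f(x) = x^3 + x^2, g(x) = x^2 + x + 1), reduced modulo the Mix Columns polynomial m(x) = x^8 + x^4 + x^3 + x + 1, inverted by extended Euclid over polynomials, and used for the byte substitution that maps {95} to {2A} and for one MixColumns column. The S-box entry is computed as GF(2^8) inverse followed by the FIPS-197 affine transform rather than read from a table; function names are my own.

```python
AES_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, the prime polynomial named on the Mix Columns slide

def poly_mul(a, b):
    """Multiply polynomials over GF(2) (ints, bit i = coefficient of x^i) with no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def poly_divmod(a, b):
    """Long division in GF(2)[x]: returns (quotient, remainder); b divides a when remainder is 0."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf_mul(a, b, m=AES_POLY):
    return poly_divmod(poly_mul(a, b), m)[1]   # GF(2^8): multiply, then reduce modulo irreducible m(x)

def gf_inv(a, m=AES_POLY):
    """Inverse in GF(2^8) by extended Euclid on polynomials, in the (A1,A2,A3)/(B1,B2,B3) form of the slides."""
    a1, a2, a3 = 1, 0, m   # invariant: A1*m + A2*a == A3
    b1, b2, b3 = 0, 1, a   # invariant: B1*m + B2*a == B3
    while b3 > 1:          # for irreducible m and 0 < a < 256 this always ends with B3 == 1
        q, r = poly_divmod(a3, b3)
        a1, a2, a3, b1, b2, b3 = b1, b2, b3, a1 ^ poly_mul(q, b1), a2 ^ poly_mul(q, b2), r
    if b3 == 0:
        raise ValueError("no inverse: a is 0 or shares a factor with m(x)")
    return poly_divmod(b2, m)[1]

def sbox(byte):
    """AES byte substitution: GF(2^8) inverse (0 stays 0), then the FIPS-197 affine transform."""
    x = gf_inv(byte) if byte else 0
    s = x
    for _ in range(4):                     # s = x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4)
        x = ((x << 1) | (x >> 7)) & 0xFF
        s ^= x
    return s ^ 0x63

def mix_column(col):
    """MixColumns on one 4-byte column: multiply by the circulant matrix with first row (2 3 1 1) in GF(2^8)."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
```

With these, f(x)*g(x) = x^5 + x^2 and f(x) = x*g(x) + x reproduce the slide 28 example, and gf_mul(0x57, 0x83) gives 0xC1 as in FIPS-197.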

Slide 39

Add Round Key

- XOR state with 128 bits of the round key
- Again processed by column (though effectively a series of byte operations)
- Inverse for decryption is identical since XOR is own inverse, just with correct round key
- Designed to be as simple as possible

Slide 40

AES Key Expansion

- Take 128-bit (16-byte) key and expand into array of 44/52/60 32-bit words
- Start by copying key into first 4 words
- Then loop creating words that depend on values in previous and 4 places back
  - in 3 of 4 cases just XOR these together
  - every 4th has S-box + rotate + XOR constant of previous before XOR together

Slide 41

  - but using inverses of each step
  - with a different key schedule
- Works since result is unchanged when
  - swap byte substitution & shift rows
  - swap mix columns and add (tweaked) round key

Slide 42

Implementation Aspects

- Can efficiently implement on 8-bit CPU
  - byte substitution works on bytes using a table of 256 entries
  - shift rows is simple byte shifting
  - mix columns requires matrix multiply

Slide 43

Implementation Aspects

- Can efficiently implement on 32-bit CPU
  - redefine steps to use 32-bit words
  - can precompute 4 tables of 256 words
  - then each column in each round can be computed using 4 table lookups + 4 XORs
  - at a cost of 16Kb to store tables
- Designers believe this very efficient implementation was a key factor in its selection as the AES cipher

Slide 44

Next Class

- Confidentiality of symmetric encryption
- Asymmetric encryption: RSA

Posted: 09/01/2018, 11:57
