# Symmetric-key Encryption

Encryption is an important tool in cryptography, and cryptography is an important building block for security. But there's much more to security than just cryptography or encryption.

- **Cryptography is not the solution.** It can help and harm security. Used incorrectly, cryptography makes systems less secure.
- **Cryptography is not easy.** Don't invent it yourself. Use well-studied solutions (and standards, though they sometimes have problems).
- **Cryptography is not cheap, but who cares?** It may incur a performance hit, but what do you want: a fast system, or a secure system? We have enough fast, insecure systems.

This material is dangerous. You won't know enough about cryptography when we're done, but you'll go off and use it anyway. Be **very** suspicious of yourself. Take further courses in cryptography if you really want to play in this space.

There are two branches of cryptography: modern and applied.

- **Modern:** we prove it's secure, mathematically, but the algorithms are typically inefficient.
- **Applied:** we think it's secure, in practice, and the algorithms are typically efficient.

## Encryption as a countermeasure

**Threat:** An attacker who controls the communication network. This attacker can arbitrarily read, modify, and delete messages. Think of this communication model as one in which messages are always sent to the attacker, never to the intended recipient. The attacker can then forward the message along if he chooses, redirect the message, save it for later replay, etc. This kind of threat is called a *Dolev&ndash;Yao* attacker.

**Harm:** Messages containing secret information could be disclosed to the adversary, thus violating confidentiality.

**Vulnerability:** The communication channel between sender and receiver can be read by untrusted principals.

**Countermeasure:** Encryption.

## Symmetric-key encryption schemes

```
1. Alice: c = Enc(m; k)
2. Alice -> Bob: c
3. Bob: m = Dec(c; k)
```

The format we use above is a *protocol narration*: each step is numbered and is either a computation or a message. We identify the principal(s) involved at each step by writing their names followed by a colon. Enc is the encryption algorithm; Dec is decryption.

Alice and Bob must somehow *share* a key k that has previously been generated:

```
0. k = Gen(len)  // len is length of key
1. ...
```

Together, (Gen, Enc, Dec) constitute an *encryption scheme* or *cryptosystem*. Well-known examples of encryption schemes include AES (which uses shared keys) and RSA (which does not).

What makes an encryption scheme secure?

- **Kerckhoffs' Principle:** Secrecy should depend *only* upon the key being secret&mdash;not the algorithms. You might see "proprietary encryption" algorithms touted as a good thing. [They're not.](http://www.google.com/#q=proprietary+encryption+broken) This principle is an instance of Open Design.
- Given a ciphertext, no function of the plaintext can be computed.

There is a provably perfectly secure encryption scheme called the *one-time pad*. Gen must generate a uniformly random sequence of bits of the same length as the message to be encrypted. Enc simply xors those random bits with the message, and Dec is identical to Enc. There are practical problems to deploying this scheme:

1. The keys must be really long (as long as the messages).
2. You may never re-use a key (because doing so would reveal [relationships between messages](https://cryptosmith.com/2008/05/31/stream-reuse/): (m1 &oplus; k) &oplus; (m2 &oplus; k) = m1 &oplus; m2).
3. Hence distributing the keys is difficult.

Practical encryption schemes instead rely on one short key that can be reused for many messages.

## Block Ciphers

Efficient encryption schemes usually operate on fixed-size messages called *blocks*. Such schemes are called *block ciphers*. Here are some well-known examples:

- **DES (Data Encryption Standard).** Block size: 64 bits; key size: 56 bits.
DES was designed by IBM in 1973-4, tweaked by the NSA, then became the US standard for encryption. International adoption followed.
- **3DES (Triple DES).** Block size: 64 bits; key size: 112 or 168 bits. 3DES is a strengthening of DES introduced in 1998, because 56-bit keys had become feasible to brute force. 3DES is simply three DES encryptions with two different keys, for an effective 112-bit key; or with three different keys, for an effective 168-bit key.
- **AES (Advanced Encryption Standard).** Block size: 128 bits; key size: 128, 192, or 256 bits. AES resulted from a public competition held by NIST, ending in 2001. It's now the US standard, approved by the NSA for Top Secret information.

When a block cipher has multiple key lengths available, we indicate the particular length being used by appending it to the name of the cipher. AES-192, for example, means AES with 192-bit keys.

### Breaking an encryption scheme

An attacker might attempt to recover an unknown key (hence be able to decrypt ciphertexts), or directly decrypt a ciphertext (without necessarily recovering the key), or learn relationships amongst related keys or messages, etc. For the sake of this discussion, let's assume the attack objective is to recover a key, given knowledge of many plaintexts and ciphertexts encrypted under that key; the ideas here generalize to other kinds of attacks.

A *brute force* or *exhaustive* search means trying every possible key (e.g., for AES-128, trying 2^128 keys) to determine which is the right key.

We'll say that a *break* of an encryption scheme is an attack that succeeds in recovering the key in fewer steps than brute force (e.g., only 2^99.5 tries for AES-256, which is what one theoretical, impractical attack already achieves).

If 2^X is the number of steps necessary to succeed at an attack, then we'll say that X is the *strength* (or *security level*) of an encryption scheme. In the best case, the strength equals the key length.
In practice, the strength goes down as attacks are discovered. E.g., 3DES-168 has a known attack that requires only 2^112 steps, reducing its strength from 168 to 112. Currently no practical attacks are known for AES, so&mdash;for now&mdash;its strength remains at the key length.

## Recommended key lengths

Various entities publish recommendations for cryptographic strength based on known attacks, hardware capabilities, and predicted advances. This website summarizes recommendations by NIST, ECRYPT, and others: <http://www.keylength.com/en/>.

## Exercises

1. It's difficult to define an *ideal block cipher* without involving some theory we haven't covered. But you could think about it in the following way. For every possible key, there is a lookup table mapping input blocks (plaintexts) to output blocks (ciphertexts). This set of tables would be huge. Every table would be chosen uniformly at random from the space of all permutations on blocks. How much space would be required to store a table for an entire ideal block cipher that operates on 64-bit blocks and 80-bit keys?
2. Under what circumstances might you choose 3DES over AES? Under what circumstances might you choose AES over 3DES?
3. One-time pads are theoretically perfect ciphers. So why are they not used in practice on the Internet?
4. Suppose a company chose to use encryption to protect its most sensitive information, and the only person in the company who had the decryption key was the chief security officer (CSO). Under what circumstances might the key need to be made available to other employees? Describe a strategy such that the key could become available if needed but would generally be protected against casual access.
5. If a company had encrypted its most sensitive data with a key held by the CSO, and the CSO were fired, the company would want to change its decryption key. Describe what would be necessary to revoke the old key and deploy a new one.
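
The one-time pad from the section on symmetric-key encryption schemes, together with the key-reuse problem listed among its practical issues, as an added Python example (not part of the original notes). `gen`, `enc` and `dec` mirror the page's Gen/Enc/Dec; `reuse_leak`, `PadBook` and the sample messages are constructed here for illustration.

```python
import secrets

def gen(length: int) -> bytes:
    """Gen: a uniformly random key as long as the message (in bytes)."""
    return secrets.token_bytes(length)

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad needs len(key) == len(message)")
    return bytes(x ^ y for x, y in zip(a, b))

enc = xor  # Enc(m; k) = m XOR k
dec = xor  # Dec is identical to Enc

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns from two ciphertexts under one key:
    (m1 ^ k) ^ (m2 ^ k) = m1 ^ m2, with the key cancelled out."""
    return xor(c1, c2)

class PadBook:
    """Hypothetical helper: hands out each key byte at most once."""
    def __init__(self, total_bytes: int):
        self._pad = gen(total_bytes)
        self._used = 0

    def next_key(self, length: int) -> bytes:
        if self._used + length > len(self._pad):
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        key = self._pad[self._used:self._used + length]
        self._used += length
        return key

def demo():
    m1 = b"PAY ALICE $100"  # constructed sample messages of equal length
    m2 = b"PAY BOB   $999"
    k = gen(len(m1))
    c1, c2 = enc(m1, k), enc(m2, k)  # the mistake: the same k used twice
    leak = reuse_leak(c1, c2)
    # Anyone who knows m1 turns the leak into m2 without ever seeing k.
    recovered = xor(leak, m1)
    return dec(c1, k), leak == xor(m1, m2), recovered

if __name__ == "__main__":
    print(demo())
```

`PadBook` shows why problem 1 follows from problem 2: never reusing key bytes means the pad must be as long as all traffic combined, which is the distribution problem the notes describe.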