Serious Cryptography 4
S-boxes
"substitution boxes", small lookup tables that transform chunks of 4 or 8 bits. Should be as nonlinear as possible and have no statistical bias.
Block Cipher
A cipher that manipulates an entire block of plaintext at one time. Consists of an encryption algorithm and a decryption algorithm.
Triple DES (3DES)
A more-secure variant of DES that repeatedly encodes the message using three separate DES keys. 112 bit security, but the key must be 168 bits long, and it's slow in software. DES encrypts, then decrypts, then encrypts again, using a separate key for each stage. Vulnerable to Meet-in-the-Middle attacks.
A Nonce
A number used only once. Same for all blocks in a message, but no two messages should use the same nonce. Needs to be unique for the same reason a one-time pad shouldn't be reused. Unlike the initial value in CBC, it doesn't need to be random, only unique.
Advanced Encryption Standard (AES)
A symmetric cipher that was approved by NIST in late 2000 as a replacement for DES. Developed in Belgium. Most used cipher in the Universe. NSA approved for top-secret info. Result of a NIST "Got Talent" competition, 1997-2000. Originally named "Rijndael" after its designers Rijmen and Daemen.
Data Encryption Standard (DES)
An older block cipher selected by the United States federal government back in the 1970s as its encryption standard; due to its short key, it is now considered deprecated. 56 bit security.
Security Goals
Attackers shouldn't be able to find any pattern in the values. It should be impossible to tell a block cipher from a random permutation. Attackers should be unable to recover the secret key.
AES Internals
Blocks of 128 bits; a 128-bit key is most common. Manipulates bytes. Views a 16-byte plaintext as a 2-dimensional array (the state) of bytes. AES transforms the bytes, columns, and rows of the array to produce ciphertext.
Other Block Ciphers
CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, Magenta, MARS, RC6, SAFER+, Serpent, Twofish. NSA designs: Skipjack, SIMON, SPECK. Lightweight: KATAN, PRESENT, PRINCE.
GOST 28147-89
Developed by the KGB, kept secret until 1990 and still used.
AES round - 4 building blocks
Each round consists of: (1) SubBytes, replaces each byte with another byte according to an s-box (substitution layer); (2) ShiftRows, shifts the ith row by i positions, for i ranging from 0 to 3 (permutation layer); (3) MixColumns, applies the same linear transformation to each of the 4 columns of the state (permutation layer); (4) AddRoundKey, XORs a round key into the internal state. MixColumns is left out of the last round because it's linear and too predictable.
Decryption algorithm
Essentially the encryption algorithm run in reverse. Takes the ciphertext and the same secret key and produces the original plaintext.
Feistel Scheme
Horst Feistel in the 70s designed the block cipher "Lucifer": (1) split the 64-bit block into 2 halves, L and R; (2) set L to a "substitution-permutation round"; (3) swap the values of L and R; (4) repeat step 2, 15 times; (5) merge L and R again to form the 64-bit output block. The rounds can be pseudorandom permutations (PRP), yielding very distinct outputs from inputs, or pseudorandom functions (PRF), yielding only values X and Y. DES performs 16 rounds, GOST performs 32 rounds. In theory, only 4 rounds are sufficient.
Rounds
In a block cipher, a round is a basic transformation that is simple to specify and implement, iterated several times to form the algorithm. Simpler to implement and analyze than one huge algorithm.
Substitution-Permutation Networks (SPNs)
In a block cipher, confusion and diffusion take the form of substitution and permutation operations, which are combined here. Substitution appears in the form of s-boxes. Permutation is changing the order of the bits, sometimes using linear algebra or matrix multiplications to mix up the bits, like the block cipher FOX.
Electronic Codebook (ECB) Mode
Insecure, should never be used. Just changes the colors of the penguin. Identical ciphertext blocks reveal identical plaintext blocks. Only takes complete blocks of data, so with 16-byte blocks it encrypts in 16-byte increments.
Cipher Block Chaining (CBC) Mode
Like ECB, but CBC mode makes each ciphertext block dependent on all the previous blocks, and ensures that identical plaintext blocks won't produce identical ciphertext blocks. A "random initial value" guarantees that two identical plaintexts will become different ciphertexts. Decryption is a lot faster due to parallelism, and the initial value is sent with the ciphertext, in the clear. Encryption always has to wait for the previous block's ciphertext.
Meet-in-the-middle attack
Makes double DES only as secure as single DES. The reason triple DES (3DES) was created. Also the reason why 3DES gets only 112-bit security despite having 168 bits of key material.
Ciphertext stealing
More complex and less common than padding. (1) Plaintexts can be any bit length, not just whole bytes. (2) Ciphertexts are always the same length as plaintexts. (3) Not vulnerable to padding oracle attacks. In CBC mode, it extends the last incomplete plaintext block with bits from the previous ciphertext block, then encrypts the entire block. The last ciphertext block is made up of the first bits of the previous ciphertext block. Inelegant, and hard to get right.
Block Size
Security depends on the block size and the key size. Typically 64-bit or 128-bit blocks: DES is 64 bits and AES is 128 bits. Can't be too large, to keep the ciphertext length and memory footprint small.
Padding Oracle Attack
Simple and devastating attack. The system behaves differently depending on whether the padding of a CBC-encrypted ciphertext is valid, returning either a "success" or an "error" value. The padding oracle sends error messages when it receives a malformed ciphertext. The padding oracle attack consists of recording which inputs have valid padding and which don't. Attackers can exploit this information to decrypt chosen ciphertexts, a chosen-ciphertext attack (CCA).
AES KeyExpansion
The AES key schedule algorithm. Creates 11 round keys of 16 bytes each using the same s-box as SubBytes and a combination of XORs. By reversing the algorithm, an attacker who recovers one round key can determine all the other round keys, as well as the main key. An imperfect defense against side-channel attacks, in which attackers can recover a round key.
AES Secure?
Yes, it will never be broken. There is no proof that it's immune to all types of attacks. The biggest threat is the mode of operation, not the core algorithm.
encryption algorithm
a set of steps that can convert readable plaintext into unreadable ciphertext
Padding a message
a technique that allows you to encrypt a message of any length, even one smaller than a single block. Rules for padding a 16-byte block: if there's 1 byte left over (e.g. a 17-byte message), pad it with 15 more bytes, and so on. Always makes the ciphertext longer, by at least 1 byte and up to a full block!
AES uses
an SPN structure with 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.
A Counter
an integer that is incremented for each block. No two blocks should use the same counter value within a message, but different messages can use the same counter values. Always guaranteed to be unique if it's incremented for every new plaintext block.
Pseudorandom Permutation (PRP)
as long as the key is secret, an attacker shouldn't be able to compute an output of the block cipher from any input.
Codebook Attacks
attacks against block ciphers that are only efficient when smaller blocks are used. Only effective with blocks of 64 bits or less. Builds a lookup table (the codebook) mapping each ciphertext block to its plaintext block.
cache-timing attacks
exploit timing variations when a program reads or writes elements in cache memory. Timings leak information about which element was accessed. Difficult to stop... you can't ditch lookup tables altogether. Instead of relying on vulnerable software, rely on hardware.
Round Key
keys derived from the main key using an algorithm called a "key schedule". Should be different from each other in every round. Also protects against side-channel attacks (attacks that exploit info leaked by the implementation of a cipher)! Few block ciphers have a one-way key schedule.
Slide Attacks
look for 2 plaintext/ciphertext pairs. When rounds are identical, the relation between the 2 plaintexts reveals the relation between the 2 ciphertexts. Knowing the input/output of a round can help recover the key. Using different round keys makes sure rounds behave differently and foils this attack.
Table-Based Implementations
of AES replace the sequence SubBytes-ShiftRows-MixColumns with a combination of XORs and lookup tables hardcoded into the program and memory. Encryption needs 4 KB worth of tables, because each table stores 256 32-bit values (8192 bits = 1 KB). Decryption needs another 4 KB. This is vulnerable to cache-timing attacks.
AES Native Instructions (AES-NI)
solve the problem of cache-timing attacks. They allow you to tell the processor to run an AES round instead of requiring you to program rounds as a combination of basic operations. Just call the instruction "AESENC" and the chip computes the round for you. AES is 10x faster on platforms that implement the native instructions.
Confusion
the input undergoes complex transformations. "Depth"
memory footprint
to process a 128-bit block, you need 128 bits of memory. Blocks of 64, 128, or 512 bits are short enough to allow for efficient implementations. Use 128-bit over 64-bit blocks whenever possible: they are processed more efficiently and are more secure.
Diffusion
transformations depend equally on all bits of the input. "Breadth"
Counter (CTR) Mode
turns a block cipher into a stream cipher: takes bits in and spits out bits. Doesn't make blocks. Encrypts blocks composed of a counter and a nonce. The nonce is sent in the clear with the ciphertext. Faster than any other mode... you can pick a nonce and start encrypting before even knowing the plaintext.