Engineering Cryptographic Applications
Plan for the Course
Today: Symmetric Encryption
– Introduction, a bit of History
– Perfect Ciphers
– Cryptanalysis of Imperfect Ciphers
– Modern Symmetric Ciphers
Oct 11 (10:30am): Implementation, Authentication
Oct 18 (10:30am): Public-Key Protocols
Oct 25 (10:30am): New Applications
Engineering Crypto Applications 1evans@virginia.edu
Goal of The Course?
Learn enough so you can
design and implement
crypto applications
Learn enough so you know how hard it is to get crypto right, and will not be foolish enough to try it based on an 8-hour course!
User Interaction Design
• Every programmer thinks they can do it. Obscenely over-paid consultants claim they can’t.
• If you get it wrong, every customer notices (and leaves).
Cryptosystem Design
• Every engineer with strong math background thinks they can do it. Obscenely over-paid consultants claim they can’t.
• If you get it wrong, probably no one notices.
“If they had consulted with
anyone that knows anything
about password security, this
would not have happened,” said
Paul Kocher, president of
Cryptography Research, a San
Francisco computer security firm.
Karsten Nohl, …, said the encryption hole
allowed outsiders to obtain a SIM card’s
digital key, …, which let him eavesdrop on a
caller, make purchases through mobile
payment systems and even impersonate the
phone’s owner… as many as 750 million
phones may be vulnerable to attacks… Mr.
Nohl said. “We can spy on you. We know
your encryption keys for calls. We can read
your S.M.S.’s. More than just spying, we can
steal data from the SIM card, your mobile
identity, and charge to your account.”
Real Goals
• Know enough to avoid obviously bad crypto
designs and implementation
• Know enough to be able to ask important
questions about cryptosystems
• Know enough to know what you need to
learn more about to build something secure
• …and hopefully fun and interesting for
everyone!
What is cryptology?
• Greek: κρυπτός = “kryptos” = hidden (secret)
• Cryptography – secret writing
• Cryptanalysis – analyzing (breaking) secrets
Cryptanalysis is what an attacker does
Decryption is what the intended receiver does
• Cryptosystems – systems that use secrets
• Cryptology – science of secrets
Cryptology is a branch of mathematics:
about abstract numbers and functions.
Security is an engineering goal: it involves
mathematics, but is mostly about real
implementations and people.
Introductions
Alice encrypts plaintext to ciphertext and sends it over an insecure channel; Bob decrypts it back to plaintext. Eve (passive attacker) observes the channel.
Introductions
Alice encrypts plaintext to ciphertext and sends it over an insecure channel (e.g., the Internet); Bob decrypts it back to plaintext. Mallory (active attacker) can interfere with the channel.
Message Cryptosystem
Encrypt: Plaintext → Ciphertext. Decrypt: Ciphertext → Plaintext.
Two functions: E(m: byte[]) → byte[] and D(c: byte[]) → byte[]
Correctness property: for all possible messages m, D(E(m)) = m
Security property: given c = E(m), it is “hard” to learn anything interesting about m.
It is possible to state the security property precisely (and prove a cryptosystem satisfies it given hardness assumptions). This is the main thing Shafi Goldwasser and Silvio Micali did in the 1980s to win the 2013 Turing Award.
Kerckhoff’s Principle
Auguste Kerckhoffs
Algorithms Can Run, But They Can’t Hide
Chart: car theft rate (by model year). Source: hldi.org
Mifare RFID
Inside the Mifare Chip
Scale bar: 0.01 mm (10000 nm)
Interconnection Layers
Logic Layer
Zooming in on the Logic…
Image labels: rotated; rotated + mirrored; match
4-input NAND: Y = !(A & B & C & D)
Mifare Crypto-1
Block diagram components: a 48-bit LFSR, a filter function f(·) producing the key stream, the RNG challenge, the ID, and XOR (+) nodes producing the response.
“The enemy knows the
system being used.”
Claude Shannon,
Communication Theory
of Secrecy Systems
(1949)
Claude Shannon, 1916-2001
What I would have said last month…
Security through obscurity is a bad idea – much better to use publicly vetted standards that have been scrutinized by experts and rely on the key for security.
…then this happened
What I’d say today…
You’re probably still better off using well-vetted open standards. Just be wary of ones the NSA could influence.
(Keyed) Symmetric Cryptosystem
Encrypt(Key, Plaintext) → Ciphertext, sent over an insecure channel; Decrypt(Key, Ciphertext) → Plaintext.
Only secret is the key, not the E and D functions, which now take the key as input.
Asymmetric crypto: different keys for E and D, so you can reveal E without revealing D.
Example: Jefferson’s Wheel
Jefferson’s Wheel Cipher
• 26 wheels arranged in a secret order on a spindle
• Each wheel has a randomly permuted alphabet around its rim
• Encrypt: turn wheels to display plaintext, then pick a “random” row and that is the ciphertext
• Decrypt: arrange wheels in same (secret) order, line up ciphertext, look around wheel for plaintext
Who was the real cryptographer?
Thomas Jefferson (1790s) or Auguste Kerckhoffs (1883)?
on the periphery of each, and
between the black lines, put all the
letters of the alphabet, not in their
established order, but jumbled, &
without order, so that no two shall
be alike. now string them in their
numerical order on an iron axis, one
end of which has a head, and the
other a nut and screw; the use of
which is to hold them firm in any
given position when you choose it.
Jefferson’s description of wheel cipher (1802)
Key Space
Key space: K = set of possible keys
Key is order of wheels on spindle: |K| = 26 × 25 × … × 1 = 26! > 10^26
Key is jumbling of letters on wheels: |K| = (26 × 25 × … × 1)^26 = (26!)^26 > 10^691
Brute force attack: try all keys until you find one that “works”
(Im)Practicality of Brute Force Attacks
Minimum energy needed to flip one bit (Landauer limit) ≈ kT ln 2 ≈ 2.8 zepto-Joules
k ≈ 1.4 × 10^-23 J/K (Boltzmann’s constant)
T = temperature (Kelvin) (300 K)
Bit flips                      Energy          WolframAlpha description
2^40  (Mifare Crypto-1)        3 × 10^-9 J     “mass-energy equivalent of a Z boson”
2^56  (DES)                    2 × 10^-3 J     “acoustic energy in a whisper”
2^80  (“low security”)         3 × 10^3 J      “metabolic energy of one gram of sugar”
26!   (Jefferson+Kerckhoffs)   1 × 10^6 J      “energy of one gram of gasoline”
2^128 (AES minimum)            9 × 10^17 J     “twice energy consumption of Norway in 1998”
2^256 (AES maximum)            3 × 10^56 J     “1/120th mass energy equivalent of galaxy’s visible mass”
This is the best (unrealistic) possible case
for a brute force attack: don’t need to do
anything other than represent key and
physically most efficient bit flips.
But, assumes better than brute force
attacks are not possible. All of these
ciphers have weaknesses, and are much
less secure than maximum security
possible for that size key.
Can any cipher resist an infinitely powerful brute-force attacker?
Yes! Check out my perfect cipher! (It’s the only one.)
Claude Shannon, A Mathematical Theory of Cryptography, 1945 (declassified later)
Exclusive Or
0 ⊕ 0 = 0
0 ⊕ 1 = 1
1 ⊕ 0 = 1
1 ⊕ 1 = 0
Invertible: (A ⊕ B) ⊕ B = A
One-Time Pad
C[i] = M[i] ⊕ K[i], with Pr(K[i] = 0) = Pr(K[i] = 1) = ½
Pr(C[i] = 0)
= Pr(M[i] = 0) × Pr(K[i] = 0) + Pr(M[i] = 1) × Pr(K[i] = 1)
= ½ Pr(M[i] = 0) + ½ Pr(M[i] = 1)
= ½ Pr(M[i] = 0) + ½ (1 − Pr(M[i] = 0))
= ½
Perfect secrecy! Ciphertext reveals nothing about message.
Vernam’s One-Time Pad (1919)
Key: a long paper tape with random letters on it (5-bit code)
Cannot reuse key – tape must be very very long!
Why perfectly secure?
For any intercepted ciphertext, without knowing the key all plaintexts are equally possible.
C:  1000101 0110100 1010101 0011001
K1: 0001000 1100111 0000001 1001011
M1: 1001101 1010011 1010100 1010010   (M S T R)
K2: 0001000 1100111 0010011 1001101
M2: 1001101 1010011 1000110 1010100   (M S F T)
No Other Perfect Ciphers
Messages M1, M2, …, Mn; ciphertexts C1, C2, …, Cn; keys Ki, …, Kj.
To be perfect, there must be a key that maps each message to each ciphertext: |K| ≥ |M|.
Hence, any practical cipher must be imperfect! (This is what Shannon proved in 1945 paper.)
Cryptanalysis
Alice encrypts plaintext with the key and sends the ciphertext over an insecure channel; Bob decrypts it with the key. Eve cryptanalyzes the ciphertext to obtain the plaintext (or something useful).
Lorenz Cipher Machine
The World in July 1941
Map: http://commons.wikimedia.org/wiki/File:Ww2_allied_axis_1941_jul.png
Bletchley Park
5 October 2013 University of Virginia cs4414 48
21st October 1941
Dear Prime Minister,
Some weeks ago you paid us the honour
of a visit, and we believe that you regard
our work as important. … it seems to us
that we have met with unnecessary
impediments. …The cumulative effect,
however, has been to drive us to the
conviction that the importance of the
work is not being impressed with
sufficient force upon those outside
authorities with whom we have to deal.
A.M. Turing (+ 3 others) Winston Churchill
Alan Turing
HQIBPEXEZMUG!
August 30, 1941: Lorenz operator retransmits failed message with same starting configuration. Gets lazy and uses some abbreviations, makes some mistakes.
SPRUCHNUMMER/SPRUCHNR (Serial Number)
GCHQ Today (not what it looked like in 1941!)
“Two Time” Pad
Allies have intercepted:
C1 = M1 ⊕ K1
C2 = M2 ⊕ K1
C1 ⊕ C2 = M1 ⊕ K1 ⊕ M2 ⊕ K1 = M1 ⊕ M2
“Cribs”
Don’t know M1 or M2, but know they are in German and can make some guesses (cribs):
SPRUCHNUMMER
ADOLF HITLER, FUHRER
Given guess for M1, calculate M2 = C1 ⊕ C2 ⊕ M1
If M2 seems plausible, calculate key: K1 = M1 ⊕ C1
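An added example (not from the slides) implementing the one-time pad from the earlier One-Time Pad slides and the two-time-pad recovery procedure described just above. The two messages, the seeded pad and the crib offsets are constructed for a repeatable demo.

```python
"""One-time pad over bytes, and what goes wrong when the pad is reused.
Added example, not from the slides; messages, key and crib offsets are constructed."""
import os
import random


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """C[i] = A[i] ^ B[i]; a pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("one-time pad requires len(key) == len(message)")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(n: int) -> bytes:
    """A fresh n-byte pad from the OS CSPRNG. Use it once, then discard it."""
    return os.urandom(n)


# Encryption and decryption are the same operation: (M ^ K) ^ K = M.
otp_encrypt = xor_bytes
otp_decrypt = xor_bytes


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If K1 was reused, C1 ^ C2 = M1 ^ K1 ^ M2 ^ K1 = M1 ^ M2: the key cancels out."""
    return xor_bytes(c1, c2)


def apply_crib(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """Guess that M1[offset:] starts with `crib`; the slide's M2 = C1 ^ C2 ^ M1 then
    yields the matching bytes of M2 (only this window, since the crib is partial)."""
    leak = two_time_pad_leak(c1, c2)[offset:offset + len(crib)]
    return xor_bytes(leak, crib)


def looks_plausible(fragment: bytes) -> bool:
    """The slide's 'seems plausible' test, reduced to: printable ASCII only."""
    return all(0x20 <= b < 0x7F for b in fragment)


def recover_key(c1: bytes, m1_guess: bytes) -> bytes:
    """Once a full M1 is accepted, K1 = M1 ^ C1, and every other message under K1 falls."""
    return xor_bytes(m1_guess, c1)


# Constructed sample traffic: two same-length messages, both opening with the
# serial-number header the slide names as a crib.
M1 = b"SPRUCHNUMMER 0317 ANGRIFF BEI NACHT"
M2 = b"SPRUCHNUMMER 0318 TREFFEN AM MORGEN"
# Constructed, reproducible pad (a real pad would come from otp_keygen).
_rng = random.Random(1941)
K1 = bytes(_rng.getrandbits(8) for _ in M1)
C1 = otp_encrypt(M1, K1)
C2 = otp_encrypt(M2, K1)  # the mistake: K1 used a second time


def demo() -> dict:
    """Walk the slide's procedure on the constructed traffic."""
    header = apply_crib(C1, C2, b"SPRUCHNUMMER", 0)   # crib at a known position
    window = apply_crib(C1, C2, b"ANGRIFF", 18)        # a guess deeper in M1
    return {
        "roundtrip_ok": otp_decrypt(C1, K1) == M1,
        "leak_is_key_free": two_time_pad_leak(C1, C2) == xor_bytes(M1, M2),
        "m2_header": header,
        "m2_window": window,
        "window_plausible": looks_plausible(window),
        "key_recovered": recover_key(C1, M1) == K1,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```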
Reverse Engineering Lorenz
Brigadier John Tiltman (1894-1982): found 4000 letter key K1 from intercepted C1 and C2
Bill Tutte, U. Waterloo (1917-2002): figured out machine design likely to produce K1
Main weakness: each step, either all S wheels turn, or none do!
Knew machine structure, but a different initial configuration was used for each message: need to find wheel settings (10^19 possible), but weakness reduces to 41 × 31.
Diagram labels: K wheels, all rotate every letter; M1 and M2 rotate conditionally.
Recognizing a Good Guess
Intercepted message (divided into 5 channels, one for each Baudot code bit):
z_{c,i} = m_{c,i} ⊕ x_{c,i} ⊕ s_{c,i}
(message ⊕ key, where the key has parts from the S-wheels (s) and the rest (x))
Cryptanalyze: look for statistical properties
How many of the z_{c,i}’s are 0? ½ (not useful)
How many of (z_{c,i+1} ⊕ z_{c,i}) are 0? ½
Double Delta
Combine two channels, using ΔZ_{c,i} = Z_{c,i+1} ⊕ Z_{c,i} (and likewise ΔM, ΔX, ΔS):
ΔZ_{1,i} ⊕ ΔZ_{2,i} = ΔM_{1,i} ⊕ ΔM_{2,i} ⊕ ΔX_{1,i} ⊕ ΔX_{2,i} ⊕ ΔS_{1,i} ⊕ ΔS_{2,i}
Pr(ΔX_{1,i} ⊕ ΔX_{2,i} = 0) = ½ (key)
Pr(ΔM_{1,i} ⊕ ΔM_{2,i} = 0) > ½ Yippee! Message is in German, more likely following letter is a repetition than random
Pr(ΔS_{1,i} ⊕ ΔS_{2,i} = 0) > ½ Yippee! since S-wheels only turn when M-wheel is 1
Actual advantage ≈ 0.55
Using the Advantage
Try all configurations to find one(s) with highest numbers of 0s.
If the guess of X is incorrect: Pr(ΔZ_{1,i} ⊕ ΔZ_{2,i} = 0) = ½
If the guess of X is correct: Pr(ΔZ_{1,i} ⊕ ΔZ_{2,i} = 0) ≈ 0.55
# of double delta operations to try one guess = 10,000 (for 10,000 letter message) × 1271 settings × 7 per double delta = 89 M operations
Today: < 0.01s on my phone…but this was 1943
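An added simulation (not from the slides) of the double-delta statistic and the 41 × 31 setting search from the last two slides, on a toy two-channel Lorenz-like cipher. The wheel pin patterns, the psi stepping probability, the message repetition model and the secret setting (17, 5) are constructed assumptions, not the real machine’s.

```python
"""Tutte's double-delta test on a toy Lorenz-like cipher: two channels, two chi (K)
wheels that step every letter and two psi (S) wheels that step together or not at all.
Added example, not from the slides. Pin patterns, stepping probability, message model
and the secret starting positions are constructed for a repeatable demo and are not
the real Lorenz SZ40/42 wheel patterns."""
import random

CHI_PERIODS = (41, 31)   # slide: the weakness reduces the search to 41 x 31 settings
PSI_PERIODS = (43, 47)   # constructed: one S-wheel per modelled channel


def delta(bits):
    """Delta stream: bits[i+1] ^ bits[i]."""
    return [bits[i + 1] ^ bits[i] for i in range(len(bits) - 1)]


def cyclic_delta_pins(pins):
    """Delta of a wheel that steps every letter depends only on its pin pattern."""
    p = len(pins)
    return [pins[(j + 1) % p] ^ pins[j] for j in range(p)]


def pack(bits):
    """Pack a 0/1 list into an int (first bit = MSB) so XOR and popcount are cheap."""
    return int("".join("1" if b else "0" for b in bits), 2)


def wheel_stream_int(pattern, start, length):
    """pattern[start], pattern[start+1], ... cyclically for `length` bits, packed."""
    rotated = pattern[start:] + pattern[:start]
    reps = length // len(rotated) + 1
    return pack((rotated * reps)[:length])


def german_like_message(length, rng, repeat_prob=0.25):
    """5-bit letters; the next letter repeats the previous one with probability repeat_prob."""
    letters = [rng.randrange(32)]
    for _ in range(length - 1):
        letters.append(letters[-1] if rng.random() < repeat_prob else rng.randrange(32))
    return letters


def encrypt(letters, chi_pins, chi_start, psi_pins, motor):
    """z[c][i] = m ^ x ^ s for channels c = 0, 1 (bits 0 and 1 of each letter)."""
    n, z = len(letters), []
    for c in range(2):
        x = [chi_pins[c][(chi_start[c] + i) % len(chi_pins[c])] for i in range(n)]
        s, pos = [], 0
        for i in range(n):               # psi wheels only advance when the motor bit is 1
            s.append(psi_pins[c][pos % len(psi_pins[c])])
            pos += motor[i]
        z.append([((letters[i] >> c) & 1) ^ x[i] ^ s[i] for i in range(n)])
    return z


def zero_fraction(ddz, dx, length):
    """Fraction of positions where dZ1 ^ dZ2 ^ dX1 ^ dX2 == 0 (both packed ints)."""
    return (length - bin(ddz ^ dx).count("1")) / length


def search_chi_settings(z, chi_pins):
    """Score all 41 x 31 = 1271 chi starting positions; the true one should stand out."""
    length = len(z[0]) - 1
    ddz = pack([a ^ b for a, b in zip(delta(z[0]), delta(z[1]))])
    # dX for a chi wheel started at a is its cyclic delta-pin pattern read from a.
    dx = [[wheel_stream_int(cyclic_delta_pins(chi_pins[c]), a, length)
           for a in range(CHI_PERIODS[c])] for c in range(2)]
    scores = {(a, b): zero_fraction(ddz, dx[0][a] ^ dx[1][b], length)
              for a in range(CHI_PERIODS[0]) for b in range(CHI_PERIODS[1])}
    best = max(scores, key=scores.get)
    return best, scores


def demo(seed=1941, length=10_000, step_prob=0.5):
    """Constructed traffic of `length` letters, then the full setting search."""
    rng = random.Random(seed)
    chi_pins = [[rng.getrandbits(1) for _ in range(p)] for p in CHI_PERIODS]
    psi_pins = [[rng.getrandbits(1) for _ in range(p)] for p in PSI_PERIODS]
    motor = [1 if rng.random() < step_prob else 0 for _ in range(length)]
    true_setting = (17, 5)                      # constructed per-message secret
    z = encrypt(german_like_message(length, rng), chi_pins, true_setting, psi_pins, motor)
    best, scores = search_chi_settings(z, chi_pins)
    wrong = [v for k, v in scores.items() if k != true_setting]
    return {"true": true_setting, "best": best, "best_fraction": scores[best],
            "mean_wrong_fraction": sum(wrong) / len(wrong)}


if __name__ == "__main__":
    print(demo())
```

The correct setting scores well above ½ while the other 1270 cluster around ½, which is the advantage the slides describe.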
1943: Build the first (?) electronic,
programmable computer: Colossus
Colossus Design
Block diagram: ciphertext tape read by a tape reader (50 km/h, 5000 chars/second); an electronic keytext generator; logic that forms the double delta and tests for = 0; a counter and a position counter; a printer.
Impact on WWII
10 Colossus machines operated at Bletchley
Decoded 63 million letters in Nazi messages
Learned German troop locations to plan D-Day
Modern Cryptanalysis
• Basically the same
+ Bigger, faster computers
– Less motivated, more bureaucratic government
• Know or reverse engineer cipher algorithm
• Look for statistical weaknesses in ciphers to
get some small advantage: because all ciphers
are imperfect, there must be some
• Reduce keyspace from brute-force search to
smaller incremental search
Path to AES
• DES (Data Encryption Standard)
– Developed at IBM in 1970s, selected as national
standard by NSA in 1977
– 56-bit key
• By 1999: distributed.net can break DES key in 22
hours (today: < $10K to break a DES key)
• NIST selected AES (Advanced Encryption
Standard) in 2001
– Open, public process
– Winner: Rijndael (developed by two Belgians)
Variable cost/strength:
Key sizes: 128, 192, 256 bits
Block sizes: 128, 192, 256 bits
Rounds: 10, 12, or 14
Special AES instructions in x86
AES Round
Each round (10-14 rounds total):
1. Byte substitution using non-
linear S-Box (lookup table)
2. Shift rows (square)
3. Mix columns – matrix
multiplication by polynomial
4. XOR with round key
Most Common Mistake
S-Boxes: x = S[b], where S is a 256-byte table and b is an index into the table.
The time this takes varies based on the value of b and the state of the cache.
Keaton Mowery, Sriram Keelveedhi, and Hovav Shacham. Are AES x86 Cache Timing Attacks Still Feasible? (2012)
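An added example (not from the slides, and not any library’s code) that builds the AES S-box from its definition and contrasts the direct lookup above with a masked full-table scan. Python gives no timing guarantees, so the point is the data-independent access pattern a constant-time native implementation would use.

```python
"""The AES S-box from its definition (GF(2^8) inverse plus affine map), beside two ways
of reading it: the direct index from the slide, and a masked scan that touches every
entry in the same order whatever the secret byte is. Added example, not from the
slides or from any AES library."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); inv(0) is defined as 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def build_sbox() -> bytes:
    """S[b] = inv(b) ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4) ^ 0x63."""
    out = []
    for b in range(256):
        v = gf_inv(b)
        out.append(v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63)
    return bytes(out)


SBOX = build_sbox()


def sbox_direct(b: int) -> int:
    """The slide's x = S[b]: one memory access whose address depends on the secret b.
    Which cache line it hits (and so how long it takes) depends on b."""
    return SBOX[b]


def sbox_masked(b: int) -> int:
    """Read all 256 entries in a fixed order and keep the wanted one with an all-ones
    mask; the sequence of addresses touched is identical for every b."""
    result = 0
    for i, v in enumerate(SBOX):
        # (i ^ b) is 0 only when i == b; subtracting 1 makes exactly that case
        # negative, so the bit picked out after the shift is 1 only when i == b.
        hit = ((i ^ b) - 1) >> 8 & 1
        mask = -hit & 0xFF          # 0xFF when i == b, else 0x00
        result |= v & mask
    return result


def sbox_is_permutation() -> bool:
    """A byte substitution must be invertible: every value appears exactly once."""
    return sorted(SBOX) == list(range(256))


if __name__ == "__main__":
    print(SBOX[:16].hex())
    print(all(sbox_direct(b) == sbox_masked(b) for b in range(256)))
```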
From Jeff Moser’s
A Stick Figure Guide to the
Advanced Encryption
Standard (AES)
Can the NSA break AES?
• Most actual uses: probably yes
– This is because of implementation flaws and user mistakes
• Correct implementation: probably not
– Best openly known attacks:
• Related key attacks (2009): 2^95 operations (but only works in very rare circumstances)
• Key recovery attack (2011): 2^126 operations (to recover 128-bit key)
(Assumes most efficient computation physically possible and only bit flips for each operation.)
Summary
• Cryptography is an arms race between
cryptographers and cryptanalysts
• In theory, the cryptanalysts should always win (all
practical ciphers are imperfect)
• In our universe, computation requires energy, which is limited; who wins depends on deep questions we can’t yet answer (e.g., P = NP)
• In practice, most cryptosystems fail because of
bad implementations and humans not bad
mathematics
www.JeffersonsWheel.org
MightBeEvil.com
Plan for Next Week
Randomness
Using Symmetric Ciphers
Authentication: what LinkedIn did wrong, why biometrics can’t work
Open to requests!
Asymmetric Key Signatures
Asymmetric Key SignaturesAsymmetric Key Signatures
Asymmetric Key Signatures
 
Class 1: What is Money?
Class 1: What is Money?Class 1: What is Money?
Class 1: What is Money?
 
Multi-Party Computation for the Masses
Multi-Party Computation for the MassesMulti-Party Computation for the Masses
Multi-Party Computation for the Masses
 
Proof of Reserve
Proof of ReserveProof of Reserve
Proof of Reserve
 
Silk Road
Silk RoadSilk Road
Silk Road
 
Blooming Sidechains!
Blooming Sidechains!Blooming Sidechains!
Blooming Sidechains!
 
Useful Proofs of Work, Permacoin
Useful Proofs of Work, PermacoinUseful Proofs of Work, Permacoin
Useful Proofs of Work, Permacoin
 
Alternate Cryptocurrencies
Alternate CryptocurrenciesAlternate Cryptocurrencies
Alternate Cryptocurrencies
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Engineering Cryptographic Applications: Symmetric Encryption

  • 2. Plan for the Course
    Today: Symmetric Encryption
    – Introduction, a bit of History
    – Perfect Ciphers
    – Cryptanalysis of Imperfect Ciphers
    – Modern Symmetric Ciphers
    Oct 11 (10:30am): Implementation, Authentication
    Oct 18 (10:30am): Public-Key Protocols
    Oct 25 (10:30am): New Applications
    Engineering Crypto Applications 1 evans@virginia.edu
  • 3. Goal of The Course?
    Learn enough so you can design and implement crypto applications.
    Learn enough so you know how hard it is to get crypto right, and will not be foolish enough to try it based on an 8-hour course!
  • 4. User Interaction Design
    – Every programmer thinks they can do it. Obscenely over-paid consultants claim they can’t.
    – If you get it wrong, every customer notices (and leaves).
    Cryptosystem Design
    – Every engineer with a strong math background thinks they can do it. Obscenely over-paid consultants claim they can’t.
    – If you get it wrong, probably no one notices.
  • 5. “If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.
    Karsten Nohl, …, said the encryption hole allowed outsiders to obtain a SIM card’s digital key, …, which let him eavesdrop on a caller, make purchases through mobile payment systems and even impersonate the phone’s owner… as many as 750 million phones may be vulnerable to attacks… Mr. Nohl said. “We can spy on you. We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”
  • 6. Real Goals
    – Know enough to avoid obviously bad crypto designs and implementations
    – Know enough to be able to ask important questions about cryptosystems
    – Know enough to know what you need to learn more about to build something secure
    – …and hopefully fun and interesting for everyone!
  • 8. What is cryptology?
    – Greek: κρυπτός = “kryptos” = hidden (secret)
    – Cryptography – secret writing
    – Cryptanalysis – analyzing (breaking) secrets. Cryptanalysis is what an attacker does; decryption is what the intended receiver does.
    – Cryptosystems – systems that use secrets
    – Cryptology – science of secrets
  • 9. Cryptology is a branch of mathematics: about abstract numbers and functions. Security is an engineering goal: it involves mathematics, but is mostly about real implementations and people.
  • 10. Introductions (diagram): Alice encrypts plaintext into ciphertext, sends it over an insecure channel, and Bob decrypts it back to plaintext; Eve (passive attacker) listens on the channel.
  • 11. Introductions (diagram): Alice encrypts plaintext into ciphertext, sends it over an insecure channel (e.g., the Internet), and Bob decrypts it back to plaintext; Mallory (active attacker) can tamper with the channel.
  • 12. Message Cryptosystem (diagram: Plaintext → Encrypt → Ciphertext → Decrypt → Plaintext)
    Two functions: E(m: byte[]) → byte[] and D(c: byte[]) → byte[]
    Correctness property: for all possible messages m, D(E(m)) = m
    Security property: given c = E(m), it is “hard” to learn anything interesting about m.
  • 13. It is possible to state the security property precisely (and prove a cryptosystem satisfies it given hardness assumptions). This is the main thing Shafi Goldwasser and Silvio Micali did in the 1980s to win the 2013 Turing Award.
  • 15. Kerckhoffs’ Principle (portrait: Auguste Kerckhoffs)
  • 16. Algorithms Can Run, But They Can’t Hide (chart: car theft rate by model year, source: hldi.org; photo: Mifare RFID)
  • 17. Inside the Mifare Chip (micrograph, scale bar: 0.01 mm = 10000 nm)
  • 18. (chip cross-section: interconnection layers above the logic layer)
  • 19. Zooming in on the Logic… (micrograph: the same 4-input NAND gate, Y = !(A & B & C & D), found again rotated and rotated + mirrored; the matches are marked)
  • 20. Mifare Crypto-1 (block diagram: 48-bit LFSR, filter function f(·), RNG, challenge, key stream, ID + response, ⊕)
  • 21. “The enemy knows the system being used.” Claude Shannon, Communication Theory of Secrecy Systems (1949). (portrait: Claude Shannon, 1916-2001)
  • 22. what I would have said last month… Security through obscurity is a bad idea – much better to use publicly vetted standards that have been scrutinized by experts and rely on the key for security.
  • 23. …then this happened (image)
  • 24. what I’d say today… You’re probably still better off using well-vetted open standards. Just be wary of ones the NSA could influence.
  • 25. (Keyed) Symmetric Cryptosystem (diagram: Plaintext → Encrypt → Ciphertext → Insecure Channel → Decrypt → Plaintext, with the same Key supplied to Encrypt and Decrypt)
    The only secret is the key, not the E and D functions, which now take the key as input.
    Asymmetric crypto: different keys for E and D, so you can reveal E without revealing D.
  • 26. Example: Jefferson’s Wheel (image)
  • 27. Jefferson’s Wheel Cipher
    – 26 wheels arranged in a secret order on a spindle
    – Each wheel has a randomly permuted alphabet around its rim
    – Encrypt: turn the wheels to display the plaintext, then pick a “random” row; that is the ciphertext
    – Decrypt: arrange the wheels in the same (secret) order, line up the ciphertext, look around the wheel for the plaintext
  • 28. Who was the real cryptographer? (portraits: Thomas Jefferson (1790s), Auguste Kerckhoffs (1883))
  • 29. “on the periphery of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike. now string them in their numerical order on an iron axis, one end of which has a head, and the other a nut and screw; the use of which is to hold them firm in any given position when you choose it.” Jefferson’s description of the wheel cipher (1802)
  • 30. Key Space
    Key space: K = set of possible keys
    Key is the order of wheels on the spindle: |K| = 26 × 25 × … × 1 > 10^26
    Key is the jumbling of letters on the wheels: |K| = (26 × 25 × … × 1)^26 > 10^691
    Brute force attack: try all keys until you find one that “works”
  • 31. (Im)Practicality of Brute Force Attacks
    Minimum energy needed to flip one bit (Landauer limit) ≈ kT ln 2 ≈ 2.8 zepto-Joules
    k ≈ 1.4 × 10^-23 J/K (Boltzmann’s constant), T = temperature (Kelvin) (300K)
  • 32. Bit Flips | Energy | WolframAlpha Description
    2^40 (Mifare Crypto-1) | 3 × 10^-9 J | “mass-energy equivalent of a Z boson”
    2^56 (DES) | 2 × 10^-3 J | “acoustic energy in a whisper”
    2^80 (“low security”) | 3 × 10^3 J | “metabolic energy of one gram of sugar”
    26! (Jefferson + Kerckhoffs) | 1 × 10^6 J | “energy of one gram of gasoline”
    2^128 (AES minimum) | 9 × 10^17 J | “twice energy consumption of Norway in 1998”
    2^256 (AES maximum) | 3 × 10^56 J | “1/120th mass energy equivalent of galaxy’s visible mass”
  • 36. (same table as slide 32) This is the best (unrealistic) possible case for a brute force attack: it does nothing other than represent the key and perform the physically most efficient bit flips. But it assumes better-than-brute-force attacks are not possible. All of these ciphers have weaknesses, and are much less secure than the maximum security possible for that key size.
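The Landauer computation behind the table, as an added example (not from the lecture): it recomputes the slide’s rows from E = N · kT ln 2 and adds the inverse question a defender asks, namely how many key bits a given energy budget could exhaust even for an attacker at the physical limit. The row labels and the 300 K temperature are the slide’s; the function names are mine.

```python
"""Landauer-limit energy for a brute-force key search (slides 31-36).

Added example, not from the lecture.  E = N * k * T * ln 2 is the minimum
energy to perform N bit flips at temperature T; the slide's table counts
one bit flip per key tried (the attacker's best case).
"""
import math

K_BOLTZMANN = 1.380649e-23   # J/K  (slide: k ≈ 1.4 × 10^-23 J/K)
ROOM_TEMP_K = 300.0          # slide: T = 300 K


def landauer_bit_energy(temp_k: float = ROOM_TEMP_K) -> float:
    """Minimum energy to flip one bit: kT ln 2 (≈ 2.87e-21 J at 300 K)."""
    return K_BOLTZMANN * temp_k * math.log(2)


def brute_force_energy(key_space: int, temp_k: float = ROOM_TEMP_K) -> float:
    """Best case for the attacker: one bit flip per key in the key space."""
    return key_space * landauer_bit_energy(temp_k)


def max_searchable_bits(energy_j: float, temp_k: float = ROOM_TEMP_K) -> int:
    """Largest n such that 2**n * kT ln 2 <= energy_j, i.e. the longest key a
    budget of energy_j joules could exhaust at the Landauer limit."""
    return math.floor(math.log2(energy_j / landauer_bit_energy(temp_k)))


def energy_table(temp_k: float = ROOM_TEMP_K) -> list:
    """The slide's rows recomputed: (label, key space, energy in joules)."""
    rows = [
        ("2^40  (Mifare Crypto-1)", 2 ** 40),
        ("2^56  (DES)", 2 ** 56),
        ("2^80  (\"low security\")", 2 ** 80),
        ("26!   (Jefferson + Kerckhoffs)", math.factorial(26)),
        ("2^128 (AES minimum)", 2 ** 128),
        ("2^256 (AES maximum)", 2 ** 256),
    ]
    return [(label, n, brute_force_energy(n, temp_k)) for label, n in rows]


if __name__ == "__main__":
    for label, n, joules in energy_table():
        print(f"{label:32s} {joules:9.2e} J  (~{max_searchable_bits(joules)} bits)")
```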
  • 37. Can any cipher resist an infinitely powerful brute-force attacker?
  • 38. Claude Shannon, A Mathematical Theory of Cryptography, 1945 (declassified later). “Yes! Check out my perfect cipher! (It’s the only one.)”
  • 39. Exclusive Or
    0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, 1 ⊕ 1 = 0
    Invertible: A ⊕ B ⊕ B = A
  • 40. One-Time Pad: C[i] = M[i] ⊕ K[i]
  • 41. One-Time Pad: C[i] = M[i] ⊕ K[i], with Pr(K[i] = 0) = Pr(K[i] = 1) = ½
    Pr(C[i] = 0) = Pr(M[i] = 0) × Pr(K[i] = 0) + Pr(M[i] = 1) × Pr(K[i] = 1)
                 = ½ Pr(M[i] = 0) + ½ Pr(M[i] = 1)
                 = ½ Pr(M[i] = 0) + ½ (1 − Pr(M[i] = 0))
                 = ½
    Perfect secrecy! The ciphertext reveals nothing about the message.
  • 42. Vernam’s One-Time Pad (1919). Key: a long paper tape with random letters on it (5-bit code). Cannot reuse the key – the tape must be very, very long!
  • 43. Why perfectly secure? For any intercepted ciphertext, without knowing the key all plaintexts are equally possible.
    C:  1000101 0110100 1010101 0011001
    K1: 0001000 1100111 0000001 1001011
    M1: 1001101 1010011 1010100 1010010   M S T R
    K2: 0001000 1100111 0010011 1001101
    M2: 1001101 1010011 1000110 1010100   M S F T
  • 44. No Other Perfect Ciphers (diagram: messages M1 … Mn, ciphertexts C1 … Cn, keys Ki … Kj)
    To be perfect, there must be a key that maps each message to each ciphertext: |K| ≥ |M|.
    Hence, any practical cipher must be imperfect! (This is what Shannon proved in the 1945 paper.)
  • 46. Cryptanalysis (diagram): Alice encrypts plaintext with the key and Bob decrypts with the key; Eve cryptanalyzes the ciphertext on the insecure channel to obtain the plaintext (or something useful).
  • 47. Lorenz Cipher Machine (image)
  • 48. The World in July 1941 (map: http://commons.wikimedia.org/wiki/File:Ww2_allied_axis_1941_jul.png; Bletchley Park marked)
  • 49. 21st October 1941
    Dear Prime Minister,
    Some weeks ago you paid us the honour of a visit, and we believe that you regard our work as important. … it seems to us that we have met with unnecessary impediments. …The cumulative effect, however, has been to drive us to the conviction that the importance of the work is not being impressed with sufficient force upon those outside authorities with whom we have to deal.
    A.M. Turing (+ 3 others)
    (portraits: Winston Churchill, Alan Turing; slide reused from University of Virginia cs4414, 5 October 2013)
  • 50. HQIBPEXEZMUG! August 30, 1941: a Lorenz operator retransmits a failed message with the same starting configuration, gets lazy, uses some abbreviations (SPRUCHNUMMER/SPRUCHNR, the serial number) and makes some mistakes. (photo: GCHQ today, not what it looked like in 1941!)
  • 52. “Two Time” Pad. Allies have intercepted: C1 = M1 ⊕ K1 and C2 = M2 ⊕ K1.
    C1 ⊕ C2 = M1 ⊕ K1 ⊕ M2 ⊕ K1 = M1 ⊕ M2
  • 53. “Cribs”. Don’t know M1 or M2, but know they are in German and can make some guesses (cribs): SPRUCHNUMMER, ADOLF HITLER, FUHRER.
    Given a guess for M1, calculate M2 = C1 ⊕ C2 ⊕ M1. If M2 seems plausible, calculate the key: K1 = M1 ⊕ C1.
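The two arguments of slides 39-53 in code, as an added example that is not part of the lecture: the "any plaintext fits" property of a one-time pad (using the exact C, K1, K2 bytes from the "Why perfectly secure?" slide) and the crib attack on a reused pad. The plaintexts M1/M2, the plausibility test and the OneTimeKey wrapper are constructed for the demonstration, not historical material.

```python
"""One-time pad: why it is perfect, and why reusing the pad breaks it.

Added example, not from the lecture slides.  Reproduces the M S T R / M S F T
walk-through (slide 43) and the two-time-pad crib attack (slides 52-53).
"""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input (C[i] = M[i] ^ K[i])."""
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimeKey:
    """A pad that can be consumed exactly once; a second use raises."""

    def __init__(self, length: int):
        self._bits = os.urandom(length)   # uniformly random key bits
        self._used = False

    def consume(self) -> bytes:
        if self._used:
            raise RuntimeError("one-time pad reused: C1 ^ C2 would leak M1 ^ M2")
        self._used = True
        return self._bits


def otp_encrypt(m: bytes, k: bytes) -> bytes:
    if len(k) < len(m):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(m, k)


otp_decrypt = otp_encrypt   # XOR is its own inverse: A ^ B ^ B = A


def key_explaining(c: bytes, m: bytes) -> bytes:
    """The key that would decrypt c to the candidate plaintext m.  One such key
    exists for every candidate of the same length, so an intercepted c alone
    favours no plaintext: that is the perfect-secrecy argument of slide 43."""
    return xor_bytes(c, m)


def two_time_pad_crib(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """Two ciphertexts under one pad: c1 ^ c2 = m1 ^ m2, so a guessed fragment
    of m1 (the crib) at `offset` reveals the fragment of m2 underneath it."""
    diff = xor_bytes(c1, c2)
    return xor_bytes(diff[offset:offset + len(crib)], crib)


def looks_like_plaintext(fragment: bytes) -> bool:
    """Plausibility test standing in for 'seems like German': capitals and spaces."""
    return all(65 <= b <= 90 or b == 32 for b in fragment)


def drag_crib(c1: bytes, c2: bytes, crib: bytes) -> list:
    """Slide the crib across every offset; return (offset, revealed m2 fragment)
    pairs that pass the plausibility test."""
    n = min(len(c1), len(c2)) - len(crib) + 1
    hits = []
    for off in range(max(n, 0)):
        revealed = two_time_pad_crib(c1, c2, crib, off)
        if looks_like_plaintext(revealed):
            hits.append((off, revealed))
    return hits


# Values copied from the "Why perfectly secure?" slide (7-bit codes as bytes).
SLIDE_C = bytes([0b1000101, 0b0110100, 0b1010101, 0b0011001])
SLIDE_K1 = bytes([0b0001000, 0b1100111, 0b0000001, 0b1001011])
SLIDE_K2 = bytes([0b0001000, 0b1100111, 0b0010011, 0b1001101])

# Constructed plaintexts for the key-reuse demonstration (not historical messages).
M1 = b"SPRUCHNUMMER 17 ANGRIFF BEGINNT ACHT UHR"
M2 = b"SPRUCHNUMMER 17 TRUPPEN HALTEN STELLUNG"


def demo_key_reuse():
    """Encrypt M1 and M2 under the same pad, then recover a fragment of M2 from
    a crib on M1 and drag the SPRUCHNUMMER crib across the whole length."""
    pad = os.urandom(len(M1))
    c1, c2 = otp_encrypt(M1, pad), otp_encrypt(M2, pad)
    return two_time_pad_crib(c1, c2, b"ANGRIFF", 16), drag_crib(c1, c2, b"SPRUCHNUMMER")
```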
  • 54. Reverse Engineering Lorenz. Brigadier John Tiltman (1894-2002 is not right; 1894-1982) found the 4000-letter key K1 from the intercepted C1 and C2; Bill Tutte (U. Waterloo, 1917-2002) figured out the machine design likely to produce K1.
  • 55. Main weakness: each step, either all S wheels turn, or none do!
    Knew the machine structure, but a different initial configuration was used for each message: need to find the wheel settings (10^19 possible), but the weakness reduces this to 41 × 31.
    (diagram labels: K wheels, all rotate every letter; M1 and M2 rotate conditionally)
  • 56. Recognizing a Good Guess
    Intercepted message (divided into 5 channels, one for each Baudot code bit): z_{c,i} = m_{c,i} ⊕ x_{c,i} ⊕ s_{c,i}, i.e., message ⊕ key, with the key split into the part from the S-wheels (s) and the rest (x).
    Cryptanalyze: look for statistical properties.
    How many of the z_{c,i} are 0? ½ (not useful)
    How many of (z_{c,i+1} ⊕ z_{c,i}) are 0? ½
  • 57. Double Delta. Combine two channels:
    ΔZ_{1,i} ⊕ ΔZ_{2,i} = ΔM_{1,i} ⊕ ΔM_{2,i} ⊕ ΔX_{1,i} ⊕ ΔX_{2,i} ⊕ ΔS_{1,i} ⊕ ΔS_{2,i}
    ΔX_{1,i} ⊕ ΔX_{2,i}: = ½ (key)
    ΔM_{1,i} ⊕ ΔM_{2,i}: > ½, Yippee! The message is in German, so the following letter is more likely a repetition than random.
    ΔS_{1,i} ⊕ ΔS_{2,i}: > ½, Yippee! The S-wheels only turn when the M-wheel is 1.
    Actual advantage ≈ 0.55
  • 58. Using the Advantage. Try all configurations to find the one(s) with the highest number of 0s.
    If the guess of X is incorrect: Pr(ΔZ_{1,i} ⊕ ΔZ_{2,i} = 0) = ½ (after removing the guessed X)
    If the guess of X is correct: Pr(ΔZ_{1,i} ⊕ ΔZ_{2,i} = 0) ≈ 0.55
    Number of double delta operations to try one guess: for a 10,000-letter message, 10,000 × 1271 settings × 7 per double delta = 89 M operations.
    Today: < 0.01s on my phone…but this was 1943.
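The search of slides 55-58 run end to end on a toy Lorenz-style model, as an added example that is not part of the lecture: it keeps what the attack relies on (z = m ⊕ x ⊕ s per channel, chi wheels of lengths 41 and 31 that step every letter, S-wheels that step only on a motor bit, and text in which letters repeat more often than chance), scores all 41 × 31 = 1271 chi settings by the double-delta zero count, and recovers the true setting. Wheel patterns, motor bits and messages are constructed with a seeded RNG; the S-wheel lengths 43/47 and the step and repeat probabilities are my assumptions, tuned so the correct setting scores near the slide’s ≈ 0.55.

```python
"""Double-delta attack on a toy Lorenz-style cipher (slides 55-58).

Added example, not from the lecture.  Everything below is a constructed
model: real Lorenz wheel patterns and motor logic are more involved.
"""
import random

CHI_LENGTHS = (41, 31)   # from the slides: 41 x 31 = 1271 settings to try
PSI_LENGTHS = (43, 47)   # assumed lengths for the two S-wheels used here


def random_pins(rng, length):
    """A wheel is a ring of pins; the pin under the reader is its key bit."""
    return [rng.randrange(2) for _ in range(length)]


def message_channels(rng, n, repeat_prob=0.35):
    """Two message bit channels.  With probability repeat_prob the letter is a
    repeat of the previous one (both bits unchanged), else both bits are fresh."""
    m1, m2 = [rng.randrange(2)], [rng.randrange(2)]
    for _ in range(1, n):
        if rng.random() < repeat_prob:
            m1.append(m1[-1])
            m2.append(m2[-1])
        else:
            m1.append(rng.randrange(2))
            m2.append(rng.randrange(2))
    return m1, m2


def encrypt(m1, m2, chi, psi, chi_start, psi_start, motor):
    """z = m ^ x ^ s per channel.  Chi wheels advance every letter; both psi
    (S) wheels advance together, and only after a letter whose motor bit is 1."""
    x1, x2 = chi
    s1, s2 = psi
    a, b = chi_start
    p, q = psi_start
    z1, z2 = [], []
    for i in range(len(m1)):
        z1.append(m1[i] ^ x1[(a + i) % len(x1)] ^ s1[p % len(s1)])
        z2.append(m2[i] ^ x2[(b + i) % len(x2)] ^ s2[q % len(s2)])
        if motor[i]:
            p += 1
            q += 1
    return z1, z2


def delta(bits):
    """Delta stream: d[i] = bits[i] ^ bits[i + 1] (0 when a letter repeats)."""
    return [bits[i] ^ bits[i + 1] for i in range(len(bits) - 1)]


def pack(bits):
    """Pack a 0/1 list into an int so whole streams XOR in one operation."""
    return int("".join(map(str, bits)), 2)


def wheel_delta_streams(pins, n):
    """For each start position of a wheel, its n-bit delta key stream, packed."""
    L = len(pins)
    d = [pins[i] ^ pins[(i + 1) % L] for i in range(L)]   # delta of the ring
    return [pack([d[(start + i) % L] for i in range(n)]) for start in range(L)]


def double_delta_attack(z1, z2, chi):
    """Score every (chi1, chi2) start pair by how often dZ1 ^ dZ2 ^ dX1 ^ dX2
    is 0.  The true pair leaves dM1 ^ dM2 ^ dS1 ^ dS2, which is 0 more than
    half the time, so it scores highest (this is the count Colossus made)."""
    n = len(z1) - 1
    dz12 = pack([u ^ v for u, v in zip(delta(z1), delta(z2))])
    streams1 = wheel_delta_streams(chi[0], n)
    streams2 = wheel_delta_streams(chi[1], n)
    best, best_zeros = None, -1
    for a, da in enumerate(streams1):
        for b, db in enumerate(streams2):
            zeros = n - bin(dz12 ^ da ^ db).count("1")
            if zeros > best_zeros:
                best, best_zeros = (a, b), zeros
    return best, best_zeros / n


def demo(seed=2013, n=20000, step_prob=0.65):
    """Pick wheels and a setting, encrypt an n-letter message and recover the
    chi setting.  Returns (true_setting, recovered_setting, advantage)."""
    rng = random.Random(seed)
    chi = tuple(random_pins(rng, L) for L in CHI_LENGTHS)
    psi = tuple(random_pins(rng, L) for L in PSI_LENGTHS)
    motor = [1 if rng.random() < step_prob else 0 for _ in range(n)]
    m1, m2 = message_channels(rng, n)
    chi_start = (rng.randrange(CHI_LENGTHS[0]), rng.randrange(CHI_LENGTHS[1]))
    psi_start = (rng.randrange(PSI_LENGTHS[0]), rng.randrange(PSI_LENGTHS[1]))
    z1, z2 = encrypt(m1, m2, chi, psi, chi_start, psi_start, motor)
    found, advantage = double_delta_attack(z1, z2, chi)
    return chi_start, found, advantage


if __name__ == "__main__":
    print(demo())
```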
  • 59. 1943: Build the first (?) electronic, programmable computer: Colossus
  • 60. Colossus Design (block diagram: ciphertext tape → tape reader; electronic keytext generator; logic computing Δ, ⊕ and = 0; counter and position counter; printer). Tape speed: 50 km/h (5000 chars/second).
  • 61. Impact on WWII
    – 10 Colossus machines operated at Bletchley
    – Decoded 63 million letters in Nazi messages
    – Learned German troop locations to plan D-Day
  • 62. Modern Cryptanalysis
    – Basically the same, + bigger, faster computers, – less motivated, more bureaucratic government
    – Know or reverse engineer the cipher algorithm
    – Look for statistical weaknesses in ciphers to get some small advantage: because all ciphers are imperfect, there must be some
    – Reduce the keyspace from brute-force search to a smaller incremental search
  • 64. Path to AES
    – DES (Data Encryption Standard): developed at IBM in the 1970s, selected as national standard by NSA in 1977; 56-bit key
    – By 1999: distributed.net can break a DES key in 22 hours (today: < $10K to break a DES key)
    – NIST selected AES (Advanced Encryption Standard) in 2001: open, public process; winner: Rijndael (developed by two Belgians)
  • 65. AES Round
    Variable cost/strength: key sizes 128, 192, 256 bits; block sizes 128, 192, 256 bits; rounds 10, 12, or 14. Special AES instructions in x86.
    Each round (10-14 rounds total):
    1. Byte substitution using non-linear S-Box (lookup table)
    2. Shift rows (square)
    3. Mix columns – matrix multiplication by polynomial
    4. XOR with round key
  • 66. Most Common Mistake: S-Boxes. x = S[b], where S is a 256-byte table and b is an index into the table. The time this lookup takes varies based on the value of b and the state of the cache.
    Keaton Mowery, Sriram Keelveedhi, and Hovav Shacham. Are AES x86 Cache Timing Attacks Still Feasible? (2012)
  • 67. (image) From Jeff Moser’s A Stick Figure Guide to the Advanced Encryption Standard (AES)
  • 68. Can the NSA break AES?
    – Most actual uses: probably yes. This is because of implementation flaws and user mistakes.
    – Correct implementation: probably not. Best openly known attacks:
      – Related key attacks (2009): 2^95 operations (but only works in very rare circumstances)
      – Key recovery attack (2011): 2^126 operations (to recover a 128-bit key)
  • 69. (chart) (Assumes the most efficient computation physically possible and only bit flips for each operation.)
  • 71. Summary
    – Cryptography is an arms race between cryptographers and cryptanalysts
    – In theory, the cryptanalysts should always win (all practical ciphers are imperfect)
    – In our universe, computation requires energy, which is limited; who wins depends on deep questions we can’t yet answer (e.g., P = NP)
    – In practice, most cryptosystems fail because of bad implementations and humans, not bad mathematics
  • 72. evans@virginia.edu, www.JeffersonsWheel.org, MightBeEvil.com
    Plan for Next Week: Randomness; Using Symmetric Ciphers; Authentication (what LinkedIn did wrong, why biometrics can’t work). Open to requests!