First class of four-part series developed for introducing engineers to cryptography.
Delivered at AMC Theater in Tyson's Corner for Microstrategy, 4 October 2013.
2. Plan for the Course
Today: Symmetric Encryption
– Introduction, a bit of History
– Perfect Ciphers
– Cryptanalysis of Imperfect Ciphers
– Modern Symmetric Ciphers
Oct 11 (10:30am): Implementation, Authentication
Oct 18 (10:30am): Public-Key Protocols
Oct 25 (10:30am): New Applications
Engineering Crypto Applications (evans@virginia.edu)
3. Goal of The Course?
Learn enough so you can design and implement crypto applications.
Learn enough so you know how hard it is to get crypto right, and will not be foolish enough to try it based on an 8-hour course!
4. User Interaction Design / Cryptosystem Design
User Interaction Design:
• Every programmer thinks they can do it.
• Obscenely over-paid consultants claim they can’t.
• If you get it wrong, every customer notices (and leaves).
Cryptosystem Design:
• Every engineer with strong math background thinks they can do it.
• Obscenely over-paid consultants claim they can’t.
• If you get it wrong, probably no one notices.
5.
“If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.
Karsten Nohl, …, said the encryption hole allowed outsiders to obtain a SIM card’s digital key, …, which let him eavesdrop on a caller, make purchases through mobile payment systems and even impersonate the phone’s owner… as many as 750 million phones may be vulnerable to attacks… Mr. Nohl said. “We can spy on you. We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”
6. Real Goals
• Know enough to avoid obviously bad crypto designs and implementations
• Know enough to be able to ask important questions about cryptosystems
• Know enough to know what you need to learn more about to build something secure
• …and hopefully fun and interesting for everyone!
8. What is cryptology?
• Greek: κρυπτός = “kryptos” = hidden (secret)
• Cryptography – secret writing
• Cryptanalysis – analyzing (breaking) secrets
  Cryptanalysis is what an attacker does; decryption is what the intended receiver does
• Cryptosystems – systems that use secrets
• Cryptology – science of secrets
9.
Cryptology is a branch of mathematics: about abstract numbers and functions.
Security is an engineering goal: it involves mathematics, but is mostly about real implementations and people.
10. Introductions
[Diagram: Alice: Plaintext → Encrypt → Ciphertext, sent over an Insecure Channel; Bob: Ciphertext → Decrypt → Plaintext. Eve (passive attacker) observes the channel.]
11. Introductions
[Diagram: Alice: Plaintext → Encrypt → Ciphertext, sent over an Insecure Channel (e.g., the Internet); Bob: Ciphertext → Decrypt → Plaintext. Mallory (active attacker) sits on the channel.]
12. Message Cryptosystem
[Diagram: Plaintext → Encrypt → Ciphertext → Decrypt → Plaintext]
Two functions: E(m: byte[]) → byte[] and D(c: byte[]) → byte[]
Correctness property: for all possible messages m, D(E(m)) = m
Security property: given c = E(m), it is “hard” to learn anything interesting about m.
13.
It is possible to state the security property precisely (and prove a cryptosystem satisfies it given hardness assumptions). This is the main thing Shafi Goldwasser and Silvio Micali did in the 1980s to win the 2013 Turing Award.
16. Algorithms Can Run, But They Can’t Hide
[Figure: Car theft rate (by model year). Source: hldi.org]
[Figure: Mifare RFID]
17. Inside the Mifare Chip
[Image; scale bar: 0.01 mm (10000 nm)]
21. “The enemy knows the system being used.”
Claude Shannon, Communication Theory of Secrecy Systems (1949)
[Photo: Claude Shannon, 1916-2001]
22. What I would have said last month…
Security through obscurity is a bad idea – much better to use publicly vetted standards that have been scrutinized by experts and rely on the key for security.
24. What I’d say today…
You’re probably still better off using well-vetted open standards. Just be wary of ones the NSA could influence.
25. (Keyed) Symmetric Cryptosystem
[Diagram: Plaintext → Encrypt → Ciphertext, over an Insecure Channel → Decrypt → Plaintext; both Encrypt and Decrypt take the Key as input]
Only secret is the key, not the E and D functions, which now take the key as input.
Asymmetric crypto: different keys for E and D, so you can reveal E without revealing D.
27. Jefferson’s Wheel Cipher
• 26 wheels arranged in a secret order on a spindle
• Each wheel has a randomly permuted alphabet around its rim
• Encrypt: turn wheels to display plaintext, then pick a “random” row and that is the ciphertext
• Decrypt: arrange wheels in same (secret) order, line up ciphertext, look around wheel for plaintext
28. Who was the real cryptographer?
[Photos: Thomas Jefferson (1790s); Auguste Kerckhoffs (1883)]
29.
“on the periphery of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike. now string them in their numerical order on an iron axis, one end of which has a head, and the other a nut and screw; the use of which is to hold them firm in any given position when you choose it.”
Jefferson’s description of wheel cipher (1802)
30. Key Space
Key space: K = set of possible keys
Key is order of wheels on spindle:
  |K| = 26 × 25 × … × 1 > 10^26
Key is jumbling of letters on wheels:
  |K| = (26 × 25 × … × 1)^26 > 10^691
Brute force attack: try all keys until you find one that “works”
31. (Im)Practicality of Brute Force Attacks
Minimum energy needed to flip one bit (Landauer limit) ≈ kT ln 2 ≈ 2.8 zepto-Joules
  k ≈ 1.4 × 10^-23 J/K (Boltzmann’s constant)
  T = temperature (Kelvin) (300 K)
32.
Bit flips                      Energy          WolframAlpha description
2^40  (Mifare Crypto-1)        3 × 10^-9 J     “mass-energy equivalent of a Z boson”
2^56  (DES)                    2 × 10^-3 J     “acoustic energy in a whisper”
2^80  (“low security”)         3 × 10^3 J      “metabolic energy of one gram of sugar”
26!   (Jefferson+Kerckhoffs)   1 × 10^6 J      “energy of one gram of gasoline”
2^128 (AES minimum)            9 × 10^17 J     “twice energy consumption of Norway in 1998”
2^256 (AES maximum)            3 × 10^56 J     “1/120th mass energy equivalent of galaxy’s visible mass”
36.
This is the best (unrealistic) possible case for a brute force attack: you don’t need to do anything other than represent the key and perform the physically most efficient bit flips.
But this assumes that better-than-brute-force attacks are not possible. All of these ciphers have weaknesses, and are much less secure than the maximum security possible for that size of key.
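The table above can be recomputed from the two constants the slides give. The following is an added example, not code from the slides: it evaluates kT ln 2 at 300 K, multiplies by the size of each key space, and reports the equivalent key length in bits for Jefferson’s two key spaces. The Boltzmann constant is taken as 1.38 × 10^-23 J/K (the slides round it to 1.4 × 10^-23). With these constants the DES row comes out near 2 × 10^-4 J; the other rows match the table to one significant figure.

```python
"""Brute-force energy at the Landauer limit.

Added example (not from the slides): recompute the slides' energy table from
E_bit = kT ln 2 and |K| bit flips, one per candidate key.
"""
import math

K_BOLTZMANN = 1.38e-23   # J/K (the slides round this to 1.4e-23)
T_KELVIN = 300.0         # room temperature, as on the slides


def landauer_bit_energy(temperature_k: float = T_KELVIN) -> float:
    """Minimum energy to flip one bit: kT ln 2, about 2.87e-21 J at 300 K."""
    return K_BOLTZMANN * temperature_k * math.log(2)


def brute_force_energy(key_space: int, temperature_k: float = T_KELVIN) -> float:
    """Energy to enumerate every key, charging one Landauer-limit bit flip per key.
    This is the slides' unrealistically optimistic lower bound for the attacker."""
    return key_space * landauer_bit_energy(temperature_k)


def key_space_bits(key_space: int) -> float:
    """Equivalent key length in bits: log2 |K| (exact for Python big ints)."""
    return math.log2(key_space)


def jefferson_key_space_bits():
    """Bits for the two wheel-cipher key spaces on the slides: 26! and (26!)^26."""
    wheel_order = math.factorial(26)
    wheel_alphabets = wheel_order ** 26
    return key_space_bits(wheel_order), key_space_bits(wheel_alphabets)


def energy_table():
    """Rows mirror the slides' table: (label, |K|, joules at the Landauer limit)."""
    rows = [
        ("2^40 (Mifare Crypto-1)", 2 ** 40),
        ("2^56 (DES)", 2 ** 56),
        ("2^80 (low security)", 2 ** 80),
        ("26! (Jefferson+Kerckhoffs)", math.factorial(26)),
        ("2^128 (AES minimum)", 2 ** 128),
        ("2^256 (AES maximum)", 2 ** 256),
    ]
    return [(label, k, brute_force_energy(k)) for label, k in rows]


if __name__ == "__main__":
    print(f"Landauer limit at {T_KELVIN:.0f} K: {landauer_bit_energy():.2e} J per bit flip")
    for label, k, joules in energy_table():
        print(f"{label:<28} {key_space_bits(k):7.1f} bits  {joules:9.2e} J")
    order_bits, alphabet_bits = jefferson_key_space_bits()
    print(f"26! is a {order_bits:.1f}-bit key; (26!)^26 is a {alphabet_bits:.0f}-bit key")
```

The interesting comparison is the bits column next to the joules column: 26! sits between 2^80 and 2^128, which is why a Jefferson wheel cipher with Kerckhoffs’ assumption lands where it does in the table, while being nowhere near as strong as its key size suggests once its structural weaknesses are used.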
37. Can any cipher resist an infinitely powerful brute-force attacker?
38. Claude Shannon, A Mathematical Theory of Cryptography, 1945 (declassified later)
[Speech bubble:] Yes! Check out my perfect cipher! (It’s the only one.)
40. One-Time Pad
C[i] = M[i] ⊕ K[i]
41. One-Time Pad
C[i] = M[i] ⊕ K[i], with Pr(K[i] = 0) = Pr(K[i] = 1) = ½
Pr(C[i] = 0)
  = Pr(M[i] = 0) × Pr(K[i] = 0) + Pr(M[i] = 1) × Pr(K[i] = 1)
  = ½ Pr(M[i] = 0) + ½ Pr(M[i] = 1)
  = ½ Pr(M[i] = 0) + ½ (1 − Pr(M[i] = 0))
  = ½ (Pr(M[i] = 0) + 1 − Pr(M[i] = 0))
  = ½
Perfect secrecy! Ciphertext reveals nothing about message.
42. Vernam’s One-Time Pad (1919)
Key: a long paper tape with random letters on it (5-bit code)
Cannot reuse key – tape must be very very long!
43. Why perfectly secure?
For any intercepted ciphertext, without knowing the key all plaintexts are equally possible.
C:  1000101 0110100 1010101 0011001
K1: 0001000 1100111 0000001 1001011
M1: 1001101 1010011 1010100 1010010   (M S T R)
K2: 0001000 1100111 0010011 1001101
M2: 1001101 1010011 1000110 1010100   (M S F T)
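The one-time pad as a message cryptosystem in the E/D form of slide 12, written as an added example (not code from the slides): it checks the correctness property D(E(m)) = m, carries the slide’s Pr(C[i] = 0) derivation as a function of the message and key bit distributions, and reproduces the table above by computing the key that makes the slide’s ciphertext decrypt to “MSTR” and the key that makes it decrypt to “MSFT”. The 7-bit groups are read as ASCII, which is what the slide’s bit patterns are; the ciphertext bytes are copied from the slide, everything else here is constructed.

```python
"""One-time pad as a message cryptosystem (added example, not from the slides).

E(m, k) = m XOR k, D(c, k) = c XOR k over byte arrays.  For a fixed ciphertext,
every plaintext of the same length is reachable under some key, which is why
an eavesdropper who does not hold the key learns nothing from the ciphertext.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings: C[i] = M[i] ^ K[i]."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs a key exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """Fresh, uniformly random key bytes.  A pad key is used exactly once."""
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    return xor_bytes(message, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)       # XOR is its own inverse, so D = E


def key_explaining(ciphertext: bytes, plaintext: bytes) -> bytes:
    """The unique key under which `ciphertext` decrypts to `plaintext`.
    Because such a key exists for every plaintext, the ciphertext alone
    cannot rule any plaintext out: this is the slide's perfect-secrecy argument."""
    return xor_bytes(ciphertext, plaintext)


def ciphertext_zero_probability(p_message_zero: float, p_key_zero: float = 0.5) -> float:
    """Pr(C[i] = 0) for one bit, following the slide's derivation:
    Pr(M=0)Pr(K=0) + Pr(M=1)Pr(K=1).  With a uniform key bit this is 1/2
    regardless of the message distribution; with a biased key it is not."""
    return p_message_zero * p_key_zero + (1 - p_message_zero) * (1 - p_key_zero)


def bits(data: bytes) -> str:
    """7-bit groups, the layout the slide uses for its ASCII example."""
    return " ".join(f"{byte:07b}" for byte in data)


# Ciphertext copied from the slide's table (7-bit ASCII, one byte per group).
SLIDE_C = bytes([0b1000101, 0b0110100, 0b1010101, 0b0011001])


def slide_keys():
    """Keys K1 and K2 from the slide: the same C decrypts to MSTR under K1
    and to MSFT under K2."""
    return key_explaining(SLIDE_C, b"MSTR"), key_explaining(SLIDE_C, b"MSFT")


def round_trip(message: bytes) -> bool:
    """Correctness property D(E(m, k), k) = m on a fresh random key."""
    key = otp_keygen(len(message))
    return otp_decrypt(otp_encrypt(message, key), key) == message


if __name__ == "__main__":
    k1, k2 = slide_keys()
    print("C: ", bits(SLIDE_C))
    print("K1:", bits(k1), "-> M1 =", otp_decrypt(SLIDE_C, k1).decode())
    print("K2:", bits(k2), "-> M2 =", otp_decrypt(SLIDE_C, k2).decode())
    print("round trip on a constructed message:", round_trip(b"constructed plaintext"))
    for p in (0.1, 0.5, 0.9):
        print(f"Pr(M=0)={p}: uniform key -> Pr(C=0)={ciphertext_zero_probability(p):.2f}, "
              f"biased key (Pr(K=0)=0.7) -> {ciphertext_zero_probability(p, 0.7):.2f}")
```

The biased-key case in the last loop is the practical lesson: the derivation only collapses to ½ because the key bits are uniform, so a pad generated from anything less than a uniformly random source leaks the message distribution into the ciphertext.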
44. No Other Perfect Ciphers
[Diagram: messages M1, M2, …, Mn, each mapped by some key Ki, Kj, … to ciphertexts C1, C2, …, Cn]
To be perfect, there must be a key that maps each message to each ciphertext: |K| ≥ |M|.
Hence, any practical cipher must be imperfect! (This is what Shannon proved in the 1945 paper.)
48. The World in July 1941
[Map: http://commons.wikimedia.org/wiki/File:Ww2_allied_axis_1941_jul.png, with Bletchley Park marked]
49. 21st October 1941
(University of Virginia cs4414, 5 October 2013)
Dear Prime Minister,
Some weeks ago you paid us the honour of a visit, and we believe that you regard our work as important. … it seems to us that we have met with unnecessary impediments. … The cumulative effect, however, has been to drive us to the conviction that the importance of the work is not being impressed with sufficient force upon those outside authorities with whom we have to deal.
A.M. Turing (+ 3 others)
[Photos: Winston Churchill; Alan Turing]
50. HQIBPEXEZMUG!
August 30, 1941: a Lorenz operator retransmits a failed message with the same starting configuration. Gets lazy and uses some abbreviations, makes some mistakes.
SPRUCHNUMMER/SPRUCHNR (Serial Number)
[Photo: GCHQ today (not what it looked like in 1941!)]
51. “Two Time” Pad
Allies have intercepted:
  C1 = M1 ⊕ K1
  C2 = M2 ⊕ K1
53. “Cribs”
Don’t know M1 or M2, but know they are in German and can make some guesses (cribs):
  SPRUCHNUMMER
  ADOLF HITLER, FUHRER
Given guess for M1, calculate M2 = C1 ⊕ C2 ⊕ M1
If M2 seems plausible, calculate key: K1 = M1 ⊕ C1
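The two slides above, as an added example that is not code from the slides: two constructed German-looking messages are encrypted under one key stream, C1 ⊕ C2 is formed (the key cancels, leaving M1 ⊕ M2), the crib SPRUCHNUMMER is tried at every offset, offsets where the implied M2 fragment is plausible are kept, and the key stream is then recovered at that offset as M1 ⊕ C1. The plausibility test (only upper-case letters and spaces) and the messages are constructed for the example; the function also shows that with two independent keys the same crib finds nothing, which is what a correctly used pad guarantees.

```python
"""'Two time' pad and cribs (added example, not from the slides).

Two messages under the same key stream K1 leak M1 XOR M2 = C1 XOR C2.  Sliding a
guessed plaintext fragment (a crib) across that leak proposes the other message
at each offset; a plausible proposal pins down M1, M2 and K1 at that offset.
"""
import random
import string

ALPHABET = string.ascii_uppercase + " "   # the only symbols the constructed messages use


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def plausible(fragment: bytes) -> bool:
    """Crude stand-in for 'reads like German': every byte is a letter or a space."""
    return all(chr(b) in ALPHABET for b in fragment)


def drag_crib(c1: bytes, c2: bytes, crib: bytes):
    """Try the crib as M1 at every offset.  Since C1 ^ C2 = M1 ^ M2, the guess gives
    M2 = C1 ^ C2 ^ crib there.  Returns [(offset, proposed M2 fragment)] for offsets
    whose proposal is plausible."""
    leak = xor_bytes(c1, c2)                  # = M1 ^ M2: the reused key has cancelled
    hits = []
    for off in range(len(leak) - len(crib) + 1):
        m2_guess = xor_bytes(leak[off:off + len(crib)], crib)
        if plausible(m2_guess):
            hits.append((off, m2_guess))
    return hits


def recover_key(c1: bytes, m1_fragment: bytes, offset: int) -> bytes:
    """Once M1 is known at an offset, K1 = M1 ^ C1 there (the slide's last step)."""
    return xor_bytes(m1_fragment, c1[offset:offset + len(m1_fragment)])


def constructed_intercept(reuse_key: bool = True, seed: int = 1941):
    """Two constructed plaintexts.  With reuse_key=True both are encrypted under the
    same key stream (the operator's mistake); otherwise each gets its own key.
    Returns (c1, c2, k1, m1, m2)."""
    rng = random.Random(seed)
    m1 = b"SPRUCHNUMMER ACHT AN ALLE EINHEITEN STOP"
    m2 = b"SPRUCHNR NEUN WETTER HEUTE REGEN STOP ENDE"
    n = min(len(m1), len(m2))
    m1, m2 = m1[:n], m2[:n]
    k1 = bytes(rng.randrange(256) for _ in range(n))
    k2 = k1 if reuse_key else bytes(rng.randrange(256) for _ in range(n))
    return xor_bytes(m1, k1), xor_bytes(m2, k2), k1, m1, m2


if __name__ == "__main__":
    crib = b"SPRUCHNUMMER"
    c1, c2, k1, m1, m2 = constructed_intercept()
    for off, m2_fragment in drag_crib(c1, c2, crib):
        print(f"offset {off:2d}: M2 fragment {m2_fragment!r}")
    # The header-like proposal at offset 0 is the one an analyst would pick.
    print("recovered key bytes match:", recover_key(c1, crib, 0) == k1[:len(crib)])
    c1b, c2b, _, _, _ = constructed_intercept(reuse_key=False)
    print("hits with independent keys:", drag_crib(c1b, c2b, crib))
```

The recovered key bytes are only as long as the crib; in practice the analyst extends them by reading on from the recovered fragments of M1 and M2, which is exactly the step the next slides describe for the Lorenz traffic. The defensive reading is the one that matters for an engineer: any stream cipher, including a pad, loses everything the moment a key stream is used twice.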
55.
[Diagram of the Lorenz machine: K wheels, all rotate every letter; M1 and M2 rotate conditionally; S wheels]
Main weakness: each step, either all S wheels turn, or none do!
Knew machine structure, but a different initial configuration was used for each message: need to find wheel settings (10^19 possible), but the weakness reduces this to 41 × 31.
56. Recognizing a Good Guess
Intercepted message (divided into 5 channels, one for each Baudot code bit):
  z_{c,i} = m_{c,i} ⊕ x_{c,i} ⊕ s_{c,i}
  (message ⊕ key, where the key has a part from the S-wheels and the rest)
Cryptanalyze: look for statistical properties.
  How many of the z_{c,i}’s are 0?  ½ (not useful)
  How many of (z_{c,i+1} ⊕ z_{c,i}) are 0?  ½
57. Double Delta
Combine two channels (each term is the difference between consecutive positions, as on the previous slide):
  Z_{1,i} ⊕ Z_{2,i} = (M_{1,i} ⊕ M_{2,i}) ⊕ (X_{1,i} ⊕ X_{2,i}) ⊕ (S_{1,i} ⊕ S_{2,i})
  Pr(X_{1,i} ⊕ X_{2,i} = 0) = ½ (key)
  Pr(M_{1,i} ⊕ M_{2,i} = 0) > ½  Yippee!  (message is in German: more likely the following letter is a repetition than random)
  Pr(S_{1,i} ⊕ S_{2,i} = 0) > ½  Yippee!  (since S-wheels only turn when M-wheel is 1)
Actual advantage ≈ 0.55
58. Using the Advantage
Try all configurations to find the one(s) with the highest number of 0s.
  If the guess of X is incorrect: Pr(Z_{1,i} ⊕ Z_{2,i} = 0) = ½
  If the guess of X is correct: Pr(Z_{1,i} ⊕ Z_{2,i} = 0) ≈ 0.55
Number of double delta operations to try the guesses for a 10,000 letter message: 10,000 letters × 1271 settings × 7 per double delta = 89 M operations
Today: < 0.01s on my phone… but this was 1943
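The statistic on slides 56 to 58 as a simulation, written as an added example (not code from the slides). The model is constructed and deliberately simplified to two channels: z = m ⊕ x ⊕ s per channel, X-wheels of periods 41 and 31 whose cam patterns are known but whose start positions are not, S-wheel bits that stay put whenever a motor bit is 0, and plaintext whose letters repeat more often than chance. For each of the 41 × 31 = 1271 candidate X settings it counts the positions where the double delta (Z_{1,i+1} ⊕ Z_{1,i}) ⊕ (Z_{2,i+1} ⊕ Z_{2,i}), with the guessed X contribution removed, is 0; the true setting is the one whose count stands well above half the message length. The repetition and motor-stop probabilities (0.3 and 0.5) are constructed and give an advantage of about 0.575 rather than the slides’ 0.55.

```python
"""Double-delta setting recovery on a constructed Lorenz-like model.

Added example (not from the slides).  Two channels only: z = m ^ x ^ s, with
X-wheels of periods 41 and 31 that step every letter, S bits that freeze when a
motor bit is 0, and repetitive plaintext.  Scoring a guessed (X1, X2) start
setting = counting positions where dZ1 ^ dZ2 ^ dX1 ^ dX2 == 0.
"""
import random

X1_LEN, X2_LEN = 41, 31      # X-wheel periods from the slides: 41 x 31 = 1271 settings
N_LETTERS = 10_000           # message length used in the slides' operation count


def delta(bits):
    """d[i] = bits[i] ^ bits[i+1]: the difference between consecutive positions."""
    return [bits[i] ^ bits[i + 1] for i in range(len(bits) - 1)]


def make_traffic(rng, n=N_LETTERS, p_repeat=0.3, p_motor_stop=0.5):
    """Constructed intercept.  Returns (z1, z2, x1_wheel, x2_wheel, true_setting)."""
    m1, m2 = [rng.randrange(2)], [rng.randrange(2)]
    s1, s2 = [rng.randrange(2)], [rng.randrange(2)]
    for _ in range(n - 1):
        if rng.random() < p_repeat:            # German text: letter repeats -> both dM are 0
            m1.append(m1[-1]); m2.append(m2[-1])
        else:
            m1.append(rng.randrange(2)); m2.append(rng.randrange(2))
        if rng.random() < p_motor_stop:        # motor bit 0: no S-wheel moves -> both dS are 0
            s1.append(s1[-1]); s2.append(s2[-1])
        else:
            s1.append(rng.randrange(2)); s2.append(rng.randrange(2))
    x1_wheel = [rng.randrange(2) for _ in range(X1_LEN)]   # cam patterns: known to the analyst
    x2_wheel = [rng.randrange(2) for _ in range(X2_LEN)]
    o1, o2 = rng.randrange(X1_LEN), rng.randrange(X2_LEN)  # start positions: unknown
    z1 = [m1[i] ^ x1_wheel[(i + o1) % X1_LEN] ^ s1[i] for i in range(n)]
    z2 = [m2[i] ^ x2_wheel[(i + o2) % X2_LEN] ^ s2[i] for i in range(n)]
    return z1, z2, x1_wheel, x2_wheel, (o1, o2)


def double_delta_scores(z1, z2, x1_wheel, x2_wheel):
    """Zero count for every (o1, o2).  The intercept is first bucketed by
    (i mod 41, i mod 31), so each setting costs 1271 additions instead of a
    full pass over the message (the slides count 7 operations per position)."""
    dz = [a ^ b for a, b in zip(delta(z1), delta(z2))]
    zeros = [[0] * X2_LEN for _ in range(X1_LEN)]
    ones = [[0] * X2_LEN for _ in range(X1_LEN)]
    for i, bit in enumerate(dz):
        (ones if bit else zeros)[i % X1_LEN][i % X2_LEN] += 1
    dx1 = [x1_wheel[i] ^ x1_wheel[(i + 1) % X1_LEN] for i in range(X1_LEN)]
    dx2 = [x2_wheel[i] ^ x2_wheel[(i + 1) % X2_LEN] for i in range(X2_LEN)]
    scores = {}
    for o1 in range(X1_LEN):
        for o2 in range(X2_LEN):
            dx2_rot = [dx2[(b + o2) % X2_LEN] for b in range(X2_LEN)]
            total = 0
            for a in range(X1_LEN):
                da, za, oa = dx1[(a + o1) % X1_LEN], zeros[a], ones[a]
                for b in range(X2_LEN):
                    # dZ ^ dX == 0 exactly when dZ equals the guessed dX bit
                    total += oa[b] if da ^ dx2_rot[b] else za[b]
            scores[(o1, o2)] = total
    return scores


def recover_x_setting(z1, z2, x1_wheel, x2_wheel):
    """Best-scoring setting and its fraction of zeros (about 0.575 here; 0.5 is chance)."""
    scores = double_delta_scores(z1, z2, x1_wheel, x2_wheel)
    best = max(scores, key=scores.get)
    return best, scores[best] / len(z1)


def demo(seed=1943):
    """Generate one intercept and recover its X setting.  Returns (best, true, fraction)."""
    rng = random.Random(seed)
    z1, z2, w1, w2, true_setting = make_traffic(rng)
    best, frac = recover_x_setting(z1, z2, w1, w2)
    return best, true_setting, frac


if __name__ == "__main__":
    best, true_setting, frac = demo()
    print(f"true X setting {true_setting}, recovered {best}, zeros fraction {frac:.3f}")
```

With p_repeat = 0.3 the message term is 0 with probability 0.65, with p_motor_stop = 0.5 the S term is 0 with probability 0.75, and the XOR of the two is 0 with probability 0.65 × 0.75 + 0.35 × 0.25 = 0.575; a wrong X guess leaves a roughly balanced residue and scores near 0.5. Over 10,000 letters the gap is hundreds of counts against a standard deviation near 50, which is why the true setting is unambiguous, and why the slides’ point stands: the cipher leaks because the S-wheels all move or all stand still together.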
59. 1943: Build the first (?) electronic, programmable computer: Colossus
61. Impact on WWII
10 Colossus machines operated at Bletchley
Decoded 63 million letters in Nazi messages
Learned German troop locations to plan D-Day
62. Modern Cryptanalysis
• Basically the same
  + Bigger, faster computers
  – Less motivated, more bureaucratic government
• Know or reverse engineer cipher algorithm
• Look for statistical weaknesses in ciphers to get some small advantage: because all ciphers are imperfect, there must be some
• Reduce keyspace from brute-force search to smaller incremental search
64. Path to AES
• DES (Data Encryption Standard)
  – Developed at IBM in 1970s, selected as national standard by NSA in 1977
  – 56-bit key
• By 1999: distributed.net can break DES key in 22 hours (today: < $10K to break a DES key)
• NIST selected AES (Advanced Encryption Standard) in 2001
  – Open, public process
  – Winner: Rijndael (developed by two Belgians)
65. AES Round
Variable cost/strength:
  Key sizes: 128, 192, 256 bits
  Block sizes: 128, 192, 256 bits
  Rounds: 10, 12, or 14
Special AES instructions in x86
Each round (10-14 rounds total):
1. Byte substitution using non-linear S-Box (lookup table)
2. Shift rows (square)
3. Mix columns – matrix multiplication by polynomial
4. XOR with round key
66. Most Common Mistake
S-Boxes: x = S[b]. S is a 256-byte table, b is an index into the table.
The time this lookup takes varies based on the value of b and the state of the cache.
Keaton Mowery, Sriram Keelveedhi, and Hovav Shacham. Are AES x86 Cache Timing Attacks Still Feasible? (2012)
67.
[Figure: from Jeff Moser’s A Stick Figure Guide to the Advanced Encryption Standard (AES)]
68. Can the NSA break AES?
• Most actual uses: probably yes
  – This is because of implementation flaws and user mistakes
• Correct implementation: probably not
  – Best openly known attacks:
    • Related key attacks (2009): 2^95 operations (but only works in very rare circumstances)
    • Key recovery attack (2011): 2^126 operations (to recover 128-bit key)
69.
(Assumes most efficient computation physically possible and only bit flips for each operation.)
71. Summary
• Cryptography is an arms race between cryptographers and cryptanalysts
• In theory, the cryptanalysts should always win (all practical ciphers are imperfect)
• In our universe, computation requires energy, which is limited; who wins depends on deep questions we can’t yet answer (e.g., P = NP)
• In practice, most cryptosystems fail because of bad implementations and humans, not bad mathematics
[Figure fragment: “× 1 Trillion”]