CNIT 141
Cryptography for Computer Networks
4. Block Ciphers
Topics
• What is a Block Cipher
• How to Construct Block Ciphers
• The Advanced Encryption Standard (AES)
• Implementing AES
• Modes of Operation
• How Things Can Go Wrong
History
• US: Federal standard: DES (1979 - 2005)
• KGB: GOST 28147-89 (1990 - present)
• In 2000, NIST selected AES, developed in Belgium
• They are all block ciphers
What is a Block Cipher
Block Cipher
E Encryption algorithm
K Key
P Plaintext block
C Ciphertext block
C = E(K, P)
D Decryption algorithm
P = D(K, C)
Security Goals
• Block cipher should be a pseudorandom permutation (PRP)
• Attacker can't compute output without the key
• Attackers should be unable to find patterns in the inputs/output values
• The ciphertext should appear random
Block Size
• DES: 64 bit
• AES: 128 bit
• Chosen to fit into registers of CPUs for speed
• Block sizes below 64 are vulnerable to a codebook attack
• Encrypt every possible plaintext, place in a codebook
• Look up blocks of ciphertext in the codebook
How to Construct Block Ciphers
Two Techniques
• Substitution-permutation (AES)
• Feistel (DES)
Rounds
• R is a round; in practice, a simple transformation
• A block cipher with three rounds:
• C = R3(R2(R1(P)))
• iR is the inverse round function
• P = iR1(iR2(iR3(C)))
Round Key
• The round functions R1, R2, R3 use the same algorithm
• But a different round key
• Round keys are K1, K2, K3, ... derived from the main key K using a key schedule
The Slide Attack and Round Keys
• Consider a block cipher with three rounds, and with all the round keys identical
The Slide Attack and Round Keys
• If an attacker can find plaintext blocks with P2 = R(P1)
• That implies C2 = R(C1)
• Which often helps to deduce the key
The Slide Attack and Round Keys
• The solution is to make all round keys different
• Note: the key schedule in AES is not one-way
• Attacker can compute K from any Ki
• This exposes it to side-channel attacks, like measuring electromagnetic emanations
Substitution-Permutation Networks
• Confusion means that each ciphertext bit depends on several key bits
• Provided by substitution using S-boxes
• Diffusion means that changing a bit of plaintext changes many bits in the ciphertext
• Provided by permutation
Feistel Schemes
• Only half the plaintext is encrypted in each round
• By the F substitution-permutation function
• Halves are swapped in each round
• DES uses 16 Feistel rounds
CNIT 141: 4. Block Ciphers
The Advanced Encryption Standard (AES)
DES
• DES had a 56-bit key
• Cracked by brute force in 1997
• 3DES was a stronger version
• Still considered strong, but slower than AES
• AES approved as the NIST standard in 2000
• Link Ch 4a
AES in Python
    # Python 3 with PyCryptodome; the original slide used Python 2 print syntax and
    # PyCrypto's AES.new(key), which defaulted to ECB mode
    from Crypto.Cipher import AES

    plaintext = b"DEAD MEN TELL NO"    # exactly one 16-byte block
    key = b"AAAABBBBCCCCDDDD"          # 16-byte key: AES-128
    cipher = AES.new(key, AES.MODE_ECB)
    ciphertext = cipher.encrypt(plaintext)
    print(ciphertext)                  # raw bytes, mostly non-printable
    print(ciphertext.hex())            # 8fc96bdbb85c8155896088b4ca201b7e
    print(cipher.decrypt(ciphertext))  # b'DEAD MEN TELL NO'
Implementing AES
Improving Efficiency
• Implementing each step as a separate function works, but it's slow
• Combining them with "table-based implementations" and "native instructions" is faster
• Using XORs and table lookups
OpenSSL Code is Table-Based
Timing Attacks
• The time required for encryption depends on the key
• Measuring timing leaks information about the key
• This is a problem with any efficient coding
• You could use slow code that wastes time
• A better solution relies on hardware
Native Instructions
• AES-NI
• Processor provides dedicated assembly instructions that perform AES
• Plaintext in register xmm0
• Round keys in xmm5 to xmm15
• Ten times faster with NI
Is AES Secure?
• AES implements many good design principles
• Proven to resist many classes of cryptanalytic attacks
• But no one can foresee all possible future attacks
• So far, no significant weakness in AES-128 has been found
Modes of Operation
Electronic Code Book (ECB)
• Each plaintext block is encrypted the same way
• Identical plaintext blocks produce identical ciphertext blocks
AES-ECB
• If plaintext repeats, so does ciphertext
    # continuing with the cipher object from the previous slide (AES-128, ECB mode)
    plaintext = b"DEAD MEN TELL NODEAD MEN TELL NO"   # the same 16-byte block twice
    ciphertext = cipher.encrypt(plaintext)
    print(ciphertext.hex())
    # 8fc96bdbb85c8155896088b4ca201b7e8fc96bdbb85c8155896088b4ca201b7e
Staples Android App
• Link Ch 4b
Encrypted Password Repeats
ECB Mode
• Encrypted image retains large blocks of solid color
Cipher Block Chaining (CBC)
• Uses a key and an initialization vector (IV)
• Output of one block is the IV for the next block
• IV is not secret; sent in the clear
CBC Mode
• Encrypted image shows no patterns
Choosing IV
• If the same IV is used every time
• The first block is always encrypted the same way
• Messages with the same first plaintext block will have identical first ciphertext blocks
Parallelism
• ECB can be computed in parallel
• Each block is independent
• CBC requires serial processing
• Output of each block used to encrypt the next block
Message Length
• AES requires 16-byte blocks of plaintext
• Messages must be padded to make them long enough
PKCS#7 Padding
• The last byte of the plaintext is always between '\x00' and '\x10'
• Discard that many bytes to get the original plaintext
Padding Oracle Attack
• Almost everything uses PKCS#7 padding
• But if the system displays a "Padding Error" message, the whole system shatters like glass
• That message is sufficient side-channel information to allow an attacker to forge messages without the key
Ciphertext Stealing
• Pad with zeroes
• Swap last two blocks of ciphertext
• Discard extra bytes at the end
• Images on next slides from Wikipedia
Ciphertext Stealing
Encryption
Ciphertext Stealing
Decryption
Security of Ciphertext Stealing
• No major problems
• Inelegant and difficult to get right
• NIST SP 800-38A specifies three different ways to implement it
• Rarely used
Counter (CTR) Mode
(Diagram: counter blocks C1, C2, C3, each encrypted by E under key K)
Counter (CTR) Mode
• Produces a pseudorandom byte stream
• XOR with plaintext to encrypt
Nonce
• Nonce (N) used to produce C1, C2, C3, etc.
• C1 = N ^ 1
• C2 = N ^ 2
• C3 = N ^ 3
• etc.
• Use a different N for each message
• N is not secret, sent in the clear
No Padding
• CTR mode uses a block cipher to produce a pseudorandom byte stream
• Creates a stream cipher
• Message can have any length
• No padding required
Parallelizing
• CTR is faster than any other mode
• Stream can be computed in advance, and in parallel
• Before even knowing the plaintext
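The modes from the last few slides, as an added example that is not the slides' own code: a toy Feistel block cipher built from SHA-256 (which also illustrates the earlier Rounds and Feistel slides) stands in for AES so this runs with the standard library alone, and ECB, CBC with PKCS#7 padding and CTR are built on top of it. Every function name here is mine, and the toy cipher is for demonstration only, not a vetted cipher.

```python
import hashlib

BLOCK = 16          # 128-bit block, like AES
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_keys(key: bytes, rounds: int = 4) -> list:
    # Toy key schedule: round key i = SHA-256(key || i). Unlike AES's schedule
    # it is one-way: learning one round key does not hand back K.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def _feistel(round_keys: list, block: bytes) -> bytes:
    # Feistel pass: each round encrypts only half the state, then the halves swap.
    # Running the same pass with the round keys in reverse order inverts it.
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rk in round_keys:
        f_out = hashlib.sha256(rk + right).digest()[:HALF]   # F(round key, right half)
        left, right = right, _xor(left, f_out)
    return right + left     # undo the final swap


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(_round_keys(key), block)


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(_round_keys(key)[::-1], block)


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK    # always 1..16: a full last block gets a whole pad block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        # Telling the sender that *this* check failed is the padding-oracle side channel;
        # real systems authenticate the ciphertext before they ever reach this point.
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Blocks are encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in _blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return pkcs7_unpad(b"".join(decrypt_block(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV for the first).
    out, prev = [], iv
    for b in _blocks(pkcs7_pad(plaintext)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ciphertext):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return pkcs7_unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter block i = N ^ i as on the slides (N a 16-byte nonce, i a big-endian integer).
    # Encrypting the counters yields a keystream, so there is no padding and
    # the same call both encrypts and decrypts.
    n = int.from_bytes(nonce, "big")
    stream = b"".join(encrypt_block(key, (n ^ i).to_bytes(BLOCK, "big"))
                      for i in range(1, len(_blocks(data)) + 1))
    return _xor(data, stream)


if __name__ == "__main__":
    key, msg = b"AAAABBBBCCCCDDDD", b"DEAD MEN TELL NO" * 2    # constructed sample input
    print("ECB:", ecb_encrypt(key, msg).hex())                 # blocks 1 and 2 identical
    print("CBC:", cbc_encrypt(key, bytes(BLOCK), msg).hex())   # no repeated block
    print("CTR:", ctr_crypt(key, bytes(BLOCK), msg).hex())     # 32 bytes, no padding
```

Under ECB the two identical plaintext blocks encrypt to the same ciphertext block and under CBC they do not; with CTR, encrypting two messages under one nonce makes the XOR of the ciphertexts equal the XOR of the plaintexts, which is why the slides insist on a fresh N per message.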
How Things Can Go Wrong
Two Attacks
• Meet-in-the-middle
• Padding oracle
Meet-in-the-Middle Attacks
• 3DES does three rounds of DES
• Why not 2DES?
University of Houston
Attacking 2DES
• Two 56-bit keys, total 112 bits
• End-to-end brute force would take 2^112 calculations
Attacking 2DES
• Attacker inputs known P and gets C
• Wants to find K1, K2
Attacking 2DES
• Make a list of E(K1, P) for all 2^56 values of K1
• Make a list of D(K2, C) for all 2^56 values of K2
• Find the item with the same value in each list
• This finds K1 and K2 with 2^57 computations
Meet-in-the-Middle Attack on 3DES
• One table has 2^56 entries
• The other one has 2^112 entries
• 3DES has 112 bits of security
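The 2DES attack walked through above, as an added example that is not from the slides: the same meet-in-the-middle search run against double encryption with a toy 16-bit block cipher and 16-bit keys, so the whole thing finishes in a couple of seconds. The toy cipher and all names are mine; the table matches D(K2, C) against E(K1, P), and because a 16-bit block only pins down 16 bits per known pair, extra known pairs are used to discard false matches.

```python
MASK = 0xFFFF      # toy cipher: 16-bit block, 16-bit key (the 56-bit DES key scaled down)


def toy_encrypt(k: int, p: int) -> int:
    # Keyed add-rotate-xor: invertible and key-dependent, nothing more. Not a real cipher.
    x = (p + k) & MASK
    x = ((x << 5) | (x >> 11)) & MASK
    return x ^ k


def toy_decrypt(k: int, c: int) -> int:
    x = c ^ k
    x = ((x >> 5) | (x << 11)) & MASK
    return (x - k) & MASK


def double_encrypt(k1: int, k2: int, p: int) -> int:
    # "2DES": C = E(K2, E(K1, P)); exhaustive search over both keys is 2^32 trials here.
    return toy_encrypt(k2, toy_encrypt(k1, p))


def meet_in_the_middle(pairs: list) -> tuple:
    """pairs: known (P, C) pairs with C = double_encrypt(K1, K2, P).
    Returns (candidate (K1, K2) pairs, cipher operations spent in the table phase)."""
    p0, c0 = pairs[0]
    # Step 1: E(K1, P0) for every K1 (2^16 encryptions), stored in a table.
    forward = {}
    for k1 in range(MASK + 1):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Step 2: D(K2, C0) for every K2 (2^16 decryptions); a value already in the
    # table "meets in the middle" and yields a candidate (K1, K2).
    candidates = [(k1, k2) for k2 in range(MASK + 1)
                  for k1 in forward.get(toy_decrypt(k2, c0), ())]
    work = 2 * (MASK + 1)        # 2^17 operations instead of 2^32
    # Step 3: one pair pins down only 16 of the 32 key bits, so about 2^16 false
    # matches survive; each additional known pair filters them roughly 2^16-fold.
    for p, c in pairs[1:]:
        candidates = [(k1, k2) for k1, k2 in candidates if double_encrypt(k1, k2, p) == c]
    return candidates, work


if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF                                   # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x0000, 0x5A5A, 0xC3C3)]
    found, work = meet_in_the_middle(pairs)
    print(f"{work} operations; candidates: {[(hex(a), hex(b)) for a, b in found]}")
```

Scaling the same count to DES gives the slide's figures: two tables of 2^56 entries, 2^57 operations, against the 2^112 an end-to-end brute force would need.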
Padding Oracle
• Change the last byte in second block
• This changes the 17 bytes shown in red
Padding Oracle
• Try all 256 values of last byte in second block
• One of them has valid padding of 'x01'
• This determines the orange byte
Padding Oracle
• Continue; 256 guesses finds the next orange byte
  • 8. How to Construct Block Ciphers
  • 10. Rounds • R is a round --in practice, a simple transformation • A block cipher with three rounds: • C = R3(R2(R1(P))) • iR is the inverse round function • I = iR1(iR2(iR3(C)))
  • 11. Round Key • The round functions R1 R2 R3 use the same algorithm • But a different round key • Round keys are K1, K2, K3, ... derived from the main key K using a key schedule
  • 12. The Slide Attack and Round Keys • Consider a block cipher with three rounds, and with all the round keys identical
  • 13. The Slide Attack and Round Keys • If an attacker can find plaintext blocks with P2 = R(P1) • That implies C2 = R(C1) • Which often helps to deduce the key
  • 14. The Slide Attack and Round Keys • The solution is to make all round keys different • Note: the key schedule in AES is not one-way • Attacker can compute K from any Ki • This exposes it to side-channel attacks, like measuring electromagnetic emanations
  • 15. Substitution-Permutation Networks • Confusion means that each ciphertext bit depends on several key bits • Provided by substitution using S-boxes • Diffusion means that changing a bit of plaintext changes many bits in the ciphertext • Provided by permutation
  • 16. Feistel Schemes • Only half the plaintext is encrypted in each round • By the F substitution-permutation function • Halves are swapped in each round • DES uses 16 Feistel rounds
  • 19. DES • DES had a 56-bit key • Cracked by brute force in 1997 • 3DES was a stronger version • Still considered strong, but slower than AES • AES approved as the NIST standard in 2000
  • 24. AES in Python (Python 2 with PyCrypto; AES.new with no mode argument defaults to ECB)
    from Crypto.Cipher import AES
    plaintext = "DEAD MEN TELL NO"
    key = "AAAABBBBCCCCDDDD"
    cipher = AES.new(key)
    ciphertext = cipher.encrypt(plaintext)
    print ciphertext
    (raw binary output, not printable)
    print ciphertext.encode("hex")
    8fc96bdbb85c8155896088b4ca201b7e
    print cipher.decrypt(ciphertext)
    DEAD MEN TELL NO
  • 26. Improving Efficiency • Implementing each step as a separate function works, but it's slow • Combining them with "table-based implementations" and "native instructions" is faster • Using XORs and table lookups
  • 28. Timing Attacks • The time required for encryption depends on the key • Measuring timing leaks information about the key • This is a problem with any efficient coding • You could use slow code that wastes time • A better solution relies on hardware
  • 29. Native Instructions • AES-NI • Processor provides dedicated assembly instructions that perform AES • Plaintext in register xmm0 • Round keys in xmm5 to xmm15 • Ten times faster with NI
  • 30. Is AES Secure? • AES implements many good design principles • Proven to resist many classes of cryptanalytic attacks • But no one can foresee all possible future attacks • So far, no significant weakness in AES-128 has been found
  • 32. Electronic Code Book (ECB) • Each plaintext block is encrypted the same way • Identical plaintext blocks produce identical ciphertext blocks
  • 33. AES-ECB • If plaintext repeats, so does ciphertext
    plaintext = "DEAD MEN TELL NODEAD MEN TELL NO"
    ciphertext = cipher.encrypt(plaintext)
    print ciphertext.encode("hex")
  • 36. ECB Mode • Encrypted image retains large blocks of solid color
  • 37. Cipher Block Chaining (CBC) • Uses a key and an initialization vector (IV) • Output of one block is the IV for the next block • IV is not secret; sent in the clear
  • 38. CBC Mode • Encrypted image shows no patterns
  • 39. Choosing IV • If the same IV is used every time • The first block is always encrypted the same way • Messages with the same first plaintext block will have identical first ciphertext blocks
  • 40. Parallelism • ECB can be computed in parallel • Each block is independent • CBC requires serial processing • Output of each block used to encrypt the next block
  • 41. Message Length • AES requires 16-byte blocks of plaintext • Messages must be padded to make them long enough
  • 42. PKCS#7 Padding • The last byte of the plaintext is always between 'x00' and '10' • Discard that many bytes to get original plaintext
  • 43. Padding Oracle Attack • Almost everything uses PKCS#7 padding • But if the system displays a "Padding Error" message the whole system shatters like glass • That message is sufficient side-channel information to allow an attacker to forge messages without the key
  • 44. Ciphertext Stealing • Pad with zeroes • Swap last two blocks of ciphertext • Discard extra bytes at the end • Images on next slides from Wikipedia
  • 47. Security of Ciphertext Stealing • No major problems • Inelegant and difficult to get right • NIST SP 800-38A specifies three different ways to implement it • Rarely used
  • 49. Counter (CTR) Mode • (Figure: counter blocks C1, C2, C3, each encrypted with E under key K) • Produces a pseudorandom byte stream • XOR with plaintext to encrypt
  • 50. Nonce • Nonce (N) used to produce C1, C2, C3, etc. • C1 = N ^ 1 • C2 = N ^ 2 • C3 = N ^ 3 • etc. • Use a different N for each message • N is not secret, sent in the clear
  • 51. No Padding • CTR mode uses a block cipher to produce a pseudorandom byte stream • Creates a stream cipher • Message can have any length • No padding required
  • 52. Parallelizing • CTR is faster than any other mode • Stream can be computed in advance, and in parallel • Before even knowing the plaintext
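The modes on slides 32 through 52, worked as an added example that is not from the slides or from PyCrypto: a pure-Python AES-128 block encryption following FIPS-197 (checked against the FIPS-197 Appendix C test vector), driven in ECB, CBC and CTR with the slide-24 key and plaintext so the repeated-block leak of slide 33 is visible. The function names, the 128-bit "nonce XOR counter" block layout used for slide 50, and the demo_modes() helper are this example's own choices, and a vetted library is what production code should use.

```python
import os

# AES-128 primitives (FIPS-197), written out here for illustration only.

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """General GF(2^8) multiplication; used here only to derive the S-box."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box = multiplicative inverse followed by the AES affine map (sbox[0] = 0x63)."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """Key schedule (slide 11): one 16-byte key -> 11 distinct 16-byte round keys."""
    w, rcon = list(key), 1
    for i in range(4, 44):
        t = w[-4:]
        if i % 4 == 0:                                   # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xtime(rcon)
        w += [w[(i - 4) * 4 + j] ^ t[j] for j in range(4)]
    return [w[16 * r:16 * r + 16] for r in range(11)]

def _mix_column(a0, a1, a2, a3):
    t = a0 ^ a1 ^ a2 ^ a3
    return [a0 ^ t ^ xtime(a0 ^ a1), a1 ^ t ^ xtime(a1 ^ a2),
            a2 ^ t ^ xtime(a2 ^ a3), a3 ^ t ^ xtime(a3 ^ a0)]

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state is kept column-major in a flat list, matching input order."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]                               # initial AddRoundKey
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # last round skips MixColumns
            s = [v for c in range(4) for v in _mix_column(*s[4 * c:4 * c + 4])]
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)

def ecb_encrypt(key, data):
    """ECB (slide 32): blocks encrypted independently, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(aes128_encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))

def cbc_encrypt(key, iv, data):
    """CBC (slide 37): XOR each block with the previous ciphertext block (the IV for the first one)."""
    out, prev = [], iv
    for i in range(0, len(data), 16):
        prev = aes128_encrypt_block(key, bytes(p ^ c for p, c in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    """CTR (slide 50): counter block i is N ^ i, with N a 16-byte nonce read as a 128-bit integer
    (this example's layout). Keystream XOR data: one call encrypts and decrypts, no padding needed."""
    n, out = int.from_bytes(nonce, "big"), bytearray()
    for blk, i in enumerate(range(0, len(data), 16), start=1):
        keystream = aes128_encrypt_block(key, (n ^ blk).to_bytes(16, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + 16], keystream))    # zip trims the last block
    return bytes(out)

def demo_modes():
    """Constructed input from slides 24 and 33: does ECB repeat? Does CBC with a fresh IV repeat?"""
    key, msg = b"AAAABBBBCCCCDDDD", b"DEAD MEN TELL NO" * 2
    ecb, cbc = ecb_encrypt(key, msg), cbc_encrypt(key, os.urandom(16), msg)
    return ecb[:16] == ecb[16:], cbc[:16] == cbc[16:]
```

demo_modes() returns (True, False): the two identical plaintext blocks give identical ECB ciphertext blocks and different CBC ones. ecb_encrypt and cbc_encrypt expect input already a multiple of 16 bytes (slide 41); ctr_crypt accepts any length, which is the "no padding" property of slide 51.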
  • 53. How Things Can Go Wrong
  • 55. Meet-in-the-Middle Attacks • 3DES does three rounds of DES • Why not 2DES? • (Image: University of Houston)
  • 56. Attacking 2DES • Two 56-bit keys, total 112 bits • End-to-end brute force would take 2^112 calculations
  • 57. Attacking 2DES • Attacker inputs known P and gets C • Wants to find K1, K2
  • 58. Attacking 2DES • Make a list of E(K1, P) for all 2^56 values of K1 • Make a list of D(K2, P) for all 2^56 values of K2 • Find the item with the same values in each list • This finds K1 and K2 with 2^57 computations
  • 59. Meet-in-the-Middle Attack on 3DES • One table has 2^56 entries • The other one has 2^112 entries • 3DES has 112 bits of security
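The meet-in-the-middle argument of slides 55 through 59, run as an added example that is not from the slides: a constructed 16-bit toy block cipher (rotate/multiply/XOR rounds with distinct round keys, not DES) applied twice under two independent 16-bit keys, and the table-based attack that recovers both keys from a few known plaintext/ciphertext pairs in about 2^17 cipher calls, where an end-to-end search of the nominal 32-bit key would need 2^32. The cipher, its key schedule and every key value are this example's inventions; the point is the security-engineering lesson that double encryption does not double the key strength.

```python
MASK = 0xFFFF
MUL = 0x4E35                        # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)
ROUNDS = 4

def _rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def _round_key(key, r):
    """Distinct round keys (slide 14) from a cheap constructed key schedule."""
    return (key + 0x9E37 * (r + 1)) & MASK

def toy_encrypt(key, block):
    """Constructed 16-bit block cipher: XOR round key, multiply, rotate; final key whitening."""
    for r in range(ROUNDS):
        block = _rotl16(((block ^ _round_key(key, r)) * MUL) & MASK, 5)
    return block ^ _round_key(key, ROUNDS)

def toy_decrypt(key, block):
    """Inverse: undo whitening, then each round backwards (rotate right 5 == rotate left 11)."""
    block ^= _round_key(key, ROUNDS)
    for r in reversed(range(ROUNDS)):
        block = ((_rotl16(block, 11) * MUL_INV) & MASK) ^ _round_key(key, r)
    return block

def double_encrypt(k1, k2, block):
    """'2DES'-style construction: E(K2, E(K1, P)), nominally a 32-bit key."""
    return toy_encrypt(k2, toy_encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs, as on slide 58: one table of E(K1, P) over
    every K1, then one pass of D(K2, C) over every K2 looking for a table hit. Extra pairs
    weed out false positives, since a 16-bit match is accidental with probability 2^-16."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}
    for k1 in range(1 << 16):                       # 2^16 encryptions
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(1 << 16):                       # 2^16 decryptions
        mid = toy_decrypt(k2, c0)
        for k1 in forward.get(mid, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                return k1, k2
    return None

if __name__ == "__main__":
    k1, k2 = 0xC0DE, 0x5EED                          # constructed secret keys
    known = [(p, double_encrypt(k1, k2, p)) for p in (0x0001, 0x4242, 0xFFFF)]
    print(meet_in_the_middle(known) == (k1, k2))
```

The table costs memory proportional to 2^16 entries here and 2^56 for real 2DES, which is why the slides count 2^57 computations rather than 2^112: the attacker trades space for time. With a third DES layer, one of the two tables would need 2^112 entries, which restores 112 bits of effective security.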
  • 62. Padding Oracle • Change the last byte in second block • This changes the 17 bytes shown in red
  • 63. Padding Oracle • Try all 256 values of last byte in second block • One of them has valid padding of 'x01' • This determines the orange byte
  • 64. Padding Oracle • Continue, 256 guesses finds the next orange byte
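PKCS#7 padding from slide 42 and the authenticate-before-unpad defence against the padding oracle of slides 43 and 62 through 64, as an added example that is not from the slides: a pad and a strict unpad for 16-byte blocks, and an open_authenticated() wrapper that checks an HMAC tag over the ciphertext first and reports a single generic failure, so a padding error on attacker-modified ciphertext is never observable. The seal/open names, the repeating-key XOR stand-in for the block cipher, and the sample messages are constructed for this example; the ordering and the error handling are what it demonstrates, not the cipher.

```python
import hmac
import hashlib

BLOCK = 16

def pkcs7_pad(data, block=BLOCK):
    """Append n bytes of value n (1 <= n <= block). An already aligned message gets a
    full block of padding, which keeps unpadding unambiguous."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n

def pkcs7_unpad(data, block=BLOCK):
    """Strict inverse: the length, the count byte and every padding byte are all checked."""
    if not data or len(data) % block:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def is_valid_padding(data, block=BLOCK):
    """The one bit a padding oracle leaks per query (slide 43); exposed only for the test."""
    try:
        pkcs7_unpad(data, block)
        return True
    except ValueError:
        return False

def seal(mac_key, encrypt, plaintext):
    """Encrypt-then-MAC (constructed wrapper): pad, encrypt, then tag the ciphertext."""
    ct = encrypt(pkcs7_pad(plaintext))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_authenticated(mac_key, decrypt, blob):
    """Verify the tag in constant time before touching the padding; return None for *any*
    failure. Flipped ciphertext bytes (slide 62) are rejected here, so pkcs7_unpad never
    runs on attacker-chosen data and there is no oracle to query."""
    if len(blob) < 32:
        return None
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    try:
        return pkcs7_unpad(decrypt(ct))
    except ValueError:
        return None

def _toy_xor_cipher(key):
    """Insecure stand-in so the wrapper runs offline: repeating-key XOR (its own inverse)."""
    def f(data):
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return f

def demo_padding():
    """Constructed run: a sealed message opens; the same blob with one byte flipped does not."""
    cipher = _toy_xor_cipher(b"constructed-enc-key")
    mac_key = b"constructed-mac-key"
    blob = seal(mac_key, cipher, b"DEAD MEN TELL NO TALES")
    tampered = bytearray(blob)
    tampered[15] ^= 0x01                             # change the last byte of the first block
    return (open_authenticated(mac_key, cipher, blob),
            open_authenticated(mac_key, cipher, bytes(tampered)))
```

demo_padding() returns the original message for the intact blob and None for the tampered one. The caller never learns whether a rejection came from the tag or from the padding, which is the property the padding oracle attack depends on being absent.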