May 30th – 31st, 2006 Sheraton Ottawa. Implementing Advanced Cryptography - Suite-B William...


Page 1: May 30th – 31st, 2006 Sheraton Ottawa. Implementing Advanced Cryptography - Suite-B William Billings, CISSP Chief Security Advisor Microsoft US Federal

May 30th – 31st, 2006

Sheraton Ottawa

Page 2:

Implementing Advanced Cryptography - Suite-B

William Billings, CISSP

Chief Security Advisor

Microsoft US Federal

Microsoft Corporation

Page 3:

Overview

Review the current state of the cryptographic algorithms

The legacy algorithms: RSA, DES and the hashing functions

The most recent attacks against these algorithms and possible implications

Projected performance – speed vs strength trade-offs

Latest suite of commercial algorithms adopted within the US, NATO and Financial institutions: Suite-B

Elliptic Curve Cryptography

AES symmetric key algorithms

SHA-2 hash algorithms

Page 5:

The Problem of Aging Algorithms

40-bit cryptography used to be required for export control

Considered almost trivial to break

56-bit DES was broken several years ago for less than $300K

128-bit MD4 hash is the equivalent of a 64-bit symmetric key algorithm and has been broken with a paper-and-pencil attack

128-bit MD5 has been broken by a Chinese team

Page 6:

The Problem of Aging Algorithms

80-bit crypto has a limited lifetime

SHA-1 has only $2^{80}$ strength, assuming the attacker can obtain $2^{40}$ cipher pairs

RSA-1024 is considered the equivalent of $2^{80}$ strength

The handwriting is on the wall

NIST recommends phasing out 80-bit crypto by 2010

Agencies need to initiate policies and architectures now for eventual migration to stronger cryptography

Page 7:

Stronger (but Slower) keys can be used

RSA-2048 is somewhat stronger than RSA-1024, but requires substantially more processing power

RSA-2048 is equivalent to a 112-bit symmetric key algorithm

SHA-1 still has only $2^{69}$ strength, but very few applications support the new “SHA-2” algorithms yet

Three-key triple DES has only $2^{112}$ strength, again due to time-memory tradeoffs

NIST recommends phasing out 112-bit crypto by 2030

Significantly stronger and faster alternatives are available today.

Page 8:

Is All This Strength Really Necessary?

“Prediction is very difficult, especially if it’s about the future.”

Niels Bohr, Nobel laureate in Physics

Page 9:

Home Computer Prediction?

Page 10:

Is All This Strength Really Necessary?

Predictions of cryptographic strength are seldom too conservative

When DES was first announced, IBM and NIST predicted that it would take centuries of computer power to break it

Now it can be broken in less than a day, with only a modest investment

Similar claims were initially made about RSA-512

The original Secure Hash Algorithm, designed by NSA, lasted two years before it was replaced by SHA-1

Page 11:

RSA: Key Length vs. Strength

RSA is inefficient – it gains strength slowly

RSA-1024 is equivalent to an 80-bit symmetric key

RSA-2048 is equivalent to a 112-bit key (3DES)

RSA-3072 is equivalent to a 128-bit key (AES)

RSA-7680 is equivalent to a 192-bit AES key

RSA-15,380 is required to equal an AES-256 key!

Bad news for high strength keys

But that’s not all – the performance is terrible

Page 12:

RSA Key Length vs. Performance

The computation time required for larger keys increases rapidly

The time required for signing is proportional to the cube of the key length

RSA-2048 operations require 8 times as long as RSA-1024

Example – 60 ms for RSA-1024 sign. 600 ms for RSA-2048

RSA-15,360 would take 3375 times RSA-1024, or 200 seconds!

Fortunately, there is an alternative – the Suite-B algorithms.
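The two RSA slides above (key length vs. strength, and key length vs. performance) can be approximated numerically. This is an added example, not part of the presentation: it estimates RSA strength from the asymptotic running time of the general number field sieve and applies the slide's cube rule for signing cost. The calibration constant 4.69 and all function names are assumptions made here (the constant is chosen so that a 1024-bit modulus comes out near 80 bits); the slide values remain the published equivalences.

```python
import math

GNFS_CONSTANT = (64 / 9) ** (1 / 3)  # ~1.923, from the GNFS running-time estimate
CALIBRATION = 4.69                   # assumption: puts a 1024-bit modulus near 80 bits

# Equivalences as listed on the slides (modulus bits -> symmetric key bits).
# 15360 is the modulus size used on the performance slide.
SLIDE_EQUIVALENTS = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def rsa_strength_bits(modulus_bits):
    """Estimated symmetric-equivalent strength of an RSA modulus.

    Uses exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) as the factoring work,
    converted to a power of two.
    """
    ln_n = modulus_bits * math.log(2)
    work = GNFS_CONSTANT * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return (work - CALIBRATION) / math.log(2)


def modulus_for_strength(target_bits, step=256):
    """Smallest modulus size (a multiple of `step`) reaching the target strength."""
    bits = step
    while rsa_strength_bits(bits) < target_bits:
        bits += step
    return bits


def relative_sign_cost(modulus_bits, baseline_bits=1024):
    """Signing time relative to the baseline, using the slide's cube rule."""
    return (modulus_bits / baseline_bits) ** 3


def comparison_rows():
    """(modulus bits, slide value, model estimate, relative signing cost)."""
    return [
        (bits, slide, round(rsa_strength_bits(bits), 1), relative_sign_cost(bits))
        for bits, slide in SLIDE_EQUIVALENTS.items()
    ]


if __name__ == "__main__":
    print("modulus  slide  model  sign-cost")
    for bits, slide, model, cost in comparison_rows():
        print(f"{bits:7d}  {slide:5d}  {model:5.1f}  {cost:9.0f}x")
```

The model tracks the slide values to within a few bits and shows the same pattern: each doubling of the modulus multiplies signing cost by 8 while adding far fewer bits of strength than the doubling before it.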

Page 14:

Suite-B

Previously, NIST’s open crypto algorithms used to protect SBU data could not be used to protect classified data.

That is no longer the case: there is now a standardized, public set of algorithms that can be used to protect both unclassified and classified information.

The result is Suite-B, a selected subset of the NIST toolkit for classified applications up through Top Secret

Specific approval is still required for the implementations and systems that are used to protect classified information

Expect more guidance on acceptable key management

Should be consistent with SP 800-57

Page 15:

Suite-B - Background

US Government, NATO and some in the Financial sector are adopting the Suite-B algorithms for use in multinational information sharing environments.

Although approved for classified data, the algorithms themselves are unclassified and approved for worldwide use

There are three components:

Elliptic Curve Cryptography (ECC)

The Advanced Encryption Standard (AES)

SHA-2 hash algorithms

Page 16:

Elliptic Curve Cryptography

ECC was invented by Neal Koblitz and Victor Miller in 1985, eight years after the RSA algorithm

ECC has been studied extensively for 20+ years and is well recognized and accepted world-wide for its strong number-theoretic foundation.

ECC has been standardized internationally by ISO and the IETF and within the US by ANSI and NIST

Page 17:

Elliptic Curve Cryptography

An elliptic curve is NOT an ellipse!

Page 18:

Elliptic Curve Cryptography

NIST has defined several sets of curves, the most important of which are generated by equations of the form

$y^2 = x^3 - 3x + b \bmod p$

Three curves in GF(p) are particularly important:

P-256, with a 256-bit key, equivalent to AES-128

P-384, with a 384-bit key, equivalent to AES-192

P-521, with a 521-bit key, equivalent to AES-256

These three curves and key sizes form the heart of Suite-B algorithms

Page 19:

ECC Performance

Elliptic Curve Cryptography is much stronger per bit than RSA and is less computationally intensive

P-256 is equivalent to RSA-3,072

P-384 is equivalent to RSA-7,680

P-521 is equivalent to RSA-15,380

The performance of ECC is also proportional to the cube of the key size, but the keys are much smaller and more efficient in strength

P-256 is faster than RSA-2048 and much faster than RSA-3062. After that, there is no contest!

Page 20:

ECC Algorithms

ECDSA is the elliptic curve equivalent of the DSA signature algorithms and is standardized in FIPS 186-2

EC Diffie-Hellman is a key establishment algorithm with five different variations

ECMQV is another, stronger, key establishment algorithm that is patented by Certicom

ECIES is an ECC encryption algorithm that is standardized by ISO, but has been rejected by NIST.

Page 21:

AES and SHA-2

The Advanced Encryption Standard (AES) was selected by NIST after an extensive competition and trials

Initially called Rijndael, it was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen

AES-128 is significantly faster and stronger than triple-DES and AES-256 is only slightly slower

AES-256 is rapidly becoming the de facto standard

The SHA-224/256/384/512 hash functions are significantly stronger than SHA-1, although somewhat slower

Page 22:

ECC, AES and SHA-2

Suite-B adoption timelines (US):

AES was approved in 2001

ECDSA with recommended curves was approved in 2001

SHA-224/256/384/512 was approved in 2002

NIST’s SP 800-56A, March 2003

NSA announced the term Suite-B at RSA Conference 2005

Page 23:

Why AES 256 with ECC 384 in Suite-B?

Theoretically

AES 256 is equivalent to ECC 512

AES 192 is equivalent to ECC 384

AES 256 with ECC 384 seems a mismatch

But there is very little performance penalty for AES 256

About a 20% difference

A lot of people are choosing to use AES 256

There is a significant performance cost going to ECC 512 and ECC 384 is strong enough for Top Secret

Make life simple: use ECC 384, which is fast and strong enough, with AES 256 which is strong and fast enough.

Page 24:

Suite-B: The algorithms

Encryption Algorithm AES (FIPS 197)

AES-128 up to SECRET

AES-256 up to TOP SECRET

Digital Signature (FIPS 186-3)

ECDSA with 256-bit prime modulus up to SECRET

ECDSA with 384-bit prime modulus up to TOP SECRET

Key Agreement (NIST SP 800-56A)

EC Diffie-Hellman or EC MQV with 256-bit prime modulus up to SECRET

EC Diffie-Hellman or EC MQV with 384-bit prime modulus up to TOP SECRET

Hash Functions (FIPS 180-2)

SHA-256 up to SECRET

SHA-384 up to TOP SECRET

Page 25:

Suite-B: Bottom Line

There are requirements to do both classified and unclassified applications

National security apps. need to use ordinary commercial software

No fundamental difference between algorithms for SBU & classified

In the US there is cooperation between Civilian government and DoD: cryptography for both SBU and classified

NSA approval of implementations required for classified

Expect NSA-managed keying material for classified apps.

Unclassified users must have CMVP validated crypto modules

More choices of algorithms including the ones in Suite-B

Users typically generate their own keys

Nobody loses; some of us gain

Page 26:

Microsoft’s Implementation

We began a Corporate-wide investment in Cryptographic Modernization in 2005

We had been watching ECC technology for a number of years, waiting for consensus as to fields, curves and key lengths

When NSA announced Suite-B we decided the time was right for implementation.

We have implemented the Suite-B algorithms in Vista Client and Longhorn Server. There are some plans for down-level implementation in XP/Server 2003.

For all internal implementations Microsoft will not use weaker algorithms than Suite-B

But, of course, will support your choice of crypto algorithms

Page 27:

Vista Suite-B Specifics

Encryption: AES

FIPS 197 (with key sizes of 128 and 256 bits)

Digital Signature: Elliptic Curve Digital Signature Algorithm

FIPS 186-2 (using the curves with 256 and 384-bit prime moduli)

Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQV

Draft NIST Special Publication 800-56 (using the curves with 256 and 384-bit prime moduli)

Hashing: Secure Hash Algorithm

FIPS 180-2 (using SHA-256 and SHA-384)

Page 28:

Crypto Next Generation

New crypto infrastructure to replace existing CAPI 1.0 APIs

CAPI will still be available in Vista but it will be deprecated in some future version

Customers can plug a new crypto algorithm into Windows or replace the implementation of an existing algorithm

New crypto algorithms can be plugged into OS protocols (e.g. SSL, S/MIME)

Page 30:

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.