block cipher operation - parkjonghyuk.net · contents multiple encryption and triple des electronic...
TRANSCRIPT
BLOCK CIPHER OPERATION
ABHILASH SREERAMANENI
Department Of Computer Science
Seoul National University Of Science And Technology
2013-2014
1
CONTENTS
Multiple Encryption and Triple DES
Electronic Code Book (ECB)
Cipher Block Chaining Mode(CBC)
Cipher Feedback Mode (CFB)
Output Feedback Mode (OFB)
Counter Mode(CTR)
XTS-AES Mode
2
MULTIPLE ENCRYPTION AND TRIPLE DES
Double DES
Triple DES with Two Keys
Triple DES with Three Keys
3
MULTIPLE ENCRYPTION AND TRIPLE DES
Double DES The simplest form of multiple encryption has two encryption stages and
two keys . Given a plaintext P and two encryption keys K1 and K2,
ciphertext C is generated as
C = E(K2, E(K1, P))
Decryption requires that the keys be applied in reverse order:
P = D(K1, D(K2, C))
For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits,
resulting in a dramatic increase in cryptographic strength.
4
MULTIPLE ENCRYPTION AND TRIPLE DES DOUBLE ENCYPTION
K1 Encryption K2
P X C
K2 Decryption K1
C X P
E E
D D
5
MULTIPLE ENCRYPTION AND TRIPLE DES
Encryption and decryption with DES
6
MULTIPLE ENCRYPTION AND TRIPLE DES REDUCTION TO A SINGLE STAGE For DES, for all 56-bit key values, that given any two keys K1 and K2, it would be possible to
find a key K3.
E(K2, E(K1, P)) = E(K3, P)
Number of stages of multiple encryption with DES, would be useless because the result would be equivalent to a single encryption with a single 56-bit key.
DES is a mapping of 64-bit blocks to 64-bit blocks. If we consider all 264 possible input blocks, DES encryption with a specific key will map each block into a unique 64-bit block . The value is easily seen to be
(264)! = 10347380000000000000000 > (101020)
DES defines one mapping for each different key, for a total number of mappings:
256 < 1017
DES is used twice with different keys, it will produce one of the many mappings that are not defined by a single application of DES.
7
MULTIPLE ENCRYPTION AND TRIPLE DES
MEET-IN-THE-MIDDLE ATTACK
Double DES results in a mapping that is not equivalent to a single DES encryption
C = E(K2, E(K1, P))
X = E(K1, P) = D(K2, C)
First, encrypt P for all 256 possible values of K1. Decrypt C using all 256 possible values of K2.
As each decryption is produced, If a match occurs, then test the two resulting keys against a new known plaintext–ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys.
Double DES uses, in effect as 112-bit key,so that there are 2112
possible keys.
8
MULTIPLE ENCRYPTION AND TRIPLE DES A given plaintext P, the number of different 112-bit keys that
will produce a given ciphertext C is 2112/264 = 248.
64 bits of known plaintext and ciphertext, the false alarm
rate is reduced to 248 - 64 = 2- 16.
Meet-in-the-middle attack is performed on two blocks of
known plaintext–ciphertext, the probability that the correct
keys are determined is 1-2-16.
Plaintext attack will succeed against double DES, which has a
key size of 112 bits, with an effort on the order of 256.
9
MULTIPLE ENCRYPTION AND TRIPLE DES
Double DES Multiple Encryption
Encryption Encryption Plaintext
Intermediate
Ciphertext
X
Ciphertext
K1 K2
meet-in-the-middle attack
P EK1(P) EK2[EK1(P)]
10
MULTIPLE ENCRYPTION AND TRIPLE DES
Triple DES With Two Keys
An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys. This raises the cost of the meet-in-the-middle attack to 2112.
It has the drawback of requiring a key length of 56 * 3 = 168 bits.
Tuchman proposed a triple encryption method that uses only two keys. Function follows an Encrypt-Decrypt-Encrypt (EDE)
C = E(K1, D(K2, E(K1, P)))
P = D(K1, E(K2, D(K1, C)))
11
MULTIPLE ENCRYPTION AND TRIPLE DES
It allows users of 3DES to decrypt data encrypted by users of the older single DES
C = E(K1, D(K1, E(K1, P))) = E(K1, P)
P = D(K1, E(K1, D(K1, C))) = D(K1, C)
DES and has been adopted for use in the key management standards ANS X9.17 and ISO 8732.1
Coppersmith [COPP94] notes that the cost of a brute-force key search on 3DES is on the order of
2112 ≈ (5 *1033) , compared to single DES, exceeding 1052.
several proposed attacks on 3DES that, although not practical .
The first serious proposal came from Merkle and Hellman [MERK81]. Their plan involves finding
plaintext values that produce a first intermediate value of A = 0and then using the meet-in-the-
middle attack to determine the two keys.
12
MULTIPLE ENCRYPTION AND TRIPLE DES
Triple Encryption
K1 K2 K1
P A B C
Encryption
K1 K2 K1
C B A P
Decryption
E E D
E D D
13
MULTIPLE ENCRYPTION AND TRIPLE DES
The attack is based on the observation that if we know A and C .
Attacker does not know A, even if P and C are known, as long as the two keys are unknown.
However, attacker can choose a potential value of A and then try to find a known (P, C) pair that produces A.
1.Obtain n (P, C) pairs. This is the known plaintext. sorted on the values of P.
2.Pick an arbitrary value a for A.For each of the 256 possible keys K1 = i, calculate the plaintext value Pi that produces a:
Pi = D(i, a)
For each Pi that matches the K1 value and the value of B that is produced for the (P, C) pair , assuming that value of K1:
B = D(i, C)
14
MULTIPLE ENCRYPTION AND TRIPLE DES
For each of the 256 possible keys K2 = j, the second intermediate value for our chosen value of a:
Bj = D(j, a)
If there is a match, then the corresponding key i plus this value of j are candidate values for the unknown keys (K1, K2).
Pair of keys produces the desired ciphertext, the task is complete.
Probability of selecting the unique value of a that leads to success is 1/264. Probability of success for a single selected value of a is n/264.
From probability theory is that the expected number of draws required to draw one red ball out of a bin containing n red balls and N - n green balls is (N + 1)/(n + 1) if the balls are not replaced.
Thus, the expected running time of the attack is on the order of
15
MULTIPLE ENCRYPTION AND TRIPLE DES
Two-key triple encryption with candidate pair of
keys
i j i
a Bj
Pi Ci
E E D
16
MULTIPLE ENCRYPTION AND TRIPLE DES
Triple DES with Three Keys
Although the attacks just described appear impractical, anyone
using two-key 3DES may feel some concern.
Researchers now feel that three-key 3DES is the preferred
alternative.
Three-key 3DES has an effective key length of 168 bits and is
defined as
C=E(K3 ,D(K2,E(K1,P)))
17
ELECTRONIC CODE BOOK The electronic codebook (ECB) mode, in which
plaintext is handled one block at a time and each block of plaintext is encrypted using the same key.
Codebook is used because, for a given key there is a unique ciphertext for every b-bit block of plaintext.
The procedure is simply to break the message into b-bit blocks, padding the last block.
Decryption is performed one block at a time, always using the same key.
18
ELECTRONIC CODE BOOK
ENCRYPTION
K K …… K
C1
ENCRYPT
P1 P2
ENCRYPT
PN
ENCRYPT
C2 CN
19
ELECTRONIC CODE BOOK
DECRYPTION
K K ……. K DECRYPT
C1
P1
C2
DECRYPT
P2
CN
DECRYPT
PN
20
ELECTRONIC CODE BOOK
plaintext consists of a sequence of b-bit blocks, P1, P2, ……. , PN.
corresponding sequence of ciphertext blocks C1,C2,……,CN .
The ECB method is ideal for a short amount of data, such as an
encryption key.
Lengthy messages, the ECB mode may not be secure.
If the message has repetitive elements with a period of
repetition a multiple of bits,then these elements can be
identified by the analyst.
ECB C j=E(K,P j) j=1,…………,N P j=E(K,Cj) j=1,..,N
21
LIMITATIONS OF ECB
Message repetitions may show in ciphertext
Weakness is due to the encrypted message blocks
being independent.
Vulnerable to cut-and-paste attacks.
Main use is sending a few blocks of data.
22
CIPHER BLOCK CHAINING MODE
Input to the encryption algorithm is the XOR of the
current plaintext block and the preceding ciphertext
block the same key is used for each block.
Chained together the processing of the sequence of
plaintext blocks.
No fixed relationship to the plaintext block.
As with the ECB mode, the CBC mode requires that the
last block be padded to a full b-bits if it is a partial block.
Result is XORed with the preceding ciphertext block to
produce the plaintext block.
23
CIPHER BLOCK CHAINING MODE
Cj = E(K, [Cj-1 ⊕ Pj])
ENCRYPTION
IV CN-1
K K K P1
ENCRYPT
PN P2
ENCRYPT ENCRYPT
CN C2 C1
24
CIPHER BLOCK CHAINING MODE
DECRYPTION
CN-1
K K K
IV
C1
DECRYPT
CN C2
DECRYPT DECRYPT
PN P2 P1
25
CIPHER BLOCK CHAINING MODE
Then
D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj]))
D(K, Cj) = Cj-1 ⊕ Pj
Cj-1 ⊕ D(K, Cj) = Cj-1 ⊕ Cj-1 ⊕ Pj = Pj
To produce the first block of ciphertext, an Initialization vector (IV) is XORed with the first block of plaintext.
On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext.
IV is a data block that is same size as the cipher block. 26
CIPHER BLOCK CHAINING MODE
CBC MODE
IV must be known to both the sender and
receiver but be unpredictable by a third party.
Impossible to predict the IV, it will be associated
to the plaintext in advance of the generation of
IV.
CBC C1 = E(K, [P1 ⊕ IV])
Cj = E(K, [Pj ⊕ Cj-1]) j = 2,..,N
P1 = D(K, C1) ⊕ IV
Pj = D(K, Cj) ⊕ Cj-1 j = 2,...,N
27
CIPHER BLOCK CHAINING MODE
Maximum security, the IV should be protected
against unauthorized changes.
One reason for protecting the IV . If an opponent
is able to fool the receiver into using a different
value for IV, then the opponent is able to invert
selected bits in the first block of plaintext.
C1 = E(K, [IV ⊕ P1])
P1= IV ⊕ D(K,C1)
28
CIPHER BLOCK CHAINING MODE
X[i] denotes the ith bit of the b-bit quantity X.
P1[i] = IV[i] ⊕ D(K, C1)[i]
Using the properties of XOR
P1[i]`= IV[i] `⊕ D(K, C1)[i]
If an opponent can predictably change bits in IV,
the corresponding bits of the received value of P1
can be changed.
Possible attacks based on prior knowledge of IV
Long as it is unpredictable, the specific choice of
IV is unimportant.
29
CIPHER BLOCK CHAINING MODE
The first method is to apply the encryption
function, under the same key that is used for the
encryption of the plaintext,to a nonce2.
The second method is to generate a random data
block using a random number generator.
chaining mechanism of CBC, it is an appropriate
mode for encrypting messages of length greater
than b-bits.
Addition to its use to achieve confidentiality, the
CBC mode can be used for authentication.
30
ADVANTAGES AND LIMITATIONS OF CBC
● A ciphertext block depends on all blocks.
● Any change to a block affects all following ciphertext blocks.
● Need Initialization Vector (IV)
Which must be known to sender & receiver .
If sent in clear, attacker can change bits of first block, by changing corresponding bits of IV .
Hence IV must either be a fixed value.
Derived in way hard to manipulate.
31
CIPHER FEEDBACK MODE
AES, DES, or any block cipher, encryption is
performed on a block of b-bits.
stream cipher eliminates the need to pad a message
to be an integral number of blocks, It also can operate
in real time.
A character stream is being transmitted, each
character can be encrypted and transmitted
immediately using a character-oriented stream
cipher.
One desirable property of a stream cipher is that the
ciphertext be of the same length as the plaintext.
More OUT PUTS are produced, transmission
capacity is wasted.
32
CIPHER FEEDBACK MODE
Input to the encryption function is a b-bit shift register that is
initially set to some initialization vector (IV).
The MSBs-bits of the output of the encryption function are XORed
with the first segment of plaintext P1 to produce the first unit of
ciphertext C1.
The contents of the shift register are shifted left by s bits,and C1,
LSBs-bits of the shift register.
The received ciphertext unit is XORed with the output of the
encryption function to produce the plaintext unit.
Note: The encryption function that is used, not the decryption
function.
33
CIPHER FEEDBACK MODE
Let MSBs(X) be defined
C1 = P1 ⊕ MSBs[E(K, IV)]
Rearranging terms
P1 = C1 ⊕ MSBs[E(K, IV)]
34
S-BIT CIPHER FEEDBACK (CFB) MODE
ENCRYPTION
35
S-BIT CIPHER FEEDBACK (CFB) MODE
DECRYPTION
36
CIPHER FEEDBACK MODE
CFB Mode
CFB can be viewed as a stream cipher, it does not
conform to the typical construction of a stream
cipher.
CFB, the stream of bits that is XORed with the
plaintext also depends on the plaintext.
CFB I1 = IV
Ij = LSBb-s(Ij-1) ||Cj-1 j = 2,.., N
Oj = E(K, Ij) j = 1,..., N
Cj = Pj⊕MSBs(Oj) j = 1,..., N
I1 = IV
Ij =LSBb-s(Ij-1)||Cj-1 j = 2,....., N
Oj = E(K, Ij) j = 1,......, N
Pj = Cj⊕MSBs(Oj) j = 1,......., N
37
OUTPUT FEEDBACK MODE Output feedback (OFB) mode is similar in structure to that of
CFB.
The output of the encryption function that is fed back to the shift register in OFB.
In CFB, the ciphertext unit is fed back to the shift register.
Other difference is that the OFB mode operates on full blocks of plaintext and ciphertext, not on an S-bit subset.
ENCRYPTION :
Cj = Pj ⊕ E(K, [Cj-i ⊕ Pj-1])
DECRYPTION:
Pj = Cj ⊕ E(K, [Cj-i ⊕ Pj-1])
38
OUTPUT FEEDBACK MODE ENCRYPTION
39
OUTPUT FEEDBACK MODE DECRYPTION
40
OUTPUT FEEDBACK MODE
Last block of plaintext contains U bits (indicated by *), with u<b the most significant bits of the last output block ON are used for the XOR operation.
OFB I1 = Nonce
Ij =Oj-1 j= 2,....., N
Oj = E(K, Ij) j = 1,......, N
Cj = Pj ⊕ Oj j = 1,....., N-1
C*N = P*N⊕MSBu(ON)
I1 = Nonce
Ij =LSBb-s(Ij-1)||Cj-1 j = 2,....., N
Oj = E(K, Ij) j = 1,......, N
Pj = Cj ⊕ Oj j = 1,......., N-1
P*N = C*N⊕MSBu(ON)
41
OUTPUT FEEDBACK MODE
CBC and CFB, the OFB mode requires an IV.
In OFB,the IV must be a nonce.
The sequence of encryption output blocks Oj ,depends
only on the key and the IV and does not depend on the
plaintext.
A given key and IV, the stream of output bits used to
XOR with the stream of plaintext bits is fixed.
Advantage of the OFB method is that bit errors in
transmission do not propagate.
Disadvantage of OFB is that it is more vulnerable to a
message stream modification attack than is CFB.
42
COUNTER MODE
Counter (CTR) mode has increased recently with
applications to ATM (asynchronous transfer mode)
network security and IP security.
A counter equal to the plaintext block size is used.
The counter value must be different for each plaintext
block that is encrypted.
The counter is initialized to some value and then
incremented by 1.
The counter is encrypted and then XORed with the
plaintext block to produce the ciphertext block , there
is no chaining.
For decryption, the same sequence of counter values
is used,
43
COUNTER MODE
ENCRYPTION
44
COUNTER MODE
DECRYPTION
45
COUNTER MODE
CTR mode
sequence of counters T1, T2,..........TN,
we do not need to use padding because of the structure of
the CTR mode.
Counter value is used multiple times, then the
confidentiality of all of the plaintext blocks corresponding
to that counter value may be compromised.
output allows any other plaintext blocks that are encrypted
using the same counter value.
CTR Cj = Pj ⊕E(K, Tj) j = 1,...., N – 1
C*N = P*N ⊕ MSBu[E(K, TN)]
Pj = Cj ⊕E(K,Tj) j = 1,...., N – 1
P*N = C*N ⊕ MSBu[E(K, TN)]
46
COUNTER MODE
Hardware & Software Efficiency:
Can do parallel encryptions in h/w or s/w.
● Preprocess in advance of need.
● Good for bursty high speed links.
Preprocessing: The execution of the underlying encryption algorithm does not depend on input of the plaintext or ciphertext.
Random access: The ith block of plaintext or ciphertext can be processed in random-access fashion with the chaining modes. Applications in which a ciphertext is stored and it is desired to decrypt just one block
47
COUNTER MODE
Provable security: It can be shown that CTR is at
least as secure as the other modes.
Simplicity: Unlike ECB and CBC modes, CTR mode
requires only the implementation of the encryption
algorithm and not the decryption algorithm.
The Feedback mechanism, it is useful to think of the
encryption function as taking input from a input
register whose length equals the encryption block
length and with output stored in an output register.
The input register is updated one block at a time by
the feedback mechanism.
Both OFB and CTR produce output that is
independent of both the plaintext and the ciphertext. 48
FEEDBACK CHARACTERISTIC OF MODES OF OPERATION
49
FEEDBACK CHARACTERISTIC OF MODES OF OPERATION
50
FIVE BLOCK CIPHER MODES OF OPERATION MODE Description Typical Application
Electronic Codebook
(ECB)
Each block of 64 plaintext bits
is encoded independently using
the same key.
• Secure transmission of
single values .(e.g., an encryption
key)
Cipher Block Chaining
(CBC)
The input to the encryption
algorithm is the XOR of the next
64 bits of plaintext and the
preceding 64 bits of ciphertext.
• General-purpose block oriented
transmission
• Authentication
Cipher Feedback (CFB) Input is processed s bits at a time.
Preceding ciphertext is used as input
to the encryption algorithm to produce
pseudorandom output,which is XORed
with plaintext toproduce next unit of
ciphertext.
• General-purpose stream oriented
transmission
• Authentication
Output Feedback (OFB) Similar to CFB, except that the
input to the encryption algorithm
is the preceding encryption output and
full blocks are used.
• Stream-oriented
transmission over noisy channel (e.g.,
satellite communication)
Counter (CTR) Each block of plaintext is XORed
with an encrypted counter.The
counter is incremented for each
subsequent block.
• Stream-oriented transmission over
noisy channel (e.g., satellite
communication)
51
XTS-AES MODE
Storage Encryption Requirements
Operation on a Single Block
Operation on a Sector
New mode, for block oriented storage use in
IEEE Std 1619-2007.
This standard describes a method of encryption
for data stored in sector-based devices.
XTS-AES mode is based on the concept of a
tweakable block cipher.
Standard has received widespread industry
support.
52
XTS-AES MODE
STORAGE ENCRYPTION REQUIREMENTS
(1) The ciphertext is freely available for an attacker:
In Data Base other users can retrieve an encrypted record but are unable to read it without the key.
unauthorized user manages to gain access to encrypted records.
Data disk or laptop is stolen, giving the adversary access to the encrypted data.
(2) Data layout is not changed on the storage medium and in transit.
(3) Data are accessed in fixed sized blocks independently from each other. 53
XTS-AES MODE
STORAGE ENCRYPTION REQUIREMENTS
(4) Encryption is performed in 16-byte blocks,
independently from other blocks.
(5) No other metadata used, except the location of the data blocks within the whole data set.
(6) A standard conformant device can be constructed for decryption of data encrypted by another standard conformant device.
CTR mode, an adversary with write access to the encrypted media can flip any bit of the plaintext by flipping the corresponding ciphertext bit.
CBC,an adversary with read/write access to the encrypted disk can copy a ciphertext sector from one position to another.
54
XTS-AES MODE OPERATION ON A SINGLE BLOCK
(1) j sequential number of the 128-bit block inside
the data unit.
(2) i The value of the 128-bit tweak. Each data unit
(sector) is assigned.
j functions assures that if the same plaintext
block appears at two different positions within a
data unit, it will encrypt to two different
ciphertext blocks.
i functions assures that, if the same plaintext
block appears at the same position in two
different data units, it will encrypt to two
different ciphertext blocks. 55
OPERATION ON A SINGLE BLOCK
ENCRYPTION
56
OPERATION ON A SINGLE BLOCK
DECRYPTION
57
OPERATION ON A SINGLE BLOCK
Encryption and decryption of a single block :
Encryption:
C = CC ⊕ T = E(K1, PP) ⊕ T = E(K1, P ⊕ T) ⊕ T
Decryption:
P = PP ⊕ T = D(K1, CC) ⊕ T = D(K1, C ⊕ T) ⊕ T
Substitute C:
P=(P ⊕ T) ⊕ T = P
XTS-AES block
Operation T = E(K2, i) ⊕ αj PP = P ⊕ T
CC = E(K1, PP)
C = CC ⊕ T
T = E(K2, i) ⊕ αj CC = C ⊕ T
PP = D(K1, CC)
P = PP ⊕ T
58
OPERATION ON A SECTOR
Plaintext of a sector or data unit is organized into
blocks of 128 bits. Blocks are P0, P1,….., Pm.
Encryption and decryption, each block is
treated independently.
The last two blocks are encrypted/decrypted
using a ciphertext-stealing technique instead
of padding scheme.
Use to make ciphertext length same as plaintext
length.
Requires more than one block of plaintext.
59
XTS-AES MODE
60
XTS-AES MODE
61
XTS-AES MODE
Block Encryption: XTS-AES-blockEnc(K, Pj, i, j)
Block Dncryption: XTS-AES-blockEnc(K, Pj, i, j)
62
ADVANTAGES AND LIMITATIONS OF XTS-AES
● Efficiency
can do parallel encryptions in h/w or s/w
random access to encrypted data blocks
● Has both nonce(i) & counter(j)
● Addresses security concerns related to stored
data
63
END
THANK YOU
64