block cipher operation - parkjonghyuk.net · contents multiple encryption and triple des electronic...

BLOCK CIPHER OPERATION

ABHILASH SREERAMANENI

Department Of Computer Science

Seoul National University Of Science And Technology

2013-2014

1

CONTENTS

Multiple Encryption and Triple DES

Electronic Code Book (ECB)

Cipher Block Chaining Mode(CBC)

Cipher Feedback Mode (CFB)

Output Feedback Mode (OFB)

Counter Mode(CTR)

XTS-AES Mode

2

MULTIPLE ENCRYPTION AND TRIPLE DES

Double DES

Triple DES with Two Keys

Triple DES with Three Keys

3


Double DES The simplest form of multiple encryption has two encryption stages and

two keys . Given a plaintext P and two encryption keys K1 and K2,

ciphertext C is generated as

C = E(K2, E(K1, P))

Decryption requires that the keys be applied in reverse order:

P = D(K1, D(K2, C))

For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits,

resulting in a dramatic increase in cryptographic strength.

4

MULTIPLE ENCRYPTION AND TRIPLE DES DOUBLE ENCYPTION

K1 Encryption K2

P X C

K2 Decryption K1

C X P

E E

D D

5


Encryption and decryption with DES

6

MULTIPLE ENCRYPTION AND TRIPLE DES REDUCTION TO A SINGLE STAGE For DES, for all 56-bit key values, that given any two keys K1 and K2, it would be possible to

find a key K3.

E(K2, E(K1, P)) = E(K3, P)

Number of stages of multiple encryption with DES, would be useless because the result would be equivalent to a single encryption with a single 56-bit key.

DES is a mapping of 64-bit blocks to 64-bit blocks. If we consider all 264 possible input blocks, DES encryption with a specific key will map each block into a unique 64-bit block . The value is easily seen to be

(264)! = 10347380000000000000000 > (101020)

DES defines one mapping for each different key, for a total number of mappings:

256 < 1017

DES is used twice with different keys, it will produce one of the many mappings that are not defined by a single application of DES.

7


MEET-IN-THE-MIDDLE ATTACK

Double DES results in a mapping that is not equivalent to a single DES encryption

C = E(K2, E(K1, P))

X = E(K1, P) = D(K2, C)

First, encrypt P for all 256 possible values of K1. Decrypt C using all 256 possible values of K2.

As each decryption is produced, If a match occurs, then test the two resulting keys against a new known plaintext–ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys.

Double DES uses, in effect as 112-bit key,so that there are 2112

possible keys.

8

MULTIPLE ENCRYPTION AND TRIPLE DES A given plaintext P, the number of different 112-bit keys that

will produce a given ciphertext C is 2112/264 = 248.

64 bits of known plaintext and ciphertext, the false alarm

rate is reduced to 248 - 64 = 2- 16.

Meet-in-the-middle attack is performed on two blocks of

known plaintext–ciphertext, the probability that the correct

keys are determined is 1-2-16.

Plaintext attack will succeed against double DES, which has a

key size of 112 bits, with an effort on the order of 256.

9


Double DES Multiple Encryption

Encryption Encryption Plaintext

Intermediate

Ciphertext

X

Ciphertext

K1 K2

meet-in-the-middle attack

P EK1(P) EK2[EK1(P)]

10


Triple DES With Two Keys

An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys. This raises the cost of the meet-in-the-middle attack to 2112.

It has the drawback of requiring a key length of 56 * 3 = 168 bits.

Tuchman proposed a triple encryption method that uses only two keys. Function follows an Encrypt-Decrypt-Encrypt (EDE)

C = E(K1, D(K2, E(K1, P)))

P = D(K1, E(K2, D(K1, C)))

11


It allows users of 3DES to decrypt data encrypted by users of the older single DES

C = E(K1, D(K1, E(K1, P))) = E(K1, P)

P = D(K1, E(K1, D(K1, C))) = D(K1, C)

DES and has been adopted for use in the key management standards ANS X9.17 and ISO 8732.1

Coppersmith [COPP94] notes that the cost of a brute-force key search on 3DES is on the order of

2112 ≈ (5 *1033) , compared to single DES, exceeding 1052.

several proposed attacks on 3DES that, although not practical .

The first serious proposal came from Merkle and Hellman [MERK81]. Their plan involves finding

plaintext values that produce a first intermediate value of A = 0and then using the meet-in-the-

middle attack to determine the two keys.

12


Triple Encryption

K1 K2 K1

P A B C

Encryption

K1 K2 K1

C B A P

Decryption

E E D

E D D

13


The attack is based on the observation that if we know A and C .

Attacker does not know A, even if P and C are known, as long as the two keys are unknown.

However, attacker can choose a potential value of A and then try to find a known (P, C) pair that produces A.

1.Obtain n (P, C) pairs. This is the known plaintext. sorted on the values of P.

2.Pick an arbitrary value a for A.For each of the 256 possible keys K1 = i, calculate the plaintext value Pi that produces a:

Pi = D(i, a)

For each Pi that matches the K1 value and the value of B that is produced for the (P, C) pair , assuming that value of K1:

B = D(i, C)

14


For each of the 256 possible keys K2 = j, the second intermediate value for our chosen value of a:

Bj = D(j, a)

If there is a match, then the corresponding key i plus this value of j are candidate values for the unknown keys (K1, K2).

Pair of keys produces the desired ciphertext, the task is complete.

Probability of selecting the unique value of a that leads to success is 1/264. Probability of success for a single selected value of a is n/264.

From probability theory is that the expected number of draws required to draw one red ball out of a bin containing n red balls and N - n green balls is (N + 1)/(n + 1) if the balls are not replaced.

Thus, the expected running time of the attack is on the order of

15


Two-key triple encryption with candidate pair of

keys

i j i

a Bj

Pi Ci

E E D

16


Triple DES with Three Keys

Although the attacks just described appear impractical, anyone

using two-key 3DES may feel some concern.

Researchers now feel that three-key 3DES is the preferred

alternative.

Three-key 3DES has an effective key length of 168 bits and is

defined as

C=E(K3 ,D(K2,E(K1,P)))

17

ELECTRONIC CODE BOOK The electronic codebook (ECB) mode, in which

plaintext is handled one block at a time and each block of plaintext is encrypted using the same key.

Codebook is used because, for a given key there is a unique ciphertext for every b-bit block of plaintext.

The procedure is simply to break the message into b-bit blocks, padding the last block.

Decryption is performed one block at a time, always using the same key.

18

ELECTRONIC CODE BOOK

ENCRYPTION

K K …… K

C1

ENCRYPT

P1 P2

ENCRYPT

PN

ENCRYPT

C2 CN

19


DECRYPTION

K K ……. K DECRYPT

C1

P1

C2

DECRYPT

P2

CN

DECRYPT

PN

20


plaintext consists of a sequence of b-bit blocks, P1, P2, ……. , PN.

corresponding sequence of ciphertext blocks C1,C2,……,CN .

The ECB method is ideal for a short amount of data, such as an

encryption key.

Lengthy messages, the ECB mode may not be secure.

If the message has repetitive elements with a period of

repetition a multiple of bits,then these elements can be

identified by the analyst.

ECB C j=E(K,P j) j=1,…………,N P j=E(K,Cj) j=1,..,N

21

LIMITATIONS OF ECB

Message repetitions may show in ciphertext

Weakness is due to the encrypted message blocks

being independent.

Vulnerable to cut-and-paste attacks.

Main use is sending a few blocks of data.

22

CIPHER BLOCK CHAINING MODE

Input to the encryption algorithm is the XOR of the

current plaintext block and the preceding ciphertext

block the same key is used for each block.

Chained together the processing of the sequence of

plaintext blocks.

No fixed relationship to the plaintext block.

As with the ECB mode, the CBC mode requires that the

last block be padded to a full b-bits if it is a partial block.

Result is XORed with the preceding ciphertext block to

produce the plaintext block.

23


Cj = E(K, [Cj-1 ⊕ Pj])

ENCRYPTION

IV CN-1

K K K P1

ENCRYPT

PN P2

ENCRYPT ENCRYPT

CN C2 C1

24


DECRYPTION

CN-1

K K K

IV

C1

DECRYPT

CN C2

DECRYPT DECRYPT

PN P2 P1

25


Then

D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj]))

D(K, Cj) = Cj-1 ⊕ Pj

Cj-1 ⊕ D(K, Cj) = Cj-1 ⊕ Cj-1 ⊕ Pj = Pj

To produce the first block of ciphertext, an Initialization vector (IV) is XORed with the first block of plaintext.

On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext.

IV is a data block that is same size as the cipher block. 26


CBC MODE

IV must be known to both the sender and

receiver but be unpredictable by a third party.

Impossible to predict the IV, it will be associated

to the plaintext in advance of the generation of

IV.

CBC C1 = E(K, [P1 ⊕ IV])

Cj = E(K, [Pj ⊕ Cj-1]) j = 2,..,N

P1 = D(K, C1) ⊕ IV

Pj = D(K, Cj) ⊕ Cj-1 j = 2,...,N

27


Maximum security, the IV should be protected

against unauthorized changes.

One reason for protecting the IV . If an opponent

is able to fool the receiver into using a different

value for IV, then the opponent is able to invert

selected bits in the first block of plaintext.

C1 = E(K, [IV ⊕ P1])

P1= IV ⊕ D(K,C1)

28


X[i] denotes the ith bit of the b-bit quantity X.

P1[i] = IV[i] ⊕ D(K, C1)[i]

Using the properties of XOR

P1[i]`= IV[i] `⊕ D(K, C1)[i]

If an opponent can predictably change bits in IV,

the corresponding bits of the received value of P1

can be changed.

Possible attacks based on prior knowledge of IV

Long as it is unpredictable, the specific choice of

IV is unimportant.

29


The first method is to apply the encryption

function, under the same key that is used for the

encryption of the plaintext,to a nonce2.

The second method is to generate a random data

block using a random number generator.

chaining mechanism of CBC, it is an appropriate

mode for encrypting messages of length greater

than b-bits.

Addition to its use to achieve confidentiality, the

CBC mode can be used for authentication.

30

ADVANTAGES AND LIMITATIONS OF CBC

● A ciphertext block depends on all blocks.

● Any change to a block affects all following ciphertext blocks.

● Need Initialization Vector (IV)

Which must be known to sender & receiver .

If sent in clear, attacker can change bits of first block, by changing corresponding bits of IV .

Hence IV must either be a fixed value.

Derived in way hard to manipulate.

31

CIPHER FEEDBACK MODE

AES, DES, or any block cipher, encryption is

performed on a block of b-bits.

stream cipher eliminates the need to pad a message

to be an integral number of blocks, It also can operate

in real time.

A character stream is being transmitted, each

character can be encrypted and transmitted

immediately using a character-oriented stream

cipher.

One desirable property of a stream cipher is that the

ciphertext be of the same length as the plaintext.

More OUT PUTS are produced, transmission

capacity is wasted.

32


Input to the encryption function is a b-bit shift register that is

initially set to some initialization vector (IV).

The MSBs-bits of the output of the encryption function are XORed

with the first segment of plaintext P1 to produce the first unit of

ciphertext C1.

The contents of the shift register are shifted left by s bits,and C1,

LSBs-bits of the shift register.

The received ciphertext unit is XORed with the output of the

encryption function to produce the plaintext unit.

Note: The encryption function that is used, not the decryption

function.

33


Let MSBs(X) be defined

C1 = P1 ⊕ MSBs[E(K, IV)]

Rearranging terms

P1 = C1 ⊕ MSBs[E(K, IV)]

34

S-BIT CIPHER FEEDBACK (CFB) MODE

ENCRYPTION

35

S-BIT CIPHER FEEDBACK (CFB) MODE

DECRYPTION

36


CFB Mode

CFB can be viewed as a stream cipher, it does not

conform to the typical construction of a stream

cipher.

CFB, the stream of bits that is XORed with the

plaintext also depends on the plaintext.

CFB I1 = IV

Ij = LSBb-s(Ij-1) ||Cj-1 j = 2,.., N

Oj = E(K, Ij) j = 1,..., N

Cj = Pj⊕MSBs(Oj) j = 1,..., N

I1 = IV

Ij =LSBb-s(Ij-1)||Cj-1 j = 2,....., N

Oj = E(K, Ij) j = 1,......, N

Pj = Cj⊕MSBs(Oj) j = 1,......., N

37

OUTPUT FEEDBACK MODE Output feedback (OFB) mode is similar in structure to that of

CFB.

The output of the encryption function that is fed back to the shift register in OFB.

In CFB, the ciphertext unit is fed back to the shift register.

Other difference is that the OFB mode operates on full blocks of plaintext and ciphertext, not on an S-bit subset.

ENCRYPTION :

Cj = Pj ⊕ E(K, [Cj-i ⊕ Pj-1])

DECRYPTION:

Pj = Cj ⊕ E(K, [Cj-i ⊕ Pj-1])

38

OUTPUT FEEDBACK MODE ENCRYPTION

39

OUTPUT FEEDBACK MODE DECRYPTION

40

OUTPUT FEEDBACK MODE

Last block of plaintext contains U bits (indicated by *), with u<b the most significant bits of the last output block ON are used for the XOR operation.

OFB I1 = Nonce

Ij =Oj-1 j= 2,....., N

Oj = E(K, Ij) j = 1,......, N

Cj = Pj ⊕ Oj j = 1,....., N-1

C*N = P*N⊕MSBu(ON)

I1 = Nonce

Ij =LSBb-s(Ij-1)||Cj-1 j = 2,....., N

Oj = E(K, Ij) j = 1,......, N

Pj = Cj ⊕ Oj j = 1,......., N-1

P*N = C*N⊕MSBu(ON)

41

OUTPUT FEEDBACK MODE

CBC and CFB, the OFB mode requires an IV.

In OFB,the IV must be a nonce.

The sequence of encryption output blocks Oj ,depends

only on the key and the IV and does not depend on the

plaintext.

A given key and IV, the stream of output bits used to

XOR with the stream of plaintext bits is fixed.

Advantage of the OFB method is that bit errors in

transmission do not propagate.

Disadvantage of OFB is that it is more vulnerable to a

message stream modification attack than is CFB.

42

COUNTER MODE

Counter (CTR) mode has increased recently with

applications to ATM (asynchronous transfer mode)

network security and IP security.

A counter equal to the plaintext block size is used.

The counter value must be different for each plaintext

block that is encrypted.

The counter is initialized to some value and then

incremented by 1.

The counter is encrypted and then XORed with the

plaintext block to produce the ciphertext block , there

is no chaining.

For decryption, the same sequence of counter values

is used,

43

COUNTER MODE

ENCRYPTION

44

COUNTER MODE

DECRYPTION

45

COUNTER MODE

CTR mode

sequence of counters T1, T2,..........TN,

we do not need to use padding because of the structure of

the CTR mode.

Counter value is used multiple times, then the

confidentiality of all of the plaintext blocks corresponding

to that counter value may be compromised.

output allows any other plaintext blocks that are encrypted

using the same counter value.

CTR Cj = Pj ⊕E(K, Tj) j = 1,...., N – 1

C*N = P*N ⊕ MSBu[E(K, TN)]

Pj = Cj ⊕E(K,Tj) j = 1,...., N – 1

P*N = C*N ⊕ MSBu[E(K, TN)]

46

COUNTER MODE

Hardware & Software Efficiency:

Can do parallel encryptions in h/w or s/w.

● Preprocess in advance of need.

● Good for bursty high speed links.

Preprocessing: The execution of the underlying encryption algorithm does not depend on input of the plaintext or ciphertext.

Random access: The ith block of plaintext or ciphertext can be processed in random-access fashion with the chaining modes. Applications in which a ciphertext is stored and it is desired to decrypt just one block

47

COUNTER MODE

Provable security: It can be shown that CTR is at

least as secure as the other modes.

Simplicity: Unlike ECB and CBC modes, CTR mode

requires only the implementation of the encryption

algorithm and not the decryption algorithm.

The Feedback mechanism, it is useful to think of the

encryption function as taking input from a input

register whose length equals the encryption block

length and with output stored in an output register.

The input register is updated one block at a time by

the feedback mechanism.

Both OFB and CTR produce output that is

independent of both the plaintext and the ciphertext. 48

FEEDBACK CHARACTERISTIC OF MODES OF OPERATION

49

FEEDBACK CHARACTERISTIC OF MODES OF OPERATION

50

FIVE BLOCK CIPHER MODES OF OPERATION MODE Description Typical Application

Electronic Codebook

(ECB)

Each block of 64 plaintext bits

is encoded independently using

the same key.

• Secure transmission of

single values .(e.g., an encryption

key)

Cipher Block Chaining

(CBC)

The input to the encryption

algorithm is the XOR of the next

64 bits of plaintext and the

preceding 64 bits of ciphertext.

• General-purpose block oriented

transmission

• Authentication

Cipher Feedback (CFB) Input is processed s bits at a time.

Preceding ciphertext is used as input

to the encryption algorithm to produce

pseudorandom output,which is XORed

with plaintext toproduce next unit of

ciphertext.

• General-purpose stream oriented

transmission

• Authentication

Output Feedback (OFB) Similar to CFB, except that the

input to the encryption algorithm

is the preceding encryption output and

full blocks are used.

• Stream-oriented

transmission over noisy channel (e.g.,

satellite communication)

Counter (CTR) Each block of plaintext is XORed

with an encrypted counter.The

counter is incremented for each

subsequent block.

• Stream-oriented transmission over

noisy channel (e.g., satellite

communication)

51

XTS-AES MODE

Storage Encryption Requirements

Operation on a Single Block

Operation on a Sector

New mode, for block oriented storage use in

IEEE Std 1619-2007.

This standard describes a method of encryption

for data stored in sector-based devices.

XTS-AES mode is based on the concept of a

tweakable block cipher.

Standard has received widespread industry

support.

52

XTS-AES MODE

STORAGE ENCRYPTION REQUIREMENTS

(1) The ciphertext is freely available for an attacker:

In Data Base other users can retrieve an encrypted record but are unable to read it without the key.

unauthorized user manages to gain access to encrypted records.

Data disk or laptop is stolen, giving the adversary access to the encrypted data.

(2) Data layout is not changed on the storage medium and in transit.

(3) Data are accessed in fixed sized blocks independently from each other. 53

XTS-AES MODE

STORAGE ENCRYPTION REQUIREMENTS

(4) Encryption is performed in 16-byte blocks,

independently from other blocks.

(5) No other metadata used, except the location of the data blocks within the whole data set.

(6) A standard conformant device can be constructed for decryption of data encrypted by another standard conformant device.

CTR mode, an adversary with write access to the encrypted media can flip any bit of the plaintext by flipping the corresponding ciphertext bit.

CBC,an adversary with read/write access to the encrypted disk can copy a ciphertext sector from one position to another.

54

XTS-AES MODE OPERATION ON A SINGLE BLOCK

(1) j sequential number of the 128-bit block inside

the data unit.

(2) i The value of the 128-bit tweak. Each data unit

(sector) is assigned.

j functions assures that if the same plaintext

block appears at two different positions within a

data unit, it will encrypt to two different

ciphertext blocks.

i functions assures that, if the same plaintext

block appears at the same position in two

different data units, it will encrypt to two

different ciphertext blocks. 55

OPERATION ON A SINGLE BLOCK

ENCRYPTION

56


DECRYPTION

57


Encryption and decryption of a single block :

Encryption:

C = CC ⊕ T = E(K1, PP) ⊕ T = E(K1, P ⊕ T) ⊕ T

Decryption:

P = PP ⊕ T = D(K1, CC) ⊕ T = D(K1, C ⊕ T) ⊕ T

Substitute C:

P=(P ⊕ T) ⊕ T = P

XTS-AES block

Operation T = E(K2, i) ⊕ αj PP = P ⊕ T

CC = E(K1, PP)

C = CC ⊕ T

T = E(K2, i) ⊕ αj CC = C ⊕ T

PP = D(K1, CC)

P = PP ⊕ T

58

OPERATION ON A SECTOR

Plaintext of a sector or data unit is organized into

blocks of 128 bits. Blocks are P0, P1,….., Pm.

Encryption and decryption, each block is

treated independently.

The last two blocks are encrypted/decrypted

using a ciphertext-stealing technique instead

of padding scheme.

Use to make ciphertext length same as plaintext

length.

Requires more than one block of plaintext.

59

XTS-AES MODE

60

XTS-AES MODE

61

XTS-AES MODE

Block Encryption: XTS-AES-blockEnc(K, Pj, i, j)

Block Dncryption: XTS-AES-blockEnc(K, Pj, i, j)

62

ADVANTAGES AND LIMITATIONS OF XTS-AES

● Efficiency

can do parallel encryptions in h/w or s/w

random access to encrypted data blocks

● Has both nonce(i) & counter(j)

● Addresses security concerns related to stored

data

63

END

THANK YOU

64

block cipher operation - parkjonghyuk.net · contents multiple encryption and triple des electronic...

Documents