ch03 ch06 des and others


Upload: nathanurag

Post on 08-Jun-2015


TRANSCRIPT

Page 1: Ch03 Ch06 Des And Others

--VIJAY KATTA-- 1

Cryptography and Network Security.

By:

William Stallings

B. Forouzan

Bruce Schneier

P. van Oorschot, and S. Vanstone

Page 2: Ch03 Ch06 Des And Others

Chapter 3 & Chapter 6 – Block Ciphers, DES, Others

3.1 Simplified DES
3.2 Block Cipher Principles
3.3 The Data Encryption Standard
3.4 The Strength of DES
3.5 Differential and Linear Cryptanalysis
3.6 Block Cipher Design Principles
3.7 Block Cipher Modes of Operation

Ch06 - Contemporary symmetric ciphers

Page 3: Ch03 Ch06 Des And Others

3.0 Modern Block Ciphers

will now look at modern block ciphers

one of the most widely used types of cryptographic algorithms

provide secrecy and/or authentication services

in particular will introduce DES (Data Encryption Standard)

Page 4: Ch03 Ch06 Des And Others

Block vs Stream Ciphers

block ciphers process messages in blocks, each of which is then en/decrypted

like a substitution on very big characters
– 64 bits or more

stream ciphers process messages a bit or byte at a time when en/decrypting

many current ciphers are block ciphers

hence are the focus of the course

Page 5: Ch03 Ch06 Des And Others

Simplified DES (S-DES)

An educational algorithm

A product cipher
– two identical sub-ciphers

Each sub-cipher
– Permutation
– Substitution

Page 6: Ch03 Ch06 Des And Others

S-DES

Encryption
– Input: 8-bit plaintext
– Input: 10-bit key K
– Output: 8-bit ciphertext

Decryption
– Input: 8-bit ciphertext
– Input: 10-bit key K
– Output: 8-bit plaintext

Page 7: Ch03 Ch06 Des And Others

Simplified DES (cont.)

Key generation
– P10: a permutation of 10 bits
– shift: shift (rotate) the input
– P8: a permutation of 8 bits

Encryption/Decryption
– IP: initial permutation
– $f_K$: a complex function (substitution + permutation)
– SW: a simple permutation (swapping)
– $IP^{-1}$: the inverse of IP

Page 8: Ch03 Ch06 Des And Others


Page 9: Ch03 Ch06 Des And Others

Overview of S-DES

Subkey generation
– $K_1 = P8 \circ \text{shift} \circ P10\,(K)$
– $K_2 = P8 \circ \text{shift} \circ \text{shift} \circ P10\,(K)$

Encryption
– $C = IP^{-1} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP\,(P)$

Decryption
– $P = IP^{-1} \circ f_{K_1} \circ SW \circ f_{K_2} \circ IP\,(C)$

Page 10: Ch03 Ch06 Des And Others

Sub-key generation

Page 11: Ch03 Ch06 Des And Others

Sub-key generation (cont.)

• P10: 10-bit permutation

P10
3 5 2 7 4 10 1 9 8 6

P10(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = k3 k5 k2 k7 k4 k10 k1 k9 k8 k6

e.g. K = 10100 00010
P10(K) = P10(10100 00010) = 10000 01100

Page 12: Ch03 Ch06 Des And Others

Sub-key generation (cont.)

• LS-1: rotate left by 1 bit

e.g. LS-1(10000) = 00001
LS-1(01100) = 11000

Page 13: Ch03 Ch06 Des And Others

Sub-key generation (cont.)

• P8: a permutation with 10-bit input and 8-bit output

P8
6 3 7 4 8 5 10 9

P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = k6 k3 k7 k4 k8 k5 k10 k9

e.g. K1 = P8(00001 11000) = 10100100

Page 14: Ch03 Ch06 Des And Others

Sub-key generation (cont.)

• LS-2: rotate left by 2 bits

e.g. LS-2(00001) = 00100
LS-2(11000) = 00011

Page 15: Ch03 Ch06 Des And Others

Sub-key generation (cont.)

• P8: a permutation with 10-bit input and 8-bit output

P8
6 3 7 4 8 5 10 9

P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = k6 k3 k7 k4 k8 k5 k10 k9

e.g. K2 = P8(00100 00011) = 01000011

Page 16: Ch03 Ch06 Des And Others

S-DES encryption

Page 17: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

Page 18: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

Function $f_K$
– Permutation + substitution.
– $f_K(L, R) = (L \oplus F(R, SK),\ R)$

SK: A subkey $K_i$ (i = 1, 2)

L: Leftmost 4 bits

R: Rightmost 4 bits

F: A mapping from 4-bit strings to 4-bit strings.

$\oplus$: bit-wise XOR

Page 19: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

Function $f_K$
– Example: input is 1011 1101, so L = 1011, R = 1101

F(1101, SK) = 1110

$f_K$(1011 1101) = 1011 $\oplus$ 1110 || 1101 = 0101 1101

Page 20: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

• Mapping F(R, SK)

[Figure: F(R, SK), with inputs R and SK]

Page 21: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

Mapping F(R, SK)
– Expansion/permutation (E/P): 4-bit R → 8 bits
– XOR with subkey SK → 8 bits
– 2 S-boxes → 4 bits
– P4 permutation → 4 bits (output)

Page 22: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

E/P: 4-bit → 8-bit

E/P
4 1 2 3 2 3 4 1

Example: E/P(1001) = 11000011

Page 23: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

S-box (substitution box)
– S0, S1: 4 bits → 2 bits

S0(b1 b2 b3 b4), row selected by b1b4, column by b2b3:

b1b4 \ b2b3    00   01   10   11
00             01   00   11   10
01             11   10   01   00
10             00   10   01   11
11             11   01   11   10

Page 24: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

S1(b1 b2 b3 b4), row selected by b1b4, column by b2b3:

b1b4 \ b2b3    00   01   10   11
00             00   10   10   11
01             10   00   01   11
10             11   00   01   00
11             10   01   00   11

Example: S0(0010) = 00, S1(0010) = 10

Page 25: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

P4: 4-bit permutation

P4
2 4 1 3

Page 26: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

[Figure: F(R, SK) worked through. R = 1001; E/P output 11000011; SK = 10011001; XOR result 0101 1010; S-box outputs 01 00; P4 output 1000]

Page 27: Ch03 Ch06 Des And Others

S-DES Encryption (cont.)

SW: switch function
– Interchange the left and right 4 bits

b1 b2 b3 b4 b5 b6 b7 b8 → b5 b6 b7 b8 b1 b2 b3 b4

Page 28: Ch03 Ch06 Des And Others

S-DES Encryption (cont.)

2nd round: same as the first round except

Sub-key $K_2$ is used

Final permutation $IP^{-1}$ is applied.

Page 29: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

Key: K = 1010000010
Plaintext: P = 11110011

Sub-key generation
– K1 = P8 • LS-1 • P10 (1010000010) = 10100100
– K2 = P8 • LS-2 • LS-1 • P10 (1010000010) = 01000011

Plaintext: 11110011
– IP(11110011) = 1011 1101 = L || R
– F(R, K1)
  E/P(1101) $\oplus$ K1 = 11101011 $\oplus$ 10100100 = 0100 1111
  S0(0100) = 11
  S1(1111) = 11
  P4(1111) = 1111

Page 30: Ch03 Ch06 Des And Others

S-DES encryption (cont.)

– $f_{K_1}$(1011 1101) = (L $\oplus$ F(R, K1), R) = (1011 $\oplus$ 1111, 1101) = 0100 1101
– SW(0100 1101) = 1101 0100 = L || R
– F(R, K2)
  E/P(0100) $\oplus$ K2 = 00101000 $\oplus$ 01000011 = 0110 1011
  S0(0110) = 10
  S1(1011) = 01
  P4(1001) = 0101
– $f_{K_2}$(1101 0100) = (L $\oplus$ F(R, K2), R) = (1101 $\oplus$ 0101, 0100) = 1000 0100
– $IP^{-1}$(10000100) = 01000001

Ciphertext C = 01000001

Page 31: Ch03 Ch06 Des And Others

S-DES decryption

Page 32: Ch03 Ch06 Des And Others

S-DES decryption (cont.)

$C = IP^{-1} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP\,(P)$

$$
\begin{aligned}
IP^{-1} \circ f_{K_1} \circ SW \circ f_{K_2} \circ IP\,(C)
&= IP^{-1} \circ f_{K_1} \circ SW \circ f_{K_2} \circ IP \circ IP^{-1} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP\,(P) \\
&= IP^{-1} \circ f_{K_1} \circ SW \circ f_{K_2} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP\,(P) \\
&= IP^{-1} \circ f_{K_1} \circ SW \circ SW \circ f_{K_1} \circ IP\,(P) \\
&= IP^{-1} \circ f_{K_1} \circ f_{K_1} \circ IP\,(P) \\
&= IP^{-1} \circ IP\,(P) \\
&= P
\end{aligned}
$$

Page 33: Ch03 Ch06 Des And Others

S-DES decryption (cont.)

Only sub-keys are fed in reverse order

SW • SW = I (identity)

$IP^{-1}$ • IP = IP • $IP^{-1}$ = I (identity)

$$
\begin{aligned}
f_{K_1} \circ f_{K_1}(X, Y) &= f_{K_1}(X \oplus F(Y, K_1),\ Y) \\
&= (X \oplus F(Y, K_1) \oplus F(Y, K_1),\ Y) \\
&= (X, Y)
\end{aligned}
$$

$$
\begin{aligned}
f_{K_2} \circ f_{K_2}(X, Y) &= f_{K_2}(X \oplus F(Y, K_2),\ Y) \\
&= (X \oplus F(Y, K_2) \oplus F(Y, K_2),\ Y) \\
&= (X, Y)
\end{aligned}
$$

Page 34: Ch03 Ch06 Des And Others

S-DES decryption (cont.)

Generate sub-keys in reverse order

Page 35: Ch03 Ch06 Des And Others

S-DES decryption (cont.)

Generate sub-keys in reverse order

P10(K) = k1 k2 … k10

Encryption
– LS-1(k1 k2 k3 k4 k5) = k2 k3 k4 k5 k1
– LS-2(k2 k3 k4 k5 k1) = k4 k5 k1 k2 k3

Decryption
– RS-2(k1 k2 k3 k4 k5) = k4 k5 k1 k2 k3
– RS-2(k4 k5 k1 k2 k3) = k2 k3 k4 k5 k1

Page 36: Ch03 Ch06 Des And Others

S-DES decryption (cont.)

Generate sub-keys in reverse order

[Figure: two RS-2 stages producing K2, then K1]

Page 37: Ch03 Ch06 Des And Others

S-DES decryption

[Figure: Encryption/Decryption, with labels e/d flag, P/C, K1/K2, K2/K1, C/P]
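The S-DES walk-through above as a runnable sketch (an added example, not code from the slides): it reproduces the slides' sub-keys and ciphertext for K = 1010000010, P = 11110011 and checks that feeding the sub-keys in reverse order decrypts. Assumptions: the IP and IP^-1 tables are the textbook ones, since the slide text does not list them, and P4 is taken as 2 4 3 1, the order the worked step P4(1001) = 0101 requires.

```python
# S-DES as laid out on the slides. Bit strings are Python str of "0"/"1".
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
# Assumption: IP and IP^-1 are not listed in the slide text. These are the
# textbook tables; they reproduce the slides' IP(11110011) = 10111101.
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
# The slides' P4 table reads 2 4 1 3, but their worked step P4(1001) = 0101
# only comes out with 2 4 3 1, so that order is used here.
P4 = (2, 4, 3, 1)
# S-boxes as printed on the slides: row = b1b4, column = b2b3.
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
# Row 0, column 1 of S1 is 10 on the slide (the textbook table has 01 there);
# the worked example never reads that cell.
S1 = ((0, 2, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits, table):
    """Output bit i is input bit table[i] (1-based, as on the slides)."""
    return "".join(bits[i - 1] for i in table)


def rotl(bits, n):
    return bits[n:] + bits[:n]


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def subkeys(key):
    """K1 = P8(LS-1(P10(K))), K2 = P8(LS-2(LS-1(P10(K))))."""
    p = permute(key, P10)
    left, right = rotl(p[:5], 1), rotl(p[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotl(left, 2), rotl(right, 2)
    return k1, permute(left + right, P8)


def sbox(box, b):
    row, col = int(b[0] + b[3], 2), int(b[1] + b[2], 2)
    return format(box[row][col], "02b")


def F(r, sk):
    """E/P, XOR with the sub-key, two S-boxes, then P4."""
    t = xor(permute(r, EP), sk)
    return permute(sbox(S0, t[:4]) + sbox(S1, t[4:]), P4)


def f_k(block, sk):
    left, right = block[:4], block[4:]
    return xor(left, F(right, sk)) + right


def crypt(block, first, second):
    x = f_k(permute(block, IP), first)
    x = f_k(x[4:] + x[:4], second)  # SW swaps the halves between rounds
    return permute(x, IP_INV)


def encrypt(plain, key):
    k1, k2 = subkeys(key)
    return crypt(plain, k1, k2)


def decrypt(cipher, key):
    k1, k2 = subkeys(key)
    return crypt(cipher, k2, k1)  # same network, sub-keys in reverse order


def round_trip_ok(key):
    """Every 8-bit block decrypts to itself and the mapping is a permutation."""
    blocks = [format(i, "08b") for i in range(256)]
    cts = [encrypt(b, key) for b in blocks]
    return len(set(cts)) == 256 and all(
        decrypt(c, key) == b for b, c in zip(blocks, cts))


if __name__ == "__main__":
    print(subkeys("1010000010"), encrypt("11110011", "1010000010"))
```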

Page 38: Ch03 Ch06 Des And Others

3.2 & 3.6 Block Cipher Principles

most symmetric block ciphers are based on a Feistel Cipher Structure

needed since must be able to decrypt ciphertext to recover messages efficiently

block ciphers look like an extremely large substitution

would need table of $2^{64}$ entries for a 64-bit block

instead create from smaller building blocks

using idea of a product cipher

Page 39: Ch03 Ch06 Des And Others

Claude Shannon and Substitution-Permutation Ciphers

in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
– modern substitution-transposition product cipher

these form the basis of modern block ciphers

S-P networks are based on the two primitive cryptographic operations we have seen before:
– substitution (S-box)
– permutation (P-box)

provide confusion and diffusion of message

Page 40: Ch03 Ch06 Des And Others

5.1.4 Product Ciphers

Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining substitution, permutation, and other components discussed in previous sections.

Page 41: Ch03 Ch06 Des And Others

5.1.4 Continued

Diffusion

The idea of diffusion is to hide the relationship between the ciphertext and the plaintext.

Note: Diffusion hides the relationship between the ciphertext and the plaintext.

Page 42: Ch03 Ch06 Des And Others

5.1.4 Continued

Confusion

The idea of confusion is to hide the relationship between the ciphertext and the key.

Note: Confusion hides the relationship between the ciphertext and the key.

Page 43: Ch03 Ch06 Des And Others

5.1.4 Continued

Rounds

Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components.

Page 44: Ch03 Ch06 Des And Others


Page 45: Ch03 Ch06 Des And Others

Confusion and Diffusion

Shannon suggests thwarting “statistical analysis”

Confusion
– Blur the relation between the ciphertext and the encryption key
– Substitution

Diffusion
– Each ciphertext alphabet is affected by many plaintext alphabets
– Repeated permutations

Page 46: Ch03 Ch06 Des And Others

Feistel Cipher Structure

Horst Feistel devised the Feistel cipher
– based on concept of invertible product cipher

partitions input block into two halves
– process through multiple rounds which
– perform a substitution on left data half
– based on round function of right half & subkey
– then have permutation swapping halves

implements Shannon’s substitution-permutation network concept

Page 47: Ch03 Ch06 Des And Others

Feistel Cipher Structure

Page 48: Ch03 Ch06 Des And Others

Feistel Cipher Design Principles

block size
– increasing size improves security, but slows cipher

key size
– increasing size improves security, makes exhaustive key searching harder, but may slow cipher

number of rounds
– increasing number improves security, but slows cipher

subkey generation
– greater complexity can make analysis harder, but slows cipher

round function
– greater complexity can make analysis harder, but slows cipher

fast software en/decryption & ease of analysis
– are more recent concerns for practical use and testing

Page 49: Ch03 Ch06 Des And Others

Feistel Cipher Decryption

Page 50: Ch03 Ch06 Des And Others

Average time required for exhaustive key search

Key Size (bits)   Number of Alternative Keys   Time required at 10^6 Decryption/µs
32                2^32 = 4.3 x 10^9            2.15 milliseconds
56                2^56 = 7.2 x 10^16           10 hours
128               2^128 = 3.4 x 10^38          5.4 x 10^18 years
168               2^168 = 3.7 x 10^50          5.9 x 10^30 years

Page 51: Ch03 Ch06 Des And Others

3.3 Data Encryption Standard (DES)

most widely used block cipher in world

adopted in 1977 by NBS (now NIST)
– as FIPS PUB 46

encrypts 64-bit data using 56-bit key

has widespread use

has been considerable controversy over its security

Page 52: Ch03 Ch06 Des And Others

DES History

IBM developed Lucifer cipher
– by team led by Feistel
– used 64-bit data blocks with 128-bit key

then redeveloped as a commercial cipher with input from NSA and others

in 1973 NBS issued request for proposals for a national cipher standard

IBM submitted their revised Lucifer which was eventually accepted as the DES

Page 53: Ch03 Ch06 Des And Others

Security analysis of DES

Why 56 bits?
– Lucifer’s key is 128 bits long
– Rumor: it was deliberately reduced so that NSA can break it
– Facts
  1997: distributed exhaustive key search all over the world takes 3 months.
  1998: specialized key search chips take 56 hours
  1999: the search device is improved and achieves the record of 22 hours

Page 54: Ch03 Ch06 Des And Others


Page 55: Ch03 Ch06 Des And Others

A single round

Page 56: Ch03 Ch06 Des And Others

6.2.3 Continued

Figure 6.10 Key generation

Page 57: Ch03 Ch06 Des And Others


Page 58: Ch03 Ch06 Des And Others


Page 59: Ch03 Ch06 Des And Others


Page 60: Ch03 Ch06 Des And Others


Page 61: Ch03 Ch06 Des And Others

Avalanche effect

A small change in either the plaintext or the key should produce a significant change in the ciphertext

In particular, a one-bit change in either the plaintext or the key ⇒ half of the bits change in the ciphertext

Page 62: Ch03 Ch06 Des And Others

Avalanche effect (cont.)

For example
– P1 = 0000 0000 0000 0000
– P2 = 1000 0000 0000 0000
– K = 0000001 1001011 0100100 1100010 0011100 0011000 0011100 0110010
– Then, 34 bits differ in C = $R_{16}L_{16}$

Page 63: Ch03 Ch06 Des And Others

Fast avalanche effect

The avalanche effect appears within the first few rounds; for example, the first 3 rounds.

Change in Plaintext            Change in Key
Round   # bits that differ     Round   # bits that differ
0       1                      0       0
1       6                      1       2
2       21                     2       14
3       35                     3       28
4       39                     4       32
5       34                     5       30
6       32                     6       32
7       31                     7       35
8       29                     8       34
9       42                     9       40
10      44                     10      38
11      32                     11      31
12      30                     12      33
13      30                     13      28
14      26                     14      26
15      29                     15      34
16      34                     16      35

Page 64: Ch03 Ch06 Des And Others

3.7 Modes of Operation

block ciphers encrypt fixed-size blocks

e.g. DES encrypts 64-bit blocks, with 56-bit key

need way to use in practice, given usually have arbitrary amount of information to encrypt

four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use

subsequently now have 5 for DES and AES

have block and stream modes
– Recall ch03-3
– stream ciphers process messages a bit or byte at a time when en/decrypting

Page 65: Ch03 Ch06 Des And Others

Modes of operations (Overview)

Advantages and disadvantages: goals
– Same plaintext blocks => Same cipher blocks
– Padding
– Stream cipher => Error propagation
– Parallel encryption/decryption

Padding message (64-bit block)
– Electronic codebook mode (ECB)
– Cipher block chaining mode (CBC)

Convert DES to stream cipher (1 bit or 8 bits)
– Cipher feedback mode (CFB)
– Output feedback mode (OFB)

Parallel encryptions
– Counter (CTR)

Page 66: Ch03 Ch06 Des And Others


Page 67: Ch03 Ch06 Des And Others

ECB mode

Simplest mode

Each block of 64-bit plaintext is handled independently

It is like a (huge) codebook lookup

The same 64-bit block has the same ciphertext

Same key is used in all block encryption.

APPLICATION: Secured transmission of key.

Page 68: Ch03 Ch06 Des And Others

ECB mode (cont.)

Encryption
– Key: K
– Plaintext: $P = P_1 P_2 \dots P_{N-1} P_N$
– Padded plaintext: $P' = P_1 P_2 \dots P_{N-1} P_N'$
  $P_1, P_2, \dots, P_{N-1}$ are 64-bit blocks
  $P_N'$ is the last (padded) 64-bit block
  Padding pattern: 10…0
– Ciphertext: $C = C_1 C_2 \dots C_N$
  $C_i = E_K(P_i),\ 1 \le i \le N$

Page 69: Ch03 Ch06 Des And Others

ECB mode (cont.)

Page 70: Ch03 Ch06 Des And Others

ECB mode (cont.)

Decryption
– Key: K
– Ciphertext: $C = C_1 C_2 \dots C_N$
– Padded plaintext: $P' = P_1 P_2 \dots P_{N-1} P_N'$
– Plaintext: $P_1 P_2 \dots P_{N-1} P_N$

Page 71: Ch03 Ch06 Des And Others

ECB mode (cont.)

Page 72: Ch03 Ch06 Des And Others

Advantages and Limitations of ECB

repetitions in message may show in ciphertext
– if aligned with message block
– particularly with data such as graphics
– or with messages that change very little, which become a code-book analysis problem

weakness due to encrypted message blocks being independent

main use is sending a few blocks of data

Page 73: Ch03 Ch06 Des And Others

Cipher Block Chaining (CBC)

message is broken into blocks

but these are linked together in the encryption operation

each previous cipher block is chained with current plaintext block, hence name

use Initial Vector (IV) to start process

$C_i = DES_{K1}(P_i \text{ XOR } C_{i-1})$

$C_{-1} = IV$

uses: bulk data encryption, authentication

Page 74: Ch03 Ch06 Des And Others

CBC mode (cont.)

Goal: the same plaintext block is encrypted into different ciphertext blocks

Initial vector (IV)
– 64 bits long
– Fixed, or negotiated between sender and receiver

Padded plaintext: $P' = P_1 P_2 \dots P_N$

Ciphertext: $C = C_1 C_2 \dots C_N$
– $C_1 = E_K(IV \oplus P_1)$
– $C_i = E_K(C_{i-1} \oplus P_i),\ 2 \le i \le N$

Page 75: Ch03 Ch06 Des And Others

CBC mode (cont.)

Page 76: Ch03 Ch06 Des And Others

CBC mode (cont.)

Decryption
– Key: K
– Ciphertext: $C = C_1 C_2 \dots C_N$
– Padded plaintext: $P = P_1 P_2 \dots P_N$
  $P_1 = D_K(C_1) \oplus IV$
  $P_i = D_K(C_i) \oplus C_{i-1} = C_{i-1} \oplus P_i \oplus C_{i-1}$

Page 77: Ch03 Ch06 Des And Others

CBC mode (cont.)

Page 78: Ch03 Ch06 Des And Others

Advantages and Limitations of CBC

each ciphertext block depends on all message blocks

thus a change in the message affects all ciphertext blocks after the change as well as the original block

need Initial Value (IV) known to sender & receiver
– however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
– hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message

at end of message, handle possible last short block
– by padding either with known non-data value (e.g. nulls)
– or pad last block with count of pad size
  e.g. [ b1 b2 b3 0 0 0 0 5 ] <- 3 data bytes, then 5 bytes pad+count

Page 79: Ch03 Ch06 Des And Others

CFB mode (Cipher feedback)

Stream cipher mode

One-time pad

Block size: J bits, $1 \le J \le 64$

Need no padding in most cases
– For example, between keyboard and computer, we set J = 8

Page 80: Ch03 Ch06 Des And Others

CFB mode (cont.)

Encryption: J-bit CFB
– Plaintext: $P = P_1 P_2 \dots P_N$, the $P_i$ are J-bit blocks
– $S_J(X)$: the leftmost J bits of X
– $T_{64-J}(Y)$: the rightmost 64-J bits of Y
– Algorithm
  R = IV
  For i = 1 to N
  – $C_i = P_i \oplus S_J(E_K(R))$
  – $R = T_{64-J}(R) \,\|\, C_{i-1}$

Page 81: Ch03 Ch06 Des And Others

CFB mode (cont.)

Decryption: J-bit CFB
– Ciphertext: $C = C_1 C_2 \dots C_N$, the $C_i$ are J-bit blocks
– $S_J(X)$: the leftmost J bits of X
– $T_{64-J}(Y)$: the rightmost 64-J bits of Y
– Algorithm
  R = IV
  For i = 1 to N
  – $P_i = C_i \oplus S_J(E_K(R))$
  – $R = T_{64-J}(R) \,\|\, C_{i-1}$

Advantages and Limitations of CFB

appropriate when data arrives in bits/bytes

most common stream mode

limitation is the need to stall while doing a block encryption after every n bits

note that the block cipher is used in encryption mode at both ends

errors propagate for several blocks after the error

OFB mode (Output feedback)

Similar to CFB, but output (not ciphertext) is fed back

uses: stream encryption over noisy channels

Advantage
– Bit errors in C_i won't propagate to decryption errors of C_j, j > i

Disadvantage
– Complementing bits of C_i results in complementing bits in P_i

Not suitable for error-correcting (see the next decryption figure) (modify one bit of C1)
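The error behaviour of the two feedback modes, as an added example (not from the slides): one ciphertext bit is flipped in transit and the damaged plaintext positions are listed for 8-bit CFB and for OFB. The function E is an assumed stand-in for E_K built from HMAC-SHA256, since both modes only use the encrypt direction; the key, IV and message are constructed.

```python
import hashlib, hmac

BLOCK = 8  # bytes in the 64-bit shift register R

def E(key, block):
    """Stand-in for E_K (assumption): keyed 64-bit function, not DES.
    CFB and OFB call the cipher in the encrypt direction only."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cfb(key, iv, data, j, decrypt=False):
    """J-bit CFB, J = 8*j: each j-byte segment is XORed with S_J(E_K(R))."""
    r, out = iv, b""
    for i in range(0, len(data), j):
        seg = data[i:i + j]
        res = xor(seg, E(key, r))          # zip() truncates to the segment
        c = seg if decrypt else res        # the ciphertext segment C_i
        r = (r + c)[-BLOCK:]               # shift left by J bits, append C_i
        out += res
    return out

def ofb(key, iv, data):
    """OFB: the cipher output, not the ciphertext, is fed back."""
    o, out = iv, b""
    for i in range(0, len(data), BLOCK):
        o = E(key, o)
        out += xor(data[i:i + BLOCK], o)
    return out

def flip_bit(ct, index):                   # one-bit channel error in byte `index`
    return ct[:index] + bytes([ct[index] ^ 0x01]) + ct[index + 1:]

def damaged(sent, received):               # plaintext positions that came out wrong
    return [i for i, (a, b) in enumerate(zip(sent, received)) if a != b]

KEY, IV = b"demo-key", bytes(BLOCK)              # constructed values
MSG = b"keyboard input, one byte at a time"      # constructed plaintext

def cfb8_damage(index=3):
    ct = flip_bit(cfb(KEY, IV, MSG, 1), index)
    return damaged(MSG, cfb(KEY, IV, ct, 1, decrypt=True))

def ofb_damage(index=3):
    ct = flip_bit(ofb(KEY, IV, MSG), index)
    return damaged(MSG, ofb(KEY, IV, ct))

if __name__ == "__main__":
    print("CFB-8:", cfb8_damage(), "OFB:", ofb_damage())
```

In CFB the bad byte stays in the register for 64/J further segments, so the damage ends after position 11; in OFB only the flipped position is affected, which is also why an undetected bit change in OFB ciphertext changes exactly that plaintext bit.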

Counter (CTR)

a "new" mode, though proposed early on

similar to OFB but encrypts counter value rather than any feedback value

must have a different key & counter value for every plaintext block (never reused)
  C_i = P_i XOR O_i
  O_i = DES_K1(i)

uses: high-speed network encryptions

Advantages and Limitations of CTR

efficiency
– can do parallel encryptions
– in advance of need
– good for bursty high speed links

random access to encrypted data blocks

provable security (good as other modes) ?

but must ensure never reuse key/counter values, otherwise could break (cf OFB)
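One way to keep the "never reuse key/counter values" rule while still getting random access, as an added example (not from the slides): a small allocator hands each message its own counter range under one key, and any block can be decrypted on its own. E is an assumed HMAC-SHA256 stand-in for DES_K1, and the class name, key and messages are constructed for illustration.

```python
import hashlib, hmac

BLOCK = 8  # 64-bit blocks, as with DES

def E(key, block):
    """Stand-in for DES_K1 (assumption): keyed 64-bit function, not DES.
    CTR only uses the encrypt direction, so no inverse is needed."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_block(key, start, i):
    """O_i = E_K(counter), with counter = start + i as a 64-bit integer."""
    return E(key, ((start + i) % 2**64).to_bytes(BLOCK, "big"))

def ctr(key, start, data):
    """C_i = P_i XOR O_i; the same call decrypts."""
    return b"".join(xor(data[o:o + BLOCK], keystream_block(key, start, o // BLOCK))
                    for o in range(0, len(data), BLOCK))

def read_block(key, start, ct, i):
    """Random access: decrypt block i without touching any other block."""
    return xor(ct[i * BLOCK:(i + 1) * BLOCK], keystream_block(key, start, i))

class CtrStream:
    """Hands out counter ranges under one key so no counter is used twice."""
    def __init__(self, key, limit=2**64):
        self.key, self.next, self.limit = key, 0, limit

    def encrypt(self, plaintext):
        blocks = -(-len(plaintext) // BLOCK)          # ceiling division
        if self.next + blocks > self.limit:
            raise OverflowError("counter space exhausted: change the key")
        start, self.next = self.next, self.next + blocks
        return start, ctr(self.key, start, plaintext)

if __name__ == "__main__":
    s = CtrStream(b"demo-key")                        # constructed key
    start, ct = s.encrypt(b"acct=001bal=0500acct=002bal=0750")
    print(start, read_block(b"demo-key", start, ct, 3))
```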

Modes of operations (Summary)

Advantages and disadvantages: goals
– Same plaintext blocks => Same cipher blocks
– Padding problem
– Stream cipher => Error propagation
– Parallel encryption/decryption

Ch06 - Double DES

Key size K = (K_1, K_2): 112 bits

C = E_K2(E_K1(P))

6.4.1 Double DES

The first approach is to use double DES (2DES).

Meet-in-the-Middle Attack
However, a known-plaintext attack called the meet-in-the-middle attack shows that double DES improves on this vulnerability only slightly (to 2^57 tests), not tremendously (to 2^112).

Double DES (cont.)

Meet-in-the-middle attack
– Given a pair (P, C)
– Let K_i be the i-th key of the key space, 0 ≤ i ≤ 2^56 - 1
– Compute M_i = E_Ki(P), 0 ≤ i ≤ 2^56 - 1
– Compute N_j = D_Kj(C), 0 ≤ j ≤ 2^56 - 1
– Check whether M_i = N_j
  If so, K = (K_i, K_j) is very likely to be the secret key
– Time: 2^56 + 2^56 = 2^57
– The memory size for M_i's: 2^56 × 64 bits
  we need not store N_j's.

6.4.1 Continued

Figure 6.14 Meet-in-the-middle attack for double DES

Figure 6.15 Tables for meet-in-the-middle attack
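The table-matching procedure above run end to end on a toy cipher, as an added example (not from the slides), to show why a second encryption adds about one bit of strength rather than doubling the key length. A 4-round Feistel network with a 32-bit block and 12-bit keys is an assumed stand-in for DES so the 2^56 tables shrink to 2^12; the key pair and plaintexts are constructed, and every match is confirmed against a second known pair.

```python
import hashlib

KEYBITS = 12     # toy key size (assumption); DES uses 56

def F(key, rnd, half):
    """Toy round function (assumption): 16 bits of SHA-256(key, round, half)."""
    data = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def enc(key, block):
    """Toy 4-round Feistel cipher on a 32-bit block, standing in for E_K."""
    l, r = block >> 16, block & 0xFFFF
    for rnd in range(4):
        l, r = r, l ^ F(key, rnd, r)
    return (l << 16) | r

def dec(key, block):
    """Inverse of enc, standing in for D_K."""
    l, r = block >> 16, block & 0xFFFF
    for rnd in reversed(range(4)):
        l, r = r ^ F(key, rnd, l), l
    return (l << 16) | r

def double_enc(k1, k2, p):
    return enc(k2, enc(k1, p))             # C = E_K2(E_K1(P))

def meet_in_the_middle(pairs):
    """Return every (K1, K2) consistent with all known (P, C) pairs."""
    (p, c), rest = pairs[0], pairs[1:]
    table = {}                             # M_i = E_Ki(P) -> [K_i, ...]
    for k1 in range(1 << KEYBITS):
        table.setdefault(enc(k1, p), []).append(k1)
    found = []
    for k2 in range(1 << KEYBITS):         # N_j = D_Kj(C), never stored
        for k1 in table.get(dec(k2, c), []):
            # a match on one pair can be a false alarm: confirm on the rest
            if all(double_enc(k1, k2, p2) == c2 for p2, c2 in rest):
                found.append((k1, k2))
    return found

SECRET = (0x3A7, 0xC15)                    # constructed key pair
PAIRS = [(p, double_enc(*SECRET, p)) for p in (0x01234567, 0x89ABCDEF)]

if __name__ == "__main__":
    print(meet_in_the_middle(PAIRS), "found with", 2 << KEYBITS,
          "cipher operations instead of", 1 << (2 * KEYBITS))
```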

6.4.2 Triple DES

Figure 6.16 Triple DES with two keys

Triple DES

Plaintext, ciphertext: 64 bits

Key K = (K_1, K_2): 112 bits

Encryption: C = E_K1(D_K2(E_K1(P)))

Decryption: P = D_K1(E_K2(D_K1(C)))

Advantages
– Key size is larger
– Compatible with regular one-key DES
  Set K_1 = K_2 = K (56-bit)
  C = E_K(D_K(E_K(P))) = E_K(P)
  P = D_K(E_K(D_K(C))) = D_K(C)

6.4.2 Continued

Triple DES with Three Keys
The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys. Triple DES with three keys is used by many applications such as PGP (See Chapter 16).

IDEA (International Data Encryption Algorithm)

Plain text = 64 bit.

Key = 128 bit.

Sub key = 52. (16 bit each)

Cipher text = 64.

Number of identical rounds = 8. (6 keys in each round)

And one output transformation round (4 keys)

Design Issues

The design philosophy behind the algorithm is one of "mixing operations from different algebraic groups".

1) XOR
2) Addition modulo 2^16
3) Multiplication modulo 2^16 + 1

Encryption Key Generation.

Encryption Algorithm.

Sequence of operation
1) Multiply x1 and first sub key (sk)
2) Add x2 and second sk
3) Add x3 and third sk
4) Multiply x4 and fourth sk
5) XOR step 1 and step 3
6) XOR step 2 and step 4
7) Multiply step 5 with fifth sk.
8) Add result of step 6 and step 7
9) Multiply result of step 8 with sixth sk.
10) Add result of step 7 and step 9.

Continue..
11) XOR result of step 1 and step 9.
12) XOR result of step 3 and step 9.
13) XOR result of step 2 and step 10.
14) XOR result of step 2 and step 10.

Operation in output transformation
1) Multiply x1 with first sk.
2) Add x2 and second sk.
3) Add x3 and third sk.
4) Multiply x4 and fourth sk.

Next generation

NIST began the process of selecting the next-generation secret-key encryption algorithm in 1998.

Advanced encryption standard (AES)
– Rijndael (Chapter 5)

Plaintext, ciphertext: at least 128 bits.

Key size: flexible, at least 128 bits.

You can check its web site.
– http://www.nist.gov/aes

Stream Ciphers

process the message bit by bit (or bytes) (as a stream)

typically have a (pseudo) random stream key

combined (XOR) with plaintext bit by bit

randomness of stream key completely destroys any statistical properties in the message
– C_i = M_i XOR StreamKey_i

what could be simpler!!!!

but must never reuse stream key
– otherwise can remove effect and recover messages

Stream Cipher Properties

some design considerations are:
– long period with no repetitions
– statistically random
– depends on large enough key
– large linear complexity
– correlation immunity
– confusion
– diffusion
– use of highly non-linear boolean functions

Stream Cipher: RC4

a proprietary cipher owned by RSA DSI

another Ron Rivest design, simple but effective

variable key size, byte-oriented stream cipher

widely used (web SSL/TLS, WLAN WEP - not secure)

key forms random permutation of all 8-bit values

uses that permutation to scramble input info processed a byte at a time

WLANs: definition of environment attributes

protocol standard: IEEE 802.11a, 802.11b, 802.11g (WEP), 802.11i (TKIP short-term solution)

WLAN WEP (WLAN security requirement and some attacks.ppt)

Problems with WEP

24-bit IVs are too short

The CRC checksum is used by WEP for integrity protection

WEP combines the IV with the key in a way that enables cryptanalytic attacks

Integrity protection for source and destination addresses is not provided
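An added illustration (not from the slides) tying together the stream-key reuse rule, RC4's permutation-based keystream and the short WEP IV: RC4 is keyed per packet by concatenating the IV to the base key, and two packets that share an IV are shown to share a keystream. The base key, IV and plaintexts are constructed, and the birthday estimate assumes IVs are chosen at random.

```python
import math

def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream: the key schedule builds a permutation of 0..255,
    then one keystream byte is drawn from it per input byte."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                            # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(base_key, iv, plaintext):
    """Per-packet key = IV || base key; C_i = M_i XOR StreamKey_i."""
    return xor(plaintext, rc4(iv + base_key, len(plaintext)))

def packets_until_likely_iv_repeat(iv_bits):
    """Birthday bound: random IVs needed for a ~50% chance of a repeat."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** iv_bits))

BASE_KEY = bytes.fromhex("0102030405")            # constructed 40-bit key
IV = bytes.fromhex("a1b2c3")                      # constructed 24-bit IV
P1 = b"GET /index.html "                          # constructed plaintexts
P2 = b"POST /login.php "

def reuse_leak():
    """XOR of two ciphertexts sent under the same IV and base key."""
    c1 = wep_style_encrypt(BASE_KEY, IV, P1)
    c2 = wep_style_encrypt(BASE_KEY, IV, P2)
    return xor(c1, c2)                            # keystream cancels: P1 XOR P2

if __name__ == "__main__":
    print("C1 XOR C2 == P1 XOR P2:", reuse_leak() == xor(P1, P2))
    print("packets to a likely 24-bit IV repeat:", packets_until_likely_iv_repeat(24))
```

For comparison, the same estimate for a 48-bit IV is in the tens of millions of packets, and a sequenced IV of that size does not repeat until the counter wraps.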


TKIP : IEEE 802.11i short-term solution

A message integrity code (MIC), called Michael, to defeat forgeries

A packet sequencing discipline, to defeat replay attacks

A per-packet key mixing function, to prevent attack

Long-term solution

A single key to provide confidentiality and integrity

Provide integrity protection for the plaintext packet header, as well as

                   WEP                           TKIP
Cipher             RC4                           RC4
Key Size(s)        40 or 104-bit encryption      128-bit encryption, 64-bit authentication
Key Lifetime       24-bit wrapping IV            48-bit IV
Per-packet key     Concatenate IV to base key    TKIP mixing function
Packet Data        CRC-32                        Michael
Replay detection   None                          Enforcing IV sequencing
Key Management     None                          IEEE 802.1X

IEEE 802.1X provides both authentication and key management

EAP RADIUS

WLAN EAP (EAP series methods on wireless security.ppt)

EAP series
– Password-based
  LEAP
  EAP-SKE
  EAP-SRP
  EAP-SPEKE
  EAP-SIM (GSM/GPRS, SIM card)
  EAP-AKA (3G-UMTS, USIM card)
– Certificate-based
  EAP-TLS
  EAP-TTLS
  PEAP