Ch03 & Ch06 – DES and others
TRANSCRIPT
-- VIJAY KATTA -- 1
Cryptography and Network Security
By:
William Stallings
B. Forouzan
Bruce Schneier
P. van Oorschot and S. Vanstone
Chapter 3 & Chapter 6 – Block Ciphers, DES, Others
3.1 Simplified DES
3.2 Block Cipher Principles
3.3 The Data Encryption Standard
3.4 The Strength of DES
3.5 Differential and Linear Cryptanalysis
3.6 Block Cipher Design Principles
3.7 Block Cipher Modes of Operation
Ch06 – Contemporary symmetric ciphers
3.0 Modern Block Ciphers
• will now look at modern block ciphers
• one of the most widely used types of cryptographic algorithms
• provide secrecy and/or authentication services
• in particular will introduce DES (Data Encryption Standard)
Block vs Stream Ciphers
• block ciphers process messages in blocks, each of which is then en/decrypted
  – like a substitution on very big characters: 64 bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
  – hence they are the focus of the course
Simplified DES (S-DES)
• An educational algorithm
• A product cipher – two identical sub-ciphers
• Each sub-cipher
  – Permutation
  – Substitution
S-DES
• Encryption
  – Input: 8-bit plaintext
  – Input: 10-bit key K
  – Output: 8-bit ciphertext
• Decryption
  – Input: 8-bit ciphertext
  – Input: 10-bit key K
  – Output: 8-bit plaintext
Simplified DES (cont.)
• Key generation
  – P10: a permutation of 10 bits
  – shift: shift (rotate) the input
  – P8: a permutation producing 8 bits
• Encryption/Decryption
  – IP: initial permutation
  – f_K: a complex function (substitution + permutation)
  – SW: a simple permutation (swapping)
  – IP^-1: the inverse of IP
Overview of S-DES
• Subkey generation
  – K1 = P8(shift(P10(K)))
  – K2 = P8(shift(shift(P10(K))))
• Encryption
  – C = IP^-1(f_K2(SW(f_K1(IP(P)))))
• Decryption
  – P = IP^-1(f_K1(SW(f_K2(IP(C)))))
Sub-key generation
[Figure: S-DES sub-key generation]

Sub-key generation (cont.)
• P10: 10-bit permutation
  P10: 3 5 2 7 4 10 1 9 8 6
  P10(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = k3 k5 k2 k7 k4 k10 k1 k9 k8 k6
  e.g. K = 10100 00010, P10(K) = P10(10100 00010) = 10000 01100
Sub-key generation (cont.)
• LS-1: rotate left by 1 bit
  e.g. LS-1(10000) = 00001, LS-1(01100) = 11000
Sub-key generation (cont.)
• P8: a permutation with 10-bit input and 8-bit output
  P8: 6 3 7 4 8 5 10 9
  P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = k6 k3 k7 k4 k8 k5 k10 k9
  e.g. K1 = P8(00001 11000) = 10100100
Sub-key generation (cont.)
• LS-2: rotate left by 2 bits
  e.g. LS-2(00001) = 00100, LS-2(11000) = 00011
Sub-key generation (cont.)
• P8: a permutation with 10-bit input and 8-bit output
  P8: 6 3 7 4 8 5 10 9
  P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = k6 k3 k7 k4 k8 k5 k10 k9
  e.g. K2 = P8(00100 00011) = 01000011
S-DES encryption
[Figure: S-DES encryption]

S-DES encryption (cont.)
[Figure: S-DES encryption]
S-DES encryption (cont.)
• Function f_K
  – Permutation + substitution.
  – f_K(L, R) = (L ⊕ F(R, SK), R)
    SK: a subkey K_i (i = 1, 2)
    L: leftmost 4 bits
    R: rightmost 4 bits
    F: a mapping from 4-bit strings to 4-bit strings
    ⊕: bit-wise XOR
S-DES encryption (cont.)
• Function f_K
  – Example: input is 1011 1101, so L = 1011, R = 1101
    F(1101, SK) = 1110
    f_K(1011 1101) = (1011 ⊕ 1110) || 1101
                   = 0101 1101
S-DES encryption (cont.)
• Mapping F(R, SK)
[Figure: the mapping F, with inputs R and SK]

S-DES encryption (cont.)
• Mapping F(R, SK)
  – Expansion/permutation (E/P): 4-bit R → 8 bits
  – XOR with subkey SK → 8 bits
  – 2 S-boxes → 4 bits
  – P4 permutation → 4 bits (output)
S-DES encryption (cont.)
• E/P: 4 bits → 8 bits
  E/P: 4 1 2 3 2 3 4 1
  Example: E/P(1001) = 11000011
S-DES encryption (cont.)
• S-box (substitution box)
  – S0, S1: 4 bits → 2 bits
  – row selected by b1b4, column selected by b2b3

  S0(b1 b2 b3 b4)
  b1b4 \ b2b3   00   01   10   11
  00            01   00   11   10
  01            11   10   01   00
  10            00   10   01   11
  11            11   01   11   10

S-DES encryption (cont.)
  S1(b1 b2 b3 b4)
  b1b4 \ b2b3   00   01   10   11
  00            00   10   10   11
  01            10   00   01   11
  10            11   00   01   00
  11            10   01   00   11

  Example: S0(0010) = 00, S1(0010) = 10
S-DES encryption (cont.)
• P4: 4-bit permutation
  P4: 2 4 1 3

S-DES encryption (cont.)
[Figure: F(R, SK) evaluated step by step for R = 1001]
  R = 1001
  E/P(1001) = 11000011
  after XOR with the subkey: 0101 1010
  S0(0101) = 01, S1(1010) = 00
  P4(0100) = 1000
S-DES Encryption (cont.)
• SW: switch function
  – Interchange the left and right 4 bits
    b1 b2 b3 b4 b5 b6 b7 b8 → b5 b6 b7 b8 b1 b2 b3 b4

S-DES Encryption (cont.)
• 2nd round: same as the first round except
  – Sub-key K2 is used
  – Final permutation IP^-1 is applied.
S-DES encryption (cont.)
• Key: K = 1010000010
• Plaintext: P = 11110011
• Sub-key generation
  – K1 = P8 • LS-1 • P10(1010000010) = 10100100
  – K2 = P8 • LS-2 • LS-1 • P10(1010000010) = 01000011
• Plaintext: 11110011
  – IP(11110011) = 1011 1101 = L || R
  – F(R, K1):
    E/P(1101) ⊕ K1 = 11101011 ⊕ 10100100 = 01001111
    S0(0100) = 11, S1(1111) = 11
    P4(1111) = 1111

S-DES encryption (cont.)
  – f_K1(1011 1101) = (L ⊕ F(R, K1), R) = (1011 ⊕ 1111, 1101) = 0100 1101
  – SW(0100 1101) = 1101 0100 = L || R
  – F(R, K2):
    E/P(0100) ⊕ K2 = 00101000 ⊕ 01000011 = 01101011
    S0(0110) = 10, S1(1011) = 01
    P4(1001) = 0101
  – f_K2(1101 0100) = (L ⊕ F(R, K2), R) = (1101 ⊕ 0101, 0100) = 1000 0100
  – IP^-1(1000 0100) = 01000001
• Ciphertext C = 01000001
S-DES decryption
[Figure: S-DES decryption]

S-DES decryption (cont.)
  C = IP^-1 • f_K2 • SW • f_K1 • IP (P)
  IP^-1 • f_K1 • SW • f_K2 • IP (C)
    = IP^-1 • f_K1 • SW • f_K2 • IP • IP^-1 • f_K2 • SW • f_K1 • IP (P)
    = IP^-1 • f_K1 • SW • f_K2 • f_K2 • SW • f_K1 • IP (P)
    = IP^-1 • f_K1 • SW • SW • f_K1 • IP (P)
    = IP^-1 • f_K1 • f_K1 • IP (P)
    = IP^-1 • IP (P)
    = P
S-DES decryption (cont.)
• Only the sub-keys are fed in reverse order
• SW • SW = I (identity)
• IP^-1 • IP = IP • IP^-1 = I (identity)
• f_K1 • f_K1 (X, Y) = f_K1(X ⊕ F(Y, K1), Y)
                     = (X ⊕ F(Y, K1) ⊕ F(Y, K1), Y)
                     = (X, Y)
• f_K2 • f_K2 (X, Y) = f_K2(X ⊕ F(Y, K2), Y)
                     = (X ⊕ F(Y, K2) ⊕ F(Y, K2), Y)
                     = (X, Y)
S-DES decryption (cont.)
• Generate sub-keys in reverse order
[Figure: sub-key generation in reverse order]

S-DES decryption (cont.)
• Generate sub-keys in reverse order
  P10(K) = k1 k2 … k10
  – Encryption
    LS-1(k1 k2 k3 k4 k5) = k2 k3 k4 k5 k1
    LS-2(k2 k3 k4 k5 k1) = k4 k5 k1 k2 k3
  – Decryption
    RS-2(k1 k2 k3 k4 k5) = k4 k5 k1 k2 k3
    RS-2(k4 k5 k1 k2 k3) = k2 k3 k4 k5 k1
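The whole of S-DES as one runnable Python program, added here as an example (it is not code from the slides): the permutation tables are the ones the slides list (P10, P8, IP, IP^-1, E/P, P4) and the S-boxes are Stallings' S-DES boxes; decryption reuses the encryption network with the sub-keys swapped, which is exactly the argument above. Two caveats when checking it against the slides: the S1 table in the code has first row 0 1 2 3, so S1(0010) evaluates to 01 where the S-box slide gives 10; and with P4 = 2 4 1 3 the step P4(1001) evaluates to 0110 rather than 0101, so for the slides' key 1010000010 and plaintext 11110011 the program yields 11100001 instead of 01000001. The sub-keys 10100100 and 01000011 and all the other intermediate values of the worked example are reproduced.

```python
# Added example (not from the slides): Simplified DES in Python.
# Bits are handled as '0'/'1' strings so the trace matches the slides' notation.

P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 1, 3)
# S-boxes indexed [row = b1b4][col = b2b3]; these are Stallings' S-DES tables.
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits, table):
    """Apply a 1-indexed permutation/selection table to a bit string."""
    return "".join(bits[i - 1] for i in table)


def rotate_left(bits, n):
    """LS-n: rotate a bit string left by n positions."""
    return bits[n:] + bits[:n]


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def sbox(box, bits):
    """4-bit input -> 2-bit output; b1b4 selects the row, b2b3 the column."""
    row = int(bits[0] + bits[3], 2)
    col = int(bits[1] + bits[2], 2)
    return format(box[row][col], "02b")


def subkeys(key10):
    """K1 = P8(LS-1(P10(K))), K2 = P8(LS-2(LS-1(P10(K)))), halves rotated separately."""
    p = permute(key10, P10)
    left, right = rotate_left(p[:5], 1), rotate_left(p[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotate_left(left, 2), rotate_left(right, 2)
    k2 = permute(left + right, P8)
    return k1, k2


def F(r4, sk):
    """Mapping F(R, SK): E/P -> XOR with sub-key -> S0 || S1 -> P4."""
    x = xor(permute(r4, EP), sk)
    return permute(sbox(S0, x[:4]) + sbox(S1, x[4:]), P4)


def f_k(block8, sk):
    """Round function f_K(L, R) = (L xor F(R, SK), R)."""
    left, right = block8[:4], block8[4:]
    return xor(left, F(right, sk)) + right


def switch(block8):
    """SW: interchange the left and right 4 bits."""
    return block8[4:] + block8[:4]


def s_des(block8, key10, decrypt=False):
    k1, k2 = subkeys(key10)
    if decrypt:
        k1, k2 = k2, k1          # decryption = same network, sub-keys in reverse order
    x = permute(block8, IP)
    x = f_k(x, k1)
    x = switch(x)
    x = f_k(x, k2)
    return permute(x, IP_INV)


def encrypt(plain8, key10):
    return s_des(plain8, key10)


def decrypt(cipher8, key10):
    return s_des(cipher8, key10, decrypt=True)


if __name__ == "__main__":
    K, P = "1010000010", "11110011"      # the slides' key and plaintext
    print("K1, K2 =", subkeys(K))
    C = encrypt(P, K)
    print("C =", C, "-> decrypts to", decrypt(C, K))
```

Every intermediate of the worked example can be reproduced by calling the helpers directly, e.g. `permute("1101", EP)`, `F("1101", "10100100")` and `f_k("10111101", "10100100")`.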
S-DES decryption (cont.)
• Generate sub-keys in reverse order
[Figure: K2 is produced first and K1 second, each by an RS-2 rotation]

S-DES encryption/decryption
[Figure: one circuit with an e/d flag; input P/C, sub-keys K1/K2 then K2/K1, output C/P]
3.2 & 3.6 Block Cipher Principles
• most symmetric block ciphers are based on a Feistel Cipher Structure
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• would need a table of 2^64 entries for a 64-bit block
• instead create from smaller building blocks
• using the idea of a product cipher
Claude Shannon and Substitution-Permutation Ciphers
• in 1949 Claude Shannon introduced the idea of substitution-permutation (S-P) networks
  – modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
  – substitution (S-box)
  – permutation (P-box)
• provide confusion and diffusion of the message
5.1.4 Product Ciphers
Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining substitution, permutation, and other components discussed in previous sections.

5.1.4 Continued
Diffusion
The idea of diffusion is to hide the relationship between the ciphertext and the plaintext.
Note: Diffusion hides the relationship between the ciphertext and the plaintext.

5.1.4 Continued
Confusion
The idea of confusion is to hide the relationship between the ciphertext and the key.
Note: Confusion hides the relationship between the ciphertext and the key.

5.1.4 Continued
Rounds
Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components.
Confusion and Diffusion
• Shannon suggests these to thwart "statistical analysis"
• Confusion
  – Blur the relation between the ciphertext and the encryption key
  – Substitution
• Diffusion
  – Each ciphertext alphabet is affected by many plaintext alphabets
  – Repeated permutations
Feistel Cipher Structure
• Horst Feistel devised the Feistel cipher
  – based on the concept of an invertible product cipher
• partitions the input block into two halves
  – processes them through multiple rounds which
  – perform a substitution on the left data half
  – based on a round function of the right half & subkey
  – then have a permutation swapping the halves
• implements Shannon's substitution-permutation network concept

Feistel Cipher Structure
[Figure: Feistel cipher structure]
Feistel Cipher Design Principles
• block size – increasing size improves security, but slows the cipher
• key size – increasing size improves security and makes exhaustive key searching harder, but may slow the cipher
• number of rounds – increasing the number improves security, but slows the cipher
• subkey generation – greater complexity can make analysis harder, but slows the cipher
• round function – greater complexity can make analysis harder, but slows the cipher
• fast software en/decryption & ease of analysis
  – are more recent concerns for practical use and testing

Feistel Cipher Decryption
[Figure: Feistel cipher decryption]
Average time required for exhaustive key search

Key size (bits)   Number of alternative keys   Time required at 10^6 decryptions/µs
32                2^32  = 4.3 x 10^9           2.15 milliseconds
56                2^56  = 7.2 x 10^16          10 hours
128               2^128 = 3.4 x 10^38          5.4 x 10^18 years
168               2^168 = 3.7 x 10^50          5.9 x 10^30 years
3.3 Data Encryption Standard (DES)
• most widely used block cipher in the world
• adopted in 1977 by NBS (now NIST)
  – as FIPS PUB 46
• encrypts 64-bit data using a 56-bit key
• has widespread use
• there has been considerable controversy over its security
DES History
• IBM developed the Lucifer cipher
  – by a team led by Feistel
  – used 64-bit data blocks with a 128-bit key
• then redeveloped as a commercial cipher with input from NSA and others
• in 1973 NBS issued a request for proposals for a national cipher standard
• IBM submitted their revised Lucifer which was eventually accepted as the DES
Security analysis of DES
• Why 56 bits?
  – Lucifer's key is 128 bits long
  – Rumor: it was deliberately reduced so that NSA can break it
  – Facts
    1997: distributed exhaustive key search all over the world takes 3 months.
    1998: specialized key search chips take 56 hours
    1999: the search device is improved and achieves the record of 22 hours
A single round
[Figure: a single DES round]

6.2.3 Continued
Figure 6.10 Key generation
Avalanche effect
• A small change in either the plaintext or the key should produce a significant change in the ciphertext
• In particular, a one-bit change in either the plaintext or the key → half of the bits change in the ciphertext
Avalanche effect (cont.)
• For example
  – P1 = 0000 0000 0000 0000
  – P2 = 1000 0000 0000 0000
  – K = 0000001 1001011 0100100 1100010 0011100 0011000 0011100 0110010
  – Then, 34 bits differ in C = R16 L16
[Figure: avalanche effect]

Fast avalanche effect
• The avalanche effect appears within the first few rounds; for example, the first 3 rounds.

  Change in Plaintext          Change in Key
  Round   # bits that differ   Round   # bits that differ
  0       1                    0       0
  1       6                    1       2
  2       21                   2       14
  3       35                   3       28
  4       39                   4       32
  5       34                   5       30
  6       32                   6       32
  7       31                   7       35
  8       29                   8       34
  9       42                   9       40
  10      44                   10      38
  11      32                   11      31
  12      30                   12      33
  13      30                   13      28
  14      26                   14      26
  15      29                   15      34
  16      34                   16      35
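A generic Feistel network, added here as an example that serves both the Feistel structure slides above and this avalanche table; it is not the slides' code and not DES. The round function is SHA-256 used as a keyed mixer and the key schedule is a constructed one (SHA-256 of the key and the round index), chosen only so that the two properties the slides rely on can be checked directly: the same rounds with the sub-keys in reverse order invert the cipher without inverting the round function, and the number of differing bits per round for a one-bit change in the plaintext or in the key can be tabulated exactly as the DES table does.

```python
# Added example (not from the slides): a Feistel network on 64-bit blocks whose
# round function and key schedule are constructed from SHA-256 for this example.
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(right, subkey):
    """F(R, K_i): 32-bit half and 32-bit sub-key -> 32 bits (SHA-256 as a mixer)."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key64, rounds):
    """One 32-bit sub-key per round: SHA-256(key || round index), truncated."""
    return [int.from_bytes(hashlib.sha256(key64.to_bytes(8, "big") + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


def round_trace(block64, subkeys):
    """(L, R) state after every round; entry 0 is the input. No final swap."""
    left, right = block64 >> 32, block64 & MASK32
    states = [(left << 32) | right]
    for sk in subkeys:
        # L_i = R_{i-1},  R_i = L_{i-1} xor F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, sk)
        states.append((left << 32) | right)
    return states


def feistel(block64, subkeys):
    """Run the rounds and undo the last swap, so the output is R_n || L_n as in DES."""
    final = round_trace(block64, subkeys)[-1]
    return ((final & MASK32) << 32) | (final >> 32)


def encrypt(block64, key64, rounds=16):
    return feistel(block64, key_schedule(key64, rounds))


def decrypt(block64, key64, rounds=16):
    # Same network with the sub-keys reversed: round_function is never inverted.
    return feistel(block64, key_schedule(key64, rounds)[::-1])


def avalanche(p1, k1, p2, k2, rounds=16):
    """Bits that differ after each round between inputs (p1, k1) and (p2, k2)."""
    t1 = round_trace(p1, key_schedule(k1, rounds))
    t2 = round_trace(p2, key_schedule(k2, rounds))
    return [bin(a ^ b).count("1") for a, b in zip(t1, t2)]


if __name__ == "__main__":
    key = 0x0123456789ABCDEF                      # constructed sample key
    p1, p2 = 0x0000000000000000, 0x8000000000000000   # plaintexts differing in one bit
    print("plaintext change:", avalanche(p1, key, p2, key))
    print("key change      :", avalanche(p1, key, p1, key ^ 1))
    c = encrypt(p1, key)
    print(hex(c), "->", hex(decrypt(c, key)))
```

Because only the right half is transformed in a round, the first entry after a plaintext change is still 1 (the changed bit sits in the left half and is merely moved), and it is the second round that starts spreading it; the DES table shows the same shape with 1, 6, 21, 35.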
3.7 Modes of Operation
• block ciphers encrypt fixed size blocks
• e.g. DES encrypts 64-bit blocks, with a 56-bit key
• need a way to use them in pract­ice, given that we usually have an arbitrary amount of information to encrypt
• four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
• subsequently now have 5 for DES and AES
• have block and stream modes
  – Recall ch03-3
  – stream ciphers process messages a bit or byte at a time when en/decrypting
Modes of operation (Overview)
• Advantages and disadvantages: goals
  – Same plaintext blocks => Same cipher blocks
  – Padding
  – Stream cipher => Error propagation
  – Parallel encryption/decryption
• Padding the message (64-bit block)
  – Electronic codebook mode (ECB)
  – Cipher block chaining mode (CBC)
• Convert DES to a stream cipher (1 bit or 8 bits)
  – Cipher feedback mode (CFB)
  – Output feedback mode (OFB)
• Parallel encryptions
  – Counter (CTR)
ECB mode
• Simplest mode
• Each block of 64-bit plaintext is handled independently
• It is like a (huge) codebook lookup
• The same 64-bit block has the same ciphertext
• The same key is used in all block encryptions.
• APPLICATION: secured transmission of a key.
ECB mode (cont.)
• Encryption
  – Key: K
  – Plaintext: P = P_1 P_2 … P_{N-1} P_N
  – Padded plaintext: P' = P_1 P_2 … P_{N-1} P_N'
    P_1, P_2, …, P_{N-1} are 64-bit blocks
    P_N' is the last (padded) 64-bit block
    Padding pattern: 10…0
  – Ciphertext C = C_1 C_2 … C_N
    C_i = E_K(P_i), 1 ≤ i ≤ N
ECB mode (cont.)
[Figure: ECB encryption]

ECB mode (cont.)
• Decryption
  – Key: K
  – Ciphertext: C = C_1 C_2 … C_N
  – Padded plaintext: P' = P_1 P_2 … P_{N-1} P_N'
  – Plaintext: P_1 P_2 … P_{N-1} P_N
ECB mode (cont.)
[Figure: ECB decryption]

Advantages and Limitations of ECB
• repetitions in the message may show in the ciphertext
  – if aligned with the message block
  – particularly with data such as graphics
  – or with messages that change very little, which become a code-book analysis problem
• weakness is due to encrypted message blocks being independent
• main use is sending a few blocks of data
Cipher Block Chaining (CBC)
• message is broken into blocks
• but these are linked together in the encryption operation
• each previous cipher block is chained with the current plaintext block, hence the name
• use an Initial Vector (IV) to start the process
  C_i = DES_K1(P_i XOR C_{i-1})
  C_{-1} = IV
• uses: bulk data encryption, authentication
CBC mode (cont.)
• Goal: the same plaintext block is encrypted into different ciphertext blocks
• Initial vector (IV)
  – 64 bits long
  – Fixed, or negotiated between sender and receiver
• Padded plaintext: P' = P_1 P_2 … P_N
• Ciphertext: C = C_1 C_2 … C_N
  – C_1 = E_K(IV ⊕ P_1)
  – C_i = E_K(C_{i-1} ⊕ P_i), 2 ≤ i ≤ N
CBC mode (cont.)
[Figure: CBC encryption]

CBC mode (cont.)
• Decryption
  – Key: K
  – Ciphertext: C = C_1 C_2 … C_N
  – Padded plaintext: P = P_1 P_2 … P_N
    P_1 = D_K(C_1) ⊕ IV
    P_i = D_K(C_i) ⊕ C_{i-1} = C_{i-1} ⊕ P_i ⊕ C_{i-1}
CBC mode (cont.)
[Figure: CBC decryption]

Advantages and Limitations of CBC
• each ciphertext block depends on all preceding message blocks
• thus a change in the message affects all ciphertext blocks after the change as well as the original block
• need an Initial Value (IV) known to sender & receiver
  – however if the IV is sent in the clear, an attacker can change bits of the first block, and change the IV to compensate
  – hence either the IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before the rest of the message
• at the end of the message, handle a possible last short block
  – by padding either with a known non-data value (e.g. nulls)
  – or pad the last block with a count of the pad size
    e.g. [b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count
CFB mode (Cipher feedback)
• Stream cipher mode
• One-time pad
• Block size: J bits, 1 ≤ J ≤ 64
• Needs no padding in most cases
  – For example, between keyboard and computer, we set J = 8
CFB mode (cont.)
• Encryption: J-bit CFB
  – Plaintext: P = P_1 P_2 … P_N, the P_i are J-bit blocks
  – S_J(X): the leftmost J bits of X
  – T_{64-J}(Y): the rightmost 64-J bits of Y
  – Algorithm
    R = IV
    For i = 1 to N
      C_i = P_i ⊕ S_J(E_K(R))
      R = T_{64-J}(R) || C_{i-1}
CFB mode (cont.)
• Decryption: J-bit CFB
  – Ciphertext: C = C_1 C_2 … C_N, the C_i are J-bit blocks
  – S_J(X): the leftmost J bits of X
  – T_{64-J}(Y): the rightmost 64-J bits of Y
  – Algorithm
    R = IV
    For i = 1 to N
      P_i = C_i ⊕ S_J(E_K(R))
      R = T_{64-J}(R) || C_{i-1}
Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is the need to stall while doing a block encryption after every n bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
OFB mode (Output feedback)
• Similar to CFB, but the output (not the ciphertext) is fed back
• uses: stream encryption over noisy channels
• Advantage
  – Bit errors in C_i won't propagate to decryption errors of C_j, j > i
• Disadvantage
  – Complementing bits of C_i results in complementing bits in P_i
  – Not suitable for error-correcting (see the next decryption figure; modify one bit of C_1)
Counter (CTR)
• a "new" mode, though proposed early on
• similar to OFB but encrypts a counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
  C_i = P_i XOR O_i
  O_i = DES_K1(i)
• uses: high-speed network encryption
Counter (CTR)
[Figure: CTR mode]

Advantages and Limitations of CTR
• efficiency
  – can do parallel encryptions
  – in advance of need
  – good for bursty high speed links
• random access to encrypted data blocks
• provable security (as good as other modes) ?
• but must ensure never to reuse key/counter values, otherwise it could break (cf. OFB)
Modes of operation (Summary)
• Advantages and disadvantages: goals
  – Same plaintext blocks => Same cipher blocks
  – Padding problem
  – Stream cipher => Error propagation
  – Parallel encryption/decryption
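The five modes of this section written over a generic 64-bit block cipher, added here as an example (not the slides' code). The block cipher used is an insecure stand-in constructed for the example (a keyed affine map on 64-bit integers) chosen only because it is invertible and short; DES or AES would slot in unchanged. What the example makes checkable is what the summary lists: ECB reveals repeated plaintext blocks while CBC does not, the 10…0 padding from the ECB slides round-trips, a one-bit ciphertext error damages two plaintext blocks in CBC and CFB but only one bit in OFB and CTR, and CFB feeds back the ciphertext unit it has just produced (the `R = T_{64-J}(R) || C` step) while OFB feeds back the cipher output.

```python
# Added example (not from the slides): ECB, CBC, CFB, OFB and CTR over a stand-in
# block cipher E/D. The stand-in is NOT a real cipher; only its invertibility matters.
import os

BLOCK = 8                                 # 64-bit blocks, as for DES
MASK64 = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15                 # odd, hence invertible modulo 2**64
MULT_INV = pow(MULT, -1, 1 << 64)


def E(key, block):
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    return ((x * MULT) & MASK64).to_bytes(BLOCK, "big")


def D(key, block):
    x = (int.from_bytes(block, "big") * MULT_INV) & MASK64
    return (x ^ int.from_bytes(key, "big")).to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad10(msg):
    """Padding pattern 10...0, byte-wise: one 0x80 byte, then zeros to a block boundary."""
    n = BLOCK - len(msg) % BLOCK
    return msg + b"\x80" + b"\x00" * (n - 1)


def unpad10(padded):
    body = padded.rstrip(b"\x00")
    if not body.endswith(b"\x80"):
        raise ValueError("bad padding")
    return body[:-1]


def ecb_encrypt(key, p):
    return b"".join(E(key, b) for b in blocks(p))            # C_i = E_K(P_i)


def ecb_decrypt(key, c):
    return b"".join(D(key, b) for b in blocks(c))


def cbc_encrypt(key, iv, p):
    out, prev = [], iv
    for b in blocks(p):
        prev = E(key, xor(b, prev))                            # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, c):
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor(D(key, b), prev))                       # P_i = D_K(C_i) xor C_{i-1}
        prev = b
    return b"".join(out)


def cfb_crypt(key, iv, data, decrypt=False, j=1):
    """j-byte CFB (the slides' J = 8 bits). E_K is used at both ends; the ciphertext
    unit just produced (or, when decrypting, just received) is shifted into R."""
    out, r = [], iv
    for i in range(0, len(data), j):
        unit = data[i:i + j]
        res = xor(unit, E(key, r)[:len(unit)])                 # unit xor S_J(E_K(R))
        out.append(res)
        r = (r + (unit if decrypt else res))[-BLOCK:]          # R = T_{64-J}(R) || C_i
    return b"".join(out)


def ofb_crypt(key, iv, data):
    out, r = [], iv
    for b in blocks(data):
        r = E(key, r)                                          # cipher output is fed back
        out.append(xor(b, r[:len(b)]))
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    out = []
    for i, b in enumerate(blocks(data)):
        o = E(key, ((nonce + i) & MASK64).to_bytes(BLOCK, "big"))   # O_i = E_K(counter_i)
        out.append(xor(b, o[:len(b)]))
    return b"".join(out)


def damaged_blocks(expected, got):
    """Number of plaintext blocks that a ciphertext error corrupted (error propagation)."""
    return sum(a != b for a, b in zip(blocks(expected), blocks(got)))


if __name__ == "__main__":
    key, iv = os.urandom(8), os.urandom(8)
    p = pad10(b"ATTACK AT DAWN. " * 4)                         # constructed, repetitive plaintext
    print("ECB distinct blocks:", len(set(blocks(ecb_encrypt(key, p)))), "of", len(blocks(p)))
    print("CBC distinct blocks:", len(set(blocks(cbc_encrypt(key, iv, p)))), "of", len(blocks(p)))
```

The `damaged_blocks` helper is the check behind the "error propagation" row of the summary: flip one bit of the first ciphertext byte and count how many decrypted blocks changed.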
Ch06 – Double DES
• Key size K = (K1, K2): 112 bits
• C = E_K2(E_K1(P))

6.4.1 Double DES
The first approach is to use double DES (2DES).

Meet-in-the-Middle Attack
However, using a known-plaintext attack called meet-in-the-middle attack proves that double DES improves this vulnerability slightly (to 2^57 tests), but not tremendously (to 2^112).
--VIJAY KATTA----VIJAY KATTA-- 9393
Double DES (cont.)
Meet-in-the-middle attack
– Given a pair (P, C)
– Let K_i be the i-th key of the key space, 0 ≤ i ≤ 2^56-1
– Compute M_i = E_Ki(P), 0 ≤ i ≤ 2^56-1
– Compute N_j = D_Kj(C), 0 ≤ j ≤ 2^56-1
– Check whether M_i = N_j. If so, K=(Ki, Kj) is very likely to be the secret key
– Time: 2^56 + 2^56 = 2^57
– The memory size for the M_i’s: 2^56 × 64 bits; we need not store the N_j’s.
--VIJAY KATTA-- 94
6.4.1 Continued
Figure 6.14 Meet-in-the-middle attack for double DES
--VIJAY KATTA-- 95
6.4.1 Continued
Figure 6.15 Tables for meet-in-the-middle attack
--VIJAY KATTA-- 96
6.4.2 Triple DES
Figure 6.16 Triple DES with two keys
--VIJAY KATTA-- 97
Triple DES
Plaintext, ciphertext: 64 bits
Key K=(K1, K2): 112 bits
Encryption: C=E_K1(D_K2(E_K1(P)))
Decryption: P=D_K1(E_K2(D_K1(C)))
Advantages
– Key size is larger
– Compatible with regular one-key DES
Set K1=K2=K (56-bit)
C=E_K(D_K(E_K(P)))=E_K(P)
P=D_K(E_K(D_K(C)))=D_K(C)
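The two-key EDE formulas and the K1 = K2 = K compatibility claim, as an added Go example that is not the deck's code; it uses the standard library's crypto/des, and the keys and block are constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

func mustDES(key []byte) cipher.Block {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

// edeEncrypt computes C = E_K1(D_K2(E_K1(P))) on one 8-byte block.
func edeEncrypt(k1, k2, p []byte) []byte {
	a, b := mustDES(k1), mustDES(k2)
	t := make([]byte, 8)
	a.Encrypt(t, p)
	b.Decrypt(t, t)
	a.Encrypt(t, t)
	return t
}

// edeDecrypt computes P = D_K1(E_K2(D_K1(C))), the mirror image.
func edeDecrypt(k1, k2, c []byte) []byte {
	a, b := mustDES(k1), mustDES(k2)
	t := make([]byte, 8)
	a.Decrypt(t, c)
	b.Encrypt(t, t)
	a.Decrypt(t, t)
	return t
}

func main() {
	k1, k2, p := []byte("key1key1"), []byte("key2key2"), []byte("plain8by") // constructed
	c := edeEncrypt(k1, k2, p)
	fmt.Println(bytes.Equal(edeDecrypt(k1, k2, c), p)) // true
	// K1 = K2 = K collapses to single DES: E_K(D_K(E_K(P))) = E_K(P)
	single := make([]byte, 8)
	mustDES(k1).Encrypt(single, p)
	fmt.Println(bytes.Equal(edeEncrypt(k1, k1, p), single)) // true
}
```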
--VIJAY KATTA-- 98
--VIJAY KATTA-- 99
6.4.2 Continued
Triple DES with Three Keys
The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys. Triple DES with three keys is used by many applications such as PGP (See Chapter 16).
--VIJAY KATTA-- 100
IDEA (International Data Encryption Algorithm)
Plain text = 64 bit.
Key = 128 bit.
Sub key = 52. (16 bit each)
Cipher text = 64.
Number of identical rounds = 8. (6 keys in each round)
And one output transformation round (4 keys)
--VIJAY KATTA-- 101
Design Issues
The design philosophy behind the algorithm is one of “mixing operations from different algebraic groups”.
1) XOR
2) Addition modulo 2^16
3) Multiplication modulo 2^16 + 1
--VIJAY KATTA-- 102
--VIJAY KATTA-- 103
Encryption Key Generation.
--VIJAY KATTA-- 104
Encryption Algorithm.
--VIJAY KATTA-- 105
Sequence of operation
1) Multiply x1 and first sub key (sk)
2) Add x2 and second sk
3) Add x3 and third sk
4) Multiply x4 and fourth sk
5) Step 1 XOR step 3
6) Step 2 XOR step 4
7) Multiply step 5 with fifth sk.
8) Add result of step 6 and step 7
9) Multiply result of step 8 with sixth sk.
10) Add result of step 7 and step 9.
--VIJAY KATTA-- 106
Continue..
11) XOR result of step 1 and step 9.
12) XOR result of step 3 and step 9.
13) XOR result of step 2 and step 10.
14) XOR result of step 4 and step 10.
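The 14 round steps and the output transformation, as an added Go example that is not from the slides; it implements the three group operations from the Design Issues slide, with the IDEA convention that the 16-bit value 0 stands for 2^16 in the multiplication. The identity subkeys used in main are a constructed test vector, not an IDEA key schedule.

```go
package main

import "fmt"

// mul is IDEA multiplication modulo 2^16+1, where the 16-bit value 0 stands
// for 2^16 (so the group has no zero element and every value is invertible).
func mul(a, b uint16) uint16 {
	x, y := uint64(a), uint64(b)
	if x == 0 {
		x = 1 << 16
	}
	if y == 0 {
		y = 1 << 16
	}
	return uint16(x * y % 65537) // a result of 65536 maps back to 0
}

// add is addition modulo 2^16 (plain uint16 wraparound).
func add(a, b uint16) uint16 { return a + b }

// round performs one IDEA round on the four 16-bit subblocks x with the six
// round subkeys sk, following the 14 steps listed on the slides.
func round(x [4]uint16, sk [6]uint16) [4]uint16 {
	s1 := mul(x[0], sk[0]) // 1) x1 * sk1
	s2 := add(x[1], sk[1]) // 2) x2 + sk2
	s3 := add(x[2], sk[2]) // 3) x3 + sk3
	s4 := mul(x[3], sk[3]) // 4) x4 * sk4
	s5 := s1 ^ s3          // 5) step 1 XOR step 3
	s6 := s2 ^ s4          // 6) step 2 XOR step 4
	s7 := mul(s5, sk[4])   // 7) step 5 * sk5
	s8 := add(s6, s7)      // 8) step 6 + step 7
	s9 := mul(s8, sk[5])   // 9) step 8 * sk6
	s10 := add(s7, s9)     // 10) step 7 + step 9
	return [4]uint16{s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10} // 11) to 14)
}

// outputTransform is the final half-round with four subkeys.
func outputTransform(x [4]uint16, sk [4]uint16) [4]uint16 {
	return [4]uint16{mul(x[0], sk[0]), add(x[1], sk[1]), add(x[2], sk[2]), mul(x[3], sk[3])}
}

func main() {
	fmt.Println(mul(0, 0), mul(1, 0), mul(0xffff, 2)) // 1 0 65533
	fmt.Println(round([4]uint16{1, 2, 3, 4}, [6]uint16{1, 0, 0, 1, 1, 1})) // [9 11 8 14]
}
```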
--VIJAY KATTA-- 107
Operation in output transformation
1) Multiply x1 with first sk.
2) Add x2 and second sk.
3) Add x3 and third sk.
4) Multiply x4 and fourth sk.
--VIJAY KATTA-- 108
Next generation
NIST began the process of selecting the next-generation secret-key encryption algorithm in 1998.
Advanced encryption standard (AES)
– Rijndael (Chapter 5)
Plaintext, ciphertext: at least 128 bits.
Key size: flexible, at least 128 bits.
You can check its web.
– Http://www.nist.gov/aes
--VIJAY KATTA-- 109
Stream Ciphers
process the message bit by bit (or bytes) (as a stream)
typically have a (pseudo) random stream key
combined (XOR) with plaintext bit by bit
randomness of stream key completely destroys any statistical properties in the message
– C_i = M_i XOR StreamKey_i
what could be simpler!!!!
but must never reuse stream key
– otherwise can remove effect and recover messages
--VIJAY KATTA-- 110
Stream Cipher Properties
some design considerations are:
– long period with no repetitions
– statistically random
– depends on large enough key
– large linear complexity
– correlation immunity
– confusion
– diffusion
– use of highly non-linear boolean functions
--VIJAY KATTA-- 111
Stream Cipher: RC4
a proprietary cipher owned by RSA DSI
another Ron Rivest design, simple but effective
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, WLAN WEP - not secure)
key forms random permutation of all 8-bit values
uses that permutation to scramble input info processed a byte at a time
--VIJAY KATTA-- 112
WLAN environment attribute definitions
protocol standard: IEEE 802.11a, 802.11b, 802.11g (WEP), 802.11i (TKIP short-term solution)
WLAN WEP (WLAN security requirement and some attacks.ppt)
--VIJAY KATTA-- 113
Problems with WEP
24-bit IVs are too short
The CRC checksum is used by WEP for integrity protection
WEP combines the IV with the key in a way that enables cryptanalytic attacks
Integrity protection for source and destination addresses is not provided
WLAN WEP (WLAN security requirement and some attacks.ppt)
--VIJAY KATTA-- 114
TKIP: IEEE 802.11i short-term solution
A message integrity code (MIC), called Michael, to defeat forgeries;
A packet sequencing discipline, to defeat replay attacks
A per-packet key mixing function, to prevent attack
Long-term solution
A single key to provide confidentiality and integrity
Provide integrity protection for the plaintext packet header, as well as
WLAN WEP (WLAN security requirement and some attacks.ppt)
--VIJAY KATTA-- 115
                        WEP                              TKIP
Cipher / Key Size(s)    RC4, 40- or 104-bit encryption   RC4, 128-bit encryption, 64-bit authentication
Key Lifetime            24-bit wrapping IV               48-bit IV
Per-packet key          Concatenate IV to base key       TKIP mixing function
Packet Data Integrity   CRC-32                           Michael
Replay detection        None                             Enforcing IV sequencing
Key Management          None                             IEEE 802.1X
WLAN WEP (WLAN security requirement and some attacks.ppt)
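An added Go example, not part of the slides, tying the "Problems with WEP" slide to the table above: WEP's per-packet RC4 key is the IV concatenated to the base key, so a repeated 24-bit IV repeats the keystream (shown with the standard library's crypto/rc4). The birthday estimate and the IV-reuse scan are defensive checks; the base key and IVs are constructed.

```go
package main

import (
	"crypto/rc4"
	"fmt"
	"math"
)

// wepPerPacketKey is WEP's RC4 key: the 24-bit IV in front of the 40/104-bit base key.
func wepPerPacketKey(iv [3]byte, base []byte) []byte {
	return append(iv[:], base...)
}

// keystream returns the first n RC4 keystream bytes for key (XOR with zeros).
func keystream(key []byte, n int) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, n)
	c.XORKeyStream(out, out)
	return out
}

// expectedPacketsToFirstRepeat is the birthday estimate sqrt(pi*N/2) of how
// many random IVs are used before one repeats, for an ivBits-bit IV space.
func expectedPacketsToFirstRepeat(ivBits int) float64 {
	return math.Sqrt(math.Pi * math.Exp2(float64(ivBits)) / 2)
}

// firstIVReuse is a monitoring check: it scans the IVs seen under one base
// key and reports the index of the first packet whose IV was already used.
func firstIVReuse(ivs [][3]byte) (int, bool) {
	seen := make(map[[3]byte]struct{}, len(ivs))
	for i, iv := range ivs {
		if _, dup := seen[iv]; dup {
			return i, true
		}
		seen[iv] = struct{}{}
	}
	return -1, false
}

func main() {
	base, iv := []byte("wep40"), [3]byte{1, 2, 3} // constructed 40-bit base key and IV
	k1, k2 := keystream(wepPerPacketKey(iv, base), 8), keystream(wepPerPacketKey(iv, base), 8)
	fmt.Println(string(k1) == string(k2))                                  // true: same IV, same keystream
	fmt.Printf("%.0f\n", expectedPacketsToFirstRepeat(24))                 // 5134
	fmt.Println(firstIVReuse([][3]byte{{0, 0, 1}, {0, 0, 2}, {0, 0, 1}})) // 2 true
}
```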
--VIJAY KATTA-- 116
IEEE 802.1X provides both authentication and key management
EAP RADIUS
WLAN EAP (EAP series methods on wireless security.ppt)
--VIJAY KATTA-- 117
EAP series
– Password-based
LEAP
EAP-SKE
EAP-SRP
EAP-SPEKE
EAP-SIM (GSM/GPRS, SIM card)
EAP-AKA (3G-UMTS, USIM card)
– Certificate-based
EAP-TLS
EAP-TTLS
PEAP
WLAN EAP (EAP series methods on wireless security.ppt)