Source: …read.pudn.com/downloads94/doc/374757/ch06.pdf (transcript of lecture slides, starting at slide 152/181)
Information Security Lab., Dept. of Computer Engineering

PART I: Symmetric Ciphers
CHAPTER 6: More on Symmetric Ciphers
6.1 Multiple Encryption and Triple DES
6.2 Block Cipher Modes of Operation
6.3 Stream Cipher and RC4
6.1 Multiple Encryption & Triple DES
- A replacement for DES was clearly needed:
  - theoretical attacks that can break it
  - demonstrated exhaustive key search attacks
- AES is the new cipher alternative
- Prior to this, the alternative was to use multiple encryption with DES implementations: Triple-DES
- Double DES: two encryption stages and two keys; key size: 112 bits
  - Encryption: C = E_K2(E_K1(P))
  - Decryption: P = D_K1(D_K2(C))
6.1 Multiple Encryption & Triple DES: Double DES (figure slide)
6.1 Multiple Encryption & Triple DES: Double DES
(1) Reduction to a single stage
  - E_K2(E_K1(P)) = C = E_K3(P)
  - If it were possible to find such a key K3, any number of stages of multiple encryption with DES would be useless, because the result would be equivalent to a single encryption with a single 56-bit key
(2) Meet-in-the-middle attack
  - Since X = E_K1(P) = D_K2(C):
  - attack by encrypting P with all keys and storing the results, then decrypting C with all keys and matching the X values
  - can show this takes O(2^56) steps
6.1 Multiple Encryption & Triple DES: Triple DES with Two Keys
  - C = E_K1(D_K2(E_K1(P)))
  - P = D_K1(E_K2(D_K1(C)))
6.1 Multiple Encryption & Triple DES: Triple DES with Two Keys
- Use 2 keys with an E-D-E sequence; if K1 = K2 then it can interoperate with single DES
- Standardized in ANSI X9.17 & ISO 8732
- No current known practical attacks (a known-plaintext attack exists)
Triple DES with Three Keys
- Can use Triple-DES with three keys to avoid the known-plaintext attack
- C = E_K3(D_K2(E_K1(P)))
- Has been adopted by some Internet applications, e.g. PGP, S/MIME
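Added example (not code from the slides): the meet-in-the-middle attack on double encryption from the Double DES slide, and the K1 = K2 collapse of two-key E-D-E, run on a constructed 16-bit toy cipher so the whole key space fits in memory. The toy cipher, its round structure and the key names are this example's assumptions; the cost argument (two 2^16 halves plus a table instead of 2^32) is the slide's.

```python
MASK = 0xFFFF
ROUNDS = 3

def _rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def _rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK

def toy_encrypt(key, block):
    """Constructed 16-bit block / 16-bit key stand-in for DES: invertible, NOT secure."""
    x = block
    for r in range(ROUNDS):
        x = (x + key + r) & MASK
        x = _rotl(x, 5)
        x ^= key
    return x

def toy_decrypt(key, block):
    x = block
    for r in reversed(range(ROUNDS)):
        x ^= key
        x = _rotr(x, 5)
        x = (x - key - r) & MASK
    return x

def double_encrypt(k1, k2, p):
    """Double encryption C = E_K2(E_K1(P)); nominal key size is 32 bits here."""
    return toy_encrypt(k2, toy_encrypt(k1, p))

def ede_two_key(k1, k2, p):
    """Two-key triple encryption C = E_K1(D_K2(E_K1(P))); with K1 = K2 it collapses to E_K1(P)."""
    return toy_encrypt(k1, toy_decrypt(k2, toy_encrypt(k1, p)))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (P, C) pairs using X = E_K1(P) = D_K2(C).
    Cost: about 2 * 2^16 toy operations plus a 2^16-entry table, not the 2^32
    a brute-force search of the double key would need. The first pair fills the
    table, the remaining pairs filter out false matches."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):                     # forward half: every E_K1(P)
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << 16):                     # backward half: every D_K2(C)
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found
```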
6.2 Block Cipher Modes of Operation
- Block ciphers encrypt fixed-size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key
- Need some way to en/decrypt arbitrary amounts of data in practice
- ANSI X3.106: Modes of Use (now FIPS 81) defines 4 possible modes, 1983; NIST defines 5 modes in Special Publication 800-38A
- Have block and stream modes
- Table 6.1 (Block Cipher Modes of Operation)
6.2 Block Cipher Modes of Operation: Table 6.1 (Block Cipher Modes of Operation) (table slide)
6.2 Block Cipher Modes of Operation: Electronic Codebook Mode (ECB)
- Message is broken into independent blocks which are encrypted; each block is encoded independently of the other blocks
- C_i = DES_K(P_i)
- Uses: secure transmission of single values
[Figure: ECB encryption. At time i = 1 .. N, P_i -> DES encrypt (key K) -> C_i]
6.2 Block Cipher Modes of Operation: Electronic Codebook Mode (ECB)
- Limitation of ECB mode: message repetitions may show in the ciphertext
- The weakness is due to the encrypted message blocks being independent
[Figure: ECB decryption. C_1, C_2, ..., C_N -> DES decrypt (key K) -> P_1, P_2, ..., P_N]
6.2 Block Cipher Modes of Operation: Cipher Block Chaining Mode (CBC)
- Given a sequence P_1 P_2 P_3 ... of 64-bit plaintext blocks:
  C_i = E_K(C_{i-1} ⊕ P_i), 1 ≤ i ≤ N, C_0 = IV
[Figure: CBC encryption. At time i = 1 .. N, P_i ⊕ C_{i-1} -> DES encrypt (key K) -> C_i, with C_0 = IV]
6.2 Block Cipher Modes of Operation: Cipher Block Chaining Mode (CBC)
- Given a sequence C_1 C_2 C_3 ... of 64-bit ciphertext blocks:
  P_i = C_{i-1} ⊕ D_K(C_i), 1 ≤ i ≤ N, C_0 = IV
[Figure: CBC decryption. C_i -> DES decrypt (key K), then ⊕ C_{i-1} -> P_i, with C_0 = IV]
6.2 Block Cipher Modes of Operation: Cipher Block Chaining Mode (CBC)
- Each previous cipher block is chained with the current plaintext block
- Use an Initial Vector (IV) to start the process; it must be known to sender & receiver
- Uses: bulk data encryption, authentication
- At the end of the message must handle a possible last short block:
  - pad either with a known non-data value (e.g. nulls)
  - or pad the last block along with a count of the pad size
    - e.g. [b1 b2 b3 0 0 0 0 5]
    - means 3 data bytes, then 5 bytes of pad + count
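Added example (not the slides' code): ECB and CBC over 8-byte blocks with the pad-plus-count scheme just described, so the ECB repetition leak and the CBC chaining equations can be checked on real bytes. E/D are a constructed, invertible 64-bit stand-in for DES_K (not DES, not secure); the key and IV values are assumptions of this example.

```python
M64 = (1 << 64) - 1
def E(key, block):  # constructed, invertible 64-bit stand-in for DES_K: NOT a secure cipher
    b = int.from_bytes(block, "big")
    for r in range(4):
        b = (((((b << 13) | (b >> 51)) & M64) ^ key) + r) & M64
    return b.to_bytes(8, "big")

def D(key, block):  # inverse of E
    b = int.from_bytes(block, "big")
    for r in reversed(range(4)):
        b = ((b - r) & M64) ^ key
        b = ((b >> 13) | (b << 51)) & M64
    return b.to_bytes(8, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad_with_count(data):  # zero pad plus a count byte, e.g. [b1 b2 b3 0 0 0 0 5]
    n = 8 - len(data) % 8  # a full last block gets a whole pad block [0 ... 0 8]
    return data + bytes(n - 1) + bytes([n])

def unpad_with_count(data):
    n = data[-1]
    if not 1 <= n <= 8 or data[-n:-1] != bytes(n - 1):
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(key, pt):  # C_i = E_K(P_i): every block stands alone
    pt = pad_with_count(pt)
    return b"".join(E(key, pt[i:i + 8]) for i in range(0, len(pt), 8))

def cbc_encrypt(key, iv, pt):
    pt, out, prev = pad_with_count(pt), [], iv  # C_0 = IV
    for i in range(0, len(pt), 8):
        prev = E(key, xor(prev, pt[i:i + 8]))  # C_i = E_K(C_{i-1} xor P_i)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), 8):
        out.append(xor(prev, D(key, ct[i:i + 8])))  # P_i = C_{i-1} xor D_K(C_i)
        prev = ct[i:i + 8]
    return unpad_with_count(b"".join(out))

def repeated_blocks(ct):
    """Ciphertext blocks that occur more than once: ECB leaks plaintext repeats this way."""
    blocks = [ct[i:i + 8] for i in range(0, len(ct), 8)]
    return len(blocks) - len(set(blocks))
```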
6.2 Block Cipher Modes of Operation: Cipher Feedback Mode (CFB)
[Figure: CFB encryption. A 64-bit shift register (64-j bits | j bits), initially C_0 = IV, is DES-encrypted under K; the leftmost j bits of the 64-bit output are selected (the other 64-j bits discarded) and XORed with the j-bit P_i to give C_i; C_i is shifted into the register for the next step, i = 1 .. M, with C_{M-1} feeding the last step]
6.2 Block Cipher Modes of Operation: Cipher Feedback Mode (CFB)
[Figure: CFB decryption. The same shift register (64-j bits | j bits), initially C_0 = IV, is DES-encrypted under K; the selected j bits are XORed with C_i to give P_i, and C_i is shifted into the register for the next step, i = 1 .. M]
6.2 Block Cipher Modes of Operation: Cipher Feedback Mode (CFB)
- Message is treated as a stream of bits, added to the output of the block cipher
- Standard allows any number of bits (1, 8, 64 or 128 etc.) to be fed back; denoted CFB-1, CFB-8, CFB-64, CFB-128
- Uses: stream data encryption, authentication
- Advantages and limitations of CFB:
  - appropriate when data arrives in bits/bytes; the most common stream mode
  - errors propagate for several blocks after the error
  - limitation is the need to stall while doing a block encryption after every n bits
6.2 Block Cipher Modes of Operation: Output Feedback Mode (OFB)
[Figure: OFB encryption. The shift register (64-j bits | j bits), initially O_0 = IV, is DES-encrypted under K; the selected j bits O_i are fed back into the register and XORed with P_i to give C_i, i = 1 .. M, with O_1, O_2, ..., O_{M-1} as the successive feedback values]
6.2 Block Cipher Modes of Operation: Output Feedback Mode (OFB)
[Figure: OFB decryption. The same register sequence O_0 = IV, O_1, O_2, ..., O_{M-1} is run through DES under K; the selected j bits are XORed with C_i to recover P_i, i = 1 .. M]
6.2 Block Cipher Modes of Operation: Output Feedback Mode (OFB)
- Message is treated as a stream of bits; the output of the cipher is added to the message
- Can be computed in advance
- C_i = P_i XOR O_i; O_i = DES_K(O_{i-1}); O_{-1} = IV
- Uses: stream encryption on noisy channels
- Advantages and limitations of OFB:
  - bit errors do not propagate
  - more vulnerable to message stream modification
  - sender & receiver must remain in sync
  - only full-block feedback (CFB-64, CFB-128) should ever be used
6.2 Block Cipher Modes of Operation: Counter Mode (CTR) (figure slide)
6.2 Block Cipher Modes of Operation: Counter Mode (CTR)
- A "new" mode; similar to OFB but encrypts a counter value rather than any feedback value
- Must have a different key & counter value for every plaintext block (never reused)
- C_i = P_i ⊕ O_i; O_i = DES_K(i)
- Uses: high-speed network encryption
- Advantages and limitations of CTR:
  - efficiency; random access to encrypted data blocks
  - provable security (as good as the other modes)
  - but must ensure key/counter values are never reused, otherwise could break (cf. OFB)
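Added example (not the slides' code) covering the OFB and CTR slides above: keystream precomputation, the OFB no-error-propagation property, CTR random access, and what goes wrong when a key/IV or key/counter pair is reused. Because OFB and CTR only run the block cipher forwards, a keyed SHA-256 truncation stands in for DES_K here (an assumption of this example, not DES); the nonce || i counter layout, key, IV and nonce values are also this example's choices.

```python
import hashlib

def E(key, block):
    """Forward-only stand-in for DES_K on 8-byte blocks (constructed from SHA-256; not DES).
    OFB and CTR only ever run the block cipher forwards, so no inverse is needed."""
    return hashlib.sha256(key + block).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_keystream(key, iv, nblocks):
    """O_i = E_K(O_{i-1}) with O_0 = IV; can be computed before the plaintext exists."""
    out, o = [], iv
    for _ in range(nblocks):
        o = E(key, o)
        out.append(o)
    return b"".join(out)

def ctr_block(key, nonce, i):
    """O_i = E_K(counter_i). The slide writes DES_K(i); here the counter block is nonce || i
    (4 + 4 bytes) so that counter values stay unique across messages under one key."""
    return E(key, nonce + i.to_bytes(4, "big"))

def ctr_keystream(key, nonce, nblocks):
    return b"".join(ctr_block(key, nonce, i) for i in range(nblocks))

def stream_crypt(keystream, data):
    """C_i = P_i xor O_i; decryption is the very same operation."""
    return xor(keystream, data)

def ofb_encrypt(key, iv, pt):
    return stream_crypt(ofb_keystream(key, iv, -(-len(pt) // 8)), pt)

def ctr_decrypt_block(key, nonce, ct, i):
    """Random access: recover plaintext block i without touching any other block."""
    return xor(ctr_block(key, nonce, i), ct[8 * i:8 * i + 8])

def flip_bit(data, bit):
    """Simulate a single transmission bit error."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)

def reuse_leak(ct1, ct2):
    """Two messages under the same key and IV/counter: ct1 xor ct2 = p1 xor p2, the keystream cancels."""
    return xor(ct1, ct2)
```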
6.3 Stream Ciphers and RC4: Stream Cipher Structure
- Process the message bit by bit (as a stream); have a pseudo-random keystream combined (XOR) with the plaintext bit by bit
- Randomness of the stream key completely destroys the statistical properties in the message
- C_i = M_i ⊕ StreamKey_i
- Some design considerations are:
  - long period with no repetitions
  - statistically random
  - depends on a large enough key
  - large linear complexity
- Properly designed, can be as secure as a block cipher with the same size key; but usually simpler & faster
6.3 Stream Ciphers and RC4: Stream Cipher Structure
[Fig. 6.8 Stream Cipher Diagram]
6.3 Stream Ciphers and RC4
Table 6.2 Speed Comparisons of Symmetric Ciphers on a Pentium II
  Cipher   Key Length   Speed (Mbps)
  DES      56           9
  3DES     168          3
  RC2      variable     0.9
  RC4      variable     45

The RC4 Algorithm
- RC4 is a stream cipher designed in 1987 by Ron Rivest; a proprietary cipher owned by RSA Security
- Variable key size (1 ~ 256 bytes); byte-oriented stream cipher
- Widely used (web SSL/TLS, wireless WEP)
- Key forms a random permutation of all 8-bit values
6.3 Stream Ciphers and RC4: Initialization of S
- Start with an array S of the numbers 0 ~ 255; use the key K (256 bytes) to well and truly shuffle S, which forms the internal state of the cipher
  for i = 0 to 255 do
      S[i] = i;
      T[i] = K[i mod keylen];
  j = 0;
  for i = 0 to 255 do
      j = (j + S[i] + T[i]) (mod 256);
      swap(S[i], S[j]);
6.3 Stream Ciphers and RC4: Stream Generation
- Encryption continues shuffling the array values
- The sum of the shuffled pair selects the "stream key" value from the permutation
- XOR S[t] with the next byte of the message to en/decrypt
  i = j = 0;
  for each message byte M_i
      i = (i + 1) (mod 256);
      j = (j + S[i]) (mod 256);
      swap(S[i], S[j]);
      t = (S[i] + S[j]) (mod 256);
      C_i = M_i ⊕ S[t];    // decrypt: M_i = C_i ⊕ S[t]
6.3 Stream Ciphers and RC4 (figure slide)
6.3 Stream Ciphers and RC4: Strength of RC4
- Claimed secure against known attacks; there are some analyses, none practical
- Result is very non-linear
- Since RC4 is a stream cipher, must never reuse a key
- There is a concern with WEP, but it is due to key handling rather than RC4 itself
Key Points
- Multiple encryption is a technique in which an encryption algorithm is used multiple times.
- Triple DES makes use of three stages of the DES algorithm, using a total of two or three distinct keys.
- A mode of operation is a technique for enhancing the effect of a cryptographic algorithm. Five modes of operation for symmetric block ciphers: (1) electronic codebook, (2) cipher block chaining mode, (3) cipher feedback mode, (4) output feedback mode, (5) counter mode.
- A stream cipher encrypts bit-by-bit or byte-by-byte; the most widely used such cipher is RC4.
Summary
- Triple-DES
- Modes of Operation: ECB, CBC, CFB, OFB, CTR
- Stream ciphers: RC4