Dept. of Computer Engineering, Information Security (source: read.pudn.com/downloads94/doc/374757/ch06.pdf)


Upload: hoangkhue

Post on 29-Apr-2018


Slide 152/181
Information Security Lab. Dept. of Computer Engineering

PART I Symmetric Ciphers
CHAPTER 6 More On Symmetric Cipher

6.1 Multiple Encryption and Triple DES

6.2 Block Cipher Modes of Operation

6.3 Stream Cipher and RC4

Slide 153/181

6.1 Multiple Encryption & Triple DES

Clearly a replacement for DES was needed:
- theoretical attacks that can break it
- demonstrated exhaustive key search attacks
AES is a new cipher alternative.
Prior to this, the alternative was to use multiple encryption with DES implementations: Triple-DES.

Double DES
Two encryption stages & two keys; key size: 112 bits
Encryption: C = E_K2(E_K1(P))
Decryption: P = D_K1(D_K2(C))

Slide 154/181

6.1 Multiple Encryption & Triple DES

Double DES

Slide 155/181

6.1 Multiple Encryption & Triple DES

Double DES
(1) Reduction to a Single Stage
E_K2(E_K1(P)) = C = E_K3(P)
If it were possible to find such a key K3, any number of stages of multiple encryption with DES would be useless, because the result would be equivalent to a single encryption with a single 56-bit key.

(2) Meet-in-the-Middle Attack
Since X = E_K1(P) = D_K2(C):
attack by encrypting P with all keys and storing the results, then decrypting C with all keys and matching the X value; can show this takes O(2^56) steps.

Slide 156/181

6.1 Multiple Encryption & Triple DES

Triple DES with Two Keys
C = E_K1(D_K2(E_K1(P)))
P = D_K1(E_K2(D_K1(C)))

Slide 157/181

6.1 Multiple Encryption & Triple DES

Triple DES with Two Keys
- Use 2 keys with the E-D-E sequence; if K1 = K2 then it can work with single DES
- Standardized in ANSI X9.17 & ISO 8732
- No currently known practical attacks (there is a known-plaintext attack)

Triple DES with Three Keys
- can use Triple-DES with three keys to avoid the known-plaintext attack
- C = E_K3(D_K2(E_K1(P)))
- has been adopted by some Internet applications, e.g. PGP, S/MIME

Slide 158/181

6.2 Block Cipher Modes of Operation

- Block ciphers encrypt fixed-size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key
- Need some way to en/decrypt arbitrary amounts of data in practice
- ANSI X3.106: Modes of Use (now FIPS 81) defined 4 possible modes in 1983; NIST defines 5 modes in Special Publication 800-38A
- Have block and stream modes
- Table 6.1 (Block Cipher Modes of Operation)

Slide 159/181

6.2 Block Cipher Modes of Operation

Slide 160/181

6.2 Block Cipher Modes of Operation
Electronic Codebook Mode (ECB)
- Message is broken into independent blocks which are encrypted; each block is encoded independently of the other blocks
- C_i = DES_K(P_i)
- Uses: secure transmission of single values
[Figure: ECB encryption. Time = 1 ... N: P_i -> DES encrypt (key K) -> C_i, each block on its own]

Slide 161/181

6.2 Block Cipher Modes of Operation
Electronic Codebook Mode (ECB)
Limitation of ECB mode: message repetitions may show in the ciphertext; the weakness is due to the encrypted message blocks being independent.
[Figure: ECB decryption. C_1 C_2 ... C_N -> DES decrypt (key K) -> P_1 P_2 ... P_N]

Slide 162/181

6.2 Block Cipher Modes of Operation
Cipher Block Chaining Mode (CBC)
Given a sequence P_1 P_2 P_3 ... of 64-bit plaintext blocks:
C_i = E_K(C_{i-1} ⊕ P_i), 1 ≤ i ≤ N, C_0 = IV
[Figure: CBC encryption. Time = 1 ... N: C_{i-1} ⊕ P_i -> DES encrypt (key K) -> C_i, starting from C_0 = IV]

Slide 163/181

6.2 Block Cipher Modes of Operation
Cipher Block Chaining Mode (CBC)
Given a sequence C_1 C_2 C_3 ... of 64-bit ciphertext blocks:
P_i = C_{i-1} ⊕ D_K(C_i), 1 ≤ i ≤ N, C_0 = IV
[Figure: CBC decryption. C_i -> DES decrypt (key K), XORed with C_{i-1} -> P_i, starting from C_0 = IV]

Slide 164/181

6.2 Block Cipher Modes of Operation
Cipher Block Chaining Mode (CBC)
- Each previous cipher block is chained with the current plaintext block
- Use an Initial Vector (IV) to start the process; it must be known to sender & receiver
- Uses: bulk data encryption, authentication
- At the end of the message must handle a possible last short block:
  - pad either with a known non-data value (e.g. nulls)
  - or pad the last block along with a count of the pad size, e.g. [b1 b2 b3 0 0 0 0 5] means 3 data bytes, then 5 bytes of pad + count
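Added example (not from the slides): the ECB and CBC equations above, with this slide's count-based padding, in Python over a hypothetical toy 64-bit Feistel cipher that stands in for DES_K (the standard library has no DES); repeated_blocks() exposes the ECB repetition leak that CBC hides, and unpad_with_count() rejects malformed padding. Key, IV and message values are constructed inputs.

```python
import hashlib
BLOCK = 8  # 64-bit blocks, as for DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Hypothetical stand-in for DES_K (NOT DES): 8-round Feistel on 64-bit blocks, round function =
    # 4 bytes of SHA-256 over key, round index, half block; with the final swap, reversed rounds invert it
    l, r = block[:4], block[4:]
    for rnd in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:  # E_K
    return _feistel(key, block, range(8))
def toy_decrypt_block(key: bytes, block: bytes) -> bytes:  # D_K
    return _feistel(key, block, reversed(range(8)))

def pad_with_count(data: bytes) -> bytes:
    # Slide's scheme: zero bytes, then a final byte holding the count of pad + count bytes
    n = BLOCK - len(data) % BLOCK
    return data + bytes(n - 1) + bytes([n])
def unpad_with_count(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or len(data) < n or any(data[-n:-1]):
        raise ValueError("bad padding")  # malformed count or non-zero pad bytes
    return data[:-n]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    msg = pad_with_count(msg)  # each block encrypted independently: equal P_i give equal C_i
    return b"".join(toy_encrypt_block(key, msg[i:i + BLOCK]) for i in range(0, len(msg), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    msg, out, prev = pad_with_count(msg), [], iv
    for i in range(0, len(msg), BLOCK):
        prev = toy_encrypt_block(key, _xor(prev, msg[i:i + BLOCK]))  # C_i = E_K(C_{i-1} xor P_i)
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(prev, toy_decrypt_block(key, ct[i:i + BLOCK])))  # P_i = C_{i-1} xor D_K(C_i)
        prev = ct[i:i + BLOCK]
    return unpad_with_count(b"".join(out))

def repeated_blocks(ct: bytes) -> int:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))  # duplicated ciphertext blocks: the ECB repetition leak
```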

Slide 165/181

6.2 Block Cipher Modes of Operation
Cipher Feedback Mode (CFB)
[Figure: CFB encryption. A 64-bit shift register (64-j bits | j bits), initially IV (C_0), feeds DES encrypt (key K); select j bits of the output, discard 64-j bits; C_i = P_i ⊕ selected j bits; C_{i-1} is shifted into the register for the next stage, for P_1 ... P_M]

Slide 166/181

6.2 Block Cipher Modes of Operation
Cipher Feedback Mode (CFB)
[Figure: CFB decryption. Same shift register and DES encrypt (key K) as for encryption; P_i = C_i ⊕ selected j bits, with the received C_{i-1} shifted into the register, for C_1 ... C_M]

Slide 167/181

6.2 Block Cipher Modes of Operation
Cipher Feedback Mode (CFB)
- Message is treated as a stream of bits, added to the output of the block cipher
- Standard allows any number of bits (1, 8, 64 or 128 etc.) to be fed back; denoted CFB-1, CFB-8, CFB-64, CFB-128
- Uses: stream data encryption, authentication

Advantages and Limitations of CFB
- appropriate when data arrives in bits/bytes; most common stream mode
- errors propagate for several blocks after the error
- limitation is the need to stall while doing a block encryption after every n bits

Slide 168/181

6.2 Block Cipher Modes of Operation
Output FeedBack Mode (OFB)
[Figure: OFB encryption. A 64-bit shift register (64-j bits | j bits), initially O_0 (IV), feeds DES encrypt (key K); select j bits, discard 64-j bits, giving O_i; C_i = P_i ⊕ O_i; the cipher output O_{i-1} (not the ciphertext) is fed back into the register, for P_1 ... P_M]

Slide 169/181

6.2 Block Cipher Modes of Operation
Output FeedBack Mode (OFB)
[Figure: OFB decryption. Same shift register structure keyed with K, producing O_1 O_2 ... O_{M-1} from O_0 (IV); P_i = C_i ⊕ O_i, for C_1 ... C_M]

Slide 170/181

6.2 Block Cipher Modes of Operation
Output FeedBack Mode (OFB)
- Message is treated as a stream of bits; the output of the cipher is added to the message
- Can be computed in advance
- C_i = P_i XOR O_i; O_i = DES_K(O_{i-1}); O_{-1} = IV
- Uses: stream encryption on noisy channels

Advantages and Limitations of OFB
- bit errors do not propagate
- more vulnerable to message stream modification
- sender & receiver must remain in sync
- only full block feedback (CFB-64, CFB-128) should ever be used

Slide 171/181

6.2 Block Cipher Modes of Operation
Counter Mode (CTR)

Slide 172/181

6.2 Block Cipher Modes of Operation
Counter Mode (CTR)
- a "new" mode; similar to OFB but encrypts a counter value rather than any feedback value
- must have a different key & counter value for every plaintext block (never reused)
- C_i = P_i ⊕ O_i; O_i = DES_K(i)
- Uses: high-speed network encryption

Advantages and Limitations of CTR
- efficiency; random access to encrypted data blocks
- provable security (as good as the other modes)
- but must ensure never to reuse key/counter values, otherwise it could break (cf. OFB)

Slide 173/181

6.3 Stream Ciphers and RC4
Stream Cipher Structure
- Process the message bit by bit (as a stream); have a pseudo-random keystream combined (XOR) with the plaintext bit by bit
- Randomness of the stream key completely destroys the statistical properties of the message
- C_i = M_i ⊕ StreamKey_i
- Some design considerations are:
  - long period with no repetitions
  - statistically random
  - depends on a large enough key
  - large linear complexity
- Properly designed, can be as secure as a block cipher with the same size key; but usually simpler & faster

Slide 174/181

6.3 Stream Ciphers and RC4
Fig. 6.8 Stream Cipher Diagram
Stream Cipher Structure

Slide 175/181

6.3 Stream Ciphers and RC4
Table 6.2 Speed Comparisons of Symmetric Ciphers on a Pentium II

Cipher | Key Length | Speed (Mbps)
DES    | 56         | 9
3DES   | 168        | 3
RC2    | variable   | 0.9
RC4    | variable   | 45

The RC4 Algorithm
- RC4 is a stream cipher designed in 1987 by Ron Rivest; a proprietary cipher owned by RSA Security
- Variable key size (1~256 bytes); byte-oriented stream cipher
- Widely used (web SSL/TLS, wireless WEP)
- Key forms a random permutation of all 8-bit values

Slide 176/181

6.3 Stream Ciphers and RC4
Initialization of S
- Starts with an array S of numbers 0 ~ 255
- Use key K (256 bytes) to well and truly shuffle S; S forms the internal state of the cipher

for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) (mod 256);
    swap(S[i], S[j]);

Slide 177/181

6.3 Stream Ciphers and RC4
Stream Generation
- Encryption continues shuffling the array values
- Sum of the shuffled pair selects the "stream key" value from the permutation
- XOR S[t] with the next byte of the message to en/decrypt

i = j = 0;
for each message byte M_i:
    i = (i + 1) (mod 256);
    j = (j + S[i]) (mod 256);
    swap(S[i], S[j]);
    t = (S[i] + S[j]) (mod 256);
    C_i = M_i ⊕ S[t];   // decrypt: M_i = C_i ⊕ S[t]
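Added example (not from the slides): the key-scheduling and stream-generation pseudocode of the two RC4 slides in Python, plus a check of why the "never reuse a key" rule on the Strength of RC4 slide holds; the key and messages are constructed inputs.

```python
def rc4_ksa(key: bytes) -> list:
    # Key scheduling (Initialization of S): identity permutation S shuffled under the key-expansion array T
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    t = [key[i % len(key)] for i in range(256)]  # T[i] = K[i mod keylen]
    j = 0
    for i in range(256):
        j = (j + s[i] + t[i]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key: bytes):
    # Stream generation: keep shuffling S and emit S[t] for each message byte
    s, i, j = rc4_ksa(key), 0, 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # One routine for both directions: C_i = M_i xor S[t] and M_i = C_i xor S[t]
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def reused_key_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    # Why a stream-cipher key must never be reused: two ciphertexts under the same keystream
    # XOR to the XOR of the two plaintexts, so the keystream cancels without knowing the key
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))
```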

Slide 178/181

6.3 Stream Ciphers and RC4

Slide 179/181

6.3 Stream Ciphers and RC4
Strength of RC4
- Claimed secure against known attacks; have some analyses, none practical
- Result is very non-linear
- Since RC4 is a stream cipher, must never reuse a key
- Have a concern with WEP, but due to key handling rather than RC4 itself

Slide 180/181

Key Point
- Multiple encryption is a technique in which an encryption is used multiple times.
- Triple DES makes use of three stages of the DES algorithm, using a total of two or three distinct keys.
- A mode of operation is a technique for enhancing the effect of a cryptographic algorithm. Five modes of operation for symmetric block ciphers: 1 electronic codebook, 2 cipher block chaining mode, 3 cipher feedback mode, 4 output feedback mode, 5 counter mode
- A stream cipher encrypts bit-by-bit or byte-by-byte; the most widely used such cipher is RC4

Slide 181/181

Summary
- Triple-DES
- Modes of Operation: ECB, CBC, CFB, OFB, CTR
- Stream ciphers: RC4