L3. An Introduction to Block Ciphers
Rocky K. C. Chang, 29 January 2015
(Lecture slides, transcribed from …comp444/2015-L3-Block ciphers.pdf)
Outline
Product and iterated ciphers
A simple substitution-permutation network
DES and AES
Modes of operation
Cipher block chaining
How to ensure message integrity?
How to increase the security of DES?
Affine cipher as a product cipher
Multiplicative Cipher:
Let M = C = Z26 = {0, 1, 2, …, 25}.
K = {a ∈ Z26 : gcd(a, 26) = 1} (12 keys).
E_K(m) = am mod 26.
D_K(c) = a^-1 c mod 26, where a^-1 is the multiplicative inverse of a modulo 26 (it exists exactly because gcd(a, 26) = 1).
Affine Cipher:
A key in the Shift Cipher is an element b in K = {0, 1, 2, …, 25}.
A key in the Multiplicative Cipher is an element a in Z26 such that gcd(a, 26) = 1.
Hence a key in the product of the Multiplicative Cipher and the Shift Cipher, which is the Affine Cipher, has the form (a, b), where
E_(a,b)(m) = (am + b) mod 26, and D_(a,b)(c) = a^-1 (c − b) mod 26.
The product has only 12 × 26 = 312 keys, still far too few to resist exhaustive search: two known plaintext/ciphertext letters pin the key down.
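The product construction above, written out as code. This is an added example and not code from the slides: it composes the multiplicative and shift ciphers over Z26 exactly as defined, enumerates the resulting key space, and runs the known-plaintext brute force that the tiny key space permits. The key (5, 8) and the sample text are my own choices.

```python
"""Affine cipher as the product of the multiplicative and shift ciphers over Z26."""
from math import gcd

MOD = 26


def mult_encrypt(a: int, m: int) -> int:
    """Multiplicative cipher E_a(m) = a*m mod 26; the key must be coprime to 26."""
    if gcd(a, MOD) != 1:
        raise ValueError(f"{a} is not a valid multiplicative key (not coprime to 26)")
    return (a * m) % MOD


def shift_encrypt(b: int, m: int) -> int:
    """Shift cipher E_b(m) = m + b mod 26."""
    return (m + b) % MOD


def affine_encrypt(a: int, b: int, m: int) -> int:
    """Product cipher: multiplicative cipher first, then the shift cipher."""
    return shift_encrypt(b, mult_encrypt(a, m))


def affine_decrypt(a: int, b: int, c: int) -> int:
    """Undo the shift, then multiply by a^-1 mod 26 (pow with exponent -1 needs Python 3.8+)."""
    a_inv = pow(a, -1, MOD)
    return (a_inv * (c - b)) % MOD


def affine_keys():
    """Every valid (a, b): 12 multiplicative keys times 26 shifts = 312 keys."""
    return [(a, b) for a in range(MOD) if gcd(a, MOD) == 1 for b in range(MOD)]


def recover_key(pairs):
    """Known-plaintext attack: all (a, b) consistent with the given (m, c) letter pairs."""
    return [(a, b) for a, b in affine_keys()
            if all(affine_encrypt(a, b, m) == c for m, c in pairs)]


def _map_text(text: str, fn) -> str:
    """Apply fn to each upper-case letter (A=0 ... Z=25); other characters pass through."""
    return "".join(chr(ord("A") + fn(ord(ch) - ord("A"))) if "A" <= ch <= "Z" else ch
                   for ch in text)


def encrypt_text(a: int, b: int, text: str) -> str:
    return _map_text(text, lambda m: affine_encrypt(a, b, m))


def decrypt_text(a: int, b: int, text: str) -> str:
    return _map_text(text, lambda c: affine_decrypt(a, b, c))


if __name__ == "__main__":
    # Constructed key (a, b) = (5, 8): HELLO encrypts to RCLLA.
    ct = encrypt_text(5, 8, "HELLO")
    print(ct, decrypt_text(5, 8, ct), len(affine_keys()))
    # Two known letter pairs (H->R, E->C) already identify the key.
    print(recover_key([(7, 17), (4, 2)]))
```

recover_key simply tries all 312 keys; with two letter pairs the system 7a + b = 17, 4a + b = 2 (mod 26) has the single solution (5, 8), which is the whole point of the slide: a product of two weak ciphers is still a weak cipher unless the key space grows.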
Iterated ciphers
Block ciphers today are product ciphers.
They involve a sequence of permutation (diffusion) and substitution (confusion) operations.
A common design is an iterated cipher consisting of a round function and a key schedule.
Encryption of a plaintext proceeds through N similar rounds.
The key K is used to construct the N round keys or subkeys K1, K2, …, KN.
Denote the round function as g(), which takes the current state and a subkey as inputs.
Encryption in an iterated cipher
K1, K2, …, KN are the subkeys derived from K.
The encryption operation:
w0 ← m
w1 ← g(w0, K1)
w2 ← g(w1, K2)
…
wN-1 ← g(wN-2, KN-1)
wN ← g(wN-1, KN)
c ← wN
Decryption in an iterated cipher
To decrypt c, we need a function g^-1() which performs the following:
wN ← c
wN-1 ← g^-1(wN, KN)
wN-2 ← g^-1(wN-1, KN-1)
…
w1 ← g^-1(w2, K2)
w0 ← g^-1(w1, K1)
m ← w0
By comparing the decryption and encryption operations, g^-1() has to satisfy
g^-1(g(w, y), y) = w for all states w and subkeys y,
i.e. for each fixed subkey the round function must be a bijection on the state.
A simple substitution-permutation network
(Figure: a 16-bit SPN. The plaintext enters at the top; each of four rounds XORs a round key K1..K4 into the state and passes the four nibbles through four S-boxes S, with a bit permutation between rounds; a final XOR with K5 produces the ciphertext.)
A simple substitution-permutation network
There are 4 "identical" rounds for encryption:
Each round uses a round key.
An initial key K generates the round keys according to a key schedule.
The figure has five round keys for four rounds: the last S-box layer is followed by a final XOR with K5 and no permutation (without that final key mixing, anyone could simply invert the last layer of substitutions).
Functions of the components:
In each of the long rectangular boxes, the 16 input bits are XORed with the round key (mixing the round key with the data).
The S-boxes perform 4-bit substitutions (providing nonlinearity).
They remove the linear algebraic structure: the operation of an S-box cannot be written as a linear equation over the input bits.
The output bits of the S-boxes are permuted (providing diffusion).
A one-bit change in the input affects more than one bit in the output, and after a few rounds every output bit depends on every input bit.
How is decryption performed? Run the same steps backwards: XOR K5, apply the inverse S-boxes, undo the permutation, XOR the previous round key, and so on down to K1. Every step is a bijection, so this always works; the inverse S-box and inverse permutation are the same tables looked up in the other direction.
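The SPN of the figure, implemented end to end, as an added example (not the slides' code). The shape follows the figure: four rounds of key mixing, four 4-bit S-boxes and a bit permutation, with the permutation dropped in the last round and a fifth round key mixed in at the end. The S-box table, the "transpose" permutation and the way round keys are handed in as a list (the key schedule is left out) are my own choices; the decryption routine answers the question above by running each step in reverse.

```python
"""A 16-bit substitution-permutation network with four rounds and five round keys."""

# 4-bit S-box (a permutation of 0..15) and its inverse, used for decryption.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(v) for v in range(16)]

# Bit permutation: input bit i (0 = least significant) moves to position PERM[i].
# It is the 4x4 "transpose": output bit j of S-box k feeds S-box j in the next round,
# so a one-bit change reaches every S-box after a single round (diffusion).
PERM = [(i % 4) * 4 + i // 4 for i in range(16)]
PERM_INV = [PERM.index(p) for p in range(16)]

NROUNDS = 4


def substitute(state: int, box) -> int:
    """Apply the 4-bit S-box (or its inverse) to each nibble of the 16-bit state."""
    out = 0
    for nibble in range(4):
        out |= box[(state >> (4 * nibble)) & 0xF] << (4 * nibble)
    return out


def permute(state: int, perm) -> int:
    """Move bit i of the state to position perm[i]."""
    out = 0
    for i in range(16):
        if state >> i & 1:
            out |= 1 << perm[i]
    return out


def spn_encrypt(plaintext: int, round_keys) -> int:
    """round_keys: five 16-bit values K1..K5 (constructed; a real cipher derives them from K).
    Rounds 1-3: key mix, substitute, permute.  Round 4: key mix, substitute, then mix in K5."""
    assert len(round_keys) == NROUNDS + 1
    w = plaintext & 0xFFFF
    for r in range(NROUNDS - 1):
        w ^= round_keys[r]
        w = substitute(w, SBOX)
        w = permute(w, PERM)
    w ^= round_keys[NROUNDS - 1]
    w = substitute(w, SBOX)
    return w ^ round_keys[NROUNDS]


def spn_decrypt(ciphertext: int, round_keys) -> int:
    """Every step backwards: inverse S-box, inverse permutation, round keys in reverse order."""
    w = ciphertext ^ round_keys[NROUNDS]
    w = substitute(w, SBOX_INV)
    w ^= round_keys[NROUNDS - 1]
    for r in range(NROUNDS - 2, -1, -1):
        w = permute(w, PERM_INV)
        w = substitute(w, SBOX_INV)
        w ^= round_keys[r]
    return w


def avalanche(round_keys, x: int, bit: int) -> int:
    """Diffusion check: how many ciphertext bits change when one plaintext bit is flipped."""
    return bin(spn_encrypt(x, round_keys) ^ spn_encrypt(x ^ (1 << bit), round_keys)).count("1")


if __name__ == "__main__":
    keys = [0x3A94, 0xD2C1, 0x8F4E, 0x71B0, 0xC6E5]   # constructed round keys K1..K5
    c = spn_encrypt(0x1234, keys)
    assert spn_decrypt(c, keys) == 0x1234
    print(hex(c), "bits changed by flipping plaintext bit 0:", avalanche(keys, 0x1234, 0))
```

Note that SBOX_INV and PERM_INV are computed from the forward tables rather than typed in: any bijective S-box or bit permutation can be inverted this way, which is exactly why an SPN is decryptable even though neither layer is its own inverse.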
Threats
In a known-plaintext attack, one can always launch a brute-force (exhaustive key search) attack: try every key on a known pair until the ciphertext matches.
A brute-force attack should not be regarded as a "real" attack on the design: the cipher designers have anticipated it (by choosing the key length), and hope that this is the only way to attack the cipher.
Linear and differential cryptanalysis are the two best-known generic attacks on iterated ciphers.
Linear cryptanalysis (a known-plaintext attack): find a linear relationship between some plaintext bits, some ciphertext or state bits and some key bits that holds with probability noticeably different from 1/2, then use many known pairs to vote for the key bits.
Differential cryptanalysis (a chosen-plaintext attack): choose pairs of plaintexts with a fixed XOR difference and track how that difference propagates through the rounds with some probability; the last-round key bits under which the predicted difference shows up most often are the correct ones.
The Data Encryption Standard (DES)
DES overview
DES is a special type of iterated cipher called a Feistel cipher.
Input to DES: 64-bit blocks of plaintext.
DES uses a 64-bit key of which 8 bits are parity bits, so the effective key length is 56 bits.
Output from DES: 64-bit blocks of ciphertext.
Encryption algorithm:
Apply an initial permutation (IP) to the input block.
Iterate 16 rounds of operations with subkeys (k1, k2, …, k16).
The subkeys are generated from the key K according to a key schedule.
The result from round 16 is input to the inverse of IP (IP^-1).
DES encryption
(Figure: initial permutation, then rounds 1 to 16, each fed a subkey derived from the 56-bit key, then the final permutation.)
The permutations
The initial permutation:
(L0, R0) ← IP(input block), where
L0 and R0 are the left and right blocks (32 bits each), and
IP is a fixed function (a fixed bit permutation, independent of the key).
The final permutation:
Output block ← IP^-1(R16, L16): the halves from round 16 are swapped, then IP^-1 is applied.
IP^-1 cancels the effect of IP.
Why permute?
The permutations do not enhance the security.
Why?
Take a modified DES that does not have the permutations (call it EDS).
If we can break EDS (discover the key), we can also break DES:
Given a DES pair <m, c>, set m' ← IP(m), and c' ← IP(c) with the left and right halves swapped.
Feed (m', c') to our EDS-breaking code; the key it recovers is the DES key, because (m', c') is exactly a plaintext/ciphertext pair of EDS under that key.
IP and IP^-1 are fixed, public bit rearrangements that the attacker can apply and undo at will, so they neither add nor cost any security.
In each round
Perform for round i = 1, 2, …, 16 (Feistel cipher):
Li ← Ri-1
Ri ← Li-1 ⊕ f(Ri-1, ki), where
ki is the 48-bit per-round key for round i,
Li-1 and Ri-1 are the left and right blocks resulting from the (i-1)th round, and
f is called the S-box function (or mangler function): it expands the 32-bit Ri-1 to 48 bits, XORs it with ki, and compresses the result back to 32 bits through eight S-boxes and a permutation.
Note that only half of the block is transformed per round, and f is never inverted, so f need not be a bijection.
The swapping operation is a simple permutation cipher.
The per-round keys are generated from K by the key schedule.
Feistel cipher encryption for round i
(Figure: Li-1 and Ri-1 enter; Ri-1 is copied to Li and also fed, together with ki, into f, whose output is XORed with Li-1 to give Ri.)
Mangler function
(Figure: the DES mangler function f, taken from the Wikipedia DES infobox diagram cited in the acknowledgments.)
Feistel cipher decryption for round i
(Figure: the same structure run from (Li, Ri) back to (Li-1, Ri-1): Ri-1 = Li and Li-1 = Ri ⊕ f(Li, ki).)
DES decryption
Decryption algorithm:
Apply IP to the ciphertext block; since c = IP^-1(R16, L16), this yields (R16, L16), i.e. the round-16 halves already swapped.
Iterate the same 16 rounds of operations with the keys in reverse order (k16, k15, …, k1): the round with k16 turns (R16, L16) into (R15, L15), because R15 = L16 and L15 = R16 ⊕ f(R15, k16) = R16 ⊕ f(L16, k16), and so on down to (R0, L0).
Swap the left and right 32-bit blocks of the result from the last round, giving (L0, R0).
The output goes through IP^-1 to obtain the plaintext block.
Decryption requires exactly the same set of operations as encryption: it is the encryption routine run with the subkeys in reverse order, which is what makes the Feistel structure so convenient to implement, especially in hardware.
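The DES structure of the last few slides as running code, added here as an example and not taken from the slides. The round function f, the key schedule and the permutation IP are constructed stand-ins (a SHA-256 based f, subkeys hashed from the key, and the bit map i → 37i mod 64 in place of DES's IP table); what the code demonstrates is structural and holds for the real DES as well: decryption is the encryption routine with the subkeys reversed, f is never inverted, and the "why permute?" reduction of a DES pair to an EDS pair.

```python
"""A DES-shaped Feistel cipher: IP, 16 rounds, swap, IP^-1, with constructed f/IP/key schedule."""
import hashlib

MASK32 = 0xFFFFFFFF
NROUNDS = 16

# Stand-in for DES's IP: bit i moves to bit (37*i) mod 64 (37 is coprime to 64, so a bijection).
IP = [(37 * i) % 64 for i in range(64)]
IP_INV = [IP.index(j) for j in range(64)]


def permute64(x: int, perm) -> int:
    out = 0
    for i in range(64):
        if x >> i & 1:
            out |= 1 << perm[i]
    return out


def key_schedule(key: bytes):
    """Sixteen 48-bit subkeys (constructed schedule: hash of key || round number)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:6], "big")
            for i in range(NROUNDS)]


def f(r: int, k: int) -> int:
    """Mangler stand-in: a non-invertible function of the 32-bit right half and a 48-bit subkey."""
    data = r.to_bytes(4, "big") + k.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel_rounds(block: int, subkeys) -> int:
    """The 16 rounds only: (L0, R0) -> (L16, R16), left half in the high 32 bits."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)      # Li = Ri-1, Ri = Li-1 xor f(Ri-1, ki)
    return (left << 32) | right


def swap(block: int) -> int:
    return ((block & MASK32) << 32) | (block >> 32)


def des_like(block: int, subkeys) -> int:
    """Full cipher: IP, 16 rounds, swap halves, IP^-1, i.e. output = IP^-1(R16, L16)."""
    return permute64(swap(feistel_rounds(permute64(block, IP), subkeys)), IP_INV)


def encrypt(block: int, key: bytes) -> int:
    return des_like(block, key_schedule(key))


def decrypt(block: int, key: bytes) -> int:
    """The same routine with the subkeys reversed; the swap and IP/IP^-1 undo themselves."""
    return des_like(block, list(reversed(key_schedule(key))))


def eds(block: int, subkeys) -> int:
    """'EDS' of the slides: DES without the permutations and without the final swap."""
    return feistel_rounds(block, subkeys)


if __name__ == "__main__":
    key, m = b"constructed-key!", 0x0123456789ABCDEF
    c = encrypt(m, key)
    assert decrypt(c, key) == m
    # Why the permutations add nothing: (IP(m), swap(IP(c))) is an EDS plaintext/ciphertext pair.
    assert eds(permute64(m, IP), key_schedule(key)) == swap(permute64(c, IP))
    print(hex(c))
```

The EDS assertion is the slide's reduction verbatim: IP(c) = swap(rounds(IP(m))), so swapping the halves of IP(c) gives rounds(IP(m)), which is what EDS produces on input IP(m). Any key-recovery code written for the permutation-free cipher therefore works on DES unchanged.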
The security of DES
There are 16 keys to avoid: 4 weak keys (for which encryption and decryption coincide) and 12 semi-weak keys (which come in pairs where one undoes the other).
The main critique of DES: a relatively short key length (56 bits).
It has been "cracked" many times:
Linear cryptanalysis: 2^43 known plaintext-ciphertext pairs and 40 days of computation (Matsui, 1994).
Brute force: e.g., the EFF's special-purpose machine recovered a key in 56 hours in 1998.
The Advanced Encryption Standard (AES)
The AES initiative
Unlike DES, an open call for AES algorithms was made in Sept. 1997.
The requirements:
An unclassified, publicly disclosed symmetric-key encryption algorithm.
It must support (at a minimum) a block size of 128 bits and key sizes of 128, 192 and 256 bits.
It should have a strength at the level of 3DES, but be more efficient than 3DES.
The algorithm, if selected, must be available royalty-free, worldwide.
The AES candidates
1. CAST-256 by Entrust Technologies, Inc.
2. CRYPTON by Future Systems, Inc.
3. DEAL by Ecole Normale Superieure
4. E2 by NTT
5. FROG by TecApro Internacional S.A.
6. HPC by Rich Schroeppel
7. LOKI97 by L. Brown, J. Pieprzyk, and J. Seberry
8. MAGENTA by Deutsche Telekom AG
9. MARS by IBM
10. RC6 by the RSA Laboratories
11. Rijndael by J. Daemen and V. Rijmen
12. Serpent by R. Anderson, E. Biham, and L. Knudsen
13. Twofish by B. Schneier, et al.
The finalists
1. MARS by IBM
2. RC6 by RSA Laboratories
3. RIJNDAEL (pronounced roughly "Rhine Dahl") by J. Daemen and V. Rijmen
Supports different combinations of block sizes (128, 160, 192, 224, 256) and key sizes (128, 192, 256)
http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf
4. SERPENT by R. Anderson, E. Biham, and L. Knudsen
5. TWOFISH by B. Schneier, et al.
The AES algorithm
DES is based on a Feistel network; AES is a substitution-permutation network.
The AES algorithm is an iterated cipher, similar in structure to the simple substitution-permutation network above. The number of rounds depends on the key length: N = 10 for a 128-bit key, 12 for a 192-bit key and 14 for a 256-bit key.
Each round provides:
Subkey mixing (AddRoundKey, an XOR)
Substitution (SubBytes, one fixed 8-bit S-box applied to each byte of the 16-byte state)
Diffusion (ShiftRows, a byte permutation, and MixColumns, a linear mixing of each 4-byte column; the last round omits MixColumns)
Is AES broken? http://www.theregister.co.uk/2011/08/19/aes_crypto_attack/ reports the 2011 biclique attack, which recovers an AES-128 key in about 2^126 operations instead of 2^128. That is a theoretical result roughly four times faster than brute force, not a practical break: AES remains the standard.
AES with 128 bits
(Figure: block diagram of AES-128, taken from the GIAC paper cited in the acknowledgments.)
The modes of operation
A simple electronic code book (ECB)
Break the message into blocks of the cipher's block size (64 bits for DES, 128 bits for AES) and pad the last one, if necessary.
How does the receiver know about the padding? (The padding scheme has to be agreed in advance; see CBC padding below.)
Encrypt/decrypt each block independently with the secret key.
Disadvantages:
Identical plaintext blocks give identical ciphertext blocks, so patterns in the plaintext show through.
An attacker may rearrange, delete, replay or modify blocks without the receiver knowing about it.
(Figure, ECB: plaintext blocks m1..m4 each pass through E independently to give c1..c4.)
An improved approach
Generate a 64-bit random number ri for each plaintext block mi.
Compute mi ⊕ ri and then encrypt the result.
Send out the ciphertext and the ri's.
This solves the problem of identical ciphertext blocks.
Disadvantages:
It sends out twice the amount of information.
An attacker can still remove, swap or modify blocks without the receiver knowing about it (each block is still independent of the others).
(Figure, the "improved" approach: each mi is XORed with its own ri before E; the transmission is r1, c1, r2, c2, r3, c3, r4, c4.)
Cipher block chaining (CBC)
CBC uses ci as ri+1 (the ith ciphertext block serves as the (i+1)th "random number").
CBC encryption:
c0 ← IV
ci ← E(mi ⊕ ci-1) for i > 0
CBC decryption:
c0 ← IV
mi ← D(ci) ⊕ ci-1 for i > 0
Benefits of CBC
Removes the need for sending all the random numbers except the first.
The first random number is known as an initialization vector (IV).
CBC solves the identical ciphertext block problem:
Each ciphertext block depends on the corresponding plaintext block and on all the previous blocks.
Without an IV (or with a fixed one), two messages with the same beginning encrypt identically up to the first difference.
An unpredictable (randomly chosen) IV is also what makes CBC resist chosen-plaintext attacks: if an attacker can predict the next IV, he can submit a plaintext block chosen so that the value fed to E equals a guess for some earlier block, and confirm the guess by comparing ciphertexts.
CBC encryption
(Figure: IV and m1..m4 in; each mi is XORed with the previous ciphertext block (c0 = IV) and passed through E to give ci.)
CBC decryption
(Figure: IV and c1..c4 in; each ci goes through D and the result is XORed with ci-1 to give mi.)
Security problems of CBC
An attacker can append blocks to the end of an encrypted message without being detected.
The receiver therefore needs to know where the message ends (an explicit length or a terminator inside the plaintext).
If a bit is inserted into or lost from the ciphertext stream, all subsequent blocks are shifted one bit out of position and decrypt to garbage.
The block structure therefore has to be kept intact by the transport.
Security problems of CBC
An attacker can alter a ciphertext block to introduce controlled changes.
E.g., if bit 3 of ci is modified:
Since mi+1 = D(ci+1) ⊕ ci, bit 3 of mi+1 is also flipped, and nothing else in mi+1 changes (deterministic).
Since mi = D(ci) ⊕ ci-1, and D of the altered block is unrelated to D(ci), mi is replaced by 64 random-looking bits (nondeterministic).
Can this modification be detected by the receiver? Not by CBC itself: decryption checks nothing, it just yields a garbled mi that could equally be a transmission error. Detecting it needs a MAC (see the section on message integrity).
CBC padding
A message has to be padded to an integral number of blocks before encryption.
For example, in the PKCS#7 scheme (RFC 5652, Section 6.3): if k bytes are needed to fill the last block (1 ≤ k ≤ block size), append k bytes each of value k; a message that already fills the last block gets a whole extra block of padding, so the receiver can always strip the padding unambiguously by reading the last byte.
Vulnerabilities of CBC padding
The final decrypted block should end with one of the byte strings below:
0x01
0x02 0x02
0x03 0x03 0x03
0x04 0x04 0x04 0x04
...
A receiver that checks this and reveals the outcome (a distinct error message, a different response time) acts as a padding oracle.
In workshop one, you will be asked to decrypt a message using the knowledge of the CBC padding scheme and such an oracle:
Padding oracle attack: by submitting ci preceded by a forged block and watching whether the padding check passes, the attacker learns D(ci) one byte at a time (about 256 queries per byte) and hence mi = D(ci) ⊕ ci-1, without any knowledge of the key.
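CBC encryption and decryption as defined on the CBC slide, the controlled bit flip of the "security problems" slide, PKCS#7 padding, and the padding oracle attack of the workshop, all in one added example that is not the slides' code. The 8-byte block cipher E/D is a constructed toy (a keyed 64-bit mixing permutation, chosen only so that the example runs offline without a crypto library); it stands in for DES or AES and must not be used for anything real. The attack itself treats E/D as a black box and needs nothing but the oracle's yes/no answers.

```python
"""CBC, PKCS#7 padding, the controlled bit flip and the padding oracle attack."""
import hashlib

BLOCK = 8
MASK64 = (1 << 64) - 1
C1, C2 = 0xBF58476D1CE4E5B9, 0x94D049BB133111EB
C1_INV, C2_INV = pow(C1, -1, 1 << 64), pow(C2, -1, 1 << 64)

def _unxorshift(y, s):            # invert x ^ (x >> s): each pass recovers s more bits from the top
    x = y
    for _ in range(64 // s + 1):
        x = y ^ (x >> s)
    return x

def _mix(z):                      # a 64-bit bijection (splitmix64-style finaliser)
    z = ((z ^ (z >> 30)) * C1) & MASK64
    z = ((z ^ (z >> 27)) * C2) & MASK64
    return z ^ (z >> 31)

def _unmix(z):
    z = _unxorshift((_unxorshift(z, 31) * C2_INV) & MASK64, 27)
    return _unxorshift((z * C1_INV) & MASK64, 30)

def _subkeys(key):                # three 64-bit whitening keys derived from the key (constructed)
    d = hashlib.sha256(b"toy-block-cipher" + key).digest()
    return [int.from_bytes(d[i:i + 8], "big") for i in (0, 8, 16)]

def E(key, block):                # toy block cipher: key XOR, mix, key XOR, mix, key XOR
    k0, k1, k2 = _subkeys(key)
    return (_mix(_mix(int.from_bytes(block, "big") ^ k0) ^ k1) ^ k2).to_bytes(BLOCK, "big")

def D(key, block):
    k0, k1, k2 = _subkeys(key)
    return (_unmix(_unmix(int.from_bytes(block, "big") ^ k2) ^ k1) ^ k0).to_bytes(BLOCK, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(msg):                     # PKCS#7: n bytes of value n, 1 <= n <= BLOCK
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    """c0 = IV, ci = E(mi xor ci-1); returns IV || c1 || ... || cn."""
    out = [iv]
    for i in range(0, len(padded), BLOCK):
        out.append(E(key, xor(padded[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, data):
    """mi = D(ci) xor ci-1, with c0 = IV read from the front of the data."""
    c = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(xor(D(key, c[i]), c[i - 1]) for i in range(1, len(c)))

def flip_next_block(data, block_index, offset, delta):
    """XOR byte `offset` of c[block_index] (c[0] is the IV): the same XOR lands on m[block_index+1]."""
    pos = block_index * BLOCK + offset
    return data[:pos] + bytes([data[pos] ^ delta]) + data[pos + 1:]

def make_oracle(key):             # what a careless receiver leaks: was the padding valid?
    def oracle(data):
        try:
            unpad(cbc_decrypt(key, data))
            return True
        except ValueError:
            return False
    return oracle

def padding_oracle_attack(oracle, data):
    """Recover the plaintext of IV||c1..cn from padding-valid/invalid answers alone: learn D(ci)
    byte by byte from the right by forging the block in front of ci so the tail reads 01, 02 02, ..."""
    c = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plaintext = b""
    for i in range(1, len(c)):
        dec = bytearray(BLOCK)                           # D(c[i]), filled in from the right
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = dec[j] ^ padval              # known bytes are made to decrypt to padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + c[i]):
                    continue
                if pos == BLOCK - 1:                     # rule out a lucky "02 02" (or longer) ending
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged) + c[i]):
                        continue
                dec[pos] = guess ^ padval
                break
        plaintext += xor(bytes(dec), c[i - 1])
    return unpad(plaintext)
```

Usage: ct = cbc_encrypt(key, iv, pad(msg)) on the sender's side; padding_oracle_attack(make_oracle(key), ct) on the attacker's side returns msg without ever touching key, because make_oracle only answers "valid padding or not". The flip_next_block helper reproduces the slide: flipping a byte of the IV changes the same byte of m1 and nothing else, while flipping a byte of c1 changes that byte of m2 and turns all of m1 into garbage.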
How to ensure message integrity?
Generating MACs for unencrypted messages
As usual, compute the CBC for the message, with an IV fixed in advance (conventionally the all-zero block) and the shared key.
Send out the plaintext with the last ciphertext block (the CBC residue) as the MAC.
The receiver verifies whether the plaintext + CBC residue has been modified by computing the CBC for the received message and comparing the last ciphertext block with the MAC.
Two caveats: the IV must not travel with the message (an attacker who can change the IV can change m1 by the same XOR without affecting the residue), and the residue is a secure MAC only for messages of one fixed length; with variable lengths, an attacker who has seen a message and its residue can extend the message and compute the new residue himself.
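The CBC residue as a MAC, plus the two failure modes just mentioned, as an added example that is not the slides' code. Because CBC-MAC only ever runs the cipher forwards, E is replaced here by a keyed one-way function built from SHA-256 (a stand-in for E_K; no decryption is needed); the forgeries below work against any block cipher used this way.

```python
"""CBC residue as a MAC; the length-extension and moved-IV forgeries."""
import hashlib
import hmac

BLOCK = 8

def E(key, block):                # stand-in for E_K on one 8-byte block (constructed)
    return hashlib.sha256(b"cbcmac-standin" + key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_residue(key, msg, iv=bytes(BLOCK)):
    """Run CBC over the whole-block message and keep only the last ciphertext block."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    c = iv
    for i in range(0, len(msg), BLOCK):
        c = E(key, xor(msg[i:i + BLOCK], c))
    return c

def verify(key, msg, tag):
    """Receiver: recompute the residue with the fixed zero IV and compare in constant time."""
    return hmac.compare_digest(cbc_residue(key, msg), tag)

def forge_by_extension(msg, tag):
    """No key needed: residue(msg || (m1 xor tag) || m2 .. mn) == residue(msg) == tag.  The chain
    restarts at `tag`; XORing m1 with it cancels the tag, so the state returns to where the original
    message began and the last n-1 blocks replay the original computation.  This is why the residue
    is a MAC only for messages of one fixed length."""
    return msg + xor(msg[:BLOCK], tag) + msg[BLOCK:]

def forge_by_moving_iv(iv, msg, new_first_block):
    """If the IV is sent with the message, m1 can be replaced by anything provided the IV is
    adjusted so that m1 xor iv is unchanged: iv' = iv xor m1 xor m1'.  Returns (iv', msg')."""
    return xor(xor(iv, msg[:BLOCK]), new_first_block), new_first_block + msg[BLOCK:]
```

Both forgeries leave verify() happy, which is the reason practical CBC-MAC variants (CMAC, or encrypting the final residue under a second key) exist: the plain residue from the slide is sound only for fixed-length messages with a fixed, agreed IV.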
(Figure: CBC run over m1..m4 with the IV; c1, c2 and c3 are discarded and only the final block, the residue, is sent along with the plaintext.)
Both secrecy and message integrity
Proposal 1? (Figure: CBC-encrypt m1..m4 to c1..c4 and send the CBC residue as the MAC. Since the residue is c4 itself, sending it again gives the receiver nothing to check.)
Proposal 2? (Figure: CBC-encrypt to c1..c4, then pass c4 through E once more to produce a fifth block c5, which is sent as the MAC.)
Proposal 3? (Figure: append a CRC of the message as an extra plaintext block, CBC-encrypt everything, and send the resulting ciphertext, one block longer, with the encrypted CRC serving as the integrity check.)
How to increase the security of DES?
Multiple encryption DES
Triple DES (3DES or EDE) using 2 keys:
Encrypt (or decrypt) a plaintext with k1, then decrypt (or encrypt) with k2, then encrypt (or decrypt) with k1 again.
Encryption: c = E_k1(D_k2(E_k1(m)))
Decryption: m = D_k1(E_k2(D_k1(c)))
The decryption in the middle is what gives backward compatibility: with k1 = k2 the first two steps cancel and EDE reduces to single DES.
With two independent keys the key is 112 bits, which takes brute force out of reach, at three times the cost of DES.
EDE with CBC on the outside
(Figure: one CBC chain wraps the whole triple operation: each mi is XORed with ci-1 (c0 = IV) and the result goes through E with k1, D with k2 and E with k1 to give ci.)
Design issues
How many encryptions?
How many keys?
Order of encryption and decryption?
EEE, DDD, EDE, DED
CBC on the outside (one CBC chain around the triple operation) vs. on the inside (each of the three single-DES stages run in its own CBC chain)?
Summary
Modern block ciphers are iterated ciphers:
Based on multiple rounds of substitutions and permutations.
Subject to linear and differential cryptanalysis, and to brute-force attacks.
Examined DES, including its operations and special properties.
Examined the operational issues for block ciphers, e.g.:
Variable-length messages (modes of operation and padding)
Attacks on CBC
Message integrity
Increasing DES security (triple DES)
Acknowledgments
The notes are prepared mostly based on:
D. Stinson, Cryptography: Theory and Practice, Second Edition, Chapman & Hall/CRC, 2002.
C. Kaufman, R. Perlman and M. Speciner, Network Security: Private Communication in a Public World, Second Edition, Prentice Hall PTR, 2002.
W. Mao, Modern Cryptography: Theory and Practice, Prentice Hall, 2004.
B. Schneier, Applied Cryptography, Second Edition, Wiley, 1996.
The Mangler function figure is taken from http://en.wikipedia.org/wiki/File:Data_Encryption_Standard_InfoBox_Diagram.png.
The AES block diagram is taken from http://www.giac.org/cissp-papers/42.pdf.
Other references:
AES homepage: http://csrc.nist.gov/archive/aes/index.html
Wiki: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard