modern block ciphers cse 651: introduction to network security
TRANSCRIPT
Modern Block Ciphers
CSE 651: Introduction to Network Security
Summary
• Block Ciphers (Chapter 3)
• Feistel Cipher Structure (Chapter 3)
• DES: Data Encryption Standard (Ch. 3)
• 3DES (Ch 6.1)
• AES: Advanced Encryption Standard (Ch. 5.2)
2
Monoalphabetic Substitution Cipher
• Shuffle the letters and map each plaintext letter to a different random ciphertext letter:
Plain letters: abcdefghijklmnopqrstuvwxyzCipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
• What does a key look like?
3
Playfair Key Matrix
• Use a 5 x 5 matrix.
• Fill in letters of the key (w/o duplicates).
• Fill the rest of matrix with other letters.
• E.g., key = MONARCHY.
MM OO NN AA RR
CC HH YY BB DD
EE FF GG I/JI/J KK
LL PP QQ SS TT
UU VV WW XX ZZ
4
Vigenère Cipher
• Simplest polyalphabetic substitution cipher• Consider the set of all Caesar ciphers:
{ Ca, Cb, Cc, ..., Cz }• Key: e.g. security• Encrypt each letter using Cs, Ce, Cc, Cu, Cr,
Ci, Ct, Cy in turn. • Repeat from start after Cy. • Decryption simply works in reverse.
5
Basic idea of modern block ciphers
• From classical ciphers, we learn two techniques that may improve security:– Encrypt multiple letters at a time– Use multiple ciphertext alphabets (Polyalphabetic
ciphers)
• Combining these two techniques– encrypt eight (or more) letters at a time
• called a block cipher
– and use an extremely large number of ciphertext alphabets
• will be called modes of operation
1
Block Ciphers
• In general, a block cipher replaces a block of N plaintext bits with a block of N ciphertext bits. (E.g., N = 64 or 128.)
• A block cipher is a monoalphabetic cipher.• Each block may be viewed as a gigantic character.• The “alphabet” consists of 2N gigantic characters.• Each particular cipher is a one-to-one mapping from the
plaintext “alphabet” to the ciphertext “alphabet”.• There are 2N! such mappings.• A secret key indicates which mapping to use.
7
Ideal Block Cipher
• An ideal block cipher would allow us to use any of these 2N! mappings.
– The key space would be extremely large.
• But this would require a key of log2(2N!) bits.
• If N = 64,
log2(2N!) ≈ N x 2N ≈ 1021 bits ≈ 1011 GB.
• Infeasible!8
Practical Block Ciphers
• Modern block ciphers use a key of K bits to specify a random subset of 2K mappings.
• If K ≈ N, – 2K is much smaller than 2N!
– But is still very large.
• If the selection of the 2K mappings is random, the resulting cipher will be a good approximation of the ideal block cipher.
• Horst Feistel, in1970s, proposed a method to achieve this.
9
The Feistel Cipher Structure
• Input: a data block and a key• Partition the data block into two halves L and
R.• Go through a number of rounds.• In each round,
– R does not change.
– L goes through an operation that depends on R
and a round key derived from the key.
10
The Feistel Cipher Structure
i
Round i
+
f
Li-1 Ri-1
ki
Li Ri
Mathematical Description of Round i
13
1 1
1
1 1
1
Let and be the input of round , and
and the output.
We have
:
( , )
:
:
( , )
Or, (
i i
i i
i i
i i
i
i
i i
i
iL R
L R i
L R
L
L
R
R L F R K
1
1 1
, where
: ( , ) ( , ).
: ( , ) ( , ).
Not
,
e
)
that and .
( , )i
i
i
i
i
x y y
x y y x
x F y k
R
Feistel Cipher
14
16 2 1
1 1 1 11 2 1
Goes through a number of rounds, say 16 rounds.
A Feistel cipher encrypts a plaintext block as:
: E ( ) : ( )
The decryption will be:
D ( )
k
k
m
c m m
c
11 16
1 2 16
( )
( )
The descryption algorithm is the same as the
encryption algorithm, but uses round keys in the
reverse order.
c
c
DES: The Data Encryption Standard
• Most widely used block cipher in the world. • Adopted by NIST in 1977.• Based on the Feistel cipher structure with 16
rounds of processing.• Block = 64 bits• Key = 56 bits • What is specific to DES is the design of the F
function and how round keys are derived from the main key.
15
Design Principles of DES
• To achieve high degree of diffusion and confusion.
• Diffusion: making each plaintext bit affect as many ciphertext bits as possible.
• Confusion: making the relationship between the encryption key and the ciphertext as complex as possible.
1
DES Encryption Overview
Round Keys Generation
• Main key: 64 bits.• 56-bits are selected and permuted using Permuted
Choice One (PC1); and then divided into two 28-bit halves.
• In each round:
– Left-rotate each half separately by either 1 or 2 bits according to a rotation schedule.
– Select 24-bits from each half, and permute the combined 48 bits.
– This forms a round key.
Permuted Choice One (PC1)
19
57 49 41 33 25 17 91 58 50 42 34 26 18
10 2 59 51 43 35 2719 11 3 60 52 44 3663 55 47 39 31 23 15
7 62 54 46 38 30 2214 6 61 53 45 37 2921 13 5 28 20 12 4
Initial Permutation IP
• IP: the first step of the encryption.
• It reorders the input data bits.
• The last step of encryption is the inverse of IP.
• IP and IP-1 are specified by tables (see Stallings book, Table 3.2) or http://en.wikipedia.org/wiki/DES_supplementary_material
Round i
+
F
Li-1 Ri-1
ki
Li Ri
32
483232
22
The and each have 32 bits, and the round key 48 bits.
The function, on input and , produces 32 bits:
( , )
where :
(
expands 32 bits o 4
)
t
The function of DES
L R K
F R K
F R K P S E K
E
R
F
8 bits;
: shrinks it back to 32 bits;
: permutes the 32 bits.
S
P
The F function of DES
The Expansion Permutation E
The S-Boxes
• Eight S-boxes each map 6 to 4 bits • Each S-box is specified as a 4 x 16 table
– each row is a permutation of 0-15– outer bits 1 & 6 of input are used to select one
of the four rows – inner 4 bits of input are used to select a
column
• All the eight boxes are different.
26
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 6 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Box S1
• For example, S1(101010) = 6 = 0110.
0
1
2
3
Permutation Function P
1
P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Avalanche Effect
• Avalanche effect:– A small change in the plaintext or in the key results in a
significant change in the ciphertext.
– an evidence of high degree of diffusion and confusion
– a desirable property of any encryption algorithm
• DES exhibits a strong avalanche effect– Changing 1 bit in the plaintext affects 34 bits in the
ciphertext on average.
– 1-bit change in the key affects 35 bits in the ciphertext on average.
29
Attacks on DES
• Brute-force key search– Needs only two plaintext-ciphertext samples
– Trying 1 key per microsecond would take 1000+ years on average, due to the large key space size, 256 ≈ 7.2×1016.
• Differential cryptanalysis– Possible to find a key with 247 plaintext-ciphertext samples
– Known-plaintext attack
• Liner cryptanalysis: – Possible to find a key with 243 plaintext-ciphertext samples
– Known-plaintext attack
30
DES Cracker• DES Cracker:
– A DES key search machine
– contains 1536 chips
– Cost: $250,000.
– could search 88 billion keys per second
– won RSA Laboratory’s “DES Challenge II-2” by successfully finding a DES key in 56 hours.
• DES is feeling its age. A more secure cipher is needed.
Multiple Encryption with DES
• In 2001, NIST published the Advanced Encryption
Standard (AES) to replace DES.
• But users in commerce and finance are not ready to give
up on DES.
• As a temporary solution to DES’s security problem, one
may encrypt a message (with DES) multiple times using
multiple keys:
– 2DES is not much securer than the regular DES
– So, 3DES with either 2 or 3 keys is used31
2DES
• Consider 2DES with two keys:
C = EK2(EK1(P))
• Decryption: P = DK1(DK2(C))
• Key length: 56 x 2 = 112 bits
• This should have thwarted brute-force attacks?
• Wrong!
32
Meet-in-the-Middle Attack on 2DES
• 2-DES: C = EK2(EK1(P))
• Given a known pair (P, C), attack as follows:
– Encrypt P with all 256 possible keys for K1.
– Decrypt C with all 256 possible keys for K2.
– If EK1’(P) = DK2’(C), try the keys on another (P’, C’).
– If works, (K1’, K2’) = (K1, K2) with high probability.
– Takes O(256) steps; not much more than attacking 1-DES.
33
EK1P CEK2
34
1 2 1
1 2 1
1 2
A straightforward implementation would be :
: ( )
In practice : : ( )
Also referred to as EDE encryption
Reason : if , then
3DE
3DES with 2 keys
k k k
k k k
c E E E m
c E D E m
k k
S 1DES.
Thus, a 3DES software can be used as a single-DES.
Standardized in ANSI X9.17 & ISO 8732.
No practical attacks are known.
35
3 2 1
1 3
1 2 3
Encryption: : ( ) .
If , it becomes 3DES with 2 keys.
If , it becomes the regular DES.
So, it is backward compatible with both 3DES with 2 keys
and
3DES with 3 keys
k k kc E D E m
k k
k k k
the regular DES.
Some internet applications adopt 3DES with three keys;
e.g. PGP and S / MIME.
AES: Advanced Encryption Standard
37
AES: Advanced Encryption Standard
• In1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard.
• Requirements: block length of 128 bits, key lengths of 128, 192, and 256 bits.
• In 2000, Rijndael cipher (by Rijmen and Daemen) was selected.
• An iterated cipher, with 10, 12, or 14 rounds. • Rijndael allows various block lengths. • But AES allows only one block size: 128 bits.
There are only two numbers : 0 and 1.
Addition, substraction and multiplication are as below:
0 1 0 1 0 1
0 0 1 0 0 1 0 0 0
1 1 0 1 1 0 1 0 1
Note: addition =
Modulo-2 Arithmetic
substraction = XOR.
39
7 3
7
Each byte is viewed as a polynomial of degree 7.
Example: 10001001 1 ( ).
10000010 ( ).
Addition and substraction are simply b
Byte-oriented operations
a x x A x
b x x B x
XOR:
10001001 10000010 00001011 ( ) ( ).
10001001 10000010 00001011
itwise
( ) ( ).
a b A x B x
a b A x B x
40
8 4 3
Multiplication ( ): "regular" polynomial multiplication ( )
modulo a fixed modulus ( ), where
( ) .
( ) ( ) mod ( )
1 100011011
Byte-oriented operations
P x x x x
P x
a b A x B x P x
x
14 10 8 7 4
6 5 4 3 2
mod ( )
1
10001001 10000010 mod 100011011
= 100010110010010 mod 100011011
01111111
x x x x x x P x
x x x x x x
a b
41
For any byte (viewed as a polynomial), there is
a unique byte (also viewed as a polynomial) such that
1.
This element is called the inverse of , and is
Byte-oriented operations
a
b
a b
b a
1
8
denoted by .
Mathematically, the set of all polynomials of degrees 7
forms a field, GF(2 ), under the operation of addition and
multiplication mod ( ), where ( ) is a fixed modulus.
a
P x P x
42
: block size (number of words). For AES, 4.
: key length (number of words).
: number of rounds, depending on , .
Assume: 4, 4, 10.
:
Structure of Rijndael
b b
k
r b k
b k r
N N
N
N N
sta
N
N N
e
N
t
0 1 10
a variable of 4 words, holding the data block,
viewed as a each column is a word.
Key schedule: 11 round keys , , ,
computed from the main key
4 4 matrix of byt
.
es;
key key key
k
43
0
input: plaintext , key
1 2 AddKey( , ) 3 for 1 to 1 do 4 SubBytes( ) 5 ShiftRows( ) 6 Mixcolumns( ) 7
Rijndael algorithm
r
m k
state mstate key
i Nstatestatestate
AddKey( , ) 8 SubBytes( ) 9 ShiftRows( ) 10 AddKey( , )
11 return( )r
i
N
state keystatestate
state key
state
44
Figure 5.1 AES Encryption and Decryption
45
AddKey( , )
i
i
state state key
state key
46
1RD
1RD
Each byte in the matrix is substituted with
another byte S ( ) .
The substitution S ( ) , called Rijndael's
S-box, is based on some mathematics in
SubBytes( )
z
z Az
stat
b
z Az
e
b
state
finite fields,
and can be specified as a table (Table 5.4 of Stallings).
47
8
1 8
1
1
That is, treat as an element in GF(2 ).
Find its multiplicative inverse in GF(2 ).
Now treat as a vector of 0/1.
Multiply with , and add the result to .
1000111111
z
z
z
A z b
A
1000111 1
11100011 011110001 0 and 11111000 001111100 100111110 100011111 0
b
48
Left-shift row circularly by bytes, 0 3.
ShiftRows( )
i i i
a b c d a b c d
e f g h f g h e
i j k l k l i j
m n o p p m n o
state
49
0 1 2 3
0 1 2 3
0
1
2
3
Operate on each column of the matrix.
Each column ( , , , ) is substituted with
( , , , ), where
02 03 01 01
01 02 03 01
01 0
MixColumns( )
a a a a a
b b b b
b
b
b
b
state
state
0
1
2
3
1 02 03
03 01 01 02
Using finite-field multiplication and addition.
a
a
a
a
50
0 1 2 3
3 23 2 1 0
Operate on each column of the matrix.
Each column ( , , , ) is viewed as a
polynomial :
( ) +
A fixed polynomial: (
Math behind MixColumns( )
a a a a a
a x a
stat
x a x a x a
c
e
state
3 2
3 23 2 1 0
0 1 2 3 0 1 2 3
4
) 03 01 +01 02.
Compute ( ) +
=
( , , , ) is substituted with ( , , , )
( ) ( ) mod ( 1)
x x x x
b x b x b x b x b
a a a a b
a x c x x
b b b
51
Each step of Rijndael encryption is invertible.
Rijndael Decryption
A Rijndael Animation by Enrique Zabala
52