DES & Hash function
Date posted: 21-Dec-2015
1
DES & Hash function
2
Outline
Introduction
Data Encryption Standard (DES)
Double & Triple DES
Hash Function
MD5
SHA-1
3
Introduction
Encryption Schemes
Conventional Encryption (Symmetric) ex: DES
Public-Key Encryption (Asymmetric) ex: RSA
[Figure: Model of Conventional Cryptosystem. Blocks: message source, encryption algorithm, decryption algorithm, destination, key source; the key K is delivered over a secure channel.]
4
Introduction (Cont'd)
[Figure: Public-Key Cryptosystem: Secrecy. Source A, Destination B. Blocks: message source, encryption algorithm, decryption algorithm, destination, key pair source. Keys: KUb, KRb.]
[Figure: Public-Key Cryptosystem: Authentication. Source A, Destination B. Blocks: message source, encryption algorithm, decryption algorithm, destination, key pair source. Keys: KRa, KUa.]
5
Data Encryption Standard (DES)
Two inputs to the encryption function: plaintext and key
The 64-bit plaintext passes through an initial permutation (IP) to produce the permuted input
16 rounds of the same function follow, each involving permutation and substitution
The pre-output is passed through a permutation ($IP^{-1}$) to produce the 64-bit ciphertext.
6
Data Encryption Standard (DES)
[Figure: General Depiction of DES Encryption Algorithm. Data path: 64-bit plaintext, initial permutation, Round 1, Round 2, ..., Round 16, 32-bit swap, inverse initial permutation, 64-bit ciphertext. Key path: 56-bit key, permuted choice 1, then for each round a left circular shift and permuted choice 2, giving K1, K2, ..., K16.]
7
Data Encryption Standard (DES)
Initial Permutation (IP), Inverse Initial Permutation ($IP^{-1}$)
Initial Permutation (IP)
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
Inverse Initial Permutation ($IP^{-1}$)
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
8
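Data Encryption Standard (DES)
Details of Single Round:
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
[Figure: single round of DES. Data path (32 bits + 32 bits): $L_{i-1}$, $R_{i-1}$; $R_{i-1}$ passes through expansion/permutation (E table) to 48 bits, XOR with the 48-bit $K_i$, substitution/choice (S-box) to 32 bits and permutation (P), which together form F; XOR with $L_{i-1}$ gives $R_i$, and $L_i = R_{i-1}$. Key path (28 bits + 28 bits): $C_{i-1}$, $D_{i-1}$; left shift(s) on each half give $C_i$, $D_i$; permutation/contraction (permuted choice 2) gives $K_i$.]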
9
Data Encryption Standard (DES)
Expansion Permutation (E):
Permutation Function (P):
Expansion Permutation (E)
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
Permutation Function (P)
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25
10
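Data Encryption Standard (DES)
S-box
8 S-boxes; each accepts 6 bits of input and produces 4 bits of output
[Figure: the function F. R (32 bits) is expanded by E to 48 bits and XORed with K (48 bits); the result passes through S1 S2 S3 S4 S5 S6 S7 S8 and then P, giving 32 bits.]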
11
Data Encryption Standard (DES)
S-box
The first and last bits of the input to box $S_i$ select a row.
The middle 4 bits select a column.
ex: in S1, input = 010011, the row is 01, the column is 1001 => output: 0110
12
DES Key Generation
A 56-bit key is used as input, and each round produces a 48-bit output $K_i$ for the function $F(R_{i-1}, K_i)$
Permuted Choice One (PC-1)
At each round, $C_{i-1}$ and $D_{i-1}$ are separately subjected to a circular left shift of 1 or 2 bits.
Permuted Choice One (PC-1)
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4
(c) Schedule of Left Shifts
───────────────────────────────────────────────────────────────
Round number   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Bits rotated   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
───────────────────────────────────────────────────────────────
13
DES Key Generation
Permuted Choice Two (PC-2)
14 17 11 24  1  5  3 28
15  6 21 10 23 19 12  4
26  8 16  7 27 20 13  2
41 52 31 37 47 55 30 40
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32
14
DES Decryption Algorithm
DES decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.
The initial permutation (IP) applied at decryption undoes the $IP^{-1}$ applied at the end of encryption.
15
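DES Decryption Algorithm
Encryption, round 16:
$LE_{16} = RE_{15}$
$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$
Decryption, round 1:
$LD_1 = RD_0 = LE_{16} = RE_{15}$
$RD_1 = LD_0 \oplus F(RD_0, K_{16}) = RE_{16} \oplus F(RE_{15}, K_{16}) = [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16}) = LE_{15}$
so $LD_1 = RE_{15}$ and $RD_1 = LE_{15}$.
In general, the ith encryption round is
$LE_i = RE_{i-1}$
$RE_i = LE_{i-1} \oplus F(RE_{i-1}, K_i)$
which rearranges to
$RE_{i-1} = LE_i$
$LE_{i-1} = RE_i \oplus F(RE_{i-1}, K_i) = RE_i \oplus F(LE_i, K_i)$
and the ith decryption round is
$LD_i = RD_{i-1}$
$RD_i = LD_{i-1} \oplus F(RD_{i-1}, K_{16-(i-1)})$
By the same way, $LD_i = RE_{16-i}$ and $RD_i = LE_{16-i}$, so $LD_{16} = RE_0$ and $RD_{16} = LE_0$.
[Note] $LE_i$, $RE_i$: the output of the ith encryption round; $LD_i$, $RD_i$: the output of the ith decryption round
[Figure: DES encryption and decryption side by side. Encryption: input (plaintext) $LE_0$, $RE_0$; rounds with F and XOR keyed by $K_1$, $K_2$, ..., $K_{15}$, $K_{16}$ give $LE_1$, $RE_1$; $LE_2$, $RE_2$; ...; $LE_{14}$, $RE_{14}$; $LE_{15}$, $RE_{15}$; $LE_{16}$, $RE_{16}$; the halves are swapped to give the output (ciphertext). Decryption: input (ciphertext) $LD_0 = RE_{16}$, $RD_0 = LE_{16}$; rounds keyed by $K_{16}$, $K_{15}$, ..., $K_2$, $K_1$ give $LD_1 = RE_{15}$, $RD_1 = LE_{15}$; $LD_2 = RE_{14}$, $RD_2 = LE_{14}$; ...; $LD_{14} = RE_2$, $RD_{14} = LE_2$; $LD_{15} = RE_1$, $RD_{15} = LE_1$; $LD_{16} = RE_0$, $RD_{16} = LE_0$; the halves are swapped to give the output (plaintext).]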
16
DES Decryption Algorithm
After a 32-bit swap, the data at the decryption part is the same as the data before encryption.
Finally, the data passes through $IP^{-1}$ and returns to the original plaintext.
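The derivation on the preceding slides holds for any round function F, which the following added Python example (not part of the original slides) checks round by round. It assumes a stand-in round function `toy_f` that is not the DES F, sixteen constructed subkeys and one constructed 64-bit block; IP and $IP^{-1}$ are left out because they cancel.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def toy_f(r, k):
    """Stand-in round function (NOT the DES F). Any function of (R, K) works;
    it does not have to be invertible."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel_rounds(left, right, subkeys, f=toy_f):
    """Run one round per subkey; return the (L_i, R_i) pair after every round."""
    states = [(left, right)]
    for k in subkeys:
        # L_i = R_{i-1},  R_i = L_{i-1} xor F(R_{i-1}, K_i)
        left, right = right, left ^ f(right, k)
        states.append((left, right))
    return states

def encrypt(block, subkeys):
    l16, r16 = feistel_rounds(block >> 32, block & MASK32, subkeys)[-1]
    return (r16 << 32) | l16                   # 32-bit swap

def decrypt(block, subkeys):
    return encrypt(block, subkeys[::-1])       # same algorithm, subkeys reversed

# Constructed sample data: sixteen arbitrary 48-bit subkeys and one 64-bit block.
SUBKEYS = [(0x0123456789AB * (i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]
PLAINTEXT = 0x0123456789ABCDEF

def check_derivation():
    """True if LD_i = RE_{16-i} and RD_i = LE_{16-i} for every i in 0..16."""
    enc = feistel_rounds(PLAINTEXT >> 32, PLAINTEXT & MASK32, SUBKEYS)
    le16, re16 = enc[16]
    dec = feistel_rounds(re16, le16, SUBKEYS[::-1])   # LD_0 = RE_16, RD_0 = LE_16
    return all(dec[i] == (enc[16 - i][1], enc[16 - i][0]) for i in range(17))

if __name__ == "__main__":
    c = encrypt(PLAINTEXT, SUBKEYS)
    print(f"ciphertext {c:016X}, decrypted {decrypt(c, SUBKEYS):016X}")
    print("round-by-round identity holds:", check_derivation())
```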
17
DES Decryption Algorithm
Avalanche Effect : a small change in either the plaintext or the key should produce a significant change in the ciphertext.
DES exhibits a strong avalanche effect.
18
Double DES
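meet-in-the-middle attack: given a known pair (P, C).
K1 and K2 are not independent. The complexity is similar to that of single DES.
[Figure: meet-in-the-middle on double DES. P is encrypted with K1 to give X, and X is encrypted with K2 to give C; $2^{56}$ candidate values on each side.]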
19
Triple DES
Encryption-Decryption-Encryption (EDE)
The cost of a brute-force key search on triple DES: $2^{112}$
Currently, there are no practical cryptanalytic attacks on triple DES.
20
Hash Function
h = H(M)
M: variable-length message
H(M): fixed-length message
The hash value is appended to the message at the source.
The receiver authenticates that message by re-computing the hash value.
21
Hash Function
22
Hash Function
Requirements for a Hash Function
H can be applied to a block of data of any size.
H produces a fixed-length output.
H(x) is relatively easy to compute for any given x.
one-way property
weak collision resistance
23
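MD5
Input: a variable-length message. The input is processed in 512-bit blocks.
Output: a 128-bit message digest
[Figure: MD5 digest generation. The K-bit message is followed by the padding (100...0), for a total of L x 512 bits = N x 32 bits, split into 512-bit blocks $Y_0$, $Y_1$, ..., $Y_q$, ..., $Y_{L-1}$. Each block is processed by $H_{MD5}$ together with a 128-bit chaining value: IV for the first block, then $CV_1$, ..., $CV_q$, ..., $CV_{L-1}$. The final output is the 128-bit digest.]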
24
MD5
Append padding bits
The padding bits: 1 to 512 bits (100…0)
Padding is always added, even if the message is already of the desired length.
ex: the message is 448 bits long, it is padded by 512 bits to a length of 960 bits
Append length
A 64-bit representation of the original message's length
If the original length is greater than $2^{64}$, only K mod $2^{64}$ is used (the low-order 64 bits of the length)
25
MD5
Initialize MD buffer
The buffer can be represented as four 32-bit registers (A, B, C, D)
A = 67452301  B = EFCDAB89  C = 98BADCFE  D = 10325476
The heart of the algorithm is a compression function
Four rounds; each round processes 16 steps
The four rounds have a similar structure, but each uses a different primitive logical function (F, G, H, I).
26
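MD5
[Figure: processing of a single 512-bit block. Inputs: $Y_q$ (512 bits) and $CV_q$ (128 bits, as four 32-bit words A, B, C, D). Four rounds of 16 steps each:]
Round 1: F, T[1...16], X[i]
Round 2: G, T[17...32], X[ρ2(i)]
Round 3: H, T[33...48], X[ρ3(i)]
Round 4: I, T[49...64], X[ρ4(i)]
The output of the fourth round is added word by word (+ + + +) to $CV_q$ to give $CV_{q+1}$ (128 bits).
Note: Addition (+) is mod $2^{32}$.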
27
MD5
A, B, C, D ← D, {[(A + g(B,C,D) + X[k] + T[i]) <<< s] + B}, B, C
g : one of the primitive functions F, G, H, I
<<< s : circular left shift by s bits
X[k] : the k'th 32-bit word in the 512-bit block of the message
  round 1: k = i-1
  round 2: k = [1+5(i-1)] mod 16
  round 3: k = [5+3(i-1)] mod 16
  round 4: k = [7(i-1)] mod 16
T[i] : the i'th 32-bit word in matrix T
+ : addition modulo $2^{32}$
∧, ∨, ¬, ⊕ : AND, OR, NOT, XOR
[Figure: Elementary MD5 Operation (single step). Inputs A, B, C, D; g, X[k], T[i], the circular left shift CLS s and four additions produce the new A, B, C, D.]
28
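MD5
───────────────────────────────────────────────────
Round   Primitive function g   g(b, c, d)
1       F(b, c, d)             (b ∧ c) ∨ (¬b ∧ d)
2       G(b, c, d)             (b ∧ d) ∨ (c ∧ ¬d)
3       H(b, c, d)             b ⊕ c ⊕ d
4       I(b, c, d)             c ⊕ (b ∨ ¬d)
───────────────────────────────────────────────────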
29
MD5
Table T, constructed from the sine function
───────────────────────────────────
T[1] = D76AA478 T[17] = F61E2562 T[33] = FFFA3942 T[49] = F4292244
T[2] = E8C7B756 T[18] = C040B340 T[34] = 8771F681 T[50] = 432AFF97
T[3] = 242070DB T[19] = 265E5A51 T[35] = 699D6122 T[51] = AB9423A7
T[4] = C1BDCEEE T[20] = E9B6C7AA T[36] = FDE5380C T[52] = FC93A039
T[5] = F57C0FAF T[21] = D62F105D T[37] = A4BEEA44 T[53] = 655B59C3
T[6] = 4787C62A T[22] = 02441453 T[38] = 4BDECFA9 T[54] = 8F0CCC92
T[7] = A8304613 T[23] = D8A1E681 T[39] = F6BB4B60 T[55] = FFEFF47D
T[8] = FD469501 T[24] = E7D3FBC8 T[40] = BEBFBC70 T[56] = 85845DD1
T[9] = 698098D8 T[25] = 21E1CDE6 T[41] = 289B7EC6 T[57] = 6FA87E4F
T[10] = 8B44F7AF T[26] = C33707D6 T[42] = EAA127FA T[58] = FE2CE6E0
T[11] = FFFF5BB1 T[27] = F4D50D87 T[43] = D4EF3085 T[59] = A3014314
T[12] = 895CD7BE T[28] = 455A14ED T[44] = 04881D05 T[60] = 4E0811A1
T[13] = 6B901122 T[29] = A9E3E905 T[45] = D9D4D039 T[61] = F7537E82
T[14] = FD987193 T[30] = FCEFA3F8 T[46] = E6DB99E5 T[62] = BD3AF235
T[15] = A679438E T[31] = 676F02D9 T[47] = 1FA27CF8 T[63] = 2AD7D2BB
T[16] = 49B40821 T[32] = 8D2A4C8A T[48] = C4AC5665 T[64] = EB86D391
───────────────────────────────────
30
MD5
/* Round 1. */
/* Let [abcd k s i] denote the operation
   a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
/* Do the following 16 operations. */
[ABCD  0  7  1]  [DABC  1 12  2]  [CDAB  2 17  3]  [BCDA  3 22  4]
[ABCD  4  7  5]  [DABC  5 12  6]  [CDAB  6 17  7]  [BCDA  7 22  8]
[ABCD  8  7  9]  [DABC  9 12 10]  [CDAB 10 17 11]  [BCDA 11 22 12]
[ABCD 12  7 13]  [DABC 13 12 14]  [CDAB 14 17 15]  [BCDA 15 22 16]
/* Round 2. */
/* Let [abcd k s i] denote the operation
   a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
/* Do the following 16 operations. */
[ABCD  1  5 17]  [DABC  6  9 18]  [CDAB 11 14 19]  [BCDA  0 20 20]
[ABCD  5  5 21]  [DABC 10  9 22]  [CDAB 15 14 23]  [BCDA  4 20 24]
[ABCD  9  5 25]  [DABC 14  9 26]  [CDAB  3 14 27]  [BCDA  8 20 28]
[ABCD 13  5 29]  [DABC  2  9 30]  [CDAB  7 14 31]  [BCDA 12 20 32]
31
MD5
/* Round 3. */
/* Let [abcd k s i] denote the operation
   a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
/* Do the following 16 operations. */
[ABCD  5  4 33]  [DABC  8 11 34]  [CDAB 11 16 35]  [BCDA 14 23 36]
[ABCD  1  4 37]  [DABC  4 11 38]  [CDAB  7 16 39]  [BCDA 10 23 40]
[ABCD 13  4 41]  [DABC  0 11 42]  [CDAB  3 16 43]  [BCDA  6 23 44]
[ABCD  9  4 45]  [DABC 12 11 46]  [CDAB 15 16 47]  [BCDA  2 23 48]
/* Round 4. */
/* Let [abcd k s i] denote the operation
   a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
/* Do the following 16 operations. */
[ABCD  0  6 49]  [DABC  7 10 50]  [CDAB 14 15 51]  [BCDA  5 21 52]
[ABCD 12  6 53]  [DABC  3 10 54]  [CDAB 10 15 55]  [BCDA  1 21 56]
[ABCD  8  6 57]  [DABC 15 10 58]  [CDAB  6 15 59]  [BCDA 13 21 60]
[ABCD  4  6 61]  [DABC 11 10 62]  [CDAB  2 15 63]  [BCDA  9 21 64]
32
MD5
For each step, only one of the four buffers is updated.
Four different circular left shift amounts are used in each round, and they differ from round to round.
33
Secure Hash Algorithm (SHA-1)
Input: a message with a maximum length of less than $2^{64}$ bits. The input is processed in 512-bit blocks.
Output: a 160-bit message digest
Append padding bits
Append length
Initialize MD buffer
The buffer can be represented as five 32-bit registers.
A = 67452301  B = EFCDAB89  C = 98BADCFE  D = 10325476  E = C3D2E1F0
34
Secure Hash Algorithm (SHA-1)
The heart of the algorithm is a compression function
Four rounds; each round processes 20 steps
The four rounds have a similar structure, but each uses a different primitive logical function (f1, f2, f3, f4).
35
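Secure Hash Algorithm (SHA-1)
[Figure: SHA-1 Processing of a Single 512-bit Block. Inputs: $Y_q$ (512 bits) and $CV_q$ (160 bits, as five 32-bit words A, B, C, D, E). Four rounds of 20 steps each:]
Round 1: f1, K, W[0...19]
Round 2: f2, K, W[20...39]
Round 3: f3, K, W[40...59]
Round 4: f4, K, W[60...79]
The output of the fourth round is added word by word (+ + + + +) to $CV_q$ to give $CV_{q+1}$ (160 bits).
Note: Addition (+) is mod $2^{32}$.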
36
Secure Hash Algorithm (SHA-1)
A, B, C, D, E ← [E + f(t,B,C,D) + $S^5$(A) + $W_t$ + $K_t$], A, $S^{30}$(B), C, D
t : step number; 0 ≤ t ≤ 79
f(t,B,C,D) : one of the primitive functions (f1, f2, f3, f4) for step t
$S^k$ : circular left shift by k bits
$K_t$ : an additional constant; four distinct values are used
[Figure: Elementary SHA Operation (single step). Inputs A, B, C, D, E; $f_t$, $S^5$, $S^{30}$, $W_t$, $K_t$ and four additions produce the new A, B, C, D, E.]
37
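Secure Hash Algorithm (SHA-1)
───────────────────────────────────────────────────────────────
Step            Function Name        Function Value
(0 ≤ t ≤ 19)    f1 = f(t, B, C, D)   (B ∧ C) ∨ (¬B ∧ D)
(20 ≤ t ≤ 39)   f2 = f(t, B, C, D)   B ⊕ C ⊕ D
(40 ≤ t ≤ 59)   f3 = f(t, B, C, D)   (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
(60 ≤ t ≤ 79)   f4 = f(t, B, C, D)   B ⊕ C ⊕ D
───────────────────────────────────────────────────────────────
Step Number     Hexadecimal          Take Integer Part of:
0 ≤ t ≤ 19      $K_t$ = 5A827999     [$2^{30} \times \sqrt{2}$]
20 ≤ t ≤ 39     $K_t$ = 6ED9EBA1     [$2^{30} \times \sqrt{3}$]
40 ≤ t ≤ 59     $K_t$ = 8F1BBCDC     [$2^{30} \times \sqrt{5}$]
60 ≤ t ≤ 79     $K_t$ = CA62C1D6     [$2^{30} \times \sqrt{10}$]
───────────────────────────────────────────────────────────────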
38
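Secure Hash Algorithm (SHA-1)
$W_t$ : a 32-bit word derived from the current 512-bit input block
In the first 16 steps of processing, $W_t$ is equal to the corresponding word in the message block.
For the remaining 64 steps: $W_t = S^1(W_{t-16} \oplus W_{t-14} \oplus W_{t-8} \oplus W_{t-3})$
ex: $W_{16} = S^1(W_0 \oplus W_2 \oplus W_8 \oplus W_{13})$
For each step, two of the buffers are updated.
[Figure: derivation of the 80 words from the 512-bit block $Y_q$. $W_0$, $W_1$, ..., $W_{15}$ are taken from the block; $W_{16}$ is $S^1$ of the XOR of $W_0$, $W_2$, $W_8$, $W_{13}$; $W_t$ is $S^1$ of the XOR of $W_{t-16}$, $W_{t-14}$, $W_{t-8}$, $W_{t-3}$; $W_{79}$ is $S^1$ of the XOR of $W_{63}$, $W_{65}$, $W_{71}$, $W_{76}$.]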
39
Comparison of SHA-1 and MD5
Complexity:
MD5:
Uses one of the 16 words of a message block directly as input to each step function.
Only the order of the words is permuted from round to round.
SHA-1:
Expands the 16 words of a block to 80 words for use in the compression function.
SHA-1 complicates the task of finding a different message block that maps to the same compression function output.
40
Comparison of SHA-1 and MD5
Security against brute-force attacks
To produce any message having a given message digest:
MD5 requires on the order of $2^{128}$ operations.
SHA-1 requires on the order of $2^{160}$ operations.
To produce two messages having the same message digest:
MD5 requires on the order of $2^{64}$ operations.
SHA-1 requires on the order of $2^{80}$ operations.
SHA-1 is stronger against brute-force attacks.
41
Comparison of SHA-1 and MD5
Speed
Both algorithms rely heavily on addition modulo $2^{32}$.
SHA-1 involves more steps (80 vs. 64) and processes a 160-bit buffer compared to MD5's 128-bit buffer.
SHA-1 should execute more slowly than MD5 on the same hardware.
Simplicity and compactness
Both algorithms are simple to describe and simple to implement.
42
Comparison of SHA-1 and MD5
Little-endian versus big-endian architecture
MD5 uses a little-endian scheme for interpreting a message as a sequence of 32-bit words.
SHA-1 uses a big-endian scheme.