Cryptography - lecture6

8/7/2019 Cryptography - lecture6

http://slidepdf.com/reader/full/cryptography-lecture6 1/30

April 4, 2006 1

Cryptography and Network Security

Lecture 6: Contemporary ciphers

Ion PetreIon PetreAcademy of Finland andAcademy of Finland andDepartment of IT, Åbo Akademi UniversityDepartment of IT, Åbo Akademi University

Spring 2006http://www.abo.fi/~ipetre/crypto/

http://www.abo.fi/~ipetre/crypto/

http://www.abo.fi/~ipetre/crypto/



April 4, 2006 2

3DES, RC5, RC4

Examine in this lecture some of the most important symmetricciphers currently in use Triple DES RC5 RC4 Blowfish not included in this lecture due to lack of time – those

interested can read about it e.g., in the Stallings book



April 4, 2006 3

Replacing DES

DES is vulnerable nowadays to a brute-force attack It is replaced as a standard by AES There has been interest to provide another algorithm during the

transition to AES Also interest to preserve the existing investment in software and

hardware, increasing the security Solution: iterated version of DES



April 4, 2006 4

Obvious solution: double DES

Use two keys K1, K2 and encrypt the text using the two keysC=EK2(EK1(P))

To decrypt simply use DES decryption twiceP=DK1(DK2(C))

The scheme involves now a key of 112 bits which should make it

much more secure than DES, at least in principle



April 4, 2006 5

Security of double DES

Question 1: Is double DES more than just DES? In other words, could there be a key K3 such that EK2(EK1(P))= EK3(P)?

Answer: Double DES cannot be reduced to single DES (intuitivelyclear, difficult to prove though)

Question 2: Is double DES more secure than DES?

Key is twice as long Does this imply necessarily that all attacks must take significantly more

time than a DES attack?

Answer: Double DES can be broken with only twice the effort of

breaking DES with a brute-force attack Meet-in-the-middle attack



April 4, 2006 6

Meet-in-the-Middle attack on 2DES

Due to Diffie, Hellman (1977) Main observation: if C=EK2(EK1(P)), then

X=EK1(P)=DK2(C) Assume we have two pairs of plaintext-ciphertext (of only one byte

each!)

Given a known pair (P,C) attack as follows: Encrypt P for all 256 possible keys K1 Store the results in a table and sort the table by the values of X Decrypt C using all possible 256 possible keys K2

For each decryption check the result in the table In case of match, either we have the answer, or a false positive Test the two keys with the second pair of plaintext-ciphertext: if they match,

the correct keys were found



April 4, 2006 7


Short analysis: For a given plaintext P, there are 264 possible ciphertext values that

could be produced by 2DES 2DES uses 112-bit key so that there 2112 possible keys Thus, on average the number of different keys that give the same C for a

given P is 2112 /264=248: thus, the attacker will have 248 “false alarms” Having the second pair of plaintext-ciphertext the false alarm rate is

reduced to 248-64=2-16

Conclusion: 2DES is broken in 256 steps with probability larger than1-2-16

The effort is not much bigger than the 255 required to break DES



April 4, 2006 8


Other considerations Storing a table with 256 bytes is a major task

256 bytes = 65536 Tb Sorting it is non-trivial in terms of complexity Still this is enough to discard a double iteration algorithm: no necessarily

a feasible attack today, but potentially dangerous



April 4, 2006 9

Triple DES

Counter to the meet-in-the-middle attack: use three stages of encryption withthree different keys

C=EK3(EK2(EK1(P))) Drawback : keys is now 168 bits which makes it slower Alternative : 3DES with 2 keys: K3=K1

Another alternative: instead of three encryptions, use 2 encryptions and onedecryption

C=EK1(DK2(EK3(P)))

Using decryption rater than encryption in the second stage yields no weakness This is only a solution to remain compatible with the users of simple DES. Suchusers should use K1=K2:

C=EK1(DK1(EK3(P)))=EK3(P) There are no practical cryptoanalytical attacks on 3DES

Brute-force attack is on the scale of 2112

, i.e., more than 5x1033

Differential cryptanalysis exceeds an effort of 1052

Best attack (Lucks, 1998): 232 known plaintexts, 2113 steps, 290 signle DESencryptions, 288 bytes memory not practical

Suggestion : given the current state of technology, 3DES should be used with3 keys



April 4, 2006 10

RC5

Symmetric encryption algorithm developed by Rivest; incorporated intoBSAFE, JSAFE, S/MAIL (of RSA Data Security Inc.)

Characteristics of RC5 Suitable for hardware and software: uses only common operations found onmicroprocessors

Fast: simple and word oriented Adaptable to processors of different word lengths: the number of bits in the word

is the 1st

parameter of RC5 Variable number of rounds: number of rounds is the 2nd parameter Variable-length key: key length is the 3rd parameter of RC5 Simple: easy to implement and analyze Low memory requirement: suitable for smart cards or other devices with limited

memory High security Data-dependent rotations



April 4, 2006 11

RC5

Parameters w is the word size in bits – RC5 encrypts blocks of 2 words. Allowed values: 16,

32, 64

r is the number of rounds. Allowed values: 0,1,…,255 b is the number of 8-bit bytes in the secret key K. Allowed values: 0,1,…,255

A specific version of RC5 is denoted RC5-w/r/b The author advises to use RC5-32/12/16 as the “nominal” version

That means: 64-bit plaintext/ciphertext blocks, 12 rounds, 128-bit key Algorithm

Key expansion Input manipulation

Details are on the following slides: where addition and subtraction (+ and -) are modulo 2w

bitwise XOR is ⊕

x<<<y is the circular left-shift of x by y bits x>>>y is the circular right-shift of word x by y bits



April 4, 2006 12

RC5 encryption/decryption scheme

RC5-w/r/b – encryption

LE0=A+S[0]RE

0=B+S[1]

For i=1 to r doLEi=((LEi-1⊕REi-1)<<<REi-1)+S[2i]REi=((REi-1⊕LEi)<<<LEi)+S[2i+1]

RC5 – decryption

For i=r downto 1 doRDi-1=((RDi-S[2i+1])>>>LDi) ⊕LDi

LDi-1=((LDi-S[2i])>>>Rdi-1) ⊕Rdi-1B=RD0-S[1]A=LD0-S[0]

⊕ ⊕

⊕ ⊕

⊕ ⊕

⊕⊕



April 4, 2006 13

RC5- w/r/b – key expansion (the big picture)

Two subkeys are used in each round, two subkeys are used in anadditional operation We need 2r+2 subkeys

Each subkey is one word (w bits) in length The subkeys are generated in the array S

S is initialized with a certain pattern (details on the next slide)

The b-byte key K[0…b-1] is converted into an array of words K’[0…c-1] Content of K is simply copied to K’; if b is not a multiple of w, fill in with 0 Nominal version: key has 128 bits, words have 32 bits: K’ will have c=4

elements

Recall: they key K has b*8 bits, a word has w bits c is the smallest integer larger than b*8/w

Mix K’ with S to produce the final values for the array S (details on thenext slide)



April 4, 2006 14

RC5- w/r/b – key expansion

Initialize S as follows:S[0]=PwFor i=1 to t-1 do

S[i]=S[i-1]+Qw

Constants Pw and Qw (on w bits) are defined as Pw=Odd[(e-2)2w

], Qw=Odd[(φ-1)2w], where Odd gives the closest odd integer to its output, e is the base of thenatural logarithm and φ is the golden ration (φ=(1+√5)/2. Values are given in thetable bellow (in hexadecimal)

Mix array S with the key array K’ to produce the final values for S:i=j=X=Y=0; t=2r+2

Do 3 x max(t,c) times:S[i]=(S[i]+X+Y)<<<3;X=S[i]; i=(i+1) mod t;K’[j]=(K’[j]+X+Y)<<<(X+Y);Y=K’[j]; j=(j+1) mod c;

This particular key expansion algorithm seeks to make it difficult to guess Kgiven Sw 16 32 64

Pw B7E1 B7E15163 B7E151628AED2A6B

Qw

9E37 9E3779B9 9E3779B97F4A7C15



April 4, 2006 15

Comments on RC5

Note the exceptional simplicity of the code 5 lines of code both for encryption and for decryption

Rotations are the only nonlinear portions of the algorithm Because the amount of rotation varies depending on the data moving

through the algorithm, linear and differential cryptanalysis are difficult



April 4, 2006 16

Characteristics of current symmetric block ciphers

Variable key length / block size / number of rounds – RC5 Mixed operators : use of more than one arithmetic and/or Boolean operator

is advisable, especially if these operator are not distributive andassociative – RC5 Modular addition/subtraction, XOR

Data-dependent (and key-dependent) rotation – an alternative to S-boxes – RC5

Key-dependent S-boxes – Blowfish Lengthy key scheduling – generation of subkeys takes much longer than

encryption and decryption (brute-force attacks become much moredifficult) – Blowfish

Operation on full data (rather than one half as in Feistel) in each round –Blowfish, RC5, AES Varying non-linear functions – the encryption function varies from round to

round



April 4, 2006 17

RC4 Stream Cipher

This is the most popular symmetric stream cipher Designed by Rivest for RSA Security Used in SSL/TLS (Secure Sockets Layer/Transport Layer Security)

standards for secure communication between Web browsers andservers

Used in WEP, part of the IEEE 802.11 wireless LAN standard RC4 was kept as a trade secret by RSA Inc but got anonymously

posted on the Internet in 1994



April 4, 2006 19

Stream cipher structure

⊕ ⊕



April 4, 2006 20

Stream cipher design

Key stream should have a large period – a pseudorandom numbergenerator uses a function that produces a deterministic stream of

bits that eventually repeats Key stream should approximate the properties of a true random

number generator Same frequency of 0 and 1 If treated as a stream of bytes, all 255 values should occur with the

same frequency

Key should be long enough to protect against brute-force attack At least 128 bits

Advantage over block ciphers: generating the stream key is muchfaster than encrypting and decrypting and less code is needed



April 4, 2006 21

RC4 algorithm

Key length is variable: from 1 to 256 bytes Based on the key initialize a 256-byte state vector S: S[0…255]

At all times S contains a permutation of the numbers 0, 1, …, 255 For encryption and decryption a byte k is selected from S and the

entries in S are permuted



April 4, 2006 22

RC4 – initialization of S

Initially S[i]=i, i=0,1,…,255 and create a temporary vector T of length256 – the key K is copied to T (if K has less than 256 bytes, repeat K

as many times as necessary to fill T)For i=0 to 255 doS[i]=i;T[i]=K[i mod keylen]

Use T to produce the initial permutation of S j=0;For i=0 to 255 do

j=(j+S[i]+T[i]) mod 256;

Swap(S[i],S[j]); Input key is never used after this initialization



April 4, 2006 24

Part II of the lecture: Block cipher modes of operation



April 4, 2006 25

Cipher modes of operation

Any block cipher is essentially just a monoalphabetic substitutioncipher using big characters (on 64 bits)

The same plaintext and the same key will always generate the sameciphertext – this may be exploited sometimes E.g., this may be exploited to break the header of a document if we

know its structure

Five modes of operation (originally for DES, applicable to anysymmetric cipher) have been defined Describe them briefly in the following

l d k d



April 4, 2006 26

Electronic Code Book (ECB) Mode

This is the simplest way to use the cipher: break the plaintext into64-bit blocks and encrypt each of them with the same key

The last block should be padded to 64-bit if it is shorter Note: same block and same key always yields same cipher block This can be easily attacked: replace one encrypted block with

another encrypted block if the structure of the document is known If the message always starts with a predefined header, then the attacker

may have a number of known plain-cipher pairs Alter the message without being able to break it: replace blocks,

rearrange them



April 4, 2006 27

Cipher Block Chaining Mode (CBC)

Devised to defeat the previous attack All cipherblocks will be chained so that if one is modified, the ciphertext

cannot be decrypted correctly (will only produce “garbage”)

Each plaintext block is XORed with the previous cipher block beforeencryption The first plaintext block is XORed with an initialization vector IV

Protect IV: e.g., send it encrypted in ECB mode



April 4, 2006 28

Cipher Feedback Mode (CFB)

CFB turns a symmetric cipher into a stream cipher

Use a shift register (64 bit for DES, 128 bit for AES, etc) that is initially set to an initializationvector IV (that can be sent as plain text)

Encrypt the content of the register, take leftmost byte of the cypher and XOR with the

current plaintext byte P – the result C is transmitted, register is left shifted with one byteand C is placed in the rightmost byte of the register Decryption works exactly the same way: note that one must use the encryption box here Note that if one bit is accidentally inverted in the transmission, the decryption will only be

ruined as long as the bit is in the register, i.e., only 64 bits will be affected

db k d



April 4, 2006 29

Output Feedback Mode (OFB)

(also known as Stream Cipher Mode)

If affecting 64 bits (for DES, 128 bits for AES) by one single inverted bit is too much for anapplication, use OFB

Encrypt an IV (that can be sent in plain) to get an output block; this block is themencrypted to get a second block, etc. – this is the keystream and it will be treated as aone-time pad and XORed with the plaintext to get the ciphertext

Keystream is independent of the data and can be computed in advance For decryption generate the same keystream using the IV and the key

1-bit error in the transmission only affects 1-bit in the ciphertext and in the decryption

C M d



April 4, 2006 30

Counter Mode

Files are sometimes kept on computers in encrypted form All modes of operations except ECB make random access to the file impossible:

to access data at the end of the file one has to decrypt everything Counter Mode fixes this problem

Plaintext is not encrypted directly IV plus a constant is encrypted and the resulting ciphertext is XORed with the

plaintext – add 1 to IV in each step Note: if the same IV is used twice with the same key, then cryptanalyst may

XOR the ciphers to get the XOR of the plaintexts – this could be used in anattack IV must be random! Encryption/decryption in parallel for multiple blocks Simple: decryption algorithm not needed

Random access to the file

Cryptography - lecture6

Documents

Transcript of Cryptography - lecture6