Cryptography - lecture6
Transcript of Cryptography - lecture6
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 1/30
April 4, 2006 1
Cryptography and Network Security
Lecture 6: Contemporary ciphers
Ion PetreIon PetreAcademy of Finland andAcademy of Finland andDepartment of IT, Åbo Akademi UniversityDepartment of IT, Åbo Akademi University
Spring 2006http://www.abo.fi/~ipetre/crypto/
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 2/30
April 4, 2006 2
3DES, RC5, RC4
Examine in this lecture some of the most important symmetricciphers currently in use Triple DES RC5 RC4 Blowfish not included in this lecture due to lack of time – those
interested can read about it e.g., in the Stallings book
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 3/30
April 4, 2006 3
Replacing DES
DES is vulnerable nowadays to a brute-force attack It is replaced as a standard by AES There has been interest to provide another algorithm during the
transition to AES Also interest to preserve the existing investment in software and
hardware, increasing the security Solution: iterated version of DES
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 4/30
April 4, 2006 4
Obvious solution: double DES
Use two keys K1, K2 and encrypt the text using the two keysC=EK2(EK1(P))
To decrypt simply use DES decryption twiceP=DK1(DK2(C))
The scheme involves now a key of 112 bits which should make it
much more secure than DES, at least in principle
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 5/30
April 4, 2006 5
Security of double DES
Question 1: Is double DES more than just DES? In other words, could there be a key K3 such that EK2(EK1(P))= EK3(P)?
Answer: Double DES cannot be reduced to single DES (intuitivelyclear, difficult to prove though)
Question 2: Is double DES more secure than DES?
Key is twice as long Does this imply necessarily that all attacks must take significantly more
time than a DES attack?
Answer: Double DES can be broken with only twice the effort of
breaking DES with a brute-force attack Meet-in-the-middle attack
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 6/30
April 4, 2006 6
Meet-in-the-Middle attack on 2DES
Due to Diffie, Hellman (1977) Main observation: if C=EK2(EK1(P)), then
X=EK1(P)=DK2(C) Assume we have two pairs of plaintext-ciphertext (of only one byte
each!)
Given a known pair (P,C) attack as follows: Encrypt P for all 256 possible keys K1 Store the results in a table and sort the table by the values of X Decrypt C using all possible 256 possible keys K2
For each decryption check the result in the table In case of match, either we have the answer, or a false positive Test the two keys with the second pair of plaintext-ciphertext: if they match,
the correct keys were found
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 7/30
April 4, 2006 7
Meet-in-the-Middle attack on 2DES
Short analysis: For a given plaintext P, there are 264 possible ciphertext values that
could be produced by 2DES 2DES uses 112-bit key so that there 2112 possible keys Thus, on average the number of different keys that give the same C for a
given P is 2112 /264=248: thus, the attacker will have 248 “false alarms” Having the second pair of plaintext-ciphertext the false alarm rate is
reduced to 248-64=2-16
Conclusion: 2DES is broken in 256 steps with probability larger than1-2-16
The effort is not much bigger than the 255 required to break DES
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 8/30
April 4, 2006 8
Meet-in-the-Middle attack on 2DES
Other considerations Storing a table with 256 bytes is a major task
256 bytes = 65536 Tb Sorting it is non-trivial in terms of complexity Still this is enough to discard a double iteration algorithm: no necessarily
a feasible attack today, but potentially dangerous
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 9/30
April 4, 2006 9
Triple DES
Counter to the meet-in-the-middle attack: use three stages of encryption withthree different keys
C=EK3(EK2(EK1(P))) Drawback : keys is now 168 bits which makes it slower Alternative : 3DES with 2 keys: K3=K1
Another alternative: instead of three encryptions, use 2 encryptions and onedecryption
C=EK1(DK2(EK3(P)))
Using decryption rater than encryption in the second stage yields no weakness This is only a solution to remain compatible with the users of simple DES. Suchusers should use K1=K2:
C=EK1(DK1(EK3(P)))=EK3(P) There are no practical cryptoanalytical attacks on 3DES
Brute-force attack is on the scale of 2112
, i.e., more than 5x1033
Differential cryptanalysis exceeds an effort of 1052
Best attack (Lucks, 1998): 232 known plaintexts, 2113 steps, 290 signle DESencryptions, 288 bytes memory not practical
Suggestion : given the current state of technology, 3DES should be used with3 keys
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 10/30
April 4, 2006 10
RC5
Symmetric encryption algorithm developed by Rivest; incorporated intoBSAFE, JSAFE, S/MAIL (of RSA Data Security Inc.)
Characteristics of RC5 Suitable for hardware and software: uses only common operations found onmicroprocessors
Fast: simple and word oriented Adaptable to processors of different word lengths: the number of bits in the word
is the 1st
parameter of RC5 Variable number of rounds: number of rounds is the 2nd parameter Variable-length key: key length is the 3rd parameter of RC5 Simple: easy to implement and analyze Low memory requirement: suitable for smart cards or other devices with limited
memory High security Data-dependent rotations
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 11/30
April 4, 2006 11
RC5
Parameters w is the word size in bits – RC5 encrypts blocks of 2 words. Allowed values: 16,
32, 64
r is the number of rounds. Allowed values: 0,1,…,255 b is the number of 8-bit bytes in the secret key K. Allowed values: 0,1,…,255
A specific version of RC5 is denoted RC5-w/r/b The author advises to use RC5-32/12/16 as the “nominal” version
That means: 64-bit plaintext/ciphertext blocks, 12 rounds, 128-bit key Algorithm
Key expansion Input manipulation
Details are on the following slides: where addition and subtraction (+ and -) are modulo 2w
bitwise XOR is ⊕
x<<<y is the circular left-shift of x by y bits x>>>y is the circular right-shift of word x by y bits
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 12/30
April 4, 2006 12
RC5 encryption/decryption scheme
RC5-w/r/b – encryption
LE0=A+S[0]RE
0=B+S[1]
For i=1 to r doLEi=((LEi-1⊕REi-1)<<<REi-1)+S[2i]REi=((REi-1⊕LEi)<<<LEi)+S[2i+1]
RC5 – decryption
For i=r downto 1 doRDi-1=((RDi-S[2i+1])>>>LDi) ⊕LDi
LDi-1=((LDi-S[2i])>>>Rdi-1) ⊕Rdi-1B=RD0-S[1]A=LD0-S[0]
⊕ ⊕
⊕ ⊕
⊕ ⊕
⊕⊕
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 13/30
April 4, 2006 13
RC5- w/r/b – key expansion (the big picture)
Two subkeys are used in each round, two subkeys are used in anadditional operation We need 2r+2 subkeys
Each subkey is one word (w bits) in length The subkeys are generated in the array S
S is initialized with a certain pattern (details on the next slide)
The b-byte key K[0…b-1] is converted into an array of words K’[0…c-1] Content of K is simply copied to K’; if b is not a multiple of w, fill in with 0 Nominal version: key has 128 bits, words have 32 bits: K’ will have c=4
elements
Recall: they key K has b*8 bits, a word has w bits c is the smallest integer larger than b*8/w
Mix K’ with S to produce the final values for the array S (details on thenext slide)
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 14/30
April 4, 2006 14
RC5- w/r/b – key expansion
Initialize S as follows:S[0]=PwFor i=1 to t-1 do
S[i]=S[i-1]+Qw
Constants Pw and Qw (on w bits) are defined as Pw=Odd[(e-2)2w
], Qw=Odd[(φ-1)2w], where Odd gives the closest odd integer to its output, e is the base of thenatural logarithm and φ is the golden ration (φ=(1+√5)/2. Values are given in thetable bellow (in hexadecimal)
Mix array S with the key array K’ to produce the final values for S:i=j=X=Y=0; t=2r+2
Do 3 x max(t,c) times:S[i]=(S[i]+X+Y)<<<3;X=S[i]; i=(i+1) mod t;K’[j]=(K’[j]+X+Y)<<<(X+Y);Y=K’[j]; j=(j+1) mod c;
This particular key expansion algorithm seeks to make it difficult to guess Kgiven Sw 16 32 64
Pw B7E1 B7E15163 B7E151628AED2A6B
Qw
9E37 9E3779B9 9E3779B97F4A7C15
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 15/30
April 4, 2006 15
Comments on RC5
Note the exceptional simplicity of the code 5 lines of code both for encryption and for decryption
Rotations are the only nonlinear portions of the algorithm Because the amount of rotation varies depending on the data moving
through the algorithm, linear and differential cryptanalysis are difficult
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 16/30
April 4, 2006 16
Characteristics of current symmetric block ciphers
Variable key length / block size / number of rounds – RC5 Mixed operators : use of more than one arithmetic and/or Boolean operator
is advisable, especially if these operator are not distributive andassociative – RC5 Modular addition/subtraction, XOR
Data-dependent (and key-dependent) rotation – an alternative to S-boxes – RC5
Key-dependent S-boxes – Blowfish Lengthy key scheduling – generation of subkeys takes much longer than
encryption and decryption (brute-force attacks become much moredifficult) – Blowfish
Operation on full data (rather than one half as in Feistel) in each round –Blowfish, RC5, AES Varying non-linear functions – the encryption function varies from round to
round
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 17/30
April 4, 2006 17
RC4 Stream Cipher
This is the most popular symmetric stream cipher Designed by Rivest for RSA Security Used in SSL/TLS (Secure Sockets Layer/Transport Layer Security)
standards for secure communication between Web browsers andservers
Used in WEP, part of the IEEE 802.11 wireless LAN standard RC4 was kept as a trade secret by RSA Inc but got anonymously
posted on the Internet in 1994
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 18/30
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 19/30
April 4, 2006 19
Stream cipher structure
⊕ ⊕
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 20/30
April 4, 2006 20
Stream cipher design
Key stream should have a large period – a pseudorandom numbergenerator uses a function that produces a deterministic stream of
bits that eventually repeats Key stream should approximate the properties of a true random
number generator Same frequency of 0 and 1 If treated as a stream of bytes, all 255 values should occur with the
same frequency
Key should be long enough to protect against brute-force attack At least 128 bits
Advantage over block ciphers: generating the stream key is muchfaster than encrypting and decrypting and less code is needed
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 21/30
April 4, 2006 21
RC4 algorithm
Key length is variable: from 1 to 256 bytes Based on the key initialize a 256-byte state vector S: S[0…255]
At all times S contains a permutation of the numbers 0, 1, …, 255 For encryption and decryption a byte k is selected from S and the
entries in S are permuted
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 22/30
April 4, 2006 22
RC4 – initialization of S
Initially S[i]=i, i=0,1,…,255 and create a temporary vector T of length256 – the key K is copied to T (if K has less than 256 bytes, repeat K
as many times as necessary to fill T)For i=0 to 255 doS[i]=i;T[i]=K[i mod keylen]
Use T to produce the initial permutation of S j=0;For i=0 to 255 do
j=(j+S[i]+T[i]) mod 256;
Swap(S[i],S[j]); Input key is never used after this initialization
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 23/30
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 24/30
April 4, 2006 24
Part II of the lecture: Block cipher modes of operation
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 25/30
April 4, 2006 25
Cipher modes of operation
Any block cipher is essentially just a monoalphabetic substitutioncipher using big characters (on 64 bits)
The same plaintext and the same key will always generate the sameciphertext – this may be exploited sometimes E.g., this may be exploited to break the header of a document if we
know its structure
Five modes of operation (originally for DES, applicable to anysymmetric cipher) have been defined Describe them briefly in the following
l d k d
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 26/30
April 4, 2006 26
Electronic Code Book (ECB) Mode
This is the simplest way to use the cipher: break the plaintext into64-bit blocks and encrypt each of them with the same key
The last block should be padded to 64-bit if it is shorter Note: same block and same key always yields same cipher block This can be easily attacked: replace one encrypted block with
another encrypted block if the structure of the document is known If the message always starts with a predefined header, then the attacker
may have a number of known plain-cipher pairs Alter the message without being able to break it: replace blocks,
rearrange them
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 27/30
April 4, 2006 27
Cipher Block Chaining Mode (CBC)
Devised to defeat the previous attack All cipherblocks will be chained so that if one is modified, the ciphertext
cannot be decrypted correctly (will only produce “garbage”)
Each plaintext block is XORed with the previous cipher block beforeencryption The first plaintext block is XORed with an initialization vector IV
Protect IV: e.g., send it encrypted in ECB mode
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 28/30
April 4, 2006 28
Cipher Feedback Mode (CFB)
CFB turns a symmetric cipher into a stream cipher
Use a shift register (64 bit for DES, 128 bit for AES, etc) that is initially set to an initializationvector IV (that can be sent as plain text)
Encrypt the content of the register, take leftmost byte of the cypher and XOR with the
current plaintext byte P – the result C is transmitted, register is left shifted with one byteand C is placed in the rightmost byte of the register Decryption works exactly the same way: note that one must use the encryption box here Note that if one bit is accidentally inverted in the transmission, the decryption will only be
ruined as long as the bit is in the register, i.e., only 64 bits will be affected
db k d
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 29/30
April 4, 2006 29
Output Feedback Mode (OFB)
(also known as Stream Cipher Mode)
If affecting 64 bits (for DES, 128 bits for AES) by one single inverted bit is too much for anapplication, use OFB
Encrypt an IV (that can be sent in plain) to get an output block; this block is themencrypted to get a second block, etc. – this is the keystream and it will be treated as aone-time pad and XORed with the plaintext to get the ciphertext
Keystream is independent of the data and can be computed in advance For decryption generate the same keystream using the IV and the key
1-bit error in the transmission only affects 1-bit in the ciphertext and in the decryption
C M d
8/7/2019 Cryptography - lecture6
http://slidepdf.com/reader/full/cryptography-lecture6 30/30
April 4, 2006 30
Counter Mode
Files are sometimes kept on computers in encrypted form All modes of operations except ECB make random access to the file impossible:
to access data at the end of the file one has to decrypt everything Counter Mode fixes this problem
Plaintext is not encrypted directly IV plus a constant is encrypted and the resulting ciphertext is XORed with the
plaintext – add 1 to IV in each step Note: if the same IV is used twice with the same key, then cryptanalyst may
XOR the ciphers to get the XOR of the plaintexts – this could be used in anattack IV must be random! Encryption/decryption in parallel for multiple blocks Simple: decryption algorithm not needed
Random access to the file