Security Fundamentals (2) Encryption mechanisms
Le Trong Ngoc
4/2011
2-5 MODERN BLOCK CIPHERS
A symmetric-key modern block cipher encrypts an n-bit block of plaintext or decrypts an n-bit block of ciphertext. The encryption or decryption algorithm uses a k-bit key.
A modern block cipher can be designed to act as a substitution cipher or a transposition cipher.
To be resistant to exhaustive-search attack, a modern block cipher needs to be designed as a substitution cipher.
Full-Size Key Transposition Block Ciphers
In a full-size key transposition cipher, we need to have n! possible keys, so the key should have ⌈log2 n!⌉ bits.
Full-Size Key Substitution Block Ciphers
A full-size key substitution cipher does not transpose bits; it substitutes bits. We can model the substitution cipher as a permutation if we can decode the input and encode the output.
A full-size key n-bit transposition cipher or a substitution block cipher can be modeled as a permutation, but their key sizes are different:
Transposition: the key is ⌈log2 n!⌉ bits long.
Substitution: the key is ⌈log2 (2^n)!⌉ bits long.
A partial-key cipher is a group under the composition operation if it is a subgroup of the corresponding full-size key cipher.
Modern block ciphers normally are keyed substitution ciphers in which the key allows only partial mappings from the possible inputs to the possible outputs.
P-Boxes
A P-box (permutation box) parallels the traditional transposition cipher for characters. It transposes bits.
Three types of P-boxes
S-Box
An S-box (substitution box) can be thought of as a miniature substitution cipher.
An S-box is an m × n substitution unit, where m and n are not necessarily the same.
In an S-box with three inputs and two outputs, we have
The S-box is linear because a1,1 = a1,2 = a1,3 = a2,1 = 1 and a2,2 = a2,3 = 0. The relationship can be represented by matrices, as shown below:
In an S-box with three inputs and two outputs, we have
where multiplication and addition are in GF(2). The S-box is nonlinear because there is no linear relationship between the inputs and the outputs.
An S-box may or may not be invertible. In an invertible S-box, the number of input bits should be the same as the number of output bits.
An important component in most block ciphers is the exclusive-or operation.
Invertibility of the exclusive-or operation
The five properties of the exclusive-or operation in the GF(2^n) field make this operation a very interesting component for use in a block cipher: closure, associativity, commutativity, existence of identity, and existence of inverse.
Another component found in some modern block ciphers is the circular shift operation.
Circular shifting an 8-bit word to the left or right
Swap
The swap operation is a special case of the circular shift operation where k = n/2.
Swap operation on an 8-bit word
Split and Combine
Two other operations found in some block ciphers are split and combine.
Split and combine operations on an 8-bit word
Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining substitution, permutation, and other components discussed in previous sections.
Diffusion
The idea of diffusion is to hide the relationship between the ciphertext and the plaintext.
Diffusion hides the relationship between the ciphertext and the plaintext.
Confusion
The idea of confusion is to hide the relationship between the ciphertext and the key.
Confusion hides the relationship between the ciphertext and the key.
Rounds
Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components.
Diffusion and confusion in a block cipher
Modern block ciphers are all product ciphers, but they are divided into two classes.
1. Feistel ciphers
2. Non-Feistel ciphers
Feistel Ciphers
Feistel designed a very intelligent and interesting cipher that has been used for decades. A Feistel cipher can have three types of components: self-invertible, invertible, and noninvertible.
The first thought in Feistel cipher design
Improvement of the previous Feistel design
Final design of a Feistel cipher with two rounds
Non-Feistel Ciphers
A non-Feistel cipher uses only invertible components. A component in the encryption cipher has the corresponding component in the decryption cipher.
Attacks on Block Ciphers
Attacks on traditional ciphers can also be used on modern block ciphers, but today’s block ciphers resist most of the attacks.
Differential Cryptanalysis
Eli Biham and Adi Shamir introduced the idea of differential cryptanalysis. This is a chosen-plaintext attack.
Differential input/output
Differential distribution table
Differential cryptanalysis is based on a nonuniform differential distribution table of the S-boxes in a block cipher.
Linear Cryptanalysis
Linear cryptanalysis was presented by Mitsuru Matsui in 1993. The analysis uses known plaintext attacks.
In some modern block ciphers, it may happen that some S-boxes are not totally nonlinear; they can be approximated, probabilistically, by some linear functions.
where 1 ≤ x ≤ m, 1 ≤ y ≤ n, and 1 ≤ z ≤ n.
2-6 MODERN STREAM CIPHERS
In a modern stream cipher, encryption and decryption are done r bits at a time. We have a plaintext bit stream P = p_n…p_2 p_1, a ciphertext bit stream C = c_n…c_2 c_1, and a key bit stream K = k_n…k_2 k_1, in which p_i, c_i, and k_i are r-bit words.
In a modern stream cipher, each r-bit word in the plaintext stream is enciphered using an r-bit word in the key stream to create the corresponding r-bit word in the ciphertext stream.
Stream cipher
In a synchronous stream cipher the key is independent of the plaintext or ciphertext.
One-time pad
What is the pattern in the ciphertext of a one-time pad cipher in each of the following cases?
a. The plaintext is made of n 0’s.
b. The plaintext is made of n 1’s.
c. The plaintext is made of alternating 0’s and 1’s.
d. The plaintext is a random string of bits.
Feedback shift register (FSR)
Create a linear feedback shift register with 5 cells in which b5 = b4 ⊕ b2 ⊕ b0.
Create a linear feedback shift register with 4 cells in which b4 = b1 ⊕ b0. Show the value of output for 20 transitions (shifts) if the seed is (0001)2.
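Both register exercises can be worked with one simulator. This is an added example, not part of the original slides; it assumes the register shifts right, outputs b0 on each transition and loads the feedback bit into the leftmost cell. The function names and the seed used for the 5-cell register are chosen here.

```python
def lfsr_run(seed: str, taps: tuple, steps: int):
    """Run an n-cell LFSR for `steps` transitions.

    seed -- cell contents written as b_{n-1} ... b_1 b_0, e.g. "0001"
    taps -- indices of the cells XORed together to form the feedback bit b_n
    Returns (keystream, states): one output bit and one new state per shift.
    """
    n = len(seed)
    cells = [int(ch) for ch in seed]        # cells[0] = b_{n-1}, cells[-1] = b_0
    keystream, states = [], []
    for _ in range(steps):
        feedback = 0
        for t in taps:
            feedback ^= cells[n - 1 - t]    # b_t sits n-1-t places from the left
        keystream.append(cells[-1])         # b_0 leaves the register as output
        cells = [feedback] + cells[:-1]     # shift right, b_n enters on the left
        states.append("".join(map(str, cells)))
    return "".join(map(str, keystream)), states


def period(seed: str, taps: tuple) -> int:
    """Transitions until the register returns to the seed (0 if it never does)."""
    limit = 2 ** len(seed)                  # an n-cell register has only 2^n states
    _, states = lfsr_run(seed, taps, limit)
    return states.index(seed) + 1 if seed in states else 0


# 4-cell exercise: b4 = b1 XOR b0, seed (0001)2, 20 transitions.
STREAM_4, STATES_4 = lfsr_run("0001", (1, 0), 20)
PERIOD_4 = period("0001", (1, 0))

# 5-cell register: b5 = b4 XOR b2 XOR b0. The seed 00001 is constructed here.
STREAM_5, _ = lfsr_run("00001", (4, 2, 0), 20)
PERIOD_5 = period("00001", (4, 2, 0))

if __name__ == "__main__":
    print("4-cell key stream:", STREAM_4, "period", PERIOD_4)
    print("5-cell key stream:", STREAM_5, "period", PERIOD_5)
    # An n-cell LFSR can never exceed a period of 2^n - 1, so the key stream
    # of the 4-cell register repeats after at most 15 bits.
```

The 4-cell register reaches the maximum period of 15; the 5-cell register repeats after 15 bits as well, short of the 31 that five cells could give, because of the taps chosen.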
In a nonsynchronous stream cipher, each key in the key stream depends on previous plaintext or ciphertext.
In a nonsynchronous stream cipher, the key depends on either the plaintext or ciphertext.
2-7 Data Encryption Standard
In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem. A proposal from IBM, a modification of a project called Lucifer, was accepted as DES. DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS).
Find the output of the initial permutation box when the input is given in hexadecimal as:
DES uses 16 rounds. Each round of DES is a Feistel cipher.
The S-boxes do the real mixing (confusion).
The input to S-box 1 is 100011. What is the output?
Straight permutation table
Cipher and Reverse Cipher
First Approach
To achieve this goal, one approach is to make the last round (round 16) different from the others; it has only a mixer and no swapper.
Alternative Approach
We can make all 16 rounds the same by including one swapper in the 16th round and adding an extra swapper after that (two swappers cancel the effect of each other).
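The Feistel structure from section 2-5 (self-invertible mixer and swapper around a noninvertible round function) and the two round-16 approaches above can be checked on a toy network. This is an added example, not part of the original slides and not DES: the round function, round keys and plaintext are constructed here, and the cipher is not secure.

```python
ROUNDS = 16
HALF = 32                          # bits per half; the block is 64 bits
MASK = (1 << HALF) - 1


def f(right: int, key: int) -> int:
    """Noninvertible round function: the AND throws away half of the bits."""
    x = (right ^ key) & 0x0F0F0F0F
    return ((x << 7) | (x >> (HALF - 7))) & MASK    # circular left shift by 7


def mixer(block: int, key: int) -> int:
    """L' = L xor f(R, K), R' = R. Self-invertible because of the XOR."""
    left, right = block >> HALF, block & MASK
    return ((left ^ f(right, key)) << HALF) | right


def swapper(block: int) -> int:
    """Swap the halves: a circular shift by n/2 bits. Self-invertible."""
    return ((block << HALF) | (block >> HALF)) & ((1 << 2 * HALF) - 1)


def encrypt_first(block: int, round_keys) -> int:
    """First approach: the last round has a mixer but no swapper."""
    for i, key in enumerate(round_keys):
        block = mixer(block, key)
        if i != len(round_keys) - 1:
            block = swapper(block)
    return block


def encrypt_alternative(block: int, round_keys) -> int:
    """Alternative approach: identical rounds, then one extra swapper."""
    for key in round_keys:
        block = swapper(mixer(block, key))
    return swapper(block)


def decrypt(block: int, round_keys) -> int:
    """Reverse cipher: the same network with the round keys in reverse order."""
    return encrypt_first(block, round_keys[::-1])


# Constructed sample values.
ROUND_KEYS = [(0x9E3779B9 * (i + 1)) & MASK for i in range(ROUNDS)]
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    c = encrypt_first(PLAINTEXT, ROUND_KEYS)
    print(f"ciphertext  {c:016x}")
    print(f"alternative {encrypt_alternative(PLAINTEXT, ROUND_KEYS):016x}")
    print(f"decrypted   {decrypt(c, ROUND_KEYS):016x}")
    # f itself cannot be undone: two different inputs give the same output.
    print("f collision:", f(0x00, 0) == f(0x10, 0))
```

Decryption never has to invert f; it only recomputes f on the unchanged half and XORs it out again.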
Key generation
Parity-bit drop table
Number of bit shifts
Key-compression table
2-8 DES ANALYSIS AND SECURITY
Critics have used a strong magnifier to analyze DES. Tests have been done to measure the strength of some desired properties in a block cipher.
Two desired properties of a block cipher are the avalanche effect and the completeness.
To check the avalanche effect in DES, let us encrypt two plaintext blocks (with the same key) that differ only in one bit and observe the differences in the number of bits in each round.
Completeness effect
Completeness effect means that each bit of the ciphertext needs to depend on many bits of the plaintext.
Design Criteria
S-Boxes
The design provides confusion and diffusion of bits from each round to the next.
P-Boxes
They provide diffusion of bits.
Number of Rounds
DES uses sixteen rounds of Feistel ciphers. The ciphertext is thoroughly a random function of plaintext and ciphertext.
During the last few years critics have found some weaknesses in DES.
Weaknesses in Cipher Design
1. Weaknesses in S-boxes
2. Weaknesses in P-boxes
3. Weaknesses in Key
The major criticism of DES regards its key length. Fortunately DES is not a group. This means that we can use double or triple DES to increase the key size.
Security of DES
DES, as the first important block cipher, has gone through much scrutiny. Among the attempted attacks, three are of interest: brute-force, differential cryptanalysis, and linear cryptanalysis.
Brute-Force Attack
We have discussed the weakness of short cipher key in DES. Combining this weakness with the key complement weakness, it is clear that DES can be broken using 2^55 encryptions.
Differential Cryptanalysis
It has been revealed that the designers of DES already knew about this type of attack and designed S-boxes and chose 16 as the number of rounds to make DES specifically resistant to this type of attack.
Linear Cryptanalysis
Linear cryptanalysis is newer than differential cryptanalysis. DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis. S-boxes are not very resistant to linear cryptanalysis. It has been shown that DES can be broken using 2^43 pairs of known plaintexts. However, from the practical point of view, finding so many pairs is very unlikely.