Darshan Institute of Engineering & Technology Page Information Security (IS) UNIT-2 Conventional Encryption Techniques

Transcription

1 Q 1. Draw and explain Feistel s structure for encryption and decryption. The exact realization of Feistel network depends on the choice of which parameters? Feistel cipher is based on the idea that instead of using Ideal block cipher which degrades performance, a substitution-permutation network can be used. Feistel Cipher Encryption The inputs to the encryption algorithm are a plaintext block of length b bits and a key K. The plaintext block is divided into two halves. The two halves of the data pass through rounds of processing and then combine to produce the ciphertext block. Each round has as inputs and derived from the previous round, as well as a subkey derived from the overall K. Any number of rounds could be implemented and all rounds have the same structure. A substitution is performed on the left half of the data. This is done by applying a round function F. The Round Function F: F takes right-half block of previous round and a subkey as input. The output of the function is XORed with the left half of the data. Left and right halves are then swapped. Feistel Cipher Decryption The process of decryption with a Feistel cipher is same as the encryption process. The ciphertext is input to the algorithm and the subkeys are used in reverse order. That is, subkey of the last round in encryption is used in the first round in decryption, second last in the second round, and so on. The exact realization of a Feistel network depends on the choice of the following parameters: Block size: Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm. Traditionally, a block size of 64 bits is used which gives enough security without greatly affecting the speed. Darshan Institute of Engineering & Technology Page 1

2 Key size: Larger key size means greater security but may decrease encryption/ decryption speed. The greater security is achieved by greater resistance to brute-force attacks and greater confusion. Key sizes of 64 bits or less are now widely considered to be inadequate, and 128 bits has become a common size. Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security. A typical size is 16 rounds. Sub key generation algorithm: Greater complexity in this algorithm leads to greater difficulty of cryptanalysis. Round function F: Again, greater complexity generally means greater resistance to cryptanalysis. There are two other considerations in the design of a Feistel cipher: Fast software encryption/decryption: In many cases, encryption is embedded in applications implementation (as software). Accordingly, the speed of execution of the algorithm becomes a concern. Ease of analysis: Although we would like to make our algorithm as difficult as possible to cryptanalyze, there is great benefit in making the algorithm easy to analyze. Thus, it will be easier to analyze that algorithm for cryptanalytic. Q 2. Write a note on block cipher design principles. The followed criteria need to be taken into account when designing a block cipher: Number of Rounds: The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a weak function. The number of rounds is chosen so that efforts required to crypt analyze it becomes greater than a simple brute-force attack. Design of Function F: F should be nonlinear and should satisfy strict avalanche criterion (SAC) and bit independence criterion (BIC). S-Box Design: S-Box obviously should be non-linear and should satisfy SAC, BIC and Guaranteed Avalanche criteria. One more obvious characteristic of the S-box is its size. Larger S-Boxes provide good diffusion but also result in greater look-up tables. Hence, general size is 8 to 10. Key Generation Algorithm: With any Feistel block cipher, the key is used to generate one sub key for each round. In general, sub keys should be selected such that it should be deduce sub keys from one another or main key from the sub key. Q 3. Explain the following algorithms in detail: a) Data Encryption Standard(DES) b) Double and Triple DES c) International Data Encryption Algorithm(IDEA) d) Blowfish e) RC-5 f) RC-2 g) CAST-128 Data Encryption Standard(DES) DES encrypts 64-bit blocks using a 56-bit key and produces a 64-bit ciphertext. The same steps, with the same key, are used to reverse the encryption with the order of the keys reversed. The DES is widely used. Darshan Institute of Engineering & Technology Page 2

3 DES Encryption The DES encryption is shown in the figure below: Encryption function has two inputs: the plaintext to be encrypted and the key. The processing of the plaintext proceeds in three phases. o The 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input. o The permuted output is then passed through sixteen rounds of the same function, which involves both permutation and substitution functions. The left and right halves from the last round are swapped to produce preoutput. o The preoutput is passed through a permutation that is the inverse of the initial permutation function, to produce the 64-bit cipher text. The right-hand portion of the figure shows the way in which the 56-bit key is used. o Initially, the key is passed through a permutation function. o Then, a sub key (k i ) is produces for each of the sixteen rounds by the combination of a left circular shift and a permutation. o The permutation function is the same for each round, but a different sub key is produced because of the repeated shifts of the key bits. Initial Permutation The initial permutation and its inverse are defined by tables. The tables are to be interpreted as follows. o The input to a table consists of 64 bits numbered from 1 to 64. o The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. o Each entry in the permutation table indicates the position of a input bit in the output. Inverse permutation table nullifies the effect of initial permutation. Darshan Institute of Engineering & Technology Page 3

4 Details Of Single Round The figure shows the internal structure of a single round. The left and right halves are treated as separate 32-bit quantities, labeled L (left) and R (right). The overall processing at each round can be summarized as: L i = R i -1 R i = L i -1 { F(R i -1, K i ) Expansion: The 32-bit input is first expanded to 48 bits. o 32 bits of input are split into groups of 4 bits. o Each group is written as groups of 6 bits by taking the outer bits from the two adjacent groups. For example... efgh ijkl mnop... is expanded to... defghi hijklm lmnopq... The resulting 48 bits are XORed with K i. Substitution: This 48-bit result is input to S-Boxes that perform a substitution on input and produces a 32-bit output. o DES consists of a set of eight S-boxes. o Each S-Box takes 6 bits as input and produces 4 bits as output. o The first and last bits of the input to box form a 2-bit binary number which gives the binary value of row number. o The middle four bits select one of the sixteen columns. o The decimal value in the cell selected by the row and column is then converted to its 4-bit binary number to produce the output. o For example, in S1, for input , the row is 01 (row 1) and the column is 1100 (column 12).The value in row 1, column 12 is 9, so the output is The result is again permuted using a permutation table. Key Generation: A 64-bit key is used as input to the algorithm while only 56 bits are actually used. Every eighth bit is ignored. Sub-keys at each round are generated as given below: o The key is first permuted using a table named Permuted Choice One. o The resulting 56-bit key is divided into two 28-bit quantities, C 0 and D 0. At each round, C i-1 and D i-1 are separately subjected to a circular left shift of 1 or 2 bits, as governed by Darshan Institute of Engineering & Technology Page 4

5 a table. o These shifted values are forwarded to the next round. They are also input to a permutation table-permuted Choice Two. o The table produces a 48-bit output that serves as the round key k i. DES Decryption Decryption in DES is same as encryption, except that the subkeys are used in reverse order. Strength of DES The Use of 56-Bit Keys DES has been developed from LUCIFER which used 128-bit keys. As a result, DES with only 56-bit key-length is considered insecure and devices have been proposed time and again showing that DES is no longer secure. The Nature of the DES The only non-linear part of DES is the S-Boxes, design of which was not made public. If someone is able to find weakness in S-Box, then attack on DES is possible. Characteristics of the algorithm can be exploited as the algorithm is based on linear functions. Algorithm Timing Attacks In this type of attack, the attacker exploits the fact that any algorithm takes different amount of time for different data. Double DES DES is vulnerable to a brute-force attack, so various alternatives have been considered, one of which is multiple encryptions. The simplest form of multiple encryptions has two encryption stages and two keys and is known as Double DES. Given a plaintext P and two encryption keys K 1 and K 2, cipher text C is generated as: C = E(K 2, E(K 1, P)) Decryption applies keys in reverse order: P = D(K 1, D(K 2, C)) This scheme involves a key length of 56 * 2 = 112 bits, making Brute-Force attack impractical. However, other types of attacks are possible: o Reduction to a Single Stage: If it is possible to find a key such that E(K 2, E(K 1, P)) = E(K 3, P) then double encryption, or any number of stages of multiple encryption with DES, would be useless because the result would be equivalent to a single encryption with a single 56- bit key. However, by the principle of reverse mapping, such a key is not possible. o Meet-In-The-Middle Attack: This attack is based on the on the observation that if: Darshan Institute of Engineering & Technology Page 5

6 C = E(K 2, E(K 1, P)), then X = E(K 1, P) = D(K 2, C) Given a known (P, C) pair, the attack proceeds as follows: First, encrypt P for all 2 56 possible values of K 1. Store these results in a table and then sort the table by the values of X. Decrypt C using all 2 56 possible values of K 2. Check the result against the table for a match after every decryption. If a match occurs, then test the two resulting keys against a new known plaintext ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys. For any given plaintext, 2 48 false alarms are possible since there are only 2 64 ciphertext values whereas key values. Thus, the order of attack can be reduced to 2 48 instead of Triple DES Triple DES with Two Keys An alternative to the meet-in-the-middle attack is to use three stages of encryption with three or two different keys. The function follows an encrypt-decrypt-encrypt (EDE) sequence. C = E(K1, D(K2, E(K1, P))) P = D(K1, E(K2, D(K1, C))) 3DES with two keys is a relatively popular alternative to DES. Currently, there are no practical cryptanalytic attacks on 3DES. Brute-force key search on 3DES is on the order of and the cost of differential cryptanalysis also has an exponential growth, compared to single DES. Several proposed attacks (though impractical) on 3DES are: o Chosen-plaintext attack: Find plaintext values that gives A = 0. Then, use the meet-in-themiddle attack to determine the two keys. However, this attack requires 2 56 chosen plaintext-cipher text pairs which is impractical. o Known-plaintext attack: This method does not require chosen plaintext-cipher text pairs but requires more effort. The attack is based on the observation that if an attacker knows A and C, then the problem reduces to that of an attack on double DES. The attack is as follows: The attacker obtains n(p, C) pairs places them in Table 1 sorted on the values of P. For an arbitrary value a for A, calculate the plaintext value that produces: P i = D(i, a) For each P i that matches an entry in Table 1, create an entry in Table 2 that contains value of K 1 and b that is obtained by decrypting the corresponding cipher text from Table 2. B = D(i, C) Darshan Institute of Engineering & Technology Page 6

7 Table 2 contains a number of candidate values of K i. Now, for each of the 2 56 possible values of K 2, calculate the second intermediate value for our chosen value of a: B j = D(j, a) At each step, look up B j in Table 2. If there is a match, then the corresponding key i from Table 2 plus this value of j are candidate values for the unknown keys (K 1, K 2 ). Test each candidate pair of keys on a few other plaintext cipher text pairs. If a pair of keys produces the desired cipher text, the task is complete. If no pair succeeds, repeat from step 1 with a new value of a. Triple DES with Three Keys Although the attacks just described appear impractical, anyone using two-key 3DES may feel some concern. In that case, three-key 3DES is the preferred alternative. Three-key 3DES has an effective key length of 168 bits and is defined as: C = E(K 3, D(K 2, E(K 1, P))) Backward compatibility with DES is provided by putting K 3 = K 1 or K 1 = K 3. A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME. International Data Encryption Algorithm (IDEA) Features IDEA is publicly known and easily understandable. Due to the simplicity of the operations used in this algorithm, it can be economically implemented in electronic components. As result, its hardware implementation is extremely fast and cheap and consumes low power. A distinct feature of this algorithm is that it completely avoids look-up tables and S-Boxes. To avoid fraud and piracy, this algorithm is patent protected. This algorithm uses operations from three different algebraic groups viz. bitwise X-OR, modulo addition and multiplication. IDEA supports all the modes of operation. Encryption IDEA is a block cipher with input of 64-bits. Key size is 128-bits. Encryption consists of eight identical rounds also known as encryption rounds followed by one output transformation round. Input is divided into four 16-bit blocks. Two blocks are combined with two 16-bit key blocks using addition modulo 2 16 and other two plaintext blocks are combined with key blocks using multiplication modulo Two more 16-bit key blocks are used in modulo multiplication and addition as shown in the figure. At the end of the first round, four 16-bit values are produced which are input to the next round. The same process is repeated 7 more times using a different key-block every time. During the subsequent output transformation, the four 16-bit values produced at the end of the 8 th encryption round are combined with the last four of the 52 key sub-blocks using addition modulo 2 16 and multiplication modulo to form the resulting four 16-bit cipher Darshan Institute of Engineering & Technology Page 7

8 text blocks. Decryption Figure : IDEA Encryption Decryption is same as encryption except that different key-blocks are used. Key Generation A total of 52 (6 keys in each of the first eight rounds and 4 keys in last round) different 16-bit sub-blocks have to be generated from the 128-bit key. Encryption Keys: The fifty two 16-bit key sub-blocks are generated from the 128-bit key as given below: o The 128-bit key is partitioned into eight 16-bit sub-blocks. These are directly used as the first eight key sub-blocks. o The 128-bit key is cyclically shifted to the left by 25 positions. The resulting 128-bit block is again partitioned into eight 16-bit sub-blocks to be used as the next eight key sub-blocks. o The cyclic shift procedure described above is repeated until all of the required fifty two 16- bit key sub-blocks have been generated. Round Encryption Keys Decryption Keys (1) (1) (1) (1) (1) (1) (9)-1 (9) (9) 1 Z 1 Z 2 Z 3 Z 5 Z 6 Z 1 -Z 2 -Z 3 2 Z 1 (2) (3) 3 Z 1 (4) 4 Z 1 5 Z 1 (5) 6 Z 1 (6) 7 Z 1 (7) 8 Z 1 (8) 9 Z 1 (9) (2) Z 2 (2) Z 3 (2) (2) Z 5 (2) Z 6 (3) Z 2 (3) Z 3 (3) (3) Z 5 (3) Z 6 (4) Z 2 (4) Z 3 (4) (4) Z 5 (4) Z 6 (5) Z 2 (5) Z 3 (5) (5) Z 5 (5) Z 6 (6) Z 2 (6) Z 3 (6) (6) Z 5 (6) Z 6 (7) Z 2 (7) Z 3 (7) (7) Z 5 (7) Z 6 (8) Z 2 (8) Z 3 (8) (8) Z 5 (8) Z 6 (9) Z 2 (9) Z 3 (9) (9)-1 (8) Z 5 (8) Z 6 (8)-1 Z 1 (8) -Z 3 (8) -Z 2 (8)-1 (7) Z 5 (7) Z 6 (7)-1 Z 1 (7) -Z 3 (7) -Z 2 (7)-1 (6) Z 5 (6) Z 6 (6)-1 Z 1 (6) -Z 3 (6) -Z 2 (6)-1 (5) Z 5 (5) Z 6 (5)-1 Z 1 (5) -Z 3 (5) -Z 2 (5)-1 (4) Z 5 (4) Z 6 (4)-1 Z 1 (4) -Z 3 (4) -Z 2 (4)-1 (3) Z 5 (3) Z 6 (3)-1 Z 1 (3) -Z 3 (3) -Z 2 (3)-1 (2) Z 5 (2) Z 6 (2)-1 Z 1 (2) -Z 3 (2) -Z 2 (2)-1 (1) Z 5 (1) Z 6 (1)-1 Z 1 (1) -Z 2 (1) -Z 3 (1)-1 Decryption keys: Each of the bit key sub-blocks used for decryption is either inverse or negative of the key sub-block used during encryption. Also, the key sub-blocks must be used in the reverse order during decryption. Darshan Institute of Engineering & Technology Page 8

9 Blowfish Blowfish is a symmetric block cipher algorithm which is public domain, secure and lightweight. Notable features of Blowfish include key-dependent S-Boxes and a highly complex key schedule. This algorithm is fast. And Blowfish has a very low memory requirement and uses simple operations that are efficient on microprocessors. This algorithm is suitable for applications where the key does not change often as the key schedule is highly complex and time consuming. This algorithm has no linear structure and hence is more secure against cryptanalysis. There is no effective cryptanalysis on the full-round version of Blowfish. It includes bitwise X-OR, addition modulo 2 32 and S-Box look-up. Encryption The encryption process is shown in the figure below: The algorithm takes a 64-bit input and uses a key varying from 32 to 448 bits. Keys are precomputed. Input is divided into two halves. Left half is X-ORed with first element of P-array P 1 and the right half is X-ORed with the output of the round function. Left and right halves are then swapped to give left and right halves that are fed to the next round. Same process is repeated 16 times. The left output of the 16 th round is X-ORed with P 18 and the other output is X-ORed with P 17. The result is then combined to produce 64-bit cipher text. Darshan Institute of Engineering & Technology Page 9

10 Round Function The function divides a 32-bit input into four groups of 8 bits. Each group is input to an S-Box which takes in 8-bit input and gives out 32-bit output. The output of S-Boxes are then added and X-ORed as shown in the figure below to produce the output. Generating the Sub keys The P-array and S-array values used by Blowfish are precomputed based on the user's key. After computing P and S arrays, the user's may be discarded. The P-array and S-array need to be recomputed only when the key changes and they must be kept secret. The sub keys are calculated using the Blowfish algorithm: 1) Initialize first the P-array and then the four S-boxes with hexadecimal digits of pi except the initial 3. 2) XOR P1 with the first 32 bits of the key, XOR P2 with the second 32-bits of the key, and so on for all bits of the key. 3) Repeatedly cycle the key bits until the entire P-array has been XORed with key bits. 4) Encrypt a message with all zeroes with the Blowfish algorithm, using the sub keys described in steps (1) and (2). 5) Replace P1 and P2 with the output of step (4). 6) Encrypt the output of step (4) using the Blowfish algorithm with the modified sub keys. 7) Replace P3 and P4 with the output of step (6). 8) Continue the process, replacing all entries of the P array, and then all four S-boxes. RC-2 RC-2 has a very simple design and is 3 times faster than DES. This algorithm does not use S-Boxes. This algorithm is used in S/MIME. This algorithm has a total of 18 rounds 16 mixing rounds and 2 mashing rounds. RC-2 is a 64-bit block cipher with a variable key size of bits in 8-bit increment. Default size is 64 bits. RC-2 Encryption The 64-bit input is split into 4 16-bit words, R[0], R[1], R[2], R[3]. Key is expanded to get bit words, K[0], K[1],, K[63]. Initialize a variable j to 0. Perform 5 mixing rounds followed by 1 mashing round. It is followed by 6 more mixing rounds, then 1 mashing rounds and again 5 mixing rounds. Darshan Institute of Engineering & Technology Page 10

11 Each mixing round uses 4 keywords and mashing rounds uses keywords that vary from encryption to encryption. Mixing round One-fourth part of a mixing round is shown in the figure below. When this process is repeated four times, a single mixing round is completed. The mix operation adds a combination of other data words and one keyword to each data word. Operations of mixing round can be given by the expression: R[i] = R[i] + K[j] + ((R[i-1] & R[i-2]) + (~R[i-1] & R[i-3])) R[i] = R[i] <<< S[i]; left shift by S[i] bits j = j + 1 Mashing round The mashing operation chooses 4 random sub keys based on the value of current data words and adds them to the data word. A mash operations can be expressed as: R[i] = R[i] + K[R[i-1 % 64]] Decryption Decryption is just the reverse of encryption. Decryption uses the reverse encryption operations and has R-mixing and R-mashing rounds. R-mixing round j is initialized to 63. This round can be expresses as: R[i] = R[i] >>> S[i]; right shift by S[i] bits R[i] = R[i] ((R[i-1] & R[i-2]) (~R[i-1] & R[i-3])) K[j] j = j - 1 R-mashing round The expression for this round is: R[i] = R[i] K[R[i-1] % 64]] A related key attack has been proposed for RC-2. However, it need 2 34 chosen plaintexts and hence is impractical and RC-2 is secure at least in near future. Darshan Institute of Engineering & Technology Page 11

12 RC-5 RC-5 has a variable block size (32, 64, 128), key size ( bits) and number of rounds (0 255). Most common values for block size, key size and number of rounds is 64 bits, 128 bits and 12 respectively. This algorithm is very fast and has a low memory requirement. This algorithm has a data dependent rotation which strengthens the algorithm against cryptanalysis. Operations used in the algorithm are rotation, X-OR, addition and subtraction modulo 2 w. Encryption Data words are divided into 2 parts. Left and right half are added with S[0] and S[1] respectively. Each half is then subjected to the following round operations: o X-OR with other half. o Rotate data (left/ right half) based on the other half. o Add subsequent S-array element. A single encryption round and the initial addition is shown below. Entire encryption algorithm can be depicted by the following expressions: A = A + S[0] B = B + S[1] for i = 1 to r (r = no of rounds) A = (A B) <<< B) + S[2*i]; <<< B is left shift based on B B = (B A) <<< A) + S[2*i + 1] Decryption Decryption is just the reverse of encryption and can be expressed as: for i = r to 1 (r = no of rounds) B = ((B S[2*i + 1]) >>> A) A; >>> A is right shift based on A A = ((A S[2*i]) >>> B) B B = B - S[1] A = A - S[0] Darshan Institute of Engineering & Technology Page 12

13 Key expansion User s secret key is expanded to fill S-array of size t = 2(r + 1). Define magic constants P w and Q w. P w = Odd((e 2)2 w ); e = 2.71 Q w = Odd(( 1)2 w ); = 1.61 Convert the secret key K[0] to K[b-1] from bytes to words and copy it into L-array, L[0] to L[c- 1]. b is the size of key in bytes and c is the size of L-array obtained by dividing the key size by number of bytes in a word. Initialize S-array in the following way: S[0] = P w for I = 1 to (t-1) S[i] = S[i-1] + Q w Mix the secret key with S-array and L-array. i = j = 0 A = B = 0 for i = 1 to 3 * max(t, c) A = S[i] = (S[i] + A + B) <<< 3; <<< 3 denotes left shift by 3 bits. B = L[j] = (L[j] + A + B) <<< (A + B); i = (i + 1) mod t j = (j + 1) mod c 12 round RC-5 is prone to differential attack but it needs 2 44 chosen cipher texts, hence impractical. CAST-128 Generally, for greater security RC-5 with 18 to 20 rounds is used. CAST-128 is a 64-bit block cipher and it supports variable key-size ( in 8-bit increments like 40, 48, 56 and so on). Components include large 8 32-bit S-boxes, key-dependent rotations, modular addition and subtraction, and XOR operations. There are three alternating types of round function which are similar in structure but differ only in the choice of the exact operation (addition, subtraction or XOR) at various points. CAST-128 is a 12 or 16-round Feistel network. If key size is less than 80 bits, 12 rounds are used else full 16 rounds are used. CAST-128 is a cryptographically-strong, freely-available encryption algorithm. Darshan Institute of Engineering & Technology Page 13

14 Encryption The CAST-128 encryption is shown in the figure: Compute 16 pairs of sub keys {K mi, K ri } from K. Split the plaintext into left and right 32-bit halves. There are 3 different rounds which are repeated alternately and the data halves are processed in the following way. L i = R i-1 R i = L i-1 ^ f(r i-1,k mi,k ri ), where f is round function. Swap the left and right halves obtained from the final round. These are combined to form cipher text. Decryption is same as encryption except that rounds are used in reverse order. Key Generation CAST-128 key generation includes splitting the input keys and passing it through a large series of S-box look-ups. CAST-128 uses a pair of sub keys per round: a 32-bit quantity Km is used as a "masking" key and a 5-bit quantity Kr is used as a "rotation" key. Variable Key size: The CAST-128 encryption algorithm has been designed to allow a key size that can vary from 40 bits to 128 bits. The specifications for the use of variable key size are as follows: o For key sizes up to and including 80 bits (i.e., 40, 48 72, 80 bits), the algorithm uses 12 Darshan Institute of Engineering & Technology Page 14

15 rounds instead of 16. o For key sizes greater than 80 bits, the algorithm uses the full 16 rounds. o For key sizes less than 128 bits, the key is padded with zero bytes (in the rightmost positions) out to 128 bits Non-identical rounds and Round function Input is split into 4 8-bit blocks, I a, I b, I c and I d. Three different round functions are used in CAST-128. The rounds are as follows: o Type 1: Input = ((K mi + R i-1 ) <<< K ri ) f = ((S 1 [I a ] ^ S 2 [I b ]) - S 3 [I c ]) + S 4 [I d ] o Type 2: Input = ((K mi ^ R i-1 ) <<< K ri ) f = ((S 1 [I a ] - S 2 [I b ]) + S 3 [I c ]) ^ S 4 [I d ] o Type 3: Input = ((K mi - R i-1 ) <<< K ri ) f = ((S 1 [I a ] + S 2 [I b ]) ^ S 3 [I c ]) - S 4 [I d ] where "+" and "-" are addition and subtraction modulo 2 32 "^" is bitwise XOR "<<<" is the circular left-shift operation. Rounds 1, 4, 7, 10, 13, and 16 use function of Type 1. Rounds 2, 5, 8, 11, and 14 use function of Type 2. Rounds 3, 6, 9, 12, and 15 use function of Type 3. Substitution Boxes: CAST-128 uses eight substitution boxes: S-boxes S1, S2, S3, and S4 are used in encryption-decryption while S5, S6, S7, and S8 are used in key schedule algorithm. This algorithm is resistant to linear and differential attacks. Q 4. Explain S-box. What is the purpose of S-boxes in DES? Figure: Calculation of F(R, K) The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. S-boxes: These are the only non-linear part of DES and it secures the algorithm against differential cryptanalysis. Darshan Institute of Engineering & Technology Page 15

16 They are typically used to obscure the relationship between the key and the cipher text to provide confusion. The permutation P spreads the bits as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving "diffusion". There are 8 S-boxes or substitution boxes. An S-box is a table that consists of four rows and 16 columns. They take in 6-bits and produce 4-bits. The 48-bit input is divided into groups of 6-bits each to form a total of 8 groups. Each group is fed to S-box. The 6-bits are represented in binary form. The two outer bits (the first and the last bit) represents the row (one of the four rows) and the inner four bits represent the columns (one of the 16 columns). The cell where the row and the column meet represents the value of the output. For example if the input to an S-box is , the first and last digits 00 = the row (Row 0). The inner four digits 1010= the column (Column 10). All the 8 S-boxes will output 4-bits each in similar way. Figure: S-Box Q 5. List and explain various block cipher modes of operation with the help of diagram. There are 5 modes of operation which are listed below. Electronic Codebook mode (ECB) This is the simplest mode in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key. The term codebook is used because, for a given key, there is a unique ciphertext for every -bit block of plaintext. Therefore, we can imagine a huge codebook in which there is an entry for every possible b-bit plaintext showing its corresponding ciphertext. For a message longer than b bits, the procedure is simply to break the message into b-bit blocks, padding the last block if necessary. Decryption is performed one block at a time, always using the same key. Darshan Institute of Engineering & Technology Page 16

17 For lengthy messages, ECB mode may be not secure. If the message has repetitive elements, then these elements can be identified by the analyst. Thus, the ECB method is ideal for a short amount of data, such as an encryption key. Cipher Block Chaining Mode (CBC) To overcome the security deficiencies of ECB, a technique is needed in which the same plaintext block, if repeated, produces different cipher text blocks. A simple way to satisfy this requirement is the cipher block chaining (CBC) which is shown in the figure. In this mode, the input to the encryption algorithm is the X-OR of the current plaintext block and the preceding ciphertext block; the same key is used for each block. The input to the encryption function for each plaintext block has no fixed relationship to the plaintext block. Therefore, repeating patterns will not produce same ciphertext. The last block is padded to a full b bits if it is a partial block. For decryption, each cipher block is passed through the decryption algorithm. The result is X- ORed with the preceding ciphertext block to produce the plaintext block. The expressions for CBC are: C j = E(K, [C j-1 P j ]); D(K, C j )= D(K, E(K, [C j-1 P j ])); Encryption Decryption output = C j-1 P j C j-1 D(K, C) = C j-1 C j-1 P j ; X-OR ciphertext with decryption Darshan Institute of Engineering & Technology Page 17

18 = P j To produce the first block of cipher text, an initialization vector (IV) is X-ORed with the first block of plaintext. On decryption, the IV is X-ORed with the output of the decryption algorithm to recover the first block of plaintext. The IV must be known to both the sender and receiver but be unpredictable by a third party. For maximum security, the IV should be protected against unauthorized changes. This could be done by sending the IV using ECB encryption. Cipher Feedback Mode (CFB) DES is a block cipher, but it may be used as a stream cipher if the Cipher Feedback Mode (CFB) or the Output Feedback Mode (OFB) is used. CFB scheme is depicted below. A stream cipher eliminates the need to pad a message to be an integral number of blocks. It also can operate in real time. s bits is the size usually selected by the user, usually 8 bits. In this case, rather than units of 64 bits, the plaintext is divided into segments of s bits. Encryption: The input to the encryption function is a 64-bit shift register that is initially set to some initialization vector (IV). The leftmost (most significant) s bits of the output of the encryption function are X-ORed with the first segment of plaintext P1 to produce the first unit of ciphertext C1, which is then transmitted. In addition, the contents of the shift register are shifted left by s bits and C1 is placed in the rightmost s bits of the shift register. This process continues until all plaintext units have been encrypted. Decryption: The same scheme is used except that the received ciphertext unit is X-ORed with Darshan Institute of Engineering & Technology Page 18

19 the output of the encryption function to produce the plaintext unit. The disadvantage of this scheme is that bit error in one ciphertext propagates to next stage also. Output Feedback Mode (OFB) The Output Feedback Mode (OFB) is similar in structure to that of CFB: The only difference between CFB and OFB is that in OFB the output of the encryption function is fed back to the shift register in OFB, whereas in CFB the ciphertext is fed to the shift register. One advantage of the OFB method is that bit errors in transmission do not propagate. The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than CFB. Counter Mode (CTR) In this mode, a counter equal to the plaintext block size is used. The only requirement is that the counter value must be different for each plaintext block that is encrypted. Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo 2 b, where b is the block size) Counter Mode works as follows: Encryption: The counter is encrypted and then X-ORed with the plaintext block to produce the cipher text block; there is no chaining. Decryption: The same sequence of counter values is used. Each encrypted counter is X-ORed with a cipher text block to recover the corresponding plaintext block. Darshan Institute of Engineering & Technology Page 19

20 CTR has following advantages: o Hardware efficiency: In this mode, encryption (or decryption) can be done in parallel on multiple blocks of plaintext or cipher text. For the chaining modes, the algorithm must complete the computation on one block before beginning on the next block. o Software efficiency: Similarly, because of the opportunities for parallel execution in CTR mode, processors that support parallel features, such as aggressive pipelining, multiple instruction dispatch per clock cycle, a large number of registers can be effectively utilized. o Preprocessing: The execution of the encryption algorithm does not depend on input of the plaintext or cipher text. Therefore preprocessing can be used to prepare the output of the encryption boxes which can be fed into the X-OR functions when the plaintext or cipher text input is presented. o Random access: The i th block of plaintext or cipher text can be processed in random-access fashion. With the chaining modes, block cannot be computed until the i 1 prior block is computed. o Provable security: It can be shown that CTR is as secure as the other modes. o Simplicity: CTR mode requires only the implementation of the encryption algorithm and not the decryption algorithm and has a very simple implementation. Q 6. This mode is used in ATM (asynchronous transfer mode) and IPsec (IP security) nowadays. Write the key distribution scenario in which each user shares a unique master key with key distribution center. A scenario where each user shares a unique master key with the key distribution center (KDC) is presented below. Assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the connection. A has a master key, K a, known only to itself and the KDC; similarly, B shares the master key K b Darshan Institute of Engineering & Technology Page 20

21 with the KDC. The following steps occur: o Step 1: A issues a request to the KDC for a session key to communicate with B. The message includes the identity of A and B and a unique identifier, nonce N 1, for this transaction. Nonce should be difficult for an opponent to guess. o Step 2: The KDC responds with a message encrypted using K a. Thus, A is the only one who can successfully read the message, and knows that it originated at the KDC. The message includes two items intended for A: The one-time session key, K s, the original request message so that A can verify that its original request was not altered before reception by the KDC and the nonce proves that this is not a replay of some previous request. o In addition, the message includes two items intended for B: The one-time session key, K s to be used for the session and an identifier of A, ID A. The last two items are encrypted with K b. o Step 3: A stores the session key for use in the upcoming session and forwards to B the last two items ( E(K b, [K s ID A ]) ) of the message from KDC. o Since, this information is encrypted with K b, it is protected from eavesdropping. o B knows the session key and the other party A. and knows that the information originated at the KDC (because it is encrypted using K b ). o Key exchange is complete here. However two steps are added for authentication purpose. o Step 4: Using the new session key for encryption, B sends a nonce N 2, to A. o Step 5: A encrypts f(n 2 ) using K s, where f is a function that performs some transformation on N 2. In some cases, users are concerned about security from traffic analysis. Knowledge about the number and length of messages between nodes may enable an opponent to determine who is talking to whom. This can have obvious implications in a military conflict. Even in commercial applications, traffic analysis may yield information that the traffic generators would like to conceal. lists the following types of information that can be derived from a traffic analysis attack: Identities of partners How frequently the partners are communicating Darshan Institute of Engineering & Technology Page 21

22 Message pattern, message length, or quantity of messages that suggest important information is being exchanged The events that correlate with special conversations between particular partners Another concern related to traffic is the use of traffic patterns to create a covert channel. A covert channel is a means of communication in a fashion unintended by the designers of the communications facility. Typically, the channel is used to transfer information in a way that violates a security policy. For example, an employee may wish to communicate information to an outsider in a way that is not detected by management and that requires simple eavesdropping on the part of the outsider. The two participants could set up a code in which an apparently legitimate message of a less than a certain length represents binary zero, whereas a longer message represents a binary one. Q 7. Explain different key distribution techniques. Various key distribution techniques are: Hierarchical Key control For very large networks, key distribution function using a single KDC may not be practical. As an alternative, a hierarchy of KDCs can be established. For example, there can be local KDCs, each responsible for a small domain of the overall internetwork, such as a single LAN or a single building. For communication among entities within the same local domain, the local KDC is responsible for key distribution. If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a global KDC. In this case, any one of the three KDCs involved can actually select the key. The hierarchical concept can be extended to three or even more layers, depending on the size of the user population and the geographic scope of the internetwork. A hierarchical scheme minimizes the effort involved in master key distribution, because most master keys are those shared by a local KDC with its local entities. Such a scheme limits the damage of a faulty or subverted KDC to its local area only. A Transparent Key Control Scheme This scheme is useful for providing end-to-end encryption at a network or transport level in a way that is transparent to the end users. The approach assumes that communication makes use of a connection-oriented end-to-end protocol, such as TCP. An element of this approach is a session security module (SSM) that performs end-to-end encryption and obtains session keys on behalf of its host or terminal. Darshan Institute of Engineering & Technology Page 22

23 Step 1: When one host wishes to set up a connection to another host, it transmits a connection-request packet. Step 2: The SSM saves that packet and applies to the KDC for permission to establish the connection. The communication between the SSM and the KDC is encrypted using a master key shared only by this SSM and the KDC. Step 3: If the KDC approves the connection request, it generates the session key and delivers it to the two appropriate SSMs, using a unique master key for each SSM. Step 4: The requesting SSM can now release the connection request packet, and a connection is set up between the two end systems. All user data exchanged between the two end systems are encrypted by their respective SSMs using the one-time session key. The automated key distribution approach provides the flexibility and dynamic characteristics so that a number of terminal users can access a number of hosts. Decentralized Key Control The use of a key distribution center requires that the KDC should be trusted and protected from subversion. This requirement can be avoided if key distribution is fully decentralized. Full decentralization is not practical for larger networks using symmetric encryption only. It may be useful within a local context. In a decentralized approach, each end system should be able to communicate in a secure manner with all partner end systems. Thus, [n(n - 1)]/2 master keys must be maintained in a network of n end systems. Darshan Institute of Engineering & Technology Page 23

24 Q 8. A session key may be established with the following sequence of steps: o A issues a request to B for a session key and includes a nonce N 1. o B responds with a message that is encrypted using the shared master key. The response includes the session key selected by B, an identifier of B, the value f(n 1 ), and another nonce, N 2. o Using the new session key, A returns f(n 2 ) to B. Since the messages transferred using the master key are short, cryptanalysis is difficult. Session keys are used for only a limited time to protect them. Which two criteria are used to validate that a sequence of numbers is random? Explain various pseudorandom number generators. Following are the criteria for validating whether a sequence of numbers is random: o Randomness: The sequence of numbers should appear random in some well-defined statistical sense. The following two criteria are used to validate that a sequence of numbers is random: Uniform distribution: The distribution of numbers in the sequence should be uniform; that is, the frequency of occurrence of all the numbers should be approximately equal. Independence: No one sub-sequence in the sequence can be inferred (guessed) from the others. o Unpredictability: The successive members of the sequence should be unpredictable. In other words, each number should be statistically independent of other numbers in the sequence and therefore unpredictable. Various pseudorandom number generators are: Linear Congruential Generators The most widely used technique for pseudorandom number generation is known as the linear congruential method. The sequence of random numbers {X n } is obtained via the following equation: X n+1 = (ax n + c) mod m, where m is the modulus, m > 0 a is the multiplier, 0 < a < m c is the increment, 0 c < m X 0 the starting value, or seed, 0 X 0 < m The selection of values for a, c, and m is critical in developing a good random number generator. However, this has implications for cryptanalysis. If an opponent knows that the linear congruential algorithm is being used, then knowledge of a small part of the sequence is Darshan Institute of Engineering & Technology Page 24

25 sufficient to determine the parameters of the algorithm. Suppose that the opponent is able to determine values for X0, X1, X2 and X3. Then X 1 = (ax 0 + c) mod m X 2 = (ax 1 + c) mod m X 3 = (ax 2 + c) mod m Cryptographically Generated Random Numbers In this type of generators, encryption logic available to produce random numbers. Three representative examples are: 1. Cyclic Encryption Session keys are generated from master keys in this procedure. A counter with period N provides input to the encryption logic. After each key is produced, the counter is incremented by one. Thus, the pseudorandom numbers produced by this scheme cycle through a full period. Since each of the outputs X 0, X 1,... X N is obtained by encrypting a different counter value, therefore X 0 X 1... X N. Also because the master key is protected, it is not feasible to deduce any of the session keys (random numbers) through knowledge of one or earlier session keys. To strengthen the algorithm further, the input could be the output of a full-period PRNG rather than a simple counter. 2. DES Output Feedback Mode The output feedback (OFB) mode of DES can be used for key generation as well as for stream encryption. The output of each stage of operation OFB is a 64-bit value, of which the s leftmost bits are fed back for encryption. Successive 64-bit outputs constitute a sequence of pseudorandom numbers with good statistical properties. 3. ANSI X9.17 PRNG One of the strongest PRNGs is specified in ANSI X9.17. A number of applications employ this technique, like financial security applications and PGP. The algorithm makes use of triple DES for encryption. The ingredients are as follows: o Input: Two pseudorandom inputs are given to the generator. One is a 64-bit Darshan Institute of Engineering & Technology Page 25

26 o o representation of the current date and time DT i and the other is a 64-bit seed value V i. Keys: The generator makes use of three triple DES encryption modules which use the same pair of 56-bit keys {K 1, K 2 }. Output: The output consists of a 64-bit pseudorandom number R i and a 64-bit seed value V i+1. The expressions for a random number and the seed value are: R i = EDE([K 1, K 2 ], [V i EDE([K 1, K 2 ], DT i )]) V i+1 = EDE([K 1, K 2 ], [R i EDE([K 1, K 2 ], DT i )]) Where EDE ([K 1,K 2 ], X) refers to the sequence encrypt-decrypt-encrypt using two-key triple DES to encrypt X. This technique is cryptographically strong due to the following reasons: o The technique involves a 112-bit key and three EDE encryptions (nine DES encryptions). o The scheme has two pseudorandom inputs, the date and time value, and a seed produced by the generator that is distinct from the pseudorandom number produced by the generator. Thus, the amount of material that must be compromised by an opponent is overwhelming. Blum Blum Shub Generator The procedure of this generator is as follows. o Choose two large prime numbers, p and q, such that p q 3 (mod 4). For example, the prime numbers 7 and 11. Let n = p x q. o Choose a random number s, such that s is relatively prime to n. o Then the BBS generator produces a sequence of bits Bi according to the following algorithm: X 0 = s 2 mod n for i = 1 to infinity X i = (X i-1 ) 2 mod n B i = X i mod 2 The BBS is referred to as a cryptographically secure pseudorandom bit generator (CSPRBG). That is this generator passes the next-bit test. The security of BBS is based on the difficulty of factoring n. Darshan Institute of Engineering & Technology Page 26

27 Q 9. Q 10. Where are random numbers used? Explain true random numbers. A number of network security algorithms and protocols based on cryptography make use of random binary numbers, some of which are: o Key distribution (nonces) o Authentication schemes o Session key generation o Generation of keys for the RSA public-key encryption algorithm True Random Number Generators A true random number generator (TRNG) uses a nondeterministic source to produce randomness. Most operate by measuring unpredictable natural processes, such as pulse detectors of ionizing radiation events, leaky capacitors etc. Intel has developed a commercially available chip that uses thermal noise by amplifying the voltage measured across undriven resistors. Another algorithm uses the variations in the response time of raw read requests for one disk sector of a hard disk. There are problems with the randomness and the precision of such numbers and also there arises a requirement of attaching one of these devices to every system in an internetwork. Another alternative is to use a published collection of good-quality random numbers. However, these collections provide a very limited source of numbers compared to the requirements of a network security application. Furthermore, although the numbers in these books do indeed exhibit statistical randomness, they are predictable, because an opponent who knows that the book is in use can obtain a copy. A true random number generator may produce an output that is biased in some way, such as having more ones than zeros or vice versa, known as skew. Various methods of modifying a bit stream to reduce or eliminate the bias have been developed. These are referred to as de-skewing algorithms. Explain the following terms: a) Diffusion b) Confusion c) The avalanche effect d) Stream and Block ciphers e) Transposition and Substitution f) Differential and Linear Cryptanalysis g) Reversible Mapping h) Pseudorandom numbers a) Diffusion: Diffusion attempts make the statistical relationship between the plaintext and cipher text as complex as possible in order to thwart attempts to deduce the key. This is achieved by having each plaintext digit affect the value of many cipher text digits. Diffusion can be achieved by repeatedly performing some permutation on the data followed by applying a function to that permutation. b) Confusion: Confusion seeks to make the relationship between the statistics of the cipher text and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. This is achieved by the use of a complex substitution algorithm. Darshan Institute of Engineering & Technology Page 27

28 c) The avalanche effect: A small change in either the plaintext or the key should produce a significant change in the cipher text. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the cipher text. This is referred to as the avalanche effect. d) Stream and Block ciphers: A block cipher processes the input, one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time. e) Transposition and Substitution: Transposition or permutation includes changing of position elements. That is, no elements are added or deleted or replaced in the sequence, but the order in which the elements appear in the sequence is changed. Substitution includes replacing each plaintext element or group of elements uniquely by a corresponding ciphertext element or group of elements. f) Differential Cryptanalysis: In differential cryptanalysis, the behavior of pairs of text blocks from each round of the cipher is observed instead of the final output. This attack starts with two messages, and, with a known XOR difference m = m m, and consider the difference between the intermediate message halves: m i = m i m i.then, When many pairs of inputs to f with the same difference yield the same output difference if the same sub key is used and if a number of such differences are determined, it is feasible to determine the sub key used in the function f. g) Linear Cryptanalysis: This attack is based on finding linear approximations to describe the transformations performed in an algorithm. This method can find a key given known plaintexts whereas differential cryptanalysis requires chosen plaintexts. For a cipher with n-bit plaintext and cipher text blocks and an m-bit key, let the plaintext block be P[1],..., P[n], the cipher text block C[1],..., C[n], and the key K[1],... K[m]. Then, find an effective linear equation of the form: P[a 1, a 2,..., a a ] C[b 1, b 2,..., b b ] = K[g 1, g 2,..., g c ] where x = 0 or 1 1 a b n 1 c m and a, b and g terms represent fixed, unique bit locations Once a proposed relation is determined, the procedure is to compute the results of the lefthand side of the equation for a large number of plaintext-ciphertext pairs. If the result is 0 more than half the time, assume K[g 1, g 2,..., g c ] = 0 and vice versa. This gives us a linear equation on the key bits. h) Reversible Mapping: For a given plaintext blocks, if the encryption produces a unique ciphertext block, then such a transformation is called reversible, or nonsingular mapping. Darshan Institute of Engineering & Technology Page 28

29 i) Pseudorandom numbers: The sequence of numbers that exhibit properties of random numbers like randomness and unpredictability but actually are not random numbers. They are generated using some deterministic algorithm. Such numbers are called pseudorandom numbers. Q-11 Explain characteristics of Advanced Symmetrical Block Cipher. Key size (words/bytes/bits) 4/16/128 6/24/192 8/32/256 Plaintext block size (words/bytes/bits) 4/16/128 4/16/128 4/16/128 Number of rounds Round key size (words/bytes/bits) 4/16/128 4/16/128 4/16/128 Expanded key size (words/bytes) 44/176 52/208 60/240 Figure shows the overall structure of AES. The input to the encryption and decryption algorithms is a single 128-bit block. Darshan Institute of Engineering & Technology Page 29