Secret Key Cryptography Overview

Transcription

1 Secret Key Cryptography Overview Dr. Arjan Durresi Louisiana State University Baton Rouge, LA These slides are available at: Block ciphers Feistel cipher Data Encryption Standard DES DES Encryption DES - Decryption Louisiana State University - Secret Key Cryptography - 1 Louisiana State University - Secret Key Cryptography - 2 Glossary plaintext message in its original form ciphertext encrypted message encryption process of producing ciphertext from plaintext decryption reverse process breaking encryption scheme discovering plaintext that matches ciphertext cryptoanalyst, attacker, intruder, bad guy an entity trying to break encryption Louisiana State University - Secret Key Cryptography - 3 Concepts block cipher encrypts blocks of data (say ), essentially substituting bit-data block by -bit encrypted block we can specify cipher by stating the complete data->encryption, is it possible? can two data blocks map to the same encrypted block? can we map a data block to a smaller (larger) encrypted block? two basic operations for k-bit blocks substitution for each 2 k inputs specify output, impractical for large k permutation for each bit specifies the output position it gets block encryption usually contains multiple rounds of substituitions and premutations Louisiana State University - Secret Key Cryptography - Modern Block Ciphers Will now look at modern block ciphers One of the most widely used types of cryptographic algorithms Provide secrecy and/or authentication services In particular will introduce DES (Data Encryption Standard) Block vs. Stream Ciphers Block ciphers process messages in into blocks, each of which is then en/decrypted Like a substitution on very big characters -bits or more Stream ciphers process messages a bit or byte at a time when en/decrypting Many current ciphers are block ciphers Hence are focus of course Louisiana State University - Secret Key Cryptography - 5 Louisiana State University - Secret Key Cryptography -

2 Block Cipher Principles Most symmetric block ciphers are based on a Feistel Cipher Structure Needed since must be able to decrypt ciphertext to recover messages efficiently Block ciphers look like an extremely large substitution Would need table of 2 entries for a -bit block Naïve: 2 input values, bits each, total 2 70 bits to store the mapping Output should look random No correlation between plaintext and ciphertext Bit spreading Instead create from smaller building blocks Using idea of a product cipher Claude Shannon and Substitution- Permutation Ciphers In 199 Claude Shannon introduced idea of substitutionpermutation (S-P) networks modern substitution-transposition product cipher These form the basis of modern block ciphers S-P networks are based on the two primitive cryptographic operations we have seen before: substitution (S-box) permutation (P-box) Provide confusion and diffusion of message Louisiana State University - Secret Key Cryptography - 7 Louisiana State University - Secret Key Cryptography - 8 Confusion and Diffusion Cipher needs to completely obscure statistical properties of original message A one-time pad does this More practically Shannon suggested combining elements to obtain: diffusion dissipates statistical structure of plaintext over bulk of ciphertext confusion makes relationship between ciphertext and key as complex as possible Block Ciphers Substitution: 2 k values: k 2 k bits Permutation: change position for each bit: klog 2 k bits Round: combination of substitution chunks and permutation do often enough so that a bit change can affect every output bit How many rounds? A few but not fewer Louisiana State University - Secret Key Cryptography - 9 Louisiana State University - Secret Key Cryptography - 10 Feistel Cipher Structure Horst Feistel devised the feistel cipher based on concept of invertible product cipher Partitions input block into two halves process through multiple rounds which perform a substitution on left data half based on round function of right half & subkey then have permutation swapping halves Implements Shannon s substitution-permutation network concept Feistel Cipher Structure Louisiana State University - Secret Key Cryptography - 11 Louisiana State University - Secret Key Cryptography - 12

3 Feistel Cipher Design Principles Feistel Cipher Decryption block size increasing size improves security, but slows cipher key size increasing size improves security, makes exhaustive key searching harder, but may slow cipher number of rounds increasing number improves security, but slows cipher subkey generation greater complexity can make analysis harder, but slows cipher round function greater complexity can make analysis harder, but slows cipher fast software en/decryption & ease of analysis are more recent concerns for practical use and testing Louisiana State University - Secret Key Cryptography - 13 Louisiana State University - Secret Key Cryptography - 1 Data Encryption Standard (DES) Convert block to another: one-to-one Most widely used block cipher in world Adopted in 1977 by NBS (now NIST) as FIPS PUB Long enough to avoid known-plaintext attack bit nice for RISC Encrypts -bit data using 5-bit key Has been considerable controversy over its security Key length: 5bit 1979, bit- 1995, 128bit -? DES History IBM developed Lucifer cipher by team led by Feistel used -bit data blocks with 128-bit key Then redeveloped as a commercial cipher with input from NSA and others In 1973 NBS issued request for proposals for a national cipher standard IBM submitted their revised Lucifer which was eventually accepted as the DES Louisiana State University - Secret Key Cryptography - 15 Louisiana State University - Secret Key Cryptography - 1 Block Cipher Scheme DES Design Controversy Plaintext block of length N Encrypt Decrypt Secret key Cipher block of length N Although DES standard is public Was considerable controversy over design in choice of 5-bit key (vs Lucifer 128-bit) and because design criteria were classified Subsequent events and public analysis show in fact design was appropriate DES has become widely used, esp in financial applications efficient to implement in hardware, but slow in software the adoption of DES was done without public scrutiny some operations are suspect security value of initial/final permutations is suspect Louisiana State University - Secret Key Cryptography - 17 Louisiana State University - Secret Key Cryptography - 18

4 DES (Data Encryption Standard) Published in 1977, standardized in Key: bit quantity=8-bit parity+5-bit key Every 8 th bit is a parity bit. bit input, bit output. bit M bit C DES Encryption -bit 8-bit Input K1 Permutation Round 1 Round 2... Round 1 Swap DES Top View Generate keys Initial Permutation 8-bit K1 8-bit K2 8-bit K1 Swap 32-bit halves 5-bit Key Permutation Final Permutation 5 bits Louisiana State University - Secret Key Cryptography bit Output Louisiana State University - Secret Key Cryptography - 20 Bit Permutation (1-to to-1) Bits Expansion (1-to to-m) Input: Input: bit Output Output Louisiana State University - Secret Key Cryptography - 21 Louisiana State University - Secret Key Cryptography - 22 Initial and Final Permutations Initial permutation (IP) View the input as M: 8(-byte) by 8(-bit) matrix Transform M into M1 in two steps Transpose row x into column (9-x), 0<x<9 Apply permutation on the rows: For even column y, it becomes row y/2 For odd column y, it becomes row (5+y/2) Quite regular in structure (easy in h/w) Example: IP(75a97 5e5ab5a) = (ffb219d 00dffb) Final permutation FP = IP -1 Initial and Final Permutations Louisiana State University - Secret Key Cryptography - 23 Louisiana State University - Secret Key Cryptography - 2

5 Per-Round Key Generation DES Key Schedule One round 8 bits K i Initial Permutation of DES key C i-1 28 bits D i-1 28 bits Circular Left Shift Permutation with Discard Circular Left Shift Round 1,2,9,1: single shift Others: two bits Forms subkeys used in each round Consists of: initial permutation of the key which selects 5-bits in two 28-bit halves 1 stages consisting of: selecting 2-bits from each half permuting them by PC2 for use in function f, rotating each half separately either 1 or 2 places depending on the key rotation schedule K C i D i 28 bits 28 bits Louisiana State University - Secret Key Cryptography - 25 Louisiana State University - Secret Key Cryptography - 2 Input Key Initial Permutation of Key C0 D0 Louisiana State University - Secret Key Cryptography - 27 Louisiana State University - Secret Key Cryptography - 28 Permutation with Discard Schedule of Left Shifts Louisiana State University - Secret Key Cryptography - 29 Louisiana State University - Secret Key Cryptography - 30

6 A DES Round DES Round Structure One Round Encryption 32 bits L n 32 bits R n Mangler Function E S-Boxes P 8 bits 32 bits 8 bits K i Uses two 32-bit L & R halves As for any Feistel cipher can describe as: L i = R i 1 R i = L i 1 xor F(R i 1, K i ) Takes 32-bit R half and 8-bit subkey and: expands R to 8-bits using perm E adds to subkey passes through 8 S-boxes to get 32-bit result finally permutes this using 32-bit perm P 32 bits L n+1 32 bits R n+1 Louisiana State University - Secret Key Cryptography - 31 Louisiana State University - Secret Key Cryptography - 32 Expansion of R to 8 bits Decryption Apply the same operations with the same key K i at each round: Input: R n+1 L n+1 Due to the swap operation Output: R n L n The swap operation at the end will produce the correct result: L R Louisiana State University - Secret Key Cryptography - 33 Louisiana State University - Secret Key Cryptography - 3 Mangler Function S1 S2 S3 S S5 S S7 S8 The permutation produces spread among the chunks/s-boxes! DES Mangler Function takes 32-bit R n and 8-bit K n and produces a 32-bit R n+1 operation 32-bit R n is expanded to 8 bits each -bits are expanded to bits by duplicating adjacent bits each bits or R n are XOR-ed with corresponding bits of K n and fed into S-Box (1 through 8) each S-box is different S-Box is a (completely defined) substitution that accepts bits and produces bits (mapping is not unique) the output 32 bits are then permuted to produce R n+1 the idea of the permutation is so that the output of one S- Box affexts the input of multiple S-Boxes in the next round Permutation Louisiana State University - Secret Key Cryptography - 35 Louisiana State University - Secret Key Cryptography - 3

7 Substitution Boxes S Have eight S-boxes which map to bits Each S-box is actually little bit boxes outer bits 1 & (row bits) select one rows inner bits 2-5 (col bits) are substituted result is 8 lots of bits, or 32 bits Row selection depends on both data & key feature known as autoclaving (autokeying) Example: S( d ) = 5fd25e03 Louisiana State University - Secret Key Cryptography - 37 S-Box (Substitute and Shrink) 8 bits ==> 32 bits. (8* ==> 8*) 2 bits used to select amongst permutations for the rest of the -bit quantity 2 bits row I1 I2 I3 I I5 I S i bits column i = 1, 8. Louisiana State University - Secret Key Cryptography - 38 O1 O2 O3 O S1 Each row and column contain different numbers S-BoxesS Logic behind the selection of the S-Boxes remains unpublished secret Is it a good idea technically to publish it? Example: input: output:??? Louisiana State University - Secret Key Cryptography - 39 Louisiana State University - Secret Key Cryptography - 0 DES Standard Cipher Iterative Action : Input: bits Key: 8 bits Output: bits Key Generation Box : Input: 5 bits Output: 8 bits One round (Total 1 rounds) DES Decryption Decrypt must unwind steps of data computation Feistel design, do encryption steps again Using subkeys in reverse order (SK1 SK1) Note that IP undoes final FP step of encryption 1st round with SK1 undoes 1th encrypt round. 1th round with SK1 undoes 1st encrypt round Then final FP undoes initial encryption IP Thus recovering original data value Louisiana State University - Secret Key Cryptography - 1 Louisiana State University - Secret Key Cryptography - 2

8 Avalanche Effect Key desirable property of encryption algorithm Where a change of one input or key bit results in changing approx half output bits Making attempts to home-in by guessing keys impossible DES exhibits strong avalanche Example: Two plaintexts that differ by one bit and Key: A) Example Two plaintexts that differ by one bit and Key: B) A single plaintext: Two keys that differ in only one bit: Louisiana State University - Secret Key Cryptography - 3 Louisiana State University - Secret Key Cryptography - Example Strength of DES Key Size 5-bit keys have 2 5 = 7.2 x 10 1 values Brute force search looks hard Recent advances have shown is possible in 1997 on Internet in a few months in 1998 on dedicated h/w (EFF) $250,000 in less than three days in 1999 above combined in 22hrs! Still must be able to recognize plaintext Alternatives to DES Louisiana State University - Secret Key Cryptography - 5 Louisiana State University - Secret Key Cryptography - Strength of DES Timing Attacks Attacks actual implementation of cipher Use knowledge of consequences of implementation to derive knowledge of some/all subkey bits Specifically use fact that calculations can take varying times depending on the value of the inputs to it Particularly problematic on smartcards Strength of DES Analytic Attacks Several analytic attacks on DES Utilise some deep structure of the cipher by gathering information about encryptions can eventually recover some/all of the sub-key bits if necessary then exhaustively search for the rest Generally these are statistical attacks Include differential cryptanalysis linear cryptanalysis related key attacks Louisiana State University - Secret Key Cryptography - 7 Louisiana State University - Secret Key Cryptography - 8

9 DES Weak Keys there are sixteen DES keys that are suspect weak keys: C0 and D0 are either all 0s or all 1s - thekeys are their own inverses (encrypting with the key is the same as decrypting with it) semi-weak: either all 0s and all 1s or alternating 0s and 1s Why is DES the Way it Is? operations in DES appear simple and arbitrary things are however mysterious if S-Boxes 3 and 7 are swapped, DES is an order of magnitude less secure DES design process was not public, so it is not clear how the details were chosen if they leave some hidden weakness? possibility DES was designed to be strong against specific attacks the designers knew about but did not publish (not to educate the bad guys) are the other standards vulnerable to these attacks? Louisiana State University - Secret Key Cryptography - 9 Louisiana State University - Secret Key Cryptography - 50 Differential Cryptanalysis One of the most significant recent (public) advances in cryptanalysis Known by NSA in 70's - DES design Murphy, Biham & Shamir published 1990 Powerful method to analyse block ciphers Used to analyse most current block ciphers with varying degrees of success DES reasonably resistant to it, 2 7 plaintexts are needed, lessons from Lucifer Differential Cryptanalysis A statistical attack against Feistel ciphers Uses cipher structure not previously used Design of S-P networks has output of function f influenced by both input & key Hence cannot trace values back through cipher without knowing values of the key Differential Cryptanalysis compares two related pairs of encryptions Louisiana State University - Secret Key Cryptography - 51 Louisiana State University - Secret Key Cryptography - 52 Differential Cryptanalysis Compares Pairs of Encryptions With a known difference in the input Searching for a known difference in output When same subkeys are used Plaintext: m 0, m 1 : m i+1 = m i-1 XOR f(m i, K i ) m XOR m is known: Differential Cryptanalysis have some input difference giving some output difference with probability p if find instances of some higher probability input / output difference pairs occurring can infer subkey that was used in round then must iterate process over many rounds Louisiana State University - Secret Key Cryptography - 53 Louisiana State University - Secret Key Cryptography - 5

10 Differential Cryptanalysis Differential Cryptanalysis perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR when found if intermediate rounds match required XOR have a right pair if not then have a wrong pair, relative ratio is S/N for attack can then deduce keys values for the rounds right pairs suggest same key bits wrong pairs give random values for large numbers of rounds, probability is so low that more pairs are required than exist with -bit inputs Biham and Shamir have shown how a 13-round iterated characteristic can break the full 1-round DES Louisiana State University - Secret Key Cryptography - 55 Louisiana State University - Secret Key Cryptography - 5 Linear Cryptanalysis Another recent development Also a statistical method Must be iterated over rounds, with decreasing probabilities Developed by Matsui et al in early 90's Based on finding linear approximations Can attack DES with 2 7 known plaintexts, still in practise infeasible Linear Cryptanalysis find linear approximations with prob p!= ½ P[i1,i2,...,ia](+)C[j1,j2,...,jb] = K[k1,k2,...,kc] where ia,jb,kc are bit locations in P,C,K gives linear equation for key bits get one key bit using max likelihood algorithm using a large number of trial encryptions effectiveness given by: p ½ Louisiana State University - Secret Key Cryptography - 57 Louisiana State University - Secret Key Cryptography - 58 Block Cipher Design Principles Basic principles still like Feistel in 1970 s Number of rounds more is better, exhaustive search best attack Function f: provides confusion, is nonlinear, avalanche Specially careful about S-box the nonlinear part of DES Larger S-box more resistant to differential and linear cryptanalysis but more difficult to design properly Key schedule complex subkey creation, key avalanche Modes of Operation Block ciphers encrypt fixed size blocks eg. DES encrypts -bit blocks, with 5-bit key Need way to use in practise, given usually have arbitrary amount of information to encrypt Four were defined for DES in ANSI standard ANSI X Modes of Use Subsequently now have 5 for DES and AES Block and stream modes Louisiana State University - Secret Key Cryptography - 59 Louisiana State University - Secret Key Cryptography - 0

11 Modes of Operation Electronic Codebook Book (ECB) message is broken into independent blocks which are encrypted each block is a value which is substituted, like a codebook, hence name each block is encoded independently of the other blocks C i = DES K1 (P i ) uses: secure transmission of single values Louisiana State University - Secret Key Cryptography - 1 Louisiana State University - Secret Key Cryptography - 2 Electronic Code Book (ECB) M 1 M 2 M 3 M pad ENC ENC ENC ENC C 1 C 2 C 3 C Advantages and Limitations of ECB Repetitions in message may show in ciphertext if aligned with message block particularly with data such graphics or with messages that change very little, which become a code-book analysis problem Weakness due to encrypted message blocks being independent Bit errors in ciphertext, when decrypted will cause the entire plaintext block to decrypt incorrectly but will not affect the rest If a ciphertext is lost or added all the rest will be affected Main use is sending a few blocks of data Pad last block with count of pad size eg. [ b1 b2 b ] <- 3 data bytes, then 5 bytes pad+count Louisiana State University - Secret Key Cryptography - 3 Louisiana State University - Secret Key Cryptography - ECB Problem #1 M 1 M 2 M 3 M pad ENC ENC ENC ENC C 1 C 2 C 3 C ECB Problem #1 If a cryptanalyst has the plaintext and ciphertext for several messages, he can start to compile a code book Messages such as s may have regular structures Open to statistical attacks This vulnerability is higher at the beginning and the end of messages, where are located headers and footers with information about sender, receiver, date Stereotyped beginnings and stereotyped endings (M 1 == M 3 ) => (C 1 == C 3 ) Louisiana State University - Secret Key Cryptography - 5 Louisiana State University - Secret Key Cryptography -

12 Problems with ECB same plaintext block produces same ciphertext can be analyzed, rearranged plaintext ECB encrypted ciphertext ECB Problem #2 Lack the basic protection against integrity attacks on the ciphertext at message level (i.e., multiple cipher blocks) Without additional integrity protection cipher block substitution and rearrangement attacks fabrication of specific information Louisiana State University - Secret Key Cryptography - 7 Louisiana State University - Secret Key Cryptography - 8 ECB Problem #2 An adversary could modify encrypted messages without knowing the key or even the algorithm in such a way as to fool the recipient For example a money transfer system among banks: There are standard format such as Sender Bank A: 1.5 blocks, Receiver Bank B: 1.5 blocks, Depositor s name: blocks, Depositor s account 2 blocks, amount of deposit 1 block A bad guy intercepts these messages. Then he transfers twice $100 from Bank A to B. Isolate these messages and repeat at will Bank A and B reconcile their transfers at the end of the day and discover the fake transfer authorization, but it is too late Banks can add a time stamp field to avoid repeated messages ECB Problem #2 Block Replay technique: The bad guy by analyzing the intercepted messages can figure out the ciphertext blocks corresponding to his name, account and amount Now he can change others people transfer to his name and account When banks reconcile their transfers at the end of the day, everything matches It will take more time to catch the problem and again it will be too late Adding a MAC will solve the problem Louisiana State University - Secret Key Cryptography - 9 Louisiana State University - Secret Key Cryptography - 70 One-Time Pad proven (Shannon): XOR a message with a (truly) random number (never reuse it again) unbreakable (no information is given away) one-time pad such usage of random numbers stream cipher generates one-time pad and XORs it with the stream of plaintext to generate ciphertext Louisiana State University - Secret Key Cryptography - 71 Fixing ECB consider this: generate random numbers and XOR with blocks before encoding transmit r1, c1, r2, c2, r3, c3, r, c M1 M2 M3 M r1 r2 r3 r E E E E C1 C2 C3 C problems: need to send twice as much data can still rearrange blocks if two ciphertext blocks equal, know XOR of two plaintext blocks = XOR of the corresponding two random numbers Louisiana State University - Secret Key Cryptography - 72

13 Cipher Block Chaining (CBC) Message is broken into blocks But these are linked together in the encryption operation Each previous cipher blocks is chained with current plaintext block, hence name Use Initial Vector (IV) to start process C i = DES K1 (P i XOR C i-1 ) C -1 = IV uses: bulk data encryption, authentication Cipher Block Chaining (CBC) M 1 M 2 M 3 M pad IV Initialization Vector ENC ENC ENC ENC C 1 C 2 C 3 C (M 1 == M 3 ) very unlikely leads to (C 1 == C 3 ) Louisiana State University - Secret Key Cryptography - 73 Louisiana State University - Secret Key Cryptography - 7 IV CBC Decryption M 1 M 2 M 3 M DEC DEC DEC DEC C 1 C 2 C 3 C Advantages and Limitations of CBC Each ciphertext block depends on all message blocks thus a change in the message affects all ciphertext blocks after the change as well as the original block Need Initial Value (IV) known to sender & receiver Without it two identical messages will encrypt to the same encrypt. Two messages that begin the same will encrypt the same way up to the first difference If IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate, but not a strong requirement Hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message At end of message, handle possible last short block by padding either with known non-data value (eg nulls) or pad last block with count of pad size eg. [ b1 b2 b ] <- 3 data bytes, then 5 bytes pad+count Louisiana State University - Secret Key Cryptography - 75 Louisiana State University - Secret Key Cryptography - 7 CBC Vulnerabilities Loss sync of block boundary garbles the rest of the stream Create desired change in decrypted block P n by sacrificing block P n-1 In this case a CRC is needed P n-1 DEC P n DEC Cipher FeedBack (CFB) Message is treated as a stream of bits Added to the output of the block cipher Result is feed back for next stage (hence name) Standard allows any number of bit (1,8 or or whatever) to be feed back denoted CFB-1, CFB-8, CFB- etc Is most efficient to use all bits (CFB-) C i = P i XOR DES K1 (C i-1 ) C -1 = IV uses: stream data encryption, authentication C n-1 Louisiana State University - Secret Key Cryptography - 77 C n Louisiana State University - Secret Key Cryptography - 78

14 Cipher FeedBack (CFB) Advantages and Limitations of CFB Appropriate when data arrives in bits/bytes Most common stream mode Limitation is need to stall while do block encryption after every n-bits Note that the block cipher is used in encryption mode at both ends Errors propagate for several blocks after the error IV should be unique Louisiana State University - Secret Key Cryptography - 79 Louisiana State University - Secret Key Cryptography - 80 Output FeedBack (OFB) Output FeedBack (OFB) message is treated as a stream of bits output of cipher is added to message output is then feed back (hence name) feedback is independent of message can be computed in advance C i = P i XOR O i O i = DES K1 (O i-1 ) O -1 = IV uses: stream encryption over noisy channels Louisiana State University - Secret Key Cryptography - 81 Louisiana State University - Secret Key Cryptography - 82 Advantages and Limitations of OFB Used when error feedback a problem or where need to encryptions before message is available The one time pad can be generated in advance, so the message encryption is only -fast Superficially similar to CFB but feedback is from the output of cipher and is independent of message An error in ciphertext doesn t propagate A message can arrive in any arbitrary sized chunks and each time a chunk appears it can be immediately encrypted Advantages and Limitations of OFB A variation of a Vernam cipher hence must never reuse the same sequence (key+iv) Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs If a bad guy knows plaintext and ciphertext, he can modify the plaintext P in P P C P Originally specified with m-bit feedback in the standards Subsequent research has shown that only OFB- should ever be used Louisiana State University - Secret Key Cryptography - 83 Louisiana State University - Secret Key Cryptography - 8

15 Counter (CTR) A new mode, though proposed early on Similar to OFB but encrypts counter value rather than any feedback value Must have a different key & counter value for every plaintext block (never reused) C i = P i XOR O i O i = DES K1 (i) uses: high-speed network encryptions Counter (CTR) Louisiana State University - Secret Key Cryptography - 85 Louisiana State University - Secret Key Cryptography - 8 Advantages and Limitations of CTR Efficiency can do parallel encryptions in advance of need good for bursty high speed links Random access to encrypted data blocks Provable security (good as other modes) But must ensure never reuse key/counter values, otherwise could break (cf OFB) Like CBC can decrypt the message starting at any point rather than staring at the beginning Generating MICs Message Identity Code (MIC) or Message Authentication Code (MAC) To protect against modifications Compute CBC Only send last block of CBC (CBS residue) Send plaintext Any modification in plaintext modifies CBC residue Insures integrity Louisiana State University - Secret Key Cryptography - 87 Louisiana State University - Secret Key Cryptography - 88 CBC Plus Residue M 1 M 2 M 3 M pad IV Initialization Vector ENC ENC ENC ENC C 1 C 2 C 3 C residue Insuring Both Confidentiality and Integrity Replicating last CBC block doesn t work CBC the message + CRC not very strong P+I: use separate (but maybe related) secret keys for encryption and MIC (two encryption passes) Two keys twice the cryptographic power CBC with weak cryptographic checksum no evidence of problems CBC (message hash) it is more efficient than doing CBC twice if the hash function is faster than the encryption one Louisiana State University - Secret Key Cryptography - 89 Louisiana State University - Secret Key Cryptography - 90

16 Triple DES 3DES Encrypt-Decrypt-Encrypt (EDE) or 3DES Multiple encryption to compensate for the short basic DES key Making it more secure Standard practice: E(K 3, D(K 2, E(K 1, P))) K 1 =K 3 results an equivalent 112-bit DES which provides a sufficient key space, some systems use three keys but this is not standard Distinct K 1, K 2, K 3 results even stronger 18-bit DES Louisiana State University - Secret Key Cryptography - 91 Louisiana State University - Secret Key Cryptography - 92 Triple DES (Cont d) EDE: can run as a single DES with K 1 = K 2 More permutations DES3 Is Not Ideal... Efficiency demands schemes with longer keys to begin with! DES3 runs one third as fast as DES on the same platform New candidates are numerous - RC5, IDEA, two-fish, CAST, etc NIST is soliciting algorithms for federal standard Louisiana State University - Secret Key Cryptography - 93 Louisiana State University - Secret Key Cryptography - 9 IDEA International Data Encryption Algorithm ETH Zurich, 1991 Similar to DES: -bit blocks 128-bit keys IDEA was designed to be efficient in software No published weakness -bit 8-bit Input K1 Round 1 Round 2... Round 1 Round 17 IDEA Top View k 1 k 2 k 3 k k 5 k k 9 k 50 k 51 k bit Key key expansion Louisiana State University - Secret Key Cryptography bit Output Louisiana State University - Secret Key Cryptography - 9

17 IDEA Primitive Operations 2 1-bit to 1 1-bit + mod 2 1 mod ( ) Reversible Easy in software IDEA Key Expansion 128-bit key to 52 1-bit keys, K 1,, K 52 Encryption, decryption different But once generating the keys, the encryption and decryption operations are the same Chop off 1 bits at a time to get 8 1-bit keys Start at bit 25, chop (and wrap around) again to get next 8 1-bit keys Offsetting 25 more bits, repeat, until 52 keys are generated Louisiana State University - Secret Key Cryptography - 97 Louisiana State University - Secret Key Cryptography - 98 Key Expansion IDEA: One Round 128 bit key 17 rounds, even and odd K 1 K 2 K 3 K K 5 K K 7 K 8 -bit input divided into 1-bit: X a, X b, X c, X d Operations: get new X a, X b, X c, X d Odd rounds: K i : K a, K b, K c, K d 128 bit key K 9 K 10 K 11 K 12 K 13 K 1 K 15 K bit key First round: K 1, K 2, K 3, K Round 3: K 7, K 8, K 9, K 10 Even rounds: 2 K i : K e, K f Round 2: K 5, K Round : K 11, K 12 Louisiana State University - Secret Key Cryptography - 99 Louisiana State University - Secret Key Cryptography IDEA: Odd Round IDEA: Even Round X a = X a K a X b = X c + K c Mangler: Y out, Z out = f (Y in, Z in, K e, K f ) First step: X c = X b + K b Y in = X a X b X d = X d K d To decrypt, use the inverse (relative to the operations) of the keys Z in = X c X d Second Step, mangler: Y out = ((K e Y in ) + Z in ) K f Z out = (K e Y in ) + Y out Third step: X a = X a Y out, X b = X b Y out, X c = X c Z out, X d = X d Z out Louisiana State University - Secret Key Cryptography Louisiana State University - Secret Key Cryptography - 102

18 Decryption IDEA: Even Round (cont d) Use the same keys in inverse First round use K 9, K 50, K 51, K 52 Use the exact operations as encryption IDEA 128-bit key: Breaking by brute force search for the time being is imposible Seems to be the most secure block algorithm available to public The first version in 1990 Proposed Encryption Standard (PES). Evolved after publications of differential analysis Louisiana State University - Secret Key Cryptography AES AES = Advanced Encryption Standard public design process: NIST s request for proposals (1997) Winner: Rijndael (2000) Rijndael 128, 192, or 25-bit block size, 128, 192, or 25-bit key. algebraically designed s-boxes, input is divided into octets 10-1 rounds of: Byte substitution in every octet using s-box shifting (rotating) rows MixColumn spread octets according specified MicColumn table XOR with a RoundKey Decryption is by design similar to encryption Louisiana State University - Secret Key Cryptography - 10 Summary Block cipher design principles DES details Strength Simple, easy to implement: Hardware/gigabits/second, software/megabits/second 5-bit key DES may be acceptable for non-critical applications but triple DES (DES3) should be secure for most applications today Differential & Linear Cryptanalysis Modes of Operation ECB, CBC, CFB, OFB, CTR IDEA Louisiana State University - Secret Key Cryptography - 105