Conventional Encryption: Modern Technologies

Transcription

1 Conventional Encryption: Modern Technologies We mentioned that the statistical weakness in substitution ciphers is that they don t change the frequency of alphabetic letters. For example, if a substitution cipher scheme were used to obtain the ciphertext: CFGPSF GJWF A cryptanalyst may initially guess that the most frequent ciphertext letter (F) is corresponding to a disguised E. If this guess is correct, the cryptanalyst is on the road to cracking the ciphertext. The 2 nd best guess is if (F) is not really a disguised (E), it may then be a (T). The cryptanalyst can also guess that the most frequent two-letter pattern in longer ciphertext may correspond to a (TH), and so forth. Note that with the help of computers, statistical analysis for cryptanalytic purposes can be prepared much quicker. Note 1: Note 2: Note 3: Note 4: Note 5: We need to eliminate statistical relationship between the ciphertext and the underlying plaintext. Combining transposition and substitution diffuses the statistical structure of plaintext over the ciphertext. This method is referred to as diffusion. Diffusion dissipates or disperses parts of letters throughout the ciphertext. In addition to diffusion, we may need to create confusion to prevent the cryptanalyst from using ciphertext to figure out the secret encryption key. Confusion usually means that the cipher scheme should be complex such that even one can figure out some ciphertext patterns, she cannot use the cipher method and pattern to figure out the secret key. As cipher scheme or an algorithm providing good confusion will have a complex functional relationship between the plaintext /key pair and the ciphertext. Confusion obscures the relationship between the plaintext and the ciphertext, while diffusion dissipates the redundancy of the plaintext by spreading it out over the ciphertext. Ciphers that use confusion and diffusion are called product ciphers. Each application of confusion and diffusion is called a round. Product ciphers that use many rounds are called iterated product ciphers. The idea is to make the encryption function so complex and involuted that makes it almost impossible to discover the encryption key. Sep.23/2003 1

2 Note 6: The computational complexity of an encryption algorithm is often measured by two variables: -T (for time complexity) -S (for space complexity, or computing memory requirement) Note 7: An encryption algorithm is said to be computationally secure if the following two criteria are met: -The time complexity exceeds the useful lifetime of the information. -The space complexity exceeds the value of the encrypted information. 2.1 P-box and S-box Transposition and substitution can be implemented with simple, hardware circuits. For example, Fig. 1 below shows a device, called P-box (P stands for permutation), used to implement the following transposition cipher on an 8-bit input: X (x) P-box Output (x) input (x) Fig. 1 By appropriately internal wiring, a P-box can be made to perform any transposition, and do it at practically the speed of light. Sep.23/2003 2

3 Substitutions can be performed by S-boxes (S stands for substitution), as shown in fig. 2 below. Output 3-bit S-box Input 3-bit Fig. 1 Decoder: 3 to 8 Encoder: 8 to 3 Fig. 2 In this example, a 3-bit plaintext is entered into the S-box, and 3-bit ciphertext is output. The 3-bit input selects one of the eight lines exiting from the encoder and sets it to 1; all the other lines are 0. The second stage in an S-box is a simple P- box, as described earlier. The third stage is a decoder, which encodes the resulting output line of the P-box in binary again. For example, if the eight octal numbers were input one after another, the output sequence in Fig. 2 would be In other words, 0 has been replaced by 2; 1 has been replaced by 4, etc. Again by appropriately wiring of the P-box inside the S-box, any substitution can be accomplished. The real power of these basic elements only becomes apparent when we cascade a whole series of boxes to form a product cipher, as shown in Fig. 3 below. Sep.23/2003 3

4 Product Cipher S1 S5 S9 S2 S6 S10 P1 P2 P3 P4 S3 S7 S11 S4 S8 S12 Fig. 3 In this example, 12 input lines are transposed by the first stage. In the second stage, the input is broken up into four groups of 3 bits, each of which is substituted independently of each others. By including four stages of permutation-substitution network in this product cipher, the output is made to be an exceedingly complicated function of the input. 2.2 The Feistel cipher Feistel proposed the use of a cipher that alternates substitutions and permutations, as we described above. This is a practical implementation of a product cipher that alternates confusion and diffusion functions. Fig. 4 below shows the Feistel cipher scheme. Fig. 4 Feistel Cipher The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L 0 and R 0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has inputs Li -1 and R i-1, derived from Sep.23/2003 4

5 the previous round, as well as a subkey Ki, derived from the overall K. in general, the subkeys are different from K and from each other. All rounds have the same structure. A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive OR of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey Ki. Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. Note 1: Note 2: The Feistel structure is a particular form of the substitution permutation network (SPN) proposed by Claude Shannon in his paper in The security of a Feistel structure depends on the choice of the following parameters and design features: (1) Block Size: Larger block sizes mean greater security. A block size of 64 bits is reasonable and is nearly universal in block cipher design. (2) Key Size: Larger key size means greater security but may decrease encryption/decryption speed. Key sizes of 64 bits or less are now widely considered to be inadequate, and 128 bits has become a common size. (3) Number of Rounds: The multiple rounds offer increasing security. A typical size is 16 rounds. (4) Subkey Generation Algorithm: Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis. (5) Round Function: Greater complexity generally means greater resistance to cryptanalysis. Note 3: Note 4: Feistel cipher is an example of product ciphers, in which one encryption is applied to the result of another. Product ciphers resemble the product or composition of two functions in mathematics. Therefore, if e k1 (.) and e k2 (.) are two transposition ciphers following a regular pattern, their product e k1 (e k2 (y)) is also a regular pattern. That is, the product cipher formed by using the output of e k1 (.) as the input to e k2 (.) is a complicated function, but it is still regular. The Caesar s substitution and mono-alphabetic transposition ciphers are stream ciphers; i.e., they convert one symbol of plaintext immediately into a symbol of ciphertext. Block cipher encrypts a group of Sep.23/2003 5

6 plaintext symbols as one block. Hill cipher, Feistel cipher and other transpositions are examples of block ciphers. Block ciphers work on blocks of plaintext and produce blocks of ciphertext, as shown for Feistel cipher. Note 5: In a Feistel cipher, shown in Fig. 4, each state is divided into two halves of equal length, say L i and R i. The round function g is: G(L i-1, R i-1, K i ) = (L i, R i ) where: L i = R i-1 R i = L i-1 f (R i-1, K i ) The exclusive OR (XOR) has the following properties: A B C = A B C D D = 0 E 0 = E Therefore the function f in Feistel cipher does not need to satisfy any type of one-to-one property; i.e., injectivity property. This is because a Feistel-type round function is always invertible, given the round key, as shown below: L i-1 f (R i-1,k i ) f (R i-1,k i ) = R i f (R i-1,k i ) R i-1 = L i Note 6: (Feistel Decryption Algorithm) The process of decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows: Use the ciphertext as input to the Feistel structure, but use the subkey K i in reverse order That is, use K n in the first round, K n-1 in the second round, and so on until K 1 is used in the last round. Therefore, we need not to implement Sep.23/2003 6

7 two different algorithms (or structures), one for encryption one for decryption. 2.3 Long and Random Number Keys It seems that the safety of the Feistel and similar ciphers depends on the size and randomness of the key used. Also, XOR used in the round function is a basic machine instruction on computers, making it easier to implement this algorithm, as shown in the following figure Same Series of Numbers Long Random Numbers Round i I am Li F Ki Ri Round i F plaintext XOR combining function ciphertext Li Ki Ri Original plaintext Encryption Decryption Fig 5 Use of Long Size Key. 2.4 Symmetric Encryption Systems The algorithms presented in this chapter so far are all single key or conventional encryption algorithms, in which both the encryptor and the decryptor use the same key, which must be kept secret. Single key systems are called symmetric encryption systems or secret key, or sometimes private key systems. The symmetric systems provide a two-way secure channel to their users. Alice and Bob share a secret key, and they can both encrypt information to send to each other as well as decrypt information received from the other. Sep.23/2003 7

8 The symmetry of this situation is a major advantage. However, symmetric key systems have several difficulties: (a) If the key is compromised, the opponents, such as Oscar, can immediately decrypt all encrypted information they have available. For this reason, in practice, the keys are changed fairly frequently so that a compromised key will reveal only a limited amount of information. (b) Distribution of keys becomes a problem. Keys must be transmitted with utmost security. For applications that extend throughout the world, this can be a complex task. One approach is to distribute the keys pieces under separate channels, so that any one discovery will not produce full key. This approach is shown in the following Fig 6. k1 Encrypted Channel Trust Worthy channel K3 Secure channel K5 Certified Mail K2 Seder separates key Courier K4 Receiver reassembles key K1 K2 K3 K4 K5 key K2 key K5 Fig 6 Key Distribution in Pieces (c) It can be shown that the number of keys increases with the square of the number of people exchanging secret information. (d) The symmetric key encryption systems described so far have been relatively weak, vulnerable to various cryptanalysis attacks. A secure symmetric key system must be based on mathematically complex problems, Sep.23/2003 8

9 problems that have interested mathematicians for years. In the next section we describe a secure encryption algorithm adopted in 1977 by the USA National Institute of Standards and Technology (NIST) called Data Encryption Algorithm (DEA) or Data Encryption Standard (DES). 2.5 The Data Encryption Standard ( DES ) The Data Encryption Standard (DES) is a system developed for the U.S. government for use accepted as a cryptographic standard both in the United States and aboard. Many hardware and software systems have been designed using the DES. However, recently its adequacy has been questioned Background and History The new era in cryptography began in the late 1960 s, when companies began needing secure ways to send files. At the time, there was no industry standard no widely accepted encryption method that had a universal seal of approval. Financial institutions in particular wanted a standard encryption method that they could have confidence in and could use for data exchange. Because U.S. national security depends on secure cryptography, government agencies involved in cryptography, such as the National Security Agency (NSA) had not been open with their expertise. [Some people say that NSA stands for No Such Agency or Never Say Anything!]. In 1972, NIST, then known as the National Bureau of Standards, issued a call for proposal for a public encryption algorithm. This led ultimately to the adoption of Data Encryption Standard, or DES, which became the most widely used cryptosystem in the world. DES was developed at IBM, as a modification of an earlier system known as Lucifer. Much of the underlying DES cipher research is credited to the IBM researcher, Horst Feistel, who in 1967 began experimenting with a combination of substitution and transposition ciphers. The Feistel Cipher was described earlier in this chapter. Before computers, transposition was difficult to mechanize and too complex to do by hand. Increases in the size of computer memory made it possible for Feistel to use transposition in his system. Feistel blocks are still used in many (if not most) symmetric encryption systems. DES did not evolved into the standard without significant discussion and even suspicion by some participants suspicion that still continues. NIST requested and received assistance from NSA on DES development. Some people have said that NSA modified DES so that the agency could easily reclaim plaintext without using a brute force attack, installing what is commonly known as a trapdoor function. NSA shortened the secret key originally proposed by IBM to 56 bits from 128 bits. Sep.23/2003 9

10 Even in the 1970 s, it was argued that a special purpose machine could be built to carry out a known plaintext attack, which would essentially perform an exhaustic search for the key. That is given a 64-bit plaintext x and corresponding ciphertext y, every possible key would be tested until a key K is found such that e k (x) = y. As early as 1977, one could build a VLSI chip, which could test10 6 keys per second. A machine with 10 6 chips could search the entire key-space in about a day. Some people believe that NSA altered IBM s algorithm to ensure that IBM had not secretly included its own trapdoor function. Some people also believe that NSA wanted to control the use of DES and expected DES to be implemented only in hardware. Despite the controversy, DES was adopted as the federal standard for unclassified document in 1977, as Federal Information Processing Standard 46 (FIPS PUB 46). It is the most widely used cryptographic method in history. The 1977 DES standard mandated a review every five years. In 1983, DES was approved for five more years. Then in 1993, DES was again approved for yet another five years. In 1997, NIST solicited candidates for a new secret key encryption standard, Advanced Encryption Standard (AES). NIST announced the candidates for AES, successor to DES, in 1999, and in October 2000, NIST selected Rijndael. (See < >) Description of DES DES is a special type of iterated cipher called a Feistel cipher. We described the basic form of a Feistel cipher earlier. An outline of DES is shown in Fig 7. Plaintext is encrypted in blocks of 64 bits, yielding 64 bits of ciphertext. In other words, DES is a 16-round Feistel cipher having block length 64; it encrypts a plaintext bit-string x (of length 64) using a 56-bit key K, obtaining a ciphertext bitstring ( of length 64 ). The algorithm, which is parameterized by this 56-bit key, has 19 distinct stages. The first stage is a key independent transposition (permutation) on the 64-bit plaintext. The last stage is the exact inverse of this transposition. The stage prior to the last one exchanges the leftmost 32bits with the rightmost 32 bits. The remaining 16 stages are consisting of 16 iterations of the identical functions but are parameterized by different subkeys. The algorithm has been designed to allow decryption to be done with the same key as encryption. The steps are just run in the reverse order. The left hand side of the figure shows that first the 64-bit plaintext passes through the initial permutation (IP), which rearranges the bits to produce the permutated input. Sep.23/

11 64-bit plaintext 56-bit key Initial permutation Permuted choice 1 Round 1 K1 Permutation choice 2 Left circular shift K2 Round 2 Permuted choice 2 Left circular shift K16 Round 16 Permuted choice 2 Left circular shift 32-bit swap Inverse initial permutation 64-bit ciphertext Sep.23/

12 Fig 7 General Description of DES Encryption Algorithm This is followed by 16 rounds of iterations; the left and right halves of the output from round 16 are swapped to produce an input to be passed through a permutation function (IP) -1, to produce the 64 bit ciphertext. The right hand portion of Figure 7 shows the way in which the 56 bit key is used. Initially the key is passed through a permutation function (i.e., permuted choice 1 in this figure). Then, for each of the 16 iterations, a subkey Ki is produced by the combination of a left circular shift and a permutation (permutated choice 2 in this figure). The permutation function is the same for each iteration, but a different subkey is produced because of the repeated shifting of the key bits. The operation of one of these 16 rounds is illustrated in Fig. 8 (above). Each round takes two 32 bit inputs and produces two 32 bit outputs. The left and right halves of each 64 bit intermediate value are treated as separate 32 bit quantities, labeled L (left) and R (right). The overall processing at each iteration can be summarized in the following formulas: Sep.23/

13 L i = R i 1 R = L F( R, K ) i i 1 i 1 i where + denotes XOR function. That is, the left output is simply a copy of the right input. The right output is the bit-wise EXCLUSIVE OR of the left input and a function of the right input and the key for this round, K i. All the complexity lies in this function. This complex function involves both permutation and substitution operation. The function F consists of four steps, carried out in sequence. First, a 48 bit number, E, is constructed by expanding the 32 bit R i-1 according to a fixed transposition and duplication rule. Second, E and K i are EXCLUSIVE ORed together. This output is then partitioned into eight groups of 6 bits each, each of which is fed into a different S box. Each of the 64 possible inputs to an S box is mapped onto a 4 bit output. This step uses eight S boxes. Each S box mapped six bits to four bits. Finally, the 8 4 bits, outputs of eight S boxes, are passed through a permutation operator, i.e. a P box. In each of the 16 iterations, a different key is used. Figure 7 shows that before the algorithm starts, a 56 bit transposition is applied to the key. Figure 8 shows that just before each iteration, the key is partitioned into two 28 bit units, each of which is rotated left (i.e. circular left shift) by a number of bits dependent on the iteration number. K i is derived from this rotated key by applying yet another 56 bit transposition to it. A different 48 bit subset of the 56 bit is extracted and permuted on each round. The process of decryption with DES is essentially the same as the encryption process. The rule is as follows: use the ciphertext as input to the DES algorithm, but use the keys K i in reverse order. That is, use K 16 on the first iteration, K 15 on the second iteration, and so on until K 1 is used on the sixteenth and last iteration. 2.6 DES Modes of Operation The DES algorithm is basically a monoalphabetic substitution cipher using a 64 bit character. Whenever the same 64 bit plaintext block goes in the front end, the same 64 bit ciphertext block comes out the back end. A cryptanalyst can exploit this property to help break DES. To apply DES in a variety of application four modes of operation have been defined (FIPS PUB 74, 81). These four modes are intended to cover virtually all the possible application of encryption for which DES could be used. The modes are described as follows and summarized in Table 1. These same modes can be applied for any symmetric block cipher. Sep.23/

14 Electronic Code Book (ECB) Cipher Block Chaining (CBC) Table 1 DES Modes of Operation Mode Description Typical Application Each block of 64 plaintext bits Secure transmission of is encoded independently using single values (e.g. an the same key. encryption key) Cipher Feedback (CFB) Output Feedback (OFB) The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. Input is processed J bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of ciphertext. Similar to CFB, except that the input to the encryption algorithm is the preceding DES output. General-purpose blockoriented transmission Authentication General-purpose blockoriented transmission Authentication Stream-oriented transmission over noisy channel (e.g. satellite communication) Triple DES Given the potential vulnerabilities of DES to a brute-force attack, there has been considerable interest in finding an alternative. One approach is to design a completely new algorithm. Examples are International Data Encryption Algorithm (IDEA), Advanced Encryption Standard (AES), Blowfish, RC5, CAST (developed by Carlisle Adams and Stafford Tavares in 1997) and RC2. Another alternative, which would preserve the existing investment in software and equipment, is to use multiple encryptions with DES and multiple keys. The simplest form of multiple encryption has two stages and two keys as shown in Figure below. Given Plaintext P and two encryption keys K 1 and K 2, ciphertext C is generated as: Sep.23/

15 K1 K2 P E X E C K2 Encryption K1 C D X D P Decryption (a) Double Decryption K1 K2 K1 P C E D E Encryption K1 K2 K1 D E D Decryption (b) Triple Encryption Figure Multiple Encryption C P C = e k2 (e k1 (P)) Decryption requires that the keys be applied in reverse order: P = d k1 (d k2 (C)) For DES, this scheme apparently involves a key length of 56 x 2 = 112 bits, resulting in a dramatic increase in cryptographic strength. Sep.23/

16 Note 1: It can be shown that any block encryption cipher such as Double DES is mot immune to an attack known as a meet-in-the-middle attack, which was first described by Diffie and Hellman in An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys. However, it has the drawback of requiring a key length of 56 x 3 = 168 bits, which may be somewhat unwieldy. As an alternative, there has been proposed a triple encryption method that uses only two keys. The function follows an encryption-decryption-encryption (EDE) sequence, as shown in the previous figure: C = e k1 (d k2 (e k1 (P))) Note 2: The advantage of the use of decryption for the second record stage is that it allows users of 3DES to decrypt data encrypted by using the older version of single DES: Note 3: C = e k1 (d k1 (e k1 (P))) = e k1 (P) Triple DES (or 3DES) with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANS X9.17 and ISO Note 4: Many researchers now feel that three-key triple DES is the preferred alternative. Three-key 3DES has an effective key length of 168 bits and is defined as follows: C = e k3 (d k2 (e k1 (P))) Backward compatibility with DES is provided by putting K 3 = K 2 or K 1 = K 2. Note 5: A number of Internet-based applications have adopted three-key 3DES, including PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extension). Sep.23/

17 2.6.2 Electronic Code-Book Mode This is the simplest mode, in which plaintext is handled 64 bits at a time and each block of plaintext is encrypted using the same key, as shown in the following Fig. 9. The term code-book is used because, for a given key, there is a unique ciphertext for every 64-bit block of plaintext. For a message longer than 64 bits, the procedure is simply to break the message into 64-bit blocks, padding the last block if necessary. Decryption is performed one block at a time, always using the same key. In Fig. 9, the plaintext (padded as necessary) consists of a sequence of 64-bit blocks, P 1, P 2,, P N ; the corresponding sequence of ciphertext blocks is C 1, C 2,, C N. Note 1 If the message has repetitive elements, with a period of repetition a multiple of 64 bits, then these elements can be identified by the analyst. To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks. DES can be chained in various ways so that replacing a block will cause the plaintext decrypted starting at the replaced block to be garbage Cipher Block Chaining Mode One way of chaining is cipher block chaining (CBC). In this method, shown in Fig. 10 (below), each plaintext block is XORed with the previous ciphertext block before being encrypted. Consequently, the same plaintext block no longer maps Sep.23/

18 onto the same ciphertext block, and the encryption is no longer a big monoalphabetic substitution cipher. The same key is used for each block. The first block is XORed with a randomly chosen initial vector(iv), which is transmitted along with the ciphertext. For maximum security, the IV should be protected as well as the key. This could be done by sending the IV using ECB encryption. For decryption, each cipher block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext block. To see that this works, we can write: C = e ( C P ) n k n 1 n Then d ( C ) = d [ e ( C P)] = ( C P ) k n k k n 1 n n 1 n C d ( C ) = C C P = P n 1 k n n 1 n 1 n n However, the CBC has the disadvantage of requiring an entire 64-bit block to arrive before decryption can begin. Sep.23/

19 2.6.3 Cipher Feedback Mode For byte-by-byte encryption, cipher feedback (CFB) mode, shown in Fig. 11 below, can be used. For example, if 8-bit characters are being transmitted, each character should be encrypted using 8 bits. If more than 8 bits are used, transmission capacity is wasted. In the figure, it is assumed that the unit of transmission is j bits; a common value is j=8. As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext. First, consider encryption. The input to the encryption function is a 64-bit shift register that is initially set to some initialization vector (IV). The leftmost (most significant) j bits of the output of the encryption function are XORed with the first unit of plaintext P 1 to produce the first unit of ciphertext C 1, which is then transmitted. In addition, the contents of the shift register are shifted left by j bits and C 1 is placed in the rightmost (least significant) j bits of the shift register. This process continues until all plaintext units have been encrypted. Sep.23/

20 For decryption, the same scheme is used, except that the received ciphertext unit is XORed with the output of the encryption function to produce the plaintext unit. Note that the contents of the shift register depend on the entire previous history of the plaintext, so pattern that repeats multiple times in the plaintext will be encrypted differently each time in the ciphertext. In addition to its use to achieve confidentiality, the CFB mode can be used for authentication. As an aside, it should be noted that if one bit of the ciphertext is accidentally inverted during transmission, the 8 bytes that are decrypted while the bad byte is in the shift register will be corrupted. Once the bad byte is pushed out of the shift register, correct plaintext will once again be generated. Thus the effects of a single inverted bit are relatively localized and do not ruin the rest of the message. Nevertheless, if the effect of 1-bit transmission error is too large, a fourth option, output feedback (OFB) mode, exists Output Feedback Mode It is identical in structure to that of CFB, as shown in Fig. 12 (below). Sep.23/

21 As can be seen, it is the output of the encryption function that is fed back to the shift register in OFB, whereas in CFB, the ciphertext unit is fed back to the shift register. One advantage of OFB method is that bit errors in transmission do not propagate. For example, if a bit error occurs in C 1, only the recovered value of P 1 is affected; subsequent plaintext units are not corrupted. With CFB, C 1 also serves as input to the shift register and therefore causes additional corruption downstream. The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB. Thus, it should be avoided for general-purpose use. The ECB mode should also be avoided except under special circumstances (e.g., for encrypting a single random number, such as a session key or the IV). For normal operation, CBC should be used when the input arrived in 8-byte units (e.g., for encrypting disk files) and CFB mode should be used for irregular input streams, such as keyboard input. Sep.23/