7. Symmetric encryption. symmetric cryptography 1

Transcription

1 CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1

2 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption and decryption key spaces G : N K K, K key generation algorithm E : M K C, encryption algorithm D : C K M, decryption algorithm G,E,D must be efficient symmetric cryptography 2

3 Examples Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) Substitution Cipher: M = C = Z 26, with K=K The encryption algorithm is a mapping E k :M C -- E k (x) = (x), where k K is the key. The dencryption algorithm is a mapping D k :M C -- D k (y) = -1 (y). Shift Cipher: M = C = K = K = Z 26, with -- E k (x) = x + k mod D k (y) = y k mod26 where x,y Z 26 symmetric cryptography 3

4 Examples Examples Polyalphabetic ciphers: a plaintext message can be y p p p g encrypted into any ciphertext Vigenere cipher e k i m Ke u t s r q p o n m l k j i h g f e d c b a z y x w v y h p a r g o t p y r Plaintext e k i m Key t x e t n i a l p c t x e t r e h p i c y e k t x e t n i a l p symmetric cryptography 4 c r x m v q w f t i z o Ciphertext

5 Vernam cipher the one-time pad M = C = K = K = {0,1} n, n > 1. The keys k = k 1,k 2,, k n are selected at random in K with uniform distribution. Encryption is bit by bit at a time, with each ciphertext bit obtained by XORing each message bit with the corresponding key bit. Decryption is the same as encryption since the XOR operation is its own inverse. The special case when M = C = K = K = {0,1}*, and the key is only used once (one-time key) gives us a cipher with a strong security property: perfect secrecy. symmetric cryptography 5

6 Transposition (permutation) cipher Example M = C = (Z 26 ) m, m > 1, K=K is the set of all permutations of {1,,m}. For a key (permutation) -- e (x 1,, x m ) = (x (1),, x m) ) -- d (y 1,,yy m ) = (y (1),, y (1)) where (1) is the inverse of symmetric cryptography 6

7 Structure t of classical l ciphers Classical ciphers are based on: Substitution and Transposition. This is also the basis for modern ciphers symmetric cryptography 7

8 Cryptanalysis: y attacks on cryptosystems Ciphertext only attacks: the opponent possesses a string of ciphertexts: y 1,y 2, Known plaintext attack: the opponent possesses a string of plaintexts x 1,x 2, and the corresponding string of ciphertexts: y 1,y 2, symmetric cryptography 8

9 Usefulness of classical l ciphers Cryptanalysis of substitution ciphers: Known plaintext attack - easy to get the keys Ciphertext only attack -- use statistical properties of the language. Cryptanalysis of polyalphabetic (Vigenere) cipher: Known plaintext attack - easy to get the keys Ciphertext only attack -- use statistical: properties of the language. symmetric cryptography 9

10 Requirements for secure use of classical l ciphers The notion of information-theoretic cryptographic security was developed by Shannon and requires that: K M k U K and is used only once in each encryption This kind of security is not practical for most applications. symmetric cryptography 10

11 The one-time-pad -- Perfect secrecy Assume that there is a distribution on P, K. Then the plaintext and the keys are chosen with a certain probability. bili That is we have: Pr[x = x] and Pr[k = k], where x, k are random variables (r.v. s). symmetric cryptography 11

12 The one-time-pad -- Perfect secrecy The probability bili distribution ib i on P and K induces a distribution on C, for which: Pr [y = y] = k: y=e k (x), x P k For this distribution we have, Pr [k = k] Pr [x = d k (y)] Pr [x, y] = Pr [x = x] Pr [k = k] k: x=d k (y) symmetric cryptography 12

13 Perfect secrecy c Ui Using Bayes theorem we get: Pr [ x = x y = y] = Pr [x = x] Pr [k = k] K: x=d K (y) Pr [k = k] Pr [x = d k (y)] k: y=e k (x), x P this symmetric cryptography 13

14 Perfect secrecy Definition: iti We have perfect secrecy if: Pr[x = x y = y] = Pr[x = x], for all x P, y C. symmetric cryptography 14

15 Perfect secrecy Theorem The One-Time-Pad provides perfect secrecy. Proof We have: Pr [k = k] = 1 / K, and for each x P, y C there is exactly one key k with y = e k (x). symmetric cryptography 15

16 Perfect secrecy Proof (continued) Then Pr [y = y] = Pr [k = k] Pr [x = d k (y)] k: y=e k (x), x P = 1 / K Pr [x = d k (y)] k: y=ek (x), x P = 1/ K. symmetric cryptography 16

17 Perfect secrecy Proof (continued) Using Bayes theorem: Pr [x=x y=y] = Pr [y=y x=x] Pr [x=x] /Pr[y=y] = Pr [k=k] Pr [x=x] / Pr [y=y] We have just seen that: Pr [k=k] = Pr[y=y]. It follows that: Pr [x=x y=y] = Pr [x=x], so we have perfect secrecy. symmetric cryptography 17

18 Iterating Block ciphers 1. Key schedule (Binary) key k round keys: k 1,..., k Nr, 2. Round dfunction g w r = g(w r-1, k r ), where w r-1 is the previous state symmetric cryptography 18

19 Iterated cipher Encryption operation: w 0 x w 1 = g(w 0, k 1 ), w 2 = g(w 1, k 2 ), w Nr = g(w Nr-1, k Nr ), y w Nr symmetric cryptography 19

20 Iterated t cipher For decryption we must have: g(.,k) must be invertible for all k Then decryption is the reverse of encryption (bottom-up) symmetric cryptography 20

21 DES DESi is a special iltype of fiterated tdcipher ih called llda Feistel cipher. Block length 64 bits Key length 56 bits Ciphertext length 64 bits symmetric cryptography 21

22 DES The round function is: where g ([L i-1,r i-1 ]), K i ) = (L i, R i ), L i = R i-11 and R i = L i-11 XOR f (R i-1 1,K i ). symmetric cryptography 22

23 DES round encryption symmetric cryptography 23

24 DES inner function symmetric cryptography 24

25 DES computation path symmetric cryptography 25

26 One DES Round 64 bit input 32 bit R n 32 bit L n Inner Function K n + 32 bit L n+1 32 bit R n+1 64 bit output symmetric cryptography 26

27 Inner Function Combine 32bit input and d48bi bit key into 32 bit output Expand 32 bit input to 48 bits XOR the 48 bit key with the expanded 48 bit input Apply the S-boxes to the 48 bit input to produce 32 bit output Permute the resulting 32 bits symmetric cryptography 27

28 Inner Function Expand 32 bit input to 48 bits by adding a bit to the front and the end of each 4 bit segment. These bits are taken from adjacent bits. This String Notice several bit values are repeated: 4, 5, 8, 9, 28, 29, etc. Becomes this String symmetric cryptography 28

29 S Boxes There are 8 different S-Boxes, 1 for each chunk S-box process maps 6 bit input to 4 bit output S box performs substitution on 4 bits There are 8 possible substitutions in each S box Inner 4 bits are fed into an S box Outer 2 bits determine which substitution is used symmetric cryptography 29

30 S Boxes Use bits 1 & 6 to select the row Bits 2-5 to select the substitution symmetric cryptography 30

31 DES: The Initial and Final Permutations There is also an initial and a final permutation: the final permutation is the inverse of the initial Permutation. symmetric cryptography 31

32 Decrypting DES DES (and all Feistel structures) is invertible through reverse encryption because The input to the n th step is the output of the n-1 1 th step Everything needed (except the key) to produce the input to the inner function of the n-1 th step is available from the output of the n th step. So we can Work backwards to step 1. Note that the S-boxes are not reversible (and don't need to be) symmetric cryptography 32

33 Encrypt round n Decrypt round n+1 64 bit input 64 bit output 32 bit R n 32 bit R n K 32 bit L n Inner K n 32 bit L n Inner K n Function Function bit L n+1 32 bit R n+1 32 bit L n+1 32 bit R n+1 64 bit output 64 bit input symmetric cryptography 33

34 Key schedule INPUT: 64-bit key: k 1, k 2,, k 64 OUTPUT: sixteen 48-bit keys: k 1, k 2,, k 16 The algorithm used for generating the key schedule combines and selects bits of K to generate the round keys two bit selection tables. -- for details see Handbook of Applied Cryptography. symmetric cryptography 34

35 Weak Keys Let Co and Do are the 28 bit key halves There are 4 week keys in the keyspace (2 56 ) C 0 = All zeros & D 0 = All zeros C 0 = All ones & D 0 = All zeros C 0 = All zeros & D 0 = All ones C 0 = All ones & D 0 = All ones There are 12 semi-weak keys, where C o & D o are the following in some combination All zeros, All ones, , for details see Handbook of Applied Cryptography. symmetric cryptography 35

36 Attacks on iterated t ciphers Suppose that there a probabilistic linear relation between some plaintext bits and state bits immediately preceding the last round. Say the bits XOR to 0 with probability bounded away from ½. Linear cryptanalysis is a known plaintext attack. The attacker needs to know a large number of pairs (x i,y i ) encrypted with the same key K, and uses a linear relation to decrypt a given cipher symmetric cryptography 36

37 Kerchoffs assumption The adversary knows all details of the encrypting function except the secret key symmetric cryptography 37

38 Diffusion i and Confusion -- Shannon Diffusion. i The relationship between the statistics of the plaintext and the ciphertext is as complex as possible: the value of each plaintext bit affects many plaintext bits. Confusion: the relationship between the statistics of the ciphertext and the value of the key is as complex as possible. symmetric cryptography 38

39 Attacks on DES Brute force Linear Cryptanalysis -- Known plaintext attack Differential cryptanalysis Chosen plaintext t attack Modify plaintext bits, observe change in ciphertext No dramatic improvement on brute force symmetric cryptography 39

40 Linear cryptanalysis (known plantext) For each pair (x i,y i ), decrypt using all possible candidate keys for the last round and determine if the linear relation holds. If it does, increment a frequency counter for the candidate key used. Hopefully, at the end, this counter can be used to determine the correct values for the subkey bits. symmetric cryptography 40

41 Differential cryptanalysis (chosen plaintext) Differential cryptanalysis is a chosen plaintext t attack. In this case the XOR of two inputs x, x* is compared with that of the corresponding outputs y, y*. In general we look for pairs x, x* for which x =x+x* is fixed. For each such pair, decrypt y, y* using all possible candidate keys for the last round, and determine if their XOR has a certain value. Again use a frequency counter. Hopefully, at the end, this counter can be used to determine the correct values for the subkey bits. symmetric cryptography 41

42 The security of DES None of these attacks have a serious impact on the security of DES. The main problem with DES is that it has relatively l short key length. Consequently it is subject to brute-force or exhaustive key search attacks. One solution to overcome this problem is to run DES a multiple number of times. symmetric cryptography 42

43 Countering Attacks Large keyspace combats brute force attack Triple DES, typically two key mode: E k 1 D k2 E k1 Use AES symmetric cryptography 43

44 Triple DES Encryption: c = Ek 1 (Dk 2 (Ek 1 (m)) Decryption: m = D Dk 1 (Ek 2 (Dk 1 (c))) symmetric cryptography 44

45 AES Block length 128 bits. Key lengths 128 (or 192 or 256). The AES is an iterated cipher with Nr=10 (or 12 or 14) In each round we have: Sbk Subkey mixing: ii State Roundkey XOR State A substitution: SubBytes(State) A permutation: ShiftRows(State) & MixColumns(State) symmetric cryptography 45

46 Modes of operation Four basic modes of operation are available for block ciphers: Electronic codebook mode: ECB Cipher block chaining mode: CBC Cipher feedback mode: CFB Output feedback mode: OFB symmetric cryptography 46

47 Electronic Codebook mode, ECB Each plaintext x i is encrypted with the same key K: y i = e K (x i ). So, the naïve use of a block cipher. symmetric cryptography 47

48 ECB x 1 x 2 x 3 x 4 DES DES DES DES y 1 y 2 y 3 y 4 symmetric cryptography 48

49 Cipher Block Chaining mode, CBC Each cipher block y i-1 is xor-ed with the next plaintext x i : y i = e K (y i-1 XOR x i ) bf before bi being encrypted to get the next plaintext li y i. The chain is initialized with an initialization vector: y 0 = IV with length, the block size. symmetric cryptography 49

50 CBC x 1 x 2 x 3 x 4 IV DES DES DES DES y 1 y 2 y 3 y 4 symmetric cryptography 50

51 Cipher and Output feedback modes (CFB & OFB) CFB z 0 = IV and recursively: OFB z i = e K (y i-1 ) and y i = x i XOR z i z 0 = IV and recursively: z i = e K (z i-1 ) and y i = x i XOR z i symmetric cryptography 51

52 CFB mode x 1 x 2 IV e K + e K + e K y 1 y 2 symmetric cryptography 52

53 OFB mode IV e K e K x 1 x y 1 y 2 symmetric cryptography 53

54 Key Channel Establishment for symmetric ti cryptosystems t Conventional techniques Public-key techniques Quantum Key distribution techniques symmetric cryptography 54