Content of this part

Similar documents
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Block Cipher Operation. CS 6313 Fall ASU

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

CSC 474/574 Information Systems Security

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Data Encryption Standard (DES)

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Lecture 1 Applied Cryptography (Part 1)

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Block Cipher Modes of Operation

Double-DES, Triple-DES & Modes of Operation

7. Symmetric encryption. symmetric cryptography 1

Modes of Operation. Raj Jain. Washington University in St. Louis

Chapter 3 Block Ciphers and the Data Encryption Standard

P2_L6 Symmetric Encryption Page 1

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Secret Key Cryptography

Summary on Crypto Primitives and Protocols

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Network Security Essentials Chapter 2

Introduction to Cryptography. Lecture 3

Stream Ciphers and Block Ciphers

Symmetric key cryptography

Some Aspects of Block Ciphers

Applied Cryptography Data Encryption Standard

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Introduction to Cryptography. Lecture 3

Symmetric Encryption. Thierry Sans

ECE 646 Lecture 8. Modes of operation of block ciphers

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Chapter 6 Contemporary Symmetric Ciphers

Computer Security 3/23/18

Computer Security CS 526

Network Security Essentials

Block Cipher Modes of Operation

Symmetric Cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography

Block Cipher Operation

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

CENG 520 Lecture Note III

Content of this part

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Stream Ciphers and Block Ciphers

Solutions to exam in Cryptography December 17, 2013

Processing with Block Ciphers

CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Introduction to Symmetric Cryptography

CSCE 548 Building Secure Software Symmetric Cryptography

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

AN ABSTRACT OF THE THESIS OF

Stream Ciphers An Overview

3 Symmetric Cryptography

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

Using block ciphers 1

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

Cryptanalysis. Ed Crowley

Practical Aspects of Modern Cryptography

Crypto: Symmetric-Key Cryptography

n-bit Output Feedback

Cryptography ThreeB. Ed Crowley. Fall 08

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Stream Ciphers. Stream Ciphers 1

05 - WLAN Encryption and Data Integrity Protocols

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Symmetric Encryption Algorithms

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:

Cryptographic Concepts

CPSC 467b: Cryptography and Computer Security

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

CIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

1 Achieving IND-CPA security

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Unit 8 Review. Secure your network! CS144, Stanford University

Cryptography [Symmetric Encryption]

CPSC 467: Cryptography and Computer Security

CSCE 715: Network Systems Security

CPSC 467b: Cryptography and Computer Security

Winter 2011 Josh Benaloh Brian LaMacchia

Private-Key Encryption

Cryptography 2017 Lecture 3

The Rectangle Attack

Computational Security, Stream and Block Cipher Functions

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Block Ciphers Introduction

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Block Ciphers. Advanced Encryption Standard (AES)

Symmetric Key Cryptography

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Lecture 4: Symmetric Key Encryption

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Transcription:

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this part Encryption with Block Ciphers: Modes of Operation Electronic Code Book mode (ECB) Cipher Block Chaining mode (CBC) Output Feedback mode (OFB) Cipher Feedback mode (CFB) Counter mode (CTR) Galois Counter Mode (GCM) Exhaustive Key Search Revisited Increasing the Security of Block Ciphers Cryptanalysis principles ECE597/697 Koren Part.5.2 Page 1

Block Ciphers A block cipher is much more than just an encryption algorithm, it can be used... to build different types of block-based encryption schemes to realize stream ciphers to construct hash functions to make message authentication codes to build key establishment protocols to make a pseudo-random number generator... The security of block ciphers also can be increased by key whitening multiple encryption ECE597/697 Koren Part.5.3 Encryption with Block Ciphers There are several ways of encrypting long plaintexts, e.g., an e-mail or a computer file, with a block cipher ( modes of operation ) These modes of operation have three goals: In addition to confidentiality, some of them provide authenticity and integrity:»is the message really coming from the original sender? (authenticity)»was the ciphertext altered during transmission? (integrity) ECE597/697 Koren Part.5.4 Page 2

Electronic Code Book mode (ECB) e k (x i ) = encryption of a b-bit plaintext block x i with key k e k -1 (y i ) = decryption of b-bit ciphertext block y i with key k Messages which exceed b bits are partitioned into b-bit blocks Each Block is encrypted separately x1 x2 xi ek ek ek y1 y2 yi Padding of last block: Include non-data values (e.g., Null) Include number of bytes in padding And/or number of plaintext bytes ECE597/697 Koren Part.5.5 ECB: advantages/disadvantages Advantages no block synchronization between sender and receiver is required bit errors caused by noisy channels only affect the corresponding block but not succeeding blocks Block cipher operations can be parallelized»advantage for high-speed implementations Disadvantages ECB encryption highly deterministic»identical plaintexts result in identical ciphertexts»an attacker recognizes if the same message has been sent twice»plaintext blocks are encrypted independently of previous blocks an attacker may reorder ciphertext blocks which results in valid but incorrect plaintext ECE597/697 Koren Part.5.6 Page 3

Substitution Attack on ECB Once a particular plaintext to ciphertext block mapping x i y i is known, a sequence of ciphertext blocks can easily be manipulated Suppose an electronic bank transfer encryption key between banks does not change frequently The attacker sends $1 transfers from his account at bank A to his account at bank B several times»he can check for ciphertext blocks that repeat, and he stores blocks 1,3 and 4 of these transfers He can now replace block 4 of other transfers (having the same blocks 1&3) with the block 4 that he stored before ECE597/697 Koren Part.5.7»all transfers from some account of bank A to some account of bank B are redirected to go into the attacker s B account»integrity violation does not break the cipher Example of encrypting bitmaps in ECB mode Identical plaintexts are mapped to identical ciphertexts Statistical properties in the plaintext are preserved in the ciphertext ECE597/697 Koren Part.5.8 Page 4

Cipher Block Chaining mode (CBC) There are two main ideas behind the CBC mode: The encryption of all blocks are chained together»ciphertext y i depends not only on block x i but on all previous plaintext blocks as well The encryption is randomized by using an initialization vector (IV) Encryption (first block): y 1 = e k (x 1 IV) Encryption (general block): y i = e k (x i y i 1 ), i 2 Decryption (first block): x 1 = e 1 k (y 1 ) IV Decryption (general block): x i = e 1 k (y i ) y i 1, i 2 ECE597/697 Koren Part.5.9 Cipher Block Chaining mode (CBC) For the 1st plaintext block x 1 there is no previous ciphertext an IV is added to the first plaintext to make each CBC encryption nondeterministic the first ciphertext y 1 depends on plaintext x 1 and the IV The 2nd ciphertext y 2 depends on the IV, x 1 and x 2 The 3rd ciphertext y 3 depends on the IV and x 1, x 2 and x 3, and so on Encryption Decryption ECE597/697 Koren Part.5.10 Page 5

Substitution Attack on CBC Consider the last example: If the IV is properly chosen for every wire transfer, the attack will not work at all If the IV is kept the same for several transfers, the attacker would recognize the transfers from his account at bank A to bank B If we choose a new IV every time we encrypt, the CBC mode becomes a probabilistic encryption scheme, i.e., two encryptions of the same plaintext look entirely different It is not needed to keep the IV secret - the IV should be a non-secret nonce (value used only once) Integrity can still be violated (e.g., replacing blocks 4&5) Can not be encrypted in parallel, decryption? If a bit in a block is flipped in transmission all remaining blocks are garbled ECE597/697 Koren Part.5.11 Output Feedback mode (OFB) Used to build a synchronous stream cipher from a block cipher Key stream is not generated bitwise but in a block-wise fashion The cipher output generates key stream bits S i Key stream independent of ciphertext can be generated in parallel Encryption Decryption Encryption (first block): s 1 = e k (IV) and y 1 = s 1 x 1 Encryption (general block): s i = e k (s i 1 ) and y i = s i x i, i 2 Decryption (first block): s 1 = e k (IV) and x 1 = s 1 y 1 Decryption (general block) : s i = e k (s i 1 ) and x i = s i y i, i 2 ECE597/697 Koren Part.5.12 Page 6

Cipher Feedback mode (CFB) Uses a block cipher as a building block for asynchronous stream cipher (similar to OFB mode), better name: Ciphertext Feedback Mode Key stream S i generated in a block-wise fashion and is also a function of the ciphertext By using IV, CFB encryption is also nondeterministic Encryption Decryption Encryption (first block): y 1 = e k (IV) x 1 Encryption (general block): y i = e k (y i 1 ) x i, i 2 Decryption (first block): x 1 = e k (IV) y 1 Decryption (general block): x i = e k (y i 1 ) y i, i 2 Can be used when short plaintext blocks (e.g., byte) are to be encrypted shift input to the left and use the 8-bit ciphertext ECE597/697 Koren Part.5.13 CFB byte at a a time Encryption Decryption If one ciphertext byte is lost all remaining bytes will be decrypted incorrectly. ECE597/697 Koren Part.5.14 Page 7

Counter mode (CTR) A block cipher generates a stream cipher (like OFB and CFB) The key stream is computed in a block-wise fashion The input to the block cipher is a counter which assumes a different value every time the block cipher computes a new key stream block Shorter IV Need not to be replaced every time Unlike OFB and CFB modes, the CTR mode can be parallelized since the 2 nd encryption can begin before the 1 st one has finished Desirable for high-speed implementations, e.g., in network routers Encryption: y i = e k (IV CTR i ) x i, i 1 Decryption : x i = e k (IV CTR i ) y i, i 1 AES-CTR is the basis for Wi-fi Protected Access WPA2 ECE597/697 Koren Part.5.15 ECE597/697 Koren Part.5.16 Galois Counter Mode (GCM) It also computes a message authentication code (MAC), i.e., a cryptographic checksum is computed for a message (see Chapter 12 in Understanding Cryptography) By making use of GCM, two additional services are provided: Message Authentication»the receiver can make sure that the message was really created by the original sender Message Integrity»the receiver can make sure that nobody tampered with the ciphertext during transmission Inputs: plaintext (x i ), IV and AAD = Additional Authentication Data IV and AAD transmitted in the clear AAD can include network address, port, sequence number etc Outputs: ciphertext (y i ) and authentication tag T Page 8

Galois Counter Mode (GCM) For encryption An initial counter is derived from an IV The initial counter value is incremented then encrypted and XORed with the first plaintext block For subsequent plaintexts, the counter is incremented and then encrypted For authentication For every plaintext an intermediate authentication parameter g i is derived» g i is computed as the XOR of the current ciphertext and the last g i-1, and multiplied by a constant H H is generated by encryption of the zero input with the block cipher Initial g: g 0 =H AAD (Galois field multiplication) All multiplications are in the 128-bit Galois field GF(2 128 ) mod the irreducible polynomial 128 7 2 P( x) = x + x + x + x + 1 ECE597/697 Koren Part.5.17 Galois Counter Mode (GCM) AAD = Additional Authentication Data Encryption: a. Derive a counter value CTR 0 from the IV and compute CTR 1 = CTR 0 + 1 b. Compute ciphertext: y i = e k (CTR i ) x i, i 1 Authentication: a. Generate authentication subkey H = e k (0) b. Compute g 0 = AAD H (Galois field multiplication) c. Compute g i = (g i 1 y i ) H, 1 i n (Galois field multiplication) d. Final authentication tag: T = (g n H) e k (CTR 0 ) ECE597/697 Koren Part.5.18 Page 9

Exhaustive Key Search Revisited A simple exhaustive search for a DES key knowing one pair (x 1,y 1 ): DES (i)? k (x 1 ) = y 1, i = 0,1,...,2 56 1 However, for most other block ciphers a key search is somewhat more complicated A brute-force attack can produce false positive results keys k i that are found are not the one used for the encryption The likelihood of this is related to the relative size of the key space and the plaintext space A brute-force attack is still possible, but several pairs of plaintext ciphertext are needed ECE597/697 Koren Part.5.19 An Exhaustive Key Search Example Assume cipher block width 64 bit and key size 80 bit If we encrypt x 1 under all possible 2 80 keys, we obtain 2 80 ciphertexts However, there exist only 2 64 different ones If we run through all keys for a given plaintext ciphertext pair, we find up to 2 80 /2 64 = 2 16 keys that perform the mapping e k (x 1 ) = y 1 Given a block cipher with a key length of k bits and block size of n bits, as well as t plaintext ciphertext pairs (x 1, y 1 ),..., (x t, y t ), the expected number of false keys which encrypt all plaintexts to the corresponding ciphertexts is: 2 k tn In this example assuming two plaintext-ciphertext pairs, the likelihood is 2 80 2 64 =2 48 for almost all practical purposes two plaintext-ciphertext pairs are sufficient ECE597/697 Koren Part.5.20 Page 10

Increasing the Security of Block Ciphers If we wish to increase the security of block ciphers, e.g., DES available in hardware for legacy reasons Two approaches are possible Multiple encryption: theoretically more secure, but in practice may increase the security very little Key whitening Double Encryption: A plaintext x is first encrypted with key k L, and the resulting ciphertext is encrypted again using a 2nd key k R Assuming a key length of k bits, an exhaustive key search would require 2 k 2k = 2 2k encryptions or decryptions ECE597/697 Koren Part.5.21 Meet-in-the-Middle Attack A Meet-in-the-Middle attack requires 2 k +2 k = 2 k+1 operations Phase I: for the given (x 1, y 1 ) the left encryption is brute-forced for all k L,i, i=1,2,..., 2 k and a lookup table with 2 k entry (each n+k bits wide) is computed»the lookup table should be ordered by the result of the encryption (z L,i ) Phase II: the right encryption is brute-forced (using decryption) and for each z R,i it is checked whether z R,i is equal to any z L,i value in the table of the first phase Computational Complexity number of encryptions and decryptions = 2 k +2 k = 2 k+1 number of storage locations = 2 k Double encryption is not much more secure then single encryption ECE597/697 Koren Part.5.22 Page 11

Triple Encryption Encryption of a block three times y = e k3 (e k2 (e k1 (x))) In practice a variant scheme is often used EDE (encryptdecrypt-encrypt) y = e k3 (e -1 k2 (e k1 (x))) Advantage: choosing k1=k2=k3 performs single DES encryption Still we can perform a meet-in-the middle attack, and it reduces the effective key length of triple encryption from 3k to 2k The attacker must run 2 112 tests in the case of 3DES Triple encryption effectively doubles the key length ECE597/697 Koren Part.5.23 Key Whitening Makes block ciphers such as DES much more resistant against brute-force attacks In addition to the regular cipher key k, two whitening keys k 1 and k 2 are used to XOR-mask the plaintext and ciphertext It does not strengthen block ciphers against most analytical attacks such as linear and differential cryptanalysis It is not a cure for inherently weak ciphers The additional computational load is negligible Its main application is ciphers that are relatively strong against analytical attacks but possess too short a key space especially DES A variant of DES which uses key whitening is called DESX ECE597/697 Koren Part.5.24 Page 12

Cryptanalysis Linear cryptanalysis search for an approximated linear relation among bits of plaintext-ciphertext pairs and bits of the key due to imperfect cipher structure DES: 2 43 known plaintext-ciphertext pairs to find the key (1993) Differential cryptanalysis track how differences between two plaintexts affect the corresponding difference between the ciphertexts. Search for nonrandom behavior DES: 2 47 plaintext-ciphertext pairs to find the key (1990) ECE597/697 Koren Part.5.25 Lessons Learned There are many different ways to encrypt with a block cipher. Each mode of operation has some advantages and disadvantages Several modes turn a block cipher into a stream cipher There are modes that perform encryption together with authentication, i.e., a cryptographic checksum protects against message manipulation The straightforward ECB mode has security weaknesses, independent of the underlying block cipher The counter mode allows parallelization of encryption and is thus suited for high speed implementations Double encryption with a given block cipher only marginally improves the resistance against brute-force attacks Triple encryption with a given block cipher roughly doubles the key length, e.g., Triple DES (3DES) has an effective key length of 112 bits Key whitening enlarges the DES key length without much computational overhead. ECE597/697 Koren Part.5.26 Page 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback