Symmetric Key Cryptography


Symmetric Key Cryptography
Jooyoung Lee, School of Computing (GSIS), KAIST

Outline
1. Introduction to Symmetric Key Crypto
2. Stream Ciphers
3. Block Ciphers
   3.1 DES
   3.2 AES
   3.3 Modes of Operation
   3.4 Key Exhaustive Search and Meet-in-the-Middle Attack

(Symmetric Key) Cryptography
- Message Privacy: concealing the content of messages via encryption schemes, modes of operation, etc.
- Message Integrity: preventing an adversary from making unnoticed changes to the message via message authentication codes, authenticated modes of operation, etc.

Communication Over an Insecure Channel
[Figure: Alice (good) sends x to Bob (good) over an insecure channel; Oscar (bad), sitting on the channel, also obtains x.]

Symmetric Key Cryptography
[Figure: Alice computes y = e_k(x) and sends y over the insecure channel; Bob recovers x = d_k(y); the key k reaches both over a secure channel; Oscar (bad) obtains y.]
- x, y, k are called plaintext, ciphertext, key, respectively. The set of all possible keys is called the key space.
- We write y = e_k(x) and x = d_k(y); d_k(e_k(x)) = x for every key k.
- The problem of transmitting a message securely is reduced to the problems of transmitting a key secretly and of storing the key in a secure fashion.

A Message is a Binary String: ASCII Code
The ASCII code of a character is found by combining its Column Number (given in 3-bit binary) with its Row Number (given in 4-bit binary).

Row \ Column   000   001   010   011   100   101   110   111
0000           NUL   DLE   SP    0     @     P     `     p
0001           SOH   DC1   !     1     A     Q     a     q
0010           STX   DC2   "     2     B     R     b     r
0011           ETX   DC3   #     3     C     S     c     s
0100           EOT   DC4   $     4     D     T     d     t
0101           ENQ   NAK   %     5     E     U     e     u
0110           ACK   SYN   &     6     F     V     f     v
0111           BELL  ETB   '     7     G     W     g     w
1000           BS    CAN   (     8     H     X     h     x
1001           HT    EM    )     9     I     Y     i     y
1010           LF    SUB   *     :     J     Z     j     z
1011           VT    ESC   +     ;     K     [     k     {
1100           FF    FS    ,     <     L     \     l     |
1101           CR    GS    -     =     M     ]     m     }
1110           SO    RS    .     >     N     ^     n     ~
1111           SI    US    /     ?     O     _     o     DEL

Ex) "A" is represented by 1000001.

Key Length Should be Secure against Exhaustive Key Search
Definition (Basic Exhaustive Key Search) Let (x, y) denote a pair of plaintext and ciphertext, and let K = {k_1, ..., k_N} be the key space of all possible keys k_i. Exhaustive key search checks for every k_i ∈ K whether or not d_{k_i}(y) = x. If the equality holds, a possible correct key is found; if not, proceed with the next key.
- If an encryption algorithm uses n-bit keys, then exhaustive key search requires O(2^n) computational steps.
- If there is a smart attack whose complexity is less than O(2^n), then the encryption algorithm is said to be "broken".

Key Length
How many key bits are enough?
- Only relevant if exhaustive key search is the best known attack.
- The key lengths for symmetric and asymmetric algorithms are dramatically different.
Time for exhaustive key search on symmetric algorithms:
Key length     Security estimation
56-64 bits     short term: a few hours or days
112-128 bits   long term: several decades without quantum computers
256 bits       long term: several decades even with quantum computing algorithms

Stream Ciphers vs. Block Ciphers (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
- Stream ciphers encrypt bits individually.
- Block ciphers encrypt an entire block of plaintext bits at a time with the same key. Each key defines a permutation on {0, 1}^b.
- Most block ciphers have a block length of 128 bits (AES) or 64 bits (DES, 3DES).

Design Principles for Block Ciphers
- Confusion: the influence of one key bit is spread over many ciphertext bits.
- Diffusion: the influence of one plaintext bit is spread over many ciphertext bits. The goal of diffusion is to hide statistical properties of the plaintext.
- Achieved by substitution boxes (S-boxes) and permutation boxes (P-boxes).
- Iteration: substitution and permutation boxes are iterated, producing a product cipher.
[Figure: Confusion: the same x encrypted under k1 = 0010 1011 and k2 = 0000 1011 gives y1 = 1011 1001 and y2 = 0110 1100. Diffusion: x1 = 0010 1011 and x2 = 0000 1011 encrypted under the same k give y1 = 1011 1001 and y2 = 0110 1100.]

SP Network vs. Feistel Network
[Figure: an SP network (layers of S-boxes and a permutation) beside a Feistel network with halves L, R and round functions f keyed by K0, K1, K2, K3; source: http://en.wikipedia.org/wiki/file:substitutionpermutationnetwork2.png]
The round function f also uses an SPN. It should behave like a random function.

Confusion and Diffusion
- Failure to achieve the confusion property might allow an attack that is faster than exhaustive key search. What if a block cipher with a 2n-bit key and n-bit blocks can be written as E_{k1 k2}(x) = F_{k1}(x) F_{k2}(x) for some keyed function F?
- Failure to achieve the diffusion property might allow a statistical attack (letter frequency analysis).

A Substitution Cipher Using an Arbitrary Table
Idea: substitute each letter of the alphabet with another one according to an arbitrary table.
Example
A B C D E F G H I J K L M
k d w g u z b y s m t f e
N O P Q R S T U V W X Y Z
x v r a i h j c n o l q p
- What is the encryption of "SEVEN YEARS AGO"?
- What is the key of this cipher?
- How many keys can be used?
- How can this cipher be attacked?

Cryptanalysis of a Substitution Cipher
Observation: each plaintext symbol always maps to the same ciphertext symbol.
1. Frequency of letters in English text (%)
E      T      A     O     N     R     I     S     H     D     L     F     C
13.11  10.47  8.15  8.00  7.10  6.83  6.35  6.10  5.26  3.79  3.39  2.92  2.76
M     U     G     Y     P     W     B     V     K     X     J     Q     Z
2.54  2.46  1.99  1.98  1.98  1.54  1.44  0.92  0.42  0.17  0.13  0.12  0.08
2. Most common English bigrams (frequency per 1000 words)
th   he   an  re  er  in  on  at  nd  st  es  en  of  te  ed
168  132  92  91  88  86  71  68  61  53  52  51  49  46  46

Stream Ciphers (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
1. Synchronous stream ciphers use a key stream that depends only on the key (most stream ciphers).
2. Asynchronous stream ciphers use a key stream that depends on the key and the ciphertext.
Remark
1. Block ciphers are used more often than stream ciphers.
2. Stream ciphers tend to be more efficient than block ciphers: suitable for highly constrained environments.

Stream Ciphers (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
Definition (Stream cipher encryption and decryption) The plaintext, the ciphertext and the key stream consist of individual bits, i.e., x_i, y_i, s_i ∈ {0, 1}.
Encryption: y_i = e_{s_i}(x_i) = x_i + s_i mod 2 (= x_i ⊕ s_i)
Decryption: x_i = d_{s_i}(y_i) = y_i + s_i mod 2 (= y_i ⊕ s_i)
Remark
1. Encryption and decryption are the same function.
2. The generation of the key stream is the central issue for the security of stream ciphers (randomness).

Generating "Random" Key Streams
1. True Random Number Generators (TRNG): based on physical random processes (coin flipping, semiconductor noise, thermal noise, etc.); generate 0 and 1 with probability 1/2; typically used to generate session keys and nonces.
2. Pseudorandom Number Generators (PRNG): computed from an initial seed value; have good statistical properties.
3. Cryptographically Secure PRNG (CSPRNG): a PRNG with unpredictability: given N output bits s_i, s_{i+1}, ..., s_{N-1}, it should be hard to predict the next bit s_N.

An Unbreakable Stream Cipher
As a stream cipher:
- TRNG: a key stream should be shared between Alice and Bob (used in OTP)
- CSPRNG: a key should be shared between Alice and Bob
One-Time Pad (OTP)
A stream cipher for which
1. the key stream s_0, s_1, s_2, ... is generated by a TRNG, and
2. the key stream is only known to the legitimate communicating parties, and
3. every key stream bit s_i is only used once
is called a one-time pad. The one-time pad is unconditionally secure (i.e., it cannot be broken even with infinite computational resources).
Then what is the main drawback of OTP?

PRNG: Linear Feedback Shift Registers (LFSR)
- Feedback coefficients: p_0, ..., p_{m-1} ∈ {0, 1} (degree = m)
- Initial values: s_0, ..., s_{m-1} ∈ {0, 1}
- Recursive relation: s_{i+m} = (Σ_{j=0}^{m-1} p_j s_{i+j}) mod 2, i ≥ 0
- Characteristic polynomial: P(x) = x^m + p_{m-1} x^{m-1} + ... + p_1 x + p_0
Linear Feedback Shift Registers (LFSRs) (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
- Very efficient, easy to implement!
- Concatenated flip-flops (FF), i.e., a shift register together with a feedback path
- Feedback computes fresh input by XOR of certain state bits
- Degree m given by the number of storage elements

PRNG: Linear Feedback Shift Registers (LFSR)
Linear Feedback Shift Registers (LFSRs): Example with m = 3 (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
LFSR output described by the recursive equation s_{i+3} = s_{i+1} + s_i mod 2. The maximum output length (of 2^3 − 1 = 7) is achieved only for certain feedback configurations, e.g., the one shown here.
clk   FF2   FF1   FF0 = s_i
0     1     0     0
1     0     1     0
2     1     0     1
3     1     1     0
4     1     1     1
5     0     1     1
6     0     0     1
7     1     0     0
8     0     1     0
Example
1. With an initial state of (s_2, s_1, s_0) = (1, 0, 0), compute s_i for i = 0, ..., 14.
2. What is the period of this LFSR sequence?
3. Can we construct an LFSR with period > 7?
4. As a stream cipher, what is the weakness of this LFSR?

PRNG: Linear Feedback Shift Registers (LFSR)
Theorem The maximum sequence length generated by an LFSR of degree m is 2^m − 1.
Proof. The m internal register bits of an LFSR determine the next bit. Therefore, as soon as an LFSR returns to a previous state, it starts to repeat. Since the m internal register bits can only take 2^m − 1 states (the all-zero state, which reproduces itself, is excluded), the maximum sequence length before repetition is 2^m − 1.
Remark For any m > 0, there is a polynomial of degree m over GF(2) called "primitive". Each primitive polynomial generates a sequence of the maximum length 2^m − 1.

Security of LFSR as CSPRNG
In a known-plaintext attack, an attacker is assumed to know some plaintext and the corresponding ciphertext. This means the attacker knows a certain number of key stream bits.
- When the initial values are used as the key: vulnerable to a known-plaintext attack (with m key stream bits).
- When the feedback coefficients are used as the key: vulnerable to a known-plaintext attack (solving a system of linear equations defined by 2m key stream bits).

Problems
1. (a) Find every irreducible polynomial of degree 3 over GF(2). (b) Describe the LFSR defined by each irreducible polynomial. (c) With IV = (1, 1, 1), compute the first 10 output bits.
2. An LFSR with the recurrence s_{i+3} = s_{i+1} + s_i and a secret IV produces 110... (the first bit is the last produced one). What are the next three output bits?
3. An LFSR of degree 4 with the maximum sequence length produces 01101011... What are the next four output bits?
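The LFSR material above (the m = 3 example, the maximum-length theorem, the known-plaintext attack on the feedback coefficients, and the problems) worked through in Python; this is an added example, not code from the slides, and the function names are my own:

```python
# Added example (not from the lecture slides): an LFSR over GF(2) following the
# recurrence s_{i+m} = sum_{j<m} p_j * s_{i+j} mod 2, its period, the search for
# maximum-length (primitive) feedback polynomials, and the known-plaintext
# recovery of the feedback coefficients from 2m consecutive key-stream bits.

def lfsr_sequence(p, init, n):
    """First n output bits s_0, s_1, ... of the LFSR with feedback coefficients
    p = [p_0, ..., p_{m-1}] and initial state init = [s_0, ..., s_{m-1}]."""
    m = len(p)
    s = list(init)
    while len(s) < n:
        # s[-m + j] is s_{i+j} for the current i = len(s) - m
        s.append(sum(p[j] & s[-m + j] for j in range(m)) & 1)
    return s[:n]


def lfsr_period(p, init):
    """Clocks until the m-bit register returns to its initial state, or 0 if it
    never does (possible when p_0 = 0, because the state map is then not a bijection)."""
    m = len(p)
    s = list(init)
    for i in range(1, 2 ** m + 1):
        s.append(sum(p[j] & s[-m + j] for j in range(m)) & 1)
        if s[-m:] == list(init):
            return i
    return 0


def maximal_length_feedbacks(m):
    """All coefficient vectors p (with p_0 = 1) whose LFSR reaches the maximum
    period 2^m - 1 from a nonzero state, i.e. whose characteristic polynomial
    x^m + p_{m-1} x^{m-1} + ... + p_0 is primitive over GF(2)."""
    found = []
    for bits in range(2 ** (m - 1)):
        p = [1] + [(bits >> j) & 1 for j in range(m - 1)]
        if lfsr_period(p, [1] + [0] * (m - 1)) == 2 ** m - 1:
            found.append(p)
    return found


def recover_feedback(stream, m):
    """Known-plaintext attack on an LFSR whose feedback coefficients are the key:
    2m consecutive key-stream bits give m linear equations over GF(2),
    s_{i+m} = sum_j p_j s_{i+j} for i = 0..m-1, solved here by Gauss-Jordan
    elimination. Returns None if the equations do not determine p uniquely."""
    rows = [[stream[i + j] for j in range(m)] + [stream[i + m]] for i in range(m)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]


def attack_lfsr_keystream(stream, m, n_more):
    """Given 2m known key-stream bits of a degree-m LFSR, recover p and predict
    the next n_more bits; this is why an LFSR on its own is not a CSPRNG."""
    p = recover_feedback(stream, m)
    if p is None:
        return None, []
    return p, lfsr_sequence(p, stream[:m], 2 * m + n_more)[2 * m:]


if __name__ == "__main__":
    # The slide's example: s_{i+3} = s_{i+1} + s_i, i.e. p = [1, 1, 0], with
    # (s_2, s_1, s_0) = (1, 0, 0), i.e. init = [0, 0, 1] in index order.
    print("s_0..s_14:", lfsr_sequence([1, 1, 0], [0, 0, 1], 15))
    print("period:", lfsr_period([1, 1, 0], [0, 0, 1]))
    print("maximal-length feedbacks, m=3:", maximal_length_feedbacks(3))
    print("recovered from 6 bits:", attack_lfsr_keystream([0, 0, 1, 0, 1, 1], 3, 4))
```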

An Example of CSPRNG: Trivium
Trivium uses LFSRs as its building blocks.
A Modern Stream Cipher - Trivium (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
- Three nonlinear LFSRs (NLFSR) of length 93, 84, 111
- XOR-sum of all three NLFSR outputs generates the key stream s_i
- Small in hardware: total register count 288; non-linearity: 3 AND-gates; 7 XOR-gates (4 with three inputs)
Initialization:
1. Load the 80-bit IV into A
2. Load the 80-bit key into B
3. Set c_109 = c_110 = c_111 = 1 and all other bits to 0
4. Clock the cipher 4 × 288 = 1152 times

History of DES
- The National Bureau of Standards (NBS) initiates a request for proposals for a standardized cipher in the US (1972)
- IBM submits a block cipher based on Lucifer that encrypts 64-bit blocks using 128-bit keys (1974). Lucifer is a family of ciphers developed by Horst Feistel in the late 1960s
- The NBS requests the help of the National Security Agency (NSA); the key length is reduced from 128 bits to 56 bits
- The NBS releases all specs of the modified IBM cipher as the Data Encryption Standard (DES) (1977)
- Due to its short key length, it is used until 1999 and then replaced by the Advanced Encryption Standard (AES)

Security of DES
Exhaustive Key Search
- Feasible due to the short key length (56-bit keys)
- Can break DES in 6.4 days at a cost of $10,000 (2008)
Analytical Attack
- Differential cryptanalysis (DC) and linear cryptanalysis (LC)
- We say a block cipher is "broken" when an analytical attack is faster than exhaustive key search
- DES is secure against DC, but if the number of rounds is small...
- DES is broken by LC, but it is not practical: 2^43 plaintext-ciphertext pairs are needed

Overview of the DES Algorithm
[Figure: the DES Feistel structure; a single bit flip in the input causes many bit flips in the output. Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010]

DES Encryption
[Figure: DES encryption. Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010]


DES Encryption
16-round Feistel structure
1. Input: L_0 R_0
2. (L_i, R_i) = (R_{i−1}, L_{i−1} ⊕ f(R_{i−1}, k_i)) for i = 1, ..., 16
3. Output: L_16 R_16
Property The Feistel structure is a permutation for any keys k_i.
Property Encryption and decryption of the Feistel structure (with no swap in the last round) differ only in the key schedule.

DES Encryption
Bitwise permutations, inverse to each other, described by the tables IP and IP^{-1}: Initial Permutation and Final Permutation (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
- Does not increase the security of DES
- Probably there for efficient hardware implementation

DES Encryption: the f-function, Expansion E (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)

DES Encryption: S-box substitution, Permutation P (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
Example What is S_1(100101)?

DES Key Schedule Algorithm: Permuted Choice PC-1 (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)

DES Key Schedule Algorithm: Permuted Choice PC-2 (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
- In rounds i = 1, 2, 9, 16: the two halves are rotated left by one bit
- The other rounds: the two halves are rotated left by two bits
- Note that (C_0, D_0) = (C_16, D_16)

DES Decryption: reversed key schedule (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
- In rounds i = 2, 9, 16: the two halves are rotated right by one bit
- The other rounds: the two halves are rotated right by two bits
- With the same round keys in reverse order, the encryption and decryption functions are the same!

DES Decryption (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)
- Encryption key schedule: in rounds i = 1, 2, 9, 16, a 1-bit left rotation; in the other rounds, 2 bits
- Decryption key schedule: no rotation in round 1; in rounds i = 2, 9, 16, a 1-bit right rotation; in the other rounds, 2 bits

History of AES
- US NIST (National Institute of Standards and Technology) announced that 3DES should be used instead of DES (1996)
- However, 3DES is slow and its block size is too small for certain applications (hash functions etc.)
- NIST called for proposals for a new Advanced Encryption Standard (AES) as an open process (1997)
- Requirements: 128-bit block size; 128-, 192- and 256-bit keys supported; security relative to other submissions; efficiency in software and hardware
- 15 algorithms collected (1998)
- 5 finalists announced (1999): Mars (IBM), RC6 (RSA), Rijndael (J. Daemen, V. Rijmen), Serpent (R. Anderson et al.), Twofish (B. Schneier et al.)
- Rijndael was chosen as the AES (2000)

Overview of the AES Algorithm
[Figure: x (128 bits) → AES with key k (128/192/256 bits) → y (128 bits)]
Key length   # rounds
128          10
192          12
256          14
(Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)

AES Round Function Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

AES Round Function: Byte Substitution Layer
S-box: B_i = S(A_i), realized as a GF(2^8) inverse followed by an affine mapping: A_i → B'_i → B_i.
1. In GF(2^8) (the finite field of 2^8 elements), B'_i = (A_i)^{-1}, where GF(2^8) = GF(2)[x] / <x^8 + x^4 + x^3 + x + 1>.
2. In GF(2)^8 (the vector space over GF(2)), with B'_i = (b_0, b_1, ..., b_7), the output bits of B_i are
   (b_0, b_1, ..., b_7)ᵀ = M · (b_0, b_1, ..., b_7)ᵀ + (1, 1, 0, 0, 0, 1, 1, 0)ᵀ, where
   M =
   1 0 0 0 1 1 1 1
   1 1 0 0 0 1 1 1
   1 1 1 0 0 0 1 1
   1 1 1 1 0 0 0 1
   1 1 1 1 1 0 0 0
   0 1 1 1 1 1 0 0
   0 0 1 1 1 1 1 0
   0 0 0 1 1 1 1 1

AES Round Function: Byte Substitution Layer
S-box table lookup: S(xy) is ... (in hexadecimal notation)

AES Round Function: Diffusion Layer
ShiftRows Sublayer (state bytes written column-wise; row r is rotated left by r positions):
B0   B4   B8    B12         B0    B4    B8    B12   (no shift)
B1   B5   B9    B13   ->    B5    B9    B13   B1    (1 pos.)
B2   B6   B10   B14         B10   B14   B2    B6    (2 pos.)
B3   B7   B11   B15         B15   B3    B7    B11   (3 pos.)
MixColumn Sublayer: in GF(2^8),
| C0  C4  C8   C12 |   | 02 03 01 01 |   | B0   B4   B8   B12 |
| C1  C5  C9   C13 | = | 01 02 03 01 | · | B5   B9   B13  B1  |
| C2  C6  C10  C14 |   | 01 01 02 03 |   | B10  B14  B2   B6  |
| C3  C7  C11  C15 |   | 03 01 01 02 |   | B15  B3   B7   B11 |

AES Key Schedule Algorithm
Round constants: RC[i] = x^{i−1} in GF(2^8) (Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010)

AES Decryption Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

AES Decryption
Inv MixColumn Sublayer: in GF(2^8),
| B0   B4   B8   B12 |   | 0E 0B 0D 09 |   | C0  C4  C8   C12 |
| B5   B9   B13  B1  | = | 09 0E 0B 0D | · | C1  C5  C9   C13 |
| B10  B14  B2   B6  |   | 0D 09 0E 0B |   | C2  C6  C10  C14 |
| B15  B3   B7   B11 |   | 0B 0D 09 0E |   | C3  C7  C11  C15 |
Inv ShiftRows Sublayer:
B0    B4    B8    B12         B0   B4   B8    B12   (no shift)
B5    B9    B13   B1    ->    B1   B5   B9    B13   (1 pos.)
B10   B14   B2    B6          B2   B6   B10   B14   (2 pos.)
B15   B3    B7    B11         B3   B7   B11   B15   (3 pos.)
Inv Byte Substitution Layer: it is possible to construct an inverse such that A_i = S^{-1}(B_i). It is usually realized as a lookup table.
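The byte substitution, ShiftRows and (Inv)MixColumn descriptions above, carried out in Python as an added example (not the slides' code and not any library's); it assumes only the AES polynomial, affine matrix and constant shown above, and checks the results against published AES values:

```python
# Added example (not from the slides): the AES byte substitution computed from
# the GF(2^8) inverse and the affine map shown above, plus ShiftRows and the
# MixColumn / Inv MixColumn matrices applied to one column. Results are
# checked against published AES values; nothing here is optimised.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the modulus of GF(2^8) in AES

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) = GF(2)[x] / <x^8 + x^4 + x^3 + x + 1>."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r & 0xFF

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0 by convention.
    a^(-1) = a^254 because the multiplicative group has 255 elements."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0

# Affine matrix rows (output bit i over input bits b_0..b_7) and constant 0x63
AFFINE_ROWS = [
    [1, 0, 0, 0, 1, 1, 1, 1], [1, 1, 0, 0, 0, 1, 1, 1],
    [1, 1, 1, 0, 0, 0, 1, 1], [1, 1, 1, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 0, 0, 0], [0, 1, 1, 1, 1, 1, 0, 0],
    [0, 0, 1, 1, 1, 1, 1, 0], [0, 0, 0, 1, 1, 1, 1, 1],
]
AFFINE_CONST = [1, 1, 0, 0, 0, 1, 1, 0]

def sbox(a):
    """S(A) = M * (A^-1) + c over GF(2), the bit-vector form on the slide."""
    inv = gf_inv(a)
    out = 0
    for i in range(8):
        bit = AFFINE_CONST[i]
        for j in range(8):
            bit ^= AFFINE_ROWS[i][j] & ((inv >> j) & 1)
        out |= bit << i
    return out

def shift_rows(state):
    """state is 16 bytes in column-major order (B_0..B_3 form column 0);
    row r is rotated left by r positions, exactly the layout on the slide."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

MIX = [[0x02, 0x03, 0x01, 0x01], [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03], [0x03, 0x01, 0x01, 0x02]]
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09], [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B], [0x0B, 0x0D, 0x09, 0x0E]]

def mix_column(col, matrix=MIX):
    """Multiply one 4-byte column by the (Inv)MixColumn matrix over GF(2^8)."""
    out = []
    for row in matrix:
        v = 0
        for m, b in zip(row, col):
            v ^= gf_mul(m, b)
        out.append(v)
    return out

def mix_columns(state, matrix=MIX):
    """Apply mix_column to each of the four columns of a 16-byte state."""
    out = []
    for c in range(4):
        out += mix_column(state[4 * c:4 * c + 4], matrix)
    return out

if __name__ == "__main__":
    print("S(00)=%02X S(01)=%02X S(53)=%02X" % (sbox(0), sbox(1), sbox(0x53)))
    col = [0xDB, 0x13, 0x53, 0x45]  # the MixColumns test column from FIPS-197
    mixed = mix_column(col)
    print("MixColumn:", [hex(b) for b in mixed],
          "InvMixColumn restores:", mix_column(mixed, INV_MIX) == col)
```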

AES Design Considerations
- In a Feistel cipher, half the bits are moved, but not changed, during each round. AES treats all bits uniformly, which makes the diffusion of the input bits faster.
- The S-box was constructed in an explicit and simple algebraic way.
- The ShiftRows step resists truncated differential analysis and the Square attack.
- MixColumn causes diffusion among the bytes: a change in one input byte results in all four output bytes changing; changes in two input bytes result in at least three output bytes changing.

AES Design Considerations
- The key schedule involves nonlinear mixing of the key bits using the S-box. Even if an attacker knows part of the key, they cannot deduce the remaining bits. It ensures that two distinct keys do not have a large number of round keys in common.
- The round constants eliminate symmetries in the encryption process by making each round different.
- Until recently, there have been no known attacks better than exhaustive key search for up to six rounds. It was felt that four extra rounds provide a large enough margin of safety.

DES vs. AES
DES                                        AES
Feistel network                            SP network
8 different S-boxes, not 1-1               A single S-box, 1-1 (8-bit to 8-bit)
  (6-bit to 4-bit)
Design principle unclear                   Algebraic structure
Encryption = Decryption                    Encryption ≠ Decryption
  (using round keys in reverse order)

Modes of Operation
A block cipher by itself allows encryption only of a single data block of the cipher's block length. In order to encrypt a variable-length message, the data must first be partitioned into separate cipher blocks. Typically, the last block must also be extended to match the cipher's block length using a suitable padding scheme. The method of encrypting each of these blocks is called a mode of operation. A mode of operation generally uses randomization based on an additional input value, often called an initialization vector.

Modes of Operation
- ECB, CBC, OFB, and CFB were specified in FIPS 81, "DES Modes of Operation" (1981).
- NIST added CTR mode in SP 800-38A, "Recommendation for Block Cipher Modes of Operation" (2001).
- NIST added XTS-AES in SP 800-38E, "Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices" (2010).
- ECB, CBC, OFB, CFB, CTR, and XTS modes only provide confidentiality. Some modern modes of operation combine encryption and authentication in an efficient way, and are known as authenticated modes of operation.

Electronic Codeb­ook Mode (ECB)
[Figures: ECB encryption and decryption; http://en.wikipedia.org/wiki/file:ecb_encryption.png, http://en.wikipedia.org/wiki/file:ecb_decryption.png]
- Both the encryption and the decryption algorithm are used
- Identical plaintext blocks map to identical ciphertext blocks: images remain distinguishable (http://en.wikipedia.org/wiki/file:tux_ecb.jpg)
- Susceptible to codebook attacks and replay attacks
- Not recommended

Cipher Block Chaining Mode (CBC)
[Figures: CBC encryption and decryption; http://en.wikipedia.org/wiki/file:cbc_encryption.png, http://en.wikipedia.org/wiki/file:cbc_decryption.png]
- Invented by IBM in 1976
- Both the encryption and the decryption algorithm are used
- An initialization vector is used. The IV does not need to be secret; however, in most cases an initialization vector should not be reused under the same key
- Encryption cannot be parallelized / decryption can be parallelized
- A one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext and a one-bit change in the corresponding bit of the following block of plaintext

Cipher Feedback Mode (CFB)
[Figures: CFB encryption and decryption; http://en.wikipedia.org/wiki/file:cfb_encryption.png, http://en.wikipedia.org/wiki/file:cfb_decryption.png]
- Makes a block cipher into an asynchronous stream cipher
- Only the encryption algorithm is used: suitable for a block cipher whose decryption is slower than its encryption
- An initialization vector is used
- Encryption cannot be parallelized / decryption can be parallelized
- A one-bit change in the ciphertext causes a one-bit change in the corresponding plaintext block and complete corruption of the following plaintext block

Output Feedback Mode (OFB)
[Figures: OFB encryption and decryption; http://en.wikipedia.org/wiki/file:ofb_encryption.png, http://en.wikipedia.org/wiki/file:ofb_decryption.png]
- Makes a block cipher into a synchronous stream cipher
- Only the encryption algorithm is used
- An initialization vector is used
- Encryption and decryption cannot be parallelized; however, the key stream can be computed in advance
- A one-bit change in the ciphertext causes only a one-bit change in the corresponding plaintext block

Counter Mode (CTR)
[Figures: CTR encryption and decryption; http://en.wikipedia.org/wiki/file:ctr_encryption.png, http://en.wikipedia.org/wiki/file:ctr_decryption.png]
- Makes a block cipher into a synchronous stream cipher
- Only the encryption algorithm is used
- A nonce and a counter are used; the counter produces a sequence which is guaranteed not to repeat for a long time
- Encryption and decryption can be parallelized
- A one-bit change in the ciphertext causes only a one-bit change in the corresponding plaintext block
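As an added example (not from the slides), a toy Feistel cipher in Python that exercises the two Feistel properties stated for DES above (it is a permutation for any round function, and decryption is the same function with the round keys reversed) and then measures, for CBC, CFB, OFB and CTR, how a single flipped ciphertext bit propagates into the decrypted plaintext. The toy round function, key schedule, 16-bit block and the key, IV and message bytes are all constructed assumptions:

```python
# Added example (not from the slides): a 16-bit toy Feistel cipher used only to
# show that Feistel decryption is encryption with the round keys reversed, and
# how one flipped ciphertext bit propagates in CBC, CFB, OFB and CTR. The round
# function, key schedule and block size are made-up assumptions, not a cipher.
BLOCK = 2  # 16-bit block = two 8-bit halves

def round_f(r, k):
    """Toy round function (assumption): keyed, nonlinear, 8 bits in and out."""
    v = ((r ^ k) * (r ^ k) + 3 * (r ^ k) + 0x5A) & 0xFF
    return ((v << 3) | (v >> 5)) & 0xFF

def feistel(block, round_keys):
    """(L_i, R_i) = (R_{i-1}, L_{i-1} xor f(R_{i-1}, k_i)); the final swap is
    undone, so running this again with the keys reversed is the inverse."""
    l, r = block[0], block[1]
    for k in round_keys:
        l, r = r, l ^ round_f(r, k)
    return bytes([r, l])

def key_schedule(key):
    """Toy key schedule (assumption): round key i = low byte of key rotated i."""
    k = int.from_bytes(key, "big")
    return [((k << i) | (k >> (16 - i))) & 0xFF for i in range(1, 9)]

def encrypt_block(key, block):
    return feistel(block, key_schedule(key))
def decrypt_block(key, block):
    return feistel(block, key_schedule(key)[::-1])  # same function, keys reversed

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(key, iv, pt):  # only the encryption direction is used
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(p, encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, encrypt_block(key, prev)))
        prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):  # encryption == decryption; key stream from iv
    out, s = [], iv
    for d in blocks(data):
        s = encrypt_block(key, s)
        out.append(xor(d, s))
    return b"".join(out)

def ctr_crypt(key, nonce, data):  # counter block = nonce byte || block index
    return b"".join(xor(d, encrypt_block(key, bytes([nonce[0], i & 0xFF])))
                    for i, d in enumerate(blocks(data)))

MODES = {"CBC": (cbc_encrypt, cbc_decrypt), "CFB": (cfb_encrypt, cfb_decrypt),
         "OFB": (ofb_crypt, ofb_crypt), "CTR": (ctr_crypt, ctr_crypt)}

def error_propagation(mode, key, iv, pt, flip_block=1):
    """Flip the top bit of ciphertext block flip_block; return, per plaintext
    block, how many bits of the decryption differ from pt."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(key, iv, pt))
    ct[flip_block * BLOCK] ^= 0x80
    diff = xor(pt, dec(key, iv, bytes(ct)))
    return [bin(int.from_bytes(b, "big")).count("1") for b in blocks(diff)]

if __name__ == "__main__":
    key, iv, pt = b"\x3c\xa5", b"\x01\x02", b"symmetric crypto"  # constructed
    for mode in MODES:
        print(mode, "corrupted bits per block:", error_propagation(mode, key, iv, pt))
```

The printed lists show the slide's claims directly: CBC corrupts the flipped block entirely and one bit of the next, CFB flips one bit and corrupts the next block, OFB and CTR flip exactly one bit.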

Cryptanalysis
[Figure: Cryptanalysis splits into Classical Cryptanalysis (Mathematical Analysis, Brute-Force Attacks), Implementation Attacks and Social Engineering]
- Classical analysis: tries to recover the plaintext x (or the key k) from the ciphertext y
- Mathematical analysis: exploits the internal structure of the encryption method
- Exhaustive key search: treats the encryption algorithm as a black box and tests all possible keys
- Implementation attacks: use power consumption, electromagnetic radiation, runtime behavior, etc.
- Social engineering attacks: include bribing, blackmailing, tricking, espionage, etc.

Cryptanalysis
An attacker looks for the weakest link in your cryptosystem. That means we have to choose strong algorithms and we have to make sure that social engineering and implementation attacks are not practical.
Kerckhoffs' Principle A cryptosystem should be secure even if the attacker knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms.
Question Doesn't it improve the security to keep the details of an algorithm hidden? (This is called security by obscurity.)

Exhaustive Key Search Revisited
Exhaustive Key Search Let K = {k_1, ..., k_N} be the key space. Given t plaintext-ciphertext pairs (x_1, y_1), ..., (x_t, y_t), check for every k_i ∈ K whether or not DES_{k_i}(x_j) = y_j for all j = 1, ..., t. If the equality holds, a possible correct key is found; if not, proceed with the next key.
What if a wrong key k satisfies DES_k(x_j) = y_j for j = 1, ..., t?
Theorem Given a block cipher with a key length of κ bits and a block size of n bits, as well as t plaintext-ciphertext pairs (x_1, y_1), ..., (x_t, y_t), the expected number of false keys which encrypt all plaintexts to the corresponding ciphertexts is 2^{κ − tn}.
Choose t such that 2^{κ − tn} ≪ 1.

Increasing the Security of DES: Double Encryption
2DES: y = DES_{k2}(DES_{k1}(x))  [Figure: x → DES (k1) → DES (k2) → y]
Example What is the size of the key space of 2DES?

Meet-in-the-middle Attack on 2DES
1. Table Computation: Given a plaintext-ciphertext pair (x_1, y_1), compute z = DES_k(x_1) for every k ∈ {0, 1}^56. Arrange these values and store them in a list L.
2. Key Matching: Compute w = DES^{-1}_{k'}(y_1) for every k' ∈ {0, 1}^56. If for some k' the value w is in the list L, say w = DES^{-1}_{k'}(y_1) = DES_k(x_1), then we have DES_{k'}(DES_k(x_1)) = y_1.
Problems
1. What is the expected number of false keys when we use three plaintext-ciphertext pairs (x_1, y_1), (x_2, y_2), (x_3, y_3)?
2. What is the number of encryptions, decryptions, and memory locations (of κ + n bits) with t = 3?
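The false-key theorem and the meet-in-the-middle attack above, run as an added example (not from the slides) on a constructed 8-bit toy cipher with 8-bit keys, so that the whole 2^16 double-encryption key space can also be brute-forced for comparison; the cipher, the keys and the plaintexts are made-up assumptions and nothing here carries over to real DES:

```python
# Added example (not from the slides): the meet-in-the-middle attack and the
# false-key count of the theorem above, run on a constructed 8-bit toy cipher
# (8-bit key, 8-bit block) so that the whole 2^16 double-encryption key space
# can be compared against the roughly 2 * 2^8 work of the attack. The toy
# cipher and all key/plaintext values are made up; nothing applies to real DES.
import random

_rng = random.Random(2024)            # fixed seed: a constructed, reproducible S-box
SBOX = list(range(256))
_rng.shuffle(SBOX)
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def E(k, x):
    """Toy block cipher: 8-bit key, 8-bit block (assumption, not DES)."""
    return SBOX[x ^ k] ^ k

def D(k, y):
    return INV_SBOX[y ^ k] ^ k

def double_encrypt(k1, k2, x):
    """2DES-style double encryption: y = E_{k2}(E_{k1}(x))."""
    return E(k2, E(k1, x))

def expected_false_keys(kappa, n, t):
    """Theorem: kappa-bit keys, n-bit blocks, t pairs -> 2^(kappa - t*n)."""
    return 2.0 ** (kappa - t * n)

def brute_force(pairs):
    """Reference: try all 2^16 (k1, k2); returns candidates and trials made."""
    work, found = 0, []
    for k1 in range(256):
        for k2 in range(256):
            work += 1
            if all(double_encrypt(k1, k2, x) == y for x, y in pairs):
                found.append((k1, k2))
    return found, work

def meet_in_the_middle(pairs):
    """1. Table: z = E_{k1}(x_1) for every k1, stored in a dict keyed by z.
    2. Matching: w = D_{k2}(y_1) for every k2; a hit w in the table gives a
       candidate (k1, k2), which the remaining pairs then confirm or reject.
    Returns the surviving candidates and the number of single-block E/D
    calls used for the table and the matching (confirmations not counted)."""
    (x1, y1), rest = pairs[0], pairs[1:]
    table, work = {}, 0
    for k1 in range(256):
        table.setdefault(E(k1, x1), []).append(k1)
        work += 1
    found = []
    for k2 in range(256):
        w = D(k2, y1)
        work += 1
        for k1 in table.get(w, []):
            if all(double_encrypt(k1, k2, x) == y for x, y in rest):
                found.append((k1, k2))
    return found, work

def demo(k1=0x3A, k2=0xC7, plaintexts=(0x01, 0x42, 0x99)):
    """Constructed keys and plaintexts; compare one pair against three."""
    pairs = [(x, double_encrypt(k1, k2, x)) for x in plaintexts]
    one, _ = meet_in_the_middle(pairs[:1])
    three, work_three = meet_in_the_middle(pairs)
    return {"true_key": (k1, k2), "cands_1_pair": len(one),
            "cands_3_pairs": len(three), "work_mitm": work_three,
            "expected_false_1_pair": expected_false_keys(16, 8, 1),
            "expected_false_3_pairs": expected_false_keys(16, 8, 3)}

if __name__ == "__main__":
    print(demo())
```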

Increasing the Security of DES: Triple Encryption
3DES: y = DES_{k3}(DES_{k2}(DES_{k1}(x)))  [Figure: x → DES (k1) → DES (k2) → DES (k3) → y]
Problem Apply the meet-in-the-middle attack to 3DES. What is the number of encryptions, decryptions, and memory locations (of n bits)?