Stream Ciphers and Block Ciphers

Similar documents
Stream Ciphers and Block Ciphers

Fundamentals of Cryptography

Network Security Essentials Chapter 2

AIT 682: Network and Systems Security

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

Symmetric Encryption. Thierry Sans

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Computer and Data Security. Lecture 3 Block cipher and DES

Chapter 3 Block Ciphers and the Data Encryption Standard

Jaap van Ginkel Security of Systems and Networks

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Data Encryption Standard (DES)

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Content of this part

Symmetric key cryptography

Network Security Essentials

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

Symmetric Encryption Algorithms

Cryptography 2017 Lecture 3

CENG 520 Lecture Note III

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Winter 2011 Josh Benaloh Brian LaMacchia

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Lecture 3: Symmetric Key Encryption

Week 4. : Block Ciphers and DES

Lecture 4: Symmetric Key Encryption

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Symmetric Cryptography CS461/ECE422

Introduction to Modern Symmetric-Key Ciphers

Private-Key Encryption

Block Cipher Operation. CS 6313 Fall ASU

Data Encryption Standard

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Crypto: Symmetric-Key Cryptography

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Cryptography Functions

Data Encryption Standard

Lecture 4. Encryption Continued... Data Encryption Standard (DES)

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

4. Specifications and Additional Information

CIS-331 Fall 2013 Exam 1 Name: Total of 120 Points Version 1

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009

Week 5: Advanced Encryption Standard. Click

Secret Key Cryptography

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

Lecture 2: Secret Key Cryptography

CIS-331 Exam 2 Fall 2015 Total of 105 Points Version 1

APNIC elearning: Cryptography Basics

CIS-331 Fall 2014 Exam 1 Name: Total of 109 Points Version 1

ECE 646 Lecture 7. Secret-Key Ciphers. Data Encryption Standard DES

Computer Security 3/23/18

Cryptography and Network Security

CIS-331 Spring 2016 Exam 1 Name: Total of 109 Points Version 1

CIT 380: Securing Computer Systems. Symmetric Cryptography

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Content of this part

ECE 646 Lecture 8. Modes of operation of block ciphers

Cryptography Trends: A US-Based Perspective. Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

7. Symmetric encryption. symmetric cryptography 1

Double-DES, Triple-DES & Modes of Operation

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Symmetric Cryptography. CS4264 Fall 2016

Modern Symmetric Block cipher

Cryptographic Algorithms - AES

Some Aspects of Block Ciphers

CIS-331 Exam 2 Fall 2014 Total of 105 Points. Version 1

Cryptography III: Symmetric Ciphers

Applied Cryptography Data Encryption Standard

Encryption DES. Dr.Talal Alkharobi. The Data Encryption Standard (DES)

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Symmetric Cryptography. Chapter 6

Cryptography MIS

Introduction. Secret Key Cryptography. Outline. Secrets? (Cont d) Secret Keys or Secret Algorithms? Introductory Remarks Feistel Cipher DES AES

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

3 Symmetric Cryptography

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Computer Security CS 526

CS 392/681 Computer Security. Module 1 Private Key Cryptography

Block Ciphers. Secure Software Systems

EEC-484/584 Computer Networks

The Rectangle Attack

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

CIS-331 Exam 2 Spring 2016 Total of 110 Points Version 1

Lecture 5. Encryption Continued... Why not 2-DES?

Scanned by CamScanner

SECRET KEY: STREAM CIPHERS & BLOCK CIPHERS

Conventional Encryption Principles Conventional Encryption Algorithms Cipher Block Modes of Operation Location of Encryption Devices Key Distribution

Chapter 6 Contemporary Symmetric Ciphers

Study and Analysis of Symmetric Key-Cryptograph DES, Data Encryption Standard

Cryptography [Symmetric Encryption]

Secret Key Cryptography Overview

Goals of Modern Cryptography

Symmetric Key Cryptography

Jaap van Ginkel Security of Systems and Networks

Transcription:

Stream Ciphers and Block Ciphers 2MMC10 Cryptology Fall 2015 Ruben Niederhagen October 6th, 2015

Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.

Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption. Symmetric-key crypto: Same shared secret key for encryption and decryption.

Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption. Symmetric-key crypto: Same shared secret key for encryption and decryption. What are the respective advantages, disadvantages, use-cases..?

Introduction: Symmetric-Key Crypto 3/32 Stream Cipher vs. Block Cipher: Idea of a stream cipher: partition the text into small (e.g. 1bit) blocks; encoding of each block depends on the previous blocks. A different key is generated for each block.

Introduction: Symmetric-Key Crypto 3/32 Stream Cipher vs. Block Cipher: Idea of a stream cipher: partition the text into small (e.g. 1bit) blocks; encoding of each block depends on the previous blocks. A different key is generated for each block. Idea of a block cipher: partition the text into large (e.g. 128bit) blocks; encode each block independently. The same key is used for each block.

Introduction: Symmetric-Key Crypto 4/32 Stream Ciphers: symmetric-key cipher, state-driven: operates on arbitrary message length, commonly used stream ciphers: A5/1 and A5/2 (GSM), RC4 (SSL, WEP), estream Project.

Introduction: Symmetric-Key Crypto 4/32 Stream Ciphers: symmetric-key cipher, state-driven: operates on arbitrary message length, commonly used stream ciphers: A5/1 and A5/2 (GSM), RC4 (SSL, WEP), estream Project.!

Introduction: Symmetric-Key Crypto 4/32 Stream Ciphers: symmetric-key cipher, state-driven: operates on arbitrary message length, commonly used stream ciphers: A5/1 and A5/2 (GSM), RC4 (SSL, WEP), estream Project.! Operate on an internal state which is updated after each block.

Introduction: Symmetric-Key Crypto 4/32 Stream Ciphers: symmetric-key cipher, state-driven: operates on arbitrary message length, commonly used stream ciphers: A5/1 and A5/2 (GSM), RC4 (SSL, WEP), estream Project.! Operate on an internal state which is updated after each block. Compute a key stream using the current state and the secret key.

Introduction: Symmetric-Key Crypto 4/32 Stream Ciphers: symmetric-key cipher, state-driven: operates on arbitrary message length, commonly used stream ciphers: A5/1 and A5/2 (GSM), RC4 (SSL, WEP), estream Project.! Operate on an internal state which is updated after each block. Compute a key stream using the current state and the secret key. Encrypt the message stream with the key stream to a cipher stream.

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f key stream: z i = g(σ i, K) with key-stream function g

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = h(z i, m i ) with output function h

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = h(z i, m i ) with output function h decryption: m i = h 1 (z i, c i ) with inverse of h

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = z i m i decryption: m i = z i c i

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = z i m i decryption: m i = z i c i Self-Synchronizing Stream Ciphers: Given key K and initial state c 1... c t : state: σ i = (c i 1, c i 2,... c i t )

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = z i m i decryption: m i = z i c i Self-Synchronizing Stream Ciphers: Given key K and initial state c 1... c t : state: σ i = (c i 1, c i 2,... c i t ) key stream: z i = g(σ i, K) with key-stream function g

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = z i m i decryption: m i = z i c i Self-Synchronizing Stream Ciphers: Given key K and initial state c 1... c t : state: σ i = (c i 1, c i 2,... c i t ) key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = h(z i, m i ) with output function h

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = z i m i decryption: m i = z i c i Self-Synchronizing Stream Ciphers: Given key K and initial state c 1... c t : state: σ i = (c i 1, c i 2,... c i t ) key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = h(z i, m i ) with output function h decryption: m i = h 1 (z i, c i ) with inverse of h

Introduction: Symmetric-Key Crypto 5/32 Synchronous Stream Ciphers: Given key K and initial state σ 1 : state: σ i = f (σ i 1, K) with next-state function f key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = z i m i decryption: m i = z i c i Self-Synchronizing Stream Ciphers: Given key K and initial state c 1... c t : state: σ i = (c i 1, c i 2,... c i t ) key stream: z i = g(σ i, K) with key-stream function g cipher stream: c i = z i m i decryption: m i = z i c i

Introduction: Symmetric-Key Crypto 6/32 Block Ciphers: symmetric-key cipher, memoryless: operates on a fixed-length block size, commonly used block ciphers: DES, Triple-DES, AES.

Introduction: Symmetric-Key Crypto 6/32 Block Ciphers: symmetric-key cipher, memoryless: operates on a fixed-length block size, commonly used block ciphers: DES, Triple-DES, AES.!

Introduction: Symmetric-Key Crypto 6/32 Block Ciphers: symmetric-key cipher, memoryless: operates on a fixed-length block size, commonly used block ciphers: DES, Triple-DES, AES.! An n-bit block cipher is a function E : {0, 1} n K {0, 1} n. For each fixed key K K the map E K : {0, 1} n {0, 1} n, M E K (M) is invertible (bijective) with inverse E 1 K : {0, 1}n {0, 1} n.

From Block Ciphers to Stream Ciphers 7/32 Modes of Operation: electronic codebook (ECB) mode, cipher-block chaining (CBC) mode, cipher feedback (CFB) mode, output feedback (OFB) mode, counter (CTR) mode.

Modes of Operation 8/32 Electronic Codebook (ECB) Mode: Encryption: obtain ciphertext C 1,..., C t as C i = E K (M i ), i = 1... t Plaintext Plaintext Plaintext Key block cipher encryption Key block cipher encryption Key block cipher encryption Ciphertext Ciphertext Ciphertext Electronic Codebook (ECB) mode encryption

Modes of Operation 8/32 Electronic Codebook (ECB) Mode: Decryption: obtain plaintext M 1,..., M t as M i = E 1 K (C i), i = 1... t Ciphertext Ciphertext Ciphertext Key block cipher decryption Key block cipher decryption Key block cipher decryption Plaintext Plaintext Plaintext Electronic Codebook (ECB) mode decryption

Modes of Operation 8/32 Electronic Codebook (ECB) Mode: Decryption: obtain plaintext M 1,..., M t as M i = E 1 K (C i), i = 1... t Ciphertext Ciphertext Ciphertext Key block cipher decryption Key block cipher decryption Key block cipher decryption Plaintext Plaintext Plaintext Electronic Codebook (ECB) mode decryption

Modes of Operation 9/32 Properties of ECB: Considered insecure if applied to more than one block! Each block of ciphertext Ci depends only on message block M i, encryption and decryption can be performed in parallel, allows random read access for decryption, requires padding of input to a multiple of block size.

Modes of Operation 10/32 Cipher-Block Chaining (CBC) Mode: Use a (non-secret) initialization vector (IV ) of length n bits. Encryption: obtain ciphertext C 1,..., C t as C i = E K (M i C i 1 ), i = 1... t, C 0 = IV Plaintext Plaintext Plaintext Initialization Vector (IV) Key block cipher encryption Key block cipher encryption Key block cipher encryption Ciphertext Ciphertext Ciphertext Cipher Block Chaining (CBC) mode encryption

Modes of Operation 10/32 Cipher-Block Chaining (CBC) Mode: Use a (non-secret) initialization vector (IV ) of length n bits. Decryption: obtain plaintext M 1,..., M t as M i = E 1 K (C i) C i 1, i = 1... t, C 0 = IV Ciphertext Ciphertext Ciphertext Key block cipher decryption Key block cipher decryption Key block cipher decryption Initialization Vector (IV) Plaintext Plaintext Plaintext Cipher Block Chaining (CBC) mode decryption

Modes of Operation 11/32 Properties of CBC: The last ciphertext block Ct depends all message blocks M 1,..., M t, encryption can not be performed in parallel but decryption can, no random read access for decryption, requires padding of input to a multiple of block size.

Modes of Operation 12/32 Cipher Feedback (CFB) Mode: Use a (non-secret) initialization vector (IV ) of length n bits. Encryption: obtain ciphertext C 1,..., C t as C i = E K (C i 1 ) M i, i = 1... t, C 0 = IV Initialization Vector (IV) Key block cipher encryption Key block cipher encryption Key block cipher encryption Plaintext Plaintext Plaintext Ciphertext Ciphertext Ciphertext Cipher Feedback (CFB) mode encryption

Modes of Operation 12/32 Cipher Feedback (CFB) Mode: Use a (non-secret) initialization vector (IV ) of length n bits. Decryption: obtain plaintext M 1,..., M t as M i = E K (C i 1 ) C i, i = 1... t, C 0 = IV Initialization Vector (IV) Key block cipher encryption Key block cipher encryption Key block cipher encryption Ciphertext Ciphertext Ciphertext Plaintext Plaintext Plaintext Cipher Feedback (CFB) mode decryption

Modes of Operation 13/32 Properties of CFB: The last ciphertext block Ct depends all message blocks M 1,..., M i, encryption can not be performed in parallel but decryption can, no random access for decryption, does not require padding of plaintext. Two messages encrypted with the same key must use a different IV!

Modes of Operation 14/32 Output Feedback (OFB) Mode: Use a (non-secret) initialization vector (IV ) of length n bits. Encryption: obtain ciphertext C 1,..., C t as C i = O i M i, i = 1... t, O i = E K (O i 1 ), O 0 = IV Initialization Vector (IV) Key block cipher encryption Key block cipher encryption Key block cipher encryption Plaintext Plaintext Plaintext Ciphertext Ciphertext Ciphertext Output Feedback (OFB) mode encryption

Modes of Operation 14/32 Output Feedback (OFB) Mode: Use a (non-secret) initialization vector (IV ) of length n bits. Decryption: obtain plaintext M 1,..., M t as M i = O i C i, i = 1... t, O i = E K (O i 1 ), O 0 = IV Initialization Vector (IV) Key block cipher encryption Key block cipher encryption Key block cipher encryption Ciphertext Ciphertext Ciphertext Plaintext Plaintext Plaintext Output Feedback (OFB) mode decryption

Modes of Operation 15/32 Properties of OFB: Each block of ciphertext Ci depends only on message block M i, encryption and decryption can not be performed in parallel, no random access for decryption, does not require padding of plaintext. Two messages encrypted with the same key must use a different IV!

Modes of Operation 16/32 Counter (CTR) Mode: Use a (non-secret) initialization vector (IV ) of length n bits. Encryption: obtain ciphertext C 1,..., C t as C i = E K (N i ) M i, i = 1... t, N i = N i 1 + 1 mod 2 n, N 0 = IV Nonce c59bcf35 Counter 00000000 Nonce c59bcf35 Counter 00000001 Nonce c59bcf35 Counter 00000002 Key block cipher encryption Key block cipher encryption Key block cipher encryption Plaintext Plaintext Plaintext Ciphertext Ciphertext Ciphertext Counter (CTR) mode encryption

Modes of Operation 16/32 Counter (CTR) Mode: Use a (non-secret) initialization vector (IV ) of length n bits. Decryption: obtain plaintext M 1,..., M t as M i = E K (N i ) C i, i = 1... t, N i = N i 1 + 1 mod 2 n, N 0 = IV Nonce c59bcf35 Counter 00000000 Nonce c59bcf35 Counter 00000001 Nonce c59bcf35 Counter 00000002 Key block cipher encryption Key block cipher encryption Key block cipher encryption Ciphertext Ciphertext Ciphertext Plaintext Plaintext Plaintext Counter (CTR) mode decryption

Modes of Operation 17/32 Properties of CTR: Each block of ciphertext Ci depends only on message block M i, both encryption and decryption can be performed in parallel, allows random access for decryption, does not require padding of plaintext. Two messages encrypted with the same key must use a different IV!

Modes of Operation 17/32 Properties of CTR: Each block of ciphertext Ci depends only on message block M i, both encryption and decryption can be performed in parallel, allows random access for decryption, does not require padding of plaintext. Two messages encrypted with the same key must use a different IV! Most widely used modes are CBC and CTR.

An Example for Block Ciphers: DES 18/32 History: May 1973: NBS (NIST) publishes a first request for a standard encryption algorithm.

An Example for Block Ciphers: DES 18/32 History: May 1973: NBS (NIST) publishes a first request for a standard encryption algorithm. August 1974: NBS publishes a second request algorithms.

An Example for Block Ciphers: DES 18/32 History: May 1973: NBS (NIST) publishes a first request for a standard encryption algorithm. August 1974: NBS publishes a second request algorithms. IBM submits a candidate based on Horst Feistel s Lucifer cipher.

An Example for Block Ciphers: DES 18/32 History: May 1973: NBS (NIST) publishes a first request for a standard encryption algorithm. August 1974: NBS publishes a second request algorithms. IBM submits a candidate based on Horst Feistel s Lucifer cipher. March 1975: DES proposal is published in the Federal Register. Public comments are requested.

An Example for Block Ciphers: DES 18/32 History: May 1973: NBS (NIST) publishes a first request for a standard encryption algorithm. August 1974: NBS publishes a second request algorithms. IBM submits a candidate based on Horst Feistel s Lucifer cipher. March 1975: DES proposal is published in the Federal Register. Public comments are requested. Criticism from various researchers (e.g., Hellman and Diffie) about modifications in respect to the submission: shorter keylength (56bit instead of 64bit), modified S-boxes.

An Example for Block Ciphers: DES 18/32 History: May 1973: NBS (NIST) publishes a first request for a standard encryption algorithm. August 1974: NBS publishes a second request algorithms. IBM submits a candidate based on Horst Feistel s Lucifer cipher. March 1975: DES proposal is published in the Federal Register. Public comments are requested. Criticism from various researchers (e.g., Hellman and Diffie) about modifications in respect to the submission: shorter keylength (56bit instead of 64bit), modified S-boxes. July 1991: Biham and Shamir (re-)discover differential cryptanalysis that requires 2 47 chosen plaintexts.

An Example for Block Ciphers: DES 18/32 History: May 1973: NBS (NIST) publishes a first request for a standard encryption algorithm. August 1974: NBS publishes a second request algorithms. IBM submits a candidate based on Horst Feistel s Lucifer cipher. March 1975: DES proposal is published in the Federal Register. Public comments are requested. Criticism from various researchers (e.g., Hellman and Diffie) about modifications in respect to the submission: shorter keylength (56bit instead of 64bit), modified S-boxes. July 1991: Biham and Shamir (re-)discover differential cryptanalysis that requires 2 47 chosen plaintexts. New S-boxes are stronger than the original S-boxes.

An Example for Block Ciphers: DES 18/32 History: May 1973: NBS (NIST) publishes a first request for a standard encryption algorithm. August 1974: NBS publishes a second request algorithms. NSA worked closely with IBM to strengthen the IBM submits a candidate based on Horst Feistel s Lucifer cipher. algorithm against all except brute force attacks March and 1975: to strengthen DES proposal substitution is published tables, in the called Federal S- Register. Public comments boxes. Conversely, are requested. NSA tried to convince IBM to Criticismreduce fromthe various length researchers of the key(e.g., fromhellman 64 to 48and bits. Diffie) about modifications in respect to the submission: Ultimately they compromised on a 56-bit key. shorter keylength (56bit instead of 64bit), modified S-boxes. July 1991: Biham and Shamir (re-)discover differential cryptanalysis that requires 2 47 chosen plaintexts. New S-boxes are stronger than the original S-boxes.

An Example for Block Ciphers: DES 19/32 History: in 1994: First experimental cryptanalysis using linear cryptanalysis.

An Example for Block Ciphers: DES 19/32 History: in 1994: First experimental cryptanalysis using linear cryptanalysis. June 1997: The DESCHALL Project breaks a DES key in 96 days.

An Example for Block Ciphers: DES 19/32 History: in 1994: First experimental cryptanalysis using linear cryptanalysis. June 1997: The DESCHALL Project breaks a DES key in 96 days. July 1998: The EFF s DES cracker breaks a DES key in 56 hours.

An Example for Block Ciphers: DES 19/32 History: in 1994: First experimental cryptanalysis using linear cryptanalysis. June 1997: The DESCHALL Project breaks a DES key in 96 days. July 1998: The EFF s DES cracker breaks a DES key in 56 hours. Oct. 1999: DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the use of Triple DES (DES only for legacy systems).

An Example for Block Ciphers: DES 19/32 History: in 1994: First experimental cryptanalysis using linear cryptanalysis. June 1997: The DESCHALL Project breaks a DES key in 96 days. July 1998: The EFF s DES cracker breaks a DES key in 56 hours. Oct. 1999: DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the use of Triple DES (DES only for legacy systems). May 2002: Advanced Encryption Standard (AES) becomes effective.

An Example for Block Ciphers: DES 19/32 History: in 1994: First experimental cryptanalysis using linear cryptanalysis. June 1997: The DESCHALL Project breaks a DES key in 96 days. July 1998: The EFF s DES cracker breaks a DES key in 56 hours. Oct. 1999: DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the use of Triple DES (DES only for legacy systems). May 2002: Advanced Encryption Standard (AES) becomes effective. May 2005: NIST withdraws FIPS 46-3.

An Example for Block Ciphers: DES 19/32 History: in 1994: First experimental cryptanalysis using linear cryptanalysis. June 1997: The DESCHALL Project breaks a DES key in 96 days. July 1998: The EFF s DES cracker breaks a DES key in 56 hours. Oct. 1999: DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the use of Triple DES (DES only for legacy systems). May 2002: Advanced Encryption Standard (AES) becomes effective. May 2005: NIST withdraws FIPS 46-3. April 2006: The FPGA based COPACOBANA of the Universities of Bochum and Kiel breaks DES in 9 days at $10,000 hardware cost.

An Example for Block Ciphers: DES 19/32 History: in 1994: First experimental cryptanalysis using linear cryptanalysis. June 1997: The DESCHALL Project breaks a DES key in 96 days. July 1998: The EFF s DES cracker breaks a DES key in 56 hours. Oct. 1999: DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the use of Triple DES (DES only for legacy systems). May 2002: Advanced Encryption Standard (AES) becomes effective. May 2005: NIST withdraws FIPS 46-3. April 2006: The FPGA based COPACOBANA of the Universities of Bochum and Kiel breaks DES in 9 days at $10,000 hardware cost. Nov. 2008: The successor of COPACOBANA, the RIVYERA machine reduces the average time to less than one single day.

An Example for Block Ciphers: DES 20/32 Overall structure: DES uses a 64-bit key with 8 parity bits, hence effectively 56-bits. Key schedule: Expand 56-bit key into 16 subkeys. Message processing: en-/decode message in 16 rounds.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 DES: Key Schedule 21/32 Key(64 bits) PC1 PC1: 64-bit 2 28-bit <<< <<< Subkey 1 (48 bits) <<< PC2 <<< Subkey 2 (48 bits) PC2 <<< <<< PC2: 2 28-bit 48-bit Subkey 15 (48 bits) <<< PC2 <<< Subkey 16 (48 bits) PC2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 DES: Message En-/decoding 22/32 Plaintext(64 bits) IP Initial permutation: F F for 16 rounds Final permutation: F F FP Ciphertext(64 bits)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 DES: Message En-/decoding 23/32 Expansion function: Half Block (32 bits) Subkey (48 bits) E S1 S2 S3 S4 S5 S6 S7 S8 Permutation: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 P 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

DES: Message En-/decoding 24/32

An Example for Block Ciphers: DES 25/32 DES is broken! DES provides only 56-bits of security and can be easily broken by a brute-force attack!

An Example for Block Ciphers: DES 25/32 DES is broken! DES provides only 56-bits of security and can be easily broken by a brute-force attack! DES is not fully broken mathematically... There are attacks with lower complexity than brute force but those require a large amount of known plaintext-ciphertext pairs.

An Example for Block Ciphers: DES 25/32 DES is broken! DES provides only 56-bits of security and can be easily broken by a brute-force attack! DES is not fully broken mathematically... There are attacks with lower complexity than brute force but those require a large amount of known plaintext-ciphertext pairs. Still, DES is broken!

An Example for Block Ciphers: Triple DES 26/32 Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2.

An Example for Block Ciphers: Triple DES 26/32 Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2. Encryption: C = Ek2 (D k1 (E k0 (M)))

An Example for Block Ciphers: Triple DES 26/32 Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2. Encryption: C = Ek2 (D k1 (E k0 (M))) Decryption: M = Dk0 (E k1 (D k2 (C)))

An Example for Block Ciphers: Triple DES 26/32 Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2. Encryption: C = Ek2 (D k1 (E k0 (M))) Decryption: M = Dk0 (E k1 (D k2 (C))) Keying Options: All three keys are independent and different,

An Example for Block Ciphers: Triple DES 26/32 Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2. Encryption: C = Ek2 (D k1 (E k0 (M))) Decryption: M = Dk0 (E k1 (D k2 (C))) Keying Options: All three keys are independent and different, k0 = k 2, and k 1 is different,

An Example for Block Ciphers: Triple DES 26/32 Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2. Encryption: C = Ek2 (D k1 (E k0 (M))) Decryption: M = Dk0 (E k1 (D k2 (C))) Keying Options: All three keys are independent and different, k0 = k 2, and k 1 is different, k0 = k 1 = k 2 (fallback to DES for backward compatibility).

An Example for Block Ciphers: Triple DES 26/32 Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2. Encryption: C = Ek2 (D k1 (E k0 (M))) Decryption: M = Dk0 (E k1 (D k2 (C))) Keying Options: All three keys are independent and different, k0 = k 2, and k 1 is different, k0 = k 1 = k 2 (fallback to DES for backward compatibility).

An Example for Block Ciphers: Triple DES Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2. 26/32 Encryption: C = Ek2 (D k1 (E k0 (M))) Decryption: M = Dk0 (E k1 (D k2 (C))) Keying Options: All three keys are independent and different, k0 = k 2, and k 1 is different, k0 = k 1 = k 2 (fallback to DES for backward compatibility).

An Example for Block Ciphers: Triple DES Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2. Encryption: C = Ek2 (D k1 (E k0 (M))) Decryption: M = Dk0 (E k1 (D k2 (C))) 26/32 Keying Options: All three keys are independent and different, k0 = k 2, and k 1 is different, k0 = k 1 = k 2 (fallback to DES for backward compatibility).

An Example for Block Ciphers: Triple DES Algorithm of Triple DES: Use three 56-bit keys k 0, k 1, and k 2. Encryption: C = Ek2 (D k1 (E k0 (M))) Decryption: M = Dk0 (E k1 (D k2 (C))) 26/32 Keying Options: All three keys are independent and different, k0 = k 2, and k 1 is different, k0 = k 1 = k 2 (fallback to DES for backward compatibility). Limited Security! Option 1 provides about 112-bits of security. Option 2 provides about 80-bits of security. Option 3 does not provide security.

An Example for Block Ciphers: AES 27/32 History: September 1997: NIST issued a public call for a new block cipher: block length of 128 bits; key lengths of 128, 192, and 256 bits.

An Example for Block Ciphers: AES 27/32 History: September 1997: NIST issued a public call for a new block cipher: block length of 128 bits; key lengths of 128, 192, and 256 bits. August 1998 and March 1999: AES1 and AES2 conferences organized by NIST.

An Example for Block Ciphers: AES 27/32 History: September 1997: NIST issued a public call for a new block cipher: block length of 128 bits; key lengths of 128, 192, and 256 bits. August 1998 and March 1999: AES1 and AES2 conferences organized by NIST. August 1999: NIST announces 5 finalists: MARS (IBM), RCG (Rivest, Robshaw, Sidney, Yin), Rijndael (Daemen, Rijmen), Serpent (Anderson, Biham, Knudsen), Twofish (Schneier).

An Example for Block Ciphers: AES 27/32 History: September 1997: NIST issued a public call for a new block cipher: block length of 128 bits; key lengths of 128, 192, and 256 bits. August 1998 and March 1999: AES1 and AES2 conferences organized by NIST. August 1999: NIST announces 5 finalists: MARS (IBM), RCG (Rivest, Robshaw, Sidney, Yin), Rijndael (Daemen, Rijmen), Serpent (Anderson, Biham, Knudsen), Twofish (Schneier). April 2000: AES3 conference.

An Example for Block Ciphers: AES 27/32 History: September 1997: NIST issued a public call for a new block cipher: block length of 128 bits; key lengths of 128, 192, and 256 bits. August 1998 and March 1999: AES1 and AES2 conferences organized by NIST. August 1999: NIST announces 5 finalists: MARS (IBM), RCG (Rivest, Robshaw, Sidney, Yin), Rijndael (Daemen, Rijmen), Serpent (Anderson, Biham, Knudsen), Twofish (Schneier). April 2000: AES3 conference. October 2 nd, 2000: NIST announces Rijndael as winner.

An Example for Block Ciphers: AES 28/32 Parameters: fixed block size of 128bit, variable key size (in bits): AES-128, AES-192, AES-256. Animation: http://poincare.matf.bg.ac.rs/~ezivkovm/nastava/rijndael_ animacija.swf

An Example for Block Ciphers: AES 29/32 Rijndael S-box: For y in GF (2 8 ) = GF (2)[x]/(x 8 + x 4 + x 3 + x + 1) compute with z = y 1. 1 0 0 0 1 1 1 1 z 0 1 1 1 0 0 0 1 1 1 z 1 1 1 1 1 0 0 0 1 1 z 2 0 1 1 1 1 0 0 0 1 z 3 1 1 1 1 1 0 0 0 z 4 + 0 0 0 1 1 1 1 1 0 0 z 5 1 0 0 1 1 1 1 1 0 z 6 1 0 0 0 1 1 1 1 1 z 7 0

An Example for Block Ciphers: AES 29/32 Rijndael S-box: 0 1 2 3 4 5 6 7 8 9 a b c d e f 00 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 10 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 20 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 30 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 40 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 50 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 70 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 80 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 90 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a0 e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e0 e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df f0 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

An Example for Block Ciphers: AES 30/32 Optimizations for 32-bit Architectures: Lookup tables T0,..., T 3 combining all steps.

An Example for Block Ciphers: AES 30/32 Optimizations for 32-bit Architectures: Lookup tables T0,..., T 3 combining all steps. Security Concerns: Theoretical attacks reduce security of AES-128 to 2 126.1. Cache-timing attacks are practical attacks but require precise timing measurements. AES implementations must be resistant to timing attacks!

An Example for Block Ciphers: AES 30/32 Optimizations for 32-bit Architectures: Lookup tables T0,..., T 3 combining all steps.! Security Concerns: Theoretical attacks reduce security of AES-128 to 2 126.1. Cache-timing attacks are practical attacks but require precise timing measurements. AES implementations must be resistant to timing attacks!

An Example for Block Ciphers: AES 30/32 Optimizations for 32-bit Architectures: Lookup tables T0,..., T 3 combining all steps.! Security Concerns: Theoretical attacks reduce security of AES-128 to 2 126.1. Cache-timing attacks are practical attacks but require precise timing measurements. AES implementations must be resistant to timing attacks! High-Speed Implementations: NaCl: http://nacl.cr.yp.to/features.html http://cryptojedi.org/crypto/index.shtml#aesbs

Image Credits The figures are from Wikipedia and have been published with share-alike licenses or have been put into public domain: The shematics for the Modes of Operation on slides 8 to 12, the DES permutation figures on slides 21 to 24 (right column), and the picture of the DES F-function on slide 23 have been released into public domain. The DES flow diagrams on slides 21 and 22 have been published CC BY-SA by by Francisco Menendez (http://creativecommons.org/licenses/by-sa/3.0) via Wikimedia Commons: https://commons.wikimedia.org/wiki/file:des-main-network.svg https://commons.wikimedia.org/wiki/file:des_key_schedule.svg Feistel cipher diagram en (slide 24) by Amirkiderivative, derived from Amirki (talk). Licensed under CC BY-SA 3.0 via Commons - https://commons.wikimedia.org/wiki/file: Feistel_cipher_diagram_en.svg#/media/File:Feistel_cipher_diagram_en.svg 31/32

Image Credits (continued) 32/32 The pictures for the Tux ECB example on slide 8 are released under Attribution via Commons: TuX by Larry Ewing (lewing@isc.tamu.edu) using The Gimp. Licensed under Attribution via Commons: https://commons.wikimedia.org/wiki/file:tux.jpg#/media/file: Tux.jpg Tux ecb by en:user:lunkwill, dervied from Tux by Larry Ewing (see above). Licensed under Attribution via Commons: https://commons.wikimedia.org/wiki/file:tux_ecb.jpg#/media/file: Tux_ecb.jpg "Tux secure" by en:user:lunkwill, dervied from Tux by Larry Ewing (see above). Licensed under Attribution via Commons: https://commons.wikimedia.org/wiki/file: Tux_secure.jpg#/media/File:Tux_secure.jpg

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback