CSC 474/574 Information Systems Security

Similar documents
CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Secret Key Cryptography

Secret Key Cryptography Overview

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes

Chapter 3 Block Ciphers and the Data Encryption Standard

CIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Modern Symmetric Block cipher

P2_L6 Symmetric Encryption Page 1

Processing with Block Ciphers

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

3 Symmetric Cryptography

Data Encryption Standard (DES)

Content of this part

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Symmetric key cryptography

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

7. Symmetric encryption. symmetric cryptography 1

Symmetric Encryption Algorithms

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

The Rectangle Attack

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

CSC574: Computer & Network Security

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Lecture 4: Symmetric Key Encryption

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Computer Security CS 526

CSCE 813 Internet Security Symmetric Cryptography

Block Cipher Operation. CS 6313 Fall ASU

Secret Key Cryptography

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Lecture 3: Symmetric Key Encryption

Symmetric Cryptography. Chapter 6

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Block Cipher Modes of Operation

Network Security Essentials

Chapter 6: Contemporary Symmetric Ciphers

Computer and Data Security. Lecture 3 Block cipher and DES

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Lecture 1 Applied Cryptography (Part 1)

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Practical Aspects of Modern Cryptography

Solutions to exam in Cryptography December 17, 2013

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

CSC 474/574 Information Systems Security

Cryptography and Network Security. Sixth Edition by William Stallings

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

Double-DES, Triple-DES & Modes of Operation

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

CSC 774 Network Security

CENG 520 Lecture Note III

Fundamentals of Cryptography

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

AIT 682: Network and Systems Security

Secret Key Algorithms (DES)

Processing with Block Ciphers

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Winter 2011 Josh Benaloh Brian LaMacchia

Applied Cryptography Data Encryption Standard

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Conventional Encryption: Modern Technologies

Modes of Operation. Raj Jain. Washington University in St. Louis

Block Encryption and DES

Computer Security 3/23/18

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Block Cipher Modes of Operation

Darshan Institute of Engineering & Technology Page Information Security (IS) UNIT-2 Conventional Encryption Techniques

Information Security CS526

CPSC 467b: Cryptography and Computer Security

Conventional Encryption Principles Conventional Encryption Algorithms Cipher Block Modes of Operation Location of Encryption Devices Key Distribution

Some Aspects of Block Ciphers

Symmetric Encryption. Thierry Sans

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Elastic Block Ciphers: Method, Security and Instantiations

Symmetric Key Cryptography

ECE 646 Lecture 8. Modes of operation of block ciphers

Network Security Essentials Chapter 2

S. Erfani, ECE Dept., University of Windsor Network Security

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Chapter 6 Contemporary Symmetric Ciphers

Security Requirements

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

CSC/ECE 774 Advanced Network Security

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building

Symmetric Cryptography. CS4264 Fall 2016

Cryptography [Symmetric Encryption]

Cryptography and Network Security

SOLUTIONS FOR HOMEWORK # 1 ANSWERS TO QUESTIONS

Geldy : A New Modification of Block Cipher

Lecture 2: Secret Key Cryptography

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Transcription:

CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message authentication through secret key cryptography. CSC 474/574 Dr. Peng Ning 2

Generic Block Cipher CSC 474/574 Dr. Peng Ning 3 Generic Block Cipher Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N CSC 474/574 Dr. Peng Ning 4

Generic Block Encryption (Cont d) Convert one block to another: one-to-one Long enough to avoid known-plaintext attack, but not too long (performance). 64 bit typical Naïve: 2 64 input values, 64 bits each Output should look random No correlation between plaintext and ciphertext Bit spreading CSC 474/574 Dr. Peng Ning 5 Generic Block Encryption (Cont d) Achieve by substitution: Need to know how to substitute each plaintext message. How many bits for k-bit blocks: bits Achieve by permutation: Need to know which position each bit is placed. How many bits for k-bit blocks: bits Achieve by combinations of substitutions and permutations How about S P S S P How about S P P S Lesson? CSC 474/574 Dr. Peng Ning 6

Feistel Cipher CSC 474/574 Dr. Peng Ning 7 Feistel Cipher Confusion Make the relationship between the plaintext/key and the ciphertext as complex as possible Achieved by complex substitution algorithm. Diffusion Dissipate the statistical structure of the plaintext Achieved by having each plaintext digit affect many ciphertext digit Equivalently, having each ciphertext digit affected by many plaintext digit. CSC 474/574 Dr. Peng Ning 8

Feistel Cipher (cont d) Alternate diffusion and confusion Equivalently, alternate substitution and permutation CSC 474/574 Dr. Peng Ning 9 Feistel Cipher Structure Encryption: Round 1 Plaintext (2w bits) L 0 R 0 F K 1 Round i Round n L i F F R i K i K n L n R n L n+1 R n+1 Ciphertext (2w bits) CSC 474/574 Dr. Peng Ning 10

Feistel Cipher Structure (cont d) Decryption: Round 1 Ciphertext (2w bits) L 0 R 0 F K n Round i Round n L i F F R i K i K 1 L n R n L n+1 R n+1 Plaintext (2w bits) CSC 474/574 Dr. Peng Ning 11 One Round Feistel Cipher Plaintext (2w bits) L 0 R 0 K 1 Encryption F L 1 R 1 L 2 R 2 Ciphertext (2w bits) Decryption L 0 R 0 F K 1 L 1 R 1 L 2 R 2 CSC 474/574 Dr. Peng Ning 12

Realization of Feistel Cipher Parameters Block Size: typically 64 bits Key Size: commonly 128 bits Number of Rounds: 16 Subkey Generation algorithm Round Function CSC 474/574 Dr. Peng Ning 13 DES (Data Encryption Standard) CSC 474/574 Dr. Peng Ning 14

DES (Data Encryption Standard) Published in 1977, standardized in 1979, expired in 1998. Similar structure to Feistel cipher Key: 64 bit quantity=8-bit parity+56-bit key Every 8th bit is a parity bit. 64 bit input, 64 bit output. 64 bit M 64 bit C DES Encryption 56 bits CSC 474/574 Dr. Peng Ning 15 DES Top View 64-bit Input Permutation Round 1 Round 2... Round 16 Initial Permutation 48-bit K1 48-bit K2 48-bit K16 56-bit Key Generate keys Swap Swap 32-bit halves Permutation 64-bit Output Final Permutation CSC 474/574 Dr. Peng Ning 16

Bit Permutation (1-to-1) Input: 1 2 3 4 32 0 0 1 0. 1 1 bit Output 1 0 1 1.. 1 22 6 13 32 3 CSC 474/574 Dr. Peng Ning 17 Initial and Final Permutations Initial permutation (IP) View the input as M: 8-byte X 8-bit matrix Transform M into M1 in two steps Transpose row x into column (9-x), 0<x<9 Apply permutation on the rows: For even row y, it becomes row y/2 For odd row y, it becomes row (5+y/2) Final permutation FP = IP -1 Why? CSC 474/574 Dr. Peng Ning 18

Per-Round Key Generation Initial Permutation of DES key C i-1 28 bits D i-1 28 bits Circular Left Shift Circular Left Shift 48 bits K i Permutation with Discard Round 1,2,9,16: single shift Others: two bits C i D i 28 bits 28 bits CSC 474/574 Dr. Peng Ning 19 A DES Round 32 bits 32 bits E One Round Encryption Mangler Function S-Boxes 48 bits K i P 32 bits 32 bits 32 bits CSC 474/574 Dr. Peng Ning 20

Bits Expansion Input: 1 2 3 4 5 32 0 0 1 0 1. 1 Output 1 0 0 1 0 1 0 1.. 1 0 1 2 3 4 5 6 7 8 48 CSC 474/574 Dr. Peng Ning 21 E Box of DES How is the E Box defined? 32 4 8 12 16 20 24 28 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 5 9 13 17 21 25 29 1 CSC 474/574 Dr. Peng Ning 22

Mangler Function 4 4 4 4 4 4 4 4 subkey 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 + + + + + + + + S1 S2 S3 S4 S5 S6 S7 4 4 4 4 4 4 4 4 Permutation S8 The permutation produces spread among the chunks/s-boxes! CSC 474/574 Dr. Peng Ning 23 S-Box (Substitute and Shrink) 48 bits ==> 32 bits. (8*6 ==> 8 *4) 2 bits used to select amongst 4 permutations for the rest of the 4-bit quantity 2 bits row 4 bits column I1 I2 I3 I4 I5 I6 S i i = 1, 8. O1 O2 O3 O4 an integer between 0 and 15. CSC 474/574 Dr. Peng Ning 24

S1: (p. 71) Each row and column contain different numbers. 0 1 2 3 4 5 6 15 0 14 4 13 1 2 15 11 1 0 15 7 4 14 2 13 2 4 1 14 8 13 6 2 3 15 12 8 2 4 9 1 Example: input: 100110 output:??? CSC 474/574 Dr. Peng Ning 25 DES Standard Cipher Iterative Action Input: 64 bits Key: 48 bits Output: 64 bits Key Generation Box Input: 56 bits Output: 48 bits One round (Total 16 rounds) CSC 474/574 Dr. Peng Ning 26

Avalanche Effect A small change in either the plaintext or the key should produce a significant change in the ciphertext. DES has a strong avalanche effect. Example Plaintexts: 0X0000000000000000 and 0X8000000000000000 Same key: 0X016B24621C181C32 34 bits difference in cipher-texts Similar result with same plaintext and slightly different keys CSC 474/574 Dr. Peng Ning 27 Concerns About DES Key space problem: 56 bit key (2 56 ) DESCHALL recovered RSA challenge I key on June 17, 1997 (6 month into the contest) $.25m (total cost), July 15, 1998, RSA DES challenge II key recovered in 56 hours Cryptanalysis Sixteen Weak and semi-weak keys: Differential cryptanalysis require less tries using chosen plaintext/ciphertext [Biham, 1993] Effective up to 15 rounds DES is well designed to defeat differential analysis Linear cryptanalysis requires only known plaintext/ciphertext [Matsui, 1993] CSC 474/574 Dr. Peng Ning 28

DES Summary Simple, easy to implement: Hardware/gigabits/second, software/megabits/second 56-bit key DES maybe acceptable for noncritical applications but triple DES (DES3) should be secure for most applications today Supports several operation modes: ECB CBC, OFB, CFB CSC 474/574 Dr. Peng Ning 29 Modes of Block Cipher Operations CSC 474/574 Dr. Peng Ning 30

Encrypting a Large Message Modes of block cipher operations ECB (Electronic Code Book) CBC (Cipher Block Chaining Mode) OFB (Output Feedback Mode) CFB (Cipher Feedback Mode) CSC 474/574 Dr. Peng Ning 31 Electronic Code Book (ECB) M 1 M 2 M 3 M 4 64 64 64 46 pad ENC ENC ENC ENC C 1 C 2 C 3 C 4 Divide and conquer! CSC 474/574 Dr. Peng Ning 32

ECB Properties M 1 M 2 M 3 M 4 64 64 64 46 pad ENC ENC ENC ENC C 1 C 2 C 3 C 4 (M 1 == M 3 ) =>? CSC 474/574 Dr. Peng Ning 33 ECB Properties (Cont d) Cipher block substitution and rearrangement attacks fabrication of specific information No error propagation. CSC 474/574 Dr. Peng Ning 34

Cipher Block Chaining (CBC) M 1 M 2 M 3 M 4 64 64 64 46 pad IV Initialization Vector ENC ENC ENC ENC C 1 C 2 C 3 C 4 (M 1 == M 3 ) very unlikely leads to (C 1 == C 3 ) CSC 474/574 Dr. Peng Ning 35 CBC Decryption M 1 M 2 M 3 M 4 IV DEC DEC DEC DEC C 1 C 2 C 3 C 4 CSC 474/574 Dr. Peng Ning 36

CBC Properties Chaining dependency Each ciphertext block depends on all preceding plaintext blocks Error propagation Each error in c j affects decipherment of c j and c j+1. Predictable bit change in m j+1 by alert corresponding bits of c j. Error recovery An error in c j doesn t propagate beyond c j+1. Can recover from loss of cipher text blocks. CSC 474/574 Dr. Peng Ning 37 Output Feedback Mode (OFB) Like a Random Number Generator... IV k k k K bits ENC ENC ENC ENC M 1 M 2 M 3 M 4 C 1 C 2 C 3 C 4 CSC 474/574 Dr. Peng Ning 38

OFB Properties Chaining dependencies Key stream is plaintext-independent Allow pre-computing of pseudo-random stream (One- Time Pad); XOR can be implemented very efficiently No error propagation problem as in CBC Error recovery Can recover from bit error But not from block loss. If the attacker knows the plaintext, he can change the ciphertext by XORing it with the plaintext and then XORing with whatever he wants to transmit. CSC 474/574 Dr. Peng Ning 39 General k-bit CFB IV k k K bits ENC ENC ENC M 1 M 2 M 3 C 1 C 2 C 3 CSC 474/574 Dr. Peng Ning 40

CFB Properties Chaining dependencies Ciphertext block c j depends on all preceding plaintext blocks. Error propagation Bit error in one ciphertext block affects the next several blocks Error recovery Can recover from bit errors after several blocks Can resynchronize after loss of blocks. Secure against known plaintext attack (plaintext substitution) Less vulnerable to tampering with ciphertext - cipher C i s impact on m i+1 is subtle (through encryption function) and thus less predictable CSC 474/574 Dr. Peng Ning 41 Multiple Encryption CSC 474/574 Dr. Peng Ning 42

Triple DES Major limitation of DES Key length is too short (56 bits). Question: Can we apply DES multiple times to increase the strength of encryption? Advantage: preserve the existing investment in software and equipment. CSC 474/574 Dr. Peng Ning 43 Triple DES (Cont d) Double DES Encrypt the plaintext twice with two different DES keys Key length increases to 112 bits Two concerns Is DES a group? E k2 (E k1 (P)) = E k3 (P) Implication? Meet-in-the-middle attack CSC 474/574 Dr. Peng Ning 44

Meet-in-the-middle attack Encryption P E X E C Observation: Decryption P K 1 K 2 X D D C X=E (P)=D K 1 K2 (C) For a known pair (P,C) Encrypt P for all 2 56 values for K 1 Store the results in a table sorted by the value of X Decrypt C for all 2 56 values for K 2, and for each result check the table A match reveals a possible combination of key CSC 474/574 Dr. Peng Ning 45 Meet-in-the-middle attack (Cont d) Analysis With one pair (P,C), #keys that can survive the test is 2 112 /2 64 =2 48. For each pair of keys (K 1, K 2 ), the probability that it can find a non-empty entry in the table is 2-8. With another pair (P,C ), #keys that can survive both tests is 2-8 *2-8 =2-16. The probability that the correct keys are determined is 1-2 -16. Goal of double DES Increase the difficulty of exhaustive key search (2 112 keys) In effect, the effort is on the order of 2 56. CSC 474/574 Dr. Peng Ning 46

Triple DES (Cont d) Encryption P E D E C Decryption P K 1 K 2 D E K 1 D C Apply DES encryption/decryption three times. With two keys or three keys Why E-D-E? It s not clear if DES is a group when this was proposed. If one key is used, it s equivalent to doing DES once. CSC 474/574 Dr. Peng Ning 47 Triple DES Is Not Ideal... Efficiency demands schemes with longer keys to begin with! Triple DES runs one third as fast as DES on the same platform New candidates are numerous - RC5, IDEA, two-fish, CAST, etc New AES CSC 474/574 Dr. Peng Ning 48

Message Authentication through Secret Key Algorithms CSC 474/574 Dr. Peng Ning 49 Message Authentication Message authentication is the process to verify that received messages come from the alleged source and have not been altered. The goals of message authentication is to prevent Masquerade: insertion of messages from a fraudulent source. Content modification: change of messages Sequence modification: insertion, deletion and reordering of messages. Timing modification: delay or replay of messages. CSC 474/574 Dr. Peng Ning 50

Message Authentication Functions Message encryption Message Authentication Code (MAC) Hash function CSC 474/574 Dr. Peng Ning 51 Encryption for Message Authentication Conventional cryptography Use the structure or pattern in the plaintext Accept the decrypted plaintext if it is in an intelligible form. No guarantee! Append an error-detecting code (Frame Check Sequence, or FCS) to the plaintext before encryption. Encryption: C=E K (P F(P)) Decryption: P F(P)=D K (C), and then check if F(P )=F(P) The order of FCS and encryption is critical CSC 474/574 Dr. Peng Ning 52

Message Authentication Code (MAC) MAC Also known as cryptographic checksum, Message Integrity Code (MIC). Assumption: the sender and the receiver share a common secret key. A small fixed-size block generated from the message with secret key cryptography. Usually appended to the original message. CSC 474/574 Dr. Peng Ning 53 MAC (Cont d) Source Destination M K C C K (M) M C K Compare Mode I Message authentication No confidentiality CSC 474/574 Dr. Peng Ning 54

MAC (Cont d) Source Destination M K 1 C E D K 2 K 2 M C K1 (M) C K 1 Compare Mode II Message authentication and confidentiality Authentication tied to plaintext CSC 474/574 Dr. Peng Ning 55 MAC (Cont d) M Source E K2 (M) Destination E D K C 1 Compare K 2 C K K 2 1 M Mode III C K1 (E K2 (M)) Message authentication and confidentiality Authentication tied to ciphertext CSC 474/574 Dr. Peng Ning 56

Requirements for MAC For M and C K (M), it s computationally infeasible to construct a message M such that C K (M )= C K (M). C K (M) should be uniformly distributed in terms of M For any two messages M and M, Pr[C K (M)= C K (M )]=2 -n, where n is the number of bits in the MAC. Intuition: prevent chosen plaintext attack. If M is equal to some known transformation on M, then Pr[C K (M)= C K (M )]=2 -n. This requirement is subsumed by the above one. Intuition: no weak spot with respect to certain bits of the message. CSC 474/574 Dr. Peng Ning 57 MAC Based on DES CBC Mode Known as Data Authentication Algorithm DES CBC mode with IV being zero. A message is padded with zeroes to form 64-bit blocks. The data authentication code (DAC, i.e., the MAC) consists of either the entire last ciphertext block or the left M bits with 16 M 64. CSC 474/574 Dr. Peng Ning 58

MAC Based on DES CBC Mode (Cont d) M 1 M 2 M 3 M 4 64 64 64 46pad ENC ENC ENC ENC C 1 C 2 C 3 C 4 DAC (16 to 64 bits) CSC 474/574 Dr. Peng Ning 59

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback