L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Outline
- Product and iterated ciphers
- A simple substitution-permutation network
- DES and AES
- Modes of operations
- Cipher block chaining
- How to ensure message integrity?
- How to increase the security of DES?

Affine cipher as a product cipher
- Multiplicative Cipher: Let $M = C = \mathbb{Z}_{26} = \{0, 1, 2, \ldots, 25\}$ and $K = \{a \in \mathbb{Z}_{26} : \gcd(a, 26) = 1\}$. Then $E_K(m) = am \bmod 26$ and $D_K(c) = a^{-1}c \bmod 26$.
- Affine Cipher: A key in the Shift Cipher is an element $b$ in $K = \{0, 1, 2, \ldots, 25\}$. A key in the Multiplication Cipher is an element $a$ in $\mathbb{Z}_{26}$ such that $\gcd(a, 26) = 1$. Hence, a key in the product of a Multiplicative Cipher and an Affine Cipher is of the form $(a, b)$, where $E_{(a,b)}(m) = (am + b) \bmod 26$.

Iterated ciphers
- Block ciphers today are product ciphers.
  - They involve a sequence of permutation (diffusion) and substitution (confusion) operations.
- A common design is an iterated cipher consisting of a round function and a key schedule.
  - Encryption of a plaintext proceeds through $N$ similar rounds.
  - The key $K$ is used to construct the $N$ round keys or subkeys: $K_1, K_2, \ldots, K_N$.
  - Denote the round function as $g()$, which takes the current state and a subkey as inputs.

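Encryption in an iterated cipher
$K_1, K_2, \ldots, K_N$ are the subkeys derived from $K$. The encryption operation:
$$
\begin{aligned}
w_0 &\leftarrow m \\
w_1 &\leftarrow g(w_0, K_1) \\
w_2 &\leftarrow g(w_1, K_2) \\
&\;\;\vdots \\
w_{N-1} &\leftarrow g(w_{N-2}, K_{N-1}) \\
w_N &\leftarrow g(w_{N-1}, K_N) \\
c &\leftarrow w_N
\end{aligned}
$$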

Decryption in an iterated cipher
To decrypt $c$, we need a function $g^{-1}()$ which performs the following:
$$
\begin{aligned}
w_N &\leftarrow c \\
w_{N-1} &\leftarrow g^{-1}(w_N, K_N) \\
w_{N-2} &\leftarrow g^{-1}(w_{N-1}, K_{N-1}) \\
&\;\;\vdots \\
w_1 &\leftarrow g^{-1}(w_2, K_2) \\
w_0 &\leftarrow g^{-1}(w_1, K_1) \\
m &\leftarrow w_0
\end{aligned}
$$
By comparing the decryption and encryption operations, $g^{-1}()$ has to satisfy $g^{-1}(g(w, y), y) = w$ for all $w$ and $y$.

[Figure: A simple substitution-permutation network. The plaintext is mixed with the round keys $K_1$ to $K_5$ and passes through four layers of four S-boxes (S) to produce the ciphertext.]

A simple substitution-permutation network
- There are 4 identical rounds for encryption:
  - Each round uses a round key.
  - An initial key $K$ generates the round keys according to a key schedule.
- Functions of the components:
  - In each of the long rectangular boxes, the 16 input bits are XOR-ed with the subkey (for mixing the round key with data).
  - The S-boxes perform 4-bit substitutions (for providing nonlinearity).
    - They remove the linear algebraic structure.
    - The operation of an S-box cannot be encoded in a linear equation.
  - The output bits of the S-boxes are permuted (for providing diffusion).
    - A one-bit change in the input affects more than one bit in the output.
- How is decryption performed?
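
How decryption undoes the rounds, as an added example that is not part of the original slides: a 16-bit SPN in Python using the S-box, bit permutation, key schedule and test vector of the SPN example in Stinson's textbook, which these notes cite. It is assumed that the slide's figure uses the same parameters; as in that example, the last round omits the permutation.

```python
# Toy 16-bit SPN: S-box, bit permutation, key and test vector follow the
# SPN example in Stinson's textbook (assumed to match the slide's figure).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Input bit i (0 = most significant) moves to position PERM[i]; self-inverse.
PERM = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]

def round_keys(key32):
    """Key schedule: K_r is the 16-bit window starting 4*(r-1) bits into the key."""
    return [(key32 >> (16 - 4 * r)) & 0xFFFF for r in range(5)]

def substitute(w, box):
    """Apply a 4-bit S-box to each of the four nibbles of the 16-bit state."""
    return sum(box[(w >> s) & 0xF] << s for s in (12, 8, 4, 0))

def permute(w):
    """Move each state bit to its new position (diffusion across S-boxes)."""
    out = 0
    for i in range(16):
        if (w >> (15 - i)) & 1:
            out |= 1 << (15 - PERM[i])
    return out

def spn_encrypt(x, key32):
    k = round_keys(key32)
    w = x
    for r in range(3):                          # rounds 1-3: mix key, substitute, permute
        w = permute(substitute(w ^ k[r], SBOX))
    return substitute(w ^ k[3], SBOX) ^ k[4]    # round 4: no permutation, then K_5

def spn_decrypt(y, key32):
    k = round_keys(key32)
    w = substitute(y ^ k[4], INV_SBOX) ^ k[3]   # undo K_5, the S-boxes, then K_4
    for r in (2, 1, 0):                         # undo rounds 3, 2, 1 in that order
        w = substitute(permute(w), INV_SBOX) ^ k[r]
    return w

def avalanche(x, key32, bit):
    """Number of ciphertext bits that change when one plaintext bit flips."""
    return bin(spn_encrypt(x, key32) ^ spn_encrypt(x ^ (1 << bit), key32)).count("1")

KEY, PLAIN = 0x3A94D63F, 0x26B7   # textbook test vector
```

Decryption walks the round keys backwards and replaces each S-box by its inverse; the key-mixing XOR and this particular bit permutation are their own inverses.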

Threats
- In a known-plaintext attack, one can launch a brute-force attack.
  - One should not regard a brute-force attack as a real attack.
  - Cipher designers have anticipated it, and hope that this is the only way to attack the cipher.
- Linear and differential cryptanalysis
  - Known-plaintext attacks
  - Linear: finding a probabilistic linear relationship between some bits in the plaintext and a subset of state bits.

The Data Encryption Standard (DES)

DES: overall structure
- DES is a special type of iterated cipher called a Feistel cipher.
- Inputs to DES: 64-bit blocks of a plaintext
- DES uses a 56-bit key (8 parity bits)
- Output from DES: 64-bit blocks of a ciphertext
- Encryption algorithm:
  - Apply an initial permutation (IP) to the input block.
  - Iterate 16 rounds of operations with subkeys $(k_1, k_2, \ldots, k_{16})$.
    - The subkeys are generated according to a key schedule and a key $K$.
  - The result from round 16 is input to the inverse of IP ($\mathrm{IP}^{-1}$).

[Figure: DES encryption. The input block passes through the initial permutation, Round 1, Round 2, ..., Round 16 and the final permutation; the 56-bit key feeds the rounds.]

The permutations
- The initial permutation: $(L_0, R_0) \leftarrow \mathrm{IP}(\text{input block})$, where $L_0$ and $R_0$ are the left and right blocks (32 bits each).
  - IP is a fixed function.
- The final permutation: $\text{Output block} \leftarrow \mathrm{IP}^{-1}(R_{16}, L_{16})$
  - $\mathrm{IP}^{-1}$ cancels the effect of IP.

Why permute?
- The permutations do not enhance the security. Why?
- Take a modified DES that does not have the permutations (called EDS).
- If we can break EDS (discover the key), we can also break DES.
  - Given a DES pair $\langle m, c \rangle$, compute $m' \leftarrow \mathrm{IP}(m)$ and $c' \leftarrow \mathrm{IP}(c)$, and reverse the left and right blocks.
  - Feed $(m', c')$ to our EDS-breaking code.

In each round
- Perform for round $i = 1, 2, \ldots, 16$ (Feistel cipher):
  - $L_i \leftarrow R_{i-1}$
  - $R_i \leftarrow L_{i-1} \oplus f(R_{i-1}, k_i)$, where
    - $k_i$ is the 48-bit per-round key for round $i$,
    - $L_{i-1}$ and $R_{i-1}$ are the left and right blocks as a result of the $(i-1)$th round,
    - $f$ is called the S-box function (or Mangler function).
- The swapping operation is a simple permutation cipher.
- Generate the per-round keys.

[Figure: Feistel cipher encryption for round $i$, with inputs $L_{i-1}$, $R_{i-1}$ and $k_i$, the function $f$, and outputs $L_i$, $R_i$.]

[Figure: Mangler function.]

[Figure: Feistel cipher decryption for round $i$.]

DES decryption
- Decryption algorithm:
  - Apply IP to a ciphertext block.
  - Swap the left and right 32-bit blocks.
  - Iterate the same 16 rounds of operations with keys $(k_{16}, k_{15}, \ldots, k_1)$.
  - Swap the left and right 32-bit blocks for the result from the last round.
  - The output goes through $\mathrm{IP}^{-1}$ to obtain the plaintext block.
- Decryption requires exactly the same set of operations as encryption!
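
An added sketch (not from the original slides) of the Feistel structure above: the same round loop decrypts when the subkeys are applied in reverse order, even though $f$ is not invertible. The hash-based `f` and `key_schedule` are stand-ins chosen for brevity, not the DES mangler function or key schedule, and IP is omitted.

```python
import hashlib

HALF = 4  # bytes per half block: 32 + 32 bits, the DES block layout

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def f(right: bytes, subkey: bytes) -> bytes:
    """Toy round function (assumption, NOT the DES mangler): a truncated hash.
    It cannot be inverted, and the Feistel structure never needs to invert it."""
    return hashlib.sha256(subkey + right).digest()[:HALF]

def key_schedule(key: bytes, rounds: int = 16) -> list:
    """Toy key schedule (assumption): one 48-bit subkey k_1..k_16 per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, rounds + 1)]

def feistel_rounds(block: bytes, subkeys: list) -> bytes:
    """Apply L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, k_i) for each subkey,
    then output (R_n, L_n), i.e. the halves swapped after the last round."""
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, xor(left, f(right, k))
    return right + left

def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel_rounds(block, key_schedule(key))

def decrypt(block: bytes, key: bytes) -> bytes:
    # Identical operations; only the order of the subkeys is reversed.
    return feistel_rounds(block, key_schedule(key)[::-1])

# Constructed sample values.
KEY = b"toy-key"
PLAIN = b"8 bytes!"
CIPHER = encrypt(PLAIN, KEY)
```

Because the output is already written as $(R_n, L_n)$, the swap that the slide performs before the decryption rounds is built into the input here.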

The security of DES
- 16 weak keys to avoid
- A single critique about DES: a relatively short key length
- Has been cracked many times:
  - Linear cryptanalysis: $2^{43}$ plaintext-ciphertext pairs and 40 days in 1994
  - Brute-force: e.g., a special machine in 56 hours in 1998.

The Advanced Encryption Standard (AES)

The AES initiative
- Unlike DES, an open call for the AES algorithms was made in Sept. 1997.
- The requirements:
  - Unclassified, publicly disclosed secret key encryption algorithm.
  - It must support (at a minimum) block sizes of 128 bits and key sizes of 128, 192, and 256 bits.
  - It should have a strength at the level of 3DES, but should be more efficient than 3DES.
  - The algorithm, if selected, must be available royalty-free, worldwide.

The AES candidates
1. CAST-256 by Entrust Technologies, Inc.
2. CRYPTON by Future Systems, Inc.
3. DEAL by Ecole Normale Superieure
4. E2 by NTT
5. FROG by TecApro Internacional S.A.
6. HPC by Rich Schroeppel
7. LOKI97 by L. Brown, J. Pieprzyk, and J. Seberry
8. MAGENTA by Deutsche Telekom AG
9. MARS by IBM
10. RC6 by the RSA Laboratories
11. Rijndael by J. Daemen and V. Rijmen
12. Serpent by R. Anderson, E. Biham, and L. Knudsen
13. Twofish by B. Schneier, et al.

The finalists
1. MARS by IBM
2. RC6 by the RSA Laboratories
3. RIJNDAEL (Rhine Dahl) by J. Daemen and V. Rijmen
   - Supports different combinations of block sizes (128, 160, 192, 224, 256) and key sizes (128, 192, 256)
   - http://csrc.nist.gov/archive/aes/rijndael/rijndaelammended.pdf
4. SERPENT by R. Anderson, E. Biham, and L. Knudsen
5. TWOFISH by B. Schneier, et al.

The AES algorithm
- DES is based on a Feistel network; AES is a substitution-permutation network.
- The AES algorithm is an iterated cipher, similar to the simple substitution-permutation network in structure.
  - The number of rounds depends on the key length, e.g., N = 10 for a 128-bit key and N = 14 for a 256-bit key.
  - Each round provides
    - Subkey mixing (XOR)
    - Substitutions (SubBytes)
    - Permutations (ShiftRows and MixColumns)
- AES is broken! (http://www.theregister.co.uk/2011/08/19/aes_crypto_attack/)

[Figure: AES with 128 bits.]

The modes of operations

A simple electronic code book (ECB)
- Break the message into 64-bit blocks and pad the last one, if necessary.
  - How does the receiver know about the padding?
- Encrypt/decrypt each block with the secret key.
- Disadvantages:
  - Identical 64-bit plaintext blocks give identical ciphertext blocks.
  - An attacker may rearrange or even modify blocks without the receiver knowing about it.

[Figure: A simple electronic code book (ECB). Each plaintext block $m_1, m_2, m_3, m_4$ is encrypted independently by E to give the ciphertext blocks $c_1, c_2, c_3, c_4$.]

An improved approach
- Generate a 64-bit random number $r_i$ for each plaintext block $m_i$.
- Compute $m_i \oplus r_i$ and then encrypt the result.
- Send out the ciphertext and the $r_i$'s.
- This solves the problem of identical ciphertext blocks.
- Disadvantages:
  - It sends out twice the amount of information.
  - An attacker can still remove, swap or even modify blocks without the receiver knowing about it.

[Figure: An improved approach. Each plaintext block $m_1, \ldots, m_4$ is combined with its random number $r_1, \ldots, r_4$ and encrypted by E to give $c_1, \ldots, c_4$; transmit $r_1, c_1, r_2, c_2, r_3, c_3, r_4, c_4$.]

Cipher block chaining (CBC)
- CBC uses $c_i$ as $r_{i+1}$ (the $i$th ciphertext block is used as the $(i+1)$th random number).
- CBC encryption:
  - $c_0 \leftarrow IV$
  - $c_i \leftarrow E(m_i \oplus c_{i-1})$ for $i > 0$
- CBC decryption:
  - $c_0 \leftarrow IV$
  - $m_i \leftarrow D(c_i) \oplus c_{i-1}$ for $i > 0$

Benefits of CBC
- It removes the need for sending all random numbers except for the first block.
  - The first random number is known as an initialization vector (IV).
- CBC solves the identical ciphertext block problem.
  - Each ciphertext block is dependent on the corresponding plaintext block and the previous blocks.
- Without an IV, two identical messages will encrypt in the same way up to the first difference.
- A randomly chosen IV also prevents chosen-plaintext attacks.

[Figure: CBC encryption. The inputs are IV, $m_1, m_2, m_3, m_4$; each block passes through E; the outputs are IV, $c_1, c_2, c_3, c_4$.]

[Figure: CBC decryption. The inputs are IV, $c_1, c_2, c_3, c_4$; each block passes through D; the outputs are IV, $m_1, m_2, m_3, m_4$.]

Security problems of CBC
- An attacker can add blocks to the end of an encrypted message without being detected.
  - The receiver needs to know where the message ends.
- If a bit is added to or lost from the ciphertext stream, all subsequent blocks are shifted 1 bit out of position.
  - The receiver needs to ensure that the block structure remains intact.

Security problems of CBC
- An attacker can alter a ciphertext block to introduce controlled changes.
- E.g., if bit 3 of $c_i$ is modified,
  - Since $m_{i+1} = c_i \oplus \text{decrypted } c_{i+1}$, bit 3 of $m_{i+1}$ is also modified (deterministic).
  - Since $m_i = c_{i-1} \oplus \text{decrypted } c_i$, $m_i$ would also be modified (nondeterministic).
- Can this modification be detected by the receiver?
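
The CBC equations and the ciphertext-alteration effect above, as an added Python example (not from the original slides). The block cipher is a constructed stand-in, a key-seeded random permutation of 16-bit blocks rather than a 64-bit cipher, and the key, IV and plaintext are sample values.

```python
import random

BITS = 16  # toy block size (assumption; the slides use 64-bit blocks)

def make_cipher(key: int):
    """Constructed toy block cipher: a key-seeded random permutation of all
    16-bit blocks. Returns the pair (E, D) of lookup functions. Not secure."""
    table = list(range(1 << BITS))
    random.Random(key).shuffle(table)
    inverse = [0] * len(table)
    for p, c in enumerate(table):
        inverse[c] = p
    return table.__getitem__, inverse.__getitem__

def ecb_encrypt(E, blocks):
    return [E(m) for m in blocks]

def cbc_encrypt(E, iv, blocks):
    """c_0 = IV, c_i = E(m_i XOR c_{i-1})."""
    out, prev = [], iv
    for m in blocks:
        prev = E(m ^ prev)
        out.append(prev)
    return out

def cbc_decrypt(D, iv, blocks):
    """m_i = D(c_i) XOR c_{i-1}."""
    out, prev = [], iv
    for c in blocks:
        out.append(D(c) ^ prev)
        prev = c
    return out

def flip_bit(cipher_blocks, index, bit):
    """Copy of the ciphertext with one bit of block `index` flipped in transit."""
    tampered = list(cipher_blocks)
    tampered[index] ^= 1 << bit
    return tampered

E, D = make_cipher(key=2015)
IV = 0x1234
plain = [0x4142, 0x4142, 0x4344, 0x4546]   # constructed; first two blocks identical
ecb = ecb_encrypt(E, plain)                # ecb[0] == ecb[1]: the repeat is visible
cbc = cbc_encrypt(E, IV, plain)
# Flip bit 3 of the second ciphertext block, then decrypt as the receiver would.
received = cbc_decrypt(D, IV, flip_bit(cbc, 1, 3))
# received[2] is plain[2] with bit 3 flipped; received[1] is an unrelated value;
# received[0] and received[3] are untouched.
```

Decryption of the tampered ciphertext raises no error, which is why the slides turn to message integrity next.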

CBC padding
- A message has to be padded to an integral number of blocks before encryption.
- For example, in the PKCS7 standard (RFC5652),

Vulnerabilities of CBC padding
- The final decrypted block should end with one of the binary strings below.
  - 0x01
  - 0x02 0x02
  - 0x03 0x03 0x03
  - 0x04 0x04 0x04 0x04
  - ...
- In workshop one, you will be asked to decrypt a message using the knowledge of the CBC padding scheme and an oracle.
  - Oracle padding attack

How to ensure message integrity?

Generating MACs for unencrypted messages
- As usual, compute the CBC for a message.
- Send out the plaintext with the last ciphertext block (CBC residue, MAC).
- The receiver verifies whether the plaintext + CBC residue has been modified by
  - computing the CBC for the message and
  - comparing the last ciphertext block with the MAC.

[Figure: Generating MACs for unencrypted messages. The inputs are IV, $m_1, m_2, m_3, m_4$; each block passes through E; the outputs are IV, $c_1, c_2, c_3$ and the residue.]

[Figure: Both secrecy and message integrity, Proposal 1? The inputs are IV, $m_1, m_2, m_3, m_4$; each block passes through E; the outputs are IV, $c_1, c_2, c_3$, the residue and $c_4$.]

[Figure: Both secrecy and message integrity, Proposal 2? The inputs are IV, $m_1, m_2, m_3, m_4$ and $c_4$; each of the five blocks passes through E; the outputs are IV, $c_1, c_2, c_3, c_4, c_5$.]

[Figure: Both secrecy and message integrity, Proposal 3? The inputs are IV, $m_1, m_2, m_3, m_4$ and a CRC; each of the five blocks passes through E; the outputs are IV, $c_1, c_2, c_3, c_4, c_7$.]

How to increase the security of DES?

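Multiple encryption DES
- Triple DES (3DES or EDE) using 2 keys
  - Encrypt (or decrypt) a plaintext and then decrypt (or encrypt) it.
- Encryption: $m \rightarrow E\,(k_1) \rightarrow D\,(k_2) \rightarrow E\,(k_1) \rightarrow c$
- Decryption: $c \rightarrow D\,(k_1) \rightarrow E\,(k_2) \rightarrow D\,(k_1) \rightarrow m$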

[Figure: EDE with CBC on the outside. The inputs are IV, $m_1, m_2, m_3, m_4$; each block passes through E with $k_1$, D with $k_2$ and E with $k_1$; the outputs are IV, $c_1, c_2, c_3, c_4$.]

Design issues
- How many encryptions?
- How many keys?
- Order of encryption and decryption?
  - EEE, DDD, EDE, DED
- CBC outside vs inside?

Summary
- The modern block ciphers are iterated ciphers.
  - Based on multiple rounds of substitutions and permutations.
  - Subject to linear and differential cryptanalysis, and brute-force attacks
- Examined DES, including the operations and special properties.
- Examined the operational issues for block ciphers, e.g.,
  - Variable-length message
  - Attacks on CBC
  - Message integrity
  - Increase DES security

Acknowledgments
- The notes are prepared mostly based on
  - D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.
  - C. Kaufman, R. Perlman and M. Speciner, Network Security: Private Communication in a Public World, Second Edition, Prentice Hall PTR, 2002.
  - W. Mao, Modern Cryptography: Theory and Practice, Prentice Hall, 2004.
  - B. Schneier, Applied Cryptography, Second Edition, Wiley, 1996.
- The Mangler function is taken from http://en.wikipedia.org/wiki/file:data_encryption_standard_infobox_Diagram.png.
- The AES block diagram is taken from http://www.giac.org/cissppapers/42.pdf.
- Other references:
  - AES homepage: http://csrc.nist.gov/archive/aes/index.html
  - Wiki: http://en.wikipedia.org/wiki/advanced_encryption_standard