IDEA, RC5. Modes of operation of block ciphers


ECE 646 - Lecture 8
IDEA, RC5
Modes of operation of block ciphers

Required Reading:
I. W. Stallings, "Cryptography and Network Security," 5th Edition, Chapter 6: Block Cipher Operation
II. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography: 7.6 IDEA, 7.7.2 RC5, 7.2.2 Modes of Operation

IDEA
X. Lai, J. Massey, ETH, 1990-91
- 128-bit key (a billion machines, each checking a billion keys per second, would still require 10 trillion years to check all keys)
- used in PGP (Pretty Good Privacy) - the most popular public domain program for secure e-mail
- constructed to provide an absolute resistance against differential cryptanalysis

IDEA: three basic operations (on 16-bit words X and Z, with result Y)
- XOR: Y = X ⊕ Z
- Addition modulo 2^16: Y = X + Z mod 2^16
- Multiplication modulo 2^16 + 1: Y = X ⊙ Z mod (2^16 + 1), where the word 0 represents 2^16
Corresponding inverse operations:
- X = Y ⊕ Z
- X = Y + (-Z) mod 2^16
- X = Y ⊙ Z^-1 mod (2^16 + 1)

Half-round of IDEA: Transformation
Forward transformation (inputs X_a, X_b, X_c, X_d; subkeys Z_a, Z_b, Z_c, Z_d; outputs Y_a, Y_b, Y_c, Y_d):
  Y_a = X_a ⊙ Z_a, Y_b = X_b + Z_b, Y_c = X_c + Z_c, Y_d = X_d ⊙ Z_d
Inverse transformation (inputs Y_a, Y_b, Y_c, Y_d; outputs X_a, X_b, X_c, X_d): the same structure with the subkeys Z_a^-1, -Z_c, -Z_b, Z_d^-1 (note the swapped order of the two middle subkeys)
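The three IDEA operations, their inverses and the half-round transformation above, as an added Python example (not code from the lecture); the subkey names Z_a..Z_d follow the slide. The inverse is written as the plain inverse of the forward transformation (-Z_b and -Z_c in their own positions); the slide's order -Z_c, -Z_b is the one the decryption key schedule supplies because the round swaps the two middle blocks after the half-round.

```python
MOD_ADD = 1 << 16          # addition is modulo 2^16
MOD_MUL = (1 << 16) + 1    # multiplication is modulo 2^16 + 1 (a prime); the word 0 stands for 2^16

def idea_xor(x, z):
    return x ^ z

def idea_add(x, z):
    return (x + z) % MOD_ADD

def idea_mul(x, z):
    """X (.) Z: 16-bit words multiplied modulo 2^16 + 1, with 0 read as 2^16 on input and output."""
    y = ((x or MOD_ADD) * (z or MOD_ADD)) % MOD_MUL
    return y % MOD_ADD      # the only 17-bit result, 2^16, is written back as the word 0

def add_inverse(z):
    return (-z) % MOD_ADD

def mul_inverse(z):
    """Z^-1 modulo 2^16 + 1 (Fermat's little theorem, the modulus is prime); 0 (= 2^16 = -1) is its own inverse."""
    return pow(z or MOD_ADD, MOD_MUL - 2, MOD_MUL) % MOD_ADD

def transform(x, z):
    """Forward transformation of a half-round: (X_a, X_b, X_c, X_d) with subkeys (Z_a, Z_b, Z_c, Z_d)."""
    xa, xb, xc, xd = x
    za, zb, zc, zd = z
    return idea_mul(xa, za), idea_add(xb, zb), idea_add(xc, zc), idea_mul(xd, zd)

def inverse_transform(y, z):
    """Undo transform(): the same operations with the inverse subkeys Z_a^-1, -Z_b, -Z_c, Z_d^-1.
    The lecture lists -Z_c before -Z_b: that is the order after the round's swap of the two middle
    blocks, which this plain inverse of the transformation alone does not include."""
    za, zb, zc, zd = z
    return transform(y, (mul_inverse(za), add_inverse(zb), add_inverse(zc), mul_inverse(zd)))
```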

Half-round of IDEA: Sub-encryption
Forward transformation (inputs X_a, X_b, X_c, X_d; outputs Y_a, Y_b, Y_c, Y_d):
  W_in = X_a ⊕ X_b, V_in = X_c ⊕ X_d
  (W_out, V_out) = MANGLER FUNCTION (W_in, V_in, e, f)
  Y_a = X_a ⊕ W_out, Y_b = X_b ⊕ W_out, Y_c = X_c ⊕ V_out, Y_d = X_d ⊕ V_out
Inverse transformation (inputs Y_a, Y_b, Y_c, Y_d; outputs X_a, X_b, X_c, X_d):
  W_in = Y_a ⊕ Y_b (= X_a ⊕ X_b, because W_out cancels), V_in = Y_c ⊕ Y_d (= X_c ⊕ X_d)
  the same MANGLER FUNCTION with the same e, f gives the same W_out, V_out
  X_a = Y_a ⊕ W_out, X_b = Y_b ⊕ W_out, X_c = Y_c ⊕ V_out, X_d = Y_d ⊕ V_out

IDEA Mangler Function (figure: inputs W_in, V_in and e, f; outputs W_out, V_out)

IDEA - Key Scheduling
128-bit key → Z_1 Z_2 Z_3 Z_4 Z_5 Z_6 Z_7 Z_8 (eight 16-bit subkeys)
Rotate 25 positions left → Z_9 Z_10 Z_11 Z_12 Z_13 Z_14 Z_15 Z_16
Rotate 25 positions left → next eight subkeys, and so on

RC5
Ron Rivest, MIT, 1994 (Ron's Code 5, Rivest's Cipher 5)
- variable key length (40 bits in the former export version, 128 bits to achieve the same strength as IDEA)
- variable block size (depends on the processor word length)
- variable number of rounds (determines resistance to linear and differential cryptanalysis; for 9 rounds this resistance is greater than for DES)
- simplicity of description
- one of the fastest ciphers
Basic operations (A, B, C are w-bit words):
- Rotation by a variable number of bits: C = A <<< B (A rotated left by the number of positions given by B)
- Addition modulo 2^w, where w is the size of the operands A and B: C = A + B mod 2^w

RC5-w/r/b
- w - word size in bits, w = 16, 32, 64; input/output block = 2 words = 2w bits; typical value w = 32 → 64-bit input/output block
- r - number of rounds
- b - key size in bytes; key size in bits = 8b bits, 0 ≤ b ≤ 255
Recommended version: RC5-32/12/16: 64-bit block, 12 rounds, 128-bit key

RC5 Encryption
  Split M into two halves A and B
  A = A + S[0]
  B = B + S[1]
  for i = 1 to r do {
    A = ((A ⊕ B) <<< B) + S[2i]
    B = ((B ⊕ A) <<< A) + S[2i+1]
  }
  C = A || B

RC5 Decryption
  Split C into two halves A and B
  for i = r downto 1 do {
    B = ((B - S[2i+1]) >>> A) ⊕ A
    A = ((A - S[2i]) >>> B) ⊕ B
  }
  B = B - S[1]
  A = A - S[0]
  M = A || B

(additions and subtractions are modulo 2^w; <<< and >>> rotate left and right, with the rotation amount taken modulo w)

RC5 - Key Scheduling
k bits of the main key → 2r + 2 round keys = (2r + 2)·w bits
Two magic constants:
  P_w = Odd((e - 2)·2^w)
  Q_w = Odd((φ - 1)·2^w)
where e - base of natural logarithms, e = 2.7182...; φ - golden ratio, φ = x/y = y/(x - y) = 1.6180...; Odd(x) - the odd integer nearest to x

RC5 - Key Scheduling: Initialize and Convert
  t = 2r + 2 (number of round keys), c = ceil(8b / w) (number of key words)
Initialize:
  S[0] = P_w
  for i = 1 to t-1 do S[i] = S[i-1] + Q_w
Convert:
  for i = 0 to c-1 do L[i] = 0
  copy the key bits directly to the memory positions represented by L

RC5 - Key Scheduling: Mix
  i = j = 0
  A = B = 0
  do 3·max{t, c} times {
    A = S[i] = (S[i] + A + B) <<< 3
    B = L[j] = (L[j] + A + B) <<< (A + B)
    i = (i + 1) mod t
    j = (j + 1) mod c
  }

RC5 - Resistance to differential and linear cryptanalysis
Plaintext requirement (number of plaintexts needed for the attack) per number of rounds:
  # rounds   Differential cryptanalysis   Linear cryptanalysis
  4          2^22                         2^37
  5          2^26                         2^47
  6          2^32                         2^57
  7          2^37                         > 2^64
  9          2^46
  12         2^63
  13         > 2^64
Differential cryptanalysis cannot be applied to RC5 with # rounds ≥ 13
Linear cryptanalysis cannot be applied to RC5 with # rounds ≥ 7

Resistance of modern ciphers against known attacks
- Proprietary ciphers built into application software: mostly insecure, broken in seconds on a PC
- Proprietary ciphers with unknown specification: uncertain, may be hard to verify
- Past 40-bit international versions of ciphers: keys recoverable in less than one hour using a small network of computers worth less than $10,000
- DES: keys can be recovered within 24 hours using a specialized machine based on FPGAs worth less than $100,000
- Triple DES, DESX, RC5: all known attacks impractical

State of research regarding the security of secret-key ciphers
- limited number of researchers actively involved in cryptanalysis and design of new ciphers
- number of published ciphers > number of researchers
- evaluations of the cipher strength given by designers are typically unreliable
- Honest cipher = a cipher for which the best known attack is an exhaustive key search attack
- One can rely only on ciphers analyzed by a large group of qualified researchers

Modes of Operation

Block vs. stream ciphers
Block cipher: M_1, M_2, ..., M_n → C_1, C_2, ..., C_n with C_i = f(M_i)
  Every block of ciphertext is a function of only one corresponding block of plaintext.
Stream cipher: m_1, m_2, ..., m_n → c_1, c_2, ..., c_n, with an internal state IS:
  c_i = f(m_i, IS_i), IS_{i+1} = g(m_i, IS_i)
  Every block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher.

Typical stream cipher
Sender: key and initialization vector (seed) → Pseudorandom Key Generator → keystream k_i; ciphertext c_i = m_i ⊕ k_i
Receiver: the same key and initialization vector (seed) → the same Pseudorandom Key Generator → the same keystream k_i; plaintext m_i = c_i ⊕ k_i

Standard modes of operation of block ciphers
Block ciphers: ECB mode, CBC mode
Stream ciphers: Counter mode, OFB mode, CFB mode

ECB (Electronic CodeBook) mode

Electronic CodeBook Mode - ECB Encryption
  M_1, M_2, M_3, ..., M_{N-1}, M_N → E → C_1, C_2, C_3, ..., C_{N-1}, C_N
  C_i = E(M_i) for i = 1..N
Electronic CodeBook Mode - ECB Decryption
  C_1, C_2, C_3, ..., C_{N-1}, C_N → D → M_1, M_2, M_3, ..., M_{N-1}, M_N
  M_i = D(C_i) for i = 1..N

Criteria for Comparison of Modes of Operation
- hiding repeating message blocks
- speed
- capability for parallel processing and pipelining during encryption / decryption
- use of block cipher operations (encryption only or both)
- capability for preprocessing during encryption / decryption
- capability for random access for the purpose of reading / writing
- number of plaintext and ciphertext blocks required for exhaustive key search
- error propagation in the message after modifying / deleting one block / byte / bit of the corresponding ciphertext

Counter Mode

Counter Mode - CTR Encryption
  counters IV, IV+1, IV+2, ..., IV+N-2, IV+N-1 → E → keystream blocks k_1, k_2, k_3, ..., k_{N-1}, k_N
  k_i = E(IV + i - 1), c_i = m_i ⊕ k_i for i = 1..N
Counter Mode - CTR Decryption
  the same counters → E → the same keystream k_1, ..., k_N
  k_i = E(IV + i - 1), m_i = c_i ⊕ k_i for i = 1..N

Counter Mode - CTR as a stream cipher with internal state (figure: L-bit counter register, block cipher input IN and output OUT):
  IS_1 = IV
  c_i = E(IS_i) ⊕ m_i
  IS_{i+1} = IS_i + 1
J-bit Counter Mode - CTR Encryption (j-bit plaintext and ciphertext blocks m_i, c_i):
  k_i = E(IV + i - 1)[1..j] (only j bits of each block cipher output are used as keystream), c_i = m_i ⊕ k_i for i = 1..N

J-bit Counter Mode - CTR (figure: of the L-bit block cipher output OUT only bits 1..j are XORed with the j-bit m_i to give c_i; the remaining L-j bits are discarded; the L-bit counter is incremented for the next block)

OFB (Output FeedBack) Mode

Output Feedback Mode - OFB Encryption
  IV → E → k_1 → E → k_2 → E → k_3 → ... → k_{N-1} → E → k_N
  k_i = E(k_{i-1}) for i = 1..N, with k_0 = IV; c_i = m_i ⊕ k_i
Output Feedback Mode - OFB Decryption
  the same keystream k_i = E(k_{i-1}), k_0 = IV; m_i = c_i ⊕ k_i for i = 1..N

Output Feedback Mode - OFB as a stream cipher with internal state (figure: L-bit register, block cipher input IN and output OUT):
  IS_1 = IV
  c_i = E(IS_i) ⊕ m_i
  IS_{i+1} = E(IS_i)
J-bit Output Feedback Mode - OFB (figure): the L-bit input register is initialized with IV; of the block cipher output OUT, j bits are XORed with the j-bit m_i to give c_i and the same j bits are fed back into the register, which is shifted left by j positions (bits 1..L-j are kept, the j output bits enter at positions L-j+1..L); the other L-j output bits are discarded

CFB (Cipher FeedBack) Mode

Cipher Feedback Mode - CFB Encryption
  IV → E → k_1; c_1 → E → k_2; c_2 → E → k_3; ...; c_{N-1} → E → k_N
  k_i = E(c_{i-1}) for i = 1..N, with c_0 = IV; c_i = m_i ⊕ k_i

Cipher Feedback Mode - CFB Decryption
  k_i = E(c_{i-1}) for i = 1..N, with c_0 = IV; m_i = c_i ⊕ k_i (the block cipher is used in the encryption direction only)
Cipher Feedback Mode - CFB as a stream cipher with internal state (figure: L-bit register, block cipher input IN and output OUT):
  IS_1 = IV
  c_i = E(IS_i) ⊕ m_i
  IS_{i+1} = c_i

J-bit Cipher Feedback Mode - CFB (figure): the L-bit shift register is initialized with IV; of the block cipher output OUT, j bits are XORed with the j-bit m_i to give the j-bit c_i (the other L-j bits are discarded); the register is shifted left by j positions, keeping bits 1..L-j, and the ciphertext bits c_i enter at positions L-j+1..L

CBC (Cipher Block Chaining) Mode

Cipher Block Chaining Mode - CBC Encryption
  IV, m_1, m_2, m_3, ..., m_{N-1}, m_N → c_1, c_2, c_3, ..., c_{N-1}, c_N
  c_i = E(m_i ⊕ c_{i-1}) for i = 1..N, with c_0 = IV
Cipher Block Chaining Mode - CBC Decryption
  c_1, c_2, c_3, ..., c_{N-1}, c_N → D → m_1, m_2, m_3, ..., m_{N-1}, m_N
  m_i = D(c_i) ⊕ c_{i-1} for i = 1..N, with c_0 = IV

Comparison among various modes
Block Cipher Modes of Operation - Basic Features (1)
- Hiding repeating plaintext blocks: ECB - No; CTR - Yes; OFB - Yes; CFB - Yes; CBC - Yes
- Basic speed (s_ECB = speed of ECB): ECB - s_ECB; CTR - s_ECB; OFB - j/L · s_ECB; CFB - j/L · s_ECB; CBC - s_ECB
- Capability for parallel processing and pipelining: ECB - encryption and decryption; CTR - encryption and decryption; OFB - none; CFB - decryption only; CBC - decryption only
- Cipher operations used: ECB - encryption and decryption; CTR - encryption only; OFB - encryption only; CFB - encryption only; CBC - encryption and decryption
- Preprocessing: ECB - No; CTR - Yes; OFB - Yes; CFB - No; CBC - No
- Random access: ECB - R/W; CTR - R/W; OFB - No; CFB - R only; CBC - R only

Block Cipher Modes of Operation - Basic Features (2)
- Security against the exhaustive key search attack, minimum number of message and ciphertext blocks needed: ECB - 1 plaintext block, 1 ciphertext block; CTR - 1 plaintext block, 1 ciphertext block; OFB - 2 plaintext blocks, 2 ciphertext blocks (for j = L); CFB - 1 plaintext block, 2 ciphertext blocks (for j = L); CBC - 1 plaintext block, 2 ciphertext blocks
- Error propagation in the decrypted message after modification of j bits of the ciphertext: ECB - L bits; CTR - j bits; OFB - j bits; CFB - L + j bits; CBC - L + j bits
- Error propagation after deletion of j bits of the ciphertext: ECB - current and all subsequent blocks; CTR - current and all subsequent blocks; OFB - current and all subsequent blocks; CFB - L bits; CBC - current and all subsequent blocks
- Integrity: ECB - No; CTR - No; OFB - No; CFB - No; CBC - No

New modes of operation
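The five modes compared above run over one pluggable block cipher, together with the experiment behind the "modification of j bits" row (flip one ciphertext bit, count which plaintext bits come out wrong), as an added Python example that is not the lecture's code. The 64-bit block cipher is a hypothetical stand-in built from SHA-256 so that the code runs offline; key and IV values are constructed.

```python
import hashlib

BLOCK = 8   # L = 64-bit blocks, as in the lecture's DES/IDEA/RC5-32 examples

def toy_block_encrypt(key, block):
    # Stand-in block cipher E: a 4-round Feistel network with SHA-256 as the round function.
    # Hypothetical, constructed only so the modes run offline; it is NOT a secure cipher.
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l                      # undo the last swap so D is the same network run backwards

def toy_block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def counter(iv, i):                    # IV + i mod 2^L, as an L-bit block
    return ((int.from_bytes(iv, "big") + i) % (1 << 8 * BLOCK)).to_bytes(BLOCK, "big")

def run_mode(mode, key, iv, blocks, decrypt=False):
    """Process a list of L-bit blocks in ECB/CBC/CFB/OFB/CTR; the feedback rules are the lecture's formulas."""
    E = lambda x: toy_block_encrypt(key, x)
    D = lambda x: toy_block_decrypt(key, x)
    out, prev, k = [], iv, iv          # prev = c_{i-1} with c_0 = IV; k = k_{i-1} for OFB with k_0 = IV
    for i, x in enumerate(blocks):     # x is m_i when encrypting, c_i when decrypting
        if mode == "ECB":
            y = D(x) if decrypt else E(x)
        elif mode == "CBC":            # c_i = E(m_i xor c_{i-1});  m_i = D(c_i) xor c_{i-1}
            y = xor(D(x), prev) if decrypt else E(xor(x, prev))
        elif mode == "CFB":            # k_i = E(c_{i-1}); both directions use E only
            y = xor(x, E(prev))
        elif mode == "OFB":            # k_i = E(k_{i-1})
            k = E(k); y = xor(x, k)
        elif mode == "CTR":            # k_i = E(IV + i - 1)
            y = xor(x, E(counter(iv, i)))
        out.append(y)
        prev = x if decrypt else y     # the ciphertext block always feeds the next step
    return out

def error_propagation(mode, hit=1, n=4):
    """Flip the first bit of ciphertext block `hit` and report, per damaged plaintext block,
    how many bits came out wrong (j = 1 flipped bit; L = 64-bit block)."""
    key, iv = b"\x01" * 16, bytes(BLOCK)                        # constructed key and IV
    msg = [bytes([i]) * BLOCK for i in range(n)]
    ct = run_mode(mode, key, iv, msg)
    ct[hit] = xor(ct[hit], b"\x80" + bytes(BLOCK - 1))
    pt = run_mode(mode, key, iv, ct, decrypt=True)
    return {i: bin(int.from_bytes(xor(pt[i], msg[i]), "big")).count("1")
            for i in range(n) if pt[i] != msg[i]}
```

CTR and OFB report exactly the one flipped bit (j bits), CFB and CBC report one whole garbled block plus the single bit in the neighbouring block (L + j bits), and ECB one garbled block (L bits).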

Evaluation Criteria for Modes of Operation: Security, Efficiency, Functionality
Evaluation criteria (1)
Security:
- resistance to attacks
- proof of security
- random properties of the ciphertext
Efficiency:
- number of calls of the block cipher
- capability for parallel processing
- memory/area requirements
- initialization time
- capability for preprocessing

Evaluation criteria (2)
Functionality:
- security services - confidentiality, integrity, authentication
- flexibility - variable lengths of blocks and keys, different amount of precomputations, requirements on the length of the message
- vulnerability to implementation errors
- requirements on the amount of keys, initialization vectors, random numbers, etc.
- error propagation and the capability for resynchronization
- patent restrictions

CBC (figure: IV and m_1, m_2, m_3, ..., m_{N-1}, m_N chained through E into c_1, c_2, c_3, ..., c_{N-1}, c_N)
Problems:
- No parallel processing of blocks from the same packet
- No speed-up by preprocessing
- No integrity or authentication

Counter mode (figure: counters IV, IV+1, IV+2, ..., IV+N-1, IV+N → E → k_0, k_1, k_2, ..., k_{N-1}, k_N; c_i = m_i ⊕ k_i for m_0, m_1, m_2, ..., m_{N-1}, m_N)
Features:
+ Potential for parallel processing
+ Speed-up by preprocessing
- No integrity or authentication

Properties of existing and new cipher modes (table comparing CBC, CFB, OFB and the new standard on: proof of security; parallel processing (one entry reads "decryption only"); preprocessing; integrity and authentication; resistance to implementation errors)

OCB - Offset Codebook Mode (figure: IV, message blocks M_1, M_2, ..., M_{N-1}, M_N, a Checksum of the message blocks, the length field g(L), values L and R, offsets Z_1, Z_2, ..., Z_N with Z_i = f(L, R, i), ciphertext blocks C_1, C_2, ..., C_{N-1}, C_N, and a τ-bit tag T)

New modes of block ciphers
1. CCM - Counter with CBC-MAC
- developed by R. Housley, D. Whiting, N. Ferguson in 2002
- assures simultaneous confidentiality and authentication
- not covered by any patent
- part of the IEEE 802.11i standard for wireless networks
2. GCM - Galois/Counter Mode
- developed by D. McGrew and J. Viega in 2005
- assures simultaneous confidentiality and authentication
- not covered by any patent
- used in the IEEE 802.1AE (MACsec) Ethernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and IETF IPsec standards

Properties of new modes of operation (table comparing CBC, CFB, OFB, CTR, CCM and GCM on: proof of security; parallel processing (entries read "only decryption" and "half of operations"); preprocessing (an entry reads "half of operations"); integrity and authentication; resistance to implementation errors)

FIPS standards: Modes of operation of block ciphers - Timeline (1997-2008)
- CBC, CFB, OFB, ECB: FIPS 81 (for DES); Dec. 2001: SP 800-38A (for an arbitrary block cipher)
- CTR (counter mode): Dec. 2001, SP 800-38A
- CCM: May 2004, SP 800-38B
- GCM: Nov. 2007, SP 800-38D
Contests: Apr. 2001 - NIST: 10 modes submitted to the contest (including CTR, OCB, IACBC, IAPM); patent issues
Attacks: Aug. 2001 - DCM mode, developed by NSA, attacked several days after its publication