Data Encryption Standard (DES)

Similar documents
L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Secret Key Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Lecture 4. Encryption Continued... Data Encryption Standard (DES)

Secret Key Cryptography

Fundamentals of Cryptography

Week 5: Advanced Encryption Standard. Click

P2_L6 Symmetric Encryption Page 1

Lecture 5. Encryption Continued... Why not 2-DES?

AES Advanced Encryption Standard

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Modern Symmetric Block cipher

Cryptographic Algorithms - AES

CSC 474/574 Information Systems Security

Cryptography and Network Security

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Modes of Operation. Raj Jain. Washington University in St. Louis

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001

Symmetric Key Cryptography

CPSC 467b: Cryptography and Computer Security

Cryptography Functions

Symmetric Encryption Algorithms

A High-Performance VLSI Architecture for Advanced Encryption Standard (AES) Algorithm

Chapter 3 Block Ciphers and the Data Encryption Standard

Applied Cryptography Data Encryption Standard

CPSC 467b: Cryptography and Computer Security

Content of this part

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:

Encryption Details COMP620

Content of this part

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Lecture 2: Secret Key Cryptography

Stream Ciphers and Block Ciphers

CENG 520 Lecture Note III

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Computer and Data Security. Lecture 3 Block cipher and DES

Network Security Essentials Chapter 2

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

Symmetric Cryptography CS461/ECE422

Block Ciphers. Secure Software Systems

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

CPSC 467: Cryptography and Computer Security

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Stream Ciphers and Block Ciphers

CS Network Security. Module 6 Private Key Cryptography

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Secret Key Algorithms (DES)

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Cryptography III: Symmetric Ciphers

Implementation of the block cipher Rijndael using Altera FPGA

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

PGP: An Algorithmic Overview

Cryptography and Network Security. Sixth Edition by William Stallings

Block Cipher Operation. CS 6313 Fall ASU

Goals of Modern Cryptography

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

3 Symmetric Cryptography

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Optimized AES Algorithm Using FeedBack Architecture Chintan Raval 1, Maitrey Patel 2, Bhargav Tarpara 3 1, 2,

Chapter 6: Contemporary Symmetric Ciphers

Key Separation in Twofish

7. Symmetric encryption. symmetric cryptography 1

Symmetric key cryptography

Network Security Essentials

Jaap van Ginkel Security of Systems and Networks

Secret Key Cryptography Overview

Symmetric Cryptography

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

AIT 682: Network and Systems Security

Symmetric Encryption. Thierry Sans

Cryptography and Network Security

CS 392/681 Computer Security. Module 1 Private Key Cryptography

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

FPGA CAN BE IMPLEMENTED BY USING ADVANCED ENCRYPTION STANDARD ALGORITHM

Cryptography Trends: A US-Based Perspective. Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000

Introduction to Cryptology. Lecture 17

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

DIFFUSION AND TIME ANALYSIS FOR AES CANDIDATES

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Block Ciphers Introduction

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Computational Security, Stream and Block Cipher Functions

CSE 127: Computer Security Cryptography. Kirill Levchenko

The Rectangle Attack

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Implementation and Performance analysis of Skipjack & Rijndael Algorithms

Comparison of Performance of AES Standards Based Upon Encryption /Decryption Time and Throughput

Study and Analysis of Symmetric Key-Cryptograph DES, Data Encryption Standard

Computer Security 3/23/18

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Transcription:

Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals: high security degree, easy to understand, cost-effective to implement 1982: DES developed by the National Bureau of Standards, IBM, the National Security Agency, the Institute of Standardisation and Technology, and the American National Standardisation Institute Usage: e.g. for computation of secret numbers for ec-cards All 5 years: DES review for decision about further usage Result: Until now, no modifications were made Problem of DES: Usage of a key with a length of 56 bit Criticised for a key length too short for usage in practice January 1999: DES key was broken by a Brute Force attack within 22 hours Page 38

General Structure of DES DES uses blocks of length n = 64 bit Length of key k DES is 64 bit (but: only usage of 56 bit of this key, one bit in each byte is used for odd parity) Encryption takes place in 16 identical rounds with round keys k i of 48 bit length Encryption process 1. step: permutation performed on the input block Purpose of permutation: has no security means; but: simple implementations become slower with the permutation, hardware solutions are needed designers want to control the availability of DES? 2. step: generation of round keys 3. step: performing 16 identical rounds 4. step: inverse permutation to step 1 (when applying DES several times, the effects of both permutations are compensated in between) Page 39

DES Encryption Process 64 bit input block 56 bit key k DES 1. Initial permutation 2. Generation of round keys round 1 48 bit k 1 generate 16 per-round keys 3. Encryption in 16 identical rounds: a. Substitution round 2 48 bit k 2 b. Permutation round 16 48 bit k 16 Additional step: swap left and right halves 4. Final permutation 64 bit output block Page 40

Step 1 and 4: Input and Output Permutations Input permutation (IP) Output permutation (IP -1 ) 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7 1 goes to 40 40 goes to 1 40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25 Input permutation See each 64-bit block as 8 Bytes, arranged in a matrix Diffusion of bits over all bytes Bits of a column are packed into a row First byte is spread into 8 th bits of all bytes Second byte is spread into 7 th bits of all bytes... Page 41

Step 2: Generation of Round Keys (1) Preparation: divide k DES into C 0 and D 0 (each 28 bit long - no parity bits) by performing permutations similar to DES initial permutation (which has no security value) Now: round keys k i are computed in 16 rounds from C i and D i : k DES C i-1 D i-1 left shift left shift C i D i permutations k i Page 42

Step 2: Generation of Round Keys (2) Characteristics of key generation Left shift round 1, 2, 9, and 16: left shift of 1 bit other rounds: left shift of 2 bits Notice: 10 years later it was found, that performing the left shift with varying step sizes makes the algorithm more secure Left half of k i is only determined by C i, right side only by D i Permutations: C i : bits 9, 18, 22, and 25 are discarded (remaining: 24 bits) D i : bits 35, 38, 43, and 54 are discarded (remaining: 24 bits) perform permutations on remaining bits of C i resp. D i to obtain k i (48 bits) Notice: the choice of the permutations on C i resp. D i influence the security of DES, because they determine the quality of the round keys Page 43

Step 3: One DES Round Divide input block into two 32-bit blocks L i and R i Compute L i+1 as R i, and R i+1 as L i f(r i, K i ) f is cipher function, i.e. combination of substitution and permutation Security provided by DES depends on the quality of the cipher function Decryption: uses the same algorithm, has same expense like encryption encryption: 64 bit input block decryption: 64 bit input block 32 bit L i 32 bit R i 32 bit L i+1 32 bit R i+1 cipher function k i cipher function + + 32 bit L i+1 32 bit R i+1 32 bit L i 32 bit R i 64 bit output block 64 bit output block Page 44

Step 3: Cipher Function - Substitution Expand 32-bit input block R i to a 48 input block R i ' Divide 32-bit input block into 8 chunks of 4 bit Expansion: enhance chunks of 4 bit with their neighbour bits to 6 bit 1 2 3 4 5 6 7 8 9 32 32 1 2 3 4 5 4 5 6 7 8 9 Divide round key k i into 8 chunks of 6 bit Perform XOR operation on R i ' and k i chunks Use resulting chunks as input for S-Boxes chunk j of R i ' + chunk j of k i chunk j for input in S-Box j Page 45

Step 3: Cipher Function - S-Boxes for Substitution S-Box Table for exchanging one 6-bit chunk with a 4-bit cipher block Each 4 input values map to the same output value (one in each row) First and last bit of a chunk determine a substitution row in a S-Box Overall 8 S-Boxes, one for each chunk Outputs of S-Boxes are combined into a 32 bit block S-Box for the first chunk: 000101 0000 0001 0010 0011 0100 1111 00 1110 0100 1101 0001 0010 0111 01 0000 1111 0111 0100 1110 1000 10 0100 0001 1110 1000 1101 0000 11 1111 1100 1000 0010 0100 1101 Page 46

Step 3: S-Boxes Choice of S-Boxes influences quality of the DES algorithm When exchanging e.g. S-Boxes 3 and 7, the security is distinctly restricted Chosen S-Boxes: compromise of resistance against known attacks and low costs for hardware realisation Design criteria given by IBM Output function should be relatively complex If two input chunks j 1,..., j 6 and j 1',..., j 6' to an S-Box differ in exactly one bit, the outputs should differ in a minimum of two bits If j 3 j 3', j 4 j 4', and j i = j i' else, the outputs should differ in a minimum of two bits For all input chunks with the same 6-bit-difference (there always are 32 input chunks with a common difference), a maximum of 8 of them should have the same difference in the output Page 47

Step 3: Cipher Function After applying S-Boxes: permutation step Ensure that bits of the output of an S-Box on one round affects the input of multiple S-Boxes in the next round: Two of the output bits of one S-Box should influence the middle of the result, the other two bits should influence the edges The 4 output bits should form the input of 6 S-Boxes in the next round Security of DES DES is seen as very secure (except for the key length) No attacks with lower costs than a Brute Force attack are known as far There are some so-called weak keys and semi-weak keys These keys should not be used! Questions on DES Design process for DES was not public Are details well-chosen for strength of the DES algorithm? Are some weaknesses useful for people involved in the design process? Are there other weak keys than the known ones? Page 48

Multiple Application of DES Short key in DES (56 bit) is unsuitable Repeated application of DES to increase key length Double application of DES: Suitable key length of 112 bit But: attack is known which needs 257 steps (~ Brute Force attack for DES) if only 3 or 4 <message, cipher>-pairs are known (without knowing the two DES keys <k 1, k 2 >: Assume: <m i, c i > is a known pair Search for a key pair <k 1, k 2 > matching on <m i, c i > Create one table with entries for each possible k 1 : <m i, t a > Create one table with entries for each possible k2: <t b, c i > Search for rows with t a = t b Such a row is a candidate for a key pair <k 1, k 2 > Repeat procedure by testing other known blocks <m i, c i > Usually, 3 or 4 test are enough to determine one key pair <k 1, k 2 > Page 49

Triple-DES Lehrstuhl für Informatik 4 The more applications of DES are made, the more cost is caused Generally used: Triple-DES No attack is known for Triple-DES Generally accepted method in Triple-DES: EDE (encrypt - decrypt - encrypt) Equivalent to using two cipher functions E and D with order EDE Only two keys k 1 (in E) and k 2 (in D) are used 112 bit key length is enough, not necessary to generate and transmit a third key Why using decryption D in the second step? Using k 1 = k 2, the second application cancels the first one, and standard DES results (interoperation with standard DES system) In usage of EEE, the initial permutation of one E would redo the end permutation of the previous E: perm DES rounds perm perm init end init DES rounds perm end Page 50

International Data Encryption Algorithm (IDEA) Alternative to DES: IDEA Symmetric cryptography method similar to DES Developed 1991 at the ETH Zürich by Lai and Massey Goal: create a cryptography algorithm efficiently computable in software, more secure than DES Characteristics Usage of a key with a length of 128 bit Operating on blocks of 64 bit length Like in DES, based on rounds with a cipher function Build from 17 rounds, distinguished between even and odd rounds Odd rounds each use 4 round keys Even rounds each use 2 round keys Page 51

General Structure of IDEA 64 bit input block 128 bit key k IDEA 2. Division of input block into 4 16-bit blocks key expansion round 1 k 1, k 2, k 3, k 4 3. Encryption in 17 rounds: a. even rounds b. odd rounds round 2 k 5, k 6 round 17 k 49, k 50, k 51, k 52 1. Key generation 64 bit output block Page 52

Key Generation in IDEA 52 keys of 16 bit length are generated k IDEA is divided into 8 subkeys k 1 to k 8, each 16 bit long k IDEA is shifted left by 25 bit and divided into the next 8 keys The last step is repeated, until 52 keys are generated Division of generated keys into round keys Round one is assigned with k 1 to k 4 Round two is assigned with k 5 to k 6 In general: even round r i gets keys k 3i - 1 and k 3i odd round r j gets keys k 3j - 2 to k 3j + 1 Notice: in the specification, keys 50 and 51 are exchanged Keys in decryption process Uses same algorithm like encryption Odd round: use mathematical inverse of the encryption round keys Even round: use same keys as in encryption, because the even round is its own reverse Page 53

One Round in IDEA Divide input block into 16-bit blocks X a, X b, X c, X d In odd round, use keys k a, k b, k c, k d In even round, use keys k e, k f Use three operations for transforming 16 bit on another 16 bit XOR ( ) Addition modulo 2 16 (+) Multiplication modulo 2 16 + 1 ( ) Notice: this operation is reversible, with one modification: - 0 has no inverse in multiplication -2 16 is in the range of mod 2 16 + 1, but not expressible in 16 bits define 0 (i.e. 00...00) to be 2 16 Page 54

Odd Round Lehrstuhl für Informatik 4 Compute output block by X a = X a k a 64 bit input block X b = X c + k c X c = X b + k b X d = X d k d 16 bit X a 16 bit X b 16 bit X c 16 bit X d + + k a k b k c k d Decryption: Use inverse keys k' Rounds run as before: X a = X a ' k a ' X b = X c + k c ' X c = X b + k b ' X d = X d ' k d ' 16 bit X a 16 bit X b 16 bit X c 16 bit Xd 64 bit output block Page 55

Even round Compute output block by Y ab = X a X b Y cd = X c X d 16 bit X a 64 bit input block 16 bit X b 16 bit X c 16 bit X d Z ab = ((k e Y ab ) + Y cd ) k f Z cd = (k e Y ab ) + Z ab k e k f X a = X a Z ab X b = X b Z ab X c = X c Z cd X d = X d Z cd cipher function Y ab cipher function Z ab Z cd Y cd Z ab and Z cd are computed by the cipher function Decryption: Use same keys Round is its own inverse 16 bit X a 16 bit X b 16 bit X c 16 bit X d 64 bit output block Page 56

IDEA vs. DES Lehrstuhl für Informatik 4 Advantages of IDEA Key length 128 bit is more resistant against Brute Force attacks Less attacks on IDEA known Not using 'mysterious' S-Boxes and permutations DES has weak keys, i.e. both halves only consist of successions like 0...0, 1...1, 0101...01 or 1010...10 Such keys are not known for IDEA Decision criteria DES is more suitable for hardware realisation IDEA is more suitable for software realisation Page 57

Advanced Encryption Standard (AES) National Institute of Standards and Technology (NIST), 1997: Call for an encryption algorithm as successor of DES Requirements for AES Definition of a public available symmetric block encryption algorithm Variable key length of 128, 192, and 256 bit Final proposals MARS -IBM RC6 - RSA Laboratories RIJNDAEL - Joan Daemen, Vincent Rijmen Serpent - Ross Anderson, Eli Biham, Lars Knudsen Twofish - Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson RIJNDAEL was selected as AES Page 58

Design Criteria of AES Resistance against all known attacks Speed and code compactness on a wide range of platforms Design simplicity AES design AES consists of 1. An initial round key addition 2. A variable number of rounds 3. One final round Round transformation - not as in most ciphers - is composed of 3 distinct invertible uniform transformations (called layers) (uniform = every bit is treated in a similar way) Linear mixing layer: achieve a high bit diffusion over multiple rounds Non-linear layer: Key addition layer: perform a parallel application of S-Boxes that have optimal worst-case non-linearity properties perform XOR of the round key and the intermediate state Page 59

AES Characteristics Initial round key addition is performed for security reasons: Without key addition, the following actions could be peeled of without knowledge of the key AES is a block cipher with variable block length Key length can independently specified as 128, 192 or 256 bit A cipher key can be seen as an array with 4 rows. The number of columns is denoted by N k, and is equal to the key length divided by 32 An intermediate block is called State. It can be seen as array with 4 rows and N b columns, and is equal to the block length divided by 32 N b = 6 N k = 4 a 0,0 a 0,1 a 0,2 a 0,3 a 0,4 a 0,5 k 0,0 k 0,1 k 0,2 k 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 1,4 a 1,5 k 1,0 k 1,1 k 1,2 k 1,3 k2,0 k2,1 k2,2 k2,3 a 2,0 a 2,1 a 2,2 a 2,3 a 2,4 a 2,5 a 3,0 a 3,1 a 3,2 a 3,3 a 3,4 a 3,5 state k 3,0 k 3,1 k 3,2 k 3,3 cipher key input and output: one-dimensional arrays of 8-bit bytes. Block length: 16, 24, or 32 bytes (same for cipher key ) Page 60

Generation of Round Keys in AES Each round key is derived from the cipher key by key schedule: 1. Key expansion An expanded key is an array of 4-byte words w i The first N k words contain the cipher key All following words are composed of the previous word XOR'ed with the word N k positions earlier For words in positions of multiple of N k, a round constant is XOR'ed 2. Key selection The round key k i is given by the words from N b i to N b (i+1) Total number of round keys: with m rounds and blocks of length n: generate n (m+1) keys cipher key W 0 W 1 W 2 W 3 W 4 W 5 W 6 W 7 W 8 W 9 W 10 W 11 W 12 W 13 W 14... round key 0 round key 1 Page 61

Rounds in AES Lehrstuhl für Informatik 4 The number of rounds N r depends on N b and N k N r N b = 4 N b = 6 N b = 8 N k = 4 N k = 6 10 12 12 12 14 14 N k = 8 14 14 14 Each round transformation is composed of four transformations: ByteSub ShiftRow MixColumn AddRoundKey Exception in the final round: No MixColumn is performed Page 62

ByteSub, MixColumn, and AddRoundKey Transformation ByteSub transformation Non-linear byte substitution Operates on each of the State bytes independently Invertible S-Boxes are used as substitution table MixColumn transformation Columns of the State are considered as polynomials and multiplied with a fixed polynomial c(x) = '03' x 3 + '01' x 2 + '01' x + '02' mod x 4 + 1 Can be written as matrix multiplication AddRoundKey transformation Round key is applied to the State by a bitwise xor Round key length is equal to the block length N b Page 63

ShiftRow Transformation ShiftRow transformation Rows of the State are cyclically shifted by different offsets: Row 0: not shifted Row 1: shifted by C 1 bytes N b C 1 C 2 C 3 Row 2: shifted by C 2 bytes 4 1 2 3 Row 3: shifted by C 3 bytes 6 1 2 3 Offsets C 1, C 2, C 3 depend on N b 8 1 3 4 Example: N b = 6 C 1 = 1, C 2 = 2, C 3 = 3 a 0,0 a 0,1 a 0,2 a 0,3 a 0,4 a 0,5 a 0,0 a 0,1 a 0,2 a 0,3 a 0,4 a 0,5 a 1,0 a 1,1 a 1,2 a 1,3 a 1,4 a 1,5 a 1,0 a2,0 a2,1 a 2,0 a 2,1 a 2,2 a 2,3 a 2,4 a 2,5 a 3,0 a 3,1 a 3,2 a 3,3 a 3,4 a 3,5 a 3,0 a 3,1 a 3,5 Page 64

Characteristics of AES Strength against former attacks (but not against new attacks ) Care has been taken to eliminate symmetry in the behaviour of the cipher obtained by round constants different for each round Advantages of the algorithm: Implementation runs fast for a block cipher (trade-off between table size and performance) Can be implemented on a smart card Round transformation can be performed in parallel Extendable design: each key length in 32 bit steps is possible, number of rounds can be extended Can be used as self-synchronising stream cipher Limitations: Decryption needs more code and cycles than encryption, as well as other tables than the cipher Page 65

Encryption of Long Messages Encrypt long messages (streams) with block ciphers: Usual message has much more than 64 bits, i.e. consists of several blocks Defined for usage with DES Applicable on all block cipher algorithms using fixed-length blocks Requirements 1.) The receiver should be able to detect the integrity of the block sequence i.e. should be able to find out whether a block has been changed or inserted/deleted, or whether a permutation has been done 2.) An attacker should be not able to detect the "natur" of the message Division of messages for coding with DES or IDEA (64 bit blocks) 1. Electronic Code Book (ECB) 2. Cipher Block Chaining (CBC) 3. k-bit Cipher Feedback Mode (CFB) 4. k-bit Output Feedback Mode (OFB) Page 66

Electronic Code Book (ECB) Simplest method: divide a message into blocks and encrypt each one Disadvantage: Too simple, too dangerous; does not satisfy the requirements Identical blocks m i are encrypted to the same cipher block c i and can be identified by an attacker The message structure can be identified If the attacker knows, what context the plaintext has, parts of message can be manipulated Advantage: fast access to single blocks message stream break message into blocks m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 10 m 11 e e e e e e e e e e e encrypt block with secret key (DES, IDEA,...) c 1 c 2 c 3 c 4 c 5 c 6 c 7 c 8 c 9 c 10 c 11 Page 67

Cipher Block Chaining (CBC) Improvement of ECB Equal blocks repeated in the plaintext will not cause equal cipher text blocks Has same performance as ECB CBC method: each block is coded with a random number (XOR) before encryption Avoidance of transmitting random numbers Cipher text is used as random number, i.e. each block is coded with the cipher text of the previous one Only the value for the first block has to be chosen (initialisation vector, IV) and transmitted = 0...0 m 0 IV m 1 m 2 m 3 m 4 m 5 m 6 e e e e e e e encrypt with secret key c 0 c 1 c 2 c 3 c 4 c 5 c 6 c i = e k (m i c i-1 ) Page 68

Decryption in CBC Decryption looks similar to encryption: m 1 m 2 m 3 m 4 m 5 m 6 m i = d k (c i ) c i-1 IV d d d d d d c 1 c 2 c 3 c 4 c 5 c 6 For each message to be encoded, a new IV should be used Usage of the same IV for all messages would cause some problems: First differences in similar messages can be found by an attacker Old messages can be sent by an attacker at a later time Chosen plaintext can be applied as an attack CBC is often used in combination with Triple-DES Page 69

Two Alternatives for Combining CBC and Triple-DES CBC on the outside CBC on the inside m 1 m 1 m 1 m 1 IV IV k 1 e k 1 e k 1 e k 1 e k 2 d k 2 d k 2 d k 2 d k 1 e k 1 e c 1 c 1 More common alternative More dangerous (attacks!) than CBC on the inside k 1 e k 1 e c 1 c 1 Looks complicated but performs better, because two "half"-operations can be done in parallel Page 70

Characteristics of CBC What happens if an attacker changes a block, e.g. C 3? m 4 will be changed (when decrypted) in a predictable way m 3 will be changed in a "random" way Solution: attach a 32-bit CRC to the plaintext before encryption What happens if an attacker does some permutation of the c i? If the attacker knows m 1,..., m n and c 1,..., c n he can produce any new plaintext which is a permutation of m 1,..., m n (because d k (c i ) = m i c i-1 ) Solution: also compute a CRC before encryption The attacker could construct c π1,..., c πn plus the corresponding plaintext until the CRC fits Solution: only compute a longer CRC In practice, using a 64-bit CRC would suffice, only a Brute Force attack would be possible Page 71

Output Feedback Mode (OFB) Acts like a pseudo-random number generator Perform a XOR-operation on a message and a pseudo-random stream One-time pad Generation of a pseudo-random stream Cipher algorithm together with a shift register is used as random number generator For a block length of n < 64, only use the first n bits of the encrypted IV For each next pseudo-random number, discard the first n bits of IV and append the n bits used before Only IV must be transmitted k IV e discarded k IV' e discarded k IV'' e discarded m 1 m 2 m 3 c 1 c 2 c 3 Page 72

OFB - Simple Version Use an IV of the same length as the block length (= 64 bit) No part of the vector is discarded, each random number can be generated very easy without using a shift register: e k (IV), e k (e k (IV)), e k (e k (e k (IV))),... m 1 m 2 m 3 c 1 c 2 c 3 b 0 = IV b i = e k (b i-1 ) IV b 1 b 2 b 3 e e e encryption: c i = m i b i decryption: m i = c i b i k k k Page 73

Characteristics of OFB Advantages of OFB Random numbers b 0, b 1, b 2,... can be generated in advance No costly coding operation If some blocks of the message are garbled, only single blocks of the cipher text are also garbled Blocks of any length can be encoded (For example: blocks of length 8, i.e. one character) Disadvantage of OFB If a block is lost or inserted, the following message can't be decrypted (but the receiver could try to place a mask on the received message blocks in order to find insertions or deletions) An attacker who knows plaintext and cipher text, can obtain a string with which he could encrypt own messages OFB is an example of using a block cipher as synchronous stream cipher Page 74

Cipher Feedback Mode (CFB) Similar to OFB Encrypt an IV with the key k Use n bits of the encrypted string for a XOR-operation with n bits of plain text Difference to OFB n bits shifted in are taken from the cipher text of the previous block, not from IV the encrypted IV k e k e k e discarded discarded discarded m 1 m 2 m 3 c 1 c 2 c 3 Page 75

CFB - Simple Version Use an IV of the same length as the block length (= 64 bit) As in the simple OFB, no part of the vector is discarded More secure as CFB, because not only IV and e k influence a cipher block, but the previous cipher block, too m 1 m 2 m 3 c 1 c 2 c 3 c 0 = IV encryption: c i = m i e k (c i-1 ) decryption: m i = c i e k (c i-1 ) b 1 b 2 b 3 IV e e e k k k Page 76

Characteristics of CFB Advantages of CFB Errors in cipher text causes errors only in the next n plaintext blocks (CFB is selfresynchronising) Best suited for serial transmission of data, because lost or added words are only causing a short error CFB is more secure than OFB, because the cipher text is used for generating the random numbers No re-arrangement of blocks is possible Blocks of any length can be encoded (like in OFB) Disadvantage of CFB Random numbers cannot be computed in advance; each block of plaintext needs a DES operation - a lot of calculation Usage of CFB In general used for words of 8 bit CFB detects alterations better than OFB but not as well as CBC CFB is an example for using a block cipher as self-synchronising stream cipher Page 77

Message Integrity Code (MIC) Purpose: guarantee integrity of a message Use e.g. CBC to encrypt a message Use the last block of the cipher text as a message integrity code. This last block is called CBC residue Transmit the plaintext together with the MIC (as a kind of signature), don't transmit c 1,..., c r-1 m 1 m 2 m 3 m 4 m 5 m 6 IV e e e e e e k c 1 c 2 c 3 c 4 c 5 message integrity code Page 78

Guaranteeing Privacy and Integrity Privacy: encrypt message using CBC Integrity: use CBC residue as MIC Problem: how to guarantee integrity for a CBC-encoded message? Solution: use different keys for encryption and generation of the MIC: 1.) Use two independent keys 2a.) Only change one bit in the encryption key for generating the MIC 2b.) Generate the MIC key k 2 from the encryption key k 1 by k 2 = k 1 F0F0F0F0F0F0F0F0 16 (= 1111000011110000...11110000) This method preserves the key parity. It never changes a non-weak key into a weak key (as possible in 2a) This method is practised by KERBEROS V 3.) Compute a hash value h(m 1,..., m n ) of 128 or 192 bit Add it to the message, i.e. enhance it by 2 or 3 more blocks Encrypt the enhanced message with CBC Page 79

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback