Lecture 4: Symmetric Key Encryption
CS6903: Modern Cryptography, Spring 2009
Nitesh Saxena

2/20/2009 Lecture 1 - Introduction

Let's use the board, please take notes.
Data Encryption Standard (DES)
Encrypts by a series of substitutions and transpositions.
Based on the Feistel structure.
Worldwide standard for more than 20 years.
Has a history of controversy.
Designed by IBM (Lucifer) with later help (interference?) from NSA.
No longer considered secure for highly sensitive applications.
Replacement standard AES (Advanced Encryption Standard) recently completed.

DES - Overview
[Figure: DES overview]
DES - Each iteration
[Figure: one iteration (round) of DES]

Function F
[Figure: the round function F]
Operation Tables of DES (Key Schedule, PC-1, PC-2)
[Figure: key schedule, PC-1 and PC-2 tables]
Operation Tables (IP, IP^-1, E and P)
[Figure: IP, IP^-1, E and P tables]

S-boxes: S1

      0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00     14    4   13    1    2   15   11    8    3   10    6   12    5    9    0    7
01      0   15    7    4   14    2   13    1   10    6   12   11    9    5    3    8
10      4    1   14    8   13    6    2   11   15   12    9    7    3   10    5    0
11     15   12    8    2    4    9    1    7    5   11    3   14   10    0    6   13

S(b1b2b3b4b5b6): Sj is the table entry from
row: b1b2
column: b3b4b5b6
S(011001) = 6 (decimal) = 0110
DES Decryption
Same as the encryption algorithm with the reversed key schedule. NEXT!

[Figure: DES encryption. Plaintext x -> initial permutation (IP) -> L0, R0 -> Round 1 (key K1) -> Rounds 2-15 -> Round 16 (key K16) -> swap -> IP inverse -> ciphertext y]
[Figure: the last encryption round (Round 16, key K16, then IP inverse giving ciphertext y) shown next to the first decryption round (IP, then Round 1 with key K16). The F(., K16) term applied during encryption is applied again during decryption and cancels, recovering L15.]
Since b XOR b = 0 and b XOR 0 = b.

DES Security
S-box design not well understood (secret).
Has survived some recent sophisticated attacks (differential cryptanalysis).
Key is too short. Hence DES is vulnerable to brute force attack.
1998 distributed attack took 3 months.
$1,000,000 machine will crack DES in 35 minutes (1997 estimate). $10,000: 2.5 days.
DES Cracking machine
[Figure: DES cracking machine]

Super-encryption
If key length is a concern, then instead of encrypting once, encrypt twice!!
C = E_K2(E_K1(P))
P = D_K1(D_K2(C))
Does this result in a larger key space?
Encrypting with multiple keys is known as super-encryption.
May not always be a good idea.
Double DES
Encryption: P -> E (K1) -> X -> E (K2) -> C
Decryption: C -> D (K2) -> X -> D (K1) -> P
Double DES is almost as easy to break as single DES (needs more memory though)!

Double DES Meet-in-the-middle Attack (due to Diffie-Hellman)
Based on the observation that, if C = E_K2(E_K1(P)), then X = E_K1(P) = D_K2(C).
Given a known (P, C) pair, encrypt P with all possible values of K and store the results in table T.
Next, decrypt C with all possible keys and check each result against the table.
If a match occurs, then check the key pair with a new known (P, C) pair. If a match occurs, you have found the keys. Else continue as before.
Process will terminate successfully.
Meet-in-the-middle Explanation
The first match does not say anything, as we have 2^64 ciphertexts and 2^112 keys.
On the average 2^112 / 2^64 = 2^48 keys will produce the same ciphertext.
So there could be 2^48 possible candidates.
We can use a second pair (P', C').
So, the probability that a false alarm will survive two known (P, C) pairs is 2^48 / 2^64 = 2^-16.
One can always check a third pair to further reduce the chance of a false alarm.

Triple DES
Encryption: P -> E (K1) -> A -> D (K2) -> B -> E (K1) -> C
Decryption: C -> D (K1) -> B -> E (K2) -> A -> D (K1) -> P
Triple DES (2 keys) requires 2^112 search. Is reasonably secure.
3 keys requires 2^112.
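Added example (not part of the original slides): the meet-in-the-middle search and the false-alarm arithmetic above, run in Python against a toy 16-bit Feistel cipher with 12-bit keys in place of DES, which shows why the second key adds so little strength. The toy cipher, its SHA-256 round function, and the key and plaintext values are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

KEY_BITS = 12   # toy key size (DES: 56); the block is 16 bits (DES: 64)

def _f(half, key, rnd):
    # Toy round function (assumption): first byte of SHA-256 over (round, key, half).
    return hashlib.sha256(bytes([rnd, key >> 8, key & 0xFF, half])).digest()[0]

def _feistel(key, block, rounds):
    l, r = block >> 8, block & 0xFF
    for rnd in rounds:
        l, r = r, l ^ _f(r, key, rnd)
    return (r << 8) | l          # final swap of the halves, as in DES

def encrypt(key, block):
    return _feistel(key, block, range(4))

def decrypt(key, block):
    # Same algorithm with the round order (key schedule) reversed.
    return _feistel(key, block, reversed(range(4)))

def double_encrypt(k1, k2, p):
    return encrypt(k2, encrypt(k1, p))     # C = E_K2(E_K1(P))

def meet_in_the_middle(pairs):
    """Return (candidates after the first pair, candidates after all pairs)."""
    (p, c), rest = pairs[0], pairs[1:]
    table = defaultdict(list)              # table T: X = E_K1(P) -> [K1, ...]
    for k1 in range(1 << KEY_BITS):
        table[encrypt(k1, p)].append(k1)
    # A match means E_K1(P) = X = D_K2(C) for this (K1, K2).
    first = [(k1, k2) for k2 in range(1 << KEY_BITS)
             for k1 in table.get(decrypt(k2, c), ())]
    # False alarms are filtered out with the remaining known pairs.
    survivors = [(k1, k2) for k1, k2 in first
                 if all(double_encrypt(k1, k2, q) == d for q, d in rest)]
    return first, survivors

# Constructed sample: a secret key pair and two known (P, C) pairs.
SECRET = (0x3A7, 0xC15)
PAIRS = [(p, double_encrypt(*SECRET, p)) for p in (0x1234, 0xBEEF)]

if __name__ == "__main__":
    first, survivors = meet_in_the_middle(PAIRS)
    # Expect about 2^24 / 2^16 = 2^8 false alarms after one pair.
    print(len(first), "candidates after one pair;", len(survivors), "after two")
    print("work: 2 *", 1 << KEY_BITS, "cipher calls instead of", 1 << 2 * KEY_BITS)
```

With these toy sizes the slide's 2^112 / 2^64 = 2^48 becomes 2^24 / 2^16 = 2^8, so a few hundred candidates are expected after the first pair and the second pair removes nearly all of them.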
Encryption modes
Electronic Code Book (ECB)
Cipher Block Chain (CBC)

Electronic Code Book (ECB) Mode
Although DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode.
[Figure: ECB mode. At Time = 1, 2, ..., N the plaintext blocks P1, P2, ..., PN are each encrypted separately to C1, C2, ..., CN; decryption turns C1, C2, ..., CN back into P1, P2, ..., PN block by block.]
If the same key is used, then identical plaintext blocks map to identical ciphertext.
Cipher Block Chain (CBC) Mode
[Figure: CBC mode. At Time = 1 the block P1 is combined (+) with the IV and encrypted to give C1; at Time = 2, ..., N each block is combined (+) with the previous ciphertext block (CN-1 for PN) before encryption. For decryption each block C1, C2, ..., CN is decrypted and combined (+) with the IV (first block) or the previous ciphertext block (CN-1 for CN) to give P1, P2, ..., PN.]

Today's Reading
http://www-cse.ucsd.edu/users/mihir/cse207/w-se.pdf
http://www-cse.ucsd.edu/users/mihir/cse207/w-bc.pdf