1 / 72

Chapter 3: Symmetric Key Crypto

Chapter 3: Symmetric Key Crypto. The chief forms of beauty are order and symmetry…  Aristotle. “You boil it in sawdust: you salt it in glue: You condense it with locusts and tape: Still keeping one principal object in view  To preserve its symmetrical shape.”

lblankenship
Télécharger la présentation

Chapter 3: Symmetric Key Crypto

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 3:Symmetric Key Crypto The chief forms of beauty are order and symmetry…  Aristotle “You boil it in sawdust: you salt it in glue: You condense it with locusts and tape: Still keeping one principal object in view  To preserve its symmetrical shape.”  Lewis Carroll, The Hunting of the Snark Part 1  Cryptography 1

  2. Symmetric Key Crypto • Stream cipher  generalize One-Time Pad (OTP) • Except that key is relatively short • Key is stretched into a long keystream • Keystream is used just like a One-Time Pad • Block cipher  generalized codebook • Block cipher key determines a codebook • Each key yields a different codebook • Employs both “confusion” and “diffusion” Part 1  Cryptography 2

  3. When & Where • For applications that require encryption/decryption of a stream of data, such as • over a data communications channel or a browser/Web link, a streamciphermight be the better alternative. • For applications that deal with blocks of data, such as • filetransfer, e-mail, and database, block ciphers may be more appropriate. • However, either type of cipher can be used in virtually any application.

  4. Stream Ciphers

  5. Stream Ciphers • Once upon a time, not so very long ago… stream ciphers were the king of crypto • Today, not as popular as block ciphers • We’ll discuss two Stream Cipher Algorithms: • A5/1 • Based on shift registers (LFSR) • Used in GSM mobile phone system • RC4 • Based on a changing lookup table • Used in many places (i.e. WEP, WPA) Part 1  Cryptography 5

  6. A5/1: Shift Registers • A5/1 uses 3 shift registers • X: 19bits(x0, x1, x2,… , x18) • Y: 22bits(y0, y1, y2,… , y21) • Z: 23bits(z0, z1, z2,… , z22) Part 1  Cryptography 6

  7. A5/1: Keystream • At each iteration:m = maj(x8, y10, z10) • Examples: maj(0,1,0) = 0and maj(1,1,0) = 1 • If x8 = mthen Xsteps(shifts as follows) • t = x13 x16  x17  x18 #predefined set of bits in X • xi = xi1 for i = 18, 17, … , 1 and thenx0= t • If y10 = mthen Ysteps • t = y20 y21#predefined set of bits in Y • yi= yi1 for i = 21, 20, … , 1and theny0=t • If z10 = mthen Zsteps • t = z7 z20  z21  z22 #predefined set of bits in Z • zi = zi1 for i = 22, 21, … , 1and thenz0= t • Finally, Keystreambitis the result of: x18  y21 z22 Key Part 1  Cryptography 7

  8. A5/1 X steps • Each variable here is a single bit • Key is used as initial fill of registers • Each register steps (or not) based on maj(x8, y10, z10) • Keystreambit is the XOR of rightmost bits of registers  Keystream bit Y  steps  Z  steps Part 1  Cryptography 8

  9. A5/1 x8 x18 X steps  • In this example, m = maj(x8, y10, z10) = maj(1,0,1) = 1 • Register X steps, Ydoes not step, and Z steps • Keystream bit is XOR of right bits of registers • S = x18  y21z22 • Here, the new keystreambitwill be the result of: 0  1  0 = 1 y10 y21 Y  steps  z10 z22 Z  steps Part 1  Cryptography 9

  10. Shift Register Crypto • Shift register cryptoefficientin hardware • Often, slowif implemented in software • In the past, very, very popular • Today, more is done in software due to fast processors • Shift register crypto still used in some applications • Especially in resource-constrained devices Part 1  Cryptography 10

  11. RC4 • RC4 is a stream cipher (by Ron Rivest for RSA Security) • It is a variable-key-sizestream cipher with byte-orientedoperations; based on the use of a random permutation • It is used in the SSL/TLS (Secure Sockets Layer/Transport Layer Security) standards • It is also used in the WEP (Wired Equivalent Privacy) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE 802.11 wireless LAN standard • The RC4 algorithm: • A variable length key: from 1 to 256bytes (8 to 2048bits) is used to initialize a 256-byte state vector S, with elements S[0], S[1], . . . , S[255] • At all times, Scontains a permutation of all 8-bit numbers from 0 through 255 • For encryption and decryption, a byte kis generated from Sby selecting one of the 255entries in a systematicfashion • As each value of kis generated, the entries in Sare once againpermuted Part 1  Cryptography 11

  12. RC4 • A self-modifying lookup table • Table always contains a permutation of the byte values 0,1,…, 255 • Initialize the permutation using Key • At each step, RC4 does the following • Swaps elements in current lookup table • Selects a keystreambytefrom table • Each step of RC4 produces a byte • Efficient in software • Each step of A5/1 produces only a bit • Efficient in hardware Part 1  Cryptography 12

  13. RC4 Initialization • S[] is permutation of 0, 1, ... , 255 • K[] contains Nbytes of key # Initialization for i = 0 to 255 S[i] = i T[i] = K [imod N] #N is the key length next i # Initial Permutation of S j = 0 for i = 0 to 255 j = (j + S[i] + T[i]) mod 256 swap(S[i], S[j]) nexti i = j = 0 # Initialization for i = 0 to 255 S[i] = i T[i] = K [i mod N] #N is the key length next i # Initial Permutation of S j = 0 for i = 0 to 255 j = (j + S[i] + T[i]) mod 256 swap(S[i], S[j]) next i i= j = 0 Part 1  Cryptography 13

  14. RC4 Keystream • At each step, swap elements in table and selectkeystream byte i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap(S[i], S[j]) t = (S[i] + S[j]) mod 256 keystreamByte = S[t] • Use keystream bytes like a One-Time Pad • To encrypt, XOR the value keystreamBytewith the next byte of plaintext. • To decrypt, XOR the value keystreamBytewith the next byte of ciphertext. • Note:first 256 bytes should be discarded • Otherwise, related key attack exists /* Stream Generation */ i, j = 0 while (True) i = (i + 1) mod 256 j = (j + S[i]) mod 256 Swap (S[i], S[j]) t = (S[i] + S[j]) mod 256 keystreamByte= S[t] Part 1  Cryptography 14

  15. Byte S[256] is permutation of 0,1,...,255 Byte K[N] contains Nbytes of key

  16. Stream Ciphers: Summary • Stream ciphers were popular in the past • Efficient in hardware • Speed was needed to keep up with voice, etc. • Today, processors are fast, so software-based crypto is usually more than fast enough • Future of stream ciphers? • Shamir declared “the death of stream ciphers” • May be greatly exaggerated… Part 1  Cryptography 17

  17. Block Ciphers Part 1  Cryptography 18

  18. (Iterated) Block Cipher • The design goals for block ciphers are security and efficiency. • Plaintextand ciphertext consist of fixed-sizedblocks • Ciphertext obtained from plaintext by iterating a round function • Input to round function consists of: • key and output of previousround • Usually implemented in software Part 1  Cryptography 19

  19. Feistel Cipher: Encryption • Feistel cipher is a type of symmetric structure used in block cipher • General cipher design principle, not a specific cipher • named after the German IBM cryptographer Horst Feistel • In a Feistelcipher, Splitplaintextblock into left and right halves: P = (L0,R0) • And for each roundi = 1, 2, ..., n, compute Li = Ri1 Ri= Li1 F(Ri1,Ki) where F is round functionand Ki is subkeyfor round i. The subkey is derived from the key K according to a specified keyschedule algorithm? • Ciphertext: C = (Ln,Rn) Part 1  Cryptography 20

  20. Feistel Cipher: Decryption • Start with ciphertext C = (Ln,Rn) • For each round i = n, n1, …, 1, compute Ri1= Li Li1= Ri F(Ri1,Ki) where Fis the round functionand Ki is subkey • The final result of this decryption process is the Plaintext: P = (L0,R0) • Decryption works for any function F • But only secure for certain functions F Part 1  Cryptography 21

  21. DES: Data Encryption Standard • DES(an example of a FeistelCipher) developed in 1970’s • Based on IBM’s Lucifer cipher • Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feisteland his colleagues at IBM. Luciferuses a combination of Transposition and Substitution crypting as a starting point in decoding ciphers. • DES was a U.S. government standard • Development of DES was controversial • The U.S. National Security Agency (NSA) secretly involved • Design process was secret • Key length reduced from 128 to 56 bits • Subtle changes to Lucifer algorithm Part 1  Cryptography 22

  22. DES Numerology • DES is a Feistelcipher with… • 64 bit block length • 56 bit key length • 16 rounds • 48 bits of key used in each round (subkey) • Round function is simple (for block cipher) • Security depends heavily on the “S-boxes” • In DES, each S-boxmaps6 bits to 4 bits, and DES employs eight distinctS-boxes. • The S-boxes, taken together, map 48bits to 32 bits. • The same S-boxes are used at each round of DES and eachS-box is implemented as a lookup table. Part 1  Cryptography 23

  23. One Round of DES key L R 32 28 28 The round function F is the composition of the expansion permutation, addition (XORing) of subkey, S-boxes, andP-box expand shift shift 48 32 28 28 Ki  compress 48 48 S-boxes 28 28 32 P box 32 32  32 key L R F(Ri-1, Ki) = P-box(S-boxes(Expand(Ri-1)  Ki))

  24. DES Example • The expansion permutation expands its input from32to48 bits, and the subkeyis XORed with the result. • The S-boxes then compress these 48bits down to 32 bits before the result is passed through the P-box. • The P-box output is XORed with the old left half to obtain the new right half. It's important to keep in mind and realize that the overall structure of DES is actually fairly simple. • In fact, some of the DES operations are of no security benefit whatsoever, and if these were stripped away to reveal the essential security features, the algorithm becomes even simpler. Convention: bits are numbered from left to right, beginning with the index 0

  25. DES: 1.Expansion Permutation The expansion permutation expands its input from 32 to 48 bits, and the subkey is XORed with the result. • Input 32 bits 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 • Output 48 bits 31 0 1 2 3 4 3 4 5 6 7 8 7 8 9 10 11 12 11 12 13 14 15 16 15 16 17 18 19 20 19 20 21 22 23 24 23 24 25 26 27 28 27 28 29 30 31 0 Part 1  Cryptography 26

  26. DES: 2. S-box • The S-boxes then compress these 48bits down to 32 bits before the result is passed through the P-box. • each S-box can be viewed as an array of 4 rows and 16 columns, with one nibble (4-bit value) stored in each of the 64positions • Each rowis a permutation of the hexadecimal digits 0,1,2,... ,E,F.

  27. DES: 2. S-box • DES has 8 different “substitution boxes” or S-boxes • Each S-box maps 6 bits to 4 bits • Here is S-box number 1 input bits (0,5)  input bits (1,2,3,4) | 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 ------------------------------------------------------------------------------------ 00 | 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111 01 | 0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000 10 | 0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 0000 11 | 1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101 6 bits: b0b1b2b3b4b5 b0b6 b1b2b3b4 Part 1  Cryptography 28

  28. DES: 3. P-box The P-box output is XORed with the old left half to obtain the new right half. • Input 32 bits 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 • Output 32 bits 15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9 1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24 Part 1  Cryptography 29

  29. DES Last Word (Almost) • An initial permutation before round 1 • Halves are swapped after last round • A final permutation (inverse of initial perm) applied to (R16,L16) • None of this serves any security purpose Part 1  Cryptography 30

  30. Security of DES • Security depends heavily on S-boxes (8 of them) • Everything else in DES is linear • 35+ years of intense analysis has revealednoback door • Attacks, essentially exhaustive key search • 256 possible keys  ? • Inescapable Conclusions • Designers of DES knew what they were doing • Designers of DES were way ahead of their time (at least w.r.t. certain cryptanalytic techniques) Part 1  Cryptography 31

  31. Block Cipher Notation • P =plaintext block • C =ciphertext block • EncryptP with key K to get ciphertextC • C = E(P, K) • DecryptC with key K to get plaintextP • P = D(C, K) • Note: P = D( E(P,K),K ) and C = E( D(C,K),K ) ButP  D( E(P, K1), K2 ) and C  E( D(C, K1), K2 ) when K1 K2 Part 1  Cryptography 32

  32. DES vs. Double DES vs. 3DES K1 K2 K Key Space: 256 P E X E C P E C Double DES or 2DES DES Key Space: 256 X 256 K1 K1 K2 K2 K1 K3 Key Space: 256 X 256 X 256 D P P E E X1 X1 E X2 X2 E E C C Triple DES or 3DES Triple DES or 3DES, also Key Space: 256 X 256

  33. Meet In The Middle (MITM) Attack K1 K2 K1 K2 P C D E X X D E P C • Double DES (2DES) is supposed to give 112-bit key length. • E( E(P,K1), K2 ) and D( D(P,K1), K2 ) • 256 * 256 = 2112,key space (possible keys) • Instead, attackers may end up trying 257, how come? • Thus, double encryption is not that significant in terms of added security, but why? Double DES: Decryption Double DES: Encryption

  34. 2DES • Why not C = E( E(P,K), K ) instead? • Trick question still just 56 bit key • Why not C = E( E(P,K1), K2 ) instead? • A (semi-practical) known plaintext attack (MITM) • Pre-compute table of X1= E(P, K1) for every possible key K1 (resulting table has 256entries, storage?) • Then for each possible K2 compute X2 = D(C,K2) until a match in table is found • Find when X1 == X2and use it to infer the keys • When match is found, have E(P,K1) = D(C,K2) • Result gives us keys: C = E( E(P,K1),K2) Part 1  Cryptography 35

  35. Triple DES • Today, 56-bitDES key is too small • Exhaustive key search is feasible • 2DES is not secure enough (almost similar to Single DES) • But DES is everywhere, so what to do? • Triple DES or 3DES (112-bit key or 168-bit, large enough) • C = E( D( E(P, K1), K2), K1) • P = D( E( D(C, K1), K2), K1) • Why Encrypt-Decrypt-Encryptwith 2 keys? • Backward compatible:E( D( E(P,K), K), K) = E(P, K) • and 112 is a lot of bits Part 1  Cryptography 36

  36. AES: Advanced Encryption Standard • Replacement for DES • AES competition (late 90’s) • U.S. NSA openly involved • Transparent selection process • Many strong algorithms proposed • RijndaelAlgorithm ultimately selected (pronounced like “Rain Doll” or “Rhine Doll”) • Iterated block cipher (like DES) • Not a Feistelcipher (unlike DES) Part 1  Cryptography 37

  37. AES: Executive Summary • Block size:128 bits (others in Rijndael) • Key length:128, 192 or 256 bits • independent of block size in Rijndael • 10to 14rounds (depends on key length) • Each round uses 4 functions (3“layers”) • ByteSub: nonlinear layer • ShiftRow: linear mixing layer • MixColumn: nonlinear layer • AddRoundKey: key addition layer Part 1  Cryptography 38

  38. AES: 1. ByteSub • Treat 128bit block as 4x4 byte array • The ByteSub operation is applied to each byte aij, that isbij= ByteSub(ajj). The result is the array of bij as illustrated below: • ByteSub is AES’s equivalent to the DES “S-boxes” • Can be viewed as nonlinear (but invertible) composition of two math operations; simply as a lookup table Part 1  Cryptography 39

  39. AES: 1. ByteSub ByteSub(3c) = ebsince eb appears in row 3 and column c Last 4 bits of input First 4 bits of input Part 1  Cryptography 40

  40. AES:2. ShiftRow • Cyclic shift rows • The ShiftRow operation is a cyclic shift of the bytes in each row of the 4 x 4 byte array. This operation is given by • firstrow doesn't shift, • secondrow circular left-shifts by one byte, • thirdrow left-shifts by two bytes, and • lastrow left-shifts threebytes. • Note: ShiftRowis inverted, simply shifting in the opposite direction. Part 1  Cryptography 41

  41. AES:3. MixColumn • Invertible, linear operation applied to each column • the MixColumn operation is applied to each column of the4 x 4 byte array • MixColumn consists of shift and XOR operations, and it's most efficiently implemented as a (big) lookup table. • The overall operation is nonlinear but invertible, and, as with ByteSub, it serves a similar purpose as the DES S-boxes Part 1  Cryptography 42

  42. AES:4. AddRoundKey • XORsubkey with block • RoundKey (subkey) determined by key schedulealgorithm • Key schedule algorithm is used to generate a subkey for each round. Let kijbe the 4 x 4 subkey array for a particular round. Then the subkey is XORed with the current 4 x 4 byte array aij. Block Subkey Part 1  Cryptography 43

  43. AES:Decryption • To decrypt, process must be invertible • Inverse of MixAddRoundKey is easy, since “”is its own inverse • MixColumn is invertible (inverse is also implemented as a lookup table) • Inverse of ShiftRow is easy (cyclic shift the other direction) • ByteSub is invertible (inverse is also implemented as a lookup table) Part 1  Cryptography 44

  44. AES Summary • AES has both excellent confusion and diffusion • Look-up tables: non-linear, good at destroying patterns(confusion) • Diffusionstage spreads every part of the input to the output: • changing one bit of input changes half the output bits on average • The MixColumns operation along with the ShiftRows step, is the primary source of diffusion • Both confusion and diffusion are repeated multiple times for each input to increase the amount of scrambling • The secret key is mixed at every stage so that an attacker cannot pre-calculate what the cipher does. • None of this would happen if you used a simple one-stage scramble based on a key.

  45. A Few Other Block Ciphers • Briefly… • IDEA • Blowfish • RC6 • More detailed… • TEA Part 1  Cryptography 46

  46. Block Cipher Modes • Using a stream cipher is easy—you generate a keystream that is the same length as the plaintext (or ciphertext) and XOR. • Using a block cipher is also easy, provided that you have exactly one block to encrypt. • But how should multiple blocks be encryptedwith a block cipher? • It turns out that the answer is not as straightforward as it might seem. Part 1  Cryptography 47

  47. Multiple Blocks • How to encrypt multiple blocks? • Do we need a new key for each block? • If so, as impractical as a One-Time Pad! • Encrypt each block independently? • Is there any analog of codebook “additive”? • What about partial blocks, how to handle them? • What about Padding or CFC Part 1  Cryptography 48

  48. Block Cipher: Modes of Operation • Many modes  we discuss 3 most popular • Electronic Codebook (ECB) mode • Encrypt each block independently • Most obvious approach, but a bad idea • Cipher Block Chaining (CBC) mode • Chain the blocks together • More secure than ECB, virtually no extra work • Counter Mode (CTR) mode • Block ciphers acts like a stream cipher • Popular for random access Part 1  Cryptography 49

  49. ECB:Electronic Codebook Mode • Notation: C = E(P,K) • Given plaintextP0, P1, …, Pm, … • Most obvious way to use a ECB block cipher: EncryptDecrypt C0 = E(P0, K) P0 = D(C0, K) C1 = E(P1, K) P1 = D(C1, K) C2 = E(P2, K) …P2 = D(C2, K) … • For fixed key K, this is “electronic” version of a codebook cipher (without additive) • With a different codebook for each key Part 1  Cryptography 50

More Related