1 / 41

Conventional Cryptography (Symmetric Ciphers)

Conventional Cryptography (Symmetric Ciphers). Outline. Stream Ciphers and Block Ciphers Confusion and Diffusion DES (Data Encryption Standard) Exhaustive Key Search Triple DES, DESX AES (Advanced Encryption Standard) Operation Modes. Symmetric Encryption.

vilina
Télécharger la présentation

Conventional Cryptography (Symmetric Ciphers)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Conventional Cryptography (Symmetric Ciphers) CPSC415 Biometrics and Cryptography

  2. Outline • Stream Ciphers and Block Ciphers • Confusion and Diffusion • DES (Data Encryption Standard) • Exhaustive Key Search • Triple DES, DESX • AES (Advanced Encryption Standard) • Operation Modes CPSC415 Biometrics and Cryptography

  3. Symmetric Encryption • or conventional / secret-key / single-key • sender and recipient share a common key • all classical encryption algorithms are private-key • was only type prior to invention of public-key in 1970’s CPSC415 Biometrics and Cryptography

  4. Symmetric Cipher Model CPSC415 Biometrics and Cryptography

  5. K K A-B A-B K (m) m = K ( ) A-B A-B Symmetric Key Cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K • e.g., key is knowing substitution pattern in mono alphabetic substitution cipher encryption algorithm decryption algorithm ciphertext plaintext plaintext message, m K (m) A-B A-B CPSC415 Biometrics and Cryptography

  6. Requirements • two requirements for secure use of symmetric encryption: • a strong encryption algorithm • a secret key known only to sender / receiver Y = EK(X) X = DK(Y) • assume encryption algorithm is known • implies a secure channel to distribute key CPSC415 Biometrics and Cryptography

  7. Cryptography • can characterize by: • type of encryption operations used • substitution / transposition / product • number of keys used • single-key or private / two-key or public • way in which plaintext is processed • block / stream CPSC415 Biometrics and Cryptography

  8. Symmetric Key Cryptosystems • Stream ciphers • Operate on the plaintext a single bit (or sometimes byte) at a time • Simple substitution • Poly-alphabetic substitution • Feedback Shift Register Sequences • e.g. SEAL, RC4 (used by WLAN IEEE 802.11 in WEP) • Block ciphers • Operate on the plaintext in groups of bits. The groups of bits are called blocks. • Typical block size is 64 bits or multiple of it • E.g. 128 bits, 256 bits. • DES, AES (Rijndael) • Others include IDEA, Blowfish, RC5, … • Different modes of operation CPSC415 Biometrics and Cryptography

  9. Properties that one would like to have in an encryption scheme • Easy to encrypt • Easy to decrypt • Provides fast encryption and decryption speed • Minimal bandwidth expansion • Generate diffusion and confusion (security) CPSC415 Biometrics and Cryptography

  10. Confusion and Diffusion • Shannon in 1948 introduced two concepts as basic building blocks for designing cryptographic systems • Diffusion: to obscure the statistical structure of the plaintext from the ciphertext. • By having each ciphertext digit be affected by more than one plaintext digit • In other words, to have the statistical structure of the plaintext be dissipated into long-range statistics of the ciphertext. • e.g. • where message M = m1, m2, … and a ciphertext letter yn is obtained by adding k successive plaintext (English) letters. • Confusion: to obscure the statistical dependence between the encryption key and the ciphertext • to thwart attempts to discover the key • simple linear substitution generates little confusion • This can be achieved by using complex substitution algorithms. CPSC415 Biometrics and Cryptography

  11. Block Ciphers Encrypt Message (n bits) Ciphertext (n bits) • An encryption algorithm that takes a fixed length block of message letters (plaintext) and a key (not necessarily the same length), and produces a block of ciphertext of the same length as the plaintext. • The key is reused for different plaintext blocks • Typical block sizes (value of n): 64 bits, 128 bits • Complex modes of operation are used in practice • Key sizes (value of k): 56 bits (DES), 128/192/256 bits (AES) secret key (k bits) CPSC415 Biometrics and Cryptography

  12. Common Block Cipher Design Approach message • Iterative cipher • start with a simple but useful function f • iterative f many rounds until it is “secure” • F: Feistel structure is quite common (e.g., DES) F F F ciphertext CPSC415 Biometrics and Cryptography

  13. repeat for several rounds Block of ciphertext Block Cipher Operation (Simplified) Block of plaintext Key S S S S Add some secret key bits to provide confusion S S S S Each S-box permutes its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext) S S S S Procedure must be reversible (for decryption) CPSC415 Biometrics and Cryptography

  14. Block Cipher Principles • needed since must be able to decrypt ciphertext to recover messages efficiently • block ciphers look like an extremely large substitution • instead create from smaller building blocks • using idea of a product cipher CPSC415 Biometrics and Cryptography

  15. Data Encryption Standard (DES) • DES was adopted as a US federal standard for commercial encryption in 1975. • Feistel Cipher: the fundamental building block of DES designed by IBM. • Design requirements: • must provide high level of security(commercial standard) • Security must not depend on secrecy of algorithm(Kerckhoff’s principle) • Must be easily and economically implemented CPSC415 Biometrics and Cryptography

  16. Overview of DES • C = DES (K, M) • Block size = 64 bits • Key size = 56 bits • Number of rounds = 16 • IP - Initial Permutation • IP-1 - The inverse of IP • f - A nonlinear function • Ki - Roundisubkey(48 bits) • Each Feistel block can be described as • Li = Ri-1 • Ri = Li-1 f (Ri-1, Ki) CPSC415 Biometrics and Cryptography

  17. The Initial Permutation How to read this table? The 58th bit of input x will be the 1st bit of outputIP(x), the 50th bit of x is the second bit ofIP(x), etc. • Do not affect security. • As far as anyone can tell, it makes things awkward for 1975-era general-purpose computers. • (DES predates 16-bit or 32-bit microprocessor busses) CPSC415 Biometrics and Cryptography

  18. Feistel Transformation Block • In Round i, • Separate message block into two 32-bit halves, Li and Ri • Introduce confusion by using a “complex” nonlinear function f • f has two inputs: Ri and a 48-bit round key, Ki • Introduce diffusion by “adding” Li and the output of f • DES(K, ·) is a sequence of Feistel transforms. Li+1 = Ri Ri+1 = Li f(Ri, Ki+1) Li-1 Ri-1 f  Ki+1 Li Ri CPSC415 Biometrics and Cryptography

  19. Nonlinear Function f in Feistel Transformation f(R, K) : (32 bits, 48 bits)  32 bits • expand R to 48 bits R’ using permutation and repetition • R’ XOR with K • subdivide the result into 8 blocks of 6 bits each • each 6-bit block goes through a S-box to produce 4 bits • permute the 32-bit string CPSC415 Biometrics and Cryptography

  20. Ri-1 Li 32 Expansion 48 Ki+1 48 48 6 6 6 6 6 6 6 6 S2 S3 S4 S5 S6 S7 S8 S1 4 4 4 4 4 4 4 4 32 Permutation 32 32 Li+1 Ri+1 CPSC415 Biometrics and Cryptography

  21. Expansion Permutation • Output bits 32, 1, 2, 3, 4, 5, then 4, 5 again, and so on. • For each output group of six bits (one row in the E table), the two outer bits select a row of a S-box, and the four bits in the middle chooses the substitution value. CPSC415 Biometrics and Cryptography

  22. S-box 1:Bit Bits 2, 3, 4, and 5 form: 1 6 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 1 0 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 1 1 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 The S-Box Substitution • There are eight S-boxes. • Each takes 6 bits to 4 bits. • Take the 6-bit input b1, b2, b3, b4, b5, b6 • Interpret b1 b6 as a row number, between 0 and 3. • Interpret b2 b3 b4 b5 as a column number, 0 through 15. CPSC415 Biometrics and Cryptography

  23. A Summary of One DES Round CPSC415 Biometrics and Cryptography

  24. DES Key Schedule(Subkey Generation) 8-byte key has 8 parity check bits 56-bit keyK Permutation P1 C0 D0 Each has 28 bits Number of shifts are dependent on i for each Ki Cyclic Shift Cyclic Shift C1 D1 56 Permutation P2 48 K1 CPSC415 Biometrics and Cryptography

  25. Security of DES • Avalanche Effect • Change in one input bit produces independent changes in at least two output bits • Bit Independence • No dependence on the changes of input bits with the changes of output bits • Number of rounds • 15 or fewer rounds make cryptanalytic attacks against reduced-round DES easier than brute force key search (which needs to try a total of 256 keys in the worst case) • Security of DES mainly relies on the nonlinearity of the f (i.e. the S-boxes) CPSC415 Biometrics and Cryptography

  26. DES Controversy • When DES was proposed as a standard in 1975, there was considerable criticism. • One objection to DES concerned the S-boxes: all computations in DES, with the exception of the S-boxes, are linear. The S-boxes, being the non-linear component of the cryptosystem, are vital to its security. However, the design criteria of the S-boxes are not completely known. • Due to the NSA collaboration, several people have suggested that the S-boxes might contain hidden “trapdoors” which would allow the NSA to decrypt messages while maintaining that DES is “secure”. It is of course, impossible to disprove such an assertion, but no evidence has come to light that indicates that trapdoors in DES do in fact exist. • The most pertinent criticism of DES is the reduction of key length from original 112-bits down to 56-bits. • The size of the keyspace, 256, is “too small” to be really secure. CPSC415 Biometrics and Cryptography

  27. Exhaustive Key Search • Given a plaintext x and corresponding ciphertext y, every possible key would be tested until a key K is found such that EK(x) = y Note: there may be more than one such key K. • Total number of keys = 256  7.21016 keys • Assume at a speed of 106 encryptions per second, it would need more than 1000 years to break DES. • Diffie and Hellman postulated in 1977 that a DES cracking machine with 106 processors, each could test 106 keys per second, could be built for about US$20M. • This machine could break DES in about 10 hours. CPSC415 Biometrics and Cryptography

  28. Exhaustive Key Search • In 1993, Michael Wiener presented a pipelined chip which does 16 encryptions simultaneously and tests 5107 DES keys per second. • Each chip could be built for US$10 using current technology. • A frame consisting of 5760 chips can be built for $100K. • In 1997, cost cut by a factor of 6 • Software version of DES cracking effort can be found at • http://www.distributed.net/des/ • Current Record: 22 hrs and 15 mins to break DES by distributed software cracking effort. CPSC415 Biometrics and Cryptography

  29. How to strengthen DES? CPSC415 Biometrics and Cryptography

  30. Triple DES and DESX C M DES DES-1 DES • Triple DES: two 56-bit keys • DESX: three 56-bit keys C = K3  DES(K2 , M  K1) K1 K2 K1 DES   C M K1 K2 K3 • Similar security to DES using differential cryptanalysis and linear cryptanalysis • But much harder to break using exhaustive key search than DES. CPSC415 Biometrics and Cryptography

  31. DES Replacements • The most popular DES replacements in US are RC2, RC4 and RC5. • The first two are used by SSL version 3. • The most popular DES replacement in Europe is IDEA • The most popular DES replacement in Japan is FEAL-N. • AES (Advanced Encryption Standard) is the ‘official’ replacement of DES. • The AES algorithm is called Rijndael. CPSC415 Biometrics and Cryptography

  32. Overview of Rijndael • Rijndael: the algorithm chosen for AES (Advanced Encryption Standard) • Both the key size and the block size may be chosen to be any of 128, 192, or 256 bits, although the AES only requires key size to be selectable in one of these lengths and the block size is fixed to be 128 bits long. • Number of rounds is a function of the block and key length: • 10 rounds if both the block and the key are 128 bits long; • 12 rounds if either the block or the key is 192 bits long, and neither of them is longer than that; • 14 rounds if either the block or the key is 256 bits long. • From their Web page: • If you’re Dutch, Flemish, Indonesian, Surinamer or South-African, it’s pronounced like you think it should be. Otherwise, you could pronounce it like “Reign Dahl”, “Rain Doll”, “Rhine Dahl”. We’re not picky. As long as you make it sound different from “Region Deal”. CPSC415 Biometrics and Cryptography

  33. Rijndael Round Function • Fully byte-oriented • good for both software and hardware implementations • Rijndael is composed of • An initial XOR step (AddRoundKey) • Regular round transformations (or rounds) • Final round • Each regular round involves four steps: • ByteSub • ShiftRow • MixColumn • AddRoundKey • The final round is a regular round but with MixColumn omitted. CPSC415 Biometrics and Cryptography

  34. The Round Transformation • ByteSub • Each byte of the data block is substituted according to values given in an S-Box. • ShiftRow • Rows (except first row) of the State are cyclic shifted left independently. • MixColumn • AddRoundKey • http://www.nist.gov/aes • http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ CPSC415 Biometrics and Cryptography

  35. Rijndael Wrap Up • The Rijndael algorithm is not a Feistel system • In a Feistel system, half of the bits are moved but not changed during each round. • In Rijndael, all bits are treated uniformly. This has the effect of diffusing the input bits faster. • It can be shown that two rounds are sufficient to obtain full diffusion, namely, each of the 128 output bits depends on each of the 128 input bits. • So far, there is no known attack beats brute force for seven or more rounds. It was felt that four extra rounds provide a large enough margin of safety. • Of course, the number of rounds could easily be increased if needed. CPSC415 Biometrics and Cryptography

  36. Operation Modes • How to encrypt a plaintext which is longer than the size of a cipher block? • E.g. Using AES to encrypt 1024-bit plaintext • How to encrypt a plaintext which is not a multiple of cipher block size? • E.g. Using AES to encryption 129-bit plaintext CPSC415 Biometrics and Cryptography

  37. M2 M1 Mt K K K DES DES DES Ct C1 C2 Electronic Codebook Mode (ECB) Ci = DES (K, Mi) • Each block is encoded independently using the same key • Padding is needed • Used to transmit fixed length messages, e.g. session key • One bit transmission error affects one cipher block • Repeated plaintext blocks produce the same cipher blocks • Not frequently used in practice • Why? CPSC415 Biometrics and Cryptography

  38. M1 M2 IV DES DES K K C2 C1 Cipher Block Chaining (CBC) • Goal: repeated plaintext blocks produce different ciphertext blocks Ci = DES(K, Mi  Ci-1) • Initiation vector (IV = C0) is used for randomization • Padding is required • If one bit of M1 is changed, all subsequent blocks will be affected • can be used for constructing a MAC – Message Authentication Code • Maintain IV secret to strengthen security of the system • Generally used for block oriented transmission CPSC415 Biometrics and Cryptography

  39. Counter Mode • Goal: to eliminate padding and error propagation • use block cipher as a pseudorandom bit generator • Encryption algorithm: • Encrypt a known string of numbers in ECB mode, producing a string of output blocks DES(K, Ii) • Compute Ci = Mi DES(K, Ii) • One bit transmission error spoils one bit only It I1 I2 K K K DES DES DES M2 Mt  M1   Ct C2 C1 CPSC415 Biometrics and Cryptography

  40. Comparison on Symmetric Encryption Algorithm CPSC415 Biometrics and Cryptography

  41. Problems with Symmetric Encryption • A single key must be shared in pairs of each sender and receiver. In a distributed environment with large numbers of combination pairs involved in many-to-one communication topology, it is difficult for the one recipient to keep so many keys in order to support all communication. • Key management: setting up and acquisition of the secret key. • The integrity of data can be compromised because the receiver cannot verify that the message has not been altered before receipt. • It is possible for the sender to repudiate the message because there are no mechanisms for the receiver to make sure that the message has been sent by the claimed sender. CPSC415 Biometrics and Cryptography

More Related