1 / 92

Chapter 3 Symmetric Key Crypto

Chapter 3 Symmetric Key Crypto. Stream Ciphers Block Ciphers Block Cipher Modes Integrity. Symmetric Key Crypto. Stream cipher  like a one-time pad Key is relatively short Key is stretched into a long keystream Keystream is then used like a one-time pad except provable security

wyome
Télécharger la présentation

Chapter 3 Symmetric Key Crypto

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 3Symmetric Key Crypto Stream Ciphers Block Ciphers Block Cipher Modes Integrity Chapter 3 Symmetric Key Crypto

  2. Symmetric Key Crypto • Stream cipher like a one-time pad • Key is relatively short • Key is stretched into a long keystream • Keystream is then used like a one-time pad except provable security • Employ confusion only Chapter 3 Symmetric Key Crypto

  3. Symmetric Key Crypto • Examples of Stream cipher • A5/1: employed GSM cell phones • Representative stream cipher based in H/W • RC4: used SSL protocol • Almost unique stream cipher since efficiently implemented in S/W Chapter 3 Symmetric Key Crypto

  4. Symmetric Key Crypto • Block cipher  based on codebook concept • Block cipher key determines a “electronic” codebook • Each key yields a different codebook • Employ both “confusion” and “diffusion” Chapter 3 Symmetric Key Crypto

  5. Symmetric Key Crypto • Examples of Block cipher • Data Encryption Stantard(DES): relatively simple, • Advanced Encryption STD(AES) • International Data Encrytption Alg.(IEDA) • Blowfish, • RC6 • Tiny Encryption Algorithm Chapter 3 Symmetric Key Crypto

  6. Symmetric Key Crypto • Mode of Operation of block cipher • Examples of block cipher mode Op • Electronic codebook (EOB) • Cipher-block chaining (CBC) • Cipher feedback (CFB) • Output feedback (OFB) • Counter (CTR) • Data integrity of block cipher • Message Authentication code (MAC) Chapter 3 Symmetric Key Crypto

  7. Symmetric Key Crypto • Goal of this section • Introduce symmetric ciphers • Understand their inner working and uses • Focus more on the “how” than the “why” • To understand :”why” -> need to understand cryptanalysis(Chapter 6) Chapter 3 Symmetric Key Crypto

  8. Stream Ciphers Chapter 3 Symmetric Key Crypto

  9. Stream Ciphers • Not as popular today as block ciphers • Key K of n bits stretches it into a long keystream • Function of stream cipher • StreamCipher(K) = S where K:key, S:keystream • S is used like a one-time pad • c0 = p0  s0, c1 = p1  s1, c2 = p2  s2, … • p0 = c0  s0, p1 = c1  s1, p2 = c2  s2, … • Sender and receiver have same stream cipher algorithm and both know the key K Chapter 3 Symmetric Key Crypto

  10. Stream Ciphers • We’ll discuss two examples • A5/1 • Based on linear feedback shift registers • Used in GSM mobile phone system • A5/1 is used in Europe and the United States; • A5/2, is used in countries that are not considered trustworthy enough to have strong crypto. • RC4 • Based on a changing lookup table • Used many places – SSL Chapter 3 Symmetric Key Crypto

  11. A5/1 Chapter 3 Symmetric Key Crypto

  12. A5/1 • A5/1 is Representative stream cipher based in H/W • Consists of 3 Linear feedback shift registers • X: 19 bits (x0, x1, x2,…, x18) • Y: 22 bits (y0, y1, y2,………, y21) • Z: 23 bits (z0, z1, z2,………….,z22) • X+Y+Z = 64 bits Chapter 3 Symmetric Key Crypto

  13. A5/1 • At each step: m = maj(x8, y10, z10) • Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1 • If x8 = m then X steps • t = x13 x16  x17  x18 • xi = xi1 for i = 18, 17, …, 1 and x0 = t • If y10 = m then Y steps • t = y20 y21 • yi = yi1 for i = 21, 20, …, 1 and y0 =t • If z10 = m then Z steps • t = z7 z20  z21  z22 • zi = zi1 for i = 22, 21, …, 1 and z0 = t • Keystream bit is x18 y21  z22 Chapter 3 Symmetric Key Crypto

  14. A5/1 X • Each value is a single bit • Key is used as initial fill of registers • Each register steps or not, based on (x8, y10, z10) • Keystream bit is XOR of right bits of registers  Y   Z  Chapter 3 Symmetric Key Crypto

  15. From Wikipedia Chapter 3 Symmetric Key Crypto

  16. A5/1 Example X • In this example, m = maj(x8, y10, z10)= maj(1,0,1) = 1 • Register X steps, Y does not step, and Z steps • Keystream bit is XOR of right bits of registers • Here, keystream bit will be 0  1  0 = 1  Y   Z  Chapter 3 Symmetric Key Crypto

  17. RC4 Chapter 3 Symmetric Key Crypto

  18. RC4 • RC4 Optimized for software implementation, whereas A5/1 for hardware • RC4 produces a keystream BYTE at each step, whereas A5/1 only produce a single keystream bit Chapter 3 Symmetric Key Crypto

  19. RC4 • RC4 is remarkably simple • Because it is essentially just lookup table containing permutation of the 256(28)-byte values • Each time a byte of keystream is produced, the lookup table is modified in such a way that the table always contains a permutation of {0,1,2,…256} Chapter 3 Symmetric Key Crypto

  20. RC4 Initialization • S[] is permutation of 0,1,…,255 • key[] contains N bytes of key for i = 0 to 255 S[i] = i K[i] = key[i (mod N)] next i j = 0 for i = 0 to 255 j = (j + S[i] + K[i]) mod 256 swap(S[i], S[j]) next j i = j = 0 • The first phase - initialize the lookup table using key • Key: key[i] for i=0,1,…,N-1 where key[i] is a byte • Lookup table: S[i] is a byte • Key can be any length 0 to 256 bytes • Key is only use to initialize the permutation S Chapter 3 Symmetric Key Crypto

  21. RC4 Keystream • The next phase – each keystream byte is generated accordingthe following algorithm i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap(S[i], S[j]) t = (S[i] + S[j]) mod 256 keystreamByte = S[t] • Use keystream bytes like a one-time pad • Note: first 256 bytes must be discarded • Otherwise attacker may be able to recover key Chapter 3 Symmetric Key Crypto

  22. Stream Ciphers • Stream ciphers were big in the past • Efficient in hardware • Speed needed to keep up with voice, etc. • Today, processors are fast, so software-based crypto is fast enough • Future of stream ciphers? • Shamir: “the death of stream ciphers” • May be exaggerated… Chapter 3 Symmetric Key Crypto

  23. How secure is stream cipher? • Stream cipher is based on the one-time pad. • The security of the stream cipher depends entirely on the keystream generator. • If the key stream generator make an endless real bits, the cipher is provably secure like the one-time pad. Chapter 3 Symmetric Key Crypto

  24. Block Ciphers Chapter 3 Symmetric Key Crypto

  25. Block Cipher • Plaintext and ciphertext consists of fixed sized blocks • Design goal: security and efficiency • It is not easy to design a block cipher that is secure and efficient Chapter 3 Symmetric Key Crypto

  26. (Iterated) Block Cipher • Ciphertext obtained from plaintext by iterating a round function • Input to round function consists of key and the output of previous round • Usually implemented in software • Typical Type is Feistel Cipher Chapter 3 Symmetric Key Crypto

  27. Feistel Cipher • Feistel cipher refers to a type of block cipher design, not a specific cipher • Split plaintext block into left and right halves: Plaintext = (L0,R0) • For each round i=1,2,...,n, compute Li= Ri1 Ri= Li1 F(Ri1,Ki) where F is round functionand Ki is subkey • Ciphertext = (Ln,Rn) Chapter 3 Symmetric Key Crypto

  28. Feistel Cipher • Decryption: Ciphertext = (Ln,Rn) • For each round i=n,n1,…,1, compute Ri1 = Li Li1 = Ri F(Ri1,Ki) where F is round functionand Ki is subkey • Plaintext = (L0,R0) • Formula “works” for any function F • But only secure for certain functions F • Ex: F(Ri-1, Ki) = 0 for all Ri-1 and Ki -> not secure Chapter 3 Symmetric Key Crypto

  29. Data Encryption Standard Chapter 3 Symmetric Key Crypto

  30. Data Encryption Standard • DES developed in 1970’s • Based on IBM Lucifer cipher • U.S. government standard • DES development was controversial • NSA was secretly involved • Design process not open • Key length was reduced • Subtle changes to Lucifer algorithm Chapter 3 Symmetric Key Crypto

  31. National Security Agency/Central Security Service Chapter 3 Symmetric Key Crypto

  32. DES Numerology • DES is a Feistel cipher • 64 bit block length • 56 bit key length • 16 rounds • 48 bits of key used each round (subkey) • Each round is simple (for a block cipher) • Security depends primarily on “S-boxes” • Each S-boxes maps 6 bits to 4 bits • Total 8 S-boxes Chapter 3 Symmetric Key Crypto

  33. One Round of DES L R key 28 28 32 32 L R expand 28 28 48 48 Compress 48 S-boxes(8) 28 32 28 P Box 32 32 32 key R L Next Slide Chapter 3 Symmetric Key Crypto

  34. DES Expansion Permutation • Input 32 bits • Output 48 bits BACK Chapter 3 Symmetric Key Crypto

  35. DES S-box • 8 “substitution boxes” or S-boxes • Each S-box maps 6 bits to 4 bits • S-box number 1 among 8 boxes input bits (0,5)  input bits (1,2,3,4) BACK Chapter 3 Symmetric Key Crypto

  36. DES P-box • Input 32 bits • Output 32 bits BACK Chapter 3 Symmetric Key Crypto

  37. DES Subkey • 56 bit DES key, numbered 0,1,2,…,55 • Left half key bits, LK • Right half key bits, RK Chapter 3 Symmetric Key Crypto

  38. DES Subkey • For rounds i=1,2,...,16 • Let LK = (LKcircular shift left byri) • Let RK = (RKcircular shift left byri) • Left half of subkeyKi is of LK bits 13 16 10 23 0 4 2 27 14 5 20 9 22 18 11 3 25 7 15 6 26 19 12 1 • Right half of subkeyKi is RK bits 12 23 2 8 18 26 1 11 22 16 4 19 15 20 10 27 5 24 17 13 21 7 0 3 Chapter 3 Symmetric Key Crypto

  39. DES Subkey • For rounds 1, 2, 9 and 16 the shift ri is 1, and in all other rounds ri is 2 • Bits 8,17,21,24 of LK omitted each round • Bits 6,9,14,25 of RK omitted each round • Compression permutation yields 48 bit subkey Ki from 56 bits of LK and RK • Key schedule generates subkey BACK Chapter 3 Symmetric Key Crypto

  40. DES Last Word (Almost) • An initial perm P before round 1 • Halves are swapped after last round • A final permutation (inverse of P) is applied to (R16,L16) to yield ciphertext • None of these serve any security purpose Chapter 3 Symmetric Key Crypto

  41. Security of DES • Security of DES depends a lot on S-boxes • Everything else in DES is linear • Thirty years of intense analysis has revealed no “back door” • Attacks today use exhaustive key search • Inescapable conclusions • Designers of DES knew what they were doing • Designers of DES were ahead of their time Chapter 3 Symmetric Key Crypto

  42. Exhaustive Key Search time

  43. Block Cipher Notation • P = plaintext block • C = ciphertext block • Encrypt P with key K to get ciphertext C • C = E(P, K) • Decrypt C with key K to get plaintext P • P = D(C, K) • Note that • P = D(E(P, K), K) and C = E(D(C, K), K) Chapter 3 Symmetric Key Crypto

  44. Double DES • DES’s key length is insufficient today. • A clear way to use DES with a larger key length: intuitively “double DES” • C = E(E(P,K),K) ? • Problem: Still just 56 bit key • C = E(E(P,K1),K2) ? • There is an attack that is more-or-less equivalent to single DES • Although the attack is somewhat impractical, it’s close enough to being practical Chapter 3 Symmetric Key Crypto

  45. Double DES attack • C = E(E(P,K1),K2) Attack: chosen plaintext attack • For particular P, precompute table of E(P,K) for every possible key K (resulting table has 256 entries) • Given this table(C= E(P,K), K)and C corresponding to chosen P • Then for each possible K2, compute D(C,K2) until a match in table is found • Here, P = D(C,K2) → E(P,K2) = E(D(C,K2), K2) = C, that is, D(C,K2) should be in the table Chapter 3 Symmetric Key Crypto

  46. Double DES attack • When match is found, have E(P,K1) = D(C,K2) • Result is keys: C = E(E(P,K1),K2) where K1 and K2 are known, i.e. C is decrypted • Neglecting the work needed to precompute the table, the work consists of computing D(C,K) until we find a match in the table • This has an expected work of 255 : single DES exhausted key search work • So, double DES is not secure Chapter 3 Symmetric Key Crypto

  47. Triple DES • Logical approach to triple DES • But practically, Triple DES is • C = E(D(E(P,K1),K2),K1) • P = D(E(D(C,K1),K2),K1) • (112 bit key) Chapter 3 Symmetric Key Crypto

  48. Triple DES • Why use Encrypt-Decrypt-Encrypt (EDE) with 2 keys? (Whynot EEE and not 3 keys?) • Backward compatible with single DES: If K1=K2=K then E(D(E(P,K),K),K) = E(P,K) • And 112 bits is enough • 3DES is popular today, But with coming of the AES, 3DES should fade from use over time Chapter 3 Symmetric Key Crypto

  49. Advanced Encryption STD Chapter 3 Symmetric Key Crypto

  50. AES History • Needs for replacement for DES • DES had outlived its usefulness • Attacked by exhaustive key search: Special purpose DES crackers and distributed attack at internet • 3DES is very resistant to crypto analysis but • No efficient software code • Too slow: 3 times as many rounds as DES • 3DES use 64-bit block size: for reasons of both efficient and security, a larger blk size desirable • So, 3DES is not solution for long-term use • In 1997, NIST made a formal call for advanced encryption standard algorithms Chapter 3 Symmetric Key Crypto

More Related