1 / 48

Modern Block Ciphers Symmetric Encryption Algorithms week 8- wend 26/12/2012

Modern Block Ciphers Symmetric Encryption Algorithms week 8- wend 26/12/2012. ITC405 – ITS407 www.kbuzakhar.ly. Symmetric Cipher Model. Plaintext Encryption Algorithm Secret Key (known to sender and receiver) Ciphertext Decryption Algorithm. Unconditional vs. Computational Security.

crispin-holley
Télécharger la présentation

Modern Block Ciphers Symmetric Encryption Algorithms week 8- wend 26/12/2012

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modern Block CiphersSymmetric Encryption Algorithmsweek 8- wend 26/12/2012 ITC405 – ITS407 www.kbuzakhar.ly

  2. Symmetric Cipher Model • Plaintext • Encryption Algorithm • Secret Key (known to sender and receiver) • Ciphertext • Decryption Algorithm

  3. Unconditional vs. Computational Security • Unconditional security • No matter how much computer power is available, the cipher cannot be broken • The ciphertext provides insufficient information to uniquely determine the corresponding plaintext • Only one-time pad scheme qualifies • Computational security • The cost of breaking the cipher exceeds the value of the encrypted info • The time required to break the cipher exceeds the useful lifetime of the info

  4. Modern Block Ciphers • Block ciphers are among the most widely used types of cryptographic algorithms • provide secrecy and/or authentication services • in particular will introduce DES (Data Encryption Standard)

  5. Common Algorithms for Symmetric Keys

  6. Block Cipher Principles • most symmetric block ciphers are based on a Feistel Cipher Structure • needed since must be able to decrypt ciphertext to recover messages efficiently • block ciphers look like an extremely large substitution • would need table of 264 entries for a 64-bit block • instead create from smaller building blocks • using idea of a product cipher

  7. Substitution-Permutation Ciphers • Substitution-permutation (S-P) networks [Shannon, 1949] • modern substitution-transposition product cipher • These form the basis of modern block ciphers • S-P networks are based on the two primitive cryptographic operations • substitution (S-box) • permutation (P-box) • provide confusion and diffusion of message

  8. Shannon Theorem If every message we send requires a key as long as the message, and we never encrypt two messages with the same key, then encryption will not be very successful in everyday applications such as Internet transactions. This is because getting the key from one person to another will be an impossible task. After all one cannot encrypt it since that would require another key. This problem is called the key distribution problem.

  9. Shannon Theorem To simplify the key distribution problem we need to turn from perfectly secure encryption algorithms to ones which are, hopefully, computationally secure. This is the goal of modern cryptographers, where one aims to build systems such that: • One key can be used many times, • One small key can encrypt a long message. Such systems will not be unconditionally secure, by Shannon’s Theorem, and so must be at best only computationally secure.

  10. Avalanche Effect • Avalanche effect - Every bit of the key and of the plaintext should effect every bit of the ciphertext. A good block cipher achieves this after one or two rounds. • Strict Avalanche effect - A one bit change in the key or in the plaintext should, on average, change 50% of the ciphertext bits. • A good block cipher will satisfy the Strict Avalanche Condition.

  11. Confusion and Diffusion • cipher needs to completely obscure statistical properties of original message • a one-time pad does this • more practically Shannon suggested combining elements to obtain: • diffusion – dissipates statistical structure of plaintext over bulk of ciphertext • confusion – makes relationship between ciphertext and key as complex as possible

  12. Diffusion and Confusion Diffusion can be achieved by repeatedly performing some permutation(Transformation) on the data followed by applying a function to that permutation The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key.

  13. Confusion and Diffusion This is achieved by having each plaintext digit affect the value of many ciphertext digits; generally, this is equivalent to having each ciphertext digit be affected by many plaintext digits.

  14. Diffusion and Confusion An example of Diffusion is to encrypt a message m= m1 , m2 , m3 of characters with an averaging operation: adding k successive letters to get a ciphertext letter C n

  15. Diffusion and Confusion • Note the statistical structure of the plaintext has been dissipated. Thus, the letter frequencies in the ciphertext will be more nearly equal than in the plaintext.

  16. Diffusion and Confusion • Confusion: seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. Thus, even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key. This is achieved by the use of a complex substitution algorithm.

  17. DES Top View 56-bit Key 64-bit Input 48-bit K1 Generate keys Permutation Initial Permutation 48-bit K1 Round 1 48-bit K2 Round 2 …... 48-bit K16 Round 16 Swap 32-bit halves Swap Final Permutation Permutation 64-bit Output

  18. DES Key Schedule • forms subkeys used in each round • consists of: • initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves • 16 stages consisting of: • selecting 24-bits from each half • permuting them by PC2 for use in function f, • rotating each half separately either 1 or 2 places depending on the key rotation schedule K

  19. Per-Round Key Generation Initial Permutation of DES key C i-1 D i-1 28 bits 28 bits Circular Left Shift Circular Left Shift One round Round 1,2,9,16: single shift Others: two bits Permutation with Discard 48 bits Ki C i D i 28 bits 28 bits

  20. Initial Permutation IP • first step of the data computation • IP reorders the input data bits • even bits to LH half, odd bits to RH half • quite regular in structure (easy in h/w) • example:IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

  21. Bit Permutation (1-to-1) 1 2 3 4 32 ……. 0 0 1 0 1 Input: 1 bit Output …….. 1 0 1 1 1 22 6 13 32 3

  22. DES Round Structure • uses two 32-bit L & R halves • as for any Feistel cipher can describe as: Li= Ri–1 Ri= Li–1 xor F(Ri–1, Ki) • takes 32-bit R half and 48-bit subkey and: • expands R to 48-bits using perm E • adds to subkey • passes through 8 S-boxes to get 32-bit result • finally permutes this using 32-bit perm P

  23. A DES Round 32 bits Ln 32 bits Rn E One Round Encryption 48 bits Mangler Function 48 bits Ki S-Boxes P 32 bits 32 bits Ln+1 32 bits Rn+1

  24. 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 S1 S2 S3 S4 S5 S6 S7 S8 + + + + + + + + Permutation Mangler Function The permutation produces “spread” among the chunks/S-boxes!

  25. Bits Expansion (1-to-m) 1 2 3 4 5 32 Input: ……. 0 0 1 0 1 1 Output …….. 10 0 1 0 1 0 110 1 2 3 4 5 6 7 8 48

  26. Substitution Boxes S • have eight S-boxes which map 6 to 4 bits • each S-box is actually 4 little 4 bit boxes • outer bits 1 & 6 (row bits) select one rows • inner bits 2-5 (col bits) are substituted • result is 8 lots of 4 bits, or 32 bits • row selection depends on both data & key • feature known as autoclaving (autokeying) • example:S(18 09 12 3d 11 17 38 39) = 5fd25e03

  27. 2 bits row I1 I2 I3 I4 I5 I6 S O1 O2 O3 O4 i 4 bits column = 1,…8. i S-Box (Substitute and Shrink) • 48 bits ==> 32 bits. (8*6 ==> 8*4) • 2 bits used to select amongst 4 substitutions for the rest of the 4-bit quantity

  28. S-Box Examples Each row and column contain different numbers. 0 1 2 3 4 5 6 7 8 9…. 15 0 14 4 13 1 2 15 11 8 3 1 0 15 7 4 14 2 13 1 10 2 4 1 14 8 13 6 2 11 15 3 15 12 8 2 4 9 1 7 5 Example: input: 100110 output: ???

  29. DES Decryption • decrypt must unwind steps of data computation • with Feistel design, do encryption steps again • using subkeys in reverse order (SK16 … SK1) • note that IP undoes final FP step of encryption • 1st round with SK16 undoes 16th encrypt round • …. • 16th round with SK1 undoes 1st encrypt round • then final FP undoes initial encryption IP • thus recovering original data value

  30. Strength of DES – Key Size • 56-bit keys have 256 = 7.2 x 1016 values • brute force search looks hard • recent advances have shown is possible • in 1997 on Internet in a few months • in 1998 on dedicated h/w (EFF) in a few days • in 1999 above combined in 22hrs! • still must be able to recognize plaintext • now considering alternatives to DES

  31. 3DES • Made part of DES in 1999 • Uses 3 keys and 3 DES executions • using 3 keys 3DES has an effective key length of 168 bits (3*56) • follows encrypt-decrypt-encrypt (EDE) • the decryption phase is for backwards compatibility with single DES • FIPS algorithm of choice • Govt. organizations using DES are encouraged to convert to 3DES • 3DES and AES will exist simultaneously allowing a gradual migration to AES

  32. Advanced Encryption Standard • Proposed successor to DES • DES drawbacks • algorithm designed for 1970s hardware implementation • performs sluggishly in software implementations • 3DES is 3 times slower due to 3 rounds • 64 bit blocksize needs to be increased to spped things up • AES Overview • 128, 192, 256 bit blocksize (128 bit likely to be most common) • Not a Feistal structure, process entire block in parallel • 128 bit key, expanded into 44, 32bit words with 4 words used for each round

  33. International Data Encryption Standard (IDEA) • Developed in Switzerland 1991 • 128 bit key, 64 bit blocksize, 8 rounds • algorithm is quite different than DES, • doesn’t use S-boxes • uses binary addition rather than exclusive-or • used in Pretty Good Privacy (PGP)

  34. Blowfish • 1993 – Bruce Schneier • Popular alternative to DES • Variable length keys - 128 bits but up to 448 bits • up to 16 rounds • 64 bit blocksize • used in many commercial software packages

  35. RC5 • 1994 – Ron Rivest • one of inventors of RSA public key algorithm • RFC 2040 • good for either hard/software implementations • fast • adaptable to processors of different word sizes • variable length keys, variable number of rounds • low memory requirements • intended for high security applications • included in a number of RSA Data Securities products

  36. Modes of Operation • block ciphers encrypt fixed size blocks • eg. DES encrypts 64-bit blocks, with 56-bit key • need way to use in practise, given you usually have arbitrary amount of information to encrypt • four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use • subsequently now have 5 for DES and AES • have block and stream modes

  37. DES Modes of Operation • The DES algorithm turns a 64-bit message block M into a 64-bit cipher block C. If each 64-bit block is encrypted individually, then the mode of encryption is called Electronic Code Book (ECB) mode. • A stronger method is to exclusive-or each plaintext block with the preceding ciphertext block priore to encryption. (the first block is to exclusive-or’ed with a secret 64-bit initialization vectore IV ) this is called Chain Block Coding(Cipher Block Chaining) (CBC) mode. • The other two modes are Cipher Feedback (CFB), which make each cipher block dependent on all the previous messages blocks through an initial XOR operation. And Output Feedback (OFB) mode.

  38. Padding the data block • There are several options, • Simply append zeros • Fill up the block with bits that are opposite of the last bit data. • Fill up the block with random bytes and put the number of padded bytes in the last byte of the block • Pad the block with random bytes and in the last 3 bits store the original number of data bytes.

  39. Electronic Codebook Book (ECB) • message is broken into independent blocks which are encrypted • each block is a value which is substituted, like a codebook, hence name • each block is encoded independently of the other blocks Ci = DESK1 (Mi) • uses: secure transmission of single values

  40. Electronic Codebook Book (ECB)

  41. Advantages and Limitations of ECB • repetitions in message may show in ciphertext • if aligned with message block • particularly with data such graphics • or with messages that change very little, which become a code-book analysis problem • weakness due to encrypted message blocks being independent • main use is sending a few blocks of data

  42. Cipher Block Chaining (CBC) • message is broken into blocks • but these are linked together in the encryption operation • each previous cipher blocks is chained with current plaintext block, hence name • use Initial Vector (IV) to start process Ci = DESK1(Pi XOR Ci-1) C-1 = IV • uses: bulk data encryption, authentication

  43. Cipher Block Chaining (CBC)

  44. Advantages and Limitations of CBC • each ciphertext block depends on all message blocks • thus a change in the message affects all ciphertext blocks after the change as well as the original block • need Initial Value (IV) known to sender & receiver • however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate • hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message • at end of message, handle possible last short block • by padding either with known non-data value (eg nulls) • or pad last block with count of pad size • eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count

  45. Cipher FeedBack (CFB) • message is treated as a stream of bits • added to the output of the block cipher • result is feed back for next stage (hence name) • standard allows any number of bit (1,8 or 64 or whatever) to be feed back • denoted CFB-1, CFB-8, CFB-64 etc • is most efficient to use all 64 bits (CFB-64) Ci = Pi XOR DESK1(Ci-1) C-1 = IV • uses: stream data encryption, authentication

  46. Cipher FeedBack (CFB)

  47. Advantages and Limitations of CFB • appropriate when data arrives in bits/bytes • most common stream mode • limitation is need to stall while do block encryption after every n-bits • note that the block cipher is used in encryption mode at both ends • errors propagate for several blocks after the error

  48. Summary • have considered: • block cipher design principles • DES • details • strength • Modes of Operation • ECB, CBC, CFB, OFB

More Related