Chapter 3: Secret Key Cryptography. CS 772/872: Fall 2005. General Block Encryption.
General Block Encryption
• The general way of encrypting a 64-bit block is to take each of the 2^64 input values and map it to a unique one of the 2^64 output values. This would take (2^64)*(64) = 2^70 bits. NOT practical.
• Secret key cryptographic systems take a reasonable length key (e.g., 64 bits) and generate a one-to-one mapping that appears, to someone who does not know the key, as completely random. I.e., any single bit change in the input results in a totally independent random number output.
Types of transformation for k-bit blocks
• Substitution: Specify, for each of the 2^k possible values of the input, the k-bit output. This takes k·2^k bits. This is reasonable for k=8.
• Permutation: Specify, for each of the k input bits, the output position to which it goes. This takes k·log2 k bits.
• Figure 3-1 shows a secret key algorithm based on rounds of substitution and permutation. If we do only a single round, then a bit of input can only affect 8 bits of output. There is an optimal number of rounds to achieve complete randomization. The algorithm takes the same effort to reverse (decrypt).
Data Encryption Standard (DES)
• Key length: 56 + 8 parity bits = 64 bits
• 8 bits are used for parity check; why is that? Possible reason: to make it 256 times less secure against exhaustive search! Read p. 63 in the textbook.
• How secure is DES? In 1998, a $150K machine can break the key in 5 days! For added security, triple DES is 2^56 times more secure.
Why decryption works?
• The output of the Mangler Function (M) is the same for both encryption and decryption.
• In encryption: M ⊕ L_n = R_{n+1}
• In decryption: M ⊕ R_{n+1} = M ⊕ (M ⊕ L_n) = L_n
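The identity above, as an added example that is not from the slides or the textbook: a toy 64-bit Feistel network whose round function is deliberately not invertible, yet each round is undone by recomputing M and XORing it out. The SHA-256-based mangler, the round keys and the sample block are constructed stand-ins, and DES's initial and final permutations are left out.

```python
import hashlib

def mangler(r: int, k: int) -> int:
    """Toy 32-bit round function (a stand-in, not DES's mangler); not invertible."""
    d = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(d[:4], "big")

def feistel_round(l: int, r: int, k: int):
    # L_{n+1} = R_n ;  R_{n+1} = M(R_n, K_n) XOR L_n
    return r, mangler(r, k) ^ l

def feistel_unround(l1: int, r1: int, k: int):
    # R_n = L_{n+1} ;  L_n = M(R_n, K_n) XOR R_{n+1}   (M is recomputed, never inverted)
    return mangler(l1, k) ^ r1, l1

def encrypt(block: int, round_keys) -> int:
    l, r = block >> 32, block & 0xFFFFFFFF
    for k in round_keys:
        l, r = feistel_round(l, r, k)
    return (l << 32) | r

def decrypt(block: int, round_keys) -> int:
    l, r = block >> 32, block & 0xFFFFFFFF
    for k in reversed(round_keys):          # same keys, opposite order
        l, r = feistel_unround(l, r, k)
    return (l << 32) | r

# Constructed sample data: sixteen 48-bit round keys and one 64-bit block.
ROUND_KEYS = [(0x0123456789AB * (i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]
PLAINTEXT = 0x0011223344556677
CIPHERTEXT = encrypt(PLAINTEXT, ROUND_KEYS)
RECOVERED = decrypt(CIPHERTEXT, ROUND_KEYS)
```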
The Mangler Function: (Figure 3-7)
• Expands R from 32 bits to 48 bits as shown in Fig 3-7:
• It breaks R into eight 4-bit chunks and expands each to 6 bits by concatenating the adjacent 2 bits. Let CR_i refer to chunk i of expanded R. The 48-bit K is broken into eight 6-bit chunks.
• Let CK_i refer to chunk i of K. Let S_i = CR_i ⊕ CK_i; S_i is fed into an S-box, a substitution which produces a 4-bit output for each possible 6-bit input as shown in Figure 3-8.
• The 8 S-boxes are specified in Figures 3-9 to 3-16.
• The 4-bit output of each of the eight S-boxes is permuted as shown in Figure 3-17 (it has security value to ensure that the output of an S-box in one round affects the input of multiple S-boxes on the next round):
Mangler Function
• The 48-bit Key and the expanded 48-bit R are broken into 8 chunks of 6 bits each.
International Data Encryption Algorithm (IDEA)
• Encrypts 64-bit blocks using a 128-bit key. It is similar to DES since it:
• operates in rounds
• the mangler function runs in the same direction for both encryption and decryption
• It differs from DES since:
• Designed to be efficient in software (as opposed to DES’s hardware orientation)
• The encryption and decryption keys are different but related in a complex manner.
IDEA primitive operations
• ⊕ exclusive OR, + addition mod 2^16, and × multiplication mod 2^16+1
• These operations are reversible:
• a ⊕ K = A ⇒ A ⊕ K = a, since (a ⊕ K) ⊕ K = a
• a + K = A ⇒ A + (−K) = a, since (a + K) + (−K) = a
• a × K = A ⇒ A × K^-1 = a, since (a × K) × K^-1 = a
• K^-1 is the multiplicative inverse of K such that K × K^-1 = 1 mod (2^16+1)
• Example: K = 1101; −K = 0000 − 1101 = 0011, a = 1001, K^-1 = 0100 (since 4*13 = 52 = 1 + 3*17 (17 = 2^4+1); Euclid’s algorithm sec 7.4)
• a ⊕ K = 0100; (a ⊕ K) ⊕ K = 1001;
• a + K = 0110; (a + K) + (−K) = 1001
• a × K = 9*13 mod 17 = 15; (a × K) × K^-1 mod 17 = 60 mod 17 = 9 = 1001
Key Expansion (Encryption)
• The 128-bit key is expanded into 52 16-bit keys: K1, K2, ..., K52.
Step 1: Keys K1…K8 are generated by taking 8 chunks of 16 bits each.
Step 2: Keys K9…K16 are generated by starting from the 25th bit, wrapping around the first 25 bits at the end, and taking 16-bit chunks.
Step 3: Wrap around 25 more bits to the end, and generate keys K17…K24.
This process is repeated until all keys K1…K52 are generated.
× is the modified multiply operation, and + is a modified add.
• To get the original values back, the inverse of Ka is used for × and –Xb (mod 2^16) for +.
Decryption
• The same code can perform either encryption or decryption given different expanded keys.
• Take the inverses of the encryption keys and use them in the opposite order (use the inverse of the last-used encryption key as the first key used when doing decryption).
• Since the last encryption round (an odd round) used keys K49, K50, K51, K52,
• the first decryption round uses the inverses of the keys K49-K52.
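The IDEA key expansion and the "same code, inverted keys" property from the slides above, as an added example that is not the textbook's code. It expands a 128-bit key into K1…K52 by rotating the key left 25 bits between groups of eight, then runs one odd round forward with K49…K52 and backward with their inverses. Assumptions: the 16-bit word 0 stands for 2^16 in the multiply (IDEA's usual convention), the odd round swaps its two inner words, and the key and block are constructed sample values.

```python
MASK, MOD = 0xFFFF, 0x10001        # 16-bit words; 2^16 + 1 is prime

def mul(a: int, k: int) -> int:
    """Multiply mod 2^16+1; the 16-bit word 0 stands for 2^16 (assumed convention)."""
    return ((a or 0x10000) * (k or 0x10000) % MOD) & MASK

def mul_inv(k: int) -> int:
    """K^-1 such that K x K^-1 = 1 mod (2^16+1)."""
    return pow(k or 0x10000, -1, MOD) & MASK

def add(a: int, k: int) -> int:
    return (a + k) & MASK

def add_inv(k: int) -> int:
    return -k & MASK

def expand_key(key: bytes) -> list:
    """K1..K52: take eight 16-bit chunks, rotate the key left 25 bits, repeat."""
    if len(key) != 16:
        raise ValueError("IDEA key must be 128 bits")
    k, subkeys = int.from_bytes(key, "big"), []
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & MASK for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]

def odd_round(x, ks):
    """Odd round: multiply the outer words, add the inner words, swap the inner
    pair (the swap is an assumption taken from the usual description of IDEA)."""
    (xa, xb, xc, xd), (ka, kb, kc, kd) = x, ks
    return (mul(xa, ka), add(xc, kc), add(xb, kb), mul(xd, kd))

def invert_odd_keys(ks):
    """Decryption keys for one odd round; the add keys swap to follow the word swap."""
    ka, kb, kc, kd = ks
    return (mul_inv(ka), add_inv(kc), add_inv(kb), mul_inv(kd))

# Constructed sample key and block, for illustration only.
KEY = bytes.fromhex("00010002000300040005000600070008")
SUBKEYS = expand_key(KEY)
LAST = tuple(SUBKEYS[48:52])                       # K49..K52
BLOCK = (0x0000, 0x0001, 0x0002, 0x0003)
CIPHER = odd_round(BLOCK, LAST)
PLAIN = odd_round(CIPHER, invert_odd_keys(LAST))   # same code, inverted keys
```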
Advanced Encryption Standard (AES)
• Developed with the help of NIST as an efficient, flexible, secure and unencumbered (free to implement) standard for protecting sensitive non-classified U.S. government information.
• NIST selected an algorithm called Rijndael (named after two Belgian cryptographers: Rijmen + Daemen).
• It uses a variety of block and key sizes (mainly 128, 192 and 256) and the standards are named: AES-128, AES-192, AES-256! (Block sizes are fixed in all to 128 bits.)
• It is similar to DES and IDEA in that there are rounds and key expansion.
AES: Parameters
• Nb: is the number of 32-bit words in an encryption block. E.g., for AES-128: Nb = 4.
• Nk: is the number of 32-bit words in an encryption key. E.g., for AES-128: Nk = 4.
• Nr: is the number of rounds. It should be large enough to allow sufficient mixing so that each bit of a plain text block or a key has a complex effect on each bit of the resulting cipher text.
• Nr = 6 + Max (Nb, Nk). E.g., for AES-128: Nr = 10.
Primitive Operations
• ⊕ XOR
• Octet-Substitution (S-box) (see Figure 3-24)
• A rearrangement of octets (rotating rows and columns).
• An operation called MixColumn: Replace a column with another. Each octet of the input column is used as an index to retrieve a column from a table (see Figure 3-26). Each retrieved column is rotated and the four rotated columns are ⊕'d together to produce the output column (see Figure 3-25); nibble = 4 bits
Inverse Cipher:
• ⊕ is its own inverse
• The inverse of the S-box is given by a different table (Fig 3-27)
• The inverse of rotating is another rotation in the opposite direction.
• The inverse of MixColumn, called InvMixColumn, is just like MixColumn using a different table (Fig 3-28).
Key Expansion
• Arrange the key as Nk columns and iteratively generate the next Nk columns (see Figures 3-29 and 3-30). The Ci are constants defined in Figure 3-31.
Rounds
Each round is an identical sequence of 3 operations:
1. Each octet of the state has the S-box applied.
2. For AES-128: Row i of the state is rotated left i columns (i=0, 1, 2, 3).
3. Each column of the state has MixColumn applied to it (the last round omits this operation).
Inverse Rounds
• Since each operation is invertible, decryption can be done by performing the inverse of each operation in the opposite order and using the round keys in the reverse order.
RC4
• Ron Rivest (of the famous RSA) is the inventor
• A long random string is called a one-time pad. A stream cipher generates a one-time pad and applies it to a stream of plain text with ⊕. RC4 is a stream cipher designed by Ron Rivest. Page 93 gives C code for the RC4 one-time pad generator.
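The pad generator and the ⊕ step described above, as an added example written for this page (it is not the textbook's C code from page 93). It generates the RC4 pad, applies it to a constructed plaintext, and also computes what two ciphertexts made with the same key reveal when XORed together, which is why the pad must be used only once. The key and messages are constructed sample values.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n pad octets RC4 generates for this key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 octets")
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling: mix key into S
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    pad = bytearray()
    for _ in range(n):                         # pad generation, one octet per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        pad.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(pad)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the pad is its own inverse."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

# Constructed sample key and messages, for illustration only.
KEY = b"Key"
P1, P2 = b"Plaintext", b"Different"
C1, C2 = rc4(KEY, P1), rc4(KEY, P2)
# Same key means same pad: the pad cancels and only P1 XOR P2 remains.
LEAK = xor_bytes(C1, C2)
```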