1 / 23

Agenda

CS G513 / SS G513 Network Security. Agenda. Block Cipher – Example: DES Product Ciphers and Feistel Ciphers DES – Description Attacks on Block Ciphers and DES. Product Ciphers. A Product Cipher c ombines two or more transformations:

elizabeth-whitley
Télécharger la présentation

Agenda

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS G513 / SS G513 Network Security Agenda Block Cipher – Example: DES Product Ciphers and Feistel Ciphers DES – Description Attacks on Block Ciphers and DES

  2. Product Ciphers • A Product Cipher combines two or more transformations: • transposition, substitution, arithmetic operations (e.g. modular multiplication), translations (e.g. XOR). • An iterated block cipher is a block cipher that • Repeats (sequentially) an internal function known as the round function • Parameters: • Number of rounds r and block-size n • Initial key K, from which different subkeys Ki for each round i are derived. • given Ki, each round must be a bijection on the round input. • A SP (substitution-permutation) network is • An iterated cipher where each iteration is a product of substitutions and permutations.

  3. Feistel Ciphers • A Feistel Cipher is an iterated cipher: • mapping a 2t bit plaintext (L0, R0) - L0 is of t bits – into a 2t bit ciphertext (Rr, Lr) through r>=1 rounds • for each i, 1 <= i <= r, round i: • Li = Ri-1 and • Ri = Li-1 f(Ri-1, Ki) where each Ki is derived from key K. • Decryption is done by the same process but the keys are used in reverse order: Kr to K1 • f must be invertible.

  4. DES – Data Encryption Standard • DES is a Feistel Cipher • Block size = 64 bits and Number of rounds r = 16 • Key size = 64 bits (bits 8, 16, …,64 are parity bits) • Effective key size = 56 bits. DES: (figure from Menezes et. al)

  5. DES – Data Encryption Standard [2] • One round of DES: • Li = Ri-1 and Ri = Li-1 f(Ri-1, Ki) • where f(Ri-1, Ki) = P(S(E(Ri-1, Ki))) • P is a fixed permutation • S is a substitution and • E is an expansion permutation mapping (from 32 to 48 bits). • Each Ki is of 48 bits. Sundar B.

  6. DES – Data Encryption Standard [3] A round of DES: (figure from Menezes et. al) Sundar B.

  7. DES[4] DES – Round function f: (fig. from Menezes et. al)

  8. DES – Data Encryption Standard [5] • Round function f = P . S . EKi • E is an expansion permutation mapping: • 32 bits of Ri-1 are expanded to 48 bits (by repeating 16 of the bits) and permuting them • This is done according to a fixed (8x6) table: (32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 … 32 1) • Then the 48 bits are XOR-ed with Ki Sundar B.

  9. DES – Data Encryption Standard [6] • Round function f = P . S . EKi • S is done using 8 substitution boxes (S-boxes): • 48-bit input block is divided as B1, B2, … B8, each of 6 bits. • Each S-box Si is a 4 by 16 table of numbers between 0 and 15. • Si(Bi) = Si.lookup(r(Bi), c(Bi)) • r(Bi) = b0b5 and c(Bi) = b1b2b3b4 given Bi = b0 b1b2b3b4b5 Sundar B.

  10. DES – Data Encryption Standard [7] • Round key generation: • Input: 64-bit key K. Output: 16 keys of 48 bits each. • Define vi , 1<=i<=16 as: • vi=1 if i in { 1,2,9,16} vi=2 otherwise • T=PC1(K) and let T = (C0, D0) • where PC1 is a fixed-table permutation on 56 bits • For i = 1 to 16 do: • Ci = lcs(Ci-1) ; Di = lcs(Di-1) ; Ki = PC2(Ci, Di) where PC2 is a fixed table that selects and permutes 48 bits from 56 bits Sundar B.

  11. DES[8] 16-round ladder DES : (fig. from Menezes et. al)

  12. CS G513 / SS G513 Network Security Agenda Attacks on Block Ciphers and DES

  13. Classical Ciphers - Attacks • Redundancy in language: • E.g English language (26 char.): • Possible information per character = lg26 = 4.7bits • Estimated average amount of info. Carried per char (a.k.a per-character entropy) in English text = 1.5 bits • Per-character Redundancy = 3.2bits Sundar B.

  14. Classical Ciphers - Attacks • Transposition: • E.g cryptanalysis is like solving an anagram: • Building dictionaries of possible digrams and trigrams will be useful in confirming partial success against polygrams. • Block-size implications: • E.g Substitution ciphers: • An n-bit block-size implies 2n plaintext units; • for large compilation of frequency stats. becomes infeasible. Sundar B.

  15. Block Ciphers – Exhaustive Key Search • Basis: • For an n-bit block cipher with k-bit key, given a few plaintext-ciphertext pairs encrypted with key K, • K can be recovered by exhaustive key search in an expected time of 2k-1 operations. • Plaintext is used for validating a decryption • There may be external mechanisms that meet the validation requirement. • Additional plaintext-ciphertext pairs can be used to eliminate false alarms. Sundar B.

  16. DES – Exhaustive Key Search • K=56 n=64 • Expected requirement: 255 decryptions per pair • Impact of parity bits in plaintext: • E.g assume a block is 8 ASCII char. With 1 bit-parity (say even parity). • Trial decryption w/ incorrect key K yields all 8 parity bits correct with probability = 1/28 • The same happens for t different blocks w/ prob. = 1/28t • So, if this is used as filter on all 256 keys, • Then the expected number of unfiltered keys (after t blocks) is 256/28t Sundar B.

  17. Cascade Ciphers and Multiple Encryption • Concatenation of block ciphers w/ independent keys – cascade cipher • Multiple encryption – similar to cascade ciphers but • keys need not be independent and • ciphers may be encryption functions or corresponding decryption functions • Double Encryption: E(x) = E(K2, E(K1, x)) • Triple Encryption: E(x) = E3(K3,E2(K2,E1(K1,x))) • E1 = E2 = E3 and K1=K2 known as two-key triple encryption • E2 = (E1)-1 and E1 = E3 two-key triple encryption Sundar B.

  18. Multiple Encryption - Attacks • Exhaustive key search on double encryption: • 22k key pairs • Meet-in-the-middle attack: • Given a (P,C) pair compute Mi = Ei(P) under all 2k keys K1=i. • Store all pairs sorted/indexed on Mi • Decrypt C under all 2k possible keys K2=j to get Mj = Dj(C), check for hits Mj = Mi; • A hit is a candidate pair (i,j) – further validated thru’ additional plaintext-ciphertext pairs. • Complexity 2k time and 2k space. Sundar B.

  19. Meet-in-the-middle - DES • Number of candidate key pairs for one (P,C) is • 2k * 2k / 2n = 248 • Likelihood of a false key pair satisfying a second (P’, C’): • 248 / 2n = 2-16 • Thus w/ high prob. Two (P,C) pairs suffice for key determination (of course time complexity being 256 and space complexity being 256) • Attack can be modified to guess s bits of each of K1 and K2 (independently): • Tables have 2k-s entries and attack runs 22s pairs – time-space tradeoff. Sundar B.

  20. DES – Specific attacks • Complementation property: • Y=E(k,x)  Y’ = E(k’,x’) • Exercise: verify this – inspect one round • Chosen plaintext attack???: • Given (P1, C1) and (P1’, C2) • Checking if key K with plaintext P yields C1 or C2’ reduce encryptions by half (255 to 254) Sundar B.

  21. DES – Specific attacks • Weak keys • Identical subkeys (round keys) lead to encryption and decryption being identical functions. • That is E(K, E(K, x)) = x for all x • Semi-weak keys • E(K1, E(K2, x)) = x for all x. • DES has four weak keys and six pairs of semi-weak keys. Sundar B.

  22. DES – Specific attacks • The set of 256 permutations is not closed under composition: • So, multiple encryption is stronger (than single) • A lower bound on the size of the group generated by composition is 102499 • So, multiple encryption is much stronger! Sundar B.

  23. Other Block Ciphers • IDEA, FEAL, RC-5, AES etc. • FEAL • Feistel cipher – similar to DES but fast and simple • Was useful in developing cryptanalytic techniques • IDEA • Generalization of Feistel cipher – mixes multiple operations from different groups • 128 bit keys Sundar B.

More Related