
Network Security and Cryptography Lecture 7

Uday Prakash Pethakamsetty

Udayprakash.jntuhceh@gmail.com
Dept. of ECE Network Security & Cryptography

1/29/2013

Background to modern symmetric ciphers


All the traditional ciphers are character-oriented ciphers. The advent of computers led to the use of bit-oriented or byte-oriented ciphers. Information transmitted using modern cryptography is not just text; it also includes numbers, graphics, audio and video data. So even text is treated at the bit level: each character is replaced by 8 (or 16) bits. Mixing a larger number of symbols in this way increases security.


Modern symmetric key ciphers


1. Modern stream cipher
   Encrypts/decrypts a digital data stream one bit or one byte at a time.

   1. Synchronous stream ciphers (e.g. the one-time pad)
      The key stream is independent of the plaintext or ciphertext stream.

   2. Non-synchronous stream ciphers
      Each key in the key stream depends on previous plaintext or ciphertext.

2. Modern block cipher
   A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically the block size is 64, 128, 256 or 512 bits.


Stream ciphers
- The most famous: the Vernam cipher
  - Invented by Vernam (AT&T, in 1917)
  - Processes the message bit by bit (as a stream)
  - Different from the one-time pad, though some call them the same
  - Simply adds bits of the message to random key bits
- Examples: a well-known stream cipher is RC4; others include A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, Panama, Pike, SEAL, SOBER, SOBER-128 and WAKE.
- Usage: stream ciphers are used in applications where plaintext comes in quantities of unknowable length, for example a secure wireless connection.

Stream ciphers
- Drawbacks: needs as many key bits as message bits, which is difficult in practice (i.e., distributing the key on a magnetic tape or CD-ROM).
- Strength: unconditionally secure provided the key is truly random.
- Key generation: why not generate the key stream from a smaller (base) key, using some pseudo-random function? Although this looks very attractive, it proves very difficult in practice to find a good pseudo-random function that is cryptographically strong. This is still an area of much research.


Modern block cipher


A symmetric-key modern block cipher encrypts/decrypts an n-bit block of plaintext. The encryption/decryption algorithm uses a k-bit key. If a message has fewer than n bits, padding must be added to make it an n-bit block; if the message has more than n bits, it should be divided into n-bit blocks, with appropriate padding added to the last block. Typical block sizes are 64, 128, 256 or 512 bits.


Modern Block cipher


Practically implemented algorithms:

Data Encryption Standard (DES)
- Block size is 64 bits
- Key is 56 bits

IDEA
- Block size is 64 bits
- Key size is 128 bits

Advanced Encryption Standard (AES)
- Variable block size = 128, 192 or 256 bits
- Variable key size = 128, 192 or 256 bits
- Invented by Rijndael

Block vs Stream Ciphers


Stream ciphers are faster than block ciphers. The hardware implementation of a stream cipher is also easier. When the binary stream is encrypted and transmitted at a constant rate, a stream cipher is the better choice to use. Stream ciphers are also more immune to corruption of bits during transmission.

Stream ciphers process messages a bit or byte at a time when en/decrypting.

Block ciphers break messages into blocks, each of which is then en/decrypted. This is like a substitution on very big characters (64 bits or more).

Many current ciphers are block ciphers. Hence, they are the main focus of the course.

Modern block cipher


Substitution or Transposition block cipher ?
To resist exhaustive-search attacks, modern block ciphers are designed as substitution ciphers. This is because the inherent characteristic of transposition (it preserves the number of 1s and 0s) makes the cipher vulnerable to exhaustive-search attacks.

Components of Modern Block Cipher


D-boxes are used as transposition units, for diffusion. S-boxes are used as substitution units, for confusion.


D(diffusion)-Boxes
They parallel the traditional transposition cipher for characters, but transpose bits. They help in spreading (diffusion) of input disturbances. There are three types of D-boxes:
1. Straight D-boxes
2. Expansion D-boxes
3. Compression D-boxes

D-boxes are keyless. i.e., mapping is predetermined. In hardware implementation, it is prewired. In software implementation, a predefined permutation table shows the rule of mapping.

D(diffusion)-Boxes
Straight D-boxes contain n inputs and n outputs.
- The connection between them is a permutation. There are n! possible mappings.
- Also called a permutation box or P-box.

Compression D-boxes contain n inputs and m outputs, with n > m.
- Some of the inputs are blocked and do not reach the output.
- Used mainly when we need to permute bits and at the same time decrease the number of bits for the next stage.

Expansion D-boxes contain n inputs and m outputs, with n < m.
- m-n inputs are mapped to more than one output.
- Used mainly when we need to transpose bits and at the same time increase the number of bits for the next stage.

NOTE: Straight D-boxes are invertible. Compression and Expansion D-boxes have no inverses.

S (substitution)-Boxes
- An S-box does the task of a substitution cipher.
- It can have different numbers of inputs and outputs: the number of inputs need not be the same as the number of outputs.
- S-boxes can be keyed or keyless. Generally, keyless S-boxes are more popular.
- Linear and nonlinear S-boxes: nonlinear S-boxes do not have a defining equation for every output, as linear S-boxes have. In nonlinear S-boxes, combinations (AND) of two or more inputs/outputs sometimes take place.
- Invertibility: S-boxes are substitution ciphers in which the relation between inputs and outputs is defined by a table or a mathematical relation, so S-boxes may or may not be invertible. Invertible S-boxes have the same number of input bits and output bits.

Block cipher


CBC cipher (Cipher Block Chaining)


CBC Deciphering


Substitution and Permutation


In his 1949 paper, Shannon also introduced the idea of substitution-permutation (S-P) networks, which now form the basis of modern block ciphers.
- An S-P network is the modern form of a substitution-transposition product cipher.
- S-P networks are based on the two primitive cryptographic operations we have seen before (block and CBC ciphering).

Substitution
- A binary word is replaced by some other binary word.
- The whole substitution function forms the key.
- If we use n-bit words, the key space is $(2^n)!$.
- Can also think of this as a large lookup table, with n address lines (hence $2^n$ addresses), each n bits wide being the output value.
- We will call these S-boxes.

Permutation
- A binary word has its bits reordered (permuted).
- The re-ordering forms the key.
- If we use n-bit words, the key space is $n!$ (less secure than substitution).
- This is equivalent to a wire-crossing in practice (though it is much harder to do in software).
- We will call these P-boxes.



Substitution-permutation Network
- Shannon combined these two primitives.
- He called these mixing transformations.
- A special form of product cipher where:
  - S-boxes provide confusion of input bits
  - P-boxes provide diffusion across S-box inputs


Confusion and Diffusion


A cipher needs to completely obscure the statistical properties of the original message.

Confusion makes the relationship between ciphertext and key as complex as possible.
- A technique that seeks to make the relationship between the statistics of the ciphertext and the value of the encryption keys as complex as possible. The cipher uses key and plaintext.

Diffusion dissipates the statistical structure of the plaintext over the bulk of the ciphertext.
- A technique that seeks to obscure the statistical structure of the plaintext by spreading out the influence of each individual plaintext digit over many ciphertext digits.


Desired Effect
Avalanche effect
A characteristic of an encryption algorithm in which a small change in the plaintext gives rise to a large change in the ciphertext Best: changing one input bit results in changes of approximately half the output bits.

Completeness effect
where each output bit is a complex function of all the input bits.

Practical Substitution-Permutation Networks

In practice, we need to be able to decrypt messages as well as encrypt them, hence either:
- we have to define inverses for each of our S- and P-boxes, but this doubles the code/hardware needed, or
- we define a structure that is easy to reverse, so we can use basically the same code or hardware for both encryption and decryption.

Feistel Cipher Structure


Invented by Horst Feistel,
- working at the IBM Thomas J. Watson research labs in the early 70's
- based on the concept of an invertible product cipher

Implements Shannon's substitution-permutation network concept.

Partitions the input block into two halves, then processes them through multiple rounds which:
- perform a substitution on the left data half,
- based on a round function of the right half and a subkey,
- then have a permutation swapping the halves.


Feistel Cipher Structure


In this Feistel cipher structure, for each round, the operation is performed on one half of the block. The operation can be expressed as:


Feistel Cipher Structure


This can be described functionally as:

$L(i) = R(i-1)$
$R(i) = L(i-1) \oplus f(k(i), R(i-1))$

This can easily be reversed, as seen in the above diagram, by working backwards through the rounds. In practice, a number of these stages are linked together (typically 16 rounds) to form the full cipher.
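The round equations above, as an added example (not part of the original slides): a toy 64-bit Feistel cipher whose round function is not invertible, yet the same routine decrypts once the subkeys are reversed, and whose avalanche effect depends on the number of rounds. The hash-based round function `f`, the key schedule `subkeys` and the sample values are assumptions made for illustration; this is not DES.

```python
import hashlib

HALF = 32                       # 64-bit block = two 32-bit halves
MASK = (1 << HALF) - 1

def f(subkey: int, right: int) -> int:
    """Round function f(k(i), R(i-1)): a truncated hash, so it is NOT
    invertible. (Constructed stand-in, not the DES round function.)"""
    data = subkey.to_bytes(8, "big") + right.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def subkeys(key: int, rounds: int) -> list:
    """Toy key schedule (assumption): hash the key with the round number."""
    return [int.from_bytes(
                hashlib.sha256(key.to_bytes(8, "big") + bytes([i])).digest()[:8], "big")
            for i in range(rounds)]

def feistel(block: int, round_keys: list) -> int:
    left, right = block >> HALF, block & MASK
    for k in round_keys:
        # L(i) = R(i-1);  R(i) = L(i-1) XOR f(k(i), R(i-1))
        left, right = right, left ^ f(k, right)
    return (right << HALF) | left      # final swap makes the routine self-inverse

def encrypt(block: int, key: int, rounds: int = 16) -> int:
    return feistel(block, subkeys(key, rounds))

def decrypt(block: int, key: int, rounds: int = 16) -> int:
    # Same code path as encryption; only the subkey order is reversed.
    return feistel(block, subkeys(key, rounds)[::-1])

def flipped_bits(block: int, key: int, bit: int, rounds: int = 16) -> int:
    """Ciphertext bits that change when plaintext bit `bit` is flipped."""
    diff = encrypt(block, key, rounds) ^ encrypt(block ^ (1 << bit), key, rounds)
    return bin(diff).count("1")

def mean_avalanche(block: int, key: int, rounds: int = 16) -> float:
    """Average of flipped_bits over all 64 plaintext bit positions."""
    return sum(flipped_bits(block, key, b, rounds) for b in range(64)) / 64

if __name__ == "__main__":
    P, K = 0x0123456789ABCDEF, 0x133457799BBCDFF1   # constructed sample values
    C = encrypt(P, K)
    print(hex(C), "round trip ok:", decrypt(C, K) == P)
    print("mean avalanche, 1 round  :", mean_avalanche(P, K, rounds=1))
    print("mean avalanche, 16 rounds:", mean_avalanche(P, K))
```

With a single round, a flipped bit in the left half changes exactly one ciphertext bit; only after several rounds does the average approach half of the 64 output bits.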

Data Encryption Standard (DES)

- Adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology, in the US.
- Most widely used encryption technique.
- Block cipher with a fixed block size:
  - plaintext block size: 64 bits
  - key size: 56 bits
- Longer plaintexts are processed in 64-bit blocks.
- Shorter plaintexts are processed by padding with sufficient zeros.
- The same algorithm is used for decryption.
- Subject to much controversy.

History of DES
- IBM LUCIFER, 60s
  - Uses a 128-bit key
- Proposal for NBS, 1973
- Adopted by NBS, 1977
  - Uses only a 56-bit key: possible brute force attack
  - Design of the S-boxes was classified: hidden weak points in the S-boxes?
- Wiener (1993) claimed to be able to build a machine at $100,00 and break DES in 1.5 days

DES
DES encrypts 64-bit blocks of data, using a 56-bit key. The basic process consists of:
- an initial permutation (IP)
- 16 rounds of a complex key-dependent calculation f
- a final permutation, being the inverse of IP

Function f can be described as:

$L(i) = R(i-1)$
$R(i) = L(i-1) \oplus P(S(E(R(i-1)) \oplus K(i)))$

DES


DES function f


Initial and Final Permutation


The Initial Permutation IP table may be as follows:


Expansion Table E
Expands the 32 bit data to 48 bits
Result (i) = input (array(i))


S-Boxes
Here, an S-box is a fixed 4 by 16 array. Given 6 bits $B = b_1 b_2 b_3 b_4 b_5 b_6$:
- Row $r = b_1 b_6$
- Column $c = b_2 b_3 b_4 b_5$
- $S(B) = S(r, c)$, written in binary of length 4

An example of an S-box is as below:


Permutation Table P
The permutation after each round will be as follows:


Subkey Generation
Given a 64-bit key (with parity-check bits):
- Discard the parity-check bits.
- Permute the remaining bits using fixed table P1.
- Let $C_0 D_0$ be the result (total 56 bits).

Let $C_i = \mathrm{Shift}_i(C_{i-1})$, $D_i = \mathrm{Shift}_i(D_{i-1})$, and let $K_i$ be another permutation P2 of $C_i D_i$ (total 56 bits),
- where $\mathrm{Shift}_i$ is a cyclic shift one position left if i = 1, 2, 9, 16,
- else a cyclic shift two positions left.

DES subkeys


Permutation Tables


DES in practice
DEC (Digital Equipment Corp., 1992) built a chip with 50k transistors:
- Encrypts at the rate of 1 G/second
- Clock rate 250 MHz
- Cost about $300

Applications
- ATM transactions (encrypting PIN and so on)


Modes of operation
Mode of use
- The way we use a block cipher.
- Four have been defined for the DES by ANSI in the standard ANSI X3.106-1983, Modes of Use.

Block modes
- Split messages into blocks (ECB, CBC)

Stream modes
- Work on bit stream messages (CFB, OFB)

Block Modes
Electronic Codebook (ECB)
- where the message is broken into independent 64-bit blocks which are encrypted
- $C_i = \mathrm{DES}_{K1}(P_i)$

Cipher Block Chaining (CBC)
- again the message is broken into 64-bit blocks, but they are linked together in the encryption operation with an IV
- $C_i = \mathrm{DES}_{K1}(P_i \oplus C_{i-1})$
- $C_{-1} = IV$ (initial value)

Stream Modes
Cipher Feed Back (CFB)
- where the message is treated as a stream of bits, added to the output of the DES, with the result being fed back for the next stage
- $C_i = P_i \oplus \mathrm{DES}_{K1}(C_{i-1})$
- $C_{-1} = IV$ (initial value)


Stream modes
Output Feed Back (OFB)
- where the message is treated as a stream of bits and the DES output is added to the message, but with the feedback being independent of the message
- $C_i = P_i \oplus O_i$
- $O_i = \mathrm{DES}_{K1}(O_{i-1})$
- $O_{-1} = IV$ (initial value)
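The two stream modes above, as an added example (not part of the original slides), showing how a single ciphertext bit corrupted in transit affects the recovered plaintext in each mode. The function `E` is an assumed stand-in for DES under key K1 (HMAC-SHA256 truncated to 64 bits), and the key, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8  # bytes: 64-bit blocks, as in DES

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES_K1(.) (assumption): HMAC-SHA256 cut to 8 bytes.
    It has no inverse, which is fine: CFB and OFB only run the cipher forward."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    out, prev = [], iv                       # C(-1) = IV
    for blk in split(data):
        res = xor(blk, E(key, prev))         # Ci = Pi XOR E(C(i-1))
        prev = blk if decrypt else res       # the feedback is always ciphertext
        out.append(res)
    return b"".join(out)

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, o = [], iv                          # O(-1) = IV
    for blk in split(data):
        o = E(key, o)                        # Oi = E(O(i-1)), independent of the message
        out.append(xor(blk, o))              # Ci = Pi XOR Oi (the same call decrypts)
    return b"".join(out)

def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate one bit corrupted in transit (lowest bit of byte `index`)."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]

def damaged(plain: bytes, recovered: bytes) -> list:
    """Byte offsets at which the recovered plaintext differs from the original."""
    return [i for i, (a, b) in enumerate(zip(plain, recovered)) if a != b]

# Constructed sample values.
KEY, IV = b"demo-key", b"\x00\x01\x02\x03\x04\x05\x06\x07"
PT = b"PIN=4921;ACCT=0007731;AMT=250.00"     # 32 bytes = 4 blocks

if __name__ == "__main__":
    bad_ofb = flip_bit(ofb(KEY, IV, PT), 3)
    bad_cfb = flip_bit(cfb(KEY, IV, PT), 3)
    print("OFB damage:", damaged(PT, ofb(KEY, IV, bad_ofb)))
    print("CFB damage:", damaged(PT, cfb(KEY, IV, bad_cfb, decrypt=True)))
```

In OFB the damage stays in the one corrupted byte; in CFB it also garbles the following block and then recovers. OFB's keystream depends only on the key and the IV, so an IV must never repeat under the same key.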


DES Weak Keys


With many block ciphers there are some keys that should be avoided because of reduced cipher complexity. These keys are such that the same sub-key is generated in more than one round, and they include:

Weak keys
- The same sub-key is generated for every round
- DES has 4 weak keys

Semi-weak keys
- Only two sub-keys are generated on alternate rounds
- DES has 12 of these (in 6 pairs)

Demi-semi weak keys
- Have four sub-keys generated

None of these causes a problem, since they are a tiny fraction of all available keys. However, they MUST be avoided by any key generation program.
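One way a key generation program can apply this rule, shown as an added example (not part of the original slides): run the subkey-generation registers from the Subkey Generation slide and count how many different (Ci, Di) states occur over the 16 rounds. The PC-1 table and the shift schedule are those of the public DES standard; the function names, the `acceptable` policy and the last sample key are assumptions of this sketch.

```python
# PC-1 of the DES standard (the "fixed table P1" above): drops the eight
# parity bits and splits the remaining 56 key bits into registers C0 and D0.
PC1_C = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
         10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36]
PC1_D = [63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
         14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
# One-position left shift in rounds 1, 2, 9, 16; two positions otherwise.
SHIFTS = [1 if i in (1, 2, 9, 16) else 2 for i in range(1, 17)]

def registers(key_hex: str):
    """Return (C0, D0) as 28-character bit strings for a 64-bit hex key."""
    bits = format(int(key_hex, 16), "064b")       # bit 1 = most significant
    return ("".join(bits[p - 1] for p in PC1_C),
            "".join(bits[p - 1] for p in PC1_D))

def distinct_states(key_hex: str) -> int:
    """Number of different (Ci, Di) register pairs over the 16 rounds.
    Ki is a fixed selection of bits of Ci Di, so equal registers give equal
    subkeys: this count is an upper bound on the number of distinct subkeys."""
    c, d = registers(key_hex)
    seen = set()
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]       # cyclic left shift
        seen.add((c, d))
    return len(seen)

def acceptable(key_hex: str) -> bool:
    """Key-generation filter (assumed policy): reject any key whose
    schedule repeats a register state."""
    return distinct_states(key_hex) == 16

# The four published DES weak keys, one semi-weak key, and a constructed
# ordinary key for comparison.
SAMPLES = ["0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1",
           "1F1F1F1F0E0E0E0E", "01FE01FE01FE01FE", "133457799BBCDFF1"]

if __name__ == "__main__":
    for k in SAMPLES:
        print(k, distinct_states(k), "ok" if acceptable(k) else "REJECT")
```

The weak keys leave both registers all-zero or all-one, so the cyclic shifts change nothing; the semi-weak key leaves alternating bit patterns that only toggle between two states.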

DES Attacks
Brute force attack, 1998: the EFF's US$250,000 DES cracking machine contained 1,536 custom chips and could brute force a DES key in a matter of days. The photo shows a DES Cracker circuit board fitted with several Deep Crack chips.

DES attacks
Brute force attack: the COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 9 days on average. The photo shows the backplane of the machine with the FPGAs.


DES attack : Faster than Brute force attack


There are three attacks known that can break the full 16 rounds of DES with less complexity than a brute-force search:
- differential cryptanalysis (DC),
- linear cryptanalysis (LC), and
- Davies' attack.

However, the attacks are theoretical and are unfeasible to mount in practice; these types of attack are sometimes termed certificational weaknesses.


Differential Cryptanalysis
- One of the most significant recent (public) advances in cryptanalysis
- Known by NSA in the 70's, cf. DES design
- Murphy, Biham & Shamir published 1990
- Powerful method to analyse block ciphers
- Used to analyse most current block ciphers with varying degrees of success
- DES reasonably resistant to it, cf. Lucifer
- Was discovered in the late 1980s by Eli Biham and Adi Shamir, although it was known earlier to both IBM and the NSA and kept secret
- To break the full 16 rounds, differential cryptanalysis requires $2^{47}$ chosen plaintexts
- DES was designed to be resistant to DC

Linear Cryptanalysis
- Another recent development
- Also a statistical method
- Must be iterated over rounds, with decreasing probabilities
- Developed by Mitsuru Matsui in 1994
- Based on finding linear approximations
- Can attack DES with $2^{47}$ known plaintexts, still infeasible in practice
- Needs $2^{43}$ known plaintexts
- It was the first experimental cryptanalysis of DES to be reported
- There is no evidence that DES was tailored to be resistant to this type of attack


Davies' attack


Possible techniques for improving DES


Multiple enciphering with DES
- Double DES, Triple DES

Extending DES to 128-bit data paths and 112-bit keys

Extending the key expansion calculation


Double DES
Using two encryption stages and two keys:
- $C = E_{k2}(E_{k1}(P))$
- $P = D_{k1}(D_{k2}(C))$

It is proved that there is no key k3 such that
- $C = E_{k2}(E_{k1}(P)) = E_{k3}(P)$

But a meet-in-the-middle attack is possible.
- Thus, 2-DES is not secure (if DES is broken)
