Udayprakash.jntuhceh@gmail.com
Dept. of ECE Network Security & Cryptography
1/29/2013
Stream ciphers
The most famous: Vernam cipher
Invented by Vernam (AT&T, in 1917)
Processes the message bit by bit (as a stream)
Different from the one-time pad (some call them the same)
Simply adds bits of the message to random key bits
Examples
A well-known stream cipher is RC4; others include A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, Panama, Pike, SEAL, SOBER, SOBER-128 and WAKE.
Usage
Stream ciphers are used in applications where plaintext comes in quantities of unknowable length, for example a secure wireless connection.
Stream ciphers
Drawbacks
Needs as many key bits as message bits, which is difficult in practice, i.e., the key must be distributed on a magnetic tape or CD-ROM.
Strength
Is unconditionally secure provided the key is truly random.
Key Generation
Why not generate the key stream from a smaller (base) key? Use some pseudo-random function to do this. Although this looks very attractive, it proves to be very difficult in practice to find a good pseudo-random function that is cryptographically strong. This is still an area of much research.
IDEA
Block size is 64 bits
Key size is 128 bits
Variable block size = 128, 192 or 256 bits
Variable key size = 128, 192 or 256 bits
Invented by Rijndael
Many current ciphers are block ciphers. Hence, they are the main focus of this course.
D(diffusion)-Boxes
A D-box parallels the traditional transposition cipher for characters: it transposes the bits.
It helps in spreading (diffusion) of the input disturbances.
There are three types of D-boxes:
1. Straight D-boxes
2. Expansion D-boxes
3. Compression D-boxes
D-boxes are keyless, i.e., the mapping is predetermined. In a hardware implementation, it is prewired. In a software implementation, a predefined permutation table shows the rule of mapping.
D(diffusion)-Boxes
A straight D-box has n inputs and n outputs.
The connection between them is a permutation. There are n! possible mappings. It is also called a permutation box or P-box.
NOTE: Straight D-boxes are invertible. Compression and expansion D-boxes have no inverses.
S (substitution)-Boxes
An S-box does the task of a substitution cipher.
It can have different numbers of inputs and outputs: the number of inputs is not necessarily the same as the number of outputs.
S-boxes can be keyed or keyless. Generally, keyless S-boxes are more popular.
Linear and nonlinear S-boxes: nonlinear S-boxes do not have the relative equations for every output that linear S-boxes have. In nonlinear S-boxes, at times, combinations (AND) of two or more inputs/outputs take place.
Invertibility: S-boxes are substitution ciphers in which the relation between inputs and outputs is defined by a table or mathematical relation. So, S-boxes may or may not be invertible. Invertible S-boxes have the same number of input bits and output bits.
Block cipher
CBC Deciphering
Substitution
A binary word is replaced by some other binary word.
The whole substitution function forms the key.
If we use n-bit words, the key space is (2^n)!
Can also think of this as a large lookup table with n address lines (hence 2^n addresses), each entry being an n-bit-wide output value.
We will call them S-boxes.
Permutation
A binary word has its bits reordered (permuted).
The re-ordering forms the key.
If we use n-bit words, the key space is n! (less secure than substitution).
This is equivalent to a wire-crossing in practice (though it is much harder to do in software).
Substitution-permutation Network
Shannon combined these two primitives.
He called these mixing transformations.
A special form of product ciphers where:
S-boxes provide confusion of input bits
P-boxes provide diffusion across S-box inputs
Desired Effect
Avalanche effect
A characteristic of an encryption algorithm in which a small change in the plaintext gives rise to a large change in the ciphertext.
Best: changing one input bit results in changes of approximately half the output bits.
Completeness effect
Each output bit is a complex function of all the input bits.
In practice, we need to be able to decrypt messages as well as encrypt them, hence either:
Have to define inverses for each of our S- and P-boxes, but this doubles the code/hardware needed, or
Define a structure that is easy to reverse, so we can use basically the same code or hardware for both encryption and decryption.
Implements Shannon's substitution-permutation network concept.
Partitions the input block into two halves.
Processes them through multiple rounds, each of which:
Performs a substitution on the left data half, based on a round function of the right half and a subkey
Then has a permutation swapping the halves
This can easily be reversed, as seen in the above diagram, by working backwards through the rounds.
In practice, a number of these stages are linked together (typically 16 rounds) to form the full cipher.
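The two-half round structure described above is commonly called a Feistel network. The following is an added example, not code from the slides: it shows that one routine both encrypts and decrypts when the subkeys are reversed, even though the round function is not invertible, and it measures the avalanche effect. The round function and key schedule are hash-based stand-ins chosen for this example, not those of DES.

```python
import hashlib

ROUNDS = 16  # the "typically 16 rounds" mentioned above

def round_fn(right, subkey):
    """Stand-in round function f (assumption, NOT the DES f): 32 bits in, 32 bits out.
    It is deliberately not invertible; the structure never needs an inverse of f."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def subkeys(key):
    """Hypothetical key schedule: one 48-bit subkey per round, derived by hashing."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]

def feistel(block, keys):
    """Each round: L(i) = R(i-1), R(i) = L(i-1) XOR f(R(i-1), K(i))."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for k in keys:
        left, right = right, left ^ round_fn(right, k)
    # Undo the final swap so the same routine decrypts with reversed subkeys.
    return (right << 32) | left

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    return feistel(block, subkeys(key)[::-1])

def avalanche(block, key):
    """Average number of ciphertext bits that change per single flipped plaintext bit."""
    base = encrypt(block, key)
    flips = [bin(base ^ encrypt(block ^ (1 << b), key)).count("1") for b in range(64)]
    return sum(flips) / 64

if __name__ == "__main__":
    key, pt = b"constructed-key", 0x0123456789ABCDEF  # constructed sample values
    ct = encrypt(pt, key)
    print(f"ct={ct:016x} round-trip={decrypt(ct, key) == pt} "
          f"avalanche={avalanche(pt, key):.1f}/64")
```

The avalanche figure should sit near 32 of 64 bits, matching the "approximately half the output bits" target stated earlier.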
History of DES
IBM LUCIFER, 60s
Uses a 128-bit key
Wiener (1993) claimed to be able to build a machine at $100,00 and break DES in 1.5 days
DES
DES encrypts 64-bit blocks of data, using a 56-bit key. The basic process consists of:
an initial permutation (IP)
16 rounds of a complex key-dependent calculation f
a final permutation, being the inverse of IP
Function f can be described as
L(i) = R(i-1)
R(i) = L(i-1) ⊕ P(S(E(R(i-1)) ⊕ K(i)))
DES
DES function f
Expansion Table E
Expands the 32-bit data to 48 bits
Result(i) = input(array(i))
S-Boxes
Here, an S-box is a fixed 4 by 16 array.
Given 6 bits B = b1 b2 b3 b4 b5 b6:
Row r = b1 b6
Column c = b2 b3 b4 b5
S(B) = S(r,c), written in binary of length 4
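The row/column rule above, as an added example that is not part of the original slides. It uses the first DES S-box (S1) as published in the DES standard; the function names are chosen for this example. It also shows why a 6-bit-to-4-bit S-box cannot be invertible, and includes a table sanity check that a table-driven implementation can run at start-up.

```python
# DES S-box S1 as published in the DES standard (FIPS 46): 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def split_index(six_bits):
    """Return (row, column) for B = b1..b6, with b1 the most significant bit."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be exactly 6 bits")
    b1, b6 = (six_bits >> 5) & 1, six_bits & 1
    row = (b1 << 1) | b6            # r = b1 b6 (outer bits)
    col = (six_bits >> 1) & 0xF     # c = b2 b3 b4 b5 (inner bits)
    return row, col

def sbox(box, six_bits):
    """S(B) = S(r, c): a 4-bit value."""
    row, col = split_index(six_bits)
    return box[row][col]

def preimages(box, out):
    """All 6-bit inputs that map to one 4-bit output."""
    return [b for b in range(64) if sbox(box, b) == out]

def table_is_sane(box):
    """Each of the 4 rows must be a permutation of 0..15; a corrupted or
    mistyped table fails this check."""
    return len(box) == 4 and all(sorted(row) == list(range(16)) for row in box)

if __name__ == "__main__":
    b = 0b011011                    # outer bits 01 -> row 1, inner bits 1101 -> column 13
    print(split_index(b), format(sbox(S1, b), "04b"))
    print("inputs mapping to 0101:", [format(x, "06b") for x in preimages(S1, 5)])
```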
Permutation Table P
The permutation after each round will be as follows:
Subkey Generation
Given a 64-bit key (with parity-check bits):
Discard the parity-check bits
Permute the remaining bits using fixed table P1
Let C0D0 be the result (total 56 bits)
DES subkeys
Permutation Tables
DES in practice
DEC (Digital Equipment Corp. 1992) built a chip with 50k transistors
Encrypts at the rate of 1 G/second
Clock rate 250 MHz
Cost about $300
Applications
ATM transactions (encrypting PIN and so on)
Modes of operation
Mode of use
The way we use a block cipher.
Four have been defined for the DES by ANSI in the standard ANSI X3.106-1983, modes of use.
Block modes
Split messages into blocks (ECB, CBC)
Stream modes
Operate on bit stream messages (CFB, OFB)
Block Modes
Electronic Codebook (ECB)
where the message is broken into independent 64-bit blocks which are encrypted
C_i = DES_K1(P_i)
Stream Modes
Cipher Feed Back (CFB)
where the message is treated as a stream of bits, added to the output of the DES, with the result being fed back for the next stage
C_i = P_i ⊕ DES_K1(C_(i-1))
C_(-1) = IV (initial value)
Stream modes
Output Feed Back (OFB)
where the message is treated as a stream of bits, added to the message, but with the feedback being independent of the message
C_i = P_i ⊕ O_i
O_i = DES_K1(O_(i-1))
O_(-1) = IV (initial value)
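The ECB, CFB and OFB equations above, as an added example that is not part of the original slides. It shows three practical consequences: ECB maps equal plaintext blocks to equal ciphertext blocks, a one-bit transmission error damages two blocks under CFB, and the same error damages only one block under OFB. The block function E is a keyed-hash stand-in for DES_K1 (an assumption of this example), and the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES

def E(key, block):
    """Stand-in for DES_K1 (assumption: a keyed hash, NOT DES). ECB decryption
    would need its inverse; CFB and OFB only ever run it forwards."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):            # C_i = E_K(P_i)
    return b"".join(E(key, p) for p in blocks(pt))

def cfb_encrypt(key, iv, pt):        # C_i = P_i XOR E_K(C_(i-1)), C_(-1) = IV
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(p, E(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):        # P_i = C_i XOR E_K(C_(i-1))
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, E(key, prev)))
        prev = c
    return b"".join(out)

def ofb(key, iv, data):              # O_i = E_K(O_(i-1)); one call encrypts and decrypts
    out, o = [], iv
    for d in blocks(data):
        o = E(key, o)
        out.append(xor(d, o))
    return b"".join(out)

def damaged_blocks(expected, got):
    """Indices of 64-bit blocks that differ between two byte strings."""
    return [i for i, (a, b) in enumerate(zip(blocks(expected), blocks(got))) if a != b]

def flip_first_bit(ct):
    """Simulate a one-bit transmission error in the first ciphertext block."""
    return bytes([ct[0] ^ 0x80]) + ct[1:]

KEY, IV = b"constructed-key", b"\x00" * BLOCK   # constructed sample values
PT = b"PIN=1234" * 2 + b"END-BLK."               # blocks 0 and 1 are identical
```

A fixed all-zero IV is used only to keep the example deterministic; reusing an IV under one key in OFB repeats the key stream.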
Semi-weak keys
Only two sub-keys are generated on alternate rounds.
DES has 12 of these (in 6 pairs).
None of these causes a problem since they are a tiny fraction of all available keys.
However, they MUST be avoided by any key generation program.
DES Attacks
Brute force attack
1998: The EFF's US$250,000 DES cracking machine contained 1,536 custom chips and could brute force a DES key in a matter of days.
The photo shows a DES Cracker circuit board fitted with several Deep Crack chips.
DES attacks
Brute force attack
The COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 9 days on average.
The photo shows the backplane of the machine with the FPGAs.
However, the attacks are theoretical and are infeasible to mount in practice; these types of attack are sometimes termed certificational weaknesses.
Differential Cryptanalysis
One of the most significant recent (public) advances in cryptanalysis
Known by NSA in the 70s, cf. DES design
Murphy, Biham & Shamir published 1990
Powerful method to analyse block ciphers
Used to analyse most current block ciphers with varying degrees of success
DES reasonably resistant to it, cf. Lucifer
Differential cryptanalysis was discovered in the late 1980s by Eli Biham and Adi Shamir, although it was known earlier to both IBM and the NSA and kept secret.
To break the full 16 rounds, differential cryptanalysis requires 2^47 chosen plaintexts.
DES was designed to be resistant to DC.
Linear Cryptanalysis
Another recent development
Also a statistical method
Must be iterated over rounds, with decreasing probabilities
Developed by Mitsuru Matsui in 1994
Based on finding linear approximations
Can attack DES with 2^47 known plaintexts, still infeasible in practice
Needs 2^43 known plaintexts
It was the first experimental cryptanalysis of DES to be reported.
There is no evidence that DES was tailored to be resistant to this type of attack.
Davies' attack
Extending DES to 128-bit data paths and 112-bit keys
Extending the key expansion calculation
Double DES
using two encryption stages and two keys
C = E_K2(E_K1(P))
P = D_K1(D_K2(C))