Secret Key Cryptography
Transformations
• simple transformations on blocks of data
– substitutions
– permutations

Substitution
• for each of the 2^k possible values of the input, the k-bit output is specified
• impractical for 64 bit input
• practical for 8 bit input
[Figure: 64-bit intermediate; permute the bits, possibly based on the key; 64-bit output]
Decryption
• need to be able to undo process
• that described above can be undone
• each of the steps can be run as efficiently backwards as forwards

DES
• Data Encryption Standard
• 64 bit input to 64 bit output
• 56 bit key
• actually 64 bit, but 1 bit in 8 parity
• efficient in hardware
• relatively slow in software, but feasible
DES
[Figure: 64-bit input; initial permutation; Round 1 (48-bit key K1); Round 2 (48-bit key K2); ... ; Round 16 (48-bit key K16); 56-bit key used to generate 16 per-round keys]

Decryption
• run DES backwards
• initial and final permutations are inverses
[Figure: Encryption and Decryption panels; 64-bit input, 64-bit output]
Expansion of Rn from 32 to 48 bits

S-Box
[Figure: S-Box with inputs labelled "Chunk i of R" (6 bits) and "Chunk i of K" (6 bits)]
1&6 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00  1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111
01  0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000
10  0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1010 0111 0011 1010 0101 0000
11  1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101

• is a secret key algorithm just shuffling some bits?
• DES is more subtle than that
• switching the order of S-boxes can lessen the security
• the design process was not made public
– who knows exactly what cryptanalytic attacks it was designed to be proof against?
Addition
• carries thrown away
• so addition mod 2^16

Multiply
• calculate 32 bit result
• take remainder when divided by 2^16 + 1
• this can be reversed
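
Why the multiply step can be reversed, as an added example that is not part of the original slides. It assumes these are IDEA's 16-bit operations, where the all-zero word stands for 2^16 (a convention the slide does not show); the function names are illustrative.

```python
M16 = 1 << 16      # 2^16: modulus for addition
P = M16 + 1        # 2^16 + 1 = 65537, which is prime

def add16(a, b):
    """Add two 16-bit words and throw the carry away (addition mod 2^16)."""
    return (a + b) & 0xFFFF

def add16_inverse(k):
    """Word that undoes add16(x, k)."""
    return (-k) & 0xFFFF

def mul16(a, b):
    """Multiply mod 2^16 + 1; the word 0 stands for 2^16 (assumed IDEA convention)."""
    a, b = a or M16, b or M16
    return (a * b) % P % M16       # a result of 2^16 is stored as the word 0

def mul16_inverse(k):
    """Word that undoes mul16(x, k); exists for every k because P is prime."""
    return pow(k or M16, -1, P) % M16

def reversible(op, inverse, k):
    """True if applying op with k, then with inverse(k), restores every word."""
    return all(op(op(x, k), inverse(k)) == x for x in range(M16))

def image_size_mod_2_16(k):
    """Contrast: distinct outputs of plain x * k mod 2^16 (a bijection needs 65536)."""
    return len({(x * k) & 0xFFFF for x in range(M16)})

if __name__ == "__main__":
    print(reversible(mul16, mul16_inverse, 0x1234), image_size_mod_2_16(2))
```

Multiplying modulo 2^16 by an even key word collapses different inputs onto the same output, which is why the modulus is the prime 2^16 + 1 instead.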
Key expansion
• 17 rounds
[Figure: keys K1 K2 K3 K4; Round 1; 64-bit output]
Discussion
• brute force on 128 bit key requires enormous computing resources
• nobody has published a way to break IDEA

Skipjack
• Data Encryption Standard
• 64 bit input to 64 bit output
• 80 bit key
• developed by US govt National Security Agency in late 80’s
• started in use in 1993
• declassified 1998
Skipjack
• Used in the Clipper chip and the Fortezza PC card
• Clipper chips can be used in telephones, faxes, modems
• US govt retains keys to decrypt all communication using this technology
• however, plan failed in face of widespread public opposition

Skipjack
• Uses 32 rounds
• see additional material for details
Problems
• twice as much information must be transmitted (r's as well as c's)
• attacker can still interfere with each individual block

CBC
• uses previous ciphertext as random number for next block encryption
• need a random number to start with
• known as IV (initialisation vector)
• randomly chosen IV's protect identical messages
• IV must be transmitted
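[Figure: CBC encryption: IV, six XOR (+) stages, six E boxes (encrypt with secret key), ciphertext blocks c1 c2 c3 c4 c5 c6]
[Figure: CBC decryption: ciphertext blocks c1 c2 c3 c4 c5 c6, six D boxes (decrypt with secret key), IV, six XOR (+) stages]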
Advantages
• one time pad can be generated in advance
• makes encryption much quicker
• as actual encryption does not have to be done on-line

Cont.
• if bits of ciphertext garbled, only corresponding bits of plaintext garbled
• of course, this could be a disadvantage
• if message arrives in arbitrary chunks, can be transmitted as arrives
• with CBC must wait until have 64 bits
[Figure: message chunks m1, m2, m3 (k bits each), each with an XOR (+) stage, giving c1, c2, c3]
MICs
• CBC, CFB, OFB offer good protection against eavesdropping
• none offer good protection against an attacker who knows plaintext modifying it

CBC
• compute CBC
• send only last block with plaintext
• last block called CBC residue
• to compute residue you must know key
• attacker, not knowing key, cannot modify message and compute corresponding residue
[Figure: seven E boxes producing ciphertext blocks c1 c2 c3 c4 c5 c6 c7]
Well
• doesn't work
• last block is encryption of zero
• as anything bitwise exclusive or'ed with itself is zero
• a last block that doesn't depend on the message offers no integrity protection

So?
• can get protection and integrity by using CBC
• encryption and residue calculation using two different keys
• using one key is possible
• but has flaws which may or may not be important depending on situation
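
The "encryption of zero" failure and the two-key fix, as an added example that is not part of the original slides. It assumes the failing scheme is "append the CBC residue to the plaintext, then CBC-encrypt the result with the same key and IV" (the slide describing it is not on the page); the Feistel cipher `E` is a constructed stand-in for DES and all keys and messages are constructed.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as on the slides

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Toy 4-round Feistel cipher (constructed stand-in for DES; not secure)."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return l + r

def cbc_encrypt(key, iv, msg):
    """CBC: each plaintext block is XORed with the previous ciphertext block."""
    prev, out = iv, []
    for i in range(0, len(msg), BLOCK):
        prev = E(key, xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return out

def residue(key, iv, msg):
    """CBC residue: the last block of the CBC encryption of msg."""
    return cbc_encrypt(key, iv, msg)[-1]

def protect_one_key(key, iv, msg):
    """Flawed (assumed scheme): append the residue, CBC-encrypt with the same key."""
    return cbc_encrypt(key, iv, msg + residue(key, iv, msg))

def protect_two_keys(enc_key, mic_key, iv, msg):
    """Residue computed under one key, encryption done under a different key."""
    return cbc_encrypt(enc_key, iv, msg + residue(mic_key, iv, msg))

# Constructed sample data: two different 48-byte (six-block) messages.
KEY, MIC_KEY, IV = b"constructed-key-A", b"constructed-key-B", bytes(range(8))
MSG_A = b"transfer 100 to alice".ljust(48, b".")
MSG_B = b"transfer 999 to mallory".ljust(48, b".")

if __name__ == "__main__":
    print("E(key, 0)      :", E(KEY, bytes(BLOCK)).hex())
    for msg in (MSG_A, MSG_B):
        print("one key,  c7   :", protect_one_key(KEY, IV, msg)[-1].hex())
        print("two keys, c7   :", protect_two_keys(KEY, MIC_KEY, IV, msg)[-1].hex())
```

With one key, c7 is the same value for every message because the appended residue equals c6 and cancels in the XOR; with two keys, c7 changes with the message.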
[Figure: c → D → i2 → E → i1 → D → m]
EDE
[Figure: message blocks m1 m2 m3 m4 m5 m6]

Discussion
Discussion
• what about encrypting twice using two different keys?
• not much harder to break than a single key
• assume block encryption
• assume attacker has some plaintext, ciphertext pairs

Attack
• make two tables of 2^56 entries for each pair
• first table result of encrypting plaintext
• second table result of decrypting ciphertext
• look for matching entries
• these are possible key pairs
• Takes about twice the time of breaking a 56 bit key
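
The cost argument above, worked on a toy cipher, as an added example that is not part of the original slides. It shows why double encryption buys roughly one extra bit of strength, which is the reason EDE uses three operations. The 16-bit cipher, its 10-bit key (standing in for DES's 56 bits) and the sample keys and plaintexts are all constructed; the tables are built from the first pair and the remaining pairs are used to filter the matches.

```python
KEY_BITS = 10                      # toy key size standing in for 56 bits (assumption)
MASK = 0xFFFF                      # 16-bit toy block
MUL = 0x6487                       # odd constant, so multiplication is invertible
MUL_INV = pow(MUL, -1, 1 << 16)

def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def round_key(k, i):
    return ((k + 1) * (0x9E37 + 0x2468 * i)) & MASK

def E(k, x):
    """Toy 4-round block cipher (constructed for this example; not secure)."""
    for i in range(4):
        x = rotl(((x ^ round_key(k, i)) * MUL) & MASK, 5)
    return x

def D(k, y):
    """Inverse of E: undo the rounds in reverse order."""
    for i in reversed(range(4)):
        y = ((rotl(y, 11) * MUL_INV) & MASK) ^ round_key(k, i)
    return y

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cipher operations spent building the tables)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}                                   # table 1: encrypt the plaintext
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(E(k1, p0), []).append(k1)
    candidates, ops = [], 1 << KEY_BITS
    for k2 in range(1 << KEY_BITS):                # table 2: decrypt the ciphertext
        ops += 1
        for k1 in forward.get(D(k2, c0), ()):      # matching middle value
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, ops

# Constructed sample data: a key pair and three known plaintext/ciphertext pairs.
K1, K2 = 0x2A7, 0x13C
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    found, ops = meet_in_the_middle(PAIRS)
    print(found, ops, "table operations vs", 1 << (2 * KEY_BITS), "for exhaustive search")
```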