03 Secretkey Ovs

Secret Key Cryptography Secret Key Cryptography
Secret Key Cryptography

• DES
Computer Security • IDEA
• Skipjack
Secret Key Cryptography • AES
1 2
Generic Block Encryption Input Block Length

• cryptographic algorithms take a fixed- • remember keys must be long enough so
length block and fixed length key that trying all keys is infeasible
• generate an output block of same size as • same reasoning applies to input block
input length
• too long a block length only effects
performance
3 4
Input Block Length General Encryption

• DES, IDEA and Skipjack use 64 bits • take each 2^64 bit input value and map
• this means a useful number of plaintext, it to a unique one of the 2^64 bit output
ciphertext pairs almost impossible to values
obtain and manage • would take ~2^70 bits to specify this
mapping
• this number is, in effect, a key
• not very practical
5 6
Randomness Bit Change

• secret key schemes take a reasonable • any bit change in input should result in
key (eg., around 128 bits) totally independent output
• used to generate a one-to-one mapping • eg., a change in the 3rd input bit should not
• mapping, to someone who does not always change the 12th output bit
know key, should look random • cryptographic algorithms should spread
bits around
• if one input bit changes half the output
should be the same and half should change
7 8
Transformations Substitution
• simple transformations on blocks of • for each of the 2^k possible values of
data the input, the k-bit output is specified
– substitutions • impractical for 64 bit input
– permutations • practical for 8 bit input
9 10
Permutations Secret Key Algorithm

• specifies, for each of the k input bits, the • break input into manageable size (eg., 8
output position to which it goes bits)
• for k bit input takes klogk bits • do a substitution on each small chunk
• Simple example • take results and run them through a
permuter
0 1 2 3 4 5 6 7
• repeat, so each bit is used as input to
each substituter
0 1 2 3 4 5 6 7
11 12
Block Encryption Round

64-bit input
Divide Input into
8-bits 8-bits 8-bits 8-bits 8-bits 8-bits 8-bits 8-bits

8-bit pieces
• each repeat is called a round
Eight 8-bit • need to have enough rounds for
security
S1 S2 S3 S4 S5 S6 S7 S8 substitution
functions derived
from key
8-bits 8-bits 8-bits 8-bits 8-bits 8-bits 8-bits 8-bits
• not too many, for efficiency
64-bit intermediate
Permute the bits,
possibly based on the key
64-bit output
13 14
Decryption DES
• need to be able to undo process • Data Encryption Standard
• that described above can be undone • 64 bit input to 64 bit output
• each of the the steps can be run as • 56 bit key
efficiently backwards as forwards • actually 64 bit, but 1 bit in 8 parity
• efficient in hardware
• relatively slow in software, but feasible
15 16
56 bits DES Overview

• 256 times easier to break than a real 64 • 64 input permuted to 64 bit result
bit key • 56 bit key used to generate 16 48 bit per
• can parity check, but 1 in 256 chance of round keys
incorrectly accepting • each round takes as input the output of
• perhaps so the US govt can break it? previous
• after 16th 64 bit output has its halves
swapped
• then a final permutation
17 18
DES
64-bit input 56-bit key
Decryption
Initial permutation
Generate 16
per-round keys
Round 1
48-bit key K1
• run DES backwards
• initial and final permutations are
Round 2
48-bit key K2
inverses
48-bit key K16
Round 16
Swap left and right halves
Final permutation (different from initial)
19 20
Detail DES Round

64-bit output
64-bit input
• need to specify 32-bit Ln 32-bit Rn

32-bit Ln 32-bit Rn
– permutations
– how keys are generated
Mangler
Mangler
Kn Function Kn
Function
– what happens in each round

+ +
• I expect you to look this up for yourself 32-bit Ln+1 32-bit Rn+1
32-bit Ln+1 32-bit Rn+1
64-bit input
64-bit output
Encryption Decryption
21 22
Expansion of Rn from 32 to 48
S-Box
bits 6 bits 6 bits
Chunk i of R Chunk i of K
S-Box
23 24
Sample - S-Box 1 Discussion

2-5
1&6 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 • is a secret key algorithm just shuffling
00 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111
some bits?
01 0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000
10 0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1010 0111 0011 1010 0101 0000 • DES is more subtle than that
11 1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101
• switching the order of S-boxes can
lessen the security
• the design process was not made public
– who knows exactly what cryptanalytic
attacks it was designed to be proof against?
25 26
IDEA IDEA and DES

• International Data Encryption • both operate in rounds
Algorithm • both have a mangler function
• efficient in software – both manglers do not have to be reversible
• 64 bit block of input to 64 bit block of • DES uses same 48 bit keys for
output encryption and decryption
• 128 bit key • in IDEA sub-keys related in more
complex manner for encryption and
decryption
27 28
IDEA - Primitive Operation Operations

• two 16 bit quantities mapped into a 16 • bitwise exclusive or
bit quantity • a slightly modified add
• DES s-box maps 6 bits into 4 • a slightly modified multiply
• IDEA uses three operations, all • modified as result must be 16 bits
reversible
• important for decryption
29 30
Addition Multiply
• carries thrown away • calculate 32 bit result
• so addition mod 2^16 • take remainder when divided by 2^16 +
1
• this can be reversed
31 32
Key Expansion Key Expansion - Encryption

• 128 bit key expanded in 52 16-bit keys • first 8 keys generated by cutting 16 bits
• key expansion different for encryption at a time from the 128, from the left
and decryption • then do same again, starting at bit 25
• once keys are generated encryption and • then again, offsetting by 25 more bits,
decryption operations are the same and so on
• keys 50 and 51 are swapped
33 34
Basic IDEA Structure

IDEA Rounds 64-bit input 128-bit key
Key expansion
• 17 rounds
K1 K2 K3 K4
Round 1
• odd rounds different from even rounds

K5 K6
Round 2
K49 K51 K50 K52

Round 17
64-bit output
35 36
One Round Odd Rounds

• each round takes 64 bit input Xa Xb Xc Xd
• treats it as four 16 bit quantities
(Xa,Xb,Xc,Xd) x Ka + Kb + Kc x Kd
• mathematical functions yield new Xa Xd

Xb Xc
versions of these four quantities
• odd rounds use four of the 16 bit keys
• even rounds use two of the 16 bit keys
37 38
Even Round Modification

Even Round
Functions (Mangler)
• more complicated than an odd round
Yin = Xa + Xb Zin = Xc + Xd
• but easily reversible (see textbook for
Yout = ((Ke x Yin) + Zin) x Kf Zout = (Ke x Yin) + Yout
how)
We compute the new Xa, Xb, Xc, and Xd
New Xa = Xa + Yout New Xb = Xb + Yout
New Xc = Xc + Zout New Xd = Xd + Zout
39 40
Even Rounds Decryption

Xa Xb Xc Xd
• IDEA designed so same code can
+ + perform encryption or decryption given
Yin Zin
different expanded keys
Mangler Ke
Function • need inverses of the encryption keys
Kf
Yout Zout (multipicative inverse mod 2^16 + 1)
+ +
+ + • use them in opposite order
Xa Xd
Xc Xd
41 42
Discussion Skipjack
• brute force on 128 bit key requires • Data Encryption Standard
enormous computing resources • 64 bit input to 64 bit output
• nobody has published a way to break • 80 bit key
IDEA • developed by US govt National Security
Agency in late 80’s
• started in use in 1993
• declassified 1998
43 44
Skipjack Skipjack
• Used in the clipper chip and the • Uses 32 rounds
fortezza PC card • see additional material for details
• clipper chips can be used in telephones,
faxes, modems
• US govt retains keys to decrypt all
communication using this technology
• however, plan failed in face of
widespread public opposition
45 46
Use of Secret Key

Large Messages
Cryptography
• we've looked at how to encrypt 64 bit • four schemes defined for DES
chunks using secret key • can also be used for IDEA & Skipjack
• messages are often longer than that • they are
• how are these algorithms used for large – electronic code book (ECB)
messages and integrity? – cipher block chaining (CBC)
– k-bit output feedback mode (OFB)
– k-bit cipher feedback mode (CFB)
47 48
Electronic Code Book Problems

• the obvious method • two identical 64-bit blocks have
• encrypt each 64 bit block with secret identical ciphertext
key • may be able to calculate positions of
• decrypt it at other end information fields
49 50
Cipher Block Chaining Randomised ECB

• with CBC identical plaintext does not m1 m2 m3 m4 m5 m6
lead to identical ciphertext Generate
• first an example which isn't CBC but r1 + r2 + r3 + r4 + r5 + r6 + random

numbers
will help
Encrypt
• transmit both random r's and ciphertext E E E E E E
with secret
c c1 c2 c3 c4 c5 c6
key
51 52
Problems CBC
• twice as much information must be • uses previous ciphertext as random
transmitted (r's as well as c's) number for next block encryption
• attacker can still interfere with each • need a random number to start with
individual block • known as IV (initialisation vector)
• randomly chosen IV's protect identical
messages
• IV must be transmitted
53 54
CBC Encryption CBC Decryption

m1 m2 m3 m4 m5 m6 m1 m2 m3 m4 m5 m6
IV + + + + + + IV + + + + + +
E E E E E E Encrypt D D D D D D Decrypt
with secret with secret
key key
c1 c2 c3 c4 c5 c6 c1 c2 c3 c4 c5 c6
55 56
Modifying Ciphertext Blocks Output Feedback Mode (OFB)

• of course, the ciphertext blocks can still • acts like a pseudo-random number
be modified or rearranged in transit generator
• message encrypted by bitwise exclusive
oring it with the pseudorandom stream
generated by OFB
57 58
Random Number Encryption & Decryption

• generate 64 bit random number b0 • encrypt message by bitwise exclusive
• call it the initialisation vector (IV) oring it with as many bits as necessary
• encrypt b0 with secret key to get b1 of b0|b1|b2|b3...
• encrypt b1 to get b2 and so on • transmit result with IV
• decrypt by again bitwise exclusive
oring it with b0|b1|b2|b3...
59 60
k-bit OFB One Time Pad

E is DES
• a long random (or pseudorandom)
string
IV
• used to encrypt message with simple
K E K E K E
bitwise exclusive oring
discarded discarded discarded
k bits k bits k bits • known as a one-time pad
m1 + m2 + m3 +
k bits k bits k bits
c1 c2 c3
61 62
Advantages Cont.
• one time pad can be generated in • if bits of ciphertext garbled, only
advance corresponding bits of plaintext garbled
• makes encryption much quicker • of course, this could be a disadvantage
• as actual encryption does not have to be • if message arrives in arbitrary chunks,
done on-line can be transmitted as arrives
• with CBC must wait until have 64 bits
63 64
Disadvantage Cipher Feedback Mode

• plaintext and ciphertext may be known • similar to OFB
by attacker • k bits generated and bitwise exclusive
• can modify plaintext by or'ed with plaintext
– bitwise exclusive oring ciphertext with • in OFB k bits are shifted in to register
known plaintext used as input to DES encrypt are
– bitwise exclusive oring result with desired
• output of DES encrypt of previous
result
block
65 66
CFB (Cont.) k-bit CFB

• in CFB the k bits shifted in are the k bits
of ciphertext from previous block
IV
• so one time pad cannot be generated
K E K E K E
before message known
discarded discarded discarded
m1 + m2 + m3 +
c1 c2 c3
67 68
Chunk Size Tampering

• the k in k-bit should not be 64 • 8-bit CFB
• 8 bit better • attacker can predictably change one
• with OFB or CBC if characters lost or byte
added remainder of transmission • this unpredictably changes next 8 bytes
garbled
• with 8 bit CFB if error is integral
number of bytes things will
resynchronise
69 70
MICs CBC
• CBC, CFB, OFB offer good protection • compute CBC
against eavesdropping • send only last block with plaintext
• none offer good protection against an • last block called CBC residue
attacker who knows plaintext • to compute residue you must know key
modifying it
• attacker,not knowing key, cannot
modify message and compute
corresponding residue
71 72
CBC Residue Privacy and Integrity

m1 m2 m3 m4 m5 m6 • CBC encrypt to ensure privacy
• send residue to ensure integrity
+ + + + +
• so do both for integrity and privacy?
E E E E E E Encrypt
with secret
key
c1 c2 c3 c4 c5 CBC residue
73 74
CBC Encryption and Residue Hmm

m1 m2 m3 m4 m5 m6 • that just sends encrypted message and
repeat final block
IV + + + + + + • attacker could tamper and send new
final block twice
Encrypt
E E E E E E
with secret • we want to automatically detect
c1 c2 c3 c4 c5
key
CBC residue
tampering, so need integrity as well as
privacy
75 76
CBC Encryption Message +

Next Try
Residue
• compute CBC residue m1 m2 m3 m4 m5 m6 c6
• attach that to plaintext

+ + + + + + +
• CBC encrypt result IV
E E E E E E E
c1 c2 c3 c4 c5 c6 c7
77 78
Well So?
• doesn't work • can get protection and integrity by
• last block is encryption of zero using CBC
• as anything bitwise exclusive or'ed with • encryption and residue calculation
itself is zero using two different keys
• a last block that doesn't depend on the • using one key is possible
message offers no integrity protection • but has flaws which may or may not be
important depending on situation
79 80
Multiple Encryption DES Multiple Encryption

• due to key length DES not as secure as • can be done for any encryption scheme
it could be • mostly with DES to try to increase its
• can be made more secure by multiple inadequate key length
encryptions
• most accepted method known as EDE
(encrypt-decrypt-encrypt)
81 82
Encrypt and Decrypt Multiple Encryption

• functions are inverses of each other • two keys K1 and K2
• each actually takes arbitrary data and • each plaintext block subjected to E with
garbles it in a way that is reversed by K1
other function
• then D with K2
• so could perform decrypt on plaintext
to encrypt • then E with K1
• then perform encrypt to get plaintext
• let’s just call the two functions E and D
83 84
Multiple Encryption Result

K1 K2 K1
• is just a new secret key scheme
m E i1 D i2 E c • 64 bit input mapped to 64 bit output
Decryption simply reverses the operation
• CBC is used to turn block encryption
into stream encryption
K1 K2 K1
c D i2 E i1 D m
85 86
EDE Discussion
m1 m2 m3 m4 m5 m6
• need more then one key

IV + + + + + + • what happens if simply encrypt twice
E E E E E E
Encrypt with
secret key K1 using same key?
D D D D D D
Decrypt with
secret key K2
• exhaustive searching would still only
Encrypt with
require trying 2^56 possibilities
E E E E E E secret key K1
• each attempt would require twice as
c1 c2 c3 c4 c5 c6 much work, but that’s not much
87 88
Discussion Attack
• what about encrypting twice using two • make two tables of 2^56 entries for each pair
different keys? • first table result of encrypting plaintext
• not much harder to break than a single • second table result of decrypting ciphertext
key • look for matching entries
• assume block encyrption • these are possible key pairs
• Takes about twice the time of breaking a 56
• assume attacker has some
bit key
plaintext,ciphertext pairs
89 90

03 Secretkey Ovs

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

03 Secretkey Ovs

Hochgeladen von

Copyright:

Verfügbare Formate

Secret Key Cryptography Secret Key Cryptography

Secret Key Cryptography

Secret Key Cryptography Secret Key Cryptography

Generic Block Encryption Input Block Length

Input Block Length General Encryption

Secret Key Cryptography Secret Key Cryptography

Randomness Bit Change

Secret Key Cryptography Secret Key Cryptography

Permutations Secret Key Algorithm

Block Encryption Round

8-bits 8-bits 8-bits 8-bits 8-bits 8-bits 8-bits 8-bits

Secret Key Cryptography Secret Key Cryptography

56 bits DES Overview

Secret Key Cryptography Secret Key Cryptography

Swap left and right halves

Final permutation (different from initial)

Detail DES Round

• need to specify 32-bit Ln 32-bit Rn

– what happens in each round

Secret Key Cryptography Secret Key Cryptography

Sample - S-Box 1 Discussion

Secret Key Cryptography Secret Key Cryptography

IDEA IDEA and DES

IDEA - Primitive Operation Operations

Secret Key Cryptography Secret Key Cryptography

Key Expansion Key Expansion - Encryption

Secret Key Cryptography Secret Key Cryptography

Basic IDEA Structure

• odd rounds different from even rounds

K49 K51 K50 K52

One Round Odd Rounds

• mathematical functions yield new Xa Xd

Secret Key Cryptography Secret Key Cryptography

Even Round Modification

New Xa = Xa + Yout New Xb = Xb + Yout

New Xc = Xc + Zout New Xd = Xd + Zout

Even Rounds Decryption

Secret Key Cryptography Secret Key Cryptography

Secret Key Cryptography Secret Key Cryptography

Use of Secret Key

Electronic Code Book Problems

Secret Key Cryptography Secret Key Cryptography

Cipher Block Chaining Randomised ECB

lead to identical ciphertext Generate

• first an example which isn't CBC but r1 + r2 + r3 + r4 + r5 + r6 + random

Secret Key Cryptography Secret Key Cryptography

CBC Encryption CBC Decryption

Modifying Ciphertext Blocks Output Feedback Mode (OFB)

Secret Key Cryptography Secret Key Cryptography

Random Number Encryption & Decryption

k-bit OFB One Time Pad

Secret Key Cryptography Secret Key Cryptography

Disadvantage Cipher Feedback Mode

Secret Key Cryptography Secret Key Cryptography

CFB (Cont.) k-bit CFB

Chunk Size Tampering

Secret Key Cryptography Secret Key Cryptography

CBC Residue Privacy and Integrity

Secret Key Cryptography Secret Key Cryptography

CBC Encryption and Residue Hmm

CBC Encryption Message +

• attach that to plaintext