
Lecture 3: Block Ciphers: Practical Instantiation of PRP


CS6903: Modern Cryptography Spring 2010


Nitesh Saxena


DES – Data Encryption Standard

Encrypts by a series of substitutions and transpositions.
Based on the Feistel structure.
Worldwide standard for more than 20 years.
Has a history of controversy.
Designed by IBM (Lucifer) with later help (interference?) from NSA.
No longer considered secure for highly sensitive applications.
Replacement standard AES (Advanced Encryption Standard) recently completed.

3/1/2011

Lecture 1 - Introduction

2

DES - Overview

DES – Each iteration.

DES – Function F

Operation Tables of DES (Key Schedule, PC-1, PC-2)


Operation Tables (IP, IP^-1, E and P)

S-boxes: S1

       0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00       14    4   13    1    2   15   11    8    3   10    6   12    5    9    0    7
01        0   15    7    4   14    2   13    1   10    6   12   11    9    5    3    8
10        4    1   14    8   13    6    2   11   15   12    9    7    3   10    5    0
11       15   12    8    2    4    9    1    7    5   11    3   14   10    0    6   13

Sj(b1 b2 b3 b4 b5 b6) is the table entry from
row: b1 b2
column: b3 b4 b5 b6

S(011001) = 6 (decimal) = 0110

DES Decryption

Same as the encryption algorithm with the “reversed” key schedule – NEXT!

Plain text x
Initial permutation (IP): (L0, R0)
Round-1 (key K1): (R0, L0 ⊕ F(R0, K1))
Rounds 2-15: (L15, R15)
Round-16 (key K16): (R15, L15 ⊕ F(R15, K16))
swap: (L15 ⊕ F(R15, K16), R15)
IP inverse
Cipher text y

encrypt: (L15 ⊕ F(R15, K16), R15) → IP inverse → Cipher text y

decrypt:
Cipher text y
IP: (L15 ⊕ F(R15, K16), R15)
Round-1 (K16): (R15, L15 ⊕ F(R15, K16) ⊕ F(R15, K16)) = (R15, L15)

Since b ⊕ b = 0 and b ⊕ 0 = b.
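The cancellation above holds for any round function F, which is why decryption is the same network with the subkeys reversed. The following is an added example, not part of the lecture: a toy Feistel cipher whose F, key schedule and 16-bit block size are assumptions made for illustration and are not those of DES.

```python
# Toy 16-round Feistel cipher on 16-bit blocks (8-bit halves).
# F and the key schedule are constructed for this example; they are NOT DES's.
ROUNDS = 16

def F(r, k):
    # Deliberately non-invertible (x and 256 - x have the same square mod 256):
    # a Feistel network never needs to invert F.
    x = r ^ k
    return (x * x) & 0xFF

def key_schedule(key):
    # Hypothetical schedule: subkeys K1..K16 derived from a 16-bit key.
    return [((key >> (i % 8)) + 0x3B * i) & 0xFF for i in range(ROUNDS)]

def rounds(left, right, subkeys):
    for k in subkeys:
        left, right = right, left ^ F(right, k)   # (L, R) -> (R, L xor F(R, K))
    return left, right

def feistel(block, subkeys):
    left, right = rounds(block >> 8, block & 0xFF, subkeys)
    return (right << 8) | left                    # swap halves after round 16

def encrypt(block, key):
    return feistel(block, key_schedule(key))      # K1, K2, ..., K16

def decrypt(block, key):
    return feistel(block, key_schedule(key)[::-1])  # K16, K15, ..., K1

if __name__ == "__main__":
    key, x = 0xBEEF, 0x1234
    c = encrypt(x, key)
    ks = key_schedule(key)
    print("(L15, R15)            :", rounds(x >> 8, x & 0xFF, ks[:15]))
    print("after decrypt round 1 :", rounds(c >> 8, c & 0xFF, ks[15:]))  # (R15, L15)
    print("decrypt(encrypt(x)) == x:", decrypt(c, key) == x)
```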

DES Security

S-box design not well understood (secret).
Has survived some recent sophisticated attacks (differential cryptanalysis).
Key is too short, hence vulnerable to brute-force attack.
1998 distributed attack took 3 months.
$1,000,000 machine will crack DES in 35 minutes (1997 estimate). $10,000 machine: 2.5 days.

DES Cracking machine

Super-encryption.

If key length is a concern, then instead of encrypting once, encrypt twice!
C = E_K2(E_K1(P))
P = D_K2(D_K1(C))
Does this result in a larger key space?
Encrypting with multiple keys is known as super-encryption.
May not always be a good idea.

Double DES

Encryption: P → E (K1) → X → E (K2) → C
Decryption: C → D (K2) → X → D (K1) → P

Double DES is almost as easy to break as single DES (Needs more memory though)!

Double DES – Meet-in-the-middle Attack (due to Diffie-Hellman)

Based on the observation that, if C = E_K2(E_K1(P)), then X = E_K1(P) = D_K2(C).

Given a known (P, C) pair, encrypt P with all possible values of K and store result in table T.

Next, decrypt C with all possible keys K and check result. If match occurs then check key pair with new known (P, C) pair. If match occurs, you have found the keys. Else continue as before. Process will terminate successfully.


Meet-in-the-middle Explanation.

The first match does not say anything, as we have 2^64 ciphertexts and 2^112 keys.
On average, 2^112 / 2^64 = 2^48 keys will produce the same ciphertext.
So there could be 2^48 possible candidates.
We can use a second pair (P', C').
So, the probability that a false alarm will survive two known (P, C) pairs is 2^48 / 2^64 = 2^-16.
One can always check a third pair to further reduce the chance of a false alarm.
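The table-and-lookup procedure and the false-alarm filtering described above, as an added example that is not part of the lecture. The cipher is a constructed toy (16-bit block, 12-bit key, all constants assumed), chosen so that 2^24 / 2^16 = 2^8 false candidates are expected after the first pair, mirroring the 2^112 / 2^64 counting.

```python
# Meet-in-the-middle against double encryption with a toy cipher.
# The cipher below is constructed for this example and is NOT DES.
KEY_BITS, MASK = 12, 0xFFFF
MUL = 0x6487                       # odd, so invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)    # modular inverse (Python 3.8+)

def E(k, x):
    for r in range(4):
        x = ((x + k + r) * MUL) & MASK
        x ^= x >> 7
    return x

def D(k, y):
    for r in reversed(range(4)):
        y ^= (y >> 7) ^ (y >> 14)            # inverse of x ^= x >> 7 on 16 bits
        y = (y * MUL_INV - k - r) & MASK
    return y

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))                   # C = E_K2(E_K1(P))

def meet_in_the_middle(pairs):
    (p, c), extra = pairs[0], pairs[1:]
    table = {}                               # T: X = E_K1(P) -> list of K1
    for k1 in range(1 << KEY_BITS):
        table.setdefault(E(k1, p), []).append(k1)
    matches = [(k1, k2)                      # every K2 whose D_K2(C) is in T
               for k2 in range(1 << KEY_BITS)
               for k1 in table.get(D(k2, c), [])]
    survivors = [(k1, k2) for k1, k2 in matches
                 if all(double_encrypt(k1, k2, p2) == c2 for p2, c2 in extra)]
    return matches, survivors

# Constructed sample data: secret keys and two known plaintexts.
K1, K2 = 0x3A7, 0xC15
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF)]

if __name__ == "__main__":
    matches, survivors = meet_in_the_middle(PAIRS)
    print(f"{2 << KEY_BITS} cipher operations instead of {1 << (2 * KEY_BITS)}")
    print(f"{len(matches)} candidates after one pair, {len(survivors)} after two")
```

The work is two passes over a 12-bit key space plus a table of 2^12 entries, which is the "needs more memory" trade-off from the Double DES slide.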

Triple DES

Encryption (EDE): P → E (K1) → A → D (K2) → B → E (K1) → C
Decryption (DED): C → D (K1) → B → E (K2) → A → D (K1) → P

Triple DES (2 keys) requires 2^112 search. Is reasonably secure. 3 keys requires 2^112.

DES Encryption modes

Electronic Code Book (ECB)
Cipher Block Chain (CBC)

Electronic Code Book (ECB) Mode

Although DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode.

Encryption:
Time = 1: P1 → DES Encrypt (K) → C1
Time = 2: P2 → DES Encrypt (K) → C2
...
Time = N: PN → DES Encrypt (K) → CN

Decryption:
C1 → DES Decrypt (K) → P1
C2 → DES Decrypt (K) → P2
...
CN → DES Decrypt (K) → PN

If same key is used then identical plaintext blocks map to identical ciphertext.

Cipher Block Chain (CBC) Mode.

Encryption:
Time = 1: P1 ⊕ IV → DES Encrypt (K) → C1
Time = 2: P2 ⊕ C1 → DES Encrypt (K) → C2
...
Time = N: PN ⊕ CN-1 → DES Encrypt (K) → CN

Decryption:
C1 → DES Decrypt (K) → ⊕ IV → P1
C2 → DES Decrypt (K) → ⊕ C1 → P2
...
CN → DES Decrypt (K) → ⊕ CN-1 → PN
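The two modes side by side, as an added example that is not part of the lecture. It assumes a toy block cipher with 8-bit blocks (a key-seeded permutation standing in for DES) and a constructed sample message, and shows that ECB ciphertext repeats exactly where the plaintext repeats while CBC depends on the IV and the previous block.

```python
import random

# Toy block cipher with 8-bit blocks: a key-seeded permutation of 0..255.
# Constructed for this example; it is not DES and not secure.
def toy_cipher(key):
    enc = list(range(256))
    random.Random(key).shuffle(enc)
    dec = [0] * 256
    for x, y in enumerate(enc):
        dec[y] = x
    return enc, dec

def ecb_encrypt(key, blocks):
    enc, _ = toy_cipher(key)
    return [enc[p] for p in blocks]              # C_i = E_K(P_i)

def cbc_encrypt(key, iv, blocks):
    enc, _ = toy_cipher(key)
    out, prev = [], iv
    for p in blocks:
        prev = enc[p ^ prev]                     # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    _, dec = toy_cipher(key)
    out, prev = [], iv
    for c in blocks:
        out.append(dec[c] ^ prev)                # P_i = D_K(C_i) xor C_{i-1}
        prev = c
    return out

def equality_pattern(blocks):
    # Which positions hold equal blocks, e.g. [7, 9, 7] -> [0, 1, 0].
    first_seen = {}
    return [first_seen.setdefault(b, len(first_seen)) for b in blocks]

# Constructed sample message: one block per byte, with repeated content.
MESSAGE = list(b"PAY 100 PAY 100 PAY 900")

if __name__ == "__main__":
    key, iv = 0x5EED, 0x3C
    ecb = ecb_encrypt(key, MESSAGE)
    cbc = cbc_encrypt(key, iv, MESSAGE)
    print("plaintext pattern:", equality_pattern(MESSAGE))
    print("ECB pattern      :", equality_pattern(ecb))   # same as plaintext
    print("CBC pattern      :", equality_pattern(cbc))
```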