Beruflich Dokumente
Kultur Dokumente
Chakchai So-In, Ph.D. Department of Computer Science Faculty of Science, Khon Kaen University 123 Mitaparb Rd., Naimaung, Maung, Khon Kaen, 40002 Thailand chakso@kku.ac.th http://web.kku.ac.th/chakso/322376_Fall11/
Khon Kaen University CS 322 376 2011 Chakchai So-In
3-1
Agenda
Block cipher design principles DES (Data Encryption Standard) Modes of Operation
CS 322 376
3-2
CS 322 376
3-3
CS 322 376
3-5
Feistel Cipher
Horst Feistel devised the feistel cipher Based on concept of invertible product cipher Partitions input block into two halves Process through multiple rounds which Perform a substitution on left data half Based on round function of right half & subkey Then have permutation swapping halves Implements Shannons S-P
3-10
CS 322 376
3-11
Round
1. 2. 3.
Khon Kaen University CS 322 376
3-12
1. Initial Permutation IP
IP reorders the input data bits Input bit 58 goes to output bit 1 Input bit 50 goes to output bit 2, Even bits to LH half, odd bits to RH half Quite regular in structure (easy in hardware) Example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
CS 322 376
3-14
16 7 20 21 29 11 4 25
CS 322 376
3-15
Substitution Boxes S
Have eight S-boxes which map 6 to 4 bits Each S-box is actually 4 little 4 bit boxes Outer bits 1 & 6 (row bits) select one rows Inner bits 2-5 (col bits) are substituted Result is 8 lots of 4 bits, or 32 bits Row selection depends on both data & key Feature known as autoclaving (autokeying) Example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03
8 S-Boxes
CS 322 376
3-18
DES Sub-Key Generation SubPermutation PC1 divides 56-bits in two 28-bit halves Rotate each half separately either 1 or 2 places depending on the key rotation schedule K Select 24-bits from each half & permute them by PC2
DES Decryption
Decrypt must unwind steps of data computation With Feistel design, do encryption steps again Using subkeys in reverse order (SK16 SK1) Note that IP undoes final FP step of encryption 1st round with SK16 undoes 16th encrypt round . 16th round with SK1 undoes 1st encrypt round Then final FP undoes initial encryption IP Thus recovering original data value
CS 322 376
3-20
Avalanche Effect
Key desirable property of encryption algorithm Where a change of one input or key bit results in changing approx half output bitssss = Diffusion sss Making attempts to home-in by guessing keys impossible DES exhibits strong avalanche
CS 322 376
3-21
Avalanche in DES
CS 322 376
3-22
CS 322 376
3-23
CS 322 376
3-24
CS 322 376
3-25
Differential Cryptanalysis
One of the most significant recent (public) advances in cryptanalysis Known by NSA in 70's cf DES design Murphy, Biham & Shamir published 1990 Powerful method to analyse block ciphers Used to analyse most current block ciphers with varying degrees of success DES reasonably resistant to it A statistical attack against Feistel ciphers Differential Cryptanalysis compares two related pairs of encryptions Design of S-P networks has output of function f influenced by both input & key
Khon Kaen University CS 322 376 2011 Chakchai So-In
3-26
CS 322 376
3-27
Linear Cryptanalysis
Bits in plaintext, ciphertext, and keys may have a linear relationship. For example: P1P2 C3=K2 5 In a good cipher, the relationship should hold w probability . If any relationship has probability 1, the cipher is easy to break. If any relationship has probability 0, the cipher is easy to break. Find the linear approximation with the highest bias Helps reduce the bruteforce search effort. This method can be used to find the DES key given 243 plaintexts. Ref: http://en.wikipedia.org/wiki/Linear_cryptanalysis
CS 322 376
3-28
3-29
Modes of Operation
Block ciphers encrypt fixed size blocks E.g. DES encrypts 64-bit blocks, with 56-bit key Need way to use in practise, given usually have arbitrary amount of information to encrypt Four were defined for DES in ANSI standard ANSI X3.1061983 Modes of Use Subsequently now have 5 for DES and AES Have block and stream modes ECB, CBC, CFB, OFB, CTR
CS 322 376
3-30
CS 322 376
3-31
CS 322 376
3-33
CS 322 376
3-34
3-36
CS 322 376
3-37
CS 322 376
3-38
CS 322 376
3-40
CS 322 376
3-41
3-43
Counter (CTR)
A new mode, though proposed early on Similar to OFB but encrypts counter value rather than any feedback value Must have a different key & counter value for every plaintext block (never reused)
Ci = Pi XOR Oi Oi = DESK1(i)
CS 322 376
3-44
Counter (CTR)
Random access to encrypted data blocks Provable security (good as other modes) But must ensure never reuse key/counter values, otherwise could break (cf OFB)
CS 322 376
3-46
CS 322 376
3-47