CSE 651: Introduction to Network Security
Abstract
We will discuss
2DES and 3DES
AES (Advanced Encryption Standard)
How to use block ciphers?
RC4: a widely used stream cipher
Problems with WEP's use of RC4
Multiple Encryption with DES
DES is not secure enough.
The once large key space, $2^{56}$, is now too small.
In 2001, NIST published the Advanced Encryption Standard (AES) as an alternative.
But users in commerce and finance are not ready to give up on DES.
Solution: use multiple DES with multiple keys.
Double-DES
Consider 2-DES with two keys:
$C = E_{K_2}(E_{K_1}(P))$
Decryption: $P = D_{K_1}(D_{K_2}(C))$
Key length: 56 x 2 = 112 bits
This should have thwarted brute-force attacks?
Wrong!
Meet-in-the-Middle Attack on 2DES
2-DES: $C = E_{K_2}(E_{K_1}(P))$
So, $X = E_{K_1}(P) = D_{K_2}(C)$
Given a known pair (P, C), attack as follows:
Encrypt P with all $2^{56}$ possible keys for $K_1$; store each result $E_{K_1}(P)$ in a table indexed by that value.
Decrypt C with all $2^{56}$ possible keys for $K_2$ and look each result up in the table.
Whenever $E_{K_1'}(P) = D_{K_2'}(C)$ for some candidate pair $(K_1', K_2')$, try the candidate on another known pair (P, C).
If it works, $(K_1', K_2') = (K_1, K_2)$ with high probability. (With a 64-bit block, the first pair leaves about $2^{112}/2^{64} = 2^{48}$ false candidates; the second pair reduces that to about $2^{-16}$.)
Takes $O(2^{56})$ steps, plus about $2^{56}$ blocks of memory for the table; not much more than attacking 1-DES, and nowhere near the $2^{112}$ the key length suggests.
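The attack above, run end to end as an added example (not from the lecture). A toy 16-bit substitution-permutation cipher stands in for DES so that the two half-searches take $2^{16}$ steps each instead of $2^{56}$; the cipher, its key schedule, the sample keys and the known-plaintext pairs are all constructed for the demo, but the structure of the attack is exactly the one used against 2DES.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit block cipher.

Added example, not from the lecture slides. The toy cipher (4-round nibble
substitution-permutation network, 16-bit block, 16-bit key) is a hypothetical
stand-in for DES so the attack finishes in seconds.
"""

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]


def _sub_nibbles(x, box):
    return (box[x & 0xF] | box[(x >> 4) & 0xF] << 4
            | box[(x >> 8) & 0xF] << 8 | box[x >> 12] << 12)


# Whole-word substitution tables so that one encryption is a handful of lookups.
SUB = [_sub_nibbles(x, SBOX) for x in range(1 << 16)]
INV_SUB = [_sub_nibbles(x, INV_SBOX) for x in range(1 << 16)]


def _rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def _round_keys(key):
    # Toy key schedule (constructed for the demo): rotate the key 3 bits per round.
    return [_rotl16(key, 3 * r) for r in range(4)]


def toy_encrypt(block, key):
    s = block
    for rk in _round_keys(key):
        s = _rotl16(SUB[s ^ rk], 5)      # add key, substitute nibbles, permute bits
    return s ^ _rotl16(key, 7)            # final whitening


def toy_decrypt(block, key):
    s = block ^ _rotl16(key, 7)
    for rk in reversed(_round_keys(key)):
        s = INV_SUB[_rotl16(s, 11)] ^ rk  # rotl 11 undoes rotl 5
    return s


def double_encrypt(block, k1, k2):
    """C = E_K2(E_K1(P)), the 2DES construction with the toy cipher."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs with 2 * 2^16 cipher calls
    instead of the 2^32 a naive brute force over both keys would need.

    Step 1: tabulate X = E_K1(P) for every K1 (encrypt from the left).
    Step 2: for every K2 compute D_K2(C) and look it up (decrypt from the right);
            every hit is a candidate pair.
    Step 3: discard candidates that fail on the remaining known pairs.
    """
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    candidates = [(k1, k2) for k2 in range(1 << 16)
                  for k1 in table.get(toy_decrypt(c0, k2), ())]
    return [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:])]


def demo():
    """Constructed scenario: the attacker knows three (P, C) pairs for keys (0x1234, 0xBEEF)."""
    k1, k2 = 0x1234, 0xBEEF
    plaintexts = [0x0000, 0x5555, 0xA5A5]
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in demo()])
```

With a 16-bit block one pair leaves roughly $2^{32}/2^{16} = 2^{16}$ candidate pairs, which is why the demo checks them against two further pairs. The table holding one entry per $K_1$ is the hidden cost: scaled to DES it is $2^{56}$ entries, which is why the attack is usually quoted as $2^{56}$ time and $2^{56}$ memory rather than as "free".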
Triple DES with Two Keys
A straightforward implementation would be:
$C = E_{K_1}(E_{K_2}(E_{K_1}(P)))$
In practice: $C = E_{K_1}(D_{K_2}(E_{K_1}(P)))$
Also referred to as EDE encryption.
Reason: if $K_1 = K_2$, then $E_{K_1}(D_{K_1}(E_{K_1}(P))) = E_{K_1}(P)$, so 3DES degenerates to single DES. Thus a 3DES implementation can be used as a single-DES one.
Standardized in ANSI X9.17 & ISO 8732.
No practical attacks were known when these notes were written. (Two-key 3DES has since been deprecated by NIST, and 3DES as a whole is disallowed for encryption after 2023 under NIST SP 800-131A Rev. 2.)
What about the meet-in-the-middle attack?
Meet-in-the-Middle Attack on 3DES
Write the two-key EDE computation as $P \xrightarrow{E_{K_1}} A \xrightarrow{D_{K_2}} B \xrightarrow{E_{K_1}} C$.
1. For each possible key $K_1'$ for $K_1$, encrypt P to produce a possible value for A.
2. Using this A and C, attack the 2DES $C = E_{K_1}(D_{K_2}(A))$ to obtain a pair of keys $(K_2', K_1'')$.
3. If $K_1'' = K_1'$, try the key pair $(K_1', K_2')$ on another (P, C).
4. If it works, $(K_1', K_2')$ is the key pair with high probability.
5. It takes $O(2^{55} \times 2^{56}) = O(2^{111})$ steps on average.
Triple DES with Three Keys
Encryption: $C = E_{K_3}(D_{K_2}(E_{K_1}(P)))$.
If $K_1 = K_3$, we have 3DES with 2 keys.
If $K_1 = K_2 = K_3$, we have the regular DES.
So, 3DES w/ 3 keys is backward compatible with 3DES w/ 2 keys and with the regular DES.
Some internet applications have adopted 3DES with three keys.
E.g. PGP and S/MIME.
Finite Fields
Some mathematics used in AES

Group
A group, denoted by $(G, \circ)$, is a set $G$ with a binary operation $\circ: G \times G \to G$ such that
1. $(a \circ b) \circ c = a \circ (b \circ c)$ for all $a, b, c \in G$ (associative)
2. $\exists e \in G$ s.t. $\forall x \in G$, $e \circ x = x \circ e = x$ (identity)
3. $\forall x \in G$, $\exists y \in G$ s.t. $x \circ y = y \circ x = e$ (inverse)
A group $(G, \circ)$ is abelian if $\forall x, y \in G$, $x \circ y = y \circ x$.
Examples: $(\mathbb{Z}, +)$, $(\mathbb{Q}, +)$, $(\mathbb{Q} \setminus \{0\}, \times)$, $(\mathbb{R}, +)$, $(\mathbb{R} \setminus \{0\}, \times)$, $(\mathbb{Z}_n, +)$, $(\mathbb{Z}_n^*, \times)$, where $n$ is a positive integer.
The Group $(\mathbb{Z}_{10}, +)$
$\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$.
For $a, b \in \mathbb{Z}_n$, we define $a + b = (a + b) \bmod n$.
For example, in $\mathbb{Z}_{10}$, $5 + 8 = 3$, $9 + 9 = 8$.
$a + 0 = a$ for every $a \in \mathbb{Z}_n$; 0 is the identity element.
Every $a \in \mathbb{Z}_{10}$ has an inverse, namely $10 - a$.
So, the inverse of 5 is 5, the inverse of 3 is 7.
We write the inverse of $a$ as $-a$.
The Group $(\mathbb{Z}_{10}^*, \times)$
$\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n : \gcd(x, n) = 1\}$.
For $a, b \in \mathbb{Z}_n^*$, we define $a \times b = ab \bmod n$.
For example, in $\mathbb{Z}_{10}^* = \{1, 3, 7, 9\}$, $3 \times 7 = 1$, $9 \times 9 = 1$.
$a \times 1 = a$ for every $a \in \mathbb{Z}_n^*$; 1 is the identity element.
Every $a \in \mathbb{Z}_{10}^*$ has an inverse.
E.g., the inverse of 3 is 7, the inverse of 9 is 9.
We write the inverse of $a$ as $a^{-1}$.
Field
A field, denoted by $(F, +, \times)$, is a set $F$ with two binary operations, $+$ and $\times$, such that
1. $(F, +)$ is an abelian group (with identity 0).
2. $(F \setminus \{0\}, \times)$ is an abelian group (with identity 1).
3. Multiplication distributes over addition: $a \times (b + c) = a \times b + a \times c$.
Polynomials over $F = \mathbb{Z}_2$ are added term by term; since $1 + 1 = 0$ in $\mathbb{Z}_2$, any two like terms cancel (e.g. $(x^3 + x^2 + 1) + (x^2 + 1) = x^3$).
$(F[x], +, \times)$ is not a field, because a polynomial of degree $\geq 1$ does not have a multiplicative inverse.
Finite fields (Galois fields)
Let $p(x) \in \mathbb{Z}_2[x]$ be a fixed irreducible polynomial.
Define $\mathbb{Z}_2[x] / p(x) = \{A(x) \bmod p(x) : A(x) \in \mathbb{Z}_2[x]\}$, where $A(x) \bmod p(x)$ is the remainder of $A(x)$ divided by $p(x)$.
For $A(x), B(x) \in \mathbb{Z}_2[x] / p(x)$, define
$A(x) + B(x) = (A(x) + B(x)) \bmod p(x)$
$A(x) \times B(x) = (A(x) B(x)) \bmod p(x)$
$(\mathbb{Z}_2[x] / p(x), +, \times)$ is a field, denoted as $\mathrm{GF}(2^n)$, where $n$ is the degree of $p(x)$.
Galois field $\mathrm{GF}(2^n)$
$\mathrm{GF}(2^n)$ has $2^n$ elements.
Each element is a polynomial of degree $< n$, with coefficients in $\{0, 1\}$.
Think of each element/polynomial as a bit string of length $n$, and vice versa.
Thus, if $n = 8$, then $\mathrm{GF}(2^8)$ consists of all polynomials of degree less than 8, or all bit strings of length 8.
e.g., $x^6 + x^5 + x^2 + 1 = 01100101$
AES: Advanced Encryption Standard
In 1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard.
Requirements: block length of 128 bits, key lengths of 128, 192, and 256 bits.
In 2000, the Rijndael cipher (by Rijmen and Daemen) was selected.
An iterated cipher, with 10, 12, or 14 rounds (for 128-, 192- and 256-bit keys respectively).
Rijndael allows various block lengths.
But AES allows only one block size: 128 bits.
Modulo-2 Arithmetic
There are only two numbers: 0 and 1.
Addition, subtraction and multiplication are as below:

  +  | 0 1        -  | 0 1        x  | 0 1
  ---+-----       ---+-----       ---+-----
  0  | 0 1        0  | 0 1        0  | 0 0
  1  | 1 0        1  | 1 0        1  | 0 1

Note: addition = subtraction = XOR.
Byte-oriented operations
Each byte is viewed as a polynomial of degree at most 7.
Suppose: $a = 10001001 = x^7 + x^3 + 1 = A(x)$,
$b = 10000010 = x^7 + x = B(x)$.
Addition and subtraction are simply bitwise XOR:
$a + b = 10001001 \oplus 10000010 = 00001011 = A(x) + B(x)$
$a - b = 10001001 \oplus 10000010 = 00001011 = A(x) - B(x)$
Byte-oriented operations
Multiplication: "regular" polynomial multiplication modulo a fixed modulus $P(x)$, where
$P(x) = x^8 + x^4 + x^3 + x + 1 = 100011011$.
$a \times b = A(x) B(x) \bmod P(x)$
$10001001 \times 10000010 = (x^7 + x^3 + 1)(x^7 + x) \bmod P(x)$
$= (x^{14} + x^{10} + x^8 + x^7 + x^4 + x) \bmod P(x)$
$= 100010110010010 \bmod 100011011$
$= x^6 + x^5 + x^4 + x^3 + x^2 + x + 1 = 01111111$
Byte-oriented operations
For any nonzero byte $a$ (viewed as a polynomial), there is a unique byte $b$ (also viewed as a polynomial) such that $a \times b = 1$.
This element is called the inverse of $a$, and is denoted by $a^{-1}$. (The zero byte has no inverse; the AES S-box maps 0 to 0 by convention.)
Mathematically, the set of all polynomials of degree $\leq 7$ forms a field, $\mathrm{GF}(2^8)$, under the operations of addition and multiplication mod $P(x)$, where $P(x)$ is a fixed irreducible modulus.
Structure of Rijndael
$N_b$: block size (number of words). For AES, $N_b = 4$.
$N_k$: key length (number of words).
$N_r$: number of rounds, depending on $N_b$, $N_k$.
Assume: $N_b = 4$, $N_k = 4$, $N_r = 10$.
state: a variable of 4 words, holding the data block, viewed as a 4 x 4 matrix of bytes; each column is a word.
Key schedule: 11 round keys $key_0, key_1, \ldots, key_{10}$ computed from the main key $k$.
Rijndael algorithm
Rijndael(m, k)
input: plaintext m, key k
  state = m
  AddKey(state, key_0)
  for i = 1 to N_r - 1 do
    SubBytes(state)
    ShiftRows(state)
    MixColumns(state)
    AddKey(state, key_i)
  SubBytes(state)
  ShiftRows(state)
  AddKey(state, key_{N_r})
  return(state)
Figure 5.1 AES Encryption and Decryption
AddKey(state, key_i)
state = state $\oplus$ key_i
SubBytes(state)
For each byte $z$ in the matrix, substitute $z$ with $S_{RD}(z) = A z^{-1} + b$, where

$A = \begin{pmatrix} 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \\ 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \end{pmatrix}$ and $b = \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$
That is, treat $z$ as an element in $\mathrm{GF}(2^8)$.
Find its multiplicative inverse $z^{-1}$ in $\mathrm{GF}(2^8)$.
Now treat $z^{-1}$ as a vector of 0/1.
Multiply $z^{-1}$ with $A$, and add the result to $b$.
If $z^{-1} = (z_0, z_1, \ldots, z_7)$, $b = (b_0, b_1, \ldots, b_7)$, and $S_{RD}(z) = (z'_0, z'_1, \ldots, z'_7)$, then
$z'_i = z_i \oplus z_{i+4} \oplus z_{i+5} \oplus z_{i+6} \oplus z_{i+7} \oplus b_i$
The indices should be interpreted as mod 8.
The function $S_{RD}(z) = A z^{-1} + b$ is Rijndael's S-box.
It can be specified as a table (Table 5.4 of Stallings).
ShiftRows(state)
Left-shift row $i$ circularly by $i$ bytes, $0 \leq i \leq 3$.

  a b c d        a b c d
  e f g h  -->   f g h e
  i j k l        k l i j
  m n o p        p m n o
MixColumns(state)
Operates on each column of the matrix.
View each column $(a_0, a_1, a_2, a_3)$ as a polynomial with coefficients in $\mathrm{GF}(2^8)$:
$a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$
A fixed polynomial: $c(x) = 03\,x^3 + 01\,x^2 + 01\,x + 02$ (coefficients in hex).
The MixColumns operation maps each column $a(x) \mapsto c(x) \cdot a(x) \bmod (x^4 + 1)$.
Rijndael Decryption
Each step of Rijndael encryption is invertible, so decryption applies the inverse steps (InvSubBytes, InvShiftRows, InvMixColumns, AddKey) in reverse order.
Rijndael key schedule
Assume: $N_b = 4$, $N_k = 4$, $N_r = 10$.
The secret key $key$, having 4 words, is expanded to 44 words.
Every four words are used as a round key.
$ExpKey[0..43]$: an array of words.
Initialization: $ExpKey[0..3] = key$.
For $4 \leq j \leq 43$,
$ExpKey[j] = ExpKey[j-4] \oplus f(ExpKey[j-1])$ if $j \bmod 4 = 0$,
$ExpKey[j] = ExpKey[j-4] \oplus ExpKey[j-1]$ otherwise,
where $f: (a_0, a_1, a_2, a_3) \mapsto (S_{RD}(a_1) \oplus RC[j/4],\ S_{RD}(a_2),\ S_{RD}(a_3),\ S_{RD}(a_0))$,
$S_{RD}$ is as in SubBytes, and $RC[i] = x^{i-1} \bmod P(x)$.
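The pieces from the finite-field slides through the key schedule, assembled into a working AES-128 encryption as an added example (not code from the lecture, FIPS 197 or any library). It builds $\mathrm{GF}(2^8)$ multiplication and inversion mod $P(x) = x^8 + x^4 + x^3 + x + 1$, derives the S-box from the inverse-then-affine definition rather than copying the table, and implements ShiftRows, MixColumns with $c(x) = 03\,x^3 + 01\,x^2 + 01\,x + 02$, and the $N_k = 4$ key schedule; the state is kept as a flat list of 16 bytes in column-major order, which is an implementation choice, not something the slides specify.

```python
"""AES-128 encryption assembled from the slides' definitions (added example)."""

MODULUS = 0x11B  # P(x) = x^8 + x^4 + x^3 + x + 1 as the bit string 1 0001 1011


def gf_mul(a, b):
    """Polynomial multiplication over GF(2) reduced mod P(x); a and b are bytes."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:            # degree 8 appeared: subtract (XOR) P(x)
            a ^= MODULUS
        b >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse in GF(2^8): a^254, since a^255 = 1 for a != 0.
    The non-invertible 0 is mapped to 0, as AES requires."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0


def s_box(z):
    """S_RD(z) = A z^{-1} + b: output bit i is
    z_i ^ z_{i+4} ^ z_{i+5} ^ z_{i+6} ^ z_{i+7} ^ b_i, indices mod 8, b = 0x63."""
    x = gf_inv(z)
    out = 0
    for i in range(8):
        bit = 0
        for k in (0, 4, 5, 6, 7):
            bit ^= (x >> ((i + k) % 8)) & 1
        out |= bit << i
    return out ^ 0x63


SBOX = [s_box(z) for z in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]  # RC[i] = x^(i-1) mod P(x)


def expand_key(key):
    """Key schedule: 4 key words -> 44 words; every 4 words form one round key."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for j in range(4, 44):
        t = words[j - 1]
        if j % 4 == 0:       # f: rotate, substitute, add the round constant
            t = [SBOX[t[1]] ^ RCON[j // 4 - 1], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
        words.append([a ^ b for a, b in zip(words[j - 4], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]


# State layout: a flat list of 16 bytes where index r + 4c is row r, column c.
# That is the order the input block arrives in, so no transposition is needed.

def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r is rotated left by r bytes."""
    return [s[(4 * (c + r) + r) % 16] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Each column a(x) becomes c(x) * a(x) mod (x^4 + 1), written out per byte."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4])
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out


def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def aes128_encrypt_block(key, plaintext):
    """The Rijndael round structure from the slides with N_r = 10."""
    rk = expand_key(key)
    state = add_round_key(list(plaintext), rk[0])
    for i in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk[i])
    state = add_round_key(shift_rows(sub_bytes(state)), rk[10])  # no MixColumns in the last round
    return bytes(state)


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())  # FIPS 197 appendix C.1 vector
```

The worked byte example from the slides ($10001001 \times 10000010 = 01111111$) and the FIPS 197 example inverse $\{53\}^{-1} = \{CA\}$ both fall out of `gf_mul`/`gf_inv`, and the derived table reproduces the published S-box (for instance $S(\{53\}) = \{ED\}$). A table-driven, constant-time implementation is what production code uses; this one exists to show that the table is nothing more than the field arithmetic on the preceding slides.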
Modes of Operation
How to use a block cipher?
Block ciphers encrypt fixed size blocks
E.g. DES encrypts 64-bit blocks
We need some way to encrypt arbitrary amounts of data
E.g. a message of 1000 bytes
NIST defines five ways to do it (SP 800-38A)
Called modes of operation
Including block and stream modes
Five Modes of Operation
Electronic codebook mode (ECB)
Cipher block chaining mode (CBC): most popular
Output feedback mode (OFB)
Cipher feedback mode (CFB)
Counter mode (CTR)
Electronic Code Book (ECB)
The plaintext is broken into blocks, $P_1, P_2, P_3, \ldots$
Each block is encrypted independently of the other blocks:
$C_i = E_K(P_i)$
For a given key, this mode behaves like we have a gigantic codebook, in which each plaintext block has an entry, hence the name Electronic Code Book.
Remarks on ECB
Strength: it's simple.
Weakness:
Repetitive information contained in the plaintext may show in the ciphertext, if aligned with blocks.
If the same message (e.g., your SSN) is encrypted (with the same key) and sent twice, their ciphertexts are the same.
Typical application: secure transmission of short pieces of information (e.g. an encryption key), i.e. data that fits in a single block.
Cipher Block Chaining (CBC)
The plaintext is broken into blocks: $P_1, P_2, P_3, \ldots$
Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name):
$C_i = E_K(C_{i-1} \oplus P_i)$
Use an Initial Vector IV to start the process: $C_0 = \mathrm{IV}$.
Decryption: $P_i = C_{i-1} \oplus D_K(C_i)$
Application: general block-oriented transmission.
Remarks on CBC
The same key is used for all blocks.
A ciphertext block depends on all blocks before it.
So, repeated plaintext blocks are encrypted differently.
Initialization Vector (IV)
Must be known to both the sender & receiver.
Typically, IV is either a fixed value, or is sent encrypted in ECB mode before the rest of the message.
Caveat: with a fixed IV, two messages that begin with the same blocks produce the same leading ciphertext blocks, so current guidance (NIST SP 800-38A) requires the IV to be unpredictable to an attacker, e.g. freshly random per message. The IV need not be secret, only unpredictable.
Message Padding
The last plaintext block may be short of a whole block and needs padding:
Possible padding:
Known non-data values (e.g. nulls)
Or a number indicating the size of the pad (as in PKCS#7)
Or a number indicating the size of the plaintext
The last two schemes may require an extra block (when the plaintext already fills its last block there is no room for the count, so a whole block of padding is appended).
Cipher feedback mode (basic version)
Plaintext blocks: $p_1, p_2, \ldots$
Key: $k$
Basic idea: construct key stream $k_1, k_2, k_3, \ldots$
Encryption:
$c_0 = \mathrm{IV}$
$k_i = E_k(c_{i-1})$, for $i \geq 1$
$c_i = p_i \oplus k_i$, for $i \geq 1$
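ECB, CBC, pad-length padding and the basic CFB mode from the preceding slides, as one added example (not from the lecture). The block cipher underneath is a keyed random permutation of all $2^{16}$ two-byte blocks, i.e. literally an electronic codebook, constructed with `random.Random(key).shuffle`; it is a stand-in for DES/AES so that only the modes are on show, and the key, IVs and messages are made up for the demo.

```python
"""Block-cipher modes of operation over a 16-bit 'codebook' cipher (added example)."""
import random

BLOCK = 2  # block size in bytes


def make_cipher(key: bytes):
    """Return (encrypt_block, decrypt_block) for a keyed permutation of 16-bit blocks.
    Toy construction for the demo: a seeded shuffle is the whole 'key schedule'."""
    perm = list(range(1 << 16))
    random.Random(key).shuffle(perm)
    inv = [0] * (1 << 16)
    for x, y in enumerate(perm):
        inv[y] = x
    enc = lambda b: perm[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    dec = lambda b: inv[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    return enc, dec


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(msg):
    """Append n bytes of value n (the 'number indicating the size of the pad' scheme).
    A message that already fills its last block gets a whole extra block."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad(msg):
    n = msg[-1]
    if not 1 <= n <= BLOCK or msg[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return msg[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(enc, msg):
    return b"".join(enc(p) for p in blocks(pad(msg)))          # C_i = E_K(P_i)


def ecb_decrypt(dec, ct):
    return unpad(b"".join(dec(c) for c in blocks(ct)))


def cbc_encrypt(enc, iv, msg):
    prev, out = iv, []
    for p in blocks(pad(msg)):
        prev = enc(xor(prev, p))                                 # C_i = E_K(C_{i-1} xor P_i)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(prev, dec(c)))                            # P_i = C_{i-1} xor D_K(C_i)
        prev = c
    return unpad(b"".join(out))


def cfb_encrypt(enc, iv, msg):
    """Basic CFB: k_i = E_K(c_{i-1}), c_i = p_i xor k_i. The cipher only produces
    keystream, so a short final block needs no padding."""
    prev, out = iv, []
    for p in blocks(msg):
        prev = xor(p, enc(prev)[:len(p)])
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(enc, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(c, enc(prev)[:len(c)]))
        prev = c
    return b"".join(out)


def ecb_leaks_repetition(key=b"demo-key"):
    """The ECB weakness: four identical plaintext blocks give one distinct
    ciphertext block under ECB, but (almost surely) four under CBC."""
    enc, _ = make_cipher(key)
    msg = b"AAAAAAAA"                                            # constructed: 4 x b"AA"
    ecb = blocks(ecb_encrypt(enc, msg))
    cbc = blocks(cbc_encrypt(enc, b"\x00\x01", msg))
    return len(set(ecb[:4])), len(set(cbc[:4]))


def fixed_iv_leak(key=b"demo-key"):
    """The fixed-IV caveat: two messages sharing a 16-byte prefix share their
    first 8 ciphertext blocks, so an observer learns they start the same way."""
    enc, _ = make_cipher(key)
    iv = b"\x00\x00"
    c1 = cbc_encrypt(enc, iv, b"Transfer $100 to Alice")
    c2 = cbc_encrypt(enc, iv, b"Transfer $100 to Bob")
    return blocks(c1)[:8] == blocks(c2)[:8]
```

Decryption of ECB and CBC calls the block cipher's decryption function, whereas CFB decryption calls its encryption function, which is what makes CFB (like OFB and CTR) a stream mode. The `unpad` check is where padding-oracle attacks live in real systems: the error must not be observable to the sender of the ciphertext.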
RC4 key setup: $T[i] = K[i \bmod \text{key-length}]$, for $0 \leq i \leq 255$
(i.e., fill up $T[0..255]$ with the key $K$ repeatedly.)
RC4: Initial Permutation
Initial Permutation of $S$:
  j = 0
  for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256
    Swap S[i], S[j]
This part of RC4 is generally known as the Key Scheduling Algorithm (KSA).
After KSA, the input key and the temporary vector $T$ will no longer be used.
RC4: Key Stream Generation
Key stream generation:
  i = j = 0
  while (true)
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    Swap S[i], S[j]
    t = (S[i] + S[j]) mod 256
    k = S[t]
    output k
Security of RC4
The keystream generated by RC4 is biased.
The second byte is 0 with probability about 2/256, twice what a uniformly random keystream would give.
The first few bytes are strongly non-random and leak information about the input key.
Defense: discard the initial n bytes of the keystream.
Called RC4-drop[n-bytes].
Recommended values for n = 256, 768, or 3072 bytes.
Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
(Later work found exploitable biases well beyond the keystream prefix, and RC4 has since been prohibited in TLS by RFC 7465.)
Problems with WEP's use of RC4
WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LAN.
WEP requires each packet to be encrypted with a separate RC4 key.
The RC4 key for each packet is a concatenation of a 24-bit IV (initialization vector) and a 40- or 104-bit long-term key.
RC4 key: IV (24 bits) || Long-term key (40 or 104 bits)
802.11 frames using WEP
  Header | IV | Packet | ICV | FCS
  (Packet and ICV are encrypted; Header, IV and FCS are sent in the clear)
ICV: integrity check value
FCS: frame check sequence
Both use CRC32
Fluhrer, Mantin, and Shamir showed that:
If the same secret key is used with numerous IVs, and the attacker can obtain the first word of RC4 output (keystream) corresponding to each IV, then he can construct the secret key with little effort.
The first word is known for many plaintext packets (e.g. the 802.2 SNAP header at the start of every data frame begins with the byte 0xAA).
Recall: Ciphertext = plaintext XOR keystream.
So, the first word of RC4 output (keystream) can be obtained, and since the IV travels in the clear the attacker also knows which per-packet key produced it.
Tews, Weinmann, and Pyshkin wrote an article, "Breaking 104 bit WEP in less than 60 seconds", discussing how to discover the RC4 key by analyzing the easily identified ARP packets.
ARP: Address Resolution Protocol.
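RC4 as specified on the KSA and PRGA slides, together with a measurement of the second-byte bias, the RC4-drop[n] defence, and the WEP per-packet key construction, as one added example (not from the lecture or from any WEP implementation). The long-term key, IVs and frame contents are constructed for the demo; `second_byte_zero_rate` draws random keys from a seeded generator so the measurement is reproducible.

```python
"""RC4 (KSA + PRGA), its second-byte bias, RC4-drop[n], and WEP-style per-packet keys.
Added example; keys, IVs and frames below are constructed, not captured."""
import random


def rc4_ksa(key: bytes):
    """Key-scheduling algorithm: T[i] = key[i mod len(key)], then permute S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0):
    """PRGA: return n keystream bytes after discarding the first `drop` bytes (RC4-drop[n])."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for count in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        if count >= drop:
            out.append(k)
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0):
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data), drop)))


def second_byte_zero_rate(trials: int, drop: int = 0, seed: int = 1):
    """Mantin-Shamir bias: P[second keystream byte == 0] is about 2/256, not 1/256.
    Returns the observed fraction over `trials` random 16-byte keys (seeded)."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2, drop)[1] == 0:
            zeros += 1
    return zeros / trials


def wep_packet_key(iv: bytes, long_term_key: bytes):
    """WEP per-packet RC4 key: 24-bit IV || 40- or 104-bit long-term key."""
    assert len(iv) == 3 and len(long_term_key) in (5, 13)
    return iv + long_term_key


def recover_first_keystream_bytes(frames, known_prefix):
    """The FMS precondition: the IV is sent in the clear and the first plaintext
    bytes are known (the SNAP header), so XOR gives the first keystream bytes
    of the per-packet key for every captured frame. frames: [(iv, ciphertext)]."""
    return {iv: bytes(c ^ p for c, p in zip(ct[:len(known_prefix)], known_prefix))
            for iv, ct in frames}


def wep_demo(long_term_key=b"\x01\x02\x03\x04\x05"):
    """Constructed traffic: three frames with distinct IVs, each starting with
    the 802.2 SNAP header AA AA 03. Returns (recovered, actual) keystream prefixes."""
    snap = b"\xaa\xaa\x03"
    frames = []
    for iv in (b"\x00\x00\x01", b"\x00\x00\x02", b"\x03\xff\x00"):
        body = snap + b"\x00\x00\x00\x08\x00" + b"payload"
        frames.append((iv, rc4_crypt(wep_packet_key(iv, long_term_key), body)))
    recovered = recover_first_keystream_bytes(frames, snap)
    actual = {iv: rc4_keystream(wep_packet_key(iv, long_term_key), 3) for iv, _ in frames}
    return recovered, actual


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    print("P[Z2 = 0] with drop=0:", second_byte_zero_rate(8192))
    print("P[Z2 = 0] with drop=256:", second_byte_zero_rate(8192, drop=256))
    recovered, actual = wep_demo()
    print("keystream prefixes recovered for all IVs:", recovered == actual)
```

The attacker in `wep_demo` ends up with (IV, first keystream bytes) pairs for every frame, which is exactly the input the Fluhrer-Mantin-Shamir key-recovery step consumes; that step itself is not implemented here. Note also that with a 24-bit IV the per-packet key repeats after at most $2^{24}$ frames, and much sooner in practice, so two frames encrypted under the same IV XOR to the XOR of their plaintexts.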