Modern Block Ciphers

CSE 651: Introduction to Network Security

Summary
• Block Ciphers (Chapter 3)
• Feistel Cipher Structure (Chapter 3)
• DES: Data Encryption Standard (Ch. 3)
• 3DES (Ch 6.1)
• AES: Advanced Encryption Standard (Ch. 5.2)

Monoalphabetic Substitution Cipher

• Shuffle the letters and map each plaintext letter to a different random ciphertext letter:
Plain letters: abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
• What does a key look like?

Playfair Key Matrix
• Use a 5 x 5 matrix.
• Fill in letters of the key (w/o duplicates).
• Fill the rest of matrix with other letters.
• E.g., key = MONARCHY.
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Vigenère Cipher
• Simplest polyalphabetic substitution cipher
• Consider the set of all Caesar ciphers:
$\{ C_a, C_b, C_c, \ldots, C_z \}$
• Key: e.g. security
• Encrypt each letter using $C_s, C_e, C_c, C_u, C_r, C_i, C_t, C_y$ in turn.
• Repeat from start after $C_y$.
• Decryption simply works in reverse.

Basic idea of modern block ciphers

• From classical ciphers, we learn two techniques that may improve security:
– Encrypt multiple letters at a time
– Use multiple ciphertext alphabets (Polyalphabetic
ciphers)
• Combining these two techniques
– encrypt eight (or more) letters at a time
• called a block cipher
– and use an extremely large number of ciphertext
alphabets
• will be called modes of operation

Block Ciphers

• In general, a block cipher replaces a block of $N$ plaintext bits with a block of $N$ ciphertext bits. (E.g., $N$ = 64 or 128.)
• A block cipher is a monoalphabetic cipher.
• Each block may be viewed as a gigantic character.
• The “alphabet” consists of $2^N$ gigantic characters.
• Each particular cipher is a one-to-one mapping from the plaintext “alphabet” to the ciphertext “alphabet”.
• There are $(2^N)!$ such mappings.
• A secret key indicates which mapping to use.

Ideal Block Cipher

• An ideal block cipher would allow us to use any of these $(2^N)!$ mappings.
– The key space would be extremely large.
• But this would require a key of $\log_2((2^N)!)$ bits.
• If $N = 64$, $\log_2((2^N)!) \approx N \times 2^N \approx 10^{21}$ bits $\approx 10^{11}$ GB.
• Infeasible!

Practical Block Ciphers
• Modern block ciphers use a key of $K$ bits to specify a random subset of $2^K$ mappings.
• If $K \approx N$,
– $2^K$ is much smaller than $(2^N)!$
– But is still very large.
• If the selection of the $2^K$ mappings is random, the resulting cipher will be a good approximation of the ideal block cipher.
• Horst Feistel, in the 1970s, proposed a method to achieve this.

The Feistel Cipher Structure
• Input: a data block and a key
• Partition the data block into two halves L and
R.
• Go through a number of rounds.
• In each round,
– R does not change.
– L goes through an operation that depends on R
and a round key derived from the key.

[Figure: The Feistel Cipher Structure, round $i$: inputs $L_{i-1}$ and $R_{i-1}$; round key $k_i$; function $f$; XOR ($+$); outputs $L_i$ and $R_i$]

Mathematical Description of Round i
• Let $L_{i-1}$ and $R_{i-1}$ be the input of round $i$, and $L_i$ and $R_i$ the output.
• We have
  $L_i := R_{i-1}$
  $R_i := L_{i-1} \oplus F(R_{i-1}, k_i)$
• Or, $(L_i, R_i) := \sigma \circ \mu_i (L_{i-1}, R_{i-1})$, where
  $\mu_i : (x, y) \mapsto (x \oplus F(y, k_i), y)$,
  $\sigma : (x, y) \mapsto (y, x)$.
• Note that $\mu_i^{-1} = \mu_i$ and $\sigma^{-1} = \sigma$.

Feistel Cipher
• Goes through a number of rounds, say 16 rounds.
• A Feistel cipher encrypts a plaintext block $m$ as:
  $c := E_k(m) := \sigma \circ \sigma \circ \mu_{16} \circ \cdots \circ \sigma \circ \mu_2 \circ \sigma \circ \mu_1 (m)$
• The decryption will be:
  $D_k(c) = \mu_1^{-1} \circ \sigma^{-1} \circ \mu_2^{-1} \circ \sigma^{-1} \circ \cdots \circ \mu_{16}^{-1} \circ \sigma^{-1} \circ \sigma^{-1} (c)$
  $= \sigma \circ \sigma \circ \mu_1 \circ \sigma \circ \mu_2 \circ \cdots \circ \sigma \circ \mu_{16} (c)$
• The decryption algorithm is the same as the encryption algorithm, but uses round keys in the reverse order.

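The round structure above can be run directly. The following is an added example, not part of the original slides: a 16-round Feistel network on 64-bit blocks in which the round function `F` and the key schedule `round_keys` are hypothetical stand-ins built from SHA-256. It shows that one routine both encrypts and decrypts, and that `F` itself never has to be inverted.

```python
import hashlib

ROUNDS, HALF = 16, 4  # 16 rounds on a 64-bit block (two 4-byte halves)

def F(r: bytes, k: bytes) -> bytes:
    # Hypothetical round function: truncated SHA-256. It is not invertible,
    # which is the point: a Feistel cipher never needs to invert F.
    return hashlib.sha256(k + r).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key: bytes) -> list:
    # Hypothetical key schedule: k_1 .. k_16 derived by hashing key || i.
    return [hashlib.sha256(key + bytes([i])).digest()[:8]
            for i in range(1, ROUNDS + 1)]

def feistel(block: bytes, keys: list) -> bytes:
    L, R = block[:HALF], block[HALF:]
    for k in keys:
        # One round: L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, k_i)
        L, R = R, xor(L, F(R, k))
    return R + L  # the extra swap applied after the last round

def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key))

def decrypt(block: bytes, key: bytes) -> bytes:
    # Same routine as encryption, round keys in reverse order.
    return feistel(block, round_keys(key)[::-1])

if __name__ == "__main__":
    key, m = b"constructed key", b"8 bytes!"  # constructed sample values
    c = encrypt(m, key)
    print(c.hex(), decrypt(c, key))
```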
DES: The Data Encryption Standard

• Most widely used block cipher in the world.
• Adopted by NIST in 1977.
• Based on the Feistel cipher structure with 16
rounds of processing.
• Block = 64 bits
• Key = 56 bits
• What is specific to DES is the design of the F
function and how round keys are derived from
the main key.

Design Principles of DES
• To achieve a high degree of diffusion and confusion.
• Diffusion: making each plaintext bit affect
as many ciphertext bits as possible.
• Confusion: making the relationship
between the encryption key and the
ciphertext as complex as possible.

[Figure: DES Encryption Overview]

Round Keys Generation
• Main key: 64 bits.
• 56 bits are selected and permuted using Permuted Choice One (PC1), and then divided into two 28-bit halves.
• In each round:
– Left-rotate each half separately by either 1 or 2 bits according to a rotation schedule.
– Select 24 bits from each half, and permute the combined 48 bits.
– This forms a round key.

Permuted Choice One (PC1)

57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4

Initial Permutation IP
• IP: the first step of the encryption.
• It reorders the input data bits.
• The last step of encryption is the inverse of IP.
• IP and $IP^{-1}$ are specified by tables (see Stallings book, Table 3.2) or http://en.wikipedia.org/wiki/DES_supplementary_material

[Figure: Round $i$ of DES: 32-bit inputs $L_{i-1}$ and $R_{i-1}$; 48-bit round key $k_i$; function $F$ with 32-bit output; XOR ($+$); outputs $L_i$ and $R_i$]

The F function of DES
• The $L$ and $R$ each have 32 bits, and the round key $K$ 48 bits.
• The $F$ function, on input $R$ and $K$, produces 32 bits:
  $F(R, K) = P(S(E(R) \oplus K))$
  where $E$: expands 32 bits to 48 bits;
        $S$: shrinks it back to 32 bits;
        $P$: permutes the 32 bits.

[Figure: The F function of DES]

[Figure: The Expansion Permutation E]

The S-Boxes
• Eight S-boxes each map 6 to 4 bits
• Each S-box is specified as a 4 x 16 table
– each row is a permutation of 0-15
– outer bits 1 & 6 of input are used to select one
of the four rows
– inner 4 bits of input are used to select a
column
• All the eight boxes are different.
Box S1 (row number on the left, column number across the top)

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
2    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
3   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

• For example, S1(101010) = 6 = 0110.

Permutation Function P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25

Avalanche Effect
• Avalanche effect:
– A small change in the plaintext or in the key results in a significant change in the ciphertext.
– Evidence of a high degree of diffusion and confusion.
– A desirable property of any encryption algorithm.

• DES exhibits a strong avalanche effect:
– Changing 1 bit in the plaintext affects 34 bits in the ciphertext on average.
– A 1-bit change in the key affects 35 bits in the ciphertext on average.
Attacks on DES
• Brute-force key search
– Needs only two plaintext-ciphertext samples
– Trying 1 key per microsecond would take 1000+ years on average, due to the large key space size, $2^{56} \approx 7.2 \times 10^{16}$.

• Differential cryptanalysis
– Possible to find a key with $2^{47}$ plaintext-ciphertext samples
– Known-plaintext attack

• Linear cryptanalysis:
– Possible to find a key with $2^{43}$ plaintext-ciphertext samples
– Known-plaintext attack

DES Cracker
• DES Cracker:
– A DES key search machine
– contains 1536 chips
– Cost: $250,000.
– could search 88 billion keys per second
– won RSA Laboratory’s “DES Challenge II-2” by
successfully finding a DES key in 56 hours.
• DES is feeling its age. A more secure cipher is needed.

Multiple Encryption with DES

• In 2001, NIST published the Advanced Encryption Standard (AES) to replace DES.
• But users in commerce and finance are not ready to give up on DES.
• As a temporary solution to DES’s security problem, one may encrypt a message (with DES) multiple times using multiple keys:
– 2DES is not much more secure than the regular DES.
– So, 3DES with either 2 or 3 keys is used.

2DES
• Consider 2DES with two keys:

$C = E_{K_2}(E_{K_1}(P))$

• Decryption: $P = D_{K_1}(D_{K_2}(C))$
• Key length: 56 x 2 = 112 bits
• This should have thwarted brute-force attacks?
• Wrong!

Meet-in-the-Middle Attack on 2DES
• 2-DES: $C = E_{K_2}(E_{K_1}(P))$

$P \rightarrow E_{K_1} \rightarrow E_{K_2} \rightarrow C$

• Given a known pair $(P, C)$, attack as follows:
– Encrypt $P$ with all $2^{56}$ possible keys for $K_1$.
– Decrypt $C$ with all $2^{56}$ possible keys for $K_2$.
– If $E_{K_1'}(P) = D_{K_2'}(C)$, try the keys on another $(P', C')$.
– If it works, $(K_1', K_2') = (K_1, K_2)$ with high probability.
– Takes $O(2^{56})$ steps; not much more than attacking 1-DES.
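Why doubling the key length does not double the work can be seen at small scale. The following is an added example, not part of the original slides: `enc`/`dec` are a constructed toy cipher (not DES) with 32-bit blocks and 16-bit keys, so the table of middle values fits in memory. The search costs about $2 \times 2^{16}$ cipher operations rather than $2^{32}$, and the second known pair is what filters out coincidental matches.

```python
MASK = 0xFFFFFFFF   # 32-bit blocks
KEY_BITS = 16       # toy key size; DES uses 56

def enc(k: int, x: int) -> int:
    # Constructed toy cipher (not DES): add, rotate, xorshift, 3 rounds.
    for r in range(3):
        x = (x + k * 0x9E3779B1 + r) & MASK
        x = ((x << 5) | (x >> 27)) & MASK
        x ^= x >> 16
    return x

def dec(k: int, y: int) -> int:
    for r in reversed(range(3)):
        y ^= y >> 16                       # x ^= x >> 16 is its own inverse
        y = ((y >> 5) | (y << 27)) & MASK
        y = (y - k * 0x9E3779B1 - r) & MASK
    return y

def double_enc(k1: int, k2: int, p: int) -> int:
    return enc(k2, enc(k1, p))             # C = E_K2(E_K1(P))

def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with all known (P, C) pairs."""
    (p, c), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(1 << KEY_BITS):        # 2^16 encryptions of P
        middle.setdefault(enc(k1, p), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):        # 2^16 decryptions of C
        for k1 in middle.get(dec(k2, c), ()):
            # A match on one pair may be a coincidence; confirm on the others.
            if all(double_enc(k1, k2, p2) == c2 for p2, c2 in rest):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    k1, k2 = 0xBEEF, 0x1234                # constructed sample keys
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x01234567, 0x89ABCDEF)]
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```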

3DES with 2 keys
• A straightforward implementation would be:
  $c := E_{k_1}(E_{k_2}(E_{k_1}(m)))$
• In practice: $c := E_{k_1}(D_{k_2}(E_{k_1}(m)))$
• Also referred to as EDE encryption.
• Reason: if $k_1 = k_2$, then 3DES = 1DES. Thus, a 3DES software can be used as a single-DES.
• Standardized in ANSI X9.17 & ISO 8732.
• No practical attacks are known.

3DES with 3 keys
• Encryption: $c := E_{k_3}(D_{k_2}(E_{k_1}(m)))$.
• If $k_1 = k_3$, it becomes 3DES with 2 keys.
• If $k_1 = k_2 = k_3$, it becomes the regular DES.
• So, it is backward compatible with both 3DES with 2 keys and the regular DES.
• Some internet applications adopt 3DES with three keys; e.g. PGP and S/MIME.

AES: Advanced Encryption Standard
• In 1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard.
• Requirements: block length of 128 bits, key
lengths of 128, 192, and 256 bits.
• In 2000, Rijndael cipher (by Rijmen and
Daemen) was selected.
• An iterated cipher, with 10, 12, or 14 rounds.
• Rijndael allows various block lengths.
• But AES allows only one block size: 128 bits.

Modulo-2 Arithmetic
• There are only two numbers: 0 and 1.
• Addition, subtraction and multiplication are as below:

+ | 0 1      − | 0 1      × | 0 1
0 | 0 1      0 | 0 1      0 | 0 0
1 | 1 0      1 | 1 0      1 | 0 1

• Note: addition = subtraction = XOR.


Byte-oriented operations
• Each byte is viewed as a polynomial of degree $\le 7$.
• Example: $a = 10001001 = x^7 + x^3 + 1 = A(x)$,
  $b = 10000010 = x^7 + x = B(x)$.
• Addition and subtraction are simply bitwise XOR:
  $a \oplus b = 10001001 \oplus 10000010 = 00001011 = A(x) + B(x)$.
  $a \ominus b = 10001001 \ominus 10000010 = 00001011 = A(x) - B(x)$.

Byte-oriented operations
• Multiplication ($\otimes$): "regular" polynomial multiplication ($\times$) modulo a fixed modulus $P(x)$, where
  $P(x) = x^8 + x^4 + x^3 + x + 1 = 100011011$.
  $a \otimes b = A(x) \times B(x) \bmod P(x)$
  $= x^{14} + x^{10} + x^8 + x^7 + x^4 + x \bmod P(x)$
  $= x^6 + x^5 + x^4 + x^3 + x^2 + x + 1$
  $a \otimes b = 10001001 \times 10000010 \bmod 100011011$
  $= 100010110010010 \bmod 100011011$
  $= 01111111$

Byte-oriented operations
• For any byte $a$ (viewed as a polynomial), there is a unique byte $b$ (also viewed as a polynomial) such that $a \otimes b = 1$.
• This element $b$ is called the inverse of $a$, and is denoted by $a^{-1}$.
• Mathematically, the set of all polynomials of degree $\le 7$ forms a field, GF($2^8$), under the operations of addition and multiplication mod $P(x)$, where $P(x)$ is a fixed modulus.

Structure of Rijndael
• $N_b$: block size (number of words). For AES, $N_b = 4$.
• $N_k$: key length (number of words).
• $N_r$: number of rounds, depending on $N_b$, $N_k$.
• Assume: $N_b = 4$, $N_k = 4$, $N_r = 10$.
• state: a variable of 4 words, holding the data block, viewed as a $4 \times 4$ matrix of bytes; each column is a word.
• Key schedule: 11 round keys $key_0, key_1, \ldots, key_{10}$ computed from the main key $k$.

Rijndael algorithm (input: plaintext m, key k)
    state ← m
    AddKey(state, key_0)
    for i ← 1 to N_r − 1 do
        SubBytes(state)
        ShiftRows(state)
        MixColumns(state)
        AddKey(state, key_i)
    SubBytes(state)
    ShiftRows(state)
    AddKey(state, key_{N_r})
    return(state)

Figure 5.1 AES Encryption and Decryption

AddKey(state, $key_i$)

$state \leftarrow state \oplus key_i$

SubBytes(state)
• Each byte $z$ in the state matrix is substituted with another byte $S_{RD}(z) = A z^{-1} + b$.
• The substitution $S_{RD}(z) = A z^{-1} + b$, called Rijndael's S-box, is based on some mathematics in finite fields, and can be specified as a table (Table 5.4 of Stallings).

• That is, treat $z$ as an element in GF($2^8$).
• Find its multiplicative inverse $z^{-1}$ in GF($2^8$).
• Now treat $z^{-1}$ as a vector of 0/1.
• Multiply $A$ with $z^{-1}$, and add the result to $b$.

$$A = \begin{pmatrix}
1&0&0&0&1&1&1&1\\
1&1&0&0&0&1&1&1\\
1&1&1&0&0&0&1&1\\
1&1&1&1&0&0&0&1\\
1&1&1&1&1&0&0&0\\
0&1&1&1&1&1&0&0\\
0&0&1&1&1&1&1&0\\
0&0&0&1&1&1&1&1
\end{pmatrix}
\quad\text{and}\quad
b = \begin{pmatrix} 1\\1\\0\\0\\0\\1\\1\\0 \end{pmatrix}$$

ShiftRows(state)
• Left-shift row $i$ circularly by $i$ bytes, $0 \le i \le 3$.

$$\begin{pmatrix} a&b&c&d\\ e&f&g&h\\ i&j&k&l\\ m&n&o&p \end{pmatrix}
\rightarrow
\begin{pmatrix} a&b&c&d\\ f&g&h&e\\ k&l&i&j\\ p&m&n&o \end{pmatrix}$$

MixColumns(state)
• Operate on each column of the state matrix.
• Each column $a = (a_0, a_1, a_2, a_3)$ is substituted with $(b_0, b_1, b_2, b_3)$, where

$$\begin{pmatrix} b_0\\ b_1\\ b_2\\ b_3 \end{pmatrix}
=
\begin{pmatrix} 02&03&01&01\\ 01&02&03&01\\ 01&01&02&03\\ 03&01&01&02 \end{pmatrix}
\begin{pmatrix} a_0\\ a_1\\ a_2\\ a_3 \end{pmatrix}$$

• Using finite-field multiplication and addition.

Math behind MixColumns(state)
• Operate on each column of the state matrix.
• Each column $a = (a_0, a_1, a_2, a_3)$ is viewed as a polynomial:
  $a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$
• A fixed polynomial: $c(x) = 03 x^3 + 01 x^2 + 01 x + 02$.
• Compute $b(x) = b_3 x^3 + b_2 x^2 + b_1 x + b_0$
  $= a(x) \times c(x) \bmod (x^4 + 1)$
• $(a_0, a_1, a_2, a_3)$ is substituted with $(b_0, b_1, b_2, b_3)$

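The byte-oriented operations, SubBytes and MixColumns slides all rest on the same GF($2^8$) arithmetic. The following is an added example, not part of the original slides, that carries them through in code: it multiplies bytes modulo $P(x)$, computes the S-box from the matrix $A$ and vector $b$ as printed above, and evaluates MixColumns in its polynomial form. The function names are this example's own, and the bit order (least significant bit as the top vector entry) is the FIPS-197 convention, assumed here.

```python
P = 0x11B  # P(x) = x^8 + x^4 + x^3 + x + 1 = 100011011

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced mod P(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a            # add (XOR) the current multiple of a
        a <<= 1               # multiply a by x
        if a & 0x100:
            a ^= P            # degree reached 8: subtract P(x)
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse by exhaustive search. 0 has no inverse; AES maps it to 0."""
    return next((b for b in range(1, 256) if gf_mul(a, b) == 1), 0)

# Matrix A and vector b as printed on the SubBytes slide, top row first.
A_ROWS = ["10001111", "11000111", "11100011", "11110001",
          "11111000", "01111100", "00111110", "00011111"]
B_BITS = "11000110"

def sub_byte(z: int) -> int:
    """S_RD(z) = A * z^-1 + b over GF(2); bit 0 is the top vector entry."""
    inv, out = gf_inv(z), 0
    for i, row in enumerate(A_ROWS):
        bit = int(B_BITS[i])
        for j, coeff in enumerate(row):
            bit ^= int(coeff) & (inv >> j) & 1
        out |= bit << i
    return out

C = [0x02, 0x01, 0x01, 0x03]  # c(x) = 03x^3 + 01x^2 + 01x + 02, low degree first

def mix_column(a: list) -> list:
    """b(x) = a(x) * c(x) mod (x^4 + 1), coefficients multiplied in GF(2^8)."""
    b = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            b[(i + j) % 4] ^= gf_mul(a[i], C[j])  # x^4 = 1: exponents wrap mod 4
    return b

if __name__ == "__main__":
    print(format(gf_mul(0b10001001, 0b10000010), "08b"))  # the slide's a, b
    print(hex(sub_byte(0x53)), [hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
```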
Rijndael Decryption
• Each step of Rijndael encryption is invertible.

A Rijndael Animation by Enrique Zabala
