Chapters 2-3

Conventional Encryption
//Modified by Prof. M. Singhal// Henric Johnson Blekinge Institute of Technology, Sweden http://www.its.bth.se/staff/hjo/ henric.johnson@bth.se
Henric Johnson 1

Outline
Conventional Encryption Principles Conventional Encryption Algorithms Cipher Block Modes of Operation Location of Encryption Devices Key Distribution

Henric Johnson

Conventional Encryption Principles

An encryption scheme has five ingredients:
Plaintext Encryption algorithm Secret Key Ciphertext Decryption algorithm

Security depends on the secrecy of the key, not the secrecy of the algorithm.
Henric Johnson 3

Conventional Encryption Principles

Henric Johnson

Generically classified along three independent dimension

Cryptography

1. The

type of operations used for transforming plaintext to ciphertext.

Two general principles: A. Substitution: An element in plaintext is mapped into another element. B. Transposition: Elements in the plaintext are rearranged. >>Fundamental requirements: all operations be reversible. >> Most systems use a combination of substitution and transposition. Henric Johnson

Cryptography
2. The number of keys used
symmetric (single key) Both sender and receiver use the same key. asymmetric (two-keys, or public-key encryption) Sender and receiver use a different key.

Henric Johnson

Cryptography
3. The way in which the plaintext is processed
Block cipher: Encrypts/decrypts a block at a time. Stream cipher: Encrypts/decrypts one element a time.

Henric Johnson

Cryptanalysis
The process of discovering the key or the plaintext.
Strategy depends upon the type of encryption scheme and the amount of information available.

Types of Attacks:
Ciphertext only, Known plaintext, Chosen plaintext, Chosen ciphertext, and Chosen text. //It is assumed that the encryption algorithm is known to a Henric Johnson cryptanalyst.// 8

Cryptanalysis
Types of Attacks --------------------Ciphertext only. Known plaintext. Info. Known to Cryptanalyst -------------------------------Ciphertext to be decoded. -Ciphertext to be decoded. -Corresponding plaintext. -Plaintext message of the choice of cryptanalyst and corresponding ciphertext.

Chosen plaintext.

Henric Johnson

Cryptanalysis
Types of Attacks --------------------Chosen ciphertext. Info. Known to Cryptanalyst -------------------------------Ciphertext to be decoded. -Purported ciphertext chosen by the cryptanalyst along with corresponding plaintext.

Henric Johnson

10

Cryptanalysis
Types of Attacks --------------------Chosen text. Info. Known to Cryptanalyst -------------------------------Ciphertext to be decoded. -Purported ciphertext chosen by the cryptanalyst along with corresponding plaintext. -Plaintext message of the choice of cryptanalyst and corresponding ciphertext.
Henric Johnson 11

Two more definitions

Unconditionally secure and Computationally secure.

(1) Unconditionally secure scheme:

No matter how much time and resources an intruder has, he/she can not decrypt the ciphercode.
>No encryption method is unconditionally secure except one. (One-time pad)

Henric Johnson

12

One-time Pad
A random key sequence is used with no repetitions. >The key is as long as the message. > Ciphertext bears no statistical relationship to the plaintext. A Problem: Sender and receiver must possess this random key sequence.
Henric Johnson 13

Two more definitions

(1) Unconditionally secure scheme Encryption algorithms strive for one or both of the following criteria: A. The cost of breaking a cipher exceeds the value of the encrypted information. B. The time required to break the cipher exceeds the useful lifetime of the info. (2) Computationally secure scheme If the above two criteria are met.
Henric Johnson 14

Average time required for exhaustive key search

Key Size Number of Time required at (bits) Alternative Keys 106 Decryption/s 32 56 128 168 232 = 4.3 x 109 256 = 7.2 x 1016 2128 = 3.4 x 1038 2168 = 3.7 x 1050
Henric Johnson

2.15 milliseconds 10 hours 5.4 x 1018 years 5.9 x 1030 years

15

Diffusion and Confusion

Shannon introduced the principles of Diffusion and Confusion for encryption. Idea: break dependencies and introduce as much randomness in the ciphertext. Main objective: to thwart statistical cryptanalysis of ciphertext. Basic idea is to churn the plaintext so that syntactical and language-specific features are eliminated.
Henric Johnson 16

Diffusion and Confusion

Diffusion: The statistical structure of the plaintext is spread (dissipated) into long-range statistics of the ciphertext. Achieved by having each plaintext digit affect the value of many ciphertext digits. Objective is to globalize the local affects.
Henric Johnson 17

Diffusion and Confusion

Confusion: Attempts to make the relationship between the ciphertext and the encryption key as complex as possible. Achieved by using a complex substitution algorithm. Even if an attacker can some handle on the statistics of the ciphertext, it is very difficult to deduce the key.
Henric Johnson 18

Feistel Cipher Structure

Virtually all conventional block encryption algorithms, including DES have a structure first described by Horst Feistel of IBM in 1973. The realization of a Fesitel Network depends on the choice of the following parameters and design features (see next slide):
Henric Johnson 19

Feistel Cipher Structure

Has the following design parameters: Block size: larger block sizes mean greater security but lower encryption/decryption speed. (64 bits block size is a good compromise.) Key Size: larger key size means greater security but lower encryption/decryption speed. (Appropriate key size is a function of how fast processors are.) Number of rounds: multiple rounds offer increasing security. (16 rounds are mostly used.)
Henric Johnson 20

Feistel Cipher Structure...

Subkey generation algorithm: Greater complexity of this algorithm will lead to greater difficulty of cryptanalysis. Round function: The greater the complexity of rounds function, the greater the resistance to cryptanalysis.
Henric Johnson 21

Henric Johnson

22

Conventional Encryption Algorithms

Data Encryption Standard (DES)
The most widely used encryption scheme The algorithm is referred to as the Data Encryption Algorithm (DEA) DES is a block cipher The plaintext is processed in 64-bit blocks The key is 56-bits in length
Henric Johnson 23

Henric Johnson

24

DES
Initial Permutation (IP): The plaintext block undergoes an intial permutation. > 64 bits of the block are permuted. A Complex Transformation: 64 bit permuted block undergoes 16 rounds of complex transformation. (Using subkeys)
Henric Johnson 25

DES
32-bit swap: 32 bit left and right halves of the output of the 16th round are swapped. Inverse Initial Permutation (IP-1): The 64 bit output undergoes a permutation that is inverse of the intial permutation. >The 64 bit output is the ciphertext.
Henric Johnson 26

Henric Johnson

27

DES
The complex processing at each iteration/round: Li = Ri-1 Ri = Li-1 F(Ri-1, Ki)

Details of function F: It takes 32 bits input and produces a 32 bit output.

Henric Johnson 28

DES
Details of function F: >32 bit input is expanded into 48 bits. -This is done by permuting and duplicating some bits of 32 bits. >Exclusive OR operation is performed between these 48 bits and 48 bit subkey.
Henric Johnson 29

DES
Details of function F:... > 48 bit output of the Exclusive OR operation is grouped into 8 groups of 6 bits each. > Each 6 bit group is fed into a 6to-4 substitution box that transforms 6 bits to 4 bits.
Henric Johnson 30

DES
Details of function F:... > 32 bit output of 8 substitution boxes is fed into a permutation box. > The 32 bit output of the permutation box is F(Ri-1, Ki).
Henric Johnson 31

DES
Concerns about:
The key length (56-bits) > 56 bit key was adequate in 70s. > With faster processors, this encryption method is no longer safe.

Henric Johnson

32

Time to break a code (106 decryptions/s)

Henric Johnson

33

Triple DEA
Use three keys and three executions of the DES algorithm (encryptdecrypt-encrypt)
C = EK3[DK2[EK1[P]]]
C = ciphertext P = Plaintext EK[X] = encryption of X using key K DK[Y] = decryption of Y using key K

Effective key length of 168 bits

Henric Johnson 34

Triple DEA

Henric Johnson

35

Cipher Block Modes of Operation

Cipher Block Chaining Mode (CBC) - A method to increase the security of DES or any block cipher. The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.

- Processing of a sequence of plaintext blocks is chained together.

Henric Johnson 36

Henric Johnson

37

Basis of Cipher Block Chaining

Ci E k [Ci 1 Pi ] D K [Ci ] D K [EK (Ci 1 Pi )] D K [Ci ] (Ci 1 Pi ) Ci 1 D K [Ci ] Ci 1 Ci 1 Pi Pi

Henric Johnson 38

Other Symmetric Block Ciphers

DES has reached the end of its useful lifetime. New symmetric encryption schemes have been proposed in last decade. Examples: International Data Encryption Algorithm (IDEA) Blowfish RC5 Cast-128.
Henric Johnson 39

Other Symmetric Block Ciphers...

International Data Encryption Algorithm (IDEA)
A block cipher with block size 64 bits 128-bit key Used in PGP Confusion: (the ciphertext should depend upon the plaintext and key in a complex way) Confusion is achieved by using three operations. Diffusion: (Each plaintext bit should influence as many ciphertext bits as possible) -IDEA very effective in achieving diffusion.
Henric Johnson 40

IDEA...
Confusion: -Achieved by mixing three different operations. -Each operation takes two 16-bit inputs and produces a 16-bit output. Three Operations: 1. Bit-by-bit Exclusive-OR. 2. Addition of integers modulo 2^16 (=65536) Henric Johnson 41

IDEA
2. Addition of integers modulo 2^16... -inputs and output are treated as 16 bit unsunged integers. 3. Multiplication of integers modulo 2^16+1 (=65537). -inputs and output are treated as 16 bit unsunged integers. -A block of all zeros is treated as 2^16.
Henric Johnson 42

IDEA
Three Operations:.. in combination provide a complex transformation making cryptanalysis very difficult. Three operations are incompatible: >No two satisfy distributive law. >No two satisfy associate law.
Henric Johnson 43

IDEA
Diffusion: Provided by a multiplication/addition structure (MA). >Takes two inputs: (1) Two 16 bit values derived from plaintext. (2) Two 16 bit subkeys derived from the key. >Produces two 16 bit outputs.
Henric Johnson 44

IDEA
Diffusion:.. >Each output bit depends on every input bit and on every bit of the subkeys. //meaning lot of diffusion.//
>This structure is repeated 8 times in the encryption algorithm. //provides very effective diffusion.//
Henric Johnson 45

IDEA
Encryption Algorithm: //draw fig. 4.4.// >Consists of eight rounds. >64 bit input is divided into four 16-bit subblocks. >Each round uses six 16-bit keys. >Each round produces four 16-bit outputs. >Output of a round is fed into the next round.
Henric Johnson 46

IDEA
Details of a Single Round: //draw fig. 4.5// >Four input sub-blocks are combined with four subkeys producing 4 output sub-blocks. >Four output sub-blocks are combined using XOR operation to from two 16 bit blocks. >These two blocks are fed into the MA structure. >MA structure takes & produces two 16-bit outputs. >Four outputs of upper transformation are combined with the two outputs of MA structure to produce four output blocks for this round.
Henric Johnson 47

Other Symmetric Block Ciphers

Blowfish
Easy to implement (simple structrure) High execution speed Run in less than 5K of memory Variable security: key length is variable. (can be as long as 448 bits, range 32..448). > Allows a tradeoff between speed and security. -The key is used to generate 18 32-bit subkeys. -Encryption/decryption consist of 16 rounds.
Henric Johnson 48

Blowfish
Encryption: Uses two primitive operations: 1. Addition: performed modulo 2^32. 2. Bitwise Exclusive-OR. > These two operations do not commute. >Making cryptanalysis difficult.
Henric Johnson 49

Blowfish
Encryption Algorithm: //draw Fig. 4.9a// -Plaintext is divided into two 32 bit halves. -Go through 16 rounds of transformation using subkeys. -Each rounds takes two 32 bit inputs and produces two 32 outputs. -Output of a round is fed into the next round. -The output of 16th round is exclusive-ORed with 17th and 18th subkeys to produce the ciphertext.
Henric Johnson 50

Blowfish
Details of a Single Round: //draw Fig. 4.10// - Each round includes complex use of addition modulo 2^32, Ex-OR, and substitution using SBoxes. - 32 bit input to the function F is divided into four bytes. -Each byte goes through a separate S-box and is expanded into 32 bits. -32 bit outputs go through complex transformation using addition modulo 2^32 and Ex-OR.
Henric Johnson 51

 RC5 Suitable for hardware and software Fast, simple Adaptable to processors of different word lengths Variable number of rounds Variable-length key Low memory requirement High security Data-dependent rotations (circular bit shifts) Cast-128 Key size from 40 to 128 bits The round function differs from round to round
Henric Johnson 52

Other Symmetric Block Ciphers

Location of Encryption Device

Link encryption:
A lot of encryption devices High level of security Decrypt each packet at every switch The source encrypt and the receiver decrypts Payload encrypted Header in the clear

End-to-end encryption

High Security: Both link and end-to-end encryption are needed (see Figure 2.9)
Henric Johnson

53

Henric Johnson

54

Key Distribution
1. A key could be selected by A and physically delivered to B. 2. A third party could select the key and physically deliver it to A and B. 3. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key. 4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B. Henric Johnson 55

Key Distribution (See Figure 2.10)

Session key:
Data encrypted with a one-time session key.At the conclusion of the session the key is destroyed

Permanent key:
Used between entities for the purpose of distributing session keys

Henric Johnson

56

Henric Johnson

57

Recommended Reading
Stallings, W. Cryptography and

1999 Scneier, B. Applied Cryptography, New York: Wiley, 1996 Mel, H.X. Baker, D. Cryptography Decrypted. Addison Wesley, 2001
Henric Johnson

Network Security: Principles and Practice, 2nd edition. Prentice Hall,

58