Information Security and Management
3. Block Ciphers and the Data Encryption Standard
Chih-Hung Wang, Fall 2011
Block Cipher Principles

Block Ciphers and Stream Ciphers

• Block ciphers and stream ciphers
▫ A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
▫ It is like a substitution on very big characters (64 or 128 bits or more).
▫ A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
▫ Many current ciphers are block ciphers.
Motivation

• Reversible mapping

Plaintext  Ciphertext
00         11
01         10
10         00
11         01

Reversible Mapping

• Irreversible mapping: in the table below, plaintexts 10 and 11 both map to 01, so the ciphertext 01 cannot be decrypted uniquely.

Plaintext  Ciphertext
00         11
01         10
10         01
11         01
A General Substitution Cipher

• If a small block size, such as n = 4, is used, then the system is equivalent to a classical substitution cipher. Such systems are vulnerable to statistical analysis of the plaintext.
• An arbitrary reversible substitution cipher for a large block size is not practical.
• The size of the key is $n \cdot 2^n$ bits. For a 64-bit block, the key size is $64 \times 2^{64} \approx 10^{21}$ bits.
Block Cipher Principles

• Most symmetric block ciphers are based on a Feistel cipher structure.
• Feistel proposed the use of a cipher that alternates substitutions and permutations.
• This is needed since we must be able to decrypt ciphertext to recover messages efficiently.
• Block ciphers look like an extremely large substitution.
• One would need a table of $2^{64}$ entries for a 64-bit block.
• Instead, create the cipher from smaller building blocks, using the idea of a product cipher.
Claude Shannon and Substitution-Permutation Ciphers

• In 1949 Claude Shannon introduced the idea of substitution-permutation (S-P) networks
▫ the modern substitution-transposition product cipher
• These form the basis of modern block ciphers.
• S-P networks are based on the two primitive cryptographic operations we have seen before:
▫ substitution (S-box)
▫ permutation (P-box)
• They provide confusion and diffusion of the message.
Diffusion and Confusion

• A cipher needs to completely obscure the statistical properties of the original message.
• A one-time pad does this.
• More practically, Shannon suggested combining elements to obtain:
▫ diffusion – the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext
▫ confusion – makes the relationship between the ciphertext and the key as complex as possible
Feistel Cipher Structure

• Horst Feistel devised the Feistel cipher
▫ based on the concept of an invertible product cipher
• It partitions the input block into two halves.
▫ The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block.
• It implements Shannon's substitution-permutation network concept.
Feistel Cipher Design Principles

• Block size
▫ larger block sizes mean greater security but reduced encryption/decryption speed
• Key size
▫ increasing the size improves security and makes exhaustive key searching harder, but may slow the cipher
• Number of rounds
▫ a single round offers inadequate security
▫ increasing the number improves security, but slows the cipher
• Subkey generation
▫ greater complexity should lead to greater difficulty of cryptanalysis
• Round function
▫ greater complexity means greater resistance to cryptanalysis
• Fast software encryption/decryption
• Ease of analysis
▫ DES does not have an easily analyzed functionality
Feistel Cipher Decryption

• Use the ciphertext as input to the algorithm, but use the subkeys $K_i$ in reverse order.
• Last encryption round (round 16):
$LE_{16} = RE_{15}$
$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$
• First decryption round:
$LD_1 = RD_0 = LE_{16} = RE_{15}$
$RD_1 = LD_0 \oplus F(RD_0, K_{16}) = RE_{16} \oplus F(RE_{15}, K_{16}) = [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16}) = LE_{15}$
General Form of Feistel Cipher

• Encryption, round i:
$LE_i = RE_{i-1}$
$RE_i = LE_{i-1} \oplus F(RE_{i-1}, K_i)$
• Solving for the values of round i-1, which is what decryption computes:
$LE_{i-1} = RE_i \oplus F(RE_{i-1}, K_i) = RE_i \oplus F(LE_i, K_i)$
$RE_{i-1} = LE_i$
Data Encryption Standard (DES)

• History
▫ National Bureau of Standards (now the National Institute of Standards and Technology, NIST), 1977: adopted as Federal Information Processing Standard 46 (FIPS PUB 46)
▫ 1960: IBM LUCIFER project
DES

• Critique
▫ The key length: in IBM's original LUCIFER algorithm it is 128 bits, but that of the proposed system was only 56 bits.
▫ Design criteria for the internal structure (the S-boxes): are there any hidden weak points that could enable NSA to decipher messages without benefit of the key?
▫ Differential cryptanalysis -> DES has a very strong internal structure.
DES

• Not secure?
▫ DES has flourished and is widely used, especially in financial applications.
▫ In 1994, NIST reaffirmed DES for federal use for another five years.
▫ NIST recommends the use of DES for applications other than the protection of classified information.
DES Encryption

• Data are encrypted in 64-bit blocks using a 56-bit key.
• DES transforms a 64-bit input in a series of steps into a 64-bit output.
The Structure of Block Cipher

[Figure: the n-bit plaintext passes through t rounds (1st round, 2nd round, ..., t-th round), each a weak cipher keyed by one of the subkeys $K_1, K_2, \ldots, K_t$ that the sub-key generator derives from the k-bit key; the output of the last round is the ciphertext.]

General Depiction (figure)

Details of Single Round

• $L_i = R_{i-1}$ ; $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$ (i = 1 ... 15)
• $L_i = L_{i-1} \oplus f(R_{i-1}, K_i)$ ; $R_i = R_{i-1}$ (i = 16)
Feistel Encryption

[Figure: the 64-bit input (bits 1 ... 64) passes through IP and is split into $L_0$ and $R_0$ (32 bits each); 16 rounds with round function f and subkeys $k_1, k_2, \ldots, k_{16}$ produce $L_1 R_1, L_2 R_2, \ldots, L_i R_i, \ldots, L_{16} R_{16}$; the 64-bit output is produced by $IP^{-1}$.]
IP and IP-1

IP (Initial Permutation)
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7

IP-1 (Inverse Initial Permutation)
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Expansion & Permutation

Expansion (E): 32 bits -> 48 bits
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

Permutation (P): 32 bits -> 32 bits
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
Calculation of F(R,K)

[Figure: R (32 bits) is expanded by E to 48 bits and XORed with the 48-bit subkey $k_i$; the result passes through the S-boxes S1 S2 S3 S4 S5 S6 S7 S8 and is then permuted by P to give the 32-bit output F.]
S-box (example: S1)

S1          Column
Row   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0    14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
1     0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
2     4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
3    15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

Example input 011001: the outer bits 01 select row 1, the inner bits 1100 select column 12, and S1 outputs 9 (1001).
Key Generation

[Figure: the 64-bit key (bits 1 ... 64) passes through PC-1 to give $C_0$ and $D_0$ (bits 1 ... 28 each); in every round both halves are rotated left, and PC-2 selects the 48-bit subkey $k_i$ from $C_i D_i$, for $i = 1, \ldots, 16$, ending with $C_{16}$ and $D_{16}$.]

Key Generation: Left shift

Round number   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Bits rotated   1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1

PC-1
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4

PC-2
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
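The following is an added example for this page, written in Python; it is not code from the slides or from a DES library. It implements the key schedule as drawn above, using the PC-1, PC-2 and rotation tables from the slides: PC-1 gives $C_0$ and $D_0$, each round rotates both halves left by the scheduled amount, and PC-2 selects the 48-bit subkey. It also carries the checks a reviewer would want: PC-1 never selects a parity bit (positions 8, 16, ..., 64), the rotations sum to 28 so $C_{16} = C_0$ and $D_{16} = D_0$, and a key whose halves are all zero yields sixteen identical subkeys, which is what the "weak keys" item later on this page refers to. The key 133457799BBCDFF1 is a sample value used for illustration, not a value from the slides.

```python
# Added example (not the slides' or a library's code): the DES key schedule built from the
# PC-1, PC-2 and left-shift tables on the slides. Bit 1 is the leftmost bit; tables are 1-based.

PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]

PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]

SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]  # bits rotated in rounds 1..16


def permute(bits, table):
    return "".join(bits[pos - 1] for pos in table)


def hex_to_bits(hex_str):
    return "".join(format(b, "08b") for b in bytes.fromhex(hex_str))


def rotl(half, n):
    """Circular left shift of a 28-bit half."""
    return half[n:] + half[:n]


def key_schedule(key_hex):
    """Return (C_0, D_0, [K_1 .. K_16], C_16, D_16) for a 64-bit key given in hex."""
    key = hex_to_bits(key_hex)
    if len(key) != 64:
        raise ValueError("DES keys are 64 bits (56 effective + 8 parity)")
    cd = permute(key, PC1)                   # PC-1 drops the 8 parity bits: 56 bits remain
    c0, d0 = cd[:28], cd[28:]
    c, d, subkeys = c0, d0, []
    for shift in SHIFTS:
        c, d = rotl(c, shift), rotl(d, shift)
        subkeys.append(permute(c + d, PC2))  # PC-2 selects 48 of the 56 bits
    return c0, d0, subkeys, c, d


def decryption_subkeys(subkeys):
    """Decryption runs the same algorithm with K_16, K_15, ..., K_1."""
    return subkeys[::-1]


def parity_bits_unused():
    """PC-1 must never select bits 8, 16, ..., 64: the parity bits of the 64-bit key."""
    return not any(pos % 8 == 0 for pos in PC1)


def all_subkeys_equal(subkeys):
    """True when every round gets the same subkey, the property of the DES weak keys."""
    return len(set(subkeys)) == 1
```

`key_schedule("0101010101010101")` is the all-zero case: after PC-1 both halves are 28 zero bits, every rotation leaves them unchanged, and all sixteen subkeys come out identical; a key-handling routine should reject keys with this property before use.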
DES Decryption

• Decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.
▫ $K_{16}, K_{15}, \ldots, K_1$

DES Example
The Avalanche Effect

• DES exhibits a strong avalanche effect
▫ Two plaintexts differ by one bit
▫ Two keys differ by one bit

DES Avalanche Effect: Change in Plaintext (1 bit)
Round   Number of bits that differ
1       6
4       39
8       29
12      30
16      34

DES Avalanche Effect: Change in Key (1 bit)
Round   Number of bits that differ
1       2
4       32
8       34
12      33
16      35
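The following is an added example for this page, written in Python; it is not code from the slides and it is not DES. It serves two passages: the Feistel structure and decryption slides earlier on this page (rounds 1 to 15 swap the halves, round 16 does not, and decryption is the same algorithm with the subkeys in reverse order) and the avalanche tables just shown, which it reproduces in spirit by counting how many output bits change after a given number of rounds when one plaintext or key bit is flipped. Two assumptions are specific to this example: the round function F is a keyed hash truncated to 32 bits, and the subkeys are derived by hashing the key with the round number; neither is DES's F or key schedule, so the bit counts differ from the tables (in particular a key-bit flip already changes about half of F's output in round 1, whereas the table shows 2 bits for DES).

```python
# Added example (not the slides' code, not DES): a generic 64-bit Feistel network in the DES
# convention, decryption by reversed subkeys, and an avalanche measurement.
# ASSUMPTIONS of this example: hash-based stand-ins for the round function and key schedule.
import hashlib

HALF = 4  # bytes per half block, so a block is 8 bytes = 64 bits like DES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def F(right, subkey):
    """Stand-in round function: keyed hash of the right half, truncated to HALF bytes."""
    return hashlib.sha256(subkey + right).digest()[:HALF]


def round_keys(key, rounds=16):
    """Stand-in key schedule: K_i = H(key || i), truncated to 8 bytes."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(1, rounds + 1)]


def feistel(block, keys):
    """One Feistel pass over `block`; the last round skips the swap, as in the DES diagram."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be %d bytes" % (2 * HALF))
    l, r = block[:HALF], block[HALF:]
    last = len(keys) - 1
    for i, k in enumerate(keys):
        if i < last:
            l, r = r, xor(l, F(r, k))   # L_i = R_{i-1}; R_i = L_{i-1} xor F(R_{i-1}, K_i)
        else:
            l = xor(l, F(r, k))         # L_n = L_{n-1} xor F(R_{n-1}, K_n); R_n = R_{n-1}
    return l + r


def encrypt(block, key):
    return feistel(block, round_keys(key))


def decrypt(block, key):
    """Same algorithm as encryption, subkeys applied as K_16, K_15, ..., K_1."""
    return feistel(block, round_keys(key)[::-1])


def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data, bit):
    """Return a copy of `data` with bit number `bit` (0 = leftmost) inverted."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (7 - bit % 8)
    return bytes(out)


def plaintext_avalanche(block, key, rounds, bit=0):
    """Output bits that differ after `rounds` rounds when plaintext bit `bit` is flipped."""
    keys = round_keys(key)[:rounds]
    return hamming(feistel(block, keys), feistel(flip_bit(block, bit), keys))


def key_avalanche(block, key, rounds, bit=0):
    """Output bits that differ after `rounds` rounds when key bit `bit` is flipped."""
    return hamming(feistel(block, round_keys(key)[:rounds]),
                   feistel(block, round_keys(flip_bit(key, bit))[:rounds]))


# Constructed sample values (not from the slides) for the checks.
SAMPLE_BLOCK = b"AVALANCH"
SAMPLE_KEY = b"toy-key!"
```

With a single round, flipping a bit in the left half changes exactly one output bit (the round only XORs F of the unchanged right half into the left half), which is why the design principles above call a single round inadequate; after 16 rounds roughly half of the 64 output bits change, as in the slides' tables.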
The Strength of DES

• 56-bit DES
▫ 1977, Diffie & Hellman: a parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond. Average search time down to about 10 hours. The cost would be about $20 million.
▫ 1993, Wiener: key search rate of 50 million keys per second. Design a module that costs $100,000 and contains 5750 key search chips.

Key search machine
Unit cost      Expected search time
$100,000       35 hours
$1,000,000     3.5 hours
$10,000,000    21 minutes
The Strength of DES

• RSA Laboratories
▫ The challenge offered a $10,000 reward to find a DES key given a ciphertext for a plaintext consisting of an unknown message preceded by three known blocks of text containing the 24-character phrase "The unknown message is:".
▫ On January 29, 1997, a brute-force program was developed and distributed over the Internet.
▫ The project linked numerous machines over the Internet and eventually grew to over 70,000 systems.
▫ It ended 96 days later when the correct key was found after examining about one-quarter of all possible keys.
Cryptanalysis of DES

• Differential cryptanalysis
▫ Biham and Shamir [1993] [BIHA93]: can successfully cryptanalyze DES with an effort on the order of $2^{47}$, requiring $2^{47}$ chosen plaintexts (brute-force method: $2^{55}$).
▫ Not very well. Differential cryptanalysis was known to the IBM team as early as 1974.
• Linear cryptanalysis
• Weak keys; semi-weak keys
Differential Cryptanalysis

• A statistical attack against Feistel ciphers
• Uses cipher structure not previously used
• The design of S-P networks has the output of function f influenced by both input and key
• Hence one cannot trace values back through the cipher without knowing the values of the key
• Differential cryptanalysis compares two related pairs of encryptions
▫ with a known difference in the input
▫ searching for a known difference in the output
▫ when the same subkeys are used

Differential Cryptanalysis Compares Pairs of Encryptions (figure)

Differential Cryptanalysis (Three Rounds of DES) (figure)
Linear Cryptanalysis

• Another recent development
• Also a statistical method
• Must be iterated over rounds, with decreasing probabilities
• Developed by Matsui et al. in the early 1990s [MATS93]
• Based on finding linear approximations
• Can attack DES given $2^{47}$ known plaintexts, still infeasible as an attack on DES
Block Cipher Design Principles

• Basic principles still like Feistel in the 1970s
• DES design criteria [COPP94] (Coppersmith)
• Number of rounds
▫ The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F.
• Design of function F
▫ S-box design
▫ Provides "confusion", is nonlinear, avalanche
• Key schedule
▫ Complex subkey creation, key (strict) avalanche, bit independence [ADAM94]
Block Cipher Modes

Apply DES in Multiple Data Blocks

[Figure: the plaintext M is divided into 64-bit blocks (64 bits, 64 bits, 64 bits, 64 bits, ...); each block is processed by the DES cipher to give the ciphertext C.]

• Four modes have been defined (FIPS PUB 74, 81)
▫ Electronic Codebook (ECB)
▫ Cipher Block Chaining (CBC)
▫ Cipher Feedback (CFB)
▫ Output Feedback (OFB)
• NIST has expanded the list of recommended modes to five in Special Publication 800-38A
▫ Counter (CTR)
ECB

• Each block of 64 plaintext bits is encoded independently using the same key.
• Typical application
▫ Secure transmission of single values (e.g., an encryption key)
• Security
▫ For lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.
▫ For example: the message always starts out with certain predefined fields.
▫ The message has repetitive elements, with a period of repetition a multiple of 64 bits.

ECB (figure)
CBC

• The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext.
• Typical application
▫ General-purpose block-oriented transmission
• Expression
▫ Encryption: $C_n = E_K(C_{n-1} \oplus P_n)$
▫ Decryption: $D_K[C_n] = D_K[E_K(C_{n-1} \oplus P_n)] = C_{n-1} \oplus P_n$
▫ Hence $C_{n-1} \oplus D_K[C_n] = C_{n-1} \oplus C_{n-1} \oplus P_n = P_n$
• IV: initialization vector
▫ Must be known to both the sender and receiver.
▫ The IV should be protected as well as the key.
▫ This can be done by sending the IV using ECB encryption.
▫ If an opponent can predictably change bits in the IV, the corresponding bits of the received value of $P_1$ can be changed.
CFB

• Encryption (figure)
• Decryption (figure)
• CFB (figure from the 5e book)
CFB

• Input is processed J bits at a time. The preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with the plaintext to produce the next unit of ciphertext.
• Typical application
▫ General-purpose stream-oriented transmission
▫ Authentication
• Stream cipher
▫ It is possible to convert DES into a stream cipher, using either CFB or OFB.
▫ A stream cipher eliminates the need to pad a message to be an integral number of blocks.
▫ A stream cipher can operate in real time.
OFB

• Encryption (figure)
• Decryption (figure)
• OFB (figure from the 5e book)
OFB

• Similar to CFB, except that the input to the encryption algorithm is the preceding DES output.
• Typical application
▫ Stream-oriented transmission over a noisy channel (e.g., satellite communication)
• Advantage
▫ Bit errors in transmission do not propagate. If a bit error occurs in $C_1$, only the recovered value of $P_1$ is affected.
• Disadvantage
▫ It is more vulnerable to a message stream modification attack than is CFB.
Counter Mode (CTR)

• Encryption (figure)
• Decryption (figure)
CTR

• This mode was proposed early on [DIFF79]
• Applications to ATM (asynchronous transfer mode) network security and IPSec (IP Security)
• Advantages [LIPM00]
▫ Hardware efficiency
▫ Software efficiency
▫ Preprocessing
▫ Random access
▫ Provable
▫ Simplicity

CTR (figure from the 5e book)
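The following is an added example for this page, written in Python; it is not code from the slides or from a cryptographic library. It implements the five modes described on the slides above (ECB, CBC, CFB with J = 64, OFB and CTR) over one block-cipher interface and checks the properties the slides state: ECB repeats ciphertext blocks when plaintext blocks repeat, CBC recovers $P_n = C_{n-1} \oplus D_K[C_n]$, a predictable change to the CBC IV changes exactly the corresponding bits of $P_1$, and a transmission error in $C_1$ reaches $P_1$ and $P_2$ in CBC and CFB but only $P_1$ in OFB and CTR. One assumption is specific to this example: the block cipher `E`/`D` is a trivial keyed stand-in (XOR with the key followed by a one-byte rotation), not DES. It is a permutation, so the mode arithmetic is exact, but it has no diffusion, so only which blocks an error reaches is meaningful here, not how many bits of a hit block change. The key, IV and plaintext are constructed sample values.

```python
# Added example (not the slides' or a library's code): ECB, CBC, CFB, OFB and CTR over a
# 64-bit block-cipher interface. ASSUMPTION: E/D are a trivial keyed permutation, NOT DES.

BLOCK = 8  # bytes, i.e. 64 bits like DES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def E(key, block):  # stand-in block encryption: XOR with key, rotate one byte
    t = xor(block, key)
    return t[1:] + t[:1]


def D(key, block):  # inverse of E
    return xor(block[-1:] + block[:-1], key)


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(D(key, c) for c in blocks(ct))


def cbc_encrypt(key, iv, pt):
    """C_n = E_K(C_{n-1} xor P_n), with C_0 = IV."""
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(prev, p))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    """P_n = C_{n-1} xor D_K(C_n)."""
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(prev, D(key, c)))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):
    """Full-block CFB (J = 64): C_n = P_n xor E_K(C_{n-1}); only E_K is ever used."""
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(p, E(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, E(key, prev)))
        prev = c
    return b"".join(out)


def ofb_crypt(key, iv, data):
    """O_n = E_K(O_{n-1}), C_n = P_n xor O_n; the same function encrypts and decrypts."""
    out, o = [], iv
    for d in blocks(data):
        o = E(key, o)
        out.append(xor(d, o))
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """C_n = P_n xor E_K(nonce + n): no chaining, so blocks are processed independently."""
    return b"".join(xor(d, E(key, ((nonce + n) % 2 ** 64).to_bytes(BLOCK, "big")))
                    for n, d in enumerate(blocks(data)))


MODES = {"cbc": (cbc_encrypt, cbc_decrypt), "cfb": (cfb_encrypt, cfb_decrypt),
         "ofb": (ofb_crypt, ofb_crypt),
         "ctr": (lambda k, iv, d: ctr_crypt(k, int.from_bytes(iv, "big"), d),) * 2}


def ecb_repeated_blocks(key, pt):
    """ECB regularity: indices of ciphertext blocks that repeat an earlier block."""
    cs = blocks(ecb_encrypt(key, pt))
    return [i for i in range(1, len(cs)) if cs[i] in cs[:i]]


def blocks_hit_by_bit_error(mode, key, iv, pt, bit=3):
    """Flip one bit of C_1 in transit, decrypt, and list the plaintext blocks that change."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(key, iv, pt))
    ct[0] ^= 1 << bit
    recovered = dec(key, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(recovered))) if a != b]


def cbc_iv_bit_flip(key, iv, pt, bit=3):
    """Receiver uses an IV with one bit changed: bits differing per recovered block."""
    bad_iv = bytearray(iv)
    bad_iv[0] ^= 1 << bit
    recovered = cbc_decrypt(key, bytes(bad_iv), cbc_encrypt(key, iv, pt))
    return [sum(bin(x ^ y).count("1") for x, y in zip(a, b))
            for a, b in zip(blocks(pt), blocks(recovered))]


# Constructed sample values (not from the slides); PT repeats its first block in position 2.
KEY = b"8bytekey"
IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"
PT = b"AAAAAAAA" + b"BBBBBBBB" + b"AAAAAAAA" + b"CCCCCCCC"
```

`ecb_repeated_blocks(KEY, PT)` returns `[2]`, the regularity the ECB slide warns about; `cbc_iv_bit_flip(KEY, IV, PT)` returns `[1, 0, 0, 0]`, showing why the CBC slide says the IV must be protected like the key; and `blocks_hit_by_bit_error` returns `[0, 1]` for CBC and CFB but `[0]` for OFB and CTR, the error-propagation contrast stated on the OFB slide.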