Upload
vilina
View
59
Download
3
Embed Size (px)
DESCRIPTION
Conventional Cryptography (Symmetric Ciphers). Outline. Stream Ciphers and Block Ciphers Confusion and Diffusion DES (Data Encryption Standard) Exhaustive Key Search Triple DES, DESX AES (Advanced Encryption Standard) Operation Modes. Symmetric Encryption. - PowerPoint PPT Presentation
Citation preview
CPSC415 Biometrics and Cryptography 1
Conventional Cryptography(Symmetric Ciphers)
CPSC415 Biometrics and Cryptography 2
Outline• Stream Ciphers and Block Ciphers• Confusion and Diffusion• DES (Data Encryption Standard)• Exhaustive Key Search• Triple DES, DESX• AES (Advanced Encryption Standard)• Operation Modes
CPSC415 Biometrics and Cryptography 3
Symmetric Encryption
• or conventional / secret-key / single-key
• sender and recipient share a common key
• all classical encryption algorithms are private-key
• was only type prior to invention of public-key in 1970’s
CPSC415 Biometrics and Cryptography 4
Symmetric Cipher Model
CPSC415 Biometrics and Cryptography 5
Symmetric Key Cryptography
symmetric key crypto: Bob and Alice share know same (symmetric) key: K
• e.g., key is knowing substitution pattern in mono alphabetic substitution cipher
plaintextciphertext
KA-B
encryptionalgorithm
decryption algorithm
A-B
KA-B
plaintextmessage, m K (m)A-B K (m)A-Bm = K ( ) A-B
CPSC415 Biometrics and Cryptography 6
Requirements• two requirements for secure use of
symmetric encryption:– a strong encryption algorithm– a secret key known only to sender / receiver
Y = EK(X)X = DK(Y)
• assume encryption algorithm is known• implies a secure channel to distribute key
CPSC415 Biometrics and Cryptography 7
Cryptography
• can characterize by:– type of encryption operations used
• substitution / transposition / product– number of keys used
• single-key or private / two-key or public– way in which plaintext is processed
• block / stream
CPSC415 Biometrics and Cryptography 8
Symmetric Key Cryptosystems• Stream ciphers
– Operate on the plaintext a single bit (or sometimes byte) at a time
– Simple substitution– Poly-alphabetic substitution– Feedback Shift Register Sequences– e.g. SEAL, RC4 (used by WLAN IEEE 802.11 in WEP)
• Block ciphers– Operate on the plaintext in groups of bits. The
groups of bits are called blocks.– Typical block size is 64 bits or multiple of it
• E.g. 128 bits, 256 bits.– DES, AES (Rijndael)– Others include IDEA, Blowfish, RC5, …– Different modes of operation
CPSC415 Biometrics and Cryptography 9
Properties that one would like to have in
an encryption scheme• Easy to encrypt• Easy to decrypt• Provides fast encryption and decryption speed• Minimal bandwidth expansion• Generate diffusion and confusion (security)
CPSC415 Biometrics and Cryptography 10
Confusion and Diffusion• Shannon in 1948 introduced two concepts as basic building
blocks for designing cryptographic systems• Diffusion: to obscure the statistical structure of the
plaintext from the ciphertext.– By having each ciphertext digit be affected by more than one
plaintext digit– In other words, to have the statistical structure of the plaintext
be dissipated into long-range statistics of the ciphertext.– e.g.
– where message M = m1, m2, … and a ciphertext letter yn is obtained by adding k successive plaintext (English) letters.
• Confusion: to obscure the statistical dependence between the encryption key and the ciphertext– to thwart attempts to discover the key– simple linear substitution generates little confusion– This can be achieved by using complex substitution algorithms.
)26(modmyk
1iinn
CPSC415 Biometrics and Cryptography 11
Block Ciphers
• An encryption algorithm that takes a fixed length block of message letters (plaintext) and a key (not necessarily the same length), and produces a block of ciphertext of the same length as the plaintext.
• The key is reused for different plaintext blocks• Typical block sizes (value of n): 64 bits, 128 bits• Complex modes of operation are used in practice• Key sizes (value of k): 56 bits (DES), 128/192/256 bits (AES)
secret key(k bits)
Message(n bits)
Ciphertext(n bits)
CPSC415 Biometrics and Cryptography 12
Common Block Cipher Design Approach
• Iterative cipher– start with a simple but
useful function f– iterative f many rounds
until it is “secure”–F: Feistel structure is quite
common (e.g., DES)
message
ciphertext
F
F
F
CPSC415 Biometrics and Cryptography 13
Block Cipher Operation (Simplified)
Block of plaintext
S S S S
S S S S
S S S S
KeyAdd some secret key bitsto provide confusion
Each S-box permutes its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext)
repeat for several rounds
Block of ciphertextProcedure must be reversible
(for decryption)
CPSC415 Biometrics and Cryptography 14
Block Cipher Principles
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• instead create from smaller building blocks
• using idea of a product cipher
CPSC415 Biometrics and Cryptography 15
Data Encryption Standard (DES)• DES was adopted as a US federal
standard for commercial encryption in 1975.
• Feistel Cipher: the fundamental building block of DES designed by IBM.
• Design requirements:– must provide high level of security
(commercial standard)– Security must not depend on secrecy of
algorithm (Kerckhoff’s principle)– Must be easily and economically implemented
CPSC415 Biometrics and Cryptography 16
Overview of DESC = DES (K, M)• Block size = 64 bits• Key size = 56 bits• Number of rounds = 16• IP - Initial Permutation• IP-1 - The inverse of IP• f - A nonlinear function• Ki - Round i subkey (48
bits)• Each Feistel block can be
described asLi = Ri-1
Ri = Li-1 f (Ri-1, Ki)
CPSC415 Biometrics and Cryptography 17
The Initial Permutation
How to read this table?The 58th bit of input x will be the 1st bit of output IP(x), the 50th bit of x is the second bit of IP(x), etc.
• Do not affect security.• As far as anyone can tell, it makes things awkward for
1975-era general-purpose computers.(DES predates 16-bit or 32-bit microprocessor busses)
CPSC415 Biometrics and Cryptography 18
Feistel Transformation Block• In Round i,
– Separate message block into two 32-bit halves, Li and Ri– Introduce confusion by using a “complex” nonlinear function f– f has two inputs: Ri and a 48-bit round key, Ki– Introduce diffusion by “adding” Li and the output of f
• DES(K, ·) is a sequence of Feistel transforms.Li+1 = Ri
Ri+1 = Li f(Ri, Ki+1)
Li-1 Ri-1
f
Li Ri
Ki+1
CPSC415 Biometrics and Cryptography 19
Nonlinear Function f in Feistel Transformation
f(R, K) : (32 bits, 48 bits) 32 bits– expand R to 48 bits R’ using permutation
and repetition– R’ XOR with K – subdivide the result into 8 blocks of 6 bits
each– each 6-bit block goes through a S-box to
produce 4 bits– permute the 32-bit string
CPSC415 Biometrics and Cryptography 20
S1
6
4 4 4 4 4 4 4 4
6 6 6 6 6 6 6
Li Ri-1
Ri+1Li+1
S2 S3 S4 S5 S6 S7 S8
Expansion
Ki+1
Permutation32
48
4848
32
32
32
CPSC415 Biometrics and Cryptography 21
Expansion Permutation• Output bits 32, 1, 2, 3, 4, 5, then 4, 5
again, and so on.• For each output group of six bits (one
row in the E table), the two outer bits select a row of a S-box, and the four bits in the middle chooses the substitution value.
CPSC415 Biometrics and Cryptography 22
S-box 1: Bit Bits 2, 3, 4, and 5 form: 1 6 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 1 0 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 1 1 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
The S-Box Substitution• There are eight S-boxes.• Each takes 6 bits to 4 bits.• Take the 6-bit input b1, b2, b3, b4, b5, b6
• Interpret b1 b6 as a row number, between 0 and 3.• Interpret b2 b3 b4 b5 as a column number, 0 through
15.
CPSC415 Biometrics and Cryptography 23
A Summary of One DES Round
CPSC415 Biometrics and Cryptography 24
DES Key Schedule(Subkey Generation)
56-bit key K
Permutation P1
Permutation P2
C0 D0
Cyclic Shift Cyclic Shift
K1
C1 D1
8-byte key has 8 parity check bits
Each has 28 bits
Number of shifts are dependent on i for each Ki
56
48
CPSC415 Biometrics and Cryptography 25
Security of DES• Avalanche Effect
– Change in one input bit produces independent changes in at least two output bits
• Bit Independence– No dependence on the changes of input bits
with the changes of output bits• Number of rounds
– 15 or fewer rounds make cryptanalytic attacks against reduced-round DES easier than brute force key search (which needs to try a total of 256 keys in the worst case)
• Security of DES mainly relies on the nonlinearity of the f (i.e. the S-boxes)
CPSC415 Biometrics and Cryptography 26
DES Controversy• When DES was proposed as a standard in 1975, there was
considerable criticism.• One objection to DES concerned the S-boxes: all computations
in DES, with the exception of the S-boxes, are linear. The S-boxes, being the non-linear component of the cryptosystem, are vital to its security. However, the design criteria of the S-boxes are not completely known.
• Due to the NSA collaboration, several people have suggested that the S-boxes might contain hidden “trapdoors” which would allow the NSA to decrypt messages while maintaining that DES is “secure”. It is of course, impossible to disprove such an assertion, but no evidence has come to light that indicates that trapdoors in DES do in fact exist.
• The most pertinent criticism of DES is the reduction of key length from original 112-bits down to 56-bits.
• The size of the keyspace, 256, is “too small” to be really secure.
CPSC415 Biometrics and Cryptography 27
Exhaustive Key Search• Given a plaintext x and corresponding ciphertext y, every
possible key would be tested until a key K is found such thatEK(x) = yNote: there may be more than one such key K.
• Total number of keys = 256 7.21016 keys• Assume at a speed of 106 encryptions per second, it would
need more than 1000 years to break DES.• Diffie and Hellman postulated in 1977 that a DES cracking
machine with 106 processors, each could test 106 keys per second, could be built for about US$20M.– This machine could break DES in about 10 hours.
CPSC415 Biometrics and Cryptography 28
Exhaustive Key Search• In 1993, Michael Wiener presented a pipelined chip which does
16 encryptions simultaneously and tests 5107 DES keys per second.
• Each chip could be built for US$10 using current technology.• A frame consisting of 5760 chips can be built for $100K.
• In 1997, cost cut by a factor of 6• Software version of DES cracking effort can be found at
http://www.distributed.net/des/• Current Record: 22 hrs and 15 mins to break DES by
distributed software cracking effort.
Machine Unit Cost Expected Time $100,000 35 hours $1,000,000 (10 f rames) 3.5 hours $10,000,000 (100 f rames) 21 minutes
CPSC415 Biometrics and Cryptography 29
How to strengthen DES?
CPSC415 Biometrics and Cryptography 30
Triple DES and DESX• Triple DES: two 56-bit keys
• DESX: three 56-bit keysC = K3 DES(K2 , M K1)
DES DES-1 DESM C
K1 K2 K1
DES M
K1 K2 K3
C
• Similar security to DES using differential cryptanalysis and linear cryptanalysis
• But much harder to break using exhaustive key search than DES.
CPSC415 Biometrics and Cryptography 31
DES Replacements• The most popular DES replacements in US are RC2,
RC4 and RC5.• The first two are used by SSL version 3.• The most popular DES replacement in Europe is IDEA• The most popular DES replacement in Japan is FEAL-
N.• AES (Advanced Encryption Standard) is the ‘official’
replacement of DES.• The AES algorithm is called Rijndael.
CPSC415 Biometrics and Cryptography 32
Overview of Rijndael• Rijndael: the algorithm chosen for AES (Advanced
Encryption Standard)• Both the key size and the block size may be chosen to be
any of 128, 192, or 256 bits, although the AES only requires key size to be selectable in one of these lengths and the block size is fixed to be 128 bits long.
• Number of rounds is a function of the block and key length:– 10 rounds if both the block and the key are 128 bits long;– 12 rounds if either the block or the key is 192 bits long, and
neither of them is longer than that;– 14 rounds if either the block or the key is 256 bits long.
• From their Web page:If you’re Dutch, Flemish, Indonesian, Surinamer or South-African, it’s pronounced like you think it should be. Otherwise, you could pronounce it like “Reign Dahl”, “Rain Doll”, “Rhine Dahl”. We’re not picky. As long as you make it sound different from “Region Deal”.
CPSC415 Biometrics and Cryptography 33
• Fully byte-oriented• good for both software and hardware implementations
• Rijndael is composed of1. An initial XOR step (AddRoundKey)2. Regular round transformations (or rounds)3. Final round
• Each regular round involves four steps:1. ByteSub2. ShiftRow3. MixColumn4. AddRoundKey
• The final round is a regular round but with MixColumn omitted.
Rijndael Round Function
CPSC415 Biometrics and Cryptography 34
The Round Transformation• ByteSub
Each byte of the data block is substituted according to values given in an S-Box.
• ShiftRowRows (except first row) of the State are cyclic shifted left independently.
• MixColumn• AddRoundKey
http://www.nist.gov/aeshttp://
www.esat.kuleuven.ac.be/~rijmen/rijndael/
35CPSC415 Biometrics and Cryptography
Rijndael Wrap Up
• The Rijndael algorithm is not a Feistel system• In a Feistel system, half of the bits are moved but not
changed during each round.• In Rijndael, all bits are treated uniformly. This has the
effect of diffusing the input bits faster.• It can be shown that two rounds are sufficient to
obtain full diffusion, namely, each of the 128 output bits depends on each of the 128 input bits.
• So far, there is no known attack beats brute force for seven or more rounds. It was felt that four extra rounds provide a large enough margin of safety.
• Of course, the number of rounds could easily be increased if needed.
CPSC415 Biometrics and Cryptography 36
Operation Modes• How to encrypt a plaintext which is longer
than the size of a cipher block?– E.g. Using AES to encrypt 1024-bit plaintext
• How to encrypt a plaintext which is not a multiple of cipher block size?– E.g. Using AES to encryption 129-bit plaintext
CPSC415 Biometrics and Cryptography 37
Electronic Codebook Mode (ECB)Ci = DES (K, Mi)• Each block is encoded independently using the same key• Padding is needed• Used to transmit fixed length messages, e.g. session key• One bit transmission error affects one cipher block• Repeated plaintext blocks produce the same cipher blocks• Not frequently used in practice
– Why?
M1
DESK K K
C1 C2Ct
M2 Mt
DES DES
CPSC415 Biometrics and Cryptography 38
Cipher Block Chaining (CBC)• Goal: repeated plaintext blocks produce different ciphertext blocks
Ci = DES(K, Mi Ci-1)• Initiation vector (IV = C0) is used for randomization• Padding is required • If one bit of M1 is changed, all subsequent blocks will be affected
– can be used for constructing a MAC – Message Authentication Code• Maintain IV secret to strengthen security of the system• Generally used for block oriented transmission
DES DES
M1 M2
C1C2
IV
K K
CPSC415 Biometrics and Cryptography 39
Counter Mode• Goal: to eliminate padding and error
propagation– use block cipher as a pseudorandom bit generator
• Encryption algorithm:– Encrypt a known string of numbers in ECB mode,
producing a string of output blocks DES(K, Ii)– Compute Ci = Mi DES(K, Ii)
• One bit transmission error spoils one bit onlyI1
DESK K K
C1Ct
I2 It
DES DES
M1
M2 Mt
C2
CPSC415 Biometrics and Cryptography 40
Comparison on Symmetric Encryption Algorithm
Algorithm Strength Features (Key length)
3DES Strong 64, 112, 168
AES Strong 128, 192, 256
IDEA (International Data Encryption Algorithm)
Strong 64, 128
Blowfish Weak 32, 448
RC4 Weak
RC5 Strong 32, 64, 128
CPSC415 Biometrics and Cryptography 41
Problems with Symmetric Encryption• A single key must be shared in pairs of each sender and
receiver. In a distributed environment with large numbers of combination pairs involved in many-to-one communication topology, it is difficult for the one recipient to keep so many keys in order to support all communication.
• Key management: setting up and acquisition of the secret key.
• The integrity of data can be compromised because the receiver cannot verify that the message has not been altered before receipt.
• It is possible for the sender to repudiate the message because there are no mechanisms for the receiver to make sure that the message has been sent by the claimed sender.