Embed Size (px)
DESCRIPTION
Lecture 4 Overview. Data Encryption Standard. Combination of substitution and transposition Repeated for 16 cycles Provides confusion and diffusion Product cipher Two weak but complementary ciphers can be made more secure by being applied together. Types of Permutations. - PowerPoint PPT Presentation
Citation preview
Lecture 4 Overview
Data Encryption Standard
• Combination of substitution and transposition– Repeated for 16 cycles– Provides confusion and diffusion
• Product cipher– Two weak but complementary ciphers
can be made more secure by being applied together
CS 450/650 – Lecture 4: DES 2
Types of Permutations
CS 450/650 Fundamentals of Integrated Computer Security 3
Pattern of Expansion Permutation
A High Level Description of DES
CS 450/650 – Lecture 4: DES 4
Input - P
16 Cycles
Output - C
Key
IP
Inverse IP
A Cycle in DES
CS 450/650 – Lecture 4: DES 5
Right halfLeft half
Key shifted
And
Permuted
New R-halfNew L-half
f
K 64 bits
PC-1
K+ 56 bits
C0 28 bits D0 28 bits
C1 28 bits
D1 28 bits
C2 28 bits
D2 28 bits
C16 28 bits
D16 28 bits
PC-2
K1 48 bits K2 48 bits K16 48 bits
Shift
Key Summary
CS 450/650 – Lecture 4: DES 6
32 bits
Kn 48 bits
E
E(Rn-1) 48 bits
E(Rn-1)+Kn 48 bits
S Boxes
P
f
CS 450/650 – Lecture 4: DES 7
The Calculation of the function f
1- Expand Rn-1 E(Rn-1 )
2- XOR Kn + E(Rn-1) = B1B2B3B4B5B6B7B8
3- Substitution S-Boxes S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8)
4- P permutation f = P(S1(B1)S2(B2)...S8(B8)) 8CS 450/650 – Lecture 4: DES
M 64 bits
I-P
L0 32 bits R0 32 bits
IP 64 bits
f
L1 32 bits R1 32 bits
K1 48 bits
Cycle 1
CS 450/650 – Lecture 4: DES 9
L15 32 bits R15 32 bits
f
L16 32 bits R16 32 bits
K16 48 bits
IP-1
C 64 bits
L16 32 bitsR16 32 bits
Cycle 16
CS 450/650 – Lecture 4: DES 10
DES
CS 450/650 – Lecture 4: DES 11
Design of the Algorithm
• key elements of the algorithm design were "sensitive" and would not be made public– the rationale behind transformations by the S-
boxes, the P-boxes, and the key changes• trapdoors?
– Congressional inquiry
• design flaw would be discovered by a cryptanalyst– to date, no serious flaws have been published
CS 450/650 – Lecture 4: DES 12
Does DES Work?
• Differential Cryptanalysis Idea– Use two plaintext that barely differ– Study the difference in the corresponding cipher
text– Collect the keys that could accomplish the change– Repeat
• Diffie and Hellman then outlined a "brute force" attack on DES– try as many of the 256 possible keys
CS 450/650 – Lecture 4: DES 13
Triple DES• Triple-DES is just DES with two 56-bit keys applied. • Given a plaintext message, the first key is used to
DES- encrypt the message. • The second key is used to DES-decrypt the encrypted
message. – Since the second key is not the right key, this decryption
just scrambles the data further.
• The twice-scrambled message is then encrypted again with the first key to yield the final ciphertext.
• This three-step procedure is called triple-DES.
CS 450/650 – Lecture 4: DES 14
Lecture 6 Advanced Encryption Standard (AES)
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
The Birth of AES
• By mid 1990s, virtually all cryptologists agreed that DES needed to be replaced
• NIST abandoned the official endorsement of DES in 1997 and began work on a replacement– to be called the Advanced Encryption Standard
• Despite concerns about its vulnerability– DES is still widely used by worldwide to protect
sensitive on-line applicationsCS 450/650 Lecture 6: AES 16
The minimum requirements
• A symmetric-key cryptosystem• A block cipher• Capable of supporting a block size of 128 bits• Capable of supporting key length of 128, 192,
and 256 bits• Available on a worldwide, non-exclusive,
royalty-free basis
CS 450/650 Lecture 6: AES 17
Criteria for Evaluation
• Security– Soundness of the mathematical basis for an
algorithm’s claimed strength– Research community search for flaws
• Computational Efficiency• Memory Requirements• Flexibility• Simplicity
CS 450/650 Lecture 6: AES 18
Advanced Encryption Standard
• NIST chose 15 algorithms for evaluation in the first round– 9 of them were descendants of DES
• 5 made it to the second round
• Rijndael (Rine dahl) – by Vincent Rijmen & Joam Daemen– selected based on efficiency and implementation– In 2001, it was formally adopted by US
CS 450/650 Lecture 6: AES 19
AES (cont)
• 10, 12, 14 rounds for 128, 192, 256 bit keys– Regular Rounds (9, 11, 13)– Final Round is different (10th, 12th, 14th)
• Each regular round consists of 4 steps– Byte substitution (BSB)– Shift row (SR)– Mix column (MC)– Add Round key (ARK)
CS 450/650 Lecture 6: AES 20
AES Overview
Plaintext (128) ARK Subkey0
Ciphertext (128) ARK Subkey10
SR
BSB
9 rounds
CS 450/650 Lecture 6: AES 21
Round i operations
Subkeyi
CS 450/650 Lecture 6: AES 22
128-bit substitution boxes
transposition step of circular shift
Left shift and XOR of bits
portion of key is XORed
confusion
confusion
diffusion and confusion
confusion
State
b0 b4 b8 b12
b1 b5 b9 b13
b2 b6 b10 b14
b3 b7 b11 b15
128-bit block 4 x 4 matrix128 bits 16 bytes b0, b1, b2, .., b15
CS 450/650 Lecture 6: AES 23
S0,0 S0,1
Key
k0 k4 k8 k12
k1 k5 k9 k13
k2 k6 k10 k14
k3 k7 k11 k15
128-bit key 4 x 4 matrix128 bits 16 bytes k0, k1, k2, .., k15
CS 450/650 Lecture 6: AES 24
Four Operations
1. Byte Substitution– predefined substitution table s[i,j] s’[i,j]
2. Shift Row– left circular shift
3. Mix Columns– 4 elements in each column are multiplied by a
polynomial
4. Add Round Key– Key is derived and added to each column
CS 450/650 Lecture 6: AES 25
Substitution table
26CS 450/650 Lecture 6: AES
Exercise
• Using the table, find the substitution of
6b, ff, 6e, 09
7f, 16, 9f, 01
CS 450/650 Lecture 6: AES 27
Shift Row (128-bit)b0 b4 b8 b12
b1 b5 b9 b13
b2 b6 b10 b14
b3 b7 b11 b15
b0 b4 b8 b12
b5 b9 b13 b1
b10 b14 b2 b6
b15 b3 b7 b11
CS 450/650 Lecture 6: AES 28
Byte as a Polynomial
• One byte 8 bits B7, B6, B5, B4, B3, B2, B1, B0
B7x7 + B6 x6 + B5 x5 + B4 x4 + B3 x3 + B2 x2 + B1 x1 + B0
• Example:• E5 (hex) = 1110 0101 (binary)
= x7 + x6 + x5 + x2 + 1 (poly)
CS 450/650 Lecture 6: AES 29
Mix Column
2 3 1 1
1 2 3 1
1 1 2 3
3 1 1 2
S0,i
S1,i
S2,I
S3,i
S’0,I
S’1,I
S’2,I
S’3,i
= *
Multiplying by 1 no change
Multiplying by 2 shift left one bit
Multiplying by 3 shift left one bit and XOR with original value
More than 8 bits 100011011 is subtracted CS 450/650 Lecture 6: AES 30
Exercise
CS 450/650 Lecture 6: AES 31
2 3 1 1
1 2 3 1
1 1 2 3
3 1 1 2
e5
a8
6f
33
S’0,I
S’1,I
S’2,I
S’3,i
= *
6e
2c
c6
95
Add Key
b0 b4 b8 b12
b1 b5 b9 b13
b2 b6 b10 b14
b3 b7 b11 b15
k0 k4 k8 k12
k1 k5 k9 k13
k2 k6 k10 k14
k3 k7 k11 k15
b’x bx kx= XOR
CS 450/650 Lecture 6: AES 32
Example
k = 1f 34 0c da 5a 29 bb 71 6e a3 90 f1 47 d6 8b 12
B = e5 a8 6f 33 0a 52 31 9c c2 75 f8 1e b0 46 de 3a
B’ = fa 9c 63 9e 50 7b 8a ed ac d6 68 ef f7 90 55 28
CS 450/650 Lecture 6: AES 33
Key Generation
4 bytes 4 bytes 4 bytes 4 bytes
4 bytes 4 bytes 4 bytes 4 bytes
Circular left shift 1byte
S-box
XORXOR
Round constant
CS 450/650 Lecture 6: AES 34
Round Constant Table
Round Round Constant (hex)1 01 00 00 00
2 02 00 00 00
3 04 00 00 00
4 08 00 00 00
5 10 00 00 00
6 20 00 00 00
7 40 00 00 00
8 80 00 00 00
9 1b 00 00 00
Final 36 00 00 00
CS 450/650 Lecture 6: AES 35
DES vs AES
DES AESDate 1976 1999
Block size 64 bits 128 bits
Key length 56 bits 128, 192, 256, … bits
Encryption primitives Substitution and permutation Substitution, shift, bit mixing
Cryptographic primitives
Confusion and diffusion Confusion and diffusion
Design Open Open
Design rationale Closed Open
Selection process Secret Secret (accepted public comment)
Source IBM, enhanced by NSA Belgian cryptographers
36CS 450/650 Lecture 6: AES
