William Stallings, Cryptography and Network Security 3/e


Cryptography and Network Security, resuming some notes
Dr. M. Sakalli
Reminding cornerstones (1)
Singular if not reversible: a transformation that cannot be inverted is unusable as a cipher, because decryption must recover the plaintext.
Feistel's construction approximates the ideal block cipher (an arbitrary reversible substitution on n-bit blocks) with a tractable, reversible structure built from simple components; the ideal cipher itself is impractical because its key is the entire mapping table.
a)
Ideal block cipher: an arbitrary substitution on n-bit words. The key is the whole mapping table,
|K| = (word length) × (number of words) = n·2^n bits. For n = 64 that is 2^70 bits, which is infeasible.
A practical cipher with a k-bit key can select only 2^k of the (2^n)! possible transformations.
b)
A linear, reversible system with n = 4 and |K| = n^2 coefficients (the Hill cipher). It is vulnerable to a known-plaintext attack, because the relation between PT and CT is linear in the key:
$$\begin{aligned}
y_1 &= k_{11}x_1 + k_{12}x_2 + k_{13}x_3 + k_{14}x_4 \\
y_2 &= k_{21}x_1 + k_{22}x_2 + k_{23}x_3 + k_{24}x_4 \\
y_3 &= k_{31}x_1 + k_{32}x_2 + k_{33}x_3 + k_{34}x_4 \\
y_4 &= k_{41}x_1 + k_{42}x_2 + k_{43}x_3 + k_{44}x_4
\end{aligned}$$
i.e. $y = Kx$ with $K$ invertible, so $n$ known plaintext/ciphertext blocks whose plaintext matrix $P$ is invertible give $K = C P^{-1}$.
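The known-plaintext attack on the linear (Hill) system above, as an added example that is not part of the original notes. It assumes the classical Hill setting (letters A..Z as 0..25, arithmetic mod 26) and the column-vector convention y = Kx of the equations; the key and the known plaintext are constructed in `demo`. Recovering K needs only n plaintext/ciphertext blocks whose plaintext matrix is invertible mod 26:

```python
# Added example (not from the slides): known-plaintext recovery of a Hill cipher key.
# Assumptions: letters A..Z as 0..25, arithmetic mod 26, y = K x with x, y column vectors.
import random

MOD = 26


def det_mod(m, mod=MOD):
    """Determinant by Laplace expansion along the first row, reduced mod `mod`."""
    n = len(m)
    if n == 1:
        return m[0][0] % mod
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * det_mod(minor, mod)
    return total % mod


def inverse_mod(m, mod=MOD):
    """Inverse of an n x n matrix (n >= 2) mod `mod` via the adjugate; None if singular."""
    n = len(m)
    d = det_mod(m, mod)
    try:
        d_inv = pow(d, -1, mod)          # Python 3.8+; fails unless gcd(det, 26) == 1
    except ValueError:
        return None
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for r, row in enumerate(m) if r != i]
            cofactor = (-1) ** (i + j) * det_mod(minor, mod)
            inv[j][i] = (d_inv * cofactor) % mod   # adjugate = transposed cofactor matrix
    return inv


def mat_mul(a, b, mod=MOD):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % mod
             for j in range(len(b[0]))] for i in range(len(a))]


def hill_encrypt(key, plaintext):
    """Encrypt block by block as y = K x; pads the last block with 'X'."""
    n = len(key)
    nums = [ord(ch) - 65 for ch in plaintext.upper() if ch.isalpha()]
    while len(nums) % n:
        nums.append(ord("X") - 65)
    out = []
    for i in range(0, len(nums), n):
        y = mat_mul(key, [[v] for v in nums[i:i + n]])
        out.extend(chr(65 + row[0]) for row in y)
    return "".join(out)


def recover_key(plaintext, ciphertext, n):
    """Known-plaintext attack: with n plaintext blocks as the columns of P and the
    matching ciphertext blocks as the columns of C, C = K P, so K = C P^-1 mod 26.
    Needs P invertible mod 26, i.e. n independent blocks; returns None otherwise."""
    p = [ord(ch) - 65 for ch in plaintext]
    c = [ord(ch) - 65 for ch in ciphertext]
    P = [[p[b * n + r] for b in range(n)] for r in range(n)]
    C = [[c[b * n + r] for b in range(n)] for r in range(n)]
    P_inv = inverse_mod(P)
    return None if P_inv is None else mat_mul(C, P_inv)


def random_invertible(n, rng):
    while True:
        m = [[rng.randrange(MOD) for _ in range(n)] for _ in range(n)]
        if inverse_mod(m) is not None:
            return m


def demo(n=4, seed=7):
    """Returns (true key, recovered key) for a constructed key and known plaintext."""
    rng = random.Random(seed)
    key = random_invertible(n, rng)
    # Constructed known plaintext: n blocks chosen so that P is invertible mod 26.
    blocks = random_invertible(n, rng)
    plaintext = "".join(chr(65 + blocks[r][b]) for b in range(n) for r in range(n))
    ciphertext = hill_encrypt(key, plaintext)
    return key, recover_key(plaintext, ciphertext, n)


if __name__ == "__main__":
    key, recovered = demo()
    print("recovered == key:", recovered == key)
```

The attack costs one matrix inversion, independent of the key size: the linear structure, not the number of coefficients, is what makes the system weak. The same argument applies to any cipher whose PT-to-CT map is linear in the key, which is why Feistel interposes nonlinear substitutions.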
Feistel uses a product cipher to achieve this, alternating substitutions and permutations.
In principle this is based on Shannon's diffusion and confusion, introduced to defeat statistical (e.g. known-plaintext) attacks. Diffusion dissipates the statistical structure of the PT over the CT, so that each PT bit influences many CT bits (Shannon's example is an averaging system). Confusion makes the relationship between the CT and the key as complex as possible, so that CT statistics reveal nothing useful about K.
Classical Feistel: block size 2w, |K| = 64 or 128 bits, 16 rounds, with a key schedule producing one subkey $K_i$ per round.
The 2w-bit PT is split into halves $L_0 \| R_0$; round i computes $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$; after 16 rounds the halves are swapped once more, giving $CT = R_{16} \| L_{16}$. Decryption runs the same network with the subkeys in reverse order, so F need not be invertible.
Reminding cornerstones (2)
Lucifer, DES (NBS)
- Block size 2w = 64 bits. The 64-bit key is permuted to 56 bits (PC-1), and each of the 16 rounds gets a 48-bit subkey $K_i$ derived by circular shifts and a second permutation (PC-2). An initial permutation IP precedes round 1 and its inverse follows the last swap.
- Round i:
  $L_i = R_{i-1}$
  $F(R_{i-1}, K_i)$: the 32-bit $R_{i-1}$ is expanded to 48 bits, XORed with $K_i$, passed through eight 6-to-4-bit S-boxes (48 → 32 bits), and the 32-bit result is permuted (P).
  $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
- After round 16 the halves are swapped: $CT = R_{16} \| L_{16}$ (then $IP^{-1}$).
- Avalanche effect: a one-bit change in PT or K should change many CT bits. In Stallings' DES example the two ciphertexts already differ in 21 bits after the first few rounds and in roughly half the block at the end.
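The Feistel round and the DES structure described above, as an added example that is not part of the original notes. It is a toy network, not DES: w = 32 (64-bit block), 16 rounds, and a truncated SHA-256 stands in for both the E/S-box/P round function and the PC-1/shift/PC-2 key schedule (both are assumptions made for the example). It shows the three things the notes assert: the round recurrence, that decryption is the same network with reversed subkeys even though F is not invertible, and the avalanche effect measured round by round:

```python
# Added example (not from the slides): a toy Feistel network, its decryption, and an
# avalanche measurement. Assumptions: w = 32, 16 rounds, hash-based F and key schedule.
import hashlib

W = 32                      # half-block width; block size is 2w = 64 bits
MASK = (1 << W) - 1


def round_function(r, k):
    """F(R, K): deliberately NOT invertible (a truncated hash). The Feistel structure
    never needs F^-1, which is exactly why F can be any mixing function."""
    data = r.to_bytes(W // 8, "big") + k.to_bytes(W // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:W // 8], "big")


def key_schedule(master_key, rounds=16):
    """One w-bit subkey per round (hypothetical schedule for illustration)."""
    return [int.from_bytes(hashlib.sha256(master_key + bytes([i])).digest()[:W // 8], "big")
            for i in range(rounds)]


def feistel(block, subkeys):
    """L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i); output R_n || L_n (the final swap)."""
    left, right = block >> W, block & MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << W) | left


def encrypt(block, master_key, rounds=16):
    return feistel(block, key_schedule(master_key, rounds))


def decrypt(block, master_key, rounds=16):
    """Same network, subkeys in reverse order: each round undoes its mirror image
    because (L XOR F(R, K)) XOR F(R, K) = L and R is passed through unchanged."""
    return feistel(block, key_schedule(master_key, rounds)[::-1])


def avalanche(block, master_key, rounds=16, flip_bit=2 * W - 1):
    """Hamming distance between the two round states, round by round, when one
    plaintext bit is flipped. Flipping a bit of L_0 shows up as exactly one differing
    bit after round 1 (R_1 = L_0 XOR F(R_0, K_1)) and spreads from round 2 on."""
    subkeys = key_schedule(master_key, rounds)
    other = block ^ (1 << flip_bit)
    a = (block >> W, block & MASK)
    b = (other >> W, other & MASK)
    distances = []
    for k in subkeys:
        a = (a[1], a[0] ^ round_function(a[1], k))
        b = (b[1], b[0] ^ round_function(b[1], k))
        distances.append(bin(((a[0] ^ b[0]) << W) | (a[1] ^ b[1])).count("1"))
    return distances


if __name__ == "__main__":
    key = b"constructed 16 B"           # constructed sample key
    pt = 0x0123456789ABCDEF            # constructed sample block
    ct = encrypt(pt, key)
    print(f"ct={ct:016x} roundtrip_ok={decrypt(ct, key) == pt}")
    print("bits differing per round:", avalanche(pt, key))
```

Note that the avalanche list starts at 1 by construction and climbs to around 32 of 64 bits; a real cipher is judged on how quickly it gets there, which is what the DES table in the notes records.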
Differential cryptanalysis
Observe how the XOR difference between two blocks evolves from round to round. With the Feistel round written as
$$m_{i+1} = m_{i-1} \oplus f(m_i, K_i)$$
the difference between two executions (primed values belong to the second block) is
$$\Delta m_{i+1} = m_{i+1} \oplus m'_{i+1} = [m_{i-1} \oplus f(m_i, K_i)] \oplus [m'_{i-1} \oplus f(m'_i, K_i)] = \Delta m_{i-1} \oplus [f(m_i, K_i) \oplus f(m'_i, K_i)]$$
Many pairs of inputs to f with the same input difference yield the same output difference when the same subkey is used. Say that X may cause Y with probability p if, for a fraction p of the pairs whose input XOR is X, the output XOR equals Y. The subkey cancels in the difference, $(m_i \oplus K_i) \oplus (m'_i \oplus K_i) = \Delta m_i$, so such a characteristic can be tabulated for f without knowing $K_i$; the attacker chains high-probability characteristics through the rounds and uses the pairs that follow them to vote on the last-round subkey.
- First published attack capable of breaking DES with less than $2^{55}$ complexity. The reported attack needs on the order of $2^{47}$ encryptions and requires $2^{47}$ chosen plaintexts.
- 8-round LUCIFER is broken with only 256 chosen plaintexts, whereas 8-round DES requires $2^{14}$ chosen plaintexts.
• Linear cryptanalysis: find a linear relation between PT, CT and K bits that holds with probability $p \neq 1/2$,
$P[a_1, a_2, \dots, a_a] \oplus C[b_1, b_2, \dots, b_b] = K[g_1, g_2, \dots, g_c]$,
where a, b, g are bit positions and each bracket denotes the XOR of the selected bits. The bias $|p - 1/2|$ lets the key bits on the right be recovered from enough known plaintext/ciphertext pairs.
• Man-in-the-middle attack (MIM, or MITM): an attack mounted by an active attacker who can listen to the communication between two entities and can also change its contents. While performing this attack, the attacker impersonates each party towards the other.
• Oracle attack: an attack in which the attacker is assisted by a machine or user who will perform encryption or decryption for him at will. The attacker can use multiple encryptions and decryptions of data of his choice to recover the key.
• Related-Key Cryptanalysis: Related-key cryptanalysis refers to
attacks based on encrypting plaintexts with various similar (but not
identical) keys and analyzing the differences in output.
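The "X may cause Y with probability p" table of the differential-cryptanalysis notes and the linear approximation table of the linear-cryptanalysis bullet, as an added example that is not part of the original notes. It uses a 4-bit S-box (the PRESENT S-box, chosen only as a concrete nonlinear map) so both tables fit in a screen, and then runs a differential key recovery against a constructed toy round `round_fn` (key XOR, S-box, key XOR; the two 4-bit subkeys and the chosen-plaintext pairs are assumptions of the example). The recovery relies on exactly the two cancellations the notes state: the S-box input difference does not depend on the subkey XORed in before it, and the output difference does not depend on the subkey XORed in after it.

```python
# Added example (not from the slides): difference distribution table, linear approximation
# table, and a toy differential key recovery. Assumptions: PRESENT S-box as the nonlinear
# map; round_fn, its subkeys and the chosen plaintexts are constructed.
from itertools import product

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def difference_table(sbox):
    """ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}; ddt[dx][dy] / 16 is the p in
    'input XOR dx causes output XOR dy with probability p'."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for x, dx in product(range(n), repeat=2):
        ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt


def parity(v):
    return bin(v).count("1") & 1


def linear_table(sbox):
    """lat[a][b] = #{x : a.x == b.S(x)} - n/2: the bias of the linear approximation
    'XOR of input bits selected by a = XOR of output bits selected by b'."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) - n // 2
             for b in range(n)] for a in range(n)]


def best_differential(ddt):
    """Most likely (dx, dy, p) with dx != 0."""
    n = len(ddt)
    dx, dy = max(((a, b) for a in range(1, n) for b in range(n)),
                 key=lambda t: ddt[t[0]][t[1]])
    return dx, dy, ddt[dx][dy] / n


def round_fn(x, k0, k1):
    """Toy cipher: key XOR, S-box, key XOR (constructed for illustration)."""
    return SBOX[x ^ k0] ^ k1


def recover_keys(pairs, dx):
    """pairs = [(x, y, y')] with y = round_fn(x), y' = round_fn(x ^ dx).
    (x ^ k0) ^ (x ^ dx ^ k0) = dx, so the S-box input XOR does not depend on k0,
    and y ^ y' does not depend on k1: the output differences constrain k0 alone,
    after which k1 follows from a single known (x, y)."""
    found = []
    for k0 in range(16):
        if all(SBOX[x ^ k0] ^ SBOX[x ^ dx ^ k0] == y ^ yp for x, y, yp in pairs):
            k1 = pairs[0][1] ^ SBOX[pairs[0][0] ^ k0]
            if all(round_fn(x, k0, k1) == y and round_fn(x ^ dx, k0, k1) == yp
                   for x, y, yp in pairs):
                found.append((k0, k1))
    return found


def demo(k0=0xA, k1=0x3):
    ddt = difference_table(SBOX)
    dx, dy, p = best_differential(ddt)
    # Attacker's chosen plaintexts: pairs with input XOR dx (constructed).
    pairs = [(x, round_fn(x, k0, k1), round_fn(x ^ dx, k0, k1)) for x in (0x0, 0x3, 0x6, 0xC)]
    return (dx, dy, p), recover_keys(pairs, dx)


if __name__ == "__main__":
    (dx, dy, p), keys = demo()
    print(f"best differential: {dx:x} -> {dy:x} with p = {p}")
    print("candidate (k0, k1):", [(f"{a:x}", f"{b:x}") for a, b in keys])
```

Two properties worth checking against the tables: every row of the DDT sums to 16 and contains only even counts (x and x ^ dx form the same pair), and the LAT row for a = 0 is all zero except at b = 0 because a bijective S-box has balanced output bits. For this S-box no nonzero differential occurs more than 4 times out of 16, i.e. p ≤ 1/4, which is the kind of bound an S-box designer targets to force the attacker to use many pairs.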
Double DES
Meet in the middle attack
• Double DES: $C = E(K_2, E(K_1, P))$ and $P = D(K_1, D(K_2, C))$, with a 112-bit key in effect.
• Concern: is there a $K_3$ with $E(K_2, E(K_1, P)) = E(K_3, P)$ for all P? If so, double DES would be no stronger than single DES with one 56-bit key. DES is not a group (proved in 1992), so this reduction does not exist.
• Consider DES as mapping each of the $2^{64}$ possible input blocks, under a specific key, to a unique 64-bit C block. If two input blocks were mapped to the same output block, decryption to recover the original PT would be impossible.
• With $2^{64}$ possible inputs, the number of different mappings (permutations) is $(2^{64})!$; a 56-bit key selects only $2^{56}$ of them.
• Using DES twice with two different keys produces a different mapping:
– $C = E(K_2, E(K_1, P))$
– $X = E(K_1, P) = D(K_2, C)$
• For one known pair (P, C), the meet-in-the-middle attack:
– Encrypt P under all $2^{56}$ values of $K_1$; sort and store the results (a table of $2^{56}$ entries).
– Decrypt C under all $2^{56}$ values of $K_2$ and look each result up in the table. Every match gives a candidate $(K_1, K_2)$; test the candidates on a second known (P, C) pair and keep those that agree.
• For any given PT there are $2^{64}$ possible CT values, but $2^{112}$ possible key pairs, so on average $2^{112}/2^{64} = 2^{48}$ key pairs map a given P to a given C.
• Thus the first (P, C) pair yields about $2^{48}$ false alarms. A second 64-bit pair reduces the expected number of surviving false alarms to $2^{48} \cdot 2^{-64} = 2^{-16}$.
• Put together, with two known (P, C) blocks the correct key pair is identified with probability about $1 - 2^{-16}$, at a cost on the order of $2^{56}$ encryptions plus decryptions (not much more than the $2^{55}$ expected for brute force of single DES) and $2^{56}$ table entries of memory. A known-plaintext attack therefore succeeds against double DES.
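The meet-in-the-middle attack just described, as an added example that is not part of the original notes. DES is replaced by a constructed toy cipher with a 16-bit block and a 12-bit key (`toy_encrypt`, its keys and plaintexts are all assumptions of the example) so that the whole attack runs in a second while keeping the same arithmetic: $2^{24}$ key pairs, only $2^{12} + 2^{12}$ cipher operations plus a $2^{12}$-entry table, about $2^{24}/2^{16} = 2^{8}$ false alarms from the first pair, and almost none after the second:

```python
# Added example (not from the slides): meet-in-the-middle against double encryption with
# a toy 16-bit block / 12-bit key cipher. Assumptions: the toy cipher, the keys and the
# plaintexts are constructed; only the structure of the attack mirrors the DES case.
MASK16 = 0xFFFF
KEY_BITS = 12
KEYSPACE = 1 << KEY_BITS
ROUNDS = 4
CONST = 0x9E37


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16


def rotr16(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK16


def subkeys(key):
    return [(key * (2 * r + 3)) & MASK16 for r in range(ROUNDS)]


def toy_encrypt(key, block):
    """Four rounds of XOR-subkey, rotate, add-constant: every step is invertible."""
    x = block
    for sk in subkeys(key):
        x = (rotl16(x ^ sk, 5) + CONST) & MASK16
    return x


def toy_decrypt(key, block):
    x = block
    for sk in reversed(subkeys(key)):
        x = rotr16((x - CONST) & MASK16, 5) ^ sk
    return x


def double_encrypt(k1, k2, block):
    """C = E(K2, E(K1, P)), the double-encryption construction under attack."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """pairs[0] drives the table; the remaining pairs weed out false alarms.
    Returns (candidates after the first pair, survivors after all pairs)."""
    p0, c0 = pairs[0]
    # Forward table: X = E(K1, P0) for every K1 (2^k entries, the memory cost).
    table = {}
    for k1 in range(KEYSPACE):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Backward pass: X = D(K2, C0) for every K2; a table hit is a candidate (K1, K2).
    candidates = [(k1, k2) for k2 in range(KEYSPACE)
                  for k1 in table.get(toy_decrypt(k2, c0), ())]
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:])]
    return candidates, survivors


def demo(k1=0x3A7, k2=0xB21, plaintexts=(0x1234, 0xBEEF)):
    """Two constructed known (P, C) pairs under the constructed key pair (k1, k2)."""
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    candidates, survivors = demo()
    print(f"key pairs a brute-force search would try: {KEYSPACE ** 2}")
    print(f"cipher operations used here: {2 * KEYSPACE}")
    print(f"candidates from first pair: {len(candidates)} "
          f"(expected about {KEYSPACE ** 2 // (1 << 16)})")
    print("survivors after second pair:", [(hex(a), hex(b)) for a, b in survivors])
```

Scaling the numbers back up is the whole point: with 56-bit keys the table has $2^{56}$ entries and the first pair leaves $2^{48}$ false alarms, exactly as computed above, and the second pair removes essentially all of them.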
• Triple DES with two keys
• The obvious countermeasure to the meet-in-the-middle attack is three stages of encryption with three different keys, raising the cost of the known-plaintext attack to $2^{112}$, beyond practical reach.
• The drawback is a key of 3 × 56 = 168 bits, which is somewhat unwieldy.
• Alternative (Tuchman): triple encryption using two keys in an encrypt-decrypt-encrypt (EDE) sequence:
• $C = E(K_1, D(K_2, E(K_1, P)))$. The middle decryption has no cryptographic significance; it lets a 3DES implementation interoperate with single DES by setting $K_1 = K_2$.
• No practical cryptanalytic attacks on 3DES were known when this was written. (3DES has since been deprecated by NIST, and its 64-bit block exposes it to the Sweet32 birthday attack when large volumes are encrypted under one key; AES is the current standard.)
FISH (to be updated)
• FISH is a stream cipher built from lagged Fibonacci generators and a shrinking generator: a Fibonacci shrinking stream cipher. (It was broken shortly after publication, by Anderson in 1994, and is of historical interest only.)
• Lagged Fibonacci generator (LFG): the Fibonacci recurrence $S_n = S_{n-1} + S_{n-2}$ generalised to
  $S_n = S_{n-j} \star S_{n-k} \pmod m$, $0 < j < k$,
  where $\star$ is a binary operation such as addition, subtraction, multiplication or XOR.
• Linear congruential generator (LCG), a pseudorandom generator:
  – $X_{n+1} = (a X_n + c) \bmod m$ gives the pseudorandom sequence $X_n$; $0 < a < m$ is the multiplier (gain), $0 \le c < m$ the increment (shift; $c = 0$ gives a purely multiplicative generator such as Park-Miller), and $0 \le X_0 < m$ is the seed (start value).
  – The quality of the output is extremely sensitive to the choice of a, c and m: the period of a general LCG is at most m, and for some choices of a much less than that. The LCG has full period m if and only if (Hull-Dobell):
    1. c and m are relatively prime,
    2. a − 1 is divisible by every prime factor of m,
    3. a − 1 is a multiple of 4 if m is a multiple of 4.
  – Full period says nothing about unpredictability: an LCG's parameters and state can be recovered from a handful of consecutive outputs, so neither an LCG nor a plain LFG is usable as a keystream generator on its own.
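The LCG, the Hull-Dobell conditions and the predictability caveat, as an added example that is not part of the original notes. The small parameter sets are constructed to pass and fail the conditions; the $2^{32}$ parameters are the Numerical Recipes constants, used only as a realistic-looking instance. `recover_params` shows why a full-period LCG is still useless as a keystream: with m known, three consecutive outputs give a and c, and from there every later output.

```python
# Added example (not from the slides): LCG, Hull-Dobell full-period test, empirical period,
# and recovery of (a, c) from three outputs. Assumptions: the parameter sets are constructed.
from math import gcd


def prime_factors(m):
    """Distinct prime factors by trial division (fine for the moduli used here)."""
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors


def has_full_period(a, c, m):
    """Hull-Dobell: period m for every seed iff all three conditions hold."""
    if gcd(c, m) != 1:                                  # 1. c and m relatively prime
        return False
    if any((a - 1) % p for p in prime_factors(m)):      # 2. every prime of m divides a-1
        return False
    if m % 4 == 0 and (a - 1) % 4:                      # 3. 4 | m implies 4 | a-1
        return False
    return True


def lcg(a, c, m, seed):
    """X_{n+1} = (a X_n + c) mod m, yielding X_1, X_2, ..."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def measured_period(a, c, m, seed):
    """Length of the cycle the generator eventually falls into (brute force, small m)."""
    seen, x, i = {}, seed, 0
    while x not in seen:
        seen[x] = i
        x = (a * x + c) % m
        i += 1
    return i - seen[x]


def recover_params(outputs, m):
    """From x0, x1, x2 with x_{i+1} = a x_i + c (mod m):
    x2 - x1 = a (x1 - x0), so a = (x2 - x1)(x1 - x0)^-1 and c = x1 - a x0.
    Returns None when x1 - x0 is not invertible mod m (slide the window then)."""
    x0, x1, x2 = outputs[:3]
    try:
        a = ((x2 - x1) * pow((x1 - x0) % m, -1, m)) % m
    except ValueError:
        return None
    return a, (x1 - a * x0) % m


if __name__ == "__main__":
    for a, c, m in ((5, 3, 16), (6, 3, 16)):            # constructed: passes / fails Hull-Dobell
        print(f"a={a} c={c} m={m}: full period {has_full_period(a, c, m)}, "
              f"measured {measured_period(a, c, m, 0)}")
    A, C, M = 1664525, 1013904223, 2 ** 32              # Numerical Recipes LCG
    gen = lcg(A, C, M, 42)
    outs = [next(gen) for _ in range(3)]
    a, c = recover_params(outs, M)
    print(f"recovered a={a} c={c}; next output predicted: {(a * outs[2] + c) % M == next(gen)}")
```

Condition 2 fails for a = 6, m = 16 because a − 1 = 5 is odd, and the measured cycle collapses to length 1; the parameter recovery works for the full-period generator because a − 1 even and c odd make consecutive outputs differ by an odd, hence invertible, amount mod $2^{32}$.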