William Stallings Data and Computer Communications

Download Report

Transcript William Stallings Data and Computer Communications 

DES & Hash function
1
Outline
 Introduction
 Data Encryption Standard (DES)
 Double & Triple DES
 Hash Function
 MD5
 SHA-1
2
Introduction
 Encryption Schemes
 Conventional Encryption (Symmetric)
ex: DES
 Public-Key Encryption (Asymmetric)
ex: RSA
Message
source
Encryption
algorithm
K
Decryption
algorithm
Destination
Secure Channel
Key
source
Model of Conventional Cryptosystem
3
Introduction(Cont’d)
Destination B
Source A
Message
source
Encryption
algorithm
Decryption
algorithm
Destination
KRb
KUb
Key pair
source
Public-Key Cryptosystem : Secrecy
Destination B
Source A
Message
source
Encryption
algorithm
KRa
Decryption
algorithm
Destination
KUa
Key pair
source
Public-Key Cryptosystem : Authentication
4
Data Encryption Standard (DES)
 Two inputs to the encryption function
 plaintext and key
 64-bit plaintext passes through an initial
permutation
to produce the permuted input
 16 rounds have the same function
permutation and substitution
 The pre-output is passed through a permutation (IP1) to produce the 64-bit ciphertext.
5
Data Encryption Standard (DES)
64-bit plaintext
56-bit key
……………
……………
Initial permutation
Permuted choice 1
Round 1
K1
Permuted choice 2
Left circular shift
Round 2
K2
Permuted choice 2
Left circular shift
Round 16
K16
Permuted choice 2
Left circular shift
32-bit swap
Inverse initial
permutation
……………
64-bit ciphertext
General Depiction of DES Encryption Algorithm.
6
Data Encryption Standard (DES)
 Initial Permutation (IP)、Inverse Initial Permutation
(IP-1)
Inverse Initial Permutation (IP-1)
Initial Permutation (IP)
58
60
62
64
57
59
61
63
50
52
54
56
49
51
53
55
42
44
46
48
41
43
45
47
34
36
38
40
33
35
37
39
26
28
30
32
25
27
29
31
18
20
22
24
17
19
21
23
10
12
14
16
9
11
13
15
2
4
6
8
1
3
5
7
40
39
38
37
36
35
34
33
8
7
6
5
4
3
2
1
48
47
46
45
44
43
42
41
16
15
14
13
12
11
10
9
56
55
54
53
52
51
50
49
24
23
22
21
20
19
18
17
64
63
62
61
60
59
58
57
32
31
30
29
28
27
26
25
7
Data Encryption Standard (DES)
Details of Single Round:
32 bits
32 bits
28 bits
28 bits
Li- 1
Ri-1
Ci-1
Di-1
Expansion/permutation
(E table)
Li  R i1
R i  Li1 F( R i1, K i )
Left shift(s)
Left shift(s)
48
F
Permutation/contraction
(permuted choice 2)
Ki
XOR
48
Substition/choice
(S-box)
32
Permuta tion
(P)
32
XOR
Li
Ri
Ci
Di 8
Data Encryption Standard (DES)
 Expansion Permutation (E) :
Expansion Permutation (E)
32
4
8
12
16
20
24
28
1
5
9
13
17
21
25
29
2
6
10
14
18
22
26
30
3
7
11
15
19
23
27
31
4
8
12
16
20
24
28
32
5
9
13
17
21
25
29
1
 Permutation Function (P) :
Permutation Function (P)
16
1
2
19
7
15
8
13
20
23
24
30
21
26
14
6
29
5
32
22
12
18
27
11
28
31
3
4
17
10
9
25
9
Data Encryption Standard (DES)
 S-box
8 S-boxes
each accepts 6 bits input, produces 4 bits output
R (32 bits)
E
48 bits
K (48 bits)
+
S1
S2
S3
S4
S5
S6
S7
S8
P
32 bits
10
Data Encryption Standard (DES)
 S-box
The first and last bits of the
input to box Si to select a row
The middle 4 bits select a
column.
ex : in S1, input=010011,
the row is 01,
the column is 1001
=> output:0110
11
DES Key Generation
 56-bit key used as input and produces a 48-bit output
the function F(Ri-1,Ki)
 Permuted Choice One (PC-1)
Permuted Choice One (PC-1)
57
1
10
19
63
7
14
21
49
58
2
11
55
62
6
13
41
50
59
3
47
54
61
5
33
42
51
60
39
46
53
28
25
34
43
52
31
38
45
20
17
26
35
44
23
30
37
12
9
18
27
36
15
22
29
4
 At each round, Ci-1 and Di-1 are separately subjected to a
circular left shift of 1 or 2 bits.
(c) Schedule of Left Shifts
───────────────────────────────
Round number
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Bits rotated
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
───────────────────────────────
12
DES Key Generation
 Permuted Choice One (PC-2)
Permuted Choice Two (PC-2)
14
15
26
41
51
34
17
6
8
52
45
53
11
21
16
31
33
46
24
10
7
37
48
42
1
23
27
47
44
50
5
19
20
55
49
36
3
12
13
30
39
29
28
4
2
40
56
32
13
DES Decryption Algorithm
 DES Decryption uses the same
algorithm as encryption, except
the application of the subkeys is
reversed.
 The initial permutation (IP) is
the same as the IP-1 at the
encryption part
14
DES Decryption Algorithm
Output (plaintext)
Input (plaintext)
LE0
⊕
K1
RE0
RD16=LE0
LD16=RE0
LD16=RE0
RD16=LE0
F
RE1
K2
F
LE2
LE14
⊕
K15
F
LE1
⊕
RD15=LE1 K1 LD15=RE1
⊕
K16
F
F
RE2
LD14=RE2 K2 RD14=LE2
RE14
LD2=RE14
F
RE15
⊕
RD2=LE14
F
LE15
⊕
LE16
RE16
RE16
LE16
Output (ciphertext)
⊕
RD1=LE15 K15 LD1=RE15
⊕
F
LD0=RE16 K16 RD0=LE16
RD 0  LE16  RE 15
LD0  RE 16  LE15  F(RE 15 , K16 )
 LDi  RD i 1
RD i  LDi 1  F(RD i 1 , K16 ( i 1) )
 LD1  RD 0  LE16  RE 15
RD1  LD0  F(RD o , K16 )
 RE16  F(RE 15 , K16 )
 [LE15  F(RE 15 , K16 )]  F(RE 15 , K16 )
 LE15  [F(RE 15 , K16 )  F(RE 15 , K16 )]
 LE15
 LD1  RE 15
RD1  LE15
By the same way,
LDi  RE16 -i  LD16  RE 0
RD i  LE16 -i
RD16  LE0
Input (ciphertext)
[Note] LEi, REi : the output of the ith encryption
round
LDi, RDi : the output of the ith decryption 15
round
DES Decryption Algorithm
 After a 32-bit swap, the data at the decryption
part is the same as the data before encrypted.
 Finally, the data passes through an IP-1
return to the original plaintext
16
DES Decryption Algorithm
 Avalanche Effect : a small
change in either the
plaintext or the key should
produce a significant change
in the ciphertext.
 DES exhibits a strong
avalanche effect.
17
Double DES
P
C
K1
 meet-in-the-middle attack :
Given a known pair ( P,C ).
X
256
K2
X
256
K1
K2
 K1,K2 are not independent.
The Complexity is similar to
thesingle DES.
18
Triple DES
 Encryption-Decryption-Encryption (EDE)
 The cost of a brute-force key search on triple
DES : 2112
 Currently, there are no practical cryptanalytic
attacks of triple DES.
19
Hash Function
 h = H(M)
M : variable-length message
H(M) : fixed-length message
 The hash value is appended to the message at the
source.
 The receiver authenticates that message by recomputing the hash value .
20
Hash Function
21
Hash Function
 Requirement for a Hash Function
H can be applied to a block of data of any size.
H produces a fixed-length output.
H(x) is relatively easy to compute for any given x.
 one-way property
 weak collision resistance
22
MD5
 Input
variable-length message
The input is processed in 512-bit block
 Output
a 128-bit message digest
L x 512 bits = N x 32 bits
K bits
Message
512 bits
512 bits
Y0
Y1
128
IV
128
HMD5
512 bits
…
Yq
512
512
CV1
100...0
…
YL-1
512
128
HMD5
512 bits
CVq
512
128
HMD5
CVL -1
HMD5
128-bit digest
23
MD5
 Append padding bits
the padding bits : 1  512 bits (100…0)
Padding is always added, even if the message is already of
the desired length.
ex: the message is 448 bits long,
it is padded by 512 bits to a length of 960 bits
 Append length
a 64-bit representation of the original message’s length
If the original length greater than 264
 K mod 264 (the low-order 64 bits of the length)
24
MD5
 Initialize MD buffer
The buffer can be represented as four-32 bit
registers(A,B,C,D)
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
 The heart of the algorithm is a compression function
four rounds
each round processes 16 steps
The four rounds have a similar structure, but each uses a
different primitive logical function (F,G,H,I).
25
MD5
Yq
CVq
128
512
32
A
B
C
D
A
B
C
D
A
B
C
D
A
B
C
D
F, T[1...16], X[i]
16 steps
G, T[17...32], X[ρ
2i]
16 steps
H, T[33...48], X[ρ
i]
3
16 steps
I, T[49...64], X[ρ
4i]
16 steps
+ + + +
128
CVq+1
32.
Note: Addition (+) is mod
2
26
MD5
 A,B,C,D 
D,{[(A+g(B,C,D)+X[k]+T[i])
<<< s]+B},B,C
 g : one of the primitive functions
F,G,H,I
 <<<s : circular left shift by s bits
 X[k] : the k’th 32-bit word in
the 512-bit
block of the message
round 1  k = i-1
round 2  k = [1+5(i-1)]
mod 16
round 3  k = [5+3(i-1)]
mod 16
round 4  k = [7(i-1)]
mod 16
 T[i] : the i’th 32-bit word in
matrix T
 + : addition modulo 232

^, , ¯,  : AND,OR,NOT,XOR
A
X[k]
+
T[i]
+
B
C
D
C
D
g
+
C L Ss
+
A
B
Elementary MD5 Operation (single step).
27
MD5
Round
Primitive function g
g(b, c, d)
1
F(b, c, d)
2
3
G(b, c, d)
H(b, c, d)
4
I(b, c, d)
(b  c)  (b  d )
(b  d )  (c  d )
bcd
c  (b  d )
28
MD5
Table T, constructed from the sine function
───────────────────────────────────
T[1] = D76AA478
T[17] = F61E2562
T[33] = FFFA3942
T[49] = F4292244
T[2] = E8C7B756
T[18] = C040B340
T[34] = 8771F681
T[50] = 432AFF97
T[3] = 242070DB
T[19] = 265E5A51
T[35] = 699D6122
T[51] = AB9423A7
T[4] = C1BDCEEE T[20] = E9B6C7AA T[36] = FDE5380C
T[52] = FC93A039
T[5] = F57C0FAF
T[21] = D62F105D
T[37] = A4BEEA44 T[53] = 655B59C3
T[6] = 4787C62A
T[22] = 02441453
T[38] = 4BDECFA9 T[54] = 8F0CCC92
T[7] = A8304613
T[23] = D8A1E681
T[39] = F6BB4B60
T[8] = FD469501
T[24] = E7D3FBC8
T[40] = BEBFBC70 T[56] = 85845DD1
T[9] = 698098D8
T[25] = 21E1CDE6
T[41] = 289B7EC6
T[55] = FFEFF47D
T[57] = 6FA87E4F
T[10] = 8B44F7AF T[26] = C33707D6
T[42] = EAA127FA T[58] = FE2CE6E0
T[11] = FFFF5BB1 T[27] = F4D50D87
T[43] = D4EF3085
T[59] = A3014314
T[12] = 895CD7BE T[28] = 455A14ED
T[44] = 04881D05
T[60] = 4E0811A1
T[13] = 6B901122
T[29] = A9E3E905
T[45] = D9D4D039 T[61] = F7537E82
T[14] = FD987193
T[30] = FCEFA3F8
T[46] = E6DB99E5 T[62] = BD3AF235
T[15] = A679438E
T[31] = 676F02D9
T[47] = 1FA27CF8
T[16] = 49B40821
T[32] = 8D2A4C8A T[48] = C4AC5665
───────────────────────────────────
T[63] = 2AD7D2BB
T[64] = EB86D391
29
MD5
/* Round 1. */
/* Let [abcd k s i] denote the operation
a = b + ((a + F(b,c,d) + X[k] + T[i]<<<s).
Do the following 16 operations. */
[ABCD 0 7 1]
[DABC 1 12 2]
[CDAB 2 17 3]
[BCDA 3 22 4]
[ABCD 4 7 5]
[DABC 5 12 6]
[CDAB 6 17 7]
[BCDA 7 22 8]
[ABCD 8 7 9]
[DABC 9 12 10]
[CDAB 10 17 11]
[BCDA 11 22 12]
[ABCD 12 7 13]
[DABC 13 12 14]
[CDAB 14 17 15]
[BCDA 15 22 16]
/* Round 2. */
/* Let [abcd k s i] denote the operation
a = b + ((a + G(b,c,d) + X[k] + T[i]<<<s).
Do the following 16 operations. */
[ABCD 1 5 17]
[DABC 6 9 18]
[CDAB 11 14 19]
[BCDA 0 20 20]
[ABCD 5 5 21]
[DABC 10 9 22]
[CDAB 15 14 23]
[BCDA 4 20 24]
[ABCD 9 5 25]
[DABC 14 9 26]
[CDAB 3 14 27]
[BCDA 8 20 28]
[ABCD 13 5 29]
[DABC 2 9 30]
[CDAB 7 14 31]
[BCDA 12 20 32]
30
MD5
/* Round 3. */
/* Let [abcd k s i] denote the operation
a = b + ((a + H(b,c,d) + X[k] + T[i]<<<s).
Do the following 16 operations. */
[ABCD 5 4 33]
[DABC 8 11 34]
[CDAB 11 16 35]
[BCDA 14 23 36]
[ABCD 1 4 37]
[DABC 4 11 38]
[CDAB 7 16 39]
[BCDA 10 23 40]
[ABCD 13 4 41]
[DABC 0 11 42]
[CDAB 3 16 43]
[BCDA 6 23 44]
[ABCD 9 4 45]
[DABC 12 11 46]
[CDAB 15 16 47]
[BCDA 2 23 48]
/* Round 4. */
/* Let [abcd k s i] denote the operation
a = b + ((a + I(b,c,d) + X[k] + T[i]<<<s).
Do the following 16 operations. */
[ABCD 0 6 49]
[DABC 7 10 50]
[CDAB 14 15 51]
[BCDA 5 21 52]
[ABCD 12 6 53]
[DABC 3 10 54]
[CDAB 10 15 55]
[BCDA 1 21 56]
[ABCD 8 6 57]
[DABC 15 10 58]
[CDAB 6 15 59]
[BCDA 13 21 60]
[ABCD 4 6 61]
[DABC 11 10 62]
[CDAB 2 15 63]
[BCDA 9 21 64]
31
MD5
 For each step, only one of four buffers is
updated.
 Four different circular left shift are used in each
round and different from round to round.
32
Secure Hash Algorithm (SHA-1)
 Input
 input message with a maximum length of less than 264 bits
 The input is processed in 512-bit block
 Output
 a 160-bit message digest
 Append padding bits
 Append length
 Initialize MD buffer
 The buffer can be represented as five-32 bit registers.
A = 67452301
B = EFCDAB89
C = 98BADCF
D = 10325476
F = C3D2E1F0
33
Secure Hash Algorithm (SHA-1)
 The heart of the algorithm is a compression function
four rounds
each round processes 20 steps
The four rounds have a similar structure, but each uses a
different primitive logical function (f1,f2,f3,f4).
34
Secure Hash Algorithm (SHA-1)
Yq
CVq
160
512
32
A
A
A
A
B
C
D
E
B
C
D
E
B
C
D
E
B
C
D
E
f1, K, W[0...19]
20 steps
f2, K, W[20...39]
20 steps
f3, K, W[40...59]
20 steps
f4, K, W[60...79]
20 steps
+ + + + +
160
32.
Note: A ddition (+) is mod
2
CVq+1
SHA-1 Processing of a Single 512-bit Block
35
Secure Hash Algorithm (SHA-1)
A
B
C
D
+
Ft
+
S5
S30
A
E
B
C
D
+
Wt
+
Kt
E
 A,B,C,D,E  [E+f(t,B,C,D)+S5(A)+Wt
+Kt ],A,S30(B),C,D
 t : step number ; 0  t  79
 f(t,B,C,D): one of the primitive
functions
(f1,f2,f3,f4) for step t
 Sk : circular left shift by k bits
 Kt : an additional constant ;
four distinct value are used
Elementary SHA Operation (single step).
36
Secure Hash Algorithm (SHA-1)
Step
(0 ≦ t ≦ 19)
Function Name
Function Value
f1 = f(t, B, C, D)
( B  C)  ( B  D)
BC  D
(40 ≦ t ≦ 59)
f2 = f(t, B, C, D)
f3 = f(t, B, C, D)
( B  C )  ( B  D)  (C  D)
(60 ≦ t ≦ 79)
f4 = f(t, B, C, D)
BC  D
(20 ≦ t ≦ 39)
───────────────────────
Step Number
Hexadecimal
Take Integer Part of:
0 ≦ t ≦ 19
Kt = 5A827999
[230  2 ]
20 ≦ t ≦ 39
Kt = 6ED9EBA1
40 ≦ t ≦ 59
Kt = 8F1BBCDC
[230  3]
[230  5]
60 ≦ t ≦ 79
Kt = CA62C1D6
[230  10]
───────────────────────
37
Secure Hash Algorithm (SHA-1)
 Wt : a 32-bit word derived from current 512-bit input block
in the first 16 steps of processing, Wt is equal to the
corresponding word in the message block.
for the remaining 64 steps :
Wt = S1(Wt-16 Wt-14 Wt-8 Wt-3)
ex : W16 = S1(W0  W2  W8  W13)
512 bits
Yq
W0
W1
…
W0 W2 W8 W13 Wt-16 Wt-14 Wt-8 Wt-3
W15 W16
W63 W65 W71 W76
XOR
XOR
XOR
S1
S1
S1
…
Wt
…
 For each step, two of buffers are updated.
W79
38
Comparison of SHA-1 and MD5
 Complicacy:
MD5 :
Uses one of 16 words of a message block directly as input of
each step function.
Only the order of the words is permuted from round to
round.
SHA-1 :
Expands the 16 blocks words to 80 words for using in the
compression function.
 SHA-1 complicates the task of finding a different
message block that maps to the same compression function
output.
.
39
Comparison of SHA-1 and MD5
 Security against brute-force attacks
to produce any message having a given message digest :
MD5 requires on the order of 2128 operations.
"
"
"
"
"
.
SHA-1 "
2160
to produce two message having the same message digest :
MD5 requires on the order of 264 operations.
"
"
"
"
"
.
SHA-1 "
280
 SHA-1 is stronger against brute-force attacks.
40
Comparison of SHA-1 and MD5
 Speed
Both algorithms rely heavily on addition modulo 232.
SHA-1 involves more steps (80 v.s. 64) and process a 160-bit
buffer compare to MD5’s 128-bit buffer.
SHA-1 should execute more slowly than MD5 on the same
hardware.
 Simplicity and compactness
Both algorithms are simple to describe and simple to
implement.
41
Comparison of SHA-1 and MD5
 Little-endian versus big-endian architecture
MD5 uses a little-endian scheme for interpreting a message
as a sequence of 32-bit words.
 SHA-1 uses a big-endian scheme.
42