Conventional Cryptography (Symmetric Ciphers) CPSC415 Biometrics and Cryptography Outline • Stream Ciphers and Block Ciphers • Confusion and Diffusion • DES (Data Encryption Standard) • Exhaustive.

Conventional Cryptography
(Symmetric Ciphers)
CPSC415 Biometrics and Cryptography
1
Outline
• Stream Ciphers and Block Ciphers
• Confusion and Diffusion
• DES (Data Encryption Standard)
• Exhaustive Key Search
• Triple DES, DESX
• AES (Advanced Encryption Standard)
• Operation Modes
Symmetric Encryption
• or conventional / secret-key / single-key
• sender and recipient share a common
key
• all classical encryption algorithms are
private-key
• was only type prior to invention of
public-key in 1970’s
Symmetric Cipher Model
Symmetric Key Cryptography
Figure: symmetric key cryptography. Alice and Bob share the same (symmetric) key KA-B. The encryption algorithm turns the plaintext message m into the ciphertext KA-B(m); the decryption algorithm recovers m = KA-B(KA-B(m)).
• e.g., key is knowing substitution pattern in
mono alphabetic substitution cipher
Requirements
• two requirements for secure use of
symmetric encryption:
– a strong encryption algorithm
– a secret key known only to sender /
receiver
Y = E_K(X)
X = D_K(Y)
• assume encryption algorithm is known
• implies a secure channel to distribute
key
Cryptography
• can characterize by:
– type of encryption operations used
• substitution / transposition / product
– number of keys used
• single-key or private / two-key or public
– way in which plaintext is processed
• block / stream
Symmetric Key Cryptosystems
• Stream ciphers
– Operate on the plaintext a single bit (or sometimes byte)
at a time
– Simple substitution
– Poly-alphabetic substitution
– Feedback Shift Register Sequences
– e.g. SEAL, RC4 (used by WLAN IEEE 802.11 in WEP)
• Block ciphers
– Operate on the plaintext in groups of bits. The groups of
bits are called blocks.
– Typical block size is 64 bits or a multiple of it
• E.g. 128 bits, 256 bits.
– DES, AES (Rijndael)
– Others include IDEA, Blowfish, RC5, …
– Different modes of operation
Properties that one would like to have in
an encryption scheme
• Easy to encrypt
• Easy to decrypt
• Provides fast encryption and decryption speed
• Minimal bandwidth expansion
• Generates diffusion and confusion (security)
Confusion and Diffusion
• Shannon in 1948 introduced two concepts as basic building blocks
for designing cryptographic systems
• Diffusion: to obscure the statistical structure of the
plaintext from the ciphertext.
– By having each ciphertext digit be affected by more than one
plaintext digit
– In other words, to have the statistical structure of the plaintext be
dissipated into long-range statistics of the ciphertext.
– e.g. $y_n = \sum_{i=1}^{k} m_{n+i} \pmod{26}$
– where the message is M = m1, m2, … and a ciphertext letter yn is obtained
by adding k successive plaintext (English) letters.
• Confusion: to obscure the statistical dependence between the
encryption key and the ciphertext
– to thwart attempts to discover the key
– simple linear substitution generates little confusion
– This can be achieved by using complex substitution algorithms.
Block Ciphers
Figure: a block cipher maps a message block (n bits) to a ciphertext block (n bits) under a secret key (k bits).
• An encryption algorithm that takes a fixed length block of
message letters (plaintext) and a key (not necessarily the same
length), and produces a block of ciphertext of the same length
as the plaintext.
• The key is reused for different plaintext blocks
• Typical block sizes (value of n): 64 bits, 128 bits
• Complex modes of operation are used in practice
• Key sizes (value of k): 56 bits (DES), 128/192/256 bits (AES)
Common Block Cipher Design Approach
• Iterative cipher
– start with a simple but useful function f
– iterate f for many rounds until the result is “secure”
– F: a Feistel structure is quite common (e.g., DES)
Figure: message → F → F → … → F → ciphertext.
Block Cipher Operation (Simplified)
Figure: a block of plaintext passes through a layer of S-boxes, then some secret key bits are added; this is repeated for several rounds and yields a block of ciphertext.
• Add some secret key bits to provide confusion
• Each S-box permutes its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext)
• Procedure must be reversible (for decryption)
Block Cipher Principles
• needed since must be able to decrypt
ciphertext to recover messages efficiently
• block ciphers look like an extremely large
substitution
• instead create from smaller building blocks
• using idea of a product cipher
Data Encryption Standard (DES)
• DES was adopted as a US federal standard
for commercial encryption in 1975.
• Feistel Cipher: the fundamental building
block of DES designed by IBM.
• Design requirements:
– must provide high level of security (commercial
standard)
– Security must not depend on secrecy of the
algorithm (Kerckhoffs’ principle)
– Must be easily and economically implemented
Overview of DES
C = DES (K, M)
• Block size = 64 bits
• Key size = 56 bits
• Number of rounds = 16
• IP: initial permutation
• IP^-1: the inverse of IP
• f: a nonlinear function
• Ki: round i subkey (48 bits)
• Each Feistel block can be described as
Li = Ri-1
Ri = Li-1 ⊕ f(Ri-1, Ki)
The Initial Permutation
How to read this table?
The 58th bit of input x will be
the 1st bit of output IP(x), the
50th bit of x is the second bit
of IP(x), etc.
• Do not affect security.
• As far as anyone can tell, it makes things awkward for 1975-era general-purpose computers.
(DES predates 16-bit or 32-bit microprocessor busses)
Feistel Transformation Block
• In Round i,
– Separate the message block into two 32-bit halves, Li and Ri
– Introduce confusion by using a “complex” nonlinear function f
– f has two inputs: Ri and a 48-bit round key, Ki
– Introduce diffusion by “adding” Li and the output of f
• DES(K, ·) is a sequence of Feistel transforms.
Li+1 = Ri
Ri+1 = Li ⊕ f(Ri, Ki+1)
Figure: one Feistel transform. The right half and the round key Ki+1 enter f; the output of f is XORed into the left half, and the two halves are swapped.
Nonlinear Function f in Feistel
Transformation
f(R, K) : (32 bits, 48 bits) → 32 bits
– expand R to 48 bits R’ using permutation and
repetition
– XOR R’ with K
– subdivide the result into 8 blocks of 6 bits each
– each 6-bit block goes through an S-box to
produce 4 bits
– permute the 32-bit string
Figure: the function f inside one round. The 32-bit right half is expanded to 48 bits, XORed with the 48-bit round key, split into eight 6-bit groups that enter S1 … S8 (4 bits out of each), and the resulting 32 bits are permuted and XORed into the left half to form the new right half; the old right half becomes the new left half.
Expansion Permutation
• Output bits 32, 1, 2, 3, 4, 5, then 4, 5 again,
and so on.
• For each output group of six bits (one row in
the E table), the two outer bits select a row
of an S-box, and the four bits in the middle
choose the substitution value.
The S-Box Substitution
• There are eight S-boxes.
• Each takes 6 bits to 4 bits.
• Take the 6-bit input b1, b2, b3, b4, b5, b6
• Interpret b1 b6 as a row number, between 0 and 3.
• Interpret b2 b3 b4 b5 as a column number, 0 through 15.
S-box 1 (rows indexed by bits 1 and 6, columns by the value formed by bits 2, 3, 4, and 5):
b1 b6 \ b2b3b4b5   0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
0  0              14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
0  1               0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
1  0               4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
1  1              15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13
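Added example (not from the slides): a Python rendering of the S-box lookup and the expansion E from the two previous slides. S1 is the table above; the `sbox`, `expansion_table`, `expand` and `min_output_change` helpers are constructed here, and the last one checks the design rule that flipping one S-box input bit changes at least two output bits.

```python
# DES S-box 1 (constructed here from the slide's table) and the expansion E.
# Rows of S1 are indexed by the outer bits b1 b6, columns by the inner bits b2 b3 b4 b5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(box, six_bits):
    """Map a 6-bit input b1..b6 (b1 = MSB) to 4 bits: row = b1 b6, column = b2 b3 b4 b5."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be 6 bits")
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]

def expansion_table():
    """E (32 -> 48 bits) as 48 one-based input bit positions.

    Group g (0..7) emits input bits 4g, 4g+1, ..., 4g+5 wrapping mod 32, so the
    table reads 32 1 2 3 4 5, 4 5 6 7 8 9, ..., 28 29 30 31 32 1: each 4-bit
    chunk of R is framed by one bit borrowed from each neighbouring chunk.
    """
    return [((4 * g + j - 1) % 32) + 1 for g in range(8) for j in range(6)]

def expand(r32):
    """Apply E to a 32-bit integer (bit 1 is the most significant, as in FIPS 46)."""
    out = 0
    for pos in expansion_table():
        out = (out << 1) | ((r32 >> (32 - pos)) & 1)
    return out

def min_output_change(box):
    """Fewest output bits that change when exactly one input bit is flipped.

    The DES S-boxes were designed so that this is at least 2 (the avalanche
    effect on the Security of DES slide); a table that fails it would have
    low-diffusion structure a cryptanalyst could exploit.
    """
    best = 4
    for x in range(64):
        for bit in range(6):
            diff = sbox(box, x) ^ sbox(box, x ^ (1 << bit))
            best = min(best, bin(diff).count("1"))
    return best
```

The input 011011 is the worked example from FIPS 46: row 01, column 1101 = 13, giving S1 output 5 (0101).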
A Summary of One DES Round
DES Key Schedule
(Subkey Generation)
Figure: DES key schedule. The 8-byte key has 8 parity check bits, leaving a 56-bit key K. Permutation P1 splits K into C0 and D0 (28 bits each). In round i, C and D are each cyclically shifted (the number of shifts depends on i) to give Ci and Di; permutation P2 reduces the 56 bits to the 48-bit subkey Ki (K1 shown).
Security of DES
• Avalanche Effect
– Change in one input bit produces independent
changes in at least two output bits
• Bit Independence
– No dependence on the changes of input bits with
the changes of output bits
• Number of rounds
– 15 or fewer rounds make cryptanalytic attacks
against reduced-round DES easier than brute force
key search (which needs to try a total of 2^56 keys
in the worst case)
• Security of DES mainly relies on the
nonlinearity of the f (i.e. the S-boxes)
DES Controversy
• When DES was proposed as a standard in 1975, there was
considerable criticism.
• One objection to DES concerned the S-boxes: all computations in
DES, with the exception of the S-boxes, are linear. The S-boxes,
being the non-linear component of the cryptosystem, are vital to its
security. However, the design criteria of the S-boxes are not
completely known.
• Due to the NSA collaboration, several people have suggested that the
S-boxes might contain hidden “trapdoors” which would allow the NSA
to decrypt messages while maintaining that DES is “secure”. It is of
course, impossible to disprove such an assertion, but no evidence has
come to light that indicates that trapdoors in DES do in fact exist.
• The most pertinent criticism of DES is the reduction of key length
from the original 112 bits down to 56 bits.
• The size of the keyspace, 2^56, is “too small” to be really secure.
Exhaustive Key Search
• Given a plaintext x and corresponding ciphertext y, every
possible key would be tested until a key K is found such that
EK(x) = y
Note: there may be more than one such key K.
• Total number of keys = 2^56 ≈ 7.2 × 10^16 keys
• Assuming a speed of 10^6 encryptions per second, it would need
more than 1000 years to break DES.
• Diffie and Hellman postulated in 1977 that a DES cracking
machine with 10^6 processors, each of which could test 10^6 keys per
second, could be built for about US$20M.
– This machine could break DES in about 10 hours.
Exhaustive Key Search
• In 1993, Michael Wiener presented a pipelined chip which does 16
encryptions simultaneously and tests 5 × 10^7 DES keys per second.
• Each chip could be built for US$10 using current technology.
• A frame consisting of 5760 chips can be built for $100K.
Machine Unit Cost            Expected Time
$100,000                     35 hours
$1,000,000 (10 frames)       3.5 hours
$10,000,000 (100 frames)     21 minutes
• In 1997, the cost was cut by a factor of 6
• A software version of the DES cracking effort can be found at
http://www.distributed.net/des/
• Current record: 22 hrs and 15 mins to break DES by the distributed
software cracking effort.
How to strengthen DES?
Triple DES and DESX
• Triple DES: two 56-bit keys
Figure: M → DES under K1 → DES^-1 under K2 → DES under K1 → C
• DESX: three 56-bit keys
C = K3 ⊕ DES(K2, M ⊕ K1)
Figure: M ⊕ K1 → DES under K2 → ⊕ K3 → C
• Similar security to DES against differential cryptanalysis and linear
cryptanalysis
• But much harder to break using exhaustive key search than DES.
DES Replacements
• The most popular DES replacements in US are RC2, RC4
and RC5.
• The first two are used by SSL version 3.
• The most popular DES replacement in Europe is IDEA
• The most popular DES replacement in Japan is FEAL-N.
• AES (Advanced Encryption Standard) is the ‘official’
replacement of DES.
• The AES algorithm is called Rijndael.
Overview of Rijndael
• Rijndael: the algorithm chosen for AES (Advanced Encryption
Standard)
• Both the key size and the block size may be chosen to be any of
128, 192, or 256 bits, although AES only requires the key size to
be selectable from these lengths, and the block size is fixed
to be 128 bits long.
• Number of rounds is a function of the block and key length:
– 10 rounds if both the block and the key are 128 bits long;
– 12 rounds if either the block or the key is 192 bits long, and neither
of them is longer than that;
– 14 rounds if either the block or the key is 256 bits long.
• From their Web page:
If you’re Dutch, Flemish, Indonesian, Surinamer or South-African, it’s
pronounced like you think it should be. Otherwise, you could pronounce
it like “Reign Dahl”, “Rain Doll”, “Rhine Dahl”. We’re not picky. As long as
you make it sound different from “Region Deal”.
Rijndael Round Function
• Fully byte-oriented
– good for both software and hardware implementations
• Rijndael is composed of
1. An initial XOR step (AddRoundKey)
2. Regular round transformations (or rounds)
3. Final round
• Each regular round involves four steps:
1. ByteSub
2. ShiftRow
3. MixColumn
4. AddRoundKey
• The final round is a regular round but with MixColumn
omitted.
The Round Transformation
• ByteSub: each byte of the data block is substituted according to
values given in an S-Box.
• ShiftRow: rows (except the first row) of the State are cyclically
shifted left independently.
• MixColumn
• AddRoundKey
http://www.nist.gov/aes
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
Rijndael Wrap Up
• The Rijndael algorithm is not a Feistel system
• In a Feistel system, half of the bits are moved but not
changed during each round.
• In Rijndael, all bits are treated uniformly. This has the
effect of diffusing the input bits faster.
• It can be shown that two rounds are sufficient to obtain
full diffusion, namely, each of the 128 output bits depends
on each of the 128 input bits.
• So far, there is no known attack that beats brute force for
seven or more rounds. It was felt that four extra rounds
provide a large enough margin of safety.
• Of course, the number of rounds could easily be increased
if needed.
Operation Modes
• How to encrypt a plaintext which is longer than
the size of a cipher block?
– E.g. using AES to encrypt a 1024-bit plaintext
• How to encrypt a plaintext which is not a multiple
of the cipher block size?
– E.g. using AES to encrypt a 129-bit plaintext
Electronic Codebook Mode (ECB)
Ci = DES(K, Mi)
• Each block is encoded independently using the same key
• Padding is needed
• Used to transmit fixed length messages, e.g. a session key
• One bit transmission error affects one cipher block
• Repeated plaintext blocks produce the same cipher blocks
• Not frequently used in practice
– Why?
Figure: M1, M2, …, Mt are each encrypted with DES under the same key K to give C1, C2, …, Ct.
Cipher Block Chaining (CBC)
• Goal: repeated plaintext blocks produce different ciphertext blocks
Ci = DES(K, Mi ⊕ Ci-1)
• An initialization vector (IV = C0) is used for randomization
• Padding is required
• If one bit of M1 is changed, all subsequent blocks will be affected
– can be used for constructing a MAC (Message Authentication Code)
• Keep the IV secret to strengthen the security of the system
• Generally used for block oriented transmission
Figure: M1 ⊕ IV is encrypted with DES under K to give C1; M2 ⊕ C1 is encrypted under K to give C2; and so on.
Counter Mode
• Goal: to eliminate padding and error propagation
– use the block cipher as a pseudorandom bit generator
• Encryption algorithm:
– Encrypt a known string of numbers in ECB mode,
producing a string of output blocks DES(K, Ii)
– Compute Ci = Mi ⊕ DES(K, Ii)
• One bit transmission error spoils one bit only
Figure: the counter blocks I1, I2, …, It are each encrypted with DES under K and XORed with M1, M2, …, Mt to give C1, C2, …, Ct.
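Added example (not from the slides): a toy Feistel block cipher driven in ECB, CBC and counter mode, serving both the Feistel Transformation slide and the three operation-mode slides. The round function `f` and the key schedule `subkeys` are constructed stand-ins (truncated SHA-256) for DES’s f and P1/P2 schedule; the point is that decryption reuses the same network with the subkeys reversed even though f is not invertible, that ECB repeats ciphertext blocks where CBC does not, and that a one-bit error in counter mode spoils one bit only. Messages for ECB/CBC are assumed to be a multiple of 8 bytes (no padding is implemented); KEY, IV and MSG are sample values.

```python
import hashlib
BLOCK = 8  # toy 64-bit block split into two 32-bit halves, like DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(right, subkey):
    # Constructed, non-invertible round function: DES uses E, S-boxes and P here.
    return hashlib.sha256(subkey + right).digest()[:4]

def feistel(block, keys):
    L, R = block[:4], block[4:]
    for k in keys:                     # L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        L, R = R, xor(L, f(R, k))
    return R + L                       # undo the final swap so decryption is the same network

def subkeys(key, rounds=16):
    # Constructed key schedule; DES derives 16 48-bit subkeys by rotating C and D.
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]

def enc_block(key, m):
    return feistel(m, subkeys(key))

def dec_block(key, c):
    return feistel(c, subkeys(key)[::-1])   # same rounds, subkeys in reverse order

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_enc(key, msg):                 # C_i = E(K, M_i): equal plaintext blocks repeat in C
    return b"".join(enc_block(key, m) for m in blocks(msg))

def cbc_enc(key, iv, msg):             # C_i = E(K, M_i XOR C_{i-1}), C_0 = IV
    out, prev = [], iv
    for m in blocks(msg):
        prev = enc_block(key, xor(m, prev))
        out.append(prev)
    return b"".join(out)

def cbc_dec(key, iv, ct):              # M_i = D(K, C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(dec_block(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce, data):       # C_i = M_i XOR E(K, I_i); no padding, decrypts itself
    ks = (enc_block(key, nonce[:4] + i.to_bytes(4, "big")) for i in range(len(blocks(data))))
    return b"".join(xor(m, k) for m, k in zip(blocks(data), ks))

KEY, IV, MSG = b"toy-key!", bytes(8), b"ATTACK!!" * 2   # sample values; MSG repeats one block
```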
Comparison on Symmetric Encryption
Algorithm
Algorithm
Strength
Features (Key length)
3DES
Strong
64, 112, 168
AES
Strong
128, 192, 256
IDEA (International Strong
Data Encryption
Algorithm)
Blowfish
Weak
RC4
Weak
RC5
Strong
64, 128
32, 448
32, 64, 128
CPSC415 Biometrics and Cryptography
40
Problems with Symmetric Encryption
• A single key must be shared by each sender and receiver pair. In a
distributed environment with a large number of such pairs in a
many-to-one communication topology, it is difficult for the one
recipient to keep so many keys in order to support all communication.
• Key management: setting up and acquiring the secret key.
• The integrity of data can be compromised because the
receiver cannot verify that the message has not been
altered before receipt.
• It is possible for the sender to repudiate the message
because there is no mechanism for the receiver to make
sure that the message has been sent by the claimed sender.