Cryptography -- Block Ciphers
Anita Jones
CS451 Information Security
Copyright(C) Anita Jones
Overview
terms and principles
Claude Shannon
Feistel cipher
DES
September, 2006
A few terms
block cipher
block of plaintext is treated as a whole &
used to produce a ciphertext block of equal
length
typical size: 64 bits
most modern ciphers are block ciphers
stream cipher
digital data is encrypted one bit (or one unit)
at a time
In both cases, plaintext is transformed incrementally
Symmetric ciphers
Symmetric implies ONE key
Secret key shared by sender &
receiver
Background
ideally want one extremely large substitution
not practical since would need a table with
2^64 entries in it for a 64-bit block
so approximate the ideal by constructing
from smaller building blocks
Basis of modern ciphers
Claude Shannon ('45) - information theory
product cipher
perform two or more ciphers in sequence so
that result (product) is cryptographically
stronger than any component cipher
alternate confusion & diffusion
virtually all significant symmetric block
ciphers currently in use are of this type
Shannon’s strategy
thwart cryptanalysis that is based on
statistical analysis
hacker has some knowledge of statistical
characteristic of plaintext
if statistics are reflected in ciphertext, then
analyst may be able to deduce encryption
key, or part of it
in Shannon’s ideal cipher, statistics of
ciphertext are independent of plaintext
Shannon’s building blocks
confusion
make relation between statistics of ciphertext
and the value of the encryption key as
complex as possible
diffusion
diffuse statistical property of plaintext digit
across a range of ciphertext digits
i.e. each plaintext digit affects value of many
ciphertext digits
Shannon’s building blocks
Shannon proposed product ciphers with
two components
S-Boxes -- substitution
providing confusion of input bits
P-Boxes -- permutation
providing diffusion across S-box inputs
n rounds of S-P boxes
S-box (substitution)
[Figure: a 3-bit input selects one of the values 0-7, the substitution maps it to another of the values 0-7, and that value is encoded as the 3-bit output]
Word size of 3 bits => mapping of 2^3 = 8 values
Note: mapping can be reversed
P-box (permutation)
[Figure: 4-bit input with its bit positions permuted. Example 1: a general permutation. Example 2: swap two halves of input]
Note: reversible
S-P networks
alternate S and P boxes
BUT, in practice we must decrypt as well
as encrypt
so define the sequence of boxes so that
precisely the same system will decrypt as
well as encrypt
just run it backwards
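An added example (not part of the original slides) of an S-P network built from a 3-bit S-box and a P-box, decrypted by running the inverse boxes backwards. The table values, the round keys and the XOR key-mixing step are assumptions made for the illustration.

```python
# Toy 12-bit S-P network. All tables and keys are constructed for illustration.
SBOX = [3, 6, 0, 5, 7, 1, 4, 2]                 # 3-bit substitution on the values 0..7
PBOX = [0, 3, 6, 9, 1, 4, 7, 10, 2, 5, 8, 11]   # output bit i is input bit PBOX[i]
ROUND_KEYS = [0x5A3, 0x0F1, 0xC27]              # one 12-bit key per round

def invert(table):
    """Return the inverse table; only a bijection can be reversed."""
    if sorted(table) != list(range(len(table))):
        raise ValueError("table is not a bijection, so it has no inverse")
    inv = [0] * len(table)
    for i, v in enumerate(table):
        inv[v] = i
    return inv

INV_SBOX, INV_PBOX = invert(SBOX), invert(PBOX)

def substitute(block, sbox):
    """Apply the 3-bit S-box to each of the four 3-bit words of the block."""
    out = 0
    for word in range(4):
        out |= sbox[(block >> (3 * word)) & 0b111] << (3 * word)
    return out

def permute(block, pbox):
    """Move input bit pbox[i] to output position i."""
    out = 0
    for i, src in enumerate(pbox):
        out |= ((block >> src) & 1) << i
    return out

def encrypt(block, round_keys=ROUND_KEYS):
    for k in round_keys:                        # key mix, then S layer, then P layer
        block = permute(substitute(block ^ k, SBOX), PBOX)
    return block

def decrypt(block, round_keys=ROUND_KEYS):
    for k in reversed(round_keys):              # undo P, undo S, undo key mix
        block = substitute(permute(block, INV_PBOX), INV_SBOX) ^ k
    return block

if __name__ == "__main__":
    c = encrypt(0b101100111000)
    print(f"{c:012b} -> {decrypt(c):012b}")
```

Decryption here needs separate inverse tables for every box, which is the cost the Feistel construction on the following slides avoids.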
Feistel cipher
input plaintext of 2w bits
key K = n sub-keys: K1, K2, …, Kn
sequence of n “rounds” each using Ki
substitution followed by a permutation
apply function F(Ki) to right half of data,
then exclusive-OR it to left half of data
permutation: interchange two result halves
of data
DES is essentially a Feistel cipher
Feistel cipher
Multiple rounds
round i input is L_{i-1}, R_{i-1}
L_i = R_{i-1}
R_i = L_{i-1} XOR F(R_{i-1}, K_i)
L – left portion of intermediate data
R – right …..
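[Figure: Feistel network. The plaintext (2w bits) is split into two w-bit halves L0 and R0. Each of rounds 1 through n applies F with that round's sub-key (K1 ... Kn) to the right half and combines the result (+) with the left half, giving L1, R1 and so on to Ln, Rn. The final halves Ln+1, Rn+1 form the ciphertext (2w bits)]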
Feistel cipher dependencies
block size – increasing size increases
security – 64 bits common
key size – increasing size improves security,
– 128 bits common
number of rounds – 16 is typical
subkey generation – complex generation
makes cryptanalysis harder
round function – complex function is stronger
… but all increases slow the implementation
Feistel decryption
same as encryption, except
ciphertext is input
use keys in reverse order
at each round the output is equal to the
corresponding value of the encryption
process with the two halves of the value
swapped
final permutation (swap) realigns 2 halves
History of DES
DES – Data Encryption Standard
Horst Feistel at IBM developed LUCIFER
about 1971, sold to Lloyds of London
Nat’l Bureau of Standards issued request
for national cipher standard
IBM submitted (refined) LUCIFER
NSA worked with IBM to refine cipher
adopted in 1977 by Nat’l Bureau of Stds.
DES Characteristics
Plaintext is 64 bits long
16 rounds
Key length is 56 bits
16 sub-keys generated, one used in each round
DES algorithm is a variant of the Feistel
algorithm
DES cipher
[Figure: DES structure. The plaintext (64 bits) passes through an initial permutation, round 1 through round n using sub-keys K1 ... Kn, a 32-bit swap and an inverse permutation to give the ciphertext (64 bits). The 56-bit key is permuted, then for each round goes through a left circular shift and a permutation to produce that round's sub-key]
round i input is L_{i-1}, R_{i-1}
L_i = R_{i-1}
R_i = L_{i-1} XOR F(R_{i-1}, K_i)
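One DES Round
[Figure: one DES round. L_{i-1} and R_{i-1} are 32 bits each. R_{i-1} goes through an expansion/permutation to 48 bits, is combined (x) with the 48-bit K_i, passes through the S-box stage down to 32 bits and then a 32-bit permutation, and is combined (x) with L_{i-1} to give R_i. L_i is R_{i-1}]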
Key property
avalanche
small change in plaintext or in key produces
significant change in ciphertext
test for avalanche
encrypt two plaintext blocks that differ only in
one bit
about half the (ciphertext) bits will differ
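An added example (not part of the original slides) covering both the Feistel encryption/decryption slides and the avalanche test above: a 64-bit Feistel network whose decryption is the same code with the sub-keys reversed, plus a one-bit-flip avalanche measurement. The SHA-256 based round function and key schedule are hypothetical stand-ins chosen for the illustration, not DES.

```python
import hashlib

W = 32                       # half-block width w; the block is 2w = 64 bits
MASK = (1 << W) - 1

def subkeys(key: bytes, n: int):
    """Hypothetical key schedule: derive sub-keys K1..Kn by hashing key || i."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(1, n + 1)]

def F(right: int, k: bytes) -> int:
    """Toy round function. It is not invertible; a Feistel network does not need it to be."""
    h = hashlib.sha256(k + right.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big")

def feistel(block: int, keys) -> int:
    """Rounds of L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i), then the final swap."""
    left, right = block >> W, block & MASK
    for k in keys:
        left, right = right, left ^ F(right, k)
    return (right << W) | left           # final swap realigns the two halves

def encrypt(block: int, key: bytes, rounds: int = 16) -> int:
    return feistel(block, subkeys(key, rounds))

def decrypt(block: int, key: bytes, rounds: int = 16) -> int:
    return feistel(block, subkeys(key, rounds)[::-1])   # same network, keys in reverse order

def avalanche(key: bytes, plaintext: int, rounds: int) -> float:
    """Average number of ciphertext bits that change when one plaintext bit is flipped."""
    base = encrypt(plaintext, key, rounds)
    flips = [bin(base ^ encrypt(plaintext ^ (1 << b), key, rounds)).count("1")
             for b in range(2 * W)]
    return sum(flips) / len(flips)

if __name__ == "__main__":
    key, pt = b"constructed-key", 0x0123456789ABCDEF    # constructed sample values
    ct = encrypt(pt, key)
    print(f"ciphertext {ct:016x}, decrypts to {decrypt(ct, key):016x}")
    for r in (1, 2, 4, 16):
        print(f"{r:2d} rounds: {avalanche(key, pt, r):5.1f} of 64 bits differ on average")
```

With a single round a flipped bit in the left half changes only one output bit, so the average stays well below 32; it approaches half the block only after several rounds.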
DES controversy
DES choice was intensely criticized:
original LUCIFER key length was 128 bits, and
DES used 56 bit key (to fit on chip, they said)
critics feared brute force attacks
design criteria for the S-boxes were classified,
so users not sure that internal structure was
free of hidden weak points that might let NSA
break cipher
DES status
no weak points have surfaced
DES is widely used
1994, NIST reaffirmed DES for federal use
NIST recommends DES use for all except
classified information
generally considered a sound standard
Need more security: use Triple DES
Future: Advanced Encryption Standard (AES)
Cryptanalysis of DES
increased computing speed has made a 56
bit key susceptible to exhaustive key search
demonstrated breaks:
1997 – taking a few months, a large network of
computers broke DES
1998 – Electronic Frontier Foundation broke
DES in a few days on dedicated hardware
1999 – break accomplished in 22 hours
in practice DES is used, and works
1997 break
RSA issued reward of $10,000 for finding a
DES key, given ciphertext for known and
unknown plaintext
solution found in 96 days – involved 70,000
computers on the Internet
an embarrassingly parallel problem – just
divide the key space being searched (brute
force) each time a new computer joins in
found the key after searching 1/4 key space
So, how does the Prez talk?
STU-III:
http://webhome.idirect.com/~jproc/crypto/stuiii.html
http://www.tscm.com/stu.html
“A STU-III operates by taking an audio signal and digitizing it into a serial data stream (usually 8,000 bits per second). This is then mixed with a "keying stream" of data created by an internal ciphering algorithm. This mixed data is then passed through an internal CODEC to convert it back to audio so it can be passed over the phone lines. STU-IIIs also allow a serial data stream to pass through the phone and into the ciphering engine to allow its usage as an encrypted modem when not being used for voice. The "keying stream" is a polymorphic regenerating mathematic algorithm which takes an initialization key and mathematically morphs it into a bit stream pattern. The "keying stream" is created by the "Key Generator" and is the actual heart of the STU. A portion of the "keying stream" is then mixed back into the original key, and the process repeated. The result is a pseudo-random bit stream that if properly implemented is extremely difficult (but not impossible) to decrypt.”
Source: http://www.tscm.com/stu.html
Model for cryptography-revisit
[Figure: model for cryptography. Two principals exchange a message over an info channel, each applying a security transform that uses secret information. A trusted 3rd party arbitrates and distributes secret information. An opponent is shown against the channel]