Transcript DES.ppt
Cryptography and Network Security
Chapter 6
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown
Chapter 6 – Block Cipher Operation
Many savages at the present day regard their names as vital parts of themselves,
and therefore take great pains to conceal their real names, lest these should give to
evil-disposed persons a handle by which to injure their owners.
— The Golden Bough, Sir James George Frazer
Multiple Encryption & DES
clear a replacement for DES was needed
theoretical attacks that can break it
demonstrated exhaustive key search attacks
AES is a new cipher alternative
prior to this alternative was to use multiple encryption with DES implementations
Triple-DES is the chosen form
Double-DES?
could use 2 DES encrypts on each block
C = E_K2(E_K1(P))
issue of reduction to single stage
and have “meet-in-the-middle” attack
works whenever use a cipher twice
since X = E_K1(P) = D_K2(C)
attack by encrypting P with all keys and store
then decrypt C with keys and match X value
can show takes O(2^56) steps
Triple-DES with Two-Keys
hence must use 3 encryptions
would seem to need 3 distinct keys
but can use 2 keys with E-D-E sequence
C = E_K1(D_K2(E_K1(P)))
nb encrypt & decrypt equivalent in security
if K1=K2 then can work with single DES
standardized in ANSI X9.17 & ISO8732
no current known practical attacks
several proposed impractical attacks might become basis of future attacks
Triple-DES with Three-Keys
although there are no practical attacks on two-key Triple-DES, there are some indications of weakness
can use Triple-DES with Three-Keys to avoid even these
C = E_K3(D_K2(E_K1(P)))
has been adopted by some Internet applications, eg PGP, S/MIME
Modes of Operation
block ciphers encrypt fixed size blocks
eg. DES encrypts 64-bit blocks with 56-bit key
need some way to en/decrypt arbitrary amounts of data in practice
NIST SP 800-38A defines 5 modes
have block and stream modes
to cover a wide variety of applications
can be used with any block cipher
To apply a block cipher in a variety of applications, five "modes of operation" have been defined by NIST (SP 800-38A). In essence, a mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream.
The five modes are intended to cover a wide variety of applications of encryption for which a block cipher could be used. These modes are intended for use with any symmetric block cipher, including triple DES and AES.
Electronic Codebook (ECB)
message is broken into independent blocks which are encrypted
each block is a value which is substituted, like a codebook, hence name
each block is encoded independently of the other blocks
C_i = E_K(P_i)
uses: secure transmission of single values
Electronic Codebook (ECB)
Advantages and Limitations of ECB
message repetitions may show in ciphertext
if aligned with message block
particularly with data such as graphics
or with messages that change very little, which become a code-book analysis problem
weakness is due to the encrypted message blocks being independent
main use is sending a few blocks of data
For lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities. If the message has repetitive elements, with a period of repetition a multiple of b bits, then these elements can be identified by the analyst. This may help in the analysis or may provide an opportunity for substituting or rearranging blocks.
Hence ECB is not appropriate for any quantity of data, since repetitions can be seen, esp. with graphics, and because the blocks can be shuffled/inserted without affecting the en/decryption of each block. Its main use is to send one or a very few blocks, eg a session encryption key.
Cipher Block Chaining (CBC)
message is broken into blocks
linked together in encryption operation
each previous cipher block is chained with current plaintext block, hence name
use Initial Vector (IV) to start process
C_i = E_K(P_i XOR C_{i-1})
C_{-1} = IV
uses: bulk data encryption, authentication
Message Padding
at end of message must handle a possible last short block
which is not as large as blocksize of cipher
pad either with known non-data value (eg nulls)
or pad last block along with count of pad size
eg. [ b1 b2 b3 0 0 0 0 5 ]
means have 3 data bytes, then 5 bytes pad+count
this may require an extra entire block over those in message
there are other, more esoteric modes, which avoid the need for an extra block
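The pad-with-count scheme from the slide above, as an added example (not from the slides), for an 8-byte block as in DES. The final byte holds the total number of pad bytes including itself, which is what lets the receiver strip exactly the right amount; the extra-block case and a strict validity check on unpadding are included.

```python
BLOCK = 8  # DES block size in bytes

def pad(msg: bytes, block: int = BLOCK) -> bytes:
    """Append (n - 1) zero bytes and a final count byte n, 1 <= n <= block.
    A message that already fills its last block gets a whole extra block of
    padding, otherwise the receiver could not tell data from padding."""
    n = block - (len(msg) % block)
    return msg + b"\x00" * (n - 1) + bytes([n])

def unpad(padded: bytes, block: int = BLOCK) -> bytes:
    """Reverse pad(), rejecting anything that is not a well-formed tail:
    wrong length, count out of range, or non-zero filler bytes."""
    if not padded or len(padded) % block:
        raise ValueError("padded data must be a whole number of blocks")
    n = padded[-1]
    if not 1 <= n <= block or any(padded[-n:-1]):
        raise ValueError("invalid padding")
    return padded[:-n]

def is_valid_padding(padded: bytes, block: int = BLOCK) -> bool:
    try:
        unpad(padded, block)
        return True
    except ValueError:
        return False
```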
Advantages and Limitations of CBC
a ciphertext block depends on all blocks before it
any change to a block affects all following ciphertext blocks
need Initialization Vector (IV)
which must be known to sender & receiver
if sent in clear, attacker can change bits of first block, and change IV to compensate
hence IV must either be a fixed value (as in EFTPOS)
or must be sent encrypted in ECB mode before rest of message
Stream Modes of Operation
block modes encrypt entire block
may need to operate on smaller units
real time data
convert block cipher into stream cipher
cipher feedback (CFB) mode
output feedback (OFB) mode
counter (CTR) mode
use block cipher as some form of pseudorandom number generator
Cipher FeedBack (CFB)
message is treated as a stream of bits
added to the output of the block cipher
result is fed back for next stage (hence name)
standard allows any number of bits (1, 8, 64 or 128 etc) to be fed back
denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
most efficient to use all bits in block (64 or 128)
C_i = P_i XOR E_K(C_{i-1})
C_{-1} = IV
uses: stream data encryption, authentication
Advantages and Limitations of CFB
appropriate when data arrives in bits/bytes
most common stream mode
limitation is need to stall while do block encryption after every n-bits
note that the block cipher is used in encryption mode at both ends
errors propagate for several blocks after the error
A possible problem is that if it is used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks (since the current block feeds as input to create the random bits for the next). So either must use over a reliable network transport layer (typical) or use OFB/CTR.
Output FeedBack (OFB)
message is treated as a stream of bits
output of cipher is added to message
output is then fed back (hence name)
feedback is independent of message
can be computed in advance
O_i = E_K(O_{i-1})
C_i = P_i XOR O_i
O_{-1} = IV
uses: stream encryption on noisy channels
Advantages and Limitations of OFB
needs an IV which is unique for each use
if ever reuse attacker can recover outputs
bit errors do not propagate
disadvantage: more vulnerable to message stream modification
sender & receiver must remain in sync, or all data is lost
only use with full block feedback
subsequent research has shown that only full block feedback (ie OFB-64 or OFB-128) should ever be used
eg satellite TV transmissions etc
Counter (CTR)
a “new” mode, though proposed early on
similar to OFB but encrypts counter value rather than any feedback value
must have a same key & different counter value for every plaintext block (never reused)
O_i = E_K(i)
C_i = P_i XOR O_i
uses: high-speed network encryptions, ATM (asynchronous transfer mode) n/w security and IP security
Advantages and Limitations of CTR
efficiency
can do parallel encryptions in h/w or s/w
can preprocess in advance of need
good for bursty high speed links
random access to encrypted data blocks
provable security (good as other modes)
but must ensure never reuse key/counter values, otherwise could break (cf OFB)
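CTR mode as the two slides above describe it, as an added example (not from the slides): keystream precomputed ahead of the data, random access to a single block, and a check showing why the key/counter pair must never be reused (the same hazard the OFB slide notes). CTR uses only the forward direction of the block cipher, so a keyed SHA-256 stands in for E_K here; the counter block layout (8-byte nonce || 8-byte block index) is an assumption of this example.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_block(key: bytes, nonce: bytes, i: int) -> bytes:
    # O_i = E_K(counter_i). counter_i = nonce || i, so (nonce, i) never repeats
    # inside one message. Keyed SHA-256 is the stand-in for the block cipher.
    return hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()[:BLOCK]

def precompute_keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    # keystream depends only on key and counter, so it can be produced before
    # any plaintext exists, and each block independently (in parallel)
    return b"".join(keystream_block(key, nonce, i) for i in range(nblocks))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # C_i = P_i XOR O_i; decryption is the same call. No padding is needed:
    # a short final block just uses the leading bytes of its keystream block.
    return b"".join(
        _xor(data[i:i + BLOCK], keystream_block(key, nonce, i // BLOCK))
        for i in range(0, len(data), BLOCK))

def ctr_decrypt_block(key: bytes, nonce: bytes, ct: bytes, j: int) -> bytes:
    # random access: plaintext block j needs only O_j, nothing before it
    return _xor(ct[j * BLOCK:(j + 1) * BLOCK], keystream_block(key, nonce, j))

def keystream_reuse_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    # True whenever two messages share (key, nonce): C_1 XOR C_2 == P_1 XOR P_2,
    # because the identical keystream cancels and the plaintext relation is exposed.
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    return _xor(c1, c2) == _xor(p1, p2)
```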
XTS-AES Mode
new mode, for block oriented storage use
in IEEE Std 1619-2007
concept of tweakable block cipher
different requirements to transmitted data
uses AES twice for each block
T_j = E_K2(i) ⊗ α^j
C_j = E_K1(P_j XOR T_j) XOR T_j
where i is the tweak (sector number) and j is the block number within the sector
each sector may have multiple blocks
Storage Encryption Requirements
The requirements for encrypting stored data, also referred to as “data at rest”, differ somewhat from those for transmitted data.
The P1619 standard was designed to have the following characteristics:
1. The ciphertext is freely available for an attacker. Among the circumstances that lead to this situation:
a. A group of users has authorized access to a database. Some of the records in the database are encrypted so that only specific users can successfully read/write them. Other users can retrieve an encrypted record but are unable to read it without the key.
b. An unauthorized user manages to gain access to encrypted records.
c. A data disk or laptop is stolen, giving the adversary access to the encrypted data.
2. The data layout is not changed on the storage medium and in transit. The encrypted data must be the same size as the plaintext data.
3. Data are accessed in fixed sized blocks, independently from each other. That is, an authorized user may access one or more blocks in any order.
4. Encryption is performed in 16-byte blocks, independently from other blocks (except the last two plaintext blocks of a sector, if its size is not a multiple of 16 bytes). The only exception occurs when the last block has less than 128 bits. In that case, the last two blocks are encrypted/decrypted using a ciphertext-stealing technique instead of padding.
5. There are no other metadata used, except the location of the data blocks within the whole data set.
6. The same plaintext is encrypted to different ciphertexts at different locations, but always to the same ciphertext when written to the same location again.
7. A standard conformant device can be constructed for decryption of data encrypted by another standard conformant device.
Key :- The 256 or 512 bit XTS-AES key; this is parsed as a concatenation of two fields of equal size called Key1 and Key2, such that Key = Key1 || Key2.
P_j :- The jth block of plaintext. All blocks except possibly the final block have a length of 128 bits. A plaintext data unit, typically a disk sector, consists of a sequence of plaintext blocks P_1, P_2, ..., P_m.
C_j :- The jth block of ciphertext. All blocks except possibly the final block have a length of 128 bits.
j :- The sequential number of the 128-bit block inside the data unit.
i :- The value of the 128-bit tweak. Each data unit (sector) is assigned a tweak value that is a nonnegative integer. The tweak values are assigned consecutively, starting from an arbitrary nonnegative integer.
α :- A primitive element of GF(2^128) that corresponds to the polynomial x (i.e., 0000…010 in binary).
α^j :- α multiplied by itself j times, in GF(2^128).
XOR :- Bitwise XOR.
⊗ :- Modular multiplication of two polynomials with binary coefficients modulo x^128 + x^7 + x^2 + x + 1. Thus, this is multiplication in GF(2^128).
Encryption of block j is function of:
128 bit keys K1 and K2
“Tweak” value i
Each sector assigned different tweak value consecutively (like counter in CTR mode)
Multiplier α^j
α = 000…00010 (that is, x in GF(2^128))
α^j = α multiplied by itself j times mod x^128+x^7+x^2+x+1
Different for each block j in sector i
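The tweak arithmetic from the XTS-AES slides, as an added example (not from the slides or IEEE 1619): multiplication by α in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1, α^j, and the per-block tweaks T_j = E_K2(i) ⊗ α^j for one sector. IEEE 1619 stores field elements little-endian (bit 0 of byte 0 is the x^0 coefficient), which the code follows; since no AES is included, E_K2(i) is represented by a constructed 16-byte value.

```python
POLY_LOW = 0x87  # x^7 + x^2 + x + 1: what x^128 reduces to
MASK128 = (1 << 128) - 1

def mul_alpha(t: bytes) -> bytes:
    # multiply a field element by alpha (= x): shift left one bit and reduce
    # if the x^128 coefficient came out set
    v = int.from_bytes(t, "little") << 1
    if v >> 128:
        v = (v & MASK128) ^ POLY_LOW
    return v.to_bytes(16, "little")

def gf_mul(a: bytes, b: bytes) -> bytes:
    # general GF(2^128) product by shift-and-add, same reduction polynomial
    x, y, r = int.from_bytes(a, "little"), int.from_bytes(b, "little"), 0
    for _ in range(128):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> 128:
            x = (x & MASK128) ^ POLY_LOW
    return r.to_bytes(16, "little")

def alpha_pow(j: int) -> bytes:
    # alpha^j: start from 1 (= alpha^0) and double j times
    t = (1).to_bytes(16, "little")
    for _ in range(j):
        t = mul_alpha(t)
    return t

def tweaks_for_sector(ek2_i: bytes, nblocks: int) -> list:
    # T_j = E_K2(i) (x) alpha^j for j = 0 .. nblocks-1. Each successive tweak is
    # one doubling of the previous, so the full product is never recomputed.
    out, t = [], ek2_i
    for _ in range(nblocks):
        out.append(t)
        t = mul_alpha(t)
    return out
```

A 512-byte sector has 32 AES blocks, so `tweaks_for_sector(E_K2(i), 32)` yields every mask a sector needs from a single AES call on the tweak value.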
Advantages and Limitations of XTS-AES
efficiency
can do parallel encryptions in h/w or s/w
random access to encrypted data blocks
has both nonce & counter
addresses security concerns related to stored data
Summary
Multiple Encryption & Triple-DES
Modes of Operation
ECB, CBC, CFB, OFB, CTR, XTS-AES