Transcript DES.ppt

Cryptography and Network Security
Chapter 6
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 6 – Block Cipher Operation
Many savages at the present day regard
their names as vital parts of themselves,
and therefore take great pains to conceal
their real names, lest these should give to
evil-disposed persons a handle by which
to injure their owners.
— The Golden Bough, Sir James George Frazer
Multiple Encryption & DES
• clear a replacement for DES was needed
  • theoretical attacks that can break it
  • demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple encryption with DES implementations
• Triple-DES is the chosen form
Double-DES?
• could use 2 DES encrypts on each block
  C = EK2(EK1(P))
• issue of reduction to single stage
• and have "meet-in-the-middle" attack
  • works whenever use a cipher twice
  • since X = EK1(P) = DK2(C)
  • attack by encrypting P with all keys and store
  • then decrypt C with keys and match X value
  • can show takes O(2^56) steps
Triple-DES with Two-Keys
• hence must use 3 encryptions
  • would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
  C = EK1(DK2(EK1(P)))
  • nb encrypt & decrypt equivalent in security
  • if K1=K2 then can work with single DES
• standardized in ANSI X9.17 & ISO8732
• no current known practical attacks
  • several proposed impractical attacks might become basis of future attacks
Triple-DES with Three-Keys
• although there are no practical attacks on two-key Triple-DES, there are some indications of weakness
• can use Triple-DES with Three-Keys to avoid even these
  C = EK3(DK2(EK1(P)))
• has been adopted by some Internet applications, eg PGP, S/MIME
Modes of Operation
• block ciphers encrypt fixed size blocks
  • eg. DES encrypts 64-bit blocks with 56-bit key
• need some way to en/decrypt arbitrary amounts of data in practice
• NIST SP 800-38A defines 5 modes
• have block and stream modes
• to cover a wide variety of applications
• can be used with any block cipher
• To apply a block cipher in a variety of applications, five "modes of operation" have been defined by NIST (SP 800-38A).
• In essence, a mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream.
• The five modes are intended to cover a wide variety of applications of encryption for which a block cipher could be used.
• These modes are intended for use with any symmetric block cipher, including triple DES and AES.
Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
  Ci = EK(Pi)
• uses: secure transmission of single values
Electronic Codebook (ECB) (figure slide)
Advantages and Limitations of ECB
• message repetitions may show in ciphertext
  • if aligned with message block
  • particularly with data such as graphics
  • or with messages that change very little, which become a code-book analysis problem
• weakness is due to the encrypted message blocks being independent
• main use is sending a few blocks of data
• For lengthy messages, the ECB mode may not be secure.
• If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.
• If the message has repetitive elements, with a period of repetition a multiple of b bits, then these elements can be identified by the analyst.
• This may help in the analysis or may provide an opportunity for substituting or rearranging blocks.
• Hence ECB is not appropriate for any quantity of data, since repetitions can be seen, esp. with graphics,
• and because the blocks can be shuffled/inserted without affecting the en/decryption of each block.
• Its main use is to send one or a very few blocks, eg a session encryption key
Cipher Block Chaining (CBC)
• message is broken into blocks
• linked together in encryption operation
• each previous cipher block is chained with current plaintext block, hence name
• use Initial Vector (IV) to start process
  Ci = EK(Pi XOR Ci-1)
  C-1 = IV
• uses: bulk data encryption, authentication
Message Padding
• at end of message must handle a possible last short block
  • which is not as large as blocksize of cipher
  • pad either with known non-data value (eg nulls)
  • or pad last block along with count of pad size
    eg. [b1 b2 b3 0 0 0 0 5]
    means have 3 data bytes, then 5 bytes pad+count
• this may require an extra entire block over those in message
• there are other, more esoteric modes, which avoid the need for an extra block
Advantages and Limitations of CBC
• a ciphertext block depends on all blocks before it
• any change to a block affects all following ciphertext blocks
• need Initialization Vector (IV)
  • which must be known to sender & receiver
  • if sent in clear, attacker can change bits of first block, and change IV to compensate
  • hence IV must either be a fixed value (as in EFTPOS) or must be sent encrypted in ECB mode before rest of message
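As an added example (not from the slides): the count-byte padding above, ECB and CBC encryption over a constructed toy block cipher standing in for DES, and a count of repeated ciphertext blocks that shows why repetitions leak in ECB but not in CBC. The cipher, key, IV and message are all constructed for the demonstration.

```python
import hashlib
BS = 8  # block size in bytes, DES-sized like the slides' examples

def E(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for DES: a 4-round Feistel on one block with a SHA-256
    round function. It is a keyed permutation, which is all the modes need."""
    l, r = block[:BS // 2], block[BS // 2:]
    for rnd in range(4):
        l, r = r, bytes(x ^ y for x, y in zip(l, hashlib.sha256(key + bytes([rnd]) + r).digest()))
    return l + r

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(msg: bytes) -> bytes:
    """Zero bytes followed by a count byte, as in [b1 b2 b3 0 0 0 0 5]. A message
    that already fills its last block still gets a whole extra block of padding."""
    n = BS - len(msg) % BS  # 1..BS bytes of pad plus count
    return msg + bytes(n - 1) + bytes([n])

def unpad(padded: bytes) -> bytes:
    n = padded[-1] if padded else 0
    # reject a malformed count or non-zero filler instead of returning garbage
    if not 1 <= n <= BS or padded[-n:-1] != bytes(n - 1):
        raise ValueError("bad padding")
    return padded[:-n]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Ci = EK(Pi): each block is encrypted on its own
    return b"".join(E(key, pt[i:i + BS]) for i in range(0, len(pt), BS))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Ci = EK(Pi XOR Ci-1), with C-1 = IV
    out, prev = [], iv
    for i in range(0, len(pt), BS):
        prev = E(key, xor(pt[i:i + BS], prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (what an analyst would count)."""
    blocks = [ct[i:i + BS] for i in range(0, len(ct), BS)]
    return len(blocks) - len(set(blocks))

# Constructed sample: a repetitive message, six identical blocks then a short tail.
KEY, IV = b"demo-key", bytes(BS)  # fixed IV only so the output is reproducible
MSG = b"ABCDEFGH" * 6 + b"XYZ"
ECB_REPEATS = repeated_blocks(ecb_encrypt(KEY, pad(MSG)))      # 5: the structure shows
CBC_REPEATS = repeated_blocks(cbc_encrypt(KEY, IV, pad(MSG)))  # 0: chaining hides it
```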
Stream Modes of Operation
• block modes encrypt entire block
  • may need to operate on smaller units
  • real time data
• convert block cipher into stream cipher
  • cipher feedback (CFB) mode
  • output feedback (OFB) mode
  • counter (CTR) mode
• use block cipher as some form of pseudorandom number generator
Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8, 64 or 128 etc) to be fed back
  • denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• most efficient to use all bits in block (64 or 128)
  Ci = Pi XOR EK(Ci-1)
  C-1 = IV
• uses: stream data encryption, authentication
Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block encryption after every n-bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
• A possible problem is that if it's used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks (since the current block feeds as input to create the random bits for the next).
• So either must use over a reliable network transport layer (typical) or use OFB/CTR.
Output FeedBack (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name)
• feedback is independent of message
• can be computed in advance
  Oi = EK(Oi-1)
  Ci = Pi XOR Oi
  O-1 = IV
• uses: stream encryption on noisy channels
Advantages and Limitations of OFB
• needs an IV which is unique for each use
  • if ever reuse attacker can recover outputs
• bit errors do not propagate
• disadvantage: more vulnerable to message stream modification
• sender & receiver must remain in sync, or all data is lost
• only use with full block feedback
  • subsequent research has shown that only full block feedback (ie OFB-64 or OFB-128) should ever be used
• eg satellite TV transmissions etc
Counter (CTR)
• a "new" mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a same key & different counter value for every plaintext block (never reused)
  Oi = EK(i)
  Ci = Pi XOR Oi
• uses: high-speed network encryptions, ATM (asynchronous transfer mode) network security and IP security
Advantages and Limitations of CTR
• efficiency
  • can do parallel encryptions in h/w or s/w
  • can preprocess in advance of need
  • good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter values, otherwise could break (cf OFB)
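An added example, not part of the slides, that implements full-block CFB, OFB and CTR over a constructed toy block cipher (the same kind of stand-in used for the ECB/CBC example) and then measures what one corrupted ciphertext bit does on decryption in each mode, the error-propagation difference the CFB and OFB slides describe. The key, IV and message are constructed sample values, and the CTR counter block is a nonce half joined to a block index, which is an assumption of this example.

```python
import hashlib
BS = 8  # full-block feedback on an 8-byte cipher (CFB-64 / OFB-64 on the slides)

def E(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in block cipher (4-round Feistel, SHA-256 round function).
    Only the encrypt direction is defined: these modes use it at both ends."""
    l, r = block[:BS // 2], block[BS // 2:]
    for rnd in range(4):
        l, r = r, bytes(x ^ y for x, y in zip(l, hashlib.sha256(key + bytes([rnd]) + r).digest()))
    return l + r

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes) -> list:
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # Ci = Pi XOR EK(Ci-1); the receiver feeds back the ciphertext it received
    out, prev = [], iv
    for blk in blocks(data):
        out.append(xor(blk, E(key, prev)))
        prev = blk if decrypt else out[-1]
    return b"".join(out)

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Oi = EK(Oi-1), Ci = Pi XOR Oi; the keystream never depends on the message
    out, o = [], iv
    for blk in blocks(data):
        o = E(key, o)
        out.append(xor(blk, o))
    return b"".join(out)

def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Oi = EK(nonce || i), Ci = Pi XOR Oi; blocks are independent, so random access works
    return b"".join(xor(blk, E(key, nonce[:BS // 2] + i.to_bytes(BS // 2, "big")))
                    for i, blk in enumerate(blocks(data)))

def error_propagation(mode: str) -> list:
    """Flip one ciphertext bit in block 0, decrypt, and return the number of wrong
    plaintext bits per block (constructed key, IV and 4-block message). CFB: one bit
    wrong in block 0, block 1 garbled, blocks 2-3 resync; OFB and CTR: only the one bit."""
    key, iv, pt = b"demo-key", b"\x01" * BS, b"the quick brown fox jumps over.."
    enc, dec = {"cfb": (lambda p: cfb(key, iv, p), lambda c: cfb(key, iv, c, decrypt=True)),
                "ofb": (lambda p: ofb(key, iv, p), lambda c: ofb(key, iv, c)),
                "ctr": (lambda p: ctr(key, iv, p), lambda c: ctr(key, iv, c))}[mode]
    ct = bytearray(enc(pt)); ct[0] ^= 0x01  # a single-bit transmission error
    rec = dec(bytes(ct))
    return [sum(bin(a ^ b).count("1") for a, b in zip(p, r)) for p, r in zip(blocks(pt), blocks(rec))]
```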
XTS-AES Mode
• new mode, for block oriented storage use
  • in IEEE Std 1619-2007
• concept of tweakable block cipher
• different requirements to transmitted data
• uses AES twice for each block
  Tj = EK2(i) XOR α^j
  Cj = EK1(Pj XOR Tj) XOR Tj
  where i is the tweak (one per sector) & j is the block number within the sector
• each sector may have multiple blocks
Storage Encryption Requirements
• The requirements for encrypting stored data, also referred to as "data at rest", differ somewhat from those for transmitted data.
• The P1619 standard was designed to have the following characteristics:
1. The ciphertext is freely available for an attacker. Among the circumstances that lead to this situation:
  a. A group of users has authorized access to a database. Some of the records in the database are encrypted so that only specific users can successfully read/write them. Other users can retrieve an encrypted record but are unable to read it without the key.
  b. An unauthorized user manages to gain access to encrypted records.
  c. A data disk or laptop is stolen, giving the adversary access to the encrypted data.
2. The data layout is not changed on the storage medium and in transit. The encrypted data must be the same size as the plaintext data.
3. Data are accessed in fixed sized blocks, independently from each other. That is, an authorized user may access one or more blocks in any order.
4. Encryption is performed in 16-byte blocks, independently from other blocks (except the last two plaintext blocks of a sector, if its size is not a multiple of 16 bytes).
  • only exception occurs when the last block has less than 128 bits. In that case, the last two blocks are encrypted/decrypted using a ciphertext-stealing technique instead of padding
5. There are no other metadata used, except the location of the data blocks within the whole data set.
6. The same plaintext is encrypted to different ciphertexts at different locations, but always to the same ciphertext when written to the same location again.
7. A standard conformant device can be constructed for decryption of data encrypted by another standard conformant device
• Key: The 256 or 512 bit XTS-AES key; this is parsed as a concatenation of two fields of equal size called Key1 and Key2, such that Key = Key1 || Key2
• Pj: The jth block of plaintext. All blocks except possibly the final block have a length of 128 bits. A plaintext data unit, typically a disk sector, consists of a sequence of plaintext blocks P1, P2, ..., Pm.
• Cj: The jth block of ciphertext. All blocks except possibly the final block have a length of 128 bits.
• j: The sequential number of the 128-bit block inside the data unit.
• i: The value of the 128-bit tweak. Each data unit (sector) is assigned a tweak value that is a nonnegative integer. The tweak values are assigned consecutively, starting from an arbitrary nonnegative integer.
• α: A primitive element of GF(2^128) that corresponds to the polynomial x (i.e., 0000...010 in binary).
• α^j: α multiplied by itself j times, in GF(2^128).
• XOR: Bitwise XOR.
• Multiplication: Modular multiplication of two polynomials with binary coefficients modulo x^128 + x^7 + x^2 + x + 1. Thus, this is multiplication in GF(2^128).
• Encryption of block j is function of:
  • 128 bit keys K1 and K2
  • "Tweak" value i
    • Each sector assigned different tweak value consecutively (like counter in CTR mode)
  • Multiplier α^j
    • α = 000…00010 (that is, x in GF(2^128))
    • α^j = α multiplied by itself j times mod x^128 + x^7 + x^2 + x + 1
    • Different for each block j in sector i
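An added worked example of the XTS tweak arithmetic, not from the slides or from IEEE 1619: α^j computed by repeated multiply-by-x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1, Tj = EK2(i) XOR α^j, and one block encrypted and decrypted. The block cipher is a constructed toy stand-in for AES, and the big-endian encoding of i and of the polynomial is an assumption made for readability (the standard specifies little-endian byte order).

```python
import hashlib

def E(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for AES on a 16-byte block (4-round Feistel with a
    SHA-256 round function); the XTS arithmetic around it is the point here."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, bytes(x ^ y for x, y in zip(l, hashlib.sha256(key + bytes([rnd]) + r).digest()))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E: run the Feistel rounds backwards."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = bytes(x ^ y for x, y in zip(r, hashlib.sha256(key + bytes([rnd]) + l).digest())), l
    return l + r

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# GF(2^128) elements as ints with bit k = coefficient of x^k, so alpha = x = 0b10.
MODULUS_TAIL = 0x87  # x^7 + x^2 + x + 1: what x^128 reduces to mod x^128 + x^7 + x^2 + x + 1

def mul_alpha(v: int) -> int:
    v <<= 1
    if v >> 128:  # degree reached 128: subtract (XOR) the modulus
        v ^= (1 << 128) | MODULUS_TAIL
    return v

def alpha_pow(j: int) -> int:
    """alpha^j: alpha multiplied by itself j times in GF(2^128)."""
    v = 1
    for _ in range(j):
        v = mul_alpha(v)
    return v

def tweak(k2: bytes, i: int, j: int) -> bytes:
    """Tj = EK2(i) XOR alpha^j. Big-endian encoding of i and of the polynomial is an
    assumption for readability; IEEE 1619 specifies little-endian byte order."""
    t = int.from_bytes(E(k2, i.to_bytes(16, "big")), "big") ^ alpha_pow(j)
    return t.to_bytes(16, "big")

def xts_encrypt_block(k1: bytes, k2: bytes, i: int, j: int, pj: bytes) -> bytes:
    t = tweak(k2, i, j)
    return xor(E(k1, xor(pj, t)), t)  # Cj = EK1(Pj XOR Tj) XOR Tj

def xts_decrypt_block(k1: bytes, k2: bytes, i: int, j: int, cj: bytes) -> bytes:
    t = tweak(k2, i, j)
    return xor(D(k1, xor(cj, t)), t)  # Pj = DK1(Cj XOR Tj) XOR Tj
```

Ciphertext stealing for a sector whose size is not a multiple of 16 bytes is not shown; every block here is a full 128 bits.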
Advantages and Limitations of XTS-AES
• efficiency
  • can do parallel encryptions in h/w or s/w
  • random access to encrypted data blocks
• has both nonce & counter
• addresses security concerns related to stored data
Summary
• Multiple Encryption & Triple-DES
• Modes of Operation
  • ECB, CBC, CFB, OFB, CTR, XTS-AES