chap. 6: contemporary symmetric ciphers jen-chang liu, 2004 adapted from lecture slides by lawrie...
Post on 21-Dec-2015
219 views
TRANSCRIPT
Chap. 6: Contemporary Symmetric Ciphers
Jen-Chang Liu, 2004
Adapted fromLecture slides by Lawrie Brown
"I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and sixty separate ciphers," said Holmes.
—The Adventure of the Dancing Men, Sir Arthur Conan Doyle
Outline
Characteristics of advanced symmetric block cipher
Triple DES Blowfish RC5 RC4 stream cipher
Feistel cipher
• Key• Key length• subkey generation
• block• block length• two halves of block
• no. of round• encryption algorithm
• S-box• XOR
+
+
+
Key features not found in DES
• Key• Key length• subkey generation
• block• block length• two halves of block
• no. of round• encryption algorithm
• S-box• XOR
Variable length key : Blowfish, RC5
Complex subkey generation process: Blowfish
Variable plain/ciphertext block length: RC5Operate on both halves each round: Blowfish, RC5Variable no. of round: RC5
Key-dependent S-box: BlowfishData/key-dependent rotation: RC5Mixed operation: more than one arithmetic and Boolean operations
Outline
Characteristics of advanced symmetric block cipher
Triple DES Blowfish RC5 RC4 stream cipher
Triple DES
clear a replacement for DES was needed theoretical attacks that can break it demonstrated exhaustive key search
attacks AES is a new cipher alternative prior to this alternative was to use
multiple encryption with DES implementations
Double-DES ? why not Double-
DES?56x2=112 bits key
Q1: Is that possible ][]][[312PEPEE KKK
for some K3 ?
Space of mapping
1. The whole space of mapping
64-bit plaintext 64-bit ciphertext
264!
264! > 10347380000000000000000
mapping
2. Space of mapping defined by DES
56-key => 256 mapping
256
256 < 1017
Double-DES is likely to producea new mapping !
Q2: meet-in-the-middle attack
DES: O(256) to attack 2DES: O(2112) to attack?1. Given a (P,C)
2. Encrypt P with 256 keys
K1 X000…00000000…00001000…00010000…00011
…111…11111
0101…01011101…0111
0001…0110
…
…
3. Decrypt C with 256 keys
K2
000…00000000…00001000…00010000…00011
…111…11111
X
0001…0110
…
Match!
Triple-DES
3 DES encryption with 3 keys (56x3=168 bits) Avoid meet-in-the-middle attack with O(256) complexity
E-D-E application of DES: PGP, S/MIME Backward compatible with DES: K3=K2 or
K1=K2
E
3
3
Attack on 3DES Idea: if A and C are known, then it
becomes an attack on double DES
1. Given n known (P,C) pairs
0100…1011001…011…0110…1001001…001
1100…1111011…001…0100…1011101…010
2. Select an arbitrary a for A
a
3. Search 256 keys for K1
K1,1
K1,2
K1,1
K1,2
0110…000
1110…011
4. Search 256 keys for K2
K2
Complexity of attack on 3DES
Brute-force key search: 2112
Known plaintext-ciphertext attack on previous slide:
No practical attack is known for now
n/2120
Outline
Characteristics of advanced symmetric block cipher
Triple DES Blowfish RC5 RC4 stream cipher
Blowfish
a symmetric block cipher designed by Bruce Schneier in 1993/94
Characteristics 64-bit block cipher Variable length key (32 bits to 448 bits) Complex subkey generation Key-dependent S-boxes Simple operations – fast implementation
Modulo 232 addition Bitwise XOR
Subkey and S-box generation
uses a 32 to 448 bit key 1 word = 32 bits, 1 to 14 words
to generate 18 32-bit subkeys stored in P-array
four 256 entry S-boxes, 1 word in each entry
K1, K2, K3, K4, …, Kj1<= j <= 14
P1, P2, P3, P4, …, P18
S1,0, S1,1, S1,2, S1,3, …, S1,255
S2,0, S2,1, S2,2, S2,3, …, S2,255S3,0, S3,1, S3,2, S3,3, …, S3,255
S4,0, S4,1, S4,2, S4,3, …, S4,255
Totally 1024 words
Subkey and S-box generation
1. initialize P-array and then 4 S-boxes using
2. XOR P-array with K-array (reuse as needed)
用用用用用用用用用 P 和 S 陣列P1 = 243F6A88P2 = 85A308D3 … S4,255 = 3AC372E6
P1, P2, P3, P4, … P14, P15, P16, P17, P18
K1, K2, K3, K4, …, K14,K1, K2, K3, K4
+ + + + + + + + +
(Suppose input key is 14 words)
Subkey and S-box generation
3. loop repeatedly encrypting data using current P & S and replace successive pairs of P then S valuesP1, P2 = EP,S [0] 用現在 P,S 值當參數的 Blowfish, 加密 0
更新 P1, P2
P3, P4 = EP,S [P1 || P2]…
S1,0, S1,1 = EP,S [P17 || P18]…
S4,254, S4,255 = EP,S [S4,252 || S4,253]
Totally 521 executions of Blowfish encryption => not suitable for frequent key changes
Discussion
key dependent S-boxes and subkeys, generated using cipher itself, makes analysis very difficult
changing both halves in each round increases security (c.f. Feistel cipher)
brute-force key search is not practical (maximally 448 bits)
Outline
Characteristics of advanced symmetric block cipher
Triple DES Blowfish RC5 RC4 stream cipher
RC5
designed by Ronald Rivest (of RSA fame) used in RSA Data Security, Inc.’s products
can vary key size / data size / no rounds
very clean and simple design easy implementation on various CPUs yet still regarded as secure
RC5 Ciphers
RC5 is a family of ciphers RC5-w/r/b w = word size in bits (16/32/64), block
data=2w r = number of rounds (0..255) b = number of bytes in key (0..255)
nominal version is RC5-32/12/16 i.e. 32-bit words so encrypts 64-bit data
blocks using 12 rounds with 16 bytes (128-bit) secret key
+ +
++
Simple operations:
1. Addition: modulo 2w
2. Bitwise XOR3. Circular shift (rotation): x <<< y, x is left rotate y bits
w w
1. Substitution depends on both words2. Permutation depends on both words3. Substitution depends on key
A Substitution-permutation round:
subkey
(nonlinear and data dependent !!!)
RC5 subkey initialization
e = 2.718281828459… Pw=Odd[(e-2)2w] = B7E1 (16 bits) B7E15163 (32 bits)
= 1.618033988749… Qw=Odd[( -1)2w] = 9E37 (16 bits) 9E3779B9 (32 bits)
S[0] = Pw
for i=1 to t-1 do S[i] = S[i-1] + Qw
/* initialize subkey array */
RC5 Modes
RFC2040 defines 4 modes used by RC5 RC5 Block Cipher, is ECB mode RC5-CBC, is CBC (cipher block chaining)
mode RC5-CBC-PAD, is CBC with padding by
bytes with value being the number of padding bytes
RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original
Plaintext message may not be a multiple of the block size
Summary: Block Cipher Characteristics
features seen in modern block ciphers are: variable key length / block size / no rounds mixed operators, data/key dependent
rotation key dependent S-boxes more complex key scheduling operation of full data in each round varying non-linear functions
Outline
Characteristics of advanced symmetric block cipher
Triple DES Blowfish RC5 RC4 stream cipher
Stream Cipher Properties
some design considerations are: A pseudorandom number generator
produces a deterministic stream that eventually repeats
The period should be long Keystream should approximate a true
random stream Ex. Approximately equal number of 1s and 0s
The key needs to be sufficiently long Ex. 128 bits or longer key to avoid brute-force
attack
Disadvantage of stream cipher
never reuse stream key
Ciphertext 1 = plaintext 1 keystream
Ciphertext 2 = plaintext 2 keystream
Ciphertext 1 Ciphertext 2= (plaintext 1 keystream) (plaintext 2 keystream) = plaintext 1 plaintext 2
If plaintexts are text string, credit card no., or other streams with known properties, then cryptanalysis may be successful
RC4
Designed by Ron Rivest in 1987, owned by RSA DSI
variable key size, byte-oriented stream cipher widely used (web SSL/TLS, wireless WEP)
SSL: secure sockets layer TLS: transport layer security WEP: wired equivalent privacy
Main steps: key forms random permutation of all 8-bit values
(state vector S[0],S[1],…,S[255]) uses that permutation to scramble input info
processed a byte at a time
RC4 Key Schedule
starts with an array S of numbers: 0…255 S forms internal state of the cipher given a key K of length keylen bytes (1 to
256 bytes)
254253
RC4 key scheduling and stream generation
j=0, for i=0 to 255
Plaintext k = ciphertext
i=0, j=0 While(1){ i=i+1 mod 256, …}
RC4 Encryption
encryption continues shuffling array values sum of shuffled pair selects "stream key"
value XOR with next byte of message to en/decrypt
i = j = 0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]