Classical & Contemporary Cryptology: Lecture Five (Dr. Richard Spillman, Pacific Lutheran University)

Post on 20-Dec-2015


Page 1: Classical & Contemporary Cryptology

Dr. Richard Spillman
Pacific Lutheran University

Lecture Five

Page 2: Last Lecture

History

More Transpositions
– Double Column Transposition

Computer Based Encryption

Stream Ciphers
– LFSR
– One Time Pad
– Cellular Automata

Page 3: Review – Stream Cipher

A stream cipher XORs a plaintext stream with a key stream to create a ciphertext stream.

[Diagram: plaintext → XOR (key stream) → XOR (key stream) → plaintext]

The random key stream can be produced by an LFSR, cellular automata, or another random process (such as a modification of a block cipher).

Page 4: Outline

History

RC4 Algorithm

Introduction to Block Ciphers

DES and AES (and others)

Cryptanalysis of Block Ciphers

Page 5: History

Page 6: WW1 – The American Effort

Soon after the American declaration of war in April 1917, Herbert O. Yardley sold the War Department on the idea of starting a cryptologic service called MI-8
– David Stevens, 32, an English instructor at UChicago
– Thomas A. Knot, 37, an associate professor of English at UC
– Charles H. Beeson, 47, associate professor of Latin at UC
– Bliss Luquiens, 41, professor of Spanish at Yale

MI-8 became involved in many activities including
– cryptography
– secret inks
– shorthand translation

Page 7: Secret Inks

The Germans used several kinds of secret inks which could be developed by exposure to heat or by special chemicals
– Allied chemists responded with a reagent that brought out secret writing of any kind because it could detect the fibers of paper which had been disturbed by a wetting action
– Germans responded by writing in a sympathetic ink and then moistening the entire sheet
– Allies responded with a chemical streak test that would detect whether the paper surface had been dampened - who but a spy would dampen paper?
– Eventually, both sides discovered a general reagent that would detect any ink under any conditions

MI-8’s secret ink division, however, was testing over 2,000 letters a week and discovered 50 of major importance including the plans of one spy to import high explosives inside the hollow figures of saints and the Virgin Mary

Page 8: Cryptographic Section

MI-8’s cryptographic section was very successful

One of their most important solutions involved the case of the only German spy condemned to death in the US during WWI.
– Captured in January 1918 in Mexico by a US agent, he had a cipher letter
– Broken by Dr. John Manly who went on to become one of the world’s leading authorities on Chaucer
– After a marathon 3-day effort he broke down the 12 step transposition cipher:

Page 9: The American Black Chamber

After Armistice, Yardley sold both the State Department and the War Department on jointly setting up a permanent cryptography organization
– it became known as the American Black Chamber and was established on July 15, 1919 in NYC
– its first task was to solve the codes of Japan and by 1921, they were regularly reading Japanese telegrams
– In the summer of 1921, they solved telegram 813 of July 5th from the Japanese ambassador in London to Tokyo which contained instructions about the upcoming naval disarmament conference

Page 10: Conference Results

Japan was demanding a tonnage ratio of 10 to 7 with the US when the Black Chamber read what Yardley called the most important telegram he ever solved (0.5 represents 50,000 tons of ship - a battleship and a half)
– “It is necessary to avoid any clash with Great Britain and America, particularly America, in regard to the armament limitation question. You will to the upmost maintain a middle attitude and redouble your efforts to carry out our policy. In case of inevitable necessity you will work to establish your second proposal of 10 to 6.5. If, in spite of your utmost efforts, it becomes necessary in view of the situation and in the interests of general policy to fall back on your proposal no. 3, you will endeavor to limit the power of concentration and maneuver of the Pacific and to make an adequate reservation which will make clear that this is our intention in agreeing to a 10 to 6 ratio.”

What do you think the Americans settled for with Japan?

Page 11: The End of the Black Chamber

Between 1971 and 1929, the American Black Chamber solved more than 45,000 telegrams involving the codes of:
– Argentina, Brazil, Chile, China, Cuba, England, France, Germany, Japan, Liberia, Mexico, Peru, USSR, Spain, ...
– They even started on the codes used by the Vatican

It all ended on Oct 31, 1929 after Henry L. Stimson, Hoover’s Secretary of State, received some solutions from the Black Chamber. He said “Gentlemen do not read each other’s mail”

Page 12: RC4

Page 13: RC4

RC4 was developed by Ron Rivest of MIT (one of the developers of RSA, a cipher that will be covered later)
– It is perhaps the most widely used stream cipher in the world
  – Microsoft Windows
  – Lotus Notes
  – the SSL (Secure Sockets Layer) protocol to protect Internet traffic
  – the Wireless Equivalent Privacy (WEP) system used to protect wireless links.
– One advantage of RC4 is that it can be easily implemented in software.

Page 14: Procedure

RC4 uses an arrangement of the numbers 0 to 255 (8 bits each) in an array S which changes over time

It consists of two processes
– A Key Scheduling Algorithm (KSA) to set up the initial permutation of S
– A pseudo-random generation algorithm (PRGA) to randomly select elements of S and modify the permutation of S

Page 15: Key Scheduling Algorithm 1

KSA begins by initializing S such that S(i) = i for i = 0 to 255.

A secret key is constructed by selecting a set of numbers which are loaded into a key array K(0 to 255)
– The usual process is to select a short sequence of numbers and repeat them until K is filled

Page 16: Key Scheduling Algorithm 2

The key array is used to randomize S based on the following algorithm:

    j = 0
    for i = 0 to 255 do
        j = j + S(i) + K(i) (mod 256)
        swap(S(i), S(j))

Page 17: PRGA

Once the KSA has completed the initial randomization of S, the PRGA takes over and selects bytes for the key stream by selecting random elements of S and modifying S for the next selection.
– The selection process relies on two indices i and j which both start at 0.
– The following program is run to select each byte of the key stream:

    i = i + 1 (mod 256)
    j = j + S(i) (mod 256)
    swap(S(i), S(j))
    t = S(j) + S(i) (mod 256)
    k = S(t)

Page 18: Example

A simple example of RC4 will be constructed using 3 bit representations (the numbers range from 0 to 7) and mod 8 operations (instead of mod 256).

Initialize S (S array):

    index: 0 1 2 3 4 5 6 7
    S:     0 1 2 3 4 5 6 7

Select key: 5, 6, 7 (K array):

    index: 0 1 2 3 4 5 6 7
    K:     5 6 7 5 6 7 5 6

Use the key to randomize S:

    i = 0, j = 0
    j = (0 + S(0) + K(0)) mod 8
    j = (0 + 0 + 5) mod 8 = 5
    Swap 0 and 5

    i = 1, j = 5
    j = (5 + S(1) + K(1)) mod 8
    j = (5 + 1 + 6) mod 8 = 4
    Swap 1 and 4

Final S array:

    index: 0 1 2 3 4 5 6 7
    S:     5 4 0 7 1 6 3 2

Page 19: Random Numbers

Now, the S array is ready to be used to produce a sequence of random numbers.
– With i and j starting at 0, RC4 calculates the first random number as follows:

    index: 0 1 2 3 4 5 6 7
    S:     5 4 0 7 1 6 3 2

    i = (i + 1) mod 8 = (0 + 1) mod 8 = 1
    j = (j + S(i)) mod 8 = (0 + S(1)) mod 8 = (0 + 4) mod 8 = 4
    Swap S(1) and S(4)
    t = (S(i) + S(j)) mod 8 = (S(1) + S(4)) mod 8 = (1 + 4) mod 8 = 5
    k = S(t) = S(5) = 6
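
The KSA and PRGA from the preceding slides as runnable Python, added here as an example and not part of the lecture: the modulus `n` is a parameter, so `n=8` reproduces the 3-bit walk-through with key 5, 6, 7 and `n=256` is byte-wide RC4. The function names and the `n` parameter are this example's own choices.

```python
"""RC4 with a configurable modulus: n=8 is the lecture's 3-bit toy, n=256 is real RC4."""


def ksa(key, n=256):
    """Key Scheduling Algorithm: build the initial permutation S of 0..n-1."""
    if not key or any(not 0 <= k < n for k in key):
        raise ValueError("key must be a non-empty sequence of values in 0..n-1")
    S = list(range(n))                          # S(i) = i
    K = [key[i % len(key)] for i in range(n)]   # short key repeated until K is filled
    j = 0
    for i in range(n):
        j = (j + S[i] + K[i]) % n
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, n=256):
    """Pseudo-random generation algorithm: yield key stream values forever."""
    S = list(S)      # work on a copy so the caller's KSA result is left untouched
    i = j = 0
    while True:
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % n]


def keystream(key, count, n=256):
    """First `count` key stream values for `key`."""
    gen = prga(ksa(key, n), n)
    return [next(gen) for _ in range(count)]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the key stream (its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, prga(ksa(key))))


if __name__ == "__main__":
    toy_key = [5, 6, 7]                          # the key chosen on the Example slide
    print("toy S after KSA :", ksa(toy_key, n=8))
    print("toy key stream  :", keystream(toy_key, 4, n=8))
    ciphertext = rc4(b"Key", b"Plaintext")       # widely published RC4 test vector
    print("RC4 ciphertext  :", ciphertext.hex())
    print("decrypted       :", rc4(b"Key", ciphertext))
```

RC4 is shown here to study the algorithm; RFC 7465 prohibits its use in TLS.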

Page 20: Using CAP

CAP uses RC4 to implement a stream cipher

Page 21: Block Ciphers

Page 22: Cipher Structures

[Diagram: tree of cipher structures with branches Classical, Stream and Block. Labels shown: Transposition (Column, ...), Substitution (monoalphabetic, polyalphabetic), the ciphers Shift, Affine, Keyword, MultiLiteral, Vigenere, Hill and Nihilist, and RC4 under Stream.]

Page 23: Block Cipher

Today’s most widely used ciphers are in the class of Block Ciphers
– Define a block of computer bits which represent several characters
– Encipher the complete block at one time

[Diagram: Block of Bits → Algorithm (KEY) → Block of Bits]

Page 24: Modes of Operation

Before examining the details of any specific block cipher algorithm, it is useful to consider how such algorithms are used

There are 3 operational modes:
– Electronic Code Book (ECB)
– Cipher Block Chaining (CBC)
– Output Feedback Mode (OFM)

These modes have become international standards for implementing any block cipher

Page 25: Electronic Code Book

Simplest mode of operation
– each block is enciphered into a ciphertext block using one key

[Diagram: message blocks M1, M2, ..., Mm each pass through Ek under the same Key to give C1, C2, ..., Cm]

Problem: if Mi = Mj then Ci = Cj

Page 26: Cipher Block Chaining

The input to each block stage is the current block XORed with the previous stage cipher block

[Diagram: M1, M2, ..., Mm each enter Ek under the Key to give C1, C2, ..., Cm]

Page 27: Output Feedback Mode

The block cipher is used as a stream cipher
– it produces the random key stream

[Diagram: Ri → Ek (KEY) → Ri+1; Mi → Ci]
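
The three modes above as an added Python example (not from the lecture): E_k is TEA, a small 64-bit block cipher chosen here only because the standard library has no DES or AES, and the key, IV and message are constructed sample values. CBC and OFB start from an IV, which the slide diagrams do not show.

```python
"""ECB, CBC and OFB built around one 64-bit block cipher E_k (TEA as a stand-in)."""
import struct

BLOCK = 8                                   # bytes per block (64 bits, as in DES)
DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF


def _mix(v, ka, kb, s):
    return ((v << 4) + ka) ^ (v + s) ^ ((v >> 5) + kb)


def encrypt_block(block, key):
    """E_k: TEA encryption of one 8-byte block under a 16-byte key."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + _mix(v1, k[0], k[1], s)) & MASK
        v1 = (v1 + _mix(v0, k[2], k[3], s)) & MASK
    return struct.pack(">2I", v0, v1)


def decrypt_block(block, key):
    """D_k: the inverse of encrypt_block (needed only by CBC decryption)."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - _mix(v0, k[2], k[3], s)) & MASK
        v0 = (v0 - _mix(v1, k[0], k[1], s)) & MASK
        s = (s - DELTA) & MASK
    return struct.pack(">2I", v0, v1)


def split(data):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of the block size (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(msg, key):
    """C_i = E_k(M_i): every block is enciphered independently."""
    return b"".join(encrypt_block(m, key) for m in split(msg))


def cbc_encrypt(msg, key, iv):
    """C_i = E_k(M_i XOR C_{i-1}), with C_0 = IV."""
    out, prev = [], iv
    for m in split(msg):
        prev = encrypt_block(xor(m, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct, key, iv):
    """M_i = D_k(C_i) XOR C_{i-1}."""
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def ofb_xor(data, key, iv):
    """R_{i+1} = E_k(R_i), C_i = M_i XOR R_{i+1}; the same call decrypts."""
    out, r = [], iv
    for i in range(0, len(data), BLOCK):
        r = encrypt_block(r, key)
        out.append(xor(data[i:i + BLOCK], r))
    return b"".join(out)


def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier one (the ECB problem)."""
    blocks = split(ct)
    return len(blocks) - len(set(blocks))


# Constructed sample values; a real IV must be fresh for every message.
KEY = bytes(range(16))
IV = bytes.fromhex("0f1e2d3c4b5a6978")
MSG = b"ACCT=42." + b"00000000" * 2 + b"BAL=0000"     # blocks 2 and 3 are equal

if __name__ == "__main__":
    for name, ct in (("ECB", ecb_encrypt(MSG, KEY)),
                     ("CBC", cbc_encrypt(MSG, KEY, IV)),
                     ("OFB", ofb_xor(MSG, KEY, IV))):
        print(name, [b.hex() for b in split(ct)], "repeats:", repeated_blocks(ct))
```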

Page 28: General Structure

In 1973, Feistel suggested a form of product cipher that has become the architecture of choice for almost all symmetric block ciphers in use today.
– The overall process involves several stages of a substitution followed by a transposition.
– The master key is subdivided into a set of subkeys – one for each stage.
– At each stage the data block is divided into a left and a right segment, the segments are swapped, and one segment is mixed with the subkey for that stage.
– Another name for this type of cipher is a substitution-permutation (SP) cipher.

Page 29: Feistel Cipher

A single stage of the Feistel cipher looks like:

[Diagram labels: Plaintext; Left Side, Right Side; Key ("Creates the subkey for each stage"); F; Substitution; Permutation; New Left Side, New Right Side]

Page 30: Cipher Evaluation

Any new cipher must be secure against attacks but as ciphers become more complicated (such as the class of block ciphers) how can we be reasonably confident that they can protect our valuable data?
– The real answer to this problem is that we can never be sure that a cipher is secure.
– The best way to gain some confidence in a new cipher is to allow the security community to test it.

There are some features that a cipher must possess if it is to be accepted by the users.
– First, of course, the key space must be large enough to make a brute force attack impossible or at least too expensive to mount.

Page 31: Algorithm Strength

Algorithm strength is a subjective judgment call. Several factors are considered including:
– The plaintext cannot be derived from the ciphertext without use of the key.
– There should be no plaintext attack that is better than a brute force attack.
– Knowledge of the algorithm should not reduce the strength of the cipher.
– The algorithm should include substitutions and permutations under the control of both the input data and the key.
– Redundant bit groups in the plaintext should be totally obscured in the ciphertext.
– The length of the ciphertext should be the same length as the plaintext.
– Any possible key should produce a strong cipher.

Page 32: Avalanche Condition

One of the most important strength criteria is the avalanche condition: there should be no correlation between any input bits or key bits and the output bits.
– This is important because if someone started trying different keys, they should not be able to tell if they are close (within a few bits) to the actual key.
– There are two versions of the avalanche condition:
  – Strict plaintext avalanche criterion (SPAC): each bit of the ciphertext block should change with the probability of one half whenever any bit of the plaintext block is complemented.
  – Strict key avalanche criterion (SKAC): for a fixed plaintext block, each bit of the ciphertext block changes with a probability of one half when any bit of the key changes.

Page 33: DES Example

    Input:    ...............................................................*  1
    Permuted: .......................................*........................  1
    Round 1:  .......*........................................................  1
    Round 2:  .*..*...*.....*........................*........................  5
    Round 3:  .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18
    Round 4:  ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28
    Round 5:  *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29
    Round 6:  ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26
    Round 7:  *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..*
    Round 8:  *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*...
    Round 9:  ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...**
    Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*..
    Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...*
    Round 12: *..***....*...*.*.*.***...****....******......*..******....*....
    Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****..
    Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*.
    Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.**
    Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.*
    Output:   ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.
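
An added Python example (not the lecturer's code and not DES) covering the Feistel stage and the avalanche slides together: it traces a 16-stage Feistel cipher the way the DES table above does, then estimates SPAC and SKAC by sampling. The round function and subkey derivation use SHA-256 as a stand-in, and all names, keys, seeds and trial counts are this example's assumptions.

```python
"""A Feistel cipher traced stage by stage, plus sampled SPAC and SKAC estimates."""
import hashlib
import random

HALF = 32                        # bits in each half of the 64-bit block
MASK = (1 << HALF) - 1


def subkeys(master, rounds):
    """One subkey per stage, derived from the master key (SHA-256 is an assumption)."""
    return [hashlib.sha256(bytes([r]) + master).digest() for r in range(rounds)]


def F(right, subkey):
    """Round function mixing one half with the stage subkey (a stand-in, not DES's F)."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def trace(block, master, rounds=16):
    """Encrypt a 64-bit integer block and return the state after every stage."""
    left, right = block >> HALF, block & MASK
    states = []
    for sk in subkeys(master, rounds):
        left, right = right, left ^ F(right, sk)   # swap halves, mix one with subkey
        states.append((left << HALF) | right)
    return states


def encrypt(block, master, rounds=16):
    return trace(block, master, rounds)[-1]


def decrypt(block, master, rounds=16):
    """Same structure run backwards with the subkeys in reverse order."""
    left, right = block >> HALF, block & MASK
    for sk in reversed(subkeys(master, rounds)):
        left, right = right ^ F(left, sk), left
    return (left << HALF) | right


def diff_rows(block, master, bit, rounds=16):
    """Complement one plaintext bit; return the XOR of the two states per stage."""
    a = trace(block, master, rounds)
    b = trace(block ^ (1 << bit), master, rounds)
    return [x ^ y for x, y in zip(a, b)]


def render(diff):
    """Draw a 64-bit difference as the lecture's table does: '*' is a changed bit."""
    return format(diff, "064b").translate(str.maketrans("01", ".*"))


def flip_rates(diffs):
    """For each of the 64 output bits, the fraction of trials in which it changed."""
    return [sum((d >> i) & 1 for d in diffs) / len(diffs) for i in range(64)]


def spac(master, rounds=16, trials=400, seed=1):
    """SPAC estimate: flip one random plaintext bit per trial, key fixed."""
    rng = random.Random(seed)
    diffs = []
    for _ in range(trials):
        p, bit = rng.getrandbits(64), rng.randrange(64)
        diffs.append(encrypt(p, master, rounds) ^ encrypt(p ^ (1 << bit), master, rounds))
    return flip_rates(diffs)


def skac(plain, rounds=16, trials=400, seed=2):
    """SKAC estimate: flip one random bit of a 64-bit key per trial, plaintext fixed."""
    rng = random.Random(seed)
    diffs = []
    for _ in range(trials):
        key = rng.getrandbits(64)
        flipped = key ^ (1 << rng.randrange(64))
        diffs.append(encrypt(plain, key.to_bytes(8, "big"), rounds)
                     ^ encrypt(plain, flipped.to_bytes(8, "big"), rounds))
    return flip_rates(diffs)


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")        # constructed sample key
    for n, d in enumerate(diff_rows(0, key, bit=0), start=1):
        print(f"Round {n:2}: {render(d)} {bin(d).count('1'):2}")
    for name, rates in (("SPAC, 16 stages", spac(key)),
                        ("SKAC, 16 stages", skac(0)),
                        ("SPAC, 1 stage  ", spac(key, rounds=1))):
        print(f"{name}: flip rate min {min(rates):.2f}, max {max(rates):.2f}")
```

With a single stage the minimum flip rate falls far below one half, which is the failure the strict criteria are meant to rule out.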

Page 34: Classical &ontemporyryptology 1 CryptologyCryptology Dr. Richard Spillman Pacific Lutheran University Dr. Richard Spillman Pacific Lutheran University

34

CClassicallassical &&ontemporyontemporyryptologyryptology

DES, AES, and Others


Data Encryption Standard

In the mid-70’s the US government decided that a powerful standard cipher system was necessary.
– The National Bureau of Standards put out a request for the development of such a cipher.
– Several companies went to work and submitted proposals. The winner was IBM with their cipher system called Lucifer.
– With some modifications suggested by the National Security Agency, in 1977, Lucifer became known as the Data Encryption Standard or DES.
– It has since been replaced by the Advanced Encryption Standard (AES)


Basic Structure

DES works on 64 bit blocks of plaintext using a 56 bit key to produce 64 bit blocks of ciphertext.
– It is a substitution-permutation cipher with 16 SP stages.

The key for DES is an arbitrary 56 bit string of 0’s and 1’s
– there are 2^56 possible strings (greater than 10^16)
– often it is given as a 7 letter word

DES expands this key to 64 bits by adding 8 additional 0’s and 1’s
– bits 8, 16, 24, 32, 40, 48, 56, and 64 are added so that each 8 bit block has odd parity (odd number of 1’s)
– the key is divided, shifted, and shuffled 16 times to form 16 different (but related) subkeys each of which is 48 bits long


Key Generation

Each of the 16 stages uses a 48 bit subkey which is derived from the initial 64 bit key.
– The key passes through a PC-1 block (Permuted Choice 1) which extracts the original 56 bits supplied by the user.
– The 56 bits are divided into left and right halves. Each half is shifted left by 1 or 2 bit positions (it varies depending on the stage).
– The new 56 bits are compressed using PC-2 (Permuted Choice 2) by throwing out 8 bits to create the 48 bit key for the given stage.

[Diagram: 64 bit key, PC-1, 28 bit C0 and 28 bit D0, Left Shift on each half, 28 bit C1 and 28 bit D1, Left Shift on each half, PC-2, K1]


DES Stages

Each stage of DES performs the same set of operations using a different subkey acting on the output of the previous stage.
– Those operations are defined in three “boxes” called the expansion box (Ebox), the substitution box (Sbox), and the permutation box (Pbox).


Example Stage

[Diagram: one DES stage. Inputs are the Left 32 bits and the Right 32 bits. The Right 32 bits pass through the E Box (48 bits), an XOR with 48 bits from the Key Box (fed by the 56 bit Key), the S Boxes (32 bits) and the P Box (32 bits); the result is XORed with the Left 32 bits.]

The E-Box expands (from 32 to 48 bits) and permutes

The E-Box output is XORed with part of the key

There are 8 S-Boxes and each one accepts 6 bits of input and produces 4 bits of output

The P-Box is a simple permutation

Finally, the left side is XORed with the result and both sides are passed on to the next round


E-Box

The EBox expands its 32-bit input into 48 bits by duplicating some of the input bits.

EBox (input: the Right 32 bits, numbered 1 to 32; each row lists the input bits copied to six output bits):

32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Note the duplication


S-Boxes

The SBoxes are the real source of the power of DES.
– There are 8 different Sboxes
– Each Sbox accepts 6-bits of input and produces 4-bits of output.
– An Sbox has 16 columns and 4 rows where each element in the box is a 4-bit block usually given in its decimal representation.

Column:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
Row 0:  14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
Row 1:   0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
Row 2:   4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
Row 3:  15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13


Working with the S-Boxes

Each 6-bit input to an S-Box is divided into a row and a column index.
– The row index is given by bits 1 and 6 and the bits 2 to 5 supply the column index.
– The output of the S-Box is the value stored at the addressed row/column

S2

Column:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
Row 0:  15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
Row 1:   3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
Row 2:   0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
Row 3:  13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

Input: 0 1 1 1 1 0

Row 0, Column 15: the stored value is 10

Output: 1 0 1 0
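The row/column lookup above, combined with the E-Box duplication from the earlier slide, as an added example that is not code from the lecture or from CAP. S1 holds the values of the unlabelled table on the S-Boxes slide, S2 is the table above, and the all-zero right half and subkey are constructed inputs; all function names belong to this example.

```python
# E-Box from the slide: entry i names the right-half bit (1-based) copied to output bit i.
E_BOX = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
         8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
         16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
         24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

# Values of the unlabelled table on the S-Boxes slide (DES S-box 1), rows 0..3.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
# S2 as shown on the "Working with the S-Boxes" slide, rows 0..3.
S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]


def expand(right_bits):
    """Apply the E-Box: 32 bits in, 48 bits out (lists of 0/1)."""
    if len(right_bits) != 32:
        raise ValueError("the E-Box takes exactly 32 bits")
    return [right_bits[p - 1] for p in E_BOX]


def sbox_lookup(sbox, six_bits):
    """Bits 1 and 6 select the row, bits 2 to 5 the column; returns 4 output bits."""
    if len(six_bits) != 6:
        raise ValueError("an S-Box takes exactly 6 bits")
    row = (six_bits[0] << 1) | six_bits[5]
    col = (six_bits[1] << 3) | (six_bits[2] << 2) | (six_bits[3] << 1) | six_bits[4]
    value = sbox[row][col]
    return [(value >> shift) & 1 for shift in (3, 2, 1, 0)]


def min_output_change(sbox):
    """Fewest output bits that change when exactly one of the 6 input bits flips."""
    fewest = 4
    for x in range(64):
        bits = [(x >> (5 - i)) & 1 for i in range(6)]
        out = sbox_lookup(sbox, bits)
        for i in range(6):
            flipped = bits.copy()
            flipped[i] ^= 1
            changed = sum(a != b for a, b in zip(out, sbox_lookup(sbox, flipped)))
            fewest = min(fewest, changed)
    return fewest


def first_two_sboxes(right_bits, subkey_bits):
    """E-Box, XOR with the subkey, then S1 and S2 on the first two 6-bit groups."""
    mixed = [e ^ k for e, k in zip(expand(right_bits), subkey_bits)]
    return sbox_lookup(S1, mixed[0:6]) + sbox_lookup(S2, mixed[6:12])


def flip_effect(bit_position):
    """Output bits of S1||S2 that change when one right-half bit (1-based) flips."""
    zero_right = [0] * 32    # constructed input
    zero_subkey = [0] * 48   # constructed subkey
    flipped = zero_right.copy()
    flipped[bit_position - 1] ^= 1
    before = first_two_sboxes(zero_right, zero_subkey)
    after = first_two_sboxes(flipped, zero_subkey)
    return sum(a != b for a, b in zip(before, after))


if __name__ == "__main__":
    print("S2(011110) =", sbox_lookup(S2, [0, 1, 1, 1, 1, 0]))
    print("min change S1/S2:", min_output_change(S1), min_output_change(S2))
    # Bit 2 feeds only S1; bit 4 is duplicated by the E-Box into S1 and S2.
    print("bit 2 flips", flip_effect(2), "output bits; bit 4 flips", flip_effect(4))
```

Bits that the E-Box duplicates reach two S-Boxes at once, which is why a single changed bit spreads as quickly as the round-by-round DES Example chart shows.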


P-Box

After the S-Box operation there are just 32-bits remaining which are rearranged according to the permutation table:

PBox (input: the SBox Outputs, numbered 1 to 32):

16  7 20 21
29 12 28 17
 1 15 23 26
 5 18 31 10
 2  8 24 14
32 27  3  9
19 13 30  6
22 11  4 25


Final Step

The final operation places the original RHS 32-bits on the LHS and XORs the original LHS with the 32-bit output of the Pbox

This process is repeated 16 times using a different subkey each time


DES Implementations

DES could be used in any one of the three standard block cipher implementation modes: OFM, CBC, or ECB.
– However DES is no longer a secure cipher.
– Hence, alternative implementations of DES have been suggested in an effort to improve its overall security. The most common is called Triple-DES.
– Triple-DES comes in two versions, one uses three keys and the other only uses two keys.

The three key version first encrypts the message with Key1, decrypts the result with Key2, and finally encrypts that with K3

The two key version uses the same steps where K3 = K1.

[Diagram: M, E (Key1), D (Key2), E (Key3)]


Using CAP

CAP provides an implementation of DES

Run Avalanche tests

CAP also provides a simple version of DES


S-DES

S-DES (Simplified-DES) was developed by Dr. Edward Schaefer at Santa Clara University in 1996.
– It is simple enough so that you can explore the operation of DES and some of its weaknesses.
– It operates on 8-bit data blocks (in other words, single characters) using a 10-bit key (only 2^10 = 1024 possibilities) and two stages


S-DES Structure

In spite of the simplifications, S-DES looks much like our basic DES.

[Diagram: the 8 bit Plaintext block passes through IP to give L0 and R0; two stages of XOR and F give L1, R1 and then L2, R2; IP-1 gives the 8 bit Ciphertext block. The 10 bit key passes through PC-1 to give C0 and D0; Left Shift 1 bit gives C1 and D1, and PC-2 gives K1; Left Shift 2 bits gives C2 and D2, and PC-2 gives K2.]

IP:
1 2 3 4 5 6 7 8
2 6 3 1 4 8 5 7

IP-1:
1 2 3 4 5 6 7 8
4 1 3 5 7 2 8 6


S-DES S-Boxes

The function F on the prior slide contains an EBox, PBox and 2 SBoxes (much like DES)

The two S-Boxes are given by:

The input is a 4 bit value

The first and last bits define the row

The middle bits define the column

The output is a 2 bit value


S-DES Key Generation

The key generation mechanism begins with a 10-bit key which is permuted by PC-1 into the order 3 5 2 7 4 10 1 9 8 6.

It is separated into 2 five bit segments and each segment is left shifted by one bit.

PC-2 selects and rearranges 8 bits from the two five bit segments – the bits in order are 6 3 7 4 8 5 10 9. The result is subkey 1.

The two segments are now left shifted twice and PC-2 is applied again to produce subkey 2.


Using CAP

CAP implements S-DES and in the process illustrates the key generation method.


Status of DES

When IBM first proposed DES it had a 128 bit key
– NSA required that the key be reduced to 56 bits

There have been several successful attacks on DES
– June 1997: Using the internet 14,000 to 78,000 computers broke DES in 90 days
– Jan 1998: Using the internet again it only took 39 days
– July 1998: a $210,000 machine called deep crack was built and it broke DES in 56 hours


AES


Advanced Encryption Standard

Since DES was becoming less reliable as new cryptanalysis techniques were developed, the National Institute of Standards and Technology (NIST) put out a notice in early 1999 requesting submissions for a new encryption standard. The requirements were:
– A symmetric block cipher with a variable length key (128, 192, or 256 bits) and a 128-bit block
– It must be more secure than TripleDES
– It must be in the public domain – royalty free world wide
– It should remain secure for at least 30 years

Fifteen algorithms were submitted from ten different countries.


Submitted Algorithms

Australia
– LOKI97
Belgium
– RIJNDAEL
Canada
– CAST-256
– DEAL
Costa Rica
– FROG
France
– DFC
Germany
– MAGENTA
Japan
– E2
Korea
– CRYPTON
USA
– HPC
– MARS
– RC6
– SAFER+
– TWOFISH
UK, Israel, Norway
– SERPENT


Selection Process

NIST relied on public participation:
– algorithm proposals
– cryptanalysis
– efficiency testing

AES Timetable
– Round 1: Aug. 20 - April 15, 1999
– Submit papers for 2nd AES conference: Feb 1, 1999
– Second AES conference: March 22-23, 1999
– Announcement of (about) five finalists
– Round 2 analysis of finalists: 6-9 months
– Third AES Conference
– Selection of AES Algorithm


AES Finalists

MARS (IBM)
RC6 (Rivest, et. al.)
Rijndael (top Belgium cryptographers)
Serpent (Anderson, Biham, Knudsen)
Twofish (Schneier, et. al.)

And the winner was . . .

Rijndael (pronounced “rain-doll”)


Introduction to Rijndael

One of the fastest and strongest algorithms
– Variable block length: 128, 192, 256 bits
– Variable key length: 128, 192, 256 bits
– Variable number of rounds (iterations): 10, 12, 14
– Number of rounds depends on key/block length


Rijndael Structure

The general structure of Rijndael is shown below
– Rather than using just a substitution and a permutation at each stage like DES, Rijndael consists of multiple cycles of Substitution, Shifting, Column mixing and a KeyAdd operation.

[Diagram: Plaintext block, KeyAdd (subkey), then a loop of Substitution, ShiftRow, MixColumn, KeyAdd (subkey). At "Final round?", "no" repeats the loop and "yes" continues to Substitution, ShiftRow, KeyAdd (subkey), Ciphertext block.]


Initial Step

The process begins by grouping the plaintext bits into a column array by bytes.
– The first four bytes form the first column; the second four bytes form the second column, and so on.
– If the block size is 128 bits then this becomes a 4x4 array. For larger block sizes the array has additional columns.
– The key is also grouped into an array using the same process.

Bytes in order: a0,0 a1,0 a2,0 a3,0 a0,1 a1,1 a2,1 a3,1 a0,2 a1,2 a2,2 a3,2 a0,3 a1,3 a2,3 a3,3

Column array:

a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3


Substitution

The substitution layer uses a single S-box (rather than the 8 Sboxes used in DES). The Rijndael S-box is a 16 x 16 array
– Each element in the current column array serves as an address into the S-box where the first four bits identify the S-box row and the last 4 bits identify the S-box column.
– The S-box element at that location replaces the current column array element.

[Diagram: the SBox maps each element of the column array a0,0 ... a3,3 to the element in the same position of the array b0,0 ... b3,3; for example a1,2 becomes b1,2.]


Row Shift Operation

A row shift operation is applied to the output of the S-box in which the four rows of the column array are cyclically shifted to the left.
– The first row is shifted by 0, the second by 1, the third by 2, and the fourth by 3

Before:

b0,0 b0,1 b0,2 b0,3
b1,0 b1,1 b1,2 b1,3
b2,0 b2,1 b2,2 b2,3
b3,0 b3,1 b3,2 b3,3

After:

b0,0 b0,1 b0,2 b0,3   No shift
b1,1 b1,2 b1,3 b1,0   Shift 1
b2,2 b2,3 b2,0 b2,1   Shift 2
b3,3 b3,0 b3,1 b3,2   Shift 3


Matrix Multiply

Column mixing is accomplished by a matrix multiplication operation.
– The shifted column array is multiplied by a fixed matrix

[Diagram: Matrix Multiply takes each column of the shifted array to the column in the same position of the output array; for example the column b0,2 b1,3 b2,0 b3,1 becomes c0,2 c1,3 c2,0 c3,1.]


Key Add

The final operation adds a subkey derived from the original key to the column array
– This completes one round of AES

[Diagram: each element c of the column array is XORed with the subkey element k in the same position to give the element d of the output array.]

This is repeated 9 more times


Key Schedule

The key is grouped into a column array and then expanded by adding 40 new columns.
– If the first four columns (given by the key) are C(0), C(1), C(2) and C(3) then the new columns are generated in a recursive manner.

If i is not a multiple of 4 then column i is determined by:
C(i) = C(i-4) XOR C(i-1)

If i is a multiple of 4 then column i is determined by:
C(i) = C(i-4) XOR T(C(i-1))

– Where T(C(i-1)) is a transformation of C(i-1) implemented as:
1. Cyclically shift the elements of C(i-1) by one byte
2. Use each of these 4 bytes as input into the S-box to create four new bytes e,f,g,h.
3. Calculate a round constant r(i) = 2^((i-4)/4)
4. Create the transformed column as: (e XOR r(i), f, g, h)

The round key for the ith round consists of the columns C(4i), C(4i+1), C(4i+2), C(4i+3).
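The round structure and key schedule from the preceding slides, put together for the 128-bit block and 128-bit key case as an added example (not code from the lecture or from CAP). It assumes the S-box is computed from its algebraic definition rather than typed in as a table, takes the fixed MixColumn matrix from FIPS-197 because the slide does not show it, and uses function names of its own.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def build_sbox():
    """The 16 x 16 S-box as a flat list: field inverse, then the AES affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()  # index = 16 * row + column, i.e. the byte value itself


def round_constant(i):
    """r(i) = 2^((i-4)/4), evaluated in GF(2^8), for i a multiple of 4."""
    r = 1
    for _ in range((i - 4) // 4):
        r = gf_mul(r, 2)
    return r


def expand_key(key):
    """Expand a 16-byte key into the 44 columns C(0)..C(43)."""
    if len(key) != 16:
        raise ValueError("this example handles 128-bit keys only")
    cols = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        prev = cols[i - 1]
        if i % 4 == 0:
            # T: cyclic shift by one byte, S-box on each byte, round constant.
            e, f, g, h = (SBOX[b] for b in prev[1:] + prev[:1])
            prev = [e ^ round_constant(i), f, g, h]
        cols.append([a ^ b for a, b in zip(cols[i - 4], prev)])
    return cols


def round_key(cols, rnd):
    """Round key rnd = columns C(4*rnd) .. C(4*rnd + 3) as 16 bytes."""
    return bytes(b for col in cols[4 * rnd:4 * rnd + 4] for b in col)


def key_add(state, cols, rnd):
    return [[b ^ k for b, k in zip(col, kcol)]
            for col, kcol in zip(state, cols[4 * rnd:4 * rnd + 4])]


def substitution(state):
    return [[SBOX[b] for b in col] for col in state]


def shift_row(state):
    # state[c][r] is column c, row r; row r moves left by r columns.
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]


def mix_column(state):
    # Fixed matrix from FIPS-197 (rows are rotations of 2 3 1 1); not on the slide.
    return [[gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
             ^ a[(r + 2) % 4] ^ a[(r + 3) % 4] for r in range(4)]
            for a in state]


def encrypt_block(plaintext, key):
    """Initial KeyAdd, 9 full rounds, then a final round without MixColumn."""
    if len(plaintext) != 16:
        raise ValueError("this example handles 128-bit blocks only")
    cols = expand_key(key)
    state = [list(plaintext[4 * c:4 * c + 4]) for c in range(4)]
    state = key_add(state, cols, 0)
    for rnd in range(1, 10):
        state = key_add(mix_column(shift_row(substitution(state))), cols, rnd)
    state = key_add(shift_row(substitution(state)), cols, 10)
    return bytes(b for col in state for b in col)


if __name__ == "__main__":
    # Published FIPS-197 example key and block, not values from the lecture.
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    block = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    print("round key 1:", round_key(expand_key(key), 1).hex())
    print("ciphertext :", encrypt_block(block, key).hex())
```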


Key Generation Flow

For what it’s worth:

[Diagram: the words W(i), W(i+1), W(i+2), W(i+3) are combined by XORs to give W(i+4), W(i+5), W(i+6), W(i+7); the path into the first XOR passes through Rot, S-Box and RCON.]


Conclusion

We have come a long way from just shifting letters over in the alphabet


Cryptanalysis of Block Ciphers


Security of DES

DES has a long and interesting history full of speculation and controversy.
– It all began when the National Security Agency (NSA) required the modification of the original specification for Lucifer submitted by IBM. Among the changes they requested was that the original key length of 128 bits be reduced to 56 bits.
– This fuelled the speculation (which has never been verified) that NSA could break the 56-bit version of DES from the very beginning.
– Since NSA wasn’t talking, brute force attacks seemed to be the only feasible way to undermine the algorithm.
– These had to wait until computer technology caught up with the key size to allow for high speed testing of all possible keys. This happened in the late 1990’s.

In July of 1997, a process that borrowed time from more than 14,000 computers across the Internet was able to break a DES key in 90 days.

Within six months, the time to break DES in this way was reduced to 39 days.

In July of 1998 a special machine was built called Deep Crack that was able to break a DES key in 56 hours.

Weak Keys

One of the early discoveries was that DES had some weak keys.

– These are keys that generate the same subkey for each round.

– There are four such DES keys:

0101 0101 0101 0101
FEFE FEFE FEFE FEFE
1F1F 1F1F 0E0E 0E0E
E0E0 E0E0 F1F1 F1F1

There are also 12 semi-weak DES keys.

– Semi-weak keys generate only two subkeys which alternate rounds.

Using CAP

CAP provides two tools for running brute force attacks against S-DES

– The first is an attack against a single key version of S-DES

Meet-in-the-Middle Attack

One level of improvement to DES is called Triple-DES – why not simplify the process and use Double-DES?

– The reason is that Double-DES is as easy to break as single key DES using a Meet-in-the-Middle attack

– The process involves a known plaintext/ciphertext pair

If there is enough memory space available, encipher the known plaintext with every possible key and save each result.

Then decipher the ciphertext with every possible key and compare each result with the contents of memory.

If there is a match, then both keys have been found.

[Figure: meet-in-the-middle diagram. Labels: P, E (Key1), D (Key2), C; Memory: result of enciphering with Ki; decipher with Kj; look for match.]

Using CAP

CAP will implement a Meet-in-the-Middle attack on S-DES:
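
The meet-in-the-middle procedure described above, carried out on double S-DES, as an added example (this is not CAP's code and is not part of the original slides). The S-DES tables are the usual textbook definition of S-DES and are an assumption, since the slides in this section do not list them; the secret key pair and plaintexts are constructed sample data.

```python
from collections import defaultdict

P10, P8 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6), (6, 3, 7, 4, 8, 5, 10, 9)
IP, IP_INV = (2, 6, 3, 1, 4, 8, 5, 7), (4, 1, 3, 5, 7, 2, 8, 6)
EP, P4 = (4, 1, 2, 3, 2, 3, 4, 1), (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(value, table, width):
    out = 0
    for pos in table:                       # positions are 1-based, MSB first
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out

def subkeys(key):
    rot = lambda h, n: ((h << n) | (h >> (5 - n))) & 0x1F   # 5-bit left rotate
    k = permute(key, P10, 10)
    left, right = rot(k >> 5, 1), rot(k & 0x1F, 1)
    k1 = permute((left << 5) | right, P8, 10)
    left, right = rot(left, 2), rot(right, 2)
    return k1, permute((left << 5) | right, P8, 10)

def sbox(box, nibble):
    row = ((nibble >> 2) & 2) | (nibble & 1)    # bits 1 and 4 select the row
    col = (nibble >> 1) & 3                     # bits 2 and 3 select the column
    return box[row][col]

def f_k(block, subkey):
    left, right = block >> 4, block & 0xF
    t = permute(right, EP, 4) ^ subkey
    f = permute((sbox(S0, t >> 4) << 2) | sbox(S1, t & 0xF), P4, 4)
    return ((left ^ f) << 4) | right

def crypt(block, key, decrypt=False):
    k1, k2 = subkeys(key)[::-1] if decrypt else subkeys(key)
    x = f_k(permute(block, IP, 8), k1)
    x = f_k(((x & 0xF) << 4) | (x >> 4), k2)    # swap halves, second round
    return permute(x, IP_INV, 8)

def meet_in_the_middle(p0, c0, extra=()):
    table = defaultdict(list)                   # middle value -> keys Ki giving it
    for k1 in range(1024):
        table[crypt(p0, k1)].append(k1)
    hits = [(k1, k2) for k2 in range(1024) for k1 in table.get(crypt(c0, k2, True), ())]
    return [(k1, k2) for k1, k2 in hits         # filter matches with further pairs
            if all(crypt(crypt(p, k1), k2) == c for p, c in extra)]

# Constructed demo data: a secret key pair and five known (plaintext, ciphertext) pairs
SECRET = (0b1010000010, 0b0111111101)
PAIRS = [(p, crypt(crypt(p, SECRET[0]), SECRET[1])) for p in (0x72, 0x00, 0xA5, 0x3C, 0xFF)]
```

With an 8-bit block, one known pair leaves thousands of matching key pairs, so `meet_in_the_middle(*PAIRS[0], PAIRS[1:])` uses the extra pairs to discard false matches. The work is about 2 × 1024 S-DES operations plus the table, rather than the 1024 × 1024 trials of a straight search over both keys.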

Recent Developments

There are two new classes of attacks which have been developed specifically for SP networks

– Differential Cryptanalysis

– Linear Cryptanalysis

In addition, there is a class of unexpected attacks called Side-Channel Analysis

DES S-Box

The S-box for DES is designed to produce “random” like outputs

– Consider the S1 S-box:

   | 0 1 2 3 4 5 6 7 8 9 A B C D E F
 0 | E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
 1 | 0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8
 2 | 4 1 E 8 D 6 2 B F C 9 7 3 A 5 0
 3 | F C 8 2 4 9 1 7 5 B 3 E A 0 6 C

If the input is randomly distributed over 0 - 63, then the output should be randomly distributed over 0 - 15.

[Figure: S1 takes 6 bits in and gives 4 bits out; example input 100101, B = 1000.]

S-Box Weakness - Background

A weakness in the S-box concept was discovered to be its behavior when two different inputs are compared

– If x and x* are the two inputs, there are 64^2 = 4096 possible pairs (x, x*)

– Define the S-box output to be S(x) and S(x*)

– Consider the relationship between the difference of the inputs and the difference of the outputs

x’ = x ⊕ x* (this ranges over all 64 possibilities 00 to 3F)

y’ = S(x) ⊕ S(x*) (this ranges over all 16 possibilities 0 to F)

S-Box Weakness

While it is expected that the output difference values should be evenly distributed over their range, it turns out they are not

NOTE the 0’s

Interesting Feature

Consider one row of the S1 difference table:

Output | 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
Input 01 | 0  0  0  6  0  2  4  4  0 10 12  4 10  6  2  4

There are five output differences which never occur if the input difference is 1: 0, 1, 2, 4, 8

12 of the 64 inputs which produce a difference of 1 produce an output of A.

Finding the Key 1

Say, we know two inputs to S1 (01 and 35) such that the differential input to box S1 is 34 and the differential output is D

[Figure: inputs 01, 35 and key K entering S1; input difference 34, output difference D.]

From the differential table, there are only 8 ways 34 can map to D

From the construction of the table, those 8 ways imply that K xor the input must be 06, 10, 16, 1C, 22, 24, 28, 32

Therefore K xor either 01 or 35 must be one of these 8 values, then K must be:

06 ⊕ 01 = 07    06 ⊕ 35 = 33
10 ⊕ 01 = 11    10 ⊕ 35 = 25
16 ⊕ 01 = 17    16 ⊕ 35 = 23
1C ⊕ 01 = 1D    1C ⊕ 35 = 29
22 ⊕ 01 = 23    22 ⊕ 35 = 17
24 ⊕ 01 = 25    24 ⊕ 35 = 11
28 ⊕ 01 = 29    28 ⊕ 35 = 1D
32 ⊕ 01 = 33    32 ⊕ 35 = 07

(The results on the right of each equation are the Possible Keys.)

Finding the Key 2

Say, we know two other inputs to S1 (21 and 15) such that the differential input to box S1 is 34 and the differential output is 3

[Figure: inputs 21, 15 and key K entering S1; input difference 34, output difference 3.]

From the differential table, there are only 6 ways 34 can map to 3

From the construction of the table, those 6 ways imply that K xor the input must be 01, 02, 15, 21, 35, 36

Therefore K xor either 21 or 15 must be one of these 6 values, then K must be:

01 ⊕ 21 = 20    01 ⊕ 15 = 14
02 ⊕ 21 = 23    02 ⊕ 15 = 17
15 ⊕ 21 = 34    15 ⊕ 15 = 00
21 ⊕ 21 = 00    21 ⊕ 15 = 34
35 ⊕ 21 = 14    35 ⊕ 15 = 29
36 ⊕ 21 = 17    36 ⊕ 15 = 23

(The results on the right of each equation are the Possible Keys.)

Finding the Key 3

The actual key must be in both sets:

{33, 25, 23, 29, 17, 11, 1D, 07} and {14, 17, 00, 34, 29, 33}

RESULT: {17, 33}

Try other differentials until a single key is found.
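
The three "Finding the Key" steps, together with the difference-table row shown under "Interesting Feature", can be reproduced from the S1 table itself. This is an added example, not part of the original slides: it uses S1 as published in FIPS 46-3, the two observations from the slides (inputs 01/35 with output difference D, inputs 21/15 with output difference 3), and helper names that are chosen here for illustration.

```python
# DES S1 as published in FIPS 46-3, one hex string per row;
# every row is a permutation of 0..F (row 3 ends "... A 0 6 D").
S1 = ("E4D12FB83A6C5907",
      "0F74E2D1A6CB9538",
      "41E8D62BFC973A50",
      "FC8249175B3EA06D")

# The two observations worked on the slides: (input, input*, output difference).
OBSERVATIONS = ((0x01, 0x35, 0xD), (0x21, 0x15, 0x3))


def s1(x):
    """6-bit input -> 4-bit output: outer bits pick the row, middle four the column."""
    row = ((x >> 4) & 2) | (x & 1)
    return int(S1[row][(x >> 1) & 0xF], 16)


def ddt_row(dx):
    """One row of the difference table: count of inputs per output difference."""
    row = [0] * 16
    for x in range(64):
        row[s1(x) ^ s1(x ^ dx)] += 1
    return row


def inputs_for(dx, dy):
    """All S-box inputs x with S1(x) xor S1(x xor dx) == dy."""
    return {x for x in range(64) if s1(x) ^ s1(x ^ dx) == dy}


def key_candidates(e, e_star, dy):
    """Keys K for which inputs e xor K and e_star xor K give output difference dy."""
    return {x ^ e for x in inputs_for(e ^ e_star, dy)}


def surviving_keys(observations):
    """Intersect the candidate sets of several observations."""
    return set.intersection(*(key_candidates(*o) for o in observations))


if __name__ == "__main__":
    print("row 01:", ddt_row(0x01))
    for obs in OBSERVATIONS:
        print(sorted(f"{k:02X}" for k in key_candidates(*obs)))
    print("survivors:", sorted(f"{k:02X}" for k in surviving_keys(OBSERVATIONS)))
```

Computed from this table, 35 ⊕ 15 evaluates to 20, so the second candidate set is {00, 14, 17, 20, 23, 34} and the two sets intersect in {17, 23}.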

Linear Cryptanalysis

Linear cryptanalysis is a powerful tool to use against SP networks developed in the early 90’s

It requires discovering an approximate linear relationship between the plaintext, the ciphertext and the key that holds more than half the time

– Then guess some key bits and verify that the linear relationship holds - if it does then your guess is correct

– Used to find a subset of key bits, then do a brute force attack on the remaining bits

Side Channel Analysis

It turns out that information about the operation of the underlying cipher can be leaked by observing certain performance characteristics.

These are called side channel attacks.

– For example, when a key bit of 1 is being processed the chip draws more power from the power supply.

– By monitoring the power drain, the key bits can actually be exposed.

– There is also a timing version of this attack which monitors the number of microseconds it takes to complete the algorithm.

– The timing values will expose parts of the key as well.

Summary

History

RC4 Algorithm

Introduction to Block Ciphers

DES and AES (and others)

Cryptanalysis of Block Ciphers

– Differential Cryptanalysis

– Linear Cryptanalysis

– Side Channel Attacks