Classical & Contemporary Cryptology, Lecture Five: Dr. Richard Spillman, Pacific Lutheran University
Posted 20-Dec-2015
Slide 1
Classical & Contemporary Cryptology
Dr. Richard Spillman
Pacific Lutheran University
Lecture Five
Slide 2: Last Lecture
History
More Transpositions
– Double Column Transposition
Computer Based Encryption
Stream Ciphers
– LFSR
– One Time Pad
– Cellular Automata
Slide 3: Review – Stream Cipher
A stream cipher XORs a plaintext stream with a key stream to create a ciphertext stream; XORing the ciphertext stream with the same key stream recovers the plaintext.
[Diagram: plaintext XOR key stream = ciphertext; ciphertext XOR key stream = plaintext]
The random key stream can be produced by an LFSR, cellular automata, or another random process (such as a block cipher operated as a key stream generator, as in output feedback mode).
Slide 4: Outline
History
RC4 Algorithm
Introduction to Block Ciphers
DES and AES (and others)
Cryptanalysis of Block Ciphers
Slide 5: History
Slide 6: WW1 – The American Effort
Soon after the American declaration of war in April 1917, Herbert O. Yardley sold the War Department on the idea of starting a cryptologic service called MI-8. Among its first members:
– David Stevens, 32, an English instructor at the University of Chicago
– Thomas A. Knot, 37, an associate professor of English at the University of Chicago
– Charles H. Beeson, 47, associate professor of Latin at the University of Chicago
– Bliss Luquiens, 41, professor of Spanish at Yale
MI-8 became involved in many activities including
– cryptography
– secret inks
– shorthand translation
Slide 7: Secret Inks
The Germans used several kinds of secret inks which could be developed by exposure to heat or by special chemicals.
– Allied chemists responded with a reagent that brought out secret writing of any kind because it could detect the fibers of paper which had been disturbed by a wetting action.
– The Germans responded by writing in a sympathetic ink and then moistening the entire sheet.
– The Allies responded with a chemical streak test that would detect whether the paper surface had been dampened: who but a spy would dampen paper?
– Eventually, both sides discovered a general reagent that would detect any ink under any conditions.
MI-8's secret ink division, however, was testing over 2,000 letters a week and discovered 50 of major importance, including the plans of one spy to import high explosives inside the hollow figures of saints and the Virgin Mary.
Slide 8: Cryptographic Section
MI-8's cryptographic section was very successful.
One of their most important solutions involved the case of the only German spy condemned to death in the US during WWI.
– Captured in January 1918 in Mexico by a US agent, he was carrying a cipher letter.
– It was broken by Dr. John Manly, who went on to become one of the world's leading authorities on Chaucer.
– After a marathon 3-day effort he broke the 12-step transposition cipher.
Slide 9: The American Black Chamber
After the Armistice, Yardley sold both the State Department and the War Department on jointly setting up a permanent cryptologic organization.
– It became known as the American Black Chamber and was established on July 15, 1919 in New York City.
– Its first task was to solve the codes of Japan, and by 1921 they were regularly reading Japanese telegrams.
– In the summer of 1921, they solved telegram 813 of July 5th from the Japanese ambassador in London to Tokyo, which contained instructions about the upcoming naval disarmament conference.
Slide 10: Conference Results
Japan was demanding a tonnage ratio of 10 to 7 with the US when the Black Chamber read what Yardley called the most important telegram he ever solved (0.5 represents 50,000 tons of ship, a battleship and a half):
– "It is necessary to avoid any clash with Great Britain and America, particularly America, in regard to the armament limitation question. You will to the utmost maintain a middle attitude and redouble your efforts to carry out our policy. In case of inevitable necessity you will work to establish your second proposal of 10 to 6.5. If, in spite of your utmost efforts, it becomes necessary in view of the situation and in the interests of general policy to fall back on your proposal no. 3, you will endeavor to limit the power of concentration and maneuver of the Pacific and to make an adequate reservation which will make clear that this is our intention in agreeing to a 10 to 6 ratio."
What do you think the Americans settled for with Japan?
Slide 11: The End of the Black Chamber
Between 1917 and 1929, the American Black Chamber solved more than 45,000 telegrams involving the codes of:
– Argentina, Brazil, Chile, China, Cuba, England, France, Germany, Japan, Liberia, Mexico, Peru, USSR, Spain, ...
– They even started on the codes used by the Vatican.
It all ended on Oct 31, 1929 after Henry L. Stimson, Hoover's Secretary of State, received some solutions from the Black Chamber. He said "Gentlemen do not read each other's mail."
Slide 12: RC4
Slide 13: RC4
RC4 was developed by Ron Rivest of MIT (one of the developers of RSA, a cipher that will be covered later).
– At the time of this lecture it was perhaps the most widely used stream cipher in the world, found in
  Microsoft Windows
  Lotus Notes
  the SSL (Secure Sockets Layer) protocol, to protect Internet traffic
  the Wired Equivalent Privacy (WEP) system, to protect wireless links
– One advantage of RC4 is that it can be easily implemented in software.
– Caveat: RC4 is now considered broken. Its key stream has measurable statistical biases, the way WEP combined it with per-packet IVs was broken in 2001, and its use in TLS is prohibited by RFC 7465; new designs should not use it.
Slide 14: Procedure
RC4 uses an arrangement (a permutation) of the numbers 0 to 255 (8 bits each) in an array S which changes over time.
It consists of two processes:
– A Key Scheduling Algorithm (KSA) to set up the initial permutation of S
– A Pseudo-Random Generation Algorithm (PRGA) to select elements of S as key stream bytes, modifying the permutation of S as it goes
Slide 15: Key Scheduling Algorithm 1
KSA begins by initializing S such that S(i) = i for i = 0 to 255.
A secret key is constructed by selecting a set of numbers which are loaded into a key array K(0 to 255).
– The usual process is to select a short sequence of numbers (the key bytes) and repeat them until K is filled.
Slide 16: Key Scheduling Algorithm 2
The key array is used to randomize S based on the following algorithm (j starts at 0):
j = 0
for i = 0 to 255 do
    j = (j + S(i) + K(i)) mod 256
    swap(S(i), S(j))
Slide 17: PRGA
Once the KSA has completed the initial randomization of S, the PRGA takes over and selects bytes for the key stream by selecting elements of S and modifying S for the next selection.
– The selection process relies on two indices i and j which both start at 0.
– The following steps are run to select each byte k of the key stream:
i ← (i + 1) mod 256
j ← (j + S(i)) mod 256
swap(S(i), S(j))
t ← (S(i) + S(j)) mod 256
k ← S(t)
Slide 18: Example
A simple example of RC4 will be constructed using 3-bit representations (the numbers range from 0 to 7) and mod 8 operations (instead of mod 256).
Initialize S (index 0 to 7):
S: 0 1 2 3 4 5 6 7
Select key: 5, 6, 7 and repeat it to fill K (index 0 to 7):
K: 5 6 7 5 6 7 5 6
Use the key to randomize S:
i = 0, j = 0: j = (0 + S(0) + K(0)) mod 8 = (0 + 0 + 5) mod 8 = 5; swap S(0) and S(5)
i = 1, j = 5: j = (5 + S(1) + K(1)) mod 8 = (5 + 1 + 6) mod 8 = 4; swap S(1) and S(4)
... (continue in the same way for i = 2 to 7)
Final S array (index 0 to 7):
S: 5 4 0 7 1 6 3 2
Slide 19: Random Numbers
Now the S array is ready to be used to produce a sequence of random numbers.
– With i and j starting at 0, RC4 calculates the first random number as follows:
S (index 0 to 7): 5 4 0 7 1 6 3 2
i = (i + 1) mod 8 = (0 + 1) mod 8 = 1
j = (j + S(i)) mod 8 = (0 + S(1)) mod 8 = (0 + 4) mod 8 = 4
Swap S(1) and S(4), giving S: 5 1 0 7 4 6 3 2
t = (S(i) + S(j)) mod 8 = (S(1) + S(4)) mod 8 = (1 + 4) mod 8 = 5
k = S(t) = S(5) = 6
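The KSA and PRGA of slides 15 to 19, as an added example in Python (not code from the lecture or from the CAP tool). The modulus n is a parameter so that the same functions reproduce the 3-bit toy above (n = 8, key 5, 6, 7) and real RC4 (n = 256); the byte-level test vector used at the end (key "Key", plaintext "Plaintext") is the commonly published one, not from the slides.

```python
# RC4 key scheduling (KSA) and key stream generation (PRGA), parameterised on the
# modulus n so that the lecture's 3-bit toy (n = 8) and real RC4 (n = 256) share
# one implementation. Added example; not code from the lecture or the CAP tool.


def ksa(key, n=256):
    """Key Scheduling Algorithm: S starts as the identity permutation of 0..n-1 and
    is scrambled by the key, which is repeated to fill the n-entry key array K."""
    K = [key[i % len(key)] for i in range(n)]
    S = list(range(n))
    j = 0
    for i in range(n):
        j = (j + S[i] + K[i]) % n
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, count):
    """Pseudo-Random Generation Algorithm: return `count` key stream values.
    i and j both start at 0 and S is modified after every output."""
    n = len(S)
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % n
        out.append(S[t])
    return out


def rc4_crypt(key, data):
    """Encrypt or decrypt (the same operation) by XORing data with the key stream."""
    S = ksa(list(key))
    return bytes(b ^ k for b, k in zip(data, prga(S, len(data))))


if __name__ == "__main__":
    # The slides' toy: 3-bit values, key 5, 6, 7, first key stream value 6.
    S = ksa([5, 6, 7], n=8)
    print("final S:", S)                 # [5, 4, 0, 7, 1, 6, 3, 2]
    print("first output:", prga(S, 1))  # [6]
    # Real RC4 against the published test vector: key "Key", plaintext "Plaintext".
    print(rc4_crypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
```

Note that prga mutates S in place, exactly as the slides describe: the permutation after the first output is the starting state for the second, which is why a key stream cannot be resumed without the full S array.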
Slide 20: Using CAP
CAP uses RC4 to implement a stream cipher.
Slide 21: Block Ciphers
Slide 22: Cipher Structures
[Diagram: taxonomy of cipher structures]
Classical
– Substitution
  – monoalphabetic: Shift, Affine, Keyword, Multiliteral
  – polyalphabetic: Vigenère, Hill, Nihilist
– Transposition: Column, ...
Stream: RC4
Block: ...
Slide 23: Block Cipher
Today's most widely used ciphers are in the class of block ciphers.
– Define a block of computer bits which represents several characters.
– Encipher the complete block at one time.
[Diagram: block of bits → algorithm (with KEY) → block of bits]
Slide 24: Modes of Operation
Before examining the details of any specific block cipher algorithm, it is useful to consider how such algorithms are used.
A block cipher by itself only maps one block to one block; a mode of operation says how to apply it to a whole message. Three of the standard modes are covered here:
– Electronic Code Book (ECB)
– Cipher Block Chaining (CBC)
– Output Feedback Mode (OFB)
These modes have become international standards for implementing any block cipher.
Slide 25: Electronic Code Book
Simplest mode of operation
– each block is enciphered independently into a ciphertext block using the same key
[Diagram: C1 = Ek(M1), C2 = Ek(M2), ..., Cm = Ek(Mm), all under the same key]
Problem: if Mi = Mj then Ci = Cj, so repeated plaintext blocks are visible in the ciphertext.
Slide 26: Cipher Block Chaining
The input to each block stage is the current plaintext block XORed with the previous stage's ciphertext block: Ci = Ek(Mi XOR Ci-1).
[Diagram: M1 XOR (initial value) → Ek → C1; M2 XOR C1 → Ek → C2; ...; Mm XOR Cm-1 → Ek → Cm]
The first block has no previous ciphertext, so an initialization vector (IV) is XORed into M1. Identical plaintext blocks now encrypt differently, and decryption is Mi = Dk(Ci) XOR Ci-1.
Slide 27: Output Feedback Mode
The block cipher is used as a stream cipher
– it produces the random key stream: the cipher is fed its own previous output, Ri+1 = Ek(Ri), and each key stream block is XORed with a plaintext block, Ci = Mi XOR Ri+1
[Diagram: Ri → Ek (with KEY) → Ri+1; Mi XOR Ri+1 = Ci]
Because the key stream depends only on the key and the starting value R0, the same R0 must never be reused under one key: two messages encrypted with the same key stream XOR to the XOR of their plaintexts.
Slide 28: General Structure
In 1973, Horst Feistel (IBM) described a form of product cipher that has become the architecture of choice for almost all symmetric block ciphers in use today.
– The overall process involves several stages, each a substitution followed by a transposition.
– The master key is subdivided into a set of subkeys, one for each stage.
– At each stage the data block is divided into a left and a right half; the right half is passed through a keyed function F (using that stage's subkey) and XORed into the left half, and then the halves are swapped.
– Because the XOR undoes itself, decryption runs the same stages with the subkeys in reverse order, whether or not F is invertible.
– The lecture also calls this type of cipher a substitution-permutation (SP) cipher, since each stage substitutes and then permutes.
Slide 29: Feistel Cipher
A single stage of the Feistel cipher looks like:
[Diagram: the plaintext block splits into Left Side and Right Side; the right side enters F (a substitution S followed by a permutation) together with the stage's subkey; F's output is XORed with the left side; New Left Side = old right side, New Right Side = left XOR F(right, subkey); the key schedule creates the subkey for each stage]
Slide 30: Cipher Evaluation
Any new cipher must be secure against attacks, but as ciphers become more complicated (such as the class of block ciphers) how can we be reasonably confident that they can protect our valuable data?
– The honest answer is that we can never be sure that a cipher is secure.
– The best way to gain some confidence in a new cipher is to publish it and let the security community try to break it.
There are some features that a cipher must possess if it is to be accepted by users.
– First, of course, the key space must be large enough to make a brute force attack impossible, or at least too expensive to mount.
Slide 31: Algorithm Strength
Algorithm strength is a subjective judgment call. Several factors are considered, including:
– The plaintext cannot be derived from the ciphertext without use of the key.
– There should be no known- or chosen-plaintext attack that is better than a brute force attack.
– Knowledge of the algorithm should not reduce the strength of the cipher (Kerckhoffs's principle: only the key is secret).
– The algorithm should include substitutions and permutations under the control of both the input data and the key.
– Redundant bit groups in the plaintext should be totally obscured in the ciphertext.
– The length of the ciphertext should be the same as the length of the plaintext.
– Any possible key should produce a strong cipher (no weak keys).
Slide 32: Avalanche Condition
One of the most important strength criteria is the avalanche condition: there should be no correlation between any input bits or key bits and the output bits.
– This is important because if someone started trying different keys, they should not be able to tell if they are close (within a few bits) to the actual key.
– There are two versions of the avalanche condition:
  Strict plaintext avalanche criterion (SPAC): each bit of the ciphertext block should change with probability one half whenever any single bit of the plaintext block is complemented.
  Strict key avalanche criterion (SKAC): for a fixed plaintext block, each bit of the ciphertext block changes with probability one half when any single bit of the key changes.
Slide 33: DES Example
Avalanche in DES: two 64-bit plaintexts differing in one bit are encrypted under the same key. Each line marks with * the state bits that differ after the initial permutation and after each round; the number at the right (where the slide gives it) is the count of differing bits.
Input:    ...............................................................* 1
Permuted: .......................................*........................ 1
Round 1:  .......*........................................................ 1
Round 2:  .*..*...*.....*........................*........................ 5
Round 3:  .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18
Round 4:  ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28
Round 5:  *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29
Round 6:  ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26
Round 7:  *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..*
Round 8:  *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*...
Round 9:  ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...**
Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*..
Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...*
Round 12: *..***....*...*.*.*.***...****....******......*..******....*....
Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****..
Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*.
Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.**
Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.*
Output:   ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.
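The modes of operation (slides 24 to 27), the Feistel stage (slides 28 and 29) and the avalanche trace (slides 32 and 33) all need a block cipher to be demonstrated, so they share one added example below. It is not code from the lecture and it is not DES: the 32-bit block size, the key schedule `subkeys`, and the round function `round_function` are invented for illustration and provide no real security; what it shows is the Feistel structure (decryption is encryption with the subkeys reversed), the ECB repeated-block leak next to CBC and OFB, and a per-stage difference count in the style of the DES trace above. The key, IV and message are constructed.

```python
# Toy Feistel block cipher with ECB, CBC and OFB modes and an avalanche trace.
# Added example, not DES and not code from the lecture or the CAP tool: the
# block size, key schedule and round function F are invented for illustration.

BLOCK_BYTES = 4          # 32-bit block = two 16-bit halves
MASK16 = 0xFFFF
# DES S1 row 0 (printed on the slides) reused here as a 4-bit substitution box.
SBOX4 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]


def subkeys(master_key, rounds=8):
    """Toy key schedule: one 16-bit subkey per stage from a 32-bit master key."""
    ks = []
    for r in range(rounds):
        amt = (5 * r) % 32
        rot = ((master_key << amt) | (master_key >> (32 - amt))) & 0xFFFFFFFF
        ks.append((rot ^ (rot >> 16) ^ (0x9E37 * (r + 1))) & MASK16)
    return ks


def round_function(right, subkey):
    """F: mix in the subkey, substitute nibble by nibble, then permute (rotate)."""
    x = (right ^ subkey) & MASK16
    x = sum(SBOX4[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
    return ((x << 5) | (x >> 11)) & MASK16


def encrypt_block(block, ks):
    """One Feistel stage per subkey: new left = right, new right = left XOR F(right, k)."""
    left, right = block >> 16, block & MASK16
    for k in ks:
        left, right = right, left ^ round_function(right, k)
    return (right << 16) | left            # undo the final swap


def decrypt_block(block, ks):
    """Same network with the subkeys reversed; F itself is never inverted."""
    return encrypt_block(block, ks[::-1])


def to_blocks(data):
    assert len(data) % BLOCK_BYTES == 0, "toy example: caller pads to a block multiple"
    return [int.from_bytes(data[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(data), BLOCK_BYTES)]


def from_blocks(blocks):
    return b"".join(b.to_bytes(BLOCK_BYTES, "big") for b in blocks)


def ecb_encrypt(data, ks):            # C_i = E_k(M_i): equal blocks give equal output
    return from_blocks(encrypt_block(m, ks) for m in to_blocks(data))


def ecb_decrypt(data, ks):
    return from_blocks(decrypt_block(c, ks) for c in to_blocks(data))


def cbc_encrypt(data, ks, iv):        # C_i = E_k(M_i XOR C_{i-1}), with C_0 = IV
    out, prev = [], iv
    for m in to_blocks(data):
        prev = encrypt_block(m ^ prev, ks)
        out.append(prev)
    return from_blocks(out)


def cbc_decrypt(data, ks, iv):        # M_i = D_k(C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in to_blocks(data):
        out.append(decrypt_block(c, ks) ^ prev)
        prev = c
    return from_blocks(out)


def ofb_crypt(data, ks, iv):
    """Block cipher as stream cipher: R_{i+1} = E_k(R_i), C_i = M_i XOR R_{i+1}.
    The same call decrypts, and the key stream never depends on the message."""
    out, r = [], iv
    for m in to_blocks(data):
        r = encrypt_block(r, ks)
        out.append(m ^ r)
    return from_blocks(out)


def avalanche_trace(block, ks, flip_bit):
    """Differing state bits after each stage when one plaintext bit is flipped,
    like the DES trace on the slides (ideal: about half of the 32 bits)."""
    a = (block >> 16, block & MASK16)
    other = block ^ (1 << flip_bit)
    b = (other >> 16, other & MASK16)
    counts = []
    for k in ks:
        a = (a[1], a[0] ^ round_function(a[1], k))
        b = (b[1], b[0] ^ round_function(b[1], k))
        counts.append(bin(((a[0] ^ b[0]) << 16) | (a[1] ^ b[1])).count("1"))
    return counts


if __name__ == "__main__":
    ks = subkeys(0x2B7E1516)                     # constructed key
    msg = b"AAAABBBBAAAABBBB"                    # constructed: blocks 1 and 3 are equal
    ecb, cbc = ecb_encrypt(msg, ks), cbc_encrypt(msg, ks, iv=0x01234567)
    print("ECB repeats block:", ecb[0:4] == ecb[8:12])   # the ECB problem
    print("CBC repeats block:", cbc[0:4] == cbc[8:12])
    print("avalanche per stage:", avalanche_trace(0x00000001, ks, 0))
```

The first stage of the trace always shows a small count (the flipped bit plus whatever F spreads it to); a well-designed F drives later stages towards 16 of 32 bits. With a real cipher the same harness measures SPAC by flipping plaintext bits and SKAC by flipping key bits and re-running the key schedule.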
Slide 34: DES, AES, and Others
Slide 35: Data Encryption Standard
In the mid-70's the US government decided that a powerful standard cipher system was necessary.
– The National Bureau of Standards put out a request for the development of such a cipher.
– Several companies went to work and submitted proposals. The winner was IBM with their cipher system called Lucifer.
– With some modifications suggested by the National Security Agency, in 1977 Lucifer became known as the Data Encryption Standard, or DES.
– It has since been replaced by the Advanced Encryption Standard (AES); the 56-bit DES key is far too short to resist brute force on modern hardware.
Slide 36: Basic Structure
DES works on 64-bit blocks of plaintext using a 56-bit key to produce 64-bit blocks of ciphertext.
– It is a Feistel (substitution-permutation) cipher with 16 stages.
The key for DES is an arbitrary 56-bit string of 0's and 1's
– there are 2^56 possible strings (greater than 10^16)
– often it is given as a 7-character word (7 × 8 bits)
DES expands this key to 64 bits by adding 8 additional bits
– bits 8, 16, 24, 32, 40, 48, 56, and 64 are parity bits, set so that each 8-bit byte has odd parity (an odd number of 1's); they add no secrecy
– the key is divided, shifted, and shuffled 16 times to form 16 different (but related) subkeys, each of which is 48 bits long
Slide 37: Key Generation
Each of the 16 stages uses a 48-bit subkey which is derived from the initial 64-bit key.
– The key passes through a PC-1 block (Permuted Choice 1) which discards the 8 parity bits and extracts the original 56 bits supplied by the user.
– The 56 bits are divided into left and right halves (C0 and D0, 28 bits each). Each half is rotated left by 1 or 2 bit positions (it varies depending on the stage).
– The new 56 bits are compressed using PC-2 (Permuted Choice 2) by throwing out 8 bits to create the 48-bit subkey for the given stage.
[Diagram: 64-bit key → PC-1 → 28-bit C0, 28-bit D0 → left shift → 28-bit C1, 28-bit D1 → PC-2 → K1; the shifted halves feed the next stage's left shift to produce K2 ... K16]
Slide 38: DES Stages
Each stage of DES performs the same set of operations using a different subkey, acting on the output of the previous stage.
– Those operations are defined in three "boxes" called the expansion box (E-box), the substitution box (S-box), and the permutation box (P-box).
Slide 39: Example Stage
[Diagram: Right 32 bits → E-box → 48 bits → XOR with the 48-bit subkey (from the 56-bit key) → S-boxes → 32 bits → P-box → 32 bits → XOR with Left 32 bits]
– The E-box expands (from 32 to 48 bits) and permutes the right half.
– The E-box output is XORed with the 48-bit subkey derived from the key.
– There are 8 S-boxes and each one accepts 6 bits of input and produces 4 bits of output.
– The P-box is a simple permutation.
– Finally, the left side is XORed with the result and both sides are passed on to the next round.
Slide 40: E-Box
The E-box expands its 32-bit input (the right half) into 48 bits by duplicating some of the input bits. Read left to right, top to bottom; each entry is the number of the input bit (1 to 32) copied to that output position:
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
Note the duplication: the first and last bit of each 4-bit group are shared with the neighbouring groups, and bits 32 and 1 wrap around.
Slide 41: S-Boxes
The S-boxes are the real source of the power of DES.
– There are 8 different S-boxes.
– Each S-box accepts 6 bits of input and produces 4 bits of output.
– An S-box has 16 columns and 4 rows, where each element in the box is a 4-bit block, usually given in its decimal representation. S1:
Row\Col 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0      14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
1       0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
2       4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
3      15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
Slide 42: Working with the S-Boxes
Each 6-bit input to an S-box is divided into a row and a column index.
– The row index is given by bits 1 and 6, and bits 2 to 5 supply the column index.
– The output of the S-box is the value stored at the addressed row/column.
S2, columns 0 to 15:
Row 0: 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
Row 1: 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
Row 2: 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
Row 3: 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
Input: 0 1 1 1 1 0. Bits 1 and 6 (0 0) give row 0; bits 2 to 5 (1 1 1 1) give column 15; the entry there is 10.
Output: 1 0 1 0
Slide 43: P-Box
After the S-box operation there are just 32 bits remaining, which are rearranged according to the permutation table:
[Figure: the 32 S-box output bits, numbered 1 to 32, enter the P-box, which outputs them in the order below, read row by row.]
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Slide 44: Final Step
The final operation places the original RHS 32 bits on the LHS and XORs the original LHS with the 32-bit output of the P-box.
This process is repeated 16 times using a different subkey each time.
Slide 45: DES Implementations
DES could be used in any one of the three standard block cipher implementation modes: OFB, CBC, or ECB.
– However, DES is no longer a secure cipher.
– Hence, alternative implementations of DES have been suggested in an effort to improve its overall security. The most common is called Triple-DES.
– Triple-DES comes in two versions: one uses three keys and the other only uses two keys.
The three-key version first encrypts the message with Key1, decrypts the result with Key2, and finally encrypts that with Key3.
The two-key version uses the same steps where Key3 = Key1.
[Figure: M is encrypted under Key1, the result is decrypted under Key2, and that result is encrypted under Key3.]
Slide 46: Using CAP
CAP provides an implementation of DES.
[Screenshot: the CAP DES window, with a button to run avalanche tests.]
CAP also provides a simple version of DES.
Slide 47: S-DES
S-DES (Simplified DES) was developed by Dr. Edward Schaefer at Santa Clara University in 1996.
– It is simple enough that you can explore the operation of DES and some of its weaknesses.
– It operates on 8-bit data blocks (in other words, single characters) using a 10-bit key (only 2^10 = 1024 possibilities) and two stages.
Slide 48: S-DES Structure
In spite of the simplifications, S-DES looks much like our basic DES.
[Figure: the 8-bit plaintext block passes through IP, is split into L0 and R0, goes through two rounds (XOR with F, giving L1 R1 and then L2 R2), and leaves through IP-1 as the 8-bit ciphertext block. The 10-bit key passes through PC-1 into C0 D0; a left shift of 1 bit gives C1 D1, from which PC-2 produces K1; a left shift of 2 bits gives C2 D2, from which PC-2 produces K2.]
IP: input bits 1 2 3 4 5 6 7 8 are output in the order 2 6 3 1 4 8 5 7
IP-1: input bits 1 2 3 4 5 6 7 8 are output in the order 4 1 3 5 7 2 8 6
Slide 49: S-DES S-Boxes
The function F on the prior slide contains an E-box, P-box and 2 S-boxes (much like DES).
The two S-boxes are given by:
[Figure: the two S-box tables.]
The input is a 4-bit value. The first and last bits define the row; the middle bits define the column. The output is a 2-bit value.
Slide 50: S-DES Key Generation
The key generation mechanism begins with a 10-bit key which is permuted by PC-1 into the order 3 5 2 7 4 10 1 9 8 6.
It is separated into 2 five-bit segments and each segment is left shifted by one bit.
PC-2 selects and rearranges 8 bits from the two five-bit segments – the bits in order are 6 3 7 4 8 5 10 9. The result is subkey 1.
The two segments are now left shifted twice and PC-2 is applied again to produce subkey 2.
Slide 51: Using CAP
CAP implements S-DES and in the process illustrates the key generation method.
Slide 52: Status of DES
When IBM first proposed DES it had a 128-bit key.
– NSA required that the key be reduced to 56 bits.
There have been several successful attacks on DES:
– June 1997: using the internet, 14,000 to 78,000 computers broke DES in 90 days.
– Jan 1998: using the internet again, it only took 39 days.
– July 1998: a $210,000 machine called Deep Crack was built and it broke DES in 56 hours.
Slide 53: AES
Slide 54: Advanced Encryption Standard
Since DES was becoming less reliable as new cryptanalysis techniques were developed, the National Institute of Standards and Technology (NIST) put out a notice in early 1999 requesting submissions for a new encryption standard. The requirements were:
– A symmetric block cipher with a variable length key (128, 192, or 256 bits) and a 128-bit block
– It must be more secure than Triple-DES
– It must be in the public domain – royalty free world wide
– It should remain secure for at least 30 years
Fifteen algorithms were submitted from ten different countries.
Slide 55: Submitted Algorithms
Australia – LOKI97
Belgium – RIJNDAEL
Canada – CAST-256, DEAL
Costa Rica – FROG
France – DFC
Germany – MAGENTA
Japan – E2
Korea – CRYPTON
USA – HPC, MARS, RC6, SAFER+, TWOFISH
UK, Israel, Norway – SERPENT
Slide 56: Selection Process
NIST relied on public participation:
– algorithm proposals
– cryptanalysis
– efficiency testing
AES Timetable
– Round 1: Aug. 20 - April 15, 1999
– Submit papers for 2nd AES conference: Feb 1, 1999
– Second AES conference: March 22-23, 1999
– Announcement of (about) five finalists
– Round 2 analysis of finalists: 6-9 months
– Third AES Conference
– Selection of AES Algorithm
Slide 57: AES Finalists
MARS (IBM)
RC6 (Rivest et al.)
Rijndael (top Belgian cryptographers)
Serpent (Anderson, Biham, Knudsen)
Twofish (Schneier et al.)
And the winner was . . . Rijndael, pronounced "rain-doll".
Slide 58: Introduction to Rijndael
One of the fastest and strongest algorithms.
– Variable block length: 128, 192, 256 bits
– Variable key length: 128, 192, 256 bits
– Variable number of rounds (iterations): 10, 12, 14
– The number of rounds depends on the key/block length
Slide 59: Rijndael Structure
The general structure of Rijndael is shown below.
– Rather than using just a substitution and a permutation at each stage like DES, Rijndael consists of multiple cycles of Substitution, Shifting, Column mixing and a KeyAdd operation.
[Figure: the plaintext block goes through an initial KeyAdd with a subkey; each round then applies Substitution, ShiftRow, MixColumn and KeyAdd (with a subkey), repeating until the final round, which applies Substitution, ShiftRow and KeyAdd without MixColumn and outputs the ciphertext block.]
Slide 60: Initial Step
The process begins by grouping the plaintext bits into a column array by bytes.
– The first four bytes form the first column; the second four bytes form the second column, and so on.
– If the block size is 128 bits then this becomes a 4x4 array. For larger block sizes the array has additional columns.
– The key is also grouped into an array using the same process.
The byte sequence a0,0 a1,0 a2,0 a3,0 a0,1 a1,1 a2,1 a3,1 a0,2 a1,2 a2,2 a3,2 a0,3 a1,3 a2,3 a3,3 fills the array column by column:
a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3
Slide 61: Substitution
The substitution layer uses a single S-box (rather than the 8 S-boxes used in DES). The Rijndael S-box is a 16 x 16 array.
– Each element in the current column array serves as an address into the S-box, where the first four bits identify the S-box row and the last 4 bits identify the S-box column.
– The S-box element at that location replaces the current column array element.
[Figure: each element a(i,j) of the 4x4 array is passed through the S-box and replaced by b(i,j); the highlighted example is a1,2 becoming b1,2.]
Slide 62: Row Shift Operation
A row shift operation is applied to the output of the S-box in which the four rows of the column array are cyclically shifted to the left.
– The first row is shifted by 0, the second by 1, the third by 2, and the fourth by 3.
Before:
b0,0 b0,1 b0,2 b0,3
b1,0 b1,1 b1,2 b1,3
b2,0 b2,1 b2,2 b2,3
b3,0 b3,1 b3,2 b3,3
After (no shift, shift 1, shift 2, shift 3):
b0,0 b0,1 b0,2 b0,3
b1,1 b1,2 b1,3 b1,0
b2,2 b2,3 b2,0 b2,1
b3,3 b3,0 b3,1 b3,2
Slide 63: Matrix Multiply
Column mixing is accomplished by a matrix multiplication operation.
– The shifted column array is multiplied by a fixed matrix.
[Figure: the shifted array (rows b0,0 b0,1 b0,2 b0,3 / b1,1 b1,2 b1,3 b1,0 / b2,2 b2,3 b2,0 b2,1 / b3,3 b3,0 b3,1 b3,2) is multiplied column by column to give the c array with the same layout; the highlighted example is column 2, b0,2 b1,3 b2,0 b3,1 becoming c0,2 c1,3 c2,0 c3,1.]
Slide 64: Key Add
The final operation adds a subkey derived from the original key to the column array.
– This completes one round of AES.
[Figure: each element c(i,j) of the array is XORed with the subkey element k(i,j) to give d(i,j).]
This is repeated 9 more times.
Slide 65: Key Schedule
The key is grouped into a column array and then expanded by adding 40 new columns.
– If the first four columns (given by the key) are C(0), C(1), C(2) and C(3), then the new columns are generated in a recursive manner.
If i is not a multiple of 4 then column i is determined by: C(i) = C(i-4) XOR C(i-1)
If i is a multiple of 4 then column i is determined by: C(i) = C(i-4) XOR T(C(i-1))
– Where T(C(i-1)) is a transformation of C(i-1) implemented as:
1. Cyclically shift the elements of C(i-1) by one byte
2. Use each of these 4 bytes as input into the S-box to create four new bytes e, f, g, h
3. Calculate a round constant r(i) = 2^((i-4)/4)
4. Create the transformed column as: (e XOR r(i), f, g, h)
The round key for the ith round consists of the columns C(4i), C(4i+1), C(4i+2), C(4i+3).
Slide 66: Key Generation Flow
For what it's worth:
[Figure: W(i) XORed with Rot / S-Box / RCON of W(i+3) gives W(i+4); W(i+1) XOR W(i+4) gives W(i+5); W(i+2) XOR W(i+5) gives W(i+6); W(i+3) XOR W(i+6) gives W(i+7).]
Slide 67: Conclusion
We have come a long way from just shifting letters over in the alphabet.
Slide 68: Cryptanalysis of Block Ciphers
Slide 69: Security of DES
DES has a long and interesting history full of speculation and controversy.
– It all began when the National Security Agency (NSA) required the modification of the original specification for Lucifer submitted by IBM. Among the changes they requested was that the original key length of 128 bits be reduced to 56 bits.
– This fuelled the speculation (which has never been verified) that NSA could break the 56-bit version of DES from the very beginning.
– Since NSA wasn't talking, brute force attacks seemed to be the only feasible way to undermine the algorithm.
– These had to wait until computer technology caught up with the key size to allow for high speed testing of all possible keys. This happened in the late 1990s.
In July of 1997, a process that borrowed time from more than 14,000 computers across the Internet was able to break a DES key in 90 days.
Within six months, the time to break DES in this way was reduced to 39 days.
In July of 1998 a special machine was built called Deep Crack that was able to break a DES key in 56 hours.
Slide 70: Weak Keys
One of the early discoveries was that DES had some weak keys.
– These are keys that generate the same subkey for each round.
– There are four such DES keys:
0101 0101 0101 0101
FEFE FEFE FEFE FEFE
1F1F 1F1F 0E0E 0E0E
E0E0 E0E0 F1F1 F1F1
There are also 12 semi-weak DES keys.
– Semi-weak keys generate only two subkeys, which alternate rounds.
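The DES key schedule together with the weak-key check this slide motivates, as an added Python example (not code from the lecture or from CAP). PC-1, the per-round shift schedule and PC-2 are the standard DES tables; the four weak keys are the slide's, while the semi-weak key and the ordinary key used for comparison are constructed sample values. A library that rejects keys with fewer than 16 distinct subkeys is applying exactly this check.

```python
# DES key schedule: PC-1 drops the parity bits, each round rotates the two
# 28-bit halves left, and PC-2 selects 48 subkey bits. Bit positions are
# 1-based as in DES; tables are the standard DES tables.

PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]

PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]

SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def key_schedule(key):
    """key: 8 bytes (64 bits including parity) -> the 16 round subkeys as 48-bit ints."""
    bits = [(key[i // 8] >> (7 - i % 8)) & 1 for i in range(64)]
    cd = [bits[p - 1] for p in PC1]            # 56 key bits, parity dropped
    c, d = cd[:28], cd[28:]
    subkeys = []
    for shift in SHIFTS:
        c = c[shift:] + c[:shift]              # cyclic left shift of each half
        d = d[shift:] + d[:shift]
        cd = c + d
        k = 0
        for p in PC2:
            k = (k << 1) | cd[p - 1]
        subkeys.append(k)
    return subkeys


def distinct_subkeys(key):
    """1 for a weak key, 2 for a semi-weak key, 16 for an ordinary key."""
    return len(set(key_schedule(key)))


def is_weak_or_semi_weak(key):
    """True when the schedule collapses to one or two subkeys and the key should be rejected."""
    return distinct_subkeys(key) <= 2


# The four weak keys from the slide; the other two keys are constructed samples.
WEAK_KEYS = [bytes.fromhex(h) for h in ("0101010101010101", "FEFEFEFEFEFEFEFE",
                                        "1F1F1F1F0E0E0E0E", "E0E0E0E0F1F1F1F1")]
SEMI_WEAK_KEY = bytes.fromhex("01FE01FE01FE01FE")
ORDINARY_KEY = bytes.fromhex("133457799BBCDFF1")

if __name__ == "__main__":
    for key in WEAK_KEYS + [SEMI_WEAK_KEY, ORDINARY_KEY]:
        print(key.hex(), distinct_subkeys(key), is_weak_or_semi_weak(key))
```

For the weak keys the two 28-bit halves after PC-1 are all zeros or all ones, so no rotation changes them and every round gets the same subkey; for the semi-weak key shown the halves alternate 0101..., so rotating by one bit flips between two patterns and the subkeys alternate.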
Slide 71: Using CAP
CAP provides two tools for running brute force attacks against S-DES.
– The first is an attack against a single key version of S-DES.
Slide 72: Meet-in-the-Middle Attack
One level of improvement to DES is called Triple-DES – why not simplify the process and use Double-DES?
– The reason is that Double-DES is as easy to break as single key DES using a Meet-in-the-Middle attack.
– The process involves a known plaintext/ciphertext pair.
If there is enough memory space available, encipher the known plaintext with every possible key and save each result.
Then decipher the ciphertext with every possible key and compare each result with the contents of memory.
If there is a match, then both keys have been found.
[Figure: P is enciphered under Key1 and each result of enciphering with Ki is stored in memory; C is deciphered under Key2 (decipher with Kj) and each result is looked up in memory for a match.]
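S-DES (slides 47 to 50) and the meet-in-the-middle attack on double S-DES (slide 72) in one added Python example, not code from the lecture or from CAP. PC-1 and PC-2 are the slide's tables; IP, IP-1, E/P, P4 and the two S-boxes are the standard ones from Schaefer's S-DES definition, since the transcript does not show them. The key pair and the plaintext bytes at the bottom are constructed sample values. The attack shows why Double-DES buys nothing: about 2 x 2^10 cipher operations and a table of 2^10 entries recover a 20-bit key pair.

```python
# Simplified DES (S-DES) with the slide-50 key schedule, then the
# meet-in-the-middle attack on double S-DES. Bit positions are 1-based.

P10 = [3, 5, 2, 7, 4, 10, 1, 9, 8, 6]      # PC-1 from slide 50
P8 = [6, 3, 7, 4, 8, 5, 10, 9]             # PC-2 from slide 50
IP = [2, 6, 3, 1, 4, 8, 5, 7]              # standard S-DES tables below
IP_INV = [4, 1, 3, 5, 7, 2, 8, 6]
EP = [4, 1, 2, 3, 2, 3, 4, 1]              # E-box: 4 -> 8 bits
P4 = [2, 4, 3, 1]                          # P-box
S0 = [[1, 0, 3, 2], [3, 2, 1, 0], [0, 2, 1, 3], [3, 1, 3, 2]]
S1 = [[0, 1, 2, 3], [2, 0, 1, 3], [3, 0, 1, 0], [2, 1, 0, 3]]


def to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def permute(bits, table):
    return [bits[i - 1] for i in table]


def subkeys(key10):
    """Slide 50: P10, split into 5-bit halves, shift 1 then P8 gives K1; shift 2 more then P8 gives K2."""
    k = permute(to_bits(key10, 10), P10)
    left, right = k[:5], k[5:]
    left, right = left[1:] + left[:1], right[1:] + right[:1]
    k1 = permute(left + right, P8)
    left, right = left[2:] + left[:2], right[2:] + right[:2]
    k2 = permute(left + right, P8)
    return k1, k2


def sbox(box, four_bits):
    """Row from the first and last bit, column from the middle two (slide 49); 2-bit output."""
    row = (four_bits[0] << 1) | four_bits[3]
    col = (four_bits[1] << 1) | four_bits[2]
    return to_bits(box[row][col], 2)


def F(right, subkey):
    x = [a ^ b for a, b in zip(permute(right, EP), subkey)]
    return permute(sbox(S0, x[:4]) + sbox(S1, x[4:]), P4)


def _two_rounds(block, ka, kb):
    bits = permute(to_bits(block, 8), IP)
    left, right = bits[:4], bits[4:]
    left = [a ^ b for a, b in zip(left, F(right, ka))]
    left, right = right, left                          # swap between the rounds
    left = [a ^ b for a, b in zip(left, F(right, kb))]
    return from_bits(permute(left + right, IP_INV))


def sdes_encrypt(key10, block):
    k1, k2 = subkeys(key10)
    return _two_rounds(block, k1, k2)


def sdes_decrypt(key10, block):
    k1, k2 = subkeys(key10)
    return _two_rounds(block, k2, k1)                  # subkeys in reverse order


def double_sdes_encrypt(key_a, key_b, block):
    return sdes_encrypt(key_b, sdes_encrypt(key_a, block))


def meet_in_the_middle(pairs):
    """Slide 72: encipher P under every key and store; decipher C under every key and
    look the result up. With 8-bit blocks false matches are common, so the remaining
    known pairs are used to confirm each candidate (key_a, key_b)."""
    p0, c0 = pairs[0]
    table = {}
    for key_a in range(1024):
        table.setdefault(sdes_encrypt(key_a, p0), []).append(key_a)
    found = []
    for key_b in range(1024):
        for key_a in table.get(sdes_decrypt(key_b, c0), []):
            if all(double_sdes_encrypt(key_a, key_b, p) == c for p, c in pairs[1:]):
                found.append((key_a, key_b))
    return found


KEY_A, KEY_B = 0b1010000010, 0b0111001011                   # constructed key pair
PAIRS = [(p, double_sdes_encrypt(KEY_A, KEY_B, p)) for p in b"MEET"]   # known pairs
```

The single-key check (`sdes_encrypt(0b1010000010, 0b11010111)` gives 10101000) matches the worked S-DES example in Stallings' textbook, and the test below uses it to validate the cipher before the attack runs on top of it.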
Slide 73: Using CAP
CAP will implement a Meet-in-the-Middle attack on S-DES.
Slide 74: Recent Developments
There are two new classes of attacks which have been developed specifically for SP networks:
– Differential Cryptanalysis
– Linear Cryptanalysis
In addition, there is a class of unexpected attacks called Side-Channel Analysis.
Slide 75: DES S-Box
The S-box for DES is designed to produce "random"-like outputs.
– Consider the S1 S-box (6 bits in, 4 bits out; entries in hex, columns 0 to F):
Row 0: E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
Row 1: 0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8
Row 2: 4 1 E 8 D 6 2 B F C 9 7 3 A 5 0
Row 3: F C 8 2 4 9 1 7 5 B 3 E A 0 6 D
If the input is randomly distributed over 0 - 63, then the output should be randomly distributed over 0 - 15.
Example: input 100101 selects row 3 (bits 1 and 6 = 11) and column 2 (bits 2 to 5 = 0010), giving output 1000.
Slide 76: S-Box Weakness - Background
A weakness in the S-box concept was discovered to be its behavior when two different inputs are compared.
– If x and x* are the two inputs, there are 64^2 = 4096 possible pairs (x, x*).
– Define the S-box outputs to be S(x) and S(x*).
– Consider the relationship between the difference of the inputs and the difference of the outputs:
x' = x XOR x* (this ranges over all 64 possibilities, 00 to 3F)
y' = S(x) XOR S(x*) (this ranges over all 16 possibilities, 0 to F)
Slide 77: S-Box Weakness
While it is expected that the output difference values should be evenly distributed over their range, it turns out they are not.
[Figure: the difference distribution table of S1. NOTE the 0's.]
Slide 78: Interesting Feature
Consider one row of the S1 difference table (input difference 01; under each output difference is the number of the 64 inputs that produce it):
Output difference:          0 1 2 3 4 5 6 7 8  9  A B  C D E F
Input difference 01, count: 0 0 0 6 0 2 4 4 0 10 12 4 10 6 2 4
There are five output differences which never occur if the input difference is 1: 0, 1, 2, 4, 8.
12 of the 64 inputs which produce an input difference of 1 produce an output difference of A.
Slide 79: Finding the Key 1
Say we know two inputs to S1 (01 and 35) such that the differential input to box S1 is 34 and the differential output is D.
[Figure: the inputs 01 and 35 are XORed with K before entering S1; input difference 34, output difference D.]
From the differential table, there are only 8 ways 34 can map to D.
From the construction of the table, those 8 ways imply that K xor the input must be 06, 10, 16, 1C, 22, 24, 28, 32.
Therefore K xor either 01 or 35 must be one of these 8 values, so K must be one of the possible keys:
06 xor 01 = 07, 10 xor 01 = 11, 16 xor 01 = 17, 1C xor 01 = 1D, 22 xor 01 = 23, 24 xor 01 = 25, 28 xor 01 = 29, 32 xor 01 = 33
06 xor 35 = 33, 10 xor 35 = 25, 16 xor 35 = 23, 1C xor 35 = 29, 22 xor 35 = 17, 24 xor 35 = 11, 28 xor 35 = 1D, 32 xor 35 = 07
Slide 80: Finding the Key 2
Say we know two other inputs to S1 (21 and 15) such that the differential input to box S1 is 34 and the differential output is 3.
[Figure: the inputs 21 and 15 are XORed with K before entering S1; input difference 34, output difference 3.]
From the differential table, there are only 6 ways 34 can map to 3.
From the construction of the table, those 6 ways imply that K xor the input must be 01, 02, 15, 21, 35, 36.
Therefore K xor either 21 or 15 must be one of these 6 values, so K must be one of the possible keys:
01 xor 21 = 20, 02 xor 21 = 23, 15 xor 21 = 34, 21 xor 21 = 00, 35 xor 21 = 14, 36 xor 21 = 17
01 xor 15 = 14, 02 xor 15 = 17, 15 xor 15 = 00, 21 xor 15 = 34, 35 xor 15 = 29, 36 xor 15 = 23
Slide 81: Finding the Key 3
The actual key must be in both sets:
{33, 25, 23, 29, 17, 11, 1D, 07} and {14, 17, 00, 34, 29, 33}
RESULT: {17, 33}
Try other differentials until a single key is found.
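The difference distribution table and the key-recovery argument of slides 76 to 81, as an added Python example (not code from the lecture). S1 is the standard DES table and the two observations are the ones the slides use; the functions generalise the slides' hand calculation to any input/output difference and any number of observations.

```python
# Differential analysis of the DES S1 box: difference distribution table,
# the inputs behind one table entry, and key recovery from known pairs.
# S1 is the standard DES table; 6-bit values are written in hex as on the slides.

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def s1(x):
    """6-bit input: bits 1 and 6 select the row, bits 2 to 5 the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def difference_table():
    """table[x_diff][y_diff] = number of inputs x with s1(x) ^ s1(x ^ x_diff) == y_diff.
    Each row sums to 64; the zeros are the slide's 'NOTE the 0's'."""
    table = [[0] * 16 for _ in range(64)]
    for x_diff in range(64):
        for x in range(64):
            table[x_diff][s1(x) ^ s1(x ^ x_diff)] += 1
    return table


def inputs_for(x_diff, y_diff):
    """All inputs x whose pair (x, x ^ x_diff) gives output difference y_diff:
    the 'ways x_diff can map to y_diff' on slides 79 and 80."""
    return sorted(x for x in range(64) if s1(x) ^ s1(x ^ x_diff) == y_diff)


def key_candidates(observed_inputs, y_diff):
    """observed_inputs: the two known values XORed with the key K before entering S1.
    K must satisfy (K ^ observed) in inputs_for(input difference, y_diff)."""
    a, b = observed_inputs
    allowed = set(inputs_for(a ^ b, y_diff))
    return {k for k in range(64) if (k ^ a) in allowed}


def recover_key(observations):
    """Intersect the candidate sets of all observations (slide 81)."""
    keys = set(range(64))
    for inputs, y_diff in observations:
        keys &= key_candidates(inputs, y_diff)
    return sorted(keys)


# The two observations used on slides 79 and 80.
OBSERVATIONS = [((0x01, 0x35), 0xD), ((0x21, 0x15), 0x3)]

if __name__ == "__main__":
    print([hex(k) for k in recover_key(OBSERVATIONS)])
```

Running this reproduces slide 78's row exactly and the eight and six inputs of slides 79 and 80. One check worth knowing: 35 xor 15 is 20, not 29, so the second candidate set is {00, 14, 17, 20, 23, 34} and the intersection with the first set is {17, 23}, which is what `recover_key` returns.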
Slide 82: Linear Cryptanalysis
Linear cryptanalysis is a powerful tool to use against SP networks, developed in the early 90s.
It requires discovering an approximate linear relationship between the plaintext, the ciphertext and the key that holds more than half the time.
– Then guess some key bits and verify that the linear relationship holds; if it does then your guess is correct.
– It is used to find a subset of key bits, then a brute force attack is done on the remaining bits.
Slide 83: Side Channel Analysis
It turns out that information about the operation of the underlying cipher can be leaked by observing certain performance characteristics.
These are called side channel attacks.
– For example, when a key bit of 1 is being processed the chip draws more power from the power supply.
– By monitoring the power drain, the key bits can actually be exposed.
– There is also a timing version of this attack which monitors the number of microseconds it takes to complete the algorithm.
– The timing values will expose parts of the key as well.
Slide 84: Summary
History
RC4 Algorithm
Introduction to Block Ciphers
DES and AES (and others)
Cryptanalysis of Block Ciphers
– Differential Cryptanalysis
– Linear Cryptanalysis
– Side Channel Attacks