computer and data security - university of babylon
TRANSCRIPT
![Page 1: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/1.jpg)
Computer and Data Security
Lecture 3 Block cipher and DES
![Page 2: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/2.jpg)
Stream Ciphers
l Encrypts a digital data stream one bit or one byte at a time
l One time pad is example; but practical limitations l Typical approach for stream cipher: Ø Key (K) used as input to bit-stream generator algorithm Ø Algorithm generates cryptographic bit stream (ki ) used to
encrypt plaintext Ø Users share a key; use it to generate keystream
![Page 3: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/3.jpg)
Stream Ciphers
![Page 4: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/4.jpg)
Block Ciphers
l Encrypt a block of plaintext as a whole to produce same sized ciphertext
l Typical block sizes are 64 or 128 bits l Modes of operation used to apply block ciphers to larger
plaintexts
![Page 5: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/5.jpg)
Reversible and Irreversible Mappings
l n-bit block cipher takes n bit plaintext and produces n bit ciphertext
l 2n possible different plaintext blocks l Encryption must be reversible (decryption possible) l Each plaintext block must produce unique ciphertext
block l Total transformations is 2n!
![Page 6: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/6.jpg)
Reversible and Irreversible Mappings
![Page 7: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/7.jpg)
Ideal Block Cipher
l n-bit input maps to 2n possible input states l Substitution used to produce 2n output states l Output states map to n-bit output l Ideal block cipher allows maximum number of possible
encryption mappings from plaintext block l Problems with ideal block cipher:
Ø Small block size: equivalent to classical substitution cipher; cryptanalysis based on statistical characteristics feasible
Ø Large block size: key must be very large; performance/implementation problems
![Page 8: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/8.jpg)
General Block Substitution
![Page 9: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/9.jpg)
Encryption/Decryption Tables
![Page 10: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/10.jpg)
Feistel Structure for Block Ciphers
l Feistel proposed applying two or more simple ciphers in sequence so final result is cryptographically stronger than component ciphers
l n-bit block length; k-bit key length; 2k transformations l Feistel cipher alternates: substitutions, transpositions
(permutations) l Applies concepts of diffusion and confusion l Applied in many ciphers today
![Page 11: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/11.jpg)
Feistel Structure for Block Ciphers
l Approach: Ø Plaintext split into halves Ø Subkeys (or round keys) generated from key Ø Round function, F, applied to right half Ø Apply substitution on left half using XOR Ø Apply permutation: interchange to halves
![Page 12: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/12.jpg)
Diffusion and Confusion
Diffusion Ø Statistical nature of plaintext is reduced in ciphertext Ø E.g. A plaintext letter affects the value of many ciphertext letters Ø How: repeatedly apply permutation (transposition) to data, and then
apply function
Confusion Ø Make relationship between ciphertext and key as complex as
possible Ø Even if attacker can find some statistical characteristics of
ciphertext, still hard to find key Ø How: apply complex (non-linear) substitution algorithm
![Page 13: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/13.jpg)
Feistel Encryption and Decryption
![Page 14: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/14.jpg)
Using the Feistel Structure
l Exact implementation depends on various design features Ø Block size, e.g. 64, 128 bits: larger values leads to more
diffusion Ø Key size, e.g. 128 bits: larger values leads to more
confusion, resistance against brute force Ø Number of rounds, e.g. 16 rounds Ø Subkey generation algorithm: should be complex Ø Round function F : should be complex
l Other factors include fast encryption in software and ease of analysis
l Trade-off: security vs performance
![Page 15: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/15.jpg)
Data Encryption Standard
l Symmetric block cipher Ø 56-bit key, 64-bit input block, 64-bit output block
l One of most used encryption systems in world Ø Developed in 1977 by NBS/NIST Ø Designed by IBM (Lucifer) with input from NSA Ø Principles used in other ciphers, e.g. 3DES, IDEA
l Simplified DES (S-DES) Ø Cipher using principles of DES Ø Developed for education (not real world use)
![Page 16: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/16.jpg)
Simplified DES
l Input (plaintext) block: 8-bits l Output (ciphertext) block: 8-bits l Key: 10-bits l Rounds: 2 l Round keys generated using permutations and left
shifts l Encryption: initial permutation, round function, switch
halves l Decryption: Same as encryption, except round keys
used in opposite order
![Page 17: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/17.jpg)
S-DES Algorithm
![Page 18: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/18.jpg)
S-DES Operations
![Page 19: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/19.jpg)
S-DES Operations
![Page 20: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/20.jpg)
S-DES Key Generation
![Page 21: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/21.jpg)
S-DES Encryption Details
![Page 22: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/22.jpg)
S-DES S-Boxes
Ø S-DES (and DES) perform substitutions using S-Boxes Ø S-Box considered as a matrix: input used to select row/column;
selected element is output Ø 4-bit input: bit1 , bit2 , bit3 , bit4 Ø bit1bit4 specifies row (0, 1, 2 or 3 in decimal) Ø bit2bit3 specifies column Ø 2-bit output
![Page 23: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/23.jpg)
S-DES Summary
l Educational encryption algorithm l S-DES expressed as functions:
ciphertext = IP−1 (fK2 (SW (fK1 (IP (plaintext))))) plaintext = IP−1 (fK1 (SW (fK2 (IP (ciphertext)))))
l Security of S-DES: Ø 10-bit key, 1024 keys: brute force easy Ø If know plaintext and corresponding ciphertext, can we
determine key? Very hard
![Page 24: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/24.jpg)
Comparing DES and S-DES
![Page 25: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/25.jpg)
General DES Encryption Algorithm
![Page 26: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/26.jpg)
Permutation Tables for DES
![Page 27: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/27.jpg)
Permutation Tables for DES
![Page 28: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/28.jpg)
Single Round of DES Algorithm
![Page 29: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/29.jpg)
Calculation of F(R,K)
![Page 30: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/30.jpg)
Definition of DES S-Boxes
![Page 31: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/31.jpg)
Definition of DES S-Boxes
![Page 32: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/32.jpg)
DES Key Schedule Calculation
![Page 33: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/33.jpg)
Key Size
l Although 64 bit initial key, only 56 bits used in encryption (other 8 for parity check)
l 256 =7.2×1016 Ø 1977: estimated cost $US20m to build machine to break in 10 hours Ø 1998: EFF built machine for $US250k to break in 3 days Ø Today: 56 bits considered too short to withstand brute Ø force attack
l 3DES uses 128-bit keys
![Page 34: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/34.jpg)
Attacks on DES
Timing Attacks Ø Information gained about key/plaintext by observing how long
implementation takes to decrypt Ø No known useful attacks on DES
Differential Cryptanalysis Ø Observe how pairs of plaintext blocks evolve Ø Break DES in 247 encryptions (compared to 255); but
Ø require 247 chosen plaintexts Linear Cryptanalysis Ø Find linear approximations of the transformations Ø Break DES using 243 known plaintexts
![Page 35: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/35.jpg)
DES Algorithm Design
l DES was designed in private; questions about the motivation of the design
Ø S-Boxes provide non-linearity: important part of DES, generally considered to be secure
Ø S-Boxes provide increased confusion Ø Permutation P chosen to increase diffusion
![Page 36: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/36.jpg)
Multiple Encryption with DES
l DES is vulnerable to brute force attack l Alternative block cipher that makes use of DES
software / equipment / knowledge: encrypt multiple times with different keys
l Options: 1. Double DES: not much better than single DES 2. Triple DES (3DES) with 2 keys: brute force 2112 3. Triple DES with 3 keys: brute force 2168
![Page 37: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/37.jpg)
Double Encryption
Ø For DES, 2 × 56-bit keys, meaning 112-bit key length Ø Requires 2111 operations for brute force?
Ø Meet-in-the-middle attack makes it easier
![Page 38: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/38.jpg)
Meet-in-the-Middle Attack
l Double DES Encryption: C=E(K2,E(K1,P)) l Say X=E(K1,P)=D(K2,C) l Attacker knows two plaintext, ciphertext pairs (Pa,Ca) and (Pb,Cb)
1. Encrypt Pa using all 256 values of K1 to get multiple values of X 2. Store results in table and sort by X 3. Decrypt Ca using all 256 values of K2 4. As each decryption result produced, check against table 5. If match, check current K1,K2 on Cb. If Pb obtained, then
accept the keys l With two known plaintext, ciphertext pairs, probability of successful
attack is almost 1 l Encrypt/decrypt operations required: 256 (twice as many as single
DES)
![Page 39: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/39.jpg)
Triple Encryption
Ø 2 keys, 112 bits
Ø 3 keys, 168 bits
Ø Why E-D-E? To be compatible with single DES: C = E(K1, D(K1, E(K1, P))) = E(K1, P)
![Page 40: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/40.jpg)
Advanced Encryption Standard
l NIST called for proposals for new standard in 1997
Ø Aims: security, efficient software/hardware Ø implementations, low memory requirements, parallel processing Ø Candidate algorithms from around the world Ø Rijndael chosen, standard called AES created in 2001
![Page 41: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/41.jpg)
Advanced Encryption Standard
l AES: Ø Block size: 128 bits (others possible) Ø Key size: 128, 192, 256 bits Ø Rounds: 10, 12, 14 (depending on key) Ø Operations: XOR with round key, substitutions using S-Boxes,
mixing using Galois Field arithmetic
l Widely used in file encryption, network communications l Generally considered secure
l See textbook for details (including S-AES)
![Page 42: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/42.jpg)
Other Symmetric Encryption Algorithms
l Blowfish (Schneier, 1993): 64 bit blocks/32–448 bit keys; Feistel structure
l Twofish (Schneier et al, 1998): 128/128, 192, 256; Feistel structure
l Serpent (Anderson et al, 1998): 128/128, 192, 256; Substitution-permutation network
l Camellia (Mitsubishi/NTT, 2000): 128/128, 192, 256; Feistel structure
l IDEA (Lai and Massey, 1991): 64/128
![Page 43: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/43.jpg)
Other Symmetric Encryption Algorithms
l CAST-128 (Adams and Tavares, 1996): 64/40–128; Feistel structure
l CAST-256 (Adams and Tavares, 1998): 128/up to 256; Feistel structure
l RC5 (Rivest, 1994): 32, 64 or 128/up to 2040; Feistel-like structure
l RC6 (Rivest et al, 1998): 128/128, 192, 256; Feistel structure
![Page 44: Computer and Data Security - University of Babylon](https://reader034.vdocuments.site/reader034/viewer/2022042902/6269a976c1fb406f9c25a120/html5/thumbnails/44.jpg)
Cryptanalysis on Block Ciphers
l Known data: chosen pairs of (plaintext, ciphertext) l MITM: Meet-in-the-middle l Lucks: S. Lucks, Attacking Triple Encryption, in Fast Software
Encryption, Springer, 1998 l Biclique: Bogdanov, Khovratovich and Rechberger, Biclique
Cryptanalysis of the Full AES, in ASIACRYPT2011, Springer, 2011