Network Security & Cryptography, Lecture 7
Block Ciphers & DES
Uday Prakash Pethakamsetty
1/29/2013, Dept. of ECE, Network Security & Cryptography
Background to modern symmetric ciphers
• All the traditional ciphers are character-oriented ciphers.
• The advent of computers led to bit-oriented or byte-oriented ciphers.
• Information transmitted using modern cryptography is not just text; it also includes numbers, graphics, audio and video data.
• So even text is treated at the bit level: each character is replaced by 8 (or 16) bits. Mixing a larger number of symbols in this way increases security.
Modern symmetric key ciphers
1. Modern stream cipher: encrypts/decrypts a digital data stream one bit or one byte at a time.
   1. Synchronous stream ciphers (e.g., the one-time pad): the key stream is independent of the plaintext or ciphertext stream.
   2. Non-synchronous stream ciphers: each key in the key stream depends on previous plaintext or ciphertext.
2. Modern block cipher: the plaintext block is treated as a whole and used to produce a ciphertext block of equal length. Typically the block size is 64, 128, 256 or 512 bits.
Stream ciphers
• The most famous: the Vernam cipher
  – Invented by Vernam (AT&T, 1917)
  – Processes the message bit by bit (as a stream)
  – Different from the one-time pad, though some call them the same
  – Simply adds bits of the message to random key bits
• Examples
  – A well-known stream cipher is RC4; others include A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, Panama, Pike, SEAL, SOBER, SOBER-128 and WAKE.
• Usage
  – Stream ciphers are used in applications where plaintext comes in quantities of unknowable length, for example a secure wireless connection.
Stream ciphers
• Drawbacks
  – Need as many key bits as message bits, which is difficult in practice (e.g., distributing the key on a magnetic tape or CD-ROM).
• Strength
  – Unconditionally secure provided the key is truly random
• Key generation
  – Why not generate the key stream from a smaller (base) key?
    • Use some pseudo-random function to do this.
    • Although this looks very attractive, it proves very difficult in practice to find a good pseudo-random function that is cryptographically strong.
    • This is still an area of much research.
Modern block cipher
• A symmetric-key modern block cipher encrypts/decrypts an n-bit block of plaintext.
• The encryption/decryption algorithm uses a k-bit key.
• If a message has fewer than n bits, padding must be added to make it an n-bit block; if the message has more than n bits, it should be divided into n-bit blocks and the appropriate padding applied to the last block.
• Typically block sizes are 64, 128, 256 or 512 bits.
Modern Block cipher
Practically implemented algorithms:
• Data Encryption Standard (DES)
  – Block size is 64 bits
  – Key is 56 bits
• IDEA
  – Block size is 64 bits
  – Key size is 128 bits
• Advanced Encryption Standard (AES)
  – Variable block size: 128, 192 or 256 bits
  – Variable key size: 128, 192 or 256 bits
  – Invented by Rijndael
Block vs Stream Ciphers
• Stream ciphers are faster than block ciphers.
• The hardware implementation of a stream cipher is also easier.
• When the binary stream is encrypted and transmitted at a constant rate, a stream cipher is the better choice to use.
• Stream ciphers are also more immune to corruption of bits during transmission.
• Stream ciphers process messages a bit or byte at a time when en/decrypting.
• Block ciphers process messages in blocks, each of which is then en/decrypted.
• Like a substitution on very big characters (64 bits or more)
• Many current ciphers are block ciphers. Hence, they are the focus of this course.
Modern block cipher
Substitution or transposition block cipher? To resist exhaustive-search attacks, modern block ciphers are designed as substitution ciphers.
This is because the inherent characteristic of transposition (preserving the number of 1s and 0s) makes the cipher vulnerable to exhaustive-search attacks.
Components of Modern Block Cipher
• D-boxes: used as transposition units for diffusion.
• S-boxes: used as substitution units for confusion.
D(diffusion)-Boxes
• They parallel the traditional transposition cipher for characters: they transpose bits.
• Helps in spreading (diffusion) of the input disturbances.
• There are three types of D-boxes
  1. Straight D-boxes
  2. Expansion D-boxes
  3. Compression D-boxes
D-boxes are keyless, i.e., the mapping is predetermined. In a hardware implementation, it is prewired. In a software implementation, a predefined permutation table gives the rule of mapping.
D(diffusion)-Boxes
• Straight D-boxes contain n inputs and n outputs.
  – The connection between them is a permutation.
  – There are n! possible mappings.
  – It is also called a permutation box or P-box.
• Compression D-boxes contain n inputs and m outputs, with n > m.
  – Some of the inputs are blocked and do not reach the output.
  – Used mainly when we need to permute bits and at the same time decrease the number of bits for the next stage.
• Expansion D-boxes contain n inputs and m outputs, with n < m.
  – m − n inputs are mapped to more than one output.
  – Used mainly when we need to transpose bits and at the same time increase the number of bits for the next stage.
• NOTE: Straight D-boxes are invertible. Compression and expansion D-boxes have no inverses.
S (substitution)-Boxes
The S-box does the task of a substitution cipher.
It can have different numbers of inputs and outputs: the number of inputs need not equal the number of outputs.
S-boxes can be keyed or keyless. Generally, keyless S-boxes are more popular.
Linear and nonlinear S-boxes: a nonlinear S-box does not have a linear equation relating every output to the inputs, as a linear S-box has. In nonlinear S-boxes, at times, combinations (AND) of two or more inputs/outputs take place.
Invertibility: S-boxes are substitution ciphers in which the relation between inputs and outputs is defined by a table or mathematical relation. So S-boxes may or may not be invertible. Invertible S-boxes have the same number of input bits and output bits.
Block cipher
CBC cipher (Cipher Block Chaining)
CBC Deciphering
Substitution and Permutation
• In his 1949 paper, Shannon also introduced the idea of substitution-permutation (S-P) networks, which now form the basis of modern block ciphers
  – An S-P network is the modern form of a substitution-transposition product cipher
  – S-P networks are based on the two primitive cryptographic operations we have seen before (block and CBC ciphering)
Substitution
• A binary word is replaced by some other binary word
• The whole substitution function forms the key
• If we use n-bit words,
  – The key space is (2^n)!
• Can also think of this as a large lookup table, with n address lines (hence 2^n addresses), each n bits wide being the output value
• Will call them S-boxes
Permutation
• A binary word has its bits reordered (permuted)
• The re-ordering forms the key
• If we use n-bit words, the key space is n! (less secure than substitution)
• This is equivalent to a wire-crossing in practice
  – (Though it is much harder to do in software)
• Will call these P-boxes
Substitution-permutation Network
• Shannon combined these two primitives
• He called these mixing transformations
• A special form of product cipher where
  – S-boxes provide confusion of input bits
  – P-boxes provide diffusion across S-box inputs
Confusion and Diffusion
• A cipher needs to completely obscure the statistical properties of the original message
• Confusion: makes the relationship between ciphertext and key as complex as possible
  – A technique that seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible. The cipher uses the key and plaintext.
• Diffusion: dissipates the statistical structure of the plaintext over the bulk of the ciphertext
  – A technique that seeks to obscure the statistical structure of the plaintext by spreading out the influence of each individual plaintext digit over many ciphertext digits.
Desired Effect
• Avalanche effect
– A characteristic of an encryption algorithm in
which a small change in the plaintext gives rise to
a large change in the ciphertext
– Best: changing one input bit results in changes of
approximately half the output bits.
• Completeness effect
– where each output bit is a complex function of all
the input bits.
Practical Substitution-Permutation Networks
• In practice, we need to be able to decrypt
messages, as well as to encrypt them, hence
either:
– Have to define inverses for each of our S & P-
boxes, but this doubles the code/hardware needed,
or
– Define a structure that is easy to reverse, so can
use basically the same code or hardware for both
encryption and decryption
Feistel Cipher Structure
• Invented by Horst Feistel, working at IBM Thomas J. Watson research labs in the early 70's
• Based on the concept of an invertible product cipher
• Implements Shannon's substitution-permutation network concept
• Partitions the input block into two halves
• Processes them through multiple rounds which
  – perform a substitution on the left data half
  – based on a round function of the right half & subkey
  – then have a permutation swapping the halves
Feistel Cipher Structure
In this Feistel cipher structure, for each round, the operation is performed on one half of the block. The operation can be expressed as:
This can be described functionally as:
L(i) = R(i-1)
R(i) = L(i-1) ⨁ f(k(i), R(i-1))
This can easily be reversed as seen in the above diagram, working backwards through the rounds.
In practice, link a number of these stages together (typically 16 rounds) to form the full cipher.
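A toy Feistel network in Python, added here as an illustration (not code from the lecture), showing that decryption is the same pass with the subkeys reversed even when f itself is not invertible; the 16-bit block size, the round function f and the key schedule are assumptions chosen for readability:

```python
# Added example (not from the lecture): a toy 16-bit Feistel network with
# 8-bit halves and 16 rounds. The point: the structure decrypts with the
# same code run with the subkeys reversed, even though f is not invertible.

ROUNDS = 16

def f(subkey: int, right: int) -> int:
    """Made-up round function on 8-bit values (assumption). Squaring
    mod 256 makes it non-invertible, which a Feistel round tolerates."""
    x = (right ^ subkey) & 0xFF
    x = (x * x + 0x3B) & 0xFF
    return ((x << 3) | (x >> 5)) & 0xFF          # rotate left by 3

def key_schedule(key: int) -> list:
    """16 subkeys of 8 bits from a 16-bit key (assumption: rotate and fold)."""
    subkeys = []
    for i in range(ROUNDS):
        k = ((key << i) | (key >> (16 - i))) & 0xFFFF
        subkeys.append(((k >> 8) ^ k) & 0xFF)
    return subkeys

def feistel(block: int, subkeys: list) -> int:
    """L(i) = R(i-1); R(i) = L(i-1) XOR f(K(i), R(i-1)); swap at the end."""
    left, right = (block >> 8) & 0xFF, block & 0xFF
    for k in subkeys:
        left, right = right, left ^ f(k, right)
    return (right << 8) | left                    # final swap

def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))

def decrypt(block: int, key: int) -> int:
    # Same network, subkeys in reverse order: each round undoes itself.
    return feistel(block, key_schedule(key)[::-1])

def f_is_invertible(subkey: int) -> bool:
    """A bijection on 8 bits would hit all 256 outputs."""
    return len({f(subkey, r) for r in range(256)}) == 256

def avalanche(block: int, key: int) -> int:
    """Number of ciphertext bits that flip when one plaintext bit flips."""
    return bin(encrypt(block, key) ^ encrypt(block ^ 1, key)).count("1")

if __name__ == "__main__":
    c = encrypt(0x1234, 0xBEEF)
    print(hex(c), hex(decrypt(c, 0xBEEF)), f_is_invertible(0x5A),
          avalanche(0x1234, 0xBEEF))
```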
Data Encryption Standards (DES)
• Adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology in the US.
• Most widely used encryption technique.
• Block cipher with fixed block size
  – Plaintext block size: 64 bits
  – Key size: 56 bits
• Longer plaintexts are processed in 64-bit blocks.
• Shorter plaintexts are processed by padding with sufficient zeros.
• The same algorithm is used for decryption.
• Subject to much controversy
History of DES
• IBM LUCIFER, 60's
  – Uses a 128-bit key
• Proposal for NBS, 1973
• Adopted by NBS, 1977
  – Uses only a 56-bit key
• Possible brute force attack
  – Design of S-boxes was classified
• Hidden weak points in S-boxes?
  – Wiener (1993) claimed to be able to build a machine for $100,00 and break DES in 1.5 days
DES
• DES encrypts 64-bit blocks of data, using a 56-bit key.
• The basic process consists of:
  – an initial permutation (IP)
  – 16 rounds of a complex key-dependent calculation f
  – a final permutation, being the inverse of IP
  – Function f can be described as
    • L(i) = R(i-1)
    • R(i) = L(i-1) ⨁ P(S(E(R(i-1)) ⨁ K(i)))
DES
DES function f
Initial and Final Permutation
• The initial permutation IP table may be as follows:
Expansion Table E
• Expands the 32-bit data to 48 bits
  – Result(i) = input(array(i))
S-Boxes
• Here, the S-box is a fixed 4 by 16 array
• Given 6 bits B = b1 b2 b3 b4 b5 b6
  – Row r = b1 b6
  – Column c = b2 b3 b4 b5
  – S(B) = S(r, c) written in binary of length 4
• An example of an S-box is as below:
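The row/column rule above applied in Python to DES S-box S1 (the table as published in the DES standard); the code is an added example, not from the lecture, and the helper names are my own. It also checks the "nonlinear" property from the S-box slide: no affine map agrees with S1 on all inputs.

```python
# Added example (not from the lecture): lookup in DES S-box S1 using
# row = b1 b6 and column = b2 b3 b4 b5, plus two sanity checks on the table.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(box, b: int) -> int:
    """6-bit input b1..b6 -> 4-bit output: row = b1 b6, column = b2 b3 b4 b5."""
    if not 0 <= b < 64:
        raise ValueError("S-box input must be 6 bits")
    row = (((b >> 5) & 1) << 1) | (b & 1)     # outer bits select the row
    col = (b >> 1) & 0xF                      # middle four bits select the column
    return box[row][col]

def lookup_bits(box, bits: str) -> str:
    """Same lookup on a 6-char bit string, e.g. '011011' -> '0101'."""
    return format(sbox(box, int(bits, 2)), "04b")

def rows_are_permutations(box) -> bool:
    """Each row of a DES S-box lists every 4-bit value exactly once."""
    return all(sorted(row) == list(range(16)) for row in box)

def is_affine(box) -> bool:
    """A 'linear' S-box would satisfy S(a^b) = S(a)^S(b)^S(0) for all a, b;
    DES S-boxes are nonlinear, so this returns False for S1."""
    s0 = sbox(box, 0)
    return all(sbox(box, a ^ b) == sbox(box, a) ^ sbox(box, b) ^ s0
               for a in range(64) for b in range(64))

if __name__ == "__main__":
    print(lookup_bits(S1, "011011"), rows_are_permutations(S1), is_affine(S1))
```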
Permutation Table P
• The permutation after each round will be as follows:
Subkey Generation
• Given a 64-bit key (with parity-check bits)
  – Discard the parity-check bits
  – Permute the remaining bits using fixed table P1
  – Let C0 D0 be the result (total 56 bits)
• Let Ci = Shift_i(C(i-1)); Di = Shift_i(D(i-1)); and let Ki be another permutation P2 of Ci Di (total 56 bits)
  – where Shift_i is a cyclic shift one position left if i = 1, 2, 9, 16
  – else a cyclic shift two positions left
DES subkeys
Permutation Tables
DES in practice
• DEC (Digital Equipment Corp., 1992) built a chip with 50k transistors
  – Encrypts at the rate of 1 G/second
  – Clock rate 250 MHz
  – Cost about $300
• Applications
  – ATM transactions (encrypting PIN and so on)
Modes of operation
• Mode of use
  – The way we use a block cipher
  – Four have been defined for DES by ANSI in the standard ANSI X3.106-1983, modes of use.
• Block modes
  – Split messages into blocks (ECB, CBC)
• Stream modes
  – Operate on bit-stream messages (CFB, OFB)
Block Modes
• Electronic Codebook (ECB)
  – where the message is broken into independent 64-bit blocks which are encrypted
  – Ci = DES_K1(Pi)
• Cipher Block Chaining (CBC)
  – again the message is broken into 64-bit blocks, but they are linked together in the encryption operation with an IV
  – Ci = DES_K1(Pi ⨁ C(i-1))
  – C(-1) = IV (initial value)
Stream Modes
• Cipher Feedback (CFB)
  – where the message is treated as a stream of bits, added to the output of the DES, with the result being fed back for the next stage
  – Ci = Pi ⨁ DES_K1(C(i-1))
  – C(-1) = IV (initial value)
Stream modes
• Output Feedback (OFB)
  – where the message is treated as a stream of bits, added to the message, but with the feedback being independent of the message
  – Ci = Pi ⨁ Oi
  – Oi = DES_K1(O(i-1))
  – O(-1) = IV (initial value)
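All four modes run in Python over a constructed four-block message, with an assumed toy 8-bit block cipher E/D standing in for DES (added example, not from the lecture; the toy cipher is not secure). It shows the ECB/CBC difference a defender can observe directly: repeated plaintext blocks are visible in ECB output but not in CBC output.

```python
# Added example (not from the lecture): the ECB, CBC, CFB and OFB equations
# run with a toy 8-bit "block cipher" E/D in place of DES (assumption; it is
# only here so the arithmetic can be followed by hand, and is not secure).

def E(key: int, block: int) -> int:
    x = (block ^ key) & 0xFF
    return ((x << 3) | (x >> 5)) & 0xFF      # XOR key, rotate left 3

def D(key: int, block: int) -> int:
    return (((block >> 3) | (block << 5)) & 0xFF) ^ key

def ecb_encrypt(key, blocks):
    return [E(key, p) for p in blocks]        # Ci = E_K(Pi), blocks independent

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv                        # C(-1) = IV
    for p in blocks:
        prev = E(key, p ^ prev)               # Ci = E_K(Pi XOR C(i-1))
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(D(key, c) ^ prev)          # Pi = D_K(Ci) XOR C(i-1)
        prev = c
    return out

def cfb_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = p ^ E(key, prev)               # Ci = Pi XOR E_K(C(i-1))
        out.append(prev)
    return out

def cfb_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(c ^ E(key, prev))          # only E is needed, never D
        prev = c
    return out

def ofb_crypt(key, iv, blocks):
    """OFB: Oi = E_K(O(i-1)), Ci = Pi XOR Oi; decrypting is the same call."""
    out, o = [], iv
    for b in blocks:
        o = E(key, o)
        out.append(b ^ o)
    return out

def repeats_visible(ciphertext) -> bool:
    """True if equal plaintext blocks are exposed as equal ciphertext blocks."""
    return len(set(ciphertext)) < len(ciphertext)

KEY, IV = 0x5A, 0x13                          # constructed sample values
MESSAGE = [0x41, 0x41, 0x41, 0x42]            # constructed: three equal blocks
```

With these values ECB gives [0xD8, 0xD8, 0xD8, 0xC0] (the repeat shows), while CBC gives [0x40, 0xDA, 0x0E, 0xB0].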
DES Weak Keys
• With many block ciphers there are some keys that should be avoided, because of reduced cipher complexity
• These keys are such that the same sub-key is generated in more than one round, and they include:
  – Weak keys
    • The same sub-key is generated for every round
    • DES has 4 weak keys
  – Semi-weak keys
    • Only two sub-keys are generated on alternate rounds
    • DES has 12 of these (in 6 pairs)
  – Demi-semi weak keys
    • Have four sub-keys generated
• None of these causes a problem since they are a tiny fraction of all available keys
• However they MUST be avoided by any key generation program
DES Attacks
• Brute force attack
• 1998:
  • The EFF's US$250,000 DES cracking machine contained 1,536 custom chips and could brute force a DES key in a matter of days
  • The photo shows a DES Cracker circuit board fitted with several Deep Crack chips.
DES attacks
• Brute force attack
• The COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 9 days on average. The photo shows the backplane of the machine with the FPGAs.
DES attack : Faster than Brute force attack
• There are three attacks known that can break the full 16 rounds of DES with less complexity than a brute-force search:
  – differential cryptanalysis (DC),
  – linear cryptanalysis (LC), and
  – Davies' attack.
• However, these attacks are theoretical and infeasible to mount in practice; such attacks are sometimes termed certificational weaknesses.
Differential Cryptanalysis
• One of the most significant recent (public) advances in cryptanalysis
• Known by NSA in the 70's, cf. DES design
• Murphy, Biham & Shamir published 1990
• Powerful method to analyse block ciphers
• Used to analyse most current block ciphers with varying degrees of success
• DES reasonably resistant to it, cf. Lucifer
• It was discovered in the late 1980s by Eli Biham and Adi Shamir, although it was known earlier to both IBM and the NSA and kept secret.
• To break the full 16 rounds, differential cryptanalysis requires 2^47 chosen plaintexts. DES was designed to be resistant to DC.
Linear Cryptanalysis
• Another recent development
• Also a statistical method
• Must be iterated over rounds, with decreasing probabilities
• Developed by Mitsuru Matsui in 1994
• Based on finding linear approximations
• Can attack DES with 2^47 known plaintexts, still infeasible in practice
• Needs 2^43 known plaintexts
• It was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of attack.
Davies' attack
Possible techniques for improving DES
• Multiple enciphering with DES
  – Double DES, Triple DES, …
• Extending DES to 128-bit data paths and 112-bit keys
• Extending the key expansion calculation.
Double DES
• Using two encryption stages and two keys
  – C = E_k2(E_k1(P))
  – P = D_k1(D_k2(C))
• It is proved that there is no key k3 such that
  – C = E_k2(E_k1(P)) = E_k3(P)
• But a meet-in-the-middle attack is possible
• Thus, 2-DES is not secure (if DES is broken)