CNT-4403: 18.Sept.2011 1

Week 10

Cryptography

Symmetric Encryption

Stallings: Ch 3 & 6

Stallings: Ch 4

Today’s Class

Symmetric Ciphers

Multiple Encryption

Modes of Operation

Multiple Encryption and DES

DES uses 56-bit keys to encrypt 64-bit blocks

Differential cryptanalysis – $O(2^{47})$ encryptions

Linear cryptanalysis – $O(2^{43})$ encryptions

Can we make DES withstand attacks without changing its structure?

Yes!

Double DES

2 DES with keys K1 and K2: $C = E_{K2}(E_{K1}(P))$

[Figure: Double DES. Encryption: P passes through two DES Encrypt stages (keys K1, K2), giving X and then C. Decryption: C passes through two DES Decrypt stages, giving X and then P.]

2 DES: Meet-in-the-Middle

2 DES uses two keys: 56+56=112 bits

Is the strength $2^{56}$ times that of DES?

NO!!!!

Given P and C

Encrypt P for all possible $2^{56}$ values of K1

Store in table T: pairs $(K1, E_{K1}(P))$

Decrypt C for all possible $2^{56}$ values of K2

Search $D_{K2}(C)$ in table T

Success when $E_{K1}(P) = D_{K2}(C)$

Attack takes $O(2^{56})$ steps – similar to DES
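
The meet-in-the-middle steps above as an added example (not from the original slides), run against a constructed toy 32-bit Feistel cipher with 16-bit keys standing in for DES so the whole key space can be enumerated. It goes one step beyond the slide by confirming each table match on a second known (P, C) pair, because a match on a single pair can be a false positive; all function names, constants and keys are assumptions of this example.

```python
# Toy 32-bit Feistel cipher with 16-bit keys: a constructed stand-in for DES,
# small enough that the whole key space can be enumerated.
KEY_BITS, ROUNDS, MASK16 = 16, 4, 0xFFFF

def _f(half, key, rnd):
    # Keyed round function; a Feistel network is invertible for any choice.
    x = (half ^ (key * (2 * rnd + 3))) & MASK16
    x = (x * 0x9E37 + rnd) & MASK16
    return x ^ (x >> 7)

def encrypt(key, block):
    left, right = block >> 16, block & MASK16
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 16) | right

def decrypt(key, block):
    left, right = block >> 16, block & MASK16
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 16) | right

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))      # C = E_K2(E_K1(P))

def meet_in_the_middle(pairs):
    """Return every (K1, K2) consistent with all known (P, C) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                                  # table T: E_K1(P) -> [K1, ...]
    for k1 in range(1 << KEY_BITS):
        table.setdefault(encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(k2, c0), ()):   # E_K1(P) == D_K2(C)
            # One matching pair can be a coincidence; confirm on the rest.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    k1, k2 = 0x3A5C, 0xC0DE                     # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x01234567, 0x89ABCDEF)]
    for a, b in meet_in_the_middle(pairs):
        print(f"K1={a:#06x} K2={b:#06x}")
    print(f"cipher calls: about 2 * 2^{KEY_BITS}, key pairs: 2^{2 * KEY_BITS}")
```

The search makes about 2 × 2^16 cipher calls against 2^32 possible key pairs, at the price of a table with 2^16 entries. The same trade scales to 2 DES: roughly 2^57 DES operations and 2^56 stored entries instead of 2^112 trials.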

Triple DES: Two Keys

Must use 3 encryptions

But can use 2 keys with E-D-E sequence

$C = E_{K1}(D_{K2}(E_{K1}(P)))$

If K1=K2 then equivalent to single DES

Standardized in ANSI X9.17 & ISO8732

No current known practical attacks

Several proposed impractical attacks might become the basis of future attacks

Triple DES: Three Keys

Can use Triple-DES with Three-Keys to avoid even these

$C = E_{K3}(D_{K2}(E_{K1}(P)))$

Has been adopted by some Internet applications

PGP, S/MIME

Modes of Operation

Block ciphers encrypt fixed size blocks

DES encrypts 64-bit blocks with 56-bit key

Need to encrypt and decrypt arbitrary amounts of data in practice

NIST SP 800-38A defines 5 modes

Electronic Code Book: ECB

Cipher Block Chaining: CBC

Cipher Feedback: CFB

Output Feedback: OFB

Counter Mode: CTR

Can be used with any block cipher

Electronic Code Book (ECB)

Split message into blocks of length b (e.g., 64 bits)

Use the same key to encrypt each block

Each block is mapped into a unique value like a codebook

[Figure: ECB encryption. Each plaintext block P1 ... Ps (s blocks) goes through its own DES Encrypt stage under the same key K, giving C1 ... Cs.]

ECB Decryption

Weakness due to independent encryptions

Same bit repeated each b positions

Main use is sending a few blocks of data

E.g., shared keys

[Figure: ECB decryption. Each ciphertext block C1 ... Cs (s blocks) goes through its own DES Decrypt stage under the same key K, giving P1 ... Ps.]

Cipher Block Chaining (CBC)

Use Initial Vector (IV) to start process

Chain current cipher block into next encryption

[Figure: CBC encryption of s blocks P1, P2, … into C1, C2, … with DES Encrypt under key K; the IV feeds the first block and C1 feeds the second.]

CBC: Decryption

[Figure: CBC decryption of s blocks C1, C2 into P1, P2 with DES Decrypt under key K; the IV feeds the first block and C1 feeds the second.]

CBC Discussion

Padding: Message length may not be divisible by b

End of message must handle a possible last short block

Random padding

May require an extra entire block over those in message

Need Initialization Vector (IV)

Must be known to sender & receiver

May be sent encrypted in ECB mode before rest of message

Stream Modes of Operation

Block modes (ECB, CBC) encrypt entire block

May need to operate on smaller units: Why?

Real time data

Convert block cipher into stream cipher

Cipher feedback (CFB) mode

Output feedback (OFB) mode

Counter (CTR) mode

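Cipher Feedback Mode (CFB)

Message is treated as a stream of bits

Take s bits at a time; s<b

[Figure: CFB encryption. The IV (b bits) is encrypted with DES Encrypt under key K; s bits of the output are kept and the rest discarded, and the kept bits are combined with P1 (s bits) to give C1. The IV is then shifted by s bits with C1 fed in, encrypted again, and the kept s bits are combined with P2 (s bits) to give C2, and so on.]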

More on CFB

Decryption similar …

Appropriate when data arrives in bits/bytes

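Counter Mode (CTR)

b is block size

[Figure: CTR encryption. Counter1 is encrypted under key K and the result is combined with P1 (b bits) to give C1; Counter2 is encrypted under K and combined with P2 (b bits) to give C2, and so on.]

$\text{Counter}_2 = \text{Counter}_1 + 1, \ldots, \text{Counter}_n = \text{Counter}_{n-1} + 1$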

CTR (cont’d)

The initial Counter1 is random

Decryption is identical to encryption

Counter1 must be known

Counters should not be reused

This includes across multiple messages

CTR Advantages

Hardware/software efficient

Can process blocks in parallel

Preprocessing

Precompute encryptions of counters

Random access

Can encrypt/decrypt any block

CTR Advantages (cont’d)

Provable security

At least as secure as the other modes

Simplicity

Encryption = Decryption

Summary

Symmetric Ciphers

Multiple Encryption

Cipher Modes of Operation