1

Symmetric Encryption

Peter Sjödinpsj@kth.se

2

Acknowledgements• Many people have contributed to the course material• Former teachers

– Alberto Escudero Pascal, Johan Montelius, Jan-Olov Vatn, BjörnKnutsson

• We are particularly thankful to Prof. Vitaly Shmatikov, The Univ of Texas at Austin, for letting us use his material

3

Outline• Symmetric encryption

– Basics

• Modes of operation– How to deal with larger pieces of data

4

Symmetric Encryption

• Also known as:– Shared key encryption– Secret key encryption

• Same key for encryption and decryption• Sender and receiver need to agree on a key

---------------

Plaintextinput

Encryption Decryption---------------

Plaintextoutput

Ciphertext

Shared, secret key

5

One-Time Pad

= 10111101…---------------

= 00110010…10001111…⊕

00110010… =⊕

10111101…

Key is a random bit sequenceas long as the plaintext

Encrypt by bitwise XOR ofplaintext and key:ciphertext = plaintext ⊕ key

Decrypt by bitwise XOR ofciphertext and key:ciphertext ⊕ key = (plaintext ⊕ key) ⊕ key =plaintext ⊕ (key ⊕ key) =plaintext

Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, andevery key is equally likely (Claude Shannon)

6

Advantages of One-Time Pad

• Easy to compute– Encryption and decryption are the same operation– Bitwise XOR is very cheap to compute

• As secure as theoretically possible– Given a ciphertext, all plaintexts are equally likely, regardless

of attacker’s computational resources– “Cipher achieves perfect secrecy if and only if there are as

many possible keys as possible plaintexts, and every key is equally likely” (Claude Shannon)

– …as long as the key sequence is truly random• True randomness is expensive to obtain in large quantities

– …as long as each key is same length as plaintext• But how does the sender communicate the key to receiver?

7

Problems with One-Time Pad

• Key must be as long as plaintext– Impractical in most realistic scenarios– Still used for diplomatic and intelligence traffic

• Does not guarantee integrity– One-time pad only guarantees confidentiality– Attacker cannot recover plaintext, but can easily change it to

something else

• Insecure if keys are reused– Attacker can obtain XOR of plaintexts

8

RC4• Stream cipher• Ron Rivest• Generates a pseudo-random bitstream as a one-time pad• Used in SSL and WEP (IEEE 802.11)• First few bytes are non-random

– Used to break WEP (Replaced by WPA)

10111101…

00110010…10001111…⊕

00110010…⊕

10111101…

Pad generator

key

Pad generator

---------------Plaintext

input---------------

Plaintextoutput

9

Block Encryption

• Map a block of plaintext input to a block of ciphertext– Mapping is defined by key

• Input and output blocks have same size– Too short makes it possible to store all possible mappings– Too long is impractical and slow

• Result should look like a random permutation– “As if” plaintext bits were randomly shuffled

A B C D E

C A E D Bciphertext

plaintext

56-bit key

10

DES (Data Encryption Standard)

• Invented by IBM, issued in the U.S. as federal standard 1977• 64-bit blocks, 56-bit key

64-bit ciphertext

64-bit plaintext

Block cipher 56-bit key

11

Feistel

• A Feistel “round” consists of XOR of left and right half– Right half through substitution function “Mangler”

• Swap the result• Horst Feistel, IBM, 1973

Input left Input right

Output left Output right

Mangler+Key

12

“Confusion and Diffusion”• Concept by Claude Shannon• Properties of cipher• Confusion

– Complex relationship between key and ciphertext

• Diffusion– Dependency between output and input– Ideally, flipping one input bit should flip each output bit with

probability of one half

• Two main operations– Substitution – replace one symbol by another– Permutation – swap the bits around

13

Input

S S S S

Mangler Function• Also known as Feistel function,

round function, …• S-boxes perform substitution

– Replace one 4-bit symbol by another

• Through a lookup table– Different for each S-box

– Confusion

• Output is permuted– Diffusion

Output

Key

14

Feistel Ladder

Subkey 1+

Input block

Subkey n+

Output block

Subkey i+

Key

Larger block gives greater

security

Larger key gives greater security.

Multiple rounds gives greater security. DES

uses 16.

More complex subkeygeneration algorithm

gives greater security

More complex mangler function

gives greater security

• Trade-off between security and complexity (speed)• DES is reversible, so decryption is by running DES backwards!

15

DES Challenges

• DES Challenge III– January 1999

• Cracked in 22 hours 15 minutes– Electronic Frontier Foundation´s “Deep Crack”– Network of volunteers (distributed.net)

Plaintext: See you in Rome (second AES Conference, March 22-23, 1999) Ciphertext: bd 0d de 91 99 60 b8 8a 47 9c b1 5c 23 7b 81 18 99 0545 bc de 82 01 ab 53 4d 6f 1c b4 30 63 3c ee cd 96 2e07 c6 e6 95 99 9c 96 46 5a 95 70 02 02 70 98 bd 41 c288 a9 f0 2f 8b e5 48 20 d2 a8 a0 6b bf 93 de 89 f6 e252 fd 8a 25 eb d0 7d 96 83 ee a4 2d c8 8d 1b 71

16

3DES Encrypt

Triple DES

• Three DES blocks in cascade• Three or two keys (K1 = L3), 168 or 112 bits• Compatibility with DES (with K1, K2, K3 equal)

Encrypt DES

Decrypt DES

Encrypt DES

K1

K2

K3

3DES Decrypt

Decrypt DES

Encrypt DES

Decrypt DES

K1

K2

K3

17

DES Successors• Advanced Encryption Standard (AES)

– “Rijndael” after the inventors– Block size 128 bits, key length 128, 192 and 256 bits– Stated by the U.S. National Security Agency (NSA) that it may be

used for classified information• 192 or 256-bit keys for “TOP SECRET”

• International Data Encryption Algorithm (IDEA)– 64-bit blocks, 128-bit keys– IPR issues (patents)

• Blowfish– Bruce Schneier– 64-bit blocks, keys from 32 to 448 bits– Compact and efficient implementation

• …

18

Encrypting a Large Message

• So, we’ve got a good block cipher, but our plaintext is larger than 128-bit block size

• Electronic Code Book (ECB) mode– Split plaintext into blocks, encrypt each one separately using

the block cipher

• Cipher Block Chaining (CBC) mode– Split plaintext into blocks, XOR each block with the result of

encrypting previous blocks

• Also various counter modes, feedback modes, etc.

19

ECB Mode

• Identical blocks of plaintext produce identical blocks of ciphertext

• No integrity checks: can mix and match blocks

plaintext

ciphertext

blockcipher

blockcipher

blockcipher

blockcipher

blockcipher

20

CBC Mode: Encryption

• Identical blocks of plaintext encrypted differently• Last cipherblock depends on entire plaintext

– Still does not guarantee integrity

plaintext

ciphertext

blockcipher

blockcipher

blockcipher

blockcipher

⊕Initializationvector(random) ⊕ ⊕ ⊕

Sent with ciphertext(preferably encrypted)

21

CBC Mode: Decryption

plaintext

ciphertext

decrypt decrypt decrypt decrypt

⊕Initializationvector ⊕ ⊕ ⊕

22

ECB vs. CBC

AES in ECB mode AES in CBC mode

Similar plaintextblocks producesimilar ciphertextblocks

[Picture due to Bart Preneel]

23

Information Leakage in ECB Mode[Wikipedia]

Encrypt in ECB mode