symmetric key encryption algorithms
TRANSCRIPT
Symmetric Key Encryption Algorithms
• Two categories of methods
– Stream cipher: algorithm operates on individual bits (or bytes); one at a time
– Block cipher: operates on fixed-length groups of bits called blocks
Idea of a block cipher
• Partition the text into relatively large (e.g. 128 bits) blocks and encode each block separately.
• The encoding of each block generally depends on at most one of the previous blocks.
• The same “key” is used at each block.
• The Data Encryption Standard (DES) is an example of a block cipher, where blocks of 64 bits are encrypted using a 56-bit key.
• many current ciphers are block ciphers
– better analyzed
– broader range of applications
Idea of a stream cipher
• stream ciphers process messages a bit or byte at a time when en/decrypting
• The Vigenère cipher is an example of a stream cipher.
• For each block, a different “key” is generated.
• Block ciphers work a on block / word at a
time, which is some number of bits. All of
these bits have to be available before the
block can be processed.
• Stream ciphers work on a bit or byte of the
message at a time, hence process it as a
“stream”.
Only a few symmetric methods are used today:
Data Encryption Standard (DES)
• The Data Encryption Standard (DES) is a
symmetric-key block cipher published by the
National Institute of Standards and Technology
(NIST).
Data Encryption Standard (DES) History
• DES is a block cipher, Encryption and
decryption with DES is shown bellow.
DES STRUCTURE
• The encryption process is made of two
permutations (P-boxes), which we call initial
and final permutations, and sixteen rounds.
Initial Permutation IP
• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)
• no cryptographic value
DES description
• Block cipher: 64 bits at a time
• Initial permutation rearranges 64 bits (no cryptographic effect)
• Encoding is in 16 rounds
• ENCRYPTION Each block is subjected to 16 rounds of
substitutions and permutations (transpositions). Each round uses 48 bits from key called the
subkey. Initial and final permutation appear to be
redundant. • DECRYPTION process as encryption but with subkeys applied in
reverseorder
One Round
• 64 bits divided into left, right halves
• Right half goes through function f, mixed with key
• Right half added to left half
• Halves swapped (except in last round)
• Expand right side from 32 to 48 bits (some get reused)
• Add 48 bits of key (chosen by schedule)
• S-boxes: each set of 6 bits reduced to 4
• P-box permutes 32 bits
Strength of DES – Key Size
56-bit keys have 256 = 7.2 x 1016 values
brute force search looked hard
advances have shown is possible
in 1997 on Internet in a few months
in 1998 on dedicated h/w in a few days
in 1999 above combined in 22hrs!
Forced to consider alternatives to DES
Double DES
• DES uses a 56-bit key, this raised concerns about brute force attacks
• One proposed solution: double DES.
• Apply DES twice using two keys, K1 and K2.
This leads to a 2x56=112 bit key, so it is more secure than DES
• Double DES is prone to Meet-in-the-Middle attack.
Meet-in-the-Middle Attack
If the same K1-K2 pairs match for the second plaintext-ciphertext pair, then the correct keys are most probably found
• 2-DES: C = EK2(EK1(P))
• So, X = EK1(P) = DK2(C)
• Given a known pair (P, C), attack as follows:
– Encrypt P with all 256 possible keys for K1.
– Decrypt C with all 256 possible keys for K2.
– If EK1’(P) = DK2’(C), try the keys on another (P’, C’).
– If works, (K1’, K2’) = (K1, K2) with high probability.
– Takes O(256) steps; not much more than attacking 1-DES
Triple DES
• Another method for a strong cipher
• use multiple encryption with DES with different keys
– to preserve the investment in DES
– for quicker deployment
• Triple DES is chosen as a standard method
– Standardized by ANSI, ISO and NIST
Triple-DES with two keys
can use 2 keys with E-D-E sequence C = EK1(DK2(EK1(P)))
Triple-DES with Three-Keys
• can use Triple-DES with Three-Keys
C = EK3(DK2(EK1(P)))
• has been adopted by some Internet applications, eg PGP, S/MIME
• Principal drawback is that the algorithm is relatively sluggish in software
Meet-in-the-Middle Attack on 3DES
1. For each possible key for K1, encrypt P to produce a possible value for A.
2. Using this A, and C, attack the 2DES to obtain a pair of keys (K2, K1’).
3. If K1’ = K1, try the key pair (K1, K2) on another (C’,P’).
4. If it works, (K1, K2) is the key pair with high probability.
International Data Encryption Standard
(IDEA)
International Data Encryption Standard (IDEA)
• The International Data Encryption Standard Algorithm (IDEA) is a symmetric block cipher that was proposed to replace DES designed in 1991.
• It is a minor revision of an earlier cipher, PES (Proposed Encryption Standard); IDEA was originally called IPES (Improved PES). IDEA was used as the symmetric cipher in early versions of the Pretty Good Privacy cryptosystem.
• The main design goals of IDEA are:
• Block Length: Block size of 64 bits is considered strong enough to deter statistical analysis. Also usage of Cipher Feedback Mode of operation provides better strength.
• Key Length: Its key size of 128 bits is very secure to deter exhaustive search.
• 128 bit key, 64 bit block size, 8 rounds
• algorithm is quite different than DES,
– doesn’t use S-boxes
– uses binary addition rather than exclusive-or
Features of IDEA
• The IDEA encryption algorithm • provides high level security not based on keeping the
algorithm a secret, but rather upon ignorance of the secret key
• Is fully specified, easily understood, and is available to everybody
• Is suitable for use in a wide range of applications and can be economically implemented in electronic components (VLSI Chip)
• Can be used efficiently and may be exported world wide
• Is patent protected to prevent fraud and piracy
Description of IDEA
• The block cipher IDEA operates with 64-bit plaintext and cipher text blocks and is controlled by a 128-bit key.
• Completely avoid substitution boxes and table lookups used in the block ciphers
• The algorithm structure has been chosen such
that when different key sub-blocks are used, the encryption process is identical to the decryption process
Key generation
• The 64-bit plaintext block is partitioned into four 16-bit sub-blocks
• six 16-bit key are generated from the 128-bit key. Since a further four 16-bit key-sub-blocks are required for the subsequent output transformation, a total of 52 (= 8 x 6 + 4) different 16-bit sub-blocks have to be generated from the 128-bit key.
• First, the 128-bit key is partitioned into eight 16-bit sub-blocks which are then directly used as the first eight key sub-blocks
• The 128-bit key is then cyclically shifted to the left by 25 positions, after which the resulting 128-bit block is again partitioned into eight 16-bit sub-blocks to be directly used as the next eight key sub-blocks
• The cyclic shift procedure described above is repeated until all of the required 52 16-bit key sub-blocks have been generated
Encryption of the key sub-blocks
IDEA Encryption
• Input – 64-bit plaintext, 128-bit key, Output – 64-bit ciphertext Encryption algorithm consists of 8 rounds followed by a final transformation function • Round function – Input – 4 16-bit subblocks, 6 16-bit subkeys, Output – 4 16- bit subblocks • Output transformation function –
Input – 4 16-bit subblocks, 4 16-bit subkeys Output – 4 16-bit subblocks
• Subkey generator – Input – 128-bit key Output – 52 16-bit subkeys
Details of a Single Round
1. Transformation – use addition and multiplication operations Input – 4 subblocks (X1, X2, X3, X4) and 4 subkeys (Z1, Z2, Z3, Z4) 2. XOR operation – The 4 output subblocks are XORed to form 2 16-bit blocks that are inputs to the MA structure 3. MA structure –
Input – 2 16-bit blocks, 2 16-bit subkeys Output – 2 16-bit output blocks
4. XOR operation – The 4 outputs from the upper transformation are XORed with the 2 outputs of the MA structure to produce 4 outputs
• Output Transformation Function Input – 4 16-bit blocks, 4 16-bit subkeys
Output – 4 16-bit output blocks
• Similar to the upper transformation of a single round
• The 2nd and 3rd inputs are interchanged such that decryption has the same structure as encryption
• Subkey Generation Input – 128-bit key Z Output - 52 16-bit subkeys (Z1, Z2, …, Z52) • The first 8 subkeys Z1, Z2, …, Z8 are taken directly
from the key Z Z1 = Z[1..16], Z2=Z[17..32], …, Z8=Z[113..128] • Circular left shift 25 bit positions of Z and extract
next 8 subkeys • Repeat the above procedure until all of the 52
subkeys are generated
Z1 = Z[1..16]
Z7 = Z[97..112]
Z13 = Z[90..105]
Z19 = Z[83..98]
Z25 = Z[76..91]
Z31 = Z[44..59]
Z37 = Z[37..52]
Z43 = Z[30..45]
Encryption
• the first four 16-bit key sub-blocks are combined with two of the 16-bit plaintext blocks using addition modulo 216, and with the other two plaintext blocks using multiplication modulo 216 + 1
• At the end of the first encryption round four 16-bit values are produced which are used as input to the second encryption round
• The process is repeated in each of the subsequent 7 encryption rounds
• The four 16-bit values produced at the end of the 8th encryption round are combined with the last four of the 52 key sub-blocks using addition modulo 216 and multiplication modulo 216 + 1 to form the resulting four 16-bit ciphertext blocks
Decryption
• The computational process used for decryption of the ciphertext is essentially the same as that used for encryption
• The only difference is that each of the 52 16-bit key sub-blocks used for decryption is the inverse of the key sub-block used during encryption
• In addition, the key sub-blocks must be used in the reverse order during decryption in order to reverse the encryption process
Modes of operation
• IDEA supports all modes of operation such as: – Electronic Code Book (ECB) mode – Cipher Block Chaining (CBC) – Cipher Feedback (CFB) – Output Feedback (OFB) modes
• For plaintext exceeding this fixed size, the simplest approach is to partition the plaintext into blocks of equal length and encrypt each separately. This method is named Electronic Code Book (ECB) mode.
• However, Electronic Code Book is not a good system to use with small block sizes (for example, smaller than 40 bits)
Electronic Code Book (ECB) mode
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
• uses: secure transmission of single values. ECB is the simplest of the modes, and is used when only a single block of info needs to be sent
• ECB is not appropriate for any quantity of data, since repetitions can be seen, esp. with graphics, and because the blocks can be shuffled/inserted without affecting the en/decryption of each block. Its main use is to send one or a very few blocks, eg a session encryption key.
Cipher Block Chaining (CBC)
• To overcome the problems of repetitions and order independence in ECB, there should be a way of making the ciphertext dependent on all blocks before it
• This is what CBC gives us, by combining the previous ciphertext block with the current message block before encrypting.
• To start the process, use an Initial Value (IV), which is usually well known (often all 0's), or otherwise is sent, ECB encrypted, just before starting CBC use.
• CBC mode is applicable whenever large amounts of data need to be sent securely, provided that all data is available in advance (eg email, FTP, web etc).
• In CBC mode, each plaintext block is
exclusive-ored with the previous ciphertext
block before being encrypted.
One issue that arises with block modes is how to handle the last block, which may well not be complete. In general have to pad this block (typically with 0's), and then must recognise padding at other end
Advantages and Limitations of CBC
• A ciphertext block depends on all blocks before it
• Any change to a block affects all following ciphertext blocks
• Need Initialization Vector (IV) – which must be known to sender & receiver
– if sent in clear, attacker can change bits of first block, and change IV to compensate
– hence IV must either be a fixed value or must be sent encrypted in ECB mode before rest of message
Cipher Feedback (CFB) Mode
• Encryption in cipher feedback (CFB) mode
• The relation between plaintext and ciphertext
blocks is shown below:
Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8, 64 or 128 etc)
to be feed back
– denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• most efficient to use all bits in block (64 or 128)
• uses: stream data encryption, authentication
Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block
encryption after every n-bits
• the block cipher is used in encryption mode at
both ends
• errors propagate for several blocks after the
error
Output Feedback (OFB) Mode
• In this mode each bit in the ciphertext is
independent of the previous bit or bits. This
avoids error propagation.
Encryption in output feedback (OFB) mode
• message is treated as a stream of bits
• output of cipher is added to message
• output is then feed back (hence name)
• feedback is independent of message
• can be computed in advance Ci = Pi XOR Oi
Oi = EK1(Oi-1)
O-1 = IV
• uses: stream encryption on noisy channels
• Here the generation of the "random" bits is independent of the message being encrypted. The advantage is that firstly, they can be computed in advance, good for bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (eg satellite TV transmissions etc).
Advantages and Limitations of OFB
• One advantage of the OFB method is that bit errors in transmission do not propagate.
• The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB.
• Since OFB is a Vernam cipher variant, the stream should never be used more than once.
Applications of IDEA
• Today, there are hundreds of IDEA-based security solutions available in many market areas, ranging from Financial Services, and Broadcasting to Government
• The IDEA algorithm can easily be embedded in any encryption software. Data encryption can be used to protect data transmission and storage. Typical fields are: – Audio and video data for cable TV, pay TV, video conferencing,
distance learning
– Sensitive financial and commercial data
– Email via public networks
– Smart cards