Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modern Symmetric-Key Ciphers

Similar presentations

Presentation on theme: "Modern Symmetric-Key Ciphers"— Presentation transcript:

1 Modern Symmetric-Key Ciphers
Chapter 8 Encipherment Using Modern Symmetric-Key Ciphers Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

2 Block length is fixed (n-bit) • How to encrypt large messages?
Chapter 8 Objectives Block length is fixed (n-bit) • How to encrypt large messages? – Partition into n-bit blocks – Choose mode of operation • Electronic Codebook (ECB), • Cipher-Block Chaining (CBC), • Cipher Feedback (CFB), • Output Feedback (OFB), • Counter (CTR) -- Modes of operation have been devised to encipher text of any size employing either DES or AES. Two stream ciphers used for real-time processing of data.

3 8-1 Continued Figure 8.1 Modes of operation

4 Evaluation criteria • Identical messages • Chaining dependencies
– under which conditions ciphertext of two identical messages are the same • Chaining dependencies – how adjacent plaintext blocks affect encryption of a plaintext block • Error propagation – resistance to channel noise • Efficiency – preprocessing – parallelization: random access

5 Electronic Codebook Book (ECB)
message is broken into independent blocks which are encrypted each block is a value which is substituted, like a codebook, hence name each block is encoded independently of the other blocks uses: secure transmission of single values The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key. ECB is the simplest of the modes, and is used when only a single block of info needs to be sent (eg. a session key encrypted using a master key).

6 Electronic Codebook (ECB) Mode
The simplest mode of operation is called the electronic codebook (ECB) mode. Figure 8.2 Electronic codebook (ECB) mode

7 Advantages and Limitations of ECB
message repetitions may show in ciphertext if aligned with message block particularly with data such graphics or with messages that change very little, which become a code-book analysis problem weakness is due to the encrypted message blocks being independent main use is sending a few blocks of data ECB is not appropriate for any quantity of data, since repetitions can be seen, esp. with graphics, and because the blocks can be shuffled/inserted without affecting the en/decryption of each block. Its main use is to send one or a very few blocks, eg a session encryption key.

8 Electronic Codebook (ECB)
• Does not hide data patterns, unsuitable for long messages – Wiki example: pixel map using ECB Plain text ECB mode Other modes • Susceptible to replay attacks – Example: a wired transfer transaction can be replayed by resending the original message)

9 Electronic Codebook (ECB)
Example Assume that Eve works in a company a few hours per month (her monthly payment is very low). She knows that the company uses several blocks of information for each employee in which the seventh block is the amount of money to be deposited in the employee’s account. Eve can intercept the ciphertext sent to the bank at the end of the month, replace the block with the information about her payment with a copy of the block with the information about the payment of a full-time colleague. Each month Eve can receive more money than she deserves.

10 Electronic Codebook (ECB)
Error Propagation A single bit error in transmission can create errors in several in the corresponding block. However, the error does not have any effect on the other blocks.

11 Cipher Block Chaining (CBC)
message is broken into blocks linked together in encryption operation each previous cipher blocks is chained with current plaintext block, hence name use Initial Vector (IV) to start process uses: bulk data encryption, authentication To overcome the problems of repetitions and order independence in ECB, want some way of making the ciphertext dependent on all blocks before it. This is what CBC gives us, by combining the previous ciphertext block with the current message block before encrypting. To start the process, use an Initial Value (IV), which is usually well known (often all 0's), or otherwise is sent, ECB encrypted, just before starting CBC use. CBC mode is applicable whenever large amounts of data need to be sent securely, provided that all data is available in advance (eg , FTP, web etc).

12 8.1.2 Cipher Block Chaining (CBC) Mode
In CBC mode, each plaintext block is exclusive-ored with the previous ciphertext block before being encrypted. Figure 8.3 Cipher block chaining (CBC) mode

13 Continued Figure 8.3 Cipher block chaining (CBC) mode

14 Message Padding at end of message must handle a possible last short block which is not as large as block size of cipher pad either with known non-data value (e.g. nulls) or pad last block along with count of pad size eg. [ b1 b2 b ] means have 3 data bytes, then 5 bytes pad+count this may require an extra entire block over those in message there are other, more esoteric modes, which avoid the need for an extra block One issue that arises with block modes is how to handle the last block, which may well not be complete. In general have to pad this block (typically with 0's), and then must recognise padding at other end - may be obvious (eg in text the 0 value should usually not occur), or otherwise must explicitly have the last byte as a count of how much padding was used (including the count). Note that if this is done, if the last block IS an even multiple of 8 bytes or has exactly the same form as pad+count, then will have to add an extra block, all padding so as to have a count in the last byte. There are other, more esoteric, “ciphertext stealing” modes, which avoid the need for an extra block.

15 Advantages and Limitations of CBC
a ciphertext block depends on all blocks before it any change to a block affects all following ciphertext blocks need Initialization Vector (IV) which must be known to sender & receiver if sent in clear, attacker can change bits of first block, and change IV to compensate hence IV must either be a fixed value (as in EFTPOS) or must be sent encrypted in ECB mode before rest of message CBC is the block mode generally used. The chaining provides an avalanche effect, which means the encrypted message cannot be changed or rearranged without totally destroying the subsequent data. However there is the issue of ensuring that the IV is either fixed or sent encrypted in ECB mode to stop attacks on 1st block.

16 Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure ciphers, but the plaintext or ciphertext block sizes are to be smaller. Figure 8.4 Encryption in cipher feedback (CFB) mode

17 Continued Note In CFB mode, encipherment and decipherment use the encryption function of the underlying block cipher. The relation between plaintext and ciphertext blocks is shown below:

18 Continued CFB as a Stream Cipher
Figure 8.5 Cipher feedback (CFB) mode as a stream cipher

19 Cipher FeedBack (CFB) message is treated as a stream of bits
added to the output of the block cipher result is feed back for next stage (hence name) standard allows any number of bit (1,8, 64 or 128 etc) to be feed back denoted CFB-1, CFB-8, CFB-64, CFB-128 etc most efficient to use all bits in block (64 or 128) uses: stream data encryption, authentication If the data is only available a bit/byte at a time (eg. terminal session, sensor value etc), then must use some other approach to encrypting it, so as not to delay the info. Idea here is to use the block cipher essentially as a pseudo-random number generator (see stream cipher lecture later) and to combine these "random" bits with the message. Note as mentioned before, XOR is an easily inverted operator (just XOR with same thing again to undo). Again start with an IV to get things going, then use the ciphertext as the next input. As originally defined, idea was to "consume" as much of the "random" output as needed for each message unit (bit/byte) before "bumping" bits out of the buffer and re-encrypting. This is wasteful though, and slows the encryption down as more encryptions are needed. An alternate way to think of it is to generate a block of "random" bits, consume them as message bits/bytes arrive, and when they're used up, only then feed a full block of ciphertext back. This is CFB-64 or CFB-128 mode (depending on the block size of the cipher used eg DES or AES respectively). CFB is the usual choice for quantities of stream oriented data, and for authentication use.

20 Advantages and Limitations of CFB
appropriate when data arrives in bits/bytes most common stream mode limitation is need to stall while do block encryption after every n-bits note that the block cipher is used in encryption mode at both ends errors propagate for several blocks after the error CFB is the usual stream mode. As long as can keep up with the input, doing encryptions every 8 bytes. A possible problem is that if its used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks (since the current block feeds as input to create the random bits for the next). So either must use over a reliable network transport layer (pretty usual) or use OFB.

21 Output Feedback (OFB) Mode
In this mode each bit in the ciphertext is independent of the previous bit or bits. This avoids error propagation. Figure 8.6 Encryption in output feedback (OFB) mode

22 Continued OFB as a Stream Cipher
Figure 8.7 Output feedback (OFB) mode as a stream cipher

23 Output FeedBack (OFB) message is treated as a stream of bits
output of cipher is added to message output is then feed back (hence name) feedback is independent of message can be computed in advance Ci = Pi XOR Oi Oi = DESK1(Oi-1) O-1 = IV uses: stream encryption on noisy channels The alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted. The advantage is that firstly, they can be computed in advance, good for bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (eg satellite TV transmissions etc).

24 Advantages and Limitations of OFB
bit errors do not propagate more vulnerable to message stream modification a variation of a Vernam cipher hence must never reuse the same sequence (key+IV) sender & receiver must remain in sync originally specified with m-bit feedback subsequent research has shown that only full block feedback (ie CFB-64 or CFB-128) should ever be used One advantage of the OFB method is that bit errors in transmission do not propagate. The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB. Since OFB is a Vernam cipher variant, the stream should never be used more than once (otherwise the 2 ciphertexts can be combined, cancelling these bits, and leaving a "book" cipher to solve). And sender & receiver need to remain in sync, or all data is lost. Also, research has shown that you should only ever use a full block feedback ie OFB-64/128 mode.

25 Counter (CTR) Mode In the counter (CTR) mode, there is no feedback. The pseudorandomness in the key stream is achieved using a counter. Figure 8.8 Encryption in counter (CTR) mode

26 Continued Figure 8.9 Counter (CTR) mode as a stream cipher

27 Counter (CTR) a “new” mode, though proposed early on
similar to OFB but encrypts counter value rather than any feedback value must have a different key & counter value for every plaintext block (never reused) Oi = DESK1(i) Ci = Pi XOR Oi uses: high-speed network encryptions The Counter (CTR) mode is a variant of OFB, but which encrypts a counter value (hence name). Although it was proposed many years before, it has only recently been standardized for use with AES along with the other existing 4 modes. It is being used with applications in ATM (asynchronous transfer mode) network security and IPSec (IP security). A counter, equal to the plaintext block size is used. The only requirement stated in SP A is that the counter value must be different for each plaintext block that is encrypted. Typically the counter is initialized to some value and then incremented by 1 for each subsequent block.

28 Advantages and Limitations of CTR
efficiency can do parallel encryptions in hardware or software can preprocess in advance of need good for burst high speed links random access to encrypted data blocks provable security (good as other modes) but must ensure never reuse key/counter values, otherwise could break (cf OFB) CTR mode has a number of advantages in parallel h/w & s/w efficiency, can preprocess the output values in advance of needing to encrypt, can get random access to encrypted data blocks, and is simple. But like OFB have issue of not reusing the same key+counter value.

29 Continued Comparison of Different Modes n-bit

30 Selection of Modes Choice of encryption mode affects
Encryption/decryption speed Security against active adversaries (bit flips) Security against passive adversaries (ECB) Error propagation

31 Stream Ciphers process message bit by bit (as a stream)
have a pseudo random keystream combined (XOR) with plaintext bit by bit randomness of stream key completely destroys statistically properties in message Ci = Mi XOR StreamKeyi but must never reuse stream key otherwise can recover messages (cf book cipher) A typical stream cipher encrypts plaintext one byte (or bit) at a time, usually by XOR’ing with a pseudo-random keystream. The stream cipher is similar to the one-time pad discussed in Chapter 2. The difference is that a one-time pad uses a genuine random number stream, whereas a stream cipher uses a pseudorandom number stream. But rely on the randomness of stream key completely destroys statistically properties in message. However, you must never reuse a stream key since otherwise you can recover messages (as with a book cipher).

32 Stream Cipher Structure
Stallings Figure 6.8 illustrates the general structure of a stream cipher, where a key is input to a pseudorandom bit generator that produces an apparently random keystream of bits, and which are XOR’d with message to encrypt it, and XOR’d again to decrypt it by the receiver.

33 Stream Cipher Properties
some design considerations are: long period with no repetitions statistically random depends on large enough key large linear complexity properly designed, can be as secure as a block cipher with same size key but usually simpler & faster [KUMA97] lists the following important design considerations for a stream cipher: The encryption sequence should have a large period, the longer the period of repeat the more difficult it will be to do cryptanalysis. The keystream should approximate the properties of a true random number stream as close as possible, the more random-appearing the keystream is, the more randomized the ciphertext is, making cryptanalysis more difficult. To guard against brute-force attacks, the key needs to be sufficiently long. The same considerations as apply for block ciphers are valid here .Thus, with current technology, a key length of at least 128 bits is desirable. With a properly designed pseudorandom number generator, a stream cipher can be as secure as block cipher of comparable key length. The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers.

34 RC4 a proprietary cipher owned by RSA
another Ron Rivest design, simple but effective variable key size, byte-oriented stream cipher widely used (web SSL/TLS, wireless WEP) key forms random permutation of all 8-bit values uses that permutation to scramble input info processed a byte at a time RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. RC4 is probably the most widely used stream cipher. It is used in the SSL/TLS secure web protocol, & in the WEP & WPA wireless LAN security protocols. RC4 was kept as a trade secret by RSA Security, but in September 1994 was anonymously posted on the Internet on the Cypherpunks anonymous r ers list. In brief, the RC4 key is ued to form a random permutation of all 8-bit values, it then uses that permutation to scramble input info processed a byte at a time.

35 RC4 RC4 is a byte-oriented stream cipher in which a byte (8 bits) of a plaintext is exclusive-ored with a byte of key to produce a byte of a ciphertext. State RC4 is based on the concept of a state.

36 Continued Figure 8.10 The idea of RC4 stream cipher
The RC4 key schedule initialises the state S to the numbers , and then walks through each entry in turn, using its current value plus the next byte of key to pick another entry in the array, and swaps their values over. After doing this 256 times, the result is a well and truly shuffled array. The total number of possible states is 256! - a truly enormous number, much larger even than the 2048-bit (256*8) max key allowed can select.

37 Continued Initialization Initialization is done in two steps:
Key Stream Generation The keys in the key stream are generated, one by one. The RC4 key schedule initialises the state S to the numbers , and then walks through each entry in turn, using its current value plus the next byte of key to pick another entry in the array, and swaps their values over. After doing this 256 times, the result is a well and truly shuffled array. The total number of possible states is 256! - a truly enormous number, much larger even than the 2048-bit (256*8) max key allowed can select.

38 Continued Algorithm

39 Continued Algorithm Continued

40 Continued Example 8.5 To show the randomness of the stream key, we use a secret key with all bytes set to 0. The key stream for 20 values of k is (222, 24, 137, 65, 163, 55, 93, 58, 138, 6, 30, 103, 87, 110, 146, 109, 199, 26, 127, 163). Example 8.6 Repeat Example 8.5, but let the secret key be five bytes of (15, 202, 33, 6, 8). The key stream is (248, 184, 102, 54, 212, 237, 186, 133, 51, 238, 108, 106, 103, 214, 39, 242, 30, 34, 144, 49). Again the randomness in the key stream is obvious.

41 RC4 Security claimed secure against known attacks
have some analyses, none practical result is very non-linear since RC4 is a stream cipher, must never reuse a key have a concern with WEP, but due to key handling rather than RC4 itself A number of papers have been published analyzing methods of attacking RC4, but none of these approaches is practical against RC4 with a reasonable key length, such as 128 bits. A more serious problem occurs in its use in the WEP protocol, not with RC4 itself but the way in which keys are generated for use as input to RC4. Currently RC4 its regarded as quite secure, if used correctly, with a sufficiently large key.

42 A5/1 A5/1 (a member of the A5 family of ciphers) is used in the Global System for Mobile Communication (GSM), a network for mobile telephone communication.. Figure General outline of A5/1

43 Continued Key Generator
A5/1 uses three Linear Feedback Shift Registers (LFSRs) with 19, 22, and 23 bits. Figure Three LFSR’s in A5/1

44 Continued Initialization 1. set all bits in three LFSRs to 0. 2. 3.

45 Continued 4.

46 Continued Example 8.7 At a point of time the clocking bits are 1, 0, and 1. Which LFSR is clocked (shifted)? Solution The result of Majority (1, 0, 1) = 1. LFSR1 and LAFS3 are shifted, but LFSR2 is not.

47 Continued Encryption/Decryption
The bit streams created from the key generator are buffered to form a 228-bit key that is exclusive-ored with the plaintext frame to create the ciphertext frame. Encryption/decryption is done one frame at a time.

48 Topics discussed in this section:
8-3 OTHER ISSUES Encipherment using symmetric-key block or stream ciphers requires discussion of other issues. Topics discussed in this section: 8.3.1 Key Management Key Generation

49 Key management is discussed in Chapter 15.
Alice and Bob need to share a secret key between themselves to securely communicate using a symmetric-key cipher. If there are n entities in the community, n(n − 1)/2 keys are needed. Note Key management is discussed in Chapter 15.

50 Random number generators are discussed in Appendix K.
Key Generation Different symmetric-key ciphers need keys of different sizes. The selection of the key must be based on a systematic approach to avoid a security leak. The keys need to be chosen randomly. This implies that there is a need for random (or pseudorandom) number generator. Note Random number generators are discussed in Appendix K.

Download ppt "Modern Symmetric-Key Ciphers"

Similar presentations

Ads by Google