1. 1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES

2. 2 Glossary plaintext – message in its original form ciphertext – encrypted message encryption – process of producing ciphertext from plaintext decryption – reverse process breaking encryption scheme – discovering plaintext that matches ciphertext cryptoanalyst, attacker, intruder, bad guy – an entity trying to break encryption

3. 3 Concepts block cipher – encrypts blocks of data (say 64), essentially substituting 64 bit-data block by 64-bit encrypted block –we can specify cipher by stating the complete data->encryption, is it possible? –can two data blocks map to the same encrypted block? –can we map a data block to a smaller (larger) encrypted block? two basic operations for k -bit blocks –substitution – for each 2 k inputs specify output, impractical for large k –permutation – for each bit specifies the output position it gets block encryption usually contains multiple rounds of substituitions and premutations

4. 4  (Exclusive-OR) Bitwise operation with two inputs where the output bit is 1 if exactly one of the two input bits is one (B  A)  A) = B If A is a “one time pad”, very efficient and secure Common encryption schemes (e.g. RC4) calculate a pseudo- random stream from a key

5. 5 DES Intro DES – Data Encryption Standard published in 1977 by National Bureau of Standards (now NIST) with input from NSA based on IBM Lucifer cipher encodes 64-bit blocks uses 56-bit key –key consists of 8 octets, where 7 bits are useful and 8 th is parity efficient to implement in hardware, but slow in software the adoption of DES was done without public scrutiny some operations are suspect

6. 6 DES Basic Structure encryption –64 bit data block is permuted (initial permutation) –from 56-bit key – generate sixteen 48-bit round keys –16 rounds: at each round take 64-bit data from previous round and 48-bit key and produce data for the next round –final permutation (inverse of initial permutation) decryption –do initial permutation (to undo final) –run 16 rounds “in reverse” (more later) –do final permutation security value of initial/final permutations is suspect

7. 7 DES Round Key Generation 56-bit key is divided into two 28-bit halves: C0 and D0 initial permutation of both parts (security value suspect) 16 rounds –in each round the bits C i-1 and D i-1 are rotated (to produce C i and D i ) then permuted (this permutation may be of security value) and some bits dropped to produce two 24-bit halves of K i

8. 8 DES Round 64-bit input is divided into 32-bit halves L n and R n observe that due to properties of  decoding can be done even if the mangler function is not reversible encodingdecoding

9. 9 DES Mangler Function takes 32-bit R n and 48-bit K n and produces a 32-bit R n+1 operation –32-bit R n is expanded to 48 bits – each 4-bits are expanded to 6 bits by duplicating adjacent bits –each 6 bits or R n are XOR-ed with corresponding 6 bits of K n and fed into S-Box (1 through 8) each S-box is different –S-Box is a (completely defined) substitution that accepts 6 bits and produces 4 bits (mapping is not unique) –the output 32 bits are then permuted to produce R n+1 the idea of the permutation is so that the output of one S-Box affexts the input of multiple S-Boxes in the next round

10. 10 DES Weak Keys there are sixteen DES keys that are suspect 4 weak keys: – C0 and D0 are either all 0s or all 1s - thekeys are their own inverses (encrypting with the key is the same as decrypting with it) semi-weak: –either all 0s and all 1s or alternating 0s and 1s

11. 11 Why is DES the Way it Is? operations in DES appear simple and arbitrary things are however mysterious –if S-Boxes 3 and 7 are swapped, DES is an order of magnitude less secure DES design process was not public, so it is not clear how the details were chosen if they leave some hidden weakness? possibility –DES was designed to be strong against specific attacks the designers knew about but did not publish (not to educate the bad guys) –are the other standards vulnerable to these attacks?

12. 12 IDEA IDEA = international data encryption standard devloped by Lai and Massey, 1992 64-bit block size, 128-bit key similar to DES in the sense – operates in rounds, complicated one-way mangler function 8.5 rounds of:  : bitwise XOR +: addition mod 2 16  : multplication mod 2 16 + 1 decryption: same as encryption, with inverse keys very secure, a bit slow (about the same as DES)

13. 13 AES AES = Advanced Encryption Standard public design process: NIST’s request for proposals (1997) Winner: Rijndael (2000) Rijndael –128, 192, or 256-bit block size, 128, 192, or 256-bit key. –algebraically designed s-boxes, input is divided into octets –10-14 rounds of: Byte substitution in every octet using s-box shifting (rotating) rows MixColumn – spread octets according specified MicColumn table XOR with a RoundKey –Decryption is by design similar to encryption