Download presentation
Presentation is loading. Please wait.
1
Secret Key Cryptography
RAIT Madhumita Chatterjee
2
Algorithm Types Stream Ciphers Block Ciphers
Plaintext encrypted one bit at a time Disadvantage…time consuming. Block Ciphers A block of bits encrypted at one go. Disadvantage for repeating text….. RAIT Madhumita Chatterjee
3
Shannon concepts Confusion Diffusion
Ciphertext gives no clue about original text. Achieved using substitution. Diffusion Increases redundancy of plaintext by spreading across rows and columns. Achieved using transposition or permutation. RAIT Madhumita Chatterjee
4
Algorithm modes ECB (Electronic Code Book)
CBC (Cipher Block Chaining Mode) OFB (Output Feedback Mode) CFB (Cipher Feedback Mode) Stream Cipher RAIT Madhumita Chatterjee
5
Electronic Code Book (ECB)
M1 M2 M3 M4 pad ENC ENC ENC ENC C1 C2 C3 C4 RAIT Madhumita Chatterjee
6
ECB Problem #1 (M1 == M3) => (C1 ==C3) M1 M2 M3 M4 64 64 64 46 pad
pad ENC ENC ENC ENC C1 C2 C3 C4 (M1 == M3) => (C1 ==C3) RAIT Madhumita Chatterjee
7
ECB Problem #2 Lack the basic protection against integrity attacks on the ciphertext at message level (i.e., multiple cipher blocks) Without additional integrity protection cipher block substitution and rearrangement attacks fabrication of specific information RAIT Madhumita Chatterjee
8
Cipher Block Chaining (CBC)
M1 M2 M3 M4 pad IV Initialization Vector ENC ENC ENC ENC C1 C2 C3 C4 (M1 == M3) very unlikely leads to (C1 == C3) RAIT Madhumita Chatterjee
9
CBC Decryption M1 M2 M3 M4 IV DEC DEC DEC DEC C1 C2 C3 C4 RAIT
Madhumita Chatterjee
10
CBC Vulnerabilities Loss sync of block boundary garbles the rest of the stream Create desired change in decrypted block Pn by sacrificing block P n-1 RAIT Madhumita Chatterjee
11
CBC….. DEC P n-1 C n-1 Pn Cn RAIT Madhumita Chatterjee
12
Output Feedback Mode (OFB)
Like a Random Number Generator... IV ENC ENC ENC ENC M1 M2 M3 M4 C1 C2 C3 C4 RAIT Madhumita Chatterjee
13
OFB Properties Advantages
Allow pre-computing of pseudo-random stream (One-Time Pad); XOR can be implemented very efficiently No error propagation problem as in CBC Allow in-time encrypt/decrypt due to bit-wise computation (versus the fixed blocks) RAIT Madhumita Chatterjee
14
General k-bit Cipher Feedback Mode (CFB)
ENC C1 C2 C3 M1 M2 M3 IV k k k K bits K bits K bits RAIT Madhumita Chatterjee
15
CFB Properties Advantage compared with CBC.
With k=8, errors on one byte of ciphertext only affect 8 more bytes beyond. Disadvantage compared with OFB. Random stream can no longer be computed in advance. RAIT Madhumita Chatterjee
16
Generating MICs Only send last block of CBC (CBS residue)
Send plaintext Any modification in plaintext modifies CBC residue Insures integrity RAIT Madhumita Chatterjee
17
CBC Plus Residue M1 M2 M3 M4 pad 64 64 64 46 IV Initialization Vector
IV Initialization Vector ENC ENC ENC ENC C1 C2 C C residue RAIT Madhumita Chatterjee
18
Elementary Cryptography
DES Algorithm RAIT Madhumita Chatterjee
19
Background & History System developed by the US Govt. intended for public use in 1976 Many hardware and software systems designed with DES Goals were High level of security Specified and easy to understand Publishable, available Adaptable to diverse applications Economic to implement in elctronic devices Efficient to use and able to be validated RAIT Madhumita Chatterjee
20
Generic Block Encryption
Convert block to another: one-to-one Long enough to avoid known-plaintext attack 64 bit typical, nice for RISC Naïve: 264 input values, 64 bits each, total 270 bits to store the mapping Output should look random No correlation between plaintext and ciphertext Bit spreading RAIT Madhumita Chatterjee
21
Generic Block Encryption (Cont’d)
Substitution: 2k values: k 2k bits done by S-Boxes, adds confusion Permutation: change position for each bit: klog2k bits done by P-Boxes adds diffusion Round: combination of substitution chunks and permutation do often enough so that a bit change can affect every output bit How many rounds? A few but not fewer RAIT Madhumita Chatterjee
22
Block Cipher Scheme Encrypt Plaintext block of length N Cipher block
Secret key Decrypt RAIT Madhumita Chatterjee
23
Overview of the DES A block cipher:
encrypts blocks of 64 bits using a 64-bit key Key: 64 bit quantity=8-bit parity+56-bit key. Every 8th bit is a parity bit. outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the bits RAIT Madhumita Chatterjee
24
Cipher consists of 16 rounds (iterations) each with a round key generated from the user-supplied key
RAIT Madhumita Chatterjee
25
Key features Sheer complexity of tracing a single bit through 16 iterations of substitutions and transpositions discourages analysis 8 extra bits are used only for parity so key is 56 bits long Substitution provides confusion and transposition provides diffusion Uses only std. arithmetic and logical operations, and is repetitive an can be implemented on a single purpose chip. RAIT Madhumita Chatterjee
26
Cycles of Substitution and Permutation.
RAIT Madhumita Chatterjee
27
Features : DES Data Encryption Standard (DES)
Encodes plaintext in 64-bit chunks using a 64-bit key (56 bits + 8 bits parity) Uses a combination of diffusion and confusion to achieve security Was cracked in 1997 Parallel attack – exhaustively search key space Decryption in DES – it’s symmetric! Use KA again as input and then the same keys except in reverse order RAIT Madhumita Chatterjee
28
Overview: DES DES 64-bit input is permuted
16 stages of identical operation differ in the 48-bit key extracted from 56-bit key - complex R2= R1 is encrypted with K1 and XOR’d with L1 L2=R1, … Final inverse permutation stage RAIT Madhumita Chatterjee
29
Pictorial Representation For DES
RAIT Madhumita Chatterjee
30
A more detailed picture
RAIT Madhumita Chatterjee
31
DEScription: One Round
64 bits divided into left, right halves Right half goes through function f, mixed with key Right half added to left half Halves swapped (except in last round) Li-1 Ri-1 Li Ri RAIT Madhumita Chatterjee
32
DEScription: InsiDES Ri-1 Expand right side from 32 to 48 bits (some get reused) Add 48 bits of key (chosen by schedule) S-boxes: each set of 6 bits reduced to 4 P-box permutes 32 bits Expansion Ki Eight S-boxes P-box Output RAIT Madhumita Chatterjee
33
DES Top View …... 56-bit Key 64-bit Input 48-bit K1 Generate keys
Permutation Initial Permutation 48-bit K1 Round 1 48-bit K2 Round 2 …... 48-bit K16 Round 16 Swap Swap 32-bit halves Permutation Final Permutation 64-bit Output RAIT Madhumita Chatterjee
34
Bit Permutation (1-to-1)
……. Input: 1 bit Output …….. RAIT Madhumita Chatterjee
35
Bits Expansion (1-to-m)
Input: ……. …….. Output RAIT Madhumita Chatterjee
36
Initial and Final Permutations
Initial permutation (IP) View the input as M: 8(-byte) by 8(-bit) matrix Transform M into M1 in two steps Transpose row x into column (9-x), 0<x<9 Apply permutation on the rows: For even column y, it becomes row y/2 For odd column y, it becomes row (5+y/2) Final permutation FP = IP-1 RAIT Madhumita Chatterjee
37
Per-Round Key Generation
Initial Permutation of DES key C i-1 28 bits D i-1 28 bits Circular Left Shift Circular Left Shift One round Permutation with Discard Round 1,2,9,16: single shift Others: two bits 48 bits Ki C i D i 28 bits 28 bits RAIT Madhumita Chatterjee
38
A DES Round One Round Encryption 32 bits Ln 32 bits Rn E 48 bits
Mangler Function 48 bits Ki S-Boxes P 32 bits 32 bits Ln+1 32 bits Rn+1 RAIT Madhumita Chatterjee
39
A Full Picture Of DES RAIT Madhumita Chatterjee
40
Cycles of Substitution and Permutation.
RAIT Madhumita Chatterjee
41
A Cycle in the DES. RAIT Madhumita Chatterjee
42
Types of Permutations. RAIT Madhumita Chatterjee
43
Details of a Cycle. RAIT Madhumita Chatterjee
44
Pattern of Expansion Permutation.
RAIT Madhumita Chatterjee
45
Mangler Function 4 6 + S8 S1 S2 S7 S3 S4 S5 S6 Permutation
The permutation produces “spread” among the chunks/S-boxes! RAIT Madhumita Chatterjee
46
S-Box (Substitute and Shrink)
48 bits ==> 32 bits. (8*6 ==> 8*4) 2 bits used to select amongst 4 substitutions for the rest of the 4-bit quantity 2 bits row S i = 1,…8. I1 I2 I3 I4 I5 I6 O1 O2 O3 O4 4 bits column RAIT Madhumita Chatterjee
47
S1: one of the S-boxes Example: input: 100110 output: ???
Each row and column contain different numbers. …. 15 Example: input: output: ??? RAIT Madhumita Chatterjee
48
8 S-Boxes Logic behind the selection of the S-Boxes remains unpublished secret Is it a good idea technically to publish it? RAIT Madhumita Chatterjee
49
Decryption Apply the same operations (keys in reverse order: K16, K15, …, K1): Input: Rn+1|Ln+1 Due to the “swap” operation Output: Rn|Ln The swap operation at the end will produce the correct result: L|R RAIT Madhumita Chatterjee
50
DESign Principles: Inverses
Equations for round i: In other words: So decryption is the same as encryption Last round, no swap: really is the same Li-1 Ri-1 Li Ri RAIT Madhumita Chatterjee
51
DES’s Problem Considered too weak Design decisions not public
Diffie, Hellman prediction: “in a few years technology would allow DES to be broken in days” Design using 1999 technology published Design decisions not public S-boxes may have backdoors RAIT Madhumita Chatterjee
52
MoDES of Operation ECB: Electronic CodeBook mode:
Encrypt each 64-bit block independently Attacker could build codebook CBC: Cipher Block Chaining mode: Encryption: Ci = EK(Pi Ci-1) Decryption: Pi = Ci-1 DK(Ci) CFB, OFB: allow byte-wise encryption Cipher FeedBack, Output FeedBack RAIT Madhumita Chatterjee
53
PeDEStrian attacks Obvious attack: guess the key. 256 keys
Complementation Property: 255 keys 1 million per second: years Store EK(P1) for all K: 512 petabytes Time/Memory Tradeoff (Hellman, 1980): 1 terabyte 5 days RAIT Madhumita Chatterjee
54
DEStroying Security Differential Cryptanalysis (1990):
Say you know plaintext, ciphertext pairs Difference dP = P1 P2, dC = C1 C2 Distribution of dC’s given dP may reveal key Need lots of pairs to get lots of good dP’s Look at pairs, build up key in pieces Could find some bits, brute-force for rest RAIT Madhumita Chatterjee
55
DEServing of Praise Against 8-round DES, attack requires:
214 = 16,384 chosen plaintexts, or 238 known plaintext-ciphertext pairs Against 16-round DES, attack requires: 247 chosen plaintexts, or Roughly known plaintext-ciphertext pairs Differential cryptanalysis not effective RAIT Madhumita Chatterjee
56
DESperate measures Linear cryptanalysis:
Look at algorithm structure: find places where, if you XOR plaintext and ciphertext bits together, you get key bits S-boxes not linear, but can approximate Need 243 known pairs; best known attack RAIT Madhumita Chatterjee
57
DES apparently not optimized against this
Still, not an easy-to-mount attack RAIT Madhumita Chatterjee
58
DESuetude “Weakest link” is size of key
Attacks take advantage of encryption speed 1993: Weiner: $1M machine, 3.5 hours 1998: EFF’s Deep Crack: $250,000 92 billion keys per second; 4 days on average 1999: distributed.net: 23 hours OK for some things (e.g., short time horizon) DES sliDES into wiDESpread DESuetude RAIT Madhumita Chatterjee
59
Triple-DES Run DES three times: If K2 = K3, this is DES
ECB mode: If K2 = K3, this is DES Backwards compatibility Known not to be just DES with K4 (1992) Has 112 bits of security, not = 168 RAIT Madhumita Chatterjee
60
What’s wrong with Double-DES?
Why? What’s the attack? What’s wrong with Double-DES? RAIT Madhumita Chatterjee
61
DESpair Double-DES: Ci = EB(EA(Pi))
Given P1, C1: Note that DB(C1) = EA(P1) Make a list of every EK(P1). Try each L: if DL(C1) = EK(P1), then maybe K = A, L = B. (248 L’s might work.) RAIT Madhumita Chatterjee
62
Test with P2, C2: if it checks, it was probably right.
Time roughly Memory very large. RAIT Madhumita Chatterjee
63
DES’s Undesirable Properties
4 weak keys (They are their own inverses) 12 semi-weak keys (Each has another semi-weak key as inverse) Complementation property DESk(m) = c DESk´(m´) = c´ S-boxes exhibit irregular properties Distribution of odd, even numbers non-random Outputs of fourth box depends on input to third box RAIT Madhumita Chatterjee
Similar presentations
