# Secret Key Cryptography


Algorithm Types
Stream ciphers: plaintext is encrypted one bit at a time. Disadvantage: time consuming.
Block ciphers: a block of bits is encrypted in one go. Disadvantage with repeating text: identical plaintext blocks produce identical ciphertext blocks.
RAIT Madhumita Chatterjee

Shannon concepts
Confusion: the ciphertext gives no clue about the original text. Achieved using substitution.
Diffusion: spreads the redundancy of the plaintext across rows and columns. Achieved using transposition or permutation.

Algorithm modes
ECB (Electronic Code Book), CBC (Cipher Block Chaining Mode), OFB (Output Feedback Mode), CFB (Cipher Feedback Mode); OFB and CFB operate as stream ciphers.

Electronic Code Book (ECB)
(Figure: M1, M2, M3, M4 (last block padded) each go through ENC independently, giving C1, C2, C3, C4.)

ECB Problem #1
(Figure: blocks M1, M2, M3, M4 of 64, 64, 64 and 46 bits, the last one padded; each goes through ENC to give C1, C2, C3, C4.)
(M1 == M3) => (C1 == C3): identical plaintext blocks produce identical ciphertext blocks.

ECB Problem #2
ECB lacks the basic protection against integrity attacks on the ciphertext at message level (i.e., across multiple cipher blocks). Without additional integrity protection, cipher block substitution and rearrangement attacks allow fabrication of specific information.

Cipher Block Chaining (CBC)
(Figure: the IV (Initialization Vector) is XORed into M1; each ciphertext block C(i-1) is XORed into M(i) before ENC, giving C1, C2, C3, C4; the last block is padded.)
(M1 == M3) very unlikely leads to (C1 == C3).

CBC Decryption
(Figure: C1, C2, C3, C4 go through DEC; each output is XORed with the previous ciphertext block (the IV for the first), giving M1, M2, M3, M4.)

CBC Vulnerabilities
Loss of sync on a block boundary garbles the rest of the stream.
A desired change can be created in decrypted block Pn by sacrificing block Pn-1: since Pn = Cn-1 XOR DK(Cn), a bit flipped in Cn-1 flips the same bit in Pn, at the cost of garbling Pn-1.
(Figure: Cn-1 and Cn through DEC, giving Pn-1 and Pn.)

Output Feedback Mode (OFB)
Like a random number generator...
(Figure: the IV is fed through ENC repeatedly; each ENC output is XORed with M1, M2, M3, M4 to give C1, C2, C3, C4.)

Allows pre-computing the pseudo-random stream (one-time pad style); XOR can be implemented very efficiently. No error propagation problem as in CBC. Allows in-time (on-the-fly) encrypt/decrypt due to bit-wise computation (versus fixed blocks).

General k-bit Cipher Feedback Mode (CFB)
(Figure: the IV goes through ENC; k bits of the output are XORed with M1 to give C1; C1 is fed back as input to the next ENC, and so on for M2/C2 and M3/C3, k bits at a time.)

CFB Properties
Advantage compared with CBC: with k=8, an error in one byte of ciphertext only affects 8 more bytes beyond it.
Disadvantage compared with OFB: the random stream can no longer be computed in advance.

Generating MICs
Only send the last block of CBC (the CBC residue) along with the plaintext. Any modification of the plaintext modifies the CBC residue, which ensures integrity.

CBC Plus Residue
(Figure: M1, M2, M3, M4 of 64, 64, 64 and 46 bits (padded), chained from the IV (Initialization Vector) through ENC, giving C1, C2, C3, C4; the last block is the residue.)
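As an added example (not from the slides), a toy 64-bit Feistel cipher stands in for the block cipher so that ECB Problem #1, CBC and the CBC residue MIC above can be run on a constructed message with M1 == M3. The round function and key schedule are assumptions of this example, not DES's; the message is assumed to be a multiple of 8 bytes, so no padding is shown.

```python
import hashlib
BLOCK = 8  # 64-bit blocks, as in the slides

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(half, subkey):
    # Toy f: 32 bits of SHA-256(half || subkey). Constructed here, not DES's mangler.
    return int.from_bytes(hashlib.sha256(half.to_bytes(4, "big") + subkey).digest()[:4], "big")

def feistel_block(block, key, decrypt=False):
    # 16-round Feistel network: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i).
    # Decryption is the same loop with the subkeys reversed (toy schedule K_i = key || i).
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    subkeys = [key + bytes([i]) for i in range(16)]
    for sk in (reversed(subkeys) if decrypt else subkeys):
        left, right = right, left ^ round_function(right, sk)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")  # undo the final swap

def ecb_encrypt(msg, key):
    # Each block on its own: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(feistel_block(msg[i:i + BLOCK], key) for i in range(0, len(msg), BLOCK))

def cbc_encrypt(msg, key, iv):
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = feistel_block(xor(msg[i:i + BLOCK], prev), key)  # C_i = E(M_i XOR C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(feistel_block(c, key, decrypt=True), prev))  # M_i = D(C_i) XOR C_{i-1}
        prev = c
    return b"".join(out)

def repeated_blocks(ct):
    # Number of ciphertext blocks that repeat an earlier one (ECB "Problem #1").
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

def cbc_residue(msg, key, iv):
    # "Generating MICs": the last CBC block; any change to msg changes it.
    return cbc_encrypt(msg, key, iv)[-BLOCK:]

# Constructed sample: four 8-byte blocks with M1 == M3 (no padding needed).
KEY, IV = b"example-key-16b!", bytes(BLOCK)
MSG = b"BLOCK_1!BLOCK_2!BLOCK_1!BLOCK_3!"
```

With this message `repeated_blocks(ecb_encrypt(MSG, KEY))` is 1 while the CBC ciphertext shows no repeat, and changing a single plaintext byte changes `cbc_residue`.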

Elementary Cryptography

Background & History
DES was developed by the US Govt. and intended for public use in 1976. Many hardware and software systems were designed with DES. Goals were: a high level of security; specified and easy to understand; publishable, available; adaptable to diverse applications; economic to implement in electronic devices; efficient to use and able to be validated.

Generic Block Encryption
Convert a block to another: one-to-one. Long enough to avoid known-plaintext attack; 64 bit typical, nice for RISC. Naïve: 2^64 input values, 64 bits each, total 2^70 bits to store the mapping. Output should look random: no correlation between plaintext and ciphertext, bit spreading.

Generic Block Encryption (Cont'd)
Substitution: 2^k values, k × 2^k bits to specify; done by S-boxes, adds confusion. Permutation: change the position of each bit, k × log2(k) bits to specify; done by P-boxes, adds diffusion. Round: combination of substitution chunks and permutation; do it often enough so that a bit change can affect every output bit. How many rounds? A few, but not fewer.

Block Cipher Scheme
(Figure: plaintext block of length N → Encrypt (secret key) → cipher block → Decrypt (secret key) → plaintext.)

Overview of the DES
A block cipher: encrypts blocks of 64 bits using a 64-bit key and outputs 64 bits of ciphertext. Key: a 64-bit quantity = 8 parity bits + 56-bit key; every 8th bit is a parity bit. A product cipher: the basic unit is the bit; it performs both substitution and transposition (permutation) on the bits.

The cipher consists of 16 rounds (iterations), each with a round key generated from the user-supplied key.

Key features
The sheer complexity of tracing a single bit through 16 iterations of substitutions and transpositions discourages analysis. 8 extra bits are used only for parity, so the key is 56 bits long. Substitution provides confusion and transposition provides diffusion. Uses only standard arithmetic and logical operations, is repetitive, and can be implemented on a single-purpose chip.

Cycles of Substitution and Permutation.

Features: Data Encryption Standard (DES)
Encodes plaintext in 64-bit chunks using a 64-bit key (56 bits + 8 bits parity). Uses a combination of diffusion and confusion to achieve security. Was cracked in 1997 by a parallel attack that exhaustively searched the key space. Decryption in DES: it's symmetric! Use KA again as input and then the same keys, except in reverse order.

Overview: DES
The 64-bit input is permuted. 16 stages of identical operation follow; they differ only in the 48-bit key extracted from the 56-bit key (a complex schedule). R2 = R1 encrypted with K1 and XOR'd with L1; L2 = R1; and so on. A final inverse permutation stage.

Pictorial Representation For DES

A more detailed picture

DEScription: One Round
The 64 bits are divided into left and right halves. The right half goes through function f, mixed with the key. The result is added (XOR) to the left half. The halves are swapped (except in the last round). (Figure: Li-1, Ri-1 → Li, Ri.)

DEScription: InsiDES
Ri-1: expand the right side from 32 to 48 bits (some bits get reused). Add (XOR) 48 bits of key Ki (chosen by the schedule). S-boxes: each set of 6 bits is reduced to 4. A P-box permutes the 32 bits. (Figure: Expansion → Ki → eight S-boxes → P-box → output.)

DES Top View
(Figure: 64-bit input → Initial Permutation → Round 1 (48-bit K1) → Round 2 (48-bit K2) → … → Round 16 (48-bit K16) → swap 32-bit halves → Final Permutation → 64-bit output; the 48-bit keys K1…K16 are generated from the 56-bit key.)

Bit Permutation (1-to-1)
(Figure: each input bit maps to exactly one output bit position.)

Bits Expansion (1-to-m)
(Figure: some input bits are copied to more than one output bit position.)

Initial and Final Permutations
Initial permutation (IP): view the input as M, an 8(-byte) by 8(-bit) matrix, and transform M into M1 in two steps. First, transpose row x into column (9-x), 0<x<9. Second, apply a permutation on the rows: an even column y becomes row y/2, an odd column y becomes row 5+⌊y/2⌋. Final permutation FP = IP^-1.

Per-Round Key Generation
An initial permutation (with discard) of the DES key gives Ci-1 (28 bits) and Di-1 (28 bits). One round: circular left shift of each half (rounds 1, 2, 9, 16: single shift; others: two bits) gives Ci and Di (28 bits each); a permutation with discard then yields the 48-bit Ki.

A DES Round (One Round Encryption)
(Figure: Ln (32 bits), Rn (32 bits); Rn → E (48 bits) → XOR 48-bit Ki → S-boxes → P (32 bits) is the mangler function; its output is XORed with Ln to give Rn+1 (32 bits), and Ln+1 = Rn (32 bits).)

A Full Picture Of DES


A Cycle in the DES.

Types of Permutations.

Details of a Cycle.

Pattern of Expansion Permutation.

Mangler Function
(Figure: 4-bit groups expanded to 6-bit groups, XORed (+) with the key, fed through S1…S8, then the permutation.)

S-Box (Substitute and Shrink)
48 bits ==> 32 bits (8*6 ==> 8*4). Each S_i, i = 1,…,8, takes inputs I1…I6 and gives outputs O1…O4. 2 bits (the outer bits I1 and I6) select the row, i.e. one of 4 substitutions for the rest; the remaining 4 bits select the column, giving the 4-bit quantity.

S1: one of the S-boxes
Each row and column contain different numbers. (Table: S1, rows 0–3, columns 0–15.) Example: input: 100110, output: ???. Example: input: …, output: ???.
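Added example (not from the slides): the S-box lookup rule just described, applied to the published S1 table, which answers the slide's 100110 example and checks the "each row contains different numbers" property; it also checks the non-linearity that the later linear cryptanalysis slide relies on. The `substitute_48_to_32` helper assumes a list of eight tables and, since only S1 is reproduced here, the sample call reuses S1 in all eight positions.

```python
# DES S-box S1, the published table (4 rows x 16 columns, entries 0..15).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(sbox, bits):
    """Map a 6-bit string I1..I6 to a 4-bit string O1..O4.

    Row = outer bits I1 I6 (2 bits), column = inner bits I2..I5 (4 bits).
    """
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("S-box input must be 6 bits")
    row = int(bits[0] + bits[5], 2)
    col = int(bits[1:5], 2)
    return format(sbox[row][col], "04b")

def substitute_48_to_32(bits48, sboxes):
    # The full "substitute and shrink" step: 8 x 6 bits in, 8 x 4 bits out.
    # `sboxes` is assumed to hold eight tables (S1..S8 in real DES).
    return "".join(sbox_lookup(sboxes[i], bits48[6 * i:6 * i + 6]) for i in range(8))

def rows_are_permutations(sbox):
    # "Each row contains different numbers": every row is a permutation of 0..15.
    return all(sorted(row) == list(range(16)) for row in sbox)

def is_linear(sbox):
    # A linear S-box would satisfy S(a XOR b) == S(a) XOR S(b) for all inputs;
    # DES S-boxes do not, which is why linear cryptanalysis can only approximate them.
    lut = [int(sbox_lookup(sbox, format(x, "06b")), 2) for x in range(64)]
    return all(lut[a ^ b] == lut[a] ^ lut[b] for a in range(64) for b in range(64))
```

For the slide's example, `sbox_lookup(S1, "100110")` selects row 2 (bits 1,0) and column 3 (bits 0011), giving 8, i.e. `1000`.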

8 S-Boxes
The logic behind the selection of the S-boxes remains an unpublished secret. Is it a good idea technically to publish it?

Decryption
Apply the same operations with the keys in reverse order (K16, K15, …, K1). Input: Rn+1|Ln+1 (due to the "swap" operation); output: Rn|Ln. The swap operation at the end produces the correct result: L|R.

DESign Principles: Inverses
Equations for round i: … In other words: … So decryption is the same as encryption. Last round, no swap: really is the same. (Figure: Li-1, Ri-1 → Li, Ri.)

DES's Problem
Considered too weak; design decisions not public. Diffie and Hellman's prediction: "in a few years technology would allow DES to be broken in days". A design using 1999 technology was published. Design decisions not public: S-boxes may have backdoors.

MoDES of Operation
ECB, Electronic CodeBook mode: encrypt each 64-bit block independently; an attacker could build a codebook. CBC, Cipher Block Chaining mode: encryption Ci = EK(Pi ⊕ Ci-1), decryption Pi = Ci-1 ⊕ DK(Ci). CFB, OFB (Cipher FeedBack, Output FeedBack): allow byte-wise encryption.

PeDEStrian attacks
Obvious attack: guess the key; 2^56 keys. Complementation property: 2^55 keys. At 1 million per second: years. Store EK(P1) for all K: 512 petabytes. Time/memory tradeoff (Hellman, 1980): 1 terabyte, 5 days.

DEStroying Security
Differential cryptanalysis (1990): say you know plaintext, ciphertext pairs. Difference dP = P1 ⊕ P2, dC = C1 ⊕ C2. The distribution of dC's given dP may reveal the key. Need lots of pairs to get lots of good dP's. Look at pairs and build up the key in pieces: could find some bits, brute-force the rest.

DEServing of Praise
Against 8-round DES, the attack requires 2^14 = 16,384 chosen plaintexts, or 2^38 known plaintext-ciphertext pairs. Against 16-round DES, the attack requires 2^47 chosen plaintexts, or roughly … known plaintext-ciphertext pairs. Differential cryptanalysis is not effective.

DESperate measures
Linear cryptanalysis: look at the algorithm structure and find places where, if you XOR plaintext and ciphertext bits together, you get key bits. S-boxes are not linear, but can be approximated. Needs 2^43 known pairs; the best known attack.

DES was apparently not optimized against this. Still, not an easy-to-mount attack.

DESuetude
"Weakest link" is the size of the key. Attacks take advantage of encryption speed. 1993: Wiener: $1M machine, 3.5 hours. 1998: EFF's Deep Crack: $250,000, 92 billion keys per second, 4 days on average. 1999: distributed.net: 23 hours. OK for some things (e.g., short time horizon). DES sliDES into wiDESpread DESuetude.

Triple-DES
Run DES three times (ECB mode). If K2 = K3, this is DES: backwards compatibility. Known not to be just DES with some K4 (1992). Has 112 bits of security, not 168.

What's wrong with Double-DES?
Why? What's the attack?

DESpair
Double-DES: Ci = EB(EA(Pi)). Given P1, C1: note that DB(C1) = EA(P1). Make a list of every EK(P1). Try each L: if DL(C1) = EK(P1), then maybe K = A, L = B. (2^48 L's might work.)

Test with P2, C2: if it checks, it was probably right. Time roughly …; memory very large.
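Added example, not from the slides: the meet-in-the-middle search described above run against a constructed 16-bit toy cipher with 12-bit keys, which makes concrete why double encryption buys about one extra bit of work (2 × 2^12 cipher calls plus a table, not 2^24) and why Triple-DES with 112 bits of security is used instead. The cipher, keys and plaintexts are all constructions for this demonstration.

```python
# Toy 16-bit cipher with 12-bit keys, constructed for this example (not DES):
# three rounds of key-XOR, key-add and rotate, chosen only to be cheap and invertible.
MASK, KEY_BITS, ROUNDS = 0xFFFF, 12, 3

def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def toy_enc(p, k):
    for r in range(ROUNDS):
        p = rotl(((p ^ k) + k + r) & MASK, 5)
    return p

def toy_dec(c, k):
    for r in reversed(range(ROUNDS)):
        c = ((rotl(c, 11) - k - r) & MASK) ^ k   # rotl by 11 == rotr by 5
    return c

def double_enc(p, ka, kb):
    # Double encryption as on the slide: C = E_B(E_A(P)).
    return toy_enc(toy_enc(p, ka), kb)

def meet_in_the_middle(pairs):
    """Recover candidate (A, B) from known (P, C) pairs.

    Cost is about 2 * 2^KEY_BITS cipher calls plus a table of 2^KEY_BITS entries,
    instead of the 2^(2*KEY_BITS) a naive search over both keys would need.
    """
    (p1, c1), rest = pairs[0], pairs[1:]
    table = {}                      # every E_K(P1), indexed by the middle value
    for k in range(1 << KEY_BITS):
        table.setdefault(toy_enc(p1, k), []).append(k)
    found = []
    for l in range(1 << KEY_BITS):  # D_L(C1) must equal some E_K(P1)
        for k in table.get(toy_dec(c1, l), []):
            if all(double_enc(p, k, l) == c for p, c in rest):  # confirm with P2, C2, ...
                found.append((k, l))
    return found

def demo():
    # Constructed secret keys and three known plaintext/ciphertext pairs.
    a, b = 0x3A7, 0xC41
    pairs = [(p, double_enc(p, a, b)) for p in (0x1234, 0xBEEF, 0x0042)]
    return meet_in_the_middle(pairs)
```

`demo()` returns the true key pair among its candidates after only two passes over the 4096-key space; the memory side of the tradeoff is the `table` holding one entry per key.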

DES's Undesirable Properties
4 weak keys (they are their own inverses). 12 semi-weak keys (each has another semi-weak key as inverse). Complementation property: DESk(m) = c ⇒ DESk'(m') = c'. S-boxes exhibit irregular properties: the distribution of odd and even numbers is non-random; the outputs of the fourth box depend on the input to the third box.