
1
**Secret Key Cryptography**

RAIT Madhumita Chatterjee

2
**Algorithm Types**

- Stream Ciphers
  - Plaintext encrypted one bit at a time
  - Disadvantage: time consuming.
- Block Ciphers
  - A block of bits encrypted at one go.
  - Disadvantage for repeating text…

3
**Shannon concepts**

- Confusion
  - Ciphertext gives no clue about original text.
  - Achieved using substitution.
- Diffusion
  - Increases redundancy of plaintext by spreading across rows and columns.
  - Achieved using transposition or permutation.

4
**Algorithm modes**

- ECB (Electronic Code Book)
- CBC (Cipher Block Chaining Mode)
- OFB (Output Feedback Mode)
- CFB (Cipher Feedback Mode)
- Stream Cipher

5
**Electronic Code Book (ECB)**

[Figure: ECB encryption. M1 to M4 (last block padded) each pass through ENC on their own, producing C1 to C4.]

6
**ECB Problem #1**

[Figure: ECB encryption of M1, M2, M3 (64 bits each) and M4 (46 bits plus pad) into C1 to C4.]

(M1 == M3) => (C1 == C3)

7
**ECB Problem #2**

- Lacks the basic protection against integrity attacks on the ciphertext at message level (i.e., multiple cipher blocks)
- Without additional integrity protection:
  - cipher block substitution and rearrangement attacks
  - fabrication of specific information

8
**Cipher Block Chaining (CBC)**

[Figure: CBC encryption of M1 to M4 (last block padded) with an Initialization Vector (IV), producing C1 to C4.]

(M1 == M3) very unlikely leads to (C1 == C3)

9
**CBC Decryption**

[Figure: CBC decryption of C1 to C4 through DEC, using the IV, recovering M1 to M4.]

10
**CBC Vulnerabilities**

- Loss of sync of block boundary garbles the rest of the stream
- Create desired change in decrypted block Pn by sacrificing block Pn-1

11
**CBC…**

[Figure: CBC decryption of ciphertext blocks Cn-1 and Cn through DEC into plaintext blocks Pn-1 and Pn.]
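The ECB and CBC behaviour from the slides above, as an added example that is not part of the original presentation: equal plaintext blocks give equal ECB blocks but not equal CBC blocks, and editing Cn-1 changes Pn in a chosen way while garbling Pn-1, which is why CBC needs separate integrity protection. `E`/`D` are a toy 64-bit keyed permutation standing in for ENC/DEC (an assumption: not DES, not secure); the key, IV, message and helper names are constructed for the demo.

```python
BLOCK, MASK = 8, (1 << 64) - 1       # 64-bit blocks, as on the slides
MUL = 0x9E3779B97F4A7C15             # odd constant, so invertible modulo 2**64
MUL_INV = pow(MUL, -1, 1 << 64)

def E(k, b):
    """Toy keyed permutation standing in for ENC (assumption: NOT DES, NOT secure)."""
    x = int.from_bytes(b, "big")
    return ((((x ^ k) * MUL) & MASK) ^ k).to_bytes(BLOCK, "big")

def D(k, b):
    """Inverse of E, standing in for DEC."""
    y = int.from_bytes(b, "big")
    return ((((y ^ k) * MUL_INV) & MASK) ^ k).to_bytes(BLOCK, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(k, msg):
    return [E(k, m) for m in blocks(msg)]            # every block on its own

def cbc_encrypt(k, iv, msg):
    out = [iv]
    for m in blocks(msg):
        out.append(E(k, xor(m, out[-1])))            # Ci = E(Mi xor Ci-1)
    return out[1:]

def cbc_decrypt(k, iv, ct):
    prev = [iv] + ct[:-1]
    return [xor(D(k, c), p) for c, p in zip(ct, prev)]   # Pi = Ci-1 xor D(Ci)

def flip(ct, n, old, new):
    """Turn plaintext block n (0-based, n >= 1) from old into new by editing block n-1."""
    forged = list(ct)
    forged[n - 1] = xor(ct[n - 1], xor(old, new))
    return forged

# Constructed sample message: four 8-byte blocks with M1 == M3 (no padding needed).
MSG = b"TO:ALICE" b"AMT:0100" b"TO:ALICE" b"AMT:0100"

if __name__ == "__main__":
    key, iv = 0x0123456789ABCDEF, bytes(range(8))    # constructed key and IV
    ecb, cbc = ecb_encrypt(key, MSG), cbc_encrypt(key, iv, MSG)
    print("ECB C1 == C3:", ecb[0] == ecb[2], "| CBC C1 == C3:", cbc[0] == cbc[2])
    tampered = cbc_decrypt(key, iv, flip(cbc, 3, b"AMT:0100", b"AMT:9100"))
    print("decrypted after tampering:", tampered)    # P3 garbled, P4 altered
```

The receiver decrypts the tampered ciphertext without any error, so the change is only caught if a separate integrity check covers the message.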

12
**Output Feedback Mode (OFB)**

Like a Random Number Generator...

[Figure: OFB mode. Starting from the IV, a chain of ENC operations produces a stream that is combined with M1 to M4 to give C1 to C4.]

13
**OFB Properties**

Advantages

- Allows pre-computing of pseudo-random stream (One-Time Pad); XOR can be implemented very efficiently
- No error propagation problem as in CBC
- Allows in-time encrypt/decrypt due to bit-wise computation (versus the fixed blocks)

14
**General k-bit Cipher Feedback Mode (CFB)**

[Figure: k-bit CFB mode with the IV, ENC, and k-bit units M1 to M3 and C1 to C3.]

15
**CFB Properties**

- Advantage compared with CBC: with k=8, errors on one byte of ciphertext only affect 8 more bytes beyond.
- Disadvantage compared with OFB: random stream can no longer be computed in advance.

16
**Generating MICs**

- Only send last block of CBC (CBC residue)
- Send plaintext
- Any modification in plaintext modifies CBC residue
- Ensures integrity

17
**CBC Plus Residue**

[Figure: CBC encryption of M1, M2, M3 (64 bits each) and M4 (46 bits plus pad) with an Initialization Vector (IV); the last ciphertext block is the CBC residue.]

18
**Elementary Cryptography**

DES Algorithm

19
**Background & History**

- System developed by the US Govt., intended for public use, in 1976
- Many hardware and software systems designed with DES
- Goals were:
  - High level of security
  - Specified and easy to understand
  - Publishable, available
  - Adaptable to diverse applications
  - Economic to implement in electronic devices
  - Efficient to use and able to be validated

20
**Generic Block Encryption**

- Convert block to another: one-to-one
- Long enough to avoid known-plaintext attack
  - 64 bit typical, nice for RISC
- Naïve: $2^{64}$ input values, 64 bits each, total $2^{70}$ bits to store the mapping
- Output should look random
  - No correlation between plaintext and ciphertext
  - Bit spreading

21
**Generic Block Encryption (Cont’d)**

- Substitution: $2^k$ values: $k \cdot 2^k$ bits
  - done by S-Boxes, adds confusion
- Permutation: change position for each bit: $k \log_2 k$ bits
  - done by P-Boxes, adds diffusion
- Round: combination of substitution chunks and permutation
  - do often enough so that a bit change can affect every output bit
- How many rounds? A few but not fewer

22
**Block Cipher Scheme**

[Figure: Encrypt turns a plaintext block of length N into a cipher block under a secret key; Decrypt reverses it.]

23
**Overview of the DES**

- A block cipher:
  - encrypts blocks of 64 bits using a 64-bit key
  - Key: 64-bit quantity = 8-bit parity + 56-bit key. Every 8th bit is a parity bit.
  - outputs 64 bits of ciphertext
- A product cipher
  - basic unit is the bit
  - performs both substitution and transposition (permutation) on the bits

24
**Cipher consists of 16 rounds (iterations) each with a round key generated from the user-supplied key**


25
**Key features**

- Sheer complexity of tracing a single bit through 16 iterations of substitutions and transpositions discourages analysis
- 8 extra bits are used only for parity, so key is 56 bits long
- Substitution provides confusion and transposition provides diffusion
- Uses only std. arithmetic and logical operations, is repetitive, and can be implemented on a single-purpose chip.

26
**Cycles of Substitution and Permutation.**

27
**Features: DES**

- Data Encryption Standard (DES)
  - Encodes plaintext in 64-bit chunks using a 64-bit key (56 bits + 8 bits parity)
  - Uses a combination of diffusion and confusion to achieve security
  - Was cracked in 1997
    - Parallel attack: exhaustively search key space
- Decryption in DES: it’s symmetric!
  - Use KA again as input and then the same keys except in reverse order

28
**Overview: DES**

- DES
  - 64-bit input is permuted
  - 16 stages of identical operation
    - differ in the 48-bit key extracted from 56-bit key - complex
    - R2 = R1 is encrypted with K1 and XOR’d with L1
    - L2 = R1, …
  - Final inverse permutation stage

29
**Pictorial Representation For DES**


30
**A more detailed picture**


31
**DEScription: One Round**

- 64 bits divided into left, right halves
- Right half goes through function f, mixed with key
- Right half added to left half
- Halves swapped (except in last round)

[Figure: one round mapping Li-1, Ri-1 to Li, Ri.]

32
**DEScription: InsiDES**

- Expand right side from 32 to 48 bits (some get reused)
- Add 48 bits of key (chosen by schedule)
- S-boxes: each set of 6 bits reduced to 4
- P-box permutes 32 bits

[Figure: Ri-1, Expansion, Ki, Eight S-boxes, P-box, Output.]

33
**DES Top View**

[Figure: the 56-bit key feeds "Generate keys", which produces the 48-bit round keys K1 to K16. The 64-bit input passes through the Initial Permutation, Round 1 (K1), Round 2 (K2), …, Round 16 (K16), a swap of the 32-bit halves, and the Final Permutation, giving the 64-bit output.]

34
**Bit Permutation (1-to-1)**

[Figure: input bits mapped to output bits, 1-to-1.]

35
**Bits Expansion (1-to-m)**

[Figure: input bits mapped to output bits, 1-to-m.]

36
**Initial and Final Permutations**

- Initial permutation (IP)
  - View the input as M: 8(-byte) by 8(-bit) matrix
  - Transform M into M1 in two steps
    - Transpose row x into column (9-x), 0<x<9
    - Apply permutation on the rows:
      - For even column y, it becomes row y/2
      - For odd column y, it becomes row (5+y/2)
- Final permutation FP = $IP^{-1}$

37
**Per-Round Key Generation**

[Figure: after the initial permutation of the DES key, one round takes C i-1 and D i-1 (28 bits each), applies a circular left shift to each to give C i and D i (28 bits each), and a permutation with discard yields the 48-bit Ki.]

- Round 1, 2, 9, 16: single shift
- Others: two bits

38
**A DES Round**

[Figure: one round of encryption. Ln and Rn are 32 bits each. In the mangler function, E expands Rn to 48 bits, the 48-bit Ki is mixed in, and the S-Boxes and P bring the result back to 32 bits, giving the 32-bit Ln+1 and Rn+1.]

39
**A Full Picture Of DES**

40
**Cycles of Substitution and Permutation.**

41
**A Cycle in the DES.**

42
**Types of Permutations.**

43
**Details of a Cycle.**

44
**Pattern of Expansion Permutation.**

45
**Mangler Function**

[Figure: eight S-boxes, S1 to S8, each taking 6 bits in and giving 4 bits out, followed by a permutation.]

The permutation produces “spread” among the chunks/S-boxes!

46
**S-Box (Substitute and Shrink)**

- 48 bits ==> 32 bits. (8*6 ==> 8*4)
- 2 bits used to select amongst 4 substitutions for the rest of the 4-bit quantity

[Figure: S-box Si, i = 1,…8, with inputs I1 to I6 and outputs O1 to O4; 2 bits select the row and 4 bits select the column.]

47
**S1: one of the S-boxes**

[Table: the S1 substitution table, with entries up to 15.]

Each row and column contain different numbers.

Example: input: 100110 output: ???

48
**8 S-Boxes**

- Logic behind the selection of the S-Boxes remains unpublished secret
- Is it a good idea technically to publish it?

49
**Decryption**

- Apply the same operations (keys in reverse order: K16, K15, …, K1):
  - Input: Rn+1|Ln+1, due to the “swap” operation
  - Output: Rn|Ln
- The swap operation at the end will produce the correct result: L|R

50
**DESign Principles: Inverses**

- Equations for round i:
- In other words:
- So decryption is the same as encryption
- Last round, no swap: really is the same

[Figure: one round mapping Li-1, Ri-1 to Li, Ri.]

51
**DES’s Problem**

- Considered too weak
  - Diffie, Hellman prediction: “in a few years technology would allow DES to be broken in days”
  - Design using 1999 technology published
- Design decisions not public
  - S-boxes may have backdoors

52
**MoDES of Operation**

- ECB: Electronic CodeBook mode:
  - Encrypt each 64-bit block independently
  - Attacker could build codebook
- CBC: Cipher Block Chaining mode:
  - Encryption: $C_i = E_K(P_i \oplus C_{i-1})$
  - Decryption: $P_i = C_{i-1} \oplus D_K(C_i)$
- CFB, OFB: allow byte-wise encryption
  - Cipher FeedBack, Output FeedBack

53
**PeDEStrian attacks**

- Obvious attack: guess the key. $2^{56}$ keys
  - Complementation Property: $2^{55}$ keys
  - 1 million per second: years
- Store $E_K(P_1)$ for all K: 512 petabytes
- Time/Memory Tradeoff (Hellman, 1980): 1 terabyte, 5 days

54
**DEStroying Security**

- Differential Cryptanalysis (1990):
  - Say you know plaintext, ciphertext pairs
  - Difference $dP = P_1 \oplus P_2$, $dC = C_1 \oplus C_2$
  - Distribution of dC’s given dP may reveal key
  - Need lots of pairs to get lots of good dP’s
- Look at pairs, build up key in pieces
  - Could find some bits, brute-force for rest

55
**DEServing of Praise**

- Against 8-round DES, attack requires:
  - $2^{14}$ = 16,384 chosen plaintexts, or
  - $2^{38}$ known plaintext-ciphertext pairs
- Against 16-round DES, attack requires:
  - $2^{47}$ chosen plaintexts, or
  - Roughly known plaintext-ciphertext pairs
- Differential cryptanalysis not effective

56
**DESperate measures**

- Linear cryptanalysis:
  - Look at algorithm structure: find places where, if you XOR plaintext and ciphertext bits together, you get key bits
  - S-boxes not linear, but can approximate
- Need $2^{43}$ known pairs; best known attack

57
**DES apparently not optimized against this**

Still, not an easy-to-mount attack

58
**DESuetude**

- “Weakest link” is size of key
- Attacks take advantage of encryption speed
- 1993: Wiener: \$1M machine, 3.5 hours
- 1998: EFF’s Deep Crack: \$250,000
  - 92 billion keys per second; 4 days on average
- 1999: distributed.net: 23 hours
- OK for some things (e.g., short time horizon)
- DES sliDES into wiDESpread DESuetude

59
**Triple-DES**

- Run DES three times:
  - ECB mode:
- If K2 = K3, this is DES
  - Backwards compatibility
- Known not to be just DES with K4 (1992)
- Has 112 bits of security, not = 168

60
**What’s wrong with Double-DES?**

Why? What’s the attack?

61
**DESpair**

- Double-DES: $C_i = E_B(E_A(P_i))$
- Given $P_1$, $C_1$: note that $D_B(C_1) = E_A(P_1)$
- Make a list of every $E_K(P_1)$.
- Try each L: if $D_L(C_1) = E_K(P_1)$, then maybe K = A, L = B. ($2^{48}$ L’s might work.)

62
**Test with P2, C2: if it checks, it was probably right.**

- Time roughly
- Memory very large.
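Two points from the slides in one added example (not from the original presentation): the same Feistel routine decrypts when the round keys are reversed, as the Decryption and Inverses slides state, and double encryption falls to the list-and-match search described on the DESpair slide. The cipher is a toy 4-round Feistel with a 32-bit block, 16-bit keys and a SHA-256-based round function and key schedule; all of these are assumptions chosen so the search runs in seconds, and none of it is DES.

```python
import hashlib

ROUNDS, HALF = 4, 16                  # toy sizes: 32-bit block, 16-bit key
MASK = (1 << HALF) - 1

def subkeys(key):
    """Hypothetical key schedule: one hashed round key per round."""
    return [hashlib.sha256(bytes([i]) + key.to_bytes(2, "big")).digest()
            for i in range(ROUNDS)]

def f(r, k):
    """Round ("mangler") function; it does not have to be invertible."""
    digest = hashlib.sha256(k + r.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")

def feistel(block, keys):
    l, r = block >> HALF, block & MASK
    for k in keys:
        l, r = r, l ^ f(r, k)         # Li = Ri-1 ; Ri = Li-1 xor f(Ri-1, Ki)
    return (r << HALF) | l            # output R|L: the final swap is undone

def enc(key, p):
    return feistel(p, subkeys(key))

def dec(key, c):
    return feistel(c, subkeys(key)[::-1])     # same routine, keys in reverse order

def meet_in_the_middle(p1, c1, p2, c2):
    """Recover (A, B) from two pairs of C = E_B(E_A(P)) in about 2 * 2**16 cipher calls."""
    table = {}
    for k in range(1 << 16):                  # list every E_K(P1)
        table.setdefault(enc(k, p1), []).append(k)
    survivors, found = 0, []
    for l in range(1 << 16):                  # try each L: is D_L(C1) in the list?
        for k in table.get(dec(l, c1), []):
            survivors += 1                    # "maybe K = A, L = B"
            if enc(l, enc(k, p2)) == c2:      # test with P2, C2
                found.append((k, l))
    return survivors, found

if __name__ == "__main__":
    A, B = 0x3A7C, 0xC0DE                     # constructed secret keys
    p1, p2 = 0x11112222, 0x33334444           # constructed known plaintexts
    c1, c2 = enc(B, enc(A, p1)), enc(B, enc(A, p2))
    print(meet_in_the_middle(p1, c1, p2, c2))
```

The search costs about twice a single-key brute force plus a table of one entry per key, which is why a second key adds far less than its own length in security.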

63
**DES’s Undesirable Properties**

- 4 weak keys
  - They are their own inverses
- 12 semi-weak keys
  - Each has another semi-weak key as inverse
- Complementation property
  - $DES_k(m) = c \Rightarrow DES_{k'}(m') = c'$
- S-boxes exhibit irregular properties
  - Distribution of odd, even numbers non-random
  - Outputs of fourth box depends on input to third box
