Classical & Contemporary Cryptology. Cryptology. Dr. Richard Spillman, Pacific Lutheran University.


2 Cryptology. Dr. Richard Spillman, Pacific Lutheran University. Lecture Five

3 Last Lecture
History
More Transpositions
– Double Column Transposition
Computer Based Encryption
Stream Ciphers
– LFSR
– One Time Pad
– Cellular Automata

4 Review – Stream Cipher
A stream cipher XORs a plaintext stream with a key stream to create a ciphertext stream.
[Diagram labels: plaintext, key stream, XOR, key stream, plaintext]
The random key stream can be produced by an LFSR, Cellular Automata, or another random process (such as a modification of a block cipher).

5 Outline
History
RC4 Algorithm
Introduction to Block Ciphers
DES and AES (and others)
Cryptanalysis of Block Ciphers

6 History

7 WW1 – The American Effort
Soon after the American declaration of war in April 1917, Herbert O. Yardley sold the War Department on the idea of starting a cryptologic service called MI-8
– David Stevens, 32, an English instructor at UChicago
– Thomas A. Knot, 37, an associate professor of English at UC
– Charles H. Beeson, 47, associate professor of Latin at UC
– Bliss Luquiens, 41, professor of Spanish at Yale
MI-8 became involved in many activities including
– cryptography
– secret inks
– shorthand translation

8 Secret Inks
The Germans used several kinds of secret inks which could be developed by exposure to heat or by special chemicals
– Allied chemists responded with a reagent that brought out secret writing of any kind because it could detect the fibers of paper which had been disturbed by a wetting action
– Germans responded by writing in a sympathetic ink and then moistening the entire sheet
– Allies responded with a chemical streak test that would detect whether the paper surface had been dampened - who but a spy would dampen paper?
– Eventually, both sides discovered a general reagent that would detect any ink under any conditions
MI-8’s secret ink division, however, was testing over 2,000 letters a week and discovered 50 of major importance, including the plans of one spy to import high explosives inside the hollow figures of saints and the Virgin Mary

9 Cryptographic Section
MI-8’s cryptographic section was very successful
One of their most important solutions involved the case of the only German spy condemned to death in the US during WWI.
– Captured in January 1918 in Mexico by a US agent, he had a cipher letter
– Broken by Dr. John Manly who went on to become one of the world’s leading authorities on Chaucer
– After a marathon 3-day effort he broke down the 12 step transposition cipher:

10 The American Black Chamber
After Armistice, Yardley sold both the State Department and the War Department on jointly setting up a permanent cryptography organization
– it became known as the American Black Chamber and was established on July 15, 1919 in NYC
– its first task was to solve the codes of Japan and by 1921, they were regularly reading Japanese telegrams
– In the summer of 1921, they solved telegram 813 of July 5th from the Japanese ambassador in London to Tokyo which contained instructions about the upcoming naval disarmament conference

11 Conference Results
Japan was demanding a tonnage ratio of 10 to 7 with the US when the Black Chamber read what Yardley called the most important telegram he ever solved (0.5 represents 50,000 tons of ship - a battleship and a half)
– “It is necessary to avoid any clash with Great Britain and America, particularly America, in regard to the armament limitation question. You will to the utmost maintain a middle attitude and redouble your efforts to carry out our policy. In case of inevitable necessity you will work to establish your second proposal of 10 to 6.5. If, in spite of your utmost efforts, it becomes necessary in view of the situation and in the interests of general policy to fall back on your proposal no. 3, you will endeavor to limit the power of concentration and maneuver of the Pacific and to make an adequate reservation which will make clear that this is our intention in agreeing to a 10 to 6 ratio.”
What do you think the Americans settled for with Japan?

12 The End of the Black Chamber
Between 1917 and 1929, the American Black Chamber solved more than 45,000 telegrams involving the codes of:
– Argentina, Brazil, Chile, China, Cuba, England, France, Germany, Japan, Liberia, Mexico, Peru, USSR, Spain,...
– They even started on the codes used by the Vatican
It all ended on Oct 31, 1929 after Henry L. Stimson, Hoover’s Secretary of State, received some solutions from the Black Chamber. He said “Gentlemen do not read each other’s mail”

13 RC4

14 RC4
RC4 was developed by Ron Rivest of MIT (one of the developers of RSA, a cipher that will be covered later)
– It is perhaps the most widely used stream cipher in the world
    Microsoft Windows
    Lotus Notes
    the SSL (Secure Sockets Layer) protocol to protect Internet traffic
    the Wired Equivalent Privacy (WEP) system used to protect wireless links
– One advantage of RC4 is that it can be easily implemented in software.

15 Procedure
RC4 uses an arrangement of the numbers 0 to 255 (8 bits each) in an array S which changes over time
It consists of two processes
– A Key Scheduling Algorithm (KSA) to set up the initial permutation of S
– A pseudo-random generation algorithm (PRGA) to randomly select elements of S and modify the permutation of S

16 Key Scheduling Algorithm 1
KSA begins by initializing S such that S(i) = i for i = 0 to 255.
A secret key is constructed by selecting a set of numbers which are loaded into a key array K(0 to 255)
– The usual process is to select a short sequence of numbers and repeat them until K is filled

17 Key Scheduling Algorithm 2
The key array is used to randomize S based on the following algorithm:
    j = 0
    for i = 0 to 255 do
        j = (j + S(i) + K(i)) mod 256
        swap(S(i), S(j))

18 PRGA
Once the KSA has completed the initial randomization of S, the PRGA takes over and selects bytes for the key stream by selecting random elements of S and modifying S for the next selection.
– The selection process relies on two indices i and j which both start at 0.
– The following program is run to select each byte of the key stream:
    i = (i + 1) mod 256
    j = (j + S(i)) mod 256
    swap(S(i), S(j))
    t = (S(j) + S(i)) mod 256
    k = S(t)

19 Example
A simple example of RC4 will be constructed using 3 bit representations (the numbers range from 0 to 7) and mod 8 operations (instead of mod 256).
Initialize S:
    index: 0 1 2 3 4 5 6 7
    S:     0 1 2 3 4 5 6 7
Select key: 5, 6, 7
    K:     5 6 7 5 6 7 5 6
Use the key to randomize S:
    i = 0, j = 0: j = (0 + S(0) + K(0)) mod 8 = (0 + 0 + 5) mod 8 = 5. Swap 0 and 5
    i = 1, j = 5: j = (5 + S(1) + K(1)) mod 8 = (5 + 1 + 6) mod 8 = 4. Swap 1 and 4
    (the steps for i = 2 to 7 continue in the same way)
Final S Array:
    index: 0 1 2 3 4 5 6 7
    S:     5 4 0 7 1 6 3 2

20 Random Numbers
Now, the S array is ready to be used to produce a sequence of random numbers.
– With i and j starting at 0, RC4 calculates the first random number as follows:
    index: 0 1 2 3 4 5 6 7
    S:     5 4 0 7 1 6 3 2
    i = (i + 1) mod 8 = (0 + 1) mod 8 = 1
    j = (j + S(i)) mod 8 = (0 + S(1)) mod 8 = (0 + 4) mod 8 = 4
    Swap S(1) and S(4)
    t = (S(i) + S(j)) mod 8 = (S(4) + S(1)) mod 8 = (1 + 4) mod 8 = 5
    k = S(t) = S(5) = 6
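The KSA and PRGA from the preceding slides, written out as an added example (not code from the lecture or from CAP). The modulus parameter n is an assumption of this sketch so that the same functions reproduce the 3-bit walk-through (key 5, 6, 7; first key stream value 6) and ordinary byte-wide RC4.

```python
def ksa(key, n=256):
    """Key Scheduling Algorithm: return the initial permutation S of 0..n-1."""
    if len(key) == 0:
        raise ValueError("key must not be empty")
    s = list(range(n))                              # S(i) = i
    k = [key[i % len(key)] % n for i in range(n)]   # repeat the short key to fill K
    j = 0
    for i in range(n):
        j = (j + s[i] + k[i]) % n
        s[i], s[j] = s[j], s[i]
    return s


def prga(s, count, n=256):
    """Pseudo-random generation: return `count` key stream values from state S."""
    s = list(s)                                     # work on a copy of the state
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        t = (s[i] + s[j]) % n
        out.append(s[t])
    return out


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the RC4 key stream; the same call encrypts and decrypts."""
    stream = prga(ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, stream))


if __name__ == "__main__":
    toy_state = ksa([5, 6, 7], n=8)                 # the slide's 3-bit example
    print("toy S after KSA :", toy_state)
    print("toy key stream  :", prga(toy_state, 4, n=8))
    ct = rc4(b"Key", b"Plaintext")                  # widely published test vector
    print("RC4 ciphertext  :", ct.hex().upper())
    print("round trip      :", rc4(b"Key", ct))
```

The small modulus exists only so the arithmetic can be checked by hand. RC4 itself is prohibited in TLS by RFC 7465, so treat the byte-wide version as a study aid for legacy traffic rather than a cipher for new designs.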

21 Using CAP
CAP uses RC4 to implement a stream cipher

22 Block Ciphers

23 Cipher Structures
[Diagram: tree of cipher types. Labels: Block, Stream, Classical, ...; Transposition, Substitution; monoalphabetic, polyalphabetic; Shift, Affine, Keyword, MultiLiteral; Vigenere, Hill, Nihilist; Column; RC4]

24 Block Cipher
Today’s most widely used ciphers are in the class of Block Ciphers
– Define a block of computer bits which represent several characters
– Encipher the complete block at one time
[Diagram labels: Block of Bits, KEY, Algorithm]

25 Modes of Operation
Before examining the details of any specific block cipher algorithm, it is useful to consider how such algorithms are used
There are 3 operational modes:
– Electronic Code Book (ECB)
– Cipher Block Chaining (CBC)
– Output Feedback Mode (OFM)
These modes have become international standards for implementing any block cipher

26 Electronic Code Book
Simplest mode of operation
– each block is enciphered into a ciphertext block using one key
[Diagram: blocks M1, M2, ..., Mm each pass through Ek under the same Key to give C1, C2, ..., Cm]
Problem: if Mi = Mj then Ci = Cj

27 Cipher Block Chaining
The input to each block stage is the current block XORed with the previous stage cipher block
[Diagram labels: Key; M1, Ek, C1; M2, Ek, C2; ...; Mm, Ek, Cm]

28 Output Feedback Mode
The block cipher is used as a stream cipher
– it produces the random key stream
[Diagram labels: Ri, Ek, Ri+1, KEY, Mi, Ci]

29 General Structure
In 1973, Feistel suggested a form of product cipher that has become the architecture of choice for almost all symmetric block ciphers in use today.
– The overall process involves several stages of a substitution followed by a transposition.
– The master key is subdivided into a set of subkeys – one for each stage.
– At each stage the data block is divided into a left and a right segment, the segments are swapped, and one segment is mixed with the subkey for that stage.
– Another name for this type of cipher is a substitution-permutation (SP) cipher.

30 Feistel Cipher
A single stage of the Feistel cipher looks like:
[Diagram labels: Plaintext; Left Side, Right Side; F (Substitution, Permutation); Key; S ("Creates the subkey for each stage"); New Left Side, New Right Side]
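An added example (not from the lecture) tying together the Feistel stage above and the three modes of operation: a toy Feistel cipher run in ECB, CBC and output feedback, showing the ECB problem "if Mi = Mj then Ci = Cj". The 8-byte block, 8 stages, the SHA-256 based round function and key schedule, the IV and the sample message are all assumptions of this sketch, chosen so it runs with the standard library only.

```python
import hashlib

BLOCK = 8             # toy block size in bytes (assumption of this example)
HALF = BLOCK // 2
ROUNDS = 8            # number of Feistel stages (assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def subkeys(master: bytes, rounds: int = ROUNDS) -> list:
    """One subkey per stage; hashing stands in for a real key schedule."""
    return [hashlib.sha256(master + bytes([r])).digest()[:HALF] for r in range(rounds)]


def f(right: bytes, subkey: bytes) -> bytes:
    """Round function F: mixes one half with the stage subkey (stand-in for S/P boxes)."""
    return hashlib.sha256(subkey + right).digest()[:HALF]


def feistel(block: bytes, keys: list) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("block must be exactly BLOCK bytes")
    left, right = block[:HALF], block[HALF:]
    for k in keys:                                   # new L = old R, new R = old L xor F(old R, k)
        left, right = right, xor(left, f(right, k))
    return right + left                              # undo the last swap


def encrypt_block(block, keys):
    return feistel(block, keys)


def decrypt_block(block, keys):
    return feistel(block, keys[::-1])                # same network, subkeys reversed


def split(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("data length must be a multiple of BLOCK")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data, keys):
    return b"".join(encrypt_block(m, keys) for m in split(data))


def cbc_encrypt(data, keys, iv):
    prev, out = iv, []
    for m in split(data):
        prev = encrypt_block(xor(m, prev), keys)     # chain in the previous ciphertext block
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data, keys, iv):
    prev, out = iv, []
    for c in split(data):
        out.append(xor(decrypt_block(c, keys), prev))
        prev = c
    return b"".join(out)


def ofb_xor(data, keys, iv):
    """Output feedback: the block cipher only generates the key stream."""
    r, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        r = encrypt_block(r, keys)                   # next key stream block from the previous one
        out += xor(data[i:i + BLOCK], r)
    return bytes(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample: three identical plaintext blocks followed by a different one.
MSG = b"SAMEDATA" * 3 + b"OTHERBLK"
KEYS = subkeys(b"demo master key")
IV = bytes(range(1, BLOCK + 1))

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(MSG, KEYS)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(MSG, KEYS, IV)))
    print("OFB repeats:", repeated_blocks(ofb_xor(MSG, KEYS, IV)))
```

A duplicate-block count like `repeated_blocks` is also a quick check for spotting ECB use in captured ciphertext.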

31 Cipher Evaluation
Any new cipher must be secure against attacks but as ciphers become more complicated (such as the class of block ciphers) how can we be reasonably confident that they can protect our valuable data?
– The real answer to this problem is that we can never be sure that a cipher is secure.
– The best way to gain some confidence in a new cipher is to allow the security community to test it.
There are some features that a cipher must possess if it is to be accepted by the users.
– First, of course, the key space must be large enough to make a brute force attack impossible or at least too expensive to mount.

32 Algorithm Strength
Algorithm strength is a subjective judgment call. Several factors are considered including:
– The plaintext cannot be derived from the ciphertext without use of the key.
– There should be no plaintext attack that is better than a brute force attack.
– Knowledge of the algorithm should not reduce the strength of the cipher.
– The algorithm should include substitutions and permutations under the control of both the input data and the key.
– Redundant bit groups in the plaintext should be totally obscured in the ciphertext.
– The length of the ciphertext should be the same length as the plaintext.
– Any possible key should produce a strong cipher.

33 Avalanche Condition
One of the most important strength criteria is the avalanche condition: there should be no correlation between any input bits or key bits and the output bits.
– This is important because if someone started trying different keys, they should not be able to tell if they are close (within a few bits) to the actual key.
– There are two versions of the avalanche condition:
    Strict plaintext avalanche criterion (SPAC): each bit of the ciphertext block should change with the probability of one half whenever any bit of the plaintext block is complemented.
    Strict key avalanche criterion (SKAC): for a fixed plaintext block, each bit of the ciphertext block changes with a probability of one half when any bit of the key changes.

34 DES Example
Input:    ...............................................................*  1
Permuted: .......................................*........................  1
Round 1:  .......*........................................................  1
Round 2:  .*..*...*.....*........................*........................  5
Round 3:  .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*.................  18
Round 4:  ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....**  28
Round 5:  *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*....  29
Round 6:  ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..*  26
Round 7:  *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..*
Round 8:  *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*...
Round 9:  ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...**
Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*..
Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...*
Round 12: *..***....*...*.*.*.***...****....******......*..******....*....
Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****..
Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*.
Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.**
Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.*
Output:   ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.

35 DES, AES, and Others

36 Data Encryption Standard
In the mid-70’s the US government decided that a powerful standard cipher system was necessary.
– The National Bureau of Standards put out a request for the development of such a cipher.
– Several companies went to work and submitted proposals. The winner was IBM with their cipher system called Lucifer.
– With some modifications suggested by the National Security Agency, in 1977, Lucifer became known as the Data Encryption Standard or DES.
– It has since been replaced by the Advanced Encryption Standard (AES)

37 Basic Structure
DES works on 64 bit blocks of plaintext using a 56 bit key to produce 64 bit blocks of ciphertext.
– It is a substitution-permutation cipher with 16 SP stages.
The key for DES is an arbitrary 56 bit string of 0’s and 1’s
– there are 2^56 possible strings (greater than 10^16)
– often it is given as a 7 letter word
DES expands this key to 64 bits by adding 8 additional 0’s and 1’s
– bits 8, 16, 24, 32, 40, 48, 56, and 64 are added so that each 8 bit block has odd parity (odd number of 1’s)
– the key is divided, shifted, and shuffled 16 times to form 16 different (but related) subkeys each of which is 48 bits long

38 Key Generation
Each of the 16 stages uses a 48 bit subkey which is derived from the initial 64 bit key.
– The key passes through a PC-1 block (Permuted Choice 1) which extracts the original 56 bits supplied by the user.
– The 56 bits are divided into left and right halves. Each half is shifted left by 1 or 2 bit positions (it varies depending on the stage).
– The new 56 bits are compressed using PC-2 (Permuted Choice 2) by throwing out 8 bits to create the 48 bit key for the given stage.
[Diagram labels, in order: 64 bit key; PC-1; 28 bit C0 and 28 bit D0; Left Shift; 28 bit C1 and 28 bit D1; Left Shift; PC-2; K1]

39 DES Stages
Each stage of DES performs the same set of operations using a different subkey acting on the output of the previous stage.
– Those operations are defined in three “boxes” called the expansion box (Ebox), the substitution box (Sbox), and the permutation box (Pbox).

40 Example Stage
[Diagram labels: Left 32 bits, Right 32 bits; E Box (48 bits); Key Box (56 bits Key, 48 bits); XOR; S Boxes (32 bits); P Box (32 bits); XOR]
– The E-Box expands (from 32 to 48 bits) and permutes
– The E-Box output is XORed with part of the key
– There are 8 S-Boxes and each one accepts 6 bits of input and produces 4 bits of output
– The P-Box is a simple permutation
– Finally, the left side is XORed with the result and both sides are passed on to the next round

41 E-Box
The EBox expands its 32-bit input into 48 bits by duplicating some of the input bits.
Right 32 bits: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
EBox:
    32  1  2  3  4  5
     4  5  6  7  8  9
     8  9 10 11 12 13
    12 13 14 15 16 17
    16 17 18 19 20 21
    20 21 22 23 24 25
    24 25 26 27 28 29
    28 29 30 31 32  1
Note the duplication

42 S-Boxes
The SBoxes are the real source of the power of DES.
– There are 8 different Sboxes
– Each Sbox accepts 6 bits of input and produces 4 bits of output.
– An Sbox has 16 columns and 4 rows where each element in the box is a 4-bit block usually given in its decimal representation.
    Column:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
    Row 0:  14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
    Row 1:   0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
    Row 2:   4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
    Row 3:  15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

43 Working with the S-Boxes
Each 6-bit input to an S-Box is divided into a row and a column index.
– The row index is given by bits 1 and 6 and the bits 2 to 5 supply the column index.
– The output of the S-Box is the value stored at the addressed row/column
S2:
    Column:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
    Row 0:  15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
    Row 1:   3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
    Row 2:   0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
    Row 3:  13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9
Input: 0 1 1 1 1 0
Row 0, Column 15: value 10
Output: 1 0 1 0

44 P-Box
After the S-Box operation there are just 32 bits remaining which are rearranged according to the permutation table:
SBox Outputs: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
PBox:
    16  7 20 21
    29 12 28 17
     1 15 23 26
     5 18 31 10
     2  8 24 14
    32 27  3  9
    19 13 30  6
    22 11  4 25

45 Final Step
The final operation places the original RHS 32 bits on the LHS and XORs the original LHS with the 32-bit output of the Pbox
This process is repeated 16 times using a different subkey each time

46 DES Implementations
DES could be used in any one of the three standard block cipher implementation modes: OFM, CBC, or ECB.
– However DES is no longer a secure cipher.
– Hence, alternative implementations of DES have been suggested in an effort to improve its overall security. The most common is called Triple-DES.
– Triple-DES comes in two versions, one uses three keys and the other only uses two keys.
    The three key version first encrypts the message with Key1, decrypts the result with Key2, and finally encrypts that with K3
    The two key version uses the same steps where K3 = K1.
[Diagram labels, in order: M; E (Key1); D (Key2); E (Key3)]

47 Using CAP
CAP provides an implementation of DES
Run Avalanche tests
CAP also provides a simple version of DES

48 S-DES
S-DES (Simplified-DES) was developed by Dr. Edward Schaefer at Santa Clara University in 1996.
– It is simple enough so that you can explore the operation of DES and some of its weaknesses.
– It operates on 8-bit data blocks (in other words, single characters) using a 10-bit key (only 2^10 = 1024 possibilities) and two stages

49 S-DES Structure
In spite of the simplifications, S-DES looks much like our basic DES.
[Diagram labels, data path: 8 bits Plaintext block; IP; L0, R0; F, XOR; L1, R1; F; L2, R2; IP^-1; 8 bits Ciphertext block]
[Diagram labels, key path: 10 bit key; PC-1; C0, D0; Left Shift 1 bit; C1, D1; Left Shift 2 bits; C2, D2; PC-2; K1, K2]
IP:
    position: 1 2 3 4 5 6 7 8
    bit:      2 6 3 1 4 8 5 7
IP^-1:
    position: 1 2 3 4 5 6 7 8
    bit:      4 1 3 5 7 2 8 6

50 S-DES S-Boxes
The function F on the prior slide contains an EBox, PBox and 2 SBoxes (much like DES)
The two S-Boxes are given by:
– The input is a 4 bit value
– The first and last bits define the row
– The middle bits define the column
– The output is a 2 bit value

51 S-DES Key Generation
The key generation mechanism begins with a 10-bit key which is permuted by PC-1 into the order 3 5 2 7 4 10 1 9 8 6.
It is separated into 2 five bit segments and each segment is left shifted by one bit.
PC-2 selects and rearranges 8 bits from the two five bit segments – the bits in order are 6 3 7 4 8 5 10 9. The result is subkey 1.
The two segments are now left shifted twice and PC-2 is applied again to produce subkey 2.
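The key generation steps above as an added example (not CAP's code and not from the lecture), using the PC-1 and PC-2 orders given on the slide. It goes one step beyond the slide by enumerating all 1024 keys to find those whose two subkeys coincide; the sample key 1010000010 and the function names are assumptions of this sketch.

```python
from itertools import product

PC1 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)    # order given on the slide
PC2 = (6, 3, 7, 4, 8, 5, 10, 9)          # order given on the slide


def permute(bits: str, table) -> str:
    """Pick bits by 1-based position, as permutation tables are written."""
    return "".join(bits[p - 1] for p in table)


def rotl(bits: str, n: int) -> str:
    """Circular left shift of a bit string by n positions."""
    return bits[n:] + bits[:n]


def sdes_subkeys(key: str):
    """Return (K1, K2) for a 10-bit key given as a string of '0'/'1'."""
    if len(key) != 10 or set(key) - {"0", "1"}:
        raise ValueError("key must be a string of exactly 10 bits")
    p = permute(key, PC1)
    c, d = p[:5], p[5:]                   # two five-bit segments
    c, d = rotl(c, 1), rotl(d, 1)         # left shift by one bit
    k1 = permute(c + d, PC2)              # subkey 1
    c, d = rotl(c, 2), rotl(d, 2)         # left shift twice more
    k2 = permute(c + d, PC2)              # subkey 2
    return k1, k2


def all_keys():
    return ["".join(bits) for bits in product("01", repeat=10)]


def equal_subkey_keys():
    """Keys with K1 == K2. With equal subkeys, running the two Feistel stages
    with the subkeys in reverse order (decryption) is the same operation as
    encryption, the S-DES analogue of a DES weak key."""
    return [k for k in all_keys() if len(set(sdes_subkeys(k))) == 1]


def distinct_subkey_pairs() -> int:
    """How many different (K1, K2) pairs the 1024 keys produce."""
    return len({sdes_subkeys(k) for k in all_keys()})


if __name__ == "__main__":
    print("K1, K2 for 1010000010:", sdes_subkeys("1010000010"))
    print("keys with K1 == K2   :", equal_subkey_keys())
    print("distinct (K1, K2)    :", distinct_subkey_pairs())
```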

52 Using CAP
CAP implements S-DES and in the process illustrates the key generation method.

53 Status of DES
When IBM first proposed DES it had a 128 bit key
– NSA required that the key be reduced to 56 bits
There have been several successful attacks on DES
– June 1997: Using the internet 14,000 to 78,000 computers broke DES in 90 days
– Jan 1998: Using the internet again it only took 39 days
– July 1998: a $210,000 machine called deep crack was built and it broke DES in 56 hours

54 AES

55 Advanced Encryption Standard
Since DES was becoming less reliable as new cryptanalysis techniques were developed, the National Institute of Standards and Technology (NIST) put out a notice in early 1999 requesting submissions for a new encryption standard. The requirements were:
– A symmetric block cipher with a variable length key (128, 192, or 256 bits) and a 128-bit block
– It must be more secure than TripleDES
– It must be in the public domain – royalty free world wide
– It should remain secure for at least 30 years
Fifteen algorithms were submitted from ten different countries.

56 Submitted Algorithms
Australia – LOKI97
Belgium – RIJNDAEL
Canada – CAST-256, DEAL
Costa Rica – FROG
France – DFC
Germany – MAGENTA
Japan – E2
Korea – CRYPTON
USA – HPC, MARS, RC6, SAFER+, TWOFISH
UK, Israel, Norway – SERPENT

57 Selection Process
NIST relied on public participation:
– algorithm proposals
– cryptanalysis
– efficiency testing
AES Timetable
– Round 1: Aug. 20 - April 15, 1999
– Submit papers for 2nd AES conference: Feb 1, 1999
– Second AES conference: March 22-23, 1999
– Announcement of (about) five finalists
– Round 2 analysis of finalists: 6-9 months
– Third AES Conference
– Selection of AES Algorithm

58 AES Finalists
MARS (IBM)
RC6 (Rivest, et. al.)
Rijndael (top Belgium cryptographers)
Serpent (Anderson, Biham, Knudsen)
Twofish (Schneier, et. al.)
And the winner was... Pronounced “rain-doll”

59 Introduction to Rijndael
One of the fastest and strongest algorithms
– Variable block length: 128, 192, 256 bits
– Variable key length: 128, 192, 256 bits
– Variable number of rounds (iterations): 10, 12, 14
– Number of rounds depends on key/block length

60 Rijndael Structure
The general structure of Rijndael is shown below
– Rather than using just a substitution and a permutation at each stage like DES, Rijndael consists of multiple cycles of Substitution, Shifting, Column mixing and a KeyAdd operation.
[Flowchart labels: Plaintext block; KeyAdd (subkey); Substitution; ShiftRow; MixColumn; KeyAdd (subkey); Final round? (no / yes); Substitution; ShiftRow; KeyAdd; Ciphertext block]

61 Initial Step
The process begins by grouping the plaintext bits into a column array by bytes.
– The first four bytes form the first column; the second four bytes form the second column, and so on.
– If the block size is 128 bits then this becomes a 4x4 array. For larger block sizes the array has additional columns.
– The key is also grouped into an array using the same process.
    a0,0 a0,1 a0,2 a0,3
    a1,0 a1,1 a1,2 a1,3
    a2,0 a2,1 a2,2 a2,3
    a3,0 a3,1 a3,2 a3,3

62 Substitution
The substitution layer uses a single S-box (rather than the 8 S-boxes used in DES). The Rijndael S-box is a 16 x 16 array
– Each element in the current column array serves as an address into the S-box where the first four bits identify the S-box row and the last 4 bits identify the S-box column.
– The S-box element at that location replaces the current column array element.
[Figure: the SBox maps each element a i,j of the column array to the element b i,j of the new array, e.g. a 1,2 to b 1,2]

63 Row Shift Operation
A row shift operation is applied to the output of the S-box in which the four rows of the column array are cyclically shifted to the left.
– The first row is shifted by 0, the second by 1, the third by 2, and the fourth by 3
Before:
b 0,0  b 0,1  b 0,2  b 0,3
b 1,0  b 1,1  b 1,2  b 1,3
b 2,0  b 2,1  b 2,2  b 2,3
b 3,0  b 3,1  b 3,2  b 3,3
After:
b 0,0  b 0,1  b 0,2  b 0,3   (No shift)
b 1,1  b 1,2  b 1,3  b 1,0   (Shift 1)
b 2,2  b 2,3  b 2,0  b 2,1   (Shift 2)
b 3,3  b 3,0  b 3,1  b 3,2   (Shift 3)

64 Matrix Multiply
Column mixing is accomplished by a matrix multiplication operation.
– The shifted column array is multiplied by a fixed matrix
[Figure: Matrix Multiply takes each column of the shifted array, e.g. (b 0,2, b 1,3, b 2,0, b 3,1), to the corresponding column (c 0,2, c 1,3, c 2,0, c 3,1) of the new array]

65 Key Add
The final operation adds a subkey derived from the original key to the column array
– This completes one round of AES
[Figure: each element c of the column array is XORed with the matching subkey element k to give the element d of the new array]
This is repeated 9 more times

66 Key Schedule
The key is grouped into a column array and then expanded by adding 40 new columns.
– If the first four columns (given by the key) are C(0), C(1), C(2) and C(3) then the new columns are generated in a recursive manner.
  If i is not a multiple of 4 then column i is determined by: C(i) = C(i-4) XOR C(i-1)
  If i is a multiple of 4 then column i is determined by: C(i) = C(i-4) XOR T(C(i-1))
– Where T(C(i-1)) is a transformation of C(i-1) implemented as:
  1. Cyclically shift the elements of C(i-1) by one byte
  2. Use each of these 4 bytes as input into the S-box to create four new bytes e, f, g, h.
  3. Calculate a round constant r(i) = 2^((i-4)/4)
  4. Create the transformed column as: (e XOR r(i), f, g, h)
The round key for the ith round consists of the columns C(4i), C(4i+1), C(4i+2), C(4i+3).

67 Key Generation Flow
For what it’s worth:
[Figure: key generation flow from words W(i), W(i+1), W(i+2), W(i+3) to W(i+4), W(i+5), W(i+6), W(i+7), using XOR, Rot, S-Box and RCON]
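
The key schedule above, worked through for a 128-bit key, as an added example that is not part of the original slides. The function names are assumptions made here; the S-box is derived from its GF(2^8) definition instead of being typed in, and r(i) is computed as a power of 2 in GF(2^8).

```python
# Added example: AES-128 key expansion in the slides' column notation C(0)..C(43).

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def build_sbox():
    """Derive the Rijndael S-box: multiplicative inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def transform(col, i):
    """T(C(i-1)): rotate by one byte, substitute, add the round constant r(i)."""
    e, f, g, h = (SBOX[b] for b in col[1:] + col[:1])
    r = 1
    for _ in range((i - 4) // 4):          # r(i) = 2^((i-4)/4) in GF(2^8)
        r = gf_mul(r, 2)
    return [e ^ r, f, g, h]

def expand_key(key):
    """Return the 44 columns C(0)..C(43) for a 16-byte key."""
    cols = [list(key[4 * j:4 * j + 4]) for j in range(4)]
    for i in range(4, 44):
        prev = transform(cols[i - 1], i) if i % 4 == 0 else cols[i - 1]
        cols.append([a ^ b for a, b in zip(cols[i - 4], prev)])
    return cols

def round_key(cols, i):
    """Round key i is the columns C(4i)..C(4i+3), flattened to 16 bytes."""
    return bytes(b for c in cols[4 * i:4 * i + 4] for b in c)
```

For the FIPS-197 sample key 2b7e1516 28aed2a6 abf71588 09cf4f3c, C(4) comes out as a0fafe17.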

68 Conclusion
We have come a long way from just shifting letters over in the alphabet

69 Cryptanalysis of Block Ciphers

70 Security of DES
DES has a long and interesting history full of speculation and controversy.
– It all began when the National Security Agency (NSA) required the modification of the original specification for Lucifer submitted by IBM. Among the changes they requested was that the original key length of 128 bits be reduced to 56 bits.
– This fuelled the speculation (which has never been verified) that NSA could break the 56-bit version of DES from the very beginning.
– Since NSA wasn’t talking, brute force attacks seemed to be the only feasible way to undermine the algorithm.
– These had to wait until computer technology caught up with the key size to allow for high speed testing of all possible keys. This happened in the late 1990’s.
  In July of 1997, a process that borrowed time from more than 14,000 computers across the Internet was able to break a DES key in 90 days.
  Within six months, the time to break DES in this way was reduced to 39 days.
  In July of 1998 a special machine was built called Deep Crack that was able to break a DES key in 56 hours.

71 Weak Keys
One of the early discoveries was that DES had some weak keys.
– These are keys that generate the same subkey for each round.
– There are four such DES keys:
  0101 0101 0101 0101
  FEFE FEFE FEFE FEFE
  1F1F 1F1F 0E0E 0E0E
  E0E0 E0E0 F1F1 F1F1
There are also 12 semi-weak DES keys.
– Semi-weak keys generate only two subkeys, which alternate between rounds.

72 Using CAP
CAP provides two tools for running brute force attacks against S-DES
– The first is an attack against a single key version of S-DES

73 Meet-in-the-Middle Attack
One level of improvement to DES is called Triple-DES – why not simplify the process and use Double-DES?
– The reason is that Double-DES is as easy to break as single key DES using a Meet-in-the-Middle attack
– The process involves a known plaintext/ciphertext pair
  If there is enough memory space available, encipher the known plaintext with every possible key and save each result.
  Then decipher the ciphertext with every possible key and compare each result with the contents of memory.
  If there is a match, then both keys have been found.
[Figure: P is enciphered (E) under Key1 and the result of enciphering with K i is stored in memory; C is deciphered (D) under Key2 with K j; look for a match]

74 Using CAP
CAP will implement a Meet-in-the-Middle attack on S-DES:
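
The meet-in-the-middle procedure above as an added example (not from the slides and not CAP's code). It runs against double encryption with a constructed 16-bit toy Feistel cipher with 12-bit keys, standing in for S-DES; the cipher, the sample keys and all function names are assumptions made for illustration. It shows why the second key buys so little: a table of 2^12 encryptions plus 2^12 decryptions replaces a 2^24 search.

```python
KEY_BITS = 12   # toy key size (assumption); each of the two keys is 12 bits

def round_f(half, subkey):
    """Round function of the constructed toy cipher (not a secure design)."""
    x = (half ^ subkey) & 0xFF
    x = (x * 167 + 13) & 0xFF
    return ((x << 3) | (x >> 5)) & 0xFF

def subkeys(key):
    """Four 8-bit round keys taken as overlapping windows of the 12-bit key."""
    return [(key >> s) & 0xFF for s in (0, 4, 2, 1)]

def encrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for k in subkeys(key):
        left, right = right, left ^ round_f(right, k)
    return (left << 8) | right

def decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for k in reversed(subkeys(key)):
        left, right = right ^ round_f(left, k), left
    return (left << 8) | right

def meet_in_the_middle(pairs):
    """Return all (k1, k2) consistent with the known (plaintext, ciphertext) pairs."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):            # encipher P with every key, save
        table.setdefault(encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):            # decipher C with every key, compare
        for k1 in table.get(decrypt(c0, k2), []):
            # A match on one pair can be a coincidence; confirm on the others.
            if all(encrypt(encrypt(p, k1), k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

def demo():
    k1, k2 = 0x3A7, 0xC51                      # constructed secret keys
    plaintexts = [0x1234, 0xBEEF, 0x0F0F, 0xA5C3]
    pairs = [(p, encrypt(encrypt(p, k1), k2)) for p in plaintexts]
    return (k1, k2), meet_in_the_middle(pairs)
```

With an 8- or 16-bit block a single known pair leaves many false matches, which is why the candidates are confirmed against further pairs before being accepted.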

75 Recent Developments
There are two new classes of attacks which have been developed specifically for SP networks
– Differential Cryptanalysis
– Linear Cryptanalysis
In addition, there is a class of unexpected attacks called Side-Channel Analysis

76 DES S-Box
The S-box for DES is designed to produce “random” like outputs
– Consider the S1 S-box (6 bits in, 4 bits out):
     0 1 2 3 4 5 6 7 8 9 A B C D E F
  0  E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
  1  0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8
  2  4 1 E 8 D 6 2 B F C 9 7 3 A 5 0
  3  F C 8 2 4 9 1 7 5 B 3 E A 0 6 C
If the input is randomly distributed over 0 - 63
Then the output should be randomly distributed over 0 - 15
Example shown on the slide: 100101 B = 1000

77 S-Box Weakness - Background
A weakness in the S-box concept was discovered to be its behavior when two different inputs are compared
– If x and x* are the two inputs, there are 64^2 = 4096 possible pairs (x, x*)
– Define the S-box output to be S(x) and S(x*)
– Consider the relationship between the difference of the inputs and the difference of the outputs
  x’ = x XOR x*   (this ranges over all 64 possibilities 00 to 3F)
  y’ = S(x) XOR S(x*)   (this ranges over all 16 possibilities 0 to F)

78 S-Box Weakness
While it is expected that the output difference values should be evenly distributed over their range, it turns out they are not
NOTE the 0’s

79 Interesting Feature
Consider one row of the S1 difference table:
  Output:    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  Input 01:  0  0  0  6  0  2  4  4  0 10 12  4 10  6  2  4
There are five output differences which never occur if the input difference is 1: 0, 1, 2, 4, 8
12 of the 64 inputs which produce a difference of 1 produce an output of A.

80 Finding the Key 1
Say we know two inputs to S1 (01 and 35) such that the differential input to box S1 is 34 and the differential output is D
[Figure: inputs 01, 35 are combined with K and fed to S1; input difference 34, output difference D]
From the differential table, there are only 8 ways 34 can map to D
From the construction of the table, those 8 ways imply that K xor the input must be 06, 10, 16, 1C, 22, 24, 28, 32
Therefore K xor either 01 or 35 must be one of these 8 values, then K must be:
  06 xor 01 = 07    06 xor 35 = 33
  10 xor 01 = 11    10 xor 35 = 25
  16 xor 01 = 17    16 xor 35 = 23
  1C xor 01 = 1D    1C xor 35 = 29
  22 xor 01 = 23    22 xor 35 = 17
  24 xor 01 = 25    24 xor 35 = 11
  28 xor 01 = 29    28 xor 35 = 1D
  32 xor 01 = 33    32 xor 35 = 07
These are the possible keys.

81 Finding the Key 2
Say we know two other inputs to S1 (21 and 15) such that the differential input to box S1 is 34 and the differential output is 3
[Figure: inputs 21, 15 are combined with K and fed to S1; input difference 34, output difference 3]
From the differential table, there are only 6 ways 34 can map to 3
From the construction of the table, those 6 ways imply that K xor the input must be 01, 02, 15, 21, 35, 36
Therefore K xor either 21 or 15 must be one of these 6 values, then K must be:
  01 xor 21 = 20    01 xor 15 = 14
  02 xor 21 = 23    02 xor 15 = 17
  15 xor 21 = 34    15 xor 15 = 00
  21 xor 21 = 00    21 xor 15 = 34
  35 xor 21 = 14    35 xor 15 = 29
  36 xor 21 = 17    36 xor 15 = 23
These are the possible keys.

82 Finding the Key 3
The actual key must be in both sets:
{33, 25, 23, 29, 17, 11, 1D, 07} and {14, 17, 00, 34, 29, 33}
RESULT: {17, 33}
Try other differentials until a single key is found.
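
The difference-table reasoning of the last several slides as an added example, not part of the original presentation. It builds the S1 difference table from the S-box as published in the DES standard (FIPS 46-3) and intersects the key candidates from the two observations used above; the function names are assumptions made here.

```python
# DES S-box S1 as published in FIPS 46-3; the outer two input bits pick the row.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """Look up a 6-bit input: first and last bit give the row, middle four the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def difference_table():
    """table[dx][dy] = number of inputs x with S1(x) XOR S1(x XOR dx) == dy."""
    table = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            table[dx][s1(x) ^ s1(x ^ dx)] += 1
    return table

def inputs_for(dx, dy):
    """S-box inputs x for which input difference dx gives output difference dy."""
    return {x for x in range(64) if s1(x) ^ s1(x ^ dx) == dy}

def key_candidates(e1, e2, dy):
    """Values K with S1(e1 XOR K) XOR S1(e2 XOR K) == dy, for known e1 and e2."""
    return {x ^ e1 for x in inputs_for(e1 ^ e2, dy)}

def recover_key(observations):
    """Intersect the candidate sets of several (e1, e2, dy) observations."""
    return set.intersection(*(key_candidates(*obs) for obs in observations))

def demo():
    # The two observations from the slides: (01, 35) -> D and (21, 15) -> 3.
    return recover_key([(0x01, 0x35, 0xD), (0x21, 0x15, 0x3)])

if __name__ == "__main__":
    print("row 01:", difference_table()[0x01])
    print("candidates:", sorted(f"{k:02X}" for k in demo()))
```

Computed from the standard S1 table, the two candidate sets intersect in 17 and 23 (hex); each further observation shrinks the set in the same way.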

83 Linear Cryptanalysis
Linear cryptanalysis is a powerful tool to use against SP networks developed in the early 90’s
It requires discovering an approximate linear relationship between the plaintext, the ciphertext and the key that holds more than half the time
– Then guess some key bits and verify that the linear relationship holds - if it does then your guess is correct
– Used to find a subset of key bits, then do a brute force attack on the remaining bits

84 Side Channel Analysis
It turns out that information about the operation of the underlying cipher can be leaked by observing certain performance characteristics.
These are called side channel attacks.
– For example, when a key bit of 1 is being processed the chip draws more power from the power supply.
– By monitoring the power drain, the key bits can actually be exposed.
– There is also a timing version of this attack which monitors the number of microseconds it takes to complete the algorithm.
– The timing values will expose parts of the key as well.

85 Summary
History
RC4 Algorithm
Introduction to Block Ciphers
DES and AES (and others)
Cryptanalysis of Block Ciphers
– Differential Cryptanalysis
– Linear Cryptanalysis
– Side Channel Attacks

