View
238
Download
1
Category
Preview:
Citation preview
Network Security
CryptologyCryptography
Cryptanalysis
Topics Covered
Modern Encryption Techniques Simplified DES (S-DES) Block Cipher Principles
The Feistel Cipher Diffusion and Confusion
Data Encryption Standard DES Design Principles The Strength of DES DES Modes of Operation
Modern Encryption Techniques
Secret Key (Symmetric) CryptographySimplified Data Encryption StandardData Encryption StandardAdvanced Encryption Standard
Public Key (Asymmetric) CryptographyRSA (Rivest-Shamir-Adleman)ECC (Elliptic Curve Cryptography)NTRU (Number Theorist aRe Us)
Symmetric Cryptography
Asymmetric Cryptography
Simplified Data Encryption Standard (S-DES)
Developed by Professor Edward Schaefer of Santa Clara University.
S-DES: An Overview
Similar properties and structure to DES, with much smaller parameters.
Encryption It takes an 8-bit block of plain text and a 10-bit key as
input and produces an 8-bit block of cipher text as output.
Decryption It takes an 8-bit block of cipher text and the same 10-bit
key used to produce that ciphertext as input and produces the original 8-bit block of plaintext.
S-DES Algorithm
Algorithm involves 5 functions1. An initial permutation (IP).
2. A complex function, fk , that involves both permutation and substitution operations and depends on a key input.
3. A simple permutation function that switches the two halves of the data (SW).
4. The function fk again.
5. A permutation function that is the inverse of the initial one (IP-1).
S-DES Algorithm
text)))))(IP(cipher(SW(f(fIPPlaintext
and
ey))))hift(P10(kP8(Shift(SK
10(key)))P8(Shift(PK
where
ext)))))(IP(plaint(SW(f(fIPCiphertext
or
IP)fWSf(IP C
21
12
12
KK1-
2
1
KK1-
KK-1
S-DES Key Generation
It depends on the use of a 10-bit key shared between sender and receiver.
From this key, two 8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm.
First permute the key in the following fashion,
P10(k1,k2,k3,k4,k5,k6,k7,k8,k9,k10)=(k3,k5,k2,k7,k4,k10,k1,k9,k8,k6)
S-DES Key Generation (contd.)
Next perform a circular-left shift (LS-1), or rotation, separately on the first five bits and the second five bits.LS-1(k1,k2,k3,k4,k5)=(k2,k3,k4,k5,k1)
Next apply P8, which permutes 8 of the 10
bits according to the following rule,P8(k1,k2,k3,k4,k5,k6,k7,k8,k9,k10)=(k6,k3,k7,k4,k8,k5,k10,k9)
The result is subkey 1 (K1)
S-DES Key Generation (contd.)
To get the second subkey (K2), perform
again a 2-bit circular-left shift LS-2 on the
product of LS-1LS-2(LS-1(k1,k2,k3,k4,k5)=LS-2(k2,k3,k4,k5,k1)=(k4,k5,k1, k2,k3)
Finally, P8 is applied again to produce K2.
Example - Key Generation
Permute 10-bit key: 1010000010P10(1010000010) = 1000001100
Perform circular left shift, separately, on first 5 bits and second 5 bits (LS-1).
LS-1(10000) = 00001 and LS-1(01100) = 11000 Pick out and permute 8 of the 10 bits: (P8)
P8(0000111000) = 10100100
Result is K1
Now perform circular left shift of 2 bit positions, on first 5 bits and second 5 bits (LS-2) on the result LS-1.
LS-2(00001) = 00100 and LS-2(11000) = 00011 Apply (P8) again.
P8(0010000011) = 01000011
Result is K2
S-DES Encryption
Initial and final permutations
The Function fk
Let L and R be left and right halves of 8-bit input to fk .
Let F be a map from 4-bit strings to 4-bit strings, and SK be the subkey (K1 or K2) and XOR is the bit-by-bit exclusive-OR function.
fk(L, R) = (L F(R, SK), R)
IP
2 6 3 1 4 8 5 7
IP-1
4 1 3 5 7 2 8 6
Mapping F
Input is 4-bit number (n1n2n3n4). Expansion/permutation operation
8-bit subkey K1 is added to output of E/P using exclusive-OR.
E/P
4 1 2 3 2 3 4 11
3
43
21
2
4
n
n
nn
nn
n
n
Mapping F (contd.)
First 4 bits fed to S-box S0,second 4 bits fed to S-box S1.
S-box uses 1st and 4th bits to specify a row,2nd and 3rd bits to specify a column. Entry in that position (base 2) is 2-bit output.
4-bits produced by S-Boxes (S0 & S1) are permuted using P4.
P4 = (k2k4k3k1)Output of P4 is output of F.
The Switch function
The function fk only alters the leftmost 4-bits of the input.
Switch function interchanges left and right 4 bits so that second instance of fk operates on a different 4 bits.
In this second instance, the E/P, S0, S1, and P4 functions are same.
The key input isK2.
Analysis of S-DES
Brute-force attack is feasible, 210 = 1024 possible 10-bit keys.
Known plaintext? Suppose we know a sinlge 8-bit plaintext and
corresponding 8-bit ciphertext, and key is unknown. Each ci is a polynomial function of pj's and kj's. This means 8 non-linear equations in 10
unknowns. Alternating linear maps with these nonlinear maps
results in complex polynomial expressions for the ciphertext bits, making cryptanalysis difficult.
Block Cipher Principles
Stream Cipher vs. Block Cipher
Stream cipher is one that encrypts a digital data stream one bit or one byte at a time, e.g. Vigenere cipher and Vernam cipher
Block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length (typically a block of 64 bits is used), e.g. S-DES and DES
Various modes of operation can make a block cipher to achieve the same effect as a stream cipher.
The vast majority of network-based cryptographic applications make use of block cipher.
Feistel Cipher Structure
Reversible TransformationFor the encryption to be reversible or non-
singular (decryption is possible), each plaintext block must produce a unique ciphertext block.
Irreversible Transformation For the encryption to be irreversible or singular
(decryption is impossible), not all the plaintext block would have unique ciphertext block.
Feistel Cipher
Symmetric block encryption algorithm are referred to as a Feistel block cipher.
The concept is to have a product cipher which is performing two or more basic ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers.
Feistel proposed the use of a cipher that alternates substitution and permutation.
This cipher is referred to as a product cipher that alternates confusion and diffusion functions.
Confusion and Diffusion
Introduced by Claude Shannon in 1945 to capture the two basic building blocks for any cryptographic system.
Shannon’s concern was to thwart cryptanalysis based on statistical analysis. In this way all statistics of the ciphertext are independent of the particular key used.
Confusions is achieved through the XOR operation performed on ciphertext and the value of the encryption key. This is achieved by the use of a complex substitution algorithm.
Diffusion is achieved through numerous permutations followed by applying a function to that permutation. The unknown values are put into the plaintext. This causes diffusion.
Classical Feistel Network
Feistel Network Parameters
Block Size: Larger block sizes-greater security-reduced speed (64
bits) Key Size:
Larger key sizes-greater security-reduced speed Number of rounds:
Multiple rounds-increased security (16 rounds) Subkey generation algorithm:
Greater complexity-greater security Round function:
Greater complexity-greater security
Feistel Cipher Mechanism
The text being encrypted is split into two halves. The round function F is applied to one half using a
subkey Ki and the output of F is XORed with the other half.
The two halves are then swapped. Each round follows the same pattern except for
the last round where there is no swap.
Rr XOR F(kr,Lr) = Rr XOR F(kr,Rr-1)
= Rr XOR (Rr ÅLr-1) = Lr-1
Data Encryption Standard
The Actual DES
About DES
The original ideas behind the Data Encryption Algorithm were developed by IBM in the 1960's and was based on Claude Shannon’s concept.
The technique was first called as Lucifer and later refined and renamed as the DEA (Data Encryption Algorithm) and adopted as the standard in 1976.
In 1977 the United States Government chose the Data Encryption Standard (DES).
DES was widely adopted by industry for secure communication Example:
DES is used to encrypt personal identification numbers (PINs) and account transactions in automated teller machines (ATMs
Data Encryption Standard
There are two inputs to the encryption function, i.e. the plaintext and the key.
The plain text must be 64 bits and the key is 56 bits in length.
Processing of the plaintext proceeds in three phases, The 64 bit plaintext passes through an Initial Permutation (IP) Then a 16 "rounds" of operations which involves both permutation
and substitution functions that mix the data and key together in a prescribed manner.
The pre-output obtained from swapping the left and right halves of the output in each round, is then passed through a Permutation (IP-1) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext.
DES Encryption Algorithm
Why 16 rounds?
The goal is to completely scramble the data and key so that every bit of the ciphertext depends on every bit of the data and every bit of the key (a 56-bit quantity for the DES).
After sufficient "rounds" with a good algorithm, there should be no correlation between the ciphertext and either the original data or key.
The DES uses 16 rounds for some solid reasons. First, a minimum of 12 rounds were needed to sufficiently scramble
the key and data together; the others provided a margin of safety. Second, the operation of 16 rounds would return the key back to its
original position in an electronic device for the next use when used in accordance with the published algorithm.
Details of Single Round
Permutation Tables for DES
Initial Permutation (IP)
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Inverse Initial Permutation (IP-1)
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Permutation Tables for DES
Expansion Permutation (E)
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
Permutation Function (P)
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
DES Mechanism
The 64-bit block being enciphered is broken into two halves.
The right half goes through one DES round, and the result becomes the new left half.
The old left half becomes the new right half, and will go through one round in the next round.
This goes on for 16 rounds, but after the last round the left and right halves are not swapped, so that the result of the 16th round becomes the final right half, and the result of the 15th round (which became the left half of the 16th round) is the final left half.
DES Mechanism (contd.)
Fundamentally DES performs only two operations on its input, Bit shifting, and Bit substitution.
The key controls exactly how this process works. By doing these operations repeatedly and in a non-linear manner you end up with a result which can not be used to retrieve the original without the key.
Those familiar with chaos theory should see a great deal of similarity to what DES does.
By applying relatively simple operations repeatedly a system can achieve a state of near total randomness.
DES Mechanism (contd.)
For each iteration a 48 bit subset of the 56 bit key is fed into the encryption block.
Decryption is the inverse of the encryption process.
The key is usually stored as a 64-bit number, where every eighth bit is a parity bit.
The parity bits are pitched during the algorithm, and the 56-bit key is used to create 16 different 48-bit subkeys - one for each round.
DES Key Generation
In order to generate 16 48-bit subkeys from the 56-bit key, the following process is used.
First, the key is loaded according to the Permutation Choice 1 (PC-1) and then halved.
Then each half is rotated by 2 bits in every round except the first, second, 9th and last rounds.
The reason for this is that it makes it secure against related-key cryptanalysis.
Then 48 of the 56 bits are chosen according to a compression permutation.
The subkeys used by the 16 rounds are formed by the key schedule which consists of, An initial permutation of the key (PC-1) which selects 56-bits
in two 28-bit halves
Key Schedule Calculation
The key rotation schedule KS is specified as:
Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
KS 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Total Rot
1 2 4 6 8 10 12 14 15 17 19 21 23 25 27 28
Permutation Choice One (PC-1)57 49 41 33 25 17 91 58 50 42 34 26 18
10 2 59 51 43 35 2719 11 3 60 52 44 3663 55 47 39 31 23 157 62 54 46 38 30 22
14 6 61 53 45 37 2921 13 5 28 20 12 4
Permutation Choice Two (PC-2)14 17 11 24 1 5 3 2815 6 21 10 23 19 12 426 8 16 7 27 20 13 241 52 31 37 47 55 30 4051 45 33 48 44 49 39 5634 53 46 42 50 36 29 32
S-Box
The S-boxes are somewhat different from the other permutations.
While all the others are set up according to "bit x goes to bit y", the input bits can be viewed differently for the S-boxes.
If the input is {d1,d2,d3,d4,d5,d6} then the two-bit number {d1,d6} and the four-bit number {d2,d3,d4,d5} are used as indices to the table.
For the 48-bit word {d1,d2..d48}, the word {d1..d6} is sent to S-box 1, the word {d7,,d12} to S-box 2, etc. The output of S-box 1, {o1..o4}, that of S-box 2, {o5..o8} etc. are concatenated to form the output.
48-bit input
6-bits 6-bits 6-bits 6-bits 6-bits 6-bits 6-bits 6-bits
S Box1 S Box2 S Box3 S Box4 S Box5 S Box6 S Box7 S Box8
4-bits 4-bits 4-bits 4-bits 4-bits 4-bits 4-bits 4-bits
32-bit permutation
32-bit output
Kn (+)
Mangler Function using S-Boxes
S-Box (contd.)
S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S-Box (contd.)
S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S-Box (contd.)
S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
P-Box
The output of each of the 8 S-boxes is concatenated to form a 32-bit number, which is then permutated with a P-box.
This P-box is a straight permutation, and the resulting number is XOR-ed with the left half of the input block with which we started at the beginning of this round.
Finally, if this is not the last round, we swap the left and right halves and start again.
Strength of DES
A brute-force attack is impractical with a key length of 56 bits since there are 256 possible keys, which is approximately 7.2 x 1016 keys.
Strength can be increased by compression of plain text before encryption.
Strength of DES has become questionable since very powerful machines is in action which can do parallel execution in a bit of time to break the cipher text.
Security Provided by DES
The security provided by the DES depends on several factors: Mathematical soundness, length of key, key management,
input data formatting, mode of operation, implementation, application and threat.
The DES was developed to protect unclassified computer data in federal computer systems against a number of passive and active attacks in communications and storage systems.
It was assumed that a knowledgeable person might seek to comprise the security system with resources commensurate to the value of the information to be obtained.
Applications included Electronic Funds Transfer, privacy protection of personal information, personal authentication, password protection, access control, etc.
DES Cryptanalysis
Differential Cryptanalysis
Quite complex! The overall strategy is based on consideration of seeing
the probability of occurrence of same difference in output with same subkey used in a single round.
Assume two plaintext messages with m and m’ with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the cipher text.
There can be two probable differences between two 32-bit halves.
We repeat this process until all probable patterns are correct.
Differential Cryptanalysis (contd.)
• For a large number of plaintexts, you can determine a certain behavior of the algorithm, you can help determine how changing the key affects the ciphertext, and in fact begin to guess bits of the key
• Differential cryptanalysis guesses bits of the key through various methods, until a brute force search on the remaining bits of the key becomes feasible and faster than other, more complex methods
Linear Cryptanalysis
Based on finding linear approximations to describe the transformations performed in DES.
For a Cipher with n-bit of plain text and cipher text blocks and m-bit key, let the plaintext block be labeled P[1],……, P[n], the cipher text block C[1],……, C[n] and the key K[1],…., K[m] so we define
A[i,j,….., k] = A[i] A[j] ,……, A[k] The objective of linear cryptanalysis is to find an
effective linear equation of the form P[1, 2, …….., n] C[β1, β2, ……., βn]= K[γ1, γ2, …….. [γc ]
Where , β and γ represent fixed, unique bit locations
DES Modes of Operation
Four modes of operation have been defined for the DES by ANSI in the standard:
There are classified on the basis of the types of symmetric algorithms:Block Modes
splits messages in blocks (ECB, CBC)Stream Modes
on bit stream messages (CFB, OFB)
Electronic Code Book (ECB)
In ECB mode, each plaintext block is encrypted independently with the block cipher.
A 64 bit data block is entered into the algorithm with a key and a block of ciphertext is produced.
For a given block of plaintext and a given key, the same block ciphertext is always produced.
Electronic Codebook (ECB)
Cipher Block Chaining (CBC)
In CBC mode, each plaintext block is XORed with the previous ciphertext block and then encrypted.
An initialization vector c0 is used as a ``seed'' for the process.
In ECB mode, a block of plaintext and a key will always give the same ciphertext.
In CBC each block of text, the key and the value based on the previous block is processed in the algorithm and applied to the next block of text.
Cipher Block Chaining (CBC)
Cipher Feedback Mode (CFB)
In CFB mode, the previous ciphertext block is encrypted and the output produced is combined with the plaintext block using XOR to produce the current ciphertext block.
It is possible to define CFB mode so it uses feedback that is less than one full data block.
An initialization vector c0 is used as a ``seed'' for the process.
Output Feedback Mode (OFB)
OFB mode is similar to CFB mode except that the quantity XORed with each plaintext block is generated independently of both the plaintext and ciphertext.
An initialization vector s0 is used as a ``seed'' for a sequence of data blocks si, and each data block si is derived from the encryption of the previous data block si-1.
The encryption of a plaintext block is derived by taking the XOR of the plaintext block with the relevant data block.
DES Mode of Operation contd.
Counter Mode A “new” mode used in ATM network security and
IPSec Similar to OFB but encrypts counter value rather
than any feedback value Must have a different key & counter value for every
plaintext block (never reused) Counter is incremented by one Efficiency: can do parallel encryptions in h/w or s/w
and can preprocess in advance of need Applications: high-speed network encryptions
Counter Mode
Multiple Encryption & DES
Clearly a replacement for DES was needed since theoretical attacks existed that could break it
AES is a new cipher alternative
Prior to this alternative was to use multiple encryption with DES implementations.
Double-DES?
C = EK2(EK1(P))
P = DK1(DK2(D))
The double DES can be considered a single encryption with a key of length 112 bits.
It is not a single encryption with a key of 56 bits.
Hence there are more key combinations and its stronger than single DES.
DES with twice keys will produce one of many mappings that is not defined by a single application of DES.
Double DES is subject to “meet-in-the-middle” attack
Works whenever use a cipher twice Since X = EK1(P) = DK2(C) Attack by encrypting P with all keys and store Then decrypt C with keys and match X value It takes O(256) steps which is slightly less than DES brute force attack.
Double-DES contd.
Triple-DES with Two-Keys
To counter the meet-in-the-middle attack, triple DES with Three keys are used.
The known plaintext attack is not possible anymore because it will require 2112 steps.
The key size is increased to 168 which is not practical.
Tuchman proposed 3 encryptions but can use 2 keys with E-D-E sequence
C = EK1 [DK2[EK1[P]]]
P = DK1 [EK2[DK1[C]]]
if K1=K2 then can work with single DES instead.
Standardized in ANSI X9.17 & ISO8732
no current known practical attacks
Triple-DES with Two-Keys Contd.
Triple-DES with Three-Keys
Although are no practical attacks on two-key Triple-DES have some indications.
Can use Triple-DES with Three-Keys to avoid even these
C = EK3(DK2(EK1(P)))
Has been adopted by some Internet applications, e.g. PGP, S/MIME
What Next?
Advance Encryption Standard (AES)An OverviewAES RequirementsAES Algorithms
Recommended