CPSC415 Biometrics and Cryptography 1 Conventional Cryptography (Symmetric Ciphers)

Conventional Cryptography (Symmetric Ciphers)


Outline

• Stream Ciphers and Block Ciphers
• Confusion and Diffusion
• DES (Data Encryption Standard)
• Exhaustive Key Search
• Triple DES, DESX
• AES (Advanced Encryption Standard)
• Operation Modes


Symmetric Encryption

• or conventional / secret-key / single-key

• sender and recipient share a common key

• all classical encryption algorithms are private-key

• was only type prior to invention of public-key in 1970’s


Symmetric Cipher Model


Symmetric Key Cryptography

symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: \(K_{A-B}\)

• e.g., the key is knowing the substitution pattern in a monoalphabetic substitution cipher

[Figure: plaintext message \(m\) → encryption algorithm (key \(K_{A-B}\)) → ciphertext \(K_{A-B}(m)\) → decryption algorithm (key \(K_{A-B}\)) → plaintext \(m = K_{A-B}(K_{A-B}(m))\)]

Requirements

• two requirements for secure use of symmetric encryption:
  – a strong encryption algorithm
  – a secret key known only to sender / receiver

    \(Y = E_K(X)\)
    \(X = D_K(Y)\)

• assume encryption algorithm is known
• implies a secure channel to distribute key

Cryptography

• can characterize by:
  – type of encryption operations used
    • substitution / transposition / product
  – number of keys used
    • single-key or private / two-key or public
  – way in which plaintext is processed
    • block / stream

Symmetric Key Cryptosystems

• Stream ciphers
  – Operate on the plaintext a single bit (or sometimes byte) at a time
  – Simple substitution
  – Poly-alphabetic substitution
  – Feedback Shift Register Sequences
  – e.g. SEAL, RC4 (used by WLAN IEEE 802.11 in WEP)
• Block ciphers
  – Operate on the plaintext in groups of bits. The groups of bits are called blocks.
  – Typical block size is 64 bits or multiple of it
    • E.g. 128 bits, 256 bits.
  – DES, AES (Rijndael)
  – Others include IDEA, Blowfish, RC5, …
  – Different modes of operation

Properties that one would like to have in an encryption scheme

• Easy to encrypt
• Easy to decrypt
• Provides fast encryption and decryption speed
• Minimal bandwidth expansion
• Generate diffusion and confusion (security)

Confusion and Diffusion

• Shannon in 1948 introduced two concepts as basic building blocks for designing cryptographic systems
• Diffusion: to obscure the statistical structure of the plaintext from the ciphertext.
  – By having each ciphertext digit be affected by more than one plaintext digit
  – In other words, to have the statistical structure of the plaintext be dissipated into long-range statistics of the ciphertext.
  – e.g.

    \(y_n = \sum_{i=1}^{k} m_{n+i} \pmod{26}\)

  – where message \(M = m_1, m_2, \ldots\) and a ciphertext letter \(y_n\) is obtained by adding k successive plaintext (English) letters.
• Confusion: to obscure the statistical dependence between the encryption key and the ciphertext
  – to thwart attempts to discover the key
  – simple linear substitution generates little confusion
  – This can be achieved by using complex substitution algorithms.

Block Ciphers

• An encryption algorithm that takes a fixed length block of message letters (plaintext) and a key (not necessarily the same length), and produces a block of ciphertext of the same length as the plaintext.
• The key is reused for different plaintext blocks
• Typical block sizes (value of n): 64 bits, 128 bits
• Complex modes of operation are used in practice
• Key sizes (value of k): 56 bits (DES), 128/192/256 bits (AES)

[Figure: Message (n bits) and secret key (k bits) go into the block cipher, which outputs Ciphertext (n bits)]

Common Block Cipher Design Approach

• Iterative cipher
  – start with a simple but useful function f
  – iterate f for many rounds until it is “secure”
  – F: Feistel structure is quite common (e.g., DES)

[Figure: message → F → F → F → ciphertext]

Block Cipher Operation (Simplified)

[Figure: Block of plaintext → key addition → rows of S-boxes (S S S S) → repeat for several rounds → Block of ciphertext]

• Key: add some secret key bits to provide confusion
• Each S-box permutes its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext)
• repeat for several rounds
• Procedure must be reversible (for decryption)


Block Cipher Principles

• needed since must be able to decrypt ciphertext to recover messages efficiently

• block ciphers look like an extremely large substitution

• instead create from smaller building blocks

• using idea of a product cipher

Data Encryption Standard (DES)

• DES was adopted as a US federal standard for commercial encryption in 1975.
• Feistel Cipher: the fundamental building block of DES designed by IBM.
• Design requirements:
  – must provide high level of security (commercial standard)
  – Security must not depend on secrecy of algorithm (Kerckhoffs’s principle)
  – Must be easily and economically implemented

Overview of DES

    \(C = \mathrm{DES}(K, M)\)

• Block size = 64 bits
• Key size = 56 bits
• Number of rounds = 16
• IP - Initial Permutation
• \(IP^{-1}\) - The inverse of IP
• f - A nonlinear function
• \(K_i\) - Round i subkey (48 bits)
• Each Feistel block can be described as

    \(L_i = R_{i-1}\)
    \(R_i = L_{i-1} \oplus f(R_{i-1}, K_i)\)

The Initial Permutation

How to read this table? The 58th bit of input x will be the 1st bit of output IP(x), the 50th bit of x is the second bit of IP(x), etc.

• Does not affect security.
• As far as anyone can tell, it makes things awkward for 1975-era general-purpose computers. (DES predates 16-bit or 32-bit microprocessor busses)

Feistel Transformation Block

• In Round i,
  – Separate message block into two 32-bit halves, \(L_i\) and \(R_i\)
  – Introduce confusion by using a “complex” nonlinear function f
  – f has two inputs: \(R_i\) and a 48-bit round key, \(K_i\)
  – Introduce diffusion by “adding” \(L_i\) and the output of f
• DES(K, ·) is a sequence of Feistel transforms.

    \(L_{i+1} = R_i\)
    \(R_{i+1} = L_i \oplus f(R_i, K_{i+1})\)

[Figure: one Feistel round: the two input halves, the round function f with its round key, and the two output halves]

Nonlinear Function f in Feistel Transformation

\(f(R, K)\) : (32 bits, 48 bits) → 32 bits
  – expand R to 48 bits R’ using permutation and repetition
  – R’ XOR with K
  – subdivide the result into 8 blocks of 6 bits each
  – each 6-bit block goes through an S-box to produce 4 bits
  – permute the 32-bit string

[Figure: the round function f inside one Feistel round: the 32-bit right half goes through Expansion to 48 bits, is combined with the 48-bit round key \(K_{i+1}\), is split into eight 6-bit inputs to S-boxes S1 to S8 giving eight 4-bit outputs, and the resulting 32 bits go through Permutation]

Expansion Permutation

• Output bits 32, 1, 2, 3, 4, 5, then 4, 5 again, and so on.
• For each output group of six bits (one row in the E table), the two outer bits select a row of an S-box, and the four bits in the middle choose the substitution value.

The S-Box Substitution

• There are eight S-boxes.
• Each takes 6 bits to 4 bits.
• Take the 6-bit input b1, b2, b3, b4, b5, b6
• Interpret b1 b6 as a row number, between 0 and 3.
• Interpret b2 b3 b4 b5 as a column number, 0 through 15.

S-box 1:

Bit 1 | Bit 6 | Bits 2, 3, 4, and 5 form:
      |       |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0   |   0   | 14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
  0   |   1   |  0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
  1   |   0   |  4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  1   |   1   | 15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
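The expansion step and the S-box lookup rule described above, as an added example that is not part of the original slides. It applies the row/column rule to the S-box 1 table and checks two properties the slides rely on: flipping one input bit changes at least two output bits, and the S-box is not an affine map. Function names are illustrative, and the expansion positions are generated from the pattern stated on the Expansion Permutation slide.

```python
# DES S-box 1, transcribed from the table on this slide (rows 0-3, columns 0-15).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def expand(r32):
    """Expansion permutation: 32-bit integer -> eight 6-bit groups.

    Bits are numbered 1..32 from the most significant bit. The groups read
    bits 32,1,2,3,4,5 / 4,5,6,7,8,9 / ... / 28,29,30,31,32,1, so adjacent
    groups overlap by two bits.
    """
    def bit(n):
        return (r32 >> (32 - n)) & 1

    groups = []
    for g in range(8):
        positions = [((4 * g - 1 + j) % 32) + 1 for j in range(6)]
        value = 0
        for p in positions:
            value = (value << 1) | bit(p)
        groups.append(value)
    return groups


def sbox1(six):
    """Look up a 6-bit input b1..b6 (b1 is the most significant bit)."""
    row = ((six >> 5) & 1) << 1 | (six & 1)   # outer bits b1 b6
    col = (six >> 1) & 0xF                    # middle bits b2 b3 b4 b5
    return S1[row][col]


def min_output_change():
    """Fewest output bits that change when exactly one input bit is flipped."""
    return min(
        bin(sbox1(x) ^ sbox1(x ^ (1 << b))).count("1")
        for x in range(64) for b in range(6)
    )


def is_affine():
    """True only if S(a) ^ S(b) ^ S(a ^ b) ^ S(0) == 0 for every a, b."""
    return all(
        sbox1(a) ^ sbox1(b) ^ sbox1(a ^ b) ^ sbox1(0) == 0
        for a in range(64) for b in range(64)
    )


if __name__ == "__main__":
    print(expand(0x80000001))    # bits 1 and 32 each land in two groups
    print(sbox1(0b011011))       # row 01, column 1101
    print(min_output_change(), is_affine())
```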


A Summary of One DES Round

DES Key Schedule (Subkey Generation)

[Figure: 56-bit key K → Permutation P1 → halves C0 and D0 → Cyclic Shift of each half → C1 and D1 → Permutation P2 (56 bits in, 48 bits out) → K1]

• 8-byte key has 8 parity check bits
• Each of C0 and D0 has 28 bits
• The number of shifts depends on i for each \(K_i\)

Security of DES

• Avalanche Effect
  – Change in one input bit produces independent changes in at least two output bits
• Bit Independence
  – No dependence on the changes of input bits with the changes of output bits
• Number of rounds
  – 15 or fewer rounds make cryptanalytic attacks against reduced-round DES easier than brute force key search (which needs to try a total of \(2^{56}\) keys in the worst case)
• Security of DES mainly relies on the nonlinearity of the f (i.e. the S-boxes)

DES Controversy

• When DES was proposed as a standard in 1975, there was considerable criticism.
• One objection to DES concerned the S-boxes: all computations in DES, with the exception of the S-boxes, are linear. The S-boxes, being the non-linear component of the cryptosystem, are vital to its security. However, the design criteria of the S-boxes are not completely known.
• Due to the NSA collaboration, several people have suggested that the S-boxes might contain hidden “trapdoors” which would allow the NSA to decrypt messages while maintaining that DES is “secure”. It is of course, impossible to disprove such an assertion, but no evidence has come to light that indicates that trapdoors in DES do in fact exist.
• The most pertinent criticism of DES is the reduction of key length from original 112-bits down to 56-bits.
• The size of the keyspace, \(2^{56}\), is “too small” to be really secure.

Exhaustive Key Search

• Given a plaintext x and corresponding ciphertext y, every possible key would be tested until a key K is found such that

    \(E_K(x) = y\)

  Note: there may be more than one such key K.
• Total number of keys = \(2^{56} \approx 7.2 \times 10^{16}\) keys
• Assume at a speed of \(10^6\) encryptions per second, it would need more than 1000 years to break DES.
• Diffie and Hellman postulated in 1977 that a DES cracking machine with \(10^6\) processors, each could test \(10^6\) keys per second, could be built for about US$20M.
  – This machine could break DES in about 10 hours.

Exhaustive Key Search

• In 1993, Michael Wiener presented a pipelined chip which does 16 encryptions simultaneously and tests \(5 \times 10^7\) DES keys per second.
• Each chip could be built for US$10 using current technology.
• A frame consisting of 5760 chips can be built for $100K.
• In 1997, cost cut by a factor of 6
• Software version of DES cracking effort can be found at http://www.distributed.net/des/
• Current Record: 22 hrs and 15 mins to break DES by distributed software cracking effort.

Machine Unit Cost         | Expected Time
$100,000                  | 35 hours
$1,000,000 (10 frames)    | 3.5 hours
$10,000,000 (100 frames)  | 21 minutes


How to strengthen DES?

Triple DES and DESX

• Triple DES: two 56-bit keys

[Figure: M → DES (K1) → DES⁻¹ (K2) → DES (K1) → C]

• DESX: three 56-bit keys

    \(C = K_3 \oplus \mathrm{DES}(K_2, M \oplus K_1)\)

[Figure: M combined with K1 → DES (K2) → combined with K3 → C]

• Similar security to DES using differential cryptanalysis and linear cryptanalysis
• But much harder to break using exhaustive key search than DES.

DES Replacements

• The most popular DES replacements in US are RC2, RC4 and RC5.
• The first two are used by SSL version 3.
• The most popular DES replacement in Europe is IDEA
• The most popular DES replacement in Japan is FEAL-N.
• AES (Advanced Encryption Standard) is the ‘official’ replacement of DES.
• The AES algorithm is called Rijndael.

Overview of Rijndael

• Rijndael: the algorithm chosen for AES (Advanced Encryption Standard)
• Both the key size and the block size may be chosen to be any of 128, 192, or 256 bits, although the AES only requires key size to be selectable in one of these lengths and the block size is fixed to be 128 bits long.
• Number of rounds is a function of the block and key length:
  – 10 rounds if both the block and the key are 128 bits long;
  – 12 rounds if either the block or the key is 192 bits long, and neither of them is longer than that;
  – 14 rounds if either the block or the key is 256 bits long.
• From their Web page:
  If you’re Dutch, Flemish, Indonesian, Surinamer or South-African, it’s pronounced like you think it should be. Otherwise, you could pronounce it like “Reign Dahl”, “Rain Doll”, “Rhine Dahl”. We’re not picky. As long as you make it sound different from “Region Deal”.

Rijndael Round Function

• Fully byte-oriented
• good for both software and hardware implementations
• Rijndael is composed of
  1. An initial XOR step (AddRoundKey)
  2. Regular round transformations (or rounds)
  3. Final round
• Each regular round involves four steps:
  1. ByteSub
  2. ShiftRow
  3. MixColumn
  4. AddRoundKey
• The final round is a regular round but with MixColumn omitted.

The Round Transformation

• ByteSub
  Each byte of the data block is substituted according to values given in an S-Box.
• ShiftRow
  Rows (except first row) of the State are cyclic shifted left independently.
• MixColumn
• AddRoundKey

http://www.nist.gov/aes
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

Rijndael Wrap Up

• The Rijndael algorithm is not a Feistel system
• In a Feistel system, half of the bits are moved but not changed during each round.
• In Rijndael, all bits are treated uniformly. This has the effect of diffusing the input bits faster.
• It can be shown that two rounds are sufficient to obtain full diffusion, namely, each of the 128 output bits depends on each of the 128 input bits.
• So far, there is no known attack that beats brute force for seven or more rounds. It was felt that four extra rounds provide a large enough margin of safety.
• Of course, the number of rounds could easily be increased if needed.

Operation Modes

• How to encrypt a plaintext which is longer than the size of a cipher block?
  – E.g. Using AES to encrypt a 1024-bit plaintext
• How to encrypt a plaintext which is not a multiple of cipher block size?
  – E.g. Using AES to encrypt a 129-bit plaintext

Electronic Codebook Mode (ECB)

    \(C_i = \mathrm{DES}(K, M_i)\)

• Each block is encoded independently using the same key
• Padding is needed
• Used to transmit fixed length messages, e.g. session key
• One bit transmission error affects one cipher block
• Repeated plaintext blocks produce the same cipher blocks
• Not frequently used in practice
  – Why?

[Figure: M1, M2, …, Mt each encrypted by DES under the same key K to give C1, C2, …, Ct]

Cipher Block Chaining (CBC)

• Goal: repeated plaintext blocks produce different ciphertext blocks

    \(C_i = \mathrm{DES}(K, M_i \oplus C_{i-1})\)

• Initialization vector (IV = \(C_0\)) is used for randomization
• Padding is required
• If one bit of \(M_1\) is changed, all subsequent blocks will be affected
  – can be used for constructing a MAC – Message Authentication Code
• Maintain IV secret to strengthen security of the system
• Generally used for block oriented transmission

[Figure: CBC encryption: M1 combined with IV and encrypted by DES under K to give C1; M2 combined with C1 and encrypted by DES under K to give C2]

Counter Mode

• Goal: to eliminate padding and error propagation
  – use block cipher as a pseudorandom bit generator
• Encryption algorithm:
  – Encrypt a known string of numbers in ECB mode, producing a string of output blocks \(\mathrm{DES}(K, I_i)\)
  – Compute \(C_i = M_i \oplus \mathrm{DES}(K, I_i)\)
• One bit transmission error spoils one bit only

[Figure: counters I1, I2, …, It each encrypted by DES under K; each output is combined with M1, M2, …, Mt to give C1, C2, …, Ct]
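The Feistel transform from the DES slides and the ECB, CBC and counter modes above, combined in one added example that is not part of the original slides. A toy 64-bit Feistel cipher with a truncated SHA-256 round function and an assumed key schedule stands in for DES(K, ·); the key, IV, nonce and message are constructed, and padding is left out.

```python
import hashlib

BLOCK = 8  # bytes: a 64-bit block, as in DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def f(half, subkey):
    """Round function: truncated SHA-256, deliberately not invertible."""
    return hashlib.sha256(subkey + half).digest()[:4]

def subkeys(key, rounds=16):
    # Assumed toy key schedule: one 48-bit subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]

def feistel(block, ks):
    left, right = block[:4], block[4:]
    for k in ks:  # L_{i+1} = R_i ; R_{i+1} = L_i xor f(R_i, K_{i+1})
        left, right = right, xor(left, f(right, k))
    return right + left  # final swap lets the same routine decrypt

def E(key, block):
    return feistel(block, subkeys(key))

def D(key, block):
    return feistel(block, subkeys(key)[::-1])  # same rounds, subkeys reversed

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):  # C_i = E(K, M_i); len(msg) must be a multiple of BLOCK
    return b"".join(E(key, m) for m in split(msg))

def cbc_encrypt(key, iv, msg):  # C_i = E(K, M_i xor C_{i-1}), with C_0 = IV
    out, prev = [], iv
    for m in split(msg):
        prev = E(key, xor(m, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):  # M_i = D(K, C_i) xor C_{i-1}
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(D(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce, data):  # C_i = M_i xor E(K, I_i); the same call decrypts
    return b"".join(xor(chunk, E(key, nonce + i.to_bytes(4, "big")))
                    for i, chunk in enumerate(split(data)))

# Constructed sample values, for illustration only.
KEY, IV, NONCE = b"demo-key", b"\x01" * 8, b"\x02" * 4
MSG = b"ATTACK!!ATTACK!!RETREAT!"  # the first two 8-byte blocks are identical

if __name__ == "__main__":
    ecb, cbc = ecb_encrypt(KEY, MSG), cbc_encrypt(KEY, IV, MSG)
    print("ECB repeats block:", ecb[:8] == ecb[8:16])
    print("CBC repeats block:", cbc[:8] == cbc[8:16])
```

The round function f is never inverted: decryption only reruns the rounds with the subkeys in reverse order, which is why a Feistel cipher can use a non-invertible f.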

Comparison on Symmetric Encryption Algorithm

Algorithm                                      | Strength | Features (Key length)
3DES                                           | Strong   | 64, 112, 168
AES                                            | Strong   | 128, 192, 256
IDEA (International Data Encryption Algorithm) | Strong   | 64, 128
Blowfish                                       | Weak     | 32, 448
RC4                                            | Weak     |
RC5                                            | Strong   | 32, 64, 128

Problems with Symmetric Encryption

• A single key must be shared between each sender and receiver pair. In a distributed environment with large numbers of combination pairs involved in many-to-one communication topology, it is difficult for the one recipient to keep so many keys in order to support all communication.
• Key management: setting up and acquisition of the secret key.
• The integrity of data can be compromised because the receiver cannot verify that the message has not been altered before receipt.
• It is possible for the sender to repudiate the message because there are no mechanisms for the receiver to make sure that the message has been sent by the claimed sender.