EE5552 Network Security and Encryption block 6 Dr. T.J. Owens CMath, FIMA, MIEEE Dr T. Itagaki MIET, MIEEE, MAES


Page 1

EE5552 Network Security and Encryption

block 6

Dr. T.J. Owens CMath, FIMA, MIEEE
Dr T. Itagaki MIET, MIEEE, MAES

Page 2

Block 6: Modern Symmetric Key Cryptography

Page 3

Objectives

After studying this material you should:
• Appreciate that many block ciphers are Feistel ciphers.
• Be able to explain how a Feistel cipher works.
• Be able to outline the architecture, modes of operation and applications of the DES.
• Be able to outline the architecture of the AES.

Page 4

Feistel Ciphers and the DES

Block Ciphers

The Data Encryption Standard (DES) developed from IBM's Lucifer cipher. It is based on the Feistel ladder.

Almost all block ciphers since Lucifer have been Feistel ciphers.

Such ciphers have a flat keyspace (with the possible exception of a few weak keys).

o This means the cipher is equally difficult to attack whichever key is chosen.

The 3G system encryption and integrity algorithms are both built around the KASUMI block cipher which is a Feistel cipher with 8 rounds.

Page 5

Feistel Ciphers (1)

The plaintext is viewed as a pair of n bit words (w1, w2). A function f is chosen and the pair (w2, f(w2) ⊕ w1) is formed, where ⊕ is bitwise addition modulo 2.

This step is called a round and is repeated as many times as required, choosing a different f each time.

Page 6

Feistel Ciphers (2)

A Feistel cipher gets its strength from the fact that a number of rounds involving non-linear transformations are applied to the data.

Careful choice of the nonlinear functions can help ensure that easy to solve sets of equations are unlikely to arise.

Page 7

Feistel Ciphers (3)

The Feistel Ladder

Page 8

Feistel Ciphers (4)

To make the example easier to follow we use functions over the set {0, 1, 2, 3, 4} and addition modulo 5 as our mixing operation. Plaintext pair (3, 2) is enciphered as follows:

Page 9

Feistel Ciphers (5)

Ciphertext is deciphered as follows:

Page 10

Feistel Ciphers (6)

To emphasise that this process is invertible for every message, every plaintext block of two characters was encrypted.

Table: all possible plaintext pairs and the corresponding ciphertexts

Notice that the corresponding ciphertext pairs are all distinct.
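The toy ladder of slides (4) to (6), as an added example that is not the slides' own code: the three round functions f_1..f_3 are my own choice (the slides' tables are not reproduced on this page), the mixing operation is addition modulo 5 with subtraction as its inverse, and `all_ciphertexts_distinct` repeats the slides' check over all 25 plaintext pairs. `xor_roundtrip_ok` runs the same ladder with XOR on n bit words, as in the definition on slide (1).

```python
# Toy Feistel ladder over {0,1,2,3,4} with addition mod 5 as the mixing operation.
MOD = 5

# Hypothetical round functions f_1, f_2, f_3 : {0..4} -> {0..4}. They need not be
# invertible: the ladder structure, not f, supplies the inverse.
ROUND_FUNCTIONS = [
    lambda x: (x * x + 1) % MOD,
    lambda x: (3 * x + 2) % MOD,
    lambda x: (x ** 3) % MOD,
]

def feistel_encrypt(pair, funcs, combine):
    """Each round maps (w1, w2) -> (w2, combine(f(w2), w1))."""
    w1, w2 = pair
    for f in funcs:
        w1, w2 = w2, combine(f(w2), w1)
    return (w1, w2)

def feistel_decrypt(pair, funcs, uncombine):
    """Run the rounds backwards: (w2, w3) -> (uncombine(w3, f(w2)), w2)."""
    w1, w2 = pair
    for f in reversed(funcs):
        w1, w2 = uncombine(w2, f(w1)), w1
    return (w1, w2)

def add_mod5(a, b):
    return (a + b) % MOD

def sub_mod5(a, b):
    """Inverse of add_mod5 in its first argument."""
    return (a - b) % MOD

def toy_encrypt(pair):
    return feistel_encrypt(pair, ROUND_FUNCTIONS, add_mod5)

def toy_decrypt(pair):
    return feistel_decrypt(pair, ROUND_FUNCTIONS, sub_mod5)

def all_ciphertexts_distinct():
    """The slides' check: all 25 plaintext pairs map to 25 different ciphertext pairs."""
    plaintexts = [(a, b) for a in range(MOD) for b in range(MOD)]
    return len({toy_encrypt(p) for p in plaintexts}) == len(plaintexts)

def xor_roundtrip_ok(bits=4):
    """Same ladder on n bit words with XOR as the mixing operation (XOR is its own inverse)."""
    mask = (1 << bits) - 1
    funcs = [lambda x: (7 * x + 3) & mask, lambda x: (x * x) & mask]
    xor = lambda a, b: a ^ b
    words = range(1 << bits)
    return all(feistel_decrypt(feistel_encrypt((a, b), funcs, xor), funcs, xor) == (a, b)
               for a in words for b in words)

if __name__ == "__main__":
    ct = toy_encrypt((3, 2))
    print("(3, 2) ->", ct, "->", toy_decrypt(ct))
```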

Page 11

The Data Encryption Standard (DES) (1)

An algorithm published in 1977 by the American National Bureau of Standards now named NIST (National Institute of Standards and Technology).

DES has been superseded by AES (the Advanced Encryption Standard) and withdrawn as a NIST standard.

Officially it is now known as the Data Encryption Algorithm (DEA), but it is still usually referred to as DES.

DES is a monoalphabetic (block) cipher with an alphabet of 2^64 letters.

Page 12

The Data Encryption Standard (DES) (2)

The operation of DES is complex and a demonstration of its operation is provided in CrypTool which you can run at your own pace.

In the pull down menu go to: Indiv. Procedures/Visualization of Algorithms/DES

A summary of the operation of DES is provided below which you should read in conjunction with the demonstration.

Page 13

The Data Encryption Standard (DES) (3)

The initial permutation is not cryptographically significant.

The DES ladder is a Feistel ladder with 16 stages or rounds.

Each of the stages in the ladder has the following structure:

Each of the 16 stages requires a 48 bit subkey, k_i.

These are generated from the original 56 bit key according to the following key schedule.

Page 14

The Data Encryption Standard (DES) (4)

The E-box expands a 32 bit block to a 48 bit block by permuting bits and repeating some.

This ensures that each input bit can affect the result of more than one application of S-box so that each output bit depends on every input bit after as few rounds of the cipher as possible.

The E-box also makes the result the same size as the 48 bit subkey for the XOR operation and provides a longer result that can be compressed in the S-box.

The 56 bit key is split into two halves, then the halves are circularly shifted by either one or two bits, depending on the round, finally 48 of the 56 bits are selected and their order permuted.

Page 15

The Data Encryption Standard (DES) (5)


The S-box splits its 48 bit input into 8 blocks of 6 bits. Each 6 bit block is mapped to a 4 bit result in a substitution table, and thus the output of S is again 32 bits.

Note that these 8 substitutions are independent of each other. Much of the work in designing DES was to design the S-box tables.

The S-box tables are nonlinear transformations, the crucial elements of the cipher.

The resulting 32 bits are permuted in the P-box.

Page 16

The Data Encryption Standard (DES) (6)

One DES ROUND

Page 17

DES Configurations

They are defined in the ANSI Standard X3.106-1982, Modes of Operation of the DEA.

Page 18

ECB: Electronic Codebook (1)

In this mode a 64 bit plaintext block is encrypted once using one 56 bit DES key.

This mode is vulnerable to known plaintext attack by exhaustive key search.

A symmetry means that there are “only” 2^55 keys to try. This is a big number, but not so big that it is out of range of special purpose hardware, or massively parallel processors.

Page 19

ECB: Electronic Codebook (2)

ECB mode is generally used only for key encryption.

The Electronic Frontier Foundation funded a team of engineers to build a DES cracking machine at a cost of $210,000. This broke a DES challenge in 3 days.

In 2006 Sandeep Kumar and colleagues at the universities of Bochum and Kiel built a DES cracking machine for $10,000 that could break DES in 7 days on average.

Currently the SciEngines RIVYERA machine holds the record for brute-force breaking of DES: using 128 Spartan-3 5000 FPGAs it can break DES in under 24 hours.

Page 20

ECB: Electronic Codebook (3)

The vulnerability of DES in ECB mode to exhaustive key search (brute force attack) has led to its replacement by triple DES.

It is important to realise that ECB mode should never be used to encrypt a message of more than one input block that has an authenticity requirement, as it could be subject to a cut and splice attack.

o For example, from the message ‘Pay account number X the sum Y transaction number Z’ an attacker could initiate a payment where some of the digits of X have been replaced with some of the digits of Z.

Page 21

ECB: Electronic Codebook (4)

Triple Encryption (1)

One could increase the strength of a block cipher by applying it twice with different keys; this would appear to increase the size of the keyspace to search to 2^(2n) keys (from 2^n).

BUT double-DES is vulnerable to a known plaintext attack, the meet-in-the-middle attack, that only needs 2^(n+1) rather than 2^(2n) encryptions to be performed.

Page 22

ECB: Electronic Codebook (5)

Triple Encryption (2)

Better is triple DES with three different DES keys.

Triple DES works because DES is not a group, so encrypting a plaintext under one DES key and then encrypting the result under another key is not always equivalent to a single encryption under a single key.

Page 23

ECB: Electronic Codebook (6)

Triple DES is now very popular, primarily because key size remains in practice the only true point of attack in DES.

The best meet in the middle attack for triple DES with three keys requires 2^(2n) trial encryptions, and thus effectively doubles the key size of DES to 112 bits, and should prevent decryption by an enemy capable of single-key exhaustive search.

Of course, using triple-encryption takes three times as long as single-encryption DES.

Page 24

ECB: Electronic Codebook (7)

AES has a 128 bit input block and new systems use AES as the cipher of choice, but the banking industry is committed to using block ciphers with a 64 bit input block because of the way the protocols by which ATMs (Automatic Teller Machines), point-of-sale terminals and bank networks talk to each other format messages. Triple-DES is likely to be used for such applications for the foreseeable future.

Page 25

CBC: Cipher Block Chaining (1)

In CBC mode, a random initialisation vector (IV) is transmitted and also XORed with the first block of plaintext. The result is then encrypted with DES and transmitted. This ciphertext block is also XORed with the next plaintext block and the process repeated.

CBC mode helps protect against certain attacks, although not against exhaustive search or a technique called differential cryptanalysis.

This is a useful technique for preventing an adversary from building up a codebook of plaintext-ciphertext pairs.

Page 26

CBC: Cipher Block Chaining (2)

It also prevents replay and deletions of single blocks, although it does not provide message integrity protection. A change within a block of ciphertext will only affect two plaintext blocks on decryption.

In practice, most commercial applications that encrypt more than one block use CBC which is specified in several standards.

For additional security, one could use triple encryption with CBC, but since single DES in CBC mode is usually considered secure enough, triple encryption is not often used.

Page 27

CBC: Cipher Block Chaining (3)

Page 28

CFB: Cipher Feedback Mode (1)

This is a variant of CBC which does not require that a full 64 bit block is received before encryption can begin.

The plaintext is enciphered in blocks of s bits at a time and each ciphertext block of s bits is fed into a 64 bit shift register. The shift register is the input to the DES for the next block of s bits.

Both CBC and CFB have the disadvantage that any missing or inserted bits at any point in the message will cause all subsequent message blocks to be incorrectly deciphered.

o This is called error propagation.

Page 29

CFB: Cipher Feedback Mode (2)

However, in CFB if some bits in one block of s bits are corrupted by noise, so that a 0 is read as a 1 or vice versa, the system will recover after one block of s bits.

CFB was designed for use in military High Frequency radio links, which are vulnerable to fading, but is not often used these days as error correction protocols are used to address the problem of bits being received incorrectly.

Page 30

CFB: Cipher Feedback Mode (3)

Page 31

OFB: Output Feedback (1)

OFB mode protects against error propagation because ciphertext is not fed back into either the encryption or decryption process. This is one standard way of turning a block cipher into a stream cipher.

However, like any stream cipher OFB fails to protect message integrity. For example, fund transfer messages are very highly structured. Suppose an attacker knew bytes 37-42 of such a message contained the amount to be transferred. They could request a modest sum (500 euro) to be sent to an accomplice. If by wiretapping the attacker can obtain the corresponding ciphertext for the message, C = M ⊕ K, they know M for bytes 37-42 and so know K for bytes 37-42. They take the ciphertext and change bytes 37-42 to read 500,000 euro XORed with K for bytes 37-42, then send it on. This is an example of an attack in depth.

Page 32

OFB: Output Feedback (2)

For security, even if only k bits are output at each stage, all 64 bits should be used for feedback.

Page 33

OFB: Output Feedback (3)

Example: Mickey Mouse (image panels: Original, ECB, CBC)

Page 34

Weak Keys

In DES there are four keys for which encryption is exactly the same as decryption, so encrypting twice with one of these weak keys recovers the original plaintext.

However, the number of weak keys is such a small fraction of all possible keys that the chance of picking one at random is very small so they pose no significant threat to security.

Page 35

Algebraic Attacks (1)

DES is not open to any attack based on the algebraic structure of groups because it has been proved not to be a group.

DES has been controversial since its inception for a number of reasons:

• Design details were kept secret. This led to speculation that it had a trapdoor. (In reality the reason was that DES was designed to be resistant to differential cryptanalysis. When DES was designed this method of attack was known only to the intelligence community and was classified.)

• Shortness of the key also caused controversy.

Page 36

Algebraic Attacks (2)

It has been argued that it should be 128 bits as in the original Lucifer system.

DES is now very old and ECB mode is now vulnerable to a known plaintext attack by exhaustive key search.

Advanced Encryption Standard (AES) has been proposed as the replacement for DES.

There are of course other block ciphers and the following have gained commercial acceptance: IDEA, Blowfish, RC4, CAST-128.

Page 37

Modes of operation for symmetric key block ciphers

In 2001 NIST issued a recommendation that: “defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm:
• Electronic Codebook (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• Counter (CTR)

Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.”

Page 38

CTR: Counter

In both CTR encryption and CTR decryption, the forward cipher functions can be performed in parallel. Similarly, the plaintext block that corresponds to any particular ciphertext block can be recovered independently from the other plaintext blocks if the corresponding counter block can be determined.

Moreover, the forward cipher functions can be applied to the counters prior to the availability of the plaintext or ciphertext data.

In Wi-Fi RSN the security protocol built around AES is called Counter Mode – CBC MAC Protocol or CCMP.

Basic counter mode does not provide any message authentication, only encryption.

o Therefore, for RSN, additional capabilities are added.
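An added example (not the slides' code) that runs the five NIST modes over a constructed stand-in 64-bit keyed permutation and measures the error propagation the CBC, CFB and OFB slides describe: `damaged_blocks` flips one ciphertext bit and reports which plaintext blocks decrypt wrongly. The block function, key, IV and message are all constructed for the demo; CFB is shown with s = 64, so a whole ciphertext block is fed back, and padding is left out.

```python
import hashlib

BLOCK = 8                       # 64-bit blocks, the DES block size
MASK = 2**64 - 1
MULT = 0x9E3779B97F4A7C15       # odd, so multiplication mod 2^64 is invertible

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key):
    h = hashlib.sha256(key).digest()
    return int.from_bytes(h[:8], "big"), int.from_bytes(h[8:16], "big")

def toy_encrypt_block(key, block):
    """Stand-in keyed 64-bit permutation (constructed for this demo, NOT a real cipher)."""
    k1, k2 = _subkeys(key)
    x = ((int.from_bytes(block, "big") ^ k1) * MULT) & MASK
    x = ((x << 17) | (x >> 47)) & MASK
    return (x ^ k2).to_bytes(BLOCK, "big")

def toy_decrypt_block(key, block):
    k1, k2 = _subkeys(key)
    x = int.from_bytes(block, "big") ^ k2
    x = ((x >> 17) | (x << 47)) & MASK
    return (((x * pow(MULT, -1, 2**64)) & MASK) ^ k1).to_bytes(BLOCK, "big")

def _blocks(data):
    assert len(data) % BLOCK == 0, "padding is out of scope here"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _counter_block(iv, i):
    return ((int.from_bytes(iv, "big") + i) & MASK).to_bytes(BLOCK, "big")

def crypt(mode, key, iv, data, decrypting=False):
    """Encrypt (or decrypt) `data` in the named mode; `prev` is the feedback register."""
    E = lambda b: toy_encrypt_block(key, b)
    D = lambda b: toy_decrypt_block(key, b)
    out, prev = [], iv
    for i, x in enumerate(_blocks(data)):
        if mode == "ECB":
            y = D(x) if decrypting else E(x)       # equal blocks give equal ciphertext
        elif mode == "CBC":
            y = _xor(D(x), prev) if decrypting else E(_xor(x, prev))
            prev = x if decrypting else y          # the ciphertext block is fed back
        elif mode == "CFB":                        # s = 64: whole ciphertext block fed back
            y = _xor(x, E(prev))                   # both directions use E, never D
            prev = x if decrypting else y
        elif mode == "OFB":
            prev = E(prev)                         # feedback is cipher output, not ciphertext
            y = _xor(x, prev)
        elif mode == "CTR":
            y = _xor(x, E(_counter_block(iv, i)))  # blocks are independent: parallelisable
        else:
            raise ValueError(mode)
        out.append(y)
    return b"".join(out)

def damaged_blocks(mode, key, iv, plaintext, flip_block=1):
    """Flip one bit of ciphertext block `flip_block` (a transmission error) and return
    the indices of the plaintext blocks that then decrypt wrongly."""
    ct = bytearray(crypt(mode, key, iv, plaintext))
    ct[flip_block * BLOCK] ^= 0x80
    got = _blocks(crypt(mode, key, iv, bytes(ct), decrypting=True))
    want = _blocks(plaintext)
    return [i for i in range(len(want)) if got[i] != want[i]]

# Constructed sample input: four blocks, the first and third identical.
KEY = b"constructed demo key"
IV = bytes(range(BLOCK))
MSG = b"PAY 0100" b"ACCT 042" b"PAY 0100" b"TXN 9999"
MODES = ("ECB", "CBC", "CFB", "OFB", "CTR")

if __name__ == "__main__":
    for m in MODES:
        print(m, "blocks damaged by one flipped ciphertext bit:", damaged_blocks(m, KEY, IV, MSG))
```

For OFB and CTR only the flipped block is affected, and only in the flipped bit, which is exactly why these modes need a separate integrity check such as the CBC-MAC that CCMP adds.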

Page 39

Advanced Encryption Standard (1)

DEA was designed for hardware implementation and cannot be implemented efficiently in software. Consequently, Triple DES is relatively slow to encrypt and decrypt when implemented in software and a more efficient replacement is desirable.

Furthermore, Triple DES encodes messages in blocks of 64 bits and a larger block size, giving a larger input alphabet, is desirable for greater security.

In 1997 the US National Institute of Standards and Technology (NIST) announced it would be developing an Advanced Encryption Standard (AES) as a replacement for DES.

Page 40

Advanced Encryption Standard (2)

NIST stipulated that AES would specify an unclassified, publicly disclosed encryption algorithm available royalty free, worldwide, and that the algorithm would be a symmetric key block cipher supporting input blocks of at least 128 bits and key sizes of 128, 192, and 256 bits.

After a rigorous evaluation process, on 2 October 2000 NIST selected the Rijndael cipher for the AES from an original field of 15 candidates.

The Rijndael cipher was invented by Belgian researchers Joan Daemen (male) and Vincent Rijmen.

AES was published as Federal Information Processing Standards (FIPS) publication 197 on 4 December 2001.

Page 41

Algorithm specification (1)

The Rijndael cipher is an iterated block cipher with a variable block length and variable key length, where a block is the smallest data size the algorithm will encrypt.

The block length and key length can be independently specified to be 128, 192 or 256 bits.

However, the variations of Rijndael which act on the larger block sizes are not included in AES.

Rijndael is not a Feistel cipher. AES contains nonlinear (S-box substitution) and linear (ShiftRow and MixColumn) mixing layers.

Page 42

Algorithm specification (2)

Each block of plain text is encrypted several times with a repeating sequence of various functions that constitute a so-called round. The number of rounds used depends on the key length. For a key length of 128 bits 10 rounds are used, for a key length of 192 bits 12 rounds are used, and for a key length of 256 bits 14 rounds are used.

For an excellent demonstration of 10 round AES encryption, from the CrypTool pull down menu choose: Indiv. Procedures/Visualization of Algorithms/AES/Rijndael Animation

For an illustration of AES decryption choose: Indiv. Procedures/Visualization of Algorithms/AES/Rijndael Inspector
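The round layers named on these two slides, as an added example that is not the slides' or FIPS 197's own code: the nonlinear S-box is generated from the GF(2^8) inverse and affine map rather than typed in as a table, ShiftRows and MixColumns are the linear layers, and `aes_encrypt_block` assumes round keys supplied by a key schedule that is not shown here (a hypothetical input).

```python
# AES round layers built from GF(2^8) arithmetic; the state is 16 bytes stored
# column-major, so state[r + 4*c] is row r, column c.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 maps to 0 by convention."""
    return next((x for x in range(1, 256) if gf_mul(a, x) == 1), 0)

def make_sbox():
    """SubBytes table: GF(2^8) inverse followed by the affine map over GF(2)."""
    sbox = []
    for a in range(256):
        b = s = gf_inv(a)
        for _ in range(4):                 # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox.append(s ^ 0x63)
    return sbox

SBOX = make_sbox()

def sub_bytes(state):
    """The nonlinear layer: every byte through the same S-box."""
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r is rotated left by r positions (row 0 is untouched)."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_column(col):
    """Multiply one column by the fixed MDS matrix over GF(2^8)."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]

def mix_columns(state):
    return [b for c in range(4) for b in mix_column(state[4 * c:4 * c + 4])]

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def rounds_for_key_length(key_bits):
    """AES-128/192/256 use 10, 12 and 14 rounds respectively."""
    return {128: 10, 192: 12, 256: 14}[key_bits]

def aes_encrypt_block(block, round_keys):
    """Encrypt one 16-byte block given the Nr + 1 expanded round keys (hypothetical input:
    the key schedule that produces them is not part of this example)."""
    state = add_round_key(list(block), round_keys[0])
    for rk in round_keys[1:-1]:            # Nr - 1 full rounds
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk)
    return bytes(add_round_key(shift_rows(sub_bytes(state)), round_keys[-1]))  # no MixColumns
```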

Page 43

Concluding Remarks (1)

Side-channel attacks do not attack the underlying cryptographic algorithm, and so have nothing to do with its security, but attack implementations of the cipher on systems which inadvertently leak data. There are several such known attacks on certain implementations of AES.

In October 2005 a paper was presented that demonstrated several cache-timing attacks against AES. One attack was able to obtain an entire AES key after only 800 operations triggering encryption, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.

In December 2009 an attack on some hardware implementations of AES was published that used Differential Fault Analysis and allows recovery of the key with complexity 2^32.

Page 44

Concluding Remarks (2)

Although there is no proof of the security of the AES cryptographic algorithm, it is the first publicly accessible and open cipher approved by the United States National Security Agency (NSA) for top secret information. In 2003 it stated:

“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.”

See: http://csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf

Page 45

Concluding Remarks (3)

On July 1, 2009, Bruce Schneier blogged about related-key attacks published in December 2009 on the 192-bit and 256-bit versions of AES, which exploit AES's somewhat simple key schedule. A related-key attack can break 256-bit AES with a complexity of 2^99.5, which while faster than brute force is still infeasible. In a similar manner, 192-bit AES can be broken by an attack with a complexity of 2^176. 128-bit AES is not affected by these attacks.

See: http://eprint.iacr.org/2009/317

Page 46

Concluding Remarks (4)

Note: In cryptography, a related-key attack is any form of cryptanalysis where the attacker can observe the operation of a cipher under several different keys whose values are initially unknown, but where some mathematical relationship connecting the keys is known to the attacker. If the AES algorithm is properly implemented this is a somewhat unrealistic model, so both of the above attacks are still mainly of theoretical interest and do not present a threat to practical applications using AES.

Page 47

Concluding Remarks (5)

The recommended modes of operation of AES are ECB, CBC, CFB, OFB and CTR, although many others have been proposed.

The result of every step in the encryption process is dependent on every bit of the key.

AES has very limited RAM and ROM memory requirements and so is suitable for use in restricted-resource environments such as smart cards.

o One current recommendation for the 3GPP AKA algorithms is MILENAGE, which is based on AES.

It is likely to take several years for AES to replace DES. It is important to note that AES is freely available worldwide.