Network Security and Cryptography Lecture 7 Uday Prakash Pethakamsetty [email protected] 1/29/2013 1 Dept. of ECE Network Security & Cryptography


Block Ciphers & DES


Background to modern symmetric ciphers

• All the traditional ciphers are character-oriented ciphers.
• The advent of the computer resulted in the usage of bit-oriented or byte-oriented ciphers.
• Information transmitted using modern cryptography is not just text, but also includes numbers, graphics, audio and video data.
• So even text is treated at bit level: each character is replaced by 8 (or 16) bits. Thereby, mixing a larger number of symbols increases security.


Modern symmetric key ciphers

1. Modern stream cipher: encrypts/decrypts a digital data stream one bit or one byte at a time.
   1. Synchronous stream ciphers (ex: one-time pad): the key stream is independent of the plaintext or ciphertext stream.
   2. Non-synchronous stream cipher: each key in the key stream depends on previous plaintext or ciphertext.
2. Modern block cipher: plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically the block size is 64, 128, 256 or 512 bits.


Stream ciphers

• The most famous: Vernam cipher
  – Invented by Vernam (AT&T, in 1917)
  – Processes the message bit by bit (as a stream)
  – Different from the one-time pad, though some call them the same
  – Simply adds bits of the message to random key bits
• Examples
  – A well-known stream cipher is RC4
  – Others include: A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, Panama, Pike, SEAL, SOBER, SOBER-128 and WAKE
• Usage
  – Stream ciphers are used in applications where plaintext comes in quantities of unknowable length, for example a secure wireless connection


Stream ciphers

• Drawbacks
  – Need as many key bits as message bits, which is difficult in practice (i.e., distributing them on a magnetic tape or CD-ROM).
• Strength
  – Is unconditionally secure provided the key is truly random
• Key generation
  – Why not generate the key stream from a smaller (base) key?
    • Use some pseudo-random function to do this.
    • Although this looks very attractive, it proves to be very difficult in practice to find a good pseudo-random function that is cryptographically strong.
    • This is still an area of much research.


Modern block cipher

• A symmetric-key modern block cipher encrypts/decrypts an n-bit block of plaintext.
• The encryption/decryption algorithm uses a k-bit key.
• If a message has fewer than n bits, padding must be added to make it an n-bit block; if the message has more than n bits, it should be divided into n-bit blocks and the appropriate padding may be done for the last block.
• Typically block sizes are 64, 128, 256 or 512 bits.


Modern Block cipher

Practically implemented algorithms:

• Data Encryption Standard (DES)
  – Block size is 64 bits
  – Key is 56 bits
• IDEA
  – Block size is 64 bits
  – Key size is 128 bits
• Advanced Encryption Standard (AES)
  – Variable block size = 128, 192 or 256 bits
  – Variable key size = 128, 192 or 256 bits
  – Invented by Rijndael


Block vs Stream Ciphers

• Stream ciphers are faster than block ciphers.
• The hardware implementation of a stream cipher is also easier.
• When the binary stream is encrypted and transmitted at a constant rate, a stream cipher is the better choice.
• Stream ciphers are also more immune to corruption of bits during transmission.
• Stream ciphers process messages a bit or byte at a time when en/decrypting.
• Block ciphers break messages into blocks, each of which is then en/decrypted.
  – Like a substitution on very big characters (64 bits or more)
• Many current ciphers are block ciphers; hence they get more focus in the course.


Modern block cipher

Substitution or transposition block cipher?

To resist exhaustive-search attacks, modern block ciphers are designed as substitution ciphers.

This is because the inherent characteristic of transposition (preserving the number of 1s and 0s) makes the cipher vulnerable to exhaustive-search attacks.

Components of a modern block cipher

D-boxes are used as transposition units for diffusion.

S-boxes are used as substitution units for confusion.


D(diffusion)-Boxes

• They parallel the traditional transposition cipher for characters: a D-box transposes bits.
• They help in spreading (diffusion) of input disturbances.
• There are three types of D-boxes:
  1. Straight D-boxes
  2. Expansion D-boxes
  3. Compression D-boxes
• D-boxes are keyless, i.e., the mapping is predetermined. In a hardware implementation it is prewired; in a software implementation a predefined permutation table shows the rule of mapping.


D(diffusion)-Boxes

• Straight D-boxes contain n inputs and n outputs.
  – The connection between them is a permutation.
  – There are n! possible mappings.
  – Also called a permutation box or P-box.
• Compression D-boxes contain n inputs and m outputs, with n > m.
  – Some of the inputs are blocked and do not reach the output.
  – Used mainly when we need to permute bits and at the same time decrease the number of bits for the next stage.
• Expansion D-boxes contain n inputs and m outputs, with n < m.
  – m-n inputs are mapped to more than one output.
  – Used mainly when we need to transpose bits and at the same time increase the number of bits for the next stage.
• NOTE: Straight D-boxes are invertible. Compression and expansion D-boxes have no inverses.
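
The three D-box types as predefined permutation tables, in an added example that is not part of the original slides. The three tables are constructed samples, and the helper names are made up here; the last helper illustrates the earlier remark that transposition preserves the number of 1s and 0s.

```python
from math import comb

# Tables are 1-based: output bit i is a copy of input bit table[i-1].
# All three tables are constructed samples, not taken from any standard.
STRAIGHT = [4, 1, 6, 8, 2, 5, 3, 7]               # 8 in, 8 out
COMPRESSION = [2, 8, 5, 1, 7, 3]                  # 8 in, 6 out (inputs 4 and 6 blocked)
EXPANSION = [8, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 1]  # 8 in, 12 out (4 inputs repeated)


def dbox(bits, table):
    """Apply a keyless D-box to a list of bits."""
    return [bits[src - 1] for src in table]


def invert_straight(table):
    """Return the inverse table of a straight D-box.

    Raises ValueError for compression/expansion tables, which have no inverse.
    """
    n = len(table)
    if sorted(table) != list(range(1, n + 1)):
        raise ValueError("table is not a permutation of 1..n")
    inverse = [0] * n
    for out_pos, src in enumerate(table, start=1):
        inverse[src - 1] = out_pos
    return inverse


def compression_collision(table, n_inputs):
    """Two distinct inputs that a compression D-box maps to the same output."""
    blocked = next(i for i in range(1, n_inputs + 1) if i not in table)
    a = [0] * n_inputs
    b = list(a)
    b[blocked - 1] = 1      # differs only in a bit that never reaches the output
    return a, b


def candidates_after_transposition(n_bits, ones):
    """Inputs consistent with an output of a pure transposition: the count of
    1s is preserved, so only C(n, ones) candidates remain instead of 2**n."""
    return comb(n_bits, ones)


if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 0, 1, 0]            # constructed sample input
    y = dbox(x, STRAIGHT)
    print("straight  :", y, "ones preserved:", sum(x) == sum(y))
    print("round trip:", dbox(y, invert_straight(STRAIGHT)) == x)
    print("expansion :", dbox(x, EXPANSION))
    a, b = compression_collision(COMPRESSION, 8)
    print("collision :", dbox(a, COMPRESSION) == dbox(b, COMPRESSION))
    print("candidates:", candidates_after_transposition(8, 4), "of", 2 ** 8)
```
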


S (substitution)-Boxes

An S-box does the task of a substitution cipher.

It can have a different number of inputs and outputs.

The number of inputs need not be the same as the number of outputs.

S-boxes can be keyed or keyless. Generally, keyless S-boxes are more popular.

Linear and nonlinear S-boxes: nonlinear S-boxes do not have the relative equations for every output that linear S-boxes have. In nonlinear S-boxes, at times, combinations (AND) of two or more inputs/outputs take place.

Invertibility: S-boxes are substitution ciphers in which the relation between inputs and outputs is defined by a table or mathematical relation. So S-boxes may or may not be invertible. Invertible S-boxes have the same number of input bits and output bits.


Block cipher


CBC cipher (Cipher Block Chaining)


CBC Deciphering


Substitution and Permutation

• In his 1949 paper, Shannon also introduced the idea of substitution-permutation (S-P) networks, which now form the basis of modern block ciphers
  – An S-P network is the modern form of a substitution-transposition product cipher
  – S-P networks are based on the two primitive cryptographic operations we have seen before (block and CBC ciphering)


Substitution

• A binary word is replaced by some other binary word
• The whole substitution function forms the key
• If we use n-bit words,
  – The key space is (2^n)!
• Can also think of this as a large lookup table, with n address lines (hence 2^n addresses), each n bits wide being the output value
• Will call them S-boxes


Permutation

• A binary word has its bits reordered (permuted)
• The re-ordering forms the key
• If we use n-bit words, the key space is n! (less secure than substitution)
• This is equivalent to a wire-crossing in practice
  – (Though it is much harder to do in software)
• Will call these P-boxes


Substitution-permutation Network

• Shannon combined these two primitives

• He called these mixing transformations

• A special form of product ciphers where

• S-boxes

– Provide confusion of input bits

• P-boxes

– Provide diffusion across s-box inputs


Confusion and Diffusion

• A cipher needs to completely obscure the statistical properties of the original message
• Confusion: makes the relationship between ciphertext and key as complex as possible
  – A technique that seeks to make the relationship between the statistics of the ciphertext and the value of the encryption keys as complex as possible. Cipher uses key and plaintext.
• Diffusion: dissipates the statistical structure of the plaintext over the bulk of the ciphertext
  – A technique that seeks to obscure the statistical structure of the plaintext by spreading out the influence of each individual plaintext digit over many ciphertext digits.


Desired Effect

• Avalanche effect
  – A characteristic of an encryption algorithm in which a small change in the plaintext gives rise to a large change in the ciphertext
  – Best: changing one input bit results in changes of approximately half the output bits.
• Completeness effect
  – Where each output bit is a complex function of all the input bits.


Practical Substitution-Permutation Networks

• In practice, we need to be able to decrypt messages as well as to encrypt them, hence either:
  – Have to define inverses for each of our S- and P-boxes, but this doubles the code/hardware needed, or
  – Define a structure that is easy to reverse, so we can use basically the same code or hardware for both encryption and decryption


Feistel Cipher Structure

Invented by Horst Feistel, working at IBM Thomas J Watson research labs in the early 70's

Based on the concept of an invertible product cipher

Implements Shannon's substitution-permutation network concept

Partitions the input block into two halves

Processes them through multiple rounds, which

  – Perform a substitution on the left data half
  – Based on a round function of the right half and a subkey
  – Then have a permutation swapping the halves


Feistel Cipher Structure

In this Feistel cipher structure, for each round, the operation is performed on one half of the block.

The operation can be expressed as:


This can be described functionally as:

L(i) = R(i-1)

R(i) = L(i-1) ⨁ f(k(i), R(i-1))

This can easily be reversed, as seen in the above diagram, by working backwards through the rounds.

In practice, a number of these stages are linked together (typically 16 rounds) to form the full cipher.
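
The round equations above, and the avalanche effect described earlier, in an added example that is not part of the original slides: a 16-round Feistel network over 64-bit blocks. The SHA-256-based round function and key schedule are stand-ins chosen for this example, not the DES function f or its subkey generation, and all function names are made up here.

```python
import hashlib

HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1


def round_function(subkey: bytes, right: int) -> int:
    """Stand-in for f(k(i), R(i-1)); it does not need to be invertible."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def subkeys(key: bytes, rounds: int = 16):
    """Toy key schedule (assumption): one derived 48-bit subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]


def feistel(block: int, round_keys) -> int:
    left, right = block >> HALF_BITS, block & MASK
    for k in round_keys:
        # L(i) = R(i-1);  R(i) = L(i-1) XOR f(k(i), R(i-1))
        left, right = right, left ^ round_function(k, right)
    # Undo the final swap so the same routine decrypts with reversed subkeys.
    return (right << HALF_BITS) | left


def encrypt(block: int, key: bytes, rounds: int = 16) -> int:
    return feistel(block, subkeys(key, rounds))


def decrypt(block: int, key: bytes, rounds: int = 16) -> int:
    # Same structure, subkeys applied in reverse order.
    return feistel(block, subkeys(key, rounds)[::-1])


def avalanche(key: bytes, plaintext: int, bit: int, rounds: int = 16) -> int:
    """Ciphertext bits that change when one plaintext bit is flipped."""
    diff = encrypt(plaintext, key, rounds) ^ encrypt(plaintext ^ (1 << bit), key, rounds)
    return bin(diff).count("1")


def mean_avalanche(key: bytes, plaintext: int, rounds: int = 16) -> float:
    """Average over flipping each of the 64 plaintext bits in turn."""
    return sum(avalanche(key, plaintext, b, rounds) for b in range(64)) / 64


if __name__ == "__main__":
    key, p = b"lecture7", 0x0123456789ABCDEF    # constructed sample values
    c = encrypt(p, key)
    print(f"ciphertext {c:016x}, decrypts back: {decrypt(c, key) == p}")
    for r in (1, 2, 3, 16):
        print(f"{r:2d} rounds: mean bits changed = {mean_avalanche(key, p, r):.1f} of 64")
```

With a single round, a flipped bit in the left half changes exactly one output bit; the mean only approaches half of the 64 output bits once several rounds are chained.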


Data Encryption Standard (DES)

Adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology, in the US.

Most widely used encryption technique.

Block cipher with fixed block size

  Plaintext block size: 64 bits

  Key size: 56 bits

Longer plaintexts are processed in 64-bit blocks.

Shorter plaintexts are processed by padding with sufficient zeros.

The same algorithm is used for decryption.

Subject to much controversy


History of DES

• IBM LUCIFER, 60's
  – Uses a 128-bit key
• Proposal for NBS, 1973
• Adopted by NBS, 1977
  – Uses only a 56-bit key
    • Possible brute force attack
  – Design of S-boxes was classified
    • Hidden weak points in S-boxes?
  – Wiener (1993) claimed to be able to build a machine at $100,00 and break DES in 1.5 days


DES

• DES encrypts 64-bit blocks of data, using a 56-bit key.
• The basic process consists of:
  – an initial permutation (IP)
  – 16 rounds of a complex key-dependent calculation f
  – a final permutation, being the inverse of IP
  – Function f can be described as
    • L(i) = R(i-1)
    • R(i) = L(i-1) ⨁ P(S(E(R(i-1)) ⨁ K(i)))


DES


DES function f


Initial and Final Permutation

• The Initial Permutation IP table may be as follows:


Expansion Table E

• Expands the 32 bit data to 48 bits

– Result (i) = input (array(i))


S-Boxes

• Here, an S-box is a fixed 4 by 16 array
• Given 6 bits B = b1 b2 b3 b4 b5 b6
  – Row r = b1 b6
  – Column c = b2 b3 b4 b5
  – S(B) = S(r, c), written in binary of length 4
• Example of an S-box is as below:
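
The S-box figure is not present on this page. The following added example (not from the original slides) applies the row/column rule above to S1, the first of the eight S-boxes of the published DES standard, and checks two properties: the table is not an affine function of its input bits, and a single flipped input bit changes at least two output bits. The function names are made up here.

```python
# S1 of the published DES standard: 4 rows by 16 columns, entries 0..15.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(six_bits: int, table=S1) -> int:
    """S(B) for B = b1 b2 b3 b4 b5 b6, with b1 the most significant bit."""
    b1 = (six_bits >> 5) & 1
    b6 = six_bits & 1
    row = (b1 << 1) | b6              # r = b1 b6
    col = (six_bits >> 1) & 0xF       # c = b2 b3 b4 b5
    return table[row][col]


def is_affine(table=S1) -> bool:
    """True if S(a ^ b) == S(a) ^ S(b) ^ S(0) for all a, b (a linear S-box)."""
    s0 = sbox_lookup(0, table)
    return all(
        sbox_lookup(a ^ b, table) == sbox_lookup(a, table) ^ sbox_lookup(b, table) ^ s0
        for a in range(64) for b in range(64)
    )


def min_output_change(table=S1) -> int:
    """Fewest output bits that change over all single-bit input flips."""
    return min(
        bin(sbox_lookup(x, table) ^ sbox_lookup(x ^ (1 << bit), table)).count("1")
        for x in range(64) for bit in range(6)
    )


if __name__ == "__main__":
    b = 0b011011                      # row 01 = 1, column 1101 = 13
    print(f"S1({b:06b}) = {sbox_lookup(b):04b}")
    print("affine:", is_affine())
    print("min output bits changed by a 1-bit input flip:", min_output_change())
```
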


Permutation Table P

• The permutation after each round will be as follows:


Subkey Generation

• Given a 64-bit key (with parity-check bits)
  – Discard the parity-check bits
  – Permute the remaining bits using fixed table P1
  – Let C_0 D_0 be the result (total 56 bits)
• Let C_i = Shift_i(C_{i-1}), D_i = Shift_i(D_{i-1}), and let K_i be another permutation P2 of C_i D_i (total 56 bits)
  – Where Shift_i is a cyclic shift one position left if i = 1, 2, 9, 16
  – Else a cyclic shift two positions left


DES subkeys


Permutation Tables


DES in practice

• DEC (Digital Equipment Corp., 1992) built a chip with 50k transistors
  – Encrypts at the rate of 1 G/second
  – Clock rate 250 MHz
  – Cost about $300
• Applications
  – ATM transactions (encrypting PIN and so on)


Modes of operation

• Mode of use
  – The way we use a block cipher
  – Four have been defined for the DES by ANSI in the standard ANSI X3.106-1983 modes of use.
• Block modes
  – Split messages into blocks (ECB, CBC)
• Stream modes
  – Work on bit stream messages (CFB, OFB)


Block Modes

• Electronic Codebook (ECB)
  – where the message is broken into independent 64-bit blocks which are encrypted
  – C_i = DES_K1(P_i)
• Cipher Block Chaining (CBC)
  – again the message is broken into 64-bit blocks, but they are linked together in the encryption operation with an IV
  – C_i = DES_K1(P_i ⨁ C_{i-1})
  – C_{-1} = IV (initial value)


Stream Modes

• Cipher Feed Back (CFB)
  – where the message is treated as a stream of bits, added to the output of the DES, with the result being fed back for the next stage
  – C_i = P_i ⨁ DES_K1(C_{i-1})
  – C_{-1} = IV (initial value)


Stream modes

• Output Feed Back (OFB)
  – where the message is treated as a stream of bits, added to the message, but with the feedback being independent of the message
  – C_i = P_i ⨁ O_i
  – O_i = DES_K1(O_{i-1})
  – O_{-1} = IV (initial value)
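
The four mode equations (ECB, CBC, CFB, OFB) in an added example that is not part of the original slides. A keyed permutation of 0..255 stands in for DES_K1, so a block here is 8 bits rather than 64; `make_cipher`, `flip` and `damaged_positions` are names made up for this example. It also shows how far one corrupted ciphertext block propagates in each mode.

```python
import random


def make_cipher(key: int):
    """Toy 8-bit block cipher (assumption, stands in for DES_K1): returns the
    encryption table E and the decryption table D of a keyed permutation."""
    E = list(range(256))
    random.Random(key).shuffle(E)
    D = [0] * 256
    for p, c in enumerate(E):
        D[c] = p
    return E, D


def ecb_encrypt(pt, E):
    return bytes(E[p] for p in pt)              # C_i = E(P_i)

def ecb_decrypt(ct, D):
    return bytes(D[c] for c in ct)

def cbc_encrypt(pt, E, iv):
    out, prev = [], iv
    for p in pt:
        prev = E[p ^ prev]                      # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return bytes(out)

def cbc_decrypt(ct, D, iv):
    out, prev = [], iv
    for c in ct:
        out.append(D[c] ^ prev)                 # P_i = D(C_i) xor C_{i-1}
        prev = c
    return bytes(out)

def cfb_encrypt(pt, E, iv):
    out, prev = [], iv
    for p in pt:
        prev = p ^ E[prev]                      # C_i = P_i xor E(C_{i-1})
        out.append(prev)
    return bytes(out)

def cfb_decrypt(ct, E, iv):
    out, prev = [], iv
    for c in ct:
        out.append(c ^ E[prev])                 # only E is needed to decrypt
        prev = c
    return bytes(out)

def ofb_crypt(data, E, iv):
    out, o = [], iv
    for x in data:
        o = E[o]                                # O_i = E(O_{i-1})
        out.append(x ^ o)                       # C_i = P_i xor O_i (same for decrypt)
    return bytes(out)

def flip(ct, pos):
    """Copy of ct with the lowest bit of block `pos` corrupted."""
    return ct[:pos] + bytes([ct[pos] ^ 1]) + ct[pos + 1:]

def damaged_positions(expected, got):
    return [i for i, (a, b) in enumerate(zip(expected, got)) if a != b]


if __name__ == "__main__":
    E, D = make_cipher(0x5EED)                  # constructed key and IV
    iv, msg = 0xA7, b"PAY 100 TO ALICE"
    print("ECB of 'AAAAAAAA':", ecb_encrypt(b"AAAAAAAA", E).hex())
    print("CBC of 'AAAAAAAA':", cbc_encrypt(b"AAAAAAAA", E, iv).hex())
    ct = cbc_encrypt(msg, E, iv)
    print("CBC damage:", damaged_positions(msg, cbc_decrypt(flip(ct, 3), D, iv)))
    ct = ofb_crypt(msg, E, iv)
    print("OFB damage:", damaged_positions(msg, ofb_crypt(flip(ct, 3), E, iv)))
```
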


DES Weak Keys

• With many block ciphers there are some keys that should be avoided, because of reduced cipher complexity
• These keys are such that the same sub-key is generated in more than one round, and they include:
  – Weak keys
    • The same sub-key is generated for every round
    • DES has 4 weak keys
  – Semi-weak keys
    • Only two sub-keys are generated on alternate rounds
    • DES has 12 of these (in 6 pairs)
  – Demi-semi weak keys
    • Have four sub-keys generated
• None of these causes a problem since they are a tiny fraction of all available keys
• However they MUST be avoided by any key generation program


DES Attacks

• Brute force attack
• 1998:
  • The EFF's US$250,000 DES cracking machine contained 1,536 custom chips and could brute force a DES key in a matter of days
  • The photo shows a DES Cracker circuit board fitted with several Deep Crack chips.


DES attacks

• Brute force attack
• The COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 9 days on average. The photo shows the backplane of the machine with the FPGAs.


DES attack : Faster than Brute force attack

• There are three attacks known that can break the full 16 rounds of DES with less complexity than a brute-force search:
  – differential cryptanalysis (DC),
  – linear cryptanalysis (LC), and
  – Davies' attack.
• However, the attacks are theoretical and are unfeasible to mount in practice; these types of attack are sometimes termed certificational weaknesses.


Differential Cryptanalysis

• One of the most significant recent (public) advances in cryptanalysis
• Known by NSA in 70's, cf. DES design
• Murphy, Biham & Shamir published 1990
• Powerful method to analyse block ciphers
• Used to analyse most current block ciphers with varying degrees of success
• DES reasonably resistant to it, cf. Lucifer
• Was discovered in the late 1980s by Eli Biham and Adi Shamir, although it was known earlier to both IBM and the NSA and kept secret.
• To break the full 16 rounds, differential cryptanalysis requires 2^47 chosen plaintexts. DES was designed to be resistant to DC.


Linear Cryptanalysis

• Another recent development
• Also a statistical method
• Must be iterated over rounds, with decreasing probabilities
• Developed by Mitsuru Matsui in 1994
• Based on finding linear approximations
• Can attack DES with 2^47 known plaintexts, still infeasible in practice
• Needs 2^43 known plaintexts
• It was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of attack.


Davies' attack


Possible techniques for improving DES

• Multiple enciphering with DES
  – Double DES, Triple DES, …
• Extending DES to 128-bit data paths and 112-bit keys
• Extending the key expansion calculation.


Double DES

Using two encryption stages and two keys

  – C = E_k2(E_k1(P))
  – P = D_k1(D_k2(C))

It is proved that there is no key k3 such that

  – C = E_k2(E_k1(P)) = E_k3(P)

But a meet-in-the-middle attack is possible

Thus, 2-DES is not secure (if DES is broken)
