71
Network Security Cryptology Cryptography Cryptanalysis

Network Security Cryptology Cryptography Cryptanalysis

Embed Size (px)

Citation preview

Page 1: Network Security Cryptology Cryptography Cryptanalysis

Network Security

CryptologyCryptography

Cryptanalysis

Page 2: Network Security Cryptology Cryptography Cryptanalysis

Topics Covered

Modern Encryption Techniques Simplified DES (S-DES) Block Cipher Principles

The Feistel Cipher Diffusion and Confusion

Data Encryption Standard DES Design Principles The Strength of DES DES Modes of Operation

Page 3: Network Security Cryptology Cryptography Cryptanalysis

Modern Encryption Techniques

Secret Key (Symmetric) CryptographySimplified Data Encryption StandardData Encryption StandardAdvanced Encryption Standard

Public Key (Asymmetric) CryptographyRSA (Rivest-Shamir-Adleman)ECC (Elliptic Curve Cryptography)NTRU (Number Theorist aRe Us)

Page 4: Network Security Cryptology Cryptography Cryptanalysis

Symmetric Cryptography

Page 5: Network Security Cryptology Cryptography Cryptanalysis

Asymmetric Cryptography

Page 6: Network Security Cryptology Cryptography Cryptanalysis

Simplified Data Encryption Standard (S-DES)

Developed by Professor Edward Schaefer of Santa Clara University.

Page 7: Network Security Cryptology Cryptography Cryptanalysis

S-DES: An Overview

Similar properties and structure to DES, with much smaller parameters.

Encryption It takes an 8-bit block of plain text and a 10-bit key as

input and produces an 8-bit block of cipher text as output.

Decryption It takes an 8-bit block of cipher text and the same 10-bit

key used to produce that ciphertext as input and produces the original 8-bit block of plaintext.

Page 8: Network Security Cryptology Cryptography Cryptanalysis

S-DES Algorithm

Algorithm involves 5 functions1. An initial permutation (IP).

2. A complex function, fk , that involves both permutation and substitution operations and depends on a key input.

3. A simple permutation function that switches the two halves of the data (SW).

4. The function fk again.

5. A permutation function that is the inverse of the initial one (IP-1).

Page 9: Network Security Cryptology Cryptography Cryptanalysis

S-DES Algorithm

text)))))(IP(cipher(SW(f(fIPPlaintext

and

ey))))hift(P10(kP8(Shift(SK

10(key)))P8(Shift(PK

where

ext)))))(IP(plaint(SW(f(fIPCiphertext

or

IP)fWSf(IP C

21

12

12

KK1-

2

1

KK1-

KK-1

Page 10: Network Security Cryptology Cryptography Cryptanalysis
Page 11: Network Security Cryptology Cryptography Cryptanalysis

S-DES Key Generation

It depends on the use of a 10-bit key shared between sender and receiver.

From this key, two 8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm.

First permute the key in the following fashion,

P10(k1,k2,k3,k4,k5,k6,k7,k8,k9,k10)=(k3,k5,k2,k7,k4,k10,k1,k9,k8,k6)

Page 12: Network Security Cryptology Cryptography Cryptanalysis

S-DES Key Generation (contd.)

Next perform a circular-left shift (LS-1), or rotation, separately on the first five bits and the second five bits.LS-1(k1,k2,k3,k4,k5)=(k2,k3,k4,k5,k1)

Next apply P8, which permutes 8 of the 10

bits according to the following rule,P8(k1,k2,k3,k4,k5,k6,k7,k8,k9,k10)=(k6,k3,k7,k4,k8,k5,k10,k9)

The result is subkey 1 (K1)

Page 13: Network Security Cryptology Cryptography Cryptanalysis

S-DES Key Generation (contd.)

To get the second subkey (K2), perform

again a 2-bit circular-left shift LS-2 on the

product of LS-1LS-2(LS-1(k1,k2,k3,k4,k5)=LS-2(k2,k3,k4,k5,k1)=(k4,k5,k1, k2,k3)

Finally, P8 is applied again to produce K2.

Page 14: Network Security Cryptology Cryptography Cryptanalysis

Example - Key Generation

Permute 10-bit key: 1010000010P10(1010000010) = 1000001100

Perform circular left shift, separately, on first 5 bits and second 5 bits (LS-1).

LS-1(10000) = 00001 and LS-1(01100) = 11000 Pick out and permute 8 of the 10 bits: (P8)

P8(0000111000) = 10100100

Result is K1

Now perform circular left shift of 2 bit positions, on first 5 bits and second 5 bits (LS-2) on the result LS-1.

LS-2(00001) = 00100 and LS-2(11000) = 00011 Apply (P8) again.

P8(0010000011) = 01000011

Result is K2

Page 15: Network Security Cryptology Cryptography Cryptanalysis
Page 16: Network Security Cryptology Cryptography Cryptanalysis

S-DES Encryption

Initial and final permutations

The Function fk

Let L and R be left and right halves of 8-bit input to fk .

Let F be a map from 4-bit strings to 4-bit strings, and SK be the subkey (K1 or K2) and XOR is the bit-by-bit exclusive-OR function.

fk(L, R) = (L F(R, SK), R)

IP

2 6 3 1 4 8 5 7

IP-1

4 1 3 5 7 2 8 6

Page 17: Network Security Cryptology Cryptography Cryptanalysis

Mapping F

Input is 4-bit number (n1n2n3n4). Expansion/permutation operation

8-bit subkey K1 is added to output of E/P using exclusive-OR.

E/P

4 1 2 3 2 3 4 11

3

43

21

2

4

n

n

nn

nn

n

n

Page 18: Network Security Cryptology Cryptography Cryptanalysis

Mapping F (contd.)

First 4 bits fed to S-box S0,second 4 bits fed to S-box S1.

S-box uses 1st and 4th bits to specify a row,2nd and 3rd bits to specify a column. Entry in that position (base 2) is 2-bit output.

4-bits produced by S-Boxes (S0 & S1) are permuted using P4.

P4 = (k2k4k3k1)Output of P4 is output of F.

Page 19: Network Security Cryptology Cryptography Cryptanalysis

The Switch function

The function fk only alters the leftmost 4-bits of the input.

Switch function interchanges left and right 4 bits so that second instance of fk operates on a different 4 bits.

In this second instance, the E/P, S0, S1, and P4 functions are same.

The key input isK2.

Page 20: Network Security Cryptology Cryptography Cryptanalysis

Analysis of S-DES

Brute-force attack is feasible, 210 = 1024 possible 10-bit keys.

Known plaintext? Suppose we know a sinlge 8-bit plaintext and

corresponding 8-bit ciphertext, and key is unknown. Each ci is a polynomial function of pj's and kj's. This means 8 non-linear equations in 10

unknowns. Alternating linear maps with these nonlinear maps

results in complex polynomial expressions for the ciphertext bits, making cryptanalysis difficult.

Page 21: Network Security Cryptology Cryptography Cryptanalysis

Block Cipher Principles

Page 22: Network Security Cryptology Cryptography Cryptanalysis

Stream Cipher vs. Block Cipher

Stream cipher is one that encrypts a digital data stream one bit or one byte at a time, e.g. Vigenere cipher and Vernam cipher

Block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length (typically a block of 64 bits is used), e.g. S-DES and DES

Various modes of operation can make a block cipher to achieve the same effect as a stream cipher.

The vast majority of network-based cryptographic applications make use of block cipher.

Page 23: Network Security Cryptology Cryptography Cryptanalysis

Feistel Cipher Structure

Reversible TransformationFor the encryption to be reversible or non-

singular (decryption is possible), each plaintext block must produce a unique ciphertext block.

Irreversible Transformation For the encryption to be irreversible or singular

(decryption is impossible), not all the plaintext block would have unique ciphertext block.

Page 24: Network Security Cryptology Cryptography Cryptanalysis

Feistel Cipher

Symmetric block encryption algorithm are referred to as a Feistel block cipher.

The concept is to have a product cipher which is performing two or more basic ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers.

Feistel proposed the use of a cipher that alternates substitution and permutation.

This cipher is referred to as a product cipher that alternates confusion and diffusion functions.

Page 25: Network Security Cryptology Cryptography Cryptanalysis

Confusion and Diffusion

Introduced by Claude Shannon in 1945 to capture the two basic building blocks for any cryptographic system.

Shannon’s concern was to thwart cryptanalysis based on statistical analysis. In this way all statistics of the ciphertext are independent of the particular key used.

Confusions is achieved through the XOR operation performed on ciphertext and the value of the encryption key. This is achieved by the use of a complex substitution algorithm.

Diffusion is achieved through numerous permutations followed by applying a function to that permutation. The unknown values are put into the plaintext. This causes diffusion.

Page 26: Network Security Cryptology Cryptography Cryptanalysis

Classical Feistel Network

Page 27: Network Security Cryptology Cryptography Cryptanalysis

Feistel Network Parameters

Block Size: Larger block sizes-greater security-reduced speed (64

bits) Key Size:

Larger key sizes-greater security-reduced speed Number of rounds:

Multiple rounds-increased security (16 rounds) Subkey generation algorithm:

Greater complexity-greater security Round function:

Greater complexity-greater security

Page 28: Network Security Cryptology Cryptography Cryptanalysis

Feistel Cipher Mechanism

The text being encrypted is split into two halves. The round function F is applied to one half using a

subkey Ki and the output of F is XORed with the other half.

The two halves are then swapped. Each round follows the same pattern except for

the last round where there is no swap.

Rr XOR F(kr,Lr) = Rr XOR F(kr,Rr-1)

= Rr XOR (Rr ÅLr-1) = Lr-1

Page 29: Network Security Cryptology Cryptography Cryptanalysis

Data Encryption Standard

The Actual DES

Page 30: Network Security Cryptology Cryptography Cryptanalysis

About DES

The original ideas behind the Data Encryption Algorithm were developed by IBM in the 1960's and was based on Claude Shannon’s concept.

The technique was first called as Lucifer and later refined and renamed as the DEA (Data Encryption Algorithm) and adopted as the standard in 1976.

In 1977 the United States Government chose the Data Encryption Standard (DES).

DES was widely adopted by industry for secure communication Example:

DES is used to encrypt personal identification numbers (PINs) and account transactions in automated teller machines (ATMs

Page 31: Network Security Cryptology Cryptography Cryptanalysis

Data Encryption Standard

There are two inputs to the encryption function, i.e. the plaintext and the key.

The plain text must be 64 bits and the key is 56 bits in length.

Processing of the plaintext proceeds in three phases, The 64 bit plaintext passes through an Initial Permutation (IP) Then a 16 "rounds" of operations which involves both permutation

and substitution functions that mix the data and key together in a prescribed manner.

The pre-output obtained from swapping the left and right halves of the output in each round, is then passed through a Permutation (IP-1) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext.

Page 32: Network Security Cryptology Cryptography Cryptanalysis

DES Encryption Algorithm

Page 33: Network Security Cryptology Cryptography Cryptanalysis

Why 16 rounds?

The goal is to completely scramble the data and key so that every bit of the ciphertext depends on every bit of the data and every bit of the key (a 56-bit quantity for the DES).

After sufficient "rounds" with a good algorithm, there should be no correlation between the ciphertext and either the original data or key.

The DES uses 16 rounds for some solid reasons. First, a minimum of 12 rounds were needed to sufficiently scramble

the key and data together; the others provided a margin of safety. Second, the operation of 16 rounds would return the key back to its

original position in an electronic device for the next use when used in accordance with the published algorithm.

Page 34: Network Security Cryptology Cryptography Cryptanalysis

Details of Single Round

Page 35: Network Security Cryptology Cryptography Cryptanalysis
Page 36: Network Security Cryptology Cryptography Cryptanalysis

Permutation Tables for DES

Initial Permutation (IP)

58 50 42 34 26 18 10 2

60 52 44 36 28 20 12 4

62 54 46 38 30 22 14 6

64 56 48 40 32 24 16 8

57 49 41 33 25 17 9 1

59 51 43 35 27 19 11 3

61 53 45 37 29 21 13 5

63 55 47 39 31 23 15 7

Inverse Initial Permutation (IP-1)

40 8 48 16 56 24 64 32

39 7 47 15 55 23 63 31

38 6 46 14 54 22 62 30

37 5 45 13 53 21 61 29

36 4 44 12 52 20 60 28

35 3 43 11 51 19 59 27

34 2 42 10 50 18 58 26

33 1 41 9 49 17 57 25

Page 37: Network Security Cryptology Cryptography Cryptanalysis

Permutation Tables for DES

Expansion Permutation (E)

32 1 2 3 4 5

4 5 6 7 8 9

8 9 10 11 12 13

12 13 14 15 16 17

16 17 18 19 20 21

20 21 22 23 24 25

24 25 26 27 28 29

28 29 30 31 32 1

Permutation Function (P)

16 7 20 21 29 12 28 17

1 15 23 26 5 18 31 10

2 8 24 14 32 27 3 9

19 13 30 6 22 11 4 25

Page 38: Network Security Cryptology Cryptography Cryptanalysis

DES Mechanism

The 64-bit block being enciphered is broken into two halves.

The right half goes through one DES round, and the result becomes the new left half.

The old left half becomes the new right half, and will go through one round in the next round.

This goes on for 16 rounds, but after the last round the left and right halves are not swapped, so that the result of the 16th round becomes the final right half, and the result of the 15th round (which became the left half of the 16th round) is the final left half.

Page 39: Network Security Cryptology Cryptography Cryptanalysis

DES Mechanism (contd.)

Fundamentally DES performs only two operations on its input, Bit shifting, and Bit substitution.

The key controls exactly how this process works. By doing these operations repeatedly and in a non-linear manner you end up with a result which can not be used to retrieve the original without the key.

Those familiar with chaos theory should see a great deal of similarity to what DES does.

By applying relatively simple operations repeatedly a system can achieve a state of near total randomness.

Page 40: Network Security Cryptology Cryptography Cryptanalysis

DES Mechanism (contd.)

For each iteration a 48 bit subset of the 56 bit key is fed into the encryption block.

Decryption is the inverse of the encryption process.

The key is usually stored as a 64-bit number, where every eighth bit is a parity bit.

The parity bits are pitched during the algorithm, and the 56-bit key is used to create 16 different 48-bit subkeys - one for each round.

Page 41: Network Security Cryptology Cryptography Cryptanalysis

DES Key Generation

In order to generate 16 48-bit subkeys from the 56-bit key, the following process is used.

First, the key is loaded according to the Permutation Choice 1 (PC-1) and then halved.

Then each half is rotated by 2 bits in every round except the first, second, 9th and last rounds.

The reason for this is that it makes it secure against related-key cryptanalysis.

Then 48 of the 56 bits are chosen according to a compression permutation.

The subkeys used by the 16 rounds are formed by the key schedule which consists of, An initial permutation of the key (PC-1) which selects 56-bits

in two 28-bit halves

Page 42: Network Security Cryptology Cryptography Cryptanalysis

Key Schedule Calculation

The key rotation schedule KS is specified as:

Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

KS 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

Total Rot

1 2 4 6 8 10 12 14 15 17 19 21 23 25 27 28

Permutation Choice One (PC-1)57 49 41 33 25 17 91 58 50 42 34 26 18

10 2 59 51 43 35 2719 11 3 60 52 44 3663 55 47 39 31 23 157 62 54 46 38 30 22

14 6 61 53 45 37 2921 13 5 28 20 12 4

Permutation Choice Two (PC-2)14 17 11 24 1 5 3 2815 6 21 10 23 19 12 426 8 16 7 27 20 13 241 52 31 37 47 55 30 4051 45 33 48 44 49 39 5634 53 46 42 50 36 29 32

Page 43: Network Security Cryptology Cryptography Cryptanalysis

S-Box

The S-boxes are somewhat different from the other permutations.

While all the others are set up according to "bit x goes to bit y", the input bits can be viewed differently for the S-boxes.

If the input is {d1,d2,d3,d4,d5,d6} then the two-bit number {d1,d6} and the four-bit number {d2,d3,d4,d5} are used as indices to the table.

For the 48-bit word {d1,d2..d48}, the word {d1..d6} is sent to S-box 1, the word {d7,,d12} to S-box 2, etc. The output of S-box 1, {o1..o4}, that of S-box 2, {o5..o8} etc. are concatenated to form the output.

Page 44: Network Security Cryptology Cryptography Cryptanalysis

48-bit input

6-bits 6-bits 6-bits 6-bits 6-bits 6-bits 6-bits 6-bits

S Box1 S Box2 S Box3 S Box4 S Box5 S Box6 S Box7 S Box8

4-bits 4-bits 4-bits 4-bits 4-bits 4-bits 4-bits 4-bits

32-bit permutation

32-bit output

Kn (+)

Mangler Function using S-Boxes

Page 45: Network Security Cryptology Cryptography Cryptanalysis

S-Box (contd.)

S1

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8

4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

S2

15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10

3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5

0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15

13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

S3

10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8

13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1

13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7

1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

Page 46: Network Security Cryptology Cryptography Cryptanalysis

S-Box (contd.)

S4

7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15

13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9

10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4

3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

S5

2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9

14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6

4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14

11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

S6

12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11

10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8

9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6

4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

Page 47: Network Security Cryptology Cryptography Cryptanalysis

S-Box (contd.)

S7

4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1

13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6

1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2

6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

S8

13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7

1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2

7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8

2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

Page 48: Network Security Cryptology Cryptography Cryptanalysis

P-Box

The output of each of the 8 S-boxes is concatenated to form a 32-bit number, which is then permutated with a P-box.

This P-box is a straight permutation, and the resulting number is XOR-ed with the left half of the input block with which we started at the beginning of this round.

Finally, if this is not the last round, we swap the left and right halves and start again.

Page 49: Network Security Cryptology Cryptography Cryptanalysis

Strength of DES

A brute-force attack is impractical with a key length of 56 bits since there are 256 possible keys, which is approximately 7.2 x 1016 keys.

Strength can be increased by compression of plain text before encryption.

Strength of DES has become questionable since very powerful machines is in action which can do parallel execution in a bit of time to break the cipher text.

Page 50: Network Security Cryptology Cryptography Cryptanalysis

Security Provided by DES

The security provided by the DES depends on several factors: Mathematical soundness, length of key, key management,

input data formatting, mode of operation, implementation, application and threat.

The DES was developed to protect unclassified computer data in federal computer systems against a number of passive and active attacks in communications and storage systems.

It was assumed that a knowledgeable person might seek to comprise the security system with resources commensurate to the value of the information to be obtained.

Applications included Electronic Funds Transfer, privacy protection of personal information, personal authentication, password protection, access control, etc.

Page 51: Network Security Cryptology Cryptography Cryptanalysis

DES Cryptanalysis

Page 52: Network Security Cryptology Cryptography Cryptanalysis

Differential Cryptanalysis

Quite complex! The overall strategy is based on consideration of seeing

the probability of occurrence of same difference in output with same subkey used in a single round.

Assume two plaintext messages with m and m’ with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the cipher text.

There can be two probable differences between two 32-bit halves.

We repeat this process until all probable patterns are correct.

Page 53: Network Security Cryptology Cryptography Cryptanalysis

Differential Cryptanalysis (contd.)

• For a large number of plaintexts, you can determine a certain behavior of the algorithm, you can help determine how changing the key affects the ciphertext, and in fact begin to guess bits of the key

• Differential cryptanalysis guesses bits of the key through various methods, until a brute force search on the remaining bits of the key becomes feasible and faster than other, more complex methods

Page 54: Network Security Cryptology Cryptography Cryptanalysis

Linear Cryptanalysis

Based on finding linear approximations to describe the transformations performed in DES.

For a Cipher with n-bit of plain text and cipher text blocks and m-bit key, let the plaintext block be labeled P[1],……, P[n], the cipher text block C[1],……, C[n] and the key K[1],…., K[m] so we define

A[i,j,….., k] = A[i] A[j] ,……, A[k] The objective of linear cryptanalysis is to find an

effective linear equation of the form P[1, 2, …….., n] C[β1, β2, ……., βn]= K[γ1, γ2, …….. [γc ]

Where , β and γ represent fixed, unique bit locations

Page 55: Network Security Cryptology Cryptography Cryptanalysis

DES Modes of Operation

Four modes of operation have been defined for the DES by ANSI in the standard:

There are classified on the basis of the types of symmetric algorithms:Block Modes

splits messages in blocks (ECB, CBC)Stream Modes

on bit stream messages (CFB, OFB)

Page 56: Network Security Cryptology Cryptography Cryptanalysis

Electronic Code Book (ECB)

In ECB mode, each plaintext block is encrypted independently with the block cipher.

A 64 bit data block is entered into the algorithm with a key and a block of ciphertext is produced.

For a given block of plaintext and a given key, the same block ciphertext is always produced.

Page 57: Network Security Cryptology Cryptography Cryptanalysis

Electronic Codebook (ECB)

Page 58: Network Security Cryptology Cryptography Cryptanalysis

Cipher Block Chaining (CBC)

In CBC mode, each plaintext block is XORed with the previous ciphertext block and then encrypted.

An initialization vector c0 is used as a ``seed'' for the process.

In ECB mode, a block of plaintext and a key will always give the same ciphertext.

In CBC each block of text, the key and the value based on the previous block is processed in the algorithm and applied to the next block of text.

Page 59: Network Security Cryptology Cryptography Cryptanalysis

Cipher Block Chaining (CBC)

Page 60: Network Security Cryptology Cryptography Cryptanalysis

Cipher Feedback Mode (CFB)

In CFB mode, the previous ciphertext block is encrypted and the output produced is combined with the plaintext block using XOR to produce the current ciphertext block.

It is possible to define CFB mode so it uses feedback that is less than one full data block.

An initialization vector c0 is used as a ``seed'' for the process.

Page 61: Network Security Cryptology Cryptography Cryptanalysis
Page 62: Network Security Cryptology Cryptography Cryptanalysis

Output Feedback Mode (OFB)

OFB mode is similar to CFB mode except that the quantity XORed with each plaintext block is generated independently of both the plaintext and ciphertext.

An initialization vector s0 is used as a ``seed'' for a sequence of data blocks si, and each data block si is derived from the encryption of the previous data block si-1.

The encryption of a plaintext block is derived by taking the XOR of the plaintext block with the relevant data block.

Page 63: Network Security Cryptology Cryptography Cryptanalysis

DES Mode of Operation contd.

Counter Mode A “new” mode used in ATM network security and

IPSec Similar to OFB but encrypts counter value rather

than any feedback value Must have a different key & counter value for every

plaintext block (never reused) Counter is incremented by one Efficiency: can do parallel encryptions in h/w or s/w

and can preprocess in advance of need Applications: high-speed network encryptions

Page 64: Network Security Cryptology Cryptography Cryptanalysis

Counter Mode

Page 65: Network Security Cryptology Cryptography Cryptanalysis

Multiple Encryption & DES

Clearly a replacement for DES was needed since theoretical attacks existed that could break it

AES is a new cipher alternative

Prior to this alternative was to use multiple encryption with DES implementations.

Page 66: Network Security Cryptology Cryptography Cryptanalysis

Double-DES?

C = EK2(EK1(P))

P = DK1(DK2(D))

The double DES can be considered a single encryption with a key of length 112 bits.

It is not a single encryption with a key of 56 bits.

Hence there are more key combinations and its stronger than single DES.

DES with twice keys will produce one of many mappings that is not defined by a single application of DES.

Double DES is subject to “meet-in-the-middle” attack

Works whenever use a cipher twice Since X = EK1(P) = DK2(C) Attack by encrypting P with all keys and store Then decrypt C with keys and match X value It takes O(256) steps which is slightly less than DES brute force attack.

Page 67: Network Security Cryptology Cryptography Cryptanalysis

Double-DES contd.

Page 68: Network Security Cryptology Cryptography Cryptanalysis

Triple-DES with Two-Keys

To counter the meet-in-the-middle attack, triple DES with Three keys are used.

The known plaintext attack is not possible anymore because it will require 2112 steps.

The key size is increased to 168 which is not practical.

Tuchman proposed 3 encryptions but can use 2 keys with E-D-E sequence

C = EK1 [DK2[EK1[P]]]

P = DK1 [EK2[DK1[C]]]

if K1=K2 then can work with single DES instead.

Standardized in ANSI X9.17 & ISO8732

no current known practical attacks

Page 69: Network Security Cryptology Cryptography Cryptanalysis

Triple-DES with Two-Keys Contd.

Page 70: Network Security Cryptology Cryptography Cryptanalysis

Triple-DES with Three-Keys

Although are no practical attacks on two-key Triple-DES have some indications.

Can use Triple-DES with Three-Keys to avoid even these

C = EK3(DK2(EK1(P)))

Has been adopted by some Internet applications, e.g. PGP, S/MIME

Page 71: Network Security Cryptology Cryptography Cryptanalysis

What Next?

Advance Encryption Standard (AES)An OverviewAES RequirementsAES Algorithms