S DES and DES Complete

5/7/2018 S DES and DES Complete - slidepdf.com

http://slidepdf.com/reader/full/s-des-and-des-complete 1/117

----VIJAY KATTAVIJAY KATTA---- 11

Cryptography and NetworkCryptography and Network

Security.Security.

By.By.----------

William Stalling.William Stalling.

B.ForouzanB.ForouzanBruce Schneier Bruce Schneier

P. van Oorschot, and S. Vanstone,P. van Oorschot, and S. Vanstone,




Chapter 3Chapter 3 & Chapter 6& Chapter 6 ± ±

Block CiphersBlock Ciphers DESDESOthersOthers

3.1 Simplified DES3.2 Block Cipher Principles

3.3 The Data Encryption Standard

3.4 The Strength of DES3.5 Differential and Linear Cryptanalysis

3.6 Block Cipher Design Principles

3.7 Block Cipher Modes of Operation

Ch06- Contemporary symmetric ciphers




3.0 Modern Block Ciphers3.0 Modern Block Ciphers

will now look at modern block cipherswill now look at modern block ciphers

one of the most widely used types of one of the most widely used types of

cryptographic algorithmscryptographic algorithmsprovide secrecy and/or authenticationprovide secrecy and/or authentication

servicesservices

in particular will introduce DES (Datain particular will introduce DES (DataEncryption Standard)Encryption Standard)




Block vs Stream CiphersBlock vs Stream Ciphers

block ciphers process messages in intoblock ciphers process messages in into

blocks, each of which is then en/decryptedblocks, each of which is then en/decrypted

like a substitution on very big characterslike a substitution on very big characters ± ± 6464--bits or morebits or more

stream ciphersstream ciphers process messages a bit or process messages a bit or

byte at a time when en/decryptingbyte at a time when en/decryptingmany current ciphers are block ciphersmany current ciphers are block ciphers

hence are focus of coursehence are focus of course




Simplified DES (SSimplified DES (S--DES)DES)

An educational algorithm An educational algorithm

A product cipher A product cipher

± ± two identical subtwo identical sub--ciphersciphersEach subEach sub--cipher cipher

± ± PermutationPermutation

± ± SubstitutionSubstitution




SS--DESDES

EncryptionEncryption

± ± Input: 8Input: 8--bit plaintextbit plaintext

± ± Input: 10Input: 10--bit key Kbit key K ± ± Output: 8Output: 8--bit ciphertextbit ciphertext

DecryptionDecryption

± ± Input: 8Input: 8--bit ciphertextbit ciphertext

± ± Input: 10Input: 10--bit key Kbit key K

± ± Output: 8Output: 8--bit plaintextbit plaintext




Simplified DES (cont.)Simplified DES (cont.)

Key generationKey generation

± ± P10:P10: a permutation of 10 bitsa permutation of 10 bits

± ± shift:shift: shift (rotate) the inputshift (rotate) the input ± ± P8:P8: a permutation of 8a permutation of 8--bitbit

Encryption/DecryptionEncryption/Decryption

± ± IP:IP: initial permutationinitial permutation

± ± f f KK:: a complex function (substitution+permutation)a complex function (substitution+permutation)

± ± SW: aSW: a simple permutation (swapping)simple permutation (swapping)

± ± IPIP--11:: the inverse of IPthe inverse of IP







Overview of SOverview of S--DESDES

Subkey generationSubkey generation

± ± KK11=P8=P8 yy shiftshift yy P10P10 ((KK))

± ± KK22=P8=P8yy

shiftshiftyy

shiftshiftyy

P10P10 ((KK))EncryptionEncryption

± ± C=C= IPIP--11 yy f f KK22 yy SWSW yy f f KK11 yy IPIP ((PP))

DecryptionDecryption ± ± P=P= IPIP--11 yy f f K1K1 yy SWSW yy f f K2K2 yy IPIP ((CC))




SubSub--key generationkey generation




SubSub--key generation (cont.)key generation (cont.)

P10P10

33 55 22 77 44 1010 11 99 88 66

P10 (k1 k2 k3 k4 k5 k6 k7 k8 k9 k10)

k3 k5 k2 k7 k4 k10 k1 k9 k8 k6

e.g. K= 10100 00010

P10(K) = P10 (10100 00010)

= 10000 01100

� P10: 10-bit permutation




SubSub--key generation (cont.)key generation (cont.)� LS-1: rotate left for 1 bit

e.g. LS-1(10000)=00001

LS-1(01100)=11000





P8P8

66 33 77 44 88 55 1010 99

P8 (k1 k2 k3 k4 k5 k6 k7 k8 k9 k10)

k6 k3 k7 k4 k8 k5 k10 k9

e.g. K 1= P8 (00001 11000)

= 010100100

� P8: a permutation with 10-bit input and 8-bit output




SubSub--key generation (cont.)key generation (cont.)� LS-2: rotate left for 2 bits

e.g. LS-2(00001)=00100

LS-2(11000)=00011





P8P8

66 33 77 44 88 55 1010 99

P8 (k1 k2 k3 k4 k5 k6 k7 k8 k9 k10)

k6 k3 k7 k4 k8 k5 k10 k9

e.g. K 2= P8 (00100 00011)

= 01000011

� P8: a permutation with 10-bit input and 8-bit output




--




SS--DES encryption (cont.)DES encryption (cont.)

� Initial and final permutations: IP, IP-1

IPIP

22 66 33 11 44 88 55 77

IPIP--11

44 11 33 55 77 22 88 66

IP-1 � IP (X) = X = IP � IP-1 (X)









Function f Function f KK ± ± PermutationPermutation ++ substitutionsubstitution..

± ± f f KK((LL,, RR)=()=(LL��

F(R,SK)F(R,SK),, RR))SK: A subkey Ki (i = 1, 2)SK: A subkey Ki (i = 1, 2)

L: Leftmost 4 bitsL: Leftmost 4 bits

R: Rightmost 4 bitsR: Rightmost 4 bits

F: A mapping from 4F: A mapping from 4--bit strings to 4bit strings to 4--bit strings.bit strings.��: bit: bit--wise XORwise XOR





Function f Function f KK ± ± Example:Example:

Input is 1011 1101Input is 1011 1101 L=1011L=1011,, R=1101R=1101

F(F(11011101, SK) = 1110, SK) = 1110

f f KK((10111011 11011101) =) = 10111011 �� 1110 ||1110 || 11011101

== 01010101 11011101




SS--DES encryption (cont.)DES encryption (cont.)� Mapping F(R, SK)

R

SK





Mapping F(R, SK)Mapping F(R, SK)

± ± Expansion/permutation (E/P): 4Expansion/permutation (E/P): 4--bit Rbit R 8 bits8 bits

± ± XOR with subkey SKXOR with subkey SK

8 bits8 bits ± ± 2 S2 S--boxbox 4 bits4 bits

± ± P4 permutationP4 permutation 4 bits (output)4 bits (output)





E/P: 4E/P: 4--bitbit 88--bitbit

E/PE/P

44 11 22 33 22 33 44 11

Example:

E/P(1001)=11000011





SS--box (substitution box)box (substitution box)

± ± S0, S1: 4 bitsS0, S1: 4 bits 2 bits2 bits

b2b3b2b3

b1b4b1b4

0000 0101 1010 1111

0000 0101 0000 1111 1010

0101 1111 1010 0101 00001010 0000 1010 0101 1111

1111 1111 0101 1111 1010

S0( b1 b2 b3 b4)





b2b3b2b3

b1b4b1b4

0000 0101 1010 1111

0000 0000 1010 1010 1111

0101 1010 0000 0101 1111

1010 1111 0000 0101 0000

1111 1010 0101 0000 1111

S1( b1 b2 b3 b4)

Example:

S0(0010)=00, S1(0010)=10





P4: 4P4: 4--bit permutationbit permutation

P4P4

22 44 11 33




SS--DES encryption (cont.)DES encryption (cont.)1001

10011001 11000011

0101 1010

01 00

1000




SS--DES Encryption (cont.)DES Encryption (cont.)

SW: switch functionSW: switch function

± ± Interchange the left and right 4 bitsInterchange the left and right 4 bits

b1 b2 b3 b4 b5 b6 b7 b8

b1 b2 b3 b4b5 b6 b7 b8




SS--DES Encryption (cont.)DES Encryption (cont.)

22nd round: same as the first round exceptnd round: same as the first round exceptSubSub--key Kkey K22 is usedis used

Final permutation IPFinal permutation IP--11 is applied.is applied.





Key: K=1010000010Key: K=1010000010

Plaintext: P=11110011Plaintext: P=11110011

SubSub--key generationkey generation ± ± K1 = P8K1 = P8 �� LSLS--11 �� P10 (P10 (10100000101010000010) =) = 1010010010100100

± ± K2 = P8K2 = P8 �� LSLS--22 �� LSLS--11 �� P10 (P10 (10100000101010000010)) = 01000011= 01000011Plaintext: 11110011Plaintext: 11110011 ± ± IP (11110011) = 1011IP (11110011) = 101111011101 = L ||= L || RR

± ± F (R, KF (R, K11))E/P (E/P (11011101)) �� KK11 == 1110101111101011��10100100 =10100100 = 0100010011111111

S0 (S0 (01000100) = 11) = 11

S1 (S1 (11111111) = 11) = 11

P4 (1111) = 1111P4 (1111) = 1111





± ± f f K1K1 ((10111011 11011101) = () = (LL��FF((R R ,, KK11),), R R ))== ((10111011��1111,1111,11011101) = 0100 1101) = 0100 1101

± ± SW (SW (01000100 1101)= 11011101)= 1101 0100 =0100 = LL || R|| R

± ± F(R, KF(R, K22))

E/P (E/P (01000100)) �� KK22== 0010100000101000 �� 0100001101000011 == 0110011010111011S0 (S0 (01100110) = 10) = 10

S1 (S1 (10111011) = 01) = 01

P4 (1001) =P4 (1001) = 01010101

± ± f f K2K2((11011101 01000100) = () = (LL��FF((R R ,, KK22),), R R ))

== ((11011101��01010101,, 01000100) = 0000100) = 0000100 ± ± IPIP--11 (10000100) = 01000001(10000100) = 01000001

Ciphertext C=01000001Ciphertext C=01000001




SS--DES decryptionDES decryption




SS--DES decryption (cont.)DES decryption (cont.)

C =C = IPIP--11 yy f f KK22 yy SWSW yy f f KK11 yy IPIP ((PP))

IPIP--11 yy f f K1K1 yy SWSW yy f f K2K2 yy IPIP ((CC))== IPIP--11 yy f f K1K1 yy SWSW yy f f K2K2 yy IPIP yy IPIP--11 yy f f KK22yy SWSW yy f f KK11 yy IPIP ((PP))

== IPIP--11 yy f f K1K1 yy SWSW yy f f K2K2 yy f f KK22yy SWSW yy f f KK11 yy IPIP ((PP))

== IPIP--11 yy f f K1K1 yy SWSW yy SWSW yy f f KK11 yy IPIP ((PP))== IPIP--11 yy f f K1K1 yy f f KK11 yy IPIP ((PP))== IPIP--11 yy IPIP ((PP))== PP





OnlyOnly subsub--keys are f ed in reverse order keys are f ed in reverse order

SWSW �� SW = I (identity)SW = I (identity)

IPIP--11

� IP = IP � IP� IP = IP � IP--11

= I (identity)= I (identity)f f K1K1 � f � f K1K1 (X,Y) = f (X,Y) = f K1K1((XX��FF(Y,(Y, KK11)), Y), Y)

= (= (XX��FF(Y,(Y, KK11))��FF(Y,(Y, KK11), Y)), Y)

= (X, Y)= (X, Y)

f f K2K2 � f � f K2K2 (X,Y) = f (X,Y) = f K2K2((XX��FF(Y,(Y, KK22)), Y), Y)

= (= (XX��FF(Y,(Y, KK22))��FF(Y,(Y, KK22), Y)), Y)

= (X, Y)= (X, Y)





GenerateGenerate subsub--keys in reverse order keys in reverse order





Generate subGenerate sub--keys in reverse order keys in reverse order

P10(K)=k1 k2 « k10P10(K)=k1 k2 « k10

EncryptionEncryption ± ± LSLS--1(k1 k2 k3 k4 k5) =1(k1 k2 k3 k4 k5) = k2 k3 k4 k5 k1k2 k3 k4 k5 k1

± ± LSLS--2 (k2 k3 k4 k5 k1) =2 (k2 k3 k4 k5 k1) = k4 k5 k1 k2 k3k4 k5 k1 k2 k3

DecryptionDecryption ± ± RSRS--2 (k1 k2 k3 k4 k5) =2 (k1 k2 k3 k4 k5) = k4 k5 k1 k2 k3k4 k5 k1 k2 k3

± ± RSRS--2 (k4 k5 k1 k2 k3) =2 (k4 k5 k1 k2 k3) = k2 k3 k4 k5 k1k2 k3 k4 k5 k1





GenerateGenerate subsub--keys in reverse order keys in reverse order

RS-2 RS-2

RS-2RS-2

K2

K1




SS--DES decryptionDES decryption

Encrytion/Decryption

e/d flag

P/C

K 1/K 2

K 2/K

1

C/P




3.2& 3.63.2& 3.6 Block Cipher PrinciplesBlock Cipher Principles

most symmetric block ciphers are based on amost symmetric block ciphers are based on a

Feistel Cipher StructureFeistel Cipher Structure

needed since must be able toneeded since must be able to decryptdecrypt ciphertextciphertext

to recover messages efficientlyto recover messages efficiently

block ciphers look like an extremely largeblock ciphers look like an extremely large

substitutionsubstitution

would need table of 2would need table of 26464

entries for a 64entries for a 64--bit blockbit blockinstead create from smaller building blocksinstead create from smaller building blocks

using idea of a product cipher using idea of a product cipher




Claude Shannon and SubstitutionClaude Shannon and Substitution--

Permutation CiphersPermutation Ciphers

in 1949 Claude Shannon introduced idea of in 1949 Claude Shannon introduced idea of

substitutionsubstitution--permutation (Spermutation (S--P) networksP) networks

± ± modern substitutionmodern substitution--transposition product cipher transposition product cipher

these form the basis of modern block ciphersthese form the basis of modern block ciphers

SS--P networks are based on the two primitiveP networks are based on the two primitive

cryptographic operations we have seen before:cryptographic operations we have seen before:

± ± substitutionsubstitution (S(S--box)box)

± ± permutation permutation (P(P--box)box)

provideprovide confusionconfusion andand diffusiondiffusion of messageof message




Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining

substitution, permutation, and other components

discussed in previous sections.

5.1.4 Product Ciphers




DiffusionThe idea of diffusion is to hide the relationship between

the ciphertext and the plaintext.

5.1.4 Continued

Diffusion hides the relationship between the

ciphertext and the plaintext.

N ote




ConfusionThe idea of confusion is to hide the relationship between

the ciphertext and the key.

5.1.4 Continued

Confusion hides the relationship between the

ciphertext and the k ey.

N ote




Rounds Diffusion and confusion can be achieved using iterated

product ciphers where each iteration is a combination of

S-boxes, P-boxes, and other components.

5.1.4 Continued







Confusion and DiffusionConfusion and Diffusion

Shannon suggests to thwart ³statistical analysis´Shannon suggests to thwart ³statistical analysis´

ConfusionConfusion

± ± Blur the relation between the ciphertext and theBlur the relation between the ciphertext and the

encryption keyencryption key ± ± SubstitutionSubstitution

DiffusionDiffusion

± ± Each ciphertext alphabet is affected by many plaintextEach ciphertext alphabet is affected by many plaintext

alphabetalphabet

± ± Repeated permutationsRepeated permutations





Horst Feistel devised theHorst Feistel devised the f eistel cipher f eistel cipher

± ± based on concept of invertible product cipher based on concept of invertible product cipher

partitions input block into two halvespartitions input block into two halves

± ± process through multiple rounds whichprocess through multiple rounds which

± ± perform a substitution on left data half perform a substitution on left data half

± ± based on round function of right half & subkeybased on round function of right half & subkey

± ± then have permutation swapping halvesthen have permutation swapping halvesimplements Shannon¶s substitutionimplements Shannon¶s substitution--permutation network conceptpermutation network concept








Feistel Cipher Design PrinciplesFeistel Cipher Design Principles

block sizeblock size ± ± increasing size improves security, but slows cipher increasing size improves security, but slows cipher

key sizekey size ± ± increasing size improves security, makes exhaustive key searchingincreasing size improves security, makes exhaustive key searching

harder, but may slow cipher harder, but may slow cipher

numb

er of

roundsnumb

er of

rounds ± ± increasing number improves security, but slows cipher increasing number improves security, but slows cipher

subkey generationsubkey generation ± ± greater complexity can make analysis harder, but slows cipher greater complexity can make analysis harder, but slows cipher

round f unctionround f unction ± ± greater complexity can make analysis harder, but slows cipher greater complexity can make analysis harder, but slows cipher

f ast so

f tware en/decryption & ease o

f analysis

f ast so

f tware en/decryption & ease o

f analysis ± ± are more recent concerns for practical use and testingare more recent concerns for practical use and testing




Feistel Cipher DecryptionFeistel Cipher Decryption




Average time required forAverage time required for

exhaustiveexhaustive key searchkey searchKey SizeKey Size(bits)(bits)

Number ofNumber ofAlternative KeysAlternative Keys

Time required atTime required at101066 Decryption/Decryption/µs µs

3232 223232 = 4.3 x 10= 4.3 x 1099 2.15 milliseconds2.15 milliseconds

5656 225656 = 7.2 x 10= 7.2 x 101616 10 hours10 hours

128128 22128128 = 3.4 x 10= 3.4 x 103838 5.4 x 105.4 x 101818 yearsyears

168168 22168168 = 3.7 x 10= 3.7 x 105050 5.95.9 xx 10103030 yearsyears




3.3 Data Encryption Standard (DES)3.3 Data Encryption Standard (DES)

most widely used block cipher in worldmost widely used block cipher in world

adopted in 1977 by NBS (now NIST)adopted in 1977 by NBS (now NIST)

± ± as FIPS PUB 46as FIPS PUB 46encrypts 64encrypts 64--bit data using 56bit data using 56--bit keybit key

has widespread usehas widespread use

has been considerable controversy over has been considerable controversy over its securityits security




DES HistoryDES History

IBM developed Lucifer cipher IBM developed Lucifer cipher

± ± by team led by Feistelby team led by Feistel

± ± used 64used 64--bit data blocks with 128bit data blocks with 128--bit keybit key

then redeveloped as a commercial cipher then redeveloped as a commercial cipher with input from NSA and otherswith input from NSA and others

in 1973 NBS issued request for proposalsin 1973 NBS issued request for proposals

for a national cipher standardfor a national cipher standardIBM submitted their revised Lucifer whichIBM submitted their revised Lucifer whichwas eventually accepted as the DESwas eventually accepted as the DES




Security analysis of DESSecurity analysis of DES

Why 56 bits?Why 56 bits?

± ± Lucifer¶s key is 128Lucifer¶s key is 128--bit longbit long

± ± Rumor: it was deliberately reduced so thatRumor: it was deliberately reduced so that

NSA can break itNSA can break it

± ± FactsFacts

1997: distributed exhaustive key search all over 1997: distributed exhaustive key search all over

the world takes 3 months.the world takes 3 months.1998: specialized key search chips take 56 hours1998: specialized key search chips take 56 hours

1999: the search device is improved and achieves1999: the search device is improved and achieves

the record of 22 hoursthe record of 22 hours







A single round A single round

6 2 3 C ti d




6 .2.3 Continued

Figure 6.10 K ey generation
















Avalanche effect Avalanche effect

A A small changesmall change in either the plaintext or in either the plaintext or

the key should producethe key should produce a signif icanta signif icant

change in the ciphertextchange in the ciphertext

In particular,In particular, one bit changeone bit change in either thein either the

plaintextplaintext or theor the keykey half bits changehalf bits change inin

ciphertextciphertext




Avalanche effect (cont.) Avalanche effect (cont.)

For exampleFor example

± ± P1=0000 0000P1=0000 0000 �� 00000000

± ± P2=1000 0000P2=1000 0000 �� 00000000

± ± K=0000001 1001011 0100100 1100010K=0000001 1001011 0100100 1100010

0011100 0011000 0011100 0110010]0011100 0011000 0011100 0110010]

± ± Then, 34 bits differ in C=RThen, 34 bits differ in C=R1616LL1616

Avalanche effect Avalanche effect




Fast avalanche effectFast avalanche effect

The avalanche effect within the first few rounds;The avalanche effect within the first few rounds;for example, the first 3 rounds.for example, the first 3 rounds.

Change in Plaintext Change in Key

Round #bits that differ Round #bits that differ

0 1 0 0

1 6 1 22 21 2 14

3 35 3 28

4 39 4 32

5 34 5 30

6 32 6 32

7 31 7 35

8 29 8 34

9 42 9 4010 44 10 38

11 32 11 31

12 30 12 33

13 30 13 28

14 26 14 26

15 29 15 34

16 34 16 35




3.73.7 Modes of OperationModes of Operation

block ciphers encrypt fixed size blocksblock ciphers encrypt fixed size blockseg. DES encrypts 64eg. DES encrypts 64--bit blocks, with 56bit blocks, with 56--bit keybit key

need way to use in practise, given usually haveneed way to use in practise, given usually havearbitrary amount of information to encryptarbitrary amount of information to encrypt

four were defined for DES in ANSI standardfour were defined for DES in ANSI standardANSI X3.106ANSI X3.106--1983 Modes of Use1983 Modes of Use

subsequently now have 5 for DES and AESsubsequently now have 5 for DES and AES

havehave blockblock andand streamstream modesmodes ± ± Recall ch03Recall ch03--33

± ± stream ciphersstream ciphers process messages a bit or byte at aprocess messages a bit or byte at atime when en/decryptingtime when en/decrypting




Modes of operationsModes of operations (Overview)(Overview)

Advantages and disadvantages: Advantages and disadvantages: goalsgoals ± ± Same plaintext blocks => Same Cipher blocksSame plaintext blocks => Same Cipher blocks

± ± PaddingPadding

± ± Stream cipher => Error propagationStream cipher => Error propagation

± ± Parallel encryption/decryptionParallel encryption/decryptionPadding message (64bits block)Padding message (64bits block) ± ± Electronic codebook mode (ECB)Electronic codebook mode (ECB)

± ± Cipher block chaining mode (CBC)Cipher block chaining mode (CBC)

Convert DES to Stream cipher Convert DES to Stream cipher (1 bit or 8 bits)(1 bit or 8 bits) ± ± Cipher feedback mode (CFB)Cipher feedback mode (CFB)

± ± Output feedback mode (OFB)Output feedback mode (OFB)

PParallel encryptionsarallel encryptions ± ± Counter (CTR)Counter (CTR)




CC




ECB modeECB mode

Simplest modeSimplest modeEach block of 64Each block of 64--bit plaintext is handledbit plaintext is handled

independentlyindependently

It is like a codebook (huge) lookupIt is like a codebook (huge) lookupThe same 64The same 64--bit block has the samebit block has the same

cipher textcipher text

Same key is used in all block encryption.Same key is used in all block encryption. APPLICATION : APPLICATION :--

Secured Transmission of Key.Secured Transmission of Key.




ECB mode (cont.)ECB mode (cont.)

EncryptionEncryption

± ± Key: KKey: K

± ± Plaintext: P=PPlaintext: P=P11PP22«P«PNN--11PPNN

± ± Padded plaintext:Padded plaintext: P¶=PP¶=P11PP22«P«PNN--11PPNN¶¶

PP11, P, P22,«, P,«, PNN--11 are 64are 64--bit blocksbit blocks

PPNN--11¶¶ is the last (padded) 64is the last (padded) 64--bit blockbit block

Padding pattern:Padding pattern: 10«010«0 ± ± Ciphertext C=CCiphertext C=C11CC22«C«CNN

CCii = E= EKK(P(Pii), 1), 1eeiieeNN










± ± Key: KKey: K

± ± Ciphertext: C=CCiphertext: C=C11CC22«C«CNN

± ± Padded plaintext: P¶=PPadded plaintext: P¶=P11PP22«P«PNN--11PPNN¶¶

± ± Plaintext: PPlaintext: P11PP22«P«PNN--11PPNN








Advantages and Limitations of ECB Advantages and Limitations of ECB

repetitions in message may show inrepetitions in message may show inciphertextciphertext

± ± if aligned with message blockif aligned with message block

± ± particularly with data such graphicsparticularly with data such graphics ± ± or with messages that change very little,or with messages that change very little,

which become a codewhich become a code--book analysis problembook analysis problem

weakness due to encrypted messageweakness due to encrypted messageblocks being independentblocks being independent

main use is sending a few blocks of datamain use is sending a few blocks of data




Cipher Block Chaining (CBC)Cipher Block Chaining (CBC)

message is broken into blocksmessage is broken into blocks

but these are linked together in thebut these are linked together in theencryption operationencryption operation

each previous cipher blocks is chainedeach previous cipher blocks is chainedwith current plaintext block, hence namewith current plaintext block, hence name

use Initial Vector (IV) to start processuse Initial Vector (IV) to start process

CCii = DES= DESK1K1(P(Pii XOR CXOR Cii--11))CC--11 = IV= IV

uses: bulk data encryption, authenticationuses: bulk data encryption, authentication

CBC mode (Cont )CBC mode (Cont )




CBC mode (Cont«.)CBC mode (Cont«.)

GoalGoal: the same plaintext block is encrypted into: the same plaintext block is encrypted intodifferent ciphertext blockdifferent ciphertext block

Initial vector (IV)Initial vector (IV)

± ± 6464--bit longbit long

± ± Fixed, or negotiated between sender and receiver Fixed, or negotiated between sender and receiver

PaddedPadded plaintext: P¶= Pplaintext: P¶= P11PP22«P«PNN

Ciphertext: C = CCiphertext: C = C11CC22«C«CNN

± ± CC11=E=EKK(IV(IV �� PP11))

± ± CCii=E=EKK(C(Cii--11�� PPii), 2), 2eeiieeNN




CBC mode (cont.)CBC mode (cont.)






± ± Key: KKey: K

± ± Ciphertext: C=CCiphertext: C=C11CC22«C«CNN

± ± Padded plaintext: P=PPadded plaintext: P=P11PP22«P«PNN

PP11=D=DKK(C(C11)) �� IVIV

PPii= D= DKK(C(Cii)) �� CCii--11= C= Cii--11��PPii��CCii--11








Advantages and Limitations of CBC Advantages and Limitations of CBC

each ciphertext block depends oneach ciphertext block depends on allall message blocksmessage blocks

thus a change in the message affects all ciphertextthus a change in the message affects all ciphertextblocks after the change as well as the original blockblocks after the change as well as the original block

needneed Initial ValueInitial Value (IV) known to sender & receiver (IV) known to sender & receiver

± ± however if IV is sent in the clear, an attacker can change bits of however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensatethe first block, and change IV to compensate

± ± hence either IV must be a fixed value (as in EFTPOS) or it musthence either IV must be a fixed value (as in EFTPOS) or it mustbe sent encrypted in ECB mode before rest of messagebe sent encrypted in ECB mode before rest of message

at end of message, handle possible last short blockat end of message, handle possible last short block

± ± by padding either with known nonby padding either with known non--data value (eg nulls)data value (eg nulls) ± ± or pad last block with count of pad sizeor pad last block with count of pad size

eg. [ b1 b2 b3 0 0 0 0 5] <eg. [ b1 b2 b3 0 0 0 0 5] <-- 3 data bytes, then 5 bytes pad+count3 data bytes, then 5 bytes pad+count




CFB mode (Cipher feedback)CFB mode (Cipher feedback)

Stream cipher modeStream cipher mode

OneOne--time padtime pad

Block size: J bits, 1Block size: J bits, 1eeJJee

6464NeedNeed no paddingno padding in most casesin most cases

± ± For example, between key board andFor example, between key board and

computer, we set J=8computer, we set J=8




CFB mode (cont.)CFB mode (cont.)

Encryption: JEncryption: J--bit CFBbit CFB

± ± Plaintext: P = PPlaintext: P = P11PP22��PPNN, P, Pii¶s are J¶s are J--bit blocksbit blocks

± ± SSJJ(X): the leftmost(X): the leftmost J bitsJ bits of Xof X

± ± TT6464--JJ(Y): the rightmost(Y): the rightmost 6464--JJ bits of Ybits of Y

± ± Algorithm Algorithm

R=IVR=IV

For i=1 to NFor i=1 to N ± ± CCii= P= Pii �� SSJJ(E(EKK(R))(R))

± ± R=TR=T6464--JJ(R)||C(R)||Cii--11




CFB mode (cont.)CFB mode (cont.)

Decryption: JDecryption: J--bit CFBbit CFB

± ± Ciphertext: C= CCiphertext: C= C11CC22��CCNN, C, Cii¶s are J¶s are J--bit blocksbit blocks

± ± SSJJ(X): the leftmost J bits of X(X): the leftmost J bits of X

± ± TT6464--JJ(Y): the rightmost 64(Y): the rightmost 64--J bits of YJ bits of Y

± ± Algorithm Algorithm

R=IVR=IV

For i=1 to NFor i=1 to N ± ± PPii= C= Cii �� SSJJ(E(EKK(R))(R))

± ± R=TR=T6464--JJ(R)||C(R)||Cii--11







Advantages and Limitations of CFB Advantages and Limitations of CFB

appropriate when data arrives in bits/bytesappropriate when data arrives in bits/bytes

most common stream modemost common stream mode

limitation is need to stall while do blocklimitation is need to stall while do blockencryption after every nencryption after every n--bitsbits

note that the block cipher is used innote that the block cipher is used in

encryptionencryption mode atmode at bothboth endsends

errors propagate for several blocks after errors propagate for several blocks after

the error the error

OFB mode (Output feedback)OFB mode (Output feedback)




( p )( p )

Similar to CFB, butSimilar to CFB, but output (not ciphertext) isoutput (not ciphertext) is

fed backfed backuses: stream encryption over noisy channelsuses: stream encryption over noisy channels

Advantage Advantage

± ± Bit errors in CBit errors in Cii won¶t propagate to decryptionwon¶t propagate to decryptionerrorserrors of Cof C j j, j>I, j>I

DisadvantageDisadvantage

± ± Complement bits of CComplement bits of Cii result in complementingresult in complementing

bits in Pbits in Pii

Not suitable for error Not suitable for error--correcting (See the nextcorrecting (See the next

decryption figure)( modify one bit of C1)decryption figure)( modify one bit of C1)







Counter (CTR)Counter (CTR)

a ³new´ mode, though proposed early ona ³new´ mode, though proposed early on

similar to OFB but encrypts counter valuesimilar to OFB but encrypts counter value

rather than any feedback valuerather than any feedback value

must have amust have a different key & counter valuedifferent key & counter value

for every plaintext block (never reused)for every plaintext block (never reused)

CCii = P= Pii XOR OXOR Oii

OOii = DES= DESK1K1(i)(i)

uses: highuses: high--speed network encryptionsspeed network encryptions




Counter (CTR)Counter (CTR)




Advantages and Limitations of CTR Advantages and Limitations of CTR

efficiencyefficiency

± ± can docan do parallel encryptionsparallel encryptions

± ± in advancein advance of needof need

± ± good for bursty high speed linksgood for bursty high speed links

random accessrandom access to encrypted data blocksto encrypted data blocks

provable security (good as other modes)provable security (good as other modes) ??

but must ensure never reuse key/counter but must ensure never reuse key/counter

values, otherwise could break (cf OFB)values, otherwise could break (cf OFB)




Modes of operations (Modes of operations (SummarySummary))

Advantages and disadvantages: Advantages and disadvantages: goalsgoals

± ± Same plaintext blocks => Same Cipher Same plaintext blocks => Same Cipher

blocksblocks

± ± Padding problemPadding problem

± ± Stream cipher => Error propagationStream cipher => Error propagation

± ± Parallel encryption/decryptionParallel encryption/decryption




Ch06Ch06 -- Double DESDouble DES

Key size K=(KKey size K=(K11, K, K22): 112 bits): 112 bits

C=EC=EK2K2(E(EK1K1(P))(P))

6 .4.1 Double DE S




The first approach is to use double DE S (2 DE S).

Meet-in-the-Middle Attack

However, using a known-plaintext attack called meet-in-

the-middle attack proves that double DE S improves this

vulnerability slightly (to 257

tests), but not tremendously(to 2112 ).




Double DES (cont.)Double DES (cont.)

MeetMeet--inin--thethe--middle attackmiddle attack

± ± Given a pair (P, C)Given a pair (P, C)

± ± Let KLet Kii be thebe the i i th key of the key space, 0th key of the key space, 0 ee ii ee225656--11

± ± Compute MCompute Mii=E=EKiKi(P), 0(P), 0 ee ii ee225656

--11 ± ± ComputeCompute NN j j=D=DKjKj(C),(C), 00 ee ii ee225656--11

± ± Check whether Mi=NjCheck whether Mi=Nj

If so, K=(Ki, Kj) is very likely to be the secret keyIf so, K=(Ki, Kj) is very likely to be the secret key

± ± Time: 2Time: 25656++225656=2=25757

± ± The memory size for Mi¶s: 2The memory size for Mi¶s: 25656××64 bits64 bits

we need not store Nj¶s.we need not store Nj¶s.

6 .4.1 Continued




Figure 6.14 Meet-in-the-middle attack for double DE S

6 .4.1 Continued




Figure 6.15 Tables for meet-in-the-middle attack

6 .4.2 Triple DE S




Figure 6.16 Triple DE S with two keys

Triple DESTriple DES



----VIJAY KATTAVIJAY KATTA----9797

Triple DESTriple DES

Plaintext,Plaintext, ciphertextciphertext:: 6464 bitsbitsKeyKey K=(KK=(K11,, KK22)):: 112112 bitsbits

EncryptionEncryption:: C=EC=EKK11(D(DKK22(E(EKK11(P)))(P)))

Decryption: P=DDecryption: P=DK1K1

(E(EK2K2

(D(DK1K1

(P)))(P)))

Advantages Advantages

± ± Key size is larger Key size is larger

± ± Compatible with regular oneCompatible with regular one--key DESkey DES

Set KSet K11=K=K22=K (56=K (56--bit)bit)CC=E=EKK(D(DKK(E(EKK(P)))=E(P)))=EKK(P)(P)

PP=D=DKK(E(EKK(D(DKK(P)))=D(P)))=DKK(P)(P)




6 .4.2 Continuous




Triple DE S with Three K eys

The possibility of known-plaintext attacks on triple DE S with two keys has enticed some applications to use triple

DE S with three keys. Triple DE S with three keys is used

by many applications such as PGP (See Chapter 16 ).

IDEA«IDEA«




(International Data Encryption(International Data Encryption

Algorithm) Algorithm)Plain text = 64 bit.Plain text = 64 bit.

Key =128 bit.Key =128 bit.

Sub key = 52. (16 bit each)Sub key = 52. (16 bit each)

Cipher text = 64.Cipher text = 64.

Number of identical rounds =8.(6 key inNumber of identical rounds =8.(6 key in

each round)each round)

And one output transformation round(4 And one output transformation round(4

key)key)




Design IssuesDesign Issues

The design philosophy behind theThe design philosophy behind the

algorithm is one of ³ mixing operation fromalgorithm is one of ³ mixing operation from

different algebraic groups´.different algebraic groups´.

1) XOR1) XOR

2)Addition modulo 22)Addition modulo 21616

3) Multiplication modulo 23) Multiplication modulo 21616 + 1+ 1




E i K G iE i K G i




Encryption Key Generation.Encryption Key Generation.

E ti Al ithE ti Al ith




Encryption Algorithm.Encryption Algorithm.

Sequence of operationSequence of operation




1)Multiply x1 and first sub key(sk)1)Multiply x1 and first sub key(sk)

2)Add x2 and second sk2)Add x2 and second sk3)Add x3 and third sk3)Add x3 and third sk

4)Multiply x4 and fourth sk4)Multiply x4 and fourth sk

5) Step 15) Step 1��

step 3step 36)6) Step 2Step 2 �� step 4step 4

7)Multiply step 5 with fifth sk.7)Multiply step 5 with fifth sk.

8)Add result of step 6 and step 78)Add result of step 6 and step 7

9) Multiply result of step 8 with sixth sk.9) Multiply result of step 8 with sixth sk.

10)Add result of step 7 and step 9.10)Add result of step 7 and step 9.

Continue..Continue..




Continue..Continue..

11) XOR result of steps 1 and step 9.11) XOR result of steps 1 and step 9.




O ti i t t t f tiO ti i t t t f ti




Operation in output transformationOperation in output transformation

1)Multiply x1 with first sk.1)Multiply x1 with first sk.

2)Add x2 and second sk.2)Add x2 and second sk.

3)Add x3 and third sk.3)Add x3 and third sk.

4)Multiply x4 and fourth sk.4)Multiply x4 and fourth sk.

N t tiN t ti




Next generationNext generation

NIST begin the process of selecting theNIST begin the process of selecting thenextnext--generation secretgeneration secret--key encryptionkey encryptionalgorithm in 1998.algorithm in 1998.

Advanced encryption standard (AES) Advanced encryption standard (AES) ± ± Rijndael (Rijndael (Chapter 5Chapter 5))

Plaintext, ciphertext:Plaintext, ciphertext: at least 128 bitsat least 128 bits..

Key size: flexible,Key size: flexible, at least 128 bitsat least 128 bits..You can check its web.You can check its web.

± ± Http://www.nist.gov/aesHttp://www.nist.gov/aes

St Ci hSt Ci h




Stream CiphersStream Ciphers

process the messageprocess the message bit by bit (or byes) (as abit by bit (or byes) (as astream)stream)

typically have atypically have a (pseudo) random(pseudo) random stream keystream key

combined (combined (XORXOR) with plaintext bit by bit) with plaintext bit by bitrandomness of randomness of stream keystream key completely destroyscompletely destroys

any statistically properties in the messageany statistically properties in the message

±± CCii = M= Mii XOR StreamKeyXOR StreamKeyii

what could be simpler!!!!what could be simpler!!!!

but must never reuse stream keybut must never reuse stream key

± ± otherwise can remove effect and recover messagesotherwise can remove effect and recover messages

St Ci h P tiSt Ci h P ti




Stream Cipher PropertiesStream Cipher Properties

some design considerations are:some design considerations are:

± ± long period with no repetitionslong period with no repetitions

± ± statistically randomstatistically random

± ± depends ondepends on large enough keylarge enough key ± ± large linear complexitylarge linear complexity

± ± correlation immunitycorrelation immunity

± ± confusionconfusion

± ± diffusiondiffusion

± ± use of highly nonuse of highly non--linear boolean functionslinear boolean functions

St Ci hSt Ci h RC4RC4




Stream Cipher Stream Cipher:: RC4RC4

a proprietary cipher owned by RSA DSIa proprietary cipher owned by RSA DSI

another Ron Rivest design, simple but effectiveanother Ron Rivest design, simple but effective

variable key size, bytevariable key size, byte--oriented stream cipher oriented stream cipher

widely used (web SSL/TLS,widely used (web SSL/TLS, WLAN WEPWLAN WEP--notnotsecure)secure)

key forms random permutation of all 8key forms random permutation of all 8--bit valuesbit values

uses that permutation to scramble input infouses that permutation to scramble input infoprocessed a byte at a timeprocessed a byte at a time

WLAN WEP (WLAN securityWLAN WEP (WLAN security

requirement and some attacks ppt)requirement and some attacks ppt)




WLANs

protocol standardIEEE 802.11a802.11b802.11g

(WEP)802.11i (TKIP short-term solution)

requirement and some attacks.ppt)requirement and some attacks.ppt)






Problems withWEP24-bit IVs are too short

The CRC checksum is used byWEP for integrity

protection

WEP combines the IV with the key in a way that enablescryptanalytic attacks

Integrity protection for source and destination addresses

is not provided







TKIPIEEE 802.11i short-term solutionA message integrity code (MIC), called Michael,to

defeat forgeries;

A packet sequencing discipline, to defeat replay attacks

A per-packet key mixing function, to prevent attack

Long-term solution

A single key to provide confidentiality and integrity

Provide integrity protection for the plaintext packet

header, as well as







WEPWEP TKIPTKIP

Cipher Key Size(s)Cipher Key Size(s) RC4 40RC4 40 or 104or 104--bitbit

encryptionencryption

RC4 128RC4 128--bitbit encryptionencryption

6464--bit authenticationbit authentication

Key Lifetime Per Key Lifetime Per--packetpacket--keykey 2244--bit wrapping IVbit wrapping IVConcatenate IV toConcatenate IV to

base keybase key

4848--bit IV TKIP mixingbit IV TKIP mixingfunctionfunction

Packet Data ReplayPacket Data Replay

detectiondetection

CRCCRC--3232

NoneNone

MichaelMichael

Enforcing IVEnforcing IV

sequencingsequencingKey ManagementKey Management NoneNone IEEE802.1XIEEE802.1X


WLAN EAP (EAP series methods onWLAN EAP (EAP series methods on

wireless security ppt)wireless security ppt)




IEEE 802.1X provide both authentication and keymanagement

EAP RADIUS

wireless security.ppt)wireless security.ppt)

WLAN EAP (EAP series methodsWLAN EAP (EAP series methods



EAP seriesEAP series ± ± PasswordPassword--basedbased

LEAPLEAP

EAPEAP--SKESKE

EAPEAP--SRPSRPEAPEAP--SPEKESPEKE

EAPEAP--SIM (GSM/GPRS, SIM card)SIM (GSM/GPRS, SIM card)

EAPEAP--AKA (3G AKA (3G--UMTS, USIM card)UMTS, USIM card)

± ± CertificateCertificate--basedbased

EAPEAP--TLSTLSEAPEAP--TTLSTTLS

PEAPPEAP

on wireless security.ppt)on wireless security.ppt)

Documents

S DES and DES Complete