wireless comm systems3


Block 3: Modern Symmetric Key Cryptography

Objectives

Appreciate that many block ciphers are Feistel ciphers.

Be able to explain how a Feistel cipher works.

Be able to outline the architecture, modes of operation and applications of the DES.

Be able to outline the architecture of the AES.

Feistel Ciphers and the DES


Block Ciphers

The Data Encryption Standard (DES) was developed from IBM's Lucifer cipher.

It is based on the Feistel Ladder

Almost all block ciphers since Lucifer have been Feistel ciphers

Such ciphers have a flat keyspace (with the possible exception of a few weak keys).

o this means the cipher is equally difficult to attack whichever key is chosen.

The 3G system encryption and integrity algorithms are both built around the KASUMI block cipher which is a Feistel cipher with 8 rounds.


Feistel Ciphers

The plaintext is viewed as a pair of n-bit words. A function f is chosen and a new pair is formed from the old one using f and bitwise addition modulo 2.

This step is called a round and is repeated as many times as required, choosing a different f each time.

A Feistel cipher gets its strength from the fact that a number of rounds involving non-linear transformations are applied to the data.

Careful choice of the nonlinear functions can help ensure that easy-to-solve sets of equations are unlikely to arise.

[Figure: one round of a Feistel cipher acting on a pair of n-bit words]

The Feistel Ladder

[Figure: example Feistel cipher with seven rounds. Message words m0, m1, ..., m8 are combined with the round functions fk1, ..., fk7 using +]

To make the example easier to follow we use functions over the set {0, 1, 2, 3, 4} and addition modulo 5 as our mixing operation. The plaintext pair is enciphered as follows:

Encode (round functions as tables x → f(x), values in {0, 1, 2, 3, 4}):

f1: 0→4, 1→2, 2→4, 3→1, 4→1
f2: 0→3, 1→2, 2→4, 3→2, 4→0
f3: 0→0, 1→2, 2→3, 3→0, 4→3

Plaintext pair (3, 2) → after f1: (2, 2) → after f2: (2, 1) → after f3: (1, 4)

The ciphertext pair (1, 4) is sent over the communication channel.

Ciphertext is deciphered as follows:

Decode (the rounds are undone in reverse order, subtracting modulo 5):

f3: 0→0, 1→2, 2→3, 3→0, 4→3
f2: 0→3, 1→2, 2→4, 3→2, 4→0
f1: 0→4, 1→2, 2→4, 3→1, 4→1

Ciphertext pair (1, 4) from the communication channel → undo f3: (2, 1) → undo f2: (2, 2) → undo f1: (3, 2), the original plaintext.

To emphasise that this process is invertible for every message, every plaintext block of two characters was encrypted.

[Table: all possible plaintext pairs and the corresponding ciphertexts]

Notice that the corresponding ciphertext pairs are all distinct.
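The toy Feistel cipher of the worked example, as an added example that is not part of the notes: words from {0, 1, 2, 3, 4}, addition modulo 5 as the mixing operation, and the round tables f1, f2, f3 from the slides. It encrypts (3, 2) to (1, 4), decrypts it back, and checks the "all plaintext pairs" claim by verifying that the 25 ciphertexts are distinct; the function names are this example's own.

```python
# Round functions from the slides, as tables x -> f(x) over {0, 1, 2, 3, 4}.
# f1 is not even invertible (0 and 2 both map to 4), yet the cipher is.
F = [
    {0: 4, 1: 2, 2: 4, 3: 1, 4: 1},  # f1
    {0: 3, 1: 2, 2: 4, 3: 2, 4: 0},  # f2
    {0: 0, 1: 2, 2: 3, 3: 0, 4: 3},  # f3
]
MOD = 5  # the slides use addition modulo 5 as the mixing operation

def feistel_encrypt(pair, funcs=F, mod=MOD):
    # One round maps (a, b) to (b, a + f(b)); the right word passes through
    # unchanged, which is why f never has to be invertible.
    a, b = pair
    for f in funcs:
        a, b = b, (a + f[b]) % mod
    return (a, b)

def feistel_decrypt(pair, funcs=F, mod=MOD):
    # Undo the rounds in reverse order: from (b, c) recover (c - f(b), b).
    b, c = pair
    for f in reversed(funcs):
        b, c = (c - f[b]) % mod, b
    return (b, c)

def all_ciphertexts(funcs=F, mod=MOD):
    # Encrypt every possible plaintext pair (the "all possible plaintext pairs" slide).
    return {(a, b): feistel_encrypt((a, b), funcs, mod)
            for a in range(mod) for b in range(mod)}

def is_permutation(funcs=F, mod=MOD):
    # The cipher is invertible on every message iff all ciphertexts are distinct.
    table = all_ciphertexts(funcs, mod)
    return len(set(table.values())) == len(table)

if __name__ == "__main__":
    ct = feistel_encrypt((3, 2))
    print("(3, 2) ->", ct, "->", feistel_decrypt(ct))
    print("all 25 ciphertexts distinct:", is_permutation())
```

Any other tables can be passed as funcs, so the same code checks that the ladder stays a permutation no matter how badly the round functions are chosen.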


The Data Encryption Standard (DES)

An algorithm published in 1977 by the American National Bureau of Standards

A monoalphabetic (block) cipher with an alphabet of letters.

Officially it is now known as the Data Encryption Algorithm (DEA), but it is still usually referred to as DES.

The operation of DES is complex and a demonstration of its operation is provided in CrypTool which you can run at your own pace.

In the pull down menu go to:

Indiv. Procedures/Visualization of Algorithms/DES

A summary of the operation of DES is provided below which you should read in conjunction with the demonstration.

The cipher used to encrypt data traffic in WiMAX 802.16-2004 is 56-bit DES in cipher block chaining (CBC) mode.


After passing through an initial bit permutation (IP) the 64 bits are passed through a 16-round Feistel cipher and then through the inverse permutation IP^-1.

The initial permutation is not cryptographically significant.

The DES ladder is a Feistel ladder with 16 stages or rounds.

Each of the stages in the ladder has the following structure:

Each of the 16 stages requires a 48 bit subkey, ki.

These are generated from the original 56 bit key according to the following key schedule.

[Figure: DES key schedule. The 56-bit key is split into two 28-bit halves, from which each 48-bit subkey is selected]

The E-box expands a 32 bit block to a 48 bit block by permuting bits and repeating some.

This ensures that each input bit can affect the result of more than one application of S-box so that each output bit depends on every input bit after as few rounds of the cipher as possible.

The E-box also makes the result the same size as the subkey for the XOR operation and provides a longer result that can be compressed in the S-box.

The 56-bit key is split into two halves, the halves are circularly shifted by either one or two bits depending on the round, and finally 48 of the 56 bits are selected and their order permuted.

The S-box splits its 48 bit input into 8 blocks of 6 bits. Each 6 bit block is mapped to a 4 bit result in a substitution table and thus the output of S is again 32 bits.

Note that these 8 substitutions are independent of each other. Much of the work in designing DES was to design the 8 S-box tables.

The S-box tables are nonlinear transformations, the crucial elements of the cipher.

The resulting 32 bits are permuted in the P-box.

[Figure: one DES round. The 32-bit right half is expanded by E to 48 bits, XORed with the 48-bit subkey ki, reduced to 32 bits by the S-boxes, permuted by P and XORed into the left half]

DES Configurations

They are defined in the ANSI Standard X3.106-1982, Modes of Operation of the DEA.

ECB: Electronic Codebook

In this mode a 64 bit plaintext is encrypted once using one 56 bit DES key.

This mode is vulnerable to known plaintext attack by exhaustive key search.

A symmetry means that there are “only” keys to try. This is a big number, but not so big that it is out of range of special purpose hardware, or massively parallel processors.

ECB mode is generally used only for key encryption.

[Figure: ECB mode. Each plaintext input block passes through DES Encrypt to give a ciphertext output block; DES Decrypt maps each ciphertext block back to plaintext]

The Electronic Frontier Foundation funded a team of engineers to build a DES cracking machine at a cost of $210,000.

o In a demonstration at a 1998 Crypto conference, the device produced the plaintext to a DES message in less than 24 hours.

More recently, the vulnerability of DES in this mode to a known plaintext attack has led to its replacement by triple DES.

Triple Encryption

One could increase the strength of a block cipher by applying it twice with different keys; this would appear to increase the size of the keyspace to search to keys (from ).

BUT double-DES is vulnerable to a known plaintext attack, the meet-in-the-middle attack that only needs rather than encryptions to be performed.

Better is triple DES with three different DES keys.

Triple DES works because DES is not a group, so encrypting a plaintext under one DES key and then encrypting the result under another key is not always equivalent to a single encryption under a single key.

[Figure: triple DES with keys K1, K2 and K3. Encryption applies DES Encrypt three times, once under each key; decryption applies DES Decrypt three times]

Triple DES is now very popular, primarily because key size remains in practice the only true point of attack in DES.

The best meet in the middle attack for triple DES with three keys requires trial encryptions, and thus effectively doubles the key size of DES to 112 bits, and should prevent decryption by an enemy capable of single-key exhaustive search.

Of course, using triple-encryption takes three times as long as single-encryption DES.

WiMAX 802.16-2004 uses Triple-DES key wrapping in its Privacy and Key Management protocol.

CBC: Cipher Block Chaining

In CBC mode, a random initialisation vector (IV) is transmitted and also XORed with the first block of plaintext.


The result is then encrypted with DES and transmitted.

The result is also XORed with the next data block and the process repeated.

CBC mode helps protect against certain attacks, although not against exhaustive search or a technique called differential analysis.

This is a useful technique for preventing an adversary from building up a codebook of plaintext-ciphertext pairs.

It also prevents replay and deletion of single blocks, although it does not provide full authentication.

In practice, CBC is a widely used mode of DES, and is specified in several standards.

For additional security, one could use triple encryption with CBC, but since single DES in CBC mode is usually considered secure enough, triple encryption is not often used.

[Figure: CBC mode. Each plaintext block is XORed with the previous ciphertext block (the IV for the first block) and then passed through DES Encrypt; decryption passes each ciphertext block through DES Decrypt and XORs the result with the previous ciphertext block (or the IV)]

CFB: Cipher Feedback Mode

This is a variant of CBC which does not require that a full 64 bit block is received before encryption can begin.

The plaintext is enciphered in blocks of k bits at a time and each ciphertext block of k bits is fed into a 64 bit shift register.

The shift register is the input to the DES for the next block of k bits.

This mode is useful when the text is character-based and in some network applications where data blocks are smaller than 64 bits.

Both CBC and CFB have the disadvantage that any missing or inserted bits at any point in the message will cause all subsequent message blocks to be incorrectly deciphered.

o This is called error propagation.


OFB: Output Feedback

OFB mode protects against error propagation because ciphertext is not fed back into either the encryption or decryption process.

For security, even if only k bits are output at each stage, all 64 bits should be used for feedback.


Example: Mickey Mouse

Original picture


Encrypted in ECB mode


Weak Keys

In DES there are four keys for which encryption is exactly the same as decryption so encrypting twice with one of these weak keys recovers the original plaintext.

However, the number of weak keys is such a small fraction of all possible keys that the chance of picking one at random is very small so they pose no significant threat to security.

Algebraic Attacks

DES is not open to any attack based on the algebraic structure of groups because it has been proved not to be a group.


Encrypted in CBC mode


DES has been controversial since its inception for a number of reasons:

Design details were kept secret.

This led to speculation that it had a trapdoor. (In reality the reason was that DES was designed to be resistant to differential cryptanalysis. When DES was designed this method of attack was known only to the intelligence community and was classified.)

Shortness of the key also caused controversy.

It has been argued that it should be 128 bits as in the original Lucifer system.

DES is now very old and ECB mode is now vulnerable to a known plaintext attack by exhaustive key search.

Advanced Encryption Standard (AES) has been proposed as the replacement for DES.

There are of course other block ciphers and the following have gained commercial acceptance:

IDEA, Blowfish, RC4, CAST-128.


Modes of operation for symmetric key block ciphers

In 2001 NIST issued a recommendation that: “defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm:

Electronic Codebook (ECB)

Cipher Block Chaining (CBC)

Cipher Feedback (CFB)

Output Feedback (OFB)

Counter (CTR)

Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.”


CTR: Counter

In both CTR encryption and CTR decryption, the forward cipher functions can be performed in parallel.

Similarly, the plaintext block that corresponds to any particular ciphertext block can be recovered independently from the other plaintext blocks if the corresponding counter block can be determined.

Moreover, the forward cipher functions can be applied to the counters prior to the availability of the plaintext or ciphertext data.

In Wi-Fi RSN the security protocol built around AES is called Counter Mode – CBC MAC Protocol or CCMP.

Basic counter mode does not provide any message authentication, only encryption.

o Therefore, for RSN, additional capabilities are added.
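The ECB, CBC and CTR modes described above, as an added example that is not from the notes. Python's standard library has no DES, so a toy 8-byte keyed byte substitution (an assumption of this example, not a secure cipher) stands in for DES Encrypt; what the example shows is the mode logic, the ECB pattern leak behind the Mickey Mouse picture, and how a corrupted ciphertext block affects CBC decryption.

```python
import hashlib
BLOCK = 8  # DES block size in bytes; the toy stand-in keeps it

def _sbox(key):
    # Key-dependent permutation of the 256 byte values (TOY: sort by a hash).
    return sorted(range(256), key=lambda b: hashlib.sha256(key + bytes([b])).digest())

def toy_encrypt(key, block):
    # Stands in for "DES Encrypt": XOR the 8-byte key in, then substitute bytes.
    s = _sbox(key)
    return bytes(s[x ^ k] for x, k in zip(block, key))

def toy_decrypt(key, block):
    inv = {v: i for i, v in enumerate(_sbox(key))}
    return bytes(inv[y] ^ k for y, k in zip(block, key))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    assert len(data) % BLOCK == 0, "example assumes whole blocks (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # ECB: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
    return b"".join(toy_encrypt(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    # CBC: XOR each plaintext block with the previous ciphertext block (IV first).
    out, prev = [], iv
    for p in blocks(pt):
        prev = toy_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    # A flipped ciphertext bit garbles its own block and flips the same bit in
    # the next block only; blocks after that decrypt correctly again.
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce4, data):
    # CTR: encrypt nonce||counter blocks to make a keystream. The same call
    # decrypts, and every keystream block can be computed independently or ahead.
    ks = [toy_encrypt(key, nonce4 + i.to_bytes(4, "big")) for i in range(len(blocks(data)))]
    return xor(data, b"".join(ks))
```

Encrypting a plaintext of four identical blocks with ecb_encrypt yields four identical ciphertext blocks, while cbc_encrypt with any IV does not.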


Advanced Encryption Standard

DEA was designed for hardware implementation and consequently cannot be implemented efficiently in software.

Consequently, Triple DES is relatively slow to encrypt and decrypt when implemented in software and a more efficient replacement is desirable.

Furthermore, Triple DES encodes messages in blocks of 64-bits and a larger block size, giving a larger input alphabet, is desirable for greater security.

In 1997 the US National Institute for Standards and Technology (NIST) announced it would be developing an Advanced Encryption Standard (AES) as a replacement for DES.

NIST stipulated that AES would specify an unclassified publicly disclosed encryption algorithm available royalty free, worldwide, and that the algorithm would be a symmetric key block cipher supporting input blocks of at least 128 bits and key sizes of 128, 192, and 256 bits.

After a rigorous evaluation process, the Rijndael cipher was selected by NIST for the AES on 2 October 2000 from an original field of 15 candidates.

The Rijndael cipher was invented by Belgian researchers Joan Daemen and Vincent Rijmen.


AES was published as Federal Information Processing Standards (FIPS) publication 197 on 4 December 2001.

Algorithm specification

The Rijndael cipher is an iterated block cipher with a variable block length and variable key length where a block is the smallest data size the algorithm will encrypt.

The block length and key length can be independently specified to be 128, 192 or 256 bits.

However, the variations of Rijndael which act on the larger block sizes are not included in AES.

Rijndael is not a Feistel cipher.

AES contains nonlinear (S-box substitution) and linear (shiftrow and mixcolumn) mixing layers.

Each block of plain text is encrypted several times with a repeating sequence of various functions that constitute a so called round.

The number of rounds used depends on the key length.

For a key length of 128 bits 10 rounds are used, for a key length of 192 bits 12 rounds are used, and for a key length of 256 bits 14 rounds are used.

For an excellent demonstration of 10 round AES encryption from the CrypTool pull down menu choose:


Indiv.Procedures/VisualizationofAlgorithms/AES/Rijndael Animation

For an illustration of AES decryption choose:

Indiv.Procedures/VisualizationofAlgorithms/AES/Rijndael Inspector


Concluding Remarks

On 17 May 2005 software implementations of AES were shown to be vulnerable to a timing attack.

o Timing attacks assume that an attacker knows how long a particular encryption operation takes.

o At the moment it is not clear how serious a problem this attack represents.

The recommended modes of operation of AES are ECB, CBC, CFB, OFB and CTR, although many others have been proposed.

The result of every step in the encryption process is dependent on every bit of the key.

AES has very limited RAM and ROM memory requirements and so is suitable for use in restricted-resource environments such as smart cards.

o One current recommendation for the 3GPP AKA algorithms is MILENAGE, which is based on AES.

It is likely to take several years for AES to replace DES.

It is important to note that AES is freely available worldwide.
