Classical Encryption Techniques - PowerPoint

Modern Block Ciphers

CSE 651: Introduction to Network Security

Summary
• Block Ciphers (Chapter 3)
• Feistel Cipher Structure (Chapter 3)
• DES: Data Encryption Standard (Ch. 3)
• 3DES (Ch 6.1)
• AES: Advanced Encryption Standard (Ch.
  5.2)

 Monoalphabetic Substitution Cipher

• Shuffle the letters and map each plaintext letter to a
  different random ciphertext letter:
   Plain letters: abcdefghijklmnopqrstuvwxyz
   Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
   Plaintext: ifwewishtoreplaceletters
   Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
• What does a key look like?


            Playfair Key Matrix
•   Use a 5 x 5 matrix.
•   Fill in letters of the key (w/o duplicates).
•   Fill the rest of matrix with other letters.
•   E.g., key = MONARCHY.
            M     O     N     A     R
            C     H     Y     B     D
            E     F     G     I/J   K
            L     P     Q     S     T
            U     V     W     X     Z
           Vigenère Cipher
• Simplest polyalphabetic substitution cipher
• Consider the set of all Caesar ciphers:
          { C_a, C_b, C_c, ..., C_z }
• Key: e.g. security
• Encrypt each letter using C_s, C_e, C_c, C_u, C_r,
  C_i, C_t, C_y in turn.
• Repeat from start after C_y.
• Decryption simply works in reverse.

Basic idea of modern block ciphers

• From classical ciphers, we learn two techniques
  that may improve security:
  – Encrypt multiple letters at a time
  – Use multiple ciphertext alphabets (Polyalphabetic
    ciphers)
• Combining these two techniques
  – encrypt eight (or more) letters at a time
     • called a block cipher
  – and use an extremely large number of ciphertext
    alphabets
     • will be called modes of operation
                   Block Ciphers
• In general, a block cipher replaces a block of N plaintext bits
  with a block of N ciphertext bits. (E.g., N = 64 or 128.)
• A block cipher is a monoalphabetic cipher.
• Each block may be viewed as a gigantic character.
• The “alphabet” consists of 2^N gigantic characters.
• Each particular cipher is a one-to-one mapping from the
  plaintext “alphabet” to the ciphertext “alphabet”.
• There are (2^N)! such mappings.
• A secret key indicates which mapping to use.

           Ideal Block Cipher

• An ideal block cipher would allow us to use
  any of these (2^N)! mappings.
  – The key space would be extremely large.
• But this would require a key of log2((2^N)!) bits.
• If N = 64,
  log2((2^N)!) ≈ N × 2^N ≈ 10^21 bits ≈ 10^11 GB.
• Infeasible!
          Practical Block Ciphers
• Modern block ciphers use a key of K bits to specify a
  random subset of 2^K mappings.
• If K ≈ N,
   – 2^K is much smaller than (2^N)!
   – But is still very large.
• If the selection of the 2^K mappings is random, the
  resulting cipher will be a good approximation of the
  ideal block cipher.
• Horst Feistel, in the 1970s, proposed a method to achieve
  this.
   The Feistel Cipher Structure
• Input: a data block and a key
• Partition the data block into two halves L and
  R.
• Go through a number of rounds.
• In each round,
  – R does not change.
  – L goes through an operation that depends on R
    and a round key derived from the key.

[Figure: The Feistel Cipher Structure, round i (inputs L_{i-1}, R_{i-1}; function f with round key k_i; XOR; outputs L_i, R_i)]
Mathematical Description of Round i
• Let L_{i-1} and R_{i-1} be the input of round i, and
  L_i and R_i the output.
• We have
      L_i := R_{i-1}
      R_i := L_{i-1} ⊕ F(R_{i-1}, K_i)
• Or, (L_i, R_i) := σ ∘ φ_i (L_{i-1}, R_{i-1}), where
      φ_i : (x, y) → (x ⊕ F(y, k_i), y)
      σ : (x, y) → (y, x)
• Note that φ_i^{-1} = φ_i and σ^{-1} = σ.

Feistel Cipher
• Goes through a number of rounds, say 16 rounds.
• A Feistel cipher encrypts a plaintext block m as:
      c := E_k(m) := σ ∘ (σ ∘ φ_16) ∘ ⋯ ∘ (σ ∘ φ_2) ∘ (σ ∘ φ_1)(m)
• The decryption will be:
      D_k(c) = φ_1^{-1} ∘ σ^{-1} ∘ φ_2^{-1} ∘ σ^{-1} ∘ ⋯ ∘ φ_16^{-1} ∘ σ^{-1} ∘ σ^{-1}(c)
             = φ_1 ∘ σ ∘ φ_2 ∘ σ ∘ ⋯ ∘ σ ∘ φ_16 (c)
• The decryption algorithm is the same as the
  encryption algorithm, but uses round keys in the
  reverse order.
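An added example (not from the original slides) of the Feistel structure: a 16-round network on 64-bit blocks whose round function is a truncated hash, so F is not invertible, yet decryption is the same routine with the round keys reversed. The SHA-256-based round function and key schedule are assumptions made for this demo; they are not the ones DES uses.

```python
import hashlib

ROUNDS = 16
HALF_BITS = 32
HALF_MASK = (1 << HALF_BITS) - 1


def round_function(right, round_key):
    """Toy F(R, K): truncated SHA-256. It is not invertible, and need not be."""
    data = round_key.to_bytes(8, "big") + right.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def derive_round_keys(key):
    """Hypothetical key schedule: round key i = first 8 bytes of SHA-256(key || i)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:8], "big")
            for i in range(1, ROUNDS + 1)]


def feistel(block, round_keys):
    """Run a 64-bit block through the rounds, then undo the last swap."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left


def encrypt(block, key):
    return feistel(block, derive_round_keys(key))


def decrypt(block, key):
    # Same routine as encrypt, with the round keys in reverse order.
    return feistel(block, derive_round_keys(key)[::-1])


def bits_changed(x, y):
    return bin(x ^ y).count("1")


if __name__ == "__main__":
    key = b"constructed demo key"
    m = 0x0123456789ABCDEF
    c = encrypt(m, key)
    print(f"c = {c:016x}, round trip ok: {decrypt(c, key) == m}")
    print("ciphertext bits changed by a 1-bit plaintext change:",
          bits_changed(c, encrypt(m ^ 1, key)))
```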
  DES: The Data Encryption Standard

• Most widely used block cipher in the world.
• Adopted by NIST in 1977.
• Based on the Feistel cipher structure with 16
  rounds of processing.
• Block = 64 bits
• Key = 56 bits
• What is specific to DES is the design of the F
  function and how round keys are derived from
  the main key.

     Design Principles of DES
• To achieve high degree of diffusion and
  confusion.
• Diffusion: making each plaintext bit affect
  as many ciphertext bits as possible.
• Confusion: making the relationship
  between the encryption key and the
  ciphertext as complex as possible.

DES Encryption
Overview
        Round Keys Generation
• Main key: 64 bits.
• 56 bits are selected and permuted using Permuted
  Choice One (PC1), and then divided into two 28-bit
  halves.
• In each round:
   – Left-rotate each half separately by either 1 or 2
     bits according to a rotation schedule.
   – Select 24 bits from each half, and permute the
     combined 48 bits.
   – This forms a round key.
Permuted Choice One (PC1)

   57   49   41   33   25   17    9
    1   58   50   42   34   26   18
   10    2   59   51   43   35   27
   19   11    3   60   52   44   36
   63   55   47   39   31   23   15
    7   62   54   46   38   30   22
   14    6   61   53   45   37   29
   21   13    5   28   20   12    4

          Initial Permutation IP
•   IP: the first step of the encryption.
•   It reorders the input data bits.
•   The last step of encryption is the inverse of IP.
•   IP and IP^{-1} are specified by tables (see
    Stallings book, Table 3.2) or
    http://en.wikipedia.org/wiki/DES_supplementary_material
[Figure: DES round i (inputs L_{i-1}, R_{i-1}, 32 bits each; function F with 48-bit round key k_i; XOR; outputs L_i, R_i)]
The F function of DES
• L and R each have 32 bits, and the round key K has 48 bits.

• The F function, on input R and K, produces 32 bits:

        F(R, K) = P(S(E(R) ⊕ K))

  where E : expands 32 bits to 48 bits;
        S : shrinks it back to 32 bits;
        P : permutes the 32 bits.

The F function of DES
The Expansion Permutation E
              The S-Boxes
• Eight S-boxes each map 6 to 4 bits
• Each S-box is specified as a 4 x 16 table
  – each row is a permutation of 0-15
  – outer bits 1 & 6 of input are used to select one
    of the four rows
  – inner 4 bits of input are used to select a
    column
• All the eight boxes are different.
    Box S1

          0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
     0   14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
     1    0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
     2    4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
     3   15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13


• For example, S1(101010) = 6 = 0110.


Permutation Function P
           P
     16   7    20   21
     29   12   28   17
      1   15   23   26
      5   18   31   10
      2   8    24   14
     32   27   3    9
     19   13   30   6
     22   11   4    25

               Avalanche Effect
• Avalanche effect:
   – A small change in the plaintext or in the key results in a
     significant change in the ciphertext.
   – evidence of a high degree of diffusion and confusion
   – a desirable property of any encryption algorithm

• DES exhibits a strong avalanche effect
   – Changing 1 bit in the plaintext affects 34 bits in the
     ciphertext on average.
   – 1-bit change in the key affects 35 bits in the ciphertext on
     average.
                Attacks on DES
• Brute-force key search
   – Needs only two plaintext-ciphertext samples
   – Trying 1 key per microsecond would take 1000+ years on
     average, due to the large key space size, 2^56 ≈ 7.2×10^16.

• Differential cryptanalysis
   – Possible to find a key with 2^47 plaintext-ciphertext samples
   – Known-plaintext attack

• Linear cryptanalysis:
   – Possible to find a key with 2^43 plaintext-ciphertext samples
   – Known-plaintext attack

             DES Cracker
• DES Cracker:
  – A DES key search machine
  – contains 1536 chips
  – Cost: $250,000.
  – could search 88 billion keys per second
  – won RSA Laboratory’s “DES Challenge II-2” by
    successfully finding a DES key in 56 hours.
• DES is feeling its age. A more secure
  cipher is needed.
   Multiple Encryption with DES

• In 2001, NIST published the Advanced Encryption
  Standard (AES) to replace DES.

• But users in commerce and finance are not ready to give
  up on DES.

• As a temporary solution to DES’s security problem, one
  may encrypt a message (with DES) multiple times using
  multiple keys:
   – 2DES is not much more secure than the regular DES
   – So, 3DES with either 2 or 3 keys is used
                      2DES
• Consider 2DES with two keys:
    C = E_K2(E_K1(P))

• Decryption:   P = D_K1(D_K2(C))
• Key length: 56 x 2 = 112 bits
• This should have thwarted brute-force attacks?
• Wrong!

Meet-in-the-Middle Attack on 2DES
• 2-DES:        C = E_K2(E_K1(P))

            P → [E_K1] → [E_K2] → C

• Given a known pair (P, C), attack as follows:
   – Encrypt P with all 2^56 possible keys for K1.
   – Decrypt C with all 2^56 possible keys for K2.
   – If E_K1’(P) = D_K2’(C), try the keys on another (P’, C’).
   – If it works, (K1’, K2’) = (K1, K2) with high probability.
   – Takes O(2^56) steps; not much more than attacking 1-DES.
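
Added example, not from the original slides: the steps above scaled down to a constructed 16-bit toy cipher with 10-bit keys, showing that the work is about 2 × 2^K cipher operations rather than 2^(2K), which is why doubling the key length does not double the strength. toy_encrypt, KEY_BITS and the sample keys are assumptions of this sketch and stand in for DES.

```python
from collections import defaultdict

KEY_BITS = 10                      # toy key size; DES uses 56
MULT = 0x2F3D                      # odd, so multiplication mod 2^16 is invertible
MULT_INV = pow(MULT, -1, 1 << 16)


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def toy_encrypt(key, block):
    """Constructed 16-bit toy cipher standing in for DES. Not secure."""
    for r in range(3):
        block = rotl16(((block ^ key) * MULT + r) & 0xFFFF, 5)
    return block


def toy_decrypt(key, block):
    for r in reversed(range(3)):
        block = (((rotl16(block, 11) - r) * MULT_INV) & 0xFFFF) ^ key
    return block


def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Return (candidate key pairs, number of single-cipher operations used)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = defaultdict(list)          # middle value -> every k1 that produces it
    for k1 in range(1 << KEY_BITS):
        table[toy_encrypt(k1, p0)].append(k1)
    ops = 1 << KEY_BITS
    candidates = []
    for k2 in range(1 << KEY_BITS):
        ops += 1
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            # Confirm on the remaining known pairs to discard chance matches.
            ops += 2 * len(rest)
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, ops


if __name__ == "__main__":
    k1, k2 = 0x2A7, 0x19C              # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    found, ops = meet_in_the_middle(pairs)
    print(found, "using", ops, "operations; exhaustive search:", 1 << (2 * KEY_BITS))
```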
3DES with 2 keys
• A straightforward implementation would be:

          c := E_k1(E_k2(E_k1(m)))

• In practice: c := E_k1(D_k2(E_k1(m)))
   – Also referred to as EDE encryption
• Reason: if k1 = k2, then 3DES = 1DES.
  Thus, 3DES software can be used as single DES.
• Standardized in ANSI X9.17 & ISO 8732.
• No practical attacks are known.

3DES with 3 keys
• Encryption: c := E_k3(D_k2(E_k1(m))).
• If k1 = k3, it becomes 3DES with 2 keys.
• If k1 = k2 = k3, it becomes the regular DES.
• So, it is backward compatible with both 3DES with 2 keys
  and the regular DES.
• Some internet applications adopt 3DES with three keys;
  e.g. PGP and S/MIME.

AES: Advanced Encryption Standard
• In 1997, NIST began the process of choosing a
  replacement for DES and called it the
  Advanced Encryption Standard.
• Requirements: block length of 128 bits, key
  lengths of 128, 192, and 256 bits.
• In 2000, Rijndael cipher (by Rijmen and
  Daemen) was selected.
• An iterated cipher, with 10, 12, or 14 rounds.
• Rijndael allows various block lengths.
• But AES allows only one block size: 128 bits.

Modulo-2 Arithmetic
• There are only two numbers: 0 and 1.

• Addition, subtraction and multiplication are as below:

         + | 0 1        − | 0 1        × | 0 1
         --+----        --+----        --+----
         0 | 0 1        0 | 0 1        0 | 0 0
         1 | 1 0        1 | 1 0        1 | 0 1

• Note: addition = subtraction = XOR.
Byte-oriented operations
• Each byte is viewed as a polynomial of degree ≤ 7.

• Example:   a = 10001001 = x^7 + x^3 + 1 = A(x).

             b = 10000010 = x^7 + x = B(x).

• Addition and subtraction are simply bitwise XOR:

  a ⊕ b = 10001001 ⊕ 10000010 = 00001011 = A(x) + B(x).

  a ⊖ b = 10001001 ⊖ 10000010 = 00001011 = A(x) − B(x).

Byte-oriented operations
• Multiplication (⊗): "regular" polynomial multiplication (×)
  modulo a fixed modulus P(x), where
       P(x) = x^8 + x^4 + x^3 + x + 1 = 100011011.
  a ⊗ b = A(x) × B(x) mod P(x)
        = x^14 + x^10 + x^8 + x^7 + x^4 + x mod P(x)
        = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1
  a ⊗ b = 10001001 × 10000010 mod 100011011
        = 100010110010010 mod 100011011
        = 01111111

Byte-oriented operations
• For any byte a (viewed as a polynomial), there is
  a unique byte b (also viewed as a polynomial) such that
  a ⊗ b = 1.
• This element b is called the inverse of a, and is
  denoted by a^{-1}.
• Mathematically, the set of all polynomials of degree ≤ 7
  forms a field, GF(2^8), under the operations of addition and
  multiplication mod P(x), where P(x) is a fixed modulus.

Structure of Rijndael
• N_b: block size (number of words). For AES, N_b = 4.
• N_k: key length (number of words).
• N_r: number of rounds, depending on N_b, N_k.
• Assume: N_b = 4, N_k = 4, N_r = 10.
• state: a variable of 4 words, holding the data block,
  viewed as a 4 × 4 matrix of bytes; each column is a word.
• Key schedule: 11 round keys key_0, key_1, …, key_10
  computed from the main key k.

Rijndael algorithm (input: plaintext m, key k)
   state ← m
   AddKey(state, key_0)
   for i ← 1 to N_r − 1 do
        SubBytes(state)
        ShiftRows(state)
        MixColumns(state)
        AddKey(state, key_i)
   SubBytes(state)
   ShiftRows(state)
   AddKey(state, key_{N_r})
   return(state)

Figure 5.1 AES Encryption and Decryption




AddKey(state, key_i)

  state ← state ⊕ key_i

SubBytes(state)
• Each byte z in the state matrix is substituted with
  another byte S_RD(z) = A z^{-1} + b.

• The substitution S_RD(z) = A z^{-1} + b, called Rijndael's
  S-box, is based on some mathematics in finite fields,
  and can be specified as a table (Table 5.4 of Stallings).

• That is, treat z as an element in GF(2^8).
• Find its multiplicative inverse z^{-1} in GF(2^8).
• Now treat z^{-1} as a vector of 0/1.
• Multiply A with z^{-1}, and add the result to b.

        | 1 0 0 0 1 1 1 1 |              | 1 |
        | 1 1 0 0 0 1 1 1 |              | 1 |
        | 1 1 1 0 0 0 1 1 |              | 0 |
   A =  | 1 1 1 1 0 0 0 1 |    and  b =  | 0 |
        | 1 1 1 1 1 0 0 0 |              | 0 |
        | 0 1 1 1 1 1 0 0 |              | 1 |
        | 0 0 1 1 1 1 1 0 |              | 1 |
        | 0 0 0 1 1 1 1 1 |              | 0 |

ShiftRows(state)
• Left-shift row i circularly by i bytes, 0 ≤ i ≤ 3.

   | a  b  c  d |        | a  b  c  d |
   | e  f  g  h |   →    | f  g  h  e |
   | i  j  k  l |        | k  l  i  j |
   | m  n  o  p |        | p  m  n  o |

MixColumns(state)
• Operate on each column of the state matrix.
• Each column a = (a_0, a_1, a_2, a_3) is substituted with
  (b_0, b_1, b_2, b_3), where

            | b_0 |     | 02 03 01 01 |   | a_0 |
            | b_1 |  =  | 01 02 03 01 |   | a_1 |
            | b_2 |     | 01 01 02 03 |   | a_2 |
            | b_3 |     | 03 01 01 02 |   | a_3 |

• Using finite-field multiplication and addition.

Math behind MixColumns(state)
• Operate on each column of the state matrix.
• Each column a = (a_0, a_1, a_2, a_3) is viewed as a
  polynomial:
          a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0
• A fixed polynomial: c(x) = 03 x^3 + 01 x^2 + 01 x + 02.
• Compute b(x) = b_3 x^3 + b_2 x^2 + b_1 x + b_0
               = a(x) × c(x) mod (x^4 + 1)
• (a_0, a_1, a_2, a_3) is substituted with (b_0, b_1, b_2, b_3)
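
An added example (not from the original slides) that carries the byte-oriented operations, SubBytes and MixColumns slides through in code: GF(2^8) multiplication and inversion mod P(x), the S-box computed as A z^{-1} + b from the matrix and vector shown above, and MixColumns done both as the matrix product and as a(x) × c(x) mod (x^4 + 1). Function names are this example's own, and the column (db, 13, 53, 45) is a commonly used MixColumns test input.

```python
AES_MODULUS = 0x11B                       # P(x) = x^8 + x^4 + x^3 + x + 1
A_ROWS = ["10001111", "11000111", "11100011", "11110001",
          "11111000", "01111100", "00111110", "00011111"]   # matrix A, row 0 first
B_VECTOR = 0x63                           # column b = (1,1,0,0,0,1,1,0), bit 0 first
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced mod P(x)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_MODULUS
        b >>= 1
    return result


def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); 0 maps to 0 by convention."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result


def sub_byte(z):
    """S_RD(z) = A * z^-1 + b, with bytes as bit vectors (bit 0 first)."""
    inv, out = gf_inv(z), 0
    for i, row in enumerate(A_ROWS):
        bit = sum(int(row[j]) & (inv >> j) & 1 for j in range(8)) & 1
        out |= bit << i
    return out ^ B_VECTOR


def mix_column(col):  # matrix form: b = M * a over GF(2^8)
    return [gf_mul(row[0], col[0]) ^ gf_mul(row[1], col[1])
            ^ gf_mul(row[2], col[2]) ^ gf_mul(row[3], col[3]) for row in MIX]


def mix_column_poly(col):
    """Polynomial form: b(x) = a(x) * c(x) mod (x^4 + 1)."""
    c = [0x02, 0x01, 0x01, 0x03]          # c_0..c_3 of c(x) = 03x^3 + 01x^2 + 01x + 02
    out = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gf_mul(col[i], c[j])   # x^4 = 1 wraps the exponent
    return out
```

gf_mul(0x89, 0x82) reproduces the slide's worked product 10001001 ⊗ 10000010 = 01111111.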
Rijndael Decryption
• Each step of Rijndael encryption is invertible.

A Rijndael Animation by Enrique Zabala

				