# Cryptography -- Block Ciphers

```
Cryptography -- Block Ciphers

Anita Jones
CS451 Information Security

Overview

terms and principles
Claude Shannon
Feistel cipher
DES

September, 2006
A few terms
block cipher
block of plaintext is treated as a whole &
used to produce a ciphertext block of equal
length
typical size: 64 bits
most modern ciphers are block ciphers
stream cipher
digital data is encrypted one bit (or one unit)
at a time
In both cases, plaintext is transformed incrementally
Symmetric ciphers

Symmetric implies ONE key

Secret key shared by sender &
Background

ideally want one extremely large substitution
not practical since would need a table with
2^64 entries in it for a 64-bit block
so approximate the ideal by constructing
from smaller building blocks

Basis of modern ciphers

Claude Shannon ('45) - information theory
product cipher
perform two or more ciphers in sequence so
that result (product) is cryptographically
stronger than any component cipher
alternate confusion & diffusion
virtually all significant symmetric block
ciphers currently in use are of this type

Shannon's strategy
thwart cryptanalysis that is based on
statistical analysis
hacker has some knowledge of statistical
characteristic of plaintext
if statistics are reflected in ciphertext, then
analyst may be able to deduce encryption
key, or part of it
in Shannon's ideal cipher, statistics of
ciphertext are independent of plaintext
Shannon's building blocks
confusion
make relation between statistics of ciphertext
and the value of the encryption key as
complex as possible
diffusion
diffuse statistical property of plaintext digit
across a range of ciphertext digits
i.e. each plaintext digit affects value of
many ciphertext digits

Shannon's building blocks
Shannon proposed product ciphers with
two components
S-Boxes -- substitution
providing confusion of input bits
P-Boxes -- permutation
providing diffusion across S-box inputs
n rounds of S-P boxes

S-box (substitution)
[Figure: S-box with a 3-bit input and a 3-bit output; input values 0-7 are mapped to output values 0-7]

Word size of 3 bits => mapping of 2^3 = 8 values
Note: mapping can be reversed

P-box (permutation)
[Figure: P-box on a 4-bit input, two panels. Example 1: input bits 1, 1, 1, 0 (top to bottom) give output bits 1, 0, 1, 1. Example 2 - swap two halves of input: input bits 1, 1, 1, 0 give output bits 1, 0, 1, 1]
Note: reversible
S-P networks
alternate S and P boxes
BUT, in practice we must decrypt as well
as encrypt
so define the sequence of boxes so that
precisely the same system will decrypt as
well as encrypt
just run it backwards

Feistel cipher
input plaintext of 2w bits
key K = n sub-keys: K_1, K_2, …, K_n
sequence of n “rounds” each using K_i
substitution followed by a permutation
apply function F(K_i) to right half of data,
then exclusive-OR it to left half of data
permutation: interchange two result halves
of data
DES is essentially a Feistel cipher
Feistel cipher

Multiple rounds
round i input is L_{i-1}, R_{i-1}

L_i = R_{i-1}
R_i = L_{i-1} XOR F(R_{i-1}, K_i)

L – left portion of intermediate data
R – right …..

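[Figure: Feistel network. Plaintext (2w bits) is split into halves L_0 and R_0 of w bits each. Rounds 1 through n each apply F with subkey K_1 ... K_n and an XOR (+), producing L_1, R_1 through L_n, R_n; the final halves L_{n+1}, R_{n+1} form the ciphertext (2w bits)]

Feistel cipher dependencies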
block size – increasing size increases
security – 64 bits common
key size – increasing size improves security,
– 128 bits common
number of rounds – 16 is typical
subkey generation – complex generation
makes cryptanalysis harder
round function – complex function is stronger
… but all increases slow the implementation
Feistel decryption

same as encryption, except
ciphertext is input
use keys in reverse order
at each round the output is equal to the
corresponding value of the encryption
process with the two halves of the value
swapped
final permutation (swap) realigns 2 halves
History of DES

DES – Data Encryption Standard
Horst Feistel at IBM developed LUCIFER
about 1971, sold to Lloyds of London
Nat'l Bureau of Standards issued request
for national cipher standard
IBM submitted (refined) LUCIFER
NSA worked with IBM to refine cipher
adopted in 1977 by Nat'l Bureau of Stds.
DES Characteristics

Plaintext is 64 bits long
16 rounds
Key length is 56 bits
16 sub-keys generated, one used in each round
DES algorithm is a variant of the Feistel
algorithm

[Figure: DES structure. Data path: plaintext (64 bits) -> initial permutation -> round 1, round 2, ..., round n -> 32 bit swap -> inverse permutation -> ciphertext (64 bits). Key path: 56 bit key -> permute -> for each round, a left circular shift followed by a permutation yields the subkey K_1, K_2, ..., K_n]

DES cipher
round i input is L_{i-1}, R_{i-1}

L_i = R_{i-1}
R_i = L_{i-1} XOR F(R_{i-1}, K_i)

One DES Round
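[Figure: one DES round. L_{i-1} and R_{i-1} are 32 bits each. R_{i-1} goes through expansion/permutation to 48 bits, is XORed with K_i (48 bits), passes through the S-box stage (32 bits out) and a permutation (32 bits); the result is XORed with L_{i-1} to give R_i, and L_i is R_{i-1}]

Key property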
avalanche
small change in plaintext or in key produces
significant change in ciphertext
test for avalanche
encrypt two plaintext blocks that differ only in
one bit
about half the (ciphertext) bits will differ

DES controversy

DES choice was intensely criticized:
original LUCIFER key length was 128 bits, and
DES used 56 bit key (to fit on chip, they said)
critics feared brute force attacks
design criteria for the S-boxes were classified,
so users not sure that internal structure was
free of hidden weak points that might let NSA
break cipher

DES status

no weak points have surfaced
DES is widely used
1994, NIST reaffirmed DES for federal use
NIST recommends DES use for all except
classified information
generally considered a sound standard
Need more security: use Triple DES
Cryptanalysis of DES
increased computing speed has made a 56
bit key susceptible to exhaustive key search
demonstrated breaks:
1997 – taking a few months, a large network of
computers broke DES
1998 – Electronic Frontier Foundation broke
DES in a few days on dedicated hardware
1999 – break accomplished in 22 hours
in practice DES is used, and works
1997 break
RSA issued reward of $10,000 for finding a
DES key, given ciphertext for known and
unknown plaintext
solution found in 96 days – involved 70,000
computers on the Internet
an embarrassingly parallel problem – just
divide the key space being searched (brute
force) each time a new computer joins in
found the key after searching 1/4 key space
So, how does the Prez talk?
STU-III:
http://webhome.idirect.com/~jproc/crypto/stuiii.html

http://www.tscm.com/stu.html

“A STU-III operates by taking an audio signal and digitizing it into a serial data
stream (usually 8,000 bits per second). This is then mixed with a "keying stream" of
data created by an internal ciphering algorithm. This mixed data is then passed
through an internal CODEC to convert it back to audio so it can be passed over the
phone lines. STU-III's also allow a serial data stream to pass through the phone and
into the ciphering engine to allow its usage as an encrypted modem when not being
used for voice. The "keying stream" is a polymorphic regenerating mathematic
algorithm which takes an initialization key and mathematically morphs it into a bit
stream pattern. The "keying stream" is created by the "Key Generator" and
is the actual heart of the STU. A portion of the "keying stream" is then mixed back
into the original key, and the process repeated. The result is a pseudo-random bit
stream that if properly implemented is extremely difficult (but not impossible) to
decrypt.”
Source: http://www.tscm.com/stu.html
Model for cryptography-revisit
[Figure: model for cryptography. Labels: Principal (two, one at each end), Message (at each end), Secret Information (at each end), Security Transform (at each end), Info channel, Trusted 3rd Party (arbitrates, distributes secret information), Opponent]

```
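The Feistel round equations, reverse-order subkey decryption and the avalanche test from the slides, as an added example that is not part of the original deck. The round function `F` and the key schedule are SHA-256-based stand-ins chosen for illustration (assumptions), not DES's F or key schedule; the key and plaintext are constructed sample values.

```python
import hashlib

W = 32                               # half-block width w; block is 2w = 64 bits
MASK = (1 << W) - 1
KEY = b"constructed-demo-key"        # constructed sample key
PT = 0x0123456789ABCDEF              # constructed sample plaintext block

def subkeys(key, n):
    # Stand-in key schedule (assumption): K_i = SHA-256(key || i), i = 1..n
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, n + 1)]

def F(r, k):
    # Stand-in round function (assumption), truncated to w bits.
    # F is not invertible; the Feistel structure makes the cipher invertible.
    digest = hashlib.sha256(k + r.to_bytes(W // 8, "big")).digest()
    return int.from_bytes(digest[:W // 8], "big")

def feistel(block, keys):
    left, right = block >> W, block & MASK
    for k in keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ F(right, k)
    return (right << W) | left       # final swap realigns the two halves

def encrypt(block, key=KEY, rounds=16):
    return feistel(block, subkeys(key, rounds))

def decrypt(block, key=KEY, rounds=16):
    # Same network, ciphertext as input, subkeys in reverse order
    return feistel(block, subkeys(key, rounds)[::-1])

def mean_avalanche(block=PT, key=KEY, rounds=16):
    # Flip each plaintext bit in turn and average how many ciphertext bits change
    base = encrypt(block, key, rounds)
    flips = [bin(base ^ encrypt(block ^ (1 << b), key, rounds)).count("1")
             for b in range(2 * W)]
    return sum(flips) / len(flips)

if __name__ == "__main__":
    ct = encrypt(PT)
    print(f"ciphertext          : {ct:016x}")
    print(f"decrypts to         : {decrypt(ct):016x}")
    print(f"avalanche, 16 rounds: {mean_avalanche(rounds=16):.1f} of 64 bits")
    print(f"avalanche,  1 round : {mean_avalanche(rounds=1):.1f} of 64 bits")
```

With a single round far fewer ciphertext bits change than with 16 rounds, which is why the network is iterated.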