Data Encryption Standard (DES) INCS 741: Cryptography Dr. Monther Aldwairi
advertisement
INCS 741: Cryptography Data Encryption Standard (DES) Dr. Monther Aldwairi New York Institute of TechnologyAmman Campus 10/18/2010 10/18/2009 Dr. Monther Aldwairi 1 Block Ciphers 10/4/2009 Dr. Monther Aldwairi 2 Block Ciphers Stream ciphers process messages a bit or byte at a time when en/decrypting ‒ Vigenère Cipher ‒ Caeser Cipher Block ciphers process messages in blocks ‒ Block are en/decrypted like a substitution on very big characters 64-bits or more ‒ Hill Cipher block size 2 ‒ DES block size 64 bits 10/4/2009 Dr. Monther Aldwairi 3 Ideal Block Cipher 10/4/2009 Dr. Monther Aldwairi 4 Shannon Properties of a Good Cryptosystem Diffusion – Each plaintext digit affects the values of many ciphertext digits and visa versa. – Achieved by applying permutation then a function on data, forcing different plaintext digits to affect a single ciphertext digit – permutation (P-box) Confusion – – – – 10/4/2009 The key doesn’t relate in a simple way to ciphertext. Ciphertext statistics cannot give the key up Achieved by a complex substitution algorithm substitution (S-box) Dr. Monther Aldwairi 5 Feistel Cipher Virtually all conventional block encryption algorithms have a structure described by Horst Feistel of IBM in 1973 – partitions input block into two halves – process through multiple rounds – each round performs a substitution on left data half based on round function of right half & sub key – then have permutation swapping halves – Implements Shannon’s S-P net concept 10/4/2009 Dr. Monther Aldwairi 6 Feistel Cipher Structure 10/4/2009 Dr. Monther Aldwairi 7 10/4/2009 Dr. Monther Aldwairi 8 Feistel Cipher Design Elements block size: larger size improves security, but slows cipher key size: increasing size makes exhaustive key searching harder, but may slow cipher. number of rounds: increasing number improves security, but slows cipher sub key generation algorithm: greater complexity can make cryptanalysis harder, but slows cipher round function: greater complexity can make analysis harder, but slows cipher fast software en/decryption: concern for practical use ease of analysis: easier validation & testing of strength 10/4/2009 Dr. Monther Aldwairi 9 Feistel Cipher Decryption 10/4/2009 Dr. Monther Aldwairi 10 Data Encryption Standard (DES) 10/4/2009 Dr. Monther Aldwairi 11 Data Encryption Standard (DES) The most widely used block cipher – adopted in 1977 by NBS/NIST as FIPS PUB 46 The plaintext is processed in 64-bit blocks The key is 56-bits in length Controversy over its security – Choice of 56-bit key (vs Lucifer 128-bit) – DES is public but design criteria were classified (S-box) – subsequent events and public analysis show in fact design was appropriate – use of DES has flourished in financial applications – still standard for legacy application use 10/4/2009 Dr. Monther Aldwairi 12 DES Overview- Encryption Generate 16 per-round keys 64-bit input Initial Permutation 56-bit Key Round 1 10/4/2009 Dr. Monther Aldwairi Final Permutation Swap left and right halves Round 16 13 DES Overview- Decryption Generate 16 per-round keys Initial Permutation 56-bit Key Round 1 10/4/2009 Final Permutation Swap left and right halves Round 16 64-bit input Dr. Monther Aldwairi 14 DES Encryption 10/4/2009 Dr. Monther Aldwairi 15 Initial Permutation IP IP reorders the input data bits – Arrange into 8 × 8 table – Permute, even columns into rows followed by odd columns (write bits from bottom up) – Example IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb) 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 10/4/2009 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0 1 0 1 1 0 1 1 1 1 1 0 0 1 1 0 0 0 1 1 0 1 1 1 1 1 1 0 1 1 0 0 1 0 1 1 0 0 0 0 1 1 Dr. Monther Aldwairi 1 0 0 1 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 1 1 1 0 1 1 0 1 0 1 1 0 0 1 0 1 1 0 1 1 0 0 0 0 1 1 1 0 1 1 0 1 0 1 16 10/4/2009 Dr. Monther Aldwairi 17 A DES Round 64-bit input 32-bit Ln 64-bit input 32-bit Rn 32-bit Ln Mangler function 32-bit Ln+1 Mangler function Kn 32-bit Rn+1 32-bit Ln+1 64-bit output 10/4/2009 32-bit Rn Kn 32-bit Rn+1 64-bit output Dr. Monther Aldwairi 18 DES Round Details uses two 32-bit L & R halves as for any Feistel cipher can describe as: Li = Ri–1 Ri = Li–1 xor F(Ri–1, Ki) F takes 32-bit R half and 48-bit subkey: – expands R to 48-bits using Expansion perm E – adds to subkey using XORE(R) XOR K – we get 48 bits which we split into 8 blocks 6 bits each – Substitute blocks using 8 S-boxes to get 32-bit result. – Each S-box has 4 rows and 16 columns – First and last bits determine the row, remaining 4 determine column – finally permutes using 32-bit perm P Confusion 10/4/2009 Dr. Monther Aldwairi 19 The Mangler Function 4 4 4 4 4 4 4 4 6 6 6 6 6 + + + + + 6 + 6 + 6 6 6 6 6 6 6 6 6 + S1 S2 S3 S4 S5 S6 S7 S8 4 4 4 4 4 4 4 4 Permutation 10/4/2009 Dr. Monther Aldwairi 20 Calculation of F(R, K) 10/4/2009 Dr. Monther Aldwairi 21 Substitution Boxes S have eight S-boxes which map 6 to 4 bits each S-box is actually 4 little 4 bit boxes – outer bits 1 & 6 (row bits) select one row of 4 – inner bits 2-5 (col bits) are substituted – result is 8 lots of 4 bits, or 32 bits row selection depends on both data & key – feature known as autoclaving (autokeying) Example S(18 09 12 3d 11 17 38 39) = 5fd25e03 10/4/2009 Dr. Monther Aldwairi 22 DES Sub keys Generation To forms sub keys used in each round – initial permutation of the key (PC1) which selects 56bits in two 28-bit halves – 16 stages consisting of: 1. rotating each half separately either 1 or 2 places depending on the key rotation schedule K 2. selecting 24-bits from each half & permuting them by PC2 for use in round function F note practical use issues in h/w vs s/w 10/4/2009 Dr. Monther Aldwairi 23 DES Example 10/4/2009 Dr. Monther Aldwairi 24 Generating the Per-Round Keys 56-bit key C0 Initial Permutation 57 49 41 33 25 17 9 1 58 50 42 10 2 19 60 52 44 36 Permutation to obtain the left-half of Ki 14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 © Summer 2007 C0 D0 34 26 18 59 51 43 35 19 11 3 D0 63 55 47 39 31 23 15 7 Rotate left Rotate left C1 D1 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4 Permutation to obtain the right-half of Ki 41 52 31 37 47 55 Permutation with discard 48-bit K1 CPE 542 Network Security 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32 25 Process the Key Process the key Get a 64-bit key from the user Every 8th bit (the least significant bit of each byte) is considered a parity bit. For a key to have correct parity, each byte should contain an odd number of "1" bits.) The parity bits are discarded, reducing the key to 56 bits (8th , 16th ,…, 64th ). 10/4/2009 Dr. Monther Aldwairi 26 Key Schedule Calculate the key schedule. Permuted Choice 1 (PC-1) 57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4 Split the permuted key (56 bits) into two halves. The first 28 bits are called C0 and the last 28 bits are called D0. 10/4/2009 Dr. Monther Aldwairi 27 PC-1 M=0000000000000000000000000000000100000000000000000000000000000001 K=1000000000000000000000000000000010000000000000000000000000000000 The first round key is the computed as follows: PC-1(K)= 00010001000000000000000000000000000000000000000000000000 C0= 0001000100000000000000000000 D0= 0000000000000000000000000000 10/4/2009 Dr. Monther Aldwairi 28 Calculate Sub keys Calculate the 16 sub keys. Perform one or two circular left shifts on both Ci-1 and Di-1 to get Ci and Di, respectively. The number of shifts per iteration are given in the table below. Round # Left Shifts 10/4/2009 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 1 2 2 2 2 2 2 1 Dr. Monther Aldwairi 2 2 2 2 2 2 1 29 PC-2 Calculate the key schedule. Permuted Choice 2 (PC-2) contraction to 28 bit round key 14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32 Loop back to slide 24 until K16 has been calculated 10/4/2009 Dr. Monther Aldwairi 30 PC-2 M=0000000000000000000000000000000100000000000000000000000000000001 K=1000000000000000000000000000000010000000000000000000000000000000 The first round key is the computed as follows: PC-1(K)= 00010001000000000000000000000000000000000000000000000000 C1= 1<<C0= 1<<0001000100000000000000000000 = 0010001000000000000000000000 D1= 1<<D0= 1<<0000000000000000000000000000 = 0000000000000000000000000000 PC-2(C1||D1)=PC-2(00100010000000000000000000000000000000000000000000000000) SK1= 000000100000000000010000000000000000000000000000 10/4/2009 Dr. Monther Aldwairi 31 DES Example 10/4/2009 Dr. Monther Aldwairi 32 Process Data Block Initial Permutation (IP) on 64-bit data block 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7 10/4/2009 Dr. Monther Aldwairi 33 Round i Split the block into two halves. The first 32 bits are called L0, and the last 32 bits are called R0. Apply the 16 sub keys to the data block. Start with SK1 Expand the 32-bit Ri-1(R0) into 48 bits according Expansion Permutation E 32 4 8 12 16 20 24 28 1 5 9 13 17 21 25 29 2 6 10 14 18 22 26 30 3 7 11 15 19 23 27 31 4 8 12 16 20 24 28 32 5 9 13 17 21 25 29 1 Exclusive-or E(Ri-1) with SKi 10/4/2009 Dr. Monther Aldwairi 34 Round i/S-Boxes Eight S-boex that accept 6 bit inputs and produce 4 bit outputs Break E(Ri-1) xor SKi into eight 6-bit input blocks. Bits 1-6 are B1, bits 7-12 are B2, and so on with bits 43-48 being B8. Take the 1st and 6th bits of Bj together as a 2-bit value indicating the row in Sj Take the 2nd through 5th bits of Bj together as a 4bit value indicating the column in Sj to find the substitution. 10/4/2009 Dr. Monther Aldwairi 35 S-Boxes S1 14 4 13 1 2 15 11 8 3 0 15 7 4 14 2 13 1 10 4 1 14 8 13 6 2 11 15 15 12 8 2 4 9 1 7 5 10 6 12 5 9 0 7 6 12 11 9 5 3 8 12 9 7 3 10 5 0 11 3 14 10 0 6 13 2 12 4 1 7 10 14 11 2 12 4 7 4 2 1 11 10 13 11 8 12 7 1 14 S5 11 6 8 5 3 15 13 13 1 5 0 15 10 3 7 8 15 9 12 5 6 2 13 6 15 0 9 10 S2 15 1 8 14 6 11 3 4 9 3 13 4 7 15 2 8 14 12 0 14 7 11 10 4 13 1 5 13 8 10 1 3 15 4 2 11 7 2 13 12 0 5 10 0 1 10 6 9 11 5 8 12 6 9 3 2 15 6 7 12 0 5 14 9 12 1 10 15 10 15 4 2 9 14 15 5 4 3 2 12 S6 6 8 0 13 3 4 14 7 5 11 9 5 6 1 13 14 0 11 3 8 12 3 7 0 4 10 1 13 11 6 15 10 11 14 1 7 6 0 8 13 S3 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12 7 13 14 13 8 11 10 6 9 3 15 0 10/4/2009 S4 3 0 6 9 10 1 2 5 6 15 0 3 4 7 0 12 11 7 13 15 1 6 10 1 13 8 9 4 8 5 11 12 4 15 2 12 1 10 14 9 3 14 5 2 8 4 5 11 12 7 2 14 9 7 2 9 2 12 8 5 0 14 9 9 8 6 3 0 14 4 5 3 S7 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12 13 2 1 15 7 11 2 1 8 13 4 14 Dr. Monther Aldwairi S8 4 6 15 11 1 10 9 3 14 5 0 12 7 8 10 3 7 4 12 5 6 11 0 14 9 2 1 9 12 14 2 0 6 10 13 15 3 5 8 7 4 10 8 13 15 12 9 0 3 5 6 11 36 Permutation (P) Permute the concatenation of B1 through B8 (32 bits) Permutation P 16 29 1 5 2 32 19 22 7 12 15 18 8 27 13 11 20 28 23 31 24 3 30 4 21 17 26 10 14 9 6 25 Exclusive-or the resulting value with Li-1. Thus, all together, your Ri= Li-1 xor P(S1(B1)...S8(B8)), where Bj is a 6-bit block of E(Ri-1) xor SKi. The function for Ri is more concisely written as, Ri-1 = Li-1 xor f(Ri-1, Ki).) 10/4/2009 Dr. Monther Aldwairi 37 Inverse Initial Permutation -1 IP Loop back to slide 29 - Permutation E until SK16 has been applied Perform the following permutation on the block R16L116. Final Permutation (IP-1) 40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25 10/4/2009 Dr. Monther Aldwairi 38 DES Example DES round 1 Round key = 000000100000000000010000000000000000000000000000 L1= 00000000000000000000000000000001 R1= 00000000000000000000000000000001 Apply E: 100000000000000000000000000000000000000000000010 Xor K1: 000000100000000000010000000000000000000000000000⊕ 100000000000000000000000000000000000000000000010 = 100000||100000||000000||010000||000000||000000||000000||000010 S-Box S1: 0100 S-Box S2: 0000 S-Box S3: 1010 S-Box S4: 0001 S-Box S5: 0010 S-Box S6: 1100 S-Box S7: 0100 S-Box S8: 0010 P-Box: 10010000000100101000000110001100 Xor L1: 10010000000100101000000110001100⊕00000000000000000000000000000001 =10010000000100101000000110001101 R1kL1 = 00000000000000000000000000000001k10010000000100101000000110001101 16 round example @ http://www.adeptscience.co.uk/products/mathsim/maple/powertools/cryptograp hy/HTML/DES-Example.html http://www.eventid.net/docs/desexample.asp 10/4/2009 Dr. Monther Aldwairi 39 DES Decryption decrypt must unwind steps of data computation with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1) ‒ ‒ ‒ ‒ ‒ ‒ 10/4/2009 IP undoes final FP step of encryption 1st round with SK16 undoes 16th encrypt round …. 16th round with SK1 undoes 1st encrypt round then final FP undoes initial encryption IP thus recovering original data value Dr. Monther Aldwairi 40 Avalanche Effect key desirable property of encryption algorithm where a change of one input or key bit results in changing approx half output bits making attempts to “home-in” by guessing keys impossible DES exhibits strong avalanche Permutation E 10/4/2009 Dr. Monther Aldwairi 41 Strength of DES – Key Size 56-bit keys have 256 = 7.2 x 1016 values brute force search looks hard recent advances have shown is possible ‒ in 1997 on Internet in a few months ‒ in 1998 on dedicated h/w (EFF) in a few days ‒ in 1999 above combined in 22hrs! still must be able to recognize plaintext must now consider alternatives to DES 10/4/2009 Dr. Monther Aldwairi 42 Average time required for exhaustive key search Key Size (bits) Number of Alternative Keys Time required at 106 Decryption/µs 32 232 = 4.3 x 109 2.15 milliseconds 56 256 = 7.2 x 1016 10 hours 128 2128 = 3.4 x 1038 5.4 x 1018 years 168 2168 = 3.7 x 1050 5.9 x 1030 years Taken from Henric Johnson’s slides 10/4/2009 Dr. Monther Aldwairi 43 Strength of DES – Analytic Attacks now have several analytic attacks on DES these utilise some deep structure of the cipher ‒ by gathering information about encryptions ‒ can eventually recover some/all of the sub-key bits ‒ if necessary then exhaustively search for the rest generally these are statistical attacks ‒ differential cryptanalysis ‒ linear cryptanalysis ‒ related key attacks 10/4/2009 Dr. Monther Aldwairi 44 Differential Cryptanalysis Murphy, Biham & Shamir published in 90’s powerful method to analyze block ciphers used to analyze most current block ciphers with varying degrees of success DES reasonably resistant to it ‒ a statistical attack against Feistel ciphers ‒ uses cipher structure not previously used ‒ design of S-P networks has output of function f influenced by both input & key ‒ hence cannot trace values back through cipher without knowing value of the key ‒ differential cryptanalysis compares two related pairs of encryptions 10/4/2009 Dr. Monther Aldwairi 45 Differential Cryptanalysis have some input difference giving some output difference with probability p if find instances of some higher probability input / output difference pairs occurring can infer subkey that was used in round then must iterate process over many rounds (with decreasing probabilities) 10/4/2009 Dr. Monther Aldwairi 46 Compares Pairs of Encryptions with a known difference in the input searching for a known difference in output when same subkeys are used 10/4/2009 Dr. Monther Aldwairi 47 Differential Cryptanalysis 10/4/2009 Dr. Monther Aldwairi 48 Differential Cryptanalysis perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR when found – if intermediate rounds match required XOR have a right pair – if not then have a wrong pair, relative ratio is S/N for attack can then deduce keys values for the rounds – right pairs suggest same key bits – wrong pairs give random values for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs Biham and Shamir have shown how a 13-round iterated characteristic can breakDr.the full 16-round DES 10/4/2009 Monther Aldwairi 49 Linear Cryptanalysis another recent development also a statistical method must be iterated over rounds, with decreasing probabilities developed by Matsui et al in early 90's based on finding linear approximations can attack DES with 243 known plaintexts, easier but still in practise infeasible 10/4/2009 Dr. Monther Aldwairi 50 Linear Cryptanalysis find linear approximations with prob p != ½ P[i1,i2,...,ia] C[j1,j2,...,jb] = K[k1,k2,...,kc] where ia,jb,kc are bit locations in P,C,K gives linear equation for key bits get one key bit using max likelihood alg using a large number of trial encryptions effectiveness given by: |p–1/2| 10/4/2009 Dr. Monther Aldwairi 51 Triple DES Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt) C = Ek3[ Dk2[ Ek1[P] ] ] C = ciphertext P = Plaintext Ek[X] = encryption of X using key K Dk[Y] = decryption of Y using key K Effective key length of 168 bits 10/4/2009 Dr. Monther Aldwairi 52 Other Symmetric Block Ciphers International Data Encryption Algorithm (IDEA) ‒ 128-bit key ‒ Used in PGP Blowfish ‒ Easy to implement ‒ High execution speed ‒ Run in less than 5K of memory 10/4/2009 Dr. Monther Aldwairi 53 Other Symmetric Block Ciphers RC5 ‒ ‒ ‒ ‒ ‒ ‒ ‒ ‒ Suitable for hardware and software Fast, simple Adaptable to processors of different word lengths Variable number of rounds Variable-length key Low memory requirement High security Data-dependent rotations Cast-128 ‒ Key size from 40 to 128 bits ‒ The round function differs from round to round Blowfish 10/4/2009 Dr. Monther Aldwairi 54 Modes of Operation block ciphers encrypt fixed size blocks eg. DES encrypts 64-bit blocks, with 56-bit key need way to use in practise, given usually have arbitrary amount of information to encrypt Four standard modes were defined for DES Extended to five later, and they can be used with other block ciphers: 3DES and AES. 10/4/2009 Dr. Monther Aldwairi 55 Electronic Codebook Book (ECB) message is broken into independent blocks which are encrypted each block is a value which is substituted, like a codebook, hence name each block is encrypted independently from the other blocks Ci = DESK1 (Pi) uses: secure transmission of single values 10/4/2009 Dr. Monther Aldwairi 56 Electronic Codebook Book (ECB) 10/4/2009 Dr. Monther Aldwairi 57 Advantages and Limitations of ECB repetitions in message may show in ciphertext – if aligned with message block – with messages that change very little, which become a code-book analysis problem weakness due to encrypted message blocks being independent main use is sending a few blocks of data 10/4/2009 Dr. Monther Aldwairi 58 Cipher Block Chaining (CBC) message is broken into blocks but these are linked together in the encryption operation each previous cipher blocks is chained with current plaintext block, hence name use Initial Vector (IV) to start process Ci = DESK1(Pi XOR Ci-1) C-1 = IV uses: bulk data encryption, authentication 10/4/2009 Dr. Monther Aldwairi 59 Cipher Block Modes of Operation Cipher Block Chaining Mode (CBC) ‒ The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block. ‒ Repeating pattern of 64-bits are not exposed Χ ι Ε κ [Χ ι 1 Π ι ] Δ Κ [Χ ι ] Δ Κ [Ε Κ (Χ ι 1 Π ι )] Δ Κ [Χ ι ] (Χ ι 1 Π ι ) 10/4/2009 10/4/2009 Χ ι 1 Δ Κ [Χ ι ] Χ ι 1 Χ ι 1 Π ι Π ι Dr. Monther Aldwairi Dr. Monther Aldwairi 60 60 Advantages and Limitations of CBC each ciphertext block depends on all message blocks thus a change in the message affects all ciphertext blocks after the change as well as the original block need Initial Value (IV) known to sender & receiver – however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate – hence either IV must be a fixed value or it must be sent encrypted in ECB mode before rest of message 10/4/2009 Dr. Monther Aldwairi 61 Cipher FeedBack (CFB) message is treated as a stream of bits added to the output of the block cipher result is feed back for next stage (hence name) standard allows any number of bit (1,8 or 64 or whatever) to be feed back – denoted CFB-1, CFB-8, CFB-64 etc is most efficient to use all 64 bits (CFB-64) Ci = Pi XOR DESK1(Ci-1) C-1 = IV uses: stream data encryption, authentication 10/4/2009 Dr. Monther Aldwairi 62 Cipher FeedBack (CFB) 10/4/2009 Dr. Monther Aldwairi 63 Advantages and Limitations of CFB appropriate when data arrives in bits/bytes most common stream mode limitation is need to stall while do block encryption after every n-bits errors propagate for several blocks after the error 10/4/2009 Dr. Monther Aldwairi 64 Output FeedBack (OFB) • • • • • message is treated as a stream of bits output of cipher is added to message output is then feed back (hence name) feedback is independent of message can be computed in advance Ci = Pi XOR Oi Oi = DESK1(Oi-1) O-1 = IV 10/4/2009 Dr. Monther Aldwairi 65 Output FeedBack (OFB) 10/4/2009 Dr. Monther Aldwairi 66 Advantages and Limitations of OFB used when error feedback a problem or where need to encryptions before message is available superficially similar to CFB but feedback is from the output of cipher and is independent of message sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs originally specified with m-bit feedback in the standards subsequent research has shown that only OFB-64 should ever be used 10/4/2009 Dr. Monther Aldwairi 67 Counter (CTR) a “new” mode, though proposed early on similar to OFB but encrypts counter value rather than any feedback value must have a different counter value for every plaintext block (never reused) Ci = Pi XOR Oi Oi = DESK1(i) uses: high-speed network encryptions 10/4/2009 Dr. Monther Aldwairi 68 Counter (CTR) 10/4/2009 Dr. Monther Aldwairi 69 Advantages and Limitations of CTR efficiency – can do parallel encryptions random access to encrypted data blocks provable security (good as other modes) but must ensure never reuse key/counter values, otherwise could break (cf OFB) 10/4/2009 Dr. Monther Aldwairi 70
