Secret Key Cryptography
RAIT, Madhumita Chatterjee

Algorithm Types
- Stream ciphers: plaintext is encrypted one bit at a time. Disadvantage: bit-at-a-time processing is time consuming.
- Block ciphers: a block of bits is encrypted at one go. Disadvantage: repeating plaintext blocks produce repeating ciphertext blocks unless a chaining mode is used.

Shannon concepts
- Confusion: the ciphertext gives no clue about the key or the original text. Achieved using substitution.
- Diffusion: the statistical structure (redundancy) of the plaintext is dissipated by spreading each plaintext bit across many ciphertext bits, e.g. across the rows and columns of a transposition. Achieved using transposition or permutation.

Algorithm modes
- ECB (Electronic Code Book)
- CBC (Cipher Block Chaining)
- OFB (Output Feedback)
- CFB (Cipher Feedback)
- Stream cipher

Electronic Code Book (ECB)
[Figure: message blocks M1, M2, M3 (64 bits each) and M4 (46 bits + pad), each encrypted independently to C1, C2, C3, C4]

ECB Problem #1
[Figure: the same diagram] (M1 == M3) => (C1 == C3): identical plaintext blocks are visible as identical ciphertext blocks.

ECB Problem #2
- Lacks the basic protection against integrity attacks on the ciphertext at message level (i.e., across multiple cipher blocks).
- Without additional integrity protection: cipher-block substitution and rearrangement attacks, and fabrication of specific information.

Cipher Block Chaining (CBC)
[Figure: C1 = ENC(M1 XOR IV), C_i = ENC(M_i XOR C_{i-1}) for M1..M4; IV = Initialization Vector]
- (M1 == M3) is now very unlikely to lead to (C1 == C3), because each block is XORed with the previous ciphertext block before encryption.

CBC Decryption
[Figure: M1 = DEC(C1) XOR IV, M_i = DEC(C_i) XOR C_{i-1}]

CBC Vulnerabilities
- Losing sync of the block boundary garbles the rest of the stream.
- Create a desired change in decrypted block P_n by sacrificing block P_{n-1}: flipping bits of C_{n-1} flips the same bits of P_n and garbles P_{n-1}.
[Figure: C_{n-1}, C_n -> DEC -> P_{n-1}, P_n]

Output Feedback Mode (OFB)
Like a random number generator...
[Figure: keystream O1 = ENC(IV), O_i = ENC(O_{i-1}); C_i = M_i XOR O_i for M1..M4]

OFB Properties
Advantages:
- Allows pre-computing the pseudo-random stream (used like a one-time pad); XOR can be implemented very efficiently.
- No error propagation problem as in CBC: a flipped ciphertext bit flips only the corresponding plaintext bit.
- Allows in-time encrypt/decrypt due to bitwise computation (versus fixed blocks).
Caveat: as with a one-time pad, the keystream must never be reused, so an IV must not be repeated under the same key.

General k-bit Cipher Feedback Mode (CFB)
[Figure: a shift register seeded with the IV is encrypted; the leftmost k bits of the output are XORed with k bits of M_i to give C_i, and C_i is shifted into the register for the next step]

CFB Properties
- Advantage compared with CBC: with k = 8, an error in one byte of ciphertext affects only that byte and the 8 bytes beyond it (as long as the bad byte stays in the 64-bit shift register).
- Disadvantage compared with OFB: the random stream can no longer be computed in advance, because it depends on the ciphertext.

Generating MICs
- Send the plaintext plus only the last block of CBC (the CBC residue).
- Any modification of the plaintext modifies the CBC residue.
- Ensures integrity.
Caveat: the residue is only a secure MAC for fixed-length messages and with a key different from any encryption key; with variable-length messages an attacker can splice two authenticated messages into a third.

CBC Plus Residue
[Figure: CBC over M1, M2, M3 (64 bits each) and M4 (46 bits + pad) with IV; C4 is the residue]

Elementary Cryptography: DES Algorithm

Background & History
- System developed by the US Government,
intended for public use in 1976.
- Many hardware and software systems were designed with DES.
- Goals were:
  - High level of security
  - Specified and easy to understand
  - Publishable, available
  - Adaptable to diverse applications
  - Economic to implement in electronic devices
  - Efficient to use and able to be validated

Generic Block Encryption
- Convert a block to another block: one-to-one.
- Long enough to avoid a known-plaintext (codebook) attack: 64 bits is typical, nice for RISC.
- Naive: 2^64 input values, 64 bits each, total 2^70 bits to store the mapping.
- Output should look random: no correlation between plaintext and ciphertext; bit spreading.

Generic Block Encryption (Cont'd)
- Substitution on k bits: 2^k values, k * 2^k bits to store the table; done by S-boxes; adds confusion.
- Permutation: change the position of each bit; k log2 k bits to describe; done by P-boxes; adds diffusion.
- Round: a combination of substitution on chunks and a permutation; repeat it often enough that a single bit change can affect every output bit.
- How many rounds? A few, but not fewer.

Block Cipher Scheme
[Figure: plaintext block of length N and secret key -> Encrypt -> cipher block of length N -> Decrypt]

Overview of the DES
A block cipher:
- encrypts blocks of 64 bits using a 64-bit key
- Key: a 64-bit quantity = 8 parity bits + 56-bit key. Every 8th bit is a parity bit.
- outputs 64 bits of ciphertext
- A product cipher: the basic unit is the bit; performs both substitution and transposition (permutation) on the bits.

The cipher consists of 16 rounds (iterations), each with a round key generated from the user-supplied key.

Key features
- The sheer complexity of tracing a single bit through 16 iterations of substitutions and transpositions discourages analysis.
- 8 extra bits are used only for parity, so the key is 56 bits long.
- Substitution provides confusion and transposition provides diffusion.
- Uses only standard
arithmetic and logical operations, is repetitive, and can be implemented on a single-purpose chip.

Cycles of Substitution and Permutation
[Figure]

Features: DES
- Data Encryption Standard (DES)
- Encodes plaintext in 64-bit chunks using a 64-bit key (56 bits + 8 parity bits)
- Uses a combination of diffusion and confusion to achieve security
- Was cracked in 1997: a parallel attack that exhaustively searched the key space
- Decryption in DES: it's symmetric! Feed the ciphertext through the same circuit using the same round keys in reverse order.

Overview: DES
- 64-bit input is permuted
- 16 stages of identical operation, differing only in the 48-bit key extracted from the 56-bit key (a complex key schedule)
- R2 = L1 XOR f(R1, K1): R1 is run through f under K1 and XORed with L1
- L2 = R1, ...
- Final inverse permutation stage

Pictorial Representation for DES
[Figure]

A more detailed picture
[Figure]

DEScription: One Round
- 64 bits are divided into left and right halves, L_{i-1} and R_{i-1}
- The right half goes through function f, mixed with the round key K_i
- The output of f is added (XORed) to the left half
- Halves are swapped (except in the last round): L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)

DEScription: InsiDES
- Expansion: expand the right half from 32 to 48 bits (some bits get reused)
- Add (XOR) 48 bits of key K_i, chosen by the key schedule
- Eight S-boxes: each set of 6 bits is reduced to 4
- Output P-box permutes the 32 bits

DES Top View
[Figure: 56-bit key -> generate keys -> 48-bit round keys K1, K2, ..., K16; 64-bit input -> Initial Permutation -> Round 1 -> Round 2 -> ... -> Round 16 -> swap 32-bit halves -> Final Permutation -> 64-bit output]

Bit Permutation (1-to-1)
[Figure: 32-bit input; each input bit is moved to exactly one output position]

Bits Expansion (1-to-m)
[Figure: 32-bit input expanded to a 48-bit output; some input bits are copied to more than one output position]
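Returning to the modes-of-operation slides above (ECB, CBC, OFB, k-bit CFB, ECB problem #1, the CBC bit-flip vulnerability and the error-propagation claims for CFB and OFB), here is a runnable Python example added to this page; it is not code from the original slides. Because the standard library has no DES, a constructed toy 16-round Feistel cipher built on blake2b stands in for the 64-bit block cipher; the key, IV and messages are sample values chosen for the demonstration.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_cipher(key, block, decrypt=False):
    """Toy 16-round Feistel cipher on 8-byte blocks (constructed for this
    example, NOT DES).  Round function f(R, K_i) = blake2b(K_i || R).
    Encryption and decryption are the same loop; only the subkey order differs."""
    assert len(block) == BLOCK
    subkeys = [hashlib.blake2b(key + bytes([i]), digest_size=4).digest() for i in range(16)]
    if decrypt:
        subkeys.reverse()            # K16 ... K1
    L, R = block[:4], block[4:]
    for k in subkeys:
        f = hashlib.blake2b(k + R, digest_size=4).digest()
        L, R = R, xor_bytes(L, f)    # L_i = R_{i-1};  R_i = L_{i-1} xor f(R_{i-1}, K_i)
    return R + L                     # undo the last swap, so the inverse is the same circuit


def pad(m):
    n = BLOCK - len(m) % BLOCK       # always add 1..8 bytes, each holding the count
    return m + bytes([n]) * n


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, m):
    return b"".join(toy_cipher(key, b) for b in blocks(pad(m)))


def cbc_encrypt(key, iv, m):
    out, prev = [], iv
    for b in blocks(pad(m)):
        prev = toy_cipher(key, xor_bytes(b, prev))    # C_i = E_K(M_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, c):
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor_bytes(toy_cipher(key, b, decrypt=True), prev))  # M_i = D_K(C_i) xor C_{i-1}
        prev = b
    return b"".join(out)             # padding left in place for the caller to verify


def ofb_crypt(key, iv, data):
    """OFB: keystream O_i = E_K(O_{i-1}), O_0 = IV.  It does not depend on the
    data, so it could be precomputed.  The same call encrypts and decrypts."""
    out, o = [], iv
    for b in blocks(data):
        o = toy_cipher(key, o)
        out.append(xor_bytes(b, o))
    return b"".join(out)


def cfb8_crypt(key, iv, data, decrypt=False):
    """k = 8 CFB: encrypt a 64-bit shift register, use its first byte as keystream,
    then shift the *ciphertext* byte into the register."""
    out, reg = bytearray(), iv
    for b in data:
        o = b ^ toy_cipher(key, reg)[0]
        out.append(o)
        reg = reg[1:] + bytes([b if decrypt else o])
    return bytes(out)


# --- the failure modes described on the slides -----------------------------

def ecb_repeated_blocks(key, m):
    """ECB problem #1: equal plaintext blocks give equal ciphertext blocks."""
    cs = blocks(ecb_encrypt(key, m))
    return len(cs) - len(set(cs))


def cbc_bitflip(iv, c, n, delta):
    """CBC vulnerability: XOR delta into C_{n-1} (the IV when n == 0); the
    decrypted P_n changes by exactly delta, at the price of garbling P_{n-1}."""
    buf = bytearray(iv + c)
    for j, d in enumerate(delta):
        buf[n * BLOCK + j] ^= d
    return bytes(buf[:BLOCK]), bytes(buf[BLOCK:])


def flip_bit(data, i):
    buf = bytearray(data)
    buf[i] ^= 0x80
    return bytes(buf)


def damaged_positions(original, recovered):
    return [i for i, (x, y) in enumerate(zip(original, recovered)) if x != y]


if __name__ == "__main__":
    key, iv = b"example-key!", bytes(8)                    # constructed sample values
    print("ECB repeated blocks:", ecb_repeated_blocks(key, b"SAME BLK" * 4))
    c = cbc_encrypt(key, iv, b"role=usr;amount=0100")
    iv2, c2 = cbc_bitflip(iv, c, 2, b"\x09")               # '0' xor 0x09 == '9'
    print("CBC after bit-flip:", cbc_decrypt(key, iv2, c2))
    data = bytes(range(32))
    cfb = flip_bit(cfb8_crypt(key, iv, data), 5)
    print("CFB-8 damaged bytes:", damaged_positions(data, cfb8_crypt(key, iv, cfb, decrypt=True)))
    print("OFB damaged bytes:", damaged_positions(data, ofb_crypt(key, iv, flip_bit(ofb_crypt(key, iv, data), 5))))
```

The bit-flip on C_1 turns "amount=0100" into "amount=9100" while leaving the first block intact, which is exactly why CBC without a MAC gives no integrity. A flipped byte in CFB-8 ciphertext damages that byte plus the following eight (the register width), while in OFB only the one byte is affected.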
Initial and Final Permutations
Initial permutation (IP):
- View the input as a matrix M of 8 bytes by 8 bits.
- Transform M into M1 in two steps:
  - Transpose row x into column (9 - x), 0 < x < 9.
  - Apply a permutation on the rows: for even column y, it becomes row y/2; for odd column y, it becomes row 5 + floor(y/2).
- Final permutation FP = IP^-1.

Per-Round Key Generation
[Figure: an initial permutation of the DES key gives C0 and D0 (28 bits each); each round circularly left-shifts C_{i-1} and D_{i-1} to give C_i and D_i, and a permutation with discard selects 48 bits as K_i]
- Rounds 1, 2, 9, 16: single shift; all others: two bits.

A DES Round
[Figure: 32-bit L_n and 32-bit R_n; R_n -> E (48 bits) -> XOR with 48-bit K_i -> S-boxes -> P (32 bits), i.e. the mangler function; L_{n+1} = R_n, R_{n+1} = L_n XOR f(R_n, K_i)]

A Full Picture of DES
[Figure]

Cycles of Substitution and Permutation
[Figure]

A Cycle in the DES
[Figure]

Types of Permutations
[Figure]

Details of a Cycle
[Figure]

Pattern of Expansion Permutation
[Figure]

Mangler Function
[Figure: the 32-bit half is split into eight 4-bit chunks, each expanded to 6 bits by borrowing a bit from each neighbour, XORed with the 48-bit round key and fed to S1..S8, each of which outputs 4 bits; the 32 output bits are then permuted]
- The permutation produces "spread" among the chunks/S-boxes!

S-Box (Substitute and Shrink)
- 48 bits => 32 bits (8 * 6 => 8 * 4).
- For each 6-bit input I1..I6 to S_i (i = 1..8), the 2 outer bits (I1, I6) select the row, i.e. one of 4 substitutions, and the 4 inner bits (I2..I5) select the column; the output is the 4 bits O1..O4.

S1: one of the S-boxes
Each row is a permutation of 0..15 (the slide shows columns 0..8; columns 9..15 are omitted).
       0   1   2   3   4   5   6   7   8   9 ... 15
  0   14   4  13   1   2  15  11   8   3
  1    0  15   7   4  14   2  13   1  10
  2    4   1  14   8  13   6   2  11  15
  3   15  12   8   2   4   9   1   7   5
Example: input 100110: row = 10b = 2, column = 0011b = 3, S1[2][3] = 8, so the output is 1000.

8 S-Boxes
- The logic behind the selection of the S-boxes was kept secret when the standard was published (IBM's design criteria were only released by Coppersmith in 1994).
- Is it a good idea technically to publish it?
Decryption
- Apply the same operations with the keys in reverse order (K16, K15, ..., K1).
- Input: R_{n+1} | L_{n+1}; output: R_n | L_n, due to the "swap" operation.
- The swap operation at the end then produces the correct result: L | R.

DESign Principles: Inverses
Equations for round i:
  $L_i = R_{i-1}$
  $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
In other words:
  $R_{i-1} = L_i$
  $L_{i-1} = R_i \oplus f(L_i, K_i)$
So decryption is the same as encryption: the round is undone by recomputing the same f from the half that was not modified. Last round, no swap: really is the same.
[Figure: one round, L_{i-1}, R_{i-1} -> f -> L_i, R_i]

DES's Problem
- Considered too weak: Diffie and Hellman predicted that "in a few years technology would allow DES to be broken in days", and published a design for a key-search machine using 1977 technology.
- Design decisions not public: the S-boxes may have backdoors.

MoDES of Operation
- ECB, Electronic CodeBook mode: encrypt each 64-bit block independently; an attacker could build a codebook.
- CBC, Cipher Block Chaining mode: encryption $C_i = E_K(P_i \oplus C_{i-1})$; decryption $P_i = C_{i-1} \oplus D_K(C_i)$.
- CFB, OFB (Cipher FeedBack, Output FeedBack): allow byte-wise encryption.

PeDEStrian attacks
- Obvious attack: guess the key.
- 2^56 keys.
- Complementation property: only 2^55 keys need to be tried.
- At 1 million keys per second: 1100 years.
- Store E_K(P1) for all K: 512 petabytes.
- Time/memory tradeoff (Hellman, 1980): 1 terabyte, 5 days.

DEStroying Security
Differential cryptanalysis (1990):
- Say you know plaintext/ciphertext pairs.
- Differences $dP = P_1 \oplus P_2$, $dC = C_1 \oplus C_2$.
- The distribution of dC's given dP may reveal the key.
- Need lots of pairs to get lots of good dP's.
- Look at pairs, build up the key in pieces.
- Could find some bits, brute-force the rest.

DEServing of Praise
- Against 8-round DES, the attack requires 2^14 = 16,384 chosen plaintexts, or 2^38 known plaintext-ciphertext pairs.
- Against 16-round DES, the attack requires 2^47 chosen plaintexts, or roughly 2^55.1 known plaintext-ciphertext pairs.
- Differential cryptanalysis is therefore not effective against the full 16 rounds in practice: 2^55.1 known pairs is about the cost of exhaustive search.

DESperate measures
Linear cryptanalysis:
- Look at the algorithm structure: find places where, if you XOR plaintext and ciphertext bits together, you get key bits.
- The S-boxes are not linear, but can be approximated.
- Needs 2^43 known pairs; the best known attack.
- DES apparently was not optimized against this.
- Still, not an easy-to-mount attack.

DESuetude
- The "weakest link" is the size of the key.
- Attacks take advantage of encryption speed.
- 1993: Wiener: $1M machine, 3.5 hours.
- 1998: EFF's Deep Crack: $250,000; 92 billion keys per second; 4 days on average.
- 1999: distributed.net (with Deep Crack): 23 hours.
- OK for some things (e.g., a short time horizon).
- DES sliDES into wiDESpread DESuetude.

Triple-DES
- Run DES three times (ECB mode shown): $C_i = E_{K_3}(D_{K_2}(E_{K_1}(P_i)))$.
- If K2 = K3, this is single DES under K1: backwards compatibility.
- Known not to be just DES with some other key K4: DES is not a group (1992).
- Has 112 bits of security, not 3 * 56 = 168.

Why? What's the attack? What's wrong with Double-DES?

DESpair
Double-DES: $C_i = E_B(E_A(P_i))$.
- Given P1, C1: note that $D_B(C_1) = E_A(P_1)$.
- Make a list of every $E_K(P_1)$.
- Try each L: if $D_L(C_1) = E_K(P_1)$ for some K in the list, then maybe K = A, L = B. (About 2^48 (K, L) pairs might match by chance: 2^112 pairs, 2^64 possible values.)
- Test with P2, C2: if it checks, it was probably right.
- Time roughly 2^56 (not the 2^112 of a naive search). Memory very large: 2^56 entries.

DES's Undesirable Properties
- 4 weak keys (they are their own inverses: encrypting twice returns the plaintext).
- 12 semi-weak keys (each has another semi-weak key as its inverse).
- Complementation property: $DES_k(m) = c$ implies $DES_{k'}(m') = c'$, where ' denotes the bitwise complement.
- S-boxes exhibit irregular properties:
  - The distribution of odd and even numbers is non-random.
  - Outputs of the fourth box depend on the input to the third box.
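The DESpair meet-in-the-middle attack on double encryption, as an added Python example that is not from the original slides. To make the attack finish in a second it uses a constructed 2-round Feistel toy cipher with 32-bit blocks and 16-bit keys in place of DES; the table then has 2^16 entries and the attack costs about 2 * 2^16 block operations instead of the 2^32 of a naive search, the same ratio the slides describe for 2^56 versus 2^112. The keys A and B, the plaintexts and all function names are sample values chosen here.

```python
import hashlib

KEY_BITS = 16   # toy key size; for DES read 56


def toy_block(key, block, decrypt=False):
    """Constructed 2-round Feistel cipher on 4-byte blocks with a 2-byte key
    (NOT DES).  The same loop runs both ways; the subkeys are reversed to decrypt."""
    subkeys = [key + bytes([i]) for i in range(2)]
    if decrypt:
        subkeys.reverse()
    L, R = block[:2], block[2:]
    for k in subkeys:
        f = hashlib.blake2b(k + R, digest_size=2).digest()
        L, R = R, bytes(a ^ b for a, b in zip(L, f))
    return R + L


def all_keys():
    return (k.to_bytes(2, "big") for k in range(1 << KEY_BITS))


def double_encrypt(ka, kb, p):
    """Double encryption C = E_B(E_A(P))."""
    return toy_block(kb, toy_block(ka, p))


def meet_in_the_middle(p1, c1, p2, c2):
    """Tabulate E_K(P1) for every K, then for every L look up D_L(C1) in the
    table; every hit is a candidate (K, L).  Since D_B(C1) = E_A(P1), the real
    pair is always among them; (P2, C2) weeds out the chance matches."""
    table = {}
    for ka in all_keys():
        table.setdefault(toy_block(ka, p1), []).append(ka)     # E_K(P1) -> [K, ...]
    candidates = []
    for kb in all_keys():
        middle = toy_block(kb, c1, decrypt=True)               # D_L(C1)
        for ka in table.get(middle, []):
            candidates.append((ka, kb))                        # maybe K = A, L = B
    confirmed = [(ka, kb) for ka, kb in candidates if double_encrypt(ka, kb, p2) == c2]
    return candidates, confirmed


if __name__ == "__main__":
    A, B = bytes.fromhex("1337"), bytes.fromhex("beef")       # the secret keys (constructed)
    P1, P2 = b"\x00\x01\x02\x03", b"attk"                      # two known plaintexts
    cands, found = meet_in_the_middle(P1, double_encrypt(A, B, P1), P2, double_encrypt(A, B, P2))
    print(len(cands), "candidates survived (P1, C1);", found, "survived (P2, C2)")
```

With 32-bit blocks there are 2^32 key pairs and 2^32 block values, so about one false candidate is expected after the first pair, which is why the slides insist on checking a second (P2, C2). The same structure defeats Triple-DES with three independent keys down to 2^112 work by treating E_{K1} as one half and D_{K2}, E_{K3} as the other.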