SS-3

advertisement
Secret Key Cryptography
RAIT
Madhumita Chatterjee
1
Algorithm Types

Stream Ciphers



Plaintext encrypted one bit at a time
Disadvantage…time consuming.
Block Ciphers


RAIT
A block of bits encrypted at one go.
Disadvantage for repeating text…..
Madhumita Chatterjee
2
Shannon concepts

Confusion



Ciphertext gives no clue about original
text.
Achieved using substitution.
Diffusion


RAIT
Increases redundancy of plaintext by
spreading across rows and columns.
Achieved using transposition or
permutation.
Madhumita Chatterjee
3
Algorithm modes





ECB (Electronic Code Book)
CBC (Cipher Block Chaining Mode)
OFB (Output Feedback Mode)
CFB (Cipher Feedback Mode)
Stream Cipher
RAIT
Madhumita Chatterjee
4
Electronic Code Book (ECB)
M1
M2
M3
64
64
64
ENC
ENC
ENC
ENC
C1
C2
C3
C4
RAIT
Madhumita Chatterjee
M4
46 pad
5
ECB Problem #1
M1
M2
M3
64
64
ENC
ENC
ENC
ENC
C1
C2
C3
C4
64
M4
46 pad
(M1 == M3) => (C1 ==C3)
RAIT
Madhumita Chatterjee
6
ECB Problem #2


Lack the basic protection against
integrity attacks on the ciphertext at
message level (i.e., multiple cipher
blocks)
Without additional integrity protection


RAIT
cipher block substitution and
rearrangement attacks
fabrication of specific information
Madhumita Chatterjee
7
Cipher Block Chaining (CBC)
M1
M2
M3
M4
64
64
64
46 pad
ENC
ENC
ENC
C2
C3
C4
IV
Initialization
Vector
ENC
C1
(M1 == M3) very unlikely leads to (C1 == C3)
RAIT
Madhumita Chatterjee
8
CBC Decryption
M1
M2
M3
M4
DEC
DEC
DEC
DEC
C3
C4
IV
C1
RAIT
C2
Madhumita Chatterjee
9
CBC Vulnerabilities


Loss sync of block boundary garbles the
rest of the stream
Create desired change in decrypted
block Pn by sacrificing block P n-1
RAIT
Madhumita Chatterjee
10
CBC…..
P n-1
Pn
DEC
DEC
C n-1
RAIT
Cn
Madhumita Chatterjee
11
Output Feedback Mode (OFB)
Like a Random Number Generator...
IV
ENC
M1
M2
C1
RAIT
ENC
ENC
M3
C2
ENC
M4
C3
Madhumita Chatterjee
C4
12
OFB Properties

Advantages



RAIT
Allow pre-computing of pseudo-random
stream (One-Time Pad); XOR can be
implemented very efficiently
No error propagation problem as in CBC
Allow in-time encrypt/decrypt due to bitwise computation (versus the fixed blocks)
Madhumita Chatterjee
13
General k-bit Cipher Feedback
Mode (CFB)
k
k IV
k
k
ENC
M1
K bits
C1
RAIT
k
ENC
ENC
K bits
M2
M3
K bits
C2
Madhumita Chatterjee
C3
14
CFB Properties

Advantage compared with CBC.


With k=8, errors on one byte of ciphertext
only affect 8 more bytes beyond.
Disadvantage compared with OFB.

RAIT
Random stream can no longer be computed
in advance.
Madhumita Chatterjee
15
Generating MICs

Only send last block of CBC (CBS
residue)


Send plaintext
Any modification in plaintext modifies
CBC residue

RAIT
Insures integrity
Madhumita Chatterjee
16
CBC Plus Residue
M1
M2
M3
M4
64
64
64
46 pad
ENC
ENC
ENC
C2
C3
IV
Initialization
Vector
ENC
C1
RAIT
Madhumita Chatterjee
C4
residue
17
Elementary
Cryptography
DES Algorithm
RAIT
Madhumita Chatterjee
18
Background & History



System developed by the US Govt. intended
for public use in 1976
Many hardware and software systems
designed with DES
Goals were






RAIT
High level of security
Specified and easy to understand
Publishable, available
Adaptable to diverse applications
Economic to implement in elctronic
devices
Efficient to use and able to be validated
Madhumita Chatterjee
19
Generic Block Encryption


Convert block to another: one-to-one
Long enough to avoid known-plaintext
attack



64 bit typical, nice for RISC
Naïve: 264 input values, 64 bits each,
total 270 bits to store the mapping
Output should look random


RAIT
No correlation between plaintext and
ciphertext
Bit spreading
Madhumita Chatterjee
20
Generic Block Encryption
(Cont’d)



RAIT
Substitution: 2k values: k  2k bits done by S-Boxes,
adds confusion
Permutation: change position for each bit: klog2k
bits done by P-Boxes adds diffusion
Round: combination of substitution chunks and
permutation do often enough so that a bit change
can affect every output bit
 How many rounds? A few but not fewer
Madhumita Chatterjee
21
Block Cipher Scheme
Encrypt
Plaintext
block
of length N
Secret key
Cipher
block
of length N
Decrypt
RAIT
Madhumita Chatterjee
22
Overview of the DES
 A block cipher:
– encrypts blocks of 64 bits using a 64-bit key
– Key: 64 bit quantity=8-bit parity+56-bit key. Every
8th bit is a parity bit.
– outputs 64 bits of ciphertext
– A product cipher
– basic unit is the bit
– performs both substitution and transposition
(permutation) on the bits
RAIT
Madhumita Chatterjee
23
 Cipher consists of 16 rounds (iterations)
each with a round key generated from
the user-supplied key
RAIT
Madhumita Chatterjee
24
Key features




Sheer complexity of tracing a single bit
through 16 iterations of substitutions and
transpositions discourages analysis
8 extra bits are used only for parity so key is
56 bits long
Substitution provides confusion and
transposition provides diffusion
Uses only std. arithmetic and logical
operations, and is repetitive an can be
implemented on a single purpose chip.
RAIT
Madhumita Chatterjee
25
Cycles of Substitution and Permutation.
RAIT
Madhumita Chatterjee
26
Features : DES
• Data Encryption Standard (DES)
•
•
•
•
RAIT
Encodes plaintext in 64-bit chunks using a 64-bit
key (56 bits + 8 bits parity)
Uses a combination of diffusion and confusion to
achieve security
Was cracked in 1997
• Parallel attack – exhaustively search key
space
Decryption in DES – it’s symmetric! Use KA
again as input and then the same keys except in
reverse order
Madhumita Chatterjee
27
Overview: DES
• DES
• 64-bit input is permuted
• 16 stages of identical operation
• differ in the 48-bit key extracted from
56-bit key - complex
• R2= R1 is encrypted with K1 and
XOR’d with L1
• L2=R1, …
• Final inverse permutation stage
RAIT
Madhumita Chatterjee
28
Pictorial Representation For DES
RAIT
Madhumita Chatterjee
29
A more detailed picture
RAIT
Madhumita Chatterjee
30
DEScription: One Round
Li-1
64 bits divided into
left, right halves
 Right half goes

through function f,
mixed with key
 Right half added to
left half
 Halves swapped
Li
(except in last
round)
RAIT
Madhumita Chatterjee
Ri-1

f
Ri
31
DEScription: InsiDES
Ri-1
Expand right side
from 32 to 48 bits
(some get reused) Expansion
 Add 48 bits of key

(chosen by
Eight S-boxes
schedule)
 S-boxes: each set
P-box
of 6 bits reduced to
4
Output
 P-box permutes 32
RAIT
Madhumita Chatterjee

Ki
32
DES Top View
56-bit Key
64-bit
48-bitInput
K1
Generate keys
Permutation
Round 1
Round 2
…...
Round 16
Swap
Permutation
RAIT
64-bit Output
Initial Permutation
48-bit K1
48-bit K2
48-bit K16
Swap 32-bit halves
Final Permutation
Madhumita Chatterjee
33
Bit Permutation (1-to-1)
Input:
1 2
0 0
3
1
4
0
…….
32
1
1 bit
Output
RAIT
1
0
1
1
22
6
13 32
……..
Madhumita Chatterjee
1
3
34
Bits Expansion (1-to-m)
Input:
1
0
2
0
3
1
4
0
5
1…….
1
0
0
1
0
1
0
1
1
2
3
4
5
6
7
8
RAIT
……..
Madhumita Chatterjee
32
1
1
0
48
Output
35
Initial and Final Permutations



Initial permutation (IP)
View the input as M: 8(-byte) by 8(-bit)
matrix
Transform M into M1 in two steps


Transpose row x into column (9-x), 0<x<9
Apply permutation on the rows:



RAIT
For even column y, it becomes row y/2
For odd column y, it becomes row (5+y/2)
Final permutation FP = IP-1
Madhumita Chatterjee
36
Per-Round Key Generation
Initial Permutation of DES key
C i-1 28 bits
D i-1 28 bits
Circular Left Shift
Circular Left Shift
One
round
Round 1,2,9,16:
single shift
Others: two bits
Permutation
with Discard
48 bits
Ki
Ci
RAIT
28 bits
Di
28 bits
Madhumita Chatterjee
37
A DES Round
32 bits Ln
32 bits Rn
E
One Round
Encryption
48 bits
Mangler
Function
S-Boxes
48 bits
Ki
P
32 bits
RAIT
32 bits Ln+1
32 bits Rn+1
Madhumita Chatterjee
38
A Full Picture Of DES
RAIT
Madhumita Chatterjee
39
Cycles of Substitution and Permutation.
RAIT
Madhumita Chatterjee
40
A Cycle in the DES.
RAIT
Madhumita Chatterjee
41
Types of Permutations.
RAIT
Madhumita Chatterjee
42
RAIT
Details of a Cycle.
Madhumita Chatterjee
43
Pattern of Expansion Permutation.
RAIT
Madhumita Chatterjee
44
Mangler Function
4 4 4 4 4 4 4 4
6
6
6
6
6
+
+
+
+
+
6
+
6
6
+
6
6
6
6
6
6
6
+
S1 S2 S3 S4 S5 S6 S7 S8
4 4 4 4 4 4 4 4
6
The permutation produces
“spread” among the
chunks/S-boxes!
Permutation
RAIT
Madhumita Chatterjee
45
S-Box (Substitute and Shrink)
48 bits ==> 32 bits. (8*6 ==> 8*4)
 2 bits used to select amongst 4
substitutions for the rest of the 4-bit
quantity
2 bits

row
4 bits
column
RAIT
I1
I2
I3
I4
I5
I6
Si
i = 1,…8.
Madhumita Chatterjee
O1
O2
O3
O4
46
S1: one of the S-boxes
Each row and column contain different numbers.
0
1
2
3
4
5
6
7
8
0
14
4
13
1
2
15
11
8
3
1
0
15
7
4
14
2
13
1
10
2
4
1
14
8
13
6
2
11
15
3
15
12
8
2
4
9
1
7
5
9…. 15
Example: input: 100110 output: ???
RAIT
Madhumita Chatterjee
47
8 S-Boxes


Logic behind the selection of the SBoxes remains unpublished secret
Is it a good idea technically to publish it?
RAIT
Madhumita Chatterjee
48
Decryption

Apply the same operations (keys in
reverse order: K16, K15, …, K1):

Input: Rn+1|Ln+1


Output: Rn|Ln

RAIT
Due to the “swap” operation
The swap operation at the end will produce the
correct result: L|R
Madhumita Chatterjee
49
DESign Principles: Inverses

Equations for round i:

Li  Ri 1
RIni 
Li 1words:
 f Ri 1
other
Li-1

Ri 1  Li
Li 1  Ri  f Li 


So decryption is the same
as encryption
Last round, no swap: really
is the same
RAIT
Li
Madhumita Chatterjee
Ri-1
f
Ri
50
DES’s Problem
 Considered too weak
– Diffie, Hellman prediction: “in a few years
technology would allow DES to be broken in days”
• Design using 1999 technology published
– Design decisions not public
• S-boxes may have backdoors
RAIT
Madhumita Chatterjee
51
MoDES of Operation

ECB: Electronic CodeBook mode:



CBC: Cipher Block Chaining mode:



Encrypt each 64-bit block independently
Attacker could build codebook
Encryption: Ci = EK(Pi  Ci-1)
Decryption: Pi = Ci-1  DK(Ci)
CFB, OFB: allow byte-wise encryption

RAIT
Cipher FeedBack, Output FeedBack
Madhumita Chatterjee
52
PeDEStrian attacks





Obvious attack: guess the key. 256
keys
Complementation Property: 255 keys
1 million per second: 1100 years
Store EK(P1) for all K: 512 petabytes
Time/Memory Tradeoff (Hellman,
1980):

RAIT

1 terabyte
5 days
Madhumita Chatterjee
53
DEStroying Security







Differential Cryptanalysis (1990):
Say you know plaintext, ciphertext pairs
Difference dP = P1  P2, dC = C1  C2
Distribution of dC’s given dP may reveal key
Need lots of pairs to get lots of good dP’s
Look at pairs, build up key in pieces
Could find some bits, brute-force for rest
RAIT
Madhumita Chatterjee
54
DEServing of Praise

Against 8-round DES, attack requires:



Against 16-round DES, attack requires:



214 = 16,384 chosen plaintexts, or
238 known plaintext-ciphertext pairs
247 chosen plaintexts, or
Roughly 255.1 known plaintext-ciphertext
pairs
Differential cryptanalysis not effective
RAIT
Madhumita Chatterjee
55
DESperate measures

Linear cryptanalysis:



Look at algorithm structure: find places
where, if you XOR plaintext and ciphertext
bits together, you get key bits
S-boxes not linear, but can approximate
Need 243 known pairs; best known
attack
RAIT
Madhumita Chatterjee
56


DES apparently not optimized against
this
Still, not an easy-to-mount attack
RAIT
Madhumita Chatterjee
57
DESuetude




“Weakest link” is size of key
Attacks take advantage of encryption speed
1993: Weiner: $1M machine, 3.5 hours
1998: EFF’s Deep Crack: $250,000




RAIT
92 billion keys per second; 4 days on average
1999: distributed.net: 23 hours
OK for some things (e.g., short time
horizon)
DES sliDES into wiDESpread DESuetude
Madhumita Chatterjee
58
Triple-DES




3
ECB mode:
2
1

If K2 = K3, this is DES



Run DES three times:Ci  EK DK E K Pi 
Backwards compatibility
Known not to be just DES with K4
(1992)
Has 112 bits of security, not 3  56 =
168
RAIT
Madhumita Chatterjee
59


Why? What’s the attack?
What’s wrong with Double-DES?
RAIT
Madhumita Chatterjee
60
DESpair




Double-DES: Ci = EB(EA(Pi))
Given P1, C1: Note that DB(C1) = EA(P1)
Make a list of every EK(P1).
Try each L: if DL(C1) = EK(P1), then
maybe K = A, L = B. (248 L’s might
work.)
RAIT
Madhumita Chatterjee
61


Test with P2, C2: if it checks, it was
probably right.
Time roughly 256. Memory very large.
RAIT
Madhumita Chatterjee
62
DES’s Undesirable Properties
 4 weak keys
(They are their own inverses)
 12 semi-weak keys
(Each has another semi-weak key as inverse)
 Complementation property
– DESk(m) = c  DESk´(m´) = c´
 S-boxes exhibit irregular properties
– Distribution of odd, even numbers non-random
– Outputs of fourth box depends on input to third box
RAIT
Madhumita Chatterjee
63
Download