Document

advertisement
Chapter 8
Encipherment Using
Modern Symmetric-Key
Ciphers
8.1
8-1 USE OF MODERN BLOCK CIPHERS
Symmetric-key encipherment can be done using
modern block ciphers. Modes of operation have been
devised to encipher text of any size employing either
DES or AES.
8.2
8-1 Continued
Figure 8.1 Modes of operation
8.3
8.1.1 Electronic Codebook (ECB) Mode
The simplest mode of operation is called the electronic
codebook (ECB) mode.
Figure 8.2 Electronic codebook (ECB) mode
8.4
8.1.1
Continued
Example 8.1
It can be proved that each plaintext block at Alice’s site is exactly
recovered at Bob’s site. Because encryption and decryption are
inverses of each other,
Example 8.2
This mode is called electronic codebook because one can
precompile 2K codebooks (one for each key) in which each
codebook has 2n entries in two columns. Each entry can list the
plaintext and the corresponding ciphertext blocks. However, if K
and n are large, the codebook would be far too large to precompile
and maintain.
8.5
8.1.1
Continued
Example 8.3
Assume that Eve works in a company a few hours per month (her
monthly payment is very low). She knows that the company uses
several blocks of information for each employee in which the
seventh block is the amount of money to be deposited in the
employee’s account. Eve can intercept the ciphertext sent to the
bank at the end of the month, replace the block with the
information about her payment with a copy of the block with the
information about the payment of a full-time colleague. Each
month Eve can receive more money than she deserves.
8.6
8.1.1 Continued
Security Issues
1- Patterns at the block level are preserved
2- The block independency creates opportunities for Eve
to exchange some ciphertext blocks without knowing the
key.
Error Propagation
A single bit error in transmission can create errors in
several in the corresponding block. However, the error
does not have any effect on the other blocks.
8.7
8.1.1 Continued
Ciphertext Stealing
A technique called ciphertext stealing (CTS) can make it
possible to use ECB mode without padding. In this
technique the last two plaintext blocks, PN−1 and PN , are
encrypted differently and out of order, as shown below,
assuming that PN−1 has n bits and PN has m bits, where m
≤n.
8.8
8.1.1 Continued
Applications
• The ECB mode is not recommended for encryption of
messages more than one block.
• One area where the independency of the ciphertext
block is useful is where records need to be encrypted
before they are stored in a database or decrypted
before they are retrieved….Access to the database can
be random.
• Another advantage of this mode is that we can use
parallel processing if we need to create a very huge
encrypted database.
8.9
8.1.2 Cipher Block Chaining (CBC) Mode
In CBC mode, each plaintext block is exclusive-ored with
the previous ciphertext block before being encrypted.
Figure 8.3 Cipher block chaining (CBC) mode
8.10
8.1.2 Continued
Figure 8.3 Cipher block chaining (CBC) mode
8.11
8.1.2
Continued
Example 8.4
It can be proved that each plaintext block at Alice’s site is
recovered exactly at Bob’s site. Because encryption and decryption
are inverses of each other,
Initialization Vector (IV)
The initialization vector (IV) should be known by the
sender and the receiver.
8.12
8.1.2 Continued
Security Issues
• Patterns at the block level are not preserved. However,
if the first M blocks in two different messages are
equal, they are enciphered into equal blocks unless
different Ivs are used. Hence, recommend the use of
timestamp as an IV.
• Eve can add some ciphertext blocks to the end of the
ciphertext stream.
Error Propagation
In CBC mode, a single bit error in ciphertext block Cj
during transmission may create error in most bits in
plaintext block Pj during decryption.
8.13
8.1.2 Continued
Applications
• Parallel processing is not possible.
• CBC mode is not used to encrypt and decrypt randomaccess files records because of the need to access the
previous records.
• CBC mode is used for authentication.
8.14
8.1.2 Continued
Ciphertext Stealing
The ciphertext stealing technique described for ECB
mode can also be applied to CBC mode, as shown below.
The head function is the same as described in ECB mode;
the pad function inserts 0’s.
8.15
8.1.3 Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure
ciphers, but the plaintext or ciphertext block sizes are to
be smaller.
Figure 8.4 Encryption in cipher feedback (CFB) mode
8.16
8.1.3 Continued
Note
In CFB mode, encipherment and decipherment use
the encryption function of the underlying block
cipher.
The relation between plaintext and ciphertext blocks is
shown below:
8.17
8.1.3 Continued
Advantages
• This mode does not need padding because the
size of the block r, is normally chosen to fit the
data unit to be encrypted ( a character for example).
• The system does not have to wait until It has
received a large block of data (64 or 128 bits)
before starting the encryption.
Disadvantages
CFB is less efficient than CBC and ECB because
it needs to apply the encryption function for each
small block of size r.
8.18
8.1.3 Continued
CFB as a Stream Cipher
Figure 8.5 Cipher feedback (CFB) mode as a stream cipher
8.19
8.1.3 Continued
Security Issues
• The patterns are not preserved.
• The IV should be changed for each message
• Eve can add some ciphertext block to the end
of the ciphertext stream.
Error Propagation
A single bit error in ciphertext block Ci during
transmission creates a single bit eror in plaintext
block Pi. However most of the bits in the following
plaintext blocks are in error.
Application
This mode can be used to encipher blocks of
small size such as characters or bit at a time.
8.20
18.1.4 Output Feedback (OFB) Mode
In this mode each bit in the ciphertext is independent of
the previous bit or bits. This avoids error propagation.
Figure 8.6 Encryption in output feedback (OFB) mode
8.21
8.1.4 Continued
OFB as a Stream Cipher
Figure 8.7 Output feedback (OFB) mode as a stream cipher
8.22
8.1.4 Continued
Security Issues
The patterns are not preserved.
Error Propagation
A single bit error in the ciphertext affects
only the corresponding bit in the plaintext.
8.23
8.1.5 Counter (CTR) Mode
In the counter (CTR) mode, there is no feedback. The
pseudorandomness in the key stream is achieved using a
counter.
Figure 8.8 Encryption in counter (CTR) mode
8.24
8.1.5 Continued
Figure 8.9 Counter (CTR) mode as a stream cipher
8.25
8.1.5 Continued
Notes
• CTR creates n-bit blocks that are independent
from each other; they depend only on the value
of the counter.
• CTR, like ECB mode, cannot be used for realtime processing.
• CTR, like ECB mode, can be used to encrypt
and decrypt random access files as long as the
value of the counter can be related to the record
number in the file.
8.26
8.1.5 Continued
Comparison of Different Modes
8.27
8-2 USE OF STREAM CIPHERS
Although the five modes of operations enable the use
of block ciphers for encipherment of messages or files
in large units and small units, sometimes pure stream
are needed for enciphering small units of data such as
characters or bits.
Topics discussed in this section:
8.2.1
8.2.2
8.28
RC4
A5/1
8.2.1 RC4
Developed by RSA Labs, RC4 is a symmetric, byteoriented stream cipher with a variable length key size, in
which a byte (8 bits) of a plaintext is exclusive-ored with a
byte of key to produce a byte of a ciphertext.
KEY
ksa
RC4 HAS two main parts:
KSA (Key Scheduling Algorithm)
PRGA (Pseudo Random Generation Algorithm)
State
RC4 is based on the concept of a state.
8.29
PRGA
K
P
+
C
8.2.1 Continued
Figure 8.10 The idea of RC4 stream cipher
KSA
PRGA
8.30
RC4 Key Schedule KSA
Starts with an array S of numbers: 0..255
􀁺 Use key to truly shuffle S
􀁺 S forms internal state of the cipher
􀁺 Given a key k of length L bytes
Scrambling Pseudocode :
for i = 0 to 255 do
S[i] = i
j=0
for i = 0 to 255 do
j = (j + S[i] + k[i ]) (mod 256)
swap (S[i], S[j])
8.31
RC4 PRGA and Encryption
Encryption involves XORing data bytes with output of the
PRGA
􀁺 The PRGA initializes i and j to 0 and then loops over 4 basic
operations: increase j, increase j using s[i], swap and output
s[i]+s[j]
􀁺PRGA Pseudocode is:
i=j=0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
; Ki = S[t]
Encryption :
Ci = Mi XOR S[t]
8.32
RC4 Encryption Example
Lets consider the stream cipher RC4, but
instead of the full 256 bytes, we will use 8 x
3-bits.
That is, the state vector S is 8 x 3-bits.
We will operate on 3-bits of plaintext at a time
since S can take the values 0 to 7, which can
be represented as 3 bits.
Assume we use a 4 x 3-bit key of K = [1 2 3
6]. And a plaintext P = [1 2 2 2]
8.33
RC4 PRGA and Encryption
The first step is to generate the stream.
Initialise the state vector S and temporary vector T. S is
initialised so the S[i] = i, and T is initialised so it is the key K
(repeated as necessary).
S = [0 1 2 3 4 5 6 7]
T = [1 2 3 6 1 2 3 6]
Now perform the initial permutation on S.
j = 0;
for i = 0 to 7 do
j = (j + S[i] + T[i]) mod 8
Swap(S[i],S[j]);
end
For i = 0:
j = (0 + 0 + 1) mod 8 = 1
Swap(S[0],S[1]);
S = [1 0 2 3 4 5 6 7]
8.34
RC4 PRGA and Encryption
For i = 1:
j=3
Swap(S[1],S[3])
S = [1 3 2 0 4 5 6 7];
For i = 2:
j=0
Swap(S[2],S[0]);
S = [2 3 1 0 4 5 6 7];
For i = 3:
j = 6;
Swap(S[3],S[6])
S = [2 3 1 6 4 5 0 7];
8.35
RC4 PRGA and Encryption
For i = 4:
j=3
Swap(S[4],S[3])
S = [2 3 1 4 6 5 0 7];
For i = 5:
j=2
Swap(S[5],S[2]);
S = [2 3 5 4 6 1 0 7];
For i = 6:
j = 5;
Swap(S[6],S[4])
S = [2 3 5 4 0 1 6 7];
For i = 7:
j = 2;
Swap(S[7],S[2])
S = [2 3 7 4 0 1 6 5];
Hence, our initial permutation of S = [2 3 7 4 0 1 6 5];
8.36
RC4 PRGA and Encryption
Now we generate 3-bits at a time, k, that we XOR with each 3-bits
of plaintext to produce the ciphertext. The 3-bits k is generated
by:
i, j = 0;
while (true) {
i = (i + 1) mod 8;
j = (j + S[i]) mod 8;
Swap (S[i], S[j]);
t = (S[i] + S[j]) mod 8;
k = S[t]; }
8.37
The first iteration:
S = [2 3 7 4 0 1 6 5]
i = (0 + 1) mod 8 = 1
j = (0 + S[1]) mod 8 = 3
Swap(S[1],S[3])
S = [2 4 7 3 0 1 6 5]
t = (S[1] + S[3]) mod 8 = 7
k = S[7] = 5
Remember, P = [1 2 2 2]
RC4 PRGA and Encryption
Remember, P = [1 2 2 2]
So our first 3-bits of ciphertext is obtained by: k XOR P
5 XOR 1 = 101 XOR 001 = 100 = 4
The second iteration:
S = [2 4 7 3 0 1 6 5]
i = (1 + 1 ) mod 8 = 2
j = (2 + S[2]) mod 8 = 1
Swap(S[2],S[1])
S = [2 7 4 3 0 1 6 5]
t = (S[2] + S[1]) mod 8 = 3
k = S[3] = 3
Second 3-bits of ciphertext are:
3 XOR 2 = 011 XOR 010 = 001 = 1
8.38
RC4 PRGA and Encryption
After 4 iterations:
To encrypt the plaintext stream P =
[1 2 2 2] with key K = [1 2 3 6] using
our simplified RC4 stream cipher we
get C = [4 1 2 0].
(or in binary: P = 001010010010, K =
001010011110 and C =
100001010000)
Simplified
8.39
8.2.2 A5/1
A5/1 (a member of the A5 family of ciphers) is used in the
Global System for Mobile Communication (GSM), a
network for mobile telephone communication..
Figure 8.11 General outline of A5/1
8.40
8.2.2 Continued
Key Generator
A5/1 uses three LFSRs with 19, 22, and 23 bits.
Figure 8.12 Three LFSR’s in A5/1
8.41
8.2.2
Continued
Example 8.7
At a point of time the clocking bits are 1, 0, and 1. Which LFSR is
clocked (shifted)?
Solution
The result of Majority (1, 0, 1) = 1. LFSR1 and LAFS3 are shifted,
but LFSR2 is not.
8.42
8.2.2 Continued
Encryption/Decryption
The bit streams created from the key generator are
buffered to form a 228-bit key that is exclusive-ored with
the plaintext frame to create the ciphertext frame.
Encryption/decryption is done one frame at a time.
8.43
8-3 OTHER ISSUES
Encipherment using symmetric-key block or stream
ciphers requires discussion of other issues.
Topics discussed in this section:
8.3.1
8.3.2
8.44
Key Management
Key Generation
8.3.1 Key Management
Alice and Bob need to share a secret key between
themselves to securely communicate using a symmetrickey cipher. If there are n entities in the community,
n(n − 1)/2 keys are needed.
Note
Key management is discussed in Chapter 15.
8.45
8.3.2 Key Generation
Different symmetric-key ciphers need keys of different
sizes. The selection of the key must be based on a
systematic approach to avoid a security leak. The keys
need to be chosen randomly. This implies that there is a
need for random (or pseudorandom) number generator.
Note
Random number generators are discussed in
Appendix K.
8.46
Download