1 Information Security and Management 3. Block Ciphers and the Data Encryption Standard Chih-Hung Wang Fall 2011 2 Block Cipher Principles • Block Ciphers and Stream Ciphers ▫ Block ciphers is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. ▫ like a substitution on very big characters 64/128-bits or more ▫ Stream ciphers is one that encrypts a digital data stream one bit or one byte at a time. ▫ Many current ciphers are block ciphers 3 Block Ciphers and Stream Ciphers 4 Motivation • Reversible Mapping Reversible Mapping Irreversible Mapping Plaintext Ciphertext Plaintext Ciphertext 00 11 00 11 01 10 01 10 10 00 10 01 11 01 11 01 5 A General Substitution Cipher • If a small block size, such n=4, is used, then the system is equivalent to a classical substitution cipher. are vulnerable to statistical analysis of the plaintext. • An arbitrary reversible substitution cipher for a large block size is not practical. 6 A General Substitution Cipher The size of key is n 2 n For a 64-bits block, key size 64 21 is 64 2 10 bits 7 Block Cipher Principles • most symmetric block ciphers are based on a Feistel Cipher Structure • Feistel proposed the use of a cipher that alternates substitutions and permutations • needed since must be able to decrypt ciphertext to recover messages efficiently • block ciphers look like an extremely large substitution • would need table of 264 entries for a 64-bit block • instead create from smaller building blocks • using idea of a product cipher 8 Claude Shannon and SubstitutionPermutation Ciphers • in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks ▫ modern substitution-transposition product cipher • these form the basis of modern block ciphers • S-P networks are based on the two primitive cryptographic operations we have seen before: ▫ substitution (S-box) ▫ permutation (P-box) • provide confusion and diffusion of message 9 Diffusion and Confusion • Cipher needs to completely obscure statistical properties of original message • a one-time pad does this • more practically Shannon suggested combining elements to obtain: • diffusion – the statistical structure of the plaintext is dissipated into long range statistics of the ciphertext • confusion – makes relationship between ciphertext and key as complex as possible 10 Feistel Cipher Structure • Horst Feistel devised the feistel cipher ▫ based on concept of invertible product cipher • Partitions input block into two halves ▫ The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. • Implements Shannon’s substitutionpermutation network concept 11 Feistel Cipher Structure 12 Feistel Cipher Design Principles • Block size ▫ larger block sizes mean greater security but reduced e/d speed • Key size ▫ increasing size improves security, makes exhaustive key searching harder, but may slow cipher • Number of rounds ▫ a single round offers inadequate security ▫ increasing number improves security, but slows cipher • Subkey generation ▫ greater complexity should lead to greater difficulty of cryptanalysis • Round function ▫ greater complexity means greater resistance to cryptanalysis • Fast software encryption/decryption • Ease of analysis ▫ DES does not have an easily analyzed functionality 13 Feistel Cipher Decryption • Use the ciphertext as input to the algorithm, but use subkey Ki in reverse order. LE16 RE15 RE16 LE15 F ( RE15 , K16 ) Decryption LD1 RD0 LE16 RE15 RD1 LD0 F ( RD0 , K16 ) RE16 F ( RE15 , K16 ) [ LE15 F ( RE15 , K16 )] F ( RE15 , K16 ) 14 Feistel Cipher Decryption 15 General Form of Feistel Cipher LEi RE i 1 RE i LEi 1 F ( RE i 1 , K i ) RE i 1 LEi LEi 1 RE i F ( RE i 1 , K i ) RE i F ( LEi , K i ) 16 Data Encryption Standard (DES) • History ▫ National Bureau of Standards (now the National Institute of Standards and Technology:NIST) 1977-> as Federal Information Processing Standard 46(FIPS PUB 46) ▫ 1960:IBM LUCIFER project 17 DES • Critique ▫ The key length In IBM’s original LUCIFER algorithm is 128 bits, but that of the proposed system was only 56 bits. ▫ Design Criteria for the internal structure S-boxes Any hidden weak points that could enable NSA to decipher message without benefit the key? Differential cryptanalysis -> DES has a very strong internal structure 18 DES • Not Secure? ▫ DES has flourished and is widely used, especially in financial applications ▫ In 1994, NIST reaffirmed DES for federal use for another five years ▫ NIST recommends the use of DES for applications other than protection of classified information 19 DES Encryption • Data are encrypted in 64-bit blocks using 56 bit key. • Transforms 64-bit input in a series of steps into 64-bit output. 20 The Structure of Block Cipher Plaintext n bits 1-st round Weak cipher 2-nd round Weak cipher …... t-th round Weak cipher …... K1 Key k bits K2 Sub-key generator Kt Ciphertext 21 General Depiction 22 Details of Single Round 23 Details of Single Round • Li = Ri-1 ; Ri = Li-1 ⊕ f(Ri-1, Ki) (i=1…15) • Li = Li-1 ⊕ f(Ri-1, Ki) ; Ri = Ri-1 (i=16) 24 Feistel Encryption Input IP f f f f IP-1 Output … 32 … 32 … 32 … 32 … 32 1,2,3,… L0 1,2,3,…. L1 1,2,3,…. L2 1,2,3,…. Li 1,2,3,…. L16 1,2,3,…. 1,2,3,… ….. 64 R0 1,2,3,…. R1 1,2,3,…. R2 1,2,3,…. Ri 1,2,3,…. R16 64 1,2,3,…. ….. … 32 … 32 … 32 … 32 … 32 k1 k2 ki k16 25 IP and IP-1 IP (Initial Permutation) IP-1 (Inverse Initial Permutation) 58 60 62 64 57 59 61 63 50 52 54 56 49 51 53 55 IP 42 34 44 36 46 38 48 40 41 33 43 35 45 37 47 39 26 28 30 32 25 27 29 31 18 20 22 24 17 19 21 23 10 12 14 16 9 11 13 15 2 4 6 8 1 3 5 7 40 8 48 39 7 47 38 6 46 37 5 45 36 4 44 35 3 43 34 2 42 33 1 41 IP-1 16 56 24 64 32 15 55 23 63 31 14 54 22 62 30 13 53 21 61 29 12 52 20 60 28 11 51 19 59 27 10 50 18 58 26 9 49 17 57 25 26 Expansion & Permutation Expansion (E) 32 4 8 12 16 20 24 28 1 5 9 13 17 21 25 29 2 6 10 14 18 22 26 30 3 7 11 15 19 23 27 31 Permutation (P) 4 8 12 16 20 24 28 32 5 9 13 17 21 25 29 1 16 1 2 19 7 15 8 13 20 23 24 30 21 29 12 28 17 26 5 18 31 10 14 32 27 3 9 6 22 11 4 25 27 Calculation of F(R,K) R (32 bits) E 48 bits S1 S2 S3 Subkey ki (48bits) S4 S5 P Output F (32 bits) S6 S7 S8 28 S-box (EX. S1) Column row 0 1 2 3 4 5 7 8 9 13 1 2 15 11 8 3 10 6 0 14 4 1 0 15 7 2 4 1 3 15 12 8 6 12 5 9 0 7 12 11 9 5 3 8 10 5 0 4 14 2 13 1 14 8 13 6 2 11 15 12 9 7 4 1 7 14 10 0 2 9 10 6 10 11 12 13 14 15 S-box 5 11 3 row 011001 column 1001 9 3 6 13 S1 29 Key Generation 1,2,3 1,2,3 1,2,3 1,2,3 1,2,3, ..… C0 ….. 28 Left shift ….. 28 ….. 28 D1 Left shift D0 ….. 28 …….. 64 56-bit Key PC-1 1,2,3 1,2,3 Left shift C1 Left shift D16 ….. 28 Left shift ….. 28 Di Left shift 1,2,3 1,2,3 Left shift Ci ….. 28 Left shift C 16 ….. 28 PC-2 PC-2 PC-2 k16 ki k1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ------------------------------------------1122222212 2 2 2 2 2 1 30 Key Generation Left shift Round number Bits rotated 57 1 10 19 63 7 14 21 49 58 2 11 55 62 6 13 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 1 2 2 2 2 2 2 1 2 PC-1 41 33 50 42 59 51 3 60 47 39 54 46 61 53 5 28 25 34 43 52 31 38 45 20 17 26 35 44 23 30 37 12 | 9 | 18 | 27 | 36 | 15 | 22 | 29 | 4 | 14 3 23 16 41 30 44 46 17 28 19 7 52 40 49 42 2 2 PC-2 11 15 12 27 31 51 39 50 24 6 4 20 37 45 56 36 2 1 21 26 13 47 33 34 29 2 2 5 10 8 2 55 48 53 32 1 31 DES Decryption • Decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed. ▫ K16, K15 , …, K1 32 DES Example 33 The Avalanche Effect • DES exhibits a strong avalanche effect ▫ Two plaintexts differ by one bit ▫ Two keys differ by one bit (a) Change in Plaintext (1 bits) Round 1 4 8 12 16 Number of bits that differ 6 39 29 30 34 (b) Change in Key (1 bits) Round 1 4 8 12 16 Number of bits that differ 2 32 34 33 35 34 DES Avalanche Effect-Change in Plaintext 35 DES Avalanche Effect-Change in Key 36 The Strength of DES • 56-bit DES ▫ 1977 Diffie & Hellman Parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond. Average search time down to about 10 hours The cost would be about $20 million 37 The Strength of DES ▫ 1993 Wiener Key search rate of 50 million keys per second Design a module that costs $100,000 and contains 5750 key search chips Key search machine Unit Expected search time Cost $100,000 35 hours $1,000,000 3.5 hours $10,000,000 21 minutes 38 The Strength of DES • RSA Laboratories ▫ The Challenge Offered a $10,000 reward, was to find a DES key given a ciphertext for a plaintext consisting of an unknown plaintext message preceeded by three known blocks of text containing the 24-character phrase “the unknown message is:” January 29, 1997, developed a brute-force program and distributed it over the internet. The project linked numerous machines over the Internet and eventually grew to over 70,000 systems Ended 96 days later when the correct key was found after examining about one-quarter of all possible keys. 39 Cryptanalysis of DES • Differential Cryptanalysis ▫ Biham and Shamir [1993] [BIHA93] Can successfully cryptanalyze DES with an effort on the order 247, requiring 247 chosen plaintexts (brute-force method: 255) Not very well. The differential cryptanalysis was known to the IBM team as early as 1974. ▫ Linear Cryptanalysis ▫ Weak keys; Semi-weak keys 40 Differential Cryptanalysis • A statistical attack against Feistel ciphers • Uses cipher structure not previously used • Design of S-P networks has output of function f influenced by both input & key • Hence cannot trace values back through cipher without knowing values of the key • Differential Cryptanalysis compares two related pairs of encryptions 41 Differential Cryptanalysis Compares Pairs of Encryptions • With a known difference in the input • Searching for a known difference in output • When same subkeys are used 42 Differential Cryptanalysis (Three Round of DES) 43 Linear Cryptanalysis • Another recent development • Also a statistical method • Must be iterated over rounds, with decreasing probabilities • Developed by Matsui et al in early 90's [MATS93] • Based on finding linear approximations • Can attack DES given 247 known plaintexts, still infeasible as an attack on DES 44 Block Cipher Design Principles • Basic principles still like Feistel in 1970’s • DES design criteria [COPP94] (Coppersmith) • Number of rounds ▫ The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. • Design of function F: ▫ S-box design ▫ Provides “confusion”, is nonlinear, avalanche • Key schedule ▫ Complex subkey creation, key (strict) avalanche, bit independence [ADAM94] 45 Block Cipher Modes Plaintext M 64 bits 64 bits 64 bits DES Cipher Ciphertext C … 64 bits Apply DES in Multiple Data Blocks 46 Block Cipher Modes • Four modes have been defined (FIPS PUB 74, 81) ▫ ▫ ▫ ▫ Electronic Codebook (ECB) Cipher Block Chaining (CBC) Cipher Feedback (CFB) Output Feedback (OFB) • NIST has expanded the list of recommended modes to five in special Publication 800-38A ▫ ** Counter (CTR) 47 ECB 48 ECB • Each block of 64 plaintext bits is encoded independently using the same key • Typical Application ▫ Secure transmission of single values (e.g., an encryption key) 49 ECB • Security ▫ For lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities. For example: the message always starts out with certain predefined fields. The message has repetitive elements, with a period of repetition a multiple of 64 bits. 50 CBC 51 CBC • The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. • Typical Application ▫ General-purpose block-oriented transmission 52 CBC • Expression ▫ Encryption Cn = EK(Cn-1 Pn) ▫ Decryption DK[Cn] = DK[EK(Cn-1 Pn) = (Cn-1 Pn) => Cn-1 DK[Cn] = Cn-1 Cn-1Pn = Pn 53 CBC • IV: initialization vector ▫ Must be known to both the sender and receiver. ▫ IV should be protected as well as the key. ▫ This should be done by sending the IV using ECB encryption ▫ If an opponent can predictably change bits in IV, the corresponding bits of the received value of P1 can be changed. 54 CFB • Encryption 55 CFB • Decryption 56 5e book (CFB) 57 CFB • Input is processed J bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of ciphertext. • Typical Application ▫ General-purpose stream-oriented transmission ▫ Authentication 58 CFB • Stream Cipher ▫ It is possible to convert DES into a stream cipher, using either CFB or OFB. ▫ A stream cipher eliminates the need to pad a message to be an integral number of blocks. ▫ A stream cipher can operate in real time. 59 OFB • Encryption 60 OFB • Decryption 61 5e book OFB 62 OFB • Similar to CFB, except that the input to the encryption algorithm is the preceding DES output. • Typical Application ▫ Stream-oriented transmission over noisy channel (e.g., satellite communication) 63 OFB • Advantage ▫ Bit errors in transmission do not propagate. If a bit error occurs in C1, only the recovered value of P1 is affected. • Disadvantage ▫ It is more vulnerable to a message stream modification attack than is CFB. 64 Counter Mode (CTR) • Encryption 65 CTR • Decryption 66 CTR • This mode was proposed early on [DIFF79] • Applications to ATM (asynchronous transfer mode) network security and IPSec (IP Security) • Advantages [LIPM00] ▫ ▫ ▫ ▫ ▫ ▫ Hardware efficiency Software efficiency Preprocessing Random access Provable Simplicity 67 5e book CTR