feistel cipher

Information Security and Management
3. Block Ciphers and the Data Encryption Standard
Chih-Hung Wang
Fall 2011
Block Cipher Principles
• Block Ciphers and Stream Ciphers
▫ A block cipher treats a block of plaintext as a whole and produces a ciphertext block of equal length.
▫ It behaves like a substitution on very large "characters" of 64, 128 or more bits.
▫ A stream cipher encrypts a digital data stream one bit or one byte at a time.
▫ Many current ciphers are block ciphers.
Block Ciphers and Stream Ciphers (figure only)
Motivation
• A block cipher must be a reversible (one-to-one) mapping: every ciphertext block must decrypt to exactly one plaintext block. Example for 2-bit blocks:

Reversible Mapping        Irreversible Mapping
Plaintext  Ciphertext     Plaintext  Ciphertext
00         11             00         11
01         10             01         10
10         00             10         01
11         01             11         01

• In the irreversible mapping both 10 and 11 encrypt to 01, so the receiver cannot tell them apart.
A General Substitution Cipher
• If a small block size such as n = 4 is used, the system is equivalent to a classical substitution cipher on 16 symbols, which is vulnerable to statistical analysis of the plaintext.
• An arbitrary reversible substitution cipher for a large block size is not practical, because the key (the whole mapping table) becomes enormous.
A General Substitution Cipher
• The key is the mapping table itself: $2^n$ entries of $n$ bits each, so the key size is $n \times 2^n$ bits.
• For a 64-bit block the key size is $64 \times 2^{64} = 2^{70} \approx 10^{21}$ bits.
Block Cipher Principles
• Most symmetric block ciphers are based on a Feistel cipher structure.
• Feistel proposed the use of a cipher that alternates substitutions and permutations.
• Such a structure is needed because the receiver must be able to decrypt the ciphertext to recover messages efficiently.
• Block ciphers look like an extremely large substitution: an arbitrary one would need a table of $2^{64}$ entries for a 64-bit block.
• Instead, the cipher is created from smaller building blocks, using the idea of a product cipher.
Claude Shannon and Substitution-Permutation Ciphers
• In 1949 Claude Shannon introduced the idea of substitution-permutation (S-P) networks
▫ the modern form of the substitution-transposition product cipher
• These form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations seen before:
▫ substitution (S-box)
▫ permutation (P-box)
• Together they provide confusion and diffusion of the message
Diffusion and Confusion
• A cipher needs to completely obscure the statistical properties of the original message
• A one-time pad does this, but is impractical for most uses
• More practically, Shannon suggested combining elements to obtain:
• diffusion: the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext (each plaintext bit affects many ciphertext bits)
• confusion: the relationship between the ciphertext and the key is made as complex as possible
Feistel Cipher Structure
• Horst Feistel devised the Feistel cipher
▫ based on the concept of an invertible product cipher
• Partitions the input block into two halves
▫ The two halves of the data pass through n rounds of processing and are then combined to produce the ciphertext block.
• Implements Shannon's substitution-permutation network concept

Feistel Cipher Structure (figure only)
Feistel Cipher Design Principles
• Block size
▫ larger block sizes mean greater security but reduced encryption/decryption speed
• Key size
▫ a larger key improves security and makes exhaustive key search harder, but may slow the cipher
• Number of rounds
▫ a single round offers inadequate security (one half of the block passes through unchanged)
▫ increasing the number of rounds improves security, but slows the cipher
• Subkey generation
▫ greater complexity should lead to greater difficulty of cryptanalysis
• Round function
▫ greater complexity means greater resistance to cryptanalysis
• Fast software encryption/decryption
▫ the cipher is often implemented in software, so execution speed matters
• Ease of analysis
▫ a cipher that can be explained concisely is easier to analyse for weaknesses; DES does not have an easily analysed functionality
Feistel Cipher Decryption
• Use the ciphertext as input to the same algorithm, but apply the subkeys $K_i$ in reverse order.
• Last encryption round (round 16):
$$LE_{16} = RE_{15}, \qquad RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$$
• First decryption round, with $LD_0 \| RD_0 = RE_{16} \| LE_{16}$ (the swapped encryption output):
$$LD_1 = RD_0 = LE_{16} = RE_{15}$$
$$RD_1 = LD_0 \oplus F(RD_0, K_{16}) = RE_{16} \oplus F(RE_{15}, K_{16}) = [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16}) = LE_{15}$$
• So after one decryption round the state is $RE_{15} \| LE_{15}$, the swapped input of encryption round 16, and the same argument repeats for every remaining round.

Feistel Cipher Decryption (figure only)

General Form of Feistel Cipher
• Encryption round $i$:
$$LE_i = RE_{i-1}, \qquad RE_i = LE_{i-1} \oplus F(RE_{i-1}, K_i)$$
• Rearranging gives the inverse, which uses $F$ itself and never needs $F^{-1}$:
$$RE_{i-1} = LE_i, \qquad LE_{i-1} = RE_i \oplus F(RE_{i-1}, K_i) = RE_i \oplus F(LE_i, K_i)$$
Data Encryption Standard (DES)
• History
▫ Adopted in 1977 by the National Bureau of Standards (now the National Institute of Standards and Technology, NIST) as Federal Information Processing Standard 46 (FIPS PUB 46)
▫ Derived from IBM's LUCIFER project of the late 1960s and early 1970s (Horst Feistel's team)
DES
• Critique
▫ The key length
 IBM's original LUCIFER algorithm used a 128-bit key, but the proposed standard used only 56 bits.
▫ Design criteria for the internal structure
 The S-boxes: were there hidden weak points that could enable the NSA to decipher messages without knowledge of the key?
 When differential cryptanalysis was published (Biham and Shamir, 1990s) it turned out that the S-boxes resist it: DES has a very strong internal structure.
DES
• Not Secure?
▫ DES flourished and was widely used, especially in financial applications
▫ In 1994, NIST reaffirmed DES for federal use for another five years
▫ NIST recommended the use of DES for applications other than the protection of classified information
▫ Caveat: the concern is the 56-bit key, not the algorithm's structure; the key-search results later in these slides led NIST to withdraw DES as a standard in 2005
DES Encryption
• Data are encrypted in 64-bit blocks using a 56-bit key.
• The algorithm transforms the 64-bit input in a series of steps into a 64-bit output; the same steps with the same key decrypt.
The Structure of a Block Cipher (figure)
• Plaintext (n bits) passes through t rounds of a "weak cipher"; round i uses subkey K_i
• The k-bit key is fed to a sub-key generator that derives K_1, K_2, ..., K_t
• The output of round t is the ciphertext

General Depiction of the DES Algorithm (figure only)

Details of a Single Round (figure only)
Details of Single Round
• Rounds 1 to 15: $L_i = R_{i-1}$; $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
• Round 16 (no swap): $L_{16} = L_{15} \oplus f(R_{15}, K_{16})$; $R_{16} = R_{15}$

Feistel Encryption (figure): the 64-bit input goes through IP, is split into $L_0$ and $R_0$ (32 bits each), passes through 16 rounds of $f$ with subkeys $k_1, \ldots, k_{16}$ to give $L_{16}$ and $R_{16}$, and the result goes through $IP^{-1}$ to produce the 64-bit output.
IP and IP^-1

IP (Initial Permutation): output bit j is input bit IP[j]
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

IP^-1 (Inverse Initial Permutation)
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

• The first 32 output bits of IP (the even-numbered input bits) form $L_0$, the last 32 (the odd-numbered input bits) form $R_0$. IP and IP^-1 are fixed wirings that cancel each other and add no security; they only arrange the bits.
Expansion & Permutation

Expansion (E): 32 bits to 48 bits; each 4-bit group is extended with its neighbouring bit on either side, so 16 input bits appear twice
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Permutation (P): 32 bits to 32 bits, applied to the concatenated S-box outputs
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25
Calculation of F(R, K) (figure)
• R (32 bits) -> E -> 48 bits
• XOR with the 48-bit subkey $K_i$
• The eight 6-bit groups go to S-boxes S1 ... S8, each producing 4 bits (32 bits in total)
• P -> output F (32 bits)
S-box (example: S1)
             Column
Row    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0    14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 1     0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 2     4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
 3    15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

• Each S-box maps a 6-bit input to a 4-bit output: the outer bits (first and last) select the row, the middle four bits select the column.
• Example: input 011001 -> row 01 = 1, column 1100 = 12 -> S1[1][12] = 9 = 1001.
Key Generation (figure)
• The 64-bit key passes through PC-1, which drops the 8 parity bits and splits the remaining 56 bits into $C_0$ and $D_0$ (28 bits each)
• Round i: $C_{i-1}$ and $D_{i-1}$ are each rotated left by 1 or 2 bits according to the shift schedule on the next slide, giving $C_i$ and $D_i$; PC-2 then selects 48 of the 56 bits as subkey $k_i$
Key Generation

Left-shift schedule
Round number:  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Bits rotated:  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
(28 bits in total, so $C_{16} = C_0$ and $D_{16} = D_0$)

PC-1 (Permuted Choice 1): 64 -> 56 bits; the parity bits 8, 16, ..., 64 are omitted
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4
(the first four rows give $C_0$, the last four give $D_0$)

PC-2 (Permuted Choice 2): 56 -> 48 bits
14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
DES Decryption
• Decryption uses the same algorithm as encryption, except that the subkeys are applied in reverse order:
▫ $K_{16}, K_{15}, \ldots, K_1$

DES Example (figure only)
The Avalanche Effect
• DES exhibits a strong avalanche effect: a small change in the plaintext or the key produces a large change in the ciphertext
▫ Two plaintexts that differ by one bit
▫ Two keys that differ by one bit

(a) Change in plaintext (1 bit)
Round:                       1   4   8  12  16
Number of bits that differ:  6  39  29  30  34

(b) Change in key (1 bit)
Round:                       1   4   8  12  16
Number of bits that differ:  2  32  34  33  35

DES Avalanche Effect: Change in Plaintext (figure only)
DES Avalanche Effect: Change in Key (figure only)
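A toy Feistel network, as an added Python example that serves both the Feistel decryption derivation earlier (the same rounds with the subkeys reversed recover the plaintext even though F is not invertible) and the avalanche table above (bits that differ after each round for two plaintexts one bit apart). It is not code from the slides or from Stallings' book; the round function, subkeys and plaintext are constructed, and the round function is a truncated hash chosen precisely because it cannot be inverted.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(right, subkey):
    """F(R, K) for the toy cipher: a truncated SHA-256 of R and the subkey.
    Deliberately NOT invertible; the Feistel structure never inverts F."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block, subkeys):
    """Feistel network on a 64-bit block.
    Round i:  L_i = R_{i-1},  R_i = L_{i-1} XOR F(R_{i-1}, K_i).
    The output is R_n || L_n (the final swap undone), so running this same
    function with the subkeys reversed is the decryption."""
    left, right = block >> 32, block & MASK32
    for key in subkeys:
        left, right = right, left ^ round_function(right, key)
    return (right << 32) | left


def feistel_decrypt(block, subkeys):
    return feistel(block, list(reversed(subkeys)))


def hamming(a, b):
    return bin(a ^ b).count("1")


def avalanche(block_a, block_b, subkeys):
    """Bits that differ between the two intermediate states after each round:
    the measurement behind the DES avalanche table, here on the toy cipher."""
    la, ra = block_a >> 32, block_a & MASK32
    lb, rb = block_b >> 32, block_b & MASK32
    diffs = []
    for key in subkeys:
        la, ra = ra, la ^ round_function(ra, key)
        lb, rb = rb, lb ^ round_function(rb, key)
        diffs.append(hamming((la << 32) | ra, (lb << 32) | rb))
    return diffs


# Constructed sample values (not DES subkeys): 16 six-byte subkeys and one block.
SUBKEYS = [bytes([i]) * 6 for i in range(1, 17)]
PLAINTEXT = 0x0123456789ABCDEF


if __name__ == "__main__":
    ct = feistel(PLAINTEXT, SUBKEYS)
    print(f"ciphertext {ct:016x}, decrypts to {feistel_decrypt(ct, SUBKEYS):016x}")
    # With a single round the right half of the plaintext is copied into the
    # ciphertext unchanged, which is why one round is inadequate.
    one_round = feistel(PLAINTEXT, SUBKEYS[:1])
    print(f"one round: low 32 bits {one_round & MASK32:08x} == {PLAINTEXT & MASK32:08x}")
    print("bits differing per round for a 1-bit plaintext change:",
          avalanche(PLAINTEXT, PLAINTEXT ^ 1, SUBKEYS))
```

Running the avalanche measurement shows the first-round count is small (the flipped bit is in the right half, so it is copied into L_1 and only perturbs R_1 through F) and later rounds settle near half of the 64 state bits, the same shape as the DES table.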
The Strength of DES
• 56-bit DES: $2^{56} \approx 7.2 \times 10^{16}$ keys
▫ 1977 Diffie & Hellman estimate
 A parallel machine with 1 million encryption devices, each performing one encryption per microsecond
 Average search time down to about 10 hours
 The cost would be about $20 million
The Strength of DES
▫ 1993 Wiener
 Key search rate of 50 million keys per second per chip
 Designed a module that costs $100,000 and contains 5750 key search chips

Key search machine unit cost   Expected search time
$100,000                       35 hours
$1,000,000                     3.5 hours
$10,000,000                    21 minutes
The Strength of DES
• RSA Laboratories
▫ The Challenge (1997)
 Offered a $10,000 reward to find a DES key, given the ciphertext of an unknown plaintext message preceded by three known blocks containing the 24-character phrase "The unknown message is:"
 On January 29, 1997, a brute-force program was developed and distributed over the Internet
 The project linked numerous machines over the Internet and eventually grew to over 70,000 systems
 It ended 96 days later when the correct key was found after examining about one-quarter of all possible keys
Cryptanalysis of DES
• Differential cryptanalysis
▫ Biham and Shamir [1993] [BIHA93]
 Can cryptanalyze DES with an effort on the order of $2^{47}$, requiring $2^{47}$ chosen plaintexts (brute force: $2^{55}$ on average)
 Of theoretical interest only: obtaining $2^{47}$ chosen plaintexts is impractical, and the technique was known to the IBM team as early as 1974, so the S-boxes were designed to resist it
• Linear cryptanalysis
• Weak keys and semi-weak keys (keys whose subkeys repeat; 16 such keys, which implementations reject)
Differential Cryptanalysis
• A statistical attack against Feistel ciphers
• Exploits the cipher structure in a way not used before
• In an S-P network the output of the function f is influenced by both the input and the key
• Hence one cannot trace values back through the cipher without knowing the key
• Differential cryptanalysis instead compares pairs of encryptions

Differential Cryptanalysis Compares Pairs of Encryptions
• With a known difference in the input
• Searching for a known difference in the output
• When the same subkeys are used (the XOR of the two states is then independent of the subkey, since the subkey cancels in the difference)

Differential Cryptanalysis (three rounds of DES) (figure only)
Linear Cryptanalysis
• A more recent development (1993)
• Also a statistical method
• Must be iterated over rounds, with decreasing probabilities (the bias of the approximation shrinks with each round)
• Developed by Matsui et al. in the early 1990s [MATS93]
• Based on finding linear approximations of the S-boxes
• Can attack DES given $2^{47}$ known plaintexts; still infeasible as a practical attack on DES
Block Cipher Design Principles
• The basic principles are still those of Feistel in the 1970s
• DES design criteria [COPP94] (Coppersmith)
• Number of rounds
▫ The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F
• Design of function F
▫ S-box design
▫ Provides "confusion": non-linear, with an avalanche effect
• Key schedule
▫ Complex subkey creation, (strict) key avalanche, bit independence [ADAM94]
Block Cipher Modes (figure)
• Plaintext M is split into 64-bit blocks; DES is applied to each block to produce the 64-bit ciphertext blocks of C
• The modes define how DES is applied across multiple data blocks
Block Cipher Modes
• Four modes were defined originally (FIPS PUB 74 and 81)
▫ Electronic Codebook (ECB)
▫ Cipher Block Chaining (CBC)
▫ Cipher Feedback (CFB)
▫ Output Feedback (OFB)
• NIST expanded the list of recommended modes to five in Special Publication 800-38A
▫ Counter (CTR)
ECB (figure only)

ECB
• Each block of 64 plaintext bits is encrypted independently using the same key
• Typical application
▫ Secure transmission of single values (e.g., an encryption key)

ECB
• Security
▫ For lengthy messages ECB is not secure: identical plaintext blocks always give identical ciphertext blocks.
 If the message is highly structured, a cryptanalyst can exploit these regularities.
 For example: the message always starts with certain predefined fields.
 The message has repetitive elements, with a period of repetition that is a multiple of 64 bits.
CBC (figure only)

CBC
• The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext.
• Typical application
▫ General-purpose block-oriented transmission

CBC
• Expression
▫ Encryption: $C_n = E_K(C_{n-1} \oplus P_n)$, with $C_0 = IV$
▫ Decryption: $D_K[C_n] = D_K[E_K(C_{n-1} \oplus P_n)] = C_{n-1} \oplus P_n$, so $C_{n-1} \oplus D_K[C_n] = C_{n-1} \oplus C_{n-1} \oplus P_n = P_n$

CBC
• IV: initialization vector
▫ Must be known to both the sender and the receiver.
▫ Its integrity must be protected as carefully as the key: if an opponent can predictably change bits of the IV, the corresponding bits of the received value of $P_1$ are changed, because the first decryption step XORs the IV straight into $P_1$.
▫ One way to protect it is to send the IV under ECB encryption. (Current guidance for CBC additionally requires the IV to be unpredictable to the attacker, which a fresh random IV per message provides.)
CFB (figures: encryption and decryption)

CFB
• Input is processed J bits at a time. The preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with the plaintext to produce the next unit of ciphertext.
• Typical application
▫ General-purpose stream-oriented transmission
▫ Authentication

CFB
• Stream cipher
▫ It is possible to convert DES into a stream cipher, using either CFB or OFB.
▫ A stream cipher eliminates the need to pad a message to an integral number of blocks.
▫ A stream cipher can operate in real time: each unit is output as soon as it arrives.
OFB (figures: encryption and decryption)

OFB
• Similar to CFB, except that the input to the encryption algorithm is the preceding DES output rather than the preceding ciphertext.
• Typical application
▫ Stream-oriented transmission over a noisy channel (e.g., satellite communication)

OFB
• Advantage
▫ Bit errors in transmission do not propagate. If a bit error occurs in $C_1$, only the recovered value of $P_1$ is affected.
• Disadvantage
▫ It is more vulnerable to a message stream modification attack than CFB: complementing a ciphertext bit complements exactly the corresponding plaintext bit, so controlled changes can be made without the decryption noticing.
Counter Mode (CTR) (figures: encryption and decryption)

CTR
• This mode was proposed early on [DIFF79]
• Applications to ATM (asynchronous transfer mode) network security and IPSec (IP Security)
• Advantages [LIPM00]
▫ Hardware efficiency (blocks can be processed in parallel)
▫ Software efficiency
▫ Preprocessing (the keystream can be computed before the data arrives)
▫ Random access (any block can be decrypted without the others)
▫ Provable security (at least as secure as the other modes)
▫ Simplicity (only the encryption function is needed)
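The five modes above (ECB, CBC, full-block CFB, OFB and CTR), as one added Python example that is not code from the slides or from Stallings' book. The block cipher is a placeholder: `toy_encrypt`/`toy_decrypt` are an assumed 8-byte keyed bijection standing in for DES so the modes run stand-alone, and the key, IV and message are constructed. The example shows the ECB regularity leak, the CBC IV bit-flipping point, and how far a one-bit ciphertext error propagates in each mode.

```python
BLOCK = 8  # 64-bit blocks, as for DES


def toy_encrypt(block, key):
    """Placeholder 8-byte keyed bijection that stands in for DES so the modes
    run stand-alone. It is NOT a cipher; substitute a real block cipher."""
    return bytes(((b ^ k) + i) & 0xFF for i, (b, k) in enumerate(zip(block, key)))


def toy_decrypt(block, key):
    return bytes(((c - i) & 0xFF) ^ k for i, (c, k) in enumerate(zip(block, key)))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(pt, key):
    """ECB: every block on its own; equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt(p, key) for p in split(pt))


def cbc_encrypt(pt, key, iv):
    """CBC: C_n = E_K(C_{n-1} XOR P_n) with C_0 = IV."""
    out, prev = [], iv
    for p in split(pt):
        prev = toy_encrypt(xor(prev, p), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct, key, iv):
    """CBC: P_n = C_{n-1} XOR D_K(C_n); a change to the IV lands directly in P_1."""
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(prev, toy_decrypt(c, key)))
        prev = c
    return b"".join(out)


def cfb_encrypt(pt, key, iv):
    """Full-block CFB (J = 64): C_n = P_n XOR E_K(C_{n-1}); only E_K is ever needed."""
    out, prev = [], iv
    for p in split(pt):
        prev = xor(p, toy_encrypt(prev, key))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(ct, key, iv):
    out, prev = [],  iv
    for c in split(ct):
        out.append(xor(c, toy_encrypt(prev, key)))
        prev = c
    return b"".join(out)


def ofb_crypt(data, key, iv):
    """OFB: keystream O_n = E_K(O_{n-1}) does not depend on the data, so this one
    function both encrypts and decrypts, and the last block need not be full."""
    out, o = [], iv
    for d in split(data):
        o = toy_encrypt(o, key)
        out.append(xor(d, o))
    return b"".join(out)


def ctr_crypt(data, key, nonce):
    """CTR: keystream block n = E_K(nonce + n); blocks are independent, so any
    block can be processed alone (random access, parallelism, preprocessing)."""
    return b"".join(
        xor(d, toy_encrypt(((nonce + n) % 2**64).to_bytes(BLOCK, "big"), key))
        for n, d in enumerate(split(data)))


def damaged_blocks(decrypt, ct, key, iv, pt):
    """Indices of plaintext blocks that change when one bit of C_1 is corrupted:
    how far a transmission error propagates in the given mode."""
    corrupted = bytes([ct[0] ^ 0x01]) + ct[1:]
    recovered = split(decrypt(corrupted, key, iv))
    return [n for n, (a, b) in enumerate(zip(recovered, split(pt))) if a != b]


# Constructed sample data: a key, an IV and a message whose 3rd block repeats its 1st.
KEY = bytes(range(8))
IV = b"\x10" * 8
PT = b"ATTACK  AT DAWN!" * 2


if __name__ == "__main__":
    ecb, cbc = split(ecb_encrypt(PT, KEY)), split(cbc_encrypt(PT, KEY, IV))
    print("ECB repeats a block:", ecb[0] == ecb[2], " CBC repeats a block:", cbc[0] == cbc[2])
    for name, enc, dec in (("CBC", cbc_encrypt, cbc_decrypt), ("CFB", cfb_encrypt, cfb_decrypt),
                           ("OFB", ofb_crypt, ofb_crypt)):
        print(name, "blocks damaged by a 1-bit error in C1:",
              damaged_blocks(dec, enc(PT, KEY, IV), KEY, IV, PT))
    print("CTR blocks damaged:", damaged_blocks(ctr_crypt, ctr_crypt(PT, KEY, 7), KEY, 7, PT))
```

The error-propagation check reproduces the claims in the slides: in CBC and CFB a corrupted $C_1$ damages $P_1$ and $P_2$ and nothing after, in OFB and CTR only $P_1$. Note that with OFB and CTR the same "no propagation" property is exactly what makes undetected bit-flipping easy, so these modes need a separate integrity check in practice.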