Block Ciphers

Cryptography -- Block Ciphers
Anita Jones
CS451 Information Security
Copyright(C) Anita Jones
Overview
terms and principles
Claude Shannon
Feistel cipher
DES
September, 2006
A few terms
block cipher
block of plaintext is treated as a whole &
used to produce a ciphertext block of equal
length
typical size: 64 bits
most modern ciphers are block ciphers
stream cipher
digital data is encrypted one bit (or one unit)
at a time
In both cases, plaintext is transformed incrementally
Symmetric ciphers
Symmetric implies ONE key
Secret key shared by sender &
receiver
Background
ideally want one extremely large substitution
not practical since would need a table with
2^64 entries in it for a 64-bit block
so approximate the ideal by constructing
from smaller building blocks
Basis of modern ciphers
Claude Shannon (‘45) - information theory
product cipher
perform two or more ciphers in sequence so
that result (product) is cryptographically
stronger than any component cipher
alternate confusion & diffusion
virtually all significant symmetric block
ciphers currently in use are of this type
Shannon’s strategy
thwart cryptanalysis that is based on
statistical analysis
hacker has some knowledge of statistical
characteristic of plaintext
if statistics are reflected in ciphertext, then
analyst may be able to deduce encryption
key, or part of it
in Shannon’s ideal cipher, statistics of
ciphertext are independent of plaintext
Shannon’s building blocks
confusion
make relation between statistics of ciphertext
and the value of the encryption key as
complex as possible
diffusion
diffuse statistical property of plaintext digit
across a range of ciphertext digits
i.e. each plaintext digit affects value of many
ciphertext digits
Shannon’s building blocks
Shannon proposed product ciphers with
two components
S-Boxes -- substitution
providing confusion of input bits
P-Boxes -- permutation
providing diffusion across S-box inputs
n rounds of S-P boxes
S-box (substitution)
[Figure: 3-bit input mapped through a substitution table over the values 0-7 to a 3-bit output]
Word size of 3 bits => mapping of 2^3 = 8 values
Note: mapping can be reversed
P-box (permutation)
[Figure: P-box permuting the bits of a 4-bit input]
Example 1
Note: reversible
Example 2 - swap two
halves of input
S-P networks
alternate S and P boxes
BUT, in practice we must decrypt as well
as encrypt
so define the sequence of boxes so that
precisely the same system will decrypt as
well as encrypt
just run it backwards
Feistel cipher
input plaintext of 2w bits
key K = n sub-keys: K_1, K_2, …, K_n
sequence of n “rounds” each using K_i
substitution followed by a permutation
apply function F(K_i) to right half of data,
then exclusive-OR it to left half of data
permutation: interchange two result halves
of data
DES is essentially a Feistel cipher
Feistel cipher
Multiple rounds
round i input is L_{i-1}, R_{i-1}
L_i = R_{i-1}
R_i = L_{i-1} XOR F(R_{i-1}, K_i)
L – left portion of intermediate data
R – right …..
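[Figure: Feistel network. Plaintext (2w bits) is split into w-bit halves L_0 and R_0; rounds 1 through n each apply F with sub-key K_1 ... K_n and an XOR (+), giving L_1, R_1 through L_n, R_n; L_{n+1}, R_{n+1} form the ciphertext (2w bits)]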
Feistel cipher dependencies
block size – increasing size increases
security – 64 bits common
key size – increasing size improves security,
– 128 bits common
number of rounds – 16 is typical
subkey generation – complex generation
makes cryptanalysis harder
round function – complex function is stronger
… but all increases slow the implementation
Feistel decryption
same as encryption, except
ciphertext is input
use keys in reverse order
at each round the output is equal to the
corresponding value of the encryption
process with the two halves of the value
swapped
final permutation (swap) realigns 2 halves
History of DES
DES – Data Encryption Standard
Horst Feistel at IBM developed LUCIFER
about 1971, sold to Lloyds of London
Nat’l Bureau of Standards issued request
for national cipher standard
IBM submitted (refined) LUCIFER
NSA worked with IBM to refine cipher
adopted in 1977 by Nat’l Bureau of Stds.
DES Characteristics
Plaintext is 64 bits long
16 rounds
Key length is 56 bits
16 sub-keys generated, one used in each round
DES algorithm is a variant of the Feistel
algorithm
[Figure: DES structure. Plaintext (64 bits) passes through an initial permutation, rounds 1 through n, a 32-bit swap and the inverse permutation to give the ciphertext (64 bits); the 56-bit key is permuted, then for each round a left circular shift and a permutation produce the sub-keys K_1, K_2, ..., K_n]
DES cipher
round i input is L_{i-1}, R_{i-1}
L_i = R_{i-1}
R_i = L_{i-1} XOR F(R_{i-1}, K_i)
One DES Round
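[Figure: one DES round. R_{i-1} (32 bits) goes through an expansion/permutation to 48 bits, is XORed with K_i (48 bits), passes through the S-box stage (32 bits out) and a permutation (32 bits), and is then XORed with L_{i-1} (32 bits) to give R_i; L_i is R_{i-1}]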
Key property
avalanche
small change in plaintext or in key produces
significant change in ciphertext
test for avalanche
encrypt two plaintext blocks that differ only in
one bit
about half the (ciphertext) bits will differ
DES controversy
DES choice was intensely criticized:
original LUCIFER key length was 128 bits, and
DES used 56 bit key (to fit on chip, they said)
critics feared brute force attacks
design criteria for the S-boxes were classified,
so users not sure that internal structure was
free of hidden weak points that might let NSA
break cipher
DES status
no weak points have surfaced
DES is widely used
1994, NIST reaffirmed DES for federal use
NIST recommends DES use for all except
classified information
generally considered a sound standard
Need more security: use Triple DES
Future: Advanced Encryption Standard (AES)
Cryptanalysis of DES
increased computing speed has made a 56
bit key susceptible to exhaustive key search
demonstrated breaks:
1997 – taking a few months, a large network of
computers broke DES
1998 – Electronic Frontier Foundation broke
DES in a few days on dedicated hardware
1999 – break accomplished in 22 hours
in practice DES is used, and works
1997 break
RSA issued reward of $10,000 for finding a
DES key, given ciphertext for known and
unknown plaintext
solution found in 96 days – involved 70,000
computers on the Internet
an embarrassingly parallel problem – just
divide the key space being searched (brute
force) each time a new computer joins in
found the key after searching 1/4 key space
So, how does the Prez talk?
STU-III:
http://webhome.idirect.com/~jproc/crypto/stuiii.html
http://www.tscm.com/stu.html

“A STU-III operates by taking an audio signal and digitizing it into a serial data
stream (usually 8,000 bits per second). This is then mixed with a "keying stream" of
data created by an internal ciphering algorithm. This mixed data is then passed
through an internal CODEC to convert it back to audio so it can be passed over the
phone lines. STU-III's also allow a serial data stream to pass through the phone and
into the ciphering engine to allow its usage as an encrypted modem when not being
used for voice. The "keying stream" is a polymorphic regenerating mathematic
algorithm which takes an initialization key and mathematically morphs it into a bit
stream pattern. The "keying stream" is created by the "Key Generator" and
is the actual heart of the STU. A portion of the "keying stream" is then mixed back
into the original key, and the process repeated. The result is a pseudo-random bit
stream that if properly implemented is extremely difficult (but not impossible) to
decrypt.”
Source: http://www.tscm.com/stu.html
Model for cryptography-revisit
[Figure: model for cryptography. Two principals exchange a message over an info channel; each applies a security transform using secret information; a trusted 3rd party arbitrates and distributes secret information; an opponent is shown at the channel]