380 likes | 991 Views
Rotor Machines. Combine Substitution and Transposition Methods • produce ciphers that are very difficult to break Rotor Machines in World War II: German “Enigma” and Japanese “Purple” • Breaking by the Allies was a significant factor in the outcome of the war (Turing).
E N D
Rotor Machines Combine Substitution and Transposition Methods • produce ciphers that are very difficult to break Rotor Machines in World War II: German “Enigma” and Japanese “Purple” • Breaking by the Allies was a significant factor in the outcome of the war (Turing) 8. Cryptography part 2
Example of Rotor Machine 8. Cryptography part 2
Concealment Cipher Message within a message: Example – third word in each sentence matters: GMU students take the security class very seriously. They study a good eight hours a day, each day. They can break many of the classical ciphers. 8. Cryptography part 2
Symmetric (Secret Key)Cryptography 8. Cryptography part 2
Conditional Cryptography Cryptographic schemes that do not have a mathematical proof that they are 100% secure • An opponent can break the scheme if unlimited text, computing power, and time is available • Strength of the scheme relies on assumption that attacker does not have sufficient resources (text, time, computers, money, etc.) to break the scheme All modern practical cryptographic schemes are only conditionally secure 8. Cryptography part 2
Xor = Exclusive OR 8. Cryptography part 2
Notation • A – Alice (a party) • B – Bob (another party) • E – Eve (eavesdropper / attacker) • M – Message (plaintext, sometimes secret) • K – Key (very secret) • C – Cipher (ciphertext, seen by attacker) • ENC – Encryption (secret / known) • DEC – Decryption (secret / known) • AUTH – Authentication (secret / known) • VER – Verification (secret / known) 8. Cryptography part 2
Symmetric Encryption • A encrypts the message M using the algorithm ENC with the key K to obtain the ciphertext C • B decrypts the ciphertext C using the algorithm DEC with the key K to obtain the message M • Key K is symmetric, secret, and known only to A and B 8. Cryptography part 2
DES (Data Encryption Standard) • In 1973, NBS (National Bureau of Standards, now NIST) wrote an RFP (Request for Proposals) for a commercial encryption standard • IBM proposed its strong Lucifer algorithm (developed by Feistel and others) • NSA (National Security Agency) asked for a weaker Lucifer (by shortening the key) and also made changes to IBM’s algorithm • Data Encryption Standard (DES) accepted in 1976 and expired 22 years later, in 1998 8. Cryptography part 2
DES Design Criteria Algorithm must: • provide high level of security • be completely specified Security of the algorithm must reside in the key Algorithm must be: • available to all users • adaptable for use in diverse applications • efficiently implemented in hardware • efficient to use • able to be validated • Exportable ! 8. Cryptography part 2
DES in use DES is widely-used data encryption using a (secret) key judged so difficult to break by the U.S. government that it was restricted for export to other countries. • There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. • Like other private key cryptographic methods, both the sender and receiver must know and use the same private key. 8. Cryptography part 2
DES Structure • Block size – 64 bits • Key size – 64 bit quantity=(8 bit parity)+(56 bit key) – Every 8th bit is a parity bit. – 16 round keys (48 bits) derived from key (56 bits) • 16 iterations each consisting of scrambling the round-block (64 bits) with the round-key (48 bits) • 64 bit input, 64 bit output. 8. Cryptography part 2
Multiple Encryption 8. Cryptography part 2
Multiple Encryption Major limitation of DES • Key length is too short (56 bits). • Question: So can we apply DES multiple times to increase the strength of encryption? • Advantage: We could then preserve the existing investment in software and equipment. 8. Cryptography part 2
Double DES (I) Apply two iterations of DES with two keys K1 and K2 What if DES has a structure of an algebraic group, such that for each K1 and K2 there is a K3 with the property: Ek2(Ek1(P)) = Ek3(P) This is not the case (it was proved in 1992) but is the security level O(2112)? 8. Cryptography part 2
Double DES (II) Meet-in-the-Middle Attack: • For given M and C – search only O(256) pairs of keys K1 and K2 at the intermediate point I • Encrypt M under all 256 options for K1 – Denote the results by X1, X2, . . ., X2 • Decrypt C under all 256 options for K2 – Denote the results by Y1, Y2, . . ., Y2 8. Cryptography part 2
Double DES (III) Meet-in-the-Middle Attack (continued): • Sort the values X1, X2, . . ., X2 • Sort the values Y1, Y2, . . . • Find collisions between values of Xi and Yj – there should be about (2112 / 264) = 248 collisions • Mark the 248 potential candidates for key-pair K1 / K2 • Take another pair M’ and C’, and repeat this -- test with the new pair and the suspected 248 key-pairs • The second test will pin down the correct pair K1 / K2 (the success rate will be (248 / 264) = 2-16 ) 8. Cryptography part 2
Double DES (IV) Meet-in-the-Middle Attack (continued): • Time requirement of attack – for encryptions, decryptions, sorting, and comparing: O(264) steps • Space requirement of attack – for keeping the encryption and decryption values: O(260) bytes Although attack is not practical – it is high enough to consider Double-DES insecure 8. Cryptography part 2
Triple-DES (I) EEE Mode: – DES Encrypt-Encrypt-Encrypt with three keys K1, K2, K3 (168 bits) and strength O (2110) against Meet-in-the-Middle – Not compatible with regular DES 8. Cryptography part 2
Triple-DES (II) EDE Mode: • DES Encrypt-Decrypt-Encrypt with two keys K1, & K2 • Properties: • Two keys (112 bits) • Strength O(2110) against Meet-in-the-Middle • Compatible with regular DES when K1= K2 8. Cryptography part 2
E-D-E versus E-E-E Why E-D-E? • – Initial and final permutations would cancel each other out with EEE (minor advantage to EDE) • EDE compatible with single DES if same keys. • Only 2 different Keys needed with E-D-E 8. Cryptography part 2
Triple DES • Not Ideal... Efficiency demands schemes with longer keys! • Runs one third as fast as DES on the same platform • New candidates numerous - RC5, IDEA, two-fish, CAST, etc • New AES 8. Cryptography part 2
Modes of Block Cipher Operations Encrypting a Large Message The base algorithms encrypt a fixed size block -- one block at a time. This is the Electronic Code Book (ECB) • repeated plaintext blocks results in repeated ciphertext blocks Other modes “chain” to avoid this • CBC (Cipher Block Chaining Mode) • OFB (Output Feedback Mode) • CFB (Cipher Feedback Mode) Encryption does not guarantee integrity! 8. Cryptography part 2
ECB • Divide and conquer ! • (M1 == M3) => (C1 == C3) giving information to eavesdroppers 8. Cryptography part 2
ECB Properties Disadvantage: • If ci=cJ, then pi=pJ 1. Can reorder blocks 2. Can substitute (fabricated information) blocks to affect plaintext Advantage: • No error propagation. Two serious flaws, one advantage! 8. Cryptography part 2
ECB problem 8. Cryptography part 2
CBC Encryption 8. Cryptography part 2
CBC Decryption 8. Cryptography part 2
CBC Properties Chaining dependency – Each ciphertext block depends on all preceding plaintext blocks – To change a bit in mi, change the corresponding bit in ci-1. The side effect is that mi-1 will be garbled. Error propagation – Each error in cj affects decipherment of mj and mj+1. Error recovery – An error in cj doesn’t propagate beyond cj+1. – Can recover from loss of cipher text blocks. 8. Cryptography part 2
OFB 8. Cryptography part 2
OFB Properties OFB stream generated: – IV (transmitted in the clear) – pad1=e(IV, key) – pad2=e(pad1, key) – padi=e(padi-1,key) • Chaining dependencies – Key stream is plaintext-independent – Allow pre-computing of pseudo-random stream (One-Time Pad); XOR can be implemented very efficiently • No error propagation problem as in CBC • What if ciphertext is garbled or lost? – If garbled, only plaintext bits are garbled. – If lost or duplicated, it is no linger synchronized, so everything is lost. 8. Cryptography part 2
CFB 8. Cryptography part 2
CFB Properties • Chaining dependencies – Ciphertext block cj depends on all preceding plaintext blocks. Error propagation • Bit error in one ciphertext block affects the next few Error recovery • Can recover from bit errors after several blocks • Can resynchronize after loss of blocks. 8. Cryptography part 2