230 likes | 423 Views
CS 5920 Applied Cryptography Spring 2014 Chapter 6 Block Cipher Operation. Cryptography and Network Security Fifth Edition, by William Stallings . Multiple Encryption & DES. clearly, a replacement for DES was needed theoretical attacks that can break it
E N D
CS 5920 Applied CryptographySpring 2014Chapter 6 Block Cipher Operation Cryptography and Network Security Fifth Edition, by William Stallings
Multiple Encryption & DES • clearly, a replacement for DES was needed • theoretical attacks that can break it • demonstrated exhaustive key search attacks • AES is a new cipher alternative • prior to this alternative was to use multiple encryption with DES implementations • Triple-DES is the chosen form
Double-DES? • Could use 2 DES encrypts on each block • C = E(K2, E(K1, P)); P = D(K1, D(K2, C)); • Key-length 112, dramatic increase in cryptographic strength • Intuition of cryptographic strength • Ideal block cipher: (264)! reversible mappings • DES each different key: 256 reversible mappings • Double-DES with different keys will produce one of the many mappings that are not defined by a single application of DES • Proof of cryptographic strength(CAMP92) • DES is not a group: E(K2, E(K1, P)) != E(K3, P)
The “meet-in-the-middle” Attack • Work against any block encryption cipher • whenever use a cipher twice, with known plaintext • if C = E(K2, E(K1, P)) then X = E(K1, P) = D(K2, C) • E.g, against double-DES • given a known plaintext-ciphertext pair (P, C) • encrypt P with all 256 values of K1 and store X in a table • decrypt C with all 256 values of K2 and match X in table when each decryption is produced. If a match occurs, test the matching (K1, K2) against a new pair (P, C); if a match occurs, accept (K1, K2) • false alarms: first match 2112/264 =248, second match 248/264 =2-16 • an effort on the order of 256, not much more than single DES 255
Triple-DES with Two-Keys • hence must use 3 encryptions • raises the cost of meet-in-the-middle attack to 2112 • would seem to need 3 distinct keys • but can use 2 keys with E-D-E sequence • C = E(K1, D(K2, E(K1, P))); P = D(K1, E(K2, D(K1, C))); • 2nd stage uses decryption: compatible with single DES • standardized in ANSI X9.17 & ISO8732 • no current known practical attacks • several proposed impractical attacks might become basis of future attacks
Triple-DES with Three-Keys • although are no practical attacks on two-key Triple-DES, some concerns still exist • can use Triple-DES with Three-Keys • C = E(K3, D(K2, E(K1, P))); P = D(K1, E(K2, D(K3, C))); • if K1=K2 or K2=K3,compatible with single DES • has been adopted by some Internet applications, e.g., PGP, S/MIME (chapter 18)
Modes of Operation • block ciphers encrypt fixed size blocks • eg. DES encrypts 64-bit blocks with 56-bit key • encrypt arbitrary amounts of data with same key • many security issues • NIST SP 800-38A defines 5 modes of operation • techniques for security or for practical applications • e.g., apply block ciphers to a sequence of data blocks/stream • cover a wide variety of applications • can be used with any block cipher
Electronic Codebook (ECB) • each block is handled independently at a time • Ci = E(K, Pi) • Pi = D(K, Ci) • good for encrypting a short amount of data, e.g., securely transmit DES or AES keys
Advantages and Limitations of ECB • For lengthy messages, repetitions may be shown in ciphertext • if aligned with message block • particularly with data such graphics • or with messages that change very little • weakness is due to the encrypted message blocks being independent • main use is sending a few blocks of data
Cipher Block Chaining (CBC) • Same plaintext block different ciphertext block • each previous ciphertext block is chained with current plaintext block • Ci = E(K, [Ci-1Pi]) • Pi = D(K, Ci) Ci-1 • use Initialization Vector (IV) to start the process • good for bulk data encryption, authentication
Advantages and Limitations of CBC • a ciphertext block depends on all blocks before it • any change to a block affects all following ciphertext blocks • need Initialization Vector (IV) • IV should be known to sender & receiver • IV must be unpredictable to attackers • Generated by encrypting a nonce • A nonce is time-varying value that has at most a negligible chance of repeating, e.g., a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these (NIST) • Generated by a random number generator • IV could be sent encrypted, e.g., using ECB mode, before rest of message
Message Padding • at end of message must handle a possible last partial block • which is not as large as block size of cipher • pad either with known non-data value (e.g. nulls) • or pad last block along with count of pad size • eg. [ b1 b2 b3 0 0 0 0 5] • means have 3 data bytes, then 5 bytes pad+count • may require an extra entire block over those in message
Stream Modes of Operation • block modes encrypt entire block • may need to operate on smaller units • real time data • convert block cipher into stream cipher • cipher feedback (CFB) mode • output feedback (OFB) mode • counter (CTR) mode • no need to pad a message • only encryption function is needed • each unit is encrypted and transmitted immediately
s-bit Cipher FeedBack (CFB-s) • Data unit: s bits • plaintext unit is XORed to the output of encryption function • ciphertext unit is fed back to next stage • b-bit shift register is initialized with IV • Ci = Pi MSBs(E(K, Ii)) • Pi = Ci MSBs(E(K, Ii)) • no padding is needed
Advantages and Limitations of CFB • appropriate when data arrives in bits/bytes • most common stream mode • note that the block cipher encryption function is used at both ends of communication • bit errors in transmission will propagate • one bit error occurs in one transmitted cipher propagate unit will not cause additional corruptions • Can be viewed as a stream cipher, but not strictly • keystream of CFB depends on plaintext/ciphertext bits
Recall Block vs Stream Ciphers keystream keystream One-time pad version of Vernam cipher
Output FeedBack (OFB) • Operate on full blocks • plaintext unit is XORed to the output of encryption function • output of encryption function is the feedback • feedback is independent of plaintext and ciphertext; shown in the dashed box • Ci = Pi E(K, [Ci-1Pi-1]) • Pi = Ci E(K, [Ci-1Pi-1]) • no padding is needed
Advantages and Limitations of OFB • IV must be a nonce • because output feedback is independent of plaintext • a given key and IV generate same output feedback (keystream) • If ever reuse attacker can recover outputs • bit errors do not propagate • more vulnerable to message stream modification • one bit change in ciphertext cause the corresponding bit change in the recovered plaintext • Has the structure of a typical stream cipher, but operates on a full block at a time
Counter (CTR) • A different counter value is used for each encryption (typically an initial value is incremented by 1 each time) • there is no chaining • Ci = Pi E(K, Ti) • Pi = Ci E(K, Ti) • the initial counter must be a nonce (same as OFB) • no padding is needed (same as OFB)
Advantages and Limitations of CTR • efficiency • can do parallel encryptions in h/w or s/w (no chaining) • can preprocess (generate keystream) in advance of need • good for bursty high speed links • random access (individually process the ith block) • provable security (good as other modes) • but must ensure never reuse key/counter values, otherwise could break (same as OFB)
Feedback Characteristics • Except for ECB, all other four modes of operations involve feedback. • Encryption function: input register output register • Output register in OFB and CTR is independent of both plaintext and ciphertext
XTS-AES Mode • new mode, for encryption data stored in sector-based storage devices (in IEEE Std 1619-2007) • requirements for encrypting stored data are different from those for encrypting transmitted data • E.g., fix-sized unit, each unit processed separately, same plaintext encrypted to different ciphertexts at different location • Transparent encryption without data layout modification • uses AES twice for each 16-byte block; also use GF(2128) • each sector may have multiple blocks, each block treated independently except for the last one (ciphertext-stealing) • See text for more details.
Summary • Multiple Encryption & Triple-DES • Modes of Operation • ECB, CBC, CFB, OFB, CTR, XTS-AES • Securely use block cipher in different applications