Cryptography Team Presentation 2
Agarwal, Kshitij; Rao, Prashant
“Implementation of a RC5 block cipher algorithm and implementing an attack on it”
Project Mentor – Prof. Alan Kaminsky

About RC5
• Fast symmetric block cipher
• Same key for encryption and decryption
• Plaintext and ciphertext are fixed-length bit sequences (blocks)

Parameters of RC5
• RC5 – w/r/b
• E.g. RC5 – 32/16/10
• w = 32 bits
• r = 16 rounds
• b = 10-byte (80-bit) secret key variable
• t = 2 (r + 1) = 2 (16 + 1) = 34 rounds

Important parameters in detail
• “w” (bits) – variable word size
• Allowable choices for “w” in RC5 – 16, 32 and 64
• Suggested: 32
• “Two”-word input (plaintext) block size – 64-bit plaintext
• “Two”-word output (ciphertext) block size – 64-bit ciphertext
• Design accepts all w > 0
• A variable word size can exploit the longer word length of processors such as 64-bit processors.

Important parameters in detail
• “r” – variable number of rounds
• Tradeoff between high speed and high security.
• Allowed values: 0-255
• Suggested: 12
• A higher number of rounds provides an increased level of security.
• “S” – expanded key table, derived from the user’s secret key.
• “t” – the size of table “S” (depends on “r”)
• t = 2 ( r + 1 ) words.

Important parameters in detail
• “b” – variable-length secret cryptographic key
• The number of bytes in the secret key K.
• 16 bytes suggested, with allowed values from 0 – 255
• “K” – the b-byte secret key: K[0], K[1], ..., K[b-1].

Notation and RC5 Primitive Ops
• Three primitive operations (and their inverses)
• Two’s complement addition of words, modulo 2^w, denoted ‘+’
• Inverse operation: subtraction, ‘-’
• Bit-wise exclusive OR of words, denoted by ⊕
• A left-rotation of words
• x <<< y: cyclic rotation of word x left by y bits
• One word of the intermediate results is cyclically rotated by an amount determined by bits of another intermediate result.
• The inverse operation is right-rotation, x >>> y

RC5 Algorithm
Three parts:
• Key Expansion
• Encryption Algorithm
• Decryption Algorithm

RC5 Algorithm – Key Expansion
Requirements of key expansion
• Filling the expanded key table array S[0…t – 1] with random binary words
• “t” – size of table “S” => 2 ( r + 1 )
• The S table is not an “S-box” like in DES.
• Entries in S are filled sequentially, one at a time.
• The random binary words are derived from the secret key K.

RC5 Algorithm – Key Expansion
Starting with two magic constants
• Two word-sized binary constants
• Pw = Odd((e – 2) 2^w)
• Qw = Odd((φ – 1) 2^w)
• e = 2.718281828459… (base of natural logarithms)
• φ = 1.618033988749… (golden ratio)
• where Odd(x) is the odd integer nearest to x
• For w = 16 and 32, in hexadecimal form:
• P16 = b7e1
• Q16 = 9e37
• P32 = b7e15163
• Q32 = 9e3779b9

RC5 Algorithm – Key Expansion
Converting the Secret Key from Bytes to Words
• c = ceiling(b/u) words
• Pseudo code for conversion:-
Image Source: http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf

RC5 Algorithm – Key Expansion
Initializing the S Array
• Initialization to a particular fixed (key-independent)
Image Source: http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf

RC5 Algorithm – Key Expansion
Mixing in the Secret Key
• Pseudo code:-
Image Source: http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf

RC5 Algorithm
Encryption Algorithm
• Two w-bit words are denoted as A and B

    A = A + S[0];
    B = B + S[1];
    for i = 1 to r do
        A = (( A ⊕ B ) <<< B ) + S[ 2 * i ];
        B = (( B ⊕ A ) <<< A ) + S[ 2 * i + 1 ];

The output is in the registers A and B. Work is done on both A and B, unlike DES, where only half of the input is updated.
Image Source: http://en.wikipedia.org/wiki/File:RC5_InfoBox_Diagram.svg

RC5 Algorithm
Decryption Algorithm
• (easily derived from encryption)
• Two w-bit words are denoted as A and B

    for i = r downto 1 do
        B = (( B – S[ 2 * i + 1 ]) >>> A ) ⊕ A;
        A = (( A – S[ 2 * i ]) >>> B ) ⊕ B;
    B = B – S[1];
    A = A – S[0];

The output is in the registers A and B.

Description of the attack
• The initially proposed attack was a differential attack
• Why switch to a Meet-in-the-Middle Attack?!
• Why attack only RC5 reduced to one round?
• For one round, we need to brute force S[3] and S[2]
• S[1] will be calculated on the basis of S[3]
• S[0] will be calculated on the basis of S[2]

Description of the attack (contd.)
For brute forcing S[2]
• We need to have the value of the register B
• The value of register B is generated with the help of S[3]
• S[3] has to be computed before starting the computation of S[2].
• Decryption algorithm recap:

    for i = r downto 1 do
        B = (( B – S[ 2 * i + 1 ]) >>> A ) ⊕ A;
        A = (( A – S[ 2 * i ]) >>> B ) ⊕ B;
    B = B – S[1];
    A = A – S[0];

Description of the attack (contd.)
Operations required for brute forcing S[2] and S[3]
• 2^32 + 2^32 = 2 x 2^32 = 2^33

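The two-stage search described above, as an added Python example (not the presenters' Java attack program), showing why a single round leaves the subkeys recoverable in about 2 x 2^w guesses. It assumes w = 16 so both searches finish in seconds; random subkeys and known plaintext/ciphertext pairs are constructed inline, and `make_pairs` and `recover_subkeys` are hypothetical names.

```python
import random

W = 16                       # assumption: w = 16 so both 2^w searches finish in seconds
MASK = (1 << W) - 1

def rotl(x, y):
    y %= W
    return ((x << y) | (x >> (W - y))) & MASK

def rotr(x, y):
    y %= W
    return ((x >> y) | (x << (W - y))) & MASK

def encrypt1(A, B, S):
    """One-round RC5 (r = 1, t = 4) with subkey table S."""
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    A = (rotl(A ^ B, B) + S[2]) & MASK
    B = (rotl(B ^ A, A) + S[3]) & MASK
    return A, B

def make_pairs(seed, n):
    """Constructed test data: random subkeys and n known plaintext/ciphertext pairs."""
    rng = random.Random(seed)
    S = [rng.randrange(1 << W) for _ in range(4)]
    pts = [(rng.randrange(1 << W), rng.randrange(1 << W)) for _ in range(n)]
    return S, [(p, encrypt1(*p, S)) for p in pts]

def recover_subkeys(pairs):
    """Return every (S0, S1, S2, S3) consistent with all known pairs."""
    found = []
    for s3 in range(1 << W):
        # Undo the last step: B1 = ((B2 - S3) >>> A2) xor A2, so S1 = B1 - B0.
        b1 = [rotr((c[1] - s3) & MASK, c[0]) ^ c[0] for _, c in pairs]
        s1 = {(b - p[1]) & MASK for b, (p, _) in zip(b1, pairs)}
        if len(s1) != 1:
            continue                       # S1 disagrees between pairs: wrong S3
        for s2 in range(1 << W):
            # With B1 known: A1 = ((A2 - S2) >>> B1) xor B1, so S0 = A1 - A0.
            a1 = [rotr((c[0] - s2) & MASK, b) ^ b for b, (_, c) in zip(b1, pairs)]
            s0 = {(a - p[0]) & MASK for a, (p, _) in zip(a1, pairs)}
            if len(s0) == 1:
                found.append((min(s0), min(s1), s2, s3))
    return found

if __name__ == "__main__":
    S, pairs = make_pairs(seed=1234, n=6)
    print("true subkeys:", S, "recovered:", recover_subkeys(pairs))
```

A guess for S[3] survives only if every pair yields the same S[1], which is the role of the additional known pairs; at w = 32 each stage needs the 2^32 guesses counted above.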
Description of the attack program
Usage of the attack program
• java Attack <seed>
• <seed> = the pseudo-random number generator (PRNG) seed
• The input to the attack program is the PRNG seed.
• It is used for generating a random key of 16 bytes.
• Multiple plaintexts of (32+32) bits for the 2w-bit, two-word input.
• Using the two above, the corresponding ciphertexts are also generated.
• Why we are generating these will come in a minute.

Description of the attack program
Working of the Attack Program
• The attack program is developed in Java.
• The 2^32 operations mentioned earlier for brute forcing the value of S[3] are independent of each other.
• The program exploits this by splitting the computations over all available processors.
• Similarly, the 2^32 operations for brute forcing the value of S[2], after correctly guessing the value of S[3], are split over the available processors.
• This is achieved by the use of RIT’s Parallel Java Library
• Developed by Prof. Alan Kaminsky

Description of the attack program
Output of the Attack Program
• Printout of the randomly generated plaintexts and ciphertexts along with the key
• After this printout, the four found subkey values are printed.
• The values are printed in base 10 (decimal) format.

Results of the attack program
Input 1: java Attack 1234
Output 1:

    Plaintext : 3eac66b63480cbdf Key : 540d288d630efa40935e68393c24d53c ciphertext : f40399a37aea39b4
    Plaintext : 68404092cb22c3f8 Key : 540d288d630efa40935e68393c24d53c ciphertext : 7edbef1c9bbf72e3
    Plaintext : 622a3a0609d7cd42 Key : 540d288d630efa40935e68393c24d53c ciphertext : a477bf7d18ee8f36
    Plaintext : 476e1cd8d76a0bad Key : 540d288d630efa40935e68393c24d53c ciphertext : f2bbce3b49c55317
    Plaintext : c12117941c4c5bb2 Key : 540d288d630efa40935e68393c24d53c ciphertext : 1968d2c31e601e58
    Plaintext : 73bee6786325577f Key : 540d288d630efa40935e68393c24d53c ciphertext : cc03279bb26ff46e
    Plaintext : fb69aebc0324d257 Key : 540d288d630efa40935e68393c24d53c ciphertext : 8acecb7240f37473
    Plaintext : 27dfe2cb4183de82 Key : 540d288d630efa40935e68393c24d53c ciphertext : 58cc58cb90bc94b4
    Plaintext : f5553a19347606b4 Key : 540d288d630efa40935e68393c24d53c ciphertext : e66d108254dc88bf
    Plaintext : 8d05c8c5988d2017 Key : 540d288d630efa40935e68393c24d53c ciphertext : e4228fbbff2e780e
    s0 : -847233926
    s1 : 1877894389
    s2 : -444735396
    s3 : 1180379244

How many encryptions and how many known plaintexts and ciphertexts are required for the attack to succeed (contd.)
• As we know, the subkey array is generated from the key.
• This array is dependent on the key provided.
• If the key is unique, then the generated subkey array should also be unique.
• Two plaintexts and ciphertexts are required for the attack to succeed.
• One plaintext and ciphertext are required for brute forcing the subkeys.
• Another one is required to make sure which brute forced values of the subkeys are correct.

How many encryptions and how many known plaintexts and ciphertexts are required for the attack to succeed (contd.)
• For RC5-32/1/16 – that is, 128 bits of key
• The number of rounds being 1, t = 2 ( r + 1 ) = 4
• Size of the S array in bits: 4 x 32 = 128 bits
• For a 128-bit input key, we generate 128 bits of subkey array
• Just in case
• We actually generated one key and 10 randomly generated plaintexts and their corresponding ciphertexts in order to attack the cipher.

Analysis of each item found in the literature search
• The literature that we studied was focused upon differential attacks.
• The differential attacks in the examples are based on substitution boxes, and the S-boxes are available with the specification of the block cipher.
• The problem is that there is no concept of substitution boxes in the RC5 block cipher, so we found it difficult to translate the examples onto the RC5 algorithm to carry out the differential attack.

Analysis of each item found in the literature search
• No literature was available on a successful Meet-in-the-Middle attack
• Possible reasons:
• One round of encryption is not used in practice.
• As explained earlier, going above one round is not a good idea. Instead, the key can be brute forced.

Lessons Learned
• Implementation of the RC5 block cipher
• Usage of the bit shifting operators in Java
• Importance of Parallel Programming

Future Work
• A differential attack against the cipher was not performed due to the use of substitution boxes in all the examples and tutorials we read.
• Study of the differential attacks that can be performed on the RC5 block cipher.

References
1.) Rivest, R. L. (1994). "The RC5 Encryption Algorithm" (pdf). Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994. pp. 86–96.
2.) H. Heyes. A tutorial on linear and differential cryptanalysis. http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf
3.) http://www.cs.rit.edu/~ark/482/attacks/notes.shtml
4.) http://en.wikipedia.org/wiki/RC5
5.) Alan Kaminsky. Building Parallel Programs: SMPs, Clusters, and Java. Cengage Course Technology, 2010. ISBN 1-4239-0198-3.
6.) Parallel Java Library developed by Prof. Alan Kaminsky

THANK YOU Questions, if any.