430 likes | 443 Views
Explore the security benefits of Triple DES encryption and various modes of operation for block ciphers, such as Electronic Codebook Mode, Cipher Block Chaining Mode, and Output Feedback Mode.
E N D
Chapter 6 More on Symmetric Ciphers
Contents • Multiple Encryption and Triple DES • Block Cipher Modes of Operation • Stream Ciphers and RC4
Multiple Encryption and Triple DES • Multiple Encryption and Triple DES • Double DES • Triple DES with Two Keys • Triple DES with Three Keys
Multiple Encryption and Triple DES • DES is vulnerable to a brute-force attack • Use multiple encryption with DES implementations
Double DES • Two encryption stages and two keys • C = EK2[EK1[P]] • P = DK1[DK2[C]] • key length : 56 X 2 = 112 bits
Reduction to a Single Stage ? • Suppose given any two keys K1 and K2, it would be possible to find a key K3 • If this were the case, double DES would be useless • because the result would be equivalent to a single DES.
Reduction to a Single Stage ? • Encryption is a mapping of 64-bit blocks to 64-bit blocks • How many different mappings?
Reduction to a Single Stage ? • DES defines one mapping for each different key. • For a total number of mappings • If DES is used twice with different key, it will produce one of the many mappings that is not defined by a single application of DES.
Meet-in-the-Middle Attack • Double DES is vulnerable to meet-in-the-middle attack. • C = EK2[EK1[P]], then X = EK1[P] = DK2[C] • Given a known pair (P,C), • Encrypt P for all 256 possible value of K1. • Decrypt C using all 256 possible value of K2. • Check the results of two and find the matching pair. • Test the two keys against a new know pair (P,C).
xi = Ek1 ( m ) , i = 1,2, ..., 256 x1 x2 : x256 xj = Dk2( c ) , j = 1,2, ..., 256 x1 x2 : x256 match Meet-in-the-Middle Attack x = Ek1 ( m ) = Dk2 ( c ) Given a pair of ( m, c ),
Meet-in-the-Middle Attack • If we have a pair (p1, c1), • If we have two pairs (p1, c1) and (p2, c2),
Triple DES • 3DES with two keys • if K1=K2, it can work with single DES.
Triple DES • Currently, there are no practical cryptanalytic attacks. • Cost of a brute-force key search • The meet-in-the-middle attack does not work. • The key size is 112 bits.
Triple DES • 3DES with three keys • key length of 168bits • If K1=K2 or K2=K3, it can be used as single DES.
Block Cipher Modes of Operation • Block Cipher Modes of Operation • Electronic Codebook Mode • Cipher Block Chaining Mode • Cipher Feedback Mode • Output Feedback Mode • Counter Mode
Electronic Codebook Mode • The simplest mode • plaintext is handled 64-bits at a time (assume the use in DES) • each block of plaintext is encrypted using the same key
Electronic Codebook Mode • Decryption is performed one block at a time, always using the same key
Electronic Codebook Mode • Ideal • for short amount of data, such as an encryption key • Characteristic of ECB • the same block of plaintext always produces the same ciphertext. • For lengthy message, the ECB mode may not to be secure.
Cipher Block Chaining Mode • To overcome the security deficiencies of ECB, the same plaintext block produces different ciphertext block.
Cipher Block Chaining Mode • The simple way to satisfy this requirement is the CBC mode. • The input is the XOR of the current plaintext block and the preceding ciphertext block. • The same key used for each block. • So, repeating patterns not exposed.
Cipher Block Chaining Mode • For decryption,
Cipher Block Chaining Mode • Initialization vector (IV) • Must be known to both the sender and receiver. • Should be protected as well as the key (for maximum security). • Sending using ECB encryption.
Cipher Block Chaining Mode • One reason for protecting the IV is • If an opponent is able to fool the receiver into using a different value for IV, then the opponent is able to invert selected bits in the first block of plaintext. • X[i] denotes the i th bit of the 64bit quantity X. • where he prime notation denotes bit complementation. • This means that if an opponent can predictably change bits in IV, the corresponding bits of the received value of P1 can be changed.
Output Feedback Mode • The DES scheme is essentially a block cipher technique. • However, it is possible to convert into a stream cipher, using either the CFB or OFB. • Eliminates the need to pad a message. • Can operate in real time.
Output Feedback Mode • Similar to CFB • but, the output of the encryption function to the shift register.
Output Feedback Mode • One advantage of the OFB • Bit errors in transmission do not propagate. • If a bit error occurs in C1, only the recovered value of P1 is affected. • The disadvantage of the OFB • It is vulnerable to a message stream modification attack.
Cipher Feedback Mode • Message is treated as a stream of bits. • encryption • input is a 64-bit shift register. • initially set to some initialization vector (IV) • the leftmost s bits are XORed with the plaintext segment. • shifted left by s bits and ciphertext is placed in the rightmost s bits. • decryption • the same scheme is used. • received ciphertext is XORed with output of the encryption function to produce the plaintext.
Counter Mode • Counter mode has increased recently • application to ATM network security and IPSec • The counter value must be different for each plaintext block. • requirement in SP 800-38A • The counter is initialized to some value. • the counter incremented by 1 for each block.
Counter Mode • Advantages of CTR mode • Hardware efficiency • Can be done in parallel on multiple blocks of plaintext or ciphertext. • Software efficiency • Processors that support parallel features can be effectively utilized. • Preprocessing • Does not depend on input of the plaintext or ciphertext. • Random access • The i th block of plaintext or ciphertext can be processed in random access fashion.
Counter Mode • Advantages of CTR mode • Provable security • CTR is at least as secure as the other modes. • Simplicity • CTR mode requires only the implementation of the encryption algorithm and not decryption algorithm. • The decryption key scheduling need not be implemented.
Stream Ciphers and RC4 • Stream Ciphers and RC4 • Stream Cipher Structure • The RC4 Algorithm
Stream Cipher • Important design considerations for a stream cipher • The encryption sequence should have a large period. • The keystream should approximate the properties of a true random number stream as close as possible. • The key needs to be sufficiently long. • A key length of at least 128 bits is desirable.
Stream Cipher Structure • The advantage of a stream cipher over a block cipher • Faster • Use far less code
RC4 • Designed in 1987 by Ron Rivest • Variable key size and byte-oriented • Based on the use of random permutation • The period of the cipher is likely to be greater than 10100. • Widely used SSL/TLS andrem WEP
RC4 • Algorithm overview • Initialize arrays S[0..255] and T[0..255]. • Produce the initial permutation of S • Stream generation
RC4 • Initialization of arrays S[0..255] and T[0..255]. • S[i] = i for 0 ≤ i ≤ 255. • S[0] = 1, … , S[255] = 255 • T[i] = K [i mod keylen] for 0 ≤i ≤ 255. • T[0] = K[0], T[1] = K[1], T[keylen+1] = K[1], ...
RC4 • Produce the initial permutation of S
RC4 Key schedule • Stream generation