450 likes | 530 Views
Cryptography and Network Security. Chapter 3 – Block Ciphers and the Data Encryption Standard.
E N D
Chapter 3 – Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working on Stern's code, principally with the aid of the latest messages which he had copied down at the Nevin Square drop. Stern was very confident. He must be well aware London Central knew about that drop. It was obvious that they didn't care how often Mungo read their messages, so confident were they in the impenetrability of the code. —Talking to Strange Men, Ruth Rendell
Modern Block Ciphers • will now look at modern block ciphers • one of the most widely used types of cryptographic algorithms • provide secrecy and/or authentication services • in particular we will introduce DES (Data Encryption Standard) • still most important symmetric cipher
Block vs Stream Ciphers • block ciphers process messages in blocks, each of which is en/decrypted as a whole • like substitution on BIG characters (blocks) • usual block size is n=64 or 128 bits • stream ciphers process messages one bit or byte at a time when en/decrypting • many current ciphers are block ciphers • hence are focus of course
Block Cipher Principles • block ciphers base on Feistel Cipher Structure • mapping of plaintext blocks to ciphertext blocks must be reversible (one-to-one) • needed since must be able to decrypt ciphertext to recover plaintext efficiently • each block treated as ‘character’ of bit size n=64 • would need table of 264 entries (possible blocks) • instead create from smaller building blocks • using idea of a product cipher
Claude Shannon and Substitution-Permutation Ciphers • in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks • used as substitution-transposition product cipher • these form the basis of modern block ciphers • S-P networks are based on the two primitive cryptographic operations we have seen before: • substitution (S-box) • permutation (P-box), that is, transposition • provide confusion and diffusion of message
Confusion and Diffusion • cipher needs to completely obscure statistical properties of original message • a one-time pad does this • more practically Shannon suggested combining elements to obtain: • diffusion – dissipates statistical structure of plaintext over bulk of ciphertext, that is, changing a single plaintext digit affects lots of ciphertext digits, e.g. take cn as average of pn …pn+k • confusion – makes relationship between ciphertext and key as complex as possible • Goal: don’t allow an attacker to deduce the key
Feistel Cipher Structure • Horst Feistel devised the Feistel cipher • based on concept of invertible product cipher • decryption works as encryption, but uses subkeys in reverse order • Feistel Encryption Algorithm (uses S-P network concept) • partitions input block into two halves L0 and R0 • process through multiple rounds (e.g. n=16) which • perform a substitution on left data half Li-1 • for that apply a round function F to right data half Ri-1 and • modify Li by performing bitwise xor: Ri=Li-1 F(Ri-1, Ki) • subkey Ki is derived from the global key K • then have permutation swapping halves: Li=Ri-1 • finally obtain ciphertext RnLn
Feistel Cipher Design Principles • block size (today usually 64 or 128 bits) increasing size improves security, but slows cipher • key size (today usually 128 bits, 64 insufficient) increasing size improves security, makes exhaustive key searching harder, but may slow cipher • number of rounds (usually 16) increasing number improves security, but slower • subkey generation greater complexity makes analysis harder, but slows ciph. • round function greater complexity makes analysis harder, but slows ciph. • fast software en/decryption & ease of analysis are more recent concerns for practical use and testing
Data Encryption Standard (DES) • most widely used block cipher in world • adopted in 1977 by NBS (now NIST) • as FIPS PUB 46 • encrypts 64-bit data using 56-bit key • has widespread use • has been considerable controversy over its security
DES History • IBM developed Lucifer cipher • by team led by Feistel • used 64-bit blocks with 128-bit key • then redeveloped as a commercial cipher with input from NSA and others • in 1973 NBS issued request for proposals for a national cipher standard • IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy • although DES standard is public • was considerable controversy over design • in choice of 56-bit key (vs Lucifer 128-bit) • and because design criteria for internal structure of DES (S-boxes) were classified • subsequent events and public analysis show in fact design was appropriate • DES has become widely used, especially in financial applications
Initial Permutation IP • first step of the data computation • IP reorders the input data bits • even bits go to left half L, odd bits to right half R • quite regular in structure • uses look-up table, see Table 3.2a in textbook • in the end, the output bits are again permuted by a final permutation (FP) which is just the inverse IP-1 of the initial permutation • again uses look-up table, see Table 3.2b
DES Round Structure • splits block into two 32-bit halves L0 and R0 • as for Feistel cipher we calculate in each round: Li= Ri–1 Ri= Li–1 F(Ri–1, Ki) where again means xor • How to compute the substitution key (F)? • F expands the 32-bit Ri–1 to 48-bits by using an expansion permutation E, see Table 3.2c in textbook • adds the result to subkey Ki via xor, that is, • passes these 48-bits through 8 S-boxes to get 32-bits • finally permutes this using a 32-bit permutation P, see Table 3.2d in textbook
Substitution Boxes (S-boxes) • eight S-boxes, each maps a 6-bit input to a 4-bit output, see Table 3.3 in textbook • outer bits 1 & 6 (row bits) select one of 4 rows • inner bits 2-5 (col bits) select one of 16 columns • the number in the specified cell gives the output • Example: 011001, row bits 01 specify row 1, col bits 1100 specify column 12, cell contains 9, gives output 1001 • in total, 48-bits are passed through 8 different S-boxes giving 32-bits • row selection depends on both data & key • feature known as autoclaving (autokeying)
DES Key Schedule • generates subkeys Ki used in each round • select 56-bits out of original 64-bits, perform initial permutation (PC1) and split the result into two 28-bit halves (C0 and D0), see Table 3.4 in textbook • in each round, derive Ci and Di from Ci-1 and Di-1 by • rotating each half (Ci-1 and Di-1) separately either 1 or 2 places depending on the round (left shifts) • permuting them by PC2, see Table 3.4 and selecting 24-bits from each half • together Ci and Di form the subkey Ki used by F in this round
DES Decryption • decryption must unwind steps of encryption • with Feistel design, do encryption steps again • using subkeys in reverse order (K16 down to K1) • note that IP undoes final FP step of encryption: FP is chosen as the inverse of IP, that is, FP=IP-1 • 1st round with K16 undoes 16th encryption round … • 16th round with K1 undoes 1st encryption round • then final FP undoes initial IP step of encryption • thus recovering original data value
Avalanche Effect • desirable property of ciphers • a change of one input bit or key bit results in changing approximately half of all output bits • high degree of diffusion and confusion • makes attempts to “home-in” by guessing keys impossible • DES exhibits strong avalanche
Strength of DES – Key Size • DES uses 56-bit key, chosen from original 64 bits • 56-bit keys allow 256 = 7.2 x 1016 different values • brute force search looks hard • but recent advances have shown is possible • in 1997 on Internet in a few months • in 1998 on dedicated h/w (EFF) in a few days • in 1999 above combined in 22hrs! • Electronic Frontier Foundation used a special-purpose “DES cracker” machine built for less than US$250,000 • EFF also published detailed description of the machine ;-) • still must be able to recognize plaintext, that is, how does a computer know whether a message makes sense
Strength of DES – Timing Attacks • attacks actual implementation of cipher • use knowledge of consequences of implementation to derive knowledge of some/all subkey bits • specifically use fact that calculations can take varying times depending on the value of the inputs to it • particularly problematic on smartcards
Strength of DES – Analytic Attacks • now have several analytic attacks on DES • these utilise some deep structure of the cipher • by gathering information about encryptions • can eventually recover some/all of the subkey bits • if necessary then exhaustively search for the rest • generally these are statistical attacks • include • differential cryptanalysis • linear cryptanalysis • related key attacks
Differential Cryptanalysis • one of the most significant recent published advances in cryptanalysis • by Murphy and Biham & Shamir (1990-…) • used to analyse most current block ciphers with varying degrees of success • requires 247 chosen plaintext/ciphertext block pairs • so DES reasonably resistant • need only 214 for 8-round DES, 256 for 8-round Lucifer • IBM knew about differential cryptanalysis in 1970s • analyses how input differences propagate to output differences
Linear Cryptanalysis • also a statistical method • published by Matsui (1991-…) • tries to find linear approximations to describe the transformations performed by DES • requires 247 known plaintext/ciphertext block pairs • still in practise infeasible • in general, exhaustive search seems to be easier to attack DES • still must be able to recognize plaintext, that is, how does a computer know whether a message makes sense • however, cryptanalysis helps to construct new ciphers and to study their security (e.g. Triple DES, AES)
Block Cipher Design Principles • basic principles still like Feistel in 1970’s • number of rounds • more is better, exhaustive search best attack • function F • provides “confusion”, is nonlinear, avalanche • key schedule • complex subkey creation, key avalanche
Modes of Operation • modern block ciphers encrypt fixed size blocks • e.g. DES encrypts 64-bit blocks, with 56-bit key • need way to use in practise, given usually have arbitrary amount of information to encrypt • originally four modes were defined for DES • ANSI X3.106-1983 Modes of Use • later extended to 5 modes for DES (and AES) • have block and stream modes (for different purposes, applications)
Electronic Codebook (ECB) • plaintext is broken into blocks (e.g. 64-bits), each of which is encrypted using the same key K • each block is a value which is substituted, like a codebook • each block is encoded independently of the other blocks C1 = DESK(P1), …, CN = DESK(PN) • used for: secure transmission of single values (e.g. transmission of encryption keys) • not secure when plaintext has lots of repetitions
Cipher Block Chaining (CBC) • plaintext is broken into blocks (e.g. 64-bits), each of which is encrypted using the same key K • but blocks are linked together in the encryption operation • each plaintext block is chained with previous cipher block Cj = DESK(Pj Cj-1) • use an Initial Vector (IV) to start process C0 = IV • IV must be known to sender and receiver • For decryption use Pj = Cj-1 DESK(Cj) • Used for: bulk data encryption, authentication
Advantages and Limitations of CBC • each ciphertext block depends on all plaintext blocks • a change in the plaintext affects all ciphertext blocks after the change as well as the original block • need Initial Value (IV) known to sender & receiver • if IV is sent in the clear, attackers can change bits of the first block, and change IV to compensate • Recall C1 = DESK(P1 IV) and P1 = IV DESK(C1) • Attackers may keep ith bit as is was P1[i] = IV[i] DESK(C1)[i] … or change it P1[i]’ = IV[i]’ DESK(C1)[i] • hence IV should be fixed (as in EFTPOS) or sent encrypted in ECB mode before rest of message
Coping with Short Blocks • if plaintext is not a multiple of the block size, we have to handle a short block at the end of the plaintext, e.g. • pad with known non-data value (e.g. pre-defined nulls) • pad last block with a counter for the pad size, e.g. 3 data bytes, then 5 bytes pad+counter: [DataByte1 DataByte2 DataByte3 0 0 0 0 5]
Cipher Feedback (CFB) • short blocks do not occur with stream ciphers • plaintext is treated as a stream of bits or bytes/characters, that is, we have 8-bit segments rather than 64-bit blocks • each encoded character is used as feedback for encoding the next character • standard allows any number of bits s, but s=8 is common • use 64-bit shift register (initialized with IV), perform DES, combine leftmost s bits with first plaintext segment C1 = P1 Ss(DESK(IV)) • Shift contents of shift register left by s bits and insert C1 • for decryption use P1 = C1 Ss(DESK(IV)) • used for: stream data encryption, authentication
Advantages and Limitations of CFB • appropriate when data arrives in bits/bytes e.g. character stream, real time transmission • most common stream mode • blocks for DES contain plaintext segment together with lots of pseudo-random bits • limitation is need to stall while performing segment encryption after every s-bits • often used for transmission of data streams • in case of a noisy channel, errors propagate for several blocks after the error
Output Feedback (OFB) • plaintext is treated as a stream of bits or bytes/characters (called segments) • similar to CFB, but uses output of DES as feedback, rather than the ciphertext segment • feedback is independent of plaintext • feedback can be computed in advance Oj = IV and Oj = DESK(Oj-1) Cj = Pj Oj • used for: stream encryption over noisy channels (e.g. satellite TV transmissions)
Advantages and Limitations of OFB • used when error feedback a problem or where need to encryptions before message is available • superficially similar to CFB, but feedback is from output of DES, hence independent from plaintext • a variation of a Vernam cipher • must never reuse the same sequence (key+IV) • sender and receiver must remain in sync, some recovery method is needed to ensure this • changing ciphertext bit i results in changing plaintext bit i, enables attacks, use checksums • as research shows only OFB-64 should be used
Counter (CTR) • a “new” mode, though proposed early on • similar to OFB but encrypts actual value of some counter, rather than any feedback • bit-size of counter coincides with block size • must have a different key & counter value for every plaintext block (never reused), usually counter is incremented after each block Oj = DESK(i) Cj = Pj Oj • used for: high-speed network encryptions
Advantages and Limitations of CTR • efficiency • can do parallel encryptions (h/w, s/w efficiency) • in advance of need (preprocessing) • good for high speed links • random access to data blocks, no chaining • provable security (equal/higher than other modes) • never reuse key/counter values
Summary • have considered: • block cipher design principles • DES • details • strength • Differential & Linear Cryptanalysis • Modes of Operation • ECB, CBC, CFB, OFB, CTR