Information Security and Management 3. Block Ciphers and the Data Encryption Standard Chih-Hung Wang Fall 2011
Block Cipher Principles
• Block Ciphers and Stream Ciphers
  • A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
    • like a substitution on very big characters
    • 64/128 bits or more
  • A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
• Many current ciphers are block ciphers
Motivation
• (figure) A reversible mapping compared with an irreversible mapping
A General Substitution Cipher
• If a small block size, such as n = 4, is used, then the system is equivalent to a classical substitution cipher, and such ciphers are vulnerable to statistical analysis of the plaintext.
• An arbitrary reversible substitution cipher for a large block size is not practical.
A General Substitution Cipher
• The size of the key is
• For a 64-bit block, the key size is bits
Block Cipher Principles
• most symmetric block ciphers are based on a Feistel Cipher Structure
• Feistel proposed the use of a cipher that alternates substitutions and permutations
• needed since we must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
  • would need a table of $2^{64}$ entries for a 64-bit block
• instead create from smaller building blocks
  • using the idea of a product cipher
Claude Shannon and Substitution-Permutation Ciphers
• in 1949 Claude Shannon introduced the idea of substitution-permutation (S-P) networks
  • modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
  • substitution (S-box)
  • permutation (P-box)
• provide confusion and diffusion of the message
Diffusion and Confusion
• Cipher needs to completely obscure statistical properties of the original message
  • a one-time pad does this
• more practically Shannon suggested combining elements to obtain:
  • diffusion – the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext
  • confusion – makes the relationship between ciphertext and key as complex as possible
Feistel Cipher Structure
• Horst Feistel devised the Feistel cipher
• based on the concept of an invertible product cipher
• Partitions the input block into two halves
• The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block.
• Implements Shannon's substitution-permutation network concept
Feistel Cipher Design Principles
• Block size
  • larger block sizes mean greater security but reduced encryption/decryption speed
• Key size
  • increasing size improves security and makes exhaustive key searching harder, but may slow the cipher
• Number of rounds
  • a single round offers inadequate security
  • increasing the number improves security, but slows the cipher
• Subkey generation
  • greater complexity should lead to greater difficulty of cryptanalysis
• Round function
  • greater complexity means greater resistance to cryptanalysis
• Fast software encryption/decryption
• Ease of analysis
  • DES does not have an easily analyzed functionality
Feistel Cipher Decryption
• Use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order.
• (figure) Decryption
Data Encryption Standard (DES)
• History
  • National Bureau of Standards (now the National Institute of Standards and Technology, NIST), 1977: adopted as Federal Information Processing Standard 46 (FIPS PUB 46)
  • 1960: IBM LUCIFER project
DES
• Critique
  • The key length
    • The key length in IBM's original LUCIFER algorithm was 128 bits, but that of the proposed system was only 56 bits.
  • Design criteria for the internal structure
    • S-boxes
    • Any hidden weak points that could enable the NSA to decipher messages without benefit of the key?
    • Differential cryptanalysis -> DES has a very strong internal structure
DES
• Not Secure?
  • DES has flourished and is widely used, especially in financial applications
  • In 1994, NIST reaffirmed DES for federal use for another five years
  • NIST recommends the use of DES for applications other than the protection of classified information
DES Encryption
• Data are encrypted in 64-bit blocks using a 56-bit key.
• Transforms a 64-bit input in a series of steps into a 64-bit output.
The Structure of Block Cipher
• (figure) The n-bit plaintext passes through t rounds of a weak cipher (1st round, 2nd round, …, t-th round); each round is keyed with a sub-key K1, K2, …, Kt produced by a sub-key generator from a k-bit key, and the last round outputs the ciphertext.
Details of Single Round
• $L_i = R_{i-1}$ ; $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$  (i = 1 … 15)
• $L_i = L_{i-1} \oplus f(R_{i-1}, K_i)$ ; $R_i = R_{i-1}$  (i = 16)
Feistel Encryption
• (figure) The 64-bit input (bits 1 … 64) passes through IP and is split into L0 and R0 (32 bits each); sixteen rounds of f with subkeys k1, k2, …, k16 produce (L1, R1), (L2, R2), …, (L16, R16), and IP-1 gives the 64-bit output.
IP and IP-1
• IP (Initial Permutation)
• IP-1 (Inverse Initial Permutation)
Expansion & Permutation
• Expansion (E), 32 bits -> 48 bits:
  32  1  2  3  4  5
   4  5  6  7  8  9
   8  9 10 11 12 13
  12 13 14 15 16 17
  16 17 18 19 20 21
  20 21 22 23 24 25
  24 25 26 27 28 29
  28 29 30 31 32  1
• Permutation (P):
  16  7 20 21 29 12 28 17
   1 15 23 26  5 18 31 10
   2  8 24 14 32 27  3  9
  19 13 30  6 22 11  4 25
Calculation of F(R,K)
• (figure) R (32 bits) is expanded by E to 48 bits, combined with the subkey ki (48 bits), split into eight 6-bit groups fed to S1, S2, …, S8, and the 32-bit S-box output is permuted by P to give the output F (32 bits).
S-box (ex. S1)
• Input 011001: the two outer bits select the row and the four middle bits select the column; the S1 entry is 1001 = 9.
Key Generation
• (figure) The 56-bit key (entered as 64 bits, 1 … 64) passes through PC-1 to give C0 and D0 (28 bits each); in each round Ci and Di are obtained from Ci-1 and Di-1 by left shifts, and PC-2 selects the subkey ki from (Ci, Di), giving k1 … k16 (C16, D16 at the end).
• Number of left shifts per round:
  Round:  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
  Shifts: 1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
DES Decryption
• Decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.
  • K16, K15, …, K1
The Avalanche Effect
• DES exhibits a strong avalanche effect
  • Two plaintexts differ by one bit
  • Two keys differ by one bit
• (a) Change in plaintext (1 bit)
  Round   Number of bits that differ
  1       6
  4       39
  8       29
  12      30
  16      34
• (b) Change in key (1 bit)
  Round   Number of bits that differ
  1       2
  4       32
  8       34
  12      33
  16      35
The Strength of DES
• 56-bit DES
• 1977 Diffie & Hellman
  • Parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond.
  • Average search time down to about 10 hours
  • The cost would be about $20 million
The Strength of DES
• 1993 Wiener
  • Key search rate of 50 million keys per second
  • Design of a module that costs $100,000 and contains 5750 key search chips
The Strength of DES
• RSA Laboratories
• The Challenge
  • Offered a $10,000 reward to find a DES key given a ciphertext for a plaintext consisting of an unknown plaintext message preceded by three known blocks of text containing the 24-character phrase "the unknown message is:"
  • January 29, 1997: a brute-force program was developed and distributed over the Internet.
  • The project linked numerous machines over the Internet and eventually grew to over 70,000 systems
  • Ended 96 days later when the correct key was found after examining about one-quarter of all possible keys.
Cryptanalysis of DES
• Differential Cryptanalysis
  • Biham and Shamir [1993] [BIHA93]
  • Can successfully cryptanalyze DES with an effort on the order of $2^{47}$, requiring $2^{47}$ chosen plaintexts (brute-force method: $2^{55}$)
  • Does not do very well against DES: differential cryptanalysis was known to the IBM team as early as 1974.
• Linear Cryptanalysis
• Weak keys; Semi-weak keys
Differential Cryptanalysis
• A statistical attack against Feistel ciphers
• Uses cipher structure not previously used
• The design of S-P networks has the output of the function f influenced by both input and key
• Hence one cannot trace values back through the cipher without knowing the values of the key
• Differential cryptanalysis compares two related pairs of encryptions
Differential Cryptanalysis Compares Pairs of Encryptions
• With a known difference in the input
• Searching for a known difference in the output
• When the same subkeys are used
Linear Cryptanalysis
• Another recent development
• Also a statistical method
• Must be iterated over rounds, with decreasing probabilities
• Developed by Matsui et al. in the early 90's [MATS93]
• Based on finding linear approximations
• Can attack DES given $2^{47}$ known plaintexts; still infeasible as an attack on DES
Block Cipher Design Principles
• Basic principles still like Feistel in the 1970's
• DES design criteria [COPP94] (Coppersmith)
• Number of rounds
  • The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F.
• Design of function F:
  • S-box design
  • Provides "confusion", is nonlinear, avalanche
• Key schedule
  • Complex subkey creation, key (strict) avalanche, bit independence [ADAM94]
Block Cipher Modes
• (figure) The plaintext M is split into 64-bit blocks, the DES cipher is applied to each of the multiple data blocks, and the result is the ciphertext C.
Block Cipher Modes
• Four modes have been defined (FIPS PUB 74, 81)
  • Electronic Codebook (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher Feedback (CFB)
  • Output Feedback (OFB)
• NIST has expanded the list of recommended modes to five in Special Publication 800-38A
  • ** Counter (CTR)
ECB
• Each block of 64 plaintext bits is encoded independently using the same key
• Typical Application
  • Secure transmission of single values (e.g., an encryption key)
ECB
• Security
  • For lengthy messages, the ECB mode may not be secure.
  • If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.
    • For example: the message always starts out with certain predefined fields.
    • The message has repetitive elements, with a period of repetition that is a multiple of 64 bits.
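An added example (not from the lecture): a toy 16-round Feistel cipher with a made-up round function and key schedule standing in for DES, used to show two points from the slides: that decryption is the same algorithm with the subkeys applied in reverse order (DES Decryption slide), and that in ECB mode a message whose records repeat with a 64-bit period produces repeating ciphertext blocks, which CBC chaining hides (ECB security slide). The message, key and IV are constructed values.

```python
import struct

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def subkeys(key64):
    """Toy key schedule (stand-in for DES's PC-1/shifts/PC-2): 16 32-bit subkeys."""
    return [((key64 >> (3 * i % 64)) ^ (key64 << i) ^ i) & MASK32 for i in range(1, ROUNDS + 1)]

def f(r, k):
    """Toy round function. A Feistel network never inverts f, so any f yields a bijection."""
    x = ((r ^ k) * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return (x ^ (x >> 15) ^ (x << 7)) & MASK32

def feistel(block64, ks):
    """Li = R(i-1), Ri = L(i-1) xor f(R(i-1), Ki) for rounds 1..15; round 16 has
    no swap (as on the single-round slide), so running the same routine with
    the subkeys reversed is the decryption."""
    l, r = block64 >> 32, block64 & MASK32
    for k in ks[:-1]:
        l, r = r, l ^ f(r, k)
    return ((l ^ f(r, ks[-1])) << 32) | r

def encrypt_block(b, key):
    return feistel(b, subkeys(key))
def decrypt_block(c, key):
    return feistel(c, subkeys(key)[::-1])      # same algorithm, K16 ... K1

def blocks(msg):
    """Split into 64-bit integers; padding is out of scope, so length must be a multiple of 8."""
    assert len(msg) % 8 == 0
    return [struct.unpack(">Q", msg[i:i + 8])[0] for i in range(0, len(msg), 8)]

def ecb_encrypt(msg, key):
    return b"".join(struct.pack(">Q", encrypt_block(b, key)) for b in blocks(msg))

def cbc_encrypt(msg, key, iv):
    out, prev = [], iv
    for b in blocks(msg):
        prev = encrypt_block(b ^ prev, key)    # chaining hides repeated plaintext blocks
        out.append(struct.pack(">Q", prev))
    return b"".join(out)

def distinct_blocks(ct):
    """How many different 64-bit ciphertext blocks appear (ECB leaks the plaintext's period)."""
    return len({ct[i:i + 8] for i in range(0, len(ct), 8)})

# Constructed sample: a structured message whose records repeat with a 64-bit period.
MESSAGE = b"ACCT0001AMT=0100" * 3       # 6 blocks, only 2 distinct plaintext blocks
KEY = 0x0123456789ABCDEF                 # constructed key, not a real secret
IV = 0x1122334455667788                  # constructed IV; use a fresh random IV in practice
```

Calling `distinct_blocks(ecb_encrypt(MESSAGE, KEY))` gives 2, exposing the repetition, while `distinct_blocks(cbc_encrypt(MESSAGE, KEY, IV))` gives 6.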