
Information Security and Management 3. Block Ciphers and the Data Encryption Standard

Information Security and Management 3. Block Ciphers and the Data Encryption Standard. Chih-Hung Wang Fall 2011. Block Cipher Principles. Block Ciphers and Stream Ciphers



  1. Information Security and Management 3. Block Ciphers and the Data Encryption Standard Chih-Hung Wang Fall 2011

  2. Block Cipher Principles • Block Ciphers and Stream Ciphers • A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. • like a substitution on very big characters • 64/128 bits or more • A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. • Many current ciphers are block ciphers

  3. Block Ciphers and Stream Ciphers

  4. Motivation • Reversible Mapping [Figure: a reversible mapping and an irreversible mapping]

  5. A General Substitution Cipher • If a small block size, such as n = 4, is used, then the system is equivalent to a classical substitution cipher. Such systems are vulnerable to statistical analysis of the plaintext. • An arbitrary reversible substitution cipher for a large block size is not practical.

  6. A General Substitution Cipher The size of key is For a 64-bits block, key size is bits

  7. Block Cipher Principles • most symmetric block ciphers are based on a Feistel Cipher Structure • Feistel proposed the use of a cipher that alternates substitutions and permutations • needed since must be able to decrypt ciphertext to recover messages efficiently • block ciphers look like an extremely large substitution • would need table of 2^64 entries for a 64-bit block • instead create from smaller building blocks • using idea of a product cipher

  8. Claude Shannon and Substitution-Permutation Ciphers • in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks • modern substitution-transposition product cipher • these form the basis of modern block ciphers • S-P networks are based on the two primitive cryptographic operations we have seen before: • substitution (S-box) • permutation (P-box) • provide confusion and diffusion of message

  9. Diffusion and Confusion • Cipher needs to completely obscure statistical properties of original message • a one-time pad does this • more practically Shannon suggested combining elements to obtain: • diffusion – the statistical structure of the plaintext is dissipated into long range statistics of the ciphertext • confusion – makes relationship between ciphertext and key as complex as possible

  10. Feistel Cipher Structure • Horst Feistel devised the Feistel cipher • based on concept of invertible product cipher • Partitions input block into two halves • The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. • Implements Shannon’s substitution-permutation network concept

  11. Feistel Cipher Structure

  12. Feistel Cipher Design Principles • Block size • larger block sizes mean greater security but reduced encryption/decryption speed • Key size • increasing size improves security, makes exhaustive key searching harder, but may slow cipher • Number of rounds • a single round offers inadequate security • increasing number improves security, but slows cipher • Subkey generation • greater complexity should lead to greater difficulty of cryptanalysis • Round function • greater complexity means greater resistance to cryptanalysis • Fast software encryption/decryption • Ease of analysis • DES does not have an easily analyzed functionality

  13. Feistel Cipher Decryption • Use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order.

  14. Feistel Cipher Decryption

  15. General Form of Feistel Cipher

  16. Data Encryption Standard (DES) • History • National Bureau of Standards (now the National Institute of Standards and Technology, NIST), 1977: adopted as Federal Information Processing Standard 46 (FIPS PUB 46) • 1960: IBM LUCIFER project

  17. DES • Critique • The key length • The key length in IBM’s original LUCIFER algorithm was 128 bits, but that of the proposed system was only 56 bits. • Design Criteria for the internal structure • S-boxes • Any hidden weak points that could enable NSA to decipher messages without the benefit of the key? • Differential cryptanalysis -> DES has a very strong internal structure

  18. DES • Not Secure? • DES has flourished and is widely used, especially in financial applications • In 1994, NIST reaffirmed DES for federal use for another five years • NIST recommends the use of DES for applications other than protection of classified information

  19. DES Encryption • Data are encrypted in 64-bit blocks using a 56-bit key. • Transforms 64-bit input in a series of steps into 64-bit output.

  20. The Structure of Block Cipher [Figure: the n-bit plaintext passes through t rounds (1st round, 2nd round, …, t-th round), each a weak cipher, to produce the ciphertext; a sub-key generator derives the round keys K1, K2, …, Kt from the k-bit key.]

  21. General Depiction

  22. Details of Single Round

  23. Details of Single Round • L_i = R_{i-1} ; R_i = L_{i-1} ⊕ f(R_{i-1}, K_i) (i = 1…15) • L_i = L_{i-1} ⊕ f(R_{i-1}, K_i) ; R_i = R_{i-1} (i = 16)

  24. Feistel Encryption [Figure: the 64-bit input (bits 1…64) passes through IP and is split into the 32-bit halves L0 and R0; each round i applies f with subkey ki to produce Li and Ri, up to L16 and R16 with k16; IP^-1 then produces the 64-bit output.]

  25. IP and IP^-1 • IP (Initial Permutation) • IP^-1 (Inverse Initial Permutation)

  26. Expansion & Permutation
      • Expansion (E)
          32  1  2  3  4  5
           4  5  6  7  8  9
           8  9 10 11 12 13
          12 13 14 15 16 17
          16 17 18 19 20 21
          20 21 22 23 24 25
          24 25 26 27 28 29
          28 29 30 31 32  1
      • Permutation (P)
          16  7 20 21 29 12 28 17
           1 15 23 26  5 18 31 10
           2  8 24 14 32 27  3  9
          19 13 30  6 22 11  4 25

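  27. Calculation of F(R,K) [Figure: R (32 bits) is expanded by E to 48 bits and combined with the subkey ki (48 bits); the result passes through the S-boxes S1 to S8 and the permutation P to give the output F (32 bits).]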

  28. S-box (Ex. S1) [Figure: the input 011001 selects a row and a column of S1; the output is 1001 (9).]

  29. Key Generation [Figure: the 56-bit key (input bits 1…64) passes through PC-1 and is split into the 28-bit halves C0 and D0; in each round the halves are left-shifted to give Ci and Di, and PC-2 produces the subkey ki, for k1 through k16.]
      Number of left shifts per round
          Round:   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
          Shifts:  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

  30. Key Generation

  31. DES Decryption • Decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed. • K16, K15, …, K1

  32. DES Example

  33. The Avalanche Effect • DES exhibits a strong avalanche effect • Two plaintexts differ by one bit • Two keys differ by one bit
      (a) Change in Plaintext (1 bit)
          Round   Number of bits that differ
            1       6
            4      39
            8      29
           12      30
           16      34
      (b) Change in Key (1 bit)
          Round   Number of bits that differ
            1       2
            4      32
            8      34
           12      33
           16      35

  34. DES Avalanche Effect-Change in Plaintext

  35. DES Avalanche Effect-Change in Key
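The round equations, the reversed-subkey decryption rule and the per-round avalanche count from the slides above, worked through in Python as an added example that is not part of the original presentation. The round function `f` and the key schedule `subkeys` are SHA-256 stand-ins assumed here, not DES's E/S-box/P function or its PC-1/PC-2 schedule, so the per-round counts differ from the DES figures in the tables.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def subkeys(key):
    # Constructed key schedule (not DES's PC-1/shift/PC-2): K1..K16 from a hash.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, ROUNDS + 1)]

def f(r, k):
    # Stand-in round function: 32 bits in, 32 bits out, not invertible.
    digest = hashlib.sha256(k + r.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, ks, trace=None):
    """Run a 64-bit block through len(ks) Feistel rounds."""
    l, r = block >> 32, block & MASK32
    for k in ks:
        # L_i = R_{i-1};  R_i = L_{i-1} xor f(R_{i-1}, K_i)
        l, r = r, l ^ f(r, k)
        if trace is not None:
            trace.append((l << 32) | r)   # state after this round
    # No swap after the last round: output is (R, L) of the loop state.
    return (r << 32) | l

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    # Same algorithm, subkeys applied as K16, K15, ..., K1.
    return feistel(block, subkeys(key)[::-1])

def avalanche(block, bit, key):
    """Bits that differ after each round when one plaintext bit is flipped."""
    a, b = [], []
    feistel(block, subkeys(key), a)
    feistel(block ^ (1 << bit), subkeys(key), b)
    return [bin(x ^ y).count("1") for x, y in zip(a, b)]

if __name__ == "__main__":
    key, pt = b"constructed-key", 0x0123456789ABCDEF   # constructed sample values
    ct = encrypt(pt, key)
    assert decrypt(ct, key) == pt
    print(f"ciphertext {ct:016x}")
    print("differing bits per round:", avalanche(pt, 63, key))
```

Decryption never inverts `f`; it only recomputes it, which is why the round function can be arbitrarily complex. Flipping a bit in the left half changes exactly one bit after round 1, which shows why a single round is inadequate.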

  36. The Strength of DES • 56-bit DES • 1977 Diffie & Hellman • Parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond. • Average search time down to about 10 hours • The cost would be about $20 million

  37. The Strength of DES • 1993 Wiener • Key search rate of 50 million keys per second • Design a module that costs $100,000 and contains 5750 key search chips

  38. The Strength of DES • RSA Laboratories • The Challenge • Offered a $10,000 reward; the task was to find a DES key given a ciphertext for a plaintext consisting of an unknown plaintext message preceded by three known blocks of text containing the 24-character phrase “the unknown message is:” • January 29, 1997, developed a brute-force program and distributed it over the Internet. • The project linked numerous machines over the Internet and eventually grew to over 70,000 systems • Ended 96 days later when the correct key was found after examining about one-quarter of all possible keys.

  39. Cryptanalysis of DES • Differential Cryptanalysis • Biham and Shamir [1993] [BIHA93] • Can successfully cryptanalyze DES with an effort on the order of 2^47, requiring 2^47 chosen plaintexts (brute-force method: 2^55) • Does not work very well against DES: differential cryptanalysis was known to the IBM team as early as 1974. • Linear Cryptanalysis • Weak keys; Semi-weak keys

  40. Differential Cryptanalysis • A statistical attack against Feistel ciphers • Uses cipher structure not previously used • Design of S-P networks has output of function f influenced by both input & key • Hence cannot trace values back through cipher without knowing values of the key • Differential Cryptanalysis compares two related pairs of encryptions

  41. Differential Cryptanalysis Compares Pairs of Encryptions • With a known difference in the input • Searching for a known difference in output • When same subkeys are used

  42. Differential Cryptanalysis (Three Round of DES)

  43. Linear Cryptanalysis • Another recent development • Also a statistical method • Must be iterated over rounds, with decreasing probabilities • Developed by Matsui et al in early 90's [MATS93] • Based on finding linear approximations • Can attack DES given 2^47 known plaintexts, still infeasible as an attack on DES

  44. Block Cipher Design Principles • Basic principles still like Feistel in 1970’s • DES design criteria [COPP94] (Coppersmith) • Number of rounds • The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. • Design of function F: • S-box design • Provides “confusion”, is nonlinear, avalanche • Key schedule • Complex subkey creation, key (strict) avalanche, bit independence [ADAM94]

  45. Block Cipher Modes • Apply DES in Multiple Data Blocks [Figure: the plaintext M is divided into 64-bit blocks, each of which passes through the DES cipher to produce the ciphertext C.]

  46. Block Cipher Modes • Four modes have been defined (FIPS PUB 74, 81) • Electronic Codebook (ECB) • Cipher Block Chaining (CBC) • Cipher Feedback (CFB) • Output Feedback (OFB) • NIST has expanded the list of recommended modes to five in Special Publication 800-38A • Counter (CTR)

  47. ECB

  48. ECB • Each block of 64 plaintext bits is encoded independently using the same key • Typical Application • Secure transmission of single values (e.g., an encryption key)

  49. ECB • Security • For lengthy messages, the ECB mode may not be secure. • If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities. • For example: the message always starts out with certain predefined fields. • The message has repetitive elements, with a period of repetition a multiple of 64 bits.
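The regularities described above show up directly in the ciphertext. This added example (not from the original slides) encrypts a constructed message with repeating 64-bit fields in ECB and, for contrast, with CBC chaining, then lists the block positions whose ciphertext is identical. `E` is a keyed HMAC-SHA256 stand-in for DES assumed for the illustration; the message, key and IV are constructed.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, as in DES

def E(key, block):
    # Keyed stand-in for the DES encryption function (assumption):
    # deterministic per key, which is all this demonstration relies on.
    # It is one-way, so it cannot be used to decrypt.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    # Each 64-bit block is encoded independently using the same key.
    return b"".join(E(key, p) for p in blocks(msg))

def cbc_encrypt(key, iv, msg):
    # Each plaintext block is XORed with the previous ciphertext block first.
    out, prev = [], iv
    for p in blocks(msg):
        prev = E(key, bytes(a ^ b for a, b in zip(p, prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct):
    """Groups of block indexes that carry identical ciphertext."""
    seen = {}
    for i, c in enumerate(blocks(ct)):
        seen.setdefault(c, []).append(i)
    return [idx for idx in seen.values() if len(idx) > 1]

# Constructed sample: records with a fixed header field, 8-byte aligned.
MSG = b"HDR:v1.0AMT=0100HDR:v1.0AMT=0250HDR:v1.0AMT=0100"
KEY = b"constructed-key"
IV = bytes(range(BLOCK))  # fixed only so the output is reproducible

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(KEY, MSG)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(KEY, IV, MSG)))
```

In ECB the header blocks (0, 2, 4) and the two equal amount fields (1, 5) encrypt identically, so an observer learns the record layout and which records match without the key. The same `repeated_blocks` check is a quick way to audit captured ciphertext for ECB use.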

  50. CBC
