320 likes | 553 Views
CRYPTOGRAPHY AND INFORMATION SECURITY. Lecturer: Dr. Nguyen Nam Hong Tel.: 048781437. Mob.: 0912312816. Email: nguyennamhong2003@yahoo.com.au Website: www.freewebs.com/namhongthanhloc Chapter 7. Contemporary Symmetric Ciphers. Chapter 7. Contemporary Symmetric Ciphers (1/3).
E N D
CRYPTOGRAPHY AND INFORMATION SECURITY Lecturer: Dr. Nguyen Nam Hong Tel.: 048781437. Mob.: 0912312816. Email: nguyennamhong2003@yahoo.com.au Website: www.freewebs.com/namhongthanhloc Chapter 7. Contemporary Symmetric Ciphers
Chapter 7. Contemporary Symmetric Ciphers (1/3) 7.01. Could we use Double DES? 7.02. Attack due to a man in the middle 7.03. Triple DES Type EDE 7.04. Use of Triple DES 7.05. Triple DES with Three Keys 7.06. Blowfish 7.07. Blowfish Key Schedule 7.08. Blowfish Encryption 7.09. Blowfish Discussion Dr. Nguyen Nam Hong, Le Quy Don Technical University
Chapter 7. Contemporary Symmetric Ciphers (2/3) 7.10. RC5 7.11. RC5 Ciphers 7.12. RC5 Key Expansion 7.13. RC5 Encryption 7.14. RC5 Modes 7.15. Other Algorithms: IDEA 7.16. Other Algorithms: RC2 7.17. Other Algorithms: SAFER 7.18. Other Algorithms: CAST128 Dr. Nguyen Nam Hong, Le Quy Don Technical University
Chapter 7. Contemporary Symmetric Ciphers (3/3) 7.19. Other Algorithms: Skipjack 7.20. Block Cipher Characteristics 7.21. Stream Ciphers 7.22. Stream Cipher Properties 7.23. RC4 7.24. RC4 Key Schedule 7.25. RC4 Encryption 7.26. RC4 Security 7.27. Summary Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.01. Could we use Double DES? k1 and k2 are n bits keys k1 k2 M C’ C Is the lenght of the key duplicated? On this model, we can expect that the effective lenght of the key is 22n where n represents the length in bits of k1 and k2 keys. However, this is not true. The size of the resulting key, indeed, in this case is equivalent to 2n+1, an insignificant increase (just one bit) for a big value of n (typical) and it is not used for this reason. DES DES Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.02. Attack due to a man in the middle k1 k2 Y M DES DES C k1 and k2 are n bits keys a) Cryptogram C is decrypted by brute force using the 2n possible keys and making then 2n calculations. We get Y this way. b) With the “intermediate texts” Y a sorted table of ciphertexts is formed with their corresponding values k2. c) The chosen plaintexts M are encrypted with all the k1 keys and then they are compared to Y, making a maximum of 2ncalculations. d) One of the keys will be the real key and a number less than 2n + 2n= 2n+1 calculations have been made. So the real key is equal to 2n+1. This attack is known as man-in-the-middle attack. Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.03. Triple DES type EDE k1 and k2 are n bits keys k1 k2 k1 M C • In this case an effective value of key lenght equal to 22n bits is achieved, this is 22•56 = 2112 effective bits. • The previous example with only two keys (equivalent to the one of three keys k1, k2, k3) is used for compatibility with the unique key DES when k1 = k2 = k3. • This model was proposed by Matyas and Meyer of IBM, is known as EDE (Encrypt-Decrypt-Encrypt) and it is inmune to man-in-the-middle attacks. E (DES) D (DES) E (DES) Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.04. Uses of Triple DES k1 and k2 keys of 64 bits k1 k2 k1 M C E (DES) D (DES) E (DES) Though DES algorithm has suffered several attacks and it has not been certifed by NIST as a cipher standard anymore, Triple DES has a great security due to the size of its key of 112 effective bits and continues being valid on year 2005. In fact, it was the algorithm proposed in the SET protocol and can be found, besides other applications, on PGP software. Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.05. Triple-DES with Three-Keys • although are no practical attacks on two-key Triple-DES have some indications • can use Triple-DES with Three-Keys to avoid even these • C = EK3[DK2[EK1[P]]] • has been adopted by some Internet applications, eg PGP, S/MIME • PGP: Pretty Good Privacy (see 12.1) • S/MIME: Secure Multipurpose Internet Mail Extension Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.06. Blowfish • a symmetric block cipher designed by Bruce Schneier in 1993/94 • characteristics • fast implementation on 32-bit CPUs • compact in use of memory • simple structure for analysis/implementation • variable security by varying key size • has been implemented in various products Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.07. Blowfish Key Schedule • uses a 32 to 448 bit key • used to generate • 18 32-bit subkeys stored in K-array Kj • four 8x32 S-boxes stored in Si,j • key schedule consists of: • initialize P-array and then 4 S-boxes using pi • XOR P-array with key bits (reuse as needed) • loop repeatedly encrypting data using current P & S and replace successive pairs of P then S values • requires 521 encryptions, hence slow in re-keying Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.08. Blowfish Encryption • uses two primitives: addition & XOR • data is divided into two 32-bit halves L0 & R0 for i = 1 to 16 do Ri= Li-1 XOR Pi; Li= F[Ri] XOR Ri-1; L17 = R16 XOR P18; R17 = L16 XOR i17; • where F[a,b,c,d] = ((S1,a+ S2,b) XOR S3,c) + S4,a Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.09. Blowfish Discussion • key dependent S-boxes and subkeys, generated using cipher itself, makes analysis very difficult • changing both halves in each round increases security • provided key is large enough, brute-force key search is not practical, especially given the high key schedule cost Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.10. RC5 • a proprietary cipher owned by RSADSI • designed by Ronald Rivest (of RSA fame) • used in various RSADSI products • can vary key size / data size / no rounds • very clean and simple design • easy implementation on various CPUs • yet still regarded as secure Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.11. RC5 Ciphers • RC5 is a family of ciphers RC5-w/r/b • w = word size in bits (16/32/64) nb data=2w • r = number of rounds (0..255) • b = number of bytes in key (0..255) • nominal version is RC5-32/12/16 • ie 32-bit words so encrypts 64-bit data blocks • using 12 rounds • with 16 bytes (128-bit) secret key Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.12. RC5 Key Expansion • RC5 uses 2r+2 subkey words (w-bits) • subkeys are stored in array S[i], i=0..t-1 • then the key schedule consists of • initializing S to a fixed pseudorandom value, based on constants e and phi • the byte key is copied (little-endian) into a c-word array L • a mixing operation then combines L and S to form the final S array Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.13. RC5 Encryption • split input into two halves A & B L0 = A + S[0]; R0 = B + S[1]; for i = 1 to r do Li= ((Li-1 XOR Ri-1) <<< Ri-1) + S[2 x i]; Ri= ((Ri-1 XOR Li) <<< Li) + S[2 x i + 1]; • each round is like 2 DES rounds • note rotation is main source of non-linearity • need reasonable number of rounds (eg 12-16) Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.14. RC5 Modes • RFC2040 defines 4 modes used by RC5 • RC5 Block Cipher, is ECB mode • RC5-CBC, is CBC mode • RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padding bytes • RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.15. Other Algorithms: IDEA (1/2) • History of IDEA • In 1990 Xuejia Lai and James Massey propose PES, Proposed Encryption Standard. • In 1991 -due to the advances of Biham and Shamir on differential cryptanalysis- the authors propose IPES, Improved Proposed Encryption Standard. • In 1992 the authors finally propose the algorithm IDEA, International Data Encryption Algorithm. • In 1999 algorithm IDEA, much safer than DES and its versions, begins to be widely used on the secure electronic mail system PGP. Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.15. Other Algorithms: IDEA (2/2) • Strenght of IDEA algorithm: • IDEA exhibits itself as inmune facing a differential cryptanalysis. • Joan Daemen discovers in 1992 a class of weakness keys. • Until now any attack system or algorithm that IDEA has cryptoanalyzed is unknown. • Joan Daemen and Vincent Rijmen will create in 1997 RIJNDAEL, new global standard of NIST from the end of 2001. Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.16. Other algorithms: RC2 • Block cipher of variable key (from 8 to 1.024 bits) proposed by Ron Rivest from RSA Data Security Inc. • Size of the text block: 64 bits. • It does not use S-boxes and it's nearly three times faster than DES. • It is used on SMIME with key lenghts of 40, 64 and 128 bits. • Primitive cipher operations: addition on module 232, Xor operation, complement of bits, AND operation and circular rotation on the left. • It makes known as mixing and mashing. 18 rounds Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.17. Other algorithms: SAFER • SAFER: Secure and Fast Encryption Routine (James Massey). • It encrypts text blocks of 64 bits. • Size of the key: 64 or 128 bits. • Number of rounds from 0 to 10; minimum recommendable 6. • Different encrypting and decrypting operations based in bytes, that point their use into applications for inteligent cards. • There are versions SAFER SK-64 and SK-128 more secure in the case of weak keys than their antecessors. Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.18. Other algorithms: CAST128 • Feistel cipher proposed by C. Adams and S. Tavares (Canada). • It encrypts text blocks of 64 bits with keys from 40 to 128 bits by octets increments. • It encrypts through 16 rounds. • Basic operations: addition and subtraction module 232, exclusive or and circular rotations on the left. • Characteristics: inmunity to differential and linear cryptanalysis attacks; standard cipher algorithm on last versions of PGP. Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.19. Other algorithms: Skipjack • It has been developed by the NSA (National Security Agency). • It encrypts 64 bits bloks with a key of 80 bits. • Users keep their secret keys on several government agencies. • It uses 32 rounds on every cipher block. • The full details of the algorithm are not public. • the USA is about to use it on their DMS, (Defense Messaging System). Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.20. Block Cipher Characteristics • features seen in modern block ciphers are: • variable key length / block size / no rounds • mixed operators, data/key dependent rotation • key dependent S-boxes • more complex key scheduling • operation of full data in each round • varying non-linear functions Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.21. Stream Ciphers • process the message bit by bit (as a stream) • typically have a (pseudo) random stream key • combined (XOR) with plaintext bit by bit • randomness of stream key completely destroys any statistically properties in the message • Ci = Mi XOR StreamKeyi • what could be simpler!!!! • but must never reuse stream key • otherwise can remove effect and recover messages Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.22. Stream Cipher Properties • some design considerations are: • long period with no repetitions • statistically random • depends on large enough key • large linear complexity • correlation immunity • confusion • diffusion • use of highly non-linear boolean functions Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.23. RC4 • a proprietary cipher owned by RSA DSI • another Ron Rivest design, simple but effective • variable key size, byte-oriented stream cipher • widely used (web SSL/TLS, wireless WEP) • key forms random permutation of all 8-bit values • uses that permutation to scramble input info processed a byte at a time Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.24. RC4 Key Schedule • starts with an array S of numbers: 0..255 • use key to well and truly shuffle • S forms internal state of the cipher • given a key k of length l bytes for i = 0 to 255 do S[i] = i j = 0 for i = 0 to 255 do j = (j + S[i] + k[i mod l]) (mod 256) swap (S[i], S[j]) Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.25. RC4 Encryption • encryption continues shuffling array values • sum of shuffled pair selects "stream key" value • XOR with next byte of message to en/decrypt i = j = 0 for each message byte Mi i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) t = (S[i] + S[j]) (mod 256) Ci = Mi XOR S[t] Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.26. RC4 Security • claimed secure against known attacks • have some analyses, none practical • result is very non-linear • since RC4 is a stream cipher, must never reuse a key • have a concern with WEP, but due to key handling rather than RC4 itself Dr. Nguyen Nam Hong, Le Quy Don Technical University
7.27. Summary • briefly introduced some modern symmetric block ciphers: • Triple-DES • Blowfish • RC5 • Other Algorithms: IDEA, RC2, SAFER, CAST128, Skipjack • Block Cipher Characteristics • briefly introduced stream ciphers: • RC4 Dr. Nguyen Nam Hong, Le Quy Don Technical University