Cryptographic Algorithms and Protocols

About This Presentation

Title:

Cryptographic Algorithms and Protocols

Description:

Blowfish. Designed by Bruce Schneier in 1993/94. fast implementation on 32-bit CPUs ... Blowfish Key Schedule. Uses a 32 to 448 bit key ... – PowerPoint PPT presentation

Number of Views:250

Avg rating:3.0/5.0

Slides: 98

Provided by: scie241

Category:

more less

Transcript and Presenter's Notes

Title: Cryptographic Algorithms and Protocols

1
Cryptographic Algorithms and Protocols

Text Book Williams Stalling
Lecture Notes Adapted from that of Lawrie Brown
Lecturer
Professor Frances Yao Professor Xiaotie Deng
Department of Computer Science
City University of Hong Kong

2
Modern Block Ciphers

Among the most widely used types of cryptographic
algorithms
Services Provided
secrecy
authentication services

3
Chapter 6 Contemporary Symmetric Ciphers

"I am fairly familiar with all the forms of
secret writings, and am myself the author of a
trifling monograph upon the subject, in which I
analyze one hundred and sixty separate ciphers,"
said Holmes.
The Adventure of the Dancing Men, Sir Arthur
Conan Doyle

4
Design Requirement Avalanche Effect

A change of one input or key bit results in
changing approx half output bits
making attempts to home-in by guessing keys
impossible
DES exhibits strong avalanche

5
Against Timing Attacks

Attacks actual implementation of cipher
Use knowledge of consequences of implementation
to derive knowledge of some/all subkey bits
Specifically use fact that calculations can take
varying times depending on the value of the
inputs to it
Particularly problematic on smartcards
Also on software systems
http//crypto.stanford.edu/dabo/abstracts/ssl-tim
ing.html
DES is relatively safe vs timing attacks

6
Strength of DES Analytic Attacks

There are several analytic attacks on DES
that utilise some deep structure of the cipher
by gathering information about encryptions
can eventually recover some/all of the sub-key
bits
if necessary then exhaustively search for the rest

7
Strength of DES Key Size

56-bit keys have 256 7.2 x 1016 values
brute force search looks hard
recent advances have shown is possible
in 1997 on Internet in a few months
in 1998 on dedicated h/w (EFF) in a few days
in 1999 above combined in 22hrs!
still must be able to recognize plaintext

8
DES Security

Design of S box is not well understood
(trapdoor?)
Key is too short which is vulnerable to brute
force attack
http//www.cl.cam.ac.uk/rnc1/descrack/
Necessary to consider alternatives to DES

9
Multiple DES
10
Enhancement using double key

Use two keys
C EK2(EK1(P))
Does it double the key space?
In Monoalphabetic cipher, we have
C K2(K1(P)) K3(P) for some K3

11
Double keys do not double DES

Is there a K3 such that C K3(P)?
A heuristic analysis
There are 256 keys, and 264! Mappings
If DES is good, a key corresponds to a random
mapping
Probability that a randomly chosen mapping
corresponds to a DES key
Effective key size of Double DES?
256?256 2112 Wrong!

12
Meet-in-the-Middle Attack

C EK2(EK1(P))
Set X EK1(P) DK2(C)
Given one pair of P and C
Brute force attack
Calculate EK1(P) for all keys ? 256 work
Calculate DK2(C) for all keys ? 256 work
The match will reveal the encryption key
Total work 2 ? 256 257

13
Triple DES

A replacement for DES is needed
theoretical attacks that can break it
demonstrated exhaustive key search attacks
AES is a new cipher alternative
prior to this alternative was to use multiple
encryption with DES implementations
Triple-DES is another alternative (but slow)

14
Triple-DES with Two-Keys

2 keys with E-D-E sequence
C EK1DK2EK1P
standardized in ANSI X9.17 ISO8732
no current known practical attacks
Why DK2 not EK2?
Backwards compatibility with DES
If K1K2, then C EK1(DK1(EK1(P))) EK1(P)
Actual key size 5656 bits 112 bits
Meet-in-the-middle attack does not work
X EK1(P) EK2 (DK1(C))

256 2112
15
3-Key Triple DES

C EK3(DK2(EK1(P)))
Adopted by some Internet applications, eg PGP,
S/MIME
Actual key size 565656 168 bits
Exhaustive search with Meet-in-the-middle attack
requires 2112 computation
X DK3(C) DK2(EK1(P))

256 2112
16
Comments on Triple-DES

Too many bits are used for keys.
May not be efficient.
New algorithms may be better.

17
Overview of other Alternatives
18
Blowfish

Designed by Bruce Schneier in 1993/94
fast implementation on 32-bit CPUs
compact in use of memory
simple structure eases analysis/implementation
variable security by varying key size
Implemented in various products

19
Blowfish Key Schedule

Uses a 32 to 448 bit key
One to fourteen 32-bit words stored in K-array
Kj, j1,2,,14
Generate
18 32-bit subkeys stored in P-array Pj ,
j1,2,,18
four 8x32 S-boxes stored in Si,j, i1,2,3,4
j0,1,,255
key schedule consists of
initialize P-array Pj and then 4 S-boxes using p
XOR P-array with key bits (reuse as needed) from
K-array
loop repeatedly encrypting data using current P
S and replace successive pairs of P then S values
requires 521 encryptions, hence slow in rekeying

20
Blowfish Encryption

Uses two primitives addition XOR
Data is divided into two 32-bit halves L0 R0
for i 1 to 16 do
Ri Li-1 XOR Pi
Li FRi XOR Ri-1
L17 R16 XOR P18
R17 L16 XOR P17
where
Fa,b,c,d ((S1,a S2,b) XOR S3,c) S4,a

21
Discussion

key dependent S-boxes and subkeys, generated
using cipher itself, makes analysis very
difficult
changing both halves in each round increases
security
provided key is large enough, brute-force key
search is not practical, especially given the
high key schedule cost

22
RC5

A proprietary cipher owned by RSADSI
designed by Ronald Rivest (of RSA fame)
used in various RSADSI products
It allows varying key size / data size / no
rounds
very clean and simple design
easy implementation on various CPUs
yet still regarded as secure

23
RC5 Ciphers

RC5 is a family of ciphers RC5-w/r/b
w word size in bits (16/32/64), data2w
r number of rounds (0..255)
b number of bytes in key (0..255)
nominal version is RC5-32/12/16
ie 32-bit words so encrypts 64-bit data blocks
using 12 rounds
with 16 bytes (128-bit) secret key

24
RC5 Key Expansion

RC5 uses 2r2 subkey words (w-bits)
subkeys are stored in array Si, i0..t-1
key schedule
initializing S to a fixed value, based on
constants
e (base of natural logarithms) and phi (golden
ratio)
the byte key is copied (little-endian) into a
c-word array L
a mixing operation then combines L and S to form
the final S array

25
RC5 Encryption

Split input into two halves A B
L0 A S0
R0 B S1
for i 1 to r do
Li ((Li-1 XOR Ri-1) ltltlt Ri-1) S2 x i
Ri ((Ri-1 XOR Li) ltltlt Li) S2 x i 1
each round is like 2 DES rounds
note rotation is main source of non-linearity
need reasonable number of rounds (eg 12-16)

26
RC5 Modes

RFC2040 defines 4 modes used by RC5
RC5 Block Cipher, is ECB mode
RC5-CBC, is CBC mode
RC5-CBC-PAD, is CBC with padding by bytes with
value being the number of padding bytes
RC5-CTS, a variant of CBC which is the same size
as the original message, uses ciphertext stealing
to keep size same as original

27
Block Cipher Characteristics

features seen in modern block ciphers are
variable key length / block size / no rounds
mixed operators, data/key dependent rotation
key dependent S-boxes
more complex key scheduling
operation of full data in each round
varying non-linear functions

28
Stream Ciphers

Process the message bit by bit (as a stream)
Similar to One time pad
One time pad uses random bits
Stream ciphers use pseudo-random bits
combined (XOR) a (pseudo) random stream key with
plaintext bit by bit
Ci Mi XOR StreamKeyi
randomness of stream key completely destroys any
statistically properties in the message
but must never reuse stream key
otherwise can remove effect and recover messages

29
Design considerations

long period with no repetitions
statistically random
depends on large enough key
large linear complexity
correlation immunity
confusion
diffusion
use of highly non-linear boolean functions

30
RC4

A proprietary stream cipher owned by RSA DSI
another Ron Rivest design, simple but effective
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, wireless WEP)
key forms random permutation of all 8-bit values
uses that permutation to scramble input info
processed a byte at a time

31
RC4 Key Schedule

starts with an array S of numbers 0..255
use key to well and truly shuffle
S forms internal state of the cipher
given a key K of length l bytes
for i 0 to 255 do
Si i
j 0
for i 0 to 255 do
j (j Si Ki mod l) (mod 256)
swap (Si, Sj)

32
RC4 Encryption

The shuffled array values will be then used
sum of shuffled pairs as "stream key" value
XOR with next byte of message to en/decrypt (some
typo in the book)
i j 0
for each message byte Mi
i (i 1) (mod 256)
j (j Si) (mod 256)
swap(Si, Sj)
t (Si Sj) (mod 256)
Ci Mi XOR St (stream of cipher text)
Source code
http//www.cr0.net8040/code/crypto/rc4/

33
RC4 Security

claimed secure against known attacks
have some analyses, none practical
result is very non-linear
since RC4 is a stream cipher, must never reuse a
key
have a concern with WEP, but due to key handling
rather than RC4 itself
See attacks
http//www.wisdom.weizmann.ac.il/itsik/RC4/rc4.ht
ml

34
Summary

some other modern symmetric block ciphers
Triple-DES
Brief Discussion of
Blowfish
RC5
RC4
Exercise
Review questions
Problems 6.1-6.3

35
Chapter 5 Advanced Encryption Standard

"It seems very simple."
"It is very simple. But if you don't know what
the key is it's virtually indecipherable."
Talking to Strange Men, Ruth Rendell

36
Origins

A replacement for DES was needed
have theoretical attacks that can break it
have demonstrated exhaustive key search attacks
An alternative Triple-DES
but slow with small blocks
US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug-99
Rijndael was selected as the AES in Oct-2000
issued as FIPS PUB 197 standard in Nov-2001

37
AES Requirements

Private key symmetric block cipher
128-bit data, 128/192/256-bit keys
Stronger faster than Triple-DES
Active life of 20-30 years ( archival use)
Provide full specification design details
Both C Java implementations
NIST have released all submissions unclassified
analyses

38
AES Evaluation Criteria

initial criteria
security vs effort to practically cryptanalyse
cost computational
algorithm implementation characteristics
final criteria
General security
Software hardware implementation ease
Defend against timing and power attacks
Flexibility (in en/decrypt, keying, other factors)

39
AES Shortlist

After testing and evaluation, shortlist in
Aug-99
MARS (IBM) - complex, fast, high security margin
RC6 (USA) - v. simple, v. fast, low security
margin
Rijndael (Belgium) - clean, fast, good security
margin
Serpent (Euro) - slow, clean, v. high security
margin
Twofish (USA) - complex, v. fast, high security
margin
Then subject to further analysis comment
Contrast between algorithms with
few complex rounds verses many simple rounds
which refined existing ciphers verses new
proposals

40
The AES Cipher - Rijndael

designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than feistel cipher
treats data in 4 groups of 4 bytes
operates an entire block in every round
designed to be
resistant against known attacks
speed and code compactness on many CPUs
design simplicity

41
Rijndael

Processes data as 4 groups of 4 bytes (state)
Consists of 9/11/13 rounds in which state
undergoes
byte substitution (1 S-box used on every byte)
shift rows (permute bytes between groups/columns)
mix columns (subs using matrix multiplication of
groups)
add round key (XOR state with key material)
initial XOR key material incomplete last round
all operations can be combined into XOR
(substitution with keys) and table lookups
(permutation) - hence very fast efficient

42
(No Transcript)
43
The Cipher

The cipher AES consists of
an initial Round Key addition
Nr-1 rounds
A final round.
In pseudo C code, this gives

44
AES (State, CipherKey) KeyExpansion (CipherKey,
ExpanedKey) AddRoundKey (State,
ExpandedKey) For ( i1 iltNr i) Round
(State, ExpandedKey Nbi) FinalRound (State,
ExpandedKey NbNr)
45
The State, the Cipher Key and the Number of
Rounds.

The different transformations operate on the
intermediate result, called the state.
Definition The intermediate cipher result is
called the State.
The State can be pictured as a rectangular array
of bytes (8 bits).
Each component is a byte (8 bits)
There are 4 rows
The number of columns is denoted by Nb
which is equal to the block length divided by 32
4 (rows) 8 bits (for a byte)

46
An example for Nb6 (a block of 192 bits)
47
An example for Nk4 (key of length 128)

The Cipher Key is similarly pictured as a
rectangular array with 4 rows. The number of
columns of the Cipher Key is denoted by Nk and it
equal to the key length divided 32.

These blocks can be considered as one dimensional
arrays of 4-byte vectors.
They are sometimes referred to as words.

The number of rounds is denoted by Nr and depends
on the values Nb and Nk.

50
Each Round Transformation

The round transformation is composed of four
different transformations.
Round (State, Roundkey)
ByteSub (State)
ShiftRow (State)
Mixcolumn (State)
AddRoundKey(State, RoundKey)

The final round of AES is slightly different. It
is defined by
FinalRound (State, Roundkey)
ByteSub (State)
ShiftRow (State)
AddRoundKey(State, RoundKey)
In this notation, the function (Round,
ByteSub, ShiftRow, ) operate on two arrays of
State, RoundKey.

52
AES Round
53
Byte Substitution

A simple substitution of each byte
uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
each byte of state is replaced by a byte in row
(left 4-bits) column (right 4-bits)
independently
eg. byte 95 is replaced by row 9 col 5 byte
which is the value 2A
S-box is constructed using a defined
transformation of the values in GF(28)
designed to be resistant to all known attacks

54
(No Transcript)
55
ByteSub transformation

Equivalently, we can take the multiplicative
inverse in GF(28) of each component of State.
As a special case, 00 is mapped onto itself.
Note the inverse is derived from multiplication
of corresponding polynomials mod
M(x)x8x4x3x1
After that, apply an affine (over GF(2))
transformation defined in the next page

56
(No Transcript)
57
We should have 95H-18A Verification 95H10010101
? x7x4x21 8AH10001010? x7x3x 95H8AH ?
x14x11x9x7x10x7x5x3x8x5x3x X6M(x)x14
x10x9x7x6 95H8AH ? x11x7x6x5x3x8x5x3x
X3M(x)x11x7x6x4x3 95H8AH ?
x8x5x5x4x3xM(x)1
58
Note that the ByteSub transformation is
invertible. E.g. 95H-18A10001010, x01010001
(reverse 95H) y1001000101100011001010100,
Sub(95H)00101010H2A
59
Shift Rows

In ShiftRow, the rows of the State are cyclically
shifted over different offsets.
Row 0 is not shifted,
Row 1 is shifted over C1 bytes,
Row 2 is shifted over C2 bytes
Row 3 over C3 bytes.
The shift offsets depend on the block length Nb
and are specified next
decryption does shifts to right
since state is processed by columns, this step
permutes bytes between the columns

60
Shift offsets for different block length
61
no shift
Cyclic shift by C1 (1)
Cyclic shift by C2 (2)
Cyclic shift by C3 (3)
ShiftRow operates on the rows of the State.
62
Mix Columns

each column is processed separately
each byte is replaced by a value dependent on all
4 bytes in the column
effectively a matrix multiplication in GF(28)
using prime poly m(x) x8x4x3x1

63
Add Round Key

XOR state with 128-bits of the round key
again processed by column (though effectively a
series of byte operations)
inverse for decryption is identical since XOR is
own inverse, just with correct round key
designed to be as simple as possible

64
In the Round Key addition the Round Key is
bitwise EXORed to the State.
?

AddRoundKey is its own inverse.
The Round Key is derived from the Cipher Key by
means of the key schedule to be addressed next.

65
AES Key Expansion

takes 128-bit (16-byte) key and expands into
array of 44/52/60 32-bit words
start by copying key into first 4 words
then loop creating words that depend on values in
previous 4 places back
in 3 of 4 cases just XOR these together
every 4th has S-box rotate XOR constant of
previous before XOR together
designed to resist known attacks

66
Key schedule

The Round Key are derived from the Cipher Key by
means of the key schedule. This consists of two
components the Key Expansion and the Round Key
Selection. The basic principle is the following
The total number of Round Key bits is Nb(Nr1).
The Cipher Key is expanded into an Expanded Key.
Round Keys are taken from this Expanded Key in
the following way the first Ronun Key consists
of the first Nb words, the second one of the
following Nb words, and so on.

67
AES Decryption

AES decryption is not identical to encryption
since steps done in reverse
but can define an equivalent inverse cipher with
steps as for encryption
but using inverses of each step
with a different key schedule
works since result is unchanged when
swap byte substitution shift rows
swap mix columns add (tweaked) round key

68
Implementation Aspects

can efficiently implement on 8-bit CPU
byte substitution works on bytes using a table of
256 entries
shift rows is simple byte shifting
add round key works on byte XORs
mix columns requires matrix multiply in GF(28)
which works on byte values, can be simplified to
use a table lookup

69
Implementation Aspects

can efficiently implement on 32-bit CPU
redefine steps to use 32-bit words
can precompute 4 tables of 256-words
then each column in each round can be computed
using 4 table lookups 4 XORs
at a cost of 16Kb to store tables
designers believe this very efficient
implementation was a key factor in its selection
as the AES cipher

70
Summary

have considered
the AES selection process
the details of Rijndael the AES cipher
looked at the steps in each round
the key expansion
implementation aspects

71
Chapter 7 Confidentiality UsingSymmetric
Encryption

John wrote the letters of the alphabet under the
letters in its first lines and tried it against
the message. Immediately he knew that once more
he had broken the code. It was extraordinary the
feeling of triumph he had. He felt on top of the
world. For not only had he done it, had he broken
the July code, but he now had the key to every
future coded message, since instructions as to
the source of the next one must of necessity
appear in the current one at the end of each
month.
Talking to Strange Men, Ruth Rendell

72
Use of Cryptography

Traditionally symmetric encryption is mainly used
to provide
message confidentiality
(that is the topic of this chapter)
Only recently, other considerations surfaced
Authentication
Integrity
Digital signature
Use of public key encryption

73
Confidentiality using Symmetric Encryption

Counter Measure for Traffic Analysis Attack
Key Distribution Problem
Random Number Generation for Confidentiality

74
Traffic Analysis Attack

Identities of Partners
How frequently the partners communicate
Message pattern, length, or security quality of
messages that suggest important information is
being exchanged
Correlation, with events, of special
conversations between particular partners.

75
Covert Channel

Message patterns can be employed in coding
Long message as 1
Short message as 0
It may communicate with outsiders in a way that
is not detected.
How to detect or eliminate it?

76
Traffic Analysis Link Encryption Approach

Monitoring of communications flows between
parties
useful both in military commercial spheres
can also be used to create a covert channel
Link encryption obscures header details
but overall traffic volumes in networks and at
end-points is still visible
Traffic padding (adding random load of traffic)
can further obscure flows
but at cost of continuous traffic

77
Traffic Analysis

When using end-to-end encryption must leave
headers in clear
so network can correctly route information
Hence although contents protected, traffic
pattern flows are not
Ideally want both at once
end-to-end encryption protects data contents over
entire path and provides authentication
link encryption protects traffic flows from
monitoring

78
Key Distribution

Symmetric schemes require both parties to share a
common secret key
How to securely distribute this key?
Secure system failure is often due to a break in
the key distribution scheme

79
Key Distribution

Various key distribution alternatives
A can select key and physically deliver to B
A third party can select deliver key to A B
If A B have communicated previously can use
previous key to encrypt a new key
If A B have secure communications with a third
party C, C can relay key between A B

80
A 5-Step Key Distribution Scheme

A Trust Key Distribution Center (KDC)
Two parties A and B
Each has a master key known by KDC Ka, Kb
One party initiates the request for a session
key.
In the end, both parties have the shared session
key.

81
A Key Distribution Scenario
82
Step 1. Session Key Request

A issues a request to KDC Request(B)N1
N1 is a number used once only (Nonce), usually
chosen as a random number of sufficiently large.
The ID of B is part of the request.

83
Step 2. Issue of Session Key

KDC sends session key and other information back
to A, encrypted by As master key
Ks session key
Request (B) tell A this what it asked for
N1 Nonce sent by A initially
EKb(Ks,IDA) To be forwarded by A to B.

84
Step 3. Forward Session Key

A sends the information from KDC to B
EKb(Ks,IDA).

85
Step 4. B sends a nonce to A using the session
key received

B uses the received session key to send a nonce
to A.
EKs(N2)
Where N2 is a nonce

86
Step 5. A proves to B that it knows the session
key received

A decodes EKs(N2) to get N2 and send f(N2) back
to B
EKs(f(N2))
Where f(N2) is a function of N2,
say f(N2)N21.

87
Question

Is there any way this scheme may be attacked?

88
Key Distribution Issues

Hierarchies of KDCs required for large networks,
but must trust each other
Session key lifetimes should be limited for
greater security
Use of automatic key distribution on behalf of
users, but must trust system
Use of decentralized key distribution
Different keys for different uses

89
Random Numbers

many uses of random numbers in cryptography
nonces in authentication protocols to prevent
replay
session keys
public key generation
keystream for a one-time pad
in all cases its critical that these values be
statistically random
with uniform distribution, independent
unpredictable cannot infer future sequence on
previous values

90
Natural Random Noise

best source is natural randomness in real world
find a regular but random event and monitor
do generally need special hardware to do this
eg. radiation counters, radio noise, audio noise,
thermal noise in diodes, leaky capacitors,
mercury discharge tubes etc
starting to see such hardware in new CPU's
http//www.fourmilab.ch/hotbits/hardware.html
http//home.t-online.de/home/p.westphal/zranusbe.h
tm
problems of bias or uneven distribution in signal
have to compensate for this when sample and use
best to only use a few noisiest bits from each
sample

91
Published Sources

a few published collections of random numbers
Rand Co, in 1955, published 1 million numbers
generated using an electronic roulette wheel
has been used in some cipher designs cf Khafre
earlier Tippett in 1927 published a collection
issues are that
these are limited
too well-known for most uses

92
Pseudorandom Number Generators (PRNGs)

algorithmic technique to create random numbers
although not truly random
can pass many tests of randomness

93
Linear CongruentialGenerator

common iterative technique using
Xn1 (aXn c) mod m
given suitable values of parameters can produce a
long random-like sequence
suitable criteria to have are
function generates a full-period
generated sequence should appear random
efficient implementation with 32-bit arithmetic
note that an attacker can reconstruct sequence
given a small number of values

94
Using Block Ciphers as Stream Ciphers

can use block cipher to generate numbers
use Counter Mode
Xi EKmi
use Output Feedback Mode
Xi EKmXi-1
ANSI X9.17 PRNG
uses date-time seed inputs and 3 triple-DES
encryptions to generate new seed random

95
Blum Blum Shub Generator