Conventional Cryptography - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Conventional Cryptography

Description:

Alice and Bob agree on cryptosystem (algorithm) Alice and Bob agree on a key ... Used hardware to winnow false positives (plaintext recognizer) then software to ... – PowerPoint PPT presentation

Number of Views:168
Avg rating:3.0/5.0
Slides: 32
Provided by: www1I
Category:

less

Transcript and Presenter's Notes

Title: Conventional Cryptography


1
Conventional Cryptography
  • Dr. Ron Rymon
  • Efi Arazi School of Computer Science
  • IDC, Herzliya. 2007/8

Pre-Requisites Simple Math Background
2
Overview
  • Symmetric Cryptography
  • Cipher Block Modes
  • Key Management
  • Message Authentication Using Conventional
    Cryptography

3
Symmetric Cryptography
Main sources Network Security Essentials /
Stallings Applied
Cryptography / Schneier
4
Symmetric Cryptography Protocol
  • A typical protocol
  • Alice and Bob agree on cryptosystem (algorithm)
  • Alice and Bob agree on a key
  • Alice encrypts her message with the key
  • Alice sends the message to Bob
  • Bob decrypts the messages using same key
  • A common variation is where a new key is issued
    for each session (set of messages) and is
    corresponded encrypted using the master key

5
Feistel Networks
  • Most block encryption algorithms use this general
    structure, due to Horst Feistel (1973)
  • Inputs Plaintext (halved) , Key, Round function
    F
  • Uses n rounds, in each (e.g., n16)
  • Inputs Li and Ri Ki is derived from K
    (sub-key)
  • Li1Ri
  • Ri1Li?F(Ri,Ki)
  • F (round function) selects certain bits,
    duplicates some, and permutes them. Ki is derived
    from K
  • Final ciphertext is combination of Ln and Rn
  • At IBM, Feistel built Lucifer, the first such
    system

6
?
7
Notes on Feistel Cipher Structure
  • Decryption The same process is reversible
  • Ri-1Li
  • Li-1Ri?F(Ri-1,Ki-1)
  • Same algorithm can be used but with keys reversed
  • Security Considerations
  • Larger block size results in fewer blocks and
    increased security
  • Larger key size also increases security (recall
    Shannon)
  • More rounds considered to offer better security
    (?)
  • Greater complexity of subkey generation may help
    security
  • Greater complexity of round function may increase
    security

8
Design Goals for Block Ciphers
  • Highly secure more of everything
  • Fast fewer rounds that use simpler operations
  • Low communication overheads
  • Low battery consumption in hand-helds
  • Easy to implement in hardware
  • Simple, ubiquitous operations
  • Efficient in memory usage
  • Can run on a smart card
  • Require less secret material (keys, boxes)
  • Sometimes put on expensive tamper-proof memory

9
Design Principles for Feistel Round Function
  • Feistel is a family of algorithms
  • Depends on choice of F, and subkey generation
    algorithm
  • Can be designed to fit needs
  • Non-Linearity. F is as difficult as possible to
    approximate with a set of linear equations
  • Avalanche
  • Strict Avalanche Criterion (SAC) with the
    change of any one input bit, every output bit
    shall change with probability of exactly ½
  • Bit Independence Criterion (BIC) output bits
    i,j shall change independently from each other
    when an input bit is inverted
  • Guaranteed Avalanche at least n output bits
    will change whenever any single input bit is
    inverted

10
Data Encryption Standard (DES)
  • Without a standard, software and hardware cannot
    interoperate, or at least it is very expensive
  • In 1973, National Institute for Standards and
    Technology (NIST) issued RFP for Data Encryption
    Algorithm (DEA)
  • provide high level of security
  • completely specified and easy to understand
  • the security must reside in the key
  • available to all users
  • adaptable to diverse applications
  • economically implementable in hardware
  • efficient to use
  • validated
  • exportable

11
Data Encryption Standard (DES)
  • NIST (NBS) issued a Request For Proposal (RFP)
  • Only serious proposal came from IBM
  • Patented and based on Lucifer (Feistel et al)
  • NIST issued a Request For Comments (RFC)
  • For first time, a crypto algorithm is reviewed by
    experts (NSA)
  • Quite a few were concerned about NSA backdoor
  • NSA reduced the key size from 112 to 56 bits
  • Diffie and Helman presented a 20MM 1-day DES
    cracking machine
  • NSA had also changed the original S-boxes design
  • There were some claims of linearity in the new
    design
  • DES was adopted in 1977, and renewed in 1983
  • In 1987, under NSA pressure, DES almost not
    re-certified
  • Concerned about the details of the algorithm
    being open and available to software
    implementations
  • Certified only hardware implementations until 1994

12
Data Encryption Standard (DES)
  • A Feistel block cipher structure
  • 64-bit blocks
  • 56-bit keys
  • 16 rounds
  • Adds initial and final permutation of the text
    (irrelevant to security)
  • Key shifted circularly for next round, and 48
    bits are selected for Ki

13
One Round of DES
14
One Round of DES
  • Key Transformation
  • Each key-half is shifted 1 or 2 bits in each
    round (per given table)
  • The 56 key bits are permuted and 48 bits are
    chosen (per table)
  • Text transformations
  • Expansion of Ri from 32 to 48 bits (size of key)
  • Avalanche effect some bits are duplicated
  • 48 bits are XORed with Ki
  • Substitution, using 8 S-Boxes with 6-bit input
    and 4-bit output
  • S-boxes are well chosen to introduce
    non-linearity
  • 32 bits are permuted according to specified P-Box
  • 32 bits are XORed with Li to create Ri1

15
Data Encryption Standard (DES)
  • Confusion
  • Obtained through permutations, substitutions, and
    number of rounds
  • Diffusion
  • Good avalanche effect 1 bit difference in
    plaintext quickly results in a large difference
    in bits, even after few rounds
  • Software implementations are slow
  • On IBM Mainframe 32,000 blocks / second
  • Hardware implementations are very fast
  • VLSI Technology 6868 (Gatekeeper) DESes in 8
    clock cycles
  • DEC built GaAs gate array that DESes 16.8 million
    blocks / second

16
DES Avalanche Effect
  • (a) Difference between two plaintexts with 1-bit
    original difference
  • (b) Difference between two keys with 1-bit
    original difference

17
Data Encryption Standard (DES)
  • Weak keys
  • All 0s, or all 1s in each half would result in
    same subkeys
  • Note if Kcomplement of K, then Ek(P)
    complement of Ek(P)
  • Claims that the S-boxes were weakened by the NSA
  • Notable DES Attacks
  • In 1990, Eli Biham and Adi Shamir presented
    differential cryptanalysis
  • A chosen-plaintext attack that uses two
    plaintexts with specific difference. Then, based
    on the difference in the ciphertext (and also
    internal rounds), one can update the a priori
    probability of keys
  • Similar to the T-attack that was originally
    developed at IBM and was classified by NSA
  • In 1993, Mitsuru Matsui showed linear
    cryptanalysis attack
  • Certain XORs of plaintext and ciphertext bits
    will result in a certain XOR of key bits with
    some probability p?1/2

18
EFFs DES Cracker
  • In 1996, a public debate about security of DES.
  • US Agencies (FBI, NSA) claiming that they cannot
    practically break DES (takes weeks on many
    computers)
  • Offer companies software export license in return
    for establishing a key recovery system
  • Electronic Frontier Foundation DES Cracker
    project
  • DES is slow in software but fast in hardware
  • Used easily available Field Programmable Gate
    Arrays
  • Total budget is 200,000
  • Used hardware to winnow false positives
    (plaintext recognizer) then software to test the
    remaining
  • A 1996 paper by top cryptographers suggests a
    minimum key size of 75 bits, and 90 bits needed
    to hold for 20 years

19
RC5
  • Also a block cipher, invented by Ron Rivest
    (1994)
  • Similar in structure to Feistel
  • Operations XORs, Additions (mod bitsize), and
    Rotations
  • Word-oriented, Low-cycle operations Fast in
    software
  • Variable length blocks, keys, and number of
    rounds (r)
  • Each block is made of 2 w-bits blocks (A, B)
    (w16,/32/64)
  • Each key is made of bx8 bits (0ltblt255 can be
    larger than a block)
  • Round keys (S2i , S2i1), each with w bits, are
    derived from the key
  • Encryption and decryption consist of r rounds
  • With 16 rounds, RC5 resists differential attack
  • 12 round RC5 shown susceptible with 244 chosen
    plaintexts
  • Data-dependent shifts is one of the innovations
    of RC5

20
RC5 Encryption and Decryption
B
A
  • S2i ,S2i1 are round sub-keys
  • Start AAS0 BBS1
  • In each encryption round (i1..r)
  • A((A ? B)ltltltB) S2i
  • B((A ? B)ltltltA) S2i1
  • In each decryption round (ir1)
  • B((B-S2i1)gtgtgtA) ? A
  • A((A-S2i)gtgtgtB) ? B
  • Finish AA-S0 BB-S1

S2i
S2i1
A
B
21
RC5 Subkey Generation
  • Sub-keys are a mix of original key with two words
  • POdd((e-2)2w) e is the natural log 2.71
  • QOdd((Phi-1)2w) Phi is golden ratio
    (1sqrt(5))/2 1.61
  • Initialize a c-word sub-key array
  • S0P
  • For i12r1
  • Si(Si-1Q)
  • Mix with key bits
  • L is a c-word array filled with 0-padded
    concatenation of key bits
  • c rounds the key bytes into words
  • ij0 AB0
  • Do 3n times (nmax2(r1),c)
  • A Si(Si AB)ltltlt3
  • B Lj(Lj AB)ltltlt(AB)
  • i(i1) mod 2(r1)
  • j(j1) mod c

22
Variants in Other Block Ciphers
  • Blowfish (Schneier)
  • Simple additions, XORs, and table lookups
  • Table lookups may require large memory
  • Variable key length
  • CAST
  • The round function differs from one round to next
  • Intl Data Encryption Alg (IDEA), Lai and Masey
  • Plaintext, key, and ciphertext are divided to 4
    parts
  • Uses XORs, additions, and multiplications in 8
    rounds
  • 128-bit key, 52 16-bit subkeys (can be
    independent)
  • Resists differential cryptanalysis
  • Used in PGP

23
Triple DES (3DES)
  • In 1999, DES becomes too weak
  • NIST replaces DES with 3DES
  • 3DES (EDE) uses three 56-bit keys
  • CEk3(Dk2(Ek1(P)))
  • PDk1(Ek2(Dk3(C)))
  • Note if K1K2 then 3DESDES
  • Double encryption doesnt work well
  • Merkle-Hellman chosen plaintext man-in-the-middle
    attack requires only 2n1 trials (instead of 22n)
  • Quintuple encryption also ok
  • CEk1(Dk2(Ek3(Dk2(Ek1(P)))

24
Stream Ciphers
Keystream Generator
Ki
Pi
Ci
  • A pseudorandom keystream generator
  • Keystream depends only on generating key
  • Keystream bits are XORed with the plaintext to
    produce the ciphertext, and vice-versa
  • Similar to one-time pads, except that not
    strictly random
  • Keystream period should be as long as possible
  • Other options
  • Keystream may change according also to previous
    encryptions, block index, etc.
  • In synchronous stream ciphers, keystream does not
    depend on text, otherwise, it is called
    self-synchronizing

25
RC4
  • Byte-based stream cipher, with variable key size
  • Uses an S-box, with all possible 8-bit
    key-entries
  • Initialized so that Sii, i0255
  • Sis are initially permuted, based on the key
  • j0
  • for i0 to 255
  • j(jSiKi) mod 256 // Ki is original key
  • Swap Si and Sj
  • In each iteration
  • Indices i,j are updated
  • ii1 mod 256 j(jSi) mod 256
  • Si and Sj are swapped for current i,j
  • KS(SiSj mod 256
  • The keystream K is then XORed with the plaintext
  • RC4 with up to 40-bit keys was approved by NSA,
    and is used in Lotus Notes, CDPD, WEP, and
    original SSL

26
Summary of Cryptographic Tools
  • Rounds structure
  • Key generation
  • Mixing key bits for confusion and diffusion
  • Use of state matrix for session key
  • Encryption
  • Mix round key with plaintext for
    confusion/diffusion
  • Bit permutation
  • Substitution with S-boxes for non-linearity
  • Data dependent operations (e.g., shifts) to add
    complexity
  • Use of processor-friendly operations for software
    speed
  • Key size, block size, many rounds add to security
  • Multi-application of encryption with more key
    bits
  • Block ciphers vs. Stream Ciphers

27
Advanced Encryption Standard (AES)
  • NIST put out the RFP in 1997
  • In meantime, 3DES replaces DES in 1999
  • Main criteria for evaluation
  • Security
  • Cost and performance of implementation
  • General evaluation of design features
  • Five finalists (out of 21)
  • In October 2000, NIST recommended Rijndael
  • Approved 2002

28
Rijndael Block Cipher
  • By Belgians Joan Daemen, and Vincent Rijmen
  • Variables block size and key size
  • Number of rounds determined by block and key size
  • Does not use Feistel structure
  • Instead, each round uses a state and 4 operations
  • Non-linear layer, uses optimized S-boxes, for
    confusion
  • 16x16 S-box with all byte values, and a separate
    inverse S-box
  • Linear mixing layer for diffusion
  • Row shifts on the state matrix
  • Column mixes on the state matrix
  • Key addition layer, using a simple XOR
  • AES set to use Rijndael with 128bit blocks, key
    size of 128-192-256 bits, and 10-12-14 rounds

29
Rijndael Structure
30
Rijndael Round
31
Next Class
  • Cipher Block Modes
  • Key Management
  • Message Authentication Using Conventional
    Cryptography
Write a Comment
User Comments (0)
About PowerShow.com