3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.
Transcript of 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.
![Page 1: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/1.jpg)
3DES and Block Cipher Modes of Operation
CSE 651: Introduction to Network Security
![Page 2: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/2.jpg)
Abstract
• We will discuss
– 2DES and 3DES
– AES (Advanced Encryption Standard)
– How to use block ciphers?
– RC4: a widely used stream cipher
– Problems with WEP’s use of RC4
![Page 3: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/3.jpg)
Multiple Encryption with DES
• DES is not secure enough.
• The once large key space, $2^{56}$, is now too small.
• In 2001, NIST published the Advanced Encryption Standard (AES) as an alternative.
• But users in commerce and finance are not ready to give up on DES.
• Solution: use DES multiple times with multiple keys.
![Page 4: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/4.jpg)
Double-DES
• Consider 2-DES with two keys:
$C = E_{K_2}(E_{K_1}(P))$
• Decryption: $P = D_{K_1}(D_{K_2}(C))$
• Key length: 56 x 2 = 112 bits
• This should have thwarted brute-force attacks?
• Wrong!
![Page 5: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/5.jpg)
Meet-in-the-Middle Attack on 2DES
• 2-DES: $C = E_{K_2}(E_{K_1}(P))$
• So, $X = E_{K_1}(P) = D_{K_2}(C)$
• Given a known pair (P, C), attack as follows:
– Encrypt P with all $2^{56}$ possible keys for $K_1$ and store the results in a table.
– Decrypt C with all $2^{56}$ possible keys for $K_2$ and look each result up in the table.
– If $E_{K_1'}(P) = D_{K_2'}(C)$, try the keys on another pair (P', C').
– If it works, $(K_1', K_2') = (K_1, K_2)$ with high probability.
– Takes $O(2^{56})$ steps (and $2^{56}$ table entries of memory); not much more than attacking 1-DES.
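The attack above, carried out end to end, as an added example that is not part of the lecture. DES itself cannot be brute-forced here, so the block cipher is a constructed toy Feistel cipher with a 16-bit block and a 12-bit key (assumption: its $2^{12}$ key space stands in for DES's $2^{56}$); the attack only needs the cipher to be a keyed permutation, so the procedure is the same. Note the confirmation step on extra known pairs: with a 16-bit block, the table lookup alone produces hundreds of chance matches.

```python
# Added example (not from the lecture slides): meet-in-the-middle on double
# encryption with a constructed toy cipher (16-bit block, 12-bit key).

KEY_BITS = 12
ROUNDS = 4


def _round_f(x: int, k: int) -> int:
    """Non-linear round function on an 8-bit half (squaring mod 256 is not linear)."""
    t = (x ^ k) & 0xFF
    t = (t * t + 3 * t + 1) & 0xFF
    return t ^ (t >> 4)


def _subkey(key: int, i: int) -> int:
    # Subkeys 0 and 1 together contain every key bit, so distinct keys are distinct ciphers.
    return ((key >> (4 * (i % 2))) ^ (0x5A * i)) & 0xFF


def toy_encrypt(key: int, block: int) -> int:
    l, r = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _round_f(r, _subkey(key, i))
    return (l << 8) | r


def toy_decrypt(key: int, block: int) -> int:
    l, r = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round_f(l, _subkey(key, i)), l
    return (l << 8) | r


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """2-DES analogue: C = E_K2(E_K1(P))."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs using about 2 * 2^KEY_BITS cipher
    calls for the two halves, instead of the 2^(2*KEY_BITS) a naive brute force
    would need. Returns (k1, k2, cipher_calls); confirmation calls are not counted."""
    p0, c0 = pairs[0]
    table = {}
    work = 0
    for k1 in range(1 << KEY_BITS):              # forward half: X = E_K1(P)
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
        work += 1
    for k2 in range(1 << KEY_BITS):              # backward half: X = D_K2(C)
        x = toy_decrypt(k2, c0)
        work += 1
        for k1 in table.get(x, ()):
            # A match on one pair is not proof (a 16-bit block gives many chance
            # collisions); confirm the candidate on the other known pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2, work
    return None


def demo():
    """Constructed scenario: secret keys chosen here, known pairs built from them."""
    secret_k1, secret_k2 = 0xABC, 0x123
    plaintexts = [0x1234, 0xBEEF, 0x0000, 0xC0DE]
    pairs = [(p, double_encrypt(secret_k1, secret_k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    k1, k2, work = demo()
    print(f"recovered K1={k1:#05x} K2={k2:#05x} with {work} cipher calls "
          f"(naive brute force: {1 << (2 * KEY_BITS)})")
```

The forward table costs $2^{12}$ entries of memory, which is the same trade the real attack makes at $2^{56}$; the second pass stops as soon as a candidate survives every known pair.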
![Page 6: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/6.jpg)
Triple DES with Two Keys
• A straightforward implementation would be:
$C = E_{K_1}(E_{K_2}(E_{K_1}(P)))$
• In practice: $C = E_{K_1}(D_{K_2}(E_{K_1}(P)))$
– Also referred to as EDE encryption
• Reason: if $K_1 = K_2$, then 3DES = 1DES. Thus, 3DES software can be used as single-DES.
• Standardized in ANSI X9.17 & ISO 8732
• No current known practical attacks
– What about the meet-in-the-middle attack?
![Page 7: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/7.jpg)
Meet-in-the-Middle Attack on 3DES
1. For each possible key for $K_1$, encrypt P to produce a possible value for A.
2. Using this A and C, attack the remaining 2DES (D under $K_2$, then E under $K_1$) to obtain a pair of keys $(K_2, K_1')$.
3. If $K_1' = K_1$, try the key pair $(K_1, K_2)$ on another (P', C').
4. If it works, $(K_1, K_2)$ is the key pair with high probability.
5. It takes $O(2^{55} \times 2^{56}) = O(2^{111})$ steps on average.

$P \xrightarrow{E_{K_1}} A \xrightarrow{D_{K_2}} B \xrightarrow{E_{K_1}} C$
![Page 8: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/8.jpg)
Triple DES with Three Keys
• Encryption: $C = E_{K_3}(D_{K_2}(E_{K_1}(P)))$.
• If $K_1 = K_3$, we have 3DES with 2 keys.
• If $K_1 = K_2 = K_3$, we have the regular DES.
• So, 3DES w/ 3 keys is backward compatible with 3DES w/ 2 keys and with the regular DES.
• Some internet applications have adopted 3DES with three keys.
– E.g. PGP and S/MIME.
![Page 9: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/9.jpg)
Finite Fields
Some mathematics used in AES
![Page 10: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/10.jpg)
Group

A group, denoted by $(G, *)$, is a set $G$ with a binary operation $*: G \times G \to G$ such that
1. $(a * b) * c = a * (b * c)$ (associative)
2. $\exists e \in G$ s.t. $\forall x \in G$, $e * x = x * e = x$ (identity)
3. $\forall x \in G$, $\exists y \in G$ s.t. $x * y = y * x = e$ (inverse)

A group $(G, *)$ is abelian if $\forall x, y \in G$, $x * y = y * x$.

Examples: $(\mathbb{Z}, +)$, $(\mathbb{Q}, +)$, $(\mathbb{Q} \setminus \{0\}, \cdot)$, $(\mathbb{R}, +)$, $(\mathbb{R} \setminus \{0\}, \cdot)$, $(\mathbb{Z}_n, +)$, $(\mathbb{Z}_n^*, \cdot)$, where $n$ is a positive integer.
![Page 11: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/11.jpg)
The Group $(\mathbb{Z}_n, +)$

$\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$.
For $a, b \in \mathbb{Z}_n$, we define $a + b = (a + b) \bmod n$.
For example, in $\mathbb{Z}_{10}$, $5 + 8 = 3$, $9 + 9 = 8$.
$a + 0 = a$ for every $a \in \mathbb{Z}_n$; 0 is the identity element.
Every $a \in \mathbb{Z}_n$ has an inverse, namely $n - a$ (in $\mathbb{Z}_{10}$, $10 - a$).
So, the inverse of 5 is 5, the inverse of 3 is 7.
We write the inverse of $a$ as $-a$.
![Page 12: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/12.jpg)
The Group $(\mathbb{Z}_n^*, \cdot)$

$\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n : \gcd(x, n) = 1\}$.
For $a, b \in \mathbb{Z}_n^*$, we define $a \cdot b = ab \bmod n$.
For example, in $\mathbb{Z}_{10}^* = \{1, 3, 7, 9\}$, $3 \cdot 7 = 1$, $9 \cdot 9 = 1$.
$a \cdot 1 = a$ for every $a \in \mathbb{Z}_n^*$; 1 is the identity element.
Every $a \in \mathbb{Z}_n^*$ has an inverse.
E.g., the inverse of 3 is 7, the inverse of 9 is 9.
We write the inverse of $a$ as $a^{-1}$.
![Page 13: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/13.jpg)
Field

A field, denoted by $(F, +, \cdot)$, is a set $F$ with two binary operations, $+$ and $\cdot$, such that
1. $(F, +)$ is an abelian group (with identity 0).
2. $(F \setminus \{0\}, \cdot)$ is an abelian group (with identity 1).
3. For all elements $a \in F$, $a \cdot 0 = 0 \cdot a = 0$.
4. $\forall x, y, z \in F$, $x \cdot (y + z) = x \cdot y + x \cdot z$ (distributive).

Example fields: $(\mathbb{Q}, +, \cdot)$, $(\mathbb{R}, +, \cdot)$.
$(\mathbb{Z}, +, \cdot)$ is not a field.
For any prime $p$, $(\mathbb{Z}_p, +, \cdot)$ is a field, often denoted as $\mathbb{F}_p$.
![Page 14: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/14.jpg)
The Field $\mathbb{F}_2$

There are only two numbers: 0 and 1.
Addition, subtraction and multiplication are as below:

  + | 0 1      - | 0 1      · | 0 1
  0 | 0 1      0 | 0 1      0 | 0 0
  1 | 1 0      1 | 1 0      1 | 0 1

Note: addition = subtraction = XOR.
Just call it modulo-2 arithmetic.
![Page 15: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/15.jpg)
Polynomials over a field

$\mathbb{Q}[x]$ = set of all polynomials with coefficients in $\mathbb{Q}$.
$F[x]$ = set of all polynomials with coefficients in $F$, where $F$ is a field.
$\mathbb{F}_p[x]$ = set of all polynomials with coefficients in $\mathbb{F}_p$, where $p$ is a prime.
$\mathbb{F}_2[x]$ = set of all polynomials with coefficients in $\mathbb{F}_2$.
![Page 16: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/16.jpg)
Addition & multiplication of polynomials

Consider $\mathbb{F}_2[x]$.
For $A(x), B(x) \in \mathbb{F}_2[x]$, define $A(x) + B(x)$ and $A(x) \cdot B(x)$ in a straightforward way.
Example: $A(x) = x^3 + x^2 + 1$, $B(x) = x^2 + x$.
$A(x) + B(x) = x^3 + (1+1)x^2 + x + 1 = x^3 + x + 1$.
$A(x) \cdot B(x) = x^5 + (1+1)x^4 + x^3 + x^2 + x = x^5 + x^3 + x^2 + x$.
$(\mathbb{F}_2[x], +, \cdot)$ is not a field, because any polynomial of degree $\geq 1$ does not have a multiplicative inverse.
![Page 17: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/17.jpg)
Finite fields (Galois fields)

Let $p(x) \in \mathbb{F}_2[x]$ be a fixed irreducible polynomial.
For $A(x) \in \mathbb{F}_2[x]$, $A(x) \bmod p(x)$ = remainder of $A(x)$ divided by $p(x)$.
Define $\mathbb{F}_2[x]/p(x) = \{A(x) \bmod p(x) : A(x) \in \mathbb{F}_2[x]\}$.
For $A(x), B(x) \in \mathbb{F}_2[x]/p(x)$, define
$A(x) + B(x) = (A(x) + B(x)) \bmod p(x)$
$A(x) \cdot B(x) = (A(x) \cdot B(x)) \bmod p(x)$
$(\mathbb{F}_2[x]/p(x), +, \cdot)$ is a field, denoted as $GF(2^n)$, where $n$ is the degree of $p(x)$.
![Page 18: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/18.jpg)
Galois field $GF(2^n)$

$GF(2^n)$ has $2^n$ elements.
Each element is a polynomial of degree $< n$, with coefficients in $\mathbb{F}_2 = \{0, 1\}$.
Think of each element/polynomial as a bit string of length $n$, and vice versa.
Thus, if $n = 8$, then $GF(2^8)$ consists of all polynomials of degree less than 8, or all bit strings of length 8.
e.g., $x^6 + x^5 + x^2 + 1 \leftrightarrow 01100101$
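The polynomial arithmetic of the last few slides, as an added example that is not part of the lecture: polynomials over $\mathbb{F}_2$ stored as Python ints (bit $i$ is the coefficient of $x^i$), the schoolbook product and the long division by $p(x)$ that the slides perform by hand, and a brute-force check that $\mathbb{F}_2[x]/p(x)$ is a field exactly when every nonzero element has an inverse. The function names and the choice of the AES modulus as the running example are this example's own.

```python
# Added example (not from the lecture slides): arithmetic in F_2[x] and in
# F_2[x]/p(x) with int-encoded polynomials (bit i = coefficient of x^i).

def poly_str(a: int) -> str:
    """Render an int-encoded polynomial, e.g. 0b1101 -> 'x^3 + x^2 + 1'."""
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if a >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms) if terms else "0"


def poly_add(a: int, b: int) -> int:
    """Coefficient-wise addition mod 2: (1+1)x^k vanishes, so this is XOR."""
    return a ^ b


def poly_mul(a: int, b: int) -> int:
    """Schoolbook product in F_2[x], no reduction; degree grows to deg a + deg b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_mod(a: int, p: int) -> int:
    """Remainder of a divided by p: subtract (XOR) shifted copies of p from the top,
    exactly the long division done by hand on the slides."""
    dp = p.bit_length() - 1
    while a and a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)
    return a


def gf_mul(a: int, b: int, p: int) -> int:
    """Multiplication in F_2[x]/p(x), i.e. in GF(2^n) when p is irreducible of degree n."""
    return poly_mod(poly_mul(a, b), p)


def gf_inverse(a: int, p: int):
    """Brute-force inverse in F_2[x]/p(x); None if a has none (a == 0, or p reducible)."""
    n = p.bit_length() - 1
    for b in range(1, 1 << n):
        if gf_mul(a, b, p) == 1:
            return b
    return None


def is_field(p: int) -> bool:
    """F_2[x]/p(x) is a field iff every nonzero element has an inverse, which for a
    polynomial modulus over F_2 is the same as p(x) being irreducible."""
    n = p.bit_length() - 1
    return all(gf_inverse(a, p) is not None for a in range(1, 1 << n))


AES_P = 0b100011011   # x^8 + x^4 + x^3 + x + 1, the modulus AES uses for GF(2^8)

if __name__ == "__main__":
    a, b = 0b1101, 0b110          # the slides' A(x) = x^3 + x^2 + 1, B(x) = x^2 + x
    print(f"({poly_str(a)}) + ({poly_str(b)}) = {poly_str(poly_add(a, b))}")
    print(f"({poly_str(a)}) * ({poly_str(b)}) = {poly_str(poly_mul(a, b))}")
    print(f"10001001 * 10000010 mod 100011011 = {gf_mul(0x89, 0x82, AES_P):08b}")
    print(f"x^4 + x + 1 gives a field: {is_field(0b10011)}; x^4 + 1: {is_field(0b10001)}")
```

$x^4 + 1 = (x + 1)^4$ over $\mathbb{F}_2$, so $x + 1$ has no inverse modulo it; that is the reducible case the definition excludes, and `is_field` detects it by finding an element with no inverse.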
![Page 19: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/19.jpg)
AES: Advanced Encryption Standard
![Page 20: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/20.jpg)
AES: Advanced Encryption Standard
• In 1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard.
• Requirements: block length of 128 bits, key lengths of 128, 192, and 256 bits.
• In 2000, the Rijndael cipher (by Rijmen and Daemen) was selected.
• An iterated cipher, with 10, 12, or 14 rounds.
• Rijndael allows various block lengths.
• But AES allows only one block size: 128 bits.
![Page 21: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/21.jpg)
Modulo-2 Arithmetic

There are only two numbers: 0 and 1.
Addition, subtraction and multiplication are as below:

  + | 0 1      - | 0 1      · | 0 1
  0 | 0 1      0 | 0 1      0 | 0 0
  1 | 1 0      1 | 1 0      1 | 0 1

Note: addition = subtraction = XOR.
![Page 22: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/22.jpg)
Byte-oriented operations

Each byte is viewed as a polynomial of degree $\leq 7$.
Suppose: $a = 10001001 = x^7 + x^3 + 1 = A(x)$,
$b = 10000010 = x^7 + x = B(x)$.
Addition and subtraction are simply bitwise XOR:
$a + b = 10001001 \oplus 10000010 = 00001011 = A(x) + B(x)$.
$a - b = 10001001 \oplus 10000010 = 00001011 = A(x) - B(x)$.
![Page 23: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/23.jpg)
Byte-oriented operations

Multiplication: "regular" polynomial multiplication modulo a fixed modulus $P(x)$, where
$P(x) = x^8 + x^4 + x^3 + x + 1 = 100011011$.
$a \cdot b = A(x) \cdot B(x) \bmod P(x)$
$= (x^7 + x^3 + 1)(x^7 + x) \bmod P(x)$
$= x^{14} + x^{10} + x^8 + x^7 + x^4 + x \bmod P(x)$
$= x^6 + x^5 + x^4 + x^3 + x^2 + x + 1$
i.e., $10001001 \cdot 10000010 \bmod 100011011$
$= 100010110010010 \bmod 100011011$
$= 01111111$
![Page 24: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/24.jpg)
Byte-oriented operations

For any nonzero byte $a$ (viewed as a polynomial), there is a unique byte $b$ (also viewed as a polynomial) such that $a \cdot b = b \cdot a = 1$.
This element is called the inverse of $a$, and is denoted by $a^{-1}$. (The zero byte has no inverse; in AES the inversion step maps 0 to 0 by convention.)
Mathematically, the set of all polynomials of degree $\leq 7$ forms a field, $GF(2^8)$, under the operations of addition and multiplication mod $P(x)$, where $P(x)$ is a fixed modulus.
![Page 25: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/25.jpg)
Structure of Rijndael

$N_b$: block size (number of words). For AES, $N_b = 4$.
$N_k$: key length (number of words).
$N_r$: number of rounds, depending on $N_b$, $N_k$.
Assume: $N_b = 4$, $N_k = 4$, $N_r = 10$.
state: a variable of 4 words, holding the data block, viewed as a $4 \times 4$ matrix of bytes; each column is a word.
Key schedule: 11 round keys $key_0, key_1, \ldots, key_{10}$ computed from the main key $k$.
![Page 26: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/26.jpg)
Rijndael algorithm

input: plaintext $m$, key $k$
1. state $\leftarrow m$
2. AddKey(state, $key_0$)
3. for $i \leftarrow 1$ to $N_r - 1$ do
4.     SubBytes(state)
5.     ShiftRows(state)
6.     MixColumns(state)
7.     AddKey(state, $key_i$)
8. SubBytes(state)
9. ShiftRows(state)
10. AddKey(state, $key_{N_r}$)
11. return(state)
![Page 27: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/27.jpg)
Figure 5.1 AES Encryption and Decryption
![Page 28: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/28.jpg)
AddKey(state, $key_i$)

state $\leftarrow$ state $\oplus$ $key_i$
![Page 29: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/29.jpg)
SubBytes(state)

For each byte $z$ in the matrix state, substitute $z$ with $S_{RD}(z) = A z^{-1} + b$, where the rows of $A$ are

10001111
11000111
11100011
11110001
11111000
01111100
00111110
00011111

and $b$ = 1100 0110.
![Page 30: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/30.jpg)
That is, treat $z$ as an element in $GF(2^8)$.
Find its multiplicative inverse $z^{-1}$ in $GF(2^8)$.
Now treat $z^{-1}$ as a vector of 0/1.
Multiply with $A$, and add the result to $b$.
If $z^{-1} = (z_0, z_1, \ldots, z_7)$, $b = (b_0, b_1, \ldots, b_7)$, and $S_{RD}(z) = (z'_0, z'_1, \ldots, z'_7)$, then
$z'_i = z_i \oplus z_{i+4} \oplus z_{i+5} \oplus z_{i+6} \oplus z_{i+7} \oplus b_i$
The indices should be interpreted as mod 8: $z_{i+k}$ means $z_{(i+k) \bmod 8}$.
![Page 31: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/31.jpg)
The function $S_{RD}(z) = A z^{-1} + b$ is Rijndael's S-box.
It can be specified as a table (Table 5.4 of Stallings).
![Page 32: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/32.jpg)
ShiftRows(state)

Left-shift row $i$ circularly by $i$ bytes, $0 \leq i \leq 3$.

  a b c d        a b c d
  e f g h   -->  f g h e
  i j k l        k l i j
  m n o p        p m n o
![Page 33: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/33.jpg)
MixColumns(state)

Operates on each column of the matrix state.
View each column $(a_0, a_1, a_2, a_3)$ as a polynomial with coefficients in $GF(2^8)$:
$a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$
A fixed polynomial: $c(x) = 03\,x^3 + 01\,x^2 + 01\,x + 02$.
The MixColumns operation maps each column
$a(x) \mapsto c(x) \cdot a(x) \bmod (x^4 + 1)$
![Page 34: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/34.jpg)
Rijndael Decryption

Each step of Rijndael encryption is invertible.
![Page 35: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/35.jpg)
Rijndael key schedule

Assume: $N_b = 4$, $N_k = 4$, $N_r = 10$.
The secret key $key$, having 4 words, is expanded to 44 words.
Every four words are used as a round key.
$ExpKey[0..43]$: an array of words.
Initialization: $ExpKey[0..3] \leftarrow key$.
For $4 \leq j \leq 43$,
$ExpKey[j] \leftarrow ExpKey[j-4] \oplus f(ExpKey[j-1])$ if $j \bmod 4 = 0$
$ExpKey[j] \leftarrow ExpKey[j-4] \oplus ExpKey[j-1]$ else
$f: (a_0, a_1, a_2, a_3) \mapsto (S_{RD}(a_1) \oplus RC[j/4],\ S_{RD}(a_2),\ S_{RD}(a_3),\ S_{RD}(a_0))$
where $S_{RD}$ is as in SubBytes, and $RC[i] = x^{i-1} \bmod P(x)$.
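The whole of Rijndael as the slides describe it (byte arithmetic mod $P(x)$, $S_{RD}(z) = A z^{-1} + b$ computed bit by bit from the formula for $z'_i$, ShiftRows and MixColumns on the $4 \times 4$ column-major state, the ExpKey schedule with $RC[i] = x^{i-1}$, and the 11-line encryption procedure), as an added example that is not part of the lecture. It is written for readability, not speed or side-channel resistance (the table-free inversion and the brute-force S-box construction are this example's choices), and it is checked against the FIPS-197 Appendix C AES-128 test vector.

```python
# Added example (not from the lecture slides): AES-128 built step by step from
# the slides' description, verified against the FIPS-197 Appendix C.1 vector.

P_X = 0x11B                      # x^8 + x^4 + x^3 + x + 1 (100011011)


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over F_2, reducing by P(x) as we go."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= P_X
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """z^-1 in GF(2^8) as z^254 (z^255 = 1 for z != 0); 0 maps to 0 by convention."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def s_rd(z: int) -> int:
    """S_RD(z) = A z^-1 + b, i.e. z'_i = z_i ^ z_{i+4} ^ z_{i+5} ^ z_{i+6} ^ z_{i+7} ^ b_i (mod 8)."""
    zb = [(gf_inv(z) >> i) & 1 for i in range(8)]      # z^-1 as bits z_0 .. z_7
    b = [1, 1, 0, 0, 0, 1, 1, 0]                        # b = 1100 0110 (0x63)
    out = 0
    for i in range(8):
        zi = zb[i] ^ zb[(i + 4) % 8] ^ zb[(i + 5) % 8] ^ zb[(i + 6) % 8] ^ zb[(i + 7) % 8] ^ b[i]
        out |= zi << i
    return out


SBOX = [s_rd(z) for z in range(256)]

# The state is 16 bytes in column-major order: byte r + 4c is row r, column c.


def sub_bytes(s):
    return [SBOX[x] for x in s]


def shift_rows(s):
    """Row r is rotated left by r positions: new (r, c) takes old (r, c + r)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Each column a(x) becomes c(x) * a(x) mod (x^4 + 1) with c(x) = 03x^3 + 01x^2 + 01x + 02."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
                a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
                a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
                gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]
    return out


def add_key(s, k):
    return [x ^ y for x, y in zip(s, k)]


def expand_key(key: bytes):
    """ExpKey[0..43] as words; returns the 11 round keys key_0 .. key_10 (16 bytes each)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rc = 1                                              # RC[1] = x^0; RC[i] = x * RC[i-1] mod P(x)
    for j in range(4, 44):
        t = w[j - 1]
        if j % 4 == 0:                                  # f(a0,a1,a2,a3) = (S(a1)^RC, S(a2), S(a3), S(a0))
            t = [SBOX[t[1]] ^ rc, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rc = gf_mul(rc, 2)
        w.append([x ^ y for x, y in zip(w[j - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt(block: bytes, key: bytes) -> bytes:
    """The 11-line Rijndael algorithm from the slides with N_r = 10."""
    rk = expand_key(key)
    s = add_key(list(block), rk[0])
    for i in range(1, 10):
        s = add_key(mix_columns(shift_rows(sub_bytes(s))), rk[i])
    s = add_key(shift_rows(sub_bytes(s)), rk[10])
    return bytes(s)


if __name__ == "__main__":
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")       # FIPS-197 C.1
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    print(aes128_encrypt(pt, key).hex())                        # 69c4e0d86a7b0430d8cdb78070b4c55a
```

Because SBOX is generated from the inverse-plus-affine definition rather than copied from Stallings' Table 5.4, a wrong bit anywhere in the GF($2^8$) arithmetic shows up immediately as a failed test vector; that is also why the multiplication example from the byte-operations slide (10001001 · 10000010 = 01111111) is a useful first check.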
![Page 36: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/36.jpg)
Modes of Operations
![Page 37: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/37.jpg)
How to use a block cipher?
• Block ciphers encrypt fixed size blocks
– E.g. DES encrypts 64-bit blocks
• We need some way to encrypt arbitrary amounts of data
– E.g. a message of 1000 bytes
• NIST defines five ways to do it
– Called modes of operation
– Including block and stream modes
![Page 38: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/38.jpg)
Five Modes of Operation
– Electronic codebook mode (ECB)
– Cipher block chaining mode (CBC) – most popular
– Output feedback mode (OFB)
– Cipher feedback mode (CFB)
– Counter mode (CTR)
![Page 39: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/39.jpg)
Electronic Code Book (ECB)
• The plaintext is broken into blocks, P1, P2, P3, ...
• Each block is encrypted independently of the other blocks
Ci = EK(Pi)
• For a given key, this mode behaves like we have a gigantic codebook, in which each plaintext block has an entry, hence the name Electronic Code Book
![Page 40: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/40.jpg)
Remarks on ECB
• Strength: it’s simple.
• Weakness:
– Repetitive information contained in the plaintext may show in the ciphertext, if aligned with blocks.
– If the same message (e.g., your SSN) is encrypted (with the same key) and sent twice, their ciphertexts are the same.
• Typical application: secure transmission of short pieces of information (e.g. an encryption key)
![Page 41: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/41.jpg)
Cipher Block Chaining (CBC)

The plaintext is broken into blocks: $P_1, P_2, P_3, \ldots$
Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name):
$C_i = E_K(C_{i-1} \oplus P_i)$
$C_0 = IV$
Use an Initial Vector IV to start the process.
Decryption: $P_i = C_{i-1} \oplus D_K(C_i)$
Application: general block-oriented transmission.
![Page 42: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/42.jpg)
Cipher Block Chaining (CBC)
![Page 43: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/43.jpg)
Remarks on CBC
• The same key is used for all blocks.
• A ciphertext block depends on all blocks before it.
• So, repeated plaintext blocks are encrypted differently.
• Initialization Vector (IV)
– Must be known to both the sender & receiver
– Typically, IV is either a fixed value
– Or is sent encrypted in ECB mode before the rest of the message.
– Caveat: with a fixed IV, two messages that start with the same block produce the same first ciphertext block, so the ECB weakness returns for that block; current practice (NIST SP 800-38A) is a fresh, unpredictable IV for every message, which need not be secret and can be sent in the clear.
![Page 44: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/44.jpg)
Message Padding
• The last plaintext block may be short of a whole block and needs padding:
• Possible padding:
– Known non-data values (e.g. nulls)
– Or a number indicating the size of the pad
– Or a number indicating the size of the plaintext
– The last two schemes may require an extra block.
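Two of the padding schemes listed above, as an added example that is not part of the lecture: the "number indicating the size of the pad" scheme in its common PKCS#7 form (every pad byte holds the pad length), including the extra-block case the slide mentions and the validation a receiver must do before trusting that byte, beside the null-padding scheme and the ambiguity it has when real data ends in a null. The block size of 8 matches the DES blocks used on the slides.

```python
# Added example (not from the lecture slides): pad-length padding (PKCS#7 style)
# with strict unpadding, beside null padding and its failure mode.

BLOCK = 8   # DES-sized blocks, as in the slides


def pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append n bytes each of value n, 1 <= n <= block. A plaintext that already
    fills its last block gets a whole extra block of padding, so the receiver
    can never mistake real data for the pad."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip the pad; raise ValueError on anything that is not a valid pad
    (a receiver that trusts the last byte blindly can be made to drop or keep
    the wrong number of bytes)."""
    if not data or len(data) % block:
        raise ValueError("data length is not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def pad_nulls(data: bytes, block: int = BLOCK) -> bytes:
    """Fill the last block with nulls; never needs an extra block."""
    return data + b"\x00" * (-len(data) % block)


def unpad_nulls(data: bytes) -> bytes:
    """Cannot tell padding nulls from trailing nulls that were part of the data."""
    return data.rstrip(b"\x00")


if __name__ == "__main__":
    print(pad(b"A" * 8).hex())                 # 16 bytes: a full extra block of 0x08
    print(unpad_nulls(pad_nulls(b"abc\x00")))  # b'abc': the data's own null is lost
```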
![Page 45: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/45.jpg)
Cipher feedback mode (basic version)
• Plaintext blocks: $p_1, p_2, \ldots$
• Key: $k$
• Basic idea: construct key stream $k_1, k_2, k_3, \ldots$
• Encryption:
$c_0 = IV$
$k_i = E_k(c_{i-1})$, for $i \geq 1$
$c_i = p_i \oplus k_i$, for $i \geq 1$
![Page 46: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/46.jpg)
Cipher Feedback (CFB) Mode

The plaintext is divided into segments of $s$ bits (where $s \leq$ block-size): $P_1, P_2, P_3, P_4, \ldots$
Encryption is used to generate a sequence of keys, each of $s$ bits: $K_1, K_2, K_3, K_4, \ldots$
The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$.
How to generate the key stream?
![Page 47: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/47.jpg)
Generating Key Stream for CFB

The input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.
Initially, $x_1 = $ an initial vector (IV).
For $i > 1$, $x_i = $ shift-left-$s$-bits$(x_{i-1}) \,\|\, C_{i-1}$.
Then, $K_i = s$-most-significant-bits$(E_K(x_i))$.
![Page 48: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/48.jpg)
Encryption in CFB Mode
![Page 49: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/49.jpg)
Decryption in CFB Mode

Generate key stream $K_1, K_2, K_3, K_4, \ldots$ the same way as for encryption.
Then decrypt each ciphertext segment as: $P_i = C_i \oplus K_i$
![Page 50: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/50.jpg)
Remark on CFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and all preceding plaintext segments.
• A corrupted ciphertext segment during transmission will affect the current and next several plaintext segments.
– How many plaintext segments will be affected? The corrupted segment itself, plus the next $\lceil n/s \rceil$ segments ($n$ = block size), i.e. until the bad segment has been shifted out of the register.
![Page 51: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/51.jpg)
Output Feedback (OFB) Mode

Very similar to Cipher Feedback in structure.
But rather than $C_{i-1}$, $K_{i-1}$ is fed back to the next stage.
As in CFB, the input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.
Initially, $x_1 = $ an initial vector (IV).
For $i > 1$, $x_i = $ shift-left-$s$-bits$(x_{i-1}) \,\|\, K_{i-1}$.
Then, $K_i = s$-most-significant-bits$(E_K(x_i))$.
![Page 52: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/52.jpg)
Cipher Feedback
Output Feedback
![Page 53: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/53.jpg)
Remark on OFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• Advantage:
– more resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.
• Disadvantage:
– Cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly.
• IV should be generated randomly each time and sent with the ciphertext.
![Page 54: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/54.jpg)
Counter Mode (CTR)
• A counter T is initialized to some IV and then incremented by 1 for each subsequent plaintext block.
• Encryption:
$T_1 = IV$
$T_i = T_{i-1} + 1$
$C_i = P_i \oplus E_K(T_i)$
![Page 55: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/55.jpg)
Remark on CTR
• Strengths:
– Needs only the encryption algorithm (so do CFB and OFB)
– Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel; good for high speed links
– Random access to encrypted data blocks
• As in OFB, IV should not be reused.
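The three stream-style modes (CFB with $s$-byte segments and its shift register, OFB, CTR), as an added example that is not part of the lecture, built to exercise the remarks above: only $E_K$ is ever called; corrupting one CFB ciphertext segment damages that segment plus the next $\lceil n/s \rceil$, while the same corruption in OFB or CTR damages exactly one; CTR decrypts any block on its own; and reusing an IV in OFB leaks $P_1 \oplus P_2$. Assumption: $E_K$ is a stand-in keyed one-way function built from SHA-256 rather than DES or AES, which is sufficient because none of these three modes needs the decryption direction (ECB and CBC, which do, are therefore not covered here). The key, IV and plaintext are constructed samples.

```python
# Added example (not from the lecture slides): CFB, OFB and CTR over a
# stand-in E_K, with error-propagation and IV-reuse experiments.

import hashlib

BLOCK = 8   # n = 64-bit block, as with DES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, x: bytes) -> bytes:
    """Stand-in for E_K: a keyed, one-way pseudorandom function (not a real cipher)."""
    return hashlib.sha256(key + x).digest()[:BLOCK]


def cfb_encrypt(key, iv, plaintext, s=1):
    """CFB with s-byte segments: x_i = shift-left(x_{i-1}) || C_{i-1},
    K_i = first s bytes of E_K(x_i), C_i = P_i xor K_i."""
    x, out = iv, bytearray()
    for i in range(0, len(plaintext), s):
        c = xor(plaintext[i:i + s], E(key, x)[:s])
        out += c
        x = (x + c)[-BLOCK:]        # shift register: drop s bytes, append C_i
    return bytes(out)


def cfb_decrypt(key, iv, ciphertext, s=1):
    x, out = iv, bytearray()
    for i in range(0, len(ciphertext), s):
        c = ciphertext[i:i + s]
        out += xor(c, E(key, x)[:s])
        x = (x + c)[-BLOCK:]        # driven by ciphertext, so a bad C_i poisons
    return bytes(out)               # the next ceil(n/s) keystream segments


def ofb_crypt(key, iv, data, s=1):
    """OFB: same register, but the keystream segment K_{i-1} is fed back, not C_{i-1}.
    Encryption and decryption are the same operation."""
    x, out = iv, bytearray()
    for i in range(0, len(data), s):
        k = E(key, x)[:s]
        out += xor(data[i:i + s], k)
        x = (x + k)[-BLOCK:]
    return bytes(out)


def ctr_keystream_block(key, iv, j):
    """E_K(T_j) with T_j = IV + j, computable for any j without the others."""
    t = (int.from_bytes(iv, "big") + j) % (1 << (8 * BLOCK))
    return E(key, t.to_bytes(BLOCK, "big"))


def ctr_crypt(key, iv, data):
    out = bytearray()
    for j in range(-(-len(data) // BLOCK)):
        out += xor(data[j * BLOCK:(j + 1) * BLOCK], ctr_keystream_block(key, iv, j))
    return bytes(out)


def ctr_decrypt_block(key, iv, ciphertext, j):
    """Random access: recover plaintext block j alone."""
    return xor(ciphertext[j * BLOCK:(j + 1) * BLOCK], ctr_keystream_block(key, iv, j))


def affected_positions(decrypt, plaintext, ciphertext, pos):
    """Flip one bit of ciphertext byte `pos`, decrypt, and return the indices of
    the plaintext bytes that come out wrong."""
    bad = bytearray(ciphertext)
    bad[pos] ^= 0x80
    return [i for i, (p, q) in enumerate(zip(plaintext, decrypt(bytes(bad)))) if p != q]


# Constructed sample material, not real keys or traffic.
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
PT = b"ATTACK AT DAWN. " * 3


def error_propagation():
    """Return {mode: indices damaged by corrupting ciphertext byte 5}."""
    return {
        "cfb": affected_positions(lambda c: cfb_decrypt(KEY, IV, c), PT, cfb_encrypt(KEY, IV, PT), 5),
        "ofb": affected_positions(lambda c: ofb_crypt(KEY, IV, c), PT, ofb_crypt(KEY, IV, PT), 5),
        "ctr": affected_positions(lambda c: ctr_crypt(KEY, IV, c), PT, ctr_crypt(KEY, IV, PT), 5),
    }


def iv_reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Two OFB messages under the same key and IV: C1 xor C2 == P1 xor P2."""
    return xor(ofb_crypt(KEY, IV, p1), ofb_crypt(KEY, IV, p2))


if __name__ == "__main__":
    for mode, idx in error_propagation().items():
        print(f"{mode}: corrupting ciphertext byte 5 damages plaintext bytes {idx}")
```

With $n = 8$ bytes and $s = 1$, the CFB damage spans bytes 5 through 13 (the corrupted segment and the eight keystream segments computed while it sits in the register); OFB and CTR damage only byte 5, which is the "more resistant to transmission errors" property of OFB stated above, at the price that a lost segment desynchronises everything after it.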
![Page 56: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/56.jpg)
Stream Ciphers
![Page 57: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/57.jpg)
Stream Cipher Diagram
![Page 58: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/58.jpg)
Stream Ciphers

Typically, process the plaintext byte by byte.
So, the plaintext is a stream of bytes: $P_1, P_2, P_3, \ldots$
Use a key $K$ as the seed to generate a sequence of pseudorandom bytes (keystream): $K_1, K_2, K_3, \ldots$
The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$.
Various stream ciphers differ in the way they generate keystreams.
![Page 59: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/59.jpg)
Stream Ciphers

For a stream cipher to be secure, the keystream should have a large period, and should be as random as possible, each of the 256 values appearing about equally often.
The same keystream must not be reused. That is, the input key $K$ must be different for each plaintext.
![Page 60: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/60.jpg)
The RC4 Stream Cipher
• Designed by Ron Rivest in 1987 for RSA Security.
• Kept as a trade secret until leaked out in 1994.
• The most popular stream cipher.
• Simple and fast.
• With a 128-bit key, the period is $> 10^{100}$.
• Used in the SSL/TLS standards (for secure Web communication), IEEE 802.11 wireless LAN standard, Microsoft Point-to-Point Encryption, and many others.
![Page 61: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/61.jpg)
RC4

Two vectors of 256 bytes:
$S[0], S[1], S[2], \ldots, S[255]$
$T[0], T[1], T[2], \ldots, T[255]$
Key: variable length, from 1 to 256 bytes
Initialization:
1. $S[i] \leftarrow i$, for $0 \leq i \leq 255$
2. $T[i] \leftarrow K[i \bmod \text{key-length}]$, for $0 \leq i \leq 255$
(i.e., fill up $T[0..255]$ with the key repeatedly.)
![Page 62: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/62.jpg)
RC4: Initial Permutation

Initial Permutation of $S$:
$j \leftarrow 0$
for $i \leftarrow 0$ to 255 do
    $j \leftarrow (j + S[i] + T[i]) \bmod 256$
    Swap $S[i], S[j]$
This part of RC4 is generally known as the Key Scheduling Algorithm (KSA).
After KSA, the input key and the temporary vector $T$ will no longer be used.
![Page 63: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/63.jpg)
RC4: Key Stream Generation

Key stream generation:
$i, j \leftarrow 0$
while (true)
    $i \leftarrow (i + 1) \bmod 256$
    $j \leftarrow (j + S[i]) \bmod 256$
    Swap $S[i], S[j]$
    $t \leftarrow (S[i] + S[j]) \bmod 256$
    $k \leftarrow S[t]$
    output $k$
![Page 64: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/64.jpg)
Security of RC4
• The keystream generated by RC4 is biased.
– The second byte is biased toward zero with high probability.
– The first few bytes are strongly non-random and leak information about the input key.
• Defense: discard the initial n bytes of the keystream.
– Called “RC4-drop[n-bytes]”.
– Recommended values for n = 256, 768, or 3072 bytes.
• Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
![Page 65: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/65.jpg)
Problems with WEP’s use of RC4
• WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LAN.
• WEP requires each packet to be encrypted with a separate RC4 key.
• The RC4 key for each packet is a concatenation of a 24-bit IV (initialization vector) and a 40 or 104-bit long-term key.

RC4 key = IV (24 bits) ‖ Long-term key (40 or 104 bits)
![Page 66: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/66.jpg)
802.11 frames using WEP

Header | IV | Packet | ICV | FCS
(Packet and ICV are the encrypted part)
• ICV: integrity check value
• FCS: frame check sequence
• Both use CRC32
![Page 67: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/67.jpg)
• Fluhrer, Mantin, and Shamir showed that:
• If the same secret key is used with numerous IVs, and the attacker can obtain the first word of RC4 output (keystream) corresponding to each IV, then he can construct the secret key with little effort.
• The first word is known for many plaintext packets.
• Recall: Ciphertext = plaintext XOR keystream
• So, the first word of RC4 output (keystream) can be obtained.
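RC4 as written on the KSA and PRGA slides, RC4-drop[n], and the WEP per-packet key and frame body from the slides above, as an added example that is not part of the lecture. The last two functions show what the Fluhrer, Mantin and Shamir observation needs from each captured frame: with the first plaintext byte known, ciphertext byte 0 XOR that byte is the first keystream byte for that IV. The long-term key, IVs and packet bytes are constructed samples; the claim that WEP plaintext begins with the 0xAA of the 802.2 LLC/SNAP header is a fact about 802.11 framing that the slides only allude to ("the first word is known"), and the little-endian ICV byte order is this example's assumption.

```python
# Added example (not from the lecture slides): RC4 KSA/PRGA, RC4-drop[n], the
# WEP per-packet key IV || long-term key, and the FMS first-byte observation.

import zlib


def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: S <- identity, T <- key repeated, then the swap loop."""
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, drop: int = 0):
    """PRGA generator; `drop` implements RC4-drop[n] by discarding the first n bytes."""
    S = rc4_ksa(key)
    i = j = 0
    produced = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        if produced >= drop:
            yield k
        produced += 1


def rc4_keystream_bytes(key: bytes, n: int, drop: int = 0) -> bytes:
    ks = rc4_keystream(key, drop)
    return bytes(next(ks) for _ in range(n))


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)


def wep_packet_key(iv: bytes, long_term_key: bytes) -> bytes:
    """WEP: RC4 key = IV (24 bits) || long-term key (40 or 104 bits)."""
    if len(iv) != 3 or len(long_term_key) not in (5, 13):
        raise ValueError("WEP IV is 3 bytes; long-term key is 5 or 13 bytes")
    return iv + long_term_key


def wep_encrypt_frame_body(iv: bytes, long_term_key: bytes, packet: bytes) -> bytes:
    """Encrypted part of a WEP frame: packet || ICV with ICV = CRC32(packet).
    (Little-endian ICV byte order is an assumption of this example.)"""
    icv = zlib.crc32(packet).to_bytes(4, "little")
    return rc4_crypt(wep_packet_key(iv, long_term_key), packet + icv)


def first_keystream_byte(ciphertext: bytes, known_p0: int = 0xAA) -> int:
    """What the FMS attack collects per IV: K_1 = C_1 xor P_1, with P_1 known
    (0xAA, the first byte of the 802.2 LLC/SNAP header in WEP frames)."""
    return ciphertext[0] ^ known_p0


def fms_observation(iv: bytes, long_term_key: bytes, packet: bytes):
    """One (IV, first keystream byte) sample, as an eavesdropper obtains it from a
    frame whose first plaintext byte is known; the IV travels in the clear."""
    body = wep_encrypt_frame_body(iv, long_term_key, packet)
    return iv, first_keystream_byte(body, packet[0])


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())      # bbf316e8d940af0ad3
    ltk = b"\x0a" * 5                                  # constructed 40-bit key
    packet = b"\xaa\xaa\x03" + b"constructed payload"
    for iv in (b"\x01\x02\x03", b"\x03\xff\x01"):
        print(fms_observation(iv, ltk, packet))
```

Each observation pairs an IV the attacker already has (it is sent in the clear) with the one keystream byte the FMS analysis consumes; the attack itself, which turns enough such pairs into the long-term key, is outside this example.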
![Page 68: 3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649f055503460f94c19621/html5/thumbnails/68.jpg)
• Tews, Weinmann, and Pyshkin wrote an article, “Breaking 104 bit WEP in less than 60 seconds,” discussing how to discover the RC4 key by analyzing the easily identified ARP packets.
• ARP: Address Resolution Protocol.