4-More-on-Sym-Ciphers.ppt


Transcript of 4-More-on-Sym-Ciphers.ppt

  • 7/27/2019 4-More-on-Sym-Ciphers.ppt

    Slide 1/68: 3DES and Block Cipher Modes of Operation

    CSE 651: Introduction to Network Security

  • Slide 2/68: Abstract

    We will discuss:

    - 2DES and 3DES
    - AES (Advanced Encryption Standard)
    - How to use block ciphers?
    - RC4: a widely used stream cipher
    - Problems with WEP's use of RC4

  • Slide 3/68: Multiple Encryption with DES

    DES is not secure enough: the once-large key space, 2^56, is now too small.

    In 2001, NIST published the Advanced Encryption Standard (AES) as an alternative.
    But users in commerce and finance are not ready to give up on DES.

    Solution: use DES multiple times with multiple keys.

  • Slide 4/68: Double-DES

    Consider 2-DES with two keys:

    Encryption: C = E_K2(E_K1(P))
    Decryption: P = D_K1(D_K2(C))
    Key length: 56 x 2 = 112 bits

    This should have thwarted brute-force attacks? Wrong!

  • Slide 5/68: Meet-in-the-Middle Attack on 2DES

    2-DES: C = E_K2(E_K1(P)), so X = E_K1(P) = D_K2(C).

    Given a known pair (P, C), attack as follows:

    1. Encrypt P with all 2^56 possible keys K1' for K1.
    2. Decrypt C with all 2^56 possible keys K2' for K2.
    3. If E_K1'(P) = D_K2'(C), try the keys on another (P, C).
    4. If it works, (K1', K2') = (K1, K2) with high probability.

    Takes O(2^56) steps; not much more than attacking 1-DES.

  • Slide 6/68: Triple DES with Two Keys

    A straightforward implementation would be: C = E_K1(E_K2(E_K1(P)))

    In practice: C = E_K1(D_K2(E_K1(P))), also referred to as EDE encryption.

    Reason: if K1 = K2, then 3DES = 1DES. Thus 3DES software can be used as single DES.

    Standardized in ANSI X9.17 & ISO 8732.

    No current known practical attacks.

    What about the meet-in-the-middle attack?

  • Slide 7/68: Meet-in-the-Middle Attack on 3DES

    [Diagram: P --E(K1)--> A --D(K2)--> B --E(K1)--> C]

    1. For each possible key K1' for K1, encrypt P to produce a possible value for A.
    2. Using this A and C, attack the 2DES (D_K2 followed by E_K1) to obtain a pair of keys (K2', K1'').
    3. If K1'' = K1', try the key pair (K1', K2') on another (C, P).
    4. If it works, (K1', K2') is the key pair with high probability.
    5. It takes O(2^55 x 2^56) = O(2^111) steps on average.

  • Slide 8/68: Triple DES with Three Keys

    Encryption: C = E_K3(D_K2(E_K1(P))).

    If K1 = K3, we have 3DES with 2 keys.
    If K1 = K2 = K3, we have the regular DES.

    So 3DES with 3 keys is backward compatible with 3DES with 2 keys and with the regular DES.

    Some internet applications have adopted 3DES with three keys, e.g. PGP and S/MIME.
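    The meet-in-the-middle idea of slides 5-7 and the EDE compatibility remark of slide 6, worked through in code. This is an added example, not part of the slide deck: it uses a made-up 16-bit-block toy Feistel cipher with 12-bit keys (so the whole search takes a fraction of a second), constructed sample keys 0x3A5 and 0xC71, and helper names of my own. Real DES has 56-bit keys, but the structure of the attack, roughly 2 x 2^k work plus a table instead of 2^(2k) trial double-encryptions, is exactly what the slides describe.

```python
# Added example: meet-in-the-middle on double encryption, using a toy cipher (not DES).
KEY_BITS = 12

def _f(r, sk):
    # Round function: XOR with subkey, affine mixing, rotate left by 3.
    # Any function works here; a Feistel network is invertible regardless of f.
    v = ((r ^ sk) * 167 + 0x5B) & 0xFF
    return ((v << 3) | (v >> 5)) & 0xFF

def _subkeys(k):
    # Four 8-bit subkeys derived from the 12-bit key (constructed schedule, not a real one)
    return [(k >> 4) & 0xFF, k & 0xFF, ((k >> 2) ^ 0xA5) & 0xFF, ((k >> 6) ^ (k << 2)) & 0xFF]

def toy_encrypt(p, k):
    l, r = p >> 8, p & 0xFF
    for sk in _subkeys(k):
        l, r = r, l ^ _f(r, sk)
    return (l << 8) | r

def toy_decrypt(c, k):
    l, r = c >> 8, c & 0xFF
    for sk in reversed(_subkeys(k)):
        l, r = r ^ _f(l, sk), l
    return (l << 8) | r

def double_encrypt(p, k1, k2):
    # 2-DES structure from slide 4: C = E_K2(E_K1(P))
    return toy_encrypt(toy_encrypt(p, k1), k2)

def ede_encrypt(p, k1, k2):
    # Two-key 3DES structure from slide 6: C = E_K1(D_K2(E_K1(P)));
    # with k1 == k2 this collapses to a single encryption, as the slide states.
    return toy_encrypt(toy_decrypt(toy_encrypt(p, k1), k2), k1)

def meet_in_the_middle(pairs):
    """Candidate (k1, k2) pairs for double encryption, from known (P, C) pairs.
    Cost: 2^KEY_BITS encryptions + 2^KEY_BITS decryptions + dictionary lookups."""
    (p1, c1), *rest = pairs
    # Step 1: encrypt P under every K1 and index the middle value X = E_K1(P)
    middle = {}
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(toy_encrypt(p1, k1), []).append(k1)
    # Step 2: decrypt C under every K2; a hit means E_K1(P) = D_K2(C)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        for k1 in middle.get(toy_decrypt(c1, k2), ()):
            # Step 3: keep only pairs that also explain the remaining known pairs
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates

def demo():
    k1, k2 = 0x3A5, 0xC71   # constructed secret keys the search must recover
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x1234, 0xBEEF, 0x0001)]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in demo()])
```

    With three known pairs the false matches from step 2 (about 2^12 x 2^12 / 2^16 of them on a 16-bit block) are all eliminated in step 3, and the table built in step 1 is what turns the 2^24 key-pair space into about 2^13 cipher calls.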

  • Slide 9/68: Finite Fields

    Some mathematics used in AES

  • Slide 10/68: Group

    A group, denoted by (G, *), is a set G with a binary operation * : G x G -> G such that

    1. (a * b) * c = a * (b * c)  (associative)
    2. There exists e in G s.t. for all x in G, e * x = x * e = x  (identity)
    3. For all x in G there exists y in G s.t. x * y = y * x = e  (inverse)

    A group (G, *) is abelian if for all x, y in G, x * y = y * x.

    Examples: (Z, +), (Q, +), (Q \ {0}, ·), (R, +), (R \ {0}, ·), (Z_n, +), (Z_n^*, ·), where n is a positive integer.

  • Slide 11/68: The Group (Z_n, +)

    Z_n = {0, 1, 2, ..., n-1}

    For a, b in Z_n, we define a + b = (a + b) mod n.

    For example, in Z_10: 5 + 8 = 3, 9 + 9 = 8.

    0 + a = a for every a in Z_n; 0 is the identity element.

    Every a in Z_10 has an inverse, namely 10 - a.
    So, the inverse of 5 is 5, the inverse of 3 is 7.

    We write the inverse of a as -a.

  • Slide 12/68: The Group (Z_n^*, ·)

    Z_n^* = {x in Z_n : gcd(x, n) = 1}

    For a, b in Z_n^*, we define a · b = (a · b) mod n.

    For example, in Z_10^* = {1, 3, 7, 9}: 3 · 7 = 1, 9 · 9 = 1.

    1 · a = a for every a in Z_n^*; 1 is the identity element.

    Every a in Z_n^* has an inverse.
    E.g., the inverse of 3 is 7, the inverse of 9 is 9.

    We write the inverse of a as a^-1.
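    The two groups of slides 11 and 12 computed rather than tabulated. This is an added example, not from the slides: it enumerates Z_n^*, finds multiplicative inverses with the extended Euclidean algorithm (a method the slides do not name), and checks the closure property the slides take for granted. Function names are mine.

```python
# Added example: (Z_n, +) and (Z_n^*, ·) with inverses via the extended Euclidean algorithm.
from math import gcd

def additive_inverse(a, n):
    """Inverse of a in (Z_n, +): the element -a = n - a (mod n), so that a + (-a) = 0 mod n."""
    return (-a) % n

def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0

def has_inverse(a, n):
    """a belongs to Z_n^* exactly when gcd(a, n) = 1."""
    return gcd(a % n, n) == 1

def multiplicative_inverse(a, n):
    """Inverse of a in (Z_n^*, ·): a^-1 with a * a^-1 = 1 mod n.
    From u*a + v*n = 1 we get u*a = 1 mod n, so u mod n is the inverse."""
    g, u, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return u % n

def units(n):
    """Z_n^* = {x in Z_n : gcd(x, n) = 1}."""
    return [x for x in range(n) if gcd(x, n) == 1]

def is_closed_under_mult(n):
    """Closure axiom for (Z_n^*, ·): the product of two units is again a unit."""
    u = set(units(n))
    return all((a * b) % n in u for a in u for b in u)

if __name__ == "__main__":
    print("Z_10^* =", units(10))
    print("3^-1 mod 10 =", multiplicative_inverse(3, 10))
```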

  • Slide 13/68: Field

    A field, denoted by (F, +, ·), is a set F with two binary operations, + and ·, such that

    1. (F, +) is an abelian group (with identity 0).
    2. (F \ {0}, ·) is an abelian group (with identity 1).
    3. For all elements a in F, a · 0 = 0 · a = 0.
    4. For all x, y, z in F, x · (y + z) = x · y + x · z  (distributive).

    Example fields: (Q, +, ·), (R, +, ·).

    (Z, +, ·) is not a field.

    For any prime p, (Z_p, +, ·) is a field, often denoted as F_p.

  • Slide 14/68: The Field F_2

    There are only two numbers: 0 and 1.
    Addition, subtraction and multiplication are as below:

      +  | 0 1      -  | 0 1      ·  | 0 1
      0  | 0 1      0  | 0 1      0  | 0 0
      1  | 1 0      1  | 1 0      1  | 0 1

    Note: addition = subtraction = XOR.
    Just call it modulo-2 arithmetic.

  • Slide 15/68: Polynomials over a field

    Q[x]: set of all polynomials with coefficients in Q.

    F[x]: set of all polynomials with coefficients in F, where F is a field.

    F_p[x]: set of all polynomials with coefficients in F_p, where p is a prime.

    F_2[x]: set of all polynomials with coefficients in F_2.

  • Slide 16/68: Addition & multiplication of polynomials

    Consider F_2[x].

    For A(x), B(x) in F_2[x], define A(x) + B(x) and A(x) B(x) in a straightforward way.

    Example: A(x) = x^3 + x + 1, B(x) = x^2 + x.

        A(x) + B(x) = x^3 + x^2 + (1 + 1)x + 1 = x^3 + x^2 + 1.

        A(x) B(x) = x^5 + x^4 + x^3 + x^2 + x^2 + x
                  = x^5 + x^4 + x^3 + (1 + 1)x^2 + x
                  = x^5 + x^4 + x^3 + x.

    (F_2[x], +, ·) is not a field, because any polynomial of degree >= 1 does not have a multiplicative inverse.

  • Slide 17/68: Finite fields (Galois fields)

    Let p(x) in F_2[x] be a fixed irreducible polynomial.

    For A(x) in F_2[x], A(x) mod p(x) = remainder of A(x) divided by p(x).

    Define F_2[x]/p(x) = { A(x) mod p(x) : A(x) in F_2[x] }.

    For A(x), B(x) in F_2[x]/p(x), define
        A(x) + B(x) = (A(x) + B(x)) mod p(x)
        A(x) · B(x) = (A(x) · B(x)) mod p(x)

    (F_2[x]/p(x), +, ·) is a field, denoted as GF(2^n), where n is the degree of p(x).

  • Slide 18/68: Galois field GF(2^n)

    GF(2^n) has 2^n elements. Each element is a polynomial of degree < n, with coefficients in F_2 = {0, 1}.

    Think of each element/polynomial as a bit string of length n, and vice versa.

    Thus, if n = 8, then GF(2^8) consists of all polynomials of degree less than 8, or all bit strings of length 8.

    e.g., x^6 + x^5 + x^2 + 1 <-> 01100101

  • Slide 19/68: AES: Advanced Encryption Standard

  • Slide 20/68: AES: Advanced Encryption Standard

    In 1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard.

    Requirements: block length of 128 bits, key lengths of 128, 192, and 256 bits.

    In 2000, the Rijndael cipher (by Rijmen and Daemen) was selected.

    An iterated cipher, with 10, 12, or 14 rounds. Rijndael allows various block lengths, but AES allows only one block size: 128 bits.

  • Slide 21/68: Modulo-2 Arithmetic

    There are only two numbers: 0 and 1.
    Addition, subtraction and multiplication are as below:

      +  | 0 1      -  | 0 1      ·  | 0 1
      0  | 0 1      0  | 0 1      0  | 0 0
      1  | 1 0      1  | 1 0      1  | 0 1

    Note: addition = subtraction = XOR.

  • Slide 22/68: Byte-oriented operations

    Each byte is viewed as a polynomial of degree <= 7.

    Suppose: a = 10001001 = x^7 + x^3 + 1 = A(x).
             b = 10000010 = x^7 + x = B(x).

    Addition and subtraction are simply bitwise XOR:

        a + b = 10001001 XOR 10000010 = 00001011 = A(x) + B(x).

  • Slide 23/68: Byte-oriented operations

    Multiplication: "regular" polynomial multiplication modulo a fixed modulus P(x), where
    P(x) = x^8 + x^4 + x^3 + x + 1 = 100011011.

        a · b = A(x) B(x) mod P(x)

    Example (a and b as on the previous slide):

        (x^7 + x^3 + 1)(x^7 + x) mod P(x)
        = (x^14 + x^10 + x^8 + x^7 + x^4 + x) mod P(x)
        = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1

    In bits:

        10001001 · 10000010 mod 100011011
        = 100010110010010 mod 100011011
        = 01111111

  • Slide 24/68: Byte-oriented operations

    For any byte a (viewed as a polynomial), there is a unique byte b (also viewed as a polynomial) such that a · b = 1.

    This element b is called the inverse of a, and is denoted by a^-1.

    Mathematically, the set of all polynomials of degree <= 7 forms a field, GF(2^8), under the operations of addition and multiplication mod P(x), where P(x) is a fixed modulus.

  • Slide 25/68: Structure of Rijndael

    N_b: block size (number of words). For AES, N_b = 4.
    N_k: key length (number of words).
    N_r: number of rounds, depending on N_b, N_k.

    Assume: N_b = 4, N_k = 4, N_r = 10.

    state: a variable of 4 words, holding the data block, viewed as a 4 x 4 matrix of bytes; each column is a word.

    Key schedule: 11 round keys key_0, key_1, ..., key_10 computed from the main key k.

  • Slide 26/68: Rijndael algorithm

    input: plaintext m, key k

        state <- m
        AddKey(state, key_0)
        for i <- 1 to N_r - 1 do
            SubBytes(state)
            ShiftRows(state)
            MixColumns(state)
            AddKey(state, key_i)
        SubBytes(state)
        ShiftRows(state)
        AddKey(state, key_Nr)
        return(state)

  • Slide 27/68: Figure 5.1 AES Encryption and Decryption

    [Figure only]

  • Slide 28/68: AddKey(state, key_i)

    state <- state XOR key_i
  • Slide 29/68: SubBytes(state)

    For each byte z in the state matrix, substitute z with S_RD(z) = A z^-1 + b, where

            | 1 0 0 0 1 1 1 1 |              | 1 |
            | 1 1 0 0 0 1 1 1 |              | 1 |
            | 1 1 1 0 0 0 1 1 |              | 0 |
        A = | 1 1 1 1 0 0 0 1 |    and   b = | 0 |
            | 1 1 1 1 1 0 0 0 |              | 0 |
            | 0 1 1 1 1 1 0 0 |              | 1 |
            | 0 0 1 1 1 1 1 0 |              | 1 |
            | 0 0 0 1 1 1 1 1 |              | 0 |
  • Slide 30/68: SubBytes(state)

    That is, treat z as an element in GF(2^8).
    Find its multiplicative inverse z^-1 in GF(2^8). Now treat z^-1 as a vector of 0/1.
    Multiply with A, and add the result to b.

    If z^-1 = (z_0, z_1, ..., z_7), b = (b_0, b_1, ..., b_7), and S_RD(z) = (z'_0, z'_1, ..., z'_7), then

        z'_i = z_i + z_(i+4) + z_(i+5) + z_(i+6) + z_(i+7) + b_i

    The indices i + k should be interpreted as mod 8.
  • Slide 31/68: SubBytes(state)

    The function S_RD(z) = A z^-1 + b is Rijndael's S-box.
    It can be specified as a table (Table 5.4 of Stallings).
  • Slide 32/68: ShiftRows(state)

    Left-shift row i circularly by i bytes, 0 <= i <= 3.

        | a b c d |        | a b c d |
        | e f g h |  -->   | f g h e |
        | i j k l |        | k l i j |
        | m n o p |        | p m n o |
  • Slide 33/68: MixColumns(state)

    Operates on each column of the state matrix.

    View each column (a_0, a_1, a_2, a_3) as a polynomial with coefficients in GF(2^8):

        a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0

    A fixed polynomial: c(x) = 03 x^3 + 01 x^2 + 01 x + 02.

    The MixColumns operation maps each column a(x) to c(x) a(x) mod (x^4 + 1).
  • Slide 34/68: Rijndael Decryption

    Each step of Rijndael encryption is invertible.
  • Slide 35/68: Rijndael key schedule

    Assume: N_b = 4, N_k = 4, N_r = 10.

    The secret key key, having 4 words, is expanded to 44 words.
    Every four words are used as a round key.

    ExpKey[0..43]: an array of words.

    Initialization: ExpKey[0..3] <- key.

    For 4 <= j <= 43,
        ExpKey[j] <- ExpKey[j-4] XOR f(ExpKey[j-1])    if j mod 4 = 0
        ExpKey[j] <- ExpKey[j-4] XOR ExpKey[j-1]       else

    f: (a_0, a_1, a_2, a_3) -> (S_RD(a_1) XOR RC[j/4], S_RD(a_2), S_RD(a_3), S_RD(a_0)),

    where S_RD is as in SubBytes, and RC[i] = x^(i-1) mod P(x).
  • Slide 36/68: Modes of Operations
  • Slide 37/68: How to use a block cipher?

    Block ciphers encrypt fixed size blocks, e.g. DES encrypts 64-bit blocks.

    We need some way to encrypt arbitrary amounts of data, e.g. a message of 1000 bytes.

    NIST defines five ways to do it, called modes of operation, including block and stream modes.
  • Slide 38/68: Five Modes of Operation

    - Electronic codebook mode (ECB)
    - Cipher block chaining mode (CBC): most popular
    - Output feedback mode (OFB)
    - Cipher feedback mode (CFB)
    - Counter mode (CTR)
  • Slide 39/68: Electronic Code Book (ECB)

    The plaintext is broken into blocks, P_1, P_2, P_3, ...

    Each block is encrypted independently of the other blocks: C_i = E_K(P_i)

    For a given key, this mode behaves like we have a gigantic codebook, in which each plaintext block has an entry, hence the name Electronic Code Book.
  • Slide 40/68: Remarks on ECB

    Strength: it's simple.

    Weakness:
    - Repetitive information contained in the plaintext may show in the ciphertext, if aligned with blocks.
    - If the same message (e.g., your SSN) is encrypted (with the same key) and sent twice, their ciphertexts are the same.

    Typical application: secure transmission of short pieces of information (e.g. an encryption key).
  • Slide 41/68: Cipher Block Chaining (CBC)

    The plaintext is broken into blocks: P_1, P_2, P_3, ...

    Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name):

        C_i = E_K(C_(i-1) XOR P_i),  C_0 = IV

    Use an Initial Vector IV to start the process.

    Decryption: P_i = C_(i-1) XOR D_K(C_i)

    Application: general block-oriented transmission.
  • Slide 42/68: Cipher Block Chaining (CBC)

    [Figure only]
  • Slide 43/68: Remarks on CBC

    The same key is used for all blocks.

    A ciphertext block depends on all blocks before it.
    So, repeated plaintext blocks are encrypted differently.

    Initialization Vector (IV):
    - Must be known to both the sender & receiver.
    - Typically, IV is either a fixed value, or is sent encrypted in ECB mode before the rest of the message.
  • Slide 44/68: Message Padding

    The last plaintext block may be short of a whole block and needs padding.

    Possible padding:
    - Known non-data values (e.g. nulls)
    - Or a number indicating the size of the pad
    - Or a number indicating the size of the plaintext

    The last two schemes may require an extra block.
  • Slide 45/68: Cipher feedback mode (basic version)

    Plaintext blocks: p_1, p_2, ...
    Key: k

    Basic idea: construct key stream k_1, k_2, k_3, ...

    Encryption:
        c_0 = IV
        k_i = E_k(c_(i-1)), for i >= 1
        c_i = p_i XOR k_i,  for i >= 1
  • Slide 46/68: Cipher Feedback (CFB) Mode

    The plaintext is divided into segments of s bits (where s <= block-size): P_1, P_2, P_3, P_4, ...

    Encryption is used to generate a sequence of keys, each of s bits: K_1, K_2, K_3, K_4, ...

    The ciphertext is C_1, C_2, C_3, C_4, ..., where C_i = P_i XOR K_i.

    How to generate the key stream?
  • Slide 47/68: Generating Key Stream for CFB

    The input to the block cipher is a shift register x; its value at stage i is denoted as x_i.

    Initially, x_1 = an initial vector (IV).

    For i > 1, x_i = shift-left-s-bits(x_(i-1)) || C_(i-1).

    Then, K_i = s-most-significant-bits(E_K(x_i)).
  • Slide 48/68: Encryption in CFB Mode

    [Figure only]
  • Slide 49/68: Decryption in CFB Mode

    Generate key stream K_1, K_2, K_3, K_4, ... the same way as for encryption.

    Then decrypt each ciphertext segment as: P_i = C_i XOR K_i
  • Slide 50/68: Remark on CFB

    The block cipher is used as a stream cipher.
    Appropriate when data arrives in bits/bytes.

    s can be any value; a common value is s = 8.

    A ciphertext segment depends on the current and all preceding plaintext segments.

    A corrupted ciphertext segment during transmission will affect the current and next several plaintext segments.
    How many plaintext segments will be affected?
  • Slide 51/68: Output Feedback (OFB) Mode

    Very similar to Cipher Feedback in structure.
    But rather than C_i, K_i is fed back to the next stage.

    As in CFB, the input to the block cipher is a shift register x; its value at stage i is denoted as x_i.

    Initially, x_1 = an initial vector (IV).

    For i > 1, x_i = shift-left-s-bits(x_(i-1)) || K_(i-1).

    Then, K_i = s-most-significant-bits(E_K(x_i)).
  • Slide 52/68: Cipher Feedback / Output Feedback

    [Figure only]
  • Slide 53/68: Remark on OFB

    The block cipher is used as a stream cipher.
    Appropriate when data arrives in bits/bytes.

    Advantage: more resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.

    Disadvantage: cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly.

    IV should be generated randomly each time and sent with the ciphertext.
  • Slide 54/68: Counter Mode (CTR)

    A counter T is initialized to some IV and then incremented by 1 for each subsequent plaintext block.

    Encryption:
        T_1 = IV
        T_i = T_(i-1) + 1
        C_i = P_i XOR E_K(T_i)
  • Slide 55/68: Remark on CTR

    Strengths:
    - Needs only the encryption algorithm (so do CFB and OFB)
    - Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel; good for high speed links
    - Random access to encrypted data blocks

    As in OFB, IV should not be reused.
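    The five modes of slides 37-55, implemented over one shared block-cipher interface so the remarks on each can be checked: ECB's codebook leak (slide 40), the pad-length padding of slide 44, the s = 8 shift-register versions of CFB and OFB exactly as slides 47 and 51 describe them (note that the slides' OFB feeds back only the s keystream bits, which is the older Stallings formulation rather than NIST's full-block OFB), CTR, and the error-propagation question on slide 50. This is an added example, not from the slides. The "block cipher" is a stand-in: a key-seeded random permutation of 16-bit blocks, chosen so ECB repetition and CFB error spread show up within a dozen bytes; it is not a real cipher. Keys, IVs and messages are constructed for the demo and all names are mine.

```python
# Added example: NIST modes of operation over a stand-in 16-bit block permutation.
import random

BLOCK = 2          # block size in bytes (16 bits), deliberately tiny

def make_cipher(key):
    """Return (E_K, D_K): a fixed permutation of all 2^16 blocks selected by the key.
    Stand-in for DES/AES in this demo only; not secure, just invertible."""
    table = list(range(1 << 16))
    random.Random(key).shuffle(table)
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    enc = lambda b: table[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    dec = lambda b: inv[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    return enc, dec

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(pt):
    # Slide 44, "a number indicating the size of the pad": the extra block is added
    # even when the plaintext already fills the last block, so unpad is unambiguous.
    n = BLOCK - len(pt) % BLOCK
    return pt + bytes([n]) * n

def unpad(pt):
    return pt[:-pt[-1]]

def ecb_encrypt(enc, pt):            # C_i = E_K(P_i)
    return b"".join(enc(b) for b in blocks(pad(pt)))

def ecb_decrypt(dec, ct):
    return unpad(b"".join(dec(b) for b in blocks(ct)))

def cbc_encrypt(enc, iv, pt):        # C_i = E_K(C_(i-1) XOR P_i), C_0 = IV
    prev, out = iv, []
    for b in blocks(pad(pt)):
        prev = enc(xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(dec, iv, ct):        # P_i = C_(i-1) XOR D_K(C_i)
    prev, out = iv, []
    for b in blocks(ct):
        out.append(xor(dec(b), prev))
        prev = b
    return unpad(b"".join(out))

def _feedback(enc, iv, data, mode, decrypting=False):
    """CFB/OFB with s = 8: one byte per stage, shift register x_i holds one block.
    CFB shifts in the ciphertext byte C_i (slide 47); OFB shifts in K_i (slide 51)."""
    x, out = iv, bytearray()
    for byte in data:
        k = enc(x)[0]                        # K_i = s most significant bits of E_K(x_i)
        o = byte ^ k                         # C_i = P_i XOR K_i, or P_i = C_i XOR K_i
        cipher_byte = byte if decrypting else o
        x = x[1:] + bytes([cipher_byte if mode == "cfb" else k])
        out.append(o)
    return bytes(out)

def cfb_encrypt(enc, iv, pt):
    return _feedback(enc, iv, pt, "cfb")

def cfb_decrypt(enc, iv, ct):
    return _feedback(enc, iv, ct, "cfb", decrypting=True)

def ofb_crypt(enc, iv, data):        # keystream is independent of the data: same both ways
    return _feedback(enc, iv, data, "ofb")

def ctr_crypt(enc, iv, data):        # C_i = P_i XOR E_K(T_i), T_1 = IV, T_i = T_(i-1) + 1
    t, out = int.from_bytes(iv, "big"), bytearray()
    for i, b in enumerate(blocks(data)):
        ks = enc(((t + i) % (1 << 16)).to_bytes(BLOCK, "big"))
        out += xor(b, ks)                    # xor() truncates for a short final block
    return bytes(out)

def ecb_block_stats(enc, pt):
    """(total blocks, distinct ciphertext blocks): equal plaintext blocks -> equal ciphertext."""
    ct = blocks(ecb_encrypt(enc, pt))
    return len(ct), len(set(ct))

def corrupted_positions(mode_decrypt, enc, iv, pt, j):
    """Flip one bit of ciphertext byte j and report which decrypted bytes changed.
    Answers slide 50: for CFB with s = 8 and a 16-bit block, at most 1 + 16/8 = 3 bytes."""
    encrypt = cfb_encrypt if mode_decrypt is cfb_decrypt else ofb_crypt
    ct = bytearray(encrypt(enc, iv, pt))
    ct[j] ^= 0x01
    rec = mode_decrypt(enc, iv, bytes(ct))
    return [i for i in range(len(pt)) if rec[i] != pt[i]]

if __name__ == "__main__":
    enc, dec = make_cipher(b"demo key")
    print("ECB blocks/distinct:", ecb_block_stats(enc, b"ATTACKATDAWN"))
    print("CFB bytes hit by one flipped bit:", corrupted_positions(cfb_decrypt, enc, b"\x12\x34", b"0123456789", 4))
```

    The ECB statistic returns fewer distinct blocks than total blocks because the two "AT" blocks in ATTACKATDAWN encrypt identically; CBC, CFB, OFB and CTR do not have that property. The corruption helper shows the slides' contrast directly: a CFB error hits the current segment and the next BLOCK/s ones while the register flushes, an OFB error hits only the current segment.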

  • Slide 56/68: Stream Ciphers
  • Slide 57/68: Stream Cipher Diagram

    [Figure only]
  • Slide 58/68: Stream Ciphers

    Typically, process the plaintext byte by byte.
    So, the plaintext is a stream of bytes: P_1, P_2, P_3, ...

    Use a key K as the seed to generate a sequence of pseudorandom bytes (keystream): K_1, K_2, K_3, ...

    The ciphertext is C_1, C_2, C_3, C_4, ..., where C_i = P_i XOR K_i.

    Various stream ciphers differ in the way they generate keystreams.
  • Slide 59/68: Stream Ciphers

    For a stream cipher to be secure, the keystream
    - should have a large period, and
    - should be as random as possible, each of the 256 values appearing about equally often.

    The same keystream must not be reused. That is, the input key K must be different for each plaintext.
  • Slide 60/68: The RC4 Stream Cipher

    Designed by Ron Rivest in 1987 for RSA Security.
    Kept as a trade secret until leaked out in 1994.

    The most popular stream cipher. Simple and fast.

    With a 128-bit key, the period is > 10^100.

    Used in the SSL/TLS standards (for secure Web communication), the IEEE 802.11 wireless LAN standard, Microsoft Point-to-Point Encryption, and many others.
  • Slide 61/68: RC4

    Two vectors of 256 bytes:
        S[0], S[1], S[2], ..., S[255]
        T[0], T[1], T[2], ..., T[255]

    Key: variable length, from 1 to 256 bytes

    Initialization:
    1. S[i] = i, for 0 <= i <= 255
    2. T[i] = K[i mod key-length], for 0 <= i <= 255
       (i.e., fill up T[0..255] with the key repeatedly.)
  • Slide 62/68: RC4: Initial Permutation

    Initial Permutation of S:
        j = 0
        for i = 0 to 255 do
            j = (j + S[i] + T[i]) mod 256
            Swap S[i], S[j]

    This part of RC4 is generally known as the Key Scheduling Algorithm (KSA).

    After KSA, the input key and the temporary vector T will no longer be used.
  • Slide 63/68: RC4: Key Stream Generation

    Key stream generation:
        i, j = 0
        while (true)
            i = (i + 1) mod 256
            j = (j + S[i]) mod 256
            Swap S[i], S[j]
            t = (S[i] + S[j]) mod 256
            k = S[t]
            output k
  • Slide 64/68: Security of RC4

    The keystream generated by RC4 is biased.
    - The second byte is biased toward zero with high probability.
    - The first few bytes are strongly non-random and leak information about the input key.

    Defense: discard the initial n bytes of the keystream. Called RC4-drop[n-bytes].
    Recommended values for n = 256, 768, or 3072 bytes.

    Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
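    RC4 as specified on slides 61-63, with the RC4-drop[n] defense of slide 64, a check against a published RC4 test vector (key "Key", plaintext "Plaintext"), a measurement of the second-byte bias that slide 64 states, and the keystream-reuse consequence behind slide 59. This is an added example, not code from the slides; function names are mine and the 16-byte random keys used for the bias measurement are generated here from a fixed seed.

```python
# Added example: RC4 per slides 61-63, plus drop-n, a bias measurement and keystream reuse.
import random

def rc4_ksa(key):
    """Key-Scheduling Algorithm (slides 61-62): S[i] = i, T[i] = K[i mod keylen], 256 swaps."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S                         # key and T are not needed after this point

def rc4_keystream(key, drop=0):
    """Keystream generator (slide 63); drop=n discards the first n bytes (RC4-drop[n], slide 64)."""
    S = rc4_ksa(key)
    i = j = produced = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        produced += 1
        if produced > drop:
            yield k

def first_keystream_bytes(key, n, drop=0):
    ks = rc4_keystream(key, drop)
    return bytes(next(ks) for _ in range(n))

def rc4_crypt(key, data, drop=0):
    """Encrypt or decrypt (same operation): C_i = P_i XOR K_i."""
    return bytes(p ^ k for p, k in zip(data, rc4_keystream(key, drop)))

def second_byte_zero_ratio(num_keys, seed=0, drop=0):
    """How often the second keystream byte is 0, relative to the 1/256 an unbiased
    stream would give. Around 2.0 for plain RC4 (slide 64's bias), near 1.0 with drop >= 256."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, drop)
        next(ks)
        zeros += next(ks) == 0
    return zeros / num_keys * 256

def keystream_reuse_leak(key, p1, p2):
    """Slide 59: two messages under the same keystream give C1 XOR C2 == P1 XOR P2,
    i.e. the keystream cancels and the relation between the plaintexts is exposed."""
    c1, c2 = rc4_crypt(key, p1), rc4_crypt(key, p2)
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))

if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())          # published test vector: bbf316e8d940af0ad3
    print("second-byte-zero ratio:", round(second_byte_zero_ratio(4000), 2))
```

    The bias measurement is the operational reason for the drop-n recommendation: the ratio is about 2 when the first bytes are used and collapses to about 1 once 256 or more bytes are discarded.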

  • Slide 65/68: Problems with WEP's use of RC4

    WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LAN.

    WEP requires each packet to be encrypted with a separate RC4 key.

    The RC4 key for each packet is a concatenation of a 24-bit IV (initialization vector) and a 40 or 104-bit long-term key:

        RC4 key: | IV (24 bits) | Long-term key (40 or 104 bits) |
  • Slide 66/68: 802.11 frames using WEP

        | Header | IV | Packet | ICV | FCS |
                      |<- encrypted ->|

    ICV: integrity check value. FCS: frame check sequence. Both use CRC32.
  • Slide 67/68

    Fluhrer, Mantin, and Shamir showed that:

    If the same secret key is used with numerous IVs, and the attacker can obtain the first word of RC4 output (keystream) corresponding to each IV, then he can construct the secret key with little effort.

    The first word is known for many plaintext packets.
    Recall: Ciphertext = plaintext XOR keystream.
    So, the first word of RC4 output (keystream) can be obtained.
  • Slide 68/68

    Tews, Weinmann, and Pyshkin wrote an article, "Breaking 104 bit WEP in less than 60 seconds", discussing how to discover the RC4 key by analyzing the easily identified ARP packets.

    ARP: Address Resolution Protocol.