Network Security & Cryptography Lecture 8
![Page 1: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/1.jpg)
Network Security and Cryptography
Lecture 8
Advanced Block Ciphers: Triple DES, CAST, Blowfish, IDEA
Uday Prakash Pethakamsetty
![Page 2: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/2.jpg)
Taxonomy of Cryptographic primitives
3/18/2013 2JNTUH CEH Network Security &
Cryptography
![Page 3: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/3.jpg)
Private Key Algorithms
[Figure: Plaintext → Encryption (Key1) → Ciphertext → Decryption (Key1) → Original Plaintext]
E_key1(M) = C
D_key1(C) = M
What granularity of the message does E_k encrypt?
![Page 4: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/4.jpg)
General Block Encryption
• The general way of encrypting a 64-bit block is to take each of the 2^64 input values and map it to a unique one of the 2^64 output values. This would take (2^64)*(64) = 2^70 bits. NOT practical.
• Secret key cryptographic systems take a reasonable length key (e.g., 64 bits) and generate a one-to-one mapping that appears, to someone who does not know the key, as completely random. I.e., any single bit change in the input results in a totally independent random number output.
![Page 5: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/5.jpg)
Structure of Multiround block ciphers
• These are private-key symmetric ciphers – same key for encrypt and decrypt
• Each single round must be invertible
• Key scheduling rounds do not need to be invertible
• If the key is constant from block to block, this is a monoalphabetic cipher, but with a huge alphabet
• Strength comes from confusion and diffusion repeatedly applied
[Figure: the key feeds a chain of key scheduling rounds; plaintext input → single rounds → ciphertext out; ciphertext in → inverses of the single rounds → plaintext output]
![Page 6: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/6.jpg)
Structure of a single round
• Invertible operations can include
– Bitwise exclusive or
– Addition modulo block size
– Galois field multiplication, but not conventional multiplication
– Permutation
[Figure: partially encrypted text from the previous round and the key for this round (from the key scheduler) enter a non-feedback network of invertible operations, which outputs partially encrypted text to the next round]
Example of an invertible operation (XOR):
If C = K xor A
Then A = K xor C
![Page 7: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/7.jpg)
Types of transformation for k-bit blocks
o Substitution: Specify, for each of the 2^k possible values of the input, the k-bit output. This takes k*2^k bits. This is reasonable for k=8.
o Permutation: Specify, for each of the k input bits, the output position to which it goes. This takes k*log2(k) bits.
• The next slide shows a secret key algorithm based on rounds of substitution and permutation. If we do only a single round, then a bit of input can only affect 8 bits of output. There is an optimal number of rounds to achieve complete randomization. The algorithm takes the same effort to reverse (decrypt).
![Page 8: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/8.jpg)
Example of block encryption
![Page 9: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/9.jpg)
Private Key Algorithms
• Block Ciphers: blocks of bits at a time
– DES (Data Encryption Standard): banks, Linux passwords (almost), SSL, Kerberos, …
– Blowfish (SSL as option)
– IDEA (used in PGP, SSL as option)
– Rijndael (AES) – the new standard
• Stream Ciphers: one bit (or a few bits) at a time
– RC4 (SSL as option)
– PKZip
– Sober, Leviathan, Panama, …
![Page 10: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/10.jpg)
Private Key: Block Ciphers
• Encrypt one block at a time (e.g., 64 bits)
• c_i = f(k, m_i)    m_i = f'(k, c_i)
• Keys and blocks are often about the same size.
• Equal message blocks will encrypt to equal code blocks
– Why is this a problem?
• Various ways to avoid this:
– E.g. c_i = f(k, c_{i-1} ⊕ m_i): "Cipher block chaining" (CBC)
• Why could this still be a problem?
Solution: attach random block to the front of the message
![Page 11: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/11.jpg)
Security of Block Ciphers
• Ideal:
– k-bit -> k-bit key-dependent substitution (i.e. "random permutation")
– If keys and blocks are k-bits, can be implemented with 2^(2k) entry table.
![Page 12: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/12.jpg)
Iterated Block Ciphers
• Consists of n rounds
• R = the “round” function
• s_i = state after round i
• k_i = the ith round key
[Figure: m → R (k_1) → s_1 → R (k_2) → s_2 → … → R (k_n) → c; the round keys k_1 … k_n are derived from the key]
![Page 13: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/13.jpg)
Iterated Block Ciphers: Decryption
• Run the rounds in reverse.
• Requires that R has an inverse.
[Figure: c → R^-1 (k_n) → … → s_2 → R^-1 (k_2) → s_1 → R^-1 (k_1) → m; the round keys are derived from the key]
![Page 14: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/14.jpg)
Feistel Networks
• If the function is not invertible, rounds can still be made invertible. Requires at least 2 rounds to mix all bits.
[Figure: forwards round R and backwards round R^-1, each built from F with round key k_i and an XOR acting on the high bits and low bits]
Used by DES (the Data Encryption Standard)
![Page 15: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/15.jpg)
The Feistel block is a reversible round
[Figure: two copies of the round, each with a one-way (nonreversible) block and an XOR; one maps Left half_i and Right half_i to Left half_i+1 and Right half_i+1, the other maps them back]
Note: This block is reversible
The direction of signal flow does not change in the one-way block
The XOR is a reversible device
![Page 16: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/16.jpg)
More on the Feistel block
• Characteristics and limitations
– Essentially any one-way function can be used – doesn’t have to be reversible
– Because the block scrambles only one half the partial text at a time it is possibly weaker than other ciphers, but more rounds (typically 16) can be used
– The one-way function is half the width of the block, so a 64-bit block can be encrypted efficiently with a 32-bit processor
– The Feistel block is vulnerable to differential cryptanalysis, which is a chosen-plaintext attack. With enough rounds, it is usable.
![Page 17: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/17.jpg)
The equations for the Feistel block
• Comments
– These equations are valid for any Feistel block, regardless of the particular one-way function used
– They are the basis for differential and linear cryptanalysis
– A large number of present-day ciphers, but not all, use Feistel
The direct transformation
L_{i+1} = L_i ⊕ F(R_i, K_i)
R_{i+1} = L_i
The inverse transformation
L_i = L_{i+1} ⊕ F(L_{i+1}, K_i)
R_i = L_{i+1}
The recurrence relation used in differential cryptanalysis
L_{i+2} = L_{i+1} ⊕ F(L_i, K_i)
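The following is an added example, not part of the original slides: a 64-bit Feistel cipher whose round function is a truncated hash (so it has no inverse), used to show that decryption is the same routine with the round keys reversed, and to contrast c_i = f(k, m_i) with cipher block chaining from the earlier "Private Key: Block Ciphers" slide. The round convention (L, R) → (R, L ⊕ F(R, K)), the hash-based key schedule, and all names and sample values are assumptions of this example.

```python
import hashlib
import secrets

BLOCK = 8            # 64-bit block, as on the slides
HALF = BLOCK // 2    # the one-way function works on a 32-bit half
ROUNDS = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key: bytes, rounds: int = ROUNDS) -> list:
    # Toy key schedule (an assumption of this example): one hash per round.
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]


def F(half: bytes, k: bytes) -> bytes:
    # One-way round function: a truncated hash, so it cannot be inverted.
    return hashlib.sha256(k + half).digest()[:HALF]


def feistel(block: bytes, keys: list) -> bytes:
    # Each round maps (L, R) to (R, L xor F(R, K)). The halves are swapped
    # once at the end so the same routine decrypts with reversed keys.
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    L, R = block[:HALF], block[HALF:]
    for k in keys:
        L, R = R, xor(L, F(R, k))
    return R + L


def encrypt_block(key: bytes, block: bytes, rounds: int = ROUNDS) -> bytes:
    return feistel(block, round_keys(key, rounds))


def decrypt_block(key: bytes, block: bytes, rounds: int = ROUNDS) -> bytes:
    return feistel(block, round_keys(key, rounds)[::-1])


def split(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of 8 bytes (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    # c_i = f(k, m_i): equal message blocks give equal ciphertext blocks.
    return b"".join(encrypt_block(key, m) for m in split(msg))


def cbc_encrypt(key: bytes, msg: bytes, iv: bytes = None) -> bytes:
    # c_i = f(k, c_{i-1} xor m_i), with a random block c_0 sent in front.
    prev = iv if iv is not None else secrets.token_bytes(BLOCK)
    out = [prev]
    for m in split(msg):
        prev = encrypt_block(key, xor(prev, m))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    blocks = split(data)
    return b"".join(xor(decrypt_block(key, c), p) for p, c in zip(blocks, blocks[1:]))


def bit_diff(a: bytes, b: bytes) -> int:
    # Number of bit positions in which two equal-length strings differ.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key = b"constructed-key"                   # constructed sample values
    msg = b"PAY 100$" * 3                      # three equal 8-byte blocks
    print("ECB:", [c.hex() for c in split(ecb_encrypt(key, msg))])
    print("CBC:", [c.hex() for c in split(cbc_encrypt(key, msg))])
    a, b = b"\x00" * 8, b"\x80" + b"\x00" * 7  # differ in one bit of L
    for r in (1, 2, 16):
        d = bit_diff(encrypt_block(key, a, r), encrypt_block(key, b, r))
        print(r, "round(s):", d, "output bits differ")
```

With a fixed first block, CBC still maps equal messages to equal ciphertexts, which is why the slide attaches a random block to the front.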
![Page 18: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/18.jpg)
Product Ciphers
• Each round has two components:
– Substitution on smaller blocks. Decorrelate input and output: "confusion"
– Permutation across the smaller blocks. Mix the bits: "diffusion"
• Substitution-Permutation Product Cipher
• Avalanche Effect: 1 bit of input should affect all output bits, ideally evenly, and for all settings of the other input bits
![Page 19: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/19.jpg)
Data Encryption Standard (DES)
• Key length: 56 + 8 parity bits = 64 bits
• 8 bits are used for parity check, why is that? Possible reason: to make it 256 times less secure against exhaustive search! Read p. 63 in the textbook.
• How secure is DES? In 1998, a $150K machine can break the key in 5 days! For added security, triple DES is 2^56 times more secure.
![Page 20: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/20.jpg)
The one-way function for DES
• Components
– E-box – expansion and permutation
– S-box – substitution – a 64 by 4 bit memory or array
– P-box – expansion and permutation
– E and P boxes were hardwired
– S-boxes were in on-chip ROM – 256 bytes per round
[Figure: the 32-bit input half passes through the E-box (expand/permute) to 48 bits, a 48-bit-wide XOR with the 48-bit per-stage keyword, the 64x4 S-boxes (6 bits in, 4 bits out each) and the P-box (permute only) to give the 32-bit output half]
![Page 21: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/21.jpg)
Basic structure of DES
![Page 22: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/22.jpg)
![Page 23: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/23.jpg)
![Page 24: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/24.jpg)
Why decryption works?
• The output of the Mangler Function (M) is the same for both encryption and decryption.
• In encryption: M ⊕ L_n = R_{n+1}
• In decryption: M ⊕ R_{n+1} = M ⊕ (M ⊕ L_n) = L_n
![Page 25: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/25.jpg)
The Mangler Function
• Expands R from 32 bits to 48 bits as shown in the figure:
• It breaks R into eight 4-bit chunks and expands each to 6 bits by concatenating the adjacent 2 bits. Let CR_i refer to chunk i of expanded R. The 48-bit K is broken into eight 6-bit chunks.
• Let CK_i refer to chunk i of K. Let S_i = CR_i ⊕ CK_i; S_i is fed into an S-box, a substitution which produces a 4-bit output for each possible 6-bit input.
• The 4-bit outputs of the eight S-boxes are permuted (this has security value: it ensures that the output of an S-box in one round affects the input of multiple S-boxes on the next round).
![Page 26: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/26.jpg)
Mangler Function in DES
![Page 27: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/27.jpg)
Mangler Function
• The 48-bit key and the expanded 48-bit R are broken into 8 chunks of 6 bits each.
![Page 28: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/28.jpg)
S-boxes
![Page 29: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/29.jpg)
DES Weak Keys
• With many block ciphers there are some keys that should be avoided, because of reduced cipher complexity
• These keys are such that the same sub-key is generated in more than one round, and they include:
– Weak Keys
  • The same sub-key is generated for every round
  • DES has 4 weak keys
– Semi-weak keys
  • Only two sub-keys are generated on alternate rounds
  • DES has 12 of these (in 6 pairs)
– Demi-Semi Weak Keys
  • Have four sub-keys generated
• None of these causes a problem since they are a tiny fraction of all available keys
• However they MUST be avoided by any key generation program
3/18/2013Dept. of ECE Network Security &
Cryptography29
![Page 30: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/30.jpg)
DES attacks
• Brute force attack
• The COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 9 days on average. The photo shows the backplane of the machine with the FPGAs.
![Page 31: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/31.jpg)
DES attack : Faster than Brute force attack
• There are three attacks known that can break the full 16 rounds
of DES with less complexity than a brute-force search:
– differential cryptanalysis (DC),
– linear cryptanalysis (LC), and
– Davies' attack.
• However, the attacks are theoretical and are infeasible to mount in practice; these types of attack are sometimes termed certificational weaknesses.
![Page 32: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/32.jpg)
Possible techniques for improving DES
• Design a completely new algorithm
– Requires completely new infrastructure
• Multiple enciphering with DES
– Double DES, Triple DES, …
• Extending DES to 128-bit data paths and 112-bit keys
• Extending the key expansion calculation.
![Page 33: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/33.jpg)
Double DES
Using two encryption stages and two keys
– C = e_k2(e_k1(p))
– p = d_k1(d_k2(C))
It is proved that there is no key k3 such that
– C = e_k2(e_k1(p)) = e_k3(p)
• Plaintext block length: 64-bit block
• Ciphertext block length: 56 × 2 = 112 bits
But a meet-in-the-middle attack is possible
Thus, 2-DES is not secure (if DES is broken)
![Page 34: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/34.jpg)
Meet in the Middle attack
Assume C = E_k2(E_k1(P))
Given the plaintext-ciphertext pair, this is a known-plaintext attack.
Encrypt P using all possible keys k1
Decrypt C using all possible keys k2
o Check the result against the list of encrypted plaintexts
o If a match is found, then test the found keys again on another plaintext and ciphertext pair
o If it turns out correct, then the keys are found
o Otherwise keep decrypting C
![Page 35: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/35.jpg)
Breaking double DES
![Page 36: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/36.jpg)
Breaking double DES-MIM attack
• Given a message P and its ciphertext C (encrypted using some unknown keys k1 and k2).
• When we decrypt C using all keys, and encrypt P using all keys, some results will match
– The expected number of matches is 2^56*2^56/2^64 = 2^48 (2^112 key pairs, each agreeing on a 64-bit middle value with probability 2^-64).
• When we have another pair (P2, C2), the number of possible key pairs that work for them is also 2^48.
• Then, among these two sets of key pools found, the expected common key pairs is only
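The procedure from the "Meet in the Middle attack" slides, as an added example that is not part of the original lecture. It runs against a toy 32-bit block cipher with 16-bit keys, invented here so the search finishes in about a second, and shows that double encryption costs about 2 × 2^16 cipher operations to search rather than 2^32. The cipher, its key schedule, and the sample keys and plaintexts are all assumptions of this example.

```python
MASK = 0xFFFF          # the toy cipher works on two 16-bit words (32-bit block)
KEY_BITS = 16          # toy key size; for DES this would be 56
ROUNDS = 8


def rol(v, r):
    return ((v << r) | (v >> (16 - r))) & MASK


def ror(v, r):
    return ((v >> r) | (v << (16 - r))) & MASK


def subkeys(key):
    # Toy key schedule (assumption): rotate and add a round constant.
    out, s = [], key & MASK
    for r in range(ROUNDS):
        s = (rol(s, 3) + 0x9E37 + r) & MASK
        out.append(s)
    return out


def enc(key, block):
    # Add-rotate-xor rounds on the two 16-bit words of the block.
    x, y = block >> 16, block & MASK
    for k in subkeys(key):
        x = ((ror(x, 7) + y) & MASK) ^ k
        y = rol(y, 2) ^ x
    return (x << 16) | y


def dec(key, block):
    # Exact inverse of enc: undo the rounds in reverse order.
    x, y = block >> 16, block & MASK
    for k in reversed(subkeys(key)):
        y = ror(y ^ x, 2)
        x = rol(((x ^ k) - y) & MASK, 7)
    return (x << 16) | y


def double_enc(k1, k2, p):
    # C = E_k2(E_k1(P)), as on the Double DES slide.
    return enc(k2, enc(k1, p))


def meet_in_the_middle(pairs):
    """Return (candidates after the first pair, survivors after all pairs)."""
    (p, c), rest = pairs[0], pairs[1:]
    # Encrypt P under every k1 and index the middle values.
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(enc(k1, p), []).append(k1)
    # Decrypt C under every k2 and look for a matching middle value.
    candidates = [(k1, k2)
                  for k2 in range(1 << KEY_BITS)
                  for k1 in table.get(dec(k2, c), ())]
    # Test each candidate pair on the remaining plaintext/ciphertext pairs.
    survivors = [kp for kp in candidates
                 if all(double_enc(kp[0], kp[1], pi) == ci for pi, ci in rest)]
    return candidates, survivors


if __name__ == "__main__":
    k1, k2 = 0xBEEF, 0x1337                       # constructed secret keys
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x01234567, 0x89ABCDEF)]
    candidates, survivors = meet_in_the_middle(pairs)
    print("cipher operations:", 2 << KEY_BITS, "instead of", 1 << (2 * KEY_BITS))
    print("candidates after first pair:", len(candidates))
    print("survivors after second pair:", [(hex(a), hex(b)) for a, b in survivors])
```

The first pair leaves a handful of candidate key pairs (the toy analogue of the 2^48 on the slide); the second pair filters them.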
![Page 37: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/37.jpg)
Triple DES
• DES variant
• Standardized in ANSI X9.17 & ISO 8732 and in PEM for key management
• Proposed for general EFT standard by ANSI X9
• Backwards compatible with many DES schemes
• Uses either two or three keys.
![Page 38: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/38.jpg)
Triple DES
• Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt)
• C = ciphertext
• P = Plaintext
• E_K[X] = encryption of X using key K
• D_K[Y] = decryption of Y using key K
• Effective key length of 168 bits
C = E_K3[D_K2[E_K1[P]]]
![Page 39: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/39.jpg)
Triple DES with two keys
![Page 40: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/40.jpg)
Triple DES with three keys
![Page 41: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/41.jpg)
Other Symmetric Block Ciphers
• DES has reached the end of its useful lifetime.
• New symmetric encryption schemes have been proposed in the last decade.
Examples:
– International Data Encryption Algorithm (IDEA)
– Blowfish
– RC5
– CAST-128.
![Page 42: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/42.jpg)
CAST 128
• By Carlisle Adams and Stafford Tavares
– Defined in RFC 2144
– Use key size varying from 40 to 128 bits
– Structure of Feistel network
– 16 rounds on 64 bit data block
– The round function differs from round to round
– Four primitive operations
• Addition, subtraction (mod 2^32)
• Bitwise exclusive-OR
![Page 43: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/43.jpg)
Blowfish
Easy to implement (simple structure)
Two basic operations: addition, XOR
High execution speed
Similar to Feistel scheme
Runs in less than 5K of memory
Variable security: key length is variable (between 32 and 448 bits).
> Allows a tradeoff between speed and security.
- The key is used to generate 18 32-bit subkeys.
- Encryption/decryption consists of 16 rounds.
The subkeys and S-boxes are complicated. So, not suitable when the key changes often.
![Page 44: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/44.jpg)
Blowfish…
• Encryption:
Uses two primitive operations:
1. Addition: performed modulo 2^32.
2. Bitwise Exclusive-OR.
> These two operations do not commute.
> Making cryptanalysis difficult.
![Page 45: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/45.jpg)
Blowfish…
• Encryption Algorithm:
- Plaintext is divided into two 32-bit halves.
- Go through 16 rounds of transformation using subkeys.
- Each round takes two 32-bit inputs and produces two 32-bit outputs.
- Output of a round is fed into the next round.
- The output of the 16th round is exclusive-ORed with the 17th and 18th subkeys to produce the ciphertext.
![Page 46: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/46.jpg)
Blowfish…
• Details of a Single Round:
- Each round includes complex use of addition modulo 2^32, Ex-OR, and substitution using S-boxes.
- The 32-bit input to the function F is divided into four bytes.
- Each byte goes through a separate S-box and is expanded into 32 bits.
- The 32-bit outputs go through a complex transformation using addition modulo 2^32 and Ex-OR.
![Page 47: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/47.jpg)
International Data Encryption Algorithm (IDEA)
• Encrypts 64-bit blocks using 128-bit key.
It is similar to DES since it:
– operates in rounds
– the mangler function runs in the same direction for both encryption and decryption
• It differs from DES since:
– Designed to be efficient in software (as opposed to DES’s hardware orientation)
– The encryption and decryption keys are different but related in a complex manner.
• Used in PGP
• Confusion: (the ciphertext should depend upon the plaintext and key in a complex way)
– Confusion is achieved by using three operations.
• Diffusion: (Each plaintext bit should influence as many ciphertext bits as possible)
– IDEA is very effective in achieving diffusion.
![Page 48: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/48.jpg)
IDEA...
Confusion:
- Achieved by mixing three different operations.
- Each operation takes two 16-bit inputs and produces a 16-bit output.
Three Operations:
1. Bit-by-bit Exclusive-OR.
2. Addition of integers modulo 2^16 (=65536).
- Inputs and output are treated as 16-bit unsigned integers.
3. Multiplication of integers modulo 2^16+1 (=65537).
- Inputs and output are treated as 16-bit unsigned integers.
- A block of all zeros is treated as 2^16.
![Page 49: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/49.jpg)
IDEA…
• Three Operations:
"in combination provide a complex transformation making cryptanalysis very difficult."
• The three operations are incompatible:
> No two satisfy the distributive law.
> No two satisfy the associative law.
![Page 50: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/50.jpg)
IDEA…
• Diffusion:
Provided by a multiplication/addition structure
(MA).
>Takes two inputs:
(1) Two 16 bit values derived from plaintext.
(2) Two 16 bit subkeys derived from the key.
>Produces two 16 bit outputs.
![Page 51: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/51.jpg)
IDEA…
• Diffusion:
>Each output bit depends on every input bit and
on every bit of the subkeys.
//meaning lot of diffusion.//
>This structure is repeated 8 times in the
encryption algorithm.
//provides very effective diffusion.//
![Page 52: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/52.jpg)
IDEA…
• Encryption Algorithm:
>Consists of eight rounds.
>64 bit input is divided into four 16-bit sub-blocks.
>Each round uses six 16-bit keys.
>Each round produces four 16-bit outputs.
>Output of a round is fed into the next round.
![Page 53: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/53.jpg)
IDEA…
Details of a Single Round:
Four input sub-blocks are combined with four sub-keys, producing 4 output sub-blocks.
The four output sub-blocks are combined using the XOR operation to form two 16-bit blocks.
These two blocks are fed into the MA structure.
The MA structure takes them and produces two 16-bit outputs.
The four outputs of the upper transformation are combined with the two outputs of the MA structure to produce four output blocks for this round.
![Page 54: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/54.jpg)
Basic structure of IDEA
![Page 55: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/55.jpg)
IDEA primitive operations
• ⊕ exclusive OR
  + addition mod 2^16 and
  × multiplication mod 2^16+1
• These operations are reversible:
• a ⊕ K = A ⇒ A ⊕ K = a, since (a ⊕ K) ⊕ K = a
  a + K = A ⇒ A + (-K) = a, since (a + K) + (-K) = a
  a × K = A ⇒ A × K^-1 = a, since (a × K) × K^-1 = a
  K^-1 is the multiplicative inverse of K such that K × K^-1 = 1 mod (2^16+1)
• Example: K = 1101; -K = 0000-1101 = 0011, a = 1001, K^-1 = 0100 (since 4*13 = 52 = 1+3*17 (17 = 2^4+1); Euclid's algorithm, sec 7.4)
• a ⊕ K = 0100; (a ⊕ K) ⊕ K = 1001
• a + K = 0110; (a + K) + (-K) = 1001
• a × K = 9*13 mod 17 = 15; (a × K) × K^-1 mod 17 = 60 mod 17 = 9 = 1001
![Page 56: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/56.jpg)
Key Expansion (Encryption)
• The 128-bit key is expanded into 52 16-bit keys: K1, K2, … K52.
Step 1: Keys K1…K8 are generated by taking 8 chunks of 16 bits each.
Step 2: Keys K9…K16 are generated by starting from the 25th bit, wrapping around the first 25 bits at the end, and taking 16-bit chunks.
Step 3: Wrap around 25 more bits to the end, and generate keys K17…K24.
This process is repeated until all keys K1…K52 are generated.
![Page 57: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/57.jpg)
IDEA Odd Round
• X is the modified multiply operation, and + is a modified add.
• To get the original values back, the inverse of Ka is used for X and –Xb (mod 2^16) for +.
![Page 58: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/58.jpg)
IDEA Decryption
• The same code can perform either encryption or decryption given different expanded keys.
• Take the inverses of the encryption keys and use them in the opposite order (use the inverse of the last-used encryption key as the first used when doing decryption).
• Since the last encryption round (an odd round) used keys K49, K50, K51, K52,
• the first decryption round uses the inverses of the keys K49-K52.
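An added example, not part of the original slides, covering the IDEA primitive operations, the key expansion and the first-round decryption keys described above. The word size n is a parameter so that the 4-bit worked example (mod 17) and the real 16-bit case (mod 65537) run through the same code; function names and the sample key are assumptions of this example, and the fact that K49 and K52 are the multiplicative keys of the last round comes from the IDEA specification rather than from the slides.

```python
def mask(n):
    return (1 << n) - 1


def add(a, b, n=16):
    # Addition modulo 2^n.
    return (a + b) & mask(n)


def add_inv(k, n=16):
    # -K such that K + (-K) = 0 mod 2^n.
    return (-k) & mask(n)


def mul(a, b, n=16):
    # Multiplication modulo 2^n + 1, where the all-zero word stands for 2^n.
    # Needs 2^n + 1 to be prime, which holds for n = 4 (17) and n = 16 (65537).
    m = (1 << n) + 1
    a = a or (1 << n)
    b = b or (1 << n)
    return (a * b % m) & mask(n)      # a result of 2^n is written back as 0


def mul_inv(k, n=16):
    # K^-1 such that K x K^-1 = 1 mod (2^n + 1); Python 3.8+ modular inverse.
    m = (1 << n) + 1
    return pow(k or (1 << n), -1, m) & mask(n)


def expand_key(key: bytes) -> list:
    # 52 sixteen-bit subkeys: take 8 chunks, rotate the key left by 25 bits,
    # take 8 more, and so on; K1 is subkeys[0].
    if len(key) != 16:
        raise ValueError("IDEA key must be 128 bits")
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def first_decryption_round_keys(subkeys: list) -> list:
    # Inverses of K49..K52: multiplicative for K49 and K52, additive for
    # K50 and K51 (operation order taken from the IDEA specification).
    k49, k50, k51, k52 = subkeys[48:52]
    return [mul_inv(k49), add_inv(k50), add_inv(k51), mul_inv(k52)]


def distributive_counterexample(n=4):
    # First (a, b, c) with a x (b + c) != (a x b) + (a x c), or None.
    for a in range(1 << n):
        for b in range(1 << n):
            for c in range(1 << n):
                if mul(a, add(b, c, n), n) != add(mul(a, b, n), mul(a, c, n), n):
                    return a, b, c
    return None


if __name__ == "__main__":
    a, K = 0b1001, 0b1101                       # the slide's 4-bit example
    print("a xor K =", format(a ^ K, "04b"))
    print("a + K   =", format(add(a, K, 4), "04b"), " -K   =", format(add_inv(K, 4), "04b"))
    print("a x K   =", mul(a, K, 4), "   K^-1 =", format(mul_inv(K, 4), "04b"))
    key = bytes.fromhex("00010002000300040005000600070008")   # constructed key
    ks = expand_key(key)
    print("K1..K8  =", [hex(k) for k in ks[:8]])
    print("K9..K16 =", [hex(k) for k in ks[8:16]])
    print("first decryption round keys:", [hex(k) for k in first_decryption_round_keys(ks)])
    print("distributive law fails for (a, b, c) =", distributive_counterexample())
```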
![Page 59: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/59.jpg)
IDEA Even Round
![Page 60: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/60.jpg)
RC 5
• Developed by R. Rivest
– Suitable for hardware or software
– Fast, simple
– Variable number of rounds
– Variable-length key
– Low memory requirement
– High security
– Data-dependent rotations (circular bit shifts)
– Fast, simple, low memory, data-dependent rotations
– Adaptable to processors of different word length
  • A family of algorithms determined by word length, number of rounds, size of secret key
– Decryption and encryption are not the same
  • With little variations
– Primitive operations
  • Addition, XOR, left circular rotation
![Page 61: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/61.jpg)
RC4
• Ron Rivest (of the famous RSA) is the inventor
• A long random string is called a one-time pad.
• A stream cipher generates a one-time pad and applies it to a stream of plain text with ⊕.
• RC4 is a stream cipher designed by Ron Rivest.
![Page 62: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/62.jpg)
C code for RC4 one-time pad generator
![Page 63: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/63.jpg)
Key features of advanced symmetric block ciphers
![Page 64: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/64.jpg)
Location of Encryption Device
• Link encryption:
– A lot of encryption devices
– High level of security
– Decrypt each packet at every switch
• End-to-end encryption
– The source encrypts and the receiver decrypts
– Payload encrypted
– Header in the clear
• High Security: Both link and end-to-end encryption are needed
![Page 65: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/65.jpg)
![Page 66: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/66.jpg)
Key Distribution
1. A key could be selected by A and physically delivered to B.
2. A third party could select the key and physically deliver it to A and B.
3. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
![Page 67: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/67.jpg)
Key Distribution
• Session key:
– Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed
• Permanent key:
– Used between entities for the purpose of distributing session keys
![Page 68: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/68.jpg)
![Page 69: Network Security & Cryptography Lecture 8](https://reader031.fdocuments.us/reader031/viewer/2022020217/552b9ab5550346f5478b4764/html5/thumbnails/69.jpg)
References
• Behrouz A. Forouzan, Debdeep Mukhopadhyay, "Cryptography and Network Security", 2e, McGraw Hill Publications, ISBN 978-0-07-070208-0.
• William Stallings, "Cryptography and Network Security: Principles and Practices", 4e, Pearson-Prentice Hall publications, ISBN 81-7758-774-9.
• Stallings, W. Cryptography and Network Security: Principles and Practice, 2nd edition. Prentice Hall, 1999.
• Schneier, B. Applied Cryptography. New York: Wiley, 1996.
• Mel, H.X., Baker, D. Cryptography Decrypted. Addison Wesley, 2001.