Chapter 6: More on Symmetric Ciphers


Chapter 6: More on Symmetric Ciphers. NUIST School of Computer and Software. Jian Shen, PhD, Professor

6.1. Multiple Encryption and Triple DES DES is exposed to brute-force attack. One approach is AES. Another alternative is to use multiple encryption with DES and multiple keys: the triple DES (3DES) approach. The simplest form of multiple encryption has two encryption stages and two keys (Figure 6.1a). Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as C = E(K2, E(K1, P)).

6.1. Multiple Encryption and Triple DES Decryption requires that the keys be applied in reverse order: P = D(K1, D(K2, C)). Key length: 56 × 2 = 112 bits.

6.1. Multiple Encryption and Triple DES Reduction to a Single Stage Suppose it were true for DES, for all 56-bit key values, that given any two keys K1 and K2, it would be possible to find a key K3 such that E(K2, E(K1, P)) = E(K3, P). If this were the case, then double encryption would be useless because the result would be equivalent to a single encryption with a single 56-bit key. Conclusion: it does not appear that E(K2, E(K1, P)) = E(K3, P) is likely to hold. Consider that encryption with DES is a mapping of 64-bit blocks to 64-bit blocks. If we consider all 2^64 possible input blocks, DES encryption with a specific key will map each block into a unique 64-bit block. With 2^64 possible inputs, how many different mappings are there that generate a permutation of the input blocks? The value is easily seen to be

6.1. Multiple Encryption and Triple DES Reduction to a Single Stage On the other hand, DES defines one mapping for each different key, for a total number of mappings: 2^56 > 10^17. Therefore, it is reasonable to assume that if DES is used twice with different keys, it will produce one of the many mappings that are not defined by a single application of DES. Meet-in-the-Middle Attack Thus, the use of double DES results in a mapping that is not equivalent to a single DES encryption. But there is a way to attack this scheme, one that does not depend on any particular property of DES but that will work against any block encryption cipher. Given C = E(K2, E(K1, P)), we have X = E(K1, P) = D(K2, C). Given a known pair (P, C), the attack proceeds as follows. First, encrypt P for all 2^56 possible values of K1. Store these results in a table and then sort the table by the values of X. Next, decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the result against the table for a match. If a match occurs, then test the two resulting keys against a new known plaintext-ciphertext pair.
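The table-and-match procedure above, as an added example that is not part of the original slides. It assumes a constructed toy cipher (16-bit block, 12-bit key, Feistel rounds built from SHA-256) in place of DES so both key sweeps run instantly, and a dictionary in place of the sorted table; all function names are hypothetical.

```python
import hashlib

KEY_BITS = 12  # toy key size (assumption) so both key sweeps finish instantly

def _f(key, rnd, half):
    # Round function of the toy cipher: one byte of SHA-256 over (key, round, half).
    return hashlib.sha256(bytes([key >> 8, key & 0xFF, rnd, half])).digest()[0]

def E(key, block):
    """Toy 16-bit, 4-round Feistel cipher (constructed stand-in for DES)."""
    l, r = block >> 8, block & 0xFF
    for rnd in range(4):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 8) | r

def D(key, block):
    """Inverse of E: undo the Feistel rounds in reverse order."""
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 8) | r

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))  # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs):
    """Return every (K1, K2) consistent with all known (P, C) pairs."""
    p0, c0 = pairs[0]
    table = {}  # X = E(K1, P) -> [K1, ...]; a dict replaces the sorted table
    for k1 in range(1 << KEY_BITS):
        table.setdefault(E(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(D(k2, c0), []):  # match on X = D(K2, C)
            # Confirm the candidate against the remaining known pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

def demo():
    k1, k2 = 0x3A7, 0xC15  # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    return (k1, k2), meet_in_the_middle(pairs)

if __name__ == "__main__":
    secret, found = demo()
    print("secret:", secret, "recovered:", found)
    print("sweep cost:", 2 * (1 << KEY_BITS), "vs exhaustive:", 1 << (2 * KEY_BITS))
```

The two sweeps cost 2 × 2^12 cipher operations instead of the 2^24 an exhaustive search over both keys would need, which is why doubling the key length adds only about one bit of effective strength.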

6.1. Multiple Encryption and Triple DES Triple DES with Two Keys Three stages of encryption with three different keys could be used, but this has the drawback of requiring a key length of 56 × 3 = 168 bits, which may be somewhat unwieldy. As an alternative, Tuchman proposed a triple encryption method that uses only two keys. The function follows an encrypt-decrypt-encrypt (EDE) sequence (Figure 6.1b): C = E(K1, D(K2, E(K1, P))).

6.1. Multiple Encryption and Triple DES Triple DES with Two Keys Currently, there are no practical cryptanalytic attacks on 3DES. The cost of a brute-force key search on 3DES is on the order of 2^112, and the cost of differential cryptanalysis is estimated to grow exponentially compared to single DES, exceeding 10^52. It is worth looking at several proposed attacks on 3DES that, although not practical, give a flavor for the types of attacks that have been considered and that could form the basis for more successful future attacks. The first serious proposal came from Merkle and Hellman. It involves finding plaintext values that produce a first intermediate value of A = 0 and then using the meet-in-the-middle attack to determine the two keys. The level of effort is 2^56, but the technique requires 2^56 chosen plaintext-ciphertext pairs, a number unlikely to be provided by the holder of the keys.

6.1. Multiple Encryption and Triple DES Triple DES with Two Keys A known-plaintext attack

6.1. Multiple Encryption and Triple DES Triple DES with Three Keys Currently, there are no practical cryptanalytic attacks on 3DES. Although the attacks just described appear impractical, anyone using two-key 3DES may feel some concern. Thus, many researchers now feel that three-key 3DES is the preferred alternative: C = E(K3, D(K2, E(K1, P))). A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME, both discussed in Chapter 15.

6.2. Block Cipher Modes of Operation A block cipher algorithm is a basic building block for providing data security. A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application. These modes are intended for use with any symmetric block cipher, including triple DES and AES. The modes are summarized in Table 6.1.

6.2. Block Cipher Modes of Operation Electronic Codebook Mode The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key (Figure 6.3).

6.2. Block Cipher Modes of Operation Electronic Codebook Mode For a message longer than b bits, the procedure is simply to break the message into b-bit blocks, padding the last block if necessary. The ECB method is ideal for a short amount of data, such as an encryption key (for example, a DES key). The most significant characteristic of ECB is that the same b-bit block of plaintext. For lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.

6.2. Block Cipher Modes of Operation Cipher Block Chaining Mode To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks. A simple way to satisfy this requirement is the cipher block chaining (CBC) mode (Figure 6.4). Initialization Vector (IV)

6.2. Block Cipher Modes of Operation Cipher Feedback Mode A stream cipher eliminates the need to pad a message to be an integral number of blocks. It also can operate in real time. Thus, if a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher. One desirable property of a stream cipher is that the ciphertext be of the same length as the plaintext. Figure 6.5 depicts the CFB scheme. In the figure, it is assumed that the unit of transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext. In this case, rather than units of b bits, the plaintext is divided into segments of s bits.

6.2. Block Cipher Modes of Operation Output Feedback Mode The output feedback (OFB) mode is similar in structure to that of CFB, as illustrated in Figure 6.6. As can be seen, it is the output of the encryption function that is fed back to the shift register in OFB, whereas in CFB the ciphertext unit is fed back to the shift register.

6.2. Block Cipher Modes of Operation Counter Mode Applications: ATM (asynchronous transfer mode) network security and IPSec (IP security). Figure 6.7 depicts the CTR mode. A counter equal to the plaintext block size is used. The only requirement stated in SP 800-38A is that the counter value must be different for each plaintext block that is encrypted.
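Why the counter must differ for every block, as an added example that is not part of the original slides. It assumes HMAC-SHA256 truncated to one block as a stand-in for the block cipher's encryption function, an 8-byte nonce followed by an 8-byte block counter as the counter layout, and constructed keys and messages; all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 16  # block size b in bytes

def E(key, block):
    # Assumption: truncated HMAC-SHA256 stands in for the block cipher;
    # CTR mode only ever calls the forward (encryption) direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key, nonce, data):
    """CTR encrypt/decrypt (same operation): data XOR E(K, nonce || counter)."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes in this layout")
    out = b""
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(8, "big")
        out += xor(data[i:i + BLOCK], E(key, counter_block))  # last block may be short
    return out

def reused_counter_blocks(messages):
    """Given (nonce, length) per message under ONE key, return counter blocks used twice."""
    seen, reused = set(), set()
    for nonce, length in messages:
        for n in range((length + BLOCK - 1) // BLOCK):
            cb = nonce + n.to_bytes(8, "big")
            (reused if cb in seen else seen).add(cb)
    return reused

# Constructed sample data.
KEY = b"constructed-demo-key"
N1, N2 = b"\x00" * 7 + b"\x01", b"\x00" * 7 + b"\x02"
P1 = b"PAY 0100 EUR TO ACCOUNT 1111-AAAA"
P2 = b"PAY 9900 EUR TO ACCOUNT 2222-BBBB"

def leaks_plaintext_xor(nonce_a, nonce_b):
    """True when the two ciphertexts XOR to the XOR of the plaintexts."""
    c1, c2 = ctr_crypt(KEY, nonce_a, P1), ctr_crypt(KEY, nonce_b, P2)
    return xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("same nonce leaks P1 xor P2:     ", leaks_plaintext_xor(N1, N1))
    print("distinct nonces leak P1 xor P2: ", leaks_plaintext_xor(N1, N2))
    print("reused counter blocks:", len(reused_counter_blocks([(N1, len(P1)), (N1, len(P2))])))
```

`reused_counter_blocks` is the check a reviewer can run over a per-key log of nonces and message lengths; any non-empty result means the SP 800-38A uniqueness requirement was violated.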

6.3. Stream Ciphers and RC4 Stream Cipher Structure A typical stream cipher encrypts plaintext one byte at a time, although a stream cipher may be designed to operate on one bit at a time or on units larger than a byte at a time. Figure 6.8 is a representative diagram of stream cipher structure. In this structure a key is input to a pseudorandom bit generator that produces a stream of 8-bit numbers that are apparently random.

6.3. Stream Ciphers and RC4 Stream Cipher Structure Important design considerations for a stream cipher: The encryption sequence should have a large period. A pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually repeats. The keystream should approximate the properties of a true random number stream as closely as possible. Note from Figure 6.8 that the output of the pseudorandom number generator is conditioned on the value of the input key. To guard against brute-force attacks, the key needs to be sufficiently long. With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length. The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers. Table 6.2 compares execution times of RC4 with three well-known symmetric block ciphers. For applications that require encryption/decryption of a stream of data, such as over a data communications channel or a browser/Web link, a stream cipher might be the better alternative. For applications that deal with blocks of data, such as file transfer, e-mail, and database, block ciphers may be more appropriate.

6.3. Stream Ciphers and RC4 The RC4 Algorithm RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. RC4 is used in the SSL/TLS (Secure Sockets Layer/Transport Layer Security) standards that have been defined for communication between Web browsers and servers. It is also used in the WEP (Wired Equivalent Privacy) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE 802.11 wireless LAN standard. RC4 was kept as a trade secret by RSA Security. The RC4 algorithm is remarkably simple and quite easy to explain. A variable-length key of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte state vector S, with elements S[0], S[1],..., S[255]. At all times, S contains a permutation of all 8-bit numbers from 0 through 255. For encryption and decryption, a byte k (see Figure 6.9) is generated from S by selecting one of the 255 entries in a systematic fashion. As each value of k is generated, the entries in S are once again permuted.

6.3. Stream Ciphers and RC4 The RC4 Algorithm

6.3. Stream Ciphers and RC4 The RC4 Algorithm Strength of RC4 A number of papers have been published analyzing methods of attacking RC4. None of these approaches is practical against RC4 with a reasonable key length, such as 128 bits. Any questions? Thank you!!