Secret Key Cryptography RAIT Madhumita Chatterjee
Algorithm Types
- Stream ciphers: the plaintext is encrypted one bit at a time. Disadvantage: time consuming.
- Block ciphers: a block of bits is encrypted in one go. Disadvantage: repeating text (identical blocks encrypt to identical ciphertext, as the ECB slides below show).

Shannon concepts
- Confusion: the ciphertext gives no clue about the original text. Achieved using substitution.
- Diffusion: spreads the redundancy of the plaintext across rows and columns. Achieved using transposition (permutation).

Algorithm modes
- ECB (Electronic Code Book)
- CBC (Cipher Block Chaining Mode)
- OFB (Output Feedback Mode)
- CFB (Cipher Feedback Mode)
- Stream cipher

Electronic Code Book (ECB)
[Diagram: M1, M2, M3, M4 (64, 64, 64 and 46 bits + pad) each go through ENC independently, giving C1, C2, C3, C4.]

ECB Problem #1
- (M1 == M3) => (C1 == C3): identical plaintext blocks give identical ciphertext blocks.

ECB Problem #2
- Lacks the basic protection against integrity attacks on the ciphertext at message level (i.e., across multiple cipher blocks).
- Without additional integrity protection: cipher block substitution and rearrangement attacks, fabrication of specific information.

Cipher Block Chaining (CBC)
[Diagram: M1..M4 (64, 64, 64, 46 bits + pad); each block is XORed with the previous ciphertext block (the first with the IV, Initialization Vector) before ENC, giving C1..C4.]
- (M1 == M3) very unlikely leads to (C1 == C3).

CBC Decryption
[Diagram: C1..C4 go through DEC; each result is XORed with the previous ciphertext block (the first with the IV) to give M1..M4.]

CBC Vulnerabilities
- Loss of sync of the block boundary garbles the rest of the stream.
- A desired change can be created in decrypted block P_n by sacrificing block P_{n-1} (i.e., by modifying C_{n-1}).

CBC (cont'd)
[Diagram: C_{n-1} and C_n through DEC; P_n = DEC(C_n) XOR C_{n-1}, so a bit flipped in C_{n-1} flips the same bit in P_n while P_{n-1} is garbled.]

Output Feedback Mode (OFB)
- Like a random number generator: the IV is encrypted, the output is encrypted again, and so on; the resulting key stream is XORed with M1..M4 to give C1..C4.

OFB Properties (advantages)
- Allows pre-computing the pseudo-random stream (one-time-pad style); XOR can be implemented very efficiently.
- No error propagation problem as in CBC.
- Allows in-time encrypt/decrypt due to bit-wise computation (versus the fixed blocks).

General k-bit Cipher Feedback Mode (CFB)
[Diagram: the IV goes through ENC; k bits of the output are XORed with k bits of M1 to give C1, and each k-bit ciphertext unit is fed back as input to the next ENC, giving C2, C3, ...]

CFB Properties
- Advantage compared with CBC: with k=8, errors in one byte of ciphertext only affect 8 more bytes beyond it.
- Disadvantage compared with OFB: the random stream can no longer be computed in advance.

Generating MICs
- Send the plaintext together with only the last block of CBC (the CBC residue).
- Any modification of the plaintext modifies the CBC residue.
- Ensures integrity.

CBC Plus Residue
[Diagram: CBC encryption of M1..M4 (64, 64, 64, 46 bits + pad) with the IV; the last output block is the residue.]

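The ECB leak, CBC chaining and the CBC residue check from the slides above, as an added example that is not part of the original deck. A toy 16-bit keyed permutation (toy_cipher, an invented stand-in) replaces DES so the mode logic can be run on its own.

```python
import random

BLOCK = 2  # toy 16-bit blocks (DES uses 64-bit blocks); the mode logic is identical


def toy_cipher(key):
    """Toy block cipher: a key-seeded random permutation of all 2^16 block values (not secure)."""
    enc = list(range(1 << 16))
    random.Random(key).shuffle(enc)
    dec = [0] * (1 << 16)
    for p, c in enumerate(enc):
        dec[c] = p
    return enc, dec


def blocks(data):
    """Split bytes into 16-bit integers; the caller pads to a multiple of BLOCK bytes."""
    assert len(data) % BLOCK == 0, "pad the message first"
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]


def unblocks(ints):
    return b"".join(x.to_bytes(BLOCK, "big") for x in ints)


def ecb_encrypt(enc, pt):
    return unblocks(enc[p] for p in blocks(pt))  # identical P_i give identical C_i


def cbc_encrypt(enc, pt, iv):
    out, prev = [], iv
    for p in blocks(pt):
        prev = enc[p ^ prev]  # C_i = E_K(P_i xor C_{i-1}), with C_0 = IV
        out.append(prev)
    return unblocks(out)


def cbc_decrypt(dec, ct, iv):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(dec[c] ^ prev)  # P_i = D_K(C_i) xor C_{i-1}
        prev = c
    return unblocks(out)


def cbc_residue(enc, pt, iv=0):
    """CBC residue (CBC-MAC): the last CBC block, sent with the plaintext as an integrity check.
    The IV is fixed on purpose so the receiver recomputes exactly the same chain. Since E_K is a
    bijection, changing one block of pt changes that block and every later one, so the residue changes."""
    return cbc_encrypt(enc, pt, iv)[-BLOCK:]


def repeated_blocks(ct):
    """Ciphertext blocks equal to an earlier block: ECB leaks plaintext repetition this way."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))
```

Encrypting a message with a repeated phrase under both modes and comparing repeated_blocks shows the ECB Problem #1 directly; recomputing cbc_residue over a tampered plaintext shows the residue check rejecting it.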
Elementary Cryptography: DES Algorithm

Background & History
- System developed by the US Govt., intended for public use, in 1976.
- Many hardware and software systems were designed with DES.
- Goals were: a high level of security; specified and easy to understand; publishable, available; adaptable to diverse applications; economic to implement in electronic devices; efficient to use and able to be validated.

Generic Block Encryption
- Convert a block to another: one-to-one.
- Long enough to avoid known-plaintext attack: 64 bits typical, nice for RISC.
- Naive approach: 2^64 input values, 64 bits each, total 2^70 bits to store the mapping.
- Output should look random: no correlation between plaintext and ciphertext; bit spreading.

Generic Block Encryption (cont'd)
- Substitution: 2^k values, k * 2^k bits; done by S-boxes, adds confusion.
- Permutation: change the position of each bit, k * log2(k) bits; done by P-boxes, adds diffusion.
- Round: a combination of substitution chunks and a permutation; done often enough so that a bit change can affect every output bit.
- How many rounds? A few but not fewer.

Block Cipher Scheme
[Diagram: plaintext block of length N -> Encrypt (secret key) -> cipher block -> Decrypt (secret key) -> plaintext.]

Overview of the DES
- A block cipher: encrypts blocks of 64 bits using a 64-bit key; outputs 64 bits of ciphertext.
- Key: a 64-bit quantity = 8 parity bits + 56-bit key. Every 8th bit is a parity bit.
- A product cipher: the basic unit is the bit; it performs both substitution and transposition (permutation) on the bits.
- The cipher consists of 16 rounds (iterations), each with a round key generated from the user-supplied key.

Key features
- The sheer complexity of tracing a single bit through 16 iterations of substitutions and transpositions discourages analysis.
- 8 extra bits are used only for parity, so the key is 56 bits long.
- Substitution provides confusion and transposition provides diffusion.
- Uses only standard arithmetic and logical operations, is repetitive, and can be implemented on a single-purpose chip.

Cycles of Substitution and Permutation.

Features: DES
- Data Encryption Standard (DES) encodes plaintext in 64-bit chunks using a 64-bit key (56 bits + 8 parity bits).
- Uses a combination of diffusion and confusion to achieve security.
- Was cracked in 1997.
- Parallel attack: exhaustively search the key space.
- Decryption in DES: it's symmetric! Use KA again as input and then the same keys, except in reverse order.

Overview: DES
- The 64-bit input is permuted.
- 16 stages of identical operation, differing only in the 48-bit key extracted from the 56-bit key (a complex key schedule).
- In round 1, R1 is encrypted with K1 and XORed with L1: R2 = L1 XOR f(R1, K1), L2 = R1, and so on.
- Final inverse permutation stage.

Pictorial Representation For DES

A more detailed picture

DEScription: One Round
- The 64 bits are divided into left and right halves, L_{i-1} and R_{i-1}.
- The right half goes through the function f, mixed with the key.
- The result is added (XORed) to the left half.
- The halves are swapped (except in the last round), giving L_i and R_i.

DEScription: InsiDES
- R_{i-1} is expanded from 32 to 48 bits (some bits get reused).
- 48 bits of key K_i (chosen by the key schedule) are added.
- S-boxes: each set of 6 bits is reduced to 4 (eight S-boxes).
- The P-box permutes the resulting 32 bits to give the output.

DES Top View
[Diagram: 56-bit key -> generate keys K1..K16 (48 bits each). 64-bit input -> initial permutation -> Round 1 (K1) -> Round 2 (K2) -> ... -> Round 16 (K16) -> swap 32-bit halves -> final permutation -> 64-bit output.]

Bit Permutation (1-to-1)
[Diagram: a 32-bit input (e.g. 0 0 1 0 1 ...) is permuted so that each output bit comes from exactly one input bit, e.g. output bits taken from input positions 22, 6, 13, 32, 3, ...; 32 bits in, 32 bits out.]

Bits Expansion (1-to-m)
[Diagram: a 32-bit input (e.g. 0 0 1 0 1 1 ...) is expanded to 48 output bits (e.g. 1 0 0 1 0 1 0 1 1 0 ...); some input bits are copied to more than one output position.]

Initial and Final Permutations
- Initial permutation (IP): view the input as M, an 8(-byte) by 8(-bit) matrix.
- Transform M into M1 in two steps:
  - Transpose row x into column (9-x), 0 < x < 9.
  - Apply a permutation on the rows: for even column y, it becomes row y/2; for odd column y, it becomes row (5 + y/2).
- Final permutation FP = IP^-1.

Per-Round Key Generation
- Initial permutation of the DES key, split into C_{i-1} (28 bits) and D_{i-1} (28 bits).
- Each half is circularly left shifted once per round (rounds 1, 2, 9, 16: a single shift; the others: two bits), giving C_i and D_i (28 bits each).
- A permutation with discard produces the 48-bit round key K_i.

A DES Round (one round of encryption)
[Diagram: L_n (32 bits), R_n (32 bits). R_n -> E (48 bits) -> XOR with 48-bit K_i -> S-boxes -> P (32 bits), together the mangler function; the result is XORed with L_n. L_{n+1} = R_n, R_{n+1} = L_n XOR f(R_n, K_i).]

A Full Picture Of DES

Cycles of Substitution and Permutation.

A Cycle in the DES.

Types of Permutations.

Details of a Cycle.

Pattern of Expansion Permutation.

Mangler Function
[Diagram: the 48-bit input is split into eight 6-bit chunks for S1..S8, each producing 4 bits; the 32 bits then go through the permutation.]
- The permutation produces "spread" among the chunks/S-boxes!

S-Box (Substitute and Shrink)
- 48 bits ==> 32 bits (8*6 ==> 8*4), S_i for i = 1, ..., 8.
- Input bits I1..I6, output bits O1..O4.
- 2 bits (the row) select amongst 4 substitutions for the rest, a 4-bit quantity (the column).

S1: one of the S-boxes
Each row and each column contains different numbers. (Columns 9 to 15 are not shown on the slide.)

 row\col  0   1   2   3   4   5   6   7   8  ...  15
   0     14   4  13   1   2  15  11   8   3  ...
   1      0  15   7   4  14   2  13   1  10  ...
   2      4   1  14   8  13   6   2  11  15  ...
   3     15  12   8   2   4   9   1   7   5  ...

Example: input 100110, output: ???

8 S-Boxes
- The logic behind the selection of the S-boxes remains an unpublished secret.
- Is it a good idea, technically, to publish it?

Decryption
- Apply the same operations, with the keys in reverse order (K16, K15, ..., K1).
- Input: R_{n+1} | L_{n+1} (due to the "swap" operation); output: R_n | L_n.
- The swap operation at the end produces the correct result: L | R.

DESign Principles: Inverses
- Equations for round i (shown on the slide as a figure mapping L_{i-1}, R_{i-1} to L_i, R_i).
- In other words: decryption is the same as encryption.
- Last round, no swap: it really is the same.

DES's Problem
- Considered too weak.
- Design decisions not public; the S-boxes may have backdoors.
- Diffie and Hellman's prediction: "in a few years technology would allow DES to be broken in days".
- A design using 1999 technology was published.

MoDES of Operation
- ECB, Electronic CodeBook mode: encrypt each 64-bit block independently. An attacker could build a codebook.
- CBC, Cipher Block Chaining mode: encryption C_i = E_K(P_i XOR C_{i-1}); decryption P_i = C_{i-1} XOR D_K(C_i).
- CFB, OFB (Cipher FeedBack, Output FeedBack): allow byte-wise encryption.

PeDEStrian attacks
- Obvious attack: guess the key. 2^56 keys; with the complementation property, 2^55 keys.
- At 1 million keys per second: 1100 years.
- Store E_K(P1) for all K: 512 petabytes.
- Time/memory tradeoff (Hellman, 1980): 1 terabyte, 5 days.

DEStroying Security
- Differential cryptanalysis (1990): say you know plaintext/ciphertext pairs.
- Difference dP = P1 XOR P2, dC = C1 XOR C2.
- The distribution of dC's given dP may reveal the key.
- Need lots of pairs to get lots of good dP's.
- Look at pairs, build up the key in pieces: could find some bits, brute-force the rest.

DEServing of Praise
- Against 8-round DES, the attack requires 2^14 = 16,384 chosen plaintexts, or 2^38 known plaintext-ciphertext pairs.
- Against 16-round DES, the attack requires 2^47 chosen plaintexts, or roughly 2^55.1 known plaintext-ciphertext pairs.
- Differential cryptanalysis is thus not effective.

DESperate measures
- Linear cryptanalysis: look at the algorithm structure and find places where, if you XOR plaintext and ciphertext bits together, you get key bits.
- S-boxes are not linear, but can be approximated.
- Needs 2^43 known pairs; the best known attack.
- DES apparently was not optimized against this. Still, not an easy-to-mount attack.

DESuetude
- The "weakest link" is the size of the key.
- Attacks take advantage of encryption speed.
- 1993: Wiener: $1M machine, 3.5 hours.
- 1998: EFF's Deep Crack: $250,000; 92 billion keys per second; 4 days on average.
- 1999: distributed.net: 23 hours.
- OK for some things (e.g., a short time horizon).
- DES sliDES into wiDESpread DESuetude.

Triple-DES
- Run DES three times (ECB mode). If K2 = K3, this is single DES: backwards compatibility.
- Known not to be just DES with some single key K4 (1992).
- Has 112 bits of security, not 3 * 56 = 168.

What's wrong with Double-DES?
- Why? What's the attack?

DESpair
- Double-DES: C_i = E_B(E_A(P_i)).
- Given P1, C1: note that D_B(C1) = E_A(P1).
- Make a list of every E_K(P1). Try each L: if D_L(C1) = E_K(P1), then maybe K = A, L = B. (2^48 L's might work.)
- Test with P2, C2: if it checks, it was probably right.
- Time roughly 2^56. Memory very large.

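A toy Feistel cipher, added here as an example that is not part of the original deck, to show two points at once: the "DESign Principles: Inverses" slide (decryption is the same routine with the round keys reversed, no swap after the last round) and this slide's meet-in-the-middle argument for why double encryption gives far less than twice the key length. Halves, rounds and keys are shrunk to 16 bits / 4 rounds so the search finishes in seconds; the mangler function f and the key schedule are invented for the example.

```python
import hashlib

HALF_BITS, HALF_MASK, ROUNDS, KEY_BITS = 16, 0xFFFF, 4, 16  # toy sizes (DES: 32-bit halves, 16 rounds, 56-bit key)


def f(right, round_key):
    """Toy mangler function. Any keyed function will do: the Feistel structure makes it invertible."""
    data = right.to_bytes(2, "big") + round_key.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def round_keys(key):
    """Toy key schedule: one 16-bit subkey per round derived from the 16-bit key."""
    return [((key * 0x9E37) + (i + 1) * 0x3C6F) & HALF_MASK for i in range(ROUNDS)]


def feistel(block, subkeys):
    """L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i); the swap is undone after the last round."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << HALF_BITS) | left


def encrypt(block, key):
    return feistel(block, round_keys(key))


def decrypt(block, key):
    return feistel(block, round_keys(key)[::-1])  # same operations, keys in reverse order


def double_encrypt(block, key_a, key_b):
    return encrypt(encrypt(block, key_a), key_b)  # C = E_B(E_A(P))


def meet_in_the_middle(p1, c1, p2, c2):
    """Recover (A, B) for C = E_B(E_A(P)) with about 2 * 2^16 cipher calls instead of 2^32:
    table every E_K(P1), look each D_L(C1) up in it, and confirm candidates on a second pair."""
    table = {}
    for a in range(1 << KEY_BITS):
        table.setdefault(encrypt(p1, a), []).append(a)  # list: different keys may collide here
    for b in range(1 << KEY_BITS):
        for a in table.get(decrypt(c1, b), []):
            if double_encrypt(p2, a, b) == c2:
                return a, b
    return None
```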
DES's Undesirable Properties
- 4 weak keys (they are their own inverses).
- 12 semi-weak keys (each has another semi-weak key as its inverse).
- Complementation property: if DES_k(m) = c then DES_{k'}(m') = c', where ' denotes the bitwise complement.
- S-boxes exhibit irregular properties: the distribution of odd and even numbers is non-random; the outputs of the fourth box depend on the input to the third box.