Information Security and Management 3. Block Ciphers and the Data Encryption Standard Chih-Hung Wang Fall

Block Ciphers and Stream Ciphers ▫Block ciphers is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. ▫like a substitution on very big characters  64/128-bits or more ▫Stream ciphers is one that encrypts a digital data stream one bit or one byte at a time. ▫Many current ciphers are block ciphers 2 Block Cipher Principles

Block Ciphers and Stream Ciphers 3

Motivation Reversible Mapping PlaintextCiphertext Reversible Mapping PlaintextCiphertext Irreversible Mapping

A General Substitution Cipher If a small block size, such n=4, is used, then the system is equivalent to a classical substitution cipher.  are vulnerable to statistical analysis of the plaintext. An arbitrary reversible substitution cipher for a large block size is not practical. 5

6 A General Substitution Cipher The size of key is For a 64-bits block, key size is bits

most symmetric block ciphers are based on a Feistel Cipher Structure Feistel proposed the use of a cipher that alternates substitutions and permutations needed since must be able to decrypt ciphertext to recover messages efficiently block ciphers look like an extremely large substitution would need table of 2 64 entries for a 64-bit block instead create from smaller building blocks using idea of a product cipher 7 Block Cipher Principles

in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks ▫modern substitution-transposition product cipher these form the basis of modern block ciphers S-P networks are based on the two primitive cryptographic operations we have seen before: ▫substitution (S-box) ▫permutation (P-box) provide confusion and diffusion of message 8 Claude Shannon and Substitution- Permutation Ciphers

Cipher needs to completely obscure statistical properties of original message a one-time pad does this more practically Shannon suggested combining elements to obtain: diffusion – the statistical structure of the plaintext is dissipated into long range statistics of the ciphertext confusion – makes relationship between ciphertext and key as complex as possible 9 Diffusion and Confusion

Horst Feistel devised the feistel cipher ▫based on concept of invertible product cipher Partitions input block into two halves ▫The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Implements Shannon’s substitution- permutation network concept 10 Feistel Cipher Structure

11 Feistel Cipher Structure

Block size ▫larger block sizes mean greater security but reduced e/d speed Key size ▫increasing size improves security, makes exhaustive key searching harder, but may slow cipher Number of rounds ▫a single round offers inadequate security ▫increasing number improves security, but slows cipher Subkey generation ▫greater complexity should lead to greater difficulty of cryptanalysis Round function ▫greater complexity means greater resistance to cryptanalysis Fast software encryption/decryption Ease of analysis ▫DES does not have an easily analyzed functionality 12 Feistel Cipher Design Principles

Feistel Cipher Decryption Use the ciphertext as input to the algorithm, but use subkey K i in reverse order. 13 Decryption

14 Feistel Cipher Decryption

15 General Form of Feistel Cipher

History ▫National Bureau of Standards (now the National Institute of Standards and Technology:NIST) 1977-> as Federal Information Processing Standard 46(FIPS PUB 46) ▫1960:IBM LUCIFER project 16 Data Encryption Standard (DES)

Critique ▫The key length  In IBM’s original LUCIFER algorithm is 128 bits, but that of the proposed system was only 56 bits. ▫Design Criteria for the internal structure  S-boxes  Any hidden weak points that could enable NSA to decipher message without benefit the key?  Differential cryptanalysis -> DES has a very strong internal structure 17 DES

Not Secure? ▫DES has flourished and is widely used, especially in financial applications ▫In 1994, NIST reaffirmed DES for federal use for another five years ▫NIST recommends the use of DES for applications other than protection of classified information 18 DES

Data are encrypted in 64-bit blocks using 56 bit key. Transforms 64-bit input in a series of steps into 64-bit output. 19 DES Encryption

20 The Structure of Block Cipher Plaintext Ciphertext n bits K 1 K 2 K t Key k bits Weak cipher Sub-key generator Weak cipher Weak cipher …... 1-st round 2-nd roundt-th round

21 General Depiction

22 Details of Single Round

L i = R i-1 ; R i = L i-1 ⊕ f(R i-1, K i ) (i=1…15) L i = L i-1 ⊕ f(R i-1, K i ) ; R i = R i-1 (i=16) 23 Details of Single Round

24 Feistel Encryption IP Input 1,2,3,… ….. 64 R0R0 1,2,3,…. … 32 L0L0 f R1R1 L1L1 k1k1 f R2R2 L2L2 k2k2 f RiRi LiLi kiki f R 16 1,2,3,…. … 32 L 16 1,2,3,…. … 32 k 16 Output 1,2,3,… ….. 64 IP -1

25 IP and IP -1 IP (Initial Permutation) IP -1 (Inverse Initial Permutation)

26 Expansion & Permutation Expansion (E) Permutation (P)

27 Calculation of F(R,K) E S1S1 S2S2 S3S3 S4S4 S5S5 S6S6 S7S7 S8S8 48 bitsSubkey k i (48bits) R (32 bits) P Output F (32 bits)

28 S-box (EX. S1) row column

29 Key Generation PC-1 56-bit Key 1,2,3,..… …….. 64 Left shift PC-2 k1k1 Left shift PC-2 kiki Left shift PC-2 k 16 C0C0 1,2,3 ….. 28 D0D0 C1C1 D1D1 CiCi DiDi D 16 1,2,3 ….. 28 C 16 1,2,3 …

30 Key Generation

Decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed. ▫K16, K15, …, K1 31 DES Decryption

DES Example 32

DES exhibits a strong avalanche effect ▫Two plaintexts differ by one bit ▫Two keys differ by one bit 33 The Avalanche Effect (a)Change in Plaintext (1 bits) Round Number of bits that differ (b) Change in Key (1 bits) Round Number of bits that differ

DES Avalanche Effect-Change in Plaintext 34

DES Avalanche Effect-Change in Key 35

56-bit DES ▫1977 Diffie & Hellman  Parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond.  Average search time down to about 10 hours  The cost would be about $20 million 36 The Strength of DES

▫1993 Wiener  Key search rate of 50 million keys per second  Design a module that costs $100,000 and contains 5750 key search chips 37 The Strength of DES Key search machine Unit Cost Expected search time $100,00035 hours $1,000, hours $10,000,00021 minutes

RSA Laboratories ▫The Challenge  Offered a $10,000 reward, was to find a DES key given a ciphertext for a plaintext consisting of an unknown plaintext message preceeded by three known blocks of text containing the 24-character phrase “the unknown message is:”  January 29, 1997, developed a brute-force program and distributed it over the internet.  The project linked numerous machines over the Internet and eventually grew to over 70,000 systems  Ended 96 days later when the correct key was found after examining about one-quarter of all possible keys. 38 The Strength of DES

Differential Cryptanalysis ▫Biham and Shamir [1993] [BIHA93]  Can successfully cryptanalyze DES with an effort on the order 2 47, requiring 2 47 chosen plaintexts (brute-force method: 2 55 )  Not very well. The differential cryptanalysis was known to the IBM team as early as ▫Linear Cryptanalysis ▫Weak keys; Semi-weak keys 39 Cryptanalysis of DES

A statistical attack against Feistel ciphers Uses cipher structure not previously used Design of S-P networks has output of function f influenced by both input & key Hence cannot trace values back through cipher without knowing values of the key Differential Cryptanalysis compares two related pairs of encryptions 40 Differential Cryptanalysis

With a known difference in the input Searching for a known difference in output When same subkeys are used 41 Differential Cryptanalysis Compares Pairs of Encryptions

42 Differential Cryptanalysis (Three Round of DES)

Another recent development Also a statistical method Must be iterated over rounds, with decreasing probabilities Developed by Matsui et al in early 90's [MATS93] Based on finding linear approximations Can attack DES given 2 47 known plaintexts, still infeasible as an attack on DES 43 Linear Cryptanalysis

Basic principles still like Feistel in 1970’s DES design criteria [COPP94] (Coppersmith) Number of rounds ▫The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. Design of function F: ▫S-box design ▫Provides “confusion”, is nonlinear, avalanche Key schedule ▫Complex subkey creation, key (strict) avalanche, bit independence [ADAM94] 44 Block Cipher Design Principles

45 Block Cipher Modes 64 bits … Plaintext M DES Cipher Ciphertext C Apply DES in Multiple Data Blocks

Four modes have been defined (FIPS PUB 74, 81) ▫Electronic Codebook (ECB) ▫Cipher Block Chaining (CBC) ▫Cipher Feedback (CFB) ▫Output Feedback (OFB) NIST has expanded the list of recommended modes to five in special Publication A ▫** Counter (CTR) 46 Block Cipher Modes

47 ECB

Each block of 64 plaintext bits is encoded independently using the same key Typical Application ▫Secure transmission of single values (e.g., an encryption key) 48 ECB

Security ▫For lengthy messages, the ECB mode may not be secure.  If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.  For example: the message always starts out with certain predefined fields.  The message has repetitive elements, with a period of repetition a multiple of 64 bits. 49 ECB

50 CBC

The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. Typical Application ▫General-purpose block-oriented transmission 51 CBC

Expression ▫Encryption  C n = E K (C n-1 P n ) ▫Decryption  D K [C n ] = D K [E K (C n-1 P n ) = (C n-1 P n ) => C n-1 D K [C n ] = C n-1 C n-1 P n = P n 52 CBC

IV: initialization vector ▫Must be known to both the sender and receiver. ▫IV should be protected as well as the key. ▫This should be done by sending the IV using ECB encryption ▫If an opponent can predictably change bits in IV, the corresponding bits of the received value of P 1 can be changed. 53 CBC

Encryption 54 CFB

Decryption 55 CFB

5e book (CFB) 56

Input is processed J bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of ciphertext. Typical Application ▫General-purpose stream-oriented transmission ▫Authentication 57 CFB

Stream Cipher ▫It is possible to convert DES into a stream cipher, using either CFB or OFB. ▫A stream cipher eliminates the need to pad a message to be an integral number of blocks. ▫A stream cipher can operate in real time. 58 CFB

Encryption 59 OFB

Decryption 60 OFB

5e book OFB 61

Similar to CFB, except that the input to the encryption algorithm is the preceding DES output. Typical Application ▫Stream-oriented transmission over noisy channel (e.g., satellite communication) 62 OFB

Advantage ▫Bit errors in transmission do not propagate. If a bit error occurs in C 1, only the recovered value of P 1 is affected. Disadvantage ▫It is more vulnerable to a message stream modification attack than is CFB. 63 OFB

Counter Mode (CTR) Encryption 64

CTR Decryption 65

This mode was proposed early on [DIFF79] Applications to ATM (asynchronous transfer mode) network security and IPSec (IP Security) Advantages [LIPM00] ▫Hardware efficiency ▫Software efficiency ▫Preprocessing ▫Random access ▫Provable ▫Simplicity 66 CTR

5e book CTR 67