Data Security and Encryption (CSE348), Lecture # 9

Review
– Data Encryption Standard (DES)
– Strengths of DES
– Differential & Linear Cryptanalysis
– block cipher design principles

DES Encryption Overview

The overall scheme for DES encryption is illustrated in Stallings Figure, which takes as input 64 bits of data and of key.

The left side shows the basic process for enciphering a 64-bit data block, which consists of:
– an initial permutation (IP) which shuffles the 64-bit input block
– 16 rounds of a complex key-dependent round function involving substitutions & permutations
– a final permutation, being the inverse of IP

The right side shows the handling of the 56-bit key and consists of:
– an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in two 28-bit halves
– 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves

Initial Permutation IP

The initial permutation and its inverse are defined by Tables 3.2a and 3.2b. The tables are to be interpreted as follows:
– The input to a table consists of 64 bits numbered left to right from 1 to 64
– The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64
– Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits

Bit numbering for DES reflects IBM mainframe practice and is the opposite of what we now mostly use: bits are numbered from bit 1 (leftmost, most significant) to bit 32/48/64 etc. (rightmost, least significant). Example values are specified using hexadecimal. For example, a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”.

– first step of the data computation
– IP reorders the input data bits
– even bits to LH half, odd bits to RH half
– quite regular in structure (easy in h/w)
– example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
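
Added example (not from the lecture slides): the IP table is generated from the "even bits to LH half, odd bits to RH half" structure described above, then applied to the slide's plaintext value and inverted. The function names are chosen for this illustration.

```python
# Added illustration (not from the lecture): DES initial permutation IP.

def build_ip_table():
    """Build the 64-entry IP table from its regular structure.

    Entries are 1-based input bit numbers, bit 1 being the most significant.
    """
    table = []
    # Output bytes 1-4 take the even bit positions (2, 4, 6, 8) of each input
    # byte, output bytes 5-8 the odd positions (1, 3, 5, 7); within an output
    # byte the input bytes are read from byte 8 down to byte 1.
    for pos in (2, 4, 6, 8, 1, 3, 5, 7):
        for byte in range(8, 0, -1):
            table.append((byte - 1) * 8 + pos)
    return table


IP = build_ip_table()
# Inverse table: IP put input bit i at output position IP.index(i) + 1,
# so the inverse permutation reads bit i back from that position.
IP_INV = [IP.index(i) + 1 for i in range(1, 65)]


def permute64(block, table):
    """Apply a 64-entry DES permutation table to a 64-bit integer."""
    out = 0
    for src in table:
        out = (out << 1) | ((block >> (64 - src)) & 1)
    return out


def initial_permutation(block):
    return permute64(block, IP)


def final_permutation(block):
    return permute64(block, IP_INV)


def halves(block):
    """Format a 64-bit value as left and right 32-bit halves in hex."""
    return f"{block >> 32:08x} {block & 0xFFFFFFFF:08x}"


if __name__ == "__main__":
    plaintext = 0x675A69675E5A6B5A          # value used on the slide
    permuted = initial_permutation(plaintext)
    print("IP   :", halves(permuted))
    print("IP^-1:", halves(final_permutation(permuted)))
```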

DES Round Structure

We now review the internal structure of the DES round function F, which takes the R half & subkey and processes them. The round key $K_i$ is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits. The resulting 48 bits are XORed with $K_i$. This 48-bit result passes through a substitution function that produces a 32-bit output, which is permuted as defined by Table 3.2d. This follows the classic structure for a Feistel cipher.

The S-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”.

– uses two 32-bit L & R halves
– as for any Feistel cipher can describe as:
  $L_i = R_{i-1}$
  $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
– F takes 32-bit R half and 48-bit subkey:
  – expands R to 48 bits using perm E
  – adds to subkey using XOR
  – passes through 8 S-boxes to get 32-bit result
  – finally permutes using 32-bit perm P

Substitution Boxes S

The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. These transformations are defined in Stallings Table which is interpreted as follows:
– The first and last bits of the input to box Si form a 2-bit binary number to select one of four substitutions defined by the four rows in the table for Si
– The middle four bits select one of the sixteen columns
– The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output

E.g., in S1, for input , the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is

The example lists 8 6-bit values: 18 in hex is in binary, 09 hex is binary, 12 hex is binary, 3d hex is binary etc., each of which is replaced following the process detailed above using the appropriate S-box.

DES Key Schedule

The DES key schedule generates the subkeys needed for each data encryption round. A 64-bit key is used as input to the algorithm, though every eighth bit is ignored, as indicated by the lack of shading in Table 3.4a. It is first processed by Permuted Choice One (Stallings Table 3.4b). The resulting 56-bit key is then treated as two 28-bit quantities C & D. In each round, these are separately processed through a circular left shift (rotation) of 1 or 2 bits as shown in Stallings Table 3.4d. These shifted values serve as input to the next round of the key schedule. They also serve as input to Permuted Choice Two (Stallings Table 3.4c), which produces a 48-bit output that serves as input to the round function F.

The 56-bit key size comes from security considerations as we know now. It was big enough so that an exhaustive key search was about as hard as the best direct attack (a form of differential cryptanalysis called a T-attack, known by the IBM & NSA researchers), but no bigger. The extra 8 bits were then used as parity (error detecting) bits, which makes sense given the original design use for hardware communications links. However, we hit an incompatibility with simple s/w implementations, since the top bit in each byte is 0 (since ASCII only uses 7 bits) but the DES key schedule throws away the bottom bit.

DES Decryption

As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order SK16 .. SK1. If you trace through the DES overview diagram, you can see how each decryption step top to bottom with reversed subkeys undoes the equivalent encryption step moving from bottom to top.

– decrypt must unwind steps of data computation
– with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
  – IP undoes final FP step of encryption
  – 1st round with SK16 undoes 16th encrypt round
  – ….
  – 16th round with SK1 undoes 1st encrypt round
  – then final FP undoes initial encryption IP
  – thus recovering original data value
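
Added example (not from the lecture slides): a 16-round Feistel network showing that the same routine decrypts when the subkeys are supplied in reverse order, even though the round function is not invertible. The round function and key schedule here are hash-based stand-ins, not DES's F or key schedule, and IP/FP are omitted.

```python
# Added illustration (not from the lecture): Feistel decryption by
# reversing the subkey order. round_function and make_subkeys are
# hypothetical stand-ins, not the DES definitions.
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def round_function(r_half, subkey):
    """Stand-in for F(R, K): 32-bit R and 48-bit K in, 32 bits out."""
    data = r_half.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def make_subkeys(key):
    """Toy key schedule: sixteen 48-bit subkeys derived from `key` bytes."""
    keys = []
    for i in range(ROUNDS):
        digest = hashlib.sha256(key + bytes([i])).digest()
        keys.append(int.from_bytes(digest[:6], "big"))
    return keys


def feistel(block, subkeys):
    """Run L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i) for each subkey."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # Swap the halves at the end, as DES does, so that running the same
    # routine with the subkeys reversed undoes every round in turn.
    return (right << 32) | left


def encrypt(block, key):
    return feistel(block, make_subkeys(key))


def decrypt(block, key):
    return feistel(block, make_subkeys(key)[::-1])


if __name__ == "__main__":
    key = b"constructed-key"                 # sample key for the demo
    plaintext = 0x0123456789ABCDEF
    ciphertext = encrypt(plaintext, key)
    print(f"ciphertext: {ciphertext:016x}")
    print(f"decrypted : {decrypt(ciphertext, key):016x}")
```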

Chapter 5 – Advanced Encryption Standard

"It seems very simple."
"It is very simple. But if you don't know what the key is it's virtually indecipherable."
—Talking to Strange Men, Ruth Rendell

Origins

The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in 2001. AES is a symmetric block cipher that is intended to replace DES as the approved standard for a wide range of applications.

The AES cipher (& other candidates) form the latest generation of block ciphers. Now we see a significant increase in the block size, from the old standard of 64 bits up to 128 bits, and keys from 128 to 256 bits. In part this has been driven by the public demonstrations of exhaustive key searches of DES. Whilst triple-DES is regarded as secure and well understood, it is slow, especially in s/w.

In a first round of evaluation, 15 proposed algorithms were accepted. A second round narrowed the field to 5 algorithms. NIST completed its evaluation process and published a final standard (FIPS PUB 197) in November of 2001. NIST selected Rijndael as the proposed AES algorithm. The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen.

– clear a replacement for DES was needed
  – have theoretical attacks that can break it
  – have demonstrated exhaustive key search attacks
– can use Triple-DES, but slow, has small blocks
– US NIST issued call for ciphers in candidates accepted in Jun 98
– 5 were shortlisted in Aug-99
– Rijndael was selected as the AES in Oct-2000
– issued as FIPS PUB 197 standard in Nov

The AES Cipher - Rijndael

The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128, 192, or 256 bits. The AES specification uses the same three key size alternatives but limits the block length to 128 bits.

Rijndael is an academic submission, based on the earlier Square cipher, from Belgian academics Dr Joan Daemen and Dr Vincent Rijmen. It is an iterative cipher (operates on the entire data block in every round) rather than Feistel (operates on halves at a time). It was designed to have characteristics of:
– Resistance against all known attacks
– Speed and code compactness on a wide range of platforms
– Design simplicity

– designed by Rijmen-Daemen in Belgium
– has 128/192/256 bit keys, 128 bit data
– an iterative rather than Feistel cipher
  – processes data as block of 4 columns of 4 bytes
  – operates on entire data block in every round
– designed to be:
  – resistant against known attacks
  – speed and code compactness on many CPUs
  – design simplicity

[Figure: AES Encryption Process]

AES Structure

The input to the AES encryption and decryption algorithms is a single 128-bit block, depicted in FIPS PUB 197 as a square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption. After the final stage, State is copied to an output. The key is expanded into 44/52/60 lots of 32-bit words, with 4 used in each round.

The ordering of bytes within a matrix is by column. So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second column, and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix.

The data computation then consists of an “add round key” step, then 9/11/13 rounds with all 4 steps, and a final 10th/12th/14th step of byte subs + mix cols + add round key. This can be viewed as alternating XOR key & scramble data bytes operations. All of the steps are easily reversed, and can be efficiently implemented using XORs & table lookups.

– data block of 4 columns of 4 bytes is state
– key is expanded to array of words
– has 9/11/13 rounds in which state undergoes:
  – byte substitution (1 S-box used on every byte)
  – shift rows (permute bytes between groups/columns)
  – mix columns (subs using matrix multiply of groups)
  – add round key (XOR state with key material)
  – view as alternating XOR key & scramble data bytes
– initial XOR key material & incomplete last round
– with fast XOR & table lookup implementation

[Figure 5.3: AES Encryption and Decryption]

Stallings Figure 5.3 shows the structure of AES in more detail. The cipher consists of N rounds, where the number of rounds depends on the key length:
– 10 rounds for a 16-byte key
– 12 rounds for a 24-byte key
– 14 rounds for a 32-byte key

The first N – 1 rounds consist of four distinct transformation functions, which are described subsequently:
– SubBytes
– ShiftRows
– MixColumns
– AddRoundKey

The final round contains only 3 transformations. There is an initial single transformation (AddRoundKey) before the first round, which can be considered Round 0. Each transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output.

Figure 5.1 shows that the output of each round is a 4 x 4 matrix, with the output of the final round being the ciphertext. Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 x 4 matrix. Each round key serves as one of the inputs to the AddRoundKey transformation in each round.

Some Comments on AES
1. an iterative rather than Feistel cipher
2. key expanded into array of 32-bit words
   – four words form round key in each round
3. 4 different stages are used as shown
4. has a simple structure
5. only AddRoundKey uses key
6. AddRoundKey a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages

Four Stages of AES

Four different stages are used, one of permutation and three of substitution:
– Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
– ShiftRows: A simple permutation
– MixColumns: A substitution that makes use of arithmetic over
– AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key

Substitute Bytes

We now turn to a discussion of each of the four transformations used in AES. For each stage, we mention the forward (encryption) algorithm, the inverse (decryption) algorithm, and the rationale for the design of that stage.

The Substitute bytes stage uses an S-box to perform a byte-by-byte substitution of the block. There is a single 8-bit wide S-box used on every byte. This S-box is a permutation of all bit values, constructed using a transformation which treats the values as polynomials in the finite field GF(2^8); however, it is fixed, so really only need to know the table when implementing. Decryption requires the inverse of the table. These tables are given in Stallings Table 5.2.

The table was designed to be resistant to known cryptanalytic attacks. Specifically, the Rijndael developers sought a design that has a low correlation between input bits and output bits, with the property that the output cannot be described as a simple mathematical function of the input, with no fixed points and no “opposite fixed points”.

– a simple substitution of each byte
– uses one table of 16x16 bytes containing a permutation of all bit values
– each byte of state is replaced by byte indexed by row (left 4 bits) & column (right 4 bits)
  – e.g. byte {95} is replaced by byte in row 9 column 5
  – which has value {2A}
– S-box constructed using defined transformation of values in GF(2^8)
– designed to be resistant to all known attacks

As the diagram from Stallings Fig 5.5a shows, the Byte Substitution operates on each byte of state independently, with the input byte used to index a row/col in the table to retrieve the substituted value.

[Figure 5.5a: example of the SubBytes transformation from the text]
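
Added example (not from the lecture slides): the S-box is generated from its GF(2^8) definition instead of being typed in as a table, then checked against the slide's {95} → {2A} entry and the "no fixed points" properties. It goes beyond the slides in spelling out the construction (multiplicative inverse followed by the affine transformation with constant {63}, as in FIPS PUB 197); the function names are chosen for this illustration.

```python
# Added illustration (not from the lecture): building the AES S-box.

def gf_mul(a, b):
    """Multiply two bytes as polynomials in GF(2^8), mod x^8+x^4+x^3+x+1."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B            # reduce by the AES field polynomial
        b >>= 1
    return product


def gf_inverse(a):
    """Multiplicative inverse in GF(2^8); {00} is mapped to itself."""
    if a == 0:
        return 0
    result = 1
    for _ in range(254):          # a^254 == a^-1 because a^255 == 1
        result = gf_mul(result, a)
    return result


def rotl8(x, n):
    """Rotate a byte left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def build_sbox():
    """Inverse in GF(2^8), then the affine transformation with constant {63}."""
    table = []
    for x in range(256):
        b = gf_inverse(x)
        table.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3)
                     ^ rotl8(b, 4) ^ 0x63)
    return table


SBOX = build_sbox()
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x             # decryption uses the inverse table


def sbox_lookup(byte):
    """Index the 16x16 table by row (left 4 bits) and column (right 4 bits)."""
    row, col = byte >> 4, byte & 0x0F
    return SBOX[16 * row + col]


def sub_bytes(state):
    return bytes(SBOX[b] for b in state)


def inv_sub_bytes(state):
    return bytes(INV_SBOX[b] for b in state)


def fixed_points():
    """Bytes with S(x) == x."""
    return [x for x in range(256) if SBOX[x] == x]


def opposite_fixed_points():
    """Bytes with S(x) == bitwise complement of x."""
    return [x for x in range(256) if SBOX[x] == x ^ 0xFF]


if __name__ == "__main__":
    print(f"S({{95}}) = {{{sbox_lookup(0x95):02X}}}")
    print("fixed points:", fixed_points(), opposite_fixed_points())
```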

Shift Rows

The ShiftRows stage provides a simple “permutation” of the data, whereas the other steps involve substitutions. Further, since the state is treated as a block of columns, it is this step which provides for diffusion of values between columns. It performs a circular rotate on each row of 0, 1, 2 & 3 places for respective rows. When decrypting, it performs the circular shifts in the opposite direction for each row. This row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes, and ensures that the 4 bytes of one column are spread out to four different columns.

– a circular byte shift in each
  – 1st row is unchanged
  – 2nd row does 1 byte circular shift to left
  – 3rd row does 2 byte circular shift to left
  – 4th row does 3 byte circular shift to left

Inverse Shift Rows

– Decrypt inverts using shifts to right
– since state is processed by columns, this step permutes bytes between the columns

The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so on.
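
Added example (not from the lecture slides): the column-by-column State layout together with ShiftRows and InvShiftRows, including a check that the four bytes of one input column land in four different columns. The input block is constructed so that each byte's value equals its position, and the function names are chosen for this illustration.

```python
# Added illustration (not from the lecture): AES state layout and ShiftRows.

def to_state(block):
    """Copy a 16-byte block into a 4x4 state, filling column by column."""
    if len(block) != 16:
        raise ValueError("AES operates on 128-bit (16-byte) blocks")
    return [[block[row + 4 * col] for col in range(4)] for row in range(4)]


def from_state(state):
    """Read the state back out column by column."""
    return bytes(state[row][col] for col in range(4) for row in range(4))


def shift_rows(state):
    """Rotate row r left by r bytes (the first row is unchanged)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def inv_shift_rows(state):
    """Rotate row r right by r bytes, undoing shift_rows."""
    return [row[4 - r:] + row[:4 - r] for r, row in enumerate(state)]


def destination_columns(col):
    """Columns in which the four bytes of input column `col` end up."""
    block = bytes(range(16))                 # byte value == input position
    shifted = shift_rows(to_state(block))
    wanted = set(block[4 * col: 4 * col + 4])
    return [c for r in range(4) for c in range(4) if shifted[r][c] in wanted]


if __name__ == "__main__":
    block = bytes(range(16))                 # constructed sample input
    state = to_state(block)
    for row in shift_rows(state):
        print(" ".join(f"{b:02x}" for b in row))
    print("column 0 spreads to columns", destination_columns(0))
    print("round trip ok:",
          from_state(inv_shift_rows(shift_rows(state))) == block)
```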

Summary
– DES review
– the AES selection process
– the details of Rijndael – the AES cipher
– looked at the steps in each round
– Out of four AES stages, first two are discussed:
  – Substitute bytes
  – Shift Rows