1
Chapter 6: More on Symmetric Ciphers
NUIST School of Computer and Software Jian Shen, PhD, Professor
2
6.1. Multiple Encryption and Triple DES
DES -- brute-force attack
One approach is AES.
Another alternative is to use multiple encryption with DES and multiple keys: the triple DES (3DES) approach.
The simplest form of multiple encryption has two encryption stages and two keys (Figure 6.1a). Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
C = E(K2, E(K1, P))
3
6.1. Multiple Encryption and Triple DES
Decryption requires that the keys be applied in reverse order:
P = D(K1, D(K2, C))
Key length: 56 x 2 = 112 bits
4
6.1. Multiple Encryption and Triple DES
Reduction to a Single Stage
Suppose it were true for DES, for all 56-bit key values, that given any two keys K1 and K2, it would be possible to find a key K3 such that
E(K2, E(K1, P)) = E(K3, P)
If this were the case, then double encryption would be useless because the result would be equivalent to a single encryption with a single 56-bit key.
Conclusion: it does not appear that E(K2, E(K1, P)) = E(K3, P) is likely to hold.
Consider that encryption with DES is a mapping of 64-bit blocks to 64-bit blocks. If we consider all 2^64 possible input blocks, DES encryption with a specific key will map each block into a unique 64-bit block. With 2^64 possible inputs, how many different mappings are there that generate a permutation of the input blocks? The value is easily seen to be
5
6.1. Multiple Encryption and Triple DES
Reduction to a Single Stage
On the other hand, DES defines one mapping for each different key, for a total number of mappings:
2^56 > 10^17
Therefore, it is reasonable to assume that if DES is used twice with different keys, it will produce one of the many mappings that are not defined by a single application of DES.
Meet-in-the-Middle Attack
Thus, the use of double DES results in a mapping that is not equivalent to a single DES encryption. But there is a way to attack this scheme, one that does not depend on any particular property of DES but that will work against any block encryption cipher.
C = E(K2, E(K1, P))
X = E(K1, P) = D(K2, C)
Given a known pair, (P, C), the attack proceeds as follows. First, encrypt P for all 2^56 possible values of K1. Store these results in a table and then sort the table by the values of X. Next, decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the result against the table for a match. If a match occurs, then test the two resulting keys against a new known plaintext-ciphertext pair.
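The procedure above, carried out end to end as an added example (not part of the original slides). It assumes a toy 32-bit block cipher with 16-bit keys, constructed here in place of DES so the search finishes in seconds, and uses a hash table where the slide sorts the table by X.

```python
# Toy 32-bit block cipher with a 16-bit key, constructed for this example so
# the whole key space can be searched in seconds. It stands in for DES.
MASK = 0xFFFFFFFF
MULT = 0x9E3779B1                      # odd, hence invertible mod 2^32
MULT_INV = pow(MULT, -1, 1 << 32)
KEY_BITS = 16

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def E(k, x):
    for r in range(4):
        x ^= (k * 0x10001 + r) & MASK  # round key: k in both halves, plus r
        x = _rotl((x * MULT) & MASK, 11)
    return x

def D(k, y):
    for r in reversed(range(4)):       # undo the rounds in reverse order
        y = (_rotl(y, 32 - 11) * MULT_INV) & MASK
        y ^= (k * 0x10001 + r) & MASK
    return y

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))             # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs):
    """Return every (K1, K2) consistent with all known (P, C) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                         # X = E(K1, P) -> list of K1
    for k1 in range(1 << KEY_BITS):
        table.setdefault(E(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):    # X = D(K2, C)
        for k1 in table.get(D(k2, c0), ()):
            # A match on one pair can be a false alarm; confirm on the others.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    K1, K2 = 0x3A7C, 0xC01D            # constructed secret keys
    known = [(p, double_encrypt(K1, K2, p)) for p in (0x01234567, 0x89ABCDEF)]
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(known)])
    # Work done: 2 * 2^16 cipher calls, not the 2^32 a 32-bit key suggests.
```

The same ratio is what limits double DES: two passes over 2^56 keys rather than one pass over 2^112.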
6
6.1. Multiple Encryption and Triple DES
Triple DES with Two Keys
Use three stages of encryption with three different keys. It has the drawback of requiring a key length of 56 x 3 = 168 bits, which may be somewhat unwieldy.
As an alternative, Tuchman proposed a triple encryption method that uses only two keys. The function follows an encrypt-decrypt-encrypt (EDE) sequence (Figure 6.1b):
C = E(K1, D(K2, E(K1, P)))
7
6.1. Multiple Encryption and Triple DES
Triple DES with Two Keys
Currently, there are no practical cryptanalytic attacks on 3DES. The cost of a brute-force key search on 3DES is on the order of 2^112, and the cost of differential cryptanalysis is estimated to suffer an exponential growth, compared to single DES, exceeding 10^52.
It is worth looking at several proposed attacks on 3DES that, although not practical, give a flavor for the types of attacks that have been considered and that could form the basis for more successful future attacks.
The first serious proposal came from Merkle and Hellman: finding plaintext values that produce a first intermediate value of A = 0 and then using the meet-in-the-middle attack to determine the two keys. The level of effort is 2^56, but the technique requires 2^56 chosen plaintext-ciphertext pairs, a number unlikely to be provided by the holder of the keys.
8
6.1. Multiple Encryption and Triple DES
Triple DES with Two Keys
A known-plaintext attack
9
6.1. Multiple Encryption and Triple DES
Triple DES with Three Keys
Currently, there are no practical cryptanalytic attacks on 3DES. Although the attacks just described appear impractical, anyone using two-key 3DES may feel some concern. Thus, many researchers now feel that three-key 3DES is the preferred alternative:
C = E(K3, D(K2, E(K1, P)))
A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME, both discussed in Chapter 15.
10
6.2. Block Cipher Modes of Operation
A block cipher algorithm is a basic building block for providing data security. A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application. These modes are intended for use with any symmetric block cipher, including triple DES and AES. The modes are summarized in Table 6.1.
11
6.2. Block Cipher Modes of Operation
Electronic Codebook Mode
The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key (Figure 6.3).
12
6.2. Block Cipher Modes of Operation
Electronic Codebook Mode
For a message longer than b bits, the procedure is simply to break the message into b-bit blocks, padding the last block if necessary.
The ECB method is ideal for a short amount of data, such as an encryption key.
DES key
The most significant characteristic of ECB is that the same b-bit block of plaintext.
For lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.
13
6.2. Block Cipher Modes of Operation
Cipher Block Chaining Mode
To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks. A simple way to satisfy this requirement is the cipher block chaining (CBC) mode (Figure 6.4).
Initialization Vector (IV)
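The ECB and CBC slides above, as an added example that is not part of the original presentation: the same structured message is encrypted in both modes and the duplicate ciphertext blocks are counted, which is also a quick check for spotting ECB output. The 64-bit Feistel cipher, key, IV and message are constructed for illustration and stand in for DES or AES; the message is already a whole number of blocks, so no padding is shown.

```python
import hashlib

BLOCK = 8                                  # b = 64 bits, as with DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block, rounds=(0, 1, 2, 3)):
    """Toy 4-round Feistel cipher (constructed; a stand-in for DES/AES)."""
    left, right = block[:4], block[4:]
    for r in rounds:
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return right + left                    # final swap makes D = E reversed

def D(key, block):
    return E(key, block, rounds=(3, 2, 1, 0))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = E(key, _xor(b, prev))       # C_j = E(K, P_j xor C_{j-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(D(key, c), prev))  # P_j = D(K, C_j) xor C_{j-1}
        prev = c
    return b"".join(out)

def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier block."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

# Constructed sample: four 8-byte blocks, three of them identical.
# The IV is fixed only so that the run is reproducible.
KEY, IV = b"toy-key!", bytes.fromhex("0011223344556677")
MESSAGE = b"ACCT0001" * 3 + b"PAY=0100"

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(KEY, MESSAGE)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(KEY, IV, MESSAGE)))
```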
14
6.2. Block Cipher Modes of Operation
Cipher Feedback Mode
A stream cipher eliminates the need to pad a message to be an integral number of blocks. It also can operate in real time. Thus, if a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher.
One desirable property of a stream cipher is that the ciphertext be of the same length as the plaintext.
Figure 6.5 depicts the CFB scheme. In the figure, it is assumed that the unit of transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext. In this case, rather than units of b bits, the plaintext is divided into segments of s bits.
15
6.2. Block Cipher Modes of Operation
Output Feedback Mode
The output feedback (OFB) mode is similar in structure to that of CFB, as illustrated in Figure 6.6. As can be seen, it is the output of the encryption function that is fed back to the shift register in OFB, whereas in CFB the ciphertext unit is fed back to the shift register.
16
6.2. Block Cipher Modes of Operation
Counter Mode
Application: ATM (asynchronous transfer mode) network security and IPSec (IP security).
Figure 6.7 depicts the CTR mode. A counter equal to the plaintext block size is used. The only requirement stated in SP A is that the counter value must be different for each plaintext block that is encrypted.
17
6.3. Stream Ciphers and RC4 Stream Cipher Structure
A typical stream cipher encrypts plaintext one byte at a time, although a stream cipher may be designed to operate on one bit at a time or on units larger than a byte at a time. Figure 6.8 is a representative diagram of stream cipher structure. In this structure a key is input to a pseudorandom bit generator that produces a stream of 8-bit numbers that are apparently random.
18
6.3. Stream Ciphers and RC4 Stream Cipher Structure
Important design considerations for a stream cipher:
The encryption sequence should have a large period. A pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually repeats.
The keystream should approximate the properties of a true random number stream as closely as possible.
Note from Figure 6.8 that the output of the pseudorandom number generator is conditioned on the value of the input key. To guard against brute-force attacks, the key needs to be sufficiently long.
With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length. The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers. Table 6.2 compares execution times of RC4 with three well-known symmetric block ciphers.
For applications that require encryption/decryption of a stream of data, such as over a data communications channel or a browser/Web link, a stream cipher might be the better alternative. For applications that deal with blocks of data, such as file transfer, , and database, block ciphers may be more appropriate.
19
6.3. Stream Ciphers and RC4 The RC4 Algorithm
RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation.
RC4 is used in the SSL/TLS (Secure Sockets Layer/Transport Layer Security) standards that have been defined for communication between Web browsers and servers. It is also used in the WEP (Wired Equivalent Privacy) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE wireless LAN standard. RC4 was kept as a trade secret by RSA Security.
The RC4 algorithm is remarkably simple and quite easy to explain. A variable-length key of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte state vector S, with elements S[0], S[1],..., S[255]. At all times, S contains a permutation of all 8-bit numbers from 0 through 255. For encryption and decryption, a byte k (see Figure 6.9) is generated from S by selecting one of the 255 entries in a systematic fashion. As each value of k is generated, the entries in S are once again permuted.
20
6.3. Stream Ciphers and RC4 The RC4 Algorithm
21
6.3. Stream Ciphers and RC4 The RC4 Algorithm
Strength of RC4
A number of papers have been published analyzing methods of attacking RC4. None of these approaches is practical against RC4 with a reasonable key length, such as 128 bits.
Any questions? Thank you!!