CPSC415 Biometrics and Cryptography: Conventional Cryptography (Symmetric Ciphers)


2 Outline
Stream Ciphers and Block Ciphers
Confusion and Diffusion
DES (Data Encryption Standard)
Exhaustive Key Search
Triple DES, DESX
AES (Advanced Encryption Standard)
Operation Modes

3 Symmetric Encryption
Also called conventional / secret-key / single-key encryption
Sender and recipient share a common key
All classical encryption algorithms are private-key
Was the only type of encryption prior to the invention of public-key cryptography in the 1970s

4 Symmetric Cipher Model (figure)

5 Symmetric Key Cryptography
Bob and Alice both know the same (symmetric) key K_A-B
e.g., the key is knowing the substitution pattern in a monoalphabetic substitution cipher
Encryption: Alice runs the encryption algorithm on plaintext message m with K_A-B to get the ciphertext K_A-B(m)
Decryption: Bob runs the decryption algorithm on the ciphertext with the same key and recovers m = K_A-B(K_A-B(m))

6 Requirements
Two requirements for secure use of symmetric encryption:
– a strong encryption algorithm
– a secret key known only to sender / receiver
Y = E_K(X), X = D_K(Y)
Assume the encryption algorithm is known to the attacker (Kerckhoffs's principle)
This implies a secure channel is needed to distribute the key

7 Cryptography
Can be characterized by:
– type of encryption operations used: substitution / transposition / product
– number of keys used: single-key (private) / two-key (public)
– way in which plaintext is processed: block / stream

8 Symmetric Key Cryptosystems
Stream ciphers
– Operate on the plaintext a single bit (or sometimes byte) at a time
– Simple substitution
– Polyalphabetic substitution
– Feedback shift register sequences
– e.g. SEAL, RC4 (used by IEEE 802.11 WLANs in WEP; WEP's use of RC4 was later broken, and RC4 itself is now deprecated because of keystream biases)
Block ciphers
– Operate on the plaintext in groups of bits; the groups of bits are called blocks
– Typical block size is 64 bits or a multiple of it, e.g. 128 bits, 256 bits
– DES, AES (Rijndael)
– Others include IDEA, Blowfish, RC5, ...
– Different modes of operation

9 Properties that one would like to have in an encryption scheme
Easy to encrypt
Easy to decrypt
Provides fast encryption and decryption speed
Minimal bandwidth expansion
Generates diffusion and confusion (security)

10 Confusion and Diffusion
Shannon, in his 1949 paper "Communication Theory of Secrecy Systems", introduced two concepts as basic building blocks for designing cryptographic systems.
Diffusion: obscure the statistical structure of the plaintext in the ciphertext
– by having each ciphertext digit be affected by many plaintext digits
– in other words, dissipate the statistical structure of the plaintext into long-range statistics of the ciphertext
– e.g., for message M = m_1, m_2, ..., obtain ciphertext letter y_n by adding k successive plaintext (English) letters: y_n = (m_n + m_{n+1} + ... + m_{n+k-1}) mod 26; the letter frequencies of y are much flatter than those of M
Confusion: obscure the statistical dependence between the encryption key and the ciphertext
– to thwart attempts to discover the key
– a simple linear substitution generates little confusion
– this is achieved by using complex (nonlinear) substitution algorithms
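Shannon's diffusion example from the slide above, as an added, runnable illustration that is not part of the original slides. The transform y_n = (m_n + ... + m_{n+k-1}) mod 26 has no key, so it is not a cipher; it only shows how summing k plaintext letters spreads the plaintext statistics out. The sample text and the chi-square measure of "flatness" are constructed for this example.

```python
from collections import Counter

# Constructed sample plaintext (ordinary English prose written for this example).
SAMPLE = ("The quick brown fox jumps over the lazy dog while the farmer watches the "
          "evening sun settle behind the hills and thinks about the harvest that must "
          "be gathered before the first frost arrives and the river freezes over again "
          "this winter as it does every year in these northern valleys where the wind "
          "never seems to rest and the snow lies deep until the middle of april.")


def letters_only(text):
    """Keep a-z as integers 0..25: the message digits m_1, m_2, ..."""
    return [ord(c) - 97 for c in text.lower() if "a" <= c <= "z"]


def shannon_diffuse(text, k):
    """Shannon's diffusion example: y_n = (m_n + m_{n+1} + ... + m_{n+k-1}) mod 26.
    With k = 1 this is the identity; larger k mixes k plaintext letters into each
    output letter. No key is involved, so this is an illustration, not a cipher."""
    m = letters_only(text)
    return "".join(chr(97 + sum(m[n:n + k]) % 26) for n in range(len(m) - k + 1))


def chi_square_vs_uniform(s):
    """Chi-square statistic of the letter counts of s against a flat distribution.
    Smaller means the letter frequencies are closer to uniform (more diffusion)."""
    counts = Counter(s)
    expected = len(s) / 26
    return sum((counts.get(chr(97 + i), 0) - expected) ** 2 / expected
               for i in range(26))


if __name__ == "__main__":
    for k in (1, 2, 5):
        y = shannon_diffuse(SAMPLE, k)
        print(f"k={k}: chi-square vs uniform = {chi_square_vs_uniform(y):.1f}")
```

Running it prints a large chi-square for k = 1 (plain English, 'e' and 't' dominate) and a much smaller one for k = 5, which is the "long-range statistics" effect the slide describes. Note that diffusion alone gives no secrecy: anyone can undo the sum, which is why a cipher also needs confusion (a key-dependent nonlinear step).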

11 Block Ciphers
An encryption algorithm that takes a fixed-length block of message letters (plaintext, n bits) and a key (k bits, not necessarily the same length), and produces a block of ciphertext (n bits) of the same length as the plaintext
The key is reused for different plaintext blocks
Typical block sizes (value of n): 64 bits, 128 bits
Key sizes (value of k): 56 bits (DES), 128/192/256 bits (AES)
Complex modes of operation are used in practice

12 Common Block Cipher Design Approach
Iterative cipher
– start with a simple but useful round function F
– iterate F for many rounds until the result is "secure"
– F: the Feistel structure is quite common (e.g., DES)
(figure: message → F → F → ... → F → ciphertext)

13 Block Cipher Operation (Simplified)
Block of plaintext
Add (XOR in) some secret key bits
Each S-box substitutes its input bits in a nonlinear, "random-looking" way to provide confusion; a permutation then spreads the S-box outputs across the whole block to provide diffusion (plaintext bits spread throughout the ciphertext)
Repeat for several rounds
Block of ciphertext
The procedure must be reversible (for decryption)

14 Block Cipher Principles
Reversibility is needed since we must be able to decrypt ciphertext to recover messages efficiently
Block ciphers look like an extremely large substitution (a 64-bit block would need a table of 2^64 entries per key)
Instead, create the cipher from smaller building blocks using the idea of a product cipher (alternating substitutions and permutations)

15 Data Encryption Standard (DES)
DES was proposed as a US federal standard for commercial encryption in 1975 and adopted as FIPS 46 in 1977.
Feistel cipher: the fundamental building block of DES, designed by Horst Feistel at IBM.
Design requirements:
– must provide a high level of security (commercial standard)
– security must not depend on secrecy of the algorithm (Kerckhoffs's principle)
– must be easily and economically implemented

16 Overview of DES
C = DES(K, M)
Block size = 64 bits
Key size = 56 bits
Number of rounds = 16
IP: initial permutation; IP^-1: the inverse of IP
f: a nonlinear function
K_i: round i subkey (48 bits)
Each Feistel round can be described as
L_i = R_{i-1}
R_i = L_{i-1} ⊕ f(R_{i-1}, K_i)
After round 16 the two halves are swapped (R_16 L_16) and IP^-1 is applied to give C

17 The Initial Permutation
How to read this table? The 58th bit of the input x becomes the 1st bit of the output IP(x), the 50th bit of x becomes the 2nd bit of IP(x), etc.
IP and IP^-1 do not affect security. As far as anyone can tell, they only make things awkward for 1975-era general-purpose computers (DES predates 16-bit or 32-bit microprocessor buses).

18 Feistel Transformation Block
In round i:
– Separate the 64-bit block into two 32-bit halves, L_{i-1} and R_{i-1}
– Introduce confusion by using a "complex" nonlinear function f
– f has two inputs: R_{i-1} and a 48-bit round key, K_i
– Introduce diffusion by "adding" (XORing) L_{i-1} and the output of f
– Swap the halves
DES(K, ·) is a sequence of Feistel transforms:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ f(R_{i-1}, K_i)
Decryption runs the same rounds with the subkeys in reverse order (K_16, ..., K_1); f itself is never inverted, so it need not be invertible.

19 Nonlinear Function f in the Feistel Transformation
f(R, K): (32 bits, 48 bits) → 32 bits
– expand R to 48 bits R' using permutation and repetition
– XOR R' with K
– subdivide the result into 8 blocks of 6 bits each
– each 6-bit block goes through an S-box to produce 4 bits
– permute the resulting 32-bit string

20 (Figure: one DES round. R_{i-1} (32 bits) → Expansion (48 bits) → ⊕ K_i → S1, S2, ..., S8 (each 6 bits in, 4 bits out) → Permutation (32 bits) → ⊕ L_{i-1} = R_i; R_{i-1} becomes L_i.)

21 Expansion Permutation
Output bits are input bits 32, 1, 2, 3, 4, 5, then 4, 5, 6, 7, 8, 9, and so on: each 4-bit group of the 32-bit input becomes a 6-bit group by borrowing one bit from each neighbouring group.
For each output group of six bits (one row in the E table), the two outer bits select a row of an S-box, and the four bits in the middle choose the column (the substitution value).

22 The S-Box Substitution
There are eight S-boxes. Each maps 6 bits to 4 bits.
Take the 6-bit input b1 b2 b3 b4 b5 b6
Interpret b1 b6 as a row number, between 0 and 3.
Interpret b2 b3 b4 b5 as a column number, 0 through 15.
S-box 1 (rows indexed by bits b1 b6, columns by bits b2 b3 b4 b5):
b1b6 \ col   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0 0        14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 0 1         0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 1 0         4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
 1 1        15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
Example: input 011011 gives row 01 = 1 and column 1101 = 13, so the output is 5 = 0101.

23 A Summary of One DES Round (figure)

24 DES Key Schedule (Subkey Generation)
The 8-byte (64-bit) key contains 8 parity check bits, one per byte; the remaining 56 bits are the key K
Permutation P1 (Permuted Choice 1) drops the parity bits and splits the 56 bits into two 28-bit halves, C_0 and D_0
For round i, C_{i-1} and D_{i-1} are each cyclically left-shifted to give C_i and D_i; the number of shift positions (1 or 2) depends on i
Permutation P2 (Permuted Choice 2) selects 48 of the 56 bits of C_i D_i to form the round subkey K_i

25 Security of DES
Avalanche effect
– A change in one input bit (plaintext or key) should change many output bits; in a good cipher about half of the ciphertext bits flip, so that a small difference in the input does not show up as a small difference in the output
Bit independence
– Output bits should change independently of one another when an input bit changes; no output-bit change should be predictable from another
Number of rounds
– With 15 or fewer rounds, cryptanalytic attacks (differential cryptanalysis) against reduced-round DES are easier than brute-force key search (which must try up to 2^56 keys in the worst case)
The security of DES mainly relies on the nonlinearity of f (i.e., the S-boxes)

26 DES Controversy
When DES was proposed as a standard in 1975, there was considerable criticism.
One objection concerned the S-boxes: all computations in DES, with the exception of the S-boxes, are linear. The S-boxes, being the non-linear component of the cryptosystem, are vital to its security. However, the design criteria of the S-boxes were not made public at the time (IBM published them in 1994, after differential cryptanalysis had been rediscovered in the open literature, and they show the S-boxes were chosen to resist it).
Because of the NSA's collaboration, several people suggested that the S-boxes might contain hidden "trapdoors" which would allow the NSA to decrypt messages while maintaining that DES is "secure". It is of course impossible to disprove such an assertion, but no evidence has come to light that indicates that trapdoors in DES exist.
The most pertinent criticism of DES is the reduction of the key length, from the 128-bit key of IBM's original Lucifer design down to 56 bits. The size of the keyspace, 2^56, is "too small" to be really secure.

27 Exhaustive Key Search
Given a plaintext x and the corresponding ciphertext y, test every possible key until a key K is found such that E_K(x) = y
Note: there may be more than one such key K; a second (x, y) pair is used to confirm a candidate
Total number of keys = 2^56 ≈ 7.2 × 10^16
At a speed of 10^6 encryptions per second, trying every key would take about 2,300 years (over 1,000 years on average)
Diffie and Hellman postulated in 1977 that a DES-cracking machine with 10^6 processors, each testing 10^6 keys per second, could be built for about US$20M
– This machine could break DES in about 10 hours on average (20 hours in the worst case)
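The Feistel structure of slides 16 to 22 and the exhaustive key search of slide 27, as an added, runnable example that is not part of the original slides. It is a deliberately tiny DES-like cipher (16-bit block, 16-bit key, 4 rounds): S-box S1 is copied from the DES table on slide 22 and read exactly as described there (b1 b6 select the row, b2 b3 b4 b5 the column), while the expansion table, the P permutation, the key schedule and the block and key sizes are hypothetical choices made for this example and are not those of DES. The small key is the point: a known-plaintext exhaustive search finishes in a second or two and shows the slide's caveat in action, namely that one (x, y) pair may match several keys and more pairs are needed to pin down K.

```python
# Toy DES-style Feistel cipher: 16-bit block, 16-bit key, 4 rounds, one real DES S-box.
# Block/key sizes, E and P tables and the key schedule are hypothetical (example only);
# only S1 is copied from the DES specification.

S1 = [  # DES S-box 1: row = bits b1 b6, column = bits b2 b3 b4 b5
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
E_TABLE = [8, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 1]   # 8 -> 12 bits, DES-style (hypothetical)
P_TABLE = [2, 6, 3, 1, 4, 8, 5, 7]               # 8 -> 8 bits (hypothetical)
ROUNDS = 4


def sbox(six_bits):
    """6 bits in, 4 bits out, read exactly the way the DES S-box tables are read."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)   # b1 b6
    col = (six_bits >> 1) & 0xF                            # b2 b3 b4 b5
    return S1[row][col]


def permute(value, table, width):
    """DES-style bit selection: output bit j is input bit table[j], 1-indexed from the MSB."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out


# Precomputed lookups so the key search below runs quickly.
S1_FLAT = [sbox(i) for i in range(64)]
E_OF = [permute(r, E_TABLE, 8) for r in range(256)]
P_OF = [permute(v, P_TABLE, 8) for v in range(256)]


def f(r, k):
    """Round function as on slide 19: expand, XOR the subkey, substitute, permute."""
    x = E_OF[r] ^ k                                        # 12 bits
    return P_OF[(S1_FLAT[x >> 6] << 4) | S1_FLAT[x & 0x3F]]


def subkeys(key):
    """Hypothetical key schedule: 12 bits of the rotated 16-bit key per round."""
    ks = []
    for i in range(1, ROUNDS + 1):
        rot = ((key << 3 * i) | (key >> (16 - 3 * i))) & 0xFFFF
        ks.append(rot & 0xFFF)
    return ks


def feistel(block, ks):
    """L_i = R_{i-1}; R_i = L_{i-1} XOR f(R_{i-1}, K_i); halves swapped at the end."""
    l, r = block >> 8, block & 0xFF
    for k in ks:
        l, r = r, l ^ f(r, k)
    return (r << 8) | l


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    # Same rounds with the subkeys in reverse order; f is never inverted.
    return feistel(block, subkeys(key)[::-1])


def exhaustive_search(pairs):
    """Return every key K with E_K(x) == y for all known (x, y) pairs (slide 27)."""
    return [k for k in range(1 << 16)
            if all(encrypt(x, k) == y for x, y in pairs)]


if __name__ == "__main__":
    key = 0x2B7D                                  # hypothetical secret key
    pairs = [(x, encrypt(x, key)) for x in (0x0000, 0xA5C3, 0x1234)]
    print("one pair    ->", [hex(k) for k in exhaustive_search(pairs[:1])])
    print("three pairs ->", [hex(k) for k in exhaustive_search(pairs)])
```

Decryption only reverses the subkey order, which is why Feistel ciphers may use a non-invertible f and why DES decryption is the same circuit as encryption. With a single known pair the search typically returns the true key plus one or two false matches (2^16 keys mapping a 16-bit block to a 16-bit block); with three pairs only the true key survives. Replacing the 16-bit key with a 56-bit one turns the same loop into the 2^56 search of slide 27.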

28 Exhaustive Key Search
In 1993, Michael Wiener presented a design for a pipelined chip which does 16 encryptions simultaneously and tests 5 × 10^7 DES keys per second. Each chip could be built for about US$10 with the technology of the time. A frame of 5760 chips could be built for US$100K and would find a key in about 35 hours on average (5760 × 5 × 10^7 ≈ 2.9 × 10^11 keys per second against 2^55 keys on average).
In 1997 the estimated cost was cut by a factor of 6.
A software (distributed) DES cracking effort can be found at http://www.distributed.net/des/
Record at the time of these slides: 22 hours and 15 minutes (DES Challenge III, January 1999), achieved by distributed.net together with the EFF's purpose-built "Deep Crack" machine (built in 1998 for about US$250K; on its own it had taken 56 hours in 1998).

29 How to strengthen DES?

30 Triple DES and DESX
Triple DES (two-key EDE): two 56-bit keys, C = DES(K1, DES^-1(K2, DES(K1, M))); the middle step is a decryption so that choosing K1 = K2 reduces it to single DES (backward compatibility)
DESX: C = K3 ⊕ DES(K2, M ⊕ K1), one 56-bit DES key K2 plus two 64-bit whitening keys K1 and K3 (three keys in total, not three 56-bit DES keys)
Both have about the same resistance to differential cryptanalysis and linear cryptanalysis as DES
But both are much harder to break by exhaustive key search than DES (two-key Triple DES has an effective key length of about 112 bits; DESX is likewise far beyond 2^56)
Note that both keep the 64-bit block size of DES, so the amount of data encrypted under one key in a chaining mode must stay well below 2^32 blocks (the birthday bound)

31 DES Replacements
The most popular DES replacements in the US are RC2, RC4 and RC5. The first two are used by SSL version 3.
The most popular DES replacement in Europe is IDEA.
The most popular DES replacement in Japan is FEAL-N.
AES (Advanced Encryption Standard) is the "official" replacement of DES. The algorithm selected as AES is called Rijndael.

32 Overview of Rijndael
Rijndael: the algorithm chosen for AES (Advanced Encryption Standard)
Both the key size and the block size may be chosen to be any of 128, 192, or 256 bits, although AES only requires the key size to be selectable among these lengths and fixes the block size at 128 bits.
Number of rounds is a function of the block and key length:
– 10 rounds if both the block and the key are 128 bits long;
– 12 rounds if either the block or the key is 192 bits long, and neither of them is longer than that;
– 14 rounds if either the block or the key is 256 bits long.
From their web page: "If you're Dutch, Flemish, Indonesian, Surinamer or South-African, it's pronounced like you think it should be. Otherwise, you could pronounce it like 'Reign Dahl', 'Rain Doll', 'Rhine Dahl'. We're not picky. As long as you make it sound different from 'Region Deal'."

33 Rijndael Round Function
Fully byte-oriented: good for both software and hardware implementations
Rijndael is composed of
1. An initial XOR step (AddRoundKey)
2. Regular round transformations (or rounds), Nr - 1 of them
3. A final round
Each regular round involves four steps:
1. ByteSub
2. ShiftRow
3. MixColumn
4. AddRoundKey
The final round is a regular round with MixColumn omitted.

34 The Round Transformation
ByteSub: each byte of the data block (the State) is substituted according to values given in an S-box; this is the nonlinear step
ShiftRow: rows of the State (except the first row) are cyclically shifted left, each row by a different offset
MixColumn: each column of the State is multiplied by a fixed 4×4 matrix over GF(2^8) (equivalently, by a fixed polynomial), mixing the four bytes of the column
AddRoundKey: the State is XORed with the round key derived from the cipher key
http://www.nist.gov/aes
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

35 Rijndael Wrap Up
The Rijndael algorithm is not a Feistel system. In a Feistel system, half of the bits are moved but not changed during each round. In Rijndael, all bits are treated uniformly. This has the effect of diffusing the input bits faster.
It can be shown that two rounds are sufficient to obtain full diffusion, namely, each of the 128 output bits depends on each of the 128 input bits.
At the time of selection, no known attack beat brute force for seven or more rounds. It was felt that four extra rounds provide a large enough margin of safety. Of course, the number of rounds could easily be increased if needed.

36 Operation Modes
How to encrypt a plaintext which is longer than the block size of the cipher?
– e.g. using AES to encrypt a 1024-bit plaintext
How to encrypt a plaintext whose length is not a multiple of the block size?
– e.g. using AES to encrypt a 129-bit plaintext

37 Electronic Codebook Mode (ECB)
C_i = DES(K, M_i)
Each block is encrypted independently using the same key
Padding is needed (the message must be a whole number of blocks)
Used to transmit short fixed-length messages, e.g. a session key
A one-bit transmission error affects one ciphertext block (and only that block's plaintext)
Repeated plaintext blocks produce the same ciphertext blocks
Not frequently used in practice. Why? Because deterministic block-by-block encryption leaks the pattern of equal blocks: an attacker can see which blocks repeat, and can cut, reorder or replay ciphertext blocks without detection.

38 Cipher Block Chaining (CBC)
Goal: repeated plaintext blocks produce different ciphertext blocks
C_i = DES(K, M_i ⊕ C_{i-1})
An initialization vector (IV = C_0) is used for randomization
Padding is required
If one bit of M_1 is changed, all subsequent ciphertext blocks are affected
– this is the property CBC-MAC (a Message Authentication Code built from CBC) relies on: the last ciphertext block depends on every message block
A one-bit error in ciphertext block C_i garbles the whole of M_i and flips one bit of M_{i+1}; later blocks are unaffected
The IV does not have to be secret, but it must be fresh and unpredictable for every message under the same key (a random IV); a reused or predictable IV lets an attacker recognize equal first blocks and mount chosen-plaintext attacks
Generally used for block-oriented transmission

39 Counter Mode (CTR)
Goal: eliminate padding and error propagation
– use the block cipher as a pseudorandom bit generator
Encryption:
– Encrypt a sequence of counter blocks I_1, I_2, ..., I_t (e.g. a per-message nonce concatenated with a block counter) in ECB mode, producing the keystream blocks DES(K, I_i)
– Compute C_i = M_i ⊕ DES(K, I_i); the last block may be shorter than a full block, so no padding is needed
Decryption is the same operation, M_i = C_i ⊕ DES(K, I_i): only the forward direction of the cipher is needed, and blocks can be processed in parallel or in any order
A one-bit transmission error spoils one plaintext bit only
Two caveats: a counter block must never be reused under the same key (reuse gives C_i ⊕ C'_i = M_i ⊕ M'_i and exposes both plaintexts), and a flipped ciphertext bit flips exactly the same plaintext bit, so CTR provides no integrity and must be paired with a MAC (as in AES-GCM or AES-CCM)
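The Rijndael round structure of slides 33 to 35 and the three modes of slides 37 to 39, as one added, runnable example that is not part of the original slides. It is a compact AES-128 forward cipher (FIPS 197, encryption direction only, written for illustration and not constant-time or production code), checked against the FIPS 197 known-answer vector, plus ECB, CBC and CTR encryption built on it. The two extra arguments of `aes128_encrypt_block` exist only for the reduced-round experiment that reproduces the "full diffusion after two rounds" claim of slide 35; the keys, IVs and messages are constructed values.

```python
# Compact AES-128 (FIPS 197), encryption direction only, with ECB, CBC and CTR
# encryption built on top. Illustration only: no padding scheme, not constant-time.

def _xtime(b):                     # multiply by x in GF(2^8) modulo x^8+x^4+x^3+x+1
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def _gmul(a, b):                   # general GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _rotl8(v, s):
    return ((v << s) | (v >> (8 - s))) & 0xFF

def _build_sbox():                 # S-box = GF(2^8) inverse followed by an affine map
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (a generator)
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                 # 0 has no inverse: affine constant only
    return sbox

SBOX = _build_sbox()

def expand_key(key):               # 16-byte key -> 11 round keys of 16 bytes
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def _shift_rows(s):                # state is column-major: s[4*col + row]
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def _mix_columns(s):               # each column times the fixed matrix over GF(2^8)
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [_gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
                _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2)]
    return out

def aes128_encrypt_block(key, block, nrounds=10, mix_last=False):
    """Standard AES-128 with the default arguments; nrounds and mix_last exist
    only for the reduced-round diffusion experiment below."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]              # initial AddRoundKey
    for r in range(1, nrounds + 1):
        s = [SBOX[b] for b in s]                             # ByteSub
        s = _shift_rows(s)                                   # ShiftRow
        if r != nrounds or mix_last:
            s = _mix_columns(s)                              # MixColumn (omitted in the final round)
        s = [b ^ k for b, k in zip(s, rk[r])]                # AddRoundKey
    return bytes(s)

def bytes_changed_by_one_bit_flip(nrounds):
    """Output bytes that differ when one plaintext bit flips, after nrounds
    full rounds (MixColumn kept in every round). Constructed key and plaintext."""
    key, pt = bytes(range(16)), bytes(16)
    pt_flipped = bytes([0x80]) + pt[1:]
    c1 = aes128_encrypt_block(key, pt, nrounds, mix_last=True)
    c2 = aes128_encrypt_block(key, pt_flipped, nrounds, mix_last=True)
    return sum(x != y for x, y in zip(c1, c2))

# Modes of operation (encryption direction). ECB and CBC need len(msg) % 16 == 0.
def ecb_encrypt(key, msg):         # C_i = E(K, M_i): equal blocks give equal ciphertext
    return b"".join(aes128_encrypt_block(key, msg[i:i + 16]) for i in range(0, len(msg), 16))

def cbc_encrypt(key, iv, msg):     # C_i = E(K, M_i XOR C_{i-1}), C_0 = IV (fresh, unpredictable)
    out, prev = [], iv
    for i in range(0, len(msg), 16):
        prev = aes128_encrypt_block(key, bytes(a ^ b for a, b in zip(msg[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

def ctr_crypt(key, nonce12, msg):  # C_i = M_i XOR E(K, nonce || i); the same call decrypts
    out = bytearray()
    for i in range(0, len(msg), 16):
        keystream = aes128_encrypt_block(key, nonce12 + (i // 16).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(msg[i:i + 16], keystream))
    return bytes(out)
```

`bytes_changed_by_one_bit_flip(1)` returns 4 (one MixColumn spreads a one-byte difference over its column) and `bytes_changed_by_one_bit_flip(2)` returns 16, which is the two-round full diffusion of slide 35. With the modes, two equal 16-byte blocks encrypt to two equal ECB blocks but to different CBC blocks, and in CTR the 14-byte message `attack at dawn` needs no padding; XORing 0x03 into the first ciphertext byte decrypts to `bttack at dawn`, which is the controlled bit-flipping the slide's "one bit spoils one bit only" implies and the reason CTR needs a MAC.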

40 Comparison of Symmetric Encryption Algorithms
Algorithm | Strength (as rated on the slide) | Key length (bits)
3DES | Strong | 112 (two keys) or 168 (three keys); each DES key is 64 bits with parity; 64-bit block
AES | Strong | 128, 192 or 256; 128-bit block
IDEA (International Data Encryption Algorithm) | Strong | 128; 64-bit block
Blowfish | Weak | 32 to 448 (variable); 64-bit block
RC4 | Weak | variable (40 to 2048); stream cipher
RC5 | Strong | variable (0 to 2040); block size 32, 64 or 128
Note: 3DES, IDEA and Blowfish all use 64-bit blocks, which limits how much data can safely be encrypted under one key; RC4's keystream biases have led to its deprecation.

41 Problems with Symmetric Encryption
A single key must be shared by each pair of sender and receiver. In a distributed environment with a large number of communicating pairs (a many-to-one communication topology), it is difficult for the one recipient to keep so many keys in order to support all communication.
Key management: setting up and acquiring the secret key.
Integrity: with encryption alone, the receiver cannot verify that the message has not been altered before receipt (a MAC is needed for that).
Non-repudiation: it is possible for the sender to repudiate the message because, with a shared key, the receiver has no way to prove to a third party that the message was sent by the claimed sender (either holder of the key could have produced it).

