1. Cryptography and Network Security Block Ciphers and DES, and modes of operation M. Sakalli Reviewed, from Stallings

2. Goals To introduce the notion of block ciphers, ideal block cipher and its infeasibility, the Feistel Cipher Structure. DES: its strength and weakness. 2

3. Stream vs. Block Ciphers Symmetric cipher: same key used for encryption and decryption –Block cipher: encrypts a block of plaintext at a time (typically 64 or 128 bits), cryptographic checksum to ensure content not changed.. Hardware friendly. –Stream cipher: encrypts data one bit or one byte at a time, all classical ciphers 3

4. Claude Shannon and Substitution- Permutation Ciphers in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks Modern substitution-transposition product cipher based on these two primitive operations: –substitution (S-box), provide confusion to dissipate statistical structure of PT over the bulk of CT –permutation (P-box), provide diffusion make the relationship between CT and key as complex as possible

5. Ideal Block Cipher 5 A block of N PT bits replaced wt a block of N CT bits. (N = 64 or 128.), a block cipher is a mono- alphabetic cipher, and each block represents a gigantic “character.” Each particular cipher is a one-to-one mapping from the PT alphabet to the CT alphabet. 2 N ! such mappings, and block cipher would allow the use of any such mapping and the secret key indicates which mapping to use.

6. Key Size of Ideal Block Cipher Since there are 2 N ! different mappings, there are 2 N ! different keys. the required key length will be log 2 (2 N !) ≈ N × 2 N ≈ 10 21 bits ≈ 10 11 GB. That is infeasible! Modern block ciphers use a key of K bits to specify a random subset of 2 K mappings. If N ≈ K, –2 K is much smaller than 2 N ! –But is still very large If the selection of the 2 K mappings is random, a good approximation of the ideal block cipher is possible. Horst Feistel, in1970s, proposed a method to achieve this. 6

7. The Feistel Cipher Structure Partitions the input block into halves of L and R. Goes through a number of rounds. –R goes intact to left. –L goes through an operation that depends on R and a round key derived from the encryption key. LUCIFER 7

8. F L i-1 R i-1 KiKi  2w bits partitioned into halves; L & R each 32 bits L i = R i–1 R i = L i–1  F(R i–1, K i )

9. Mathematically what it is 9

11. DES: The Data Encryption Standard Adopted by NIST in 1977. Most widely used block cipher in the world. Features: Based on the Feistel cipher, block size = 64 bits, key size 56 bits, number of rounds =16 Specifics: Subkey generation, and the design of the round function F. Speed: fast software en/decryption & ease of analysis –Any further increase in key or/and block size and the # of rounds improves the security, but slows the cipher. 11

12. DES Encryption 16 round keys are generated from the main key by a sequence of permutations. Each round key is results in 48 bits. Initial Permutation: IP, reorders the input data bits. The last step is inverse IP. IP and IP -1 : specified by tables, has no impact on security, due to the implementation in chips.

13. DES Round Structure L (even) &R (odd) each has 32 bits, as in any Feistel cipher: L i = R i–1 R i = L i–1  F(R i–1, K i ) 1- Expands 32 bit R to 48- bits using expansion perm E, 2- XOR 48- K and expanded R both 48- bit, 3- S boxes (8 of) to shrinks to 32-bits, 4- Permuting 32-bit

14. DES Round Structure The Expansion Permutation E Permutation P 1672021 29122817 1152326 5183110 282414 322739 1913306 2211425 1- Expands 32 bit R to 48-bits using expansion perm E, 2- XOR 48b K and expanded R both 48-bit, 3- S boxes (8 of) to shrinks to 32-bits, 4- Permuting 32-bit

15. 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1441312151183106125907 0157414213110612116538 4114813621115129731050 1512824917511314100613 01230123 Eight S-boxes, each map 6 bits to 4 bits Each: 4 x 16 table –each row is a permutation of 0-15 –outer bits of 6 bits indicates one of the four rows –inner 4 bits are to select the column For example, S1(101010) = 6 = 0110 Each box has a different layout. S Boxes

16. Round Key Generation Main key: 64 bits, but only 56 bits are used. 16 round keys (48 bits each) are generated from the main key by a sequence of permutations. Select and permute 56-bits using Permuted Choice One (PC1). Then divide them into two 28-bit halves. At each round: –Rotate each half separately by either 1 or 2 bits according to a rotation schedule. –Select 24-bits from each half & permute them (48 bits) by PC2. This forms a round key. 5749413325179 1585042342618 1025951433527 1911360524436 63554739312315 7625446383022 1466153453729 211352820124

17. Avalanche Effect A small change in the PT or in the KEY results in a significant change in the CT. This is an evidence of high degree of diffusion and confusion. SAC strict avalanche condition, any output bit of ct should change with pr = ½, when any input is changed. BIC bit independence criterion, states that out bits should change independently, when any input bit is changed. Both criteria seems strengthening confusion. DES exhibits a strong avalanche effect –Changing 1 bit in the plaintext affects 34 bits in the ciphertext on average. –1-bit change in the key affects 35 bits in the ciphertext on average.

18. Strength of DES – Key Size Brute force search looks hard, key search –needs plaintext-ciphertext samples –trying 1 key per microsecond would take 1000+ years on average, due to the large key space size, 2 56 ≈ 7.2×10 16. DES is theoretically broken using Differential or Linear Cryptanalysis In practise it says unlikely to be a problem yet. But the rapid advances in computing speed though have rendered the 56 bit key susceptible to exhaustive key search, as predicted by Diffie & Hellman. Have demonstrated breaks: –1997 on a large network of computers in a few months –1998 on dedicated h/w in a few days, des cracker worth of $250, containing1536 chips, (EFF). –1999 above combined in 22hrs!

19. Differential Cryptanalysis one of the most significant recent (public) advances in cryptanalysis known by NSA in 70's cf DES design Murphy, Biham & Shamir published 1990 powerful method to analyse block ciphers used to analyse most current block ciphers with varying degrees of success DES reasonably resistant to it, cf Lucifer

20. Differential Cryptanalysis a statistical attack against Feistel ciphers uses cipher structure not previously used design of S-P networks has output of function f influenced by both input & key hence cannot trace values back through cipher without knowing values of the key Differential Cryptanalysis compares two related pairs of encryptions

21. Differential Cryptanalysis Compares Pairs of Encryptions with a known difference in the input searching for a known difference in output when same subkeys are used

22. Differential Cryptanalysis have some input difference giving some output difference with probability p if find instances of some higher probability input / output difference pairs occurring can infer subkey that was used in round then must iterate process over many rounds (with decreasing probabilities)

23. Differential Cryptanalysis

24. perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR when found –if intermediate rounds match required XOR have a right pair –if not then have a wrong pair, relative ratio is S/N for attack can then deduce keys values for the rounds –right pairs suggest same key bits –wrong pairs give random values for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES

25. Linear Cryptanalysis another recent development also a statistical method must be iterated over rounds, with decreasing probabilities developed by Matsui et al in early 90's based on finding linear approximations can attack DES with 2 47 known plaintexts, still in practise infeasible

26. Linear Cryptanalysis find linear approximations with prob p != ½ P[i1,i2,...,ia] xor C[j1,j2,...,jb] = K[k1,k2,...,kc] where ia,jb,kc are bit locations in P,C,K gives linear equation for key bits get one key bit using max likelihood alg using a large number of trial encryptions effectiveness given by: |p–½|

27. Block Cipher Design Principles basic principles still like Feistel in 1970’s number of rounds –more is better, exhaustive search best attack function f: –provides “confusion”, is nonlinear, avalanche key schedule –complex subkey creation, key avalanche

28. Modes of Operation block ciphers encrypt fixed size blocks eg. DES encrypts 64-bit blocks, with 56-bit key need way to use in practise, given usually have arbitrary amount of information to encrypt four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use subsequently now have 5 for DES and AES have block and stream modes

29. Electronic Codebook Book (ECB) message is broken into independent blocks which are encrypted each block is a value which is substituted, like a codebook, hence name each block is encoded independently of the other blocks C i = DES K1 (P i ) uses: secure transmission of single values

30. Electronic Codebook Book (ECB)

31. Advantages and Limitations of ECB repetitions in message may show in ciphertext –if aligned with message block –particularly with data such graphics –or with messages that change very little, which become a code-book analysis problem weakness due to encrypted message blocks being independent main use is sending a few blocks of data

32. Cipher Block Chaining (CBC) message is broken into blocks but these are linked together in the encryption operation each previous cipher blocks is chained with current plaintext block, hence name use Initial Vector (IV) to start process C i = DES K1 (P i XOR C i-1 ) C -1 = IV uses: bulk data encryption, authentication

33. Cipher Block Chaining (CBC)

34. Advantages and Limitations of CBC each ciphertext block depends on all message blocks thus a change in the message affects all ciphertext blocks after the change as well as the original block need Initial Value (IV) known to sender & receiver –however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate –hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message at end of message, handle possible last short block –by padding either with known non-data value (eg nulls) –or pad last block with count of pad size eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count

35. Cipher FeedBack (CFB) message is treated as a stream of bits added to the output of the block cipher result is feed back for next stage (hence name) standard allows any number of bit (1,8 or 64 or whatever) to be feed back –denoted CFB-1, CFB-8, CFB-64 etc is most efficient to use all 64 bits (CFB-64) C i = P i XOR DES K1 (C i-1 ) C -1 = IV uses: stream data encryption, authentication

36. Cipher FeedBack (CFB)

37. Advantages and Limitations of CFB appropriate when data arrives in bits/bytes most common stream mode limitation is need to stall while do block encryption after every n-bits note that the block cipher is used in encryption mode at both ends errors propagate for several blocks after the error

38. Output FeedBack (OFB) message is treated as a stream of bits output of cipher is added to message output is then feed back (hence name) feedback is independent of message can be computed in advance C i = P i XOR O i O i = DES K1 (O i-1 ) O -1 = IV uses: stream encryption over noisy channels

39. Output FeedBack (OFB)

40. Advantages and Limitations of OFB used when error feedback a problem or where need to encrypt before message is available superficially similar to CFB but feedback is from the output of cipher and is independent of message a variation of a Vernam cipher –hence must never reuse the same sequence (key+IV) sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs originally specified with m-bit feedback in the standards subsequent research has shown that only OFB-64 should ever be used

41. Counter (CTR) must have a different key & counter value for every plaintext block (never reused) C i = P i XOR O i O i = DES K1 (i) uses: high-speed network encryptions

42. Counter (CTR)

43. Advantages and Limitations of CTR efficiency –can do parallel encryptions –in advance of need –good for bursty high speed links random access to encrypted data blocks provable security (good as other modes) but must ensure never reuse key/counter values, otherwise could break (cf OFB)

44. Summary have considered: –block cipher design principles –DES details strength –Differential & Linear Cryptanalysis –Modes of Operation ECB, CBC, CFB, OFB, CTR