Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part 1  Cryptography 1 Chapter 3: Symmetric Key Crypto.

Published byCecil Gilbert Modified over 8 years ago

Similar presentations

Presentation on theme: "Part 1  Cryptography 1 Chapter 3: Symmetric Key Crypto."— Presentation transcript:

1

2 Part 1  Cryptography 1 Chapter 3: Symmetric Key Crypto

3 Part 1  Cryptography 2 Symmetric Key Crypto  Stream cipher  based on one-time pad o Except that key is relatively short o Key is stretched into a long keystream o Keystream is used just like a one-time pad  Block cipher  based on codebook concept o Block cipher key determines a codebook o Each key yields a different codebook o Employs both “confusion” and “diffusion”

4 Part 1  Cryptography 3 Stream Ciphers

5 Part 1  Cryptography 4 Stream Ciphers  Once upon a time, not so very long ago, stream ciphers were the king of crypto  Today, not as popular as block ciphers  We’ll discuss two stream ciphers…  A5/1 o Based on shift registers o Used in GSM mobile phone system  RC4 o Based on a changing lookup table o Used many places

6 Part 1  Cryptography 5 A5/1: Shift Registers  A5/1 uses 3 shift registers o X : 19 bits (x 0,x 1,x 2, …,x 18 ) o Y : 22 bits (y 0,y 1,y 2, …,y 21 ) o Z : 23 bits (z 0,z 1,z 2, …,z 22 )

7 Part 1  Cryptography 6 A5/1: Keystream  At each step: m = maj(x 8, y 10, z 10 ) o Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1  If x 8 = m then X steps o t = x 13  x 16  x 17  x 18 o x i = x i  1 for i = 18,17,…,1 and x 0 = t  If y 10 = m then Y steps o t = y 20  y 21 o y i = y i  1 for i = 21,20,…,1 and y 0 = t  If z 10 = m then Z steps o t = z 7  z 20  z 21  z 22 o z i = z i  1 for i = 22,21,…,1 and z 0 = t  Keystream bit is x 18  y 21  z 22

8 Part 1  Cryptography 7 A5/1  Each variable here is a single bit  Key is used as initial fill of registers  Each register steps (or not) based on maj (x 8, y 10, z 10 )  Keystream bit is XOR of rightmost bits of registers y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 y6y6 y7y7 y8y8 y9y9 y 10 y 11 y 12 y 13 y 14 y 15 y 16 y 17 y 18 y 19 y 20 y 21 z0z0 z1z1 z2z2 z3z3 z4z4 z5z5 z6z6 z7z7 z8z8 z9z9 z 10 z 11 z 12 z 13 z 14 z 15 z 16 z 17 z 18 z 19 z 20 z 21 z 22 X Y Z     x0x0 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 x8x8 x9x9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18

9 Part 1  Cryptography 8 A5/1  In this example, m = maj(x 8, y 10, z 10 ) = maj(1,0,1) = 1  Register X steps, Y does not step, and Z steps  Keystream bit is XOR of right bits of registers  Here, keystream bit will be 0  1  0 = 1 1100110011001100110001 11100001111000011110001 X Y Z     1010101010101010101

10 Part 1  Cryptography 9 Shift Register Crypto  Shift register crypto efficient in hardware  Often, slow if implement in software  In the past, very popular  Today, more is done in software due to fast processors  Shift register crypto still used some o Resource-constrained devices

11 Part 1  Cryptography 10 Stream Ciphers  Stream ciphers were popular in the past o Efficient in hardware o Speed was needed to keep up with voice, etc. o Today, processors are fast, so software-based crypto is usually more than fast enough  Future of stream ciphers? o Shamir declared “the death of stream ciphers” o May be greatly exaggerated…

12 Part 1  Cryptography 11 Block Ciphers

13 Part 1  Cryptography 12 (Iterated) Block Cipher  Plaintext and ciphertext consist of fixed-sized blocks  Ciphertext obtained from plaintext by iterating a round function  Input to round function consists of key and output of previous round  Usually implemented in software

14 Part 1  Cryptography 13 Feistel Cipher: Encryption  Feistel cipher is a type of block cipher, not a specific block cipher  Split plaintext block into left and right halves: P = (L 0,R 0 )  For each round i = 1,2,...,n, compute L i = R i  1 R i = L i  1  F(R i  1,K i ) where F is round function and K i is subkey  Ciphertext: C = (L n,R n )

15 Part 1  Cryptography 14 Feistel Cipher: Decryption  Start with ciphertext C = (L n,R n )  For each round i = n,n  1,…,1, compute R i  1 = L i L i  1 = R i  F(R i  1,K i ) where F is round function and K i is subkey  Plaintext: P = (L 0,R 0 )  Formula “works” for any function F o But only secure for certain functions F

16 Part 1  Cryptography 15

17 Part 1  Cryptography 16 Data Encryption Standard  DES developed in 1970’s  Based on IBM’s Lucifer cipher  DES was U.S. government standard  DES development was controversial o NSA secretly involved o Design process was secret o Key length reduced from 128 to 56 bits o Subtle changes to Lucifer algorithm

18 Part 1  Cryptography 17 DES Numerology  DES is a Feistel cipher with… o 64 bit block length o 56 bit key length o 16 rounds o 48 bits of key used each round (subkey)  Each round is simple (for a block cipher)  Security depends heavily on “S-boxes” o Each S-boxes maps 6 bits to 4 bits

19 Part 1  Cryptography 18 LR expand shift key S-boxes compress LR 28 48 32 48 32 One Round of DES 48 32 KiKi P box  

20 DES Expansion Permutation Part 1  Cryptography 19  Input 32 bits 0123456789101112131415 16171819202122232425262728293031 Output 48 bits 31 0 1 234345678 7 89101112111213141516 151617181920192021222324 23242526272827282930310

21 Part 1  Cryptography 20 DES S-box  8 “substitution boxes” or S-boxes  Each S-box maps 6 bits to 4 bits  S-box number 1 00 01 00 10 00 11 01 00 01 10 01 11 10 00 10 01 10 11 00 11 01 11 10 11 0 10 01 00 11 01 00 01 00 10 11 10 11 10 00 11 10 01 10 11 00 01 10 01 00 01 11 0101 00 11 01 11 01 00 11 10 00 10 11 01 00 01 10 01 10 11 00 10 11 10 01 00 11 10 00 1010 01 00 11 01 11 10 00 11 01 10 00 10 11 00 10 01 11 00 11 10 01 00 1 11 00 10 00 10 01 00 10 01 00 01 11 01 11 10 11 00 11 10 00 01 10 11 01 input bits (0,5)  input bits (1,2,3,4)

22 DES P-box Part 1  Cryptography 21  Input 32 bits 0123456789101112131415 16171819202122232425262728293031 Output 32 bits 1561920281127160142225417309 17231331262818122952110324

23 DES Subkey Part 1  Cryptography 22  56 bit DES key : (0,1,2,…,55) 4942352821147 0504336292215 815144373023 169252453831 Left half key bits, LK Right half key bits, RK 55484134272013 6544740332619 1255346393225 181142417103

24 Part 1  Cryptography 23 DES Subkey  For rounds i=1,2,...,16 o Let LK = (LK circular shift left by r i ) o Let RK = (RK circular shift left by r i ) o Left half of subkey K i is of LK bits 13 16 10 23 0 4 2 27 14 5 20 9 22 18 11 3 25 7 15 6 26 19 12 1 o Right half of subkey K i is RK bits 12 23 2 8 18 26 1 11 22 16 4 19 15 20 10 27 5 24 17 13 21 7 0 3

25 Part 1  Cryptography 24 DES Subkey  For rounds 1, 2, 9 and 16 the shift r i is 1, and in all other rounds r i is 2  Bits 8,17,21,24 of LK omitted each round  Bits 6,9,14,25 of RK omitted each round  Compression permutation yields 48 bit subkey K i from 56 bits of LK and RK  Key schedule generates subkey

26 Part 1  Cryptography 25 DES Last Word (Almost)  An initial permutation before round 1  Halves are swapped after last round  A final permutation (inverse of initial perm) applied to (R 16,L 16 )  None of this serves security purpose

27 Part 1  Cryptography 26 Security of DES  Security depends heavily on S-boxes o Everything else in DES is linear  Thirty+ years of intense analysis has revealed no “back door”  Attacks, essentially exhaustive key search  Inescapable conclusions o Designers of DES knew what they were doing o Designers of DES were way ahead of their time

28 Part 1  Cryptography 27 Block Cipher Notation  P = plaintext block  C = ciphertext block  Encrypt P with key K to get ciphertext C o C = E(P, K)  Decrypt C with key K to get plaintext P o P = D(C, K)  Note: P = D(E(P, K), K) and C = E(D(C, K), K) o But P  D(E(P, K 1 ), K 2 ) and C  E(D(C, K 1 ), K 2 ) when K 1  K 2

29 Exhaustive Key Search time Key size (bits) # of possible keysExecution time (if 1 decypt/us) Execution time (if 10 6 decypt/us) 32 56 128 168 2 32 =4.3X10 9 2 56 =7.2X10 16 2 128 =4.3X10 38 2 168 =4.3X10 50 2 31 us=35.8 min 2 55 us=1142 yrs 2 127 us=5.4X10 24 yr 2 167 us=5.9X10 36 yr 2.15 ms 10.01 hrs 5.4X10 18 yrs 5.9X10 30 yr

30 Part 1  Cryptography 29 Triple DES  Today, 56 bit DES key is too small o Exhaustive key search is feasible  But DES is everywhere, so what to do?  Triple DES or 3DES (112 bit key) o C = E(D(E(P,K 1 ),K 2 ),K 1 ) o P = D(E(D(C,K 1 ),K 2 ),K 1 )  Why Encrypt-Decrypt-Encrypt with 2 keys? o Backward compatible: E(D(E(P,K),K),K) = E(P,K) o And 112 bits is enough

31 Part 1  Cryptography 30 Advanced Encryption Standard  Replacement for DES  AES competition (late 90’s) o NSA openly involved o Transparent process o Many strong algorithms proposed o Rijndael Algorithm ultimately selected (pronounced like “Rain Doll” or “Rhine Doll”)  Iterated block cipher (like DES)  Not a Feistel cipher (unlike DES)

32 Part 1  Cryptography 31 AES Overview  Block size: 128 bits (others in Rijndael)  Key length: 128, 192 or 256 bits (independent of block size)  10 to 14 rounds (depends on key length)  Each round uses 4 functions (3 “layers”) o ByteSub (nonlinear layer) o ShiftRow (linear mixing layer) o MixColumn (nonlinear layer) o AddRoundKey (key addition layer)

33 AES: High-Level Description Part 1  Cryptography 32 State = X AddRoundKey(State, Key0) (op1) for r = 1 to Nr - 1 SubBytes(State, S-box) (op2) ShiftRows(State) (op3) MixColumns(State) (op4) AddRoundKey(State, KeyNr) endfor SubBytes(State, S-box) ShiftRows(State) AddRoundKey(State, KeyNr) Y = State State: 4 X 4 byte matrix : 128 bits = 16 bytes

34 AES AddRoundKey  RoundKey (subkey) determined by key schedule algorithm subkey data

35 AES BytesSub  ByteSub is AES’s “S-box”  Can be viewed as nonlinear (but invertible) composition of two math operations  Treat 128 bit block as 4x4 byte array

36 Part 1  Cryptography 35 AES “S-box” First 4 bits of input Last 4 bits of input

37 AES ShiftRow  Cyclic shift rows

38 AES MixColumn  Implemented as a (big) lookup table  Invertible, linear operation applied to each column

39 Part 1  Cryptography 38 AES Decryption  To decrypt, process must be invertible  Inverse of MixAddRoundKey is easy, since “  ” is its own inverse  MixColumn is invertible (inverse is also implemented as a lookup table)  Inverse of ShiftRow is easy (cyclic shift the other direction)  ByteSub is invertible (inverse is also implemented as a lookup table)

40 Part 1  Cryptography 39 A Few Other Block Ciphers  Briefly… o IDEA o Blowfish o RC6  More detailed… o TEA

41 Part 1  Cryptography 40 Block Cipher Modes

42 Part 1  Cryptography 41 Multiple Blocks  How to encrypt multiple blocks?  Do we need a new key for each block? o As bad as (or worse than) a one-time pad!  Encrypt each block independently?  Make encryption depend on previous block? o That is, can we “chain” the blocks together?  How to handle partial blocks? o We won’t discuss this issue

43 Part 1  Cryptography 42 Modes of Operation  Many modes  we discuss 3 most popular  Electronic Codebook (ECB) mode o Encrypt each block independently o Most obvious, but has a serious weakness  Cipher Block Chaining (CBC) mode o Chain the blocks together o More secure than ECB, virtually no extra work  Counter Mode (CTR) mode o Block ciphers acts like a stream cipher o Popular for random access

44 Part 1  Cryptography 43 ECB Mode  Notation: C = E(P,K)  Given plaintext P 0,P 1,…,P m,…  Most obvious way to use a block cipher: Encrypt Decrypt C 0 = E(P 0, K)P 0 = D(C 0, K) C 1 = E(P 1, K)P 1 = D(C 1, K) C 2 = E(P 2, K) …P 2 = D(C 2, K) …  For fixed key K, this is “electronic” version of a codebook cipher (without additive) o With a different codebook for each key

45 Part 1  Cryptography 44 ECB Cut and Paste SSuppose plaintext is Alice digs Bob. Trudy digs Tom. AAssuming 64-bit blocks and 8-bit ASCII: P 0 = “Alice di”, P 1 = “gs Bob. ”, P 2 = “Trudy di”, P 3 = “gs Tom. ” CCiphertext: C 0,C 1,C 2,C 3 TTrudy cuts and pastes: C 0,C 3,C 2,C 1 DDecrypts as Alice digs Tom. Trudy digs Bob.

46 Part 1  Cryptography 45 ECB Weakness  Suppose P i = P j  Then C i = C j and Trudy knows P i = P j  This gives Trudy some information, even if she does not know P i or P j  Trudy might know P i  Is this a serious issue?

47 Part 1  Cryptography 46 Alice Hates ECB Mode  Alice’s uncompressed image, and ECB encrypted (TEA)  Why does this happen?  Same plaintext yields same ciphertext!

48 Part 1  Cryptography 47 CBC Mode  Blocks are “chained” together  A random initialization vector, or IV, is required to initialize CBC mode  IV is random, but not secret Encryption Decryption C 0 = E(IV  P 0, K),P 0 = IV  D(C 0, K), C 1 = E(C 0  P 1, K),P 1 = C 0  D(C 1, K), C 2 = E(C 1  P 2, K),…P 2 = C 1  D(C 2, K),…  Analogous to classic codebook with additive

49 CBC 모드 weakness Each block encryption is chained. (parallel processing is not possible) Massage should be aligned with block size.(if not, padding is necessary)

50 Part 1  Cryptography 49 CBC Mode  Identical plaintext blocks yield different ciphertext blocks  this is good!  If C 1 is garbled to, say, G then P 1  C 0  D(G, K), P 2  G  D(C 2, K)  But P 3 = C 2  D(C 3, K), P 4 = C 3  D(C 4, K),…  Automatically recovers from errors!  Cut and paste is still possible, but more complex (and will cause garbles)

51 Part 1  Cryptography 50 Alice Likes CBC Mode  Alice’s uncompressed image, Alice CBC encrypted (TEA)  Why does this happen?  Same plaintext yields different ciphertext!

52 Part 1  Cryptography 51 Counter Mode (CTR)  CTR is popular for random access  Use block cipher like a stream cipher EncryptionDecryption C 0 = P 0  E(IV, K),P 0 = C 0  E(IV, K), C 1 = P 1  E(IV+1, K),P 1 = C 1  E(IV+1, K), C 2 = P 2  E(IV+2, K),…P 2 = C 2  E(IV+2, K),…

53 Counter (CTR) Mode

54 Part 1  Cryptography 53 Integrity

55 Part 1  Cryptography 54 Data Integrity  Integrity  detect unauthorized writing (i.e., modification of data)  Example: Inter-bank fund transfers o Confidentiality may be nice, integrity is critical  Encryption provides confidentiality (prevents unauthorized disclosure)  Encryption alone does not provide integrity o One-time pad, ECB cut-and-paste, etc.

56 Part 1  Cryptography 55 MAC  Message Authentication Code ( MAC ) o Used for data integrity o Integrity not the same as confidentiality  MAC is computed as CBC residue o That is, compute CBC encryption, saving only final ciphertext block, the MAC

57 Part 1  Cryptography 56 MAC Computation  MAC computation (assuming N blocks) C 0 = E(IV  P 0, K), C 1 = E(C 0  P 1, K), C 2 = E(C 1  P 2, K),… C N  1 = E(C N  2  P N  1, K) = MAC  MAC sent with IV and plaintext  Receiver does same computation and verifies that result agrees with MAC  Note: receiver must know the key K

58 Part 1  Cryptography 57 Does a MAC work?  Suppose Alice has 4 plaintext blocks  Alice computes C 0 = E(IV  P 0,K), C 1 = E(C 0  P 1,K), C 2 = E(C 1  P 2,K), C 3 = E(C 2  P 3,K) = MAC  Alice sends IV,P 0,P 1,P 2,P 3 and MAC to Bob  Suppose Trudy changes P 1 to X  Bob computes C 0 = E(IV  P 0,K), C 1 = E(C 0  X,K), C 2 = E(C 1  P 2,K), C 3 = E(C 2  P 3,K) = MAC  MAC  That is, error propagates into MAC  Trudy can’t make MAC == MAC without K

59 Part 1  Cryptography 58 Uses for Symmetric Crypto  Confidentiality o Transmitting data over insecure channel o Secure storage on insecure media  Integrity ( MAC )  Authentication protocols (later…)  Anything you can do with a hash function (upcoming chapter…)

Download ppt "Part 1  Cryptography 1 Chapter 3: Symmetric Key Crypto."

Similar presentations

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Stream Ciphers Part 1  Cryptography 3 Stream Ciphers.

Stream Ciphers Part 1  Cryptography 3 Stream Ciphers.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
The Advanced Encryption Standard (AES) Simplified.

The Advanced Encryption Standard (AES) Simplified.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.

Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.

DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.

Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.
1 Chapter 3 – Block Ciphers and the Data Encryption Standard Modern Block Ciphers  now look at modern block ciphers  one of the most widely used types.

1 Chapter 3 – Block Ciphers and the Data Encryption Standard Modern Block Ciphers  now look at modern block ciphers  one of the most widely used types.
1 Chapter 3 – Block Ciphers and the Data Encryption Standard Modern Block Ciphers  now look at modern block ciphers  one of the most widely used types.

1 Chapter 3 – Block Ciphers and the Data Encryption Standard Modern Block Ciphers  now look at modern block ciphers  one of the most widely used types.

Similar presentations

Ads by Google