Applied Cryptography (Symmetric) Part I. Many savages at the present day regard their names as vital parts of themselves, and therefore take great pains.


1 Applied Cryptography (Symmetric) Part I

2 Many savages at the present day regard their names as vital parts of themselves, and therefore take great pains to conceal their real names, lest these should give to evil-disposed persons a handle by which to injure their owners. —The Golden Bough, Sir James George Frazer

3 Symmetric Encryption
- or conventional / private-key / single-key
- sender and recipient share a common key
- all classical encryption algorithms are private-key
- was only type prior to invention of public-key in 1970's
- and by far most widely used

4 Some Basic Terminology
- plaintext - original message
- ciphertext - coded message
- cipher - algorithm for transforming plaintext to ciphertext
- key - info used in cipher known only to sender/receiver
- encipher (encrypt) - converting plaintext to ciphertext
- decipher (decrypt) - recovering plaintext from ciphertext
- cryptography - study of encryption principles/methods
- cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key
- cryptology - field of both cryptography and cryptanalysis

5 Symmetric Cipher Model

6 Requirements
- two requirements for secure use of symmetric encryption:
  - a strong encryption algorithm
  - a secret key known only to sender / receiver
- mathematically have: $Y = E_K(X)$, $X = D_K(Y)$
- assume encryption algorithm is known
- implies a secure channel to distribute key

7 Cryptography
- Classify cryptographic system by:
  - type of encryption operations used
    - substitution / transposition / product
  - number of keys used
    - single-key or private / two-key or public
  - way in which plaintext is processed
    - block / stream

8 Cryptanalysis
- objective to recover key not just message
- general approaches:
  - cryptanalytic attack
  - brute-force attack

9 More Definitions
- unconditional security
  - no matter how much computer power or time is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
- computational security
  - given limited computing resources (e.g. time needed for calculations is greater than age of universe), the cipher cannot be broken

10 Brute Force Search
- always possible to simply try every key
- most basic attack, proportional to key size
- assume either know / recognise plaintext

| Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at $10^{6}$ decryptions/µs |
|---|---|---|---|
| 32 | $2^{32} = 4.3 \times 10^{9}$ | $2^{31}$ µs = 35.8 minutes | 2.15 milliseconds |
| 56 | $2^{56} = 7.2 \times 10^{16}$ | $2^{55}$ µs = 1142 years | 10.01 hours |
| 128 | $2^{128} = 3.4 \times 10^{38}$ | $2^{127}$ µs = $5.4 \times 10^{24}$ years | $5.4 \times 10^{18}$ years |
| 168 | $2^{168} = 3.7 \times 10^{50}$ | $2^{167}$ µs = $5.9 \times 10^{36}$ years | $5.9 \times 10^{30}$ years |
| 26 characters (permutation) | $26! = 4 \times 10^{26}$ | $2 \times 10^{26}$ µs = $6.4 \times 10^{12}$ years | $6.4 \times 10^{6}$ years |

11 Modern Block Ciphers
- now look at modern block ciphers
- one of the most widely used types of cryptographic algorithms
- provide secrecy / authentication services
- focus on DES (Data Encryption Standard)
- to illustrate block cipher design principles

12 Block vs Stream Ciphers
- block ciphers process messages in blocks, each of which is then en/decrypted
- like a substitution on very big characters
  - 64-bits or more
- stream ciphers process messages a bit or byte at a time when en/decrypting
- many current ciphers are block ciphers
- broader range of applications

13 Block Cipher Principles
- most symmetric block ciphers are based on a Feistel Cipher Structure
- block ciphers look like an extremely large substitution
- would need table of $2^{64}$ entries for a 64-bit block
- instead create from smaller building blocks
- using idea of a product cipher

14 Ideal Block Cipher

15 Claude Shannon and Substitution-Permutation Ciphers
- Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
- form basis of modern block ciphers
- S-P nets are based on the two primitive cryptographic operations seen before:
  - substitution (S-box)
  - permutation (P-box)
- provide confusion & diffusion of message & key

16 Confusion and Diffusion
- cipher needs to completely obscure statistical properties of original message
- a one-time pad does this
- more practically Shannon suggested combining S & P elements to obtain:
- diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
- confusion – makes relationship between ciphertext and key as complex as possible

17 Feistel Cipher Structure
- Horst Feistel devised the Feistel cipher
  - based on concept of invertible product cipher
- partitions input block into two halves
  - process through multiple rounds which
  - perform a substitution on left data half
  - based on round function of right half & subkey
  - then have permutation swapping halves
- implements Shannon's S-P net concept

18 Feistel Cipher Structure

19 Feistel Cipher Design Elements
- block size
- key size
- number of rounds
- subkey generation algorithm
- round function
- fast software en/decryption
- ease of analysis

20 Feistel Cipher Decryption

21 Data Encryption Standard (DES)
- most widely used block cipher in world
- adopted in 1977 by NIST
  - as FIPS PUB 46
- encrypts 64-bit data using 56-bit key
- has widespread use
- has been considerable controversy over its security

22 DES Encryption Overview

23 DES Round Structure
- uses two 32-bit L & R halves
- as for any Feistel cipher can describe as:
  $L_i = R_{i-1}$
  $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
- Function F takes 32-bit R half and 48-bit subkey:
  - expands R to 48-bits using permutation E
  - adds to subkey using XOR
  - passes through 8 S-boxes to get 32-bit result
  - finally permutes using 32-bit perm P

24 DES Round Structure

25 Substitution Boxes S
- have eight S-boxes which map 6 to 4 bits
- each S-box is actually 4 little 4 bit boxes
  - outer bits 1 & 6 (row bits) select one row of 4
  - inner bits 2-5 (col bits) are substituted
  - result is 8 groups of 4 bits, or 32 bits
- row selection depends on both data & key
  - feature known as autoclaving (autokeying)
- example:
  - S(18 09 12 3d 11 17 38 39) = 5fd25e03

26 DES Key Schedule
- forms subkeys used in each round
  - initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
  - 16 stages consisting of:
    - rotating each half separately either 1 or 2 places depending on the key rotation schedule K
    - selecting 24-bits from each half & permuting them by PC2 for use in round function F
- note practical use issues in h/w vs s/w

27 Avalanche Effect
- key desirable property of encryption algorithms
- where a change of one input or key bit results in changing approx half output bits
- making attempts to "home-in" by guessing keys impossible
- DES exhibits strong avalanche
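
The Feistel round equations and the avalanche property above, as an added example that is not part of the original slides: a toy 64-bit Feistel network showing that decryption is the same structure with the subkeys reversed, and measuring how many output bits flip per flipped input bit. The round function (truncated HMAC-SHA256) and the key schedule are assumptions chosen for illustration; they are not DES's F, S-boxes or PC1/PC2.

```python
import hashlib
import hmac

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(right, subkey):
    # F(R, K): need not be invertible. Toy choice: HMAC-SHA256 cut to 32 bits.
    return hmac.new(subkey, right, hashlib.sha256).digest()[:4]

def subkeys(key, rounds):
    # Hypothetical key schedule: one hash-derived subkey K_i per round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def feistel(block, keys):
    # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, xor(left, round_fn(right, k))
    return right + left  # undo the last swap so the same routine decrypts

def encrypt(block, key, rounds=16):
    return feistel(block, subkeys(key, rounds))

def decrypt(block, key, rounds=16):
    # Same structure, subkeys applied in reverse order.
    return feistel(block, subkeys(key, rounds)[::-1])

def avalanche(key, block, rounds=16):
    # Mean number of the 64 ciphertext bits that flip per single plaintext-bit flip.
    base = encrypt(block, key, rounds)
    total = 0
    for bit in range(64):
        flipped = bytearray(block)
        flipped[bit // 8] ^= 1 << (bit % 8)
        diff = xor(base, encrypt(bytes(flipped), key, rounds))
        total += sum(bin(b).count("1") for b in diff)
    return total / 64

if __name__ == "__main__":
    key, pt = b"constructed key", b"8 bytes!"  # constructed sample values
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key) == pt)
    for r in (1, 2, 16):
        print(r, "rounds:", avalanche(key, pt, r))
```

With a single round a flipped bit in the left half changes exactly one output bit, so the average stays far below half the block; the figure approaches 32 of 64 only after several rounds.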

28 Stream Ciphers
- process message bit by bit (as a stream)
- have a pseudo random keystream
- combined (XOR) with plaintext bit by bit
- randomness of stream key completely destroys statistical properties in message
  - $C_i = M_i \text{ XOR } \text{StreamKey}_i$
- but must never reuse stream key
  - otherwise can recover messages (cf book cipher)

29 Stream Cipher Structure

30 Stream Cipher Properties
- some design considerations are:
  - long period with no repetitions
  - statistically random
  - depends on large enough key
  - large linear complexity
- properly designed, can be as secure as a block cipher with same size key
- but usually simpler & faster

31 RC4
- a proprietary cipher owned by RSA DSI
- another Ron Rivest design, simple but effective
- variable key size, byte-oriented stream cipher
- widely used (web SSL/TLS, wireless WEP)
- key forms random permutation of all 8-bit values
- uses that permutation to scramble input info processed a byte at a time

32 RC4 Encryption
- encryption continues shuffling array values
- sum of shuffled pair selects "stream key" value from permutation
- XOR S[t] with next byte of message to en/decrypt

    i = j = 0
    for each message byte M_i
        i = (i + 1) (mod 256)
        j = (j + S[i]) (mod 256)
        swap(S[i], S[j])
        t = (S[i] + S[j]) (mod 256)
        C_i = M_i XOR S[t]

33 RC4 Overview

34 RC4 Security
- claimed secure against known attacks
  - have some analyses, none practical
- result is very non-linear
- since RC4 is a stream cipher, must never reuse a key
- have a concern with WEP, but due to key handling rather than RC4 itself
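
The RC4 generation loop from slide 32 and the "never reuse a key" rule from slides 28 and 34, as an added example that is not part of the original slides. The key-setup loop is the standard RC4 key schedule (the slides only describe it in words); `reuse_leak` and `message_key` are hypothetical helper names, and the HMAC-based per-message key is an assumed mitigation for illustration. Messages and keys in the demo are constructed.

```python
import hashlib
import hmac

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_keystream(key, n):
    # Key setup (standard RC4, not on the slide): the key drives a shuffle of
    # the identity permutation of all 8-bit values.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Generation loop exactly as on the RC4 Encryption slide.
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4(key, data):
    # Encryption and decryption are the same XOR with the keystream.
    return xor(data, rc4_keystream(key, len(data)))

def reuse_leak(key, m1, m2):
    # Same key twice: keystream cancels, leaving M1 XOR M2 with no key material.
    return xor(rc4(key, m1), rc4(key, m2))

def message_key(master, nonce):
    # Assumed mitigation for illustration: a fresh key per message, derived
    # from a never-repeating nonce with HMAC-SHA256.
    return hmac.new(master, nonce, hashlib.sha256).digest()

if __name__ == "__main__":
    m1, m2 = b"transfer 100 EUR", b"transfer 999 EUR"  # constructed messages
    print(reuse_leak(b"shared key", m1, m2).hex())     # equals xor(m1, m2)
    k1 = message_key(b"shared key", b"\x00\x01")
    k2 = message_key(b"shared key", b"\x00\x02")
    print(xor(rc4(k1, m1), rc4(k2, m2)).hex())         # no longer M1 XOR M2
```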

