Download presentation
Presentation is loading. Please wait.
Published byAlfred Pearson Modified over 8 years ago
1
Data Security and Encryption (CSE348) 1
2
Lecture # 9 2
3
Review – Data Encryption Standard (DES) – Strengths of DES – Differential & Linear Cryptanalysis – block cipher design principles 3
4
DES Encryption Overview 4
5
The overall scheme for DES encryption is illustrated in Stallings Figure which takes as input 64-bits of data and of key The left side shows the basic process for enciphering a 64-bit data block which consists of: an initial permutation (IP) which shuffles the 64-bit input block 16 rounds of a complex key dependent round function involving substitutions & permutations a final permutation, being the inverse of IP 5
6
DES Encryption Overview The right side shows the handling of the 56-bit key and consists of: an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in two 28-bit halves 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves 6
7
Initial Permutation IP The initial permutation and its inverse are defined by Tables 3.2a and 3.2b The tables are to be interpreted as follows: The input to a table consists of 64 bits numbered left to right from 1 to 64 The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64 7
8
Initial Permutation IP Each entry in the permutation table indicates the position of a numbered input bit in the output – which also consists of 64 bits Bit numbering for DES reflects IBM mainframe practice and is the opposite of what we now mostly use 8
9
Initial Permutation IP Numbers from Bit 1 (leftmost, most significant) to bit 32/48/64 etc (rightmost, least significant). For example, a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb” example values are specified using hexadecimal 9
10
Initial Permutation IP first step of the data computation IP reorders the input data bits even bits to LH half, odd bits to RH half quite regular in structure (easy in h/w) example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb) 10
11
DES Round Structure We now review the internal structure of the DES round function F which takes R half & subkey, and processes them The round key Ki is 48 bits The R input is 32 bits 11
12
DES Round Structure This R input is first expanded to 48 bits by using a table that defines a permutation Plus an expansion that involves duplication of 16 of the R bits 12
13
DES Round Structure The resulting 48 bits are XORed with Ki This 48-bit result passes through a substitution function that produces a 32-bit output which is permuted as defined by Table 3.2d. follows the classic structure for a feistel cipher 13
14
DES Round Structure The s-boxes provide the “confusion” of data and key values Whilst the permutation P then spreads this as widely as possible So each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion” 14
15
DES Round Structure uses two 32-bit L & R halves as for any Feistel cipher can describe as: L i = R i–1 R i = L i–1 F(R i–1, K i ) F takes 32-bit R half and 48-bit subkey: – expands R to 48-bits using perm E – adds to subkey using XOR – passes through 8 S-boxes to get 32-bit result – finally permutes using 32-bit perm P 15
16
DES Round Structure 16
17
Substitution Boxes S The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output These transformations are defined in Stallings Table which is interpreted as follows: The first and last bits of the input to box Si form a 2- bit binary number to select one of four substitutions defined by the four rows in the table for Si 17
18
Substitution Boxes S The middle four bits select one of the sixteen columns The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output E.g, in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column 12) The value in row 1, column 12 is 9, so the output is 1001 18
19
Substitution Boxes S 19
20
Substitution Boxes S 20
21
Substitution Boxes S The example lists 8 6-bit values 18 in hex is 011000 in binary 09 hex is 001001 binary 12 hex is 010010 binary 3d hex is 111101 binary etc. Each of which is replaced following the process detailed above using the appropriate S-box 21
22
DES Key Schedule The DES Key Schedule generates the subkeys needed for each data encryption round 64-bit key is used as input to the algorithm, though every eighth bit is ignored, as indicated by the lack of shading in Table 3.4a. 22
23
DES Key Schedule It is first processed by Permuted Choice One (Stallings Table 3.4b) The resulting 56-bit key is then treated as two 28-bit quantities C & D 23
24
DES Key Schedule In each round, these are separately processed through a circular left shift (rotation) of 1 or 2 bits as shown in Stallings Table 3.4d These shifted values serve as input to the next round of the key schedule 24
25
DES Key Schedule They also serve as input to Permuted Choice Two (Stallings Table 3.4c) which produces a 48-bit output that serves as input to the round function F 25
26
DES Key Schedule The 56 bit key size comes from security considerations as we know now It was big enough so that an exhaustive key search was about as hard as the best direct attack a form of differential cryptanalysis called a T-attack, known by the IBM & NSA researchers, but no bigger 26
27
DES Key Schedule The extra 8 bits were then used as parity (error detecting) bits which makes sense given the original design use for hardware communications links However we hit an incompatibility with simple s/w implementations since the top bit in each byte is 0 (since ASCII only uses 7 bits) but the DES key schedule throws away the bottom bit 27
28
DES Decryption As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order SK16.. SK1. If you trace through the DES overview diagram can see how each decryption step top to bottom with reversed subkeys undoes the equivalent encryption step moving from bottom to top 28
29
DES Decryption decrypt must unwind steps of data computation with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1) – IP undoes final FP step of encryption – 1st round with SK16 undoes 16th encrypt round – …. – 16th round with SK1 undoes 1st encrypt round – then final FP undoes initial encryption IP – thus recovering original data value 29
30
Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know what the key is it's virtually indecipherable." —Talking to Strange Men, Ruth Rendell 30
31
Origins The Advanced Encryption Standard (AES) Published by NIST (National Institute of Standards and Technology) in 2001 AES is a symmetric block cipher That is intended to replace DES as the approved standard for a wide range of applications 31
32
Origins The AES cipher (& other candidates) form the latest generation of block ciphers Now we see a significant increase in the block size - from the old standard of 64-bits up to 128-bits keys from 128 to 256-bits In part this has been driven by the public demonstrations of exhaustive key searches of DES 32
33
Origins Whilst triple-DES is regarded as secure and well understood it is slow, especially in s/w In a first round of evaluation, 15 proposed algorithms were accepted A second round narrowed the field to 5 algorithms 33
34
Origins NIST completed its evaluation process and published a final standard (FIPS PUB 197) in November of 2001 NIST selected Rijndael as the proposed AES algorithm The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium – Dr. Joan Daemen and Dr. Vincent Rijmen 34
35
Origins clear a replacement for DES was needed – have theoretical attacks that can break it – have demonstrated exhaustive key search attacks can use Triple-DES – but slow, has small blocks US NIST issued call for ciphers in 1997 15 candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001 35
36
The AES Cipher - Rijndael The Rijndael proposal for AES defined a cipher In which the block length and the key length can be independently specified to be 128,192,or 256 bits The AES specification uses the same three key size alternatives But limits the block length to 128 bits 36
37
The AES Cipher - Rijndael Rijndael is an academic submission Based on the earlier Square cipher, from Belgium academics Dr Joan Daemen and Dr Vincent Rijmen It is an iterative cipher (operates on entire data block in every round) Rather than feistel (operate on halves at a time) 37
38
The AES Cipher - Rijndael Was designed to have characteristics of: – Resistance against all known attacks – Speed and code compactness on a wide range of platforms – Design simplicity 38
39
The AES Cipher - Rijndael designed by Rijmen-Daemen in Belgium has 128/192/256 bit keys, 128 bit data an iterative rather than feistel cipher – processes data as block of 4 columns of 4 bytes – operates on entire data block in every round designed to be: – resistant against known attacks – speed and code compactness on many CPUs – design simplicity 39
40
AES Encryption Process 40
41
AES Structure The input to the AES encryption and decryption algorithms is a single 128-bit block depicted in FIPS PUB 197, as a square matrix of bytes This block is copied into the State array which is modified at each stage of encryption or decryption 41
42
AES Structure After the final stage, State is copied to an output The key is expanded into 44/52/60 lots of 32-bit words with 4 used in each round The ordering of bytes within a matrix is by column 42
43
AES Structure So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in matrix the second four bytes occupy the second column, and so on Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix 43
44
AES Structure The data computation then consists of an “add round key” step, then 9/11/13 rounds with all 4 steps and a final 10 th /12 th /14 th step of byte subs + mix cols + add round key This can be viewed as alternating XOR key & scramble data bytes operations All of the steps are easily reversed, and can be efficiently implemented using XOR’s & table lookups 44
45
AES Structure data block of 4 columns of 4 bytes is state key is expanded to array of words has 9/11/13 rounds in which state undergoes: byte substitution (1 S-box used on every byte) shift rows (permute bytes between groups/columns) mix columns (subs using matrix multiply of groups) add round key (XOR state with key material) view as alternating XOR key & scramble data bytes initial XOR key material & incomplete last round with fast XOR & table lookup implementation 45
46
AES Structure Figure 5.3 AES Encryption and Decryption 46
47
AES Structure Stallings Figure 5.3 shows the structure of AES in more detail The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key; 12 rounds for a 24-byte key; and 14 rounds for a 32-byte key 47
48
AES Structure The first N – 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, AddRoundKey, which are described subsequently 48
49
AES Structure The final round contains only 3 transformation There is a initial single transformation (AddRoundKey) before the first round Which can be considered Round 0 Each transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output 49
50
AES Structure Figure 5.1 shows that the output of each round is a 4 x 4 matrix with the output of the final round being the ciphertext Also, the key expansion function generates N + 1 round keys each of which is a distinct 4 x 4 matrix Each round key serve as one of the inputs to the AddRoundKey transformation in each round 50
51
Some Comments on AES 1.an iterative rather than feistel cipher 2.key expanded into array of 32-bit words 1.four words form round key in each round 3.4 different stages are used as shown 4.has a simple structure 5.only AddRoundKey uses key 6.AddRoundKey a form of Vernam cipher 7.each stage is easily reversible 8.decryption uses keys in reverse order 9.decryption does recover plaintext 10.final round has only 3 stages 51
52
Four Stages of AES Four different stages are used, one of permutation and three of substitution: – Substitute bytes: Uses an S-box to perform a byte- by-byte substitution of the block – ShiftRows: A simple permutation – MixColumns: A substitution that makes use of arithmetic over – AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key 52
53
Substitute Bytes We now turn to a discussion of each of the four transformations used in AES For each stage, we mention the forward (encryption) algorithm The inverse (decryption) algorithm And the rationale for the design of that stage 53
54
Substitute Bytes The Substitute bytes stage uses an S-box to perform a byte-by-byte substitution of the block There is a single 8-bit wide S-box used on every byte This S-box is a permutation of all 256 8-bit values Constructed using a transformation which treats the values as polynomials in Finite Field GF(2 8 ) – however it is fixed 54
55
Substitute Bytes So really only need to know the table when implementing Decryption requires the inverse of the table. These tables are given in Stallings Table 5.2. The table was designed to be resistant to known cryptanalytic attacks 55
56
Substitute Bytes Specifically, the Rijndael developers sought a design that has a low correlation between input bits and output bits With the property that the output cannot be described as a simple mathematical function of the input With no fixed points and no “opposite fixed points” 56
57
Substitute Bytes a simple substitution of each byte uses one table of 16x16 bytes containing a permutation of all 256 8-bit values each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits) – eg. byte {95} is replaced by byte in row 9 column 5 – which has value {2A} S-box constructed using defined transformation of values in GF(2 8 ) designed to be resistant to all known attacks 57
58
Substitute Bytes 58
59
Substitute Bytes 59
60
60
61
Substitute Bytes 61
62
Substitute Bytes As this diagram from Stallings Fig 5.5a shows the Byte Substitution operates on each byte of state independently with the input byte used to index a row/col in the table to retrieve the substituted value 62
63
Substitute Bytes Example Figure 5.5a example of the SubBytes transformation from the text 63
64
Shift Rows The ShiftRows stage provides a simple “permutation” of the data whereas the other steps involve substitutions Further, since the state is treated as a block of columns, it is this step which provides for diffusion of values between columns It performs a circular rotate on each row of 0, 1, 2 & 3 places for respective rows 64
65
Shift Rows When decrypting it performs the circular shifts in the opposite direction for each row This row shift moves an individual byte from one column to another which is a linear distance of a multiple of 4 bytes, and ensures that the 4 bytes of one column are spread out to four different columns 65
66
Shift Rows a circular byte shift in each – 1 st row is unchanged – 2 nd row does 1 byte circular shift to left – 3 rd row does 2 byte circular shift to left – 4 th row does 3 byte circular shift to left 66
67
Shift Rows 67
68
Inverse Shift Rows Decrypt inverts using shifts to right since state is processed by columns, this step permutes bytes between the columns The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so on 68
69
Summary – DES review – the AES selection process – the details of Rijndael – the AES cipher – looked at the steps in each round – Out of four AES stages, first two are discussed Substitute bytes Shift Rows 69
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.