Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography: Block Ciphers David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class,

Published byMarsha Harper Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography: Block Ciphers David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class,"— Presentation transcript:

1 Cryptography: Block Ciphers David Brumley dbrumley@cmu.edu Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class, which is awesome! TODO: 1.go through slides and make slide fonts/colors consistent 2.emphasize encryption must be randomized to be secure (multi-message semantic security) (slide 50)

2 What is a block cipher? Block ciphers are the crypto work horse Canonical examples: 1.3DES: n = 64 bits, k = 168 bits 2.AES: n = 128 bits, k = 128, 192, 256 bits Block of plaintext n bits Key k bits Block of ciphertext n bits E, D 2

3 Block ciphers built by iteration key expansion key k 1 key k 2 key k 3 key k n key k m R(k 1, ∙)R(k n, ∙)R(k 3, ∙)R(k 2, ∙) c R(k, m) is called a round function for 3DES (n=48), for AES128 (n=10) mc m1m1 m2m2 m3m3 3

4 Performance: Stream vs. block ciphers Crypto++ 5.6.0 [Wei Dai] AMD Opteron, 2.2 GHz (Linux) CipherBlock/key sizeThroughput [MB/s] Stream RC4126 Salsa20/12643 Sosemanuk727 Block 3DES64/16813 AES128128/128109 4

5 Abstractly: PRFs Pseudo Random Function (PRF) defined over (K,X,Y): such that there exists an “efficient” algorithm to evaluate F(k,x) X Y F(k,⋅), k ∊ K 5

6 Abstractly: PRPs Pseudo Random Permutation (PRP) defined over (K,X) such that: 1.Exists “efficient” deterministic algorithm to evaluate E(k,x) 2.The function E(k, ∙) is one-to-one 3.Exists “efficient” inversion algorithm D(k,y) XX E(k,⋅), k ∊ K D(k, ⋅), k ∊ K 6

7 Running example Example PRPs: 3DES, AES, … Functionally, any PRP is also a PRF. - PRP is a PRF when X = Y and is efficiently invertible 7

8 Secure PRFs Intuition: a PRF is secure if A random function in Funs[X,Y] is indistinguishable from a random function in S F SFSF Funs[X,Y] Size |K| Size |Y| |X| 8

9 Secure PRFs SFSF Funs[X,Y] Size |K| Size |Y| |X| How many functions when |x| = |y| = 128bits (x∈X, y∈Y)? Answer: 9

10 Secure PRF: Definition For b = 0,1 define experiment EXP(b) as: Def: F is a secure PRF if for all “efficient” A: is “negligible”. EXP(b) 10 Adv. A Adv definition not pretty.

11 Quiz Let be a secure PRF. Is the following G a secure PRF? o No, it is easy to distinguish G from a random function o Yes, an attack on G would also break F o It depends on F 11

12 Secure PRPs (secure block cipher) Intuition: a PRP is secure if A random function in Perms[X] is indistinguishable from a random function in S F 12

13 Secure PRP: (secure block cipher) For b = 0,1 define experiment EXP(b) as: Def: E is a secure PRP if for all “efficient” A: is “negligible”. EXP(b) 13 Adv. A same font/spacing problem here.

14 Block ciphers The Data Encryption Standard (DES) 14

15 History of DES 1970s: Horst Feistel designs Lucifer at IBM key = 128 bits, block = 128 bits 1973: NBS asks for block cipher proposals. IBM submits variant of Lucifer. 1976: NBS adopts DES as federal standard key = 56 bits, block = 64 bits 1997: DES broken by exhaustive search 2000: NIST adopts Rijndael as AES to replace DES. AES currently widely deployed in banking, commerce and Web 15

16 DES: core idea – Feistel network Given functions Goal: build invertible function R1R1 L1L1 R2R2 L2L2 RdRd LdLd R d-1 L d-1 fdfd ⊕ n-bits R0R0 L0L0 f1f1 ⊕ f2f2 ⊕ input output In symbols: 16 fix colors

17 Feistel network - inverse Claim: for all Feistel network is invertible Proof: construct inverse n-bits R1R1 L1L1 R2R2 L2L2 RdRd LdLd R d-1 L d-1 fdfd ⊕ R0R0 L0L0 f1f1 ⊕ f2f2 ⊕ inputoutput R i+1 L i+1 RiRi LiLi f i+1 ⊕ inverse RiRi LiLi R i+1 L i+1 f i+1 ⊕ 17

18 L d-1 R d-1 L d-2 R d-2 Decryption circuit RdRd LdLd fdfd ⊕ n-bits f d-1 ⊕ R0R0 L0L0 L1L1 R1R1 f1f1 ⊕ Inversion is basically the same circuit, with f 1, …, f d applied in reverse order General method for building invertible functions (block ciphers) from arbitrary functions. Used in many block ciphers … but not AES 18

19 a secure PRF ⇒ 3-round Feistel is a secure PRP Luby-Rackoff Theorem (1985) n-bits input R0R0 L0L0 f ⊕ R1R1 L1L1 f ⊕ R3R3 L3L3 R2R2 L2L2 f ⊕ output 19

20 DES: 16 round Feistel network key expansion key k 1 key k 64 bits IP -1 IP R1R1 L1L1 R2R2 L2L2 R 16 L 16 R 15 L 15 f 16 R0R0 L0L0 f1f1 ⊕ f2f2 ⊕⊕ 16 round Feistel network 56 bits 48 bits key k 2 key k 16 To invert, use keys in reverse order 20

21 The function F(k i, x) x 32 bits E x’ 48 bits kiki ⊕ P 32 bits y 6 4 S1S1 6 4 S2S2 6 4 S3S3 6 4 S4S4 6 4 S5S5 6 4 S6S6 6 4 S7S7 6 4 S8S8 S-box: function {0,1} 6 ⟶ {0,1} 4, implemented as lookup table. 21

22 The S-boxes 22 e.g., 011011 ⟶ 1001

23 Block ciphers Attacks (and defenses) on DES 23

24 Exhaustive Search for block cipher key Goal: given a few input output pairs (m i, c i = E(k, m i )) i=1,..,nfind key k. Lemma: Suppose DES is an ideal cipher ( 2 56 random invertible functions ) Then ∀ m, c there is at most one key k s.t. c = DES(k, m) Proof: [with prob. ≥ 1 – 1/256 ≈ 99.5%] 24

25 Exhaustive Search for block cipher key Unicity: For two DES pairs (M = {m 1, m 2 }) (m 1, c 1 =DES(k, m 1 )), (m 2, c 2 =DES(k, m 2 )) unicity prob. ≈ 1 - 1/2 71 For AES-128: given two input/output pairs, unicity prob. ≈ 1 - 1/2 128 ⇒ two input/output pairs are enough for exhaustive key search. 25

26 msg = “The unknown messages is:XXXX…“ CT = c 1 c 2 c 3 c 4 Goal: find k ∈ {0,1} 56 s.t. DES(k, m i ) = c i for i=1,2,3 1997: Internet search -- 3 months 1998: EFF machine (deep crack) -- 3 days (250K $) 1999: combined search -- 22 hours 2006: COPACOBANA (120 FPGAs) -- 7 days (10K $) ⇒ 56-bit ciphers should not be used !! (128-bit key ⇒ 2 72 days) DES challenge 26 64 bits ugly

27 Strengthening DES against ex. search Method 1: Triple-DES Let E : K × M ⟶ M be a block cipher Define 3E: K 3 × M ⟶ M as 3E ( (k 1,k 2,k 3 ), m ) = E(k 1, D(k 2, E(k 3, m) ) ) 3DES -Key-size: 3×56 = 168 bits -3×slower than DES -Simple attack in time: ≈2 118 What if k 1 = k 2 = k 3 ? => DES 27

28 Define 2E( (k 1,k 2 ), m) = E(k 1, E(k 2, m) ) Naïve Attack: M = (m 1,…, m 10 ), C = (c 1,…,c 10 ). Why not double DES? key-len = 112 bits for 2DES m E(k 2,⋅)E(k 1,⋅) c For each k 2 ∈{0,1} 56: For each k 1 ∈{0,1} 56: if E(k 2, E(k 1, m i )) = c i then (k 2, k 1 ) m c' … … c’’ … … 2 112 checks c’’ = c? 28

29 Meet in the middle attack Define 2E( (k 1,k 2 ), m) = E(k 1, E(k 2, m) ) key-len = 112 bits for 2DES Idea: key found when c’ = c’’: E(k i, m) = D(k j, c) m c' … … c … … c’’ m E(k 2,⋅)E(k 1,⋅) c 29

30 Meet in the middle attack Define 2E( (k 1,k 2 ), m) = E(k 1, E(k 2, m) ) Attack: M = (m 1,…, m 10 ), C = (c 1,…,c 10 ). step 1: build table. sort on 2 nd column key-len = 112 bits for 2DES k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) 2 56 entries m E(k 2,⋅)E(k 1,⋅) c 30 ugly

31 Meet in the middle attack M = (m 1,…, m 10 ), C = (c 1,…,c 10 ) step 1: build table. Step 2: for all k∈{0,1} 56 do: test if D(k, C) is in 2 nd column. if so then E(k i,M) = D(k,C) ⇒ (k i,k) = (k 2,k 1 ) k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) m E(k 2,⋅)E(k 1,⋅) c 31 ugly

32 Meet in the middle attack Time = 2 56 log(2 56 ) + 2 56 log(2 56 ) < 2 63 << 2 112 Space ≈ 2 56 [Table Size] Same attack on 3DES: Time = 2 118, Space ≈ 2 56 m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c E(k 3, ⋅ ) [Build & Sort Table] [Search Entries] m E(k 2,⋅)E(k 1,⋅) c 32

33 Method 2: DESX E : K × {0,1} n ⟶ {0,1} n a block cipher Define EX as EX( (k 1,k 2,k 3 ), m) = k 1 ⨁ E(k 2, m⨁k 3 ) For DESX: key-len = 64+56+64 = 184 bits … but easy attack in time 2 64+56 = 2 120 Note: k 1 ⨁E(k 2, m) and E(k 2, m⨁k 1 ) does nothing! 33 why green background? ugly.

34 Attacks on the implementation 1. Side channel attacks: – Measure time to do enc/dec, measure power for enc/dec 2. Fault attacks: – Computing errors in the last round expose the secret key k ⇒ do not even implement crypto primitives yourself … [Kocher, Jaffe, Jun, 1998] smartcard 34 Card is doing DES IPIP -1 16 rounds

35 Block ciphers AES – Advanced encryption standard 35

36 The AES process 1997: NIST publishes request for proposal 1998: 15 submissions 1999: NIST chooses 5 finalists 2000: NIST chooses Rijndael as AES (developed by Daemen and Rijmen at K.U. Leuven, Belgium) Key sizes: 128, 192, 256 bits Block size: 128 bits 36

37 AES core idea: Subs-Perm network DES is based on Feistel networks AES is based on the idea of substitution-permutation networks That is, alternating steps of substitution and permutation operations 37

38 AES: Subs-Perm network input ⊕ k1k1 output ⊕ k2k2 S1S1 S2S2 S3S3 S8S8 S1S1 S2S2 S3S3 S8S8 S1S1 S2S2 S3S3 S8S8 ⊕ knkn subs. layer perm. layer inversion 38

39 AES128 schematic ⊕ input 4 4 k0k0 k1k1 k2k2 k9k9 ⊕⊕ (1) ByteSub (2) ShiftRow (3) MixColumn (1) ByteSub (2) ShiftRow (3) MixColumn ⊕ (1) ByteSub (2) ShiftRow ⊕ output 4 4 k 10 key Key expansion: 16 bytes ⟶176 bytes 10 rounds 4 4 39

40 ByteSub: a 1 byte S-box. 256 byte table (easily computable) ShiftRows: MixColumns: The round function s 0,0 s 0,1 s 0,2 s 0,3 s 1,0 s 1,1 s 1,2 s 1,3 s 2,0 s 2,1 s 2,2 s 2,3 s 3,0 s 3,1 s 3,2 s 3,3 s 0,0 s 0,1 s 0,2 s 0,3 s 1,1 s 1,2 s 1,3 s 1,0 s 2,2 s 2,3 s 2,0 s 2,1 s 3,3 s 3,0 s 3,1 s 3,2 s 0,0 s 0,1 s 0,2 s 0,3 s 1,0 s 1,1 s 1,2 s 1,3 s 2,0 s 2,1 s 2,2 s 2,3 s 3,0 s 3,1 s 3,2 s 3,3 s’ 0,0 s’ 0,1 s’ 0,2 s’ 0,3 s’ 1,0 s’ 1,1 s’ 1,2 s’ 1,3 s’ 2,0 s’ 2,1 s’ 2,2 s’ 2,3 s’ 3,0 s’ 3,1 s’ 3,2 s’ 3,3 s 0,c s 1,c s 2,c s 3,c s’ 0,c s’ 1,c s’ 2,c s’ 3,c MixColumns() 40

41 Code size/performance tradeoff Code sizePerformance Pre-compute round functions (24KB or 4KB) largest fastest: table lookups and xors Pre-compute S-box only (256 bytes) smallerslower No pre- computation smallestslowest 41

42 Size + performance (Javascript AES) AES in the browser AES library (6.4KB) No pre-computed tables (1)Uncompress code (one time effort) (2)Pre-compute tables (one time effort) (3)Perform encryption using tables Implementation: Stanford Javascript Crypto Library https://crypto.stanford.edu/sjcl/ 42

43 AES in hardware Advanced Encryption Standard (AES) Instruction Set Proposed seven AES instructions in 2008 Intel Westmere (2010 Intel Core + later), AMD Bulldozer ( + later) aesenc, aesenclast : do one round of AES 128 bit registers: xmm1=state, xmm2=round key aesenc xmm1, xmm2 ; puts result in xmm1 aeskeygenassist : performs AES key expansion Claim 2-10x speed-up over OpenSSL on same hardware 43

44 Block ciphers Modes of operation 44

45 Incorrect use of PRP Electronic Code Book (ECB) mode Problem: m 1 = m 2 ⟶ c 1 = c 2 45 m1m1 m2m2 PT: c1c1 c2c2 CT:

46 What can possibly go wrong? 46 PlaintextCiphertext Images from Wikipedia

47 Semantic security for ECB mode 47 ECB is not semantically secure for messages that contain more than one block Adv. A m 0 = “Hello World” m 1 = “Hello Hello” Two blocks (c 1, c 2 ) ← E(k,m b ) if c 1 = c 2 output 0 else output 1 Adv SS [A,ECB] = 1

48 Deterministic counter mode 48 from a PRF F: E DETCTR (k,m) = Stream cipher built from a PRF (e.g. AES, 3DES) Better than ECB but only works as long as key is only used once (one-time-key) m[0]m[1] m[L] m[2] F(k,0)F(k,1) F(k,L) F(k,2) ⊕ c[0]c[1] c[L] c[2] ugly

49 Deterministic counter mode security 49 Theorem: For any L > 0, If F is a secure PRF over (K,X,X) then E DETCTR is a sem. secure cipher over (K,X L,X L ). In particular, for any eff. adversary A attacking E DETCTR there exists an eff. PRF adversary B s.t.: Adv SS [A,EDETCTR] = 2 ∙Adv PRF [B,F]

50 An attacker can learn that two encrypted files (two encrypted packets) are the same Semantic security under CPA 50 Ciphers that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key) Adv. A if c b = c 0 output 0 else output 1 m 0, m 0 ∊ M C 0 ← E(k,m) m 0, m 1 ∊ M C b ← E(k,m b ) ugly emphasize that this means encryption must be randomized!

51 Semantic security under CPA 51 An attacker can learn that two encrypted files (two encrypted packets) are the same Two solutions: 1.Randomized encryption Encrypting the same msg twice gives different ciphertexts (w.h.p.) Ciphertext must be longer than plaintext 2.Nonce-based encryption

52 Nonce-based encryption 52 Nonce n: a value that changes for each msg. E(k,m,n) / D(k,c,n) (k,n) pair never used more than once m,n E k E(k,m,n) = c D c,n k E(k,c,n) = m

53 Nonce-based encryption 53 Method 1: Nonce is a counter (e.g., packet counter) Used when encryptor keeps state from msg to msg If decryptor has same state, nonce need not be transmitted (i.e., len(PT) = len(CT)) Method 2: encryptor chooses a random nonce No state required but nonce has to be transmitted with CT

54 Cipher block chaining mode (CBC) 54 Let(E,D) be a PRP. E CBC (k,m): chose random IV ∊ X and do: ⊕⊕ c[0]c[1]c[2]c[3]IV ⊕⊕ E(k,∙) m[0]m[1]m[2]m[3]IV ciphertext Decryption: c[0] = E(k, IV ⊕ m[0]) ⟶ m[0] = D(k,c[0]) ⊕ IV

55 Attack on CBC with random IV 55 CBC where attacker can predict the IV is not CPA-secure Suppose given c ← E CBC (k,m) Adv. can predict IV for next msg. Bug in SSL/TLS 1.1: IV for record #i is last CT block of record #(i-1) Adv. A 0 ∊ X output 0 if c[1] = c 1 [1] c 1 ← [IV 1, E(k,0 ⊕ IV 1 )] m 0 = IV ⊕IV 1, m 0 ≠ m 1 ∊ M c ← [IV, E(k,IV 1 )] or c ← [IV, E(k,m 1 ⊕ IV)] (IV ⊕ IV 1 ) ⊕IV

56 Nonce-based CBC 56 CBC with unique nonce: key = (k, k 1 ) two independent keys unique nonce means: (key,n) pair is used for only one msg. ⊕⊕ c[0]c[1]c[2]c[3]nonce ⊕⊕ E(k,∙) E(k 1,∙) m[0]m[1]m[2]m[3]nonce ciphertext IV Included only if unknown to decryptor

57 CBC: padding 57 TLS: for n > 0 n byte pad is: If no pad needed, add a dummy block: ⊕⊕ c[0]c[1]c[2]c[3]nonce ⊕⊕ E(k,∙) E(k 1,∙) m[0]m[1]m[2]m[3] || padnonce IV nn…n removed during decryption 16 …

58 Cipher block chaining mode (CBC) 58 Example applications: 1.File system encryption: use the same AES key to encrypt all files (e.g., loopaes) 2.IPsec: use the same AES key to encrypt multiple packets Problem: If attacker can predict IV, CBC is not CPA-secure

59 Summary Block ciphers – Map fixed length input blocks to same length output blocks – Canonical block ciphers: 3DES, AES – PRPs are effectively block ciphers – PRPs can be created from arbitrary functions through Feistel networks 3DES based on Feistel networks AES based on substitution-permutation networks 59

60 Questions? 60

61 END

62 Linear and differential attacks [BS’89,M’93] Given many inp/out pairs, can recover key in time less than 2 56. Linear cryptanalysis (overview) : let c = DES(k, m) Suppose for random k,m : Pr [ m[i 1 ]⨁⋯⨁m[i r ] ⨁ c[j j ]⨁⋯⨁c[j v ] = k[l 1 ]⨁⋯⨁k[l u ] ] = ½ + ε For some ε. For DES, this exists with ε = 1/2 21 ≈ 0.0000000477 62

63 Linear attacks Pr [ m[i 1 ]⨁⋯⨁m[i r ] ⨁ c[j j ]⨁⋯⨁c[j v ] = k[l 1 ]⨁⋯⨁k[l u ] ] = ½ + ε Thm: given 1/ε 2 random (m, c=DES(k, m)) pairs then k[l 1,…,l u ] = MAJ [ m[i 1,…,i r ] ⨁ c[j j,…,j v ] ] with prob. ≥ 97.7% ⇒ with 1/ε 2 inp/out pairs can find k[l 1,…,l u ] in time ≈1/ε 2. 63

64 Linear attacks For DES, ε = 1/2 21 ⇒ with 2 42 inp/out pairs can find k[l 1,…,l u ] in time 2 42 Roughly speaking: can find 14 key “bits” this way in time 2 42 Brute force remaining 56−14=42 bits in time 2 42 Total attack time ≈2 43 ( << 2 56 ) with 2 42 random inp/out pairs 64

65 Lesson A tiny bit of linearity in S 5 lead to a 2 42 time attack. ⇒ don’t design ciphers yourself !! 65

66 Quantum attacks Generic search problem: Let f: X ⟶ {0,1} be a function. Goal: find x∈X s.t. f(x)=1. Classical computer: best generic algorithm time = O( |X| ) Quantum computer [Grover ’96] : time = O( |X| 1/2 ) Can quantum computers be built: unknown 66

67 Quantum exhaustive search Given m, c=E(k,m) define Grover ⇒ quantum computer can find k in time O( |K| 1/2 ) DES: time ≈2 28, AES-128: time ≈2 64 quantum computer ⇒ 256-bits key ciphers (e.g. AES-256) 1if E(k,m) = c 0 otherwise f(k) = 67

Download ppt "Cryptography: Block Ciphers David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class,"

Similar presentations

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh.

Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh.
Cryptography: Block Ciphers

Cryptography: Block Ciphers
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.

Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
CSE331: Introduction to Networks and Security Lecture 18 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 18 Fall 2002.
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.

Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.

1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.

Similar presentations

Ads by Google