Block Ciphers & DES


Chapter 3 – Block Ciphers and the Data Encryption Standard

• Simplified DES

• Block Ciphers (Feistel cipher)

• Data Encryption Standard (DES)

• Differential & Linear Cryptanalysis

• Block Ciphers Design Principles

Simplified DES

• Similar properties and structure to DES, with smaller parameters

• Educational scheme devised by Professor Edward Schaefer of Santa Clara University

• Encryption takes an 8-bit block of plaintext and a 10-bit key as input and produces an 8-bit block of ciphertext as output

• Decryption reverses the process with the same 10-bit key

Simplified DES

• Scheme

– Ciphertext = IP^-1(f_K2(SW(f_K1(IP(plaintext)))))

• K1 = P8(Shift(P10(key)))

• K2 = P8(Shift(Shift(P10(key))))

– Plaintext = IP^-1(f_K1(SW(f_K2(IP(ciphertext)))))

[Figures: S-DES scheme and key generation; not reproduced]

Simplified DES

• Key generation example

• P10(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = (k3 k5 k2 k7 k4 k10 k1 k9 k8 k6)

• P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = (k6 k3 k7 k4 k8 k5 k10 k9)

• K = (10100 00010)

– P10(10100 00010) = (10000 01100)

– LS-1(10000) = (00001)

– LS-1(01100) = (11000)

– K1 = P8(00001 11000) = (1010 0100)

• Similarly

– K2 = P8(LS-2(00001) LS-2(11000)) = P8(00100 00011) = (0100 0011)

[Figure: detailed S-DES encryption; not reproduced]

Simplified DES

• 5 functions involved

– IP, f_K1(L, R), SW, f_K2(L, R), IP^-1

– IP(i1 i2 i3 i4 i5 i6 i7 i8) = (i2 i6 i3 i1 i4 i8 i5 i7)

– IP^-1(i2 i6 i3 i1 i4 i8 i5 i7) = (i1 i2 i3 i4 i5 i6 i7 i8), i.e. IP^-1 = (4 1 3 5 7 2 8 6) as a position list

– SW: switch the left and right 4 bits

– f_K(L, R) = (L ⊕ F(R, SK), R)

• L: left 4 bits; R: right 4 bits; ⊕: XOR

• F: a mapping involving E/P, S0 box, S1 box, P4; SK: subkey

Simplified DES

• F function:

– E/P(n1 n2 n3 n4) = (n4 n1 n2 n3 n2 n3 n4 n1)

– Let 8-bit subkey K1 = (k11 k12 k13 k14 k15 k16 k17 k18)

– E/P ⊕ K1:

    n4⊕k11  n1⊕k12  n2⊕k13  n3⊕k14
    n2⊕k15  n3⊕k16  n4⊕k17  n1⊕k18

Simplified DES

• E/P ⊕ K1 (rename):

    p00  p01  p02  p03
    p10  p11  p12  p13

• S0 box:

    1 0 3 2
    3 2 1 0
    0 2 1 3
    3 1 3 2

• S1 box:

    0 1 2 3
    2 0 1 3
    3 0 1 0
    2 1 0 3

• The first 4 bits (1st row) are fed into the S0 box to produce a 2-bit output

• The last 4 bits (2nd row) are fed into the S1 box to produce another 2-bit output

– in each row the outer bits (p00, p03) select the S-box row and the inner bits (p01, p02) select the column; rows and columns are numbered from 0

• P4(n1 n2 n3 n4) = (n2 n4 n3 n1)

Simplified DES

• Encryption example

• 8-bit plaintext: (1011 1101)

• IP(1011 1101) = (0111 1110)

• E/P(n1 n2 n3 n4) = (n4 n1 n2 n3 n2 n3 n4 n1)

• E/P(1110) = (0111 1101)

• Let 8-bit subkey K1 = (1010 0100)

• E/P ⊕ K1:

    0111 1101   (E/P output)
  ⊕ 1010 0100   (K1)
  = 1101 1001

• E/P ⊕ K1 = (1101 1001)

• (p00, p03) = (11) → 3, (p01, p02) = (10) → 2

– From S0 box, row 3, column 2, gets 3 (11 in binary)

• (p10, p13) = (11) → 3, (p11, p12) = (00) → 0

– From S1 box, row 3, column 0, gets 2 (10 in binary)

• After S0, S1 boxes, we get (1110)

• P4(1110) = (1011) // end of F function

Simplified DES

• f_K1(L, R) = (L ⊕ F(R, SK), R)

– = ((0111) ⊕ (1011), 1110)

– = (1100 1110)

• SW(1100 1110) = (1110 1100)

• Starting the f_K2 function

• E/P(1100) = (0110 1001)

• K2 = (0100 0011)

• E/P ⊕ K2:

    0110 1001   (E/P output)
  ⊕ 0100 0011   (K2)
  = 0010 1010

• E/P ⊕ K2 = (0010 1010)

• (p00, p03) = (00) → 0, (p01, p02) = (01) → 1

– From S0 box, row 0, column 1, gets 0 (00 in binary)

• (p10, p13) = (10) → 2, (p11, p12) = (01) → 1

– From S1 box, row 2, column 1, gets 0 (00 in binary)

• After S0, S1 boxes, we get (0000)

• P4(0000) = (0000) // end of F function

• f_K2(L, R) = (L ⊕ F(R, SK), R)

– = ((1110) ⊕ (0000), 1100)

– = (1110 1100)

• IP^-1(1110 1100) = (0111 0101)

– Ciphertext of plaintext (1011 1101): (0111 0101)

– using keys: K1 = (1010 0100), K2 = (0100 0011)
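The whole S-DES computation above, collected into runnable code. This is an added example written for these notes, not code from the slides or from Schaefer. Table positions are 1-based as in the slide notation; the initial permutation used is (2 6 3 1 4 8 5 7), which is the table that yields the worked example's ciphertext. `recover_keys` goes beyond the slides: it brute-forces the 10-bit key space from one known plaintext/ciphertext pair.

```python
"""Simplified DES (S-DES) as specified on the slides (added example, not from the slides).

Bit positions in the tables are 1-based, as in the lecture notation.  IP is
(2 6 3 1 4 8 5 7), the table that reproduces the slides' worked example
(plaintext 1011 1101, key 10100 00010 -> ciphertext 0111 0101).
"""

P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def to_bits(value, width):
    """Integer -> list of bits, most significant first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def permute(bits, table):
    """Apply a 1-based position table (also used for the expansion E/P)."""
    return [bits[i - 1] for i in table]


def rotl(half, n):
    """Circular left shift LS-n of a 5-bit half."""
    return half[n:] + half[:n]


def subkeys(key10):
    """K1 = P8(LS-1(P10(key))), K2 = P8(LS-2(LS-1(P10(key)))), as 8-bit integers."""
    k = permute(to_bits(key10, 10), P10)
    l, r = rotl(k[:5], 1), rotl(k[5:], 1)
    k1 = permute(l + r, P8)
    l, r = rotl(l, 2), rotl(r, 2)
    k2 = permute(l + r, P8)
    return from_bits(k1), from_bits(k2)


def sbox(box, four):
    """Row from bits 1 and 4, column from bits 2 and 3; 2-bit output."""
    row = (four[0] << 1) | four[3]
    col = (four[1] << 1) | four[2]
    return to_bits(box[row][col], 2)


def F(right4, sk8):
    """F(R, SK) = P4(S0 | S1)(E/P(R) XOR SK)."""
    x = [a ^ b for a, b in zip(permute(right4, EP), to_bits(sk8, 8))]
    return permute(sbox(S0, x[:4]) + sbox(S1, x[4:]), P4)


def fk(bits8, sk8):
    """f_K(L, R) = (L XOR F(R, SK), R)."""
    left, right = bits8[:4], bits8[4:]
    return [a ^ b for a, b in zip(left, F(right, sk8))] + right


def sw(bits8):
    return bits8[4:] + bits8[:4]


def encrypt(plain8, key10):
    """IP^-1(f_K2(SW(f_K1(IP(plaintext)))))."""
    k1, k2 = subkeys(key10)
    x = permute(to_bits(plain8, 8), IP)
    return from_bits(permute(fk(sw(fk(x, k1)), k2), IP_INV))


def decrypt(cipher8, key10):
    """Same network with the subkeys in the other order: IP^-1(f_K1(SW(f_K2(IP(c)))))."""
    k1, k2 = subkeys(key10)
    x = permute(to_bits(cipher8, 8), IP)
    return from_bits(permute(fk(sw(fk(x, k2)), k1), IP_INV))


def recover_keys(plain8, cipher8):
    """Exhaustive search of the 2^10 keys: every key consistent with one known pair."""
    return [k for k in range(1 << 10) if encrypt(plain8, k) == cipher8]
```

`subkeys(0b1010000010)` gives `(0b10100100, 0b01000011)` and `encrypt(0b10111101, 0b1010000010)` gives `0b01110101`, matching the slides step by step. With an 8-bit block a single known pair leaves about 1024/256 candidate keys on average, so `recover_keys` normally returns a handful, and a second pair separates them; the point of the exercise is that a 10-bit key space is searched instantly, which is the same argument made later about DES's 56-bit key.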

Block Ciphers

• block ciphers process messages in blocks, each of which is then en/decrypted

• like a substitution on very big characters

– 64-bits or more

• stream ciphers process messages a bit or byte at a time when en/decrypting

• many current ciphers are block ciphers

• hence are focus of course

Block Cipher Principles

• most symmetric block ciphers are based on a Feistel Cipher Structure

• needed since must be able to decrypt ciphertext to recover messages efficiently

• block ciphers look like an extremely large substitution

• would need table of 2^64 entries for a 64-bit block

• instead create from smaller building blocks

• using idea of a product cipher

Claude Shannon and Substitution-Permutation Ciphers

• in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks

– modern substitution-transposition product cipher

• these form the basis of modern block ciphers

• S-P networks are based on the two primitive cryptographic operations we have seen before:

– substitution (S-box)

– permutation (P-box)


Confusion and Diffusion

• cipher needs to completely obscure statistical properties of original message

• a one-time pad does this

• more practically Shannon suggested combining elements to obtain:

• diffusion – dissipates statistical structure of plaintext over bulk of ciphertext

• confusion – makes relationship between ciphertext and key as complex as possible

Feistel Cipher Structure

• Horst Feistel devised the Feistel cipher

– based on concept of invertible product cipher

• partitions input block into two halves

– process through multiple rounds which

– perform a substitution on left data half

– based on round function of right half & subkey

– then have permutation swapping halves

• implements Shannon’s substitution-permutation network concept

[Figure: Feistel cipher structure, showing the substitution and permutation steps; not reproduced]


Feistel Cipher Design Principles

• block size

– increasing size improves security, but slows cipher

• key size

– increasing size improves security, makes exhaustive key searching harder, but may slow cipher

• number of rounds

– increasing number improves security, but slows cipher

• subkey generation

– greater complexity can make analysis harder, but slows cipher

• round function

– greater complexity can make analysis harder, but slows cipher

• fast software en/decryption & ease of analysis


Data Encryption Standard (DES)

• most widely used block cipher in the world at the time (since superseded by AES)

• adopted in 1977 by NBS (now NIST)

– as FIPS PUB 46

• encrypts 64-bit data using 56-bit key

• has widespread use

• has been considerable controversy over its security

DES History

• IBM developed Lucifer cipher

– by team led by Feistel

– used 64-bit data blocks with 128-bit key

• then redeveloped as a commercial cipher with input from NSA and others

• in 1973 NBS issued request for proposals for a national cipher standard

• IBM submitted their revised Lucifer which was eventually accepted as the DES


DES Design Controversy

• although DES standard is public

• was considerable controversy over design

– in choice of 56-bit key (vs Lucifer 128-bit)

– and because design criteria were classified

• subsequent events and public analysis show in fact design was appropriate

• DES has become widely used, esp in financial applications


Initial Permutation IP

• first step of the data computation

• IP reorders the input data bits

• even bits to LH half, odd bits to RH half

• quite regular in structure (easy in h/w)

• see text Table 3.2

• example:

– 64 bits, 4 bits for each symbol


DES Round Structure

• uses two 32-bit L & R halves

• as for any Feistel cipher can describe as:

L_i = R_{i-1}

R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)

• takes 32-bit R half and 48-bit subkey and:

– expands R to 48-bits using perm E

– adds to subkey (XOR)

– 48 bits partitioned into 8 6-bit inputs to the 8 S-boxes

– passes through 8 S-boxes to get 32-bit result

– finally permutes this using 32-bit perm P


DES S Boxes

• each S-box maps a 6-bit input to a 4-bit output through a table of 4 rows × 16 columns

• 6-bit input to S1 box: 0 1100 1

– outer bits 01 → 1, select row 1; inner bits 1100 → 12, select column 12


DES Key Schedule

• forms subkeys used in each round

• consists of:

– initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves

• Table 3.4 (a), (b)

– 16 stages consisting of:

• selecting 28-bits from each half, Ci, Di

• rotating each half separately either 1 or 2 places depending on the key rotation schedule K

• permuting and contracting the 56 bits to a 48-bit subkey with PC2 for use in the round function F


DES Decryption

• decrypt must unwind steps of data computation

• with Feistel design, do encryption steps again

• using subkeys in reverse order (SK16 … SK1)

• note that IP undoes final FP step of encryption

• 1st round with SK16 undoes 16th encrypt round

• ….

• 16th round with SK1 undoes 1st encrypt round

• then final FP undoes initial encryption IP

Avalanche Effect

• key desirable property of encryption algorithm

• where a change of one input or key bit results in changing approx half output bits

• making attempts to “home-in” by guessing keys impossible, since a partially correct key gives no partially correct output
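An added example (not from the slides) of the generic Feistel structure from the Feistel Cipher Structure slide, the reversed-subkey decryption described under DES Decryption, and a measurement of the avalanche effect. The block size (64 bits), round count (16), round function and key schedule (the last two built from SHA-256 as stand-ins for DES's E/S-box/P network and PC1/PC2 schedule) are this example's assumptions, not DES.

```python
"""Generic Feistel network (added example, not from the slides).

Shows (1) the round equations L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i);
(2) that decryption is the same computation with the subkeys reversed even
though F itself is not invertible; (3) the avalanche effect after 16 rounds.
Assumptions: 64-bit block, 16 rounds, SHA-256-based F and key schedule.
"""
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def round_function(right, subkey):
    """F(R, K): keyed, non-invertible 32-bit -> 32-bit map (assumption: truncated SHA-256)."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def key_schedule(key, rounds=ROUNDS):
    """One 8-byte subkey per round (assumed schedule; DES uses PC1, rotations and PC2)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def feistel(block, subkeys):
    """Run the network over a 64-bit block with the subkeys in the given order."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    # Undo the final swap so the same routine, fed the reversed subkeys, inverts itself
    return (right << 32) | left


def encrypt(block, key):
    return feistel(block, key_schedule(key))


def decrypt(block, key):
    return feistel(block, key_schedule(key)[::-1])   # SK_16 ... SK_1


def avalanche(block, key, bit):
    """Ciphertext bits that change when plaintext bit `bit` is flipped."""
    return bin(encrypt(block, key) ^ encrypt(block ^ (1 << bit), key)).count("1")
```

Because the last swap is undone, `decrypt` is literally `encrypt` with the subkey list reversed: the first decryption round with SK_16 cancels the last encryption round, and so on down to SK_1. `avalanche` on a 64-bit block should come out near 32 for any input bit once all 16 rounds have run; after only one or two rounds it stays in single digits, which is why round count is a design parameter.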


Strength of DES – Key Size

• 56-bit keys have 2^56 = 7.2 × 10^16 values

• brute force search looks hard

• recent advances have shown is possible

– in 1997 on Internet in a few months

– in 1998 on dedicated h/w (EFF) in a few days

– in 1999 above combined in 22hrs!

• still must be able to recognize plaintext

• now considering alternatives to DES


Strength of DES – Analytic Attacks

• now have several analytic attacks on DES

• these utilise some deep structure of the cipher

– by gathering information about encryptions

– can eventually recover some/all of the sub-key bits

– if necessary then exhaustively search for the rest

• generally these are statistical attacks

• include

– differential cryptanalysis: 2^47 chosen plaintexts

– linear cryptanalysis: 2^47 known plaintexts


Differential Cryptanalysis

• one of the most significant recent (public) advances in cryptanalysis

• known by NSA in 70's cf DES design

• Murphy, Biham & Shamir published 1990

• powerful method to analyse block ciphers

• used to analyse most current block ciphers with varying degrees of success


Differential Cryptanalysis

• a statistical attack against Feistel ciphers

• uses cipher structure not previously used

• design of S-P networks has output of function f influenced by both input & key

• hence cannot trace values back through cipher without knowing values of the key

• Differential Cryptanalysis compares two encryptions

Differential Cryptanalysis Compares Pairs of Encryptions

• with a known difference in the input

• searching for a known difference in output

• when same subkeys are used


Differential Cryptanalysis

• have some input difference giving some output difference with probability p

• if find instances of some higher probability input / output difference pairs occurring

• can infer subkey that was used in round

• then must iterate process over many rounds (with decreasing probabilities)


Differential Cryptanalysis

• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR

• when found

– if intermediate rounds match required XOR have a right pair

– if not then have a wrong pair, relative ratio is S/N for attack

• can then deduce keys values for the rounds

– right pairs suggest same key bits

– wrong pairs give random values

• for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs

• Biham and Shamir have shown how a 13-round iterated


Linear Cryptanalysis

• another recent development

• also a statistical method

• must be iterated over rounds, with decreasing probabilities

• developed by Matsui et al in early 90's

• based on finding linear approximations

• can attack DES with 2^47 known plaintexts,


Linear Cryptanalysis

• find linear approximations with prob p != ½

P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]

where ia,jb,kc are bit locations in P,C,K

• gives linear equation for key bits

• get one key bit using max likelihood alg

• using a large number of trial encryptions

• effectiveness given by: |p–½|
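An added example (not from the slides) that computes, for the S-DES S0 box given earlier, the two tables on which the differential and linear attacks just described rest: the difference distribution table (how often an input XOR dx produces an output XOR dy) and the linear approximation table (the bias p − ½ of each relation a·x ⊕ b·S(x) = 0, with a and b bit masks). The function names are this example's own; the S-box indexing follows the slides' convention.

```python
"""Difference distribution and linear approximation tables for the S-DES S0 box.

Added example (not from the slides).  Input x is 4 bits b1 b2 b3 b4 (b1 = MSB):
row = b1 b4, column = b2 b3, as in the slides' S-box convention; output is 2 bits.
"""

S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))   # from the slides
N_IN, N_OUT = 4, 2


def sbox_lookup(box, x):
    b1, b2, b3, b4 = (x >> 3) & 1, (x >> 2) & 1, (x >> 1) & 1, x & 1
    return box[(b1 << 1) | b4][(b2 << 1) | b3]


def parity(v):
    return bin(v).count("1") & 1


def difference_distribution_table(box):
    """ddt[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy (out of 16)."""
    ddt = [[0] * (1 << N_OUT) for _ in range(1 << N_IN)]
    for dx in range(1 << N_IN):
        for x in range(1 << N_IN):
            ddt[dx][sbox_lookup(box, x) ^ sbox_lookup(box, x ^ dx)] += 1
    return ddt


def linear_approximation_table(box):
    """lat[a][b] = #{x : a.x == b.S(x)} - 8, i.e. 16*(p - 1/2) for a.x XOR b.S(x) = 0."""
    lat = [[0] * (1 << N_OUT) for _ in range(1 << N_IN)]
    for a in range(1 << N_IN):
        for b in range(1 << N_OUT):
            agree = sum(parity(a & x) == parity(b & sbox_lookup(box, x))
                        for x in range(1 << N_IN))
            lat[a][b] = agree - (1 << (N_IN - 1))
    return lat


def best_differential(ddt):
    """Most probable non-trivial differential as (count, dx, dy); probability is count/16."""
    return max((ddt[dx][dy], dx, dy)
               for dx in range(1, len(ddt)) for dy in range(len(ddt[0])))


def best_linear(lat):
    """Relation with the largest bias as (|16*(p - 1/2)|, a, b), a and b both non-zero."""
    return max((abs(lat[a][b]), a, b)
               for a in range(1, len(lat)) for b in range(1, len(lat[0])))
```

For S0 the strongest differential is dx = 0110 → dy = 11, holding for 12 of the 16 inputs (p = 3/4), and the strongest linear relation is a = 1111, b = 11 with lat = −6: x1⊕x2⊕x3⊕x4⊕y1⊕y2 = 0 holds for only 2/16 inputs, so its complement holds for 14/16 and |p − ½| = 6/16. A sign in the LAT therefore tells you which constant to put on the right-hand side. Chaining such single-round relations through the cipher, with the probabilities multiplying, is the "iterate over rounds with decreasing probabilities" step in both attacks; an S-box designed against these attacks keeps every non-trivial DDT entry and every LAT entry small.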


Block Cipher Design Principles

• basic principles still like Feistel in 1970’s

• number of rounds

– more is better, until exhaustive key search becomes the best attack

• function f:

– provides “confusion”, is nonlinear, avalanche

• key schedule


Modes of Operation

• block ciphers encrypt fixed size blocks

• eg. DES encrypts 64-bit blocks, with 56-bit key

• need way to use in practice, given usually have arbitrary amount of information to encrypt

• four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use

• subsequently now have 5 for DES and AES

• have block and stream modes


Electronic Codebook (ECB)

• message is broken into independent blocks which are encrypted

• each block is a value which is substituted, like a codebook, hence name

• each block is encoded independently of the other blocks

C_i = DES_K1(P_i)

• uses: secure transmission of single values


Advantages and Limitations of ECB

• repetitions in message may show in ciphertext

– if aligned with message block

– particularly with data such as graphics

– or with messages that change very little, which become a code-book analysis problem

• weakness due to encrypted message blocks being independent


Cipher Block Chaining (CBC)

• message is broken into blocks

• but these are linked together in the encryption operation

• each previous cipher block is chained with current plaintext block, hence name

• use Initial Vector (IV) to start process

C_i = DES_K1(P_i ⊕ C_{i-1})

C_{-1} = IV


Advantages and Limitations of CBC

• each ciphertext block depends on all message blocks

• thus a change in the message affects all ciphertext blocks after the change as well as the original block

• need Initial Value (IV) known to sender & receiver

– however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate

– hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message

– note that a fixed IV makes messages with the same first block produce the same first ciphertext block, and that neither option gives integrity: in current practice the IV is unpredictable and a MAC is computed over IV and ciphertext

• at end of message, handle possible last short block

– by padding either with known non-data value (eg nulls)

– or pad last block with count of pad size


Cipher FeedBack (CFB)

• message is treated as a stream of bits

• added to the output of the block cipher

• result is fed back for next stage (hence name)

• standard allows any number of bits (1, 8 or 64 or whatever) to be fed back

– denoted CFB-1, CFB-8, CFB-64 etc

• is most efficient to use all 64 bits (CFB-64)

C_i = P_i ⊕ DES_K1(C_{i-1})

C_{-1} = IV


Advantages and Limitations of CFB

• appropriate when data arrives in bits/bytes

• most common stream mode

• limitation is need to stall while do block encryption after every n-bits

• note that the block cipher is used in encryption mode at both ends

• errors propagate for several blocks after the error


Output FeedBack (OFB)

• message is treated as a stream of bits

• output of cipher is added to message

• output is then fed back (hence name)

• feedback is independent of message

• can be computed in advance

C_i = P_i ⊕ O_i

O_i = DES_K1(O_{i-1})

O_{-1} = IV


Advantages and Limitations of OFB

• used when error feedback is a problem or where encryptions must be done before the message is available

• superficially similar to CFB

• but feedback is from the output of the cipher and is independent of the message

• a variation of a Vernam cipher

– hence must never reuse the same sequence (key+IV)

• sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs

• originally specified with m-bit feedback in the standards

• subsequent research has shown that only OFB-64 should


Counter (CTR)

• a “new” mode, though proposed early on

• similar to OFB but encrypts counter value rather than any feedback value

• must have a different key & counter value for every plaintext block (never reused)

C_i = P_i ⊕ O_i

O_i = DES_K1(i)


Advantages and Limitations of CTR

• efficiency

– can do parallel encryptions

– in advance of need

– good for bursty high speed links

• random access to encrypted data blocks

• provable security (as good as other modes)

• but must ensure never reuse key/counter
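The five modes from the slides implemented over a toy 8-bit block cipher, as an added example (not from the slides). The block cipher, a key-derived random permutation of the 256 byte values, is a stand-in for DES chosen so that one block is one byte and the mode equations read exactly as on the slides; the key, IV and sample messages are constructed. `demo` checks the properties the ECB, CBC and CTR slides list: ECB repetition leakage, CBC error propagation, CTR malleability and keystream reuse.

```python
"""Modes of operation on a toy 8-bit block cipher (added example, not from the slides).

The block cipher is a stand-in for DES: a key-derived random permutation of the
256 byte values, so one block is one byte (an assumption so the modes fit in a
few lines; the mode logic does not depend on block size).
"""
import random


def make_block_cipher(key):
    """Return (encrypt_block, decrypt_block) for the toy cipher (not a real cipher)."""
    perm = list(range(256))
    random.Random(key).shuffle(perm)      # key-derived permutation of the block space
    inv = [0] * 256
    for x, y in enumerate(perm):
        inv[y] = x
    return (lambda x: perm[x]), (lambda y: inv[y])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(enc, data):
    # C_i = E_K(P_i): equal plaintext blocks give equal ciphertext blocks
    return bytes(enc(p) for p in data)


def ecb_decrypt(dec, data):
    return bytes(dec(c) for c in data)


def cbc_encrypt(enc, iv, data):
    # C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV
    out, prev = bytearray(), iv
    for p in data:
        prev = enc(p ^ prev)
        out.append(prev)
    return bytes(out)


def cbc_decrypt(dec, iv, data):
    # P_i = D_K(C_i) XOR C_{i-1}: a damaged C_i garbles P_i and flips the same bits of P_{i+1}
    out, prev = bytearray(), iv
    for c in data:
        out.append(dec(c) ^ prev)
        prev = c
    return bytes(out)


def cfb_encrypt(enc, iv, data):
    # C_i = P_i XOR E_K(C_{i-1}): only the encrypt direction of the block cipher is used
    out, prev = bytearray(), iv
    for p in data:
        prev = p ^ enc(prev)
        out.append(prev)
    return bytes(out)


def cfb_decrypt(enc, iv, data):
    out, prev = bytearray(), iv
    for c in data:
        out.append(c ^ enc(prev))
        prev = c
    return bytes(out)


def ofb_crypt(enc, iv, data):
    # O_i = E_K(O_{i-1}), C_i = P_i XOR O_i: keystream is message-independent, so one
    # routine both encrypts and decrypts and the keystream can be precomputed
    out, o = bytearray(), iv
    for b in data:
        o = enc(o)
        out.append(b ^ o)
    return bytes(out)


def ctr_crypt(enc, counter0, data):
    # O_i = E_K(counter0 + i), C_i = P_i XOR O_i: blocks are independent, so this
    # parallelises and allows random access.  With an 8-bit block the counter wraps
    # after 256 blocks and keystream would repeat (the toy block size, not the mode).
    if len(data) > 256:
        raise ValueError("counter would wrap and reuse keystream")
    return bytes(b ^ enc((counter0 + i) & 0xFF) for i, b in enumerate(data))


def demo(key=0x1A2B):
    """Exercise the properties the slides list; every value returned should be True."""
    enc, dec = make_block_cipher(key)            # assumed key value
    msg, iv = b"AAAAAAAA" + b"BBBB", 0x5C         # constructed sample plaintext and IV
    ecb, cbc = ecb_encrypt(enc, msg), cbc_encrypt(enc, iv, msg)
    ecb_leaks = len(set(ecb[:8])) == 1           # eight equal blocks -> eight equal bytes
    cbc_hides = cbc[:8] != ecb[:8]               # non-zero IV already differs in block 0
    damaged = bytearray(cbc)                     # CBC error propagation: damage C_2 ->
    damaged[2] ^= 0x01                           # P_2 garbled, P_3 gets exactly that bit
    p = cbc_decrypt(dec, iv, bytes(damaged))
    cbc_error = p[2] != msg[2] and p[3] == msg[3] ^ 0x01 and p[:2] + p[4:] == msg[:2] + msg[4:]
    ct = bytearray(ctr_crypt(enc, 0x10, msg))    # CTR is malleable: one ciphertext bit
    ct[0] ^= 0x80                                # flips exactly one plaintext bit
    ctr_malleable = ctr_crypt(enc, 0x10, bytes(ct)) == bytes([msg[0] ^ 0x80]) + msg[1:]
    msg2 = b"xxxxxxxxyyyy"                       # reusing key+counter leaks P1 XOR P2
    reuse_leaks = xor_bytes(ctr_crypt(enc, 0x10, msg), ctr_crypt(enc, 0x10, msg2)) == xor_bytes(msg, msg2)
    return {"ecb_leaks": ecb_leaks, "cbc_hides": cbc_hides, "cbc_error_propagation": cbc_error,
            "ctr_malleable": ctr_malleable, "keystream_reuse_leaks": reuse_leaks}
```

The CBC damage check is the concrete form of "errors propagate": decrypting a damaged C_i garbles P_i (the block cipher is a permutation, so a different input never decrypts to the same value) and flips the identical bits of P_{i+1}, after which the chain resynchronises. The CTR and OFB checks are the concrete form of "never reuse key/counter" and of why a stream mode needs a MAC: flipping a ciphertext bit flips the corresponding plaintext bit with no other trace.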


Summary

• have considered:

• block cipher design principles

• DES

– details

– strength

• Differential & Linear Cryptanalysis

• Modes of Operation
