Contemporary Symmetric Ciphers

Academic year: 2021


Chapter 6 – Contemporary Symmetric Ciphers

• Triple DES
• Blowfish
• RC5
• Characteristics of advanced symmetric block ciphers

Symmetric Ciphers

Cipher     Year   Text size    Key size
Feistel    1973   64-bit       128-bit
DES        1977   64           56
S-DES      1996   8            10
3DES       1999   64           168, 2 or 3 keys
Blowfish   1993   64           32-448, variable
RC5        1994   32/64/128    0-2040 bits

Triple DES 1

• clearly a replacement for DES was needed
  – theoretical attacks that can break it
    • Differential: O(2^47) chosen plaintexts
    • Linear: O(2^47) known plaintexts
  – demonstrated exhaustive key search attacks
    • Brute force: O(2^55)

Triple DES 2

• Alternatives:
  – new algorithms, e.g. AES
  – use multiple encryption with current ciphers, e.g. 3DES

Triple DES 3 (figure)

Why Triple-DES?

• why not Double-DES?
  – NOT the same as some other single-DES use:
  – there is no key K3 with E_K2[E_K1[P]] = E_K3[P], proved in 1992
• but there is a meet-in-the-middle attack [1977]
  – works against any block encryption cipher
  – since X = E_K1[P] = D_K2[C]
  – attack by encrypting P under all keys and storing the results
  – then decrypt C under all keys and match the X values
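
The meet-in-the-middle idea above, worked through as an added example (not code from the slides) on a constructed 16-bit toy block cipher with 12-bit keys; the toy cipher, its round-key schedule and the function names are hypothetical stand-ins for DES, chosen only so that the 2^12-entry table fits in memory. It shows why double encryption buys almost nothing: both keys fall to about 2 × 2^12 cipher calls instead of the 2^24 a naive search would need.

```python
# Toy block cipher standing in for DES: 16-bit block, 12-bit key, 4 rounds of
# XOR with a round key, multiply by an odd constant, rotate. Constructed for
# this demonstration only; it has no cryptographic strength.
BITS, KEY_BITS, ROUNDS = 16, 12, 4
MASK = (1 << BITS) - 1
MUL = 0x6B8D                        # odd, hence invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << BITS)   # modular inverse (Python 3.8+)

def round_key(k, r):                # hypothetical toy key schedule
    return (k + r * 0x3A1) & MASK

def toy_encrypt(k, p):
    x = p
    for r in range(ROUNDS):
        x ^= round_key(k, r)
        x = (x * MUL) & MASK
        x = ((x << 5) | (x >> (BITS - 5))) & MASK
    return x

def toy_decrypt(k, c):              # exact inverse of toy_encrypt
    x = c
    for r in reversed(range(ROUNDS)):
        x = ((x >> 5) | (x << (BITS - 5))) & MASK
        x = (x * MUL_INV) & MASK
        x ^= round_key(k, r)
    return x

def double_encrypt(k1, k2, p):      # C = E_K2[E_K1[P]]
    return toy_encrypt(k2, toy_encrypt(k1, p))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (P, C) pairs using X = E_K1[P] = D_K2[C]:
    encrypt P under every K1 and store X -> K1, then decrypt C under every K2
    and look the result up; candidates are confirmed on the remaining pairs."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    known = [(p, double_encrypt(0xABC, 0x123, p)) for p in (0x0001, 0x1234, 0xBEEF)]
    print(meet_in_the_middle(known))   # about 2 * 2^12 cipher calls, not 2^24
```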

Triple-DES with Two Keys 1

• hence must use 3 encryptions
  – would seem to need 3 distinct keys
• but can use 2 keys with an E-D-E sequence
  – C = E_K1[D_K2[E_K1[P]]]
  – using decryption for the middle stage adds no security (encrypt and decrypt are equivalent in security)
  – but if K1 = K2 it reduces to single DES, so it can still work with single-DES users

Triple-DES with Two Keys 2

• no currently known practical attacks
• [Coppersmith 94]
  – brute-force key search: 2^112 ≈ 5 × 10^33
  – estimated differential cryptanalysis cost exceeds 10^52
• [Merkle and Hellman 81]
  – 2^56 work, with 2^56 chosen plaintext-ciphertext pairs
• [van Oorschot, Wiener 94]
  – (2^56) × 2^64 / n = 2^(120 - log2 n), for n known plaintext-ciphertext pairs

Triple-DES with Three Keys

• although there are no practical attacks on two-key Triple-DES, there are some indications of weakness
• can use Triple-DES with three keys to avoid even these
  – C = E_K3[D_K2[E_K1[P]]]
• has been adopted by some Internet applications, e.g. PGP, S/MIME

Blowfish 1

• a symmetric block cipher designed by Bruce Schneier in 1993/94
• characteristics
  – fast implementation on 32-bit CPUs
  – compact in use of memory, < 5K memory
  – simple structure eases analysis/implementation
  – variable security by varying key size

Blowfish 2

• Single Blowfish round (figure)

Blowfish Encryption

• uses two primitives: addition (modulo 2^32) & XOR
• data is divided into two 32-bit halves L0 & R0

  for i = 1 to 16 do
      Ri = Li-1 XOR Pi
      Li = F[Ri] XOR Ri-1
  L17 = R16 XOR P18
  R17 = L16 XOR P17

• where F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d
  (a, b, c, d are the four bytes of the 32-bit input to F)

Blowfish subkey & S-box 1

• uses a 32 to 448 bit key (1 to 14 32-bit words)
• used to generate
  – 18 32-bit subkeys, stored in the P-array (the key words themselves are held in the K-array Kj)
  – four 8x32 S-boxes, stored in Si,j
• key schedule consists of:
  – initialize the P-array and then the 4 S-boxes using pi
  – XOR the P-array with the key bits (reusing the key as needed)
  – loop repeatedly encrypting data using the current P & S, replacing successive pairs of P and then S values

Blowfish subkey & S-box 2

• the key words are stored in a K-array
  – K1, K2, …, Kj, 1 ≤ j ≤ 14
• the subkeys are stored in a P-array
  – P1, P2, …, P18
• the four S-boxes, each with 256 32-bit entries
  – S1,0, S1,1, …, S1,255
  – S2,0, S2,1, …, S2,255
  – S3,0, S3,1, …, S3,255
  – S4,0, S4,1, …, S4,255

Blowfish subkey & S-box 3

• the steps in generating the P-array and S-boxes are:
• initialize first the P-array and then the four S-boxes using the bits of the fractional part of the constant pi
  – P1 = 243F6A88
  – P2 = 85A308D3
  – …
  – S4,255 = 3AC372E6
• perform a bitwise XOR of the P-array & K-array

Blowfish subkey & S-box 4

• update the P-array and S-boxes
  – P1, P2 = E_P,S[0]   (encrypt the all-zero block with the current P & S)
  – P3, P4 = E_P,S[P1 || P2]
  – …
  – P17, P18 = E_P,S[P15 || P16]
  – S1,0, S1,1 = E_P,S[P17 || P18]
  – …
  – S4,254, S4,255 = E_P,S[S4,252 || S4,253]
• a total of 521 executions of Blowfish encryption are required
  – not suitable for frequently changing keys
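
The round function, the 16-round encryption from the Blowfish Encryption slide and the 521-encryption key schedule from the last three slides, as an added example (not code from the slides or from Schneier). Blowfish initialises P and the S-boxes from the hex digits of pi; that 1042-word table is not on the page, so here the initial words are filled by a small constructed generator, labelled as such in the code. The structure and the key schedule are the real ones, the starting constants are not, so this is a structural model and not interoperable Blowfish; all function names are my own.

```python
MASK = 0xFFFFFFFF

def initial_tables():
    """Stand-in for the pi-derived constants: 18 P words + 4*256 S words.
    CONSTRUCTED filler from a linear congruential generator, NOT the real
    Blowfish constants (which begin P1 = 0x243F6A88)."""
    x, words = 0x243F6A88, []
    for _ in range(18 + 4 * 256):
        x = (x * 1664525 + 1013904223) & MASK
        words.append(x)
    return words[:18], [words[18 + k * 256: 18 + (k + 1) * 256] for k in range(4)]

def F(S, x):
    # F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d with additions mod 2^32
    a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK) ^ S[2][c]) + S[3][d]) & MASK

def encrypt_block(P, S, L, R):
    # Slide notation: Ri = Li-1 XOR Pi ; Li = F[Ri] XOR Ri-1 for i = 1..16,
    # then L17 = R16 XOR P18 ; R17 = L16 XOR P17 (P is 0-indexed here).
    for i in range(16):
        L, R = F(S, L ^ P[i]) ^ R, L ^ P[i]
    return R ^ P[17], L ^ P[16]

def decrypt_block(P, S, L, R):
    # Decryption is the same algorithm with the P-array in reverse order.
    return encrypt_block(P[::-1], S, L, R)

def key_schedule(key):
    """XOR P with the key bits (cycling the key), then repeatedly encrypt,
    replacing P and the S-boxes in pairs: 9 + 4*128 = 521 encryptions."""
    P, S = initial_tables()
    P = [p ^ int.from_bytes(bytes(key[(4 * i + k) % len(key)] for k in range(4)), "big")
         for i, p in enumerate(P)]
    L = R = encryptions = 0
    for i in range(0, 18, 2):
        L, R = encrypt_block(P, S, L, R)
        P[i], P[i + 1], encryptions = L, R, encryptions + 1
    for box in S:
        for i in range(0, 256, 2):
            L, R = encrypt_block(P, S, L, R)
            box[i], box[i + 1], encryptions = L, R, encryptions + 1
    return P, S, encryptions

if __name__ == "__main__":
    P, S, n = key_schedule(b"constructed demo key")
    ct = encrypt_block(P, S, 0x01234567, 0x89ABCDEF)
    print(n, decrypt_block(P, S, *ct) == (0x01234567, 0x89ABCDEF))
```

The encryption count returned by key_schedule is the 521 quoted on the slide, which is why the cipher is a poor fit for frequently changing keys.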

Blowfish Discussion 1

• analysis is very difficult
  – S-boxes depend on the key
  – subkeys and S-boxes are generated using the cipher itself
• changing both halves in each round increases security
• provided the key is large enough, brute-force key search is not practical, especially given the high key schedule cost

Blowfish Discussion 2

• fast to execute

RC5

• a proprietary cipher owned by RSA Data Security Inc. (RSADSI)
• designed by Ronald Rivest (of RSA fame)
• used in various RSADSI products
• can vary key size / data size / number of rounds
• very clean and simple design
• easy implementation on various CPUs
• yet still regarded as secure

RC5 Ciphers

• RC5 is a family of ciphers RC5-w/r/b
  – w = word size in bits (16/32/64), data block = 2w bits
  – r = number of rounds (0..255)
  – b = number of bytes in the key (0..255)
• nominal version is RC5-32/12/16
  – i.e. 32-bit words, so encrypts 64-bit data blocks
  – using 12 rounds
  – with a 16-byte (128-bit) key

RC5 Key Expansion

• RC5 uses t = 2r+2 subkey words (each w bits), e.g. r = 12 gives t = 26
• subkeys are stored in array S[i], i = 0..t-1
• the key schedule then consists of
  – initializing S to a fixed pseudorandom value, based on the constants e and phi
  – the byte key (array K, e.g. b = 16) is copied (as on a little-endian machine) into a c-word array L (e.g. c = 4)
  – a mixing operation then combines L and S to form the

RC5 Key Expansion 2 (figure)

RC5 Encryption 2

• split the input into two halves A & B

  L0 = A + S[0]
  R0 = B + S[1]
  for i = 1 to r do
      Li = ((Li-1 XOR Ri-1) <<< Ri-1) + S[2i]
      Ri = ((Ri-1 XOR Li) <<< Li) + S[2i+1]

• 3 primitive operations
  – addition (subtraction) modulo 2^w
  – bitwise XOR
  – left circular rotation (<<<)

RC5 Encryption 3

• not a Feistel structure, but each round is like 2 DES rounds
• note that rotation is the main source of non-linearity (<<<, >>>)
• need a reasonable number of rounds (e.g. 12-16)
• decryption is easily derived from encryption
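
RC5-32/12/16 as described on the key expansion and encryption slides, with the decryption derived from the encryption loop, as an added example (not the slides' or RSADSI's code). The magic constants P_w and Q_w are the standard RC5 values derived from e and phi for w = 32 (the slides mention the constants but not their values); the key used in the demo is a constructed one and the function names are my own.

```python
W, R, B = 32, 12, 16                  # RC5-32/12/16: word bits, rounds, key bytes
MASK = (1 << W) - 1
P_W, Q_W = 0xB7E15163, 0x9E3779B9     # Odd((e-2)*2^w) and Odd((phi-1)*2^w), w=32

def rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK

def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK

def expand_key(key):
    """Key expansion: S[0..t-1], t = 2r+2, seeded from P_w and Q_w; the key
    bytes are copied little-endian into c words L; then 3*max(t, c) mixing steps."""
    u, t = W // 8, 2 * R + 2
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in reversed(range(len(key))):
        L[i // u] = ((L[i // u] << 8) | key[i]) & MASK
    S = [(P_W + i * Q_W) & MASK for i in range(t)]
    i = j = A = Bv = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + Bv) & MASK, 3)
        Bv = L[j] = rotl((L[j] + A + Bv) & MASK, A + Bv)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def encrypt(S, A, Bv):
    # L0 = A + S[0]; R0 = B + S[1]; then for i = 1..r:
    # Li = ((Li-1 XOR Ri-1) <<< Ri-1) + S[2i]; Ri = ((Ri-1 XOR Li) <<< Li) + S[2i+1]
    A, Bv = (A + S[0]) & MASK, (Bv + S[1]) & MASK
    for i in range(1, R + 1):
        A = (rotl(A ^ Bv, Bv) + S[2 * i]) & MASK
        Bv = (rotl(Bv ^ A, A) + S[2 * i + 1]) & MASK
    return A, Bv

def decrypt(S, A, Bv):
    # Undo each step in reverse order: subtract the subkey, rotate right, XOR.
    for i in range(R, 0, -1):
        Bv = rotr((Bv - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, Bv) ^ Bv
    return (A - S[0]) & MASK, (Bv - S[1]) & MASK

if __name__ == "__main__":
    S = expand_key(bytes(range(16)))          # constructed 16-byte demo key
    ct = encrypt(S, 0x01234567, 0x89ABCDEF)
    print(len(S), decrypt(S, *ct) == (0x01234567, 0x89ABCDEF))
```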

RC5 Modes

• RFC 2040 defines 4 modes used by RC5
  – RC5 Block Cipher: ECB mode
  – RC5-CBC: CBC mode
  – RC5-CBC-PAD: CBC with padding, each padding byte holding the number of padding bytes
  – RC5-CTS: a variant of CBC whose output is the same size as the original message, using ciphertext stealing to keep the size unchanged

Block Cipher Characteristics

• features seen in modern block ciphers are:
  – variable key length / block size / number of rounds
  – mixed operators, data/key dependent rotation
  – key dependent S-boxes
  – more complex key scheduling
  – operation on the full data block in each round

Stream Ciphers 1

• process the message bit by bit (as a stream)
• typically have a (pseudo) random key stream
• combined (XOR) with the plaintext bit by bit
• randomness of the key stream completely destroys any statistical properties in the message
  – Ci = Mi XOR KeyStreami
• what could be simpler!
• but must never reuse the key stream

Stream Ciphers 2 (figure)

Stream Ciphers 3

• speed comparisons of symmetric ciphers (figure)

Stream Cipher Properties

• some design considerations are:
  – key stream has a long period with no repetitions
  – statistically random, e.g. equal numbers of 1s and 0s
  – depends on a large enough key, e.g. K >= 128 bits
  – large linear complexity
  – correlation immunity
  – confusion
  – diffusion

RC4 1

• a proprietary cipher owned by RSA DSI
• another Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• widely used (web SSL/TLS, wireless WEP)
• key forms a random permutation of all 8-bit values
• uses that permutation to scramble the input

RC4 2 (figure)

RC4 Key Schedule

• starts with an array S of numbers: 0..255
• uses the key to well and truly shuffle it
• S forms the internal state of the cipher
• input: key k of length l bytes; output: S[0]…S[255]

  for i = 0 to 255 do
      S[i] = i
  j = 0
  for i = 0 to 255 do
      j = (j + S[i] + k[i mod l]) (mod 256)
      swap(S[i], S[j])

RC4 Encryption

• encryption continues shuffling the S array values
• the sum of the shuffled pair selects the "key stream" value
• S[t] is XORed with the next byte of the message to encrypt/decrypt

  i = j = 0
  for each message byte Mi
      i = (i + 1) (mod 256)
      j = (j + S[i]) (mod 256)
      swap(S[i], S[j])
      t = (S[i] + S[j]) (mod 256)
      Ci = Mi XOR S[t]
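
The key schedule and encryption loop from the two RC4 slides, plus a check that makes the "must never reuse the key stream" rule from the Stream Ciphers slide concrete: two messages under one key leak M1 XOR M2. This is an added example, not the slides' code; the "Key"/"Plaintext" pair is a published RC4 test vector used here as a correctness check, the other inputs are constructed, and the function names are my own.

```python
def rc4_ksa(key):
    """Key schedule (slides): S = identity 0..255, then shuffle it with the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(S, n):
    """PRGA (slides): keep shuffling S; t = S[i] + S[j] picks each key stream byte."""
    S = list(S)                       # work on a copy so the state can be reused
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]

def rc4(key, data):
    """Ci = Mi XOR key stream byte; the same call decrypts."""
    return bytes(m ^ k for m, k in zip(data, rc4_keystream(rc4_ksa(key), len(data))))

def keystream_reuse_leak(key, m1, m2):
    """Why a key stream must never be reused: C1 XOR C2 = M1 XOR M2, so anyone
    who knows m1 recovers m2 from the two ciphertexts without touching the key."""
    c1, c2 = rc4(key, m1), rc4(key, m2)
    return bytes(a ^ b ^ x for a, b, x in zip(c1, c2, m1))

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())
    print(keystream_reuse_leak(b"Key", b"attack at dawn", b"attack at dusk"))
```

The WEP concern on the next slide is exactly this failure: per-packet keys were derived so that key streams repeated, not a flaw in the RC4 loop itself.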

RC4 Security

• claimed secure against known attacks
  – have some analyses, none practical
• result is very non-linear
• since RC4 is a stream cipher, must never reuse a key
• there is a concern with WEP, but due to key handling rather than RC4 itself

Summary

• have considered:
  – some other modern symmetric block ciphers
    – Triple-DES
    – Blowfish
    – RC5
  – briefly introduced stream ciphers
    – RC4
