
Network Security and Cryptography Lecture 8 Advanced Block Ciphers

Triple DES, CAST, BLOWFISH, IDEA

Uday Prakash Pethakamsetty


Udayprakash.jntuhceh@gmail.com

Taxonomy of Cryptographic primitives

3/18/2013

JNTUH CEH Network Security & Cryptography

Private Key Algorithms


Plaintext -> Encryption: Ekey1(M) = C (using Key1) -> Ciphertext
Ciphertext -> Decryption: Dkey1(C) = M (using Key1) -> Original plaintext

What granularity of the message does Ek encrypt?

General Block Encryption


The general way of encrypting a 64-bit block is to take each of the 2^64 input values and map it to a unique one of the 2^64 output values. This would take (2^64)*(64) = 2^70 bits. NOT practical.

Secret key cryptographic systems take a reasonable length key (e.g., 64 bits) and generate a one-to-one mapping that appears, to someone who does not know the key, as completely random. I.e., any single bit change in the input results in a totally independent random number output.

Structure of Multiround block ciphers


[Figure: encryption runs the plaintext input through successive single rounds to ciphertext out; decryption runs ciphertext in through the inverse of each single round to plaintext output; the key passes through key scheduling rounds that feed each round.]

- These are private-key symmetric ciphers: the same key is used to encrypt and decrypt.
- Each single round must be invertible.
- Key scheduling rounds do not need to be invertible.
- If the key is constant from block to block, this is a monoalphabetic cipher, but with a huge alphabet.
- Strength comes from confusion and diffusion, repeatedly applied.

Structure of a single round


[Figure: partially encrypted text from the previous round and the key for this round (from the key scheduler) enter a non-feedback network of invertible operations, which outputs partially encrypted text to the next round.]

Invertible operations can include:
- Bitwise exclusive or
- Addition modulo block size
- Galois field (but not conventional) multiplication
- Permutation

Example of an invertible operation: if C = K xor A, then A = K xor C.

Types of transformation for k-bit blocks


o Substitution: Specify for each of the 2^k possible values of the input, the k-bit output. This takes k*2^k bits. This is reasonable for k=8.
o Permutation: Specify for each of the k input bits, the output position to which it goes. This takes k*log2(k) bits.

Next slide shows a secret key algorithm based on rounds of substitution and permutation. If we do only a single round, then a bit of input can only affect 8 bits of output. There is an optimal number of rounds to achieve complete randomization. The algorithm takes the same effort to reverse (decrypt).

Example of block encryption


Private Key Algorithms


Block Ciphers: blocks of bits at a time
- DES (Data Encryption Standard): banks, Linux passwords (almost), SSL, Kerberos
- Blowfish (SSL as option)
- IDEA (used in PGP, SSL as option)
- Rijndael (AES): the new standard

Stream Ciphers: one bit (or a few bits) at a time
- RC4 (SSL as option)
- PKZip
- Sober, Leviathan, Panama

Private Key: Block Ciphers


Encrypt one block at a time (e.g., 64 bits):
c_i = f(k, m_i)    m_i = f'(k, c_i)
Keys and blocks are often about the same size.
Equal message blocks will encrypt to equal code blocks.
Why is this a problem?

Various ways to avoid this:
E.g. c_i = f(k, c_{i-1} XOR m_i): Cipher block chaining (CBC)

Why could this still be a problem?

Solution: attach random block to the front of the message

Security of Block Ciphers


Ideal:
k-bit -> k-bit key-dependent substitution (i.e. random permutation). If keys and blocks are k bits, this can be implemented with a 2^(2k)-entry table.

Iterated Block Ciphers


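[Figure: message m enters round function R with round key k1 to give state s1, then R with k2 to give s2, and so on until R with kn outputs ciphertext c; the round keys are derived from the key.]

Consists of n rounds:
R = the round function
s_i = state after round i
k_i = the i-th round key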

Iterated Block Ciphers: Decryption


[Figure: ciphertext c enters R^-1 with round key kn and continues back through states s2 and s1 with k2 and k1 until R^-1 outputs message m.]

Run the rounds in reverse. Requires that R has an inverse.

Feistel Networks
If function is not invertible rounds can still be made invertible. Requires at least 2 rounds to mix all bits.

[Figure: forwards round R and backwards round R^-1; in each, the block is split into high bits and low bits, and F keyed with k_i is XORed into one half.]

Used by DES (the Data Encryption Standard)

The Feistel block is a reversible round


[Figure: two copies of the Feistel block, each taking Left half_i and Right half_i through a one-way (nonreversible) block and an XOR to produce Left half_{i+1} and Right half_{i+1}.]

Note:
- This block is reversible.
- The direction of signal flow does not change in the one-way block.
- The XOR is a reversible device.

More on the Feistel block


Characteristics and limitations
- Essentially any one-way function can be used; it doesn't have to be reversible.
- Because the block scrambles only one half of the partial text at a time, it is possibly weaker than other ciphers, but more rounds (typically 16) can be used.
- The one-way function is half the width of the block, so a 64-bit block can be encrypted efficiently with a 32-bit processor.
- The Feistel block is vulnerable to differential cryptanalysis, which is a chosen-plaintext attack. With enough rounds, it is usable.

The equations for the Feistel block


Comments
- These equations are valid for any Feistel block, regardless of the particular one-way function used.
- They are the basis for differential and linear cryptanalysis.
- A large number of present-day ciphers, but not all, use Feistel.

The direct transformation:
L_{i+1} = L_i XOR F(R_i, K_i)
R_{i+1} = L_i

The inverse transformation:
L_i = L_{i+1} XOR F(L_{i+1}, K_i)
R_i = L_{i+1}

The recurrence relation used in differential cryptanalysis:
L_{i+2} = L_{i+1} XOR F(L_i, K_i)

Product Ciphers
Each round has two components:
- Substitution on smaller blocks. Decorrelate input and output: confusion
- Permutation across the smaller blocks. Mix the bits: diffusion

Substitution-Permutation Product Cipher
Avalanche Effect: 1 bit of input should affect all output bits, ideally evenly, and for all settings of other input bits

Data Encryption Standard (DES)


- Key length: 56 + 8 parity bits = 64 bits.
- 8 bits are used for parity check, why is that? Possible reason: to make it 256 times less secure against exhaustive search! Read p. 63 in the textbook.
- How secure is DES? In 1998, a $150K machine could break the key in 5 days!
- For added security, triple DES is 2^56 times more secure.

The one-way function for DES


[Figure: input half (32 bits) -> E-box, expand/permute (48 bits) -> 48-bit-wide XOR with the per-stage keyword (48 bits) -> 64x4 S-boxes (6 bits in, 4 bits out each) -> P-box, permute only (32 bits) -> output half]

Components
- E-box: expansion and permutation
- S-box: substitution, a 64 by 4 bit memory or array
- P-box: expansion and permutation
- E and P boxes were hardwired
- S-boxes were in on-chip ROM, 256 bytes per round

Basic structure of DES


Why decryption works?


The output of the Mangler Function (M) is the same for both encryption and decryption.
In encryption: M XOR L_n = R_{n+1}
In decryption: M XOR R_{n+1} = M XOR (M XOR L_n) = L_n

The Mangler Function


- Expands R from 32 bits to 48 bits as shown in the figure: it breaks R into eight 4-bit chunks and expands each to 6 bits by concatenating the adjacent 2 bits. Let CR_i refer to chunk i of the expanded R.
- The 48-bit K is broken into eight 6-bit chunks. Let CK_i refer to chunk i of K.
- Let S_i = CR_i XOR CK_i; S_i is fed into an S-box, a substitution which produces a 4-bit output for each possible 6-bit input.
- The 4-bit output of each of the eight S-boxes is permuted (this has security value: it ensures that the output of an S-box in one round affects the input of multiple S-boxes in the next round).

Mangler Function in DES

Mangler Function
The 48-bit key and the expanded 48-bit R are broken into 8 chunks of 6 bits each.

S-boxes

DES Weak Keys


With many block ciphers there are some keys that should be avoided because of reduced cipher complexity. These keys are such that the same sub-key is generated in more than one round, and they include:

Weak keys
- The same sub-key is generated for every round
- DES has 4 weak keys

Semi-weak keys
- Only two sub-keys are generated on alternate rounds
- DES has 12 of these (in 6 pairs)

Demi-semi weak keys
- Have four sub-keys generated

None of these causes a problem since they are a tiny fraction of all available keys. However, they MUST be avoided by any key generation program.
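
One way a key generation program can enforce this, as an added example that is not part of the original slides: apply DES's PC-1 permutation and test the two 28-bit halves C and D, since a constant half never changes under the key schedule's rotations and an alternating half takes only two values. The function names are illustrative, and the demi-semi weak keys are not checked.

```python
import secrets

# DES Permuted Choice 1: selects the 56 key bits (1-based, MSB first) and
# drops the parity bits 8, 16, ..., 64. First 28 entries form C, last 28 form D.
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]

CONSTANT = {"0" * 28, "1" * 28}        # unchanged by any rotation
ALTERNATING = {"01" * 14, "10" * 14}   # only two values under rotation


def key_halves(key):
    """Return the C and D halves of an 8-byte DES key as 28-char bit strings."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes (56 key bits + 8 parity bits)")
    bits = "".join(f"{byte:08b}" for byte in key)
    permuted = "".join(bits[pos - 1] for pos in PC1)
    return permuted[:28], permuted[28:]


def classify_des_key(key):
    """Classify a key as 'weak', 'semi-weak' or 'ok'; parity bits are ignored."""
    c, d = key_halves(key)
    if c in CONSTANT and d in CONSTANT:
        return "weak"          # every round gets the same sub-key
    if c in CONSTANT | ALTERNATING and d in CONSTANT | ALTERNATING:
        return "semi-weak"     # the schedule yields only two distinct sub-keys
    return "ok"


def set_odd_parity(key):
    """Set the low bit of each byte so that every byte has odd parity."""
    out = bytearray()
    for byte in key:
        ones = bin(byte >> 1).count("1")
        out.append((byte & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def generate_des_key():
    """Draw random keys until one is neither weak nor semi-weak."""
    while True:
        key = set_odd_parity(secrets.token_bytes(8))
        if classify_des_key(key) == "ok":
            return key
```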
3/18/2013 Dept. of ECE Network Security & Cryptography 29

DES attacks
Brute force attack

The COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 9 days on average. The photo shows the backplane of the machine with the FPGAs.

DES attack : Faster than Brute force attack


There are three attacks known that can break the full 16 rounds of DES with less complexity than a brute-force search:
- differential cryptanalysis (DC),
- linear cryptanalysis (LC), and
- Davies' attack.

However, the attacks are theoretical and are infeasible to mount in practice; these types of attack are sometimes termed certificational weaknesses.

Possible techniques for improving DES


- Design a completely new algorithm
  - Requires completely new infrastructure
- Multiple enciphering with DES
  - Double DES, Triple DES
- Extending DES to 128-bit data paths and 112-bit keys
- Extending the key expansion calculation

Double DES
Using two encryption stages and two keys:
C = e_k2(e_k1(p))    p = d_k1(d_k2(C))

It is proved that there is no key k3 such that
C = e_k2(e_k1(p)) = e_k3(p)

- Plaintext block length: 64-bit block
- Ciphertext block length: 56 x 2 = 112 bits

But a meet-in-the-middle attack is possible.

Thus, 2-DES is not secure (if DES is broken).

Meet in the Middle attack


Assume C = E_k2(E_k1(P)).
Given a plaintext-ciphertext pair, this is a known-plaintext attack:
- Encrypt P using all possible keys k1
- Decrypt C using all possible keys k2
o Check each result against the list of encrypted plaintexts
o If a match is found, test the found keys against another plaintext-ciphertext pair
o If they are correct, the keys have been found
o Otherwise keep decrypting C

Breaking double DES


Breaking double DES-MIM attack


Given a message P and its ciphertext C (encrypted using some unknown keys k1 and k2): when we decrypt C using all keys and encrypt P using all keys, some results will match.
The expected number of matches is 2^56 * 2^56 / 2^64 = 2^48 (2^112 key pairs, each agreeing on a 64-bit middle value with probability 2^-64).

When we have another pair (P2, C2), the number of possible key pairs that work for it is also 2^48. Then, among these two sets of key pools found, the expected common key pairs is only
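
The attack above on a toy cipher, as an added example that is not part of the original slides: a 4-round Feistel cipher with 16-bit blocks and 12-bit keys, which also shows a Feistel round being undone although F has no inverse. The key schedule and F are made up for illustration, and the round uses the common convention L' = R, R' = L XOR F(R, k); with these sizes about 2^24 / 2^16 = 2^8 key pairs match on the first known pair, and recovery costs about 2 * 2^12 cipher calls rather than 2^24.

```python
from collections import defaultdict

ROUNDS = 4
KEY_BITS = 12      # toy key size (DES: 56)
# Block size is 16 bits (DES: 64), split into two 8-bit halves.


def round_keys(key):
    """Hypothetical key schedule: rotate the 12-bit key by 3 bits per round."""
    keys = []
    for i in range(ROUNDS):
        s = 3 * i
        rotated = ((key << s) | (key >> (KEY_BITS - s))) & 0xFFF
        keys.append((rotated ^ (0x35 * i)) & 0xFF)
    return keys


def F(half, k):
    """One-way round function: the '| 1' discards a bit, so F has no inverse."""
    y = (half ^ k) | 1
    z = (y * 0xA7 + k) & 0xFF
    return z ^ (z >> 3)


def encrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for k in round_keys(key):
        left, right = right, left ^ F(right, k)
    return (left << 8) | right


def decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for k in reversed(round_keys(key)):      # same F, round keys reversed
        left, right = right ^ F(left, k), left
    return (left << 8) | right


def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Returns (number of matches on the first pair, key pairs consistent
    with every pair).
    """
    (p1, c1), rest = pairs[0], pairs[1:]
    middle = defaultdict(list)
    for k1 in range(1 << KEY_BITS):          # encrypt P under every k1
        middle[encrypt(p1, k1)].append(k1)
    candidates = [(k1, k2)
                  for k2 in range(1 << KEY_BITS)   # decrypt C under every k2
                  for k1 in middle.get(decrypt(c1, k2), ())]
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(p, k1, k2) == c for p, c in rest)]
    return len(candidates), survivors


# Constructed demo values (not from the lecture).
DEMO_KEYS = (0x5A3, 0xC17)
DEMO_PAIRS = [(p, double_encrypt(p, *DEMO_KEYS)) for p in (0x1234, 0xBEEF, 0x0F0F)]
```

Calling `meet_in_the_middle(DEMO_PAIRS)` returns the count of first-pair matches and the surviving key pairs, which include `DEMO_KEYS`.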

Triple DES
- DES variant
- Standardized in ANSI X9.17 & ISO 8732 and in PEM for key management
- Proposed for general EFT standard by ANSI X9
- Backwards compatible with many DES schemes
- Uses either two or three keys

Triple DES
Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt):
C = E_K3[D_K2[E_K1[P]]]
- C = ciphertext
- P = plaintext
- E_K[X] = encryption of X using key K
- D_K[Y] = decryption of Y using key K

Effective key length of 168 bits

Triple DES with two keys


Triple DES with three keys


Other Symmetric Block Ciphers


DES has reached the end of its useful lifetime. New symmetric encryption schemes have been proposed in the last decade. Examples:
- International Data Encryption Algorithm (IDEA)
- Blowfish
- RC5
- CAST-128

CAST 128
By Carlisle Adams and Stafford Tavares
- Defined in RFC 2144
- Uses key sizes varying from 40 to 128 bits
- Structure of a Feistel network
- 16 rounds on a 64-bit data block
- The round function differs from round to round
- Four primitive operations
  - Addition, subtraction (mod 2^32)
  - Bitwise exclusive-OR

Blowfish
- Easy to implement (simple structure)
- Two basic operations: addition, XOR
- High execution speed
- Similar to the Feistel scheme
- Runs in less than 5K of memory
- Variable security: key length is variable (between 32 and 448 bits).
  > Allows a tradeoff between speed and security.
- The key is used to generate 18 32-bit subkeys.
- Encryption/decryption consists of 16 rounds.
- The subkeys and S-boxes are complicated, so it is not suitable when the key changes often.

Blowfish
Encryption: uses two primitive operations:
1. Addition: performed modulo 2^32.
2. Bitwise exclusive-OR.
> These two operations do not commute.
> Making cryptanalysis difficult.

Blowfish
Encryption algorithm:
- Plaintext is divided into two 32-bit halves.
- These go through 16 rounds of transformation using subkeys.
- Each round takes two 32-bit inputs and produces two 32-bit outputs.
- The output of a round is fed into the next round.
- The output of the 16th round is exclusive-ORed with the 17th and 18th subkeys to produce the ciphertext.

Blowfish
Details of a single round:
- Each round includes complex use of addition modulo 2^32, Ex-OR, and substitution using S-boxes.
- The 32-bit input to the function F is divided into four bytes.
- Each byte goes through a separate S-box and is expanded into 32 bits.
- The 32-bit outputs go through a complex transformation using addition modulo 2^32 and Ex-OR.

International Data Encryption Algorithm (IDEA)


Encrypts 64-bit blocks using a 128-bit key.

It is similar to DES since it:
- operates in rounds
- the mangler function runs in the same direction for both encryption and decryption

It differs from DES since:
- Designed to be efficient in software (as opposed to DES's hardware orientation)
- The encryption and decryption keys are different but related in a complex manner.

Used in PGP

Confusion: (the ciphertext should depend upon the plaintext and key in a complex way)
- Confusion is achieved by using three operations.

Diffusion: (each plaintext bit should influence as many ciphertext bits as possible)
- IDEA is very effective in achieving diffusion.

IDEA...
Confusion:
- Achieved by mixing three different operations.
- Each operation takes two 16-bit inputs and produces a 16-bit output.

Three operations:
1. Bit-by-bit exclusive-OR.
2. Addition of integers modulo 2^16 (= 65536).
   - Inputs and output are treated as 16-bit unsigned integers.
3. Multiplication of integers modulo 2^16 + 1 (= 65537).
   - Inputs and output are treated as 16-bit unsigned integers.
   - A block of all zeros is treated as 2^16.

IDEA
Three operations (continued): in combination they provide a complex transformation, making cryptanalysis very difficult. The three operations are incompatible:
> No two satisfy the distributive law.
> No two satisfy the associative law.

IDEA
Diffusion: provided by a multiplication/addition structure (MA).
> Takes two inputs:
  (1) Two 16-bit values derived from the plaintext.
  (2) Two 16-bit subkeys derived from the key.
> Produces two 16-bit outputs.

IDEA
Diffusion:
> Each output bit depends on every input bit and on every bit of the subkeys (meaning a lot of diffusion).
> This structure is repeated 8 times in the encryption algorithm (provides very effective diffusion).

IDEA
Encryption Algorithm:
> Consists of eight rounds.
> The 64-bit input is divided into four 16-bit sub-blocks.
> Each round uses six 16-bit keys.
> Each round produces four 16-bit outputs.
> The output of a round is fed into the next round.

IDEA
Details of a single round:
- Four input sub-blocks are combined with four subkeys, producing 4 output sub-blocks.
- The four output sub-blocks are combined using the XOR operation to form two 16-bit blocks.
- These two blocks are fed into the MA structure.
- The MA structure takes these and produces two 16-bit outputs.
- The four outputs of the upper transformation are combined with the two outputs of the MA structure to produce four output blocks for this round.

Basic structure of IDEA


IDEA primitive operations


XOR is exclusive OR, + is addition mod 2^16, and x is multiplication mod 2^16+1. These operations are reversible:
a XOR K = A, and A XOR K = a, since (a XOR K) XOR K = a
a + K = A, and A + (-K) = a, since (a + K) + (-K) = a
a x K = A, and A x K^-1 = a, since (a x K) x K^-1 = a
K^-1 is the multiplicative inverse of K such that K x K^-1 = 1 mod (2^16+1).

Example: K = 1101; -K = 0000 - 1101 = 0011; a = 1001; K^-1 = 0100 (since 4*13 = 52 = 1 + 3*17, where 17 = 2^4+1; Euclid's algorithm, sec 7.4)
a XOR K = 0100; (a XOR K) XOR K = 1001
a + K = 0110; (a + K) + (-K) = 1001
a x K = 9*13 mod 17 = 15; (a x K) x K^-1 mod 17 = 60 mod 17 = 9 = 1001

Key Expansion (Encryption)


The 128-bit key is expanded into 52 16-bit keys: K1, K2, ..., K52.
Step 1: Keys K1...K8 are generated by taking 8 chunks of 16 bits each.
Step 2: Keys K9...K16 are generated by starting from the 25th bit, wrapping around the first 25 bits at the end, and taking 16-bit chunks.
Step 3: Wrap around 25 more bits to the end, and generate keys K17...K24.
This process is repeated until all keys K1...K52 are generated.
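
The primitive operations and the key expansion above in runnable form, as an added example that is not part of the original slides; the `bits` parameter lets the same functions reproduce the 4-bit example (mod 17). The function names and the sample key are constructed for illustration, the inverse is computed with Fermat's little theorem rather than Euclid's algorithm, and the multiply/add pattern applied to K49...K52 follows standard IDEA.

```python
def mul(a, b, bits=16):
    """IDEA multiplication mod 2^bits + 1; an all-zero word stands for 2^bits."""
    top = 1 << bits
    product = ((a or top) * (b or top)) % (top + 1)
    return product & (top - 1)          # 2^bits is stored as all zeros


def add(a, b, bits=16):
    """Addition mod 2^bits."""
    return (a + b) & ((1 << bits) - 1)


def add_inv(k, bits=16):
    """Additive inverse -K mod 2^bits."""
    return -k & ((1 << bits) - 1)


def mul_inv(k, bits=16):
    """Multiplicative inverse mod 2^bits + 1 (prime for bits = 4 and 16).

    Uses Fermat's little theorem, k^(m-2) mod m, in place of the Euclid
    computation the slide refers to.
    """
    top = 1 << bits
    return pow(k or top, top - 1, top + 1) & (top - 1)


def expand_key(key):
    """Expand a 128-bit integer key into the 52 16-bit encryption subkeys."""
    subkeys = []
    while len(subkeys) < 52:
        # take eight 16-bit chunks, most significant first
        subkeys += [(key >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        # wrap the first 25 bits around to the end (25-bit left rotation)
        key = ((key << 25) | (key >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def first_decryption_keys(subkeys):
    """Inverses of K49...K52, the keys the first decryption round uses.

    Assumes the standard IDEA assignment: K49 and K52 are multiplied in,
    K50 and K51 are added in.
    """
    k49, k50, k51, k52 = subkeys[48:52]
    return [mul_inv(k49), add_inv(k50), add_inv(k51), mul_inv(k52)]


# Constructed sample key: the 16-bit words 1, 2, ..., 8.
SAMPLE_KEY = 0x00010002000300040005000600070008
```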


IDEA Odd Round


X is the modified multiply operation, and + is a modified add. To get the original values back, the inverse of Ka is used for X and Xb (mod 2^16) for +.

IDEA Decryption
The same code can perform either encryption or decryption given different expanded keys. Take the inverses of the encryption keys and use them in the opposite order (use the inverse of the last-used encryption key as the first used when doing decryption). Since the last encryption round (an odd round) used keys K49, K50, K51, K52, the first decryption round uses the inverses of the keys K49-K52.

IDEA Even Round


RC 5
Developed by R. Rivest
- Suitable for hardware or software
- Fast, simple
- Variable number of rounds
- Variable-length key
- Low memory requirement
- High security
- Data-dependent rotations (circular bit shifts)
- Fast, simple, low memory, data-dependent rotations
- Adaptable to processors of different word length

A family of algorithms determined by word length, number of rounds, size of secret key

Decryption and encryption are not the same
- With little variations

Primitive operations
- Addition, XOR, left circular rotation

RC4
- Ron Rivest (of the famous RSA) is the inventor.
- A long random string is called a one-time pad.
- A stream cipher generates a one-time pad and applies it to a stream of plain text with XOR.
- RC4 is a stream cipher designed by Ron Rivest.

C code for RC4 one-time pad generator


Key features of advanced symmetric block ciphers


Location of Encryption Device


Link encryption:
- A lot of encryption devices
- High level of security
- Decrypt each packet at every switch

End-to-end encryption:
- The source encrypts and the receiver decrypts
- Payload encrypted
- Header in the clear

High security: both link and end-to-end encryption are needed

Key Distribution
1. A key could be selected by A and physically delivered to B.
2. A third party could select the key and physically deliver it to A and B.
3. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

Key Distribution
Session key:
- Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed.

Permanent key:
- Used between entities for the purpose of distributing session keys

References
- Behrouz A. Forouzan, Debdeep Mukhopadhyay, Cryptography and Network Security, 2e, McGraw Hill Publications, ISBN 978-0-07-070208-0.
- William Stallings, Cryptography and Network Security: Principles and Practices, 4e, Pearson-Prentice Hall publications, ISBN 81-7758-774-9.
- Stallings, W. Cryptography and Network Security: Principles and Practice, 2nd edition. Prentice Hall, 1999.
- Schneier, B. Applied Cryptography. New York: Wiley, 1996.
- Mel, H.X., Baker, D. Cryptography Decrypted. Addison Wesley, 2001.
