Lecture 5, October 8. DES System (Modification)

Transcription

1 Lecture 5, October 8. 10/10/01 Gene Tsudk, ICS 268 Fall Encrypton Process 64 Bt Plantext Intal Permutaton 32 Bt L0 32 Bt R0 + F(R0,K1) DES System (Modfcaton) Festel Network Buldng Block Key Schedule 64 Bt Key Permutaton Choce 1 56 Bt Key 28 Bt C0 28 Bt D0 32 Bt L1 32 Bt R1 K1(48 bts) Left Shft Rght Shft C1 D1 32 Bt L15 32 Bt R15 + F(R15,K16) Permuted Choce 2 K16(48 bts) C16 D16 32 Bt L16 32 Bt R16 Fnal Permutaton Permuted Choce 2 64 Bt Cphertext 10/10/01 Gene Tsudk, ICS 268 Fall

2 DES System (Modfed) Input IP L 0 Input R 0 f K 1 L 1 Input R 1 f K 2 L 15 Input R 15 f K 16 L 16 Input R 16 IP -1 Output 10/10/01 Gene Tsudk, ICS 268 Fall F Funton S R -1 E K S 2 S 3 S 4 S 5 S 6 S 7 S 8 Provde randomness by non-lnear functon S-boxS Every other operaton of DES s lnear Each S-box S s 6 bt nput, 4 bt output P 10/10/01 Gene Tsudk, ICS 268 Fall

3 S-box 10/10/01 Gene Tsudk, ICS 268 Fall Answer to Last Class Queston Queston: f functon has expanson and compresson. How can you decrypt? Answer: It does not matter ;-); Decrypton L 1D = R 16 = R 15 R 1D = L 16 f (R 16, K 16 ) = L 15 f (R 15, K 16 ) f (R 15, K 16 = L ) 10/10/01 Gene Tsudk, ICS 268 Fall

4 Modes of operaton I 1 =IV x k E E -1 k c x ECB r-bt shft r-bt shft I I c 0 =IV C -1 x k E I 1 =IV I O -1 E x CBC I k O -1 C -1 k E E k k E E k O O O O x CFB x x OFB x 10/10/01 Gene Tsudk, ICS 268 Fall ECB Modes of operaton (cnt( cnt.) 1. Encrypton: c E K (x ) 2. Decrypton: x E 1 K (c ) CBC Identcal plantext (under the same key) result n dentcal cphertext blocks are encphered ndependently of other blocks bt errors n a sngle cphertext affect decpherment of that block only 1. Encrypton: c 0 IV, c E K (c 1 x ) 2. Decrypton: c 0 IV, x c 1 E1 1 K (c ) channg causes cphertext c to depend on all precedng plantext a sngle bt error n c affects decpherment of blocks c and c +1 self-synchronzng: synchronzng: error c (not c +1, c +2) ) s correctly decrypted to x +2 Can use as a MAC: x 1, x 2,, x n, c n /10/01 Gene Tsudk, ICS 268 Fall

5 Modes of operaton (cnt( cnt.) CFB 1. Encrypton: I 1 IV 1. O E K (I ). (Compute the block cpher output) 2. t : r leftmost bts of O (Assume the leftmost s dentfed as bt 1) 3. c x t. (Transmt the r-bt r cphertext block c ) 4. Shft c nto rght end of shft regster 2. Decrypton: I 1 IV, x c t,where t, O and I are as above re-orderng cphertext blocks affects decrypton one or more bt errors n any sngle r-bt r cphertext block c affects the decpherment of next n/r cphertext blocks self-synchronzng synchronzng smlar to CBC, but requres n/r blocks to recover. for r <n, throughput s decreased by a factor of n/r 10/10/01 Gene Tsudk, ICS 268 Fall CFB Modes of operaton (cnt( cnt.) 1. Encrypton: I 1 IV 1. O E K (I ). (Compute the block cpher output) 2. t : r leftmost bts of O (Assume the leftmost s dentfed as bt 1) 3. c x t. (Transmt the r-bt r cphertext block c ) 4. Shft o nto rght end of shft regster 2. Decrypton: I 1 IV, x c t,where t, O and I are as above keystream s plantext-ndependent ndependent bt errors affects the decpherment of only that character recovers from cphertext bt errors, but cannot self- synchronze for r <n, throughput s decreased as per the CFB mode 10/10/01 Gene Tsudk, ICS 268 Fall

6 Breakng DES (Cryptanalyss) Dfferental Cryptanalyss Dfferental cryptanalyss dscovered n 1990; vrtually all block cphers from before that tme are vulnerable......except DES. IBM (and NSA) knew about t 15 years earler Looks for correlatons n f()-functon functon nput and output More precsely, the relaton between nput xor and output xor Pr[ f(x) f(x ) ) = Y Y X X = X] Lnear cryptanalyss Looks for correlatons between key and cpher nput and output More precsely, relaton between lnear combnaton of nput bts and lnear combnaton of output bts Related-key cryptanalyss Looks for correlatons between key changes and cpher nput/output 10/10/01 Gene Tsudk, ICS 268 Fall Breakng DES (Cryptanalyss) Strength of DES Key sze = 56 bts Brute force = 2^55 attempts Dfferental cryptanalyss = 2^47 attempts Lnear cryptanalyss = 2^43 attempts Longer than 56 bt keys don't make t any stronger More than 16 rounds don't make t any stronger DES Key Problems: Weak keys (all 0s, all 1s, a few others) Key sze = 56 bts = 8 * 7-bt 7 ASCII Alphanumerc-only password converted to uppercase = 8 * ~5-bt chars = 40 bts 10/10/01 Gene Tsudk, ICS 268 Fall

7 Breakng DES (COST) DES was desgned for effcency n early-70's hardware Makes t easy to buld ppelned brute-force breakers n late-90's hardware 16 stages, tests 1 key per clock cycle Can buld a DES-breaker usng: * Feld-programmable gate array (FPGA), software programmable hardware * Applcaton-specfc IC (ASIC) 100 MHz ASIC = 100M keys per second per chp Chps = $10 n 5K+ quanttes $50,000 = 500 bllon keys/sec = 20 hours/key (40-bt DES takes 1 sec) 10/10/01 Gene Tsudk, ICS 268 Fall Breakng DES (COST) $1M = 1 hour per key (1/20 sec for 40 bt) $10M = 6 mnutes per key (1/200 sec for 40 bts) US black budget s ~$25-30 bllon!!! dstrbuted.net = ~70 bllon keys/sec wth 20,000 computers (how long?) EFF (US non-proft) broke full DES n 2 1/2 days Amortsed cost over 3 years = 8 cents per key If your secret s worth more than 8 cents, don't encrypt t wth DES September 1998: German court rules DES "out of date and unsafe" for fnancal applcatons 10/10/01 Gene Tsudk, ICS 268 Fall

8 DES Varants 2-DES (double DES) = E(K2,E(K1,X)) or D(K2,E(K1,X)) --- weak! 3-DES (trple DES) = E(K1,D(K2,E(K1,X)))or E(K3,D(K2,E(K1,X))) --- same securty? DESx = K3 XOR E(K2, K1 XOR X): securty proved by Rogaway K1 XOR E(K1,X)? E(K1, K1 XOR X)? 10/10/01 Gene Tsudk, ICS 268 Fall DES summary Permutaton/substtuton block cpher 64-bt data blocks 56-bt keys (8 party bts) 16 rounds (shfts,xors) Key schedule DES agng 2-DES: rendezvous attack 3-DES: 112-bt securty? DESX : 64-bt securty? S-box selecton secret 10/10/01 Gene Tsudk, ICS 268 Fall

9 Other cphers Skpack Classfed algorthm orgnally desgned for Clpper, declassfed n rounds, breakable wth 31 rounds 80 bt key, nadequate for long-term securty GOST GOST 28147, Russan answer to DES 32 rounds, 256 bt key Incompletely specfed 10/10/01 Gene Tsudk, ICS 268 Fall IDEA (X. La, J. Massey, ETH) Other popular cphers Developed as PES (proposed encrypton standard), adapted to resst dfferental cryptanalyss as IPES, then IDEA Ganed popularty va PGP, 128 bt key Patented (Ascom CH) Blowfsh (B. Schneer, Counterpane) Optmsed for hgh-speed executon on 32-bt processors 448 bt key, relatvely slow key setup Fast for bulk data on most PCs/laptops 10/10/01 Gene Tsudk, ICS 268 Fall

10 New Generaton Block Cpher AES (Advanced Encrypton Standard) Jan. 1997: ntaton of the AES development Sep. 1997: formal call for algorthms unclassfed, publcly dsclosed encrypton algorthm(s), avalable royalty-free, worldwde block sze: 128b, key sze: 128, 192, 256b Aug. 1998: a group of ffteen AES canddate Mar. 1999: 2nd AES2, selected fve algorthms MARS, RC6, Rndael,, Serpent, and Twofsh Oct. 2000: Rndael to propose for the AES Fast for hardware/software mplementaton Pretty strong 10/10/01 Gene Tsudk, ICS 268 Fall How do Alce and Bob get to share a secret key n the frst place? Or Why do we need publc key cryptography 10/10/01 Gene Tsudk, ICS 268 Fall

11 0 < < 2 SK, PK random ndex = random (secret) value Puzzle S n = N secret keys P = { ndex, SK, S} fxed strng,e.g.," Alce to Bob" Merkle s Puzzles (1974) PK { P 0 < < 2 n } Look up ndex Obtan SK ndex Encrypted communcaton wth SK Pck random,0 < < 2 Select P Break PK by brute force Obtan {ndex, SK } n? 10/10/01 Gene Tsudk, ICS 268 Fall < < 2 SK, PK K A = N Alce' s own secret key ndex = {, SK, etc} Puzzle P = { ndex, SK, S} S fxed strng n random secret keys K A Merkle s Puzzles (modfed) PK { P 0 < < 2 n } decrypt ndex wth K A and obtan K ndex Encrypted communcaton wth SK? Pck random,0 < < 2 Select P Break PK by brute force Obtan {ndex, SK } n 10/10/01 Gene Tsudk, ICS 268 Fall

12 Merkle s Puzzles (contd.) Alce: O(N) work to generate, compose, send puzzles Memory: Ka Bob O(N) work to break a sngle puzzle Eve O(N^2) work to break, on the average N/2 puzzles Can we get better than N^2 to N advantage? 10/10/01 Gene Tsudk, ICS 268 Fall