Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Transcription

1 Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

2 Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any attempt to attack the cipher should be comparable in complexity to brute-force method Should resist known cipher text attacks given one or even many C and P attacker should not be able to determine K. Should be very efficient!

3 Desired Characteristics Confusion How does changing a bit of the key affect the ciphertext? Diffusion How does changing one bit of the plaintext affect the ciphertext?

4 Two Basic Types Block Ciphers Typically 64, 128 bit blocks A k-bit plaintext block maps to a k-bit ciphertext block Can be seen as a substitution cipher which uses a size 2 k look-up table (for each key!) Usually employ Fiestel structure. Stream Ciphers A key is used to generate a stream of pseudo-random bits key stream Just XOR plaintext bits with the key stream for encryption For decryption generate the key stream and XOR with the ciphertext!

5 Fiestel Structure L i 1 R i 1 F K i L i R i Encryption L i =R i 1 R i =L i 1 F R i 1, K i Decryption R i 1 =L i L i 1 =R i F L i,k i

6 Fiestel Block Cipher L 0 R 0 F K 1 L 1 R 1 F K 2 L 2 R 2 L 15 R 15 F K 16 L 16 R 16

7 Fiestel Block Cipher - DES L 0 R 0 F K 1 L i =R i 1 R i =L i 1 F R i 1,K i L i R i 1 L 1 R 1 F K 2 32 to 48 bits Expansion Permutation K i L 2 R 2 8 S Boxes 6 to 4 bits S-Box Substitution 32 to 32 (Straight) Permutation P-Box Permutation L 15 R 15 F K 16 L i 1 L 16 R 16 R i

8 DES Round Key Generation L 0 R 0 F K 1 8 S Boxes each 6 to 4 bits Key L 1 R 1 R i 1 Shift Shift F K 2 32 to 48 bits Expansion Permutation Compression Permutation 56 to 48 bits L 2 R 2 8 S Boxes 6 to 4 bits S-Box Substitution K i Key L 15 R to 32 P-Box Permutation F K 16 L 16 R 16 R i

9 DES Initial and Final Permutation L 0 R 0 F K 1 Initial Permutation L 1 R 1 F K 2 L 2 R 2 L 15 R 15 F K 16 Final Permutation L 16 R 16

10 DES Algorithmic Overview T 64 bit input K 64 bit key - leads to K 0 56 bit key K 1, K 2,...,K 16 (generated by round key generation) T 1 =IP T (Initial Permutation) L 0, R 0 =T 1 (split into two 32 bit quantities) L 1, R 1 = R 0, L 0 F R 0, K 1 L 2, R 2 = R 1, L 1 F R 1, K 2 L 16,R 16 = R 15,L 15 F R 15,K 16 C 1 = R 16,L 16 (swapping) C=FP C 1 (Final Permutation)

11 IP and FP Initial Permutation Final Permutation

12 DES Round Function R 1 =F R 0, k R 0 32 bit round input k 48 bit round key X =E R 0 (Expansion Permutation) X 1 =X k (XOR with round key) X 2 =S X 1 (apply S-Box substitution - output 32 bits) R 1 =P X 2 (apply round permutation) R i 1 Expansion Permutation K i E Expansion Permutation P Round Permutation R i S-Box Substitution P-Box Permutation

13 DES S-Boxes X input - 48 bit data S 1 S 8 8 S-Boxes X 1, X 2,, X 8 split X Y = S 1 X 1,,S 1 X 8 Each S-Box has 4 rows and 16 columns Each row is a permutation of 0 to 15 6 b X i chooses the row of S i 3b b 5b 4 of X i chooses the column of S i

14 DES Key Schedule Shift Key Compression Permutation 56 to 48 bits K i Key Shift K 64 bit key r i left shifts in round i r i =1 for i=1,2,9,16 r 1 =2 for all other i K 1 =PC K (Effective Key length is 56) C 0, D 0 =K 1 C 1, D 1 = r 1 C 0,r 1 D 0 k 1 =CP C 1, D 1 C 2, D 2 = r 2 C 1,r 2 D 1 k 2 =CP C 2, D 2 k 16 =CP C 16,D 16 PC (Permuted Choice) CP - (Compression Permutation)

15 DES At a glance T 64 bit input K 0 64 bit key - leads to K 56 bit key K 1, K 2,...,K 16 generated by round key generation T 1 =IP T Initial Permutation L 0, R 0 =T 1 split into two 32 bit quantities L 1, R 1 = R 0, L 0 F R 0, K 1 L 2, R 2 = R 1, L 1 F R 1, K 2 L 16,R 16 = R 15,L 15 F R 15,K 16 C 1 = R 16,L 16 (swapping) C=FP C 1 Final Permutation Round function R 1 =F R 0, k R 0 32 bit round input k 48 bit round key X =E R 0 Expansion Permutation X 1 =X k XOR with round key X 2 =S X 1 apply S-Box substitution (output 32 bits) R 1 =P X 2 apply round permutation S-Box Function X input - 48 bit data S 1 S 8 8 S-Boxes X 1, X 2,, X 8 split X Y = S 1 X 1,,S 1 X 8 Each S-Box has 4 rows and 16 columns Each row is a permutation of 0 to 15 6 b X i chooses the row of S i 3b b 5b 4 of X i chooses the column of S i Key Schedule K 0 64 bit key r i left shift in round i r i =1 for i=1,2,9,16 and 2 for all other i K =PC K 0 = C 0, D 0 K is 56 bits C 1, D 1 = r 1 C 0,r 1 D 0 k 1 =CP C 1, D 1 C 2, D 2 = r 2 C 1,r 2 D 1 k 2 =CP C 2, D 2 k 16 =CP C 16,D 16

16 Block Cipher Modes ECB - Electronic Codebook CBC Cipher Block Chaining CFB Cipher Feedback OFB Output Feedback CTR - Counter

17 ECB Electronic Codebook Mode Message is broken into independent blocks which are encrypted Each block is encoded independently of the other blocks C i = DES K (P i ) Applications secure transmission of single values Databases (retrieval of single fields)

18 ECB Electronic Codebook Mode

19 ECB Pros and Cons Weakness - encrypted message blocks are independent Strength in some applications the independednce of message blocks is very useful Databases Parallelizing encryption / decryption

20 CBC (Cipher Block Chaining) Message is broken into blocks Linked together during encryption each previous cipher block is chained with current plaintext block Initial Vector (IV) used to start process C i = DES K (P i XOR C i-1 ) C 0 = IV Applications: bulk data encryption, authentication

21 CBC

22 CBC Pros and Cons Each ciphertext block depends on all message blocks A change in a message block affects all ciphertext blocks after the change (as well as the original block) Need Initial Value (IV) known to sender & receiver however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate hence either IV must be a fixed value - or it must be sent encrypted in ECB mode before rest of message

23 CFB (Cipher Feedback Mode) Message is treated as a stream of bits Added to the output of the block cipher Result is feed back for next stage (hence name) Standard allows any number of bit (1,8 or 64 or whatever) to be feed back denoted CFB-1, CFB-8, CFB-64 etc CFB-64 is used most often (most efficient) C i = P i XOR DES K (C i-1 ) C 0 = IV Applications: stream data encryption, authentication

24 CFB

25 CFB Pros and Cons Appropriate when data arrives in bits/bytes Most common stream mode Block cipher is used in encryption mode at both ends! Errors propagate for several blocks after the error (depending on s)

26 OFB (Output Feedback Mode) Message treated as a stream of bits Output of cipher is added to message Output is then fed back feedback is independent of message Can be computed in advance C i = P i XOR O i O i = DES K (O i-1 ) O 0 = IV Applications: stream encryption over noisy channels

27 OFB

28 OFB- Pros and Cons Used when error feedback is a serious problem Superficially similar to CFB but feedback is from the output of cipher and is independent of message a variation of a Vernam cipher hence must never reuse the same sequence (key+iv) Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs Originally specified with s-bit feedback in the standards Subsequent research has shown that only OFB-64 should be used

29 CTR (Counter Mode) A new mode, though proposed in '79 Similar to OFB but encrypts counter value rather than any feedback value Must have a different key & counter value for every plaintext block (never reused) C i = P i XOR O i O i = DES K (i) Applications: high-speed network encryptions

30 CTR

31 CTR - Pros and Cons Efficiency can do parallel encryptions in advance of need good for bursty high speed links Random access to encrypted data blocks Provable security (good as other modes) must ensure key/counter values are not reused

32 Block Cipher Modes Overview CBC C 0 =IV C j =E K C j 1 P j P 1 =D K C 1 IV P j =D K C j C j 1 CFB C 0 =IV C j =E K C j 1 P j OFB O 0 =IV O j =E K O j 1 C j =O j P j O 0 =IV O j =E K O j 1 P j =O j C j CTR O j =E K CTR j C j =O j P j O j =E K CTR j P j =O j C j P 1 =E K IV C 1 P j =E K C j 1 C j

33 CBC vs CFB CBC C 0 =IV C j =E K C j 1 P j P 1 =D K C 1 IV P j =D K C j C j 1 If specific bits of IV are flipped same bits of P 1 are flipped after decoding (Solution: Encrypt IV!) If specific bits of C 2 are flipped same bits of P 3 are flipped, and random bits of P 2 are flipped after decoding CFB C 0 =IV C j =E K C j 1 P j P 1 =E K IV C 1 P j =E K C j 1 C j If specific bits of C 2 are flipped same bits of P 2 are flipped, and random bits of P 3 are flipped after decoding

34 Double and Triple DES Double DES C =E K 1 E K 2 P Can we find a K 3 such that E K 1 E K 2 P =E K 3 P Highly improbable: Each of the 2 56 keys define a random mapping between two tables of size ! possible mappings only a very small fraction (2 56 ) is defined by single-des Repeated application of mappings is highly unlikely to produce a mapping provided by a single key!

35 Meet-in-the-Middle Attack Unfortunately, double DES does not increase brute force complexity! Meet-in-the-middle attack P 1 and C 1 known X =E K 1 P =D K 2 C Try X =D K C 1 for all 2 56 possible values of K 2 Sort the table ( 2 56 entries) Compute E K P 1 for all 2 56 possible values of K 1 Values for which E K 1 P 1 =D K 2 C 1 are possible candidates High probability of false alarm with only one known P-C pair On an average /2 64 keys will map P 1 to the same C 1 With two known P-C pairs probability of false alarm reduces to p f =2 112 /2 64 /2 64 =2 16 With three known P-C pairs p f =2 80

36 Triple DES Triple DES with three keys brute-force complexity Triple DES with two keys - equivalent to 80- bit security Most commonly used C=E K 1 D K 2 E K 1 P With K 1 =K 2, Triple DES becomes DES Compatibility with old encrypters

37 RC-4 Stream Cipher. Extremely simple! Very fast especially in software Easily adapts to any key length (1 byte to 256 bytes) Used in SSL / TLS WEP (Was) protected by trade secret exposed (anonymously posted on the web) in 1994

38 RC-4 Key Initialization K[0]...K[keylen-1] --- key bytes For i = 0 to 255 S[i] = i; T[i] = K[i mod keylen]; j = 0; For i = 0 to 255 j = (j + S[i] + T[i]) mod 256; SWAP(S[i], S[j]); Throw away T, K; (retain S)

39 RC-4 Stream Generation i,j = 0; while (true) i = (i+1) mod 256; j = (j+ S[i]) mod 256; SWAP(S[i],S[j]); t = (S[i] + S[j]) mod 256; k = S[t]; The vector S, at any time, is a random permutation of 1 to 256 (only swap performed on the vector).

40 TEA Tiny Encryption Algorithm (David Wheeler, Roger Needham) void code(long* v, long* k) { unsigned long y=v[0],z=v[1], sum=0, /* set up */ delta=0x9e3779b9, n=32 ; /* a key schedule constant */ while (n-->0) { /* basic cycle start */ sum += delta ; y += (z<<4)+k[0] ^ z+sum ^ (z>>5)+k[1] ; z += (y<<4)+k[2] ^ y+sum ^ (y>>5)+k[3] ; /* end cycle */ } v[0]=y ; v[1]=z ; } Input v 64 bits As two 32 bit quantities v[0], v[1] void decode(long* v,long* k) { unsigned long n=32, sum, y=v[0], z=v[1], delta=0x9e3779b9 ; sum=delta<<5 ; /* start cycle */ while (n-->0) { z-= (y<<4)+k[2] ^ y+sum ^ (y>>5)+k[3] ; y-= (z<<4)+k[0] ^ z+sum ^ (z>>5)+k[1] ; sum-=delta ; } /* end cycle */ v[0]=y ; v[1]=z ; } k 128 bits As four 32 bit quantities k[0],k[1],k[2],k[3]

41 Hash Functions h = H(M) M can be of any size h is always of fixed size Typically h << size(m) h=h(x) is easy to compute given x Virtually impossible to calculate x given h Weak collision resistance Infeasible to find x y such that H x =H y Strong Collision resistance Infeasible to find any x,y such that H x =H y

42 Birthday Paradox 50 people in a room what is the probability that two people have the same birthday? Extremely high about A message M hashes to N bits say h. What is the probability that another message M 1 hashes to h? 1/2 N we need to search 2 N to see a hit. What is the probability that two messages have the same hash? We need to search only 2 N/2 messages 64 bit hash is not strongly collision resistant Normally we use 128 or 160 bit hash functions

43 Compression Functions Hash functions are built using compression functions C :{0,1} m t {0,1} m If the compression function satisfies the requirements (pre-image resistance and collision resistance) for some t > 1, we can construct a hash function using the Merkle- Damagard Construction Compression function used in MD5: m=128, t=512

44 MD5 128 bit hash (Merkle-Damagard Construction) Message length K Pad message with P bits such that K+P is 448 mod 512 (64 bits less than a multiple of 512) Padding is done even if K is already 448 mod 512 Padding is 1 followed by P-1 zeros Length of padding is at least 1. Maximum value is 512 Append length as a 64 bit value. Total length is L x 512 IV initialized to four fixed 32 bit quantities A,B,C,D

45 MD5 Block 1 Block 2 Block L 512 bit 512 bit 512 bit IV 128 bit HMD5 HMD5 HMD5 128 bit 128 bit 128 bit 128 bit Each HMD5 block involves 64 rounds of data mangling 4 stages of 16 rounds each Each stage has different compression functions F,G,H,I Each round uses an entry from a fixed Table of length 64 Every bit of the hash code is a function of every bit of input Other hash functions SHA, SHA-1, RIPEMD-160

46 Keyed Message Authentication Code (HMAC) A shared key can be used to establish a private channel between the sender and the receiver It can also be used to authenticate messages In principle, HMAC for a message M, using a hash function h(), and a shared key K is computed as h(m,k). h(m,k) appended to the message Receiver (using the key K) can verify that the sender has access to K the message has not been modified en route

47 HMAC Special constructions based on hash functions are used for HMAC Standard HMAC using any hash function HMAC=h K opad h K ipad M opad=0x5c5c... 5c5c ipad=0x CBC or OFB modes (with any block cipher) is also frequently used