Applied Cryptography (Symmetric)

Date post: 30-Dec-2015
Upload: blaze-hancock
Transcript
Page 1: Applied Cryptography (Symmetric)

Applied Cryptography (Symmetric)

Part I

Page 2: Applied Cryptography (Symmetric)

Many savages at the present day regard their names as vital parts of themselves, and therefore take great pains to conceal their real names, lest these should give to evil-disposed persons a handle by which to injure their owners.

—The Golden Bough, Sir James George Frazer

Page 3: Applied Cryptography (Symmetric)

Symmetric Encryption

• or conventional / private-key / single-key
• sender and recipient share a common key
• all classical encryption algorithms are private-key
• was only type prior to invention of public-key in 1970’s
• and by far most widely used

Page 4: Applied Cryptography (Symmetric)

Some Basic Terminology

• plaintext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key
• cryptology - field of both cryptography and cryptanalysis

Page 5: Applied Cryptography (Symmetric)

Symmetric Cipher Model

Page 6: Applied Cryptography (Symmetric)

Requirements

• two requirements for secure use of symmetric encryption:
    • a strong encryption algorithm
    • a secret key known only to sender / receiver
• mathematically have:
    $Y = E_K(X)$
    $X = D_K(Y)$
• assume encryption algorithm is known
• implies a secure channel to distribute key

Page 7: Applied Cryptography (Symmetric)

Cryptography

• classify cryptographic system by:
    • type of encryption operations used
        • substitution / transposition / product
    • number of keys used
        • single-key or private / two-key or public
    • way in which plaintext is processed
        • block / stream

Page 8: Applied Cryptography (Symmetric)

Cryptanalysis

• objective to recover key not just message
• general approaches:
    • cryptanalytic attack
    • brute-force attack

Page 9: Applied Cryptography (Symmetric)

More Definitions

• unconditional security
    • no matter how much computer power or time is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
• computational security
    • given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken

Page 10: Applied Cryptography (Symmetric)

Brute Force Search

• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext

| Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at $10^{6}$ decryptions/µs |
| --- | --- | --- | --- |
| 32 | $2^{32} = 4.3 \times 10^{9}$ | $2^{31}$ µs = 35.8 minutes | 2.15 milliseconds |
| 56 | $2^{56} = 7.2 \times 10^{16}$ | $2^{55}$ µs = 1142 years | 10.01 hours |
| 128 | $2^{128} = 3.4 \times 10^{38}$ | $2^{127}$ µs = $5.4 \times 10^{24}$ years | $5.4 \times 10^{18}$ years |
| 168 | $2^{168} = 3.7 \times 10^{50}$ | $2^{167}$ µs = $5.9 \times 10^{36}$ years | $5.9 \times 10^{30}$ years |
| 26 characters (permutation) | $26! = 4 \times 10^{26}$ | $2 \times 10^{26}$ µs = $6.4 \times 10^{12}$ years | $6.4 \times 10^{6}$ years |

Page 11: Applied Cryptography (Symmetric)

Modern Block Ciphers

• now look at modern block ciphers
• one of the most widely used types of cryptographic algorithms
• provide secrecy / authentication services
• focus on DES (Data Encryption Standard)
• to illustrate block cipher design principles

Page 12: Applied Cryptography (Symmetric)

Block vs Stream Ciphers

• block ciphers process messages in blocks, each of which is then en/decrypted
• like a substitution on very big characters
    • 64-bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
• broader range of applications

Page 13: Applied Cryptography (Symmetric)

Block Cipher Principles

• most symmetric block ciphers are based on a Feistel Cipher Structure
• block ciphers look like an extremely large substitution
• would need table of $2^{64}$ entries for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher

Page 14: Applied Cryptography (Symmetric)

Ideal Block Cipher

Page 15: Applied Cryptography (Symmetric)

Claude Shannon and Substitution-Permutation Ciphers

• Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
• form basis of modern block ciphers
• S-P nets are based on the two primitive cryptographic operations seen before:
    • substitution (S-box)
    • permutation (P-box)
• provide confusion & diffusion of message & key

Page 16: Applied Cryptography (Symmetric)

Confusion and Diffusion

• cipher needs to completely obscure statistical properties of original message
• a one-time pad does this
• more practically Shannon suggested combining S & P elements to obtain:
    • diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
    • confusion – makes relationship between ciphertext and key as complex as possible

Page 17: Applied Cryptography (Symmetric)

Feistel Cipher Structure

• Horst Feistel devised the Feistel cipher
    • based on concept of invertible product cipher
• partitions input block into two halves
    • process through multiple rounds which
    • perform a substitution on left data half
    • based on round function of right half & subkey
    • then have permutation swapping halves
• implements Shannon’s S-P net concept

Page 18: Applied Cryptography (Symmetric)

Feistel Cipher Structure

Page 19: Applied Cryptography (Symmetric)

Feistel Cipher Design Elements

• block size
• key size
• number of rounds
• subkey generation algorithm
• round function
• fast software en/decryption
• ease of analysis

Page 20: Applied Cryptography (Symmetric)

Feistel Cipher Decryption

Page 21: Applied Cryptography (Symmetric)

Data Encryption Standard (DES)

• most widely used block cipher in world
• adopted in 1977 by NIST
    • as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over its security

Page 22: Applied Cryptography (Symmetric)

DES Encryption Overview

Page 23: Applied Cryptography (Symmetric)

DES Round Structure

• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
    $L_i = R_{i-1}$
    $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
• Function F takes 32-bit R half and 48-bit subkey:
    • expands R to 48-bits using permutation E
    • adds to subkey using XOR
    • passes through 8 S-boxes to get 32-bit result
    • finally permutes using 32-bit perm P

Page 24: Applied Cryptography (Symmetric)

DES Round Structure

Page 25: Applied Cryptography (Symmetric)

Substitution Boxes S

• have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4 bit boxes
    • outer bits 1 & 6 (row bits) select one row of 4
    • inner bits 2-5 (col bits) are substituted
    • result is 8 groups of 4 bits, or 32 bits
• row selection depends on both data & key
    • feature known as autoclaving (autokeying)
• example:
    • S(18 09 12 3d 11 17 38 39) = 5fd25e03


Page 26: Applied Cryptography (Symmetric)

DES Key Schedule

• forms subkeys used in each round
• initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
• 16 stages consisting of:
    • rotating each half separately either 1 or 2 places depending on the key rotation schedule K
    • selecting 24-bits from each half & permuting them by PC2 for use in round function F
• note practical use issues in h/w vs s/w

Page 27: Applied Cryptography (Symmetric)

Avalanche Effect

• key desirable property of encryption algorithms
• where a change of one input or key bit results in changing approx half output bits
• making attempts to “home-in” by guessing keys impossible
• DES exhibits strong avalanche
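
The Feistel round equations, decryption with reversed subkeys, and the avalanche property, as an added example that is not part of the original slides. It is a toy 64-bit Feistel cipher, not DES: the round function F and the key schedule are stand-ins built from SHA-256 (assumptions made here), and the key and block values are constructed.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def F(right, subkey):
    # Toy round function (assumption, not DES's E / S-box / P):
    # first 32 bits of SHA-256(subkey || right half).
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def subkeys(key, rounds):
    # Toy key schedule (assumption, not PC1/PC2): K_i = SHA-256(key || i).
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def feistel(block, round_keys):
    L, R = block >> 32, block & MASK32
    for k in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        L, R = R, L ^ F(R, k)
    # Undo the final swap so the same routine also decrypts.
    return (R << 32) | L

def encrypt(block, key, rounds=16):
    return feistel(block, subkeys(key, rounds))

def decrypt(block, key, rounds=16):
    # Decryption is the same network with the subkeys in reverse order;
    # F itself never has to be inverted.
    return feistel(block, subkeys(key, rounds)[::-1])

def avalanche(key, rounds, block=0x0123456789ABCDEF):
    # Mean number of ciphertext bits (out of 64) that change when a
    # single plaintext bit is flipped, averaged over all 64 positions.
    base = encrypt(block, key, rounds)
    changed = [bin(base ^ encrypt(block ^ (1 << b), key, rounds)).count("1")
               for b in range(64)]
    return sum(changed) / 64

if __name__ == "__main__":
    key = b"constructed demo key"
    ct = encrypt(0x0123456789ABCDEF, key)
    assert decrypt(ct, key) == 0x0123456789ABCDEF
    for r in (1, 2, 3, 16):
        print(f"{r:2d} rounds: {avalanche(key, r):5.2f} of 64 bits change")
```

With a single round a flipped left-half bit changes exactly one output bit, so the average stays far below half; after a few rounds it settles near 32 of 64.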

Page 28: Applied Cryptography (Symmetric)

Stream Ciphers

• process message bit by bit (as a stream)
• have a pseudo random keystream
• combined (XOR) with plaintext bit by bit
• randomness of stream key completely destroys statistical properties in message
    $C_i = M_i \ \mathrm{XOR}\ \mathrm{StreamKey}_i$
• but must never reuse stream key
    • otherwise can recover messages (cf book cipher)

Page 29: Applied Cryptography (Symmetric)

Stream Cipher Structure

Page 30: Applied Cryptography (Symmetric)

Stream Cipher Properties

• some design considerations are:
    • long period with no repetitions
    • statistically random
    • depends on large enough key
    • large linear complexity
• properly designed, can be as secure as a block cipher with same size key
• but usually simpler & faster

Page 31: Applied Cryptography (Symmetric)

RC4

• a proprietary cipher owned by RSA DSI
• another Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• widely used (web SSL/TLS, wireless WEP)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info processed a byte at a time

Page 32: Applied Cryptography (Symmetric)

RC4 Encryption

• encryption continues shuffling array values
• sum of shuffled pair selects "stream key" value from permutation
• XOR S[t] with next byte of message to en/decrypt

    i = j = 0
    for each message byte M_i
        i = (i + 1) (mod 256)
        j = (j + S[i]) (mod 256)
        swap(S[i], S[j])
        t = (S[i] + S[j]) (mod 256)
        C_i = M_i XOR S[t]

Page 33: Applied Cryptography (Symmetric)

RC4 Overview

Page 34: Applied Cryptography (Symmetric)

RC4 Security

• claimed secure against known attacks
    • have some analyses, none practical
• result is very non-linear
• since RC4 is a stream cipher, must never reuse a key
• have a concern with WEP, but due to key handling rather than RC4 itself
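
The RC4 per-byte loop from the "RC4 Encryption" slide and the "must never reuse a key" rule from the stream cipher slides, as an added example that is not part of the original slides. The key setup loop is standard RC4 but is not spelled out in the transcript; the keys and messages are constructed sample values, and the function names are chosen here.

```python
def rc4_keystream(key, n):
    """Return n bytes of RC4 keystream for the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        # Key setup (not on the slides): key forms a permutation of 0..255.
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        # Per-byte loop exactly as on the "RC4 Encryption" slide.
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key, data):
    # C_i = M_i XOR S[t]; the same call decrypts.
    return xor(data, rc4_keystream(key, len(data)))

def reuse_leak(key, known_msg, other_msg):
    """What an eavesdropper learns when one key encrypts two messages."""
    c1, c2 = rc4(key, known_msg), rc4(key, other_msg)
    # The keystream cancels: c1 XOR c2 == known_msg XOR other_msg,
    # so knowing one plaintext reveals the other without the key.
    return xor(xor(c1, c2), known_msg)

if __name__ == "__main__":
    # Widely published RC4 test vector.
    print(rc4(b"Key", b"Plaintext").hex())
    # Constructed messages of equal length, same key used twice.
    print(reuse_leak(b"shared key", b"attack at dawn!!", b"retreat at noon!"))
```

This is why protocols built on a stream cipher need a fresh key or a unique per-message value mixed into the key for every message.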

