Computer Security- Block Ciphers & DES (Data Encryption Standard)
Howon Kim
2019.3
Agenda
Review
Block Ciphers & Stream Ciphers
Stream Ciphers
Block Ciphers
DES
Cryptanalysis
Modes of Operations
Next…
Review: Attack Types
Ciphertext only: Eve has only a copy of the ciphertext.
Known plaintext: Eve has a copy of a ciphertext and the corresponding plaintext. For example, if Eve knows that Alice always starts her message with “Dear Bob,” then Eve has a small piece of ciphertext and corresponding plaintext.
Chosen plaintext: Eve gains temporary access to the encryption machine. She cannot open it to find the key, but she can encrypt a large number of suitably chosen plaintexts and try to use the resulting ciphertexts to deduce the key.
Chosen ciphertext: Eve obtains temporary access to the decryption machine.
Review: Ciphertext Only Attack
Eve has only the ciphertext.
Y M W J J U F W Y X
Her best strategy is an exhaustive search.
There are only 26 possible keys.
If the message is longer than a few letters, it is unlikely that there is more than one meaningful message that could be the plaintext.
Try to decrypt it!
Review: Known Plaintext Attack
It is trivial (for the shift cipher; in general it is not).
If Eve knows just one letter of the plaintext along with the corresponding letter of ciphertext, she can deduce the key.
In the example above…
Ciphertext: Y M W J J U F W Y X
Plaintext: ? ? ? ? ? p ? ? ? ?
Review: CPA, CCA
Attack 3: Chosen plaintext attack
Choose the letter a as the plaintext.
The ciphertext gives the key itself.
Example: a → F (key = 5)
Attack 4: Chosen ciphertext attack
Choose the letter A as the ciphertext.
The plaintext is the negative of the key.
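To make the four attack settings concrete, here is an added example (not part of the slides) in Python that implements the shift cipher of the review and each of the four attacks against it, using the slide's ciphertext YMWJJUFWYX. The function names and the encryption/decryption oracles handed to the chosen-plaintext and chosen-ciphertext attacks are this example's own.

```python
import string

ALPHABET = string.ascii_lowercase  # shift cipher over a..z, key in 0..25


def shift_encrypt(plaintext, key):
    """Encrypt lowercase plaintext with a shift cipher; ciphertext is uppercase."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26].upper() for c in plaintext)


def shift_decrypt(ciphertext, key):
    """Decrypt uppercase ciphertext; plaintext is lowercase."""
    return "".join(ALPHABET[(ALPHABET.index(c.lower()) - key) % 26] for c in ciphertext)


def ciphertext_only_attack(ciphertext):
    """Exhaustive search: try all 26 keys and return every candidate plaintext.
    Only one candidate reads as a meaningful message once the text is a few letters long."""
    return {key: shift_decrypt(ciphertext, key) for key in range(26)}


def known_plaintext_attack(plain_char, cipher_char):
    """A single (plaintext letter, ciphertext letter) pair determines the key."""
    return (ALPHABET.index(cipher_char.lower()) - ALPHABET.index(plain_char)) % 26


def chosen_plaintext_attack(encrypt_oracle):
    """Encrypt 'a' (value 0): the ciphertext letter is the key itself."""
    return ALPHABET.index(encrypt_oracle("a").lower())


def chosen_ciphertext_attack(decrypt_oracle):
    """Decrypt 'A' (value 0): the plaintext letter is the negative of the key."""
    return (-ALPHABET.index(decrypt_oracle("A"))) % 26


if __name__ == "__main__":
    ciphertext = "YMWJJUFWYX"  # the slide's example ciphertext
    for key, candidate in ciphertext_only_attack(ciphertext).items():
        print(key, candidate)  # only key 5 gives a meaningful message
    print(known_plaintext_attack("p", "U"))                        # sixth letter pair -> 5
    print(chosen_plaintext_attack(lambda p: shift_encrypt(p, 5)))  # 5
    print(chosen_ciphertext_attack(lambda c: shift_decrypt(c, 5)))  # 5
```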
Block vs Stream Ciphers
Block ciphers process messages in blocks, each of which is then encrypted or decrypted, like a substitution on very big characters (64 bits or more).
Stream ciphers process messages a bit or byte at a time when encrypting or decrypting.
Reference: Understanding Cryptography by C. Paar & J. Pelzl
[Figure: block vs stream ciphers]
Encryption & Decryption with Stream Ciphers
[Figure: encryption and decryption with stream ciphers]
Synchronous vs. Asynchronous Stream Cipher
Synchronous stream cipher: the key stream depends only on the key (and possibly an initialization vector IV).
Asynchronous stream cipher: the key stream also depends on the ciphertext (the dotted feedback path in the figure is enabled).
Why is mod 2 addition a good encryption function?
The randomness of the key stream s_i is carried over directly into the ciphertext; that is, the XOR (mod 2) operation transfers the randomness of s_i to the ciphertext. In the figure, 0 and 1 each occur in the key stream s_i with probability 0.5, so after mod 2 addition (XOR) the ciphertext y_i has the same statistical property as the random stream s_i.
LFSR Sequences: Example of Stream Cipher
Linear Feedback Shift Register (LFSR)
defined by a linear recurrence.
implemented very easily, especially in hardware.
very fast (in terms of operating frequency, though not necessarily throughput).
[Figure: three registers x_{m+2}, x_{m+1}, x_m feeding an XOR gate; the key stream bit is XORed with the plaintext to give the ciphertext]
Example: x_{m+3} = x_{m+1} XOR x_m
Initial state (initial values): x1 x2 x3 = 010
Generated sequence: 0101110010111001…
Plaintext (AB…): 0100000101000010…
Ciphertext: 0001110111111011…
Computing the sequence from x_{m+3} = x_{m+1} XOR x_m:
m=1: x4 = x2 xor x1 = 1 xor 0 = 1
m=2: x5 = x3 xor x2 = 0 xor 1 = 1
m=3: x6 = x4 xor x3 = 1 xor 0 = 1
m=4: x7 = x5 xor x4 = 1 xor 1 = 0
m=5: x8 = x6 xor x5 = 1 xor 1 = 0
m=6: x9 = x7 xor x6 = 0 xor 1 = 1
m=7: x10 = x8 xor x7 = 0 xor 0 = 0
m=8: x11 = x9 xor x8 = 1 xor 0 = 1
m=9: x12 = x10 xor x9 = 0 xor 1 = 1
m=10: x13 = x11 xor x10 = 1 xor 0 = 1
m=11: x14 = x12 xor x11 = 1 xor 1 = 0
m=12: x15 = x13 xor x12 = 1 xor 1 = 0
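The same LFSR and the same encryption, as an added Python example that is not the slides' code: it runs the recurrence x_{m+3} = x_{m+1} XOR x_m from the initial state 010, XORs the key stream with the ASCII bits of "AB", and measures the period of the register (7 = 2^3 - 1 for this state). The function names and the MSB-first byte-to-bit convention are this example's own.

```python
def lfsr_sequence(initial_state, length):
    """Generate `length` bits of the slide's LFSR: x_{m+3} = x_{m+1} XOR x_m.

    initial_state: the three starting bits (x1, x2, x3), e.g. [0, 1, 0].
    """
    bits = list(initial_state)
    while len(bits) < length:
        m = len(bits) - 3  # 0-based index of x_m for the next output bit
        bits.append(bits[m + 1] ^ bits[m])
    return bits[:length]


def bits_from_bytes(data):
    """Bytes -> list of bits, most significant bit of each byte first (a convention)."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_str(bits):
    return "".join(str(b) for b in bits)


def stream_encrypt(plaintext, initial_state):
    """Stream-cipher encryption: plaintext bits XOR key-stream bits."""
    p = bits_from_bytes(plaintext)
    ks = lfsr_sequence(initial_state, len(p))
    return [a ^ b for a, b in zip(p, ks)]


def stream_decrypt(cipher_bits, initial_state):
    """Decryption is the same XOR with the same key stream; bits are packed back into bytes."""
    ks = lfsr_sequence(initial_state, len(cipher_bits))
    p = [a ^ b for a, b in zip(cipher_bits, ks)]
    return bytes(int(bits_to_str(p[i:i + 8]), 2) for i in range(0, len(p), 8))


def period(initial_state):
    """Length of the cycle the 3-bit register state traverses (at most 2^3 - 1 = 7)."""
    state = tuple(initial_state)
    seen = {state: 0}
    step = 0
    while True:
        step += 1
        state = (state[1], state[2], state[1] ^ state[0])  # shift in x_{m+3}
        if state in seen:
            return step - seen[state]
        seen[state] = step


if __name__ == "__main__":
    print(bits_to_str(lfsr_sequence([0, 1, 0], 16)))      # 0101110010111001
    print(bits_to_str(stream_encrypt(b"AB", [0, 1, 0])))  # 0001110111111011
    print(period([0, 1, 0]))                               # 7
```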
LFSR Sequences
Key length vs. sequence length
Key length n → sequence length ≤ 2^n - 1.
Above example:
Key length = 3
Sequence length = 7
An “approximation” to a one-time pad
A small input generates a long binary sequence.
The one-time pad (OTP) is an encryption algorithm where the plaintext is combined with a random key or "pad" that is as long as the plaintext and used only once. A modular addition is used to combine the plaintext with the pad. (For binary data, the operation XOR amounts to the same thing.) [From Wikipedia]
LFSR Sequences: Attack
Unfortunately, this encryption method succumbs easily to a known plaintext attack.
This is because the construction is linear.
If we know only a few consecutive bits of plaintext, along with the corresponding bits of ciphertext, an attack can determine the whole sequence.
Linear:
- superposition property: f(x+y) = f(x) + f(y)
- homogeneity of degree 1: f(ax) = a·f(x)
LFSR Sequences: Attack
Example
Suppose we know an initial segment of the (plaintext, ciphertext) pair.
Sequence: 01101011110…
Plaintext: 11111111111…
Ciphertext: 10010100001110100100101010101011110010…
LFSR Sequences: Attack
An attacker tries to recover the linear recurrence.
She doesn't know the size of the LFSR.
First start with length 2:
x_{n+2} = c0·x_n + c1·x_{n+1} (“+” means XOR)
Let n = 1 and n = 2, and use the known values x1 = 0, x2 = 1, x3 = 1, x4 = 0.
(Sequence: 01101011110…)
x3 = c0·x1 + c1·x2
x4 = c0·x2 + c1·x3
1 = c0·0 + c1·1
0 = c0·1 + c1·1
c0 = 1, c1 = 1
x5 = x3 + x4 = 1 + 0 = 1
x6 = x4 + x5 = 0 + 1 = 1
x7 = x5 + x6 = 1 + 1 = 0
x8 = x6 + x7 = 1 + 0 = 1
…
We get
Generated sequence: 01101101…
Not correct! (the known sequence has x6 = 0)
LFSR Sequences: Attack
Try another length, 3.
This is impossible too: the three equations are inconsistent.
Try length = 4.
x_{n+4} = c0·x_n + c1·x_{n+1} + c2·x_{n+2} + c3·x_{n+3}
(Sequence: 01101011110…)
x5 = c0·x1 + c1·x2 + c2·x3 + c3·x4
x6 = c0·x2 + c1·x3 + c2·x4 + c3·x5
x7 = c0·x3 + c1·x4 + c2·x5 + c3·x6
x8 = c0·x4 + c1·x5 + c2·x6 + c3·x7
c0 = 1, c1 = 1, c2 = 0, c3 = 0
LFSR Sequences: Attack
Generalization
It is known that an attacker can recover the linear recurrence if 2n consecutive elements of the sequence are revealed.
This is much smaller than the period length of the sequence, i.e., 2^n - 1.
Improvement
The problem is that the recurrence is linear, and an attacker can set up a matrix equation.
So, we append some nonlinear elements.
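The recurrence-recovery procedure of the last three slides, as an added Python example that is not the slides' code: known plaintext XOR ciphertext gives the key-stream bits; then for register length k = 1, 2, 3, 4, … the k linear equations over GF(2) are formed from the first 2k bits, solved by Gaussian elimination (the "matrix equation" of the Generalization slide), and the first recurrence that regenerates the whole known key stream is kept. The solver, the all-ones plaintext sample and the function names are this example's own; on the slide's data it rejects k = 2 (wrong continuation) and k = 3 (inconsistent equations) and returns k = 4 with (c0, c1, c2, c3) = (1, 1, 0, 0).

```python
def lfsr_from_recurrence(coeffs, seed, length):
    """Run x_{n+k} = c0 x_n + c1 x_{n+1} + ... + c_{k-1} x_{n+k-1} (sums are XOR)."""
    bits = list(seed)
    k = len(coeffs)
    while len(bits) < length:
        window = bits[-k:]                      # x_n .. x_{n+k-1}
        bits.append(sum(c & x for c, x in zip(coeffs, window)) & 1)
    return bits


def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2) for A c = b.
    Returns one solution (free variables set to 0) or None if the system is inconsistent."""
    n = len(rows[0])
    m = [row[:] + [b] for row, b in zip(rows, rhs)]   # augmented matrix
    pivot_cols = []
    r = 0
    for col in range(n):
        pivot = next((i for i in range(r, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[r], m[pivot] = m[pivot], m[r]
        for i in range(len(m)):
            if i != r and m[i][col]:
                m[i] = [a ^ b for a, b in zip(m[i], m[r])]
        pivot_cols.append(col)
        r += 1
    if any(row[-1] for row in m[r:]):         # a row reading 0 = 1: no solution
        return None
    sol = [0] * n
    for i, col in enumerate(pivot_cols):
        sol[col] = m[i][-1]
    return sol


def keystream_from_known_plaintext(plaintext_bits, ciphertext_bits):
    return [p ^ c for p, c in zip(plaintext_bits, ciphertext_bits)]


def recover_recurrence(keystream, max_length=8):
    """Try register lengths k = 1, 2, ...: build k equations x_{n+k} = ... from the
    first 2k key-stream bits, solve for the coefficients, and accept the first
    recurrence that reproduces the entire known key stream."""
    for k in range(1, max_length + 1):
        if len(keystream) < 2 * k:
            return None                         # fewer than 2k bits known
        rows = [keystream[i:i + k] for i in range(k)]
        rhs = [keystream[i + k] for i in range(k)]
        coeffs = solve_gf2(rows, rhs)
        if coeffs is None:
            continue                            # inconsistent, like k = 3 on the slide
        if lfsr_from_recurrence(coeffs, keystream[:k], len(keystream)) == keystream:
            return k, coeffs
    return None


if __name__ == "__main__":
    # Constructed sample: the slide's all-ones plaintext and its ciphertext prefix.
    plaintext = [1] * 11
    ciphertext = [1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1]
    ks = keystream_from_known_plaintext(plaintext, ciphertext)   # 01101011110
    print(recover_recurrence(ks))                                # (4, [1, 1, 0, 0])
```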
Real Stream Cipher 1 – A5/1
Example: GSM A5/1 Stream Cipher
Used to encrypt mobile phone conversations
[Figure: three registers R1, R2, R3 with clocking bits C1, C2, C3; m = Majority(C1, C2, C3)]
Only the registers whose clocking bit agrees with the majority are clocked; that is, either two or three registers are clocked in each step.
Ex1) If C1=0, C2=1, C3=0 then clock R1 and R3
Ex2) If C1=1, C2=1, C3=1 then clock R1, R2 and R3
http://en.wikipedia.org/wiki/Image:A5-1.png
New Stream Cipher Standardization
ECRYPT: European Network of Excellence for Cryptology
eSTREAM: ECRYPT Stream Cipher Project
Phase 1 (Nov. 2004 ~): submission of cryptographic primitives
Phase 2 (Aug. 2006 ~): seven SW-based candidates: DRAGON, HC-256, LEX, Phelix, Py, Salsa20, SOSEMANUK; four HW-based candidates: Grain, MICKEY-128, Phelix, Trivium
Phase 3 (April 2007 ~): eight SW-based candidates: CryptMT, Dragon, HC, LEX, NLS, Rabbit, Salsa20, SOSEMANUK; eight HW-based candidates: DECIM, Edon80, F-FCSR, Grain, MICKEY, Moustique, Pomaranch, Trivium
eSTREAM Portfolio (April 2008), finalized: S/W: HC-128, Rabbit, Salsa20/12, SOSEMANUK; H/W: F-FCSR-H v2, Grain v1, MICKEY v2, Trivium
Real Stream Cipher 2 - Trivium
A Modern Stream Cipher: Trivium (developed by Bart Preneel)
3 nonlinear LFSRs (NLFSRs) of length 93, 84, 111
Small in H/W: total register count 288; nonlinearity: 3 AND gates; 7 XOR gates (4 with three inputs)
Trivium
Initialization
Load leftmost 80-bit IV (initial vector) into A
Load leftmost 80-bit key into B
Set c109, c110, c111 = 1, all other register bits 0
Warm-up
Clock cipher 4 x 288 = 1,152 times without generating output
Encryption
The XOR sum of all three NLFSR outputs generates the key stream s_i
• The IV acts as a randomizer, but it need not be kept secret (only the key is secret!).
• In a stream cipher, if the IV is not changed, the same key generates the same key stream, which is a security problem. Therefore the IV is changed so that the same key produces a different key stream.
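The Trivium description above, as an added Python implementation that is not the slides' code. It follows the De Cannière and Preneel specification, which loads the key into the 93-bit register and the IV into the 84-bit register (the slides label the registers A and B the other way round), sets the last three bits of the 111-bit register to 1, and clocks 4 x 288 times before any output. The MSB-first byte-to-bit order, the sample key and IV, and the function names are assumptions of this example. The last function demonstrates the IV-reuse note above: with the same key and IV the two key streams are identical, so the XOR of two ciphertexts equals the XOR of the two plaintexts.

```python
def bytes_to_bits(data):
    """Bytes -> list of bits, most significant bit of each byte first (a convention
    chosen for this example; the eSTREAM reference code numbers bits differently)."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def trivium_keystream(key, iv, nbits):
    """Return nbits of Trivium key stream for a 10-byte key and 10-byte IV."""
    k, v = bytes_to_bits(key), bytes_to_bits(iv)
    assert len(k) == 80 and len(v) == 80
    # s[0..287] holds s1..s288: key in the 93-bit register, IV in the 84-bit
    # register, and the last three bits of the 111-bit register set to 1.
    s = k + [0] * 13 + v + [0] * 4 + [0] * 108 + [1, 1, 1]
    out = []
    for i in range(4 * 288 + nbits):
        t1 = s[65] ^ s[92]                 # s66 + s93
        t2 = s[161] ^ s[176]               # s162 + s177
        t3 = s[242] ^ s[287]               # s243 + s288
        z = t1 ^ t2 ^ t3                   # key-stream bit: XOR of the three register outputs
        t1 ^= (s[90] & s[91]) ^ s[170]     # the only nonlinearity: three AND gates
        t2 ^= (s[174] & s[175]) ^ s[263]
        t3 ^= (s[285] & s[286]) ^ s[68]
        s = [t3] + s[0:92] + [t1] + s[93:176] + [t2] + s[177:287]   # shift all three
        if i >= 4 * 288:                   # the 1,152 warm-up clocks produce no output
            out.append(z)
    return out


def stream_xor(data, key, iv):
    """Encrypt or decrypt: XOR the data with the key stream, byte by byte."""
    ks = trivium_keystream(key, iv, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        kbyte = 0
        for j in range(8):
            kbyte = (kbyte << 1) | ks[8 * i + j]
        out.append(byte ^ kbyte)
    return bytes(out)


def iv_reuse_leaks(p1, p2, key, iv):
    """With the same key and IV, c1 XOR c2 == p1 XOR p2: the key stream cancels out."""
    c1, c2 = stream_xor(p1, key, iv), stream_xor(p2, key, iv)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))


# Constructed sample values for the demonstration (not real key material).
SAMPLE_KEY = bytes(range(10))
SAMPLE_IV = bytes(10)
OTHER_IV = bytes(9) + b"\x01"

if __name__ == "__main__":
    ct = stream_xor(b"hello world", SAMPLE_KEY, SAMPLE_IV)
    print(stream_xor(ct, SAMPLE_KEY, SAMPLE_IV))                     # b'hello world'
    print(trivium_keystream(SAMPLE_KEY, SAMPLE_IV, 16)
          != trivium_keystream(SAMPLE_KEY, OTHER_IV, 16))           # True: new IV, new stream
    print(iv_reuse_leaks(b"attack at dawn", b"retreat at noon", SAMPLE_KEY, SAMPLE_IV))  # True
```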
Block Cipher Principles
most symmetric block ciphers are based on a Feistel cipher structure
block ciphers look like an extremely large substitution
would need a table of 2^64 entries for a 64-bit block
instead create from smaller building blocks
using the idea of a product cipher
Claude Shannon and Substitution-Permutation Ciphers
in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
modern substitution-transposition product cipher
these form the basis of modern block ciphers
S-P networks are based on the two primitive cryptographic operations we have seen before:
substitution (S-box)
permutation (P-box)
provide confusion and diffusion of message
Confusion and Diffusion
a cipher needs to completely obscure the statistical properties of the original message
a one-time pad does this
more practically Shannon suggested combining elements to obtain:
diffusion: dissipates the statistical structure of the plaintext over the bulk of the ciphertext. Diffusion is associated with the dependency of bits of the output on bits of the input. In a cipher with good diffusion, flipping an input bit should change each output bit with a probability of one half. Transposition is a technique for diffusion.
confusion: makes the relationship between ciphertext and key as complex as possible. Substitution (S-box) is a technique for confusion.
Feistel Cipher Structure
Horst Feistel devised the Feistel cipher based on the concept of an invertible product cipher
partitions the input block into two halves
processes through multiple rounds which perform a substitution on the left data half based on a round function of the right half & subkey
then have a permutation swapping halves
implements Shannon's substitution-permutation network concept
Feistel Cipher Structure
The basic operation is as follows:
For encryption, split the plaintext block into two equal pieces (L0, R0).
For each round i = 1, 2, …, n compute Li = Ri-1, Ri = Li-1 XOR f(Ri-1, Ki), where f is the round function and Ki is the sub-key.
Then the ciphertext is (Ln, Rn).
For decryption, input (Ln, Rn). For each round i = n, n-1, …, 1 compute Ri-1 = Li, Li-1 = Ri XOR f(Li, Ki).
[Figure: Feistel network. Encryption runs rounds 1 to n, Li = Ri-1, Ri = Li-1 + f(Ri-1, Ki), from (L0, R0) through (L1, R1), …, (Ln-1, Rn-1) to (Ln, Rn); decryption runs rounds n to 1, Ri-1 = Li, Li-1 = Ri + f(Li, Ki), back to (L0, R0)]
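An added Python example (not from the slides) of the Feistel structure just described: encryption follows Li = Ri-1, Ri = Li-1 XOR f(Ri-1, Ki) with no swap after the last round, and decryption runs the rounds backwards with Ri-1 = Li, Li-1 = Ri XOR f(Li, Ki). The SHA-256-based round function, the toy key schedule and the 8-byte block are assumptions of this example (this is not DES's f); the point is that decryption inverts encryption for any f, invertible or not. The avalanche helper measures the diffusion property from the Confusion and Diffusion slide: after one round a flipped left-half bit changes exactly one output bit, while after eight rounds about half of the output bits change.

```python
import hashlib
import random


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(right, subkey):
    """f(R, K): any function will do for the structure; a hash is used here (assumption)."""
    return hashlib.sha256(subkey + right).digest()[:4]


def subkeys(master_key, rounds):
    """Toy key schedule (assumption): K_i = SHA-256(key || i)[:8] for i = 1..rounds."""
    return [hashlib.sha256(master_key + bytes([i])).digest()[:8] for i in range(1, rounds + 1)]


def feistel_encrypt(block, keys):
    """(L0, R0) = halves of the 8-byte block; per round L_i = R_{i-1},
    R_i = L_{i-1} XOR f(R_{i-1}, K_i); output (L_n, R_n) with no final swap."""
    L, R = block[:4], block[4:]
    for K in keys:
        L, R = R, xor(L, round_function(R, K))
    return L + R


def feistel_decrypt(block, keys):
    """Rounds n down to 1: R_{i-1} = L_i, L_{i-1} = R_i XOR f(L_i, K_i)."""
    L, R = block[:4], block[4:]
    for K in reversed(keys):
        L, R = xor(R, round_function(L, K)), L
    return L + R


def avalanche(rounds, flip_bit, trials=200, seed=1):
    """Fraction of the 64 output bits that change when input bit `flip_bit` (0 = MSB)
    is flipped, averaged over random blocks (seeded, so the result is reproducible)."""
    rng = random.Random(seed)
    keys = subkeys(b"example-key", rounds)   # constructed key, not secret material
    changed = 0
    for _ in range(trials):
        block = bytes(rng.getrandbits(8) for _ in range(8))
        flipped = bytearray(block)
        flipped[flip_bit // 8] ^= 1 << (7 - flip_bit % 8)
        diff = xor(feistel_encrypt(block, keys), feistel_encrypt(bytes(flipped), keys))
        changed += sum(bin(b).count("1") for b in diff)
    return changed / (trials * 64)


if __name__ == "__main__":
    keys = subkeys(b"example-key", 8)
    ct = feistel_encrypt(b"12345678", keys)
    print(feistel_decrypt(ct, keys))   # b'12345678'
    print(avalanche(1, 0))             # 0.015625: one round moves 1 of 64 bits
    print(avalanche(8, 0))             # about 0.5: good diffusion after 8 rounds
```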
Feistel Cipher Design Principles
block size: increasing block size improves security, but slows cipher
key size: increasing key size improves security, makes exhaustive key searching harder, but may slow cipher
number of rounds: increasing number improves security, but slows cipher
subkey generation: greater complexity can make analysis harder, but slows cipher
round function: greater complexity can make analysis harder, but slows cipher
fast software en/decryption & ease of analysis are more recent concerns for practical use and testing
Data Encryption Standard (DES)
most widely used block cipher in world
adopted in 1977 by NBS (now NIST)
as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has been considerable controversy over its security
www.nist.gov
Block Cipher Design Principles
basic principles still like Feistel in 1970’s
number of rounds
more is better, exhaustive search best attack
function f:
provides “confusion”, is nonlinear, avalanche
key schedule
complex subkey creation, key avalanche
DES History
IBM developed the Lucifer cipher by a team led by Feistel
used 64-bit data blocks with a 128-bit key
then redeveloped as a commercial cipher with input from NSA (http://ww.nsa.gov) and others
in 1973 NBS issued a request for proposals for a national cipher standard
IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy
although DES standard is public
was considerable controversy over design
in choice of 56-bit key (vs Lucifer 128-bit)
and because design criteria were classified, not opened to the public
subsequent events and public analysis show in fact design was appropriate
DES has become widely used, especially in financial applications
Data Encryption Standard: Structure
Basic operations: substitution, transposition, linear operation (XOR)
[Figure: the DES encryption algorithm takes 64-bit plaintext X and 56-bit key K to 64-bit ciphertext Y = EK(X); the DES decryption algorithm takes Y and K back to X = DK(Y)]
Data Encryption Standard: Encryption
[Figure: 64-bit plaintext X → transposition IP → round 1 … round 16, each using a 48-bit subkey K1 … K16 produced by the key schedule from the 56-bit key → 32-bit swap → IP-1 → 64-bit ciphertext Y]
Data Encryption Standard: One Round
[Figure: each round takes the 64-bit input (L0, R0), 32 bits each; f(R0, K1) is computed with the 48-bit subkey K1 and XORed with L0; the 64-bit output is (L1, R1). This transposition of halves is the Feistel system (Feistel cipher, Feistel network)]
Data Encryption Standard: Nonlinear function f
[Figure: f(R0, K1): the 32-bit R0 is expanded to 48 bits, XORed with the 48-bit subkey K1, split into eight 6-bit groups fed to the S-boxes S1 … S8 (substitution boxes), each producing 4 bits; the 32-bit result passes through permutation P to give the 32-bit f(R0, K1)]
DES
[Figure: complete DES. 64-bit plaintext → IP → (L0, R0) → round 1 with K1 (48 bits, from the key schedule of the 56-bit key): expansion to 48 bits, XOR with K1, S-boxes S1 … S8 (6 bits in, 4 bits out), P, XOR with L0 → (L1, R1) → … → round 16 with K16 → (L16, R16) → 32-bit swap (R16, L16) → IP-1 → 64-bit ciphertext]
DES Details: Initial Permutation / Inverse Permutation
X = IP(M), M = IP-1(X)
M7 → (IP) → x64; X64 → (IP-1) → m7
Through the IP, the 7th bit of the input M becomes the 64th bit of the output.
The numbers in the table are bit positions of the input; the output bit position of each input bit is its position in the table.
[Figure: IP operation illustrated (source: Wikipedia); m7 → x64]
DES Details: Expansion Permutation E
By duplications, the 32 bits are expanded to 48 bits.
[Table: expansion permutation E]
DES Details: S-Boxes
[Tables: S-boxes S1 … S8]
S-box: 6-bit input, 4-bit output
DES Details: S-Boxes
S-box operation (source: Wikipedia)
Row: outer two bits of the input
Column: middle 4 bits of the input (16 columns, 0 … 15)
Example with S5: input 011011 → row 01, column 1101 (= 13) → output 1001
DES Details: Permutation P
Permutation table: 32 bits → (P) → 32 bits
[Table: permutation P (source: Wikipedia)]
DES Key Schedule
Key K is a bitstring of length 64.
Only 56 bits are real key bits.
8 bits are parity-check bits for error detection.
The bits in positions 8, 16, …, 64 are defined so that each byte contains an odd number of 1's.
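The expansion E, the S-box lookup rule (row from the outer two bits, column from the middle four) and the key parity rule from the slides above, in an added Python example that is not the slides' code. The E table and the S1 and S5 tables are the ones from FIPS 46; the other six S-boxes are left out to keep the block short, so this is not a full DES, and the function names are this example's own. It reproduces the slide's S5 example (input 011011 → 1001), the S1 lookup that appears in the encryption example later (011000 → 0101), and checks the parity of the example key 133457799BBCDFF1.

```python
# Expansion table E (FIPS 46): output bit i (1-based) is input bit E[i-1].
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

# Two of the eight DES S-boxes (FIPS 46): 4 rows x 16 columns each.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
S5 = [[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
      [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
      [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
      [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]]


def expand(r32):
    """E: 32-bit int -> 48-bit int; the edge bits of each 4-bit group are duplicated."""
    out = 0
    for pos in E:
        bit = (r32 >> (32 - pos)) & 1   # input bits are numbered 1 (MSB) .. 32 (LSB)
        out = (out << 1) | bit
    return out


def sbox_lookup(sbox, six_bits):
    """Row = outer two bits (b1 b6), column = middle four bits (b2 b3 b4 b5)."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]


def key_parity_ok(key8):
    """DES key: 64 bits; bits 8, 16, ..., 64 make the weight of every byte odd."""
    return all(bin(b).count("1") % 2 == 1 for b in key8)


def effective_key_bits(key8):
    """Drop each byte's parity bit (its LSB): the 56 bits DES actually uses."""
    return "".join(format(b >> 1, "07b") for b in key8)


if __name__ == "__main__":
    print(format(sbox_lookup(S5, 0b011011), "04b"))   # 1001, the slide's S5 example
    print(format(sbox_lookup(S1, 0b011000), "04b"))   # 0101, from the encryption example
    print(hex(expand(0x80000000)))                    # 0x400000000001: input bit 1 appears twice
    print(key_parity_ok(bytes.fromhex("133457799BBCDFF1")))   # True
```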
DES Key Schedule
forms subkeys used in each round
consists of:
initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves (C,D)
16 stages consisting of:
selecting 24-bits from each half
permuting them by PC2 for use in function f,
rotating each half (C,D) separately either 1 or 2 bits depending on the key rotation schedule K
DES Key Schedule
Initial key: 56 bits
We get two 28-bit keys (C, D) after applying the initial permutation of the key (PC1)
At each round, we get 48 bits (two 24 bits) after the PC2 permutation
C and D are treated separately; C and D are rotated left by one or two bits
[Figure: 56-bit key split into C and D]
DES Encryption Example
key (64 bits, including parity bits; 56 bits are real key!): 13345779 9BBCDFF1
plain (64): 01234567 89ABCDEF
cipher (64): 85E81354 0F0AB405
[Figure: encrypter]
[Figure sequence: the example traced through DES. Plaintext 01234567 89ABCDEF → IP → (L0, R0), 32 bits each; R0 → E → 48 bits; XOR with the 48-bit subkey K1 from the key schedule; the first 6-bit group 011000 enters S1: row 00, column 1100 (= 12) → 5 = 0101; the S1 … S8 outputs (32 bits) → P → 1110111101… → XOR with L0 → (L1, R1); after 16 rounds (L16, R16) → 32-bit swap (R16, L16) → IP-1 → ciphertext]
Data Encryption Standard:Decryption
Same as encryption
We can use the same structure, but with the subkeys used in reverse order.
Strength of DES – Key Size
56-bit keys have 2^56 ≈ 7.2 x 10^16 values
brute force search looks hard
But recent advances have shown that it is possible:
in 1997 on the Internet in a few months
in 1998 on dedicated H/W in a few days
in 1999 the above combined in 22 hours!
still must be able to recognize plaintext
now considering alternatives to DES
Strength of DES – Timing Attacks
attacks on the actual implementation of the cipher
use knowledge of the consequences of the implementation to derive knowledge of some/all subkey bits
specifically use the fact that calculations can take varying times depending on the values of the inputs
particularly problematic on smartcards
Strength of DES – Analytic Attacks
now have several analytic attacks on DES
these utilize some deep structure of the cipher by gathering information about encryptions
can eventually recover some/all of the sub-key bits
if necessary then exhaustively search for the rest
generally these are statistical attacks
include differential cryptanalysis
linear cryptanalysis
related key attacks
71
Differential Cryptanalysis
one of the most significant recent (public) advances in cryptanalysis
known by NSA in 70's (The DES designer already knew this attacking technique)
Murphy, Biham & Shamir published 1990
powerful method to analyse block ciphers
used to analyse most current block ciphers with varying degrees of success
DES reasonably resistant to it
72
Differential Cryptanalysis
a statistical attack against Feistel ciphers
uses cipher structure not previously used
design of S-P networks has output of function f influenced by both input & key
hence cannot trace values back through cipher without knowing values of the key
Differential Cryptanalysis compares two related pairs of encryptions
73
Linear Cryptanalysis
another recent development
also a statistical method
must be iterated over rounds, with decreasing probabilities
developed by Matsui et al. in the early 90's
based on finding linear approximations
can attack DES with 2^47 known plaintexts, still in practice infeasible
Modes of Operation
block ciphers encrypt fixed-size blocks
e.g. DES encrypts 64-bit blocks with a 56-bit key
need a way to use them in practice, given there is usually an arbitrary amount of information to encrypt
four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
subsequently now have 5 for DES and AES
have block and stream modes
Electronic Codebook (ECB)
message is broken into independent blocks which are encrypted
each block is a value which is substituted, like a codebook, hence the name
each block is encoded independently of the other blocks: Ci = DES_K1(Pi)
uses: secure transmission of single values
[Figure: ECB mode]
Advantages and Limitations of ECB
repetitions in the message may show in the ciphertext if aligned with the message block
particularly with data such as graphics
or with messages that change very little, which become a code-book analysis problem
weakness due to encrypted message blocks being independent
main use is sending a few blocks of data
ECB Weakness Demo
[Figure: original image, ECB-encrypted image, CBC-encrypted image]
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
Cipher Block Chaining (CBC)
message is broken into blocks
but these are linked together in the encryption operation
each previous cipher block is chained with the current plaintext block, hence the name
use an Initial Vector (IV) to start the process: Ci = DES_K1(Pi XOR Ci-1), C-1 = IV
uses: bulk data encryption, authentication
[Figure: CBC mode]
Advantages and Limitations of CBC
each ciphertext block depends on all message blocks
thus a change in the message affects all ciphertext blocks after the change as well as the original block
need the Initial Value (IV) known to sender & receiver
however, if the IV is sent in the clear, an attacker can change bits of the first block, and change the IV to compensate
hence either the IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before the rest of the message
at the end of the message, handle a possible last short block by padding either with a known non-data value (e.g. nulls)
or pad the last block with a count of the pad size, e.g. [b1 b2 b3 0 0 0 0 5]
Cipher Feedback (CFB)
message is treated as a stream of bits
added to the output of the block cipher
result is fed back for the next stage (hence the name)
standard allows any number of bits (1, 8 or 64 or whatever) to be fed back, denoted CFB-1, CFB-8, CFB-64 etc.
is most efficient to use all 64 bits (CFB-64): Ci = Pi XOR DES_K1(Ci-1), C-1 = IV
uses: stream data encryption, authentication
[Figure: CFB mode]
Advantages and Limitations of CFB
appropriate when data arrives in bits/bytes
most common stream mode
limitation is the need to stall while doing a block encryption after every n bits
note that the block cipher is used in encryption mode at both ends
errors propagate for several blocks after the error
Output Feedback (OFB)
message is treated as a stream of bits
output of the cipher is added to the message
output is then fed back (hence the name)
feedback is independent of the message
can be computed in advance: Ci = Pi XOR Oi, Oi = DES_K1(Oi-1), O-1 = IV
uses: stream encryption over noisy channels
[Figure: OFB mode]
Advantages and Limitations of OFB
used when error feedback is a problem or where encryption is needed before the message is available
superficially similar to CFB
but feedback is from the output of the cipher and is independent of the message
a variation of a Vernam cipher, hence must never reuse the same sequence (key + IV)
sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
originally specified with m-bit feedback in the standards
subsequent research has shown that only OFB-64 should ever be used
Counter (CTR)
a “new” mode, though proposed early on
similar to OFB but encrypts a counter value rather than any feedback value
must have a different key & counter value for every plaintext block (never reused): Ci = Pi XOR Oi, Oi = DES_K1(i)
uses: high-speed network encryption
[Figure: CTR mode with counter, counter+1, …, counter+N-1]
Advantages and Limitations of CTR
efficiency
can do parallel encryptions
in advance of need
good for bursty high-speed links
random access to encrypted data blocks
provable security (as good as other modes)
but must ensure never to reuse key/counter values, otherwise could break (cf. OFB)
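The five modes of the preceding slides as an added Python example that is not the slides' code. The block cipher is a stand-in assumed for the example: an XOR with an 8-byte key, which is not a cipher at all but is an invertible 64-bit block function, so each mode's chaining, IV handling and padding can be run and checked; swapping E and D for a real 64-bit block cipher changes nothing else. The count padding is the one from the CBC slide, the CTR counter block is nonce || block index (an assumption), and the sample key, IV and message are constructed. The last function shows the ECB leak: identical plaintext blocks give identical ciphertext blocks under ECB but not under CBC.

```python
BLOCK = 8  # DES block size in bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def E(key, block):
    """Stand-in for DES_K (an assumption of this example): XOR with an 8-byte key.
    Not a cipher; just an invertible block function that keeps the chaining visible."""
    return xor(block, key)


def D(key, block):
    return xor(block, key)  # the stand-in is its own inverse


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(msg):
    """The slide's count padding: zeros, then one byte holding the pad length,
    e.g. [b1 b2 b3 0 0 0 0 5]; a whole block is added when msg already fits."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes(n - 1) + bytes([n])


def unpad(data):
    return data[:-data[-1]]


def ecb_encrypt(key, msg):                   # C_i = E_K(P_i): every block independent
    return b"".join(E(key, p) for p in blocks(pad(msg)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(D(key, c) for c in blocks(ct)))


def cbc_encrypt(key, iv, msg):               # C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV
    out, prev = [], iv
    for p in blocks(pad(msg)):
        prev = E(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):                # P_i = D_K(C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def cfb64(key, iv, data, decrypt=False):     # C_i = P_i XOR E_K(C_{i-1}); E_K at both ends
    out, prev = [], iv
    for x in blocks(data):
        y = xor(x, E(key, prev)[:len(x)])
        out.append(y)
        prev = x if decrypt else y           # the ciphertext block is what is fed back
    return b"".join(out)


def ofb(key, iv, data):                      # O_i = E_K(O_{i-1}): independent of the message
    out, o = [], iv
    for x in blocks(data):
        o = E(key, o)
        out.append(xor(x, o[:len(x)]))
    return b"".join(out)


def ctr(key, nonce, data):                   # O_i = E_K(nonce || i): parallel, random access
    return b"".join(xor(x, E(key, nonce + i.to_bytes(4, "big"))[:len(x)])
                    for i, x in enumerate(blocks(data)))


def repeated_blocks(ct):
    """Pairs (i, j) of positions holding identical ciphertext blocks: the codebook leak."""
    bs = blocks(ct)
    return [(i, j) for i in range(len(bs)) for j in range(i + 1, len(bs)) if bs[i] == bs[j]]


# Constructed sample values (not real key material).
SAMPLE_KEY = b"K" * 8
SAMPLE_IV = bytes(range(8))
SAMPLE_NONCE = b"\x00\x00\x00\x01"
SAMPLE_MSG = b"ATTACK AT DAWN!!" * 2       # blocks 0 and 2 (and 1 and 3) are equal

if __name__ == "__main__":
    print(repeated_blocks(ecb_encrypt(SAMPLE_KEY, SAMPLE_MSG)))              # [(0, 2), (1, 3)]
    print(repeated_blocks(cbc_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_MSG)))   # []
    print(cbc_decrypt(SAMPLE_KEY, SAMPLE_IV, cbc_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_MSG)))
```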
Next…
We will study modular arithmetic and finite fields…
Group
Ring
Field
Modular arithmetic
Finite field – prime field, binary field, etc.
Polynomial arithmetic, etc.
Q&A
DES cracker: EFF (Electronic Frontier Foundation)'s DES cracker
July 1998: DES Challenge II
Electronic Frontier Foundation (EFF) built a DES code-cracker for $250k
Cracked DES in 3 days
Jan. 1999: DES Challenge III
Distributed.Net used the EFF DES cracker plus 100,000 PCs on the Internet to crack DES in 22 hours 15 min.
Testing 245 billion keys/sec when the key was found
http://en.wikipedia.org/wiki/File:Board300.jpg
Timing attack: additional explanation
http://www.youtube.com/watch?feature=player_detailpage&v=BCmrBpKZl78
See also the relevant Python built-in function.