Computer Security - Block Ciphers & DES (Data Encryption Standard) Howon Kim 2019.3
  • Computer Security- Block Ciphers & DES (Data Encryption Standard)

    Howon Kim

    2019.3

  • 2

    Agenda

    Review

    Block Ciphers & Stream Ciphers

    Stream Ciphers

    Block Ciphers

    DES

    Cryptanalysis

    Modes of Operations

    Next…

  • 3

    Review: Attack Types

    Ciphertext only: Eve has only a copy of the ciphertext.

    Known plaintext: Eve has a copy of a ciphertext and the corresponding plaintext. For example, if Eve knows that Alice always starts her message with “Dear Bob,” then Eve has a small piece of ciphertext and corresponding plaintext.

    Chosen plaintext: Eve gains temporary access to the encryption machine. She cannot open it to find the key, but she can encrypt a large number of suitably chosen plaintexts and try to use the resulting ciphertexts to deduce the key.

    Chosen ciphertext: Eve obtains temporary access to the decryption machine.

  • 4

    Review: Ciphertext Only Attack

    Eve has only the ciphertext.

    Y M W J J U F W Y X

    Her best strategy is an exhaustive search.

    There are only 26 possible keys.

    If the message is longer than a few letters, it is unlikely that there is more than one meaningful message that could be the plaintext.

    Try to decrypt it!

  • 5

    Review: Known Plaintext Attack

    It’s trivial (for the shift cipher only; in general it is not).

    If Eve knows just one letter of the plaintext along with the corresponding letter of ciphertext, she can deduce the key.

    In the example above…

    Ciphertext: Y M W J J U F W Y X

    Plaintext: ? ? ? ? ? p ? ? ? ?

  • 6

    Review: CPA, CCA

    Attack 3: Chosen plaintext attack

    Choose the letter a as the plaintext.

    The ciphertext gives the key itself.

    Example: a → F (key = 5)

    Attack 4: Chosen ciphertext attack

    Choose the letter A as the ciphertext.

    The plaintext is the negative of the key.

  • 7

    Block vs Stream Ciphers

    block ciphers process messages in blocks, each of which is then en/decrypted

    like a substitution on very big characters

    64 bits or more

    stream ciphers process messages a bit or byte at a time when en/decrypting

  • 8 (Reference: Understanding Cryptography by C. Paar & J. Pelzl)

    Block vs Stream Ciphers

  • 9 (Reference: Understanding Cryptography by C. Paar & J. Pelzl)

    Encryption & Decryption with Stream Ciphers

  • 10 (Reference: Understanding Cryptography by C. Paar & J. Pelzl)

    Synchronous vs. Asynchronous Stream Cipher

    Synchronous stream cipher: the key stream depends only on the key (and possibly an initialization vector IV)

    Asynchronous stream cipher: the key stream also depends on the ciphertext (the dotted feedback path is enabled)

  • 11

    Why is mod 2 addition a good encryption function?

    The randomness of the key stream si carries over unchanged to the ciphertext; that is, the XOR (mod 2) operation transfers the randomness of si to the ciphertext. In the figure, the key stream si takes the values 0 and 1 with probability 0.5 each, so after mod-2 addition (XOR) the ciphertext yi inherits the statistical properties of the random stream si.

  • 12

    LFSR Sequences: Example of Stream Cipher

    Linear Feedback Shift Register (LFSR)

    defined by a linear recurrence.

    implemented very easily, especially in hardware.

    very fast (in terms of operating frequency, not throughput)

    [Figure: three registers xm+2, xm+1, xm with an XOR gate feeding back into the register; the key stream is XORed with the plaintext to give the ciphertext]

    Example: xm+3 = xm+1 XOR xm

    Initial state (initial values): x1x2x3 = 010

    Generated sequence: 0101110010111001…

    Plaintext (AB…): 0100000101000010…

    Ciphertext: 0001110111111011…

  • 13

    LFSR Sequences

    [Figure: the same three-register LFSR (xm+2, xm+1, xm) with XOR gate; key stream XORed with the plaintext gives the ciphertext]

    Example: xm+3 = xm+1 XOR xm

    Initial state (initial values): x1x2x3 = 010

    Generated sequence: 0101110010111001…

    Plaintext (AB…): 0100000101000010…

    Ciphertext: 0001110111111011…

    Applying xm+3 = xm+1 XOR xm step by step:

    m=1: x4 = x2 xor x1 = 1 xor 0 = 1

    m=2: x5 = x3 xor x2 = 0 xor 1 = 1

    m=3: x6 = x4 xor x3 = 1 xor 0 = 1

    m=4: x7 = x5 xor x4 = 1 xor 1 = 0

    m=5: x8 = x6 xor x5 = 1 xor 1 = 0

    m=6: x9 = x7 xor x6 = 0 xor 1 = 1

    m=7: x10 = x8 xor x7 = 0 xor 0 = 0

    m=8: x11 = x9 xor x8 = 1 xor 0 = 1

    m=9: x12 = x10 xor x9 = 0 xor 1 = 1

    m=10: x13 = x11 xor x10 = 1 xor 0 = 1

    m=11: x14 = x12 xor x11 = 1 xor 1 = 0

    m=12: x15 = x13 xor x12 = 1 xor 1 = 0

  • 14

    LFSR Sequences

    Key length vs. Sequence length

    Key length n ⇒ sequence length ≤ 2^n – 1.

    Above example

    Key length = 3

    Sequence length = 7

    An “approximation” to a one-time pad

    A small input generates a long binary sequence.

    The one-time pad (OTP) is an encryption algorithm where the plaintext is combined with a random key or "pad" that is as long as the plaintext and used only once. A modular addition is used to combine the plaintext with the pad. (For binary data, the operation XOR amounts to the same thing.) [From Wikipedia]
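    The LFSR of slides 12 to 14 as a small program (an added example, not code from the lecture): it generates the key stream from xm+3 = xm+1 XOR xm and the state 010, XORs it with the plaintext “AB”, and measures the period of the state, which for the 3-bit key reaches the 2^n – 1 bound. Function names are my own.

```python
# Added example (not from the lecture slides): the three-stage LFSR of the
# slides, x_{m+3} = x_{m+1} XOR x_m with initial state x1 x2 x3 = 010, used
# as a stream cipher, plus a period check against the 2^n - 1 bound.

def lfsr_keystream(initial_state, taps, nbits):
    """Generate nbits of key stream from a linear recurrence.

    initial_state: the first n bits x1..xn (oldest first).
    taps: 0-based indices into the current window (oldest bit = 0) that
          are XORed together to produce the next bit.
    """
    state = list(initial_state)
    out = []
    for _ in range(nbits):
        out.append(state[0])                 # output the oldest bit
        new_bit = 0
        for j in taps:
            new_bit ^= state[j]
        state = state[1:] + [new_bit]        # shift the window by one
    return out

def lfsr_period(initial_state, taps):
    """Length of the cycle of states (at most 2^n - 1 for n registers)."""
    state = list(initial_state)
    seen = {}
    step = 0
    while tuple(state) not in seen:
        seen[tuple(state)] = step
        new_bit = 0
        for j in taps:
            new_bit ^= state[j]
        state = state[1:] + [new_bit]
        step += 1
    return step - seen[tuple(state)]

def bits_from_ascii(text):
    return [int(b) for ch in text for b in format(ord(ch), "08b")]

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def bits_to_str(bits):
    return "".join(str(b) for b in bits)

# Slide values: x_{m+3} = x_{m+1} XOR x_m  ->  taps (1, 0); state 010.
SLIDE_TAPS = (1, 0)
SLIDE_STATE = [0, 1, 0]

def slide_example():
    """Encrypt the slide's plaintext 'AB' and decrypt it again."""
    plaintext = bits_from_ascii("AB")
    keystream = lfsr_keystream(SLIDE_STATE, SLIDE_TAPS, len(plaintext))
    ciphertext = xor_bits(plaintext, keystream)
    # Decryption is the same XOR with the same key stream.
    recovered = xor_bits(ciphertext, keystream)
    return {
        "keystream": bits_to_str(keystream),
        "plaintext": bits_to_str(plaintext),
        "ciphertext": bits_to_str(ciphertext),
        "recovered": bits_to_str(recovered),
        "period": lfsr_period(SLIDE_STATE, SLIDE_TAPS),
    }

if __name__ == "__main__":
    for name, value in slide_example().items():
        print(f"{name:>10}: {value}")
```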


  • 15

    LFSR Sequences: Attack

    Unfortunately,

    This encryption method succumbs easily to a known plaintext attack.

    This is because the construction is linear.

    If we know only a few consecutive bits of plaintext, along with the corresponding bits of ciphertext, an attack can determine the whole sequence.

    linear:

    - superposition property: f(x+y) = f(x) + f(y)

    - homogeneity of degree 1: f(ax) = a·f(x)

  • 16

    LFSR Sequences:Attack

    Example

    Suppose we know an initial segment of the (plaintext, ciphertext) pair.

    Sequence: 01101011110…

    Plaintext : 11111111111…

    Ciphertext: 10010100001110100100101010101011110010…

  • 17

    LFSR Sequences:Attack

    An attacker tries to recover the linear recurrence.

    She doesn’t know the size of the LFSR.

    First start with length 2:

    xn+2 = c0·xn + c1·xn+1 (“+” means XOR)

    Let n = 1 and n = 2, and use the known values x1 = 0, x2 = 1, x3 = 1, x4 = 0.

    (Sequence: 01101011110…)

    x3 = c0·x1 + c1·x2  →  1 = c0·0 + c1·1

    x4 = c0·x2 + c1·x3  →  0 = c0·1 + c1·1

    c0 = 1, c1 = 1

    x5 = x3 + x4 = 1 + 0 = 1

    x6 = x4 + x5 = 0 + 1 = 1

    x7 = x5 + x6 = 1 + 1 = 0

    x8 = x6 + x7 = 1 + 0 = 1

    we get

    Generated seq.: 01101101…

    Not correct!

  • 18

    LFSR Sequences:Attack

    Try another length, 3.

    This is impossible, too.

    Try length = 4.

    xn+4 = c0·xn + c1·xn+1 + c2·xn+2 + c3·xn+3

    (Sequence: 01101011110…)

    x5 = c0·x1 + c1·x2 + c2·x3 + c3·x4

    x6 = c0·x2 + c1·x3 + c2·x4 + c3·x5

    x7 = c0·x3 + c1·x4 + c2·x5 + c3·x6

    x8 = c0·x4 + c1·x5 + c2·x6 + c3·x7

    c0 = 1, c1 = 1, c2 = 0, c3 = 0

  • 19

    LFSR Sequences:Attack

    Generalization

    It is known that an attacker can recover the linear recurrence if 2n consecutive elements of the sequence are revealed.

    This is much smaller than the period length of a sequence, i.e., 2^n – 1.

    Improvement

    The problem is that the recurrence is linear, and an attacker can set up a matrix equation.

    So, we add some nonlinear elements.
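    The known-plaintext attack of slides 16 to 19, written out as an added example (not the lecture's code): the key stream is recovered as plaintext XOR ciphertext, and for each candidate length n the n×n system over GF(2) is solved by Gaussian elimination and the solution is checked against the remaining known bits, exactly as the slides try lengths 2, 3 and 4 by hand. Function names are my own.

```python
# Added example (not from the slides): recovering an LFSR recurrence from
# 2n consecutive key-stream bits by solving a linear system over GF(2).

def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2). rows: n lists of n bits, rhs: n bits.
    Returns a solution list, or None when the system is inconsistent."""
    n = len(rows)
    a = [row[:] + [b] for row, b in zip(rows, rhs)]   # augmented matrix
    pivot_cols = []
    r = 0
    for col in range(n):
        p = next((i for i in range(r, n) if a[i][col]), None)
        if p is None:
            continue
        a[r], a[p] = a[p], a[r]
        for i in range(n):
            if i != r and a[i][col]:
                a[i] = [x ^ y for x, y in zip(a[i], a[r])]
        pivot_cols.append(col)
        r += 1
    for i in range(r, n):          # 0 = 1 row means "impossible"
        if a[i][n]:
            return None
    x = [0] * n                    # free variables (if any) set to 0
    for i, col in enumerate(pivot_cols):
        x[col] = a[i][n]
    return x

def xor_all(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc

def recover_recurrence(bits, max_len):
    """Try LFSR lengths 1..max_len; return (n, [c0..c_{n-1}]) for the shortest
    recurrence x_{k+n} = c0 x_k + ... + c_{n-1} x_{k+n-1} that reproduces
    every known bit, or None if no length up to max_len fits."""
    for n in range(1, max_len + 1):
        if 2 * n > len(bits):           # need 2n known bits for n unknowns
            break
        rows = [bits[k:k + n] for k in range(n)]
        rhs = [bits[k + n] for k in range(n)]
        c = solve_gf2(rows, rhs)
        if c is None:
            continue                    # as for length 3 on the slide
        # A candidate must also generate the rest of the known sequence
        # (length 2 solves its 2x2 system but fails here, as on slide 17).
        fits = all(
            bits[k + n] == xor_all(c[j] & bits[k + j] for j in range(n))
            for k in range(len(bits) - n)
        )
        if fits:
            return n, c
    return None

def keystream_bits(plain, cipher):
    """Key stream = plaintext XOR ciphertext over the known segment."""
    return [int(p) ^ int(c) for p, c in zip(plain, cipher)]

# Known segment from slide 16 (first 11 bits of each string).
SLIDE_PLAIN = "11111111111"
SLIDE_CIPHER = "10010100001"

if __name__ == "__main__":
    ks = keystream_bits(SLIDE_PLAIN, SLIDE_CIPHER)
    print("key stream:", "".join(map(str, ks)))
    print("recovered (length, coefficients):", recover_recurrence(ks, 5))
```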

  • 20

    Real Stream Cipher 1 – A5/1

    Example: GSM A5/1 Stream Cipher

    Used to encrypt mobile phone conversations

    [Figure: three LFSRs R1, R2, R3 with clocking bits C1, C2, C3; m = Majority(C1, C2, C3)]

    Only the registers whose clocking bit agrees with the majority are clocked; that is, either two or three registers are clocked in each step.

    Ex1) If C1=0, C2=1, C3=0 then R1 and R3 are clocked.

    Ex2) If C1=1, C2=1, C3=1 then R1, R2 and R3 are clocked.

    http://en.wikipedia.org/wiki/Image:A5-1.png

  • 21

    New Stream Cipher Standardization

    ECRYPT: European Network of Excellence for Cryptology

    eSTREAM: ECRYPT Stream Cipher Project

    Phase 1 (Nov. 2004 ~): submission of cryptographic primitives

    Phase 2 (Aug. 2006 ~): seven SW-based candidates: DRAGON, HC-256, LEX, Phelix, Py, Salsa20, SOSEMANUK; four HW-based candidates: Grain, MICKEY-128, Phelix, Trivium

    Phase 3 (April 2007 ~): eight SW-based candidates: CryptMT, Dragon, HC, LEX, NLS, Rabbit, Salsa20, SOSEMANUK; eight HW-based candidates: DECIM, Edon80, F-FCSR, Grain, MICKEY, Moustique, Pomaranch, Trivium

    eSTREAM Portfolio (April 2008), finalized: S/W: HC-128, Rabbit, Salsa20/12, SOSEMANUK; H/W: F-FCSR-H v2, Grain v1, MICKEY v2, Trivium

  • 22

    Real Stream Cipher 2 – Trivium

    A Modern Stream Cipher: Trivium (developed by Bart Preneel)

    3 nonlinear LFSRs (NLFSR) of length 93, 84, 111

    Small in H/W: total register count 288; non-linearity: 3 AND gates, 7 XOR gates (4 with three inputs)

  • 23

    Trivium

    Initialization

    Load leftmost 80-bit IV (Initial Vector) into A

    Load leftmost 80-bit key into B

    Set c109, c110, c111 = 1, all other register bits 0

    Warm-Up

    Clock cipher 4 x 288 = 1,152 times w/o generating output

    Encryption

    XOR-sum of all three NLFSR outputs generates key stream si

    • The IV acts as a randomizer but does not need to be kept secret (the only secret information is the key!) • In a stream cipher, if the IV is not changed, the same key generates the same key stream, which causes a security problem. So the IV is changed so that the same key yields a different key stream.

  • 24

    Agenda

    Review

    Block Ciphers & Stream Ciphers

    Stream Ciphers

    Block Ciphers

    DES

    Cryptanalysis

    Modes of Operations

    Next…

  • 25

    Block Cipher Principles

    most symmetric block ciphers are based on a Feistel Cipher Structure

    block ciphers look like an extremely large substitution

    would need a table of 2^64 entries for a 64-bit block

    instead create from smaller building blocks

    using the idea of a product cipher

  • 26

    Claude Shannon and Substitution-Permutation Ciphers

    in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks

    modern substitution-transposition product cipher

    these form the basis of modern block ciphers

    S-P networks are based on the two primitive cryptographic operations we have seen before:

    substitution (S-box)

    permutation (P-box)

    provide confusion and diffusion of message

  • 27

    Confusion and Diffusion

    a cipher needs to completely obscure the statistical properties of the original message

    a one-time pad does this

    more practically, Shannon suggested combining elements to obtain:

    diffusion – dissipates the statistical structure of the plaintext over the bulk of the ciphertext. Diffusion is associated with the dependency of bits of the output on bits of the input.

    In a cipher with good diffusion, flipping an input bit should change each output bit with a probability of one half.

    Transposition is a technique for diffusion

    confusion – makes the relationship between ciphertext and key as complex as possible. Substitution (S-box) is a technique for confusion

  • 28

    Feistel Cipher Structure

    Horst Feistel devised the Feistel cipher based on the concept of an invertible product cipher

    partitions the input block into two halves and processes them through multiple rounds, each of which

    performs a substitution on the left data half based on a round function of the right half & subkey

    then has a permutation swapping the halves

    implements Shannon’s substitution-permutation network concept

  • 29

    Feistel Cipher Structure

    The basic operation is as follows:

    For encryption, split the plaintext block into two equal pieces (L0, R0).

    For each round i = 1, 2, …, n compute Li = Ri-1 and Ri = Li-1 XOR f(Ri-1, Ki), where f is the round function and Ki is the sub-key of round i.

    Then the ciphertext is (Ln, Rn).

    For decryption, input (Ln, Rn) and for each round i = n, n-1, …, 1 compute Ri-1 = Li and Li-1 = Ri XOR f(Li, Ki).

  • 30

    Feistel Cipher Structure

    Encryption, from round 1 to n: Li = Ri-1, Ri = Li-1 + f(Ri-1, Ki), where “+” is XOR

    Decryption, from round n to 1: Ri-1 = Li, Li-1 = Ri + f(Li, Ki)

    [Figure: (L0, R0) → round 1 → (L1, R1) → … → (Ln-1, Rn-1) → round n → (Ln, Rn) for encryption; (Ln, Rn) → rounds n … 1 → (L0, R0) for decryption]
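    The generic Feistel structure of slides 29 and 30 in code, as an added example (not from the lecture): a deliberately simple, non-invertible round function and a toy subkey schedule (both my own assumptions, not any real cipher's), showing that decryption is the same loop with the subkeys in reverse order and that f itself is never inverted.

```python
# Added example (not from the slides): a generic Feistel cipher on 64-bit
# blocks. round_function and toy_key_schedule are assumptions for the demo.

MASK32 = 0xFFFFFFFF

def round_function(r, k):
    """Toy 32-bit round function: add the subkey, rotate, multiply-mix.
    It is not a bijection, which a Feistel cipher allows."""
    x = (r + k) & MASK32
    x = ((x << 7) | (x >> 25)) & MASK32
    return (x * 0x9E3779B1 ^ (x >> 11)) & MASK32

def feistel_encrypt(block64, subkeys):
    """(L0, R0) = halves of the block; for i = 1..n:
    L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i); output (L_n, R_n)."""
    left, right = block64 >> 32, block64 & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (left << 32) | right

def feistel_decrypt(block64, subkeys):
    """Input (L_n, R_n); for i = n..1:
    R_{i-1} = L_i, L_{i-1} = R_i XOR f(L_i, K_i). Same f, reversed keys."""
    left, right = block64 >> 32, block64 & MASK32
    for k in reversed(subkeys):
        right, left = left, right ^ round_function(left, k)
    return (left << 32) | right

def toy_key_schedule(key64, rounds=8):
    """One 32-bit subkey per round from a 64-bit key (demo schedule only)."""
    subkeys = []
    for i in range(rounds):
        rot = ((key64 << (5 * i)) | (key64 >> (64 - 5 * i))) & ((1 << 64) - 1)
        subkeys.append((rot ^ (rot >> 32)) & MASK32)
    return subkeys

def roundtrip(plaintext64, key64):
    """Encrypt then decrypt; returns (ciphertext, recovered plaintext)."""
    ks = toy_key_schedule(key64)
    ct = feistel_encrypt(plaintext64, ks)
    return ct, feistel_decrypt(ct, ks)

if __name__ == "__main__":
    # Plaintext and key values borrowed from the DES example later in the deck.
    ct, pt = roundtrip(0x0123456789ABCDEF, 0x133457799BBCDFF1)
    print(f"ciphertext {ct:016X}, recovered {pt:016X}")
```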

  • 31

    Feistel Cipher Design Principles

    block size: increasing block size improves security, but slows the cipher

    key size: increasing key size improves security and makes exhaustive key searching harder, but may slow the cipher

    number of rounds: increasing the number improves security, but slows the cipher

    subkey generation: greater complexity can make analysis harder, but slows the cipher

    round function: greater complexity can make analysis harder, but slows the cipher

    fast software en/decryption & ease of analysis are more recent concerns for practical use and testing

  • 32

    Agenda

    Review

    Block Ciphers & Stream Ciphers

    Stream Ciphers

    Block Ciphers

    DES

    Cryptanalysis

    Modes of Operations

    Next…

  • 33

    Data Encryption Standard (DES)

    most widely used block cipher in world

    adopted in 1977 by NBS (now NIST)

    as FIPS PUB 46

    encrypts 64-bit data using 56-bit key

    has been considerable controversy over its security

    www.nist.gov

  • 34

    Block Cipher Design Principles

    basic principles still like Feistel in 1970’s

    number of rounds

    more is better, exhaustive search best attack

    function f:

    provides “confusion”, is nonlinear, avalanche

    key schedule

    complex subkey creation, key avalanche

  • 35

    DES History

    IBM developed Lucifer cipher by team led by Feistel

    used 64-bit data blocks with 128-bit key

    then redeveloped as a commercial cipher with input from NSA(http://ww.nsa.gov) and others

    in 1973 NBS issued request for proposals for a national cipher standard

    IBM submitted their revised Lucifer which was eventually accepted as the DES


  • 36

    DES Design Controversy

    although DES standard is public

    was considerable controversy over design

    in choice of 56-bit key (vs Lucifer 128-bit)

    and because design criteria were classified, not opened to the public

    subsequent events and public analysis show in fact design was appropriate

    DES has become widely used, especially in financial applications

  • 37

    Data Encryption Standard: Structure

    Basic Operations

    substitution

    transposition

    linear operation (XOR)

    [Figure: the DES encryption algorithm takes 64-bit plaintext X and the 56-bit key K and produces 64-bit ciphertext Y = EK(X); the DES decryption algorithm takes Y and K and returns X = DK(Y)]

  • 38

    Data Encryption Standard: Encryption

    [Figure: 64-bit plaintext X → Transposition IP → round 1 (K1: 48-bit subkey) → round 2 (K2) → … → round 16 (K16) → 32-bit swap → IP-1 → 64-bit ciphertext Y; the 56-bit key K feeds the key schedule that produces K1 … K16]

  • 39

    Data Encryption Standard: One Round

    [Figure: one round. The 64-bit input is split into L0 and R0 (32 bits each); f takes R0 (32 bits) and the 48-bit subkey K1; L1 = R0, R1 = L0 + f(R0, K1); the swap of the halves is the transposition; 64-bit output (L1, R1)]

    Feistel system (Feistel Cipher, Feistel Network)

  • 40

    Data Encryption Standard: Nonlinear function f

    [Figure: f(R0, K1). R0 (32 bits) → Expansion → 48 bits, XOR with K1 (48-bit subkey) → eight 6-bit groups → S-boxes S1 … S8 (Substitution Boxes, 6 bits in, 4 bits out each) → eight 4-bit outputs (32 bits) → Permutation P → f(R0, K1) (32 bits)]

  • 41

    DES

    [Figure: complete DES. 64-bit plaintext → IP → round 1 … round 16; in each round f (expansion of the 32-bit right half to 48 bits, XOR with the 48-bit subkey, S1 … S8 with 6 bits in and 4 bits out, permutation P) is XORed into the left half; the 56-bit key drives the key schedule producing K1 … K16 (48 bits each); after round 16 the halves (L16, R16) are swapped to (R16, L16) → IP-1 → 64-bit ciphertext]

  • 42

    DES Details: Initial Permutation / Inverse Permutation

    X = IP(M), M = IP-1(X)

    M (bit m7) → (IP) → X (bit x64); X (bit x64) → (IP-1) → M (bit m7)

    Through the IP, the 7th bit of the input M becomes the 64th bit of the output.

    The numbers in the table are bit positions of the input; the output position of each input bit is its position in the table.

  • 43

    DES Details: Initial Permutation / Inverse Permutation

    IP operation illustrated (source: Wikipedia): input bit m7 becomes output bit x64

  • 44

    DES Details:Expansion Permutation E

    By duplicating some bits, the 32 bits are expanded to 48 bits

  • 45

    DES Details:Expansion Permutation E

    By duplicating some bits, the 32 bits are expanded to 48 bits

  • 46

    DES Details:S-Boxes

  • 47

    DES Details:S-Boxes

  • 48

    DES Details:S-Boxes

  • 49

    DES Details:S-Boxes

  • 50

    DES Details:S-Boxes

    S-box: 6-bit input, 4-bit output

  • 51

    DES Details:S-Boxes

    S-Box operation (source: Wikipedia)

    Row: outer two bits of input

    Column: middle 4 bits of input (16 columns, 0 … 15)

    Example with S5: input 011011; the outer bits 01 select row 1, the middle bits 1101 select column 13; output 1001
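    The S-box lookup of slide 51 (S5 on input 011011) and the S1 lookup used in the worked encryption on slide 61 (input 011000), as an added example that is not the lecture's code. The S1 and S5 tables are the FIPS 46 tables; the function names are my own. The last function checks what the slides on confusion claim: the mapping is not linear (not even affine) over GF(2).

```python
# Added example (not from the slides): DES S-box lookup with the FIPS 46
# tables for S1 and S5, plus a nonlinearity check.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]

def sbox(table, six_bits):
    """6-bit input -> 4-bit output. Row = outer two bits (b1 b6),
    column = middle four bits (b2 b3 b4 b5)."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be 6 bits")
    row = ((six_bits >> 5) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return table[row][col]

def sbox_str(table, bit_string):
    """Same lookup on a string such as '011011'; returns a 4-bit string."""
    return format(sbox(table, int(bit_string, 2)), "04b")

def is_affine(table):
    """A linear or affine S-box would satisfy
    S(a) XOR S(b) XOR S(0) == S(a XOR b) for all a, b.
    The DES S-boxes do not, which is what makes f nonlinear."""
    s0 = sbox(table, 0)
    return all(sbox(table, a) ^ sbox(table, b) ^ s0 == sbox(table, a ^ b)
               for a in range(64) for b in range(64))

if __name__ == "__main__":
    print("S5(011011) =", sbox_str(S5, "011011"))   # slide 51 example
    print("S1(011000) =", sbox_str(S1, "011000"))   # slide 61 example
    print("S1 affine?", is_affine(S1), " S5 affine?", is_affine(S5))
```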

  • 52

    DES Details:Permutation P

    Permutation table: 32 bits → (P) → 32 bits

  • 53

    DES Details:Permutation P

    Permutation: 32 bits → (P) → 32 bits

    (source : Wikipedia)

  • 54

    DES Key Schedule

    Key K is a bitstring of length 64.

    Only 56 bits are real key bits.

    8 bits are parity-check bits for error detection.

    The bits in positions 8, 16, …, 64 are defined so that each byte contains an odd number of 1’s.

  • 55

    DES Key Schedule

    forms subkeys used in each round

    consists of:

    initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves (C,D)

    16 stages consisting of:

    selecting 24-bits from each half

    permuting them by PC2 for use in function f,

    rotating each half (C,D) separately either 1 or 2 bits depending on the key rotation schedule K

  • 56

    DES Key Schedule

    Initial key: 56 bits

    We get two 28-bit keys (C, D) after applying the initial permutation of the key (PC1)

    At each round, we get 48 bits (two × 24 bits) after the PC2 permutation

    C and D are treated separately: C and D are rotated left by one or two bits

    [Figure: 56-bit key → (C, D)]

  • 57

    DES Encryption Example

    key (64 bits, including parity bits; 56 bits are real key!): 13345779 9BBCDFF1

    plain(64) : 01234567 89ABCDEF

    cipher(64) : 85E81354 0F0AB405

    [Figure: encrypter]

  • 58–65

    DES Encryption Example: step by step (figure sequence)

    [Figure, slide 58: 64-bit plaintext 01234567 89ABCDEF → IP → (L0, R0)]

    [Figure, slide 59: R0 (32 bits) → E → 48 bits]

    [Figure, slide 60: E(R0) XOR K1, the 48-bit subkey from the key schedule]

    [Figure, slide 61: S-box substitution; for S1 the first 6-bit group is 011000: row 00, column 1100 (= 12), output 5 = 0101]

    [Figure, slide 62: the eight S-box outputs S1 … S8 (32 bits) → permutation P]

    [Figure, slides 63–64: P output XOR L0 gives R1 = 1110111101…; L1 = R0]

    [Figure, slide 65: after 16 rounds, 32-bit swap (R16, L16) → IP-1 → ciphertext]

  • 66

    Data Encryption Standard:Decryption

    Same as encryption

    We can use the same structure, but with the subkeys used in reverse order.

  • 67

    Agenda

    Review

    Block Ciphers & Stream Ciphers

    Stream Ciphers

    Block Ciphers

    DES

    Cryptanalysis

    Modes of Operations

    Next…

  • 68

    Strength of DES – Key Size

    56-bit keys have 2^56 ≈ 7.2 x 10^16 values

    brute force search looks hard

    But, recent advances have shown that it is possible

    in 1997 on Internet in a few months

    in 1998 on dedicated H/W in a few days

    in 1999 above combined in 22hrs!

    still must be able to recognize plaintext

    now considering alternatives to DES

  • 69

    Strength of DES – Timing Attacks

    attacks on actual implementation of cipher

    use knowledge of consequences of implementation to derive knowledge of some/all subkey bits

    specifically use the fact that calculations can take varying times depending on the value of the inputs to it

    particularly problematic on smartcards

  • 70

    Strength of DES – Analytic Attacks

    now have several analytic attacks on DES

    these utilize some deep structure of the cipher by gathering information about encryptions

    can eventually recover some/all of the sub-key bits

    if necessary then exhaustively search for the rest

    generally these are statistical attacks

    include differential cryptanalysis

    linear cryptanalysis

    related key attacks

  • 71

    Differential Cryptanalysis

    one of the most significant recent (public) advances in cryptanalysis

    known by NSA in 70's (The DES designer already knew this attacking technique)

    Murphy, Biham & Shamir published 1990

    powerful method to analyse block ciphers

    used to analyse most current block ciphers with varying degrees of success

    DES reasonably resistant to it

  • 72

    Differential Cryptanalysis

    a statistical attack against Feistel ciphers

    uses cipher structure not previously used

    design of S-P networks has output of function f influenced by both input & key

    hence cannot trace values back through cipher without knowing values of the key

    Differential Cryptanalysis compares two related pairs of encryptions

  • 73

    Linear Cryptanalysis

    another recent development

    also a statistical method

    must be iterated over rounds, with decreasing probabilities

    developed by Matsui et al in early 90's

    based on finding linear approximations

    can attack DES with 2^47 known plaintexts, still in practice infeasible

  • 74

    Agenda

    Review

    Block Ciphers & Stream Ciphers

    Stream Ciphers

    Block Ciphers

    DES

    Cryptanalysis

    Modes of Operations

    Next…

  • 75

    Modes of Operation

    block ciphers encrypt fixed size blocks

    eg. DES encrypts 64-bit blocks, with 56-bit key

    need way to use in practice, given usually have arbitrary amount of information to encrypt

    four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use

    subsequently now have 5 for DES and AES

    have block and stream modes

  • 76

    Electronic Codebook (ECB)

    message is broken into independent blocks which are encrypted

    each block is a value which is substituted, like a codebook, hence name

    each block is encoded independently of the other blocks: Ci = DESK1(Pi)

    uses: secure transmission of single values

  • 77

    Electronic Codebook (ECB)

  • 78

    Advantages and Limitations of ECB

    repetitions in message may show in ciphertext if aligned with message block

    particularly with data such as graphics

    or with messages that change very little, which become a code-book analysis problem

    weakness due to encrypted message blocks being independent

    main use is sending a few blocks of data

  • 79

    ECB Weakness Demo

    [Figure: the same image shown as original, ECB-encrypted and CBC-encrypted]

    http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

  • 80

    Cipher Block Chaining (CBC)

    message is broken into blocks

    but these are linked together in the encryption operation

    each previous cipher block is chained with the current plaintext block, hence name

    use Initial Vector (IV) to start process: Ci = DESK1(Pi XOR Ci-1), C-1 = IV

    uses: bulk data encryption, authentication

  • 81

    Cipher Block Chaining (CBC)

  • Cipher Block Chaining

  • 83

    Advantages and Limitations of CBC

    each ciphertext block depends on all message blocks

    thus a change in the message affects all ciphertext blocks after the change as well as the original block

    need Initial Value (IV) known to sender & receiver; however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate

    hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message

    at end of message, handle possible last short block by padding either with known non-data value (eg nulls)

    or pad last block with count of pad size eg. [ b1 b2 b3 0 0 0 0 5]

  • 84

    Cipher FeedBack (CFB)

    message is treated as a stream of bits

    added to the output of the block cipher

    result is fed back for next stage (hence name)

    standard allows any number of bits (1, 8 or 64 or whatever) to be fed back, denoted CFB-1, CFB-8, CFB-64 etc

    is most efficient to use all 64 bits (CFB-64)

    Ci = Pi XOR DESK1(Ci-1), C-1 = IV

    uses: stream data encryption, authentication

  • 85

    Cipher FeedBack (CFB)

  • 86

    Advantages and Limitations of CFB

    appropriate when data arrives in bits/bytes

    most common stream mode

    limitation is the need to stall for a block encryption after every n bits

    note that the block cipher is used in encryption mode at both ends

    errors propagate for several blocks after the error

  • 87

    Output FeedBack (OFB)

    message is treated as a stream of bits

    output of cipher is added to message

    output is then fed back (hence name)

    feedback is independent of message

    can be computed in advance

    Ci = Pi XOR Oi, Oi = DESK1(Oi-1), O-1 = IV

    uses: stream encryption over noisy channels

  • 88

    Output FeedBack (OFB)

  • 89

    Advantages and Limitations of OFB

    used when error feedback is a problem or where encryptions are needed before the message is available

    superficially similar to CFB

    but feedback is from the output of the cipher and is independent of the message

    a variation of a Vernam cipher, hence must never reuse the same sequence (key+IV)

    sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs

    originally specified with m-bit feedback in the standards

    subsequent research has shown that only OFB-64 should ever be used

  • 90

    Counter (CTR)

    a “new” mode, though proposed early on

    similar to OFB but encrypts counter value rather than any feedback value

    must have a different key & counter value for every plaintext block (never reused)

    Ci = Pi XOR Oi, Oi = DESK1(i)

    uses: high-speed network encryptions

  • 91

    Counter (CTR)

    [Figure: counter blocks Counter, Counter+1, …, Counter+N-1, each encrypted and XORed with the corresponding plaintext block]

  • 92

    Advantages and Limitations of CTR

    efficiency

    can do parallel encryptions

    in advance of need

    good for bursty high speed links

    random access to encrypted data blocks

    provable security (good as other modes)

    but must ensure never reuse key/counter values, otherwise could break (cf OFB)
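    The modes of slides 76 to 92 side by side, as an added example that is not the lecture's code: ECB, CBC, OFB and CTR are built on a toy one-byte “codebook” block cipher (a keyed permutation of the 256 byte values, an assumption for illustration in place of DES). It shows the ECB repetition leak, CBC's chaining from an IV, that OFB/CTR encryption and decryption are the same XOR, and the slide's caveat that a reused key stream (same key and IV) exposes the XOR of the two messages. Function names and the demo key are my own.

```python
# Added example (not from the slides): block cipher modes on a toy cipher.
import random

def make_codebook(key):
    """Toy block cipher E_K on 8-bit blocks: a keyed permutation table and
    its inverse (D_K). Not a real cipher; it stands in for DES here."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return table, inverse

def ecb_encrypt(enc, pt):
    # C_i = E_K(P_i): each block independently, like a codebook lookup.
    return bytes(enc[p] for p in pt)

def ecb_decrypt(dec, ct):
    return bytes(dec[c] for c in ct)

def cbc_encrypt(enc, iv, pt):
    # C_i = E_K(P_i XOR C_{i-1}), with C_{-1} = IV.
    out, prev = bytearray(), iv
    for p in pt:
        prev = enc[p ^ prev]
        out.append(prev)
    return bytes(out)

def cbc_decrypt(dec, iv, ct):
    # P_i = D_K(C_i) XOR C_{i-1}: a damaged C_i only garbles P_i and P_{i+1}.
    out, prev = bytearray(), iv
    for c in ct:
        out.append(dec[c] ^ prev)
        prev = c
    return bytes(out)

def ofb_keystream(enc, iv, n):
    # O_i = E_K(O_{i-1}), O_{-1} = IV: independent of the message.
    out, o = bytearray(), iv
    for _ in range(n):
        o = enc[o]
        out.append(o)
    return bytes(out)

def ctr_keystream(enc, iv, n):
    # O_i = E_K(IV + i): any block can be computed in parallel or on demand.
    return bytes(enc[(iv + i) & 0xFF] for i in range(n))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream_mode(enc, iv, data, keystream_fn):
    """OFB/CTR: encryption and decryption are the same XOR."""
    return xor_bytes(data, keystream_fn(enc, iv, len(data)))

def repeated_blocks(ct):
    """Number of ciphertext blocks equal to an earlier one (ECB leak metric)."""
    return len(ct) - len(set(ct))

def keystream_reuse_leak(enc, iv, m1, m2, keystream_fn):
    """With one key stream used twice, C1 XOR C2 == M1 XOR M2: the key drops
    out and an observer learns the XOR of the two messages."""
    c1 = stream_mode(enc, iv, m1, keystream_fn)
    c2 = stream_mode(enc, iv, m2, keystream_fn)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)

if __name__ == "__main__":
    enc, dec = make_codebook("demo key")          # constructed demo key
    msg = b"AAAAAAAAAAAAAAAA"                      # highly repetitive data
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(enc, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(enc, 0x42, msg)))
    print("CTR round trip ok:", stream_mode(enc, 0x10,
          stream_mode(enc, 0x10, msg, ctr_keystream), ctr_keystream) == msg)
```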

  • 93

    Next…

    We will study modular arithmetic and finite fields…

    Group

    Ring

    Field

    Modular arithmetic

    Finite field – Prime field, binary field, etc.

    Polynomial arithmetic, etc.

  • 94

    Q&A

  • 95

    DES cracker: EFF (Electronic Frontier Foundation)’s DES cracker

    July 1998: DES Challenge II

    Electronic Frontier Foundation (EFF) built a DES code-cracker for $250k

    Cracked DES in 3 days

    Jan. 1999: DES Challenge III

    Distributed.Net used EFF DES cracker plus 100,000 PCs on the Internet to crack DES in 22 hours 15 min.

    Testing 245 billion keys/sec when key was found

    http://en.wikipedia.org/wiki/File:Board300.jpg

  • 96

    Timing attack: additional explanation

    http://www.youtube.com/watch?feature=player_detailpage&v=BCmrBpKZl78

  • 97

    Timing attack: additional explanation

    http://www.youtube.com/watch?feature=player_detailpage&v=BCmrBpKZl78

    See also the Python built-in functions

  • 98

    Timing attack: additional explanation

    http://www.youtube.com/watch?feature=player_detailpage&v=BCmrBpKZl78

