Date post: | 29-Nov-2015 |
Category: |
Documents |
Upload: | hung-nguyen |
View: | 12 times |
Download: | 2 times |
Secret Key Secret Key C hC hCryptographyCryptography
Dr. Nguyen Tuan NamDr. Nguyen Tuan [email protected]@yahoo.com
IntroductionIntroductionIntroductionIntroduction
Describes how secret key algorithms workDescribes how secret key algorithms workDescribes how secret key algorithms workDescribes how secret key algorithms work DESDES IDEAIDEA
TakeTake FixedFixed--length block of message (64 bits)length block of message (64 bits) FixedFixed--length key length key
56 bits for DES56 bits for DES 128 bit f r IDEA128 bit f r IDEA 128 bits for IDEA128 bits for IDEA
Generate a block of outputGenerate a block of output Same length as the inputSame length as the input
2Nguyen Tuan Nam/NetSec/Win2010
Same length as the inputSame length as the input
Generic Block EncryptionGeneric Block EncryptionGeneric Block EncryptionGeneric Block Encryption
A cryptographic algorithm converts a plaintextA cryptographic algorithm converts a plaintextA cryptographic algorithm converts a plaintext A cryptographic algorithm converts a plaintext block into an encrypted block block into an encrypted block If the key length too short If the key length too short not be secure (why?)not be secure (why?)y gy g ( y )( y ) How about if the block length is too short? Too How about if the block length is too short? Too
long? long? 64 bits is a reasonable length64 bits is a reasonable length Most general way of encrypting a 64Most general way of encrypting a 64--bit blockbit block
Each of the 2Each of the 26464 input values is mapped to a unique input values is mapped to a unique 6464one of the 2one of the 26464 output valuesoutput values
Necessary that the mapping be Necessary that the mapping be oneone--toto--oneone. Why?. Why?
3Nguyen Tuan Nam/NetSec/Win2010
How to Specify a Mapping?How to Specify a Mapping?How to Specify a Mapping?How to Specify a Mapping?
How to specify a monoHow to specify a mono--alphabetic cipher with English alphabetic cipher with English p yp y p p gp p gletters?letters? 26 specifications of 26 possible values26 specifications of 26 possible values
How to specify a mapping of all possible 64 bit input How to specify a mapping of all possible 64 bit input values?values? How many bits of information is needed to specify aHow many bits of information is needed to specify a How many bits of information is needed to specify a How many bits of information is needed to specify a
mapping?mapping? The mapping acts like a secret key that 2 parties share The mapping acts like a secret key that 2 parties share cannot be too largecannot be too large
4Nguyen Tuan Nam/NetSec/Win2010
Mapping for Cryptographic SystemsMapping for Cryptographic SystemsMapping for Cryptographic SystemsMapping for Cryptographic Systems
Secret key cryptographic systems are designed to Secret key cryptographic systems are designed to y yp g p y gy yp g p y g Take a Take a reasonablereasonable--length keylength key Generate a Generate a oneone--toto--one mappingone mapping that looks, to someone who doesn’t that looks, to someone who doesn’t
know the key, completely know the key, completely randomrandom If the mapping is truly randomIf the mapping is truly random
Any single bit change to the input results in a Any single bit change to the input results in a totally independently totally independently chosen random number outputchosen random number outputpp
How about:How about: 33rdrd bit of output always changes if the 12bit of output always changes if the 12thth bit of input changes?bit of input changes?
Cryptographic algorithms are designed to Cryptographic algorithms are designed to spread bits aroundspread bits aroundyp g p g gyp g p g g pp A single input bit should have influence on all the bits of outputA single input bit should have influence on all the bits of output Able to change any one of them with a probability of about 50%Able to change any one of them with a probability of about 50%
5Nguyen Tuan Nam/NetSec/Win2010
Transformation on a Block of DataTransformation on a Block of DataTransformation on a Block of DataTransformation on a Block of Data
Two kinds of simple transformationsTwo kinds of simple transformations Two kinds of simple transformationsTwo kinds of simple transformations SubstitutionsSubstitutions PermutationsPermutations PermutationsPermutations
6Nguyen Tuan Nam/NetSec/Win2010
SubstitutionSubstitutionSubstitutionSubstitution
Specifies the kSpecifies the k--bit output for each of the 2bit output for each of the 2kk Specifies the kSpecifies the k bit output for each of the 2bit output for each of the 2possible values of the inputpossible values of the input
Is it practical to build substitution for 64Is it practical to build substitution for 64 bitbit Is it practical to build substitution for 64Is it practical to build substitution for 64--bit bit blocks? 8blocks? 8--bit blocks?bit blocks?I l h h i f i d dI l h h i f i d d In general, how much information needed to In general, how much information needed to specify a completely randomly chosen specify a completely randomly chosen
b i i f kb i i f k bi bl k ?bi bl k ?substitution for ksubstitution for k--bit blocks?bit blocks?
7Nguyen Tuan Nam/NetSec/Win2010
PermutationPermutationPermutationPermutation
Specifies, for each of the k input bits, the outputSpecifies, for each of the k input bits, the outputSpecifies, for each of the k input bits, the output Specifies, for each of the k input bits, the output position to which it goesposition to which it goes 11stst bit becomes the 13bit becomes the 13thth bit of outputbit of output
How many bits of information are needed to specify a How many bits of information are needed to specify a completely randomly chosen permutation of k bits?completely randomly chosen permutation of k bits?
Permutation is a special case of a substitution. Why?Permutation is a special case of a substitution. Why? The number of permutations is sufficiently small that it The number of permutations is sufficiently small that it
is possible to specify and build an arbitrary 64is possible to specify and build an arbitrary 64--bit bit permuterpermuter
8Nguyen Tuan Nam/NetSec/Win2010
Example of Block EncryptionExample of Block EncryptionExample of Block EncryptionExample of Block Encryption
9Nguyen Tuan Nam/NetSec/Win2010
Data Encryption Standard (DES)Data Encryption Standard (DES)Data Encryption Standard (DES)Data Encryption Standard (DES)
Published in 1977 by the National Bureau of Standard (renamed to the Published in 1977 by the National Bureau of Standard (renamed to the N ti l I tit t f St d d d T h lN ti l I tit t f St d d d T h l NIST)NIST)National Institute of Standards and Technology National Institute of Standards and Technology –– NIST) NIST) Designed by IBM based on their Lucifer cipher and input from NSA (National Designed by IBM based on their Lucifer cipher and input from NSA (National
Security Agency)Security Agency) For use in commercial and unclassified US Government applicationsFor use in commercial and unclassified US Government applications Uses a 56Uses a 56--bit keybit key
The key actually The key actually looks like a 64looks like a 64--bit keybit key Maps a 64Maps a 64--bit input block into a 64bit input block into a 64--bit output blockbit output block
Effi i i l i h dEffi i i l i h d Efficient to implement in hardwareEfficient to implement in hardware Relatively slow if implemented in softwareRelatively slow if implemented in software
People have asserted that DES was specifically designed to make software People have asserted that DES was specifically designed to make software implementation difficultimplementation difficultpp
Advances in CPUs Advances in CPUs feasible to do DES in software nowfeasible to do DES in software now
10Nguyen Tuan Nam/NetSec/Win2010
Why 56 Bits?Why 56 Bits?Why 56 Bits?Why 56 Bits?
Disadvantage?Disadvantage? Disadvantage? Disadvantage? How much less secure against exhaustive search?How much less secure against exhaustive search?
Ad t ?Ad t ? Advantage?Advantage? SanitySanity--check for corrupted key? check for corrupted key? Really?Really?
So why?So why?
11Nguyen Tuan Nam/NetSec/Win2010
KeyKey--Length RevisitedLength RevisitedKeyKey Length RevisitedLength Revisited
Advances inAdvances in semiconductor technologysemiconductor technology makemakeAdvances in Advances in semiconductor technologysemiconductor technology make make the keythe key--length issue more length issue more criticalcritical DES keys can be broken with a bit of cleverness and DES keys can be broken with a bit of cleverness and yy
exhaustive searchexhaustive search Given hardware price/performance improving Given hardware price/performance improving
about 40% per year, how much should keys about 40% per year, how much should keys grow?grow? Assuming 56 bits was just sufficient in 1979 (when Assuming 56 bits was just sufficient in 1979 (when
DES was standardized), how about 64 bits (which DES was standardized), how about 64 bits (which year) and 128 bits?year) and 128 bits?
12Nguyen Tuan Nam/NetSec/Win2010
year), and 128 bits?year), and 128 bits?
QuizQuizQuizQuiz
Suppose you have a single block of <plaintextSuppose you have a single block of <plaintext Suppose you have a single block of <plaintext, Suppose you have a single block of <plaintext, ciphertext>ciphertext>
Is it possible for a cryptanalyst to find theIs it possible for a cryptanalyst to find the Is it possible for a cryptanalyst to find the Is it possible for a cryptanalyst to find the “wrong” key, given a particular pair?“wrong” key, given a particular pair?
Mi h 2 diff k h l i hMi h 2 diff k h l i h Might 2 different keys map the same plaintext to the Might 2 different keys map the same plaintext to the same cipher?same cipher?
If h DES k th r pIf h DES k th r p If so, how many DES keys on the average map a If so, how many DES keys on the average map a particular pair?particular pair?
13Nguyen Tuan Nam/NetSec/Win2010
How Secure is DES?How Secure is DES?How Secure is DES?How Secure is DES?
Brute force search on encryption of 7Brute force search on encryption of 7--bit ASCIIbit ASCIIypyp The 8The 8thth bit of an ASCII is 0bit of an ASCII is 0 If the decryption yields 0 on the 8If the decryption yields 0 on the 8thth bit bit possible of correct possible of correct
k ( h f i t k i 1/256 i lid )k ( h f i t k i 1/256 i lid )key (chance of incorrect key is 1/256: see previous slide)key (chance of incorrect key is 1/256: see previous slide) In 1977:In 1977:
$20 million machine can find a DES key in 12 hours given a$20 million machine can find a DES key in 12 hours given a $20 million machine can find a DES key in 12 hours given a $20 million machine can find a DES key in 12 hours given a <plaintext, ciphertext> pair<plaintext, ciphertext> pair
In 1998In 1998 EFF DES Cracker for under $250K to find a DES key in 4.5 EFF DES Cracker for under $250K to find a DES key in 4.5
daysdays Solutions?Solutions?
14Nguyen Tuan Nam/NetSec/Win2010
Solutions?Solutions?
DES OverviewDES OverviewDES OverviewDES Overview
Inverse of initial
15Nguyen Tuan Nam/NetSec/Win2010
Inverse of initial permutation
The Permutation of DataThe Permutation of DataThe Permutation of DataThe Permutation of Data
Do essentially nothing to enhance DES’ security. Why?
16Nguyen Tuan Nam/NetSec/Win2010
W y?
Example of PermutationExample of PermutationExample of PermutationExample of Permutation
Input is 8 octets, output is 8 octets
Bit f th ith t t f i t t d i t th (9 i)th bit f ll th t t
17Nguyen Tuan Nam/NetSec/Win2010
Bits of the ith octet of input get spread into the (9-i)th bits of all the octets
Generating PerGenerating Per--Round KeyRound KeyGenerating PerGenerating Per Round KeyRound Key
6464--bit keysbit keys 16 4816 48--bit keys: Kbit keys: K11, K, K22, …, K, …, K16166464 bit keys bit keys 16 4816 48 bit keys: Kbit keys: K11, K, K22, …, K, …, K1616 Initial permutation on the 56 useful bits of the key Initial permutation on the 56 useful bits of the key 5656--bit output bit output divided into two 28divided into two 28--bit values, bit values, called Ccalled C00 and Dand D00
18Nguyen Tuan Nam/NetSec/Win2010
Example of CExample of C00 and Dand D00Example of CExample of C00 and Dand D00
19Nguyen Tuan Nam/NetSec/Win2010
PerPer--Round Key KRound Key KiiPerPer Round Key KRound Key Kii
20Nguyen Tuan Nam/NetSec/Win2010
DES RoundDES RoundDES RoundDES Round
DES is reversible without constraining the mangler function DES is reversible without constraining the mangler function
21Nguyen Tuan Nam/NetSec/Win2010
g gg gto be reversibleto be reversible
Can the mangler map all values to zero? Why?Can the mangler map all values to zero? Why?The mangler is never The mangler is never
run backwardsrun backwards
The Mangler FunctionThe Mangler FunctionThe Mangler FunctionThe Mangler Function
InputInputInputInput 3232--bit Rbit Rnn (R)(R) 4848--bit Kbit Knn (K)(K)nn ( )( )
OutputOutput 3232--bit outputbit output
ManglerMangler 3232--bit R bit R 4848--bit valuebit value
Eight 4Eight 4--bit chunk bit chunk Eight 6Eight 6--bit chunkbit chunk
4848--bit Kbit K Eight 6Eight 6 bit chunkbit chunk
22Nguyen Tuan Nam/NetSec/Win2010
Eight 6Eight 6--bit chunkbit chunk
Expansion of R to 48 BitsExpansion of R to 48 BitsExpansion of R to 48 BitsExpansion of R to 48 Bits
Taking adjacent bits and concatenating them toTaking adjacent bits and concatenating them to Taking adjacent bits and concatenating them to Taking adjacent bits and concatenating them to the chunk the chunk The leftmost and rightmost bitsThe leftmost and rightmost bits The leftmost and rightmost bitsThe leftmost and rightmost bits
23Nguyen Tuan Nam/NetSec/Win2010
Chunk TransformationChunk TransformationChunk TransformationChunk Transformation
24Nguyen Tuan Nam/NetSec/Win2010
SS--BoxesBoxesSS BoxesBoxes
InputInput InputInput 66--bit number (XOR result of 2 chunks)bit number (XOR result of 2 chunks)
O t tO t t OutputOutput 44--bitbit
PatternPattern Inner 4Inner 4--bits serving as inputbits serving as input Outer 2Outer 2--bits selecting which of the four 4bits selecting which of the four 4--bit Sbit S--
boxes to useboxes to use
25Nguyen Tuan Nam/NetSec/Win2010
Example of SExample of S--Box 1 and 2Box 1 and 2Example of SExample of S Box 1 and 2Box 1 and 2
26Nguyen Tuan Nam/NetSec/Win2010reversible?
QuizQuizQuizQuiz
Why uses 8 SWhy uses 8 S--boxes instead of 1 Sboxes instead of 1 S--box for thebox for the Why uses 8 SWhy uses 8 S boxes instead of 1 Sboxes instead of 1 S box for the box for the whole input?whole input?
27Nguyen Tuan Nam/NetSec/Win2010
Final Permutation of the Mangler Final Permutation of the Mangler FunctionFunction
44--bit output of each of the eight Sbit output of each of the eight S--boxes isboxes is 44 bit output of each of the eight Sbit output of each of the eight S boxes is boxes is combined combined 3232--bit quantity bit quantity permutedpermuted
Ensure that the bits of the output of an SEnsure that the bits of the output of an S boxbox Ensure that the bits of the output of an SEnsure that the bits of the output of an S--box box on one round affects the input of multiple Son one round affects the input of multiple S--boxes on the next roundboxes on the next roundboxes on the next roundboxes on the next round
28Nguyen Tuan Nam/NetSec/Win2010
Weak and SemiWeak and Semi--Weak KeysWeak KeysWeak and SemiWeak and Semi Weak KeysWeak Keys
CC00 and Dand D00 are one of the four valuesare one of the four values CC00 and Dand D00 are one of the four valuesare one of the four values All onesAll ones All zerosAll zeros All zerosAll zeros Alternating ones and zerosAlternating ones and zeros
Alt ti dAlt ti d Alternating zeros and onesAlternating zeros and ones
16 keys16 keys
29Nguyen Tuan Nam/NetSec/Win2010
What’s So Special About DES?What’s So Special About DES?What s So Special About DES?What s So Special About DES?
Swapping SSwapping S--box 3 with Sbox 3 with S--box 7box 7 DES is aboutDES is about Swapping SSwapping S box 3 with Sbox 3 with S box 7 box 7 DES is about DES is about an order of magnitude less secure in the face of an order of magnitude less secure in the face of a specific attacka specific attacka specific attacka specific attack
30Nguyen Tuan Nam/NetSec/Win2010
International Data Encryption International Data Encryption Algorithm (IDEA)Algorithm (IDEA)
Designed to be efficient to compute in softwareDesigned to be efficient to compute in softwareg pg p Encrypts a 64Encrypts a 64--bit block of plaintext into a 64bit block of plaintext into a 64--bit block of bit block of
ciphertextciphertext Uses 128Uses 128 bit keybit key Uses 128Uses 128--bit keybit key Published in 1991Published in 1991
So far no weakness has been found, at least by the good guysSo far no weakness has been found, at least by the good guys Similar to DES in some waysSimilar to DES in some ways
Operate in roundsOperate in rounds Have complicated mangler function that does not have to be reversibleHave complicated mangler function that does not have to be reversiblep gp g
Both DES and IDEABoth DES and IDEA Encryption and decryption keys are identical except for key expansionEncryption and decryption keys are identical except for key expansion
31Nguyen Tuan Nam/NetSec/Win2010
Basic Structure of IDEABasic Structure of IDEABasic Structure of IDEABasic Structure of IDEA
32Nguyen Tuan Nam/NetSec/Win2010
Key ExpansionKey ExpansionKey ExpansionKey Expansion
128128--bit key is expandedbit key is expanded 52 1652 16--bit keys Kbit keys K11, K, K22, …,, …, 128128 bit key is expanded bit key is expanded 52 1652 16 bit keys Kbit keys K11, K, K22, …, , …, KK5252 128128--bit key bit key eight 16eight 16--bit keysbit keys The next eight keys are generated by starting at bit 25 and The next eight keys are generated by starting at bit 25 and
wrapping aroundwrapping aroundTh i h k d b ff i 25 biTh i h k d b ff i 25 bi The next eight keys are generated by offsetting 25 more bitsThe next eight keys are generated by offsetting 25 more bits
Bits 1 through 22 and bits 87 through 128 get used in Bits 1 through 22 and bits 87 through 128 get used in how many keys?how many keys?how many keys?how many keys?
Warning: keys KWarning: keys K5050 and Kand K5151 are swappedare swapped
33Nguyen Tuan Nam/NetSec/Win2010
Key ExpansionKey ExpansionKey ExpansionKey Expansion
34Nguyen Tuan Nam/NetSec/Win2010
IDEA RoundsIDEA RoundsIDEA RoundsIDEA Rounds
17 rounds17 rounds Each round takes 64Each round takes 64--bit input and treats it as four 16bit input and treats it as four 16--bit bit
quantities Xquantities Xaa, X, Xbb, X, Xcc, X, Xdd Odd rounds use four of the KOdd rounds use four of the K :: KK KK KK KK Odd rounds use four of the KOdd rounds use four of the Kii:: KKaa, K, Kbb, K, Kcc, K, Kdd Even rounds use two KEven rounds use two Kii: K: Kee, K, Kff Total 52 keysTotal 52 keys Input of odd roundsInput of odd rounds
XXaa, X, Xbb, X, Xcc, X, Xdd KK KKbb KK KKdd KKaa, K, Kbb, K, Kcc, K, Kdd
Input of even roundsInput of even rounds XXaa, X, Xbb, X, Xcc, X, Xdd
KK KK
35Nguyen Tuan Nam/NetSec/Win2010
KKee, K, Kff
Odd RoundOdd RoundOdd RoundOdd Round
36Nguyen Tuan Nam/NetSec/Win2010
Even RoundEven RoundEven RoundEven Round
37Nguyen Tuan Nam/NetSec/Win2010
AESAESAESAES
HomeworkHomework HomeworkHomework
38Nguyen Tuan Nam/NetSec/Win2010