Lecture-03-SecretKeyCryptography_2.pdf

Secret Key Secret Key C hC hCryptographyCryptography

Dr. Nguyen Tuan NamDr. Nguyen Tuan [email protected]@yahoo.com

IntroductionIntroductionIntroductionIntroduction

Describes how secret key algorithms workDescribes how secret key algorithms workDescribes how secret key algorithms workDescribes how secret key algorithms work DESDES IDEAIDEA

TakeTake FixedFixed--length block of message (64 bits)length block of message (64 bits) FixedFixed--length key length key

56 bits for DES56 bits for DES 128 bit f r IDEA128 bit f r IDEA 128 bits for IDEA128 bits for IDEA

Generate a block of outputGenerate a block of output Same length as the inputSame length as the input

2Nguyen Tuan Nam/NetSec/Win2010

Same length as the inputSame length as the input

Generic Block EncryptionGeneric Block EncryptionGeneric Block EncryptionGeneric Block Encryption

A cryptographic algorithm converts a plaintextA cryptographic algorithm converts a plaintextA cryptographic algorithm converts a plaintext A cryptographic algorithm converts a plaintext block into an encrypted block block into an encrypted block If the key length too short If the key length too short not be secure (why?)not be secure (why?)y gy g ( y )( y ) How about if the block length is too short? Too How about if the block length is too short? Too

long? long? 64 bits is a reasonable length64 bits is a reasonable length Most general way of encrypting a 64Most general way of encrypting a 64--bit blockbit block

Each of the 2Each of the 26464 input values is mapped to a unique input values is mapped to a unique 6464one of the 2one of the 26464 output valuesoutput values

Necessary that the mapping be Necessary that the mapping be oneone--toto--oneone. Why?. Why?


How to Specify a Mapping?How to Specify a Mapping?How to Specify a Mapping?How to Specify a Mapping?

How to specify a monoHow to specify a mono--alphabetic cipher with English alphabetic cipher with English p yp y p p gp p gletters?letters? 26 specifications of 26 possible values26 specifications of 26 possible values

How to specify a mapping of all possible 64 bit input How to specify a mapping of all possible 64 bit input values?values? How many bits of information is needed to specify aHow many bits of information is needed to specify a How many bits of information is needed to specify a How many bits of information is needed to specify a

mapping?mapping? The mapping acts like a secret key that 2 parties share The mapping acts like a secret key that 2 parties share cannot be too largecannot be too large


Mapping for Cryptographic SystemsMapping for Cryptographic SystemsMapping for Cryptographic SystemsMapping for Cryptographic Systems

Secret key cryptographic systems are designed to Secret key cryptographic systems are designed to y yp g p y gy yp g p y g Take a Take a reasonablereasonable--length keylength key Generate a Generate a oneone--toto--one mappingone mapping that looks, to someone who doesn’t that looks, to someone who doesn’t

know the key, completely know the key, completely randomrandom If the mapping is truly randomIf the mapping is truly random

Any single bit change to the input results in a Any single bit change to the input results in a totally independently totally independently chosen random number outputchosen random number outputpp

How about:How about: 33rdrd bit of output always changes if the 12bit of output always changes if the 12thth bit of input changes?bit of input changes?

Cryptographic algorithms are designed to Cryptographic algorithms are designed to spread bits aroundspread bits aroundyp g p g gyp g p g g pp A single input bit should have influence on all the bits of outputA single input bit should have influence on all the bits of output Able to change any one of them with a probability of about 50%Able to change any one of them with a probability of about 50%


Transformation on a Block of DataTransformation on a Block of DataTransformation on a Block of DataTransformation on a Block of Data

Two kinds of simple transformationsTwo kinds of simple transformations Two kinds of simple transformationsTwo kinds of simple transformations SubstitutionsSubstitutions PermutationsPermutations PermutationsPermutations


SubstitutionSubstitutionSubstitutionSubstitution

Specifies the kSpecifies the k--bit output for each of the 2bit output for each of the 2kk Specifies the kSpecifies the k bit output for each of the 2bit output for each of the 2possible values of the inputpossible values of the input

Is it practical to build substitution for 64Is it practical to build substitution for 64 bitbit Is it practical to build substitution for 64Is it practical to build substitution for 64--bit bit blocks? 8blocks? 8--bit blocks?bit blocks?I l h h i f i d dI l h h i f i d d In general, how much information needed to In general, how much information needed to specify a completely randomly chosen specify a completely randomly chosen

b i i f kb i i f k bi bl k ?bi bl k ?substitution for ksubstitution for k--bit blocks?bit blocks?


PermutationPermutationPermutationPermutation

Specifies, for each of the k input bits, the outputSpecifies, for each of the k input bits, the outputSpecifies, for each of the k input bits, the output Specifies, for each of the k input bits, the output position to which it goesposition to which it goes 11stst bit becomes the 13bit becomes the 13thth bit of outputbit of output

How many bits of information are needed to specify a How many bits of information are needed to specify a completely randomly chosen permutation of k bits?completely randomly chosen permutation of k bits?

Permutation is a special case of a substitution. Why?Permutation is a special case of a substitution. Why? The number of permutations is sufficiently small that it The number of permutations is sufficiently small that it

is possible to specify and build an arbitrary 64is possible to specify and build an arbitrary 64--bit bit permuterpermuter


Example of Block EncryptionExample of Block EncryptionExample of Block EncryptionExample of Block Encryption


Data Encryption Standard (DES)Data Encryption Standard (DES)Data Encryption Standard (DES)Data Encryption Standard (DES)

Published in 1977 by the National Bureau of Standard (renamed to the Published in 1977 by the National Bureau of Standard (renamed to the N ti l I tit t f St d d d T h lN ti l I tit t f St d d d T h l NIST)NIST)National Institute of Standards and Technology National Institute of Standards and Technology –– NIST) NIST) Designed by IBM based on their Lucifer cipher and input from NSA (National Designed by IBM based on their Lucifer cipher and input from NSA (National

Security Agency)Security Agency) For use in commercial and unclassified US Government applicationsFor use in commercial and unclassified US Government applications Uses a 56Uses a 56--bit keybit key

The key actually The key actually looks like a 64looks like a 64--bit keybit key Maps a 64Maps a 64--bit input block into a 64bit input block into a 64--bit output blockbit output block

Effi i i l i h dEffi i i l i h d Efficient to implement in hardwareEfficient to implement in hardware Relatively slow if implemented in softwareRelatively slow if implemented in software

People have asserted that DES was specifically designed to make software People have asserted that DES was specifically designed to make software implementation difficultimplementation difficultpp

Advances in CPUs Advances in CPUs feasible to do DES in software nowfeasible to do DES in software now


Why 56 Bits?Why 56 Bits?Why 56 Bits?Why 56 Bits?

Disadvantage?Disadvantage? Disadvantage? Disadvantage? How much less secure against exhaustive search?How much less secure against exhaustive search?

Ad t ?Ad t ? Advantage?Advantage? SanitySanity--check for corrupted key? check for corrupted key? Really?Really?

So why?So why?


KeyKey--Length RevisitedLength RevisitedKeyKey Length RevisitedLength Revisited

Advances inAdvances in semiconductor technologysemiconductor technology makemakeAdvances in Advances in semiconductor technologysemiconductor technology make make the keythe key--length issue more length issue more criticalcritical DES keys can be broken with a bit of cleverness and DES keys can be broken with a bit of cleverness and yy

exhaustive searchexhaustive search Given hardware price/performance improving Given hardware price/performance improving

about 40% per year, how much should keys about 40% per year, how much should keys grow?grow? Assuming 56 bits was just sufficient in 1979 (when Assuming 56 bits was just sufficient in 1979 (when

DES was standardized), how about 64 bits (which DES was standardized), how about 64 bits (which year) and 128 bits?year) and 128 bits?


year), and 128 bits?year), and 128 bits?

QuizQuizQuizQuiz

Suppose you have a single block of <plaintextSuppose you have a single block of <plaintext Suppose you have a single block of <plaintext, Suppose you have a single block of <plaintext, ciphertext>ciphertext>

Is it possible for a cryptanalyst to find theIs it possible for a cryptanalyst to find the Is it possible for a cryptanalyst to find the Is it possible for a cryptanalyst to find the “wrong” key, given a particular pair?“wrong” key, given a particular pair?

Mi h 2 diff k h l i hMi h 2 diff k h l i h Might 2 different keys map the same plaintext to the Might 2 different keys map the same plaintext to the same cipher?same cipher?

If h DES k th r pIf h DES k th r p If so, how many DES keys on the average map a If so, how many DES keys on the average map a particular pair?particular pair?


How Secure is DES?How Secure is DES?How Secure is DES?How Secure is DES?

Brute force search on encryption of 7Brute force search on encryption of 7--bit ASCIIbit ASCIIypyp The 8The 8thth bit of an ASCII is 0bit of an ASCII is 0 If the decryption yields 0 on the 8If the decryption yields 0 on the 8thth bit bit possible of correct possible of correct

k ( h f i t k i 1/256 i lid )k ( h f i t k i 1/256 i lid )key (chance of incorrect key is 1/256: see previous slide)key (chance of incorrect key is 1/256: see previous slide) In 1977:In 1977:

$20 million machine can find a DES key in 12 hours given a$20 million machine can find a DES key in 12 hours given a $20 million machine can find a DES key in 12 hours given a $20 million machine can find a DES key in 12 hours given a <plaintext, ciphertext> pair<plaintext, ciphertext> pair

In 1998In 1998 EFF DES Cracker for under $250K to find a DES key in 4.5 EFF DES Cracker for under $250K to find a DES key in 4.5

daysdays Solutions?Solutions?


Solutions?Solutions?

DES OverviewDES OverviewDES OverviewDES Overview

Inverse of initial


Inverse of initial permutation

The Permutation of DataThe Permutation of DataThe Permutation of DataThe Permutation of Data

Do essentially nothing to enhance DES’ security. Why?


W y?

Example of PermutationExample of PermutationExample of PermutationExample of Permutation

Input is 8 octets, output is 8 octets

Bit f th ith t t f i t t d i t th (9 i)th bit f ll th t t


Bits of the ith octet of input get spread into the (9-i)th bits of all the octets

Generating PerGenerating Per--Round KeyRound KeyGenerating PerGenerating Per Round KeyRound Key

6464--bit keysbit keys 16 4816 48--bit keys: Kbit keys: K11, K, K22, …, K, …, K16166464 bit keys bit keys 16 4816 48 bit keys: Kbit keys: K11, K, K22, …, K, …, K1616 Initial permutation on the 56 useful bits of the key Initial permutation on the 56 useful bits of the key 5656--bit output bit output divided into two 28divided into two 28--bit values, bit values, called Ccalled C00 and Dand D00


Example of CExample of C00 and Dand D00Example of CExample of C00 and Dand D00


PerPer--Round Key KRound Key KiiPerPer Round Key KRound Key Kii


DES RoundDES RoundDES RoundDES Round

DES is reversible without constraining the mangler function DES is reversible without constraining the mangler function


g gg gto be reversibleto be reversible

Can the mangler map all values to zero? Why?Can the mangler map all values to zero? Why?The mangler is never The mangler is never

run backwardsrun backwards

The Mangler FunctionThe Mangler FunctionThe Mangler FunctionThe Mangler Function

InputInputInputInput 3232--bit Rbit Rnn (R)(R) 4848--bit Kbit Knn (K)(K)nn ( )( )

OutputOutput 3232--bit outputbit output

ManglerMangler 3232--bit R bit R 4848--bit valuebit value

Eight 4Eight 4--bit chunk bit chunk Eight 6Eight 6--bit chunkbit chunk

4848--bit Kbit K Eight 6Eight 6 bit chunkbit chunk


Eight 6Eight 6--bit chunkbit chunk

Expansion of R to 48 BitsExpansion of R to 48 BitsExpansion of R to 48 BitsExpansion of R to 48 Bits

Taking adjacent bits and concatenating them toTaking adjacent bits and concatenating them to Taking adjacent bits and concatenating them to Taking adjacent bits and concatenating them to the chunk the chunk The leftmost and rightmost bitsThe leftmost and rightmost bits The leftmost and rightmost bitsThe leftmost and rightmost bits


Chunk TransformationChunk TransformationChunk TransformationChunk Transformation


SS--BoxesBoxesSS BoxesBoxes

InputInput InputInput 66--bit number (XOR result of 2 chunks)bit number (XOR result of 2 chunks)

O t tO t t OutputOutput 44--bitbit

PatternPattern Inner 4Inner 4--bits serving as inputbits serving as input Outer 2Outer 2--bits selecting which of the four 4bits selecting which of the four 4--bit Sbit S--

boxes to useboxes to use


Example of SExample of S--Box 1 and 2Box 1 and 2Example of SExample of S Box 1 and 2Box 1 and 2

26Nguyen Tuan Nam/NetSec/Win2010reversible?

QuizQuizQuizQuiz

Why uses 8 SWhy uses 8 S--boxes instead of 1 Sboxes instead of 1 S--box for thebox for the Why uses 8 SWhy uses 8 S boxes instead of 1 Sboxes instead of 1 S box for the box for the whole input?whole input?


Final Permutation of the Mangler Final Permutation of the Mangler FunctionFunction

44--bit output of each of the eight Sbit output of each of the eight S--boxes isboxes is 44 bit output of each of the eight Sbit output of each of the eight S boxes is boxes is combined combined 3232--bit quantity bit quantity permutedpermuted

Ensure that the bits of the output of an SEnsure that the bits of the output of an S boxbox Ensure that the bits of the output of an SEnsure that the bits of the output of an S--box box on one round affects the input of multiple Son one round affects the input of multiple S--boxes on the next roundboxes on the next roundboxes on the next roundboxes on the next round


Weak and SemiWeak and Semi--Weak KeysWeak KeysWeak and SemiWeak and Semi Weak KeysWeak Keys

CC00 and Dand D00 are one of the four valuesare one of the four values CC00 and Dand D00 are one of the four valuesare one of the four values All onesAll ones All zerosAll zeros All zerosAll zeros Alternating ones and zerosAlternating ones and zeros

Alt ti dAlt ti d Alternating zeros and onesAlternating zeros and ones

16 keys16 keys


What’s So Special About DES?What’s So Special About DES?What s So Special About DES?What s So Special About DES?

Swapping SSwapping S--box 3 with Sbox 3 with S--box 7box 7 DES is aboutDES is about Swapping SSwapping S box 3 with Sbox 3 with S box 7 box 7 DES is about DES is about an order of magnitude less secure in the face of an order of magnitude less secure in the face of a specific attacka specific attacka specific attacka specific attack


International Data Encryption International Data Encryption Algorithm (IDEA)Algorithm (IDEA)

Designed to be efficient to compute in softwareDesigned to be efficient to compute in softwareg pg p Encrypts a 64Encrypts a 64--bit block of plaintext into a 64bit block of plaintext into a 64--bit block of bit block of

ciphertextciphertext Uses 128Uses 128 bit keybit key Uses 128Uses 128--bit keybit key Published in 1991Published in 1991

So far no weakness has been found, at least by the good guysSo far no weakness has been found, at least by the good guys Similar to DES in some waysSimilar to DES in some ways

Operate in roundsOperate in rounds Have complicated mangler function that does not have to be reversibleHave complicated mangler function that does not have to be reversiblep gp g

Both DES and IDEABoth DES and IDEA Encryption and decryption keys are identical except for key expansionEncryption and decryption keys are identical except for key expansion


Basic Structure of IDEABasic Structure of IDEABasic Structure of IDEABasic Structure of IDEA


Key ExpansionKey ExpansionKey ExpansionKey Expansion

128128--bit key is expandedbit key is expanded 52 1652 16--bit keys Kbit keys K11, K, K22, …,, …, 128128 bit key is expanded bit key is expanded 52 1652 16 bit keys Kbit keys K11, K, K22, …, , …, KK5252 128128--bit key bit key eight 16eight 16--bit keysbit keys The next eight keys are generated by starting at bit 25 and The next eight keys are generated by starting at bit 25 and

wrapping aroundwrapping aroundTh i h k d b ff i 25 biTh i h k d b ff i 25 bi The next eight keys are generated by offsetting 25 more bitsThe next eight keys are generated by offsetting 25 more bits

Bits 1 through 22 and bits 87 through 128 get used in Bits 1 through 22 and bits 87 through 128 get used in how many keys?how many keys?how many keys?how many keys?

Warning: keys KWarning: keys K5050 and Kand K5151 are swappedare swapped


Key ExpansionKey ExpansionKey ExpansionKey Expansion


IDEA RoundsIDEA RoundsIDEA RoundsIDEA Rounds

17 rounds17 rounds Each round takes 64Each round takes 64--bit input and treats it as four 16bit input and treats it as four 16--bit bit

quantities Xquantities Xaa, X, Xbb, X, Xcc, X, Xdd Odd rounds use four of the KOdd rounds use four of the K :: KK KK KK KK Odd rounds use four of the KOdd rounds use four of the Kii:: KKaa, K, Kbb, K, Kcc, K, Kdd Even rounds use two KEven rounds use two Kii: K: Kee, K, Kff Total 52 keysTotal 52 keys Input of odd roundsInput of odd rounds

XXaa, X, Xbb, X, Xcc, X, Xdd KK KKbb KK KKdd KKaa, K, Kbb, K, Kcc, K, Kdd

Input of even roundsInput of even rounds XXaa, X, Xbb, X, Xcc, X, Xdd

KK KK


KKee, K, Kff

Odd RoundOdd RoundOdd RoundOdd Round


Even RoundEven RoundEven RoundEven Round


AESAESAESAES

HomeworkHomework HomeworkHomework


Date post:	29-Nov-2015
Category:	Documents
Upload:	hung-nguyen
View:	12 times
Download:	2 times

Lecture-03-SecretKeyCryptography_2.pdf

Documents