
slavanya.weebly.com  · Web viewBlock size of 64 or 128 bits is used. Encrypts a data stream one...

Date post: 18-Apr-2018
Upload: doankiet

UNIT 2

Simple DES, Differential cryptanalysis, DES, Modes of operation, Triple DES, AES, RC4, RSA, Attacks, Primality test, Factoring

Simple DES:

Cipher Principles

Block Cipher vs Stream Cipher:

Block Cipher: A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Block size of 64 or 128 bits is used.

Stream Cipher: Encrypts a data stream one bit or one byte at a time.

Block Cipher Principles
Most symmetric block ciphers are based on a Feistel cipher structure.
They use the idea of a product cipher: performing two or more basic ciphers in sequence in such a way that the final result or product is cryptographically strong.

Claude Shannon and Substitution-Permutation Ciphers

Claude Shannon introduced the idea of substitution-permutation (S-P) networks.
S-P networks are based on the two primitive cryptographic operations we have seen before:

Substitution (S-box)
o A binary word is replaced by some other binary word
o The whole substitution function forms the key
o If we use n-bit words, the key space is (2^n)!

Permutation (P-box)
o A binary word has its bits reordered (permuted)
o The re-ordering forms the key
o If we use n-bit words, the key space is n! (less secure than substitution)

Substitution-permutation Network:
Shannon combined these two primitives.
He called these mixing transformations.
A special form of product cipher where
o S-boxes provide confusion of input bits
o P-boxes provide diffusion across S-box inputs

Confusion and Diffusion:
More practically, Shannon suggested combining elements to obtain:
o Diffusion – The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext.
o Confusion – Makes the relationship between ciphertext and key as complex as possible.

Feistel Cipher Structure
Horst Feistel devised the Feistel cipher.

Concept:
Input to the encryption algorithm: a plaintext block of length 2w bits and a key K.
o Plaintext is divided into two halves, L0 and R0
o The two halves of the data pass through n rounds of processing
o They are then combined to produce the ciphertext block
o Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki derived from the overall K

Substitution: is performed on the left half of the data
o By applying round function F to the right half of the data
o Then taking the XOR of the output of that function and the left half of the data

Permutation: is performed that consists of the interchange of the two halves of the data.

Feistel Cipher Design Principles
Block size: increasing size improves security, but slows the cipher
Key size: increasing size improves security and makes exhaustive key searching harder, but may slow the cipher
Number of rounds: increasing number improves security, but slows the cipher
Subkey generation: greater complexity can make analysis harder
Round function: greater complexity can make analysis harder
Fast software en/decryption & ease of analysis: more recent concerns for execution speed, practical use and testing

Feistel Cipher Encryption & Decryption:
For the ith iteration of the encryption algorithm,

LEi = REi-1
REi = LEi-1 XOR F(REi-1, Ki)
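The round equations above can be run directly. The following is an added example, not part of the original notes: a toy 64-bit Feistel network whose round function F (a truncated SHA-256) and subkeys are constructed for illustration. It shows that decryption is the same routine with the subkeys reversed, even though F itself cannot be inverted, and measures the avalanche effect of a one-bit plaintext change.

```python
import hashlib

W = 32                                   # half-block width in bits (2w = 64-bit block)
MASK = (1 << W) - 1
# Constructed subkeys K1..K16; a real cipher derives them from K with a key schedule.
SUBKEYS = [(0x9E3779B9 * (i + 1)) & 0xFFFFFFFF for i in range(16)]


def F(right: int, subkey: int) -> int:
    """Toy round function: hash (R, Ki) and keep w bits. Not invertible on purpose."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block: int, subkeys) -> int:
    left, right = (block >> W) & MASK, block & MASK      # L0, R0
    for k in subkeys:
        # LEi = REi-1 ; REi = LEi-1 XOR F(REi-1, Ki)
        left, right = right, left ^ F(right, k)
    return (right << W) | left           # swap the halves once more after the last round


def encrypt(block: int) -> int:
    return feistel(block, SUBKEYS)


def decrypt(block: int) -> int:
    return feistel(block, SUBKEYS[::-1])  # same algorithm, subkeys K16..K1


def bits_changed(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    pt = 0x0123456789ABCDEF              # constructed sample block
    ct = encrypt(pt)
    print(f"ciphertext      {ct:016x}")
    print(f"decrypts back   {decrypt(ct) == pt}")
    print(f"avalanche bits  {bits_changed(ct, encrypt(pt ^ 1))} of 64")
```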

Data Encryption Standard (DES)
The most widely used encryption scheme is based on the Data Encryption Standard (DES), adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST), as Federal Information Processing Standard 46 (FIPS PUB 46).

The algorithm itself is referred to as the Data Encryption Algorithm (DEA). For DES, data are encrypted in 64-bit blocks using a 56-bit key. The same steps, with the same key, are used to reverse the encryption.

DES Encryption:
The basic process consists of:
o An initial permutation (IP)
o 16 rounds of a complex key-dependent calculation f
o A final permutation, being the inverse of IP

DES key schedule: (Operation on key)
A 64-bit key is used as an input to the algorithm.
The bits are numbered from 1 to 64; every 8th bit is ignored.
The key schedule forms the subkeys used in each round.

Consists of:
o Initial permutation of the key (PC1), which selects 56 bits in two 28-bit halves, C0 and D0
o 16 stages, in which:
  o At each round, the two halves are separately subjected to a circular shift or rotation of 1 or 2 bits
  o These shifted values serve as input to the next round
  o They also serve as input to permuted choice 2 (PC2), which produces a 48-bit output that serves as input to the function F(Ri-1, Ki)

General DES encryption Algorithm:

Explanation of the phases:

Initial Permutation:

Inverse IP:
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

Expansion Permutation (E):
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Permutation Function (P):

Initial Permutation IP:
This is the first step of the data computation.
IP reorders the input data bits; it changes the even bits to the LH half and the odd bits to the RH half.

DES Round Structure:
Input is divided into 2 halves, Li–1 and Ri–1

Li = Ri–1
Ri = Li–1 XOR F(Ri–1, Ki)

F takes the 32-bit R half and the 48-bit round key and:
o Expands R to 48 bits using the expansion permutation (E)
o XORs the resulting 48 bits with Ki
o Passes the 48-bit result through 8 substitution functions (S-boxes) to get a 32-bit result
o Finally permutes this using the 32-bit permutation P and produces the 32-bit output

Substitution Boxes S:
Substitution has eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output.
Outer bits 1 & 6 (row bits) select one row of 4: the first and last bits of the input to box Si form a 2-bit binary number that selects one of the four substitutions defined by the four rows in the table for Si.
Inner bits 2-5 (column bits) are substituted: the middle four bits select one of the 16 columns.
The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output.
Row selection depends on both data & key.

Single Round of DES Algorithm:

Calculation of F(R,K):

DES Decryption:
With the Feistel design, decryption uses the same algorithm as encryption, except that the application of subkeys is reversed (SK16 … SK1).

Avalanche Effect:
DES exhibits a strong avalanche effect.
A key desirable property of an encryption algorithm is that a change in either the plaintext or the key should produce a significant change in the ciphertext.
In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext.
If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched.

Strength of DES – Key Size:
A 56-bit key has 2^56 key values.
Brute force search looks hard.

Strength of DES – Analytic Attacks:
There are now several analytic attacks on DES.
These utilize some deep structure of the cipher:
o By gathering information about encryptions
o Can eventually recover some/all of the subkey bits
o If necessary, then exhaustively search for the rest

Generally these are statistical attacks, including:
Differential cryptanalysis – It is capable of breaking DES in less than 2^55 chosen plaintexts.
o This scheme can cryptanalyze DES with an effort on the order of 2^47, requiring 2^47 chosen plaintexts.
Linear cryptanalysis – This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis.
o It may be easier to acquire known plaintext rather than chosen plaintext.

Modes of Operation:

Block ciphers encrypt fixed-size blocks.
o E.g. DES encrypts 64-bit blocks, with a 56-bit key
A way is needed to use them in practice, given that there is usually an arbitrary amount of information to encrypt.
Four modes were defined for DES in the ANSI standard ANSI X3.106-1983 Modes of Use.
There are block and stream modes.

Electronic Codebook (ECB):
Message is broken into independent blocks which are encrypted
Each block is a value which is substituted, like a codebook (hence name)
Each block is encoded independently of the other blocks

Ci = DES_K1(Pi)

Uses: secure transmission of single values

Advantages and Limitations of ECB
Repetitions in the message may show in the ciphertext
o If aligned with the message block
o Particularly with data such as graphics
o Or with messages that change very little, which become a code-book analysis problem
Weakness is due to encrypted message blocks being independent
Main use is sending a few blocks of data

Cipher Block Chaining (CBC)
Message is broken into blocks
But these are linked together in the encryption operation
Each previous cipher block is chained with the current plaintext block (hence name)
Use Initial Vector (IV) to start process

Ci = DES_K1(Pi XOR Ci-1)
C-1 = IV

Uses: bulk data encryption, authentication

Advantages and Limitations of CBC
Each ciphertext block depends on all message blocks before it
Thus a change in the message affects all ciphertext blocks
Need Initial Value (IV)
o Which must be known to sender & receiver
o If IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
o Hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message

Message Padding:
At end of message, handle possible last short block which is not as large as the block size of the cipher.
o Pad either with known non-data value (e.g. nulls)
o Or pad last block with count of pad size
  E.g. [ b1 b2 b3 0 0 0 0 5] means there are 3 data bytes, then 5 bytes of pad + count

Cipher Feed Back (CFB)
Message is treated as a stream of bits
Added to the output of the block cipher
Result is feedback for next stage (hence name)
Standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
o Denoted CFB-1, CFB-8, CFB-64, CFB-128 etc.
Is most efficient to use all 64 bits in block

Ci = Pi XOR DES_K1(Ci-1)
C-1 = IV

Uses: stream data encryption, authentication

Advantages and Limitations of CFB
Appropriate when data arrives in bits/bytes
Most common stream mode
Limitation is the need to stall while doing block encryption after every n bits
Note that the block cipher is used in encryption mode at both ends
Errors propagate for several blocks after the error

Output Feed Back (OFB)
Message is treated as a stream of bits
Output of cipher is added to message
Output is then fed back (hence name)
Feedback is independent of message
Can be computed in advance

Ci = Pi XOR Oi
Oi = DES_K1(Oi-1)
O-1 = IV

Uses: stream encryption on noisy channels

Advantages and Limitations of OFB
Used when error feedback is a problem or where encryptions need to be done before the message is available
More vulnerable to message stream modification
But feedback is from the output of cipher and is independent of message
A variation of a Vernam cipher
o Hence must never reuse the same sequence (key + IV)
Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
Originally specified with m-bit feedback in the standards
Subsequent research has shown that only full block feedback (i.e., CFB-64 or CFB-128) should ever be used

Counter (CTR)
A “new” mode, though proposed early on
Similar to OFB but encrypts counter value rather than any feedback value
Must have a different key & counter value for every plaintext block (never reused)

Ci = Pi XOR Oi
Oi = DES_K1(i)

Uses: high-speed network encryptions

Advantages and Limitations of CTR
Efficiency
o Can do parallel encryptions in hardware or software
o Can preprocess in advance of need
o Good for bursty high speed links
Random access to encrypted data blocks
Provable security (good as other modes)
But must ensure never to reuse key/counter values, otherwise could break (cf OFB)
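The two CTR properties listed above, random access and the rule against reusing key/counter values, can be checked in a few lines. This is an added example, not part of the original notes; because CTR only ever runs the cipher forwards, HMAC-SHA256 truncated to 64 bits stands in for DES_K1, and the key, nonces and messages are constructed samples.

```python
import hashlib
import hmac

BLOCK = 8   # bytes; 64-bit blocks as with DES


def E(key: bytes, block_in: bytes) -> bytes:
    """Stand-in for DES_K1(.): a keyed PRF (HMAC-SHA256 cut to 64 bits).
    CTR never runs the cipher backwards, so no inverse is needed here."""
    return hmac.new(key, block_in, hashlib.sha256).digest()[:BLOCK]


def ctr_xor(key: bytes, nonce: bytes, data: bytes, first_block: int = 0) -> bytes:
    """Ci = Pi XOR Oi with Oi = E_K(nonce || i). Encrypts and decrypts alike."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        i = first_block + off // BLOCK
        o_i = E(key, nonce + i.to_bytes(4, "big"))
        out += bytes(p ^ o for p, o in zip(data[off:off + BLOCK], o_i))
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample data
KEY = b"constructed-demo-key"
P1 = b"transfer 100 to alice".ljust(24)
P2 = b"transfer 950 to bob".ljust(24)


def recovered_from_pair(nonce1: bytes, nonce2: bytes) -> bytes:
    """What a holder of C1, C2 and a known P1 can compute: C1 XOR C2 XOR P1."""
    c1 = ctr_xor(KEY, nonce1, P1)
    c2 = ctr_xor(KEY, nonce2, P2)
    return xor(xor(c1, c2), P1)


if __name__ == "__main__":
    n1, n2 = b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"
    c1 = ctr_xor(KEY, n1, P1)
    # Random access: block 2 decrypts without touching blocks 0 and 1
    print(ctr_xor(KEY, n1, c1[16:24], first_block=2))
    # Same key + counter twice: the keystream cancels and P2 falls out
    print(recovered_from_pair(n1, n1))
    # Distinct counter range per message: the XOR is unrelated noise
    print(recovered_from_pair(n1, n2))
```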

Advanced Encryption Standard (AES) Evaluation Criteria

Origins:
Clearly a replacement for DES was needed
o There are theoretical attacks that can break it
o Exhaustive key search attacks have been demonstrated
Can use Triple-DES – but slow, has small blocks

AES Evaluation Criteria
Initial criteria:
o Security – Effort required for practical cryptanalysis
o Cost – AES must have high computational efficiency
o Algorithm & implementation characteristics – Includes flexibility, suitability for a variety of h/w and s/w implementations and simplicity
Final criteria:
o General security
o Software & hardware implementation ease
o Implementation attacks
o Flexibility (in en/decrypt, keying, other factors)

AES Cipher - Rijndael
Designed by Rijmen - Daemen in Belgium
Has 128/192/256 bit keys, 128 bit data
An iterative rather than Feistel cipher
o Processes data as block of 4 columns of 4 bytes
o Operates on entire data block in every round
Designed to be:
o Resistant against known attacks
o Speed and code compactness on wide range of platforms

Rijndael:
Data block of 4 columns of 4 bytes (state)
Key is expanded to an array of forty-four 32-bit words
Four different stages are used, one of permutation and three of substitution:
o Byte substitution: uses an S-box to perform a byte-by-byte substitution of the block
o Shift rows: a simple permutation
o Mix columns: a substitution that makes use of arithmetic over GF(2^8)
o Add round key: a simple bitwise XOR of the current block with a portion of the expanded key
All operations can be combined into XOR and table lookups - hence very fast & efficient

AES encryption and decryption:

Byte Substitution:
A simple substitution of each byte
AES defines a 16x16 matrix of byte values containing a permutation of all 256 8-bit values
Each individual byte of state is mapped into a new byte in the following way: row (leftmost 4 bits) & column (rightmost 4 bits)
o E.g. byte {95} is replaced by the byte in row 9, column 5, which has the value {2A}

Shift Rows:

A circular byte shift in each row:
o 1st row is unchanged
o 2nd row does 1 byte circular shift to left
o 3rd row does 2 byte circular shift to left
o 4th row does 3 byte circular shift to left
Decrypt does shifts to right

Mix Columns:
Each column is processed separately
Each byte is mapped into a new value that is a function of all 4 bytes in the column
Effectively a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1
Can express each column as 4 equations
o To derive each new byte in the column
In GF(2^8), addition is the bitwise XOR operation, and multiplication can be performed according to the rule.
Decryption requires use of the inverse matrix
o With larger coefficients, hence a little harder

Add Round Key:
Lastly is the Add Round Key stage, in which the 128 bits of state are bitwise XORed with the 128 bits of the round key.
The first matrix is the state and the 2nd matrix is the round key.
Inverse for decryption is identical since XOR is its own inverse, just with the correct round key.

AES Round

AES Key Expansion
Takes the 4-word (16-byte) key and expands it into an array of 44 words (156 bytes)
Key expansion algorithm:

    KeyExpansion (byte key[16], word w[44])
    {
        word temp;
        // copy the key into the first 4 words
        for (i = 0; i < 4; i++)
            w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
        // fill in the remaining 40 words
        for (i = 4; i < 44; i++)
        {
            temp = w[i-1];
            // every fourth word goes through the function g
            if (i mod 4 == 0)
                temp = SubWord(RotWord(temp)) XOR Rcon[i/4];
            w[i] = w[i-4] XOR temp;
        }
    }

Start by copying the key into the first 4 words
The remainder of the expanded key is filled in four words at a time
Each word w[i] depends on the immediately preceding word w[i-1] and the word four positions back, w[i-4]
Symbol g represents the complex function. It contains the following subfunctions:
1. RotWord performs a one-byte circular left shift on a word.
2. SubWord performs a byte substitution on each byte of its input word using the S-box.
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].

Triple DES
Clearly a replacement for DES was needed due to brute force attacks
o Exhaustive key search attacks have been demonstrated
AES is a new cipher alternative
Prior to this, the alternative was to use multiple encryption with DES implementations

Double DES:
Using two encryption stages and two keys

C = Ek2(Ek1(P))
P = Dk1(Dk2(C))

It is proved that there is no key k3 such that C = Ek2(Ek1(P)) = Ek3(P)
But there is a possibility of a meet-in-the-middle attack
Thus 2DES is NOT secure (if DES is broken)

Meet-in-the-Middle Attack:
Assume C = Ek2(Ek1(P))
Given the plaintext P and ciphertext C:
o Encrypt P using all possible keys k1
o Decrypt C using all possible keys k2
o Check each result against the list of encrypted plaintexts
o If a match is found, test the two resulting keys against a new known plaintext and ciphertext pair
o If it turns out correct, accept them as the keys
o Otherwise keep decrypting C
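The procedure above explains why double encryption adds roughly one bit of strength rather than doubling the key length. The following added example, not part of the original notes, runs it against a toy cipher constructed here (16-bit blocks, 12-bit keys; it is not DES): the search costs 2 x 2^12 cipher operations instead of 2^24, and the extra known pairs are what weed out the false matches left by the first pair.

```python
BLOCK_BITS, KEY_BITS = 16, 12            # toy sizes so the search finishes instantly
MASK = (1 << BLOCK_BITS) - 1
MUL = 0x6A2B                             # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << BLOCK_BITS)


def rotl(x, r):
    return ((x << r) | (x >> (BLOCK_BITS - r))) & MASK


def E(k, p):
    """Toy invertible block cipher (constructed for this example, not DES)."""
    x = p
    for r in range(4):
        x = (x + k + r) & MASK
        x = (x * MUL) & MASK
        x = rotl(x ^ (k << 3), 5)
    return x


def D(k, c):
    x = c
    for r in reversed(range(4)):
        x = rotl(x, BLOCK_BITS - 5) ^ (k << 3)   # rotate right by 5, strip key
        x = (x * MUL_INV) & MASK
        x = (x - k - r) & MASK
    return x


def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))               # C = Ek2(Ek1(P))


def meet_in_the_middle(pairs):
    """Return (surviving key pairs, number of matches on the first pair alone)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(1 << KEY_BITS):      # encrypt P under every k1
        middle.setdefault(E(k1, p0), []).append(k1)
    survivors, first_pair_matches = [], 0
    for k2 in range(1 << KEY_BITS):      # decrypt C under every k2
        for k1 in middle.get(D(k2, c0), ()):
            first_pair_matches += 1
            # test the candidate keys against the further known pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                survivors.append((k1, k2))
    return survivors, first_pair_matches


if __name__ == "__main__":
    K1, K2 = 0xA5C, 0x3F1                # constructed secret keys
    pairs = [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    survivors, matches = meet_in_the_middle(pairs)
    print(f"cipher operations: {2 << KEY_BITS} instead of {1 << 2 * KEY_BITS}")
    print(f"first-pair matches: {matches}")
    print(f"survivors: {[(hex(a), hex(b)) for a, b in survivors]}")
```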

Why Triple-DES? Why not Double-DES?
Double-DES is NOT the same as some other single-DES use, but it is subject to the meet-in-the-middle attack
o Works whenever a cipher is used twice

Triple-DES with Two-Keys
The counter to the meet-in-the-middle attack is to use 3 encryptions with 3 different keys.
This has the drawback of requiring a key length of 56*3 = 168 bits.
But can use 2 keys with E-D-E sequence

C = EK1[DK2[EK1[P]]]

If K1 = K2 then can work with single DES
Standardized in ANSI X9.17 & ISO 8732
Brute force attack on 3DES is impossible in practice; it is very hard.

Triple-DES with Three-Keys
Although there are no practical attacks on two-key Triple-DES, there are some indications
Can use Triple-DES with Three-Keys to avoid even these
o C = EK3[DK2[EK1[P]]]
Has been adopted by some Internet applications, e.g. PGP, S/MIME.

RSA Algorithm:
Introduced by Rivest, Shamir & Adleman of MIT in 1977
Best used public-key scheme
It is a block cipher in which plaintext and ciphertext are integers between 0 and n-1 for some n.
Typical size of n is 1024
RSA makes use of expressions with exponentials
Security is due to the cost of factoring large numbers
o Factorization takes O(e^(log n log log n)) operations (hard)

RSA algorithm:
The ingredients of the RSA algorithm are as follows:
1. p, q, two prime numbers (private, chosen)
2. n = pq (public, calculated)
3. e, with gcd(e, ø(n)) = 1, where 1 < e < ø(n) (public, chosen)
4. d ≡ e^-1 mod ø(n) (private, calculated)

RSA Key generation:
Each user generates a public/private key pair by:
1. Select p, q: p and q are prime numbers, p is not equal to q
2. Calculate n = p * q
3. Calculate ø(n) = (p-1)(q-1)
4. Select integer e: gcd(e, ø(n)) = 1, where 1 < e < ø(n)
5. Calculate d: d ≡ e^-1 mod ø(n)
6. Public key: KU = {e, n}
7. Private key: KR = {d, n}

RSA Encryption and decryption:
Encryption:
Plaintext: M < n
Ciphertext: C = M^e mod n

Decryption:
Ciphertext: C
Plaintext: M = C^d mod n

RSA example:
1. Select primes: p = 17 & q = 11
2. Compute n = pq = 17×11 = 187
3. Compute ø(n) = (p–1)(q–1) = 16×10 = 160
4. Select e: gcd(e, 160) = 1; choose e = 7
5. Determine d:
   d ≡ e^-1 mod ø(n)
   d ≡ 7^-1 mod 160 = 23 (using EEA)
6. Publish public key KU = {7, 187}
7. Private key KR = {23, 187}

Given message M = 88
Encryption:
C = 88^7 mod 187 = 11
Decryption:
M = 11^23 mod 187 = 88

Computational aspects of RSA:
Consider two issues in RSA:
o Encryption and decryption
o Key generation

Encryption and decryption:
Both encryption and decryption in RSA involve raising an integer to an integer power mod n (exponentiation)
Another consideration is the efficiency of exponentiation
RSA makes use of large exponents, and a fast modular exponentiation algorithm is used to compute a^b mod n.

Variable c is not needed. It is included for explanatory purposes. The value of c is the value of the exponent.

Key generation:
Users of RSA must:
o Determine two primes at random - p, q
o Select either e or d and compute the other
Primes p, q must not be easily derived from modulus n = p·q
o Means they must be sufficiently large
Exponents e, d are inverses, so use the inverse algorithm to compute the other (Extended Euclid’s algorithm)

RSA security:
Three approaches to attacking RSA:
o Brute force key search (trying all possible private keys)
o Mathematical attacks (factoring the product of two primes)
o Timing attacks (depends on running of decryption algorithm)

Factoring problem:
o Factor n into its two prime factors p and q, calculate ø(n) and find d
o Determine ø(n) directly and compute d
o Determine d directly, without first determining ø(n)

Have seen slow improvements over the years
o As of Aug-99 best is 512 bit with GNFS
Biggest improvement comes from improved algorithm
o “quadratic sieve” to “generalized number field sieve”
Ensure p, q of similar size and matching other constraints

The threat to larger key sizes is twofold: the continuous increase in computing power and the continuing refinement of factoring problems.

Timing attack:
Attacker can determine a private key by keeping track of how long a computer takes to decipher the message.
o Attack may be from a completely unexpected direction
o And it may be a ciphertext-only attack
Exploit timing variations in operations using the fast modular exponentiation algorithm
o E.g. multiplying by small vs large number
If the observed time to execute the decryption algorithm is always slow when the particular iteration is slow with a bit 1, then it is assumed to be 1.
If the observed time for the entire algorithm is fast, then this bit is assumed to be 0.

Countermeasures:
o Constant exponentiation time: ensure that all exponentiations take the same amount of time before returning a result.
o Random delay: better performance can be achieved by adding a random delay to the exponentiation algorithm to confuse the timing attack.
o Blinding: multiply the ciphertext by a random number before performing exponentiation. This process prevents the attacker from knowing what ciphertext bits are being processed inside the computer and therefore prevents the bit-by-bit analysis essential to the timing attack.
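The RSA key generation steps, the fast exponentiation with its explanatory variable c, and the blinding countermeasure fit together in one short program. This is an added example, not part of the original notes; the function names are chosen here, and the numbers are the ones from the RSA example above (p = 17, q = 11, e = 7, M = 88).

```python
import secrets
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(e, m):
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("no inverse: gcd(e, m) != 1")
    return x % m


def mod_exp(a, b, n):
    """Square-and-multiply, scanning the exponent bits from the left.
    c is not needed; it only tracks the exponent built so far."""
    c, f = 0, 1
    for bit in bin(b)[2:]:
        c, f = 2 * c, (f * f) % n
        if bit == "1":
            # Extra multiply only on 1 bits: the data-dependent step
            # whose duration a timing attack measures.
            c, f = c + 1, (f * a) % n
    assert c == b
    return f


def keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (mod_inverse(e, phi), n)      # KU = {e, n}, KR = {d, n}


def decrypt_blinded(c, private, public):
    """Blinding: exponentiate C * r^e for a fresh random r, then remove r.
    (C * r^e)^d = M * r mod n, so the secret exponent never sees C itself."""
    (d, n), (e, _) = private, public
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    blinded = (c * mod_exp(r, e, n)) % n
    return (mod_exp(blinded, d, n) * mod_inverse(r, n)) % n


if __name__ == "__main__":
    public, private = keygen(17, 11, 7)
    c = mod_exp(88, *public)
    print(public, private, c)
    print(mod_exp(c, *private), decrypt_blinded(c, private, public))
```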

Primality Testing:
An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p.
E.g. 2, 3, 5, 7 are prime; 4, 6, 8, 9, 10 are not prime.
The list of prime numbers less than 200 is:
o 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

Example:

Fermat Primality Test:

Miller – Rabin Primality Test:

Examples:

Solovay – Strassen Primality Test:

Example:

Factoring:
The basic method of dividing an integer n by all primes p ≤ √n is much too slow for most purposes.

It works well when n is the product of two primes that are very close together. But if the two primes are randomly selected, it won’t work that efficiently.
There are some more modern methodologies for factoring. They are as follows:

P-1 Factoring Algorithm:

Choosing of B values:

Quadratic Sieve Methodology:

Universal Exponent Factorization Method:

Exponent Factorization Method:

