Applied Cryptography (Symmetric)
Part I

"Many savages at the present day regard their names as vital parts of themselves, and therefore take great pains to conceal their real names, lest these should give to evil-disposed persons a handle by which to injure their owners."
— The Golden Bough, Sir James George Frazer

Symmetric Encryption
- or conventional / private-key / single-key
- sender and recipient share a common key
- all classical encryption algorithms are private-key
- was only type prior to invention of public-key in 1970's
- and by far most widely used

Some Basic Terminology
- plaintext - original message
- ciphertext - coded message
- cipher - algorithm for transforming plaintext to ciphertext
- key - info used in cipher known only to sender/receiver
- encipher (encrypt) - converting plaintext to ciphertext
- decipher (decrypt) - recovering plaintext from ciphertext
- cryptography - study of encryption principles/methods
- cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key
- cryptology - field of both cryptography and cryptanalysis

Symmetric Cipher Model

Requirements
- two requirements for secure use of symmetric encryption:
  • a strong encryption algorithm
  • a secret key known only to sender / receiver
- mathematically have:
  Y = E_K(X)
  X = D_K(Y)
- assume encryption algorithm is known
- implies a secure channel to distribute key

Cryptography
- classify cryptographic system by:
- type of encryption operations used
  • substitution / transposition / product
- number of keys used
  • single-key or private / two-key or public
- way in which plaintext is processed
  • block / stream

Cryptanalysis
- objective to recover key not just message
- general approaches:
  • cryptanalytic attack
  • brute-force attack

More Definitions
- unconditional security
  • no matter how much computer power or time is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
- computational security
  • given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken

Brute Force Search
- always possible to simply try every key
- most basic attack, proportional to key size
- assume either know / recognise plaintext

| Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs |
|---|---|---|---|
| 32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds |
| 56 | 2^56 = 7.2 × 10^16 | 2^55 µs = 1142 years | 10.01 hours |
| 128 | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years |
| 168 | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years |
| 26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years |

Modern Block Ciphers
- now look at modern block ciphers
- one of the most widely used types of cryptographic algorithms
- provide secrecy / authentication services
- focus on DES (Data Encryption Standard) to illustrate block cipher design principles

Block vs Stream Ciphers
- block ciphers process messages in blocks, each of which is then en/decrypted
- like a substitution on very big characters
  • 64-bits or more
- stream ciphers process messages a bit or byte at a time when en/decrypting
- many current ciphers are block ciphers
  • broader range of applications

Block Cipher Principles
- most symmetric block ciphers are based on a Feistel Cipher Structure
- block ciphers look like an extremely large substitution
- would need table of 2^64 entries for a 64-bit block
- instead create from smaller building blocks using idea of a product cipher

Ideal Block Cipher

Claude Shannon and Substitution-Permutation Ciphers
- Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
- form basis of modern block ciphers
- S-P nets are based on the two primitive cryptographic operations seen before:
  • substitution (S-box)
  • permutation (P-box)
- provide confusion & diffusion of message & key

Confusion and Diffusion
- cipher needs to completely obscure statistical properties of original message
- a one-time pad does this
- more practically Shannon suggested combining S & P elements to obtain:
  • diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
  • confusion – makes relationship between ciphertext and key as complex as possible

Feistel Cipher Structure
- Horst Feistel devised the feistel cipher
  • based on concept of invertible product cipher
- partitions input block into two halves
  • process through multiple rounds which perform a substitution on left data half based on round function of right half & subkey
  • then have permutation swapping halves
- implements Shannon's S-P net concept

Feistel Cipher Structure

Feistel Cipher Design Elements
- block size
- key size
- number of rounds
- subkey generation algorithm
- round function
- fast software en/decryption
- ease of analysis

Feistel Cipher Decryption

Data Encryption Standard (DES)
- most widely used block cipher in world
- adopted in 1977 by NIST as FIPS PUB 46
- encrypts 64-bit data using 56-bit key
- has widespread use
- has been considerable controversy over its security

DES Encryption Overview

DES Round Structure
- uses two 32-bit L & R halves
- as for any Feistel cipher can describe as:
  L_i = R_{i-1}
  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
- Function F takes 32-bit R half and 48-bit subkey:
  • expands R to 48-bits using permutation E
  • adds to subkey using XOR
  • passes through 8 S-boxes to get 32-bit result
  • finally permutes using 32-bit perm P

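The round equations L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i) above, together with the Feistel structure and decryption slides, as an added runnable example (not the slides' own code, and not DES): a generic 16-round Feistel network on 64-bit blocks. The round function and the subkey derivation are toy stand-ins assumed here for illustration. It shows two things the slides state: decryption is the same routine run with the subkeys in reverse order, and F itself never has to be invertible.

```python
# Generic Feistel network on 64-bit blocks (two 32-bit halves), implementing
#   L_i = R_{i-1}
#   R_i = L_{i-1} XOR F(R_{i-1}, K_i)
# Added example, not the slides' code and not DES: toy_round_function and
# toy_key_schedule are assumptions chosen to be simple, not the DES E/S/P round.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def toy_round_function(r, k):
    """Toy F(R, K): mixes the 32-bit right half with a 32-bit subkey.
    x ^ rotl(x, n) on 32 bits is many-to-one, so F is NOT invertible in r;
    the Feistel structure only ever recomputes F, it never inverts it."""
    x = (r + k) & MASK32
    x ^= rotl32(x, 7)
    x = (x * 0x9E3779B1) & MASK32
    return x ^ rotl32(x, 13)


def toy_key_schedule(key64, rounds):
    """Toy subkey generation (assumption): rotate the 64-bit key by a
    round-dependent amount and fold the two 32-bit halves together."""
    subkeys = []
    for i in range(rounds):
        rot = (i * 11) % 64
        k = ((key64 << rot) | (key64 >> (64 - rot))) & MASK64
        subkeys.append((k & MASK32) ^ (k >> 32))
    return subkeys


def feistel(block64, subkeys):
    """Run the rounds with the subkeys in the given order. The final swap is
    undone at the end, so calling this again with the subkeys reversed
    recovers the input block."""
    left = (block64 >> 32) & MASK32
    right = block64 & MASK32
    for k in subkeys:
        left, right = right, left ^ toy_round_function(right, k)
    return (right << 32) | left


def encrypt(block64, key64, rounds=16):
    return feistel(block64, toy_key_schedule(key64, rounds))


def decrypt(block64, key64, rounds=16):
    return feistel(block64, list(reversed(toy_key_schedule(key64, rounds))))


def round_trip_ok(block64, key64, rounds=16):
    return decrypt(encrypt(block64, key64, rounds), key64, rounds) == block64


if __name__ == "__main__":
    key = 0x0F1571C947D9E859    # constructed sample key
    block = 0x0123456789ABCDEF  # constructed sample block
    ct = encrypt(block, key)
    print(f"ciphertext {ct:016x}, round trip ok: {round_trip_ok(block, key)}")
```

With a single round the output's high half is L_0 XOR F(R_0, K_1) and the low half is R_0 unchanged, which is exactly the pair of round equations; the non-invertibility of F is visible in that F(0, 0) and F(0xFFFFFFFF, 0) collide.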
DES Round Structure

Substitution Boxes S
- have eight S-boxes which map 6 to 4 bits
- each S-box is actually 4 little 4 bit boxes
  • outer bits 1 & 6 (row bits) select one row of 4
  • inner bits 2-5 (col bits) are substituted
  • result is 8 groups of 4 bits, or 32 bits
- row selection depends on both data & key
  • feature known as autoclaving (autokeying)
- example: S(18 09 12 3d 11 17 38 39) = 5fd25e03

(figure: S-box S1 table)

DES Key Schedule
- forms subkeys used in each round
- initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
- 16 stages consisting of:
  • rotating each half separately either 1 or 2 places depending on the key rotation schedule K
  • selecting 24-bits from each half & permuting them by PC2 for use in round function F
- note practical use issues in h/w vs s/w

Avalanche Effect
- key desirable property of encryption algorithms
- where a change of one input or key bit results in changing approx half output bits
- making attempts to "home-in" by guessing keys impossible
- DES exhibits strong avalanche

Stream Ciphers
- process message bit by bit (as a stream)
- have a pseudo random keystream combined (XOR) with plaintext bit by bit
- randomness of stream key completely destroys statistical properties in message
  • C_i = M_i XOR StreamKey_i
- but must never reuse stream key
  • otherwise can recover messages (cf book cipher)

Stream Cipher Structure

Stream Cipher Properties
- some design considerations are:
  • long period with no repetitions
  • statistically random
  • depends on large enough key
  • large linear complexity
- properly designed, can be as secure as a block cipher with same size key
- but usually simpler & faster

RC4
- a proprietary cipher owned by RSA DSI
- another Ron Rivest design, simple but effective
- variable key size, byte-oriented stream cipher
- widely used (web SSL/TLS, wireless WEP)
- key forms random permutation of all 8-bit values
- uses that permutation to scramble input info processed a byte at a time

RC4 Encryption
- encryption continues shuffling array values
- sum of shuffled pair selects "stream key" value from permutation
- XOR S[t] with next byte of message to en/decrypt

  i = j = 0
  for each message byte M_i:
      i = (i + 1) (mod 256)
      j = (j + S[i]) (mod 256)
      swap(S[i], S[j])
      t = (S[i] + S[j]) (mod 256)
      C_i = M_i XOR S[t]

RC4 Overview

RC4 Security
- claimed secure against known attacks
  • have some analyses, none practical
- result is very non-linear
- since RC4 is a stream cipher, must never reuse a key
- have a concern with WEP, but due to key handling rather than RC4 itself