Post on 23-Dec-2015
Chapter 20: Symmetric Encryption and Message Confidentiality
Symmetric Encryption
also referred to as:
• conventional encryption
• secret-key or single-key encryption
only alternative before public-key encryption in 1970’s
still most widely used alternative
has five ingredients:
• plaintext
• encryption algorithm
• secret key
• ciphertext
• decryption algorithm
Cryptography
classified along three independent dimensions:
the type of operations used for transforming plaintext to ciphertext
• substitution – each element in the plaintext is mapped into another element
• transposition – elements in plaintext are rearranged
the number of keys used
• sender and receiver use same key – symmetric
• sender and receiver each use a different key – asymmetric
the way in which the plaintext is processed
• block cipher – processes input one block of elements at a time
• stream cipher – processes the input elements continuously
Cryptanalysis
type of attack
known to cryptanalyst
Computationally Secure Encryption Schemes
encryption is computationally secure if:
• cost of breaking cipher exceeds value of information
• time required to break cipher exceeds the useful lifetime of the information
usually very difficult to estimate the amount of effort required to break
can estimate time/cost of a brute-force attack
Feistel Cipher Structure
Block Cipher Structure
symmetric block cipher consists of:
• a sequence of rounds
• with substitutions and permutations controlled by key
parameters and design features:
• block size
• key size
• number of rounds
• subkey generation algorithm
• round function
• fast software encryption/decryption
• ease of analysis
DES
Most widely used encryption
Minor variation on Feistel network
Modern symmetric-key cryptosystems:
• Data Encryption Standard (DES): adopted in 1976; block size = 64 bits; key length = 56 bits
• Advanced Encryption Standard (AES): adopted in 2000; block sizes = 128, 192, or 256 bits; key lengths = 128, 192, or 256 bits
1973: NBS (now NIST) solicits proposals for crypto algorithm which:
• Provides a high level of security
• Is completely specified and easy to understand
• Is available royalty-free
• Is efficient
DES - Keys
Any 56-bit string can be a DES key
There are 2^56 keys: 72,057,594,037,927,936 DES keys
Test one trillion keys per second: 2 hours to find the key
A very small number of “weak keys”
DES – The Algorithm
To encrypt a 64-bit plaintext block:
• An initial permutation
• 16 rounds of substitution, transposition
• 48-bit subkey added to each round
• Subkeys derived from 56-bit DES key
• Final permutation
DES Initial Permutation
Permutes 64 bits of the plaintext
• 58th bit is moved to position 1
• 50th bit is moved to position 2
• …
• 7th bit is moved to position 64
DES – Subkey Generation
DES key: 64 bits (eight parity bits)
A 56-bit DES key:
11010001101010101000101011101010101000100011010101010101
The 64-bit representation:
1101000111010100101000110101110010101010000100011101010010101010
Sixteen 48-bit subkeys generated from 64-bit DES key (one for each round)
DES – Subkey (cont)
64-bit DES key:
1101000111010100101000110101110010101010000100011101010010101010
A key permutation removes eight parity bits and
• The 57th bit is moved to position 1
• The 49th bit is moved to position 2
• …
• The 4th bit is moved to position 56
64-bit “key” to 56-bit DES key
DES – Subkey Gen (cont)
56 key bits (after permutation) divided into two 28-bit halves
Each half circularly shifted left by one bit (rounds 1,2,9 and 16) or 2 bits (all other rounds)
Halves recombined into 56 bit string
DES – Compression Perm
Compression permutation selects 48 bits
• 14th bit goes to output 1
• 17th bit goes to output 2
• …
• 32nd bit goes to output 48
DES Round 1 Subkey & Subkey overview
DES – Rounds
Each of 16 rounds takes 64-bit block of input to 64-bit block of output
The output from initial perm is input to round one
Round one output is input to round two
Round two output is input to round three
Round 16 output is ciphertext
DES – Round 1
[Figure: DES round 1. Labels: Subkey1; Input block (64); L1 (32), R1 (32); EP; XOR; S-box; P-box; XOR; L2 (32), R2 (32); Output block (64)]
DES Rounds
64-bit input divided into two 32-bit halves
Right half sent through expansion perm which produces 48 bits by
• Rearranging the input bits
• Repeating some input bits more than once
Expansion permutation
DES – XOR Operation
XOR is applied to the 48-bit output of expansion perm and subkey
The resulting 48-bits go to S-boxes
DES – S-boxes
S-boxes perform substitution
• 8 different S-boxes
• Each S-box maps 6 bits to 4 bits
• Bits 1-6 are input to S-box 1
• Bits 7-12 are input to S-box 2, etc.
DES – Inside an S-box
Each S-box has 4 rows, 16 columns.
• First and last input bits specify the row.
• Middle four input bits specify the column
e.g. S-box 1
S-box entry is the four-bit output.
Examples with S-box 1:
• 011010 → row 0, column 13 → 9 = 1001 (output)
• 110010 → row 2, column 9 → 12 = 1100 (output)
• 000011 → row 1, column 1 → 15 = 1111 (output)
DES – S-boxes
DES – P-box
32-bit output of S-boxes goes to P-box
P-box permutes the bits
• The first bit is moved to position 16
• The second bit is moved to position 7
• The third bit is moved to position 20
• …
• The thirty-second bit is moved into position 25
DES – Second XOR Operation
Output of P-box is XORed with the left half of 64-bit input block
32-bit output of the XOR operation: 01101111011011000110111010010010
DES – Rounds
64-bit output from round 1 is input for round 2
Output from round 2 is input for round 3
…
Output from round 16 is passed through a final permutation
DES – Final Perm
Final permutation is inverse of initial perm
• 40th bit is moved into the 1st position
• 8th bit is moved into the 2nd position
• …
• 25th bit is moved into the 64th position
Output of final permutation is ciphertext
DES – Encryption Overview
DES - Decryption
Same algorithm and key as encryption
Subkeys are applied in opposite order
• Subkey 16 used in first round
• Subkey 15 used in second round
• …
• Subkey 1 used in 16th round
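Why the same algorithm decrypts when the subkeys are reversed, as an added example that is not part of the original slides. It is a generic 16-round Feistel network on 64-bit blocks, not DES: `round_fn` is a hypothetical SHA-256 stand-in for the expansion perm, S-boxes and P-box, and the subkeys and plaintext block are constructed.

```python
# Added example (not from the slides): a 16-round Feistel network.
import hashlib

MASK32 = 0xFFFFFFFF

def round_fn(right: int, subkey: bytes) -> int:
    """Stand-in round function built on SHA-256 (an assumption for this demo).
    DES uses expansion perm, XOR with subkey, S-boxes and P-box here instead."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block: int, subkeys, trace=None) -> int:
    """Run a 64-bit block through one round per subkey, in the order given."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        # New left half is the old right half; the round function output is
        # XORed into the old left half. round_fn itself is never inverted.
        left, right = right, left ^ round_fn(right, k)
        if trace is not None:
            trace.append((left, right))
    return (right << 32) | left          # halves swapped after the last round

def encrypt(block: int, subkeys) -> int:
    return feistel(block, subkeys)

def decrypt(block: int, subkeys) -> int:
    return feistel(block, list(reversed(subkeys)))   # subkey 16 first

# Constructed 48-bit subkeys and plaintext block, for illustration only.
SUBKEYS = [hashlib.sha256(b"demo" + bytes([i])).digest()[:6] for i in range(16)]
PLAIN = 0x0123456789ABCDEF

if __name__ == "__main__":
    c = encrypt(PLAIN, SUBKEYS)
    print(f"cipher  {c:016X}")
    print(f"decrypt {decrypt(c, SUBKEYS):016X}")
    print(f"same subkey order again {feistel(c, SUBKEYS):016X}")
```

Passing a list as `trace` records the halves after every round; the decryption trace is the encryption trace walked backwards with the halves swapped.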
AES
1997: NIST requests proposals for a new Advanced Encryption Standard (AES) to replace DES
NIST required that the algorithm be:
• A symmetric-key cryptosystem
• A block cipher
• Capable of supporting a block size of 128 bits
• Capable of supporting key lengths of 128, 192, and 256 bits
• Available on a worldwide, non-exclusive, royalty-free basis
Evaluation criteria:
• Security - soundness of the mathematical basis and the results of analysis by the research community
• Computational efficiency, memory requirements, flexibility, and simplicity
AES – Round 1 Results
After eight months of analysis and public comment, NIST:
• Eliminated DEAL, Frog, HPC, Loki97, and Magenta
  • Had what NIST considered major security flaws
  • Were among the slowest algorithms submitted
• Eliminated Crypton, DFC, E2, and SAFER+
  • Had what NIST considered minor security flaws
  • Had unimpressive characteristics on the other evaluation criteria
• Eliminated CAST-256
  • Had mediocre speed and large ROM requirements
Five candidates, MARS, RC6, Rijndael, Serpent, and Twofish, advanced to the second round
Analysis and public comment on the five finalists circa 2000
Selects Rijndael
• Adequate security margin, fast encryption, decryption, and key setup speeds, low RAM and ROM requirements
AES – Rijndael Algorithm
Symmetric-key block cipher
• Block sizes are 128, 192, or 256 bits
• Key lengths are 128, 192, or 256 bits
Performs several rounds of operations to transform each block of plaintext into a block of ciphertext
The number of rounds depends on the block size and the length of the key:
• Nine regular rounds if both the block and key are 128 bits
• Eleven regular rounds if either the block or key is 192 bits
• Thirteen regular rounds if either the block or key is 256 bits
One, slightly different, final round is performed after the regular rounds
AES – Rijndael Algorithm (cont)
For a 128-bit block of plaintext and a 128-bit key the algorithm performs:
• An initial AddRoundKey (ARK) operation
• Nine regular rounds composed of four operations:
  • ByteSub (BSB)
  • ShiftRow (SR)
  • MixColumn (MC)
  • AddRoundKey (ARK)
• One final (reduced) round composed of three operations:
  • ByteSub (BSB)
  • ShiftRow (SR)
  • AddRoundKey (ARK)
AES – Rijndael Keys
Keys are expressed as 128-bit (or bigger) quantities
Keyspace contains at least 2^128 elements:
340,282,366,920,938,463,463,374,607,431,768,211,456
Exhaustive search at one trillion keys per second takes:
1×10^19 years (the universe is thought to be about 1×10^10 years old)
Blocks and keys are represented as a two-dimensional array of bytes with four rows and four columns:
• Block = 128 bits = 16 bytes = b0, b1, …, b15
• Key = 128 bits = 16 bytes = k0, k1, …, k15
AES Round Structure
AES - The ByteSub Operation
An S-box is applied to each of the 16 input bytes independently
Each byte is replaced by the output of the S-box:
AES – The Rijndael S-box
The input to the S-box is one byte:
Example 1:
• b0 = 01101011 (binary) = 6b (hex)
• b’0 = row 6, column b = 7f (hex) = 01111111 (binary)
Example 2:
• b1 = 00001000 (binary) = 08 (hex)
• b’1 = row 0, column 8 = 30 (hex) = 00110000 (binary)
Example 3:
• b2 = 11111001 (binary) = f9 (hex)
• b’2 = row f, column 9 = 99 (hex) = 10011001 (binary)
AES - ShiftRow Operation
Each row of the input is circularly left shifted:
• First row by zero places
• Second row by one place
• Third row by two places
• Fourth row by three places
AES - The MixColumn Operation
The four bytes in each input column are replaced with four new bytes:
AES - The AddRoundKey Operation
Each byte of the input block is XORed with the corresponding byte of the round subkey:
AES – Rijndael Overview
Advanced Encryption Standard (AES)
AES Summary
The research community participated very actively and expertly in the design and evaluation of the candidate algorithms
The AES selection process served to raise public awareness of cryptography and its importance
The AES algorithm is widely used
The AES should offer useful cryptographic protection for at least the next few decades
Triple DES (3DES)
first used in financial applications
in DES FIPS PUB 46-3 standard of 1999
uses three keys and three DES executions:
C = E(K3, D(K2, E(K1, P)))
decryption same with keys reversed
use of decryption in second stage gives compatibility with original DES users
effective 168-bit key length, slow, secure
AES will eventually replace 3DES
Stream Ciphers
processes input elements continuously
key input to a pseudorandom bit generator
• produces stream of random like numbers
• unpredictable without knowing input key
• XOR keystream output with plaintext bytes
are faster and use far less code
design considerations:
• encryption sequence should have a large period
• keystream approximates random number properties
• uses a sufficiently long key
Table 20.3: Speed Comparisons of Symmetric Ciphers on a Pentium 4
Source: http://www.cryptopp.com/benchmarks.html
The RC4 Algorithm
Block Cipher Modes
Many modes of operation
We discuss two in particular later on
Electronic Codebook (ECB) mode
• Obvious thing to do
• Encrypt each block independently
• There is a serious weakness
Cipher Block Chaining (CBC) mode
• Chain the blocks together
• More secure than ECB, virtually no extra work
Modes of Operation
Electronic Codebook (ECB)
simplest mode
plaintext is handled b bits at a time and each block is encrypted using the same key
“codebook” because have unique ciphertext value for each plaintext block
not secure for long messages since repeated plaintext is seen in repeated ciphertext
to overcome security deficiencies you need a technique where the same plaintext block, if repeated, produces different ciphertext blocks
Alice Hates ECB Mode
Alice’s uncompressed image, Alice ECB encrypted (TEA)
Why does this happen? Same plaintext block ⇒ same ciphertext!
CBC Mode
Blocks are “chained” together
A random initialization vector, or IV, is required to initialize CBC mode
IV is random, but need not be secret
Encryption:
C0 = E(IV ⊕ P0, K),
C1 = E(C0 ⊕ P1, K),
C2 = E(C1 ⊕ P2, K), …
Decryption:
P0 = IV ⊕ D(C0, K),
P1 = C0 ⊕ D(C1, K),
P2 = C1 ⊕ D(C2, K), …
Cipher Block Chaining (CBC)
CBC Mode
Identical plaintext blocks yield different ciphertext blocks
Cut and paste is still possible, but more complex (and will cause garbles)
If C1 is garbled to, say, G then P1 ≠ C0 ⊕ D(G, K), P2 ≠ G ⊕ D(C2, K)
But, P3 = C2 ⊕ D(C3, K), P4 = C3 ⊕ D(C4, K), …
Automatically recovers from errors!
Alice Likes CBC Mode
Alice’s uncompressed image, Alice CBC encrypted (TEA)
Why does this happen? Same plaintext yields different ciphertext!
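The ECB and CBC behaviour described in the two mode sections above, as an added example that is not part of the original slides. It uses TEA (the cipher named in the image captions) on 64-bit blocks; the key, IV and plaintext blocks are constructed, and `damaged_after_garble` is a helper named here to show which plaintext blocks a garbled ciphertext block affects.

```python
DELTA, M32 = 0x9E3779B9, 0xFFFFFFFF

def tea_encrypt(block, key):
    v0, v1, s = block >> 32, block & M32, 0
    for _ in range(32):
        s = (s + DELTA) & M32
        v0 = (v0 + (((v1 << 4) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & M32
        v1 = (v1 + (((v0 << 4) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & M32
    return (v0 << 32) | v1

def tea_decrypt(block, key):
    v0, v1, s = block >> 32, block & M32, (DELTA * 32) & M32
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & M32
        v0 = (v0 - (((v1 << 4) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & M32
        s = (s - DELTA) & M32
    return (v0 << 32) | v1

def ecb_encrypt(blocks, key):
    return [tea_encrypt(p, key) for p in blocks]      # each block on its own

def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv
    for p in blocks:
        prev = tea_encrypt(prev ^ p, key)             # C_i = E(C_{i-1} XOR P_i, K)
        out.append(prev)
    return out

def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(prev ^ tea_decrypt(c, key))        # P_i = C_{i-1} XOR D(C_i, K)
        prev = c
    return out

def damaged_after_garble(plain, key, iv, index):
    """Garble one ciphertext block; return indices of plaintext blocks that change."""
    cipher = cbc_encrypt(plain, key, iv)
    cipher[index] ^= 0xFF                             # G replaces C_index
    got = cbc_decrypt(cipher, key, iv)
    return [i for i, (a, b) in enumerate(zip(plain, got)) if a != b]

KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)  # constructed sample key
IV = 0x0F1E2D3C4B5A6978   # constructed; a real IV is freshly random per message
A, B = 0x4141414141414141, 0x4242424242424242
PLAIN = [A, A, B, A, A]   # repeated blocks, like flat areas of an image
if __name__ == "__main__":
    print("ECB:", [f"{c:016x}" for c in ecb_encrypt(PLAIN, KEY)])
    print("CBC:", [f"{c:016x}" for c in cbc_encrypt(PLAIN, KEY, IV)])
```

In the ECB output the four identical plaintext blocks share one ciphertext value; in CBC all five differ, and `damaged_after_garble(PLAIN, KEY, IV, 1)` reports that garbling C1 disturbs only P1 and P2.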
Location of Encryption
Key Distribution
the means of delivering a key to two parties that wish to exchange data without allowing others to see the key
two parties (A and B) can achieve this by:
1. a key could be selected by A and physically delivered to B
2. a third party could select the key and physically deliver it to A and B
3. if A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key
4. if A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B
Key Distribution
Chapter Summary
• symmetric encryption principles
  • cryptography
  • cryptanalysis
  • Feistel cipher structure
• data encryption standard
• triple DES
• advanced encryption standard
  • algorithm details
• key distribution
• stream ciphers and RC4
  • stream cipher structure
  • RC4 algorithm
• cipher block modes of operation
  • electronic codebook mode
  • cipher block chaining mode
  • cipher feedback mode
  • counter mode
• location of symmetric encryption devices