Cryptography -- Block Ciphers Anita Jones CS451 Information Security Copyright(C) Anita Jones.

Post on 23-Dec-2015


Cryptography -- Block Ciphers

Anita Jones
CS451 Information Security

Copyright(C) Anita Jones

September, 2006

Overview

terms and principles
Claude Shannon
Feistel cipher
DES


A few terms

block cipher
  block of plaintext is treated as a whole & used to produce a ciphertext block of equal length
  typical size: 64 bits
  most modern ciphers are block ciphers

stream cipher
  digital data is encrypted one bit (or one unit) at a time

In both cases, plaintext is transformed incrementally

Symmetric ciphers

Symmetric implies ONE key

Secret key shared by sender & receiver


Background

ideally want one extremely large substitution
not practical since would need a table with 2^64 entries in it for a 64-bit block
so approximate the ideal by constructing from smaller building blocks


Basis of modern ciphers

Claude Shannon ('45) - information theory
product cipher
  perform two or more ciphers in sequence so that result (product) is cryptographically stronger than any component cipher
alternate confusion & diffusion
virtually all significant symmetric block ciphers currently in use are of this type


Shannon’s strategy

thwart cryptanalysis that is based on statistical analysis

hacker has some knowledge of statistical characteristic of plaintext

if statistics are reflected in ciphertext, then analyst may be able to deduce encryption key, or part of it

in Shannon’s ideal cipher, statistics of ciphertext are independent of plaintext


Shannon’s building blocks

confusion
  make relation between statistics of ciphertext and the value of the encryption key as complex as possible

diffusion
  diffuse statistical property of plaintext digit across a range of ciphertext digits
  i.e. each plaintext digit affects value of many ciphertext digits


Shannon’s building blocks

Shannon proposed product ciphers with two components
S-Boxes -- substitution
  providing confusion of input bits
P-Boxes -- permutation
  providing diffusion across S-box inputs
n rounds of S-P boxes


S-box (substitution)

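[Figure: S-box with a 3 bit input (bits shown: 0, 1, 0), the values 0-7 on the input side and 0-7 on the output side, and a 3 bit output (bits shown: 1, 1, 0)]

Word size of 3 bits => mapping of 2^3 = 8 values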

Note: mapping can be reversed


P-box (permutation)

[Figure: two P-box examples, each with a 4 bit input. Example 1 - Note: reversible. Example 2 - swap two halves of input.]


S-P networks

alternate S and P boxes
BUT, in practice we must decrypt as well as encrypt
so define the sequence of boxes so that precisely the same system will decrypt as well as encrypt
  just run it backwards


Feistel cipher

input plaintext of 2w bits
key K = n sub-keys: K_1, K_2, …, K_n
sequence of n “rounds” each using K_i
  substitution followed by a permutation
  apply function F(K_i) to right half of data, then exclusive-OR it to left half of data
  permutation: interchange two result halves of data
DES is essentially a Feistel cipher


Feistel cipher

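Multiple rounds
round i input is L_{i-1}, R_{i-1}
  L_i = R_{i-1}
  R_i = L_{i-1} XOR F(R_{i-1}, K_i)

L – left portion of intermediate data
R – right …..

[Figure: Feistel network. Labels: plaintext (2w bits) split into two w-bit halves L_0 and R_0; Round 1 with K_1, F and XOR (+), giving L_1, R_1; . . . ; Round n with K_n, F and XOR (+), with L_n, R_n; L_{n+1}, R_{n+1}; ciphertext (2w bits)]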


Feistel cipher dependencies

block size – increasing size increases security – 64 bits common
key size – increasing size improves security – 128 bits common
number of rounds – 16 is typical
subkey generation – complex generation makes cryptanalysis harder
round function – complex function is stronger

… but all increases slow the implementation


Feistel decryption

same as encryption, except
  ciphertext is input
  use keys in reverse order
at each round the output is equal to the corresponding value of the encryption process with the two halves of the value swapped
final permutation (swap) realigns 2 halves


History of DES

DES – Data Encryption Standard
Horst Feistel at IBM developed LUCIFER about 1971, sold to Lloyds of London
Nat’l Bureau of Standards issued request for national cipher standard
IBM submitted (refined) LUCIFER
NSA worked with IBM to refine cipher
adopted in 1977 by Nat’l Bureau of Stds.


DES Characteristics

Plaintext is 64 bits long
16 rounds
Key length is 56 bits
  16 sub-keys generated, one used in each round
DES algorithm is a variant of the Feistel algorithm

[Figure: DES overview. Data path labels: plaintext (64 bits), init permutation, round 1 (K1), round 2 (K2), . . . , round n (Kn), 32 bit swap, inverse permutation, ciphertext (64 bits). Key path labels: 56 bit key, permute, then a left circ shift and perm for each round.]


DES cipher

round i input is L_{i-1}, R_{i-1}
  L_i = R_{i-1}
  R_i = L_{i-1} XOR F(R_{i-1}, K_i)

[Figure: One DES Round. Labels: L_{i-1} and R_{i-1} (32 bits each); exp/perm to 48 (48 bits); XOR with K_i (48 bits); S-box (32 bits); permutation (32 bits); XOR; outputs L_i and R_i]


Key property

avalanche
  small change in plaintext or in key produces significant change in ciphertext

test for avalanche
  encrypt two plaintext blocks that differ only in one bit
  about half the (ciphertext) bits will differ
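
The Feistel round equations, the reversed-key decryption from the "Feistel decryption" slide and the avalanche test above, as an added Python example that is not part of the original slides. The key schedule and the hash-based round function F are assumptions chosen for illustration; this is a generic Feistel network, not DES.

```python
import hashlib
import hmac

W = 32                      # half-block width in bits (block is 2w = 64 bits)
MASK = (1 << W) - 1
ROUNDS = 16                 # "16 is typical"


def subkeys(key: bytes, n: int = ROUNDS) -> list:
    # Assumed toy key schedule: K_i = SHA-256(key || i). Not the DES schedule.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, n + 1)]


def F(r: int, k: bytes) -> int:
    # Assumed round function: HMAC-SHA256 truncated to w bits.
    # F does not have to be invertible for the cipher to be invertible.
    mac = hmac.new(k, r.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def feistel(block: int, keys: list) -> int:
    left, right = block >> W, block & MASK
    for k in keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ F(right, k)
    # Final swap realigns the two halves so the same routine also decrypts.
    return (right << W) | left


def encrypt(block: int, key: bytes) -> int:
    return feistel(block, subkeys(key))


def decrypt(block: int, key: bytes) -> int:
    return feistel(block, subkeys(key)[::-1])   # same system, keys in reverse order


def avalanche(block: int, key: bytes) -> float:
    # Flip each of the 64 plaintext bits in turn and average how many
    # ciphertext bits change relative to the unmodified encryption.
    base = encrypt(block, key)
    diffs = [bin(base ^ encrypt(block ^ (1 << b), key)).count("1") for b in range(2 * W)]
    return sum(diffs) / len(diffs)


if __name__ == "__main__":
    key, pt = b"constructed demo key", 0x0123456789ABCDEF   # constructed sample values
    ct = encrypt(pt, key)
    print(f"ct={ct:016x} roundtrip={decrypt(ct, key) == pt} avalanche={avalanche(pt, key):.1f}/64")
```
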


DES controversy

DES choice was intensely criticized:
  original LUCIFER key length was 128 bits, and DES used 56 bit key (to fit on chip, they said)
  critics feared brute force attacks
  design criteria for the S-boxes were classified, so users not sure that internal structure was free of hidden weak points that might let NSA break cipher


DES status

no weak points have surfaced
DES is widely used
1994, NIST reaffirmed DES for federal use
NIST recommends DES use for all except classified information
generally considered a sound standard
Need more security: use Triple DES
Future: Advanced Encryption Standard (AES)


Cryptanalysis of DES

increased computing speed has made a 56 bit key susceptible to exhaustive key search
demonstrated breaks:
  1997 – taking a few months, a large network of computers broke DES
  1998 – Electronic Frontier Foundation broke DES in a few days on dedicated hardware
  1999 – break accomplished in 22 hours
in practice DES is used, and works


1997 break

RSA issued reward of $10,000 for finding a DES key, given ciphertext for known and unknown plaintext

solution found in 96 days – involved 70,000 computers on the Internet

an embarrassingly parallel problem – just divide the key space being searched (brute force) each time a new computer joins in

found the key after searching 1/4 key space


So, how does the Prez talk?

STU-III: http://webhome.idirect.com/~jproc/crypto/stuiii.html
http://www.tscm.com/stu.html

“A STU-III operates by taking an audio signal and digitizing it into a serial data stream (usually 8,000 bits per second). This is then mixed with a "keying stream" of data created by an internal ciphering algorithm. This mixed data is then passed through an internal CODEC to convert it back to audio so it can be passed over the phone lines. STU-III's also allow a serial data stream to pass through the phone and into the ciphering engine to allow its usage as an encrypted modem when not being used for voice. The "keying stream" is a polymorphic regenerating mathematic algorithm which takes an initialization key and mathematically morphs it into a bit stream pattern. The "keying stream" is created by the "Key Generator" and is the actual heart of the STU. A portion of the "keying stream" is then mixed back into the original key, and process repeated. The result is a pseudo-random bit stream that if properly implemented is extremely difficult (but not impossible) to decrypt.”

Source: http://www.tscm.com/stu.html


Model for cryptography-revisit

[Figure: model for cryptography. Labels: two Principals, each with a Message, Secret Information and a Security Transform, connected by an Info channel; a Trusted 3rd Party (arbitrates, distributes secret information); an Opponent]