Cryptography -- Block Ciphers Anita Jones CS451 Information Security Copyright(C) Anita Jones.

Cryptography -- Block Ciphers

Anita Jones
CS451 Information Security

Copyright(C) Anita Jones

September, 2006

Overview

terms and principles
Claude Shannon
Feistel cipher
DES

A few terms

block cipher
  block of plaintext is treated as a whole & used to produce a ciphertext block of equal length
  typical size: 64 bits
  most modern ciphers are block ciphers

stream cipher
  digital data is encrypted one bit (or one unit) at a time

In both cases, plaintext is transformed incrementally

Symmetric ciphers

Symmetric implies ONE key

Secret key shared by sender & receiver

Background

ideally want one extremely large substitution
not practical since would need a table with 2^64 entries in it for a 64-bit block
so approximate the ideal by constructing from smaller building blocks

Basis of modern ciphers

Claude Shannon (‘45) - information theory
product cipher
  perform two or more ciphers in sequence so that result (product) is cryptographically stronger than any component cipher
  alternate confusion & diffusion
virtually all significant symmetric block ciphers currently in use are of this type

Shannon’s strategy

thwart cryptanalysis that is based on statistical analysis

hacker has some knowledge of statistical characteristic of plaintext

if statistics are reflected in ciphertext, then analyst may be able to deduce encryption key, or part of it

in Shannon’s ideal cipher, statistics of ciphertext are independent of plaintext

Shannon’s building blocks

confusion
  make relation between statistics of ciphertext and the value of the encryption key as complex as possible

diffusion
  diffuse statistical property of plaintext digit across a range of ciphertext digits
  i.e. each plaintext digit affects value of many ciphertext digits

Shannon’s building blocks

Shannon proposed product ciphers with two components
  S-Boxes -- substitution
    providing confusion of input bits
  P-Boxes -- permutation
    providing diffusion across S-box inputs
n rounds of S-P boxes

S-box (substitution)

[Figure: S-box taking a 3 bit input, selecting one of the values 0-7, mapping it to another of the values 0-7, and producing a 3 bit output]

Word size of 3 bits => mapping of 2^3 = 8 values

Note: mapping can be reversed

P-box (permutation)

[Figure: two P-box examples that rearrange the bits of a 4 bit input]

Example 1
  Note: reversible

Example 2 - swap two halves of input

S-P networks

alternate S and P boxes
BUT, in practice we must decrypt as well as encrypt
so define the sequence of boxes so that precisely the same system will decrypt as well as encrypt
  just run it backwards
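An added example, not part of the original slides: a toy 16-bit S-P network showing that, when every S-box and P-box is a reversible mapping, decryption is the same rounds run backwards with the inverse boxes. The sample S-box, the P-box wiring, the XOR of a round key before each substitution and the round keys are assumptions chosen for illustration; the cipher is a teaching toy, not a secure design.

```python
# Sample 4-bit S-box (assumption): any permutation of 0..15 is reversible.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# P-box (assumption): input bit i moves to output position PBOX[i], so the
# four output bits of one S-box feed four different S-boxes in the next round.
PBOX = [(4 * (i % 4) + i // 4 + 1) % 16 for i in range(16)]

def invert(table):
    # Reverse a mapping: if table[i] == v then inverse[v] == i.
    inv = [0] * len(table)
    for i, v in enumerate(table):
        inv[v] = i
    return inv

SBOX_INV, PBOX_INV = invert(SBOX), invert(PBOX)

def substitute(block, sbox):
    # Confusion: apply the S-box to each of the four 4-bit words.
    return sum(sbox[(block >> s) & 0xF] << s for s in (0, 4, 8, 12))

def permute(block, pbox):
    # Diffusion: move every bit to the position the P-box assigns it.
    return sum(((block >> i) & 1) << pbox[i] for i in range(16))

def encrypt(block, round_keys):
    for k in round_keys:
        block = permute(substitute(block ^ k, SBOX), PBOX)
    return block

def decrypt(block, round_keys):
    # Run it backwards: inverse P-box, inverse S-box, remove the round key,
    # taking the rounds in reverse order.
    for k in reversed(round_keys):
        block = substitute(permute(block, PBOX_INV), SBOX_INV) ^ k
    return block

if __name__ == "__main__":
    keys = [0x3A94, 0xD63F, 0x1C2B, 0x7E05]  # constructed round keys
    pt = 0x26B7                              # constructed plaintext block
    ct = encrypt(pt, keys)
    print(f"{pt:04x} -> {ct:04x} -> {decrypt(ct, keys):04x}")
```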

Feistel cipher

input plaintext of 2w bits
key K = n sub-keys: K1, K2, …, Kn

sequence of n “rounds” each using Ki

substitution followed by a permutation

apply function F(Ki) to right half of data, then exclusive-OR it to left half of data

permutation: interchange two result halves of data

DES is essentially a Feistel cipher

Feistel cipher

Multiple rounds
round i input is L_{i-1}, R_{i-1}

  L_i = R_{i-1}
  R_i = L_{i-1} XOR F(R_{i-1}, K_i)

L – left portion of intermediate data
R – right …..

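[Figure: Feistel network. The plaintext (2w bits) is split into two w-bit halves L0 and R0. Round 1 applies F with K1 and an XOR to produce L1, R1, and so on through Round n with Kn, giving Ln, Rn. The final output Ln+1, Rn+1 is the ciphertext (2w bits)]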

Feistel cipher dependencies

block size – increasing size increases security – 64 bits common

key size – increasing size improves security – 128 bits common

number of rounds – 16 is typical

subkey generation – complex generation makes cryptanalysis harder

round function – complex function is stronger

… but all increases slow the implementation

Feistel decryption

same as encryption, except
  ciphertext is input
  use keys in reverse order

at each round the output is equal to the corresponding value of the encryption process with the two halves of the value swapped

final permutation (swap) realigns 2 halves

History of DES

DES – Data Encryption Standard
Horst Feistel at IBM developed LUCIFER
  about 1971, sold to Lloyds of London
Nat’l Bureau of Standards issued request for national cipher standard
IBM submitted (refined) LUCIFER
NSA worked with IBM to refine cipher
adopted in 1977 by Nat’l Bureau of Stds.

DES Characteristics

Plaintext is 64 bits long
16 rounds
Key length is 56 bits

16 sub-keys generated, one used in each round

DES algorithm is a variant of the Feistel algorithm

[Figure: DES overall structure. Data path: plaintext (64 bits), init permutation, round 1 with K1, round 2 with K2, ..., round n with Kn, 32 bit swap, inverse permutation, ciphertext (64 bits). Key path: 56 bit key, permute, then for each round a left circ shift and a perm that produces that round's sub-key]

DES cipher

round i input is L_{i-1}, R_{i-1}

  L_i = R_{i-1}
  R_i = L_{i-1} XOR F(R_{i-1}, K_i)

One DES Round

[Figure: L_{i-1} and R_{i-1} enter the round, 32 bits each. R_{i-1} passes through exp/perm to 48 bits, is XORed with K_i (48 bits), goes through the S-box (32 bits out) and a permutation (32 bits), and is then XORed with L_{i-1} to give R_i. L_i is R_{i-1}]

Key property

avalanche
  small change in plaintext or in key produces significant change in ciphertext

test for avalanche
  encrypt two plaintext blocks that differ only in one bit
  about half the (ciphertext) bits will differ
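The Feistel round equations and decryption rule from the earlier slides, combined with the avalanche test described above, as an added example that is not part of the original slides. The round function F and the subkey generation are toy assumptions built on SHA-256, not those of DES; the block uses w = 32 and 16 rounds.

```python
import hashlib

W = 32                    # half-block width w, so a block is 2w = 64 bits
MASK = (1 << W) - 1

def F(right, subkey):
    # Toy round function (assumption): truncated SHA-256 of R and K_i.
    # F is not invertible; the Feistel structure supplies reversibility.
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def subkeys(key, n=16):
    # Toy subkey generation (assumption): hash the key with the round index.
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(n)]

def feistel(block, round_keys):
    left, right = block >> W, block & MASK
    for k in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ F(right, k)
    # Final swap realigns the halves so the same routine also decrypts.
    return (right << W) | left

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    # Same rounds, ciphertext as input, subkeys in reverse order.
    return feistel(block, subkeys(key)[::-1])

def avalanche(key, plaintext, bit):
    # Count ciphertext bits that change when one plaintext bit is flipped.
    c1 = encrypt(plaintext, key)
    c2 = encrypt(plaintext ^ (1 << bit), key)
    return bin(c1 ^ c2).count("1")

if __name__ == "__main__":
    key = b"constructed demo key"      # constructed sample key
    pt = 0x0123456789ABCDEF            # constructed sample block
    ct = encrypt(pt, key)
    print(f"ciphertext {ct:016x}, decrypts back: {decrypt(ct, key) == pt}")
    flips = [avalanche(key, pt, b) for b in range(64)]
    print(f"mean bits changed per 1-bit flip: {sum(flips) / 64:.1f} of 64")
```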

DES controversy

DES choice was intensely criticized:
  original LUCIFER key length was 128 bits, and DES used 56 bit key (to fit on chip, they said)
    critics feared brute force attacks
  design criteria for the S-boxes was classified, so users not sure that internal structure was free of hidden weak points that might let NSA break cipher

DES status

no weak points have surfaced
DES is widely used
1994, NIST reaffirmed DES for federal use
NIST recommends DES use for all except classified information
generally considered a sound standard
Need more security: use Triple DES
Future: Advanced Encryption Standard (AES)

Cryptanalysis of DES

increased computing speed has made a 56 bit key susceptible to exhaustive key search

demonstrated breaks:
  1997 – taking a few months, a large network of computers broke DES
  1998 – Electronic Frontier Foundation broke DES in a few days on dedicated hardware
  1999 – break accomplished in 22 hours

in practice DES is used, and works

1997 break

RSA issued reward of $10,000 for finding a DES key, given ciphertext for known and unknown plaintext

solution found in 96 days – involved 70,000 computers on the Internet

an embarrassingly parallel problem – just divide the key space being searched (brute force) each time a new computer joins in

found the key after searching 1/4 key space

So, how does the Prez talk?

STU-III: http://webhome.idirect.com/~jproc/crypto/stuiii.html

http://www.tscm.com/stu.html

“A STU-III operates by taking an audio signal and digitizing it into a serial data stream (usually 8,000 bits per second). This is then mixed with a "keying stream" of data created by an internal ciphering algorithm. This mixed data is then passed through an internal CODEC to convert it back to audio so it can be passed over the phone lines. STU-III's also allow a serial data stream to pass through the phone and into the ciphering engine to allow its usage as an encrypted modem when not being used for voice. The "keying stream" is a polymorphic regenerating mathematic algorithm which takes an initialization key and mathematically morphs it into a bit stream pattern. The "keying stream" is created by the "Key Generator" and is the actual heart of the STU. A portion of the "keying stream" is then mixed back into the original key, and the process repeated. The result is a pseudo-random bit stream that if properly implemented is extremely difficult (but not impossible) to decrypt.”

Source: http://www.tscm.com/stu.html

Model for cryptography-revisit

[Figure: model for cryptography. Two Principals exchange a Message over an Info channel; at each end a Security Transform is applied to the Message using Secret Information. A Trusted 3rd Party arbitrates and distributes secret information. An Opponent is shown at the Info channel]