Network Security & Cryptography Lecture 8

Network Security

and

Cryptography

Lecture 8

Advanced Block Ciphers Triple DES, CAST, BLOWFISH, IDEA

Uday Prakash Pethakamsetty

[email protected]

Taxonomy of Cryptographic primitives

3/18/2013 2JNTUH CEH Network Security &

Cryptography

Private Key Algorithms

Encryption

Decryption

Key1

Key1

Cyphertext

Ekey1(M) = C

Dkey1(C) = M

Original Plaintext

Plaintext

What granularity of the message does Ek encrypt?


Cryptography

General Block Encryption

• The general way of encrypting a 64-bit block is to take

each of the:

264 input values and map it to a unique one of the 264

output values.

This would take (264 )*(64) = 270 bits. NOT practical.

• Secret key cryptographic systems take a reasonable length

key (e.g., 64 bits) and generate a one-to-one mapping

that appears, to someone who does not know the key, as

completely random.

I.e., any single bit change in the input results in a totally

independent random number output.


Cryptography

Structure of Multiround block ciphers

• These are private-key symmetric ciphers – same key for encrypt and decrypt

• Each single round must be invertible

• Key scheduling rounds do not need to be invertible

• If key is constant from block to block, this is a monoalphabetic, but with huge alphabet

• Strength comes from confusion and diffusion repeatedly applied

Single round Key scheduling round Inverse of single round

Single round

Single round

Key scheduling round

Key scheduling round

Inverse of single round

Inverse of single round

KeyPlaintext

input

Plaintextoutput

Ciphertext out Ciphertext in


Cryptography

Structure of a single round

• Invertible operations can include– Bitwise exclusive or

– Addition modulo block size

– Galois field but not conventional multiplication

– permutation

Partially

Encrypted text

From previous round

Non-feedback network of

Invertible operations

Key for this round

From key scheduler

Partially

Encrypted text

To next round

XOR

A

C

KXOR

A

C

KExample of an invertible

operation

If C = K xor A

Then A = K xor C


Cryptography

Types of transformation for k-bit blocks

o Substitution: Specify for each of the 2k possible values of

the input, the k-bit output. This takes k.2k bits. This is

reasonable for k=8.

o Permutation: Specify for each of the k input bits, the

output position to which it goes. This takes k*log2 k bits.

• Next slide shows a secret key algorithm based on rounds

of substitution and permutation. If we do only a

single round, then a bit of input can only affect 8 bits of

output. There is an optimal number of rounds to achieve

complete randomization. The algorithm take the same

effort to reverse (decrypt).


Cryptography

Example of block encryption


Cryptography

Private Key Algorithms

• Block Ciphers: blocks of bits at a time

– DES (Data Encryption Standard)Banks, linux passwords (almost), SSL, kerberos, …

– Blowfish (SSL as option)

– IDEA (used in PGP, SSL as option)

– Rinjdael (AES) – the new standard

• Stream Ciphers: one bit (or a few bits) at a time

– RC4 (SSL as option)

– PKZip

– Sober, Leviathan, Panama, …


Cryptography

Private Key: Block Ciphers

• Encrypt one block at a time (e.g., 64 bits)

• ci = f(k,mi) mi = f’(k,ci)

• Keys and blocks are often about the same size.

• Equal message blocks will encrypt to equal code blocks– Why is this a problem?

• Various ways to avoid this:– E.g. ci = f(k,ci-1 mi)

“Cipher block chaining” (CBC)

• Why could this still be a problem?

Solution: attach random block to the front of the message


Cryptography

Security of Block Ciphers

• Ideal:

– k-bit -> k-bit key-dependent substitution

(i.e. “random permutation”)

– If keys and blocks are k-bits, can be implemented

with 22k entry table.


Cryptography

Iterated Block Ciphers

• Consists of n rounds

• R = the “round” function

• si = state after round i

• ki = the ith round key

R

R

R

s1

.

.

.

m

c

.

.

.

key

k1

k2

kn

s2


Cryptography

Iterated Block Ciphers: Decryption

• Run the rounds in

reverse.

• Requires that R

has an inverse.

R-1

R-1

R-1

s1

.

.

.

m

c

.

.

.

key

k2

kn

s2

k1


Cryptography

Feistel Networks• If function is not invertible rounds can still be made

invertible. Requires at least 2 rounds to mix all bits.

Fki

XOR

Fki

XOR

high bits low bits

Forwards Backwards

R R-1

Used by DES (the Data Encryption Standard)


Cryptography

The Feistel block is a reversible round

One-way(nonreversible)

blockXOR

One-way(nonreversible)

blockXOR

Left halfi Right halfi

Left halfi+1

Left halfi

Left halfi+1Right halfi+1

Right halfi

Right halfi+1

Note: This block is reversible

The direction of signal flow does not change in the one-way block

The XOR is a reversible device3/18/2013 15JNTUH CEH Network Security &

Cryptography

More on the Feistel block

• Characteristics and limitations

– Essentially any one-way function can be used – doesn’t have to be reversible

– Because the block scrambles only one half the partial text at a time it is

possibly weaker than other ciphers, but more rounds (typically 16) can be used

– The one-way function is half the width of the block, so a 64-bit block can be

encrypted efficiently with a 32-bit processor

– The Feistel block is vulnerable to differential cryptanalysis, which is a chosen-

plaintext attack. With enough rounds, it is usable.


Cryptography

The equations for the Feistel block

• Comments– These equations are valid for any Feistel block, regardless of the

particular one-way function used

– They are the basis for differential and linear cryptanalysis

– A large number of present-day ciphers, but not all, use Feistel

The direct transformation

Li+1 = Li F(Ri, Ki )

Ri+1 = Li

The inverse transformation

Li = Li+1 F(Li+1, Ki )

Ri = Li+1

The recurrence relation used in differential cryptanalysis

Li+2 = Li+1 F(Li, Ki )


Cryptography

Product Ciphers

• Each round has two components:

– Substitution on smaller blocksDecorrelate input and output: “confusion”

– Permutation across the smaller blocksMix the bits: “diffusion”

• Substitution-Permutation Product Cipher

• Avalanche Effect: 1 bit of input should affectall output bits, ideally evenly, and for allsettings of other in bits


Cryptography

Data Encryption Standard (DES)

• Key length: 56 + 8 parity bits = 64 bits

• 8 bits are used for parity check, why is that?Possible reason: to make it 256 times lesssecure against exhaustive search!read p. 63 in the textbook.

• How secure is DES? In 1998, $150Kmachine can break the key in 5 days!For added security, triple DES is 256 moresecure.


Cryptography

The one-way function for DES

• Components– E-box – expansion and

permutation

– S-box – substitution – a 64 by 4 bit memory or array

– P-box – expansion and permutation

– E and P boxes were hardwired

– S-boxes were in on-chip ROM – 256 bytes per round

E-boxExpand/permute

64x4S-box

48-bit-wide XOR

P-box –permute only

32

48

6

32

4

6

4

48

Per-stage keyword

Input half

Output half


Cryptography

Basic structure of DES

3/18/2013 21

JNTUH CEH Network Security & Cryptography


Cryptography

Why decryption works?

• The output of the Mangler Function (M) is the same for both encryption and decryption.

• In encryption: M ® Ln = Rn+1

• In decryption: M ® Rn+1 = M ® ( M ® Ln ) = Ln

The Mangler Function

• Expands R from 32 bit to 48 bits as shown in Figure:

• It breaks R into eight 4-bit chunks and expand each to 6-bit by

concatenating the adjacent 2 bits. Let CRi refer to chunk i of

expanded R. The 48-bit K is broken to eight 6-bit chunks.

• Let CKi refer to chunk i of K. Let Si = CRi ® Cki; Si is fed into an

S-box, a substitution which produces a 4-bit output for each

possible 6-bit input.

• The 4-bit output of each of the eight S-boxes is permuted (it has

security value to ensure that the output of an S-box in one round

affects the input of multiple S-boxes on the next round).

Mangler Function in DES

Mangler Function

• 48-bit Key and the expanded 48-bit R are broken into 8 chunks of 6-

bits each.

S-boxes

DES Weak Keys

• With many block ciphers there are some keys that should be avoided,because of reduced cipher complexity

• These keys are such that the same sub-key is generated in more than oneround, and they include:

– Weak Keys• The same sub-key is generated for every round

• DES has 4 weak keys

– Semi-weak keys• Only two sub-keys are generated on alternate rounds

• DES has 12 of these (in 6 pairs)

– Demi-Semi Weak Keys• Have four sub-keys generated

• None of these causes a problem since they are a tiny fraction of allavailable keys

• However they MUST be avoided by any key generation program

3/18/2013Dept. of ECE Network Security &

Cryptography29

DES attacks

• Brute force attack

• The COPACOBANA

machine, built for

US$10,000 by the

Universities of Bochum and

Kiel, contains 120 low-cost

FPGAs and can perform an

exhaustive key search on

DES in ays on average. The

p9 dhoto shows the

backplane of the machine

with the FPGAs.


Cryptography30

DES attack : Faster than Brute force attack

• There are three attacks known that can break the full 16 rounds

of DES with less complexity than a brute-force search:

– differential cryptanalysis (DC),

– linear cryptanalysis (LC), and

– Davies' attack.

• However, the attacks are theoretical and are unfeasible to

mount in practice, these types of attack are sometimes termed

certificational weaknesses.


Cryptography31

Possible techniques for improving DES

• Design a complete new algorithm– Requires completely new infrastructure

• Multiple Enciphering with DES

– Double DES, Triple DES,…

• Extending DES to 128 bit data paths and 112

bit keys

• Extending the key expansion calculation.


Cryptography

Double DES

Using two encryption stages and two keys

– C = ek2(ek1(p))

– p=dk1(dk2(c))

It is proved that there is no key k3 such that

– C = e k 2 ( e k 1 ( p ) ) =e k 3 (p )

• Plaintext block length : 64bit block

• Ciphertext block length : 56 2=112 bits

But, meet in the middle attack is possible

Thus, 2-DES is not secure (if DES is broken)


Cryptography

Meet in the Middle attack

Assume C=Ek2 (Ek1(P))

Given the plaintext-cipher text pair, knownplaintext attack.

Encrypt P using all possible key k1

Decrypt C using all possible keys k2

o Check the result with the encrypted plaintext lists

o If match is found, then test the found keys again foranother plaintext and cipher text pair

o If it turns correct, then find the keys

o Otherwise keep decrypting C


Cryptography

3/18/2013 35

Breaking double DES


Breaking double DES-MIM attack

3/18/2013JNTUH CEH Network Security &

Cryptography36

• Given a pair of messages P, and its ciphertext C

(encrypted using some unknown keys k1 and k2).

• When decrypt C using all keys, and encrypt P

using all keys, some results will match

– The expected number of matching's is 256*2

56=2

48.

• When we have another pair of (P2 ,C2), the

possible key pairs that work for them is also 248.

• Then, among these two sets of key pools found, the expected common key

pairs is only

Triple DES

• DES variant

• Standardized in ANSI X.917 & ISO 8732 and in PEM for key management

• Proposed for general EFT standard by ANSI X9

• Backwards compatible with many DES schemes

• Uses either two or three keys.


Cryptography

Triple DES

• Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt)

• C = ciphertext

• P = Plaintext

• EK[X] = encryption of X using key K

• DK[Y] = decryption of Y using key K

• Effective key length of 168 bits

C = EK3[DK2[EK1[P]]]


Cryptography

Triple DES with two keys


Cryptography

Triple DES with three keys


Cryptography

Other Symmetric Block Ciphers

• DES has reached the end of its useful lifetime.

• New symmetric encryption schemes have beenproposed in last decade.

Examples:– International Data Encryption Algorithm (IDEA)

– Blowfish

– RC5

– Cast-128.


Cryptography

CAST 128

• By Carlisle Adams and Stafford Tavares

– Defined in RFC 2144

– Use key size varying from 40 to 128 bits

– Structure of Feistel network

– 16 rounds on 64 bit data block

– The round function differs from round to round

– Four primitive operations

• Addition, subtraction (mod 232)

• Bitwise exclusive-OR


Cryptography

Blowfish

Easy to implement (simple structrure)

Two basic operations: addition, XOR

High execution speed

Similar to Feistel Scheme

Run in less than 5K of memory

Variable security: key length is variable (between 32 and448 bits).

> Allows a tradeoff between speed and security.

-The key is used to generate 18 32-bit subkeys.

-Encryption/decryption consist of 16 rounds.

The sub key and s-boxes are complicated. So, not suitablewhen key changes often.


Cryptography

Blowfish…

• Encryption:

Uses two primitive operations:

1. Addition: performed modulo 232.

2. Bitwise Exclusive-OR.

> These two operations do not commute.

>Making cryptanalysis difficult.


Cryptography

Blowfish…

• Encryption Algorithm:

-Plaintext is divided into two 32 bit halves.

-Go through 16 rounds of transformation usingsubkeys.

-Each rounds takes two 32 bit inputs and produces two32 outputs.

-Output of a round is fed into the next round.

-The output of 16th round is exclusive-ORed with 17th

and 18th subkeys to produce the ciphertext.


Cryptography

Blowfish…

• Details of a Single Round:

- Each round includes complex use of addition modulo232, Ex-OR, and substitution using S-Boxes.

- 32 bit input to the function F is divided into fourbytes.

-Each byte goes through a separate S-box and isexpanded into 32 bits.

-32 bit outputs go through complex transformationusing addition modulo 232 and Ex-OR.


Cryptography

International Data Encryption Algorithm (IDEA)

• Encrypts 64-bit blocks using 128-bit key.

It is similar to DES since it:

– operates in rounds

– the mangler function runs in the same direction for both encryption and decryption

• It differs from DES since:

– Designed to be efficient in software (as opposed to DES’s hardware orientation)

– The encryption and decryption keys are different but related in a complex manner.

• Used in PGP

• Confusion: (the ciphertext should depend upon the plaintext and key in a complex way)

– Confusion is achieved by using three operations.

• Diffusion: (Each plaintext bit should influence as many ciphertext bits as possible)

-IDEA very effective in achieving diffusion.


Cryptography

IDEA...

Confusion:

-Achieved by mixing three different operations.

-Each operation takes two 16-bit inputs and produces a 16-bit output.

Three Operations:

1. Bit-by-bit Exclusive-OR.

2. Addition of integers modulo 2^16 (=65536)

3. Addition of integers modulo 216...-inputs and output are treated as 16 bit unsunged integers.

4. Multiplication of integers modulo 216+1 (=65537).-inputs and output are treated as 16 bit unsunged integers.-A block of all zeros is treated as 216.


Cryptography

IDEA…

• Three Operations:..

“in combination provide a complex transformation

making cryptanalysis very difficult.”

• Three operations are incompatible:

>No two satisfy distributive law.

>No two satisfy associate law.


Cryptography

IDEA…

• Diffusion:

Provided by a multiplication/addition structure

(MA).

>Takes two inputs:

(1) Two 16 bit values derived from plaintext.

(2) Two 16 bit subkeys derived from the key.

>Produces two 16 bit outputs.


Cryptography

IDEA…

• Diffusion:

>Each output bit depends on every input bit and

on every bit of the subkeys.

//meaning lot of diffusion.//

>This structure is repeated 8 times in the

encryption algorithm.

//provides very effective diffusion.//


Cryptography

IDEA…

• Encryption Algorithm:

>Consists of eight rounds.

>64 bit input is divided into four 16-bit sub-blocks.

>Each round uses six 16-bit keys.

>Each round produces four 16-bit outputs.

>Output of a round is fed into the next round.


Cryptography

IDEA…

Details of a Single Round:

Four input sub-blocks are combined with four sub-keys producing 4 output sub-blocks.

Four output sub-blocks are combined using XORoperation to from two 16 bit blocks.

These two blocks are fed into the MA structure.

MA structure takes & produces two 16-bit outputs.

Four outputs of upper transformation are combinedwith the two outputs of MA structure to produce fouroutput blocks for this round.


Cryptography

Basic structure of IDEA

3/18/2013 54


IDEA primitive operations• ® exclusive OR

+ addition mod 216 and

x multiplication mod 216+1

• These operations are reversible:

• a ® K = A » A ® K = a since (a ® K) ® K = a

a + K = A » A + (-K) = a since (a + K) + (-K) = a

a x K = A » A x (K-1) = a since (a x K) x (K-1) = a

K-1 is the multiplicative inverse of K such that K K-1 = 1 mod (216+1)

• Example: K = 1101; -K=0000-1101=0011, a=1001, K-1 = 0100 (Since

4*13=52 = 1+3*17 (17 = 24+1); Euclid’s algorithm sec 7.4)

• a ® K=0100; (a ® K) ® K=1001;

• a+K= 0110; (a+K)+(-K)=1001

• axK= 9*13 mod 17=15; (axK)xK-1mod 17 = 60 mod 17 = 9 = 1001


Cryptography

Key Expansion (Encryption)

• The 128-bit key is expanded into 52 16-bit keys: K1, K2 , ....K52.

Step 1: Keys K1….K8 are generated by taking 8 chunks of 16-bits each

Step 2: Keys K9…K16 are generated by starting from the 25th bit, wrapping

around the first 25 bits at the end, and taking 16-bit chunks.

Step 3: Wrap around 25 more bits to the end, and generate keys K17…K24.

This process is repeated until all keys K1…K52 are generated


Cryptography

IDEA Odd Round

• X is the modified multiply operation, and + is a

modified add.

• To get the original values back, the inverse of Ka is

used for X and –Xb (mod 216) for +.


Cryptography

IDEA Decryption

• Same code can perform either encryption ordecryption given different expanded keys.

• The inverses of the encryption keys and usethem in the opposite order (use the inverseof the last-used encryption key as the firstused when doing encryption).

• Since the last encryption round (an odd-round) used keys K49,K50,K51,K52,

• The first decryption round uses the inversesof the keys K49-K52.


Cryptography

IDEA Even Round


Cryptography

RC 5

• Developed by R. Rivest– Suitable for hardware or software– Fast, simple– Variable number of rounds– Variable-length key– Low memory requirement– High security– Data-dependent rotations (circular bit shifts)

– Fast, simple, low memory, data-dependent rotations

– Adaptable to processors of different word length• A family of algorithms determined by word length, number of rounds, size of

secret key

– Decryption and encryption are not the same• With little variations

– Primitive operations• Addition, XOR, left circular rotation


Cryptography60

RC4

• Ron Rivest (of the famous RCA) is the inventor

• A long random string is called a one-time pad.

• A stream cipher generates a one-time pad and

applies it to a stream of plain text with ®.

• RC4 is a stream cipher designed by Ron Rivest.


Cryptography

C code for RC4 one-time pad generator


Cryptography

Key features of advanced symmetric block ciphers


Cryptography

64

Location of Encryption Device

• Link encryption:

– A lot of encryption devices

– High level of security

– Decrypt each packet at every switch

• End-to-end encryption

– The source encrypt and the receiver decrypts

– Payload encrypted

– Header in the clear

• High Security: Both link and end-to-end encryptionare needed


Cryptography


Cryptography

66

Key Distribution

1. A key could be selected by A and physicallydelivered to B.

2. A third party could select the key and physicallydeliver it to A and B.

3. If A and B have previously used a key, one partycould transmit the new key to the other, encryptedusing the old key.

4. If A and B each have an encrypted connection to athird party C, C could deliver a key on theencrypted links to A and B.


Cryptography

67

Key Distribution

• Session key:

– Data encrypted with a one-time session key. At the

conclusion of the session the key is destroyed

• Permanent key:

– Used between entities for the purpose of

distributing session keys


Cryptography


Cryptography

References

• Behrouz A. Forouzan, Debdeep Mukhopadhyay,

“Cryptography and Network Security” 2e, McGraw Hill

Publications, ISBN 978-0-07-070208-0.

• William Stallings, “Cryptography and Network Security-

Principles and Practices”, 4e, Pearson-Printice Hall

publications, ISBN 81-7758-774-9.

• Stallings, W. Cryptography and Network Security: Principlesand Practice, 2nd edition. Prentice Hall, 1999

• Scneier, B. Applied Cryptography, New York: Wiley, 1996

• Mel, H.X. Baker, D. Cryptography Decrypted. AddisonWesley, 2001.


Cryptography

Network Security & Cryptography Lecture 8

Documents

Transcript of Network Security & Cryptography Lecture 8