
Applied Cryptography

Applied Cryptography, Spring 2014: Chaining Modes. What happens when the clear text is longer than the block length k? The simplest solution is to encrypt each block separately (ECB).


Presentation Transcript


  1. Applied Cryptography, Spring 2014: Chaining Modes

  2. Chaining ciphers - ECB [figure: clear text blocks, each encrypted separately under the same key, giving the cipher text blocks] • What happens when the clear text is longer than the block length k? • The simplest solution is to encrypt each block separately. • This mode is called ECB, Electronic Code Book. [From Mårten Trolin]

  3. Chaining ciphers - ECB Problems with ECB: • two transmissions of the same plaintext will be identical (i.e. if you know that there were two identical transmissions, you can guess the ciphertext of these). This could be dealt with using timestamps. • block replay. A potential cure is the use of a MAC, however this still remains an unpleasant feature. ECB can still be used in some cases for the transmission of short messages, e.g. cipher keys.

  4. Chaining ciphers - ECB Padding k - block length, n - message length • if n is a multiple of k, there are no problems • what to do with the last block, if n is not a multiple of k? • extra bytes can be added at the end of the last block, however, it would be useful to know where the actual message ends...

  5. Chaining ciphers - ECB Some padding schemes • add padding in all cases (i.e., also when n is a multiple of k) • if m bytes are added, fill each of them with value m (used in e.g. RC5-CBC-PAD) • if m bytes are added, fill each of them with values 1,2,..., m (used in e.g. ESP and IPSec)

  6. ECB - Example [figure: the original image, the same image encrypted in ECB mode, and encrypted in an "other" mode]

  7. Cipher Block Chaining [figure: clear text blocks, an IV, the key and an encryption box per block; each block is XORed with the previous cipher text block before encryption] • A feedback is introduced to link the blocks together. [From Mårten Trolin]

  8. Cipher Block Chaining

  9. CBC - issues Errors • error in plaintext • bit error in ciphertext • synchronisation error in ciphertext? What should be done with the IV? • no need to be secret • should be transmitted • can the IV be reused?

  10. CBC - padding Can be done similarly as in ECB • add padding in all cases (i.e., also when n is a multiple of k) • if m bytes are added, fill each of them with value m (used in e.g. RC5-CBC-PAD) • if m bytes are added, fill each of them with values 1,2,..., m (used in e.g. ESP and IPSec)

  11. CBC - padding Some problems with padding... • assume that the same IV is used for all transmissions, as well as one of the two padding schemes described above. Also assume that there is an oracle that answers whether a given message ends with correct padding (available e.g. in an e-mail server using SSL/TLS). Is this secure? • try to send to the oracle the blocks r, Ci ...
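The two padding schemes of slides 5 and 10 (every pad byte equal to m, or the bytes 1, 2, ..., m), always padding so that 1 <= m <= k, as an added example that is not part of the slides. The unpad routine rejects malformed input with a single error type and compares the pad bytes in constant time: a receiver that reveals which check failed, or decrypts before verifying a MAC, is exactly the oracle that slide 11 warns about.

```python
import hmac


def pad(msg: bytes, k: int, scheme: str) -> bytes:
    """Append m = k - (len(msg) mod k) bytes; m is never 0, so padding is
    added even when the message length is already a multiple of k."""
    m = k - (len(msg) % k)
    if scheme == "value-m":            # every pad byte holds m (RC5-CBC-PAD style)
        return msg + bytes([m]) * m
    if scheme == "counter":            # pad bytes hold 1, 2, ..., m (ESP style)
        return msg + bytes(range(1, m + 1))
    raise ValueError("unknown padding scheme")


def unpad(padded: bytes, k: int, scheme: str) -> bytes:
    """Strip padding. Any defect raises the same ValueError, and the pad bytes
    are compared in constant time, so the caller leaks as little as possible;
    the real fix is to verify a MAC before decrypting at all."""
    if len(padded) == 0 or len(padded) % k != 0:
        raise ValueError("bad padding")
    m = padded[-1]                     # in both schemes the last byte equals m
    if not 1 <= m <= k:
        raise ValueError("bad padding")
    expected = bytes([m]) * m if scheme == "value-m" else bytes(range(1, m + 1))
    if not hmac.compare_digest(padded[-m:], expected):
        raise ValueError("bad padding")
    return padded[:-m]


def roundtrip_ok(msg: bytes, k: int, scheme: str) -> bool:
    """pad() output is block-aligned and unpad() recovers the original."""
    padded = pad(msg, k, scheme)
    return len(padded) % k == 0 and unpad(padded, k, scheme) == msg


def rejects(padded: bytes, k: int, scheme: str) -> bool:
    """True if unpad() refuses the input (used to exercise the failure paths)."""
    try:
        unpad(padded, k, scheme)
    except ValueError:
        return True
    return False
```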

  12. CBC - alternative encryption of the last block

  13. CBC - ciphertext stealing

  14. Stream and block ciphers - Definition ?

  15. Stream ciphers

  16. Keystream generator

  17. Self-synchronizing stream cipher Ciphertext Auto-Key (CTAK) Another possibility: Key Auto-Key (KAK)

  18. Stream ciphers - Insertion attack

  19. Key generators - CFB (cipher feedback) mode

  20. Key generators - LFSR (linear feedback shift registers)

  21. Key generators - A5/1 A register is clocked if its clocking bit (orange) agrees with the majority of the clocking bits of all three registers. A5/1 is used in GSM: "less than one minute of computations, and a few seconds of known conversation".

  22. Key generators - RC4 (N = 256, key of l bytes)
     Key scheduling: • for i = 0, ..., N-1: S[i] = i • j = 0 • for i = 0, ..., N-1: j = (j + S[i] + Key[i mod l]) mod N; swap(S[i], S[j])
     Keystream generation (i = j = 0 initially), per output byte: • i = (i + 1) mod N • j = (j + S[i]) mod N • swap(S[i], S[j]) • output z = S[(S[i] + S[j]) mod N]
     Ron Rivest (RSA Security), 1987. Widely used in SSL, WEP etc. 104-bit RC4 as used in WEP can be cracked in less than a minute.

  23. Key generators - RC4 • Easy computation • Fast • Can use large bit blocks and keys • Stream-based encryption • Key can be made to change at regular intervals using fancy programming • Implementations in popular languages (C, Perl) are well documented. • Vulnerable to brute force attacks • Requires a large data structure • Proven breakable by researchers at AT&T and Rice Univ. (August 2001) • "One hour of brute force computation to break standard WEP" • Once the key is broken all messages are easily readable.

  24. Quadratic residues and Blum integers If p and q are two primes, and both are congruent to 3 modulo 4, then n = p*q is sometimes called a Blum integer. If n is a Blum integer, each quadratic residue has exactly four square roots. One of them is also a square - the principal square root. The function f: Z_n^* → Z_n^* defined by f(x) = x^2 mod n is a permutation. The inverse function of f is: f^{-1}(x) = x^{((p-1)(q-1)+4)/8} mod n.

  25. Quadratic residues and Blum integers The function f: Z_n^* → Z_n^* defined by f(x) = x^2 mod n is a permutation. The inverse function of f is: f^{-1}(x) = x^{((p-1)(q-1)+4)/8} mod n, where p, q are primes and n = pq. Guessing the least significant bit of the square root of x mod n with any non-negligible advantage is as hard as factoring n.

  26. Blum, Blum and Shub (BBS) key generator Let n be a Blum integer. Choose a random quadratic residue x_0 (modulo n). For i ≥ 0 let x_{i+1} = x_i^2 mod n, b_i = the least significant bit of x_i. For each integer i, let BBS_{n,i}(x_0) = b_0 ... b_{i-1} be the first i bits of the pseudo-random sequence generated from the seed x_0 by the BBS pseudo-random generator. Note that b_i is the least significant bit of x_i = x_0^{(2^i mod (p-1)(q-1))} mod n.

  27. BBS pseudo-random generator - analysis Choose a random x relatively prime to n, compute x_0 = x^2 mod n, x_{i+1} = x_i^2 mod n, b_i = the least significant bit of x_i, BBS_{n,i}(x_0) = b_0 ... b_{i-1}. Assume that the BBS pseudo-random generator with a Blum integer is not unpredictable to the left. Let y be a quadratic residue from Z_n^*. Compute BBS_{n,i-1}(y) for some i > 1. Note that the last (i-1) bits of BBS_{n,i}(x) are also the first (i-1) bits of BBS_{n,i-1}(y), where x is the principal square root of y. Hence, if the BBS pseudo-random generator is not unpredictable to the left, then there exists a better method than coin-tossing to determine the least significant bit of x, which is, as mentioned above, impossible.

  28. Key generators - OFB (output feedback) mode

  29. Keystream generator in OFB mode

  30. CFB (cipher feedback) mode

  31. Chaining in CFB mode

  32. CFB - issues Errors • error in plaintext • bit error in ciphertext • synchronisation error in ciphertext? What should be done with the IV? • no need to be secret • should be transmitted • should be unique!

  33. OFB (output feedback) mode

  34. Chaining in OFB mode

  35. Chaining in OFB mode

  36. Chaining in OFB mode Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption.

  37. Chaining in counter (CTR) mode

  38. Data integrity and MAC

  39. CBC-MAC Issues: - not secure for variable length messages (we can include the message length in the computation, still it doesn't help too much...) - different keys should be used for chaining and MAC (ok, this should always be the case!)

  40. CMAC

  41. Length of MAC? Birthday paradox: What should be the size k of a group of people, such that with probability 1/2 at least two persons from the group will have a birthday on the same day?

  42. Length of MAC?

  43. Length of MAC?
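The birthday computation of slide 41 carried through and applied to MAC length, as an added derivation that is not part of the slides (d denotes the number of possible values: 365 days, or $2^t$ tags of t bits).

$$
P_{\text{no collision}}(k) = \prod_{i=0}^{k-1}\left(1 - \frac{i}{d}\right)
\approx \exp\!\left(-\frac{k(k-1)}{2d}\right)
$$

Setting this to $1/2$:

$$
k(k-1) \approx 2d\ln 2 \quad\Rightarrow\quad k \approx \sqrt{2d\ln 2} \approx 1.18\sqrt{d}.
$$

For $d = 365$ this gives $k \approx 22.5$; the exact product first drops below $1/2$ at $k = 23$ (collision probability $\approx 0.507$). For a MAC of $t$ bits, $d = 2^t$, so a collision among tags is expected after about $2^{t/2}$ messages: a 64-bit tag after roughly $2^{32}$, a 128-bit tag after roughly $2^{64}$. This is why the tag must be about twice as long as the collision resistance one wants.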

  44. Combining chaining and data integrity CCM - Counter with CBC-MAC; EAX - Authenticated Encryption with Associated Data; GCM - Galois/Counter Mode; OCB - Offset Codebook Mode [figure: OCB mode]

  45. GCM mode (Galois/Counter Mode) Combines privacy and data integrity protection. Defined for 128-bit blocks. mult_H - multiplication in GF(27)

  46. Disk encryption • Some additional constraints: • limited-length chaining (e.g. at sector level, around 512 bytes) • the implementation shall efficiently encrypt and decrypt data in any sector • the implementation shall use only a constant amount of additional storage for a device of arbitrary size • the integrity problem is important. CBC: IV for each sector derived from the sector number, etc. LRW (Tweakable Narrow-Block Encryption): K - key, F - additional key, I - block index (tweak)

  47. ECB - overview

  48. CBC - overview Probably most useful. Best for encrypting files (usually no synchronization errors).

  49. CFB - overview Recoverable synchronization errors. Mainly used in stream mode.

  50. OFB - overview Recommended for error-prone environments.
