1 / 76

Applied Cryptography

Applied Cryptography. Spring 2014. Symmetric Ciphers. Types of ciphers. Symmetric  Asymmetric (public key Block ciphers  Stream ciphers. Symmetric vs. asymmetric cryptography. Symmetric ciphers – sender and recipient use the same key D key ( E key ( m )) = m

alika
Download Presentation

Applied Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Applied Cryptography Spring 2014 Symmetric Ciphers

  2. Types of ciphers Symmetric  Asymmetric (public key Block ciphers  Stream ciphers

  3. Symmetric vs. asymmetric cryptography • Symmetric ciphers – sender and recipient use the same key • Dkey(Ekey(m)) = m • Substitution cipher is an example of a symmetric cipher • Impractical for big systems – number of keys is quadratic in the number of users • The solution – asymmtric algorithms. Think of a locked mailbox! Different keys for encryption and decryption • Dprivate key(Epublic key(m)) = m

  4. Block ciphers • A block cipher B is an encryption function Ekey:{0,1}k {0,1}l and a decryption function Dkey:{0,1}l {0,1}k such thatDkey(Ekey(m)) = m. • The value k is called block length. Usually k = l. Clear (plain) text Cipher text n bits Key

  5. Stream ciphers

  6. Kerchoff's principle (1883) The strength of encryption should not depend on: • Knowledge of encryption algorithm • Knowledge of the size of key • Knowledge of plaintext-ciphertext pairs

  7. Simple substitution cipher • The key is a permutation of the letters of the alphabet, i.e. a bijection • Encryption is performed by substituting each letter for its corresponding letter • Decryption is the same as encryption with the difference that the inverse is used

  8. Simple substitution cipher – example • Example: Encrypt MY DOG ATE YOUR CAT using the key U

  9. Vigenère cipher (poly-alphabetic) • Example: Encryption key - string of n characters e.g. "gold" We represent it with numbers corresponding to symbols from alphabet - (6,14,11,13) To encrypt i-th symbol from the block of length n, we add to it i-th number from the key (modulo size of alphabet) U

  10. Vernam cipher (XOR) Message: m1,...,mn n bits Key: k1,...,kn n bits Ciphertext: c1,...,cn, where ci = mi ki U

  11. Transposition ciphers Message: block of b symbols from some alphabet Key: permutation p = (p(1),...,p(b)) U

  12. General Block Encryption • The general way of encrypting a 64-bit block is to take each of the:264 input values and map it to a unique one of the 264 output values.This would take (264 )*(64) = 270  bits. NOT practical. • Secret key cryptographic systems take a reasonable length key (e.g., 64 bits) and generate a one-to-one mapping that appears, to someone who does not know the key, as completely random.I.e., any single bit change in the input results in a totally independent random number output. [From Ravi Mukkamala]

  13. Types of transformation for k-bit blocks • Substitution:Specify for each of the 2k possible values of the input, the k-bit output.This takes k.2k bits. This is reasonable for k=8. • Permutation:Specify for each of the k input bits, the output position to which it goes.This takes k*log2 k bits. • Figure 3-1 shows a secret key algorithm based on rounds of substations and permutation. If we do only a single  round, then a bit of input can only affect 8 bits of output. There is optimal number of rounds to achieve complete randomization.The algorithm take the same effort to reverse (decrypt). [From Ravi Mukkamala]

  14. Types of transformation for k-bit blocks [From Ravi Mukkamala]

  15. Feistel ciphers Li-1 Ri-1 f(Ri-1,K) K + Li Ri U

  16. Lai-Massey ciphers U

  17. DES Feistel scheme: 1) (L0,R0)  IP(input) 2) 16 rounds: Li Ri-1 Ri  Li-1  f(Ri-1,K) 3) output  IP-1(R16,L16) U

  18. Data Encryption Standard (DES) • Financial companies found the need for a cryptographic algorithm that would have the blessing of the US government (= NSA) • First call for candidates in May 73, followed by a new call in August 74 • Not very many submissions (Why?) • IBM submitted Lucifer • NSA worked with IBM in redesigning the algorithm [From Andre L. M. dos Santos ]

  19. NSA

  20. DES • DES became a federal standard in November 76 • NBS (NIST) hardware standard in January 77 • ANSI X3.92-1981 (hardware + software) • ANSI X3.106-1983 (modes of operation) • Australia AS2805.5-1985 • Used in most EFT and EFTPOS from banking industry • It was reconfirmed as a standard for 5 years twice • Currently 3DES is recommended [From Andre L. M. dos Santos ]

  21. DES • The standard is public, the design criteria is classified • One of the biggest controversies is the key size (56 bits) • W Diffie, M Hellman "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" IEEE Computer 10(6), June 1977, pp74-84 • M Hellman "DES will be totally insecure within ten years" IEEE Spectrum 16(7), Jul 1979, pp 31-41 • Another controversy: is there a back door? [From Andre L. M. dos Santos ]

  22. DES • DES has proven a well designed code • 56 bits has been proven inadequate • EFF built a cracker for around $200,000 • Increase the key to 112 bits? • The best way known to cryptanalyze DES is (after brute force) the differential analysis • NSA new this from the design?? [From Andre L. M. dos Santos ]

  23. DES characteristics A symmetric encryption algorithm Both sender and receiver share the same secret key value Data can be recovered from cipher only by using exactly the same key that was used to encrypt it A DES key consists of 64 bits of which 56 bits are randomly generated (used directly by the algorithm). The remaining 8 bits are used for error detection (used to make the parity of each 8-bit byte of the key odd). [From Sai Kovvuri]

  24. DES [From Ravi Mukkamala]

  25. DES - Initial/final permutations [From Ravi Mukkamala]

  26. DES - Initial/final permutations

  27. DES - Initial/final permutations

  28. DES [From Henric Johnson]

  29. DES - E boxes Cipher function f(R,K) E is a bit-selection function which takes a block of 32 bits as input and yields a block of 48 bits as output E BIT-SELECTION TABLE 32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1 [From Sai Kovvuri]

  30. DES - E boxes Cipher function f(R,K)

  31. DES - S boxes Cipher function f(R,K) Selection function (Si) Each selection function takes a 6 bit block as input and yields a 4 bit block as output (following the table below) S1 Column Number Row No. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 There are 8 S-boxes [From Sai Kovvuri]

  32. DES - S boxes Determining S1(B) Let B (a 6 bit block) = 011011 The row no for the selection table is derived from the first and last bits = 01 (1) The column no is derived from the remaining four middle bits = 1101(13) Therefore the output for block 011011 is the bit representation of the number at (1,13) = 5 (0101) S1(B) = 0101 [From Sai Kovvuri]

  33. DES - P boxes Determining P(L) The permutation function P yields a 32-bit output from a 32-bit input by permuting the bits of the input block. Such a function is defined by the following table: P 16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25 The permuted output P(L) for L is derived from Taking 16th bit of L as the 1st bit Taking 7th bit of L as the 2nd . . . Taking 25th bit of L as the 32nd [From Sai Kovvuri]

  34. DES - Key derivation Every 8th bit of initial key is discarded:) Key is divided intwo 28-bit halves In each round each half is shifted for: 1 bit in rounds 1,2,9,16 2 bits in all other rounds All bits are used roughly the same number of times [From Ravi Mukkamala]

  35. Triple DEA Works on a bundle of keys (k1,k2,k3) For TDEA encryption: The encrypted output O is generated by applying the following transformation to the input I : O = EK3( DK2(EK1 (I) ) ) For TDEA decryption: The data I is generated by applying the following transformation to the encrypted data O : I = DK1( EK2(DK3 (I) ) ) Keying Options: K1, K2, K3 are independent keys K1 and K2 are independent keys and K3 = K1 K1 = K2 = K3 [From Sai Kovvuri]

  36. Triple DEA • Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt) • C = ciphertext • P = Plaintext • EK[X] = encryption of X using key K • DK[Y] = decryption of Y using key K • Effective key length of 168 bits C = EK3[DK2[EK1[P]]] [From Henric Johnson]

  37. Triple DEA [From Henric Johnson]

  38. Triple DES Consider a message m, two keys k1 and k2, ciphertext C, and the encryption scheme C = E(k1,D(k2,E(k1,m))) Even though triple DES only doubles the key length from 56 to 112 bits (and is the same as double DES), it is effective against all feasible known attacks. [From Jagdish S. Gangolly]

  39. International Data Encryption Algorithm (IDEA) • Encrypts 64-bit blocks using 128-bit key.It is similar to DES since it: • operates in rounds • the mangler function runs in the same direction for both encryption and decryption • It differs from DES since: • Designed to be efficient in software (as opposed to DES’s hardware orientation) • The encryption and decryption keys are different but related in a complex manner. [From Ravi Mukkamala]

  40. International Data Encryption Algorithm (IDEA) • International Data Encryption Algorithm (IDEA) • A block cipher with block size 64 bits • 128-bit key • Used in PGP • Confusion: (the ciphertext should depend upon the plaintext and key in a complex way) • Confusion is achieved by using three operations. • Diffusion: (Each plaintext bit should influence as many ciphertext bits as possible) • -IDEA very effective in achieving diffusion. Designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991 [From Henric Johnson]

  41. IDEA - Basic structure [From Ravi Mukkamala]

  42. IDEA - Basic structure

  43. IDEA - Even Round [From Ravi Mukkamala]

  44. IDEA - NXT (FOX) 64 bit block 128 bit key 128 bit block 256 bit key

  45. Feistel and Lai-Massey schemes

  46. AES - History • 1997: NIST requests proposals for a new Advanced Encryption Standard (AES) to replace DES • NIST required that the algorithm be: • A symmetric-key cryptosystem • A block cipher • Capable of supporting a block size of 128 bits • Capable of supporting key lengths of 128, 192, and 256 bits • Available on a worldwide, non-exclusive, royalty-free basis • Evaluation criteria: • Security - soundness of the mathematical basis and the results of analysis by the research community • Computational efficiency, memory requirements, flexibility, and simplicity

  47. AES – Round 1 of the Competition • NIST selects 15 submissions for evaluation: • CAST-256 (Entrust Technologies, Inc.) • Crypton (Future Systems, Inc.) • DEAL (Richard Outerbridge, Lars Knudsen) • DFC (Centre National pour la Recherche Scientifique—Ecole Normale Superieure) • E2 (Nippon Telegraph and Telephone Corporation) • Frog (TecApro Internacional S.A.) • HPC (Rich Schroeppel) • Loki97 (Lawrie Brown, Josef Pieprzyk, Jennifer Seberry) • Magenta (Deutsche Telekom AG) • MARS (IBM) • RC6 (RSA Laboratories) • Rijndael (Joan Daemen, Vincent Rijmen) • SAFER+ (Cylink Corporation) • Serpent (Ross Anderson, Eli Biham, Lars Knudsen) • Twofish (Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson)

  48. AES – Round 1 Results • After eight months of analysis and public comment, NIST: • Eliminated DEAL, Frog, HPC, Loki97, and Magenta • Had what NIST considered major security flaws • Were among the slowest algorithms submitted • Eliminated Crypton, DFC, E2, and SAFER+ • Had what NIST considered minor security flaws • Had unimpressive characteristics on the other evaluation criteria • Eliminated CAST-256 • Had mediocre speed and large ROM requirements • Five candidates, MARS, RC6, Rijndael, Serpent, and Twofish, advanced to the second round

  49. AES – Results • Analysis and public comment on the five finalists • October 2000: NIST: • Eliminates MARS • High security margin • Eliminates RC6 • Adequate security margin, fast encryption and decryption on 32-bit platforms • Eliminates Serpent • High security margin • Eliminates Twofish • High security margin • Selects Rijndael • Adequate security margin, fast encryption, decryption, and key setup speeds, low RAM and ROM requirements

  50. AES – The Rijndael Algorithm • Symmetric-key block cipher • Block sizes are 128, 192, or 256 bits • Key lengths are 128, 192, or 256 bits • Performs several rounds of operations to transform each block of plaintext into a block of ciphertext • The number of rounds depends on the block size and the length of the key: • Nine regular rounds if both the block and key are 128 bits • Eleven regular rounds if either the block or key are 192 bits • Thirteen regular rounds if either the block or key is 256 bits • One, slightly different, final round is performed after the regular rounds

More Related