html5-img
1 / 44

Chap. 6: Contemporary Symmetric Ciphers

Chap. 6: Contemporary Symmetric Ciphers. Jen-Chang Liu, 2004 Adapted from Lecture slides by Lawrie Brown.

jeanette-shaw
Download Presentation

Chap. 6: Contemporary Symmetric Ciphers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chap. 6: Contemporary Symmetric Ciphers Jen-Chang Liu, 2004 Adapted from Lecture slides by Lawrie Brown

  2. "I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and sixty separate ciphers," said Holmes. —The Adventure of the Dancing Men, Sir Arthur Conan Doyle

  3. Outline • Characteristics of advanced symmetric block cipher • Triple DES • Blowfish • RC5 • RC4 stream cipher

  4. Feistel cipher + • Key • Key length • subkey generation • block • block length • two halves of block • no. of round • encryption algorithm • S-box • XOR + +

  5. Key features not found in DES Variable length key : Blowfish, RC5 • Key • Key length • subkey generation • block • block length • two halves of block • no. of round • encryption algorithm • S-box • XOR Complex subkey generation process: Blowfish Variable plain/ciphertext block length: RC5 Operate on both halves each round: Blowfish, RC5 Variable no. of round: RC5 Key-dependent S-box: Blowfish Data/key-dependent rotation: RC5 Mixed operation: more than one arithmetic and Boolean operations

  6. Outline • Characteristics of advanced symmetric block cipher • Triple DES • Blowfish • RC5 • RC4 stream cipher

  7. Triple DES • clear a replacement for DES was needed • theoretical attacks that can break it • demonstrated exhaustive key search attacks • AES is a new cipher alternative • prior to this alternative was to use multiple encryption with DES implementations

  8. Double-DES? • why not Double-DES? 56x2=112 bits key Q1: Is that possible for some K3 ?

  9. Space of mapping 1. The whole space of mapping 64-bit plaintext 64-bit ciphertext mapping 2. Space of mapping defined by DES 56-key => 256 mapping 264! > 10347380000000000000000 256 < 1017 264! 256 Double-DES is likely to produce a new mapping !

  10. Q2: meet-in-the-middle attack • DES:O(256)to attack • 2DES: O(2112)to attack? 1. Given a (P,C) 2. Encrypt P with 256 keys 3. Decrypt C with 256 keys K2 K1 X X … 000…00000 000…00000 0101…0101 000…00001 000…00001 1101…0111 0001…0110 000…00010 000…00010 … 000…00011 000…00011 0001…0110 … … Match! … 111…11111 111…11111

  11. Triple-DES 3 E 3 • 3 DES encryption with 3 keys (56x3=168 bits) • Avoid meet-in-the-middle attack with O(256)complexity • E-D-E application of DES: PGP, S/MIME • Backward compatible with DES: K3=K2 or K1=K2

  12. Standardized 3DES • 3DES standardized in ANSI X9.17 & ISO8732 • 2 56-bit keys Compatible with DES

  13. Attack on 3DES • Idea: if A and C are known, then it becomes an attack on double DES 0100…101 1001…011 … 0110…100 1001…001 1100…111 1011…001 … 0100…101 1101…010 K1,1 K1,1 0110…000 a K2 K1,2 K1,2 1110…011 1. Given n known (P,C) pairs 3. Search 256 keys for K1 2. Select an arbitrary a for A 4. Search 256 keys for K2

  14. Complexity of attack on 3DES • Brute-force key search: 2112 • Known plaintext-ciphertext attack on previous slide: • No practical attack is known for now

  15. Outline • Characteristics of advanced symmetric block cipher • Triple DES • Blowfish • RC5 • RC4 stream cipher

  16. Blowfish • a symmetric block cipher designed by Bruce Schneier in 1993/94 • Characteristics • 64-bit block cipher • Variable length key (32 bits to 448 bits) • Complex subkey generation • Key-dependent S-boxes • Simple operations – fast implementation • Modulo 232 addition • Bitwise XOR

  17. Blowfish + + + + + + + + + + + + 18 subkeys Pi

  18. Blowfish single round 256-entry S-box, 32-bit output/entry + + + Modulo 232 addition

  19. Subkey and S-box generation • uses a 32 to 448 bit key • 1 word = 32 bits, 1 to 14 words • to generate • 18 32-bit subkeys stored in P-array • four 256 entry S-boxes, 1 word in each entry 1<= j <= 14 K1, K2, K3, K4, …, Kj P1, P2, P3, P4, …, P18 S1,0, S1,1, S1,2, S1,3, …, S1,255 S2,0, S2,1, S2,2, S2,3, …, S2,255 Totally 1024 words S3,0, S3,1, S3,2, S3,3, …, S3,255 S4,0, S4,1, S4,2, S4,3, …, S4,255

  20. Subkey and S-box generation 1. initialize P-array and then 4 S-boxes usingp 2. XOR P-array with K-array (reuse as needed) 用p的小數點依序填入 P 和 S 陣列 … P2 = 85A308D3 S4,255 = 3AC372E6 P1 = 243F6A88 P1, P2, P3, P4, … P14, P15, P16, P17, P18 + + + + + + + + + K1, K2, K3, K4, …, K14 ,K1, K2, K3, K4 (Suppose input key is 14 words)

  21. Subkey and S-box generation 3. loop repeatedly encrypting data using current P & S and replace successive pairs of P then S values P1, P2 = EP,S [0] 用現在P,S值當參數的 Blowfish, 加密 0 更新 P1, P2 P3, P4 = EP,S [P1 || P2] … S1,0, S1,1 = EP,S [P17 || P18] … S4,254, S4,255 = EP,S [S4,252 || S4,253] Totally 521 executions of Blowfish encryption => not suitable for frequent key changes

  22. Blowfish Encryption + and  do not commute + + + + + + + + +

  23. Discussion • key dependent S-boxes and subkeys, generated using cipher itself, makes analysis very difficult • changing both halves in each round increases security (c.f. Feistel cipher) • brute-force key search is not practical (maximally 448 bits)

  24. Discussion (cont.) • fast

  25. Outline • Characteristics of advanced symmetric block cipher • Triple DES • Blowfish • RC5 • RC4 stream cipher

  26. RC5 • designed by Ronald Rivest (of RSA fame) • used in RSA Data Security, Inc.’s products • can vary key size / data size / no rounds • very clean and simple design • easy implementation on various CPUs • yet still regarded as secure

  27. RC5 Ciphers • RC5 is a family of ciphers RC5-w/r/b • w = word size in bits (16/32/64), block data=2w • r = number of rounds (0..255) • b = number of bytes in key (0..255) • nominal version is RC5-32/12/16 • i.e. 32-bit words so encrypts 64-bit data blocks • using 12 rounds • with 16 bytes (128-bit) secret key

  28. Simple operations: subkey w w • Addition: modulo 2w • Bitwise XOR • Circular shift (rotation): • x <<< y, x is left rotate y bits + + (nonlinear and data dependent !!!) A Substitution-permutation round: • Substitution depends on both • words • 2. Permutation depends on both • words • 3. Substitution depends on key + +

  29. RC5 Key Expansion • RC5 uses t=2r+2 subkey words (w-bits) (決定subkeys 大小和個數)

  30. RC5 subkey initialization e = 2.718281828459… • Pw=Odd[(e-2)2w] = B7E1 (16 bits) B7E15163 (32 bits) f= 1.618033988749… • Qw=Odd[(f -1)2w] = 9E37 (16 bits) 9E3779B9 (32 bits) /* initialize subkey array */ S[0] = Pw for i=1 to t-1 do S[i] = S[i-1] + Qw

  31. RC5 Decryption + + + + + + + +

  32. RC5 Modes • RFC2040 defines 4 modes used by RC5 • RC5 Block Cipher, is ECB mode • RC5-CBC, is CBC (cipher block chaining) mode • RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padding bytes • RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original Plaintext message may not be a multiple of the block size

  33. RC5 ciphertext stealing mode Ciphertext chaining Not transmitted

  34. Summary: Block Cipher Characteristics • features seen in modern block ciphers are: • variable key length / block size / no rounds • mixed operators, data/key dependent rotation • key dependent S-boxes • more complex key scheduling • operation of full data in each round • varying non-linear functions

  35. Outline • Characteristics of advanced symmetric block cipher • Triple DES • Blowfish • RC5 • RC4 stream cipher

  36. Stream cipher diagram + + Recall: One-time pad in Chap. 2

  37. Stream Cipher Properties • some design considerations are: • A pseudorandom number generator produces a deterministic stream that eventually repeats • The period should be long • Keystream should approximate a true random stream • Ex. Approximately equal number of 1s and 0s • The key needs to be sufficiently long • Ex. 128 bits or longer key to avoid brute-force attack

  38. Advantage of stream cipher • Fasters than block ciphers

  39. Disadvantage of stream cipher • never reuse stream key Ciphertext 1 = plaintext 1  keystream Ciphertext 2 = plaintext 2  keystream Ciphertext 1  Ciphertext 2 = (plaintext 1  keystream)  (plaintext 2  keystream) = plaintext 1  plaintext 2 If plaintexts are text string, credit card no., or other streams with known properties, then cryptanalysis may be successful

  40. RC4 • Designed by Ron Rivest in 1987, owned by RSA DSI • variable key size, byte-oriented stream cipher • widely used (web SSL/TLS, wireless WEP) • SSL: secure sockets layer • TLS: transport layer security • WEP: wired equivalent privacy • Main steps: • key forms random permutation of all 8-bit values (state vector S[0],S[1],…,S[255]) • uses that permutation to scramble input info processed a byte at a time

  41. RC4 Key Schedule • starts with an array S of numbers: 0…255 • S forms internal state of the cipher • given a key K of length keylen bytes (1 to 256 bytes) 253 254

  42. RC4 key scheduling and stream generation j=0, for i=0 to 255 i=0, j=0 While(1){ i=i+1 mod 256, …} Plaintext  k = ciphertext

  43. RC4 Encryption • encryption continues shuffling array values • sum of shuffled pair selects "stream key" value • XOR with next byte of message to en/decrypt i = j = 0 for each message byte Mi i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) t = (S[i] + S[j]) (mod 256) Ci = Mi XOR S[t]

  44. RC4 Security • The period of RC4 > 10100 • claimed secure against known attacks • have some analyses, none practical • result is very non-linear • since RC4 is a stream cipher, must never reuse a key • have a concern with WEP, but due to key handling rather than RC4 itself

More Related