sign in sign up
<<
Home , EFF DES cracker

Course Overview Course Requirements

EECS 498-7/8 ◊ www.citi.umich.edu/u/honey/security ◊ and Network Security: Computer Security ◊ Monday & Friday, 9:00 – 10:30 Principles and Practice (Third Edition) Wednesday, 9:00 - 10:00 William Stallings 1005 Dow Prentice-Hall ISBN 0130914290 4 credits ◊ Weekly (or more) homework + programming ◊ EECS Technical Elective? Peter Honeyman assignments: 50% ◊ Presumably -- working on it. Center for Information Technology Integration ◊ Exams: 25% ea.

Outline of Lectures Outline of Lectures Computer Security

◊ Models of security ◊ Number theory ◊ Host security & network security ◊ Asymmetric cryptography ◊ Classical ◊ Equally important ◊ Message authentication ◊ Substitution and transposition ciphers ◊ Often no clear boundary between them ◊ Digital signatures ◊ Symmetric key cryptography ◊ Examples ◊ Applications ◊ DES, AES, others ◊ Morris’ Internet worm ◊ Kerberos ◊ Confidentiality ◊ Mitnick’s attack on Shimomura ◊ SSL, X.509, and PKI ◊ Credit card theft from e-commerce sites ◊ Key distribution ◊ IPSec

◊ Distributed denial of service attacks

1 X.800 Security Services X.800 Security Services X.800 Security Services

◊ Authentication ◊ Data confidentiality ◊ Data integrity

◊ ◊ Peer entity identification ◊ Protection from unauthorized disclosure Protection from unauthorized modification, insertion, deletion, replay ◊ Guards against masquerade and unauthorized replay ◊ Granularity ◊ Granularity ◊ Data origin ◊ Session ◊ Session, message, or field(s) ◊ Useful in connectionless communication ◊ Message ◊ Connection-oriented or connectionless ◊ Fields in a message ◊ Access control ◊ Detection and/or recovery ◊ Traffic analysis ◊ Prevent unauthorized use of resources

◊ Presupposes some sort of authentication

X.800 Security Services X.800 Security Mechanisms Security Attacks

◊ Nonrepudiation ◊ Encryption ◊ Passive attacks

◊ Origin (sender) ◊ ◊ Interception ◊ Traffic analysis ◊ Destination (receiver) ◊ Access control

◊ Data integrity ◊ Active attacks ◊ Availability ◊ Authentication exchange ◊ Masquerade ◊ Security? Reliability? ◊ Replay ◊ Traffic ◊ Content modification ◊ Routing control ◊ Denial of service ◊ Notarization

2 Model for Network Security Model for Network Security Designing a Security Service

◊ Principals ◊ Sender injects message, receiver extracts it ◊ Select an algorithm for the security-related ◊ Sender and receiver communicate over information transformation (cipher) ◊ Sender channel ◊ Generate the security-related information to be ◊ Receiver ◊ Sender and receiver provide security-related used by the algorithm (keys) ◊ Adversary information ◊ Select a method for distribution of security-related

◊ Trusted third party ◊ Possibly shared with or generated by T3P information (key distribution) ◊ Security-related transformation is applied to ◊ Select a protocol for the communicating principals message that uses the security algorithm (cryptographic

◊ Adversary may control information channel protocol)

Classical Encryption Symmetric Key Cryptography Dimensions of Cryptography

◊ Symmetric, or single-key encryption ◊ Sender combines and key to produce ◊ Type of operations used in cipher ◊ Substitution ◊ Model: Fig 2.1, p. 25 ◊ Called enciphering or encryption ◊ Transposition

key ◊ Y = E(K, X) or Y = EK(X) ◊ Number of keys ◊ Receiver combines ciphertext and key to recover laintextplaintextpl Kdksfvkmv.dp [shk laintextplaintextpl aintextplaintextplai munhgsee22g49ghl;, aintextplaintextplai ◊ Symmetric vs. asymmetric ntextplaintextplaint ,g00f9kfckmcvlvvpn ntextplaintextplaint extplaintextplaintex ,.ddejrt6yo7074kdn extplaintextplaintex ciphertext tplaintextplaintext syug253tdbhbdjnfije tplaintextplaintext plaintextplaintextpl 88uyy4e6wews3srcf plaintextplaintextpl ◊ Plaintext processing aintextplaintextplai encrypt dbghk,k,lophp0u=k;’l decrypt aintextplaintextplai ◊ Called deciphering or decryption ntextplaintextplaint ’,.gkmfcubdyew6534 ntextplaintextplaint extplaintextplaintex uhd7dubfncvlfr0of9 extplaintextplaintex tplaintextplaintextp r5954r9d82512e5e tplaintextplaintextp ◊ laintextplaintextplai 67ewppee[l;fmdfpk[f laintextplaintextplai ◊ X = D(K, Y) or X = DK(Y) ntextplaintextplaint fpfgmglndw83fxo93 ntextplaintextplaint extplaintextplaintex ckldoed0d23dcbndx extplaintextplaintex ◊ ◊ Cryptography is the study of ciphers

3 Model Goals of Cryptanalytic Attacks

◊ Fig. 2.2, p. 26 augments earlier model in two ways ◊ Recover plaintext ◊ In all cases, cryptanalyst has complete knowledge of ◊ Key distribution via the cipher and some ciphertext to be decoded ◊ Adversary cryptanalyzes ciphertext ◊ Recover key ◊ Ciphertext only ◊ Adversary has complete information about the ◊ Most common attack encryption and decryption methods ◊ Known plaintext ◊ Only the key is secret ◊ Cryptanalyst has plaintext-ciphertext pair(s) ◊ Kerckhoff’s principle, 1883 ◊ Surprisingly easy to obtain or infer plaintext ◊ Necessary for any practical cipher ◊ Chosen plaintext ◊ Alternatively, refer to all the secret information as the key ◊ Cryptanalyst has plaintext-ciphertext pair(s) ◊ Example: gzip | dd conv=swab | tr -c ◊ Cryptanalyst (somehow) was able to select the plaintext and force its encryption

Cryptanalysis Unconditionally Secure Cipher Computationally Secure Cipher

◊ Chosen ciphertext ◊ A cipher is unconditionally secure if no ◊ A cipher is computationally secure if

◊ Cryptanalyst has plaintext-ciphertext pair(s) amount of ciphertext suffices to determine ◊ The cost of breaking the cipher exceeds the value of the encrypted information, or ◊ Cryptanalyst (somehow) was able to select the uniquely the plaintext ◊ The time required to break the cipher exceeds ciphertext and force its decryption ◊ Shannon showed that there is only one cipher that the useful lifetime of the information ◊ Chosen text is unconditionally secure ◊ plays an important role ◊ It is not practical in most instances ◊ Cryptanalyst is able to produce chosen plaintext ◊ So does computational power and chosen ciphertext pairs ◊ Table 2.2, p. 26

4 Exhaustive Search and Key Size Computationally Secure Cipher Substitution Ciphers

Key @ 1 per msec @ 1 per picosec ◊ Note that DES can no longer be considered ◊ Plaintext characters are replaced by other plaintext characters according to some rule 32 bits 35.8 min 2.15 ms computationally secure ◊ Caesar cipher: E(C) = P + 3 (mod 26), D(P) = C - 3 ◊ Cracking DES: Secrets of Encryption 56 bits 1,142 years 10.01 hours (mod 26) Research, Wiretap Politics & Chip Design, ◊ ROT13: E(C) = P + 13 (mod 26), D = E 128 bits 5.4 ¥ 1024 5.4 ¥ 1018 Electronic Frontier Foundation, John Gilmore ◊ General Caesar cipher: E(C) = P + k (mod 26) years years (Editor), O'Reilly & Associates, ISBN: ◊ k is the key Substitution 6.4 ¥ 1012 6.4 ¥ 106 years ◊ Cryptanalysis: try k = 0, …, 25 years 1565925203 ◊ Works for known (or probable) plaintext

Caesar Ciphers Monoalphabetic Substitution Cipher Polygram Substitution Cipher

◊ Cryptanalysis is easy because ◊ Let S = {A, B, …, Z} ◊ Playfair ◊ E(P P ) = C C through key-based 5 ¥ 5 transformation ◊ Algorithm is known i i+1 i i+1 ◊ Let P: S Æ S be a permutation table ◊ Only 26 keys to try ◊ Cryptanalysis: digram frequency ◊ Key space is now 26! ª 288 ◊ Known or probable plaintext ◊ Hill cipher ◊ Much too large to search ◊ Defeating cryptanalysis ◊ C = KP, where C and P are d-dimensional column vectors and K is a nonsingular d ¥ d matrix ◊ ◊ But this is still easy to cryptanalyze through Pre-scramble plaintext, e.g., compress it -1 ◊ P = K C ◊ Increase the key space letter frequency analysis ◊ Hides d-1 letter sequence analysis ◊ E(C) = P + k (mod 26), k = 0, …, 1,000,000? :-) ◊ ETAOINSHRDLU or something like that ◊ Easily broken with known plaintext

5 Polyalphabetic Substitution Cipher Periodic Substitution Ciphers Periodic Substitution Ciphers

◊ E: S Æ 2S, pick one ◊ Special class of polyalphabetic substitution ciphers ◊ Vigenère autokey system: after key is

◊ Typically a set of monoalphabetic substitution ◊ Example: Vigenère cipher exhausted, use plaintext for running key rules is used ◊ Each key letter determines one of 26 Caesar ciphers ◊ Can still detect regularities, e.g., E encrypted ◊ C = E(P ) = P + k ◊ Key determines which rule to use i i i i mod(key length) with E ◊ Given a sufficient amount of ciphertext, common sequences are repeated, exposing the period

◊ Frequently occurring letters in the key will be used to encrypt frequently occur plaintext letters

Vernam Cipher Transposition Rotor Machines

◊ Key length equal to plaintext length ◊ Rail-fence technique ◊ Enigma, ca. WWII ◊ Ri-ec ehiu ◊ A.k.a. “one-time pad” alfnetcnqe ◊ Each rotor corresponds to a substitution ◊ Generalization: columnar technique ◊ Plaintext and ciphertext are statistically cipher ◊ Cuathq independent omrenu ◊ A one-rotor machine produces a ln cie ◊ Unconditionally secure (Shannon, 1948) ◊ Augment with permuted rows polyalphabetic cipher with period 26

◊ Generalization: multiple transpositions ◊ Key generation and distribution are difficult ◊ Output of each rotor is input to next rotor ◊ Does not change letter frequencies

6 Rotor Machines Chapter 2 Homework Chapter 3

◊ After each symbol, the “fast” rotor is ◊ Pick any five problems ◊ Simplified DES

rotated ◊ Extra credit for more than five ◊ Block cipher principles

◊ After a full rotation, the adjacent rotor is ◊ DES rotated ◊ Block cipher modes of operation ◊ An n rotor machine produces a polyalphabetic cipher with period 26n

Simplified DES Simplified DES S-DES

◊ Five stages ◊ Block cipher: 8-bit blocks ◊ 10-bit key is generator for two 8-bit keys, K1 ◊ Initial permutation (IP) ◊ Input and output and K2 ◊ Key-dependent scrambler (f) ◊ 10-bit key ◊ Mixes permutation and substitution ◊ K1 = select and permute8 ° paired circular left ◊ 8-bit key ◊ shift1 ° permute10(K) Complex, multi-stage algorithm ◊ Swap of L and R ◊ f again (different key) ◊ K2 = select and permute8 ° paired circular left -1 ◊ Inverse permutation IP shift2 ° paired circular left shift1 ° -1 ◊ DES: IP ° fK2 ° swap ° fK1 ° IP permute10(K) -1 -1 ◊ DES : IP ° fK1 ° swap ° fK2 ° IP

7 S-DES Key Schedule S-DES Initial Permutation fK

◊ Permute10 ◊ IP = 2 6 3 1 4 8 5 7 ◊ Combination of substitution and permutation 3 5 2 7 4 10 1 9 8 6 -1 ◊ IP = 4 1 3 5 7 2 8 6 ◊ Let input8 = L4 R4 ◊ Paired circular left shift1 ◊ Let F: {0,1}4 Æ {0,1}4, not necessarily 1-1 2 3 4 5 1 7 8 9 10 6 ◊ fK(L, R) = L ⊕ F(R, Ki), R) ◊ Select and permute8 6 3 7 4 8 5 10 9 ◊ Note the structure: Feistel network

◊ Paired circular left shift2 ◊ We will revisit this soon 4 5 1 2 3 9 10 6 7 8

F F S-boxes

◊ F takes a 4-bit input, expands it to 8 bits ◊ View this as a matrix ◊ S0: 4¥4 matrix of 2-bit entries 1 0 3 2 ◊ 4 1 2 3 2 3 4 1 p0,0 p0,1 p0,2 p0,3 3 2 1 0 p1,0 p1,1 p1,2 p1,3 ◊ Then adds the key 0 2 1 3 ◊ First row is fed into S-box S0 3 1 3 2 n4 + K11 n1 + K12 n2 + K13 n3+ K14 Second row is fed into S-box S ◊ S n2 + K15 n3 + K16 n4 + K17 n1 + K18 1 1 ◊ Each produces two bits 0 1 2 3 2 0 1 3 ◊ Results are concatenated for 4-bit output 3 0 1 0 2 1 0 3

8 S-boxes S-DES Example Analysis of S-DES

◊ Select row px,0, px,3 of Sx ◊ Big, hairy example ◊ Exhaustive search (brute force) on key space

◊ Select column px,1 and px,2 of Sx ◊ Known plaintext attack ◊ Concatenate and permute the resulting 2-bit S-box entries ◊ For each ciphertext bit, can write an ◊ 2 4 3 1 equation ◊ Complete the computation of f ◊ ci = g(p1, p2, …, p8, k1, k2, …, k10) ◊ xor with L, append R ◊ 8 equations in 10 unknowns, many (like 29) ◊ N.B.: F is applied only to R, but after swapping, F is applied to the former L. terms

Relationship to DES Block Cipher Principles Block Cipher Principles

◊ DES has 64-bit blocks, 56-bit key, 48-bit ◊ Stream cipher: one bit or byte at a time ◊ F: 2n Æ 2n

subkeys, 16 rounds ◊ E.g., Vigenere, Vernam ◊ F must be reversible, i.e., 1-1 correspondence

◊ F acts on 32-bits ◊ Block cipher: large block, typically 8 bytes, at ◊ 2n! bijections fi O(n ¥ 2n) bit keys 70 21 ◊ 8 S boxes, 4 by 16, containing 4-bit values a time ◊ 64 bit block fi ª 2 ª 10 bit key, which is far -1 ◊ Large block thwarts statistical attacks too long ◊ IP º fK16 º SW º fK15 º SW º … º fK1 º IP

9 Product Ciphers Product Ciphers Structure

◊ Apply operations to thwart statistical analysis ◊ Confusion ◊ Substitution on L input

◊ Diffusion ◊ Makes statistical relationship between ciphertext ◊ Substitution is based on operations applied to R

◊ Thwart letter frequency analysis by dissipating statistical and key complex ◊ Result is modified L and original R, allowing decryption

structure into long-range statistics relating plaintext and ◊ Generally a complex, key-dependent substitution ◊ Followed by a permutation, swapping L and R ciphertext algorithm ◊ ◊ Accomplished by making each plaintext character affect Multiple rounds many ciphertext characters

◊ Equivalently, each ciphertext is affected by many

Feistel Cipher Features Feistel Cipher Features Decryption

◊ Block size ◊ Subkey generation algorithm ◊ Reverse the encryption steps ◊ Greater complexity leads to more difficult cryptanalysis ◊ Bigger is better, but slower ◊ Recall the Feistel round step: (L, R) ‹ (R, L ⊕ ◊ Round function ◊ Key size F(K, R)) ◊ Greater complexity leads to more difficult cryptanalysis ◊ Bigger is better, but slower ◊ Reverse with (L, R) = (R, R ⊕ F(K, L)) ◊ Hardware vs. software speed

◊ Number of rounds ◊ Fast software implementation is desirable ◊ F need not be reversible

◊ S-DES: 8-bit block, 10-bit key, 2 rounds ◊ Ease of analysis

◊ DES: 64-bit block, 56-bit key, 16 rounds

10 DES DES Round Function S-box Details

◊ 64-bit block, 56-bit key, 16 rounds ◊ Operates on 32-bit units ◊ Eight S-boxes, each maps 6-bits to 4-bits

◊ 48-bit subkeys ◊ 32-bit Æ 48-bit expansion/permutation (E ◊ One S-box contains 64 entries, each 4-bits

◊ Initial and final (inverse) permutations table) ◊ Can be viewed as four permutations of {0, …, ◊ XOR with 48 bit subkey 15}

◊ S-box computation returns 32 bits ◊ The particular permutation is selected with

◊ Round permutation the additional bits added by the E table

◊ Followed by Feistel XOR and swap

DES Key Generation DES Decryption DES

◊ 56-bit key is split into 28-bit L and R ◊ Just as in S-DES, apply the subkeys in ◊ In any good cipher, any change in the key or plaintext, no matter how large or small, should ◊ Subkeys are generated by various circular reverse order change approximately half the ciphertext bits left shifts of L and R ◊ The Feistel structure does the rest ◊ Examples in Table 3.5 on p. 81

◊ Bits are permuted and selected ◊ Change one bit in the plaintext or key

◊ After 3 or 4 rounds, approximately half of the ciphertext bits are changed

◊ After 16 rounds, a lot of scrambling has taken place

◊ Thwarts key guessing attacks

11 Strength of DES DES Design Criteria DES S-Box Design Criteria

◊ EFF DES cracker ◊ S-box weaknesses? ◊ The S-box is the only source of nonlinearity in DES ◊ Brute force attack on 56-bit key based on Weiner’s design ◊ No publicly known weaknesses ◊ No S-box output bit should be too close to a linear ◊ $250K custom h/w exhausts key space in about a week function of the input bits (or any subset of them) ◊ Final nail in DES’ coffin ◊ Design criteria remain classified ◊ In practical terms, if we select any output bit and ◊ Timing and power attacks ◊ Why? any subset of the input bits, then the fraction of ◊ Paul Kocher smart card attacks ◊ What we know is based mostly on D. ◊ Use knowledge of an actual implementation under test to inputs for which the output bit is the xor of the infer key bits Coppersmith, “The input bits should be close to 1/2 ◊ Relies on internal calculations varying in time or power (DES) and Its Strength Against Attacks,” depending on input value IBM J. of R. and D. (May 1994)

DES S-Box Design Criteria DES S-Box Design Criteria Statistical Attacks on DES

◊ Each row of an S-box should be a permutation ◊ If two inputs to an S-box differ in their first two ◊ Differential cryptanalysis bits and are identical in their last two bits, then the ◊ Attack on Feistel structure ◊ If two inputs to an S-box differ in exactly two outputs should not be the same one bit, then the outputs must differ in at ◊ Murphy (FEAL), then Biiham and Shamir (DES) ◊ Etc., see text. The remaining criteria have mostly to ◊ Look for inputs with some fixed difference that least two bits do with avalanche and resistance to differential produce outputs with a predictable difference

◊ If two inputs to an S-box differ in exactly cryptanalysis ◊ This allows inference of key bits

the middle two bits, then the outputs must ◊ See the text for general information about design ◊ Round by round analysis, so more rounds Æ more differ in at least two bits criteria for the round function, S-box design, and difficult analysis 47 key schedule algorithm design ◊ Leads to a 2 chosen plaintext attack

12 Statistical Attacks on DES Statistical Attacks on DES Block Cipher Modes of Operation

◊ Smonewhat surprisingly, DES resists ◊ How to encrypt more than one block?

◊ Matsui differential cryptanalysis ◊ Block modes

◊ Also iterated over rounds with decreasing ◊ Apparently known to NSA in 70s ◊ Electronic codebook (ECB) effectiveness 8 ◊ Cipher block chaining (CBC) ◊ Eight round requires 2 chosen 47 ◊ 2 known plaintexts plaintexts ◊ Stream modes 14 ◊ Eight round DES requires 2 chosen plaintexts ◊ Cipher feedback (CFB) ◊ Output feedback (OFB)

◊ Counter mode (CTR)

Electronic Codebook (ECB) Cipher Block Chaining Considerations

◊ Each plaintext block is independently encrypted with ◊ Prior to encrypting a plaintext block, xor it ◊ IV must be known to sender and receiver the same key with the previous ciphertext block ◊ Stallings (and others) recommend security ◊ Last block is padded appropriately for the IV ◊ Ci = DES(K, Ci-1 ⊕ Pi) ◊ Useful for transmission of a single block or a small ◊ This prevents the adversary from modifying -1 number of blocks ◊ Pi = DES (K, Ci) ⊕ Pi-1 selected bits in the plaintext by complementing corresponding bits in the IV ◊ Called a codebook because, for a given key, each ◊ For first block, need “initialization vector” block of plaintext produces a unique ciphertext ◊ In practice, it is effective to use a fixed

◊ ECB has certain weaknesses … value, say, 0

13 Cipher Feedback Mode Cipher Feedback Decryption Output Feedback Mode

◊ Allows use of DES as a stream cipher ◊ Reverse steps ◊ Encrypt IV

◊ Shift IV by j bits, insert j bits of DES output ◊ Start with IV ◊ Start with IV ◊ XOR same j bits of output with j bit plaintext ◊ Encrypt ◊ Encrypt ◊ Result is ciphertext

◊ XOR j bits of output with j bit plaintext ◊ XOR j bits of output with j bit ciphertext ◊ Similar to a Vernam cipher: XOR with PRNG bits

◊ Result is ciphertext ◊ Result is plaintext ◊ Only use j = 64

◊ Shift IV by j bits, insert ciphertext ◊ Shift IV by j bits, insert ciphertext ◊ Decryption reverses these steps

◊ Must not reuse IV+key pair ◊ Most efficient to use j = 64

CFB and OFB comparison Counter Mode Other Block Ciphers

◊ Errors do not propagate in OFB ◊ Similar to OFB but encrypts a counter (or ◊ Triple DES

◊ This makes OFB vulnerable to modification Gray code or …) instead ◊

◊ Ci = Pi ⊕ DESK(i) ◊ Rijndael ◊ Supports random access

◊ Provably as secure as other modes

◊ Must not reuse counter+key pair

14 Triple DES Meet In The Middle Attack Triple DES

◊ First consider double DES ◊ Let X = EK1(P). Clearly X = DK2(C) ◊ C = EK1(DK2(EK3(P))) (EDE) 56 ◊ Given a known , construct a table of size 2 ◊ No cryptographic significance to middle decrypt ◊ C = EK2(EK1(P)) with all values of K1 and EK1(P) operation ◊ ◊ D and E have equivalent security 112 bit key is safe from brute force attack ◊ Sort on EK1(P) ◊ Allows single DES by setting K = K = K ◊ Now decrypt C with all values of K . Check all results 1 2 3 ◊ But … $ K3 s.t. EK2(EK1(P)) = EK3(P) 2 against table ◊ Two-key 3DES: K1 = K3 (EDE) ◊ No — DES is not closed ◊ Shorter key is easier to work with ◊ Any match is a candidate pair ◊ Textbook describes several impractical attacks ◊ Not surprising, as DES occupies only a tiny portion 56 112 ◊ Total effort is O(2 ), not 2 of the space of 64-bit substitution ciphers ◊ Three-key 3DES ◊ Works for any F = f2 ° f1 ◊ Hence, need three

Other Block Ciphers IDEA IDEA Round Function

◊ IDEA ◊ Xuejia Lai and James Massey, ETH ◊ Round function mixes four 16-bit blocks

◊ Each round takes six 16-bit subkeys ◊ Blowfish ◊ Patented ◊ Final transformation uses four 16-bit subkeys ◊ RC5 (not covered) ◊ Used in PGP ◊ Total of 52 subkeys

◊ CAST-128 ◊ 128-bit key, 64-bit block ◊ Subkeys are derived through circular shifts

◊ Uses three operations ◊ RC2 ◊ Variant Feistel network ◊ XOR ◊ Rijndael (AES) ◊ Eight rounds + final transformation 16 ◊ Addition modulo 2 16 ◊ Multiplication modulo 2 + 1

15 Blowfish Blowfish Initialization Blowfish Encryption

◊ Bruce Schneier, ca. ‘93 ◊ P and S are initialized with fractional part of ◊ Slight variant on classic Feistel network ◊ L and R are both processed in each round ◊ Freely available π ◊ 16 rounds ◊ Used in SSH, OpenBSD, IPSec ◊ P is XORed with the key (reusing key bits if ◊ Two extra XORs at the end 32 ◊ 64-bit block, 32- to 448-bit keys necessary) ◊ Uses addition modulo 2 and XOR ◊ Fast encryption, small memory footprint ◊ Round function processes four bytes ◊ P and S are churned through Blowfish ◊ Slow key schedule computation ◊ F(a, b, c, d) = ((S1,a + S2,b) ⊕ S3,c) + S4,d ◊ 521 executions in total ◊ Followed by Feistel swap ◊ Four S-boxes, each containing 256 32-bit values ◊ ◊ 18 32-bit subkeys (“P array”) ◊ Excellent defense against dictionary attack This is fast

CAST-128 CAST-128 Round Function CAST-128 Round Function

◊ Carlisle Adams and Stafford Tavares ◊ Two subkeys per round, one 32-bit, one 5-bit ◊ Round function uses four S-boxes

◊ Used in IPSec ◊ Three different round functions ◊ Fixed values ◊ Indexed by four 8-bit blocks ◊ 64-bit block, 40- to 128-bit keys ◊ Four operations: addition and subtraction 32 ◊ Each contains 256 32-bit values ◊ Classic Feistel network modulo 2 , XOR, and (variable) circular shift ◊ 32-bit values are combined in round-dependent ◊ 5-bit subkey determines shift amount ◊ Sixteen rounds ways

◊ Produces 32-bit output

16 Characteristics of Advanced Block Ciphers Characteristics of Advanced Block Ciphers Rijndael

◊ Variable key length ◊ Key-dependent S-boxes ◊ Selected as AES ◊ Blowfish, RC5, CAST-128, RC2 ◊ Expensive key schedule computation ◊ 128-bit block, 128-, 192-, or 256-bit key, 9, ◊ Blowfish ◊ Mixed operators 11, or 13 rounds ◊ ◊ Especially ones that are not associative or distributive Variable round function ◊ CAST-128 ◊ Simple and fast ◊ Data-dependent rotation ◊ Variable block length ◊ RC5 ◊ Variable number of rounds ◊ Key-dependent rotation ◊ Operation on L and R in the round function ◊ CAST-128

Rijndael Round Function GF(28) GF(28) Multiplication

◊ Substitution ◊ All representations of a finite field over a ◊ Multiplication prime power (in this case 2) are isomorphic ◊ Permutation ◊ Multiplication of polynomials modulo an irreducible ◊ Treat a byte b7b6b5b4b3b2b1b0 as a polynomial binary polynomial of degree 8 ◊ Multiplication over GF(28) 7 6 5 4 3 2 1 0 ◊ b7x + b6x + b5x + b4x + b3x + b2x + b1x + b0x ◊ For Rijndael, it is 0x11B ◊ 8 Addition over GF(2 ) 8 4 3 ◊ Addition: bitwise modulo 2, i.e., XOR ◊ x + x + x + x + 1

◊ Not a Feistel network ◊ 0x57 + 0x83 = 0xD4 ◊ 0101 0111 + 1000 0011 1101 0100 = 0xD4

17 GF(28) Multiplication Example GF(28) GF(28)

◊ 0x57 ¥ 0x83 = 0xC1 ◊ Addition is an Abelian group: closed, associative, ◊ Distributive law holds over addition and ◊ 0101 0111 commutative, every element has an inverse (itself), multiplication ¥ 1000 0011 and there is an additive identity (0) 0101 0111 ◊ a ¥ (b + c) = ab + ac ◊ Multiplication: closed, associative, commutative, 0 1010 1110 ◊ GF(28) is a field 01 0101 1100 0000 there is a multiplicative identity (0x01), every 010 1011 0111 1001 = 0x2B79 element (except 0) has an inverse

◊ 0x2B79 modulo 0x11B = 0xC1 ◊ Also an Abelian group (ignoring 0)

Polynomials with coefficients in GF(28) Rijndael Round Function Rijndael Round Function

◊ Treat a four-byte vector as four coefficients ◊ Substitution ◊ Multiplication of polynomials over GF(28)

of a polynomial of degree less than four ◊ S-box replaces each byte with its multiplicative ◊ Can be represented as matrix multiplication inverse followed by addition of 0x63 ◊ Addition is still XOR ◊ Addition over GF(28) ◊ Permutation ◊ For multiplication, use polynomial x4 + 1 ◊ Add round key ◊ Represent 16 bytes as 4 ¥ 4 block ◊ th ◊ Not irreducible, but relatively prime to the ◊ i row is shifted by i elements (0 £ i £ 3) Initialize with round key addition polynomials we multiply with, so the step is ◊ Same for 24 bytes (4 ¥ 6) ◊ Last round omits multiply invertible. ◊ For 32 bytes (4 ¥ 8), extra shift for rows 2 and 3

18 Rijndael Key Schedule Rijndael Decryption Rijndael Performance

◊ Expand cipher key into (block length) ¥ ◊ Each step is invertible ◊ 8-bit mP

(number of rounds + 1) bits ◊ ~ 1 KB code size, < 100 bytes RAM, 10-50K clock cycles ◊ Round keys are taken from the expanded key in the natural way ◊ 32-bit mP

◊ 300-3,000 cycles for key schedule, 1,500-4,000 ◊ Key expansion is defined recursively, using cycles for inverse key schedule rotation, S-boxes, and XOR with a round constant ◊ 20-50 Mbits/sec encryption speed on 200 Mhz Pentium

19