Optimizing Authenticated Encryption Algorithms


Masaryk University, Faculty of Informatics
Optimizing authenticated encryption algorithms
Master's Thesis
Ondrej Mosnáček
Brno, Fall 2017

This is where a copy of the official signed thesis assignment and a copy of the Statement of an Author is located in the printed version of the document.

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Ondrej Mosnáček

Advisor: Ing. Milan Brož

Acknowledgement

I would like to thank my advisor, Milan Brož, for his guidance, patience, and helpful feedback and advice. Also, I would like to thank my girlfriend Ludmila, my family, and my friends for their support and kind words of encouragement.

If I had more time, I would have written a shorter letter. — Blaise Pascal

Abstract

In this thesis, we look at authenticated encryption with associated data (AEAD), which is a cryptographic scheme that provides both confidentiality and integrity of messages within a single operation. We look at various existing and proposed AEAD algorithms and compare them both in terms of security and performance. We take a closer look at three selected candidate families of algorithms from the CAESAR competition. Then we discuss common facilities provided by the two most common CPU architectures – x86 and ARM – that can be used to implement cryptographic algorithms efficiently. Finally, we introduce our contribution of implementing the selected CAESAR candidates for the Linux kernel Crypto API.

Keywords

authenticated encryption, AEAD, CAESAR, GCM, Linux, cryptography, optimization, assembly, MORUS, AEGIS, OCB, AES-NI, SSE2, AVX2

Contents

1 Introduction
  1.1 Goals
  1.2 Chapter contents
2 Authenticated encryption
  2.1 Properties
  2.2 Generic composition
    2.2.1 Encrypt-then-MAC
    2.2.2 Encrypt-and-MAC
    2.2.3 MAC-then-Encrypt
    2.2.4 Properties of generic composition
  2.3 GCM
    2.3.1 Properties
  2.4 ChaCha20-Poly1305
    2.4.1 Properties
  2.5 CCM
    2.5.1 Properties
  2.6 SIV
    2.6.1 Properties
  2.7 GCM-SIV
    2.7.1 Properties
3 CAESAR competition
  3.1 What is CAESAR?
  3.2 Third round candidates
  3.3 MORUS
    3.3.1 Operation
    3.3.2 Properties
  3.4 AEGIS
    3.4.1 Operation
    3.4.2 Properties
  3.5 OCB
    3.5.1 Operation
    3.5.2 Properties
  3.6 Comparison
4 Linux Kernel Crypto API
  4.1 Architecture
    4.1.1 Cipher and driver names
    4.1.2 Templates
    4.1.3 Synchronous and asynchronous operations
    4.1.4 Priorities
    4.1.5 Input parameter sizes
    4.1.6 Scatter-gather lists
  4.2 AEAD interface
    4.2.1 Input/output data layout
    4.2.2 For users
    4.2.3 For implementations
5 Software optimization of cryptographic algorithms
  5.1 Intel/AMD (x86 architecture)
    5.1.1 SSE, AVX
    5.1.2 AES-NI
    5.1.3 SHA extensions
    5.1.4 CLMUL
  5.2 ARM
6 Implementation of selected CAESAR candidates
  6.1 Contents of the attached source code
    6.1.1 Implementation limitations
    6.1.2 Merging into the upstream Linux repository
  6.2 Performance measurements
    6.2.1 Direct speed comparison
    6.2.2 Comparison of Dm-crypt performance
    6.2.3 Summary of results
7 Conclusion
  7.1 Contribution
  7.2 Future work
Bibliography

1 Introduction

When cryptographically protecting data, we often use encryption to ensure confidentiality of the payload, which means that only authorized parties are able to read it [57, 27]. However, in practice, confidentiality alone is not sufficient to protect users from certain attacks. For example, when sending an encrypted message over the network, an attacker might be able to (depending on the encryption method used) modify the message in such a way that the decrypted message is still meaningful but different, and the receiver is unable to detect the malicious modification.

In order to protect against such attacks, it is necessary to use additional cryptographic mechanisms that achieve integrity of the payload, which means that unauthorized parties cannot modify the payload without detection.

When one aims to achieve both confidentiality and integrity of data, there are generally two possible approaches:

1. To use a traditional stream cipher to achieve confidentiality and to ensure integrity in some other way, e.g. using a message authentication code (MAC) or a digital signature.
2. To use a dedicated scheme for authenticated encryption with associated data (AEAD), which provides both confidentiality and integrity in a single package.

Since authenticated encryption is needed in many applications, especially in network protocols/applications and file encryption, it is a frequent target of research in cryptography. Since the introduction of the concept in 2000 [39], there have been many proposed schemes for authenticated encryption. However, the most widely adopted algorithm – AES-GCM¹ – has several drawbacks and there is generally a lack of consensus on the best alternative.

This situation has motivated the initiation of the CAESAR competition, which is an open competition with the goal of selecting a portfolio of the best authenticated encryption schemes in terms of security and both hardware and software performance.

¹ AES-GCM = Advanced Encryption Standard in Galois-Counter Mode

1.1 Goals

The goals of this thesis are:

1. to compare some of the existing and proposed AEAD algorithms in terms of security and performance,
2. to produce implementations of selected CAESAR competition candidates for the Linux kernel cryptographic subsystem,
3. and to perform and analyze performance measurements of these implementations.

1.2 Chapter contents

The thesis consists of seven chapters. The first chapter is the introduction. In the second chapter we define authenticated encryption and describe some of the most common existing AEAD algorithms and modes. In the third chapter we introduce the CAESAR competition, briefly characterize the third-round candidates, and select three candidates that we describe in more detail. In the fourth chapter we briefly describe the Linux kernel Crypto API with focus on its AEAD interface. In the fifth chapter we discuss the possibilities of software optimization of cryptographic algorithms with focus on the x86 and ARM architectures. In the sixth chapter we describe implementations of the three selected CAESAR candidates that we developed as part of the thesis, targeting the Linux kernel Crypto API. At the end of this chapter we provide and analyze performance measurements of our implementations. The seventh chapter contains the conclusion.

2 Authenticated encryption

Authenticated encryption (also referred to as authenticated encryption with additional data – AEAD) in practice uses symmetric-key cryptography and is usually based on a stream cipher and a message authentication code (MAC), even though the computation of both is often merged into a single operation.

Encryption using an AEAD scheme takes the following inputs:

∙ a symmetric key (K) of some fixed size,
∙ a nonce (N) of some fixed size¹,
∙ an optional stream of associated data (A) that is only authenticated, not encrypted,
∙ the message plaintext (P) of any length (subject to some practical constraints), which is both authenticated and encrypted.

The output of the AEAD encryption process is the encrypted message ciphertext (C) and a fixed-size authentication tag (T), which carries the information needed to verify the authenticity of the message and associated data. We will denote AEAD encryption as follows:

(C, T) = AEAD-E_K(N, A, P)

¹ In some cases the nonce size can be variable or configurable.

Figure 2.1: AEAD encryption diagram (inputs: Key, Nonce, AD, Plaintext; outputs: Ciphertext, Tag)

Figure 2.2: AEAD decryption diagram (inputs: Key, Nonce, AD, Ciphertext, Tag; outputs: Plaintext, Verification OK?)

Some AEAD schemes can also produce a truncated authentication tag, which is shorter but provides a weaker guarantee against message forgery.

The decryption process takes the following inputs:

∙ the key (K) as used when encrypting,
∙ the nonce (N) as used when encrypting,
∙ an optional stream of associated
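The notation (C, T) = AEAD-E_K(N, A, P), the tag check on decryption, the truncated-tag option, and the introduction's point that a stream cipher alone cannot detect a modified message, as an added example in Go. This is not code from the thesis: it stands in AES-GCM and AES-CTR from the Go standard library for the CAESAR candidates the thesis implements, and every key, nonce, associated-data string and message is a constructed sample value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values (not from the thesis). A nonce must never repeat
// under one key; a fixed one is used here only to keep the demo deterministic.
var (
	sampleKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	sampleNonce = []byte("unique-nonce")                     // 12 bytes, GCM default
	sampleAD    = []byte("header: v1")                       // authenticated only
	samplePT    = []byte("transfer 100 to account 42")       // authenticated and encrypted
)

// aeadEncrypt implements (C, T) = AEAD-E_K(N, A, P) with AES-GCM. Go's Seal
// returns C||T in one slice, so the tag is split off to match the notation.
// tagSize 16 is the full tag; 12..15 gives a truncated tag (weaker forgery bound).
func aeadEncrypt(key, nonce, ad, plaintext []byte, tagSize int) (c, t []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCMWithTagSize(block, tagSize)
	if err != nil {
		return nil, nil, err
	}
	out := gcm.Seal(nil, nonce, plaintext, ad)
	return out[:len(out)-tagSize], out[len(out)-tagSize:], nil
}

// aeadDecrypt implements P = AEAD-D_K(N, A, C, T). It returns an error, and no
// plaintext at all, whenever the tag does not verify over (N, A, C).
func aeadDecrypt(key, nonce, ad, c, t []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCMWithTagSize(block, len(t))
	if err != nil {
		return nil, err
	}
	ct := append(append(make([]byte, 0, len(c)+len(t)), c...), t...)
	return gcm.Open(nil, nonce, ct, ad)
}

// decryptAfter encrypts samplePT, applies the requested modifications to the
// transmitted (A, C, T) triple, and returns what the receiver's AEAD-D yields.
func decryptAfter(flipCiphertextBit, changeAD, flipTagBit bool, tagSize int) ([]byte, error) {
	c, t, err := aeadEncrypt(sampleKey, sampleNonce, sampleAD, samplePT, tagSize)
	if err != nil {
		return nil, err
	}
	ad := sampleAD
	if flipCiphertextBit {
		c[0] ^= 0x01
	}
	if changeAD {
		ad = []byte("header: v2")
	}
	if flipTagBit {
		t[0] ^= 0x80
	}
	return aeadDecrypt(sampleKey, sampleNonce, ad, c, t)
}

// ctrFlipBit shows approach 1 from the introduction with the MAC left out:
// AES-CTR alone. Flipping ciphertext bit `pos` flips exactly the same plaintext
// bit, and decryption has no way to notice. iv must be 16 bytes (AES block size).
func ctrFlipBit(key, iv, plaintext []byte, pos int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	c := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(c, plaintext)
	c[pos/8] ^= 1 << uint(pos%8) // the modification made in transit
	p := make([]byte, len(c))
	cipher.NewCTR(block, iv).XORKeyStream(p, c)
	return p, nil
}

func main() {
	pt, err := decryptAfter(false, false, false, 16)
	fmt.Printf("untouched:                         %q err=%v\n", pt, err)
	_, err = decryptAfter(true, false, false, 16)
	fmt.Println("ciphertext bit flipped, AEAD-D err:", err)
	_, err = decryptAfter(false, true, false, 16)
	fmt.Println("AD changed, AEAD-D err:            ", err)
	_, err = decryptAfter(false, false, true, 12)
	fmt.Println("12-byte tag flipped, AEAD-D err:   ", err)
	p, _ := ctrFlipBit(sampleKey, []byte("0123456789abcdef"), samplePT, 75)
	fmt.Printf("CTR only, bit 75 flipped, no error: %q\n", p)
}
```

The last line of output is the "meaningful but different" plaintext the introduction warns about: bit 75 turns the '1' of "100" into '9', and CTR decryption alone cannot tell.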