Computer Security - Block Ciphers & DES (Data Encryption Standard)

Howon Kim, 2019.3

Agenda

◼ Review

◼ Block Ciphers & Stream Ciphers

❑ Stream Ciphers

❑ Block Ciphers

◼ DES

◼ Modes of Operations

◼ Next…

2 Review: Attack Types

◼ Attack types

❑ Ciphertext only

◼ Eve has only a copy of the ciphertext.

❑ Known plaintext

◼ Eve has a copy of a ciphertext and the corresponding plaintext.

◼ For example, if Eve knows that Alice always starts her message with “Dear Bob,” then Eve has a small piece of ciphertext and the corresponding plaintext.

❑ Chosen plaintext

◼ Eve gains temporary access to the encryption machine.

◼ She cannot open it to find the key, but she can encrypt a large number of suitably chosen plaintexts and try to use the resulting ciphertexts to deduce the key.

❑ Chosen ciphertext

◼ Eve obtains temporary access to the decryption machine.

3 Review: Ciphertext Only Attack

◼ Eve has only the ciphertext.

❑ Y M W J J U F W Y X

◼ Her best strategy is an exhaustive search.

❑ There are only 26 possible keys.

❑ If the message is longer than a few letters, it is unlikely that there is more than one meaningful message that could be the plaintext.

◼ Try to decrypt it!

4 Review: Known Plaintext Attack

◼ It is trivial (for the shift cipher only; in general a known-plaintext attack is not trivial).

❑ If Eve knows just one letter of the plaintext along with the corresponding letter of ciphertext, she can deduce the key.

◼ In this above example…

❑ Ciphertext: Y M W J J U F W Y X

❑ Plaintext: ? ? ? ? ? p ? ? ? ?

5 Review: CPA, CCA

◼ Attack 3: Chosen plaintext attack

❑ Choose the letter a as the plaintext.

❑ The ciphertext gives the key itself.

❑ Example: a ➔ F (= 5)

◼ Attack 4: Chosen ciphertext attack

❑ Choose the letter A as the ciphertext.

❑ The plaintext is the negative of the key.

6 Block vs Stream Ciphers

◼ block ciphers process messages in blocks, each of which is then en/decrypted

◼ like a substitution on very big characters

❑ 64-bits or more

◼ stream ciphers process messages a bit or byte at a time when en/decrypting

7 Block vs Stream Ciphers

Reference: Understanding Cryptography by C. Paar & J. Pelzl

8 Encryption & Decryption with Stream Ciphers

Reference: Understanding Cryptography by C. Paar & J. Pelzl

9 Synchronous vs. Asynchronous

◼ Synchronous Stream Cipher

❑ Key stream depends only on the key (and possibly an IV)

◼ Asynchronous Stream Cipher

❑ Key stream depends also on the ciphertext (dotted feedback enabled)

Reference: Understanding Cryptography by C. Paar & J. Pelzl

10 Why is mod 2 addition a good encryption function?

The randomness of the key stream bits si carries over to the ciphertext: the XOR (mod 2 addition) passes the randomness of si on to the ciphertext. In the figure, the key stream si contains 0s and 1s with probability 0.5 each, so after the mod 2 addition (XOR) the ciphertext bits yi have the same distribution as si.

11 LFSR Sequences : Example of Stream Cipher

◼ Linear Feedback Shift Register (LFSR)

❑ defined by a linear recurrence.

❑ implemented very easily, especially in hardware.

❑ very fast (the clock frequency can be very high, although each clock produces only one bit of throughput)

Example: xm+3 = xm+1 XOR xm

(figure: three registers xm+2, xm+1, xm; an XOR gate feeds xm+1 XOR xm back into the register; the key stream is XORed with the plaintext to give the ciphertext)

Initial state (initial values): x1x2x3 = 010
Generated sequence: 0101110010111001…
Plaintext (AB…): 0100000101000010…
Ciphertext: 0001110111111011…

12 LFSR Sequences

Example: xm+3 = xm+1 XOR xm, initial state x1x2x3 = 010

m=1: x4 = x2 xor x1 = 1 xor 0 = 1
m=2: x5 = x3 xor x2 = 0 xor 1 = 1
m=3: x6 = x4 xor x3 = 1 xor 0 = 1
m=4: x7 = x5 xor x4 = 1 xor 1 = 0
m=5: x8 = x6 xor x5 = 1 xor 1 = 0
m=6: x9 = x7 xor x6 = 0 xor 1 = 1
m=7: x10 = x8 xor x7 = 0 xor 0 = 0
m=8: x11 = x9 xor x8 = 1 xor 0 = 1
m=9: x12 = x10 xor x9 = 0 xor 1 = 1
m=10: x13 = x11 xor x10 = 1 xor 0 = 1
m=11: x14 = x12 xor x11 = 1 xor 1 = 0
m=12: x15 = x13 xor x12 = 1 xor 1 = 0

13 LFSR Sequences

◼ Key length vs. Sequence length

❑ Key length n ➔ sequence length ≤ 2^n – 1.

❑ Above example

◼ Key length = 3

◼ Sequence length = 7

◼ An “approximation” to a one-time pad

❑ A small input generates a long binary sequence.

The one-time pad (OTP) is an encryption algorithm where the plaintext is combined with a random key or "pad" that is as long as the plaintext and used only once. A modular addition is used to combine the plaintext with the pad. (For binary data, the operation XOR amounts to the same thing.) [From wikipedia]

14 LFSR Sequences: Attack

◼ Unfortunately,

❑ This encryption method succumbs easily to a known plaintext attack.

❑ This is because the construction is linear.

❑ If we know only a few consecutive bits of plaintext, along with the corresponding bits of ciphertext, an attack can determine the whole sequence.

linear: superposition property f(x+y) = f(x) + f(y); homogeneity of degree 1: f(ax) = a·f(x)

15 LFSR Sequences: Attack

◼ Example

❑ Suppose we know an initial segment of the (plaintext, ciphertext) pair.

Ciphertext: 10010100001110100100101010101011110010…
Plaintext:  11111111111…

Sequence:   01101011110…

16 LFSR Sequences: Attack

◼ An attacker tries to recover the linear recurrence.

◼ She doesn’t know the size of the LFSR.

❑ First start with length 2.

xn+2 = c0 xn + c1 xn+1 (“+” means XOR). Let n = 1 and n = 2,

and use the known values x1 = 0, x2 = 1, x3 = 1, x4 = 0 (Sequence: 01101011110…); we get

x3 = c0 x1 + c1 x2 ➔ 1 = c0·0 + c1·1 ➔ c1 = 1

x4 = c0 x2 + c1 x3 ➔ 0 = c0·1 + c1·1 ➔ c0 = 1

Check by regenerating: x5 = x3 + x4 = 1 + 0 = 1, x6 = x4 + x5 = 0 + 1 = 1, x7 = x5 + x6 = 1 + 1 = 0, x8 = x6 + x7 = 1 + 0 = 1, … ➔ generated sequence 01101101…, which differs from the known 01101011… at x6. Not correct!

17 LFSR Sequences: Attack

◼ Try length 3.

❑ The three equations for c0, c1, c2 have no solution either.

◼ Try length = 4.

xn+4 = c0 xn + c1 xn+1 + c2 xn+2 + c3 xn+3 (Sequence: 01101011110…)

x5 = c0 x1 + c1 x2 + c2 x3 + c3 x4 ➔ 1 = c1 + c2
x6 = c0 x2 + c1 x3 + c2 x4 + c3 x5 ➔ 0 = c0 + c1 + c3
x7 = c0 x3 + c1 x4 + c2 x5 + c3 x6 ➔ 1 = c0 + c2
x8 = c0 x4 + c1 x5 + c2 x6 + c3 x7 ➔ 1 = c1 + c3

c0 = 1, c1 = 1, c2 = 0, c3 = 0, i.e. xn+4 = xn + xn+1, which also reproduces the remaining known bits x9, x10, x11 = 1, 1, 0.

18 LFSR Sequences: Attack

◼ Generalization

❑ It is known that an attacker can recover the linear recurrence of an LFSR of length n once 2n consecutive elements of the sequence are revealed.

❑ This is much smaller than the period length of a sequence, i.e., 2n – 1.

◼ Improvement

❑ The problem is that the recurrence is linear, and an attacker can make a matrix equation.

❑ So, we append some nonlinear elements.
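The LFSR of slide 11 and the known-plaintext attack of slides 14 to 18, as an added example that is not part of the original slides: it generates the key stream from the recurrence x_{m+3} = x_{m+1} XOR x_m, reproduces the slide's ciphertext for the plaintext "AB", and then recovers the recurrence from the revealed bits of slide 15 by trying lengths 1, 2, 3, 4 and solving each linear system over GF(2). The bit sequences are the slides' own values; the function names are this example's.

```python
# Added example (not the lecture's code): LFSR keystream generation, XOR encryption
# and the known-plaintext recovery of the recurrence by Gaussian elimination over GF(2).

def lfsr(coeffs, state, n):
    """Generate n bits of x_{k+L} = c_0 x_k + c_1 x_{k+1} + ... + c_{L-1} x_{k+L-1} (mod 2).
    coeffs = [c_0, ..., c_{L-1}], state = [x_1, ..., x_L]. The slide's example is
    lfsr([1, 1, 0], [0, 1, 0], 16) -> 0101110010111001."""
    L = len(coeffs)
    x = list(state)
    while len(x) < n:
        x.append(sum(c * b for c, b in zip(coeffs, x[-L:])) % 2)
    return x[:n]


def xor_bits(a, b):
    return [p ^ q for p, q in zip(a, b)]


def bits(s):
    """'0101' -> [0, 1, 0, 1]"""
    return [int(ch) for ch in s]


def period(coeffs, state):
    """Smallest p > 0 after which the register state repeats (at most 2^L - 1)."""
    L = len(coeffs)
    x = lfsr(coeffs, state, 2 ** L + L)
    return next(p for p in range(1, 2 ** L) if x[p:p + L] == x[:L])


def solve_gf2(rows, rhs):
    """Gauss-Jordan elimination over GF(2) for rows * c = rhs (XOR arithmetic).
    Returns the unique solution, or None when the system is inconsistent (a 0 = 1 row)
    or leaves a free variable."""
    n = len(rows[0])
    m = [r[:] + [b] for r, b in zip(rows, rhs)]
    for col in range(n):                         # pivot for column `col` ends up in row `col`
        piv = next((i for i in range(col, len(m)) if m[i][col]), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        for i in range(len(m)):
            if i != col and m[i][col]:
                m[i] = [a ^ b for a, b in zip(m[i], m[col])]
    if any(row[n] for row in m[n:]):             # leftover rows must read 0 = 0
        return None
    return [m[i][n] for i in range(n)]


def recover_recurrence(seq, max_len):
    """Slides 16-18: try L = 1, 2, ...; from 2L known bits build the L equations
    x_{k+L} = sum_i c_i x_{k+i} (k = 0..L-1) and accept the first L whose solution also
    regenerates every remaining known bit. On the slide's data, length 2 solves but fails
    at x_6, length 3 has no solution, length 4 gives c = (1, 1, 0, 0)."""
    for L in range(1, max_len + 1):
        if 2 * L > len(seq):
            return None
        rows = [seq[k:k + L] for k in range(L)]
        rhs = [seq[k + L] for k in range(L)]
        c = solve_gf2(rows, rhs)
        if c is not None and lfsr(c, seq[:L], len(seq)) == seq:
            return c
    return None


# Slide 11: key stream, plaintext "AB" and ciphertext (all values from the slide)
KEYSTREAM = lfsr([1, 1, 0], [0, 1, 0], 16)
PLAINTEXT_AB = bits("0100000101000010")
CIPHERTEXT_AB = xor_bits(PLAINTEXT_AB, KEYSTREAM)

# Slides 15-18: Eve knows 11 plaintext bits (all ones) and the matching ciphertext bits
KNOWN_CT = bits("10010100001")
KNOWN_PT = bits("11111111111")
RECOVERED_STREAM = xor_bits(KNOWN_CT, KNOWN_PT)               # 01101011110
RECOVERED_RECURRENCE = recover_recurrence(RECOVERED_STREAM, 8)  # [1, 1, 0, 0]

if __name__ == "__main__":
    print("keystream ", "".join(map(str, KEYSTREAM)), "period", period([1, 1, 0], [0, 1, 0]))
    print("ciphertext", "".join(map(str, CIPHERTEXT_AB)))
    print("recovered recurrence coefficients c0..c3:", RECOVERED_RECURRENCE)
```

The acceptance test in recover_recurrence (the candidate must regenerate every known bit, not just satisfy the 2L equations it was solved from) is what rejects the length-2 solution that the slide shows failing at x6.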

19 Real Stream Cipher 1 – A5/1

◼ Example: GSM A5/1 Stream Cipher

❑ Used to encrypt mobile phone conversations

❑ Three LFSRs R1, R2, R3, each with a clocking bit C1, C2, C3; m = Majority(C1, C2, C3)

❑ Only the registers whose clocking bit agrees with the majority are clocked, i.e. either two or three registers are clocked in each step.

◼ Ex1) If C1 = 0, C2 = 1, C3 = 0, then clock R1 and R3.

◼ Ex2) If C1 = 1, C2 = 1, C3 = 1, then clock R1, R2 and R3.

20 New Stream Cipher Standardization

◼ ECRYPT

❑ European Network of Excellence for Cryptology

◼ eSTREAM

❑ ECRYPT Stream Cipher Project

❑ Phase 1 (Nov. 2004 ~)

◼ submission of cryptographic primitives

❑ Phase 2 (Aug. 2006 ~)

◼ Seven SW-based candidates: DRAGON, HC-256, LEX, , , , SOSEMANUK

◼ Four HW-based candidates: , MICKEY-128, Phelix,

❑ Phase 3 (April 2007 ~)

◼ Eight SW-based candidates: CryptMT, Dragon, HC, LEX, NLS, , Salsa20, SOSEMANUK

◼ Eight HW-based candidates: DECIM, Edon80, F-FCSR, Grain, MICKEY, Moustique, Pomaranch, Trivium

❑ eSTREAM Portfolio (April 2008): finalized

◼ S/W: HC-128, Rabbit, Salsa20/12, SOSEMANUK

◼ H/W: F-FCSR-H v2, Grain v1, MICKEY v2, Trivium

21 Real Stream Cipher 2 - Trivium

◼ A Modern Stream Cipher: Trivium (designed by Christophe De Cannière and Bart Preneel)

❑ 3 nonlinear feedback shift registers (NLFSRs) of lengths 93, 84 and 111

❑ Small in H/W

◼ Total register count : 288 , Non-linearity : 3 AND-gates

◼ 7 XOR-Gates (4 with three inputs)

22 Trivium

◼ Initialization

❑ Load leftmost 80-bit IV(Initial Vector) into A

❑ Load leftmost 80-bit key into B

❑ Set c109, c110, c111 = 1, all other register bits 0

◼ Warm-Up

❑ Clock cipher 4 x 288 = 1,152 times w/o generating output

◼ Encryption

❑ XOR-sum of all three NLFSR outputs generates key stream si
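Trivium as an added example (not code from the slides or from the cipher's designers), following the published specification's register indices. One caveat on labelling: the specification loads the 80-bit key into the 93-bit register (s1..s80) and the IV into the 84-bit register (s94..s173), the reverse of the labels on this slide's figure, and this code follows the specification. The key, IVs and messages below are constructed for the demonstration. The second half shows the point this slide's note makes: reuse an IV under the same key and the XOR of two ciphertexts equals the XOR of the two plaintexts.

```python
# Added example (not the lecture's code): bit-level Trivium per the published specification,
# followed by a demonstration of keystream reuse when the IV is not changed.

def int_to_bits(n, width):
    """Most-significant bit first, so index 0 is K1 / IV1 of the specification."""
    return [(n >> (width - 1 - i)) & 1 for i in range(width)]


def trivium_keystream(key80, iv80, nbits):
    """key80, iv80: lists of 80 bits. Returns nbits keystream bits after the 4 x 288 warm-up."""
    # s[0..287] is s1..s288: key into the 93-bit register, IV into the 84-bit one,
    # the 111-bit register all zero except its last three bits (c109..c111 = 1).
    s = key80 + [0] * 13 + iv80 + [0] * 4 + [0] * 108 + [1, 1, 1]
    assert len(key80) == len(iv80) == 80 and len(s) == 288
    out = []
    for clock in range(4 * 288 + nbits):
        t1 = s[65] ^ s[92]                        # s66 + s93
        t2 = s[161] ^ s[176]                      # s162 + s177
        t3 = s[242] ^ s[287]                      # s243 + s288
        if clock >= 4 * 288:                      # warm-up clocks produce no output
            out.append(t1 ^ t2 ^ t3)              # z = XOR of the three register outputs
        t1 ^= (s[90] & s[91]) ^ s[170]            # the three AND gates: the only nonlinearity
        t2 ^= (s[174] & s[175]) ^ s[263]
        t3 ^= (s[285] & s[286]) ^ s[68]
        s = [t3] + s[:92] + [t1] + s[93:176] + [t2] + s[177:287]   # shift all three registers
    return out


def trivium_xor(key80, iv80, data):
    """Encrypt or decrypt `data` (bytes) by XOR with the keystream."""
    ks = trivium_keystream(key80, iv80, 8 * len(data))
    ks_bytes = bytes(int("".join(map(str, ks[i:i + 8])), 2) for i in range(0, len(ks), 8))
    return bytes(a ^ b for a, b in zip(data, ks_bytes))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leak(key, iv, m1, m2):
    """With one (key, IV) pair used twice, XORing the two ciphertexts cancels the keystream."""
    return xor_bytes(trivium_xor(key, iv, m1), trivium_xor(key, iv, m2))


# Constructed demo values (not from any published test vector)
KEY = int_to_bits(0x0123456789ABCDEF0123, 80)
IV_A = int_to_bits(0x0000000000000000000A, 80)
IV_B = int_to_bits(0x0000000000000000000B, 80)
M1 = b"transfer 100 to alice"
M2 = b"transfer 999 to bobby"   # same length as M1 on purpose

if __name__ == "__main__":
    c = trivium_xor(KEY, IV_A, M1)
    print("ciphertext:", c.hex())
    print("round trip:", trivium_xor(KEY, IV_A, c))
    print("c1 ^ c2 == m1 ^ m2 under IV reuse:", iv_reuse_leak(KEY, IV_A, M1, M2) == xor_bytes(M1, M2))
```

Changing a single IV bit (IV_A to IV_B) gives an unrelated keystream after the 1,152 warm-up clocks, which is why the IV can be public: it only has to be fresh per message under a given key.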

• The IV acts as a randomizer, but it does not have to be kept secret (the only secret is the key!)
• If a stream cipher is used without changing the IV, the same key produces the same key stream, which is a security problem. So the IV is changed so that even the same key yields a different key stream.

23 Agenda

◼ Review

◼ Block Ciphers & Stream Ciphers

❑ Stream Ciphers

❑ Block Ciphers

◼ DES

◼ Cryptanalysis

◼ Modes of Operations

◼ Next…

24 Principles

◼ most symmetric block ciphers are based on a Feistel Cipher Structure

◼ block ciphers look like an extremely large substitution

◼ would need a table of 2^64 entries for a 64-bit block

◼ instead create from smaller building blocks

◼ using idea of a product cipher

25 Claude Shannon and Substitution- Permutation Ciphers

◼ in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks

❑ modern substitution-transposition product cipher

◼ these form the basis of modern block ciphers

◼ S-P networks are based on the two primitive cryptographic operations we have seen before:

❑ substitution (S-box)

❑ permutation (P-box)

◼ provide confusion and diffusion of message

26 Confusion and Diffusion

◼ a cipher needs to completely obscure the statistical properties of the original message

◼ a one-time pad does this

◼ more practically Shannon suggested combining elements to obtain:

◼ diffusion – dissipates statistical structure of plaintext over bulk of ciphertext

❑ Diffusion is associated with dependency of bits of the output on bits of the input.

❑ In a cipher with good diffusion, flipping an input bit should change each output bit with a probability of one half.

❑ Transposition is a technique for diffusion

◼ confusion – makes relationship between ciphertext and key as complex as possible

❑ Substitution (S-box) is a technique for confusion

27 Feistel Cipher Structure

◼ Horst Feistel devised the Feistel cipher

❑ based on concept of invertible product cipher

◼ partitions input block into two halves

❑ process through multiple rounds which

❑ perform a substitution on left data half

❑ based on round function of right half & subkey

❑ then have permutation swapping halves

◼ implements Shannon’s substitution- permutation network concept

28 Feistel Cipher Structure

◼ The basic operation is as follows:

◼ For encryption,

❑ split the plaintext block into two equal pieces (L0, R0)

❑ For each round i = 1, 2, …, n compute

◼ Li = Ri-1

◼ Ri = Li-1 XOR f(Ri-1, Ki), where f is the round function and Ki is the sub-key of round i

◼ Then the ciphertext is (Ln, Rn)

◼ For decryption, input (Ln, Rn)

❑ For each round i = n, n-1, …, 1 compute

◼ Ri-1 = Li

◼ Li-1 = Ri XOR f(Li, Ki)

29 Feistel Cipher Structure

(figure: encryption runs rounds 1 to n with Li = Ri-1, Ri = Li-1 + f(Ri-1, Ki), from (L0, R0) to (Ln, Rn); decryption runs rounds n down to 1 with Ri-1 = Li, Li-1 = Ri + f(Li, Ki), from (Ln, Rn) back to (L0, R0); the halves are swapped at the end of each direction)

30 Feistel Cipher Design Principles

◼ block size ❑ increasing block size improves security, but slows cipher

◼ key size ❑ increasing key size improves security, makes exhaustive key searching harder, but may slow cipher

◼ number of rounds ❑ increasing number improves security, but slows cipher

◼ subkey generation ❑ greater complexity can make analysis harder, but slows cipher

◼ round function ❑ greater complexity can make analysis harder, but slows cipher

◼ fast software en/decryption & ease of analysis ❑ are more recent concerns for practical use and testing

31 Agenda

◼ Review

◼ Block Ciphers & Stream Ciphers

❑ Stream Ciphers

❑ Block Ciphers

◼ DES

◼ Cryptanalysis

◼ Modes of Operations

◼ Next…

32 Data Encryption Standard (DES)

◼ most widely used block cipher in world

◼ adopted in 1977 by NBS (now NIST)

❑ as FIPS PUB 46

◼ encrypts 64-bit data using 56-bit key

◼ has been considerable controversy over its security

www.nist.gov

33 Block Cipher Design Principles

◼ basic principles still like Feistel in 1970’s

◼ number of rounds

❑ more is better, exhaustive search best attack

◼ function f:

❑ provides “confusion”, is nonlinear, avalanche

❑ complex subkey creation, key avalanche

34 DES History

◼ IBM developed Lucifer cipher

❑ by team led by Feistel

❑ used 64-bit data blocks with 128-bit key

◼ then redeveloped as a commercial cipher with input from NSA (http://www.nsa.gov) and others

◼ in 1973 NBS issued request for proposals for a national cipher standard

◼ IBM submitted their revised Lucifer which was eventually accepted as the DES

35 DES Design Controversy

◼ although DES standard is public

◼ was considerable controversy over design

❑ in choice of 56-bit key (vs Lucifer 128-bit)

❑ and because design criteria were classified, not opened to the public

◼ subsequent events and public analysis show in fact design was appropriate

◼ DES has become widely used, especially in financial applications

36 Data Encryption Standard: Structure

(figure) Encryption: 64-bit plaintext X → DES encryption algorithm with 56-bit key K → 64-bit ciphertext Y. Decryption: 64-bit ciphertext Y → DES decryption algorithm with the same 56-bit key K → 64-bit plaintext X.

Y = EK(X), X = DK(Y)

◼ Basic Operations

❑ substitution

❑ transposition

❑ linear operation (XOR)

37 Data Encryption Standard: Encryption

(figure) 64-bit plaintext X → initial permutation IP (a transposition) → round 1 with 48-bit subkey K1 → round 2 with K2 → … → round 16 with K16 → 32-bit swap → IP-1 → 64-bit ciphertext Y. The key schedule derives K1, …, K16 (48 bits each) from the 56-bit key K.

38 Data Encryption Standard: One Round

(figure) Each round is a Feistel system (Feistel cipher, Feistel network): the 64-bit input is split into L0 and R0 (32 bits each); f(R0, K1) is computed with the 48-bit subkey K1 and XORed into L0; L1 = R0 and R1 = L0 XOR f(R0, K1) form the 64-bit output.

39 Data Encryption Standard: Nonlinear function f

(figure) R0 (32 bits) → Expansion E (48 bits) → XOR with the 48-bit subkey K1 → eight 6-bit groups → S-boxes S1 … S8 (substitution boxes, 4-bit output each) → Permutation P → f(R0, K1) (32 bits)

40 (figure) DES as a whole: plaintext (64) → IP → L0, R0 (32 each) → 16 rounds, each computing f = P(S(E(Ri-1) XOR Ki)) through the 8 S-boxes and XORing it into Li-1 → L16, R16 → 32-bit swap (R16, L16) → IP-1 → ciphertext (64); the key schedule produces the 48-bit subkeys K1 … K16 from the 56-bit key.

41 DES Details: Initial Permutation/Inverse Permutation

◼ X = IP(M), M = IP-1(X)

◼ M7 → (IP) → x64; the numbers in the table are bit positions of the input, and the position of each entry in the table is the output bit position.

◼ X64 → (IP-1) → m7

Through IP, the 7th bit of the input M becomes the 64th bit of the output.

42 DES Details: Initial Permutation/Inverse Permutation

◼ IP operation illustrated (source: Wikipedia): m7 → x64

43 DES Details: Expansion Permutation E

◼ By duplications, the 32 bits are expanded to 48 bits

44 DES Details: Expansion Permutation E

◼ By duplications, the 32 bits are expanded to 48 bits (table)

45 DES Details: S-Boxes

(slides 45–49: the S-box tables S1 … S8)

S-box: 6-bit input, 4-bit output

50 DES Details: S-Boxes

◼ S-Box operation (S5 example, source: Wikipedia)

Input: 0 1 1 0 1 1. The outer two bits (0 and 1, i.e. row 01 = 1) select the row; the middle four bits (1 1 0 1 = 13) select the column. The 16 columns are numbered 0 … 15 and the 4 rows 00, 01, 10, 11. S5[row 1][column 13] gives the output 1 0 0 1.

51 DES Details: Permutation P

◼ Permutation table: 32bits →(P)→ 32bits

52 DES Details: Permutation P

◼ Permutation : 32bits →(P)→ 32bits

(source: Wikipedia)

53 DES Key Schedule

◼ Key K is a bitstring of length 64.

❑ Only 56 bits are real keys.

❑ 8 bits are parity-check bits for error detection

◼ The bits in positions 8, 16, …, 64 are defined so that each byte contains an odd number of 1’s.

54 DES Key Schedule

◼ forms subkeys used in each round

◼ consists of:

❑ initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves (C,D)

❑ 16 stages consisting of:

◼ selecting 24-bits from each half

◼ permuting them by PC2 for use in function f,

◼ rotating each half (C,D) separately either 1 or 2 bits depending on the key rotation schedule K

55 DES Key Schedule

◼ Initial key: 56 bits

◼ We get two 28-bit halves (C, D) of the 56-bit key after applying the initial permutation of the key (PC1)

◼ At each round, we get 48 bits (two × 24 bits) after the PC2 permutation

◼ C and D are treated separately: C and D are each rotated left by one or two bits

56 DES Encryption Example

plain (64 bits): 01234567 89ABCDEF

key (64 bits, including parity bits; 56 bits are the real key!): 13345779 9BBCDFF1

cipher (64 bits): 85E81354 0F0AB405

57 (figure) plaintext 01234567 89ABCDEF (64 bits) → IP → L0, R0

58 (figure) L0, R0 (32 bits each); R0 → E → 48 bits

59 (figure) E(R0) (48 bits) XOR K1 (48 bits, from the key schedule)

60 (figure) Substitution: the first 6-bit group 011000 enters S1; row 00 and column 1100 (= 12) give 5 = 0101

61 (figure) All eight S-boxes S1 … S8 → P (32 bits)

62 (figure) Output of P XOR L0 → 1110111101…

63 (figure) L1 = R0, R1 = L0 XOR f(R0, K1) = 1110111101…

64 (figure) DES as a whole: plaintext → IP → L0, R0 → 16 rounds of f (E, XOR Ki, S1 … S8, P) with the subkeys K1 … K16 from the key schedule of the 56-bit key → L16, R16 → 32-bit swap → IP-1 → ciphertext

65 Data Encryption Standard: Decryption

◼ Same as encryption

❑ We can use the same structure, but with the subkeys used in reverse order.

66 Agenda

◼ Review

◼ Block Ciphers & Stream Ciphers

❑ Stream Ciphers

❑ Block Ciphers

◼ DES

◼ Cryptanalysis

◼ Modes of Operations

◼ Next…

67 Strength of DES – Key Size

◼ 56-bit keys have 2^56 ≈ 7.2 × 10^16 values

◼ brute force search looks hard

◼ But, recent advances have shown that it is possible

❑ in 1997 on Internet in a few months

❑ in 1998 on dedicated H/W in a few days

❑ in 1999 above combined in 22hrs!

◼ still must be able to recognize plaintext

◼ now considering alternatives to DES

68 Strength of DES – Timing Attacks

◼ attacks on actual implementation of cipher

◼ use knowledge of consequences of implementation to derive knowledge of some/all subkey bits

◼ specifically use the fact that calculations can take varying times depending on the value of the inputs to it

◼ particularly problematic on smartcards
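An added example (not from the slides) of the data-dependent running time described above, on the simplest leaky operation: comparing a secret value byte by byte, as done when checking a MAC tag or an authenticator derived from a cipher. Rather than timing real hardware, the naive comparison reports how many bytes it examined before it stopped, which is what its running time leaks on a real device; a byte-by-byte recovery then needs at most 256 × length guesses instead of 256^length. The secret value (the slide 56 DES ciphertext) and the function names are this example's choices; hmac.compare_digest is the Python standard library's constant-time comparison.

```python
# Added example (not the lecture's code): a timing side channel in a comparison, recovery of the
# secret from it, and the constant-time alternative.
import hmac

def naive_equal(secret, guess):
    """Early-exit comparison. Returns (equal, bytes_matched_before_mismatch); the second value
    stands in for the measured running time, which grows with the length of the matching prefix."""
    if len(secret) != len(guess):
        return False, 0
    matched = 0
    for a, b in zip(secret, guess):
        if a != b:
            return False, matched
        matched += 1
    return True, matched

def constant_time_equal(secret, guess):
    """Same answer, but every byte is always examined: the work no longer depends on the data."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b
    return diff == 0, len(secret)

def builtin_equal(secret, guess):
    """What production code should call."""
    return hmac.compare_digest(secret, guess)

def recover_secret(timing_oracle, length):
    """Byte-by-byte recovery against a timing oracle: at each position the guess that makes the
    oracle run longest (one more matched byte) is the right one."""
    known = b""
    for pos in range(length):
        def cost(g):
            return timing_oracle(known + bytes([g]) + bytes(length - pos - 1))[1]
        known += bytes([max(range(256), key=cost)])
    return known

SECRET_TAG = bytes.fromhex("85e813540f0ab405")   # constructed secret: the DES ciphertext of slide 56

if __name__ == "__main__":
    leaky = recover_secret(lambda g: naive_equal(SECRET_TAG, g), len(SECRET_TAG))
    safe = recover_secret(lambda g: constant_time_equal(SECRET_TAG, g), len(SECRET_TAG))
    print("recovered through naive compare:   ", leaky.hex(), leaky == SECRET_TAG)
    print("recovered through constant-time:   ", safe.hex(), safe == SECRET_TAG)
```

Against the constant-time oracle every guess costs the same, so the search has no signal and recovers nothing; on real hardware the same principle applies to any branch or table access whose cost depends on key or data bits, which is the smartcard problem the slide refers to.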

69 Strength of DES – Analytic Attacks

◼ now have several analytic attacks on DES

◼ these utilize some deep structure of the cipher

❑ by gathering information about

❑ can eventually recover some/all of the sub-key bits

❑ if necessary then exhaustively search for the rest

◼ generally these are statistical attacks

◼ include

❑ differential cryptanalysis

❑ linear cryptanalysis

❑ related key attacks

70 Differential Cryptanalysis

◼ one of the most significant recent (public) advances in cryptanalysis

◼ known by NSA in 70's (The DES designer already knew this attacking technique)

◼ Murphy, Biham & Shamir published 1990

◼ powerful method to analyse block ciphers

◼ used to analyse most current block ciphers with varying degrees of success

◼ DES reasonably resistant to it

71 Differential Cryptanalysis

◼ a statistical attack against Feistel ciphers

◼ uses cipher structure not previously used

◼ design of S-P networks has output of function f influenced by both input & key

◼ hence cannot trace values back through cipher without knowing values of the key

◼ Differential Cryptanalysis compares two related pairs of encryptions

72 Linear Cryptanalysis

◼ another recent development

◼ also a statistical method

◼ must be iterated over rounds, with decreasing probabilities

◼ developed by Matsui et al in early 90's

◼ based on finding linear approximations

◼ can attack DES with 2^47 known plaintexts, still in practice infeasible

73 History of Attacks on DES

74 Agenda

◼ Review

◼ Block Ciphers & Stream Ciphers

❑ Stream Ciphers

❑ Block Ciphers

◼ DES

◼ Cryptanalysis

◼ Modes of Operations

◼ Next…

75 Modes of Operation

◼ block ciphers encrypt fixed size blocks

◼ eg. DES encrypts 64-bit blocks, with 56-bit key

◼ need way to use in practice, given usually have arbitrary amount of information to encrypt

◼ four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use

◼ subsequently now have 5 for DES and AES

◼ have block and stream modes

76 Electronic Codebook (ECB)

◼ message is broken into independent blocks which are encrypted

◼ each block is a value which is substituted, like a codebook, hence name

◼ each block is encoded independently of the other blocks

Ci = DESK1 (Pi)

◼ uses: secure transmission of single values

77 Electronic Codebook (ECB)

78 Advantages and Limitations of ECB

◼ repetitions in message may show in ciphertext

❑ if aligned with message block

❑ particularly with data such as graphics

❑ or with messages that change very little, which become a code-book analysis problem

◼ weakness due to encrypted message blocks being independent

◼ main use is sending a few blocks of data

79 ECB Weakness Demo

(figure: the original image, the ECB-encrypted image and the CBC-encrypted image side by side)

http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

80 Cipher Block Chaining (CBC)

◼ message is broken into blocks

◼ but these are linked together in the encryption operation

◼ each previous cipher blocks is chained with current plaintext block, hence name

◼ use Initial Vector (IV) to start process

Ci = DESK1(Pi XOR Ci-1)

C-1 = IV

◼ uses: bulk data encryption, authentication

81 Cipher Block Chaining (CBC)

82 Cipher Block Chaining (CBC)

83 Advantages and Limitations of CBC

◼ each ciphertext block depends on all message blocks

◼ thus a change in the message affects all ciphertext blocks after the change as well as the original block

◼ need Initial Value (IV) known to sender & receiver

❑ however if the IV is sent in the clear, an attacker can change bits of the first plaintext block by changing the corresponding bits of the IV (P1 = DK(C1) XOR IV)

❑ hence, in this textbook treatment, either the IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before the rest of the message; in current practice the IV need not be secret but must be unpredictable per message (a fixed IV reveals when two messages share a prefix), and tampering is prevented by a MAC over IV and ciphertext rather than by hiding the IV

◼ at end of message, handle possible last short block

❑ by padding either with known non-data value (eg nulls)

❑ or pad last block with count of pad size

◼ eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count

84 Cipher FeedBack (CFB)

◼ message is treated as a stream of bits

◼ added to the output of the block cipher

◼ result is fed back for the next stage (hence name)

◼ standard allows any number of bits (1, 8 or 64 or whatever) to be fed back

❑ denoted CFB-1, CFB-8, CFB-64 etc

◼ is most efficient to use all 64 bits (CFB-64)

Ci = Pi XOR DESK1(Ci-1)

C-1 = IV

◼ uses: stream data encryption, authentication

85 Cipher FeedBack (CFB)

86 Advantages and Limitations of CFB

◼ appropriate when data arrives in bits/bytes

◼ most common stream mode

◼ limitation is need to stall while do block encryption after every n-bits

◼ note that the block cipher is used in encryption mode at both ends

◼ errors propagate for several blocks after the error

87 Output FeedBack (OFB)

◼ message is treated as a stream of bits

◼ output of cipher is added to message

◼ output is then feed back (hence name)

◼ feedback is independent of message

◼ can be computed in advance

Ci = Pi XOR Oi

Oi = DESK1(Oi-1)

O-1 = IV

◼ uses: stream encryption over noisy channels

88 Output FeedBack (OFB)

89 Advantages and Limitations of OFB

◼ used when error feedback is a problem or where the encryptions need to be computed before the message is available

◼ superficially similar to CFB

◼ but feedback is from the output of cipher and is independent of message

◼ a variation of a Vernam cipher

❑ hence must never reuse the same sequence (key+IV)

◼ sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs

◼ originally specified with m-bit feedback in the standards

◼ subsequent research has shown that only OFB-64 should ever be used 90 Counter (CTR)

◼ a “new” mode, though proposed early on

◼ similar to OFB but encrypts counter value rather than any feedback value

◼ must have a different key & counter value for every plaintext block (never reused)

Ci = Pi XOR Oi

Oi = DESK1(i)

◼ uses: high-speed network encryptions

91 Counter (CTR)

(figure: counter blocks Counter, Counter+1, …, Counter+N-1, each encrypted and XORed with one plaintext block)

92 Advantages and Limitations of CTR

◼ efficiency

❑ can do parallel encryptions

❑ in advance of need

❑ good for bursty high speed links

◼ random access to encrypted data blocks

◼ provable security (good as other modes)

◼ but must ensure never reuse key/counter values, otherwise could break (cf OFB)
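ECB, CBC and CTR as an added example (not the lecture's code), written from the equations on slides 76, 80 and 90 over 64-bit blocks. DES is not in the Python standard library, so a toy 64-bit Feistel cipher built from SHA-256 stands in for DES_K; it is a keyed permutation, so CBC can be decrypted, but it is not a secure cipher and exists only to show how the modes behave. The padding is the count-in-the-last-byte scheme of slide 83; the key, IV, nonce and message are constructed. The block shows the ECB repetition leak, the IV bit-flip on CBC decryption and the keystream cancellation when a CTR nonce is reused.

```python
# Added example (not the lecture's code): ECB, CBC and CTR over a toy 64-bit block cipher.
import hashlib

BLOCK = 8   # 64-bit blocks, as for DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    """Stand-in for DES_K(block): 4 Feistel rounds with round function SHA-256(key, i, R)[:4].
    A permutation on 64-bit blocks, but NOT a secure cipher."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return r + l

def toy_decrypt_block(key, block):
    """Same rounds with the round keys in reverse order (the Feistel property)."""
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return r + l

def pad_count(data):
    """Slide 83: zero-fill the last block and store the pad length in its final byte,
    e.g. b1 b2 b3 00 00 00 00 05. A whole pad block is added when the data already fills
    its last block, so unpadding is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes(n - 1) + bytes([n])

def unpad_count(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:-1] != bytes(n - 1):
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    """C_i = E_K(P_i): blocks are independent, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pad_count(pt)))

def cbc_encrypt(key, iv, pt):
    """C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV."""
    out, prev = [], iv
    for b in blocks(pad_count(pt)):
        prev = toy_encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    """P_i = D_K(C_i) XOR C_{i-1}: flipping a bit of the IV flips the same bit of P_0."""
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return unpad_count(b"".join(out))

def ctr_encrypt(key, nonce4, data):
    """C_i = P_i XOR E_K(nonce || i). No padding, no chaining; decryption is the same call."""
    out = []
    for i, b in enumerate(blocks(data)):
        keystream = toy_encrypt_block(key, nonce4 + i.to_bytes(4, "big"))
        out.append(xor(b, keystream[:len(b)]))
    return b"".join(out)

def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier one (the ECB pattern leak)."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

# Constructed demo inputs (not from the slides)
KEY = b"toy key!"
IV = bytes.fromhex("0011223344556677")
NONCE = b"\x00\x00\x00\x01"
MESSAGE = b"ATTACK AT DAWN! " * 4   # 64 bytes: blocks 0,2,4,6 are identical, as are 1,3,5,7

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, MESSAGE)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, MESSAGE)))
    c1, c2 = ctr_encrypt(KEY, NONCE, MESSAGE), ctr_encrypt(KEY, NONCE, b"x" * 64)
    print("CTR nonce reuse leaks P1 XOR P2:", xor(c1, c2) == xor(MESSAGE, b"x" * 64))
```

Nothing in the toy cipher makes the ECB leak or the CTR nonce-reuse leak appear; both come from the mode equations alone and would look identical with real DES in place of toy_encrypt_block.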

93 GCM(Galois Counter Mode)

◼ Encryption mode + MAC

❑ Alice (sensor) computes a cryptographic checksum, the MAC (Message Authentication Code), and appends it to the message

❑ Bob (receiver) computes a MAC from the received message and checks whether his MAC is the same as the one computed by Alice

❑ In this way, Bob can make sure that (1) the message was really created by Alice and (2) nobody tampered with the ciphertext during transmission

◼ GCM consists of an underlying block cipher and a Galois field multiplier, with which the two GCM functions, authenticated encryption and authenticated decryption, are realized

94 GCM(Galois Counter Mode)

◼ Encryption + authentication

• Ek: encryption algorithm with key k (ex: AES-256)
• PT: plain text, CT: cipher text
• All blocks are 128 bits in length
• IV: 96-bit initialization vector, which is a nonce
• 1st counter block is the IV followed by the 32-bit number “1”
• The output is the cipher text and the tag
• AD: additional data (which does not get encrypted)

95 GCM(Galois Counter Mode)

(figure) Reference: Understanding Cryptography by C. Paar & J. Pelzl

96 GCM(Galois Counter Mode)

◼ On the sender side, GCM encrypts data using the Counter Mode (CTR) followed by the computation of a MAC value.

❑ For encryption, first an initial counter is derived from an IV and a serial number.

❑ Then the initial counter value is incremented, and this value is encrypted and XORed with the first plaintext block.

❑ For subsequent plaintexts, the counter is incremented and then encrypted.

◼ Note that the underlying block cipher is only used in encryption mode. GCM allows for precomputation of the block cipher function if the initialization vector is known ahead of time.

97 GCM(Galois Counter Mode)

◼ For authentication,

❑ GCM performs a chained Galois field multiplication.

❑ For every plaintext xi an intermediate authentication parameter gi is derived.

❑ gi is computed as the XOR sum of the current ciphertext yi and gi-1, multiplied by the constant H.

❑ The value H is a hash subkey which is generated by encryption of the all-zero input with the block cipher.

❑ All multiplications are in the 128-bit Galois field GF(2^128) with the irreducible polynomial P(x) = x^128 + x^7 + x^2 + x + 1.

❑ Since only one multiplication is required per block cipher encryption, the GCM mode adds very little computational overhead to the encryption.
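GCM's components as an added example (not the lecture's code), written over any 128-bit block cipher E_K passed in as a function: GF(2^128) multiplication with the polynomial above in GCM's bit order, GHASH with H = E_K(0^128), CTR encryption starting from the first counter block IV || 1, and tag = GHASH XOR E_K(J0). No AES is used (none is in the Python standard library); instead the known-answer check feeds the functions a three-entry lookup table of AES-128 outputs under the all-zero key, taken from Test Case 2 of the GCM specification by McGrew and Viega, so the glue logic can be checked against that test's published ciphertext 0388dace60b6a392f328c2b971b2fe78 and tag ab6e47d42cec13bdf53a67b21257bddf. The function names are this example's.

```python
# Added example (not the lecture's code): GF(2^128) multiplication, GHASH, GCM encryption and
# decryption, generic over the block cipher; checked with tabulated AES outputs from the spec.
import hmac

R = 0xE1 << 120   # x^128 + x^7 + x^2 + x + 1, reflected into GCM's bit order

def gf128_mul(x, y):
    """x * y in GF(2^128) (spec Algorithm 1): bit 0 of x is its leftmost, most significant bit."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h, aad, ct):
    """g_0 = 0; g_i = (g_{i-1} XOR block_i) * H over the zero-padded AAD blocks, then the
    ciphertext blocks, then one block holding [len(AAD) in bits || len(C) in bits]."""
    g = 0
    for data in (aad, ct):
        data = data + bytes(-len(data) % 16)
        for i in range(0, len(data), 16):
            g = gf128_mul(g ^ int.from_bytes(data[i:i + 16], "big"), h)
    return gf128_mul(g ^ ((len(aad) * 8) << 64 | (len(ct) * 8)), h)

def inc32(counter):
    """Increment only the low 32 bits of the 128-bit counter block."""
    low = (int.from_bytes(counter[12:], "big") + 1) & 0xFFFFFFFF
    return counter[:12] + low.to_bytes(4, "big")

def gcm_encrypt(block_encrypt, iv12, plaintext, aad=b""):
    """Returns (ciphertext, 16-byte tag). block_encrypt(b) must compute E_K(b) for 16-byte b."""
    h = int.from_bytes(block_encrypt(bytes(16)), "big")      # hash subkey H = E_K(0^128)
    j0 = iv12 + b"\x00\x00\x00\x01"                            # first counter block: IV || 1
    counter, out = j0, []
    for i in range(0, len(plaintext), 16):
        counter = inc32(counter)                               # increment, encrypt, XOR
        out.append(bytes(a ^ b for a, b in zip(plaintext[i:i + 16], block_encrypt(counter))))
    ct = b"".join(out)
    tag = ghash(h, aad, ct) ^ int.from_bytes(block_encrypt(j0), "big")
    return ct, tag.to_bytes(16, "big")

def gcm_decrypt(block_encrypt, iv12, ct, tag, aad=b""):
    """Recompute the tag and compare it in constant time BEFORE releasing any plaintext."""
    h = int.from_bytes(block_encrypt(bytes(16)), "big")
    j0 = iv12 + b"\x00\x00\x00\x01"
    expected = (ghash(h, aad, ct) ^ int.from_bytes(block_encrypt(j0), "big")).to_bytes(16, "big")
    if not hmac.compare_digest(expected, tag):
        raise ValueError("GCM tag check failed")
    counter, out = j0, []
    for i in range(0, len(ct), 16):
        counter = inc32(counter)
        out.append(bytes(a ^ b for a, b in zip(ct[i:i + 16], block_encrypt(counter))))
    return b"".join(out)

# AES-128 under the all-zero key for the three blocks Test Case 2 touches (values copied from
# the GCM specification); a lookup table standing in for a real cipher call.
AES_K0 = {
    bytes(16):           bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e"),  # H = E_K(0)
    bytes(15) + b"\x01": bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a"),  # E_K(J0)
    bytes(15) + b"\x02": bytes.fromhex("0388dace60b6a392f328c2b971b2fe78"),  # E_K(inc32(J0))
}

def gcm_test_case_2():
    """IV = 0^96, plaintext = one all-zero block, no AAD."""
    return gcm_encrypt(AES_K0.__getitem__, bytes(12), bytes(16))

if __name__ == "__main__":
    ct, tag = gcm_test_case_2()
    print("C =", ct.hex(), " T =", tag.hex())
```

The multiplicative identity in GCM's representation is the block 80 00 … 00 (bit 0 set), not the integer 1, which is the usual source of bugs in hand-written GHASH code; the tag check in gcm_decrypt deliberately happens before any plaintext is produced.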

98 Next…

◼ We will study on the modular arithmetic and finite fields…

❑ Group

❑ Ring

❑ Field

❑ Modular arithmetic

❑ Finite field – Prime field, binary field, etc.

❑ Polynomial arithmetic, etc.

99 Q&A

100 DES cracker

◼ EFF(Electronic Frontier Foundation)’s DES cracker

❑ July 1998: DES Challenge II

◼ Electronic Frontier Foundation (EFF) built a DES code-cracker for $250k

◼ Cracked DES in 3 days

❑ Jan. 1999: DES Challenge III

◼ Distributed.Net used EFF DES cracker plus 100,000 PCs on the Internet to crack DES in 22 hours 15 min.

◼ Testing 245 billion keys/sec when key was found

101 Timing attack: additional explanation

http://www.youtube.com/watch?feature=player_detailpage&v=BCmrBpKZl78

See the Python built-in function