Cryptography and Network Security Chapter 6

4/19/2010

Cryptography and Network Chapter 6 –Block Cipher Operation Security Chapter 6 Many savages at the present day regard their names as vital parts of themselves, and therefore take great pains to conceal their real names, lest these should give to evil‐disposed Fifth Edition persons a handle by which to injure their by William Stallings owners. — The Golden Bough, Sir James George Frazer Lecture slides by Lawrie Brown

Multiple Encryption & DES Double‐DES?

• clear a replacement for DES was needed • could use 2 DES encrypts on each block – theoretical attacks that can break it – C = EK2(EK1(P)) – demonstrated exhaustive key search attacks • issue of reduction to single stage • AES is a new cihipher alterna tive • and have “meet‐in‐the‐middle” attack • prior to this alternative was to use multiple – works whenever use a cipher twice encryption with DES implementations – since X = EK1(P) = DK2(C) • Triple‐DES is the chosen form – attack by encrypting P with all keys and store – then decrypt C with keys and match X value – can show takes O(256) steps

Triple‐DES with Two‐Keys Triple‐DES with Three‐Keys

• hence must use 3 encryptions • although are no practical attacks on two‐key – would seem to need 3 distinct keys Triple‐DES have some indications • but can use 2 keys with E‐D‐E sequence • can use Triple‐DES with Three‐Keys to avoid

– C=EC = EK1(DK2(EK1(P))) even these – nb encrypt & decrypt equivalent in security – C = EK3(DK2(EK1(P))) – if K1=K2 then can work with single DES • has been adopted by some Internet • standardized in ANSI X9.17 & ISO8732 applications, eg PGP, S/MIME • no current known practical attacks – several proposed impractical attacks might become basis of future attacks

1 4/19/2010

Modes of Operation Electronic Codebook Book (ECB)

• block ciphers encrypt fixed size blocks • message is broken into independent blocks – eg. DES encrypts 64‐bit blocks with 56‐bit key which are encrypted • need some way to en/decrypt arbitrary • each block is a value which is substituted, like amounts of data in practise a codebook, hence name • NIST SP 800‐38A defines 5 modes • each block is encoded independently of the • have block and stream modes other blocks C = E (P ) • to cover a wide variety of applications i K i • uses: secure transmission of single values • can be used with any block cipher

Advantages and Limitations of ECB

message repetitions may show in ciphertext Electronic if aligned with message block particularly with data such graphics Codebook or with messages that change very little, which Book (ECB) become a code‐book analysis problem weakness is due to the encrypted message blocks being independent main use is sending a few blocks of data

Cipher Block Chaining (CBC)

• message is broken into blocks Cipher • linked together in encryption operation Block • each previous cipher blocks is chained with current plaintext block, hence name Chaining • use Initial Vector (IV) to start process (CBC)

Ci = EK(Pi XOR Ci-1)

C-1 = IV • uses: bulk data encryption, authentication

2 4/19/2010

Message Padding Advantages and Limitations of CBC

at end of message must handle a possible last a ciphertext block depends on all blocks before short block it which is not as large as blocksize of cipher any change to a block affects all following pad either with known non‐data value (eg nulls) ciphertext blocks or pad last block along with count of pad size need Initialization Vector (IV) • eg. [ b1 b2 b3 0 0 0 0 5]  which must be known to sender & receiver • means have 3 data bytes, then 5 bytes pad+count  if sent in clear, attacker can change bits of first block, and this may require an extra entire block over those in change IV to compensate message  hence IV must either be a fixed value (as in EFTPOS) there are other, more esoteric modes, which  or must be sent encrypted in ECB mode before rest of avoid the need for an extra block message

Stream Modes of Operation Cipher FeedBack (CFB)

• block modes encrypt entire block • message is treated as a stream of bits • may need to operate on smaller units • added to the output of the block cipher – real time data • result is feed back for next stage (hence name) • standard allows any number of bit (1,8, 64 or 128 • convert block cipher into stream cipher etc) to be feed back – cipher feedback (CFB) mode – denoted CFB‐1, CFB‐8, CFB‐64, CFB‐128 etc – output feedback (OFB) mode • most efficient to use all bits in block (64 or 128) – counter (CTR) mode Ci = Pi XOR EK(Ci-1) C = IV • use block cipher as some form of pseudo‐ -1 • uses: stream data encryption, authentication random number generator

Advantages and Limitations of CFB

appropriate when data arrives in bits/bytes s‐bit most common stream mode Cipher limitation is need to stall while do block FeedkdBack encryption after every n‐bits (CFB‐s) note that the block cipher is used in encryption mode at both ends errors propogate for several blocks after the error

3 4/19/2010

Output FeedBack (OFB)

• message is treated as a stream of bits • output of cipher is added to message Output • output is then feed back (hence name) FeedBack • fdbkfeedback is iidndepen den t of message • can be computed in advance (OFB)

Oi = EK(Oi-1) Ci = Pi XOR Oi O-1 = IV • uses: stream encryption on noisy channels

Advantages and Limitations of OFB Counter (CTR)

 needs an IV which is unique for each use • a “new” mode, though proposed early on  if ever reuse attacker can recover outputs • similar to OFB but encrypts counter value  bit errors do not propagate rather than any feedback value  more vulnerable to message stream modification  sender & receiver must remain in sync • must have a different key & counter value for  only use with full block feedback every plaintext block (never reused)  subsequent research has shown that only full block Oi = EK(i) feedback (ie CFB‐64 or CFB‐128) should ever be used Ci = Pi XOR Oi • uses: high‐speed network encryptions

Advantages and Limitations of CTR

• efficiency – can do parallel encryptions in h/w or s/w Counter – can preprocess in advance of need (CTR) – good for bursty high speed links • random access to encrypted data blocks • provable security (good as other modes) • but must ensure never reuse key/counter values, otherwise could break (cf OFB)

4 4/19/2010

XTS‐AES Mode • new mode, for block oriented storage use Feedback – in IEEE Std 1619‐2007 • concept of tweakable block cipher Character‐ • different requirements to transmitted data istics • uses AES twice for each block j Tj = EK2(i) XOR α

Cj = EK1(Pj XOR Tj) XOR Tj where iis tweak & j is sector no • each sector may have multiple blocks

XTS‐AES XTS‐AES Mode Mode per block Overview

Advantages and Limitations of XTS‐AES Summary

efficiency • Multiple Encryption & Triple‐DES can do parallel encryptions in h/w or s/w • Modes of Operation random access to encrypted data blocks – ECB, CBC, CFB, OFB, CTR, XTS‐AES has bbthoth nonce & counter addresses security concerned related to stored data