DOCSLIB.ORG

Attacks on Stream Ciphers: a Perspective

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Attacks on Stream Ciphers: a Perspective Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India [email protected] First Asian Workshop on Symmetric Key Cryptography – ASK 2011, 30th August 2011 isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 1 / 55 Overview of the Talk Background. Correlation Attacks. Algebraic Attacks. Differential Attacks. Time/Memory Trade-Off Attacks. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 2 / 55 Background. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 3 / 55 Model of Symmetric Key Encryption Sender Receiver message M public channel Encrypt ciphertext Decrypt secret key K adversary secret key K isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 4 / 55 One-Time Pad message 1 0 0 1 1 1 true random sequence 0 01 1 1 0 ciphertext 1 0 1 0 0 1 isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 5 / 55 Model of Additive Stream Cipher secret key K Initialise initialisation state 1 update state 2 update vector output output keystream keystream blk blk message blk message blk ciphertext blk ciphertext blk Key: k bits; IV: (usually) ≤ k bits; state: (usually) ≥ 2k bits; initialise, update, output: functions (deterministic algorithms); isilogo keystream blk, msg blk, cpr blk: ≥ 1 bit. Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 6 / 55 Self-Synchronizing Stream Cipher message m0 m1 m2 ··· mi ··· keystream k0 k1 k2 ··· ki ··· ciphertext c0 c1 c2 ··· ci ··· ci = mi ⊕ ki . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 7 / 55 Self-Synchronizing Stream Cipher message m0 m1 m2 ··· mi ··· keystream k0 k1 k2 ··· ki ··· ciphertext c0 c1 c2 ··· ci ··· ci = mi ⊕ ki . ki is completely determined by the secret key K andci−n,..., ci−1. Correctly receiving n ciphertext bits allow correct generation of the next keystream bit. Robust against channel errors: bit flip/drop/insert. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 7 / 55 Self-Synchronizing Stream Cipher message m0 m1 m2 ··· mi ··· keystream k0 k1 k2 ··· ki ··· ciphertext c0 c1 c2 ··· ci ··· ci = mi ⊕ ki . ki is completely determined by the secret key K andci−n,..., ci−1. Correctly receiving n ciphertext bits allow correct generation of the next keystream bit. Robust against channel errors: bit flip/drop/insert. More generally, mi is completely determined by the secret key K and the last n ciphertext bits. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 7 / 55 Attack Models: Adversarial Access Ciphertext only attack: the attacker has access to only ciphertext(s); isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 8 / 55 Attack Models: Adversarial Access Ciphertext only attack: the attacker has access to only ciphertext(s); Known plaintext attack: the attacker knows (P1, C1),..., (Pt , Ct ); isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 8 / 55 Attack Models: Adversarial Access Ciphertext only attack: the attacker has access to only ciphertext(s); Known plaintext attack: the attacker knows (P1, C1),..., (Pt , Ct ); Chosen plaintext attack: the attacker chooses P1,..., Pt ; receives C1,..., Ct ; For additive stream ciphers, this is the same as known plaintext attack. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 8 / 55 Attack Models: Adversarial Access (contd.) Known/Chosen IV attack: (resynchronization attack) the attacker knows/chooses IV1,..., IVt ; receives the corresponding keystreams. Obtaining keystreams correspond to known plaintexts. IVs are always known. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 9 / 55 Attack Models: Adversarial Access (contd.) Known/Chosen IV attack: (resynchronization attack) the attacker knows/chooses IV1,..., IVt ; receives the corresponding keystreams. Obtaining keystreams correspond to known plaintexts. IVs are always known. Chosen ciphertext attack. the attacker chooses C1,..., Ct ; receives P1,..., Pt ; Not very meaningful for usual additive stream ciphers. Serious threat for self-synchronising stream ciphers. Serious threat for stream ciphers which combine encryption and authentication in a single composite primitive. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 9 / 55 Attack Models: Adversarial Goals Key recovery: the ultimate goal of the adversary. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 10 / 55 Attack Models: Adversarial Goals Key recovery: the ultimate goal of the adversary. State recovery: This allows forward generation of the keystream. If the state update function is invertible, then this allows to move backwards. If the initialisation function is invertible, then this allows key recovery. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 10 / 55 Attack Models: Adversarial Goals Key recovery: the ultimate goal of the adversary. State recovery: This allows forward generation of the keystream. If the state update function is invertible, then this allows to move backwards. If the initialisation function is invertible, then this allows key recovery. Distinguishing attack: Define a test statistic on a bit string such that the values it takes for uniform random strings and for the real keystream are ‘significantly’ different. Sometimes distinguishing attacks can be converted to key recovery attacks. In case of chosen IV attacks, the goal is to distinguish between the set of keystreams and a set of uniform random strings of the same lengths. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 10 / 55 Encrypting Short Fixed Length Strings msg blk cpr blk key K Encryptkey K Decrypt cpr blk msg blk isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 11 / 55 Encrypting Short Fixed Length Strings msg blk cpr blk key K Encryptkey K Decrypt cpr blk msg blk Block Cipher. E : {0, 1}k × {0, 1}n → {0, 1}n. D : {0, 1}k × {0, 1}n → {0, 1}n. For each K ∈ {0, 1}k , isilogo DK (EK (M)) = M. Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 11 / 55 Modes of Operations message: M1, M2, M3,... (n-bit blocks); initialization vector: n-bit IV (used as nonce). Cipher block chaining (CBC) mode: C1 = EK (M1 ⊕ IV); Ci = EK (Mi ⊕ Ci−1), i ≥ 2. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 12 / 55 CBC Mode PPPP1 2 m−1 m IV EK EK EK EK C1 C2 Cm−1 Cm isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 13 / 55 Modes of Operations (contd.) message: M1, M2, M3,... (n-bit blocks); initialization vector: n-bit IV (used as nonce). Output feedback (OFB) mode: Z1 = EK (IV); Zi = EK (Zi−1), i ≥ 2; Ci = Mi ⊕ Zi , i ≥ 1. This is essentially an additive stream cipher. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 14 / 55 Modes of Operations (contd.) message: M1, M2, M3,... (n-bit blocks); initialization vector: n-bit IV (used as nonce). Output feedback (OFB) mode: Z1 = EK (IV); Zi = EK (Zi−1), i ≥ 2; Ci = Mi ⊕ Zi , i ≥ 1. This is essentially an additive stream cipher. Cipher feedback (CFB) mode: C1 = M1 ⊕ EK (IV); Ci = Mi ⊕ EK (Ci−1), i ≥ 2. Can be used as a self-synchronizing stream cipher in a 1-bit feedback mode. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 14 / 55 Modes of Operations (contd.) message: M1, M2, M3,... (n-bit blocks); initialization vector: n-bit IV (used as nonce). Output feedback (OFB) mode: Z1 = EK (IV); Zi = EK (Zi−1), i ≥ 2; Ci = Mi ⊕ Zi , i ≥ 1. This is essentially an additive stream cipher. Cipher feedback (CFB) mode: C1 = M1 ⊕ EK (IV); Ci = Mi ⊕ EK (Ci−1), i ≥ 2. Can be used as a self-synchronizing stream cipher in a 1-bit feedback mode. Counter (CTR) mode: Ci = Mi ⊕ EK (nonce||bin(i)), i ≥ 1. Other variants of the CTR mode have been proposed. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 14 / 55 Linear Feedback Shift Register Given (non-zero) initial state (a0,..., an−1) generates a sequence a0, a1, a2,..., ai ,... where ai = cn−1ai−1 ⊕···⊕ c1ai−n+1 + c0ai−n. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55 Linear Feedback Shift Register Given (non-zero) initial state (a0,..., an−1) generates a sequence a0, a1, a2,..., ai ,... where ai = cn−1ai−1 ⊕···⊕ c1ai−n+1 + c0ai−n. Characteristic (connection) polynomial: n n−1 τ(x)= x ⊕ cn−1x ⊕···⊕ c1x ⊕ c0. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55 Linear Feedback Shift Register Given (non-zero) initial state (a0,..., an−1) generates a sequence a0, a1, a2,..., ai ,... where ai = cn−1ai−1 ⊕···⊕ c1ai−n+1 + c0ai−n. Characteristic (connection) polynomial: n n−1 τ(x)= x ⊕ cn−1x ⊕···⊕ c1x ⊕ c0. n If τ(x) is primitive over GF(2), then the period of {ai } is 2 − 1. Other well-understood “randomness-like” properties. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55 Linear Feedback Shift Register Given (non-zero) initial state (a0,..., an−1) generates a sequence a0, a1, a2,..., ai ,... where ai = cn−1ai−1 ⊕···⊕ c1ai−n+1 + c0ai−n. Characteristic (connection) polynomial: n n−1 τ(x)= x ⊕ cn−1x ⊕···⊕ c1x ⊕ c0. n If τ(x) is primitive over GF(2), then the period of {ai } is 2 − 1. Other well-understood “randomness-like” properties. Any bit of the sequence is a linear combination of the first n bits. Given any n bits of the sequence, it is easy to get the initial state. Unsuitable for direct use in cryptography. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55 Nonlinear Combiner Model (1) X i LFSR 1 mi (2) X LFSR i 2 kic i f (n) X i LFSRn mi = length of LFSR i isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 16 / 55 Correlation Attacks. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 17 / 55 Correlation Attack Suppose 1 Pr X (i) = k = p = . h 1 i i 2 Divide-and-conquer attack.
Load more

Recommended publications
  • Vector Boolean Functions: Applications in Symmetric Cryptography
    Vector Boolean Functions: Applications in Symmetric Cryptography José Antonio Álvarez Cubero Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones Universidad Politécnica de Madrid This dissertation is submitted for the degree of Doctor Ingeniero de Telecomunicación Escuela Técnica Superior de Ingenieros de Telecomunicación November 2015 I would like to thank my wife, Isabel, for her love, kindness and support she has shown during the past years it has taken me to finalize this thesis. Furthermore I would also liketo thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones such as my daughter and sisters who have supported me throughout entire process, both by keeping me harmonious and helping me putting pieces together. I will be grateful forever for your love. Declaration The following papers have been published or accepted for publication, and contain material based on the content of this thesis. 1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html) 2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. Cryptography and Security in Computing, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security-in-computing/ cryptographic-criteria-on-vector-boolean-functions. (Published) 3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective.
    [Show full text]
  • A Quantitative Study of Advanced Encryption Standard Performance
    United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible.
    [Show full text]
  • Block Ciphers and the Data Encryption Standard
    Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) January 26, 2021 3:43pm ©2021 Avinash Kak, Purdue University Goals: To introduce the notion of a block cipher in the modern context. To talk about the infeasibility of ideal block ciphers To introduce the notion of the Feistel Cipher Structure To go over DES, the Data Encryption Standard To illustrate important DES steps with Python and Perl code CONTENTS Section Title Page 3.1 Ideal Block Cipher 3 3.1.1 Size of the Encryption Key for the Ideal Block Cipher 6 3.2 The Feistel Structure for Block Ciphers 7 3.2.1 Mathematical Description of Each Round in the 10 Feistel Structure 3.2.2 Decryption in Ciphers Based on the Feistel Structure 12 3.3 DES: The Data Encryption Standard 16 3.3.1 One Round of Processing in DES 18 3.3.2 The S-Box for the Substitution Step in Each Round 22 3.3.3 The Substitution Tables 26 3.3.4 The P-Box Permutation in the Feistel Function 33 3.3.5 The DES Key Schedule: Generating the Round Keys 35 3.3.6 Initial Permutation of the Encryption Key 38 3.3.7 Contraction-Permutation that Generates the 48-Bit 42 Round Key from the 56-Bit Key 3.4 What Makes DES a Strong Cipher (to the 46 Extent It is a Strong Cipher) 3.5 Homework Problems 48 2 Computer and Network Security by Avi Kak Lecture 3 Back to TOC 3.1 IDEAL BLOCK CIPHER In a modern block cipher (but still using a classical encryption method), we replace a block of N bits from the plaintext with a block of N bits from the ciphertext.
    [Show full text]
  • Breaking Crypto Without Keys: Analyzing Data in Web Applications Chris Eng
    Breaking Crypto Without Keys: Analyzing Data in Web Applications Chris Eng 1 Introduction – Chris Eng _ Director of Security Services, Veracode _ Former occupations . 2000-2006: Senior Consulting Services Technical Lead with Symantec Professional Services (@stake up until October 2004) . 1998-2000: US Department of Defense _ Primary areas of expertise . Web Application Penetration Testing . Network Penetration Testing . Product (COTS) Penetration Testing . Exploit Development (well, a long time ago...) _ Lead developer for @stake’s now-extinct WebProxy tool 2 Assumptions _ This talk is aimed primarily at penetration testers but should also be useful for developers to understand how your application might be vulnerable _ Assumes basic understanding of cryptographic terms but requires no understanding of the underlying math, etc. 3 Agenda 1 Problem Statement 2 Crypto Refresher 3 Analysis Techniques 4 Case Studies 5 Q & A 4 Problem Statement 5 Problem Statement _ What do you do when you encounter unknown data in web applications? . Cookies . Hidden fields . GET/POST parameters _ How can you tell if something is encrypted or trivially encoded? _ How much do I really have to know about cryptography in order to exploit implementation weaknesses? 6 Goals _ Understand some basic techniques for analyzing and breaking down unknown data _ Understand and recognize characteristics of bad crypto implementations _ Apply techniques to real-world penetration tests 7 Crypto Refresher 8 Types of Ciphers _ Block Cipher . Operates on fixed-length groups of bits, called blocks . Block sizes vary depending on the algorithm (most algorithms support several different block sizes) . Several different modes of operation for encrypting messages longer than the basic block size .
    [Show full text]
  • Constructing Low-Weight Dth-Order Correlation-Immune Boolean Functions Through the Fourier-Hadamard Transform Claude Carlet and Xi Chen*
    1 Constructing low-weight dth-order correlation-immune Boolean functions through the Fourier-Hadamard transform Claude Carlet and Xi Chen* Abstract The correlation immunity of Boolean functions is a property related to cryptography, to error correcting codes, to orthogonal arrays (in combinatorics, which was also a domain of interest of S. Golomb) and in a slightly looser way to sequences. Correlation-immune Boolean functions (in short, CI functions) have the property of keeping the same output distribution when some input variables are fixed. They have been widely used as combiners in stream ciphers to allow resistance to the Siegenthaler correlation attack. Very recently, a new use of CI functions has appeared in the framework of side channel attacks (SCA). To reduce the cost overhead of counter-measures to SCA, CI functions need to have low Hamming weights. This actually poses new challenges since the known constructions which are based on properties of the Walsh-Hadamard transform, do not allow to build unbalanced CI functions. In this paper, we propose constructions of low-weight dth-order CI functions based on the Fourier- Hadamard transform, while the known constructions of resilient functions are based on the Walsh-Hadamard transform. We first prove a simple but powerful result, which makes that one only need to consider the case where d is odd in further research. Then we investigate how constructing low Hamming weight CI functions through the Fourier-Hadamard transform (which behaves well with respect to the multiplication of Boolean functions). We use the characterization of CI functions by the Fourier-Hadamard transform and introduce a related general construction of CI functions by multiplication.
    [Show full text]
  • Key Differentiation Attacks on Stream Ciphers
    Key differentiation attacks on stream ciphers Abstract In this paper the applicability of differential cryptanalytic tool to stream ciphers is elaborated using the algebraic representation similar to early Shannon’s postulates regarding the concept of confusion. In 2007, Biham and Dunkelman [3] have formally introduced the concept of differential cryptanalysis in stream ciphers by addressing the three different scenarios of interest. Here we mainly consider the first scenario where the key difference and/or IV difference influence the internal state of the cipher (∆key, ∆IV ) → ∆S. We then show that under certain circumstances a chosen IV attack may be transformed in the key chosen attack. That is, whenever at some stage of the key/IV setup algorithm (KSA) we may identify linear relations between some subset of key and IV bits, and these key variables only appear through these linear relations, then using the differentiation of internal state variables (through chosen IV scenario of attack) we are able to eliminate the presence of corresponding key variables. The method leads to an attack whose complexity is beyond the exhaustive search, whenever the cipher admits exact algebraic description of internal state variables and the keystream computation is not complex. A successful application is especially noted in the context of stream ciphers whose keystream bits evolve relatively slow as a function of secret state bits. A modification of the attack can be applied to the TRIVIUM stream cipher [8], in this case 12 linear relations could be identified but at the same time the same 12 key variables appear in another part of state register.
    [Show full text]
  • KLEIN: a New Family of Lightweight Block Ciphers
    KLEIN: A New Family of Lightweight Block Ciphers Zheng Gong1, Svetla Nikova1;2 and Yee Wei Law3 1Faculty of EWI, University of Twente, The Netherlands fz.gong, [email protected] 2 Dept. ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Belgium 3 Department of EEE, The University of Melbourne, Australia [email protected] Abstract Resource-efficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has ad- vantage in the software performance on legacy sensor platforms, while its hardware implementation can be compact as well. Key words. Block cipher, Wireless sensor network, Low-resource implementation. 1 Introduction With the development of wireless communication and embedded systems, we become increasingly de- pendent on the so called pervasive computing; examples are smart cards, RFID tags, and sensor nodes that are used for public transport, pay TV systems, smart electricity meters, anti-counterfeiting, etc. Among those applications, wireless sensor networks (WSNs) have attracted more and more attention since their promising applications, such as environment monitoring, military scouting and healthcare. On resource-limited devices the choice of security algorithms should be very careful by consideration of the implementation costs. Symmetric-key algorithms, especially block ciphers, still play an important role for the security of the embedded systems.
    [Show full text]
  • Indifferentiable Authenticated Encryption
    Indifferentiable Authenticated Encryption Manuel Barbosa1 and Pooya Farshim2;3 1 INESC TEC and FC University of Porto, Porto, Portugal [email protected] 2 DI/ENS, CNRS, PSL University, Paris, France 3 Inria, Paris, France [email protected] Abstract. We study Authenticated Encryption with Associated Data (AEAD) from the viewpoint of composition in arbitrary (single-stage) environments. We use the indifferentiability framework to formalize the intuition that a \good" AEAD scheme should have random ciphertexts subject to decryptability. Within this framework, we can then apply the indifferentiability composition theorem to show that such schemes offer extra safeguards wherever the relevant security properties are not known, or cannot be predicted in advance, as in general-purpose crypto libraries and standards. We show, on the negative side, that generic composition (in many of its configurations) and well-known classical and recent schemes fail to achieve indifferentiability. On the positive side, we give a provably indifferentiable Feistel-based construction, which reduces the round complexity from at least 6, needed for blockciphers, to only 3 for encryption. This result is not too far off the theoretical optimum as we give a lower bound that rules out the indifferentiability of any construction with less than 2 rounds. Keywords. Authenticated encryption, indifferentiability, composition, Feistel, lower bound, CAESAR. 1 Introduction Authenticated Encryption with Associated Data (AEAD) [54,10] is a funda- mental building block in cryptographic protocols, notably those enabling secure communication over untrusted networks. The syntax, security, and constructions of AEAD have been studied in numerous works. Recent, ongoing standardization processes, such as the CAESAR competition [14] and TLS 1.3, have revived interest in this direction.
    [Show full text]
  • Ohio IT Standard ITS-SEC-01 Data Encryption and Cryptography
    Statewide Standard State of Ohio IT Standard Standard Number: Title: ITS-SEC-01 Data Encryption and Cryptography Effective Date: Issued By: 03/12/2021 Ervan D. Rodgers II, Assistant Director/State Chief Information Officer Office of Information Technology Ohio Department of Administrative Services Version Identifier: Published By: 2.0 Investment and Governance Division Ohio Office of Information Technology 1.0 Purpose This state IT standard defines the minimum requirements for cryptographic algorithms that are cryptographically strong and are used in security services that protect at-risk or sensitive data as defined and required by agency or State policy, standard or rule. This standard does not classify data elements; does not define the security schemes and mechanisms for devices such as tape backup systems, storage systems, mobile computers or removable media; and does not identify or approve secure transmission protocols that may be used to implement security requirements. 2.0 Scope Pursuant to Ohio Administrative Policy IT-01, “Authority of the State Chief Information Officer to Establish Ohio IT Policy,” this state IT standard is applicable to every organized body, office, or agency established by the laws of the state for the exercise of any function of state government except for those specifically exempted. 3.0 Background The National Institute for Science and Technology (NIST) conducts extensive research and development in cryptography techniques. Their publications include technical standards for data encryption, digital signature and message authentication as well as guidelines for implementing information security and managing cryptographic keys. These standards and guidelines have been mandated for use in federal agencies and adopted by state governments and private enterprises.
    [Show full text]
  • Towards the Generation of a Dynamic Key-Dependent S-Box to Enhance Security
    Towards the Generation of a Dynamic Key-Dependent S-Box to Enhance Security 1 Grasha Jacob, 2 Dr. A. Murugan, 3Irine Viola 1Research and Development Centre, Bharathiar University, Coimbatore – 641046, India, [email protected] [Assoc. Prof., Dept. of Computer Science, Rani Anna Govt College for Women, Tirunelveli] 2 Assoc. Prof., Dept. of Computer Science, Dr. Ambedkar Govt Arts College, Chennai, India 3Assoc. Prof., Dept. of Computer Science, Womens Christian College, Nagercoil, India E-mail: [email protected] ABSTRACT Secure transmission of message was the concern of early men. Several techniques have been developed ever since to assure that the message is understandable only by the sender and the receiver while it would be meaningless to others. In this century, cryptography has gained much significance. This paper proposes a scheme to generate a Dynamic Key-dependent S-Box for the SubBytes Transformation used in Cryptographic Techniques. Keywords: Hamming weight, Hamming Distance, confidentiality, Dynamic Key dependent S-Box 1. INTRODUCTION Today communication networks transfer enormous volume of data. Information related to healthcare, defense and business transactions are either confidential or private and warranting security has become more and more challenging as many communication channels are arbitrated by attackers. Cryptographic techniques allow the sender and receiver to communicate secretly by transforming a plain message into meaningless form and then retransforming that back to its original form. Confidentiality is the foremost objective of cryptography. Even though cryptographic systems warrant security to sensitive information, various methods evolve every now and then like mushroom to crack and crash the cryptographic systems. NSA-approved Data Encryption Standard published in 1977 gained quick worldwide adoption.
    [Show full text]
  • A Novel and Highly Efficient AES Implementation Robust Against Differential Power Analysis Massoud Masoumi K
    A Novel and Highly Efficient AES Implementation Robust against Differential Power Analysis Massoud Masoumi K. N. Toosi University of Tech., Tehran, Iran [email protected] ABSTRACT been proposed. Unfortunately, most of these techniques are Developed by Paul Kocher, Joshua Jaffe, and Benjamin Jun inefficient or costly or vulnerable to higher-order attacks in 1999, Differential Power Analysis (DPA) represents a [6]. They include randomized clocks, memory unique and powerful cryptanalysis technique. Insight into encryption/decryption schemes [7], power consumption the encryption and decryption behavior of a cryptographic randomization [8], and decorrelating the external power device can be determined by examining its electrical power supply from the internal power consumed by the chip. signature. This paper describes a novel approach for Moreover, the use of different hardware logic, such as implementation of the AES algorithm which provides a complementary logic, sense amplifier based logic (SABL), significantly improved strength against differential power and asynchronous logic [9, 10] have been also proposed. analysis with a minimal additional hardware overhead. Our Some of these techniques require about twice as much area method is based on randomization in composite field and will consume twice as much power as an arithmetic which entails an area penalty of only 7% while implementation that is not protected against power attacks. does not decrease the working frequency, does not alter the For example, the technique proposed in [10] adds area 3 algorithm and keeps perfect compatibility with the times and reduces throughput by a factor of 4. Another published standard. The efficiency of the proposed method is masking which involves ensuring the attacker technique was verified by practical results obtained from cannot predict any full registers in the system without real implementation on a Xilinx Spartan-II FPGA.
    [Show full text]
  • Chapter 3 – Block Ciphers and the Data Encryption Standard
    Symmetric Cryptography Chapter 6 Block vs Stream Ciphers • Block ciphers process messages into blocks, each of which is then en/decrypted – Like a substitution on very big characters • 64-bits or more • Stream ciphers process messages a bit or byte at a time when en/decrypting – Many current ciphers are block ciphers • Better analyzed. • Broader range of applications. Block vs Stream Ciphers Block Cipher Principles • Block ciphers look like an extremely large substitution • Would need table of 264 entries for a 64-bit block • Arbitrary reversible substitution cipher for a large block size is not practical – 64-bit general substitution block cipher, key size 264! • Most symmetric block ciphers are based on a Feistel Cipher Structure • Needed since must be able to decrypt ciphertext to recover messages efficiently Ideal Block Cipher Substitution-Permutation Ciphers • in 1949 Shannon introduced idea of substitution- permutation (S-P) networks – modern substitution-transposition product cipher • These form the basis of modern block ciphers • S-P networks are based on the two primitive cryptographic operations we have seen before: – substitution (S-box) – permutation (P-box) (transposition) • Provide confusion and diffusion of message Diffusion and Confusion • Introduced by Claude Shannon to thwart cryptanalysis based on statistical analysis – Assume the attacker has some knowledge of the statistical characteristics of the plaintext • Cipher needs to completely obscure statistical properties of original message • A one-time pad does this Diffusion
    [Show full text]