11-Crypto-Block-Ciphers.Pdf


Cryptography: Block Ciphers
Edward J. Schwartz
Carnegie Mellon University
Credits: Slides originally designed by David Brumley. Many other slides are from Dan Boneh’s June 2012 Coursera crypto class.

What is a block cipher?
Block ciphers are the crypto work horse
[Diagram: E, D take an n-bit block of plaintext and a k-bit key and produce an n-bit block of ciphertext]
Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, 256 bits

Block ciphers built by iteration
[Diagram: key expansion turns key k into round keys k1, k2, k3, …, kn; message m passes through R(k1, ∙), R(k2, ∙), R(k3, ∙), …, R(kn, ∙) to give c]
R(k, m) is called a round function
Ex: 3DES (n=48), AES128 (n=10)

Performance: Stream vs. block ciphers
Crypto++ 5.6.0 [Wei Dai], AMD Opteron, 2.2 GHz (Linux)

         Cipher        Block/key size   Throughput [MB/s]
Stream   RC4                            126
         Salsa20/12                     643
         Sosemanuk                      727
Block    3DES          64/168           13
         AES128        128/128          109

Block ciphers
The Data Encryption Standard (DES)

History of DES
• 1970s: Horst Feistel designs Lucifer at IBM
  key = 128 bits, block = 128 bits
• 1973: NBS asks for block cipher proposals. IBM submits variant of Lucifer.
• 1976: NBS adopts DES as federal standard
  key = 56 bits, block = 64 bits
• 1997: DES broken by exhaustive search
• 2000: NIST adopts Rijndael as AES to replace DES.
AES currently widely deployed in banking, commerce and Web

DES: core idea – Feistel network
Given one-way functions
Goal: build invertible function
[Diagram: d-round Feistel network; n-bit halves R0, L0 at the input pass through f1, f2, …, fd and ⊕ to give R1, L1, R2, L2, …, Rd-1, Ld-1, Rd, Ld at the output]
In symbols:

Feistel network - inverse
Claim: Feistel function F is invertible
Proof: construct inverse
[Diagram: one round mapping (Ri, Li) to (Ri+1, Li+1) using fi+1 and ⊕, next to its inverse mapping (Ri+1, Li+1) back to (Ri, Li) using the same fi+1 and ⊕]

Decryption circuit
[Diagram: n-bit halves Rd, Ld pass through fd, fd-1, …, f1 and ⊕ to give Rd-1, Ld-1, Rd-2, Ld-2, …, R1, L1, R0, L0]
• Inversion is basically the same circuit, with f1, …, fd applied in reverse order
• General method for building invertible functions (block ciphers) from arbitrary functions.
• Used in many block ciphers … but not AES

Recall from Last Time: Block Ciphers are (Modeled As) PRPs
Pseudo Random Permutation (PRP) defined over (K,X) such that:
1. Exists “efficient” deterministic algorithm to evaluate E(k,x)
2. The function E(k, ∙) is one-to-one
3. Exists “efficient” inversion algorithm D(k,y)
[Diagram: E(k,⋅), k ∊ K maps X to X; D(k,⋅), k ∊ K maps X back to X]

Luby-Rackoff Theorem (1985)
is a secure PRF ⇒ 3-round Feistel is a secure PRP
[Diagram: 3-round Feistel network; n-bit halves R0, L0 pass through three applications of f and ⊕ to give R3, L3]

DES: 16 round Feistel network
[Diagram: key expansion turns the 56-bit key k into 48-bit round keys k1, k2, …, k16; the 64-bit input passes through IP, the 16 round Feistel network (f1, f2, …, f16 on halves R0, L0 through R16, L16) and IP⁻¹ to give the 64-bit output]
To invert, use keys in reverse order

The function F(ki, x)
[Diagram: the 32-bit input x is expanded by E to the 48-bit x’ and XORed with the 48-bit ki; the result is split into eight 6-bit values fed to S1, …, S8, each giving 4 bits; the 32 bits pass through P to give the 32-bit output y]
S-box: function {0,1}⁶ ⟶ {0,1}⁴, implemented as lookup table.

The S-boxes
e.g., 011011 ⟶ 1001

The S-boxes
• Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different."
• 1990: (Re-)Discovery of differential cryptanalysis
  – DES S-boxes resistant to differential cryptanalysis!
  – Both IBM and NSA knew of attacks, but they were classified

Block cipher attacks

Exhaustive Search for block cipher key
Goal: given a few input output pairs (mi, ci = E(k, mi)) i=1,..,n find key k.
Attack: Brute force to find the key k.
Homework: What is the probability that the key k found with one <m,c> pair is correct? For two pairs?

DES challenge
msg = “The unknown messages is:XXXXXXXX…”
CT = c1 c2 c3 c4
Goal: find k ∈ {0,1}⁵⁶ s.t. DES(k, mi) = ci for i=1,2,3
Proof: Reveal DES⁻¹(k, c4)

1976   DES adopted as federal standard
1997   Distributed search          3 months
1998   EFF deep crack              3 days     $250,000
1999   Distributed search          22 hours
2006   COPACOBANA (120 FPGAs)      7 days     $10,000

⇒ 56-bit ciphers should not be used (128-bit key ⇒ 2⁷² days)

Strengthening DES
Method 1: Triple-DES
Let E : K × M ⟶ M be a block cipher
Define 3E: K³ × M ⟶ M as:
3E( (k1,k2,k3), m) = E(k1, D(k2, E(k3, m) ) )
k1 = k2 = k3 => DES
3DES
- Key-size: 3×56 = 168 bits
- 3×slower than DES
- Simple attack in time: ≈2¹¹⁸

Why not 2DES?
• Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) )
  key-len = 112 bits for 2DES
[Diagram: m passes through E(k2,⋅), then E(k1,⋅), to give c]
Naïve Attack: M = (m1,…, m10), C = (c1,…,c10).
For each k2∈{0,1}⁵⁶:
  For each k1∈{0,1}⁵⁶:
    if E(k2, E(k1, mi)) = ci then (k2, k1)
2¹¹² checks
[Diagram: every k2 maps m to a candidate c’, every k1 maps c’ to a candidate c’’; test c’’ = c?]

Meet in the middle attack
• Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) )
  key-len = 112 bits for 2DES
[Diagram: m passes through E(k2,⋅), then E(k1,⋅), to give c; candidates c’ are computed forward from m and candidates c’’ backward from c]
Idea: key found when c’ = c’’: E(ki, m) = D(kj, c)

Attack: M = (m1,…, m10) , C = (c1,…,c10).
• step 1: build table. sort on 2nd column

  k0 = 00…00    E(k0 , M)
  k1 = 00…01    E(k1 , M)
  k2 = 00…10    E(k2 , M)
  ⋮             ⋮
  kN = 11…11    E(kN , M)

  2⁵⁶ entries; maps c’ to k2
• Step 2: for each k∈{0,1}⁵⁶: test if D(k, c) is in 2nd column.
  if so then E(kⁱ,M) = D(k,C) ⇒ (kⁱ,k) = (k2,k1)

Time = 2⁵⁶log(2⁵⁶) + 2⁵⁶log(2⁵⁶) < 2⁶³ << 2¹¹²
       [Build & Sort Table] [Search Entries]
Space ≈ 2⁵⁶ [Table Size]
Same attack on 3DES: Time = 2¹¹⁸ , Space ≈ 2⁵⁶
[Diagram: m passes through E(k3,⋅), E(k2,⋅), E(k1,⋅) to give c]

Method 2: DESX
E : K × {0,1}ⁿ ⟶ {0,1}ⁿ a block cipher
Define EX as EX(k1, k2, k3, m) = k1 ⨁ E(k2, m⨁k3 )
For DESX: key-len = 64+56+64 = 184 bits
… but easy attack in time 2⁶⁴⁺⁵⁶ = 2¹²⁰
Note: k1⨁E(k2, m) and E(k2, m⨁k1) does nothing!

Attacks on the implementation
1. Side channel attacks:
  – Measure time to do enc/dec, measure power for enc/dec
  [Figure: smartcard power trace while the card is doing DES, showing IP, 16 rounds, IP⁻¹] [Kocher, Jaffe, Jun, 1998]
2. Fault attacks:
  – Computing errors in the last round expose the secret key k
⇒ never implement crypto primitives yourself …

Block ciphers
AES – Advanced encryption standard

The AES process
• 1997: DES broken by exhaustive search
• 1997: NIST publishes request for proposal
• 1998: 15 submissions
• 1999: NIST chooses 5 finalists
• 2000: NIST chooses Rijndael as AES (developed by Daemen and Rijmen at K.U. Leuven, Belgium)
Key sizes: 128, 192, 256 bits
Block size: 128 bits

AES core idea: Subs-Perm network
DES is based on Feistel networks
AES is based on the idea of substitution-permutation networks
That is, alternating steps of substitution and permutation operations

AES: Subs-Perm network
[Diagram: the input is XORed with k1, passes through a substitution layer (S1, S2, S3, …, S8) and a permutation layer, is XORed with k2, and so on through kn to the output; the labels are subs. layer, perm. layer, inversion]

AES128 schematic
[Diagram: 10 rounds on a 4×4 byte state; the input is XORed with k0, then each round applies (1) ByteSub, (2) ShiftRow, (3) MixColumn and XORs the next round key k1, k2, …, k9; the final round shows only (1) ByteSub and (2) ShiftRow before the XOR with k10 that gives the 4×4 output]
Key expansion: 16 bytes ⟶ 176 bytes

The round function
• ByteSub: a 1 byte S-box. 256 byte table (easily computable)
• ShiftRows:

  s0,0 s0,1 s0,2 s0,3        s0,0 s0,1 s0,2 s0,3
  s1,0 s1,1 s1,2 s1,3   ⟶    s1,1 s1,2 s1,3 s1,0
  s2,0 s2,1 s2,2 s2,3        s2,2 s2,3 s2,0 s2,1
  s3,0 s3,1 s3,2 s3,3        s3,3 s3,0 s3,1 s3,2

• MixColumns:
  [Diagram: MixColumns() maps column c of the state (s0,c, s1,c, s2,c, s3,c) to (s’0,c, s’1,c, s’2,c, s’3,c)]

Code size/performance tradeoff

                                              Code size   Performance
Pre-compute round functions (24KB or 4KB)     largest     fastest: table lookups and xors
Pre-compute S-box only (256 bytes)            smaller     slower
No pre-computation                            smallest    slowest

Size + performance (Javascript AES)
AES in the browser
AES library (6.4KB)
No pre-computed tables
(1) Uncompress code (one time effort)
(2) Pre-compute tables (one time effort)
(3) Perform encryption using tables
Implementation: Stanford Javascript Crypto Library https://crypto.stanford.edu/sjcl/

Modes of operation

Electronic Code Book (ECB) Mode
[Diagram: PT blocks m1 m2 m3 m4 m5 … mn are each encrypted as E(k, mi) to give CT blocks c1 c2 c3 c4 c5 … cn]
Problem: m1 = m2 ⟶ c1 = c2

What can possibly go wrong?
[Figure: a plaintext image next to its ciphertext image. Images from Wikipedia]

Semantic security for ECB mode
ECB is not semantically secure for messages that contain more than one block
Two blocks:
  m0 = “Hello World”
  m1 = “Hello Hello”
Challenger: k ← K; (c1, c2) ← E(k,mb)
Adversary A: if c1 = c2 output 1 else output 0
AdvSS[A,ECB] = 1

Deterministic counter mode from a PRF F:

               m[0]     m[1]     m[2]     • • •  m[L]
EDETCTR(k,m) = ⊕
               F(k,0)   F(k,1)   F(k,2)   • • •  F(k,L)
               -------------------------------------------
               c[0]     c[1]     c[2]     • • •  c[L]

Stream cipher built from a PRF (e.g.
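The Feistel inversion and the meet in the middle attack on double encryption from the slides above, as an added example that is not part of the original deck. The 32-bit block, 12-bit keys, SHA-256-based round function and every name here are constructed assumptions chosen so the table of 2¹² entries fits in memory; a dict lookup stands in for the sorted table.

```python
import hashlib

ROUNDS = 4        # constructed toy parameters, not DES
HALF_BITS = 16    # 32-bit block = two 16-bit halves
KEY_BITS = 12     # tiny key space so the 2^12-entry table is cheap
MASK = (1 << HALF_BITS) - 1


def f(key: int, rnd: int, half: int) -> int:
    """Round function: a truncated hash, deliberately not invertible."""
    data = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def E(key: int, block: int) -> int:
    """Feistel encryption: (L, R) -> (R, L xor f(R)) for each round."""
    L, R = block >> HALF_BITS, block & MASK
    for i in range(ROUNDS):
        L, R = R, L ^ f(key, i, R)
    return (L << HALF_BITS) | R


def D(key: int, block: int) -> int:
    """Same circuit with the round functions applied in reverse order."""
    L, R = block >> HALF_BITS, block & MASK
    for i in reversed(range(ROUNDS)):
        L, R = R ^ f(key, i, L), L
    return (L << HALF_BITS) | R


def E2(k1: int, k2: int, m: int) -> int:
    """Double encryption as defined on the slide: 2E((k1,k2), m) = E(k1, E(k2, m))."""
    return E(k1, E(k2, m))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (m, c) pairs in about 2 * 2^KEY_BITS
    cipher runs per pair instead of 2^(2*KEY_BITS)."""
    msgs = [m for m, _ in pairs]
    cts = [c for _, c in pairs]
    # Step 1: build the table that maps E(k2, M) to k2 for every inner key.
    table = {}
    for k2 in range(1 << KEY_BITS):
        table.setdefault(tuple(E(k2, m) for m in msgs), []).append(k2)
    # Step 2: for every outer key, test whether D(k1, C) is in the table.
    hits = []
    for k1 in range(1 << KEY_BITS):
        middle = tuple(D(k1, c) for c in cts)
        for k2 in table.get(middle, []):
            hits.append((k1, k2))
    return hits


def demo():
    k1, k2 = 0xA5C, 0x3F1                        # constructed secret keys
    msgs = [0x00000000, 0x01234567, 0xDEADBEEF]  # constructed known plaintexts
    pairs = [(m, E2(k1, k2, m)) for m in msgs]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in demo()])
```

Three known pairs are used because a single 32-bit pair leaves room for a wrong key pair to match by chance, which is the point of the homework question on the exhaustive search slide.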
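The semantic security game from the ECB slide, run with the slide's adversary against ECB and against deterministic counter mode, as an added example that is not part of the original deck. The one-byte block size, the key-seeded shuffle standing in for E(k, ⋅), HMAC-SHA256 as the PRF F, and the two-block messages b"HW" and b"HH" are constructed assumptions.

```python
import hashlib
import hmac
import random


def prp_table(key: bytes):
    """Toy permutation on one-byte blocks: a key-seeded shuffle of 0..255.
    Stand-in for E(k, .); the random module is not a cryptographic PRP."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    return table


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """ECB: every block is encrypted independently as E(k, m_i)."""
    table = prp_table(key)
    return bytes(table[b] for b in msg)


def F(key: bytes, i: int) -> int:
    """PRF F(k, i): first byte of HMAC-SHA256 (assumed instantiation)."""
    return hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()[0]


def detctr_encrypt(key: bytes, msg: bytes) -> bytes:
    """Deterministic counter mode: c[i] = m[i] xor F(k, i)."""
    return bytes(m ^ F(key, i) for i, m in enumerate(msg))


def adversary(ct: bytes) -> int:
    """The slide's adversary: output 1 if c1 = c2, else 0."""
    return 1 if ct[0] == ct[1] else 0


def advantage(encrypt, trials: int = 400) -> float:
    """Estimate |Pr[A outputs 1 | b=1] - Pr[A outputs 1 | b=0]|,
    drawing a fresh key for every challenge ciphertext."""
    m0 = b"HW"   # two different blocks, like "Hello World"
    m1 = b"HH"   # two equal blocks, like "Hello Hello"
    rng = random.Random(2012)   # fixed seed so the estimate is repeatable
    ones = [0, 0]
    for b, msg in enumerate((m0, m1)):
        for _ in range(trials):
            key = rng.getrandbits(128).to_bytes(16, "big")
            ones[b] += adversary(encrypt(key, msg))
    return abs(ones[1] - ones[0]) / trials


if __name__ == "__main__":
    print("ECB advantage:    ", advantage(ecb_encrypt))
    print("DETCTR advantage: ", advantage(detctr_encrypt))
```

Against ECB the adversary is always right because E(k, ⋅) is one-to-one; against counter mode a match needs the two pad bytes to line up, which with one-byte blocks happens about once in 256 trials.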