Outline Block Ciphers


Block Ciphers: DES, AES

Guevara Noubir
http://www.ccs.neu.edu/home/noubir/Courses/CSG252/F04
Textbook: “Cryptography: Theory and Applications”, Douglas Stinson, Chapman & Hall/CRC Press, 2002
Reading: Chapter 3

Outline

• Substitution-Permutation Networks
• Linear Cryptanalysis
• Differential Cryptanalysis
• DES
• AES
• Modes of Operation

CSG252 Classical Cryptography

Block Ciphers

• Typical design approach:
  • Product cipher: substitutions and permutations
  • Leading to a non-idempotent cipher
• Iteration:
  • Nr: number of rounds
  • Key schedule: $k \to k^1, k^2, \ldots, k^{Nr}$
    • Subkeys derived according to a publicly known algorithm
  • $w^i$: state
  • Round function:
    • $w^r = g(w^{r-1}, k^r)$
    • $w^0$: plaintext $x$
  • Required property of g: ?
  • Encryption and decryption sequence

SPN: Substitution Permutation Networks

• SPN: special type of iterated cipher (with a small change)
• Block length: $l \times m$
  • $x = x_{(1)} \,\|\, x_{(2)} \,\|\, \ldots \,\|\, x_{(m)}$
  • $x_{(i)} = (x_{(i-1)l+1}, \ldots, x_{il})$
• Components:
  • Substitution cipher (S-box) $\pi_S: \{0,1\}^l \to \{0,1\}^l$
  • Permutation cipher $\pi_P: \{1, \ldots, lm\} \to \{1, \ldots, lm\}$
• Outline:
  • Iterate Nr times: m substitutions; 1 permutation; ⊕ sub-key
• Definition of SPN cryptosystems:
  • P = ?; C = ?; K ⊆ ?
  • Algorithm:
    • Designed to allow decryption using the same algorithm
    • What are the parameters of the decryption algorithm?
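The closing question of the SPN slide can be worked through with the l = m = 4, Nr = 4 parameters of the "SPN: Example" slide. The code below is an added example, not part of the original slides: one `spn()` routine serves both directions, and decryption calls it with the inverse S-box, the inverse permutation and the subkeys K5, P⁻¹(K4), P⁻¹(K3), P⁻¹(K2), K1. Function names are assumptions of this example; the S-box, permutation, key and test vector are the ones printed on the example slide.

```python
# Added example: the SPN from the "SPN: Example" slide (l = m = 4, Nr = 4).
# Function names are assumptions of this example; the tables, key and
# plaintext/ciphertext pair are the values printed on the slide.

S_BOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
         0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# pi_P, 1-indexed as on the slide: output bit i is input bit PERM[i-1].
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]
NR = 4

SLIDE_KEY = 0x3A94D63F   # K = 0011 1010 1001 0100 1101 0110 0011 1111
SLIDE_X = 0x26B7         # x = 0010 0110 1011 0111
SLIDE_Y = 0xBCD6         # y = 1011 1100 1101 0110


def invert_table(table, base=0):
    """Invert a permutation stored as a list whose values start at `base`."""
    inv = [0] * len(table)
    for i, v in enumerate(table):
        inv[v - base] = i + base
    return inv


S_BOX_INV = invert_table(S_BOX)
PERM_INV = invert_table(PERM, base=1)


def substitute(state, sbox):
    """Apply the 4-bit S-box to each of the m = 4 nibbles of a 16-bit state."""
    out = 0
    for shift in (12, 8, 4, 0):
        out |= sbox[(state >> shift) & 0xF] << shift
    return out


def permute(state, perm):
    """Bit permutation; bit 1 is the most significant bit, as on the slide."""
    out = 0
    for i, src in enumerate(perm, start=1):
        out |= ((state >> (16 - src)) & 1) << (16 - i)
    return out


def key_schedule(key32):
    """K^r = key bits 4r-3 .. 4r+12 for r = 1 .. Nr+1 (five 16-bit subkeys)."""
    return [(key32 >> (32 - (4 * r + 12))) & 0xFFFF for r in range(1, NR + 2)]


def spn(block, subkeys, sbox, perm):
    """Nr-1 full rounds, a last round without permutation, final subkey XOR."""
    w = block
    for r in range(NR - 1):
        w = permute(substitute(w ^ subkeys[r], sbox), perm)
    return substitute(w ^ subkeys[NR - 1], sbox) ^ subkeys[NR]


def encrypt(x, key32):
    return spn(x, key_schedule(key32), S_BOX, PERM)


def decryption_subkeys(key32):
    """Reversed subkey order; the middle subkeys go through the inverse
    permutation because the key XOR and the bit permutation are both linear."""
    k = key_schedule(key32)
    middle = [permute(sk, PERM_INV) for sk in reversed(k[1:NR])]
    return [k[NR]] + middle + [k[0]]


def decrypt(y, key32):
    return spn(y, decryption_subkeys(key32), S_BOX_INV, PERM_INV)


if __name__ == "__main__":
    print("subkeys:", [f"{k:04X}" for k in key_schedule(SLIDE_KEY)])
    print("encrypt:", f"{encrypt(SLIDE_X, SLIDE_KEY):016b}")
    print("decrypt:", f"{decrypt(SLIDE_Y, SLIDE_KEY):016b}")
```

The slide's permutation is its own inverse, so only the S-box table and the subkey list actually change between the two directions.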
SPN: Example

• l = m = 4; Nr = 4
• Key schedule:
  • k: $(k_1, \ldots, k_{32})$, 32 bits
  • $k^r$: $(k_{4r-3}, \ldots, k_{4r+12})$

z        0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
π_S(z)   E  4  D  1  2  F  B  8  3  A  6  C  5  9  0  7

z        1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16
π_P(z)   1  5  9  13 2  6  10 14 3  7  11 15 4  8  12 16

• K = 0011 1010 1001 0100 1101 0110 0011 1111
• x = 0010 0110 1011 0111
• y = 1011 1100 1101 0110

Linear Cryptanalysis

• Assumption:
  • Assume there exists a probabilistic linear relationship between a subset of plaintext bits and a subset of state bits immediately preceding the last substitution
  • Attacker has a large amount of plaintext-ciphertext encrypted using the same key
• Principle:
  • Consider a set of potential sub-keys; whenever a sub-key verifies the linear relation, increment its counter
  • The sub-key best matching the probability could contain the correct values of key bits

Piling-up Lemma

• Given:
  • $X_1, X_2, \ldots$ independent random variables
  • $\Pr[X_i = 0] = p_i$; $\Pr[X_i = 1] = 1 - p_i$; $0 \le p_i \le 1$
  • Let $\epsilon_i = p_i - \tfrac{1}{2}$ denote the bias of the distribution
• Piling-up Lemma:
  • Let $\epsilon_{i_1, i_2, \ldots, i_k}$ denote the bias of the random variable $X_{i_1} \oplus X_{i_2} \oplus \ldots \oplus X_{i_k}$. Then:
    $\epsilon_{i_1, i_2, \ldots, i_k} = 2^{k-1} \prod_{j=1}^{k} \epsilon_{i_j}$
• Corollary:
  • If $\epsilon_{i_j} = 0$ for one variable, then $\epsilon_{i_1, i_2, \ldots, i_k} = 0$

Linear Approximations of S-boxes

• S-box:
  • $\pi_S: \{0,1\}^m \to \{0,1\}^n$
• Input:
  • $X = (x_1, \ldots, x_m)$
  • Each coordinate defines a random variable $X_i$ with bias 0
  • The variables $X_i$ are independent
• Output:
  • $Y = (y_1, \ldots, y_n)$
  • The variables $Y_i$ are not independent from each other and from the $X_i$
  • If $(y_1, \ldots, y_n) \ne \pi_S(x_1, \ldots, x_m)$: $\Pr[X_1 = x_1, \ldots, X_m = x_m, Y_1 = y_1, \ldots, Y_n = y_n] = ?$
  • If $(y_1, \ldots, y_n) = \pi_S(x_1, \ldots, x_m)$: $\Pr[X_1 = x_1, \ldots, X_m = x_m, Y_1 = y_1, \ldots, Y_n = y_n] = ?$
• Therefore: one can compute the bias of $X_{i_1} \oplus \ldots \oplus X_{i_k} \oplus Y_{j_1} \oplus \ldots \oplus Y_{j_l}$

Example

S-box table π_S:

X1 X2 X3 X4   Y1 Y2 Y3 Y4
0  0  0  0    1  1  1  0
0  0  0  1    0  1  0  0
0  0  1  0    1  1  0  1
0  0  1  1    0  0  0  1
0  1  0  0    0  0  1  0
0  1  0  1    1  1  1  1
0  1  1  0    1  0  1  1
0  1  1  1    1  0  0  0
1  0  0  0    0  0  1  1
1  0  0  1    1  0  1  0
1  0  1  0    0  1  1  0
1  0  1  1    1  1  0  0
1  1  0  0    0  1  0  1
1  1  0  1    1  0  0  1
1  1  1  0    0  0  0  0
1  1  1  1    0  1  1  1

• $\Pr[X_1 \oplus X_4 \oplus Y_2 = 0] = ?$
• $\Pr[X_3 \oplus X_4 \oplus Y_1 \oplus Y_4 = 0] = ?$
• In general one computes the biases for all possible subsets:
  $\left(\bigoplus_{i=1}^{4} a_i X_i\right) \oplus \left(\bigoplus_{i=1}^{4} b_i Y_i\right)$
• Derive a table indexed by (a, b): number of times we get a 0, $N_L(a, b)$
  • Entry for a = 3, b = 9: 2
  • Bias $\epsilon(a, b) = (N_L(a, b) - 8)/16$
  • $N_L(3, 9) = 2$
  • $N_L(2, E) = 2$

Linear Attack on SPN

• Approach:
  • Find a set of linear approximations of S-boxes that can be used to derive a linear approximation of the SPN (excluding the last round)
  • Derive the bias value using the piling-up lemma
  • This linear approximation depends on some subset of the key bits
  • For each possible pair (plaintext, ciphertext) and each key, increment the counter of the subkey if the approximation equation gives a 0
  • Hopefully the correct value for sub-keys will have the expected bias

Example

• Approximation equations:
  • $T_1 = U^1_5 \oplus U^1_7 \oplus U^1_8 \oplus V^1_6$ has bias 1/4
  • $T_2 = U^2_6 \oplus V^2_6 \oplus V^2_8$ has bias -1/4
  • $T_3 = U^3_6 \oplus V^3_6 \oplus V^3_8$ has bias -1/4
  • $T_4 = U^3_{14} \oplus V^3_{14} \oplus V^3_{16}$ has bias -1/4
• If $T_1, T_2, T_3, T_4$ were independent, then the bias of $T_1 \oplus T_2 \oplus T_3 \oplus T_4$ would be -1/32
  • We will make this non-rigorous approximation, because it seems to work in practice
• $T_1 \oplus T_2 \oplus T_3 \oplus T_4$
  $= X_5 \oplus X_7 \oplus X_8 \oplus V^3_6 \oplus V^3_8 \oplus V^3_{14} \oplus V^3_{16} \oplus K^1_5 \oplus K^1_7 \oplus K^1_8 \oplus K^2_6 \oplus K^3_6 \oplus K^3_{14}$
  $= X_5 \oplus X_7 \oplus X_8 \oplus U^4_6 \oplus U^4_{14} \oplus U^4_8 \oplus U^4_{16} \oplus K^1_5 \oplus K^1_7 \oplus K^1_8 \oplus K^2_6 \oplus K^3_6 \oplus K^3_{14} \oplus K^4_6 \oplus K^4_8 \oplus K^4_{14} \oplus K^4_{16}$

[Figure: SPN data path x, K1, u1, v1, w1, K2, u2, v2, w2, K3, u3, v3, w3, K4, u4, v4, K5, y]

Example (Cont.)
• If the key bits in $K^1_5 \oplus K^1_7 \oplus K^1_8 \oplus K^2_6 \oplus K^3_6 \oplus K^3_{14} \oplus K^4_6 \oplus K^4_8 \oplus K^4_{14} \oplus K^4_{16}$ are fixed
• Then the random variable $X_5 \oplus X_7 \oplus X_8 \oplus U^4_6 \oplus U^4_{14} \oplus U^4_8 \oplus U^4_{16}$ has bias ±1/32
• This allows us to derive 8 bits of the last subkey: $K^5_{(2)}$ and $K^5_{(4)}$
• Outline of the algorithm:
  • Build a table for all possible 256 values of $K^5_{(2)}$ and $K^5_{(4)}$
  • For each (x, y) pair of plaintext and ciphertext, and for each candidate subkey:
    • Obtain the values of $u^4_{(2)}$ and $u^4_{(4)}$ by decrypting y
    • Compute $x_5 \oplus x_7 \oplus x_8 \oplus u^4_6 \oplus u^4_{14} \oplus u^4_8 \oplus u^4_{16}$
    • If it equals 0: increment the counter of the corresponding $K^5_{(2)}$ and $K^5_{(4)}$
  • The table entry that has bias close to 1/32 is the right value for $K^5_{(2)}$ and $K^5_{(4)}$

Requirements for Linear Cryptanalysis

• A bias of ε requires:
  • $T = c\,\epsilon^{-2}$ pairs of plaintext-ciphertext
• For the previous example T = 8000 was usually successful (c ≈ 8)

Differential Cryptanalysis

• Similar to linear cryptanalysis:
  • Compares the XOR of two inputs to the XOR of the corresponding two outputs: x' = x ⊕ x* and y' = y ⊕ y*
  • Adversary has a large number of chosen plaintext tuples (x, x*, y, y*) such that x' is fixed
• Approach:
  • For each candidate key: decrypt y and y*
  • For each candidate key: compute the values of certain state bits
  • If the state bits match the most likely value for the input XOR, then increment the candidate key counter
• Proposed Encryption Standard (PES), which is the original proposal for the International Data Encryption Standard (IDEA, used in PGP), was modified to resist this kind of attack
• The GSM A3 algorithm is sensitive to this kind of attack
  • SIM card secret key can be recovered => GSM cloning

Differential Cryptanalysis

• $\Delta(x') = \{(x, x \oplus x') : x \in \{0,1\}^m\}$
• $N_D(x', y') = |\{(x, x^*) \in \Delta(x') : \pi_S(x) \oplus \pi_S(x^*) = y'\}|$
• Similarly to linear cryptanalysis, build the table $N_D(a, b)$
• Define the propagation ratio: $R_p(a', b') = \dfrac{N_D(a', b')}{2^m}$
• Differential trail:
  • Is a multi-round combination
  • Permutations and key XORs do not impact the differential
• Sub-key recovery and filtering
• Example:
  • $R_p(1011, 0010) = 1/2$; $R_p(0100, 0110) = 3/8$; $R_p(0010, 0101) = 3/8$; $R_p(0010, 0101) = 3/8$
  • Propagation ratio of the differential trail: 27/1024
  • The complete attack requires between 50 and 100 tuples to find the sub-key

[Figure: SPN data path x, K1, u1, v1, w1, K2, u2, v2, w2, K3, u3, v3, w3, K4, u4, v4, K5, y]

Today's Block Encryption Algorithms

• Key size:
  • Too short => easy to guess
• Block size:
  • Too short => easy for the attacker to build a table of (plaintext, ciphertext) pairs
  • Reasonable size: 64 bits
• Properties:
  • One-to-one mapping
  • Mapping should look random to someone who doesn't have the key
  • Efficient to compute/reverse
• How?
  • Substitution (small chunks) & permutation (long chunks)
  • Multiple rounds

Data Encryption Standard (DES)

• Developed by IBM for the US government
  • Based on Lucifer (64-bits, 128-bits key in 1971)
  • To respond to the National Bureau of Standards CFP (now called NIST)
• Modified characteristics (with help from NSA):
  • 64-bit block size, 56-bit key length
  • Concerns about trapdoors, key size, S-box structure
• Adopted in 1977 as the DES (FIPS PUB 46, ANSI X3.92) and reaffirmed in 1994 for 5 more years
• Today replaced by AES

[Figure: DES structure. The 64-bit plaintext passes through IP and is split into 32-bit halves L0 and R0; each of the 16 rounds applies f with a 48-bit subkey K1 … K16; IP^-1 produces the ciphertext.]

Feistel cipher: $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$

• $L_1 = R_0$, $R_1 = L_0 \oplus f(R_0, K_1)$
• $L_2 = R_1$, $R_2 = L_1 \oplus f(R_1, K_2)$
• …
• $L_{15} = R_{14}$, $R_{15} = L_{14} \oplus f(R_{14}, K_{15})$
• $L_{16} = R_{15}$, $R_{16} = L_{15} \oplus f(R_{15}, K_{16})$

Feistel Cipher

• Function f does not have to be injective!
  • $L_i = R_{i-1}$
  • $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
• How can we invert one round?

One DES Round

[Figure: one DES round. Key (56 bits) as two 28-bit halves, each shifted, then Compression Permutation (48 bits); L_{i-1} and R_{i-1} (32 bits each); Expansion Permutation (48 bits), S-Box Substitution, P-Box Permutation; L_i = R_{i-1}, R_i = L_{i-1} ⊕ f(R_{i-1}, K_i).]

S-Box Substitution

[Figure: 48-bit input split across S-Box 1 … S-Box 8, producing a 32-bit output]

• S-Box: heart of DES security
• S-Box: 4x16 entry table
  • Input 6 bits: b1b2b3b4b5b6
    • 2 bits (b1b6): determine the table row (1-4)
    • 4 bits (b2b3b4b5): determine the table entry
  • Output: 4 bits
  • Example: S1(101000) = 1101
• S-Boxes are optimized against differential cryptanalysis

Double/Triple DES

• Double DES
  • Encryption: P → E(K1) → X → E(K2) → C
  • Decryption: C → D(K2) → X → D(K1) → P
  • Vulnerable to Meet-in-the-Middle Attack [DH77]
• Triple DES
  • Encryption: P → E(K1) → A → D(K2) → B → E(K1) → C
  • [Figure: the corresponding decryption path from C back to P through B and A, with keys K1, K2, K1]
  • Uses two keys K1 and K2
  • Compatible with simple DES (K1=K2)
  • Used in ISO 8732, PEM

DES Linear/Differential Cryptanalysis

• Differential cryptanalysis
  • “Rediscovered” by E.
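
The tables behind the "Linear Approximations of S-boxes" and "Differential Cryptanalysis" slides can be computed directly from the 4-bit S-box of the SPN example. The code below is an added example, not part of the original slides: it builds NL(a, b) and N_D(a', b'), applies the piling-up lemma to T1..T4, multiplies the propagation ratios of the differential trail, and evaluates T = c·ε⁻². Function names and the mask encoding (X1/Y1 as the most significant bit) are assumptions of this example; the S-box and the trail entries are read off the slides.

```python
# Added example: linear and differential tables for the slides' 4-bit S-box.
# Function names are assumptions of this example; S_BOX and the trail
# entries are taken from the slides.
from fractions import Fraction
from math import prod

S_BOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
         0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

# (input mask a, output mask b) of the active S-box in T1..T4; X1/Y1 = MSB.
# T1 = U5+U7+U8+V6 -> (1011, 0100); T2..T4 = U6+V6+V8 pattern -> (0100, 0101).
LINEAR_TRAIL = [(0xB, 0x4), (0x4, 0x5), (0x4, 0x5), (0x4, 0x5)]
# (input difference a', output difference b') from the differential example.
DIFF_TRAIL = [(0xB, 0x2), (0x4, 0x6), (0x2, 0x5), (0x2, 0x5)]


def parity(v):
    """XOR of the bits of v."""
    return bin(v).count("1") & 1


def linear_approximation_table(sbox):
    """NL[a][b] = number of inputs x with (a . x) XOR (b . S(x)) = 0."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
             for b in range(n)] for a in range(n)]


def bias(nl, a, b):
    """Bias(a, b) = (NL(a, b) - 8) / 16 for a 4-bit S-box."""
    n = len(nl)
    return Fraction(nl[a][b] - n // 2, n)


def piling_up(biases):
    """Bias of the XOR of k independent variables: 2^(k-1) * product."""
    biases = list(biases)
    return 2 ** (len(biases) - 1) * prod(biases, start=Fraction(1))


def linear_trail_bias(nl, trail=LINEAR_TRAIL):
    """Estimated bias of T1 xor T2 xor T3 xor T4, treating them as independent."""
    return piling_up(bias(nl, a, b) for a, b in trail)


def difference_distribution_table(sbox):
    """ND[a'][b'] = number of pairs (x, x xor a') with S(x) xor S(x xor a') = b'."""
    n = len(sbox)
    nd = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            nd[a][sbox[x] ^ sbox[x ^ a]] += 1
    return nd


def propagation_ratio(nd, a, b):
    """Rp(a', b') = ND(a', b') / 2^m."""
    return Fraction(nd[a][b], len(nd))


def differential_trail_ratio(nd, trail=DIFF_TRAIL):
    """Product of the per-S-box propagation ratios along the trail."""
    return prod((propagation_ratio(nd, a, b) for a, b in trail),
                start=Fraction(1))


def pairs_needed(eps, c=8):
    """T = c * eps^-2 plaintext-ciphertext pairs (c is about 8 on the slide)."""
    return int(c / eps ** 2)


if __name__ == "__main__":
    nl = linear_approximation_table(S_BOX)
    nd = difference_distribution_table(S_BOX)
    print("NL(3,9) =", nl[0x3][0x9], " NL(2,E) =", nl[0x2][0xE])
    eps = linear_trail_bias(nl)
    print("linear trail bias:", eps, " pairs needed:", pairs_needed(eps))
    print("differential trail ratio:", differential_trail_ratio(nd))
```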