Stream and Block Ciphers

Symmetric Cryptography: Block Ciphers and Stream Ciphers

Stream Ciphers
● Seeded by a key $K$, the stream cipher generates a pseudo-random bit-stream $\vec{z}$ (the key stream).
● A stream of plain-text bits $\vec{p}$ is XORed with the pseudo-random stream to obtain the cipher-text stream $\vec{c}$:
  $\vec{c} = \vec{p} \oplus \vec{z}$ and $\vec{p} = \vec{c} \oplus \vec{z}$
● The same stream generator (using the same seed) is used for both encryption and decryption.
[Figure: key $K$ seeds the stream cipher, which outputs the key stream $\vec{z}$; plain text $\vec{p}$ XORed with $\vec{z}$ gives cipher text $\vec{c}$]

Stream Ciphers (continued)
● $K \to \bar{z}_k$, $\bar{c} = \bar{p} \oplus \bar{z}_k$
● Two messages encrypted with the same key stream: $\bar{c}_i = \bar{p}_i \oplus \bar{z}_k$ and $\bar{c}_j = \bar{p}_j \oplus \bar{z}_k$
● Attacker has access to $\bar{c}_i$ and $\bar{c}_j$:
  $\bar{c}_i \oplus \bar{c}_j = (\bar{p}_i \oplus \bar{z}_k) \oplus (\bar{p}_j \oplus \bar{z}_k) = \bar{p}_i \oplus \bar{p}_j$
● XORing two cipher-texts encrypted using the same seed results in the XOR of the corresponding plain-texts
● Redundancy in plain-text structure can be easily used to determine both plain-texts
● And hence, the key stream
● Never reuse the seed?
 – Impractical
● Extend the seed using an initial value (IV) which can be sent in the clear
● Never reuse an IV

Block Ciphers
● $C = E(P, K)$
● $P = D(C, K)$
● $E()$ and $D()$ are algorithms
● $P$ is a block of "plain text" ($m$ bits)
● $C$ is the corresponding "cipher text" (also $m$ bits)
● $K$ is the secret key ($k$ bits long)
● $(k, m)$ block cipher – $k$-bit key size, $m$-bit block size
● $(m+k)$-bit input, $m$-bit output

Desired Properties
● The most efficient attack should be the brute-force attack (complexity depends only on key length)
● Knowledge of any number of plain-text/cipher-text pairs still does not reveal any information regarding any bit of the key
 – Even if the attacker has the ability to choose plain-text/cipher-text
 – Think of the cipher as encryption/decryption black boxes (with the key inside the boxes)
● An attacker with access to the black boxes can
 – input any plain text to the encryption box to get the cipher text, and
 – input any cipher text to the decryption box to get the corresponding plain text
● The attacker should still not be able to determine the key

Confusion and Diffusion
● Confusion is "making the relationship between the ciphertext and the symmetric key as complex and involved as possible."
● Diffusion refers to "dissipating the statistical structure of plaintext over the bulk of ciphertext."
● A block cipher with good confusion and diffusion properties will meet the desired goals

Block Cipher Properties: Another Perspective
● $m+k$ input bits
● $m$ output bits
● If the $i$th input bit is changed, what is the probability that the $j$th output bit changes? ($1 \le i \le m+k$ and $1 \le j \le m$)
● The probability should be as close to 0.5 as possible for all $1 \le i \le m+k$ and $1 \le j \le m$

Feistel Structure
[Figure: one Feistel round; encryption maps $(L_{i-1}, R_{i-1})$ to $(L_i, R_i)$ through $F$ and round key $K_i$, decryption maps $(L_i, R_i)$ back to $(L_{i-1}, R_{i-1})$ with the same $F$ and $K_i$]
Encryption: $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
Decryption: $R_{i-1} = L_i$, $L_{i-1} = R_i \oplus F(L_i, K_i)$
● Block ciphers are constructed from repeated Feistel rounds
● Each round has the same $F$ block, but a different round key
● Why?
 – $F()$ need not be invertible for the block cipher to be invertible!
 – $F()$ can be made as complex/non-linear as desired

Feistel Block Cipher (16 Rounds)
[Figure: $(L_0, R_0)$ passes through 16 rounds with round keys $K_1, \dots, K_{16}$ to give $(L_{16}, R_{16})$]

Encrypting Bulk Data
● For example, a file, or a packet
● Segment data into blocks of size $m$ bits (block size)
● Encrypt each block using the same key
 – Key set-up is expensive
● Issues
 – The encrypted file/packet should reveal as little information as possible regarding the contents of the file/packet

Block Cipher Modes
● Electronic Codebook (ECB)
● Cipher Block Chaining (CBC)
● Cipher Feedback (CFB)
● Output Feedback (OFB)
● Counter mode (CTR)

ECB Mode
$C_i = E(P_i)$, $P_i = D(C_i)$
[Figure: each block $P_1 \dots P_n$ is encrypted independently by $E$ to $C_1 \dots C_n$, and each $C_i$ is decrypted independently by $D$]
● Sender to receiver: $n$ blocks $C_1$ to $C_n$
● Identical plain-text blocks produce identical cipher-text blocks
● This can reveal some information regarding the plain text
● Encryption/decryption can be parallelized

CBC Mode
$C_i = E(P_i \oplus C_{i-1})$ where $C_0 = IV$
$P_i = D(C_i) \oplus C_{i-1}$ where $C_0 = IV$
[Figure: each plain-text block is XORed with the previous cipher-text block (the IV for the first block) before $E$; decryption applies $D$ and XORs with the previous cipher-text block]
● Sender to receiver: IV, and $C_1$ to $C_n$
● A transmission error in $C_k$ affects decryption of $P_k$ and $P_{k+1}$
● Encryption/decryption can not be parallelized
● A change in any bit of any plain-text block will dramatically modify all following cipher-text blocks (useful for key-based message authentication)
● What happens if a bit of the IV is modified in transit?
● The IV should be encrypted in ECB mode (recommended)

CFB Mode
$C_i = E(C_{i-1}) \oplus P_i$, $C_0 = IV$
$P_i = E(C_{i-1}) \oplus C_i$, $C_0 = IV$
[Figure: the previous cipher-text block (the IV for the first block) is passed through $E$ and XORed with the plain-text block; decryption passes the same cipher-text block through $E$ and XORs with $C_i$]
● Sender to receiver: IV, and $C_1$ to $C_n$
● A transmission error in $C_k$ affects decryption of $P_k$ and $P_{k+1}$
● Encryption/decryption can not be parallelized
● A change in any bit of any plain-text block will dramatically modify all following cipher-text blocks (useful for key-based message authentication)
● The block cipher is used in encryption mode for both encryption and decryption (advantages?)

OFB Mode
$O_i = E(O_{i-1})$, $O_0 = IV$
$C_i = P_i \oplus O_i$, $P_i = C_i \oplus O_i$
[Figure: the IV is repeatedly passed through $E$ to produce $O_1, O_2, O_3, \dots$, which are XORed with $P_1, P_2, P_3, \dots$ to give $C_1, C_2, C_3, \dots$; decryption produces the same $O_i$ and XORs them with $C_i$]
● Converts a block cipher into a stream cipher
● Not parallelizable
● If a bit of any cipher text is inverted, the corresponding plain-text bit will be inverted
● Preferable for encrypting streaming data over noisy channels
● If data integrity is crucial, then some additional mechanism should be used to ensure it

CTR Mode
Counter $X$: $C_i = P_i \oplus E(X+i)$, $P_i = C_i \oplus E(X+i)$
[Figure: $X+1, X+2, X+3, \dots$ are each passed through $E$ and XORed with $P_1, P_2, P_3, \dots$ to give $C_1, C_2, C_3, \dots$; decryption XORs the same $E(X+i)$ with $C_i$]
● Can be parallelized (like ECB)
● The same plain-text will not produce the same cipher text (unlike ECB)
● Two of the most recommended modes are currently CTR and CBC

Summary
● ECB: random access, but reveals patterns in plain text
● CBC: useful for MAC. Encrypt the IV
● CFB: useful for MAC
● OFB: stream cipher
● CTR: random access without revealing plain-text patterns

Summary (continued)
● Do not use a stream cipher if integrity is crucial
 – Attacker can modify specific bits
 – Use only if noise resilience is necessary
 – If integrity is necessary, an additional mechanism is to be used
● For the same reason, watch out for CTR mode
 – Use only if random access is necessary
 – If integrity is also essential, it can be achieved at an extra cost
   ● An additional block cipher operation instead of XOR
   ● Use $E(X+i)$ as a key for encrypting block $i$
● CBC/CFB for message authentication
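The Feistel slides state the round equations and the claim that $F()$ need not be invertible for the cipher to be invertible; the "Another Perspective" slide asks how likely an output bit is to change when one input bit changes. The following is an added example, not the lecture's own code and not a real cipher: a toy 64-bit, 16-round Feistel network whose round function $F$ is a truncated SHA-256 (so it has no inverse) and whose round keys come from a hash-based key schedule. The hash-based $F$, the key schedule and all function names are this example's assumptions.

```python
# Toy Feistel block cipher: 64-bit block, 16 rounds (added example, not the
# lecture's code and not a real cipher). F is a truncated SHA-256, so it is
# not invertible; the structure decrypts anyway. Names are the example's own.
import hashlib

BLOCK_BITS = 64
HALF_BITS = BLOCK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 16


def round_keys(key: bytes, rounds: int = ROUNDS) -> list:
    """Round keys K_1..K_n: a hash-based schedule (an assumption of this example)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, rounds + 1)]


def F(half: int, k: int) -> int:
    """Round function: many inputs share an output, so F has no inverse."""
    data = half.to_bytes(4, "big") + k.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def encrypt_block(P: int, key: bytes) -> int:
    """L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i), for i = 1..16."""
    L, R = P >> HALF_BITS, P & HALF_MASK
    for k in round_keys(key):
        L, R = R, L ^ F(R, k)
    return (L << HALF_BITS) | R


def decrypt_block(C: int, key: bytes) -> int:
    """Same F, keys in reverse order: R_{i-1} = L_i, L_{i-1} = R_i xor F(L_i, K_i)."""
    L, R = C >> HALF_BITS, C & HALF_MASK
    for k in reversed(round_keys(key)):
        L, R = R ^ F(L, k), L
    return (L << HALF_BITS) | R


def avalanche(key: bytes, P: int) -> float:
    """Average fraction of the m output bits that change when a single one of the
    m + k input bits (plain text or key) is flipped; the ideal value is 0.5."""
    base = encrypt_block(P, key)
    key_int, key_bits = int.from_bytes(key, "big"), 8 * len(key)
    flipped = 0
    for i in range(BLOCK_BITS):                       # flip plain-text bit i
        flipped += bin(base ^ encrypt_block(P ^ (1 << i), key)).count("1")
    for i in range(key_bits):                         # flip key bit i
        key2 = (key_int ^ (1 << i)).to_bytes(len(key), "big")
        flipped += bin(base ^ encrypt_block(P, key2)).count("1")
    return flipped / ((BLOCK_BITS + key_bits) * BLOCK_BITS)


if __name__ == "__main__":
    key = bytes(range(16))                            # constructed 128-bit key
    P = 0x0123456789ABCDEF
    C = encrypt_block(P, key)
    print(f"C = {C:016x}, round trip ok = {decrypt_block(C, key) == P}")
    print(f"avalanche = {avalanche(key, P):.3f}")
```

Decryption runs the identical round with the halves swapped and the round keys in reverse order, which is why $F$ is never inverted. With fewer rounds (try `ROUNDS = 2`) the avalanche figure drops well below 0.5 because a flipped bit in one half has not yet reached every output bit, which is the practical reason for the 16-round structure on the slides.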
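As an added example for the mode slides (ECB, CBC, CFB, OFB, CTR) and for the key-stream reuse point of the stream cipher slides, not the lecture's own code: the five modes implemented over a constructed toy 64-bit block permutation `E`/`D` (a keyed XOR, an odd multiplication mod $2^{64}$ and a rotation, chosen only because it is invertible and has no security value). The demonstration functions show identical ECB blocks, the $C_k$ error spreading to $P_k$ and $P_{k+1}$ in CBC, a single inverted CTR cipher-text bit inverting exactly one plain-text bit, and $C_1 \oplus C_2 = P_1 \oplus P_2$ when the counter $X$ (the IV of the stream cipher slide) is reused. All names and sample messages are constructed for the example.

```python
# Block cipher modes over a constructed toy block permutation (added example,
# not the lecture's code). E/D stand in for a real 64-bit block cipher.
BLOCK = 8                      # block size m = 64 bits, handled as bytes
MASK = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15      # odd, so multiplication mod 2^64 is invertible
MULT_INV = pow(MULT, -1, 1 << 64)

def E(block: bytes, key: bytes) -> bytes:
    """Toy block encryption: XOR with key, multiply by MULT mod 2^64, rotate left 17."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    x = (x * MULT) & MASK
    return (((x << 17) | (x >> 47)) & MASK).to_bytes(BLOCK, "big")

def D(block: bytes, key: bytes) -> bytes:
    """Inverse of E: rotate right 17, multiply by MULT_INV, XOR with key."""
    x = int.from_bytes(block, "big")
    x = (((x >> 17) | (x << 47)) & MASK) * MULT_INV & MASK
    return (x ^ int.from_bytes(key, "big")).to_bytes(BLOCK, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def blocks(data: bytes) -> list:          # example assumes a whole number of blocks
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(P, key):            # C_i = E(P_i): each block independent
    return b"".join(E(p, key) for p in blocks(P))

def ecb_decrypt(C, key):            # P_i = D(C_i)
    return b"".join(D(c, key) for c in blocks(C))

def cbc_encrypt(P, key, iv):        # C_i = E(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in blocks(P):
        prev = E(xor(p, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(C, key, iv):        # P_i = D(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in blocks(C):
        out.append(xor(D(c, key), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(P, key, iv):        # C_i = E(C_{i-1}) xor P_i, C_0 = IV
    out, prev = [], iv
    for p in blocks(P):
        prev = xor(E(prev, key), p)
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(C, key, iv):        # P_i = E(C_{i-1}) xor C_i: E on both sides, D unused
    out, prev = [], iv
    for c in blocks(C):
        out.append(xor(E(prev, key), c))
        prev = c
    return b"".join(out)

def ofb_crypt(data, key, iv):       # O_i = E(O_{i-1}), O_0 = IV; same call encrypts and decrypts
    out, o = [], iv
    for d in blocks(data):
        o = E(o, key)
        out.append(xor(d, o))
    return b"".join(out)

def ctr_crypt(data, key, x: int):   # C_i = P_i xor E(X + i); blocks are independent
    out = []
    for i, d in enumerate(blocks(data), start=1):
        out.append(xor(d, E(((x + i) & MASK).to_bytes(BLOCK, "big"), key)))
    return b"".join(out)

def ecb_repeats(key):
    """Distinct cipher-text blocks for three identical plain-text blocks: (ECB, CBC)."""
    P = b"SAMEBLOK" * 3
    return len(set(blocks(ecb_encrypt(P, key)))), len(set(blocks(cbc_encrypt(P, key, bytes(BLOCK)))))

def cbc_error_spread(key, iv):
    """Flip one bit of C_2 in transit: P_2 garbled, P_3 off by one bit, P_1 and P_4 intact."""
    P = bytes(range(4 * BLOCK))
    C = bytearray(cbc_encrypt(P, key, iv))
    C[BLOCK] ^= 0x01
    return [r == o for r, o in zip(blocks(cbc_decrypt(bytes(C), key, iv)), blocks(P))]

def ctr_bit_flip(key, x):
    """Invert one cipher-text bit: exactly that plain-text bit inverts, and nothing notices."""
    P = bytes(range(2 * BLOCK))
    C = bytearray(ctr_crypt(P, key, x))
    C[3] ^= 0x80
    return xor(ctr_crypt(bytes(C), key, x), P)

def ctr_counter_reuse(key, x):
    """Reuse X for two messages: C_1 xor C_2 == P_1 xor P_2, the key stream cancels out."""
    P1, P2 = b"first  message! ", b"second message! "   # constructed 16-byte messages
    return xor(ctr_crypt(P1, key, x), ctr_crypt(P2, key, x)) == xor(P1, P2)
```

The `ecb_repeats` result `(1, 3)` is the pattern leak of the ECB slide; `cbc_error_spread` returning `[True, False, False, True]` is the "$C_k$ affects $P_k$ and $P_{k+1}$" statement made concrete; `ctr_bit_flip` returning a single `0x80` byte is the reason the summary says a stream cipher (and CTR) needs an additional integrity mechanism; and `ctr_counter_reuse` returning `True` is the stream cipher slide's $\bar{c}_i \oplus \bar{c}_j = \bar{p}_i \oplus \bar{p}_j$, which is why $X$ (the IV) must never be reused under the same key.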
