Feistel Cipher Structure

Computer Security - Block Ciphers & DES (Data Encryption Standard)
Howon Kim, 2019.3

Agenda
◼ Review
◼ Block Ciphers & Stream Ciphers
  ❑ Stream Ciphers
  ❑ Block Ciphers
◼ DES
◼ Cryptanalysis
◼ Modes of Operations
◼ Next…

Review: Attack Types
◼ Attack types
  ❑ Ciphertext only
    ◼ Eve has only a copy of the ciphertext.
  ❑ Known plaintext
    ◼ Eve has a copy of a ciphertext and the corresponding plaintext.
    ◼ For example, if Eve knows that Alice always starts her messages with "Dear Bob," then Eve has a small piece of ciphertext and the corresponding plaintext.
  ❑ Chosen plaintext
    ◼ Eve gains temporary access to the encryption machine.
    ◼ She cannot open it to find the key, but she can encrypt a large number of suitably chosen plaintexts and try to use the resulting ciphertexts to deduce the key.
  ❑ Chosen ciphertext
    ◼ Eve obtains temporary access to the decryption machine.

Review: Ciphertext Only Attack
◼ Eve has only the ciphertext.
  ❑ Y M W J J U F W Y X
◼ Her best strategy is an exhaustive search.
  ❑ There are only 26 possible keys (shift cipher).
  ❑ If the message is longer than a few letters, it is unlikely that more than one meaningful message could be the plaintext.
◼ Try to decrypt it!

Review: Known Plaintext Attack
◼ It is trivial (for the shift cipher only; in general it is not).
  ❑ If Eve knows just one letter of the plaintext along with the corresponding letter of ciphertext, she can deduce the key.
◼ In the example above…
  ❑ Ciphertext: Y M W J J U F W Y X
  ❑ Plaintext:  ? ? ? ? ? p ? ? ? ?

Review: CPA, CCA
◼ Attack 3: Chosen plaintext attack
  ❑ Choose the letter a as the plaintext.
  ❑ The ciphertext gives the key itself.
  ❑ Example: a ➔ F (= 5)
◼ Attack 4: Chosen ciphertext attack
  ❑ Choose the letter A as the ciphertext.
  ❑ The plaintext is the negative of the key (mod 26).
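The four attack models above, worked on the shift cipher in code. This is an added example, not part of the lecture slides: the shift cipher, the 26-key exhaustive search, and the oracle-based CPA/CCA steps are implemented from the slide's descriptions, and the "machine" is modelled as a lambda holding a hidden key (an assumption for the demo). The known-plaintext step uses the slide's hint that the sixth letter (U) is p.

```python
"""Shift cipher: the four attack models from the review slides, on Y M W J J U F W Y X."""
import string

ALPHABET = string.ascii_lowercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift each lowercase letter forward `key` places; ciphertext is written in uppercase."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + key) % 26].upper() for ch in plaintext)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Undo shift_encrypt; returns lowercase plaintext."""
    return "".join(ALPHABET[(ALPHABET.index(ch.lower()) - key) % 26] for ch in ciphertext)


def ciphertext_only(ciphertext: str) -> dict:
    """Exhaustive search: only 26 keys, so list every candidate and let the analyst pick
    the one that reads as a meaningful message."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


def known_plaintext(ct_letter: str, pt_letter: str) -> int:
    """One (plaintext, ciphertext) letter pair fixes the key: key = c - p (mod 26)."""
    return (ALPHABET.index(ct_letter.lower()) - ALPHABET.index(pt_letter.lower())) % 26


def chosen_plaintext(encrypt_oracle) -> int:
    """Encrypt 'a' (index 0): the index of the ciphertext letter is the key itself."""
    return ALPHABET.index(encrypt_oracle("a").lower())


def chosen_ciphertext(decrypt_oracle) -> int:
    """Decrypt 'A' (index 0): the plaintext letter is -key (mod 26), so negate it again."""
    return (-ALPHABET.index(decrypt_oracle("A"))) % 26


if __name__ == "__main__":
    secret_key = 5  # hidden inside the "machine" (assumption); consistent with the slide's a -> F
    ct = "YMWJJUFWYX"
    for k, candidate in ciphertext_only(ct).items():
        print(f"key {k:2d}: {candidate}")
    print("known plaintext  : key =", known_plaintext("U", "p"))  # 6th letter is 'p'
    print("chosen plaintext : key =", chosen_plaintext(lambda p: shift_encrypt(p, secret_key)))
    print("chosen ciphertext: key =", chosen_ciphertext(lambda c: shift_decrypt(c, secret_key)))
```

Run it and scan the 26 candidates from the ciphertext-only search; only one key yields an English phrase, and the three other attacks each return that same key from a single query or letter pair.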
Block vs Stream Ciphers
◼ Block ciphers process messages in blocks, each of which is then encrypted/decrypted.
◼ Like a substitution on very big characters
  ❑ 64 bits or more
◼ Stream ciphers process messages a bit or a byte at a time when encrypting/decrypting.

Block vs Stream Ciphers
[Figure] Reference: Understanding Cryptography by C. Paar & J. Pelzl

Encryption & Decryption with Stream Ciphers
[Figure] Reference: Understanding Cryptography by C. Paar & J. Pelzl

Synchronous vs. Asynchronous Stream Cipher
◼ Synchronous stream cipher
  ❑ The key stream depends only on the key (and possibly an initialization vector IV).
◼ Asynchronous stream cipher
  ❑ The key stream depends also on the ciphertext (dotted feedback path enabled).
[Figure] Reference: Understanding Cryptography by C. Paar & J. Pelzl

Why is mod 2 addition a good encryption function?
◼ The properties of the random key stream s_i carry over directly to the ciphertext; that is, the XOR (mod 2) operation transfers the randomness of s_i to the ciphertext.
◼ In the figure, 0 and 1 each occur in the key stream s_i with probability 0.5; after mod-2 addition, i.e. XOR, the ciphertext y_i inherits the properties of the random stream s_i.

LFSR Sequences: Example of a Stream Cipher
◼ Linear Feedback Shift Register (LFSR)
  ❑ defined by a linear recurrence.
  ❑ implemented very easily, especially in hardware.
  ❑ very fast in terms of operating frequency (but only one output bit per clock, so the throughput is modest).
◼ Example: x_{m+3} = x_{m+1} XOR x_m
  [Figure: registers x_{m+2}, x_{m+1}, x_m with an XOR gate feeding back; the key stream is XORed with the plaintext to give the ciphertext]
  ❑ Initial state (initial values): x1 x2 x3 = 010
  ❑ Generated sequence: 0101110010111001…
  ❑ Plaintext (AB…): 0100000101000010…
  ❑ Ciphertext: 0001110111111011…

LFSR Sequences
◼ Example: x_{m+3} = x_{m+1} XOR x_m, initial state x1 x2 x3 = 010
    m=1:  x4  = x2  XOR x1  = 1 XOR 0 = 1
    m=2:  x5  = x3  XOR x2  = 0 XOR 1 = 1
    m=3:  x6  = x4  XOR x3  = 1 XOR 0 = 1
    m=4:  x7  = x5  XOR x4  = 1 XOR 1 = 0
    m=5:  x8  = x6  XOR x5  = 1 XOR 1 = 0
    m=6:  x9  = x7  XOR x6  = 0 XOR 1 = 1
    m=7:  x10 = x8  XOR x7  = 0 XOR 0 = 0
    m=8:  x11 = x9  XOR x8  = 1 XOR 0 = 1
    m=9:  x12 = x10 XOR x9  = 0 XOR 1 = 1
    m=10: x13 = x11 XOR x10 = 1 XOR 0 = 1
    m=11: x14 = x12 XOR x11 = 1 XOR 1 = 0
    m=12: x15 = x13 XOR x12 = 1 XOR 1 = 0
  ❑ Generated sequence: 0101110010111001…
  ❑ Plaintext (AB…): 0100000101000010…
  ❑ Ciphertext: 0001110111111011…

LFSR Sequences
◼ Key length vs. sequence length
  ❑ Key (register) length n ➔ sequence period ≤ 2^n − 1.
  ❑ Above example
    ◼ Key length = 3
    ◼ Sequence period = 7
◼ An "approximation" to a one-time pad
  ❑ A small input generates a long binary sequence.
  ❑ The one-time pad (OTP) is an encryption algorithm where the plaintext is combined with a random key or "pad" that is as long as the plaintext and used only once. A modular addition is used to combine the plaintext with the pad. (For binary data, the operation XOR amounts to the same thing.) [From Wikipedia]

LFSR Sequences: Attack
◼ Unfortunately,
  ❑ this encryption method succumbs easily to a known plaintext attack.
  ❑ This is because the construction is linear.
  ❑ If we know only a few consecutive bits of plaintext, along with the corresponding bits of ciphertext, an attack can determine the whole sequence.
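The LFSR example above and the known-plaintext attack the following slides carry out by hand (try length 2, then 3, then 4), as an added example that is not part of the lecture slides. The generator runs the slide's recurrence x_{m+3} = x_{m+1} XOR x_m from state 010 and encrypts "AB"; the attack takes the first 11 key-stream bits of the attack slide (ciphertext 10010100001 under an all-ones plaintext), solves the tap coefficients over GF(2) for increasing register length, and keeps the first recurrence that reproduces every known bit. The GF(2) solver is general, so the same code recovers any LFSR given 2n consecutive key-stream bits.

```python
"""Toy LFSR stream cipher from the slides, plus the known-plaintext attack that recovers
its recurrence by solving a linear system over GF(2)."""
from typing import List, Optional, Tuple

Bits = List[int]


def bits(s: str) -> Bits:
    """'0101' -> [0, 1, 0, 1]"""
    return [int(b) for b in s]


def ascii_bits(text: str) -> Bits:
    """ASCII text -> 8 bits per character, MSB first (the slide's 'AB' -> 01000001 01000010)."""
    return [(ord(ch) >> (7 - i)) & 1 for ch in text for i in range(8)]


def xor_bits(a: Bits, b: Bits) -> Bits:
    return [x ^ y for x, y in zip(a, b)]


def lfsr_sequence(init: Bits, taps: Bits, length: int) -> Bits:
    """Run x_{m+n} = c_0 x_m XOR c_1 x_{m+1} XOR ... XOR c_{n-1} x_{m+n-1}.
    init = [x_1, ..., x_n] is the initial register state (the key); taps = [c_0, ..., c_{n-1}]."""
    n = len(init)
    seq = list(init)
    while len(seq) < length:
        new_bit = 0
        for i, c in enumerate(taps):
            if c:
                new_bit ^= seq[len(seq) - n + i]
        seq.append(new_bit)
    return seq[:length]


def solve_gf2(rows: List[Bits]) -> Optional[Bits]:
    """Gauss-Jordan elimination over GF(2). Each row is [a_0, ..., a_{n-1}, b] meaning
    a_0 c_0 + ... + a_{n-1} c_{n-1} = b. Returns the unique solution [c_0, ..., c_{n-1}],
    or None when the system is inconsistent or underdetermined."""
    rows = [r[:] for r in rows]
    n = len(rows[0]) - 1
    pivot_row = 0
    for col in range(n):
        piv = next((i for i in range(pivot_row, len(rows)) if rows[i][col]), None)
        if piv is None:
            return None  # no pivot for c_col: free variable, or no solution at all
        rows[pivot_row], rows[piv] = rows[piv], rows[pivot_row]
        for i in range(len(rows)):
            if i != pivot_row and rows[i][col]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[pivot_row])]
        pivot_row += 1
    if any(r[n] for r in rows[pivot_row:]):
        return None  # a row reduced to 0 = 1: inconsistent
    return [rows[i][n] for i in range(n)]


def recover_lfsr(known: Bits) -> Optional[Tuple[int, Bits]]:
    """Known-plaintext attack: for n = 1, 2, ..., build n equations x_{j+n} = sum_i c_i x_{j+i}
    from 2n consecutive key-stream bits, solve for the taps, and accept the first recurrence
    that reproduces every known bit. Returns (n, taps) or None."""
    for n in range(1, len(known) // 2 + 1):
        rows = [known[j:j + n] + [known[j + n]] for j in range(n)]
        taps = solve_gf2(rows)
        if taps is None:
            continue  # e.g. length 3 in the slides: the equations are inconsistent
        if lfsr_sequence(known[:n], taps, len(known)) == known:
            return n, taps  # length 2 solves but mispredicts x_6; length 4 fits
    return None


if __name__ == "__main__":
    # Slide example: x_{m+3} = x_{m+1} XOR x_m (taps c_0=1, c_1=1, c_2=0), state 010, plaintext "AB".
    keystream = lfsr_sequence(bits("010"), bits("110"), 16)
    ciphertext = xor_bits(ascii_bits("AB"), keystream)
    print("keystream :", "".join(map(str, keystream)))    # 0101110010111001
    print("ciphertext:", "".join(map(str, ciphertext)))   # 0001110111111011

    # Attack slide: first 11 ciphertext bits with an all-ones known plaintext.
    known_ks = xor_bits(bits("10010100001"), bits("1" * 11))  # 01101011110
    print("recovered (n, taps):", recover_lfsr(known_ks))  # (4, [1, 1, 0, 0])
```

The recovered taps [1, 1, 0, 0] are the recurrence x_{n+4} = x_n + x_{n+1} from the slides; 11 known bits were enough because the attack only needs 2n = 8 of them, far fewer than the period of 15.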
◼ Linear means:
  ❑ superposition: f(x + y) = f(x) + f(y)
  ❑ homogeneity of degree 1: f(ax) = a·f(x)

LFSR Sequences: Attack
◼ Example
  ❑ Suppose we know an initial segment of a (plaintext, ciphertext) pair.
    Ciphertext: 10010100001110100100101010101011110010…
    Plaintext:  11111111111…
    Sequence:   01101011110…

LFSR Sequences: Attack
◼ An attacker tries to recover the linear recurrence.
◼ She doesn't know the size of the LFSR.
  ❑ First try length 2: x_{n+2} = c0 x_n + c1 x_{n+1} ("+" means XOR).
  ❑ Let n = 1 and n = 2, and use the known values x1 = 0, x2 = 1, x3 = 1, x4 = 0 (sequence: 01101011110…):
    x3 = c0 x1 + c1 x2 ➔ 1 = c0·0 + c1·1 ➔ c1 = 1
    x4 = c0 x2 + c1 x3 ➔ 0 = c0·1 + 1·1 ➔ c0 = 1
  ❑ Check the recurrence x_{n+2} = x_n + x_{n+1} against the known sequence:
    x5 = x3 + x4 = 1 + 0 = 1
    x6 = x4 + x5 = 0 + 1 = 1
    x7 = x5 + x6 = 1 + 1 = 0
    x8 = x6 + x7 = 1 + 0 = 1
    Generated sequence: 01101101… Not correct! (the known sequence has x6 = 0)

LFSR Sequences: Attack
◼ Try length 3.
  ❑ This is impossible as well (the three equations for c0, c1, c2 are inconsistent).
◼ Try length 4: x_{n+4} = c0 x_n + c1 x_{n+1} + c2 x_{n+2} + c3 x_{n+3} (sequence: 01101011110…)
    x5 = c0 x1 + c1 x2 + c2 x3 + c3 x4
    x6 = c0 x2 + c1 x3 + c2 x4 + c3 x5
    x7 = c0 x3 + c1 x4 + c2 x5 + c3 x6
    x8 = c0 x4 + c1 x5 + c2 x6 + c3 x7
  ❑ Solution: c0 = 1, c1 = 1, c2 = 0, c3 = 0, i.e. x_{n+4} = x_n + x_{n+1}, which reproduces the whole known segment.

LFSR Sequences: Attack
◼ Generalization
  ❑ An attacker can recover the linear recurrence of a length-n LFSR once 2n consecutive elements of the sequence are revealed.
  ❑ This is much smaller than the period of the sequence, which can be as large as 2^n − 1.
◼ Improvement
  ❑ The problem is that the recurrence is linear, so an attacker can set up a matrix equation.
  ❑ So, we append some nonlinear elements.

Real Stream Cipher 1 - A5/1
◼ Example: GSM A5/1 stream cipher
  ❑ Used to encrypt mobile phone conversations
  ❑ Three LFSRs R1, R2, R3 with clocking bits C1, C2, C3; m = Majority(C1, C2, C3)
  ❑ Only the registers whose clocking bit agrees with the majority are clocked, so either two or all three registers step in each cycle.
    ◼ Ex1) If C1=0, C2=1, C3=0 then clock R1 and R3.
    ◼ Ex2) If C1=1, C2=1, C3=1 then clock R1, R2 and R3.

New Stream Cipher Standardization
◼ ECRYPT
  ❑ European Network of Excellence for Cryptology
◼ eSTREAM
  ❑ ECRYPT Stream Cipher Project
  ❑ Phase 1 (Nov. 2004 ~)
    ◼ submission of cryptographic primitives
  ❑ Phase 2 (Aug. 2006 ~)
    ◼ Seven SW-based candidates: DRAGON, HC-256, LEX, Phelix, Py, Salsa20, SOSEMANUK
    ◼ Four HW-based candidates: Grain, MICKEY-128, Phelix, Trivium
  ❑ Phase 3 (April 2007 ~)
    ◼ Eight SW-based candidates: CryptMT, Dragon, HC, LEX, NLS, Rabbit, Salsa20, SOSEMANUK
    ◼ Eight HW-based candidates: DECIM, Edon80, F-FCSR, Grain, MICKEY, Moustique, Pomaranch, Trivium
  ❑ eSTREAM portfolio (April 2008): finalized
    ◼ S/W: HC-128, Rabbit, Salsa20/12, SOSEMANUK
    ◼ H/W: F-FCSR-H v2, Grain v1, MICKEY v2, Trivium
    ◼ (F-FCSR-H v2 was removed from the portfolio in the September 2008 revision after a practical attack.)

Real Stream Cipher 2 - Trivium
◼ A modern stream cipher: Trivium (designed by Christophe De Cannière and Bart Preneel)
  ❑ 3 nonlinear feedback shift registers (NLFSR) of length 93, 84, 111
  ❑ Small in H/W
    ◼ Total register count: 288; non-linearity: 3 AND gates
    ◼ 7 XOR gates (4 with three inputs)

Trivium
◼ Initialization
  ❑ Load the 80-bit IV (initial vector) into the leftmost bits of A
  ❑ Load the 80-bit key into the leftmost bits of B
  ❑ Set c109, c110, c111 = 1, all other register bits 0
  ❑ (Note: this follows the description in Paar & Pelzl. The Trivium specification loads the key into the 93-bit register A and the IV into the 84-bit register B; either way only the key is secret.)
◼ Warm-up
  ❑ Clock the cipher 4 × 288 = 1,152 times without generating output
◼ Encryption
  ❑ The XOR-sum of the three NLFSR outputs generates the key stream s_i
• The IV acts as a randomizer but does not need to be kept secret (the only secret is the key!).
• In a stream cipher, if the IV is not changed, the same key generates the same key stream, which is a security problem. Therefore the IV is changed so that different key streams are produced even under the same key.

Agenda
◼ Review
◼ Block Ciphers & Stream Ciphers
  ❑ Stream Ciphers
  ❑ Block Ciphers
◼ DES
◼ Cryptanalysis
◼ Modes of Operations
◼ Next…

Block Cipher Principles
◼ Most symmetric block ciphers are based on a Feistel cipher structure.
◼ Block ciphers look like an extremely large substitution.
◼ A 64-bit block would need a table of 2^64 entries.
◼ Instead, create the cipher from smaller building blocks
◼ using the idea of a product cipher.

Claude Shannon and Substitution-Permutation Ciphers
◼ In 1949 Claude Shannon introduced the idea of substitution-permutation (S-P) networks
  ❑ a modern substitution-transposition product cipher
◼ These form the basis of modern block ciphers.
◼ S-P networks are based on the two primitive cryptographic operations we have seen before:
  ❑ substitution (S-box)
  ❑ permutation (P-box)
◼ They provide confusion and diffusion of the message.

Confusion and Diffusion
◼ A cipher needs to completely obscure the statistical properties of the original message.
◼ A one-time pad does this.
◼ More practically, Shannon suggested combining elements to obtain:
◼ diffusion: dissipates the statistical structure of the plaintext over the bulk of the ciphertext
  ❑ Diffusion is associated with the dependency of output bits on input bits.
  ❑ In a cipher with good diffusion, flipping an input bit should change each output bit with probability one half.
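The IV-reuse warning in the Trivium slide above, demonstrated in code as an added example that is not part of the lecture slides. The key-stream generator here is a stand-in (an assumption for the demo: SHA-256 over key || IV || counter, not Trivium or A5/1), chosen only so the example runs offline; what matters is the property every synchronous stream cipher shares, that the key stream depends on the key and IV alone. The two messages, the key and the IVs are constructed sample data, and the "Dear Bob," opening ties back to the known-plaintext slide.

```python
"""Why a stream cipher must never reuse a (key, IV) pair: the two-time pad problem."""
import hashlib
from itertools import count


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in synchronous key-stream generator (assumption: NOT Trivium or A5/1; just
    SHA-256(key || iv || counter) so the example runs offline). As in any synchronous
    stream cipher, the output depends only on the key and the IV."""
    out = bytearray()
    for counter in count():
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """c_i = p_i XOR s_i; decryption is the identical operation."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were produced with the same key stream, c1 XOR c2 = p1 XOR p2:
    the key stream cancels completely and never has to be recovered."""
    return xor_bytes(c1, c2)


def crib_drag(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """Known-plaintext step: a guessed fragment of p1 at `offset` reveals the same bytes of p2."""
    window = xor_of_plaintexts(c1, c2)[offset:offset + len(crib)]
    return xor_bytes(window, crib)


def demo() -> dict:
    """Constructed sample data (not from the slides): 80-bit key and IVs, two same-length messages."""
    key = b"\x0f" * 10
    iv_a = b"\x00" * 10
    iv_b = b"\x01" * 10
    p1 = b"Dear Bob, the meeting is at 0900"
    p2 = b"Dear Bob, the meeting is at 1430"

    c1 = encrypt(key, iv_a, p1)
    c2_reused = encrypt(key, iv_a, p2)  # same key AND same IV: identical key stream
    c2_fresh = encrypt(key, iv_b, p2)   # same key, fresh IV: different key stream

    return {
        "roundtrip_ok": decrypt(key, iv_a, c1) == p1,
        "reuse_leaks_p1_xor_p2": xor_of_plaintexts(c1, c2_reused) == xor_bytes(p1, p2),
        "crib_recovers_time": crib_drag(c1, c2_reused, b" 0900", 27),  # bytes 27.. of p2
        "fresh_iv_leaks": xor_of_plaintexts(c1, c2_fresh) == xor_bytes(p1, p2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value!r}")
```

With the IV reused, an attacker who knows (or guesses) the tail " 0900" of the first message reads " 1430" straight out of the second one without touching the key; with a fresh IV the XOR of the two ciphertexts carries no such relation. This is exactly why the slide insists the IV be changed for every message under the same key, and why it does not need to be secret: its job is uniqueness, not confidentiality.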

Details
  • File Type: pdf
  • Content Languages: English
  • File Pages: 104
