BLOCK CIPHER OPERATION

ABHILASH SREERAMANENI
Department of Computer Science
Seoul National University of Science and Technology
2013-2014

CONTENTS

Multiple Encryption and Triple DES
Electronic Code Book (ECB)
Cipher Block Chaining Mode (CBC)
Cipher Feedback Mode (CFB)
Output Feedback Mode (OFB)
Counter Mode (CTR)
XTS-AES Mode

MULTIPLE ENCRYPTION AND TRIPLE DES

Double DES
Triple DES with Two Keys
Triple DES with Three Keys

DOUBLE DES

The simplest form of multiple encryption has two encryption stages and two keys. Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as

C = E(K2, E(K1, P))

Decryption requires that the keys be applied in reverse order:

P = D(K1, D(K2, C))

For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits, resulting in a dramatic increase in cryptographic strength.

[Figure: Double encryption. Encryption: P -> E (K1) -> X -> E (K2) -> C. Decryption: C -> D (K2) -> X -> D (K1) -> P.]

[Figure: Encryption and decryption with DES.]

REDUCTION TO A SINGLE STAGE

Suppose that for DES, for all 56-bit key values, given any two keys K1 and K2, it were possible to find a key K3 such that

E(K2, E(K1, P)) = E(K3, P)

Then any number of stages of multiple encryption with DES would be useless, because the result would be equivalent to a single encryption with a single 56-bit key.

DES is a mapping of 64-bit blocks to 64-bit blocks. If we consider all 2^64 possible input blocks, DES encryption with a specific key will map each block into a unique 64-bit block. The number of different mappings that permute the input blocks is easily seen to be

(2^64)! = 10^347380000000000000000 > 10^(10^20)

DES defines one mapping for each different key, for a total number of mappings:

2^56 < 10^17

If DES is used twice with different keys, it will produce one of the many mappings that are not defined by a single application of DES.
MEET-IN-THE-MIDDLE ATTACK

Double DES results in a mapping that is not equivalent to a single DES encryption. The meet-in-the-middle attack rests on the observation that if

C = E(K2, E(K1, P))

then

X = E(K1, P) = D(K2, C)

First, encrypt P for all 2^56 possible values of K1. Then decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the result against the encryptions of P for a match. If a match occurs, then test the two resulting keys against a new known plaintext–ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys.

Double DES uses, in effect, a 112-bit key, so that there are 2^112 possible keys. For a given plaintext P, the number of different 112-bit keys that will produce a given ciphertext C is 2^112/2^64 = 2^48. With a further 64 bits of known plaintext and ciphertext, the false alarm rate is reduced to 2^(48-64) = 2^-16. If the meet-in-the-middle attack is performed on two blocks of known plaintext–ciphertext, the probability that the correct keys are determined is 1 - 2^-16. A known-plaintext attack will therefore succeed against double DES, which has a key size of 112 bits, with an effort on the order of 2^56.

[Figure: Double DES multiple encryption and the meet-in-the-middle attack. Plaintext P -> Encryption (K1) -> intermediate ciphertext X = EK1(P) -> Encryption (K2) -> ciphertext EK2[EK1(P)].]

TRIPLE DES WITH TWO KEYS

An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys. This raises the cost of the meet-in-the-middle attack to 2^112. It has the drawback of requiring a key length of 56 * 3 = 168 bits. Tuchman proposed a triple encryption method that uses only two keys.
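The meet-in-the-middle attack on double encryption described above, run end to end as an added example that is not part of the original slides. The cipher is a toy constructed for this example, not DES: with 24-bit blocks and 16-bit keys, an ideal cipher would give about 2^32/2^24 = 2^8 false alarms on the first pair and 2^(8-24) = 2^-16 after the second; all names and sample values are assumptions.

```python
# Toy block cipher constructed for this example (NOT DES): 24-bit blocks, 16-bit keys.
M = (1 << 24) - 1
A = 0x9E3779                       # odd, so it has an inverse mod 2**24
A_INV = pow(A, -1, 1 << 24)

def E(k, x):
    for _ in range(3):
        x = ((x ^ k) * A) & M
        x ^= x >> 12               # self-inverse on 24-bit values
    return x

def D(k, y):
    for _ in range(3):
        y ^= y >> 12
        y = ((y * A_INV) & M) ^ k
    return y

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))         # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs, key_bits=16):
    """Return (candidates from the first pair, keys confirmed by the other pairs)."""
    (p1, c1), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << key_bits):            # X = E(K1, P) for every K1
        table.setdefault(E(k1, p1), []).append(k1)
    candidates = [(k1, k2)
                  for k2 in range(1 << key_bits)   # X = D(K2, C) for every K2
                  for k1 in table.get(D(k2, c1), [])]
    confirmed = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(k1, k2, p) == c for p, c in rest)]
    return candidates, confirmed

# Constructed sample: secret keys and two known plaintext blocks.
K1, K2 = 0x3A7C, 0xC015
PLAINTEXTS = [0x414243, 0x58595A]
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in PLAINTEXTS]

if __name__ == "__main__":
    cands, keys = meet_in_the_middle(PAIRS)
    print("cipher calls: about 2 * 2**16, not 2**32")
    print("false alarms after the first pair:", len(cands) - 1)
    print("confirmed keys:", [(hex(a), hex(b)) for a, b in keys])
```

The work is two passes over the 16-bit key space plus a table of intermediate values, which is why the second key adds almost nothing to the effective strength.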
The function follows an Encrypt-Decrypt-Encrypt (EDE) sequence:

C = E(K1, D(K2, E(K1, P)))
P = D(K1, E(K2, D(K1, C)))

The use of decryption in the second stage allows users of 3DES to decrypt data encrypted by users of the older single DES:

C = E(K1, D(K1, E(K1, P))) = E(K1, P)
P = D(K1, E(K1, D(K1, C))) = D(K1, C)

Two-key 3DES is an alternative to DES and has been adopted for use in the key management standards ANS X9.17 and ISO 8732. Coppersmith [COPP94] notes that the cost of a brute-force key search on 3DES is on the order of 2^112 ≈ (5 * 10^33), compared to single DES, exceeding 10^52.

Several attacks on 3DES have been proposed, although they are not practical. The first serious proposal came from Merkle and Hellman [MERK81]. Their plan involves finding plaintext values that produce a first intermediate value of A = 0 and then using the meet-in-the-middle attack to determine the two keys.

[Figure: Triple encryption. Encryption: P -> E (K1) -> A -> D (K2) -> B -> E (K1) -> C. Decryption: C -> D (K1) -> B -> E (K2) -> A -> D (K1) -> P.]

The attack is based on the observation that if we know A and C. The attacker does not know A, even if P and C are known, as long as the two keys are unknown. However, the attacker can choose a potential value of A and then try to find a known (P, C) pair that produces A.

1. Obtain n (P, C) pairs. This is the known plaintext. Keep the pairs sorted on the values of P.

2. Pick an arbitrary value a for A. For each of the 2^56 possible keys K1 = i, calculate the plaintext value Pi that produces a:

   Pi = D(i, a)

   For each Pi that matches a known plaintext, record the K1 value and the value of B that is produced for the (P, C) pair, assuming that value of K1:

   B = D(i, C)

For each of the 2^56 possible keys K2 = j, calculate the second intermediate value for our chosen value of a:

   Bj = D(j, a)

If Bj matches a recorded value of B, then the corresponding key i plus this value of j are candidate values for the unknown keys (K1, K2). If a candidate pair of keys produces the desired ciphertext, the task is complete.
For a given known (P, C) pair, the probability of selecting the unique value of a that leads to success is 1/2^64. With n (P, C) pairs, the probability of success for a single selected value of a is n/2^64. A result from probability theory is that the expected number of draws required to draw one red ball out of a bin containing n red balls and N - n green balls is (N + 1)/(n + 1) if the balls are not replaced. Thus, the expected running time of the attack is on the order of

[Figure: Two-key triple encryption with candidate pair of keys. Pi -> E (key i) -> a -> D (key j) -> Bj -> E (key i) -> Ci.]

TRIPLE DES WITH THREE KEYS

Although the attacks just described appear impractical, anyone using two-key 3DES may feel some concern. Researchers now feel that three-key 3DES is the preferred alternative. Three-key 3DES has an effective key length of 168 bits and is defined as

C = E(K3, D(K2, E(K1, P)))

ELECTRONIC CODE BOOK

In the electronic codebook (ECB) mode, plaintext is handled one block at a time and each block of plaintext is encrypted using the same key. The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext. The procedure is simply to break the message into b-bit blocks, padding the last block. Decryption is performed one block at a time, always using the same key.

[Figure: ECB encryption. Each plaintext block P1, P2, ..., PN is encrypted independently under the same key K to give C1, C2, ..., CN.]

[Figure: ECB decryption. Each ciphertext block C1, C2, ..., CN is decrypted independently under the same key K to give P1, P2, ..., PN.]

The plaintext consists of a sequence of b-bit blocks, P1, P2, ..., PN; the corresponding sequence of ciphertext blocks is C1, C2, ..., CN.

ECB:
Cj = E(K, Pj)    j = 1, ..., N
Pj = D(K, Cj)    j = 1, ..., N

The ECB method is ideal for a short amount of data, such as an encryption key. For lengthy messages, the ECB mode may not be secure. If the message has repetitive elements with a period of repetition that is a multiple of b bits, then these elements can be identified by the analyst.
LIMITATIONS OF ECB

Message repetitions may show in the ciphertext.
The weakness is due to the encrypted message blocks being independent.
Vulnerable to cut-and-paste attacks.
Main use is sending a few blocks of data.

CIPHER BLOCK CHAINING MODE

The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block. In effect, the processing of the sequence of plaintext blocks is chained together. The input to the encryption function for each plaintext block bears no fixed relationship to the plaintext block. As with the ECB mode, the CBC mode requires that the last block be padded to a full b bits if it is a partial block. For decryption, each ciphertext block is passed through the decryption algorithm, and the result is XORed with the preceding ciphertext block to produce the plaintext block.

Cj = E(K, [Cj-1 ⊕ Pj])

[Figure: CBC encryption. P1 is XORed with the IV, and each later block Pj with Cj-1; the result is encrypted under K to give C1, C2, ..., CN.]

[Figure: CBC decryption. Each Cj is decrypted under K and the result is XORed with the IV (for C1) or with Cj-1 to give P1, P2, ..., PN.]

Then

D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj]))
D(K, Cj) = Cj-1 ⊕ Pj
Cj-1 ⊕ D(K, Cj) = Cj-1 ⊕ Cj-1 ⊕ Pj = Pj

To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext.
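An added example (not from the original slides) of the ECB repetition weakness and of the CBC relations Cj = E(K, [Cj-1 ⊕ Pj]) and Pj = Cj-1 ⊕ D(K, Cj). The block cipher is a toy SHA-256-based Feistel network standing in for DES, and the key, the fixed IV and the message are constructed sample values.

```python
import hashlib

BLOCK = 16  # bytes per block; E/D below are a toy Feistel stand-in, not DES or AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def E(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def D(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def split(data):  # assumes len(data) is a multiple of BLOCK (no padding here)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return [E(key, p) for p in split(pt)]          # Cj = E(K, Pj)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in split(pt):
        prev = E(key, xor(prev, p))                # Cj = E(K, [Cj-1 xor Pj])
        out.append(prev)
    return out

def cbc_decrypt(key, iv, ct):
    # Pj = Cj-1 xor D(K, Cj), with the IV in place of C0
    return b"".join(xor(cp, D(key, c)) for cp, c in zip([iv] + ct[:-1], ct))

def repeated_blocks(ct):
    return len(ct) - len(set(ct))

# Constructed sample: three identical 16-byte records, then a different one.
KEY, IV = b"example-key", bytes(range(BLOCK))   # IV fixed only for reproducibility
MESSAGE = b"PAY 100 TO ALICE" * 3 + b"PAY 999 TO BOB!!"
ECB, CBC = ecb_encrypt(KEY, MESSAGE), cbc_encrypt(KEY, IV, MESSAGE)

print("repeated blocks, ECB vs CBC:", repeated_blocks(ECB), repeated_blocks(CBC))
print("CBC round trip:", cbc_decrypt(KEY, IV, CBC) == MESSAGE)
```

Counting repeated ciphertext blocks, as `repeated_blocks` does, is also a quick way to spot ECB use in captured data.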