[Slide 1] Lecture 4: Using Block Ciphers
Outline
• encrypting large messages
• checking integrity
• securing DES
[Slide 2] Electronic Code Book (ECB)
How to use a block cipher to encrypt a large message?
[Diagram: M1, M2, M3, M4 are each passed through E to give C1, C2, C3, C4]
• break message into blocks
• encrypt each block separately with secret key
[Slide 3] Problems with ECB
• same plaintext block produces same ciphertext
  – can be analyzed, rearranged
[Figure: a plaintext image beside its ECB-encrypted ciphertext]
[Slide 4] One-Time Pad
• proven (Shannon): XOR a message with a (truly) random number (never reuse it again) – unbreakable (no information is given away)
• one-time pad – such usage of random numbers
• stream cipher – generates one-time pad and XORs it with the stream of plaintext to generate ciphertext
[Slide 5] Fixing ECB
• consider this: generate random numbers and XOR with blocks before encoding
[Diagram: each Mi is XORed with a random ri and then passed through E to give Ci; transmit r1, c1, r2, c2, r3, c3, r4, c4]
problems:
• need to send twice as much data
• can still rearrange blocks
• if two ciphertext blocks equal, know XOR of two plaintext blocks = XOR of the corresponding two random numbers
[Slide 6] Cipher Block Chaining (CBC)
• randomizes output by using previous ciphertext block
• first block is randomized using initialization vector (IV)
[Diagram: M1 is XORed with IV before E; each later Mi is XORed with C(i-1) before E; output is IV, C1, C2, C3, C4]
• how does CBC do decoding?
[Slide 7] CBC Decryption & Analysis
• What happens if Ci gets lost or garbled? How much data gets lost?
• assume an attacker knows block Mi and wants to change it, what does it need to change?
• can encryption/decryption be done in parallel?
[Diagram: each Ci is passed through D and XORed with C(i-1) (IV for C1) to recover Mi]
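Added example (not from the lecture): a constructed 4-round Feistel cipher stands in for E/D, and ECB and CBC are built on top of it, so the two questions above can be checked directly: equal blocks leak under ECB but not CBC, and a single garbled Ci damages only Mi (garbage) and M(i+1) (same bit flipped). The key, message and hash-based round function are assumptions for illustration; messages are assumed to be a whole number of 8-byte blocks.

```python
import hashlib
BLOCK = 8  # 64-bit blocks, like DES; messages are assumed to be a whole number of blocks

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Constructed keyed round function (stand-in for the DES f-function), not a real cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(block: bytes, key: bytes) -> bytes:
    # 4-round Feistel network: an invertible keyed permutation playing the role of E.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, f(r, key, rnd))
    return r + l  # final swap, so D is the same loop with the rounds reversed

def toy_decrypt_block(block: bytes, key: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = r, xor(l, f(r, key, rnd))
    return r + l

def split_blocks(data: bytes) -> list: return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(msg: bytes, key: bytes) -> bytes:
    # ECB: every block encrypted independently, so equal plaintext blocks give equal ciphertext.
    return b"".join(toy_encrypt_block(m, key) for m in split_blocks(msg))

def cbc_encrypt(msg: bytes, key: bytes, iv: bytes) -> bytes:
    # CBC: XOR each plaintext block with the previous ciphertext block (the IV for block 1).
    prev, out = iv, []
    for m in split_blocks(msg):
        prev = toy_encrypt_block(xor(m, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    # Mi = D(Ci) XOR C(i-1): each plaintext block depends on only two ciphertext blocks.
    prev, out = iv, []
    for c in split_blocks(ct):
        out.append(xor(toy_decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def blocks_damaged_by_flip(msg: bytes, key: bytes, iv: bytes, bad: int) -> list:
    # Flip one ciphertext bit in block `bad`, decrypt, and report which plaintext blocks changed.
    ct = bytearray(cbc_encrypt(msg, key, iv))
    ct[bad * BLOCK] ^= 0x01
    pt = cbc_decrypt(bytes(ct), key, iv)
    return [i for i, (p, m) in enumerate(zip(split_blocks(pt), split_blocks(msg))) if p != m]
```

With the constructed message `b"ATTACK!!ATTACK!!RETREAT!ATTACK!!"` (blocks 0, 1 and 3 identical), `ecb_encrypt` repeats the same ciphertext block three times while `cbc_encrypt` gives four distinct blocks, and `blocks_damaged_by_flip(..., bad=1)` returns `[1, 2]`.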
[Slide 8] Output Feedback (OFB) Mode
• OFB is a stream cipher
• IV-based, IV is transmitted in clear
• two versions
  – no shifting
    • pad1 = e(IV, key)
    • pad2 = e(pad1, key)
    • padi = e(pad(i-1), key)
  – k-bit shifting (see pic)
• advantages
  – the pad can be pre-generated – no costly operations at run-time (good for multimedia or resource-constrained devices)
  – how much info is affected if portion of ciphertext is garbled/lost?
• problems
  – if known plaintext, can be altered
  – is random access possible?
  – can encryption/decryption be done in parallel?
[Figure: k-bit shifting version of OFB]
[Slide 9] Cipher Feedback (CFB) Mode
• similar to OFB
• message data is also used to generate padding
• advantages
  – is random access possible?
  – what if part of ciphertext is garbled/lost/duplicated?
• problems
  – is OFB-like pad pre-generation possible?
  – can it be altered if plaintext is known?
  – can encryption/decryption be done in parallel?
[Slide 10] Counter (CTR) Mode
• CTR is another stream cipher
• to create pad, IV is incremented and encrypted
  – is random access possible?
  – what if part of ciphertext is garbled/lost/duplicated?
  – is pad pre-generation possible?
  – can encryption/decryption be done in parallel?
  – is known plaintext alteration possible?
[Slide 11] Integrity checking
• automated integrity checking – computer should be able to detect tampering (a human presence should not be required; otherwise any “garbage” can pass through)
• message authentication code (MAC) – a cryptographic checksum generated with the help of a key
• CBC, OFB, CFB and CTR – good security, integrity vulnerable
[Slide 12] CBC Residue
• Do CBC encryption on M using key K, throw away all but last block.
• send message in clear + the “residue”
• Used in banking
• Has property that if you don’t know the key you can’t generate (or verify) the MAC, or modify the message without (probably) changing the MAC
• however, can generate an arbitrary message matching MAC
[Diagram: IV, M1..M4 chained through E as in CBC; C1, C2, C3 are discarded and only the last block, the residue, is kept]
[Slide 13] Joint Privacy and Integrity
• concurrently use two CBCs – one for privacy, the other for integrity
• why can’t use only one for both?
[Slide 14] Securing DES
• purpose: retain the same mechanism, expand key size
• why not double DES?
  – encrypt with K1 twice. How much more work (over DES) for good guys? Bad guys?
  – encrypt with K1 then K2. What is time/memory for bad guys? Good guys?
• subject to subtle known plaintext attack
[Slide 15] 3DES
• Defined as doing EDE with K1, K2, K3, but standardly K1 is set equal to K3.
  – reason: because of known-plaintext attack, 3DES is considered to only have time-strength equal to 112 bit key, not 168.
  – also, 112 bits considered enough (for now).
• why EDE instead of EEE?
  – Initial and final permutations would cancel each other out with EEE (minor advantage to EDE)
  – EDE compatible with single DES if K1=K2=K3.
[Slide 16] 3DES and CBC
• CBC is defined to be done on the outside of 3DES
  – same integrity problems as with regular CBC
• CBC can potentially be done on the inside of 3DES
  – more secure against tampering
  but
  – more work
  – garbling/losing/duplicating of one block garbles the rest of message