Upload
hope-parks
View
291
Download
2
Tags:
Embed Size (px)
Citation preview
1
Chapter 3Symmetric Key
CryptoStream Ciphers
Block CiphersBlock Cipher Modes
Integrity
Chapter 3 Symmetric Key Crypto
Chapter 3 Symmetric Key Crypto 2
Symmetric Key Crypto
Stream cipher like a one-time pad Key is relatively short Key is stretched into a long keystream Keystream is then used like a one-time pad
except provable security Employ confusion only
Chapter 3 Symmetric Key Crypto 3
Symmetric Key Crypto Examples of Stream cipher
A5/1: employed GSM cell phones Representative stream cipher based in H/W
RC4: used SSL protocol Almost unique stream cipher since efficiently implemented
in S/W
Chapter 3 Symmetric Key Crypto 4
Symmetric Key Crypto
Block cipher based on codebook concept Block cipher key determines a “electronic”
codebook Each key yields a different codebook Employ both “confusion” and “diffusion”
Chapter 3 Symmetric Key Crypto 5
Symmetric Key Crypto
Examples of Block cipher Data Encryption Stantard(DES): relatively
simple, Advanced Encryption STD(AES) International Data Encrytption Alg.(IEDA) Blowfish, RC6 Tiny Encryption Algorithm
Symmetric Key Crypto
Mode of Operation of block cipher Examples of block cipher mode Op
Electronic codebook (EOB) Cipher-block chaining (CBC) Cipher feedback (CFB) Output feedback (OFB) Counter (CTR)
Data integrity of block cipher Message Authentication code (MAC)
Chapter 3 Symmetric Key Crypto 6
Symmetric Key Crypto
Goal of this section Introduce symmetric ciphers Understand their inner working and
uses Focus more on the “how” than the
“why” To understand :”why” -> need to
understand cryptanalysis (Chapter 6)
Chapter 3 Symmetric Key Crypto 7
Chapter 3 Symmetric Key Crypto 8
Stream Ciphers
Chapter 3 Symmetric Key Crypto 9
Stream Ciphers
Not as popular today as block ciphers Key K of n bits stretches it into a long
keystream Function of stream cipher
StreamCipher(K) = S where K:key, S:keystream S is used like a one-time pad
c0 = p0 s0, c1 = p1 s1, c2 = p2 s2, … p0 = c0 s0, p1 = c1 s1, p2 = c2 s2, …
Sender and receiver have same stream cipher algorithm and both know the key K
Chapter 3 Symmetric Key Crypto 10
Stream Ciphers We’ll discuss two examples A5/1
Based on linear feedback shift registers Used in GSM mobile phone system
A5/1 is used in Europe and the United States; A5/2, is used in countries that are not
considered trustworthy enough to have strong crypto.
RC4 Based on a changing lookup table Used many places – SSL
Chapter 3 Symmetric Key Crypto 11
A5/1
Chapter 3 Symmetric Key Crypto 12
A5/1
A5/1 is Representative stream cipher based in H/W
Consists of 3 Linear feedback shift registers
X: 19 bits (x0, x1, x2, …, x18)
Y: 22 bits (y0, y1, y2, ………, y21)
Z: 23 bits (z0, z1, z2, ………….,z22)
X+Y+Z = 64 bits
Chapter 3 Symmetric Key Crypto 13
A5/1
At each step: m = maj(x8, y10, z10) Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1
If x8 = m then X steps t = x13 x16 x17 x18 xi = xi1 for i = 18, 17, …, 1 and x0 = t
If y10 = m then Y steps t = y20 y21 yi = yi1 for i = 21, 20, …, 1 and y0 = t
If z10 = m then Z steps t = z7 z20 z21 z22 zi = zi1 for i = 22, 21, …, 1 and z0 = t
Keystream bit is x18 y21 z22
Chapter 3 Symmetric Key Crypto 14
A5/1
Each value is a single bit Key is used as initial fill of registers Each register steps or not, based on (x8, y10, z10) Keystream bit is XOR of right bits of registers
y0 y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16 y17 y18 y19 y20 y21
z0 z1 z2 z3 z4 z5 z6 z7 z8 z9 z10 z11 z12 z13 z14 z15 z16 z17 z18 z19 z20 z21 z22
X
Y
Z
x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18
From Wikipedia
Chapter 3 Symmetric Key Crypto 15
Chapter 3 Symmetric Key Crypto 16
A5/1
In this example, m = maj(x8, y10, z10) = maj(1,0,1) = 1 Register X steps, Y does not step, and Z steps Keystream bit is XOR of right bits of registers Here, keystream bit will be 0 1 0 = 1
1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1
1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1
X
Y
Z
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
Chapter 3 Symmetric Key Crypto 17
RC4
Chapter 3 Symmetric Key Crypto 18
RC4
RC4 Optimized for software implementation, whereas A5/1 for hardware
RC4 produces a keystream BYTE at each step, whereas A5/1 only produce a single keystream bit
Chapter 3 Symmetric Key Crypto 19
RC4
RC4 is remarkably simple Because it is essentially just lookup
table containing permutation of the 256(28)-byte values
Each time a byte of keystream is produced, the lookup table is modified in such a way that the table always contains a permutation of {0,1,2,…256}
Chapter 3 Symmetric Key Crypto 20
RC4 Initialization The first phase -
initialize the lookup table using key Key: key[i] for
i=0,1,…,N-1 where key[i] is a byte
Lookup table: S[i] is a byte
Key can be any length 0 to 256 bytes Key is only use to
initialize the permutation S
S[] is permutation of 0,1,…,255
key[] contains N bytes of key
for i = 0 to 255S[i] = iK[i] = key[i (mod N)]
next ij = 0for i = 0 to 255
j = (j + S[i] + K[i]) mod 256
swap(S[i], S[j])next ji = j = 0
Chapter 3 Symmetric Key Crypto 21
RC4 Keystream The next phase – each keystream byte is
generated according the following algorithm
i = (i + 1) mod 256j = (j + S[i]) mod 256swap(S[i], S[j])t = (S[i] + S[j]) mod 256keystreamByte = S[t]
Use keystream bytes like a one-time pad Note: first 256 bytes must be discarded
Otherwise attacker may be able to recover key
Chapter 3 Symmetric Key Crypto 22
Stream Ciphers
Stream ciphers were big in the past Efficient in hardware Speed needed to keep up with voice,
etc. Today, processors are fast, so
software-based crypto is fast enough Future of stream ciphers?
Shamir: “the death of stream ciphers” May be exaggerated…
Chapter 3 Symmetric Key Crypto 23
Block Ciphers
Chapter 3 Symmetric Key Crypto 24
Block Cipher
Plaintext and ciphertext consists of fixed sized blocks
Design goal: security and efficiency It is not easy to design a block cipher that is
secure and efficient
Chapter 3 Symmetric Key Crypto 25
(Iterated) Block Cipher
Ciphertext obtained from plaintext by iterating a round function
Input to round function consists of key and the output of previous round
Usually implemented in software
Typical Type is Feistel Cipher
Chapter 3 Symmetric Key Crypto 26
Feistel Cipher
Feistel cipher refers to a type of block cipher design, not a specific cipher
Split plaintext block into left and right halves: Plaintext = (L0,R0)
For each round i=1,2,...,n, computeLi= Ri1
Ri= Li1 F(Ri1,Ki)
where F is round function and Ki is subkey
Ciphertext = (Ln,Rn)
Chapter 3 Symmetric Key Crypto 27
Feistel Cipher
Decryption: Ciphertext = (Ln,Rn) For each round i=n,n1,…,1, compute
Ri1 = Li
Li1 = Ri F(Ri1,Ki)
where F is round function and Ki is subkey
Plaintext = (L0,R0) Formula “works” for any function F But only secure for certain functions F
Ex: F(Ri-1, Ki) = 0 for all Ri-1 and Ki -> not secure
Chapter 3 Symmetric Key Crypto 28
Data Encryption Standard
Chapter 3 Symmetric Key Crypto 29
Data Encryption Standard
DES developed in 1970’s Based on IBM Lucifer cipher U.S. government standard DES development was controversial
NSA was secretly involved Design process not open Key length was reduced Subtle changes to Lucifer algorithm
National Security Agency/Central Security Service
Chapter 3 Symmetric Key Crypto 30
Chapter 3 Symmetric Key Crypto 31
DES Numerology ( 수비학 )
DES is a Feistel cipher 64 bit block length 56 bit key length 16 rounds 48 bits of key used each round (subkey)
Each round is simple (for a block cipher) Security depends primarily on “S-boxes”
Each S-boxes maps 6 bits to 4 bits Total 8 S-boxes
Chapter 3 Symmetric Key Crypto 32
One Round of DES
L
expandL
R
S-boxes(8)
P Box
L R
key
R
Compress
key
48
32 32
32
48
32
32
32
48
28
2828
28
28 28
Next Slide
Chapter 3 Symmetric Key Crypto 33
DES Expansion Permutation
Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Output 48 bits
31 0 1 2 3 4 3 4 5 6 7 8
7 8 9 10 11 12 11 12 13 14 15 16
15 16 17 18 19 20 19 20 21 22 23 24
23 24 25 26 27 28 27 28 29 30 31 0 BACK
Chapter 3 Symmetric Key Crypto 34
DES S-box 8 “substitution boxes” or S-boxes Each S-box maps 6 bits to 4 bits S-box number 1
0000
0001
0010
0011
0100
0101
0110
0111
1000
1001
1010
1011
1100
1101
1110
1111
00
1110
0100
1101
0001
0010
1111
1011
1000
0011
1010
0110
1100
0101
1001
0000
0111
01
0000
1111
0111
0100
1110
0010
1101
0001
1010
0110
1100
1011
1001
0101
0011
1000
10
0100
1101
1110
1000
1101
0110
0010
1011
1111
1100
1001
0111
0011
1010
0101
0000
11
1111
1100
1000
0010
0100
1001
0001
0111
0111
1011
0011
1110
1010
0000
0110
1101
input bits (0,5)
input bits (1,2,3,4)
BACK
Chapter 3 Symmetric Key Crypto 35
DES P-box
Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Output 32 bits15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9
1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24
BACK
Chapter 3 Symmetric Key Crypto 36
DES Subkey
56 bit DES key, numbered 0,1,2,…,55
49 42 35 28 21 14 7
0 50 43 36 29 22 15
8 1 51 44 37 30 23
16 9 2 52 45 38 31
Left half key bits, LK
Right half key bits, RK55 48 41 34 27 20 13
6 54 47 40 33 26 19
12 5 53 46 39 32 25
18 11 4 24 17 10 3
Chapter 3 Symmetric Key Crypto 37
DES Subkey
For rounds i=1,2,...,16 Let LK = (LK circular shift left by ri) Let RK = (RK circular shift left by ri) Left half of subkey Ki is of LK bits13 16 10 23 0 4 2 27 14 5 20 922 18 11 3 25 7 15 6 26 19 12 1
Right half of subkey Ki is RK bits12 23 2 8 18 26 1 11 22 16 4 1915 20 10 27 5 24 17 13 21 7 0 3
Chapter 3 Symmetric Key Crypto 38
DES Subkey
For rounds 1, 2, 9 and 16 the shift ri is 1, and in all other rounds ri is 2
Bits 8,17,21,24 of LK omitted each round Bits 6,9,14,25 of RK omitted each round Compression permutation yields 48 bit
subkey Ki from 56 bits of LK and RK Key schedule generates subkey
BACK
Chapter 3 Symmetric Key Crypto 39
DES Last Word (Almost)
An initial perm P before round 1 Halves are swapped after last round A final permutation (inverse of P) is
applied to (R16,L16) to yield ciphertext None of these serve any security
purpose
Chapter 3 Symmetric Key Crypto 40
Security of DES
Security of DES depends a lot on S-boxes Everything else in DES is linear
Thirty years of intense analysis has revealed no “back door”
Attacks today use exhaustive key search Inescapable conclusions
Designers of DES knew what they were doing Designers of DES were ahead of their time
Exhaustive Key Search time
Key size(bits)
# of possible keys
Execution time(1 Encypt/us)
Execution time(10 Encypt/us)
3256128168
232=4.3X109
256=7.2X1016
2128=4.3X103
8
2168=4.3X105
0
231us=35.8 min 255 us=1142 yrs 2127 us=5.4X1024
yr 2167 us=5.9X1036
yr
2.15 ms10.01 hrs5.4X1018 yrs5.9X1030 yr
Chapter 3 Symmetric Key Crypto 42
Block Cipher Notation
P = plaintext block C = ciphertext block Encrypt P with key K to get ciphertext C
C = E(P, K) Decrypt C with key K to get plaintext P
P = D(C, K) Note that
P = D(E(P, K), K) and C = E(D(C, K), K)
Chapter 3 Symmetric Key Crypto 43
Double DES
DES’s key length is insufficient today. A clear way to use DES with a larger key
length: intuitively “double DES” C = E(E(P,K),K) ?
Problem: Still just 56 bit key
C = E(E(P,K1),K2) ? There is an attack that is more-or-less
equivalent to single DES Although the attack is somewhat impractical,
it’s close enough to being practical
Chapter 3 Symmetric Key Crypto 44
Double DES attack
C = E(E(P,K1),K2) Attack: chosen plaintext attack For particular P, precompute table of E(P,K)
for every possible key K (resulting table has 256 entries)
Given this table(C= E(P,K), K) and C corresponding to chosen P
Then for each possible K2, compute D(C,K2) until a match in table is found Here, P = D(C,K2) → E(P,K2) = E(D(C,K2), K2) = C,
that is, D(C,K2) should be in the table
Chapter 3 Symmetric Key Crypto 45
Double DES attack
When match is found, have E(P,K1) = D(C,K2)
Result is keys: C = E(E(P,K1),K2) where K1 and K2 are known, i.e. C is decrypted
Neglecting the work needed to precompute the table, the work consists of computing D(C,K) until we find a match in the table
This has an expected work of 255 : single DES exhausted key search work
So, double DES is not secure
Chapter 3 Symmetric Key Crypto 46
Triple DES
Logical approach to triple DES
But practically, Triple DES is C = E(D(E(P,K1),K2),K1)
P = D(E(D(C,K1),K2),K1) (112 bit key)
Chapter 3 Symmetric Key Crypto 47
Triple DES
Why use Encrypt-Decrypt-Encrypt (EDE) with 2 keys? (Why not EEE and not 3 keys?) Backward compatible with single DES:
If K1=K2=K then E(D(E(P,K),K),K) = E(P,K) And 112 bits is enough
3DES is popular today, But with coming of the AES, 3DES should fade from use over time
Chapter 3 Symmetric Key Crypto 48
Advanced Encryption STD
Chapter 3 Symmetric Key Crypto 49
AES History
Needs for replacement for DES DES had outlived its usefulness
Attacked by exhaustive key search: Special purpose DES crackers and distributed attack at internet
3DES is very resistant to crypto analysis but No efficient software code Too slow: 3 times as many rounds as DES 3DES use 64-bit block size: for reasons of both
efficient and security, a larger blk size desirable So, 3DES is not solution for long-term use
In 1997, NIST made a formal call for advanced encryption standard algorithms
AES History
GOAL: replace DES for both government and private sector encryption.
ROC of AES Unclassified, publicly disclosed encryption
algorithm, available royalty-free, worldwide. The algorithm must implement symmetric key Cryptography as a block cipher and (at a minimum)
support block sizes of 128-bits and key sizes of 128- , 192-, and 256-bits.
In 1998, NIST announced a group of 15 AES candidate algorithms.
Chapter 3 Symmetric Key Crypto 50
Chapter 3 Symmetric Key Crypto 51
AES History
Criteria for selecting AES: Security, Robustness, Speed
In 1999, out of 15, the selection was narrowed to 5 candidates: MARS, RC6, Rijndael, Serpent, and Twofish.
All the five protocols were thought to be secure On October 2, 2000, NIST has selected Rijndael
to propose for the AES. Pronounced like “Rain Doll” or “Rhine Doll” Invented by Joan Daemen and Vincent Rijmen
AES Features
Designed to be efficient in both hardware and software across a variety of platforms.
Not a Feistel Network Iterated block cipher (like DES) Not a Feistel cipher (unlike DES) “Secure forever” – Shamir
Chapter 3 Symmetric Key Crypto 52
AES Features
Rijndael proposed a variable block size, 128,192, 256-bits, key size of 128-, 192-, or 256-bits. Variable number of rounds (10, 12, 14):
10 if B = K = 128 bits 12 if either B or K is 192 and the other is ≤
192 14 if either B or K is 256 bits
But note: AES uses a 128-bit block size.
Chapter 3 Symmetric Key Crypto 53
AES Overview
Definition: State→ 4X4 array of bytes 128 bits = 16 bytes
Variable number of rounds (10, 12, 14): 10 if K is 128 bits 12 if K is 192 bites 14 if K is 256 bits
128-bit round key used for each round: 128 bits = 16 bytes = 4 words needs Nr+1 round keys for Nr rounds
needs 44 words for 128-bit key (10 rounds)
Chapter 3 Symmetric Key Crypto 54
Chapter 3 Symmetric Key Crypto 55
AES Overview
Each round uses 4 functions (in 3 “layers”) 4 functions: 1 of permutation and 3 substitutions 3 layers: Linear, Nonlinear and Key addition
Permutation Linear mixing layer: ShiftRow (State)
Substitutions Nonlinear layer: ByteSub (State, S-box) Nonlinear layer: MixColumn (State) Key addition layer: AddRoundKey (State, KeyNr)
AES: High-Level Description
State = XAddRoundKey(State, Key0) (op1)for r = 1 to Nr - 1
SubBytes(State, S-box) (op2)ShiftRows(State) (op3)MixColumns(State) (op4)AddRoundKey(State, KeyNr)
endforSubBytes(State, S-box)ShiftRows(State)AddRoundKey(State, KeyNr)Y = State
Chapter 3 Symmetric Key Crypto 56
State: 4 X 4 array of bytes: 128 bits = 16 bytes
Chapter 3 Symmetric Key Crypto 57
AES AddRoundKey
RoundKey (subkey) determined by key schedule algorithm
We will ignore the AES key schedule
XOR subkey with block: Assume 128-bits block
Chapter 3 Symmetric Key Crypto 58
AES ByteSub
ByteSub is AES’s “S-box” Can be viewed as nonlinear (but invertible)
composition of two math operations
Assume 128 bit block, i.e. 4ⅹ4 bytes
AES BytesSub
Byte substitution using non-linear S-Box (independently on each byte).
S-box is represented as a 16x16 array, rows and columns indexed by hexadecimal bits
8 bits replaced as follows: 8 bits defines a hexadecimal number
(r,c), then (sr,sc) = binary(Sbox(r, c))
Chapter 3 Symmetric Key Crypto 59
Chapter 3 Symmetric Key Crypto 60
AES “S-box”
First 4bits ofinput
Last 4 bits of input
Example: hexa 53 is replaced with hexa ED
Chapter 3 Symmetric Key Crypto 61
AES ShiftRow
Cyclic shift rows
Chapter 3 Symmetric Key Crypto 62
AES MixColumn
Implemented as a (big) lookup table
Nonlinear, invertible operation applied to each column
Chapter 3 Symmetric Key Crypto 63
AES Decryption
To decrypt, process must be invertible Inverse of AddRoundKey is easy, since
is its own inverse MixColumn is invertible (inverse is also
implemented as a lookup table) Inverse of ShiftRow is easy (cyclic shift
the other direction) ByteSub is invertible (inverse is also
implemented as a lookup table)
AES Design Rationale
Substitute Byte To be resistant to known cryptanalytic
attacks by making a low correlation between input bits and output bits.
Shift Row Note input and output are treated as
State(4X4 array) To move an individual byte from one
column to another
Chapter 3 Symmetric Key Crypto 64
AES Design Rationale
Mix Column To ensure a good mixing the bytes of
each column Add Round Key
To affect every bit of State The complexity of the round key
expension ensure security
Chapter 3 Symmetric Key Crypto 65
Chapter 3 Symmetric Key Crypto 66
A Few Other Block Ciphers
Briefly… IDEA Blowfish RC6
More detailed… TEA
Chapter 3 Symmetric Key Crypto 67
IDEA
International Data Encryption Alg Invented by Xuejia Lai ( 學嘉來 ) and James
Massey One of the giants of modern crypto Used in Pretty Good Privacy(PGP) V2.0
Characteristics IDEA uses mixed-mode arithmetic
IDEA the first to use this approach Frequently used today
64-bit block, 128-bit key 8 rounds, operates on 16-bit numbers
Chapter 3 Symmetric Key Crypto 68
IDEA
mixed-mode arithmetic
Bitwise eXclusive OR (denoted with a blue ⊕)
Addition modulo 216 (denoted with a green )
Multiplication modulo 216+1, where the all-zero word (0x0000) is interpreted as 216 (denoted by a red )
Chapter 3 Symmetric Key Crypto 69
Blowfish
Invented by Bruce Schneier Characteristics
Block length: 64-bit blocks Key is variable length, up to 448 bits Fast Compact: can run in less than 5K of memory Simple: simple structure and to implement Variably secure: dependent on the key
length Key-dependent S-boxes
S-boxes determined by the key
Chapter 3 Symmetric Key Crypto 70
Blowfish Almost a Feistel
cipherRi = Li1 Ki
Li = Ri1 F(Li1 Ki)
The round function F uses 4 S-boxes Each S-box maps
8 bits to 32 bits Key-dependent
S-boxes S-boxes
determined by the key
Where Pi: round key
Chapter 3 Symmetric Key Crypto 71
RC6
Invented by Ron Rivest Public key: RSA, Block cipher: RC6 Stream cipher: RC4, Hash function: MD5,
Characteristics Variables
Block size, Key size, Number of rounds Very fast, Clean and simple design An AES finalist Uses data dependent rotations
Unusual to rely on data as part of algorithm
Chapter 3 Symmetric Key Crypto 72
Tiny Encryption Algorithm
Invented by David Wheeler Characteristics
64 bit block, 128 bit key Assumes 32-bit arithmetic
Targeting 32-bit computer Operation based on modulo 232
Number of rounds is variable 32 is considered secure
Uses “weak” round function, so large number rounds required
Chapter 3 Symmetric Key Crypto 73
Tiny Encryption Algorithm
Trade off between complexity of each round and no. of rounds DES: balance between these two. (16) AES: reduce the no. of rounds and more
complex round function (10,12,14) TEA: simple round function and large
no. of rounds 32 is considered secure
Chapter 3 Symmetric Key Crypto 74
TEA EncryptionAssuming 32 rounds:
(<<: L shift, >> R shift)
(K[0],K[1],K[2],K[3]) = 128 bit key
(L,R) = plaintext (64-bit block)delta = 0x9e3779b9sum = 0for i = 1 to 32 sum = sum+delta L = L +
((R<<4)+K[0])^(R+sum) ^((R>>5)+K[1])
R = R + ((L<<4)+K[2])^(L+sum)
^((L>>5)+K[3])next iciphertext = (L,R)
Chapter 3 Symmetric Key Crypto 75
TEA Decryption
Assuming 32 rounds:(K[0],K[1],K[2],K[3]) = 128 bit key(L,R) = ciphertext (64-bit block)delta = 0x9e3779b9sum = delta << 5for i = 1 to 32 R = R - ((L<<4)+K[2])^(L+sum)^((L>>5)+K[3]) L = L - ((R<<4)+K[0])^(R+sum)^((R>>5)+K[1])
sum = sum - deltanext iplaintext = (L,R)
Chapter 3 Symmetric Key Crypto 76
TEA comments
Almost a Feistel cipher Uses + and - instead of (XOR) Need to separate encryption and decryption
routines Simple, easy to implement, fast, low
memory requirement, etc. Possibly a related key attack
If a cryptanalyst knows that two TEA messages are encrypted with keys that are related to each other in a special way, then the plaintext can be recovered
Chapter 3 Symmetric Key Crypto 77
TEA comments
eXtended TEA (XTEA) eliminates related key attack (slightly more complex)
Simplified TEA (STEA) insecure version used as an example for cryptanalysis
Chapter 3 Symmetric Key Crypto 78
Block Cipher Modes
Chapter 3 Symmetric Key Crypto 79
Symmetric cipher encryption
Stream cipher is easy: keystream is the same length as the
plaintext and XOR How to encrypt multiple blocks?
A new key for each block? As bad as (or worse than) a one-time pad!
Encrypt each block independently? Make encryption depend on previous
block(s), i.e., “chain” the blocks together? How to handle partial blocks?
Chapter 3 Symmetric Key Crypto 80
Modes of Operation
Many encryption ways (modes of operation) for multiple block cipher we discuss three Electronic Codebook (ECB) mode
Obvious thing to do Encrypt each block independently There is a serious weakness
Cipher Block Chaining (CBC) mode Chain the blocks together More secure than ECB, virtually no extra work
Counter Mode (CTR) mode Acts like a stream cipher Popular for random access
Chapter 3 Symmetric Key Crypto 81
ECB(Electronic Codebook) Mode
Notation: C=E(P,K) Given plaintext P0, P1, …, Pm, … Obvious way to use a block cipher is
Encrypt DecryptC0 = E(P0, K), P0 = D(C0, K),
C1 = E(P1, K), P1 = D(C1, K),
C2 = E(P2, K),… P2 = D(C2, K),…
For a fixed key K, this is an electronic version of a codebook cipher
A new codebook for each key
ECB Mode
Chapter 3 Symmetric Key Crypto 82
Chapter 3 Symmetric Key Crypto 83
ECB Cut and Paste Attack
Suppose plaintext is Alice digs Bob. Trudy digs Tom.
Assuming 64-bit blocks and 8-bit ASCII:P0 = “Alice di”, P1 = “gs Bob. ”,
P2 = “Trudy di”, P3 = “gs Tom. ” Ciphertext: C0, C1, C2, C3
Trudy cuts and pastes 복사 - 붙여넣기공격 : C0, C3, C2, C1
Decrypts asAlice digs Tom. Trudy digs Bob.
Chapter 3 Symmetric Key Crypto 84
ECB Weakness
Suppose Pi = Pj
Then Ci = Cj and Trudy knows Pi = Pj
This gives Trudy some information, even if she does not know Pi or Pj
We should not give the cryptanalyst anything for free.
Trudy might know Pi
Is this a serious issue? -> Next slide
Chapter 3 Symmetric Key Crypto 85
Alice Hates ECB Mode
Alice’s uncompressed image, Alice ECB encrypted (TEA)
Why does this happen? Same plaintext block same ciphertext!
Solution??? -> Next slide
Chapter 3 Symmetric Key Crypto 86
Cipher Block Chaining Mode
Blocks are “chained” together A random initialization vector, or IV, is
required to initialize CBC mode IV is random, but need not be secret
Encryption Decryption
C0 = E(IV P0, K), P0 = IV D(C0, K),
C1 = E(C0 P1, K), P1 = C0 D(C1, K),
C2 = E(C1 P2, K),… P2 = C1 D(C2, K),…
Cipher Block Chaining Mode
Chapter 3 Symmetric Key Crypto 87
Main drawbacks encryption is sequential (i.e., it cannot be
parallelized), the message must be padded to a multiple of the
cipher blk size.
Chapter 3 Symmetric Key Crypto 88
CBC Mode
Identical plaintext blocks yield different ciphertext blocks
Cut and paste is still possible, but more complex (and will cause garbles)
If C1 is garbled to, say, G then
P1 C0 D(G, K), P2 G D(C2, K)
But P3 = C2 D(C3, K), P4 = C3 D(C4, K),…
Automatically recovers from errors!
Chapter 3 Symmetric Key Crypto 89
Alice Likes CBC Mode
Alice’s uncompressed image, Alice CBC encrypted (TEA)
Why does this happen? Same plaintext yields different ciphertext!
Chapter 3 Symmetric Key Crypto 90
Counter (CTR) Mode
CTR is popular for random access Use block cipher like stream cipher
Encryption DecryptionC0 = P0 E(IV, K), P0 = C0 E(IV, K),
C1 = P1 E(IV+1, K), P1 = C1 E(IV+1, K),
C2 = P2 E(IV+2, K),… P2 = C2 E(IV+2, K),…
EBC can also be used for random access!!!
Chapter 3 Symmetric Key Crypto 91
Counter (CTR) Mode