Cryptography continued…


Today
- Information security principles
- Code book
- Rotor machine
- Block vs stream ciphers
- Feistel cipher design

Information Security Principles
10 generally accepted basic principles.

Principle 1: There is no such thing as absolute security
- Given enough time, tools, skills and inclination, a hacker can break through any security measure.
- E.g. safes & vaults are usually rated according to their resistance to attacks. How long would it take?

Principle 2: C-I-A
- All information security tries to address at least one of the three:
- Protect the Confidentiality of data
- Preserve the Integrity of data
- Promote the Availability of data

CIA Triad

Security controls by role: Prevent / Detect / Response

                                 Prevent                   Detect                    Response
    E.g. Bank                    Human guard / door lock   CCTV / motion sensor      Alarm / tear gas
    E.g. Internet-attached       Firewall (IPS)            IDS / traffic analyzer    Automatic traffic block
         devices

Principle 3: Defense in depth
- Layered security approach

Principle 4: People are easily tricked into giving up secrets
- Studies have proved it!
- Pen-for-password study
- "I love you" virus

Principle 5: Security through obscurity
- If hackers don't know how software is secured, does that make security better?
- WRONG!!!!! It leads to a false sense of security!

Principle 6: Security = risk management
- Careful balance of the above two. E.g. buying a $500 safe to secure $200 jewelry.
- Risk analysis: likelihood / consequence
- Mitigate, insure, or accept

Principle 7: 3 types of security controls
- Preventive
- Detective
- Responsive

Principle 8: People, process & technology
- All are needed to adequately secure a system. E.g. a firewall without a process.
- Dual control
- Separation of duties

Principle 9: Open disclosure of vulnerabilities is good for security!

- To disclose or not to disclose; that is the question!
- E.g. automobile defects
- The ethical question is how that valuable information should be disseminated to the good guys while keeping it away from the bad guys!
- Anyhow, hackers know about most vulnerabilities long before the public!
- A problem shared is half solved!

Principle 10: Complexity is the enemy of security
- With too many interfaces between programs and other systems, the interfaces become difficult to secure.

Codebook Cipher
- Literally, a book filled with codewords
- Zimmerman Telegram encrypted via codebook:
    Februar          13605
    fest             13732
    finanzielle      13850
    folgender        13918
    Frieden          17142
    Friedenschluss   17149
    :                :
- Modern block ciphers are codebooks! More about this later.

Codebook Cipher: Additive
- In practice, an additive was also used
- Additive book of random numbers
- Sender encrypts msg with codebook
- Then chooses a position in the additive book
- Adds the additive numbers to get the ciphertext
- Sends the ciphertext and the additive position (MI)
- Recipient subtracts the additives before decrypting
- Why use an additive sequence?

Zimmerman Telegram
- Perhaps the most famous codebook ciphertext ever
- A major factor in U.S. entry into WWI

Zimmerman Telegram Decrypted
- British had recovered a partial codebook
- Then able to fill in the missing parts

Rotor Machines
- Before modern ciphers, rotor machines were the most common complex ciphers in use
- Widely used in WW2: German Enigma, Allied Hagelin, Japanese Purple
- Implemented a very complex, varying substitution cipher
- Used a series of cylinders, each giving one substitution, which rotated and changed after each letter was encrypted
- With 3 cylinders have 26^3 = 17576 alphabets

The next major advance in ciphers required the use of mechanical cipher machines, which enabled the use of complex varying substitutions. A rotor machine consists of a set of independently rotating cylinders through which electrical pulses can flow. Each cylinder has 26 input pins and 26 output pins, with internal wiring that connects each input pin to a unique output pin. If we associate each input and output pin with a letter of the alphabet, then a single cylinder defines a monoalphabetic substitution. After each input key is depressed, the cylinder rotates one position, so that the internal connections are shifted accordingly. The power of the rotor machine is in the use of multiple cylinders, in which the output pins of one cylinder are connected to the input pins of the next, and with the cylinders rotating like an odometer, leading to a very large number of substitution alphabets being used, e.g. with 3 cylinders have 26^3 = 17576 alphabets used. They were extensively used in World War 2, and the history of their use and analysis is one of the great stories from WW2.

Hagelin Rotor Machine

This photo of an Allied Hagelin machine was taken by Lawrie Brown at Eurocrypt'93 in Norway. Note the pen for scale, and the rotating cipher wheels near the front.

Rotor Machine Principles

The basic principle of the rotor machine is illustrated in Figure 2.8. The machine consists of a set of independently rotating cylinders through which electrical pulses can flow. Each cylinder has 26 input pins and 26 output pins, with internal wiring that connects each input pin to a unique output pin. If we associate each input and output pin with a letter of the alphabet, then a single cylinder defines a monoalphabetic substitution. If an operator depresses the key for the letter A, an electric signal is applied to the first pin of the first cylinder and flows through the internal connection to the twenty-fifth output pin. Consider a machine with a single cylinder. After each input key is depressed, the cylinder rotates one position, so that the internal connections are shifted accordingly. Thus, a different monoalphabetic substitution cipher is defined. After 26 letters of plaintext, the cylinder would be back to the initial position. Thus, we have a polyalphabetic substitution algorithm with a period of 26. A single-cylinder system is trivial and does not present a formidable cryptanalytic task. The power of the rotor machine is in the use of multiple cylinders, in which the output pins of one cylinder are connected to the input pins of the next. Figure 2.8 shows a three-cylinder system. With multiple cylinders, the one closest to the operator input rotates one pin position with each keystroke. The right half of Figure 2.8 shows the system's configuration after a single keystroke. For every complete rotation of the inner cylinder, the middle cylinder rotates one pin position. Finally, for every complete rotation of the middle cylinder, the outer cylinder rotates one pin position. The result is that there are 26 × 26 × 26 = 17,576 different substitution alphabets used before the system repeats.

What have we learned?

Old crypto basics
- Substitution: monoalphabetic, polyalphabetic, one-time
- Code book
- Transposition: Spartans (skytale), rail fence, row transposition
- Product ciphers

Modern crypto: Taxonomy of Cryptography
- Symmetric key: the same key for encryption and decryption. Two types: stream cipher, block cipher
- Public key (or asymmetric crypto): two keys, one for encryption (public) and one for decryption (private). Also digital signatures, not possible before
- Hash algorithms (crypto hash functions): one-way crypto for integrity

Symmetric Key Crypto
- Stream cipher: like a one-time pad, except that the key is relatively short
  - Key is stretched into a long keystream
  - Keystream is used just like a one-time pad
  - Employs substitution only
- Block cipher: based on the codebook concept
  - Block cipher key determines a codebook
  - Each key yields a different codebook
  - Employs both substitution and transposition

Block vs. Stream Ciphers

A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two users share a symmetric encryption key (Figure 3.1b). A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. In the ideal case, a one-time pad version of the Vernam cipher would be used (Figure 2.7), in which the keystream (k_i) is as long as the plaintext bit stream (p_i).

Block vs. Stream Ciphers
- Block ciphers: process messages in blocks, each of which is then en/decrypted; like a substitution on very big characters (64 bits or more)
- Stream ciphers: process messages a bit or byte at a time when en/decrypting
- Many current ciphers are block ciphers

Block ciphers work on a block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a stream. Block ciphers are currently better analysed, and seem to have a broader range of applications, hence the focus on them.

Stream cipher
- Like a one-time pad. What was good? What was bad?
- Trade the provable security of the one-time pad for practicality!!!
- E.g. A5/1 (hardware based): GSM mobile communication; uses shift registers to generate the keystream
- RC4 (software based): uses lookup tables generated based on the key; most widely used in WEP to secure wireless networks and in Secure Sockets Layer (SSL) to protect internet traffic

Claude Shannon
- Father of information theory
- He proposed the foundation concepts for modern cryptography
- Confusion: obscure the relationship between plaintext and ciphertext. E.g. simple substitution (how do we break these?)
- Diffusion: spread the plaintext statistics through the ciphertext. E.g. transposition

Block cipher
- Like a codebook: replaces a block of N plaintext bits with a block of N ciphertext bits
- How big is the block? (64, 128, 192, 256 bits)
- But here we have many codebooks: the key determines which codebook to use
- Remember it works with a block of bits

(Ideal) block cipher
- An n-bit plaintext block produces an n-bit ciphertext block
- There are 2^n possible different plaintext blocks; each must produce a unique ciphertext block. Such a transformation is called reversible

Reversible
- 2^n possible unique mappings (one per plaintext block). E.g. n = 2 (using 2 bits: 4 unique plaintext-ciphertext pairs):

    Plaintext   Ciphertext
    00          11
    01          10
    10          00    (mapping 10 to 01 instead would be irreversible, since 11 already maps to 01)
    11          01

- (2^n)! codebooks => for n = 2, 4! = 24 codebooks
- A secret key indicates which mapping to use
- n = 64 => (2^64)! codebooks

Ideal Block Cipher
- An ideal block cipher would allow us to use any of these (2^N)! mappings
- The key space would be extremely large
- But selecting one of the (2^N)! mappings requires a key of N × 2^N bits
- If N = 64, 10^11 GB. Infeasible!

Practical Block Ciphers (Iterated)
- Modern block ciphers use a key of K bits to specify a random subset of 2^K mappings
- If K ≈ N, 2^K is much smaller than (2^N)!, but is still very large
- If the selection of the 2^K mappings is random, the resulting cipher will be a good approximation of the ideal block cipher (with iterating the functions)
- Horst Feistel, in the 1970s, proposed a method to achieve this
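The counting behind the n = 2 table and the 10^11 GB estimate above, as an added Python example that is not part of the slides: it enumerates every codebook for n = 2, checks reversibility, and computes for n = 64 how many bits a key needs to select one of the (2^N)! mappings versus the 2^K mappings a K-bit key can reach.

```python
import math
from itertools import product


def count_codebooks(n: int) -> tuple[int, int]:
    """Enumerate every function from n-bit blocks to n-bit blocks and count how
    many are reversible, i.e. usable as a codebook. Brute force, so only for
    small n (n = 2 already means 4**4 = 256 candidate functions)."""
    blocks = list(range(2 ** n))
    total = reversible = 0
    for outputs in product(blocks, repeat=len(blocks)):
        total += 1
        if len(set(outputs)) == len(blocks):  # no two plaintexts share a ciphertext
            reversible += 1
    return total, reversible


def is_reversible(codebook: dict) -> bool:
    """A codebook (plaintext block -> ciphertext block) is reversible iff it is
    injective, so the recipient can look a ciphertext up unambiguously."""
    return len(set(codebook.values())) == len(codebook)


def ideal_key_bits(n: int) -> float:
    """Bits needed just to name one of the (2^n)! reversible codebooks:
    log2((2^n)!). lgamma evaluates this for n = 64 without forming the factorial."""
    return math.lgamma(2 ** n + 1) / math.log(2)


def table_key_bits(n: int) -> int:
    """Bits needed to ship the chosen codebook as a lookup table:
    2^n entries of n bits each (the n x 2^n figure in the notes)."""
    return n * 2 ** n


def bits_to_gigabytes(bits: float) -> float:
    return bits / 8 / 2 ** 30


def practical_key_shortfall_bits(n: int, k: int) -> float:
    """How far a K-bit key falls short of the ideal cipher: log2((2^n)!) - K.
    For n = k = 64 this is about 1.15e21 bits, i.e. a 64-bit key reaches only
    a 1 / 2^(1.15e21) fraction of all codebooks (still 2^64 of them)."""
    return ideal_key_bits(n) - k


if __name__ == "__main__":
    # n = 2, the slide's table: 256 functions, 24 of them reversible (4!).
    print(count_codebooks(2))
    # The reversible mapping from the slide, then the irreversible variant (10 -> 01).
    print(is_reversible({0b00: 0b11, 0b01: 0b10, 0b10: 0b00, 0b11: 0b01}))
    print(is_reversible({0b00: 0b11, 0b01: 0b10, 0b10: 0b01, 0b11: 0b01}))
    # n = 64: 2^70 bits as a table, roughly 1.4e11 GB.
    print(table_key_bits(64), bits_to_gigabytes(table_key_bits(64)))
    print(practical_key_shortfall_bits(64, 64))
```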

Block Cipher Principles
- Most symmetric block ciphers are based on a Feistel cipher structure
- Block cipher: an n-bit plaintext block produces an n-bit ciphertext block, like an extremely large (one-time) substitution
- A substitution cipher for a large block size is not practical from an implementation and performance point of view

Most symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher. A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. An arbitrary reversible substitution cipher for a large block size is not practical, however, from an implementation and performance point of view. In general, for an n-bit general substitution block cipher, the size of the key is n × 2^n. For a 64-bit block, which is a desirable length to thwart statistical attacks, the key size is 64 × 2^64 = 2^70 ≈ 10^21 bits. In considering these difficulties, Feistel points out that what is needed is an approximation to the ideal block cipher system for large n, built up out of components that are easily realizable.

Feistel Cipher
- Instead of an extremely large substitution, Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a product cipher
- A product cipher is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger

Feistel proposed [FEIS73] that we can approximate the ideal block cipher by utilizing the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers. The essence of the approach is to develop a block cipher with a key length of k bits and a block length of n bits, allowing a total of 2^k possible transformations, rather than the (2^n)! transformations available with the ideal block cipher.

Substitution-Permutation Ciphers
- Use of the concept of a product cipher that alternates substitutions and permutations
- This idea was originally proposed by Claude Shannon in 1949
- Forms the basis of modern block ciphers
- S-P nets are based on the two primitive cryptographic operations seen before: substitution (S-box) and permutation (P-box)
- Provide confusion & diffusion of message & key

Confusion and Diffusion
- A cipher needs to completely obscure the statistical properties of the original message
- A one-time pad does this
- More practically, Shannon suggested combining S & P elements to obtain:
  - Diffusion: scatters the statistical structure of the plaintext over the bulk of the ciphertext
  - Confusion: makes the relationship between ciphertext and key as complex as possible

The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system. Shannon's concern was to thwart cryptanalysis based on statistical analysis. Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.

Feistel Cipher: Encryption
- A Feistel cipher is a type of block cipher design, not a specific cipher
- Split the plaintext block into left and right halves: P = (L_0, R_0)
- For each round i = 1, 2, ..., n, compute
    L_i = R_{i-1}
    R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
  where F is the round function and K_i is the subkey
- Ciphertext: C = (L_n, R_n)

Feistel Cipher: Decryption
- Start with ciphertext C = (L_n, R_n)
- For each round i = n, n-1, ..., 1, compute
    R_{i-1} = L_i
    L_{i-1} = R_i ⊕ F(R_{i-1}, K_i)
  where F is the round function and K_i is the subkey
- Plaintext: P = (L_0, R_0)
- The formula works for any function F, but is only secure for certain functions F

Feistel Cipher Design Elements
- Block size: increasing the size improves security, but slows the cipher

- Key size: increasing the size improves security and makes exhaustive key searching harder, but may slow the cipher
- Number of rounds: increasing the number improves security, but slows the cipher
- Subkey generation algorithm: greater complexity can make analysis harder, but slows the cipher
- Round function: greater complexity can make analysis harder, but slows the cipher
- Fast software en/decryption: a more recent concern for practical use
- Ease of analysis: for easier validation & testing of strength

The exact realization of a Feistel network depends on the choice of the following parameters and design features: block size (increasing size improves security, but slows the cipher); key size (increasing size improves security and makes exhaustive key searching harder, but may slow the cipher); number of rounds (increasing the number improves security, but slows the cipher); subkey generation algorithm (greater complexity can make analysis harder, but slows the cipher); round function (greater complexity can make analysis harder, but slows the cipher); fast software en/decryption (a more recent concern for practical use); ease of analysis (for easier validation & testing of strength).
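The encryption and decryption recurrences above, and the "number of rounds" design element, worked through in Python as an added example that is not part of the slides. The round function, key schedule and key are constructed for the example only (F is a hash of R and the subkey, so it is not invertible); the point is that decryption still inverts encryption for any F, while a one-round network copies a plaintext half straight into the ciphertext.

```python
import hashlib
from typing import Callable

MASK32 = 0xFFFFFFFF
RoundFn = Callable[[int, bytes], int]


def round_function(right: int, subkey: bytes) -> int:
    """Toy keyed round function F(R, K_i): 32 bits taken from a hash of R and
    the subkey. Deliberately not invertible; a Feistel network never needs F^-1.
    Constructed for this example, not a standard design."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")


def key_schedule(key: bytes, rounds: int) -> list[bytes]:
    """Toy subkey generation: K_i = hash(key || i), one subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def feistel_encrypt(block: int, subkeys: list[bytes], f: RoundFn = round_function) -> int:
    """P = (L_0, R_0); for i = 1..n: L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i).
    Returns C = (L_n, R_n) packed into one 64-bit integer."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (left << 32) | right


def feistel_decrypt(block: int, subkeys: list[bytes], f: RoundFn = round_function) -> int:
    """Same network run with the subkeys in reverse order:
    R_{i-1} = L_i, L_{i-1} = R_i xor F(R_{i-1}, K_i)."""
    left, right = block >> 32, block & MASK32
    for k in reversed(subkeys):
        left, right = right ^ f(left, k), left
    return (left << 32) | right


def one_round_leaks_half(block: int, key: bytes) -> bool:
    """With a single round L_1 = R_0: the plaintext's right half appears verbatim
    in the ciphertext whatever F is. True means the leak is present."""
    c = feistel_encrypt(block, key_schedule(key, 1))
    return (c >> 32) == (block & MASK32)


def avalanche(rounds: int, key: bytes, block: int) -> float:
    """Average number of the 64 ciphertext bits that change when one plaintext
    bit is flipped; about 32 is what a well-diffusing block cipher shows."""
    subkeys = key_schedule(key, rounds)
    base = feistel_encrypt(block, subkeys)
    changed = 0
    for bit in range(64):  # flip each plaintext bit in turn
        changed += bin(base ^ feistel_encrypt(block ^ (1 << bit), subkeys)).count("1")
    return changed / 64


if __name__ == "__main__":
    key = b"constructed example key"  # constructed, not a real key
    plaintext = 0x0123456789ABCDEF
    subkeys = key_schedule(key, 16)
    assert feistel_decrypt(feistel_encrypt(plaintext, subkeys), subkeys) == plaintext
    # Decryption works for any F, even a constant one that gives no security at all.
    weak = lambda r, k: 0xDEADBEEF
    assert feistel_decrypt(feistel_encrypt(plaintext, subkeys, weak), subkeys, weak) == plaintext
    print("one round leaks R_0:", one_round_leaks_half(plaintext, key))
    for r in (1, 2, 4, 16):
        print(f"{r:2d} round(s): {avalanche(r, key, plaintext):.1f} ciphertext bits change per flipped plaintext bit")
```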

Summary
- Stream cipher: like a one-time pad
  - Key is stretched into a long keystream, then XORed
  - Pseudorandom keystream generator
  - Confusion only, just like a one-time pad
  - Efficient for hardware implementation (low-powered devices)
- Block cipher: based on the codebook concept
  - Block cipher key determines a codebook
  - Employs both confusion and diffusion
  - Faster, good for software implementation
  - Used in most of the current ciphers

Data Encryption Standard (DES)
- Most widely used block cipher in the world
- DES developed in the 1970s
- Based on IBM's revised Lucifer cipher
- U.S. government standard
- DES development was controversial: NSA secretly involved; design process was secret; key length reduced from 128 to 56 bits; clever changes to the Lucifer algorithm

The most widely used private key block cipher is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. DES enjoys widespread use. It has also been the subject of much controversy over its security.

DES is an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bit string of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is never quoted as such. Every 8th bit of the selected key is discarded, that is, positions 8, 16, 24, 32, 40, 48, 56, 64 are removed from the 64-bit key, leaving behind only the 56-bit key.

DES Design Controversy
- Although the DES standard is public, there was considerable controversy over the design: in the choice of a 56-bit key (vs Lucifer's 128-bit) and because the design criteria were classified
- Subsequent events and public analysis show that in fact the design was appropriate
- Use of DES has flourished, especially in financial applications
- Still standardised for legacy application use

Before its adoption as a standard, the proposed DES was subjected to intense & continuing criticism over the size of its key & the classified design criteria. Recent analysis has shown, despite this controversy, that DES is well designed. DES is theoretically broken using differential or linear cryptanalysis, but in practice this is unlikely to be a problem yet. Rapid advances in computing speed, though, have rendered the 56-bit key susceptible to exhaustive key search, as predicted by Diffie & Hellman. DES has flourished and is widely used, especially in financial applications. It is still standardized for legacy systems, with either AES or triple DES for new applications.

DES
- DES is a Feistel cipher with a 64-bit block length, a 56-bit key length, 16 rounds, and 48 bits of key used each round (subkey)
- Each round is simple (for a block cipher)
- Security depends heavily on the S-boxes
- Each S-box maps 6 bits to 4 bits

DES Encryption Overview

The overall scheme for DES encryption is illustrated in Stallings Figure 3.4, which takes as input 64 bits of data and of key. The left side shows the basic process for enciphering a 64-bit data block, which consists of:
- an initial permutation (IP) which shuffles the 64-bit input block
- 16 rounds of a complex key-dependent round function involving substitutions & permutations
- a final permutation, being the inverse of IP
The right side shows the handling of the 56-bit key and consists of:
- an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in two 28-bit halves
- 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves

Initial Permutation IP
- IP is the first step of the encryption. It reorders the input data bits.
- The last step of encryption is the inverse of IP.
- IP and IP^-1 are specified by tables.

Example: Initial permutation IP (input bit positions numbered 1..64)
    58 50 42 34 26 18 10  2
    60 52 44 36 28 20 12  4
    62 54 46 38 30 22 14  6
    64 56 48 40 32 24 16  8
    57 49 41 33 25 17  9  1
    59 51 43 35 27 19 11  3
    61 53 45 37 29 21 13  5
    63 55 47 39 31 23 15  7

[Figure: One Round of DES. The L and R halves are 32 bits each; R is expanded to 48 bits, XORed with the 48-bit subkey K_i, passed through the S-boxes (48 bits compressed to 32) and then the P-box; the two 28-bit key halves are shifted and compressed to form the 48-bit K_i.]

DES Round Structure

Stallings Figure 3.7 illustrates the internal structure of the DES round function F. The R input is first expanded to 48 bits by using expansion table E, which defines a permutation plus an expansion that involves duplication of 16 of the R bits (Stallings Table 3.2c). The resulting 48 bits are XORed with key K_i. This 48-bit result passes through a substitution function comprising 8 S-boxes which each map 6 input bits to 4 output bits, producing a 32-bit output, which is then permuted by permutation P as defined by Stallings Table 3.2d.

DES Round Structure
- Uses two 32-bit L & R halves
- As for any Feistel cipher, can describe as:
    L_i = R_{i-1}
    R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
- F takes the 32-bit R half and the 48-bit subkey:
  - expands R to 48 bits using permutation E
  - adds to the subkey using XOR
  - passes through 8 S-boxes to get a 32-bit result
  - finally permutes using the 32-bit permutation P

We now review the internal structure of the DES round function F, which takes the R half & subkey, and processes them. The round key K_i is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits (Table 3.2c). The resulting 48 bits are XORed with K_i. This 48-bit result passes through a substitution function that produces a 32-bit output, which is permuted as defined by Table 3.2d. This follows the classic structure for a Feistel cipher. Note that the S-boxes provide the confusion of data and key values, whilst the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving diffusion.

DES Expansion Permutation
Input 32 bits:
    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Output 48 bits (each row is one 6-bit group):
    31  0  1  2  3  4
     3  4  5  6  7  8
     7  8  9 10 11 12
    11 12 13 14 15 16
    15 16 17 18 19 20
    19 20 21 22 23 24
    23 24 25 26 27 28
    27 28 29 30 31  0

DES S-box
- 8 substitution boxes or S-boxes
- Each S-box maps 6 bits to 4 bits

S-box number 1

Rows are selected by input bits (0,5), columns by input bits (1,2,3,4).

    (0,5) \ (1,2,3,4) | 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
    ------------------+---------------------------------------------------------------------------------
    00                | 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111
    01                | 0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000
    10                | 0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 0000
    11                | 1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101

DES P-box
Input 32 bits:
    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Output 32 bits:
    15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9 1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24

DES Key Schedule
- Forms the subkeys used in each round
- Initial permutation of the key (PC1), which selects 56 bits in two 28-bit halves
- 16 stages consisting of:
  - rotating each half separately either 1 or 2 places depending on the key rotation schedule K
  - selecting 24 bits from each half & permuting them by PC2 for use in round function F

The DES Key Schedule generates the subkeys needed for each data encryption round. A 64-bit key is used as input to the algorithm, though every eighth bit is ignored, as indicated by the lack of shading in Table 3.4a. It is first processed by Permuted Choice One (Stallings Table 3.4b). The resulting 56-bit key is then treated as two 28-bit quantities C & D. In each round, these are separately processed through a circular left shift (rotation) of 1 or 2 bits as shown in Stallings Table 3.4d. These shifted values serve as input to the next round of the key schedule. They also serve as input to Permuted Choice Two (Stallings Table 3.4c), which produces a 48-bit output that serves as input to the round function F.
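The E, S-box 1 and P tables printed above, in their 0-indexed form, as an added Python example that is not part of the slides. Only S-box 1 is on the page, so the helper applies it to the first 6-bit group of E(R) ⊕ K_i rather than computing the whole round function; the checks at the end are the properties a practitioner would verify when transcribing such tables (E duplicates exactly 16 bits, P is a permutation, each S-box row is a permutation of 0..15, and flipping one S-box input bit changes at least two output bits, a published DES design criterion).

```python
from collections import Counter

# The three tables from the slides, 0-indexed (bit 0 = leftmost bit of the input).
E_TABLE = [31, 0, 1, 2, 3, 4, 3, 4, 5, 6, 7, 8, 7, 8, 9, 10, 11, 12,
           11, 12, 13, 14, 15, 16, 15, 16, 17, 18, 19, 20, 19, 20, 21, 22, 23, 24,
           23, 24, 25, 26, 27, 28, 27, 28, 29, 30, 31, 0]

P_TABLE = [15, 6, 19, 20, 28, 11, 27, 16, 0, 14, 22, 25, 4, 17, 30, 9,
           1, 7, 23, 13, 31, 26, 2, 8, 18, 12, 29, 5, 21, 10, 3, 24]

# S-box 1 as a 4x16 table of 4-bit outputs: row = input bits (0,5), column = bits (1,2,3,4).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def to_bits(value: int, width: int) -> list[int]:
    """Bit list with index 0 = most significant bit, matching the slide numbering."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits: list[int]) -> int:
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def expand(r_bits: list[int]) -> list[int]:
    """E: 32 -> 48 bits; the outer bit of each 6-bit group is borrowed from the neighbouring group."""
    return [r_bits[i] for i in E_TABLE]


def permute_p(bits: list[int]) -> list[int]:
    """P: the 32-bit permutation applied to the concatenated S-box outputs."""
    return [bits[i] for i in P_TABLE]


def sbox_lookup(sbox: list[list[int]], six_bits: list[int]) -> int:
    """6 -> 4 bits: the outer bits (0,5) pick the row, the inner four bits pick the column."""
    row = (six_bits[0] << 1) | six_bits[5]
    col = from_bits(six_bits[1:5])
    return sbox[row][col]


def sbox1(six_bits: list[int]) -> int:
    return sbox_lookup(S1, six_bits)


def first_sbox_output(r: int, subkey48: int) -> int:
    """First 4 bits of the S-box stage of F: E(R) xor K_i, then S-box 1 on the
    first 6-bit group. The other seven S-boxes are not on the slides, so the
    remaining 28 bits are not computed here."""
    mixed = [a ^ b for a, b in zip(expand(to_bits(r, 32)), to_bits(subkey48, 48))]
    return sbox1(mixed[:6])


def duplicated_input_bits() -> int:
    """How many R bits E uses twice (48 = 32 + 16)."""
    return sum(1 for count in Counter(E_TABLE).values() if count == 2)


def p_is_permutation() -> bool:
    return sorted(P_TABLE) == list(range(32))


def rows_are_permutations(sbox: list[list[int]]) -> bool:
    """Every S-box row is a permutation of 0..15, so each row is itself reversible."""
    return all(sorted(row) == list(range(16)) for row in sbox)


def min_output_change_for_one_input_bit(sbox: list[list[int]]) -> int:
    """Smallest number of output bits that change when exactly one of the six
    input bits is flipped; the DES design criteria require at least 2."""
    best = 4
    for x in range(64):
        out_x = sbox_lookup(sbox, to_bits(x, 6))
        for i in range(6):
            out_y = sbox_lookup(sbox, to_bits(x ^ (1 << i), 6))
            best = min(best, bin(out_x ^ out_y).count("1"))
    return best


if __name__ == "__main__":
    print(duplicated_input_bits(), p_is_permutation(), rows_are_permutations(S1))
    print(min_output_change_for_one_input_bit(S1))
    print(first_sbox_output(0, 0), first_sbox_output(0xFFFFFFFF, 0), first_sbox_output(1, 0))
```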

The 56-bit key size comes from security considerations, as we know now. It was big enough so that an exhaustive key search was about as hard as the best direct attack (a form of differential cryptanalysis called a T-attack, known to the IBM & NSA researchers), but no bigger. The extra 8 bits were then used as parity (error detecting) bits, which makes sense given the original design use for hardware communications links. However, we hit an incompatibility with simple software implementations, since the top bit in each byte is 0 (ASCII only uses 7 bits), but the DES key schedule throws away the bottom bit! A good implementation needs to be cleverer!

DES Subkey
- 56-bit DES key, numbered 0, 1, 2, ..., 55
- Left half key bits, LK:
    49 42 35 28 21 14  7  0 50 43 36 29 22 15  8  1 51 44 37 30 23 16  9  2 52 45 38 31
- Right half key bits, RK:
    55 48 41 34 27 20 13  6 54 47 40 33 26 19 12  5 53 46 39 32 25 18 11  4 24 17 10  3

DES Last Word (Almost)
- An initial permutation before round 1
- Halves are swapped after the last round
- A final permutation (inverse of the initial permutation) applied to (R16, L16)
- None of this serves a security purpose



DES Decryption
- Decrypt must unwind the steps of the data computation
- With the Feistel design, do the encryption steps again using the subkeys in reverse order (SK16 ... SK1)
- IP undoes the final FP (IP inverse) step of encryption
- 1st round with SK16 undoes the 16th encryption round
- ...
- 16th round with SK1 undoes the 1st encryption round
- Then the final FP undoes the initial encryption IP, thus recovering the original data value

As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order SK16 .. SK1. If you trace through the DES overview diagram, you can see how each decryption step, top to bottom with reversed subkeys, undoes the equivalent encryption step moving from bottom to top.

Avalanche Effect
- A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext
- If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched
- DES exhibits a strong avalanche effect

In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched. DES exhibits a strong avalanche, as may be seen in Stallings Table 3.5.

Strength of DES: Key Size
- 56-bit keys have 2^56 = 7.2 × 10^16 values
- Brute force search looks hard
- Recent advances have shown it is possible:
  - in 1997 on the Internet in a few months
  - in 1998 on dedicated h/w (EFF) in a few days
  - in 1999 the above combined in 22 hrs!
- Still must be able to recognize plaintext
- Must now consider alternatives to DES

Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES in two areas: key size and the nature of the algorithm. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys. Thus a brute-force attack appeared impractical. However, DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98]. There have been other demonstrated breaks of DES using both large networks of computers & dedicated h/w, including:
- 1997 on a large network of computers in a few months
- 1998 on dedicated h/w (EFF) in a few days
- 1999 the above combined in 22 hrs!
It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly we must now consider alternatives to DES, the most important of which are AES and triple DES.

Block Cipher Design
- Basic principles still like Feistel's in the 1970s
- Number of rounds: more is better; exhaustive search should be the best attack
- Function F: provides confusion, is nonlinear, avalanche; there are issues of how S-boxes are selected
- Key schedule: complex subkey creation, key avalanche

The cryptographic strength of a Feistel cipher derives from three aspects of the design: the number of rounds, the function F, and the key schedule algorithm. Briefly, we discuss these. The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion is attractive because it makes it easy to judge the strength of an algorithm and to compare different algorithms. The function F provides the element of confusion in a Feistel cipher; we want it to be difficult to unscramble the substitution performed by F. One obvious criterion is that F be nonlinear. The more nonlinear F is, the more difficult any type of cryptanalysis will be. We would like it to have good avalanche properties, or even the strict avalanche criterion (SAC). Another criterion is the bit independence criterion (BIC). One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. We would like any change to the input vector of an S-box to result in random-looking changes to the output. The relationship should be nonlinear and difficult to approximate with linear functions. A final area of block cipher design, and one that has received less attention than S-box design, is the key schedule algorithm. With any Feistel block cipher, the key schedule is used to generate a subkey for each round. We would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key. The key schedule should guarantee the key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.

Multiple Encryption & DES
- Clearly a replacement for DES was needed: theoretical attacks that can break it; demonstrated exhaustive key search attacks
- AES is a new cipher alternative
- Prior to this, the alternative was to use multiple encryption with DES implementations
- Triple-DES is the chosen form

Given the potential vulnerability of DES to a brute-force attack, there has been considerable interest in finding an alternative. One approach is to design a completely new algorithm, of which AES is a prime example. Another alternative, which would preserve the existing investment in software and equipment, is to use multiple encryption with DES and multiple keys. We examine the widely accepted triple DES (3DES) approach.

Triple DES
- Today, a 56-bit DES key is too small: exhaustive key search is feasible
- But DES is everywhere, so what to do?
- Triple DES or 3DES (112-bit key):
    C = E(D(E(P, K1), K2), K1)
    P = D(E(D(C, K1), K2), K1)
- Why Encrypt-Decrypt-Encrypt with 2 keys?
  - Backward compatible: E(D(E(P, K), K), K) = E(P, K)
  - And 112 bits is enough

Reading assignments
- Differential and linear cryptanalysis attacks
- Different block cipher modes
- Deniable encryption