
CUNSHENG DING HKUST, Hong Kong

Computer Security

Computer Security

Cunsheng DING, HKUST COMP4631


Lecture 07: Several One-Key Block Ciphers

Outline of this Lecture

  • One-key stream ciphers
  • The Data Encryption Standard (DES)
  • The Triple DES
  • The Advanced Encryption Standard (AES)
  • A method for padding messages
  • The Cipher Block Chaining (CBC) mode


One-key Stream Ciphers

A 6-tuple (M, C, K, Ek, Dk, u), where

  • M, C, K are respectively the plaintext space, ciphertext space, and key space;
  • Any k ∈ K could be the encryption and decryption key; and
  • u is a time-variable parameter stored in a memory device.
  • Ek and Dk are encryption and decryption transformations with Dk(Ek(m, u), u) = m for each m ∈ M.

Remark: The ciphertext c = Ek(m, u) depends on k, m and u, and is time-dependent, as u is time-variable.

We will see one-key stream ciphers today.


The Data Encryption Standard in Brief

  • It is a block cipher with key length 56 bits.
  • It was designed by IBM in 1976 for the National Bureau of Standards (NBS), with approval from the National Security Agency (NSA).
  • It was used as a standard for encryption until 2000. In 2001 a new encryption standard, AES, replaced DES because the DES key length is too short.
  • Although its widespread use came to an end, its design idea is still used in most block ciphers.


The DES Encryption and Decryption

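[Figure: the encryption process E_k takes a 64-bit plaintext block m_i and a 56-bit key and outputs a 64-bit ciphertext block c_i; the decryption process D_k takes the 64-bit block c_i and the 56-bit key and outputs the 64-bit block m_i.]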


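[Figure: DES encryption. The input block passes through IP and is split into L0, R0. Round 1, Round 2, ..., Round 16 apply f with the subkeys k1, k2, ..., k16, which the key schedule algorithm produces from the 56-bit key, giving L1, R1, ..., L15, R15, L16, R16. The halves L16, R16 are swapped to R16, L16, and IP^-1 gives the output block. Annotation on the swap: "Why swap?"]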


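Decryption

[Figure: DES decryption. The input block IP^-1(R16||L16) passes through IP, giving R16, L16. Round 1, Round 2, ..., Round 16 apply f with the subkeys k16, k15, ..., k1, passing through L15, R15, ..., L1, R1 and ending with R0, L0. After the swap the halves are L0, R0, and the output block is IP^-1(L0||R0).]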
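The round structure in the two figures above, as an added Python example that is not part of the lecture: a 16-round Feistel network in which decryption is the same network with the subkeys in the order k16, ..., k1, and in which dropping the final swap breaks that symmetry. The round function `f` and the key schedule are SHA-256 stand-ins (assumptions, not the DES ones), IP and IP^-1 are omitted, and the round equations are the standard Feistel ones, which the slides do not write out.

```python
import hashlib

ROUNDS = 16   # DES uses 16 rounds
HALF = 4      # bytes per half: 32-bit L and R, 64-bit block as in DES

def subkeys(key):
    """Stand-in key schedule (NOT the DES one): k1..k16 derived by hashing."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, ROUNDS + 1)]

def f(right, k):
    """Stand-in round function (NOT the DES f); it does not need to be invertible."""
    return hashlib.sha256(k + right).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, ks, final_swap=True):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, k_i) for each subkey in ks."""
    left, right = block[:HALF], block[HALF:]
    for k in ks:
        left, right = right, xor(left, f(right, k))
    # After the last round the halves are (L16, R16); the swap outputs R16 || L16.
    return right + left if final_swap else left + right

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    # Same network as encryption, with the subkeys in the order k16, k15, ..., k1.
    return feistel(block, subkeys(key)[::-1])

def roundtrip_without_swap(block, key):
    """Encrypt then 'decrypt' with the final swap removed from both directions."""
    ks = subkeys(key)
    c = feistel(block, ks, final_swap=False)
    return feistel(c, ks[::-1], final_swap=False)

if __name__ == "__main__":
    key, m = b"constructed-key", b"8 bytes!"   # constructed sample values
    c = encrypt(m, key)
    print(c.hex(), decrypt(c, key) == m, roundtrip_without_swap(m, key) == m)
```

With the swap, the decryption input (R16, L16) is exactly the state that round k16 maps back to (R15, L15), which is why one circuit serves both directions.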


DES Design Criteria

Remark: Details of the building blocks and their design criteria are out of the scope of this course, and can be found in the reading materials posted on the course webpage.

Further information may be found in:

  • B. Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996, pp. 293–294.
  • D. Coppersmith, The Data Encryption Standard (DES) and Its Strength Against Attacks, IBM Journal of Research and Development, May 1994.


Security of DES

Question: Is DES really secure?

Answer: It is regarded as insecure only because its key length is too short in view of today’s hardware technology. For this reason DES has been replaced by the Advanced Encryption Standard (AES), Rijndael.

In the public literature there is no practical attack on DES that is based on the structure of DES. But it is possible that some secret organization has a practical attack.

  • D. Coppersmith, The Data Encryption Standard (DES) and Its Strength Against Attacks, IBM Journal of Research and Development, May 1994.


The DES Variants

Triple DES: Let Ek and Dk be the encryption and decryption functions of DES.

  • Encryption: c = Ek1(Dk2(Ek3(m))).
  • Decryption: m = Dk3(Ek2(Dk1(c))).
  • Key length: 168 bits.
  • If k1 = k3 = k2, it is called Triple DES with two keys.

Other variants: DES with Independent Subkeys, CRYPT(3) (used in Unix systems), etc.

Reference: B. Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996, pp. 294–300.


The Advanced Encryption Standard (AES)

Background: The key length of DES is too short, so DES should be replaced. NIST issued a call for proposals for a new Advanced Encryption Standard in 1997. The basic requirements are:

  • Its security strength should be equal to or better than 3DES and it should be much more efficient.
  • AES must be a symmetric block cipher with a key length of 128 bits, and support for key lengths 192 and 256 bits.


The Advanced Encryption Standard (AES)

Rijndael: Many international proposals were received. After three rounds of selection and evaluation, in 2000 Rijndael was selected as the new AES by NIST.

Designers: Joan Daemen and Vincent Rijmen from Belgium.

  • Key lengths: 128, 192, 256 bits.
  • Plaintext block length: 128 bits.


The AES Encryption and Decryption

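[Figure: the encryption process E_k takes a 128-bit plaintext block m_i and a key of 128, 192 or 256 bits and outputs a 128-bit ciphertext block c_i; the decryption process D_k takes the 128-bit block c_i and the key of 128, 192 or 256 bits and outputs the 128-bit block m_i.]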


The Advanced Encryption Standard (AES)

References:

  • J. Daemen and V. Rijmen, The Design of Rijndael, Springer-Verlag, 2001.
  • W. Stallings, Cryptography and Network Security: Principles and Practices, 3rd Edition, Pearson Education, 2003.


Why Padding Messages

Question: If you use AES to encrypt your message, you need to break it into blocks, each with 128 bits. However, it is possible that the last block is not a complete block of 128 bits. How would you encrypt the last block?


A Method for Padding Messages

[Figure: the original message m (three blocks + 1/3 block) is followed by padding (2/3 block) and then by an extra block that holds the length of the message.]


Five Modes of Operations for Block Ciphers

  • Electronic Codebook (ECB) Mode
  • Cipher Block Chaining (CBC) Mode
  • Cipher Feedback (CFB) Mode (not introduced in COMP4631)
  • Output Feedback (OFB) Mode (not introduced in COMP4631)
  • Counter Mode (not introduced in COMP4631)


Assumptions on the Underlying Block Cipher

The underlying block cipher (M, C, K, Ek, Dk) maps a plaintext block of n bits into a ciphertext block of n bits. The last block is padded if necessary.

Let m = m1 m2 ··· mh be the message, where the mi are plaintext blocks of n bits, and let c = c1 c2 ··· ch be the corresponding ciphertext, where the ci are ciphertext blocks of n bits.


Electronic Codebook Mode (ECB)


Electronic Codebook Mode: Pictorial

Remarks: No internal memory.

[Figure: encryption: m_i and the key k enter E_k, which outputs c_i; decryption: c_i and the key k enter D_k, which outputs m_i.]


Electronic Codebook Mode: Mathematical

Encryption: ci = Ek(mi) for each i.

Decryption: mi = Dk(ci) for each i.

Application: secure transmission of single values (e.g., an encryption key), not for lengthy messages.

Remark: The same plaintext block is always encrypted to the same ciphertext block.


Cipher Block Chaining Mode (CBC)


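Cipher Block Chaining Mode: Pictorial

Choose any n-bit vector IV as the initial value, and define c0 = IV. It is stored in a register (memory device) with n bits of memory.

[Figure: encryption: m_i is combined with c_i-1 (IV for the first block) and enters E_k with the key k, which outputs c_i; decryption: c_i enters D_k with the key k, and the result is combined with c_i-1 (IV for the first block) to give m_i.]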


Cipher Block Chaining Mode: Mathematical

Operation: Set t = n. Choose any n-bit vector IV as the initial value, and define c0 = IV.

Encryption: ci = Ek(mi ⊕ ci−1) for each i ≥ 1.

Decryption: mi = Dk(ci) ⊕ ci−1 for each i ≥ 1.

Application: general-purpose block-oriented transmission, authentication.
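An added Python example (not from the lecture) that ties together the padding slide and the ECB and CBC formulas: it pads a message of three blocks + 1/3, encrypts it in both modes, and counts repeated ciphertext blocks. `E` and `D` are a toy, insecure keyed permutation standing in for Ek and Dk, and the padding layout (zero fill, message length in bytes in the extra block) and all sample values are assumptions.

```python
N = 16                                   # block size in bytes (n = 128 bits)
MOD = 1 << (8 * N)
A = 0x9E3779B97F4A7C15F39CC0605CEDC835   # constructed odd constant, invertible mod 2^128

def E(k, m):
    """Toy stand-in for E_k: a keyed permutation of n-bit blocks. NOT secure."""
    x = int.from_bytes(m, "big") ^ int.from_bytes(k, "big")
    return (x * A % MOD).to_bytes(N, "big")

def D(k, c):
    x = int.from_bytes(c, "big") * pow(A, -1, MOD) % MOD
    return (x ^ int.from_bytes(k, "big")).to_bytes(N, "big")

def blocks(data):
    return [data[i:i + N] for i in range(0, len(data), N)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(m):
    # Assumed layout: zero bytes fill the last block, then one extra block
    # holds the message length in bytes.
    return m + bytes(-len(m) % N) + len(m).to_bytes(N, "big")

def unpad(p):
    length = int.from_bytes(p[-N:], "big")
    if not 0 <= len(p) - N - length < N:
        raise ValueError("length block does not match the data")
    return p[:length]

def ecb_encrypt(k, m):
    return b"".join(E(k, mi) for mi in blocks(pad(m)))      # c_i = E_k(m_i)

def ecb_decrypt(k, c):
    return unpad(b"".join(D(k, ci) for ci in blocks(c)))    # m_i = D_k(c_i)

def cbc_encrypt(k, iv, m):
    prev, out = iv, []                                      # c_0 = IV
    for mi in blocks(pad(m)):
        prev = E(k, xor(mi, prev))                          # c_i = E_k(m_i XOR c_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k, iv, c):
    cs = blocks(c)                                          # m_i = D_k(c_i) XOR c_{i-1}
    return unpad(b"".join(xor(D(k, ci), p) for ci, p in zip(cs, [iv] + cs[:-1])))

def repeated_blocks(c):
    return len(blocks(c)) - len(set(blocks(c)))   # blocks equal to an earlier block

# Constructed sample values: three identical plaintext blocks plus 5 more bytes.
KEY, IV = b"constructed key!", bytes(range(N))
MSG = b"PAY 100 TO ALICE" * 3 + b"+memo"
```

For `MSG`, `repeated_blocks(ecb_encrypt(KEY, MSG))` is 2 because the three equal plaintext blocks give three equal ciphertext blocks, while the CBC ciphertext has no repeats.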
