One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic - PDF document

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes � Shift Cipher ◦ Brute%force attack can easily break Ahmet Burak Can � Substitution Cipher Hacettepe University ◦ Frequency analysis can reduce the search space abc@hacettepe.edu.tr � Vigenere Cipher � Vigenere Cipher ◦ Kasiski test can reveal the length of key � Enigma Machine ◦ The capture of the daily codebook � How perfect secrecy can be satisfied? 1 2 One Time Pad One Time Pad The Binary The Binary Version of One Version of One% %Time Pad Time Pad � Basic Idea: Extend Vigenère cipher so that the key is as � Plaintext space = Ciphtertext space = Keyspace = {0,1} n long as the plaintext � Key is chosen randomly ◦ Key is a random string and is used only once � For example: ◦ Encryption is similar to Vigenère Plaintext �������� ◦ Cannot be broken by frequency analysis or Kasiski test Key Key �������� �������� Ciphertext �������� Plaintext ������ � � � ��� � � Key ������ � � � ��� � � Ciphertext ������ � � � ��� � � � � �������� � �� � � � �� � ��� � �� � ������� � � �������� � �� � � � �� � ��� � �� � ������� 3 4 Security of One Time Pad Security of One Time Pad Importance of Key Randomness Importance of Key Randomness � How good is the security of one time pad? � For perfect secrecy, key%length ≥ msg%length ◦ The key is random, so ciphertext is completely random ◦ Any plaintext can correspond to a ciphertext with the same � What if a One%Time Pad key is not chosen randomly, length instead, texts from, e.g., a book is used. � A scheme has perfect secrecy if ciphertext provides no ◦ this is not One%Time Pad anymore this is not One%Time Pad anymore “information” about plaintext “information” about plaintext ◦ this does not have perfect secrecy and can be broken ◦ �������������� ���� � One%time pad has perfect secrecy � The key in One%Time Pad should never be reused. ◦ For example, suppose that the ciphertext is “Hello”, can we say ◦ If it is reused, it is insecure! any plaintext is more likely than another plaintext? ◦ How to send the key to the receiver of the ciphertext? � These requirements make One Time Pad impractical. 5 6

Block Ciphers Block Ciphers Block Ciphers Block Ciphers � Block Cipher = Symmetric key encryption = � Block size �� in general larger block sizes mean greater Conventional Encryption security. � Key size: larger key size means greater security (larger key space). � Block ciphers can be considered as substitution ciphers with large block size (≥ 64 bits) with large block size (≥ 64 bits) � Number of rounds: multiple rounds offer increasing � Number of rounds: multiple rounds offer increasing security. � Encryption modes: define how messages larger than the � Map n%bit plaintext blocks to n%bit ciphertext blocks block size are encrypted, very important for the (n: block size). security of the encrypted message. ◦ For n%bit plaintext and ciphertext blocks and a fixed key, the encryption function is a one%to%one function 7 8 A Simple Block Cipher: Hill Cipher A Simple Block Cipher: Hill Cipher An Insecure Block Cipher An Insecure Block Cipher � The key k is a matrix. The message is considered as � Hill cipher is insecure since it uses linear matrix vectors. Encryption and decryption operations are operations. matrix multiplication operations ◦ Each output bit is a linear combination of the input bits ◦ Encryption: ◦ An insecure block cipher uses linear equations ���������������� ◦ Decryption: � ��� �� �� �������� � Example: � Hill Cipher can easily be broken by known%plaintext ◦ The plaintext is `CAT` converted to numeric values (2, 0, 19). attack ◦ An attacker knowing a plaintext and ciphertext pair can easily ◦ If the key is figure out the key matrix. ◦ Encryption: ◦ C=`FIN` 9 10 Feistel Feistel Network Network Feistel Feistel Network Network � A Feistel Network is fully specified given � Encryption Plaintext (2w bits) ◦ the block size: n = 2w L 1 =R 0 R 1 =L 0 ⊕ f 0 (R 0 ) ◦ number of rounds: d R 2 =L 1 ⊕ f 1 (R 1 ) L 2 =R 1 ◦ d round functions f 1 , f 2 …, f d : {0,1} w → {0,1} w … w bits w bits ◦ Each f function is a SP cipher L d =R d%1 L d =R d%1 R d =L d%1 ⊕ f d%1 (R d%1 ) R d =L d%1 ⊕ f d%1 (R d%1 ) L 0 L 0 R 0 R 0 f 0 K 0 � Feistel Network are used in DES, IDEA, RC5, and many other block ciphers. � Decryption L 1 R 1 � Not used in AES R d%1 =L d L d%1 =R d ⊕ f d%1 (L d ) f 1 K 1 … L 0 =R 1 ⊕ f 0 (L 1 ) R 0 =L 1 12 11

History of Data Encryption Standard (DES) History of Data Encryption Standard (DES) DES Features DES Features � 1967: Feistel at IBM � Features: ◦ Lucifer: block size 128; key size 128 bit ◦ Block size = 64 bits ◦ Key size = 56 bits � 1972: NBS asks for an encryption standard ◦ Number of rounds = 16 � 1975: IBM developed DES (modification of Lucifer) ◦ 16 intermediary keys, each 48 bits ◦ block size 64 bits; key size 56 bits ◦ block size 64 bits; key size 56 bits � 1975: NSA suggests modification � 1977: NBS adopts DES as encryption standard in (FIPS 46%1, 46%2). � 2001: NIST adopts Rijndael (AES) as replacement to DES. 13 14 DES Structure DES Structure Details of DES Rounds Details of DES Rounds � An initial permutation is applied on the plaintext IP(x) = L 0 R 0 � In each round: L i = R i%1 R i = L i%1 ⊕ f(R i%1 , K i ) ⊕ 16 15 Details of DES Rounds Details of DES Rounds DES f Function DES f Function � After the last round y = IP %1 (R 16 L 16 ) 17 18

DES S DES S% %boxes boxes DES Weak Keys DES Weak Keys S%boxes are the only non%linear elements in DES design � � Weak keys: keys make the same sub%key to be generated in more than one round. B(6 bits) C(4 bits) S%Box ◦ Result: reduce cipher complexity ◦ Weak keys can be avoided at key generation. DES has 4 weak B = b 1 b 2 b 3 b 4 b 5 b 6 ��� row=b 1 b 6 column=b 2 b 3 b 4 b 5 � keys: ��������������� ��������������� Example: Example: � ��������������� B = 011011 row= 01 column=1101 � ��������������� Middle 4 bits of input ��������������� 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 00 0010 1100 0100 0001 0111 1010 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001 � Semi%weak keys: A pair of DES semi%weak keys is a pair 01 1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1010 0011 1001 1000 0110 Oute r bits (K 1 ,K 2 ) with E K1 (E K2 (x))=x 10 0100 0010 0001 1011 1010 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110 11 1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1010 0100 0101 0011 ◦ There are six pairs of DES semi%weak keys C = 1001 19 20 Dictionary Attack to DES Dictionary Attack to DES Double DES Double DES � Even without having weak/semi%weak keys DES is � DES uses a 56%bit key, this raised concerns about brute vulnerable to dictionary attacks: force attacks. � Each plaintext may result in 2 64 different ciphertexts, but � One proposed solution: Double DES. there are only 2 56 possible different key values. there are only 2 possible different key values. � Apply DES twice using two keys, K 1 and K 2 . � Apply DES twice using two keys, K 1 and K 2 . � C = E K2 [ E K1 [ P ] ] � P = D K1 [ D K2 [ C ] ] � Given a PT/CT pair ( ���� ◦ Encrypt the known plaintext M with all possible keys. � This leads to a 2x56=112 bit key, so it is more secure ◦ Keep a look up table of size 2 56 . than DES. Is it? ◦ Look up C in the table 21 22 Meet Meet% %in in% %the the% %middle Attack middle Attack Triple DES Triple DES � Goal: given the pair (P, C) find keys K 1 and K 2 . � Two key version is widely used and standard � Based on the observation: ◦ Key space is 56 x 2 = 112 bits C = E K2 [ E K1 [ P ] ] Encrypt: C = E K1 [ D K2 [ E K1 [P] ] ] D K2 [ C ] = E K1 [ P ] Decrypt: P = D K1 [ E K2 [ D K1 [C] ] ] � Encrypt P with all 2 56 possible keys K 1 � Encrypt P with all 2 56 possible keys K 1 � Three key version is possible but not standard � Three key version is possible but not standard ◦ Store all pairs ( K 1 , E K1 [P] ), sorted by E K1 [P]. ◦ Key space is 56 x 3 = 168 bits Encrypt: C = E K3 [ D K2 [ E K1 [P] ] ] � Decrypt C using all 2 56 possible keys K 2 Decrypt: P = D K1 [ E K2 [ D K3 [C] ] ] ◦ For each decrypted result, check to see if there is a match D K2 (C) = E K1 (P). If a match is found, (K 1 ,K 2 ) is a possible match � No known practical attack against it. � The attack has a higher chance of succeeding if another pair � Some protocols/applications use 3DES (such as PGP) (P’, C’) is available to the cryptanalysis. 23 24