Title: Part One CRYPTOGRAPHY
1 Part One CRYPTOGRAPHY Chapter 2 Symmetric Encryption and Message Confidentiality
Symmetric encryption, also referred to as
conventional encryption, secret-key, or
single-key encryption, was the only type of
encryption in use prior to the development of
public-key encryption in the late 1970s. It
remains by far the most widely used of the two
types of encryption.
2.1 Symmetric Encryption Principles
2 Recall [figure: Alice, Bob, Darth]
3 Fig 2.1
Five Ingredients
1. Plaintext
2. Encryption algorithm
3. Secret key
4. Ciphertext
5. Decryption algorithm (secret key)
4 The decryption algorithm is often the encryption
algorithm run in reverse (not true for the
Advanced Encryption Standard).
Obviously, the encryption and decryption
algorithms are inverse functions:
$C = E_K(P)$, $P = D_K(C)$
$P = D_K(E_K(P))$
5 Two requirements for secure use of symmetric encryption
1. Strong encryption algorithm: an opponent who knows the algorithm and has ciphertext (only) must be unable to recover the plaintext. Extension: even if the opponent has samples of plaintext, they must be unable to recover further plaintext.
2. Key: sender and receiver must have obtained copies of the secret key, and must keep it secret.
THE ALGORITHM IS NOT SECRET!!!
6 Cryptography: three independent dimensions
1. Type of operation: substitution, transposition. Combinations are used; all operations must be reversible!
2. Number of keys used: 1 for "symmetric" cryptography, 2 for "public-key" cryptography
3. Way in which plaintext is processed:
- block ciphers (processed one block at a time)
- stream ciphers (can be decrypted while being received)
7 Substitution cipher: replace letter with next letter in alphabet (Caesar).
Transposition cipher [figure labels: key, pad]
9 Types of attack on encrypted messages (continued)
Ciphertext only: only ciphertext and algorithm known; exhaustive search of all possible keys (brute force).
How do you know when you've won?
10 Types of attack on encrypted messages (continued)
Partially-known plaintext:
- E-mail headers
- Hitler's Birthday!
11 RSA challenges: known plaintext
In 1999 a 56-bit key was cracked in 22 hours by EFF machine.
With known plaintext, you know when you've won!
12 Types of attack on encrypted messages (continued)
During WEP authentication in wireless networks the access point sends a message to the station. The station encrypts the message and returns it to the access point. Both unencrypted and encrypted forms are easily visible.
13 Types of attack on encrypted messages (continued)
Consider a wireless LAN connected to the Internet, and an attacker who can eavesdrop on the traffic within the LAN and who has access to an outside computer. The attacker can send a chosen message from the outside machine to an inside machine, and observe the encrypted form on the wireless link.
Both unencrypted and encrypted forms are available to the attacker.
14 Boolean Logic
OR (inclusive OR)
XOR (exclusive OR)
15 Boolean Logic
XOR (exclusive OR)
Arithmetic ADD
16 Feistel Cipher Structure
17 Key Feistel Parameters
- Block size (2w)
- Size of key K
- Number of rounds (n)
- Subkey generation algorithm (K1, etc.)
- Round function (F)
Decryption: run in reverse. Insert ciphertext at top, use nth subkey in first round.
18 Two other considerations in the design of a symmetric block cipher:
- Fast software encryption/decryption
- Ease of analysis (!)
19 Data Encryption Standard (DES/DEA) is a minor variation on the Feistel structure.
- Block size: 64 bits
- Key length: 56 bits
- Number of rounds: 16. Sixteen subkeys generated from original key.
Decryption: run in reverse. Insert ciphertext at top, use sixteenth subkey in first round.
20 Data Encryption Standard
Strength: has been exhaustively studied; no known holes.
Weakness: 56-bit key length too short (in 1999 was cracked in 22 hours by EFF machine).
In ciphertext-only situation, exhaustive key search is the only way, but how do you know when you've won?
21 Triple DES
If 56-bit key is too short, but DES is a solid
algorithm, just apply it two or three times!
22 Effective key length is 168 bits.
There is no cryptographic significance to the use of decryption in the second stage; it gives compatibility with single-stage implementations.
It is easy to see that 3DES is a formidable algorithm.
23 However, 3DES is not a reasonable candidate for long-term use.
The algorithm is relatively sluggish in software; the original DES was designed for mid-1970s hardware implementation.
The 64-bit block length is too short; larger block lengths give better efficiency and security.
On page 39, the heading "Advanced Encryption Standard" belongs 1/3 way down page.
24 Advanced Encryption Standard
History: In 1997 NIST issued a call for proposals for a new Advanced Encryption Standard (AES), which should have a security strength the same as, or better than, 3DES and significantly improved efficiency.
After extensive consideration of proposals, in 2001 the algorithm by Joan Daemen and Vincent Rijmen was chosen, known as Rijndael.
The new AES is not a Feistel structure! Decryption algorithm different.
Parameters:
- block length 128 bits
- key length 128, 192, or 256 bits (focus on 128)
- rounds 10
- stages 4
The 128-bit key and the 128-bit blocks are expressed as 4-byte x 4-byte matrices, processed by column.
25 Original key: W(0-3)
Expanded key: W(4-43). Enough for 10 rounds.
There is an algorithm for expanding the key.
26 During execution of the algorithm, work is done in the state array.
[figure labels: Input, State array, Output]
27 AES preliminary (round zero)
28 Round zero
10 rounds: all except the last have four phases
30 Phase 1: substitute bytes
[figure labels: State(t), State(t+1)]
32 Phase 2: shift rows
I call this rotate, not shift. You may see the term circular shift.
- Row 0: unchanged
- Row 1: rotate left 1 byte
- Row 2: rotate left 2 bytes
- Row 3: rotate left 3 bytes
33 Phase 3: mix columns
34 Phase 3: mix columns is matrix multiplication for byte data elements
35 Phase 4: add round key is actually XOR
Phase 4 is the only phase that involves the key
36 Decryption is not just encryption run backwards (as Feistel); the functions are different (except XOR).
XOR is its own inverse:
Data 1 1 0 0
Key  0 1 1 0
XOR  1 0 1 0
Key  0 1 1 0
Data 1 1 0 0
37 Row 0 unchanged, Row 1 rotate right 1 byte, etc.
38 Inverse sub bytes
39 Multiplication by inverse matrix
42 2.3 Stream Ciphers
Block ciphers process text one block at a time. Stream ciphers process text one byte at a time.
Advantages:
- encryption and decryption can start when first byte received
- no padding of last (incomplete) block
- faster than block ciphers
Disadvantage:
- not as secure as block ciphers
- vulnerable to alteration of content
43 Stream cipher structure: given the key, a key-stream is generated as long as the plaintext.
For each byte, encryption consists of forming the XOR of the key-stream byte with the plaintext byte:
    plaintext      1 1 0 0 1 1 0 0
    XOR key-stream 0 1 1 0 1 1 0 0
    ciphertext     1 0 1 0 0 0 0 0
Decryption consists of forming the XOR of the ciphertext byte with the key-stream byte:
    ciphertext     1 0 1 0 0 0 0 0
    XOR key-stream 0 1 1 0 1 1 0 0
    plaintext      1 1 0 0 1 1 0 0
The XOR function is its own inverse.
44 [figure labels: 128 bits; Length of Message]
45 Design considerations for a stream cipher
1. The key-stream is generated from the key by a
pseudo-random number generator, so the
key-stream will ultimately repeat the
period should be as long as possible.
2. The key-stream should approximate the
properties of a true random number as
closely as possible.
3. The key should be as long as possible (often
128 or 256 bits)
Caution: if two plaintexts are encrypted with the
same key-stream, the XOR of the two ciphertexts
gives the XOR of the two plaintexts (factoring
out the key-stream). This is a great help in
cryptanalysis.
One-time pad uses the key-stream just once!
It must be as long as the message.
46 Alteration of message
Undetectable change in message!
47 Encryption with RC4 stream cipher
    plaintext  0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1
    keystream  1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0
    ciphertext 1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1
Detection of the keystream: C XOR P = (K XOR P) XOR P = K
    plaintext  0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1
    ciphertext 1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1
    keystream  1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0
Conclusion: if you can see the plaintext and the ciphertext of the same message, you can easily compute the keystream.
This is the keystream, not the key itself.
48 The RC4 Algorithm
Key is 8 to 2048 bits (1 to 256 bytes).
RC4 uses 256-byte vectors S and T.
Initialization of S and T: initially the entries in S are set equal to the values from 0 to 255 in ascending order; the key is copied into T (if key is shorter than 128 bytes, copy several times).
    for i = 0 to 255 do
        S[i] = i
        T[i] = K[i mod keylen]
49 Initial permutation of S: work incrementally through S, swapping each successive byte with a byte dictated by T.
    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) mod 256
        swap(S[i], S[j])
After this we have no more use for T (contains the key).
50 Stream Generation: copy specific bytes of S into the keystream k.
    i, j = 0
    while (true)
        i = (i + 1) mod 256
        j = (j + S[i]) mod 256
        swap(S[i], S[j])
        t = (S[i] + S[j]) mod 256
        k = S[t]
k is the next byte of the keystream.
RSA recommends discarding the first 256 bytes of the generated key-stream.
Encryption: XOR k with next byte of plaintext.
Decryption: XOR k with next byte of ciphertext.
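RC4 as described on the preceding slides, together with the keystream properties from the stream-cipher slides (keystream recovery from known plaintext, keystream reuse, undetectable alteration), as an added Python example that is not part of the original slides. The key and messages are constructed sample values, and the first 256 keystream bytes are not discarded here.

```python
# Added example, not from the original slides.
def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes; key is 1 to 256 bytes, nothing discarded."""
    S = list(range(256))                          # S[i] = i
    T = [key[i % len(key)] for i in range(256)]   # T[i] = K[i mod keylen]
    j = 0
    for i in range(256):                          # initial permutation of S
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                            # stream generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])        # k = S[t]
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return xor(data, rc4_keystream(key, len(data)))

# Constructed sample values (assumptions, not from the slides).
KEY = b"constructed-demo-key"
P1 = b"PAY ALICE 0100 USD"
P2 = b"MEET AT NOON TODAY"
C1, C2 = rc4(KEY, P1), rc4(KEY, P2)   # same key, so same keystream twice

def recovered_keystream() -> bytes:
    """Known plaintext: C XOR P = K (the keystream, not the key)."""
    return xor(C1, P1)

def reuse_leak() -> bytes:
    """C1 XOR C2 = P1 XOR P2: the shared keystream factors out."""
    return xor(C1, C2)

def altered_plaintext() -> bytes:
    """Ciphertext bits flipped without the key still decrypt cleanly."""
    delta = xor(b"0100", b"9100")
    tampered = C1[:10] + xor(C1[10:14], delta) + C1[14:]
    return rc4(KEY, tampered)

if __name__ == "__main__":
    print(recovered_keystream() == rc4_keystream(KEY, len(P1)))
    print(reuse_leak() == xor(P1, P2), altered_plaintext())
```

Decryption of the altered ciphertext raises no error, which is the "undetectable change in message" of the earlier slide: encryption alone does not show that the content was modified.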
51 Figure 2.8 RC4
52 Back to block ciphers
53 ECB
54 Problems with using ECB:
- duplication in plaintext produces duplication in ciphertext, which makes cryptanalysis easier.
- consequence: vulnerable to cut and paste attack (next slide)
55 ECB is vulnerable to a cut-and-paste attack
57 Cipher Block Chaining (CBC): before encryption of a plaintext block, XOR it with the previous ciphertext block.
For first block, need an Initialization Vector.
After decryption of a ciphertext block, XOR the result with the previous ciphertext block.
Since XOR is its own inverse, this recovers the original plaintext block.
59 Alternative description of CBC, from Smith's book
Repeat of the same plaintext does not give same ciphertext
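The Feistel structure from the earlier slides (block size 2w, n rounds, subkeys, round function F, decryption with the subkeys in reverse order) and the ECB and CBC behaviour described above, as an added Python example that is not part of the original slides. The SHA-256 based subkey schedule and round function, the function names and the sample values are assumptions chosen for illustration; this toy cipher is not DES.

```python
# Added example, not from the original slides. Toy cipher: NOT DES, not secure.
import hashlib

W, ROUNDS = 4, 16      # half-block w = 4 bytes (block 2w = 8 bytes), n = 16

def subkeys(key: bytes) -> list:
    """Assumed subkey generation: K_i = SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def F(half: bytes, k: bytes) -> bytes:
    """Assumed round function; F itself does not need to be invertible."""
    return hashlib.sha256(k + half).digest()[:W]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, ks: list) -> bytes:
    L, R = block[:W], block[W:]
    for k in ks:                    # L_i = R_(i-1), R_i = L_(i-1) XOR F(R_(i-1), K_i)
        L, R = R, xor(L, F(R, k))
    return R + L                    # swap halves after the last round

def encrypt_block(b: bytes, key: bytes) -> bytes:
    return feistel(b, subkeys(key))

def decrypt_block(b: bytes, key: bytes) -> bytes:
    return feistel(b, subkeys(key)[::-1])   # same rounds, nth subkey first

def blocks(data: bytes) -> list:
    return [data[i:i + 2 * W] for i in range(0, len(data), 2 * W)]

def ecb_encrypt(pt: bytes, key: bytes) -> list:
    return [encrypt_block(b, key) for b in blocks(pt)]

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> list:
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(xor(b, prev), key)   # XOR with previous ciphertext
        out.append(prev)
    return out

def cbc_decrypt(ct: list, key: bytes, iv: bytes) -> bytes:
    prevs = [iv] + ct[:-1]
    return b"".join(xor(decrypt_block(c, key), p) for c, p in zip(ct, prevs))

# Constructed sample input: blocks 0 and 1 are identical; no padding handled.
KEY, IV = b"constructed key", bytes(range(8))
PT = b"SAMEBLK!SAMEBLK!OTHERBLK"
```

`ecb_encrypt(PT, KEY)` returns identical first and second ciphertext blocks, while `cbc_encrypt(PT, KEY, IV)` does not, and `cbc_decrypt` recovers `PT` from the chained blocks.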
61 CBC, CFB
CFB: like stream cipher with constantly changing key
63 2.5 Location of Encryption Devices
Link encryption: must decrypt packet at each router, to read header.
End-to-end encryption: cannot encrypt packet headers.
Combination: end-to-end for data only, link for entire packet.
64 2.6 Key Distribution
Possible methods of key sharing between A and B:
1. A selects key, physically delivers to B
2. Third party C selects key, physically delivers to A and B
3. If A and B have previously shared a key, a new key could be chosen by one of them and sent to the other encrypted with the old key
4. If A and B each have an encrypted connection to a trusted third party C, C could generate the key and transmit it to A and B over the encrypted connections
65 2.6 Key Distribution - continued
[figure labels: C; permanent key between A and C; permanent key between B and C; session key between A and B]