Title: Cryptography
1 Cryptography
- Block Ciphers and Feistel Functions
2 About the Speaker
- Chuck Easttom, chuck_at_chuckeasttom.com, www.ChuckEasttom.com
- Certifications: A+, Network+, iNet+, Server+, Linux+, MCP (Windows 2000 Pro, VB 6 Desktop and Distributed), MCAD, MCSE, MCDBA, MCSA, MCT, MCTS (Windows Server 2008, SQL Server 2008, Visual Studio 2010, Windows 7), MCITP (Windows 7 and SQL Server 2008), CIW Security Analyst, CEH, CHFI, ECSA, EC Council certified instructor, CISSP, ISSAP, and others.
- Education: B.A. and M.Ed. from Southeastern Oklahoma State University. Ph.D. in progress from Northcentral University.
- Publications: 13 computer science books including 2 widely used security text books. One has a new version coming out next month.
- Worked as a subject matter expert for CompTIA in the creation of the Security+, Server+, and Linux+ exams as well as revising the CTT+.
- Created the CAST 615 Cryptography course for the EC Council.
- Experience: many years in IT, 10 years of teaching/training.
- Frequent expert witness in computer-related cases, both criminal and civil, including cases directly involving cryptography, VPNs, and related topics.
- 7 provisional patents; 4 are directly related to security, all are computer patents.
3 What Cryptography is about
- Don't panic: it is not as hard as you think, so why do you think it's hard?
- Some Basics
- Kerckhoffs's principle
- Symmetric v Asymmetric
- Asymmetric: relationships in number theory
- Symmetric: Transposition and Substitution
- Block v Stream Cipher
4 Symmetric ciphers
- Block ciphers
- Substitution and Transposition
- Historical ciphers (all substitution)
- ATBASH
- Playfair
- Caesar
- Vigenere
5 Information Theory Cryptography Concepts
- Diffusion: Diffusion literally means that a change to one character in the plain text affects multiple characters in the cipher text. This is unlike historical algorithms (Caesar Cipher, Atbash, Vigenere), where each plain text character only affected one cipher text character.
- Confusion: Confusion attempts to make the relationship between the statistical frequencies of the cipher text and the actual key as complex as possible. This occurs by using a complex substitution algorithm.
6 Information Theory Cryptography concepts
- Avalanche: This term means that a small change yields large effects in the output, like an avalanche. This is Feistel's variation on Claude Shannon's concept of diffusion.
- Obviously a high avalanche impact is desirable in any cryptographic algorithm. Ideally a change in one bit in the plain text would affect all the bits of the cipher text. This would be complete avalanche.
7 The Feistel Function
- This function is named after its inventor, the German-born physicist and cryptographer Horst Feistel.
- At the heart of most block ciphers is a Feistel function. This function forms the basis for most block ciphers. This makes it one of the most influential developments in symmetric block ciphers. It is also known as a Feistel Network or a Feistel cipher.
8 Feistel History
- Used in DES, CAST-128, BlowFish, TwoFish, RC5, and others.
- First seen in IBM's Lucifer algorithm (the precursor to DES).
- Michael Luby and Charles Rackoff analyzed the Feistel cipher construction and proved that if the round function is a cryptographically secure pseudorandom function, then 3 rounds is sufficient to make the block cipher a pseudorandom permutation, while 4 rounds is sufficient to make it a "strong" pseudorandom permutation.
9 The Feistel Function - Continued
- This function starts by splitting the block of plain text data (often 64 bits) into two parts (traditionally termed L0 and R0).
- The round function F is applied to 1 of the halves. The term round function simply means a function performed with each iteration, or round, of the Feistel cipher. The details of the round function F can vary with different implementations. Usually these are relatively simple functions, to allow for increased speed of the algorithm.
- The output of each round function F is then XORed with the other half. What this means is that, for example, you take L0, pass it through the round function F, then take the result and XOR it with R0.
- Then the halves are transposed. So L0 gets moved to the right and R0 gets moved to the left.
- This process is repeated a given number of times. The main difference between Feistel based cryptography algorithms is the exact nature of the round function F, and the number of iterations.
10 A simple view of a single Round
11 The Feistel Function
- Here is a general overview of a basic round of a Feistel cipher.
[Diagram: block from the plain text split into ½ of block L0 and ½ of block R0; round function F; output of F; XOR of the output of F and R0; then swap L0 and R0.]
12 Feistel Encryption and Decryption
13 Basic Facts
- Larger Block sizes increase security.
- Larger Key sizes increase security.
- If the round function is secure, then more rounds
increase security.
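The round structure described on the slides above (split into L0 and R0, apply F to one half, XOR the result into the other half, swap) and the avalanche idea, as an added Python example that is not from the original presentation. The key schedule and the HMAC-based round function F are assumptions chosen for illustration; this is a toy cipher, not DES.

```python
import hashlib
import hmac

HALF = 4  # a 64-bit block is split into two 32-bit halves, L0 and R0

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key: bytes, rounds: int) -> list:
    # Assumed toy key schedule: a different subkey for every round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def F(subkey: bytes, half: bytes) -> bytes:
    # Assumed round function: truncated HMAC-SHA256. F is not invertible,
    # and the Feistel structure never needs to invert it.
    return hmac.new(subkey, half, hashlib.sha256).digest()[:HALF]

def feistel(block: bytes, subkeys: list) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        # One round as on the slide: F(L) is XORed into R, then halves swap.
        left, right = xor(right, F(k, left)), left
    return right + left  # undo the last swap so decryption reuses this code

def encrypt(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    return feistel(block, round_keys(key, rounds))

def decrypt(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    # Same network, subkeys applied in reverse order.
    return feistel(block, round_keys(key, rounds)[::-1])

def avalanche(key: bytes, rounds: int) -> int:
    """Ciphertext bits that change when one plaintext bit (in R0) is flipped."""
    a = encrypt(bytes(8), key, rounds)
    b = encrypt(bytes(7) + b"\x01", key, rounds)
    return sum(bin(x).count("1") for x in xor(a, b))

if __name__ == "__main__":
    key = b"constructed demo key"
    ct = encrypt(b"8 bytes!", key)
    print(ct.hex(), decrypt(ct, key))
    for n in (1, 2, 3, 16):
        print(n, "rounds:", avalanche(key, n), "of 64 bits changed")
```

With a single round the flipped bit passes straight through to the output, which is why the number of rounds matters for diffusion.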
14 P-Boxes and S-Boxes
- An s-box is just a substitution box. It defines that each of the input bits are substituted with a new bit.
- A p-box, or permutation box, is a variation on the s-box. Instead of each input bit being mapped to a bit found in a lookup table, the bits that are input are transposed or permuted. Some may be transposed, and others left in place. For example a 6 bit p-box may swap the 1st and 4th bits, swap the 2nd and 3rd bit, but leave the 5th bit in place.
15 Using the Feistel FUNCTION
- The classic example is DES. The Data Encryption Standard is a classic in the annals of cryptography. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976. While it is now considered outdated and is not recommended for use, it was the premier block cipher for many years and bears study. Many cryptography textbooks and university courses use this as the primary example of block ciphers.
- DES uses a 56-bit key applied to a 64 bit block. (Note there is actually a 64 bit key generated but 8 bits are just for error correction.)
- DES is a Feistel cipher with 16 rounds and a 48-bit round key for each round. So its general functionality follows the Feistel method of dividing the 64 bit block into two halves (32 bits each), applying the round function to one half, then XORing that output with the other half, and finally swapping the halves.
- DES REALLY HAS ONLY 4 STEPS
16 DES
- The actual algorithm: generating the round key
- Step 1: To generate the round keys, the 56-bit key is split into two 28-bit halves and those halves are circularly shifted after each round by one or two bits. In other words the halves are first subjected to a round function, then the keys are shifted by 1 to 2 bits. 48 bits are selected from this process each round to create the round key. So each round has a slightly different key.
- Step 2: Then the 32 bit halves are expanded to 48 bits (eight 6-bit blocks); this is a permutation. The 48 bit halves are XORed with the round key. Then the round function (next slide) is applied.
17 DES - Continued
- Step 3: The DES round function uses eight S-boxes. The term s-box just means substitution boxes and they are look-up tables. Each item passed into the box is substituted with the item that matches it in the lookup table. This is a very common tactic in symmetric key algorithms. Each one of the DES s-boxes takes in 6 bits and produces 4 bits. The middle 4 bits of the 6 bit input are used to look up the 4 bit replacement. This produces eight 4-bit blocks that are concatenated into one 32 bit block.
- Step 4: The 32 bit block is put through a P-box.
- This is done each round of DES, and remember that DES has 16 rounds. So this is an effective way to scramble the plain text. We get high diffusion and confusion.
18 Unbalanced Feistel Cipher
- There is a variation of the Feistel network called an Unbalanced Feistel cipher. Unbalanced Feistel ciphers use a modified structure where L0 and R0 are not of equal lengths. This means that L0 might be 32 bits and R0 could be 64 bits (making a 96 bit block of text). This variation is actually used in the Skipjack algorithm.
- Note: one can also have an expanding or contracting unbalanced cipher.
19 KFC (Krazy Feistel Cipher)
- Developed by Thomas Baignères and Matthieu Finiasz, presented at AsiaCrypt 2006.
- Instead of computing the advantage of the best d-limited adversary, KFC will bound it by a function of the advantage of the best (d - 1)-limited adversary.
20 KFC - Continued
- Note: this image comes from Baignères and Finiasz's paper.
21 KFC - Continued
- Idea: replace the layers of random permutations with layers of random functions.
- The following image is also from their paper/presentation.
22 Dual Feistel
- This is my own variation. It involves two round functions, one being applied to each half.
[Diagram: block from the plain text split into ½ of block L0 and ½ of block R0; round function F and round function F2; output of F; output of F2; XOR.]
23 Simple ways to improve block ciphers
- Without any math at all you can improve any block cipher with some simple techniques:
- Whitening
- Cipher block chaining mode
- Cipher feedback mode
- Initialization Vector
24 Whitening
- Just XOR a key with the text either before the round function, after the round function, or both.
25 Whitening
[Diagram, three panels: plain text block for round; XOR with a random key the same size as the block; pseudo plain text; round function.]
26 Electronic codebook (ECB)
- The most basic encryption mode is the electronic
codebook (ECB) mode. The message is divided into
blocks and each block is encrypted separately.
The problem is that if you submit the same plain
text more than once, you always get the same
cipher text. This gives attackers a place to
begin analyzing the cipher to attempt to derive
the key.
27 Cipher-block chaining (CBC)
- When using cipher-block chaining (CBC) mode, each
block of plaintext is XORed with the previous
ciphertext block before being encrypted. This
means there is significantly more randomness in
the final ciphertext. This is much more secure
than electronic codebook mode and is the most
common mode.
28 CBC
[Diagram: plain text block for round i; XOR; cipher text produced in round i-1; pseudo plain text; round function.]
29 Cipher feedback (CFB)
- In CFB mode the previous ciphertext block is encrypted, then the ciphertext produced is XORed back with the plaintext to produce the current ciphertext block. Essentially it loops back on itself, increasing the randomness of the resultant ciphertext.
30 CBC
[Diagram: plain text block for round i; round function; cipher text for round i; XOR; cipher text produced in round i-1.]
31 Initialization vector (IV)
- An IV is a fixed-size input to a cryptographic primitive that is random or pseudorandom. Some cryptographic methods require the IV only to be non-repeating, not truly random. In this case, the IV is commonly called a nonce (number used once), and the methods are described as stateful as opposed to randomized.
- In a block cipher using Electronic Code Book (ECB) mode, encryption of the same plain text with the same key results in the same ciphertext. Use of an initialization vector that is XORed with the first block of plaintext or included in front of the plaintext prior to encryption solves this problem.
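The ECB, CBC and IV slides above, as an added Python example that is not from the original presentation. The 16-bit table-based block cipher, the function names and the sample message are constructed for illustration, and the plaintext length is assumed to be a multiple of the block size (no padding).

```python
import hashlib

BS = 2  # toy block size in bytes (assumption; DES uses 8-byte blocks)

def make_cipher(key: bytes):
    # Assumed toy block cipher: a key-dependent permutation of all 2**16 blocks.
    table = sorted(range(1 << 16), key=lambda v: hashlib.sha256(
        key + v.to_bytes(BS, "big")).digest())
    inverse = [0] * len(table)
    for plain, cipher in enumerate(table):
        inverse[cipher] = plain
    def enc(b): return table[int.from_bytes(b, "big")].to_bytes(BS, "big")
    def dec(b): return inverse[int.from_bytes(b, "big")].to_bytes(BS, "big")
    return enc, dec

def blocks(data: bytes) -> list:
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(enc, plaintext: bytes) -> bytes:
    # Every block is encrypted on its own: equal blocks in, equal blocks out.
    return b"".join(enc(b) for b in blocks(plaintext))

def cbc_encrypt(enc, iv: bytes, plaintext: bytes) -> bytes:
    prev, out = iv, [iv]  # the IV is not secret; it travels with the message
    for b in blocks(plaintext):
        prev = enc(xor(b, prev))  # XOR with previous ciphertext, then encrypt
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(dec, ciphertext: bytes) -> bytes:
    cts = blocks(ciphertext)  # cts[0] is the IV
    return b"".join(xor(dec(c), prev) for prev, c in zip(cts, cts[1:]))

def repeats(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    bl = blocks(ciphertext)
    return len(bl) - len(set(bl))

if __name__ == "__main__":
    import secrets
    enc, dec = make_cipher(b"constructed demo key")
    msg = b"AB" * 8  # constructed plaintext: eight identical blocks
    print("ECB repeats:", repeats(ecb_encrypt(enc, msg)))
    for _ in range(2):  # a fresh random IV for each message
        ct = cbc_encrypt(enc, secrets.token_bytes(BS), msg)
        print("CBC", ct.hex(), "repeats:", repeats(ct), cbc_decrypt(dec, ct))
```

When checking a real system for ECB use, the same `repeats` idea applies: duplicate ciphertext blocks for structured plaintext are the tell.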
32 Additional Resources
- The original article describing Feistel ciphers: H. Feistel, "Cryptography and Computer Privacy," Scientific American, v. 228, n. 5, May 73, pp. 15-23.
- Bruce Schneier on unbalanced Feistel ciphers: http://www.schneier.com/paper-unbalanced-feistel.pdf
- Elastic Block Ciphers: http://www.cs.columbia.edu/techreports/cucs-021-04.pdf
- KFC: http://www.baigneres.net/papers/kfc_slides.pdf
- KFC: http://www.iacr.org/archive/asiacrypt2006/42840384/42840384.pdf