Conventional Cryptography

1
Conventional Cryptography

• Dr. Ron Rymon
• Efi Arazi School of Computer Science
• IDC, Herzliya. 2007/8

Pre-Requisites Simple Math Background
2
Overview

• Symmetric Cryptography
• Cipher Block Modes
• Key Management
• Message Authentication Using Conventional
  Cryptography

3
Symmetric Cryptography
Main sources Network Security Essentials /
Stallings Applied
Cryptography / Schneier
4
Symmetric Cryptography Protocol

• A typical protocol
• Alice and Bob agree on cryptosystem (algorithm)
• Alice and Bob agree on a key
• Alice encrypts her message with the key
• Alice sends the message to Bob
• Bob decrypts the messages using same key
• A common variation is where a new key is issued
  for each session (set of messages) and is
  corresponded encrypted using the master key

5
Feistel Networks

• Most block encryption algorithms use this general
  structure, due to Horst Feistel (1973)
• Inputs Plaintext (halved) , Key, Round function
  F
• Uses n rounds, in each (e.g., n16)
• Inputs Li and Ri Ki is derived from K
  (sub-key)
• Li1Ri
• Ri1Li?F(Ri,Ki)
• F (round function) selects certain bits,
  duplicates some, and permutes them. Ki is derived
  from K
• Final ciphertext is combination of Ln and Rn
• At IBM, Feistel built Lucifer, the first such
  system

6
?
7
Notes on Feistel Cipher Structure

• Decryption The same process is reversible
• Ri-1Li
• Li-1Ri?F(Ri-1,Ki-1)
• Same algorithm can be used but with keys reversed
• Security Considerations
• Larger block size results in fewer blocks and
  increased security
• Larger key size also increases security (recall
  Shannon)
• More rounds considered to offer better security
  (?)
• Greater complexity of subkey generation may help
  security
• Greater complexity of round function may increase
  security

8
Design Goals for Block Ciphers

• Highly secure more of everything
• Fast fewer rounds that use simpler operations
• Low communication overheads
• Low battery consumption in hand-helds
• Easy to implement in hardware
• Simple, ubiquitous operations
• Efficient in memory usage
• Can run on a smart card
• Require less secret material (keys, boxes)
• Sometimes put on expensive tamper-proof memory

9
Design Principles for Feistel Round Function

• Feistel is a family of algorithms
• Depends on choice of F, and subkey generation
  algorithm
• Can be designed to fit needs
• Non-Linearity. F is as difficult as possible to
  approximate with a set of linear equations
• Avalanche
• Strict Avalanche Criterion (SAC) with the
  change of any one input bit, every output bit
  shall change with probability of exactly ½
• Bit Independence Criterion (BIC) output bits
  i,j shall change independently from each other
  when an input bit is inverted
• Guaranteed Avalanche at least n output bits
  will change whenever any single input bit is
  inverted

10
Data Encryption Standard (DES)

• Without a standard, software and hardware cannot
  interoperate, or at least it is very expensive
• In 1973, National Institute for Standards and
  Technology (NIST) issued RFP for Data Encryption
  Algorithm (DEA)
• provide high level of security
• completely specified and easy to understand
• the security must reside in the key
• available to all users
• adaptable to diverse applications
• economically implementable in hardware
• efficient to use
• validated
• exportable

11
Data Encryption Standard (DES)

• NIST (NBS) issued a Request For Proposal (RFP)
• Only serious proposal came from IBM
• Patented and based on Lucifer (Feistel et al)
• NIST issued a Request For Comments (RFC)
• For first time, a crypto algorithm is reviewed by
  experts (NSA)
• Quite a few were concerned about NSA backdoor
• NSA reduced the key size from 112 to 56 bits
• Diffie and Helman presented a 20MM 1-day DES
  cracking machine
• NSA had also changed the original S-boxes design
• There were some claims of linearity in the new
  design
• DES was adopted in 1977, and renewed in 1983
• In 1987, under NSA pressure, DES almost not
  re-certified
• Concerned about the details of the algorithm
  being open and available to software
  implementations
• Certified only hardware implementations until 1994

12
Data Encryption Standard (DES)

• A Feistel block cipher structure
• 64-bit blocks
• 56-bit keys
• 16 rounds
• Adds initial and final permutation of the text
  (irrelevant to security)
• Key shifted circularly for next round, and 48
  bits are selected for Ki

13
One Round of DES
14
One Round of DES

• Key Transformation
• Each key-half is shifted 1 or 2 bits in each
  round (per given table)
• The 56 key bits are permuted and 48 bits are
  chosen (per table)
• Text transformations
• Expansion of Ri from 32 to 48 bits (size of key)
• Avalanche effect some bits are duplicated
• 48 bits are XORed with Ki
• Substitution, using 8 S-Boxes with 6-bit input
  and 4-bit output
• S-boxes are well chosen to introduce
  non-linearity
• 32 bits are permuted according to specified P-Box
• 32 bits are XORed with Li to create Ri1

15
Data Encryption Standard (DES)

• Confusion
• Obtained through permutations, substitutions, and
  number of rounds
• Diffusion
• Good avalanche effect 1 bit difference in
  plaintext quickly results in a large difference
  in bits, even after few rounds
• Software implementations are slow
• On IBM Mainframe 32,000 blocks / second
• Hardware implementations are very fast
• VLSI Technology 6868 (Gatekeeper) DESes in 8
  clock cycles
• DEC built GaAs gate array that DESes 16.8 million
  blocks / second

16
DES Avalanche Effect

• (a) Difference between two plaintexts with 1-bit
  original difference
• (b) Difference between two keys with 1-bit
  original difference

17
Data Encryption Standard (DES)

• Weak keys
• All 0s, or all 1s in each half would result in
  same subkeys
• Note if Kcomplement of K, then Ek(P)
  complement of Ek(P)
• Claims that the S-boxes were weakened by the NSA
• Notable DES Attacks
• In 1990, Eli Biham and Adi Shamir presented
  differential cryptanalysis
• A chosen-plaintext attack that uses two
  plaintexts with specific difference. Then, based
  on the difference in the ciphertext (and also
  internal rounds), one can update the a priori
  probability of keys
• Similar to the T-attack that was originally
  developed at IBM and was classified by NSA
• In 1993, Mitsuru Matsui showed linear
  cryptanalysis attack
• Certain XORs of plaintext and ciphertext bits
  will result in a certain XOR of key bits with
  some probability p?1/2

18
EFFs DES Cracker

• In 1996, a public debate about security of DES.
• US Agencies (FBI, NSA) claiming that they cannot
  practically break DES (takes weeks on many
  computers)
• Offer companies software export license in return
  for establishing a key recovery system
• Electronic Frontier Foundation DES Cracker
  project
• DES is slow in software but fast in hardware
• Used easily available Field Programmable Gate
  Arrays
• Total budget is 200,000
• Used hardware to winnow false positives
  (plaintext recognizer) then software to test the
  remaining
• A 1996 paper by top cryptographers suggests a
  minimum key size of 75 bits, and 90 bits needed
  to hold for 20 years

19
RC5

• Also a block cipher, invented by Ron Rivest
  (1994)
• Similar in structure to Feistel
• Operations XORs, Additions (mod bitsize), and
  Rotations
• Word-oriented, Low-cycle operations Fast in
  software
• Variable length blocks, keys, and number of
  rounds (r)
• Each block is made of 2 w-bits blocks (A, B)
  (w16,/32/64)
• Each key is made of bx8 bits (0ltblt255 can be
  larger than a block)
• Round keys (S2i , S2i1), each with w bits, are
  derived from the key
• Encryption and decryption consist of r rounds
• With 16 rounds, RC5 resists differential attack
• 12 round RC5 shown susceptible with 244 chosen
  plaintexts
• Data-dependent shifts is one of the innovations
  of RC5

20
RC5 Encryption and Decryption
B
A

• S2i ,S2i1 are round sub-keys
• Start AAS0 BBS1
• In each encryption round (i1..r)
• A((A ? B)ltltltB) S2i
• B((A ? B)ltltltA) S2i1
• In each decryption round (ir1)
• B((B-S2i1)gtgtgtA) ? A
• A((A-S2i)gtgtgtB) ? B
• Finish AA-S0 BB-S1

S2i
S2i1
A
B
21
RC5 Subkey Generation

• Sub-keys are a mix of original key with two words
  
• POdd((e-2)2w) e is the natural log 2.71
• QOdd((Phi-1)2w) Phi is golden ratio
  (1sqrt(5))/2 1.61
• Initialize a c-word sub-key array
• S0P
• For i12r1
• Si(Si-1Q)
• Mix with key bits
• L is a c-word array filled with 0-padded
  concatenation of key bits
• c rounds the key bytes into words
• ij0 AB0
• Do 3n times (nmax2(r1),c)
• A Si(Si AB)ltltlt3
• B Lj(Lj AB)ltltlt(AB)
• i(i1) mod 2(r1)
• j(j1) mod c

22
Variants in Other Block Ciphers

• Blowfish (Schneier)
• Simple additions, XORs, and table lookups
• Table lookups may require large memory
• Variable key length
• CAST
• The round function differs from one round to next
• Intl Data Encryption Alg (IDEA), Lai and Masey
• Plaintext, key, and ciphertext are divided to 4
  parts
• Uses XORs, additions, and multiplications in 8
  rounds
• 128-bit key, 52 16-bit subkeys (can be
  independent)
• Resists differential cryptanalysis
• Used in PGP

23
Triple DES (3DES)

• In 1999, DES becomes too weak
• NIST replaces DES with 3DES
• 3DES (EDE) uses three 56-bit keys

• CEk3(Dk2(Ek1(P)))
• PDk1(Ek2(Dk3(C)))
• Note if K1K2 then 3DESDES
• Double encryption doesnt work well
• Merkle-Hellman chosen plaintext man-in-the-middle
  attack requires only 2n1 trials (instead of 22n)
• Quintuple encryption also ok
• CEk1(Dk2(Ek3(Dk2(Ek1(P)))

24
Stream Ciphers
Keystream Generator
Ki
Pi
Ci

• A pseudorandom keystream generator
• Keystream depends only on generating key
• Keystream bits are XORed with the plaintext to
  produce the ciphertext, and vice-versa
• Similar to one-time pads, except that not
  strictly random
• Keystream period should be as long as possible
• Other options
• Keystream may change according also to previous
  encryptions, block index, etc.
• In synchronous stream ciphers, keystream does not
  depend on text, otherwise, it is called
  self-synchronizing

25
RC4

• Byte-based stream cipher, with variable key size
• Uses an S-box, with all possible 8-bit
  key-entries
• Initialized so that Sii, i0255
• Sis are initially permuted, based on the key
• j0
• for i0 to 255
• j(jSiKi) mod 256 // Ki is original key
• Swap Si and Sj
• In each iteration
• Indices i,j are updated
• ii1 mod 256 j(jSi) mod 256
• Si and Sj are swapped for current i,j
• KS(SiSj mod 256
• The keystream K is then XORed with the plaintext
• RC4 with up to 40-bit keys was approved by NSA,
  and is used in Lotus Notes, CDPD, WEP, and
  original SSL

26
Summary of Cryptographic Tools

• Rounds structure
• Key generation
• Mixing key bits for confusion and diffusion
• Use of state matrix for session key
• Encryption
• Mix round key with plaintext for
  confusion/diffusion
• Bit permutation
• Substitution with S-boxes for non-linearity
• Data dependent operations (e.g., shifts) to add
  complexity
• Use of processor-friendly operations for software
  speed
• Key size, block size, many rounds add to security
• Multi-application of encryption with more key
  bits
• Block ciphers vs. Stream Ciphers

27
Advanced Encryption Standard (AES)

• NIST put out the RFP in 1997
• In meantime, 3DES replaces DES in 1999
• Main criteria for evaluation
• Security
• Cost and performance of implementation
• General evaluation of design features
• Five finalists (out of 21)
• In October 2000, NIST recommended Rijndael
• Approved 2002

28
Rijndael Block Cipher

• By Belgians Joan Daemen, and Vincent Rijmen
• Variables block size and key size
• Number of rounds determined by block and key size
• Does not use Feistel structure
• Instead, each round uses a state and 4 operations
• Non-linear layer, uses optimized S-boxes, for
  confusion
• 16x16 S-box with all byte values, and a separate
  inverse S-box
• Linear mixing layer for diffusion
• Row shifts on the state matrix
• Column mixes on the state matrix
• Key addition layer, using a simple XOR
• AES set to use Rijndael with 128bit blocks, key
  size of 128-192-256 bits, and 10-12-14 rounds

29
Rijndael Structure
30
Rijndael Round
31
Next Class

• Cipher Block Modes
• Key Management
• Message Authentication Using Conventional
  Cryptography