Secret Key Cryptography - PowerPoint PPT Presentation

Provided by: cetink

1
Secret Key Cryptography
2
Outline
  • Conventional encryption
  • Block ciphers
  • DES, IDEA, Skipjack, RC5
  • Cryptanalysis
  • Attacks
  • Key Distribution

3
Conventional Encryption
  • The original message, referred to as plaintext,
    is converted into random nonsense, referred to as
    ciphertext.
  • The encryption process consists of an algorithm
    and a key.

4
Conventional Encryption 2
  • The algorithm produces a different output for
    every different key being used
  • Once the ciphertext is produced it is transmitted
  • Upon reception the ciphertext can be transformed
    back to the original plaintext by using a
    decryption algorithm and the same key

5
Conventional Encryption 3
  • The security depends on several factors
  • It must be impractical to decrypt a message with
    only the knowledge of the ciphertext
  • It must still be impractical to decrypt a
    message even if the algorithm is known. In other
    words, only the encryption/decryption key
    needs to be kept secret

6
Block Ciphers
  • Ek(m) = c
  • Some modes of use
  • Electronic Code Book (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher Feedback Mode (CFB)
  • Output Feedback Mode (OFB)

7
Block Ciphers 2
  • Electronic Code Book
  • Each plaintext block is encrypted independently
  • Not very secure for highly formatted data
  • The blocks of encrypted messages are not linked
  • Cipher Block Chaining
  • Output of one enciphering step is used to modify
    the input of the next
  • Self-synchronizing on block boundaries
  • At most two blocks are decrypted in error when
    one block is received in error
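
An added example (not part of the original slides) illustrating two claims on this slide: ECB repeats ciphertext blocks wherever plaintext blocks repeat, and in CBC one corrupted ciphertext block damages at most two decrypted blocks. The block cipher is a hypothetical 4-round toy Feistel built on SHA-256 standing in for DES; the key, IV and record are constructed.

```python
import hashlib
BLOCK = 8  # bytes: 64-bit blocks, as for the ciphers in this deck

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, rnd):  # toy round function: truncated SHA-256, not DES's f
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(r, key, rnd))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(l, key, rnd)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(enc_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = enc_block(key, _xor(b, prev))  # chain in the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    cs = blocks(ct)
    return b"".join(_xor(dec_block(key, c), p) for c, p in zip(cs, [iv] + cs))

def damaged_blocks(key, iv, pt, flip_at):
    """Flip one ciphertext bit; list the plaintext blocks that then decrypt wrongly."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[flip_at] ^= 0x01
    got = blocks(cbc_decrypt(key, iv, bytes(ct)))
    return [i for i, p in enumerate(blocks(pt)) if p != got[i]]

KEY, IV = b"demo-key", bytes(BLOCK)  # constructed; fixed IV only for reproducibility
PT = b"PAY 0100" * 3 + b"PAY 9999" + b"PAY 0100"  # constructed, highly formatted record
if __name__ == "__main__":
    print(len(set(blocks(ecb_encrypt(KEY, PT)))), damaged_blocks(KEY, IV, PT, flip_at=8))
```

The five-block record yields only two distinct ECB ciphertext blocks, which is the leak behind "not very secure for highly formatted data".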

8
General Principles
  • Confusion
  • Make the relation between the key and the
    ciphertext as complex as possible
  • Diffusion
  • Spread the influence of a single plaintext digit
    over many ciphertext digits
  • Transposition Cipher
  • Rearrange the order of the plaintext digits
  • Substitution Cipher
  • Replace occurrences of certain patterns with
    other patterns

9
DES: IBM (1974), adopted as a national standard 1977
  • 64-bit block cipher, 56-bit key, 16 rounds
  • Key transformed into 16 partial keys using a key
    scheduling algorithm
  • Confusion provided by the key scheduling and the
    S-boxes
  • Diffusion provided by the mixing and permutations
  • Up to 1 Gbit/sec in hardware (250 MHz)

10
DES
[Figure: DES structure. INPUT → INITIAL PERMUTATION → L0, R0 → rounds of f, with L1 = R0 and R1 = L0 ⊕ f(R0, K1) → L16, R16 → INVERSE INITIAL PERMUTATION → OUTPUT]

11
IDEA
  • PES (1990), revised to IPES (1991)
  • 64-bit block cipher, 128-bit key
  • 8 rounds; key scheduling provides 52 subkeys of
    16 bits
  • Confusion provided by a mix of incompatible
    arithmetic operations
  • Diffusion provided by the architecture of the
    algorithm
  • Between 45 Mbits/sec and 115 Mbits/sec in hardware

12
RC5
  • Rivest (1994)
  • Basic features
  • variable block size, variable-length secret key
  • iterative cipher with a variable number of rounds
  • secret key is used to fill an expanded key table
    S.
  • security provided by heavy use of data-dependent
    rotations and a mixture of different operations

13
Skipjack: Designed by NSA as part of the Capstone project
  • 64-bit block cipher
  • 80-bit key
  • Iterative, 32 rounds
  • Reported to be secure against publicly known
    attacks
  • 16 Mbit/sec
  • Intended for use with the proposed Clipper chip

14
Cryptanalysis
  • Main Types
  • Ciphertext only
  • Known plaintext
  • Chosen plaintext
  • Some Methods
  • Brute force
  • Differential cryptanalysis
  • Other

15
Brute Force
  • For any block cipher, it is possible to try all
    possible keys
  • For DES there are 2^56 possible keys
  • There is a complementation property for DES
  • Using the complementation property a brute force
    attack requires only 2^55 DES operations
  • How expensive is exhaustive search?

16
Multiple Encryption
  • Ek2(Ek1(m))
  • Merkle and Hellman (1981) - an attack using known
    plaintext/ciphertext pairs
  • DES - 2^56 operations and 2^56 words of memory
  • Ek1(Dk2(Ek1(m)))
  • A chosen plaintext attack
  • DES - 2^56 operations and 2^56 memory
  • Ek3(Dk2(Ek1(m)))
  • Recommended

17
Differential Cryptanalysis
  • Iterated ciphers with a weak round function
  • Choosing pairs of plaintext, observe the effect
    of the difference between them on the difference
    between resulting ciphertext pairs
  • Assign probabilities to the possible keys
  • Locate the most probable key
  • 16 round DES can be cryptanalysed using 2^47
    chosen plaintext pairs

18
Characteristics
  • A structure consisting of several rounds
  • The difference between two inputs is fixed
  • The difference between outputs is specified
  • The intermediate differences between rounds are
    specified
  • the key is unknown
  • The characteristic has a probability attached

19
Characteristics 2
  • Each input pair with the correct difference is
    either a right pair or a wrong pair
  • Right pair yields useful key information
  • Wrong pair yields random key information
  • Characteristics can be combined
  • The smaller the probability, the more pairs we
    need

20
Results
  • Differential cryptanalysis has been used with
    success on
  • FEAL-N and N-Hash
  • Snefru and Khafre
  • REDOC-II
  • LOKI
  • Lucifer
  • DES
  • (Biham and Shamir still consider DES secure)

21
Differential Cryptanalysis and DES
  • Coppersmith reports that differential
    cryptanalysis was known to the designers of DES
  • S-box design
  • Further hints

22
Other Attacks
  • Cycling Attacks
  • For each pair of keys k1 and k2, is there a third
    key k3 such that Ek1(Ek2(m)) = Ek3(m)?
  • If so
  • we can decrypt using k1 and k2 instead of k3, and
  • there is an attack requiring 2^28 operations

23
Other Attacks
  • Key Scheduling Attack
  • Iterated ciphers
  • Chosen key attack
  • LOKI91, requires 2^32 chosen plaintexts, 2^48
    known plaintexts
  • DES is not susceptible
  • The key scheduling algorithm is important

24
Summary
  • Recent advances in cryptanalysis
  • New block ciphers have had mixed fortunes
  • DES is still considered secure

25
Stream Ciphers
  • Motivation
  • Well developed ground rules
  • Strong analytical framework
  • Analogy with the one-time pad
  • Fast

26
Design Approaches
  • Information theoretic
  • The opponent has unlimited resources
  • Complexity theoretic
  • The security depends on a difficult problem
  • Randomized stream ciphers
  • The opponent is forced to solve a problem of
    infeasible size
  • System theoretic
  • Belief in security depends on the state of the art

27
One-time Pad: Vernam (1926), Shannon (1949)
  • Choose r1, r2, ... independently and at random
    (keystream)
  • Write the plaintext as m1, m2, ..., mn (message
    stream)
  • The ciphertext is c1, c2, ..., cn where ci = mi ⊕ ri
  • Provably secure
  • Drawback: the key is as large as the message

28
Two Types
  • Synchronous
  • Keystream generated independently of the message
    stream
  • No error propagation
  • Requires perfect synchronization

29
Two Types
  • Self-synchronizing
  • Keystream generation depends on n previous
    ciphertext digits
  • Limited error propagation
  • Can resynchronize

30
OFB and CFB
  • Two modes of use for a block cipher
  • OFB generates a keystream independently of the
    plaintext
  • CFB employs feedback and is self synchronizing
  • For both OFB and CFB, each iteration encrypts m
    bits at a time, where for DES 1 ≤ m ≤ 64
  • OFB is only considered secure with DES if m = 64

31
Basic Properties
  • What properties do we want the keystream to have?
  • Large period
  • Golomb's Postulates (1967) address the following
    issues
  • Balance
  • Pattern distribution
  • Correlation
  • Sequences that satisfy Golomb's Postulates are
    termed pseudo-noise or PN-sequences

32
Shift Registers
  • A Linear Feedback Shift Register (LFSR) of
    length n can produce a sequence of period 2^n - 1
  • Such a sequence also satisfies Golomb's
    Postulates
  • Shift registers are very fast to implement
  • On their own, cryptographically weak

33
Linear Complexity
  • A sequence S of period p can be generated on a
    LFSR of length ≤ p
  • The length of the shortest LFSR that can generate
    S is called the linear complexity
  • If a sequence has linear complexity n, then there
    is an algorithm that identifies the minimum LFSR
    after 2n successive bits (Massey, 1969)
  • A good keystream should have a large linear
    complexity

34
Linear Complexity 2
  • Consider a sequence S
  • Compute the linear complexity of the sequence
    after each new bit is added
  • This gives a linear complexity profile
  • Rueppel provides results on the linear complexity
    profile
  • A good keystream should have a good linear
    complexity profile

35
  • Filter generator
  • Take the output from a single register in an
    unconventional way
  • Combination generator
  • Combine the output of several registers

36
Correlation Attacks
  • Geffe generator
  • f(x1,x2,x3) = x1x2 ⊕ x1x3 ⊕ x2x3
  • Using registers of length 3, 5 and 7 we can
    generate sequences of period 24,559 with linear
    complexity 71
  • If x1 = 0 then with probability 3/4
  • f(x1,x2,x3) = x2x3 = 0
  • If x1 = 1 then with probability 3/4
  • f(x1,x2,x3) = x2 ⊕ x3 ⊕ x2x3 = 1
  • x1 = f(x1,x2,x3) with probability 3/4

37
  • Suppose the feedbacks are known and the key is
    the initial starting values of the registers
  • Choose an initial value for register 1
  • Generate the sequence from register 1
  • Count the proportion of agreements with the
    target sequence
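
An added example (not from the original slides) covering both the linear complexity slides and the correlation slides above: Berlekamp-Massey computes the linear complexity profile, and the procedure on this slide finds register 1's starting value from the keystream alone, which is why the combining function needs correlation immunity. The feedback polynomials, starting values and function names are assumptions chosen for the demonstration.

```python
from itertools import product

def lfsr(taps, state, nbits):
    """Fibonacci LFSR over GF(2): s[t+n] = XOR of s[t+k] for k in taps."""
    s = list(state)
    while len(s) < nbits:
        t = len(s) - len(state)
        s.append(sum(s[t + k] for k in taps) & 1)
    return s[:nbits]

def linear_complexity_profile(bits):
    """Berlekamp-Massey: shortest-LFSR length after each successive bit."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n  # current / previous connection polynomial
    L, m, profile = 0, -1, []
    for i in range(n):
        d = bits[i]  # discrepancy between bit i and the current LFSR's prediction
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
        profile.append(L)
    return profile

# Assumed primitive feedback polynomials: x^3+x+1, x^5+x^2+1, x^7+x+1
TAPS = [(0, 1), (0, 2), (0, 1)]

def geffe(states, nbits):
    """Combine three LFSRs with the slide's f = x1x2 XOR x1x3 XOR x2x3."""
    x1, x2, x3 = (lfsr(t, s, nbits) for t, s in zip(TAPS, states))
    return [(p & q) ^ (p & r) ^ (q & r) for p, q, r in zip(x1, x2, x3)]

def agreement(a, b):
    return sum(x == y for x, y in zip(a, b)) / len(a)

def recover_register1(keystream):
    """Slide 37: try every start value of register 1, keep the best-agreeing one."""
    cands = [s for s in product((0, 1), repeat=3) if any(s)]
    return max(cands, key=lambda s: agreement(lfsr(TAPS[0], s, len(keystream)), keystream))

SECRET = [(1, 0, 1), (0, 1, 1, 0, 1), (1, 1, 0, 0, 1, 0, 1)]  # constructed key
KS = geffe(SECRET, 2000)  # keystream seen by the analyst

if __name__ == "__main__":
    print(linear_complexity_profile(KS[:300])[-1], recover_register1(KS))
```

The correct starting value agrees with the keystream about three times in four while the other six candidates sit near one half, so each register can be searched separately instead of searching all three jointly.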

38
  • What properties do we require for the combining
    (filter) function?
  • High non-linearity
  • Correlation immunity
  • Siegenthaler showed that there is a conflict
    between these goals
  • Rueppel showed that this conflict can be avoided
    using a more sophisticated combining function
    with memory

39
Different Types
  • Combination and filter generators
  • Clock control
  • Stop-Go, Alternating, Cascade
  • Feedback clock control
  • Multiplexer - One LFSR is used to index the
    output bit from another LFSR
  • Multiplicative congruential generator: output
    obtained from xi where
  • x(i+1) = a·xi mod n
  • RC4

40
RC4: Designed by Rivest for RSA Data Security, Inc.
  • Variable key size
  • Security depends on the use of a random
    permutation
  • Period overwhelmingly likely to be greater than
    10^100
  • No known bad keys
  • Encryption rate ? Mbyte/sec

41
Summary
  • No standard form of design
  • Many individual analytic techniques
  • Well developed theory
  • Very appealing performance

42
Key Distribution
  • The strength of any cryptographic system rests
    with the key distribution technique. For two
    parties A and B, distribution can be achieved in
    a number of ways
  • A key can be selected by A and physically
    delivered to B
  • A third party can select the key and physically
    deliver it to A and B
  • If A and B have previously and recently used a
    key, one party can transmit the new key to the
    other, encrypted by using the old key.
  • If A and B have an encrypted connection to a third
    party C, C can deliver a key on the encrypted
    links to A and

43
Key Distribution 2
  • Use of a key distribution center (KDC)
  • Communication between end systems is encrypted
    using a temporary key (session key)
  • For each system user, there is a unique master
    key which is shared with the KDC
  • For N entities, N(N-1)/2 session keys and N
    master keys are required