Lecture 02
Symmetric Cryptography
Asst.Prof. Supakorn Kungpisdan, Ph.D.
[email protected]
NETE0519-ISEC0513
1
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Cipher
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
2
Basic Terminology
plaintext - original message
ciphertext - coded message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering ciphertext from plaintext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - study of principles/ methods of
deciphering ciphertext without knowing key
 cryptology - field of both cryptography and cryptanalysis








NETE0519-ISEC0513
3
How a Cryptosystem Works
Plaintext (M) (data file or messages)
encryption algorithm (E) +
secret key A (KA)
EKa(M) = C
DKb(C) = M
DKb(EKa(M)) = M
Ciphertext (C) (stored or transmitted safely)
decryption algorithm (D) +
secret key B (KB)
Plaintext (M) (original data or messages)
Note: Key A may be the same as Key B,
depending on the algorithm
NETE0519-ISEC0513
4
Brute Force Search
 always possible to simply try every key
 most basic attack, proportional to key size
 assume either know / recognise plaintext
Key Size (bits)
Number of Alternative
Keys
Time required at 1
decryption/µs
Time required at 106
decryptions/µs
32
232 = 4.3  109
231 µs
= 35.8 minutes
2.15 milliseconds
56
256 = 7.2  1016
255 µs
= 1142 years
10.01 hours
128
2128 = 3.4  1038
2127 µs
= 5.4  1024 years
5.4  1018 years
168
2168 = 3.7  1050
2167 µs
= 5.9  1036 years
5.9  1030 years
26! = 4  1026
2  1026 µs = 6.4  1012 years
26 characters
(permutation)
NETE0519-ISEC0513
6.4  106 years
5
Types of Cryptography
 Symmetric Cryptography
 Deploy the same secret key to encrypt and decrypt messages
 The secret key is shared between two parties
 Encryption algorithm is the same as decryption algorithm
 Asymmetric (Public-key) Cryptography
 Private key, Public key
 The secret key is not shared and two parties can still
communicate using their public keys
 Encryption alg. is different from decryption alg.
NETE0519-ISEC0513
6
Symmetric Cryptography
NETE0519-ISEC0513
7
Public-Key Cryptography
NETE0519-ISEC0513
8
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
9
Model of Symmetric Cryptosystem
NETE0519-ISEC0513
10
What is Symmetric Encryption used for?
 Transmitting data over an insecure channel
 Secure stored data (encrypt & store)
 Provide integrity check
NETE0519-ISEC0513
11
Properties of Symmetric Cryptography
 Message Confidentiality
 Message Authentication
 Message Integrity
NETE0519-ISEC0513
12
Cryptanalysis
 Depending on what a cryptanalyst has to work with,
attacks can be classified into




Ciphertext only attack
Known plaintext attack
Chosen plaintext attack
Chosen ciphertext attack (most severe)
NETE0519-ISEC0513
13
Ciphertext-only Attack
 Collect ciphertexts of several messages encrypted using
the same encryption algorithm and try to recover plaintexts
or encrypting key(s).
Given: C1 = Ek(P1), C2=Ek(P2), ..., Ci=Ek(Pi)
Deduce: Either P1, P2, …, Pi; k; or an algorithm to infer Pi+1
from Ci+1=Ek(Pi+1)
NETE0519-ISEC0513
14
Known-plaintext Attack
 Able to collect ciphertext of several messages and
corresponding plaintext, and try to resolve the encrypting
key(s).
Given: P1, C1 = Ek(P1), P2, C2=Ek(P2), ..., Pi, Ci=Ek(Pi)
Deduce: Either k, or an algorithm
to infer Pi+1 from Ci+1=Ek(Pi+1)
NETE0519-ISEC0513
15
Chosen-plaintext Attack
 Able to collect ciphertext of several messages and associated
plaintext, and also able to choose the plaintext that gets encrypted.
Try to deduce the encrypting key(s).
 More powerful than known-plaintext attack
Given: P1, C1 = Ek(P1), P2, C2=Ek(P2), ..., Pi, Ci=Ek(Pi)
where the cryptanalyst gets to choose P1,…, Pi
Deduce: Either k, or an algorithm
to infer Pi+1 from Ci+1=Ek(Pi+1)
NETE0519-ISEC0513
16
Chosen-ciphertext Attack
 Able to choose different ciphertext to be decrypted and has access
to the decrypted plaintext. Try to deduce the key
 E.g. has access to a tamperproof box that does automatically
decryption.
Given: C1, P1 = Dk(C1), C2, P2=Dk(C2), ..., Ci, Pi=Dk(Ci)
Deduce: k
 Primarily applicable to public-key algorithms.
NETE0519-ISEC0513
17
More Definitions
 unconditional security
 no matter how much computer power or time is
available, the cipher cannot be broken since the
ciphertext provides insufficient information to uniquely
determine the corresponding plaintext
 computational security
 given limited computing resources (eg time needed for
calculations is greater than age of universe), the cipher
cannot be broken
NETE0519-ISEC0513
18
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
19
Substitution Ciphers
 Character in plaintext is substituted for another character
in ciphertext
 Caesar Cipher: each plaintext character is replaced by the
character three to the right modulo 26. E.g. AD, BE,
XA
 ROT13: commonly found in UNIX systems. Every plaintext
character is rotated 13 places.
NETE0519-ISEC0513
20
Caesar Cipher





earliest known substitution cipher
by Julius Caesar
first attested use in military affairs
replaces each letter by 3rd letter on
example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
NETE0519-ISEC0513
21
Caesar Cipher (cont.)
K=3
Outer: plaintext
Inner: ciphertext
NETE0519-ISEC0513
22
Caesar Cipher (cont.)
 can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
 mathematically give each letter a number
a b c d e f g h i j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
 then have Caesar cipher as:
c = E(p) = (p + k) mod (26)
p = D(c) = (c – k) mod (26)
NETE0519-ISEC0513
23
Cryptanalysis of Caesar Cipher
 only have 26 possible ciphers
 A maps to A,B,..Z





could simply try each in turn
a brute force search
given ciphertext, just try all shifts of letters
do need to recognize when have plaintext
eg. break ciphertext "GCUA VQ DTGCM"
NETE0519-ISEC0513
24
Monoalphabetic Cipher
 rather than just shifting the alphabet
 could shuffle (jumble) the letters arbitrarily
 each plaintext letter maps to a different random ciphertext
letter
 hence key is 26 letters long
Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
NETE0519-ISEC0513
25
Monoalphabetic Cipher Security




now have a total of 26! = 4 x 1026 keys
with so many keys, might think is secure
but would be !!!WRONG!!!
problem is language characteristics
NETE0519-ISEC0513
26
Language Redundancy and
Cryptanalysis




human languages are redundant
eg "th lrd s m shphrd shll nt wnt"
letters are not equally commonly used
in English E is by far the most common letter
 followed by T,R,N,I,O,A,S
 other letters like Z,J,K,Q,X are fairly rare
 have tables of single, double & triple letter frequencies for
various languages
NETE0519-ISEC0513
27
English Letter Frequencies
NETE0519-ISEC0513
28
Use in Cryptanalysis
 key concept - monoalphabetic substitution ciphers do not
change relative letter frequencies
 discovered by Arabian scientists in 9th century
 calculate letter frequencies for ciphertext
 compare counts/plots against known values
 if caesar cipher look for common peaks/troughs
 peaks at: A-E-I triple, NO pair, RST triple
 troughs at: JK, X-Z
 for monoalphabetic must identify each letter
 tables of common double/triple letters help
NETE0519-ISEC0513
29
Example Cryptanalysis
 given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ




count relative letter frequencies (see text)
guess P & Z are e and t
guess ZW is th and hence ZWP is the
proceeding with trial and error finally get:
it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the viet cong in moscow
NETE0519-ISEC0513
30
Vigenère Cipher







simplest polyalphabetic substitution cipher
effectively multiple caesar ciphers
key is multiple letters long K = k1 k2 ... kd
ith letter specifies ith alphabet to use
use each alphabet in turn
repeat from start after d letters in message
decryption simply works in reverse
NETE0519-ISEC0513
31
Example of Vigenère Cipher





write the plaintext out
write the keyword repeated above it
use each key letter as a caesar cipher key
encrypt the corresponding plaintext letter
eg using keyword deceptive
key:
deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ
NETE0519-ISEC0513
32
Transposition Ciphers
 now consider classical transposition or
permutation ciphers
 these hide the message by rearranging the letter
order
 without altering the actual letters used
 can recognise these since have the same
frequency distribution as the original text
NETE0519-ISEC0513
33
Rail Fence cipher
 write message letters out diagonally over a number of rows
 then read off cipher row by row
 eg. write message out as:
m e m a t r h t g p r y
e t e f e t e o a a t
 giving ciphertext
MEMATRHTGPRYETEFETEOAAT
NETE0519-ISEC0513
34
Row Transposition Ciphers
 a more complex transposition
 write letters of message out in rows over a
specified number of columns
 then reorder the columns according to some key
before reading off the rows
Key:
3 4 2 1 5 6 7
Plaintext: a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: APTMTTNAAODWTSUOCOIXKNLYPETZ
NETE0519-ISEC0513
35
Steganography
 Plaintext can be hidden by two ways:
 Steganography: conceal the existence of the message
 Cryptography: render the message unintelligible to outsiders
using various kinds of transformation of the text
 Examples of Steganography
 Character marking: overwrite text with pencil
 Invisible ink: use special substance
 Pin punctures: pin puncture on selected letters
NETE0519-ISEC0513
36
One-Time Pad




One-time pad is a large non-repeating set of truly random key letters
Encryption is a additional modulo 26 of plaintext character
Pad length must be equal to the message length !!!
For example:
 Message: ONETIMEPAD
 Pad Sequence: TBFRGFARFM
 Ciphertext: IPKLPSFHGQ
Because
O+T mod 26 = I  15+20 mod 26 = 9
N+B mod 26 = P  14+2 mod 26 = 16
E+F mod 26 = K, etc.
NETE0519-ISEC0513
Decryption
P+K mod 26 = C
P = C-K mod 26
I-T mod 26 = 9-20 mod 26
= -11 mod 26
= -11+26 mod 26
= 15 mod 26
=O
37
One-Time Pad (cont.)
 if a truly random key as long as the message is used, the
cipher will be secure
 called a One-Time pad
 is unbreakable since ciphertext bears no statistical
relationship to the plaintext
 since for any plaintext & any ciphertext there exists a
key mapping one to other
 can only use the key once though
 problems in generation & safe distribution of key
NETE0519-ISEC0513
38
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
39
Cryptographic Process
Message
m1
m2
Message
mn
m1
Encryption
c1
c2
Ciphertext
NETE0519-ISEC0513
m2
mn
Decryption
cn
c1
c2
cn
Ciphertext
40
Block Cipher VS Stream Cipher
 Block cipher: divides entire message in to blocks used to
produce ciphertext.
 Stream cipher: encrypts a data stream one bit or one byte
at a time.
NETE0519-ISEC0513
41
Stream Ciphers




process message bit by bit (as a stream)
have a pseudo random keystream
combined (XOR) with plaintext bit by bit
randomness of stream key completely destroys statistically
properties in message
 Ci = Mi XOR StreamKeyi
 but must never reuse stream key
 otherwise can recover messages (cf book cipher)
NETE0519-ISEC0513
42
Stream Cipher Structure
NETE0519-ISEC0513
43
Stream Cipher Properties
 some design considerations are:




long period with no repetitions
statistically random
depends on large enough key
large linear complexity
 properly designed, can be as secure as a block
cipher with same size key
 but usually simpler & faster
NETE0519-ISEC0513
44
RC4






a proprietary cipher owned by RSA DSI
another Ron Rivest design, simple but effective
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, wireless WEP)
key forms random permutation of all 8-bit values
uses that permutation to scramble input info processed a
byte at a time
NETE0519-ISEC0513
45
RC4 Key Schedule
 starts with an array S of numbers: 0..255
 use key to well and truly shuffle
 S forms internal state of the cipher
for i = 0 to 255 do
S[i] = i
T[i] = K[i mod keylen])
j = 0
for i = 0 to 255 do
j = (j + S[i] + T[i]) (mod 256)
swap (S[i], S[j])
NETE0519-ISEC0513
46
RC4 Encryption
 encryption continues shuffling array values
 sum of shuffled pair selects "stream key" value from
permutation
 XOR S[t] with next byte of message to en/decrypt
i = j = 0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
NETE0519-ISEC0513
47
RC4 Overview
NETE0519-ISEC0513
48
RC4 Security
 claimed secure against known attacks
 have some analyses, none practical
 result is very non-linear
 since RC4 is a stream cipher, must never reuse a
key
 have a concern with WEP, but due to key handling
rather than RC4 itself
NETE0519-ISEC0513
49
Block Cipher Principles
 most symmetric block ciphers are based on a Feistel
Cipher Structure
 needed since must be able to decrypt ciphertext to
recover messages efficiently
 block ciphers look like an extremely large substitution
 would need table of 264 entries for a 64-bit block
 instead create from smaller building blocks
 using idea of a product cipher
NETE0519-ISEC0513
50
Ideal Block Cipher
NETE0519-ISEC0513
51
Claude Shannon and SubstitutionPermutation Ciphers
 Claude Shannon introduced idea of substitutionpermutation (S-P) networks in 1949 paper
 form basis of modern block ciphers
 S-P nets are based on the two primitive cryptographic
operations seen before:
 substitution (S-box)
 permutation (P-box)
 provide confusion & diffusion of message & key
NETE0519-ISEC0513
52
Diffusion and Confusion
 Confusion: hard to find any relationship between ciphertext
and key.
 Diffusion: spreads influence of individual plaintext or key
bits over as much of the ciphertext as possible.
 In particular, one bit change of plaintext or key must
increase the difficulty of cryptanalysis.
NETE0519-ISEC0513
53
Block Cipher
 Divide a message M into m1, …, mn
 Add padding to last block
 Use Ek to produce (ciphertext blocks) x1, …, xn
 Use Dk to recover M from m1, …, mn
 Modes of Block Ciphers:





Electronic Codebook
Cipher Block Chaining
Cipher Feedback
Output Feedback
Counter (CTR)
NETE0519-ISEC0513
54
Electronic Codebook
NETE0519-ISEC0513
55
Electronic Codebook (cont’d)
 Ideal for short amount of data transfer e.g. encryption key
 ECB produces the same message pattern if using the
same input.
 Not secure for lengthy message, easy for cryptanalysis.
NETE0519-ISEC0513
56
Cipher Block Chaining
NETE0519-ISEC0513
57
Cipher Feedback
NETE0519-ISEC0513
58
Output Feedback
NETE0519-ISEC0513
59
Counter (CTR)
 a “new” mode, though proposed early on
 similar to OFB but encrypts counter value rather
than any feedback value
 must have a different key & counter value for every
plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
 uses: high-speed network encryptions
NETE0519-ISEC0513
60
Counter (CTR) (cont.)
NETE0519-ISEC0513
61
Advantages and Limitations of CTR
 efficiency
 can do parallel encryptions in h/w or s/w
 can preprocess in advance of need
 good for bursty high speed links
 random access to encrypted data blocks
 provable security (good as other modes)
 but must ensure never reuse key/counter values,
otherwise could break (cf OFB)
NETE0519-ISEC0513
62
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
63
Feistel Cipher Structure
 Virtually all conventional block encryption
algorithms, including DES have a structure first
described by Horst Feistel of IBM in 1973
 The realization of a Fesitel Network depends on the
choice of the following parameters and design
features (see next slide):
NETE0519-ISEC0513
64
Feistel Cipher Structure (cont.)
 Block size: larger block sizes mean greater security
 Key Size: larger key size means greater security
 Number of rounds: multiple rounds offer increasing
security
 Subkey generation algorithm: greater complexity will
lead to greater difficulty of cryptanalysis.
 Fast software encryption/decryption: the speed of
execution of the algorithm becomes a concern
 Roung Function (F): Greater complexity is better,
resistance to cryptanalysis
NETE0519-ISEC0513
65
Feistel Encryption
and Decryption
NETE0519-ISEC0513
66
Proof: LD1 = RE15
Encryption side:
LE16 = RE15
RE16 = LE15  F(RE15, K16)
Decryption side:
LD1 = RD0 = LE16 = RE15
RD1 = LD0  F(RD0, K16)
= RE16  F(RE15, K16)
= [LE15  F(RE15, K16)]  F(RE15, K16)
= LE15  [F(RE15, K16)  F(RE15, K16)]
= LE15  0
= LE15
NETE0519-ISEC0513
67
Data Encryption Standard (DES)
 most widely used block cipher in world
 adopted in 1977 by NBS (now NIST)
 as FIPS PUB 46
 encrypts 64-bit data using 56-bit key
 has widespread use
 has been considerable controversy over its security
NETE0519-ISEC0513
68
DES History
 IBM developed Lucifer cipher
 by team led by Feistel in late 60’s
 used 64-bit data blocks with 128-bit key
 then redeveloped as a commercial cipher with input
from NSA and others
 in 1973 NBS issued request for proposals for a
national cipher standard
 IBM submitted their revised Lucifer which was
eventually accepted as the DES
NETE0519-ISEC0513
69
DES Design Controversy
 although DES standard is public
 was considerable controversy over design
 in choice of 56-bit key (vs Lucifer 128-bit)
 and because design criteria were classified
 subsequent events and public analysis show in fact
design was appropriate
 use of DES has flourished
 especially in financial applications
 still standardised for legacy application use
NETE0519-ISEC0513
70
Data Encryption Standard (DES)
 A block of 64-bit data is encrypted using 56-bit key to
produce a 64-bit block of ciphertext.
 Decryption can be done by encrypting the ciphertext using
the same key.
NETE0519-ISEC0513
71
DES
Encryption
NETE0519-ISEC0513
72
Single Round of DES Encryption
NETE0519-ISEC0513
73
Permutation Table for DES
NETE0519-ISEC0513
74
Permutation Tables for DES
NETE0519-ISEC0513
75
DES Key Schedule Calculation
 Permuted Choice 1 and 2
NETE0519-ISEC0513
76
Calculation of F(R, K)
1.
2.
3.
4.
R is expanded to 48 bits.
The expanded R is XORed with 48-bit K.
Split 48-bit data into 8 groups of 6-bit data to enter S-Boxes
For each of the group, do the following:
1. For the 6-bit data to enter each Si, 1st and 6th bits form a 2-bit binary
number to identity the row number in Si.
2. The decimal value of 2nd – 5th bits identify the column number in Si.
3. The selected decimal value from Si is then converted into 4-bit binary
output of Si.
NETE0519-ISEC0513
77
DES S-Boxes
Permutation Function
NETE0519-ISEC0513
78
DES S-Boxes (cont.)
NETE0519-ISEC0513
79
DES S-Boxes (cont.)
NETE0519-ISEC0513
80
Example
 Input to S5: 100111




1st and 6th bits are 11 -> row 3
2nd-5th bits are 0011 -> column 3
The decimal value in row 3 and column 3 of S5 is 7.
The output value of S5 is 0111
S5
NETE0519-ISEC0513
2
14
4
11
12
11
2
8
4 1 7…
2 12 4 …
1 11 10 …
12 7 1 …
81
Avalanche Effect
 key desirable property of encryption alg
 where a change of one input or key bit results in changing
approx half output bits
 making attempts to “home-in” by guessing keys impossible
 DES exhibits strong avalanche
NETE0519-ISEC0513
82
Avalanche Effect in DES
NETE0519-ISEC0513
83
Strength of DES – Key Size
 56-bit keys have 256 = 7.2 x 1016 values
 brute force search looks hard
 recent advances have shown is possible




in 1997 on Internet in a few months
in 1998 on dedicated h/w (EFF) in a few days
in 1999 above combined in 22hrs!
Recently, ....
 still must be able to recognize plaintext
 must now consider alternatives to DES
NETE0519-ISEC0513
84
More about DES
 If only the attack on DES
is brute force, then use
longer key size.
NETE0519-ISEC0513
85
Multiple Encryption & DES
 clear a replacement for DES was needed
 theoretical attacks that can break it
 demonstrated exhaustive key search attacks
 AES is a new cipher alternative
 prior to this alternative was to use multiple encryption with
DES implementations
 Triple-DES (3DES) is the chosen form
NETE0519-ISEC0513
86
3DES with Two-Keys
 hence must use 3 encryptions
 would seem to need 3 distinct keys
 but can use 2 keys with E-D-E sequence
 C = EK1(DK2(EK1(P)))
 nb encrypt & decrypt equivalent in security
 if K1=K2 then can work with single DES
 standardized in ANSI X9.17 & ISO8732
 no current known practical attacks
NETE0519-ISEC0513
87
3DES with Two-Keys (cont.)
NETE0519-ISEC0513
88
Triple-DES with Three-Keys
 although are no practical attacks on two-key Triple-DES
have some indications
 can use Triple-DES with Three-Keys to avoid even these
 C = EK3(DK2(EK1(P)))
 has been adopted by some Internet applications, eg PGP,
S/MIME
NETE0519-ISEC0513
89
3DES with Three-Keys (cont.)
NETE0519-ISEC0513
90
Other Symmetric Block Ciphers
 International Data Encryption Algorithm (IDEA)
 128-bit key
 Used in PGP
 Blowfish
 Easy to implement
 High execution speed
 Run in less than 5K of memory
NETE0519-ISEC0513
91
Other Symmetric Block Ciphers
 RC5
 Suitable for hardware and software
 Fast, simple
 Adaptable to processors of different word lengths
 Variable number of rounds
 Variable-length key
 Low memory requirement
 High security
 Data-dependent rotations
 Cast-128
 Key size from 40 to 128 bits
 The round function differs from round to round
NETE0519-ISEC0513
92
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
93
Origins
 clear a replacement for DES was needed
 have theoretical attacks that can break it
 have demonstrated exhaustive key search attacks






can use Triple-DES – but slow, has small blocks
US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug-99
Rijndael was selected as the AES in Oct-2000
issued as FIPS PUB 197 standard in Nov-2001
NETE0519-ISEC0513
94
AES Requirements







private key symmetric block cipher
128-bit data, 128/192/256-bit keys
stronger & faster than Triple-DES
active life of 20-30 years (+ archival use)
provide full specification & design details
both C & Java implementations
NIST have released all submissions & unclassified
analyses
NETE0519-ISEC0513
95
AES
128-bit plaintext block
Key length -> 128, 192, 256 bits
10 rounds for each encryption and decryption
128-bit plaintext is divided into 16 8-bit (1-byte) blocks.
128-bit key is generated to 44 32-bit “words”, and 4
different words will be used in each round
 11 sets of 4-word keys are used in 10-round encryption !
 Decryption algorithm is not identical to encryption
algorithm





NETE0519-ISEC0513
96
AES Parameters
NETE0519-ISEC0513
97
AES Key Expansion
NETE0519-ISEC0513
98
AES Encryption
and Decryption
XOR
XOR
NETE0519-ISEC0513
99
AES Encryption
 4 stages in each round:
 Substitution bytes -> use S-box for byte-to-byte
substitution
 Shift rows -> simple row-by-row permutation
 Mix columns -> a substitution that alters each byte in a
column as a function of all of the bytes in the column
 Add round keys -> bitwise XOR of the current block with
the key
NETE0519-ISEC0513
100
AES Encryption Round
16 bytes
NETE0519-ISEC0513
101
SubBytes
NETE0519-ISEC0513
102
SubBytes (cont.)
S-box
NETE0519-ISEC0513
103
SubBytes (cont.)
Inverse S-box
NETE0519-ISEC0513
104
SubBytes (cont.)
NETE0519-ISEC0513
105
ShiftRows
NETE0519-ISEC0513
106
MixColumns
NETE0519-ISEC0513
107
MixColumns (cont.)
NETE0519-ISEC0513
108
AddRoundKey
NETE0519-ISEC0513
109
AddRoundKey (cont.)
NETE0519-ISEC0513
110
AES Operations
NETE0519-ISEC0513
111
Implementation Aspects
 can efficiently implement on 8-bit CPU
 byte substitution works on bytes using a table of 256
entries
 shift rows is simple byte shift
 add round key works on byte XOR’s
 mix columns requires matrix multiply in GF(28) which
works on byte values, can be simplified to use table
lookups & byte XOR’s
NETE0519-ISEC0513
112
Implementation Aspects (cont.)
 can efficiently implement on 32-bit CPU
 redefine steps to use 32-bit words
 can precompute 4 tables of 256-words
 then each column in each round can be computed
using 4 table lookups + 4 XORs
 at a cost of 4Kb to store tables
 designers believe this very efficient implementation
was a key factor in its selection as the AES cipher
NETE0519-ISEC0513
113
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers Vs Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
114
Design of Symmetric Cryptosystems
 A Cryptographic algorithm should be efficient for
good use
 It should be fast and key length should be of the right
length – e.g.; not too short
 Cryptographic algorithms are not impossible to
break without a key
 If we try all the combinations, we can get the original
message
NETE0519-ISEC0513
2-115
115
Design of Symmetric Cryptosystems (cont.)
 The security of a cryptographic algorithm depends
on how much work it takes for someone to break it
 E.g. If it takes 10 mil. years to break a cryptographic
algorithm X using all the computers of a state, X can be
thought of as a secure one – reason: cluster computers
and quantum computers are powerful enough to crack
many current cryptographic algorithms.
NETE0519-ISEC0513
116
Design of Symmetric Cryptosystems (cont.)
 Encryption Algorithm Design
 Should the block size of messages be small or
large?
 Should the keyspace be large?
 Should we consider other search rather than
brute-force search?
NETE0519-ISEC0513
2-117
117
Outline










Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Problems of Symmetric Cryptography
NETE0519-ISEC0513
118
Placement of Encryption
 have two major placement alternatives
 link encryption
 encryption occurs independently on every link
 implies must decrypt traffic between links
 requires many devices, but paired keys
 end-to-end encryption
 encryption occurs between original source and final
destination
 need devices at each end with shared keys
NETE0519-ISEC0513
119
Locations of Encryption Devices
NETE0519-ISEC0513
120
Placement of Encryption (cont.)
 when using end-to-end encryption must leave headers in
clear
 so network can correctly route information
 hence although contents protected, traffic pattern flows are
not
 ideally want both at once
 end-to-end protects data contents over entire path and
provides authentication
 link protects traffic flows from monitoring
NETE0519-ISEC0513
121
Placement of Encryption (cont.)
 can place encryption function at various layers in
OSI Reference Model
 link encryption occurs at layers 1 or 2, 3
 end-to-end can occur at layers 4, 6, 7
 as move higher less information is encrypted but it is
more secure though more complex with more entities
and keys
NETE0519-ISEC0513
122
Link Encryption VS End-to-end Encryption
NETE0519-ISEC0513
123
Encryption VS
Protocol Level
NETE0519-ISEC0513
124
Traffic Padding
NETE0519-ISEC0513
125
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
126
Key Distribution
 The security of symmetric cryptosystem is based on the
security of key distribution.
 Important process  two hosts need a shared key before
transmitting a message securely.
 Secret key must be securely distributed between hosts,
and need to be updated frequently.
 But, HOW can we securely distribute the shared key?
NETE0519-ISEC0513
127
Key Exchange with Symmetric Cryptography
 Two kinds of keys:
 Session key
 temporary key
 used for encryption of data between users
 for one logical session then discarded
 Master key
 used to encrypt and distribute session keys
 shared by user & key distribution center
 Key Distribution Center (KDC)
 Shares permanent key with hosts
 Distributes session keys upon the requests of hosts
NETE0519-ISEC0513
128
Key Distribution Scenario
NETE0519-ISEC0513
129
Steps
1.
Alice sends a request (IDA, IDB) for a session key and a nonce (N1)
to KDC.
 Nonce may be a random number.
 What is nonce for?
2.
3.
4.
5.
KDC sends an encrypted message to A containing:
 Session key KS
 Encrypted session key for Bob EKb(KS, IDA)
Alice forwards EKb(KS, IDA) to Bob. Bob can decrypt it. (anyone
else?)
Bob confirms that he has received KS by sending Alice EKs[N2].
Alice responses by sending f(N2) encrypted with KS.
NETE0519-ISEC0513
130
Hierarchical Key Control
 In a very large network, a single KDC is not enough -> a hierarchy of
KDCs can be established.
 Local KDCs and a global KDC
 Local KDC is responsible for parties in the same domain, whereas
global KDC is taking care of communications of parties in different
domains.
NETE0519-ISEC0513
131
Key Distribution Issues
 hierarchies of KDC’s required for large networks,
but must trust each other
 session key lifetimes should be limited for greater
security
 use of automatic key distribution on behalf of users,
but must trust system
 use of decentralized key distribution
 controlling key usage
NETE0519-ISEC0513
132
Session Key Lifetime
 The more frequently session keys are exchanged, the
more secure they are.
 However, each session key distribution causes delays.
 In connection-oriented protocols, a new session key is
issued for each connection.
 However, if the connection is open for a long time, it may
be needed to retransmit a new session key.
 In connectionless protocols, not obvious how often the new
session key is exchanged.
 A better strategy is to use a given session key for a certain
fixed period only or for a certain number of transaction.
NETE0519-ISEC0513
133
A Transparent Key Control Scheme
NETE0519-ISEC0513
134
Decentralized Key Control
 Centralized Key Control -> KDC is normally
assumed to be trusted and secured from attacks.
 However, attacks may occur. -> try decentralized
approach
 Decentralization is suitable for local connection.
 Involved parties need a master key between pairs of
parties as many as [n(n-1)]/2 keys among n users.
NETE0519-ISEC0513
135
Decentralized Key Distribution
NETE0519-ISEC0513
136
Decentralized Key Distribution (cont.)
1. Alice and Bob share a master key MKm.
2. Alice sends a request for a session key with a nonce N1
to Bob.
3. Bob sends KS encrypted with shared master key MKm.
The message contains a nonce N2.
4. Alice responses with f(N2) encrypted with the session
key.
NETE0519-ISEC0513
137
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
138
Random Numbers
 many uses of random numbers in cryptography




nonces in authentication protocols to prevent replay
session keys
public key generation
keystream for a one-time pad
 in all cases its critical that these values be
 statistically random, uniform distribution, independent
 unpredictability of future values from previous values
NETE0519-ISEC0513
139
Pseudorandom Number Generators
(PRNGs)
 often use deterministic algorithmic techniques to
create “random numbers”
 although are not truly random
 can pass many tests of “randomness”
 known as “pseudorandom numbers”
 created by “Pseudorandom Number Generators
(PRNGs)”
NETE0519-ISEC0513
140
Using Block Ciphers as PRNGs
 for cryptographic applications, can use a block cipher to
generate random numbers
 often for creating session keys from master key
 Counter Mode
Xi = EKm[i]
 Output Feedback Mode
Xi = EKm[Xi-1]
NETE0519-ISEC0513
141
ANSI X9.17 PRG
Date/time
Seed value
NETE0519-ISEC0513
142
ANSI X9.17 PRG (cont.)
 It uses date/time & seed inputs and 3 triple-DES encryptions to
generate a new seed & random value.




DTi - Date/time value at the beginning of ith generation stage
Vi - Seed value at the beginning of ith generation stage
Ri - Pseudorandom number produced by the ith generation stage
K1, K2 - DES keys used for each stage
 Then compute successive values as:
 Ri = EDE([K1, K2], [Vi XOR EDE([K1, K2], DTi)])
 Vi+1 = EDE([K1, K2], [Ri XOR EDE([K1, K2], DTi)])
NETE0519-ISEC0513
143
Natural Random Noise
 best source is natural randomness in real world
 find a regular but random event and monitor
 do generally need special h/w to do this
 eg. radiation counters, radio noise, audio noise, thermal noise in
diodes, leaky capacitors, mercury discharge tubes etc
 starting to see such h/w in new CPU's
 problems of bias or uneven distribution in signal
 have to compensate for this when sample and use
 best to only use a few noisiest bits from each sample
NETE0519-ISEC0513
144
Published Sources
 a few published collections of random numbers
 Rand Co, in 1955, published 1 million numbers
 generated using an electronic roulette wheel
 has been used in some cipher designs cf Khafre
 earlier Tippett in 1927 published a collection
 issues are that:
 these are limited
 too well-known for most uses
NETE0519-ISEC0513
145
Outline











Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers VS Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
NETE0519-ISEC0513
146
Problems of Symmetric Cryptography
 Keys must be distributed in secret.
 Keys are valuable as all the messages they encrypt.
 If a key is compromised, then so the security of the entire system.
 Not scalable -> assume that each pair of total n users shares
different secrets. Number of keys needed is n(n-1)/2 keys
 Algorithms are easy to break compared to public-key cryptographic
algorithms
 However symmetric one can be performed faster -> less time -> less
power consumption -> suitable for being implemented in mobile
devices
 Lack of necessary security services e.g. non repudiation, provide
low-level of integrity check
NETE0519-ISEC0513
147
Questions?
Next week
Public-key Cryptography
NETE0519-ISEC0513
148
Discussion
 Discuss two differences between Block Cipher and
Stream Cipher
 Explain how symmetric cryptography can provide
authentication
 Suggest a key distribution technique that provides
offline key generation and distribution
NETE0519-ISEC0513
149
Descargar

Lecture02: Symmetric Cryptography 1