Network Security Lec4

Data Encryption Standard (DES) most widely used block cipher in world adopted in 1977 by NBS (now NIST) as FIPS PUB 46 encrypts 64-bit data using 56-bit key has widespread use has been considerable controversy over its security

DES Round Structure uses two 32-bit L & R halves as for any Feistel cipher can describe as: L i = R i –1 R i = L i –1  F( R i –1 , K i ) F takes 32-bit R half and 48-bit subkey: expands R to 48-bits using perm E adds to subkey using XOR passes through 8 S-boxes to get 32-bit result finally permutes using 32-bit perm P

Substitution Boxes (S-box) have eight S-boxes which map 6 to 4 bits each S-box is actually 6 x 4 bit boxes outer bits 1 & 6 ( row bits) select one row of 4 inner bits 2-5 ( col bits) are substituted result is 8 lots of 4 bits, or 32 bits row selection depends on both data & key feature known as autoclaving (autokeying) example: S(18 09 12 3d 11 17 38 39) = 5fd25e03

DES Key Schedule forms subkeys used in each round initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves 16 stages consisting of: rotating each half separately either 1 or 2 places depending on the key rotation schedule K selecting 28-bits from each half & compression permuting them (56 to 48) by PC2 for use in round function F note practical use issues in h/w vs s/w

DES Decryption decrypt must unwind steps of data computation with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1) IP undoes final FP step of encryption 1st round with SK16 undoes 16th encrypt round … . 16th round with SK1 undoes 1st encrypt round then final FP undoes initial encryption IP thus recovering original data value

Strength of DES – Key Size 56-bit keys have 2 56 = 7.2 x 10 16 values brute force search looks hard recent advances have shown is possible in 1997 on Internet in a few months in 1998 on dedicated h/w (EFF) in a few days in 1999 above combined in 22hrs! still must be able to recognize plaintext must now consider alternatives to DES

DES Design Criteria as reported by Coppersmith in [COPP94] S-boxes provide for non-linearity resistance to differential cryptanalysis good confusion criteria for permutation P provide for increased diffusion

Block Cipher Design basic principles still like Feistel’s in 1970’s number of rounds more is better, exhaustive search best attack function f: provides “confusion”, is nonlinear, avalanche have issues of how S-boxes are selected key schedule complex subkey creation, key avalanche

Strength of DES – Analytic Attacks now have several analytic attacks on DES these utilise some deep structure of the cipher by gathering information about encryptions can eventually recover some/all of the sub-key bits if necessary then exhaustively search for the rest generally these are statistical attacks include differential cryptanalysis linear cryptanalysis

Avalanche Effect key desirable property of encryption alg where a change of one input or key bit results in changing approx half output bits making attempts to “home-in” by guessing keys impossible DES exhibits strong avalanche

Strength of DES – Timing Attacks attacks actual implementation of cipher use knowledge of consequences of implementation to derive information about some/all subkey bits specifically use fact that calculations can take varying times depending on the value of the inputs to it

Origins clear a replacement for DES was needed have theoretical attacks that can break it have demonstrated exhaustive key search attacks can use Triple-DES – but slow, has small blocks US NIST issued call for ciphers in 1997 15 candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001

AES Requirements private key symmetric block cipher 128-bit data, 128/192/256-bit keys stronger & faster than Triple-DES active life of 20-30 years (+ archival use) provide full specification & design details both C & Java implementations NIST have released all submissions & unclassified analyses

AES Evaluation Criteria initial criteria: security – effort for practical cryptanalysis cost – in terms of computational efficiency algorithm & implementation characteristics final criteria general security ease of software & hardware implementation implementation attacks flexibility (in en/decrypt, keying, other factors)

AES Shortlist after testing and evaluation, shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security margin Serpent (Euro) - slow, clean, v. high security margin Twofish (USA) - complex, v. fast, high security margin then subject to further analysis & comment saw contrast between algorithms with few complex rounds verses many simple rounds which refined existing ciphers verses new proposals

The AES Cipher - Rijndael designed by Rijmen-Daemen in Belgium has 128/192/256 bit keys, 128 bit data an iterative rather than feistel cipher processes data as block of 4 columns of 4 bytes operates on entire data block in every round designed to be: resistant against known attacks speed and code compactness on many CPUs design simplicity

Rijndael data block of 4 columns of 4 bytes is state key is expanded to array of words has 10/12/14 rounds in which state undergoes: byte substitution (1 S-box used on every byte) shift rows (permute bytes between groups/columns) mix columns (subs using matrix multipy of groups) add round key (XOR state with key material) view as alternating XOR key & scramble data bytes initial XOR key material & incomplete last round with fast XOR & table lookup implementation

AES Bytes and Words Blocks represented as arrays of smaller groups of bits Byte : 8 bits Word : 32 bits (4 bytes in word)

AES States Each word (each 4 bytes) corresponds to column in state Used to simplify mathematics

AES Round Structure SubBytes : Each byte transformed by an S-Box ShiftRows : Permutation to swap bytes around MixColumns : Matrix multiplication to permute bits within bytes AddRoundKey : XOR result with current round key Notes: Extra AddRoundKey before first round No MixColumns in last round

Byte Substitution 128-bit input  16 bytes a simple substitution of each byte uses one table of 16x16 bytes containing a permutation of all 256 8-bit values each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits) eg. byte {95} is replaced by byte in row 9 column 5 which has value {2A} S-box constructed using defined transformation of values in GF(2 8 ) designed to be resistant to all known attacks

S-Box Basis Inverse of each byte computed in GF(2 8 ) using x 8 + x 4 + x 3 + x+1 Additional confusion created by array multiplication and addition Multiplication/addition in mod 2 Resulting byte with bits b 0 – b 7 multiplied by 8 x 8 matrix X Each output bit c j is effectively xor of different b i ’s Resulting byte with bits c 0 – c 7 added to 8 x 1 matrix d Has effect of inverting bits 0, 1, 5, and 6

Inverse S-Box Subtract matrix d Multiply by inverse of matrix X Invert in GF(2 8 )

Shift Rows Stage Goal: Swap bytes around within a state State = bytes arranged in columns Shift rows around within this 2 dimensional structure to add diffusion

ShiftRows Stage Left Circular shift used on each row Each row shifted by different number of bytes Inverse just reverses shift (right)

ShiftRows Example Input: 63F2C9FA C9F2C963FE637D823026D4D4 Output: 63F27DD4C963D4FAFE26C96330F2C982 Shift 0 Shift 1 Shift 2 Shift 3

Modes of Operation block ciphers encrypt fixed size blocks eg. DES encrypts 64-bit blocks with 56-bit key need some way to en/decrypt arbitrary amounts of data in practise ANSI X3.106-1983 Modes of Use (now FIPS 81) defines 4 possible modes subsequently 5 defined for AES & DES have block and stream modes

Electronic Codebook Book (ECB) message is broken into independent blocks which are encrypted each block is a value which is substituted, like a codebook, hence name each block is encoded independently of the other blocks C i = DES K1 (P i ) uses: secure transmission of single values

Advantages & Limitations of ECB message repetitions may show in ciphertext if aligned with message block particularly with data such graphics or with messages that change very little, which become a code-book analysis problem weakness is due to the encrypted message blocks being independent Error propagation (no), parallel processing (yes), random access of data filed/ database fields (yes) main use is sending a few blocks of data

Cipher Block Chaining (CBC) message is broken into blocks linked together in encryption operation each previous cipher blocks is chained with current plaintext block, hence name use Initial Vector (IV) to start process C i = DES K1 (P i XOR C i-1 ) C -1 = IV uses: bulk data encryption, authentication

Message Padding at end of message must handle a possible last short block which is not as large as blocksize of cipher pad either with known non-data value (eg nulls) or pad last block along with count of pad size eg. [ b1 b2 b3 0 0 0 0 5] means have 3 data bytes, then 5 bytes pad+count this may require an extra entire block over those in message there are other, more esoteric modes, which avoid the need for an extra block

Advantages & Limitations of CBC a ciphertext block depends on all blocks before it any change to a block affects all following ciphertext blocks Error propagate(yes), Parallel process (no), Random access (no) need Initialization Vector (IV) which must be known to sender & receiver if sent in clear, attacker can change bits of first block, and change IV to compensate hence IV must either be a fixed value or must be sent encrypted in ECB mode before rest of message

Cipher FeedBack (CFB) message is treated as a stream of bits added to the output of the block cipher result is feed back for next stage (hence name) standard allows any number of bits (1,8, 64 or 128 etc) to be fed back denoted CFB-1, CFB-8, CFB-64, CFB-128 etc most efficient to use all bits in block (64 or 128) C i = P i XOR DES K1 (C i-1 ) C -1 = IV uses: stream data encryption, authentication

Advantages & Limitations of CFB appropriate when data arrives in bits/bytes most common stream mode limitation is need to stall while do block encryption after every n-bits note that the block cipher is used in encryption mode at both ends errors propagate for several blocks after the error

Output FeedBack (OFB) message is treated as a stream of bits output of cipher is added to message output is then fed back (hence name) feedback is independent of message can be computed in advance C i = P i XOR O i O i = DES K1 (O i-1 ) O -1 = IV uses: stream encryption on noisy channels

Advantages & Limitations of OFB bit errors do not propagate more vulnerable to message stream modification a variation of a Vernam cipher hence must never reuse the same sequence (key+IV) sender & receiver must remain in sync originally specified with m-bit feedback subsequent research has shown that only full block feedback (ie CFB-64 or CFB-128) should ever be used

Counter (CTR) a “new” mode, though proposed early on Same plaintext block NOT same cipertext block similar to OFB but encrypts counter value rather than any feedback value must have a different key & counter value for every plaintext block (never reused) C i = P i XOR O i O i = DES K1 (i) No Error propagation uses: high-speed network encryptions

Advantages and Limitations of CTR efficiency can do parallel encryptions in h/w or s/w can preprocess in advance of need good for bursty high speed links random access to encrypted data blocks provable security (good as other modes) but must ensure never reuse key/counter values, otherwise could break (cf OFB)

Stream Ciphers process message bit by bit (as a stream) have a pseudo random keystream combined (XOR) with plaintext bit by bit randomness of stream key completely destroys statistically properties in message C i = M i XOR StreamKey i but must never reuse stream key otherwise can recover messages (cf book cipher)

Network Security Lec4

More Related Content

What's hot (20)

Similar to Network Security Lec4 (20)

More from Federal Urdu University (20)

Recently uploaded (20)

Network Security Lec4

Editor's Notes