session_02_confidentiality_-_symmetric_encryption_090708

Cryptography and Network Security, TECH 6350
Session 2: Confidentiality – Symmetric Encryption
Manuel Mogollon, [email protected]
Graduate School of Management, Information Assurance, University of Dallas

Slide 1: Session 2 – Contents
• Types of Crypto Systems
  — Symmetric Encryption
    – Stream Cipher
    – Block Cipher Systems
  — Asymmetric Encryption
• Basic Theory of Enciphering
• Shift Registers
  — Linear Shift Registers
  — Non-Linear Combinations of LFSR Devices
• Key Generators
• Block Ciphers
  — Data Encryption Standard (DES) (FIPS 46-3)
  — Modes of Operation (FIPS 81)
  — Triple DES (FIPS 46-3 and ANSI X9.52)
  — Advanced Encryption Standard (AES)
Encryption Systems Stream Ciphers Shift Registers DES AES Block Cipher Modes of Operation M. Mogollon – 01/08 - 1

Slide 2: What is Confidentiality?
• Confidentiality: protection against unauthorized individuals reading information that is supposed to be kept private. Confidentiality is achieved by enciphering the information using encryption algorithms.

Slide 3: Confidentiality and its Security Mechanisms
[Diagram: tree of confidentiality mechanisms]
Confidentiality: protection of data from unauthorized disclosure
  Encryption Algorithms
    Symmetric
      Block Cipher: DES, 3DES, AES, MARS, RC5, CAST, Blowfish, IDEA
      Stream Ciphers: Synchronous, Self-Synchronous (RC4, OFB, CFB)
    Asymmetric
      Public-Key: RSA, ElGamal, Schnorr, Pohlig Hellman, ECC
Notes:
• Confidentiality and security are not the same.
• Confidentiality: protection of information to ensure that it is not disclosed to unauthorized audiences.
• Security: protection of systems, resources, and information from unintended and unauthorized access or misuse.

Slide 4: Types of Crypto Systems
• Symmetric Cryptography – Secret Key
  — A single key serves as both the encryption and the decryption key.
  — Initial arrangements need to be made for individuals to share the secret key.
  — Stream Ciphers and Block Ciphers (DES, AES)
• Asymmetric Cryptography – Public-Key
  — One key is used to encipher and another to decipher.
  — Privacy is achieved without having to keep the enciphering key secret because a different key is used for deciphering.
  — Pohlig Hellman, Schnorr, RSA, ElGamal, and Elliptic Curve Cryptography (ECC) are popular asymmetric crypto systems.
Notes:
• Essentially, there are two main types of modern crypto systems: symmetric and asymmetric encryption.
• The type of crypto system in which the enciphering and deciphering keys are the same is called symmetric (i.e., secret key) encryption. The system is analogous to having a box with a lock on it that can be locked and unlocked with the same key.
• An asymmetric crypto system uses a pair of keys, mathematically related but different, to encipher and decipher messages. Messages encoded with either one of the keys can be decoded by the other. It is possible to make one of the keys public; however, the other one must be kept secret.

Slide 5: Symmetric Key Crypto System
[Diagram: plaintext -> Encryption Algorithm (Encipher) -> ciphertext -> Encryption Algorithm (Decipher) -> plaintext, with the same secret key used on both sides. Sample plaintext: "As the market requirements for secure products has exponentially increased, our strategy will be to ...."; the ciphertext shown is a random-looking string of characters.]
• Security is based on the secret key, not on the encryption algorithm.
• The sharing of secret keys is necessary.
• Strengths: fast, good for encrypting large amounts of data.
• Weakness: key delivery.
• There are two types of symmetric crypto systems: Stream Cipher (RC4) and Block Ciphers (DES, AES, RC5, CAST, IDEA).
Notes:
• If a number of individuals wish to send secure information, symmetric cryptosystems require that initial arrangements be made for the individuals to share a unique secret key. The key must be distributed to the individuals via some secure, protected means to ensure key confidentiality and integrity. Knowledge of the ciphering key implies knowledge of the deciphering key and vice versa.
• In order to establish the secure channel, it is necessary to deliver the secret key to the individuals using a protected medium such as a courier. Of course, transporting the key in this way is risky, troublesome, slow, and expensive. In addition, two users that have not exchanged a secret key cannot send each other secure messages, because they first have to agree on a secret key.

Slide 6: Asymmetric Key Crypto System (Public Key Algorithm)
[Diagram: plaintext -> Encryption Algorithm (Encipher, one key) -> ciphertext -> Encryption Algorithm (Decipher, another key) -> plaintext; one key is labeled public, the other private. Same sample plaintext and ciphertext as on the previous slide.]
• Public key encryption involves two mathematically related keys.
• Either key can be used to encipher.
• One of the keys can be made public and the other kept private.
• Strengths: no key delivery issues; can be used for non-repudiation.
• Weakness: slow, inefficient for large amounts of data, computationally expensive.
• Algorithms: RSA, ElGamal, Schnorr, Pohlig-Hellman, Elliptic Curve Cryptography.
• Used mainly for key exchange or digital signatures.
Notes:
• In their paper "New Directions in Cryptography," Diffie and Hellman (1976) proposed a new kind of cipher system in which the enciphering and deciphering keys are related but different: one is made public, while the other is kept private. This type of crypto system is called asymmetric, since it provides encryption in only one direction; a second pair of keys is needed to communicate in the other direction. Once the two mathematically related keys are calculated, there is no way to find out the private key from the public key. Asymmetric public cryptosystems allow two users to communicate securely over an insecure channel without any key prearrangement.
• The system is analogous to having a box with two locks on it: the key used to lock can be given to anyone (it is public), and another key, used to unlock, is kept secret. The public key (to lock the box) is different from the secret key (to unlock the box), and there is no way to find out the secret key from the public key. If a person wants to receive a secure message, he can send an open box and the key to lock the box. The person who receives the box places the message inside it and locks it using the "lock" key. The box with the message already inside is sent back to the recipient, who opens the box using the "unlock" key.

Slide 7: Stream Ciphers
• Plaintext is broken up into successive bits, and each one is enciphered with a bit from a keystream.
• If the keystream repeats itself after n characters, the stream is periodic; otherwise, it is non-periodic.
• Types of Stream Ciphers
  — Synchronous stream cipher
  — Self-synchronous stream cipher
[Diagram: "One-time Keypad", rows of bits (1 1 1 0 0 1 0 0 and 1 1 0 0 1 1 0) with their Output]
Notes:
• Stream ciphers can be synchronous or self-synchronous (Denning, 1983).
  In a stream cipher, plaintext is broken into successive bits, and each one is enciphered with a bit from a keystream produced by a key generator. If the keystream repeats itself after p characters, the stream cipher is periodic; otherwise, it is non-periodic. The Vernam cipher (one-time pad) and running-key ciphers are non-periodic.
• It is like a wheel with a lot of compartments. Depending on the secret key, the compartments are filled with 0s and 1s.

Slide 8: Stream Cipher Encryption Using Modulo-2 Key Stream
[Diagram: plaintext + keystream -> Modulo 2 Adder (Encipher) -> ciphertext; ciphertext + keystream -> Modulo 2 Adder (Decipher) -> plaintext]
Modulo 2 Adder: 1+0=1, 0+1=1, 1+1=0, 0+0=0

Enciphering
  Plaintext   10011000101000110
  Keystream   10110011100100011
  Ciphertext  00101011001100101

Deciphering
  Ciphertext  00101011001100101
  Keystream   10110011100100011
  Plaintext   10011000101000110
Notes:
• Stream cipher crypto machines use a keystream, also called a running key, to transform the plaintext into ciphertext. The set of rules used by the cipher system to mix the plaintext information with the keystream in order to obtain the ciphertext is called the encryption algorithm. We will use a stream cipher system to explain the basics of enciphering and deciphering.
• The keystream can be produced by a random noise (one-time tape) generator or by a pseudorandom bit generator. The one-time tape cannot be reproduced, and it needs to be delivered to the receiving side. The pseudorandom bit generator has the properties of random noise and can be duplicated at the receiving unit if both the sending and receiving units use the same cryptographic variables. If the keystream is obtained from shift registers, the inputs or initial states of the shift registers on the transmitting and receiving sides need to be the same.
• To encipher a plaintext, a sequence of 1s and 0s, each bit of the plaintext is modulo-2 added to one bit from the keystream to get the ciphertext. At the receiving side, the ciphertext is again modulo-2 added to the same keystream to obtain the plaintext. If the two keystream sequences are not exactly the same, the message cannot be deciphered correctly because the recovered text will not match the original plaintext.

Slide 9: Symmetric Key Stream Cipher
[Diagram: on each side, Cryptographic Variables (CV) and an Initialization Vector (IV) are loaded into a Key Generator that produces the Key Stream; the two key generators are kept in Synchronization. Plaintext + keystream -> Modulo 2 Adder (Encipher) -> ciphertext; ciphertext + keystream -> Modulo 2 Adder (Decipher) -> plaintext.]
• Keystream generated independently of the cleartext or ciphertext.
• Crypto variable and initialization vector required.
• Periodic keystream.
Notes:
• Plaintext is broken into successive bits, and each one is enciphered with a bit from a keystream produced by a key generator.
• In a stream cipher, the keystream is generated independently of the clear or cipher text. Stream ciphers add the plaintext modulo-2 to the keystream output of the key generator. The deciphering process is also the addition of the keystream to the ciphertext.
• Since the key generator algorithm is fixed, a variable keystream is obtained by varying the cryptographic variables, which are loaded by the user. The Initialization Vector (IV), also called random seed, is the randomly generated variable which causes each cryptographic session to start at a different point in the keystream.
• The initialization vector/random seed (IV) is normally generated by the transmitting cipher machine and then transmitted to the receiving unit in clear.
  This cleartext transmission does not compromise the system's security because both sender and receiver use a shared secret method (H*) to transform the publicly known random seed into a secret H*(IV) called the message key. The transmitting and receiving machines load the message key into the key generator as part of the crypto synchronization. Normally, the transmitting and the receiving machines know the random seed (IV) just before the communication session begins.
• If the units lose synchronization, they must reinitialize, i.e., begin a new communication session with a new initialization vector. For security reasons, the keystream should be different for each session; this is achieved by having a different message key each time the unit synchronizes.

Slide 10: Bit Flip and Missing Bits
Modulo-2 Adder: 1+0=1, 1+1=0, 0+1=1, 0+0=0

Left example: a bit is not received correctly (bit flip)
  Enciphering
    Plaintext   10011000101000110
    Keystream   10110011100100011
    Ciphertext  00101011001100101
  Deciphering
    Ciphertext  10101011001100101   (first bit received inverted)
    Keystream   10110011100100011
    Plaintext   00011000101000110

Right example: a bit is missing
  Enciphering
    Plaintext   10011000101000110
    Keystream   10110011100100011
    Ciphertext  00101011001100101
  Deciphering
    Ciphertext  0010111001100101    (one bit lost, 16 bits received)
    Keystream   10110011100100011
    Plaintext   10011101111101000
Notes:
Effects of Bit Errors on Reception
• In the left side example, let's suppose that the first bit of the ciphertext is not received correctly (bit flip); for example, instead of a 0 we received a 1. It can be seen that the only difference between the plaintext and the deciphered text is the first bit; the rest of the bits are the same. When the receiver's crypto unit gets a bad ciphertext bit, it will not interfere with the deciphering of the next ciphertext bit. In a message communication, one character will be incorrectly deciphered, and in a voice communication, only a hiss or a click will be heard.
Effect of Missing Bits during Reception
• When one bit is missed (right side example), the keystream is offset, the deciphered text after the missing bit no longer matches the plaintext, and the output is garbled. We can see that the first five bits of the deciphered text are the same as the plaintext, but after that the deciphered text goes awry.

Slide 11: Self-Synchronous Stream Cipher
[Diagram: on each side, Cryptographic Variables (CV) drive a Key Generator fed from an N-bit feedback shift register filled with ciphertext; plaintext + keystream -> Encipher -> ciphertext; ciphertext + keystream -> Decipher -> plaintext.]
• Keystream is a function of the ciphertext.
• Allows late entry.
• Non-periodic keystream.
Notes:
• In a self-synchronous stream cipher, also called Ciphertext-Auto-Key (CTAK), part of the ciphertext is continuously fed back into the key generator. Consequently, each bit of the keystream depends on a fixed number n of ciphertext bits, n being the length of the feedback shift register used. The key generator's keystream is a function of the ciphertext.
• There is no real need for an initialization vector (IV). The sender unit starts transmitting ciphertext, and, after just n incorrectly deciphered bits, the receiving unit begins deciphering the traffic correctly; the system is self-synchronizing. In broadcast communications, it is not necessary to be listening from the beginning of a communication session to decipher the last parts of the message correctly: late entry is possible.
• The CTAK stream cipher prevents an active wiretapper (spoofer) from altering a segment of the ciphertext bit-stream. When the spoofer changes k bits in the ciphertext, the n-bit error propagation will produce n + k bad ciphertext bits; on average, half of the corresponding deciphered bits will be incorrect.
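The two error behaviours described on slides 10 and 11, the synchronous cipher's isolated bit error and keystream offset and the self-synchronous (CTAK) cipher's bounded error propagation and late entry, simulated in Python as an added example that is not part of the lecture notes. The plaintext, keystream and ciphertext are the slide's own; the CTAK register length N, key and truth table are constructed assumptions, not any fielded design.

```python
# Added example, not from the lecture slides: error behaviour of a synchronous
# stream cipher, using the slide's own 17-bit plaintext and keystream, beside a
# toy self-synchronous (CTAK) cipher whose keystream bit is a keyed non-linear
# function of the previous N ciphertext bits. The CTAK key and truth table are
# constructed for illustration only and are not any fielded design.
from typing import List, Optional

PLAINTEXT = "10011000101000110"   # slide 8 plaintext
KEYSTREAM = "10110011100100011"   # slide 8 keystream
CIPHERTEXT = "00101011001100101"  # slide 8 ciphertext (plaintext XOR keystream)


def xor_bits(a: str, b: str) -> str:
    """Modulo-2 adder over two bit strings; trailing bits of the longer one are dropped."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def flip(bits: str, pos: int) -> str:
    """Return `bits` with the bit at 0-based `pos` inverted (a transmission error)."""
    return bits[:pos] + ("1" if bits[pos] == "0" else "0") + bits[pos + 1:]


def sync_bit_flip(pos: int) -> str:
    """Synchronous decipher of the slide's ciphertext after bit `pos` was received inverted."""
    return xor_bits(flip(CIPHERTEXT, pos), KEYSTREAM)


def sync_bit_lost(pos: int) -> str:
    """Synchronous decipher after bit `pos` was lost in transit: the keystream is now offset."""
    return xor_bits(CIPHERTEXT[:pos] + CIPHERTEXT[pos + 1:], KEYSTREAM)


# --- toy ciphertext-auto-key (CTAK) cipher -------------------------------------
N = 4                 # length of the ciphertext feedback register (assumption)
KEY = 0b1011          # constructed 4-bit crypto variable (assumption)
# Constructed, balanced 4-input truth table (eight ones, eight zeros) acting as a
# tiny non-linear key generator: keystream bit = TABLE[register XOR KEY].
TABLE = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]


def ctak_keybit(register: List[str]) -> str:
    """Keystream bit derived only from the last N ciphertext bits and the key."""
    return str(TABLE[int("".join(register), 2) ^ KEY])


def ctak_run(bits: str, register: Optional[List[str]] = None, enciphering: bool = True) -> str:
    """Encipher plaintext or decipher ciphertext; the register is fed ciphertext in both cases."""
    reg = list(register) if register is not None else ["0"] * N
    out = []
    for b in bits:
        o = "1" if b != ctak_keybit(reg) else "0"
        out.append(o)
        reg = reg[1:] + [o if enciphering else b]   # shift the ciphertext bit in
    return "".join(out)


def error_positions(expected: str, got: str) -> List[int]:
    """Indices where a deciphered text differs from the original plaintext."""
    return [i for i, (e, g) in enumerate(zip(expected, got)) if e != g]


def ctak_bit_flip(plaintext: str, pos: int) -> List[int]:
    """Flip ciphertext bit `pos` in transit; the damage is confined to bits pos .. pos+N."""
    garbled = flip(ctak_run(plaintext), pos)
    return error_positions(plaintext, ctak_run(garbled, enciphering=False))


def ctak_late_entry(plaintext: str, start: int) -> List[int]:
    """Join a broadcast at ciphertext bit `start` with an unknown (all-zero) register."""
    c = ctak_run(plaintext)
    wrong = error_positions(plaintext[start:], ctak_run(c[start:], enciphering=False))
    return [start + i for i in wrong]   # only the first N bits after `start` can be wrong
```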
  If this is not normal in the communications environment in which the cipher system is operating, the receiver will suspect that spoofing has occurred.
• The self-synchronization and authentication characteristics of CTAK self-synchronous stream ciphers are very attractive because they make the key generator design much less complicated than that of the synchronous stream cipher, and their features are widely used for message verification.

Slide 12: Perfect Crypto System
• From the theoretical point of view, the only system that offers perfect secrecy is the one in which the keystream is
  — totally random,
  — infinitely long,
  — and used only one time.
• A perfect crypto system is achieved only with Vernam's cipher, the one-time key, in which the keystream is random, is as long as the message, and is used only one time.
• However, Vernam's cipher system is not widely used because of the following problems:
  — The length of the key is as long as the plaintext and can be cumbersome.
  — There is an immense volume of key material that needs to be sent to the receiver.
  — The cryptographer needs to find a safe way of letting the recipient know the key that was used to encipher the message.
Notes:
• From the theoretical point of view, the only system that offers perfect secrecy is the one in which the keystream is totally random, infinitely long, and used only one time. A perfect crypto system is achieved only with Vernam's cipher, the one-time key, in which the keystream is random, as long as the message, and used only one time. However, Vernam's cipher system is not widely used because of the following problems:
• The length of the key should be at least as long as the plaintext.
• There is an immense volume of key material that needs to be sent to the receiver.
• It is imperative that the cryptographer find a safe way of letting the recipient know the key that was used to encipher the message.
• In today's communications, there is a great volume of traffic, and the number of messages sent and received in any corporation, army, or branch of government is immense. If a one-time key system is used, a great deal of equipment and resources are necessary to ensure that each keystream sequence is used only once. This is the reason why a one-time key system is only used for top-secret messages in high-level strategic communications.
• Several mathematicians and cryptologists have proven that Vernam's cipher, the one-time pad, is unbreakable. As a result, many cryptographers believed that if they could emulate the one-time key system in some way, without the key management problems mentioned before, they would have a system with a guaranteed high level of security. Vernam's conditions led to the introduction of the keystream generator, most commonly known as key generator, which emulates the conditions for perfect secrecy.

Slide 13: Perfect Key Generator
[Diagram: a ring of keystream bits with the Key Variable, the Starting Position and the Cycle Length marked; figures shown: 10^40 and 2^128 crypto variables, Infinite Cycle Length, Random Starting Places.]
• Infinite Number of Crypto Variables (Keys)
  — 56, 64, 128, 256, 512, 1028, 2056 bits
• Random Keystream
  — A pseudorandom keystream that is random for all statistical tests, but which can be re-created by the same type of key generator when the same crypto variables are loaded in both key generators.
• Infinite Cycle Length
• Random Starting Places (Message Key, Initialization Vector)
  — With many different message keys (starting positions in the key generator), the probability that the key used to encipher a message is used only one time is very high. This is one of the most important of Vernam's conditions for a perfect keystream.
• Fail-Safe Alarms
Notes:
• The following are some of the characteristics of a perfect key generator, if one could be built:
  1. Infinite Number of Crypto Variables (Keys). In order to maintain the highest level of security, a different key would be used to encipher each message. Therefore, the perfect key generator would have an infinite number of keys from which to choose.
  2. Completely Random Keystream. Ideally, the keystream from a perfect key generator would be completely random, such as the output of a white noise generator. The value of this concept lies in the inability to re-create exactly the same keystream.
  3. Infinite Cycle Length. Each keystream of the perfect key generator would be infinitely long to ensure that the keystream in use would never repeat itself.
  4. Random Starting Places. The perfect key generator would never start enciphering a message with a portion of the keystream already used to encipher a previous message. To prevent this occurrence, the key generator would start at a different place on its infinitely long cycle length each time a new message was enciphered.
  5. Fail-Safe Alarms. An alarm system would be present to prevent any transmissions if the key generator fails.
• In the real world, a key generator is very close to being perfect by having the following characteristics and advantages:
  1. Code-Setting Control. A code-setting control actually changes the generated keystream; thus, two identical devices can "talk to each other" only if they have the same code setting or crypto variables. A good key generator should have more than 10^80 crypto variables.
  2. Pseudorandom Keystream. A completely random keystream would be impractical because it could not be recreated and, thus, could not be deciphered.
  A more practical unit would be a key generator that produces a pseudorandom keystream that is random for all statistical tests, but which can be re-created, by the same type of key generator, when the same crypto variables are loaded into both key generators.
  3. A Very Long Cycle Length. A very long cycle period (more than 10^90) is satisfactory.
  4. Random Starting Places. By randomizing the starting position for the enciphering sequence, the keystream is changed for every single message. This concept is called message key or initialization vector (IV). With many different message keys (starting positions in the key generator), the probability that the key used to encipher a message is used only one time is very high. This is one of the most important of Vernam's conditions for a perfect keystream. In some crypto systems, the IV size is the same as the block size; i.e., in AES the IV is 128 bits.
  5. Fail-Safe Alarms. Most key generators employ an alarm system to monitor their own operation to prevent transmission if a failure is detected.

Slide 14: Linear Shift Register
Advantages
• They produce sequences of 1s and 0s.
• They are described by a single recursion equation.
• Identical shift registers with the same initial input behave alike and produce exactly the same outputs.
• They easily produce long cycles.
• Their outputs are statistically balanced.
• They have well known properties.
Disadvantages
• In the initial starting condition, all zeros must be avoided to prevent collapse. Setting at least one of the stages to 1 prevents this problem.
• Improper selection of the feedback taps may not produce maximum length periods.
• Previous stages are easily calculated.
Notes:
• As mentioned before, information written in binary digits can be enciphered by XORing the plaintext and keystream.
  An electrical-noise random bit generator could be used to generate a stream sequence of 1s and 0s, with the great advantage that it is totally random; however, since the sequence cannot be reproduced, the keystream must be sent to the receiver to decipher the message. This situation would lead back to the key management problem of Vernam's cipher, the one-time key system.
• A shift register, implemented as a random sequence generator, generates the same keystream sequence used to encipher and decipher information. Key generators based on shift registers generate the sequence using only 1s and 0s, the sequence looks random, and slight modifications to the shift register generate different sequences or keystreams.
• Shift registers are devices consisting of n consecutive, 2-state memory-storage units (usually flip-flops). These registers are connected so that the state of each memory stage can be transferred to its neighbor to the immediate left or right under the control of a single clock signal.
• An n-stage shift register consists of n consecutive storage or memory units regulated by a clock signal. Each storage unit stores a 1 or a 0. At each clock signal, the state (1 or 0) of each memory stage is shifted to the next stage in line.

Slide 15: Linear Feedback Shift Registers (LFSR)
[Diagram: stages S1, S2, S3, ..., Sn-1, Sn with feedback coefficients C0, C1, C2, C3, ..., Cn-1, Cn; the tapped stages are modulo-2 added and the sum is fed back into S1.]

  f(x) = Σ_{i=0}^{n} C_i x^i

The polynomial f(x) of any shift register, called the Characteristic Polynomial, can be determined as the sum of the values of C_i x^i for which the S_i stage is fed back into the modulo-2 adder.

  f(x) = 1 + C_1 x + C_2 x^2 + C_3 x^3 + ... + C_{n-1} x^{n-1} + x^n
Notes:
• The shift register can be kept active during a longer period by including a feedback loop, which computes a new term for the first stage based on the states of certain other stages.
  To compute the new state (1 or 0) for the first stage, AND, OR, and XOR gates (or a combination of them) are used. Linear shift registers use only XOR gates.
• The term Linear Feedback Shift Register (LFSR) is used to refer to a shift register with an XOR function and a feedback line; shift register sequence is used to refer to the output, which is normally taken from the last stage, but it can be from any stage.
• A shift register can be represented using the equation shown above.
• Each of the feedback coefficients, C_i, is either 1 when the feedback is connected or 0 when it is disconnected. The symbol ⊕ denotes addition modulo-2. C_n = 1 means that the last feedback switch is always connected; otherwise, the last stage is not used. C_0 = 1 since the newly computed term is always loaded into the first stage. The characteristic polynomial is expressed as a modulo-2 addition (in which each of the feedback coefficients is C_i = 1 or 0).
• Polynomial notation is a very convenient way to represent LFSRs. For example, the vector 1 1 0 1 1 0 0 0 1 may be represented as f(x) = x^0 + x^1 + x^3 + x^4 + x^8, where the first bit, reading from left to right, is the coefficient of x^0. The polynomial f(x) of any shift register, called the characteristic polynomial, can be determined as the sum of the values of C_i x^i for which the S_i stage is fed back into the modulo-2 adder.

Slide 16: Shift Register Theory
[Diagram: a four-stage register shifting without feedback: 1 0 1 1, Step 1: 0 1 0 1, Step 2: 0 0 1 0, Step 3: 0 0 0 1, Step 4: 0 0 0 0. Beside it, the four-stage register x^1 .. x^4 with initial state 0 0 0 1, stages 1 and 4 fed to a modulo-2 adder whose output returns to stage 1.]
Modulo-2 Adder: 1+0=1, 1+1=0, 0+1=1, 0+0=0

  f(x) = 1 + x + x^4

Characteristic Polynomial of a Shift Register:
  f(x) = 1 + x^1 + x^2 + x^3 + ... + x^{n-1} + x^n

Maximum length of a four-stage shift register:
  Period = 15 = 2^4 - 1
  Number of ones  = 2^(4-1)     = 8
  Number of zeros = 2^(4-1) - 1 = 7

  Clock   (Initial)  1     2     3     4     5     6     7     8     9
  States  0001       1000  1100  1110  1111  0111  1011  0101  1010  1101

  Clock   10    11    12    13    14    15    16    17    18
  States  0110  0011  1001  0100  0010  0001  1000  1100  1110
Notes:
• In the four-stage linear shift register, stages 1 and 4 are tapped and modulo-2 added, with the result being fed back to stage 1. The state diagram shows the initial state and the sequence of successive states of the shift register.
• At the fifteenth clock signal, the state of the shift register returns to the initial state and starts repeating itself. It can be said that the sequence is periodic with a period of p = 15 = 2^4 - 1. Because all possible binary vectors of length 4, except 0000, occur in the shift register, it is possible to say that p = 15 = 2^4 - 1 is the maximum length of a four-stage shift register.
• The shift register sequence is the output of the shift register, which can be taken from any of the stages. If the output is taken from the fourth stage, the sequence will be the following: 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1.
• Note that the sequence starts repeating itself after the 15th bit, regardless of which stage the output sequence is taken from. Also, in the output sequence of any of the stages, there is one more 1 than there are 0s. In this case, there are eight 1s and seven 0s. This is the balance property of maximum-length sequences, in which there are 2^(n-1) ones and 2^(n-1) - 1 zeros.
Slide 17: Shift Register Theory
Modulo-2 Adder: 1+0=1, 1+1=0, 0+1=1, 0+0=0

Left: f(x) = 1 + x^2 + x^4 (stages 2 and 4 tapped)
  Initial state 0 0 0 1:
    Clock   (Initial)  1     2     3     4     5     6
    States  0001       1000  0100  1010  0101  0010  0001
  Initial state 1 0 1 1:
    Clock   (Initial)  1     2     3
    States  1011       1101  0110  1011
  If an LFSR doesn't have maximum length, the initial conditions (the initial sequence loaded into the shift register) determine which sequence is generated and the period of such sequence.

Right: f(x) = 1 + x + x^2 + x^3 + x^4 (all four stages tapped)
    Clock   (Initial)  1     2     3     4     5
    States  0001       1000  1100  0110  0011  0001
  In any LFSR, the feedback connections determine whether the sequence will be maximum or not.
Notes:
• In the above left example, (1) when the initial state is 0 0 0 1, the sequence starts repeating itself after six clock signals; (2) when the initial state is 1 0 1 1, the period is 3; and (3) the characteristic polynomial, f(x) = x^0 + x^2 + x^4, is reducible (that is, it can be factored). We may say that if the characteristic polynomial f(x) is reducible, the period depends on the initial conditions.
• In the LFSR on the right, the sequence starts repeating itself after five clock signals, and the period is not maximum; therefore, the length of a shift register sequence is not always p = 2^n - 1, but depends on how the feedback taps are selected.

Slide 18: Shift Register Properties
• A Shift Register produces sequences that depend upon the number of stages, feedback tap connections, and initial conditions.
• The succession of states in a Shift Register is periodic, with a period p ≤ 2^n - 1, where n is the number of stages. The value of p depends on the feedback coefficients, but a period of 2^n - 1 can sometimes be achieved.
• A sequence generated by an n-stage Shift Register is said to have maximum length if its period is p = 2^n - 1.
This maximum length holds, no matter what the initial state of the shift register is. Also, if a Shift Register sequence has a period of p = 2n - 1, then every possible binary vector (except all zeros) of length n occurs exactly once in each period. • In any LFSR, the feedback connections determine whether the sequence will be maximum or not. • In LFSRs with reducible characteristic polynomials (non-maximal sequences), the initial conditions (the initial sequence loaded into the shift register) determine which sequence is generated and the period of such sequence. Encryption Systems Stream Ciphers Shift Registers DES AES Block Cipher Modes of Operation M. Mogollon – 01/08 - 18 • Shift registers have some important properties when used as key generators; most of these properties have been mathematically proven. 18 Shift Register Properties • If all the exponents of a polynomial are even, then the characteristic polynomial is reducible, and it can’t have a maximum length sequence; e.g., the characteristic polynomial f (x) = 1 + x 2 + x 4 is reducible. • If a shift register sequence has maximum length, its characteristic polynomial is irreducible; however, the converse of this property does not hold true. There actually are irreducible polynomials which correspond to no maximum-length sequences. • If the characteristic polynomial of a LFSR is primitive, the shift register sequence has maximum length. • A maximum length sequence cannot be generated from a Shift Register that has an odd number of taps because this means that f(x) is divisible by (x - 1). • The number of ways to achieve maximum length (p = 2n - 1) in a Shift Register is given by φ ( 2 n - 1) 2 n ≈ N m (n) = n n Encryption Systems Stream Ciphers Shift Registers DES AES Block Cipher Modes of Operation M. 
Shift Register Properties

• If a sequence has an irreducible characteristic polynomial of degree n, the period of the sequence is a factor of 2^n - 1, and it may or may not be maximum. The period is always the same, regardless of the initial state. However, if the maximal length, p = 2^n - 1, is prime, every irreducible polynomial of degree n corresponds to a shift register sequence of maximum length. When p = 2^n - 1 is prime, it is known as a Mersenne prime.
• If a sequence has an irreducible characteristic polynomial of degree n, its maximum length does not depend on the initial conditions, except for the initial condition "all 0s."
• If a sequence has a primitive characteristic polynomial of degree n, its period is the smallest positive integer p for which the characteristic polynomial f(x) divides x^p - 1, modulo 2.

Non-Linear Combination of LFSR Devices

[Figure: key generator built from three LFSRs loaded from an initialization vector. LFSR 1 has five stages (maximum length 2^5 - 1 = 31), LFSR 2 has four stages (2^4 - 1 = 15), and LFSR 3 has three stages (2^3 - 1 = 7). Their output bits are XORed to form the key stream, which is XORed with the plaintext to give the ciphertext. Maximum length of the key stream = 31 x 15 x 7 = 3255. Replacing LFSR 1 with a six-stage register (2^6 - 1 = 63) gives 63 x 15 x 7 = (9 x 7) x (5 x 3) x 7; after the common factors (3 x 7) are removed, the maximum length is 315.]

    Ml = (P1 x P2 x P3 x ... x Pn) / (any common factors of P1, P2, P3, ... Pn)

where Ml is the key stream maximum length and P1 ... Pn are the periods of the individual registers.

• Golomb demonstrated that shift register sequences satisfy all three of his randomness properties. Shift registers are thus very good candidates to generate the sequences needed for stream ciphers.
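The LFSR properties on these slides, and the combination rule for the three-register key generator in the figure above, can be checked numerically. The following Python simulation is an added example and is not code from the slides. It clocks a Fibonacci-style LFSR from a set of polynomial exponents, measures the period from a given initial state, and then clocks several registers together to find the period of the joint state, which is the lcm of the individual periods (the slide's "product divided by common factors"). The slides do not give the feedback taps for the 3-, 4-, 5- and 6-stage maximum-length registers, so the primitive polynomials used for them below (1 + x + x^3, 1 + x + x^4, 1 + x^2 + x^5, 1 + x + x^6) are my assumption; the two four-stage polynomials are the ones on the Shift Register Theory slide.

```python
# Added example (not from the slides): simulate the LFSRs on these slides, measure
# their periods, and check the combination rule Ml = (P1 x ... x Pn) / common factors
# for three maximum-length registers whose outputs are XORed into one keystream.
from functools import reduce
from math import gcd


def lfsr_step(state, poly):
    """One clock of a Fibonacci LFSR.
    state: tuple of n bits, oldest first (a_t, ..., a_{t+n-1}).
    poly:  exponents of the characteristic polynomial, e.g. {0, 2, 4} for 1 + x^2 + x^4.
    Feedback bit a_{t+n} is the modulo-2 sum of a_{t+k} for every k < n in poly."""
    n = len(state)
    fb = 0
    for k in poly:
        if k < n:
            fb ^= state[k]
    return state[1:] + (fb,)


def lfsr_period(poly, init):
    """Clocks until the register returns to its initial state (the sequence period)."""
    init = tuple(init)
    state, clocks = init, 0
    while True:
        state = lfsr_step(state, poly)
        clocks += 1
        if state == init:
            return clocks


def is_maximum_length(poly, n):
    """Period 2^n - 1 from 0...01 means every nonzero n-bit state is visited exactly once."""
    return lfsr_period(poly, (0,) * (n - 1) + (1,)) == 2 ** n - 1


def lcm(*values):
    return reduce(lambda a, b: a * b // gcd(a, b), values)


def combined_period(generators):
    """Period of several registers clocked together; their XORed keystream can repeat no later.
    generators: list of (poly, init) pairs."""
    states = [tuple(init) for _, init in generators]
    start, clocks = list(states), 0
    while True:
        states = [lfsr_step(s, p) for s, (p, _) in zip(states, generators)]
        clocks += 1
        if states == start:
            return clocks


def keystream(generators, nbits):
    """nbits of keystream: XOR of every register's oldest (output) bit at each clock."""
    states = [tuple(init) for _, init in generators]
    bits = []
    for _ in range(nbits):
        bits.append(reduce(lambda x, y: x ^ y, (s[0] for s in states)))
        states = [lfsr_step(s, p) for s, (p, _) in zip(states, generators)]
    return bits


# Registers from the slides: f(x) = 1 + x^2 + x^4 (reducible) and 1 + x + x^2 + x^3 + x^4.
REDUCIBLE = {0, 2, 4}
FIVE_TERM = {0, 1, 2, 3, 4}
# The slides do not give the taps of the 3-, 4-, 5- and 6-stage maximum-length registers;
# these primitive polynomials are my assumption: 1+x+x^3, 1+x+x^4, 1+x^2+x^5, 1+x+x^6.
LFSR3, LFSR4, LFSR5, LFSR6 = {0, 1, 3}, {0, 1, 4}, {0, 2, 5}, {0, 1, 6}


def unit(n):
    """Initial state 0...01 for an n-stage register."""
    return (0,) * (n - 1) + (1,)


THREE_REGISTERS = [(LFSR5, unit(5)), (LFSR4, unit(4)), (LFSR3, unit(3))]   # 31, 15, 7
SIX_STAGE_FIRST = [(LFSR6, unit(6)), (LFSR4, unit(4)), (LFSR3, unit(3))]   # 63, 15, 7

if __name__ == "__main__":
    print(lfsr_period(REDUCIBLE, (0, 0, 0, 1)), lfsr_period(REDUCIBLE, (1, 0, 1, 1)))  # 6 3
    print(lfsr_period(FIVE_TERM, (0, 0, 0, 1)))                                        # 5
    print([is_maximum_length(p, n) for p, n in ((LFSR5, 5), (LFSR4, 4), (LFSR3, 3))])  # all True
    print(combined_period(THREE_REGISTERS), lcm(31, 15, 7))                            # 3255 3255
    print(combined_period(SIX_STAGE_FIRST), lcm(63, 15, 7))                            # 315 315
    print("".join(map(str, keystream(THREE_REGISTERS, 32))))
```

The state tables on the Shift Register Theory slide come out of `lfsr_period` directly (6 and 3 for the reducible polynomial depending on the start state, 5 for the five-term one), and replacing the 5-stage register with a 6-stage one drops the joint period from 3255 to 315 because 63 and 15 share the factor 3 and 63 and 7 share the factor 7.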
In the examples above, however, linear shift registers with periods p = 2^n - 1 have certain disadvantages: (1) the entire sequence is known once it has been determined how the feedback taps are connected; and (2) if the input is not changed before 2^n clock signals, the keystream reverts to its initial state; it starts repeating the original sequence. By solving 2n independent equations involving the feedback coefficients and the initial states, a cryptanalyst would be able to obtain the entire sequence.
• Most key generators consist of several mostly maximum-length LFSRs whose output sequences are combined in a non-linear function F to produce the keystream. Some of the functions used to introduce some non-linearity into the keystream are multiple registers, dynamic interconnection between registers, stepping between registers, and random starting points.
• In the example presented in this diagram, three shift registers are used: one with five stages, another with four, and another with three, with their outputs XORed. Since the feedback taps in each of the shift registers have been selected so as to produce a maximum length, the combination of the three shift registers will produce a sequence that will start repeating itself, for S.R.1 ⊕ S.R.2, at 31 x 15 = 465, and for S.R.1 ⊕ S.R.2 ⊕ S.R.3 at 31 x 15 x 7 = 3255, or (2^5 - 1) x (2^4 - 1) x (2^3 - 1).
• Will there be a longer sequence if a shift register with a greater number of stages is used instead of the shift register with 5 stages? Perhaps not; for example, the maximum sequence obtained with shift registers that have periods of 63, 15, and 7 is 315 instead of (2^6 - 1) x (2^4 - 1) x (2^3 - 1) or 63 x 15 x 7 = 6615. Quite a difference! The reason is that when several shift registers are combined to produce a long sequence, the maximum length Ml of the sequence is equal to the formula shown above.

Gears and Shift Registers

When will the marked teeth return to their original position?
[Figure: three gears with 15, 31, and 127 teeth, one tooth marked on each.]

• Establishing the similarity between shift registers and gears helps explain how to produce long sequences using small shift registers. In a gear with t teeth, one of the teeth is marked and the gear is rotated one step at a time; after t clock signals, the marked tooth will return to its original position. The period of the gear is the same as the number of teeth in the gear. But if two gears are used in which the numbers of teeth do not have any common factors (for example 127 and 31), then the period will be equal to 127 x 31 = 3937.
• Likewise, if there are three gears with 127, 31, and 15 teeth, then the period will be 127 x 31 x 15; this is equivalent to having three shift registers with n1 = 7, n2 = 5, and n3 = 4 stages. If the feedbacks are chosen correctly, the maximum length of each shift register sequence will be 2^n - 1, or 127, 31, and 15.

Block Cipher

• The encryption algorithm is used to transform x bits of plaintext into x bits of ciphertext.
• Every bit of the plaintext has an effect on every bit of the ciphertext.
• Each block is independent; there is no influence between blocks.
• Identical plaintext blocks produce identical ciphertext blocks.
• An error in the ciphertext has an effect only on that block.
• Types of Block Ciphers
  — DES Electronic Code Book
  — DES Cipher Block Chaining
  — Advanced Encryption Standard

• A block cipher uses an encryption algorithm, in conjunction with cryptographic variables, to transform a plaintext block of x bits into a ciphertext block of x bits (Denning, 1983). The positive integer x is the block size. In the block cipher system, the block of x bits is encrypted by the encryption algorithm.
The enciphering and deciphering functions are such that every bit in the ciphertext block depends jointly on every bit in the plaintext and on the cryptographic variable. Block cipher systems are similar to codebooks in which, for every possible plaintext block, there is a corresponding ciphertext block. A block cipher cryptosystem can be configured as a block cipher or as a block stream cipher.

Block Cipher

[Figure: plaintext blocks pass through the block cipher algorithm, controlled by the crypto variables, to produce cipher blocks (encipher); the same algorithm with the same crypto variables recovers the plaintext blocks (decipher). Block size: DES 64-bit, AES 128-bit.]

• In the block cipher system, several plaintext bits are encrypted at the same time by the encryption algorithm, and every plaintext bit affects every ciphertext bit within the block.
• Each block is treated independently, and there is no influence between blocks; i.e., two identical plaintext blocks will produce identical ciphertext blocks. As in codebooks, decryption can be performed on isolated blocks in an arbitrary order without any loss of crypto synchronization. This was the initial mode of the DES algorithm, known as the Electronic Code Book (ECB).
• When each block is enciphered independently with the same key variable, block ciphers are especially susceptible to spoofing because one enciphered block can be replaced by another, or blocks can be inserted or deleted. These changes do not affect surrounding blocks. For example, in a credit transaction, the ciphertext block corresponding to the amount transferred could be changed, and the message could be deciphered without the receiver noticing.

Data Encryption Standard (DES)

• Approved in 1977.
• Enciphers a 64-bit block of plaintext into a 64-bit block of ciphertext, under the control of a 64-bit crypto variable where 56 bits are the key and 8 bits are used for parity.
• Uses transposition and substitution.
• Has 16 separate rounds of encipherment. Each round involves operations with a different 48-bit key developed from the original 64-bit cryptographic key.
• Distributed.Net, a worldwide coalition of computer enthusiasts, worked with EFF's DES Cracker and a global network of nearly 100,000 PCs in 1998 and broke a DES 56-bit key in 22 hours and 15 minutes.

• In May 1973, the National Bureau of Standards (NBS), recognizing the need to adopt a standard algorithm to encipher digital communications used by the government, industry, and private organizations, requested several companies to propose techniques and algorithms for enciphering computer data, with the idea that those techniques and algorithms might then be considered for use in a Federal Standard.
• Several companies presented their proposals. The National Security Agency (NSA) tested all the algorithms presented, and, according to the NBS, only the algorithm submitted by IBM was found acceptable. On March 17, 1975, the National Bureau of Standards published the algorithm in the Federal Register for public comment and published the proposed standard in the Federal Register in August 1975. In January 1977, the proposed algorithm became the Data Encryption Standard (DES) and was then published as a federal standard, FIPS PUB 46.
• The DES algorithm enciphers a 64-bit block of plaintext into a 64-bit block of ciphertext under the control of a 56-bit crypto variable. DES keys are 64-bit binary vectors consisting of 56 independent information bits and 8 parity bits. The parity bits are reserved for error detection purposes and are not used by the encryption algorithm.
• The DES encryption algorithm has been broken using brute force, trying all the possible key combinations, but no one has proven that there is a fault in the design.
DES Steps

[Figure: the DES round structure, from INPUT through the Initial Permutation, 16 Feistel rounds with keys K1 ... K16, and the Inverse Initial Permutation to OUTPUT.]

• Perform an initial permutation on the bit string according to a function derived from the encryption key.
• Split the 64-bit permuted block of data into 32-bit halves and expand the 32-bit string to 48 bits.
• Encipher the right half with an encryption key, using 48 bits of the original 56 bits of the encryption key.
• Perform a set of constant substitution functions using 8 S-boxes (4 x 16 matrices) followed by the permutation.
• Repeat the whole set of functions 16 times with a different encryption key every time.
• Perform a final permutation, the inverse of the initial permutation.

Round equations:
    L1 = R0         R1 = L0 + f(R0, K1)
    L2 = R1         R2 = L1 + f(R1, K2)
    ...
    L15 = R14       R15 = L14 + f(R14, K15)
    L16 = R15       R16 = L15 + f(R15, K16)

• The encryption process consists of 16 separate rounds of encryption. First, the 64-bit block of data undergoes a permutation that rearranges the bits according to a matrix; then the 64-bit permuted block of data is split into two 32-bit halves. The right half is enciphered with a key K1, obtained from the original 56-bit crypto variable, and then is XORed to the left half.
• For the second round of encryption, the result just obtained becomes the right half, and the unaltered right half from the first round becomes the left. The procedure is repeated 16 times with a different key, K, used each time. The figure above shows the enciphering computation. After the 16 rounds of encryption, the 64-bit block of data undergoes a final permutation, the inverse initial permutation, thus producing the ciphered 64-bit block.

Advanced Encryption Standard

• In September 1997, the NIST issued a Federal Register Notice soliciting encryption algorithms to replace the DES.
• Fifteen algorithms were presented and five were selected for the second round:
  — MARS, submitted by IBM (United States).
  — RC6, submitted by RSA Laboratories (United States).
  — Rijndael, submitted by Joan Daemen and Vincent Rijmen (Belgium).
  — Serpent, submitted by Ross Anderson (United Kingdom), Eli Biham (Israel), and Lars Knudsen (Norway).
  — Twofish, submitted by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson (United States).
• On October 2, 2000, the NIST announced that it had selected Rijndael for the AES.
• The standard became effective May 26, 2002.
• The AES can be used by U.S. government organizations to protect secret and top secret (classified) information.

• The Advanced Encryption Standard (AES) is the new cryptographic algorithm for use by U.S. government organizations. Initially, AES was endorsed to protect sensitive (unclassified) electronic data. In June 2003, the National Security Agency conducted a review (Committee on National Security Systems, CNSS Policy 15) and determined that the design and strength of all key lengths of the AES algorithm (i.e., 128, 192, and 256) were sufficient to protect classified information up to the SECRET level. NSA's policy stated that TOP SECRET information would require use of either the 192 or 256 key lengths.
• NIST made a formal call for algorithms stipulating that the AES would be an unclassified, publicly disclosed encryption algorithm(s), available royalty-free worldwide. In addition, the algorithm(s) must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits.
• By August 20, 1998, members of the cryptographic community from around the world had submitted fifteen AES candidate algorithms.
After an initial review of the algorithms, the NIST selected five algorithms for the second round:
  — MARS, submitted by IBM (United States).
  — RC6, submitted by RSA Laboratories (United States).
  — Rijndael, submitted by Joan Daemen and Vincent Rijmen (Belgium).
  — Serpent, submitted by Ross Anderson (United Kingdom), Eli Biham (Israel), and Lars Knudsen (Norway).
  — Twofish, submitted by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson (United States).
• On October 2, 2000, the NIST announced that it had selected Rijndael for the AES. The standard became effective on May 26, 2002.

AES

• Symmetric block cipher that uses cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data blocks of 128 bits.
• Substitution and linear transformation are done with different numbers of rounds depending on the key size: 10 (128 bits), 12 (192 bits) or 14 (256 bits).
• A data block to be processed using the AES is partitioned into an array of bytes, and each of the cipher operations is byte-oriented.
• The AES encryption consists of the following:
  — Key expansion
  — An initial round key addition
  — Several rounds of ByteSub, ShiftRow, MixColumn, and AddRoundKey
  — Final round of ByteSub, ShiftRow, and AddRoundKey
• The S-box has a mathematical structure, based on the combination of inversion over a Galois field and an affine transformation. Although this mathematical structure might conceivably aid an attack, the structure is not hidden as would be the case for a trapdoor. If the S-box were suspected of containing a trapdoor, then the S-box could be replaced.

• The AES is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.
The Rijndael algorithm was designed to handle additional block sizes and cipher key lengths, but these were not adopted in the AES algorithm.
• The input and the output for the AES algorithm each consist of sequences of 128 bits (digits with values of 0 or 1). The cipher key for the AES algorithm is a sequence of 128, 192 or 256 bits. Other input, output, and cipher key lengths are not permitted by the AES standard.
• The AES encryption consists of the following:
  — Key expansion
  — An initial round key addition
  — Several rounds of SubByte, ShiftRow, MixColumn, and AddRoundKey
  — Final round of ByteSub, ShiftRow, and AddRoundKey
• In the Rijndael algorithm, the number of standard rounds depends on the data block size and the cipher key length. Because the AES algorithm currently only uses data blocks of 128 bits, the number of standard rounds is 10 rounds for a 128-bit cipher key length, 12 rounds for a 192-bit cipher key length, or 14 rounds for a 256-bit cipher key length.

Number of rounds in Rijndael by block length (rows) and key length (columns):

    Block \ Key Length    128    192    256
    128                    10     12     14
    192                    12     12     14
    256                    14     14     14

State Array

[Figure: a 128-bit block (16 bytes) arrives as the input bit sequence, bit 0 first; each group of eight bits (bit numbers 7 6 5 4 3 2 1 0 within the byte) forms one byte. The input bytes in0 ... in15 fill the State Array column by column: in0, in1, in2, in3 become S0,0, S1,0, S2,0, S3,0; in4 ... in7 become S0,1 ... S3,1; in8 ... in11 become S0,2 ... S3,2; and in12 ... in15 become S0,3 ... S3,3.]

• The basic unit for processing in the AES algorithm is a byte, a sequence of eight bits treated as a single entity. During the ciphering and deciphering processes, the input, output, and cipher key bit sequences are processed as bytes (eight contiguous bits) in array form.
The bytes in the resulting array are referenced as in_n or as S_r,c, where r is the row number in the array and c is the column number in the array.
• Internally, the AES algorithm's operations are performed on a two-dimensional array of bytes called the State.
• The array's number of rows is always 4, so there are 32 bits per column. The number of columns depends on the cipher key length. The cipher keys may have lengths of 128, 192, or 256 bits, so the number of columns is calculated as follows:
  — Cipher Key length = 128 bits, columns = 128 / 32 = 4
  — Cipher Key length = 192 bits, columns = 192 / 32 = 6
  — Cipher Key length = 256 bits, columns = 256 / 32 = 8

AES Standard Round Transformations

Round transformations are composed of four steps:
• SubByte: A nonlinear substitution that replaces the bytes in the State Array by the byte determined by the row and column intersection in a substitution box, S-box. Provides non-linearity.
• ShiftRow: Rows of the State Array are shifted for inter-column diffusion (linear mixing).
• MixColumn: Every column in the State Array is transformed using a matrix multiplication for inter-byte diffusion within columns (linear mixing). In the last round, the column mixing is omitted.
• Round Key Addition: Subkey bytes are XORed into each byte of the array.

AES Implementation

[Figure: Plaintext and Key enter; Key Expansion produces Nr + 1 round keys K(0), K(1) ... K(Nr-1), K(Nr). Initial Round: AddRoundKey with K(0). Nr - 1 Standard Rounds: SubBytes, ShiftRows, MixColumns, AddRoundKey with K(1) ... K(Nr-1). Final Round: SubBytes, ShiftRows, AddRoundKey with K(Nr). Output: Ciphertext. Picture from: http://home.ecn.ab.ca/~jsavard/crypto/co040401.htm]
    Key Length           128    192    256
    Number of Rounds      10     12     14
    Standard Rounds        9     11     13
    Final Round            1      1      1
    Key Expansion         11     13     15   (round keys)

Key Expansion

• The AES algorithm takes the Cipher Key, K, and performs a Key Expansion routine to generate a key schedule.
• The Key Expansion routine generates a total of Nb (Nr + 1) words.
• Nb is equal to the number of columns in the data block. For a data block of 128 bits, Nb is equal to 4.
• Nr is the number of rounds.
• For a data block and Cipher Key of 128 bits, it generates 4 x (10 + 1) = 44 words.
• The Cipher Key becomes the first words. All other words are calculated using the following transformation:

    temp = SubWord(RotWord(temp)) xor Rcon[i / Nk]

[Figure: for a 128-bit data block and cipher key 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c, the key bytes are grouped column-wise into words w0 = 2b 7e 15 16, w1 = 28 ae d2 a6, w2 = ab f7 15 88, w3 = 09 cf 4f 3c, which together form round key K0; the expansion continues with w4, w5, w6, w7 (K1) ... up to w40, w41, w42, w43 (K10).]

• The AES algorithm takes the cipher key, K (128, 192, or 256 bits), and performs a key expansion routine to generate a key schedule with a total number of sub-keys equal to the required number of rounds. First, the cipher key is grouped in words. A word is a group of 32 bits that is treated either as a single entity or as an array of four bytes.
• Then, the key expansion routine generates a total of Nb (Nr + 1) words where
  — Nb is equal to the number of columns in the data block. For a data block of 128 bits, Nb is equal to 4.
  — Nr is the number of rounds.
• For a 128-bit data block and cipher key, the key expansion generates 4 x (10 + 1) = 44 words. The cipher key becomes the first words.
All other words are calculated using the following transformation:

    temp = SubWord(RotWord(temp)) xor Rcon[i / Nk]

• In the case of a key length of 128, the cipher key, K, will be expanded to generate 44 words which are grouped in 11 sub-keys: K(0), K(1), K(2), K(3), K(4) ... K(10). Each sub-key has four words. K(0) is used in the first AddRoundKey, and the cipher sub-keys K(1) to K(10) are used in each of the different rounds.

SubBytes Transformation

S-Box (row = first hex digit of the input byte, column = second hex digit):

         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
    0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
    1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
    2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
    3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
    4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
    5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
    6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
    7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
    8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
    9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
    a   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
    b   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
    c   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
    d   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
    e   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
    f   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Example: S1,1 = 0 1 0 1 0 0 1 1 = S{53}; S'1,1 = S'{ed} = 1 1 1 0 1 1 0 1.

[Figure: each byte S_r,c of the State Array is replaced through the S-box by S'_r,c, giving the State' Array.]

• The SubByte transformation is a nonlinear substitution that replaces the bytes in the State Array with the byte determined by the row and column intersection in a substitution box, S-box.
• For example, if S1,1 = 0 1 0 1 0 0 1 1 = S{53}, then the substitution value would be determined by the intersection of row 5 and column 3. This would be the value of S'1,1 = S'{ed} = 1 1 1 0 1 1 0 1.
• The S-box has a mathematical structure based on the combination of inversion over a Galois field and an affine transformation. Although this mathematical structure might conceivably aid an attack, the structure is not hidden, as would be the case for a trapdoor. The Rijndael specification asserts that if the S-box were suspected of containing a trapdoor, then the S-box could be replaced.

ShiftRows Transformation

[Figure: State Array to State' Array. Row 0 is unchanged; row 1 becomes S'1,0 S'1,1 S'1,2 S'1,3 = S1,1 S1,2 S1,3 S1,0; row 2 becomes S2,2 S2,3 S2,0 S2,1; row 3 becomes S3,3 S3,0 S3,1 S3,2.]

The bytes in the last three rows of the State Array are shifted 1, 2, or 3 times to the left.

• In the ShiftRow transformation, the bytes in the last three rows of the State Array are shifted 1, 2, or 3 times to the left.

MixColumns Transformation

[Figure: MixColumn acts on each column S0,c S1,c S2,c S3,c of the State Array to produce the column S'0,c S'1,c S'2,c S'3,c of the State' Array.]

The MixColumns transformation treats each column as a four-term polynomial over GF(2^8) and multiplies it modulo x^4 + 1 with a fixed polynomial a(x), given by

    a(x) = {03} x^3 + {01} x^2 + {01} x + {02}

    s'(x) = a(x) ⊗ s(x)
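The S-box construction, ShiftRows, MixColumns and the key expansion described on these slides can be carried through to a complete AES-128 block encryption. The Python below is an added example and is not code from the slides or from FIPS-197. It generates the S-box from the GF(2^8) inverse and the affine transformation instead of typing in the table, keeps the State in the column order of the State Array slide, and checks itself against the FIPS-197 Appendix B example: the cipher key 2b 7e 15 16 ... shown on the key-expansion slide, with plaintext 32 43 f6 a8 ..., which is exactly a known-answer test in the sense of the validation-suite slide. The second test vector (key 00 01 02 ... 0f) is from FIPS-197 Appendix C. Table lookups indexed by secret bytes leak timing, so this is written for reading, not for production use.

```python
# Added example (not code from the slides or from FIPS-197): AES-128 built from the
# transformations on these slides. The S-box is computed from the GF(2^8) inverse
# plus the affine map instead of being typed in; the result is checked against
# the FIPS-197 Appendix B known-answer vector whose key appears on the key-expansion slide.
# Table lookups indexed by secret bytes leak timing, so this is for study, not production.


def xtime(b):
    """Multiply a GF(2^8) element by x ({02}) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) as a^254 (group order 255); inv(0) = 0."""
    r, p, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, p)
        p, e = gf_mul(p, p), e >> 1
    return r


def make_sbox():
    """S[x] = affine(inverse(x)): inverse XOR its four left-rotations, XOR 0x63."""
    sbox = []
    for x in range(256):
        inv = y = gf_inv(x)
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            y ^= inv
        sbox.append(y ^ 0x63)
    return sbox


SBOX = make_sbox()


def key_expansion(key):
    """Expand a 16-byte cipher key into Nb*(Nr+1) = 44 words (K(0) ... K(10))."""
    nk, nr = 4, 10
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        temp = list(w[i - 1])
        if i % nk == 0:                  # temp = SubWord(RotWord(temp)) xor Rcon[i/Nk]
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]
            temp[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return w


# The State is 16 bytes in column order: state[r + 4*c] = S_r,c, i.e. input byte order.
def add_round_key(state, round_key_words):
    return [s ^ k for s, k in zip(state, sum(round_key_words, []))]


def sub_bytes(state):
    return [SBOX[s] for s in state]


def shift_rows(state):
    """Row r is rotated left by r positions: S'_r,c = S_r,(c + r) mod 4."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state):
    """Each column times {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def aes128_encrypt_block(key, block):
    """Initial AddRoundKey, 9 standard rounds, final round without MixColumns."""
    w = key_expansion(key)
    state = add_round_key(list(block), w[0:4])
    for rnd in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), w[4 * rnd:4 * rnd + 4])
    state = add_round_key(shift_rows(sub_bytes(state)), w[40:44])
    return bytes(state)


# FIPS-197 Appendix B example (the cipher key shown on the key-expansion slide).
FIPS197_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
FIPS197_PLAINTEXT = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
FIPS197_CIPHERTEXT = bytes.fromhex("3925841d02dc09fbdc118597196a0b32")


def known_answer_test():
    """KAT as on the validation-suite slide: fixed key and input, one expected output."""
    return aes128_encrypt_block(FIPS197_KEY, FIPS197_PLAINTEXT) == FIPS197_CIPHERTEXT


if __name__ == "__main__":
    print("S{53} =", hex(SBOX[0x53]))                      # 0xed, as on the SubBytes slide
    print("w4 =", bytes(key_expansion(FIPS197_KEY)[4]).hex())
    print("KAT passed:", known_answer_test())
```

The first `add_round_key` on this vector reproduces the state on the AddRoundKey slide (19 a0 9a e9 / 3d f4 c6 f8 / e3 e2 8d 48 / be 2b 2a 08, read column by column), and `SBOX[0x53]` is the 0xed of the SubBytes example.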
AddRoundKey Transformation

In the AddRoundKey transformation, every entry in the State Array is XORed with its corresponding entry in the cipher sub-key.

Example byte: Input = {32} = 00110010; Cipher Key = {2b} = 00101011; State Array = {19} = 00011001. (Modulo-2 adder, XOR: 1 + 0 = 1, 1 + 1 = 0, 0 + 1 = 1, 0 + 0 = 0.)

    State Array (before)        Cipher Key Array          State Array (after)
    32 88 31 e0                 2b 28 ab 09               19 a0 9a e9
    43 5a 31 37       XOR       7e ae f7 cf       =       3d f4 c6 f8
    f6 30 98 07                 15 d2 15 4f               e3 e2 8d 48
    a8 8d a2 34                 16 a6 88 3c               be 2b 2a 08

• In the AddRoundKey transformation every entry in the State Array is XORed with its corresponding entry in the cipher sub-key.

AES Advanced Validation Suite

• The AES Advanced Validation Suite provides the basic design and configuration of a battery of tests designed to perform automated tests on an AES implementation.
• The battery of tests includes the following:
  — Known Answer Test (KAT)
  — Multi-block Message Test (MMT)
  — Monte Carlo Test (MCT)
• The successful completion of the tests as they are described in the AES Advanced Validation Suite is required to claim conformance to the Advanced Encryption Standard, FIPS 197.

• FIPS 197, "Advanced Encryption Standard," provides information on how to implement the AES algorithm. When the AES is implemented in software or hardware, the "Implementation Under Test" (IUT), as it is called for testing purposes, needs to be used to determine if the design is correct. The AES Advanced Validation Suite (Bassham, L., 2002) provides the basic design and configuration of a battery of tests designed to perform automated tests on the IUT.
• The battery of tests includes the following: the Known Answer Test (KAT), the Multi-Block Message Test (MMT), and the Monte Carlo Test (MCT). The successful completion of the tests as they are described in the AES Algorithm Validation Suite is required to claim conformance to the Advanced Encryption Standard, FIPS 197.
• Known Answer Test (KAT)
  — For a specific Key, Input Variable (IV), and plaintext, the IUT should produce (Response) the same ciphertext for encryption or plaintext for decryption.
• Multi-block Message Test
  — Block ciphers have several modes of operation in which the encryption process "chains" successive ciphertext and plaintext blocks together until the last plaintext block of data is enciphered. The Multi-Block Message Test checks if the IUT is able to chain information from one block to another.
• Monte Carlo Test
  — The Monte Carlo Test uses a specific algorithm to generate 100 pseudorandom texts. The 100 texts are enciphered by the AES Algorithm Validation Suite and by the IUT. The results, the ciphertext after encryption or plaintext after decryption, from the AES Algorithm Validation Suite and from the IUT should be the same.

Block Cipher Modes of Operation: Electronic Code Book (ECB)

[Figure: ECB Encryption: Plaintext → Input Block → CIPH_K → Output Block → Ciphertext. ECB Decryption: Ciphertext → Input Block → inverse cipher → Output Block → Plaintext.]

• Basic mode; x-bit block input, x-bit block output.
• Identical plaintext blocks produce identical ciphertext blocks.
• Same as a code book.
• Easier to cryptanalyze.
• One bit error propagates over the x-bit block.

• The Electronic Codebook (ECB) mode is a basic, block cryptographic mode that transforms x bits of input to x bits of output, as specified in FIPS 800-38A.
• In this mode of operation, x bits of data are loaded into the block input register, and the output register yields the encrypted x bits of ciphertext. This method establishes a reference for cryptanalysis because enciphering the same plaintext with the same key always produces the same ciphertext, hence its comparison to a codebook.
• When each block is enciphered independently with the same key variable, block ciphers are especially susceptible to spoofing because one enciphered block can be replaced by another, or blocks can be inserted or deleted. These changes do not affect surrounding blocks.
• From the viewpoint of cryptanalysis, if certain blocks of the plaintext are the same in several messages, the corresponding ciphertext blocks will be the same, thus enabling the attacker to compile a codebook of plaintext/ciphertext pairs.
• To avoid this, encryption systems have an additional key that changes with every message, block, or IP packet. In stream ciphers, the additional key is called the message key or initialization vector; in block ciphers, it is only called the initialization vector. The additional key doesn't need to be secret, but it should not be used twice with the same key.
• In ECB, a one-bit error is propagated throughout the entire x-bit block, which causes the deciphered plaintext to have an average error rate of fifty percent. All block ciphers support the ECB mode of operation.

Cipher Block Chaining (CBC)

[Figure: CBC Encrypt: Plaintext 1 XOR Initialization Vector → Input Block 1 → CIPH_K → Output Block 1 = Ciphertext 1; Plaintext 2 XOR Ciphertext 1 → Input Block 2 → CIPH_K → Output Block 2 = Ciphertext 2; ... Plaintext n XOR Ciphertext n-1 → Input Block n → CIPH_K → Ciphertext n. CBC Decrypt: Ciphertext i → Input Block i → CIPH^-1_K → Output Block i, XORed with the Initialization Vector (for i = 1) or with Ciphertext i-1 to give Plaintext i.]
• In block ciphers, the initialization vector can be XORed with the first plaintext block, as is done in the cipher block chaining (CBC) mode, or used as dummy plaintext in the cipher feedback (CFB) mode, output feedback (OFB) mode, and counter (CTR) mode.
• In the CBC mode, the data to be encrypted is divided into blocks, and the first input block is formed by XORing the first block of data with an x-bit initialization vector (IV). The IV doesn't need to be secret, but it must be unpredictable.
• An initialization vector or random seed is used as the first block. Two identical plaintext blocks in different parts of the message will produce two different ciphertext blocks if the previous plaintext blocks are not identical.
• The input block is processed through the block cipher algorithm in the encrypting state, and the resulting output block is used as the ciphertext. The first ciphertext block is then XORed with the second plaintext block of data to produce the second input block. The latter is processed through the block cipher algorithm in the encrypting state to produce the second ciphertext block. This encryption process continues to "chain" successive ciphertext and plaintext blocks together until the last plaintext block of data is enciphered. A one-bit error during transmission will affect the deciphering of two blocks, the block with the error and the next block. Block synchronization between the enciphering and deciphering units is required and is accomplished by loading the same initialization vector into both units. If bits are added or lost in a ciphertext, synchronization is lost. However, cryptographic synchronization will automatically be reestablished x bits after block boundaries have been established. The cipher block chaining mode is self-synchronizing.
Cipher Feedback (CFB) Mode
(Figure: CFB encryption and decryption with s-bit segments. Each input block (the Initialization Vector for block 1) is enciphered with CIPH_K; the s most significant output bits are selected and the remaining (b–s) bits discarded; the selected bits are XORed with the s-bit plaintext segment (or ciphertext segment when decrypting), and the ciphertext segment is shifted into the next input block.)
• In Cipher Feedback (CFB) mode, Output Feedback (OFB) mode, and Counter (CTR) mode, the initialization vector is used as dummy plaintext.
• The CFB mode is a stream method of encryption. In this method, the block cipher is used to generate pseudorandom bits that are XORed with the binary plaintext to form ciphertext.
• The plaintext and ciphertext consist of data units each containing s bits, such that 1 ≤ s ≤ b. The value of s is sometimes incorporated into the name of the mode, e.g., the 1-bit CFB mode, the 8-bit CFB mode, the 64-bit CFB mode, or the 128-bit CFB mode.
• In CFB encryption, the first input block is the IV, and the s most significant bits of the forward cipher function output are XORed with the s-bit plaintext segment to produce s bits of ciphertext. The unused b – s bits of the forward cipher function output are discarded.
• The second input block is created by concatenating the b – s least significant bits of the IV with the s bits of the ciphertext. This is done by shifting the first input block s positions to the left and then filling the empty bits with the s bits of ciphertext.
The process is repeated, and each successive ciphertext segment is shifted into the next input block to form the new input block.
• A one-bit error in any s-bit unit of ciphertext will affect the deciphering of succeeding ciphertexts until the bits in error have been shifted out of the CFB input block. This normally occurs x bits after the s-bit boundaries have been reestablished. The cipher feedback method does not pass data directly through the block encryption algorithm; instead, it uses the algorithm as a random-number generator.
• CFB turns the block cipher into a self-synchronous stream cipher: a one-bit error in the ciphertext causes a one-bit error in the corresponding plaintext block and complete corruption of the following plaintext blocks; however, after several blocks it self-synchronizes and all subsequent plaintext blocks are decrypted normally.

Output Feedback (OFB) Mode
(Figure: OFB encryption and decryption. Input Block 1 = Initialization Vector; Output Block i = CIPH_K(Input Block i); Input Block i+1 = Output Block i; Ciphertext i = Plaintext i XOR Output Block i, and decryption is the same XOR.)
• OFB mode turns a block cipher into a stream cipher.
• The Output Feedback mode operates in a way similar to the cipher feedback mode, except that the feedback is taken directly from the output block and not from the ciphertext.
• In the OFB mode, the IV is transformed by the forward cipher function to produce the first output block, which is fed back as the second input block, and so on. Each output block is XORed with the plaintext block, producing the ciphertext block.
• For the last block, which may be a partial block of u bits, only the u most significant bits of the last output block of the forward cipher function are used for the exclusive-OR operation. The remaining b – u bits are discarded.
• This feedback is completely independent of all plaintext and all ciphertext. As a result, there is no error extension in the OFB mode.
• A one-bit error in the ciphertext causes only a one-bit error in the decrypted plaintext block. Bit errors within a ciphertext block do not affect the decryption of any other blocks. In the OFB mode, bit errors in the IV affect the decryption of every ciphertext block until cryptographic initialization is performed again. The OFB mode is not a self-synchronizing cryptographic mode.
• The deletion or insertion of bits into a ciphertext block (or segment) causes bit errors in the bit position of the inserted or deleted bit and in every subsequent bit position, as well as in all subsequent ciphertext blocks (or segments), until synchronization is restored.

Counter (CTR) Mode
(Figure: CTR encryption and decryption. Input Block i = Counter i; Output Block i = CIPH_K(Counter i); Ciphertext i = Plaintext i XOR Output Block i, and decryption is the same XOR.)
• The CTR mode, as well as the CFB and OFB modes, is a stream method of encryption. In this method, the block cipher is used to generate pseudorandom bits that are XORed with the binary plaintext to form ciphertext.
• In CFB and OFB modes, the bits in the input blocks I2 … In depend on the previous ciphertext blocks or output blocks.
In the CTR mode, the input blocks depend on neither the ciphertext nor the output blocks. The input blocks are blocks of bits called counters, which must have the property that each counter block in the sequence is different from every other counter block. The counters for a given message are denoted T1, T2, T3, … Tn, and there are several methods to generate them.
• The forward cipher function is invoked on each counter block, and the resulting output blocks are XORed with the corresponding plaintext blocks to produce the ciphertext blocks. As in the OFB mode, for the last block, which may be a partial block of u bits, only the u most significant bits of the last output block of the forward cipher function are used for the XOR operation. The remaining b – u bits are discarded.
• Note that in the counter mode, the nonce is the same thing as an initialization vector (IV).
• Bit error(s) in the decrypted ciphertext block (or segment) occur in the same bit position(s) as in the ciphertext block (or segment); the other bit positions are not affected. Bit errors within a ciphertext block do not affect the decryption of any other blocks.

Block Cipher Multiple Encryption
• Double DES with two crypto variables
  $M_C = C_{K_2}(C_{K_1}(M))$
  $M_D = D_{K_1}(D_{K_2}(M_C))$
• Triple DES with two crypto variables
  $M_C = C_{K_1}(D_{K_2}(C_{K_1}(M)))$
  $M_D = D_{K_1}(C_{K_2}(D_{K_1}(M_C)))$
• Triple DES with three crypto variables
  $M_C = C_{K_3}(D_{K_2}(C_{K_1}(M)))$
  $M_D = D_{K_1}(C_{K_2}(D_{K_3}(M_C)))$
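The three stream-style modes of the preceding slides (CFB with s-bit segments, OFB, and CTR) implemented over a one-way stand-in for the forward cipher function, as an added example that is not part of the course material; the key, IV, nonce and plaintext are constructed. It lets one check the error behaviour the slides describe: CFB resynchronizes after b/s segments following a ciphertext bit error, while OFB and CTR confine the error to the same bit position.

```python
import hashlib

B = 16  # block size in bytes (b = 128 bits)

def forward_cipher(key, block):
    """Stand-in for CIPH_K: a keyed PRF (SHA-256 truncated to b bits). CFB, OFB
    and CTR only ever call the forward function, so no inverse is needed."""
    return hashlib.sha256(key + block).digest()[:B]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_crypt(key, iv, data, s=1, decrypt=False):
    """s-byte CFB. The input register shifts left by s and the ciphertext
    segment fills the gap, on both the encrypting and the decrypting side."""
    reg, out = iv, bytearray()
    for i in range(0, len(data), s):
        seg = data[i:i + s]
        o = xor(seg, forward_cipher(key, reg)[:s])      # select s bits, discard b-s
        out += o
        reg = reg[len(seg):] + (seg if decrypt else o)  # feed back the ciphertext segment
    return bytes(out)

def ofb_crypt(key, iv, data):
    """OFB: O_1 = CIPH_K(IV), O_j = CIPH_K(O_(j-1)); the keystream never depends on data."""
    ks, o = bytearray(), iv
    while len(ks) < len(data):
        o = forward_cipher(key, o)
        ks += o
    return xor(data, ks)  # zip truncates: only the u leading bits of the last block are used

def ctr_crypt(key, nonce, data):
    """CTR: T_j = nonce || j (12-byte nonce, 4-byte big-endian counter), all distinct."""
    ks = bytearray()
    for j in range((len(data) + B - 1) // B):
        ks += forward_cipher(key, nonce + j.to_bytes(B - len(nonce), "big"))
    return xor(data, ks)

def error_positions(enc, dec, key, iv, pt, flip_index):
    """Flip one ciphertext bit, decrypt, and return indices of plaintext bytes that differ."""
    ct = bytearray(enc(key, iv, pt))
    ct[flip_index] ^= 0x80
    return [i for i, (a, b) in enumerate(zip(pt, dec(key, iv, bytes(ct)))) if a != b]

# Constructed sample input (not from the slides); 37 bytes gives a partial last block.
KEY = b"constructed demo key"
IV = bytes(range(B))      # reproducible here; a real IV must never repeat under the same key
NONCE = b"nonce-12byte"
PT = b"constructed sample text, 37 bytes!..."
```

With 8-bit CFB a flipped bit in ciphertext byte 10 leaves byte 10 with a one-bit error, garbles bytes 11 to 26 (the b/s = 16 segments that still hold the bad byte in the register), and decrypts everything from byte 27 on correctly.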
• Comparison of different forms of DES multiple encryption *

# of Encryptions | # of Keys | Computation | Type of attack
single | 1 | 2^56, - | known plaintext
single | 1 | 2^38, 2^38 | chosen plaintext
single | 1 | -, 2^56 | chosen plaintext
double | 2 | 2^112, - | known plaintext
double | 2 | 2^56, 2^56 | known plaintext
double | 2 | -, 2^112 | known plaintext
triple | 2 | 2^56, 2^56, 2^56 | known plaintext
triple | 2 | 2^(120-t), 2^t, 2^t | known plaintext
triple | 2 | -, 2^56 | chosen plaintext
triple | 3 | 2^112, 2^56 | known plaintext
triple | 3 | 2^56, 2^112 | chosen plaintext

* B. Preneel. The State of DES. 1994 RSA Laboratories Seminar Series, August 1994

IP Encryption
(Figure: IPSec 3DES-CBC. Message Block 1 is XORed with the IV and each later Message Block with the previous ciphertext; every block then passes through C_K1, D_K2, C_K3 (Block Cipher 1 … n).)
IPSec uses a DES encryption algorithm with three crypto variables in the Cipher Block Chaining mode to encipher the IP packets. Or, IPSec uses 3DES-CBC to encipher the IP packets.
• Most encryption mechanisms that use the 3DES-CBC mode do so with three crypto variables, as shown in the above slide.

To Probe Further
• Golomb, S. (1967). Shift Register Sequences. San Francisco: Holden-Day Publishers
• Articles related to Solomon W. Golomb, Shift Register Sequences: http://citeseer.nj.nec.com/nrelatedgid/35609
• Data Encryption Standard (DES), Federal Information Standards Publication FIPS PUB 46-3: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• DES Modes of Operation (FIPS PUB 81): http://csrc.nist.gov/publications/fips/fips81/fips81.htm
• Advanced Encryption Standard (AES) web site: http://csrc.nist.gov/encryption/aes/
• Rijndael Home Page, Authors: Joan Daemen, Vincent Rijmen: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
• Encryption Standards: AES vs. DES, Author: Gerwin Sturm, 2000: http://stud3.tuwien.ac.at/~e9825530/computerscience/aes/
• Randomness Recommendations for Security (RFC 1750): http://www.ietf.org/rfc/rfc1750.txt?number=1750

To Probe Further
• The AES Algorithm Validation Suite document specifies the procedures involved in validating implementations of the Advanced Encryption Standard (AES) algorithm in FIPS 197. Author: Lawrence E. Bassham III, 2002. http://csrc.nist.gov/cryptval/aes/AESAVS.pdf
• AES Matlab Implementation, Author: Jörg Buchholz — This documentation describes a Matlab implementation of the Advanced Encryption Standard (AES). http://www.mathworks.co.uk/matlabcentral/fileexchange/loadFile.do?objectId=1190&objectType=file
• A Specification for Rijndael Algorithm, Author: Dr. Brian Gladman, 2002. http://fp.gladman.plus.com/cryptography_technology/rijndael/aesspec.pdf
This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.
