Cryptography and Network Security: Block Ciphers and DES, and Modes of Operation
M. Sakalli (reviewed, from Stallings)
Goals • To introduce the notion of block ciphers, the ideal block cipher and why it is infeasible, and the Feistel cipher structure. • DES: its strengths and weaknesses.
Stream vs. Block Ciphers • Symmetric cipher: the same key is used for encryption and decryption. – Block cipher: encrypts a block of plaintext at a time (typically 64 or 128 bits); also the usual building block for a cryptographic checksum (MAC) that detects changes to the content. Hardware friendly. – Stream cipher: encrypts data one bit or one byte at a time; most classical ciphers work this way.
Claude Shannon and Substitution-Permutation Ciphers • In 1949 Claude Shannon introduced the idea of substitution-permutation (S-P) networks. • Modern substitution-transposition product ciphers are built from these two primitive operations: – substitution (S-box) provides confusion: it makes the relationship between the ciphertext and the key as complex as possible; – permutation (P-box) provides diffusion: it dissipates the statistical structure of the plaintext over the bulk of the ciphertext.
Ideal Block Cipher • A block of N plaintext bits is replaced with a block of N ciphertext bits (N = 64 or 128). Viewed this way a block cipher is a monoalphabetic substitution in which each block is a gigantic “character”: a particular cipher is a one-to-one mapping (a permutation) from the plaintext alphabet of 2^N blocks onto the ciphertext alphabet. • There are (2^N)! such mappings; an ideal block cipher would allow the use of any of them, with the secret key indicating which mapping is in use.
Key Size of the Ideal Block Cipher • Since there are (2^N)! different mappings there are (2^N)! different keys, so the required key length is log2((2^N)!) ≈ N × 2^N bits; for N = 64 that is about 10^21 bits ≈ 10^11 GB. • That is infeasible. • Modern block ciphers instead use a key of K bits to select one of 2^K mappings, a fixed subset of all (2^N)! permutations. • Even if K ≈ N, 2^K is much smaller than (2^N)!, but it is still very large. • If the 2^K selected mappings behave like a random selection, the cipher is a good approximation of the ideal block cipher. • Horst Feistel, in the early 1970s, proposed a structure for achieving this.
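Worked numbers for the estimate above (added here, not on the original slide), using Stirling's approximation log2(M!) ≈ M·log2(M) − M·log2(e) with M = 2^N:
  log2((2^N)!) ≈ 2^N · N − 1.44 · 2^N ≈ N · 2^N
  N = 64:  64 · 2^64 ≈ 1.18 × 10^21 bits ≈ 1.5 × 10^11 GB to name a single mapping
  For comparison, DES with K = 56 selects 2^56 ≈ 7.2 × 10^16 of the (2^64)! possible mappings.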
The Feistel Cipher Structure • Partitions the input block into two halves, L and R. • Goes through a number of rounds; in each round – R passes unchanged to become the new L; – L is XORed with a function F of R and a round key derived from the encryption key, and the result becomes the new R. • Because F only ever feeds into an XOR, F itself need not be invertible: decryption runs the same structure with the round keys in reverse order. • First used in IBM's LUCIFER cipher.
A 2w-bit block is partitioned into halves L and R of w bits each (w = 32 in DES). Round i, with subkey K_i:
  L_i = R_{i-1}
  R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
Mathematically what it is: read backwards, the same two equations give decryption, whatever F is:
  R_{i-1} = L_i
  L_{i-1} = R_i ⊕ F(L_i, K_i)
DES: The Data Encryption Standard • Adopted as FIPS PUB 46 by the US National Bureau of Standards (now NIST) in 1977; for decades the most widely used block cipher in the world. • Features: based on the Feistel cipher; block size = 64 bits; key size = 56 bits; number of rounds = 16. • Specifics: the subkey generation and the design of the round function F. • Evaluation criteria beyond security: speed of software encryption/decryption and ease of analysis. Any further increase in key size, block size or number of rounds improves security but slows the cipher.
DES Encryption • 16 round keys are generated from the main key by a sequence of permutations and rotations; each round key is 48 bits. • The Initial Permutation IP reorders the input data bits; the last step is its inverse, IP^-1. Both are specified by fixed tables and have no effect on security (they are unkeyed and public); they exist for the convenience of the original chip implementations.
DES Round Structure L (even) and R (odd) each hold 32 bits, as in any Feistel cipher: L_i = R_{i-1}, R_i = L_{i-1} ⊕ F(R_{i-1}, K_i). The round function F:
1 - expand the 32-bit R to 48 bits using the expansion permutation E (16 bits are duplicated);
2 - XOR with the 48-bit round key K_i;
3 - pass the result through the eight S-boxes, which shrink the 48 bits back to 32;
4 - permute the 32-bit result with P.
The permutation P (output bit 1 takes input bit 16, output bit 2 takes input bit 7, and so on):
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
S-Boxes • Eight S-boxes, each mapping 6 bits to 4 bits. • Each is a 4 × 16 table, and each row is a permutation of 0-15: the outer two bits of the 6-bit input select one of the four rows, the inner four bits select the column. • Each box has a different layout. S1:
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
• For example, S1(101010): outer bits 10 select row 2, inner bits 0101 select column 5, so S1(101010) = 6 = 0110.
Round Key Generation • Main key: 64 bits, but only 56 are used (bits 8, 16, ..., 64 are parity bits). • 16 round keys (48 bits each) are generated from the main key by a sequence of permutations. • Select and permute the 56 bits using Permuted Choice One (PC1), then divide them into two 28-bit halves. • At each round: – rotate each half separately left by 1 or 2 bits according to a fixed rotation schedule; – select 24 bits from each half and permute them (48 bits) with Permuted Choice Two (PC2). This forms the round key. PC1:
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Avalanche Effect • A small change in the plaintext or in the key results in a significant change in the ciphertext; this is evidence of a high degree of diffusion and confusion. • SAC, the strict avalanche criterion: any output bit should change with probability ½ whenever any single input bit is inverted. • BIC, the bit independence criterion: output bits should change independently of each other whenever any single input bit is inverted. • Both criteria appear to strengthen the effectiveness of the confusion function. • DES exhibits a strong avalanche effect: – changing 1 bit of the plaintext changes 34 bits of the ciphertext on average; – a 1-bit change in the key changes 35 bits of the ciphertext on average.
Strength of DES – Key Size • Brute-force key search needs a few plaintext-ciphertext samples; trying 1 key per microsecond would take 1000+ years on average, because the key space is 2^56 ≈ 7.2 × 10^16. • DES is theoretically broken by differential and linear cryptanalysis, but in practice those attacks need far too much chosen or known plaintext to be a problem. The rapid advance in computing speed, however, has rendered the 56-bit key susceptible to exhaustive key search, as Diffie and Hellman predicted in 1977. Demonstrated breaks: – 1997: a large network of computers, in a few months; – 1998: dedicated hardware, the EFF's Deep Crack machine built for under $250,000, in about 56 hours; – 1999: the two combined, in 22 hours.
Differential Cryptanalysis • One of the most significant recent (public) advances in cryptanalysis. • Known to IBM and the NSA in the 1970s and allowed for in the DES design. • Published by Murphy, and by Biham and Shamir, in 1990. • A powerful method for analysing block ciphers, used against most current block ciphers with varying degrees of success. • DES is reasonably resistant to it, unlike Lucifer.
Differential Cryptanalysis • A statistical chosen-plaintext attack against Feistel ciphers that uses the cipher structure in a way not previously exploited. • In an S-P network the output of the round function F depends on both its input and the key, so values cannot be traced back through the cipher without knowing the key. • Differential cryptanalysis therefore compares pairs of encryptions: – with a known difference (XOR) in the input; – searching for a known difference in the output; – when the same subkeys are used. • Some input difference gives some output difference with probability p; if instances of high-probability input/output difference pairs are found, the subkey used in that round can be inferred. • The process must be iterated over many rounds, with decreasing probabilities: the probability of a characteristic over several rounds is the product of the per-round probabilities.
Differential Cryptanalysis • Perform the attack by repeatedly encrypting plaintext pairs with the known input XOR until the desired output XOR is obtained. • When found: – if the intermediate rounds match the required XOR, it is a right pair; – if not, it is a wrong pair; the ratio of the two is the signal-to-noise (S/N) ratio of the attack. • Key values for the rounds can then be deduced: – right pairs suggest the same key bits; – wrong pairs give random values. • For a large number of rounds the probability is so low that more pairs are required than exist with 64-bit inputs. • Biham and Shamir showed how a 13-round iterated characteristic breaks the full 16-round DES, at the cost of 2^47 chosen plaintexts.
Linear Cryptanalysis • Another recent development; also a statistical method, but known-plaintext rather than chosen-plaintext. • Must be iterated over rounds, with decreasing probabilities. • Developed by Matsui and others in the early 1990s. • Based on finding linear approximations to the cipher. • Can attack DES with 2^47 known plaintexts, still infeasible in practice.
Linear Cryptanalysis • Find linear approximations that hold with probability p ≠ ½:
P[i1, i2, ..., ia] ⊕ C[j1, j2, ..., jb] = K[k1, k2, ..., kc]
where i, j, k are bit locations in P, C, K and P[i1, ..., ia] denotes the XOR of the listed bits. • This gives a linear equation in key bits; one key bit is obtained with a maximum-likelihood decision over a large number of trial encryptions. • The effectiveness of an approximation is given by its bias |p – ½|: the larger the bias, the fewer known plaintexts are needed (on the order of 1/|p – ½|^2).
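As an added example (mine, not from the slides or from Stallings), here are the two tables a cryptanalyst builds for a single S-box, computed for DES S1 as it appears on the S-box slide: the difference distribution table that gives the "input difference → output difference with probability p" of the differential slides, and the linear approximation table that gives the "|p – ½|" of this slide. Both are found by brute force over the 64 inputs; nothing beyond the S1 table (assumed to be the FIPS 46-3 box) is taken for granted.

```python
# Added example: difference distribution table and linear approximation table of DES S1.
S1 = [14,4,13,1,2,15,11,8,3,10,6,12,5,9,0,7, 0,15,7,4,14,2,13,1,10,6,12,11,9,5,3,8,
      4,1,14,8,13,6,2,11,15,12,9,7,3,10,5,0, 15,12,8,2,4,9,1,7,5,11,3,14,10,0,6,13]

def s1(x):
    """S-box lookup as on the slides: outer bits (b5, b0) pick the row, inner four the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return S1[16 * row + ((x >> 1) & 0xF)]

def ddt(sbox, n_in=6, n_out=4):
    """ddt[dx][dy] = number of inputs x with sbox(x) ^ sbox(x ^ dx) == dy.
    The characteristic dx -> dy then holds with probability ddt[dx][dy] / 2**n_in."""
    t = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for dx in range(1 << n_in):
        for x in range(1 << n_in):
            t[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return t

def best_differential(table):
    """Most probable (dx, dy) with dx != 0, returned together with its probability."""
    dx, dy = max(((i, j) for i in range(1, len(table)) for j in range(len(table[0]))),
                 key=lambda ij: table[ij[0]][ij[1]])
    return dx, dy, table[dx][dy] / len(table)

def parity(v):
    return bin(v).count("1") & 1

def lat(sbox, n_in=6, n_out=4):
    """lat[a][b] = #{x : a.x == b.sbox(x)} - 2**(n_in-1), where a.x is the XOR of the
    input bits selected by mask a.  The approximation a.x xor b.S(x) = 0 holds with
    probability 1/2 + lat[a][b] / 2**n_in, so lat[a][b] / 2**n_in is the bias p - 1/2."""
    t = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for a in range(1 << n_in):
        for b in range(1 << n_out):
            agree = sum(parity(a & x) == parity(b & sbox(x)) for x in range(1 << n_in))
            t[a][b] = agree - (1 << (n_in - 1))
    return t

def best_linear(table):
    """Masks (a, b) with b != 0 and the largest |p - 1/2|, returned with that bias."""
    a, b = max(((i, j) for i in range(len(table)) for j in range(1, len(table[0]))),
               key=lambda ij: abs(table[ij[0]][ij[1]]))
    return a, b, abs(table[a][b]) / len(table)

if __name__ == "__main__":
    print("best differential (dx, dy, p):", best_differential(ddt(s1)))
    print("best linear approximation (a, b, |p-1/2|):", best_linear(lat(s1)))
```

Two sanity checks worth knowing: every row of the difference table sums to 64 and every entry is even (x and x ⊕ dx form the same pair), and for every nonzero output mask the squares of a column of the linear table sum to 1024 (Parseval), which guarantees some approximation with bias at least 4/64 exists for any 6-to-4 S-box; what the designer controls is how large the best one gets.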
Block Cipher Design Principles • The basic principles are still those of Feistel in the 1970s. • Number of rounds: more is better; the aim is enough rounds that exhaustive key search is the best known attack. • Round function F: provides “confusion”, is nonlinear, and has good avalanche properties. • Key schedule: complex subkey creation, with key avalanche.
Modes of Operation • Block ciphers encrypt fixed-size blocks; e.g. DES encrypts 64-bit blocks with a 56-bit key. • A way of using them in practice is needed, since there is usually an arbitrary amount of data to encrypt. • Four modes were defined for DES in the ANSI standard ANSI X3.106-1983, Modes of Use. • Subsequently five modes have been defined (NIST SP 800-38A) for DES and AES. • There are block modes and stream modes.
Electronic Codebook (ECB) • The message is broken into independent blocks, which are encrypted separately. • Each block is a value that is substituted, like an entry in a codebook, hence the name. • Each block is encoded independently of the other blocks: C_i = E_K(P_i). • Uses: secure transmission of single values, such as a key.
Advantages and Limitations of ECB • Repetitions in the message may show in the ciphertext: – if they are aligned with the block boundaries; – particularly with data such as graphics; – or with messages that change very little, which become a codebook-analysis problem. • The weakness is due to the encrypted message blocks being independent: the mode is deterministic, so equal plaintext blocks give equal ciphertext blocks under the same key. • Its main use is sending a few blocks of data.
Cipher Block Chaining (CBC) • The message is broken into blocks, but these are linked together in the encryption operation: each previous ciphertext block is chained with the current plaintext block, hence the name. • An Initialization Vector (IV) starts the process: C_i = E_K(P_i ⊕ C_{i-1}), with C_0 = IV. • Uses: bulk data encryption, authentication (CBC-MAC).
Advantages and Limitations of CBC • Each ciphertext block depends on all preceding message blocks, so a change in the message affects the ciphertext block it falls in and all ciphertext blocks after it. • The IV must be known to sender and receiver. – Decryption is P_i = D_K(C_i) ⊕ C_{i-1}, so if the IV is sent in the clear an attacker who flips bits of the IV flips the same bits of the first plaintext block, undetected. – Two classic remedies: a fixed IV (as in EFTPOS), or an IV sent encrypted in ECB mode before the rest of the message. Current practice differs: the IV should be fresh and unpredictable for every message, because a fixed IV makes the first block deterministic, and the malleability is countered by authenticating IV and ciphertext with a MAC rather than by hiding the IV. • At the end of the message a possible last short block must be handled: – by padding with a known non-data value (e.g. nulls); – or by padding the last block and putting the pad size in the final byte, e.g. [b1 b2 b3 0 0 0 0 5]: 3 data bytes, then 5 bytes of pad including the count (PKCS#7 repeats the count in every pad byte). The receiver has to check the padding, and must not let an attacker distinguish a padding failure from any other decryption failure.
Cipher Feedback (CFB) • The message is treated as a stream of bits that is added (XOR) to the output of the block cipher; the result is fed back as the input of the next stage, hence the name. • The standard allows any number s of bits (1, 8, 64 or whatever) to be fed back, denoted CFB-1, CFB-8, CFB-64, etc. • It is most efficient to use all 64 bits (CFB-64): C_i = P_i ⊕ E_K(C_{i-1}), with C_0 = IV. • Uses: stream data encryption, authentication.
Advantages and Limitations of CFB • Appropriate when data arrives in bits or bytes. • The most common stream mode. • The limitation is the need to stall for a block encryption after every s bits. • Note that the block cipher is used in encryption mode at both ends (decryption is P_i = C_i ⊕ E_K(C_{i-1})). • Errors propagate: a bit error in C_i flips the same bit of P_i and, because C_i is fed back, garbles the following block entirely (for CFB-64 just P_{i+1}; for CFB-s the next 64/s segments); after that the receiver resynchronises by itself.
Output Feedback (OFB) • The message is treated as a stream of bits; the output of the cipher is added (XOR) to the message. • The cipher output is then fed back, hence the name; the feedback is independent of the message, so the keystream can be computed in advance: C_i = P_i ⊕ O_i, O_i = E_K(O_{i-1}), O_0 = IV. • Uses: stream encryption over noisy channels.
Advantages and Limitations of OFB • Used when error propagation is a problem, or where encryption must happen before the message is available. • Superficially similar to CFB, but the feedback is from the output of the cipher and is independent of the message, so a bit error in C_i affects only the same bit of P_i. • It is a variation of a Vernam cipher, hence the same ke
ystream (key + IV) must never be reused: C ⊕ C′ = P ⊕ P′ then leaks the plaintexts. • Sender and receiver must remain in sync, and some recovery method is needed to ensure this. • Originally specified with m-bit feedback in the standards; subsequent research has shown that only OFB-64 (full-block feedback) should be used, because smaller feedback sizes shorten the expected cycle length of the keystream.
Counter (CTR) • The keystream block is the encryption of a counter value: C_i = P_i ⊕ O_i, O_i = E_K(i); in practice the counter block is a per-message nonce concatenated with i. • A given key and counter value must never be used for more than one plaintext block. • Uses: high-speed network encryption.
Advantages and Limitations of CTR • Efficiency: – encryptions can be done in parallel; – and in advance of need; – good for bursty high-speed links. • Random access to encrypted data blocks. • Provable security (as good as the other modes). • But a key/counter value must never be reused; otherwise the keystream repeats and the XOR of the two ciphertexts reveals the XOR of the two plaintexts (cf. OFB).
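The five modes above, as an added example (my code, not from the slides or from Stallings), written generically over a block cipher E_K and followed by the checks a practitioner wants to see: ECB leaking repeated blocks, CBC bit-flipping through the IV, what one ciphertext bit error does under CBC, CFB and OFB, and the keystream cancellation when a CTR nonce is reused. toy_block is an assumed stand-in for E_K (a 4-round Feistel whose round function is keyed blake2b) so that the example runs with the standard library alone; it is not DES and not a real cipher, and the keys, IVs, nonces and messages are constructed test data.

```python
# Added example: ECB, CBC, CFB-64, OFB and CTR over a stand-in 64-bit block cipher.
import hashlib

BLOCK = 8   # 64-bit blocks, as in DES

def toy_block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in for E_K / D_K: invertible (so ECB/CBC can decrypt) but NOT a real cipher."""
    l, r = block[:4], block[4:]
    for i in (range(3, -1, -1) if decrypt else range(4)):   # reversed round order decrypts
        f = hashlib.blake2b(key + bytes([i]) + r, digest_size=4).digest()
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes):
    assert len(data) % BLOCK == 0, "caller pads to whole blocks (e.g. PKCS#7)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, data, decrypt=False):                  # C_i = E_K(P_i)
    return b"".join(toy_block(key, b, decrypt) for b in blocks(data))

def cbc_encrypt(key, iv, pt):                       # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in blocks(pt):
        prev = toy_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):                       # P_i = D_K(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_block(key, c, decrypt=True), prev))
        prev = c
    return b"".join(out)

def cfb(key, iv, data, decrypt=False):              # CFB-64: C_i = P_i xor E_K(C_{i-1})
    out, prev = [], iv
    for d in blocks(data):
        o = xor(d, toy_block(key, prev))            # encryption direction at both ends
        out.append(o)
        prev = d if decrypt else o                  # the feedback is always the ciphertext
    return b"".join(out)

def ofb(key, iv, data):                             # O_i = E_K(O_{i-1}); C_i = P_i xor O_i
    out, o = [], iv
    for d in blocks(data):
        o = toy_block(key, o)                       # keystream independent of the message
        out.append(xor(d, o))
    return b"".join(out)

def ctr(key, nonce, data):                          # O_i = E_K(nonce || i); C_i = P_i xor O_i
    return b"".join(xor(d, toy_block(key, nonce + i.to_bytes(4, "big")))
                    for i, d in enumerate(blocks(data)))

def flip_first_bit(data: bytes) -> bytes:
    return bytes([data[0] ^ 0x80]) + data[1:]

def ecb_leaks_repeats(key, pt):
    """Indices of ciphertext blocks equal to block 0: ECB is deterministic per block."""
    c = blocks(ecb(key, pt))
    return [i for i in range(1, len(c)) if c[i] == c[0]]

def cbc_iv_flip(key, iv, pt):
    """Decrypting with one IV bit flipped flips the same bit of P_1 and nothing else."""
    return cbc_decrypt(key, flip_first_bit(iv), cbc_encrypt(key, iv, pt))

def decrypt_after_bit_flip(key, iv, pt):
    """Plaintext recovered when the first bit of C_1 is flipped in transit, per mode."""
    return {
        "cbc": cbc_decrypt(key, iv, flip_first_bit(cbc_encrypt(key, iv, pt))),
        "cfb": cfb(key, iv, flip_first_bit(cfb(key, iv, pt)), decrypt=True),
        "ofb": ofb(key, iv, flip_first_bit(ofb(key, iv, pt))),
    }

def ctr_reuse_leak(key, nonce, p1, p2):
    """With the same (key, nonce) the keystream cancels: C1 xor C2 == P1 xor P2."""
    return xor(ctr(key, nonce, p1), ctr(key, nonce, p2))
```

Expected behaviour, which the code lets you confirm on any input: ECB repeats blocks; flipping an IV bit under CBC flips exactly that bit of P_1; a flipped ciphertext bit garbles one block and flips one bit of the next under CBC, flips one bit and garbles the next block under CFB, and flips only one bit under OFB; and two CTR messages under a reused nonce XOR to the XOR of their plaintexts. Replace toy_block with a vetted cipher and authenticate the IV and ciphertext with a MAC before using any of this for real.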
Summary • have considered: – block cipher design principles – DES • details • strength – Differential & Linear Cryptanalysis – Modes of Operation • ECB, CBC, CFB, OFB, CTR