1 / 53

CIS 5371 Cryptography

symmetric cryptography. 2. Cryptographic systems. Cryptosystem: (M,C,K,K',G,E,D)M, plaintext message spaceC, ciphertext message space K, K', encryption and decryption key spacesG : N ? K?K', key generation algorithmE : M?K ? C, encryption algorithmD : C?K' ? M, decryption algorithmG,E,D must

celestyn
Download Presentation

CIS 5371 Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. symmetric cryptography 1 CIS 5371 Cryptography 7. Symmetric encryption

    2. symmetric cryptography 2 Cryptographic systems Cryptosystem: (M,C,K,K’,G,E,D) M, plaintext message space C, ciphertext message space K, K’, encryption and decryption key spaces G : N ? K?K’, key generation algorithm E : M?K ? C, encryption algorithm D : C?K’ ? M, decryption algorithm G,E,D must be efficient

    3. symmetric cryptography 3 Examples Cryptosystem: (M,C,K,K’,G,E,D) Substitution Cipher: M = C = Z26, with K=K’ The encryption algorithm is a mapping Ek:M ? C -- Ek(x) = p(x), where k?K is the key. The dencryption algorithm is a mapping Dk:M ? C -- Dk(y) = p-1(y). Shift Cipher: M = C = K = K’ = Z26, with -- Ek(x) = x + k mod 26 -- Dk(y) = y – k mod 26 where x,y ? Z26

    4. symmetric cryptography 4 Examples Polyalphabetic ciphers: a plaintext message can be encrypted into any ciphertext Vigenere cipher --

    5. symmetric cryptography 5 Vernam cipher –the one-time pad M = C = K = K’ = {0,1}n , n > 1. The keys k = k1,k2 ,…, kn are selected at random in K with uniform distribution. Encryption is bit by bit at a time, with each ciphertext bit obtained by XORing each message bit with the corresponding key bit. Decryption is the same as encryption since the XOR operation is its own inverse. The special case when M = C = K = K’ = {0,1}*, and the key is only used once (one-time key) gives us a cipher with a strong security property: perfect secrecy.

    6. symmetric cryptography 6 Transposition (permutation) cipher Example M = C = (Z26)m , m > 1, K=K’ is the set of all permutations of {1,…,m}. For a key (permutation) p -- ep(x1, …, xm) = (xp(1), …, xp(m)) -- dp(y1, …, ym) = (yp-1(1), …, yp-1(1)) where p-1(1) is the inverse of p.

    7. symmetric cryptography 7 Structure of classical ciphers Classical ciphers are based on: Substitution and Transposition. This is also the basis for modern ciphers

    8. symmetric cryptography 8 Cryptanalysis: attacks on cryptosystems Ciphertext only attacks: the opponent possesses a string of ciphertexts: y1, y2, … Known plaintext attack: the opponent possesses a string of plaintexts x1, x2, … and the corresponding string of ciphertexts: y1, y2, …

    9. symmetric cryptography 9 Usefulness of classical ciphers Cryptanalysis of substitution ciphers: Known plaintext attack –- easy to get the keys Ciphertext only attack -- use statistical properties of the language. Cryptanalysis of polyalphabetic (Vigenere) cipher: Known plaintext attack –- easy to get the keys Ciphertext only attack -- use statistical: properties of the language.

    10. symmetric cryptography 10 Requirements for secure use of classical ciphers The notion of information-theoretic cryptographic security was developed by Shannon and requires that: |K| ? |M| k ?U K and is used only once in each encryption This kind of security is not practical for most applications.

    11. symmetric cryptography 11 The one-time-pad -- Perfect secrecy Assume that there is a distribution on P, K . Then the plaintext and the keys are chosen with a certain probability. That is we have: Pr[x = x] and Pr[k = k], where x, k are random variables (r.v.’s).

    12. symmetric cryptography 12 The one-time-pad -- Perfect secrecy The probability distribution on P and K induces a distribution on C, for which: Pr [y = y] = S Pr [k = k] Pr [x = dk(y)] k: y=ek (x), x e P For this distribution we have, Pr [x, y] = Pr [x = x] ? S Pr [k = k] k: x=dk (y)

    13. symmetric cryptography 13 Using Bayes’ theorem we get: Pr [x = x] ? S Pr [k = k] K: x=dK (y) Pr [ x = x | y = y] = S Pr [k = k] Pr [x = dk(y)] k: y=ek (x), x e P this Perfect secrecy

    14. symmetric cryptography 14 Perfect secrecy Definition: We have perfect secrecy if: Pr[x = x| y = y] = Pr[x = x] , for all x e P, y e C.

    15. symmetric cryptography 15 Perfect secrecy Theorem The One-Time-Pad provides perfect secrecy. Proof We have: Pr [k = k] = 1 / |K| , and for each x e P, y e C there is exactly one key k with y = ek(x).

    16. symmetric cryptography 16 Perfect secrecy Proof (continued) Then Pr [y = y] = S Pr [k = k] ? Pr [x = dk(y)] k: y=ek (x), x e P = 1 / |K| ?? S Pr [x = dk(y)] k: y=ek (x), x e P = 1/|K| .

    17. symmetric cryptography 17 Perfect secrecy Proof (continued) Using Bayes’ theorem: Pr [x=x|y=y] = Pr [y=y|x=x] ? Pr [x=x] / Pr [y=y] = Pr [k=k] Pr [x=x] / Pr [y=y] We have just seen that: Pr [k=k] = Pr[y=y]. It follows that: Pr [x=x|y=y] = Pr [x=x] , so we have perfect secrecy.

    18. symmetric cryptography 18 Iterating Block ciphers 1. Key schedule (Binary) key k ? round keys: k1,..., kNr,

    19. symmetric cryptography 19 Iterated cipher …

    20. symmetric cryptography 20 Iterated cipher … For decryption we must have: g(.,k) must be invertible for all k Then decryption is the reverse of encryption (bottom-up)

    21. symmetric cryptography 21 DES DES is a special type of iterated cipher called a Feistel cipher. Block length 64 bits Key length 56 bits Ciphertext length 64 bits

    22. symmetric cryptography 22 DES The round function is: g ([Li-1,Ri-1 ]), Ki ) = (Li , Ri), where Li = Ri-1 and Ri = Li-1 XOR f (Ri-1, Ki).

    23. symmetric cryptography 23 DES round encryption

    24. symmetric cryptography 24 DES inner function

    25. symmetric cryptography 25 DES computation path

    26. symmetric cryptography 26 One DES Round One DES round only scrambles half of the input data (the right half). Since the last step in the mangle is to reverse the halfs, the other half of the data is scrambled in the second (and fourth ... and 6th, and 8th, etc. rounds). Also, as stated by the scribe: "The 32 bit Right half becomes the 32 bit Left half for the next round (not the mangled output) unless the textbook diagram is wrong also (Page 68 of the text Figure 3-6). The Right half goes into the mangler and that output is XOR'd with the 32 bit Left half to create the 32 bit Right half for the next round. The Right half (unmangled) simply becomes the Left half for the next round, according to the book and the formulas they give for reversing it. " One DES round only scrambles half of the input data (the right half). Since the last step in the mangle is to reverse the halfs, the other half of the data is scrambled in the second (and fourth ... and 6th, and 8th, etc. rounds). Also, as stated by the scribe: "The 32 bit Right half becomes the 32 bit Left half for the next round (not the mangled output) unless the textbook diagram is wrong also (Page 68 of the text Figure 3-6). The Right half goes into the mangler and that output is XOR'd with the 32 bit Left half to create the 32 bit Right half for the next round. The Right half (unmangled) simply becomes the Left half for the next round, according to the book and the formulas they give for reversing it. "

    27. symmetric cryptography 27 Inner Function Combine 32 bit input and 48 bit key into 32 bit output Expand 32 bit input to 48 bits XOR the 48 bit key with the expanded 48 bit input Apply the S-boxes to the 48 bit input to produce 32 bit output Permute the resulting 32 bits This helps diffusion, by making a single bit change in the plaintext ripple throughout the ciphertext. It also explains how the decryption works, when the four bit ciphertext can map back to any of four possible plaintexts. You'll see in a minute.This helps diffusion, by making a single bit change in the plaintext ripple throughout the ciphertext. It also explains how the decryption works, when the four bit ciphertext can map back to any of four possible plaintexts. You'll see in a minute.

    28. symmetric cryptography 28 Inner Function Expand 32 bit input to 48 bits by adding a bit to the front and the end of each 4 bit segment. These bits are taken from adjacent bits. This helps diffusion, by making a single bit change in the plaintext ripple throughout the ciphertext. It also explains how the decryption works, when the four bit ciphertext can map back to any of four possible plaintexts. You'll see in a minute.This helps diffusion, by making a single bit change in the plaintext ripple throughout the ciphertext. It also explains how the decryption works, when the four bit ciphertext can map back to any of four possible plaintexts. You'll see in a minute.

    29. symmetric cryptography 29 S Boxes There are 8 different S-Boxes, 1 for each chunk S-box process maps 6 bit input to 4 bit output S box performs substitution on 4 bits There are 8 possible substitutions in each S box Inner 4 bits are fed into an S box Outer 2 bits determine which substitution is used

    30. symmetric cryptography 30 S Boxes 100101 will return 1000 (11 X 0010)100101 will return 1000 (11 X 0010)

    31. symmetric cryptography 31 DES: The Initial and Final Permutations There is also an initial and a final permutation: the final permutation is the inverse of the initial Permutation.

    32. symmetric cryptography 32 Decrypting DES DES (and all Feistel structures) is invertible through “reverse” encryption because The input to the nth step is the output of the n-1th step Everything needed (except the key) to produce the input to the inner function of the n-1th step is available from the output of the nthstep.

    33. symmetric cryptography 33 Encrypt round n Decrypt round n+1 Ln+1 was not changed in round n. It started round n as Rn and was used as the input to the mangler function. We can apply the mangler function to Ln+1 which gives the same value that was xor'ed with Ln to get Rn+1. So, when we xor the mangled Ln+1 with Rn+1, we get Ln. Ln+1 was not changed in round n. It started round n as Rn and was used as the input to the mangler function. We can apply the mangler function to Ln+1 which gives the same value that was xor'ed with Ln to get Rn+1. So, when we xor the mangled Ln+1 with Rn+1, we get Ln.

    34. symmetric cryptography 34 Key schedule INPUT: 64-bit key: k1, k2, … , k64 OUTPUT: sixteen 48-bit keys: k1, k2, … , k16 The algorithm used for generating the key schedule combines and selects bits of K to generate the round keys two bit selection tables. -- for details see Handbook of Applied Cryptography. C is the encryption key D is the decryption keyC is the encryption key D is the decryption key

    35. symmetric cryptography 35 Weak Keys Let Co and Do are the 28 bit key halves There are 4 week keys in the keyspace (256) C0 = All zeros & D0 = All zeros C0 = All ones & D0 = All zeros C0 = All zeros & D0 = All ones C0 = All ones & D0 = All ones There are 12 semi-weak keys, where Co & Do are the following in some combination All zeros, All ones, 010101…, 101010… -- for details see Handbook of Applied Cryptography. C is the encryption key D is the decryption keyC is the encryption key D is the decryption key

    36. symmetric cryptography 36 Attacks on iterated ciphers Suppose that there a probabilistic linear relation between some plaintext bits and state bits immediately preceding the last round. Say the bits XOR to 0 with probability bounded away from ½. Linear cryptanalysis is a known plaintext attack. The attacker needs to know a large number of pairs (xi,yi) encrypted with the same key K, and uses a linear relation to decrypt a given cipher

    37. symmetric cryptography 37 Kerchoffs’ assumption The adversary knows all details of the encrypting function except the secret key

    38. symmetric cryptography 38 Diffusion and Confusion -- Shannon Diffusion. The relationship between the statistics of the plaintext and the ciphertext is as complex as possible: the value of each plaintext bit affects many plaintext bits. Confusion: the relationship between the statistics of the ciphertext and the value of the key is as complex as possible.

    39. symmetric cryptography 39 Attacks on DES Brute force Linear Cryptanalysis -- Known plaintext attack Differential cryptanalysis Chosen plaintext attack Modify plaintext bits, observe change in ciphertext No dramatic improvement on brute force - Brute force we've already discussed. If a suitable "Break DES" version were created, brute force could find the key in a matter of hours because of computing power advances. - Brute force we've already discussed. If a suitable "Break DES" version were created, brute force could find the key in a matter of hours because of computing power advances.

    40. symmetric cryptography 40 Linear cryptanalysis (known plantext) For each pair (xi,yi), decrypt using all possible candidate keys for the last round and determine if the linear relation holds. If it does, increment a frequency counter for the candidate key used. Hopefully, at the end, this counter can be used to determine the correct values for the subkey bits.

    41. symmetric cryptography 41 Differential cryptanalysis (chosen plaintext) Differential cryptanalysis is a chosen plaintext attack. In this case the XOR of two inputs x, x* is compared with that of the corresponding outputs y, y*. In general we look for pairs x, x* for which x’=x+x* is fixed. For each such pair, decrypt y, y* using all possible candidate keys for the last round, and determine if their XOR has a certain value. Again use a frequency counter. Hopefully, at the end, this counter can be used to determine the correct values for the subkey bits.

    42. symmetric cryptography 42 The security of DES None of these attacks have a serious impact on the security of DES. The main problem with DES is that it has relatively short key length. Consequently it is subject to brute-force or exhaustive key search attacks. One solution to overcome this problem is to run DES a multiple number of times.

    43. symmetric cryptography 43 Countering Attacks Large keyspace combats brute force attack Triple DES, typically two key mode: Ek1Dk2Ek1 Use AES

    44. symmetric cryptography 44 Triple DES Encryption: c = Ek1(Dk2(Ek1(m)) Decryption: m = Dk1(Ek2(Dk1(c))

    45. symmetric cryptography 45 AES Block length 128 bits. Key lengths 128 (or 192 or 256). The AES is an iterated cipher with Nr=10 (or 12 or 14) In each round we have: Subkey mixing: State ? Roundkey XOR State A substitution: SubBytes(State) A permutation: ShiftRows(State) & MixColumns(State)

    46. symmetric cryptography 46 Modes of operation Four basic modes of operation are available for block ciphers: Electronic codebook mode: ECB Cipher block chaining mode: CBC Cipher feedback mode: CFB Output feedback mode: OFB

    47. symmetric cryptography 47 Electronic Codebook mode, ECB Each plaintext xi is encrypted with the same key K: yi = eK(xi). So, the naïve use of a block cipher.

    48. symmetric cryptography 48 ECB One DES round only scrambles half of the input data (the left half). Since the last step in the mangle is to reverse the halfs, the other half of the data is scrambled in the second (and fourth ... and 6th, and 8th, etc. rounds). Also, as stated by the scribe: "The 32 bit Right half becomes the 32 bit Left half for the next round (not the mangled output) unless the textbook diagram is wrong also (Page 68 of the text Figure 3-6). The Right half goes into the mangler and that output is XOR'd with the 32 bit Left half to create the 32 bit Right half for the next round. The Right half (unmangled) simply becomes the Left half for the next round, according to the book and the formulas they give for reversing it. " One DES round only scrambles half of the input data (the left half). Since the last step in the mangle is to reverse the halfs, the other half of the data is scrambled in the second (and fourth ... and 6th, and 8th, etc. rounds). Also, as stated by the scribe: "The 32 bit Right half becomes the 32 bit Left half for the next round (not the mangled output) unless the textbook diagram is wrong also (Page 68 of the text Figure 3-6). The Right half goes into the mangler and that output is XOR'd with the 32 bit Left half to create the 32 bit Right half for the next round. The Right half (unmangled) simply becomes the Left half for the next round, according to the book and the formulas they give for reversing it. "

    49. symmetric cryptography 49 Cipher Block Chaining mode, CBC Each cipher block yi-1 is xor-ed with the next plaintext xi : yi = eK(yi-1 XOR xi) before being encrypted to get the next plaintext yi. The chain is initialized with an initialization vector: y0 = IV with length, the block size.

    50. symmetric cryptography 50 CBC One DES round only scrambles half of the input data (the left half). Since the last step in the mangle is to reverse the halfs, the other half of the data is scrambled in the second (and fourth ... and 6th, and 8th, etc. rounds). Also, as stated by the scribe: "The 32 bit Right half becomes the 32 bit Left half for the next round (not the mangled output) unless the textbook diagram is wrong also (Page 68 of the text Figure 3-6). The Right half goes into the mangler and that output is XOR'd with the 32 bit Left half to create the 32 bit Right half for the next round. The Right half (unmangled) simply becomes the Left half for the next round, according to the book and the formulas they give for reversing it. " One DES round only scrambles half of the input data (the left half). Since the last step in the mangle is to reverse the halfs, the other half of the data is scrambled in the second (and fourth ... and 6th, and 8th, etc. rounds). Also, as stated by the scribe: "The 32 bit Right half becomes the 32 bit Left half for the next round (not the mangled output) unless the textbook diagram is wrong also (Page 68 of the text Figure 3-6). The Right half goes into the mangler and that output is XOR'd with the 32 bit Left half to create the 32 bit Right half for the next round. The Right half (unmangled) simply becomes the Left half for the next round, according to the book and the formulas they give for reversing it. "

    51. symmetric cryptography 51 Cipher and Output feedback modes (CFB & OFB) CFB z0 = IV and recursively: zi = eK(yi-1) and yi = xi XOR zi OFB z0 = IV and recursively: zi = eK(zi-1) and yi = xi XOR zi

    52. symmetric cryptography 52 CFB mode

    53. symmetric cryptography 53 OFB mode

    54. symmetric cryptography 54 Key Channel Establishment for symmetric cryptosystems Conventional techniques Public-key techniques Quantum Key distribution techniques

More Related