Lecture 4: Using Block Ciphers

  1. Lecture 4: Using Block Ciphers Outline • encrypting large messages • checking integrity • securing DES

  2. Electronic Code Book (ECB) [figure: blocks M1 M2 M3 M4, each fed through E, giving C1 C2 C3 C4] How to use a block cipher to encrypt a large message? • break the message into blocks • encrypt each block separately with the secret key

  3. Problems with ECB • the same plaintext block always produces the same ciphertext block • the ciphertext can be analyzed for repeated blocks, and blocks can be rearranged, deleted or replayed without detection [figure captions: plaintext, ECB encrypted, ciphertext]

  4. One-Time Pad • proven (Shannon): XOR a message with a (truly) random pad as long as the message, never reused – unbreakable (the ciphertext gives away no information about the message) • one-time pad – this use of random numbers • stream cipher – generates a pad (keystream) from a key and XORs it with the stream of plaintext to produce the ciphertext

  5. Fixing ECB • consider this: generate random numbers r1, r2, r3, r4 and XOR them with the blocks before encrypting [figure: Mi XOR ri, through E, gives Ci]; transmit r1, c1, r2, c2, r3, c3, r4, c4 • problems: • need to send twice as much data • blocks can still be rearranged • if two ciphertext blocks are equal, the XOR of the two plaintext blocks equals the XOR of the corresponding two random numbers

  6. Cipher Block Chaining (CBC) • randomizes the output by XORing each plaintext block with the previous ciphertext block before encrypting it • the first block is randomized using an initialization vector (IV), which is sent along with the ciphertext [figure: IV, M1 M2 M3 M4, through E, gives C1 C2 C3 C4] • how does CBC decrypt?

  7. CBC Decryption & Analysis [figure: IV, C1 C2 C3 C4, through D, gives M1 M2 M3 M4] • what happens if Ci gets lost or garbled? how much data is lost? • assume an attacker knows block Mi and wants to change it: what does it need to change? • can encryption/decryption be done in parallel?

  8. Output Feedback (OFB) Mode [figure: the k-bit shifting version of OFB] • OFB is a stream cipher • IV-based; the IV is transmitted in the clear • two versions • no shifting: pad1 = E(IV, key), pad2 = E(pad1, key), padi = E(padi-1, key) • k-bit shifting (see figure) • advantages • the pad can be pre-generated – no costly operations at run time (good for multimedia or resource-constrained devices) • how much information is affected if a portion of the ciphertext is garbled or lost? • problems • with known plaintext, the ciphertext can be altered so that it decrypts to text of the attacker's choice • is random access possible? • can encryption/decryption be done in parallel?

  9. Cipher Feedback (CFB) Mode • similar to OFB • the previous ciphertext block is also used to generate the pad • advantages • is random access possible? • what if part of the ciphertext is garbled/lost/duplicated? • problems • is OFB-like pad pre-generation possible? • can the ciphertext be altered if the plaintext is known? • can encryption/decryption be done in parallel?

  10. Counter (CTR) Mode • CTR is another stream cipher • to create the pad, the IV is incremented for each block and encrypted • is random access possible? • what if part of the ciphertext is garbled/lost/duplicated? • is pad pre-generation possible? • can encryption/decryption be done in parallel? • is known-plaintext alteration possible?

  11. Integrity checking • automated integrity checking – the computer itself should be able to detect tampering (a human should not be required; without a check, any "garbage" passes through) • message authentication code (MAC) – a cryptographic checksum generated with the help of a key • CBC, OFB, CFB and CTR – good confidentiality, but integrity is vulnerable

  12. CBC Residue [figure: IV, M1 M2 M3 M4, through E, gives C1 C2 C3 and the residue] • do CBC encryption of M using key K, throw away all but the last block • send the message in the clear plus the "residue" • used in banking • has the property that if you don't know the key you can't generate (or verify) the MAC, or modify the message without (probably) changing the MAC • however, if messages may vary in length, an attacker who has seen two valid (message, residue) pairs can splice them into a new message whose residue is already known, so the length must be fixed or itself authenticated
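The questions on slides 2 to 12 (ECB repetition, CBC error propagation, known-plaintext alteration of a stream mode, and the CBC residue splice) can all be answered by running the modes. The following is an added example, not code from the lecture; it assumes a stand-in block cipher (a 4-round Feistel network with HMAC-SHA256 as the round function, used here only because it is short and invertible, not DES or AES) and uses constructed keys and messages:

```python
"""ECB, CBC, CTR and the CBC residue on a stand-in block cipher (added example)."""
import hashlib
import hmac

BLOCK = 16        # block length in bytes
HALF = BLOCK // 2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in for DES/AES (an assumption of this example, not the lecture's cipher):
# a 4-round Feistel network whose round function is HMAC-SHA256. It is an
# invertible permutation on 16-byte blocks, which is all the modes below need.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):          # undo the rounds in reverse order
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, msg):
    # each block encrypted independently: equal plaintext blocks give equal ciphertext blocks
    return b"".join(encrypt_block(key, m) for m in blocks(msg))


def cbc_encrypt(key, iv, msg):
    out, prev = [], iv
    for m in blocks(msg):
        prev = encrypt_block(key, xor(m, prev))     # chaining: Ci = E(Mi XOR C(i-1))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    cblocks = blocks(ct)
    # Mi = D(Ci) XOR C(i-1): each block depends on only two ciphertext blocks, so decryption parallelises
    return b"".join(xor(decrypt_block(key, c), p) for c, p in zip(cblocks, [iv] + cblocks[:-1]))


def ctr_crypt(key, iv, data):
    # pad block i = E(IV + i): precomputable, random access, and encryption == decryption
    ctr = int.from_bytes(iv, "big")
    pad = b"".join(encrypt_block(key, ((ctr + i) % (1 << 128)).to_bytes(BLOCK, "big"))
                   for i in range(-(-len(data) // BLOCK)))
    return xor(data, pad)


def cbc_mac(key, msg):
    # CBC residue: CBC-encrypt with a zero IV and keep only the last ciphertext block
    return cbc_encrypt(key, bytes(BLOCK), msg)[-BLOCK:]


# --- the slides' questions, answered on constructed inputs ---
KEY = b"lecture-4-key-16"      # constructed 16-byte key


def ecb_distinct_blocks():
    ct = ecb_encrypt(KEY, b"ATTACK AT DAWN!!" * 3)   # three identical plaintext blocks
    return len(set(blocks(ct)))                       # 1: the repetition is visible


def cbc_blocks_damaged_by_one_bit():
    msg, iv = bytes(range(64)), bytes(BLOCK)
    ct = bytearray(cbc_encrypt(KEY, iv, msg))
    ct[BLOCK] ^= 0x01                                 # flip one bit of C2
    pt = cbc_decrypt(KEY, iv, bytes(ct))
    # [1, 2]: M2 is garbage, M3 has exactly that bit flipped, M1 and M4 survive
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(msg))) if a != b]


def ctr_known_plaintext_alteration():
    msg, target, iv = b"amount=0100", b"amount=9100", bytes(BLOCK)
    ct = ctr_crypt(KEY, iv, msg)
    forged = xor(ct, xor(msg, target))                # attacker needs no key
    return ctr_crypt(KEY, iv, forged)                 # decrypts to b"amount=9100"


def cbc_mac_forgery():
    # two valid one-block (message, residue) pairs obtained legitimately
    m1, m2 = b"pay 100 to alice", b"pay 999 to mallo"
    t1, t2 = cbc_mac(KEY, m1), cbc_mac(KEY, m2)
    forged = m1 + xor(t1, m2)     # residue = E(t1 XOR t1 XOR m2) = E(m2) = t2
    return cbc_mac(KEY, forged) == t2
```

The forgery in `cbc_mac_forgery` is the variable-length weakness of the raw residue: the verifier accepts a two-block message it never saw, which is why deployed CBC-MAC variants fix the message length or derive the last-block key differently.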

  13. Joint Privacy and Integrity • concurrently use two CBCs – one for privacy, the other for integrity • why can’t use only one for both?

  14. Securing DES • purpose: retain the same mechanism, expand the key size • why not double DES? • encrypt with K1 twice: how much more work (over DES) for the good guys? for the bad guys? • encrypt with K1 then K2: what is the time/memory for the bad guys? for the good guys? • subject to a subtle known-plaintext attack (meet-in-the-middle): with a known plaintext/ciphertext pair, tabulate E(K1, P) for all 2^56 values of K1, then decrypt C under each K2 and look it up, so the pair (K1, K2) costs about 2^57 operations and 2^56 table entries, not 2^112

  15. 3DES • defined as doing EDE with K1, K2, K3, but standardly K1 is set equal to K3 • reason: because of the known-plaintext (meet-in-the-middle) attack, 3DES is considered to have time-strength equal to only a 112-bit key, not 168, so a third key buys little • also, 112 bits is considered enough (for now) • why EDE instead of EEE? • the initial and final permutations would cancel each other out with EEE (minor advantage to EDE) • EDE is compatible with single DES if K1=K2=K3
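To make the double-encryption attack of slide 14 and the EDE compatibility point of slide 15 concrete, the following added example (not the lecture's code) runs a meet-in-the-middle search against double encryption with a toy 16-bit block cipher and 16-bit keys, an assumption chosen so that the 2 × 2^16 table-and-lookup search finishes in well under a second, where 2^32 trial pairs would not be instructive. The secret keys and known plaintexts are constructed:

```python
"""Meet-in-the-middle against double encryption on a 16-bit toy cipher (added example)."""
BITS, MASK = 16, 0xFFFF
MUL = 0x9E35                          # odd, so multiplication mod 2**16 is invertible
MUL_INV = pow(MUL, -1, 1 << BITS)


def _rotl(v, r):
    return ((v << r) | (v >> (BITS - r))) & MASK


def _rotr(v, r):
    return ((v >> r) | (v << (BITS - r))) & MASK


def toy_encrypt(key, x):
    """Stand-in for DES (assumption: 16-bit block and key, a toy, not secure)."""
    return _rotl(((x ^ key) * MUL) & MASK, 7) ^ key


def toy_decrypt(key, y):
    return ((_rotr(y ^ key, 7) * MUL_INV) & MASK) ^ key


def double_encrypt(k1, k2, x):
    return toy_encrypt(k2, toy_encrypt(k1, x))


def ede_encrypt(k1, k2, k3, x):
    # encrypt-decrypt-encrypt; with k1 == k2 == k3 it collapses to a single encryption
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, x)))


def meet_in_the_middle(pairs):
    """Recover the (k1, k2) pairs consistent with known plaintext/ciphertext pairs.

    Cost: 2**16 encryptions stored in a table plus 2**16 decryptions and lookups,
    instead of the 2**32 trial pairs a naive search would need.
    """
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(1 << BITS):                       # forward half: E(k1, P) for every k1
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = [(k1, k2) for k2 in range(1 << BITS)  # backward half: D(k2, C) looked up
                  for k1 in middle.get(toy_decrypt(k2, c0), ())]
    # one pair leaves about 2**16 candidates; the remaining pairs weed out the false ones
    return [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:])]


def demo():
    k1, k2 = 0x1A2B, 0xC3D4                           # constructed secret keys
    known = [0x0000, 0x1234, 0xBEEF, 0xCAFE]          # constructed known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in known]
    found = meet_in_the_middle(pairs)
    return (k1, k2) in found, len(found)


if __name__ == "__main__":
    print("true key pair recovered:", demo())
```

Scaling the same procedure to DES gives the 2^56-entry table and roughly 2^57 cipher operations that cap double DES, and with three stages the same idea (table after the first stage, 2^112 trials over the last two) caps 3DES at 112 bits, which is why slide 15 settles for K1 = K3.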

  16. 3DES and CBC • CBC is defined to be done on the outside of 3DES (chaining around the whole EDE operation) • same integrity problems as with regular CBC • CBC can potentially be done on the inside of 3DES (chaining at each of the three stages) • more secure against tampering but • more work • garbling/losing/duplicating one block garbles the rest of the message
