Notes for Chapter 3 and 4

CS 266
secret
block
Secret Key Cryptography
fixed-size block, fixed-size key
DES, IDEA
message into blocks?
Spring -- 2009

Generic Block Encryption
convert block into another, one-to-one
bits
(peta)
long enough to avoid known-plaintext attack
input values, 64 bits each
64 bit typical (nice for RISC!)
naive:
output should look random
values mapped
bits
bits)
plain, ciphertext: no correlation (half the same, half different)
bit spreading
substitution:
permutation: change bit position of each bit
round: combination of substitution of chunks and permutation
do often enough so that a bit can affect every output bit – but no more

Data Encryption Standard (DES)
published in 1977 by National Bureau of Standards
developed at IBM (“Lucifer”)
56-bit key, with parity bits
64-bit blocks
easy in hardware, slow in software
50 MIPS: 300 kB/s
10.7 Mb/s on a 90 MHz Pentium in 32-bit protected mode
grow 1 bit every 2 years

Breaking DES
500,000 MIPS years
brute force: check all keys
easy if you have known plaintext
decryption
have to know something about plaintext (ASCII, GIF, ...)
commercial DES chips not helpful: key loading time
time
easy to do with FPGA, without arousing suspicion
easily defeated with repeated encryption

DES Overview
64-bit output
16 48-bit per-round keys (different subset)
initial permutation
56-bit key
16 rounds: 64 bit input + 48-bit key
reverse key order
final permutation (inverse of initial)
decryption: run backwards

Permutation
th bits
just slow down software
th byte
even-numbered bits into bytes 1-4
odd-numbered bits into bytes 5-8
no security value: if we can decrypt innards, we could decrypt DES

Generating Per-Round Keys
56-bit key
:
:
16 48-bit keys
bits 8, 16, ..., 64 are parity
permutation
split into 28-bit pieces
again, no security value
rounds 1, 2, 9, 16: single-bit rotate left
otherwise: two-bit rotate left
48-bit key in each round
permutation for left/right half of
discard a few bits

XOR Arithmetic

DES Round
mangler function can be non-reversible
–
–
decryption
–
–

Mangler Function
expand from 32 to 48 bits: 4-bit chunks, borrow bits from neighbors
6-bit chunks: expanded
S box: 6 bit (64 entries) into 4 bit (16) table: 4 each
four separate 4x4 S-boxes, selected by outer bits of chunk
8 different S-boxes for each 4 bits of data
random permutation: P-box

Weak Keys
16 keys to avoid:
avoid low-numbered keys
0...0, 1...1, 0101..., 1010...
sequential key search
weak keys: own inverses = encrypt( ) = decrypt( )
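The rotation schedule from the per-round key slide and the 16 keys to avoid, worked through as an added example that is not part of the original notes. It operates directly on the two 28-bit key halves (the initial key permutation is omitted), and all function and constant names are made up for the illustration.

```python
MASK28 = (1 << 28) - 1
SINGLE_ROTATE_ROUNDS = {1, 2, 9, 16}  # every other round rotates by two bits

def rotl28(x, n):
    """Rotate a 28-bit value left by n bits."""
    return ((x << n) | (x >> (28 - n))) & MASK28

def round_halves(half):
    """Value of one 28-bit key half after the rotation in each of the 16 rounds."""
    out = []
    for rnd in range(1, 17):
        half = rotl28(half, 1 if rnd in SINGLE_ROTATE_ROUNDS else 2)
        out.append(half)
    return out

def distinct_round_values(half):
    """How many different values this half takes over the 16 rounds."""
    return len(set(round_halves(half)))

# The four half patterns named on the slide: 0...0, 1...1, 0101..., 1010...
ALL0, ALL1 = 0, MASK28
ALT01, ALT10 = int("01" * 14, 2), int("10" * 14, 2)
DEGENERATE = {ALL0, ALL1, ALT01, ALT10}

def key_to_avoid(c0, d0):
    """True for the 4 x 4 = 16 combinations of halves that should be rejected."""
    return c0 in DEGENERATE and d0 in DEGENERATE

def all_round_keys_equal(c0, d0):
    """True when neither half ever changes, so every round uses the same key."""
    return distinct_round_values(c0) == 1 and distinct_round_values(d0) == 1

if __name__ == "__main__":
    for name, h in [("0...0", ALL0), ("0101...", ALT01), ("single bit", 1)]:
        print(name, "->", distinct_round_values(h), "distinct half values")
```

The rotations add up to 28 bits, so each half is back at its starting value after round 16; a half in one of the four patterns takes at most two values on the way, which is what a key-generation routine should screen for.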

IDEA
International Data Encryption Algorithm
ETH Zurich, 1991
similar to DES: 64 bit blocks
128-bit keys

Primitive Operations
2 16-bit
reversible
or
example:
reason:
of ,
Euclid’s algorithm
1 16-bit
:
inverse
is prime

IDEA Key Expansion
128-bit key
52 16-bit keys
eight 16-bit keys
eight 16-bit keys
encryption, decryption different
chop off 16 bits
start at bit -- chop again
repeat

IDEA: One Round
4 16-bit:
17 rounds, even and odd
64 bit input
operations
odd rounds:
even rounds:

IDEA: Odd Round
reverse with inverses of
:

Even Round
mangler:
1.
2.
3.

Encrypting a Large Message
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
-bit Cipher Feedback Mode (CFB)
-bit Output Feedback Mode (OFB)

Electronic Code Book (ECB)
break into 64-bit blocks
same ciphertext
encrypt each block independently
some plaintext
easy to change message by copying blocks
bit errors do not propagate
rarely used

Cipher Block Chaining (CBC)
ciphertext
blocks with 64-bit random number
repeats in plaintext
simple scheme:
can remove selected blocks
real CBC:
: previous block of ciphertext
random initialization vector (IV): avoid equal initial text
removes ability to detect changes in plaintext
can’t feed chosen plaintext to encryption
but: can twiddle some bits (while modifying others):
modify to change desired
(and
)
combine with MICs
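An added example, not part of the original notes: a toy 64-bit Feistel-style cipher (constructed here, not DES) whose non-reversible mangler is undone by running the same rounds with the keys in reverse order, used to show that ECB gives the same ciphertext for repeated plaintext blocks while CBC with an IV does not. The HMAC-based mangler and key schedule, the key, the IV and the message are assumptions made for the demonstration.

```python
import hashlib, hmac

BLOCK = 8  # 64-bit blocks, as in DES and IDEA

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key, rounds=16):
    # Constructed key schedule (not DES's): one 48-bit key per round.
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest()[:6] for i in range(rounds)]

def mangler(half, k):
    # Non-reversible: a truncated HMAC of the 32-bit half under the round key.
    return hmac.new(k, half, hashlib.sha256).digest()[:4]

def feistel(block, keys):
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, xor(left, mangler(right, k))
    return right + left  # final swap: the same network decrypts with reversed keys

def encrypt_block(b, key):
    return feistel(b, round_keys(key))

def decrypt_block(b, key):
    return feistel(b, round_keys(key)[::-1])  # same rounds, reverse key order

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    # Each block is encrypted independently of the others.
    return b"".join(encrypt_block(b, key) for b in split(pt))

def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for b in split(pt):
        prev = encrypt_block(xor(b, prev), key)  # chain in the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def distinct_blocks(ct):
    return len(set(split(ct)))

# Constructed sample data: four 8-byte blocks, three of them identical.
# The IV is fixed so the run is reproducible; the notes call for a random one.
KEY, IV = b"demo-key", bytes.fromhex("0123456789abcdef")
MSG = b"PAY 0100" + b"PAY 0100" + b"PAY 0100" + b"TO ALICE"

if __name__ == "__main__":
    for name, ct in [("ECB", ecb_encrypt(MSG, KEY)), ("CBC", cbc_encrypt(MSG, KEY, IV))]:
        print(name, "distinct ciphertext blocks:", distinct_blocks(ct), "of 4")
```

Because ECB blocks stand alone, reordering or copying ciphertext blocks decrypts to the correspondingly reordered plaintext, which is the block-copying weakness listed on the ECB slide.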

Output Feedback Mode (OFB)
encrypt
encrypt
64-bit OFB:
IV:
limited plaintext damage
with message, transmit with IV
ciphertext damage
modify plaintext into anything
can be transmitted byte-by-byte
but: known plaintext
extra/missing characters garble whole rest
-bit OFB

Cipher Feedback Mode (CFB)
with plaintext
bits,
bits of ciphertext instead of IV-generated
similar to OFB: generate
use
bits
will resynchronize after byte loss/insertion
can’t generate ahead of time
8-bit
requires encryption for each

Generating MICs
CBC residue
only send last block of CBC
any modification in plaintext modifies CBC residue
replicating last CBC block doesn’t work
P+I: use separate (but maybe related) secret keys for encryption and MIC; two encryption passes
CBC(message hash)

Multiple Encryption DES
applicable to any encryption, important for DES
,
just reverse:
encrypt-decrypt-encrypt (EDE): just reversible functions
two keys
decryption
standard CBC

Triple DES: Why 3? EDE?
security
plaintext
efficiency
,
, etc.
encrypted,
decrypted, sorted
,
: twice the work for encryption, cryptanalyst
(ciphertext)
not quite equivalent to 112 bit key:
–
(
TB) entries for each
– Table A:
sorted
,
pairs, test against
candidates
entries for each
,
– Table B:
– find
– if multiple
Table A:
(64 bits)
...
1234567890abcd00
1234567890abcd03
1234567890abcd04
1234567890abcd08
...
Table B:
(64 bits)
...
1234567890abcd00
1234567890abcd03
1234567890abcd07
1234567890abcd09
...
computation:
(56 bits)
ab485095845922
12834893573257
43892ab8348a85
185ab80184092c
(56 bits)
38acd043858ac0
91870ab8a8d8a0
058a0fa858abcd
fd884a90407821

Triple DES
garble rest
EDE: can run as single DES with
more permutations
single bit change
outside
– can be used with any chaining method
– self-synchronizing: wrong bit in block
changed, others unaffected
garbled,