Cryptography and Network Security, Chapter 6: Block Cipher Operation (PDF document, lecture slides)

1. 4/19/2010

Cryptography and Network Security, Fifth Edition, by William Stallings
Lecture slides by Lawrie Brown

Chapter 6 – Block Cipher Operation

"Many savages at the present day regard their names as vital parts of themselves, and therefore take great pains to conceal their real names, lest these should give to evil-disposed persons a handle by which to injure their owners."
— The Golden Bough, Sir James George Frazer

Multiple Encryption & DES
• clear a replacement for DES was needed
  – theoretical attacks that can break it
  – demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple encryption with DES implementations
• Triple-DES is the chosen form

Double-DES?
• could use 2 DES encrypts on each block
  – C = E_K2(E_K1(P))
• issue of reduction to single stage
• and have "meet-in-the-middle" attack
  – works whenever use a cipher twice
  – since X = E_K1(P) = D_K2(C)
  – attack by encrypting P with all keys and store
  – then decrypt C with keys and match X value
  – can show takes O(2^56) steps

Triple-DES with Two-Keys
• hence must use 3 encryptions
  – would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
  – C = E_K1(D_K2(E_K1(P)))
  – nb encrypt & decrypt equivalent in security
  – if K1 = K2 then can work with single DES
• standardized in ANSI X9.17 & ISO 8732
• no current known practical attacks
  – several proposed impractical attacks might become basis of future attacks

Triple-DES with Three-Keys
• although there are no practical attacks on two-key Triple-DES, there are some indications
• can use Triple-DES with Three-Keys to avoid even these
  – C = E_K3(D_K2(E_K1(P)))
• has been adopted by some Internet applications, eg PGP, S/MIME

2. Modes of Operation
• block ciphers encrypt fixed size blocks
  – eg. DES encrypts 64-bit blocks with 56-bit key
• need some way to en/decrypt arbitrary amounts of data in practice
• NIST SP 800-38A defines 5 modes
• have block and stream modes
• to cover a wide variety of applications
• can be used with any block cipher

Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
  C_i = E_K(P_i)
• uses: secure transmission of single values

[Figure: Electronic Codebook (ECB)]

Advantages and Limitations of ECB
• message repetitions may show in ciphertext
  – if aligned with message block
  – particularly with data such as graphics
  – or with messages that change very little, which become a code-book analysis problem
• weakness is due to the encrypted message blocks being independent
• main use is sending a few blocks of data

Cipher Block Chaining (CBC)
• message is broken into blocks
• linked together in encryption operation
• each previous cipher block is chained with current plaintext block, hence name
• use Initial Vector (IV) to start process
  C_i = E_K(P_i XOR C_{i-1})
  C_{-1} = IV
• uses: bulk data encryption, authentication

[Figure: Cipher Block Chaining (CBC)]

3. Message Padding
• at end of message must handle a possible last short block
  – which is not as large as blocksize of cipher
  – pad either with known non-data value (eg nulls)
  – or pad last block along with count of pad size
    • eg. [b1 b2 b3 0 0 0 0 5]
    • means have 3 data bytes, then 5 bytes pad+count
  – this may require an extra entire block over those in message
• there are other, more esoteric modes, which avoid the need for an extra block

Advantages and Limitations of CBC
• a ciphertext block depends on all blocks before it
• any change to a block affects all following ciphertext blocks
• need Initialization Vector (IV)
  – which must be known to sender & receiver
  – if sent in clear, attacker can change bits of first block, and change IV to compensate
  – hence IV must either be a fixed value (as in EFTPOS)
  – or must be sent encrypted in ECB mode before rest of message

Stream Modes of Operation
• block modes encrypt entire block
• may need to operate on smaller units
  – real time data
• convert block cipher into stream cipher
  – cipher feedback (CFB) mode
  – output feedback (OFB) mode
  – counter (CTR) mode
• use block cipher as some form of pseudo-random number generator

Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8, 64 or 128 etc) to be fed back
  – denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• most efficient to use all bits in block (64 or 128)
  C_i = P_i XOR E_K(C_{i-1})
  C_{-1} = IV
• uses: stream data encryption, authentication

[Figure: s-bit Cipher FeedBack (CFB-s)]

Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while doing a block encryption after every n bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
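The ECB and CBC equations and the zero-plus-count padding scheme from the slides above, as an added worked example that is not part of the original deck: the 8-byte block cipher E/D is a constructed 4-round Feistel stand-in built on SHA-256 (not DES), and the key, IV and messages are made up. It shows the ECB repeated-block leak and CBC's forward propagation of a plaintext change.

```python
import hashlib

BLOCK = 8  # 64-bit blocks like DES; E/D below are a constructed Feistel stand-in, not DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):
    # Toy round function: keyed SHA-256 of one half (stands in for the DES f-function)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key, block):
    # 4-round Feistel network; the Feistel structure is invertible, which ECB/CBC decryption needs
    L, R = block[:4], block[4:]
    for rnd in range(4):
        L, R = R, _xor(L, _f(key, rnd, R))
    return R + L

def D(key, block):
    L, R = block[:4], block[4:]
    for rnd in reversed(range(4)):
        L, R = R, _xor(L, _f(key, rnd, R))
    return R + L

def pad(msg):
    # Slide scheme: zero bytes then a count byte, e.g. [b1 b2 b3 0 0 0 0 5]; a message that
    # already fills its last block costs an extra entire block of padding
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes(n - 1) + bytes([n])
def unpad(data):
    return data[:-data[-1]]
def blocks(data):
    return [data[k:k + BLOCK] for k in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    return b"".join(E(key, p) for p in blocks(pad(msg)))  # C_i = E_K(P_i), blocks independent

def cbc_encrypt(key, iv, msg):
    out, prev = [], iv                                     # C_-1 = IV
    for p in blocks(pad(msg)):
        prev = E(key, _xor(p, prev))                       # C_i = E_K(P_i XOR C_i-1)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(D(key, c), prev))                  # P_i = D_K(C_i) XOR C_i-1
        prev = c
    return unpad(b"".join(out))
```

Three identical plaintext blocks give three identical ECB ciphertext blocks, while in CBC every ciphertext block from the changed block onward differs.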

4. Output FeedBack (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name)
• feedback is independent of message
• can be computed in advance
  O_i = E_K(O_{i-1})
  C_i = P_i XOR O_i
  O_{-1} = IV
• uses: stream encryption on noisy channels

[Figure: Output FeedBack (OFB)]

Advantages and Limitations of OFB
• needs an IV which is unique for each use
  – if ever reused, attacker can recover outputs
• bit errors do not propagate
• more vulnerable to message stream modification
• sender & receiver must remain in sync
• only use with full block feedback
  – subsequent research has shown that only full block feedback (ie CFB-64 or CFB-128) should ever be used

Counter (CTR)
• a "new" mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
  O_i = E_K(i)
  C_i = P_i XOR O_i
• uses: high-speed network encryptions

[Figure: Counter (CTR)]

Advantages and Limitations of CTR
• efficiency
  – can do parallel encryptions in h/w or s/w
  – can preprocess in advance of need
  – good for bursty high speed links
• random access to encrypted data blocks
• provable security (as good as other modes)
• but must ensure never reuse key/counter values, otherwise could break (cf OFB)
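OFB and CTR keystream generation as written on the slides above (O_i = E_K(O_{i-1}) and O_i = E_K(i)), as an added example that is not from the original deck: E is a constructed SHA-256 keyed-hash stand-in for AES (forward direction only, which is all these modes need), and the nonce||counter layout of the counter block, the key, IV and sample data are assumptions. It demonstrates CTR's random access, the single-bit error behaviour of OFB, and what reusing a key/counter pair gives away.

```python
import hashlib

BLOCK = 16  # 128-bit blocks as in AES; E below is a constructed keyed-hash stand-in, not AES

def E(key, block):
    # Forward-only block function: OFB and CTR never call the inverse, so a PRF stands in
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_keystream(key, iv, nblocks):
    # O_i = E_K(O_{i-1}), O_{-1} = IV: each output depends on the previous one (sequential)
    out, o = [], iv
    for _ in range(nblocks):
        o = E(key, o)
        out.append(o)
    return out

def ctr_keystream(key, nonce, start, nblocks):
    # O_i = E_K(i): counter blocks are independent, so any block can be generated on its own
    # (assumed layout: 8-byte nonce followed by an 8-byte big-endian block counter)
    return [E(key, nonce + (start + i).to_bytes(8, "big")) for i in range(nblocks)]

def apply_stream(stream, data):
    # C_i = P_i XOR O_i, and P_i = C_i XOR O_i: the same function encrypts and decrypts
    ks = b"".join(stream)[:len(data)]
    return xor(data, ks)

def ctr_decrypt_block(key, nonce, j, ct):
    # Random access: recover plaintext block j without touching any other block
    return apply_stream(ctr_keystream(key, nonce, j, 1), ct[j * BLOCK:(j + 1) * BLOCK])

def bit_error_spread(key, iv, pt):
    # Flip one ciphertext bit under OFB, decrypt, count damaged plaintext bytes (expect 1)
    n = -(-len(pt) // BLOCK)
    ct = bytearray(apply_stream(ofb_keystream(key, iv, n), pt))
    ct[5] ^= 0x01
    back = apply_stream(ofb_keystream(key, iv, n), bytes(ct))
    return sum(1 for a, b in zip(back, pt) if a != b)

def reuse_leaks_xor(key, nonce, p1, p2):
    # Same key and counter for two messages: C1 XOR C2 == P1 XOR P2, the keystream cancels out
    n = -(-max(len(p1), len(p2)) // BLOCK)
    c1 = apply_stream(ctr_keystream(key, nonce, 0, n), p1)
    c2 = apply_stream(ctr_keystream(key, nonce, 0, n), p2)
    return xor(c1, c2) == xor(p1, p2)
```

The one-byte result of bit_error_spread is the "bit errors do not propagate" property, and the same property is why an attacker can flip chosen plaintext bits by flipping ciphertext bits (the "message stream modification" limitation on the slide).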

5. XTS-AES Mode
• new mode, for block oriented storage use
  – in IEEE Std 1619-2007
• concept of tweakable block cipher
• different requirements to transmitted data
• uses AES twice for each block
  T_j = E_K2(i) XOR α^j
  C_j = E_K1(P_j XOR T_j) XOR T_j
  where i is tweak & j is sector no
• each sector may have multiple blocks

[Figure: Feedback Characteristics]

[Figure: XTS-AES Mode Overview]

[Figure: XTS-AES Mode per block]

Advantages and Limitations of XTS-AES
• efficiency
  – can do parallel encryptions in h/w or s/w
  – random access to encrypted data blocks
• has both nonce & counter
• addresses security concerns related to stored data

Summary
• Multiple Encryption & Triple-DES
• Modes of Operation
  – ECB, CBC, CFB, OFB, CTR, XTS-AES
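The XTS-AES tweak and per-block equations from the slide above, as an added example that is not from the original deck: the block function E is a constructed SHA-256 keyed-hash stand-in for AES, so only the encrypt side is shown (the real mode decrypts with the inverse of E_K1); the slide's α^j term is implemented as repeated multiplication by α in GF(2^128) with the little-endian tweak convention of IEEE 1619, i is taken as the sector number and j as the block index within the sector, ciphertext stealing for a partial last block is omitted, and keys and sector contents are made up.

```python
import hashlib

BLOCK = 16  # 128-bit blocks as in AES; E below is a constructed keyed-hash stand-in, not AES

def E(key, block):
    # Forward block function only (encrypt side); real XTS-AES decrypts with the inverse of E_K1
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mul_alpha(t):
    # Multiply the tweak by α = x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1. IEEE 1619 reads
    # the 16 tweak bytes as a little-endian integer, so the carry out of bit 127 folds back as 0x87.
    v = int.from_bytes(t, "little") << 1
    if v >> 128:
        v = (v ^ 0x87) & ((1 << 128) - 1)
    return v.to_bytes(BLOCK, "little")

def xts_encrypt_sector(k1, k2, i, sector):
    # Slide equations: T_j = E_K2(i) (x) α^j ; C_j = E_K1(P_j XOR T_j) XOR T_j
    # i = tweak (the sector number here), j = index of the block inside the sector
    assert len(sector) % BLOCK == 0, "partial last block (ciphertext stealing) not handled here"
    t = E(k2, i.to_bytes(BLOCK, "little"))    # T_0 = E_K2(i), since α^0 = 1
    out = []
    for j in range(0, len(sector), BLOCK):
        p = sector[j:j + BLOCK]
        out.append(xor(E(k1, xor(p, t)), t))  # tweak is applied before and after the cipher
        t = mul_alpha(t)                       # T_{j+1} = T_j · α
    return b"".join(out)

def blocks(data):
    return [data[k:k + BLOCK] for k in range(0, len(data), BLOCK)]
```

Because the tweak differs for every (sector, block) position, two identical plaintext blocks encrypt differently, which is the random-access-friendly answer to the ECB codebook problem for stored data.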
