Secret Key: stream ciphers & block ciphers Stream Ciphers - PowerPoint PPT Presentation


  1. Secret Key: stream ciphers & block ciphers

  2. Stream Ciphers
  Idea: simulate the one-time pad with a short secret key
  • define a secret key ("seed")
  • from the seed generate a byte stream (the keystream); the i-th keystream byte is a function
    – only of the key and the position i (synchronous stream cipher), or
    – of the key and the first i-1 bytes of ciphertext (self-synchronizing, also called asynchronous, stream cipher)
  • obtain the ciphertext as the bit-wise XOR of plaintext and keystream

  3. Synchronous Stream Cipher encryption Key Stream ⊕ Plaintext = Ciphertext

  4. Synchronous Stream Cipher decryption Key Stream ⊕ Ciphertext = Plaintext

  5. Stream ciphers in practice
  • Many ciphers before 1940
  • Enigma - World War II (Germany)
  • A5 - GSM (encryption between cell phone and base station)
  • WEP - used in IEEE 802.11 wireless LANs (built on RC4)
  • RC4 (Ron's Code)

  6. Example: RC4
  • RC: Ron's Code (Ron = Ronald Rivest), designed in 1987
  • Kept as a trade secret from 1987 to 1994; after the code leaked in 1994 it was extensively studied
  • Short-key variants complied with US export restrictions
  • Easy to program, fast
  • Very popular: Lotus Notes, SSL, WEP etc.
  • Today: statistical biases in the keystream make RC4 unsafe; WEP is broken and TLS forbids RC4 (RFC 7465, 2015)

  7. RC4: properties
  • variable key length (1 to 256 bytes)
  • synchronous
  • from the key it generates an apparently random byte sequence
    • eventually the sequence repeats
    • but the period is very long (> 10^100), so it approximates a one-time pad
  • very fast: 1 byte of output costs 8-16 instructions

  8. RC4 initialization (key scheduling)
  1. j = 0
  2. S_0 = 0, S_1 = 1, …, S_255 = 255
  3. Assume a key of 256 bytes k_0, …, k_255 (if the key is shorter, repeat it cyclically: k_i = key[i mod keylen])
  4. For i = 0 to 255:
       j = (j + S_i + k_i) mod 256
       exchange S_i and S_j
  The result is a permutation of 0, 1, …, 255 that depends on the key.

  9. RC4 key-stream generation
  Input: i, j (both start at 0) and the permutation S of 0, 1, …, 255
  1. i = (i + 1) mod 256
  2. j = (j + S_i) mod 256
  3. exchange S_i and S_j
  4. t = (S_i + S_j) mod 256
  5. B = S_t
  Output: B (one keystream byte per step)
  Recall: each ciphertext byte is the XOR of 1 byte of plaintext and 1 byte of keystream.
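The two procedures of slides 8 and 9 assembled into a runnable RC4 with encryption and decryption. This is an added example, not code from the original slides; it needs only the Python standard library and can be checked against the published RC4 test vector, in which the key "Key" turns "Plaintext" into bbf316e8d940af0ad3.

```python
"""RC4: key scheduling (slide 8) and key-stream generation (slide 9), then XOR.
Added example, standard library only. RC4 is shown for study; it is not safe
for new designs."""
from typing import Iterator


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive a key-dependent permutation S of 0..255.
    A key shorter than 256 bytes is repeated cyclically: k_i = key[i mod len(key)]."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]          # exchange S_i and S_j
    return S


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Pseudo-random generation algorithm: yields one key-stream byte per step."""
    S = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]          # exchange S_i and S_j
        t = (S[i] + S[j]) % 256
        yield S[t]                       # output byte B = S_t


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): data XOR key stream, byte by byte."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def rc4_keystream_bytes(key: bytes, n: int) -> bytes:
    """First n key-stream bytes, for comparison against published test vectors."""
    ks = rc4_keystream(key)
    return bytes(next(ks) for _ in range(n))


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                      # published vector: bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", ct))         # decryption is the same XOR: b'Plaintext'
    print(rc4_keystream_bytes(b"Key", 9).hex())   # eb9f7781b734ca72a7
```

Note that there is no IV anywhere in the algorithm: two messages encrypted under the same key are XORed with the same keystream, which is exactly the seed-reuse problem the OFB and CTR slides warn about. WEP worked around this by prepending a 24-bit per-packet IV to the key, and collisions in that small IV space were among the flaws that broke it.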

  10. Real-world block ciphers
  • DES (64-bit block, 56-bit key); 3-DES (64-bit block, 112- or 168-bit key)
  • AES (Rijndael) (128-bit block; 128-, 192- or 256-bit key)
  • RC2
  • RC5
  • IDEA (64-bit block, 128-bit key)
  • Blowfish, CAST
  • GOST

  11. ECB mode encryption (Electronic Code Book)
  C_i = E_k(P_i): encrypt each plaintext block separately

  12. Properties of ECB
  • Simple and efficient
  • Parallel implementation possible
  • Does not conceal plaintext patterns: equal plaintext blocks give equal ciphertext blocks
  • Active attacks are possible: the plaintext can be manipulated by removing, repeating or interchanging ciphertext blocks

  13. ECB: plaintext repetitions
  [figure: a plaintext with repeated blocks, its ECB ciphertext, in which the repetitions are still visible, and the ciphertext of a good mode, in which they are hidden]

  14. CBC (Cipher Block Chaining) mode
  C_i = E_k(m_i ⊕ C_{i-1}), with C_0 = seed (the initialization vector, IV)
  The previous ciphertext block is XORed with the current plaintext block before the current block is encrypted.
  • The seed starts the chain; it can be sent without encryption
  • Seed = 0 is safe in most but NOT all cases (e.g. if the file with the salaries is sent once a month under the same key and the same seed, anyone seeing the ciphertexts can tell at which block the salaries first changed); therefore a fresh random seed for every message is better

  15. CBC (Cipher Block Chaining): decryption
  m_i = D_k(C_i) ⊕ C_{i-1}
  Problem: IF a transmission error flips one bit of C_{i-1}, THEN block m_i changes in a predictable way (the same bit flips) BUT m_{i-1} changes unpredictably (the whole block is garbled).
  Solution: always use an error-detecting code (for example a CRC) to check the quality of the transmission. Caveat: a CRC detects accidental errors, not deliberate modification; the predictable bit flip above is exactly what an active attacker exploits, so integrity against tampering requires a MAC.

  16. Properties of CBC
  • Self-synchronizing (asynchronous) behaviour: ciphertext block C_i enters the decryption of m_i and m_{i+1} only
  • Errors in one ciphertext block propagate, but only to the next plaintext block
  • Conceals plaintext patterns
  • Encryption is inherently sequential (decryption can be parallelized)
  • Plaintext cannot be manipulated as easily as in ECB (but CBC alone gives no integrity guarantee)
  • Standard in most systems: SSL, IPsec etc.

  17. OFB mode (Output FeedBack)
  s_0 = seed, s_i = f(s_{i-1}), C_i = m_i ⊕ s_i (in practice f = E_k)
  An initialization vector s_0 is used as a "seed" for a sequence of keystream blocks s_i

  18. OFB mode: discussion
  • If f is public (known to the adversary) then the initial seed s_0 must be encrypted (why?)
  • If f is a cryptographic function that depends on a secret key then the initial seed can be sent in the clear (why?)
  • The initial seed must be changed for EVERY new message, even if it is protected and unknown to the adversary (if the adversary knows one plaintext/ciphertext pair produced with that seed, he recovers the keystream and can encrypt or decrypt any message of that length under the same seed; why?)
  • Extension: only k bits of each output block are used to compute the ciphertext (k-OFB)

  19. Properties of OFB
  • Synchronous stream cipher
  • Errors in the ciphertext do not propagate (a flipped ciphertext bit flips only that plaintext bit)
  • Pre-processing is possible (the keystream does not depend on the message)
  • Conceals plaintext patterns
  • Keystream generation is inherently sequential (no parallel implementation)
  • Active attacks by manipulating the ciphertext are possible: flipping a ciphertext bit flips the same plaintext bit

  20. CTR (Counter mode)
  C_i = m_i ⊕ E_k(seed + i - 1): the values seed, seed+1, seed+2, … are encrypted and XORed with m_1, m_2, m_3, …
  Similar to OFB
  • Repeating a seed under the same key is as dangerous as in OFB (the keystream repeats)
  • CTR vs OFB: with CTR you can decrypt starting from block i for any i (you do not need to decrypt from the first block, as in OFB); encryption and decryption can also run in parallel
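The modes of slides 11 to 20 in runnable form: ECB with the pattern leak of slide 13, CBC with the bit-flip experiment of slide 15, and CTR with the random-access decryption of slide 20 and the seed-reuse leak of slide 18. This is an added example for this page, not code from the original slides. The block cipher underneath is a toy 4-round Feistel network built on SHA-256, chosen only so that the example runs with the standard library and has no security value; the key, IV and plaintext values are constructed.

```python
"""ECB, CBC and CTR (slides 11-16 and 20) over a toy 64-bit block cipher.
Added example, standard library only. The cipher is a 4-round Feistel network
whose round function is SHA-256(key, round, half-block); it exists only so the
modes can be run offline and is NOT a secure cipher. Inputs are assumed to be
pre-padded to whole 8-byte blocks."""
import hashlib
from typing import List

BLOCK = 8    # bytes per block
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, r: int, half: bytes) -> bytes:
    """Keyed, round-dependent round function with a 4-byte output."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """E_k on one block: (L, R) -> (R, L xor F(R)) in each round."""
    L, R = block[:4], block[4:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _f(key, r, R))
    return L + R

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """D_k: undo the rounds in reverse order."""
    L, R = block[:4], block[4:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _f(key, r, L)), L
    return L + R

def _blocks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Slide 11: C_i = E_k(P_i), every block on its own."""
    return b"".join(toy_encrypt(key, p) for p in _blocks(pt))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Slide 14: C_i = E_k(m_i xor C_{i-1}), C_0 = IV (the slides' seed)."""
    out, prev = [], iv
    for m in _blocks(pt):
        prev = toy_encrypt(key, _xor(m, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Slide 15: m_i = D_k(C_i) xor C_{i-1}; block i needs only C_i and C_{i-1}."""
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_block(key: bytes, seed: bytes, i: int) -> bytes:
    """Key-stream block i = E_k(seed + i); the counter is a 64-bit big-endian integer."""
    ctr = (int.from_bytes(seed, "big") + i) % (1 << 64)
    return toy_encrypt(key, ctr.to_bytes(BLOCK, "big"))

def ctr_crypt(key: bytes, seed: bytes, data: bytes) -> bytes:
    """Slide 20: XOR with E_k(seed), E_k(seed+1), ...; decryption is the same call."""
    return b"".join(_xor(b, ctr_block(key, seed, i)) for i, b in enumerate(_blocks(data)))

def ctr_decrypt_block(key: bytes, seed: bytes, ct: bytes, i: int) -> bytes:
    """Random access: plaintext block i without touching any earlier block."""
    return _xor(ct[i * BLOCK:(i + 1) * BLOCK], ctr_block(key, seed, i))

def repeated_blocks(ct: bytes) -> int:
    """Slide 13: number of ciphertext blocks that repeat an earlier one."""
    bs = _blocks(ct)
    return len(bs) - len(set(bs))

def cbc_bitflip_diff(key: bytes, iv: bytes, pt: bytes, block: int, bit: int) -> List[bytes]:
    """Slide 15: flip one bit in ciphertext block `block`, decrypt, and return per
    plaintext block the XOR of original and tampered plaintext."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[block * BLOCK] ^= 1 << bit
    tampered = cbc_decrypt(key, iv, bytes(ct))
    return [_xor(a, b) for a, b in zip(_blocks(pt), _blocks(tampered))]

def seed_reuse_leak(key: bytes, seed: bytes, p1: bytes, p2: bytes) -> bytes:
    """Slides 18/20: same key and seed twice gives c1 xor c2 == p1 xor p2."""
    return _xor(ctr_crypt(key, seed, p1), ctr_crypt(key, seed, p2))

if __name__ == "__main__":
    key, iv = b"toy-key", bytes(BLOCK)                  # constructed sample values
    pt = b"ABCDEFGH" * 3 + b"12345678"                  # three equal blocks, then one more
    print("ECB repeats:", repeated_blocks(ecb_encrypt(key, pt)))        # 2
    print("CBC repeats:", repeated_blocks(cbc_encrypt(key, iv, pt)))    # 0
    print("CBC flip diffs:", [d.hex() for d in cbc_bitflip_diff(key, iv, pt, 1, 0)])
```

In the bit-flip output the tampered block itself comes back as garbage, the following block differs from the original in exactly the flipped bit, and every other block is untouched, which is the behaviour slide 15 describes and the reason CBC without a MAC is malleable.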

  21. AES proposed modes
  • CTR (Counter) mode (an OFB modification): parallel implementation, offline pre-processing, provable security, simple and efficient
  • OCB (Offset Codebook) mode: parallel implementation, offline pre-processing, provable security (under specific assumptions), authenticity

  22. Strengthening a Given Cipher • Design multiple key lengths – AES • Whitening - the DESX idea • Iterated ciphers – Triple DES (3- DES), triple IDEA and so on

  23. Triple cipher - diagram
  P → E_k1 → E_k2 → E_k3 → C

  24. Iterated ciphers
  • The plaintext is encrypted repeatedly with the underlying cipher
  • Ideally each stage uses a different key
  • In practice the triple cipher is usually C = E_k1(E_k2(E_k1(P))) [EEE mode] or C = E_k1(D_k2(E_k1(P))) [EDE mode]
  • EDE is more common in practice: with k1 = k2 it collapses to a single encryption E_k1(P), so a triple-cipher device can still talk to single-cipher peers

  25. Two or three keys
  • Sometimes only two keys are used in 3-DES
  • The identical key must be used at the beginning and at the end
  • Legal advantage (export licence) due to the smaller overall key size
  • Used as a KEK in the BPI protocol, which secures the DOCSIS cable modem standard

  26. Adversary's goal
  • Final goal: find the secret key
  • Partial goals:
    – Reduce the number of possible keys
    – Detect patterns in the text
    – Decode part of the text
    – Modify the ciphertext so as to obtain a plausible plaintext (even without breaking the cipher; even without knowing exactly which modifications result)

  27. Repeated encryption
  • To increase robustness, encrypt multiple times. How many times? 2, 3, … 678?
  • In practice the triple cipher is C = E_k1(E_k2(E_k1(P))) [EEE mode] or C = E_k1(D_k2(E_k1(P))) [EDE mode]; EDE is more used

  28. Double DES: meet-in-the-middle attack
  Encrypt twice with two different keys? NO: the meet-in-the-middle attack makes the second key almost free.
  Requirements
  – Known plaintext and ciphertext
  – about 2^(k+1) encryptions and decryptions for 2 keys of k bits (2^k encryptions of the plaintext plus 2^k decryptions of the ciphertext), instead of the 2^(2k) of brute force
  – k · 2^k bits of memory for the table
  – Idea: compute all possible encryptions of the plaintext and all possible decryptions of the ciphertext, and look for a pair of keys that transforms the plaintext into the ciphertext (the two computations "meet in the middle"). With an n-bit block, one known pair leaves about 2^(2k-n) false matches, which are eliminated with further known pairs.
  – Note: the method applies to every block cipher
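The attack of slide 28 carried out on a toy cipher. This is an added example, not code from the original slides. The cipher is a constructed 16-bit block cipher with 16-bit keys (no security value of its own), chosen so that the whole 2^16 key space fits in a dictionary and the attack finishes in under a second with the standard library; the two secret keys and the known plaintexts are constructed values. The filtering step shows a detail the slide leaves implicit: with a 16-bit block, one known pair leaves roughly 2^(32-16) = 2^16 candidate key pairs, so additional known pairs are needed to single out the right one.

```python
"""Meet-in-the-middle against double encryption (slide 28), run on a toy cipher.
Added example. The cipher is a deliberately tiny 16-bit block cipher with a
16-bit key (add key, multiply by an odd constant mod 2^16, rotate, xor key) so
that the whole key space can be enumerated quickly; it has no security value."""
from typing import Dict, List, Set, Tuple

MASK = 0xFFFF
MUL = 0x9E37                        # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)
KEY_BITS = 16
BLOCK_BITS = 16


def toy_encrypt(key: int, x: int) -> int:
    """E_k on a 16-bit block."""
    x = (x + key) & MASK
    x = (x * MUL) & MASK
    x = ((x << 5) | (x >> 11)) & MASK    # rotate left by 5
    return x ^ key


def toy_decrypt(key: int, y: int) -> int:
    """D_k: undo the steps of toy_encrypt in reverse order."""
    x = y ^ key
    x = ((x >> 5) | (x << 11)) & MASK    # rotate right by 5
    x = (x * MUL_INV) & MASK
    return (x - key) & MASK


def double_encrypt(k1: int, k2: int, p: int) -> int:
    """C = E_k2(E_k1(P)): the 'encrypt twice with two keys' proposal."""
    return toy_encrypt(k2, toy_encrypt(k1, p))


def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> Set[Tuple[int, int]]:
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs with about
    2 * 2^KEY_BITS cipher operations instead of 2^(2*KEY_BITS) for brute force."""
    p0, c0 = pairs[0]
    # Forward table: middle value E_k1(p0) -> every k1 that produces it. Several
    # k1 can collide on one middle value, so the table keeps lists, not one key.
    table: Dict[int, List[int]] = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Backward pass: D_k2(c0) must equal a middle value already in the table.
    candidates = set()
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            candidates.add((k1, k2))
    # One pair leaves about 2^(2*KEY_BITS - BLOCK_BITS) = 2^16 false matches here;
    # the remaining known pairs weed them out.
    for p, c in pairs[1:]:
        candidates = {(k1, k2) for k1, k2 in candidates if double_encrypt(k1, k2, p) == c}
    return candidates


if __name__ == "__main__":
    k1, k2 = 0x1F2E, 0xC0DE                      # secret keys (constructed)
    known = [(p, double_encrypt(k1, k2, p)) for p in (0x0000, 0x1234, 0xBEEF, 0xCAFE)]
    print(meet_in_the_middle(known))              # {(7982, 49374)}
    print(f"work about 2^{KEY_BITS + 1} cipher calls instead of 2^{2 * KEY_BITS}")
```

For Double DES the same numbers become 2^57 operations and a 2^56-entry table against 2^112 for brute force, and a single 64-bit known pair leaves about 2^48 candidates, which is why the attack in the literature uses at least two known pairs.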

  29. Triple encryption
  P → E_k1 → E_k2 → E_k3 → C

  30. Triple encryption and CBC
  [figure: blocks M_1, M_2, …, M_n; IV = 0000000; three layers E_k1, E_k2, E_k3; outputs C_1, C_2, …]
  In the picture: outer CBC, i.e. each block is encrypted with the triple cipher as a whole and the chaining is applied to the final ciphertext.
  Other possibility: inner CBC, where the chaining is applied separately at each of the three encryption layers.

  31. Groups and Fields; AES (Advanced Encryption Standard)

  32. Review - Groups (+, 0 and -a are only notations!)
  Def (group): a set G with a binary operation + (addition) is called a commutative group if
  1. ∀ a,b ∈ G: a+b ∈ G (closure)
  2. ∀ a,b,c ∈ G: (a+b)+c = a+(b+c) (associativity)
  3. ∀ a,b ∈ G: a+b = b+a (commutativity)
  4. ∃ 0 ∈ G such that ∀ a ∈ G: a+0 = a (identity)
  5. ∀ a ∈ G ∃ -a ∈ G: a+(-a) = 0 (inverse)

  33. Subgroups
  • Let (G,+) be a group; (H,+) is a subgroup of (G,+) if H ⊆ G and (H,+) is itself a group.
  • Claim: let (G,+) be a finite group and H ⊆ G non-empty. If H is closed under +, then (H,+) is a subgroup of (G,+).
  • Examples
  • Lagrange's theorem: if G is finite and (H,+) is a subgroup of (G,+), then |H| divides |G|

  34. Order of elements
  • Let a^n denote a+…+a (n times)
  • a has order n if a^n = 0 and a^m ≠ 0 for every m with 0 < m < n
  • Examples
  • Euler's theorem: in the multiplicative group Z_m^*, the order of every element divides φ(m) (so it is at most φ(m), and a^φ(m) = 1 for every a ∈ Z_m^*)

  35. Cyclic groups
  • Claim: let G be a group (written multiplicatively) and a an element of order n. The set <a> = {1, a, …, a^(n-1)} is a subgroup of G.
  • a is called the generator of <a>.
  • If G is generated by a, then G is called cyclic and a is called a primitive element of G.
  • Theorem: for any prime p, the multiplicative group Z_p^* is cyclic

  36. Group examples
  Z = set of integers (positive and negative); Z_n = integers modulo n = {0, 1, 2, …, n-1}; Z_n^* = {1, 2, 3, …, n-1}
  - Z with addition is a group (0 identity; -a inverse of a)
  - Z_n with addition is a group (0 identity; -a = n-a inverse of a)
  - Z with multiplication is NOT a group (inverses exist only for 1 and -1)
  - The non-zero rational numbers with multiplication form a group
  - {1, 2, …, n-1} with multiplication [a mod n] is NOT ALWAYS a group
    - n = 6: {1,2,3,4,5} is not closed (2·3 = 0 mod 6)
    - n prime: it is a group
  - Z_n^* = {a mod n : gcd(a,n) = 1} with multiplication IS a group (1 is the identity; if as + nt = 1 then s mod n is the inverse of a)
    - n = 15: {1,2,4,7,8,11,13,14}
    - n = 5: {1,2,3,4} (in fact all of them are coprime with 5)
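Slides 33 to 36 checked by computation: the unit group Z_n^*, the closure test that fails for {1,…,5} mod 6, inverses from as + nt = 1 via the extended Euclidean algorithm, element orders, the Lagrange/Euler divisibility, and the primitive elements of Z_p^*. This is an added example, not part of the original slides; it uses only the Python standard library.

```python
"""The groups of slide 36 worked out: units of Z_n, inverses via a*s + n*t = 1,
element orders, Lagrange/Euler (slides 33-34) and primitive elements (slide 35).
Added example, standard library only."""
from math import gcd
from typing import Iterable, List, Optional, Tuple


def units_mod(n: int) -> List[int]:
    """Z_n^* = {a in 1..n-1 : gcd(a, n) = 1}; its size is phi(n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def is_closed_under_mul(subset: Iterable[int], n: int) -> bool:
    """Closure check (slides 33/36): {1..5} mod 6 fails because 2*3 = 0."""
    elems = list(subset)
    s = set(elems)
    return all((a * b) % n in s for a in elems for b in elems)


def ext_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid: returns (g, s, t) with a*s + b*t = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def inverse_mod(a: int, n: int) -> Optional[int]:
    """If a*s + n*t = 1 then s (mod n) is the inverse of a; None if gcd(a, n) != 1."""
    g, s, _ = ext_gcd(a % n, n)
    return s % n if g == 1 else None


def order_mod(a: int, n: int) -> Optional[int]:
    """Smallest m >= 1 with a^m = 1 (mod n) (slide 34); None if a is not a unit."""
    if gcd(a, n) != 1:
        return None
    x, m = a % n, 1
    while x != 1:
        x, m = (x * a) % n, m + 1
    return m


def lagrange_euler_hold(n: int) -> bool:
    """Every element order divides |Z_n^*| = phi(n) (Lagrange), hence a^phi(n) = 1 (Euler)."""
    units = units_mod(n)
    phi = len(units)
    return all(phi % order_mod(a, n) == 0 and pow(a, phi, n) == 1 for a in units)


def primitive_elements(p: int) -> List[int]:
    """Generators of Z_p^* (slide 35): elements of order p-1. Non-empty when p is prime,
    empty for a modulus such as 15 whose unit group is not cyclic."""
    return [a for a in units_mod(p) if order_mod(a, p) == p - 1]


if __name__ == "__main__":
    print(units_mod(15))                          # [1, 2, 4, 7, 8, 11, 13, 14]
    print(is_closed_under_mul(range(1, 6), 6))    # False: 2*3 = 0 mod 6
    print(inverse_mod(7, 15), inverse_mod(2, 6))  # 13 (7*13 = 91 = 6*15 + 1), None
    print(order_mod(2, 15), lagrange_euler_hold(15))   # 4 (divides phi(15) = 8), True
    print(primitive_elements(7), primitive_elements(15))  # [3, 5], []
```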
