Shift Cipher. Ahmet Burak Can Hacettepe University. Substitution Cipher. Enigma Machine. How perfect secrecy can be satisfied?

Similar documents
Lecture 4 Data Encryption Standard (DES)

1 Data Encryption Algorithm

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

Cryptography and Network Security Block Cipher

Cryptography and Network Security

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Network Security - ISA 656 Introduction to Cryptography

Network Security: Secret Key Cryptography

How To Encrypt With A 64 Bit Block Cipher

Overview of Symmetric Encryption


Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

CSCE 465 Computer & Network Security

The Advanced Encryption Standard (AES)

Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

How To Understand And Understand The History Of Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography

Cryptography and Network Security Chapter 3

EXAM questions for the course TTM Information Security May Part 1

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Table of Contents. Bibliografische Informationen digitalisiert durch

AES Cipher Modes with EFM32

Cryptography and Network Security Chapter 12

SSL Firewalls

F3 Symmetric Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

A PPENDIX G S IMPLIFIED DES

Modes of Operation of Block Ciphers

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Network Security. Modes of Operation. Steven M. Bellovin February 3,

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

Secret File Sharing Techniques using AES algorithm. C. Navya Latha Garima Agarwal Anila Kumar GVN

The Misuse of RC4 in Microsoft Word and Excel

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

6 Data Encryption Standard (DES)

CIS433/533 - Computer and Network Security Cryptography

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Message Authentication

Introduction. Where Is The Threat? Encryption Methods for Protecting Data. BOSaNOVA, Inc. Phone: Web:

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

MAC. SKE in Practice. Lecture 5

CS 758: Cryptography / Network Security

Talk announcement please consider attending!

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Symmetric Key cryptosystem

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

7! Cryptographic Techniques! A Brief Introduction

Introduction to Hill cipher

The Encryption Technology of Automatic Teller Machine Networks

WINTER SCHOOL ON COMPUTER SECURITY. Prof. Eli Biham

Evaluation of the RC4 Algorithm for Data Encryption

CRC Press has granted the following specific permissions for the electronic version of this book:

Network Security. Omer Rana

Solutions to Problem Set 1

CS 0427 Network Security. Slides Courtesy of William Stallings, Cryptography & Network Security, Pearson Education, 4th Edition

Network Security. Chapter 2 Basics 2.1 Symmetric Cryptography. Cryptographic algorithms: outline. Basic Terms: Block cipher and Stream cipher

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Authentication requirement Authentication function MAC Hash function Security of

Network Security: Cryptography CS/SS G513 S.K. Sahay

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Cryptographic Engine

Effective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

The Advanced Encryption Standard: Four Years On

Message Authentication Codes. Lecture Outline

{(i,j) 1 < i,j < n} pairs, X and X i, such that X and X i differ. exclusive-or sums. ( ) ( i ) V = f x f x

IronKey Data Encryption Methods

SeChat: An AES Encrypted Chat

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

A Comparison of the 3DES and AES Encryption Standards

Cryptography and Network Security Chapter 11

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Cryptography Exercises

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

A Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms.

ARCHIVED PUBLICATION

Lecture 9 - Network Security TDTS (ht1)

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

A NEW APPROACH FOR COMPLEX ENCRYPTING AND DECRYPTING DATA

RSA BSAFE. Crypto-C Micro Edition for MFP SW Platform (psos) Security Policy. Version , October 22, 2012

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Introduction to Encryption

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols

Lecture 3: Block Ciphers and the Data Encryption Standard. Lecture Notes on Computer and Network Security. by Avi Kak

Chapter 8. Network Security

AVR1318: Using the XMEGA built-in AES accelerator. 8-bit Microcontrollers. Application Note. Features. 1 Introduction

Today. Network Security. Crypto as Munitions. Crypto as Munitions. History of Cryptography

Improving Performance of Secure Data Transmission in Communication Networks Using Physical Implementation of AES

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory 1 / 53

Computer Security CS 426. CS426 Fall 2010/Lecture 40 1

Cryptographic mechanisms

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

AStudyofEncryptionAlgorithmsAESDESandRSAforSecurity

Secure Network Communication Based on Text-to-Image Encryption

Message Authentication Code

Transcription:

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Basic Ciphers Shift Cipher Brute-force attack can easily break Substitution Cipher Frequency analysis can reduce the search space Vigenere Cipher Kasiski test can reveal the length of key Enigma Machine The capture of the daily codebook How perfect secrecy can be satisfied? 1 2 One Time Pad Basic Idea: Extend Vigenère cipher so that the key is as long as the plaintext Key is a random string and is used only once Encryption is similar to Vigenère Cannot be broken by frequency analysis or Kasiski test Plaintext P = (x 1 x 2 x n ) Key K = (k 1 k 2 k n ) Ciphertext C = (y 1 y 2 y n ) The Binary Version of One-Time Pad Plaintext space = Ciphtertext space = Keyspace = {0,1} n Key is chosen randomly For example: Plaintext 11011011 Key 01101001 Ciphertext 10110010 E k (X) = (x 1 +k 1 x 2 +k 2 x n +k n ) mod m D k (Y) = (y 1 -k 1 y 2 -k 2 y n -k n ) mod m 3 4 Security of One Time Pad How good is the security of one time pad? The key is random, so ciphertext is completely random Any plaintext can correspond to a ciphertext with the same length A scheme has perfect secrecy if ciphertext provides no information about plaintext C. E. Shannon, 1949 One-time pad has perfect secrecy For example, suppose that the ciphertext is Hello, can we say any plaintext is more likely than another plaintext? Importance of Key Randomness For perfect secrecy, key-length msg-length What if a One-Time Pad key is not chosen randomly, instead, texts from, e.g., a book is used. this is not One-Time Pad anymore this does not have perfect secrecy and can be broken The key in One-Time Pad should never be reused. If it is reused, it is insecure! How to send the key to the receiver of the ciphertext? These requirements make One Time Pad impractical. 5 6

Block Ciphers Block Cipher = Symmetric key encryption = Conventional Encryption Block ciphers can be considered as substitution ciphers with large block size ( 64 bits) Map n-bit plaintext blocks to n-bit ciphertext blocks (n: block size). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a one-to-one function Block Ciphers Block size: in general larger block sizes mean greater security. Key size: larger key size means greater security (larger key space). Number of rounds: multiple rounds offer increasing security. Encryption modes: define how messages larger than the block size are encrypted, very important for the security of the encrypted message. 7 8 A Simple Block Cipher: Hill Cipher The key k is a matrix. The message is considered as vectors. Encryption and decryption operations are matrix multiplication operations Encryption: C = k.p (mod 26) Decryption: P = k -1.C (mod 26) Example: The plaintext is `CAT` converted to numeric values (2, 0, 19). If the key is An Insecure Block Cipher Hill cipher is insecure since it uses linear matrix operations. Each output bit is a linear combination of the input bits An insecure block cipher uses linear equations Hill Cipher can easily be broken by known-plaintext attack An attacker knowing a plaintext and ciphertext pair can easily figure out the key matrix. Encryption: C=`FIN` 9 10 Feistel Network A Feistel Network is fully specified given the block size: n = 2w number of rounds: d d round functions f 1, f 2, f d : {0,1} w {0,1} w Each f function is a SP cipher Feistel Network Encryption L 1 =R 0 R 1 =L 0 f 0 (R 0 ) L 2 =R 1 R 2 =L 1 f 1 (R 1 ) w bits Plaintext (2w bits) w bits L d=r d-1 R d=l d-1 f d-1(r d-1) L 0 R 0 Feistel Network are used in DES, IDEA, RC5, and many other block ciphers. Not used in AES Decryption R d-1 =L d L d-1 =R d f d-1 (L d ) R 0 =L 1 L 0 =R 1 f 0 (L 1 ) f 0 L 1 R 1 f 1 K 0 K 1 11 12

History of Data Encryption Standard (DES) 1967: Feistel at IBM Lucifer: block size 128; key size 128 bit 1972: NBS asks for an encryption standard 1975: IBM developed DES (modification of Lucifer) block size 64 bits; key size 56 bits 1975: NSA suggests modification 1977: NBS adopts DES as encryption standard in (FIPS 46-1, 46-2). 2001: NIST adopts Rijndael (AES) as replacement to DES. DES Features Features: Block size = 64 bits Key size = 56 bits Number of rounds = 16 16 intermediary keys, each 48 bits 13 14 DES Structure Details of DES Rounds An initial permutation is applied on the plaintext IP(x) = L 0 R 0 In each round: L i = R i-1 R i = L i-1 f(r i-1, K i ) 15 16 Details of DES Rounds DES f Function After the last round y = IP -1 (R 16 L 16 ) 17 18

DES S-boxes S-boxes are the only non-linear elements in DES design B(6 bits) S-Box C(4 bits) B = b 1 b 2 b 3 b 4 b 5 b 6 -> row=b 1 b 6 column=b 2 b 3 b 4 b 5 Example: B = 011011 row= 01 column=1101 Middle 4 bits of input 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 DES Weak Keys Weak keys: keys make the same sub-key to be generated in more than one round. Result: reduce cipher complexity Weak keys can be avoided at key generation. DES has 4 weak keys: 0000000 0000000 0000000 FFFFFFF FFFFFFF 0000000 FFFFFFF FFFFFFF Oute r bits 00 0010 1100 0100 0001 0111 1010 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001 01 1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1010 0011 1001 1000 0110 10 0100 0010 0001 1011 1010 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110 11 1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1010 0100 0101 0011 C = 1001 Semi-weak keys: A pair of DES semi-weak keys is a pair (K 1,K 2 ) with E K1 (E K2 (x))=x There are six pairs of DES semi-weak keys 19 20 Dictionary Attack to DES Even without having weak/semi-weak keys DES is vulnerable to dictionary attacks: Each plaintext may result in 2 64 different ciphertexts, but there are only 2 56 possible different key values. Given a PT/CT pair (M,C) Encrypt the known plaintext M with all possible keys. Keep a look up table of size 2 56. Look up C in the table Double DES DES uses a 56-bit key, this raised concerns about brute force attacks. One proposed solution: Double DES. Apply DES twice using two keys, K 1 and K 2. C = E K2 [ E K1 [ P ] ] P = D K1 [ D K2 [ C ] ] This leads to a 2x56=112 bit key, so it is more secure than DES. Is it? 21 22 Meet-in-the-middle Attack Goal: given the pair (P, C) find keys K 1 and K 2. Based on the observation: C = E K2 [ E K1 [ P ] ] D K2 [ C ] = E K1 [ P ] Encrypt P with all 2 56 possible keys K 1 Store all pairs ( K 1, E K1 [P] ), sorted by E K1 [P]. Decrypt C using all 2 56 possible keys K 2 For each decrypted result, check to see if there is a match D K2 (C) = E K1 (P). If a match is found, (K 1,K 2 ) is a possible match The attack has a higher chance of succeeding if another pair (P, C ) is available to the cryptanalysis. Triple DES Two key version is widely used and standard Key space is 56 x 2 = 112 bits Encrypt: C = E K1 [ D K2 [ E K1 [P] ] ] Decrypt: P = D K1 [ E K2 [ D K1 [C] ] ] Three key version is possible but not standard Key space is 56 x 3 = 168 bits Encrypt: C = E K3 [ D K2 [ E K1 [P] ] ] Decrypt: P = D K1 [ E K2 [ D K3 [C] ] ] No known practical attack against it. Some protocols/applications use 3DES (such as PGP) 23 24

Encryption Modes Electronic Code Book (ECB) Cipher Block Chaining (CBC) Output Feedback Mode (OFB) Cipher Feedback Mode (CFB) Counter Mode (CTR) Electronic Code Book (ECB) Message is broken into independent blocks of block_size bits. Electronic Code Book (ECB): each block encrypted separately. Encryption: C i = E k (P i ) Decrytion: P i = D k (C i ) 25 26 Properties of ECB Deterministic: the same data block gets encrypted the same way. This reveals patterns of data when a data block repeats. Malleable: reordering ciphertext results in reordered plaintext. Errors in one ciphertext block do not propagate. Usage: not recommended to encrypt more than one block of data. Cipher Block Chaining (CBC) Cipher Block Chaining (CBC): next input depends upon previous output Encryption: Decryption: C i = E k (M i C i-1 ), with C 0 =IV M i = C i-1 D k (C i ), with C 0 =IV 27 28 Properties of CBC Randomized encryption: repeated text gets mapped to different encrypted data. can be proven to be secure assuming that the block cipher has desirable properties and that random IV s are used A ciphertext block depends on all preceding plaintext blocks Sequential encryption, cannot use parallel hardware Block Ciphers vs. Stream Ciphers A block cipher operates on blocks of fixed length. A stream cipher is a symmetric key cipher where plaintext bits are combined with a pseudorandom cipher bit stream (keystream), typically by an exclusiveor (xor) operation. Errors in one block of ciphertext propagate to two blocks one bit error in C j affects all bits in M j and one bit in M j+1 29 30

Output Feedback (OFB) Output feedback (OFB): construct a pseudorandom number generator (PRNG) to obtain a one time pad and XOR the message with the pad y 0 =IV y i = E k [y i-1 ] Properties of OFB Randomized encryption Sequential encryption, but preprocessing possible Generate the key before the message comes Error propagation limited Only the changed bits are lost It can only be used as a stream cipher 31 32 Cipher Feedback (CFB) Cipher Feedback (CFB): the message is XORed with the feedback of encrypting the previous block Counter Mode (CTR) Counter Mode (CTR): Another way to construct pseudo random number generator using DES Y i = E k [counter+i] C i = Y i P i Sender and receiver share a counter value (does not need to be secret) and the secret key 33 34 Properties of CTR Software and hardware efficiency: different blocks can be encrypted in parallel. Preprocessing: the encryption part can be done offline and when the message is known, just do the XOR. Random Access: decryption of a block can be done in random order, very useful for hard-disk encryption. Messages of Arbitrary Length: ciphertext is the same length with the plaintext (i.e., no IV). 35

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information