Secret Key Cryptography

Ø          General Block Encryption:

The general way of encrypting a 64-bit block is to take each of the:
2⁶⁴ input values and map it to a unique one of the 2⁶⁴ output values.

This would take (2⁶⁴ )*(64) = 2⁷⁰  bits to store this map.

This is NOT practical.

 

Secret key cryptographic systems take a reasonable length key

(e.g., 64 bits) and generate a one-one mapping that looks,

to someone who does not know the key, completely random.

I.e., any single bit change in the input results in

a totally independent random number output.

 

Types of transformation for k-bit blocks:
 

·    Substitution:

For small values of k, specify for each of the

2^k possible values of the input, the k-bit output.

 

This takes k*2^k bits.

 

E.g., for k=8, we need 2048 bits.
 

·    Permutation:

For each of the I input bits, 

specify the output position to which it goes.

 

This takes I*log₂ I  bits.

E.g., for I=64, we need 64*5=320 bits

 

·     Rounds

 

If we do only a single round,

then a bit of input can only affect 8 bits of output.

 

There is optimal number of rounds to achieve complete randomization, e.g., 16.

 

The following figure (Fig. 3-1) shows a secret key algorithm based on rounds of substations and permutation.

 

It takes the same effort to reverse (decrypt).

 

 

 

 

Ø     Data Encryption Standard (DES):

 

 

Key length: 64 bits

8 bits are used for parity check,
why is that?

to make it 265 times less secure!

Read why 56 bits? section in the textbook J

 

How secure is DES?

 

In 1998,  $150K machine can break the key in 5 days!
For added security triple DES is used.

 

q       Basic Structure of DES: (Fig. 3-2)
 

The decryption works by essentially running DES backward

with keys in reverse order: K16 .. K1.

 

q       The Permutation of Data (Fig. 3-3 )

This is not random,

See  Fig. 3-3  to get IP, and

Reverse the arrows to get IP^-1

 

^{In the IP table:}

^{bit 1 comes from bit 58,}

^{bit 2 comes from bit 50,  etc.}

^{The first octet of the input (ABC....H) is distributed over the 8 octets of the output:}

^{A to 5th octet,}

^{B to 1st Octet, ...}

^{H to 4th octet.}

q       Generating the Per-Round Keys:
 

• Key-Permutation: (Fig. 3-4) Produces C₀ and D₀

 

         C0                       D0

• Key-Generation: (Fig. 3-5)

Eight bits are discarded at positions:

9,   18, 22, 25  from C_i  & 35, 38, 43, 54  from D_i

so that each K_i  is 48 bits.

 

q       A DES Round:  (Fig. 3-6)

 
Why decryption works?

 

• The output of the Mangler Function  (M)

is the same for both encryption and decryption.

• In encryption: M ® L_n = R_n+1
• In decryption: M ® R_n+1 = M ® ( M ® L_n ) = L_n

 

q       The Mangler Function: 

• Expands R from 32 bit à 48 bits as shown in Fig3-7:

It breaks R into eight 4-bit chunks and

Expand each to 6-bit by concatenating the adjacent  2 bits.

 

• Let CR_i refer to i^th  chunk of the expanded R.

 

• The 48-bit K is broken to eight 6-bit chunks.

 

• Let CK_i refer to the i^th  chunk of  K.

 

• Let S_i  = CR_i ® CK_i

 

• S_i is fed into an S-box, a substitution which produces

   4-bit output for each possible 6-bit input (Figure 3-8)

    i.e., 4 inputs are mapped to 1 output.

• The 8 S-boxes are specified  in  Fig. 3-9 to 3-16:

Two of these tables are shown below.

 

 

• The output of the eight S-boxes is permuted as shown in Fig. 3-17.

This is to ensure that the output of an S-box in one round

affects the input of multiple  S-boxes on the next round.

 

 

 

 

q       What's So Special about DES?
 

The S-boxes!

Are they random? No one knows.

Playing around with the S-boxes can be dangerous!

 

 

 

Ø          International Data Encryption Algorithm (IDEA):

 

Encrypts 64-bit blocks using 128-bit key.

It is similar to DES since it:

• operates in rounds
• the mangler function runs in the same direction

   for both encryption and decryption.

 Fig. 3-18 shows the basic Structure of IDEA:

 

IDEA operations:
 

®   Exclusive OR
+    Addition mod 2¹⁶ and
x    Multiplication mod 2¹⁶

 

     These operations are reversible:

a ® K = A     »      A ® K     =  a          since    (a ® K) ® K   = a
a + K = A      »     A + (-K)  =  a           since   (a + K) + (-K) = a
a x K  = A     »     A x (K^-1) =  a           since   (a x K) x (K^-1) = a
 
 

Key Expansion:

^{The 128-bit key is expanded into:}

      ^{Fifty two  16-bit-keys:  K1, K2 , ....K52.
After generating the first 8 keys (Fig. 3-19),
Shift  25 bits  and continue the generation (Fig. 3-20).}

 

    Figure 3-20
 

Rounds:

      Total number of rounds: 17:

    odd: 1, 3, ...17  & 

    even 2, 4, .., 16

 

Odd Round:  (Fig. 3-21) 

This is reversible using the inverse keys.

 

 

Even Round: (Fig. 3-22)

 

 

How to reverse?

Just apply it again, using the same keys

(not the inverse  keys as in odd rounds!).

Why?

From Figure 3-22 we have:   

X'a = Xa ® Yout
X'b = Xb ® Yout
Yin = Xa ® Xb

Thus:
      X'a ®  X'b = (Xa ® Yout ) ® (Xb ® Yout)
                        = Xa ® Xb
                        = Yin

Yin is the same if we use  either (Xa ,  Xb)  or  (X'a , X'b)

Similarly,

Zin  is the same if we use either (Xc ,  Xd)  or  (X'c , X'd)

Thus,

Yout  & Zout are the same in both encryption and decryption.

Since we know Yout and Zout we can get:   

X'a ® Yout = (Xa  ® Yout) ® Yout = Xa

 

      Similarly we can get: Xb,  Xc and  Xd

 

Inverse Keys for Decryption:
 

Encryption keys:

        K1           K2        K3          K4          K5      K6         ......

Decryption Keys:

     (K49)^-1   -(K50)   -(K51)    (K52)^-1   K47    K48         ......

 

 

Ø          Advanced  Encryption Standard (AES):

 

   Developed with the help of NIST as an

Efficient,

Flexible,

Secure and

Unencumbered (free to implement)

Encryption Standard for protecting:

     sensitive, non-classified, U.S. government information.

 
NIST selected an algorithm called Rijndael,

     named after two Belgium cryptographers.

It uses a variety of block and key sizes:

     128, 192 and 256

 and the standards are named:

AES-128, AES-192, AES-256

Block sizes are fixed in all to 128 bits.

It is similar to both DES and IDEA in that there is

rounds and key expansion.

 

Basic Structure: (Figure 3-23)

 

 

Nb: the number of 32-bit words in an encryption block.

for AES-128:  Nb = 4.

 

Nk: the number of 32-bit words in an encryption key.

       for AES-128: Nk = 4.

 

Nr: the number of rounds. It should be large enough to allow sufficient mixing   so   that each bit of a plain text block or a key has a complex effect on each bit of the resulting cipher text.

 
           Nr = 6 + Max (Nb, Nk),

for AES-128: Nr = 10.

Primitive Operations:
 

• ® XOR
• Octet-Substitution (S-box, Figure 3-24)
•  Rearrangement of octets (rotating rows and columns)
• An MixColumn operation:  Replace a column with another:

1.  Each octet of the input column is used as index to retrieve a column from a table (Figure 3-26).

2.  Each retrieved column is rotated and

3.  The four rotated columns are ®'d to produce the output column (Figure 3-25).

 

 

                        Figure 3-26. MixColumn Table

Inverse Cipher:

 

·         ® is its own inverse

·         The inverse of S-box is given by a different table (Fig 3-27)

·         Rotating is inverted by another rotation in the opposite direction.

·         The inverse of MixColumn is called InvMixCoumn

    is similar to  MixColumn using a different table (Fig 3-28).

 

Key Expansion:

Arrange the key as Nk columns and

Iteratively generate the next Nk columns (see Figure 3-29 and 3-30).

The Ci are constants defined  in Figure 3-31.
 

 

Rounds:

Each round is an identical sequence of 3 operations:

1. Each octet of the state has the S-box applied.
2. For AES-128:
    Row  i of the state  is rotated  left i columns (i=0, 1, 2, 3).
3. Each column of the state has MixColumn applied to it
   

Inverse Rounds:

Since each operation is invertible, decryption is done by performing the inverse of each operation in the opposite order and using the round keys in the reverse order.

 

 

Ø          RC4

 

RC4 is a stream cipher designed by Ron Rivest.

 

A long random string is called a one-time pad.

Page 93 gives a C code for RC4 one-time pad generator.

 

A stream cipher generates a one-time pad and

applies it to a stream of plain text with ®.

 

 

Ø          Block Chaining: Encrypting a Large Massage

 

·     Electronic Code Book (ECB):

Break the message into 64-bit blocks (padding the last one) and

Encrypt each block with the secret key.

Two problems:

·      Two identical plaintext blocks produces two identical cipher blocks

·      Blocks can be rearranged or modified.

 

Example: See Fig. 4-3 where an eavesdropper:

·      Can see which sets of employees have identical or similar salaries &

·     Can alter own salary to match another employee with higher salary.