Secret Key Cryptography



General Block Encryption:

A substitution table for 3-bit blocks (input → output):

    000 → 101
    001 → 110
    010 → 001
    011 → 000
    100 → 100
    101 → 011
    110 → 111
    111 → 010

For a block size of 3 bits, the table size is: 2^3 * 3 = 8 * 3 = 24 bits.

- The general way of encrypting a 64-bit block is to take each of the 2^64 input values and map it to a unique one of the 2^64 output values.

But this would take (2^64) * 64 = 2^70 bits to store this map table.

This is about 10^21, and since a tera is 10^12, that is about a billion tera bits.

This is NOT practical.

- Secret key cryptographic systems take a reasonable length key (e.g., 64 bits) and generate a one-to-one mapping that looks, to someone who does not know the key, completely random.

I.e., any single bit change in the input results in a totally independent random number as output.

 

Types of transformation for k-bit blocks:

- Substitution:

For small values of k, specify for each of the 2^k possible values of the input the k-bit output.

This takes k * 2^k bits for the map table.

E.g., for k = 8, we need 2048 bits.
 

- Permutation:

A permutation of 8 bit positions (input position → output position):

    000 → 011
    001 → 100
    010 → 101
    011 → 010
    100 → 110
    101 → 111
    110 → 001
    111 → 000

Table size: 8 * log2(8) = 8 * 3 = 24 bits

For each of the n input bits, specify the output position to which it goes.

This takes n * log2(n) bits.

E.g., for n = 64, we need 64 * 6 = 384 bits.

 

- Rounds:

If we do only a single round, then a bit of input can only affect 8 bits of output.

There is an optimal number of rounds to achieve complete randomization, e.g., 16.

The following figure (Fig. 3-1) shows a secret key algorithm based on rounds of substitutions and permutations.

It takes the same effort to reverse (decrypt).

 

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-1.gif
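As an added example (not part of the lecture notes), the two 3-bit tables above combined into a toy substitution-permutation network: substitution runs over the eight 3-bit chunks of a 24-bit block, the bit permutation runs within each octet, and decryption undoes each step in reverse order with the same amount of work. The 24-bit block layout and the round count are choices made here, not from the notes.

```python
# Added example, not from the lecture notes: a toy SP-network built from the
# two 3-bit tables above. Block layout (24 bits) and round count are assumptions.
from math import log2

# Substitution table from the notes: 3-bit input value -> 3-bit output value.
SBOX = {0b000: 0b101, 0b001: 0b110, 0b010: 0b001, 0b011: 0b000,
        0b100: 0b100, 0b101: 0b011, 0b110: 0b111, 0b111: 0b010}
INV_SBOX = {v: k for k, v in SBOX.items()}           # "reverse the arrows"

# Permutation table from the notes: input bit position -> output bit position.
PERM = [0b011, 0b100, 0b101, 0b010, 0b110, 0b111, 0b001, 0b000]
INV_PERM = [PERM.index(i) for i in range(8)]

def substitution_table_bits(k):
    """k-bit substitution: 2^k entries of k bits each."""
    return k * 2 ** k

def permutation_table_bits(n):
    """n-position permutation: n entries of log2(n) bits each."""
    return n * int(log2(n))

def substitute(block, table):
    """Apply the 3-bit S-box to each of the eight 3-bit chunks of a 24-bit block."""
    out = 0
    for i in range(8):
        out |= table[(block >> (3 * i)) & 0b111] << (3 * i)
    return out

def permute(block, table):
    """Move bit i of every octet of the block to position table[i]."""
    out = 0
    for octet in range(3):
        byte = (block >> (8 * octet)) & 0xFF
        for i in range(8):
            out |= ((byte >> i) & 1) << (table[i] + 8 * octet)
    return out

def encrypt(block, rounds=16):
    """Each round: substitute, then permute (no key; the point is the structure)."""
    for _ in range(rounds):
        block = permute(substitute(block, SBOX), PERM)
    return block

def decrypt(block, rounds=16):
    """Same work as encryption: inverse permutation, then inverse substitution."""
    for _ in range(rounds):
        block = substitute(permute(block, INV_PERM), INV_SBOX)
    return block

def bits_affected(block, rounds):
    """Number of output bits that change when the lowest input bit is flipped."""
    return bin(encrypt(block, rounds) ^ encrypt(block ^ 1, rounds)).count("1")
```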


 

 

Data Encryption Standard (DES):

- Key length: 64 bits

8 bits are used for parity check. Why is that? To make it 256 times less secure!

Read the "Why 56 bits?" section in the textbook :)

How secure is DES?

In 1998, a $150K machine could break the key in 5 days! For added security, triple DES is used.

 

Basic Structure of DES: (Fig. 3-2)

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-2.gif

- The decryption works by essentially running DES backward with the keys in reverse order: K16 .. K1.

The Permutation of Data (Fig. 3-3)

This is not random. See Fig. 3-3 to get IP, and reverse the arrows to get IP^-1.

http://www.cs.odu.edu/~cs472/fall11/lectures/page66.gif

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-3.gif

In the IP table: bit 1 comes from bit 58 of the input, bit 2 comes from bit 50 of the input, etc.

The first octet of the input (ABC....H) is distributed over the 8 octets of the output: A to the 5th octet, B to the 1st octet, ... H to the 4th octet.

Generating the Per-Round Keys:

- Key Permutation: (Fig. 3-4) Produces C0 and D0

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-4.gif

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-4c0.gif
http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-4d0.gif

C0 (left)                D0 (right)

- Key Generation: (Fig. 3-5)

Eight bits are discarded at positions 9, 18, 22, 25 from Ci and 35, 38, 43, 54 from Di, so that each Ki is 48 bits.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-5.gif

 

http://www.cs.odu.edu/~cs472/fall11/lectures/page69-1.gif

http://www.cs.odu.edu/~cs472/fall11/lectures/page69-2.gif

A DES Round: (Fig. 3-6)

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-6.gif

Why does decryption work?

The output of the Mangler Function (M) is the same for both encryption and decryption.

- In encryption: M ⊕ Ln = Rn+1
- In decryption: M ⊕ Rn+1 = M ⊕ (M ⊕ Ln) = Ln
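The argument above in code, as an added example that is not from the lecture notes: a Feistel structure with a stand-in mangler (a SHA-256 based function, not DES's) and a toy key schedule (also not DES's). Only the shape matters: because M's output is XORed in, running the same rounds with the keys in reverse order recovers the plaintext.

```python
# Added example, not from the lecture notes: a Feistel cipher with an arbitrary
# mangler M. Decryption is the same code with the round keys reversed (K16..K1),
# because M XOR R_{n+1} = M XOR (M XOR L_n) = L_n. The mangler and key schedule
# below are stand-ins, not DES's.
import hashlib

MASK32 = 0xFFFFFFFF

def mangler(r, k):
    """Stand-in mangler: any function of (R, K) keeps the argument valid."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel_round(left, right, k):
    # L_{n+1} = R_n ; R_{n+1} = L_n XOR M(R_n, K_n)
    return right, left ^ mangler(right, k)

def feistel_encrypt(block64, round_keys):
    left, right = block64 >> 32, block64 & MASK32
    for k in round_keys:
        left, right = feistel_round(left, right, k)
    # Swap the halves back at the end, as DES does, so decryption is the same code
    return (right << 32) | left

def feistel_decrypt(block64, round_keys):
    """Run the identical rounds with the keys in reverse order."""
    return feistel_encrypt(block64, list(reversed(round_keys)))

def round_keys_from(key56, rounds=16):
    """Toy schedule (not DES's): rotate the 56-bit key and keep 48 bits."""
    keys = []
    for i in range(rounds):
        shift = i + 1
        rot = ((key56 << shift) | (key56 >> (56 - shift))) & ((1 << 56) - 1)
        keys.append(rot & ((1 << 48) - 1))
    return keys
```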

 

The Mangler Function:

- Expands R from 32 bits → 48 bits as shown in Fig. 3-7:

It breaks R into eight 4-bit chunks and expands each to 6 bits by concatenating the adjacent bit from each neighbouring chunk.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-7.gif

- Let CRi refer to the ith chunk of the expanded R.
- The 48-bit K is broken into eight 6-bit chunks.
- Let CKi refer to the ith chunk of K.
- Let Si = CRi ⊕ CKi

- Si is fed into an S-box, a substitution which produces a 4-bit output for each possible 6-bit input (Figure 3-8),
  i.e., 4 inputs are mapped to 1 output.

 

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-8.gif

- The 8 S-boxes are specified in Fig. 3-9 to 3-16:

Two of these tables are shown below.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-9.gif

- The output of the eight S-boxes is permuted as shown in Fig. 3-17.

This is to ensure that the output of an S-box in one round affects the input of multiple S-boxes in the next round.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-17.gif

What's So Special about DES?

The S-boxes!

Are they random? No one knows.

Playing around with the S-boxes can be dangerous!

 


 

 

International Data Encryption Algorithm (IDEA):

Encrypts 64-bit blocks using a 128-bit key.

It is similar to DES since:

- It operates in rounds.
- The mangler function runs in the same direction for both encryption and decryption.

Fig. 3-18 shows the basic structure of IDEA:

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-18.gif

IDEA operations:

⊕    Exclusive OR
+    Addition mod 2^16
x    Multiplication mod 2^16

These operations are reversible:

P ⊕ K = C     is reversed by     C ⊕ K = P           since (P ⊕ K) ⊕ K = P
P + K = C     is reversed by     C + (-K) = P        since (P + K) + (-K) = P
P x K = C     is reversed by     C x K^-1 = P        since (P x K) x K^-1 = P
 
 

Key Expansion:

The 128-bit key is expanded into fifty-two 16-bit keys: K1, K2, ...., K52.
After generating the first 8 keys (Fig. 3-19), shift 25 bits and continue the generation (Fig. 3-20).

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-19.gif

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3_20.gif
    Figure 3-20

Rounds:

Total number of rounds: 17:    odd: 1, 3, ..., 17        even: 2, 4, ..., 16

Odd Round: (Fig. 3-21)

This is reversible using the inverse keys.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-21.gif

Even Round: (Fig. 3-22)

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-22.gif

How to reverse?

Just apply it again, using the same keys (not the inverse keys as in the odd rounds!).

Why?

From Figure 3-22 we have:

X'a = Xa ⊕ Yout
X'b = Xb ⊕ Yout
Yin = Xa ⊕ Xb

X'a ⊕ X'b = (Xa ⊕ Yout) ⊕ (Xb ⊕ Yout) = Xa ⊕ Xb = Yin

Thus Yin is the same whether we use (Xa, Xb) or (X'a, X'b).

Similarly Zin is the same whether we use (Xc, Xd) or (X'c, X'd).

Therefore Yout and Zout are the same in both encryption and decryption.

Since we know Yout and Zout we can get:

X'a ⊕ Yout = (Xa ⊕ Yout) ⊕ Yout = Xa

Similarly we can get Xb, Xc and Xd.

 

Inverse Keys for Decryption:

Encryption keys:

 K1          K2          K3          K4          K5     K6     ......

Decryption keys:

 (K49)^-1    -(K50)      -(K51)      (K52)^-1    K47    K48    ......
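An added example (not from the lecture notes) covering three passages above: the subkey expansion (eight 16-bit keys, rotate left 25 bits, repeat until 52), which subkeys an even round consumes (so that decryption round 2 lands on K47, K48 as in the table above), and the even-round argument, with the round applied twice to show it undoes itself. The mangler here is a placeholder using only XOR and addition mod 2^16, not IDEA's actual multiply-add structure; any keyed function of (Yin, Zin, K5, K6) keeps the argument valid.

```python
# Added example, not from the lecture notes: IDEA subkey expansion as described
# above, the subkey offsets of each round (odd rounds use 4 keys, even rounds 2),
# and an even round with a placeholder mangler (XOR and addition mod 2^16 only,
# not IDEA's real structure) to show that applying it twice with the same keys
# returns the input.
MASK16 = 0xFFFF

def idea_subkeys(key128):
    """Expand a 128-bit key into K1..K52 (index 0 of the list is K1)."""
    keys, k = [], key128
    while len(keys) < 52:
        for i in range(8):
            if len(keys) == 52:
                break
            keys.append((k >> (112 - 16 * i)) & MASK16)
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)   # rotate left 25 bits
    return keys

def round_key_offset(r):
    """0-based index of the first subkey used by round r (1-based)."""
    return 4 * (r // 2) + 2 * ((r - 1) // 2)

def even_round_keys(subkeys, r):
    """(K5, K6) of even round r."""
    off = round_key_offset(r)
    return subkeys[off], subkeys[off + 1]

def mangler(yin, zin, k5, k6):
    # Placeholder mangler; returns (Yout, Zout).
    t = (yin + k5) & MASK16
    u = ((t ^ zin) + k6) & MASK16
    return t ^ u, u

def even_round(x, k5, k6):
    """One even round on four 16-bit words (Xa, Xb, Xc, Xd)."""
    xa, xb, xc, xd = x
    yin, zin = xa ^ xb, xc ^ xd          # X'a XOR X'b will equal Yin again
    yout, zout = mangler(yin, zin, k5, k6)
    return (xa ^ yout, xb ^ yout, xc ^ zout, xd ^ zout)

def even_round_is_involution(x, k5, k6):
    """Yout and Zout repeat on the second pass, so the XORs cancel."""
    return even_round(even_round(x, k5, k6), k5, k6) == tuple(x)
```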

 

 


 

 

Advanced Encryption Standard (AES):

- Developed with the help of NIST as an Efficient, Flexible, Secure and Unencumbered (free to implement) encryption standard for protecting sensitive, non-classified U.S. government information.

- NIST selected an algorithm called Rijndael, named after two Belgian cryptographers.

- It uses a variety of key sizes: 128, 192 and 256 bits, and the standards are named:

AES-128, AES-192, AES-256

- Block sizes are fixed in all to 128 bits.

- It is similar to both DES and IDEA in that there are rounds and key expansion.

 

Basic Structure: (Figure 3-23)

Nb: the number of 32-bit words in an encryption block.

Nk: the number of 32-bit words in an encryption key.

Nr: the number of rounds. It should be large enough to allow sufficient mixing, so that each bit of a plaintext block or a key has a complex effect on each bit of the resulting ciphertext.

Nr = 6 + max(Nb, Nk)

For AES-128: Nk = 4, Nb = 4 and Nr = 10.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-23.gif

 

Primitive Operations:

- ⊕ (XOR)
- Octet substitution (S-box, Figure 3-24)
- Rearrangement of octets (rotating rows and columns)
- MixColumn operation: replace a column with another:
  - Each octet of the input column is used as an index to retrieve a column from a table (Figure 3-26).
  - Each retrieved column is rotated, and
  - The four rotated columns are ⊕'d to produce the output column (Figure 3-25).

Rounds:

Each round is an identical sequence of 3 operations:

1. Each octet of the state has the S-box applied.
2. For AES-128: row i of the state is rotated left i columns (i = 0, 1, 2, 3).
3. Each column of the state has MixColumn applied to it.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-24.gif

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-26.gif

                        Figure 3-26. MixColumn Table

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-25.gif

Key Expansion:

Arrange the key as Nk columns and iteratively generate the next Nk columns (see Figures 3-29 and 3-30).

The Ci are constants defined in Figure 3-31.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-29.gif

http://www.cs.odu.edu/~cs472/fall11/lectures/fig3-30.gif

Inverse Rounds:

Since each operation is invertible, decryption is done by performing the inverse of each operation in the opposite order and using the round keys in the reverse order.

Inverse Cipher:

- ⊕ is its own inverse.
- The inverse of the S-box is given by a different table (Fig. 3-27).
- Rotating is inverted by another rotation in the opposite direction.
- The inverse of MixColumn is called InvMixColumn and uses a different table (Fig. 3-28).

 


 

RC4

RC4 is a stream cipher designed by Ron Rivest.

A long random string, called a one-time pad, is XORed with the plaintext.

(Page 93 gives C code for RC4)

 


 

Block Chaining: Encrypting a Large Message

Electronic Code Book (ECB):

Break the message into 64-bit blocks (padding the last one) and encrypt each block with the secret key.

Two problems:

1) Two identical plaintext blocks produce two identical cipher blocks.
2) Blocks can be rearranged or modified.

Example: See Fig. 4-3, where an eavesdropper:

- Can see which sets of employees have identical or similar salaries, and
- Can alter their own salary to match another employee with a higher salary.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig4-3.gif

 
                               

Cipher Block Chaining (CBC):

See Fig. 4-5 (encryption) and Fig. 4-6 (decryption).

- IV (Initialization Vector) is a randomly chosen number.
- Two identical plain messages produce two different cipher messages.
- Thus “continue holding”, “continue holding”, “start attack” produce different cipher blocks.
- This also prevents the chosen plaintext attack.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig4-5a6.gif

CBC Threat: Modifying Cipher Blocks

You can modify the contents of one cipher block to make the next plaintext block whatever you wish. However, the preceding plaintext block will be garbled.

For example, in Figure 4-6:

To change m6 to m'6 we can change c5 to c'5,

where c'5 is computed as: (c5 ⊕ m6) ⊕ m'6

However, the content of m5 will be garbage.

E.g.: change Jo Tacker's salary from ~$54K to ~$74K:

http://www.cs.odu.edu/~cs472/fall11/lectures/figp99a100.gif

Note: if some bits of one ciphertext block get garbled (not by design), two plaintext blocks get garbled.
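The c5 → c'5 modification above in code, as an added example that is not from the lecture notes: CBC is run over a toy 64-bit block cipher standing in for DES (an invertible multiply-and-add, not secure), with constructed key, message values and a fixed IV so the result is reproducible. The modify_cbc helper implements c'5 = c5 ⊕ m6 ⊕ m'6, and decrypting the result shows m'6 appearing while m5 turns to garbage and every other block is untouched, which is also why CBC needs an integrity check on top.

```python
# Added example, not from the lecture notes: CBC over a toy 64-bit block cipher
# standing in for DES, plus the "change c5 to alter m6" modification described
# above. Key, IV and message values in any test are constructed.
MASK64 = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15                 # odd, hence invertible mod 2^64
MUL_INV = pow(MUL, -1, 1 << 64)

def enc_block(k, x):
    """Toy block cipher E_K: invertible, not secure, only here to drive the mode."""
    return ((x ^ k) * MUL + k) & MASK64

def dec_block(k, y):
    return ((((y - k) & MASK64) * MUL_INV) & MASK64) ^ k

def ecb_encrypt(k, blocks):
    """ECB: identical plaintext blocks give identical ciphertext blocks."""
    return [enc_block(k, m) for m in blocks]

def cbc_encrypt(k, iv, blocks):
    """c_i = E(m_i XOR c_{i-1}), with c_0 = IV."""
    out, prev = [], iv
    for m in blocks:
        prev = enc_block(k, m ^ prev)
        out.append(prev)
    return out

def cbc_decrypt(k, iv, blocks):
    """m_i = D(c_i) XOR c_{i-1}: each plaintext block depends on two cipher blocks."""
    out, prev = [], iv
    for c in blocks:
        out.append(dec_block(k, c) ^ prev)
        prev = c
    return out

def modify_cbc(iv, cipher, i, m_old, m_new):
    """Make plaintext block i (0-based) decrypt to m_new by changing the block
    before it: c'_{i-1} = c_{i-1} XOR m_old XOR m_new (the IV when i == 0).
    Block i-1 then decrypts to D(c'_{i-1}) XOR c_{i-2}, which is garbage."""
    c, delta = list(cipher), m_old ^ m_new
    if i == 0:
        return iv ^ delta, c
    c[i - 1] ^= delta
    return iv, c
```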

 

Output Feedback Mode (OFB):

It is a stream cipher. Encryption/decryption is performed by XORing the message mi with a one-time pad pi generated as follows:

- A 64-bit IV is generated (and is transmitted with the encrypted message).
- p1 is the DES encryption of IV with the secret key K.
- pi, i > 1, is the DES encryption of pi-1 with secret key K.
- The resulting one-time pad is: p1 | p2 | p3 | .......
- ci = pi ⊕ mi  for i = 1, 2, ...

http://www.cs.odu.edu/~cs472/fall11/lectures/fig4_8.gif

Major advantage of OFB:

    The pad can be generated in advance of the message arrival.

Major disadvantages of OFB:

- If one block is lost, the rest of the blocks will be garbled.
- If data is stored on disk, you cannot randomly read any block unless you decrypt all the preceding blocks.
- If some bits of one ciphertext block get garbled, only the corresponding bits in the plaintext get garbled. This can be bad, as it will not raise suspicion if done intentionally to make specific changes to a plaintext (e.g., give a salary raise!, see next).
- If the <plaintext m, ciphertext c> pair is known to Trudy, she can modify m into anything she wants, m'.

How?

- Calculate: X = c ⊕ m, c' = m' ⊕ X
- Send c' instead of c.
- The receiver calculates: c' ⊕ X = (m' ⊕ X) ⊕ X = m'

 

Cipher Feedback Mode (CFB):

CFB solves the first two problems of OFB:

- If one block is lost, only the next block is garbled and the rest of the blocks will decrypt properly.
- To randomly access one block, you only need to access the preceding block.

CFB steps:

- A 64-bit IV is generated (and is transmitted with the encrypted message).
- b1 is the DES encryption of IV with the secret key.
- bi, i > 1, is the DES encryption of ci-1 with the secret key.
  (Thus you can't generate a one-time pad in advance as in OFB.)
- ci = bi ⊕ mi  for i = 1, 2, ...

http://www.cs.odu.edu/~cs472/fall11/lectures/fig4_9.gif

http://www.cs.odu.edu/~cs472/fall11/lectures/fig4_9%27.gif

Counter Mode (CTR):

CTR (Figure 4-10)

Advantages:

- You can generate the one-time pad in advance.
- You can randomly access any block without decrypting all the preceding blocks.

Disadvantage:

If one block is lost, the rest of the blocks will be garbled.

http://www.cs.odu.edu/~cs472/fall11/lectures/fig4_10.gif
  Figure 4-10
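An added comparison of OFB, CFB and CTR (not from the lecture notes, which use DES): a toy 64-bit block cipher stands in for E_K, and the helpers make the lost-block and garbled-bit behaviour listed above checkable on constructed key, IV and message values. Since these three modes only ever run the cipher forward, no decryption function is needed.

```python
# Added example, not from the lecture notes: OFB, CFB and CTR over a toy 64-bit
# block cipher standing in for DES (invertible multiply-and-add, not secure),
# so the lost-block and garbled-bit behaviour listed above can be checked.
MASK64 = (1 << 64) - 1

def enc_block(k, x):
    """Toy block cipher E_K; odd multiplier, so a bijection on 64-bit blocks."""
    return ((x ^ k) * 0x9E3779B97F4A7C15 + k) & MASK64

def ofb_pad(k, iv, n):
    """p1 = E(IV), p_i = E(p_{i-1}): the whole pad can be made before data arrives."""
    pads, p = [], iv
    for _ in range(n):
        p = enc_block(k, p)
        pads.append(p)
    return pads

def ctr_pad(k, iv, n):
    """p_i = E(IV + i): any block's pad is computable on its own (random access)."""
    return [enc_block(k, (iv + i) & MASK64) for i in range(n)]

def xor_blocks(pads, blocks):
    """Encryption and decryption are the same XOR for OFB and CTR."""
    return [p ^ b for p, b in zip(pads, blocks)]

def cfb_encrypt(k, iv, blocks):
    """b1 = E(IV), b_i = E(c_{i-1}): the pad depends on ciphertext, no precomputation."""
    out, prev = [], iv
    for m in blocks:
        prev = enc_block(k, prev) ^ m
        out.append(prev)
    return out

def cfb_decrypt(k, iv, blocks):
    """m_i = E(c_{i-1}) XOR c_i: a block depends on itself and its predecessor only."""
    out, prev = [], iv
    for c in blocks:
        out.append(enc_block(k, prev) ^ c)
        prev = c
    return out

def garbled_blocks(original, recovered):
    """0-based indices where the recovered plaintext differs from the original."""
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]

def flip_bit(blocks, i, bit):
    """Copy of the ciphertext with one bit of block i flipped (a transmission error)."""
    c = list(blocks)
    c[i] ^= 1 << bit
    return c
```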


 

Multiple Encryption DES

It is called 3DES or EDE (Encrypt-Decrypt-Encrypt):

m >>>> E >>>> D >>>> E >>>> c
       |      |      |
       K1     K2     K1
       |      |      |
c >>>> E >>>> D >>>> E >>>> m

CBC is used for stream encryption as shown in Fig. 4-15:

http://www.cs.odu.edu/~cs472/fall11/lectures/fig4-15.gif

Why EDE instead of EEE?

  P  >>>  P^-1 . P  >>>  P^-1 . P  >>>  P^-1
       E               E               E

  P  >>>  P^-1 . P^-1  >>>  P . P  >>>  P^-1
       E                D              E

Thus, there is a security gain by having a permutation done between stages using EDE.