secret_key_crypotography

Secret Key Cryptography

General Block Encryption:

The general way of encrypting a 64-bit block is to take each of the:
2⁶⁴ input values and map it to a unique one of the 2⁶⁴ output values.

This would take (2⁶⁴ )*(64) = 2⁷⁰ bits to store this map.

This is NOT practical.

Secret key cryptographic systems take a reasonable length key

(e.g., 64 bits) and generate a one-one mapping that looks,

to someone who does not know the key, completely random.

I.e., any single bit change in the input results in

a totally independent random number output.

Types of transformation for k-bit blocks:

Substitution:

For small values of k, specify for each of the

2^kpossible values of the input, the k-bit output.

This takes k*2^kbits.

E.g., for k=8, we need 2048 bits.

Permutation:

For each of the I input bits,

specify the output position to which it goes.

This takes I*log₂ I bits.

E.g., for I=64, we need 64*6=384 bits

Rounds:

If we do only a single round,

then a bit of input can only affect 8 bits of output.

There is optimal number of rounds to achieve complete randomization, e.g., 16.

The following figure (Fig. 3-1) shows a secret key algorithm based on rounds of substations and permutation. It takes the same effort to reverse (decrypt).

Data Encryption Standard (DES):

Key length: 64 bits

8 bits are used for parity check,
why is that?

to make it 265 times less secure!

Read why 56 bits? section in the textbook J

How secure is DES?

In 1998, $150K machine can break the key in 5 days!
For added security triple DES is used.

Basic Structure of DES: (Fig. 3-2)

The decryption works by essentially running DES backward

with keys in reverse order: K16 .. K1.

The Permutation of Data (Fig. 3-3 )

This is not random,

See Fig. 3-3 to get IP, and

Reverse the arrows to get IP^-1

^{In the IP table:}

^bit^{1 comes from bit 58,}

^bit^{2 comes from bit 50, etc.}

^{The first octet of the input (ABC....H) is distributed over the 8 octets of the
output:}

^{A to 5th octet,}

^{B to 1st Octet, ...}

^{H to 4th octet.}

Generating the Per-Round Keys:

Key-Permutation: (Fig. 3-4) Produces C₀and D₀

C0 D0

Key-Generation: (Fig. 3-5)

Eight bits are discarded at positions:

9, 18, 22, 25 from C_i & 35, 38, 43, 54 from D_i

so that each K_i is 48 bits.

A DES Round: (Fig. 3-6)

Why decryption works?

The output of the Mangler Function (M)

is the same for both encryption and decryption.

In encryption: M ® L_n = R_n+1

In decryption: M ® R_n+1 = M ® ( M ® L_n) = L_n

The Mangler Function:

Expands R from 32 bit à 48 bits as shown in Fig3-7:

It breaks R into eight 4-bit chunks and

Expand each to 6-bit by concatenating the adjacent 2 bits.

Let CR_irefer to i^th chunk of the expanded R.

The 48-bit K is broken to eight 6-bit chunks.

Let CK_irefer to the i^th chunk of K.

Let S_{i =} CR_i® CK_i

S_iis fed into an S-box, a substitution which produces

4-bit output for each possible 6-bit input (Figure 3-8)

i.e., 4 inputs are mapped to 1 output.

The 8 S-boxes are specified in Fig. 3-9 to 3-16:

Two of these tables are shown below.

The output of the eight S-boxes is permuted as shown in Fig. 3-17.

This is to ensure that the output of an S-box in one round

affects the input of multiple S-boxes on the next round.

What's So Special about DES?

The S-boxes!

Are they random? No one knows.

Playing around with the S-boxes can be dangerous!

International Data Encryption Algorithm (IDEA):

Encrypts 64-bit blocks using 128-bit key.

It is similar to DES since it:

Operates in rounds.

The mangler function runs in the same direction for both encryption and decryption.

Fig. 3-18 shows the basic Structure of IDEA:

IDEA operations:

®   Exclusive OR
+    Addition mod 2¹⁶and
x    Multiplication mod 2¹⁶

These operations are reversible:

a ® K = A     »      A ® K     = a          since    (a ® K) ® K   = a
a + K = A      »     A + (-K) = a           since   (a + K) + (-K) = a
a x K = A     »     A x (K^-1) = a         since   (a x K) x (K^-1) = a

Key Expansion:

^{The 128-bit key is expanded into:}

^{Fifty two 16-bit-keys: K1, K2 , ....K52.}
^{After generating the first 8 keys (Fig. 3-19),

Shift 25
bits and continue the generation (Fig. 3-20).}

Figure 3-20

Rounds:

Total number of rounds: 17:

odd: 1, 3, ...17 & even 2, 4, .., 16

Odd Round: (Fig. 3-21)

This is reversible using the inverse keys.

Even Round: (Fig. 3-22)

How to reverse?

Just apply it again, using the same keys

(not the inverse keys as in the odd rounds!).

Why?

From Figure 3-22 we have:

X'a = Xa ® Yout
X'b = Xb ® Yout
Yin = Xa ® Xb

Thus:
      X'a ® X'b = (Xa ® Yout ) ® (Xb ® Yout)
                        = Xa ® Xb
                        = Yin
Yin is the same if we use either (Xa , Xb) or (X'a , X'b)

Similarly,

Zin is the same if we use either (Xc , Xd) or (X'c , X'd)

Thus,

Yout & Zout are the same in both encryption and decryption.

Since we know Yout and Zout we can get:

X'a ® Yout = (Xa ® Yout) ® Yout = Xa

Similarly we can get: Xb, Xc and Xd

Inverse Keys for Decryption:

Encryption keys:

K1 K2 K3 K4 K5 K6 ......

Decryption Keys:

(K49)^-1 -(K50) -(K51) (K52)^-1 K47 K48 ......

Advanced Encryption Standard (AES):

Developed with the help of NIST as an

Efficient, Flexible, Secure and

Unencumbered (free to implement)

Encryption Standard for protecting:

sensitive, non-classified, U.S. government information.

NIST selected an algorithm called Rijndael,

named after two Belgium cryptographers.

It uses a variety of key sizes:

128, 192 and 256

and the standards are named:

AES-128, AES-192, AES-256

Block sizes are fixed in all to 128 bits.

It is similar to both DES and IDEA in that there is

rounds and key expansion.

Basic Structure: (Figure 3-23)

Nb: the number of 32-bit words in an encryption block.

for AES-128: Nb = 4.

Nk: the number of 32-bit words in an encryption key.

for AES-128: Nk = 4.

Nr: the number of rounds. It should be large enough to allow sufficient mixing

so that each bit of a plain text block or a key has a complex effect on each bit of the resulting cipher text.

Nr = 6 + Max (Nb, Nk),

For AES-128: Nr = 10.

Primitive Operations:

· ® XOR

· Octet-Substitution (S-box, Figure 3-24)

· Rearrangement of octets (rotating rows and columns)

· MixColumn operation: Replace a column with another:

· Each octet of the input column is used as index to retrieve a column from a table (Figure 3-26).

· Each retrieved column is rotated and

· The four rotated columns are ®'d to produce the output column (Figure 3-25).

Rounds:

· Each round is an identical sequence of 3 operations:

· Each octet of the state has the S-box applied.
For AES-128:
Row i of the state is rotated left i columns (i=0, 1, 2, 3).

· Each column of the state has MixColumn applied to it

Figure 3-26. MixColumn Table

Key Expansion:

Arrange the key as Nk columns and

Iteratively generate the next Nk columns (see Figure 3-29 and 3-30).

The Ci are constants defined in Figure 3-31.

Inverse Rounds:

Since each operation is invertible, decryption is done by performing the inverse of each operation in the opposite order and using the round keys in the reverse order.

Inverse Cipher:

· ® is its own inverse

· The inverse of S-box is given by a different table (Fig 3-27)

· Rotating is inverted by another rotation in the opposite direction.

· The inverse of MixColumn is called InvMixCoumn

is similar to MixColumn using a different table (Fig 3-28).

RC4

RC4 is a stream cipher designed by Ron Rivest.

A long random string is called a one-time pad.

Page 93 gives a C code for RC4 one-time pad generator.

A stream cipher generates a one-time pad and applies it to a stream of plain text with ®.

Block Chaining: Encrypting a Large Massage

Electronic Code Book (ECB):

Break the message into 64-bit blocks (padding the last one) and

Encrypt each block with the secret key.

Two problems:

· Two identical plaintext blocks produces two identical cipher blocks

· Blocks can be rearranged or modified.

Example: See Fig. 4-3 where an eavesdropper:

· Can see which sets of employees have identical or similar salaries &

· Can alter own salary to match another employee with higher salary.

Cipher Block Chaining (CBC):

See Figure Fig. 4-5 (encryption) & Fig 4-6 (decryption).

IV (Initialization Vector) is a randomly chosen number.

Two identical plain messages produce two different cipher messages.

Thus “continue holding”, “continue holding”... “Start attack” produces different cipher blocks.

This also prevents the Chosen plain text attach.

CBC Threat: Modifying Cipher Blocks

You can modify the contents of one cipher block to make the plain text of next block as you wish. However the preceding plain text block will be garbled.

For example in Figure 4-6:

To change m6 to m'6, we can change c5 to c'5,

Where c'5 is computed as: (c5 ® m6 ) ® m'6

However, the content of m5 will be garbage.

E.g: change Jo Tacker salary from ~$54K to ~$74K:

Note: if some bits of one cipher text get garbled (not by design),

two plain text blocks get garbled.

Output Feedback Mode (OFB):

It is a stream cipher, Encryption/Decryption is performed by X®ing the message with one-time pad generated as follows:

1. A 64-bit IV is generated (and is transmitted with the encrypted message).

2. b₁is the DES encryption of IV with the secret key.

3. b_i , i > 1, is the DES encryption of b_i-1with secret key.

4. The resulting one-time pad is: b1 | b2 | b3 | .......

5. c_i= b_i® m_ifor i =1, 2, ...

Major advantages of OFB:

The pad can be generated in advance of the message arrival.

Note that if some bits of one cipher text get garbled, only the corresponding bits in the plain text get garbled.

This can be bad as it will not raise suspicion if intentionally changed to make specific changes to a plain text (e.g., give salary raise!).

Major disadvantages of OFB:

· If one block is lost, the rest of the blocks will be garbled.

· If data is stored on disk, you can not randomly read any block unless you decrypt all the preceding blocks.

· If the <plaintext m, ciphertext c> are known by Trudy,

he can modify m into anything he wants m'.

How?

· Calculate:

X = c ® m

· Sends: c' instead of c.

Cipher Feedback Mode (CFB):

CFB solves the first two problems of OFB:

· If one block is lost, only the next block is garbled and the rest of the blocks will decrypt properly.

· To randomly access one block, you only need to access the preceding block.

CFB steps:

1. A 64-bit IV is generated (and is transmitted with the encrypted message).

2. b₁is the DES encryption of IV with the secret key.

3. b_i , i > 1, is the DES encryption of c_i-1 with secret key.
(Thus you can't generate a one-time pad in advance like OFB)

4. c_i= b_i® m_ifor i =1, 2, ...

Counter Mode (CTR):

CTR (Figure 4-10)

Advantages:

· You can generate the one-time pad in advance.

· You can randomly access any block without decrypting all the preceding blocks.

Disadvantage:

If one block is lost, the rest of the blocks will be garbled.

Figure 4-10

Multiple Encryption DES

It is called 3DES or EDE (encrypt-decrypt-encrypt):

m>>>> E >>>> D >>>> E >>>>c
               |             |             |
             K1         K2        K1
               |             |             |
c >>>> E >>>> D >>>> E >>>> m

CBC is used for stream encryption as shown is Fig. 4-15:

Why EDE instead EEE?

  P >>> P^{-1 .}P >>> P^-1.P >>> P^-1
^{E
E                         E}

P >>> P^-1.P^-1>>> P. P >>> P^-1
^{E D E}

Thus, there is security gain by having permutation done between stages using EDE.