Lecture 2.3: Private Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 2.3: Private Key Cryptography III

CS 436/636/736 Spring 2012

Nitesh Saxena

Course Administration

• TA/Grader: Eric Frees: – Email: [email protected]– Office hrs: 2-4pm on Wednesdays, Ugrad lab (CH

154)

• HW1 heads up– To be posted by this weekend– Covers lecture 1, 2.1 – 2.3– At least 12 days for you to work on it

Lecture 2.3 - Private Key Cryptography III

04/19/23 2

mailto:[email protected]

Outline of today’s lecture

•Block Ciphers: Modes of Encryption•AES (at home reading assignment)


04/19/23 3


Block Cipher Encryption modes

• Electronic Code Book (ECB)• Cipher Block Chain (CBC)– Most popular one

• Cipher Feed Back (CFB)• Output Feed Back (OFB)

04/19/23 4


Analysis

We will analyze each of the modes in terms of:•Security•Computational Efficiency (parallelizing encryption/decryption)•Transmission Errors•Integrity Protection

04/19/23 5


Electronic Code Book (ECB) Mode• Although DES encrypts 64 bits (a block) at a time, it can

encrypt a long message (file) in Electronic Code Book (ECB) mode.

• Deterministic -- If same key is used then identical plaintext blocks map to identical ciphertext

04/19/23 6

Example – why ECB is bad?

04/19/23Lecture 2.3 - Private Key

Cryptography III7

Tux Tux encrypted with AES in ECB mode


Cipher Block Chain (CBC) Mode

04/19/23 8

encryption

decryption


CBC Traits

• Randomized encryption • IV – Initialization vector serves as the

randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computation

• IV is a random value• IV is no secret; it is sent along with the

ciphertext blocks (it is part of the ciphertext)04/19/23 9

Example – why CBC is good?

04/19/23Lecture 2.3 - Private Key

Cryptography III10

Tux Tux encrypted with AES in CBC mode


CBC – More Properties• What happens if k-th cipher block CK gets

corrupted in transmission.– With ECB – Only decrypted PK is affected.– With CBC?

• Only blocks PK and PK+1 are affected!!

• What if one plaintext block PK is changed?– With ECB only CK affected.– With CBC all subsequent ciphertext blocks will be

affected.• “Avalanche effect”

– This leads to an effective integrity protection mechanism (or message authentication code (MAC))

04/19/23 11

Cipher Feedback Mode (CFB)

04/19/23 12


CFB Properties

• Randomized encryption – good for security (Tux won’t be visible after encryption!)

• Change in one plaintext bit is going to affect all subsequent ciphertext bits. So can be used for MAC.

• Change in ciphertext bit results in?

04/19/23 13

Output Feedback Mode (OFB)

04/19/23 14


OFB Properties

• Randomized encryption – good for security (Tux won’t be visible after encryption!)

• Bit errors in transmission do not propagate (except for the IV)

• Not good for authentication – no avalanche effect

04/19/23 15

Security of Block Cipher Modes• ECB is not even secure against eavesdroppers

(ciphertext only and known plaintext attacks)• CBC, CFB and OFB are secure against CPA attacks

(assuming 3-DES or AES is used in each block computation); automatically secure against eavesdropping attacks

• However, none is secure against CCA. Why?• Intuitively, this is because the ciphertext can be

“massaged” in a meaningful way -- see whiteboard (please take notes)

16

Summary of CCA Attacks• Assume adversary has eavesdropped upon a ciphertext

– (C0, C1, C2) -- corresponding to a plaintext (M1, M2). C0 is IV.

• Adversary is not allowed to query for (C0, C1, C2) itself • With CBC, adversary queries for (C0’, C1, C2) and

obtains (M1’, M2)• With CFB, he queries for (C0, C1, C2’) and obtains (M1,

M2’)• With OFB, he queries for (C0, C1’,C2)/(C0,C1, C2’)/(C0,

C1’,C2’) and obtains (M1’,M2)/(M1,M2’)/(M1’,M2’), respectively

17

How to achieve CCA security?• Prevent any massaging of the ciphertext• Intuitively, this can be achieved by using

integrity protection mechanisms (such as MACs), which we will study later

• The ciphertext is generated using CBC/CFB/OFB and a MAC is generated on this ciphertext

• Both ciphertext and the MAC is sent off• The other party decrypts only if MAC is valid04/19/23


18

Advanced Encryption Standard (AES)

• National Institute of Science and Technology– DES is an aging standard that no longer addresses today’s needs for

strong encryption– Triple-DES: Endorsed by NIST as today’s defacto standard

• AES: The Advanced Encryption Standard– Finalized in 2001– Goal – To define Federal Information Processing Standard (FIPS) by

selecting a new powerful encryption algorithm suitable for encrypting government documents

– AES candidate algorithms were required to be:• Symmetric-key, supporting 128, 192, and 256 bit keys• Royalty-Free• Unclassified (i.e. public domain)• Available for worldwide export


04/19/23 19

AES

• AES Round-3 Finalist Algorithms:– MARS

• Candidate offering from IBM– RC6

• Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithm

– Twofish• From Counterpane Internet Security, Inc.

– Serpent• Designed by Ross Anderson, Eli Biham and Lars Knudsen

– Rijndael: the winner!• Designed by Joan Daemen and Vincent Rijmen


04/19/23 20

Other Symmetric Ciphers and their applications

• IDEA (used in PGP)• Blowfish (password hashing in OpenBSD)• RC4 (used in WEP), RC5• SAFER (used in Bluetooth)


04/19/23 21

Some Questions• C=DES(K,P); where (P, C are 64-bit long blocks). What would

be DES(K,”PPPP”) in ECB mode? What it would be in CBC mode?

• ECB is secure for sending just one block of data: true or false?• Is it okay to re-use IV in CBC? Why/why not?

• Alice needs to send a *long* top-secret message to Bob. Which of the ciphers that we studied today can she use?


04/19/23 22

AES: Rinjdael

At home reading assignment!


04/19/23 23

Rijndael

• Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven).

• (pronounced “Rhine-doll”)• Allows only 128, 192, and 256-bit key sizes (unlike the other

candidates)• Variable block length of 128, 192, or 256 bits. All nine

combinations of key/block length possible.• A block is the smallest data size the algorithm will encrypt• Vast speed improvement over DES in both hardware and

software implementations– 8416 bytes/sec on a 20MHz 8051 (@ 12 CPI)– 8.8 Mbytes/sec on a 200MHz Pentium Pro


04/19/23 24

Rijndael Structure• Rijndael consists of

– an initial Round Key addition;– Nr-1 Rounds;– a final round.

• In pseudo C code, this gives:

Rijndael(State,CipherKey) {

KeyExpansion(CipherKey,ExpandedKey) ; AddRoundKey(State,ExpandedKey); For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i) ; FinalRound(State,ExpandedKey + Nb*Nr);

}


04/19/23 25

Rijndael


X R1

Key

R2 Rn-1 RnR3 YRn-2

K1 K2 Kn-1 KnK3 Kn-2

W KE Key Expansion

RoundKeys

Encryption Rounds r1 … rn

Key is expanded to a set of n round keysKey is expanded to a set of n round keys Input block X undergoes n rounds of operations (each Input block X undergoes n rounds of operations (each

operation is based on value of the nth round key), until it operation is based on value of the nth round key), until it reaches a final round.reaches a final round.

Strength relies on the fact that it’s difficult to obtain the Strength relies on the fact that it’s difficult to obtain the intermediate result (or intermediate result (or statestate) of round n from round n+1 ) of round n from round n+1 without the round key.without the round key.

04/19/23 26

Number of Rounds• Number of rounds (Nr) as a function of the block

(Nb) and key length (Nk) in 32 bit words.

Nr Nb = 4

Nb = 6

Nb = 8

Nk = 4

10 12 14

Nk = 6

12 12 14

Nk = 8

14 14 14


04/19/23 27

Rijndael


Detailed view of round i

Each round performs the following operations:Each round performs the following operations: Non-linear Layer: No linear relationship between the input Non-linear Layer: No linear relationship between the input

and output of a roundand output of a round Linear Mixing Layer: Guarantees high diffusion over Linear Mixing Layer: Guarantees high diffusion over

multiple roundsmultiple rounds Very small correlation between bytes of the round input Very small correlation between bytes of the round input

and the bytes of the outputand the bytes of the output Key Addition Layer: Bytes of theKey Addition Layer: Bytes of the input are simply XOR’ed input are simply XOR’ed

with the expanded round keywith the expanded round key

ByteSub ShiftRow MixColumn AddRoundKey

Ki

Result from round i-1

Pass toround i+1

04/19/23 2804/19/23

Rijndael

• Three layers provide strength against known types of cryptographic attacks: Rijndael provides “full diffusion” after only two rounds– Linear and differential cryptanalysis– Known-key and related-key attacks– Square attack– Interpolation attacks– Weak-keys

• Rijndael has been shown to be K-secure:– No key-recovery attacks faster than exhaustive search exist– No known symmetry properties in the round mapping– No weak keys– No related-key attacks: No two keys have a high number of expanded

round keys in commonLecture 2.3 - Private Key

Cryptography III04/19/23 29

Rijndael: ByteSub


• Each byte at the input of a round undergoes a non-linear byte substitution according to the following: 1. First, taking the multiplicative inverse in GF(28). ‘00’ is mapped onto itself. 2. Then, applying an affine (over GF(2)) transformation.

Substitution (“S”)-box Affine Transform04/19/23 30

Rijndael: ShiftRow


Depending on the block length, each “row” of the block is cyclically shifted according to the above table

04/19/23 31

Rijndael: MixColumn


Each column is multiplied by a fixed polynomialC(x) = ’03’*X3 + ’01’*X2 + ’01’*X + ’02’

This corresponds to matrix multiplication b(x) = c(x) a(x):

04/19/23 32

Rijndael: Key Expansion and Addition


Each word is simply XOR’ed with the expanded round key

KeyExpansion(int* Key[4*Nk], int* EKey[Nb*(Nr+1)]){ for(i = 0; i < Nk; i++) EKey[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]); for(i = Nk; i < Nb * (Nr + 1); i++) { temp = EKey[i - 1]; if (i % Nk == 0) temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk]; EKey[i] = EKey[i - Nk] ^ temp; }}

Key Expansion algorithm:

04/19/23 33

Rijndael: Implementations

• Rijndael is well suited for software implementations on 8-bit processors (important for “Smart Cards”)– Operations focus on bytes and nibbles, not 32 or 64 bit integers– Layers such as ByteSub can be efficiently implemented using small tables

in ROM (e.g. < 256 bytes). – No special instructions are required to speed up operation

• For 32-bit implementations:– An entire round can be implemented via a fast table lookup routine on

machines with 32-bit or higher word lengths– Considerable parallelism exists in the algorithm

• Each layer operates in a parallel manner on bytes of the round state, all four component transforms act on individual parts of the block

• Although the Key expansion is complicated and cannot be parallelised, it only needs to be performed once until the two parties switch keys.


04/19/23 34

Rijndael: Implementations

• Hardware Implementations– Performs very well in software, but in some cases more performance is

required (e.g. server and VPN applications).– Multiple S-Box engines, round-key EXORs, and byte shifts can all be

implemented efficiently in hardware when absolute speed is required– Small amount of hardware can vastly speed up 8-bit implementations

• Inverse Cipher– Except for the non-linear ByteSub step, each part of Rijndael has a

straightforward inverse and the operations simply need to be undone in the reverse order.

– Same code that encrypts a block can also decrypt the same block simply by changing certain tables and polynomials for each layer. The rest of the operation remains identical.


04/19/23 35

Rijndael Future

• Rijndael is an extremely fast, state-of-the-art, highly secure algorithm

• Has efficient implementations in both hardware and software; it requires no special instructions to obtain good performance on any computing platform

• Despite being the chosen by NIST as the AES candidate winner, Rijndael is not yet automatically the new encryption standard– Triple-DES, still highly secure and supported by NIST, is expected

to be common for the foreseeable future.


04/19/23 36

Further Reading

• Chapter 6 of Stallings – Modes of Operations; Chapter 5 for AES

• Chapter 7 of HAC – Modes of Operation


04/19/23 37

Lecture 2.3: Private Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Documents

private key cryptography

ecb mode slide

cbc mode slide

encryption decryption

cipher block chain cbc

tux tux

nitesh saxena slide

previous block