
Outline

- Improving DES
- Modes of using block cipher
- Stream cipher basics

Improving DES

DES with a 56-bit key is too weak. What to do? Double DES: use two keys: c = E_k2(E_k1(m)), m = D_k1(D_k2(c)). The key is 2 x 56 = 112 bits, so it should require about 2^111 tests to break.
Risk: idempotence, i.e. the double encryption equals a single encryption, c = E_k3(m) for some k3. Unlikely: 2^64! (roughly 10^(10^20)) mappings between M and C are possible, but only 2^56 keys are available, so there is a low probability that two keys give the same mapping as one key; proven impossible (1992: DES is not a group).

Double DES attack

c = E_k2(E_k1(m)), m = D_k1(D_k2(c)). Meet-in-the-middle attack: from c = E_k2(E_k1(m)) it follows that E_k1(m) = D_k2(c). Known-plaintext attack with one pair (m, c):
1. encrypt m for all 2^56 keys, sort the results (and remember the key)
2. decrypt c for all 2^56 keys, look each result up in the table
3. when they match, the keys are found... or are they? Only 2^64 different ciphertexts are possible, from 2^112 key pairs. Thus 2^112 / 2^64 = 2^48 different key pairs produce the same ciphertext (on average), so 2^48 - 1 false positives may be found.
Use one more pair (m, c): each false positive survives it with probability 2^-64, so about 2^(48-64) = 2^-16 remain. Effort is on the order of 2^56 encryptions plus 2^56 decryptions (and a table of 2^56 entries), i.e. only about double that of DES.

Triple DES: TDES

Two ways:
2TDES: use two keys, so c = E_k1(D_k2(E_k1(m)))
- D in the middle for backwards compatibility: with k2 = k1, E_k1(D_k1(E_k1(m))) = E_k1(m), i.e. single DES
- hard to break: brute force is 2^112 (about 5 x 10^33), differential cryptanalysis > 10^52; a known-plaintext attack with effort 2^56 exists, but it requires 2^56 (m, c) pairs!
3TDES: use three keys, so c = E_k3(D_k2(E_k1(m)))
- key size 168 bits (2^168 keys)
- used by S/MIME and PGP
- meet-in-the-middle attack now costs 2^112 effort: too much
Still, too slow (e.g. 3 x 16 = 48 rounds) and too small blocks (64 bits): AES is faster and better!
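The meet-in-the-middle attack on the Double DES slide above, scaled down so it runs in seconds (an added example, not code from the slides). A toy 4-round Feistel cipher with a 16-bit block and a 12-bit key (both assumed, so that the whole key space of 4096 keys can be enumerated) stands in for DES, and the (m, c) pairs are constructed from a chosen key pair. The arithmetic is the slide's: 2^(2k) key pairs but only 2^b ciphertexts, so roughly 2^(2k - b) - 1 false positives from one pair, each surviving a further pair with probability 2^-b.

```python
"""Meet-in-the-middle attack on double encryption, with a toy cipher in place of DES."""

KEY_BITS, BLOCK_BITS, ROUNDS = 12, 16, 4          # toy parameters (assumed)
KEYSPACE = 1 << KEY_BITS


def _round_keys(key):
    """Toy key schedule: rotate the 12-bit key and take 8 bits per round.
    rk[0] and rk[3] together cover all 12 key bits, so distinct keys give
    distinct round-key sequences."""
    ks = []
    for i in range(ROUNDS):
        key = ((key << 3) | (key >> 9)) & 0xFFF
        ks.append((key ^ (0x3A5 * (i + 1))) & 0xFF)
    return ks


def _f(r, rk):
    """Toy round function on one byte (a bijection of the byte, keyed by XOR)."""
    x = (r ^ rk) & 0xFF
    x = (x * 101 + 29) & 0xFF                     # odd multiplier: invertible mod 256
    return ((x << 3) | (x >> 5)) & 0xFF


def encrypt(key, m):
    l, r = m >> 8, m & 0xFF
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (r << 8) | l                           # final swap, Feistel style


def decrypt(key, c):
    l, r = c >> 8, c & 0xFF
    for rk in reversed(_round_keys(key)):         # same network, round keys reversed
        l, r = r, l ^ _f(r, rk)
    return (r << 8) | l


def double_encrypt(k1, k2, m):
    """c = E_k2(E_k1(m)), the slide's Double DES."""
    return encrypt(k2, encrypt(k1, m))


def expected_false_positives(key_bits, block_bits):
    """Slide's estimate: 2^(2k) key pairs / 2^b ciphertexts, minus the true pair."""
    return 2 ** (2 * key_bits - block_bits) - 1


def meet_in_the_middle(pairs):
    """pairs: [(m, c), ...] with c = E_k2(E_k1(m)).
    Returns (candidates from the first pair, survivors after the other pairs)."""
    m0, c0 = pairs[0]
    table = {}                                    # E_k1(m0) -> [k1]: 2^k encryptions, stored
    for k1 in range(KEYSPACE):
        table.setdefault(encrypt(k1, m0), []).append(k1)
    candidates = []                               # 2^k decryptions, each one table lookup
    for k2 in range(KEYSPACE):
        for k1 in table.get(decrypt(k2, c0), ()):
            candidates.append((k1, k2))
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:])]
    return candidates, survivors


if __name__ == "__main__":
    K1, K2 = 0x3A7, 0x9C1                         # the victim's key pair (constructed)
    pairs = [(m, double_encrypt(K1, K2, m)) for m in (0x1234, 0xBEEF, 0x0042)]
    cands, surv = meet_in_the_middle(pairs)
    print(f"candidates from one pair: {len(cands)} (expected about "
          f"{expected_false_positives(KEY_BITS, BLOCK_BITS) + 1})")
    print(f"after two more pairs: {[(hex(a), hex(b)) for a, b in surv]}")
    print(f"DES: 2^48 - 1 = {expected_false_positives(56, 64)} false positives per pair")
```

With these parameters one pair yields on the order of 2^(24-16) = 256 candidate key pairs; the second and third pairs strip the false positives, exactly as the slide argues for 2^48 - 1 candidates in the DES case. The same table-then-lookup structure is why 3TDES with three keys still only offers 2^112 effort against this attack.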

Using block ciphers: modes

DES and AES work on a block (64 bits for DES, 128 bits for AES). How can such a cipher be used? Simplest: Electronic Code Book (ECB) mode.

Modes: ECB

- split plaintext in blocks (e.g. 64 bits for DES)
- encrypt each block separately using the same key for each block: C_i = E_K(P_i)
- decryption as usual: use the same key for each block: P_i = D_K(C_i)
- repetitions in plaintext (at block level) give repetitions in ciphertext
- blocks can be swapped, repeated, replaced without the recipient noticing
- Good for short data (e.g. DES keys).

[Figure 3.11 Electronic Codebook (ECB) Mode: (a) Encryption, P_1..P_N each through DES Encrypt with key K giving C_1..C_N; (b) Decryption, C_1..C_N each through DES Decrypt with key K giving P_1..P_N.]

Modes: CBC

Cipher Block Chaining (CBC) mode avoids repetitions showing up in the ciphertext.
- next plaintext block is XORed with the previous ciphertext block before encryption: C_i = E_K(P_i XOR C_{i-1})
- same key used for each block
- decryption: previous ciphertext XORed with the next decryption output, giving plaintext: P_i = D_K(C_i) XOR C_{i-1}
- first block has no previous: use an Initialization Vector (IV). It must be unpredictable to the attacker and protected against modification; keeping it secret, as the slide suggests, is not what matters.
- repetitions in plaintext do not show up in ciphertext
- each ciphertext block depends on all previous plaintext blocks, but this is not an integrity check: changing C_i garbles P_i, flips the same bits in P_{i+1}, and leaves all other blocks intact
- if the attacker can modify the receiver's IV, they can flip selected bits in the first plaintext block (without having the plaintext or the key)

[Figure 3.12 Cipher Block Chaining (CBC) Mode: (a) Encryption, IV or C_{i-1} XORed into P_i before DES Encrypt with key K, giving C_1..C_N; (b) Decryption, DES Decrypt with key K, output XORed with IV or C_{i-1}, giving P_1..P_N.]

Modes: CFB

Cipher FeedBack (CFB) mode. Makes a stream cipher from a block cipher: encrypt a smaller amount (e.g. a byte) at a time, using a generated key stream. Encryption:
- encrypt a shift register (initial content: IV)
- use the j most significant bits of the output: XOR with j bits of plaintext to give j bits of ciphertext
- shift the register by j bits, inserting the ciphertext just produced, repeat
Decryption: the same, but XORing with the ciphertext instead of the plaintext. The register contents are identical on both sides, so the block cipher is only ever used in the encrypt direction. Compare with the Vernam cipher: this is such a cipher, and the block cipher is used to generate the key stream.

[Figure 3.13 J-Bit Cipher Feedback (CFB) Mode: (a) Encryption, (b) Decryption; shift register of (64 - j) bits | j bits, initially the IV, then fed with C_{M-1}; DES Encrypt with key K; select j bits, discard 64 - j bits; XOR with P_1..P_M giving C_1..C_M.]

Modes: OFB

Output FeedBack (OFB) mode.
- like CFB, but feed back the encryption output O_{M-1} instead of the ciphertext
- transmission errors do not propagate: only the current ciphertext is affected, since the key stream is generated locally (decryption does not depend on received ciphertext)
- key stream can be pre-generated
- more vulnerable to message stream modification: flip a bit in the ciphertext, flip the same bit in the plaintext!
- need good integrity checks (anti-modification mechanisms)

[Figure: Output Feedback (OFB) mode, same layout as Figure 3.13 but with the selected j bits of the DES Encrypt output O_{M-1} shifted into the register instead of C_{M-1}.]

Modes: CTR

Counter (CTR) mode (block cipher).
- encrypt a counter value, always with the same key (the counter need not be secret, but it must never repeat under the same key)
- XOR the result with the plaintext block
- increment the counter (modulo 2^blocksize)
- decryption: same key, same key stream
- block stream can be pre-generated
- encryption can be done in parallel on many blocks (cf. chaining)
- en/decryption of blocks can be done in any order
- like CFB and OFB, only needs encryption
Used in IPsec and ATM. Exercise: What happens with a small block size?

Stream ciphers

Using e.g. DES in CFB mode to produce a stream cipher is inefficient: better use a native stream cipher to generate the key stream. The RC4 cipher is such a cipher (or pseudo-random-number generator), and can be 10 times faster than DES. Can be very insecure if used improperly. Developed in 1987 for RSA Data Security, Inc, by Ron Rivest (the R of RSA). Proprietary, but in 1994 someone posted the source anonymously. RC4 is trademarked, so it is sometimes called ARCFOUR or ARC4 (for "alleged RC4").
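The five modes from the slides above (ECB, CBC, CFB, OFB, CTR) and the malleability they discuss, as an added example that is not code from the slides. Assumptions: `enc_block`/`dec_block` are an invertible keyed 64-bit mixing function standing in for DES (it is not a cipher, only a keyed permutation, which is all the mode mechanics need to be shown without a DES implementation); CFB and OFB use whole-block feedback (j = 64); key, IV, nonce and messages are constructed for the demo.

```python
"""Block-cipher modes: ECB, CBC, CFB, OFB, CTR over a stand-in 64-bit block function."""
import hashlib

BLOCK = 8                          # 64-bit blocks, as for DES
MASK = (1 << 64) - 1


def _subkeys(key):
    d = hashlib.sha256(key).digest()
    return int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1


def enc_block(key, block):
    """Stand-in for E_K: xor mask, odd multiplier mod 2^64, rotate (assumed, NOT a cipher)."""
    kx, km = _subkeys(key)
    x = ((int.from_bytes(block, "big") ^ kx) * km) & MASK
    return (((x << 23) | (x >> 41)) & MASK).to_bytes(BLOCK, "big")


def dec_block(key, block):
    """Stand-in for D_K: undo the rotation, multiply by the inverse, undo the xor."""
    kx, km = _subkeys(key)
    x = int.from_bytes(block, "big")
    x = ((x >> 23) | (x << 41)) & MASK
    return (((x * pow(km, -1, 1 << 64)) & MASK) ^ kx).to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _whole_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need whole blocks: pad first")
    return blocks(data)


def ecb_encrypt(key, pt):
    return b"".join(enc_block(key, b) for b in _whole_blocks(pt))   # C_i = E_K(P_i)


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _whole_blocks(pt):
        prev = enc_block(key, xor(b, prev))                          # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _whole_blocks(ct):
        out.append(xor(dec_block(key, c), prev))                     # P_i = D_K(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def cfb_crypt(key, iv, data, decrypt=False):
    """CFB, j = 64: the register holds the previous CIPHERTEXT block; both
    directions call only enc_block, and a short final chunk needs no padding."""
    out, reg = [], iv
    for chunk in blocks(data):
        o = xor(chunk, enc_block(key, reg)[:len(chunk)])
        out.append(o)
        reg = chunk if decrypt else o
    return b"".join(out)


def ofb_keystream(key, iv, n):
    """OFB: feed the encryption OUTPUT back; the stream is independent of the message."""
    ks, reg = bytearray(), iv
    while len(ks) < n:
        reg = enc_block(key, reg)
        ks += reg
    return bytes(ks[:n])


def ctr_keystream(key, nonce, n, first_block=0):
    """CTR: E_K(nonce || 32-bit counter); any block is computable without the others."""
    ks = bytearray()
    for i in range(first_block, first_block + (n + BLOCK - 1) // BLOCK):
        ks += enc_block(key, nonce + (i & 0xFFFFFFFF).to_bytes(4, "big"))
    return bytes(ks[:n])


def flip_bit(data, byte_index, mask):
    """What a man-in-the-middle does to a ciphertext (or to the receiver's IV)."""
    data = bytearray(data)
    data[byte_index] ^= mask
    return bytes(data)


if __name__ == "__main__":
    key, iv = b"demo-key", bytes(range(8))              # constructed
    pt = b"ATTACK!!ATTACK!!RETREAT!"                    # constructed: block 1 == block 2
    e = ecb_encrypt(key, pt)
    print("ECB leaks the repetition:", e[:8] == e[8:16])
    c = cbc_encrypt(key, iv, pt)
    print("CBC hides it:", c[:8] != c[8:16])
    print(cbc_decrypt(key, flip_bit(iv, 0, 0x20), c))   # IV bit flip -> 'a' in P_1 only
    print(cbc_decrypt(key, iv, flip_bit(c, 8, 0x20)))   # C_2 flip -> P_2 garbled, 'r' in P_3
    ks = ofb_keystream(key, iv, len(pt))
    print(xor(flip_bit(xor(pt, ks), 0, 0x20), ks))      # OFB/CTR: the flip goes straight through
```

The CBC results are the point of the slide's warning: flipping a bit of the IV changes exactly that bit of P_1, and flipping a bit of C_2 garbles P_2 but changes exactly that bit of P_3, with every other block decrypting cleanly, so nothing here detects modification. The OFB, CFB and CTR streams are plain Vernam XORs, which is why they need a separate integrity check.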

RC4 algorithm

Components:
- state vector S[256] represents a permutation of 0-255;
- key vector K[klen] initializes the permutation;
- indices i and j into the state vector.
klen can be 1-256 bytes (typically 5-16, i.e. 40-128 bits).

RC4 key stream generator

    def rc4_keystream(S):
        """RC4 PRGA: loops forever, yielding one key-stream byte per step and permuting S in place."""
        i = j = 0
        while True:
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            S[i], S[j] = S[j], S[i]          # swap(S[i], S[j])
            yield S[(S[i] + S[j]) % 256]     # output k

RC4 initialization

    def rc4_init(K):
        """RC4 KSA: start from the identity permutation and scramble it with the key bytes K[0..klen-1]."""
        S = list(range(256))                 # identity permutation: S[i] = i
        j = 0
        for i in range(256):                 # initial permutation of S
            j = (j + S[i] + K[i % len(K)]) % 256
            S[i], S[j] = S[j], S[i]          # swap(S[i], S[j])
        return S

RC4

Very simple, and efficient software implementations. The key sequence very probably has a period of > 10^100.
- the first part of the output is not random enough (discard the first 3K bytes to be safe)
- never reuse a generated key stream (cf. one-time pad)
- use at least 128-bit keys
- use random and fresh keys
Used e.g. in SSL (Secure Socket Layer, https) and WEP (Wired Equivalent Privacy). WEP is severely broken, mainly because it doesn't follow the advice above.
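What "never reuse a generated key stream" and "need good integrity checks" mean in practice, as an added example that is not the slides' code. `rc4` restates the slide's KSA and PRGA in compact form and adds a `drop` parameter for the advice to discard the first bytes; the key and messages are constructed (the key is deliberately far shorter than the 128 bits recommended).

```python
"""RC4 in use: key-stream reuse and bit-flipping malleability."""


def rc4(key, n, drop=0):
    """Return n key-stream bytes for `key`, skipping the first `drop` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(drop + n):                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key, data, drop=0):
    """Encryption and decryption are the same operation (Vernam with a PRNG stream)."""
    return xor(data, rc4(key, len(data), drop))


def recover_from_reuse(c1, c2, known_p1):
    """Two messages under one key stream: c1 xor c2 = p1 xor p2, so a known
    (or guessed) p1 gives p2 without the key, as far as p1 reaches. This is
    the 'never reuse a key stream' rule; a repeated WEP IV hands exactly this
    to an attacker."""
    return xor(xor(c1, c2), known_p1)


def flip_plaintext_bits(c, offset, mask):
    """Stream-cipher malleability: flipping a ciphertext bit flips the same
    plaintext bit; without a MAC the receiver cannot tell."""
    c = bytearray(c)
    c[offset] ^= mask
    return bytes(c)


if __name__ == "__main__":
    key = b"Key"                                  # constructed (and far too short)
    p1 = b"transfer 100 to alice"                 # constructed sample messages
    p2 = b"transfer 900 to mallory"
    c1, c2 = rc4_crypt(key, p1), rc4_crypt(key, p2)   # same key, same stream: the mistake
    print(recover_from_reuse(c1, c2, p1))         # -> b"transfer 900 to mallo"
    tampered = flip_plaintext_bits(c2, 9, ord("9") ^ ord("1"))
    print(rc4_crypt(key, tampered))               # -> b"transfer 100 to mallory"
```

Neither attack touches the key: the first needs only two ciphertexts and one known plaintext, the second needs only to know where in the message the digit sits. Fresh keys (or a per-message nonce mixed into the key correctly, which WEP did not do) prevent the first; a MAC over the ciphertext prevents the second.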
