Improving DES
DES with a 56-bit key is too weak. What to do?

Double DES: use two keys: c = E_k2(E_k1(m)), m = D_k1(D_k2(c)). Key is 112 bits (2^112 keys), so breaking it should require 2^111 tests.

Risk: idempotence (i.e. c = E_k3(m) for some k3) is unlikely: (2^64)! ≈ 10^(10^20) mappings between M and C are possible, but only 2^56 keys are available, so there is a low probability for two keys to give the same mapping as one. Cryptanalysis: > 10^52.

Meet-in-the-middle attack on Double DES: 2^112 / 2^64 different keys produce the same ciphertext (on average), so 2^48 - 1 false positives may be found. Use one more (m, c) pair to decrease the risk to 2^(48-64) = 2^-16. Effort is on the order of 2^56 tests, i.e. only double that of DES.

Known-plaintext attack with effort 2^56, but it requires 2^56 (m, c) pairs!

3TDES: use three keys, so c = E_k3(D_k2(E_k1(m))); key size 168 bits (2^168 keys), used by S/MIME and PGP. The meet-in-the-middle attack now needs 2^112 effort: too much.

Still, too slow (e.g. 3 × 16 = 48 rounds) and too small blocks: AES is faster and better!
Modes: ECB
[Figure: ECB mode. (a) Encryption: at time 1..N, each plaintext block P1..PN goes through DES Encrypt (same key) to give C1..CN. (b) Decryption: each C1..CN goes through DES Decrypt to give P1..PN.]

- decryption as usual: use the same key for each block
- repetitions in plaintext (at block level) give repetitions in ciphertext
- blocks can be swapped, repeated, replaced without recipient
Modes: CBC
Cipher Block Chaining (CBC) mode avoids repetitions showing up in the ciphertext.

- the next plaintext block is XORed with the previous ciphertext block before encryption
- the same key K is used for each block
- decryption: the previous ciphertext block is XORed with the next decryption output
- repetitions in plaintext do not show up in ciphertext
- modifications are detected: each cipher block depends on all previous ones
- if an attacker can modify the receiver's IV, they can flip selected bits in

[Figure: CBC mode. (a) Encryption: C1 = DES Encrypt_K(P1 XOR IV), Ci = DES Encrypt_K(Pi XOR C(i-1)) for i = 2..N. (b) Decryption: P1 = DES Decrypt_K(C1) XOR IV, Pi = DES Decrypt_K(Ci) XOR C(i-1).]
Modes: CFB
Cipher FeedBack (CFB) mode makes a stream cipher from a block cipher: encrypt a smaller amount (e.g. a byte) at a time, using a generated stream of keys.

Encryption:
- encrypt a shift register (initial content: IV)
- use the j most significant bits: XOR with j bits of plaintext to give ciphertext
- shift the register by j bits, inserting the previous ciphertext; repeat

Decryption: the same, but XORing with ciphertext instead of plaintext. Compare with the Vernam cipher: this is such a cipher, and the block cipher is used to generate the key stream.

[Figure: CFB mode with a 64-bit shift register (64 - j bits | j bits). (a) Encryption: shift register (initially IV) → DES Encrypt with K → select j bits, discard 64 - j bits → XOR with j-bit plaintext P1..PM to give C1..CM; each Ci (CM-1 before the last step) is shifted into the register for the next step. (b) Decryption: same key-stream generation, XOR with Ci to recover Pi.]
Modes: OFB
Output FeedBack (OFB) mode.
- like CFB, but feed back the encryption output instead of the ciphertext.
- transmission errors do not propagate: only the current

[Figure: OFB mode. (a) Encryption: IV → DES Encrypt → select j bits, discard 64 - j bits → XOR with P1..PM to give C1..CM; the encryption output (not Ci) is fed back for the next step. (b) Decryption: same key-stream generation, XOR with Ci to recover Pi.]
Modes: CTR
Counter (CTR) mode (block cipher).
- encrypt a secret counter, always with the same key
- XOR the result with the plaintext block
- increment the counter modulo the block size
- decryption: same key
- the block stream can be pre-generated
- encryption can be done in parallel on many blocks (cf. chaining)
- en/decryption of blocks can be done in any order
- like CFB and OFB, only needs encryption
Used in IPsec and ATM. Exercise: What happens with a small block size?

Stream ciphers
Using e.g. DES in CFB mode to produce a stream cipher is inefficient: better use a native stream cipher to generate the key stream. The RC4 cipher is such a cipher (or pseudo-random-number generator), and can be 10 times faster than DES. It can be very insecure if used improperly. Developed in 1987 for RSA Data Security, Inc. by Ron Rivest (the R of RSA). Proprietary, but in 1994 someone posted the source anonymously. RC4 is trademarked, so it is sometimes called ARCFOUR or ARC4 (for "alleged RC4").
RC4 algorithm
Components:
- state vector S[256] represents a permutation of 0..255
- key vector K[klen] initializes the permutation
- indices i and j into the state vector

RC4 initialization
Initialization (identity permutation):
    for i = 0..255: S[i] = i
Initial permutation of S:
    j = 0
    for i = 0..255:
        j = (j + S[i] + K[i mod klen]) mod 256
        swap(S[i], S[j])

RC4
Very simple, and efficient software implementations. The key sequence very probably has a period of > 10^100.
- the first part of the output is not random enough (discard the first 3K bytes to be safe)
- never reuse a generated key stream (cf. one-time pad)
- use at least 128-bit keys
- use random and fresh keys
Used e.g. in SSL (Secure Socket Layer, https) and WEP (Wired Equivalent Privacy). WEP is severely broken, mainly because it doesn't follow the advice above.
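The key-dependent shuffle above, plus RC4's standard output loop with the indices i and j, in Python, as an added example that is not the slides' code; it also illustrates the "never reuse a key stream" advice by showing that c1 XOR c2 equals p1 XOR p2 when two messages share a key stream. The keys and messages are constructed sample input ("Key"/"Plaintext" is a widely published RC4 test vector), and the drop parameter is my name for the "discard the first bytes" advice.

```python
# Added example, not from the slides: RC4 key-stream generation (the
# key-dependent shuffle as given on the slide, plus the standard output loop
# with indices i and j) and a check of why a key stream must never be reused.
from typing import Iterator


def rc4_keystream(key: bytes, drop: int = 0) -> Iterator[int]:
    """Yield key-stream bytes; `drop` discards the first bytes (the
    "discard the first 3K bytes" advice, i.e. RC4-drop[n])."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    klen = len(key)
    # Initialization: identity permutation, then key-dependent swaps
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % klen]) % 256
        S[i], S[j] = S[j], S[i]
    # Output generation: walk the state with i and j, emit S[S[i] + S[j]]
    i = j = 0
    produced = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        if produced >= drop:
            yield k
        produced += 1


def rc4(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation, as in the Vernam cipher):
    XOR the data with the key stream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, drop)))


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two messages encrypted under the same key stream: c1 XOR c2 equals
    p1 XOR p2, so the key stream cancels out and plaintext relations leak.
    This is why fresh keys are required (cf. one-time pad)."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    # Constructed sample; "Key"/"Plaintext" is a published RC4 test vector
    print(rc4(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    print(keystream_reuse_leak(b"Key", b"attack at dawn", b"attack at dusk"))
```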