Introduction to Cyber Security
Chapter 2: Symmetric Encryption
WiSe 23/24
Chair of IT Security
Chapter Overview
§ General Idea of Symmetric Encryption
§ Block ciphers
§ Modes to use block ciphers
§ Stream ciphers
§ (Pseudo) Random Number Generators
2 IT-Security 1 - Chapter 2: Symmetric Encryption
General Idea of Symmetric Encryption
§ The two communication endpoints share a secret key
§ The secret key is used for both encryption and
decryption
Encryption
§ A symmetric encryption scheme consists of
§ A key generation algorithm
§ An encryption algorithm
§ A decryption algorithm
§ An encryption algorithm E is an algorithm that
§ Takes a plaintext message M of arbitrary length, M ∈ {0,1}*
§ and a key K ∈ {0,1}^n as input
§ and outputs a ciphertext C = E_K(M) ∈ {0,1}*
§ A decryption algorithm D is an algorithm that
§ Takes a ciphertext C and a key K as input
§ And outputs a plaintext M = D_K(C)
§ For every K and every M, D_K(E_K(M)) = M
Kerckhoffs’ Principle & Avalanche Effect
§ A cryptosystem should be secure even if everything
about the system, except the key, is public
knowledge
§ In contrast, keeping the design of a cryptosystem
secret is often referred to as “security through obscurity”
§ Avalanche effect: small change in either plaintext or
the key should produce a significant change in the
ciphertext
Full name: Jean-Guillaume-Hubert-Victor-François-Alexandre-Auguste Kerckhoffs
von Nieuwenhof
Preview: Diffie-Hellman Key Exchange
(src: Wikipedia)
Diffie-Hellman Key Exchange: Idea
§ A prime number p and a primitive root g modulo p are
publicly known
§ Alice picks a secret number a and computes
g^a mod p (let’s call it A) and sends the result to Bob.
§ Bob does the same thing, but with his own secret
number b. So g^b mod p (called B) is sent to Alice
§ Now, Alice can compute B^a mod p.
§ Bob can do the same with the input he got from
Alice: A^b mod p.
Caesar Cipher
§ Caesar cipher is a shift cipher. It shifts letters by a
fixed value, e.g.,
A B C D E F G H I J K L M ...
F G H I J K L M N O P Q R ...
HELLO => MJQQT
Encryption E_K(x) = (x + k) mod 26
Decryption D_K(y) = (y – k) mod 26
§ Another example: Column transposition
§ Problems: brute force attack and frequency analysis
Column Transposition
§ Plaintext is written down in a rectangle, row by row,
and read column by column. The order of columns is
the key.
§ Key:        4 3 1 2 5 6 7
§ Plaintext:  a t t a c k p
              o s t p o n e
              d u n t i l t
              w o a m x y z
§ Ciphertext: ttnaaptm…
Playfair Cipher
• Makes use of a 5x5 matrix of letters constructed
using a keyword (here: monarchy)
• Remainder is filled with the remaining alphabet
letters
• Encryption:
• Encrypt two letters at a time
• Repeating letters are separated with a
filler letter, say, „x“. E.g., hello => he lx lo
• If both letters are in the same column: take the
letter below each one (going back to the top if at
the bottom)
• If both letters are in the same row: take the letter
to the right of each one (going back to the leftmost
if at the rightmost position)
• If neither of the above rules is true: form a
rectangle with the two letters and take the letters
on the horizontal opposite corner of the rectangle
• Examples: me = cl, st = tl, nt = rq
Hill Cipher
§ Invented by Lester S. Hill in 1929
§ Idea: Plaintext msg has to be expressed as a
sequence of integers p = (p_1, …, p_m)
§ The key k is an m×m matrix
§ The resulting ciphertext c = e_k(p) = p×k will be a
string (c_1, …, c_m) of length m
§ To decrypt the ciphertext one should apply the
inverse linear transformation. In other words
p = c×k^-1, where k·k^-1 mod 26 = I.
Mono vs. Polyalphabetic Ciphers
§ Monoalphabetic cipher – fixed
substitution over the entire message
§ Polyalphabetic cipher – number of
substitutions at different positions
§ To thwart frequency analysis
Alberti Cipher, 1467
Vigenère cipher
§ 26 Caesar ciphers with shifts of 0 to 25
Encryption E_K(x_i) = (x_i + k_(i mod m)) mod 26
Decryption D_K(y_i) = (y_i – k_(i mod m)) mod 26
§ Use of tabula recta:
table of alphabets
§ Choose a keyword and repeat
it until it matches the length of
the plaintext
§ Find a substitution according
to the current key element
(only as many keys are used
as unique letters in the key string)
One-Time Pad
plaintext      10111101…
key          ⊕ 10001111…
ciphertext   = 00110010…
Key is a random bit sequence as long as the plaintext
Encrypt by bitwise XOR of plaintext and key:
ciphertext = plaintext ⊕ key
Decrypt by bitwise XOR of ciphertext and key:
ciphertext ⊕ key = (plaintext ⊕ key) ⊕ key = plaintext ⊕ (key ⊕ key) = plaintext
§ (If key is repeated: Vernam cipher)
§ Cipher achieves perfect secrecy if and only if there are
as many possible keys as possible plaintexts, and
every key is equally likely (Claude Shannon, 1949)
Advantages of One-Time Pad
§ Easy to compute
§ Encryption and decryption are the same operation
§ Bitwise XOR is very cheap to compute
§ As secure as theoretically possible
§ Given a ciphertext, all plaintexts are equally likely,
regardless of attacker’s computational resources
§ …as long as the key sequence is truly random
□ True randomness is expensive to obtain in large quantities
§ …as long as each key is same length as plaintext
□ But how does the sender communicate the key to receiver?
Problems with One-Time Pad
§ Key must be as long as plaintext
§ Impractical in most realistic scenarios
§ Still used for diplomatic and intelligence traffic
§ Does not guarantee integrity
§ One-time pad only guarantees confidentiality
§ Attacker cannot recover plaintext, but can easily change it to
something else
§ Insecure if keys are reused
§ Attacker can obtain XOR of plaintexts
§ Obviously not practical
Brute Force Attacks
§ Try every possible key
§ Successful on average after trying half of the keys
§ Difficulty of a brute force attack (2^N possible keys) grows with the key size N
§ On average half of the keys have to be tried
Brute-Force
§ Try every possible key („exhaustive key search“)
§ Successful on average after trying half of the keys
§ Issue:
□ How to (automatically) know that one is done?
§ Solution:
□ Make use of the entropy
18 Title of the current lecture
Shannon‘s Entropy
§ Originates from the physics of the 19th century
§ Measure of disorder (uncertainty) of a physical system
§ Boltzmann: „Systems go from a less likely to a more
likely state while increasing their value of entropy“
§ Shannon Entropy (1948): loss of information in
communication
§ b determines the unit of entropy
□ b = 2 [bits] b = e [nat] b = 10 [dit]
The Mathematics of Entropy
§ Let X be a discrete random variable with possible
values {x_1, x_2, x_3, …, x_n}
§ Probability of x_i :
§ Uncertainty:
§ Entropy is the expectation value of uncertainty:
An Example
§ Example Message: “HELLO WORLD”
§ 1. Count Frequencies:
2. Calculate Probability:
3. Entropy Value:
Summary
§ Shannon’s Entropy serves as measure of goodness
of encrypted text
§ Plain-Text
□ Usually natural language or structured data, e.g., header
□ Low Disorder of Information
→ low Entropy due to „smaller data distribution“
§ Cipher-Text
□ Usually high disorder of information (chaos)
→ high Entropy due to wider spread data distribution
Idea: Find the key yielding the smallest entropy value
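As an added worked example (not code from the lecture slides): the entropy measure of the previous slides used as the automatic stop criterion for an exhaustive key search, which is what the brute-force slide asks for. The cipher is a constructed toy stream cipher with a 16-bit key (key stream = SHA-256 of key and counter, i.e. a counter-mode-style key stream), chosen only so that the search finishes in seconds; the sample plaintext and the hidden key are constructed as well.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data, base=2):
    """H = -sum p(x) * log_b p(x) over the symbol frequencies of `data`
    (a str or bytes). base 2 -> bits, e -> nat, 10 -> dit."""
    n = len(data)
    return -sum(c / n * math.log(c / n, base) for c in Counter(data).values())


# Toy keyed stream cipher, constructed for this example only (not DES).
# The key is 16 bits wide so that the exhaustive search finishes quickly.
KEY_BITS = 16


def keystream(key: int, length: int) -> bytes:
    """Key stream = SHA-256(key || counter) blocks, as in a counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(2, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_crypt(key: int, data: bytes) -> bytes:
    """XOR with the key stream; encryption and decryption coincide."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def brute_force_with_entropy(ciphertext: bytes, threshold: float):
    """Exhaustive key search. A wrong key turns the ciphertext into
    random-looking bytes (entropy close to the maximum), the right key
    into natural language (low entropy), so the search can stop on its
    own at the first candidate below `threshold`.
    Returns (key, attempts, entropy); key is None if nothing qualified."""
    for attempts, key in enumerate(range(1 << KEY_BITS), start=1):
        h = shannon_entropy(toy_crypt(key, ciphertext))
        if h < threshold:
            return key, attempts, h
    return None, 1 << KEY_BITS, None


# Constructed sample plaintext (natural language) and hidden key.
SAMPLE = (b"Symmetric encryption uses the same secret key for encryption "
          b"and decryption, so the key has to be shared in advance.")
HIDDEN_KEY = 0x4E20


def demo(threshold: float = 5.0):
    ct = toy_crypt(HIDDEN_KEY, SAMPLE)
    key, attempts, h = brute_force_with_entropy(ct, threshold)
    return {"plaintext_entropy": shannon_entropy(SAMPLE),
            "ciphertext_entropy": shannon_entropy(ct),
            "key": key, "attempts": attempts, "entropy_at_stop": h}


if __name__ == "__main__":
    print(round(shannon_entropy("HELLO WORLD"), 4))  # the slide's example text
    print(demo())
```

For the slide's "HELLO WORLD" the function gives about 2.845 bits; the threshold of 5.0 sits between the entropy of English text over bytes (around 4.2 bits) and that of random bytes of the same length (around 6.4 bits here).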
The Hill-Climbing Algorithm
§ Brute-force has to try every possible key
□ Issue: we try keys that may not provide any improvement
□ Solution: only apply keys yielding an improvement
§ Hill-Climbing
□ Depiction of a climber in the mountains
□ „Look around and only walk into a certain
direction if an improvement is expected“
Hill-Climbing
§ Successive Improvements of the cost-function
§ Three critical questions to ask:
□ Where to start?
□ How to update from one step to the next?
□ How to measure goodness?
§ Answers to these questions are specific to the
cryptography system under consideration
□ Here: Application to Mono-alphabetic substitution
Breaking mono-alphabetic Substitution
using Hill-Climbing
§ A mono-alphabetic substitution key is, mathematically
speaking, just a permutation
§ Each permutation can be generated as a sequence of
simple transpositions of two letters
□ E.g., ABCDEF → AFCDEB → AFCEDB
§ The key becomes:
§
I … initial alphabet, e.g., ABCDEF...XYZ
T_i … i-th transposition
The Hill-Climbing Algorithm
1) Select initial alphabet I
□ E.g., normal alphabet ABC...Z
2) Randomly choose two positions in the alphabet and
swap their characters
3) Evaluate their goodness using a cost-function
□ E.g., Entropy or n-Grams
4) If and only if an improvement was detected, update the
key. Otherwise we discard the operation!
5) Continue with 2) until a certain goodness is achieved
Block and Stream Ciphers
§ Block ciphers encrypt blocks of plaintext of the same
length with the same key
§ Stream ciphers produce a pseudo-random stream of
key bits
§ Plaintext is XORed bitwise with the key stream to produce
ciphertext
§ Block ciphers can, however, be turned into stream
ciphers as we will see
§ Stream ciphers are also block ciphers with a block
size of “1”
§ I.e., this distinction is somewhat blurred, particularly
at the edges
Block Ciphers
§ Operate on a single chunk (“block”) of plaintext
§ For example, 64 bits for DES, 128 bits for AES
§ Same key is reused for each block (can use short keys)
§ Result should look like a random permutation
§ “As if” plaintext bits were randomly shuffled
§ Only computational guarantee of secrecy
§ Not impossible to break, just very expensive
□ If there is no efficient algorithm (unproven assumption!), then
can only break by brute-force, try-every-possible-key search
§ Time and cost of breaking the cipher exceed the value
and/or useful lifetime of protected information
Commonly known Block Ciphers
§ DES
§ 3DES
§ AES
§ Twofish
§ MARS
§ …
DES
§ Published in 1977 by the National Bureau of Standards*
§ Designed by IBM and the NSA
§ Uses a 64-bit key and a block length of 64 bit
§ Main operations: substitutions and permutations
§ 8 bits of the key are used as parity bits
§ Effective key size is 56 bits
* called the National Institute of Standards and Technology (NIST) since 1988
Diffusion and Confusion
A „good“ cipher should use at least the following two atomic
operations (Shannon):
§ Confusion – relationship between plaintext and
ciphertext is obscured
§ E.g., substitution table
§ Role: hide key
§ Diffusion – the influence of each plaintext bit is
spread over many ciphertext bits
§ E.g., permutation
§ Role: hide statistical relationship between plaintext and
ciphertext
Principle of an N round product cipher
Iterative Structure of DES
Feistel Network
Initial and Final Permutation (1/2)
Initial and Final Permutation (2/2)
§ Bitwise permutations („crosswiring“)
§ Inverse operations
§ Described by tables IP and IP^-1
Purpose of Initial/Final Permutation
„Interestingly, permutations can be very easily
implemented in hardware but are not particularly fast in
software. Note that both permutations do not increase
the security of DES at all. The exact rationale for the
existence of these two permutations is not known, but it
seems likely that their original purpose was to arrange
the plaintext, ciphertext and bits in a bytewise manner
to make data fetches easier for 8-bit data busses, which
were the state-of-the-art register size in the early
1970s.“ Paar and Pelzl „Understanding Cryptography“
The f-Function
• Expansion E (diffusion)
• XOR with round key
• S-box substitution (confusion)
• Permutation
Expansion and S-box S1
(figure: expansion E and the S-box S1 table, indexed by row and column)
The Permutation P
§ Bitwise permutation
§ Introduces diffusion
§ Output bits of one s-box affect several s-boxes in the
next round
§ After round 5, every bit is a function of each key bit
and each plaintext bit (thanks to P, E, and S-Boxes)
Principles of DES
§ First, each input block is subjected to a fixed input
permutation
§ Over the two resulting 32-bit blocks L and R, 16
similar encryption steps are executed, each
depending on a 48-bit sub-key of the external (56-bit) key k.
§ Sub-keys are generated by a key selection procedure
§ Finally, execution of an output permutation inverse to
the input permutation
§ Decryption analogous to encryption
§ 16 sub-keys are required in reverse order
DES Key Schedule
§ The input key size of the DES is 64 bit: 56 bit key
and 8 bit parity
§ Parity bits are removed in the first permuted choice
PC-1:
DES Key Schedule
• In rounds i = 1, 2, 9, 16 the two halves
are each rotated left by 1 bit
• In all other rounds by 2 bits
• The total number of rotations is
4*1 + 12*2 = 28, so C_0 = C_16 and D_0 = D_16
• 48 out of 56 permuted bits of the input
key k are used in every round
• Each bit is used in ca. 14 of the 16
round keys
DES Decryption
• In Feistel ciphers only the key schedule
has to be modified for decryption
• Generate 16 round keys in reverse order
• Reversed key schedule applying PC-2
• No rotation in round 1
• One bit rotation to the right in
rounds 2,9,16
• Two bit rotations to the right in all
other rounds
DES Decryption
Hence, after the first decryption round we have the same values as before
the last encryption round => first decryption reverses last encryption round.
(see plot from the lecture with two Feistel networks (last encryption and
first decryption round) for details)
e-encryption, d-decryption
DES Decryption/The effect of the final swap
Security of DES
§ January 13th, 1999: DES key broken within 22 hours
and 15 minutes
§ In a contest sponsored by RSA Labs using
§ EFF's Deep Crack custom DES cracker ...
§ … and the idle CPU time of around 100,000 computers
§ 2006: COPACOBANA: 6.4 days at a cost of 10KEur
§ It is no longer advisable to use DES
§ Especially not for new applications
§ Biggest weakness still is the key length of 56 bits only!
§ Otherwise the best known attack needs 2^43 chosen
ciphertexts ((x,y) pairs) under the same key
Problems with 2DES
§ First idea to increase the key size of DES
§ Use DES twice in a row with two independent keys k1, k2
§ Problem: this does not double the effective key size
§ “Meet-in-the-middle-attack”
§ Assume attacker has a plaintext/ciphertext pair (M,C) with
DES(k2,DES(k1,M)) = C but no knowledge of the keys k1, k2
§ Attacker can compute a list of intermediate ciphertexts Z by
encrypting M with each possible key k1: 2^56 DES operations
§ Attacker can decrypt C with all possible k2 until he finds one that
matches one of the Z's: again at most 2^56 DES operations
§ Overall: at most 2·2^56 DES operations to find the keys k1, k2
§ This is a known-plaintext attack against 2DES with a complexity of
2^57
3DES = “Triple DES”
§ Use DES three times in a row
§ Two variants in use: 3-key 3DES and 2-key 3DES
§ Both variants first use encryption with key1, decryption with
key2, encryption with key3
§ 3-key 3DES: k1, k2, k3 pairwise different
§ 2-key 3DES: k1 = k3
AES
§ Goals
§ More secure than 3DES
§ More efficient than 3DES
§ Support different key lengths
AES Selection
§ January 1997: National Institute of Standardization
§ “[...] the AES would specify an unclassified, publicly disclosed
encryption algorithm, available royalty-free, worldwide.“
§ August 1998: presentation of 15 candidates
§ Cast-256, Crypton, DEAL, DFC, E2, Frog, HPC, Loki97,
Magenta, MARS, RC6, Rijndael, SAFER+, Serpent, Twofish
§ Broken under public scrutiny: DEAL, Frog, HPC, Loki97,
Magenta
§ August 1999: selection of 5 candidates for the next
round
§ October 2000: Rijndael is selected as AES
§ November 2001: AES is standardized in FIPS 197
Structure of AES
§ AES is round based
§ AES uses a State Matrix with byte entries to
represent the input and output of each round
Operations used in each round
(figure: the round operations Mix Column (MC) and Shift Row (SR))
Rounds
§ The round key is different for each round and
generated from the secret key
§ * No Mix Column takes place in the last round
Number of Rounds
§ Depends on the key length
§ 128 bit key – 10 rounds
§ 192 bit key – 12 rounds
§ 256 bit key – 14 rounds
Recap Galois Fields
§ See blackboard notes
§ Group, Ring, Field
§ Finite (Galois) Field
§ Prime Fields and Extension Fields
□ Arithmetic
§ Set of elements
§ How to compute on those elements
§ See math books at the end of the chapter (if needed)
Definition: Group (Paar & Pelzl)
Definition: Field (Paar & Pelzl)
AES Overview
AES round function
AES S-Box
Mathematical description of the S-Box
ShiftRow Sublayer
MixColumn Sublayer
In GF(2^8):
0000 0001 = 1
0000 0010 = x
0000 0011 = x+1
Recent Attacks Against AES
§ May and August 2009, Biryukov et al., University of
Luxembourg
§ Related-key attacks on AES-256 and AES-192
□ Currently best attack against AES-256: key recovery attack with
time complexity of 2^119
□ Attack against AES-192: key recovery within 2^176
§ Related-key attacks
□ Requires access to plaintexts encrypted with multiple keys that
are related in a specific way
§ No reason to worry yet
§ No attacks against full round AES-128 known that are better
than brute force
§ No practical attacks against full round AES-256, AES-192
Overview on time-complexity of Attacks Against AES-256
(figure: time complexity of the attacks plotted against the number of rounds)
Encrypting a Large Message
§ So, we’ve got a good block cipher, but our plaintext is
larger than the 128-bit block size
§ Electronic Code Book (ECB) mode
§ Split plaintext into blocks, encrypt each one separately using
the block cipher
§ Cipher Block Chaining (CBC) mode
§ Split plaintext into blocks, XOR each block with the result of
encrypting previous blocks
§ Also various counter modes, feedback modes, etc.
ECB Mode
§ Encryption: c_i = E_K(m_i)
§ Decryption: m_i = D_K(c_i)
§ Disadvantages
§ Same plaintext block always leads to the same output block
§ Patterns in the plaintext block still show in the ciphertext
§ Re-ordering or deletion of ciphertexts cannot be detected
Why ECB is Not Enough
(figure: the same image as plaintext, ECB-encrypted and CBC-encrypted)
§ Ciphertext as a whole in ECB Mode reveals
information about the original plaintext as a whole
§ Even if an individual block does not reveal anything
Cipher Block Chaining Mode
§ IV := c_0
§ Encryption: c_i = E_K(m_i xor c_(i-1))
§ Decryption: m_i = D_K(c_i) xor c_(i-1)
§ Uses the xor of plaintext block and the ciphertext block
corresponding to the previous plaintext as input to the block
cipher
§ Advantages
§ Deletion of a ciphertext block can be detected
§ Re-ordering of ciphertext blocks can be detected
§ Self-synchronizing on transmission errors
Self-Synchronization
§ Transmission error in c_2 will only influence m_2 and m_3
§ Subsequent plaintext will be correctly recovered
Cipher Feedback Mode (CFB) - Simplified
§ IV public, IV := c_0
§ Encryption: c_i = E_K(c_(i-1)) xor m_i
§ Decryption: m_i = c_i xor E_K(c_(i-1))
§ Generates a key stream that depends on the ciphertext
§ In the non-simplified version
§ block length of the encryption function is longer than plaintext block
§ part of the output of the encryption function is discarded
§ Non-discarded part is used to shuffle the bits of IV to the left
Output Feedback Mode (OFB) - Simplified
§ IV public
§ Encryption: c_i = E_K^i(IV) xor m_i
§ IV encrypted i times
§ Decryption: m_i = c_i xor E_K^i(IV)
§ Generates a key stream that does not depend on the ciphertext
§ Key stream can be pre-computed as soon as IV is known
§ Non simplified version as cipher feedback mode
Counter Mode (CTR)
§ IV public
§ Encryption: c_i = E_K(IV + i) xor m_i
§ Decryption: m_i = c_i xor E_K(IV + i)
§ Like OFB turns a block cipher into a stream cipher
§ Can additionally be parallelized as there is no feedback
Important Properties of the Modes
§ OFB, CFB and CTR
§ Not restricted to complete blocks
§ Turn a block cipher into a stream cipher (to some extent)
□ Plaintext is xored with key stream bits, key stream depends on
IV, Counter, and/or the last ciphertext block
§ ECB, CBC
§ Require padding to complete blocks
§ Padding has to be easy to strip off
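As an added example (not code from the lecture or from any cited textbook): ECB and CBC as defined on the preceding slides, built over a constructed 8-round Feistel toy cipher with 64-bit blocks (round function: truncated SHA-256, key schedule: key || round number, decryption = reversed round keys as in DES), plus the PKCS#7-style padding that ECB and CBC require. The functions check that ECB repeats ciphertext blocks for repeated plaintext blocks, that CBC does not, and that a transmission error in c_2 affects only m_2 and m_3. Key, IV and message are constructed.

```python
import hashlib

BLOCK, ROUNDS = 8, 8   # 64-bit blocks like DES (constructed toy cipher, not DES)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, subkey: bytes) -> bytes:
    """Round function: keyed hash of the 32-bit half (toy, not DES's f)."""
    return hashlib.sha256(subkey + half).digest()[:4]

def _subkeys(key: bytes):
    """Toy key schedule: round key r = key || r."""
    return [key + bytes([r]) for r in range(ROUNDS)]

def _feistel(block: bytes, subkeys) -> bytes:
    left, right = block[:4], block[4:]
    for sk in subkeys:
        left, right = right, xor(left, _f(right, sk))
    return right + left   # undo the last swap, as DES does

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Feistel decryption: the same network with the round keys reversed
    return _feistel(block, _subkeys(key)[::-1])

def pad(data: bytes) -> bytes:
    """PKCS#7 style: append 1..BLOCK bytes whose value is their count,
    so the receiver can strip the padding unambiguously."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):                 # c_i = E_K(m_i)
    return b"".join(encrypt_block(key, m) for m in blocks(pad(plaintext)))

def ecb_decrypt(key, ciphertext):                # m_i = D_K(c_i)
    return unpad(b"".join(decrypt_block(key, c) for c in blocks(ciphertext)))

def cbc_encrypt(key, iv, plaintext):             # c_i = E_K(m_i xor c_{i-1})
    out, prev = [], iv                           # c_0 = IV
    for m in blocks(pad(plaintext)):
        prev = encrypt_block(key, xor(m, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_blocks(key, iv, ciphertext):     # m_i = D_K(c_i) xor c_{i-1}
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return out

def cbc_decrypt(key, iv, ciphertext):
    return unpad(b"".join(cbc_decrypt_blocks(key, iv, ciphertext)))

# Constructed sample key, IV and message; the message repeats two blocks.
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))
MSG = b"ATTACK AT DAWN! " * 3 + b"END"

def ecb_leaks_repetition(key=KEY, msg=MSG):
    # ECB: equal plaintext blocks 0, 2, 4 give equal ciphertext blocks
    c = blocks(ecb_encrypt(key, msg))
    return c[0] == c[2] == c[4]

def cbc_leaks_repetition(key=KEY, iv=IV, msg=MSG):
    # CBC: the chaining hides the repetition
    c = blocks(cbc_encrypt(key, iv, msg))
    return c[0] == c[2] or c[2] == c[4]

def cbc_error_propagation(key=KEY, iv=IV, msg=MSG, n=2, mask=0x01):
    """Flip one bit in ciphertext block c_n (1-based, c_0 = IV) and report
    per plaintext block what the receiver recovers (self-synchronization)."""
    ct = bytearray(cbc_encrypt(key, iv, msg))
    ct[(n - 1) * BLOCK] ^= mask                 # transmission error in c_n
    got = cbc_decrypt_blocks(key, iv, bytes(ct))
    status = []
    for i, (m, d) in enumerate(zip(blocks(pad(msg)), got), start=1):
        if d == m:
            status.append("ok")
        elif i == n + 1 and d == bytes([m[0] ^ mask]) + m[1:]:
            status.append("one bit flipped")      # same bit as in c_n
        else:
            status.append("garbled")               # D_K(c_n') is random
    return status
```

The sample message pads to seven blocks, so the error report has seven entries: block 2 is garbled, block 3 carries exactly the flipped bit, all others decrypt correctly.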
When Is a Cipher “Secure”?
§ Hard to recover the key?
§ What if attacker can learn plaintext without learning the key?
§ Hard to recover plaintext from ciphertext?
§ What if attacker learns some bits or some function of bits?
§ Fixed mapping from plaintexts to ciphertexts?
§ What if attacker sees two identical ciphertexts and infers
that the corresponding plaintexts are identical?
§ Implication: encryption must be randomized or stateful
How Can a Cipher Be Attacked?
§ Attacker knows ciphertext and encryption algorithm
§ Main question: what else does the attacker know?
§ Depends on the application in which the cipher is used!
§ Brute-force attack: try out all possible keys
§ Ciphertext-only attack
§ Known-plaintext attack (stronger)
§ Knows some plaintext/ciphertext pairs
§ Chosen-plaintext attack (even stronger)
§ Can obtain ciphertext for any plaintext of his choice
§ Chosen-ciphertext attack (very strong)
§ Can decrypt any ciphertext except the target before target is known
§ Adaptive chosen-ciphertext attack
§ Can decrypt any ciphertext chosen adaptively, i.e. depending on the
target and the result of the previous ciphertexts
Ciphertext-only Attack
§ An attacker tries to recover the plaintext but has
access only to the ciphertext
Known-plaintext Attack
§ The attacker tries to recover the plaintext from the
ciphertext ...
§ … and has access to some pairs of plaintext and
ciphertext
Chosen-plaintext Attack
§ The attacker tries to recover the plaintext from the
ciphertext ...
§ … and can obtain ciphertexts for plaintexts of his
choice
Chosen-ciphertext Attack
§ The attacker tries to recover the plaintext from the
ciphertext ...
§ … and can select ciphertexts (other than the target)
for which he can obtain plaintexts
Stream Ciphers
§ Remember the one-time pad?
§ EK(M) = M xor Key
§ Key must be a random bit sequence as long as message
§ Idea: replace “random” with “pseudo-random”
§ Encrypt with pseudo-random number generator (PRNG)
§ PRNG takes a short, truly random secret seed and expands
it into a long “random-looking” sequence
□ E.g., 128-bit seed into a 1600-bit pseudo-random sequence
§ EK(M) = IV, M xor PRNG(IV,K)
§ Message processed bit by bit, not in blocks
Properties of Stream Ciphers
§ Usually very fast (faster than block ciphers)
§ Used where speed is important: WiFi, SSL, DVD, speech
§ Unlike one-time pad, stream ciphers do not provide
perfect secrecy
§ Only as secure as the underlying PRNG
§ If used properly, can be as secure as block ciphers
§ PRNG is, by definition, unpredictable
§ Given the stream of PRNG output (but not the seed!), it’s hard
to predict what the next bit will be
□ If PRNG(unknown random seed) = b_1…b_i, then b_(i+1) is “0” with
probability ½, “1” with probability ½
Weaknesses of Stream Ciphers
§ No integrity
§ Associativity & commutativity: (X xor Y) xor Z=(X xor Z) xor Y
§ (M1 xor PRNG(seed)) xor M2 = (M1 xor M2) xor PRNG(seed)
§ Known-plaintext attack is very dangerous if keystream is
ever repeated
§ Self-cancellation property of XOR: X xor X=0
§ (M1 xor PRNG(seed)) xor (M2 xor PRNG(seed)) = M1 xor M2
§ If attacker knows M1, then easily recovers M2
□ Most plaintexts contain enough redundancy that knowledge of M1
or M2 is not even necessary to recover both from M1 xor M2
Stream Cipher Terminology
§ Seed of pseudo-random generator often consists of
initialization vector (IV) and key
§ IV is usually sent with the ciphertext
§ The key is a secret known only to the sender and the
recipient, not sent with the ciphertext
§ The pseudo-random bit stream produced by
PRNG(IV,key) is referred to as keystream
§ PRNG must be cryptographically secure
§ Encrypt message by XORing with keystream
§ ciphertext = message xor keystream
Examples for Stream Ciphers
§ RC4
§ Used, e.g. in WLAN, TLS, IPsec
§ A5/1, A5/2
§ Used in GSM/GPRS
§ SEAL
§ ...
RC4
§ Designed by Ron Rivest for RSA in 1987
§ Simple, fast, widely used
§ SSL/TLS for Web security, WLAN
§ Structure:
Key K → Key Scheduler → S (256 byte array) → Key Stream Generator → Key stream
RC4 Key Stream Generation
(figure: one round of the key stream generator, with the swap of S[i] and S[j])
§ Key scheduler fills 256 byte array S
§ Key stream byte K generated as illustrated above
Key Stream Generator
§ In each round of the loop a key stream byte is
generated
i = j := 0
loop
i := (i+1) mod 256
j := (j+S[i]) mod 256
swap(S[i],S[j])
output S[(S[i]+S[j]) mod 256]
end loop
RC4 Key scheduler – How S is filled
Key can be any length up to 2048 bits
Divide key K into L bytes
Generate initial permutation from key K:
for i = 0 to 255 do
    S[i] := i
j := 0
for i = 0 to 255 do
    j := (j+S[i]+K[i mod L]) mod 256
    swap(S[i],S[j])
§ To use RC4, usually pre-pend initialization vector (IV) to the key
§ IV can be random or a counter
§ RC4 is not random enough! 1st byte of generated sequence
depends only on 3 cells of state array S. This can be used to
extract the key (Fluhrer-Mantin-Shamir attack).
§ To use RC4 securely, RSA suggests discarding first 256 bytes
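The key scheduler and key stream generator of the two preceding slides in Python, as an added example (not code from the lecture). It adds the two usage points the slide makes: the IV is pre-pended to the key, and the first bytes of the key stream can be discarded (RSA's advice of 256); the IV values are constructed, the test vector (key "Key", plaintext "Plaintext") is the published RC4 one.

```python
def rc4_ksa(key: bytes) -> list:
    """Key scheduler: start from the identity permutation of 0..255 and
    scramble it with the key bytes (key length L = 1..256 bytes)."""
    L = len(key)
    if not 1 <= L <= 256:
        raise ValueError("key must be 1..256 bytes (up to 2048 bits)")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % L]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list, n: int, drop: int = 0) -> bytes:
    """Key stream generator: one output byte per loop round; the first
    `drop` bytes are discarded (RSA's advice: drop the first 256)."""
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])


def rc4_crypt(key: bytes, data: bytes, iv: bytes = b"", drop: int = 0) -> bytes:
    """XOR data with the key stream of iv || key (IV pre-pended to the
    key as on the slide). The same call encrypts and decrypts."""
    ks = rc4_keystream(rc4_ksa(iv + key), len(data), drop)
    return bytes(d ^ k for d, k in zip(data, ks))


def same_keystream(key: bytes, iv1: bytes, iv2: bytes, n: int = 16) -> bool:
    """True if two IVs yield the same key stream under one key: a repeated
    IV repeats the key stream, which is what the IV is there to prevent."""
    return (rc4_keystream(rc4_ksa(iv1 + key), n)
            == rc4_keystream(rc4_ksa(iv2 + key), n))
```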
(Pseudo) Random Number Generators
§ Random Numbers can be generated by repeating an
experiment with a random result
§ E.g. throwing a coin
§ Pseudo Random Numbers just “look random” but are
generated by a deterministic process with feedback,
using a (smaller) random “seed” as input
Random seed → Deterministic Process → Random stream (with feedback into the process)
PRNGs
§ Pseudo Random Number Generators (PRNGs) are
used in cryptography for many different purposes
§ Generation of symmetric keys
§ Generation of asymmetric keys or parameters used in key
generation
§ Generation of random challenges in authentication
mechanisms
§ PRNGs are typically based on Pseudo Random Bit Generators (PRBGs) that
generate one pseudo random output bit at a time
§ Some standards also use the term Pseudo Random
Function (PRF) instead of PRNG
PRBGs
§ A PRBG is said to pass the next bit test if there is no
polynomial-time algorithm, which on input of the first
k bits of the output of PRBG can predict the next bit
with probability greater than ½
§ A PRNG that is based on a PRBG that passes the
next bit test is called cryptographically secure
§ Cryptographically secure PRBGs can be constructed
from
§ (Keyed) Hash functions (see next chapter)
§ Block ciphers
§ Number theoretic problems
Blum Blum Shub (BBS) Generator
§ Proposed in 1986
§ p and q are two large prime numbers
§ (p mod 4) = (q mod 4) = 3
§ n=p*q
§ Choose a random number s that is relatively prime to
n
§ x_0 = s^2 mod n
§ x_i = (x_(i-1))^2 mod n
§ b_i = x_i mod 2 => the output bit at each iteration
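The BBS generator of this slide as an added example (not code from the lecture), with the two parameter checks the slide states (p ≡ q ≡ 3 mod 4, seed relatively prime to n). The parameters p = 11, q = 23, s = 3 are constructed toy values so that the sequence can be followed by hand; real deployments use primes of hundreds of bits.

```python
from math import gcd


class BlumBlumShub:
    """n = p*q with p ≡ q ≡ 3 (mod 4); x_0 = s^2 mod n;
    x_i = x_{i-1}^2 mod n; output bit b_i = x_i mod 2."""

    def __init__(self, p: int, q: int, seed: int):
        if p % 4 != 3 or q % 4 != 3:
            raise ValueError("p and q must both be congruent to 3 mod 4")
        self.n = p * q
        if gcd(seed, self.n) != 1:
            raise ValueError("seed must be relatively prime to n")
        self.x = pow(seed, 2, self.n)          # x_0 = s^2 mod n

    def next_bit(self) -> int:
        self.x = pow(self.x, 2, self.n)        # x_i = (x_{i-1})^2 mod n
        return self.x & 1                      # b_i = x_i mod 2 (lowest bit)

    def bits(self, k: int) -> list:
        return [self.next_bit() for _ in range(k)]

    def random_int(self, nbits: int) -> int:
        """Assemble nbits output bits into an integer, most significant first."""
        v = 0
        for _ in range(nbits):
            v = (v << 1) | self.next_bit()
        return v


def toy_sequence(k: int = 10) -> list:
    """Constructed toy parameters: p = 11, q = 23 (n = 253), s = 3.
    x_1..x_10 = 81, 236, 36, 31, 202, 71, 234, 108, 26, 170."""
    return BlumBlumShub(11, 23, 3).bits(k)
```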
Cryptographically Secure PRNG
§ Next-bit test
§ Given N bits of the pseudo-random sequence, predict
(N+1)st bit
□ Probability of correct prediction should be very close to 1/2 for
any efficient adversarial algorithm
§ PRNG state compromise
§ Even if attacker learns complete or partial state of the
PRNG, he should not be able to reproduce the previously
generated sequence
□ … or future sequence, if there’ll be future random input(s)
§ Common PRNGs are not cryptographically secure
Reading and Figure Credits
§ Basics
§ Stallings: Chapter on Symmetric Encryption
§ Kaufman: Chapters 3 and 4
§ Paar & Pelzl : Understanding Cryptography
§ Katz & Lindell: Introduction to Modern Cryptography
§ Further Reading
§ Random Numbers: RFC 1750
§ Really nice comic on AES
□ http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
§ Figure Credits: Forouzan “Introduction to
Cryptography and Network Security” and Paar
“Understanding Cryptography”
Optional Math Books
§ Basics
§ Ronald Graham, Donald Knuth, Oren Patashnik: Concrete
Mathematics: A Foundation for Computer Science
§ Kenneth H. Rosen: Discrete Mathematics and Its
Applications