conventional encryption & message confidentiality

Dr. Reuven Aviv, Nov 2008

Conventional Encryption 1

Conventional Encryption & Message Confidentiality

Acknowledgements for slides Henric JohnsonBlekinge Institute of Technology, Sweden

King Mongkut’s Univerity of TechnologyKing Mongkut’s Univerity of TechnologyFaculty of Information TechnologyFaculty of Information Technology

Network SecurityNetwork SecurityProf. Reuven AvivProf. Reuven Aviv

Dr. Reuven Aviv, 2008 Conventional Encryption 2

Outline

• Conventional Encryption Principles

• Conventional Encryption Algorithms

• Cipher Block Modes of Operation

• Key Distribution

Prof Reuven Aviv, 2008 Conventional Encryption 3

Conventional Encryption Principles

• An encryption scheme has five ingredients:

– Plaintext

– Encryption algorithm

– Secret Key

– Ciphertext

– Decryption algorithm

• Security depends on the secrecy of the key, not the secrecy of the algorithm

Prof. Reuven Aviv, 2008 Conventional Encryption 4

Conventional Encryption Process

What do we require from the algorithm?


Requirements

• The Encryption algorithm should be strong– Opponent who knows the algorithm &

ciphertexts would be unable to reveal the plaintext or the key

• The key is to be distributed in a secure way

• Low cost chip implementation why?• Important for wide spread use• Secrecy of algorithm NOT required why?


Classification of Cryptographic Systems

• The type of operations used for transforming plaintext to ciphertext examples?

• The number of keys used

– symmetric (single key)

– asymmetric (two-keys, - public-key encryption)

• The way in which the plaintext is processed

– Block cipher, stream cipher

Dr. Reuven Aviv, June 2002 Conventional Encryption 7

A model for Encryption algorithm

• Horst Feistel of IBM in 1973

• Input –

– block of plaintext in two halves: (L0, R0)

– Secret Key K

• Encryption: N rounds of “processing”

– Li-1, Ri-1, Ki Li, Ri,Ki+1

– Sub-keys Ki derived from K

• One round of encryption:

– Ri = apply special F(Ki, Ri-1), XOR with Li-1

– Li = Ri-1 what is XOR?


Transmission and Decryption

• Transmission: Two halves of ciphertext

• Decryption at the receiver (receiver knows K)

• Input:

– Two halves of Ciphertext (Ln+1, Rn+1)

– Last sub-key: Kn How receiver knows this?

• Receiver uses same algorithm as encryption

– Each step: create Ki , (Li, Ri ) in reverse order

– Output: plaintext (L0, R0)

• how to make the algorithm stronger?


Increasing the strength of the algorithm

• Larger Block size

• Larger Key Size

• Increasing Number of rounds

– Output bits depend on more input bits

• Complex Subkey generation algorithm

• More complex F()

• What’s the price of all this?

• All of the above reduce speed

• why is that important?


Conventional Encryption Algorithms

• Data Encryption Standard (DES)

– The most widely used encryption scheme

– DES encrypts block after block (block cypher)

– The plaintext is processed in 64-bit blocks

– The key K is 56-bits in length

• Triple DES (TDES)

– 3 keys, three executions of DES

• Advanced Encryption Standard (AES)


DES

• Encryption:– Initial permutation of the input 64-bit block ??– 16 rounds ( using a special F function)– Swap two halves– Inverse of initial permutation ciphertext

• Decryption– Initial permutation of ciphertext 64-bit block– 16 rounds (use sub-keys in reverse order)– Swap plaintext


Concerns about DES• algorithm vulnerable? (easy way to break?)

– No vulnerability found, but

– The function F is very complex

• Key length

– DES cracker built

– less $250,000, three days work to break (find key)

– Much faster cracking done using internet

• DES is not considered a strong algorithm

• What a cracker want? What does he do?


Cracking methods

• If plaintext is really text– Use statistical distribution of letters, syllables– Use existence of structure: headers, …– In conjunction with brute force

• If plaintext is not text but a general binary file– Use structure if known– Brute force

• Note most files have some structure– E.g. program files– Otherwise attacker would not know if he

succeeded


Cryptanalysis: Average time required for exhaustive key search

Key Size (bits)

Number of Alternative Keys

Time required at 106 Decryption/µs

32 232 = 4.3 x 109 2.15 milliseconds

56 256 = 7.2 x 1016 10 hours

128 2128 = 3.4 x 1038 5.4 x 1018 years

168 2168 = 3.7 x 1050 5.9 x 1030 years


Triple DES

• Encryption: Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt)

• P = Plaintext

• C = ciphertext

• EK[X] = encryption of X using key K

• DK[Y] = decryption of Y using key K

• Effective key length of 168 bits

• We use decryption in the middle. Why?

C = EK3[DK2[EK1[P]]]


Triple DES


TDES: Decryption

C = EK3[DK2[EK1[P]]]

DK3[C] = DK2[EK1[P]]

EK2[DK3[C] = EK1[P]

P = Dk1[EK2[DK3[C]]]

Encryption of Messages

Dr. Reuven Aviv, June 2002


How a long message is encrypted?


Cipher Block Operation: ECB mode

• “Electronic Code Book”

• Divide message into blocks; encrypt each block

• For every block a ciphertext block

– Like a gigantic table: plaintext, ciphertext

• plaintext blocks repeats? same ciphertext block

– cracker identifies blocks, easier to crack

• Improvement: design method so that repeat plaintext blocks different ciphertext blocks!

• How?


Cipher Block Chaining Mode (CBC)

• Ciphertext block i , Ci:

• Do XOR of the current plaintext block Pi and the preceding ciphertext block, Ci-1

• Then encrypt

ii1i1iiK1i

i1iiK

i1iKKiK

i1iki

PPCC][CDC

)P(C][CD

)]P(C[ED][CD

]P[CEC



CBC Encryption

Create “initial value” block XOR with first Plaintext block Encrypt first ciphertext block XOR with second plaintext block,…


Decryption in CBC mode

• Decrypt first ciphertext block• XOR result with Initial Value Block

first Plaintext block• Decrypt second ciphertext block• XOR with first ciphertext block

second plaintext block. …


The Initial Value block IV

• First ciphertext block C1 = EK (IVP1)

• First Plaintext block P1 = IVDK(C1)

• IV should be sent to receiver for decryption


Intitial value attcak• Consider bit j of P1 :

– P1[j] = IV[j]DK(C1)[j]

– If IV[j] is inverted, so is P1[j]

• If attacker gets IV on the way, change it and re-send it to receiver, he can predictably change bits of P1

• What can we do to avoid this attack?

• Better encrypt IV on its way

• IV can be encrypted as a single block, with no chaining

Key Distribution




Types and Usages of Keys• Session key:

– Data encrypted with a short lived session key

– At the end of the session the key is destroyed

• Permanent (or Master) key:

– Used for distributing a (first/new) session key

– session key encrypted by master key, sent

– A (or B) can do this,

– or 3’rd party C with shared master keys Ka, Kb

• C is Key Distribution Center (KDC)

• How Ka, Kb, are created / distributed?


Using KDC: 1. A KDC

• A sends non encrypted Request for a session Key for communicating with B

– Contents: { A id, B id, N1 Nonce}

• Identifier of sender (A) (e.g. Address | port)

• Identifier of intended party (B)

• A random string (Nonce) what’s that for?

• A expects that the nonce will be echoed by the receiver of this message (the KDC)

– It will be encrypted so that A will know that it was echoed by KDC and not by an imposter


Using KDC: 2. KDC A

• 2 parts reply encrypted by master key Ka:

• Part I – to be used by A:

– One time (first/new) session key

– Original request (including the nonce)

• A now knows session key came from KDC

• A knows it’s not a replay of old reply why?

• Part II - encrypted by Kb, will be sent later to B:

• Session key and A id

Key Distribution Scenario




Using KDC: 3. A B

• A stores the session key, forwarding Part II to B

– Both A and B now know the session key

– B knows that session key was created by KDC

– But B is not sure whether A is not an imposter

– May be it is D, who stole part II, sends to B

– B checks if sender knows the session key how• 4. B A: nonce N2, encrypted by the session key

• 5. A B: some predefined function of N2 f(N2)

– B checks result, if OK, A knows the session key

• This is Challenge response authentication


Key Distribution Scenario

conventional encryption & message confidentiality

Documents