8/12/2019 Excursus 02
1/41
STREAM CIPHERS
A.A. 2010/2011 1
Cryptography Part II
Stream Enciphering
Michele Elia
Politecnico di Torino
-
Stream enciphering is realized in two ways:
- as a bit-by-bit operation, which is performed by machines called stream ciphers
- as a block-by-block operation, which is performed by machines called block ciphers
Stream enciphering is intended to be the encryption of long sequences of bits.
-
Stream Ciphers
Plaintext binary sequence
m(1), m(2), ..., m(n), ...
Key binary sequence (produced by an FSM starting from a short sequence K0 called the secret key)
k(1), k(2), ..., k(n), ...
Encrypted binary sequence
e(1), e(2), ..., e(n), ...
Encryption rule, referred to as Caesar enciphering
e(n) = m(n) + k(n)
-
Structure of a stream generator as autonomous FSM
[Block diagram with labels: periodic generator, nonlinear function, output k(n)]
-
Stream Cipher Cryptanalysis
The problem: find the secret key K0 (the initial state of the FSM), knowing
- the state transition function f,
- the output function g,
given a piece of the generated enciphering stream
k1, k2, k3, ..., ks
-
Structure of a Block Cipher
[Block diagram with labels: input m1 ... mn, key, nonlinear function, output e1 ... en]
-
Block Ciphers (classical)
Enigma: single character cipher
DES: Data Encryption Standard
AES: Advanced Encryption Standard
IDEA: International Data Encryption Algorithm
-
Common structure
Input
Input Transformation
Round 1
Round 2
Round n
Output Transformation
Output
-
Classic (Standard) Algorithms
Algorithm  Block                  Key                Round
Enigma     1 character            3 characters       3 x 2
DES        64 = 32+32             56 bit             16
AES        128 = 8x(4x4)          128-192-256 bit    10-12-14
IDEA       64 = 16+16+16+16       128 bit            8
-
Enigma: Round structure
26 alphabetic characters represented as elements of Z26
T(X)= (X+k)-k
Each round consists of a Caesar transformation followed by a permutation (monoalphabetic substitution) followed by the inverse of the Caesar transformation.
The machine state changes after the encryption of a character, with a period that depends on the rotor notches and is of the order of 26^6
-
DATA ENCRYPTION STANDARD: DES
Ei = DES(K0, Mi) (64 bit)
[Block diagram with labels: DES, input Mi (64 bit), key K0 (56 bit), output Ei (64 bit)]
-
DES ROUND structure
[Round diagram with labels: Li, Ri, Q(S(E(Ri) + Ki)), +, Li+1, Ri+1]
-
DES function description
M is a vector with 64 entries (bits); consider M=(L|R) decomposed into two vectors of dimension 32
P denotes an operator permuting the entries of a vector
denotes an involutory operator, that is M=(R|L) 2= where is the identity operator
denotes an operator such that M=(L+f(R)|R)
therefore is an involution, that is 2 =
DES = P 16 15 14 1 P-1
DES-1 = P 1 2 3 16 P-1
-
Description of DES function: function f(.)
f(R)= S(E(R)+K)
K is a vector of 48 bits defined from K0, the key of 56 bits
E(.) is an expansion function from a vector of dimension 32 to a vector of dimension 48: this is obtained by replicating some entries
S, called S-box, is a compression function from dimension 48 to dimension 32 made of 8 boxes that define 8 s-mappings from 6 bits to 4 bits: the vector of 48 bits is partitioned into 8 vectors of 6 bits, to each of which an s-mapping is applied
-
DES transformation
In standard applications a binary message is partitioned into groups (vectors) of 64 bits
M0, M1, ..., Mn, ...
Function DES is always applied with the same key K0 to each vector
DES(K0, M0), DES(K0, M1), ..., DES(K0, Mn), ...
-
AES
128 bits of data are stored as bytes in a 4 x 4 state matrix
Round operations are: Subbyte, Shiftrow, Mixcolumn, and Addroundkey
State matrix entries: $X_{ij}$
-
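Round transformations
Subbyte: $X_{ij} \leftarrow X_{ij}^{-1}$ followed by $X_{ij} \leftarrow A X_{ij} + a$
Shiftrow
Mixcolumn: $\sum_{i=0}^{3} X_{ij} x^i \leftarrow a(x) \sum_{i=0}^{3} X_{ij} x^i \bmod (x^4 + 1)$
Addroundkey
[One further formula on this slide, written in the symbols c, r, j, w and 4, is not recoverable from the extracted text]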
-
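AES Round Structure
[Round diagram: the state entries $X_{ij}$ pass through the formulas of the previous slide: $X_{ij} \leftarrow X_{ij}^{-1}$, $X_{ij} \leftarrow A X_{ij} + a$, the product by $a(x)$ modulo $x^4 + 1$, and the formula in c, r, j, w]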
-
Legend
Polynomial (fixed in the standard): $a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$; it is relatively prime with $x^4 + 1$
Affine transformation on bytes:
A =
11111000
01111100
00111110
00011111
10001111
11000111
11100011
11110001
a = (0, 1, 1, 0, 0, 0, 1, 1)^T
-
Legend (continued)
Each round requires 4 words (i.e. 128 bits) of key data plus 4 words for the output transformation
A 128 bit key requires 4 x 11 words of key data w[i] (0i
-
Legend (continued)
Rotword takes a four-byte word [a0,a1,a2,a3] as input and returns [a1,a2,a3,a0]
Subword performs the Subbyte transformation on every byte in the word
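The Subbyte formulas and the Rotword and Subword definitions above, as an added example that is not part of the original slides: the matrix A and the vector a are copied from the legend and read with the most significant bit first, and the field polynomial x^8+x^4+x^3+x+1 is the one fixed by the AES standard. Function names are chosen here.

```python
# Rows of the affine matrix A and the vector a, as listed in the legend.
ROWS = [0b11111000, 0b01111100, 0b00111110, 0b00011111,
        0b10001111, 0b11000111, 0b11100011, 0b11110001]
A_CONST = 0b01100011

def gf_mul(x, y):
    """Multiply two bytes as polynomials modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= 0x11B
        y >>= 1
    return r

def gf_inv(x):
    """X^-1 computed as X^254; the byte 0 has no inverse and is mapped to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r if x else 0

def affine(x):
    """Compute A*x + a over GF(2); each row of A yields one output bit."""
    y = 0
    for row in ROWS:                      # top row produces bit 7
        y = (y << 1) | (bin(row & x).count("1") & 1)
    return y ^ A_CONST

def subbyte(x):
    return affine(gf_inv(x))

SBOX = [subbyte(x) for x in range(256)]

def rotword(word):
    """[a0, a1, a2, a3] -> [a1, a2, a3, a0]"""
    return word[1:] + word[:1]

def subword(word):
    """Apply Subbyte to every byte of the word."""
    return [SBOX[b] for b in word]
```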
-
IDEA Round structure
[Round diagram with labels: inputs X1, X2, X3, X4; outputs X1, X2, X3, X4; subkeys K1, K2, K3, K4, K5, K6; "+" operation nodes]
-
Legend
XOR on 16 bits: sum in $\mathbb{Z}_2^{16}$
Sum modulo $2^{16}$: sum in $\mathbb{Z}_{2^{16}}$
Product modulo $2^{16}+1$: product in $\mathbb{Z}_{2^{16}+1}$
-
ECB: Electronic Code Book
Ei = DES(K0, Mi) (64 bit)
[Block diagram with labels: DES, input Mi (64 bit), key K0 (56 bit)]
-
CBC: Cipher-Block Chaining
Ei = DES(K0, Mi + Ei-1)
[Block diagram with labels: DES, K0, +, Mi]
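The swap and (L+f(R)|R) operators of the DES function description and the ECB and CBC rules above, as an added example that is not DES and not part of the original slides: the round function f, the key schedule and the initial vector are toy assumptions. It shows that deciphering reuses the same rounds with the round keys in reverse order, and that ECB repeats ciphertext for repeated blocks while CBC does not.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def f(r, k):
    """Toy round function (an assumption, not the DES f = S(E(R)+K))."""
    digest = hashlib.sha256(k + r.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def rounds(block, round_keys):
    """Each round maps (L|R) to (L+f(R)|R) and swaps; the last swap is undone."""
    l, r = block >> 32, block & MASK32
    for k in round_keys:
        l, r = r, l ^ f(r, k)
    return (r << 32) | l

def make_keys(k0, n=16):
    """Assumed toy key schedule: n round keys hashed from K0."""
    return [hashlib.sha256(k0 + bytes([i])).digest() for i in range(n)]

def enc_block(m, keys):
    return rounds(m, keys)

def dec_block(e, keys):
    return rounds(e, keys[::-1])       # same involutions, opposite order

def ecb_encrypt(blocks, keys):
    return [enc_block(m, keys) for m in blocks]        # Ei = E(K0, Mi)

def cbc_encrypt(blocks, keys, iv):
    out, prev = [], iv
    for m in blocks:
        prev = enc_block(m ^ prev, keys)               # Ei = E(K0, Mi + Ei-1)
        out.append(prev)
    return out

def cbc_decrypt(blocks, keys, iv):
    out, prev = [], iv
    for e in blocks:
        out.append(dec_block(e, keys) ^ prev)
        prev = e
    return out

# Constructed sample: three 64-bit blocks, the first two identical.
KEYS = make_keys(b"constructed-K0")
MSG = [0x1111111111111111, 0x1111111111111111, 0x0000000000000001]
IV = 0x0123456789ABCDEF
```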
-
CFB: Cipher FeedBack
ki = DES(K0, ki-1)
[Block diagram with labels: DES, ki-1, K0, +, Mi, Ei]
-
OFB: Output FeedBack
ki = DES(K0, Ei-1)
Ei = ki + Mi
[Block diagram with labels: DES, Ei-1, K0, +, Mi]
-
Applications
GSM (Mobile telephony)
- Authentication for correct accounting and access control to the network
- Confidentiality
- No tracking
Internet Secure Connection
-
GSM
Security in GSM is based on three algorithms
- A3: authentication algorithm (and protocol)
- A5: confidentiality algorithm: a stream cipher with a stream generator consisting of three clock-controlled LFSRs
- A8: a one-way function used to define the initial state for A5
Tracking is avoided by using a secret alias for every accepted user.
-
GSM - A3 protocol
Users are identified by
- a public user number PIN, the phone number, and
- a secret user number ID.
ID is stored on the SIM card and in the access control computer system of the Provider.
-
GSM - A3 protocol
BOB encrypts RANDOM combined with his secret ID using the A3 algorithm
ANSWER = A3(RANDOM, ID)
BOB sends ANSWER to BS
BS forwards ANSWER to P
P compares ANSWER with the locally computed ANS = A3(RANDOM, ID)
If ANS = ANSWER then access is permitted, otherwise it is denied.
-
GSM - A3 protocol
If access is permitted then P sends an ack to BS together with SKEY5, a secret key used by the encryption algorithm A5
BS sends an ack to BOB.
BOB computes his SKEY5 as
SKEY5 = A8(RANDOM, ID)
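The exchange on the A3 protocol slides, with both sides' messages, as an added example that is not part of the original slides and does not use the GSM algorithms: A3 and A8 are replaced by HMAC-SHA-256 stand-ins, and the step in which P issues RANDOM, the output lengths and all class and function names are assumptions. The comparison is constant-time and each RANDOM is accepted once, so a recorded ANSWER cannot be replayed.

```python
import hashlib
import hmac
import secrets

def a3(random, id_):
    """Stand-in for A3: a keyed one-way function of (RANDOM, ID)."""
    return hmac.new(id_, b"A3" + random, hashlib.sha256).digest()[:4]

def a8(random, id_):
    """Stand-in for A8: derives SKEY5 from the same inputs, domain-separated."""
    return hmac.new(id_, b"A8" + random, hashlib.sha256).digest()[:8]

class Provider:
    """P: holds the secret ID of every subscriber, indexed by the public PIN."""
    def __init__(self, subscribers):
        self.subscribers = subscribers
        self.pending = {}                      # PIN -> outstanding RANDOM

    def challenge(self, pin):
        self.pending[pin] = secrets.token_bytes(16)
        return self.pending[pin]

    def verify(self, pin, answer):
        """Return SKEY5 for BS if ANS = ANSWER, otherwise None (access denied)."""
        random = self.pending.pop(pin, None)   # a RANDOM is valid only once
        id_ = self.subscribers.get(pin)
        if random is None or id_ is None:
            return None
        if not hmac.compare_digest(a3(random, id_), answer):
            return None
        return a8(random, id_)

class Phone:
    """BOB: the SIM card holds the secret ID."""
    def __init__(self, pin, id_):
        self.pin, self.id = pin, id_

    def respond(self, random):
        return a3(random, self.id), a8(random, self.id)

def run_exchange(provider, phone):
    """Return (keys agree on both sides, ANSWER as seen on the radio link)."""
    random = provider.challenge(phone.pin)
    answer, skey_phone = phone.respond(random)
    skey_bs = provider.verify(phone.pin, answer)
    agreed = skey_bs is not None and hmac.compare_digest(skey_bs, skey_phone)
    return agreed, answer
```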
-
GSM - A5 algorithm
It is composed of three LFSRs of length 19, 22, and 23.
The evolution is clock controlled: three cells, in positions 8, 10 and 10 of the three registers respectively, are checked, and only the registers holding the majority symbol (either 0 or 1) change state.
The output sequence is obtained as the sum modulo 2 of the three binary sequences.
-
GSM - A5 algorithm
Block scheme and polynomial generators
$g_{19}(x) = x^{19} + x^{5} + x^{2} + x + 1$
$g_{22}(x) = x^{22} + x + 1$
$g_{23}(x) = x^{23} + x^{7} + x^{2} + x + 1$
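The clock-controlled generator described on the two A5 slides, used with the rule e(n) = m(n) + k(n), as an added example that is not part of the original slides and is not a bit-exact implementation of the deployed cipher. Register lengths, clock-control cells and polynomial exponents are taken from the slides; numbering cells from 0, the output cell, the key-loading rule and all names are assumptions.

```python
# (length, exponents of the generator polynomial below the leading term,
#  clock-control cell). Values read from the slides; cell 0 is the oldest bit.
REGISTERS = [(19, (5, 2, 1, 0), 8), (22, (1, 0), 10), (23, (7, 2, 1, 0), 10)]

def load_state(skey5):
    """Assumed loading rule: cut a 64-bit SKEY5 into 19 + 22 + 23 cells."""
    state = []
    for length, _, _ in REGISTERS:
        reg = [(skey5 >> i) & 1 for i in range(length)]
        skey5 >>= length
        if not any(reg):
            reg[0] = 1          # an all-zero LFSR would never leave that state
        state.append(reg)
    return state

def step(state):
    """Clock the registers holding the majority symbol; return (k, moved)."""
    checked = [reg[c] for reg, (_, _, c) in zip(state, REGISTERS)]
    majority = int(sum(checked) >= 2)
    moved = 0
    for reg, (_, taps, c) in zip(state, REGISTERS):
        if reg[c] == majority:
            new = 0
            for e in taps:
                new ^= reg[e]   # recurrence s[t+n] = sum of s[t+e], from g(x)
            reg.pop(0)
            reg.append(new)
            moved += 1
    k = state[0][0] ^ state[1][0] ^ state[2][0]   # sum modulo 2 of the outputs
    return k, moved

def keystream(skey5, n):
    """First n steps of the generator as a list of (k, registers moved)."""
    state = load_state(skey5)
    return [step(state) for _ in range(n)]

def encipher(bits, skey5):
    """e(n) = m(n) + k(n); applying it twice with the same key returns m."""
    stream = keystream(skey5, len(bits))
    return [m ^ k for m, (k, _) in zip(bits, stream)]
```

At every step two or three registers move, never fewer, because at least two of the three checked cells always agree with the majority.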
-
GSM - Comments
A3 algorithm
- Is the Provider's responsibility and choice
- Must be a strong ONE-WAY function to prevent cloning
- Must be easy to compute because of the limited power of cell phones
- Definition is not publicly available
- Common to all Providers (possibly), as the one proposed by the GSM group is used
-
GSM - Comments
A5 algorithm
- Must be common to every Provider as it runs on every Base Station
- Must be reasonably strong but guarantee QoS, being a real-time bit-by-bit encryption
- Must need few computations because of the limited power and energy available
- Is public. It was originally proposed by the GSM standardization group
- Initial state of the LFSRs is provided by the A8 algorithm
-
GSM - Comments
A8 is the Provider's responsibility and choice
- It must be a strong ONE-WAY function to prevent cloning
- The weakness is manifest only if A5 is broken
- It must be easy to compute because of the limited power of cell phones
- At present the algorithm used is not public. It is common to all Providers as they use the one proposed by the GSM standardization group
-
Internet secure connection
Internet confidentiality is based on Secure Socket Layer (SSL), which establishes an encrypted connection with the secret keys distributed by a Trusted Party using a PKC
SSL encrypts the bits that go through the Internet channel
-
Comparison
Internet confidentiality and GSM confidentiality are examples of two different security models:
- SSL encrypts the channel
- GSM encrypts the message