symmetric key cryptography
Symmetric Encryption
• Classic ciphers
• also known as (AKA)
  – single key
  – Secret key
• sender and recipient share a common key
• was only type prior to invention of public-key cryptography
  – until second half of 1970’s
Symmetric Cipher Model
there must be a secure mechanism for the distribution of this key a priori
source: William Stallings
Requirements
• two requirements for secure use of symmetric encryption:
  – a strong encryption algorithm
  – a secret key known only to sender / receiver
Y = E_K(X)
X = D_K(Y)
• assume encryption algorithm is known
  – Kerckhoffs’s Principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge
• implies a secure channel to distribute the key
cryptographic attacks
• The language of the plaintext and the nature of the cipher are assumed to be known to the adversary.
• Ciphertext-only attack: The adversary knows only a number of ciphertexts.
• Known-plaintext attack: The adversary knows some pairs of ciphertext and corresponding plaintext.
• Chosen-plaintext attack: The adversary can choose a number of messages and obtain the ciphertexts.
• Chosen-ciphertext attack: The adversary can choose a number of ciphertexts and obtain the plaintexts.
* These attacks are also applicable to PKC
requirements for a secure cipher
• In cryptography, confusion and diffusion are two properties of the operation of a secure cipher [Claude Shannon]
• Diffusion means that if we change a character of the plaintext, then several characters of the ciphertext should change, and similarly, if we change a character of the ciphertext, then several characters of the plaintext should change
• Confusion means that the key does not relate in a simple way to the ciphertext. In particular, each character of the ciphertext should depend on several parts of the key
popular primitives
• Substitution
• Permutation/transposition
• exclusive-OR: ⊕
first substitution (shift) cipher
• Caesar Cipher: E(x) = x+3 (mod 26)
  – monoalphabetic cipher
• then, how to decrypt? D(y)?
• is it secure?
affine cipher
• another monoalphabetic substitution cipher
• for English alphabet, m is 26 below
• E(x) = (ax+b) mod m
• D(y) = a^(-1)(y-b) mod m
• how many keys?
  – 26 letters
  – 12 numbers for a, 26 numbers for b
• is it secure?
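The affine slide's questions, worked as an added example (not part of the original slides): encryption and decryption with the modular inverse, the full key list, and an exhaustive search over it. The sample plaintext, the key (5, 8) and the function names are constructed for illustration.

```python
from math import gcd

M = 26  # size of the English alphabet, the slide's m

def valid_keys(m=M):
    """All (a, b) for which E(x) = (a*x + b) mod m can be inverted."""
    return [(a, b) for a in range(1, m) if gcd(a, m) == 1 for b in range(m)]

def encrypt(text, a, b, m=M):
    """E(x) = (a*x + b) mod m over the letters A..Z."""
    return "".join(chr((a * (ord(ch) - 65) + b) % m + 65) for ch in text)

def decrypt(text, a, b, m=M):
    """D(y) = a^(-1) * (y - b) mod m."""
    a_inv = pow(a, -1, m)  # raises ValueError when gcd(a, m) != 1
    return "".join(chr(a_inv * (ord(ch) - 65 - b) % m + 65) for ch in text)

def brute_force(ciphertext, crib):
    """Try every key; keep those whose decryption starts with a known word."""
    return [(a, b) for a, b in valid_keys()
            if decrypt(ciphertext, a, b).startswith(crib)]

if __name__ == "__main__":
    ct = encrypt("AFFINECIPHER", 5, 8)   # constructed sample plaintext and key
    print(len(valid_keys()))             # 12 choices of a times 26 choices of b
    print(ct, brute_force(ct, "AFFINE"))
    print(encrypt("ABC", 1, 3))          # a = 1, b = 3 is the Caesar cipher
```

With only 312 keys, trying all of them takes a fraction of a second, which answers "is it secure?" for both the Caesar and the affine cipher.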
Monoalphabetic Substitution Cipher
• The key space: all permutations of = {A, B, C, …, Z}
• Encryption given a key :
  – each letter X in the plaintext P is replaced with (X)
• Decryption given a key :
  – each letter Y in the ciphertext C is replaced with -1(Y)
Example:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
= B A D C Z H W Y G O Q X S V T R N M L K J I P F E U
BECAUSE AZDBJSZ
• is it secure?
frequency analysis
• Frequency analysis is based on the fact that, in any given stretch of written language, certain letters and combinations of letters occur with varying frequencies.
[Figure: bar chart over the letters a to z, vertical axis 0 to 14]
other hints to guess
• Most common English bigrams (frequency in 1000 words)
polyalphabetic (polygraphic) substitution
Vigenère Cipher
[A=0, B=1, …, Z=25], Z_n = {0, 1, …, n-1}, P = C = (Z_26)*
Definition: Given m (key length), and K = (k_1, k_2, …, k_m) a key,
Encryption: e_K(p_1, p_2, …, p_m) = (p_1+k_1, p_2+k_2, …, p_m+k_m) (mod 26)
Decryption: d_K(c_1, c_2, …, c_m) = (c_1-k_1, c_2-k_2, …, c_m-k_m) (mod 26)
Example:
Plaintext:  C R Y P T O G R A P H Y
Key:        L U C K L U C K L U C K
Ciphertext: N L A Z E I I B L J J I
Vigenère Cipher
• Can an attacker figure out the key length m?
• If the attacker finds the key length, then what happens?
Hill Cipher
• polygraphic substitution cipher based on linear algebra
C1 = 9*p1 + 18*p2 + 10*p3 (mod 26)
C2 = 16*p1 + 21*p2 + 1*p3 (mod 26)
C3 = 5*p1 + 12*p2 + 23*p3 (mod 26)
[C1]   [ 9 18 10] [p1]
[C2] = [16 21  1] [p2]  (mod 26)
[C3]   [ 5 12 23] [p3]
• how to decrypt?
Hill cipher: A key is a matrix
k11 k12 k13
k21 k22 k23
k31 k32 k33
• Generalize to any size, larger blocks
• matrix multiplication can provide diffusion
• Matrix must be invertible
• is it secure?
  – is vulnerable to a known-plaintext attack
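The two Hill cipher slides, worked as an added example (not part of the original slides): decryption with the inverse of the slide's key matrix mod 26, and why known plaintext gives the key away, since C = K·P means K = C·P^(-1). The plaintext BADABECAB is constructed so that its 3x3 block matrix is invertible mod 26; the function names are illustrative.

```python
from math import gcd

M = 26
K = [[9, 18, 10], [16, 21, 1], [5, 12, 23]]  # key matrix from the slide

def mat_mul(a, b):
    """Product of a 3x3 matrix and a 3xN matrix, reduced mod 26."""
    return [[sum(a[i][k] * b[k][j] for k in range(3)) % M
             for j in range(len(b[0]))] for i in range(3)]

def mat_inv(a):
    """Inverse of a 3x3 matrix mod 26 via the adjugate."""
    cof = [[a[(i + 1) % 3][(j + 1) % 3] * a[(i + 2) % 3][(j + 2) % 3]
            - a[(i + 1) % 3][(j + 2) % 3] * a[(i + 2) % 3][(j + 1) % 3]
            for j in range(3)] for i in range(3)]
    det = sum(a[0][j] * cof[0][j] for j in range(3)) % M
    if gcd(det, M) != 1:  # "Matrix must be invertible"
        raise ValueError("matrix is not invertible mod 26")
    d_inv = pow(det, -1, M)
    return [[d_inv * cof[j][i] % M for j in range(3)] for i in range(3)]

def to_cols(text):
    """Pack A..Z text (length a multiple of 3) into a 3xN matrix, one block per column."""
    nums = [ord(c) - 65 for c in text]
    return [nums[i::3] for i in range(3)]

def from_cols(m):
    return "".join(chr(m[i][j] + 65) for j in range(len(m[0])) for i in range(3))

def encrypt(text, key=K):
    return from_cols(mat_mul(key, to_cols(text)))

def decrypt(text, key=K):
    return from_cols(mat_mul(mat_inv(key), to_cols(text)))

def recover_key(plain, cipher):
    """Known-plaintext case: three blocks with an invertible plaintext
    matrix P determine the key, K = C * P^(-1) mod 26."""
    return mat_mul(to_cols(cipher[:9]), mat_inv(to_cols(plain[:9])))

if __name__ == "__main__":
    pt = "BADABECAB"  # constructed sample; its block matrix has determinant 21 mod 26
    ct = encrypt(pt)
    print(ct, decrypt(ct))
    print(recover_key(pt, ct) == K)
```

The cipher is linear, so nine known letters are enough here; matrix multiplication supplies diffusion but no confusion.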
transposition cipher
• aka permutation cipher
columnar cipher
X-or (⊕) in cryptography
• Sender wants to send M to receiver
• M (Original plaintext): 1010
• K (Key): 0011
• M ⊕ K = 1001 (Encrypted ciphertext)
1001 transmitted
• Receiver already knows K
• (M ⊕ K) ⊕ K = 1001 ⊕ 0011 = 1010 = M
-> original message is restored!
one time pad (OTP)
• The one-time pad is a provably secure cryptosystem (Gilbert Vernam, 1918).
  – aka Vernam cipher
• The message is represented as a binary string (a sequence of 0’s and 1’s) using a coding mechanism such as ASCII coding.
• The key is a truly random sequence of 0’s and 1’s of the same length as the message.
• The encryption is done by adding the key to the message modulo 2, bit by bit. This process is often called exclusive or, XOR (⊕)
OTP: Example
• message = ‘IF’
• then its ASCII code = (1001001 1000110)
• key = (1010110 0110001)
• Encryption:
  – 1001001 1000110 plaintext
  – 1010110 0110001 key
  – 0011111 1110110 ciphertext
• Decryption:
  – 0011111 1110110 ciphertext
  – 1010110 0110001 key
  – 1001001 1000110 plaintext
OTP problems
• Key should be as long as plaintext
  – key should not be reused
• Key distribution & Management difficult
Two types of symmetric ciphers
• Stream cipher
  – Encrypts one bit at a time
    • mimicking OTP
  – e.g. RC4
• Block cipher
  – Encrypts a block of bits at a time
  – e.g. DES, AES
stream cipher
• Generalization of one-time pad
• Stream cipher is initialized with key
• Key is “stretched” into long keystream
• Keystream ⊕ plaintext = ciphertext
• Stream cipher is a keystream generator
[Figure: sender and receiver each run a keystream generator initialized with the same Key, producing keystream K_i; the sender computes C_i = P_i ⊕ K_i and the receiver computes P_i = C_i ⊕ K_i]
stream cipher: LFSR
• linear feedback shift register (LFSR)
s_{t+3} = s_{t+1} + s_t
S0 S1 S2
0  0  1
0  1  0
1  0  1
0  1  1
1  1  1
1  1  0
1  0  0
-----------------
0  0  1
Initial fill determines the sequence of states
Generates a periodic sequence …0010111...
Maximal period 2^3-1 = 7
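The slide's register as an added example (not part of the original slides): it steps the recurrence s_{t+3} = s_{t+1} + s_t from the initial fill 0 0 1, reproduces the state table and the output 0010111, and uses the output as a keystream. The message bits and function names are constructed for illustration.

```python
from itertools import islice

def lfsr_states(fill=(0, 0, 1)):
    """Yield register states (S0, S1, S2) = (s_t, s_{t+1}, s_{t+2}) for the
    slide's recurrence s_{t+3} = s_{t+1} + s_t (mod 2)."""
    s0, s1, s2 = fill
    while True:
        yield (s0, s1, s2)
        s0, s1, s2 = s1, s2, (s1 + s0) % 2

def first_states(fill, n):
    return list(islice(lfsr_states(fill), n))

def period(fill):
    """Number of steps before the register returns to a state already seen."""
    seen = {}
    for t, state in enumerate(lfsr_states(fill)):
        if state in seen:
            return t - seen[state]
        seen[state] = t

def keystream(fill, n):
    """First n output bits s_0, s_1, ...: the S0 cell of each successive state."""
    return [state[0] for state in first_states(fill, n)]

def xor_bits(bits, fill):
    """Stream-cipher use: message XOR keystream. The same call decrypts."""
    return [b ^ k for b, k in zip(bits, keystream(fill, len(bits)))]

if __name__ == "__main__":
    for state in first_states((0, 0, 1), 8):
        print(*state)                            # the table on the slide
    print(period((0, 0, 1)), period((0, 0, 0)))  # the all-zero fill never leaves zero
    msg = [1, 0, 1, 0, 1, 1, 0, 0, 1, 0]         # constructed message bits
    ct = xor_bits(msg, (0, 0, 1))
    print(ct, xor_bits(ct, (0, 0, 1)) == msg)
```

A three-cell register repeats its keystream every 7 bits, so any message longer than that reuses key material, which is what the OTP slide says must not happen.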
revisit confusion and diffusion
• confusion refers to making the relationship between the ciphertext and the symmetric key as complex and involved as possible;
• diffusion refers to dissipating the statistical structure of plaintext over bulk of ciphertext.
• This complexity is generally implemented through a series of substitutions and permutations
  – The simplest way to achieve both diffusion and confusion is to use a substitution-permutation network
advanced encryption standard (AES)
• based on Rijndael cipher
• data block viewed as 4-by-4 table of bytes
• Such a table is called the current state
• 3 key lengths (128/192/256), 128 bit key is assumed here
• key is expanded to array of words
  – each word is 128 bit long
• has 10 rounds in which state goes through the following transformations (called ‘layers’):
  – SubBytes: byte substitution (1 S-box used on every byte)
  – ShiftRows: shift rows (permute bytes between groups/columns)
  – MixColumns: mix columns (uses matrix multiplication in GF(256))
  – AddRoundKey: add round key (XOR state with round key)
• First and last round are a little bit different
AES: 50,000 feet view
AES: SubBytes (S-box)
• a simple substitution of each byte
• a byte = two nibbles
• S-box has 16x16 entries: all possible 8-bit values
• each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits)
AES: ShiftRows
• a circular byte shift in each row (permutation)
  – 1st row is unchanged
  – 2nd row does 1 byte circular shift to left
  – 3rd row does 2 byte circular shift to left
  – 4th row does 3 byte circular shift to left
AES: Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication (Hill Cipher)
AES: Add Round Key
• XOR state with 128-bits of the round key
Modes of Operations
• message is typically longer than the block size
• DES and AES have multiple modes of operations
• depending on how consecutive blocks are processed
• five modes
  – ECB
  – CBC
  – CFB
  – OFB
  – CTR
Electronic CodeBook (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
C_i = E_K1(P_i)
• uses: secure transmission of single values
Electronic Codebook Mode (ECB)
Ciphertext = (C_0 C_1 ... C_n)
[Figure: encryption applies E_k separately to P_{i-1}, P_i, P_{i+1} to give C_{i-1}, C_i, C_{i+1}; decryption applies D_k separately to each ciphertext block]
64 bit (8 byte) blocks in DES
Advantages and Limitations of ECB
• repetitions in message may show in ciphertext
  – if aligned with message block
  – particularly with data such as graphics
  – or with messages that change very little, which become a code-book analysis problem
• weakness due to encrypted message blocks being independent
• ECB mode is susceptible to substitution attacks
• main use is sending a few blocks of data
Cipher Block Chaining (CBC)
• Two identical plain messages produce two different cipher messages.
• This prevents Chosen plaintext attack.
Cipher Block Chaining (CBC)
• message is broken into blocks
• but these are linked together in the encryption operation
• each previous cipher block is chained with current plaintext block, hence name
• use Initialization Vector (IV) to start process
C_i = E_K1(P_i XOR C_{i-1})
C_{-1} = IV
• uses: bulk data encryption, authentication
Cipher Block Chaining Mode (CBC)
Encryption:
C_i = E_k(P_i ⊕ C_{i-1})
C_0 = E_k(P_0 ⊕ IV)
Decryption:
P_i = C_{i-1} ⊕ D_k(C_i)
P_0 = IV ⊕ D_k(C_0)
Ciphertext = (IV C_0 C_1 ... C_n)
[Figure: encryption XORs each plaintext block with the previous ciphertext block (the IV for P_0) before E_k; decryption applies D_k to each ciphertext block and XORs the result with the previous ciphertext block]
CBC – Error Propagation
• 1 bit error in the plaintext feed
  – Will affect that block and all others
  – Decryption will correct all but the flipped bit
• 1 bit error in the ciphertext feed
  – Will affect two blocks
• CBC mode is self recovering
CBC – Initialization Vector (IV)
• If IV is same, every encryption of the same plaintext is the same.
• With the IV being a random number, encryptions of the same plaintext will all be different
• IV can be public, but should satisfy two requirements
  – otherwise, some attacks are possible
• two requirements for IV usage
  – no IV is reused under the same key
  – IV change should be unpredictable
Advantages and Limitations of CBC
• each ciphertext block depends on all previous blocks
• encrypting a block requires the finish of encryption of all the previous blocks
• no parallelism in encryption
• parallelism in decryption
Cipher FeedBack (CFB)
• message is treated as a stream of bits
  – can be a stream cipher
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
  – denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)
C_i = P_i XOR E_K1(C_{i-1})
C_{-1} = IV
Cipher Feedback Mode (CFB)
Encryption:
C_i = P_i ⊕ E_k(C_{i-1})
C_0 = P_0 ⊕ E_k(IV)
Decryption:
P_i = C_i ⊕ E_k(C_{i-1})
P_0 = E_k(IV) ⊕ C_0
Ciphertext = (IV C_0 C_1 ... C_n)
[Figure: on both sides E_k is applied to the previous ciphertext block (the IV for the first block) and the result is XORed with P_i to give C_i, or with C_i to give P_i]
CFB – Initialization Vector
• CFB must use an IV
• same requirements as CBC
CFB – Error Propagation
• CFB mode is self recovering
• one bit error in ciphertext corrupts some # of blocks
  – CFB-8 -> 8 bytes are garbled
Bit errors in the incoming cipher block (i.e. a byte) will cause bit errors at the same bit positions in the first plaintext block. This cipher block will then be fed to the shift register and cause bit errors in the plaintext for as long as the erroneous bits stay in the shift register. Hence, for 8-bit CFB, the following 8 bytes will be garbled. After that, the system recovers, and all following bytes are decrypted correctly.
Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes: stream cipher
• most common stream mode
• encryption is not parallelizable
  – keystream cannot be generated in advance
• decryption is parallelizable
• note that the block cipher is used in encryption mode at both ends
output feedback mode (OFB)
• can be a stream cipher
• IV is used as a seed to generate OTP
• actual encryption/decryption is only X-or
  – fast
• no dependency
  – parallel encryption/decryption
Output Feedback Mode (OFB)
Encryption:
C_i = P_i ⊕ E_k(S_{i-1})
C_0 = P_0 ⊕ E_k(IV)
Decryption:
P_i = C_i ⊕ E_k(S_{i-1})
P_0 = E_k(IV) ⊕ C_0
Note: The plaintext is never encrypted. IV and successive encryptions act as a one-time pad generator.
OFB: advantages and limitations
• no error propagation
  – 1 bit error in ciphertext affects only one bit in plaintext
• a (key)stream can be generated in advance
• fast due to parallelism
• if attacker knows plaintext and ciphertext, he can modify the plaintext
counter mode (CTR)
• can be a stream cipher
• IV is called a counter
• highly parallelizable
  – no linkage between blocks
  – very fast
• counter should not be repeated for the same key
• can decrypt from any arbitrary position unlike OFB
• attacker can get ⊕ of two plaintext blocks by taking the ⊕ of two ciphertext blocks, like OFB
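The two limitations listed for OFB and CTR, shown in an added example that is not part of the original slides: a repeated counter makes C1 ⊕ C2 equal P1 ⊕ P2, and a party who knows the plaintext can rewrite it without the key. Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for the block cipher E_K, and the encrypt-then-MAC check with a second key is one common way to detect the modification, not something the slides specify; keys, nonce and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 8

def keystream(key, nonce, nblocks):
    """CTR-style keystream: block i is F_key(nonce || i), where F is
    HMAC-SHA256 truncated to 8 bytes (stand-in for E_K)."""
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]
        for i in range(nblocks))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key, nonce, data):
    """Encrypt or decrypt: both are data XOR keystream."""
    return xor(data, keystream(key, nonce, -(-len(data) // BLOCK)))

def tamper(ct, known_pt, wanted_pt):
    """Modification without the key: C' = C XOR P XOR P' decrypts to P'."""
    return xor(ct, xor(known_pt, wanted_pt))

def seal(enc_key, mac_key, nonce, pt):
    """Encrypt, then authenticate nonce and ciphertext with a separate key."""
    ct = ctr_crypt(enc_key, nonce, pt)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext was modified")
    return ctr_crypt(enc_key, nonce, ct)

# Constructed sample values.
ENC_KEY, MAC_KEY, NONCE = b"constructed-enc-key", b"constructed-mac-key", b"\x00" * 4
P1 = b"PAY BOB 0100 USD"
P2 = b"PAY EVE 9999 USD"

if __name__ == "__main__":
    c1 = ctr_crypt(ENC_KEY, NONCE, P1)
    c2 = ctr_crypt(ENC_KEY, NONCE, P2)            # counter repeated under the same key
    print(xor(c1, c2) == xor(P1, P2))             # keystream cancels out
    print(ctr_crypt(ENC_KEY, NONCE, tamper(c1, P1, P2)))
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, P1)
    try:
        open_sealed(ENC_KEY, MAC_KEY, NONCE, tamper(ct, P1, P2), tag)
    except ValueError as err:
        print(err)
```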
counter (CTR) mode
other usage of modes of operations: message authentication code (MAC)
• CBC can be used to check message integrity