Secret Key Cryptography

1
Secret Key Cryptography
2
Outline

• Conventional encryption
• Block ciphers
• DES, IDEA, Skipjack, RC5
• Cryptanalysis
• Attacks
• Key Distribution

3
Conventional Encryption

• The original message, referred to as plaintext,
  is converted into random nonsense, referred to as
  ciphertext.
• The encryption algorithm consists of an algorithm
  and a key.

4
Conventional Encryption 2

• The algorithm produces a different output for
  every different key being used
• Once the ciphertext is produced it is transmitted
• Upon reception the ciphertext can be transformed
  back to the original plaintext by using a
  decryption algorithm and the same key

5
Conventional Encryption 3

• The security depends on several factors
• It must be impractical to decrypt a message with
  only the knowledge of the ciphertext
• It must be still impractical to decrypted a
  message also if the algorithm is known. In other
  words only the encryption/decryption key is
  needed to be kept secret

6
Block Ciphers

• Ek(m) c
• Some modes of use
• Electronic Code Book ECB
• Cipher Block Chaining CBC
• Cipher Feedback Mode CFB
• Output Feedback Mode OFB

7
Block Ciphers 2

• Electronic Code Book
• Each plaintext block is encrypted independently
• Not very secure for highly formatted data
• The blocks of encrypted messages are not linked
• Cipher Block Chaining
• Output of one enciphering step is used to modify
  the input of the next
• Self-synchronizing on clock boundaries
• At most two blocks are decrypted in error when
  one block is received in error

8
General Principles

• Confusion
• Make the relation between the key and the
  ciphertext as complex as possible
• Diffusion
• Spread the influence of a single plaintext digit
  over many ciphertext digits
• Transposition Cipher
• Rearrange the order of the plaintext digits
• Substitution Cipher
• Replace occurrences of certain patterns with
  other patterns

9
DESIBM (1974), adopted as a national standard
1977

• 64-bit block cipher, 56-bit key, 16 rounds
• Key transformed into 16 partial keys using a key
  scheduling algorithm
• Confusion provided by the key scheduling and the
  S-boxes
• Diffusion provided by the mixing and permutations
• Up to 1 Gbit/sec in hardware (250 MHz)

10
DES
INPUT
INITIAL PERMUTATION

R0
L0
f
R0L0?f(R0,K1)
L1R0
f
L16
R16
INVERSE INITIAL PERMUTATION
OUTPUT
11
IDEA

• PES (1990), revised to IPES (1991)
• 64-bit block cipher 128-bit key
• 8 rounds key scheduling provides 52 subkeys of
• 16 bits
• Confusion provided by a mix of incompatible
  arithmetic operations
• Diffusion provided by the architecture of the
  algorithm
• Between 45 Mbits/sec and 115Mbits/sec in hardware

12
RC5

• Rivest (1994)
• Basic features
• variable block size variable-length secret key
• iterative cipher with a variable number of rounds
• secret key is used to fill an expanded key table
  S.
• security provided by heavy use of data-dependent
  rotations and mixture of different operation

13
SkipjackDesigned by NSA as part of the Capstone
project

• 64-bit block cipher
• 80-bit key
• Iterative, 32 rounds
• Reporter to be secure against publicly known
  attacks
• 16 Mbit/sec
• Intended for use with the proposed Clipper chip

14
Cryptanalysis

• Main Types
• Ciphertext only
• Known plaintext
• Chosen plaintext
• Some Methods
• Brute force
• Differential cryptanalysis
• Other

15
Brute Force

• For any block cipher, it is possible to try all
  possible keys
• For DES there are 256 possible keys
• There is a complementation property for DES
• Using the complementation property a brute force
  attack requires only 255 DES operations
• How expensive is exhaustive search

16
Multiple Encryption

• Ek2(Ek1(m))
• Merkle and Hellman (1981) - an attack using known
  plaintext/ciphertext pairs
• DES - 256 operations and 256 words of memory
• Ek1(Dk2(Ek1(m)))
• A chosen plaintext attack
• DES - 256 operations and 256 memory
• Ek3(Dk2(Ek1(m)))
• Recommended

17
Differential Cryptanalysis

• Iterated ciphers with a weak round function
• Choosing pairs of plaintext, observe the effect
  of the difference between them on the difference
  between resulting ciphertext pairs
• Assign probabilities to the possible keys
• Locate the most probable key
• 16 round DES can be cryptanalysed using 247
  chosen plaintext pairs

18
Characteristics

• A structure consisting of several rounds
• The difference between two inputs is fixed
• The difference between outputs is specified
• The intermediate differences between rounds are
  specified
• the key is unknown
• The characteristic has a probability attached

19
Characteristics 2

• Each input pair with the correct difference is
  either a right pair or a wrong pair
• Right pair yields useful key information
• Wrong pair yields random key information
• Characteristics can be combined
• The smaller the probability, the more pairs we
  need

20
Results

• Differential cryptanalysis has been used with
  success on
• FEAL-N and N-Hash
• Snefru and Khafre
• REDOC-II
• LOKI
• Lucifier
• DES
• (Biham and Shamir still consider DES secure)

21
Differential Cryptanalysis and DES

• Coppersmith reports that differential
  cryptanalysis was known to the designers of DES
• S-box design
• Further hints

22
Other Attacks

• Cycling Attacks
• For each pair of keys k1 and k2 is there a third
• key k3, such that Ek1(Ek2(m))Ek2(m) ?
• If so
• we can decrypt using k1 and k2 instead of k3, and
• there is an attack requiring 228 operations

23
Other Attacks

• Key Scheduling Attack
• Iterated ciphers
• Chosen key attack
• LOKI91, requires 232 chosen plaintexts, 248
  known plaintexts
• DES is not susceptible
• The key scheduling algorithm is important

24
Summary

• Recent advances in cryptanalysis
• New block ciphers have had mixed fortunes
• DES is still considered secure

25
Stream Ciphers

• Motivation
• Well developed ground rules
• Strong analytical framework
• Analogy with the one-time pad
• Fast

26
Design Approaches

• Information theoretic
• The opponent has unlimited resources
• Complexity theoretic
• The security depends on a difficult problem
• Randomized stream ciphers
• The opponent is forced to solve a problem of
  infeasible size
• System theoretic
• Belief in security depends on the state of the art

27
One-time PadVernam (1926), Shannon (1949)

• Choose r1, r2 independently and at random
  (keystream)
• Write the plaintext as m1, m2, , mn (message
  stream)
• The ciphertext is c1, c2, , cm where cimi?ri
• Provably secure
• Drawback-key is large as the message

28
Two Types

• Synchronous
• Keystream generated independently of the message
  stream
• No error propagation
• Requires perfect synchronization

29
Two Types

• Self-synchronizing
• Keystream generation depends on n previous
  ciphertext digits
• Limited error propagation
• Can resynchronize

30
OFB and CFB

• Two modes of use for a block cipher
• OFB generates a keystream independently of the
  plaintext
• CFB employs feedback and is self synchronizing
• For both OFB and CFB, each iteration encrypts m
  bits at a time, where for DES 1 ? m ? 64
• OFB is only considered secure with DES if m64

31
Basic Properties

• What properties do we want the keystream to have?
• Large period
• Golombs Postulates (1967) address the following
  issues
• Balance
• Pattern distribution
• Correlation
• Sequences that satisfy Golombs Postulates are
  termed pseudo-noise or PN-sequences

32
Shift Registers

• A Linear Feedback Shift Register, (LFSR), of
  length n can produce a sequence of period 2n-1
• Such a sequence also satisfies Golombs
  Postulates
• Shift registers are very fast to implement
• On their own, cryptographically weak

33
Linear Complexity

• A sequence S of period p can be generated on a
  LFSR of length ? p
• The length of the shortest LFSR that can generate
  S is called the linear complexity
• If a sequence has linear complexity n, then there
  is an algorithm that identifies the minimum LFSR
  after 2n successive bits Massey (1969)
• A good keystream should have a large linear
  complexity

34
Linear Complexity 2

• Consider a sequence S
• Computer the linear complexity of the sequence
  after each new bit is added
• This gives a linear complexity profile
• Rueppel provides results on the linear complexity
  profile
• A good keystream should have a good linear
  complexity profile

35

• Filter generator
• Take the output from a single register in an
  unconventional way
• Combination generator
• Combine the output of several registers

36
Correlation Attacks

• Geffe generator
• f(x1,x2,x3)x1x2?x1x3 ?x2x3
• Using registers of length 3, 5 and 7 we can
  generate sequences of period 24,559 with linear
  complexity 71
• If x10 then with probability 3/4
• f(x1,x2,x3)x2x30
• If x11 then with probability 3/4
• f(x1,x2,x3)x2x3 x2x3 1
• x1f(x1,x2,x3) with probability 3/4

37

• Suppose the feedbacks are known and the key is
  the initial starting values of the registers
• Choose an initial value for register 1
• Generate the sequence from register 1
• count the propagation of agreements with the
  target sequence

38

• What properties do we require for the combining
  (filter) function?
• High non-linearity
• Correlation immunity
• Siegenthaler showed that there is a conflict
  between these goals
• Rueppel showed that this conflict can be avoided
  using a more sophisticated combining function
  with memory

39
Different Types

• Combination and filter generators
• Clock control
• Stop-Go, Alternating, Cascade
• Feedback clock control
• Multiplexer - One LFSR is used to index the
  output bit from another LFSR
• Multiplicative congruential generator output
  obtained from xi where
• xi1 axi mod n
• RC4

40
RC4Designed by Rivest for RSA Data Security, Inc.

• Variable key size
• Security depends on the use of a random
  permutation
• Period overwhelmingly likely to be greater than
  10100
• No known bad keys
• Encryption rate ? Mbyte/sec

41
Summary

• No standard form of design
• Many individual analytic techniques
• Well developed theory
• Very appealing performance

42
Key Distribution

• The strength of any cryptographic systems rests
  with the key distribution technique. For two
  parties A and B, distribution can be achieved in
  a number of ways
• A key can be selected by A and physically
  delivered to B
• A third party can select the key and physically
  deliver it to A and B
• If A and B have previously and recently used a
  key, one party can transmit the new key to the
  order, encrypted by using the old key.
• If A and B has an encrypted connection to a third
  party C, C and deliver a key on the encrypted
  links to A and

43
Key Distribution 2

• Use of a key distribution center (KDC)
• Communication between end systems is encrypted
  using a temporary key (session key)
• For each system user, there is a unique master
  key which is shared with the KDC
• For N entities, N(N-1)/2 session keys and N
  master keys are required