
Lecture 04 - AES - Block Cipher Operations

The document summarizes a lecture on cryptography. It discusses increasing the security of block ciphers through techniques like double and triple encryption. It explains why double encryption with DES (2DES) is vulnerable to meet-in-the-middle attacks, while triple encryption (3DES) with three different keys provides an effective key length of 168 bits. The document also reviews the selection process for the Advanced Encryption Standard (AES) and provides an overview of the AES encryption process.

Uploaded by

Huy Hoàng

UNIVERSITY OF INFORMATION TECHNOLOGY – VNU-HCM

Faculty of Computer Networks and Communications

NT219 - CRYPTOGRAPHY
Today:
• Block cipher security
• 2DES, 3DES
• AES
• Block cipher Operation

Reading:
• CS Chapter 6, 7

Where we are today…

NT219 – Cryptography
v.2020.1
[email protected] 2
Learning objectives
Overview

We will focus on two questions:


• Can you use a block cipher multiple times to increase security?
• How to use a block cipher to encrypt more than a single block?

Block ciphers Security
DES security

○ What is the serious vulnerability of DES? Brute-force attack


| Key Size (bits) | Cipher | Number of Alternative Keys | Time Required at 10^9 Decryptions/s | Time Required at 10^13 Decryptions/s |
|---|---|---|---|---|
| 56 | DES | 2^56 ≈ 7.2 × 10^16 | 2^55 ns = 1.125 years | 1 hour |
| 128 | AES | 2^128 ≈ 3.4 × 10^38 | 2^127 ns = 5.3 × 10^21 years | 5.3 × 10^17 years |
| 168 | Triple DES | 2^168 ≈ 3.7 × 10^50 | 2^167 ns = 5.8 × 10^33 years | 5.8 × 10^29 years |
| 192 | AES | 2^192 ≈ 6.3 × 10^57 | 2^191 ns = 9.8 × 10^40 years | 9.8 × 10^36 years |
| 256 | AES | 2^256 ≈ 1.2 × 10^77 | 2^255 ns = 1.8 × 10^60 years | 1.8 × 10^56 years |
| 26 characters (permutation) | Monoalphabetic | 26! = 4 × 10^26 | 2 × 10^26 ns = 6.3 × 10^9 years | 6.3 × 10^6 years |

How to increase security?


Two approaches have been taken.
1. Design a completely new algorithm that is resistant to both cryptanalytic and brute-force attacks
Example: AES
2. Use multiple encryption with DES and multiple keys.
Example: 3DES (TDEA)
Double-DES (2DES)
Could we use 2DES to increase security?

○ C = E(K2, E(K1, P))
○ P = D(K1, D(K2, C))
→ Key length = 112 bits. Will it be more secure?
Why shouldn't we use 2DES?

Meet-in-the-middle attack (proposed by Diffie and Hellman, 1977)

C = E(K2, E(K1, P))
→ X = E(K1, P) = D(K2, C)
Given a known pair (P, C):
1. Encrypt P for all 2^56 possible values of K1, then store and sort the results
2. Decrypt C using all 2^56 possible values of K2
→ check each result against the table for a match
→ K1, K2
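
The two steps above, as an added illustration that is not part of the original slides: a constructed toy cipher with 32-bit blocks and 12-bit keys stands in for DES so the search finishes instantly, showing that double encryption costs about 2 × 2^k cipher operations to search instead of 2^(2k). The names E, D, double_encrypt and meet_in_the_middle and all sample values are assumptions; a dict plays the role of the sorted table.

```python
# Toy demonstration of the meet-in-the-middle search on double encryption.
# The cipher below is a constructed 32-bit toy with 12-bit keys, NOT DES.
MASK, KEY_BITS = 0xFFFFFFFF, 12
MUL = 0x9E3779B1                      # odd, so invertible modulo 2^32
INV = pow(MUL, -1, 1 << 32)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def E(k, p):
    for r in range(3):                # three keyed mixing rounds
        p = rotl(((p ^ (k + r)) * MUL) & MASK, 7)
    return p

def D(k, c):
    for r in reversed(range(3)):      # undo the rounds in reverse order
        c = ((rotl(c, 25) * INV) & MASK) ^ (k + r)
    return c

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))            # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cipher calls made in the two search passes)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table, ops = {}, 0
    for k1 in range(1 << KEY_BITS):   # step 1: X = E(K1, P) for every K1
        table.setdefault(E(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):   # step 2: X = D(K2, C) for every K2
        ops += 1
        for k1 in table.get(D(k2, c0), []):
            # A table hit may be a false match: confirm on the other pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

# Constructed sample data: two secret keys and two known plaintexts.
K1, K2 = 0x3A7, 0xC15
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x01234567, 0x89ABCDEF)]

if __name__ == "__main__":
    found, ops = meet_in_the_middle(PAIRS)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print("cipher operations:", ops, "vs brute force:", 1 << (2 * KEY_BITS))
```

The second known pair is used only to discard false matches, which become likely whenever the combined key is longer than one block.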
Triple-DES (3DES)
Using a block cipher multiple times to increase security

Sometimes called “EDE Encryption” or Triple Data Encryption Algorithm (TDEA)

Why put D in the middle?

○ Two-key version: 112-bit effective key length (proposed by Tuchman 1979)


• C = E(K1, D(K2, E(K1, P)))
• P = D(K1, E(K2, D(K1, C)))
○ Three-key version: 168-bit effective key length (proposed by Kaliski et al. 1996, NIST recommendation 2012)
• C = E(K3, D(K2, E(K1, P)))
• P = D(K3, E(K2, D(K1, C)))
AES (Advanced Encryption Standard) Selection Process
From DES to AES

○ 1993-1995: Clipper Chip fiasco

○ 1997: Request for proposals for new standard block cipher


• Must use 128-bit block
• Must support 128-bit, 192-bit, and 256-bit keys
• Selection process through open evaluation

○ 1999: 15 good submissions narrowed to 5 finalists

○ 2000: Winner selected


• Winner was an algorithm named Rijndael (limited to 128-bit blocks)
• Invented/submitted by Vincent Rijmen and Joan Daemen (Belgians)

Important points:
• Very open, public process
• No secret modifications → More trust!
• Not rushed
AES Encryption Process
AES

AES cipher takes:

• plaintext block size of 128 bits, or 16 bytes.
• key length can be 16, 24, or 32 bytes (128, 192, or 256 bits).
→ AES-128, AES-192, or AES-256

AES Encryption Process
AES
○ Input: 128-bit block (depicted as a 4*4 square matrix of bytes)
• This block is copied into the State array, which is modified at each stage of encryption or decryption.
• After the final stage, State is copied to an output matrix
○ Key is also depicted as a square matrix of bytes.
• Then expanded into an array of key schedule words (w0, w1, w2, …, w42, w43)

[Figure 6.2 AES Data Structures: (a) Input, state array, and output, with bytes in0..in15, s0,0..s3,3 and out0..out15 laid out column by column; (b) Key (k0..k15) and expanded key]

AES Parameters
AES

○ The cipher consists of N rounds, where the number of rounds depends on the key length: 10
rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key
○ The first N - 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows,
MixColumns, and AddRoundKey, which are described subsequently.
○ The final round contains only three transformations, and there is an initial single transformation
(AddRoundKey) before the first round, which can be considered Round 0

AES cipher in more detail
AES

Four different stages are used:


• Substitute bytes – uses an S-box to perform a byte-by-byte
substitution of the block
• ShiftRows – a simple permutation
• MixColumns – a substitution that makes use of arithmetic over GF(2^8)
• AddRoundKey – a simple bitwise XOR of the current block
with a portion of the expanded key

○ The cipher begins and ends with an AddRoundKey stage

○ Each stage is easily reversible

More detail: You can refer to AES Visualization (using Cryptool 2) or the supplement slides for more detail
AES
Some Final Points

○ In 20 years, no practical cryptanalytic attacks discovered

○ Approved for protecting classified information


• 128-bit keys for SECRET
• 192- or 256-bit keys for TOP SECRET
• Note: implementation must be approved

○ Efficiency
• Works on byte/word units: Efficient in software!
• Widespread standard → special fast CPU instructions now
• Intel AES-NI instructions: over 10 gigabits/sec on a single core!
• OpenSSL

○ Still simple enough for special-purpose hardware


• 30+ Gbps possible

Block Cipher Modes
Encrypt multiple blocks

○ Question: How to use a block cipher to encrypt multiple blocks?


○ Four modes introduced with DES standard
• Electronic Codebook (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)

○ An additional mode introduced later (standardized with AES)


• Counter (CTR)

○ Each mode has tradeoffs in terms of flexibility, security, parallelizability, ...

Electronic Codebook (ECB) Mode
Encrypting plaintext longer than one block

○ The simplest, “Common Sense” mode


• Cj = E(K, Pj), j = 1, …, N
• Pj = D(K, Cj), j = 1, …, N
○ Does not hide repeated block patterns
• should be used only to secure messages shorter than a single block of underlying cipher (i.e., 64 bits for 3DES and 128 bits for AES), such as to encrypt a secret key
• → insecure for lengthy messages, so don’t use!

Cipher Block Chaining (CBC) Mode
How to overcome the security deficiencies of ECB?

○ IV must be random
• Transmit with ciphertext
• the specific choice of IV is unimportant

○ Randomizes next block


• Breaks up pattern
• Changing block affects all following blocks

C1 = E(K, [P1 ⊕ IV])
Cj = E(K, [Pj ⊕ Cj-1]) where j = 2, …, N
P1 = D(K, C1) ⊕ IV
Pj = D(K, Cj) ⊕ Cj-1 where j = 2, …, N

But: Can’t parallelize


○ Breaking assumptions: BEAST attack (2011)

Cipher Block Chaining (CBC) Mode
Limitations

○ Questions
• If transmission error in ciphertext block, how
many errors in recovered plaintext?
• If 500 MB encrypted, how can you decrypt
the second half?
• What if input is not a multiple of block size?

Padding
What if input is not a multiple of block size?

○ ECB and CBC modes must encrypt full blocks of plaintext!


○ What if you have 192 bits of plaintext with AES/CBC?
○ Technique 1 (bit padding):
• No matter how long the plaintext, always append a 1 bit, followed by as many 0’s as needed to fill out block.
• Example: 8-bit blocks, 10111010 110 becomes 10111010 11010000
• Advantage: plaintext can be any number of bits
• Question: Why “always append 1”? What if plaintext is already a multiple of block size?

○ Technique 2 (byte count padding - or PKCS#7 / PKCS#5):


• Count how many bytes of padding needed (at least 1), say c
• Add c bytes each with value c
• Ex (32-bit blocks, hex): 42 1a 49 c3 21 becomes 42 1a 49 c3 21 03 03 03
• Only works for padding full bytes!
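
Both padding techniques as an added example (not code from the lecture), run on the slide's own sample values. The function names are assumptions, and pad_if_needed is a deliberately flawed variant included only to show why padding is always appended, even when the input is already block-aligned.

```python
def pkcs7_pad(data: bytes, block_size: int) -> bytes:
    # c is always in 1..block_size, so aligned input gains one full block.
    c = block_size - len(data) % block_size
    return data + bytes([c]) * c

def pkcs7_unpad(padded: bytes, block_size: int) -> bytes:
    if not padded or len(padded) % block_size:
        raise ValueError("length is not a positive multiple of the block size")
    c = padded[-1]
    if not 1 <= c <= block_size or padded[-c:] != bytes([c]) * c:
        raise ValueError("invalid padding bytes")
    return padded[:-c]

def pad_if_needed(data: bytes, block_size: int) -> bytes:
    # Flawed variant for comparison only: skips padding on aligned input.
    return data if len(data) % block_size == 0 else pkcs7_pad(data, block_size)

def bit_pad(bits: str, block_bits: int) -> str:
    # Always append a single 1, then 0s up to the next block boundary.
    bits += "1"
    return bits + "0" * (-len(bits) % block_bits)

def bit_unpad(bits: str) -> str:
    # The last 1 is the marker; it and the 0s after it are removed.
    return bits[:bits.rindex("1")]

# The slide's examples plus one constructed message that already ends in 03 03 03.
SLIDE_BYTES = bytes.fromhex("421a49c321")
ALIGNED = bytes.fromhex("421a49c321030303")
SLIDE_BITS = "10111010110"

if __name__ == "__main__":
    print(pkcs7_pad(SLIDE_BYTES, 4).hex(" "))
    print(pkcs7_pad(ALIGNED, 4).hex(" "))
    print(pad_if_needed(SLIDE_BYTES, 4) == pad_if_needed(ALIGNED, 4))
    print(bit_pad(SLIDE_BITS, 8))
```

With pad_if_needed the two different messages produce identical padded output, so the receiver cannot tell how many bytes to strip; with pkcs7_pad they stay distinct.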

Quiz
ECB and CBC

○ Encrypt the following image in two modes: ECB and CBC (you will do this in Lab 2)

Here is the result.

Could you identify which encrypted image is in ECB and which is in CBC? Why?

[Images: encrypted results A and B]

Cipher Feedback (CFB) Mode (s-bit)
s-bit CFB encryption

○ Benefit: Can encrypt in units less than a full block (stream cipher)
• For example, can encrypt character by character (terminals)

○ Can’t parallelize, and needs multiple block encryptions per plaintext “block”
• Question: What about decryption?

LSB: left shift b-s bits
MSB: most significant s bits

Cipher Feedback (CFB) Mode (s-bit)
s-bit CFB decryption

In CFB decryption, the required forward cipher operations can be performed in parallel if the input blocks are first constructed (in series) from the IV and the ciphertext.

○ Although CFB can be viewed as a stream cipher, it does not conform to the typical construction of a stream cipher
• the stream of bits that is XORed with the plaintext also depends on the plaintext.

○ Not really used these days...

LSB: left shift b-s bits
MSB: most significant s bits

Output Feedback (OFB) Mode
Similar in structure to CFB
○ The nonce (IV) must be unique to each execution. Why?

○ OFB operates on full blocks of plaintext and ciphertext

○ Can’t parallelize, but can precompute!

○ Pros: Bit errors in transmission do not propagate

○ Cons: more vulnerable to a message stream modification attack than is CFB.

○ No real advantage over CTR mode, so...
→ Not really used these days

Counter (CTR) Mode
Block cipher makes a “pseudo random one-time pad”

○ The counter is initialized to some value and then incremented by 1 for each subsequent block.
• Counter sequences: T1, T2, …, Tn

○ Fully parallelizable! (Compare to OFB mode)

○ Just like one-time pad
• Must never repeat counter values (then not one-time!)
• Question 1: What about malleability?
• Question 2: How do ciphertext errors propagate in recovered plaintext?

○ Applications: ATM (asynchronous transfer mode) network security and IPsec (IP security)
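
An added sketch of CTR mode (not part of the original slides) that shows what goes wrong when counter values repeat and how a single flipped ciphertext bit shows up after decryption. The forward function E is an assumption, a truncated SHA-256 standing in for the block cipher since CTR never calls D, and the counter layout Tj = nonce || j, the names and the sample messages are constructed for the example.

```python
import hashlib

BLOCK = 16

def E(key, block):
    # Stand-in for the block cipher's forward direction (assumption: truncated
    # SHA-256 as a keyed function). CTR never needs D, so this is sufficient.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_xcrypt(key, nonce, data):
    """Encrypt or decrypt: XOR data with E(K, T1), E(K, T2), ..., Tj = nonce || j."""
    out = b""
    for j in range(0, len(data), BLOCK):
        t = nonce + (j // BLOCK + 1).to_bytes(BLOCK - len(nonce), "big")
        out += xor(data[j:j + BLOCK], E(key, t))  # last block may be short
    return out

def differing_bytes(a, b):
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample data: one key, two nonces, two messages.
KEY = b"constructed key"
N1, N2 = bytes.fromhex("0001020304050607"), bytes.fromhex("08090a0b0c0d0e0f")
P1 = b"the quick brown fox jumps over the lazy dog"
P2 = b"pack my box with five dozen liquor jugs now"

if __name__ == "__main__":
    c1, c2 = ctr_xcrypt(KEY, N1, P1), ctr_xcrypt(KEY, N1, P2)  # counters repeat
    print("keystream cancels:", xor(c1, c2) == xor(P1, P2))
    bad = bytearray(c1)
    bad[20] ^= 0x04                                            # one-bit error
    print("damaged bytes:", differing_bytes(ctr_xcrypt(KEY, N1, bytes(bad)), P1))
```

When the same counter sequence encrypts two messages, XORing the ciphertexts removes the keystream and leaves P1 ⊕ P2, which is why the pad is no longer one-time.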
Recap
Modes of Operation

| Mode | Description | Typical Application |
|---|---|---|
| Electronic Codebook (ECB) | Each block of plaintext bits is encoded independently using the same key. | • Secure transmission of single values (e.g., an encryption key) |
| Cipher Block Chaining (CBC) | The input to the encryption algorithm is the XOR of the next block of plaintext and the preceding block of ciphertext. | • General-purpose block-oriented transmission • Authentication |
| Cipher Feedback (CFB) | Input is processed s bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of ciphertext. | • General-purpose stream-oriented transmission • Authentication |
| Output Feedback (OFB) | Similar to CFB, except that the input to the encryption algorithm is the preceding encryption output, and full blocks are used. | • Stream-oriented transmission over noisy channel (e.g., satellite communication) |
| Counter (CTR) | Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block. | • General-purpose block-oriented transmission • Useful for high-speed requirements |

Key terms
Things to remember

• block cipher modes of operation
• cipher block chaining mode (CBC)
• cipher feedback mode (CFB)
• counter mode (CTR)
• electronic codebook mode (ECB)
• meet-in-the-middle attack
• nonce
• output feedback mode (OFB)
• Triple DES (3DES)

Homework 03 → Lab 2: Block cipher operations
Learn by practice

○ Work in teams.
○ Tasks: SEED Lab - Secret-Key Encryption
• Description: https://seedsecuritylabs.org/Labs_20.04/Crypto/Crypto_Encryption/
Mandatory tasks:
• Task 2: Encryption using Different Ciphers and Modes
• Task 3: Encryption Mode – ECB vs. CBC
• Task 4: Padding
• Task 5: Error Propagation – Corrupted Cipher Text
Optional (bonus points):
• Task 6: Initial Vector (IV)
• Task 7: Programming using the Crypto Library

For next class…
Looking ahead

○ Today: Block cipher operation

○ Ready for next class: Asymmetric ciphers (RSA)


• Reading: CS book, Chapter 9

○ Ready for the Project Proposal (April 27th):


• 5 mins/team. 3-5 slides are recommended
• Introduction
• Goal
• Methods, potential technologies, system design (if possible)
• References

That's the end for today.
Congrats!
Hoa Nguyen-Thanh

NT219 - Cryptography
