Cryptography and

Network Security
Chapter 6
Fifth Edition
by William Stallings
 Strength of DES – Key Size
 56-bit keys have 256 = 7.2 x 1016 values
 brute force search looked hard
 advances have shown is possible
 in 1997 on Internet in a few months
 in 1998 on dedicated h/w (EFF) in a few days
 in 1999 above combined in 22hrs!
 still
must be able to recognize plaintext
 Forced to consider alternatives to DES
 Strength of DES – Analytic
Attacks
 now have several analytic attacks on DES
 these utilize some deep structure of the cipher
 by gathering information about encryptions
 can eventually recover some/all of the sub-key bits
 if necessary then exhaustively search for the rest
 generally these are statistical attacks
 differential cryptanalysis
 linear cryptanalysis
 related key attacks
 Strength of DES – Timing
Attacks
 attacks actual implementation of cipher
 use knowledge of consequences of
implementation to derive information about
some/all subkey bits
 specifically use fact that calculations can
take varying times depending on the value
of the inputs to it
 Differential Cryptanalysis
 one of the most significant recent (public)
advances in cryptanalysis
 Murphy, Biham & Shamir published in 90’s
 powerful method to analyse block ciphers
 used to analyze most current block ciphers
with varying degrees of success
 DES reasonably resistant to it, cf Lucifer
 Differential Cryptanalysis
a statistical attack against Feistel ciphers
 uses cipher structure not previously used
 design of S-P networks has output of
function f influenced by both input & key
 hence cannot trace values back through
cipher without knowing value of the key
 differential cryptanalysis compares two
related pairs of encryptions (differential)
 Differential Cryptanalysis
Compares Pairs of Encryptions
 Differentialcryptanalysis compares two
related pairs of encryptions
 with known difference in the input m0||m1
 searching for a known difference in output
 when same subkeys are used
 Differential Cryptanalysis
 have some input difference giving some
output difference with probability p
 if find instances of some higher probability
input / output difference pairs occurring
 can infer subkey that was used in round
 then must iterate process over many
rounds (with decreasing probabilities)
 Differential Cryptanalysis
 perform attack by repeatedly encrypting plaintext pairs
with known input XOR until obtain desired output XOR
 when found, assume intermediate deltas match
 if intermediate rounds match required XOR have a right pair
 if not then have a wrong pair, relative ratio is S/N for attack
 can then deduce keys values for the rounds
 right pairs suggest same key bits
 wrong pairs give random values
 for large numbers of rounds, probability is so low that
more pairs are required than exist with 64-bit inputs
 Biham and Shamir have shown how a 13-round
iterated characteristic can break the full 16-round DES
 Linear Cryptanalysis
 another fairly recent development
 also a statistical method
 must be iterated over rounds, with
decreasing probabilities
 developed by Matsui et al in early 90's
 based on finding linear approximations
 can attack DES with 243 known plaintexts,
easier but still in practice infeasible
 Linear Cryptanalysis
 find linear approximations with prob p != ½
P[i1,i2,...,ia]  C[j1,j2,...,jb] =
K[k1,k2,...,kc]
where ia,jb,kc are bit locations in P,C,K
 gives linear equation for key bits
 get one key bit using max likelihood alg
 using a large number of trial encryptions
 effectiveness given by: |p–1/2|
Seven Criteria for DES S-boxes
 No output bit of any S-box should be too close to a
linear function of the input bits
 Each row of an S-box should include all 16 possible
output bit combinations
 If two inputs to an S-box differ in exactly one bit, the
outputs must differ in at least two bits
 If two inputs to an S-box differ in the two middle bits,
the outputs must differ in >= 2 bits
 If two inputs differ in their first two bits and are
identical in last two bits, the two outputs must not be
the same
 For any nonzero 6-bit difference in inputs, no more
than 8 of the 32 pairs with that difference may result
in the same output difference
Three Criteria for DES P-box
 The four output bits from each S-box are
distributed so that two are “middle” bits and
two are “outer” bits in their nybbles
 The four output bits from each S-box affect six
different S-boxes in the next round, and no
two affect the same S-box
 For two S-boxes, j and k, if an output bit from
Sj affects a middle bit of Sk in the next round,
then an output bit from Sk cannot affect a
middle bit of Sj (so Sj output can't be a middle
bit of Sj in next round)
 DES Design Criteria
 as reported by Coppersmith in [COPP94]
 7 criteria for S-boxes provide for
 non-linearity
 resistance to differential cryptanalysis
 good confusion
3 criteria for permutation P provide for
 increased diffusion
 Modes of Operation
 block ciphers encrypt fixed size blocks
 e.g., DES encrypts 64-bit blocks
 need some way to en/decrypt arbitrary
amounts of data in practice
 NIST SP 800-38A defines 5 modes
 have block and stream modes
 to cover a wide variety of applications
 can be used with any block cipher
Electronic Codebook Book (ECB)
 message is broken into independent
blocks that are encrypted
 each block is a value which is substituted,
like a codebook, hence name
 each block is encoded independently of
the other blocks
Ci = EK(Pi)
 uses:secure transmission of single
values
Electronic
Codebook
Book
(ECB)
 Advantages and Limitations of
ECB
 message repetitions may show in ciphertext
 if aligned with message block
 particularly with data such graphics
 or with messages that change very little, which
become a code-book analysis problem
 weakness is due to the encrypted message
blocks being independent
 vulnerable to cut-and-paste attacks
 main use is sending a few blocks of data
Cipher Block Chaining (CBC)
 message is broken into blocks
 linked together in encryption operation
 each previous cipher block is chained with
current plaintext block, hence name
 use Initial Vector (IV) to start process
Ci = EK(Pi XOR Ci-1)
C-1 = IV
 IVprevents same P from making same C
 uses: bulk data encryption, authentication
 Cipher
Block
Chaining
(CBC)
 Advantages and Limitations of
CBC
a ciphertext block depends on all blocks
before it
 any change to a block affects all following
ciphertext blocks... avalanche effect
 need Initialization Vector (IV)
 which must be known to sender & receiver
 if sent in clear, attacker can change bits of first block,
by changing corresponding bits of IV
 hence IV must either be a fixed value (as in EFTPOS)
 or derived in way hard to manipulate
 or sent encrypted in ECB mode before rest of message
 or message integrity must be checked otherwise
 Stream Modes of Operation
 blockmodes encrypt entire block
 may need to operate on smaller units
 real time data
 convert block cipher into stream cipher
 cipher feedback (CFB) mode
 output feedback (OFB) mode
 counter (CTR) mode
 Cipher FeedBack (CFB)
 message is treated as a stream of bits
 added to the output of the block cipher
 result is feed back for next stage (hence name)
 standard allows any number of bits (1,8, 64 or
128 etc) to be feed back
 denoted CFB-1, CFB-8, CFB-64, CFB-128, etc.
 most efficient to use all bits in block (64 or 128)
Ci = Pi XOR EK(Ci-1)
C-1 = IV
 uses: stream data encryption, authentication
 s-bit
Cipher
FeedBack
(CFB-s)
 Advantages and Limitations of
CFB
 most common stream mode
 appropriate when data arrives in bits/bytes
 limitation is need to stall while do block
encryption after every s-bits
 note that the block cipher is used in
encryption mode at both ends (XOR)
 errors propagate for several blocks after
the error ... how many?
 Output FeedBack (OFB)
 message is treated as a stream of bits
 output of cipher is added to message
 output is then feed back (hence name)
Oi = EK(Oi-1)
Ci = Pi XOR Oi
O-1 = IV
 feedback is independent of message
 can be computed in advance
 uses: stream encryption on noisy channels
Why noisy channels?
 Output
FeedBack
(OFB)
 Advantages and Limitations of
OFB
 needs an IV which is unique for each use
 if ever reuse attacker can recover outputs...

 OTP

 can pre-compute
 bit errors do not propagate
 more vulnerable to message stream modification...
 change arbitrary bits by changing ciphertext
 sender & receiver must remain in sync
 only use with full block feedback
 subsequent research has shown that only full block
feedback (ie CFB-64 or CFB-128) should ever be used
 Counter (CTR)
a “new” mode, though proposed early on
 similar to OFB but encrypts counter value
rather than any feedback value
Oi = EK(i)
Ci = Pi XOR Oi
 must have a different key & counter value
for every plaintext block (never reused)
 again, OTP issue
 uses: high-speed network encryptions
Counter
(CTR)
 Advantages and Limitations of
CTR
 efficiency
 can do parallel encryptions in h/w or s/w
 can preprocess in advance of need
 good for bursty high speed links
 random access to encrypted data blocks
 provable security (good as other modes)
 never have cycle less than 2b
 but must ensure never reuse key/counter
values, otherwise could break (cf OFB)
Feedback
Character-
istics