BA Chapter2 Symmetric Encryption

Chapter 2 of the IT-Security document focuses on symmetric encryption, detailing its principles, definitions, and examples such as the Caesar cipher and monoalphabetic substitution ciphers. It discusses the importance of key space size for security and introduces concepts like perfect secrecy and frequency analysis. The chapter emphasizes that a secure cipher must provide confidentiality even when the system design is publicly known, following Kerckhoff's principle.


IT-Security

Chapter 2: Symmetric Encryption

Prof. Dr.-Ing. Ulrike Meyer


Overview

● Introduction: What is an encryption scheme?
► Intuition
► Formal definition
► Historic examples
● Perfect Secrecy: Can a cipher be perfectly secure?
► Definition
► Shannon’s theorem
► One-time-pad
● Computational Security: How do we model attackers?
► Attacker models
§ Knowledge
§ Goal
§ Strategy
● Practical Schemes: How do modern ciphers work and how are they used?
► Stream ciphers
► Block ciphers
► Modes of encryption

IT-Security - Chapter 2 Symmetric Encryption 2


Intuition on Symmetric Ciphers

● Alice wants to send a confidential plaintext to Bob
● Alice and Bob share a secret key
● Alice uses the key to encrypt plaintext to ciphertext
● Bob uses the key to decrypt ciphertext to plaintext
● Decryption is ”difficult” without the key

[Figure: Plaintext → Encryption algorithm (Secret Key) → Ciphertext → Insecure channel → Ciphertext → Decryption algorithm (Secret Key) → Plaintext]


Formal Definition of Encryption Scheme

● An encryption scheme is a five-tuple (𝒫, 𝒞, 𝒦, ℰ, 𝒟) consisting of
► The plaintext space 𝒫 of plaintexts (e.g., 𝒫 = {0,1}^n for some n ∈ ℕ)
► The cipher space 𝒞 of ciphertexts (e.g., 𝒞 = {0,1}^m for some m ∈ ℕ)
► A key space 𝒦 of keys (e.g., 𝒦 = {0,1}^k for some k ∈ ℕ)
► A family ℰ = {E_K : K ∈ 𝒦} of functions E_K : 𝒫 → 𝒞 called encryption functions
► A family 𝒟 = {D_K : K ∈ 𝒦} of functions D_K : 𝒞 → 𝒫 called decryption functions
● Such that for any K1 ∈ 𝒦 there is a K2 ∈ 𝒦 such that
► For all P ∈ 𝒫 it holds that D_K2(E_K1(P)) = P
● In a symmetric encryption scheme the encryption and decryption keys are the same
● Note that this definition does not cover any notion of security yet


Kerckhoff’s Principle 1883

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge

● In contrast:
► Keeping the design of a cryptosystem secret is often referred to as “security by obscurity”


Example Caesar Cipher

● The cipher
► Plaintext space = ciphertext space = {A,…, Z}, Key space = {1,…,25}
► Replace each plaintext letter with the one k letters after it. E.g., for k = 4

Plaintext  A B C D E F G H I J K L M
Ciphertext E F G H I J K L M N O P Q

Plaintext  N O P Q R S T U V W X Y Z
Ciphertext R S T U V W X Y Z A B C D

● Security of the Caesar cipher
► Assume a message has been encrypted letter by letter using the Caesar cipher
► Try out each of the 25 keys and check if the resulting plaintext makes sense
§ Requires recognizable plaintext
► The key space is too small!

A secure cipher requires a large key space


Brute Force Attack on the Caesar Cipher

Plaintext  A B C D E F G H I J K L M
Ciphertext E F G H I J K L M N O P Q

Plaintext  N O P Q R S T U V W X Y Z
Ciphertext R S T U V W X Y Z A B C D

Ciphertext WIGYVMXC (SECURITY encrypted with k = 4), tried with every key:
k=1? VHFXULWB
k=2? UGEWTKVA
k=3? TFDVSJUY
k=4  SECURITY
k=5? RDBTQHSX
…

● If the message is short, multiple keys may lead to sense-making plaintexts
● If the message is long enough, on average the key is found after ½ |𝒦| tries
● Brute force attacks are also known as exhaustive search attacks
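Added example, not part of the lecture slides: the Caesar cipher of slides 6 and 7 in Python, with the ciphertext-only and the known-plaintext exhaustive search side by side. The "makes sense" check uses a constructed word list (a real check would use a dictionary or language model); all function names are my own.

```python
import string

ALPHABET = string.ascii_uppercase
# Constructed stand-in for "recognizable plaintext". ADD and BEE are included to
# show that a short ciphertext can decrypt sensibly under more than one key.
KNOWN_WORDS = {"SECURITY", "ATTACK", "CIPHER", "KEY", "ADD", "BEE"}


def caesar_encrypt(plaintext: str, k: int) -> str:
    """Replace every letter (uppercase A-Z only) by the one k positions later, wrapping Z -> A."""
    if not 1 <= k <= 25:
        raise ValueError("key space is {1, ..., 25}")
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % 26] for ch in plaintext)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """Shifting back by k is the same as shifting forward by 26 - k."""
    return caesar_encrypt(ciphertext, 26 - k)


def makes_sense(candidate: str) -> bool:
    return candidate in KNOWN_WORDS


def brute_force_ciphertext_only(ciphertext: str):
    """Ciphertext-only exhaustive search: try all 25 keys and keep every key whose
    decryption is recognizable. A short message may yield several hits."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)
            if makes_sense(caesar_decrypt(ciphertext, k))]


def brute_force_known_plaintext(plaintext: str, ciphertext: str):
    """Known-plaintext exhaustive search: the key is the one mapping P to C.
    Returns (key, number of keys tried); on average half the key space is tried."""
    for tries, k in enumerate(range(1, 26), start=1):
        if caesar_encrypt(plaintext, k) == ciphertext:
            return k, tries
    return None, 25


if __name__ == "__main__":
    c = caesar_encrypt("SECURITY", 4)          # WIGYVMXC, as on the slide
    print(c, brute_force_ciphertext_only(c))   # only k = 4 gives a known word
    print(brute_force_ciphertext_only("CFF"))  # short message: two keys make sense
```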


Monoalphabetic Substitution Cipher

● Idea
► Replace each plaintext letter with one specific other letter according to a substitution table
► Plaintext space = ciphertext space = {A,…, Z}
► Key space = all permutations of the letters A,…, Z
► Size of the key space: |𝒦| = 26! ≈ 4.0329146 · 10^26
● Example
Plaintext  A B C D E F G H I J K L M
Ciphertext D H C E Z W V S J M L O Q

Plaintext  N O P Q R S T U V W X Y Z
Ciphertext P A F K G N B R T Y I X U

● Trying out each possible key is quite time consuming!


Exhaustive Search for Monoalphabetic Ciphers

Difficulty of exhaustive search depends on
► size of key space
► resources of attacker

● Let’s assume we
► Can decrypt 5 characters per ms
► Need to decrypt 100 characters to be sure we found the right key
● Then we will on average need (1/2) · (100/5) · |𝒦| = (1/2) · 20 · |𝒦| = 10 · |𝒦| ms to find the right key
► That is 10 · 4.0329146 · 10^26 ms = 4.0329146 · 10^27 ms = 4.0329146 · 10^24 s = 6.7215243 · 10^22 min = 1.2788288 · 10^17 years
● Let’s assume we
► Can decrypt 500 000 characters per ms and still need to decrypt 100 characters in order to be sure
● Then we will on average need (1/2) · (100/500 000) · |𝒦| = (1/2) · (1/5 000) · |𝒦| = 10^-4 · |𝒦| ms to find the right key
► That is 10^-4 · 4.0329146 · 10^26 ms = 4.0329146 · 10^22 ms = 4.0329146 · 10^19 s = 6.7215243 · 10^17 min = 1.2788288 · 10^12 years


Example Letter Frequencies

● For any given language and text basis one can determine the relative letter frequencies

Letter   ENG      GER
A        8.167%   6.516%
B        1.492%   1.886%
C        2.782%   2.732%
D        4.253%   5.076%
E       12.702%  16.396%
F        2.228%   1.656%
G        2.015%   3.009%
H        6.094%   4.577%
I        6.966%   6.550%
J        0.153%   0.268%
K        0.772%   1.417%
L        4.025%   3.437%
M        2.406%   2.534%
N        6.749%   9.776%
O        7.507%   2.594%
P        1.929%   0.670%
Q        0.095%   0.018%
R        5.987%   7.003%
S        6.327%   7.270%
T        9.056%   6.154%
U        2.758%   4.166%
V        0.978%   0.846%
W        2.360%   1.921%
X        0.150%   0.034%
Y        1.974%   0.039%
Z        0.074%   1.134%

Top 5 letters in English texts
Letter   ENG
E       12.702%
T        9.056%
A        8.167%
O        7.507%
I        6.966%

● Other useful frequencies include bigrams, double letters, etc.


Frequency Analysis

● Can be used to
► Break any cipher that preserves frequencies
§ As long as enough ciphertext is available that has been produced by the same key
● E.g., Monoalphabetic Substitution Ciphers can be broken this way

Frequency Analysis
► Given a (long) ciphertext in a known language
► Count the frequency of each letter occurring in the ciphertext
► Replace them according to their frequency in the natural language
► Check if the resulting plaintext makes sense

A large key space is necessary but does not guarantee a secure cipher

So, how can we get a secure cipher and what does secure mean anyway?


Example Frequency Analysis on Monoalphabetic Substitution Cipher

● Ciphertext
► JW XAR DGZ FDGDPAJE XAR HZOJZTZ BSDB D TZGX ZTJO DBBDCLZG JN ARB BA VZB XAR

Top 5 letters in the ciphertext, their counts, and the top 5 English letters they are replaced with
Letter in C   Z  B  D  A  J
Frequency     8  7  7  6  5
Replace with  E  T  A  O  I

► I? ?O? A?E ?A?A?OI? ?O? ?E?IE?E T?AT A ?E?? E?I? ATTA??E? I? O?T TO ?ET ?O?

Further letters are guessed from the partially decrypted words, giving in the end
Letter in C   Z B D A J G C L X R W F P E S T O N V H
Replace with  E T A O I R C K Y U F P N D H V L S G B

► I? ?O? ARE ?ARA?OI? ?O? ?E?IE?E T?AT A ?ER? E?I? ATTACKER I? O?T TO ?ET ?O?
► I? YOU ARE ?ARA?OI? YOU ?E?IE?E T?AT A ?ERY E?I? ATTACKER I? OUT TO ?ET YOU
► IF YOU ARE PARANOID YOU BELIEVE THAT A VERY EVIL ATTACKER IS OUT TO GET YOU

● Gives us 20 letters for which the mapping is known, i.e. 76.9% of the key
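Added example, not part of the lecture slides: the frequency analysis of slides 11 and 12 carried out in Python on the slide's own ciphertext. The first step (top-5 substitution) is automatic; the remaining 15 letters are the mapping the slide arrives at by inspection, embedded here as a constant. Function names are my own.

```python
from collections import Counter

# Ciphertext from slide 12 and the five most frequent English letters from slide 10
CIPHERTEXT = "JW XAR DGZ FDGDPAJE XAR HZOJZTZ BSDB D TZGX ZTJO DBBDCLZG JN ARB BA VZB XAR"
ENGLISH_TOP = "ETAOI"
# The complete 20-letter mapping the slide ends up with (cipher letter -> plaintext letter)
RECOVERED_KEY = dict(zip("ZBDAJGCLXRWFPESTONVH", "ETAOIRCKYUFPNDHVLSGB"))


def letter_frequencies(text):
    """Cipher letters with their counts, most frequent first; ties are broken
    alphabetically so the result is deterministic (B before D, as on the slide)."""
    counts = Counter(ch for ch in text if ch.isalpha())
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def guess_by_frequency(text, n=5):
    """Map the n most frequent cipher letters onto the n most frequent English letters."""
    ranked = [letter for letter, _ in letter_frequencies(text)]
    return dict(zip(ranked[:n], ENGLISH_TOP[:n]))


def partial_decrypt(text, mapping):
    """Apply a partial key; letters not yet mapped are shown as '?' as on the slide."""
    return "".join(mapping.get(ch, "?") if ch.isalpha() else ch for ch in text)


def key_fraction_known(mapping):
    """Share of the 26-letter substitution key that the mapping pins down."""
    return len(mapping) / 26


if __name__ == "__main__":
    print(letter_frequencies(CIPHERTEXT)[:5])
    print(partial_decrypt(CIPHERTEXT, guess_by_frequency(CIPHERTEXT)))
    print(partial_decrypt(CIPHERTEXT, RECOVERED_KEY))
```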




Perfect Secrecy

● Idea of Shannon
► A ciphertext should not reveal any new information on the plaintext: whether or not C is observed, P is as likely as its occurrence in the plaintext space

Definition:
Given a probability distribution Pr on 𝒫, and Pr(P) > 0 for all plaintexts P
An encryption scheme is said to provide perfect secrecy if
For each P ∈ 𝒫, C ∈ 𝒞 and K ∈ 𝒦 chosen uniformly at random: Pr(P|C) = Pr(P)

● This implies: |𝒦| ≥ |𝒞| ≥ |𝒫| for a perfectly secure encryption scheme
► |𝒞| ≥ |𝒫| holds for any encryption scheme as the encryption functions need to be injective
► If |𝒦| < |𝒞| would hold, then for any P ∈ 𝒫, {E_K(P) | K ∈ 𝒦} ≠ 𝒞, i.e., there is a C ∈ 𝒞 that does not occur as ciphertext of P such that Pr(P|C) = 0 for this C
► As we assume Pr(P) > 0, this contradicts perfect secrecy


Equivalent Formulations for Perfect Secrecy

Definition:
Given a probability distribution Pr on 𝒫, and Pr(P) > 0 for all plaintexts P
An encryption scheme is said to provide perfect secrecy if
For each P ∈ 𝒫, C ∈ 𝒞 and K ∈ 𝒦 chosen uniformly at random: Pr(P|C) = Pr(P)

Equivalent:
1. Pr(C|P) = Pr(C)
2. Pr(C|P1) = Pr(C|P2)

Proof of 1.:
“⇐”: Assume Pr(C|P) = Pr(C), then Pr(C|P) · Pr(P) / Pr(C) = Pr(P); as Pr(C|P) Pr(P) = Pr(P|C) Pr(C) it follows that Pr(P) = Pr(P|C)
“⇒”: Symmetrical argument


Equivalent Formulations for Perfect Secrecy

Definition:
Given a probability distribution Pr on 𝒫, and Pr(P) > 0 for all plaintexts P
An encryption scheme is said to provide perfect secrecy if
For each P ∈ 𝒫, C ∈ 𝒞 and K ∈ 𝒦 chosen uniformly at random: Pr(P|C) = Pr(P)

Equivalent:
1. Pr(C|P) = Pr(C)
2. Pr(C|P1) = Pr(C|P2)

Proof of 2.:
“⟹”: Follows directly from 1.: If Pr(C|P) = Pr(C) for any P ∈ 𝒫, C ∈ 𝒞, then Pr(C|P1) = Pr(C|P2) for any P1, P2 ∈ 𝒫, C ∈ 𝒞
“⇐”: If Pr(C|P1) = Pr(C|P2) = x for any P1, P2 ∈ 𝒫, C ∈ 𝒞, then Pr(C) = Σ_P Pr(C|P) Pr(P) = x Σ_P Pr(P) = x = Pr(C|P)


Shannon’s Theorem 1949

Shannon’s Theorem:
Let |𝒫| = |𝒞| = |𝒦|, and Pr(P) > 0 for all plaintexts P.
Then an encryption scheme provides perfect secrecy ⇔
1. K is chosen uniformly at random for each plaintext to encrypt and
2. for each P ∈ 𝒫 and C ∈ 𝒞 there is exactly one K ∈ 𝒦 with E_K(P) = C

A cipher providing perfect secrecy cannot be broken by an attacker. Not even by one with infinite computational resources and infinite time


Proof Sketch for Shannon’s Theorem

Proof
“⟹”: Assume the encryption scheme is perfectly secure
► Let P ∈ 𝒫 and assume there is a C ∈ 𝒞 such that there is no K with E_K(P) = C,
► then Pr(P|C) = 0 and thus Pr(P) ≠ Pr(P|C), which contradicts perfect secrecy.
► Consequently, there must be at least one K such that E_K(P) = C. As there are as many keys as ciphertexts, there must be exactly one such K for each P and C.
► If K was not chosen uniformly, then given C, some plaintexts would be more likely than others. This again contradicts perfect secrecy.

“⟸”: Assume each key is equally likely and for each P, C there is exactly one K such that E_K(P) = C.
► Then Pr(C|P) = 1/|𝒦|, such that for any C and P1, P2 it holds that Pr(C|P1) = Pr(C|P2) = 1/|𝒦|, such that the second equivalent definition of perfect secrecy holds


The One-Time-Pad (OTP)

Also known as Vernam Cipher or Vernam’s one-time-pad

● Plaintext space, ciphertext space, key space
► 𝒫 = 𝒞 = 𝒦 = {0,1}^n for some n ∈ ℕ
● Key Generation:
► Pick K ∈ 𝒦 uniformly at random for each P ∈ 𝒫 to encrypt
● Encryption:
C = P ⊕ K
● Decryption
C ⊕ K = P ⊕ K ⊕ K = P

Example (n = 8):
Encryption: P = 10111101, K = 00110010, C = P ⊕ K = 10001111
Decryption: C = 10001111, K = 00110010, P = C ⊕ K = 10111101


Perfect Secrecy of the One-Time-Pad

Theorem:
The One-Time-Pad provides perfect secrecy

Proof:
► Follows directly from Shannon’s Theorem:
§ As |𝒫| = |𝒞| = |𝒦| per definition of the OTP, we can apply Shannon’s Theorem
§ Key is selected uniformly at random in the one-time pad ⟹ each key is equally likely
§ Given any pair C, P of ciphertext and plaintext there is a key K that encrypts P to C, namely K = P ⊕ C:
E_K(P) = P ⊕ K = P ⊕ (P ⊕ C) = C
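Added example, not part of the lecture slides: the perfect-secrecy definition of slide 14 and condition 2 of Shannon's theorem (slide 17) checked by exact enumeration on toy schemes, so that the one-time pad of slides 19 and 20 can be compared with a cipher whose key space is too small and with an OTP whose key is not drawn uniformly. The toy instances and function names are my own constructions.

```python
from fractions import Fraction


def posterior(encrypt, plaintexts, keys, prior, key_dist=None):
    """Exact Pr(P|C) for every (P, C) pair that can occur.
    encrypt(K, P) -> C; prior maps P -> Pr(P); key_dist maps K -> Pr(K) (uniform if None)."""
    if key_dist is None:
        key_dist = {k: Fraction(1, len(keys)) for k in keys}
    joint = {}                                   # (P, C) -> Pr(P and C)
    for p in plaintexts:
        for k in keys:
            pc = (p, encrypt(k, p))
            joint[pc] = joint.get(pc, Fraction(0)) + prior[p] * key_dist[k]
    pr_c = {}
    for (_, c), pr in joint.items():
        pr_c[c] = pr_c.get(c, Fraction(0)) + pr
    return {pc: pr / pr_c[pc[1]] for pc, pr in joint.items()}


def is_perfectly_secret(encrypt, plaintexts, keys, prior, key_dist=None):
    """Slide 14: Pr(P|C) = Pr(P) for all P and all observable C. A pair (P, C) that
    never occurs has Pr(P|C) = 0, which already violates the definition."""
    post = posterior(encrypt, plaintexts, keys, prior, key_dist)
    ciphertexts = {c for (_, c) in post}
    return all(post.get((p, c), Fraction(0)) == prior[p]
               for p in plaintexts for c in ciphertexts)


def shannon_condition_2(encrypt, plaintexts, keys):
    """Slide 17, condition 2: |P| = |C| = |K| and exactly one key maps each P to each C."""
    ciphertexts = {encrypt(k, p) for k in keys for p in plaintexts}
    if not len(plaintexts) == len(ciphertexts) == len(keys):
        return False
    return all(sum(1 for k in keys if encrypt(k, p) == c) == 1
               for p in plaintexts for c in ciphertexts)


# Constructed toy instances: a 2-bit one-time pad, and a shift cipher on 4 symbols
# that has only 2 keys, i.e. |K| < |C|.
TWO_BIT = [0, 1, 2, 3]
SHIFT_KEYS = [0, 1]


def otp(k, p):
    return p ^ k


def shift4(k, p):
    return (p + k) % 4


# A skewed plaintext distribution: perfect secrecy must hold for every prior.
PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
# A key generator that prefers key 0, violating condition 1 of Shannon's theorem.
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}


if __name__ == "__main__":
    print(is_perfectly_secret(otp, TWO_BIT, TWO_BIT, PRIOR))               # uniform OTP
    print(is_perfectly_secret(shift4, TWO_BIT, SHIFT_KEYS, PRIOR))         # too few keys
    print(is_perfectly_secret(otp, TWO_BIT, TWO_BIT, PRIOR, BIASED_KEYS))  # biased key
```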


Properties of the One-Time-Pad

Advantages
● Easy to compute
► Encryption and decryption are the same operation
► Bitwise XOR is very cheap to compute
● As secure as theoretically possible
► Given a ciphertext, all plaintexts are equally likely
► Security independent of the attacker’s computational resources

Disadvantages
● Key must be as long as plaintext
► Impractical in most realistic scenarios
► Still used for diplomatic and intelligence traffic
● Does not guarantee integrity
► One-time pad only guarantees confidentiality
► Attacker cannot recover plaintext, but can easily change it to something else without being detected
● Insecure if keys are reused
► Attacker can obtain XOR of plaintexts
● Obviously not practical for all applications




Practical Modern Encryption Schemes

● Most encryption schemes used in practice do not provide perfect secrecy
► Stream ciphers try to simulate the OTP based on a small random seed
► Block ciphers encrypt complete blocks of plaintext instead of single bits
● When do we call such encryption schemes secure?

Computational Security
An encryption scheme is called computationally secure if
► All known attacks against the cipher are computationally infeasible
► I.e., theoretically possible but would take too much time to be practical for any (reasonable) amount of resources
● How can we attack encryption schemes?


Attacker Models

General assumption in any attack
► Attacker knows which cipher is used
► In line with Kerckhoff’s principle

Attack result
► (Partial) key recovery
§ Attacker tries to retrieve (part of) the key
► (Partial) plaintext recovery
§ Attacker tries to retrieve (part of) the plaintext
Key recovery implies plaintext recovery but not the other way round

Power of attacker (strength of attacker increases from top to bottom)
► Ciphertext-only attack
§ Attacker knows only ciphertext
► Known-plaintext attack
§ Knows some pairs of plaintext and ciphertext
► Chosen-plaintext attack (Chapter 4)
§ Can obtain ciphertext for plaintexts of his choice
► Chosen-ciphertext attack (Chapter 4)
§ Can obtain plaintext for ciphertexts of his choice before target ciphertext is known


Illustration of Ciphertext-only Attack

● A classical eavesdropper has access to ciphertext
● Thus, he can collect ciphertext(s) and try to
► Recover the key and/or
► Recover the plaintext

[Figure: Encryption → ciphertext on the channel → Decryption; the attacker observes only the ciphertext, key and plaintext are unknown to him (?)]


Illustration of Known-Plaintext Attack

● Attacker observes ciphertext and has access to one or more pairs of plaintext and ciphertext
► E.g., as he is able to guess plaintext for some ciphertexts
§ E.g., due to Bob’s reaction on receiving the ciphertext
► Tries to recover key and/or plaintext

Example:
► Substitution cipher vulnerable to a known plaintext attack
► One pair of plaintext / ciphertext sufficient to break (part of) the key

[Figure: Encryption → ciphertext on the channel → Decryption; the attacker knows some plaintext/ciphertext pairs, the key is unknown to him (?)]


Example: Exhaustive Key Search

● Try out all possible keys from the key space

► Ciphertext-only setting
§ Try out each key to decrypt the ciphertext and check if resulting plaintext “makes sense”
§ Only works if valid plaintexts are recognizable for the attacker
► Known-plaintext setting
§ Try out each key to decrypt the ciphertext
§ Check if it decrypts to the known plaintext

● Ciphertext-only setting is more difficult for the attacker

► Consequently: being secure against a ciphertext-only attack is easier to achieve


● Security in a chosen-ciphertext setting is hardest to achieve



Difficulty of Known-Plaintext Brute Force Attack

● Difficulty of exhaustive key search is proportional to the key size
► On average the attacker will have to try out |𝒦| / 2 keys
● And proportional to the resources of the attacker


Other Attack Strategies besides Brute Force and Frequency Analysis

● Time-memory trade-off
► Can be used to accelerate known-plaintext attacks
► Exploits a trade-off between time, memory and key space size
● Algebraic attacks
► Reduces breaking a cipher to solving a system of linear equations with the key bits as unknowns
► Can work very well in a known-plaintext setting
● Differential cryptanalysis
► Chosen-plaintext attack
► Attacker tries to recover the key using known differences between plaintexts and comparing them to the differences in the ciphertexts
● Related key attacks
► Chosen-plaintext attack
► Assumes attacker has access to chosen plaintexts encrypted with several keys
► Attacker knows relations between these keys




Stream Ciphers

● The one-time pad C = P ⊕ K is perfectly secure
► If the key is chosen uniformly at random for each P
● Idea of stream cipher
► Replace K with a pseudo-random bit-generator PRBG
§ Seed PRBG with ”truly random” key K
§ Include a fresh initialization vector IV for each P
► Encryption/Decryption very fast
§ Key stream can be pre-generated
● The PRBG should be cryptographically secure
► We typically cannot prove that a PRBG is cryptographically secure; we assume it is if no attack is known

Stream cipher
For each plaintext P select a fresh IV and set C = E_K(P) = IV ∥ P ⊕ PRBG(IV, K).
PRBG(IV, K) is also referred to as key stream.
The same key K is used for multiple plaintexts.

A PRBG is said to be cryptographically secure iff there is no polynomial-time algorithm which on input of the first k bits of the output of the PRBG can predict the next bit with probability > ½, i.e., it passes the next-bit test.


General Stream Cipher Weakness

● If the IV is ever reused with the same key
► Stream ciphers are vulnerable to a known-plaintext attack
● Why?
► Assume the attacker knows P1, C1
§ As C1 = E_K(P1) = IV ∥ P1 ⊕ PRBG(IV, K), the attacker knows IV and PRBG(IV, K)
§ Thus, if IV and K are reused to encrypt P2, and the attacker observes C2
§ Then he can decrypt P2 by C2 ⊕ (IV ∥ PRBG(IV, K)) = 0 ∥ P2
● Has, e.g., been used to attack the security architecture WPA2 for WLAN
► Known as KRACK attack
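Added example, not part of the lecture slides: the stream cipher construction of slide 31 and the IV-reuse weakness of slide 32 in Python. The PRBG is a constructed SHA-256 counter generator standing in for a real stream cipher core, the message bytes are made up, and the final function is the defender's side: a check that flags repeated IVs under one key. Function names are my own.

```python
import hashlib
import os

IV_LEN = 16


def prbg(iv, key, n):
    """Toy key stream PRBG(IV, K): SHA-256 over (key, IV, counter), cut to n bytes.
    Constructed for this example only; it stands in for a real stream cipher core."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, plaintext, iv=None):
    """C = IV || (P xor PRBG(IV, K)); a fresh random IV per message unless one is forced."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    return iv + xor(plaintext, prbg(iv, key, len(plaintext)))


def decrypt(key, ciphertext):
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return xor(body, prbg(iv, key, len(body)))


def keystream_from_known_pair(p1, c1):
    """What one known (P1, C1) pair reveals without the key: the IV and PRBG(IV, K)."""
    iv, body = c1[:IV_LEN], c1[IV_LEN:]
    return iv, xor(p1, body)


def recover_without_key(p1, c1, c2):
    """If C2 was produced under the same key and the same IV as C1, then C2 xor the
    recovered key stream is P2 (as far as the known key stream reaches).
    Returns None when the IVs differ, i.e. when the IV was fresh."""
    iv, ks = keystream_from_known_pair(p1, c1)
    if c2[:IV_LEN] != iv:
        return None
    body = c2[IV_LEN:]
    return xor(body, ks[:len(body)])


def find_iv_reuse(ciphertexts):
    """Defensive check over ciphertexts produced under one key: report index pairs
    (first occurrence, repeat) whose IV prefix is the same."""
    seen, repeats = {}, []
    for i, c in enumerate(ciphertexts):
        iv = c[:IV_LEN]
        if iv in seen:
            repeats.append((seen[iv], i))
        else:
            seen[iv] = i
    return repeats
```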


Examples for Stream Ciphers

● Well-known insecure stream ciphers
► RC4
§ Before its break used in WLAN, TLS, …
► A5/1, A5/2
§ Supported by GSM (2G mobile networks)
► E0
§ Supported by old Bluetooth versions
► …
● Well-known (yet) unbroken stream ciphers
► SNOW 3G
§ Supported by 3G/LTE/5G networks
► ChaCha20
§ Supported by TLS, IPSec, …
► Unbroken block ciphers in CTR mode
§ Supported by LTE/5G networks
§ Supported by TLS, IPSec, …
► …

● Any cipher that only provides computational security can be broken at any point in time
► We need to be prepared and always ensure that we can easily switch from one cipher to another


Block Ciphers

● Operate on plaintext blocks of a specific length
► Called the block length b ∈ ℕ of the cipher
► Plaintext space 𝒫 = {0,1}^b and ciphertext space 𝒞 = {0,1}^b
► For each key K in the key space 𝒦 = {0,1}^k, E_K : 𝒫 → 𝒞
● Typically need to be used in a specific mode of encryption
► Specifies how plaintexts of length > b bits are encrypted (later in this chapter)


Examples for Block Ciphers

● Well-known insecure block ciphers
► DES
§ Before its break used in IPSec, TLS, …
► IDEA
► …
● Well-known (yet) unbroken block ciphers
► KASUMI
§ Supported by 3G/LTE/5G networks
► AES
§ Supported by TLS, IPSec, …
► Camellia
§ Supported by TLS
► …

● Any cipher can be broken at any point in time
► We need to be prepared and always ensure that we can easily switch from one cipher to another


Example Block Cipher: DES

● Published in 1977 by the National Bureau of Standards*
► Designed by IBM and the NSA
● Uses a 64-bit key K and a block length of 64 bit
► But: 8 bits of the key are used as parity bits
● Effective key size is 56 bits

[Figure: Plaintext (64 bit) → DES_K → Ciphertext (64 bit)]

* called National Institute of Standards and Technology (NIST) since 1988


Security of DES

● January 13th, 1999: DES key broken within 22 hours and 15 minutes
► In a contest sponsored by RSA Labs
► Brute force key search using
► the Electronic Frontier Foundation’s Deep Crack custom DES cracker ...
► … and the idle CPU time of around 100,000 computers
● Since then, DES is considered insecure
● Biggest weakness still is the key length of 56 bits only!


First Proposed Fix: 2DES

● First idea to increase the key size of DES
► Use DES twice with two independently chosen keys

[Figure: Plaintext → DES_K′ → DES_K* → Ciphertext]

● Problem: this does not double the key size!

Meet in the middle attack on 2DES
► Assume attacker has access to (P, C), where C = DES_K*(DES_K′(P))
► Attacker can encrypt P with any possible key (2^56 DES operations)
§ And thus create a lookup table E_K(P) = Z_K for K ∈ {0,1}^56 of intermediate ciphertexts
► Attacker can decrypt C with all possible keys (at most 2^56 DES operations)
§ And compute D_K(C) = X_K, K ∈ {0,1}^56 until X_K1 = Z_K2 is found in the lookup table
► Then K2 = K′ and K1 = K* with high probability

Complexity of the attack:
► 2 · 2^56 = 2^57 DES operations
► Effective key size only increased by one!
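Added example, not part of the lecture slides: the meet-in-the-middle argument of slide 38 made concrete on a constructed toy block cipher (16-bit blocks, 8-bit keys) instead of DES, so that the naive 2^16 key-pair search and the 2 · 2^8 meet-in-the-middle search can both be run and their work counted. The cipher, the key values and the function names are my own constructions; the toy cipher is only a stand-in, not a secure design.

```python
MASK = 0xFFFF                    # 16-bit blocks
KEY_BITS = 8                     # 8-bit keys: 2^8 keys per cipher, 2^16 key pairs for double encryption
MUL = 0x6B2D                     # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)
ROUNDS = 3


def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def round_key(k, r):
    return (k * 0x0101) ^ ((r * 0x3C5A) & MASK)


def toy_encrypt(k, p):
    """Constructed toy block cipher: per round xor round key, multiply, rotate."""
    x = p
    for r in range(ROUNDS):
        x = rotl(((x ^ round_key(k, r)) * MUL) & MASK, 5)
    return x


def toy_decrypt(k, c):
    x = c
    for r in reversed(range(ROUNDS)):
        x = ((rotr(x, 5) * MUL_INV) & MASK) ^ round_key(k, r)
    return x


def double_encrypt(k1, k2, p):
    """2DES-style composition: C = E_K2(E_K1(P))."""
    return toy_encrypt(k2, toy_encrypt(k1, p))


def consistent(k1, k2, pairs):
    return all(double_encrypt(k1, k2, p) == c for p, c in pairs)


def naive_search(pairs):
    """Try all 2^(2*KEY_BITS) key pairs. Returns (matching pairs, double encryptions done)."""
    n = 1 << KEY_BITS
    found = [(k1, k2) for k1 in range(n) for k2 in range(n) if consistent(k1, k2, pairs)]
    return found, n * n


def meet_in_the_middle(pairs):
    """Slide 38: table Z_K = E_K(P) for every K, then X_K = D_K(C) for every K and look
    for X_K1 = Z_K2. Work: 2 * 2^KEY_BITS single encryptions/decryptions instead of
    2^(2*KEY_BITS) double encryptions. The remaining known pairs weed out the
    (expected about one) false matches, which is the slide's "with high probability"."""
    (p, c), rest = pairs[0], pairs[1:]
    n = 1 << KEY_BITS
    table = {}
    for k1 in range(n):
        table.setdefault(toy_encrypt(k1, p), []).append(k1)
    candidates = []
    for k2 in range(n):
        for k1 in table.get(toy_decrypt(k2, c), []):
            candidates.append((k1, k2))
    found = [(k1, k2) for k1, k2 in candidates if consistent(k1, k2, rest)]
    return found, 2 * n


if __name__ == "__main__":
    pairs = [(p, double_encrypt(0x3A, 0xC7, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    print(meet_in_the_middle(pairs))   # ([(58, 199)], 512)
    print(naive_search(pairs))         # ([(58, 199)], 65536)
```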


3DES = ”Triple DES”

● Use DES three times in a row

[Figure: Plaintext → DES_K1 → DES^-1_K2 → DES_K3 → Ciphertext]

● Variants
► 3-key DES: K1, K2, and K3 are pairwise different
§ Provides an effective key size of 112 bit according to NIST
► 2-key DES: K1 = K3
§ Provides an effective key size of 80 bit according to NIST
► Both variants use encryption with K1, decryption with K2 and encryption with K3
§ Setting K1 = K2 = K3, this allows 3DES-only capable senders to communicate with DES-only capable receivers


The Advanced Encryption Standard (AES)

● Goals of the NIST Call for AES
► More secure than 3DES
► More efficient than 3DES
► Support different key lengths
§ 128, 192, and 256 bit
► The block length of the cipher is 128 bit
§ Regardless of the key length

[Figure: Plaintext (128 bit) → AES_K → Ciphertext (128 bit)]

● Timeline of AES Selection
► Jan. 1997: NIST-call published
► Aug. 1998: 15 candidates presented
§ Cast-256, Crypton, DEAL, DFC, E2, Frog, HPC, Loki97, Magenta, MARS, RC6, Rijndael, SAFER+, Serpent, Twofish
§ Broken shortly afterwards (or during presentation)
– DEAL, Frog, HPC, Loki97, Magenta
► Aug. 1999: finalists announced
§ MARS, RC6, Rijndael, Serpent, Twofish
► Oct. 2000: Rijndael selected as AES
► Nov. 2001: AES standardized in FIPS 197


Selection Criteria

Taken from http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html


Structure of AES

● AES operates in rounds
► Input and output of each round are represented as 4x4 byte matrices; the 16 input bytes i0, …, i15 fill the matrix column by column:

Input            State            Output
i0 i4 i8  i12    s00 s01 s02 s03  o0 o4 o8  o12
i1 i5 i9  i13    s10 s11 s12 s13  o1 o5 o9  o13
i2 i6 i10 i14    s20 s21 s22 s23  o2 o6 o10 o14
i3 i7 i11 i15    s30 s31 s32 s33  o3 o7 o11 o15

● Round operations
► Substitute Byte (SB): each state byte is replaced via the S-box S
► Shift Row (SR)
► Mix Column (MC): each column of the state is multiplied by the matrix A, with multiplication in GF(2^8)
► Round Key Addition (KA): the state is XORed (⊕) with the 128-bit round key

A =
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02


Reminder: Multiplication in GF(2^8) with x^8 + x^4 + x^3 + x + 1 as irreducible Polynomial

● For example, (in hex notation) 57 • 83 = c1 in GF(2^8) because
► 57 = 01010111 ⋍ x^6 + x^4 + x^2 + x + 1
► 83 = 10000011 ⋍ x^7 + x + 1
► (x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) = x^13 + x^11 + x^9 + x^8 + x^7 + x^7 + x^5 + x^3 + x^2 + x + x^6 + x^4 + x^2 + x + 1 = x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1
► x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1 modulo x^8 + x^4 + x^3 + x + 1 = x^7 + x^6 + 1 ⋍ 1100 0001 = c1
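Added example, not part of the lecture slides: the GF(2^8) multiplication of slide 43 implemented as polynomial multiplication followed by reduction modulo x^8 + x^4 + x^3 + x + 1, then used for the Mix Column step of slide 42 with the matrix A. Beyond the slide's single product it applies the operation to a whole 4x4 state in AES column-major order. Function names are my own.

```python
IRREDUCIBLE = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def poly_mul(a, b):
    """Carry-less product of two byte polynomials over GF(2), not yet reduced (degree up to 14)."""
    result = 0
    for i in range(8):
        if (b >> i) & 1:
            result ^= a << i
    return result


def poly_mod(p, m=IRREDUCIBLE):
    """Reduce p modulo m: repeatedly XOR a shifted copy of m onto the leading term."""
    while p.bit_length() >= m.bit_length():
        p ^= m << (p.bit_length() - m.bit_length())
    return p


def gf_mul(a, b):
    """Multiplication in GF(2^8) as on the slide: multiply, then reduce."""
    return poly_mod(poly_mul(a, b))


def poly_str(p):
    """Render a polynomial the way the slide writes it, e.g. x^7 + x^6 + 1."""
    terms = []
    for i in range(p.bit_length() - 1, -1, -1):
        if (p >> i) & 1:
            terms.append("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
    return " + ".join(terms) if terms else "0"


# Mix Column matrix A from slide 42, applied to each state column with GF(2^8) arithmetic.
A = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def mix_column(col):
    out = []
    for row in A:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out


def mix_columns(state):
    """state: 16 bytes in AES column-major order (bytes 0..3 form the first column)."""
    out = bytearray(16)
    for c in range(4):
        out[4 * c:4 * c + 4] = mix_column(list(state[4 * c:4 * c + 4]))
    return bytes(out)


if __name__ == "__main__":
    print(poly_str(poly_mul(0x57, 0x83)))      # the unreduced product of the slide
    print("%02x" % gf_mul(0x57, 0x83))         # c1
```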


Substitute Byte (SB)

Each byte b = b0b1b2b3b4b5b6b7 is replaced with the byte in S in column b0b1b2b3 and row b4b5b6b7

[Figure: S-box S; example lookup for the byte 11000100, written with its lowest-order bit first, which selects column 3 and row 2]


AES Operation Overall

plaintext → KA → [SB → SR → MC* → KA] → next round … → ciphertext

MC*: no mix column operation in the last round

● The round key is always a 128 bit key
► Different for each round, generated from the secret key
● Number of rounds depends on the key size
► 128 bit key: 10 rounds, 192 bit key: 12 rounds, 256 bit key: 14 rounds


Modes of Encryption

● Block ciphers of block length b
► Allow us to encrypt a plaintext P of b bit
► How can we encrypt longer plaintexts?
● Mode of encryption
► Let P = P1 ∥ P2 ∥ P3 ∥ P4 ∥ … ∥ Pn with Pi ∈ {0,1}^b for i = 1, …, n − 1 and Pn ∈ {0,1}^l for some 0 < l ≤ b
► A mode of encryption specifies how to encrypt plaintext P based on a b bit block cipher E_K(·)
● Modes we cover here
► Electronic Code Book (ECB) mode
► Cipher Block Chaining (CBC) mode
► Counter Mode (CTR)
● Modes we may cover in exercises
► Cipher Feedback Mode (CFB)
► Output Feedback Mode (OFB)
● AEAD Modes (Chapter 3)
► Authenticated Encryption with Associated Data (AEAD) Modes
§ E.g., Galois Counter Mode (GCM)


Electronic Codebook Mode (ECB)

ECB Mode
Encryption: Ci = E_K(Pi) for i = 1, …, n
Decryption: Pi = D_K(Ci) for i = 1, …, n
Requires padding of Pn to b bit

[Figure: illustration of encryption in ECB mode: P1, P2, P3, P4, …, Pn are each fed into E_K independently, yielding C1, C2, C3, C4, …, Cn]

● Problem
► Same Pi leads to same Ci
► Thus, patterns in plaintext lead to patterns in ciphertext (illustrated by an image next to its ECB-encrypted version)
► ECB mode should not be used!


Cipher Block Chaining Mode (CBC)

CBC Mode
C0 := IV
Encryption: Ci = E_K(Pi ⊕ Ci−1) for i = 1, …, n
Decryption: Pi = D_K(Ci) ⊕ Ci−1 for i = 1, …, n
Requires padding of Pn to b bit

[Figure: illustration of encryption in CBC mode: IV ⊕ P1 → E_K → C1; C1 ⊕ P2 → E_K → C2; …; Cn−1 ⊕ Pn → E_K → Cn]

● Requires a fresh IV for each plaintext to encrypt
► If the same IV is reused on P and P*
§ then C1 and C1* reveal whether P1 = P1*
► Is vulnerable to a so-called padding-oracle attack
Should not be used anymore


Counter Mode (CTR)

CTR Mode
IV public, fresh for each plaintext
Encryption: Ci = E_K(IV + i) ⊕ Pi for i = 1, …, n
Decryption: Pi = Ci ⊕ E_K(IV + i) for i = 1, …, n

[Figure: illustration of encryption in CTR mode: IV + 1, IV + 2, IV + 3, …, IV + n are each fed into E_K; the outputs are XORed with P1, P2, P3, …, Pn to give C1, C2, C3, …, Cn]

Properties of CTR Mode
► CTR Mode does not require padding of Pn to b bit
► Ciphertext is of the same size as plaintext
► CTR Mode turns a block cipher into a stream cipher
► CTR mode encryption and decryption can be parallelized
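Added example, not part of the lecture slides: the ECB, CBC and CTR formulas of slides 46 to 49 implemented over a constructed 64-bit toy Feistel block cipher (a stand-in so that the code runs without AES; it is not a secure cipher). The last function is the defender's check for the ECB problem, repeated ciphertext blocks. All names, the padding scheme and the sample values are my own.

```python
import hashlib

BLOCK = 8   # block length b of the toy cipher, in bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_f(half, key, r):
    """Round function of the toy Feistel cipher: a keyed hash truncated to 4 bytes."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def toy_block_encrypt(key, block):
    """Constructed 4-round Feistel cipher on 8-byte blocks (not AES or DES)."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, _round_f(r, key, i))
    return r + l


def toy_block_decrypt(key, block):
    r, l = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _round_f(l, key, i)), l
    return l + r


def pad(data):
    """Pad P_n to a full block (PKCS#7 style); needed by ECB and CBC, not by CTR."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, p):
    """C_i = E_K(P_i): every block is encrypted independently."""
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pad(p)))


def ecb_decrypt(key, c):
    return unpad(b"".join(toy_block_decrypt(key, b) for b in blocks(c)))


def cbc_encrypt(key, p, iv):
    """C_0 = IV, C_i = E_K(P_i xor C_{i-1})."""
    prev, out = iv, []
    for b in blocks(pad(p)):
        prev = toy_block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, c, iv):
    """P_i = D_K(C_i) xor C_{i-1}."""
    prev, out = iv, []
    for b in blocks(c):
        out.append(xor(toy_block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_keystream(key, iv, n):
    """E_K(IV + i) for i = 1..n, the IV being read as a 64-bit counter."""
    start = int.from_bytes(iv, "big")
    return b"".join(toy_block_encrypt(key, ((start + i) & (2**64 - 1)).to_bytes(8, "big"))
                    for i in range(1, n + 1))


def ctr_crypt(key, data, iv):
    """C_i = E_K(IV + i) xor P_i; no padding, the key stream is cut to the data length,
    and decryption is the same operation."""
    n = -(-len(data) // BLOCK)
    return xor(data, ctr_keystream(key, iv, n)[:len(data)])


def repeated_blocks(c):
    """Defensive check for ECB-style leakage: does any ciphertext block repeat?"""
    bs = blocks(c)
    return len(bs) != len(set(bs))
```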


Summary

● Symmetric Encryption Schemes provide confidentiality


► Require a secret key shared between the communicating entities
● Perfect secrecy can be obtained by the one-time-pad
► Requires key chosen uniformly at random and as long as the plaintext for each plaintext
► Impractical to use in many situations
● Practical encryption schemes only provide computational security
► Can in theory always be broken with a brute force attack in a known plaintext setting
§ Require long keys to make brute force attack practically impossible

● Different attacker models make different assumptions with respect to


► The knowledge of the attacker (ciphertext-only, known plaintext,…)
► The goal of the attacker (plaintext recovery, key recovery)
► The approach the attacker takes (brute force, frequency analysis, differential analysis…)



Summary

● Practical symmetric encryption schemes can be divided into
► Stream ciphers, e.g., ChaCha20
► Block ciphers, e.g., AES
● Stream ciphers encrypt a plaintext by xoring it with a key stream
► Key stream is generated by
§ a (longer term) secret key that is reused for multiple plaintexts
§ and a fresh IV for each plaintext to encrypt
► Should never reuse IVs with the same key
● Block ciphers require the use of a mode of encryption
► Specifies how to encrypt plaintexts that are longer than one block length of the block cipher
► These modes have a strong influence on the security of the encryption scheme
§ Used in an insecure mode, a secure block cipher may become insecure
► The effective key size of a block cipher cannot be doubled by applying the cipher twice


References

● More details on symmetric encryption
► Johannes Buchmann, Einführung in die Kryptographie, 6th edition, Springer 2016
§ Chapters 3 to 6
► W. Stallings, Cryptography and Network Security: Principles and Practice, 8th edition, Pearson 2022
§ Chapters 3, 4, 6, and 7
● Standard Documents
► FIPS 197: Advanced Encryption Standard
§ https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf
► FIPS 46-3: Data Encryption Standard (DES)
§ https://csrc.nist.gov/files/pubs/fips/46-3/final/docs/fips46-3.pdf