
# Unit 2

Feistel cipher, DES, IDEA, Blowfish, CAST-128, RC5

Published in: Engineering, Technology
### Unit 2

1. Prof. Chintan Patel, Information Security, CE Department. Unit 2. MEFGI, Rajkot.
2. - A stream cipher encrypts a digital data stream one bit or one byte at a time.
     - Example: the Vigenère cipher or the Vernam cipher.
     - GATE: it is also called a block cipher where size = 1.
   - A block cipher is a symmetric-key modern cipher that encrypts an n-bit block of plaintext and decrypts an n-bit block of ciphertext.
   - Padding:
     - If the message has fewer than n bits, padding must be added to make it n bits.
     - If the message size is not a multiple of n bits, it should be divided into n-bit blocks and the last block should be padded.
3. - Can we model substitution as a permutation?
   - Yes: n bits of input and output can be represented as 2^n bit sequences of 1s and 0s.
   - 0 1 2 3 4 5 6 8 7 4 3 2 1 0 6 5
4. - Reversible mapping: one that produces unique ciphertext blocks.

   | Plaintext | Ciphertext (a. reversible mapping) | Ciphertext (b. irreversible mapping) |
   |---|---|---|
   | 00 | 11 | 11 |
   | 01 | 10 | 10 |
   | 10 | 00 | 01 |
   | 11 | 01 | 01 |

5. - Can be used to define any reversible mapping between plaintext and ciphertext. Feistel refers to it as the ideal block cipher.
6. Encryption and decryption tables:

   | Plaintext | Ciphertext |
   |---|---|
   | 0000 | 1110 |
   | 0001 | 0100 |
   | 0010 | 1101 |
   | 0011 | 0001 |
   | 0100 | 0010 |
   | 0101 | 1111 |
   | 0110 | 1011 |
   | 0111 | 1000 |
   | 1000 | 0011 |
   | 1001 | 1010 |
   | 1010 | 0110 |
   | 1011 | 1100 |
   | 1100 | 0101 |
   | 1101 | 1001 |
   | 1110 | 0000 |
   | 1111 | 0111 |

   | Ciphertext | Plaintext |
   |---|---|
   | 0000 | 1110 |
   | 0001 | 0011 |
   | 0010 | 0100 |
   | 0011 | 1000 |
   | 0100 | 0001 |
   | 0101 | 1100 |
   | 0110 | 1010 |
   | 0111 | 1111 |
   | 1000 | 0111 |
   | 1001 | 1101 |
   | 1010 | 1001 |
   | 1011 | 0110 |
   | 1100 | 1011 |
   | 1101 | 0010 |
   | 1110 | 0000 |
   | 1111 | 0101 |

7. - An ideal block cipher with a large block size is not practical, however, from an implementation and performance point of view: the mapping itself constitutes the key.
   - "The basic aim of the key was to produce unique ciphertext, but here every plaintext itself gives a unique ciphertext."
   - So for n = 4 (see the table on the previous slide, where n = 4) the total key size is 4 (number of bits) × 16 (number of rows) = 64 bits.
   - In general, for n bits the key size is n × 2^n bits.
8. - Substitution: each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements.
   - Permutation: a sequence of plaintext elements is replaced by a permutation of that sequence. No elements are added, deleted or replaced; only the order of the elements is changed.
9. - "Based on knowledge of the statistical characteristics of the plaintext, an attacker can guess the probable words of the message." So Claude Shannon introduced a concept in which:
     - the relationship between plaintext and ciphertext is hidden, called diffusion;
     - the relationship between ciphertext and key is hidden, called confusion.
   - The mechanism of diffusion seeks to make the statistical relationship between the plaintext and the ciphertext as complex as possible in order to thwart attempts to deduce the key.
   - In confusion, even if the attacker can get a handle on some statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key.
10. - Diffusion can be achieved by repeatedly performing some permutation. The effect is that bits from different positions in the original plaintext contribute to a single bit of ciphertext.
    - Confusion can be achieved by the use of a complex substitution algorithm, like the Hill cipher or the Playfair cipher.
11. Data Encryption Standard (DES): The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).
12. - In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem.
    - A proposal from IBM, a modification of a project called Lucifer, was accepted as DES.
    - DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS).
13. Encryption and decryption with DES
14. General structure of DES
15. Initial and final permutation steps in DES
16. Note: The initial and final permutations are straight P-boxes that are inverses of each other. They have no cryptographic significance in DES.
17. DES uses 16 rounds. Each round of DES is a Feistel cipher. Figure: A round in DES (encryption site).
18. DES function: The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.
19. Expansion P-box: Since R_{I−1} is a 32-bit input and K_I is a 48-bit key, we first need to expand R_{I−1} to 48 bits. Figure: Expansion permutation.
20. Although the relationship between the input and output can be defined mathematically, DES uses a table to define this P-box. Table: Expansion P-box table.
21. Whitener (XOR): After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48 bits in length. Also note that the round key is used only in this operation.
22. S-boxes: The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output.
23. S-box rule
24. S-box 1 example: The input to S-box 1 is 100011. What is the output? If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The remaining bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1, in the table for S-box 1. The result is 12 in decimal, which in binary is 1100. So the input 100011 yields the output 1100.
25. Straight permutation
26. Figure: Key generation
27. Parity-bit drop table
28. - DES design criteria
      - Design criteria for the S-boxes (substitution)
      - Design criteria for the P-box (permutation)
    - Number of rounds
    - Design of the function F
    - Key scheduling
29. - No output bit of any S-box should be too close to a linear function of the input bits.
    - Each row of an S-box should include all 16 possible output bit combinations.
    - If two inputs to an S-box differ in 1 bit, the outputs must differ in at least 2 bits.
    - If two inputs to an S-box differ in exactly the two middle bits, the outputs must differ in at least 2 bits.
    - If two inputs to an S-box differ in their first 2 bits and are identical in their last 2 bits, the outputs must not be the same.
    - These criteria are intended to increase the confusion of the algorithm.
30. - The 4 output bits from each round i are distributed so that 2 of them affect the "middle bits" of round (i+1) and the other 2 affect the end bits.
    - The 4 output bits from each S-box affect 6 different S-boxes in the next round, and no two affect the same S-box.
    - These criteria are intended to increase the diffusion of the algorithm.
31. - Schneier observes that for 16-round DES, a differential cryptanalysis attack is less efficient than brute force.
    - Differential cryptanalysis requires 2^55.1 operations while brute force requires 2^55.
    - If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a brute-force attack.
32. - SAC (strong avalanche criteria)
      - It must provide the avalanche effect: small changes in the plaintext and key must produce different ciphertext.
    - BIC (bit independence criteria)
      - Output bits j and k should change independently when any single input bit i is inverted.
    - The BIC and SAC criteria appear to strengthen the effectiveness of confusion.
    - Select the key to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.
33. - Multiple encryption and Triple DES
    - Block cipher modes of operation
    - Book: William Stallings (Chapter 6)
34. - Topics to be covered:
      - Introduction
      - Double DES
      - Triple DES with 2 keys
      - Triple DES with 3 keys
35. - Multiple encryption: the encryption algorithm is used multiple times.
    - Triple DES: 3 stages of the DES algorithm with 2 or 3 keys.
36. - Is there some K3 that can be prepared from K1 and K2?
    - Is the following true? E(K2, E(K1, P)) = E(K3, P)
    - No, it is not possible. DES is not a group cipher like the Caesar cipher.
    - So double DES results in a mapping that is not equal to a single DES encryption.
37. - Thus double DES results in a mapping that is not equal to a single DES encryption.
    - C = E(K2, E(K1, P))
    - X = E(K1, P) = D(K2, C)
    - Based on a given (P, C) pair:
      - Encrypt P using K1. Store these results in a table and then sort the table by the value of X.
      - Decrypt C using K2. Store these results in a table and match them with X. If a match is found, try the two keys on the ciphertext; if they produce the correct plaintext, accept them as the correct keys.
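
The table-and-match procedure from slide 37, run against a constructed toy cipher so that it finishes instantly. This is an added example, not part of the original slides: the 10-bit keys, the toy Feistel cipher and all function names are assumptions for illustration, and the toy cipher is not DES.

```python
MASK16 = 0xFFFF
KEY_BITS = 10  # constructed toy key size; DES uses 56-bit keys


def _f(half, key, rnd):
    """Toy round function (not DES): key mixing, multiply, rotate."""
    x = (half ^ (key * 0x41) ^ (rnd * 0x1F35)) & MASK16
    x = (x * 0x6255 + 0x3619) & MASK16
    return ((x << 7) | (x >> 9)) & MASK16


def toy_encrypt(key, block):
    """4-round Feistel cipher on a 32-bit block, E(K, P)."""
    left, right = block >> 16, block & MASK16
    for rnd in range(4):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 16) | right


def toy_decrypt(key, block):
    """Inverse of toy_encrypt, D(K, C)."""
    left, right = block >> 16, block & MASK16
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 16) | right


def double_encrypt(k1, k2, block):
    """C = E(K2, E(K1, P)), the double-encryption construction."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (K1, K2) candidates from known (P, C) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    # Forward table: X = E(K1, P) for every K1.
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    # Backward pass: X = D(K2, C) for every K2, matched against the table.
    for k2 in range(1 << KEY_BITS):
        for k1 in forward.get(toy_decrypt(k2, c0), []):
            # A match is only a candidate; confirm it on the other pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found


def work_factors():
    """(cipher operations for the table attack, keys in a naive search)."""
    return 2 * (1 << KEY_BITS), 1 << (2 * KEY_BITS)


if __name__ == "__main__":
    secret = (0x2A7, 0x13C)  # constructed keys
    known = [(p, double_encrypt(*secret, p)) for p in (0x12345678, 0x0BADF00D)]
    print(meet_in_the_middle(known), work_factors())
```

The second key adds about one bit of effort rather than doubling the effective key length, at the cost of storing the forward table.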
38. - hence must use 3 encryptions
      - would seem to need 3 distinct keys
    - but can use 2 keys with an E-D-E sequence
      - C = E_K1(D_K2(E_K1(P)))
      - encrypt and decrypt are equivalent in security
      - if K1 = K2 then it can work with single DES
39. - although there are no practical attacks on two-key Triple DES, there are some indications
    - can use Triple DES with three keys to avoid even these
      - C = E_K3(D_K2(E_K1(P)))
    - has been adopted by some Internet applications, e.g. PGP, S/MIME
40. - a "new" mode, though proposed early on
    - similar to OFB but encrypts a counter value rather than any feedback value
    - must have a different key and counter value for every plaintext block (never reused)
    - uses: high-speed network encryption
41. - Hardware efficiency: in CTR mode, encryption can be done in parallel on multiple plaintext blocks.
    - Software efficiency: because of the parallel work, features like aggressive pipelining, multiple instruction dispatch and a large number of registers can be used effectively.
    - Preprocessing: encryption does not depend on the plaintext or ciphertext, so preprocessing can be used to prepare the output of the encryption boxes that feed into the XOR.
    - Simplicity:
    - Provable security:
42. - IDEA (International Data Encryption Algorithm)
    - Blowfish
    - RC2, RC5
    - CAST-128
43. - It is a minor revision of an earlier cipher, PES (Proposed Encryption Standard).
    - IDEA was originally called IPES (Improved PES).
    - IDEA was used as the symmetric cipher in early versions of the Pretty Good Privacy cryptosystem.
44. - The IDEA encryption algorithm
      - provides high-level security not based on keeping the algorithm a secret, but rather upon ignorance of the secret key
      - is fully specified and easily understood
      - is available to everybody
      - is suitable for use in a wide range of applications
      - can be economically implemented in electronic components (VLSI chip)
      - can be used efficiently
      - may be exported worldwide
      - is patent protected to prevent fraud and piracy
45. - The algebraic idea behind IDEA is the mixing of three incompatible algebraic operations on 16-bit blocks:
      - bitwise XOR,
      - addition modulo 2^16, and
      - multiplication modulo 2^16 + 1.
46. - The 64-bit plaintext is divided into four 16-bit blocks, which are called X1, X2, X3, X4.
    - The 128-bit key is divided into eight 16-bit blocks.
47. Steps of one round:
    1. Multiply X1 and the first subkey Z1.
    2. Add X2 and the second subkey Z2.
    3. Add X3 and the third subkey Z3.
    4. Multiply X4 and the fourth subkey Z4.
    5. Bitwise XOR the results of steps 1 and 3.
    6. Bitwise XOR the results of steps 2 and 4.
    7. Multiply the result of step 5 and the fifth subkey Z5.
    8. Add the results of steps 6 and 7.
    9. Multiply the result of step 8 and the sixth subkey Z6.
    10. Add the results of steps 7 and 9.
    11. Bitwise XOR the results of steps 1 and 9.
    12. Bitwise XOR the results of steps 3 and 9.
    13. Bitwise XOR the results of steps 2 and 10.
    14. Bitwise XOR the results of steps 4 and 10.
48. The final transformation occurs:
    1. Multiply X1 and the first subkey Z1.
    2. Add X2 and the second subkey Z2.
    3. Add X3 and the third subkey Z3.
    4. Multiply X4 and the fourth subkey Z4.
49. - Each of the eight complete rounds requires six subkeys, and the final transformation "half round" requires four subkeys; so the entire process requires 52 subkeys.
    - The 128-bit key is split into eight 16-bit subkeys.
    - The bits are shifted to the left by 25 bits.
    - The resulting 128-bit string is split into eight 16-bit blocks that become the next eight subkeys.
    - The shifting and splitting process is repeated until 52 subkeys are generated.
    - The shifts of 25 bits ensure that repetition does not occur in the subkeys.
    - Six subkeys are used in each of the 8 rounds. The final 4 subkeys are used in the ninth "half round" final transformation.
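
The round steps of slide 47, the final transformation of slide 48 and the 52-subkey schedule of slide 49, put together as IDEA block encryption. This is an added example, not part of the original slides; the function names and the sample key and plaintext are assumptions. One detail the slides leave implicit is handled in `encrypt_block`: the two middle blocks leave each round in swapped order, and that swap is undone before the final transformation.

```python
MASK16 = 0xFFFF

# Constructed sample values for the demonstration.
KEY = 0x00010002000300040005000600070008
PLAINTEXT = 0x0000000100020003


def mul(a, b):
    """Multiplication modulo 2^16 + 1; the 16-bit value 0 stands for 2^16."""
    r = ((a or 0x10000) * (b or 0x10000)) % 0x10001
    return r & MASK16  # 2^16 is stored as 0 again


def add(a, b):
    """Addition modulo 2^16."""
    return (a + b) & MASK16


def expand_key(key128):
    """Split into eight 16-bit words, rotate left 25 bits, repeat up to 52."""
    subkeys, k = [], key128
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & MASK16 for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def idea_round(x, z):
    """One full round: x is [X1..X4], z is the round's six subkeys."""
    s1 = mul(x[0], z[0])          # step 1
    s2 = add(x[1], z[1])          # step 2
    s3 = add(x[2], z[2])          # step 3
    s4 = mul(x[3], z[3])          # step 4
    s5 = s1 ^ s3                  # step 5
    s6 = s2 ^ s4                  # step 6
    s7 = mul(s5, z[4])            # step 7
    s8 = add(s6, s7)              # step 8
    s9 = mul(s8, z[5])            # step 9
    s10 = add(s7, s9)             # step 10
    # Steps 11-14, in that order, are the inputs of the next round.
    return [s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10]


def encrypt_block(block64, key128):
    """Eight rounds followed by the final half round."""
    z = expand_key(key128)
    x = [(block64 >> (48 - 16 * i)) & MASK16 for i in range(4)]
    for r in range(8):
        x = idea_round(x, z[6 * r:6 * r + 6])
    # Undo the middle-block swap of round 8, then apply the last 4 subkeys.
    y = [mul(x[0], z[48]), add(x[2], z[49]), add(x[1], z[50]), mul(x[3], z[51])]
    return (y[0] << 48) | (y[1] << 32) | (y[2] << 16) | y[3]


if __name__ == "__main__":
    print(format(encrypt_block(PLAINTEXT, KEY), "016x"))
```
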
50. - Simplified IDEA encrypts a 16-bit block of plaintext to a 16-bit block of ciphertext. It uses a 32-bit key. The simplified algorithm consists of four identical rounds and a "half round" final transformation.
51. - IDEA supports all of:
      - ECB (electronic code book)
      - CBC (cipher block chaining)
      - CFB (cipher feedback mode)
      - OFB (output feedback mode)
52. - IDEA-based security solutions are available in many market areas, ranging from financial services and broadcasting to government.
    - The IDEA algorithm can easily be embedded in any encryption software. Data encryption can be used to protect data transmission and storage. Typical fields are:
      - Audio and video data for cable TV, pay TV, video conferencing, distance learning, business TV, VoIP
      - Sensitive financial and commercial data
      - Email via public networks
      - Transmission links via modem, router or ATM link, GSM technology
      - Smart cards
53. Source: Internet and book: Atul Kahate.
54. - Developed by Bruce Schneier in 1993/94.
    - Design objectives:
      - Fast: the Blowfish encryption rate on a 32-bit microprocessor is 26 clock cycles per byte.
      - Compact: it can be executed in less than 5 KB of memory.
      - Simple: it uses only primitive operations like XOR and table lookup, making its design and implementation simple.
      - Secure: Blowfish has a variable key length, up to a maximum of 448 bits and a minimum of 32 bits, to make it flexible and secure.
      - Used in applications where the key remains constant for a long time (e.g. a communication link) but not where the key changes frequently (e.g. packet switching).
55. - Encrypts 64-bit blocks with a variable-length key, and contains 2 parts:
      - Subkey generation: expands the key of up to 448 bits into subkeys totaling 4168 bits.
      - Data encryption: iteration of the Feistel function 16 times. Each round contains a key-dependent permutation and a key- and data-dependent substitution.
56. 1. Uses a large number of subkeys, and the keys must be ready before encryption and decryption. The key size ranges from 32 bits to 448 bits, that is, 1 to 14 words of 32 bits each: K1, K2, K3, …, Kn, each block containing 32 bits.
    2. P-array, consisting of 18 32-bit subkeys: P1, P2, …, P18.
       - Schneier recommends using the bits of the fractional part of the constant pi=22/7. P1 = 24F6C98, P2 = 85F6A88, …, P18 = 84F6D84.
57. 3. 4 S-boxes, each containing 256 32-bit entries.
       - S1,0 … S1,255
       - S2,0 … S2,255
       - S3,0 … S3,255
       - S4,0 … S4,255
       - Initialized the same way as the P-array, with hexadecimal values of the fractional part of the constant pi = 22/7.
    4. Then a bitwise XOR of P1 with K1, P2 with K2, …, P14 with K14. After that the key array K is exhausted, and hence K1 to K4 are used for P15 to P18.
       - P1 = P1 XOR K1
       - P2 = P2 XOR K2
       - …
       - P18 = P18 XOR K4
58. - Symmetric block cipher developed by Ron Rivest.
    - Quite fast because it uses only addition, XOR and shift operations.
    - Allows a variable number of rounds and a variable key size to add flexibility.
    - Requires less memory for execution and is therefore suitable not only for desktop applications but also for smart cards and other devices.
59. RC5 parameters:

    | Parameter | Allowed values |
    |---|---|
    | Word size in bits | 16, 32, 64 |
    | Number of rounds | 0 … 255 |
    | Number of 8-bit bytes in the key | 0 … 255 |

    Word size, number of rounds and key length can all vary. Variable here means that, before execution of a particular instance of RC5, these values can be chosen from those allowed, unlike in DES and IDEA. RC5 uses 2-word blocks. The notation is RC5-w/r/b, where w = word size, r = number of rounds and b = number of 8-bit bytes in the key. Example: RC5-32/16/16 means 64-bit (32 × 2) blocks, 16 rounds and a 16-byte key.
60. - The input plaintext is divided into equal-size blocks A and B.
    - To produce C and D, S[0] is added to A and S[1] is added to B.
61. - Step 1: XOR C and D to produce E.
    - Step 2: Circular left shift of E by D bits.
    - Step 3: Add E to the next subkey to produce F.
62. - Step 4: XOR D and F.
    - Step 5: Circular left shift of G.
    - Step 6: Add G and the next subkey.
63. - Check whether all rounds are finished or not.
64. - Step 1: The subkeys S[0], S[1], … are generated.
    - Step 2: The original key is called L. All subkeys (S[0], S[1], …) are mixed with the corresponding sub-portions of the original key (L[0], L[1], …).
65. - typically have a hierarchy of keys
    - session key
      - temporary key
      - used for encryption of data between users
      - for one logical session, then discarded
    - master key
      - used to encrypt session keys
      - shared by user and key distribution center
66. Session key lifetime (Henric Johnson)
67. - hierarchies of KDCs are required for large networks, but they must trust each other
    - session key lifetimes should be limited for greater security (connection-oriented and connectionless)
    - use of automatic key distribution on behalf of users, but must trust the system
    - use of decentralized key distribution
    - controlling key usage
68. - for cryptographic applications, can use a block cipher to generate random numbers
    - often for creating session keys from a master key
    - Counter mode: X_i = E_Km[i]
    - Output feedback mode: X_i = E_Km[X_{i−1}]
69. - often use deterministic algorithmic techniques to create "random numbers"
      - although they are not truly random
      - they can pass many tests of "randomness"
    - known as "pseudorandom numbers"
    - created by "pseudorandom number generators (PRNGs)"
70. - common iterative technique using:
      - X_{n+1} = (a·X_n + c) mod m
    - given suitable values of the parameters, it can produce a long random-like sequence
    - suitable criteria to have are:
      - the function generates a full period
      - the generated sequence should appear random
      - efficient implementation with 32-bit arithmetic
    - note that an attacker can reconstruct the sequence given a small number of values
    - there are possibilities for making this harder
71. - Also called the Blum, Blum, Shub generator.
    - Choose any two large prime numbers that both have remainder 3 when divided by 4.
    - Let n = p·q. Choose a random s such that s is relatively prime to n.
    - p and q cannot be factors of s.
72. - X_0 = s^2 mod n
    - For i = 1 to infinity:
      - X_i = (X_{i−1})^2 mod n
      - B_i = X_i mod 2
    - BBS is also referred to as a cryptographically secure pseudorandom bit generator (CSPRBG).
73. CAST-128, RC2
74. - Developed by Ron Rivest (RSA Data Security)
    - 64-bit block cipher
    - Variable key size (from one byte up to 128 bytes)
    - Designed to be easy to implement on a 16-bit microprocessor
      - Uses 16-bit words and 16-bit arithmetic (addition, XOR, AND, ~, rotate)
    - Non-Feistel
    - 18 rounds (mixing/mashing)
    - Used in S/MIME
75. - RC2 assumes a 128-byte (64-word) key buffer
      - For byte operations, the key array is L[0], …, L[127]; each L[i] is a byte
      - For word operations, the key array is K[0], …, K[63]; each K[i] is a 16-bit word
      - These are alternative views of the same key buffer
    - Key expansion
      - Assume that exactly T bytes of key are supplied, 1 ≤ T ≤ 128
      - The purpose of the key expansion algorithm is to modify the key buffer so that each bit of the expanded key depends in a complicated way on every bit of the supplied input key
      - Key expansion begins by placing the supplied T-byte key into bytes L[0], …, L[T-1] of the key buffer
      - The L array is then computed making use of an auxiliary array P
      - The P array is a random permutation of the values 0, …, 255, which is constructed based on π = 3.14159… (see next page)
      - The computation is K[i] = L[2*i] + 256*L[2*i+1].
76. Here is the P array in hexadecimal notation:

    ```
         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
    00: d9 78 f9 c4 19 dd b5 ed 28 e9 fd 79 4a a0 d8 9d
    10: c6 7e 37 83 2b 76 53 8e 62 4c 64 88 44 8b fb a2
    20: 17 9a 59 f5 87 b3 4f 13 61 45 6d 8d 09 81 7d 32
    30: bd 8f 40 eb 86 b7 7b 0b f0 95 21 22 5c 6b 4e 82
    40: 54 d6 65 93 ce 60 b2 1c 73 56 c0 14 a7 8c f1 dc
    50: 12 75 ca 1f 3b be e4 d1 42 3d d4 30 a3 3c b6 26
    60: 6f bf 0e da 46 69 07 57 27 f2 1d 9b bc 94 43 03
    70: f8 11 c7 f6 90 ef 3e e7 06 c3 d5 2f c8 66 1e d7
    80: 08 e8 ea de 80 52 ee f7 84 aa 72 ac 35 4d 6a 2a
    90: 96 1a d2 71 5a 15 49 74 4b 9f d0 5e 04 18 a4 ec
    a0: c2 e0 41 6e 0f 51 cb cc 24 91 af 50 a1 f4 70 39
    b0: 99 7c 3a 85 23 b8 b4 7a fc 02 36 5b 25 55 97 31
    c0: 2d 5d fa 98 e3 8a 92 ae 05 df 29 10 67 6c ba c9
    d0: d3 00 e6 cf e1 9e a8 2c 63 16 01 3f 58 e2 89 a9
    e0: 0d 38 34 1b ab 33 ff b0 bb 48 0c 5f b9 b1 cd 2e
    f0: c5 f3 db 47 e5 a5 9c 77 0a a6 20 68 fe 7f c1 ad
    ```

77. - The encryption algorithm takes a 64-bit input stored in R[0], R[1], R[2], R[3], and places the result back in R[0] through R[3].
    - The algorithm consists of 18 rounds of two types: mixing and mashing.
    - Mixing round:

      ```
      R[0] = R[0] + K[j] + (R[3] & R[2]) + (~R[3] & R[1]);
      R[0] = R[0] <<< 1;
      j = j + 1;
      R[1] = R[1] + K[j] + (R[0] & R[3]) + (~R[0] & R[2]);
      R[1] = R[1] <<< 2;
      j = j + 1;
      R[2] = R[2] + K[j] + (R[1] & R[0]) + (~R[1] & R[3]);
      R[2] = R[2] <<< 3;
      j = j + 1;
      R[3] = R[3] + K[j] + (R[2] & R[1]) + (~R[2] & R[0]);
      R[3] = R[3] <<< 5;
      j = j + 1;
      ```

      Here j is a global variable; K[j] is the first subkey word that has not yet been used.
78. - Decryption: the inverse operation of encryption, with the keys used in reverse order.
    - Mashing round: `R[j] = R[j] + K[R[j-1] % 64]`
79. - 64-bit iterated block cipher
    - key: 40 bits up to 128 bits (in increments of 8 bits)
    - 12 up to 16 rounds
    - Feistel network structure
    - designed by C. Adams and S. Tavares (1996)
    - S-box design procedure patented by Entrust Technologies Inc.: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996
80. - CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST-5)
    - CAST-128 uses fixed 8x32-bit S-boxes: for encryption and decryption (S1, S2, S3, S4) and for the key schedule (S5, S6, S7, S8)
    - round operations: +, -, <<<, ⊕
    - three round functions: f1, f2 and f3
    - An official algorithm for use with the Canadian Government: http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html
81. Round functions f1, f2, f3
82. - Three different round functions are used in CAST-128. The rounds are as follows (where "D" is the data input to the f function and "Ia" - "Id" are the most significant byte through least significant byte of I, respectively).
    - Note that "+" and "-" are addition and subtraction modulo 2**32, "^" is bitwise XOR, and "<<<" is the circular left-shift operation.
    - Type 1: `I = ((Kmi + D) <<< Kri)`, `f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]`
    - Type 2: `I = ((Kmi ^ D) <<< Kri)`, `f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]`
    - Type 3: `I = ((Kmi - D) <<< Kri)`, `f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]`
    - Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1.
    - Rounds 2, 5, 8, 11, and 14 use f function Type 2.
    - Rounds 3, 6, 9, 12, and 15 use f function Type 3.
83. Key features found in advanced symmetric block ciphers (not in DES):
    - Variable key length
      - Blowfish, RC5, CAST-128, RC2
    - Mixed operators
      - More than one arithmetic and/or Boolean operator, especially ones that are not associative or distributive
      - These operators provide nonlinearity as an alternative to S-boxes
    - Data-dependent rotation
      - Provides excellent confusion and diffusion
      - RC5
    - Key-dependent rotation
      - CAST-128
84. - Key-dependent S-boxes
      - Blowfish
    - Expensive key schedule computation
      - Blowfish
    - Variable round function (F)
      - CAST-128
    - Variable plaintext/ciphertext block length
      - RC5
    - Variable number of rounds
      - RC5
    - Operation on both data halves each round
      - IDEA, Blowfish, RC5