Ch03 Ch06 Des And Others
Published in: Technology, Education
  • Transcript

    • 1. Cryptography and Network Security.
      • By.-----
      • William Stalling.
      • B.Forouzan
      • Bruce Schneier
      • P. van Oorschot, and S. Vanstone,
    • 2. Chapter 3 & Chapter 6 – Block Ciphers, DES, Others. 3.1 Simplified DES; 3.2 Block Cipher Principles; 3.3 The Data Encryption Standard; 3.4 The Strength of DES; 3.5 Differential and Linear Cryptanalysis; 3.6 Block Cipher Design Principles; 3.7 Block Cipher Modes of Operation; Ch06 Contemporary Symmetric Ciphers
    • 3. 3.0 Modern Block Ciphers
      • will now look at modern block ciphers
      • one of the most widely used types of cryptographic algorithms
      • provide secrecy and/or authentication services
      • in particular will introduce DES (Data Encryption Standard)
    • 4. Block vs Stream Ciphers
      • block ciphers process messages in blocks, each of which is then en/decrypted
      • like a substitution on very big characters
        • 64-bits or more
      • stream ciphers process messages a bit or byte at a time when en/decrypting
      • many current ciphers are block ciphers
      • hence are focus of course
    • 5. Simplified DES (S-DES)
      • An educational algorithm
      • A product cipher
        • two identical sub-ciphers
      • Each sub-cipher
        • Permutation
        • Substitution
    • 6. S-DES
      • Encryption
        • Input: 8-bit plaintext
        • Input: 10-bit key K
        • Output: 8-bit ciphertext
      • Decryption
        • Input: 8-bit ciphertext
        • Input: 10-bit key K
        • Output: 8-bit plaintext
    • 7. Simplified DES (cont.)
      • Key generation
        • P10: a permutation of 10 bits
        • shift: shift (rotate) the input
        • P8: a permutation of 8-bit
      • Encryption/Decryption
        • IP: initial permutation
        • fK: a complex function (substitution + permutation)
        • SW: a simple permutation (swapping the halves)
        • IP^-1: the inverse of IP
    • 8.  
    • 9. Overview of S-DES
      • Subkey generation
        • K1 = P8 ∘ shift ∘ P10 (K)
        • K2 = P8 ∘ shift ∘ shift ∘ P10 (K)
      • Encryption
        • C = IP^-1 ∘ fK2 ∘ SW ∘ fK1 ∘ IP (P)
      • Decryption
        • P = IP^-1 ∘ fK1 ∘ SW ∘ fK2 ∘ IP (C)
    • 10. Sub-key generation
    • 11. Sub-key generation (cont.)
      • P10: 10-bit permutation
        • P10(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) → k3 k5 k2 k7 k4 k10 k1 k9 k8 k6
        • P10 table (output position i takes input bit): 3 5 2 7 4 10 1 9 8 6
        • e.g. K = 10100 00010, P10(K) = P10(10100 00010) = 10000 01100
    • 12. Sub-key generation (cont.)
      • LS-1: rotate left for 1 bit
      e.g. LS-1( 10000 ) = 00001 LS-1 ( 01100 ) = 11000
    • 13. Sub-key generation (cont.)
      • P8: a permutation with 10-bit input and 8-bit output
        • P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) → k6 k3 k7 k4 k8 k5 k10 k9
        • P8 table: 6 3 7 4 8 5 10 9
        • e.g. K1 = P8(00001 11000) = 10100100
    • 14. Sub-key generation (cont.)
      • LS-2: rotate left for 2 bits
      e.g. LS-2( 00001 ) = 00100 LS-2 ( 11000 ) = 00011
    • 15. Sub-key generation (cont.)
      • P8: a permutation with 10-bit input and 8-bit output
        • P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) → k6 k3 k7 k4 k8 k5 k10 k9
        • P8 table: 6 3 7 4 8 5 10 9
        • e.g. K2 = P8(00100 00011) = 01000011
    • 16. S-DES encryption
    • 17. S-DES encryption (cont.)
      • Initial and final permutations: IP, IP^-1
        • IP^-1 ∘ IP (X) = X = IP ∘ IP^-1 (X)
        • IP table: 2 6 3 1 4 8 5 7
        • IP^-1 table: 4 1 3 5 7 2 8 6
    • 18. S-DES encryption (cont.)
    • 19. S-DES encryption (cont.)
      • Function fK
        • Permutation + substitution
        • fK(L, R) = (L ⊕ F(R, SK), R)
          • SK: a subkey Ki (i = 1, 2)
          • L: leftmost 4 bits
          • R: rightmost 4 bits
          • F: a mapping from 4-bit strings to 4-bit strings
          • ⊕: bit-wise XOR
    • 20. S-DES encryption (cont.)
      • Function f K
        • Example:
          • Input is 1011 1101 → L = 1011, R = 1101
          • F(1101, SK) = 1110
          • fK(1011 1101) = (1011 ⊕ 1110) || 1101 = 0101 1101
    • 21. S-DES encryption (cont.)
      • Mapping F(R, SK)
    • 22. S-DES encryption (cont.)
      • Mapping F(R, SK)
        • Expansion/permutation (E/P): 4-bit R → 8 bits
        • XOR with subkey SK → 8 bits
        • 2 S-boxes → 4 bits
        • P4 permutation → 4 bits (output)
    • 23. S-DES encryption (cont.)
      • E/P: 4-bit → 8-bit
        • E/P table: 4 1 2 3 2 3 4 1
        • Example: E/P(1001) = 11000011
    • 24. S-DES encryption (cont.)
      • S-box (substitution box)
        • S0, S1: 4 bits → 2 bits; row selected by b1b4, column by b2b3
        • S0(b1 b2 b3 b4), rows b1b4 = 00, 01, 10, 11; columns b2b3 = 00, 01, 10, 11
          • row 00: 01 00 11 10
          • row 01: 11 10 01 00
          • row 10: 00 10 01 11
          • row 11: 11 01 11 10
    • 25. S-DES encryption (cont.)
        • S1(b1 b2 b3 b4), same layout
          • row 00: 00 01 10 11
          • row 01: 10 00 01 11
          • row 10: 11 00 01 00
          • row 11: 10 01 00 11
        • Example: S0(0 01 0) = 00, S1(0 01 0) = 10
    • 26. S-DES encryption (cont.)
      • P4: 4-bit permutation
        • P4 table: 2 4 3 1
    • 27. S-DES encryption (cont.) Worked F(R, SK) with R = 1001 and SK = 1001 1001: E/P(1001) = 1100 0011; ⊕ SK = 0101 1010; S0(0101) = 01, S1(1010) = 00; P4(0100) = 1000
    • 28. S-DES Encryption (cont.)
      • SW: switch function
        • Interchange the left and right 4 bits
        • b1 b2 b3 b4 b5 b6 b7 b8 → b5 b6 b7 b8 b1 b2 b3 b4
    • 29. S-DES Encryption (cont.)
      • 2nd round: same as the first round except
          • Sub-key K2 is used
          • Final permutation IP^-1 is applied
    • 30. S-DES encryption (cont.)
      • Key: K=1010000010
      • Plaintext: P=11110011
      • Sub-key generation
        • K1 = P8 ∘ LS-1 ∘ P10 (1010000010) = 10100100
        • K2 = P8 ∘ LS-2 ∘ LS-1 ∘ P10 (1010000010) = 01000011
      • Plaintext: 11110011
        • IP(11110011) = 1011 1101 = L || R
        • F(R, K1)
          • E/P(1101) ⊕ K1 = 11101011 ⊕ 10100100 = 0100 1111
          • S0(0100) = 11
          • S1(1111) = 11
          • P4(1111) = 1111
    • 31. S-DES encryption (cont.)
        • fK1(1011 1101) = (L ⊕ F(R, K1), R) = (1011 ⊕ 1111, 1101) = 0100 1101
        • SW(0100 1101) = 1101 0100 = L || R
        • F(R, K2)
          • E/P(0100) ⊕ K2 = 00101000 ⊕ 01000011 = 0110 1011
          • S0(0110) = 10
          • S1(1011) = 01
          • P4(1001) = 0101
        • fK2(1101 0100) = (L ⊕ F(R, K2), R) = (1101 ⊕ 0101, 0100) = 1000 0100
        • IP^-1(10000100) = 01000001
      • Ciphertext C = 01000001
    • 32. S-DES decryption
    • 33. S-DES decryption (cont.)
      • C = IP^-1 ∘ fK2 ∘ SW ∘ fK1 ∘ IP (P)
      • IP^-1 ∘ fK1 ∘ SW ∘ fK2 ∘ IP (C)
        = IP^-1 ∘ fK1 ∘ SW ∘ fK2 ∘ IP ∘ IP^-1 ∘ fK2 ∘ SW ∘ fK1 ∘ IP (P)
        = IP^-1 ∘ fK1 ∘ SW ∘ fK2 ∘ fK2 ∘ SW ∘ fK1 ∘ IP (P)
        = IP^-1 ∘ fK1 ∘ SW ∘ SW ∘ fK1 ∘ IP (P)
        = IP^-1 ∘ fK1 ∘ fK1 ∘ IP (P)
        = IP^-1 ∘ IP (P)
        = P
    • 34. S-DES decryption (cont.)
      • Only the sub-keys are fed in reverse order
      • SW ∘ SW = I (identity)
      • IP^-1 ∘ IP = IP ∘ IP^-1 = I (identity)
      • fK1 ∘ fK1 (X, Y) = fK1(X ⊕ F(Y, K1), Y) = (X ⊕ F(Y, K1) ⊕ F(Y, K1), Y) = (X, Y)
      • fK2 ∘ fK2 (X, Y) = fK2(X ⊕ F(Y, K2), Y) = (X ⊕ F(Y, K2) ⊕ F(Y, K2), Y) = (X, Y)
    • 35. S-DES decryption (cont.)
      • Generate sub-keys in reverse order
    • 36. S-DES decryption (cont.)
      • Generate sub-keys in reverse order
      • P10(K)=k1 k2 … k10
      • Encryption
        • LS-1(k1 k2 k3 k4 k5) = k2 k3 k4 k5 k1
        • LS-2 (k2 k3 k4 k5 k1) = k4 k5 k1 k2 k3
      • Decryption
        • RS-2 (k1 k2 k3 k4 k5) = k4 k5 k1 k2 k3
        • RS-2 (k4 k5 k1 k2 k3) = k2 k3 k4 k5 k1
    • 37. S-DES decryption (cont.)
      • Generate sub-keys in reverse order
      (Figure: sub-key generation in reverse, RS-2 applied to each half, producing K2 first and then K1)
    • 38. S-DES decryption (Figure: one encryption/decryption circuit with an e/d flag; input P or C; sub-keys applied as K1 then K2 for encryption, K2 then K1 for decryption; output C or P)
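The whole S-DES procedure of slides 9 to 38 (P10/P8 key schedule with LS-1 and LS-2, IP and IP^-1, the function fK built from E/P, S0, S1 and P4, the switch SW, and decryption as the same circuit with the sub-keys reversed), as an added Python example; this is not code from the original slides. The permutation tables and S-boxes are transcribed from the slides above; representing bits as strings of '0'/'1' is an implementation choice of this example.

```python
# S-DES, following the slides: 1-based permutation tables, bits as '0'/'1' strings.
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits, table):
    """Apply a 1-based permutation/expansion table to a bit string."""
    return "".join(bits[i - 1] for i in table)


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def rotl(bits, n):
    """LS-n: rotate a bit string left by n positions."""
    return bits[n:] + bits[:n]


def subkeys(key):
    """K1 = P8(LS-1(P10(K))), K2 = P8(LS-2(LS-1(P10(K)))); each 5-bit half rotates on its own."""
    assert len(key) == 10
    p = permute(key, P10)
    l, r = rotl(p[:5], 1), rotl(p[5:], 1)
    k1 = permute(l + r, P8)
    l, r = rotl(l, 2), rotl(r, 2)
    k2 = permute(l + r, P8)
    return k1, k2


def sbox(box, bits):
    """Row = b1b4, column = b2b3, result as a 2-bit string."""
    row = int(bits[0] + bits[3], 2)
    col = int(bits[1] + bits[2], 2)
    return format(box[row][col], "02b")


def F(r, sk):
    """F(R, SK): E/P, XOR with the sub-key, S0 on the left half, S1 on the right, then P4."""
    t = xor(permute(r, EP), sk)
    return permute(sbox(S0, t[:4]) + sbox(S1, t[4:]), P4)


def fk(bits, sk):
    """fK(L, R) = (L xor F(R, SK), R)."""
    l, r = bits[:4], bits[4:]
    return xor(l, F(r, sk)) + r


def switch(bits):
    """SW: interchange the left and right 4 bits."""
    return bits[4:] + bits[:4]


def sdes_encrypt(plain, key):
    """C = IP^-1 . fK2 . SW . fK1 . IP (P)."""
    k1, k2 = subkeys(key)
    return permute(fk(switch(fk(permute(plain, IP), k1)), k2), IP_INV)


def sdes_decrypt(cipher, key):
    """Same circuit; only the sub-key order is reversed."""
    k1, k2 = subkeys(key)
    return permute(fk(switch(fk(permute(cipher, IP), k2)), k1), IP_INV)


if __name__ == "__main__":
    key, plain = "1010000010", "11110011"          # the worked example from slide 30
    print("K1, K2 =", subkeys(key))
    c = sdes_encrypt(plain, key)
    print("C =", c, " decrypts to", sdes_decrypt(c, key))
```

Running the block reproduces the values on slides 30 and 31 (K1 = 10100100, K2 = 01000011, C = 01000001); the decryption function differs from encryption only in which sub-key is passed to which round, which is exactly the point of slides 33 and 34.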
    • 39. 3.2& 3.6 Block Cipher Principles
      • most symmetric block ciphers are based on a Feistel Cipher Structure
      • needed since must be able to decrypt ciphertext to recover messages efficiently
      • block ciphers look like an extremely large substitution
      • would need a table of 2^64 entries for a 64-bit block
      • instead create from smaller building blocks
      • using idea of a product cipher
    • 40. Claude Shannon and Substitution-Permutation Ciphers
      • in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
        • modern substitution-transposition product cipher
      • these form the basis of modern block ciphers
      • S-P networks are based on the two primitive cryptographic operations we have seen before:
        • substitution (S-box)
        • permutation (P-box)
      • provide confusion and diffusion of message
    • 41. 5.1.4 Product Ciphers: Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining substitution, permutation, and other components discussed in previous sections.
    • 42. 5.1.4 Continued, Diffusion: The idea of diffusion is to hide the relationship between the ciphertext and the plaintext. Note: diffusion hides the relationship between the ciphertext and the plaintext.
    • 43. 5.1.4 Continued, Confusion: The idea of confusion is to hide the relationship between the ciphertext and the key. Note: confusion hides the relationship between the ciphertext and the key.
    • 44. 5.1.4 Continued, Rounds: Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components.
    • 45.  
    • 46. Confusion and Diffusion
      • Shannon suggests to thwart “statistical analysis”
      • Confusion
        • Blur the relation between the ciphertext and the encryption key
        • Substitution
      • Diffusion
        • Each ciphertext symbol is affected by many plaintext symbols
        • Repeated permutations
    • 47. Feistel Cipher Structure
      • Horst Feistel devised the Feistel cipher
        • based on concept of invertible product cipher
      • partitions input block into two halves
        • process through multiple rounds which
        • perform a substitution on left data half
        • based on round function of right half & subkey
        • then have permutation swapping halves
      • implements Shannon’s substitution-permutation network concept
    • 48. Feistel Cipher Structure
    • 49. Feistel Cipher Design Principles
      • block size
        • increasing size improves security, but slows cipher
      • key size
        • increasing size improves security, makes exhaustive key searching harder, but may slow cipher
      • number of rounds
        • increasing number improves security, but slows cipher
      • subkey generation
        • greater complexity can make analysis harder, but slows cipher
      • round function
        • greater complexity can make analysis harder, but slows cipher
      • fast software en/decryption & ease of analysis
        • are more recent concerns for practical use and testing
    • 50. Feistel Cipher Decryption
    • 51. Average time required for exhaustive key search
      • Key size (bits) | Number of alternative keys | Time required at 10^6 decryptions/µs
      • 32 | 2^32 = 4.3 × 10^9 | 2.15 milliseconds
      • 56 | 2^56 = 7.2 × 10^16 | 10 hours
      • 128 | 2^128 = 3.4 × 10^38 | 5.4 × 10^18 years
      • 168 | 2^168 = 3.7 × 10^50 | 5.9 × 10^30 years
    • 52. 3.3 Data Encryption Standard (DES)
      • most widely used block cipher in world
      • adopted in 1977 by NBS (now NIST)
        • as FIPS PUB 46
      • encrypts 64-bit data using 56-bit key
      • has widespread use
      • has been considerable controversy over its security
    • 53. DES History
      • IBM developed Lucifer cipher
        • by team led by Feistel
        • used 64-bit data blocks with 128-bit key
      • then redeveloped as a commercial cipher with input from NSA and others
      • in 1973 NBS issued request for proposals for a national cipher standard
      • IBM submitted their revised Lucifer which was eventually accepted as the DES
    • 54. Security analysis of DES
      • Why 56 bits?
        • Lucifer’s key is 128-bit long
        • Rumor: it was deliberately reduced so that NSA can break it
        • Facts
          • 1997: distributed exhaustive key search all over the world takes 3 months.
          • 1998: specialized key search chips take 56 hours
          • 1999: the search device is improved and achieves the record of 22 hours
    • 55.  
    • 56. A single round
    • 57. 6.2.3 Continued Figure 6.10 Key generation
    • 58.  
    • 59.  
    • 60.  
    • 61.  
    • 62. Avalanche effect
      • A small change in either the plaintext or the key should produce a significant change in the ciphertext
      • In particular, a one-bit change in either the plaintext or the key → half of the ciphertext bits change
    • 63. Avalanche effect (cont.)
      • For example
        • P1 = 0000 0000 … 0000
        • P2 = 1000 0000 … 0000
        • K = 0000001 1001011 0100100 1100010 0011100 0011000 0011100 0110010
        • Then 34 bits differ in C = R16 L16
          • Avalanche effect
    • 64. Fast avalanche effect
      • The avalanche effect within the first few rounds; for example, the first 3 rounds.
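The Feistel structure of slides 47 to 50 and the avalanche measurement of slides 62 to 64, as an added Python example that is not part of the original slides: a 64-bit Feistel network whose round function is deliberately not invertible, decryption as the same network with the sub-keys reversed, and a count of how many ciphertext bits change when one plaintext or key bit is flipped. The round function, the key schedule and the sample block and key are assumptions constructed for this example; they are not DES.

```python
# Generic Feistel network over 64-bit blocks (two 32-bit halves). Not a real cipher.
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_function(r, k):
    """F(R, K): a 32-bit non-linear mixer (murmur-style finalizer, an assumption).
    It need not be invertible; the Feistel structure supplies invertibility."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    x ^= x >> 15
    x = (x * 0x85EBCA6B) & MASK32
    x ^= x >> 13
    return x


def key_schedule(key64, rounds):
    """Toy schedule (assumption): round i uses the key rotated by 5*i bits, low 32 bits, xor i."""
    keys = []
    for i in range(rounds):
        s = (5 * i) % 64
        rotated = ((key64 << s) | (key64 >> (64 - s))) & MASK64
        keys.append((rotated & MASK32) ^ i)
    return keys


def feistel(block64, subkeys):
    """L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i). The halves are swapped back after
    the last round, which is what makes the same network with reversed keys the inverse."""
    l, r = block64 >> 32, block64 & MASK32
    for k in subkeys:
        l, r = r, l ^ round_function(r, k)
    return (r << 32) | l


def encrypt(block64, key64, rounds=16):
    return feistel(block64, key_schedule(key64, rounds))


def decrypt(block64, key64, rounds=16):
    return feistel(block64, key_schedule(key64, rounds)[::-1])   # only the key order changes


def hamming(a, b):
    return bin(a ^ b).count("1")


def avalanche(block64, key64, rounds, bit):
    """Number of ciphertext bits changed by flipping one plaintext bit."""
    return hamming(encrypt(block64, key64, rounds), encrypt(block64 ^ (1 << bit), key64, rounds))


def key_avalanche(block64, key64, rounds, bit):
    """Number of ciphertext bits changed by flipping one key bit."""
    return hamming(encrypt(block64, key64, rounds), encrypt(block64, key64 ^ (1 << bit), rounds))


if __name__ == "__main__":
    p, k = 0x0123456789ABCDEF, 0x133457799BBCDFF1     # constructed sample block and key
    for n in (1, 2, 3, 4, 8, 16):
        print(f"{n:2d} rounds: flipping plaintext bit 40 changes {avalanche(p, k, n, 40):2d} bits")
```

With one round a flip in the left half changes exactly one output bit (the left half is only XORed, never passed through F), which is the "fast avalanche" observation of slide 64 in the negative: diffusion needs several rounds, and the loop in the block prints how quickly the count approaches half the block.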
    • 65. 3.7 Modes of Operation
      • block ciphers encrypt fixed size blocks
      • eg. DES encrypts 64-bit blocks, with 56-bit key
      • need a way to use them in practice, given that there is usually an arbitrary amount of information to encrypt
      • four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
      • subsequently now have 5 for DES and AES
      • have block and stream modes
        • Recall ch03-3
        • stream ciphers process messages a bit or byte at a time when en/decrypting
    • 66. Modes of operations (Overview)
      • Advantages and disadvantages: goals
        • Same plaintext blocks => Same Cipher blocks
        • Padding
        • Stream cipher => Error propagation
        • Parallel encryption/decryption
      • Padding message (64bits block)
        • Electronic codebook mode (ECB)
        • Cipher block chaining mode (CBC)
      • Convert DES to Stream cipher (1 bit or 8 bits)
        • Cipher feedback mode (CFB)
        • Output feedback mode (OFB)
      • Parallel encryptions
        • Counter (CTR)
    • 67.  
    • 68. ECB mode
      • Simplest mode
      • Each block of 64-bit plaintext is handled independently
      • It is like a codebook (huge) lookup
      • The same 64-bit block has the same cipher text
      • Same key is used in all block encryption.
      • Application: secure transmission of a key
    • 69. ECB mode (cont.)
      • Encryption
        • Key: K
        • Plaintext: P = P1 P2 … PN-1 PN
        • Padded plaintext: P' = P1 P2 … PN-1 PN'
          • P1, P2, …, PN-1 are 64-bit blocks
          • PN' is the last (padded) 64-bit block
          • Padding pattern: 10…0
        • Ciphertext C = C1 C2 … CN
          • Ci = EK(Pi), 1 ≤ i ≤ N
    • 70. ECB mode (cont.)
    • 71. ECB mode (cont.)
      • Decryption
        • Key: K
        • Ciphertext: C = C1 C2 … CN
        • Padded plaintext: P' = P1 P2 … PN-1 PN'
        • Plaintext: P1 P2 … PN-1 PN
    • 72. ECB mode (cont.)
    • 73. Advantages and Limitations of ECB
      • repetitions in message may show in ciphertext
        • if aligned with message block
        • particularly with data such graphics
        • or with messages that change very little, which become a code-book analysis problem
      • weakness due to encrypted message blocks being independent
      • main use is sending a few blocks of data
    • 74. Cipher Block Chaining (CBC)
      • message is broken into blocks
      • but these are linked together in the encryption operation
      • each previous cipher block is chained with the current plaintext block, hence the name
      • use Initial Vector (IV) to start process
        • Ci = DESK1(Pi XOR Ci-1)
        • C-1 = IV
      • uses: bulk data encryption, authentication
    • 75. CBC mode (Cont….)
      • Goal : the same plaintext block is encrypted into different ciphertext block
      • Initial vector (IV)
        • 64 bits long
        • Fixed, or negotiated between sender and receiver
      • Padded plaintext: P' = P1 P2 … PN
      • Ciphertext: C = C1 C2 … CN
        • C1 = EK(IV ⊕ P1)
        • Ci = EK(Ci-1 ⊕ Pi), 2 ≤ i ≤ N
    • 76. CBC mode (cont.)
    • 77. CBC mode (cont.)
      • Decryption
        • Key: K
        • Ciphertext: C = C1 C2 … CN
        • Padded plaintext: P = P1 P2 … PN
          • P1 = DK(C1) ⊕ IV
          • Pi = DK(Ci) ⊕ Ci-1 = Ci-1 ⊕ Pi ⊕ Ci-1
    • 78. CBC mode (cont.)
    • 79. Advantages and Limitations of CBC
      • each ciphertext block depends on all message blocks
      • thus a change in the message affects all ciphertext blocks after the change as well as the original block
      • need Initial Value (IV) known to sender & receiver
        • however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
        • hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
      • at end of message, handle possible last short block
        • by padding either with known non-data value (eg nulls)
        • or pad last block with count of pad size
          • eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count
    • 80. CFB mode (Cipher feedback)
      • Stream cipher mode
      • One-time pad
      • Block size: J bits, 1 ≤ J ≤ 64
      • Need no padding in most cases
        • For example, between keyboard and computer, we set J = 8
    • 81. CFB mode (cont.)
      • Encryption: J-bit CFB
        • Plaintext: P = P1 P2 … PN, the Pi are J-bit blocks
        • SJ(X): the leftmost J bits of X
        • T64-J(Y): the rightmost 64-J bits of Y
        • Algorithm
          • R = IV
          • For i = 1 to N
            • Ci = Pi ⊕ SJ(EK(R))
            • R = T64-J(R) || Ci
    • 82. CFB mode (cont.)
      • Decryption: J-bit CFB
        • Ciphertext: C = C1 C2 … CN, the Ci are J-bit blocks
        • SJ(X): the leftmost J bits of X
        • T64-J(Y): the rightmost 64-J bits of Y
        • Algorithm
          • R = IV
          • For i = 1 to N
            • Pi = Ci ⊕ SJ(EK(R))
            • R = T64-J(R) || Ci
    • 83.  
    • 84. Advantages and Limitations of CFB
      • appropriate when data arrives in bits/bytes
      • most common stream mode
      • limitation is need to stall while do block encryption after every n-bits
      • note that the block cipher is used in encryption mode at both ends
      • errors propagate for several blocks after the error
    • 85. OFB mode (Output feedback)
      • Similar to CFB, but output (not ciphertext) is fed back
      • uses: stream encryption over noisy channels
      • Advantage
        • Bit errors in Ci won't propagate to decryption errors of Cj, j > i
      • Disadvantage
        • Complementing bits of Ci results in complementing the same bits of Pi
          • Not suitable for error correction (see the next decryption figure: modify one bit of C1)
    • 86.  
    • 87. Counter (CTR)
      • a “new” mode, though proposed early on
      • similar to OFB but encrypts counter value rather than any feedback value
      • must have a different key & counter value for every plaintext block (never reused)
        • Ci = Pi XOR Oi
        • Oi = DESK1(i)
      • uses: high-speed network encryptions
    • 88. Counter (CTR)
    • 89. Advantages and Limitations of CTR
      • efficiency
        • can do parallel encryptions
        • in advance of need
        • good for bursty high speed links
      • random access to encrypted data blocks
      • provable security (good as other modes) ?
      • but must ensure never reuse key/counter values, otherwise could break (cf OFB)
    • 90. Modes of operations ( Summary )
      • Advantages and disadvantages: goals
        • Same plaintext blocks => Same Cipher blocks
        • Padding problem
        • Stream cipher => Error propagation
        • Parallel encryption/decryption
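The five modes of slides 65 to 90 (ECB, CBC, 8-bit CFB, OFB, CTR) run side by side, as an added Python example that is not part of the original slides. The block cipher underneath is a placeholder 64-bit keyed bijection constructed for this example (XOR, multiply by an odd constant, rotate); it is not DES and is not secure, it only lets the mode logic execute. The key, IV, nonce and plaintext are constructed sample values. The helpers at the end show the goals listed in the summary: repeated plaintext blocks are visible in ECB and hidden in CBC; a single flipped ciphertext bit corrupts one byte plus the next eight in 8-bit CFB, exactly one bit in OFB, and one block plus one bit in CBC; CTR blocks can be decrypted in isolation; and reusing a key/counter pair leaks P1 ⊕ P2, the same stream-key reuse problem slide 109 warns about.

```python
# Modes of operation over a placeholder block cipher. Inputs to ECB/CBC must be a
# multiple of 8 bytes (the slides' 10...0 padding is not implemented here).
MASK64 = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15                      # odd, so x * MUL mod 2^64 is invertible
MUL_INV = pow(MUL, -1, 1 << 64)


def toy_block_encrypt(key, block):
    """Placeholder 64-bit keyed bijection (XOR, multiply, rotate). Not a real cipher."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    x = (x * MUL) & MASK64
    return (((x << 23) | (x >> 41)) & MASK64).to_bytes(8, "big")


def toy_block_decrypt(key, block):
    x = int.from_bytes(block, "big")
    x = ((x >> 23) | (x << 41)) & MASK64
    x = (x * MUL_INV) & MASK64
    return (x ^ int.from_bytes(key, "big")).to_bytes(8, "big")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + 8] for i in range(0, len(data), 8)]


def ecb_encrypt(key, p):            # C_i = E_K(P_i): identical blocks give identical ciphertext
    return b"".join(toy_block_encrypt(key, b) for b in blocks(p))


def ecb_decrypt(key, c):
    return b"".join(toy_block_decrypt(key, b) for b in blocks(c))


def cbc_encrypt(key, iv, p):        # C_i = E_K(P_i xor C_{i-1}), with the IV as C_0
    out, prev = [], iv
    for b in blocks(p):
        prev = toy_block_encrypt(key, xor_bytes(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, c):        # P_i = D_K(C_i) xor C_{i-1}
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor_bytes(toy_block_decrypt(key, b), prev))
        prev = b
    return b"".join(out)


def cfb8_crypt(key, iv, data, decrypt=False):
    """8-bit CFB: keystream byte = leftmost byte of E_K(R); the ciphertext byte is then
    shifted into R. Only the encryption direction of the block cipher is used, both ways."""
    out, reg = bytearray(), iv
    for byte in data:
        o = byte ^ toy_block_encrypt(key, reg)[0]
        out.append(o)
        reg = reg[1:] + bytes([byte if decrypt else o])
    return bytes(out)


def ofb_crypt(key, iv, data):
    """64-bit OFB: the cipher output, not the ciphertext, is fed back."""
    out, o = bytearray(), iv
    for i, byte in enumerate(data):
        if i % 8 == 0:
            o = toy_block_encrypt(key, o)
        out.append(byte ^ o[i % 8])
    return bytes(out)


def ctr_crypt(key, nonce, data, first_block=0):
    """CTR: O_i = E_K(nonce || i); each block's keystream is independent of the others."""
    out = bytearray()
    for i, b in enumerate(blocks(data), start=first_block):
        out += xor_bytes(b, toy_block_encrypt(key, nonce + i.to_bytes(4, "big")))
    return bytes(out)


# Constructed sample inputs (not from the slides).
KEY = bytes.fromhex("0123456789abcdef")
IV = bytes.fromhex("fedcba9876543210")
NONCE = bytes.fromhex("00000001")
PLAIN = b"ATTACK AT DAWN!!" * 2          # blocks 0 and 2 (and 1 and 3) are identical


def ecb_vs_cbc_repeats():
    """(ECB repeats visible?, CBC repeats visible?) for the repeating plaintext."""
    e, c = blocks(ecb_encrypt(KEY, PLAIN)), blocks(cbc_encrypt(KEY, IV, PLAIN))
    return e[0] == e[2], c[0] == c[2]


def error_positions(mode, flip_index):
    """Flip one ciphertext bit at byte flip_index, decrypt, list the wrong plaintext bytes."""
    enc, dec = {
        "cbc": (lambda p: cbc_encrypt(KEY, IV, p), lambda c: cbc_decrypt(KEY, IV, c)),
        "cfb": (lambda p: cfb8_crypt(KEY, IV, p), lambda c: cfb8_crypt(KEY, IV, c, True)),
        "ofb": (lambda p: ofb_crypt(KEY, IV, p), lambda c: ofb_crypt(KEY, IV, c)),
    }[mode]
    bad = bytearray(enc(PLAIN))
    bad[flip_index] ^= 0x01
    p = dec(bytes(bad))
    return [i for i in range(len(PLAIN)) if p[i] != PLAIN[i]]


def ctr_random_access(block_no):
    """Decrypt one CTR block without touching the others."""
    c = blocks(ctr_crypt(KEY, NONCE, PLAIN))[block_no]
    return ctr_crypt(KEY, NONCE, c, first_block=block_no)


def ctr_reuse_leaks(p1, p2):
    """Same key and counter used twice: C1 xor C2 == P1 xor P2."""
    return xor_bytes(ctr_crypt(KEY, NONCE, p1), ctr_crypt(KEY, NONCE, p2)) == xor_bytes(p1, p2)
```

`error_positions("cfb", 5)` returns byte 5 and some of bytes 6 to 13 (the corrupted byte sits in the 8-byte shift register for eight more steps), `error_positions("ofb", 5)` returns only `[5]`, and `error_positions("cbc", 5)` returns bytes from block 0 plus byte 13 (the same bit position in the next block), which is the propagation behaviour slides 79, 84 and 85 describe.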
    • 91. Ch06 - Double DES
      • Key size K = (K1, K2): 112 bits
      • C = EK2(EK1(P))
    • 92. 6.4.1 Double DES, Meet-in-the-Middle Attack: The first approach is to use double DES (2DES). However, a known-plaintext attack called the meet-in-the-middle attack proves that double DES improves on this vulnerability only slightly (to 2^57 tests), not tremendously (to 2^112).
    • 93. Double DES (cont.)
      • Meet-in-the-middle attack
        • Given a pair (P, C)
        • Let Ki be the i-th key of the key space, 0 ≤ i ≤ 2^56 − 1
        • Compute Mi = EKi(P), 0 ≤ i ≤ 2^56 − 1
        • Compute Nj = DKj(C), 0 ≤ j ≤ 2^56 − 1
        • Check whether Mi = Nj
          • If so, K = (Ki, Kj) is very likely to be the secret key
        • Time: 2^56 + 2^56 = 2^57
        • The memory size for the Mi's: 2^56 × 64 bits
          • we need not store the Nj's
    • 94. 6.4.1 Continued Figure 6.14 Meet-in-the-middle attack for double DES
    • 95. 6.4.1 Continued Figure 6.15 Tables for meet-in-the-middle attack
    • 96. 6.4.2 Triple DES Figure 6.16 Triple DES with two keys
    • 97. Triple DES
      • Plaintext, ciphertext: 64 bits
      • Key K = (K1, K2): 112 bits
      • Encryption: C = EK1(DK2(EK1(P)))
      • Decryption: P = DK1(EK2(DK1(C)))
      • Advantages
        • Key size is larger
        • Compatible with regular one-key DES
          • Set K1 = K2 = K (56-bit)
          • C = EK(DK(EK(P))) = EK(P)
          • P = DK(EK(DK(C))) = DK(C)
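The meet-in-the-middle argument of slides 92 to 95 and the two-key EDE construction of slide 97, as an added Python example that is not part of the original slides. To make the full tabulation runnable in a second, the cipher is a placeholder with a 16-bit block and a 12-bit key constructed for this example (XOR, multiply by an odd constant, rotate, three times); it is not DES. With key space 2^12 the attack costs about 2^13 cipher operations instead of the 2^24 of a naive double-key search, which is the 2^57 versus 2^112 comparison of the slides scaled down; a second known pair filters the false matches. The EDE function shows that setting K1 = K2 collapses triple encryption to single encryption.

```python
# Meet-in-the-middle on double encryption with a placeholder 16-bit/12-bit cipher.
BLOCK_MASK = 0xFFFF
KEY_BITS = 12
MULT = 0x6A7B                         # odd, so multiplication mod 2^16 is invertible
MULT_INV = pow(MULT, -1, 1 << 16)


def toy_encrypt(key, x):
    """Placeholder keyed bijection on 16-bit blocks. Not a real cipher."""
    for r in range(3):
        x ^= (key * 0x11 + r) & BLOCK_MASK
        x = (x * MULT) & BLOCK_MASK
        x = ((x << 5) | (x >> 11)) & BLOCK_MASK
    return x


def toy_decrypt(key, x):
    for r in reversed(range(3)):
        x = ((x >> 5) | (x << 11)) & BLOCK_MASK
        x = (x * MULT_INV) & BLOCK_MASK
        x ^= (key * 0x11 + r) & BLOCK_MASK
    return x


def double_encrypt(k1, k2, p):
    """C = E_K2(E_K1(P)), the double-encryption construction of slide 91."""
    return toy_encrypt(k2, toy_encrypt(k1, p))


def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) from known (P, C) pairs: tabulate M = E_k1(P1) for
    every k1, then for every k2 look up N = D_k2(C1) in the table (slide 93).
    Further pairs are used only to discard chance matches."""
    (p1, c1), *rest = pairs
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p1), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(toy_decrypt(k2, c1), []):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found


def triple_ede(k1, k2, p):
    """Two-key triple: C = E_K1(D_K2(E_K1(P))); with K1 == K2 this equals E_K1(P)."""
    return toy_encrypt(k1, toy_decrypt(k2, toy_encrypt(k1, p)))


# Constructed secret key pair and known plaintext/ciphertext pairs (sample values).
SECRET = (0x3A5, 0xC17)
KNOWN_PAIRS = [(p, double_encrypt(SECRET[0], SECRET[1], p)) for p in (0x1234, 0xBEEF, 0x0042)]


def recovered_keys():
    return meet_in_the_middle(KNOWN_PAIRS)


if __name__ == "__main__":
    print("candidate key pairs:", [tuple(map(hex, k)) for k in recovered_keys()])
```

The table holds 2^KEY_BITS entries of one block each, the counterpart of the 2^56 × 64-bit memory on slide 93; nothing from the second pass is stored.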
    • 98.  
    • 99. 6.4.2 Continued: Triple DES with Three Keys. The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys. Triple DES with three keys is used by many applications such as PGP (see Chapter 16).
    • 100. IDEA… (International Data Encryption Algorithm)
      • Plain text = 64 bit.
      • Key =128 bit.
      • Sub key = 52. (16 bit each)
      • Cipher text = 64.
      • Number of identical rounds =8.(6 key in each round)
      • And one output transformation round(4 key)
    • 101. Design Issues
      • The design philosophy behind the algorithm is one of “ mixing operation from different algebraic groups”.
      • 1) XOR
      • 2) Addition modulo 2^16
      • 3) Multiplication modulo 2^16 + 1
    • 102.  
    • 103. Encryption Key Generation.
    • 104. Encryption Algorithm.
    • 105. Sequence of operation
      • 1)Multiply x1 and first sub key(sk)
      • 2)Add x2 and second sk
      • 3)Add x3 and third sk
      • 4)Multiply x4 and fourth sk
      • 5) Step 1 ⊕ step 3
      • 6) Step 2 ⊕ step 4
      • 7)Multiply step 5 with fifth sk.
      • 8)Add result of step 6 and step 7
      • 9) Multiply result of step 8 with sixth sk.
      • 10)Add result of step 7 and step 9.
    • 106. Continue..
      • 11) XOR result of steps 1 and step 9.
      • 12) XOR result of steps 3 and step 9.
      • 13) XOR result of steps 2 and step 10.
      • 14) XOR result of steps 2 and step 10.
    • 107. Operation in output transformation
      • 1)Multiply x1 with first sk.
      • 2)Add x2 and second sk.
      • 3)Add x3 and third sk.
      • 4)Multiply x4 and fourth sk.
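The three algebraic-group operations of slide 101 and the round sequence of slides 105 and 106, as an added Python example that is not part of the original slides. Multiplication modulo 2^16 + 1 needs the convention that the 16-bit word 0 stands for 2^16, and because 2^16 + 1 is prime every word then has a multiplicative inverse; the inverse-round function shows why the same structure decrypts with inverse sub-keys, since the two MA-box inputs can be recovered from the round output as y1 ⊕ y2 and y3 ⊕ y4. The six sub-keys and the input words are constructed sample values (no IDEA key schedule is implemented), and step 14 is wired as X4 ⊕ step 10 following the IDEA specification.

```python
# IDEA group operations on 16-bit words and one full round with its inverse.
MOD_ADD = 1 << 16
MOD_MUL = (1 << 16) + 1


def mul(a, b):
    """Multiplication modulo 2^16 + 1; the word 0 represents 2^16."""
    a = a or MOD_ADD
    b = b or MOD_ADD
    r = (a * b) % MOD_MUL
    return 0 if r == MOD_ADD else r


def mul_inv(a):
    """Multiplicative inverse modulo the prime 2^16 + 1, with the same 0 <-> 2^16 convention."""
    r = pow(a or MOD_ADD, -1, MOD_MUL)
    return 0 if r == MOD_ADD else r


def add(a, b):
    """Addition modulo 2^16."""
    return (a + b) % MOD_ADD


def add_inv(a):
    return (-a) % MOD_ADD


def idea_round(x, k):
    """One round: x = (x1, x2, x3, x4), k = (k1, ..., k6), all 16-bit words."""
    x1, x2, x3, x4 = x
    s1 = mul(x1, k[0])              # step 1
    s2 = add(x2, k[1])              # step 2
    s3 = add(x3, k[2])              # step 3
    s4 = mul(x4, k[3])              # step 4
    s5 = s1 ^ s3                    # step 5
    s6 = s2 ^ s4                    # step 6
    s7 = mul(s5, k[4])              # step 7
    s8 = add(s6, s7)                # step 8
    s9 = mul(s8, k[5])              # step 9
    s10 = add(s7, s9)               # step 10
    # steps 11-14; the middle two results are swapped on output, as in IDEA
    return (s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10)


def idea_round_inverse(y, k):
    """Undo one round with the same sub-keys: y1 xor y2 = s5 and y3 xor y4 = s6 give the
    MA-box inputs back, so s9 and s10 can be recomputed; then the key operations are
    undone with the additive and multiplicative inverses."""
    y1, y2, y3, y4 = y
    s7 = mul(y1 ^ y2, k[4])
    s9 = mul(add(y3 ^ y4, s7), k[5])
    s10 = add(s7, s9)
    s1, s3, s2, s4 = y1 ^ s9, y2 ^ s9, y3 ^ s10, y4 ^ s10
    return (mul(s1, mul_inv(k[0])), add(s2, add_inv(k[1])),
            add(s3, add_inv(k[2])), mul(s4, mul_inv(k[3])))


if __name__ == "__main__":
    x = (0x1234, 0x5678, 0x9ABC, 0xDEF0)                      # constructed input words
    k = (0x0101, 0x0202, 0x0303, 0x0404, 0x0505, 0x0606)      # constructed sub-keys
    y = idea_round(x, k)
    print("round output:", [hex(w) for w in y], " inverted:", [hex(w) for w in idea_round_inverse(y, k)])
```

`mul(0, 0)` returns 1 because both operands stand for 2^16 ≡ −1 (mod 2^16 + 1); forgetting this convention is the classic implementation error for this operation.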
    • 108. Next generation
      • NIST began the process of selecting the next-generation secret-key encryption algorithm in 1998.
      • Advanced encryption standard (AES)
        • Rijndael ( Chapter 5 )
      • Plaintext, ciphertext: at least 128 bits .
      • Key size: flexible, at least 128 bits .
      • You can check its web.
        • Http://www.nist.gov/aes
    • 109. Stream Ciphers
      • process the message bit by bit (or byte by byte) (as a stream)
      • typically have a (pseudo) random stream key
      • combined ( XOR ) with plaintext bit by bit
      • randomness of the stream key completely destroys any statistical properties in the message
        • C i = M i XOR StreamKey i
      • what could be simpler!!!!
      • but must never reuse stream key
        • otherwise can remove effect and recover messages
    • 110. Stream Cipher Properties
      • some design considerations are:
        • long period with no repetitions
        • statistically random
        • depends on large enough key
        • large linear complexity
        • correlation immunity
        • confusion
        • diffusion
        • use of highly non-linear boolean functions
    • 111. Stream Cipher : RC4
      • a proprietary cipher owned by RSA DSI
      • another Ron Rivest design, simple but effective
      • variable key size, byte-oriented stream cipher
      • widely used (web SSL/TLS, WLAN WEP-not secure)
      • key forms random permutation of all 8-bit values
      • uses that permutation to scramble input info processed a byte at a time
    • 112. WLAN WEP (WLAN security requirement and some attacks.ppt)
      • WLAN environment attribute definitions
      • protocol standards: IEEE 802.11a, 802.11b, 802.11g (WEP), 802.11i (TKIP short-term solution)
    • 113. WLAN WEP (WLAN security requirement and some attacks.ppt)
      • Problems with WEP
        • 24-bit IVs are too short
        • The CRC checksum is used by WEP for integrity protection
        • WEP combines the IV with the key in a way that enables cryptanalytic attacks
        • Integrity protection for source and destination addresses is not provided
    • 114. WLAN WEP (WLAN security requirement and some attacks.ppt)
      • TKIP : IEEE 802.11i short-term solution
        • A message integrity code (MIC), called Michael, to defeat forgeries
        • A packet sequencing discipline, to defeat replay attacks
        • A per-packet key mixing function, to prevent attack
      • Long-term solution
        • A single key to provide confidentiality and integrity
        • Provide integrity protection for the plaintext packet header, as well as
    • 115. WLAN WEP (WLAN security requirement and some attacks.ppt) WEP vs. TKIP
      • Cipher: WEP RC4; TKIP RC4
      • Key size(s): WEP 40- or 104-bit encryption; TKIP 128-bit encryption, 64-bit authentication
      • Key lifetime: WEP 24-bit wrapping IV; TKIP 48-bit IV
      • Per-packet key: WEP concatenate IV to base key; TKIP mixing function
      • Packet data integrity: WEP CRC-32; TKIP Michael
      • Replay detection: WEP none; TKIP enforcing IV sequencing
      • Key management: WEP none; TKIP IEEE 802.1X
    • 116. WLAN EAP (EAP series methods on wireless security.ppt)
      • IEEE 802.1X provide both authentication and key management
      (Figure: EAP with a RADIUS server)
    • 117. WLAN EAP (EAP series methods on wireless security.ppt)
      • EAP series
        • Password-based
          • LEAP
          • EAP-SKE
          • EAP-SRP
          • EAP-SPEKE
          • EAP-SIM (GSM/GPRS, SIM card)
          • EAP-AKA (3G-UMTS, USIM card)
        • Certificate-based
          • EAP-TLS
          • EAP-TTLS
          • PEAP
