Nội dung

Network Security Lecture 16 Presented by: Dr. Munam Ali Shah Part 2 (c) Symmetric Key Cryptography Stream Ciphers Summary of the Previous Lecture  Discussed AES which was designed by Rijmen and Daemen in Belgium  has 128/192/256 bit keys, 128 bit data  processes data as block of 4 columns  operates on entire data block in every round  designed to be:  resistant against known attacks  speed and code compactness on wide range of platforms  design simplicity AES Stages  Four stages of AES: (Permutation, Substitution) 1. Substitute Byte : Each byte of the block is replaced by its substitution 2. Shift Rows : 1-byte circular shift is performed 3. Mix columns : each byte of a column is mapped in to a new value. 4. Add round key: The block is XOR with subkey Outlines of today’s lecture  Stream Cipher features and characteristics  We will explore RC4, RC5, Blowfish and Triple DES Objectives  You would be able to present an understanding of the principles for stream and block ciphers.  You would be able use and understand the different techniques used for stream ciphers. Block Cipher Characteristics  features seen in modern block ciphers are:  variable key length / block size / no rounds  mixed operators, data/key dependent rotation  key dependent S-boxes  more complex key scheduling  operation of full data in each round  varying non-linear functions Stream Ciphers  process the message bit by bit (as a stream)  typically have a (pseudo) random stream key  combined (XOR) with plaintext bit by bit  randomness of stream key completely destroys any statistically properties in the message  Ci = Mi XOR StreamKeyi  Keystream is XORed with plaintext bit by bit  but must never reuse stream key  otherwise can remove effect and recover messages Stream Cipher Properties  some design considerations are:      long period with no repetitions statistically random depends on large enough key large linear complexity use of highly non-linear boolean functions Stream Ciphers  Message is processed bit by bit or byte by byte as a stream  A key stream is used which is generated using a pseudo random number generator Stream Ciphers  Randomness of keystream completely destroys statistical properties in message  Ci = Mi Keystreami Stream Ciphers  The basic idea is borrowed from One Time Pad  Ci = Pi Ki  Pi = Ci Ki  The main difference is random vs pseudorandom key stream  Basic idea of all stream ciphers is:  Generate a key stream from a key  Combine (XOR) the key stream with the plaintext  The most popular stream cipher is RC4 Stream Ciphers  The key stream appears to be random  Number of 0s and 1s approximately equal  All byte values approximately equal  Properly designed, can be as secure as a block cipher with same size key  Stream ciphers are much faster and simpler than block ciphers but key cannot be reused Stream Cipher Illustration RC4  a proprietary cipher owned by RSA another Ron Rivest design, simple but effective  variable key size (1-256 bytes)  byte-oriented stream cipher  widely used (web SSL/TLS, wireless WEP)  key forms random permutation of all 8-bit values  uses that permutation to scramble input info processed a byte at a time  Remained trade secret till 1994 RC4 Working 1. Initialize state vector S 2. Permute S 3. Generate key stream RC4 Working 1. Initialize S for i = 0 to 255 do S[i] = i T[i] = K[i mod keylen] where K and T are vectors representing the key and the cascaded key, respectively RC4 Working 2. Permute S j = 0 for i = 0 to 255 do j = (j + S[i] + T[i])(mod 256) swap (S[i], S[j]) RC4 Working 3. Generate Key Stream i = j = 0 for each message byte Mi i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) t = (S[i] + S[j]) (mod 256) Ci = Mi XOR S[t] RC4 Security  Key should not be reused  No practical attacks reported  Attack against WEP using RC4 is reported but it is due to key handling rather than RC4 itself Triple DES  clear a replacement for DES was needed  theoretical attacks that can break it  demonstrated exhaustive key search attacks  AES is a new cipher alternative  prior to this alternative was to use multiple encryption with DES implementations  Triple-DES is the chosen form Triple-DES with Two-Keys  Uses 3 encryptions  would seem to need 3 distinct keys  but can use 2 keys with E-D-E sequence  C = EK1[DK2[EK3[P]]]  encrypt & decrypt equivalent in security  if K1=K2 then can work with single DES  standardized in ANSI X9.17 & ISO8732  no current known practical attacks Triple-DES with Three-Keys  although are no practical attacks on two-key Triple-DES have some indications  can use Triple-DES with Three-Keys to avoid even these  has been adopted by some Internet applications, eg PGP, S/MIME  Triple-DES with two keys is a popular alternative to single-DES, but suffers from being 3 times slower to run.  Although there are no practical attacks, have some indications of attack approaches.  Hence some are now adopting Triple-DES with three keys for greater security. Blowfish  a symmetric block cipher designed by Bruce Schneier in 1993/94  characteristics  fast implementation on 32-bit CPUs  compact in use of memory  simple structure eases analysis/implementation  variable security by varying key size  has been implemented in various products Blowfish Key Schedule  uses a 32 to 448 bit key  used to generate  18 32-bit subkeys stored in K-array Kj  four 8x32 S-boxes stored in Si,j  key schedule consists of:  initialize P-array and then 4 S-boxes using pi  XOR P-array with key bits (reuse as needed)  loop repeatedly encrypting data using current P & S and replace successive pairs of P then S values  requires 521 encryptions, hence slow in rekeying Discussion  key dependent S-boxes and subkeys, generated using cipher itself, makes analysis very difficult  changing both halves in each round increases security  provided key is large enough, brute-force key search is not practical, especially given the high key schedule cost RC5  a proprietary cipher owned by RSADSI  designed by Ronald Rivest (of RSA fame)  used in various RSADSI products  can vary key size / data size / no rounds  very clean and simple design  easy implementation on various CPUs  yet still regarded as secure RC5 Ciphers  RC5 is a family of ciphers RC5-w/r/b  w = word size in bits (16/32/64) nb data=2w  r = number of rounds (0..255)  b = number of bytes in key (0..255)  nominal version is RC5-32/12/16  i.e., 32-bit words so encrypts 64-bit data blocks  using 12 rounds  with 16 bytes (128-bit) secret key RC5 Key Expansion  RC5 uses 2r+2 subkey words (w-bits)  subkeys are stored in array S[i], i=0..t-1  then the key schedule consists of    initializing S to a fixed pseudorandom value, based on constants e and phi the byte key is copied (little-endian) into a c-word array L a mixing operation then combines L and S to form the final S array RC5 Encryption  split input into two halves A & B L0 = A + S[0]; R0 = B + S[1];  each round is like 2 DES rounds  note rotation is main source of non-linearity  need reasonable number of rounds (eg 12-16) RC5 Modes  RFC2040 defines 4 modes used by RC5  RC5 Block Cipher, is ECB mode  RC5-CBC, is CBC mode  RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padding bytes  RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original RC4 Security  claimed secure against known attacks  have some analyses, none practical  result is very non-linear  since RC4 is a stream cipher, must never reuse a key  have a concern with WEP, but due to key handling rather than RC4 itself Summary  We have discussed stream ciphers and have explored how they work. Some symmetric stream ciphers were discussed in detail such as:  RC4  Triple DES  RC5  Blowfish Next lecture topics  We will move to the part (d) i.e.,  Public key cryptography The End