8/4/2019 crypto7_1
1/16
DES Modes of Operation
Block modes:
Electronic Codebook (ECB)
The message is broken into independent blocks of 64 bits.
Cipher Block Chaining (CBC)
The message is broken into independent blocks of 64 bits, but the next input depends on the previous output:
C_i = E_k(P_i ⊕ C_{i-1}), with C_{-1} = IV
DES Modes of Operation
Stream modes
Cipher Feedback (CFB)
The message is XORed with the feedback of encrypting the previous block:
C_i = P_i ⊕ E_k(C_{i-1}), with C_{-1} = IV
Output Feedback (OFB)
The feedback is independent of the message:
C_i = P_i ⊕ E_k(O_{i-1}), where O_i = E_k(O_{i-1}) and O_{-1} = IV
Limitation of the modes
ECB
Repetitions in the message can be reflected in the ciphertext if they are aligned with the message blocks, particularly with data such as graphics, or with messages that change very little, which then become a code-book analysis problem.
The weakness arises because the enciphered message blocks are independent of each other.
Limitation of the modes
CBC
Uses the result of one encryption to modify the input of the next, hence each ciphertext block depends on all the message blocks before it.
Thus a change in the message affects the ciphertext block after the change as well as the original block.
To start, an Initial Value (IV) is needed, which must be known by both sender and receiver.
However, if the IV is sent in the clear, an attacker can change bits of the first block and change the IV to compensate.
Hence either the IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before the rest of the message.
Padding is needed at the end.
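The following is an added example, not code from the slides: it implements ECB and CBC exactly as the formulas above describe them, over a toy 64-bit Feistel cipher that stands in for DES (the cipher, its HMAC-based round function and its hashed key schedule are assumptions made for this example, not DES). It shows the ECB code-book leak (repeated plaintext blocks give repeated ciphertext blocks), the CBC property that flipping an IV bit flips the same bit of the first plaintext block and nothing else, and an HMAC over IV and ciphertext as the integrity check that detects such tampering.

```python
"""ECB and CBC over a toy 64-bit Feistel cipher (added example; the cipher is a stand-in, not DES)."""
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit blocks, as in DES


def _round_keys(key: bytes, rounds: int = 16):
    # Toy key schedule (an assumption for this example): hash the key with the round index.
    return [hashlib.sha256(key + bytes([i])).digest()[:16] for i in range(rounds)]


def _f(right: int, round_key: bytes) -> int:
    # Round function F(x_i, K_i): any keyed function will do; the Feistel structure supplies invertibility.
    mac = hmac.new(round_key, right.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def _feistel(round_keys, block: bytes) -> bytes:
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rk in round_keys:
        left, right = right, left ^ _f(right, rk)  # x_{i+1} = x_{i-1} xor F(x_i, K_i)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")  # undo the final swap


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(_round_keys(key), block)


def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Same network with the round keys in reverse order.
    return _feistel(list(reversed(_round_keys(key))), block)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be padded to a multiple of 8 bytes")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C_i = E_k(P_i): each block is enciphered independently of every other."""
    return b"".join(encrypt_block(key, p) for p in _blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E_k(P_i xor C_{i-1}) with C_{-1} = IV."""
    out, prev = [], iv
    for p in _blocks(plaintext):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D_k(C_i) xor C_{i-1}: only C_{i-1} and C_i influence P_i."""
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one; non-zero is the ECB code-book leak."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def iv_flip_moves_into_first_block(key: bytes, iv: bytes, plaintext: bytes, mask: bytes) -> bool:
    """Decrypting with IV xor mask yields P_0 xor mask and leaves every later block intact,
    which is why a cleartext IV needs integrity protection (or must be fixed, or sent encrypted)."""
    ct = cbc_encrypt(key, iv, plaintext)
    expected = _xor(plaintext[:BLOCK], mask) + plaintext[BLOCK:]
    return cbc_decrypt(key, _xor(iv, mask), ct) == expected


def tag(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Authenticate the IV together with the ciphertext so that IV or block tampering is detected."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, iv: bytes, ciphertext: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, iv, ciphertext), t)


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(BLOCK)
    msg = b"ATTACK AT DAWN. " * 4  # constructed sample: 8 blocks, only 2 distinct
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))
```

Run as a script it prints 6 repeated blocks for ECB and 0 for CBC on the same message. The MAC covers the IV as well as the ciphertext; a MAC over the ciphertext alone would still let the first plaintext block be altered through the IV.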
Limitation of the modes
CFB
When data is bit or byte oriented, we want to operate on it at that level, so a stream mode is used.
The block cipher is used in encryption mode at both ends, with the input being a fed-back copy of the ciphertext.
The number of bits fed back can be varied, trading off efficiency for ease of use.
Again, errors propagate for several blocks after the error.
Limitation of the modes: CFB (diagram slide; the figure is not reproduced in the text)
Limitation of the modes
OFB
Also a stream mode, but intended for use where the error feedback is a problem, or where the encryptions are to be done before the message is available.
It is superficially similar to CFB, but the feedback is from the output of the block cipher and is independent of the message, a variation of a Vernam cipher.
Again an IV is needed.
Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs.
Although originally specified with varying m-bit feedback in the standards, subsequent research has shown that only 64-bit OFB should ever be used (and this is the most efficient use anyway).
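As an added example (not from the slides), the code below implements CFB and OFB from the formulas given earlier and makes the error behaviour described on the CFB and OFB slides observable. E_k is a keyed hash standing in for the block cipher, which is an assumption for this example: both modes only ever use the forward direction of E_k, so invertibility is not needed to show how errors spread. A single flipped ciphertext bit damages two blocks in CFB and one bit in OFB, while a lost ciphertext block leaves OFB out of sync for everything that follows.

```python
"""CFB and OFB error behaviour (added example; E_k is a keyed-hash stand-in for the block cipher)."""
import hashlib

BLOCK = 8  # 64-bit feedback, the width the OFB slide recommends


def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for E_k (assumption for this example): a keyed pseudo-random function.
    return hashlib.blake2b(block, key=key, digest_size=BLOCK).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = P_i xor E_k(C_{i-1}), C_{-1} = IV: the feedback is the ciphertext itself."""
    out, prev = [], iv
    for p in _blocks(plaintext):
        prev = _xor(p, E(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = C_i xor E_k(C_{i-1}): block i depends on C_{i-1} and C_i only."""
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(c, E(key, prev)))
        prev = c
    return b"".join(out)


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """O_i = E_k(O_{i-1}), C_i = P_i xor O_i: the keystream never depends on the message,
    so the same function encrypts and decrypts (a Vernam-style cipher)."""
    out, o = [], iv
    for d in _blocks(data):
        o = E(key, o)
        out.append(_xor(d, o))
    return b"".join(out)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def damaged_blocks(original: bytes, recovered: bytes):
    """Indices of blocks in which the recovered plaintext differs from the original."""
    return [i for i, (a, b) in enumerate(zip(_blocks(original), _blocks(recovered))) if a != b]


def cfb_error_propagation(key: bytes, iv: bytes, plaintext: bytes, block_index: int):
    """One flipped ciphertext bit in block i: P_i gets the same single flipped bit, P_{i+1} is garbage,
    and from P_{i+2} on the receiver is back in sync because the feedback is the ciphertext."""
    ct = flip_bit(cfb_encrypt(key, iv, plaintext), block_index * BLOCK, 0)
    return damaged_blocks(plaintext, cfb_decrypt(key, iv, ct))


def ofb_error_propagation(key: bytes, iv: bytes, plaintext: bytes, block_index: int):
    """One flipped ciphertext bit in OFB flips exactly that plaintext bit; nothing propagates."""
    ct = flip_bit(ofb_crypt(key, iv, plaintext), block_index * BLOCK, 0)
    return damaged_blocks(plaintext, ofb_crypt(key, iv, ct))


def ofb_lost_block(key: bytes, iv: bytes, plaintext: bytes, block_index: int):
    """Dropping a ciphertext block desynchronises OFB: every later block decrypts wrongly,
    which is why the slide asks for a recovery method to keep sender and receiver in sync."""
    ct = _blocks(ofb_crypt(key, iv, plaintext))
    del ct[block_index]
    return damaged_blocks(plaintext, ofb_crypt(key, iv, b"".join(ct)))
```

The contrast is the design trade-off the slides describe: CFB self-synchronises after one block at the cost of propagating a bit error into the following block, while OFB confines a bit error to one bit but cannot recover on its own from a lost or inserted block.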
Limitation of the modes: OFB (diagram slide; the figure is not reproduced in the text)
DES Weak Keys
With many block ciphers there are some keys that should be avoided because of reduced cipher complexity.
These keys are such that the same sub-key is generated in more than one round.
Weak keys: the same sub-key is generated for every round.
DES has 4 weak keys.
DES Weak Keys
Semi-weak keys: only two sub-keys are generated, on alternate rounds.
DES has 12 of these (in 6 pairs).
Demi-semi-weak keys: four sub-keys are generated.
None of these cause a problem in practice, since they are a tiny fraction of all available keys.
However, they MUST be avoided by any key generation program.
DES variations
Double DES:
Use 2 keys: K1 and K2.
Encryption is E_{K1}(E_{K2}(P)).
Is double DES reducible to DES? (Crypto 92)
Triple DES:
Use 2 or 3 keys.
Encryption:
E_{K1}(E_{K2}(E_{K3}(P)))
E_{K1}(D_{K2}(E_{K1}(P)))
Cryptanalysis of DES
If you can choose the plaintext:
Brute force: try all 2^56 possible keys. No memory is necessary, but the encryption with all keys may be too slow.
Build a dictionary: each plaintext may result in 2^64 different ciphertexts, but there are only 2^56 possible values, one per key.
Encrypt the known plaintext with all possible keys; you then have a look-up table.
Very effective if you can inject plaintext and want to find many different keys.
Cryptanalysis of DES
There are some algorithms that trade time against memory/space requirements.
Linear cryptanalysis: a linear approximation to describe DES. DES can be broken with:
8 rounds: 2^21 known plaintexts
16 rounds: 2^43 or 2^47 known plaintexts
M. Matsui, Eurocrypt 93
Assume you have an n-bit plaintext and ciphertext, and an m-bit key.
Cryptanalysis of DES
Linear cryptanalysis
Find bit locations a's on the plaintext, b's on the ciphertext and c's on the key such that
(x_{a1} ⊕ … ⊕ x_{ai}) ⊕ (y_{b1} ⊕ … ⊕ y_{bj}) = (K_{c1} ⊕ … ⊕ K_{ck})
has a probability higher than .5.
Use many different plaintexts and analyze the left-hand side. Infer the right-hand side.
Cryptanalysis of DES
Differential cryptanalysis:
First suggested by Murphy for the cryptanalysis of FEAL-4.
Assume that we label each left and right part of any block in the 16 rounds of DES as x_i, starting from x_0 and x_1.
Assume that we have two known plaintexts x and x', and we know Δx = x ⊕ x'.
DES in each round produces x_{i+1} = x_{i-1} ⊕ F(x_i, K_i).
Cryptanalysis of DES
Differential analysis
Using that, we have
Δx_{i+1} = Δx_{i-1} ⊕ F(x_i, K_i) ⊕ F(x'_i, K_i)
If F(x_i, K_i) ⊕ F(x'_i, K_i) is a function of Δx_i with high probability, then:
Knowing Δx_{i-1} and Δx_i, we know Δx_{i+1}.
Test this hypothesis for different Δx and start getting information about K_i.
This can break DES with 2^47 chosen plaintexts.
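The following added example (my code, not from the slides, Matsui's paper or Biham and Shamir's work) makes both the linear-cryptanalysis slides and the differential-cryptanalysis slides above concrete on a single 4-bit S-box, row 0 of DES S1. The toy round function F(x, k) = S(x ⊕ k) is an assumption standing in for the DES round function. For the linear part it counts how often a chosen input/output bit relation holds, then uses the majority of the left-hand side over many plaintexts to infer the key-bit relation on the right-hand side; for the differential part it finds the most likely S-box output difference for a given input difference and checks how often the Feistel relation Δx_{i+1} = Δx_{i-1} ⊕ (F(x_i, K_i) ⊕ F(x'_i, K_i)) can be predicted from Δx_{i-1} and Δx_i alone, independent of the key.

```python
"""Linear and differential analysis of a 4-bit S-box (added example, not from the slides).
S is row 0 of DES S1; the one-round toy F(x, k) = S(x xor k) is an assumption standing in for DES."""
from itertools import product

SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]  # DES S1, row 0


def parity(v: int) -> int:
    """XOR of all bits of v; parity(a & x) is the XOR of the x bits selected by mask a."""
    return bin(v).count("1") & 1


# --- Linear cryptanalysis ---------------------------------------------------
def linear_count(sbox, a: int, b: int) -> int:
    """Number of inputs x for which parity(a.x) == parity(b.S(x)); 8 of 16 would be no bias."""
    return sum(parity(a & x) == parity(b & sbox[x]) for x in range(16))


def best_linear_approximation(sbox):
    """Masks (a, b, count) with the largest |count - 8| over all non-zero mask pairs."""
    return max(((a, b, linear_count(sbox, a, b)) for a, b in product(range(1, 16), repeat=2)),
               key=lambda t: abs(t[2] - 8))


def infer_key_parity(sbox, a: int, b: int, key: int) -> int:
    """Matsui's idea on the toy round y = S(x xor k): the left-hand side parity(a.x) xor parity(b.y)
    equals parity(a.k) for most plaintexts, so its majority value reveals one key-bit relation."""
    votes = [0, 0]
    for x in range(16):  # "use many different plaintexts"
        y = sbox[x ^ key]
        votes[parity(a & x) ^ parity(b & y)] += 1
    return 0 if votes[0] > votes[1] else 1


# --- Differential cryptanalysis ---------------------------------------------
def difference_count(sbox, dx: int, dy: int) -> int:
    """Number of inputs x with S(x) xor S(x xor dx) == dy."""
    return sum(sbox[x] ^ sbox[x ^ dx] == dy for x in range(16))


def most_likely_output_difference(sbox, dx: int):
    """The output difference dy that input difference dx produces most often, with its count."""
    counts = {dy: difference_count(sbox, dx, dy) for dy in range(16)}
    dy = max(counts, key=counts.get)
    return dy, counts[dy]


def next_difference_hit_rate(sbox, d_prev: int, d_cur: int, key: int) -> float:
    """Feistel round x_{i+1} = x_{i-1} xor F(x_i, K_i) with F(x, k) = S(x xor k).
    Predict dx_{i+1} = d_prev xor dy*, where dy* is the likeliest S-box output difference for
    d_cur, and return how often the prediction holds over all pairs. The key cancels in
    F(x_i, K_i) xor F(x'_i, K_i), so the rate does not depend on it."""
    dy_star, _ = most_likely_output_difference(sbox, d_cur)
    hits = 0
    for x_prev, x_cur in product(range(16), repeat=2):
        x_next = x_prev ^ sbox[x_cur ^ key]
        x_next_prime = (x_prev ^ d_prev) ^ sbox[(x_cur ^ d_cur) ^ key]
        hits += (x_next ^ x_next_prime) == (d_prev ^ dy_star)
    return hits / 256
```

For this S-box the relation with input mask 0110 and output mask 1011 holds for 12 of the 16 inputs, and input difference 1011 maps to output difference 0010 for 8 of the 16 inputs; both are the kind of bias that, accumulated across rounds, gives the known- and chosen-plaintext counts quoted on the slides. What matters in the linear case is any bias away from one half, in either direction.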