Symmetric (Conventional) Encryption

(Parts of the slides were provided by: Henric Johnson, Blekinge Institute of Technology, Sweden)

Symmetric Encryption Principles

A symmetric encryption scheme has five ingredients:
Plaintext Encryption algorithm Secret Key Ciphertext Decryption algorithm

Security depends on the secrecy of the key, not the secrecy of the algorithm
2

Symmetric Encryption Principles

E (m) (m) k

D (E (m)) = m (m)) k k
3

Cryptography
Classified along three independent dimensions:
The type of operations used for transforming plaintext to ciphertext (substitution, transposition) The number of keys used
symmetric (conventional, secret key) asymmetric (two-keys, or public-key encryption)

The way in which the plaintext is processed (block cipher, stream cipher)
4

Cryptanalysis
Type of Attack Known to Cryptanalyst
Ciphertext only Known plaintext Encryption Algorithm Cihpertext to be decoded Encryption algorithm Ciphertext to be decoded One or more plaintext-ciphertext pairs Encryption algorithm Ciphertext to be decoded Plaintext message chosen by cyptanalyst, together with its corresponding ciphertext
5

Chosen plaintext

Cryptanalysis (cont.)
Methods: Brute-force (exhaustive key search) Statistical analysis

Average time required for exhaustive key search

Time required at Key Size Number of (bits) Alternative Keys 106 Decryption/s 32 56 128 168 232 = 4.3 x 109 256 = 7.2 x 1016 2128 = 3.4 x 1038 2168 = 3.7 x 1050 2.15 milliseconds 10 hours 5.4 x 1018 years 5.9 x 1030 years
7

Simple Substitution Cipher

Caesar Cipher: shifts each letter of alphabet forward by k positions (moduls size of alphabet) Key = k (Caesar used k=3) Example: m=

COMPUTER SECURITY k=3

Ek(m) = FRPSXWHU VHFXULWB Cryptanalysis: Exhaustive key search (26 possible keys)
8

Monoalphabetic Cipher
Ciphertext letters correspond to plaintext letters in an arbitrary manner Example: m= ABCDEFGHIJKLMNOPQRSTUVWXYZ key = permutation Ek(m) = QWERTYUIOPASDFGHJKLZXCVBNM Cryptanalysis:
Brute force is infeasible (26 ! = 4 * 1026 possible keys) Statistical Frequency Analysis

Statistical Frequency Analysis

Uses structure and statistics of the plaintext language that is still inherited in the ciphertext language Characteristics of the English language: One letter ciphertext words will probably correspond to a or I The most frequent occurring biagrams in a ciphertext will
probably correspond to th or he Most frequent triagrams correspond to the, ing, and, ion

10

Statistical Frequency Analysis (cont.)

Frequency distribution of letters: A 8.167 J 0.153 B 1.492 K 0.772 C 2.782 L 4.025 D 4.253 M 2.406 E 12.702 N 6.749 F 2.228 O 7.507 G 2.015 P 1.929 H 6.094 Q 0.095 I 6.966 R 5.987 S T U V W X Y Z 6.327 9.056 2.758 0.978 2.360 0.150 1.974 0.074

Key reconstruction with help of frequency distribution of letters, biagrams, triagrams

11

Polyalphabetic Ciphers
A number of monalphabetic ciphers used in strict rotation, period: number of ciphers Example: Polyalphabetic cipher with 3 monoalphabetic ciphers M1, M2, M3

abcdefghijklmnopqrstuvwxyz M1:KDNHPAWXCZIMQJBYETUGVRFOSL M2:PAGUKHJBYDSOEMQNWFZITCVLXR M3:JMFZRNLDOWGIAKESUCQVHYXTPB

The plaintext message is enciphered to:

now is the time for every good man JQX CZ VXH VCER AQC PCRTX LBQZ QPK
12

Polyalphabetic Ciphers (cont.)

Cryptanalysis:
If the period is known -> the individual monoalphabetic ciphers may be analysed Period can be determined by Index of Coincidence (IC) IC measures the variation in the frequency of letters (decreases with increasing period):

Period: 1 2 3 4 5 10 large

IC: 0.066 0.052 0.047 0.045 0.044 0.041 0.038

13

One Time Pad

One-time pad offers perfect secrecy by using completely random keys at least as long as the messages they encipher: random sequence k1, k2, .., kn mixer message sequence m1, m2, .., mn Problem: key management
14

ciphertext c1, c2,...,cn

One Time Pad (cont.)

Condition for perfect secrecy of a cipher system: PC (m) = P (m) PC(m) : probability that m was sent given that C was received P(m) : probability of plaintext message m --> Intercepting ciphertext provides no additional information about plaintext message Requirement for perfect secrecy: key space >= message space (otherwise there is a message m, such that for a given C no key K deciphers C into m, implying Pc(m) = 0).
15

Transposition Ciphers
Rearranges characters according to some scheme, e.g., permutation of plaintext characters with a fixed period d Zd = [1..d] f: Zd Zd Permutation over Zd Key K = (d,f), Decryption by inverse Permutation f -1 Plaintext = M = m1 ... md md+1 ... m2d EK(M) = mf(1) ... mf(d) md+f(1) ... md+f(d) Example: d=4, Permutation f is defined by: i: 1234, f(i): 2413 M = RENA ISSA NCE EK(M) = EARN SAIS CNE
16

Transposition Ciphers (cont.)

Cryptanalysis: Easy to recognise (frequencies of letters closely matches expected frequencies for plaintext) Restoring disarranged set of letters into original position, with the help of diagram and triagram frequency distribution
17

Feistel Cipher Structure

Most symmetric block encryption algorithms, including DES, have a structure first described by Horst Feistel of IBM in 1973 The realization of a Feistel Cipher depends on the choice of the following parameters and design features (see next slide):
18

Feistel Cipher Structure (cont.)

Block size: larger block sizes mean greater security Key Size: larger key size means greater security Number of rounds: multiple rounds offer increasing security Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis.

19

20

10

Symmetric Encryption Algorithms

Data Encryption Standard (DES)
The most widely used encryption scheme The algorithm is referred to the Data Encryption Algorithm (DEA) DES is a block cipher The plaintext is processed in 64-bit blocks The key is 56-bits in length
21

22

11

23

DES
The overall processing at each iteration: Li = Ri-1 Ri = Li-1 F(Ri-1, Ki)

Concerns about:
The algorithm and the key length (56bits)
24

12

Time to break a code (106 decryptions/s)

25

Triple DEA
Use three keys and three executions of the DES algorithm (encrypt-decryptencrypt)
C = EK3[DK2[EK1[P]]]
C = ciphertext P = Plaintext EK[X] = encryption of X using key K DK[Y] = decryption of Y using key K

Effective key length of 168 bits

26

13

Triple DEA

27

Advanced Encryption Standard: AES

1997: Call for proposals for a new advanced encryption standard (AES) by NIST Symmetric block cipher with a block length of 128, 192, 256 bits Selected algorithm Rijndael (by V.Rijmen, J.Daemen / Belgium) variable block length and key length. currently specified how to use keys with a length of 128, 192, or 256 bits to encrypt blocks with al length of 128, 192 or 256 bits Both block length and key length can be extended very easily to multiples of 32 bits can be implemented very efficiently on a wide range of processors and hardware http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
28

14

AES Encryption and Decryption

29

AES Encryption Round

30

15

Cipher Block Modes of Operation

Cipher Block Chaining Mode (CBC) The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block. Repeating pattern of 64-bits are not exposed C i = E k [C i -1 Pi ]
D K [C i ] = D K [E K (C i -1 Pi )] D K [C i ] = (C i -1 Pi ) C i -1 D K [C i ] = C i -1 C i -1 Pi = Pi
31

32

16

33

Cipher Feedback Mode

IV Shift register 64 - j bits j bits 64 DES Encrypt 64 Select j bits j Discard 64 - j bits Select j bits Discard 64 - j bits DES Encrypt DES Encrypt CM-1 Shift register 64 - j bits j bits Shift register 64 - j bits j bits

Select j bits

Discard 64 - j bits

+
j P1 (a) Encryption

C1

+
P2

C2

+
PM

CM

34

17

IV Shift register 64 - j bits j bits

CM-1 Shift register 64 - j bits j bits Shift register 64 - j bits j bits

DES Encrypt

DES Encrypt

DES Encrypt

Select j bits

Discard 64 - j bits

Select j bits

Discard 64 - j bits

Select j bits

Discard 64 - j bits

+
P1 (b) Decryption

C1

+
P2

C2

+
PM

CM

Figure 2.8 J-Bit Cipher Feedback (CFB) Mode

C1= P1 Sj (E(IV)), Sj(X) : most significant j bits of X P1 = C1 Sj(E(IV))

35

Location of Encryption Device

Link encryption:
A lot of encryption devices High level of security Decrypt each packet at every switch

End-to-end encryption
The source encrypt and the receiver decrypts Payload encrypted Header in the clear

High Security: Both link and end-to-end encryption are needed (see Figure 2.9)
36

18

37

Key Distribution
1. A key could be selected by A and physically delivered to B. 2. A third party could select the key and physically deliver it to A and B. 3. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key. 4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B. 38

19

Key Distribution (See Figure 2.10)

Session key:
Data encrypted with a one-time session key.At the conclusion of the session the key is destroyed

Permanent key:
Used between entities for the purpose of distributing session keys

39

40

20