Lecture 2 Symmetric Encryption
What are the advantages and disadvantages to block ciphers?
- Block ciphers typically require more memory, since they work on larger chunks of data and often have "carry over" from previous blocks, whereas since stream ciphers work on only a few bits at a time they have relatively low memory requirements (and therefore cheaper to implement in limited scenarios such as embedded devices, firmware, and esp. hardware). - Because block ciphers encrypt a whole block at a time (and furthermore have "feedback" modes which are most recommended), they are more susceptible to noise in transmission, that is if you mess up one part of the data, all the rest is probably unrecoverable. Whereas with stream ciphers bytes are individually encrypted with no connection to other chunks of data (in most ciphers/modes), and often have support for interruptions on the line. - Because of all the above, stream ciphers are usually best for cases where the amount of data is either unknown, or continuous - such as network streams. Block ciphers, on the other hand, or more useful when the amount of data is pre-known - such as a file, data fields, or request/response protocols, such as HTTP where the length of the total message is known already at the beginning.
What are some Cryptanalytic attacks?
- In a known plaintext attack, the analyst may have access to some or all of the plaintext of the ciphertext; the analyst's goal in this case is to discover the key used to encrypt the message and decrypt the message. Once the key is discovered, an attacker can decrypt all messages that had been encrypted using that key. - In a chosen plaintext attack, the analyst either knows the encryption algorithm or has access to the device used to do the encryption. The analyst can encrypt the chosen plaintext with the targeted algorithm to derive information about the key.
What are the three properties of hash functions?
1: The first main property of a random function is one-wayness. Given knowledge of an input x we can easily compute the hash value h(x), but it is very difficult given the hash value h(x) to find a corresponding preimage x if one is not already known. 2: A second property of pseudorandom functions is that the output will not give any information at all about even part of the input. Thus a one-way encryption of the value x can be accomplished by concatenating it with a secret key k and computing h(x, k). If the hash function isn't random enough, though, using it for one-way encryption in this manner is asking for trouble. 3: A third property of pseudorandom functions with sufficiently long outputs is that it is hard to find collisions, that is, different messages M1 ̸= M2 with h(M1) = h(M2).
Stream cipher is one of the two symmetric cryptographic methods. How does it work?
A stream cipher is an encryption algorithm that encrypts 1 bit or byte of plaintext at a time. It uses an infinite stream of pseudorandom bits as the key. For a stream cipher implementation to remain secure, its pseudorandom generator should be unpredictable and the key should never be reused. Stream ciphers are designed to approximate an idealized cipher, known as the One-Time Pad.
What are the advantages and disadvantages to stream ciphers?
Advantages to Stream: - Speed of transformation: algorithms are linear in time and constant in space. - Low error propogation: an error in encrypting one symbol likely will not affect subsequent symbols. Disadvantages to Stream: - Susceptibility to insertions/ modifications: an active interceptor who breaks the algorithm might insert spurious text that looks authentic.
What is Block Cipher Modes of Operation and what are the modes?
Block Cipher Modes of Operation specifies how to use symmetric block ciphers for practical applications. NIST SP 800-38A specifies five modes of operation: - ECB: Electronic Code Book - CBC: Cipher Block Chaining - CFB: Cipher Feedback Mode - OFB - CTR: Counter Mode They are confidentiality mods (do not ensure integrity)
Block ciphers typically iterate a weaker round function. Explain!
Block ciphers typically iterate a weaker round function Iterated product ciphers carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. The subkey, mixed in with the input block, is again permutated in the next round with a new subkey. - AES-128: 10 rounds - AES-192: 12 rounds - AES-256: 14 rounds - DES: 16 rounds
What is Cipher FeedBack Mode?
Cipher feedback, or CFB, mode is another kind of stream cipher. It was designed to be self-synchronizing, in that even if we get a burst error and drop a few bits, the system will recover synchronization after one block length. This is achieved by using our block cipher to encrypt the last n bits of ciphertext, and then adding one of the output bits to the next plaintext bit. With decryption, the reverse operation is performed, with ciphertext feeding in from the right. Thus even if we get a burst error and drop a few bits, as soon as we've received enough ciphertext bits to fill up the shift register, the system will resynchronize. Cipher feedback is not much used any more.
What is DES?
Des is a variation of a Feistel network, and is expired and should no longer be used! It is a Feistel cipher, with a 64-bit block and 56-bit key (too short today). Its round function operates on 32-bit half blocks and consists of three operations: - first, the block is expanded from 32 bits to 48; - next, 48 bits of round key are mixed in using exclusive-or; - the result is passed through a row of eight S-boxes, each of which takes a six-bit input and provides a four-bit output; - finally, the bits of the output are permuted according to a fixed pattern.
How is Electronic Code Book use and why is is insecure?
Electronic code book is the easiest block cipher mode of functioning. It is easier because of direct encryption of each block of input plaintext and output is in form of blocks of encrypted ciphertext. Generally, if a message is larger than b bits in size, it can be broken down into bunch of blocks and the procedure is repeated. Identical plaintext blocks (encrypted with the same key) result in identical ciphertext blocks - may be insecure. Prone to cryptanalysis since there is a direct relationship between plaintext and ciphertext.
What is a Feistel cipher? (used by DES)
Feistel Cipher is not a specific scheme of block cipher. It is a design model from which many different block ciphers are derived. DES is just one example of a Feistel Cipher. A cryptographic system based on Feistel cipher structure uses the same algorithm for both encryption and decryption.
How does the RC4 key stream generator work for encryption and decryption?
For each byte plaintext/ciphertext: shuffle S and generate keystream value that is XORed with plaintext/ciphertext byte: RC4 basically generates a very long key to fit your message. Encryption and decryption is simply xoring with the output of RC4 for that particular position in the key stream. In general, most stream ciphers work that way. The complex part is that the algorithm should generate a very long key that is not susceptible to attack (the ideal being a one-time pad of the same length as the message).
What is Cipher Block Chaining (CBS) mode?
In CBC, previous cipher block is given as input to next encryption algorithm after XOR with original plaintext block. In a nutshell here, a cipher block is produced by encrypting a XOR output of previous cipher block and present plaintext block. - The IV must be unpredictable (but does not need to be secret) - Does not provide integrity protection - Correct decryption depends on correct receipt of the corresponding and previous ciphertext block - Can not be parallelized well (decryption can to some extent) - Needs to pad last block if the plaintext is not a multiple of the block size (can be avoided using ciphertext stealing) Advantages: - CBC works well for input greater than b bits. - CBC is a good authentication mechanism. - Better resistive nature towards cryptanalsis than ECB Disadvantages of CBC - Parallel encryption is not possible since every encryption requires previous cipher.
What is the Calois Counter Mode (GCM)?
In applications needing both integrity and privacy, the standard procedure used to be to first calculate a MAC on the message using one key, and then CBC encrypt it using a different key. (If the same key is used for both encryption and authentication, then the security of the latter is no longer guaranteed; cut-and-splice attacks are still possible.) In CBC mode, you encrypt a block of data by taking the current plaintext block and exclusive-oring that wth the previous ciphertext block (or IV), and then sending the result of that through the block cipher; the output of the block cipher is the ciphertext block. GCM mode provides both privacy (encryption) and integrity. To provide encryption, GCM maintains a counter; for each block of data, it sends the current value of the counter through the block cipher. Then, it takes the output of the block cipher, and exclusive or's that with the plaintext to form the ciphertext. • Mode of operation that combines encryption and authentication (i.e., authenticated encryption) • To be used with 128-bit block cipher (typically AES) • Uses a variation of CTR mode encryption for confidentiality • Uses a keyed hash function to create the authentication tag
What is the Output feedback mode (OFB)?
It has some similarities to the ciphertext feedback mode in that it permits encryption of differing block sizes, but has the key difference that the output of the encryption block function is the feedback (instead of the ciphertext). The XOR (exclusive OR) value of each plaintext block is created independently of both the plaintext and ciphertext. It is this mode that is used when there can be no tolerance for error propagation, as there are no chaining dependencies. Like the ciphertext feedback mode, it uses an initialization vector (IV). Changing the IV in the same plaintext block results in different ciphertext. In terms of error correction, output feedback can tolerate ciphertext bit errors, but is incapable of self-synchronization after losing ciphertext bits, as it disturbs the synchronization of the aligning keystream. A problem with output feedback is that the plaintext can be easily altered, but using a digital signature scheme can overcome this problem. Decryption is the same as encryption, using the ciphertext (instead of the plaintext) as input.
In regards to streaming cipher, how are the numbers random?
Often use a Pseudorandom Number Generator (PRNG): - Deterministic sequence of outputs, given a seed(e.g.,the secret key) as input - Such pseudo random numbers are not truly random but can pass many tests of randomness. - Maybe based on e.g., symmetric/asymmetric ciphers or hash functions
Why are block cipher modes of operation needed?
One of the main issues with block ciphers is that they only allow you to encrypt messages the same size as their block length. If you're using TEA, which has a block size of 64 bits, to encrypt a 65 bit message, you need a way to define how the second block should be encrypted. The solution to this is called block cipher modes of operation. Several block cipher modes of operation exist with varying advantages and disadvantages. Block ciphers only allow us to encrypt entire blocks. What if our message is longer/shorter than the block size? When this happens, we use modes of operations.
RC4 is one type of a stream cipher. Explain!
RC4 is a variable key-size, byte-oriented stream cipher making use of a permutation of all 8-bit values. RC4 generates a pseudo-random stream of bits (a key-stream). As with any stream cipher, these can be used for encryption by combining it with the plaintext using bit-wise exclusive-or. Decryption is performed the same way (since exclusive-or is a symmetric operation). To generate the key stream, the cipher makes use of a secret internal state which consists of two parts: - 1. A permutation of all 256 possible bytes (denoted "S" below). - 2. Two 8-bit index-pointers (denoted "i" and "j").
What are some problems with RC4?
Small deviations or wrong assumptions can cause insecurity (we here use the One-Time Pad for illustration) In their basic form, stream ciphers do not provide integrity/authenticity: - E.g., OTP: D(K, C ⨁ i) = P ⨁ i (i.e., changes to C are not detected and results in predictable changes to P) - Lesson: only depend on a cryptographic mechanism for its intended purpose(s)! A stream cipher is insecure if the same keystream is used twice: - E.g.,OTP:C1⨁C2=(K⨁P1)⨁(K⨁P2)=P1⨁P2 - Lesson: only use keys for their intended purpose and duration! The keystream must be completely unpredictable! - May other wise become vulnerable to known plaintext attacks
Rijndael/AES round function uses four invertible operations. What are these?
Substitute bytes: Byte-by-byte substitution, based on table (S-box). Shift rows: Permutation performed by rotating row by row Mix Colums: Substitution altering each byte in a column based on all the bytes in the column
What is a Block Cipher?
Symmetric block ciphers maps a fixed size input block to a fixed size output block. A block cipher is an encryption algorithm that encrypts a fixed size of n-bits of data - known as a block - at one time. The usual sizes of each block are 64 bits, 128 bits, and 256 bits. So for example, a 64-bit block cipher will take in 64 bits of plaintext and encrypt it into 64 bits of ciphertext. In cases where bits of plaintext is shorter than the block size, padding schemes are called into play. Majority of the symmetric ciphers used today are actually block ciphers. DES, Triple DES, AES, IDEA, and Blowfish are some of the commonly used encryption algorithms that fall under this group. Here, the function is invertible, and the input plaintext and the output ciphertext are of a fixed size. A block cipher is a keyed family of pseudorandom permutations. For each key, we have a single permutation which is independent of all the others. We can think of each key as corresponding to a different scroll. The intuitive idea is that a cipher machine should output the ciphertext given the plaintext and the key, and output the plaintext given the ciphertext and the key, but given only the plaintext and the ciphertext it should output nothing.
What is the difference between symmetric and asymmetric cryptographic cipher types?
Symmetric uses one key, i.e. shared secret key between two participants. A symmetric encryption can either be a stream or a block. Asymmetric uses two keys, i.e., a public and a private key.
What is Counter (CTR) mode?
The Counter Mode or CTR is a simple counter based block cipher implementation. Every time a counter initiated value is encrypted and given as input to XOR with plaintext which results in ciphertext block. The CTR mode is independent of feedback use and thus can be implemented in parallel. Hardware and software efficiency: - Encryption/decryption can be done in parallel - Preprocessing - The underlying encryption algorithm does not depend on plaintext or ciphertext input • Random access to ciphertext/plaintext blocks • Only requires implementation of the encryption algorithm and not the decryption algorithm • Does not provide integrity protection
AES uses the Rijndael block cipher. Explain this cipher.
The Rijndael algorithm is a new generation symmetric block cipher that supports key sizes of 128, 192 and 256 bits, with data handled in 128-bit blocks - however, in excess of AES design criteria, the block sizes can mirror those of the keys. Rijndael uses a variable number of rounds, depending on key/block sizes, as follows: - 9 rounds if the key/block size is 128 bits - 11 rounds if the key/block size is 192 bits - 13 rounds if the key/block size is 256 bits You take a plaintext (16 bytes), add round key to it, substitute bytes, shift rows, mix volumes, and then that's one round. The key (16 bytes) is expanded into 11 round keys, each 4x4 byte, and part of it given to the round, for example 0,3 for this round, and 4,7 for the next. Once you're done, you end up with the Ciphertext (16 bytes). When decrypting, you also add round key, but then you inverse shift rows, inverse sub bytes, add round key, inverse mix columns etc until you get plaintext (16 bytes).
What is a hash function and how are they used?
They are used to compute checksums on files in forensic applications: presented with a computer seized from a suspect, you can compute hash values of the files to identify which files are already known (such as system files) and which are novel (such as user data). Hash values are also used as a means of checking the integrity of files, as they will change if a file is corrupted. In messaging applications, hashes are often known as message digests; given a message M we can pass it through a pseudorandom function to get a digest, say h(M), which can stand in for the message in various applications. One example is digital signature: signature algorithms tend to be slow if the message is long, so it's usually convenient to sign a message digest rather than the message itself.
How does a RC4 initialization work?
To generate the key stream, the cipher makes use of a secret internal state which consists of two parts: 1. A permutation of all 256 possible bytes (denoted "S" below). 2. Two 8-bit index-pointers (denoted "i" and "j"). The permutation is initialized with a variable length key, typically between 40 and 256 bits, using the key-scheduling algorithm (KSA). Then the stream of bits is generated by a pseudo-random generation algorithm.
What is the one-time pad (The Vernam cipher)?
To use a one-time pad, you need 2 copies of the "pad" which is a block of random data equal in length to the message you wish to encode. The word "random" is used in its most literal possible sense here. If the data on the pad is not TRULY RANDOM, the security of the pad is reduced, potentially to near zero. One-time pads are used in pairs. The more copies of a given pad, the greater the likelihood is that one may be captured, in which case the system is completely broken. One copy of the pad is kept by each user, and pads must be exchanged via a secure channel [e.g.: face to face on floppy disks]. The pad is used by XORing every bit of the pad with every bit of the original message. Once the message is encoded with the pad, the pad is destroyed and the encoded message is sent. On the recipient's side, the encoded message is XORed with the duplicate copy of the pad and the plaintext message is generated. One-time pad provides perfect secrecy if truly random (and is fast), but it requires a one-time key as long as the plaintext.
There are three notions of cryptographic security. What are they?
Unconditional security - The system cannot be broken even with infinite computational resources Computational security - It is impossible to break the system in practice due to the computational resources required by the best known algorithms for breaking the system Provable security - Breaking the system is equivalent to solving a difficult problem (factoring, discrete logarithm)
How does a symmetric encryption work?
You take a Plaintext (P) and encryptions it using the Secret Key (K), to get the Ciphertext (C). The decrypter then decrypts (C) using the secret key, and gets the Plaintext. The secret key (used for both encryption and decryption) must be distributed over a secure channel, while the encryption algorithm is assumed to be publicly known
What is Cryptanalysis?
• Objective is to find the key or some unknown plaintext • Brute-forceattack - On average half the keys must be tried - Must be able to recognize valid plaintext - Mitigated by sufficient key length • Cryptanalyticattack - Weaknesses may result in much less resources/effort being required than for a brute-force attack
Define plaintext, cipher text, cipher, key, encipher, decipher, cryptography, cryptanalysis, cryptology.
• plaintext (P) - original message/data • ciphertext (C)- coded message/data • cipher - algorithm for transforming plaintext to ciphertext or ciphertext to plaintext • key (K)- info used in cipher known only to sender/receiver • encipher (encrypt) (E) - converting plaintext to ciphertext • decipher (decrypt) (D) - recovering plaintext from ciphertext • cryptography - study of encryption principles/methods • cryptanalysis (code breaking) - study of principles/ methods of recovering key or deciphering ciphertext without knowing key • cryptology - field of both cryptography and cryptanalysis