part_02_b&w
8/12/2019 Part_02_B&W
STREAM CIPHERS
A.A. 2009/2010 1
Cryptography Part II
Stream Enciphering
Michele Elia
Politecnico di Torino
Stream enciphering is realized in two ways:
- as a bit-by-bit operation, performed by machines called stream ciphers
- as a block-by-block operation, performed by machines called block ciphers
Stream enciphering is understood here as the encryption of long sequences of bits.
Stream Ciphers
Plain text binary sequence:
m(1), m(2), ..., m(n), ...
Key binary sequence (produced by an FSM starting from a short sequence K0 called the secret key):
k(1), k(2), ..., k(n), ...
Encrypted binary sequence:
e(1), e(2), ..., e(n), ...
Encryption rule, referred to as Caesar enciphering:
e(n) = m(n) + k(n)
Structure of a stream generator as an autonomous FSM
[Figure: a periodic generator feeding a nonlinear function whose output is k(n)]
Stream Cipher Cryptanalysis
The problem: find the secret key K0 (the initial state of the FSM) knowing
- the state transition function f,
- the output function g,
given a piece of the generated enciphering stream
k1, k2, k3, ..., ks
Structure of a Block Cipher
[Figure: a nonlinear function, controlled by the key, with input m1 ... mn and output e1 ... en]
Block Ciphers (classical)
Enigma: single character cipher
DES: Data Encryption Standard
AES: Advanced Encryption Standard
IDEA: International Data Encryption Algorithm
Common structure
Input
Input Transformation
Round 1
Round 2
Round n
Output Transformation
Output
Classic (Standard) Algorithms
Enigma: Round structure
26 alphabetic characters represented as elements of Z26
T(X)= (X+k)-k
Each round consists of a Caesar transformation followed by a permutation (monoalphabetic substitution) followed by the inverse of the Caesar transformation.
The machine state changes after the encryption of a character, with a period that depends on the rotor notches and is of the order 26^6
DATA ENCRYPTION STANDARD: DES
Ei = DES(K0, Mi)
[Figure: DES block with 64-bit input Mi, 56-bit key K0 and 64-bit output Ei]
DES ROUND structure
[Figure: one round taking (Li, Ri) to (Li+1, Ri+1) through Q(S(E(Ri) + Ki)) and a + node]
DES function description
M is a vector with 64 entries (bits); consider
M=(L|R) decomposed into two vectors of dimension 32
P denotes an operator permuting the entries of a vector
denotes an involutory operator, that is M=(R|L)
2= where is the identity operator
denotes an operator such that M=(L+f(R)|R) therefore is an involution, that is 2=
DES = P 16 15 14 1 P-1
DES-1 = P 1 2 3 16 P-1
Description of DES function
Function f(.)
f(R)= S(E(R)+K)
K is a vector of 48 bits defined from K0, the key of 56 bits
E(.) is an expansion function of a vector of dimension 32 to a vector of dimension 48: this is obtained by replicating some entries
S, called S-box, is a compression function from dimension 48 to dimension 32 made of 8 boxes that define 8 s-mappings from 6 bits to 4 bits: the vector of 48 bits is partitioned into 8 vectors of 6 bits, to each of which an s-mapping is applied
DES transformation
In standard applications a binary message is partitioned into groups (vectors) of 64 bits
M0, M1, ..., Mn, ...
Function DES is always applied with the same key K0 to each vector
DES(K0, M0), DES(K0, M1), ..., DES(K0, Mn), ...
DES strengths and weaknesses
DES is a good encryption function
Few (4) known keys are weak:
DES(K0, DES(K0, M)) = M
Few (6) known pairs of keys are weak:
DES(K1, DES(K2, M)) = M
It is highly probable that the 2^56 DES transformations do not form a group: otherwise the complexity of breaking the system, namely of finding the secret key from a pair of plain and cipher texts, would be 2^28
AES
128 bits of data are stored as bytes in a 4 x 4 state matrix
Round operations are: Subbyte, Shiftrow, Mixcolumn, and Addroundkey
Round transformations
Subbyte
Shiftrow
Mixcolumn
Addroundkey
AES Round Structure
Legend
Polynomial (fixed in the standard)
Affine transformation on bytes
Legend (continued)
Each round requires 4 words (i.e. 128 bits) of key data, plus 4 words for the output transformation
A 128 bit key requires 4 x 11 words of key data w[i] (0i
IDEA Round structure
[Figure: IDEA round acting on the four words X1, X2, X3, X4 with subkeys K1, K2, K3, K4, K5, K6]
Legend
XOR on 16 bits, sum in
sum modulo 2^16, sum in
product modulo 2^16+1, product in
ECB: Electronic Code Book
Ei = DES(K0, Mi)
[Figure: DES block with 64-bit input Mi, 56-bit key K0 and 64-bit output Ei]
CBC: Cipher-Block Chaining
Ei = DES(K0, Mi + E_{i-1})
[Figure: Mi is added to E_{i-1} and the sum is enciphered by DES under key K0]
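The round structure L_{i+1} = R_i, R_{i+1} = L_i + f(R_i, K_i) and the ECB and CBC rules above can be exercised together. This is an added example, not part of the original slides: it uses a 16-round Feistel network on 64-bit blocks in which a truncated SHA-256 stands in for the real DES f function and key schedule (both are assumptions), and the IV used as E_0 is also an assumption.

```python
import hashlib

ROUNDS, MASK32 = 16, 0xFFFFFFFF

def round_keys(k0: bytes) -> list:
    # Stand-in key schedule (assumption): one 32-bit K_i per round, derived from K0.
    return [int.from_bytes(hashlib.sha256(k0 + bytes([i])).digest()[:4], "big")
            for i in range(ROUNDS)]

def f(r: int, k: int) -> int:
    # Stand-in for Q(S(E(R) + K)); f only has to be deterministic, not invertible.
    return int.from_bytes(hashlib.sha256((r ^ k).to_bytes(4, "big")).digest()[:4], "big")

def feistel(block: int, keys: list) -> int:
    left, right = block >> 32, block & MASK32
    for k in keys:
        # L_{i+1} = R_i ; R_{i+1} = L_i + f(R_i, K_i), "+" being XOR
        left, right = right, left ^ f(right, k)
    return (right << 32) | left          # undo the last swap, as DES does

def encrypt_block(k0: bytes, m: int) -> int:
    return feistel(m, round_keys(k0))

def decrypt_block(k0: bytes, e: int) -> int:
    # Same network with the round keys in reverse order: each round is an involution.
    return feistel(e, round_keys(k0)[::-1])

def ecb_encrypt(k0, blocks):
    return [encrypt_block(k0, m) for m in blocks]       # E_i = C(K0, M_i)

def cbc_encrypt(k0, blocks, iv):
    out, prev = [], iv                                  # iv plays the role of E_0
    for m in blocks:
        prev = encrypt_block(k0, m ^ prev)              # E_i = C(K0, M_i + E_{i-1})
        out.append(prev)
    return out

def cbc_decrypt(k0, blocks, iv):
    out, prev = [], iv
    for e in blocks:
        out.append(decrypt_block(k0, e) ^ prev)         # M_i = C^-1(K0, E_i) + E_{i-1}
        prev = e
    return out

# Constructed sample: blocks 0 and 2 of the message are identical.
KEY = b"constructed-key"
IV = 0x0123456789ABCDEF
MESSAGE = [0x4141414141414141, 0x4242424242424242, 0x4141414141414141]
```

Under ECB the two identical plaintext blocks produce identical ciphertext blocks, so message structure stays visible; under CBC the chaining removes that repetition.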
CFB: Cipher FeedBack
ki = DES(K0, k_{i-1})
[Figure: DES under key K0 with input k_{i-1}; its output ki is added to Mi to give Ei]
OFB: Output FeedBack
ki = DES(K0, E_{i-1})
Ei = ki + Mi
[Figure: DES under key K0 with input E_{i-1}; its output ki is added to Mi to give Ei]
Applications
GSM (Mobile telephony)
- Authentication for correct accounting and access control to the network
- Confidentiality
- No tracking
Internet Secure Connection
GSM
Security in GSM is based on three algorithms:
- A3: authentication algorithm (and protocol)
- A5: confidentiality algorithm, a stream cipher whose stream generator consists of three clock-controlled LFSRs
- A8: a one-way function used to define the initial state for A5
Tracking is avoided by using a secret alias for any accepted user.
GSM - A3 protocol
Users are identified by
- a public user number PIN, the phone number, and
- a secret user number ID.
ID is stored on the SIM card and in the access control computer system of the Provider.
GSM - A3 protocol
BOB sends an access request, with his PIN in the clear, to the Base Station (BS), one of the distributed access points of the cellular network.
BS forwards the request to provider P.
P returns a RANDOM number to BS.
BS sends RANDOM to BOB.
GSM - A3 protocol
BOB encrypts RANDOM combined with his secret ID using the A3 algorithm:
ANSWER = A3(RANDOM, ID)
BOB sends ANSWER to BS.
BS forwards ANSWER to P.
P compares ANSWER with the locally computed ANS = A3(RANDOM, ID). If ANS = ANSWER then access is permitted, otherwise it is denied.
GSM - A3 protocol
If access is permitted, then P sends an ack to BS together with SKEY5, a secret key used by the encryption algorithm A5.
BS sends an ack to BOB.
BOB computes his SKEY5 as
SKEY5 = A8(RANDOM, ID)
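The complete A3 exchange between BOB, BS and P, as an added example that is not part of the original slides. Since the real A3 and A8 are operator-chosen, truncated HMAC-SHA256 is used as a stand-in one-way function for both; the class names, output sizes and subscriber data are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def a3(random: bytes, secret_id: bytes) -> bytes:
    # Stand-in one-way function (assumption): HMAC-SHA256 truncated to 32 bits.
    return hmac.new(secret_id, b"A3" + random, hashlib.sha256).digest()[:4]

def a8(random: bytes, secret_id: bytes) -> bytes:
    # Stand-in for A8 (assumption): same construction, 64-bit output used as SKEY5.
    return hmac.new(secret_id, b"A8" + random, hashlib.sha256).digest()[:8]

class Provider:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers      # public PIN -> secret ID
        self.pending = {}                   # PIN -> outstanding RANDOM

    def challenge(self, pin: str) -> bytes:
        self.pending[pin] = secrets.token_bytes(16)   # fresh RANDOM per request
        return self.pending[pin]

    def verify(self, pin: str, answer: bytes):
        random = self.pending.pop(pin, None)          # each RANDOM is accepted once
        secret_id = self.subscribers.get(pin)
        if random is None or secret_id is None:
            return None
        ans = a3(random, secret_id)                   # locally computed ANS
        if not hmac.compare_digest(ans, answer):
            return None                               # access denied
        return a8(random, secret_id)                  # SKEY5 sent to BS with the ack

class Sim:
    def __init__(self, pin: str, secret_id: bytes):
        self.pin, self.secret_id = pin, secret_id

    def respond(self, random: bytes):
        # The secret ID never leaves the card: only ANSWER goes on the air.
        return a3(random, self.secret_id), a8(random, self.secret_id)

def attach(sim: Sim, provider: Provider):
    """Base Station role: relay PIN, RANDOM and ANSWER between BOB and P."""
    random = provider.challenge(sim.pin)
    answer, skey5_phone = sim.respond(random)
    skey5_bs = provider.verify(sim.pin, answer)
    return None if skey5_bs is None else (skey5_bs, skey5_phone)

# Constructed subscriber data.
PROVIDER = Provider({"PIN-0001": b"constructed secret ID"})
```

A card holding the right ID ends up with the same SKEY5 as the base station without the ID or the key ever crossing the radio link, and a captured ANSWER is useless against the next RANDOM.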
GSM - A5 algorithm
It is composed of three LFSRs of length 19, 22, and 23.
The evolution is clock controlled: three cells, in positions 8, 10 and 10 of the three registers respectively, are checked, and only the registers holding the majority symbol (either 0 or 1) change state.
The output sequence is obtained as the sum modulo 2 of the three binary sequences.
GSM - A5 algorithm
[Figure: block scheme and polynomial generators]
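A majority-clocked generator of the kind described above, used with the encryption rule e(n) = m(n) + k(n) from the first slides. This is an added example, not part of the original slides: register lengths and clocking cells are those given in the text, the feedback taps are taken from the published A5/1 description because the slide's figure did not survive, and the initial state and message bits are constructed.

```python
# (length, feedback taps, clocking cell) for each register; cell 0 is the input end.
# Lengths and clocking cells are from the slide; the feedback taps are those of
# the published A5/1 description (assumption: the slide's own figure is lost).
REGISTERS = [(19, (13, 16, 17, 18), 8),
             (22, (20, 21), 10),
             (23, (7, 20, 21, 22), 10)]

def step(state):
    """Clock the generator once; return (new_state, output_bit, moved_flags)."""
    checked = [(r >> clk) & 1 for r, (_, _, clk) in zip(state, REGISTERS)]
    majority = 1 if sum(checked) >= 2 else 0
    new_state, moved = [], []
    for r, bit, (length, taps, _) in zip(state, checked, REGISTERS):
        if bit == majority:                       # only majority registers shift
            feedback = 0
            for t in taps:
                feedback ^= (r >> t) & 1
            r = ((r << 1) | feedback) & ((1 << length) - 1)
        new_state.append(r)
        moved.append(bit == majority)
    out = 0
    for r, (length, _, _) in zip(new_state, REGISTERS):
        out ^= (r >> (length - 1)) & 1            # sum modulo 2 of the three outputs
    return new_state, out, moved

def keystream(initial_state, nbits):
    state, bits = list(initial_state), []
    for _ in range(nbits):
        state, k, _ = step(state)
        bits.append(k)
    return bits

def encipher(bits, initial_state):
    # e(n) = m(n) + k(n) mod 2; applying it twice with the same state decrypts.
    return [m ^ k for m, k in zip(bits, keystream(initial_state, len(bits)))]

# Constructed initial state (in GSM it would come from A8) and message bits.
STATE = [0x5A5A5, 0x2C3D4E, 0x6B7C8D]
MESSAGE_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
```

At every step at least two registers move, and an all-zero initial state produces an all-zero keystream, which leaves the message unencrypted.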
GSM - Comments
A3 algorithm
- Is the Provider's responsibility and choice
- Must be a strong ONE-WAY function to prevent cloning
- Must be easy to compute because of the limited power of cell phones
- Definition is not publicly available
- Common to all Providers (possibly), as the one proposed by the GSM group is used
GSM - Comments
A5 algorithm
- Must be common to every Provider as it runs on every Base Station
- Must be reasonably strong but guarantee QoS, being a real-time bit-by-bit encryption
- Must need few computations because of the limited power and energy available
- Is public. It was originally proposed by the GSM standardization group
- Initial state of the LFSRs is provided by the A8 algorithm
GSM - Comments
A8 is the Provider's responsibility and choice
It must be a strong ONE-WAY function to prevent cloning
The weakness is manifest only if A5 is broken
It must be easy to compute because of the limited power of cell phones.
At present the algorithm used is not public.
It is common to all Providers, as they use the one proposed by the GSM standardization group
Internet secure connection
Internet confidentiality is based on Secure Socket Layer (SSL), which establishes an encrypted connection with the secret keys distributed by a Trusted Party using a PKC
SSL encrypts the bits that go through the Internet channel
Comparison
Internet confidentiality
GSM confidentiality
are examples of two different security models:
SSL encrypts the channel
GSM encrypts the message