Professional Documents
Culture Documents
Chapter2 Symmetric Encryption
Chapter2 Symmetric Encryption
Chapter2 Symmetric Encryption
WiSe 23/24
Chair of IT Security
Chapter Overview
(src: Wikipedia)
6 IT-Security 1 - Chapter 2: Symmetric Encryption
Diffie-Hellman Key Exchange: Idea
§ Key: 4312567
§ Plaintext: a t t a c k p
ost pone
dunt i l t
woamxyz
§ Ciphertext: ttnaaptm…
----- 10111101…
-----
----- = 10111101…
Å 10001111… Å
= 00110010… 00110010… =
§ Easy to compute
§ Encryption and decryption are the same operation
§ Bitwise XOR is very cheap to compute
§ As secure as theoretically possible
§ Given a ciphertext, all plaintexts are equally likely,
regardless of attacker’s computational resources
§ …as long as the key sequence is truly random
□ True randomness is expensive to obtain in large quantities
§ …as long as each key is same length as plaintext
□ But how does the sender communicate the key to receiver?
§ Probability of xi :
§ Uncertainty:
§ 1. Count Frequencies:
2. Calculate Probability:
3. Entropy Value:
§ Plain-Text
□ Usually natural language or structured data, e.g., header
□ Low Disorder of Information
→ low Entropy due to „smaller data distribution“
§ Cipher-Text
□ Usually high disorder of information (chaos)
→ high Entropy due to wider spread data distribution
§ Hill-Climbing
□ Depiction of a climber in the mountains
□ „Look around and only walk into a certain
direction if an improvement is expected“
§ DES
§ 3DES
§ AES
§ Twofish
§ MARS
§ …
* called the National Institute of Standards and Technology (NIST) since 1988
30 IT-Security 1 - Chapter 2: Symmetric Encryption
Diffusion and Confusion
• Expansion E (diffusion)
• XOR with round key
• S-box substitution (confusion)
• Permutation
row
column
§ Bitwise permutation
§ Introduces diffusion
§ Output bits of one s-box affect several s-boxes in the
next round
§ After round 5, every bit is a function of each key bit
and each plaintext bit (thanks to P, E, and S-Boxes)
Hence, after the first decryption round we have the same values as before
the last encryption round => first decryption reverses last encryption round.
(see plot from the lecture with two Feistel networks (last encryption and
first decryption round) for details)
e-encryption, d-decryption
§ Goals
§ More secure than 3DES
§ More efficient than 3DES
§ Support different key lengths
In GF(28)
0000 0001 = 1
0000 0010 = x
0000 0011 = x+1
Time complexity
# rounds
...
§ Encryption: ci = EK(mi)
... § Decryption: mi = DK(ci)
...
§ Disadvantages
§ Same plaintext block always leads to the same output block
§ Patterns in the plaintext block still show in the ciphertext
§ Re-ordering or deletion of ciphertexts cannot be detected
68 IT-Security 1 - Chapter 2: Symmetric Encryption
Why ECB is Not Enough
§ IV : = c0
§ Encryption: ci = Ek(mi xor ci-1 )
§ Decryption: mi = Dk(ci) xor ci-1
...
...
...
§ IV public, IV : = c0
§ Encryption: ci = Ek(ci-1) xor mi
§ Decryption: mi = ci xor Ek(ci-1)
§ IV public
§ Encryption: ci = Eki(IV) xor mi
§ IV encrypted i-times
§ Decryption: mi = ci xor Eki(IV)
§ IV public
§ Encryption: ci = Eki(IV+i) xor mi
§ Decryption: mi = ci xor Eki(IV+i)
§ No integrity
§ Associativity & commutativity: (X xor Y) xor Z=(X xor Z) xor Y
§ (M1 xor PRNG(seed)) xor M2 = (M1 xor M2) xor PRNG(seed)
§ Known-plaintext attack is very dangerous if keystream is
ever repeated
§ Self-cancellation property of XOR: X xor X=0
§ (M1 xor PRNG(seed)) xor (M2 xor PRNG(seed)) = M1 xor M2
§ If attacker knows M1, then easily recovers M2
□ Most plaintexts contain enough redundancy that knowledge of M1
or M2 is not even necessary to recover both from M1 xor M2
§ RC4
§ Used, e.g. in WLAN, TLS, IPsec
§ A5/1, A5/2
§ Used in GSM/GPRS
§ SEAL
§ ...
§ Structure:
Key Key Stream
K S Key stream
Scheduler Generator
256 byte
array
Swap!
i = j := 0
loop
i := (i+1) mod 256
j := (j+S[i]) mod 256
swap(S[i],S[j])
output S[(S[i]+S[j]) mod 256]
end loop
Deterministic
Random seed Random stream
Process
Feedback
§ Proposed in 1986
§ p and q are two large prime numbers
§ (p mod 4) = (q mod 4) = 3
§ n=p*q
§ Choose a random number s that is relatively prime to
n
§ x0=s2 mod n
§ xi=(xi-1)2mod n
§ bi=xi mod n => the output at each iteration
§ Next-bit test
§ Given N bits of the pseudo-random sequence, predict
(N+1)st bit
□ Probability of correct prediction should be very close to 1/2 for
any efficient adversarial algorithm
§ PRNG state compromise
§ Even if attacker learns complete or partial state of the
PRNG, he should not be able to reproduce the previously
generated sequence
□ … or future sequence, if there’ll be future random input(s)
§ Common PRNGs are not cryptographically secure
§ Basics
§ Stallings: Chapter on Symmetric Encryption
§ Kaufman: Chapters 3 and 4
§ Paar & Pelzl : Understanding Cryptography
§ Katz & Lindell: Introduction to Modern Cryptography
§ Further Reading
§ Random Numbers: RFC 1750
§ Really nice comic on AES
□ http://www.moserware.com/2009/09/stick-figure-guide-to-
advanced.html
§ Figure Credits: Forouzan “Introduction to
Cryptography and Network Security” and Paar
“Understanding Cryptography”
96 IT-Security 1 - Chapter 2: Symmetric Encryption
Optional Math Books
§ Basics
§ Ronald Graham, Donald Knuth, Oren Patashnik: Concrete
Mathematics: A Foundation for Computer Science
§ Kenneth H. Rosen: Discrete Mathematics and Its
Applications