Cryptography - Lecture 9 - Block Cipher Design and Usage

Objectives

Preliminary Reading

Lecture Content

Weak Keys

1. Weak Keys
   • with many block ciphers there are some keys that should be avoided
   • because of reduced cipher complexity
   • these keys have the same sub-key generated in more than one round
2. Weak Keys in DES
   • the same sub-key is generated for every round
   • DES has 4 weak keys
3. Semi-Weak Keys in DES
   • only two sub-keys are generated on alternate rounds
   • DES has 12 of these (in 6 pairs)
4. Demi-Semi Weak Keys in DES
   • have four sub-keys generated in groups
5. Handling Weak Keys
   • weak keys dont cause a problem
   • since they are a tiny fraction of all available keys
   • however they MUST be avoided by any key generation program

DES Design Principles

1. DES Design Principles
   • although the standard for DES is public
   • the design criteria used are classified
   • a few have since been made public
   • have seen reverse engineering to derive others
2. DES S-box Design
   • are four substitution functions, one selected by bits 1,6
   • map inputs 2,3,4,5 onto output bits
   • carefully chosen to provide avalanche & completeness
   • also now know designed for max resistance to differential cryptanalysis
   • some criteria were released, more have been deduced
3. DES Permutations Design
   • 5 permutations: IP and IP^-1, P, E, PC1, PC2
   • IP and IP^-1 and PC1 serve no cryptological function when DES is used in ECB or CBC modes
   • since they merely rearrange bits in a regular pattern
   • hence searches may be constructed with their effect ignored
   • E, P, and PC2 act with S-Boxes
   • to ensure dependence of the output bits on the input bits and key bits
   • ie provide avalanche and completeness effects
4. DES Key Schedule and PC-2 Design
   • the rotations are used to present different bits of the key for selection on successive rounds
   • PC-2 selects key-bits and distributes them over the S-box inputs

Triple DES

1. Triple DES
   • clearly need a replacement for DES given advances in key searching
   • Triple DES is a proposal based on the existing DES
   • standardised in ANSI X9.17 & ISO 8732 and in PEM for key management
   • proposed for general EFT standard by ANSI X9
   • backwards compatible with exisitng single DES (K1=K2=K3)
   • uses either 2 keys (where K1=K3) or 3 keys:

     C = DESK3 {DES-1K2{DESK1(P)}}
     

2. Security of Triple DES
   • no known practical attacks
     • brute force search impossible
     • meet-in-the-middle attacks need 2^(56) plaintext-ciphertext pairs per key
   • is a popular current alternative
   • major disadvantage is speed (3x slower)

Modes of Use

1. Modes of Use
   • block ciphers encrypt a fixed size block of information
   • eg. DES encrypts 64-bit blocks of data, using a 56-bit key
   • need some way of specifying how to use it in practise, given that we usually have an arbitrary amount of information to encrypt
   • way a block cipher is used is called its Mode of Use
   • four have been defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
   • modes are either:

     Block Modes

     processes message in blocks (ECB, CBC)

     Stream Modes

     processes message as a bit/byte stream (CFB, OFB)

     DES (or any block cipher) forms a basic building block, which en/decrypts a fixed sized block of data. However to use these in practise, we usually need to handle arbitrary amounts of data, which may be available in advance (in which case a block mode is appropriate), and may only be available a bit/byte at a time (in which case a tream mode is used).

2. Electronic Codebook Book (ECB)
   • message is broken into independent blocks which are encrypted
   • each block is a value which is substituted, like a codebook, hence name
   • each block is independent of all others

     Ci = DESK1 (Pi)
     

     
     Stallings Fig 3.11

     ECB is the simplest of the modes, used when only a single block of info needs to be sent (eg. a session key encrypted using a master key)

3. Advantages and Limitations of ECB
   • repetitions in message can be reflected in ciphertext
     • if aligned with message block
     • particularly with data such graphics
     • or with messages that change very little, which become a code-book analysis problem
   • weakness due to encrypted message blocks being independent
   • hence only really useful when sending a few blocks of data

     ECB is not appropriate for any quantity of data, since repetitions can be seen, esp. with graphics, and because the blocks can be shuffled/inserted without affecting the encryption.

4. Cipher Block Chaining (CBC)
   • message is broken into blocks
   • but these are linked together in the encryption operation
   • ie cipher blocks are chained with plaintext, hence name
   • use a known Initial Vector (IV) to start process

     Ci = DESK1(Pi XOR Ci-1)
     C-1 = IV
     

     
     Stallings Fig 3.12

     To overcome the problems of repetitions and order independence in ECB, want some way of making the ciphertext dependent on all blocks before it. This is what CBC gives us, by combining the previous ciphertext block with the current message block before encrypting. To start the process, use an Initial Value (IV), which is usually wellknown (often all 0's), or otherwise is sent, ECB encrypted, just before starting CBC use. CBC mode is applicable whenever large amounts of data need to be sent securely, provided that its available in advance (eg email, FTP, web etc)

5. Advantages and Limitations of CBC
   • each ciphertext block is dependent on all message blocks before it
   • most common mode of use when data available in advance
   • thus a change in the message affects the ciphertext block after the change as well as the original block
   • to start need an Initial Value (IV) which must be known by both sender and receiver
     • however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
     • hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
   • also at the end of the message, have to handle a possible last short block
     • either pad last block (usually with count of pad size)
     • eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count
     • or use some fiddling to double up last two blocks
     • see Davies section 4.2 for examples

     One issue is how to handle the last block, which may well not be complete. In general have to pad this block (typically with 0's), and then must recognise padding at other end - may be obvious (eg in text the 0 value should usually not occur), or otherwise must explicitly have the last byte as a count of how much padding was used (including the count). Note that if this is done, if the last block IS an even multiple of 8 bytes, will have to add an extra block, all padding so as to have a count in the last byte.

6. Cipher FeedBack (CFB)
   • the message is treated as a stream of bits
   • which are added to the output of the block cipher
   • result is feed back for next stage (hence name)
   • standard allows any number of bit (1,8 or 64 or whatever) to be feed back
   • denoted CFB-1, CFB-8, CFB-64 etc
   • in practice it is most efficient to consume all 64 bits
   • call this CFB-64

     Ci = Pi XOR DESK1 (Ci-1)
     C-1 = IV
     

     
     Stallings Fig 3.13

     If the data is only available a bit/byte at a time (eg. terminal session, sensor value etc), then must use some other approach to encrypting it, so as not to delay the info. Idea here is to use the block cipher essentially as a pseudo-random number generator (see stream cipher lecture later) and to combine these "random" bits with the message. Note as mentioned before, XOR is an easily inverted operator (just XOR with same thing again to undo). Again start with an IV to get things going, then use the ciphertext as the next input. As originally defined, idea was to "consume" as much of the "random" output as needed for each message unit (bit/byte) before "bumping" bits out of the buffer and re-encrypting. This is wasteful though, and slows the encrpytion down as more encrpytions are needed. An alternate way to think of it is to generate a block of "random" bits, consume them as message bits/bytes arrive, and when they're used up, only then feed a full block of ciphertext back. This is CFB-64 mode, the most efficient. This is the usual choice for quantities of stream oriented data, and for authentication use.

7. Advantages and Limitations of CFB
   • appropriate when data inherently arrives in bits/bytes
   • most common stream mode
   • limitation is need to stall while do block encryption after every 64 bits
   • block cipher is use in encryption mode at both ends
   • errors propogate for several blocks after the error

     CFB is the usual stream mode. As long as can keep up with the input, doing encryptions every 8 bytes. A possible problem is that if its used over a "noisy" link, then any corrupted bit will distroy values in the current and next blocks (since the current block feeds as input to create the random bits for the next). So either must use over a reliable network transport layer (pretty usual) or use OFB.

8. Output FeedBack (OFB)
   • the message is treated as a stream of bits
   • output of block cipher is added to the message
   • and output if then feed back (hence name)
   • thus feedback is independent of the message
   • can be computed in advance

     Ci = Pi XOR Oi
     Oi = DESK1(Oi-1)
     O-1 = IV
     

     
     Stallings Fig 3.14

     The alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted. The advantage is that firslty, they can be computed in advance, good fro bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (eg satellite TV transmissions etc)

9. Advantages and Limitations of OFB
   • used where the error feedback is a problem
   • or where the encryptions must be done before the message is available
   • superficially similar to CFB
   • but the feedback is from the output of the block cipher and is independent of the message
   • a variation of a Vernam cipher
   • hence must never reuse the same sequence (key+IV)
   • sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
   • although originally specified with m-bit feedback in the standards
   • subsequent research has shown that only 64-bit OFB should ever be used
   • and this is the most efficient use anyway

     Because the "random" bits are independent of the message, they must never ever be used more than once (otherwise the 2 ciphertexts canbe combined, cancelling these bits, and leaving a "book" cipher to solve). Also, as noted, should only ever use afull block feedback ie OFB-64 mode.

Summary

1. Summary
   • DES design principles
   • triple-DES
   • block cipher modes of use: ECB, CBC, CFB, OFB

Exercises

1. Exercises
   1. Consider the avalanche effect in the DES cipher. If a single data input bit is changed, if it becomes a L half bit, roughly how many bits could be changed after round 1? After rounds 2, 3? Hint: if any input bit to an S-box is changed, potentially all that S-boxes output bits can change (given completeness in the S-box design). Now consider the case when a R half data bit is changed. How many bits could change after round 1, 2, 3? When a key bit is changed?
   2. For each of the four modes of use for block ciphers, think of an application where that mode would be the most appropriate, and in a few sentences describe the application and why the mode is the best choice

Additional References