Chapter 6: Block Cipher Modes of Operation

Multiple Encryption & 3DES
- clear a replacement for DES was needed
  - theoretical attacks that can break it
  - demonstrated exhaustive key search attacks
- AES is a new cipher alternative
- prior to this, the alternative was to use multiple encryption with DES implementations
- Triple DES (3DES) is the chosen form

Why not Double-DES?
- could use 2 DES encrypts on each block
  - C = E(K2, E(K1, P))
  - P = D(K1, D(K2, C))
- issue of reduction to a single stage
- and have a "meet-in-the-middle" attack
  - works whenever a cipher is used twice
  - since X = E(K1, P) = D(K2, C), attack by encrypting P with all keys and storing the results, then decrypting C with all keys and matching the X value
  - can show it takes O(2^56) steps
  - Require know

Triple-DES with Two-Keys
- hence must use 3 encryptions
  - would seem to need 3 distinct keys
- but can use 2 keys with an E-D-E sequence
  - C = E_K1(D_K2(E_K1(P)))
  - nb encrypt & decrypt are equivalent in security
  - if K1 = K2 then it can work with single DES
- standardized in ANSI X9.17 & ISO 8732
- no currently known practical attacks
  - O(2^112) for exhaustive key search / 10^52 for differential cryptanalysis

Triple-DES with Three-Keys
- although there are no practical attacks on two-key Triple-DES, there are some indications
- can use Triple-DES with three keys to avoid even these
  - C = E_K3(D_K2(E_K1(P)))
- has been adopted by some Internet applications, eg PGP, S/MIME

Modes of Operation
- block ciphers encrypt fixed size blocks
  - eg. DES encrypts 64-bit blocks with a 56-bit key
- need some way to en/decrypt arbitrary amounts of data in practice
- NIST (SP800-38A) Modes of Use defines 5 possible modes
  - defined for AES & DES
- have block and stream modes
- to cover a wide variety of applications
- can be used with any block cipher

Electronic Codebook Book (ECB)
- message is broken into independent blocks which are encrypted
- each block is a value which is substituted, like a codebook, hence the name
- each block is encoded independently of the other blocks
  - C_i = DES_K1(P_i)
- uses: secure transmission of single values

Electronic Codebook Book (ECB) (diagram)

Advantages and Limitations of ECB
- message repetitions may show in ciphertext
  - if aligned with message block
  - particularly with data such as graphics
  - or with messages that change very little, which become a code-book analysis problem
- weakness is due to the encrypted message blocks being independent
- main use is sending a few blocks of data

Cipher Block Chaining (CBC)
- message is broken into blocks
- linked together in the encryption operation
- each previous cipher block is chained with the current plaintext block, hence the name
- use an Initial Vector (IV) to start the process
  - C_i = DES_K1(P_i XOR C_{i-1})
  - C_{-1} = IV
- uses: bulk data encryption, authentication

Cipher Block Chaining (CBC) (diagram)

Message Padding
- at end of message must handle a possible last short block
  - which is not as large as the blocksize of the cipher
  - pad either with a known non-data value (eg nulls)
  - or pad the last block along with a count of the pad size
    - eg. b1 b2 b3 0 0 0 0 5, means 3 data bytes, then 5 bytes of pad+count
  - this may require an extra entire block over those in the message
- there are other, more esoteric modes, which avoid the need for an extra block

Ciphertext Stealing
- Use to make ciphertext length the same as plaintext length
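The ECB, CBC and count-byte padding scheme above, as an added example that is not code from the slides: a generic 64-bit block cipher interface driven by a constructed 4-round Feistel toy cipher standing in for DES (any keyed permutation fits the modes), the slide's padding with validation on removal, and a duplicate-block count showing the codebook leakage ECB has and CBC hides. All function names are assumptions.

```python
import hashlib
BLOCK = 8  # 64-bit blocks like DES; the Feistel toy cipher below is a constructed stand-in, not DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd):  # round function: keyed SHA-256 truncated to half a block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def enc_block(key, block):  # 4-round Feistel network: a keyed permutation of one block
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def dec_block(key, block):  # same rounds in reverse order
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def pad(msg):  # slide scheme: zero bytes then a count byte, e.g. b1 b2 b3 0 0 0 0 5
    n = BLOCK - len(msg) % BLOCK  # a full-block message gets a whole extra block
    return msg + bytes(n - 1) + bytes([n])

def unpad(data):  # reject a count outside 1..BLOCK or non-zero filler bytes
    n = data[-1]
    if not 1 <= n <= BLOCK or any(data[-n:-1]):
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):  # C_i = E_K(P_i): equal plaintext blocks give equal ciphertext blocks
    return b"".join(enc_block(key, p) for p in blocks(pad(msg)))

def cbc_encrypt(key, iv, msg):  # C_i = E_K(P_i xor C_{i-1}), C_{-1} = IV
    out, prev = [], iv
    for p in blocks(pad(msg)):
        prev = enc_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):  # P_i = D_K(C_i) xor C_{i-1}; each block depends on its predecessor
    cs = blocks(ct)
    return unpad(b"".join(_xor(dec_block(key, c), prev) for c, prev in zip(cs, [iv] + cs)))

def repeated_blocks(ct):  # duplicate ciphertext blocks: ECB leaks repetition, CBC hides it
    return len(blocks(ct)) - len(set(blocks(ct)))
```

Encrypting a message containing the same 8-byte block three times gives three identical ECB blocks and no repeats under CBC.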
- Requires more than one block of plaintext
- (diagram labels: Pn-1, En-1, Pn, Head n, T)

Advantages and Limitations of CBC
- a ciphertext block depends on all blocks before it
- any change to a block affects all following ciphertext blocks (avalanche effect)
- need an Initialization Vector (IV)
  - which must be known to sender & receiver
  - if sent in clear, an attacker can change bits of the first block, and change the IV to compensate
  - hence the IV must either be a fixed value (as in EFTPOS) or derived in a way that is hard to manipulate
  - or sent encrypted in ECB mode before the rest of the message
  - or message integrity must be checked otherwise

Stream Modes of Operation
- block modes encrypt an entire block
- may need to operate on smaller units
  - real time data
- convert block cipher into stream cipher
  - cipher feedback (CFB) mode
  - output feedback (OFB) mode
  - counter (CTR) mode
- use block cipher as some form of pseudo-random number generator

Vernam cipher (diagram)

Cipher FeedBack (CFB)
- message is treated as a stream of bits
- added to the output of the block cipher
- result is fed back for the next stage (hence the name)
- standard allows any number of bits (1, 8, 64 or 128 etc) to be fed back
  - denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
- most efficient to use all bits in the block (64 or 128)
  - C_i = P_i XOR DES_K1(C_{i-1})
  - C_{-1} = IV
- uses: stream data encryption, authentication

Cipher FeedBack (CFB) (diagram)

Advantages and Limitations of CFB
- most common stream mode
- appropriate when data arrives in bits/bytes
- limitation is the need to stall while doing a block encryption after every s bits
- note that the block cipher is used in encryption mode at both ends
- errors propagate for several blocks after the error. How many?

Output FeedBack (OFB)
- message is treated as a stream of bits
- output of cipher is added to the message
- output is then fed back (hence the name)
- feedback is independent of the message
- can be computed in advance
  - C_i = P_i XOR O_i
  - O_i = DES_K1(O_{i-1})
  - O_{-1} = IV
- uses: stream encryption on noisy channels

Output FeedBack (OFB) (diagram)

Advantages and Limitations of OFB
- bit errors do not propagate
- more vulnerable to message stream modification
- a variation of a Vernam cipher
  - hence must never reuse the same sequence (key+IV)
- sender & receiver must remain in sync
- originally specified with m-bit feedback
  - subsequent research has shown that only full block feedback (ie CFB-64 or CFB-128) should ever be used

Counter (CTR)
- a "new" mode, though proposed early on
- similar to OFB but encrypts a counter value rather than any feedback value
- must have a different key & counter value for every plaintext block (never reused)
  - C_i = P_i XOR O_i
  - O_i = DES_K1(i)
- uses: high-speed network encryption

Counter (CTR) (diagram)

Advantages and Limitations of CTR
- efficiency
  - can do parallel encryptions in h/w or s/w
  - can preprocess in advance of need
  - good for bursty high speed links
- random access to encrypted data blocks
- provable security (as good as other modes)
- but must ensure key/counter values are never reused, otherwise it could break (cf OFB)

Feedback Characteristics (table)

XTS-AES Mode
- new mode, for block-oriented storage use (block-oriented storage devices)
  - in IEEE Std 1619-2007
- concept of a tweakable block cipher
- different requirements to transmitted data
- uses AES twice for each block
  - T_j = E_K2(i) ⊗ α^j
  - C_j = E_K1(P_j ⊕ T_j) ⊕ T_j
  - where i is the tweak & j is the sector no.
  - each sector may have multiple blocks

XTS-AES Mode per block (diagram)

XTS-AES Mode Overview (diagram)

Advantages and Limitations of XTS-AES
- efficiency
  - can do parallel encryptions in h/w or s/w
  - random access to encrypted data blocks
- has both nonce & counter
- addresses security concerns related to stored data

Summary
- Multiple Encryption & Triple-DES
- Modes of Operation: ECB, CBC, CFB, OFB, CTR, XTS-AES
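The XTS tweak arithmetic from the slides, as an added example that is neither IEEE 1619 reference code nor a library's: the multiply-by-α step in GF(2^128), the per-sector tweak sequence T_j = E_K2(i) ⊗ α^j, and the per-block C_j = E_K1(P_j ⊕ T_j) ⊕ T_j structure with the 128-bit block cipher passed in as functions (enc_k1, dec_k1, enc_k2 are assumed names); a byte-reversal stand-in is used only so the file runs offline.

```python
# Added example of the XTS structure from the slides (not IEEE 1619 reference code):
#   T_j = E_K2(i) (x) alpha^j ,  C_j = E_K1(P_j (+) T_j) (+) T_j
# The 128-bit block cipher is injected as enc_k1 / dec_k1 / enc_k2 (assumed names).

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mul_alpha(t):
    # Multiply a 16-byte GF(2^128) element by alpha (= x), IEEE Std 1619 convention:
    # little-endian bit order, reduction polynomial x^128 + x^7 + x^2 + x + 1
    out, carry = bytearray(16), 0
    for k in range(16):
        out[k] = ((t[k] << 1) & 0xFF) | carry
        carry = t[k] >> 7
    if carry:
        out[0] ^= 0x87
    return bytes(out)

def tweaks(enc_k2, sector, nblocks):
    # T_0 = E_K2(i), with the sector number i as a 16-byte little-endian tweak,
    # then T_j = T_{j-1} (x) alpha: one cipher call per sector, one shift per block
    t = enc_k2(sector.to_bytes(16, "little"))
    out = []
    for _ in range(nblocks):
        out.append(t)
        t = mul_alpha(t)
    return out

def xts_encrypt_sector(enc_k1, enc_k2, sector, plaintext):
    # whole 16-byte blocks only; the ragged-last-block case (ciphertext stealing) is omitted
    ps = [plaintext[k:k + 16] for k in range(0, len(plaintext), 16)]
    ts = tweaks(enc_k2, sector, len(ps))
    return b"".join(_xor(enc_k1(_xor(p, t)), t) for p, t in zip(ps, ts))

def xts_decrypt_sector(dec_k1, enc_k2, sector, ciphertext):
    # P_j = D_K1(C_j (+) T_j) (+) T_j; the tweak side always uses E_K2, never D_K2
    cs = [ciphertext[k:k + 16] for k in range(0, len(ciphertext), 16)]
    ts = tweaks(enc_k2, sector, len(cs))
    return b"".join(_xor(dec_k1(_xor(c, t)), t) for c, t in zip(cs, ts))

def stub_perm(b):  # stand-in permutation so the file runs alone: NOT a cipher, use AES in practice
    return bytes(reversed(b))

def demo_roundtrip(sector=7):
    pt = bytes(range(32))  # constructed sample: two blocks in one sector
    ct = xts_encrypt_sector(stub_perm, stub_perm, sector, pt)
    return xts_decrypt_sector(stub_perm, stub_perm, sector, ct) == pt
```

The same plaintext block encrypts differently at each block position and in each sector because the tweak differs, which is the point of the tweakable construction for storage.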