Cryptography and Network Security, Sixth Edition, by William Stallings

Chapter 6: Block Cipher Operation

"Many savages at the present day regard their names as vital parts of themselves, and therefore take great pains to conceal their real names, lest these should give to evil-disposed persons a handle by which to injure their owners."
The Golden Bough, Sir James George Frazer

Double DES
- The use of double DES results in a mapping that is not equivalent to a single DES encryption

Meet-in-the-Middle Attack
- The meet-in-the-middle attack algorithm will attack this scheme
- It does not depend on any particular property of DES but will work against any block encryption cipher

Triple DES with Two Keys
- The obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys
- This raises the cost of the meet-in-the-middle attack to 2^112, which is beyond what is practical
- It has the drawback of requiring a key length of 56 x 3 = 168 bits, which may be somewhat unwieldy
- As an alternative, Tuchman proposed a triple encryption method that uses only two keys
- 3DES with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANSI X9.17 and ISO 8732

Multiple Encryption: Triple DES with Three Keys
- Many researchers now feel that three-key 3DES is the preferred alternative
- Three-key 3DES has an effective key length of 168 bits and is defined as C = E(K3, D(K2, E(K1, P)))

- Backward compatibility with DES is provided by putting K3 = K2 or K1 = K2
- A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME

Modes of Operation
- A technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application
- To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST
- The five modes are intended to cover a wide variety of applications of encryption for which a block cipher could be used
- These modes are intended for use with any symmetric block cipher, including triple DES and AES

Electronic Codebook Mode (ECB)

Criteria and properties for evaluating and constructing block cipher modes of operation that are superior to ECB:
- Overhead
- Error recovery
- Error propagation
- Diffusion
- Security

Cipher Block Chaining (CBC)

Cipher Feedback Mode
- For AES, DES, or any block cipher, encryption is performed on a block of b bits
- In the case of DES, b = 64; in the case of AES, b = 128
- There are three modes that make it possible to convert a block cipher into a stream cipher:
  - Cipher feedback (CFB) mode
  - Output feedback (OFB) mode
  - Counter (CTR) mode

s-bit Cipher Feedback (CFB) Mode

Output Feedback (OFB) Mode

Counter (CTR) Mode

Advantages of CTR
- Hardware efficiency
- Software efficiency
- Preprocessing
- Random access
- Provable security
- Simplicity

Feedback Characteristics of Modes of Operation

XTS-AES Mode for Block-Oriented Storage Devices
- Approved as an additional block cipher mode of operation by NIST in 2010
- The mode is also an IEEE standard, IEEE Std 1619-2007
- The standard describes a method of encryption for data stored in sector-based devices where the threat model includes possible access to stored data by the adversary
- Has received widespread industry support

Tweakable Block Ciphers
- XTS-AES mode is based on the concept of a tweakable block cipher
- General structure: it has three inputs:
  - A plaintext P
  - A symmetric key K
  - A tweak T
- The tweak need not be kept secret; its purpose is to provide variability
- Produces a ciphertext output C
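The feedback characteristics of the modes listed above are easiest to see by injecting a one-bit error into a ciphertext block and watching how many plaintext blocks it corrupts on decryption. The following is an added example, not code from the textbook or its author: it implements generic CBC, full-block CFB, OFB and CTR over a constructed toy 64-bit Feistel cipher (a stand-in for DES or AES, not a real cipher; the key, IV and plaintext are arbitrary sample values) and reports the damaged block indices for each mode.

```python
"""Added example: CBC, CFB, OFB and CTR over a toy 64-bit Feistel cipher, then a
one-bit ciphertext error injected to show how far it propagates in each mode.
The Feistel cipher is a constructed stand-in for DES/AES, not a real cipher."""
import hashlib

BLOCK = 8  # 64-bit block, as for DES
# Constructed sample key, IV and four-block plaintext; the values are arbitrary.
KEY = b"constructed key!"
IV = bytes(range(BLOCK))
PLAINTEXT = bytes(range(4 * BLOCK))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Toy round function: hash of (key, round number, half), truncated to 32 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """8-round Feistel network; any invertible 64-bit block cipher would serve."""
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(r, key, rnd))
    return r + l  # final swap: decryption is the same network with reversed rounds

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):
        l, r = r, _xor(l, _f(r, key, rnd))
    return r + l

def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))  # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)

def cfb_crypt(key, iv, data, decrypt=False):
    """Full-block CFB (s = b): keystream block = E(previous ciphertext block)."""
    out, prev = [], iv
    for d in _blocks(data):
        o = _xor(d, encrypt_block(key, prev))
        out.append(o)
        prev = d if decrypt else o  # the ciphertext block is what feeds forward
    return b"".join(out)

def ofb_crypt(key, iv, data):
    """OFB: the cipher output, not the ciphertext, is fed back (pure keystream)."""
    out, o = [], iv
    for d in _blocks(data):
        o = encrypt_block(key, o)
        out.append(_xor(d, o))
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    """CTR: keystream block i = E(nonce + i); blocks are independent (random access)."""
    start = int.from_bytes(nonce, "big")
    out = []
    for i, d in enumerate(_blocks(data)):
        counter = ((start + i) % (1 << 64)).to_bytes(BLOCK, "big")
        out.append(_xor(d, encrypt_block(key, counter)))
    return b"".join(out)

MODES = {
    "CBC": (cbc_encrypt, cbc_decrypt),
    "CFB": (cfb_crypt, lambda k, iv, c: cfb_crypt(k, iv, c, decrypt=True)),
    "OFB": (ofb_crypt, ofb_crypt),
    "CTR": (ctr_crypt, ctr_crypt),
}

def roundtrip_ok(mode: str) -> bool:
    enc, dec = MODES[mode]
    return dec(KEY, IV, enc(KEY, IV, PLAINTEXT)) == PLAINTEXT

def damaged_blocks(mode: str) -> list:
    """Flip one bit in ciphertext block 1 and return the indices of plaintext
    blocks that then decrypt incorrectly (the mode's error-propagation footprint)."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(KEY, IV, PLAINTEXT))
    ct[BLOCK + 3] ^= 0x01
    bad = dec(KEY, IV, bytes(ct))
    return [i for i, (p, q) in enumerate(zip(_blocks(PLAINTEXT), _blocks(bad))) if p != q]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "roundtrip:", roundtrip_ok(mode), "damaged blocks:", damaged_blocks(mode))
```

Running it shows the expected footprints: CBC and CFB each corrupt two plaintext blocks (the damaged block and the one that chains on it), while OFB and CTR confine the error to the single affected block, which is why the latter two give no error propagation but also no protection against undetected substitution.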

Tweakable Block Cipher

XTS-AES Operation on a Single Block

XTS-AES Mode

Summary
- Multiple encryption and triple DES
  - Double DES
  - Triple DES with two keys
  - Triple DES with three keys
- Electronic codebook
- Cipher block chaining mode
- Cipher feedback mode
- Output feedback mode
- Counter mode
- XTS-AES mode for block-oriented storage devices
  - Storage encryption requirements
  - Operation on a single block
  - Operation on a sector

Chapter 7: Pseudorandom Number Generation and Stream Ciphers

"The comparatively late rise of the theory of probability shows how hard it is to grasp, and the many paradoxes show clearly that we, as humans, lack a well grounded intuition in this matter. In probability theory there is a great deal of art in setting up the model, in solving the problem, and in applying the results back to the real world actions that will follow."
The Art of Probability, Richard Hamming

Random Numbers
- A number of network security algorithms and protocols based on cryptography make use of random binary numbers:
  - Key distribution and reciprocal authentication schemes
  - Session key generation
  - Generation of keys for the RSA public-key encryption algorithm
  - Generation of a bit stream for symmetric stream encryption
- There are two distinct requirements for a sequence of random numbers: randomness and unpredictability

Randomness
- The generation of a sequence of allegedly random numbers being random in some well-defined statistical sense has been a concern
- Two criteria are used to validate that a sequence of numbers is random:
  - Uniform distribution: the frequency of occurrence of ones and zeros should be approximately equal
  - Independence: no one subsequence in the sequence can be inferred from the others

Unpredictability
- The requirement is not just that the sequence of numbers be statistically random, but that the successive members of the sequence are unpredictable
- With true random sequences, each number is statistically independent of other numbers in the sequence and therefore unpredictable
- True random numbers have their limitations, such as inefficiency, so it is more common to implement algorithms that generate sequences of numbers that appear to be random
- Care must be taken that an opponent not be able to predict future elements of the sequence on the basis of earlier elements

Pseudorandom Numbers
- Cryptographic applications typically make use of algorithmic techniques for random number generation
- These algorithms are deterministic and therefore produce sequences of numbers that are not statistically random
- If the algorithm is good, the resulting sequences will pass many tests of randomness and are referred to as pseudorandom numbers

True Random Number Generator (TRNG)
- Takes as input a source that is effectively random
- The source is referred to as an entropy source and is drawn from the physical environment of the computer
- Includes things such as keystroke timing patterns, disk electrical activity, mouse movements, and instantaneous values of the system clock
- The source, or combination of sources, serves as input to an algorithm that produces random binary output
- The TRNG may simply involve conversion of an analog source to a binary output
- The TRNG may involve additional processing to overcome any bias in the source

Pseudorandom Number Generator (PRNG)
- Takes as input a fixed value, called the seed, and produces a sequence of output bits using a deterministic algorithm
- Quite often the seed is generated by a TRNG

- The output bit stream is determined solely by the input value or values, so an adversary who knows the algorithm and the seed can reproduce the entire bit stream
- Other than the number of bits produced, there is no difference between a PRNG and a PRF

Two different forms of PRNG
- Pseudorandom number generator: an algorithm that is used to produce an open-ended sequence of bits; input to a symmetric stream cipher is a common application for an open-ended sequence of bits
- Pseudorandom function (PRF): used to produce a pseudorandom string of bits of some fixed length; examples are symmetric encryption keys and nonces

PRNG Requirements
- The basic requirement when a PRNG or PRF is used for a cryptographic application is that an adversary who does not know the seed is unable to determine the pseudorandom string
- The requirement for secrecy of the output of a PRNG or PRF leads to specific requirements in the areas of:
  - Randomness
  - Unpredictability
  - Characteristics of the seed

Randomness
- The generated bit stream needs to appear random even though it is deterministic
- There is no single test that can determine if a PRNG generates numbers that have the characteristic of randomness
- If the PRNG exhibits randomness on the basis of multiple tests, then it can be assumed to satisfy the randomness requirement
- NIST SP 800-22 specifies that the tests should seek to establish three characteristics:
  - Uniformity
  - Scalability
  - Consistency

Randomness Tests
- SP 800-22 lists 15 separate tests of randomness; three of them:
  - Frequency test: the most basic test, which must be included in any test suite; its purpose is to determine whether the number of ones and zeros in a sequence is approximately the same as would be expected for a truly random sequence
  - Runs test: the focus of this test is the total number of runs in the sequence, where a run is an uninterrupted sequence of identical bits bounded before and after by a bit of the opposite value; its purpose is to determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence
  - Maurer's universal statistical test: the focus is the number of bits between matching patterns; its purpose is to detect whether or not the sequence can be significantly compressed without loss of information; a significantly compressible sequence is considered to be non-random

Unpredictability
- A stream of pseudorandom numbers should exhibit two forms of unpredictability:
  - Forward unpredictability: if the seed is unknown, the next output bit in the sequence should be unpredictable in spite of any knowledge of previous bits in the sequence
  - Backward unpredictability: it should not be feasible to determine the seed from knowledge of any generated values; no correlation between a seed and any value generated from that seed should be evident; each element of the sequence should appear to be the outcome of an independent random event whose probability is 1/2
- The same set of tests for randomness also provides a test of unpredictability
- A random sequence will have no correlation with a fixed value (the seed)

Seed Requirements
- The seed that serves as input to the PRNG must be secure and unpredictable
- The seed itself must be a random or pseudorandom number
- Typically the seed is generated by a TRNG

Generation of Seed Input to PRNG

Algorithm Design
- Algorithms fall into two categories:
  - Purpose-built algorithms: algorithms designed specifically and solely for the purpose of generating pseudorandom bit streams
  - Algorithms based on existing cryptographic algorithms: these have the effect of randomizing input data
- Three broad categories of cryptographic algorithms are commonly used to create PRNGs:
  - Symmetric block ciphers
  - Asymmetric ciphers
  - Hash functions and message authentication codes

Linear Congruential Generator
- An algorithm first proposed by Lehmer that is parameterized with four numbers:
  - m, the modulus, m > 0
  - a, the multiplier, 0 < a < m
  - c, the increment, 0 ≤ c < m
  - X0, the starting value or seed, 0 ≤ X0 < m
- The sequence of random numbers {Xn} is obtained via the following iterative equation: Xn+1 = (a Xn + c) mod m
- If m, a, c, and X0 are integers, then this technique will produce a sequence of integers with each integer in the range 0 ≤ Xn < m
- The selection of values for a, c, and m is critical in developing a good random number generator

Blum Blum Shub (BBS) Generator
- Has perhaps the strongest public proof of its cryptographic strength of any purpose-built algorithm
- Referred to as a cryptographically secure pseudorandom bit generator (CSPRBG)
- A CSPRBG is defined as one that passes the next-bit test: there is no polynomial-time algorithm that, on input of the first k bits of an output sequence, can predict the (k + 1)st bit with probability significantly greater than 1/2
- The security of BBS is based on the difficulty of factoring n
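To tie the randomness tests to the two purpose-built generators just described, here is an added example (not code from the textbook or its author) that implements the linear congruential generator and the Blum Blum Shub generator, the SP 800-22 frequency (monobit) and runs tests, and then feeds both generators' bit streams through those tests. The BBS parameters p = 383, q = 503 and s = 101355 are the ones Stallings uses in Table 7.1 and are not reproduced on this page; the LCG parameters and the period-check values are constructed for the demonstration.

```python
"""Added example: LCG and BBS generators checked with the SP 800-22 frequency and
runs tests.  BBS parameters follow Stallings' Table 7.1 (p = 383, q = 503,
s = 101355); the LCG parameters are constructed sample values."""
import math

def lcg(m: int, a: int, c: int, x0: int):
    """Lehmer's generator: X_{n+1} = (a*X_n + c) mod m, yielded without end."""
    x = x0
    while True:
        x = (a * x + c) % m
        yield x

def lcg_period(m: int, a: int, c: int, x0: int) -> int:
    """Length of the cycle the generator settles into (brute force; small m only)."""
    seen = {}
    for n, x in enumerate(lcg(m, a, c, x0)):
        if x in seen:
            return n - seen[x]
        seen[x] = n

def bbs_states(p: int, q: int, s: int, count: int) -> list:
    """X_0 = s^2 mod n, X_{i+1} = X_i^2 mod n, with n = p*q and p, q both 3 mod 4."""
    n = p * q
    states = [pow(s, 2, n)]
    for _ in range(count):
        states.append(pow(states[-1], 2, n))
    return states

def bbs_bits(p: int, q: int, s: int, count: int) -> list:
    """BBS output: the least significant bit of X_1, X_2, ..., X_count."""
    return [x & 1 for x in bbs_states(p, q, s, count)[1:]]

def frequency_test(bits: list) -> float:
    """SP 800-22 monobit test: P-value = erfc(|sum(2b - 1)| / sqrt(n) / sqrt(2))."""
    n = len(bits)
    s_obs = abs(sum(2 * b - 1 for b in bits)) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))

def runs_test(bits: list) -> float:
    """SP 800-22 runs test; returns 0.0 when the frequency prerequisite fails."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])  # number of runs
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    return math.erfc(num / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def passes(p_value: float) -> bool:
    """SP 800-22 convention: accept the sequence as random when P-value >= 0.01."""
    return p_value >= 0.01

def lcg_low_bits(count: int, m=2**31, a=1103515245, c=12345, x0=12345) -> list:
    """Least significant bit of each LCG output.  With m even and a, c odd the low
    bit simply alternates, which the runs test exposes even though the frequency
    test is satisfied."""
    gen = lcg(m, a, c, x0)
    return [next(gen) & 1 for _ in range(count)]

if __name__ == "__main__":
    print("LCG period m=16 a=5 c=3:", lcg_period(16, 5, 3, 0))  # full period 16
    print("LCG period m=16 a=6 c=3:", lcg_period(16, 6, 3, 0))  # collapses to a fixed point
    print("BBS X_0..X_3:", bbs_states(383, 503, 101355, 3))
    for name, bits in (("LCG low bits", lcg_low_bits(1000)),
                       ("BBS bits", bbs_bits(383, 503, 101355, 1000))):
        f, r = frequency_test(bits), runs_test(bits)
        print(f"{name}: frequency P={f:.4f} ({passes(f)}), runs P={r:.2e} ({passes(r)})")
```

The two LCG period checks show why the choice of a, c and m is critical: the same modulus with a different multiplier goes from a full-period cycle to a fixed point after four outputs. The frequency and runs implementations reproduce the worked P-values given in SP 800-22 for its short sample sequences, and the BBS state values match the first rows of Table 7.1.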

Table 7.1 Example Operation of BBS Generator

PRNG Using Block Cipher Modes of Operation
- Two approaches that use a block cipher to build a PRNG have gained widespread acceptance:
  - CTR mode: recommended in NIST SP 800-90, ANSI standard X9.82, and RFC 4086
  - OFB mode: recommended in X9.82 and RFC 4086

Table 7.2 Example Results for PRNG Using OFB

Table 7.3 Example Results for PRNG Using CTR

ANSI X9.17 PRNG
- One of the strongest PRNGs is specified in ANSI X9.17
- A number of applications employ this technique, including financial security applications and PGP
- The algorithm makes use of triple DES for encryption
- Ingredients are:
  - Input: two pseudorandom inputs drive the generator. One is a 64-bit representation of the current date and time. The other is a 64-bit seed value; this is initialized to some arbitrary value and is updated during the generation process.
  - Keys: the generator makes use of three triple DES encryption modules. All three make use of the same pair of 56-bit keys, which must be kept secret and are used only for pseudorandom number generation.
  - Output: the output consists of a 64-bit pseudorandom number and a 64-bit seed value.

NIST CTR_DRBG
- Counter mode deterministic random bit generator
- A PRNG defined in NIST SP 800-90, based on the CTR mode of operation
- Is widely implemented and is part of the hardware random number generator implemented on all recent Intel processor chips
- The DRBG assumes that an entropy source is available to provide random bits
- Entropy is an information-theoretic concept that measures unpredictability or randomness
- The encryption algorithm used in the DRBG may be 3DES with three keys or AES with a key size of 128, 192, or 256 bits

Table 7.4 CTR_DRBG Parameters

CTR_DRBG Functions

Stream Ciphers

Stream Cipher Design Considerations
- The encryption sequence should have a large period
  - A pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually repeats; the longer the period of repeat, the more difficult it will be to do cryptanalysis
- The keystream should approximate the properties of a true random number stream as closely as possible
  - There should be an approximately equal number of 1s and 0s
  - If the keystream is treated as a stream of bytes, then all of the 256 possible byte values should appear approximately equally often
- The output of the pseudorandom number generator is conditioned on the value of the input key
  - A key length of at least 128 bits is desirable
  - The same considerations that apply to block ciphers are valid
- With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length

- A potential advantage is that stream ciphers that do not use block ciphers as a building block are typically faster and use far less code than block ciphers

RC4
- Designed in 1987 by Ron Rivest for RSA Security
- Variable key size stream cipher with byte-oriented operations
- Based on the use of a random permutation
- Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software
- Used in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) standards that have been defined for communication between Web browsers and servers
- Is also used in the Wired Equivalent Privacy (WEP) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE 802.11 wireless LAN standard

Strength of RC4
- A number of papers have been published analyzing methods of attacking RC4
- None of these approaches is practical against RC4 with a reasonable key length
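The two phases the chapter summary names for RC4, initialization of the state vector S and stream generation, are short enough to show in full. The following is an added example, not code from the textbook or its author: it implements both phases, checks the result against a published RC4 test vector (key "Key", plaintext "Plaintext"), and adds one function illustrating why the keys fed to RC4 must never repeat, which is the kind of key-generation mistake the WEP discussion refers to. The sample messages and the key in the reuse demonstration are constructed values.

```python
"""Added example: RC4 key scheduling (initialisation of S) and stream generation,
checked against a published test vector, plus a demonstration of keystream reuse.
The messages and key used in the reuse demonstration are constructed samples."""

def rc4_init_state(key: bytes) -> list:
    """Initialise S to the identity permutation, then scramble it with the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` keystream bytes; each step swaps two entries of S and emits one."""
    s = rc4_init_state(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Two messages under the same key: C1 xor C2 equals M1 xor M2, because the
    identical keystream cancels.  An observer of the two ciphertexts therefore
    learns the XOR of the plaintexts without knowing the key at all."""
    return xor_bytes(rc4_crypt(key, m1), rc4_crypt(key, m2))

if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    leak = keystream_reuse_leak(b"constructed key", b"first message", b"other message")
    print(leak == xor_bytes(b"first message", b"other message"))  # True
```

The test vector confirms the permutation-based stream generator is correct; the reuse function shows the property that makes per-message key freshness a protocol requirement rather than an implementation detail, which is the point the following WEP bullets make.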

- A more serious problem is that the WEP protocol, intended to provide confidentiality on 802.11 wireless LAN networks, is vulnerable to a particular attack approach
- The problem is not with RC4 itself, but the way in which keys are generated for use as input
- The problem does not appear to be relevant to other applications and can be remedied in WEP by changing the way in which keys are generated
- The problem points out the difficulty in designing a secure system that involves both cryptographic functions and protocols that make use of them

Entropy Sources
- A true random number generator (TRNG) uses a nondeterministic source to produce randomness
- Most operate by measuring unpredictable natural processes such as pulse detectors of ionizing radiation events, gas discharge tubes, and leaky capacitors

- Intel has developed a commercially available chip that samples thermal noise by amplifying the voltage measured across undriven resistors
- LavaRnd is an open source project for creating truly random numbers using inexpensive cameras, open source code, and inexpensive hardware
- The system uses a saturated CCD in a light-tight can as a chaotic source to produce the seed; software processes the result into truly random numbers in a variety of formats

Possible Sources of Randomness
- RFC 4086 lists the following possible sources of randomness that can be used on a computer to generate true random sequences:
  - Sound/video input: the input from a sound digitizer with no source plugged in or from a camera with the lens cap on is essentially thermal noise; if the system has enough gain to detect anything, such input can provide reasonably high-quality random bits
  - Disk drives: have small random fluctuations in their rotational speed due to chaotic air turbulence; the addition of low-level disk seek-time instrumentation produces a series of measurements that contain this randomness
- There is also an online service (http://www.random.org/) which can deliver random sequences securely over the Internet.

Table 7.5 Comparison of PRNGs and TRNGs

Skew
- A TRNG may produce an output that is biased in some way, such as having more ones than zeros or vice versa
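To make skew concrete, and to show the hash-based deskewing the chapter goes on to recommend, here is an added example that is not code from the textbook or its author. It constructs a skewed bit source (a seeded simulation standing in for a biased TRNG, 70% ones), measures its bias, and then conditions fixed-size chunks through a hash to produce a balanced output. SHA-256 is used in place of the MD5/SHA-1 the slides mention, and the 0.7 bias, 512-bit chunk size and 128-bit output per chunk are arbitrary choices for the demonstration.

```python
"""Added example: a constructed skewed bit source and a hash-based deskewing step.
SHA-256 stands in for the MD5/SHA-1 the slides mention; the bias, chunk size and
output size are arbitrary demonstration values."""
import hashlib
import random

def biased_source(n_bits: int, p_one: float = 0.7, seed: int = 1) -> list:
    """Stand-in for a TRNG with skew: each bit is 1 with probability p_one."""
    rng = random.Random(seed)  # seeded so the demonstration is repeatable
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]

def bias(bits: list) -> float:
    """Fraction of ones minus 0.5; zero for a perfectly balanced stream."""
    return sum(bits) / len(bits) - 0.5

def pack_bits(bits: list) -> bytes:
    """Pack a bit list MSB-first into bytes (length must be a multiple of 8)."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def unpack_bits(data: bytes) -> list:
    return [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]

def hash_deskew(bits: list, chunk: int = 512, out_bytes: int = 16) -> list:
    """Condition each chunk of raw bits through SHA-256 and keep out_bytes of the digest.
    The chunk must carry more entropy than is taken out of it: 512 bits at a 0.7
    bias hold about 512 * H(0.7) ~= 451 bits, comfortably above the 128 emitted.
    Any partial trailing chunk is discarded rather than hashed short."""
    out = []
    for i in range(0, len(bits) - chunk + 1, chunk):
        digest = hashlib.sha256(pack_bits(bits[i:i + chunk])).digest()
        out.extend(unpack_bits(digest[:out_bytes]))
    return out

def demo(n_raw: int = 51200) -> tuple:
    """Return (raw bias, conditioned bias, raw length, conditioned length)."""
    raw = biased_source(n_raw)
    conditioned = hash_deskew(raw)
    return bias(raw), bias(conditioned), len(raw), len(conditioned)

if __name__ == "__main__":
    raw_bias, out_bias, n_raw, n_out = demo()
    print(f"raw: {n_raw} bits, bias {raw_bias:+.3f}; conditioned: {n_out} bits, bias {out_bias:+.3f}")
```

The raw stream shows a bias near +0.20; the conditioned stream is close to 0 but is only a quarter as long, which is the trade the chapter describes: deskewing removes bias at the cost of output rate, and the hash must never be asked to emit more bits than the chunk's entropy supports.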

Deskewing Algorithms
- Methods of modifying a bit stream to reduce or eliminate the bias
- One approach is to pass the bit stream through a hash function such as MD5 or SHA-1
- RFC 4086 recommends collecting input from multiple hardware sources and then mixing these using a hash function to produce random output
- Operating systems typically provide a built-in mechanism for generating random numbers
- Linux uses four entropy sources: mouse activity, keyboard activity, disk I/O operations, and specific interrupts
- Bits are generated from these four sources and combined in a pooled buffer
- When random bits are needed, the appropriate number of bits are read from the buffer and passed through the SHA-1 hash function

Intel Digital Random Number Generator
- TRNGs have traditionally been used only for key generation and other applications where only a small number of random bits were required
- This is because TRNGs have generally been inefficient, with a low bit rate of random bit production
- The first commercially available TRNG that achieves bit production rates comparable with that of PRNGs is the Intel digital random number generator offered on new multicore chips since May 2012
- It is implemented entirely in hardware
- The entire DRNG is on the same multicore chip as the processors

Intel DRNG Logical Structure (Figure 7.10 is located on page 226 in the textbook)

Summary
- Principles of pseudorandom number generation
  - The use of random numbers
  - TRNGs, PRNGs, and PRFs
  - PRNG requirements
  - Algorithm design
- Pseudorandom number generators
  - Linear congruential generators
  - Blum Blum Shub generator
- Pseudorandom number generation using a block cipher
  - PRNG using block cipher modes of operation
  - ANSI X9.17 PRNG
  - NIST CTR_DRBG
- Stream ciphers
  - RC4
    - Initialization of S
    - Stream generation
    - Strength of RC4
- True random number generators
  - Entropy sources
  - Comparison of PRNGs and TRNGs
  - Skew
  - Intel digital random number generator
    - DRNG hardware architecture
    - DRNG logical structure