15-04.html

Wiley - Applied Cryptography, Protocols, Algorthms, and Source Code in C

			<option value="/reference/dir.productivityapplications1.html">Prod Apps
			<option value="/reference/dir.programminglanguages.html">Programming
			<option value="/reference/dir.security1.html">Security	
			<!-- <option value="/reference/dir.ewtraining1.html">Training Guides -->
			<option value="/reference/dir.userinterfaces.html">UI
			<option value="/reference/dir.webservices.html">Web Services
			<option value="/reference/dir.webmasterskills1.html">Webmaster
			<option value="/reference/dir.y2k1.html">Y2K
			<option value="">-----------
			<option value="/reference/whatsnew.html">New Titles
			<option value="">-----------
			<option value="/reference/dir.archive1.html">Free Archive		
			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Applied Cryptography, Second Edition: Protocols,  Algorthms, and Source Code in C (cloth)</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Bruce Schneier
<BR>
ISBN: 0471128457
<BR>
Publication Date: 01/01/96
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">

<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">

<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE="">&nbsp;<input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471128457/">

</form>


<!-- Empty Reference Subhead -->

<!--ISBN=0471128457//-->
<!--TITLE=APPLIED CRYPTOGRAPHY, SECOND EDITION: Protocols, Algorithms, and Source Code in C//-->
<!--AUTHOR=Bruce Schneier//-->
<!--PUBLISHER=Wiley Computer Publishing//-->
<!--CHAPTER=15//-->
<!--PAGES=363-366//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="15-03.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="15-05.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H3><A NAME="Heading5"></A><FONT COLOR="#000077">15.4 Other Multiple Encryption Schemes</FONT></H3>
<P>The problem with two-key triple encryption is that it only doubles the size of the keyspace, but it requires three encryptions per block of plaintext. Wouldn&#146;t it be nice to find some clever way of combining two encryptions that would double the size of the keyspace?
</P>
<P><FONT SIZE="+1"><B><I>Double OFB/Counter</I></B></FONT></P>
<P>This method uses a block algorithm to generate two keystreams, which are then used to encrypt the plaintext.
</P>
<DL>
<DD><I>S</I><SUB>i</SUB> = <I>E</I><SUB>K1</SUB>(<I>S</I><SUB>i - 1</SUB> &#8853; <I>I</I><SUB>1</SUB>); <I>I</I><SUB>1</SUB> = <I>I</I><SUB>1</SUB> &#43; 1
<DD><I>T</I><SUB>i</SUB> = <I>E</I><SUB>K2</SUB>(<I>T</I><SUB>i - 1</SUB> &#8853; <I>I</I><SUB>2</SUB>); <I>I</I><SUB>2</SUB> = <I>I</I><SUB>2</SUB> &#43; 1
<DD><I>C</I><SUB>i</SUB> = <I>P</I><SUB>i</SUB> &#8853; <I>S</I><SUB>i</SUB> &#8853; <I>T</I><SUB>i</SUB>
</DL>
<I><P><A NAME="Fig3"></A><A HREF="javascript:displayWindow('images/15-03.jpg',269,212 )"><IMG SRC="images/15-03t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/15-03.jpg',269,212)"><FONT COLOR="#000077"><B>Figure 15.3</B></FONT></A>&nbsp;&nbsp;Doubling the block length.</I>
</P>
<P><I>S</I><SUB>i</SUB> and <I>T</I><SUB>i</SUB> are internal variables, and <I>I</I><SUB>1</SUB> and <I>I</I><SUB>2</SUB> are counters. Two copies of the block algorithm run in a kind of hybrid OFB/counter mode, and the plaintext, <I>S</I><SUB>i</SUB>, and <I>T</I><SUB>i</SUB> are XORed together. The two keys, <I>K</I><SUB>1</SUB> and <I>K</I><SUB>2</SUB>, are independent. I know of no cryptanalysis of this variant.</P>
<P><FONT SIZE="+1"><B><I>ECB &#43; OFB</I></B></FONT></P>
<P>This method was designed for encrypting multiple messages of a fixed length, for example, disk blocks [186,188]. Use two keys: <I>K</I><SUB>1</SUB> and <I>K</I><SUB>2</SUB>. First, use the algorithm and <I>K</I><SUB>1</SUB> to generate a mask of the required block length. This mask will be used repeatedly to encrypt messages with the same keys. Then, XOR the plaintext message with the mask. Finally, encrypt the XORed plaintext with the algorithm and K2 in ECB mode.</P>
<P>This mode has not been analyzed outside the paper in which it was proposed. Clearly it is at least as strong as a single ECB encryption and may be as strong as two passes with the algorithm. Possibly, a cryptanalyst could search for the two keys independently, if several known plaintext files are encrypted with the same key.</P>
<P>To thwart analysis of identical blocks in the same positions of different messages, you can add an IV. Unlike an IV in any other mode, here the IV is XORed with every block of the message before ECB encryption.</P>
<P>Matt Blaze designed this mode for his UNIX Cryptographic File System (CFS). It is a nice mode because the latency is only one encryption in ECB mode; the mask can be generated once and stored. In CFS, DES is the block algorithm.</P>
<P><FONT SIZE="+1"><B><I>xDESi</I></B></FONT></P>
<P>In [1644,1645], DES is used as a building block for a series of block algorithms with both larger key sizes and larger block sizes. These constructions do not depend on DES in any way and can be used with any block algorithm.
</P>
<P>The first, xDES<SUP>1</SUP>, is simply a Luby-Rackoff construction with the block cipher as the underlying function (see Section 14.11). The block size is twice the size of the underlying block cipher and the key size is three times the size of the underlying block cipher. In each of 3 rounds, encrypt the right half with the block algorithm and one of the keys, XOR the result with the left half, and swap the two halves.</P>
<P>This is faster than conventional triple encryption, since three encryptions encrypt a block twice as large as the underlying algorithm. But there is also a simple meet-in-the-middle attack that finds the key with a table the size of 2<SUP><I>k</I></SUP>, where k is the key size of the underlying algorithm. Encrypt the right half of a plaintext block with all possible values of <I>K</I><SUB>1</SUB>, XOR the left half of the plaintext, and store these values in a table. Then, encrypt the right half of the ciphertext with all possible values of <I>K</I><SUB>3</SUB> and look for a match in the table. If you find one, the key pair <I>K</I><SUB>1</SUB> and <I>K</I><SUB>3</SUB> are possible candidates for the right key. Repeat the attack a few times, and only one candidate will remain. This shows that xDES<SUP>1</SUP> is not an ideal solution. Even worse, there is a chosen plaintext attack that proves xDES<SUP>1</SUP> is not much stronger than the underlying block cipher [858].</P>
<P>xDES<SUP>2</SUP> extends this idea to a 5-round algorithm with a block size 4 times that of the underlying block cipher and a key size 10 times that of the underlying block cipher. Figure 15.4 is one round of xDES<SUP>2</SUP>; each of the four sub-blocks are the size of the underlying block ciphers and all 10 keys are independent.</P>
<P>This scheme is also faster than triple encryption: Ten encryptions are used to encrypt a block four times the size of the underlying block cipher. However, it is vulnerable to differential cryptanalysis [858] and should not be used. The scheme is even vulnerable if DES with independent round keys is used.</P>
<I><P><A NAME="Fig4"></A><A HREF="javascript:displayWindow('images/15-04.jpg',223,119 )"><IMG SRC="images/15-04t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/15-04.jpg',223,119)"><FONT COLOR="#000077"><B>Figure 15.4</B></FONT></A>&nbsp;&nbsp;One round of xDES<SUP>2</SUP>.</I>
</P>
<P>For <I>i</I> &#8805; 3, xDES<SUP><I>i</I></SUP> is probably too big to be useful as a block algorithm. For example, the block size for xDES<SUP>3</SUP> is 6 times that of the underlying cipher, the key size is 21 times, and 21 encryptions are required to encrypt a block 6 times that of the underlying block cipher. Triple encryption is faster.</P>
<P><FONT SIZE="+1"><B><I>Quintuple Encryption</I></B></FONT></P>
<P>If triple encryption isn&#146;t secure enough&#151;perhaps you need to encrypt triple-encryption keys using an even stronger algorithm&#151;then higher multiples might be in order. Quintuple encryption is very strong against meet-in-the-middle attacks. (Similar arguments to the ones used with double encryption can show that quadruple encryption provides minimal security improvements over triple encryption.)
</P>
<DL>
<DD><I>C</I> = <I>E</I><SUB>K1</SUB>(<I>D</I><SUB>K2</SUB>(<I>E</I><SUB>K3</SUB>(<I>D</I><SUB>K2</SUB>(<I>E</I><SUB>K1</SUB>(<I>P</I>)))))
<DD><I>P</I> = <I>D</I><SUB>K1</SUB>(<I>E</I><SUB>K2</SUB>(<I>D</I><SUB>K3</SUB>(<I>E</I><SUB>K2</SUB>(<I>D</I><SUB>K1</SUB>(<I>C</I>)))))
</DL>
<P>This construction is backwards compatible with triple encryption if <I>K</I><SUB>2</SUB> = <I>K</I><SUB>3</SUB>, and is backwards compatible with single encryption if <I>K</I><SUB>1</SUB> = <I>K</I><SUB>2</SUB> = <I>K</I><SUB>3</SUB>. Of course, it would be even stronger if all five keys were independent.</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="15-03.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="15-05.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>

[an error occurred while processing this directive]
<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
<!-- END SUB FOOTER -->

<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a>&nbsp;|&nbsp; <a href="/contactus.html"><font color="#006666">Contact Us</font></a>&nbsp;|&nbsp; <a href="/aboutus.html"><font color="#006666">About Us</font></a>&nbsp;|&nbsp; <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> &nbsp;|&nbsp; <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> &nbsp;|&nbsp; <a href="/"><font color="#006666">Home</font></a></b>
		<br><br>
		
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permision of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->