NET 311 Information Security Networks and Communication Department Lec3 : Block Ciphers and the Data Encryption Standard (DES)

lecture contents: Simple Modern Ciphers Block and Stream Ciphers XOR Cipher Rotation Cipher S-boxes and P-boxes Data Encryption Standard (DES) 9-Nov-18 Networks and Communication Department

Symmetric Key Cryptography Asymmetric Key Cryptography Traditional ciphers Simple Modern ciphers Round Modern ciphers DES Triple DES AES XOR Cipher Substitution Ciphers Transposition Cipher Shift (Ceasar) Mono alphabetic Polyalphabetic Rotation Cipher S-box P-box 9-Nov-18 Networks and Communication Department

Simple Modern Ciphers Vs Traditional Ciphers The traditional ciphers are character-oriented; however, Simple Modern Ciphers are bit-oriented. Bit-oriented ciphers are needed because: Information to be encrypted is not just text, it can be graphics, audio, and video data. It provides more security. Modern ciphers is made up of simple ciphers.

Block vs Stream Ciphers block ciphers process messages in blocks, each of which is then en/decrypted like a substitution on very big characters 64-bits or more stream ciphers process messages a bit or byte at a time when en/decrypting many current ciphers are block ciphers better analysed broader range of applications Block ciphers work a on block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a “stream”. Block ciphers are currently better analysed, and seem to have a broader range of applications, hence focus on them. facts about stream ciphers vs. block ciphers: 1. In practice, in particular for encrypting computer communication on the Internet, block ciphers are used more often than stream ciphers. 2. Because stream ciphers tend to be small and fast, they are particularly relevant for applications with little computational resources, e.g., for cell phones or other small embedded devices. A prominent example for a stream cipher is the A5/1 cipher, which is part of the GSM mobile phone standard and is used for voice encryption. However, stream ciphers are sometimes also used for encrypting Internet traffic, especially the stream cipher RC4. 3. Traditionally, it was assumed that stream ciphers tended to encrypt more effi- ciently than block ciphers. Efficient for software-optimized stream ciphers means that they need fewer processor instructions (or processor cycles) to encrypt one bit of plaintext. For hardware-optimized stream ciphers, efficient means they need fewer gates (or smaller chip area) than a block cipher for encrypting at the same data rate. However, modern block ciphers such as AES are also very efficient in software. Moreover, for hardware, there are also highly efficient block ciphers, such as PRESENT, which are as efficient as very compact stream ciphers.

Block vs Stream Ciphers A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two users share a symmetric encryption key (Figure b). A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. In the ideal case, a one-time pad version of the Vernam cipher would be used (Figure 2.7), in which the keystream (k ) is as long as the plaintext bit stream (p). Accordingly, for practical reasons, the bit-stream generator must be implemented as an algorithmic procedure, so that the cryptographic bit stream can be produced by both users. In this approach , the bit-stream generator is a key-controlled algorithm and must produce a bit stream that is cryptographically strong.Now, the two users need only share the generating key, and each can produce the keystream.

XOR Cipher An XOR operation needs two data inputs: plaintext and a key. The size of the plaintext, key, and ciphertext are the same. XOR ciphers have a very interesting property: the encryption and decryption are the same.

XOR cipher Example: Block: 01101010 XOR Key: 10101100  11000110  11000110 9-Nov-18 Networks and Communication Department

Example: So far, stream ciphers look unbelievably easy: One simply takes the plaintext, performs an XOR operation with the key and obtains the ciphertext. On the receiving side, Bob does the same. The “only” thing left to discuss is the last question from above. - Encryption by Alice turns the uppercase A into the lower case letter m. - Oscar, the attacker who eavesdrops on the channel, only sees the ciphertext letter m. - ----- Decryption by Bob with the same key stream reproduces the plaintext A again. 9-Nov-18 Networks and Communication Department

Rotation Cipher In rotation cipher, the input bits are rotated to the left or right. The rotation cipher can be considered a special case of the transpositional cipher using bits instead of characters

After 1 rotation to the left: 1 1 0 1 0 (1st rotation) Example: 0 1 1 0 1 After 1 rotation to the left: 1 1 0 1 0 (1st rotation) After ….. rotations to the left: 1 0 1 0 1 (2nd rotation) 0 1 0 1 1 (3rd rotation) 1 0 1 1 0 (4th rotation) 0 1 1 0 1 (5th rotation) 9-Nov-18 Networks and Communication Department

NOTES in Rotation Cipher If the length of the original stream is N, after N rotation, we get the original message. The decryption algorithm for the rotation cipher uses the same key and the opposite rotation direction.

Substitution Cipher: S-box The S-box is normally keyless. The function that matches the input to the output is defined either mathematically or by a table.

S-BOXES Simple example: Input : 1010 (4bits) Output: 10 (2bits) *00* *01* *10* *11* 0**0 01 00 11 10 0**1 1**0 1**1 9-Nov-18 Networks and Communication Department

Permutation Cipher: P-box

Straight permutation example: 1 2 3 Plaintext : 010 Ciphertext: 001 9-Nov-18 Networks and Communication Department

Expansion permutation example: 1 2 3 1 2 3 4 Plaintext: 001 Ciphertext: 0101 9-Nov-18 Networks and Communication Department

Compression permutation example: 1 2 3 4 1 2 3 Plaintext: 1100 Ciphertext: 001 9-Nov-18 Networks and Communication Department

Modern Round Ciphers The ciphers of today are called round ciphers because they involve multiple rounds. Each round is a complex cipher made up of simple ciphers. The key used in each round is a subset or variation of the general key called the round key.

Modern Round Ciphers There are three modern symmetric key ciphers: Data Encryption Standard (DES). Triple DES. Advanced Encryption Standard (AES).

overview: 9-Nov-18 Networks and Communication Department

Data Encryption Standard (DES)

DES IP(M) Initial permutation The initial permutation and its inverse are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits. IP(M)

DES Example: Find the output of the initial permutation if the input was: 0000 0080 0000 0002

The input has only two 1s (bit 25 and 63). Convert Hex to binary: 0000  0000 0000 0000 0000 0080  0000 0000 1000 0000 0002  0000 0000 0000 0010 The input has only two 1s (bit 25 and 63). Based on the previous permutation table, bit 25 becomes bit 37 and bit 63 becomes 57 of the permutation. 9-Nov-18 Networks and Communication Department

DES M IP(M) Bit 37 Bit 57

The result of the permutation is : Therefore, IP(M): 0000 0000 0000 0000 0000 1000 0000 0000 0000 0000 1000 0000 The result of the permutation is : 0000 0000 0800 0080 9-Nov-18 Networks and Communication Department

Data Encryption Standard (DES) Inputs: the plaintext must be 64 bits in the lenght and the key is 56 bits (8 bits can be used as parity bits). The bits of m are permuted by a fixed initial permutation to obtain m0= IP(m). M0 = L0 R0 32 bits 32 bits 2. For i=1:16 Do Li= Ri-1 Ri= Li-1 XOR f(Ri-1, ki) Ki: string of 48 bits obtained from the key k 3. Switch left and right then apply the inverse of the initial permutation.

DES Round Structure uses two 32-bit L & R halves as for any Feistel cipher can describe as: Li = Ri–1 Ri = Li–1  F(Ri–1, Ki) F takes 32-bit R half and 48-bit subkey: expands R to 48-bits using perm E adds to subkey using XOR passes through 8 S-boxes to get 32-bit result finally permutes using 32-bit perm P We now review the internal structure of the DES round function F, which takes R half & subkey, and processes them. The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits (Table 3.2c). The resulting 48 bits are XORed with Ki This 48-bit result passes through a substitution function that produces a 32-bit output, which is permuted as defined by Table 3.2d. This follows the classic structure for a feistel cipher. Note that the s-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”.

The round takes LI−1 and RI−1 from previous round (or the initial permutation box) and creates LI and RI, which go to the next round (or final permutation box). we can assume that each round has two cipher elements (mixer and swapper). Each of these elements is invertible. The swapper is obviously invertible. It swaps the left half of the text with the right half. The mixer is invertible because of the XOR operation. All noninvertible elements are collected inside the function f (RI−1, KI).

One round in DES ciphers -1 -1 -1 -1 f (Ri-1 ,Ki) f (Ri-1 ,Ki)

DES Function: The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits (RI−1) to produce a 32-bit output. This function is made up of four sections: an expansion D-box, a whitener (that adds key), a group of S-boxes, and a straight D-box as shown in Fig. 6.5. Expansion D-box: Since RI−1 is a 32-bit input and KI is a 48-bit key, we first need to expand RI−1 to 48 bits. RI−1 is divided into 8 4-bit sections. Each 4-bit section is then expanded to 6 bits. This expansion permutation follows a predetermined rule. For each section, input bits 1, 2, 3, and 4 are copied to output bits 2, 3, 4, and 5, respectively. Output bit 1 comes from bit 4 of the previous section; output bit 6 comes from bit 1 of the next section. If sections 1 and 8 can be considered adjacent sections, the same rule applies to bits 1 and 32. Fig. 6.6 shows the input and output in the expansion permutation.

The 48-bit data from the second operation is divided into eight 6-bit chunks, and each chunk is fed into a box. The result of each box is a 4-bit chunk; when these are combined the result is a 32-bit text. The substitution in each box follows a pre-determined rule based on a 4-row by 16-column table. The combination of bits 1 and 6 of the input defines one of four rows; the combination of bits 2 through 5 defines one of the sixteen columns as shown in Fig. 6.8. 9-Nov-18 Networks and Communication Department

Key Generation : The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key . However, the cipher key is normally given as a 64-bit key in which 8 extra bits are the parity bits, which are dropped before the actual key-generation process, as shown in Fig. 6.10. Parity Drop The preprocess before key expansion is a compression transposition step that we call parity bit drop. It drops the parity bits (bits 8, 16, 24, 32, …, 64) from the 64-bit key and permutes the rest of the bits.

Confusion and Diffusion cipher needs to completely obscure statistical properties of original message a one-time pad does this combining S & P elements to obtain: diffusion – dissipates statistical structure of plaintext over bulk of ciphertext confusion – makes relationship between ciphertext and key as complex as possible The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system. Shannon's concern was to thwart cryptanalysis based on statistical analysis. Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.

Strength of DES – Key Size 56-bit keys have 256 = 7.2 x 1016 values brute force search looks hard recent advances have shown is possible in 1997 on Internet in a few months in 1998 on dedicated h/w (EFF) in a few days in 1999 above combined in 22hrs! still must be able to recognize plaintext must now consider alternatives to DES Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES in two areas: key size and the nature of the algorithm. With a key length of 56 bits, there are 256 possible keys, which is approximately 7.2*1016 keys. Thus a brute-force attack appeared impractical. However DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98]. There have been other demonstrated breaks of the DES using both large networks of computers & dedicated h/w, including: - 1997 on a large network of computers in a few months - 1998 on dedicated h/w (EFF) in a few days - 1999 above combined in 22hrs! It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly must now consider alternatives to DES, the most important of which are AES and triple DES.

Triple DES Algorithm: - Encrypt with DES using key1 - Decrypt with DES using key2 - Encrypt with DES using key3 Triple DES has a considerably longer key (3*56=168) 2^168 alternative key 9-Nov-18 Networks and Communication Department

AES It has been tested and proved to be very good Can work with keys consisting of 128 or 192 or 256 bits Used till now. 9-Nov-18 Networks and Communication Department

References Cryptography and Network Security: Principles and practice’, William Stallings Fifth edition, 2011. C. Paar, J. Pelzl, Understanding Cryptography, 29 DOI 10.1007/978-3-642-04101-3 2, c Springer- Verlag Berlin Heidelberg 2010 9-Nov-18 Networks and Communication Department