DES Analysis and Attacks CSCI 5857: Encoding and Encryption

Outline Confusion and diffusion Attacks and weaknesses –Linear cryptanalysis attacks –Weak keys Exhaustive search attacks –Use of multiple keys –Meet in the middle attacks –Triple DES

Confusion and Diffusion Use of inputs to create round key assures each plaintext bit affects many ciphertext bits Use of shifts and permutations in key generation assures each key bit affects many ciphertext bits

Cryptanalysis Differential Cryptanalysis: Using similar plaintexts to look for patterns in how ciphertext generated Linear Cryptanalysis: Attempting to approximate entire cipher as one big set of linear equations –Finding solutions to set of linear equations well studied in engineering –Possible if all S-boxes linear –n bit key requires n known plaintexts to solve

Linear S-Boxes Linear n x m S-Box can be expressed as linear equation of form: c 1 = a 11 x 1  a 12 x 2  …  a 1n x n c 2 = a 21 x 1  a 22 x 2  …  a 2n x n … c m = a m1 x 1  a m2 x 2  …  a mn x n where x i is ith input bit c i is ith ciphertext bit a ij is either 0 or 1 Each cipherbit character is defined as the XOR of certain input bits

Linear S-Boxes Example of linear 3x3 S-Box: Corresponding linear equations c 1 = x 1  x 2 = 1  x 1  1  x 2  0  x 3 c 2 = x 1  x 2  x 3 = 1  x 1  1  x 2  1  x 3 c 3 = x 2  x 3 = 0  x 1  1  x 2  1  x

Linear Cryptanalysis Example Example: Above S-Box used after XOR stage

Linear Cryptanalysis Example S-Box input bit x i = p i  k i Resulting equations: c 1 = (p 1  k 1 )  (p 2  k 2 ) c 2 = (p 1  k 1 )  (p 2  k 2 )  (p 3  k 3 ) c 3 = (p 2  k 2 )  (p 3  k 3 ) Can now solve for key bits! k 1 = p 1  (c 1  c 2  c 3 ) k 2 = p 1  (c 1  c 2 ) k 3 = p 1  (c 2  c 3 )

Linear Cryptanalysis Possible if cipher uses only linear components –Permutation boxes linear by definition! Shifting from position i to position j is equation c j = 0  p 1  0  p 2  …  1  p i …  0  p n Therefore, S-Boxes must not be linear! –They are the only possible nonlinear component

Cryptanalysis Attacks on DES Linear Cryptanalysis –DES not designed for this attack (invented after DES released –However, DES S-Boxes not linear –2 43 known plaintexts needed to break DES using linear cryptanalysis

Weak Keys Keys that leave plaintext vulnerable in some way –Simple example: k = 26 in Caesar cipher Weak keys in DES produce same round key for multiple rounds –4 keys give same round key every round –8 keys give only 2 distinct round keys –48 keys give only 4 distinct round keys –Odds unlikely (8.8 x ), but should still check randomly generated keys

Exhaustive Search Attacks 56-bit key not computationally secure Parallel processing attacks –Computer with 1 million chips (1998)  key found in 112 hours –Network of 3500 computers (1977)  key found in 120 days 56-bit key not recommended by NIST! “all clones test different keys!”

Multiple Stage DES No way to use larger key in DES –Structure “hardwired” Only solution: multiple stage DES –Different keys used each stage –Output ciphertext of one stage  input plaintext of next stage

Multiple Stage DES Multiple stages with different keys greatly increases number of possible ciphertexts –(2 64 )! possible mappings from 2 64 possible input blocks to 2 64 possible output blocks –Only 2 56 possible keys (tiny fraction of the above) –Extremely unlikely that there exists K 3 such that E(E(P, K 1 ), K 2 ) = E(P, K 3 ) Possible ciphertexts After applying K 1 and K 2 After applying K 1

“Meet In The Middle” Attack Theoretically, two stages should be sufficient –Adversary would have to try all combinations of possible K 1 and K 2 –2 56 x 2 56 = possible combinations of keys Vulnerable to “meet in the middle” attack –Adversary has a known plaintext P and ciphertext C –Works forward encrypting P with all possible K 1 –Works backward decrypting C with all possible K 2 –Stores results and searches for matches

“Meet In The Middle” Attack “I’ll try all K1 and store the results in a table” Table of all possible M created by encrypting P “I’ll try all K2 and store the results in another table” Table of all possible M created by decrypting C “Now I’ll compare the two and look for any matches”

“Meet In The Middle” Attack M’s (and keys K 1 and K 2 that created them) kept in sorted tables –2 56 runs to create each table –56 x 2 56 comparisons to find matches –Match gives plausible values for K 1 and K 2 “Double DES” not computationally secure MK … …01 MK … …00 “These match” “So this might be K1 and K2”

Triple DES Need at least three stages of encryption –“Meet in middle” attack can only take place after at least two stages –Effectively the same as 112 bit key K1K1 K3K3 K2K2 “I can only attack here”

Triple DES With Two Keys Just use K1 twice (in first and last stage) Shorter keys (112 bits instead of 168 bits) Still secure (have to try all K 1 and K 2 to do meet in middle attack) “Still too hard to crack”

Efficiency of DES Fast if burned into hardware –Basic structure corresponds to wiring diagram Slow if executed as software –Basic structure doesn’t fit into registers –Much swapping between RAM/registers required 3DES even slower