Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 5: DES Use and Analysis Background just got here last week

Published byたつぞう すずがみね Modified over 5 years ago

Similar presentations

Presentation on theme: "Lecture 5: DES Use and Analysis Background just got here last week"— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans
Lecture 5: DES Use and Analysis Background just got here last week finished degree at MIT week before Philosophy of advising students don’t come to grad school to implement someone else’s idea can get paid more to do that in industry learn to be a researcher important part of that is deciding what problems and ideas are worth spending time on grad students should have their own project looking for students who can come up with their own ideas for research will take good students interested in things I’m interested in – systems, programming languages & compilers, security rest of talk – give you a flavor of the kinds of things I am interested in meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on CS588: Security and Privacy University of Virginia Computer Science David Evans

2 University of Virginia CS 588
Menu Today’s manifest: on line only DES Review Modes of Operation 3DES DES Attacks Return PS1 12 Sept 2001 University of Virginia CS 588

3 University of Virginia CS 588
DES Structure Plaintext Initial Permutation L0 = left half of plaintext R0 = right half of plaintext Li = Ri - 1 Ri = Li - 1  F (Ri - 1, Ki ) C = Rn || Ln n is number of rounds (undo last permutation) L0 R0 K1 Substitution F 16x Round Permutation L1 R1 12 Sept 2001 University of Virginia CS 588

4 University of Virginia CS 588
DES’s F 32 bits Expand and Permute (using E table) 48 bits Kn Substitute (using S boxes) 32 bits Permutation 12 Sept 2001 University of Virginia CS 588

5 Expansion/Permutation
… 1 32 bits 48 bits … 0 12 Sept 2001 University of Virginia CS 588

6 S-Boxes 48 bits 000000 1110 000010 0100 000011 1111 111111 1101 7 more different S-boxes for bits 7-48  5-32 32 bits Nothing secret about the S-Boxes (but they are confusing) 12 Sept 2001 University of Virginia CS 588

7 University of Virginia CS 588
Modes of Operation 12 Sept 2001 University of Virginia CS 588

8 University of Virginia CS 588
Modes of Operation Transmitting a long plaintext using DES: P = P1 || P2 || ... || PN Electronic Codebook Mode: C = EK (P1) || EK (P2) || ... || EK (PN) Problems: Any identical blocks encrypted identically 64 bits = 8 ASCII characters Lots of ciphertext encrypted with same K 12 Sept 2001 University of Virginia CS 588

9 University of Virginia CS 588
Cipher Block Chaining P1 P2 IV ... DES DES K K C1 C2 to receiver to receiver 12 Sept 2001 University of Virginia CS 588

10 University of Virginia CS 588
Cipher Block Chaining Ci = EK (Pi  Ci - 1) C1 = EK (P1  IV) Decrypt: Mi = DK (Ci )  Ci - 1 M1 = DK (C1 )  IV DK (EK (Pi  Ci - 1))  Ci – 1 = Pi  Ci - 1  Ci – 1 = Pi 12 Sept 2001 University of Virginia CS 588

11 University of Virginia CS 588
Cipher Feedback Mode shift j bits IV DES DES ... K K j bits j bits C1 C2 to receiver to receiver P1 P2 12 Sept 2001 University of Virginia CS 588

12 University of Virginia CS 588
Output Feedback Mode shift j bits IV ... DES DES K K j bits j bits C1 C2 to receiver to receiver P1 P2 12 Sept 2001 University of Virginia CS 588

13 Cipher/Output Feedback
1-bit transmission error Active eavesdropper Performance 12 Sept 2001 University of Virginia CS 588

14 University of Virginia CS 588
Multiple Encryption 12 Sept 2001 University of Virginia CS 588

15 University of Virginia CS 588
Multiple Encryption C = EK2 (EK1 (P)) Does it double the key space? Monoalphabetic cipher Ci = K2[K1[Pi]] = K3[Pi] for some K3 12 Sept 2001 University of Virginia CS 588

16 University of Virginia CS 588
Double-Vigenère C = EK2 (EK1 (P)) Vigenère: Ci = (Pi + Ki mod N) mod Z Ci = ((Pi + K1i mod N1 mod Z) + K2i mod N2) mod Z = (Pi + K1i mod N1 + K2i mod N2 ) mod Z if N1 = N2: = (Pi + K3i mod N) mod Z (K3 = K1 + K2) what if N1  N2? 12 Sept 2001 University of Virginia CS 588

17 University of Virginia CS 588
Double-Vigenère K1 = "BOND" K2 = "JAMES" BONDBONDBONDBONDBONDBONDBOND + JAMESJAMESJAMESJAMESJAMESJAM = KOZHTXNPFGWDNSFMBARVKOZHTXNP Effective key length: LCM (N1, N2) = 20 12 Sept 2001 University of Virginia CS 588

18 University of Virginia CS 588
Double DES C = EK2 (EK1 (P)) Is there a K3 such that C = EK3 (P)? There are 256 keys, and 264! mappings If DES is good, keys map randomly to mappings. Probability that a randomly chosen mapping corresponds to a DES key: 256 / 264! << 1 / 263! Effective key size of Double DES? = 256 * 256 = 2112 WRONG! 12 Sept 2001 University of Virginia CS 588

19 Known Plaintext Attack
D try all possible keys YK1 YK2 YK256 P E try all possible keys XK1 XK2 XK256 One XKi = YKj means K1 = Ki and K2 = Kj 12 Sept 2001 University of Virginia CS 588

20 Meet-in-the-Middle Attack
C = EK2 (EK1 (P)) X = EK1 (P) = DK2 (C) Brute force attack (given one P/C pair): calculate EK1 (P) for all keys (256 work) calculate DK2 (C) for all keys (256 work) the match gives the keys Total work = 2 * 256 = 257 12 Sept 2001 University of Virginia CS 588

21 University of Virginia CS 588
2-Key Triple DES C = EK1 (DK2 (EK1 (P))) Why DK2 not EK2? Backwards compatibility with DES If K1 = K2: C = EK1 (DK1 (EK1 (P))) = EK1 (P) Actual key size = bits = 112 bits Meet-in-the-middle? X = EK1 (P) = DK1 (EK2 (C)) 256 need to try 2112 12 Sept 2001 University of Virginia CS 588

22 How secure is Triple-DES
Brute force search: 2112 keys Best DES attack: 245 B keys/second  6.7 * 1014 years (compared to 22 hours) 1011 years = total lifetime of universe (closed universe theory) Best known attack - reduces to 2120-log2n n = number of known P-C pairs n = 264, work is 256 Realistic? 12 Sept 2001 University of Virginia CS 588

23 University of Virginia CS 588
3-Key Triple DES C = EK3 (DK2 (EK1 (P))) H(K) = 168 Used by PGP, S/MIME How much work to brute-force? Meet-in-the-middle: X = DK3 (C) = DK2 (EK1 (P)) 12 Sept 2001 University of Virginia CS 588

24 University of Virginia CS 588
DES Attacks Last time: brute force Best result: 22 hours But no where near good enough for 3DES Differential Cryptanalysis Power Cryptanalysis 12 Sept 2001 University of Virginia CS 588

25 Differential Cryptanalysis
[Biham & Shamir, 1990] Choose plaintext pairs with fixed difference:  X = X  X’ Use differences in resulting ciphertext to guess key probabilities With enough work (247) and enough chosen plaintexts (247) can find key (compared to 256 brute force work) Takes 3 years of 1.5Mbps encrypting chosen plaintext! 12 Sept 2001 University of Virginia CS 588

26 University of Virginia CS 588
One Round X X’ X = X  X’ Xi = 0 iff Xi = Xi’ 32 bits 32 bits E/P E/P X1 48 bits X1’ 48 bits E/P preserves values: Xi = 0  X1ep(i) = X1ep(i)’ where ep(i) is a function defined by the E table Kn X2 X2’ S S X3 32 bits X3’ 32 bits preserves values: X2i = X1i  Kn X2i’ = X1i’  Kn  Xi = 0  X2ep(i) = X2ep(i)’ P P X4 X4’ 12 Sept 2001 University of Virginia CS 588

27 One Round, cont. Xi = 0  X2ep(i) = X2ep(i)’
S S Xi = 0  X2ep(i) = X2ep(i)’ X3i = X3i’  X4p(i) = X4p(i)’ X3 X3’ P P X4 X4’ (Known from ciphertext) S-boxes are non-linear! Xi = 0  X3s(ep(i)) = X3s(ep(i))’ But, maybe they do probabilistically: Xi = 0  p(X3s(ep(i)) = X3s(ep(i))’) > .5 ? p(X3s(ep(i)) = X3s(ep(i))’) < .5 ? Its a function of the key: p determined experimentally. 12 Sept 2001 University of Virginia CS 588

28 University of Virginia CS 588
S-box: S1 6 bits: x1x2x3x4x5x6 x2x3x4x5 select column 1 2 3 4 5 6 7 8 9 A B C D E F x1x6 00 01 10 11 4 inputs to S1 produce 0: , , , 12 Sept 2001 University of Virginia CS 588

29 Partial pair XOR Distribution, S1
Output XOR 1 2 3 4 5 6 7 8 9 A B C D E F 64 10 12 ... 3F Input XOR 12 Sept 2001 University of Virginia CS 588

30 S-box: S1 1 2 3 4 5 6 7 8 9 A B C D E F 00 Difference in last input bit difference in output bits 0101 = 0100 (1 XOR 5 = 1) = 1110 (B XOR 5 = E) 01 10 11 12 Sept 2001 University of Virginia CS 588

31 Differential Cryptanalysis
Propagate experimental probabilities for 1 round through 16 rounds After enough P-C pairs, one key becomes most probable Difficulty depends heavily on S-Box choices First published in 1990, but NSA knew about it in 1973! 12 Sept 2001 University of Virginia CS 588

32 Differential Cryptanalysis
“Successful” on DES up to 15 rounds (better than exhaustive search) By 16th round, characteristics probabilities are 2-56 Very successful on DES variants (breaks GDES with 6 chosen plaintexts) Very successful on FEAL (FEAL-4, FEAL-8, FEAL-N, FEAL-NX, ...) 12 Sept 2001 University of Virginia CS 588

33 University of Virginia CS 588
Current (mA) 3.75 3.50 3.25 Time (mS) 12 Sept 2001 University of Virginia CS 588

34 DES Power Consumption 16 DES Rounds
Detail: Round Round 3 From Microprocessors use different amount of power depending on what they are doing! 12 Sept 2001 University of Virginia CS 588

35 Power Analysis Scenario
Attacker has physical device that encrypts and decrypts using a secret key Is this realistic? Smart Cards (Mondex) 12 Sept 2001 University of Virginia CS 588

36 Side Channel Cryptanalysis
Regular Cryptanalysis: mathematical Attacker sees inputs, outputs Side Channel Cryptanalysis Attacker sees something else: power consumption, encryption/decryption time, radiation, etc. Depends on implementation of algorithm 12 Sept 2001 University of Virginia CS 588

37 Measuring Power Consumption
Add a resistor between power source and device, measure voltage across resistor I = V/R Can sample at over 1GHz with < 1% error 12 Sept 2001 University of Virginia CS 588

38 University of Virginia CS 588
Power Use Reveals Key Current for a left shift depends on leftmost bit: if 1, need to set rightmost bit after DES key schedule uses shifts, can tell bits in key! Current for XOR may depend on number of switches 12 Sept 2001 University of Virginia CS 588

39 University of Virginia CS 588
Defenses Reduce signal Physical shielding, microprocessor design (make all shifts use same power, etc.) Introduce random noise Change execution order, do random computation, etc. Design cryptosystems with DPA in mind Nonlinear key updates between transactions 12 Sept 2001 University of Virginia CS 588

40 University of Virginia CS 588
Charge Continue thinking about project ideas Each project group should send me or talk to me by next week about what you are considering Next time: modern block ciphers Read AES papers before next class 12 Sept 2001 University of Virginia CS 588

Download ppt "Lecture 5: DES Use and Analysis Background just got here last week"

Similar presentations

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
CS 682 - Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.

CS Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.

CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
CSE 651: Introduction to Network Security

CSE 651: Introduction to Network Security
Chapter 12 Cryptography (slides edited by Erin Chambers)

Chapter 12 Cryptography (slides edited by Erin Chambers)
History and Background Part 1: Basic Concepts and Monoalphabetic Substitution CSCI 5857: Encoding and Encryption.

History and Background Part 1: Basic Concepts and Monoalphabetic Substitution CSCI 5857: Encoding and Encryption.
The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.

The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.
Chapter 20 Symmetric Encryption and Message Confidentiality.

Chapter 20 Symmetric Encryption and Message Confidentiality.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 6: Striving for Confusion Structures.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 6: Striving for Confusion Structures.
A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.

A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Data Encryption Standard (DES)

Data Encryption Standard (DES)

Similar presentations

Ads by Google