Data Encryption Standard (DES)
INCS 741: Cryptography
Dr. Monther Aldwairi, New York Institute of Technology - Amman Campus
10/18/2010
10/18/2009 Dr. Monther Aldwairi
Block Ciphers 10/4/2009 Dr. Monther Aldwairi
Block Ciphers
Stream ciphers process messages a bit, byte or character at a time when encrypting/decrypting, e.g. the Caesar cipher and the Vigenère cipher.
Block ciphers process messages in blocks: a block is encrypted/decrypted like a substitution on a very big character, 64 bits or more.
Hill cipher: block size 2 characters (in its simplest form).
DES: block size 64 bits.
Ideal Block Cipher
Shannon Properties of a Good Cryptosystem
Diffusion: each plaintext digit affects the values of many ciphertext digits, and vice versa, so that the statistics of the plaintext are dissipated over the ciphertext. Achieved by permuting the data and then applying a function to it, so that several plaintext digits influence each ciphertext digit: permutation (P-box).
Confusion: the key does not relate in a simple way to the ciphertext, so ciphertext statistics cannot give the key up. Achieved by a complex substitution algorithm: substitution (S-box).
Feistel Cipher
Virtually all conventional block encryption algorithms have the structure described by Horst Feistel of IBM in 1973:
partition the input block into two halves;
process them through multiple rounds;
each round performs a substitution on the left half, based on a round function of the right half and a subkey, and then a permutation that swaps the halves.
This implements Shannon's S-P network concept.
Feistel Cipher Structure
Feistel Cipher Design Elements
Block size: a larger block improves security but slows the cipher.
Key size: a larger key makes exhaustive key search harder but may slow the cipher.
Number of rounds: more rounds improve security but slow the cipher.
Subkey generation algorithm: greater complexity can make cryptanalysis harder but slows the cipher.
Round function: greater complexity can make analysis harder but slows the cipher.
Fast software encryption/decryption: a concern for practical use.
Ease of analysis: easier validation and testing of strength.
Feistel Cipher Decryption
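The Feistel structure and its decryption, as an added Python example (not code from the lecture): a 64-bit, 16-round Feistel network. The round function and the key schedule are stand-ins built from SHA-256 (assumptions of this example, not DES's E/S-box/P or PC-1/PC-2). What it demonstrates is exactly what the slides state: decryption is the same routine fed the subkeys in reverse order, the round function F is never inverted (here it cannot be, being a truncated hash), and diffusion only appears once rounds are applied.

```python
"""Generic Feistel network with a deliberately non-invertible round function.

Added example, not code from the lecture. round_function and toy_key_schedule
are stand-ins (assumptions), not the DES mangler function or PC-1/PC-2.
"""
import hashlib

HALF_BITS = 32
HALF_MASK = (1 << HALF_BITS) - 1
BLOCK_MASK = (1 << 2 * HALF_BITS) - 1


def round_function(right: int, subkey: int) -> int:
    """Stand-in F: keyed hash of the 32-bit right half, truncated to 32 bits.
    Truncated SHA-256 is not invertible, which is the point: a Feistel
    network never needs F^-1, only F."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")  # 48-bit subkey, as in DES
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_key_schedule(key: int, rounds: int = 16) -> list:
    """Stand-in key schedule: derive `rounds` 48-bit subkeys from a 64-bit key."""
    return [int.from_bytes(hashlib.sha256(key.to_bytes(8, "big") + bytes([i])).digest()[:6], "big")
            for i in range(rounds)]


def feistel(block: int, subkeys) -> int:
    """Run the rounds: L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i).
    The output is R_n || L_n (halves swapped once more), which DES also does
    after round 16; that extra swap is what makes the same routine, fed the
    subkeys in reverse order, its own inverse."""
    left = (block >> HALF_BITS) & HALF_MASK
    right = block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left


def encrypt(block: int, key: int, rounds: int = 16) -> int:
    return feistel(block & BLOCK_MASK, toy_key_schedule(key, rounds))


def decrypt(block: int, key: int, rounds: int = 16) -> int:
    # Decryption = encryption with K_n ... K_1; no inverse of F is needed.
    return feistel(block & BLOCK_MASK, list(reversed(toy_key_schedule(key, rounds))))


def avalanche_bits(block: int, key: int, flip_bit: int, rounds: int = 16) -> int:
    """How many ciphertext bits change when one plaintext bit is flipped.
    With rounds=0 only the swap happens, so exactly one output bit moves."""
    c1 = encrypt(block, key, rounds)
    c2 = encrypt(block ^ (1 << flip_bit), key, rounds)
    return bin(c1 ^ c2).count("1")


if __name__ == "__main__":
    key, msg = 0x0123456789ABCDEF, 0x675A69675E5A6B5A  # constructed demo values
    ct = encrypt(msg, key)
    assert decrypt(ct, key) == msg
    print(f"ct = {ct:016x}; output bits changed by a 1-bit input flip: {avalanche_bits(msg, key, 3)}")
```

Because F is a hash, the "cipher" has no S-box structure to analyse; it exists only to show the network, not to be secure.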
Data Encryption Standard (DES)
Data Encryption Standard (DES)
The most widely used block cipher of its era, adopted in 1977 by NBS (now NIST) as FIPS PUB 46.
The plaintext is processed in 64-bit blocks; the key is 56 bits long.
Controversy over its security: the choice of a 56-bit key (vs. 128 bits in Lucifer), and the fact that DES itself was public while its design criteria (the S-boxes) were classified.
Subsequent events and public analysis showed that the design was in fact appropriate; the S-boxes turned out to resist differential cryptanalysis, which was not publicly known until 1990.
Use of DES flourished in financial applications; it remains in legacy applications and as the building block of Triple DES, but FIPS 46-3 was withdrawn by NIST in 2005 because a 56-bit key can be found by brute force.
DES Overview - Encryption
Figure: the 56-bit key is expanded into 16 per-round 48-bit keys K1..K16. The 64-bit input passes through the Initial Permutation, then rounds 1 to 16 (round i uses Ki), then the left and right halves are swapped, then the Final Permutation.
DES Overview - Decryption
Figure: the same structure as encryption, with the per-round keys applied in reverse order: round 1 uses K16 and round 16 uses K1.
DES Encryption
Initial Permutation IP
IP reorders the 64 input data bits. Arrange the bits into an 8 × 8 table; the output is formed by reading the even-numbered columns (2, 4, 6, 8) and then the odd-numbered columns (1, 3, 5, 7), each from bottom to top, so the first output bit is input bit 58.
IP (and its inverse at the end) adds no cryptographic strength; it is a legacy of how 1970s hardware loaded data.
Example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
A DES Round
Figure: the 64-bit input is split into 32-bit halves Ln and Rn. The mangler function F(Rn, Kn) is XORed into Ln; Rn becomes Ln+1 and the XOR result becomes Rn+1, giving the 64-bit output.
DES Round Details
Uses two 32-bit halves L and R; as for any Feistel cipher, a round can be described as:
Li = Ri-1
Ri = Li-1 xor F(Ri-1, Ki)
F takes the 32-bit R half and the 48-bit subkey:
expands R to 48 bits using the expansion permutation E;
XORs with the subkey: E(R) xor K gives 48 bits, which are split into 8 blocks of 6 bits each;
substitutes the blocks using the 8 S-boxes to get a 32-bit result (each S-box has 4 rows and 16 columns; the first and last bits of the 6-bit input select the row, the remaining 4 bits select the column);
finally permutes the 32 bits using the permutation P.
The S-boxes provide confusion; E and P spread the S-box outputs across the block (diffusion).
The Mangler Function
Figure: the 32-bit R is expanded to 48 bits, XORed with Kn, fed as eight 6-bit groups to S1..S8, and the eight 4-bit outputs are concatenated and passed through the permutation P.
Calculation of F(R, K)
Substitution Boxes
DES has eight S-boxes, each mapping 6 bits to 4 bits.
Each S-box is actually 4 little 4-bit boxes: the outer bits 1 and 6 (row bits) select one of the 4 rows; the inner bits 2-5 (column bits) are substituted.
The result is 8 lots of 4 bits, i.e. 32 bits.
Row selection depends on both data and key, a feature known as autoclaving (autokeying).
Example: S( d ) = 5fd25e03
DES Subkey Generation
To form the subkeys used in each round:
an initial permutation of the key (PC-1) selects 56 bits (the 8 parity bits are dropped) in two 28-bit halves;
16 stages, each consisting of: rotating each half separately left by 1 or 2 places, according to the key rotation schedule; then selecting 24 bits from each half and permuting them by PC-2 into the 48-bit subkey Ki used in the round function F.
Practical note: in hardware the schedule is cheap to run on the fly; in software the 16 subkeys are normally computed once per key and cached.
DES Example
Generating the Per-Round Keys
Figure: the 56-bit key (after the initial permutation PC-1) is split into C0 and D0; each round rotates C and D left to give Ci and Di, and a permutation with discard (PC-2) selects the left half of Ki from Ci and the right half of Ki from Di, giving the 48-bit K1, and so on. (Figure credit: CPE 542 Network Security, Summer 2007.)
Process the Key
Get a 64-bit key from the user.
Every 8th bit (bits 8, 16, ..., 64, the least significant bit of each byte) is a parity bit. For a key to have correct parity, each byte must contain an odd number of "1" bits.
The parity bits are discarded, reducing the key to 56 bits.
Key Schedule
Calculate the key schedule. Permuted Choice 1 (PC-1): split the permuted key (56 bits) into two halves; the first 28 bits are called C0 and the last 28 bits are called D0.
PC-1
The first round key is computed as follows:
PC-1(K) =
C0 =
D0 =
Calculate Subkeys
Calculate the 16 subkeys. Perform one or two circular left shifts on both Ci-1 and Di-1 to get Ci and Di, respectively. The number of shifts per iteration is given in the table below (the totals add up to 28, so C16 = C0 and D16 = D0).
Round #:     1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Left shifts: 1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1
PC-2
Calculate the key schedule. Permuted Choice 2 (PC-2): a contraction of the 56-bit Ci||Di to the 48-bit round key Ki.
Loop back to the subkey calculation step until K16 has been calculated.
PC-2
The first round key is computed as follows:
PC-1(K) =
C1 = 1<<C0 = 1<<( ) =
D1 = 1<<D0 = 1<<( ) =
PC-2(C1||D1) = PC-2( )
SK1 =
DES Example
Process Data Block
Initial Permutation (IP) on the 64-bit data block.
Round i
Split the permuted block into two halves: the first 32 bits are L0 and the last 32 bits are R0.
Apply the 16 subkeys to the data block in turn, starting with SK1:
expand the 32-bit Ri-1 (R0 in round 1) into 48 bits according to the expansion permutation E;
exclusive-or E(Ri-1) with SKi.
Round i / S-Boxes
Eight S-boxes that accept 6-bit inputs and produce 4-bit outputs.
Break E(Ri-1) xor SKi into eight 6-bit blocks: bits 1-6 are B1, bits 7-12 are B2, and so on, with bits 43-48 being B8.
Take the 1st and 6th bits of Bj together as a 2-bit value indicating the row in Sj.
Take the 2nd through 5th bits of Bj together as a 4-bit value indicating the column in Sj; the entry at that row and column is the substitution.
S-Boxes
Figures: the tables for S1 through S8.
Permutation (P)
Permute the concatenation of the S-box outputs S1(B1) through S8(B8) (32 bits) with P.
Exclusive-or the resulting value with Li-1. Thus, all together, Ri = Li-1 xor P(S1(B1)...S8(B8)), where Bj is a 6-bit block of E(Ri-1) xor SKi. The function for Ri is more concisely written as Ri = Li-1 xor f(Ri-1, Ki), with Li = Ri-1.
Inverse Initial Permutation IP-1
Loop back to the expansion permutation E step until SK16 has been applied.
Perform the final permutation (IP-1) on the block R16L16 (note the halves are swapped: R16 comes first).
DES Example: round 1 of a 16-round example
Round key =
L1 =
R1 =
Apply E:
Xor K1: ⊕ = 100000||100000||000000||010000||000000||000000||000000||000010
S-box outputs for the eight 6-bit groups above (row from bits 1 and 6, column from bits 2-5 of the standard tables):
S-Box S1: 0100
S-Box S2: 0000
S-Box S3: 1010
S-Box S4: 0001
S-Box S5: 0010
S-Box S6: 1100
S-Box S7: 0100
S-Box S8: 0010
P-Box: 10010000 00010010 10000001 10001100
Xor L1: ⊕ =
R1||L1 = ||
DES Decryption
Decryption must unwind the steps of the data computation. With the Feistel design, run the encryption steps again using the subkeys in reverse order (SK16 ... SK1):
IP undoes the final FP step of encryption;
the 1st round with SK16 undoes the 16th encryption round, ..., the 16th round with SK1 undoes the 1st encryption round;
then the final FP undoes the initial encryption IP, thus recovering the original data value.
Avalanche Effect
A key desirable property of an encryption algorithm: a change of one input or key bit changes approximately half of the output bits, making attempts to "home in" on the key by guessing infeasible.
DES exhibits strong avalanche: a single-bit change is spread over the whole block within a few rounds.
Strength of DES – Key Size
56-bit keys have 2^56 ≈ 7.2 × 10^16 values; brute-force search looks hard.
Recent advances have shown it is possible: in 1997 on the Internet in a few months (the DESCHALL effort); in 1998 on dedicated hardware (the EFF "Deep Crack" machine) in a few days; in 1999 the two combined in 22 hours.
The attacker must still be able to recognize the plaintext (a known format, redundancy, or a known plaintext/ciphertext pair).
Today a full 56-bit search is within reach of a modest FPGA or GPU cluster, so alternatives to DES must be used.
Average time required for exhaustive key search (half the key space, at 10^6 decryptions per µs)
Key size 32 bits: 2^32 = 4.3 × 10^9 keys, 2.15 milliseconds
Key size 56 bits: 2^56 = 7.2 × 10^16 keys, 10 hours
Key size 128 bits: 2^128 = 3.4 × 10^38 keys, 5.4 × 10^18 years
Key size 168 bits: 2^168 = 3.7 × 10^50 keys, 5.9 × 10^30 years
Taken from Henric Johnson's slides.
Strength of DES – Analytic Attacks
There are now several analytic attacks on DES. These exploit some deep structure of the cipher: by gathering information about encryptions they can eventually recover some or all of the subkey bits, and if necessary exhaustively search for the rest. Generally these are statistical attacks:
differential cryptanalysis
linear cryptanalysis
related-key attacks
Differential Cryptanalysis
Published by Murphy and by Biham & Shamir in 1990; a powerful method to analyze block ciphers, since used on most block ciphers with varying degrees of success. DES is reasonably resistant to it (its S-boxes were designed with this attack in mind, although that was not public at the time).
A statistical attack against Feistel ciphers that uses cipher structure not previously used: the design of S-P networks has the output of function f influenced by both input and key, hence one cannot trace values back through the cipher without knowing the key. Differential cryptanalysis instead compares pairs of related encryptions and tracks the difference between them.
Differential Cryptanalysis
Have some input difference giving some output difference with probability p. If one finds instances of some higher-probability input/output difference pairs occurring, one can infer the subkey that was used in that round; the process must then be iterated over many rounds (with decreasing probabilities).
The overall strategy is based on these considerations for a single round. The procedure is to begin with two plaintext messages m and m' with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the ciphertext. Submit m and m' for encryption to determine the actual difference under the unknown key and compare the result to the probable difference. If there is a match, suspect that all the probable patterns at all the intermediate rounds are correct; with that assumption, deductions can be made about the key bits. This procedure must be repeated many times to determine all the key bits.
Compares Pairs of Encryptions
With a known difference in the input, searching for a known difference in the output, when the same subkeys are used.
Differential Cryptanalysis
Stallings Figure 3.7 illustrates the propagation of differences through three rounds of DES. The probabilities shown on the right refer to the probability that a given set of intermediate differences will appear as a function of the input differences. Overall, after three rounds the probability that the output difference is as shown is 0.25 × 1 × 0.25 = 0.0625. Since the output difference is the same as the input difference, this 3-round pattern can be iterated over a larger number of rounds, with the probabilities multiplying to become successively smaller.
Differential Cryptanalysis
Perform the attack by repeatedly encrypting plaintext pairs with a known input XOR until the desired output XOR is obtained. When found: if the intermediate rounds match the required XOR, it is a right pair; if not, a wrong pair. The ratio of right to wrong pairs is the signal-to-noise (S/N) ratio of the attack. From the pairs one can deduce key values for the rounds: right pairs suggest the same key bits, wrong pairs give random values.
For large numbers of rounds the probability is so low that more pairs are required than exist with 64-bit inputs. Biham and Shamir showed how a 13-round iterated characteristic can break the full 16-round DES. See [BIHA93] for detailed descriptions.
The attack on full DES requires an effort on the order of 2^47 encryptions, with 2^47 chosen plaintexts to be encrypted and a considerable amount of analysis; in practice exhaustive search is still easier, even though up to 2^55 encryptions on average are required for it.
Linear Cryptanalysis
Another, more recent development; also a statistical method that must be iterated over rounds, with decreasing probabilities. Developed by Matsui et al. in the early 1990s, it is based on finding linear approximations to describe the transformations performed in DES.
It can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext than chosen plaintext, it still leaves linear cryptanalysis infeasible as a practical attack on DES. Again, this attack uses structure not seen before. Matsui carried the 2^43 attack out experimentally in 1994, so the approach is validated; the data requirement is what keeps it impractical against a real target.
Linear Cryptanalysis
Find linear approximations with probability p ≠ 1/2:
P[i1, i2, ..., ia] ⊕ C[j1, j2, ..., jb] = K[k1, k2, ..., kc]
where ia, jb, kc are bit locations in P, C, K and P[i1, ..., ia] denotes the XOR of those bits. This gives a linear equation for key bits: one key bit (the XOR of the selected key bits) is obtained using a maximum-likelihood algorithm over a large number of trial encryptions. The effectiveness is given by the bias |p - 1/2|; the number of plaintexts needed grows roughly as 1/|p - 1/2|^2.
The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability p ≠ 0.5, as shown. Once a proposed relation is determined, compute the left-hand side of the equation for a large number of plaintext-ciphertext pairs in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of information about them. This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined. See [MATS93] for details.
Triple DES
Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt):
C = Ek3[ Dk2[ Ek1[P] ] ]
C = ciphertext, P = plaintext, Ek[X] = encryption of X using key K, Dk[Y] = decryption of Y using key K.
Nominal key length of 168 bits; the effective strength is about 112 bits because of the meet-in-the-middle attack. The decryption in the middle is what lets 3DES with K1 = K2 = K3 interoperate with single DES.
Caveats: the two-key variant (K1 = K3) offers only about 80 bits of security against known attacks; the 64-bit block makes any 3DES mode vulnerable to birthday-bound attacks after about 2^32 blocks under one key (Sweet32); NIST deprecated 3DES in 2017 and disallows it for encryption after 2023.
Other Symmetric Block Ciphers
International Data Encryption Algorithm (IDEA): 128-bit key; used in PGP.
Blowfish: easy to implement; high execution speed; runs in less than 5K of memory.
Other Symmetric Block Ciphers
RC5: suitable for hardware and software; fast and simple; adaptable to processors of different word lengths; variable number of rounds; variable-length key; low memory requirement; high security for its time; data-dependent rotations.
CAST-128: key size from 40 to 128 bits; the round function differs from round to round.
Modes of Operation
Block ciphers encrypt fixed-size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key. In practice we need a way to encrypt an arbitrary amount of information.
Four standard modes were defined for DES (FIPS PUB 81); these were later extended to five (NIST SP 800-38A), and they can be used with other block ciphers such as 3DES and AES.
DES (or any block cipher) forms a basic building block which encrypts/decrypts a fixed-size block of data. To use it in practice we usually need to handle arbitrary amounts of data, which may be available in advance (in which case a block mode is appropriate) or may only be available a bit or byte at a time (in which case a stream mode is used).
Electronic Codebook (ECB)
The message is broken into independent blocks which are encrypted. Each block is a value which is substituted, like a codebook, hence the name; each block is encrypted independently of the other blocks:
Ci = DESK1(Pi)
Uses: secure transmission of single values.
ECB is the simplest of the modes: each block is encrypted/decrypted independently of all the other blocks, and it is used when only a single block of information needs to be sent (e.g. a session key encrypted under a master key).
Electronic Codebook (ECB)
Stallings Fig 3-11.
Advantages and Limitations of ECB
Repetitions in the message may show in the ciphertext if they are aligned with the message blocks; with messages that change very little this becomes a codebook analysis problem.
The weakness is due to the encrypted message blocks being independent: an attacker can also reorder, duplicate or delete blocks without affecting the decryption of the others.
Main use is sending a few blocks of data. ECB is not appropriate for any quantity of data, since repetitions can be seen, especially with graphics, and because blocks can be shuffled or inserted without affecting the encryption/decryption of each block.
Cipher Block Chaining (CBC)
The message is broken into blocks, but these are linked together in the encryption operation: each previous ciphertext block is chained with the current plaintext block, hence the name. An Initialization Vector (IV) starts the process:
Ci = DESK1(Pi XOR Ci-1), C-1 = IV
Uses: bulk data encryption; authentication (as CBC-MAC, under a separate key).
To overcome the problems of repetitions and order independence in ECB, we want some way of making the ciphertext dependent on all blocks before it. This is what CBC gives: combine the previous ciphertext block with the current message block before encrypting. The IV need not be secret, but it must be unpredictable to an attacker who can influence the plaintext (NIST SP 800-38A): the fixed or all-zero IVs found in older descriptions make identical message prefixes encrypt to identical ciphertext prefixes. CBC mode is applicable whenever large amounts of data need to be sent securely, provided they are available in advance (e.g. files, FTP, web).
Cipher Block Modes of Operation
Cipher Block Chaining Mode (CBC): the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block. Repeating patterns of 64 bits are not exposed.
Advantages and Limitations of CBC
Each ciphertext block depends on all message blocks before it, so a change in the message affects all ciphertext blocks after the change as well as the original block.
Needs an IV known to sender and receiver. If the IV is sent in the clear, an attacker can flip bits of the first plaintext block by flipping the corresponding IV bits; more generally, flipping a bit of Ci-1 flips the same bit of Pi (and garbles Pi-1). CBC therefore gives no integrity protection on its own: the IV and ciphertext must be covered by a MAC, or an authenticated mode used. Keeping the IV fixed or sending it ECB-encrypted, as older texts suggested, does not solve this.
CBC is the generally used block mode. The chaining provides an avalanche effect, which means the encrypted message cannot be changed or rearranged without destroying the subsequent data.
One issue is how to handle the last block, which may well not be complete. In general this block has to be padded, and the padding must be recognised at the other end: it may be obvious (e.g. in text the 0 value should usually not occur), or otherwise the last byte explicitly holds a count of how much padding was used (including the count byte itself). Note that if this is done and the message is an exact multiple of 8 bytes, an extra block consisting entirely of padding has to be added so that a count is present in the last byte. The receiver must also not reveal whether the padding was valid (for instance through a distinguishable error or timing), or the padding check becomes an oracle that lets an attacker decrypt the message block by block.
Cipher Feedback (CFB)
The message is treated as a stream of bits, added to the output of the block cipher; the result is fed back for the next stage (hence the name). The standard allows any number of bits (1, 8 or 64 or whatever) to be fed back, denoted CFB-1, CFB-8, CFB-64, etc.; it is most efficient to use all 64 bits (CFB-64).
Ci = Pi XOR DESK1(Ci-1), C-1 = IV
Uses: stream data encryption, authentication.
If the data is only available a bit or byte at a time (e.g. a terminal session, sensor values), some other approach to encrypting it is needed so as not to delay the information. The idea is to use the block cipher essentially as a pseudo-random number generator (see the stream cipher lecture later) and to combine these "random" bits with the message. As mentioned before, XOR is an easily inverted operator (just XOR with the same thing again to undo). Again start with an IV to get things going, then use the ciphertext as the next input. As originally defined, the idea was to "consume" as much of the "random" output as needed for each message unit (bit/byte) before "bumping" bits out of the buffer and re-encrypting. This is wasteful though, and slows the encryption down as more encryptions are needed. An alternative way to think of it is to generate a block of "random" bits, consume them as message bits/bytes arrive, and only when they are used up feed a full block of ciphertext back. This is CFB-64 mode, the most efficient. It is the usual choice for quantities of stream-oriented data, and for authentication use.
Cipher Feedback (CFB)
Stallings Fig 3-13.
Advantages and Limitations of CFB
Appropriate when data arrives in bits/bytes; the most common stream mode.
Limitation: need to stall while doing a block encryption after every n bits.
Errors propagate: a corrupted ciphertext bit garbles the corresponding plaintext bit and the whole of the next block (the corrupted block is the cipher input for the next block); after that the mode resynchronises by itself.
CFB is the usual stream mode. As long as one can keep up with the input, an encryption is done every 8 bytes. A possible problem is that if it is used over a "noisy" link, any corrupted bit will destroy values in the current and next blocks. So either use it over a reliable network transport layer (pretty usual) or use OFB.
Output Feedback (OFB)
The message is treated as a stream of bits; the output of the cipher is added to the message, and that output (not the ciphertext) is fed back (hence the name). The feedback is independent of the message, so it can be computed in advance.
Ci = Pi XOR Oi, Oi = DESK1(Oi-1), O-1 = IV
The alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted. The advantages are that they can be computed in advance, which is good for bursty traffic, and that any bit error affects only a single bit. Thus this is good for noisy links (e.g. satellite TV transmissions).
Output Feedback (OFB)
Stallings Fig 3-14.
Advantages and Limitations of OFB
Used when error propagation is a problem, or where encryptions are needed before the message is available.
Superficially similar to CFB, but the feedback is from the output of the cipher and is independent of the message.
Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs.
Originally specified with m-bit feedback in the standards; subsequent research has shown that only full-block feedback (OFB-64 for DES) should ever be used, since shorter feedback gives a keystream with a much shorter expected cycle.
Because the "random" bits are independent of the message, an IV must never be used more than once under the same key: otherwise the two ciphertexts can be XORed, cancelling the keystream and leaving a "book" cipher of the two plaintexts to solve. Also, as noted, only full-block feedback, i.e. OFB-64 mode, should be used.
Counter (CTR)
A "new" mode, though proposed early on (by Diffie and Hellman in 1979). Similar to OFB but encrypts a counter value rather than any feedback value; must have a different counter value for every plaintext block encrypted under a key (never reused).
Ci = Pi XOR Oi, Oi = DESK1(i)
Uses: high-speed network encryption.
Counter (CTR)
Stallings Fig 3-15.
Advantages and Limitations of CTR
Efficiency: encryptions can be done in parallel, and the keystream can be precomputed.
Random access to encrypted data blocks: block i needs only E(i).
Provable security (as good as the other modes).
But must ensure key/counter values are never reused, otherwise the keystream repeats and the mode breaks (cf. OFB); with a 64-bit block cipher such as DES the keystream also starts to leak after about 2^32 blocks under one key, so keys must be rotated well before that.
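The ECB, CBC and CTR modes above, the count-byte padding discussed under CBC, and the two misuse cases the slides warn about (repeated blocks visible under ECB; keystream reuse under OFB/CTR), as one added Python example that is not code from the lecture. The 64-bit block cipher here is a stand-in keyed permutation (multiply, rotate, XOR) so the code runs without a DES library; it is not DES and not secure. The 16-byte key, the 4-byte nonce plus 4-byte counter layout for CTR, and the padding scheme are assumptions of this example.

```python
"""ECB, CBC and CTR over a 64-bit block cipher, with padding and misuse checks.

Added example, not code from the lecture. encrypt_block/decrypt_block form a
stand-in keyed permutation (assumption: demo primitive only, NOT DES, NOT
secure); everything else is the mode logic itself.
"""
import os

BLOCK = 8                                  # 64-bit blocks, as in DES
MASK64 = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15                   # odd, hence invertible modulo 2**64
MUL_INV = pow(MUL, -1, 1 << 64)            # Python 3.8+


def _rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64


def _rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed permutation E_K on one 8-byte block (16-byte key assumed)."""
    k1, k2 = int.from_bytes(key[:8], "big"), int.from_bytes(key[8:16], "big")
    x = int.from_bytes(block, "big") ^ k1
    x = _rotl((x * MUL) & MASK64, 23) ^ k2
    return x.to_bytes(BLOCK, "big")


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block; needed by ECB and CBC, never by CTR."""
    k1, k2 = int.from_bytes(key[:8], "big"), int.from_bytes(key[8:16], "big")
    x = _rotr(int.from_bytes(block, "big") ^ k2, 23)
    x = ((x * MUL_INV) & MASK64) ^ k1
    return x.to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))          # truncates to the shorter input


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(data: bytes) -> bytes:
    """Append n bytes of value n (1..8); a block-aligned message gets a full padding block."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")   # real code: never let an attacker observe this outcome
    return data[:-n]


def ecb_encrypt(key, pt):      # C_i = E_K(P_i): equal plaintext blocks give equal ciphertext blocks
    return b"".join(encrypt_block(key, b) for b in blocks(pad(pt)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ct)))


def cbc_encrypt(key, iv, pt):  # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in blocks(pad(pt)):
        prev = encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):  # P_i = D_K(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def ctr_crypt(key, nonce, data, first_block=0):
    """C_i = P_i xor E_K(nonce || i). Same function both ways, no padding;
    first_block gives random access (decrypt only block 2, say)."""
    out = bytearray()
    for j, chunk in enumerate(blocks(data), first_block):
        out += xor(chunk, encrypt_block(key, nonce + j.to_bytes(4, "big")))
    return bytes(out)


def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one: the ECB leak."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key, iv, nonce = os.urandom(16), os.urandom(8), os.urandom(4)   # fresh IV/nonce per message
    pt = b"ATTACK AT DAWN. " * 4                                     # constructed: repeating 16-byte pattern
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, pt)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, pt)))
    ct = ctr_crypt(key, nonce, pt)
    print("CTR block 2 alone:", ctr_crypt(key, nonce, ct[16:24], first_block=2))
```

The nonce-reuse check in the test below is the OFB/CTR failure the slides describe: with one keystream used twice, XORing the two ciphertexts cancels it and leaves the XOR of the two plaintexts.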