Presentation is loading. Please wait.

Presentation is loading. Please wait.

CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie"— Presentation transcript:

1 CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au

2 CNS2010lecture 5 :: attacks on DES2 DES keys Given one plaintext/cyphertext (m,c) pair, there is a very high probability that only one key will satisfy c = DES(m,k) Consider DES as a collection of permutations π (1) … π (2 56 ). If π i are independent permutations then  (m, k) : Pr [  k 1 ≠ k : DES(m, k 1 ) = DES(m, k) ] = 2 56. 2 -64 = 2 -8 = 0.39% Thus given one (m, c) pair the key is uniquely determined. The problem is to find k.

3 CNS2010lecture 5 :: attacks on DES3 attacks on DES Exhaustive key search –For a strong n-bit block cypher with a j-bit key, the key can be recovered on average in 2 j-1 operations given a small number (< (j+4)/n) of plaintext- cyphertext pairs –For DES, j = 56 bits, n = 64 bits so exhaustive search is expected to yield the key in 2 55 operations Cyphertext-only DES key search –Suppose DES is used to encrypt 8 x 8 ASCII characters (=64 bits) per block, with one bit being a parity bit. –Trial decryption yields all 8 parity bits valid with probability 2 -8 and thus for t blocks 2 -8t –Over 2 56 keys, this leads to probability of correct key being 2 -56 / 2 -8t thus only t ~ 10 blocks are enough

4 CNS2010lecture 5 :: attacks on DES4 reducing effort in attacks on DES DES is a Feistel network, thus: DES(  m,  k) =  DES(m, k) This is called the “Complementation Property” So for a CPA: if c 1 = DES(m, k) and c 2 = DES(  m, k) then if DES(m, k 1 ) ≠ c 1 nor  c 2 then k ≠ k 1 nor  k 1 Search space is reduced by half

5 CNS2010lecture 5 :: attacks on DES5 2DES Double encryption with DES (2DES) is bad 2DES k1k2 (m) = E k1 (E k2 (m)) 2DES is vulnerable to “meet in the middle” attack –i.e. for a fixed message, m, create a table: E k (m) for all k є {0,1} 56 Then for c = E k1k2 (m) try all k until D k1 (c) is in the table Thus 2DES can be broken on average in 2 56 operations using 2 56 memory slots (a time-space tradeoff)- not good for 112 bits of key (56 + 56)

6 CNS2010lecture 5 :: attacks on DES6 3DES Two-key Triple DES (3DES): DES three times, two keys (112 bits) 3DES k1k2 (m) = E k1 (D k2 (E k1 (m))) The strength of DES (& 3DES) is that it does not form a group DES k1 (DES k2 (m)) ≠ DES k3 (m) Consider the time-space tradeoff on 2TDES: –for time 2 (56+64) /s and space s, we can recover k 1 and k 2 in 2TDES If s > 2 8 then we can do better than exhaustive search.

7 CNS2010lecture 5 :: attacks on DES7 DESX A modification of DES to avoid exhaustive key search is DESX k 1 = 56 bits (DES key) k 2 = 64 bits (whitening key) k 3 = h(k2, k3) = 64 bits DESX k1k2k3 (m) = k 3  E k1 (m  k 2 ) Whitening key gives greater resilience to brute force attacks Given j plaintext / cyphertext pairs, the effective key size is greater than or equal to |k| + n -1 - log j = 56 + 64 - 1 - log j = 119 - log j ≥ 100 bits

8 CNS2010lecture 5 :: attacks on DES8 DES round functions The function F(x,k i ): {0,1} 32 x {0,1} 48 → {0,1} 32 x (32 bits)k i (48 bits) 48 bits 32 bits P 6 bits x 8 4 bits x 8 s1s1 s8s8 8 x S-boxes (4x16) (substitution) nonlinear confuse P-box (permutation) diffuse expansion b

9 CNS2010lecture 5 :: attacks on DES9 differential cryptanalysis This method is a better-than-brute-force approach to attacking DES with (plaintext, cyphertext) pairs (CPA). Involves looking at the XOR of two texts. We consider any s-box function F(x, k i ) : Define the difference measure (on input) as Δ = b 1  b 2 = (x 1  k i )  (x 2  k i ) = x 1  x 2 The input XOR (b 1  b 2 ) does not depend on the key but the output XOR (e 1  e 2 ) does. S box b 1, b 2 (2x6 bits) e 1, e 2 (2x4 bits)

10 CNS2010lecture 5 :: attacks on DES10 differential cryptanalysis Now define the set Δ(b) consisting of ordered pairs (b 1, b 2 ) having input XOR b: Δ(b) = {(b 1, b 2 ) є {0,1} 6 | b 1  b 2 = b} where | Δ(b) | = 2 6 = 64 Take the example where b = 110100, then if we consider the first S-box the pairs might be Δ(b) = {(000000,110100), (000001,110101), … (111111,001011)}    110100 110100 110100

11 CNS2010lecture 5 :: attacks on DES11 differential cryptanalysis If this is done for all 64 pairs in Δ(b) then the following distribution of output XORs (e 1  e 2 ) is obtained: (e 1  e 2 )0000 0001 0010 0011 … 1111 0 8 16 6 6 Now suppose that (b 1  b 2 ) = 110100 and (e 1  e 2 ) = 0001, then (b 1, b 2 ) must be one of eight possible pairs, hence b 1 is one of 16 possible values. Since x 1 is known (this is a KPA), the 6 bits of the key XORed with x 1 to give b 1 are one of 16 possible values. This procedure is repeated for different Δs to make deductions about the key bits and eventually recover the key.

12 CNS2010lecture 5 :: attacks on DES12 linear cryptanalysis Consider the cyphertext derived by combining certain bits from the plaintext and key: The cypher can easily be broken, for example, if c[1] = p[4]  p[17]  k[5]  k[3] i.e. k[3]  k[5] = c[1]  p[4]  p[17] This is because the cypher is linear. plaintextkey cyphertext

13 CNS2010lecture 5 :: attacks on DES13 linear cryptanalysis If we use the following notation: p[i 1, …, i u ] = p[i 1 ]  p[i 2 ]  …  p[i u ] (the xor bits of the plaintext) Also define ρ = Pr [ p[i 1, …, i u ]  c[j 1, …, j v ] = k [s 1, …, s w ] ] Now if |ρ - 0.5| is large, then we can guess k [s 1, …, s w ] Optimally for a break|ρ - 0.5|= 0.5 (ρ = 0 or 1) (perfect cipher would have ρ = 0.5)

14 CNS2010lecture 5 :: attacks on DES14 algorithm to recover key bits Given R plaintext, cyphertext pairs (R is large): if ρ > 0.5 then k[s 1, …, s w ] = majority{p[i 1, …, i u ]}  c[j 1, …, j v ]} over all plaintext cyphertext pairs if ρ < 0.5 then k[s 1, …, s w ] = minority = 1  majority (*) Fact: if given R ≥ (ρ - 0.5) -2 then the correct value of k[s 1, …, s w ] is obtained with probability > 97.7%

15 CNS2010lecture 5 :: attacks on DES15 linear cryptanalysis of DES In 1993, Matsui made the following observation about DES which approximates the 5th S-box as a linear function: ρ 5 = Pr[ x[4] = S 5 (x)[0,1,2,3] ] = 12/64 = 0.19 (Note x є {0,1} 6 ) For the ith DES round Pr i [r i [15]  F(r i, k i )[7,18,24,29] = k i [22]] = ρ 5 = 0.19 (r i is the ith round right hand part) where the bits have been chosen to undo the permutation.

16 CNS2010lecture 5 :: attacks on DES16 attack on 3 round DES From the first round we can write Pr[r 1 [7,18,24,29] xor l 0 [7,18,24,29] xor r 0 [15] = k 0 [22]] = ρ 5 From the last round we can write Pr[r 1 [7,18,24,29] xor c r [7,18,24,29] xor c l [15] = k 2 [22]] = ρ 5 XORing together gives Pr[l 0 [7,18,24,29] xor c r [7,18,24,29] xor c l [15] xor r 0 [15] = k 0 [22] xor k 2 [22]] = ρ 5. ρ 5 + (1- ρ 5 ) 2 = 0.7 Using the fact (*) we can find k 0 [22] xor k 2 [22] using R = (0.7 - 0.5) -2 = 25 plaintext/cyphertext pairs l0l0 r0r0 r1r1 r2r2 r3r3 l1l1 l2l2 l3l3 left half of plaintextright half of plaintext F(r 0,k 0 ) F(r 1,k 1 ) F(r 2,k 2 ) left half of cyphertextright half of cyphertext

17 CNS2010lecture 5 :: attacks on DES17 DES strengths against attacks Attack Complexity # messages requirements knownchosenstorage processing exhaustive precomputation-12 56 1 (lookup) exhaustive search1- neg. 2 55 linear cryptanalysis2 43 (85%) -for texts 2 43 2 38 (10%) -for texts 2 50 differential cryptanalysis- 2 47 for texts 2 47 2 55 - for texts 2 55

18 CNS2010lecture 5 :: attacks on DES18 advanced encryption standard (AES) NIST Requirements: –Block cypher –128 bit blocks –128/192/256 bit keys –Strength equal to or better than 3DES at greatly improved efficiency smartcard, hardware, software flexibility simplicity and elegance –Royalty-free worldwide –security for over 30 years –may protect sensitive data for over 100 years –public confidence in the cypher

19 CNS2010lecture 5 :: attacks on DES19 AES candidates 15 submissions from international field Some strong candidates: NameTypeRoundsRel. SpeedGates (cycles) Twofish Feistel16125423k Serpent SP-network32180070k Mars Ext. Feistel32160070k cells Rijndael Square10, 12, 141276??? RC6 Feistel201436???

20 CNS2010lecture 5 :: attacks on DES20 AES Rijndael (pronounced “rain-dahl”) announced Oct 2000 Operates on 128 bit blocks Key length is variable: 128, 192 or 256 bits An SP-network Uses a single S-box which acts on a byte input to give a byte output (think of as a 256 byte lookup table): S(x) = M(1/x) + b over the field GF(2 8 ) (M is a matrix, b is a constant) Construction gives tight differential and linear bounds.

21 CNS2010lecture 5 :: attacks on DES21 AES overview Linear transformation arranging 16 bytes of the value being encoded in a square and doing bytewise shuffling and mixing. Step 1: Add Round Key –simply XORs in the subkey for the current round Step 2: Byte-sub –S-box substitution Step 3: Shuffle (ShiftRows) –top row of four bytes in unchanged –second row is shifted one place left –third row is shifted two places left –fourth row is shifted three places left Step 4: Mix Column –four bytes in a column are mixed using a matrix multiplication Result: Change in the input effects all of output in 2 rounds 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

22 CNS2010lecture 5 :: attacks on DES22 AES

23 CNS2010lecture 5 :: attacks on DES23 AES overview Number of rounds variable: –10 for 128-bit keys –12 for 192-bit keys –14 for 256-bit keys Gives 50% margin of safety based on current known attacks –attack for 6 round 128 bit keys –attack for 7 round 192 bit keys –attack for 9 round 256 bit keys –however require enormous amount of texts (certificational) Safety against feasible attacks believed to currently be ~100%

24 CNS2010lecture 5 :: attacks on DES24 references Towards the 128-bit Era: AES Candidates (interest only) http://home.ecn.ab.ca/~jsavard/crypto/co0408.htm Stallings (3 rd Ed) –§4 Handbook of Applied Cryptography –§7.1 - §7.4

Download ppt "CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie"

Similar presentations

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.

Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5

Cryptography and Network Security Chapter 5
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
The Advanced Encryption Standard (AES) Simplified.

The Advanced Encryption Standard (AES) Simplified.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Cryptography and Network Security

Cryptography and Network Security
Cryptography1 CPSC 3730 Cryptography Chapter 3 DES.

Cryptography1 CPSC 3730 Cryptography Chapter 3 DES.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.

Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.

1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.
CS 682 - Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.

CS Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.

Similar presentations

Ads by Google