Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Data Encryption Standard. 2 Outline 4.1 Introduction 4.4 DES 4.5 Modes of Operation 4.6 Breaking DES 4.7 Meet-in-the-Middle Attacks.

Published byDayna Gallagher Modified over 8 years ago

Similar presentations

Presentation on theme: "1 The Data Encryption Standard. 2 Outline 4.1 Introduction 4.4 DES 4.5 Modes of Operation 4.6 Breaking DES 4.7 Meet-in-the-Middle Attacks."— Presentation transcript:

1 1 The Data Encryption Standard

2 2 Outline 4.1 Introduction 4.4 DES 4.5 Modes of Operation 4.6 Breaking DES 4.7 Meet-in-the-Middle Attacks

3 3 4.1 Introduction In 1973, NBS, later to become NIST, issued a public request seeking a crypto algo to become a national standard. In 1974, IBM submitted an algo called LUCIFER. The NBS forwarded it to NSA, which reviewed it and, after some modifications, returned a version that was essentially the DES. In 1975, NBS released DES, as well as a free license for its use. In 1977, NBS made it the official data encryption standard.

4 4 Introduction From 1975 on, there has been controversy surrounding DES. Some regarded the key size as too small. Many were worried about NSA’s involvement. In 1990, Eli Biham and Adi Shamir showed how their method of differential cryptanalysis could be used to attack DES. The DES algo involves 16 rounds; differential cryptanaysis would be more efficient than exhaustively searching all possible keys if the algo used at most 15 rounds.

5 5 Introduction The DES has lasted for a long time, but is becoming outdated. Brute force searches (see Sec 4.6), though expensive, can now break the system. Therefore, NIST replaced it with a new system in the year 2000. The DES is a block cipher; namely, it breaks the plaintext into blocks of 64 bits, and encrypts each block separately.

6 6 4.4 DES Description of DES DES is a special type of iterated cipher called a Feistel cipher. In a Feistel cipher, each state u i is divided into two halves of equal length, say L i and R i. Round function g: g(L i-1, R i-1, K i )=(L i, R i ), where Invertible:

7 7 Overview of DES One round

8 8 DES Initial permutation IP : IP(x)=L 0 R 0 Inverse permutation IP -1 : y=IP -1 (R 16 L 16 ) Note L 16 and R 16 are swapped before IP -1 is applied. Each L i and R i is 32 bits in length. The function takes as input a 32-bit string (the right half of the current state) and a round key. Key schedule (K 1,K 2,…,K 16 ) consists of 48-bit round keys that are derived from the 56-bit key, K.

9 9 DES Suppose we denote the first argument of f function ( Figure A ) by A, and the second argument by J. A is expanded to 48-bit according to a fixed expansion function E. Compute and write the result as concatenation of eight 6-bit strings B=B 1 B 2 B 3 B 4 B 5 B 6 B 7 B 8. The next step uses eight S-boxes (S 1, …,S 8 ), Given a bitstring of length 6, B j =b 1 b 2 b 3 b 4 b 5 b 6. b 1 b 6 determine the row r of S j, and b 2 b 3 b 4 b 5 determine the column c of S j. We compute C j =S j (B j ). The bitstring C=C 1 C 2 C 3 C 4 C 5 C 6 C 7 C 8 is permuted according to the permutation P. Then f ( A, J )= P (C).

10 10 A E(A) J f(A,J) E + B1B1 B2B2 B3B3 B4B4 B5B5 B6B6 B7B7 B8B8 S1S1 S2S2 S3S3 S4S4 S5S5 S6S6 S7S7 S8S8 C1C1 C2C2 C3C3 C4C4 C5C5 C6C6 C7C7 C8C8 P Figure A The DES f function

11 11 S1S1 1441312151183106125907 0157414213110612116538 4114813621115129731050 1512824917511314100613 S2S2 1518146113497213120510 3134715281412011069115 0147111041315812693215 1381013154211671205149 S3S3 1009146315511312711428 1370934610285141211151 1364981530111212510147 1101306987415143115212 S4S4 7131430691012851112415 13811561503147212110149 1069012117131513145284 3150610113894511127214 S-boxes Example B

12 12 S5S5 2 4171011685315130149 11212471315015103986 4211110137815912563014 1181271142136150910453 S6S6 1211015926801334147511 1015427129561131401138 9141552812370410113116 4321295151011141760813 S7S7 4112141508133129751061 1301174911014351221586 1411131237141015680592 6111381410795015142312 S8S8 1328461511110931450127 1151381037412561101492 7114191214206101315358 2114741081315129035611 S-boxes

13 13 DES Example B: We show how to compute an output of S-box S 1 with input 101000. b 1 b 6 =10 which is 2 b 2 b 3 b 4 b 5 =0100 which is 4 Output is row 2 and column 4 of S 1. Note: rows are numbered 0,1,2,3 and columns are 0,1,2, … 15 So the output is 13 which is 1101 in binary.

14 14 DES The expansion function E is specified by the following table: If A=(a 1,a 2, …,a 32 ) then E (A)=(a 32,a 1,a 2,a 3,a 4,a 5,a 4, …,a 31,a 32,a 1 ). E bit-selection table 3212345 456789 8910111213 121314151617 161718192021 202122232425 242526272829 28293031321

15 15 DES The permutation P is as follows: If C=(c 1,c 2, …,c 32 ) then P (C)=(c 16,c 7,c 20,c 21,c 29, …,c 11,c 4,c 25 ). P 1672021 29122817 1152326 5183110 282414 322739 1913306 2211425

16 16 DES Key scheduling:

17 17 DES

18 18 4.5 Modes of Operation Four modes of operation for DES: Electronic codebook mode ( ECB mode) Cipher feedback mode ( CFB mode) Cipher block chaining mode ( CBC mode) Output feedback mode ( OFB mode) ECB mode corresponds to the naive use of a block cipher: x 1,x 2, … of 64-bit plaintext blocks, encrypted with the same key K, producing a string of ciphertext blocks, y 1,y 2, …

19 19 Modes of Operation CBC mode: initialization vector IV and y 0 =IV IV=y 0 + x1x1 eKeK y1y1 + x2x2 eKeK y2y2 encrypt IV=y 0 + y1y1 dKdK x1x1 + y2y2 dKdK x2x2 decrypt Figure 3.9 CBC mode

20 20 Modes of Operation OFB mode: a synchronous stream cipher (cf. section 1.1.7) z 0 =IV, then keystream z 1 z 2 … encryption: IV=z 0 eKeK + x1x1 y1y1 eKeK + x2x2 y2y2 encrypt IV=z 0 eKeK + y1y1 x1x1 eKeK + y2y2 x2x2 decrypt

21 21 Modes of Operation CFB mode: y 0 =IV keystream: encryption: IV=y 0 eKeK + x1x1 y1y1 eKeK + x2x2 y2y2 encrypt IV=y 0 eKeK + y1y1 x1x1 eKeK + y2y2 x2x2 decrypt Figure 3.10 CFB mode

22 22 Modes of Operation Some properties: In ECB and OFB modes, changing one 64-bit plaintext block, x i, causes the corresponding ciphertext block, y i, to be altered, but other ciphertext blocks are not affected. It is useful in some cases, like communicating on an unreliable channel. In CBC and CFB modes, if a plaintext block x i is changed, then y i and all subsequent ciphertext blocks will be affected. These modes can be used to produce a message authentication code ( MAC ).

23 23 4.6 Breaking DES The S-boxes, being the non-linear components of the cryptosystem, are vital to its security. DES was to make differential cryptanalysis infeasible. Differential cryptanalysis was known to IBM when they design DES, but it was kept secret for almost 20 years until Biham and Shamir invented the technique in the early 1990 ’ s. The most pertinent criticism of DES is that the size of the keyspace, 2 56, is too small.

24 24 Breaking DES Many people try to design a special purpose machine to do exhaustive key search. Eg: “ DES Cracker ” contained 1536 chips and could search 88 billion keys per second. It won RSA Laboratory ’ s “ DES Challenge II-2 ” by successfully finding a DES key in 56 hours.

25 25 Breaking DES Other than exhaustive key search, differential cryptanalysis and linear cryptanalysis are the most important attacks. (linear attack is more efficient) In 1994, Matsui implemented the attack by using 2 43 plaintext-ciphertext pairs with the same key. It took 40 days to generate the pairs and 10 days to find the key. DES is still secure theoretically due to the extremely large number of pairs required. An adversary is impossible to collect that amount of pairs.

26 26 Breaking DES There are two main approaches to achieving increased security. 1. Use DES multiple times – Triple DES 2. Find a new system that employs a larger key size than 56 bits – AES (Rijndael) The idea behind multiple DES schemes: 1. Double DES encrypts the plaintext by first encrypting with one key and then encrypting again using a different key.(one might guess that Double DES should double the keyspace to 2 112. However, this in not true! See Sec 4.7)

27 27 Breaking DES 2. Triple DES (a level of security eq. to a 112-bit key) There are two ways Triple DES can be implemented: (1) Choose three keys, K 1, K 2, K 3 and perform E K1 (E K2 (E K3 (m))). (2) Choose two keys, K 1 and K 2, and perform E K1 (D K2 (E K1 (m)) Both versions of Triple DES are resistant to meet-in-the-middle attacks. However, there are other attacks on (2).

28 28 4.7 Meet-in-the-Middle Attacks Starting with plaintext message m, the ciphertext is c=E k2 (E k1 (m)). To decrypt, simply compute m=D k1 (D k2 (c)). Eve will need to discover both k1 and k2 to decrypt their messages. Does this provide greater security? No

29 29 4.7 Meet-in-the-Middle Attacks Assume Eve has intercepted a message m and a doubly encrypted ciphertext c=E k2 (E k1 (m)). She wants to find k 1 and k 2. She first computes and stores E k (m) for all possible keys k. She then computes D k (c) for all possible keys k. Finally, she compares the two lists. If there are several matches, she then takes another plaintext-ciphertext pair and do further test …

Download ppt "1 The Data Encryption Standard. 2 Outline 4.1 Introduction 4.4 DES 4.5 Modes of Operation 4.6 Breaking DES 4.7 Meet-in-the-Middle Attacks."

Similar presentations

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.

The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.
From Crypto-Theory to Crypto-Practice 1 CHAPTER 14: From Crypto-Theory to Crypto-Practice SHIFT REGISTERS The first practical approach to ONE-TIME PAD.

From Crypto-Theory to Crypto-Practice 1 CHAPTER 14: From Crypto-Theory to Crypto-Practice SHIFT REGISTERS The first practical approach to ONE-TIME PAD.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.2 Secret Key Cryptography.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.2 Secret Key Cryptography.
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
The Advanced Encryption Standard (AES) Simplified.

The Advanced Encryption Standard (AES) Simplified.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 3 DES.

Cryptography1 CPSC 3730 Cryptography Chapter 3 DES.
DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.

DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.

Similar presentations

Ads by Google