data encryption standard (des) dr. monther aldwairi new york institute of technology- amman campus...

Data Encryption Standard (DES)

Dr. Monther AldwairiNew York Institute of

Technology- Amman Campus10/18/2010

INCS 741: Cryptography

10/18/2009 1Dr. Monther Aldwairi

Block Ciphers


Block Ciphers

Stream ciphers process messages a bit or byte at a time when en/decrypting‒ Vigenère Cipher‒ Caeser Cipher

Block ciphers process messages in blocks‒ Block are en/decrypted like a substitution

on very big characters 64-bits or more ‒Hill Cipher block size 2‒DES block size 64 bits


Ideal Block Cipher


Shannon Properties of a Good Cryptosystem

Diffusion– Each plaintext digit affects the values of

many ciphertext digits and visa versa. – Achieved by applying permutation then a

function on data, forcing different plaintext digits to affect a single ciphertext digit

– permutation (P-box) Confusion

– The key doesn’t relate in a simple way to ciphertext.

– Ciphertext statistics cannot give the key up– Achieved by a complex substitution algorithm– substitution (S-box)


Feistel Cipher

Virtually all conventional block encryption algorithms have a structure described by Horst Feistel of IBM in 1973– partitions input block into two halves– process through multiple rounds– each round performs a substitution on left data

half based on round function of right half & sub key

– then have permutation swapping halves

– Implements Shannon’s S-P net concept10/4/2009 6Dr. Monther Aldwairi

Feistel Cipher Structure


Feistel Cipher Design Elements

block size: larger size improves security, but slows cipher

key size: increasing size makes exhaustive key searching harder, but may slow cipher.

number of rounds: increasing number improves security, but slows cipher

sub key generation algorithm: greater complexity can make cryptanalysis harder, but slows cipher

round function: greater complexity can make analysis harder, but slows cipher

fast software en/decryption: concern for practical use

ease of analysis: easier validation & testing of strength


Feistel Cipher Decryption


Data Encryption Standard

(DES)


Data Encryption Standard (DES)

The most widely used block cipher– adopted in 1977 by NBS/NIST as FIPS PUB 46

The plaintext is processed in 64-bit blocks The key is 56-bits in length Controversy over its security

– Choice of 56-bit key (vs Lucifer 128-bit)– DES is public but design criteria were

classified (S-box)– subsequent events and public analysis show in

fact design was appropriate– use of DES has flourished in financial

applications– still standard for legacy application use


DES Overview- Encryption 64-bit input

Sw

ap left and right halves

Final

Perm

utation

Initial Permutation

56-bit KeyGenerate 16 per-round

keys

48-bit K 1

48-b

it K 16

Round 16

Round 1


DES Overview- Decryption

64-bit input

Sw

ap left and right halves

Final

Perm

utation

Initial Permutation

56-bit KeyGenerate 16 per-round

keys

48-bit K 16

48-b

it K 1

Round 16

Round 1


DES Encryption


Initial Permutation IP IP reorders the input data bits

– Arrange into 8 × 8 table– Permute, even columns into rows followed by odd

columns (write bits from bottom up)– Example

IP(675a6967 5e5a6b5a) =(ffb2194d 004df6fb)


0 1 1 0 0 1 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 0 0 1 0 1 1 0 0 1 1 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 0 0 1 1 0 1 0 1 1 0 1 0 1 1 0 1 0

1 1 1 1 1 1 1 1 1 0 1 1 0 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 1 1 0 1 0 0 0 0 0 0 0 0 0 1 0 0 1 1 0 1 1 1 1 1 0 1 1 0 1 1 1 1 1 0 1 1

A DES Round64-bit input

32-bit Ln 32-bit Rn

Mangler function

Kn

32-bit Rn+132-bit Ln+1

64-bit output

64-bit input

32-bit Ln 32-bit Rn

32-bit Rn+132-bit Ln+1

64-bit output

Mangler function Kn


DES Round Details uses two 32-bit L & R halves as for any Feistel cipher can describe as:

Li = Ri–1

Ri = Li–1 xor F(Ri–1, Ki) F takes 32-bit R half and 48-bit subkey:

– expands R to 48-bits using Expansion perm E– adds to subkey using XORE(R) XOR K – we get 48

bits which we split into 8 blocks 6 bits each– Substitute blocks using 8 S-boxes to get 32-bit

result.– Each S-box has 4 rows and 16 columns– First and last bits determine the row, remaining 4

determine column

– finally permutes using 32-bit perm P Confusion10/4/2009 19Dr. Monther Aldwairi

The Mangler Function4444444 4

6666666 6

+ + +++ ++ +

6666666 6

S8S1 S2 S7S3 S4 S5 S6

4444444 4

Permutation


Calculation of F(R, K)


Substitution Boxes S

have eight S-boxes which map 6 to 4 bits each S-box is actually 4 little 4 bit boxes

– outer bits 1 & 6 (row bits) select one row of 4 – inner bits 2-5 (col bits) are substituted – result is 8 lots of 4 bits, or 32 bits

row selection depends on both data & key– feature known as autoclaving (autokeying)

ExampleS(18 09 12 3d 11 17 38 39) = 5fd25e03


DES Sub keys Generation

To forms sub keys used in each round– initial permutation of the key (PC1) which

selects 56-bits in two 28-bit halves – 16 stages consisting of: 1.rotating each half separately either 1 or 2

places depending on the key rotation schedule K

2.selecting 24-bits from each half & permuting them by PC2 for use in round function F

note practical use issues in h/w vs s/w10/4/2009 23Dr. Monther Aldwairi

DES Example


© Summer 2007 CPE 542 Network Security 25

Generating the Per-Round Keys

56-bit key

C0 D0

Initial Permutation

Rotate left

D1

Rotate left

C1

Permutation with discard

48-bit K1

57 49 41 33 25 17 9

58 58 50 42 34 26 18

10 2 59 51 43 35 19

19 11 3 60 52 44 36

C0

63 55 47 39 31 23 15

64 62 54 46 38 30 22

14 6 61 53 45 37 29

21 13 5 28 20 12 4

D0

14 17 11 24 1 5

15 28 15 6 21 10

23 19 12 4 26 8

16 7 27 20 13 2

Permutation to obtain the left-half of Ki

41 52 31 37 47 55

42 40 51 45 33 48

44 49 39 56 34 53

46 42 50 36 29 32

Permutation to obtain the right-half of Ki

Process the Key

Process the key Get a 64-bit key from the userEvery 8th bit (the least significant bit of

each byte) is considered a parity bit. For a key to have correct parity, each

byte should contain an odd number of "1" bits.)

The parity bits are discarded, reducing the key to 56 bits (8th , 16th ,…, 64th ).


Key Schedule

Calculate the key schedule.Permuted Choice 1 (PC-1)57 49 41 33 25 17 91 58 50 42 34 26 1810 2 59 51 43 35 2719 11 3 60 52 44 3663 55 47 39 31 23 157 62 54 46 38 30 2214 6 61 53 45 37 2921 13 5 28 20 12 4

Split the permuted key (56 bits) into two halves. The first 28 bits are called C0 and the last 28 bits are called D0.10/4/2009 27Dr. Monther Aldwairi

PC-1M=0000000000000000000000000000000100000000000000000000000000000001

K=1000000000000000000000000000000010000000000000000000000000000000

The first round key is the computed as follows:PC-1(K)= 00010001000000000000000000000000000000000000000000000000

C0= 0001000100000000000000000000

D0= 0000000000000000000000000000


Calculate Sub keys

Calculate the 16 sub keys. Perform one or two circular left shifts on

both Ci-1 and Di-1 to get Ci and Di, respectively.

The number of shifts per iteration are given in the table below.

Round # 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16Left Shifts 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1


PC-2

Calculate the key schedule. Permuted Choice 2 (PC-2) contraction to 28 bit round key

14 17 11 24 1 53 28 15 6 21 1023 19 12 4 26 816 7 27 20 13 241 52 31 37 47 5530 40 51 45 33 4844 49 39 56 34 5346 42 50 36 29 32

Loop back to slide 24 until K16 has been calculated10/4/2009 30Dr. Monther Aldwairi

PC-2M=0000000000000000000000000000000100000000000000000000000000000001

K=1000000000000000000000000000000010000000000000000000000000000000

The first round key is the computed as follows:PC-1(K)= 00010001000000000000000000000000000000000000000000000000

C1= 1<<C0= 1<<0001000100000000000000000000 = 0010001000000000000000000000

D1= 1<<D0= 1<<0000000000000000000000000000 = 0000000000000000000000000000

PC-2(C1||D1)=PC-2(00100010000000000000000000000000000000000000000000000000)

SK1= 000000100000000000010000000000000000000000000000


DES Example


Process Data Block

Initial Permutation (IP) on 64-bit data block

58 50 42 34 26 18 10 260 52 44 36 28 20 12 462 54 46 38 30 22 14 664 56 48 40 32 24 16 857 49 41 33 25 17 9 159 51 43 35 27 19 11 361 53 45 37 29 21 13 563 55 47 39 31 23 15 7


Round i Split the block into two halves. The first 32 bits

are called L0, and the last 32 bits are called R0. Apply the 16 sub keys to the data block. Start with

SK1

Expand the 32-bit Ri-1(R0) into 48 bits according Expansion Permutation E

32 1 2 3 4 54 5 6 7 8 98 9 10 11 12 1312 13 14 15 16 1716 17 18 19 20 2120 21 22 23 24 2524 25 26 27 28 2928 29 30 31 32 1

Exclusive-or E(Ri-1) with SKi10/4/2009 34Dr. Monther Aldwairi

Round i/S-Boxes

Eight S-boex that accept 6 bit inputs and produce 4 bit outputs

Break E(Ri-1) xor SKi into eight 6-bit input blocks. Bits 1-6 are B1, bits 7-12 are B2, and so on

with bits 43-48 being B8. Take the 1st and 6th bits of Bj together as

a 2-bit value indicating the row in Sj

Take the 2nd through 5th bits of Bj

together as a 4-bit value indicating the column in Sj to find the substitution. 10/4/2009 35Dr. Monther Aldwairi

S-Boxes


S1

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 015 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

S2

15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 1513 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

S3

10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 813 7 0 9 3 4 6 10 2 8 5 14 12 11 15 113 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

S4

7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 1513 8 11 5 6 15 0 3 4 7 2 12 1 10 14 910 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

S5

2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 914 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 1411 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

S6

12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 1110 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

S7

4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 113 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

S8

13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

Permutation (P) Permute the concatenation of B1 through B8 (32 bits) Permutation P

16 7 20 2129 12 28 171 15 23 265 18 31 102 8 24 1432 27 3 919 13 30 622 11 4 25

Exclusive-or the resulting value with Li-1. Thus, all together, your Ri= Li-1 xor

P(S1(B1)...S8(B8)), where Bj is a 6-bit block of E(Ri-1) xor SKi.

The function for Ri is more concisely written as, Ri-1 = Li-1 xor f(Ri-1, Ki).)10/4/2009 37Dr. Monther Aldwairi

Inverse Initial Permutation IP-1

Loop back to slide 29 - Permutation E until SK16 has been applied

Perform the following permutation on the block R16L116.

Final Permutation (IP-1)

40 8 48 16 56 24 64 3239 7 47 15 55 23 63 3138 6 46 14 54 22 62 3037 5 45 13 53 21 61 2936 4 44 12 52 20 60 2835 3 43 11 51 19 59 2734 2 42 10 50 18 58 2633 1 41 9 49 17 57 25


DES ExampleDES round 1Round key = 000000100000000000010000000000000000000000000000

L1= 00000000000000000000000000000001 R1= 00000000000000000000000000000001

Apply E: 100000000000000000000000000000000000000000000010

Xor K1: 000000100000000000010000000000000000000000000000⊕ 100000000000000000000000000000000000000000000010 =

100000||100000||000000||010000||000000||000000||000000||000010

S-Box S1: 0100 S-Box S2: 0000 S-Box S3: 1010 S-Box S4: 0001

S-Box S5: 0010 S-Box S6: 1100 S-Box S7: 0100 S-Box S8: 0010

P-Box: 10010000000100101000000110001100

Xor L1: 10010000000100101000000110001100 00000000000000000000000000000001 ⊕ =10010000000100101000000110001101

R1kL1 = 00000000000000000000000000000001k10010000000100101000000110001101

16 round example @http://www.adeptscience.co.uk/products/mathsim/maple/powertools/cryptography/HTML/DES-Example.html

http://www.eventid.net/docs/desexample.asp10/4/2009 39Dr. Monther Aldwairi

http://www.adeptscience.co.uk/products/mathsim/maple/powertools/cryptography/HTML/DES-Example.html

http://www.adeptscience.co.uk/products/mathsim/maple/powertools/cryptography/HTML/DES-Example.html

http://www.eventid.net/docs/desexample.asp

DES Decryption

decrypt must unwind steps of data computation

with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)‒ IP undoes final FP step of encryption

‒ 1st round with SK16 undoes 16th encrypt round

‒ ….‒ 16th round with SK1 undoes 1st encrypt round ‒ then final FP undoes initial encryption IP ‒ thus recovering original data value 10/4/2009 40Dr. Monther Aldwairi

Avalanche Effect

key desirable property of encryption algorithm

where a change of one input or key bit results in changing approx half output bits

making attempts to “home-in” by guessing keys impossible

DES exhibits strong avalanche Permutation E10/4/2009 41Dr. Monther Aldwairi

Strength of DES – Key Size

56-bit keys have 256 = 7.2 x 1016 values

brute force search looks hard recent advances have shown is possible

‒ in 1997 on Internet in a few months ‒ in 1998 on dedicated h/w (EFF) in a few

days ‒ in 1999 above combined in 22hrs!

still must be able to recognize plaintext must now consider alternatives to DES10/4/2009 42Dr. Monther Aldwairi

Average time required for exhaustive key search


Key Size (bits)

Number of Alternative Keys

Time required at 106 Decryption/µs

32 232 = 4.3 x 109 2.15 milliseconds

56 256 = 7.2 x 1016 10 hours

128 2128 = 3.4 x 1038 5.4 x 1018 years

168 2168 = 3.7 x 1050 5.9 x 1030 years

Taken from Henric Johnson’s slides

Strength of DES – Analytic Attacks

now have several analytic attacks on DES these utilise some deep structure of the

cipher ‒ by gathering information about encryptions ‒ can eventually recover some/all of the sub-key bits ‒ if necessary then exhaustively search for the rest

generally these are statistical attacks‒ differential cryptanalysis ‒ linear cryptanalysis ‒ related key attacks


Differential Cryptanalysis Murphy, Biham & Shamir published in 90’s powerful method to analyze block ciphers used to analyze most current block ciphers

with varying degrees of success DES reasonably resistant to it

‒ a statistical attack against Feistel ciphers ‒ uses cipher structure not previously used ‒ design of S-P networks has output of function f

influenced by both input & key‒ hence cannot trace values back through cipher

without knowing value of the key ‒ differential cryptanalysis compares two related

pairs of encryptions10/4/2009 45Dr. Monther Aldwairi

Differential Cryptanalysis

have some input difference giving some output difference with probability p

if find instances of some higher probability input / output difference pairs occurring

can infer subkey that was used in round then must iterate process over many

rounds (with decreasing probabilities)


Compares Pairs of Encryptions

with a known difference in the input searching for a known difference in

output when same subkeys are used


Differential Cryptanalysis


Differential Cryptanalysis perform attack by repeatedly encrypting plaintext pairs

with known input XOR until obtain desired output XOR when found

– if intermediate rounds match required XOR have a right pair– if not then have a wrong pair, relative ratio is S/N for attack

can then deduce keys values for the rounds– right pairs suggest same key bits– wrong pairs give random values

for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs

Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES


Linear Cryptanalysis

another recent development also a statistical method must be iterated over rounds, with

decreasing probabilities developed by Matsui et al in early 90's based on finding linear approximations can attack DES with 243 known

plaintexts, easier but still in practise infeasible


Linear Cryptanalysis

find linear approximations with prob p != ½P[i1,i2,...,ia] C[j1,j2,...,jb] = K[k1,k2,...,kc]

where ia,jb,kc are bit locations in P,C,K

gives linear equation for key bits get one key bit using max likelihood alg using a large number of trial encryptions effectiveness given by: |p–1/2|


Triple DES

Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt)

C = Ek3[ Dk2[ Ek1[P] ] ]C = ciphertextP = PlaintextEk[X] = encryption of X using key K

Dk[Y] = decryption of Y using key K

Effective key length of 168 bits10/4/2009 52Dr. Monther Aldwairi

Other Symmetric Block Ciphers

International Data Encryption Algorithm (IDEA)‒ 128-bit key‒ Used in PGP

Blowfish‒ Easy to implement‒ High execution speed ‒ Run in less than 5K of memory


Other Symmetric Block Ciphers

RC5‒ Suitable for hardware and software‒ Fast, simple‒ Adaptable to processors of different word

lengths‒ Variable number of rounds‒ Variable-length key‒ Low memory requirement‒ High security‒ Data-dependent rotations

Cast-128‒ Key size from 40 to 128 bits‒ The round function differs from round to round

Blowfish10/4/2009 54Dr. Monther Aldwairi

Modes of Operation

block ciphers encrypt fixed size blocks eg. DES encrypts 64-bit blocks, with 56-bit

key need way to use in practise, given usually

have arbitrary amount of information to encrypt

Four standard modes were defined for DES Extended to five later, and they can be used

with other block ciphers: 3DES and AES.


Electronic Codebook Book (ECB)

message is broken into independent blocks which are encrypted

each block is a value which is substituted, like a codebook, hence name

each block is encrypted independently from the other blocks Ci = DESK1 (Pi)

uses: secure transmission of single values


Electronic Codebook Book (ECB)


Advantages and Limitations of ECB

repetitions in message may show in ciphertext – if aligned with message block – with messages that change very little,

which become a code-book analysis problem

weakness due to encrypted message blocks being independent

main use is sending a few blocks of data


Cipher Block Chaining (CBC)

message is broken into blocks but these are linked together in the

encryption operation each previous cipher blocks is chained

with current plaintext block, hence name use Initial Vector (IV) to start process

Ci = DESK1(Pi XOR Ci-1)

C-1 = IV uses: bulk data encryption, authentication


Cipher Block Modes of Operation

Cipher Block Chaining Mode (CBC)‒ The input to the encryption algorithm is

the XOR of the current plaintext block and the preceding ciphertext block.

‒ Repeating pattern of 64-bits are not exposed

10/4/2009 60Dr. Monther Aldwairiιι1ι1ιιΚ1ι

ι1ιιΚ

ι1ιΚΚιΚ

ι1ικι

ΠΠΧΧ][ΧΔΧ

)Π(Χ][ΧΔ

)]Π(Χ[ΕΔ][ΧΔ

]Π[ΧΕΧ


Advantages and Limitations of CBC

each ciphertext block depends on all message blocks

thus a change in the message affects all ciphertext blocks after the change as well as the original block

need Initial Value (IV) known to sender & receiver – however if IV is sent in the clear, an attacker can

change bits of the first block, and change IV to compensate

– hence either IV must be a fixed value or it must be sent encrypted in ECB mode before rest of message


Cipher FeedBack (CFB)

message is treated as a stream of bits added to the output of the block cipher result is feed back for next stage (hence

name) standard allows any number of bit (1,8 or 64

or whatever) to be feed back – denoted CFB-1, CFB-8, CFB-64 etc

is most efficient to use all 64 bits (CFB-64)Ci = Pi XOR DESK1(Ci-1)

C-1 = IV

uses: stream data encryption, authentication


Cipher FeedBack (CFB)


Advantages and Limitations of CFB

appropriate when data arrives in bits/bytes

most common stream mode limitation is need to stall while do

block encryption after every n-bits errors propagate for several blocks

after the error


Output FeedBack (OFB)

• message is treated as a stream of bits • output of cipher is added to message • output is then feed back (hence name) • feedback is independent of message • can be computed in advance

Ci = Pi XOR Oi

Oi = DESK1(Oi-1)

O-1 = IV


Output FeedBack (OFB)


Advantages and Limitations of OFB

used when error feedback a problem or where need to encryptions before message is available

superficially similar to CFB but feedback is from the output of cipher and is

independent of message sender and receiver must remain in sync, and

some recovery method is needed to ensure this occurs

originally specified with m-bit feedback in the standards

subsequent research has shown that only OFB-64 should ever be used


Counter (CTR)

a “new” mode, though proposed early on

similar to OFB but encrypts counter value rather than any feedback value

must have a different counter value for every plaintext block (never reused)Ci = Pi XOR Oi

Oi = DESK1(i)

uses: high-speed network encryptions10/4/2009 68Dr. Monther Aldwairi

Counter (CTR)


Advantages and Limitations of CTR

efficiency– can do parallel encryptions

random access to encrypted data blocks

provable security (good as other modes)

but must ensure never reuse key/counter values, otherwise could break (cf OFB)


data encryption standard (des) dr. monther aldwairi new york institute of technology- amman campus...

Documents