Data Encryption Standard DES

1
Data Encryption Standard(DES)

• Lecture 3
• Finish Lecture 2
• DES
• AES

2
Reading Assignment

• Reading assignments for September 4
• Required
• Pfleeger Ch. 2
• Read onlyIndex of Coincidence (pp. 37-39),
  Cracking Random , Long Sequences, Dual
  Message, (pp. 43-46)
• Pfleeger Ch. 3.8, 3.9, 3.10
• Advanced Encryption Standard Fact Sheet
  http//csrc.nist.gov/encryption/aes/aesfact.html
• Recommended
• Announcing the Advanced Encryption Standard, NIST
  Nov. 2001 http//csrc.nist.gov/publications/fips/f
  ips197/fips-197.pdf
• DES Challenge III Broken in Record 22 hours, Jan.
  1999 http//www.eff.org//Privacy/Crypto_misc/DESCr
  acker/HTML/19990119_deschallenge3.html
• Has DES Been Broken?, RSA Labs.
  http//www.rsasecurity.com/rsalabs/faq/3-2-2.html
  
• Reading assignments for September 9
• Required
• Pfleeger Ch 3.1, , 3.7

3
Basic Encryption Techniques

• Substitution (confusion)
• Permutation (diffusion)
• Combinations and iterations of these

4
Monoalphabetic Ciphers

• Substitute each character by another character
• Caesar cipher
• CE(K,M), e.g., C(M3) mod 26
• plaintext placement A B C D E
• ciphertext placement A B C D E F
• e.g., MCAB
• C ECD
• Advantages simple to implement
• Disadvantages easy to break (25 possibilities
  for English alphabet), repeated characters, small
  words, space

5
Simple Alphabetic Substitution

• Assign a new symbol to each plain text symbol
  randomly or by key, e.g.,
• C ?K, A ?H, B ? L

• MCAB
• C KHL
• Advantages large key space 26!
• Disadvantages trivially broken for known
  plaintext attack, repeated pattern, letter
  frequency distributions unchanged

6
Polyalphabetic Substitution

• Frequency distribution reflects the distribution
  of the underlying alphabet ? cryptanalysts find
  substitutions
• E.g., English e 14 , t 9.85, a 7.49, o-
  7.37,
• Need flatten the distribution
• E.g., combine high and low distributions
• t ? a (odd position), b (even position)
• x ? a (even position) , b (odd position)

7
Polyalphabetic Substitution 2.

• Increasing the number of permutations (alphabet)
  increases the chance of flat distribution
• Vigenere Tableaux
• Collection of 26 permutations
• Use key to determine which column to use
• Disadvantage length of keyword

8
Cryptanalysis of Polyalphabetic Substitution

• Determine the number of alphabets used
• Solve each piece as monoalphabetic subst.
• Kasiski Method
• Uses regularity of English letters, letter
  groupings, full words
• e.g., endings -th, -ing, -ed, -ion, -ation,
  -tion,
• beginnings im-, in-, re-, un-, ...
• patterns -eek-, -oot-, -our-,
• words of, end, to, with, are, is,

9
Kasiski Method

• With n alphabets, k appearance of word or letter
  group, the plaintext will be encoded k/n times
  with the same alphabet
• Steps
• Identify repeated patterns of 3 or more
  characters
• Write down the positions of the instances of
  pattern
• Compute the distance between patterns
• Determine factors of each distances
• Key length will be one of the factors
• Divide cipher into pieces encrypted with the same
  alphabet, solve it as monoalphabetic substitution.

10
One-Time Pad

• Perfect Secrecy!
• Large, non-repeating set of keys
• Key is larger than the message
• Advantages immune to most attacks
• Disadvantages
• Need total synchronization
• Need very long, non-repeating key
• Key cannot be reused
• Key management printing, storing, accounting for

11
Transposition

• Letters of the message are rearranged
• Break patterns, e.g., columnar transposition
• Plaintext this is a test
• t h i s
• i s a t tiehssiatst!
• e s t !
• Advantages easy to implement
• Disadvantages
• Trivially broken for known plaintext attack
• Easily broken for cipher only attack

12
Cryptanalysis

• Rearrange the letters
• Digrams, Trigrams, Patterns
• Frequent digrams -re-, -th-, -en-, -ed-,
• Cryptanalysis
• Compute letter frequencies ? subst. or perm.
• Compare strings of ciphertext to find reasonable
  patterns (e.g., digrams)
• Find digram frequencies

13
Double Transposition

• Two columnar transposition with different number
  of columns
• First transposition breaks up adjacent letters
• Second transp. breaks up short patterns

14
Product Ciphers

• One encryption applied to the result of the other
  En(En-1((E1(M)))), e.g.,
• Double transposition
• Substitution followed by permutation, followed by
  substitution, followed by permutation
• Broken for
• Chosen plaintext

15
Steam Ciphers

• Convert one symbol of plain text into a symbol of
  ciphertext based on the symbol (plain), key, and
  algorithm
• Advantages
• Speed of transformation
• Low error propagation
• Disadvantages
• Low diffusion
• Vulnerable to malicious insertion and
  modification

16
Block Ciphers

• Encrypt a group of plaintext as one block and
  produces a block of ciphertext
• Advantages
• Diffusion
• Immunity to insertions
• Disadvantages
• Slowness of encryption
• Error propagation

17
Data Encryption Standards DES
18
Data Encryption Standard

• Mathematics to design strong product ciphers is
  classified
• Breakable by exhaustive search on 56-bit key size
  for known plaintext, chosen plaintext and chosen
  ciphertext attacks
• Security computational complexity of computing
  the key under the above scenarios (22 hours)

19
Data Encryption Standard (DES)

• DES is a product cipher
• 56 bit key size
• 64 bit block size for plaintext and cipher text
• Developed by IBM and adopted by NIST with NSA
  approval
• Encryption and decryption algorithms are public
  but the design principles are classified

20
DES Controversies

• Key size 56 bits threshold of allowing
  exhaustive-search known plaintext attack
• Built in trapdoor allegations
• The US Senate Select Committee of Intelligence
  exonerated NSA from tampering with the design of
  DES in any way

21
DES Multiple Encryption

• 1992 proven that DES is not a group multiple
  encryptions by DES are not equivalent to a single
  encryption

22
DES Multiple Encryption
P
EK1(P)
EK2EK1(P)
Intermediate Ciphertext
Ciphertext
Plaintext
Encryption
Encryption
K1
K2
Known-plaintext meet-in-the-middle
attack Effective key size 57 bit
23
DES Multiple Encryption
P
EK1(P)
DK2EK1(P)
EK1DK2EK1(P)
E
E
D
K1
K2
K1
Tuchman avoid meet-in-the-middle attack If
K1K2 single encryption
24
DES Multiple Encryption

• Tuchmans technique is part of NIST standard
• Can be broken in 256 operations if one has 256
  chosen plaintext blocks (Merkle, Hellman 1981)
• Could use distinct K1,K2,K3 to avoid this attack

25
DES Algorithm
64 bit plaintext
56 bit key
Permuted choice
Initial permutation
K1
Left circular shift
Permuted choice 1
Iteration 1
K2
Left circular shift
Permuted choice 2
Iteration 2
K3
Left circular shift
Permuted choice 16
Iteration 16
32 bit swap
Inverse initial permutation
64 bit ciphertext
26
DES Cycle
32 bits
32 bits
R i-1
L i-1( R i-2)
Expansion permutation
48 bits
48 bits
Permuted key
48 bits
32 bits
32 bits
R i
27
Modes of DES

• ECB Electronic Code Book
• CBC Cipher Block Chaining
• CFB Cipher FeedBack
• OFB Output FeedBack
• Part of NIST standard

28
ECB Mode
64 bit data
56 bit key
56 bit key
E
D
64 bit data
Good for small messages Identical data block will
be identically encrypted
29
CBC Mode
64 bit data
64 bit previous Ciphertext block

56 bit key
56 bit key
E
D
64 bit previous Ciphertext block

CnEkCn-1 ? Pn
64 bit data
Need initiation vector
30
CFB Mode
Needs initialization vector Adv can encipher one
character at a time Error propagation current
transf. next 8 characters
8, 8 bit blocks
8, 8 bit blocks
Left shift
56 bit key
56 bit key
E
D
Left shift


8 bit cipher text
8 bit plain text
8 bit plain text
31
OFB Mode
Needs initialization vector Adv can encipher one
character at a time Error propagation current
transfer only
8, 8 bit blocks
8, 8 bit blocks
Left shift
56 bit key
56 bit key
E
D
Left shift


8 bit cipher text
8 bit plain text
8 bit plain text
32
Advanced Encryption Standard (AES)

• Federal Information Processing Standard (FIPS) to
  be used by U.S. Government organizations
• Effective since May 26, 2002
• Replaces DES (triple DES remains)
• Rijndael (Rhine Dhal) algorithm (Joan Daemen
  and Vincent Rijmen)

33
Rijndael Algorithm

• Chosen for security, performance, efficiency,
  ease of implementation, and flexibility
• Block cipher (variable block and key length)
• Block size 128, 192, 256 bits
• Key size 128, 192, 256 bits

34
Next Class
Public Key Cryptosystems