Title: Block Ciphers and Data Encryption Standard DES
1 Block Ciphers and Data Encryption Standard (DES)
2 Motivation
- Problem: Alice and Bob happen to speak a language in which all sentences are exactly n bits long (n-bit blocks). They want to encrypt their messages so that Trudy, who also happens to know a lot about statistical analysis of plaintext/ciphertext, will not break them.
- Assume that Alice and Bob use a substitution (an arbitrary mapping of input blocks to output blocks) and that encryption is reversible (so decryption is possible). Determine the size of the key for each of the following values of n:
  - (a) n = 4
  - (b) n = 64
- What advice would you offer Alice and Bob?
3 Motivation (cont.)
- Answer
- For an n-bit input there are 2^n possible inputs and 2^n possible outputs (each output is also n bits wide). To be reversible the mapping must be one-to-one, that is, each output block maps back to exactly one input block.
- Hence the key (the table listing the n-bit output for every one of the 2^n inputs) has size n x 2^n bits.
- (a) For n = 4: key size = 4 x 2^4 = 64 bits, but the block is far too small. With only 16 distinct blocks the cipher is a monoalphabetic substitution over a 16-symbol alphabet: frequency analysis, or a handful of known plaintext/ciphertext blocks, recovers the table.
- (b) For n = 64 (a more reasonable sentence size): key size = 64 x 2^64 = 2^70 bits (about 10^21 bits). With such a large key the statistical characteristics of the source text are masked to the point that cryptanalysis is infeasible no matter how determined Trudy is!
4 Motivation (cont.)
- However, a key size of 2^70 bits is not manageable (i.e., Alice and Bob will not be able to remember it, and no CPU memory is large enough to store it!)
- Alice and Bob need to consider using the solution provided by Shannon (1949) and later by Feistel (1971), which is the basis for most symmetric ciphers: build a key-controlled permutation of the 2^64 blocks from a short key and a few simple operations, instead of storing the whole table
5 Block vs. Stream Ciphers
- Before we discuss the Shannon/Feistel solution, let's define block and stream ciphers
- Block ciphers process one block at a time (a block consists of a fixed number of bits)
- All of the block's bits have to be available before the block can be processed
- Stream ciphers work on a bit or byte of the message at a time, hence process it as a stream
- Most current ciphers are block ciphers
6 Block Cipher
- Every block of the message is encrypted using the same key
- The cryptosystem encrypts one block of data at a time
- Plaintext is broken into fixed-length blocks (often 64 bits) and processed one block at a time
- The last block may be padded to form a complete block
- Each block is applied to the same algorithm and key
- The same key is used to encrypt each block at the transmitting side and to decrypt each block at the receiving side
- At the receiving side, the same key and the same algorithm are used to decrypt each block to get the original plaintext
- DES and IDEA are typical block ciphers
7 Claude Shannon: Substitution-and-Permutation Ciphers
- Claude Shannon's 1949 paper has the key ideas that led to the development of modern block ciphers. Critically, it introduced the technique of layering substitutions and transpositions into a product cipher: the S-P network
- S-P networks are based on the two primitive cryptographic operations we have seen before
  - Substitution (S-box)
  - Permutation (P-box)
- The ideas of confusion and diffusion are added
8 Confusion and Diffusion
- A cipher needs to completely obscure the statistical properties of the original message
- More practically, Shannon suggested combining elements to obtain:
- Diffusion: dissipates the statistical structure of the plaintext over the bulk of the ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext digits
- The idea is to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key
- Example: encrypt a message M = m1, m2, m3, ... of characters with an averaging operation over successive characters, so that each ciphertext character depends on several plaintext characters
9 Confusion and Diffusion (cont.)
- Confusion makes the relationship between ciphertext and key as complex as possible, again to thwart attempts to discover the key
- It is achieved through the use of complex, nonlinear substitution
10 Feistel Cipher
- Horst Feistel, working at the IBM Thomas J. Watson Research Lab, devised a suitable invertible cipher structure in the early 70s
- One of Feistel's main contributions was the invention of a structure which adapted Shannon's S-P network into an easily inverted form
- Essentially the same hardware or software is used for both encryption and decryption, with just a slight change in how the keys are used
- One layer of S-boxes followed by a P-box is used to form the round function
11 Feistel Cipher (cont.)
- The Feistel cipher
  - Partitions the input block into two halves
  - Processes them through multiple rounds, each of which
    - Performs a substitution on the left half of the data
    - Based on the round function of the right half and the subkey
    - Then performs a permutation that swaps the halves
12 Feistel Cipher Structure
- Can be described functionally as (for i > 0):
  - L(i) = R(i-1)
  - R(i) = L(i-1) XOR F(K(i), R(i-1))
13 Feistel Cipher Design Principles
- Block size
  - Increasing the size improves security, but slows the cipher
- Key size
  - Increasing the size improves security and makes exhaustive key search harder, but may slow the cipher
- Number of rounds
  - Increasing the number of rounds improves security, but slows the cipher
- Subkey generation
  - Greater complexity can make analysis harder, but slows the cipher
- Round function
  - Greater complexity can make analysis harder, but slows the cipher
- Fast software encryption/decryption, and ease of analysis, are more recent concerns for practical use and testing
14 Feistel Cipher Decryption
- The process of decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows:
- Use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order. That is, use K_n in the first round, K_(n-1) in the second round, and so on until K_1 is used in the last round.
- This works because each round only XORs F(K_i, R_(i-1)) into the other half; running the same round again with the same subkey cancels that XOR, so F itself never has to be inverted (it need not even be invertible)
- This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption
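The rule above (same algorithm, subkeys reversed) can be checked directly. The following is an added example, not code from the original slides: a generic Feistel network in Python whose round function F and key schedule are hypothetical stand-ins built from SHA-256 (chosen precisely because a hash is not invertible, which shows that F never has to be). The function names, the 64-bit block and the 16 rounds are assumptions of this example.

```python
import hashlib

HALF_MASK = (1 << 32) - 1


def round_function(subkey, right):
    """Hypothetical round function F(K_i, R): the first 32 bits of
    SHA-256(K_i || R). Deliberately one-way: the Feistel structure only ever
    re-evaluates F, it never inverts it."""
    data = subkey.to_bytes(8, "big") + right.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def expand_key(key, rounds=16):
    """Hypothetical key schedule: subkey K_i = 64 bits of SHA-256(key || i)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:8], "big")
            for i in range(1, rounds + 1)]


def feistel(block, subkeys):
    """For each subkey: L_i = R_(i-1); R_i = L_(i-1) XOR F(K_i, R_(i-1)).
    After the last round the halves are swapped. Feeding the subkeys in
    reverse order undoes every round, so this one function both encrypts
    and decrypts."""
    left, right = block >> 32, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(k, right)
    return (right << 32) | left          # final swap: output is (R_n, L_n)


def encrypt(block, subkeys):
    return feistel(block, subkeys)        # K_1 first ... K_n last


def decrypt(block, subkeys):
    return feistel(block, subkeys[::-1])  # K_n first ... K_1 last


if __name__ == "__main__":
    ks = expand_key(b"constructed demo key")
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt, ks)
    print(f"pt={pt:016x} ct={ct:016x} back={decrypt(ct, ks):016x}")
```

Note that nothing in `feistel` depends on `round_function` being a bijection; any function of the subkey and one half works, which is why DES can use the 32-to-48-bit expansion and 6-to-4-bit S-boxes inside F.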
15 Data Encryption Standard (DES)
- Published in 1977 by the National Bureau of Standards for use in commercial and unclassified US government applications
- Specified in Federal Information Processing Standard (FIPS) PUB 46
- Was the most widely used block cipher in the world
- Uses a 56-bit key (supplied as 64 bits, 8 of which are parity bits) and maps a 64-bit input block to a 64-bit output block
- Pretty fast encryption algorithm in hardware
- A de facto standard and widely used
- A symmetric key cryptosystem, 64-bit block cipher
- Small key space with a 56-bit key (2^56 keys)
- It is no longer considered secure
16 DES History
- Designed by IBM (based on the Lucifer cipher) with input from NSA
- By a team led by Feistel
- Lucifer used 64-bit data blocks with a 128-bit key
- Then re-developed as a commercial cipher with input from NSA and others
- In 1973, NBS (today's NIST) issued a request for proposals for a national cipher standard
- IBM submitted their revised Lucifer, which was eventually accepted as the DES
- The American National Standards Institute (ANSI) adopted DES as a standard (ANSI X3.92) in 1981. It is called the Data Encryption Algorithm (DEA)
17 DES Design Controversy: Why a 56-bit key?
- There was considerable controversy over the design
- Over the choice of a 56-bit key (vs the original version of Lucifer, 128-bit)
- And because the design criteria were classified
- Subsequent events and public analysis show that in fact the design was appropriate: the key length, not the structure, is what eventually failed
- DES has become widely used, especially in financial applications
18 Basic Structure of DES
Figure: data path: 64-bit input -> Initial Permutation -> Round 1 ... Round 16, each fed a 48-bit subkey K1 ... K16 -> 32-bit swap of left and right halves -> Final Permutation -> 64-bit output
Figure: key path: 56-bit key -> Permuted Choice 1 -> (left circular shift -> Permuted Choice 2) repeated for each of the 16 rounds to produce K1 ... K16
19 DES Overview
- Encryption
- The 64-bit input block is subjected to an initial permutation to obtain a 64-bit result
- The 56-bit key is used to generate sixteen 48-bit round keys
- Each round takes the 64-bit output from the previous round and a 48-bit round key to produce a 64-bit output
- Each round is a complex key-dependent round function involving substitution and permutation functions
- After 16 rounds, the halves of the 64-bit output are swapped
- Then a final permutation (which is the inverse of the initial permutation) produces the 64-bit output
- The right side of the figure shows the handling of the 56-bit key and consists of
- An initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
- 16 stages to generate the subkeys using a left circular shift and a permutation (PC2)
20 Initial Permutation IP
- The initial permutation and its inverse are defined by tables, as shown in Tables 3.2a and 3.2b, respectively
- The tables are to be interpreted as follows: the input to a table consists of 64 bits numbered from 1 to 64
- The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64
- Each entry in the permutation table indicates which numbered input bit lands in that position of the output, which also consists of 64 bits (the first entry of IP is 58, so output bit 1 is input bit 58)
21 Initial Permutation IP (cont.)
- Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite of what we now mostly use, so be careful! Bits are numbered from bit 1 (leftmost, most significant) to bit 32/48/64 etc. (rightmost, least significant)
- IP and its inverse have no cryptographic significance; they only reorder bits, and an implementation must apply them exactly to interoperate
22 DES Single Round Structure
- DES is a Feistel cipher which can be described as follows
- Use two 32-bit halves L and R
- L_i = R_(i-1)
- R_i = L_(i-1) XOR F(R_(i-1), K_i), where F is called the Mangler Function
- F takes the 32-bit R half and the 48-bit subkey and
- Expands R to 48 bits using the permutation/expansion table E
- XORs the result with the 48-bit subkey
- Then passes this through the S-boxes to get a new 32-bit result
- Finally permutes this using the 32-bit permutation P
23 Single Round of DES Algorithm (figure)
24 Expansion Function
- Expands the right-half data input from 32 to 48 bits
- By duplicating 16 bits
- Specifically, split the input into 8 groups (rows in the table below) of 4 bits (columns in the table below)
- Then duplicate the neighbouring bit from either side to form groups of 6 bits: group j (j = 1 .. 8) consists of bits 4j-4 through 4j+1, where "bit 0" means bit 32 and "bit 33" means bit 1
25 Key Addition
- The expanded 48 data bits are then XORed (addition modulo 2) with the 48 subkey bits
- Subkeys are obtained from Permuted Choice 2 (PC2)
- Example (each hex pair is one 6-bit group):
  - E(R) = 20 00 09 1b 3e 2d 1f 36
  - XOR K = 38 09 1b 26 2f 3a 27 0f
  - Result = 18 09 12 3d 11 17 38 39
26 Substitution Box S
- The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output (see figure in the next slide)
- These transformations are defined in Table 3.3 (after the next slide), which is interpreted as follows
- The first and last bits of the input to box S_i form a 2-bit binary number that selects one of the four substitutions defined by the four rows in the table for S_i
- The middle four bits select one of the sixteen columns
- The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output
- Example: S_1 input 011011: first and last bits 01 select row 1, middle bits 1101 select column 13; S_1 row 1, column 13 holds 5, so the output is 0101
27 DES Round Structure (figure)
28 Definition of DES S-Boxes (table)
29 Permutation P
- It is the last transformation of the F function
- It accepts the 32 bits of S-box output as input (see DES Round Structure slide) and permutes them according to the table below
- For example, the 1st output bit is the 16th input bit, the 2nd output bit is the 7th input bit, etc.
- Its purpose is diffusion: the four output bits of one S-box are scattered so that they reach different S-boxes in the next round
30 DES Key Schedule
- Generates the subkeys used in each round, so that key K_i is ready at the start of round i (refer to Figure 3.7)
- Start by selecting the 56-bit key from the 64-bit input key data
- Selection is as indicated in Table 3.4a, where the bits in the last column (bits 8, 16, ..., 64) are ignored (in practice these bits are used as parity check bits)
- Initial permutation of the key (PC1, Permuted Choice 1), governed by permutation Table 3.4b (there are only 56, not 64, entries in this table: why? because the 8 parity bits are dropped)
- The result is 56 bits, treated as two 28-bit halves (C_(i-1) and D_(i-1) in the figure)
31 DES Key Schedule (cont.)
- At each round, perform a left circular shift of 1 or 2 bits, depending on the round as indicated by the rotation schedule in Table 3.4d, on each half C_(i-1) and D_(i-1) separately (1 bit in rounds 1, 2, 9 and 16, 2 bits otherwise; 28 bits in total, so C_16 = C_0 and D_16 = D_0)
- Then pass these shifted halves to the next round, where they serve as C_i and D_i
- These shifted halves also serve as the inputs to Permuted Choice 2, which performs contraction (drops 4 bits from each 28-bit half, keeping 24 bits of each) and permutation according to Table 3.4c, giving the 48-bit subkey K_i
32 DES Key Schedule Calculation (figure)
33 DES Overview - Decryption
- Decryption works by running DES backwards
- Take the 64-bit ciphertext and perform the initial permutation to obtain a 64-bit result (the initial and final permutations are inverses of each other)
- The 56-bit key is used to generate the sixteen 48-bit round keys
- Each round takes the 64-bit output from the previous round and a 48-bit round key to produce a 64-bit output. This time, use the keys in the opposite order (i.e., use K16 first)
- After 16 rounds, the halves of the 64-bit output are swapped
- Then a final permutation (which is the inverse of the initial permutation) produces the 64-bit output
34 How Secure is DES?
- DES is a quite simple cipher: only the S-boxes are a nonlinear transformation in the algorithm
- So it would have been easy to break if the S-boxes were linear (the whole cipher would then be a linear function of key and plaintext, solvable from a few known plaintexts)
- The S-boxes provide the confusion of data and key values
- Permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving diffusion
- However, one may get the impression that anyone could design a cipher: just take some bits, shuffle them, and then shuffle them some more, and you have your algorithm (you only need M = D_K(E_K(M)))
35 How Secure is DES? (cont.)
- Since its adoption there have been some concerns (mystery and controversy) about some of the design aspects of DES
- For instance, we do not know the details of how the construction of the S-boxes was chosen [Kaufman 2002, p. 75]
- Or why the key size is 56 bits although the original recommendation from IBM was 128 bits, which would certainly make a stronger cipher
- However, Biham and Shamir (1991) have shown that a simple change to DES, e.g., swapping S-box 3 with S-box 7, leads to a version of DES that is an order of magnitude less secure; the choice and order of the S-boxes were therefore not arbitrary
36 DES, Avalanche Effect
- DES exhibits strong avalanche, as shown in the table below
- Recall avalanche: a change of one input or key bit results in changing approximately half of the output bits
- In table (a), with two plaintexts that differ by one bit,
  - 0000000000000000 (hex)
  - 8000000000000000 (hex)
- Results show that about half of the bits in the ciphertext differ after just a few rounds
- Similarly in table (b) for a single change in the key
- See figure in next slide
37 Avalanche Effects in DES (table)
38 Strength and Weakness of DES
- Small key length of 56 bits, resulting in a 2^56 key space (7.2 x 10^16 values)
- Brute force is hard but possible with this small key space
- The 56-bit key is susceptible to exhaustive key search
- DES was first cracked publicly in the RSA Challenge (1997)
- "Cracking DES", a book published by O'Reilly, tells you all you need to know, including sample code
- Very widely used commercially
- Has demonstrated breaks
  - 1997: on a large network of computers, in a few months
  - 1998: on dedicated hardware (EFF, Electronic Frontier Foundation), in a few days
  - 1999: the above combined, in 22 hours
- Exhaustive search still requires being able to recognize the correct plaintext (e.g., from its known format or redundancy)
39 Strength of DES: Timing Attacks
- By carefully measuring the amount of time it takes to encrypt and decrypt various ciphertexts, one can derive knowledge of some or all subkey bits and eventually break the cipher; this type of attack is called a timing attack
- Timing attacks are particularly problematic for smartcards and public-key algorithms, as will be discussed
- So far, and based on previous research results, DES appears to be fairly resistant to timing attacks: its operations are bit permutations, XORs and table lookups whose duration does not depend on the key (software table lookups can still leak through cache timing, so constant-time implementations matter)
40 Differential Cryptanalysis
- It starts with a pair of messages, say m and m', with known XOR difference (Δm = m XOR m'), then compares and traces the difference between their ciphertexts at each round
- Perform the attack by repeatedly encrypting plaintext pairs with the known input XOR until we obtain the desired output XOR
- When found
  - If the intermediate rounds match the required XOR, we have a right pair
  - If not, we have a wrong pair
- Right pairs suggest values for subkey bits of the last round; the value suggested most often is taken as correct
- Differential cryptanalysis is one of the most significant recent (public) advances in cryptanalysis
- Known to IBM and NSA in the 70s (cf. the DES design), which led some researchers to conclude that this is the reason DES resists the attack
- We needed to wait until 1990, when Murphy, Biham and Shamir made such attacks public [BIHA93]
- Used to analyze most current block ciphers with varying degrees of success
41 Linear Cryptanalysis
- This attack is based on finding linear approximations to model the cipher, using statistical methods
- Not so powerful an attack against DES: why?
- The approximations must be iterated over rounds, with decreasing probabilities (bias)
- Developed by Matsui et al. in the early 90s
- Based on finding linear approximations
- Can attack DES with 2^47 known plaintexts, still impractical in the field, since the attacker must collect that many plaintext/ciphertext pairs under one key
42 Modes of Operation
- DES (or any block cipher) forms a basic building block which encrypts/decrypts a fixed-size block of data
- However, in order to use them in practice, we usually need to handle arbitrary amounts of data, which may be available in advance (in which case a block mode is appropriate) or may only be available a bit/byte at a time (in which case a stream mode is used)
- To cover as many application needs as possible, 4 modes were defined for DES in the ANSI standard ANSI X3.106-1983
43 Cryptography Modes of Operation
- For larger messages
- Described for DES as different modes of operation
  - Electronic Code Book (ECB)
  - Cipher Block Chaining (CBC)
  - k-Bit Cipher Feedback Mode (CFB)
  - k-Bit Output Feedback Mode (OFB)
44 DES Modes of Operation (figure)
45 Electronic Codebook (ECB) Mode
- The simplest mode
- Plaintext is handled 64 bits at a time and each plaintext block is encrypted using the same key
- Each block is a value which is substituted, like a codebook, hence the name
- Each block is encoded independently of the other blocks
- C_i = DES_K(P_i)
- If the message is longer than 64 bits, the procedure is to break the message up into 64-bit blocks, padding the last block if necessary
46 Electronic Codebook (ECB) Mode
Figure: encryption applies DES under the same key K to each block P1, P2, ..., Pn independently to give C1, C2, ..., Cn; decryption applies K to each Ci independently to recover Pi
47 Advantages and Limitations of ECB
- ECB has some advantages
  - Simple
  - Allows parallel implementation (hardware, speed)
- However, ECB is not appropriate for large quantities of data
  - If the plaintext contains two identical 64-bit blocks, the corresponding two blocks of ciphertext will be identical
  - Ciphertext blocks can be changed without being detected
- Historically suggested for short amounts of data, such as an encryption key to be securely transmitted (even there, a mode that also provides integrity is preferable today)
- Vulnerability
  - Someone seeing the ciphertext can gain information from repeated blocks
  - Someone can rearrange blocks or modify a block to her own advantage
48 Example
- Leslie, a close friend of Trudy, had a fight with her boss, Bob. As a result, Leslie is not expecting much of a bonus this year. Kim, in contrast, is the boss's favorite and everyone knows about that. The figure below shows a portion of the annual bonuses the company decided to award to its employees, which will be sent to the bank after being encrypted using ECB. Leslie asks Trudy if she can rectify this unfairness, given only the ciphertext.
49 Example
- Answer
- "No problem," said Trudy
- She makes a copy of the 12th ciphertext block (which contains Kim's bonus) and uses it to replace the 4th ciphertext block (which contains Leslie's bonus). She needs neither the key nor the content of the 12th block: in ECB every block decrypts independently of its position
- Leslie can expect to have a good vacation this year! (Copying the 8th ciphertext block is also possible, but Leslie is not that greedy a person after all!) (TB, book)
50 Randomized Electronic Codebook (ECB) Mode
Figure: each plaintext block Pi is combined with its own random value ri before encryption under K, giving Ci; decryption under K and removal of ri recovers Pi, so identical plaintext blocks no longer give identical ciphertext blocks
51 Cipher Block Chaining (CBC) Mode
- To overcome the problems of repetitions and order independence in ECB, we want some way of making each ciphertext block depend on all the blocks before it
- Each previous ciphertext block is chained into the current plaintext block, hence the name CBC
- Start with an initial random number, the Initialization Vector (IV); do not use the value 0 as the IV
- The IV must be known to both the sender and receiver
- For maximum security, the IV should be protected as well as the key (more precisely: it must be unpredictable to the attacker before the message is encrypted, and its integrity must be protected, since a modified IV flips the corresponding bits of the first plaintext block)
- Each plaintext block is XORed with the IV (first block) or with the preceding ciphertext block
- The result is then encrypted with the same key
- C_i = DES_K(P_i XOR C_(i-1)), where C_0 = IV
- The input to the encryption function for each plaintext block bears no fixed relationship to the plaintext block
52 Cipher Block Chaining (CBC) Mode
Figure: encryption XORs the IV into P1 and each Ci into Pi+1 before encryption under K; decryption decrypts each Ci under K and XORs the IV (for C1) or Ci-1 back out to recover Pi
53 Advantages and Limitations of CBC
- Each ciphertext block depends on all preceding message blocks
- Thus a change in the message affects the changed block and all ciphertext blocks after it
- Needs an IV known to sender and receiver
- However, if the IV is sent in the clear, an attacker can change bits of the first plaintext block by changing the corresponding bits of the IV
- Hence, historically, either the IV had to be a fixed value (as in EFTPOS) or it had to be sent encrypted in ECB mode before the rest of the message. A fixed IV, however, makes the first ciphertext block repeat whenever the first plaintext block repeats, so current practice is a fresh unpredictable IV per message plus a MAC over IV and ciphertext to detect tampering
- Not appropriate for byte-by-byte use such as interactive applications where people type a short message and wait for a response
- At the end of the message, handle a possible short last block
  - By padding with a known non-data value
- CBC encryption has the same performance as ECB mode except for the cost of generating and transmitting the IV (encryption cannot be parallelized, since each block needs the previous ciphertext block; decryption can)
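The ECB splice from Trudy's example, and the CBC chaining that defeats it, as an added example in Python that is not from the slides or the textbook. The block cipher here is a constructed stand-in for DES_K: a keyed bijection on 64-bit values built from XOR and multiplication by an odd constant, which is invertible but has no security at all and exists only so the modes run offline. The payroll record, key, IV and function names are this example's own.

```python
import os

# Constructed stand-in for DES_K / DES_K^-1 on 64-bit blocks. Multiplication
# by an odd constant mod 2**64 is invertible, so this is a real bijection, but
# it is NOT a secure cipher; it only lets the modes below be exercised.
MUL = 0x9E3779B97F4A7C15
MUL_INV = pow(MUL, -1, 1 << 64)
MASK64 = (1 << 64) - 1

def block_encrypt(p, key):
    return ((p ^ key) * MUL) & MASK64

def block_decrypt(c, key):
    return ((c * MUL_INV) & MASK64) ^ key

def to_blocks(data):
    """Bytes -> list of 64-bit ints, zero-padding the last block (the slides'
    'pad the last block'); real systems use an unambiguous padding scheme."""
    data += b"\x00" * (-len(data) % 8)
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]

def from_blocks(blocks):
    return b"".join(b.to_bytes(8, "big") for b in blocks)

def ecb_encrypt(blocks, key):
    return [block_encrypt(p, key) for p in blocks]          # C_i = E_K(P_i)

def ecb_decrypt(blocks, key):
    return [block_decrypt(c, key) for c in blocks]

def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv
    for p in blocks:
        prev = block_encrypt(p ^ prev, key)                 # C_i = E_K(P_i XOR C_(i-1))
        out.append(prev)
    return out

def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(block_decrypt(c, key) ^ prev)            # P_i = D_K(C_i) XOR C_(i-1)
        prev = c
    return out

# Constructed payroll: 8-byte name, then 8-byte bonus, per employee, so the
# bonus of employee j sits in block 2j+1. Leslie's bonus is block 3 (the
# slides' "4th block"), Kim's is block 11 ("12th block"); Pat's equals Leslie's.
PAYROLL = (b"Adams   " b"00001000" b"Leslie  " b"00000100" b"Pat     " b"00000100"
           b"Rivera  " b"00015000" b"Singh   " b"00001500" b"Kim     " b"00009000")
KEY = 0x0123456789ABCDEF                                    # constructed demo key

def splice(ciphertext_blocks, src, dst):
    """Trudy's edit: copy ciphertext block src over block dst. No key needed."""
    c = list(ciphertext_blocks)
    c[dst] = c[src]
    return c

def ecb_attack():
    """Decrypted payroll fields after Kim's bonus block (11) is copied over
    Leslie's (3) in ECB: the bank sees a perfectly valid record."""
    c = splice(ecb_encrypt(to_blocks(PAYROLL), KEY), 11, 3)
    return [from_blocks([b]) for b in ecb_decrypt(c, KEY)]

def cbc_attack(iv=None):
    """The same splice against CBC: block 3 and block 4 decrypt to garbage
    (block 4 because its XOR input is now C11 instead of C3), so the tampering
    is visible; blocks after that are unaffected."""
    iv = int.from_bytes(os.urandom(8), "big") if iv is None else iv
    c = splice(cbc_encrypt(to_blocks(PAYROLL), KEY, iv), 11, 3)
    return [from_blocks([b]) for b in cbc_decrypt(c, KEY, iv)]

def ecb_leaks_repeats():
    """(ECB shows Leslie's and Pat's bonus blocks are equal, CBC shows it)."""
    p = to_blocks(PAYROLL)
    ecb = ecb_encrypt(p, KEY)
    cbc = cbc_encrypt(p, KEY, int.from_bytes(os.urandom(8), "big"))
    return ecb[3] == ecb[5], cbc[3] == cbc[5]

if __name__ == "__main__":
    print("ECB after splice:", ecb_attack()[2:4])
    print("CBC after splice:", cbc_attack()[2:6])
    print("identical blocks visible (ECB, CBC):", ecb_leaks_repeats())
```

CBC only makes the splice detectable by luck (the receiver has to notice the garbage); it is not an integrity mechanism, which is why a MAC is still needed.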
54 Cipher Feedback (CFB) Mode
- The message is treated as a stream of bits, so CFB converts DES (a block cipher) into a stream cipher
- The unit of transmission is k bits (see diagram on the next slide)
- The result C_i of each plaintext unit P_i (k bits in size) is fed back into the next stage (hence the name)
- The standard allows any number k of bits (1, 8 or 64, ...) to be fed back
- Denoted CFB-1, CFB-8, CFB-64, etc.
- It uses a 64-bit shift register that is initially set to the IV
- The register is encrypted with the key; only the k most significant bits of the encryption output are XORed with the plaintext unit P_i (of size k bits) to give C_i, and the remaining 64-k bits are discarded
- After processing P_i, the register is shifted left by k bits (so its k most significant bits are dropped) and the k bits of C_i are placed at the right end of the register
55 K-bit Cipher Feedback (CFB) Mode: Encryption
Figure: a 64-bit shift register, seeded with the IV, is encrypted under K; the leftmost k bits of the output are XORed with P1 (k bits) to give C1, the remaining bits are discarded, and C1 is shifted into the register to produce the next stage for P2, P3, ...
56 K-bit Cipher Feedback (CFB) Mode: Decryption
Figure: the same pipeline, with the received C1, C2, C3 shifted into the register and XORed against the leftmost k bits of the encryption output to recover P1, P2, P3; the block cipher runs in the encryption direction at both ends
57 Advantages and Limitations of CFB
- Appropriate when data arrives in bits/bytes
- Most common stream mode (at the time)
- Limitation: need to stall for one block encryption after every k bits
- Note that the block cipher is used in encryption mode at both ends (decryption never needs DES_K^-1)
- Errors propagate: a corrupted ciphertext unit garbles the corresponding plaintext bits and the following 64/k units, until the bad unit shifts out of the register, after which the receiver resynchronizes by itself
- This eliminates the padding of the last block and can operate in real time
- The ciphertext is the same length as the plaintext
- CFB-encrypted messages are somewhat less subject to tampering than either CBC or OFB, since a modified ciphertext unit garbles the units that follow it
58 Output Feedback (OFB) Mode
- Like CFB, the message is treated as a stream of bits
- The output of the encryption box is fed back (hence the name), as compared to CFB, where we have to wait until we have the ciphertext itself and then feed it back
- Acts like a pseudorandom generator: assuming the IV is b_0,
- The encryption of the IV with the key K produces b_1, the encryption of b_1 produces b_2, and so on
- The result is a pseudorandom stream b_1 b_2 ...
- The ciphertext is obtained by XORing this stream with the plaintext
- This resembles a one-time pad, but it is not one: the pad is pseudorandom and derived from a short key, so the security rests on DES, and reusing (K, IV) reuses the pad
- The feedback is independent of the message, so the stream can be computed in advance (see figure on the next slide)
- C_i = P_i XOR O_i
- O_i = DES_K(O_(i-1)), where O_0 = IV
59 K-bit Output Feedback (OFB) Mode: Encryption
Figure: the register seeded with the IV is encrypted under K; the leftmost k bits b1 are XORed with P1 to give C1, and b1 (not C1) is fed back into the register to produce b2, b3, ...; the remaining output bits are discarded
60 K-bit Output Feedback (OFB) Mode: Decryption
Figure: the same keystream b1, b2, b3 is regenerated from the IV and K and XORed with C1, C2, C3 to recover P1, P2, P3
61 Limitations and Advantages of OFB
- Used when error propagation is a problem, or where encryption must be done before the message is available
- Superficially similar to CFB
- But the feedback is from the output of the cipher and is independent of the message
- Another advantage over CFB: any bit error only affects a single bit. Thus this is good for noisy links (e.g., satellite TV transmissions, etc.); errors in transmission do not propagate and only the recovered value of the affected P bits is wrong
- Once the keystream is precomputed, no costly cryptographic operations are needed at message time (just XOR)
- Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs (a lost or inserted bit desynchronizes the keystream)
- Originally specified with m-bit feedback in the standards
- Subsequent research has shown that only OFB-64 (full-block feedback) should ever be used, since feeding back fewer bits shortens the expected period of the keystream
- Vulnerability: subject to message-stream modification attacks
- An attacker who knows the plaintext can change it to anything he wants by XORing the ciphertext with (known plaintext XOR desired plaintext); nothing detects the change unless a MAC is used
62 Counter (CTR)
- A new mode, though proposed early on
- Similar to OFB but encrypts a counter value rather than any feedback value
- Must have a different (key, counter) pair for every plaintext block (never reused)
- C_i = P_i XOR O_i
- O_i = DES_K(counter + i)
- Used in high-speed network encryption
63 Counter (CTR) (figure)
64 Advantages and Limitations of CTR
- Efficiency
  - Can do parallel encryptions
  - In advance of need
  - Good for bursty high-speed links
- Random access to encrypted data blocks
- Provable security (as good as the other modes)
- But must ensure the key/counter values are never reused, otherwise it could break (cf. OFB): two messages encrypted under the same keystream leak their XOR
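The three stream modes (CFB with the k-bit shift register of slide 54, OFB of slide 58 and CTR of slide 62), as an added example in Python that is not from the slides. The block cipher is a constructed stand-in for DES_K: the first 8 bytes of SHA-256(key || block). That function is not invertible, which is deliberate and illustrates the point made on slide 57: these modes only ever run the block cipher forward. Key, IV, messages and function names are this example's own.

```python
import hashlib

BLOCK = 8                                    # 64-bit block, as in DES


def block_encrypt(block, key):
    """Constructed stand-in for DES_K(block), forward direction only:
    the first 8 bytes of SHA-256(key || block). Not DES, not invertible."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb_k(data, key, iv, k=8, decrypt=False):
    """k-bit CFB with a 64-bit shift register (k a multiple of 8 here, so units
    are whole bytes). Per unit: encrypt the register, XOR its leftmost k bits
    with the unit, shift the register left by k bits and push the k CIPHERTEXT
    bits in at the right. Decryption differs only in which side is fed back."""
    n = k // 8
    reg, out = iv, bytearray()
    for i in range(0, len(data), n):
        unit = data[i:i + n]
        keystream = block_encrypt(reg, key)[:n]      # remaining 64-k bits discarded
        res = bytes(a ^ b for a, b in zip(unit, keystream))
        out += res
        fed = unit if decrypt else res               # the ciphertext unit, either way
        reg = (reg + fed)[-BLOCK:]
    return bytes(out)


def ofb(data, key, iv):
    """Full-block OFB: O_i = E_K(O_(i-1)), O_0 = IV, C_i = P_i XOR O_i. The
    keystream never depends on the message, so it can be precomputed, and
    the same call decrypts."""
    o, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        o = block_encrypt(o, key)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], o))
    return bytes(out)


def ctr(data, key, counter):
    """CTR: O_i = E_K(counter + i). Blocks are independent, so encryption is
    parallel and any block can be decrypted alone by passing its counter;
    a (key, counter) value must never be reused."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        o = block_encrypt((counter + i // BLOCK).to_bytes(BLOCK, "big"), key)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], o))
    return bytes(out)


def flip_byte(ct, index, mask):
    """Corrupt one ciphertext byte: a line error, or Trudy at work."""
    c = bytearray(ct)
    c[index] ^= mask
    return bytes(c)


def forge_stream(ct, known_pt, wanted_pt):
    """Message-stream modification against OFB/CTR: knowing the plaintext,
    XOR (known XOR wanted) into the ciphertext so it decrypts to wanted."""
    return bytes(c ^ a ^ b for c, a, b in zip(ct, known_pt, wanted_pt))


KEY = b"constructed-key!"                    # demo key
IV = bytes(range(8))                         # constructed IV; fresh per message in practice
MSG = b"PAY 0001000 TO LESLIE   "            # 24 bytes = 3 blocks, constructed

if __name__ == "__main__":
    c = cfb_k(MSG, KEY, IV, 8)
    print("CFB-8 round trip:", cfb_k(c, KEY, IV, 8, decrypt=True) == MSG)
    print("CFB-8 after one bad byte:", cfb_k(flip_byte(c, 2, 0x01), KEY, IV, 8, decrypt=True))
    o = ofb(MSG, KEY, IV)
    print("OFB forged:", ofb(forge_stream(o, MSG, b"PAY 9999999 TO LESLIE   "), KEY, IV))
```

The CFB run shows the error-propagation window from slide 57 (one corrupted byte damages that byte plus the next eight, then the receiver resynchronizes), the OFB run shows slide 61's message-stream modification, and reusing a counter in `ctr` leaks the XOR of the two plaintexts, which is the reuse warning of slide 64.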
65 Summary of Block Cipher Modes (figure)