EECS 690

1
EECS 690

• Weichao Wang

2

• DES
• The history of DES
• The details of the algorithm
• Security of DES
• Cryptanalysis against DES
• Multiple encryption and its safety

3

• Details of DES
• It is a block cipher. Both the plaintext and
  cipher text are 64 bits
• The same key is used for encryption and
  decryption
• The key length is 56 bits
• It consists of 16 rounds, and each round combines
  the output from the previous round and the key
• See flow chart of DES

4

• Initial and final permutation
• Do not impact the safety of DES
• To assist byte-wise operations in hardware
• Key generation
• Every round the key bits are shifted
• 48 bits are selected from the 56 bits key
• Every bit is used about 48 16 / 56 13.7 times
• The key bits are not equally used

5

• Expansion permutation
• From 32 bits to 48 bits
• Every bits will impact multiple bits in later
  operations, which is called avalanche
• Goal Every cipher text bit is impacted by every
  plaint text bit and key bit
• This expansion is still one-to-one mapping

6

• S-Box
• There are eight S-Box, each maps 6-bit input to
  4-bit output
• Each S-Box is a look-up table
• This is the only non-linear step in DES and
  contributes the most to its safety
• P-Box
• A straight permutation

7

• For DES, the same algorithm serves both
  encryption and decryption
• Only the keys will be used in a reverse order

8

• Security of DES
• Key length
• Design of S-Box
• The number of rounds

9

• Weak keys in DES
• Since the keys for each round are not impacted by
  the plaintext or cipher text, the all 0 or all
  1 will be weak keys
• There are weak keys that will generate only 2 or
  4 subkeys during encryption, each key is used 8
  or 4 times
• 64 weak keys exist

10

• Complement keys
• If we use K to represent the bit-wise complement
  of K, we have
• EK(P) C, EK(P) C
• Why is that? Lets study the DES algorithm

11

• Key length of DES
• Original proposal of IBM uses 112 bit key, but
  NSA makes it 56 bits
• Tradeoff storage for computation time
• DES cracker http//www.eff.org/Privacy/Crypto/Cry
  pto_misc/DESCracker/

12

• Number of rounds
• After 5 rounds, every cipher bit is impacted by
  every plaintext bit and key bit
• After 8 rounds, cipher text is already a random
  function
• When the number of rounds is 16 or more, brute
  force attack will be the most efficient attack

13

• DES variants
• Using independent keys for each round
• Multiple DES

14

• Multiple encryption of DES
• Before we study multiple DES, a question must be
  answered. Is DES a group?
• EK2( EK1(P)) EK3(P)
• It is proven that DES is not a group in 1993
• Multiple encryption should use different keys in
  different rounds

15

• Double encryption
• Encrypt the plaintext twice with different keys
• C EK2(EK1(P)), P DK1(DK2(C))
• If DES uses 56 bit key, can we get 112 bit key
  security?
• Meet-in-the-middle attack makes the safety to 57
  bits instead of 112 bit
• Tradeoff storage and search for computation
• Double encryption will not achieve your goal

16

• Triple encryption
• Triple encryption with two keys
• C EK1( EK2 (EK1(P)))
• Why cannot we use
• C EK2( EK1 (EK1(P)))
• Still exist attacks using fewer than 2(2n) steps
• Triple encryption using 3 different keys
• Require at least 2(2n) steps to attack

17

• Generators
• If p is a prime number and g lt p, then g is a
  generator mod p if for every b 1, 2, ---,
  p-1, we can find a number a g a mod p b.
• Discrete logarithms a difficult problem to
  construct asymmetric encryption
• find x so that ax mod n b

18

• A key exchange protocol based on discrete
  logarithms Diffie-Hellman
• Was the first public key algorithm back in 1976
• Alice and Bob agree on a large prime number n and
  its generator g, n and g can be public
• Alice choose a large random number x, and send
  Bob gx mod n
• Bob generate y and send back gy mod n
• Now both side can calculate gxy mod n and it
  will be used as the session key

19

• What malicious node can do
• He can eavesdrop the channel, but since the
  discrete logarithms is difficult, he cannot
  figure out the key
• Is there any other attacks the malicious node can
  conduct?

20

• Key distribution in sensor networks
• Sensors are very weak nodes, they cannot use
  asymmetric encryption
• Symmetric encryption must be used
• Single group key
• Pair-wise key pair
• Random distribution of keys

21

• Pre-distribution of keys for sensor networks
• A pool of P keys are generated
• Every sensor will choose k keys from the pool
• What is the probability that two sensors have a
  shared key?
• When P 10k, when every sensor has 75 keys, the
  probability the two sensors share a key gt 0.5
• When P 100k, every sensor need 250 keys
• Multi-hop path