Applied Cryptography: Data Encryption Standard
Sape J. Mullender
Huygens Systems Research Laboratory, Universiteit Twente, Enschede
History
DES has a checkered history. The book provided fascinating reading material. In brief:
1972: National Bureau of Standards initiated a programme to develop an encryption standard.
1974: After a second request for technology, IBM offered its Lucifer product as input. The NBS requested and got help from the NSA in evaluating the input.
1975: Details of the algorithm were published. IBM granted a nonexclusive, royalty-free licence for its use. The NBS requested comments. Many comments concerned NSA’s input; the key size was reduced from 128 bits to 56 bits — a trapdoor was suspected.
History, contd.
1976: DES was adopted as a federal standard. NSA regrets its cooperation.
1977–1981: Various enhancements were published.
1983: The first five-year review of DES was successful.
1987: NSA (with veto power obtained from Reagan) did not want to recertify the standard. Instead it wanted to certify a series of algorithms which would remain secret. Public outrage prevented this and DES was recertified (but for the very last time!)
1993: DES was recertified.
How DES works
• Block cipher: 64-bit blocks of plaintext are converted to 64-bit ciphertext, using a 56-bit key (or an 8-byte key with parity — note that the parity bit is in the LSB).
• The algorithm is public; the security is in the key.
• The algorithm consists of substitutions and permutations, arranged in 16 rounds.
• It is eminently suited for hardware implementations, but reasonable software implementations can be built too.
Overview
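[Figure: DES overview. Plaintext enters IP and is split into L0 and R0; each round applies F with a round key (K1, K2, ..., K16), giving L1/R1 through L15/R15 and L16/R16; a second IP box produces the ciphertext.]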
The Basic Step
The basic step is reversible:
$L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
[Figure: the basic step in both directions, with inputs L, R, K, the function F, and outputs L', R', K'.]
The Key
During each step, the key is changed by circularly shifting each 28-bit half left by either one or two bits.
After the shift, 48 bits out of the 56 are used in the one-way function F.
[Figure: the 56-bit key as two 28-bit halves, each shifted by 1 or 2 bits, followed by a compression permutation that yields 48 bits.]
The One-Way Function
Composed of an expansion permutation, an XOR operation with the 48-bit partial key, an S-box substitution, and a P-box permutation. Note that this is a one-way function; that is, it does not have an easily computable inverse. It doesn’t have to, because the rounds are invertible even with a non-invertible one-way function.
[Figure: the one-way function F, with labels L_i, R_i, K_i, Expansion and S Box, and bus widths of 32 and 48 bits.]
Expansion Permutation, S-Boxes
The expansion permutation doesn’t permute much. Bits with numbers $\equiv 0 \pmod 4$ and $\equiv 1 \pmod 4$ are doubled, the others are not.
[Figure: expansion permutation from 32 input bits to 48 output bits.]
The S-boxes map 6 bits down to 4. There are eight different ones. The mapping is done by table lookup; each 4-bit output value is produced by four 6-bit input values.
P-Box Permutation
The P-Box is a straightforward permutation of the bits.
[Figure: P-box wiring from input bits 1 to 32 to output bits 1 to 32.]
Encryption and Decryption
The rounds are individually reversible. This makes decryption very similar to encryption:
• The order of the rounds has to be reversed and, since the difference between rounds is only the key, the sequence of keys has to be reversed.
• The key shifts are reversed (right shift instead of left shift). Note that the shift amounts were chosen so that after round 16 the key has shifted all the way around to where it started at round 0.
• The initial and final permutations stay where they are: the initial permutation ‘undoes’ the final permutation so the first round gets the correct input.
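The basic step, the one-way function and the decryption rule above, as an added example that is not part of the original slides. It assumes a toy round function built from SHA-256 in place of DES's F, sixteen constructed 48-bit subkeys, and illustrative names (`toy_f`, `feistel`, `find_collision`); the initial and final permutations are left out.

```python
import hashlib

def toy_f(half, subkey):
    """Stand-in for F: a 32-bit hash of (R, K). Many-to-one, so it has no inverse."""
    data = half.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def feistel(block, subkeys):
    """Run one round per subkey over a 64-bit block, then swap the halves."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} xor F(R_{i-1}, K_i)
        left, right = right, left ^ toy_f(right, k)
    return (right << 32) | left

def encrypt(block, subkeys):
    return feistel(block, subkeys)

def decrypt(block, subkeys):
    # Same rounds, same F, subkeys in reverse order. F itself is never inverted.
    return feistel(block, subkeys[::-1])

def find_collision(subkey):
    """Find two different inputs with the same F output (birthday search)."""
    seen = {}
    for half in range(1 << 32):
        out = toy_f(half, subkey)
        if out in seen:
            return seen[out], half
        seen[out] = half

# Constructed sample data: sixteen 48-bit subkeys and one 64-bit block.
SUBKEYS = [(0x0123456789AB * (i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    ct = encrypt(PLAINTEXT, SUBKEYS)
    a, b = find_collision(SUBKEYS[0])
    print(f"ciphertext {ct:016x}, decrypted {decrypt(ct, SUBKEYS):016x}")
    print(f"F({a:#x}) == F({b:#x}) under K1, yet every round still inverts")
```

The collision shows that F cannot be run backwards, while `decrypt` still recovers the block because each round only XORs F's output back out.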
Modes of DES
DES is typically used in one of four modes of operation:
ECB: Electronic Codebook Mode
CBC: Cipher Block Chaining Mode
CFB: Cipher Feedback Mode
OFB: Output Feedback Mode
Electronic Codebook Mode
Each block of 64 bits is encrypted and decrypted independently of other blocks.
A cryptanalyst can collect plaintext/ciphertext pairs for known plaintext, compile a ‘codebook’ and detect repetitions of the input.
Block replay is a threat. An attacker can replace a block of ciphertext by a different one, undetected by the receiver.
Solution: cipher block chaining ...
Cipher Block Chaining Mode
The purpose is to make blocks depend on all previous blocks so that block substitution no longer works (a checksum at the end of the message will detect tampering).
$C_i = \{P_i \oplus C_{i-1}\}_K \qquad P_i = C_{i-1} \oplus \{C_i\}_K$
(In the second equation, $\{C_i\}_K$ is the decryption of $C_i$ under $K$.)
Two identical messages will still encrypt the same, so an initialization vector (a block of random bits) is chosen for $C_0$.
Note that the IV is not secret, but that’s okay, none of the other $C_i$ are secret either.
Cipher Feedback Mode
[Figure: Cipher Feedback mode, with panels for encryption (P to C) and decryption (C to P), each showing a shift register with positions 0 to 7, Encrypt, Key and Shift.]
An initialization vector provides the initial contents of the shift register.
Output Feedback Mode
Output Feedback mode generates an input-independent one-time pad that is XOR-ed with the input stream.
[Figure: Output Feedback mode, with panels for encryption and decryption, each showing a shift register with positions 0 to 7, Encrypt, Key and Shift; the keystream K is combined with P to give C and with C to give P.]
OFB Feedback Size
Output Feedback mode is not secure unless the feedback size equals the block size (i.e., 64 bits). The cycle time is then $2^{64} - 1$. Smaller feedback sizes shorten the cycle time to approximately $2^{32}$ — not long enough.
[Figure: OFB with full-block feedback, with labels Encrypt, Key, K, P and C.]
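A scaled-down model of the feedback-size effect, added here as an example that is not part of the original slides. It assumes a 16-bit toy block in place of DES's 64 bits and a keyed random permutation (`toy_cipher`, a hypothetical stand-in for the Encrypt box), so the shift-register cycle can be walked exhaustively; full 16-bit feedback typically runs for tens of thousands of steps before repeating, 8-bit feedback for a few hundred.

```python
import random

BLOCK_BITS = 16          # toy block size standing in for DES's 64 bits
STATES = 1 << BLOCK_BITS

def toy_cipher(key):
    """Keyed random permutation of all 16-bit blocks: a stand-in for E_K, not DES."""
    table = list(range(STATES))
    random.Random(key).shuffle(table)
    return table

def steps_until_repeat(table, iv, feedback_bits):
    """Keystream chunks produced before the shift register repeats a state."""
    seen, state, steps = set(), iv, 0
    while state not in seen:
        seen.add(state)
        # Feed back only the leftmost feedback_bits bits of E_K(state).
        chunk = table[state] >> (BLOCK_BITS - feedback_bits)
        state = ((state << feedback_bits) | chunk) & (STATES - 1)
        steps += 1
    return steps

def mean_steps(feedback_bits, keys=range(10), iv=0x1234):
    """Average over several constructed keys to smooth out per-key variation."""
    runs = [steps_until_repeat(toy_cipher(k), iv, feedback_bits) for k in keys]
    return sum(runs) / len(runs)

if __name__ == "__main__":
    print("full 16-bit feedback:", mean_steps(16))
    print("8-bit feedback:      ", mean_steps(8))
```

With full feedback the register update is the permutation itself, so the state walks one long cycle; with partial feedback the update is no longer a permutation and the state falls into a short cycle.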
Weak Keys
The halves of the key are shifted. If one key half consists entirely of 1s or 0s, shifting it around won’t change it. This creates a substantial weakness. The following keys, therefore, are weak:
0000000 0000000
0000000 FFFFFFF
FFFFFFF 0000000
FFFFFFF FFFFFFF
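A key-validation check built on the shifting described in "The Key" and above, added as an example that is not part of the original slides. It uses the per-round shift amounts of the DES standard; the function names and the two sample keys are chosen here, and the alternating-bit key goes beyond the four keys listed on the slide.

```python
# Per-round left-shift amounts from the DES standard; they total 28.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
MASK28 = (1 << 28) - 1

def rotl28(half, n):
    """Circular left shift of a 28-bit key half."""
    return ((half << n) | (half >> (28 - n))) & MASK28

def round_halves(c, d):
    """Key halves (C_i, D_i) fed to the compression permutation in rounds 1..16."""
    halves = []
    for n in SHIFTS:
        c, d = rotl28(c, n), rotl28(d, n)
        halves.append((c, d))
    return halves

def distinct_round_inputs(c, d):
    """Upper bound on the number of different round keys this key can produce."""
    return len(set(round_halves(c, d)))

def classify(c, d):
    n = distinct_round_inputs(c, d)
    if n == 1:
        return "weak: all 16 round keys identical"
    if n == 2:
        return "degenerate: at most 2 distinct round keys"
    return f"ok: {n} distinct shifted states"

# The four weak keys from the slide, as (C, D) halves, plus constructed samples.
WEAK = [(0x0000000, 0x0000000), (0x0000000, 0xFFFFFFF),
        (0xFFFFFFF, 0x0000000), (0xFFFFFFF, 0xFFFFFFF)]
ALTERNATING = (0xAAAAAAA, 0x5555555)   # constructed; not on the slide
ORDINARY = (0x0F0F0F1, 0x3C3C3C5)      # constructed sample key halves

if __name__ == "__main__":
    for c, d in WEAK + [ALTERNATING, ORDINARY]:
        print(f"{c:07X} {d:07X}  {classify(c, d)}")
```

Because the shifts total 28, the last entry of `round_halves` is always the starting pair, which is the wrap-around the decryption slide relies on.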
Complement Keys
The encryption is done entirely by shifting and permuting bits and by XOR-ing. The results of shifting and permuting are independent of the bit values. Due to the property of XOR, therefore:
$\{P\}_K = C \;\Leftrightarrow\; \{P'\}_{K'} = C'$
where $X'$ is the bitwise complement of $X$.
DES and Mathematics
If the DES operator formed a group over the set of inputs:
$\forall K_1, K_2\ \exists K_3 : \{\{P\}_{K_1}\}_{K_2} = \{P\}_{K_3}$
This would imply double DES would be useless. If DES were pure:
$\forall K_1, K_2, K_3\ \exists K_4 : \{\{\{P\}_{K_1}\}_{K_2}\}_{K_3} = \{P\}_{K_4}$
and triple DES would be useless.
Fortunately, DES is not a group and it is certainly not pure (one implies the other).
Triple DES
Works by encrypting, decrypting and encrypting with three keys (sometimes with two: $K_1, K_2, K_1$).
[Figure: triple DES. P passes through Encrypt, Decrypt, Encrypt under K1, K2, K3 to give C; the reverse direction is Decrypt, Encrypt, Decrypt.]
DESX
Uses whitening, which makes a brute-force attack much, much harder.
[Figure: DESX, with labels P, K1, Encrypt, K, a function F of the keys, and C.]
IDEA
Proposed in 1960, by Xuejia Lai and James Massey, IDEA is probably the strongest block cipher around today. It uses three basic operations on 16-bit subblocks:
$\oplus$: XOR
$\boxplus$: Addition modulo $2^{16}$
$\odot$: Multiplication modulo $2^{16} + 1$
DES encrypts 64-bit data blocks with a 128-bit key. The basic step — shown in the next slide — is repeated 8 times. During each step, 6 subkeys are used.
IDEA Basic Step
[Figure: IDEA basic step. One round maps X1, X2, X3, X4 to X'1, X'2, X'3, X'4 using subkeys Z1 to Z6; the output transformation uses Z1 to Z4.]
IDEA Subkeys
There are 6 subkeys for each round and 8 rounds: 48 subkeys. There are four more subkeys for the output transformation: 52 keys total.
• The 128-bit key is divided into 8 16-bit subkeys.
• These are used as the first 8 subkeys (6 in round 1, 2 in round 2).
• Then the key is rotated left 25 bits and is again divided into 8 subkeys (4 in round 2, 4 in round 3).
• This process repeats.
IDEA Decryption
Steps are reversed, key is rotated right, and subkeys are additively or multiplicatively inverted before use (this is data independent, so it need only be done once at initialization).
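The three IDEA slides worked through in code, as an added example that is not part of the original slides: the three operations, the 52-subkey schedule with its 25-bit rotation, and decryption by running the same rounds with reversed, inverted subkeys. Function names and the sample key and block are chosen here.

```python
MASK = 0xFFFF

def mul(a, b):
    """Multiplication modulo 2^16 + 1; the 16-bit word 0 stands for 2^16."""
    return ((a or 0x10000) * (b or 0x10000) % 0x10001) & MASK

def mul_inv(a):
    """Multiplicative inverse modulo the prime 2^16 + 1 (Fermat's little theorem)."""
    return pow(a or 0x10000, 0xFFFF, 0x10001) & MASK

def add_inv(a):
    """Additive inverse modulo 2^16."""
    return -a & MASK

def encrypt_subkeys(key):
    """Eight 16-bit subkeys per pass; rotate the 128-bit key left 25 bits between passes."""
    z = []
    while len(z) < 52:
        z += [(key >> (112 - 16 * i)) & MASK for i in range(8)]
        key = ((key << 25) | (key >> 103)) & ((1 << 128) - 1)
    return z[:52]

def decrypt_subkeys(z):
    """Reversed and inverted subkeys; computed once, independent of the data."""
    d = []
    for r in range(8):
        a, b = add_inv(z[49 - 6 * r]), add_inv(z[50 - 6 * r])
        if r:  # the two addition subkeys trade places in all but the first group
            a, b = b, a
        d += [mul_inv(z[48 - 6 * r]), a, b, mul_inv(z[51 - 6 * r]),
              z[46 - 6 * r], z[47 - 6 * r]]
    return d + [mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])]

def crypt(block, z):
    """Eight rounds plus the output transformation on four 16-bit subblocks."""
    x1, x2, x3, x4 = block
    for r in range(8):
        k = z[6 * r:6 * r + 6]
        x1, x2 = mul(x1, k[0]), (x2 + k[1]) & MASK
        x3, x4 = (x3 + k[2]) & MASK, mul(x4, k[3])
        t = mul(x1 ^ x3, k[4])
        u = mul(((x2 ^ x4) + t) & MASK, k[5])
        t = (t + u) & MASK
        x1, x2, x3, x4 = x1 ^ u, x3 ^ u, x2 ^ t, x4 ^ t
    k = z[48:]
    return (mul(x1, k[0]), (x3 + k[1]) & MASK, (x2 + k[2]) & MASK, mul(x4, k[3]))

KEY = 0x00010002000300040005000600070008   # sample 128-bit key
PLAIN = (0x0000, 0x0001, 0x0002, 0x0003)   # sample 64-bit block as four words
```

Decryption is `crypt(ciphertext, decrypt_subkeys(z))`: the same routine, with only the subkey list changed.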