Information Security and Management 3. Block Ciphers and the Data Encryption Standard Chih-Hung Wang Fall 2011 1

Upload: rodger-harrington

Post on 16-Jan-2016


Block Cipher Principles

• Block Ciphers and Stream Ciphers
▫ A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
▫ It is like a substitution on very big characters: 64/128 bits or more.
▫ A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
▫ Many current ciphers are block ciphers.

[Figure: Block Ciphers and Stream Ciphers]

Motivation

• Reversible Mapping

Reversible Mapping        | Irreversible Mapping
Plaintext   Ciphertext    | Plaintext   Ciphertext
00          11            | 00          11
01          10            | 01          10
10          00            | 10          01
11          01            | 11          01

A General Substitution Cipher

• If a small block size, such as $n = 4$, is used, then the system is equivalent to a classical substitution cipher. Such systems are vulnerable to statistical analysis of the plaintext.
• An arbitrary reversible substitution cipher for a large block size is not practical.

A General Substitution Cipher

The size of the key is $n \times 2^n$. For a 64-bit block, the key size is $64 \times 2^{64} \approx 10^{21}$ bits.

Block Cipher Principles

• most symmetric block ciphers are based on a Feistel Cipher Structure
• Feistel proposed the use of a cipher that alternates substitutions and permutations
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• would need table of $2^{64}$ entries for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher

Claude Shannon and Substitution-Permutation Ciphers

• in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
▫ modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
▫ substitution (S-box)
▫ permutation (P-box)
• provide confusion and diffusion of message

Diffusion and Confusion

• Cipher needs to completely obscure statistical properties of original message
• a one-time pad does this
• more practically Shannon suggested combining elements to obtain:
• diffusion – the statistical structure of the plaintext is dissipated into long range statistics of the ciphertext
• confusion – makes relationship between ciphertext and key as complex as possible

Feistel Cipher Structure

• Horst Feistel devised the Feistel cipher
▫ based on concept of invertible product cipher
• Partitions input block into two halves
▫ The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block.
• Implements Shannon’s substitution-permutation network concept

[Figure: Feistel Cipher Structure]

Feistel Cipher Design Principles

• Block size
▫ larger block sizes mean greater security but reduced encryption/decryption speed
• Key size
▫ increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• Number of rounds
▫ a single round offers inadequate security
▫ increasing number improves security, but slows cipher
• Subkey generation
▫ greater complexity should lead to greater difficulty of cryptanalysis
• Round function
▫ greater complexity means greater resistance to cryptanalysis
• Fast software encryption/decryption
• Ease of analysis
▫ DES does not have an easily analyzed functionality

Feistel Cipher Decryption

• Use the ciphertext as input to the algorithm, but use the subkeys $K_i$ in reverse order.

$$LE_{16} = RE_{15}$$
$$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$$

Decryption

$$LD_1 = RD_0 = LE_{16} = RE_{15}$$
$$RD_1 = LD_0 \oplus F(RD_0, K_{16}) = RE_{16} \oplus F(RE_{15}, K_{16}) = [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16})$$

[Figure: Feistel Cipher Decryption]

General Form of Feistel Cipher

$$LE_i = RE_{i-1}$$
$$RE_i = LE_{i-1} \oplus F(RE_{i-1}, K_i)$$
$$RE_{i-1} = LE_i$$
$$LE_{i-1} = RE_i \oplus F(RE_{i-1}, K_i) = RE_i \oplus F(LE_i, K_i)$$
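The round equations above, run as code (an added example, not part of the original slides). The round function F and the key schedule are hypothetical stand-ins built from SHA-256, not those of DES; F is deliberately not invertible, which the Feistel structure never requires.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def F(right, subkey):
    """Hypothetical round function: a truncated hash, so it cannot be inverted."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def subkeys_from(key):
    """Hypothetical key schedule (not DES's): one 48-bit subkey K_1..K_16 per round."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:6], "big")
            for i in range(1, ROUNDS + 1)]

def rounds(block, subkeys):
    """Return [(L_0, R_0), ..., (L_16, R_16)] for a 64-bit block."""
    left, right = block >> 32, block & MASK32
    states = [(left, right)]
    for k in subkeys:
        # LE_i = RE_{i-1};  RE_i = LE_{i-1} xor F(RE_{i-1}, K_i)
        left, right = right, left ^ F(right, k)
        states.append((left, right))
    return states

def feistel(block, subkeys):
    left, right = rounds(block, subkeys)[-1]
    return (right << 32) | left      # final swap of the two halves

def encrypt(block, key):
    return feistel(block, subkeys_from(key))

def decrypt(block, key):
    # Same algorithm, subkeys applied as K_16, K_15, ..., K_1.
    return feistel(block, subkeys_from(key)[::-1])

def mirror_holds(block, key):
    """Check LD_i = RE_{16-i} and RD_i = LE_{16-i} for every round i."""
    ks = subkeys_from(key)
    enc = rounds(block, ks)
    dec = rounds(feistel(block, ks), ks[::-1])
    return all(dec[i] == (enc[ROUNDS - i][1], enc[ROUNDS - i][0])
               for i in range(ROUNDS + 1))

if __name__ == "__main__":
    key, pt = b"constructed key", 0x0123456789ABCDEF   # constructed sample values
    ct = encrypt(pt, key)
    print(f"ciphertext  {ct:016X}")
    print(f"decrypted   {decrypt(ct, key):016X}")
    print("round states mirror each other:", mirror_holds(pt, key))
```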

Data Encryption Standard (DES)

• History
▫ National Bureau of Standards (now the National Institute of Standards and Technology: NIST), 1977: adopted as Federal Information Processing Standard 46 (FIPS PUB 46)
▫ 1960: IBM LUCIFER project

DES

• Critique
▫ The key length
  In IBM’s original LUCIFER algorithm the key length is 128 bits, but that of the proposed system was only 56 bits.
▫ Design criteria for the internal structure
  S-boxes: any hidden weak points that could enable NSA to decipher messages without benefit of the key?
  Differential cryptanalysis -> DES has a very strong internal structure

DES

• Not Secure?
▫ DES has flourished and is widely used, especially in financial applications
▫ In 1994, NIST reaffirmed DES for federal use for another five years
▫ NIST recommends the use of DES for applications other than protection of classified information

DES Encryption

• Data are encrypted in 64-bit blocks using a 56-bit key.
• Transforms 64-bit input in a series of steps into 64-bit output.

The Structure of Block Cipher

[Figure: an n-bit plaintext passes through t rounds of a weak cipher (1st round, 2nd round, ..., t-th round) to give the ciphertext; a sub-key generator derives the round keys K1, K2, ..., Kt from the k-bit key.]

[Figure: General Depiction]

[Figure: Details of Single Round]

Details of Single Round

• $L_i = R_{i-1}$; $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$ ($i = 1, \dots, 15$)
• $L_i = L_{i-1} \oplus f(R_{i-1}, K_i)$; $R_i = R_{i-1}$ ($i = 16$)

Feistel Encryption

[Figure: the 64-bit input passes through IP and is split into the 32-bit halves L0 and R0; each round i applies f with subkey ki to produce Li and Ri, for k1, k2, ..., k16; L16 and R16 pass through IP-1 to give the 64-bit output.]

IP and IP-1

IP (Initial Permutation)  | IP-1 (Inverse Initial Permutation)
58 50 42 34 26 18 10  2   | 40  8 48 16 56 24 64 32
60 52 44 36 28 20 12  4   | 39  7 47 15 55 23 63 31
62 54 46 38 30 22 14  6   | 38  6 46 14 54 22 62 30
64 56 48 40 32 24 16  8   | 37  5 45 13 53 21 61 29
57 49 41 33 25 17  9  1   | 36  4 44 12 52 20 60 28
59 51 43 35 27 19 11  3   | 35  3 43 11 51 19 59 27
61 53 45 37 29 21 13  5   | 34  2 42 10 50 18 58 26
63 55 47 39 31 23 15  7   | 33  1 41  9 49 17 57 25

Expansion & Permutation

Expansion (E)
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Permutation (P)
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25

Calculation of F(R,K)

[Figure: R (32 bits) is expanded by E to 48 bits and combined with the subkey ki (48 bits); the result passes through the S-boxes S1 to S8 and then through P to give the output F (32 bits).]

S-box (EX. S1)

S1     Column
Row     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0      14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
1       0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
2       4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
3      15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

Example: for the input 011001, the outer bits 01 select row 1 and the middle bits 1100 select column 12; the output is 9 (1001).

Key Generation

[Figure: the 56-bit key (input bits 1 to 64) passes through PC-1 and is split into the 28-bit halves C0 and D0; in each round i both halves are left-shifted to give Ci and Di, and PC-2 selects the subkey ki from them, for k1 to k16.]

Key Generation Left shift

Round number   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Bits rotated   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

PC-1                  | PC-2
57 49 41 33 25 17  9  | 14 17 11 24  1  5
 1 58 50 42 34 26 18  |  3 28 15  6 21 10
10  2 59 51 43 35 27  | 23 19 12  4 26  8
19 11  3 60 52 44 36  | 16  7 27 20 13  2
63 55 47 39 31 23 15  | 41 52 31 37 47 55
 7 62 54 46 38 30 22  | 30 40 51 45 33 48
14  6 61 53 45 37 29  | 44 49 39 56 34 53
21 13  5 28 20 12  4  | 46 42 50 36 29 32

DES Decryption

• Decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.
▫ $K_{16}, K_{15}, \dots, K_1$

[Figure: DES Example]

The Avalanche Effect

• DES exhibits a strong avalanche effect
▫ Two plaintexts differ by one bit
▫ Two keys differ by one bit

(a) Change in Plaintext (1 bit)
Round   Number of bits that differ
1       6
4       39
8       29
12      30
16      34

(b) Change in Key (1 bit)
Round   Number of bits that differ
1       2
4       32
8       34
12      33
16      35

[Figure: DES Avalanche Effect - Change in Plaintext]

[Figure: DES Avalanche Effect - Change in Key]

The Strength of DES

• 56-bit DES
▫ 1977 Diffie & Hellman
  Parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond.
  Average search time down to about 10 hours
  The cost would be about $20 million

The Strength of DES

▫ 1993 Wiener
  Key search rate of 50 million keys per second
  Design a module that costs $100,000 and contains 5750 key search chips

Key search machine unit cost | Expected search time
$100,000                     | 35 hours
$1,000,000                   | 3.5 hours
$10,000,000                  | 21 minutes

The Strength of DES

• RSA Laboratories
▫ The Challenge
  Offered a $10,000 reward; the task was to find a DES key given a ciphertext for a plaintext consisting of an unknown plaintext message preceded by three known blocks of text containing the 24-character phrase “the unknown message is:”
  January 29, 1997: a brute-force program was developed and distributed over the Internet.
  The project linked numerous machines over the Internet and eventually grew to over 70,000 systems
  Ended 96 days later when the correct key was found after examining about one-quarter of all possible keys.

Cryptanalysis of DES

• Differential Cryptanalysis
▫ Biham and Shamir [1993] [BIHA93]
  Can successfully cryptanalyze DES with an effort on the order of $2^{47}$, requiring $2^{47}$ chosen plaintexts (brute-force method: $2^{55}$)
  It does not do very well against DES. Differential cryptanalysis was known to the IBM team as early as 1974.
▫ Linear Cryptanalysis
▫ Weak keys; Semi-weak keys

Differential Cryptanalysis

• A statistical attack against Feistel ciphers
• Uses cipher structure not previously used
• Design of S-P networks has output of function f influenced by both input & key
• Hence cannot trace values back through cipher without knowing values of the key
• Differential Cryptanalysis compares two related pairs of encryptions

Differential Cryptanalysis Compares Pairs of Encryptions

• With a known difference in the input
• Searching for a known difference in output
• When same subkeys are used

[Figure: Differential Cryptanalysis (Three Rounds of DES)]

Linear Cryptanalysis

• Another recent development
• Also a statistical method
• Must be iterated over rounds, with decreasing probabilities
• Developed by Matsui et al in early 90's [MATS93]
• Based on finding linear approximations
• Can attack DES given $2^{47}$ known plaintexts, still infeasible as an attack on DES

Block Cipher Design Principles

• Basic principles still like Feistel in 1970’s
• DES design criteria [COPP94] (Coppersmith)
• Number of rounds
▫ The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F.
• Design of function F:
▫ S-box design
▫ Provides “confusion”, is nonlinear, avalanche
• Key schedule
▫ Complex subkey creation, key (strict) avalanche, bit independence [ADAM94]

Block Cipher Modes

[Figure: Apply DES in Multiple Data Blocks. The plaintext M is divided into 64-bit blocks, which the DES cipher turns into the ciphertext C.]

Block Cipher Modes

• Four modes have been defined (FIPS PUB 74, 81)
▫ Electronic Codebook (ECB)
▫ Cipher Block Chaining (CBC)
▫ Cipher Feedback (CFB)
▫ Output Feedback (OFB)
• NIST has expanded the list of recommended modes to five in Special Publication 800-38A
▫ ** Counter (CTR)

[Figure: ECB]

ECB

• Each block of 64 plaintext bits is encoded independently using the same key
• Typical Application
▫ Secure transmission of single values (e.g., an encryption key)

ECB

• Security
▫ For lengthy messages, the ECB mode may not be secure.
  If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.
  For example: the message always starts out with certain predefined fields.
  The message has repetitive elements, with a period of repetition a multiple of 64 bits.

[Figure: CBC]

CBC

• The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext.
• Typical Application
▫ General-purpose block-oriented transmission

CBC

• Expression
▫ Encryption
  $C_n = E_K(C_{n-1} \oplus P_n)$
▫ Decryption
  $D_K[C_n] = D_K[E_K(C_{n-1} \oplus P_n)] = C_{n-1} \oplus P_n$
  $\Rightarrow C_{n-1} \oplus D_K[C_n] = C_{n-1} \oplus C_{n-1} \oplus P_n = P_n$

CBC

• IV: initialization vector
▫ Must be known to both the sender and receiver.
▫ IV should be protected as well as the key.
▫ This should be done by sending the IV using ECB encryption
▫ If an opponent can predictably change bits in IV, the corresponding bits of the received value of P1 can be changed.
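The ECB regularity problem and the CBC dependence on an intact IV, shown side by side (an added example, not part of the original slides). E and D are a toy invertible 64-bit keyed permutation standing in for DES, which is an assumption of this sketch and not secure; the key, IV and message are constructed sample values.

```python
MASK = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15              # odd, hence invertible modulo 2**64
INV = pow(MUL, -1, 1 << 64)

def E(k, x):
    """Toy keyed 64-bit permutation standing in for DES encryption (not secure)."""
    for _ in range(4):
        x = ((x ^ k) * MUL) & MASK
        x = ((x << 13) | (x >> 51)) & MASK
    return x

def D(k, y):
    """Inverse of E."""
    for _ in range(4):
        y = ((y >> 13) | (y << 51)) & MASK
        y = ((y * INV) & MASK) ^ k
    return y

def to_blocks(data):
    """Split bytes into 64-bit integers (length must be a multiple of 8)."""
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]

def ecb_encrypt(k, blocks):
    return [E(k, p) for p in blocks]          # every block on its own

def cbc_encrypt(k, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = E(k, prev ^ p)                 # C_n = E_K(C_{n-1} xor P_n)
        out.append(prev)
    return out

def cbc_decrypt(k, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(prev ^ D(k, c))            # P_n = C_{n-1} xor D_K[C_n]
        prev = c
    return out

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    return len(ciphertext) - len(set(ciphertext))

KEY = 0x0F1E2D3C4B5A6978                      # constructed sample key
IV = 0x1122334455667788                       # constructed sample IV
# Constructed message: a predefined header field, then a field repeating every 64 bits.
MESSAGE = to_blocks(b"HDR:0001" + b"AAAAAAAA" * 3)

if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, MESSAGE)
    cbc = cbc_encrypt(KEY, IV, MESSAGE)
    print("repeated blocks, ECB:", repeated_blocks(ecb))
    print("repeated blocks, CBC:", repeated_blocks(cbc))
    delta = 1 << 56                           # one bit of the IV changed in transit
    received = cbc_decrypt(KEY, IV ^ delta, cbc)
    print(f"P1 sent     {MESSAGE[0]:016X}")
    print(f"P1 received {received[0]:016X}")
    print("later blocks intact:", received[1:] == MESSAGE[1:])
```

The changed IV bit reappears in P1 and nowhere else, so the receiver cannot notice it from the decryption alone.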

CFB

• Encryption

[Figure: CFB encryption]

CFB

• Decryption

[Figure: CFB decryption]

[Figure: CFB (5e book)]

CFB

• Input is processed J bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of ciphertext.
• Typical Application
▫ General-purpose stream-oriented transmission
▫ Authentication

CFB

• Stream Cipher
▫ It is possible to convert DES into a stream cipher, using either CFB or OFB.
▫ A stream cipher eliminates the need to pad a message to be an integral number of blocks.
▫ A stream cipher can operate in real time.

OFB

• Encryption

[Figure: OFB encryption]

OFB

• Decryption

[Figure: OFB decryption]

[Figure: OFB (5e book)]

OFB

• Similar to CFB, except that the input to the encryption algorithm is the preceding DES output.
• Typical Application
▫ Stream-oriented transmission over noisy channel (e.g., satellite communication)

OFB

• Advantage
▫ Bit errors in transmission do not propagate. If a bit error occurs in C1, only the recovered value of P1 is affected.
• Disadvantage
▫ It is more vulnerable to a message stream modification attack than is CFB.
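How one changed ciphertext bit shows up after decryption in CFB and in OFB, as described on the CFB and OFB slides (an added example, not part of the original deck). E is a keyed BLAKE2b truncated to 64 bits standing in for DES encryption, an assumption that works because both modes only run the cipher in the encrypt direction; J is fixed at 64 bits and the key, IV and message are constructed.

```python
import hashlib

UNIT = 8    # bytes per unit, i.e. J = 64 bits

def E(key, block):
    """Stand-in for DES encryption: keyed BLAKE2b truncated to 64 bits."""
    return hashlib.blake2b(block, key=key, digest_size=UNIT).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))    # a short last unit needs no padding

def split(data):
    return [data[i:i + UNIT] for i in range(0, len(data), UNIT)]

def cfb(key, iv, data, decrypt=False):
    out, feedback = [], iv
    for unit in split(data):
        result = xor(unit, E(key, feedback))
        out.append(result)
        feedback = unit if decrypt else result   # the feedback is always ciphertext
    return b"".join(out)

def ofb(key, iv, data):
    out, feedback = [], iv
    for unit in split(data):
        feedback = E(key, feedback)              # the feedback is the cipher output
        out.append(xor(unit, feedback))
    return b"".join(out)                         # the same call encrypts and decrypts

def flip_bit(data, bit):
    """Flip one bit; bit 0 is the most significant bit of the first byte."""
    out = bytearray(data)
    out[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(out)

def damaged_units(sent, received):
    """Indexes of the units whose recovered plaintext differs from what was sent."""
    pairs = zip(split(sent), split(received))
    return [i for i, (a, b) in enumerate(pairs) if a != b]

KEY = b"constructed-key"                         # constructed sample values
IV = bytes.fromhex("0011223344556677")
MESSAGE = b"sensor=0417;unit=C;status=ok."       # 29 bytes, not a multiple of 8

if __name__ == "__main__":
    for name, enc, dec in (
        ("CFB", lambda m: cfb(KEY, IV, m), lambda c: cfb(KEY, IV, c, decrypt=True)),
        ("OFB", lambda m: ofb(KEY, IV, m), lambda c: ofb(KEY, IV, c)),
    ):
        received = dec(flip_bit(enc(MESSAGE), 3))    # one bit of C1 changed in transit
        print(name, "damaged units:", damaged_units(MESSAGE, received), received)
```

In OFB the recovered plaintext differs from the original in exactly the flipped bit, which is why the mode tolerates channel noise and also why it needs a separate integrity check.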

Counter Mode (CTR)

• Encryption

[Figure: CTR encryption]

CTR

• Decryption

[Figure: CTR decryption]

CTR

• This mode was proposed early on [DIFF79]
• Applications to ATM (asynchronous transfer mode) network security and IPSec (IP Security)
• Advantages [LIPM00]
▫ Hardware efficiency
▫ Software efficiency
▫ Preprocessing
▫ Random access
▫ Provable
▫ Simplicity

[Figure: CTR (5e book)]