
Page 1: Lecture 3 The Data Encryption Standard (DES). In 1974, IBM submitted an algorithm called LUCIFER for the National Bureau of Standards (NBS). The NBS forwarded

Lecture 3 The Data Encryption Standard (DES)

In 1974, IBM submitted an algorithm called LUCIFER to the National Bureau of Standards (NBS). The NBS forwarded it to the National Security Agency (NSA), which reviewed it and returned a version called the Data Encryption Standard (DES) algorithm. In 1977, NBS made it the official data encryption standard for use on all unclassified government communications. This was probably the result of a misunderstanding between NSA and NBS. The NSA thought DES was hardware-only, but NBS published enough details that people could write DES software. If NSA had known the details would be released so that people could write software, they would never have agreed to it.

From 1975 on, there has been controversy surrounding DES. Many were wary of the NSA's 'invisible hand' in the development of the algorithm:

The NSA had modified the algorithm to install a trapdoor.

The NSA reduced the key size from the original 128 bits to 56 bits.

The reasons for the inner workings of the algorithm were not explained; differential cryptanalysis is one example.

Much of NSA's reasoning became clear in the early 1990s, but in the 1970s this seemed mysterious and worrisome.

DES has lasted about 30 years, but it is becoming outdated. Therefore, NIST replaced it with a new system in the year 2000. However, it is worth studying DES since it represents a popular class of algorithms.

DES is a block cipher; it encrypts data in 64-bit blocks. A 64-bit block of plaintext goes in one end of the algorithm and a 64-bit block of ciphertext comes out the other end. DES is a symmetric algorithm. The actual mechanics of how this is done is often called a Feistel system.

Outline

1 A Simplified DES-Type Algorithm
2 Differential Cryptanalysis
3 DES
4 DES Is Not A Group
5 Breaking DES
6 Password Security
7 Modification Detection Code (MDC)

1 A Simplified DES-Type Algorithm

[Figure: one round of a Feistel system. The input halves $L_{i-1}$ (6 bits) and $R_{i-1}$ (6 bits) and the round key $K_i$ (8 bits) enter the round; $R_{i-1}$ and $K_i$ feed the function $f$; the outputs are $L_i$ and $R_i$.]

One round of a Feistel system (Continued)

Encryption process: $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$, where $\oplus$ denotes XOR. This operation is performed for a certain number of rounds, say $n$, and produces the ciphertext $[L_n, R_n]$.

Decryption process: Use the same procedure as before, but with the keys $K_i$ used in reverse order. The first step takes $[R_n, L_n]$ and gives the output
$$[L_n,\ R_n \oplus f(L_n, K_n)] = [R_{n-1},\ L_{n-1} \oplus f(R_{n-1}, K_n) \oplus f(R_{n-1}, K_n)] = [R_{n-1}, L_{n-1}].$$
Continuing, we see that it leads to $[R_0, L_0]$. Switch to obtain $[L_0, R_0]$.

One round of a Feistel system (Continued)

[Figure: the function $f(R_{i-1}, K_i)$. $R_{i-1}$ enters the expander $E$, giving $E(R_{i-1})$, which is XORed with $K_i$; the first 4 bits of the result go to S-box $S_1$ and the last 4 bits to S-box $S_2$; the two 3-bit outputs, concatenated, form $f(R_{i-1}, K_i)$.]

One round of a Feistel system (Continued)

The expander function $E$ takes the 6 input bits $b_1 b_2 b_3 b_4 b_5 b_6$ to 8 output bits by duplicating bits 3 and 4:

  input bit:   1  2  3  4  5  6
  output:      1  2  4  3  4  3  5  6

The S-boxes (each takes 4 bits: the first bit selects the row, the last three bits select the column, and the entry is the 3-bit output):

S1:
  101 010 001 110 011 100 111 000
  001 100 110 010 000 111 101 011

S2:
  100 000 110 101 111 001 011 010
  101 011 000 111 110 010 001 100

One round of a Feistel system (Continued)

Example 1. Suppose the input is $L_{i-1}R_{i-1} = 011100100110$ and $K_i = 01100101$. This means $L_{i-1} = 011100$ and $R_{i-1} = 100110$. Then $E(R_{i-1}) = E(100110) = 10101010$, and $E(R_{i-1}) \oplus K_i = 10101010 \oplus 01100101 = 11001111$. The bits 1100 are sent to $S_1$ and get the output 000. The bits 1111 are sent to $S_2$ and get the output 100. Therefore, $f(R_{i-1}, K_i) = 000100$. Then $L_{i-1} \oplus f(R_{i-1}, K_i) = 011100 \oplus 000100 = 011000$. Since $L_i = R_{i-1} = 100110$, we obtain $L_iR_i = 100110011000$.
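Example 1 and the encryption/decryption processes of the previous pages, carried through in code. This is an added example, not code from the lecture: it implements the expander, the two S-boxes, $f$ and the Feistel step exactly as tabulated above, and an $n$-round encrypt/decrypt pair. The round-key rule ($K_i$ is the 8 bits of the 9-bit key $K$ starting at bit $i$, wrapping around) is the one used later in Section 2.1 and is assumed here.

```python
# Simplified DES-type algorithm from the lecture: 12-bit block, 8-bit round keys.

# S-boxes: row selected by the first input bit, column by the last three bits.
S1 = [[0b101, 0b010, 0b001, 0b110, 0b011, 0b100, 0b111, 0b000],
      [0b001, 0b100, 0b110, 0b010, 0b000, 0b111, 0b101, 0b011]]
S2 = [[0b100, 0b000, 0b110, 0b101, 0b111, 0b001, 0b011, 0b010],
      [0b101, 0b011, 0b000, 0b111, 0b110, 0b010, 0b001, 0b100]]


def sbox(box, x):
    """4-bit input -> 3-bit output: row = first bit, column = last three bits."""
    return box[(x >> 3) & 1][x & 0b111]


def expand(r):
    """Expander E: b1 b2 b3 b4 b5 b6 -> b1 b2 b4 b3 b4 b3 b5 b6 (6 bits -> 8 bits)."""
    b = [(r >> (5 - i)) & 1 for i in range(6)]          # b[0] is b1
    out = [b[0], b[1], b[3], b[2], b[3], b[2], b[4], b[5]]
    return int("".join(map(str, out)), 2)


def f(r, k):
    """Round function: XOR the expanded right half with the 8-bit round key,
    send the first 4 bits to S1 and the last 4 bits to S2, concatenate (6 bits)."""
    x = expand(r) ^ k
    return (sbox(S1, x >> 4) << 3) | sbox(S2, x & 0xF)


def feistel_round(l, r, k):
    """L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    return r, l ^ f(r, k)


def round_key(key9, i):
    """K_i = 8 bits of the 9-bit key, starting at bit i (1-indexed, wrapping around).
    This key schedule is the one used in Section 2.1 (assumed here)."""
    bits = [(key9 >> (8 - j)) & 1 for j in range(9)]
    sel = [bits[(i - 1 + j) % 9] for j in range(8)]
    return int("".join(map(str, sel)), 2)


def encrypt(block12, key9, rounds):
    """Encryption process: rounds 1..n, ciphertext is [L_n, R_n]."""
    l, r = block12 >> 6, block12 & 0x3F
    for i in range(1, rounds + 1):
        l, r = feistel_round(l, r, round_key(key9, i))
    return (l << 6) | r


def decrypt(block12, key9, rounds):
    """Decryption process: start from [R_n, L_n], use the keys in reverse order,
    and switch the halves at the end to obtain [L_0, R_0]."""
    l, r = block12 & 0x3F, block12 >> 6
    for i in range(rounds, 0, -1):
        l, r = feistel_round(l, r, round_key(key9, i))
    return (r << 6) | l


if __name__ == "__main__":
    # Example 1: L = 011100, R = 100110, K_i = 01100101.
    print(format(expand(0b100110), "08b"))          # 10101010
    print(format(f(0b100110, 0b01100101), "06b"))   # 000100
    l, r = feistel_round(0b011100, 0b100110, 0b01100101)
    print(format(l, "06b"), format(r, "06b"))       # 100110 011000
    c = encrypt(0b011100100110, 0b001001101, 4)
    print(decrypt(c, 0b001001101, 4) == 0b011100100110)   # True
```

The decryption routine never needs an inverse of $f$, which is the point of the Feistel structure: the same round function, fed the same $K_i$, cancels itself out.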

2 Differential Cryptanalysis

The idea is to compare the differences in the ciphertexts for suitably chosen pairs of plaintexts and thereby deduce information about the key. Because the key is introduced by XORing with $E(R_{i-1})$, looking at the XOR of the inputs removes the effect of the key at this stage and hence removes some of the randomness introduced by the key.

2.1 Differential Cryptanalysis for Three Rounds

We temporarily start with $L_1R_1$ instead of $L_0R_0$. We use various inputs $L_1R_1$ and obtain outputs $L_4R_4$. We have
$$R_2 = L_1 \oplus f(R_1, K_2),\qquad L_3 = R_2,$$
$$R_4 = L_3 \oplus f(R_3, K_4) = L_1 \oplus f(R_1, K_2) \oplus f(R_3, K_4).$$
Suppose we have another message $L_1^*R_1^*$ with $R_1 = R_1^*$. Define $L_4^*R_4^*$ in the same way. Therefore,
$$R_4 \oplus R_4^* = L_1 \oplus L_1^* \oplus f(R_3, K_4) \oplus f(R_3^*, K_4).$$
This may be rearranged to
$$f(R_3, K_4) \oplus f(R_3^*, K_4) = R_4 \oplus R_4^* \oplus L_1 \oplus L_1^*.$$
Since $R_3 = L_4$, $R_3^* = L_4^*$, we obtain
$$f(L_4, K_4) \oplus f(L_4^*, K_4) = R_4 \oplus R_4^* \oplus L_1 \oplus L_1^*.$$
We know everything in this last equation except $K_4$.

2.1 Differential Cryptanalysis for Three Rounds (Continued)

From analyzing $f(L_4, K_4) \oplus f(L_4^*, K_4) = R_4 \oplus R_4^* \oplus L_1 \oplus L_1^*$, we know
(1) the XORs of the inputs to the two S-boxes (namely, the first four and the last four bits of $E(L_4) \oplus E(L_4^*)$), because $E(L_4) \oplus K_4 \oplus E(L_4^*) \oplus K_4 = E(L_4) \oplus E(L_4^*)$;
(2) the XORs of the two outputs (namely, the first three and the last three bits of $R_4 \oplus R_4^* \oplus L_1 \oplus L_1^*$).

2.1 Differential Cryptanalysis for Three Rounds (Continued)

A summary of the attack procedure:
(1) Look at the list of pairs with input XOR $E(L_4) \oplus E(L_4^*)$ and output XOR $R_4 \oplus R_4^* \oplus L_1 \oplus L_1^*$.
(2) The pair $(E(L_4) \oplus K_4,\ E(L_4^*) \oplus K_4)$ is on this list.
(3) Deduce the possibilities for $K_4$.
(4) Repeat until only one possibility for $K_4$ remains.

2.1 Differential Cryptanalysis for Three Rounds (Continued)

Example 2. We start with $L_1R_1 = 110001110110$ and the key $K = 001001101$. Assume that we don't yet know $K$. The key $K_i$ for the $i$th round of encryption is obtained by using 8 bits of $K$, starting with the $i$th bit. We obtain $L_4R_4 = 010000111001$. If we select $L_1^*R_1^* = 111011100110$, then $L_4^*R_4^* = 001001000110$. Therefore, $E(L_4) \oplus E(L_4^*) = 10101011$ and $R_4 \oplus R_4^* \oplus L_1 \oplus L_1^* = 010100$. It means that the output XOR from $S_1$ is 010, and the output XOR from $S_2$ is 100. The pairs (1001, 0011), (0011, 1001) produce output XOR equal to 010. So the first four bits of $K_4$ are in {1001, 0011}. In the same way, we can deduce that the last four bits of $K_4$ are in {0100, 1111}. Now repeat with $L_1R_1 = 110101110110$, $L_1^*R_1^* = 111011100110$. We find that the first four bits of $K_4$ are in {0011, 1000} and the last four bits of $K_4$ are in {0100, 1011}. So $K = 00?001101$. Only 001001101 can yield the correct encryption of $L_1R_1$. The key is 001001101.

2.2 Differential Cryptanalysis for Four Rounds

The analysis we used for three rounds still applies, but to extend it to four rounds we need to use more probabilistic techniques. Here we exploit some weaknesses in the S-boxes.

2.2 Differential Cryptanalysis for Four Rounds (Continued)

There is a weakness in the box $S_1$. If we look at the 16 input pairs with XOR equal to 0011, we discover that 12 of them have output XOR equal to 011. There is a similar weakness in the box $S_2$. Among the 16 input pairs with XOR equal to 1100, there are 8 with output XOR equal to 010.

Fact 1. Suppose that we start with randomly chosen $R_0, R_0^*$ such that $R_0 \oplus R_0^* = 001100$. This is expanded to $E(001100) = 00111100$. If we assume the outputs of the two S-boxes are independent, we see that the combined output XOR will be 011010 with probability $(12/16)(8/16) = 3/8$. Now suppose we choose $L_0, L_0^*$ so that $L_0 \oplus L_0^* = 011010$. From $R_1 \oplus R_1^* = L_0 \oplus L_0^* \oplus f(R_0, K_1) \oplus f(R_0^*, K_1) = 011010 \oplus 011010 = 000000$, we have $R_1 \oplus R_1^* = 000000$ and $L_1 \oplus L_1^* = R_0 \oplus R_0^* = 001100$ with probability 3/8.

2.2 Differential Cryptanalysis for Four Rounds (Continued)

The attack strategy:
Try several randomly chosen pairs of inputs with XOR $L_0R_0 \oplus L_0^*R_0^* = 011010001100$. Look at the outputs $L_4R_4$, $L_4^*R_4^*$. Assume that $L_1R_1 \oplus L_1^*R_1^* = 001100000000$. Then use three-round differential cryptanalysis to deduce a set of possible keys $K_4$. Since there seems to be no reason any incorrect key should appear frequently, the correct key should appear in the lists of keys more often than the other keys.

2.2 Differential Cryptanalysis for Four Rounds (Continued)

Example 3. Suppose we try several hundred random pairs of inputs with $L_0R_0 \oplus L_0^*R_0^* = 011010001100$. The frequencies (FQ) of the possible first four bits and last four bits of $K_4$ we obtain are in the following table.

  First  FQ | First  FQ | Last   FQ | Last   FQ
  0000   12 | 1000   33 | 0000   14 | 1000    8
  0001    7 | 1001   40 | 0001    6 | 1001   16
  0010    8 | 1010   35 | 0010   42 | 1010    8
  0011   15 | 1011   35 | 0011   10 | 1011   18
  0100   40 | 1100   59 | 0100   27 | 1100    8
  0101   13 | 1101   32 | 0101   10 | 1101   23
  0110    4 | 1110   28 | 0110    8 | 1110    6
  0111   16 | 1111   39 | 0111   11 | 1111   17

Therefore, $K = 10?110000$. Using the two possible keys to encrypt a message, we can get the correct key.

2.3 Differential Cryptanalysis

Comment. (1) It might be noticed that we could have obtained the key at least as quickly by simply running a brute-force attack. However, in more elaborate systems such as DES, differential cryptanalytic techniques are much more efficient than exhaustive search through all keys, at least until the number of rounds becomes fairly large.

2.3 Differential Cryptanalysis (Continued)

(2) Linear cryptanalysis is another type of cryptanalytic attack, invented by Mitsuru Matsui. This attack uses linear approximations to describe the action of a block cipher. Linear cryptanalysis is newer than differential cryptanalysis, and there may be more performance improvements (theoretically around $2^{43}$ plaintext-ciphertext pairs) in the coming years. But it is not clear that it can be used effectively against full DES in practice.

3 DES

The key is usually expressed as a 64-bit number, but every eighth bit is used for parity checking and is ignored. So the key length is 56 bits. The algorithm uses only standard arithmetic and logical operations on numbers of at most 64 bits, so it was easily implemented in late-1970s hardware technology. The repetitive nature of the algorithm makes it ideal for use on a special-purpose chip. Initial software implementations were clumsy, but current implementations are better.

3.1 Description of DES Algorithm

The DES algorithm of encryption consists of three stages:
(1) The bits of $m$ are permuted by a fixed initial permutation to obtain $m_0 = IP(m)$. Write $m_0 = L_0R_0$, where $L_0$ is the first 32 bits of $m_0$ and $R_0$ is the last 32 bits.
(2) For $1 \le i \le 16$, perform the following: $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$, where $K_i$ is a string of 48 bits obtained from the key $K$ and $f$ is a function to be described later.
(3) Switch left and right to obtain $R_{16}L_{16}$, then apply the inverse of the initial permutation to get the ciphertext $c = IP^{-1}(R_{16}L_{16})$.
Decryption is performed by exactly the same procedure, except that the keys $K_1, \ldots, K_{16}$ are used in reverse order. Step 3 means that we don't have to do the left-right switch like the simplified DES-type algorithm.

3.1 Description of DES Algorithm (Continued)

[Figure: DES flow. Plaintext $\to$ $IP$ $\to$ $L_0 R_0$ $\to$ round 1 with $f$ and $K_1$ $\to$ $L_1 R_1$ $\to \cdots \to$ $L_{16} R_{16}$ $\to$ $IP^{-1}$ $\to$ Ciphertext.]

3.2 Initial Permutation

Initial Permutation $IP$ (the first output bit is input bit 58, the second is input bit 50, and so on):

  58 50 42 34 26 18 10  2
  60 52 44 36 28 20 12  4
  62 54 46 38 30 22 14  6
  64 56 48 40 32 24 16  8
  57 49 41 33 25 17  9  1
  59 51 43 35 27 19 11  3
  61 53 45 37 29 21 13  5
  63 55 47 39 31 23 15  7

Without cryptographic significance, it was perhaps designed to make the algorithm load more efficiently into the chips that were available in the 1970s.

3.3 The Function $f(R_{i-1}, K_i)$

[Figure: $R_{i-1}$ (32 bits) $\to$ Expander $\to$ $E(R_{i-1})$ (48 bits) $\oplus$ $K_i$ (48 bits) $\to$ $B_1 B_2 B_3 B_4 B_5 B_6 B_7 B_8$ $\to$ S-boxes $S_1 S_2 S_3 S_4 S_5 S_6 S_7 S_8$ $\to$ $C_1 C_2 C_3 C_4 C_5 C_6 C_7 C_8$ $\to$ Permutation $\to$ $f(R_{i-1}, K_i)$ (32 bits).]

3.3 The Function $f(R_{i-1}, K_i)$ (Continued)

The function $f(R_{i-1}, K_i)$ is described as follows:
(1) $R_{i-1}$ (32 bits) is expanded to $E(R_{i-1})$ (48 bits) by the following table.

Expansion Permutation $E$:

  32  1  2  3  4  5
   4  5  6  7  8  9
   8  9 10 11 12 13
  12 13 14 15 16 17
  16 17 18 19 20 21
  20 21 22 23 24 25
  24 25 26 27 28 29
  28 29 30 31 32  1

(2) Compute $E(R_{i-1}) \oplus K_i$, and write it as $B_1 B_2 \cdots B_8$, where each $B_j$ has 6 bits.
(3) Write $B_j = b_1 b_2 b_3 b_4 b_5 b_6$. $B_j$ is the input for S-box $S_j$. The row of S-box $S_j$ is specified by $b_1 b_6$ while $b_2 b_3 b_4 b_5$ determines the column. In this way, we obtain eight 4-bit outputs $C_1, C_2, \ldots, C_8$.

3.3 The Function $f(R_{i-1}, K_i)$ (Continued)

S-Boxes (each S-box has 4 rows and 16 columns; the row is selected by $b_1 b_6$ and the column by $b_2 b_3 b_4 b_5$; the entry is the 4-bit output):

S-box 1
  14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
   0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
   4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

S-box 2
  15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
   3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
   0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
  13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

S-box 3
  10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
  13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
  13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
   1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12

S-box 4
   7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
  13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
  10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
   3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14

S-box 5
   2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
  14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
   4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
  11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

S-box 6
  12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
  10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
   9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
   4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13

S-box 7
   4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
  13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
   1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
   6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12

S-box 8
  13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
   1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
   7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
   2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11

3.3 The Function $f(R_{i-1}, K_i)$ (Continued)

(4) The string $C_1 C_2 \cdots C_8$ is permuted according to the following table. The resulting 32-bit string is $f(R_{i-1}, K_i)$.

P-Box Permutation:

  16  7 20 21 29 12 28 17
   1 15 23 26  5 18 31 10
   2  8 24 14 32 27  3  9
  19 13 30  6 22 11  4 25

3.4 The Key Transformation

(1) The 64-bit DES key is reduced to a 56-bit key by ignoring the parity bits. The remaining bits are permuted by the following table. Write the result as $C_0 D_0$, where $C_0$ and $D_0$ have 28 bits.

Key Permutation:

  57 49 41 33 25 17  9
   1 58 50 42 34 26 18
  10  2 59 51 43 35 27
  19 11  3 60 52 44 36
  63 55 47 39 31 23 15
   7 62 54 46 38 30 22
  14  6 61 53 45 37 29
  21 13  5 28 20 12  4

3.4 The Key Transformation (Continued)

(2) For $1 \le i \le 16$, let $C_i = LS_i(C_{i-1})$ and $D_i = LS_i(D_{i-1})$, where $LS_i$ means shift the input one or two places to the left, according to the following table.

Number of Key Bits Shifted per Round:

  Round:  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
  Shift:  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

(3) 48 bits are chosen from the 56-bit string $C_i D_i$ according to the following table. The output is $K_i$.

  14 17 11 24  1  5
   3 28 15  6 21 10
  23 19 12  4 26  8
  16  7 27 20 13  2
  41 52 31 37 47 55
  30 40 51 45 33 48
  44 49 39 56 34 53
  46 42 50 36 29 32

# Each bit of the key is used in approximately 14 of the 16 rounds.
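The key transformation above, as an added worked example (not the lecture's own code): it applies the key permutation, the shift table and the 48-bit selection table from these slides, and then counts in how many of the 16 round keys each of the 56 key bits appears, which is the "approximately 14 of the 16 rounds" remark. The test-vector key 0x133457799BBCDFF1 and its first round key are the widely circulated DES tutorial values and are not from this page.

```python
# DES key schedule built from the tables on the slides.
# Bits are numbered 1..64 from the left, as in the tables.

PC1 = [57, 49, 41, 33, 25, 17,  9,
        1, 58, 50, 42, 34, 26, 18,
       10,  2, 59, 51, 43, 35, 27,
       19, 11,  3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,
        7, 62, 54, 46, 38, 30, 22,
       14,  6, 61, 53, 45, 37, 29,
       21, 13,  5, 28, 20, 12,  4]

SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

PC2 = [14, 17, 11, 24,  1,  5,
        3, 28, 15,  6, 21, 10,
       23, 19, 12,  4, 26,  8,
       16,  7, 27, 20, 13,  2,
       41, 52, 31, 37, 47, 55,
       30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53,
       46, 42, 50, 36, 29, 32]


def int_to_bits(x, n):
    """Integer -> list of n bits, most significant first."""
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]


def bits_to_int(bits):
    return int("".join(map(str, bits)), 2)


def permute(bits, table):
    """Output position k takes input position table[k] (1-indexed)."""
    return [bits[p - 1] for p in table]


def left_shift(half, n):
    """LS_i: rotate a 28-bit half n places to the left."""
    return half[n:] + half[:n]


def round_keys(key64):
    """key64: list of 64 bits. Returns the 16 round keys as 48-bit lists."""
    cd = permute(key64, PC1)            # parity bits 8, 16, ..., 64 never appear in PC1
    c, d = cd[:28], cd[28:]
    keys = []
    for s in SHIFTS:
        c, d = left_shift(c, s), left_shift(d, s)
        keys.append(permute(c + d, PC2))
    return keys


def key_bit_usage():
    """For each of the 56 non-parity key bits, how many of the 16 round keys use it.
    Tracks bit *labels* (original positions) instead of values, so no key is needed."""
    labels = list(range(1, 65))         # label i = original key bit i
    cd = permute(labels, PC1)
    c, d = cd[:28], cd[28:]
    usage = {lab: 0 for lab in cd}
    for s in SHIFTS:
        c, d = left_shift(c, s), left_shift(d, s)
        for lab in permute(c + d, PC2):
            usage[lab] += 1
    return usage


if __name__ == "__main__":
    k1 = round_keys(int_to_bits(0x133457799BBCDFF1, 64))[0]
    print("".join(map(str, k1)))
    usage = key_bit_usage()
    print(min(usage.values()), max(usage.values()), sum(usage.values()) / 56)
```

Because each round drops 8 of the 56 bits and the two halves rotate a full 28 positions over the 16 rounds, every bit is skipped in between one and four rounds, so the usage counts land between 12 and 15 with an average of $16 \cdot 48 / 56 \approx 13.7$.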

3.5 Security of DES

There has been much speculation on the key length, number of iterations, and design of the S-boxes. The S-boxes were particularly mysterious — all those constants, without any apparent reason as to why or what they're for. Although IBM claimed that the inner workings were the result of 17 man-years of intensive cryptanalysis, some people feared that the NSA had embedded a trapdoor into the algorithm so they would have an easy means of decrypting messages.

3.5 Security of DES (Continued)

IBM published the following criteria for S-boxes in the early 1990's.
(1) Each S-box has 6 input bits and 4 output bits, which was the largest that could be put on one chip in 1974.
(2) The output of the S-boxes should not be close to being linear functions of the inputs.
(3) Each row of an S-box contains all numbers from 0 to 15.
(4) If two inputs to an S-box differ by 1 bit, the outputs must differ by at least 2 bits.

3.5 Security of DES (Continued)

(5) If two inputs to an S-box differ in their first 2 bits but have the same last 2 bits, the outputs must be unequal.
(6) There are 32 pairs of inputs having a given XOR. For each of these pairs, compute the XOR of the outputs. No more than eight of these output XORs should be the same. This is clearly to avoid an attack via differential cryptanalysis.
(7) A criterion similar to (6), but involving three S-boxes.

(For details, see D. Coppersmith, "The Data Encryption Standard and its strength against attacks".)

4 DES Is Not a Group

Choose keys $K_1$ and $K_2$ and encrypt a plaintext $P$ by $E_{K_2}(E_{K_1}(P))$. Does this increase the security? If an attacker has sufficient memory, double encryption provides little extra protection. Moreover, if double encryption is equivalent to single encryption, then the cryptosystem is much less secure than one might guess. For example, if this were true for DES, the exhaustive search through all $2^{56}$ keys could be replaced by a search of length around $2^{28}$.

Definition 1. Let $E_0$ represent encryption with the key consisting entirely of 0's and let $E_1$ represent encryption with the key consisting entirely of 1's. A sequence of encryptions (for some plaintext $P$)
$$E_0(E_1(P)),\ E_0(E_1(E_0(E_1(P)))),\ \ldots,\ (E_0E_1)^n(P) = P,$$
where $n$ is the smallest positive integer such that $(E_0E_1)^n(P) = P$, is called a cycle of length $n$.

Proposition 1. If $n$ is the smallest positive integer such that $(E_0E_1)^n(P) = P$ for all $P$, and $m$ is the length of a cycle (so $(E_0E_1)^m(P) = P$ for a particular $P$), then $m \mid n$.

Proof. Assume that $n = qm + r$ for some integer $q$, and $0 \le r < m$. Therefore,
$$P = (E_0E_1)^n(P) = (E_0E_1)^r\big((E_0E_1)^{qm}(P)\big) = (E_0E_1)^r(P).$$
Since $m$ is the smallest positive integer such that $(E_0E_1)^m(P) = P$, and $0 \le r < m$, we must have $r = 0$.

Theorem 1. DES is not a group. That is, for any $K_i, K_j$, there isn't a key $K$ such that $E_K = E_{K_i}E_{K_j}$.

Proof. Suppose that DES is closed under composition. Then $E_{K_i}E_{K_j} = E_{K_m}$ for some $K_m$; in particular, $E_0E_1 = E_K$ for some key $K$. Since there are only $2^{56}$ possible keys, we must have $E_K^i = E_K^j$ for some integers $i, j$ with $1 \le i < j \le 2^{56} + 1$. Decrypt $i$ times: $D_K^i E_K^i = D_K^i E_K^j$, so $E_K^{j-i}$ is the identity map. Since $0 < j - i \le 2^{56}$, the smallest positive integer $n$ such that $(E_0E_1)^n = E_K^n$ is the identity map also satisfies $n \le 2^{56}$. By Proposition 1, $n$ is a multiple of the cycle lengths. Coppersmith found the lengths of the cycles for 33 plaintexts, and their least common multiple is around $10^{277}$. Therefore, DES is not a group.

5 Breaking DES

5.1 DES Has Shown Signs of Age

(1) Diffie and Hellman estimated that a machine could be built for $20 million in 1977 that could crack DES in roughly a day.

(2) Using switching technology, Wiener designed a more efficient device to attack DES in 1993.

(3) The year 1996 saw the formulation of three basic approaches for attacking DES. The first method was to do distributive computation. Another approach is to design custom architecture. The middle method considers programmable logic arrays.

5.1 DES Has Shown Signs of Age (Continued)

(4) The distributive computing approach to breaking DES became very popular, especially with the growing popularity of the Internet. In 1997, the RSA Data Security company issued a challenge to find the key and crack a DES-encrypted message. After only five months, Rocke Verser submitted the winning key, having searched 25% of the keyspace. In the following year, the RSA company issued challenge II. The key was found after searching roughly 85% of the keyspace in 39 days.

5.1 DES Has Shown Signs of Age (Continued)

(5) In 1998, the Electronic Frontier Foundation (EFF) developed a project called the DES Cracker (also known as Deep Crack). The average computer is ill suited for the task of cracking DES. The architecture is that the hardware efficiently eliminated a large number of invalid keys and only returned keys that were potentially promising; the software then processed each of the promising candidate keys on its own, checking to see if one of them was in fact the actual key.

5.1 DES Has Shown Signs of Age (Continued)

The end result was that the DES Cracker consisted of about 1500 chips and could crack DES in roughly 4.5 days on average.

(6) The rumor is that the NSA can crack DES in 3 to 15 minutes, depending on how much preprocessing they can do. And these machines cost only $50,000 each, in quantity.

# The above results demonstrate that a 56-bit key is too short for a secure secret-key cipher given late-1990s computation technology.

5.2 DES Variants For Increasing Security

(1) Double DES encrypts the plaintext by first encrypting with one key and then encrypting again using a different key. Merkle and Hellman showed that the double encryption scheme actually has the security level of a 57-bit key, not a 112-bit key, due to the meet-in-the-middle attack.

(2) Triple DES appears to have a level of security approximately equivalent to a 112-bit key. There are at least two versions in which triple DES can be implemented. One is
$$c = E_{K_1}(E_{K_2}(E_{K_3}(m))),\qquad m = D_{K_3}(D_{K_2}(D_{K_1}(c))).$$
The other is
$$c = E_{K_1}(D_{K_2}(E_{K_1}(m))),\qquad m = D_{K_1}(E_{K_2}(D_{K_1}(c))).$$
Both are resistant to the meet-in-the-middle attack.

5.2 DES Variants For Increasing Security (Continued)

(3) Another version of DES has been proposed by Rivest:
$$c = K_3 \oplus E_{K_2}(m \oplus K_1),\qquad m = K_1 \oplus D_{K_2}(c \oplus K_3).$$
This method, known as DESX, has been shown to be fairly secure. DESX has been included in the MailSafe electronic mail security program since 1986 and the BSAFE toolkit since 1987.

# What is neat about this DES variant is that it can be implemented in existing hardware.

6 Password Security

Problem. A password, associated with each user (entity), is typically a string of 6 to 10 or more characters that the user is capable of committing to memory. This serves as a shared secret between the user and the system. To gain access to a system resource (e.g., computer account, printer, or software application), the user enters a (user-id, password) pair. The system checks that the password matches the corresponding data it holds for that user-id, and that the stated identity is authorized to access the resource. Demonstration of knowledge of this secret is accepted by the system as corroboration of the entity's identity.

6.1 Password Schemes

(1) Stored password files

(2) "Encrypted" password files

[Figure: user A sends $(ID_A, pwd_A)$ to the server; the server applies the one-way function $f$ to $pwd_A$, looks up $ID_A$ in its password table (which stores $ID_A$ together with $f(pwd_A)$, not $pwd_A$ itself), and compares: if $f(pwd_A)$ equals the stored value, Accept (Yes); otherwise Reject (No).]

6.1 Password Schemes (Continued)

(3) Slowing down the password mapping

(4) Salting passwords

To make dictionary attacks less effective, each password, upon initial entry, may be augmented with a t-bit random string called a salt before applying the one-way function. Both the hashed password and the salt are recorded in the password file.

(5) Passphrases
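Schemes (3) and (4) together, as an added example that is not from the lecture, using only Python's standard library: a random $t$-bit salt per password and an iterated one-way function (PBKDF2-HMAC-SHA256, a modern choice rather than the DES-based mapping studied later in this section) make each trial of a dictionary attack slow and make a precomputed dictionary useless across records. The iteration count and salt length are illustrative choices.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000   # iteration count: slows down the password mapping (scheme (3))
SALT_BYTES = 16        # t = 128 random bits of salt per password (scheme (4))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Returns (salt, digest). Both are recorded in the password file; the password is not.
    A fixed salt may be passed in for reproducible tests; production use leaves it None."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recomputes the one-way function with the stored salt and compares in constant time,
    so the comparison itself leaks nothing about how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def records_differ_for_same_password(password: str) -> bool:
    """Two users with the same password get different stored values because their salts
    differ, so one precomputed dictionary cannot be matched against every record at once."""
    (_, d1), (_, d2) = hash_password(password), hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery")
    print(verify_password("correct horse battery", salt, digest))   # True
    print(verify_password("wrong guess", salt, digest))             # False
    print(records_differ_for_same_password("hunter2"))              # True
```

With the salt stored next to the digest, the legitimate check costs one PBKDF2 evaluation, while an attacker holding the whole file must pay that cost per candidate per record, which is the asymmetry both schemes aim for.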


6.2 Attacks

(1) Replay of fixed passwords

(2) Exhaustive password search

The feasibility of the attack depends on the number of passwords that need be checked before a match is expected, and the time required to test each.

(3) Password-guessing and dictionary attacks

Online/Offline password-guessing attacks

6.3 Case Study – UNIX Passwords

[Figure: the UNIX password mapping. The user password is truncated to 8 ASCII characters (0-padded if necessary) to form a 56-bit key $K$; a 12-bit user salt modifies DES (written DES*); the 64-bit data input is $I_1 = 00\ldots0$, and DES* is iterated 25 times with the next input $I_i = O_{i-1}$ for $2 \le i \le 25$; the 64-bit output $O_{25}$ together with the 12-bit salt is repacked (76 bits) into eleven 7-bit characters and stored as the "encrypted password" in /etc/passwd.]

6.3 Case Study – UNIX Passwords (Continued)

(1) Password salting. UNIX password salting associates a 12-bit 'random' salt with each user-selected password. The 12 bits are used to alter the standard expansion function E of the DES mapping, providing one of 4096 variations, e.g., bit 1 with block bits 1 and 25, bit 2 with block bits 2 and 26, etc. If the salt bit is 1, the block bits are swapped, and otherwise they are not. Both the hashed password and the salt are recorded in the system password file. The security of any particular user's password is unchanged by salting, but a dictionary attack now requires 4096 variations of each trial password.

6.3 Case Study – UNIX Passwords (Continued)

(2) Preventing use of off-the-shelf DES chips. Because the DES expansion permutation E is dependent on the salt, standard DES chips can no longer be used to implement the UNIX password algorithm. An adversary wishing to use hardware to speed up an attack must build customized hardware rather than use commercially available chips. This may deter adversaries with modest resources.
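The salt-dependent expansion described in (1) and (2) above, as an added example not from the lecture: it starts from the DES expansion table of Section 3.3 and lets salt bit $i$ ($1 \le i \le 12$) swap expanded-block positions $i$ and $i + 24$. Which salt bit counts as "bit 1" (here the least significant bit of the 12-bit integer) is an assumption; the point is that a standard expansion table no longer describes the mapping once the salt is nonzero.

```python
# Salt-modified DES expansion E*, as used by the classic UNIX password mapping.
# E is the DES expansion table from the slides (output position k takes input bit E[k]).

E = [32, 1, 2, 3, 4, 5,     4, 5, 6, 7, 8, 9,
     8, 9, 10, 11, 12, 13,  12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]


def expand(r32, salt12=0):
    """Expand a 32-element list (R_{i-1}) to 48 elements, then apply the salt:
    if salt bit i is 1, expanded positions i and i+24 are swapped (1-indexed)."""
    out = [r32[p - 1] for p in E]
    for i in range(12):
        if (salt12 >> i) & 1:            # assumption: bit 0 of the integer is "salt bit 1"
            out[i], out[i + 24] = out[i + 24], out[i]
    return out


def salted_e_table(salt12):
    """The effective expansion table for a salt: which input bit feeds each output position."""
    return expand(list(range(1, 33)), salt12)


def number_of_distinct_tables():
    """How many different expansion functions the 12-bit salt produces."""
    return len({tuple(salted_e_table(s)) for s in range(4096)})


if __name__ == "__main__":
    print(salted_e_table(0) == E)        # True: salt 0 is plain DES
    print(salted_e_table(1)[:2], salted_e_table(1)[24:26])   # [16, 1] [32, 17]
    print(number_of_distinct_tables())   # 4096
```

Since the swapped positions always carry different input bits (positions 1 to 12 of E hold bits 32, 1, ..., 9 and positions 25 to 36 hold bits 16, 17, ..., 25), every salt value yields a distinct expansion, which is where the 4096 variations come from.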

7 Modification Detection Code (MDC)

Definition 2. A modification detection code (MDC) is a hash function $h$ that, with inputs $x, x'$ and outputs $y, y'$, potentially has the following properties:

(1) Preimage resistance: For essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output, i.e., to find any preimage x' such that h(x')=y when given any y for which a corresponding input is not known.

(2) 2nd-preimage resistance: It is computationally infeasible to find any second input which has the same output as any specified input, i.e., given $x$, to find a 2nd-preimage $x' \ne x$ such that $h(x) = h(x')$.

(3) Collision resistance: It is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that h(x)=h(x'). (Note that here there is free choice of both inputs.)


7.1 Objectives of Adversaries vs. MDC

The objective of an adversary who wishes to attack an MDC is as follows:

(1) Given a hash-value y, find a preimage x such that y =h(x); or given one such pair (x, h(x)), find a second preimage x' such that h(x) = h(x').

(2) Find any two inputs x, x', such that h(x) = h(x').


7.2 Case Study – MDC-2 with DES

A practical motivation for constructing hash functions from block ciphers is that if an efficient implementation of a block cipher is already available within a system (either in hardware or software), then using it as the central component for a hash function may provide the latter functionality at little additional cost.

7.2 Case Study – MDC-2 with DES (Continued)

Let $E$ be DES. For a 64-bit value $U = u_1 u_2 \cdots u_{64}$, define two functions $g, g'$, which map 64-bit values to suitable 56-bit DES keys, as follows:
$$g(U) = u_1\,1\,0\,u_4 u_5 u_6 u_7\,u_9 u_{10} \cdots u_{63},\qquad g'(U) = u_1\,0\,1\,u_4 u_5 u_6 u_7\,u_9 u_{10} \cdots u_{63}$$
(bits 2 and 3 are replaced by 10 and 01 respectively, and every eighth bit, the parity positions, is dropped to obtain 56 bits).

Choose the 64-bit non-secret constants $IV, IV'$ (the same constants must be used for MDC verification) from a set of recommended prescribed values. A default set of prescribed values is (in hexadecimal): $IV = 5252525252525252$, $IV' = 2525252525252525$.

7.2 Case Study – MDC-2 with DES (Continued)

The message $M$ is broken into 64-bit blocks $[M_1, M_2, \ldots, M_t]$. The MDC-2 with DES performs the following steps:
(1) Let $H_0 = IV$, $H_0' = IV'$.
(2) Let $\|$ denote concatenation, and let $C^L, C^R$ be the left and right 32-bit halves of $C$. The output is $h(M) = H_t \| H_t'$, defined as follows (for $1 \le i \le t$):
$$k_i = g(H_{i-1}),\quad C_i = E_{k_i}(M_i) \oplus M_i;\qquad k_i' = g'(H_{i-1}'),\quad C_i' = E_{k_i'}(M_i) \oplus M_i;$$
$$H_i = C_i^L \| C_i'^R;\qquad H_i' = C_i'^L \| C_i^R.$$

[Figure: one MDC-2 compression step. $M_i$ is encrypted under the keys $g(H_{i-1})$ and $g'(H_{i-1}')$ (and XORed with $M_i$) to give $C_i = C_i^L C_i^R$ and $C_i' = C_i'^L C_i'^R$; the right halves are then swapped to form $H_i = C_i^L C_i'^R$ and $H_i' = C_i'^L C_i^R$.]


Thank You!