Lecture 3 The Data Encryption Standard (DES)
In 1974, IBM submitted an algorithm called LUCIFER to the National Bureau of Standards (NBS). The NBS forwarded it to the National Security Agency (NSA), which reviewed it and returned a version called the Data Encryption Standard (DES) algorithm. In 1977, NBS made it the official data encryption standard for use on all unclassified government communications. This was probably the result of a misunderstanding between the NSA and NBS. The NSA thought DES was hardware-only, but NBS published enough details that people could write DES software. If the NSA had known the details would be released so that people could write software, it would never have agreed to it.
From 1975 on, there has been controversy surrounding DES. Many were wary of the NSA's 'invisible hand' in the development of the algorithm. The concerns were:
(1) The NSA had modified the algorithm to install a trapdoor.
(2) The NSA reduced the key size from the original 128 bits to 56 bits.
(3) The reasons behind the inner workings of the algorithm were not explained (for example, the design's relation to differential cryptanalysis).
Much of the NSA's reasoning became clear in the early 1990s, but in the 1970s this seemed mysterious and worrisome.
DES has lasted about 30 years, but it is becoming outdated. Therefore, NIST replaced it with a new system in the year 2000. However, it is still worth studying DES, since it represents a popular class of algorithms.
DES is a block cipher; it encrypts data in 64-bit blocks. A 64-bit block of plaintext goes in one end of the algorithm and a 64-bit block of ciphertext comes out the other end. DES is a symmetric algorithm. The actual mechanics of how this is done is often called a Feistel system.
Outline
A Simplified DES-Type Algorithm
Differential Cryptanalysis
DES
DES Is Not A Group
Breaking DES
Password Security
Modification Detection Code (MDC)
1 A Simplified DES-Type Algorithm
[Figure: one round of a Feistel system. The inputs are $L_{i-1}$ (6 bits) and $R_{i-1}$ (6 bits); $R_{i-1}$ and the round key $K_i$ (8 bits) enter the function $f$, whose output is XORed into $L_{i-1}$; the outputs are $L_i$ and $R_i$.]
One round of a Feistel system
Encryption process: $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$, where $\oplus$ denotes XOR. This operation is performed for a certain number of rounds, say $n$, and produces the ciphertext $[L_n, R_n]$.
Decryption process: Use the same procedure as before, but with the keys used in reverse order. The first step takes $[R_n, L_n]$ and gives the output
$[L_n,\ R_n \oplus f(L_n, K_n)] = [L_n,\ L_{n-1} \oplus f(R_{n-1}, K_n) \oplus f(R_{n-1}, K_n)] = [L_n,\ L_{n-1}] = [R_{n-1},\ L_{n-1}]$
(using $L_n = R_{n-1}$). Continuing, we see that it leads to $[R_0, L_0]$. Switch to obtain $[L_0, R_0]$.
[Figure: the function $f(R_{i-1}, K_i)$. $R_{i-1}$ (6 bits) is expanded by $E$ to $E(R_{i-1})$ (8 bits), which is XORed with $K_i$ (8 bits); the first 4 bits of the result go to S-box $S_1$ and the last 4 bits to $S_2$; the two 3-bit outputs concatenated give $f(R_{i-1}, K_i)$ (6 bits).]
The expander function E takes 6 input bits and produces 8 output bits: input bits 1 2 3 4 5 6 are mapped to output bits 1 2 4 3 4 3 5 6 (the third and fourth input bits are each used twice).
S-boxes (the first input bit selects the row, the remaining three bits select the column, numbered 0 to 7):
S1: 101 010 001 110 011 100 111 000
    001 100 110 010 000 111 101 011
S2: 100 000 110 101 111 001 011 010
    101 011 000 111 110 010 001 100
Example 1. Suppose the input to the round is $L_{i-1}R_{i-1} = 011100100110$ and the round key is $K_i = 01100101$. This means $L_{i-1} = 011100$ and $R_{i-1} = 100110$. Then
$E(R_{i-1}) \oplus K_i = E(100110) \oplus 01100101 = 10101010 \oplus 01100101 = 11001111$.
The bits 1100 are sent to $S_1$ (second row, column 4) and give the output 000. The bits 1111 are sent to $S_2$ (second row, column 7) and give the output 100. Therefore $f(R_{i-1}, K_i) = 000100$. Then $L_i = R_{i-1} = 100110$ and $R_i = L_{i-1} \oplus f(R_{i-1}, K_i) = 011100 \oplus 000100 = 011000$, so we obtain $L_iR_i = 100110011000$.
2 Differential Cryptanalysis
The idea is to compare the differences in the ciphertexts for suitably chosen pairs of plaintexts and thereby deduce information about the key. Because the key is introduced by XORing with $E(R_{i-1})$, looking at the XOR of the inputs removes the effect of the key at this stage and hence removes some of the randomness introduced by the key.
2.1 Differential Cryptanalysis for Three Rounds
We temporarily start with $L_1R_1$ instead of $L_0R_0$. We use various inputs $L_1R_1$ and obtain outputs $L_4R_4$. We have
$L_4 = R_3 = L_2 \oplus f(R_2, K_3) = R_1 \oplus f(R_2, K_3)$,
$R_4 = L_3 \oplus f(R_3, K_4) = R_2 \oplus f(L_4, K_4) = L_1 \oplus f(R_1, K_2) \oplus f(L_4, K_4)$.
Suppose we have another message $L_1^*R_1^*$ with $R_1 = R_1^*$. Define $L_1' = L_1 \oplus L_1^*$, $R_1' = R_1 \oplus R_1^*$, $L_4' = L_4 \oplus L_4^*$ and $R_4' = R_4 \oplus R_4^*$. Therefore,
$R_4 \oplus R_4^* = L_1 \oplus L_1^* \oplus f(R_1, K_2) \oplus f(R_1^*, K_2) \oplus f(L_4, K_4) \oplus f(L_4^*, K_4)$.
Since $R_1 = R_1^*$, we obtain
$R_4' = L_1' \oplus f(L_4, K_4) \oplus f(L_4^*, K_4)$.
This may be rearranged to
$f(L_4, K_4) \oplus f(L_4^*, K_4) = R_4' \oplus L_1'$.
We know everything in this last equation except $K_4$.
From analyzing $f(L_4, K_4) \oplus f(L_4^*, K_4)$, we know
(1) the XORs of the inputs to the two S-boxes (namely, the first four and the last four bits of $E(L_4) \oplus E(L_4^*)$), because $(E(L_4) \oplus K_4) \oplus (E(L_4^*) \oplus K_4) = E(L_4) \oplus E(L_4^*)$;
(2) the XORs of the two outputs (namely, the first three and the last three bits of $R_4' \oplus L_1'$).
A summary of the attack procedure:
(1) Look at the list of pairs with input XOR $E(L_4) \oplus E(L_4^*)$ and output XOR $R_4' \oplus L_1'$.
(2) The pair $(E(L_4) \oplus K_4,\ E(L_4^*) \oplus K_4)$ is on this list.
(3) Deduce the possibilities for $K_4$.
(4) Repeat until only one possibility for $K_4$ remains.
Example 2. We start with $L_1R_1 = 000111011011$ and the key $K = 001001101$. Assume that we don't yet know $K$. The key $K_i$ for the $i$-th round of encryption is obtained by using 8 bits of $K$, starting with the $i$-th bit. We obtain $L_4R_4 = 000011100101$. If we select $L_1^*R_1^* = 101110011011$, then $L_4^*R_4^* = 100100011000$. Therefore,
$E(L_4) \oplus E(L_4^*) = 00000011 \oplus 10101000 = 10101011$ and $R_4' \oplus L_1' = 010100$.
It means that the input XOR of $S_1$ is 1010 with output XOR 010, and the input XOR of $S_2$ is 1011 with output XOR 100. For $S_1$, only the pairs (1001, 0011) and (0011, 1001) have input XOR 1010 and produce output XOR equal to 010. Since the first four bits of $E(L_4)$ are 0000, the first four bits of $K_4$ are in {1001, 0011}. In the same way, we can deduce that the last four bits of $K_4$ are in {0100, 1111}.
Now repeat with $L_1R_1 = 010111011011$ and $L_1^*R_1^* = 101110011011$. We find that the first four bits of $K_4$ are in {0011, 1000} and the last four bits of $K_4$ are in {0100, 1011}. So $K_4 = 00110100$, which means $K = 00?001101$. Only 001001101 can yield the correct encryption of $L_1R_1$. The key is 001001101.
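The round function of Section 1 and the three-round attack of Section 2.1, as one added example (this is not code from the lecture; the function names are mine). It uses the lecture's expander, S-boxes and key schedule, reproduces Example 1 and Example 2, and generalises the attack to any list of chosen pairs with $R_1 = R_1^*$:

```python
# Added example (not code from the lecture): the simplified DES-type round of Section 1
# and the three-round differential attack of Section 2.1 on it.
# Bit strings are Python str of '0'/'1' with bit 1 on the left, as in the lecture.

# S-boxes from the lecture: first input bit = row, remaining three bits = column.
S1 = [["101", "010", "001", "110", "011", "100", "111", "000"],
      ["001", "100", "110", "010", "000", "111", "101", "011"]]
S2 = [["100", "000", "110", "101", "111", "001", "011", "010"],
      ["101", "011", "000", "111", "110", "010", "001", "100"]]

def xor(a, b):
    return "".join("0" if x == y else "1" for x, y in zip(a, b))

def expand(r):
    """Expander E: input bits 1 2 3 4 5 6 -> output bits 1 2 4 3 4 3 5 6."""
    return r[0] + r[1] + r[3] + r[2] + r[3] + r[2] + r[4] + r[5]

def sbox(box, four):
    return box[int(four[0])][int(four[1:], 2)]

def f(r, k):
    """f(R_{i-1}, K_i): XOR the expanded right half with the 8-bit round key, then S1 || S2."""
    x = xor(expand(r), k)
    return sbox(S1, x[:4]) + sbox(S2, x[4:])

def round_key(key9, i):
    """K_i: 8 bits of the 9-bit key, starting with the i-th bit (wrapping around)."""
    return (key9 + key9)[i - 1:i + 7]

def feistel_round(l, r, k):
    """One round: L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i)."""
    return r, xor(l, f(r, k))

def encrypt_rounds(l, r, key9, first, count):
    """Apply rounds first, first+1, ..., first+count-1 (the attack starts at L_1 R_1)."""
    for i in range(first, first + count):
        l, r = feistel_round(l, r, round_key(key9, i))
    return l, r

def k4_candidates(l1, l1s, l4, r4, l4s, r4s):
    """Three-round attack on one pair with R_1 = R_1*: return the candidate sets for the
    first four and the last four bits of K_4 (steps (1)-(3) of Section 2.1)."""
    e4 = expand(l4)
    in_xor = xor(e4, expand(l4s))                  # E(L_4) xor E(L_4*): the key cancels
    out_xor = xor(xor(r4, r4s), xor(l1, l1s))      # R_4' xor L_1' = f(L_4,K_4) xor f(L_4*,K_4)
    result = []
    for box, ins, outs in ((S1, slice(0, 4), slice(0, 3)), (S2, slice(4, 8), slice(3, 6))):
        cands = set()
        for a in range(16):                        # every S-box input with the known XOR
            a_bits = format(a, "04b")
            b_bits = xor(a_bits, in_xor[ins])
            if xor(sbox(box, a_bits), sbox(box, b_bits)) == out_xor[outs]:
                cands.add(xor(a_bits, e4[ins]))    # S-box input = E(L_4) bits xor K_4 bits
        result.append(cands)
    return result[0], result[1]

def recover_k4(key9, pairs):
    """The attacker chooses (L_1 R_1, L_1* R_1*) pairs, obtains the round-4 outputs from the
    cipher (key9 is used only to produce them) and intersects the candidates (step (4))."""
    first_all, last_all = None, None
    for (l1, r1), (l1s, r1s) in pairs:
        assert r1 == r1s, "the three-round attack needs R_1 = R_1*"
        l4, r4 = encrypt_rounds(l1, r1, key9, 2, 3)
        l4s, r4s = encrypt_rounds(l1s, r1s, key9, 2, 3)
        first, last = k4_candidates(l1, l1s, l4, r4, l4s, r4s)
        first_all = first if first_all is None else first_all & first
        last_all = last if last_all is None else last_all & last
    return {a + b for a in first_all for b in last_all}

# The two pairs used in Example 2 of the lecture (R_1 = R_1* = 011011 in both).
EXAMPLE2_PAIRS = [(("000111", "011011"), ("101110", "011011")),
                  (("010111", "011011"), ("101110", "011011"))]

if __name__ == "__main__":
    print(f("100110", "01100101"))                    # Example 1: 000100
    print(recover_k4("001001101", EXAMPLE2_PAIRS))    # Example 2: {'00110100'}
```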
2.2 Differential Cryptanalysis for Four Rounds
The analysis we used for three rounds still applies, but to extend it to four rounds we need to use more probabilistic techniques. Here we address some weaknesses in the S-box.
Fact 1. There is a weakness in the box $S_1$. If we look at the 16 input pairs with XOR equal to 0011, we discover that 12 of them have output XOR equal to 011. There is a similar weakness in the box $S_2$. Among the 16 input pairs with XOR equal to 1100, there are 8 with output XOR equal to 010. Suppose that we start with randomly chosen $R_0, R_0^*$ such that $R_0' = R_0 \oplus R_0^* = 001100$. This is expanded to $E(001100) = 00111100$. If we assume the outputs of the two S-boxes are independent, we see that the combined output XOR will be 011010 with probability $(12/16)(8/16) = 3/8$. Now suppose we choose $L_0' = L_0 \oplus L_0^* = 011010$. From $R_1 = L_0 \oplus f(R_0, K_1)$ and $R_1^* = L_0^* \oplus f(R_0^*, K_1)$, we have $R_1' = L_0' \oplus 011010 = 000000$ with probability 3/8 (and $L_1' = R_0' = 001100$).
The attack strategy:
Try several randomly chosen pairs of inputs with XOR equal to $L_0'R_0' = 011010001100$. Look at the outputs $L_4R_4$ and $L_4^*R_4^*$. Assume that $L_1'R_1' = 001100000000$. Then use three-round differential cryptanalysis to deduce a set of possible keys $K_4$. Since there seems to be no reason any incorrect key should appear frequently, the correct key should appear in the lists of keys more often than the other keys.
Example 3. Suppose we try several hundred random pairs of inputs with XOR 011010001100. The frequencies (FQ) of the possible values for the first four and the last four bits of $K_4$ we obtain are in the following table.

First 4 bits  FQ    Last 4 bits  FQ
0000          12    0000         14
0001           7    0001          6
0010           8    0010         42
0011          15    0011         10
0100           4    0100         27
0101          13    0101         10
0110           4    0110          8
0111           6    0111         11
1000          33    1000          8
1001          40    1001         16
1010          35    1010          8
1011          35    1011         18
1100          59    1100          8
1101          32    1101         23
1110          28    1110          6
1111          39    1111         17

Therefore, $K_4 = 11000010$, which means $K = 10?110000$. Using the two possible keys to encrypt a message, we can get the correct key.
2.3 Differential Cryptanalysis
Comment. (1) It might be noticed that we could have obtained the key at least as quickly by simply running a brute-force attack. However, in more elaborate systems such as DES, differential cryptanalytic techniques are much more efficient than exhaustive search through all keys, at least until the number of rounds becomes fairly large.
(2) Linear cryptanalysis is another type of cryptanalytic attack, invented by Mitsuru Matsui. This attack uses linear approximations to describe the action of a block cipher. Linear cryptanalysis is newer than differential cryptanalysis, and there may be more performance improvements (theoretically around $2^{43}$ plaintext-ciphertext pairs) in the coming years. But it is not clear that it can be used effectively against full DES in practice.
3 DES
The key is usually expressed as a 64-bit number, but every eighth bit is used for parity checking and is ignored. So the key length is 56 bits. The algorithm uses only standard arithmetic and logical operations on numbers of 64 bits at most, so it was easily implemented in late-1970s hardware technology. The repetitive nature of the algorithm makes it ideal for use on a special-purpose chip. Initial software implementations were clumsy, but current implementations are better.
3.1 Description of DES Algorithm
The DES algorithm of encryption consists of three stages:
(1) The bits of $m$ are permuted by a fixed initial permutation to obtain $m_0 = IP(m)$. Write $m_0 = L_0R_0$, where $L_0$ is the first 32 bits of $m_0$ and $R_0$ is the last 32 bits.
(2) For $1 \le i \le 16$, perform the following:
$L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$,
where $K_i$ is a string of 48 bits obtained from the key $K$ and $f$ is a function to be described later.
(3) Switch left and right to obtain $R_{16}L_{16}$, then apply the inverse of the initial permutation to get the ciphertext $c = IP^{-1}(R_{16}L_{16})$.
Decryption is performed by exactly the same procedure, except that the keys $K_1, \ldots, K_{16}$ are used in reverse order. Step 3 means that we don't have to do the left-right switch as in the simplified DES-type algorithm.
[Figure: DES data flow. Plaintext, then IP, giving $L_0R_0$; round 1 applies $f$ with $K_1$ to give $L_1R_1$; the rounds continue up to $L_{16}R_{16}$; then $IP^{-1}$ gives the ciphertext.]
3.2 Initial Permutation
Without cryptographic significance, it is perhaps designed to make the algorithm load more efficiently into the chips that were available in the 1970s.
Initial Permutation (the first bit of $IP(m)$ is bit 58 of $m$, the second is bit 50, and so on):
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
3.3 The Function $f(R_{i-1}, K_i)$
[Figure: $R_{i-1}$ enters the Expander to give $E(R_{i-1})$, which is XORed with $K_i$; the result is split into $B_1 B_2 \cdots B_8$, fed to S-boxes $S_1 \cdots S_8$, giving $C_1 C_2 \cdots C_8$; a final Permutation yields $f(R_{i-1}, K_i)$.]
The function $f(R_{i-1}, K_i)$ is described as follows:
(1) $R_{i-1}$ (32 bits) is expanded to $E(R_{i-1})$ (48 bits) by the following table.
Expansion Permutation
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
(2) Compute $E(R_{i-1}) \oplus K_i$ and write it as $B_1B_2 \cdots B_8$, where each $B_j$ has 6 bits.
(3) Write $B_j = b_1b_2b_3b_4b_5b_6$. $B_j$ is the input for S-box $S_j$. The row of $S_j$ is specified by $b_1b_6$, while $b_2b_3b_4b_5$ determines the column. In this way, we obtain eight 4-bit outputs $C_1, C_2, \ldots, C_8$.
S-boxes (rows 0 to 3 selected by $b_1b_6$, columns 0 to 15 selected by $b_2b_3b_4b_5$):
S-box 1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S-box 2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S-box 3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S-box 4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S-box 5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S-box 6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S-box 7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S-box 8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
(4) The string $C_1C_2 \cdots C_8$ is permuted according to the following table. The resulting 32-bit string is $f(R_{i-1}, K_i)$.
P-box Permutation
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
3.4 The Key Transformation
(1) The 64-bit DES key is reduced to a 56-bit key by ignoring the parity bits. The remaining bits are permuted by the following table. Write the result as $C_0D_0$, where $C_0$ and $D_0$ have 28 bits.
Key Permutation
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
(2) For $1 \le i \le 16$, let $C_i = LS_i(C_{i-1})$ and $D_i = LS_i(D_{i-1})$, where $LS_i$ means shift the input one or two places to the left, according to the following table.
Number of Key Bits Shifted per Round
Round: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Shift: 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
(3) 48 bits are chosen from the 56-bit string $C_iD_i$ according to the following table. The output is $K_i$.
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
# Each bit of the key is used in approximately 14 of the 16 rounds.
3.5 Security of DES
There has been much speculation on the key length, number of iterations, and design of the S-boxes. The S-boxes were particularly mysterious —all those constants, without any apparent reason as to why or what they're for. Although IBM claimed that the inner workings were the result of 17 man-years of intensive cryptanalysis, some people feared that the NSA had embedded a trapdoor into the algorithm so they would have an easy means of decrypting messages.
IBM published the following criteria for S-boxes in the early 1990's.
(1) Each S-box has 6 input bits and 4 output bits, which was the largest that could be put on one chip in 1974.
(2) The output of the S-boxes should not be close to being linear functions of the inputs.
(3) Each row of an S-box contains all numbers from 0 to 15.
(4) If two inputs to an S-box differ by 1 bit, the outputs must differ by 2 bits.
(5) If two inputs to an S-box differ in their first 2 bits but have the same last 2 bits, the outputs must be unequal.
(6) There are 32 pairs of inputs having a given XOR. For each of these pairs, compute the XOR of the outputs. No more than eight of these output XORs should be the same. This is clearly to avoid an attack via differential cryptanalysis.
(7) A criterion similar to (6), but involving three S-boxes.
(For details, see D. Coppersmith, "The Data Encryption Standard and its strength against attacks".)
4 DES Is Not a Group
Choose keys $K_1$ and $K_2$ and encrypt a plaintext $P$ by $E_{K_2}(E_{K_1}(P))$. Does this increase the security? If an attacker has sufficient memory, double encryption provides little extra protection. Moreover, if double encryption is equivalent to single encryption, then the cryptosystem is much less secure than one might guess. For example, if this were true for DES, the exhaustive search through all $2^{56}$ keys could be replaced by a search of length around $2^{28}$.
Definition 1. Let $E_0$ represent the encryption with the key consisting entirely of 0's and let $E_1$ represent the encryption with the key consisting entirely of 1's. A sequence of encryptions (for some plaintext $P$)
$(E_1 \circ E_0)(P),\ (E_1 \circ E_0)^2(P),\ \ldots,\ (E_1 \circ E_0)^n(P) = P$,
where $n$ is the smallest positive integer such that $(E_1 \circ E_0)^n(P) = P$, is called a cycle of length $n$.
Proposition 1. If $m$ is the smallest positive integer such that $(E_1 \circ E_0)^m(P) = P$ for all $P$, and $n$ is the length of a cycle (so $(E_1 \circ E_0)^n(P) = P$ for a particular $P$), then $n \mid m$.
Proof. Assume that $m = qn + r$ for some integer $q$ and $0 \le r < n$. Therefore
$P = (E_1 \circ E_0)^m(P) = (E_1 \circ E_0)^{qn+r}(P) = (E_1 \circ E_0)^r\big((E_1 \circ E_0)^{qn}(P)\big) = (E_1 \circ E_0)^r(P)$.
Since $n$ is the smallest positive integer such that $(E_1 \circ E_0)^n(P) = P$, and $0 \le r < n$, we must have $r = 0$.
Theorem 1. DES is not a group. That is, it is not true that for any keys $K_1, K_2$ there is a key $K_3$ such that $E_{K_3} = E_{K_2} \circ E_{K_1}$.
Proof. Suppose DES is closed under composition. Then $E_1 \circ E_0 = E_K$ for some $K$. Since there are only $2^{56}$ possible keys, we must have $E_K^i = E_K^j$ for some integers $i, j$ with $1 \le i < j \le 2^{56} + 1$. Decrypt $i$ times: $D_K^i \circ E_K^j = D_K^i \circ E_K^i$, so $E_K^{j-i}$ is the identity map. Since $0 < j - i \le 2^{56}$, the smallest positive integer $m$ such that $E_K^m$ is the identity map also satisfies $m \le 2^{56}$. By the Proposition, $m$ is a multiple of the cycle lengths. Coppersmith found the lengths of the cycles for 33 plaintexts, and their least common multiple is around $10^{277}$. Therefore DES is not a group.
5 Breaking DES
5.1 DES Has Shown Signs of Age
(1) Diffie and Hellman estimated that a machine could be built for $20 million in 1977 that could crack DES in roughly a day.
(2) Using switching technology, Wiener designed a more efficient device to attack DES in 1993.
(3) The year 1996 saw the formulation of three basic approaches for attacking DES. The first method was to do distributed computation. Another approach is to design a custom architecture. The middle method considers programmable logic arrays.
(4) The distributed computing approach to breaking DES became very popular, especially with the growing popularity of the Internet. In 1997, the RSA Data Security company issued a challenge to find the key and crack a DES-encrypted message. After only five months, Rocke Verser submitted the winning key, having searched 25% of the keyspace. In the following year, RSA issued Challenge II. The key was found after searching roughly 85% of the keyspace in 39 days.
(5) In 1998, the Electronic Frontier Foundation (EFF) developed a project called the DES Cracker (also known as Deep Crack). The average computer is ill suited for the task of cracking DES. The architecture is that the hardware efficiently eliminated a large number of invalid keys and only returned keys that were potentially promising, and the software then processed each of the promising candidate keys on its own, checking to see if one of them was in fact the actual key. The end result was that the DES Cracker consisted of about 1500 chips and could crack DES in roughly 4.5 days on average.
(6) The rumor is that the NSA can crack DES in 3 to 15 minutes, depending on how much preprocessing they can do. And these machines cost only $50,000 each, in quantity.
# The above results demonstrate that a 56-bit key is too short for a secure secret-key cipher given late-1990s computing technology.
5.2 DES Variants For Increasing Security
(1) Double DES encrypts the plaintext by first encrypting with one key and then encrypting again using a different key. Merkle and Hellman showed that the double encryption scheme actually has the security level of a 57-bit key, not a 112-bit key, due to the meet-in-the-middle attack.
(2) Triple DES appears to have a level of security approximately equivalent to a 112-bit key. There are at least two versions in which triple DES can be implemented. One is
$c = E_{K_1}(E_{K_2}(E_{K_3}(m)))$, $m = D_{K_3}(D_{K_2}(D_{K_1}(c)))$.
The other is
$c = E_{K_1}(D_{K_2}(E_{K_1}(m)))$, $m = D_{K_1}(E_{K_2}(D_{K_1}(c)))$.
Both are resistant to the meet-in-the-middle attack.
(3) Another version of DES has been proposed by Rivest:
$c = K_1 \oplus E_{K_2}(m \oplus K_3)$, $m = K_3 \oplus D_{K_2}(c \oplus K_1)$.
This method, known as DESX, has been shown to be fairly secure. DESX has been included in the MailSafe electronic mail security program since 1986 and the BSAFE toolkit since 1987.
# What is neat about this DES variant is that it can be implemented in existing hardware.
6 Password Security
Problem. A password, associated with each user (entity), is typically a string of 6 to 10 or more characters the user is capable of committing to memory. This serves as a shared secret between the user and the system. To gain access to a system resource (e.g., computer account, printer, or software application), the user enters a (user-id, password) pair. The system checks that the password matches the corresponding data it holds for that user-id, and that the stated identity is authorized to access the resource. Demonstration of knowledge of this secret is accepted by the system as corroboration of the entity's identity.
6.1 Password Schemes
(1) Stored password files
(2) “Encrypted” password files
[Figure: scheme (2), "encrypted" password files. User A sends $(ID_A, pwd_A)$ to the server; the server computes $f(pwd_A)$ with the one-way function $f$ and compares it with the entry $f(pwd_A)$ stored under $ID_A$ in the password table: Accept if they are equal (Yes), Reject otherwise (No).]
6.1 Password Schemes (Continued)
(3) Slowing down the password mapping
(4) Salting passwords
To make dictionary attacks less effective, each password, upon initial entry, may be augmented with a t-bit random string called a salt before applying the one-way function. Both the hashed password and the salt are recorded in the password file.
(5) Passphrases
6.2 Attacks
(1) Replay of fixed passwords
(2) Exhaustive password search
The feasibility of the attack depends on the number of passwords that need be checked before a match is expected, and the time required to test each.
(3) Password-guessing and dictionary attacks
Online/Offline password-guessing attacks
6.3 Case Study – UNIX Passwords
[Figure: the UNIX password algorithm. The user password is truncated to 8 ASCII characters (0-padded if necessary) to give a 56-bit key $K$; the 12-bit user salt modifies DES; the 64-bit data $I_1 = 00\ldots0$ is encrypted under $K$, and each output $O_i$ becomes the next input $I_i$ for $2 \le i \le 25$; the 64-bit $O_{25}$ together with the 12-bit salt (76 bits) is repacked into eleven 7-bit characters and stored as the encrypted password in /etc/passwd.]
(1) Password salting. UNIX password salting associates a 12-bit 'random' salt with each user-selected password. The 12 bits are used to alter the standard expansion function E of the DES mapping, providing one of 4096 variations, e.g., bit 1 with block bits 1 and 25, bit 2 with block bits 2 and 26, etc. If the salt bit is 1, the block bits are swapped, and otherwise they are not. Both the hashed password and the salt are recorded in the system password file. Security of any particular user's password is unchanged by salting, but a dictionary attack now requires 4096 variations of each trial password.
(2) Preventing use of off-the-shelf DES chips. Because the DES expansion permutation E is dependent on the salt, standard DES chips can no longer be used to implement the UNIX password algorithm. An adversary wishing to use hardware to speed up an attack must build customized hardware rather than use commercially available chips. This may deter adversaries with modest resources.
7 Modification Detection Code (MDC)
Definition 2. A modification detection code is a hash function h which, with inputs x, x' and outputs y, y', potentially has the following properties:
(1) Preimage resistance: For essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output, i.e., to find any preimage x' such that h(x')=y when given any y for which a corresponding input is not known.
(2) 2nd-preimage resistance: It is computationally infeasible to find any second input which has the same output as any specified input, i.e., given x, to find a 2nd-preimage x' ≠ x such that h(x) = h(x').
(3) Collision resistance: It is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that h(x)=h(x'). (Note that here there is free choice of both inputs.)
7.1 Objectives of Adversaries vs. MDC
The objective of an adversary who wishes to attack an MDC is as follows:
(1) Given a hash-value y, find a preimage x such that y =h(x); or given one such pair (x, h(x)), find a second preimage x' such that h(x) = h(x').
(2) Find any two inputs x, x', such that h(x) = h(x').
7.2 Case Study – MDC-2 with DES
A practical motivation for constructing hash functions from block ciphers is that if an efficient implementation of a block cipher is already available within a system (either in hardware or software), then using it as the central component for a hash function may provide the latter functionality at little additional cost.
Let $E$ be DES. Define two functions $g$ and $g'$ which map 64-bit values $U = u_1u_2 \cdots u_{64}$ to suitable 56-bit DES keys as follows:
$g(U) = u_1\,1\,0\,u_4u_5u_6u_7\,u_9u_{10} \cdots u_{63}$,
$g'(U) = u_1\,0\,1\,u_4u_5u_6u_7\,u_9u_{10} \cdots u_{63}$
(every eighth bit $u_8, u_{16}, \ldots, u_{64}$ is dropped and bits 2 and 3 are fixed). Choose the 64-bit non-secret constants $IV, IV'$ (the same constants must be used for MDC verification) from a set of recommended prescribed values. A default set of prescribed values is (in hexadecimal):
$IV = 5252525252525252$, $IV' = 2525252525252525$.
The message $M$ is broken into 64-bit blocks $[M_1, M_2, \ldots, M_t]$. The MDC-2 with DES performs the following steps:
(1) Let $H_0 = IV$ and $H_0' = IV'$.
(2) Let $\|$ denote concatenation, and let $C_i^L$, $C_i^R$ be the left and right 32-bit halves of $C_i$. The output is $h(M) = H_t \| H_t'$, defined as follows (for $1 \le i \le t$):
$k_i = g(H_{i-1})$, $C_i = E_{k_i}(M_i) \oplus M_i$;
$k_i' = g'(H_{i-1}')$, $C_i' = E_{k_i'}(M_i) \oplus M_i$;
$H_i = C_i^L \| C_i'^R$; $H_i' = C_i'^L \| C_i^R$.
[Figure: one MDC-2 step. $M_i$ is encrypted under the keys $g(H_{i-1})$ and $g'(H_{i-1}')$ and each result is XORed with $M_i$, giving $C_i = C_i^L C_i^R$ and $C_i' = C_i'^L C_i'^R$; the right halves are swapped to give $H_i = C_i^L C_i'^R$ and $H_i' = C_i'^L C_i^R$.]
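The MDC-2 construction just described, as an added example (not code from the lecture; function names are mine). It implements $g$, $g'$, the prescribed IVs and the chaining with the half-swap over any 64-bit block cipher supplied as a function; DES itself is not implemented here, so the cipher used for the self-test is a constructed stand-in and the resulting digests are illustrative only:

```python
# Added example (not code from the lecture): the MDC-2 construction of Section 7.2 with
# the key-mapping functions g, g' and the prescribed IVs, written over any 64-bit block
# cipher E(key56, block64) -> block64. DES itself is not implemented here: the stand-in
# cipher at the bottom is constructed for the self-test only and is neither DES nor secure.
IV = 0x5252525252525252
IV_PRIME = 0x2525252525252525
MASK64, LOW32, HIGH32 = 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF00000000

def drop_every_eighth_bit(u):
    """64-bit U = u1..u64 -> 56-bit u1..u7 u9..u15 ... u57..u63 (u1 most significant)."""
    key = 0
    for i in range(8):
        byte = (u >> (8 * (7 - i))) & 0xFF
        key = (key << 7) | (byte >> 1)          # keep the top 7 bits of every byte
    return key

def g(u):
    """g(U) = u1 1 0 u4 u5 u6 u7 u9 ... u63: bits 2 and 3 of the 56-bit key forced to 1 0."""
    return (drop_every_eighth_bit(u) & ~(0b11 << 53)) | (0b10 << 53)

def g_prime(u):
    """g'(U) = u1 0 1 u4 u5 u6 u7 u9 ... u63: bits 2 and 3 forced to 0 1."""
    return (drop_every_eighth_bit(u) & ~(0b11 << 53)) | (0b01 << 53)

def mdc2(blocks, E, iv=IV, iv_prime=IV_PRIME):
    """MDC-2 over 64-bit blocks M_1..M_t with block cipher E; returns (H_t, H'_t),
    so that h(M) = H_t || H'_t."""
    h, hp = iv, iv_prime                         # H_0 = IV, H'_0 = IV'
    for m in blocks:
        c = E(g(h), m) ^ m                       # C_i  = E_{g(H_{i-1})}(M_i)  xor M_i
        cp = E(g_prime(hp), m) ^ m               # C'_i = E_{g'(H'_{i-1})}(M_i) xor M_i
        h = (c & HIGH32) | (cp & LOW32)          # H_i  = C_i^L  || C'_i^R
        hp = (cp & HIGH32) | (c & LOW32)         # H'_i = C'_i^L || C_i^R
    return h, hp

def stand_in_cipher(key56, block):
    """Constructed stand-in for E, NOT DES: a keyed 64-bit bijection (rotations and
    multiplication by an odd constant are invertible mod 2^64) to exercise the chaining."""
    x = (block ^ ((key56 << 8) | (key56 >> 48))) & MASK64
    for _ in range(4):
        x = ((x << 13) | (x >> 51)) & MASK64
        x = (x * 0x9E3779B97F4A7C15 + key56) & MASK64
    return x

def mdc2_hex(data, E=stand_in_cipher):
    """Hash a byte string: zero-pad to a multiple of 8 bytes (my assumption; the lecture
    fixes no padding rule), split into 64-bit blocks, return H_t || H'_t as hex."""
    data = data + b"\x00" * (-len(data) % 8)
    blocks = [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]
    h, hp = mdc2(blocks, E)
    return f"{h:016x}{hp:016x}"

if __name__ == "__main__":
    print(f"g(IV)   = {g(IV):056b}")
    print(f"g'(IV') = {g_prime(IV_PRIME):056b}")
    print(mdc2_hex(b"The quick brown fox"))       # constructed sample input
```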
Thank You!