Post on 12-Jan-2016
description
1
Data Encryption Standard – DES and Other Symmetric Block Ciphers
DES was developed as a standard for communications and data protection by an IBM research team, in response to a
public request for proposals by the NBS - the National Bureau of Standards (which is now known as NIST).
2
Lecture Plan Review of Encryption Symmetric and Asymmetric Encryption DES History DES Basics DES Details DES Example DES Modes of Use
3
Review of Encryption A message in its original form (plaintext) is encrypted
into an unintelligible form (ciphertext) by a set of procedures known as an encryption algorithm (cipher) and a variable, called a key; and the ciphertext is transformed (decrypted) back into plaintext using the decryption algorithm and a key.
Dear Friend,I have seen your message of …
…
Dear Friend,I have seen your message of …
Encryption Decryption
Symmetric Key
Symmetric Key
Scrambled Data
Original Data
Original Data
4
Review of Encryption Encryption C = EK(P) Decryption P = EK
-1(C) EK is chosen from a family of transformations
known as a cryptographic system. The parameter that selects the individual
transformation is called the key K, selected from a keyspace K.
For a K-bit key size the keyspace size is 2K
5
Comparison of Symmetric and Asymmetric Encryption
Encryption DecryptionCiphertext
Original PlaintextPlaintext
Secret Key
Symmetric (Single Key) Cryptography
Encryption DecryptionCiphertext
Original Plaintext
Private KeyPublic Key
Plaintext
Asymmetric (Two Key) Cryptography
6
Block Cipher Design Principles
Confusion – obscures the relationship between the plaintext and ciphertext. Eliminates redundancies and statistical patterns. Confusion is achieved through substitution.
Diffusion – dissipates the redundancies of the plaintext by distributing over the ciphertext. Diffusion is achieved through permutations.
Shannon’s Papers of 1948/1949: A Mathematical Theory of Communication Communication Theory of Secrecy Systems
Multiple Iterations
7
DES - History The Data Encryption Standard (DES) was developed
in the 1970s by the National Bureau of Standards (NBS)with the help of the National Security Agency (NSA).
Its purpose is to provide a standard method for protecting sensitive commercial and unclassified data.
IBM created the first draft of the algorithm, calling it LUCIFER with a 128-bit key.
DES officially became a federal standard in November of 1976.
8
DES - History In May 1973, and again in Aug 1974 the NBS
(now NIST) called for possible encryption algorithms for use in unclassified government applications.
Response was mostly disappointing, however, IBM submitted their LUCIFER design.
Following a period of redesign and comment it became the Data Encryption Standard (DES).
9
DES - As a Federal Standard DES was adopted as a (US) federal standard in
November 1976, published by NBS as a hardware only scheme in January 1977 and by ANSI for both hardware and software standards in ANSI X3.92-1981 (also X3.106-1983 modes of use) .
Subsequently DES has been widely adopted and is now published in many standards around the world.
10
DES - Usage in Industry One of the largest users of the DES is the
banking industry, particularly with EFT, and EFTPOS
It is for this use that the DES has primarily been standardized, with ANSI having twice reconfirmed its recommended use for 5 year periods - a further extension was not expected.
However DES has been extended to 2005 and at that time it will be replaced by AES which has already been standardized.
11
DES - Design Shrouded in Mystery
Although the standard is public, the design criteria used are classified and have yet to be released.
There has been considerable controversy over the design, particularly in the choice of a 56-bit key.
W. Diffie, M Hellman “Exhaustive Cryptanalysis of the NBS Data Encryption Standard” IEEE Computer 10(6), June 1977, pp74-84.
M. Hellman “DES will be totally insecure within ten years” IEEE Spectrum 16(7), Jul 1979, pp 31-41.
12
DES - Design Proves Good Recent analysis has shown despite this that the choice
was appropriate, and that DES is well designed. Rapid advances in computing speed though have
rendered the 56 bit key susceptible to exhaustive key search, as predicted by Diffie and Hellman.
The DES has also been theoretically broken using a method called Differential Cryptanalysis, however in practice this is unlikely to be a problem (yet).
13
DES - Basics DES uses the two basic techniques of
cryptography - confusion and diffusion. At the simplest level, diffusion is achieved
through numerous permutations and confusions is achieved through the XOR operation and the S-Boxes.
This is also called an S-P network.
14
The S-P NetworkP-box
Dec
oder
: 3
to
8
S-box
Enc
oder
: 8
to
3
Product Cipher
P1 P4
S4
S3
S2
S1
P2
S8
S7
S6
S5
P3
S12
S11
S10
S9
15
DES in a Nutshell
16
DES - The 16 Iterations
The basic process in enciphering a 64-bit data block and a 56-bit key using the DES consists of: An initial
permutation (IP) 16 rounds of a
complex key dependent calculation f
A final permutation, being the inverse of IP
…
64-bit Ciphertext
…
64-bit Plaintext
…Initial
Permutation
Iteration 1
Iteration 2
Iteration 16
32-bit Swap
Inverse Initial Permutation
Permuted Choice 2
Permuted Choice 2
Permuted Choice 1
Left Circular Shift
Left Circular Shift
Permuted Choice 2 Left Circular Shift
K1
K2
K16
56-bit Key
17
Details of Each Iteration
Li-1 Ri-1 Ci-1 Di-1
Li Ri Ci Di
Permutation Choice(PC-2)
Expansion Permutation
(E-Table)
Substitution Box(S-Box)
XOR
XOR
Permutation Box(P)
Left Shift(s) Left Shift(s)
48 bits
48 bits
32 bits
32 bits
32 bits
32 bits
48 bitsKi
32 bits 32 bits 28 bits 28 bits
18
DES - Swapping of Left and Right Halves
The 64-bit block being enciphered is broken into two halves.
The left half and the right half go through one DES round, and the result becomes the new right half.
The old right half becomes the new left half half, and will go through one round in the next round.
This goes on for 16 rounds, but after the last round the left and right halves are not swapped, so that the result of the 16th round becomes the final right half, and the result of the 15th round (which became the left half of the 16th round) is the final left half.
19
DES - Swapping of Left and Right Halves
This can be described functionally as: L(i) = R(i-1) R(i) = L(i-1) P(S( E(R(i-1)) K(i) ))
This forms one round in an S-P network
Li-1 f (Ri-1, Ki)
Li-1 Ri-1
32 bitsLi
32 bitsRi
20
DES - Basics Fundamentally DES performs only two operations on its
input, bit shifting (permutation), and bit substitution. The key controls exactly how this process works. By doing these operations repeatedly and in a non-linear
manner you end up with a result which can not be used to retrieve the original without the key.
Those familiar with chaos theory should see a great deal of similarity to what DES does. By applying relatively simple operations repeatedly a system can achieve a state of near total randomness.
21
Each Iteration Uses a Different Sub-key
DES works on 64 bits of data at a time. Each 64 bits of data is iterated on from 1 to 16 times (16 is the DES standard).
For each iteration a 48 bit subset of the 56 bit key is fed into the encryption block
Decryption is the inverse of the encryption process.
22
DES Key Processing The key is usually stored as a 64-bit number,
where every eighth bit is a parity bit. The parity bits are pitched during the algorithm,
and the 56-bit key is used to create 16 different 48-bit subkeys - one for each round.
DES Subkeys: K1, K2, K3, … K16
23
DES Key Processing - Subkeys Generation
In order to generate the 16 48-bit subkeys from the 56-bit key, the following process is used:First, the key is loaded according to the PC-1 and
then halved. Then each half is rotated by 2 bits in every round
except the first, second, 9th and last rounds. The reason for this is that it makes it secure against
related-key cryptanalysis. Then 48 of the 56 bits are chosen according to a
compression permutation - PC-2.
24
The Key Schedule The subkeys used by the 16 rounds are formed
by the Key Schedule which consists of: An initial permutation of the key (PC1) which
selects 56-bits in two 28-bit halves 16 stages consisting of:
selecting 24-bits from each half and permuting them by PC2 for use in function f
rotating each half either 1 or 2 places depending on the key rotation schedule KRS
this can be described functionally as: K(i) = PC2(KRS(PC1(K),i))
25
Permuted Choice 1 — PC-1
57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4
26
Permuted Choice 2 — PC-2
14 17 11 24 1 5 3 28 15 6 21 10
23 19 12 4 26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40 51 45 33 48
44 49 39 56 34 53 46 42 50 36 29 32
27
Key Rotation Schedule — KRS
Round Number
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number of Left Shifts
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Total Number of Shifts
1 2 4 6 8 10 12 14 15 17 19 21 23 25 27 28
28
DES Operation - Plaintext The block to be encrypted is halved - the right
half goes through several steps before being XOR-ed with the left half and, except after the last round, trading places with the left half.
29
DES - Expansion Permutation
First the right half goes through an expansion permutation which expands it from 32 to 48 bits.
This makes it the same length as the subkey to allow the XOR, but it also demonstrates an important concept in cryptography. In expanding to 1.5 times its size, several bits are repeated (no new bits are introduced - all the existing bits are shifted around, and some are used twice).
Because of this some of the input bits affect two output bits instead of one, the goal being to have every output bit in DES depend upon every input bit as quickly as possible. This is known as the avalanche effect.
30
Expansion Permutation Table
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
31
DES Operation - E(Ri) Ki
The result of the expansion permutation is XOR-ed with the subkey, and then goes through the S-boxes.
There are 8 S-boxes, each of which takes a 6-bit input an spits out a 4-bit output.
This step is non-linear. For a given input i1, i2 ... i6, the output is determined by using the concatenation of i1 and i6, and the concatenation of i2… i5, and using these as the indices to the table which is the S-box.
32
S-box Permutations The S-boxes are somewhat different from the other
permutations. While all the others are set up according to “bit x goes to bit y”, the input bits can be viewed differently for the S-boxes.
If the input is {i1,i2,i3,i4,i5,i6} then the two-bit number {i1,i6} and the the four-bit number {i2,i3,i4,i5} are used as indices to the table.
For the 48-bit word {i1,i2 … i48}, the word {i1 … i6} is sent to S-box 1, the word {i7 … i12} to S-box 2, etc. The output of S-box 1, {o1 … o4}, that of S-box 2, {o5 … o8} etc. are concatenated to form the output.
33
The 8 DES S Boxes
S-Box 1 S-Box 2 S-Box 3 S-Box 4 S-Box 5 S-Box 7 S-Box 8S-Box 6
0 … 5 6 … 11 12 … 17 18 … 23 24 … 29 30 … 35 35 … 41 42 … 47
0 … 3 4 … 7 8 … 11 12 … 15 16 … 19 20 … 23 24 … 27 28 … 31
48-bit Input
32-bit Output
34
S-box Permutations
35
S1 Box Truth Table
36
The 8 DES S Boxes
37
DES Operation - P Box The output of each of the 8 S-boxes is
concatenated to form a 32-bit number, which is then permutated with a P-box.
This P-box is a straight permutation, and the resulting number is XOR-ed with the left half of the input block with which we started at the beginning of this round.
Finally, if this is not the last round, we swap the left and right halves and start again.
38
Permutation Function - P Box
16 7 20 21
9 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
39
DES Permutations The initial and final permutations in DES serve
no cryptographic function. They were originally added in order to make it easier to load the 64-bit blocks into hardware - this algorithm after all predates 16-bit busses - and is now often omitted from implementations.
However the permutations are a part of the standard, and therefore any implementation not using the permutations is not truly DES.
40
DES Permutations Using the Initial Permutation a DES chip loads a 64-
bit block one bit at a time (this gets to be very slow in software).
The order in which it loads the bits is shown below. The final permutation is the inverse of the initial (for
example, in the final permutation bit 40 goes to bit 1, whereas in the initial permutation bit 1 goes to bit 40).
41
Initial PermutationBit goes to Bit58 150 242 334 426 518 610 72 860 952 1044 1136 1228 1320 1412 154 16
Bit goes to Bit62 1754 1846 1938 2030 2122 2214 236 2464 2556 2648 2740 2832 2924 3016 318 32
Bit goes to Bit57 3349 3441 3533 3635 3717 389 391 4059 4151 4243 4335 4427 4519 4611 473 48
Bit goes to Bit61 4953 5045 5137 5229 5321 5413 555 5663 5755 5847 5939 6031 6123 6215 637 64
42
Initial Permutation Pictorially
Bit goes to Bit58 150 242 334 426 518 610 72 860 952 1044 1136 1228 1320 1412 154 16
43
DES Initial and Final Permutations
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
44
Weak Keys There are a few keys which are considered
weak for the DES algorithm. They are so few, however, that it is trivial to check for them during key generation.
Example Weak Keys
45
DES Example - Key
K = 581FBC94D3A452EAX = 3570E2F1BA4682C7
K = ( 0101 1000 0001 1111 1011 1100 1001 0100
1101 0011 1010 0100 0101 0010 1110 1010 )
C0 = ( 10111100110100
01101001000101 )
D0 = ( 11010010001011
10100001111111 )
46
DES Example - KeyC1 = ( 0111 1001 1010 0011 0100 1000 1011 )
D1 = ( 1010 0100 0101 1101 0000 1111 1111 )
K1 = ( 001001 111010 000101 101001
111001 011000 110111 011010 )
C2 = ( 1111 0011 0100 0110 1001 0001 0110 )
D2 = ( 0100 1000 1011 1010 0001 1111 1111 )
K2 = ( 110110 101001 000111 011101
110101 111011 011101 001000 )
47
DES Example - DataK=581FBC94D3A452EAX=3570E2F1BA4682C7
X = (x1, x2, x3, …, x64)
= ( 0011 0101 0111 0000 1110 0010 1111 0001
1011 1010 0100 0110 1000 0010 1100 0111)
This plaintext X is first subjected to an Initial Permutation – IP which givesL0 = ( 1010 1110 0001 1011 1010 0001 1000 1001)
A E 1 B A 1 8 9
R0 = ( 1101 1100 0001 111 0001 0000 1111 0100) D C 1 F 1 0 F 4
48
DES Example - DataE(R0) = ( 011011 111000 000011 111110
100010 100001 01110 101001)1 = E(R0) K1
= ( 010010 000010 000110 010111
011011 111001 101001 110011)
S501(1101) = S5
1(13) = 9 = 1001
S611(1100) = S6
3(12) = 6 = 0110
S711(0100) = S7
3(4) = 1 = 0001
S811(1001) = S8
3(9) = 12 = 1100
49
DES Example - DataB1 = (1010 0001 1110 1100 1001 0110 0001 1100)
P(B1) = (0010 1011 1010 0001 0101 0011 0110 1100)
R1 = P(B1) L0
= (1000 0101 1011 1010 1111 0010 1110 0101)
8 5 B A F 2 E 5
50
DES Example - DataL1 = (1101 1100 0001 1111 0001 0000 1111 0100)
D C 1 F 1 0 F 4E(R1) = ( 110000 001011 110111 110101
011110 100101 011100 001011)
2 = E(R1) K2
= ( 000110 100010 110000 101000
101011 011110 000001 000011)
51
DES Example - DataS1
00(0011) = S11(3) = 1 = 0001
S210(0001) = S2
3(1) = 14 = 1110
S310(1000) = S3
3(8) = 11 = 1011
S410(0100) = S4
3(4) = 12 = 1100
S511(0101) = S5
1(5) = 14 = 1110
S600(1111) = S6
3(15) = 11 = 1011
S701(0000) = S7
3(0) = 13 = 1101
S801(0001) = S8
3(1) = 15 = 1111
52
DES Example - DataB2 = (0001 1110 1011 1100 1110 1011 1101 1111)
P(B2) = (0101 1111 0011 1110 0011 1001 1111 0111)
R2 = P(B2) L1
= (1000 0011 0010 0001 0010 1001 0000 0011)
8 3 2 1 2 9 0 3
L2 = R1 = (1000 0101 1011 1010 1111 0010 1110 0101)
8 5 B A F 2 E 5
53
DES Example - Data - Done !Y = (y1, y2,y3, …, y64)
= ( 1101 0111 0110 1001 1000 0010 0010 0100
0010 1000 0011 1110 0000 1010 1110 1010)
= ( D 7 6 9 8 2 2 4 2 8 3 E 0 A E A)
54
DES Modes of Use DES encrypts 64-bit blocks of data, using a 56-bit key We need some way of specifying how to use it in
practice, given that we usually have an arbitrary amount of information to encrypt
The way we use a block cipher is called its Mode of Use and four have been defined for the DES by ANSI in the standard: ANSI X3.106-1983 Modes of Use)
55
DES Modes of Use DES Modes of Use are either:
Block Modes Splits messages in blocks (ECB, CBC)
Stream Modes On byte stream messages (CFB, OFB)
56
Block Modes - ECB Electronic Codebook Book (ECB)
where the message is broken into independent 64-bit blocks which are encrypted
C(i) = DESK(P(i))
57
Subverting DES in ECB Mode
A d a m s , L e s l i e C l e r k $ 1 0
B l a c k , R o b i n B o s s $ 5 0 0
C o l l i n s , K i m M a n a g e r $ 1 0 0
D a v i s , B o b b i e J a n i t o r $ 5
16 8 8Bytes
Name Position Bonus
58
Block Modes - CBC Cipher Block Chaining (CBC)
Again the message is broken into 64-bit blocks, but they are linked together in the encryption operation with an IV
C(i) = DESK(P(i) C(i-1)) C(-1)= IV
59
Cipher Block Chaining (CBC)
Key
XOR
E
P0
C0
IV XOR
E
P1
C1
XOR
E
P2
C2
XOR
E
P3
C3
…
Key
IV …XOR
D
C0
P0
XOR
D
C1
P1
XOR
D
C2
P2
XOR
D
C3
P3
60
Stream Modes - CFB Cipher FeedBack (CFB)
where the message is treated as a stream of bytes, added to the output of the DES, with the result being feed back for the next stage
Ci = Pi SLMB(DESK(C(i-1)))
Ci = SLMB(DESK(C(i-1)))
C(-1)= IV C(i) = Ci-1|| Ci-2|| Ci-3|| Ci-4|| Ci-
5|| Ci-6|| Ci-7|| Ci-8||
61
Stream Modes - CFB
XOR
E
C2 C3 C4 C5 C6 C7 C8 C9
SLMB
P10
KeyDES Encryption Box
Select Left Most Byte
C10
C10
64-bit Shift Register
C(10)
62
Stream Modes - OFB Output FeedBack (OFB)
where the message is treated as a stream of bytes, added to the message, but with the feedback being independent of the message
Ci = Pi Oi
Oi = SLMB(DESK(O(i-1))) O(-1)= IV O(i) = Oi-1|| Oi-2|| Oi-3|| Oi-4|| Oi-
5|| Oi-6|| Oi-7|| Oi-8||
63
Stream Modes - OFB
XOR
E
O2 O3 O4 O5 O6 O7 O8 O9
SLMB
P10
KeyDES Encryption Box
Select Left Most Byte
C10
O10
64-bit Shift Register
O(10)
64
Limitations of Various Modes - ECB
Repetitions in message can be reflected in ciphertext, if aligned with message block.
Particularly with data such graphics. Or with messages that change very little, which
become a code-book analysis problem. Weakness is because enciphered message
blocks are independent of each other. Can be solved using CBC.
65
Limitations of Various Modes - CBC
Uses result of one encryption to modify input of next.
Hence each ciphertext block is dependent on all message blocks before it.
Thus a change in the message affects the ciphertext block after the change as well as the original block.
Susceptible to errors. Error in a single block make all the subsequent blocks useless.
66
Triple DES - More Secure DES
E
K1
D
K2
E
K1
CiphertextPlaintext
Encryption
A B
D
K1
E
K2
D
K1
PlaintextCiphertext
Decryption
B A
Why not Double DES?
Why Triple DES with two Keys?
Why EDE?
67
IDEA International Data Encryption Algorithm also known
as Proposed Encryption Standard – PES European origins – free from any NSA tampering 64-bit block cipher 128-bit key Fast in software on general purpose processors Consists of three basic operations:
XOR Addition modulo 216
Multiplication modulo 216 + 1
68
GOST 64-bit block cipher from USSR 256-bit key (up to 610 bits key considering S-boxes) Better suited to software implementation than DES 32 rounds For the i-th round
Li=Ri-1 Ri=Li-1 f(Ri-1, Ki)
f consists of: Add right half and the i-th subkey modulo 232
Break result into 8 4-bit chunks and input into a different S-box Outputs of all S-boxes are recombined 11-bit left circular shift XOR with the left half
69
One Round of GOST
Li-1 Ri-1Choose One Subkey
S-Box Substitution
Left Circular Shift
Li Ri
S-boxes in GOST are user defined and provide additional keying material
8 32-bit Subkeys are derived from 256-bit key and are repeatedly used according to the key schedule of GOST
70
GOST S-Boxes and Subkeys
Round Number
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Subkey 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
Round Number
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
Subkey 1 2 3 4 5 6 7 8 8 7 6 5 4 3 2 1
S-box 1:
4 10 9 2 13 8 0 14 6 11 1 12 7 15 5 3
S-box 2:
14 11 4 12 6 13 15 10 2 3 8 1 0 7 5 9
71
BLOWFISH Designed by Bruce Schneier Fast on 32-bit microprocessors Compact Simple Variable key lengths up to 448-bits Uses a large number of subkeys 16 iterations/rounds
Each round consists of a key-dependent permutation and A key- and data-dependent substitution All operations are additions and XOR’s on 32-bit words
72
RC5 Designed by Professor Ronald Rivest of MIT Ron’s Cipher (RC) others also exist – RC2,
RC4, RC6 Supports a variety of block sizes, key sizes and
number of rounds Three basic operations
XORAdditionRotations
Patented by RSADSI
73
AES A replacement for DES – after a very long time Result of an open, international competition conducted
by NIST Five finalists
MARS Serpent Twofish RC6 Rijendael
Rijendael finally chosen as AES
74
AES Design criteria included:
SecuritySpeed on a variety of platforms – hardware,
software, smartcards, microcontrollers
Rijendael – European submission finally chosen as AES