Professional Documents
Culture Documents
C = EK (P)
Same Key (K)
P = DK (C)
P = DK (EK (P))
2
DES - Data Encryption
Standard
Intended usage:
Unclassified government business (USA)
Sensitive private sector business
DES could not be legally exported from the US as software (but
could be published in a US book, or printed on a T-Shirt!)
Re-certified every five years, i.e. 1983, 1988, 1993. US NSA
(“National Security Agency” aka “No Such Agency”) were
reluctant for DES to be re-certified in 1988.
Many feared that NSA has secret trapdoor in the DES
3
DES - Data Encryption
Standard
1973 - US NBS (“National Bureau of Standards”, now called NIST) request for
proposals.
None judged worthy.
1974 - 2nd request for proposals.
US NSA urges IBM to submit its cipher Lucifer
US NSA modifies IBM’s submission.
1975 - US NBS publishes proposal
Much comment about US NSA modifications, e.g. fear of backdoors, shortening of key
from 128 to 56 bits
1976 - DES Standard published.
US NSA thought standard would be HW only, but NBS published enough details for
software implementation.
1976 - 1998 DES widely used worldwide
1998 – DES brute force attackable 4
DES Basics
DES is an example of a BLOCK CIPHER (but can also
be operated as a STREAM CIPHER)
Plaintext encrypted 64-bits at a time.
56 bits key. The security lies in the key
256 = 7.2x1016 possible keys
56-bit Key
64- E 64-bit
bit P C
5
DES Desired Design Criteria
Ciphertext should depend on the plaintext and key in a
complicated and involved way (CONFUSION)
Each bit of ciphertext should depend on all bits of
plaintext and all bits of the key (DIFFUSION)
AVALANCHE EFFECT
Small changes to input cause massive variation in output.
In DES, flipping 1 bit of the key or 1 bit of a 64-bit input block
will flip 50% of the output block’s bits
6
Structure of DES
64-bit Plaintext 56-bit Key
ENCRYPTION
Each block is subjected to 16 rounds of Initial Permutation (IP)
substitutions and permutations 64
(transpositions). Generate L&R halves
Permutations act to ‘diffuse’ data,
substitutions act to ‘confuse’ data Round 1
Each round uses 48 bits from key 64 ................................ 56
called the subkey.
Initial and final permutation appear to Round 16
be redundant.
DECRYPTION Swap L & R halves
Same process as encryption but with
Inverse of IP
subkeys applied in reverse order
64-bit Ciphertext7
Feistel Cipher: A Cipher
Design Pattern
Encryption
n rounds
Plaintext = (L0, R0)
For 1 <= i <= n
Li = Ri-1
Ri = Li-1 xor f(Ri-1 , Ki)
Subkeys Ki derived from key K
Ciphertext = (Rn, Ln)
Decryption
As Encryption above, but subkeys applied in reverse order: N, N-1,
N-2, … 8
Feistel Cipher: A Cipher
Design Pattern
Block size: Large block size better. 128-bit or 256-bits blocks are
best
Key size: These days at least 128 bits; more better, e.g. 192 or
256 bits
Number of rounds: Typically at least 16 rounds needed
Round function f and subkey generation: Designed to make
cryptanalysis difficult
Round function f: typically built from transpositions,
substitutions, modular arithmetic, etc.
9
Feistel Cipher Example
L0 R0 Plaintext
R3 L3 Ciphertext
10
DES
ALGORITHM
11
A Round of DES
Left (32) Right (32) Key in (56)
32
E-Box
56
48 48 Key-Box
48 56
8 non-linear S-Boxes
32
P-Box
32 is XOR
32 32
Left (32) Right (32) Key out
12(56)
A Round of DES
Left (32) Right (32)
A Round
32
E-Box Lefti = Righti-1
48 Subkey Righti = Lefti-1 xor fi
48 48)
8 S-Boxes fi = P (S( E(Righti-1)
32 xor Subkeyi ))
P-Box
32
32 32
Left (32) Right (32) 13
Initial Permutation
Number 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
16
Key Box
48-bit subkey is generated in each round
This is called compression-permutation
Read Left to Right, Top to Bottom
Key bit 14 goes to Bit Position 1 of subkey
8 bits are ignored
17
Key Box
56 bits
28 28
28 28
Permutation & Compression
Subkey
48
48 28 new input for key box 28
56 bits 18
E-Box
32 bits
.............................
48 bits
E box expands & permutates (from 32-bits to 48 bits).
Changes order as well as repeating certain bits (Helps
with avalanche effect).
19
E-Box
32 bits
Each S-box takes 6-bits of input and produces 4-bits of output.
S-Boxes give DES it’s security. Other boxes are linear and easier
to analyze. S-Boxes are non-linear and much harder to analyze.
21
S-Box [n]
b1 b2 b3 b4 b5 b6
r1 r2 r3 r4
23
S-Box Design Criteria
Each S-box has 6 input bits and 4 output bits. (This was the
largest size that could be accommodated in a single chip with
1974 technology.)
No output bit of an S-box should be too close to a linear function
of the input bits.
If you fix the left-most and right-most bits of an S-box and vary the
4 middle bits, each possible 4-bit output is attained exactly once.
If two inputs to an S-box differ in exactly 1 bit, the outputs must
differ in at least 2 bits.
24
P-Box
32 bits
.................................
32 bits
26
P-Box Design Criteria
The 4 output bits from each S-box in round i are distributed so
that 2 of them affect the middle-bits of S-boxes at round (i + 1)
and the other 2 affect end bits.
The 4 output bits from each S-box affect six different S-boxes in
the following round; 2 S-boxes won’t affect the same S-box.
If the output bit from one S-box affects a middle bit of another S-
box, then an output bit from that other S-box cannot affect a
middle bit of the first S-box.
27
Final Permutation
28
DES
ALGORITHM
29
DES Decryption
Same algorithm
Keys must be used in reverse order
If the encryption keys for each round are
K1K2 K3,..., K16
The decryption keys are
K16 K15 K14, ..., K1
Round
Right
1
circular
2 3 4
shift
5
for subkey
6 7 8
generation
9 10 11 12 13 14 15 16
Key shift at each round is
Number 0 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
30
Security of DES
Design criteria (particularly of S-
Boxes) wasn’t revealed until 1994
No known trapdoors. No proof of
non-existence either
Oddity: If both plaintext and key are
complemented so is the resulting
ciphertext.
31
Security of DES
Weak Keys:
4 weak keys produce 16 identical subkeys
• all zeros,
• all ones,
• 0xE1E1E1E1F0F0F0F0,
• 0x1E1E1E1E0F0F0F0F
Semi-weak keys:
6 semi-weak key pairs produce 2 keys (identical for 8 rounds)
• 0x011F011F010E010E and 0x1F011F010E010E01
• 0x01E001E001F101F1 and 0xE001E001F101F101
• 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
• 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
• 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
• 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
32
Security of DES
BRUTE FORCE ATTACK
256 keys but brute force attacks are now becoming feasible
In 1993, Michael Wiener showed that it was possible to cheaply
build hardware that undertook a known-plaintext attack:
in 3.5 hours for $1 million
in 21 mins for $10 million
in 35 hours for $100,000
Intelligence agencies and those with the financial muscle most
probably have such hardware.
33
Security of DES
DES was finally broken by DESCHALL in 1997
They used distributed systems where
14000 unique host and
78000 different IP addresses were recorded
They won $10,000 prize
Now, DES is replaced by 3DES with 168-bit key
34
Double DES (Multiple
Encryption) K1 K2
Encrypt twice with two keys
112 bit keys P E E C
K1= 56-bit
K2 = 56-bit
35
Triple DES (part of DES
standard)
TRIPLE DES WITH 2 KEYS K1 K2 K1
(EDE2)
3 keys considered unnecessary P E D E C
Cost of 2 key attack is thus 2112
TRIPLE DES WITH 3 KEYS
(EDE3)
Preferred by some K1 K2 K3
168-bit key length
P E D E C
36