ICT 5301:

Information System and

Network Security
Dr. Hossen Asiful Mustafa
http://hossenmustafa.buet.ac.bd
 Encryption & Decryption
Key (K)

Plaintext (P) Encrypt (E) Ciphertext (C)

C = EK (P)
Same Key (K)

Ciphertext (C) Decrypt (D) Plaintext (P)

P = DK (C)

P = DK (EK (P))

2
 DES - Data Encryption
Standard
 Intended usage:
 Unclassified government business (USA)
 Sensitive private sector business
 DES could not be legally exported from the US as software (but
could be published in a US book, or printed on a T-Shirt!)
 Re-certified every five years, i.e. 1983, 1988, 1993. US NSA
(“National Security Agency” aka “No Such Agency”) were
reluctant for DES to be re-certified in 1988.
 Many feared that NSA has secret trapdoor in the DES

3
 DES - Data Encryption

Standard
1973 - US NBS (“National Bureau of Standards”, now called NIST) request for
proposals.
 None judged worthy.
 1974 - 2nd request for proposals.
 US NSA urges IBM to submit its cipher Lucifer
 US NSA modifies IBM’s submission.
 1975 - US NBS publishes proposal
 Much comment about US NSA modifications, e.g. fear of backdoors, shortening of key
from 128 to 56 bits
 1976 - DES Standard published.
 US NSA thought standard would be HW only, but NBS published enough details for
software implementation.
 1976 - 1998 DES widely used worldwide
 1998 – DES brute force attackable 4
 DES Basics
 DES is an example of a BLOCK CIPHER (but can also
be operated as a STREAM CIPHER)
 Plaintext encrypted 64-bits at a time.
 56 bits key. The security lies in the key
 256 = 7.2x1016 possible keys
56-bit Key

64- E 64-bit
bit P C
5
 DES Desired Design Criteria
 Ciphertext should depend on the plaintext and key in a
complicated and involved way (CONFUSION)
 Each bit of ciphertext should depend on all bits of
plaintext and all bits of the key (DIFFUSION)
 AVALANCHE EFFECT
 Small changes to input cause massive variation in output.
 In DES, flipping 1 bit of the key or 1 bit of a 64-bit input block
will flip 50% of the output block’s bits
6
 Structure of DES
64-bit Plaintext 56-bit Key
 ENCRYPTION
 Each block is subjected to 16 rounds of Initial Permutation (IP)
substitutions and permutations 64
(transpositions). Generate L&R halves
 Permutations act to ‘diffuse’ data,
substitutions act to ‘confuse’ data Round 1
 Each round uses 48 bits from key 64 ................................ 56
called the subkey.
 Initial and final permutation appear to Round 16
be redundant.
 DECRYPTION Swap L & R halves
 Same process as encryption but with
Inverse of IP
subkeys applied in reverse order
64-bit Ciphertext7
 Feistel Cipher: A Cipher
Design Pattern
 Encryption
 n rounds
 Plaintext = (L0, R0)
 For 1 <= i <= n
Li = Ri-1
Ri = Li-1 xor f(Ri-1 , Ki)
 Subkeys Ki derived from key K
 Ciphertext = (Rn, Ln)
 Decryption
 As Encryption above, but subkeys applied in reverse order: N, N-1,
N-2, … 8
 Feistel Cipher: A Cipher
Design Pattern
 Block size: Large block size better. 128-bit or 256-bits blocks are
best
 Key size: These days at least 128 bits; more better, e.g. 192 or
256 bits
 Number of rounds: Typically at least 16 rounds needed
 Round function f and subkey generation: Designed to make
cryptanalysis difficult
 Round function f: typically built from transpositions,
substitutions, modular arithmetic, etc.
9
Feistel Cipher Example
L0 R0 Plaintext

L1=R0 R1=L0 xor f(R0, K1)

L2=R1 R2=L1 xor f(R1, K2)

L3=R2 R3=L2 xor f(R2, K3)

R3 L3 Ciphertext
10
DES
ALGORITHM

11
 A Round of DES
Left (32) Right (32) Key in (56)

32
E-Box
56
48 48 Key-Box
48 56
8 non-linear S-Boxes
32
P-Box
32 is XOR
32 32
Left (32) Right (32) Key out
12(56)
 A Round of DES
Left (32) Right (32)
 A Round
32
E-Box Lefti = Righti-1
48 Subkey Righti = Lefti-1 xor fi
48 48)
8 S-Boxes fi = P (S( E(Righti-1)
32 xor Subkeyi ))
P-Box
32
32 32
Left (32) Right (32) 13
 Initial Permutation

 Read Left to Right, Top to Bottom

 Plaintext bit 58 goes to Bit Position 1

 Plaintext bit 50 goes to Bit Position 2

 Does this increase security?

14
 Key Box

 64-bit key transforms to 56-bit by discarding the parity

bit (every 8-bit)
 Read Left to Right, Top to Bottom
 Plaintext bit 57 goes to Bit Position 1…
15
 Key Box
 The 56-bit key is divided into two 28-bit halves.
 The halves are circularly shifted left by either one or
two bits, depending on the round.
Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Number 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

16
 Key Box
 48-bit subkey is generated in each round
 This is called compression-permutation
 Read Left to Right, Top to Bottom
 Key bit 14 goes to Bit Position 1 of subkey
 8 bits are ignored

17
 Key Box
56 bits
28 28

Rotate Left 1 or 2 bits Rotate Left 1 or 2 bits

28 28
Permutation & Compression
Subkey
48
48 28 new input for key box 28

56 bits 18
 E-Box
32 bits

.............................

48 bits
 E box expands & permutates (from 32-bits to 48 bits).
 Changes order as well as repeating certain bits (Helps
with avalanche effect).
19
 E-Box

 32 bits are divided into 8 blocks of 4 bits

 For each block:
 1st and 4th bits are repeated twice
 2nd and 3rd bits are not repeated
 The bits are permuted as shown in the table 20
 S-Boxes
48 bits

S[1] ................................. S[8]

32 bits
 Each S-box takes 6-bits of input and produces 4-bits of output.
 S-Boxes give DES it’s security. Other boxes are linear and easier
to analyze. S-Boxes are non-linear and much harder to analyze.

21
 S-Box [n]
b1 b2 b3 b4 b5 b6

Result = SBOX [n] [Row] [Column]

r1 r2 r3 r4

 Each S-box has its own substitution table.

 Outer 2 bits select row, middle 4 bits select column of substitution
table. Entry gives new 4 bit value. 22
 Substitution table for
S-Box S1

What is the output for S-Box-1 for input 101110?

23
 S-Box Design Criteria
 Each S-box has 6 input bits and 4 output bits. (This was the
largest size that could be accommodated in a single chip with
1974 technology.)
 No output bit of an S-box should be too close to a linear function
of the input bits.
 If you fix the left-most and right-most bits of an S-box and vary the
4 middle bits, each possible 4-bit output is attained exactly once.
 If two inputs to an S-box differ in exactly 1 bit, the outputs must
differ in at least 2 bits.

24
 P-Box
32 bits

.................................

32 bits

 P-Box is just a mathematical permutation.

25
 P-Box

 Read Left to Right, Top to Bottom

 Key bit 16 goes to Bit Position 1…

26
 P-Box Design Criteria
 The 4 output bits from each S-box in round i are distributed so
that 2 of them affect the middle-bits of S-boxes at round (i + 1)
and the other 2 affect end bits.
 The 4 output bits from each S-box affect six different S-boxes in
the following round; 2 S-boxes won’t affect the same S-box.
 If the output bit from one S-box affects a middle bit of another S-
box, then an output bit from that other S-box cannot affect a
middle bit of the first S-box.

27
 Final Permutation

 Inverse of initial permutation

 Read Left to Right, Top to Bottom

 Key bit 40 goes to Bit Position 1…

28
DES
ALGORITHM

29
 DES Decryption
 Same algorithm
 Keys must be used in reverse order
 If the encryption keys for each round are
K1K2 K3,..., K16
 The decryption keys are
K16 K15 K14, ..., K1

Round
Right
1
circular
2 3 4
shift
5
for subkey
6 7 8
generation
9 10 11 12 13 14 15 16
 Key shift at each round is
Number 0 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
30
 Security of DES
 Design criteria (particularly of S-
Boxes) wasn’t revealed until 1994
 No known trapdoors. No proof of
non-existence either
 Oddity: If both plaintext and key are
complemented so is the resulting
ciphertext.

31
 Security of DES
 Weak Keys:
 4 weak keys produce 16 identical subkeys
• all zeros,
• all ones,
• 0xE1E1E1E1F0F0F0F0,
• 0x1E1E1E1E0F0F0F0F
 Semi-weak keys:
 6 semi-weak key pairs produce 2 keys (identical for 8 rounds)
• 0x011F011F010E010E and 0x1F011F010E010E01
• 0x01E001E001F101F1 and 0xE001E001F101F101
• 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
• 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
• 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
• 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1

32
 Security of DES
 BRUTE FORCE ATTACK
 256 keys but brute force attacks are now becoming feasible
 In 1993, Michael Wiener showed that it was possible to cheaply
build hardware that undertook a known-plaintext attack:
 in 3.5 hours for $1 million
 in 21 mins for $10 million
 in 35 hours for $100,000
 Intelligence agencies and those with the financial muscle most
probably have such hardware.
33
 Security of DES
 DES was finally broken by DESCHALL in 1997
 They used distributed systems where
 14000 unique host and
 78000 different IP addresses were recorded
 They won $10,000 prize
 Now, DES is replaced by 3DES with 168-bit key

34
 Double DES (Multiple
Encryption) K1 K2
 Encrypt twice with two keys
 112 bit keys P E E C
 K1= 56-bit
 K2 = 56-bit

35
 Triple DES (part of DES
standard)
 TRIPLE DES WITH 2 KEYS K1 K2 K1
(EDE2)
 3 keys considered unnecessary P E D E C
 Cost of 2 key attack is thus 2112
 TRIPLE DES WITH 3 KEYS
(EDE3)
 Preferred by some K1 K2 K3
 168-bit key length
P E D E C
36