
UNIT 7: ATTACKS ON DES AND MULTIPLE ENCRYPTIONS

7.4 MULTIPLE ENCRYPTIONS

DES is known to be vulnerable to many types of attacks. One alternative is to move to a new algorithm such as AES. Another option is to make use of the existing investment in DES: DES can be used to perform multiple encryptions with multiple keys. First, the plaintext is converted to ciphertext using the encryption algorithm, and that ciphertext is then used as input for a second encryption. This process may be repeated through any number of stages.

Double DES

DES can be applied twice for additional security. The procedure of double encryption/decryption is described as follows:

C = E(K2, E(K1, P)) and P = D(K1, D(K2, C))

Note that the key size is now 112 bits.

Encryption: P -> [E, K1] -> X -> [E, K2] -> C

Decryption: C -> [D, K2] -> X -> [D, K1] -> P

Strength of double DES

With double DES the ciphertext is obtained as E(K2, E(K1, P)) = C. One may wonder whether this is, after all, just a single encryption done with a new key, perhaps K3; that is, E(K2, E(K1, P)) = E(K3, P). If this were so, there would be no difference between single and double encryption. It is easy to show that the equation above is not true.

A single DES has a key space of $2^{56}$, whereas with double DES and a block size of 64 we have $2^{64}$ input blocks and the number of mappings possible is $(2^{64})!$. Note that

$(2^{64})! > 10^{10^{20}}$ and $2^{56} < 10^{17}$

Thus DES used twice will provide many more mappings than are defined by single DES.

Attack on double DES

A special type of attack called the meet-in-the-middle attack is useful against double DES. Details of this attack are given here.

Suppose a (P, C) pair is known.

Try various possible keys for K1 and encrypt P; at the same time, decrypt C with various possible K2. Stop when X = E(K1, P) = D(K2, C).

You have probably discovered the pair of keys K1 and K2. To confirm that this is the right pair of keys, encrypt P with these two keys and see if you get C. If not, continue with decryption. A systematic way of carrying out the attack is described in the following steps:

1. Use all $2^{56}$ keys on P and encrypt

2. Store the result in a table in the sorted order of ciphers (X) produced

3. Use systematically the values for K2 and decrypt C

4. Check the result of decryption against table value

5. If match occurs then K1 and K2 could be pair of keys used

6. Confirm this by doing double DES on P

7. If the result is C then keys are discovered

8. If not continue with decryption

One of the keys K2 that gives a value in the table of encryption, together with the matching K1, forms the pair that is used in double DES. The complexity of the attack is $2^{56} + 2^{54}$ (average), which is not very much greater than the $2^{55}$ required by a brute-force attack on single DES.
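The steps above, run end to end as an added example (not part of the original unit), show why the second key adds so little strength. It assumes a constructed toy 32-bit Feistel cipher with 16-bit keys in place of DES so the search finishes in seconds, uses a hash table in place of the sorted table, and confirms candidates on a second known pair, which goes beyond the step list; all names and sample values are illustrative.

```python
# Toy 32-bit Feistel cipher with a 16-bit key. It is NOT DES: it stands in for
# DES so the whole key space (2^16 instead of 2^56) can be searched in seconds.
KEY_BITS, MASK, ROUNDS = 16, 0xFFFF, 4

def _f(half, key, rnd):
    # Toy round function: mixes half-block, key and a per-round constant.
    x = (half ^ key ^ (rnd * 0x9E37)) & MASK
    x = (x * 0x2545 + 0x1B) & MASK
    return x ^ (x >> 7)

def encrypt(key, block):
    l, r = block >> 16, block & MASK
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r

def decrypt(key, block):
    l, r = block >> 16, block & MASK
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r

def double_encrypt(k1, k2, p):
    return encrypt(k2, encrypt(k1, p))          # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs; returns (keys, cipher_ops)."""
    (p, c), rest = pairs[0], pairs[1:]
    table, ops = {}, 0
    for k1 in range(1 << KEY_BITS):             # steps 1-2: table of X = E(K1, P)
        table.setdefault(encrypt(k1, p), []).append(k1)
        ops += 1
    for k2 in range(1 << KEY_BITS):             # steps 3-4: X = D(K2, C), look up
        ops += 1
        for k1 in table.get(decrypt(k2, c), ()):
            # steps 5-8: a match is only a candidate; confirm on the other pairs
            if all(double_encrypt(k1, k2, q) == d for q, d in rest):
                return (k1, k2), ops
    return None, ops

# Constructed sample data: secret keys and two known plaintext/ciphertext pairs.
SECRET = (0x3A7C, 0xB105)
KNOWN = [(p, double_encrypt(*SECRET, p)) for p in (0x00C0FFEE, 0x0BADF00D)]

if __name__ == "__main__":
    keys, ops = meet_in_the_middle(KNOWN)
    print("recovered:", tuple(hex(k) for k in keys))
    print(f"cipher operations: {ops} (table + lookups), "
          f"versus up to {1 << 2 * KEY_BITS} for naive search over both keys")
```

The operation count stays below 2 x 2^16 even though the combined key is 32 bits, which mirrors the 2^56-scale cost against 112-bit double DES.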

Triple DES

The obvious countermeasure to thwart the meet-in-the-middle attack on double DES is to use more encryptions. Triple DES with three keys is a solution. The encryption and decryption with three keys is shown here.

C = E(K3, E(K2, E(K1, P))) and P = D(K1, D(K2, D(K3, C)))

Encryption: P -> [E, K1] -> X -> [E, K2] -> Y -> [E, K3] -> C

Decryption: C -> [D, K3] -> Y -> [D, K2] -> X -> [D, K1] -> P

Strength of triple DES

The key size increases to 56 x 3 = 168 bits. A meet-in-the-middle attack would now require $2^{112}$ trials. This is not practical now or far into the future. The major drawback of triple DES is the unwieldy key size (168 bits). Tuchman (1979) proposed an attractive alternative to this, namely triple DES with 2 keys. This is currently in use by the key management standards ANS X9.17 and ISO 8732. Triple DES with two keys is shown below.

C = E(K1, D(K2, E(K1, P))) and P = D(K1, E(K2, D(K1, C)))

Encryption: P -> [E, K1] -> X -> [D, K2] -> Y -> [E, K1] -> C

Decryption: C -> [D, K1] -> Y -> [E, K2] -> X -> [D, K1] -> P

By using encryption and decryption alternately it is possible to reduce this to single DES (so it is usable as single DES also). There is no cryptographic significance to the sequence E, D, E. With K1 = K2 it is simply single DES. A single-DES user can encrypt P using the key once, and a triple-DES user can decrypt it by using K1 three times. A triple-DES user can do E, D, E with one key, and a single-DES user can decrypt the file by using the key once.

Attack on Triple DES

No practical cryptanalytic attacks have been reported so far. Coppersmith notes that the cost of a brute-force attack is $2^{112}$ and that differential cryptanalytic attacks suffer from exponential growth of the order of $10^{52}$. Merkle and Hellman (1981) proposed finding plaintext which makes the intermediate encryption A equal to 0, but this proposal is not practical.

7.5 SUMMARY

In this unit you will find a discussion of the strengths and weaknesses of DES, and of two types of attacks on encryption algorithms and their performance on DES, in sections 3.1 and 3.2. The later sections describe ways to strengthen DES further; in section 3.3 the design issues of the various functions in a single round are detailed. In the final section of this unit an important multiple encryption method called triple DES is discussed.

7.6 KEYWORDS

Differential cryptanalysis attack, linear cryptanalysis attack, timing attacks, DES design criteria, strict avalanche, guaranteed avalanche, bit independence, multiple encryption, double DES, triple DES.

7.7 QUESTIONS

1. Write about the strength of DES.

2. Discuss timing attacks.

3. Describe differential cryptanalysis attack on DES.

4. Briefly discuss the principle of linear cryptanalysis.

5. Write a note on strict avalanche, bit independence, guaranteed avalanche, random number generation.

6. Discuss double and triple DES.

7. Show that triple DES with two keys can be used for three or one encryption.

8. Describe attacks on double and triple DES.
