January 17, 2012 1
Cryptography and Network Security
Lecture 3: Block ciphers and DES
Ion Petre
Department of IT, Åbo Akademi University Spring 2012
http://users.abo.fi/ipetre/crypto/
Data Encryption Standard
We focus now on the most widely used symmetric cipher: DES
DES has been replaced by AES as a standard
We will use DES to illustrate the principles of modern symmetric ciphers
Adopted in 1977 by the National Bureau of Standards (US), nowadays NIST
Originates from an IBM project from late 1960s led by Feistel
Project ended in 1971 with the development of LUCIFER (key 128 bits)
LUCIFER was then refined with the help of NSA to produce DES (key 56 bits)
Immediate criticism: the reduction in key length was enormous and the internal details of the design were (and remained) classified information
1994: DES is reaffirmed as a standard for 5 more years
1999: DES should only be used for legacy systems and 3DES should replace it
January 17, 2012 3
Block cipher principles
Stream cipher is one that encrypts a digital data stream one bit (or byte) at a time
Example: autokey Vigenère system
Block cipher is one in which the plaintext is divided in blocks and one block is encrypted at one time producing a ciphertext of equal length
Similar to substitution ciphers on very big characters: 64 bits or 128 bits are typical block lengths
Many modern ciphers are block ciphers
Principle: Substitution-Permutation Ciphers
Claude Shannon (1949) introduced idea of substitution-permutation (S-P) networks
These form the basis for modern substitution-transposition product cipher
S-P networks are based on the two primitive cryptographic operations we have seen before:
substitution (S-box)
permutation (P-box)
The goal is to provide confusion and diffusion of message
January 17, 2012 5
Confusion and Diffusion
Cipher need to completely obscure statistical properties of original message
A one-time pad does this
More practically Shannon (1949) suggested to combine elements to obtain:
Diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
Makes the statistical relationship plaintext - ciphertext as complex as possible
Achieved by requiring that every digit of the plaintext affects many digits of the
ciphertext (equivalently, every digit of the ciphertext is affected by many digits of the plaintext)
Confusion – makes relationship between ciphertext and key as complex as possible
Makes it difficult to discover the key starting from the ciphertext
The principles of confusion and diffusion are the most essential concepts in
the design of modern block ciphers – they defend against statistical attacks
Feistel Cipher Structure
Most modern block encryption algorithms use the Feistel structure
Horst Feistel was the leader of the IBM team that worked in late 1960s on LUCIFER
He devised the so-called “feistel cipher”
Algorithm structure – perform n rounds, each round has the following structure (for encryption and decryption):
Input is of length 2w (bits), key is K
Divide the input into two halves L0 and R0
L1= R0, R1=L0 ⊕ f(R0,K)
In the next round use (L1, R1) instead of (L0, R0), etc.
Function f is the same in all rounds but uses a different subkey in each round – the subkey of each round is generated from the key
January 17, 2012 7
Feistel Cipher Structure
⊕
⊕
⊕
Feistel Cipher Design Principles
block size
increasing size improves security, but slows cipher
key size
increasing size improves security, makes exhaustive key searching harder, but may slow cipher
number of rounds
increasing number improves security, but slows cipher
subkey generation
greater complexity can make analysis harder, but slows cipher
round function
greater complexity can make analysis harder, but slows cipher
fast software en/decryption & ease of analysis
are more recent concerns for practical use and testing
January 17, 2012 9
Feistel Cipher Decryption vs Encryption:
the same
algorithm (with keys in reverse order)
⊕
⊕
⊕
⊕
⊕
⊕
⊕
⊕
Feistel decryption
Decryption is the same as
encryption and does not require any property for function f (not even to be invertible)
LD/RD – left/right half in the decryption algorithm
LE/RE – left/right half in the encryption algorithm
⊕ denotes XOR: 0⊕0=0, 1⊕1=0, 0⊕1= 1⊕0=1
Decryption
•Input: The ciphertext (LD
0, RD
0)= (RE
16, LE
16)
•Round i (1 to 16) performs on input (LD
i-1, RD
i-1) the operations:
–LD
i=RD
i-1, RD
i=LD
i-1⊕f(RD
i-1,K
16-i) –This is the input to next round
•The key of round i is K
16-i,
•This algorithm is CORRECT – after round i we have LD
i=RE
16-i, RD
i=LE
16-i:
•PROOF:
•Input to the first round:
–LD0=RE16, RD0=LE16
•Induction: assume it holds for i-1, prove it for i
–LDi-1=RE16-i+1, RDi-1=LE16-i+1 Then:
–LDi=RDi-1=LE16-i+1=RE16-i
–RDi=LDi-1 ⊕ f(RDi-1, K16-i)=RE16-i+1 ⊕ f(LE16-i+1, K16-i)=
=(LE16-i ⊕f(RE16-i,K16-i+1)) ⊕f(RE16-i,K16-i)=LE16-i –Result: (RE16-i, LE16-i)
•Output: the plaintext (RD
16, LD
16)=(LE
0, RE
0)
Encryption
•Input: the plaintext (LE
0, RE
0)
•Round i (1 to 16) performs on input (LE
i-1, RE
i-1) the operations:
–LE
i=RE
i-1, RE
i=LE
i-1⊕f(RE
i-1,K
i) –This is the input to next round
•The key of round i is K
i,
•Output: the ciphertext (RE
16, LE
16)
January 17, 2012 11
DES
DES encryption/decryption
Strength of DES
Design principles
Cryptanalysis
DES encryption scheme
The plaintext (64 bits) passes through an initial permutation IP (on 64 bits)
Then follow 16 identical rounds – in each round a different subkey is used; each subkey is generated from the key
After round 16, swap the left half with the right half
Apply the inverse of the initial permutation IP
-1(on 64 bits)
January 17, 2012 13
DES encryption scheme
Initial permutation
and its inverse
January 17, 2012 15
Details of a single round of DES
Consider L the left half of the input to the round and R its right half – each of them have 32 bits
As in any Feistel cipher the overall processing is L
i=R
i-1, R
i=L
i-1⊕ F(R
i-1,K
i)
The round subkey K
ihas 48 bits (details later on how it is generated)
R is expanded from 32 to 48 bits using an “expansion permutation” E – this is a table that defines a permutation, duplicating in the same time 16 of the bits in R
These 48 bits are XORED with the subkey K
i
The 48-bit result passes through a substitution function that produces a 32- bit output
Apply then a permutation P
A single round of
DES
January 17, 2012 17
The scheme of the function F(R,K) in DES
Details of a single
round of DES
January 17, 2012 19
The substitutions in the DES rounds: S-boxes
There are 8 S-boxes, each of them accepting a 6-bit input and producing 4-bit output
The S-boxes are 4 x 16 tables (shown on the next slide) and are used as follows:
The first and the last bit of the input to the S-box form a 2-bit binary number that selects the row of the S-box (rows are from 0 to 3)
The middle four bits select the column of the S-box (columns are from 0 to 15)
The decimal value in the selected entry of the S-box is converted to
its 4-bit binary representation to produce the output
Definition of S-boxes
Example: consider the input 011001to S-box S1
The row is 011001: 01 (i.e. 1)
The column is 011001: 1100 (i.e. 12)
The value in the selected cell is 9
Output is 1001
Note that each row of each S-box is in fact an invertible substitution on 4 bits (permutation of numbers from 0 to 15)
Note also that the output of the S-box is immediately permuted in DES so that it spreads in the ciphertext
January 17, 2012 21
Subkey generation
In the general scheme of DES is shown that a 64-bit key is used – the bits of the key are numbered from 1 to 64.
The algorithm ignores every 8th bit – thus, the key for DES is effectively 56-bit long
Before round 1 of DES, they key is permuted according to a table labeled
Permuted Choice One (see next slide) – the resulting 56-bit key is split into its two 28-bit halves labeled C0 and D0
In each round, Ci-1 and Di-1 are separately subjected to a circular left shift of one or two bits according to the table on the next slide – the shifted values will be input to next round
The shifted values serve as input to Permuted Choice Two (see next slide) which produces a 48-bit output: the subkey of the current round
Subkey generation
In the general scheme of DES is shown that a 64-bit key is used – the bits of the key are numbered from 1 to 64.
The algorithm ignores every 8th bit – thus, the key for DES is effectively 56-bit long
Before round 1 of DES, they key is permuted according to a table labeled
Permuted Choice One – the resulting 56-bit key is split into its two 28-bit halves labeled C0 and D0
In each round, Ci-1 and Di-1 are separately subjected to a circular left shift of one or two bits according to the table on the next slide – the shifted values will be input to next round
The shifted values serve as input to
Permuted Choice Two which produces a 48-bit output: the subkey of the current round
January 17, 2012 23
DES decryption
Like in any Feistel cipher, decryption works just like encryption with
the subkeys used in reverse order
Analysis of DES
Avalanche effect: this is a desirable property of any encryption algorithm
A small change (even 1 bit) in the plaintext should produce significant change in the ciphertext
Example: consider two blocks of 64 zeros and in the second block rewrite 1 on the first position. Encrypt them both with DES: depending on the key, the result may have 34 different bits!
A small change (even 1 bit) in the key should produce significant change in the ciphertext
Example: a change of one bit in the DES key may produce 35 different bits in the encryption of the same plaintext
January 17, 2012 25
Strength of DES
Two main concerns with DES: the length of the key and the nature of the algorithm
The key is rather short: 56 bits – there are 2
56possible keys, around 7.2 x 10
16 In average, only half of the keys have to be tried to break the system
In principle it should take long time to break the system
Things are quicker with dedicated hardware: 1998 – a special machine was built for less than 250 000 $ breaking DES in less than 3 days, 2006 – estimates are that a hardware costing around 20.000$ may break DES within a day
DES has no export restrictions from NSA!
40-bit RC4 key is also insecure
128-but keys seem to be secure
Important difficulty in breaking any system: unless the plaintext is known, we have to recognize when we have broken the system: we have to
recognize the plaintext when we find it
This is not trivial if the file is binary, compressed, etc.
Automated procedures to do that are needed (and indeed some exist)
Strength of DES
Nature of the algorithm
There has always been a concern about the design of DES, especially
about the design of S-boxes – perhaps they have been designed in such a way as to ensure a trapdoor to the algorithm – break it without having to search for the key
The design criteria for the S-boxes (and for the rest of the algorithm) have been classified information and NSA was involved in the design
Many regularities and unexpected behavior of the S-boxes have been reported
On the other hand, changing the S-boxes slightly seems to weaken the algorithm
No fatal weaknesses in the S-boxes have been (publicly) reported so far
January 17, 2012 27
Cryptanalysis of DES
There are ways to break DES significantly quicker than with the brute-force attack: differential and linear cryptanalysis
Differential cryptanalysis
Published in the open literature after 1990: Murphy and then Biham and Shamir (published a book on this)
Idea: Knowing the XOR of the message halves before and after a round, one may try to deduce the subkey used in that round
DES can be broken in 247 steps, requiring 247 chosen plaintexts
The need for so many chosen plaintexts makes its applicability limited
This attack seems to have been known to the DES design team and NSA 20 years before it was published in the open literature!
Linear cryptanalysis
More recent attack (Matsui, 1993): find linear approximations to describe the transformations in DES
Can find the DES key given 247 known plaintexts
Still impractical method
DES cryptanalysis chronology (Wikipedia)
July 1990 Biham and Shamir rediscover differential cryptanalysis, and apply it to a 15-round DES- like cryptosystem.
1992 Biham and Shamir report the first theoretical attack with less complexity than brute force:
differential cryptanalysis. However, it requires an unrealistic 247 chosen plaintexts.
1994 The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
June 1997 The DESCHALL Project breaks a message encrypted with DES for the first time in public.
July 1998 The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.
January 1999 Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.
November 2001 The Advanced Encryption Standard is published in FIPS 197 May 2002 The AES standard becomes effective
May 2005 NIST withdraws FIPS 46-3 (see Federal Register vol 70, number 96)
April 2006
The FPGA based parallel machine COPACOBANA of the Universities of Bochum and Kiel, Germany, breaks DES in 9 days at $10,000 hardware cost. Within a year software improvements reduced the average time to 6.4 days.
November 2008 The successor of COPACOBANA, the RIVYERA machine reduced the average time to less than one single day.