Cryptography and Security Mechanisms
Nazar Abbas Saqib
Agenda
Block cipher principles
Block Cipher Principles
Stream cipher: one bit or byte at a time
Block cipher: a large block, typically 64 or 128 bits, at a time
Block ciphers work on a block at a time, which is some number of bits. All of these bits have to be available before they can be processed
Broader range of applications than stream ciphers
Large block thwarts statistical attacks
Block Cipher Principles
Reversible Mapping          Irreversible Mapping
Plaintext   Ciphertext      Plaintext   Ciphertext
00          11              00          11
01          10              01          10
10          00              10          01
11          01              11          01
What is the most general form of block cipher?
For an n-bit block, consider the transformation F: 2^n → 2^n
F must be reversible, i.e., a 1-1 correspondence
Ideal Block Cipher
Why ideal?
1. Ideal because of unique plaintext-ciphertext mappings
What if n is small? What if n is large?
1. If n is small, the system is vulnerable to statistical cryptanalysis
Diffusion and Confusion
Diffusion:
hides the relationship between ciphertext and plaintext
Diffusion means that changing one character of the plaintext changes several characters of the ciphertext. Similarly, changing one character of the ciphertext changes several characters of the plaintext
Spread the statistics over a range of bits - thwart frequency analysis
Can be achieved by repeatedly performing some permutation followed by applying a function to that permutation
The Hill cipher has this property: if p11 changes, c11, c21 and c31 also change
Claude Shannon, 1949
c11 = (k11 p11 + k12 p21 + k13 p31) mod 26
c21 = (k21 p11 + k22 p21 + k23 p31) mod 26
c31 = (k31 p11 + k32 p21 + k33 p31) mod 26
| c11 c12 c13 |   | k11 k12 k13 |   | p11 p12 p13 |
| c21 c22 c23 | = | k21 k22 k23 | × | p21 p22 p23 |  mod 26
| c31 c32 c33 |   | k31 k32 k33 |   | p31 p32 p33 |
Confusion:
hides the relationship between the ciphertext and the key
Confusion means that the key does not relate in a simple way to the ciphertext. In particular, each character in the ciphertext should depend on several parts of the key
Make the statistical relationship between the ciphertext and the key as difficult as possible - thwart attempts to discover the key
Can be achieved by using a complex, non-linear substitution operation (S-box)
The Hill cipher has this property, but only weakly: a change in k11 changes the first row only, i.e. c11, c12, c13, which helps an attacker work out the key partially.
Claude Shannon, 1949
c11 = (k11 p11 + k12 p21 + k13 p31) mod 26
c12 = (k11 p12 + k12 p22 + k13 p32) mod 26
c13 = (k11 p13 + k12 p23 + k13 p33) mod 26
| c11 c12 c13 |   | k11 k12 k13 |   | p11 p12 p13 |
| c21 c22 c23 | = | k21 k22 k23 | × | p21 p22 p23 |  mod 26
| c31 c32 c33 |   | k31 k32 k33 |   | p31 p32 p33 |
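The two Hill cipher claims above, checked in code. This is an added example, not part of the original slides; the key K and plaintext P are constructed sample values, and the function names are chosen here for illustration.

```python
import itertools

M = 26  # modulus of the Hill cipher equations above

def hill_encrypt(K, P):
    """C = K x P mod 26 for 3x3 matrices given as lists of rows."""
    return [[sum(K[i][t] * P[t][j] for t in range(3)) % M for j in range(3)]
            for i in range(3)]

def bump(matrix, i, j):
    """Copy of matrix with entry (i, j) increased by 1 mod 26."""
    out = [row[:] for row in matrix]
    out[i][j] = (out[i][j] + 1) % M
    return out

def changed_cells(A, B):
    """1-based (row, column) positions where two 3x3 matrices differ."""
    return [(i + 1, j + 1) for i in range(3) for j in range(3)
            if A[i][j] != B[i][j]]

def effect_of_p11(K, P):
    """Diffusion: which ciphertext cells move when only p11 changes."""
    return changed_cells(hill_encrypt(K, P), hill_encrypt(K, bump(P, 0, 0)))

def effect_of_k11(K, P):
    """Confusion: which ciphertext cells move when only k11 changes."""
    return changed_cells(hill_encrypt(K, P), hill_encrypt(bump(K, 0, 0), P))

def candidates_for_key_row(P, c_row):
    """All key rows (a, b, c) with (a, b, c) x P = c_row mod 26.
    Ciphertext row i depends on key row i only, so each row is a separate
    26^3 search instead of one 26^9 search for the whole key."""
    return [list(r) for r in itertools.product(range(M), repeat=3)
            if all(sum(r[t] * P[t][j] for t in range(3)) % M == c_row[j]
                   for j in range(3))]

# Constructed sample values (not from the slides); P is invertible mod 26.
K = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]
P = [[15, 7, 24], [12, 14, 17], [4, 13, 5]]

if __name__ == "__main__":
    C = hill_encrypt(K, P)
    print("p11 changed, cells affected:", effect_of_p11(K, P))
    print("k11 changed, cells affected:", effect_of_k11(K, P))
    print("key row 1 candidates:", candidates_for_key_row(P, C[0]))
```

A change in p11 reaches one ciphertext column and a change in k11 reaches one ciphertext row, which is why the key can be worked out one row at a time.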
Shannon Substitution-Permutation Network (S-P Network)
In 1949, Claude Shannon introduced the idea of substitution-permutation (S-P) networks, which form the basis of modern block ciphers
S-P network: a special form of substitution-transposition product cipher
Product cipher
Two or more simple ciphers are performed in sequence in such a way that
Feistel Structure
Feistel cipher
In the 1970s, Horst Feistel (IBM T.J. Watson Research Labs) invented a suitable (practical) structure which adapted Shannon’s S-P network
The input is divided into two halves – the encryption function operates on one half and the second half is then mixed
Encryption and decryption use the same structure
The cipher has invertible, non-invertible and self-invertible
Feistel Cipher Structure
Input block is partitioned into two halves, L_{i-1} and R_{i-1}
In round i,
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(K_i, R_{i-1})
Substitution followed by permutation
Multiple rounds
An Implementation of Shannon’s S-P
Feistel Cipher Design Elements
Block size
Increasing size improves security, but slows cipher
Key size
Increasing size improves security, makes exhaustive key searching harder, but may slow cipher
Number of rounds
Increasing number improves security, but slows cipher
Subkey generation algorithm
Greater complexity can make analysis harder, but slows cipher
Round function
Greater complexity can make analysis harder, but slows cipher
Fast software encryption/decryption
Feistel Decryption Algorithm
Essentially the same as the encryption
Same algorithm, but use the subkeys K_i in reverse order
F need not be a reversible function
Satisfy
D
On the encryption side
LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)
On the decryption side
LD0 = RE16 and RD0 = LE16
LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)
    = LE15
So
LD1 = RE15 and RD1 = LE15
That holds for all the 16 iterations
Feistel Structure – Does decryption work?
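The decryption argument above, run as code. This is an added example, not part of the original slides; the two round functions (a truncated SHA-256 and a deliberately lossy nibble mask), the subkeys and the block are assumptions made here to show that F need not be reversible.

```python
import hashlib

def f_hash(subkey: bytes, half: bytes) -> bytes:
    """Non-invertible round function: truncated SHA-256 (assumed for this
    example; the slides do not fix a particular F)."""
    return hashlib.sha256(subkey + half).digest()[:len(half)]

def f_lossy(subkey: bytes, half: bytes) -> bytes:
    """Deliberately lossy F: the high nibble of every input byte is discarded."""
    return bytes((b & 0x0F) ^ subkey[0] for b in half)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, subkeys, f=f_hash, trace=None) -> bytes:
    """Rounds L_i = R_{i-1}, R_i = L_{i-1} xor F(K_i, R_{i-1}), followed by
    the final swap of the two halves."""
    if len(block) % 2:
        raise ValueError("block length must be even")
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in subkeys:
        left, right = right, xor(left, f(k, right))
        if trace is not None:
            trace.append((left, right))  # (L_i, R_i) after round i
    return right + left

def encrypt(block, subkeys, f=f_hash, trace=None):
    return feistel(block, subkeys, f, trace)

def decrypt(block, subkeys, f=f_hash, trace=None):
    # Same algorithm, subkeys in reverse order.
    return feistel(block, list(reversed(subkeys)), f, trace)

def halves_mirror(block, subkeys, f=f_hash):
    """Check LD_j = RE_{n-j} and RD_j = LE_{n-j} for rounds j = 1 .. n-1."""
    enc, dec = [], []
    decrypt(encrypt(block, subkeys, f, enc), subkeys, f, dec)
    n = len(subkeys)
    return all(dec[j - 1] == (enc[n - j - 1][1], enc[n - j - 1][0])
               for j in range(1, n))

# Constructed inputs: 16 subkeys and one 64-bit block.
SUBKEYS = [bytes([i]) + b"round-key" for i in range(1, 17)]
BLOCK = bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    ct = encrypt(BLOCK, SUBKEYS)
    print("ciphertext:", ct.hex())
    print("decrypts  :", decrypt(ct, SUBKEYS) == BLOCK)
    print("LD/RD mirror LE/RE in every round:", halves_mirror(BLOCK, SUBKEYS))
```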
DES History
In 1973, NBS (NIST) issues a public request for proposals for a national cipher standard, which must be
Secure
Public
Completely specified
Easy to understand
Available to all users
Economic and efficient in hardware
Able to be validated
Exportable
IBM submitted LUCIFER (Feistel) (which was redesigned to
DES Basics
Block cipher (64-bit block)
Uses 56-bit key (out of 64 bits)
16 rounds
48-bit subkeys
Feistel structure (except initial and final
Overall Scheme of DES Encryption
64-bit input data goes through the initial permutation
Then 16 rounds of the same iteration (round function is applied)
For each round, a sub-key is generated through the key generation module
After 16 rounds of iterations, the contents of L and R are swapped and input to the inverse permutation
Finally, a 64-bit ciphertext is done!
Input of DES
Data: needs to be broken into 64-bit blocks; add padding to the last block if necessary.
e.g. X = (3 5 0 7 7 F 1 0 A B 1 2 F C 6 5)HEX
Secret key:
Any string 64 bits long, including 8 parity bits.
1 parity bit in each 8-bit byte of the key may be utilized for error detection in key generation, distribution, and storage
K = (k1 … k7 k8 … k15 k16 k17 … k24 … k32 … k40 … k48 … k56 … k64)
The bits k8, k16, k24, k32, k40, k48, k56, k64 can be used for
Generating the subkeys used in each round consists of:
initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
16 stages consisting of:
  selecting 24 bits from each half
  permuting them by PC2 for use in function f,
  rotating each half separately either 1 or 2 places
DES Key Schedule
initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves Ci & Di
Circularly shift each half by 1 or 2 bits depending on the provided table (given)
Permuted Choice 2 selects 24-bit from
One sub-key
64 bits of secret key are input to the key generator, 8 parity bits are removed; so, the DES key has only 56 bits
Objective: use these 56 bits to generate a different 48-bit sub-key for each round of DES
PC1 is a P box where the 8 parity bits of the 64-bit input key are removed
The 56-bit output of PC1 is split into two 28-bit keys, which are input into shift registers C and D
The contents of C and D are circularly shifted to the left by 1 or 2 bits (according to a shift table) prior to each iteration
PC2 is also a P box, which ignores certain input bits and permutes the rest into a 48-bit sub-key
64-bit secret key → PC1 (64⇒56) → C (28-bit), D (28-bit) → circular left shift → PC2 (56⇒48) → 48-bit sub-key
Sub-Key generations
Given a secret key K of 64 bits long (includes 8 parity bits) by the sender
K = [133457799BBCDFF1]16
Permuted Choice 1 (PC1)
The table below specifies how the key is loaded to memory in PC1.
Bit          57 49 41 33 25 17  9  1 58 50 42 34 26 18
Goes to bit   1  2  3  4  5  6  7  8  9 10 11 12 13 14
Bit          10  2 59 51 43 35 27 19 11  3 60 52 44 36
Goes to bit  15 16 17 18 19 20 21 22 23 24 25 26 27 28
Bit          63 55 47 39 31 23 15  7 62 54 46 38 30 22
Goes to bit  29 30 31 32 33 34 35 36 37 38 39 40 41 42
Bit          14  6 61 53 45 37 29 21 13  5 28 20 12  4
Goes to bit  43 44 45 46 47 48 49 50 51 52 53 54 55 56
K = [133457799BBCDFF1]16
K = [0001001100110100010101110111100110011011101111001101111111110001]2 (64 bits)
PC1[K] = [11110000110011001010101011110101010101100110011110001111]2 = [F0CCAAF556678F]16 (56 bits)
L = [1111000011001100101010101111]2 = [F0CCAAF]16 and
R = [0101010101100110011110001111]2 = [556678F]16
Shift Registers C and D
The contents of C = {C1, C2, … C28} and D = {D1, D2, … D28} are circularly shifted to the left by 1 or 2 bits (according to a shift table) prior to each iteration
Round  No. of shifts to left    Round  No. of shifts to left
1      1                        9      1
2      1                        10     2
3      2                        11     2
4      2                        12     2
5      2                        13     2
6      2                        14     2
7      2                        15     2
8      2                        16     1
L = [1111000011001100101010101111]2 = [F0CCAAF]16
C1(L) = [1110000110011001010101011111]2 = [E19955F]16
D1(R) = [1010101011001100111100011110]2 = [AACCF1E]16
Permuted Choice 2 (PC2)
PC2 is determined by the table below
Bit          14 17 11 24  1  5  3 28 15  6 21 10
Goes to bit   1  2  3  4  5  6  7  8  9 10 11 12
Bit          23 19 12  4 26  8 16  7 27 20 13  2
Goes to bit  13 14 15 16 17 18 19 20 21 22 23 24
Bit          41 52 31 37 47 55 30 40 51 45 33 48
Goes to bit  25 26 27 28 29 30 31 32 33 34 35 36
Bit          44 49 39 56 34 53 46 42 50 36 29 32
Goes to bit  37 38 39 40 41 42 43 44 45 46 47 48
Consider input X = [C1(L) D1(R)] and Y = [C2(L) D2(R)]
C1(L) = [1110000110011001010101011111]2 = [E19955F]16
D1(R) = [1010101011001100111100011110]2 = [AACCF1E]16
X = [C1(L) D1(R)] = [1110000110011001010101011111 1010101011001100111100011110]2 = [E19955FAACCF1E]16
PC2(X) = [000110110000001011101111111111000111000001110010]2 = [1B02EFFC7072]16
K1 = [1B02EFFC7072]16
K2 = [79AED9DBC9E5]16
K3 = [55FC8A42CF99]16
K4 = [72ADD6DB351D]16
K5 = [7CEC07EB53A8]16
K6 = [63A53E507B2F]16
K7 = [EC84B7F618BC]16
K8 = [F78A3AC13BFB]16
K9 = [E0DBEBEDE781]16
K10 = [B1F347BA464F]16
K11 = [215FD3DED386]16
K12 = [7571F59467E9]16
K13 = [97C5D1FABA41]16
K14 = [5F43B7F2E73A]16
K15 = [BF918D3D3F0A]16
K16 = [CB3D8B0E17F5]16
16 round keys
DES ENCRYPTION
Initial Permutation (IP)
IP is determined by the following table. It occurs before round one
Bits in the plaintext are moved to the next location, e.g. bit 58 to bit 1, bit 50 to bit 2 and bit 42 to bit 3, etc.
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
Initial Permutation (IP) - Example
M = [0000000100100011010001010110011110001001101010111100110111101111]2 = [0123456789ABCDEF]HEX
IP(M) = [11001100000000001100110011111111 11110000101010101111000010101010]2 = [CC00CCFF F0AAF0AA]HEX
Thus
L0 = 11001100000000001100110011111111 = [CC00CCFF]HEX
R0 = 11110000101010101111000010101010 = [F0AAF0AA]HEX
DES ENCRYPTION: ROUND FUNCTION (SINGLE ROUND)
DES Round Function
Operates on 32-bit units
32-bit → 48-bit expansion/permutation (E table)
XOR with 48 bit subkey
S-box computation returns 32 bits
Round permutation (P)
Computation of Round Function f(R_{i-1}, K_i)
Three types of boxes: E, S, P
R (32 bits) is passed to the expansion and permutation box (E-box)
The 48-bit output of the E-box is added modulo 2 to the 48-bit sub-key and the result is sent to the S boxes
S boxes (S1, S2 … S8) store a set of numbers; the 48 (= 6×8) input bits are used to look up numbers like a code book, and the 32-bit output is sent to permutation box P
Permutation box P permutes 32 bit input producing a 32-bit
E-box used in DES
The E-box expands 32 bits to 48 bits; it changes the order of the bits as well as repeating certain bits.
Bit          32  1  2  3  4  5  4  5  6  7  8  9
Goes to bit   1  2  3  4  5  6  7  8  9 10 11 12
Bit           8  9 10 11 12 13 12 13 14 15 16 17
Goes to bit  13 14 15 16 17 18 19 20 21 22 23 24
Bit          16 17 18 19 20 21 20 21 22 23 24 25
Goes to bit  25 26 27 28 29 30 31 32 33 34 35 36
Bit          24 25 26 27 28 29 28 29 30 31 32  1
Goes to bit  37 38 39 40 41 42 43 44 45 46 47 48
L0 = 11001100000000001100110011111111 = [CC00CCFF]HEX
R0 = 11110000101010101111000010101010 = [F0AAF0AA]HEX
E(R0) = [011110100001010101010101011110100001010101010101] = [7A15557A1555]HEX
K1 = [000110110000001011101111111111000111000001110010]
E(R0) ⊕ K1 = [011000010001011110111010100001100110010100100111]
Substitution Boxes S
Have eight S-boxes which map 6 to 4 bits
Each S-box is actually 4 little 4-bit boxes
outer bits 1 & 6 (row bits) select one row
inner bits 2-5 (col bits) are substituted
result is 8 lots of 4 bits, or 32 bits
Example:
DES S-Boxes
E(R0) ⊕ K1 = [011000010001011110111010100001100110010100100111] = [6117BA866527]HEX
S-Box[E(R0) ⊕ K1] = [01011100100000101011010110010111]
P-box used in DES
The P-box permutation is determined as below; it is a straight permutation: no bits are used twice, and no bits are ignored.
Bit          16  7 20 21 29 12 28 17  1 15 23 26  5 18 31 10
Goes to bit   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Bit           2  8 24 14 32 27  3  9 19 13 30  6 22 11  4 25
Goes to bit  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
S-Box[E(R0) ⊕ K1] = [01011100100000101011010110010111] = [5C82B597]HEX
P[S-Box[E(R0) ⊕ K1]] = [00100011010010101010100110111011] = [234AA9BB]HEX
R1 = P[S-Box[E(R0) ⊕ K1]] ⊕ L0
= [11101111010010100110010101000100]
= [EF4A6544]HEX
L0 = 11001100000000001100110011111111 = [CC00CCFF]HEX
R1 = 11101111010010100110010101000100 = [EF4A6544]HEX
Round Outputs
L_i = R_{i-1}; L0 = 11001100000000001100110011111111
Round i   L_i (HEX)   R_i (HEX)   R_i (binary)
0         CC00CCFF    F0AAF0AA    11110000101010101111000010101010
1         F0AAF0AA    EF4A6544    11101111010010100110010101000100
2         EF4A6544    CC017709    11001100000000010111011100001001
3         CC017709    A25C0BF4    10100010010111000000101111110100
4         A25C0BF4    77220045    01110111001000100000000001000101
5         77220045    8A4FA637    10001010010011111010011000110111
6         8A4FA637    E967CD69    11101001011001111100110101101001
7         E967CD69    064ABA10    00000110010010101011101000010000
8         064ABA10    D5694B90    11010101011010010100101110010000
9         D5694B90    247CC67A    00100100011111001100011001111010
10        247CC67A    B7D5D7B2    10110111110101011101011110110010
11        B7D5D7B2    C5783C78    11000101011110000011110001111000
12        C5783C78    75BD1858    01110101101111010001100001011000
13        75BD1858    18C3155A    00011000110000110001010101011010
14        18C3155A    C28C960D    11000010100011001001011000001101
15        C28C960D    43423234    01000011010000100011001000110100
16        43423234    0A4CD995    00001010010011001101100110010101
Inverse Initial Permutation (IP^-1)
IP^-1 is determined by the following table:
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
Since DES consists of 16 rounds, too many for our lecture!
Consider the DES algorithm with two rounds.
Ciphertext = IP^-1(R1 L1) = 1101 0111 0110 1001 1000 0010 0010 0100 0010 1000 0011 1110 0000 1010 1110 1010 = [D7698224283E0AEA]HEX
R16 = 00001010010011001101100110010101 = [0A4CD995]HEX
L16 = 01000011010000100011001000110100 = [43423234]HEX
IP^-1(R16 L16) = IP^-1[00001010010011001101100110010101 01000011010000100011001000110100]
= [1000010111101000000100110101010000001111000010101011010000000101] = [85E813540F0AB405]HEX
Ciphertext = [1000010111101000000100110101010000001111000010101011010000000101] = [85E813540F0AB405]HEX
Plaintext = [0000000100100011010001010110011110001001101010111100110111101111] = [0123456789ABCDEF]HEX
Key=[00010011001101000101011101111001100110111011110
DES Avalanche Effect
In any good cipher, any change in the key or plaintext, no matter how large or small, should change approximately half the ciphertext bits
Examples
(a) Change one bit in the plaintext with the same key
(b) Change one bit in the key with the same plaintext
After 3 or 4 rounds, approximately half of the ciphertext bits are changed
After 16 rounds, a lot of scrambling
Home Work