98 Views

Download Presentation
## Using DES

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**One of the biggest problems in Security today is that not**too many professionals are aware of the actual risks, and most of the graduates in computer science cannot identify a security hole, if asked.**Using DES**• DES encrypts a 64-bit data block. • Methods for encryption of larger blocks of data: 4 methods defined in “ANSI X3.106-1983 Modes of Use”: • Block Modes splits messages in blocks (ECB, CBC) • Stream Modes on bit stream messages (CFB, OFB) • Now with AES a fifth mode, called the Counter (CTR) mode, has been defined.**DES: ECB Mode**1. Electronic Codebook (ECB): • Each 64 bit of data is sequentially encrypted. • Used for encryption of a small amount of data like keys or passwords ( of 8 characters) Not used for larger data blocks,: Statistical analysis, particularly for messages with repetitive blocks, becomes easy. • Parallel encryption/decryption for a large number of data blocks (?) is possible. • Error in transmission of one cipherblock affects only one block of (decrypted) plaintext.**Cipher Block Chaining**2. Cipher Block Chaining (CBC): Encryption Process: • Uses an Initialization Vector/ Injection Vector/ Initializing Value/ Initial Chaining Value: (IV) of 64 bits in the first block. • IV is XORed with the first block of data. • The resultant block is encrypted using DES. • The cipher output of the first (i th) block is then XORed with the second (i+1 st) block of data. • The resultant block is encrypted using DES. ………………… The process is shown in the figure in the next slide.**a) Encryption**Time = N Time = 1 Time = 2 PN P2 P1 IV CN-1 + + + DES encrypt DES encrypt K DES encrypt K C2 CN C1 b) Decryption CN C2 C1 DES decrypt K DES decrypt DES decrypt K CN -1 IV + + + P2 PN P1**CBC continued**C1 = EK[IV P1] C2 = EK[C1 P2] . . CN = EK[C(N-1) PN] Or generalizing the above, Ci = EK[C(i-1) Pi] Where C0 = IV**CBC continued**• For Decryption: DK [CN] = DK[EK[C(N-1) PN]– obtainedby substituting the value of CN from above Therefore DK [CN] = C(N –1) PN On XORing with C(N-1) on both the sides, C(N-1) DK[CN] = C(N-1) C(N-1) PN = PN**CBC: IV**• IV has to be protected like the key. • IV: may be • a timestamp or • a random number. • IV is sent using ECB encryption. Or the sender and the receiver agree upon a value like all 0’s.**CBC: The Last Block**• PADDING: If the last block is of less than 64 bits, it is to be converted to 64 bits by padding • either with known non-data values (eg nulls) • or with nulls and with count in bytes of pad size • eg. [ b1 b2 b3 0 0 0 0 5] 3 data bytes, then 5 bytes pad+count But if this option be chosen, then even if the last block were an exact multiple of 8 bytes, an additional block of 8bytes with all zeros in the first seven bytes and with the eighth byte having a value of 8 will have to be added.**Advantages of CBC**• Each ciphertext block depends on allthe preceding message blocks Thus a change in the message affects all ciphertext blocks after the change as well as the original block • SELF-HEALING: Due to communication errors, if a block of ciphertext has an error, the error propagates for at most two blocks. • Avalanche Effect: Encrypted message cannot be changed or rearranged without destroying the subsequent data**Disadvantages of CBC**• By fooling the receiver to use a different IV, some selected bits can be inverted. e.g. P1 = IV DK[C1] Let X[i] = ith bit of X. P1[i] = IV[i] (DK[C1])[i] using the property of XOR, P1[i]’ = IV[i]’ (DK[C1])[i] Thus if ith bit of IV were complimented, the ith bit of P1 will also be complimented. • No parallel encryption ( Parallel decryption can be done.)**Cipher FeedBack (CFB)**• The message is treated as a stream of bits. Assume that s bits of plaintext are available for encryption and transmission to the receiver. • IV is encrypted. The most significant (leftmost) s bits, out of the encrypted 64 bits, are then XORed with s bits of plaintext. This gives s bits of ciphertext (C1). The least significant (64 – s) bits are discarded. • Next Stage: The shift register, containing IV, is shifted left s times and the s bits of C1 are entered (feedback) in the least significant s positions for the next stage (hence name) ……**CFB (continued)**C1 = P1 Ss(EK(IV)), where Ss is the s most significant bits selected from EK(IV). Therefore P1 = C1 Ss(EK(IV)) Hence during Decryption, the Encryption process is required to be used.**CFB (continued)**• The standard allows any number of s bits (1,8 or 64 or whatever) to be fed back. • denoted CFB-1, CFB-8, CFB-64 etc • Throughput reduces by 64/s. • is most efficient to use all 64 bits (CFB-64) Ci = Pi EK(Ci-1) C0 = IV**Advantages and Limitations of CFB**• appropriate when data arrives in bits/bytes • Limitation: need to stall while doing block encryption after every s-bits, if data should arrive faster • Note that the block cipher is used in encryption mode at both ends • Bit errors in communication propagate for several blocks after the error. CFB should be used over a reliable network layer. APPLICATIONS: stream data encryption, authentication**Output FeedBack (OFB)**• message is treated as a stream of bits • IV is encrypted. The most significant (leftmost) s bits, out of the encrypted 64 bits, are then XORed with s bits of plaintext. This gives s bits of ciphertext (C1). Research has shown that using s other than 64 is not desirable. Hence OFB-64 is the only one in use today. Next Stage: The bits, obtained by encryption of IV ONLY, are fed to the next stage (hence name). …. • Feedback is independent of plaintext message.**OFB (continued)**Q0 = IV Qi = EK(Qi-1) Thus Q’s can be computed in advance. … during encryption If s bits of plaintext are available for encryption, the most significant s bits may be selected from Qi by the process Ss. Ci = Pi Ss(Qi) Therefore Pi = Ci Ss(Qi) Hence only Encryption process is used even while decrypting the plaintext from a given ciphertext.**Advantages and Limitations of OFB**• APPLICATIONS: transfer of the encrypted streamover noisy channels; error in Ci affects Pi only. • used • when errors in communication in cipher feedback method create a problem, or, • where need to encrypt, before message is available • for bursty traffic • a variation of a Vernam cipher • hence must never reuse the same sequence (key + IV) Susceptible to “modification of selected bits in the communication message” attack. • sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs**OFB Limitations**• If the same IV + Key combination is used for two messages, the two ciphertexts can be XORed to eliminate DES out. The result would be a XOR of two plaintexts, which may be more easily separated out. • Throughput reduces by 64/s.**Counter (CTR): A “new” mode**• similar to OFB but encrypts counter value rather than any feedback value • must have a different key & counter value for every plaintext block (never reused) Ci = Pi Qi Qi = EK(CTRi) Select a random 64 bit CTR value for the first block. Then increment for every sequential block. • Uses Encryption algorithm for both encryption and decryption**Advantages and Limitations of CTR**• Efficiency • can do parallel encryptions • Preprocessing: Encryptions may be done in advance of need • random access to encrypted data blocks ( ie it is not necessary to decrypt blocks in sequence) • provable security (as good as other modes); but must ensure never reuse key/counter values, otherwise could break (cf OFB) • Only encryption is used. (useful in AES, where encryption and decryption modes are quite different.) • APPLICATIONS: high-speed network encryptions as in ATM or IPSec; good for bursty high speed links**DES Implementations**• Software DES Implementations • HP 9000/887 125MHz: 1.6 MB/s • Sun Ultra 5 333MHz: 4.0 MB/s • Intel Pentium III 750MHz: 14.0 MB/s • VLSI DES Implementations • Wildcard (core) XVC300 1999 33MHz 264MB/s • Wildcard (with bus) XVC300 1999 33MHz 1.9MB/s • On an XVC300-4 FPGA at HK Univ • Max freq: 34.4 MHz • Can perform a 64 bit encryption every cycle ie 272MB/s with a latency of 16 cycles Reference:http://www.cse.cuhk.edu.hk/~phwl/ceg5010/des.pdf**Super-encryption**Double DES: Ciphertext = EK1( EK2( Plaintext)) • takes double the time for encryption and decryption • not significantly more secure than DES. known plaintext meet-in-the middle attack* is the problem. Merkle-Hellman attack: requires storing 256 intermediate results ( each of 64 bits i. e. a total of 259 = 1017 bytes), but it reduces the number of different keys you need to check from 2112 to 257. *Reference: R. C. Merkle and M. Hellman, "On the Security of Multiple Encryption," Communications of the ACM, Volume 24, Number 7, July 1981, pp. 465-467.**Meet-in-the-middle Attack**• C1 = EK2( EK1( P1)) • Initial Storage: For all possible keys, obtain EK( P1) and store them. • For each key, DK( C1) and compare with the stored results. If it tallies with any of the stored result, we probably know both K2 (from decryption) and K1 ( from the stored encryption.) • Verify the correctness with C2 = EK2( EK1( P2))**Triple DESReference:**http://en.wikipedia.org/wiki/Data_Encryption_Standardas of Nov 1, 2009 • DES: approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. • DES: reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2) • January 22, 1999: distributed.net and the Electronic Frontier Foundation jointly broke a DES key in 22 hours and 15 minutes • Oct 25, 1999: NIST reaffirmed DES as a standard through FIPS 46-3, specifying the preferred use of Triple DES**Triple DES for greater security**• Triple DES with three keys: C = EK3( EK2( EK1( P))) P = DK1( DK2( DK3( C))) Used in PGP, S/MIME etc • Encrypt-Decrypt-Encrypt DES (called EDE DES) with two keys: C = EK1( DK2( EK1( P))) P = DK1( EK2( DK1( C))) Used in X9.17 and ISO 8732 standards**Strength of Triple DESReference:**http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf page 61 • Three-key Triple DES: Due to MIM attack, strength = 112 bits • Two-key Triple DES: if the attacker can obtain approximately 240 such pairs, then 2TDEA has strength comparable to an 80-bit algorithm (Reference: [ANSX9.52], Annex B).**Security for Super-encryption**Order of number of computations required for breaking the security DES: 255 computations Double DES: 256 computations Triple DES: 2112 = 5.19 x 1033 computations Assume: A computer with 106 chips- each chip capable of 106 triple-DES encryptions per second. Time for cracking = 5.19 x 1021 sec = 1.65 x 1014 years = 16453 times the age of the universe (1010 years) Since Double DES is not very much more secure than DES, DES and Triple DES are in use.**Weak keys**WEAK KEYS: Those that lead to the same sub keys in more than one round. REFER: Slides 33-46 for KeySchedule All block ciphers have some weak keys. DES has: • 4 weak keys, for which the same key is generated in all the rounds. This would happen if all the bits, in each half, are identical, so that left circular shift operation would not have any effect. The 4 weak 56-bit keys are (in HEX): 0000000 0000000 0000000 FFFFFFF FFFFFFF 0000000 FFFFFFF FFFFFFF**Semi-Weak keys**• 12 semi-weak keys, for which in alternate rounds, the subkey is repeated. (For each of these 12 keys, only two distinct sub-keys are generated through the key schedule.) These 12 cases occur in six pairs. In each pair, ciphertext, obtained by encryption using one key, can be decrypted by using the other key of the pair. Such 56-bit keys are given in this and the next slide.: Pair 1: First Key: 0000000 1111111 0000000 1111111 0000000 1111111 0000000 1111111 Second Key: 1111111 0000000 1111111 0000000 1111111 0000000 1111111 0000000**Semi-Weak keys: Key 3 to Key 12(56-bit keys)**Pair 2: Key 3 : 0001 1111 1100 0000 0111 1111 0000 0000 1111 1110 0000 0011 1111 1000 Key 4 : 1110 0000 0011 1111 1000 0000 1111 1111 0000 0001 1111 1100 0000 0111 Pair 3: Key 5 : 0000 0001 1100 0000 0000 0111 0000 0000 0001 1110 0000 0000 0111 1000 Key 6 : 1110 0000 0000 0011 1000 0000 0000 1111 0000 0000 0011 1100 0000 0000 Pair 4: Key 7 : 0001 1111 1111 1100 0111 1111 1111 0000 1111 1111 1100 0011 1111 1111 Key 8 : 1111 1110 0011 1111 1111 1000 1111 1111 1110 0001 1111 1111 1000 0111 Pair 5: Key 9 : 0000 0000 0011 1100 0000 0000 1111 0000 0000 0001 1100 0000 0000 0111 Key10 : 0001 1110 0000 0000 0111 1000 0000 0000 1110 0000 0000 0011 1000 0000 Pair 6: Key11 : 1110 0001 1111 1111 1000 0111 1111 1111 0001 1111 1111 1100 0111 1111 Key12 : 1111 1111 1100 0011 1111 1111 0000 1111 1111 1110 0011 1111 1111 1000**Demi-semi-weak Keys**• 48 demi-semi-weak keys, for each of which only four distinct sub-keys are generated. These occur in 4 groups of 4 keys each, and, in another 4 groups of 8 keys each. These are given in the next four slides as 64-bit keys. (In every 8 bits, the eighth bit is an odd parity bit. On eliminating the parity bit, you get the 56-bit key. Refer to slide 34 of DES Part 1. ) • All key generation programs should avoid the weak keys. The total number of possible keys in DES is 256 = 72, 057,594,037,927,936 = 7.2x1016. In this large key-space, the number of weak, semi-weak and demi-semi-weak keys are only 64.**Demi-semi-weak Keys: Key 1 to Key 12(as 64-bit keys)**1F 1F 01 01 0E 0E 01 01 01 1F 1F 01 01 0E 0E 01 1F 01 01 1F 0E 01 01 0E 01 01 1F 1F 01 01 0E 0E E0 E0 01 01 F1 F1 01 01 FE FE 01 01 FE FE 01 01 FE E0 1F 01 FE F1 0E 01 E0 FE 1F 01 F1 FE 0E 01 FE E0 01 1F FE F1 01 0E E0 FE 01 1F F1 FE 01 0E E0 E0 1F 1F F1 F1 0E 0E FE FE 1F 1F FE FE 0E 0E**Demi-semi-weak Keys: Key 13 to Key 24(as 64-bit keys)**FE 1F E0 01 FE 0E F1 01 E0 1F FE 01 F1 0E FE 01 FE 01 E0 1F FE 01 F1 0E E0 01 FE 1F F1 01 FE 0E 01 E0 E0 01 01 F1 F1 01 1F FE E0 01 0E FE F0 01 1F E0 FE 01 0E F1 FE 01 01 FE FE 01 01 FE FE 01 1F E0 E0 1F 0E F1 F1 0E 01 FE E0 F1 01 FE F1 0E 01 E0 FE 1F 01 F1 FE 0E 1F FE FE 1F 0E FE FE 0E**Demi-semi-weak Keys: Key 25 to Key 36(as 64-bit keys)**E0 01 01 E0 F1 01 01 F1 FE 1F 01 E0 FE 0E 01 F1 FE 01 1F E0 FE 01 0E F1 E0 1F 1F E0 F1 0E 0E F1 FE 01 01 FE FE 01 01 FE E0 1F 01 FE F1 0E 01 FE E0 01 1F FE F1 01 0E FE FE 1F 1F FE FE 0E 0E FE 1F FE 01 E0 0E FE 01 F1 01 FE 1F E0 01 FE 0E F1 1F E0 01 FE 0E F1 01 FE 01 E0 1F FE 01 F1 0E FE**Demi-semi-weak Keys: Key 37 to Key 48(as 64-bit keys)**01 01 E0 E0 01 01 F1 F1 1F 1F E0 E0 0E 0E F1 F1 1F 01 FE E0 0E 01 FE F1 01 1F FE E0 01 0E FE F1 1F 01 E0 FE 0E 01 F1 FE 01 1F E0 FE 01 0E F1 FE 01 01 FE FE 01 01 FE FE 1F 1F FE FE 0E 0E FE FE FE FE E0 E0 FE FE F1 F1 E0 FE FE E0 F1 FE FE F1 FE E0 E0 FE FE F1 F1 FE E0 E0 FE FE F1 F1 FE FE**“The public streets and highways of the internet have**become like neighborhoods where it is no longer safe to venture. Hackers, scammers, virus builders and other Web predators are looming in the shadows.” -- Paul Tinnirello CIO in an insurance financial industry “The Gated Community”, e-Week, 13 Oct 2003**A Revision**Methods of Encryption • Symmetric Encryption • Block • Stream • Synchronous • Self-Synchronous • Asymmetric ( Public Key) Encryption**Block Ciphers**DES : Based upon IBM’s Lucifer; Uses the processes of Diffusion and Confusion • Published on 15th January 1977 as the FIPS PUB 46 standard; subsequently • Reconfirmed in 1983 • Reconfirmed in 1988 as FIPS-46-1 • Reconfirmed in 1993 as FIPS-46-2 • Reconfirmed in 1998 as FIPS-46-3 Other Block Ciphers • 26th May 2002: AES: The new standard**Stream Cipher**• Streaming Cipher: encrypts data unit by unit, where a unit is of certain number of bits (Example: If the unit be a bit, a stream cipher encrypts data unit by unit. Or if the unit be a byte, it encrypts byte by byte) • simpler and faster than block cipher; but less secure • Two Modes of Stream Cipher: • Synchronous Stream Cipher: Sender uses a key to encrypt. Receiver uses the same key to decrypt. • Self-Synchronizing Stream Cipher:The key stream generator (KSG) generates a key, which depends upon the original key and the cipher output.**Example of a Stream Cipher**• RC4: used in • SSL (Secure socket Layer) • WEP (Wired Equivalent Privacy) • Key: 1 to 256 octets • Given a key: a pseudo-random stream is generated and xor’ed with the cleartext to generate the ciphertext**Controversies about DES**• Since the design of DES has not been released, there were misgivings because of • the small key size, and, • the patterns observed in the S-boxes However DES has survived for nearly two decades. References:1.W Diffie, M Hellman "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" IEEE Computer 10(6), June 1977, pp74-84 2.M Hellman "DES will be totally insecure within ten years" IEEE Spectrum 16(7), Jul 1979, pp 31-41**Design principles**1.Shannon’s Confusion and Diffusion properties introduced through S-boxes, permutations and 16 rounds of operation. 2.Some of the Rules followed by NSA for S-boxes: • In no case, the 4 output bits of any of the S-boxes can be expressed as a system of linear equations of the corresponding six input bits. • Change of one bit in the input of an S-box Change in at least two output bits. Thus the S-boxes diffuse the input information well into the output.**S-boxes: design crierion**S boxes: the only non-linear component during encryption using DES. Hence if a linear relation should exist between input and output bits, the whole of the process would become linear and easily breakable. Guaranteed Avalanche Criterion of order “r” for S boxes: If a change in one bit at the input leads to at least a change in r bits at the output, for all S-boxes and for all possible 1-bit changes A value of r of 2 to 5 has been recommended.**Two criterion for F**• Strict Avalanche Criterion: any output bit j should change with probability ½, when any single bit i is changed at the input, for all i and j. • Bit Independence Criterion: Output bits k and j should change independently, if a bit i is inverted at the input. (Both the rules are applied for S-boxes)**Design principles: Number of Rounds**After only one round: each cipher bit affected by a few bits of plaintext. After five rounds, each output bit depends upon every key and input bit. [701/MattBishop pp 230] Certification experiments, on the predecessor of DES, called Lucifer, by NBS showed that 8 rounds are able to eliminate any dependence of output bits on specific input bit patterns.[KON 81/Pfleeger pp 655] Reference: 1.A F Webster & S E Tavares "On the Design of S boxes", in Advances in Cryptology - Crypto 85, Lecture Notes in Computer Science, No 218, Springer-Verlag, 1985, pp 523-534**Number of Rounds**• Schneier has shown in his book that differential cryptanalysis is more effective than the brute force method if the number of rounds is 15 or less. • But for 16 rounds, diff crptanalysis is less effective.