1 / 44

Digital Encryption Standard

Digital Encryption Standard. CSIS 5857: Encoding and Encryption. History of DES. 1973: National Institute of Standards requests proposals for national symmetric key cryptosystem 1975: NIST accepts proposal from IBM as national Digital Encryption Standard Based on Feistel cipher 56-bit key

zinnia
Download Presentation

Digital Encryption Standard

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Digital Encryption Standard CSIS 5857: Encoding and Encryption

  2. History of DES • 1973: National Institute of Standards requests proposals for national symmetric key cryptosystem • 1975: NIST accepts proposal from IBM as national Digital Encryption Standard • Based on Feistel cipher • 56-bit key • Origin of some parts of structure classified • Input from NSA on S-Box structure • Still widely used symmetric key cipher • Current standard: AES

  3. Overall DES Structure • 64-bit block inputs and outputs • 16 round Feistel cipher • 56-bit key used to generate 48-bit round keys

  4. Initial and Final Permutations • Plaintext undergoes initial permutation • Final permutation is inverse of initial permutation • No known reason, since easy for adversary to simulate

  5. Initial and Final P-Boxes

  6. Feistel Structure • Input at each round broken into 32-bit left and right halves • Right half mixed with round key using “mixer” function f(R, K) • Result XOR’d with left half • Resulting left and right halves swapped before next round

  7. Mixer Function • 32-bit right half expanded to 48 bits • Combined with round key using XOR • Run through array of 8 x 6 S-Boxes • Results combined and run through 32 x 32 P-Box

  8. Expansion Permutation • First and last bits of each four bits duplicated • No real contribution to confusion, just matches size with round key

  9. Array of S-Boxes • 48-bit input broken into 8 “chunks” of 6 bits each • Output of each compressed to 4 bits • Combined to form 32-bit output • Each S-Box is different to maximize confusion

  10. S-Box Structure • 4 rows x 16 columns (2 bits x 4 bits) • Row determined by bits 1 and 6 of input • Column determined by bits 2 – 5 of input

  11. S-Boxes 1 – 4

  12. S-Boxes 5 – 8

  13. DES S-Box Example • Input: 110010 • First and last 2 bits: 10 = 2 in decimal • Middle four bits: 1001 = 9 in decimal • Output: 12 = 1100

  14. Mixer P-Box • Goal: Output of each S-Box distributed across final round key value before use in XOR

  15. Round Keys • 16 round keys • Applied in reverse order at decryption stage

  16. Round Key Generation • 64 bit input = 56 bits of key data + 8 parity bits • 56-bit key split into 28-bit left and right halves • Circular left shift applied to each half at each round • Combined in compression P-Box to create 48-bit round key

  17. Parity Bit Drop • Every 8th bit of key input used for parity check to detect transmission errors • This stage removes the parity bits and shuffles key bits

  18. Key Shift Schedule • Key split into two subkeys (28 bits each) • Circular left shift applied each round • One bit shift in rounds 1, 2, 9, 16 • Two bit shift in other rounds (adds up to 28) • Assures different key each round

  19. Round Key Compression • Reduces round key to 48 bits to match bits in mixer • Combined with shifts, assures different bits used in each round key (different bits removed each round)

  20. Analysis of DES How resistant to different attack types? Common analysis for all ciphers Cryptanalysis attacks Confusion and diffusion Differential cryptanalysis Linear cryptanalysis Weak keys… Exhaustive search attacks 56-bit key vulnerable to exhaustive search Current solution: multiple stage DES

  21. Confusion and Diffusion Use of inputs to create round key assures eachplaintext bit affects many ciphertext bits Use of shifts and permutations in key generation assures each key bit affects many ciphertext bits

  22. Differential Cryptanalysis Basic idea: slightly “tweak” plaintexts to see effect on resulting ciphertext Based on differential relationship p1p2= c1c2for XOR For large numbers of chosen plaintext: Compute differences p1 p2and c1 c2 Keep statistics on their relationships Examine S-boxes to determine how they would affect the statistical relationships Guess bits of the key based on these relationships Based on nonuniform distributions of outputs in S-boxes

  23. Example: single S-box between XOR and output Note uneven distribution Some outputs more likely than others Since adversary knows this, can guess likely values of intermediate X Can then work backward from known P to guess K Differential Cryptanalysis

  24. Differential Cryptanalysis • For all intermediate pairs x1and x2(or some subset) • Compute x1 x2 • Compute c1 c2as result of running x1and x2through the S-box • Example: All cases where x1 x2 = 001

  25. Differential Cryptanalysis c1 c2 x1 x2 Resulting statistics P(c1 c2 | x1 x2 )

  26. Differential Cryptanalysis Darth runs a bunch of examples for whichp1 p2 = 100 Results: 00 happens 25% of time01 happens 25% of time11 happens 50% of time Assumption: x1 x2is actually 001 Therefore, likely key is (p1 p2)  (x1 x2 ) = 101

  27. Cryptanalysis Attacks on DES Differential Cryptanalysis Use of 16 rounds specifically meant for this attack Even distributions in S-boxes Statistical relationships obscured Heavy avalanche effect 247 chosen plaintexts needed to break DES

  28. Linear S-Boxes Linearn x m S-Box can be expressed as linear equation of form:c1 = a11x1 a12x2 …  a1nxnc2 = a21x1 a22x2 …  a2nxn…cm = am1x1 am2x2 …  amnxnwhere xi is ith input bit ci is ith ciphertext bitaij is either 0 or 1 Each cipherbit character is defined as the XOR of certain input bits

  29. Linear S-Boxes Example of linear 3x3 S-Box:c1 = x1 x2 = 1x1 1x2 0x3c2 = x1 x2 x3 = 1x1 1x2 1x3c3 = x2 x3 = 0x1 1x2 1x3 Corresponding S-Box:

  30. Linear Cryptanalysis Attempt to approximate entire cipher as one big set of linear equations Finding solutions to set of linear equations well studied in engineering n bit key requires n known plaintexts to solve

  31. Linear Cryptanalysis Example Example: Above S-Box used after XOR stage

  32. Linear Cryptanalysis Example S-Box input bit xi= pi  ki Resulting equations:c1 = (p1 k1)  (p2 k2) c2 = (p1 k1)  (p2 k2)  (p3 k3) c3 = (p2 k2)  (p3 k3) Can now solve for key bits!k1 = p1  (c1 c2 c3)k2 = p1  (c1 c2)k3 = p1  (c2 c3)

  33. Linear Cryptanalysis Possible if cipher uses only linear components Permutation boxes linear by definition!Shifting from position i to position j is equation cj = 0p1 0p2…  1pi…  0pn Therefore, S-Boxes must not be linear! They are the only possible nonlinear component

  34. Cryptanalysis Attacks on DES Linear Cryptanalysis DES not designed for this attack (invented after DES released However, DES S-Boxes not linear 243 known plaintexts needed to break DES using linear cryptanalysis

  35. Weak Keys • Keys that leave plaintext vulnerable in some way • Simple example: k = 26 in Caesar cipher • Weak keys in DES produce same round key for multiple rounds • 4 keys give same round key every round • 8 keys give only 2 distinct round keys • 48 keys give only 4 distinct round keys • Odds unlikely (8.8 x 10-16 ), but should still check randomly generated keys

  36. Exhaustive Search Attacks 56-bit key not computationally secure Parallel processing attacks Computer with 1 million chips (1998)  key found in 112 hours Network of 3500 computers (1977)  key found in 120 days 56-bit key not recommended by NIST! “all clones test different keys!”

  37. Multiple Stage DES No way to use larger key in DES Structure “hardwired” Only solution: multiple stage DES Different keys used each stage Output ciphertext of one stage  input plaintext of next stage

  38. Multiple Stage DES Multiple stages with different keys greatlyincreases number of possible ciphertexts (264)! possible mappings from 264 possible input blocks to 264 possible output blocks Only 256 possible keys (tiny fraction of the above) Extremely unlikely that there exists K3 such that E(E(P, K1), K2) = E(P, K3) After applying K1 and K2 Possible ciphertexts Possible ciphertexts After applying K1

  39. “Meet In The Middle” Attack Theoretically, two stages should be sufficient Adversary would have to try all combinations of possible K1 and K2 256 x 256 = 2112 possible combinations of keys Vulnerable to “meet in the middle” attack Adversary has a known plaintextP and ciphertext C Works forward encrypting P with all possible K1 Works backward decrypting C with all possible K2 Stores results and searches for matches

  40. “Meet In The Middle” Attack “I’ll try all K1 and store the results in a table” “I’ll try all K2 and store the results in another table” Table of all possible M created by encrypting P Table of all possible M created by encrypting P “Now I’ll compare the two and look for any matches”

  41. “Meet In The Middle” Attack M’s (and keys K1and K2 that created them) kept in sorted tables 256 runs to create each table 56 x 256 comparisons to find matches Match gives plausible values for K1 and K2 “Double DES” not computationally secure M K1 1010001…10 0110100…01 “So this might be K1 and K2” “These match” M K2 1010001…10 1100110…00

  42. Triple DES Need at least three stages of encryption “Meet in middle” attack can only take place after at least two stages Effectively the same as 112 bit key K1 K2 K3 “I can only attack here”

  43. Triple DES With Two Keys Just use K1 twice (in first and last stage) Shorter keys (112 bits instead of 168 bits) Still secure (have to try all K1 and K2 to do meet in middle attack) “Still too hard to crack”

  44. Efficiency of DES • Fast if burned into hardware • Basic structure corresponds to wiring diagram • Slow if executed as software • Basic structure doesn’t fit into registers • Much swapping between RAM/registers required • 3DES even slower

More Related