Data Encryption Standard (DES)

Data Encryption Standard (DES)

Data Encryption Standard (DES) Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 16 Data Encryption Standard (DES), adopted in 1976 DES has 56 bit keys. You can re-use a key as often as you want. You can encrypt text that is as long as you want*. * In any modern encryption system, there are theoretical limits on the number of times you use the key, and length of the plaintexts. But the limits are huge. They are generally not a concern in practice. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 17 DES Data Encryption Standard (DES) adopted in 1976 Key size (56 bits) is too small for today's computers (can be broken within hours on very powerful computers) Variants (e.g. 3DES) still provide good security, although nowadays AES considered more secure and is more efficient. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 18 Design parameters Block length is 64 bits • Key length is is 56 bits • I Actually, the key length is often said to be 64 bits. But 8 of those bits are parity bits. So the effective key length is 56 bits. DES consists of 16 \rounds". Each round uses a roundkey, • also called a subkey, derived from the main key. Subkey length is 48 bits for each subkey K1;:::; K16. Subkeys are derived from the 56 bit key via the \key schedule". Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 19 Notation for DES operations Have three special operations: Cyclic shifts on bitstring blocks: Will denote by b <<< n the • move of the bits of block b by n to the left. Bits that would have fallen out are added at the right side of the b. b >>> n is defined similarly Permutations on the position of bits: Written down as output • order of the input bits. Example: the permutation 4 1 2 3 means that the fourth input bit becomes the first output bit, • the first input bit becomes the second output bit, • the second input bit becomes the third output bit, and • the third input bit becomes the fourth output bit. Sometimes,• we use the word \permutation" for bit re-arrangements that include duplication or dropping of bits, even though that is not a proper permutation. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 20 Key schedule Have different keys for each round, computed by so-called Key schedule 64-bit key is actually 56-bit key plus 8 parity bits First apply a permutation PC-1 which removes the parity bits. • This results in 56 bits. Split result into half to obtain (C0; D0) • For each round i = 1; :::; 16, we compute • Ci = Ci 1 <<< pi − Di = Di 1 <<< pi − where 1 if i = 1; 2; 9; 16 p = i 2 otherwise Now we join Ci and Di together, and apply a permutation • PC-2 which produces a 48-bit output, to obtain Ki . Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 21 Feistel cipher: a way of doing block ciphers Invented in 1971 at IBM Important class of ciphers (eg Blowfish, DES, 3DES) Same encryption scheme applied iteratively for several rounds Important step: Derive next message state from previous message state via special function called Feistel function Encryption is organised as a series of \rounds". Each round works as follows: Split input in half • Apply Feistel function to the right half • Compute xor of result with old left half to be new left half • Swap old right and new left half, unless we are in the last • round Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 22 Overview of DES R Plaintext Block Li−1 i−1 Ki Initial Permutation IP F L0 R0 Li Ri L16 R16 Final Permutation IP−1 Ciphertext block Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 23 DES Feistel Cipher, continued Formal definition: Split plaintext block in two equal pieces M = (L0; R0) • For each round i = 1; 2;:::; 16 compute • Li = Ri 1 − Ri = Li 1 F (Ki ; Ri 1) − ⊕ − The ciphertext is C = (R16; L16) • R Li−1 i−1 Ki F Li Ri Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 24 Decryption Works as encryption, but with a reversed order of keys Split ciphertext block in two equal pieces C = (R16; L16) • For each round i = 16; 15;:::; 1 compute • Ri 1 = Li − Li 1 = Ri F (Ki ; Li ) − ⊕ Plaintext is M = (L0; R0) • Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 25 DES Feistel function Four stage procedure: Expansion permutation: Expand 32-bit message half block to • 48 bit block by doubling 16 bits and permuting them Round key addition: Compute xor of this 48 bit block with • round key Ki S-Box: Split 48 bit into eight 6-bit blocks. Each of them is • given as input to eight substitution boxes, which substitute 6-bit block by 4-bit block. P-Box: Combine these eight 4-bit blocks to 32-bit block and • apply another permutation. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 26 DES Feistel function, continued Source: Wikipedia Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 27 S-boxes S-boxes: An S-box substitution is a table lookup. Input is 6 • bit, output is 4 bit. Works as follows: Strip out outer bits of input and join them. This two-bit • number is the row index. Four inner bits indicate column number. • Output is corresponding entry in table • Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 28 Confusion and diffusion The design of DES aims to provide confusion and diffusion. I Confusion means that each bit of the ciphertext should depend on several parts of the key, obscuring the connections between the two. I Diffusion means that if we change a single bit of the plaintext, then (statistically) half of the bits in the ciphertext should change. A related property is \non-linearity". If a cipher has this property, it means that the ciphertext is not a \linear" combination of the key and the plaintext. (That would be weak. More precisely, it would be vulnerable to linear differential cryptanalysis.) Permutations and XOR are linear operations. So some non-linear operations need to be used as well. The S-box of DES is a non-linear operation. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 29 Choice of S-boxes Because of their non-linearity, the S-boxes are the core of DES in terms of cryptographic strength. Motivation for the choice of the particular S-boxes not known until 1990s. It includes the following constraints: I No single output bit should be too close to a linear combination of the input bits. I If two inputs to an S-box differ in exactly one bit, their outputs must differ in at least two bits. I If two inputs to an S-box differ in the two middle bits, their outputs must differ in at least two bits. I If two inputs to an S-box differ in their rst two bits and are identical in their last two bits, the two outputs must be different. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 30 DES is not secure by today's standards In any practical encryption system, such as DES, an attacker could try to enumerate all the keys, and test them all. What prevents this in practice is that it would take too long. How long depends on the key size. In the 1970s, the assumption was that you could test at most 1 million keys per second. In that case it would take you more than 2000 years to crack a DES key. DES keys are too short for today's standards. In 2012, a system with 48 Xilinx Virtex-6 LX240T FPGAs was announced, each FPGA containing 40 fully pipelined DES cores running at 400 MHz, able to test 8 x 1011 keys/sec. The system can exhaustively search the entire 56-bit DES key space in about 28 hours. AES has 128 bit keys. That is vastly more. Even if you could build a system capable of testing 8 x 1011 keys/sec, it would take 25,000 years to test them all. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 31 DES, \2DES" and 3DES DES a good design, but as it only has 56 bit keys, it has only approximately 256 security. (There are some cryptanalytic attacks on DES, but not very serious ones, so let's say its security is about 256.) How about using DES twice? Take a 112-bit key, split it into two keys K1 and K2 and encrypt M like this: EncK1 (EncK2 (M)) Would that give us 2112 security? Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 32 \2DES" is not significantly more secure than DES Suppose we have a pair (M; C) consisting of a valid plaintext-ciphertext pair. With approximately 257 work, we can find the 112-bit key K1K2 used in 2DES. Here is how to do it. 56 I Try all 2 possible keys K2, and store all the results 56 EncK2 (M). Sort them in order. This is 2 work for the encryption, and 256 log(256) for the sorting. 56 I Try all the 2 possible keys K1, computing DecK1 (C). For each such value, check if it is one of the stored EncK2 (M). That is 256 work for the Dec, and log(256) work for the checking.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    20 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us