Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard We focus now on the most widely used symmetric cipher: DES DES has been replaced by AES as a standard We will use DES to illustrate the principles of modern symmetric ciphers Adopted in 1977 by the National Bureau of Standards (US), nowadays NIST Originates from an IBM project from late 1960s led by Feistel Project ended in 1971 with the development of LUCIFER (key 128 bits) LUCIFER was then refined with the help of NSA to produce DES (key 56 bits) Immediate criticism: the reduction in key length was enormous and the internal details of the design were (and remained) classified information 1994: DES is reaffirmed as a standard for 5 more years 1999: DES should only be used for legacy systems and 3DES should replace it January 17, 2012 2 Block cipher principles Stream cipher is one that encrypts a digital data stream one bit (or byte) at a time Example: autokey Vigenère system Block cipher is one in which the plaintext is divided in blocks and one block is encrypted at one time producing a ciphertext of equal length Similar to substitution ciphers on very big characters: 64 bits or 128 bits are typical block lengths Many modern ciphers are block ciphers January 17, 2012 3 Principle: Substitution-Permutation Ciphers Claude Shannon (1949) introduced idea of substitution-permutation (S-P) networks These form the basis for modern substitution-transposition product cipher S-P networks are based on the two primitive cryptographic operations we have seen before: substitution (S-box) permutation (P-box) The goal is to provide confusion and diffusion of message January 17, 2012 4 Confusion and Diffusion Cipher need to completely obscure statistical properties of original message A one-time pad does this More practically Shannon (1949) suggested to combine elements to obtain: Diffusion – dissipates statistical structure of plaintext over bulk of ciphertext Makes the statistical relationship plaintext - ciphertext as complex as possible Achieved by requiring that every digit of the plaintext affects many digits of the ciphertext (equivalently, every digit of the ciphertext is affected by many digits of the plaintext) Confusion – makes relationship between ciphertext and key as complex as possible Makes it difficult to discover the key starting from the ciphertext The principles of confusion and diffusion are the most essential concepts in the design of modern block ciphers – they defend against statistical attacks January 17, 2012 5 Feistel Cipher Structure Most modern block encryption algorithms use the Feistel structure Horst Feistel was the leader of the IBM team that worked in late 1960s on LUCIFER He devised the so-called “feistel cipher” Algorithm structure – perform n rounds, each round has the following structure (for encryption and decryption): Input is of length 2w (bits), key is K Divide the input into two halves L0 and R0 L1= R0, R1=L0 ⊕ f(R0,K) In the next round use (L1, R1) instead of (L0, R0), etc. Function f is the same in all rounds but uses a different subkey in each round – the subkey of each round is generated from the key January 17, 2012 6 ⊕ Feistel Cipher Structure ⊕ ⊕ January 17, 2012 7 Feistel Cipher Design Principles block size increasing size improves security, but slows cipher key size increasing size improves security, makes exhaustive key searching harder, but may slow cipher number of rounds increasing number improves security, but slows cipher subkey generation greater complexity can make analysis harder, but slows cipher round function greater complexity can make analysis harder, but slows cipher fast software en/decryption & ease of analysis are more recent concerns for practical use and testing January 17, 2012 8 ⊕ ⊕ Feistel Cipher ⊕ Decryption vs ⊕ Encryption: the same algorithm (with keys in reverse order) ⊕ ⊕ ⊕ ⊕ January 17, 2012 9 Feistel decryption Decryption Decryption is the same as encryption and does not require any property for function f (not •Input: The ciphertext (LD , RD )= (RE , LE ) even to be invertible) 0 0 16 16 •Round i (1 to 16) performs on input (LDi-1, RDi-1) the LD/RD – left/right half in the decryption algorithm operations: –LD =RD , RD =LD ⊕f(RD ,K ) LE/RE – left/right half in the i i-1 i i-1 i-1 16-i encryption algorithm –This is the input to next round ⊕ denotes XOR: 0⊕0=0, 1⊕1=0, •The key of round i is K16-i, 0⊕1= 1⊕0=1 •This algorithm is CORRECT – after round i we have LDi=RE16-i, RDi=LE16-i: Encryption •PROOF: •Input to the first round: •Input: the plaintext (LE0, RE0) –LD0=RE16, RD0=LE16 •Round i (1 to 16) performs on input •Induction: assume it holds for i-1, prove it for i (LEi-1, REi-1) the operations: –LDi-1=RE16-i+1, RDi-1=LE16-i+1 –LEi=REi-1, REi=LEi-1⊕f(REi-1,Ki) Then: –This is the input to next round –LDi=RDi-1=LE16-i+1=RE16-i •The key of round i is Ki, –RDi=LDi-1 ⊕ f(RDi-1, K16-i)=RE16-i+1 ⊕ f(LE16-i+1, K16-i)= •Output: the ciphertext (RE16, LE16) =(LE16-i ⊕f(RE16-i,K16-i+1)) ⊕f(RE16-i,K16-i)=LE16-i –Result: (RE16-i, LE16-i) •Output: the plaintext (RD16, LD16)=(LE0, RE0) January 17, 2012 10 DES DES encryption/decryption Strength of DES Design principles Cryptanalysis January 17, 2012 11 DES encryption scheme The plaintext (64 bits) passes through an initial permutation IP (on 64 bits) Then follow 16 identical rounds – in each round a different subkey is used; each subkey is generated from the key After round 16, swap the left half with the right half Apply the inverse of the initial permutation IP-1 (on 64 bits) January 17, 2012 12 DES encryption scheme January 17, 2012 13 Initial permutation and its inverse January 17, 2012 14 Details of a single round of DES Consider L the left half of the input to the round and R its right half – each of them have 32 bits As in any Feistel cipher the overall processing is Li=Ri-1, Ri=Li-1⊕ F(Ri-1,Ki) The round subkey Ki has 48 bits (details later on how it is generated) R is expanded from 32 to 48 bits using an “expansion permutation” E – this is a table that defines a permutation, duplicating in the same time 16 of the bits in R These 48 bits are XORED with the subkey Ki The 48-bit result passes through a substitution function that produces a 32- bit output Apply then a permutation P January 17, 2012 15 A single round of DES January 17, 2012 16 The scheme of the function F(R,K) in DES January 17, 2012 17 Details of a single round of DES January 17, 2012 18 The substitutions in the DES rounds: S-boxes There are 8 S-boxes, each of them accepting a 6-bit input and producing 4-bit output The S-boxes are 4 x 16 tables (shown on the next slide) and are used as follows: The first and the last bit of the input to the S-box form a 2-bit binary number that selects the row of the S-box (rows are from 0 to 3) The middle four bits select the column of the S-box (columns are from 0 to 15) The decimal value in the selected entry of the S-box is converted to its 4-bit binary representation to produce the output January 17, 2012 19 Definition of S-boxes Example: consider the input 011001to S-box S1 The row is 011001: 01 (i.e. 1) The column is 011001: 1100 (i.e. 12) The value in the selected cell is 9 Output is 1001 Note that each row of each S-box is in fact an invertible substitution on 4 bits (permutation of numbers from 0 to 15) Note also that the output of the S-box is immediately permuted in DES so that it spreads in the ciphertext January 17, 2012 20 Subkey generation In the general scheme of DES is shown that a 64-bit key is used – the bits of the key are numbered from 1 to 64. The algorithm ignores every 8th bit – thus, the key for DES is effectively 56-bit long Before round 1 of DES, they key is permuted according to a table labeled Permuted Choice One (see next slide) – the resulting 56-bit key is split into its two 28-bit halves labeled C0 and D0 In each round, Ci-1 and Di-1 are separately subjected to a circular left shift of one or two bits according to the table on the next slide – the shifted values will be input to next round The shifted values serve as input to Permuted Choice Two (see next slide) which produces a 48-bit output: the subkey of the current round January 17, 2012 21 Subkey generation In the general scheme of DES is shown that a 64-bit key is used – the bits of the key are numbered from 1 to 64. The algorithm ignores every 8th bit – thus, the key for DES is effectively 56-bit long Before round 1 of DES, they key is permuted according to a table labeled Permuted Choice One – the resulting 56-bit key is split into its two 28-bit halves labeled C0 and D0 In each round, Ci-1 and Di-1 are separately subjected to a circular left shift of one or two bits according to the table on the next slide – the shifted values will be input to next round The shifted values serve as input to Permuted Choice Two which produces a 48-bit output: the subkey of the current round January 17, 2012 22 DES decryption Like in any Feistel cipher, decryption works just like encryption with the subkeys used in reverse order January 17, 2012 23 Analysis of DES Avalanche effect: this is a desirable property of any encryption algorithm A small change (even 1 bit) in the plaintext should produce significant change in the ciphertext Example: consider two blocks of 64 zeros and in the second block rewrite 1 on the first position.