Data Encryption Standard


Data Encryption Standard – DES and
Other Symmetric Block Ciphers
DES was developed as a standard for communications and
data protection by an IBM research team, in response to a
public request for proposals by the NBS - the National Bureau
of Standards (which is now known as NIST).
1
Lecture Plan

• Review of Encryption
• Symmetric and Asymmetric Encryption
• DES History
• DES Basics
• DES Details
• DES Example
• DES Modes of Use
2
Review of Encryption

A message in its original form (plaintext) is encrypted
into an unintelligible form (ciphertext) by a set of
procedures known as an encryption algorithm (cipher)
and a variable, called a key; and the ciphertext is
transformed (decrypted) back into plaintext using the
decryption algorithm and a key.
[Figure: original data (“Dear Friend, I have seen your message of …”) is encrypted with a symmetric key into scrambled data, and decrypted with the symmetric key back into the original data.]
3
Review of Encryption

• Encryption: $C = E_K(P)$
• Decryption: $P = E_K^{-1}(C)$
• $E_K$ is chosen from a family of transformations known as a cryptographic system.
• The parameter that selects the individual transformation is called the key K, selected from a keyspace K.
• For a K-bit key size the keyspace size is $2^K$.
4
Comparison of Symmetric
and Asymmetric Encryption
[Figure: Symmetric (Single Key) Cryptography: plaintext → encryption → ciphertext → decryption → original plaintext, using one secret key. Asymmetric (Two Key) Cryptography: the same flow, using a private key and a public key.]
5
Block Cipher Design
Principles
• Confusion – obscures the relationship between the plaintext and ciphertext. Eliminates redundancies and statistical patterns. Confusion is achieved through substitution.
• Diffusion – dissipates the redundancies of the plaintext by distributing them over the ciphertext. Diffusion is achieved through permutations.
• Shannon’s Papers of 1948/1949:
  - A Mathematical Theory of Communication
  - Communication Theory of Secrecy Systems
• Multiple Iterations
6
DES - History

• The Data Encryption Standard (DES) was developed in the 1970s by the National Bureau of Standards (NBS) with the help of the National Security Agency (NSA).
• Its purpose is to provide a standard method for protecting sensitive commercial and unclassified data.
• IBM created the first draft of the algorithm, calling it LUCIFER with a 128-bit key.
• DES officially became a federal standard in November of 1976.
7
DES - History

• In May 1973, and again in Aug 1974, the NBS (now NIST) called for possible encryption algorithms for use in unclassified government applications.
• Response was mostly disappointing; however, IBM submitted their LUCIFER design.
• Following a period of redesign and comment it became the Data Encryption Standard (DES).
8
DES - As a Federal Standard

• DES was adopted as a (US) federal standard in November 1976, published by NBS as a hardware only scheme in January 1977 and by ANSI for both hardware and software standards in ANSI X3.92-1981 (also X3.106-1983 modes of use).
• Subsequently DES has been widely adopted and is now published in many standards around the world.
9
DES - Usage in Industry

• One of the largest users of the DES is the banking industry, particularly with EFT and EFTPOS.
• It is for this use that the DES has primarily been standardized, with ANSI having twice reconfirmed its recommended use for 5 year periods - a further extension was not expected.
• However DES has been extended to 2005 and at that time it will be replaced by AES, which has already been standardized.
10
DES - Design Shrouded in
Mystery

• Although the standard is public, the design criteria used are classified and have yet to be released.
• There has been considerable controversy over the design, particularly in the choice of a 56-bit key.
• W. Diffie, M. Hellman, “Exhaustive Cryptanalysis of the NBS Data Encryption Standard”, IEEE Computer 10(6), June 1977, pp. 74-84.
• M. Hellman, “DES will be totally insecure within ten years”, IEEE Spectrum 16(7), Jul 1979, pp. 31-41.
11
DES - Design Proves Good

• Despite this, recent analysis has shown that the choice was appropriate, and that DES is well designed.
• Rapid advances in computing speed, though, have rendered the 56-bit key susceptible to exhaustive key search, as predicted by Diffie and Hellman.
• The DES has also been theoretically broken using a method called Differential Cryptanalysis; however, in practice this is unlikely to be a problem (yet).
12
DES - Basics

• DES uses the two basic techniques of cryptography - confusion and diffusion.
• At the simplest level, diffusion is achieved through numerous permutations and confusion is achieved through the XOR operation and the S-Boxes.
• This is also called an S-P network.
13
The S-P Network
[Figure: a product cipher built as an S-P network, with S-boxes S1 to S12 and P-boxes P1 to P4. Inset labels for one S-box: Decoder: 3 to 8, P-box, Encoder: 8 to 3.]
14
DES in a
Nutshell
15
DES - The 16
Iterations
The basic process in enciphering a 64-bit data block and a 56-bit key using the DES consists of:
• An initial permutation (IP)
• 16 rounds of a complex key dependent calculation f
• A final permutation, being the inverse of IP

[Figure: the 64-bit plaintext passes through the Initial Permutation, Iteration 1, Iteration 2, …, Iteration 16, a 32-bit Swap and the Inverse Initial Permutation to give the 64-bit ciphertext. The 56-bit key passes through Permuted Choice 1; for each iteration a Left Circular Shift followed by Permuted Choice 2 yields the subkeys K1, K2, …, K16.]
16
Details of Each Iteration
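[Figure: one iteration. Data path: the 32-bit R(i-1) goes through the Expansion Permutation (E-Table) to 48 bits, is XOR-ed with the 48-bit Ki, passes through the Substitution Box (S-Box) to 32 bits and then the Permutation Box (P), and is XOR-ed with the 32-bit L(i-1); the outputs are the 32-bit Li and Ri. Key path: the 28-bit halves C(i-1) and D(i-1) each go through Left Shift(s) to give Ci and Di, and Permutation Choice (PC-2) produces the 48-bit Ki.]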
17
DES - Swapping of Left and
Right Halves

• The 64-bit block being enciphered is broken into two halves.
• The left half and the right half go through one DES round, and the result becomes the new right half.
• The old right half becomes the new left half, and will go through one round in the next round.
• This goes on for 16 rounds, but after the last round the left and right halves are not swapped, so that the result of the 16th round becomes the final right half, and the result of the 15th round (which became the left half of the 16th round) is the final left half.
18
DES - Swapping of Left and
Right Halves
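• This can be described functionally as:
  $L(i) = R(i-1)$
  $R(i) = L(i-1) \oplus P(S(E(R(i-1)) \oplus K(i)))$
• This forms one round in an S-P network.

[Figure: one round, with 32-bit inputs $L_{i-1}$ and $R_{i-1}$, the combination $L_{i-1} \oplus f(R_{i-1}, K_i)$, and 32-bit outputs $L_i$ and $R_i$.]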
19
DES - Basics




• Fundamentally DES performs only two operations on its input, bit shifting (permutation), and bit substitution.
• The key controls exactly how this process works.
• By doing these operations repeatedly and in a non-linear manner you end up with a result which cannot be used to retrieve the original without the key.
• Those familiar with chaos theory should see a great deal of similarity to what DES does. By applying relatively simple operations repeatedly a system can achieve a state of near total randomness.
20
Each Iteration Uses a
Different Sub-key

• DES works on 64 bits of data at a time. Each 64 bits of data is iterated on from 1 to 16 times (16 is the DES standard).
• For each iteration a 48-bit subset of the 56-bit key is fed into the encryption block.
• Decryption is the inverse of the encryption process.
21
DES Key Processing

• The key is usually stored as a 64-bit number, where every eighth bit is a parity bit.
• The parity bits are discarded during the algorithm, and the 56-bit key is used to create 16 different 48-bit subkeys - one for each round.
• DES Subkeys: K1, K2, K3, … K16
22
DES Key Processing Subkeys Generation

In order to generate the 16 48-bit subkeys from the 56-bit key, the following process is used:
• First, the key is loaded according to PC-1 and then halved.
• Then each half is rotated by 2 bits in every round except the first, second, 9th and last rounds, in which it is rotated by 1 bit.
• The reason for this is that it makes it secure against related-key cryptanalysis.
• Then 48 of the 56 bits are chosen according to a compression permutation - PC-2.

23
The Key Schedule

The subkeys used by the 16 rounds are formed by the Key Schedule which consists of:
• An initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
• 16 stages consisting of:
  - selecting 24 bits from each half and permuting them by PC2 for use in function f
  - rotating each half either 1 or 2 places depending on the key rotation schedule KRS
• This can be described functionally as:
  $K(i) = PC2(KRS(PC1(K), i))$
24
Permuted Choice 1 — PC-1
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4
25
Permuted Choice 2 — PC-2
14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
26
Key Rotation Schedule —
KRS
Round Number            1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Number of Left Shifts   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
Total Number of Shifts  1  2  4  6  8 10 12 14 15 17 19 21 23 25 27 28
27
DES Operation - Plaintext

The block to be encrypted is halved - the right
half goes through several steps before being
XOR-ed with the left half and, except after the
last round, trading places with the left half.
28
DES - Expansion
Permutation

• First the right half goes through an expansion permutation which expands it from 32 to 48 bits.
• This makes it the same length as the subkey to allow the XOR, but it also demonstrates an important concept in cryptography. In expanding to 1.5 times its size, several bits are repeated (no new bits are introduced - all the existing bits are shifted around, and some are used twice).
• Because of this some of the input bits affect two output bits instead of one, the goal being to have every output bit in DES depend upon every input bit as quickly as possible. This is known as the avalanche effect.
29
Expansion Permutation
Table
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
30
DES Operation - $E(R_i) \oplus K_i$

• The result of the expansion permutation is XOR-ed with the subkey, and then goes through the S-boxes.
• There are 8 S-boxes, each of which takes a 6-bit input and spits out a 4-bit output.
• This step is non-linear. For a given input i1, i2 ... i6, the output is determined by using the concatenation of i1 and i6, and the concatenation of i2 … i5, and using these as the indices to the table which is the S-box.
31
S-box Permutations

• The S-boxes are somewhat different from the other permutations. While all the others are set up according to “bit x goes to bit y”, the input bits can be viewed differently for the S-boxes.
• If the input is {i1,i2,i3,i4,i5,i6} then the two-bit number {i1,i6} and the four-bit number {i2,i3,i4,i5} are used as indices to the table.
• For the 48-bit word {i1,i2 … i48}, the word {i1 … i6} is sent to S-box 1, the word {i7 … i12} to S-box 2, etc. The output of S-box 1, {o1 … o4}, that of S-box 2, {o5 … o8} etc. are concatenated to form the output.
32
The 8 DES S Boxes
48-bit Input   S-Box     32-bit Output
 0 …  5        S-Box 1    0 …  3
 6 … 11        S-Box 2    4 …  7
12 … 17        S-Box 3    8 … 11
18 … 23        S-Box 4   12 … 15
24 … 29        S-Box 5   16 … 19
30 … 35        S-Box 6   20 … 23
36 … 41        S-Box 7   24 … 27
42 … 47        S-Box 8   28 … 31
33
S-box Permutations
34
S1 Box Truth Table
35
The 8 DES
S Boxes
36
DES Operation - P Box

• The output of each of the 8 S-boxes is concatenated to form a 32-bit number, which is then permuted with a P-box.
• This P-box is a straight permutation, and the resulting number is XOR-ed with the left half of the input block with which we started at the beginning of this round.
• Finally, if this is not the last round, we swap the left and right halves and start again.
37
Permutation Function - P
Box
16  7 20 21
29 12 28 17
 1 15 23 26
 5 18 31 10
 2  8 24 14
32 27  3  9
19 13 30  6
22 11  4 25
38
DES Permutations

• The initial and final permutations in DES serve no cryptographic function. They were originally added in order to make it easier to load the 64-bit blocks into hardware - this algorithm after all predates 16-bit busses - and are now often omitted from implementations.
• However the permutations are a part of the standard, and therefore any implementation not using the permutations is not truly DES.
39
DES Permutations

• Using the Initial Permutation a DES chip loads a 64-bit block one bit at a time (this gets to be very slow in software).
• The order in which it loads the bits is shown below.
• The final permutation is the inverse of the initial (for example, in the final permutation bit 40 goes to bit 1, whereas in the initial permutation bit 1 goes to bit 40).
40
Initial Permutation
Bit goes to Bit (input bit → output bit)
58→1   50→2   42→3   34→4   26→5   18→6   10→7    2→8
60→9   52→10  44→11  36→12  28→13  20→14  12→15   4→16
62→17  54→18  46→19  38→20  30→21  22→22  14→23   6→24
64→25  56→26  48→27  40→28  32→29  24→30  16→31   8→32
57→33  49→34  41→35  33→36  25→37  17→38   9→39   1→40
59→41  51→42  43→43  35→44  27→45  19→46  11→47   3→48
61→49  53→50  45→51  37→52  29→53  21→54  13→55   5→56
63→57  55→58  47→59  39→60  31→61  23→62  15→63   7→64
41
Initial Permutation
Pictorially
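[Figure: the initial permutation drawn pictorially for the first 16 output bits (Bit goes to Bit: 58→1, 50→2, 42→3, 34→4, 26→5, 18→6, 10→7, 2→8, 60→9, 52→10, 44→11, 36→12, 28→13, 20→14, 12→15, 4→16).]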
42
DES Initial and Final
Permutations
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
43
Weak Keys

There are a few keys which are considered
weak for the DES algorithm. They are so few,
however, that it is trivial to check for them
during key generation.
Example Weak Keys
44
DES Example - Key
K = 581FBC94D3A452EA
X = 3570E2F1BA4682C7
K = ( 0101 1000 0001 1111 1011 1100 1001 0100 1101 0011 1010 0100 0101 0010 1110 1010 )
C0 = ( 10111100110100 01101001000101 )
D0 = ( 11010010001011 10100001111111 )
45
DES Example - Key
C1 = ( 0111 1001 1010 0011 0100 1000 1011 )
D1 = ( 1010 0100 0101 1101 0000 1111 1111 )
K1 = ( 001001 111010 000101 101001 111001 011000 110111 011010 )
C2 = ( 1111 0011 0100 0110 1001 0001 0110 )
D2 = ( 0100 1000 1011 1010 0001 1111 1111 )
K2 = ( 110110 101001 000111 011101 110101 111011 011101 001000 )
46
DES Example - Data
K=581FBC94D3A452EA
X=3570E2F1BA4682C7
X = (x1, x2, x3, …, x64)
  = ( 0011 0101 0111 0000 1110 0010 1111 0001 1011 1010 0100 0110 1000 0010 1100 0111 )
This plaintext X is first subjected to an Initial Permutation – IP which gives
L0 = ( 1010 1110 0001 1011 1010 0001 1000 1001 ) = AE1BA189
R0 = ( 1101 1100 0001 1111 0001 0000 1111 0100 ) = DC1F10F4
47
DES Example - Data
E(R0) = ( 011011 111000 000011 111110 100010 100001 011110 101001 )
$E(R_0) \oplus K_1$ = ( 010010 000010 000110 010111 011011 111001 101001 110011 )
$S_5^{01}(1101) = S_5^{1}(13) = 9 = 1001$
$S_6^{11}(1100) = S_6^{3}(12) = 6 = 0110$
$S_7^{11}(0100) = S_7^{3}(4) = 1 = 0001$
$S_8^{11}(1001) = S_8^{3}(9) = 12 = 1100$
48
DES Example - Data
B1 = (1010 0001 1110 1100 1001 0110 0001 1100)
P(B1) = (0010 1011 1010 0001 0101 0011 0110 1100)
R1 = $P(B_1) \oplus L_0$
   = (1000 0101 1011 1010 1111 0010 1110 0101) = 85BAF2E5
49
DES Example - Data
L1 = (1101 1100 0001 1111 0001 0000 1111 0100) = DC1F10F4
E(R1) = ( 110000 001011 110111 110101 011110 100101 011100 001011 )
$E(R_1) \oplus K_2$ = ( 000110 100010 110000 101000 101011 011110 000001 000011 )
50
DES Example - Data
$S_1^{00}(0011) = S_1^{1}(3) = 1 = 0001$
$S_2^{10}(0001) = S_2^{3}(1) = 14 = 1110$
$S_3^{10}(1000) = S_3^{3}(8) = 11 = 1011$
$S_4^{10}(0100) = S_4^{3}(4) = 12 = 1100$
$S_5^{11}(0101) = S_5^{1}(5) = 14 = 1110$
$S_6^{00}(1111) = S_6^{3}(15) = 11 = 1011$
$S_7^{01}(0000) = S_7^{3}(0) = 13 = 1101$
$S_8^{01}(0001) = S_8^{3}(1) = 15 = 1111$
51
DES Example - Data
B2 = (0001 1110 1011 1100 1110 1011 1101 1111)
P(B2) = (0101 1111 0011 1110 0011 1001 1111 0111)
R2 = $P(B_2) \oplus L_1$
   = (1000 0011 0010 0001 0010 1001 0000 0011) = 83212903
L2 = R1 = (1000 0101 1011 1010 1111 0010 1110 0101) = 85BAF2E5
52
DES Example - Data - Done !
Y = (y1, y2, y3, …, y64)
  = ( 1101 0111 0110 1001 1000 0010 0010 0100 0010 1000 0011 1110 0000 1010 1110 1010 )
  = ( D 7 6 9 8 2 2 4 2 8 3 E 0 A E A )
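The round structure and S-box indexing walked through above, as an added Python example that is not part of the original slides: one DES round, checked against R1 and R2 of the worked example. The S-box contents are the standard DES tables (the slides show them only as images); L0, R0, K1 and K2 are copied from the example.

```python
# Added example: one DES round, R(i) = L(i-1) XOR P(S(E(R(i-1)) XOR K(i))).
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23,
     24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
# Standard DES S-boxes S1..S8, each written as 4 rows of 16 hex digits.
SBOX = [
    ["E4D12FB83A6C5907", "0F74E2D1A6CB9538", "41E8D62BFC973A50", "FC8249175B3EA06D"],
    ["F18E6B34972DC05A", "3D47F28EC01A69B5", "0E7BA4D158C6932F", "D8A13F42B67C05E9"],
    ["A09E63F51DC7B428", "D709346A285ECBF1", "D6498F30B12C5AE7", "1AD069874FE3B52C"],
    ["7DE3069A1285BC4F", "D8B56F03472C1AE9", "A690CB7DF13E5284", "3F06A1D8945BC72E"],
    ["2C417AB6853FD0E9", "EB2C47D150FA3986", "421BAD78F9C5630E", "B8C71E2D6F09A453"],
    ["C1AF92680D34E75B", "AF427C9561DE0B38", "9EF528C3704A1DB6", "432C95FABE17608D"],
    ["4B2EF08D3C975A61", "D0B7491AE35C2F86", "14BDC37EAF680592", "6BD814A7950FE23C"],
    ["D2846FB1A93E50C7", "1FD8A374C56B0E92", "7B419CE206ADF358", "21E74A8DFC90356B"],
]

def permute(bits, table):
    return "".join(bits[p - 1] for p in table)

def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def sbox_lookup(n, six):
    """S-box n (0-7): row index = bits i1,i6; column index = bits i2..i5."""
    row = int(six[0] + six[5], 2)
    col = int(six[1:5], 2)
    return format(int(SBOX[n][row][col], 16), "04b")

def f(r, k):
    """Round function on a 32-bit half r and a 48-bit subkey k."""
    x = xor(permute(r, E), k)                       # expand, then add key
    b = "".join(sbox_lookup(n, x[6 * n:6 * n + 6]) for n in range(8))
    return permute(b, P)

def des_round(l, r, k):
    """One Feistel round: returns (L(i), R(i))."""
    return r, xor(l, f(r, k))

def to_hex(bits):
    return format(int(bits, 2), "0{}X".format(len(bits) // 4))

# Values copied from the worked example on the slides.
L0 = format(0xAE1BA189, "032b")
R0 = format(0xDC1F10F4, "032b")
K1 = "001001 111010 000101 101001 111001 011000 110111 011010".replace(" ", "")
K2 = "110110 101001 000111 011101 110101 111011 011101 001000".replace(" ", "")

def first_two_rounds():
    """Return (R1, L2, R2) as hex strings."""
    l1, r1 = des_round(L0, R0, K1)
    l2, r2 = des_round(l1, r1, K2)
    return to_hex(r1), to_hex(l2), to_hex(r2)

if __name__ == "__main__":
    print(first_two_rounds())
```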
53
DES Modes of Use

• DES encrypts 64-bit blocks of data, using a 56-bit key.
• We need some way of specifying how to use it in practice, given that we usually have an arbitrary amount of information to encrypt.
• The way we use a block cipher is called its Mode of Use, and four have been defined for the DES by ANSI in the standard ANSI X3.106-1983 (Modes of Use).
54
DES Modes of Use

DES Modes of Use are either:
• Block Modes
  - Splits messages in blocks (ECB, CBC)
• Stream Modes
  - On byte stream messages (CFB, OFB)
55
Block Modes - ECB

Electronic Codebook (ECB)
• where the message is broken into independent 64-bit blocks which are encrypted
  $C(i) = \mathrm{DES}_K(P(i))$
56
Subverting DES in ECB
Mode
Name             Position   Bonus
Adams, Leslie    Clerk      $10
Black, Robin     Boss       $500
Collins, Kim     Manager    $100
Davis, Bobbie    Janitor    $5
Bytes: 16        8          8
57
Block Modes - CBC

Cipher Block Chaining (CBC)
• Again the message is broken into 64-bit blocks, but they are linked together in the encryption operation with an IV
  $C(i) = \mathrm{DES}_K(P(i) \oplus C(i-1))$
  $C(-1) = IV$

58
Cipher Block Chaining
(CBC)
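[Figure: CBC encryption: each plaintext block P0 to P3 is XOR-ed with the previous ciphertext block (the IV for P0) and encrypted (E) under the key to give C0 to C3. CBC decryption: each ciphertext block C0 to C3 is decrypted (D) under the key and XOR-ed with the previous ciphertext block (the IV for C0) to give P0 to P3.]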
59
Stream Modes - CFB

Cipher FeedBack (CFB)
• where the message is treated as a stream of bytes, added to the output of the DES, with the result being fed back for the next stage
  $C_i = P_i \oplus SLMB(\mathrm{DES}_K(C(i-1)))$
  $C_i = SLMB(\mathrm{DES}_K(C(i-1)))$
  $C(-1) = IV$
  $C(i) = C_{i-1} \| C_{i-2} \| C_{i-3} \| C_{i-4} \| C_{i-5} \| C_{i-6} \| C_{i-7} \| C_{i-8}$
60
Stream Modes - CFB
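[Figure: CFB. A 64-bit shift register holding C2 C3 C4 C5 C6 C7 C8 C9, labelled C(10), feeds the DES Encryption Box (E) under the key; SLMB (Select Left Most Byte) takes the left-most byte of the output, which is XOR-ed with P10 to give C10, and C10 is fed back into the register.]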
61
Stream Modes - OFB

Output FeedBack (OFB)
• where the message is treated as a stream of bytes, added to the message, but with the feedback being independent of the message
  $C_i = P_i \oplus O_i$
  $O_i = SLMB(\mathrm{DES}_K(O(i-1)))$
  $O(-1) = IV$
  $O(i) = O_{i-1} \| O_{i-2} \| O_{i-3} \| O_{i-4} \| O_{i-5} \| O_{i-6} \| O_{i-7} \| O_{i-8}$

62
Stream Modes - OFB
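[Figure: OFB. A 64-bit shift register holding O2 O3 O4 O5 O6 O7 O8 O9, labelled O(10), feeds the DES Encryption Box (E) under the key; SLMB (Select Left Most Byte) takes the left-most byte of the output, O10, which is fed back into the register and XOR-ed with P10 to give C10.]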
63
Limitations of Various
Modes - ECB

• Repetitions in message can be reflected in ciphertext, if aligned with message block.
• Particularly with data such as graphics.
• Or with messages that change very little, which become a code-book analysis problem.
• Weakness is because enciphered message blocks are independent of each other.
• Can be solved using CBC.
64
Limitations of Various
Modes - CBC

• Uses result of one encryption to modify input of next.
• Hence each ciphertext block is dependent on all message blocks before it.
• Thus a change in the message affects the ciphertext block after the change as well as the original block.
• Susceptible to errors. Error in a single block makes all the subsequent blocks useless.
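The ECB and CBC definitions from the mode slides, as an added Python example that is not part of the original slides: it counts repeated ciphertext blocks, the leak the ECB limitations slide describes and that chaining removes. A stand-in 64-bit Feistel cipher built from SHA-256 replaces DES, and the key, IV and fixed-width records are constructed for the demonstration.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Stand-in round function (NOT DES): keyed hash truncated to 32 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key, block):
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l                      # halves not swapped after last round

def decrypt_block(key, block):
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):    # same rounds, subkeys in reverse
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # C(i) = E_K(P(i)): every block is enciphered independently.
    return b"".join(encrypt_block(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    # C(i) = E_K(P(i) XOR C(i-1)), with C(-1) = IV.
    out, prev = [], iv
    for p in blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    # P(i) = D_K(C(i)) XOR C(i-1).
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier block."""
    b = blocks(ct)
    return len(b) - len(set(b))

# Constructed sample: 16-byte name, 8-byte position, 8-byte bonus, so each
# field starts on a 64-bit block boundary; two rows share position and bonus.
ROWS = [("Adams, Leslie", "Clerk", "$10"), ("Black, Robin", "Boss", "$500"),
        ("Collins, Kim", "Manager", "$100"), ("Davis, Bobbie", "Clerk", "$10")]
PLAINTEXT = b"".join(n.ljust(16).encode() + p.ljust(8).encode() +
                     b.rjust(8).encode() for n, p, b in ROWS)
KEY, IV = b"demo-key", bytes(range(8))  # constructed; IVs should be random

if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, PLAINTEXT)
    cbc = cbc_encrypt(KEY, IV, PLAINTEXT)
    print("repeated blocks under ECB:", repeated_blocks(ecb))
    print("repeated blocks under CBC:", repeated_blocks(cbc))
```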
65
Triple DES - More Secure
DES
[Figure: Triple DES. Encryption: Plaintext → E (K1) → A → D (K2) → B → E (K1) → Ciphertext. Decryption: Ciphertext → D (K1) → B → E (K2) → A → D (K1) → Plaintext.]
• Why not Double DES?
• Why Triple DES with two Keys?
• Why EDE?
66
IDEA






• International Data Encryption Algorithm also known as Proposed Encryption Standard – PES
• European origins – free from any NSA tampering
• 64-bit block cipher
• 128-bit key
• Fast in software on general purpose processors
• Consists of three basic operations:
  - XOR
  - Addition modulo $2^{16}$
  - Multiplication modulo $2^{16} + 1$
67
GOST





• 64-bit block cipher from USSR
• 256-bit key (up to 610 bits key considering S-boxes)
• Better suited to software implementation than DES
• 32 rounds
• For the i-th round:
  - $L_i = R_{i-1}$
  - $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
• f consists of:
  - Add right half and the i-th subkey modulo $2^{32}$
  - Break result into 8 4-bit chunks and input each into a different S-box
  - Outputs of all S-boxes are recombined
  - 11-bit left circular shift
  - XOR with the left half
68
One Round of GOST
[Figure: one round of GOST, from L(i-1) and R(i-1) to Li and Ri, through the stages Choose One Subkey, S-Box Substitution and Left Circular Shift.]
• S-boxes in GOST are user defined and provide additional keying material
• 8 32-bit subkeys are derived from the 256-bit key and are repeatedly used according to the key schedule of GOST
69
GOST S-Boxes and
Subkeys
Round Number   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Subkey         1  2  3  4  5  6  7  8  1  2  3  4  5  6  7  8

Round Number  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
Subkey         1  2  3  4  5  6  7  8  8  7  6  5  4  3  2  1

S-box 1:  4 10  9  2 13  8  0 14  6 11  1 12  7 15  5  3
S-box 2: 14 11  4 12  6 13 15 10  2  3  8  1  0  7  5  9
70
BLOWFISH







• Designed by Bruce Schneier
• Fast on 32-bit microprocessors
• Compact
• Simple
• Variable key lengths up to 448 bits
• Uses a large number of subkeys
• 16 iterations/rounds
  - Each round consists of a key-dependent permutation and
  - A key- and data-dependent substitution
  - All operations are additions and XORs on 32-bit words
71
RC5

• Designed by Professor Ronald Rivest of MIT
• Ron’s Cipher (RC); others also exist – RC2, RC4, RC6
• Supports a variety of block sizes, key sizes and number of rounds
• Three basic operations
  - XOR
  - Addition
  - Rotations
• Patented by RSADSI
72
AES
• A replacement for DES – after a very long time
• Result of an open, international competition conducted by NIST
• Five finalists
  - MARS
  - Serpent
  - Twofish
  - RC6
  - Rijndael
• Rijndael finally chosen as AES
73
AES

• Design criteria included:
  - Security
  - Speed on a variety of platforms – hardware, software, smartcards, microcontrollers
• Rijndael – European submission finally chosen as AES
74