Computer Security Lecture 20

1
Computer Security Lecture 20

• Phillip G. Bradford
• Computer Science
• University of Alabama

2
Lecture Outline

• Review Last Lecture
• Expansion
• Xor
• S-Boxes
• DES encryption and decryption

3
The Non-Linearity of S-Boxes

• Inputs 6 bits and outputs 4 bits
• 6 bits choose one of 64 outputs
• Each output is 4 bits
• Take the 3 bit in---3 bit out case
• 23 8 inputs
• 23 8 outputs
• Back to the 2n! Choices for an S-Box

4
The Non-Linearity of S-Boxes
5
The Non-Linearity of S-Boxes

• Even more so, the S-Boxes have the same elements
  1 through 16
• Repeated 4 times!
• Thus, not invertible

6
The Invertibility of DES

• Li Ri-1 and Ri Li-1 xor f(Ri-1,Ki)
• L2 R1 and R2 L1 xor f(R1,K2)
• Inverses
• R1 L2
• L1 R2 xor f(R1,K2)
• L1 xor f(R1,K2) xor f(R1,K2) L1
• Then with R1 and L1 invert them!

7
The Invertibility of DES

• Li Ri-1 and Ri Li-1 xor f(Ri-1,Ki)
• Inverses
• R0 L1
• L0 R1 xor f(R0,K1)
• L0 xor f(R0,K1) xor f(R0,K1) L0

8
The Invertibility of DES

• The key schedule
• Note the sum of all of the bit rotates is 28
• Each half of the key is 28 bits long!
• By the last bit rotate we are back at the
  beginning !
• What about those S-Boxes?
• 6 bits to 4 bits
• It does not matter!
• Xored in, but reversible

9
Double DES

• Double DES
• Two keys k1 and k2
• Encrypt c Ek2Ek1m
• So, m Dk1Dk2c
• Is this more secure than a single application of
  DES?
• If not, why not?

10
Meet in the Middle Attack

• Diffie Hellmans Analysis
• M-in-the-Middle is a general attack
• Given plaintext ciphertext pairs

11
Meet in the Middle Attack

• Given a known pair (m,c)
• Fact If c Ek2Ek1m,
• Then Ek1m Dk2c
• Encrypt m with all 256 possible keys k1
• For each k1 store (k1, c Ek1(m))
• Decrypt c using all 256 possible keys k2
• Store (Dk2(c),k2) for all k2
• Match the correct pair Dk2(c) Ek1(m)

12
Meet in the Middle Attack

• Analysis
• Given m, 264 potential cipher texts c
• Double DES has 2112 potential double keys
• For a plaintext m, the number of double keys that
  can give c is at most
• 2112/264 248
• Where c Ek2Ek1m
• So expect 248 false alarms for (k1,c Ek1(m))

13
Meet in the Middle Attack

• Suppose each Ek1 and Ek2 independently and
  uniquely maps to
• 264 domain elements
• Each of k1 and k2 fix E as a function with domain
  and range of size 264
• Fix a plaintext m then Ek2Ek1m
• Maps to 264 ciphertexts
• Based on k1 and k2 of 2112 bits total

14
Meet in the Middle Attack

• Analysis, Cont.
• For (Dk2(c),k2), there are also 264 potential
  ciphertexts that k2 can encrypt m into
• This means 248/ 264 1/216
• Therefore, given (m,c), with probability 1- 1/216
  we will determine the correct keys using
  M-in-Middle

15
Double DES

• Key space of 256 is no larger using two
  applications?
• See Campbell and Wiener citation in book
• Say DES is not a group

16
Triple DES

• Three key versions
• Encrypt c Ek3Dk2Ek1m
• Decrypt m Dk1Ek2Dk3c
• Very large keys 54x3 168 bits
• Two keys
• Encrypt c Ek1Dk2Ek1m
• Decrypt m Dk1Ek2Dk1c