DES - PowerPoint PPT Presentation

Slides: 40
Provided by: ewin7

Transcript and Presenter's Notes

Title: DES


1
  • DES
  • (Data Encryption Standard)

2
Stream Ciphers vs. Block Ciphers
  • Stream cipher encrypts digital data one bit
    (byte) at a time
  • Block cipher encrypts block of plaintext at a
    time
  • Will produce a ciphertext block of the same size

3
DES Basics
  • Block cipher (64-bit block)
  • Uses 56-bit key (out of 64 bits)
  • 16 rounds
  • 48-bit subkeys
  • Feistel structure (except initial and final
    permutations)

4
Overall Scheme of DES Encryption
DES
5
Initial Permutation (IP) and Inverse IP
6
Single Round of DES
DES
7
DES Round function F
8
DES Round Function
DES
  • Operates on 32-bit units
  • 32-bit → 48-bit expansion/permutation (E table)
  • XOR with 48 bit subkey
  • S-box computation returns 32 bits
  • Round permutation (P)

Look at the following diagram!!!
9
Single Round of DES cont
10
Expansion E and Permutation P
11
S-BOX Substitution
  • S-BOX 4 x 16 entry table
  • Input 6 bits
  • 2-bits determine the table (1 to 4)
  • 4-bits determine the table entry
  • Output 4 bits

12
S-BOX table
13
DES Key Generation
  • Parity bits (8, 16, ..., 64) are discarded (out of
    64-bit key)
  • 56-bit key is split into 28-bit L and R
  • 16 48-bit subkeys (K1, K2, ..., K16) are generated
    by various circular left shifts of L and R
  • Bits are permuted and selected

14
  • DES Continues

15
Other Symmetric Block Ciphers
  • International Data Encryption Algorithm (IDEA)
  • 128-bit key
  • Used in PGP
  • Skipjack
  • is a recent algorithm that was developed in 1987
    and put into service in 1993.
  • encrypts and decrypts data in 64-bit blocks
  • using an 80-bit key
  • Skipjack has 32 rounds, meaning the main
    algorithm is repeated 32 times to produce the
    ciphertext.

16
International Data Encryption Algorithm (IDEA)
  • Developed by Xuejia Lai & James Massey (ETH Zurich,
    Switzerland)
  • Characteristics
  • 64-bit block cipher
  • 128-bit key length
  • Uses three algebraic groups: XOR, + mod 2^16,
    × mod (2^16 + 1)
  • 17 rounds (or 8 rounds according to the
    description)
  • Speed: in software, 2 times faster than DES

17
(No Transcript)
18
Modes of Operation
  • block ciphers encrypt fixed size blocks
  • eg. DES encrypts 64-bit blocks, with 56-bit key
  • need way to use in practise, given usually have
    arbitrary amount of information to encrypt
  • four were defined for DES in ANSI standard ANSI
    X3.106-1983 Modes of Use
  • subsequently now have 5 for DES and AES
  • have block and stream modes

19
Electronic Codebook (ECB)
  • message is broken into independent blocks which
    are encrypted one at a time
  • each block is a value which is substituted, like
    a codebook
  • each block is encoded independently of the other
    blocks
  • C_i = DES_K1(P_i)

20
Electronic Codebook (ECB)
21
Limitations of ECB
  • repetitions in message may show in ciphertext
  • main use is sending a few blocks of data, for
    example, an encryption key

22
Cipher Block Chaining (CBC)
  • message is broken into blocks
  • but these are linked together in the encryption
    operation
  • each previous cipher block is chained with
    current plaintext block
  • use Initial Vector (IV) to start process
  • C_i = DES_K1(P_i XOR C_(i-1))
  • C_(-1) = IV
  • uses bulk data encryption, authentication

23
Cipher Block Chaining (CBC)
24
Advantages and Limitations of CBC
  • each ciphertext block depends on all message
    blocks
  • thus a change in the message affects all
    ciphertext blocks after the change as well as the
    original block
  • need Initial Value (IV) known to sender &
    receiver
  • however if IV is sent in the clear, an attacker
    can change bits of the first block, and change IV
    to compensate
  • hence either IV must be a fixed value (as in
    EFTPOS) or it must be sent encrypted in ECB mode
    before rest of message
  • at end of message, handle possible last short
    block
  • by padding either with known non-data value (eg
    nulls)
  • or pad last block with count of pad size
  • eg. b1 b2 b3 0 0 0 0 5 <- 3 data bytes, then 5
    bytes pad+count
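
The ECB and CBC equations and the pad-count scheme from the slides above, as an added example that is not part of the original presentation. The toy cipher E/D, the key, the IV and the message are constructed stand-ins (assumptions); the last step shows why the slide wants the IV protected rather than sent in the clear.

```python
# Toy 64-bit cipher standing in for DES_K1 (assumption): NOT DES and NOT secure.
MASK = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15              # odd, hence invertible mod 2^64
MULT_INV = pow(MULT, -1, 1 << 64)

def E(k, b):                           # encrypt one 8-byte block
    return (((int.from_bytes(b, "big") ^ k) * MULT + k) & MASK).to_bytes(8, "big")

def D(k, b):                           # inverse of E
    x = ((int.from_bytes(b, "big") - k) * MULT_INV) & MASK
    return (x ^ k).to_bytes(8, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(b):
    return [b[i:i + 8] for i in range(0, len(b), 8)]

def pad_count(data):                   # zeros, then a last byte holding the pad size
    n = 8 - len(data) % 8              # 1..8; an aligned message gets a full pad block
    return data + bytes(n - 1) + bytes([n])

def unpad_count(data):
    n = data[-1]
    if not 1 <= n <= 8 or any(data[-n:-1]):
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(k, pt):                # C_i = DES_K1(P_i)
    return b"".join(E(k, p) for p in blocks(pad_count(pt)))

def cbc_encrypt(k, iv, pt):            # C_i = DES_K1(P_i XOR C_(i-1)), C_(-1) = IV
    out = [iv]
    for p in blocks(pad_count(pt)):
        out.append(E(k, xor(p, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(k, iv, ct):            # P_i = D_K1(C_i) XOR C_(i-1)
    prev = [iv] + blocks(ct)
    return unpad_count(b"".join(xor(D(k, c), prev[i]) for i, c in enumerate(blocks(ct))))

KEY, IV = 0x0123456789ABCDEF, bytes.fromhex("0011223344556677")   # constructed
MSG = b"PAY 0100PAY 0100 to Bob"       # constructed; blocks 1 and 2 are identical

def demo():
    ecb, cbc = blocks(ecb_encrypt(KEY, MSG)), blocks(cbc_encrypt(KEY, IV, MSG))
    # IV bits XOR straight into P1 on decryption, so an unprotected IV is malleable.
    bad_iv = xor(IV, xor(b"PAY 0100", b"PAY 9100"))
    return ecb[0] == ecb[1], cbc[0] == cbc[1], cbc_decrypt(KEY, bad_iv, b"".join(cbc))
```

demo() reports that the repeated plaintext block repeats under ECB but not under CBC, and that decrypting unchanged ciphertext with an altered IV yields an altered first block with valid padding.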

25
Cipher FeedBack (CFB)
  • message is treated as a stream of bits
  • added to the output of the block cipher
  • result is fed back for next stage
  • standard allows any number of bits (1, 8 or 64 or
    whatever) to be fed back
  • denoted CFB-1, CFB-8, CFB-64 etc
  • is most efficient to use all 64 bits (CFB-64)
  • C_i = P_i XOR DES_K1(C_(i-1))
  • C_(-1) = IV
  • uses stream data encryption, authentication

26
Cipher FeedBack (CFB)
27
Advantages and Limitations of CFB
  • appropriate when data arrives in bits/bytes
  • most common stream mode
  • limitation is need to stall while do block
    encryption after every n-bits
  • note that the block cipher is used in encryption
    mode at both ends
  • errors propagate for several blocks after the
    error

28
Output FeedBack (OFB)
  • message is treated as a stream of bits
  • output of cipher is added to message
  • output is then fed back (hence name)
  • feedback is independent of message
  • can be computed in advance
  • C_i = P_i XOR O_i
  • O_i = DES_K1(O_(i-1))
  • O_(-1) = IV
  • uses stream encryption over noisy channels
  • Note the OFB mode description presented in Fig
    3.14 on page 96 of Stallings text is incorrect.
    Refer to the NIST Spl Pubs 800-38A - Fig 4/page
    14

29
Advantages and Limitations of OFB
  • used when error feedback is a problem or where
    encryptions need to be done before message is available
  • superficially similar to CFB
  • but feedback is from the output of cipher and is
    independent of message
  • a variation of a Vernam cipher
  • hence must never reuse the same sequence (key+IV)
  • sender and receiver must remain in sync, and some
    recovery method is needed to ensure this occurs
  • originally specified with m-bit feedback in the
    standards
  • subsequent research has shown that only OFB-64
    should ever be used

30
Counter (CTR)
  • a new mode, though proposed early on
  • similar to OFB but encrypts counter value rather
    than any feedback value
  • must have a different key & counter value for
    every plaintext block (never reused)
  • C_i = P_i XOR O_i
  • O_i = DES_K1(i)
  • uses high-speed network encryptions

31
Counter (CTR)
32
Advantages and Limitations of CTR
  • efficiency
  • can do parallel encryptions
  • in advance of need
  • good for bursty high speed links
  • random access to encrypted data blocks
  • provable security (good as other modes)
  • but must ensure never reuse key/counter values,
    otherwise could break (cf OFB)
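
The CTR equations above with the "never reuse key/counter values" rule made concrete, as an added example that is not part of the original presentation. Truncated SHA-256 stands in for DES_K1, and the nonce prefix on the counter, the NonceGuard class, the key and the messages are all assumptions constructed for illustration.

```python
import hashlib

def keystream_block(key, nonce, i):
    # O_i = F_K(nonce || i); truncated SHA-256 stands in for DES_K1 (assumption)
    return hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_xcrypt(key, nonce, data, first_block=0):
    # C_i = P_i XOR O_i; the same call decrypts. first_block gives random access.
    out = b""
    for off in range(0, len(data), 8):
        ks = keystream_block(key, nonce, first_block + off // 8)
        out += xor(data[off:off + 8], ks)
    return out

class NonceGuard:
    """Hypothetical sender-side check: refuse a repeated (key, nonce) pair."""
    def __init__(self):
        self.seen = set()

    def encrypt(self, key, nonce, data):
        if (key, nonce) in self.seen:
            raise ValueError("key/nonce pair already used")
        self.seen.add((key, nonce))
        return ctr_xcrypt(key, nonce, data)

KEY = b"constructed-key"                 # constructed sample values
P1 = b"wire 500 to account 1111"
P2 = b"wire 900 to account 2222"

def reuse_leak():
    c1 = ctr_xcrypt(KEY, b"nonce-A", P1)
    c2 = ctr_xcrypt(KEY, b"nonce-A", P2)     # same key and counter sequence
    c3 = ctr_xcrypt(KEY, b"nonce-B", P2)     # fresh counter sequence
    # With a repeated keystream the XOR of ciphertexts equals the XOR of plaintexts.
    return xor(c1, c2) == xor(P1, P2), xor(c1, c3) == xor(P1, P2)
```

The same relation holds for OFB when a key+IV pair repeats, since both modes XOR the message with a keystream that does not depend on the message.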

33
Triple DES
  • clearly a replacement for DES was needed
  • theoretical attacks that can break it
  • demonstrated exhaustive key search attacks
  • AES is a new cipher alternative
  • prior to this alternative was to use multiple
    encryption with DES implementations
  • Triple-DES is the chosen form

34
Why Triple-DES?
  • why not Double-DES?
  • NOT same as some other single-DES use, but have
  • meet-in-the-middle attack
  • works whenever use a cipher twice
  • since X = E_K1[P] = D_K2[C]
  • attack by encrypting P with all keys and store
  • then decrypt C with keys and match X value
  • can show takes O(2^56) steps

35
Triple-DES with Two-Keys
  • hence must use 3 encryptions
  • would seem to need 3 distinct keys
  • but can use 2 keys with E-D-E sequence
  • C = E_K1[D_K2[E_K1[P]]]
  • nb encrypt & decrypt equivalent in security
  • if K1=K2 then can work with single DES
  • standardized in ANSI X9.17 & ISO8732
  • no current known practical attacks
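
The work-factor argument of the "Why Triple-DES?" slide and the K1=K2 property of the E-D-E sequence, run on a toy cipher; this is an added example, not part of the original presentation. The 32-bit Feistel cipher, its 12-bit keys and the sample plaintexts are constructed assumptions, chosen so the search finishes instantly.

```python
import hashlib

KEY_BITS = 12                        # toy key size (assumption); DES uses 56

def _f(k, r, half):                  # keyed round function of the toy Feistel cipher
    d = hashlib.sha256(bytes([r]) + k.to_bytes(2, "big") + half.to_bytes(2, "big")).digest()
    return int.from_bytes(d[:2], "big")

def enc(k, x):                       # E_K[x] on a 32-bit block (toy cipher, NOT DES)
    L, R = x >> 16, x & 0xFFFF
    for r in range(4):
        L, R = R, L ^ _f(k, r, R)
    return (L << 16) | R

def dec(k, y):                       # D_K[y], rounds undone in reverse order
    L, R = y >> 16, y & 0xFFFF
    for r in reversed(range(4)):
        L, R = R ^ _f(k, r, L), L
    return (L << 16) | R

def meet_in_the_middle(pairs):
    """Return every (K1, K2) consistent with known (P, C) pairs of C = E_K2[E_K1[P]]."""
    (p, c), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << KEY_BITS):                  # store X = E_K1[P] for all K1
        table.setdefault(enc(k1, p), []).append(k1)
    hits = []
    for k2 in range(1 << KEY_BITS):                  # match X = D_K2[C]
        for k1 in table.get(dec(k2, c), []):
            if all(enc(k2, enc(k1, q)) == d for q, d in rest):
                hits.append((k1, k2))
    return hits

def ede(k1, k2, p):                  # two-key E-D-E shape: C = E_K1[D_K2[E_K1[P]]]
    return enc(k1, dec(k2, enc(k1, p)))

K1, K2 = 0x3A7, 0xC15                # constructed keys and plaintexts
PAIRS = [(p, enc(K2, enc(K1, p))) for p in (0x44455321, 0x0BADF00D)]

def demo():
    # Cipher operations: 2 * 2^k for the table method versus 2^(2k) for naive search.
    work_mitm, work_brute = 2 * (1 << KEY_BITS), 1 << (2 * KEY_BITS)
    return meet_in_the_middle(PAIRS), work_mitm, work_brute
```

Two 12-bit keys fall to 8192 cipher operations instead of 16777216, which is the same ratio that brings Double-DES down to O(2^56); ede(k, k, p) equals enc(k, p), the single-DES compatibility the slide mentions.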

36
Triple-DES with Three-Keys
  • although there are no practical attacks on two-key
    Triple-DES, there are some indications
  • can use Triple-DES with Three-Keys to avoid even
    these
  • C = E_K3[D_K2[E_K1[P]]]
  • has been adopted by some Internet applications,
    eg PGP, S/MIME

37
(No Transcript)
38
DES Encryption
39
One Iteration of DES