Data Encryption Standard - PowerPoint PPT Presentation

Slides: 47
Provided by: pirun
Transcript and Presenter's Notes

1
Data Encryption Standard
  • ??????? ????????

2
??????
  • ????????
  • Simple DES
  • Feistel Cipher
  • DES
  • Attack

3
????????
4
eXclusive OR (XOR)
  • either or (but not both)

5
eXclusive OR (XOR)
6
eXclusive OR (XOR)
  • A ⊕ 0 = A
  • A ⊕ A = 0
  • A?A'0
  • A ⊕ B = B ⊕ A // commutative
  • (A ⊕ B) ⊕ C = A ⊕ (B ⊕ C) // associative
  • A ⊕ B ⊕ B = A
  • If A ⊕ B = C then A = C ⊕ B = B ⊕ C
  • Swap

7
Block ciphers
  • E: {0,1}^k × {0,1}^n → {0,1}^n
  • E_K(M) = M is a block cipher but not a good one
  • All mappings: 2^(n·2^n)
  • Reversible mappings: (2^n)!
  • Just a tool
  • If not used correctly, even an excellent one
    won't give security
  • DES
  • AES

8
???????
  • First call for candidates in May 1973, followed
    by a new call in August 1974
  • IBM submitted Lucifer
  • NSA worked with IBM in redesigning the algorithm
  • DES became a federal standard in November 1976
  • Reviewed every five years

9
Controversies
  • One of the biggest controversies is the key size
    (56 bits)
  • W Diffie, M Hellman "Exhaustive Cryptanalysis of
    the NBS Data Encryption Standard" IEEE Computer
    10(6), June 1977, pp74-84
  • M Hellman "DES will be totally insecure within
    ten years" IEEE Spectrum 16(7), Jul 1979, pp
    31-41
  • Another controversy: is there a back door?

10
Simplified DES
11
Fundamental techniques for encryption
  • Diffusion
  • Spreading the change throughout the ciphertext
  • flipping an input bit should change each output
    bit with a probability of one half
  • Permutation followed by some function
  • Confusion
  • Obscuring the relationship between the key and
    the ciphertext
  • Substitution

12
Three operations behind DES
  • XOR
  • Substitution
  • Permutation

13
Simplified DES
  • Block 8 bits
  • Key 10 bits
  • Encryption
  • IP^-1(f_K2(SW(f_K1(IP(plaintext)))))
  • K1 = P8(Shift(P10(key)))
  • K2 = P8(Shift(Shift(P10(key))))

14
Stallings, Cryptography and Network Security, 3rd ed.
15
IP and IP^-1
  • IP
  • 2 6 3 1 4 8 5 7
  • IP^-1
  • 4 1 3 5 7 2 8 6

16
f_K
F(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
Stallings, Cryptography and Network Security, 3rd ed.
17
E/P
  • Input 4 bits
  • Output 8 bits
  • 4 1 2 3 2 3 4 1

18
S-box
  • S0 (rows 0-3 down, columns 0-3 across)
          0 1 2 3
      0   1 0 3 2
      1   3 2 1 0
      2   0 2 1 3
      3   3 1 3 2

19
Stallings, Cryptography and Network Security, 3rd ed.
20
SW
Stallings, Cryptography and Network Security, 3rd ed.
21
Stallings, Cryptography and Network Security, 3rd ed.
22
Feistel Network
23
Parameters
  • Block size
  • Larger means greater security but reduced
    encryption/decryption speed
  • Key size
  • Number of rounds
  • Subkey generation algorithm
  • Round function

24
(No Transcript)
25
1 round
26
1 round
27
2 rounds
28
(No Transcript)
29
DES
30
DES
  • symmetric cryptosystem
  • 64 bit block
  • 56 bit key
  • 16 round Feistel cipher

31
DES
Bellare and Rogaway, Introduction to Modern Cryptography
http://www-cse.ucsd.edu/users/mihir/cse207/classnotes.html
32
(No Transcript)
33
(No Transcript)
34
f
Bellare and Rogaway, Introduction to Modern Cryptography
http://www-cse.ucsd.edu/users/mihir/cse207/classnotes.html
35
(No Transcript)
36
KeySchedule
Bellare and Rogaway, Introduction to Modern Cryptography
http://www-cse.ucsd.edu/users/mihir/cse207/classnotes.html
37
Speed
  • 1 Gbit/sec on high-end VLSI
  • 640 gates
  • 48 gate depth
  • 80 cycles per byte on a fairly modern processor

38
Observation
  • Complementation
  • If C is E_k(P), then C' is E_k'(P')
  • Key
  • 4 weak
  • E_k(E_k(M)) = M
  • 0, 1, half 0 half 1, half 1 half 0
  • 6 pairs of semi-weak
  • E_k1(E_k2(M)) = M
  • Not a group
  • If it were a group: given K1, K2 there would
    always be a K s.t. E_K(M) = E_K1(E_K2(M))
  • and multiple encryption would be useless

39
Double DES
  • DES(K2,DES(K1,M))
  • Seems secure against differential and linear
    cryptanalysis
  • Meet in the middle attack
  • 2^57 DES or DES^-1 computations
  • effective key length of 2^57
  • 1.15E6 terabytes
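
The meet-in-the-middle cost above, shown on the Simplified DES of slides 13-18 so that it runs in a moment (an added example, not part of the original slides). P10, P8, P4 and S1 are assumed from Stallings' S-DES definition because the slides do not list them, and the function names are illustrative. Double S-DES has two 10-bit keys, so the search costs about 2·2^10 cipher operations plus a 2^10-entry table instead of 2^20 trials, mirroring 2^57 versus 2^112 for DES.

```python
# Added example (not from the slides). Bits are lists of 0/1, MSB first.
IP = [2, 6, 3, 1, 4, 8, 5, 7]                   # slide 15
IP_INV = [4, 1, 3, 5, 7, 2, 8, 6]               # slide 15
EP = [4, 1, 2, 3, 2, 3, 4, 1]                   # slide 17
S0 = [[1, 0, 3, 2], [3, 2, 1, 0], [0, 2, 1, 3], [3, 1, 3, 2]]   # slide 18
# Assumed from Stallings' S-DES definition; these tables are not on the slides.
P10 = [3, 5, 2, 7, 4, 10, 1, 9, 8, 6]
P8 = [6, 3, 7, 4, 8, 5, 10, 9]
P4 = [2, 4, 3, 1]
S1 = [[0, 1, 2, 3], [2, 0, 1, 3], [3, 0, 1, 0], [2, 1, 0, 3]]

def bits(x, n):
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]

def perm(b, table):
    return [b[i - 1] for i in table]

def subkeys(key):
    k = perm(bits(key, 10), P10)
    l, r = k[1:5] + k[:1], k[6:] + k[5:6]        # Shift: rotate halves left by 1
    k1 = perm(l + r, P8)
    l, r = l[2:] + l[:2], r[2:] + r[:2]          # second Shift: rotate by 2
    return k1, perm(l + r, P8)

def f_k(b, k):
    l, r = b[:4], b[4:]
    x = [a ^ c for a, c in zip(perm(r, EP), k)]  # E(R) XOR K
    s = []
    for box, q in ((S0, x[:4]), (S1, x[4:])):    # row = bits 1,4; column = bits 2,3
        s += bits(box[2 * q[0] + q[3]][2 * q[1] + q[2]], 2)
    return [a ^ c for a, c in zip(l, perm(s, P4))] + r

def crypt(key, block, decrypt=False):
    ks = subkeys(key)[::-1] if decrypt else subkeys(key)
    b = f_k(perm(bits(block, 8), IP), ks[0])
    b = f_k(b[4:] + b[:4], ks[1])                # SW swaps the two halves
    return int("".join(map(str, perm(b, IP_INV))), 2)

def double_encrypt(k1, k2, m):
    return crypt(k2, crypt(k1, m))               # DES(K2, DES(K1, M)) shape

def meet_in_the_middle(pairs):
    """All (k1, k2) consistent with known (plaintext, ciphertext) pairs."""
    ms, cs = [m for m, _ in pairs], [c for _, c in pairs]
    middle = {}
    for k1 in range(1 << 10):                    # 2^10 forward encryptions
        middle.setdefault(tuple(crypt(k1, m) for m in ms), []).append(k1)
    return [(k1, k2) for k2 in range(1 << 10)    # 2^10 backward decryptions
            for k1 in middle.get(tuple(crypt(k2, c, True) for c in cs), [])]
```

Several key pairs can survive the search when few known plaintext-ciphertext pairs are supplied, so the function returns every consistent candidate rather than a single answer.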

40
Triple-DES
  • 3DES3(K1K2K3, M) = DES(K3, DES^-1(K2, DES(K1, M)))
  • 3DES2(K1K2, M) = DES(K2, DES^-1(K1, DES(K2, M)))
  • DES(K, M) = 3DES3(KKK, M)
  • DES(K, M) = 3DES2(KK, M)
  • 3DES is subject to a meet-in-the-middle attack
  • effective key length 2^112

41
DESX
  • 3DES is slow
  • DESX(K K1K2, M) = K2 ⊕ DES(K, K1 ⊕ M)
  • DESX^-1(K K1K2, C) = K1 ⊕ DES^-1(K, K2 ⊕ C)
  • Equivalent security with regard to differential
    and linear attacks
  • Resistance to exhaustive key search attack

42
How to use DES securely?
  • Encrypt files
  • Encrypt master key that encrypts the list of DES
    keys used to encrypt the files
  • Encryption mode
  • ECB
  • CBC

43
Key Recovery Attack
44
Attack
  • Bruteforce
  • 2^55 DES operations
  • 1 plaintext-ciphertext
  • Differential cryptanalysis
  • 2^47 chosen plaintexts
  • Linear cryptanalysis
  • 2^43 known plaintexts

45
Attack
  • All are impractical
  • Bruteforce
  • Electronic Frontier Foundation's (EFF) "Deep
    Crack," a specially designed supercomputer, and a
    worldwide network of nearly 100,000 PCs on the
    Internet won RSA Data Security's DES
    Challenge III in a record-breaking 22 hours and
    15 minutes.
  • New block ciphers must withstand differential and
    linear cryptanalysis

46
Bruteforce
  • Identifier: DES-Challenge-III
  • Cipher: DES
  • Start: January 18, 1999 9:00 AM PST
  • Prize: 10,000
  • IV: da 4b be f1 6b 6e 98 3d
  • Plaintext: See you in Rome (second AES
    Conference, March 22-23, 1999)
  • Ciphertext bd 0d de 91 99 60 b8 8a 47 9c b1 5c
    23 7b 81 18 99 0545 bc de 82 01 ab 53 4d 6f 1c
    b4 30 63 3c ee cd 96 2e07 c6 e6 95 99 9c 96 46
    5a 95 70 02 02 70 98 bd 41 c288 a9 f0 2f 8b e5
    48 20 d2 a8 a0 6b bf 93 de 89 f6 e252 fd 8a 25
    eb d0 7d 96 83 ee a4 2d c8 8d 1b 71   