Title: Data Encryption Standard
1. Data Encryption Standard
2. Outline
- ????????
- Simple DES
- Feistel Cipher
- DES
- Attack
3????????
4. eXclusive OR (XOR)
5. eXclusive OR (XOR)
6. eXclusive OR (XOR)
- A ⊕ 0 = A
- A ⊕ A = 0
- A?A'0
- A ⊕ B = B ⊕ A // commutative
- (A ⊕ B) ⊕ C = A ⊕ (B ⊕ C) // associative
- A ⊕ B ⊕ B = A
- If A ⊕ B = C, then A = C ⊕ B = B ⊕ C
- Swap
7. Block ciphers
- E: {0,1}^k × {0,1}^n → {0,1}^n
- E_K(M) = M is a block cipher but not a good one
- All mappings: (2^n)^(2^n)
- Reversible mappings: (2^n)!
- Just a tool
- If not used correctly, even an excellent one won't give security
- DES
- AES
8. History
- First call for candidates in May 1973, followed by a new call in August 1974
- IBM submitted Lucifer
- NSA worked with IBM in redesigning the algorithm
- DES became a federal standard in November 1976
- Reviewed every five years
9. Controversies
- One of the biggest controversies is the key size (56 bits)
- W. Diffie, M. Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard", IEEE Computer 10(6), June 1977, pp. 74-84
- M. Hellman, "DES will be totally insecure within ten years", IEEE Spectrum 16(7), Jul 1979, pp. 31-41
- Another controversy: is there a back door?
10. Simplified DES
11. Fundamental techniques for encryption
- Diffusion
- Spreading the change throughout the ciphertext
- Flipping an input bit should change each output bit with a probability of one half
- Permutation followed by some function
- Confusion
- Obscuring the relationship between the key and the ciphertext
- Substitution
12. Three operations behind DES
- XOR
- Substitution
- Permutation
13. Simplified DES
- Block: 8 bits
- Key: 10 bits
- Encryption
- IP^-1(f_K2(SW(f_K1(IP(plaintext)))))
- K1 = P8(Shift(P10(key)))
- K2 = P8(Shift(Shift(P10(key))))
14. Stallings, Cryptography and Network Security, 3rd ed.
15. IP and IP^-1
- IP
- 2 6 3 1 4 8 5 7
- IP^-1
- 4 1 3 5 7 2 8 6
16. f_K
F(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
Stallings, Cryptography and Network Security, 3rd ed.
17. E/P
- Input: 4 bits
- Output: 8 bits
- 4 1 2 3 2 3 4 1
18. S-box
- S0 (rows 0-3 down, columns 0-3 across)
- Row 0: 1 0 3 2
- Row 1: 3 2 1 0
- Row 2: 0 2 1 3
- Row 3: 3 1 3 2
19. Stallings, Cryptography and Network Security, 3rd ed.
20. SW
Stallings, Cryptography and Network Security, 3rd ed.
21. Stallings, Cryptography and Network Security, 3rd ed.
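An added example (not code from the slides or the textbook): S-DES assembled from the IP, IP^-1, E/P and S0 values listed above. P10, P8, P4, S1 and the LS-1/LS-2 shift amounts are not on this page and are assumed from the Stallings definition the slides cite.

```python
# IP, IPI, EP and S0 are the slide values; P10, P8, P4, S1 and the shift
# amounts are assumptions taken from the Stallings S-DES definition.
IP  = (2, 6, 3, 1, 4, 8, 5, 7)
IPI = (4, 1, 3, 5, 7, 2, 8, 6)
EP  = (4, 1, 2, 3, 2, 3, 4, 1)
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8  = (6, 3, 7, 4, 8, 5, 10, 9)
P4  = (2, 4, 3, 1)
S0  = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1  = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(x, table, width):      # table positions are 1-based from the left
    out = 0
    for pos in table:
        out = (out << 1) | ((x >> (width - pos)) & 1)
    return out

def rotl5(half, n):                # rotate a 5-bit key half left by n
    return ((half << n) | (half >> (5 - n))) & 0b11111

def subkeys(key10):
    k = permute(key10, P10, 10)
    left, right = rotl5(k >> 5, 1), rotl5(k & 31, 1)    # LS-1
    k1 = permute((left << 5) | right, P8, 10)
    left, right = rotl5(left, 2), rotl5(right, 2)       # LS-2, applied after LS-1
    k2 = permute((left << 5) | right, P8, 10)
    return k1, k2

def sbox(box, nib):                # row = bits 1 and 4, column = bits 2 and 3
    row = ((nib >> 2) & 2) | (nib & 1)
    col = (nib >> 1) & 3
    return box[row][col]

def f_k(block, k):
    # One Feistel round: L ^= P4(S(E/P(R) ^ k)); R passes through unchanged.
    left, right = block >> 4, block & 15
    t = permute(right, EP, 4) ^ k
    f = permute((sbox(S0, t >> 4) << 2) | sbox(S1, t & 15), P4, 4)
    return ((left ^ f) << 4) | right

def crypt(block, ka, kb):
    x = f_k(permute(block, IP, 8), ka)
    x = ((x & 15) << 4) | (x >> 4)                      # SW: swap the halves
    return permute(f_k(x, kb), IPI, 8)

def encrypt(block, key10):
    return crypt(block, *subkeys(key10))

def decrypt(block, key10):         # same network, subkeys in reverse order
    return crypt(block, *reversed(subkeys(key10)))
```

Decryption reuses the encryption network unchanged because each f_K round and SW are their own inverses; only the subkey order flips.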
22. Feistel Network
23. Parameters
- Block size
- Larger means greater security but reduces encryption/decryption speed
- Key size
- Number of rounds
- Subkey generation algorithm
- Round function
25. 1 round
26. 1 round
27. 2 rounds
29. DES
30. DES
- symmetric cryptosystem
- 64 bit block
- 56 bit key
- 16 round Feistel cipher
31. DES
Bellare and Rogaway, Introduction to Modern Cryptography, http://www-cse.ucsd.edu/users/mihir/cse207/classnotes.html
34. f
Bellare and Rogaway, Introduction to Modern Cryptography, http://www-cse.ucsd.edu/users/mihir/cse207/classnotes.html
36. KeySchedule
Bellare and Rogaway, Introduction to Modern Cryptography, http://www-cse.ucsd.edu/users/mihir/cse207/classnotes.html
37. Speed
- 1 Gbit/sec on high-end VLSI
- 640 gates
- 48 gate depth
- 80 cycles per byte on a fairly modern processor
38. Observation
- Complementation
- If C is E_k(P), then C' is E_k'(P')
- Key
- 4 weak
- E_k(E_k(M)) = M
- 0, 1, half 0 half 1, half 1 half 0
- 6 pairs of semi-weak
- E_k1(E_k2(M)) = M
- Not a group
- If it were a group, then given K1, K2 there would always be a K s.t. E_K(M) = E_K1(E_K2(M))
- multiple encryption would then be useless
39. Double DES
- DES(K2, DES(K1, M))
- Seems to be secure against differential and linear cryptanalysis
- Meet-in-the-middle attack
- 2^57 DES or DES^-1 computations
- effective key length of 2^57
- 1.15E6 terabytes
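An added example (not from the slides) of why double encryption buys almost nothing: the meet-in-the-middle search run against a toy cipher. The 16-bit-block, 12-bit-key Feistel cipher, its hash-based round function and the sample key pair are all constructed for this illustration and stand in for DES.

```python
import hashlib

KEY_BITS = 12                      # toy key size so the search finishes instantly

def F(k, i, half):                 # round function; it need not be invertible
    return hashlib.sha256(bytes([k >> 8, k & 0xFF, i, half])).digest()[0]

def enc(k, m):                     # 4-round Feistel network on a 16-bit block
    L, R = m >> 8, m & 0xFF
    for i in range(4):
        L, R = R, L ^ F(k, i, R)
    return (L << 8) | R

def dec(k, c):                     # the same rounds undone in reverse order
    L, R = c >> 8, c & 0xFF
    for i in reversed(range(4)):
        L, R = R ^ F(k, i, L), L
    return (L << 8) | R

def double_enc(k1, k2, m):
    return enc(k2, enc(k1, m))

def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with the known (plaintext, ciphertext) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(1 << KEY_BITS):            # 2^12 encryptions, stored
        middle.setdefault(enc(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):            # 2^12 decryptions, looked up
        for k1 in middle.get(dec(k2, c0), []):
            # extra known pairs weed out the accidental matches
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found

# Constructed sample: three known plaintexts under one secret key pair.
SECRET = (0x3A7, 0xC51)
PAIRS = [(p, double_enc(*SECRET, p)) for p in (0x0000, 0x1234, 0xBEEF)]
```

The search costs about 2 × 2^12 cipher operations plus a 2^12-entry table instead of the 2^24 trials the doubled key length suggests, the same shape as the 2^57 work and table storage quoted for Double DES.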
40. Triple-DES
- 3DES3(K1K2K3, M) = DES(K3, DES^-1(K2, DES(K1, M)))
- 3DES2(K1K2, M) = DES(K2, DES^-1(K1, DES(K2, M)))
- DES(K, M) = 3DES3(KKK, M)
- DES(K, M) = 3DES2(KK, M)
- 3DES is subject to a meet-in-the-middle attack
- effective key length 2^112
41. DESX
- 3DES is slow
- DESX(K K1K2, M) = K2 ⊕ DES(K, K1 ⊕ M)
- DESX^-1(K K1K2, C) = K1 ⊕ DES^-1(K, K2 ⊕ C)
- Equivalent security with regard to differential and linear attacks
- Resistance to exhaustive key search attack
42. How to use DES securely?
- Encrypt files
- Encrypt master key that encrypts the list of DES keys used to encrypt the files
- Encryption mode
- ECB
- CBC
43. Key Recovery Attack
44. Attack
- Bruteforce
- 2^55 DES operations
- 1 plaintext-ciphertext pair
- Differential cryptanalysis
- 2^47 chosen plaintexts
- Linear cryptanalysis
- 2^43 known plaintexts
45. Attack
- All are impractical
- Bruteforce
- Electronic Frontier Foundation's (EFF) "Deep Crack," a specially designed supercomputer, and a worldwide network of nearly 100,000 PCs on the Internet won RSA Data Security's DES Challenge III in a record-breaking 22 hours and 15 minutes.
- New block ciphers must withstand differential and linear cryptanalysis
46. Bruteforce
- Identifier: DES-Challenge-III
- Cipher: DES
- Start: January 18, 1999 9:00 AM PST
- Prize: $10,000
- IV: da 4b be f1 6b 6e 98 3d
- Plaintext: See you in Rome (second AES Conference, March 22-23, 1999)
- Ciphertext: bd 0d de 91 99 60 b8 8a 47 9c b1 5c
23 7b 81 18 99 0545 bc de 82 01 ab 53 4d 6f 1c
b4 30 63 3c ee cd 96 2e07 c6 e6 95 99 9c 96 46
5a 95 70 02 02 70 98 bd 41 c288 a9 f0 2f 8b e5
48 20 d2 a8 a0 6b bf 93 de 89 f6 e252 fd 8a 25
eb d0 7d 96 83 ee a4 2d c8 8d 1b 71