Presentation is loading. Please wait.

Presentation is loading. Please wait.

7/3/01 DES, Triple-DES, and AES Sandy Kutin CSPP 532 7/3/01.

Similar presentations

Presentation on theme: "7/3/01 DES, Triple-DES, and AES Sandy Kutin CSPP 532 7/3/01."— Presentation transcript:

1 7/3/01 DES, Triple-DES, and AES Sandy Kutin CSPP 532 7/3/01

2 Symmetric Cryptography zSecure communication has two parts: yEstablish a key (public key methods) yEncrypt message symmetrically using key zSymmetric encryption is faster zCryptographic scheme is only as good as its “weakest link” zWe need to understand strengths and weaknesses of symmetric encryption

3 7/3/01 DES: Data Encryption Standard z1972: National Bureau of Standards begins search z1975: DES: Lucifer by IBM, modified by NSA (key reduced from 128 to 56 bits) zApproved by NBS ‘76, ANSI ‘81 zrenewed every 5 years by NIST znow considered obsolete

4 7/3/01 DESiderata zSecure: hard to attack yClassic case: given ciphertext, get plaintext yAlso: given both, get key yAchieved through diffusion, confusion zEasy to implement (in hardware, software) yUse a few fast subroutines yDecryption uses same routines zEasy to analyze yProve that certain attacks fail

5 7/3/01 DEScription: Overview zBlock cipher: 64 bits at a time zInitial permutation rearranges 64 bits (no cryptographic effect) zEncoding is in 16 rounds plaintext INITIAL PERMUTATION ROUND 1 ROUND 2 ROUND 16 INITIAL PERMUTATION -1... ciphertext

6 7/3/01 DEScription: One Round z64 bits divided into left, right halves zRight half goes through function f, mixed with key zRight half added to left half zHalves swapped (except in last round) L i-1 R i-1 LiLi RiRi

7 7/3/01 DEScription: InsiDES zExpand right side from 32 to 48 bits (some get reused) zAdd 48 bits of key (chosen by schedule) zS-boxes: each set of 6 bits reduced to 4 zP-box permutes 32 bits R i-1 Expansion KiKi Eight S-boxes P-box Output

8 7/3/01 DESign Principles: Inverses zEquations for round i: zIn other words: zSo decryption is the same as encryption zLast round, no swap: really is the same L i-1 R i-1 LiLi RiRi

9 7/3/01 MoDES of Operation zECB: Electronic CodeBook mode: yEncrypt each 64-bit block independently yAttacker could build codebook zCBC: Cipher Block Chaining mode: yEncryption: C i = E K (P i  C i-1 ) yDecryption: P i = C i-1  D K (C i ) zCFB, OFB: allow byte-wise encryption yCipher FeedBack, Output FeedBack

10 7/3/01 PeDEStrian attacks zObvious attack: guess the key. 2 56 keys zComplementation Property: 2 55 keys z1 million per second: 1100 years zStore E K (P 1 ) for all K: 512 petabytes zTime/Memory Tradeoff (Hellman, 1980): y1 terabyte y5 days

11 7/3/01 DEStroying Security zDifferential Cryptanalysis (1990): zSay you know plaintext, ciphertext pairs zDifference d P = P 1  P 2, d C = C 1  C 2 zDistribution of d C ’s given d P may reveal key zNeed lots of pairs to get lots of good d P ’s zLook at pairs, build up key in pieces zCould find some bits, brute-force for rest

12 7/3/01 DEServing of Praise zAgainst 8-round DES, attack requires: y2 14 = 16,384 chosen plaintexts, or y2 38 known plaintext-ciphertext pairs zAgainst 16-round DES, attack requires: y2 47 chosen plaintexts, or yRoughly 2 55.1 known plaintext-ciphertext pairs zDifferential cryptanalysis not effective zDesigners knew about it

13 7/3/01 DESperate measures zLinear cryptanalysis: yLook at algorithm structure: find places where, if you XOR plaintext and ciphertext bits together, you get key bits yS-boxes not linear, but can approximate zNeed 2 43 known pairs; best known attack zDES apparently not optimized against this zStill, not an easy-to-mount attack

14 7/3/01 DESuetude z“Weakest link” is size of key zAttacks take advantage of encryption speed z1993: Weiner: $1M machine, 3.5 hours z1998: EFF’s Deep Crack: $250,000 y92 billion keys per second; 4 days on average z1999: 23 hours zOK for some things (e.g., short time horizon) zDES sliDES into wiDESpread DESuetude

15 7/3/01 Triple-DES zRun DES three times: yECB mode: zIf K 2 = K 3, this is DES yBackwards compatibility zKnown not to be just DES with K 4 (1992) zHas 112 bits of security, not 3 56 = 168 zWhy? What’s the attack? zWhat’s wrong with Double-DES?

16 7/3/01 DESpair zDouble-DES: C i = E B (E A (P i )) zGiven P 1, C 1 : Note that D B (C 1 ) = E A (P 1 ) zMake a list of every E K (P 1 ). zTry each L: if D L (C 1 ) = E K (P 1 ), then maybe K = A, L = B. (2 48 L’s might work.) zTest with P 2, C 2 : if it checks, it was probably right. zTime roughly 2 56. Memory very large.

17 7/3/01 Advanced Encryption Standard zDES cracked, Triple-DES slow: what next? z1997: AES announced, call for algorithms zAugust 1998: 15 candidate algorithms zAugust 1999: 5 finalists zOctober 2000: Rijndael selected yTwo Belgians: Joan Daemen, Vincent Rijmen zMay 2001: Comment period ended zSummer 2001: Finalized, certified until ‘06

18 7/3/01 AESthetics zSimilar to DES: block cipher (with different modes), but 128-bit blocks z128-bit, 192-bit, or 256-bit key zMix of permutations, “S-boxes” zS-boxes based on modular arithmetic with polynomials: yNon-linear yEasy to analyze, prove attacks fail

19 7/3/01 AES: State array “State” of machine given by 4x4 array of bytes

20 7/3/01 AES: Pseudocode

21 7/3/01 AES: SubBytes() (S-Box) Non-linear, based on polynomial arithmetic

22 7/3/01 AES: ShiftRows()

23 7/3/01 AES: MixColumns()

24 7/3/01 AES: AddRoundKey() Key schedule: expand N b -word key to 4 words per round for (6 + N b ) rounds (N b could be 4, 6, or 8)

25 7/3/01 Not just a CAESar Shift zA byte B=b 7 b 6 b 5 b 4 b 3 b 2 b 1 b 0 is a polynomial b 7 x 7 +b 6 x 6 +b 5 x 5 +b 4 x 4 +b 3 x 3 +b 2 x 2 +b 1 x 1 +b 0 x 0 zCan add, subtract, multiply polynomials zCoefficients are manipulated mod 2 zDo polynomial division, get remainders zCan work “mod” a particular polynomial zAES uses a particular “prime” polynomial

26 7/3/01 KafkAESque Complexity zS-box: input is a byte B yFirst take B -1 (mod p) yNext, do a linear transformation on the bits yFinally, XOR with a fixed byte zMixColumns() also uses polynomials zS-box can be done with a lookup table zEasier to analyze then “random” S-boxes used in DES

27 7/3/01 Suggested Reading zChapter references are to Stallings zModular Arithmetic: Sections 7.1-7.3, 7.5 zBig-Oh Notation: Appendix 6A zDES: Chapter 3 zDouble-DES, Triple-DES: Section 4.1 zAES: The AES home page:

Download ppt "7/3/01 DES, Triple-DES, and AES Sandy Kutin CSPP 532 7/3/01."

Similar presentations

Ads by Google