2HistoryDES was adopted as a US federal standard for commercial encryption in 1975.Feistel Cipher: the fundamental building block of DES designed by IBM.Design requirements:must provide high level of security (commercial standard)Security must not depend on secrecy of algorithm (Kerckhoff’s principle)Must be easily and economically implemented
36.1.2 Overview DES is a block cipher, as shown in Figure 6.1. Figure 6.1 Encryption and decryption with DES
4DES StructureThe encryption process is made of two permutations (P-boxes), which we call initial and final permutations, and sixteen Feistel rounds.
56.2.1 Initial and Final Permutations Figure 6.3 Initial and final permutation steps in DES
66.2.1 Continue Table 6.1 Initial and final permutation tables How to read this table?The 58th bit of input x will be the first bit of output IP(x), the 50th bit of x is the second bit of IP(x), etc.The initial and final permutations are straight P-boxes that are inverses of each other. They have no cryptography significance in DES.
7ContinuedExample 6.1Find the output of the initial permutation box when the input is given in hexadecimal as:SolutionOnly bit 25 and bit 64 are 1s; the other bits are 0s. In the final permutation, bit 25 becomes bit 64 and bit 63 becomes bit 15. The result is
86.2.2 Rounds Figure 6.4 A round in DES (encryption site) DES uses 16 rounds. Each round of DES is a Feistel cipher.Separate message block into two 32-bit halves, Li and RiIntroduce confusion by using a “complex” nonlinear function ff has two inputs: Ri and a 48-bit round key, KiIntroduce diffusion by “adding” Li and the output of fLi+1 = RiRi+1 = Li f(Ri, Ki+1)
9ContinuedDES FunctionThe heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.Figure DES function
106.2.2 Continue Expansion P-box Since RI−1 is a 32-bit input and KI is a 48-bit key, we first need to expand RI−1 to 48 bits.Figure 6.6 Expansion permutation
11ContinueAlthough the relationship between the input and output can be defined mathematically, DES uses Table 6.2 to define this P-box.Table 6.6 Expansion P-box table
126.2.2 Continue Whitener (XOR) After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48-bits in length. Also note that the round key is used only in this operation.
13ContinueS-BoxesThe S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. See Figure 6.7.Figure 6.7 S-boxes
15ContinueTable 6.3 shows the permutation for S-box 1. For the rest of the boxes see the textbook.Table 6.3 S-box 1
16ContinuedExample 6.3The input to S-box 1 is What is the output?SolutionIf we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The remaining bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1, in Table 6.3 (S-box 1). The result is 12 in decimal, which in binary is So the input yields the output 1100.
21PropertiesTwo desired properties of a block cipher are the avalanche effect and the completeness.Example 6.7To check the avalanche effect in DES, let us encrypt two plaintext blocks (with the same key) that differ only in one bit and observe the differences in the number of bits in each round.
226.3.1 Continued Example 6.7 Continued Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits. This means that changing approximately 1.5 percent of the plaintext creates achange of approximately 45 percent in the ciphertext.Table Number of bit differences for Example 6.7
236.3.1 Continued Completeness effect Completeness effect means that each bit of the ciphertext needs to depend on many bits on the plaintext.
246.3.2 Design Criteria S-Boxes The design provides confusion and diffusion of bits from each round to the next.P-BoxesThey provide diffusion of bits.Number of RoundsDES uses sixteen rounds of Feistel ciphers. the ciphertext is thoroughly a random function of plaintext and ciphertext.
25DES WeaknessesDuring the last few years critics have found some weaknesses in DES.Weaknesses in Cipher DesignWeaknesses in S-boxesTwo specifically chosen inputs to an S-box can create same output2. Weaknesses in P-boxesinitial and final permutations have no security benefitsthe first and fourth bits of every 4-bit series are repeated3. Weaknesses in KeyWeak keys create same 16 round keysSemi-weak keys create 2 different round keysPossible weak keys create 4 distinct round keysKey complement
266.3.3 DES Weaknesses There are four weak keys. After parity drop operation, a key consists either of all 0s, all 1s, or half 0s and half 1s.Weak keys create same 16 round keys.
27ContinuedExample 6.8Let us try the first weak key in Table 6.18 to encrypt a block two times. After two encryptionswith the same key the original plaintext block is created. Note that we have used the encryption algorithm two times, not one encryption followed by another decryption.
28ContinuedFigure Double encryption and decryption with a weak key
29ContinuedSemi-weak keys create only 2 different round keys; k1, k2
30ContinuedSemi-week keys create 2 different round keys
31ContinuedFigure A pair of semi-weak keys in encryption and decryption
32ContinuedExample 6.9What is the probability of randomly selecting a weak, a semi-weak, or a possible weak key?SolutionDES has a key domain of 256. The total number of the above keys are 64 ( ). The probability of choosing one of these keys is 8.8 × 10−16, almost impossible.
34ContinuedExample 6.10Let us test the claim about the complement keys. We have used an arbitrary key and plaintext to find the corresponding ciphertext. If we have the key complement and the plaintext, we can obtain the complement of the previous ciphertext (Table 6.20).
35Topics discussed in this section: 6-4 Multiple DESMajor limitation of DESKey length is too short (56 bits).Question: So can we apply DES multiple times to increase the strength of encryption?Advantage: We could then preserve the existing investment in software and equipment.Topics discussed in this section:6.4.1 Double DES Triple DES
36Double DES (I) Meet-in-the-Middle Attack Apply two iterations of DES with two keys K1 and K2What if DES has a structure of an algebraic group, such that for each K1 and K2 there is a K3 with the property:Ek2(Ek1(P)) = Ek3(P)Meet-in-the-Middle AttackHowever, using a known-plaintext attack called meet-in-the-middle attack proves (1992) that double DES improves this vulnerability slightly (to 257 tests), but not tremendously (to 2112).
376.4.1 Continued Figure 6.14 Meet-in-the-middle attack for double DES • For given P and C – search only O(2^56) pairs of keys K1 and K2 at the intermediate message MEncrypt P under all 2^56 options for K1– Denote the results by M1, M2, . . ., Mn• Decrypt C under all 2^56 options for K2– Denote the results by M1’, M2’, . . ., Mn’
386.4.1 Continued Figure 6.15 Tables for meet-in-the-middle attack • Sort the values M1, M2, . . ., Mn• Sort the values M1’, M2’, . . ., Mn’Eve will find at least one match of M with two keys (k1 and k2). If there is only match, Eve found the key. If there is more than one, Eve takes another intercepted plain-text-cipher text pair. This is repeated until she finally finds a unique pair.
39Triple-DES (I) EEE Mode: – DES Encrypt-Encrypt-Encrypt with three keys K1, K2, K3 (168 bits) and strength O (2110) against Meet-in-the-Middle– Not compatible with regular DES
40Triple-DES (II) EDE Mode: DES Encrypt-Decrypt-Encrypt with two keys K1, & K2Properties:Two keys (112 bits)Strength O(2110) against Meet-in-the-MiddleCompatible with regular DES when K1= K2
41E-D-E versus E-E-E Why E-D-E? Initial and final permutations would cancel each other out with EEE (minor advantage to EDE)EDE compatible with single DES if same keys.Only 2 different Keys needed with E-D-EThe possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys. Triple DES with three keys is used by many applications such as PGP. New candidates numerous - RC5, IDEA, two-fish, CAST, etc.
426-5 Security of DESDES, as the first important block cipher, has gone through much scrutiny.The size of the key space, 256, is “too small” to be really secure. Brute-Force Attack: Combining short cipher key in DES with the key complement weakness, it is clear that DES can be broken using 2^55 encryptions.Security of DES mainly relies on the nonlinearity of the f (i.e. the S-boxes)
436-5 Security of DESDifferential cryptanalysis: Designed S-boxes and 16 rounds aim to make DES specifically resistant to this type of attack.Linear cryptanalysis: DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis. S-boxes are not very resistant to linear cryptanalysis. It has been shown that DES can be broken using 243 pairs of known plaintexts. However, from the practical point of view, finding so many pairs is very unlikely.
44Exhaustive Key SearchIn 1993, Michael Wiener presented a pipelined chip which does 16 encryptions simultaneously and tests 5107 DES keys per second.Each chip could be built for US$10 using current technology.A frame consisting of 5760 chips can be built for $100K.In 1997, cost cut by a factor of 6Software version of DES cracking effort can be found atCurrent Record: 22 hrs and 15 mins to break DES by distributed software cracking effort.
45Overview of DES C = DES (K, M) Block size = 64 bits Key size = 56 bits Number of rounds = 16IP - Initial PermutationIP-1 - The inverse of IPf - A nonlinear functionKi - Round i subkey (48 bits)Each Feistel block can be described asLi = Ri-1Ri = Li-1 f (Ri-1, Ki)
477-1 INTRODUCTIONThe Advanced Encryption Standard (AES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) in December 2001.
48The criteria defined by NIST for selecting AES fall into three areas: 1. Security2. Cost3. Implementation.
49AES has defined three versions, with 10, 12, and 14 rounds. AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.NoteAES has defined three versions, with 10, 12, and 14 rounds.Each version uses a different cipher key size (128, 192, or 256), but the round keys are always 128 bits.
50Rounds.Figure 7.1 General design of AES encryption cipher
52ContinueFigure 7.3 Block-to-state and state-to-block transformation
537.1.4 Continue Continue Example 7.1 Figure 7.4 Changing plaintext to state
54Structure of Each Round Figure 7.5 Structure of each round at the encryption site
55Topics discussed in this section: 7-2 TRANSFORMATIONSTo provide security, AES uses four types of transformations: substitution, permutation, mixing, and key-adding.Topics discussed in this section:7.2.1 Substitution7.2.2 Permutation7.2.3 Mixing7.2.4 Key Adding
56SubstitutionAES, like DES, uses substitution. AES uses two invertible transformations.SubBytesThe first transformation, SubBytes, is used at the encryption site. To substitute a byte, we interpret the byte as two hexadecimal digits.NoteThe SubBytes operation involves 16 independent byte-to-byte transformations.
59PermutationAnother transformation found in a round is shifting, which permutes the bytes.ShiftRowsIn the encryption, the transformation is called ShiftRows.Figure 7.9 ShiftRows transformation
60PermutationExample 7.4Figure 7.10 shows how a state is transformed using ShiftRows transformation. The figure also shows that InvShiftRows transformation creates the original state.Figure ShiftRows transformation in Example 7.4
61MixingWe need an interbyte transformation that changes the bits inside a byte, based on the bits inside the neighboring bytes. We need to mix bytes to provide diffusion at the bit level.Figure Mixing bytes using matrix multiplication
62MixingMixColumnsThe MixColumns transformation operates at the column level; it transforms each column of the state to a new column.Figure MixColumns transformation
63The AddRoundKey transformation is the inverse of itself. Key AddingAddRoundKeyAddRoundKey proceeds one column at a time. AddRoundKey adds a round key word with each state column matrix; the operation in AddRoundKey is matrix addition.NoteThe AddRoundKey transformation is the inverse of itself.
66AES SecurityAES was designed after DES. Most of the known attacks on DES were already tested on AES.Brute-Force AttackAES is definitely more secure than DES due to the larger-size key.Statistical AttacksNumerous tests have failed to do statistical analysis of the ciphertext.Differential and Linear AttacksThere are no differential and linear attacks on AES as yet.
67Simplicity and CostThe algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.
69Supported Ciphers 1. Range of MAC algorithms Almost all include MD5, SHA-12. Range of symmetric algorithmsAlmost all include AES, DES3. Range of public key algorithmsAlmost all include RSA, Diffie-Hellman, DSA
70Cryptographic APIs Cryptlib OpenSSL easy to use free for noncommercial useOpenSSLpoorly documentedopen sourcepopular
71Cryptographic APIs Crypto++ BSAFE C++ library open source well documented, Java, C/C++most popular commercial libraryWas commercial SDK from RSAfree from 2009 under RSA Share Project https://community.emc.com/community/edn/rsashare?view=tags&tags=java
72Cryptographic APIs Cryptix: JCA, JCE Python Cryptographic Toolkit open source Java library, C# libraryPython Cryptographic Toolkitopen source crypt, hash, rand modulesCrypt:: CPAN modules for Perlwell documentedmany different libraries