1. 1 One of the biggest problems in Security today is that not too many professionals are aware of the actual risks, and most of the graduates in computer science cannot identify a security hole, if asked.

2. 2 Using DES DES encrypts a 64-bit data block. Methods for encryption of larger blocks of data: 4 methods defined in “ANSI X3.106- 1983 Modes of Use”: Block Modes splits messages in blocks (ECB, CBC) Stream Modes on bit stream messages (CFB, OFB) Now with AES a fifth mode, called the Counter (CTR) mode, has been defined.

3. 3 DES: ECB Mode 1. Electronic Codebook (ECB): Each 64 bit of data is sequentially encrypted. Used for encryption of a small amount of data like keys or passwords ( of 8 characters) Not used for larger data blocks,: Statistical analysis, particularly for messages with repetitive blocks, becomes easy. Parallel encryption/decryption for a large number of data blocks (?) is possible. Error in transmission of one cipherblock affects only one block of (decrypted) plaintext.

4. 4 Cipher Block Chaining 2. Cipher Block Chaining (CBC): Encryption Process: Uses an Initialization Vector/ Injection Vector/ Initializing Value/ Initial Chaining Value: (IV) of 64 bits in the first block. IV is XORed with the first block of data. The resultant block is encrypted using DES. The cipher output of the first (i th) block is then XORed with the second (i+1 st) block of data. The resultant block is encrypted using DES. ………………… The process is shown in the figure in the next slide.

5. 5 DES encrypt DES encrypt + + DES encrypt DES encrypt K K IV Time = 1 P1 C1 Time = 2 P2 C2 Time = N PNPN + C N -1 DES encrypt DES encrypt CNCN a) Encryption b) Decryption DES decrypt DES decrypt + IV C1 P1 + P2 DES decrypt DES decrypt C2 DES decrypt DES decrypt CNCN K + C N -1 PNPN K

6. 6 CBC continued C1 = EK[IV  P1] C2 = EK[C1  P2]. CN = EK[C(N-1)  PN] Or generalizing the above, Ci = EK[C(i-1)  Pi] Where C0 = IV

7. 7 CBC continued For Decryption: DK [CN] = DK[EK[C(N-1)  PN] – obtained by substituting the value of CN from above Therefore DK [CN] = C(N –1)  PN On XORing with C(N-1) on both the sides, C(N-1)  DK[CN] = C(N-1)  C(N-1)  PN = PN

8. 8 CBC: IV IV has to be protected like the key. IV: may be a timestamp or a random number. IV is sent using ECB encryption. Or the sender and the receiver agree upon a value like all 0’s.

9. 9 CBC: The Last Block PADDING: If the last block is of less than 64 bits, it is to be converted to 64 bits by padding either with known non-data values (eg nulls) or with nulls and with count in bytes of pad size eg. [ b1 b2 b3 0 0 0 0 5]  3 data bytes, then 5 bytes pad+count But if this option be chosen, then even if the last block were an exact multiple of 8 bytes, an additional block of 8bytes with all zeros in the first seven bytes and with the eighth byte having a value of 8 will have to be added.

10. 10 Advantages of CBC Each ciphertext block depends on all the preceding message blocks Thus a change in the message affects all ciphertext blocks after the change as well as the original block SELF-HEALING: Due to communication errors, if a block of ciphertext has an error, the error propagates for at most two blocks. Avalanche Effect: Encrypted message cannot be changed or rearranged without destroying the subsequent data

11. 11 Disadvantages of CBC By fooling the receiver to use a different IV, some selected bits can be inverted. e.g. P1 = IV  DK[C1] Let X[i] = ith bit of X. P1[i] = IV[i]  (DK[C1])[i] using the property of XOR, P1[i]’ = IV[i]’  (DK[C1])[i] Thus if ith bit of IV were complimented, the ith bit of P1 will also be complimented. No parallel encryption ( Parallel decryption can be done.)

12. 12 Cipher FeedBack (CFB) The message is treated as a stream of bits. Assume that s bits of plaintext are available for encryption and transmission to the receiver. IV is encrypted. The most significant (leftmost) s bits, out of the encrypted 64 bits, are then XORed with s bits of plaintext. This gives s bits of ciphertext (C1). The least significant (64 – s) bits are discarded. Next Stage: The shift register, containing IV, is shifted left s times and the s bits of C1 are entered (feedback) in the least significant s positions for the next stage (hence name) ……

13. 13 CFB (continued) C1 = P1  Ss(EK(IV)), where Ss is the s most significant bits selected from EK(IV). Therefore P1 = C1  Ss(EK(IV)) Hence during Decryption, the Encryption process is required to be used.

14. 14 CFB (continued) The standard allows any number of s bits (1,8 or 64 or whatever) to be fed back. denoted CFB-1, CFB-8, CFB-64 etc Throughput reduces by 64/s. is most efficient to use all 64 bits (CFB- 64) C i = P i  EK(C i-1 ) C 0 = IV

15. 15 Cipher FeedBack (CFB)

16. 16 Advantages and Limitations of CFB appropriate when data arrives in bits/bytes Limitation: need to stall while doing block encryption after every s-bits, if data should arrive faster Note that the block cipher is used in encryption mode at both ends Bit errors in communication propagate for several blocks after the error.  CFB should be used over a reliable network layer. APPLICATIONS: stream data encryption, authentication

17. 17 Output FeedBack (OFB) message is treated as a stream of bits IV is encrypted. The most significant (leftmost) s bits, out of the encrypted 64 bits, are then XORed with s bits of plaintext. This gives s bits of ciphertext (C1). Research has shown that using s other than 64 is not desirable. Hence OFB-64 is the only one in use today. Next Stage: The bits, obtained by encryption of IV ONLY, are fed to the next stage (hence name). …. Feedback is independent of plaintext message.

18. 18 OFB (continued) Q 0 = IV Q i = EK(Q i-1 ) Thus Q’s can be computed in advance. … during encryption If s bits of plaintext are available for encryption, the most significant s bits may be selected from Qi by the process Ss. C i = P i  Ss(Q i) Therefore P i = C i  Ss(Q i ) Hence only Encryption process is used even while decrypting the plaintext from a given ciphertext.

19. 19 Output FeedBack (OFB)

20. 20 Advantages and Limitations of OFB APPLICATIONS: transfer of the encrypted stream over noisy channels; error in Ci affects Pi only. used when errors in communication in cipher feedback method create a problem, or, where need to encrypt, before message is available for bursty traffic a variation of a Vernam cipher hence must never reuse the same sequence (key + IV) Susceptible to “modification of selected bits in the communication message” attack. sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs

21. 21 OFB Limitations If the same IV + Key combination is used for two messages, the two ciphertexts can be XORed to eliminate DES out. The result would be a XOR of two plaintexts, which may be more easily separated out. Throughput reduces by 64/s.

22. 22 Counter (CTR): A “new” mode similar to OFB but encrypts counter value rather than any feedback value must have a different key & counter value for every plaintext block (never reused) C i = P i  Q i Q i = EK(CTRi) Select a random 64 bit CTR value for the first block. Then increment for every sequential block. Uses Encryption algorithm for both encryption and decryption

23. 23 Counter (CTR)

24. 24 Advantages and Limitations of CTR Efficiency can do parallel encryptions Preprocessing: Encryptions may be done in advance of need random access to encrypted data blocks ( ie it is not necessary to decrypt blocks in sequence) provable security (as good as other modes); but must ensure never reuse key/counter values, otherwise could break (cf OFB) Only encryption is used. (useful in AES, where encryption and decryption modes are quite different.) APPLICATIONS: high-speed network encryptions as in ATM or IPSec; good for bursty high speed links

25. 25 DES Implementations Software DES Implementations HP 9000/887 125MHz: 1.6 MB/s Sun Ultra 5 333MHz: 4.0 MB/s Intel Pentium III 750MHz: 14.0 MB/s VLSI DES Implementations Wildcard (core) XVC300 1999 33MHz 264MB/s Wildcard (with bus) XVC300 1999 33MHz 1.9MB/s On an XVC300-4 FPGA at HK Univ Max freq: 34.4 MHz Can perform a 64 bit encryption every cycle ie 272MB/s with a latency of 16 cycles Reference:http://www.cse.cuhk.edu.hk/~phwl/ceg5010/des.pdf

26. 26 Super-encryption Double DES: Ciphertext = E K1 ( E K2 ( Plaintext)) takes double the time for encryption and decryption not significantly more secure than DES. known plaintext meet-in-the middle attack* is the problem. Merkle-Hellman attack: requires storing 2 56 intermediate results ( each of 64 bits i. e. a total of 2 59 = 10 17 bytes), but it reduces the number of different keys you need to check from 2 112 to 2 57. * Reference: R. C. Merkle and M. Hellman, "On the Security of Multiple Encryption," Communications of the ACM, Volume 24, Number 7, July 1981, pp. 465-467.

27. 27 Meet-in-the-middle Attack C1 = E K2 ( E K1 ( P1)) Initial Storage: For all possible keys, obtain E K ( P1) and store them. For each key, D K ( C1) and compare with the stored results. If it tallies with any of the stored result, we probably know both K2 (from decryption) and K1 ( from the stored encryption.) Verify the correctness with C2 = E K2 ( E K1 ( P2))

28. Triple DES Reference: http://en.wikipedia.org/wiki/Data_Encryption_Standard as of Nov 1, 2009http://en.wikipedia.org/wiki/Data_Encryption_Standard DES: approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. DES: reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2) January 22, 1999: distributed.net and the Electronic Frontier Foundation jointly broke a DES key in 22 hours and 15 minutes Oct 25, 1999: NIST reaffirmed DES as a standard through FIPS 46-3, specifying the preferred use of Triple DES 28

29. 29 Triple DES for greater security Triple DES with three keys: C = EK3( EK2( EK1( P))) P = DK1( DK2( DK3( C))) Used in PGP, S/MIME etc Encrypt-Decrypt-Encrypt DES (called EDE DES) with two keys: C = EK1( DK2( EK1( P))) P = DK1( EK2( DK1( C))) Used in X9.17 and ISO 8732 standards

30. Strength of Triple DES Reference: http://csrc.nist.gov/publications/nistpubs/800- 57/sp800-57-Part1-revised2_Mar08-2007.pdf page 61http://csrc.nist.gov/publications/nistpubs/800- 57/sp800-57-Part1-revised2_Mar08-2007.pdf Three-key Triple DES: Due to MIM attack, strength = 112 bits Two-key Triple DES: if the attacker can obtain approximately 240 such pairs, then 2TDEA has strength comparable to an 80-bit algorithm (Reference: [ANSX9.52], Annex B). 30

31. 31 Security for Super-encryption Order of number of computations required for breaking the security DES: 2 55 computations Double DES: 2 56 computations Triple DES: 2 112 = 5.19 x 10 33 computations Assume: A computer with 10 6 chips- each chip capable of 10 6 triple-DES encryptions per second. Time for cracking = 5.19 x 10 21 sec = 1.65 x 10 14 years = 16453 times the age of the universe (10 10 years) Since Double DES is not very much more secure than DES, DES and Triple DES are in use.

32. 32 Weak keys WEAK KEYS: Those that lead to the same sub keys in more than one round. REFER: Slides 33-46 for KeySchedule All block ciphers have some weak keys. DES has: 4 weak keys, for which the same key is generated in all the rounds. This would happen if all the bits, in each half, are identical, so that left circular shift operation would not have any effect. The 4 weak 56-bit keys are (in HEX): 0000000 0000000 0000000 FFFFFFF FFFFFFF 0000000 FFFFFFF FFFFFFF

33. 33 Semi-Weak keys 12 semi-weak keys, for which in alternate rounds, the subkey is repeated. (For each of these 12 keys, only two distinct sub-keys are generated through the key schedule.) These 12 cases occur in six pairs. In each pair, ciphertext, obtained by encryption using one key, can be decrypted by using the other key of the pair. Such 56-bit keys are given in this and the next slide.: Pair 1: First Key: 0000000 1111111 0000000 1111111 0000000 1111111 0000000 1111111 Second Key: 1111111 0000000 1111111 0000000 1111111 0000000 1111111 0000000

34. 34 Semi-Weak keys: Key 3 to Key 12 ( 56-bit keys) Pair 2: Key 3 : 0001 1111 1100 0000 0111 1111 0000 0000 1111 1110 0000 0011 1111 1000 Key 4 : 1110 0000 0011 1111 1000 0000 1111 1111 0000 0001 1111 1100 0000 0111 Pair 3: Key 5 : 0000 0001 1100 0000 0000 0111 0000 0000 0001 1110 0000 0000 0111 1000 Key 6 : 1110 0000 0000 0011 1000 0000 0000 1111 0000 0000 0011 1100 0000 0000 Pair 4: Key 7 : 0001 1111 1111 1100 0111 1111 1111 0000 1111 1111 1100 0011 1111 1111 Key 8 : 1111 1110 0011 1111 1111 1000 1111 1111 1110 0001 1111 1111 1000 0111 Pair 5: Key 9 : 0000 0000 0011 1100 0000 0000 1111 0000 0000 0001 1100 0000 0000 0111 Key10 : 0001 1110 0000 0000 0111 1000 0000 0000 1110 0000 0000 0011 1000 0000 Pair 6: Key11 : 1110 0001 1111 1111 1000 0111 1111 1111 0001 1111 1111 1100 0111 1111 Key12 : 1111 1111 1100 0011 1111 1111 0000 1111 1111 1110 0011 1111 1111 1000

35. 35 Demi-semi-weak Keys 48 demi-semi-weak keys, for each of which only four distinct sub-keys are generated. These occur in 4 groups of 4 keys each, and, in another 4 groups of 8 keys each. These are given in the next four slides as 64-bit keys. (In every 8 bits, the eighth bit is an odd parity bit. On eliminating the parity bit, you get the 56-bit key. Refer to slide 34 of DES Part 1. ) All key generation programs should avoid the weak keys. The total number of possible keys in DES is 2 56 = 72, 057,594,037,927,936 = 7.2x10 16. In this large key-space, the number of weak, semi- weak and demi-semi-weak keys are only 64.

36. 36 Demi-semi-weak Keys: Key 1 to Key 12 ( as 64-bit keys) 1F 1F 01 01 0E 0E 01 01 01 1F 1F 01 01 0E 0E 01 1F 01 01 1F 0E 01 01 0E 01 01 1F 1F 01 01 0E 0E E0 E0 01 01 F1 F1 01 01 FE FE 01 01 FE E0 1F 01 FE F1 0E 01 E0 FE 1F 01 F1 FE 0E 01 FE E0 01 1F FE F1 01 0E E0 FE 01 1F F1 FE 01 0E E0 E0 1F 1F F1 F1 0E 0E FE FE 1F 1F FE FE 0E 0E

37. 37 Demi-semi-weak Keys: Key 13 to Key 24 ( as 64-bit keys) FE 1F E0 01 FE 0E F1 01 E0 1F FE 01 F1 0E FE 01 FE 01 E0 1F FE 01 F1 0E E0 01 FE 1F F1 01 FE 0E 01 E0 E0 01 01 F1 F1 01 1F FE E0 01 0E FE F0 01 1F E0 FE 01 0E F1 FE 01 01 FE FE 01 1F E0 E0 1F 0E F1 F1 0E 01 FE E0 F1 01 FE F1 0E 01 E0 FE 1F 01 F1 FE 0E 1F FE FE 1F 0E FE FE 0E

38. 38 Demi-semi-weak Keys: Key 25 to Key 36 ( as 64-bit keys) E0 01 01 E0 F1 01 01 F1 FE 1F 01 E0 FE 0E 01 F1 FE 01 1F E0 FE 01 0E F1 E0 1F 1F E0 F1 0E 0E F1 FE 01 01 FE E0 1F 01 FE F1 0E 01 FE E0 01 1F FE F1 01 0E FE FE 1F 1F FE FE 0E 0E FE 1F FE 01 E0 0E FE 01 F1 01 FE 1F E0 01 FE 0E F1 1F E0 01 FE 0E F1 01 FE 01 E0 1F FE 01 F1 0E FE

39. 39 Demi-semi-weak Keys: Key 37 to Key 48 ( as 64-bit keys) 01 01 E0 E0 01 01 F1 F1 1F 1F E0 E0 0E 0E F1 F1 1F 01 FE E0 0E 01 FE F1 01 1F FE E0 01 0E FE F1 1F 01 E0 FE 0E 01 F1 FE 01 1F E0 FE 01 0E F1 FE 01 01 FE FE 1F 1F FE FE 0E 0E FE FE FE FE E0 E0 FE FE F1 F1 E0 FE FE E0 F1 FE FE F1 FE E0 E0 FE FE F1 F1 FE E0 E0 FE FE F1 F1 FE FE

40. 40 “The public streets and highways of the internet have become like neighborhoods where it is no longer safe to venture. Hackers, scammers, virus builders and other Web predators are looming in the shadows.” -- Paul Tinnirello CIO in an insurance financial industry “The Gated Community”, e-Week, 13 Oct 2003

41. 41 A Revision Methods of Encryption Symmetric Encryption Block Stream Synchronous Self-Synchronous Asymmetric ( Public Key) Encryption

42. 42 Block Ciphers DES : Based upon IBM’s Lucifer; Uses the processes of Diffusion and Confusion Published on 15 th January 1977 as the FIPS PUB 46 standard; subsequently Reconfirmed in 1983 Reconfirmed in 1988 as FIPS-46-1 Reconfirmed in 1993 as FIPS-46-2 Reconfirmed in 1998 as FIPS-46-3 Other Block Ciphers 26 th May 2002: AES: The new standard

43. 43 Stream Cipher Streaming Cipher: encrypts data unit by unit, where a unit is of certain number of bits (Example: If the unit be a bit, a stream cipher encrypts data unit by unit. Or if the unit be a byte, it encrypts byte by byte) simpler and faster than block cipher; but less secure Two Modes of Stream Cipher: Synchronous Stream Cipher: Sender uses a key to encrypt. Receiver uses the same key to decrypt. Self-Synchronizing Stream Cipher: The key stream generator (KSG) generates a key, which depends upon the original key and the cipher output.

44. 44 Example of a Stream Cipher RC4: used in SSL (Secure socket Layer) WEP (Wired Equivalent Privacy) Key: 1 to 256 octets Given a key: a pseudo-random stream is generated and xor’ed with the cleartext to generate the ciphertext

45. 45 Controversies about DES Since the design of DES has not been released, there were misgivings because of the small key size, and, the patterns observed in the S-boxes However DES has survived for nearly two decades. References:1.W Diffie, M Hellman "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" IEEE Computer 10(6), June 1977, pp74-84 2.M Hellman "DES will be totally insecure within ten years" IEEE Spectrum 16(7), Jul 1979, pp 31-41

46. 46 Design principles 1.Shannon’s Confusion and Diffusion properties introduced through S-boxes, permutations and 16 rounds of operation. 2.Some of the Rules followed by NSA for S- boxes: In no case, the 4 output bits of any of the S- boxes can be expressed as a system of linear equations of the corresponding six input bits. Change of one bit in the input of an S-box  Change in at least two output bits. Thus the S-boxes diffuse the input information well into the output.

47. 47 S-boxes: design crierion S boxes: the only non-linear component during encryption using DES. Hence if a linear relation should exist between input and output bits, the whole of the process would become linear and easily breakable. Guaranteed Avalanche Criterion of order “r” for S boxes: If a change in one bit at the input leads to at least a change in r bits at the output, for all S-boxes and for all possible 1-bit changes A value of r of 2 to 5 has been recommended.

48. 48 Two criterion for F Strict Avalanche Criterion: any output bit j should change with probability ½, when any single bit i is changed at the input, for all i and j. Bit Independence Criterion: Output bits k and j should change independently, if a bit i is inverted at the input. (Both the rules are applied for S-boxes)

49. 49 Design principles: Number of Rounds After only one round: each cipher bit affected by a few bits of plaintext. After five rounds, each output bit depends upon every key and input bit. [701/MattBishop pp 230] Certification experiments, on the predecessor of DES, called Lucifer, by NBS showed that 8 rounds are able to eliminate any dependence of output bits on specific input bit patterns.[KON 81/Pfleeger pp 655] Reference: 1.A F Webster & S E Tavares "On the Design of S boxes", in Advances in Cryptology - Crypto 85, Lecture Notes in Computer Science, No 218, Springer-Verlag, 1985, pp 523-534

50. 50 Number of Rounds Schneier has shown in his book that differential cryptanalysis is more effective than the brute force method if the number of rounds is 15 or less. But for 16 rounds, diff crptanalysis is less effective.

51. 51 Design: STRENGTH of DES Avalanche Effect A change-in one bit of plaintext or -in one bit of the key produces a change in many (approx half the number of output) bits of the ciphertext. This makes it difficult to guess the key. Completeness effect where each output bit is a complex function of all the input bits DES exhibits strong Avalanche and Completeness effects.

52. 52 Design Parameters Increasing the following improves security but slows down the cipher: block size key size number of rounds Greater complexity in the following makes cryptoanalysis difficult, but slows down the cipher: subkey generation round function The Objective:a fast, secure, cipher

53. 53 Permutations: IP and IP -1, P, E, PC1, PC2 1. DES: 18 steps: Initial Permutation – 16 rounds – Inverse Initial Permutation 2. IP and IP -1 and PC1 ( used in round Key generation, as the first step) increase the complexity. But these do not add to the security of DES. 3. E, P and PC2: E, P ( a part of the function f), and PC2 (the last step while generating 48 bit sub-keys from a 56 bit shifted data) act with S-Boxes to provide avalanche and completeness effects

54. 54 Fig : single Round of DES Algorithm: L i-1 R i-1 C i-1 D i-1 XOR 32bits 28 bits Expansion/ permutation (E table) Substitution/ choice (S-box) Permutation (P) Left shift (s) Permutation/contraction (permuted choice 2) L i R i C i D i 32 48 32 F K i 48

55. 55 Permutation P 1672021 29122817 1152326 5183110 282414 322739 1913306 2211425

56. 56 Rules for P to improve diffusion 4 outputs of a box  2 affect the middle bits and 2 are the external bits at the next round 4 outputs of a box  affect 6 different S-boxes at the next round For any two S-boxes k and q, if the output of k, in round r, affects a middle bit of q in the next round (r+1), then, the output of q, in round (r+1), cannot affect any middle bit of k, in round (r+ 2)

57. 57 Security: Data of 1999 DES inadequate against an attacker with deep pockets: Using $10,000 worth of FPGA technology, it would take a year and a half to search out a DES key. In ten years time $10,000 of hardware would allow one to find a DES key in less than a week. Using off-the-shelf technology worth $300,000, one can find a DES key in an average of 19 days and in only 3 hours using a custom developed chip. If $10,000,000 were invested on custom chips, one could recover DES keys in an average of 6 minutes.

58. 58 Security of DES (continued) An investment of $300,000,000 could recover DES keys in 12 seconds each! ( The amount is less than the cost of the Glomar Explorer, built to salvage a single Russian submarine in 2002, and far less than the cost of many spy satellites.) Reference: Blaze, Diffie, Rivest, Schneier, Shimomura, Thompson, Wiener, “Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security”, available at http://www.finecrypt.net/keylength.html

59. 59 Attempts on DES 1974: DES became a standard. Three major attempts: 1. Wiener (1993 and 1997) (I) Assumes the attacker has one (plaintext, ciphertext) pair (II) Designed a special, pipelined chip to achieve a key search rate of 5 * 10 7 keys per second; estimated development cost in 1993 : $ 500,000 (III) He calculated (97) that a key search machine costing $ 100,000 would be able to locate the key in six hours. Wiener’s idea: on a theoretical basis only

60. 60 The Second Attempt 2. RSA lab – Award of $ 10000 for finding out the plaintext for a problem for which part of the plaintext is given as follows: “The unknown message is : ………” And its ciphertext was given. PROBLEM OF RECOGNIZING “PLAINTEXT”: If the nature of message (i.e English language / data/?) is not known, or If the text is compressed before encryption, it would be difficult to conclude whether the decryption has been successful or not.

61. 61 Attempts on DES Rocke Verser started http://www.distributed.net: a massive parallel processing, brute force cracking projecthttp://www.distributed.net claimed the prize by using 70,000 machines in parallel for 96 days. Electronic Frontier Foundation Jul 1998: funded a DES Cracker at $ 250,000. Jan 1999: EFF announced success in cracking a DES encryption. The Cracker: for testing 88 billion keys ps. EFF: published the detailed design of the DES Cracker. The design automates recognition of the “plaintext”. 1999: Triple DES: prescribed as the interim standard.

62. 62 Timing Attack HAMMING WEIGHT is defined as the number of 1’s in the key. For some encryption/decryption methods, by observing the amount of time it takes to decrypt a given ciphertext, it may be possible to find the Hamming weight of the key. However DES (or AES) does not seem to be amenable to an attack of this type.

63. 63 Types of attacks: a revision Depends upon the information known to the hacker: 1. Ciphertext only 2. Known plaintext-ciphertext pairs 3. Chosen plaintext-ciphertext pairs 4. Chosen ciphertext along with its decrypted plaintext 5. A combination of 3 and 4 The Hacker is required to find the Key.

64. 64 Summary of DES operations C = IP -1 (L 16 : R 16 ) L 16 = R 15 R 16 = L 15  ( F K16 (R 15 )) L 15 = R 14 R 15 = L 14  ( F K15 (R 14 )). L 2 = R 1 R 2 = L 1  ( F K2 (R 1 )) L 1 = R 0 R 1 = L 0  ( F K1 (R 0 )) (L 0 : R 0 ) = IP(Plaintext) F Ki ( R i-1 ) = P(S-BOX Substitution(K i  EP( R i-1 )))

65. 65 Summary of Key operations KA = PC1(K) Intermediate steps: KB1 = LS -j (KA); LS -j is left circular shift by j bits, on the two halves of the 56 bits separately. j can have a value of 1 or 2 ( in rounds 3-8 and 10-15). KB2 = LS -j (KB1) KB3 = LS -j (KB2). KB i = LS -j (Kb i-1 ). KB16 = LS -j (KB15) The Round Key: K i = PC2(KBi)

66. 66 Complementation Property of DES E(K’,P’) = (E(K,P))’ PROOF: On taking complements of both the plaintext and the Key: PC1, PC2 and Shift only shuffle the bits. If all the bits of K have been inverted, all the sub-keys will also be inverted. L 0 : R 0 will also be complemented if P is complemented. (K 1  EP(R 0 )) will remain unchanged. : INPUT to S- Boxes ( Boolean Identity: A  B = A’  B’)  The outputs of S-boxes and the output of F remain unchanged.

67. 67 Complimentation Property of DES R 1 = L 0  (F K1 (R 0 )). So R 1 is complemented. ( Boolean Identity: A  B’ = (A  B)’ ) L 1 = R 0. Since R 0 is complemented, so is L 1  L 1 : R 1 is complemented. Thus going step-by-step, we can prove that E(K’,P’) = (E(K,P))’

68. 68 Problems with DES A small key size: 56 bits only A small block size: 64 bits only Complementation property

69. 69 Analysis S-boxes: Is a cryptanalytic attack possible by discovering the weakness (pattern) of S- boxes? Differential Cryptanalysis (DC): Without differential cryptanalysis – To find a key – a problem of 2 55 complexity. ie if 2 55 sets of (chosen plain text, ciphertext) are available, the key can be found. With DC, it has been proved mathematically: the problem reduces to 2 47 chosen plaintext messages.

70. 70 Each round of Encryption After IP, 64 bits are divided into left-half (L(0)) and Right-half (R(0)). CALLED m 0 and m 1, in the slides of Differential Cryptoanalysis. L(0): R(0) is the input to Round 1 of encryption. During Round1, L(0):R(0) will be operated by F k1 to produce L(1):R(1), where F K1 is the function F k with subkey K1.. Similarly for Round i, L i-1 :R i-1 would be the input and L i : R i will be the output. Figure 2 shows the function F Ki.

71. 71 Fig 2: single Round of DES Algorithm: a revision L i-1 R i-1 C i-1 D i-1 XOR 32bits 28 bits Expansion/ permutation (E table) Substitution/ choice (S-box) Permutation (P) Left shift (s) Permutation/contraction (permuted choice 2) L i R i C i D i 32 48 32 F K i 48

72. 72 i-th Round Revision The part in yellow, in the previous slide, shows the sub key generation. After PC1, the circular rotations are independent for the left half and the right-half. ENCRYPTION: In the i-th round, L i = R i-1 R i = L i-1  F(R i-1, Ki) = L i-1  P(S( EP(R i-1 )  Ki )) Where EP: expansion from 32 bits to 48 S: Using 8 S-boxes to convert 48 bits to 32 bits – each S box converts 6 bits to 4 bits P: permutation

73. 73 Differential Cryptanalysis Round1 Round2 Round 16 The new right half after Round1 = m 2 called R(1) earlier The new right half after Round2 = m 3 called R(2) earlier The new right half after Round16 = m 17 called R(16) earlier

74. 74 Differential Cryptanalysis After IP (L 0 : R 0 ) = (m 0 : m 1 ) Evaluating the difference: At each round, only one new block of 32 bits is created. (The other one is simply shifted from the Right side of the (i-1)st round to the Left side of the i th round.) Call the new block m i 2 <= i <= 17 The two message halves are related as follows: m i+1 = m i-1  F(m i, K i ) i= 1,2, ….16.

75. 75 One Round & m i L i-1 R i-1 XOR 32bits Expansion/ permutation (E table) Substitution/ choice (S-box) Permutation (P) L i R i 32 48 32 F K i 48 L0= m0 R0 = m1 F(Ro,K1) m 2 = L0 xor F L1 = m1 m 2 F(m 2, K2) m 3 = L1 xor F L2 = m 2 m 3 F(m 3, K3) m 4 = m 2 xor F L3 = m 3 m 4 F(m 4, K4) m 5 = m 3 xor F L4 = m 4 m 5 F(m 5, K5) m 6 = m 4 xor F L5 = m 5 m 6...

76. 76 Differential Cryptanalysis Start with 2 messages m and m’, to be encrypted by the same key With a known XOR difference Λm = m  m’ Consider at an intermediate stage, the difference between two message halves: Λm i = m i  m i ’ Then Λm i+1 = m i+1  m i+1 ’ = [ m i-1  f(m i,K i )]  [ m i-1 ’  f(m’ i,K i )]

77. 77 Differential Cryptanalysis Λm i+1 = Λ m i-1  [f(m i, K i )  f(m’ i, K i )] Consider the same sub-key for both m and m’. Consider the case where for many pairs of messages, inputs (HAVING THE SAME DIFFERENCE X) to F yields output pairs, WHICH HAVE THE SAME DIFFERENCE Y More precisely, if for a fraction p of pairs in which the input XOR is X, the output XOR is Y if we know Λ mi and Λ mi –1 with a high probability, we know Λ mi +1 with high probability. If a number of such differences are determined, the sub-key can be found.

78. 78 Differential Cryptanalysis Differential cryptanalysis : The Procedure: Begin with 2 plaintext messages m and m’ with a given difference. With an assumed key: Trace through a probable pattern of differences at the end of each round. At the end for the two 32-bit halves, there are two probable differences Λm 17 || Λm 16

79. 79 Differential Cryptanalysis With the unknown key EK (m)  EK (m’) If the two are equal, some deductions about the key bits can be made. Biham showed in 1993 that differential cryptanalysis can successfully find the Key if 2 47 chosen plaintext-ciphertext pairs are provided.

80. 80 Linear Cryptanalysis Linear Cryptanalysis: Symbols: P[i]: ith bit of plaintext C[i]:ith bit of ciphertext K[i]:ith bit of Key A[i,j,k…..] = A[i]  A[j]  A[k]  …… Given 2 47 known plaintext-ciphertext pair messages (as opposed to ‘chosen’ messages), Linear Cryptanalysis can find the key. Method:First find an equation P[  1,  2,…….,  a]  C [ß1, ß2,……., ßb] = K [r1, r2,……., rc] Where 1 <= a,b <= 64 1 <= c <= 56

81. 81 Linear Cryptanalysis The equation (on the last slide) should hold with a probability of 0.5 or more. Compute the left hand side. If it is zero more than half the time, K[r1,r2,….rc]=0 Otherwise it is 1. Such linear relations can help locate the key.

82. 82 An Application of DES: Given: Salt (12-bit) and PW Storing a Hashed password file in Unix the first 8 characters of the password,  assemble a 56-bit key from the low 7-bits of each of these 8 characters Use the key to encrypt a 64-bit data consisting of all zeros, using a slightly modified DES: E/P table (Please see the next slide to recapitulate.) modified depending upon the 12-bit SALT, 25 rounds of the DES process, rather than 16 rounds, as in the standard DES. The final 64 bits of ciphertext  Append with two 0s to get 66 bits  Eleven 6-bit characters from the set q = [., /, 0-9, A- Z, a-z]

83. 83 Fig : single Round of DES Algorithm: L i-1 R i-1 C i-1 D i-1 XOR 32bits 28 bits Expansion/ permutation (E table) Substitution/ choice (S-box) Permutation (P) Left shift (s) Permutation/contraction (permuted choice 2) L i R i C i D i 32 48 32 F K i 48

84. 84 Application: Storing a Hashed password file in Unix continued  prepended with a two character string from q i.e. 12 bits called the salt  13 characters stored in the shadow file to avoid the use of the DES chip Modification of E/P and 25 rounds The 12-bit SALT  4096 varieties of the password SALT should be a pseudo-random number

85. 85 Data Encryption Standard 15 May 1973: National bureau of Standards seeks proposals for DES; repeated on 27 th August 1974: IBM proposal, based on the work on Lucifer by Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant Tuc 17 March 1975: published in Federal Register and comments invited; after two public workshops, approved as a federal standard in Nov 1976. 15 Jan 1977: published as the standard FIPS PUB 46 by National Bureau of Standards

86. 86 Data Encryption Standard … 2 1999: National Institute of Standards and Technology declared Triple DES as the interim standard Nov 2001: Advanced Encryption Standard issued as FIPS PUB 197 standard 19 May 2005: FIPS 46-3 -- officially withdrawn, but NIST has approved Triple DES through the year 2030 for sensitive government inform