Presentation is loading. Please wait.

Presentation is loading. Please wait.

Week 3 - Monday.  What did we talk about last time?  Secure encryption  DES.

Published byAlicia Malone Modified over 8 years ago

Similar presentations

Presentation on theme: "Week 3 - Monday.  What did we talk about last time?  Secure encryption  DES."— Presentation transcript:

1 Week 3 - Monday

2  What did we talk about last time?  Secure encryption  DES

3

4

5 Yuki Gage

6

7  DES has 16 rounds  The book calls them cycles  In each round, the input is broken into 2 halves, manipulated, and combined with part of the key Input Permutation Left 0 Right 0 f f Key 1 Left 1 Right 1 + + Left 0 Right 0

8  DES uses bitwise operations as well as lookup tables  DES has 8 substitution boxes (S-boxes) which take 6 bits of data and give back 4

9  The expansion permutation takes 32 input bits and expands them into 48 bits while permuting them  16 bits are repeated  These 48 bits are XORed with the round key  The resulting 48 bits are substituted through S-boxes which produces a 32 bit result  The final 32 bits are permuted Expansion Permutation XOR with Key S-boxP-box

10  The encryption key is 64 bits, but only 56 bits are used  The other 8 bits are for parity  Each of the 16 rounds has a 48 bit round key  To produce the round key, the left and right halves of the 56 bit key are independently shifted by either 1 or 2 bits, depending on the round  48 bits are chosen and permuted by a key transformation box

11  There is an initial permutation before the rounds  There is a final permutation after the rounds  Otherwise, each round feeds into the next one

12

13  The NSA tinkered with DES  They shortened the key length from the original 128 bits of Lucifer to 56  They changed the S-boxes  People were concerned that the NSA had introduced a trapdoor so that they could read messages  Eventually, the NSA released information about the choice of S-boxes:  No S-box is a linear or affine function of its input  Changing 1 bit of the S-box input changes at least 2 bits of its output  If a single bit is held constant, changing the others should not radically change the total number of 1s or 0s in the output

14  In 1990, researchers independently discovered differential cryptanalysis  It uses related plaintext-ciphertext pairs to trace small changes in input to the output  The changes the NSA made to the S-boxes made them significantly more resistant to differential cryptanalysis  Declassified explanations show that people at IBM and the NSA knew about differential cryptanalysis in the 1970s

15  DES has four weak keys that are their own inverse  Encryption = decryption for these keys  They are all 1s, all 0s, or half and half  DES has six pairs of semiweak keys  Encryption with one key is the same as decryption with the other in the pair  Complements:  If c = DES(p, k) then  c = DES(  p,  k)  These problems are easily avoidable  Don’t use weak or semiweak keys  People are usually not encrypting the negation of a plaintext with the negation of a key

16  DES is fast  Easy to implement in software or hardware  Encryption is the same as decryption  Triple DES is still standard for many financial applications  Resistant to differential and linear cryptanalysis (2 47 and 2 43 known pairs required, respectively)

17  Short key size  Brute force attack by EFF in 1998 in 56 hours then in 1999 in just over 22 hours  Brute force attack by University of Bochum and Kiel in 9 days in 2006 (but, using a machine costing only $10,000)  If you could check 1,000,000,000 keys per second (which is unlikely with a commodity PC), it would take an average of 417 days to recover a key

18

19  The short key size leaves DES vulnerable to brute force attacks  How can we make up for this weakness?  Possibilities:  Encrypt twice with DES  Encrypt three times with DES ……

20  "DES is wrong if you listen to NIST, Double DES ain't no better, man, that got dissed" --MC Plus+  Double DES encrypts a plaintext with DES twice, using two different keys  Double DES is susceptible to a meet-in-the- middle attack  This attack uses a space-time tradeoff  Although two keys should mean 56 + 56 = 112 bits of security or 2 112 time for a brute force attack, the meet-in-the-middle attack can run in roughly 2 57 or 2 58 time, using 2 56 space

21 Encrypt P 1 Decrypt C 1  Two pairs of plaintexts and ciphertexts are needed  Encrypt P 1 with all possible keys and save them  Decrypt C 1 with all possible keys  If the result matches anything in the list, use the key to encrypt P 2  If that matches C 2, you win!  On the left, I show all the decryptions, but only the encryptions need to be stored

22  Although susceptible to a brute force attack, DES has no other major weaknesses  Double DES can be defeated by an extension of the brute force attack  What about triple DES?  Let E K (X) and D K (X) be encryption and decryption using DES with key K  Triple DES uses keys K1, K2, and K3  C = E K1 (D K2 (E K3 (M)))  Setting K1 = K2 = K3 allows for compatibility with single DES systems  Triple DES is still a standard for financial transactions with no known practical attacks

23

24  Advanced Encryption Standard  Block cipher designed to replace DES  Block size of 128-bits  Key sizes of 128, 192, and 256 bits  Like DES, has a number of rounds (10, 12, or 14 depending on key size)  Originally called Rijndael, after its Belgian inventors  Competed with 14 other algorithms over a 5 year period before being selected by NIST

25  In 1997, NIST made a call for a new encryption standard to replace DES  The algorithms had to have these properties:  Unclassified  Publicly disclosed  Royalty-free  Symmetric block ciphers for blocks of 128 bits  Usable with keys of 128, 192, and 256 bits  15 algorithms were chosen for further scrutiny  5 algorithms were finalists  NIST said that the 4 runner-up algorithms had excellent security properties  Rijndael was chosen for its efficiency

26  The 15 algorithms were CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish  The 5 finalists: AlgorithmDesigners RijndaelVincent Rijmen, Joan Daemen SerpentRoss Anderson, Eli Biham, Lars Knudsen Twofish Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson RC6 Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin MARSIBM

27  AES keeps an internal state of 128 bits in a 4 x 4 table of bytes  There are four operations on the state:  Substitute bytes  Shift rows  Mix columns  Add round key

28  Each byte is substituted for some other byte  This operation is similar to the S-box from DES  The substitution is based on the multiplicative inverse of the value in GF(2 8 )  An algebraic structure is used instead of hand picking substitution value  0 is used as its own multiplicative inverse  To break up patterns, the result of finding the multiplicative inverse is XORed with the value 99 | 0 1 2 3 4 5 6 7 8 9 a b c d e f ---|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--| 00 |63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 10 |ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 20 |b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 30 |04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 40 |09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 50 |53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 |d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 70 |51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 80 |cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 90 |60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a0 |e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b0 |e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 |ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 |70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e0 |e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df f0 |8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

29  For 128-bit blocks (those used in AES), the rows are shifted by a set amount  Row 1 is not shifted at all  Row 2 is shifted over by 1 byte  Row 3 is shifted over by 2 bytes  Row 4 is shifted over by 3 bytes  Rijndael has slightly different shifts for larger block sizes

30

31  XOR the current round key with the state  This step is very simple, except that the key schedule that generates the round key from the overall key is complex

32  AES supports key sizes of 128, 192, and 256 bits  Rijndael supports unlimited key size, in principle, as well as other block sizes  128 bit keys use 10 rounds, 192 use 12, and 256 use 14 Add round key First RoundNormal RoundLast Round

33  Strengths  Strong key size  Fast in hardware and software  Rich algebraic structure  Well-studied, open standard  Weaknesses  Almost none  A few theoretical attacks exist on reduced round numbers of AES  No practical attacks other than side channel attacks

34  No practical attacks exist on the full AES  With reduced numbers of rounds and strong attack models, there are some theoretical attacks  CP = chosen plaintexts  RK-CP = related key chosen plaintexts RoundsKey SizeDataTimeYear 6All2 32 CP2 72 1998 6All6 ∙ 2 32 CP2 44 2000 719219 ∙ 2 32 CP2 155 2000 725621 ∙ 2 32 CP2 172 2000 7All2 128 – 2 119 CP2 120 2000 81922 128 – 2 119 CP2 188 2000 82562 128 – 2 119 CP2 204 2000 92562 85 RK-CP2 224 2000 121922 123 RK-CP2 176 2009 142562 99.5 RK-CP2 99.5 2009 101282 88 CP2 126.1 2011

35  Attacks that rely on timing, measuring cache, energy consumption, or other ways an implementation leaks data are called side channel attacks  Several practical side channel attacks for AES do exist  In 2005, Bernstein found a cache-timing attack that broke an OpenSSL implementation of AES using 200 million chosen plaintexts and a server that would give him precise timing data  Later in 2005, Osvik et al. found an attack that recovered a key after 800 encryptions in only 65 milliseconds, with software running on the target machine  In 2009, Saha et al. found an attack on hardware using differential fault analysis to recover a key with a complexity of 2 32  In 2010, Bangerter et al. found a cache-timing attack that required no knowledge of plaintexts or ciphertexts and could work in about 3 minutes after monitoring 100 encryptions

36 DESAES Date19761999 Block size64 bits128 bits Key length56 bits128, 192, 256 bits Encryption primitivesSubstitution, permutation Substitution, shift, bit mixing Cryptographic primitivesConfusion, diffusion DesignOpen Design rationaleClosedOpen Selection processSecret Secret with public comment SourceIBM with NSA helpIndependent Belgians Security Broken if you’ve got the resources No practical attacks yet

37

38  Finish AES  Public key cryptography background  Omar Mustardo presents

39  Keep reading Section 2.5  Keep working on Assignment 1  Due this Friday by midnight

Download ppt "Week 3 - Monday.  What did we talk about last time?  Secure encryption  DES."

Similar presentations

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
Week 3 - Wednesday.  What did we talk about last time?  DES  Started AES.

Week 3 - Wednesday.  What did we talk about last time?  DES  Started AES.
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Chapter 3  Symmetric Key Cryptosystems 1 Overview  Modern symmetric-key cryptosystems o Data Encryption Standard (DES)  Adopted in 1976  Block size.

Chapter 3  Symmetric Key Cryptosystems 1 Overview  Modern symmetric-key cryptosystems o Data Encryption Standard (DES)  Adopted in 1976  Block size.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
The Advanced Encryption Standard (AES) Simplified.

The Advanced Encryption Standard (AES) Simplified.
Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.

Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.
Computer Science CSC 405By Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 2. Basic Cryptography (Part II)

Computer Science CSC 405By Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 2. Basic Cryptography (Part II)
Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)

Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Modern Cryptography.

Modern Cryptography.
Cryptography and Network Security

Cryptography and Network Security
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption

Similar presentations

Ads by Google