Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 4: Dissin’ DES The design took.

Published byErik Powers Modified over 8 years ago

Similar presentations

Presentation on theme: "David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 4: Dissin’ DES The design took."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans CS551: Security and Privacy University of Virginia Computer Science Lecture 4: Dissin’ DES The design took advantage of certain cryptanalytic techniques, most prominently the technique of “differential cryptanalysis”, which were not known in the published literature. After discussions with NSA, it was decided that disclosure of the design consideration would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography. Don Coppersmith, DES designer

2 30 Aug 2000University of Virginia CS 5512 Menu DES Key Schedule Modes of Operation Triple-DES Cryptanalysis

3 30 Aug 2000University of Virginia CS 5513 Projects Office hours: Tuesday 3:00-4:00 Wednesday after class Good time to talk to me about your project ideas!

4 30 Aug 2000University of Virginia CS 5514 DES Structure Plaintext 16x Round L0L0 R0R0  F K1K1 L1L1 R1R1 L 0 = left half of plaintext R 0 = right half of plaintext L i = R i - 1 R i = L i - 1  F ( R i - 1, K i ) C = R n || L n n is number of rounds (undo last permutation) Substitution Permutation Initial Permutation

5 30 Aug 2000University of Virginia CS 5515 DES’s F Expand and Permute (using E table) 32 bits 48 bits  KnKn Substitute (using S boxes) 32 bits Permutation

6 30 Aug 2000University of Virginia CS 5516 DES Keys K i = PC (Shift (Left (K i-1 )) || Shift (Right (K i-1 ))) Key Shift (1 or 2 bits) 56 bits 28 bits Compress/Permute KnKn Next round How do you decrypt? Are there any weak keys? Bits shifted: 1 in rounds 1,2, 9 and 16 2 in other rounds

7 30 Aug 2000University of Virginia CS 5517 Modes of Operation Transmitting a long plaintext using DES: P = P 1 || P 2 ||... || P N Electronic Codebook Mode: C = E K (P 1 ) || E K (P 2 ) ||... || E K (P N ) Problems: –Any identical blocks encrypted identically 64 bits = 8 ascii characters –Lots of ciphertext encrypted with same K

8 30 Aug 2000University of Virginia CS 5518 Cipher Block Chaining DES IV K  P1P1 C1C1 to receiver DES K  P2P2 C2C2 to receiver...

9 30 Aug 2000University of Virginia CS 5519 Cipher Block Chaining C i = E K (P i  C i - 1 )C 1 = E K (P 1  IV) Decrypt: M i = D K (C i )  C i - 1 M 1 = D K (C 1 )  IV D K (E K (P i  C i - 1 ))  C i – 1 = P i  C i - 1  C i – 1 = P i

10 30 Aug 2000University of Virginia CS 55110 Cipher Feedback Mode DES IV K  j bits P1P1 C1C1 to receiver DES K  j bits P2P2 C2C2 to receiver shift j bits...

11 30 Aug 2000University of Virginia CS 55111 Output Feedback Mode DES IV K  j bits P1P1 C1C1 to receiver DES K  j bits P2P2 C2C2 to receiver shift j bits...

12 30 Aug 2000University of Virginia CS 55112 Cipher/Output Feedback 1-bit transmission error Active eavesdropper Performance

13 30 Aug 2000University of Virginia CS 55113 Multiple Encryption

14 30 Aug 2000University of Virginia CS 55114 Multiple Encryption C = E K2 (E K1 (P)) Does it double the key space? Monoalphabetic cipher C i = K 2 [K 1 [P i ]] = K 3 [P i ] for some K 3

15 30 Aug 2000University of Virginia CS 55115 Double-Vigenère C = E K2 (E K1 (P)) Vigenère: C i = (P i + K i mod N ) mod Z C i = ((P i + K1 i mod N1 mod Z) + K2 i mod N2 ) mod Z = (P i + K1 i mod N1 + K2 i mod N2 ) mod Z if N1 = N2 : = (P i + K3 i mod N ) mod Z(K3 = K1 + K2) what if N1  N2 ?

16 30 Aug 2000University of Virginia CS 55116 Double-Vigenère K1 = "BOND" K2 = "JAMES" BONDBONDBONDBONDBONDBONDBOND +JAMESJAMESJAMESJAMESJAMESJAM =KOZHTXNPFGWDNSFMBARVKOZHTXNP Effective key length: LCM (N1, N2) = 20

17 30 Aug 2000University of Virginia CS 55117 Double DES C = E K2 (E K1 (P)) Is there a K3 such that C = E K3 (P) ? –There are 2 56 keys, and 2 64 ! mappings –If DES is good, keys map randomly to mappings. –Probability that a randomly chosen mapping corresponds to a DES key: 2 56 / 2 64 ! << 1 / 2 63 ! Effective key size of Double DES? = 2 56 * 2 56 = 2 112 WRONG!

18 30 Aug 2000University of Virginia CS 55118 Known Plaintext Attack P E E K1K1 K2K2 C P E try all possible keys X K1 X K2 X K2 56 C D try all possible keys Y K1 Y K2 Y K2 56 One X Ki = Y Kj means K 1 = K i and K 2 = K j

19 30 Aug 2000University of Virginia CS 55119 Meet-in-the-Middle Attack C = E K2 (E K1 (P)) X = E K1 (P) = D K2 (C) Brute force attack (given one P/C pair): calculate E K1 (P) for all keys (2 56 work) calculate D K2 (C) for all keys (2 56 work) the match gives the keys Total work = 2 * 2 56 = 2 57

20 30 Aug 2000University of Virginia CS 55120 2-Key Triple DES C = E K1 (D K2 (E K1 (P))) Why D K2 not E K2 ? –Backwards compatibility with DES –If K1 = K2: C = E K1 (D K1 (E K1 (P))) = E K1 (P) Actual key size = 56 + 56 bits = 112 bits Meet-in-the-middle? –X = E K1 (P) = D K1 (E K2 (C)) 2 56 need to try 2 112

21 30 Aug 2000University of Virginia CS 55121 How secure is Triple-DES Brute force search: 2 112 keys –Best DES attack: 245 B keys/second –  6.7 * 10 14 years (compared to 22 hours) –10 11 years = total lifetime of universe (closed universe theory) Best known attack - reduces to 2 120-log 2 n –n = number of known P-C pairs –n = 2 64, work is 2 56 Realistic?

22 30 Aug 2000University of Virginia CS 55122 3-Key Triple DES C = E K3 (D K2 (E K1 (P))) H(K) = 168 Used by PGP, S/MIME How much work to brute-force? –Meet-in-the-middle: X = D K3 (C) = D K2 (E K1 (P)) 2 56 + 2 112

23 30 Aug 2000University of Virginia CS 55123 DES Attacks Last time: brute force –Best result: 22 hours –But no where near good enough for 3DES Differential Cryptanalysis Power Cryptanalysis

24 30 Aug 2000University of Virginia CS 55124 Differential Cryptanalysis [Biham & Shamir, 1990] Choose plaintext pairs with fixed difference:  X = X  X’ Use differences in resulting ciphertext to guess key probabilities With enough work (2 47 ) and enough chosen plaintexts (2 47 ) can find key (compared to 2 56 brute force work) Takes 3 years of 1.5Mbps encrypting chosen plaintext!

25 30 Aug 2000University of Virginia CS 55125 One Round 32 bits 48 bits  KnKn S 32 bits P E/P 32 bits 48 bits  S 32 bits P X X’ E/P  X = X  X’  X i = 0 iff X i = X i ’ X1 X1’ X2 X2’ X3’ X4’ X4 X3 E/P preserves values: X i = 0  X1 ep(i) = X1 ep(i) ’ where ep(i) is a function defined by the E table  preserves values: X2 i = X1 i  K n X2 i ’ = X1 i ’  K n  X i = 0  X2 ep(i) = X2 ep(i) ’

26 30 Aug 2000University of Virginia CS 55126 One Round, cont. S P S P X2 X2’ X3’ X4’ X4 X3  X i = 0  X2 ep(i) = X2 ep(i) ’ X3 i = X3 i ’  X4 p(i) = X4 p(i) ’ S-boxes are non-linear!  X i = 0  X3 s(ep(i)) = X3 s(ep(i)) ’ But, maybe they do probabilistically:  X i = 0  p(X3 s(ep(i)) = X3 s(ep(i)) ’) >.5 ? p(X3 s(ep(i)) = X3 s(ep(i)) ’) <.5 ? Its a function of the key: p determined experimentally. (Known from ciphertext)

27 30 Aug 2000University of Virginia CS 55127 S-box: S1 0123456789ABCDEF E4D12FB83A6C5907 0F74E2D1A6CB9538 41E8D62BFC973A50 FC8249175B3EA06D 6 bits: x 1 x 2 x 3 x 4 x 5 x 6 x1x6x1x6 00 01 10 11 x 2 x 3 x 4 x 5 select column 4 inputs to S1 produce 0: 011100, 000001, 111110, 111011

28 30 Aug 2000University of Virginia CS 55128 Partial pair XOR Distribution, S1 Output XOR 0123456789ABCDEF 064000000000000000 10000624401012410624 200080444068612642... 3F4842402442488622 Input XOR

29 30 Aug 2000University of Virginia CS 55129 S-box: S1 0123456789ABCDEF E4D12FB83A6C5907 0F74E2D1A6CB9538 41E8D62BFC973A50 FC8249175B3EA06D 00 01 10 11 Difference in last input bit difference in output bits 0101 0001 + 0101 = 0100 (1 XOR 5 = 1) 1011 + 0101 = 1110 (B XOR 5 = E)

30 30 Aug 2000University of Virginia CS 55130 Differential Cryptanalysis Propagate experimental probabilities for 1 round through 16 rounds After enough P-C pairs, one key becomes most probable Difficulty depends heavily on S-Box choices First published in 1990, but DES designers knew about it in 1973!

31 30 Aug 2000University of Virginia CS 55131 Differential Cryptanalysis “Successful” on DES up to 15 rounds (better than exhaustive search) By 16 th round, characteristics probabilities are 2 -56 Very successful on DES variants (breaks GDES with 6 chosen plaintexts) Very successful on FEAL (FEAL-4, FEAL-8, FEAL-N, FEAL-NX,...)

32 30 Aug 2000University of Virginia CS 55132 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current (mA) 3.75 3.50 3.25 0 8.0 Time (mS)

33 30 Aug 2000University of Virginia CS 55133 DES Power Consumption 16 DES Rounds 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Detail: Round 2 Round 3 From http://www.cryptography.com/dpa/technical/index.html Microprocessors use different amount of power depending on what they are doing!

34 30 Aug 2000University of Virginia CS 55134 Power Analysis Scenario Attacker has physical device that encrypts and decrypts using a secret key Is this realistic? Smart Cards (Mondex)

35 30 Aug 2000University of Virginia CS 55135 Side Channel Cryptanalysis Regular Cryptanalysis: mathematical –Attacker sees inputs, outputs Side Channel Cryptanalysis –Attacker sees something else: power consumption, encryption/decryption time, radiation, etc. Depends on implementation of algorithm

36 30 Aug 2000University of Virginia CS 55136 Measuring Power Consumption Add a resistor between power source and device, measure voltage across resistor I = V/R Can sample at over 1GHz with < 1% error

37 30 Aug 2000University of Virginia CS 55137 Power Use Reveals Key Current for a left shift depends on leftmost bit: –if 1, need to set rightmost bit after DES key schedule uses shifts, can tell bits in key! Current for XOR may depend on number of switches

38 30 Aug 2000University of Virginia CS 55138 Defenses Reduce signal –Physical shielding, microprocessor design (make all shifts use same power, etc.) Introduce random noise –Change execution order, do random computation, etc. Design cryptosystems with DPA in mind –Nonlinear key updates between transactions

39 30 Aug 2000University of Virginia CS 55139 Charge Continue thinking about project ideas –Office hours: tomorrow 3:00-4:00 Next time: modern block ciphers –Read AES papers before next class

Download ppt "David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 4: Dissin’ DES The design took."

Similar presentations

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.

DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
CS 682 - Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.

CS Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.

Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.
Announcements: Quizzes graded, but not in gradebook. (Current grade gives 0 on the parts you shouldn’t have done .) Quizzes graded, but not in gradebook.

Announcements: Quizzes graded, but not in gradebook. (Current grade gives 0 on the parts you shouldn’t have done .) Quizzes graded, but not in gradebook.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.

CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
CSE 651: Introduction to Network Security

CSE 651: Introduction to Network Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

Similar presentations

Ads by Google