Beruflich Dokumente
Kultur Dokumente
DES
DES: The Data Encryption Standard /
DEA: Data Encryption Algorithm
Adopted by NIST as Federal Information Processing Standard 46 (FIPS PUB
46) in 1977.
The algorithmic implementation of DES is known as DEA for
Data Encryption Algorithm.
Based on a cipher (Lucifer) developed earlier by IBM for Lloyd’s of London
for cash transfer.
Data is encrypted in 64-bit blocks using a 56-bit key
Output is also 64 bits in size
DES uses the Feistel cipher structure with 16 rounds of processing.
The key is specified with 8 bytes, but one bit of each byte is used as a parity
check. Hence 56 bit.
DES encryption was broken in 1999 by Electronics
Frontiers Foundation (EFF, www.eff.org). This resulted in
NIST issuing a new directive that year that required
organizations to use Triple DES, that is, three consecutive
applicationsof DES. (That DES was found to be not as strong
as originally believed also prompted NIST to initiate the
development of new standards for data encryption. The result
is AES that we will discuss later.)
Triple DES continues to enjoy wide usage in commercial
applications even today. To understand Triple DES, you must
first understand the basic DES encryption.
As mentioned, DES uses the Feistel structure
with 16 rounds.
What is specific to DES is the implementation of
the F function in the algorithm and how the round
keys are derived from the main encryption key.
The round keys are generated from the main key
by a sequence of permutations. Each round
key is 48 bits in length.
DES Algorithm
DES
Encryption
It is inferred that the initial and final permutations are easy to implement on hardware
chips with 8 bit inetfaces(which was popular when DES was invented) and . The
contents of the table are chosen to reduce the crisscrossing of wires to realize the
permutations.
DES
The dotted rectangle
constitutes the F function.
1.Expansion/Permutation
2.Key Mixing
3.SBox
4.PBox based
Permutation
Fiestel Function-DES
1)Expansion/Permutation
The 32bit right half of the 64bit input data block is expanded by into a 48bit
block. This is referred to as the expansion permutation step, or the Estep.
The Estep entails the following:
– first divide the 32bit block into eight 4bit words
– attach an additional bit on the left to each 4bit word that is the last bit of the
previous 4bit word
– attach an additional bit to the right of each 4bit word that is the beginning bit
of the next 4bit word.
Note that what gets prefixed to the first 4bit block is the last bit of the last 4bit
block. By the same token, what gets appended to the last 4bit block is the first
bit of the first 4bit block
Fiestel Function-DES
Expansion Table
Expansion Table
Fiestel Function-DES
2) Key Mixing
The round key(48 bit) is used
only in this function
The 56-bit key is divided into two
halves, each half shifted separately,
and the combined 56-bit key
permuted/contracted to yield a 48-bit
round key. How this is done will be
explained later.
The 48 bits of the expanded output
produced by the E-step are XORed
with the round key. This is referred
to as key mixing.
Fiestel Function-DES
3) SBox
The output produced by the previous step
is broken into eight six-bit words. Each
six-bit word goes through a substitution
step;its replacement is a 4-bit word. The
substitution is carried out with an S-
box[ The name “S-Box” stands for “Substitution
Box”. ]
So after all the substitutions, we again end
up with a 32-bit word.
4) Pbox based Permutation
The 32-bits of the previous step then go
through a P-box based permutation.
Fiestel Function-DES
The SBox for the Substitution Step in
Each Round
Fiestel Function-DES
Definition of SBoxes
used in DES
Note that the goal of the
substitution step
implemented by the Sbox is
to introduce diffusion in
the generation of the output
from the input. Diffusion
means that each plaintext bit
must affect as many ciphertext
bits as possible.
Permutation Function P
Single Round-DES
What comes out of the P-
box is then XORed with
the left half of the 64-bit
block that we started out
with. The output of this
XORing operation gives
us the right half block for
the next round.
Round Processing-DES
24
DES
WHAT MAKES DES A STRONG CIPHER (TO THE
EXTENT IT IS A STRONG CIPHER)
1) Avalanche Effect
The substitution step is very effective as far as diffusion is concerned. It
has been shown that if you change just one bit of the 64bit input data
block, on the average that alters 34 bits of the ciphertext block.
The manner in which the round keys are generated from the encryption
key is also very effective as far as confusion is concerned. It has been
shown that if you change just one bit of the encryption key, on the average
that changes 35 bits of the ciphertext.
2)BruteForce Attack
The 56bit encryption key means a key space of size 2 56 ≈ 7.2 × 10 16
Assuming that, on the average, you’d need to try half the keys
in a bruteforce attack, a machine able to process 1000 keys per
microsecond would need roughly 13 months to break the code.
However, a parallelprocessing machine trying 1 million keys si
multaneously would need only about 10 hours. (EFF took
three days on a specially architectured machine to
break the code.)
2)One of the most significant advances in cryptanalysis in recent years
is differential cryptanalysis. We will talk of the technique and the
applicability to DES
Table 3.2
DES
Example
Note: DES subkeys are shown as eight 6-bit values in hex format
DES Example
Avalanche Effect
Aim: small change in key (or plaintext) produces large change in
ciphertext
Avalanche effect is present in DES (good for security)
Following examples show the number of bits that change in output
when two different inputs are used, differing by 1 bit
Plaintext 1: 02468aceeca86420
Plaintext 2: 12468aceeca86420
Ciphertext difference: 32 bits
Key 1: 0f1571c947d9e859
Key 2: 1f1571c947d9e859
Ciphertext difference: 30
Table 3.3 Avalanche Effect in DES: Change in Plaintext
Table 3.4 Avalanche Effect in DES: Change in Key
Table 3.5
Average Time Required for Exhaustive Key Search
Key size
Although 64 bit initial key, only 56 bits used in
encryption (other 8 for parity check)
256 = 7.2 x 1016
1977: estimated cost $US20m to build machine
to break in 10 hours
1998: EFF built machine for $US250k to break
in 3 days
Today: 56 bits considered too short to
withstand brute force attack
3DES uses 128-bit keys
Attacks on DES
Timing Attacks
Information gained about key/plaintext by observing how
long implementation takes to decrypt
No known useful attacks on DES
Differential Cryptanalysis
Observe how pairs of plaintext blocks evolve
Break DES in 247 encryptions (compared to 255); but require
247 chosen plaintexts
Linear Cryptanalysis
Find linear approximations of the transformations
Break DES using 243 known plaintexts
Timing Attack : In cryptography, a
timing attack is a side channel
attack in which the attacker
attempts to compromise a
cryptosystem by analyzing the
time taken to execute
cryptographic algorithms. Every
logical operation in a computer
takes time to execute, and the
time can differ based on the
input; with precise
measurements of the time for
each operation, an attacker can
work backwards to the input.
In computer security, a side-channel attack is any
attack based on information gained from the
implementation of a computer system, rather than
weaknesses in the implemented algorithm itself
(e.g. cryptanalysis and software bugs). Timing
information, power consumption, electromagnetic
leaks or even sound can provide an extra source
of information, which can be exploited.
Differential Crptanalysis
●
Eli Biham and Adi Shamir in 1990
●
Chosen-plaintext attack
●
A statistical attack against Fiestel Cipher
●
exploits the relationship between the difference of two inputs and the difference of the
corresponding two outputs
●
why look at the difference? because in an SPN,
the key does not influence the value of the difference!
X’=1001 k=1010 y’=0011=x’ ⊕k
x’’=1100 y’’=0110=x’’⊕k
Δx=0101 Δy=0101
●
Cryptanalyst finds the probability of a particular output difference for a given input difference
●
This attack will not recover the key, it will reduce the range of possible intermediate values
down to number that is manageable.
In a perfectly randomized cipher, the probability of a
given output difference MY, given an input
difference MX, is (1⁄2) m ,where m is the number
of bits
DES Algorithm Design
DES was designed in private; questions about the
motivation of the design
S-Boxes provide non-linearity: important part
of DES, generally considered to be secure
S-Boxes provide increased confusion
Permutation P chosen to increase diffusion
Multiple Encryption with DES
DES is vulnerable to brute force attack
Alternative block cipher that makes use of DES
software/equipment/knowledge: encrypt multiple
times with different keys
Options:
1. Double DES: not much better than single DES
2. Triple DES (3DES) with 2 keys: brute force 2112
3. Triple DES with 3 keys: brute force 2168
Double Encryption