Sie sind auf Seite 1von 22

Lecture 3: Block Ciphers: Practical Instantiation of PRP

CS6903: Modern Cryptography Spring 2010

Nitesh Saxena

DES – Data Encryption Standard

Encrypts by series of substitution and transpositions. Based on Feistel Structure Worldwide standard for more than 20 years. Has a history of controversy. Designed by IBM (Lucifer) with later help (interference?) from NSA. No longer considered secure for highly sensitive applications. Replacement standard AES (advanced encryption standard) recently completed.

3/1/2011

Lecture 1 - Introduction

2

DES - Overview
3/1/2011
Lecture 1 - Introduction
3
DES – Each iteration.
3/1/2011
Lecture 1 - Introduction
4
DES – Function F
3/1/2011
Lecture 1 - Introduction
5

3/1/2011

Lecture 1 - Introduction

6

Operation Tables of DES (Key Schedule, PC-1, PC-2)

3/1/2011

Lecture 1 - Introduction

7

Operation Tables (IP, IP -1 , E and P)

3/1/2011

Lecture 1 - Introduction

8

S-boxes: S1
0000
0001 0010
0011 0100
0101 0110
0111
1000
1001 1010
1011 1100
1101 1110
1111
14
4
13
1
2
15
11
8
3
10
6
12
5
9
0
7
00
01
0
15
7
4
14
2
13
1
10
6
12
11
9
5
3
8
10
4
1
14
8
13
6
2
11
15
12
9
7
3
10
5
0
11
15
12
8
2
4
9
1
7
5
11
3
14
10
0
6
13

Sj

S (b1b 2 b 3b 4 b 5b 6 )

Is the table entry from

row b b

:

1

2

column b b b b

:

3

4

5

6

S ( 011001) = 6 d = 0110

3/1/2011

Lecture 1 - Introduction

9

DES Decryption

Same as the encryption algorithm with the “reversed” key schedule – NEXT!

3/1/2011

Lecture 1 - Introduction

10

x
Plain text
Initial permutation (IP)
L
0
R
0
Round-1 (key K 1 )

R

0

L 0 F ( R 0 , K 1)

Rounds 2-15

L15

R15

Round-16 (key K 16 )

 R15 L15 ⊕ F ( R15 , K 16 ) L15 ⊕ F ( R15 , K 16 ) R15

3/1/2011

y

swap

IP inverse

Cipher text

Lecture 1 - Introduction

11

decryptencrypt

L15 ⊕ F ( R15 , K 16 )
R15
IP inverse

y

Cipher text IP

L15 F ( R15 , K 16 )

R15

Round-1 (K 16 )

L15 F ( R15 , K 16 ) F ( R15 , K 16 )

R15

=

R15

L15

Since

3/1/2011

Lecture 1 - Introduction

= 0

b 0 = b

b b

12

DES Security

S-Box design not well understood (secret). Has survived some recent sophisticated attacks (differential cryptanalysis) Key is too short. Hence is vulnerable to brute force attack. 1998 distributed attack took 3 months. \$1,000,000 machine will crack DES in 35 minutes – 1997 estimate. \$10,000 – 2.5 days.

3/1/2011

Lecture 1 - Introduction

13

DES Cracking machine

14

3/1/2011

Lecture 1 - Introduction

Super-encryption.

If key length is a concern, then instead of encrypting once, encrypt twice!! C = E K2 (E K1 (P)) P = D K2 (D K1 (C)) Does this result in a larger key space? Encrypting with multiple keys is known as super-encryption. May not always be a good idea.

3/1/2011

Lecture 1 - Introduction

15

Double DES

K

1

K

2

P

E

E

X

C

Encryption

C

K

2

K

1

D

X

D

Decryption

P

Double DES is almost as easy to break as single DES (Needs more memory though)!

3/1/2011

Lecture 1 - Introduction

16

Double DES – Meet-in-the-middle Attack (due to Diffie-Hellman)

Based on the observation that, if

= E K2 (E K1 (P))

C

Then

X

= E K1 (P) = D K2 (C).

Given a known (P, C) pair, encrypt P with all possible values of K and store result in table T.

Next, decrypt C with all possible keys K and check result. If match occurs then check key pair with new known (P, C) pair. If match occurs, you have found the keys. Else continue as before. Process will terminate successfully.

3/1/2011

Lecture 1 - Introduction

17

Meet-in-the-middle Explanation.

The first match does not say anything as we have 2 64 ciphertexts and 2 112 keys. On the average 2 112 / 2 64 = 2 48 keys will produce same ciphertext. So there could be 2 48 possible candidates We can use a second pair (P’,C’) So, probability that false alarm will survive two known (P, C) pairs is 2 48 / 2 64 = 2 -16 . One can always check a third pair to further reduce the chance of a false alarm.

3/1/2011

Lecture 1 - Introduction

18

Triple DES

K

1

K 2

K 1

A

P

B

EDE

C

Encryption

K

1

K 2

K 1

B

A

C

DED

Decryption

P

Triple DES (2 keys) requires 2 112 search. Is reasonably secure. 3 keys requires 2 112 .

3/1/2011

Lecture 1 - Introduction

19

DES Encryption modes

Electronic Code Book (ECB) Cipher Block Chain (CBC)

3/1/2011

Lecture 1 - Introduction

20

Electronic Code Book (ECB) Mode

Although DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode.

K

K

Time = 1

P1
DES
Encrypt

K

Time = 2

P2
DES
Encrypt

K

Time = N

PN

DES

Encrypt

C1
C2
CN
C1
C2
CN
DES
DES
DES
Decrypt
K Decrypt
K Decrypt
• •
P1
P2
PN

If same key is used then identical plaintext blocks map to identical ciphertext.

3/1/2011

Lecture 1 - Introduction

21

Cipher Block Chain (CBC) Mode.

K

K

Time = 1

Time = 2

P1
P2
IV
+
+
DES
DES
Encrypt
K Encrypt
C1
C2
C1
C2
DES
DES
K
Decrypt
Decrypt
IV
+
+
P1
P2

• •

• •

CN-1

K

K

CN-1

Time = N PN

+
DES
Encrypt
CN
CN
DES
Decrypt

+

PN

3/1/2011

Lecture 1 - Introduction

22