Cryptography and Network Security - PowerPoint PPT Presentation
Cryptography and Network Security, Chapter 3, Fourth Edition, by William Stallings. Lecture slides by Lawrie Brown.
Modern Block Ciphers
- now look at modern block ciphers
- one of the most widely used types of cryptographic algorithms
- provide secrecy/authentication services
- focus on DES (Data Encryption Standard)
- to illustrate block cipher design principles
Block vs Stream Ciphers
- block ciphers process messages in blocks, each of which is then en/decrypted
- like a substitution on very big characters
  - 64-bits or more
- stream ciphers process messages a bit or byte at a time when en/decrypting
- many current ciphers are block ciphers
  - broader range of applications
Illustration of Block Cipher Technique
Block Cipher Principles
- most symmetric block ciphers are based on a Feistel Cipher Structure
- block ciphers look like an extremely large substitution
- In general, for an n-bit ideal block cipher, the length of the key defined in this fashion is n x 2^n bits.
Ideal Block Cipher
Claude Shannon and Substitution-Permutation Ciphers
- Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
- form basis of modern block ciphers
- S-P nets are based on the two primitive cryptographic operations seen before:
  - substitution (S-box)
  - permutation (P-box)
- provide confusion & diffusion of message & key
Confusion and Diffusion
- cipher needs to completely obscure statistical properties of original message
- a one-time pad does this
- more practically Shannon suggested combining S & P elements to obtain:
  - diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
  - confusion – makes relationship between ciphertext and key as complex as possible
Feistel Cipher Structure
- partitions input block into two halves
- process through multiple rounds which
  - perform a substitution on left data half
  - based on round function of right half & subkey
  - then have permutation swapping halves
- implements Shannon’s S-P net concept
Feistel Cipher Design Elements
- block size
- key size
- number of rounds
- subkey generation algorithm
- round function
- fast software en/decryption
- ease of analysis
Feistel Cipher Decryption
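The Feistel structure and its decryption, as an added example that is not part of the original slides: a 16-round toy Feistel cipher on 64-bit blocks showing that decryption is the same routine with the subkeys reversed, even though the round function cannot be inverted. The round function (truncated SHA-256) and the subkey list are assumptions made for illustration; this is not DES.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(right: int, subkey: int) -> int:
    """F(R, K): truncated SHA-256, chosen because it is NOT invertible."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block: int, subkeys: list) -> int:
    """Pass a 64-bit block through one Feistel round per subkey."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    # Final swap of the halves: this is what lets the same routine decrypt.
    return (right << 32) | left


def encrypt(block: int, subkeys: list) -> int:
    return feistel(block, subkeys)


def decrypt(block: int, subkeys: list) -> int:
    # Same steps as encryption, subkeys in reverse order (SK16 ... SK1).
    return feistel(block, subkeys[::-1])


# Constructed 16-entry subkey list; a real cipher derives these with its
# subkey generation algorithm.
SUBKEYS = [(0x0F1E2D3C + i * 0x01010101) & MASK32 for i in range(16)]

if __name__ == "__main__":
    plaintext = 0x0123456789ABCDEF  # constructed sample block
    ciphertext = encrypt(plaintext, SUBKEYS)
    print(f"ciphertext : {ciphertext:016x}")
    print(f"decrypted  : {decrypt(ciphertext, SUBKEYS):016x}")
    # Forward-order subkeys do not undo the rounds.
    print(f"wrong order: {feistel(ciphertext, SUBKEYS):016x}")
```

Only XOR has to be undone during decryption, which is why F itself never needs an inverse.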
Data Encryption Standard (DES)
- most widely used block cipher in world
- adopted in 1977 by NBS (now NIST)
  - as FIPS PUB 46
- encrypts 64-bit data using 56-bit key
- has widespread use
DES History
- IBM developed Lucifer cipher
  - by team led by Feistel in late 60’s
  - used 64-bit data blocks with 128-bit key
- then redeveloped as a commercial cipher with input from NSA and others
- in 1973 NBS issued request for proposals for a national cipher standard
- IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Encryption Overview
Initial Permutation IP
- first step of the data computation
- IP reorders the input data bits
- even bits to LH half, odd bits to RH half
- quite regular in structure (easy in h/w)
- example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
DES Round Structure
- uses two 32-bit L & R halves
- as for any Feistel cipher can describe as:
  L_i = R_{i-1}
  R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
- F takes 32-bit R half and 48-bit subkey:
  - expands R to 48-bits using perm E
  - adds to subkey using XOR
  - passes through 8 S-boxes to get 32-bit result
  - finally permutes using 32-bit perm P
Single Round of DES Algorithm
Calculation of F(R, K)
The Expansion Permutation E
DES Expansion Permutation
- R half expanded to same length as 48-bit subkey
- consider R as 8 nybbles (4 bits each)
- expansion permutation
  - copies each nybble into the middle of a 6-bit block
  - copies the end bits of the two adjacent nybbles into the two end bits of the 6-bit block
Substitution Boxes S
- have eight S-boxes which map 6 to 4 bits
- each S-box is actually 4 little 4 bit boxes
  - outer bits 1 & 6 (row bits) select one row of 4
  - inner bits 2-5 (col bits) are substituted
  - result is 8 lots of 4 bits, or 32 bits
- row selection depends on both data & key
  - feature known as autoclaving (autokeying)
Box S1
col:    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
row 0: 14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
row 1:  0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
row 2:  4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
row 3: 15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
- For example, S1(101010) = 6 = 0110.
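The expansion permutation and the S1 lookup described above, as an added example that is not part of the original slides: E is built directly from the nybble rule on the slide, and the S1 table is the one published in FIPS 46. The function names and the sample R and subkey bit strings are constructed for illustration.

```python
# DES S-box S1 as published in FIPS 46 (4 rows x 16 columns).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def expand(r):
    """Expansion E: 32 items -> eight 6-item blocks (works on str or list)."""
    if len(r) != 32:
        raise ValueError("R must be 32 bits")
    nybbles = [r[i:i + 4] for i in range(0, 32, 4)]
    # end bit of the previous nybble + the nybble + first bit of the next one,
    # wrapping around at both ends of R
    return [nybbles[i - 1][-1:] + nybbles[i] + nybbles[(i + 1) % 8][:1]
            for i in range(8)]


def e_table():
    """E as 1-based source positions, derived by expanding labelled bits."""
    return [pos for block in expand(list(range(1, 33))) for pos in block]


def sbox_lookup(box, six_bits):
    """Outer bits 1 & 6 pick the row, inner bits 2-5 pick the column."""
    if len(six_bits) != 6 or set(six_bits) - {"0", "1"}:
        raise ValueError("need a 6-character bit string")
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return box[row][col]


def s1_output(r_bits, subkey_bits):
    """First 4 output bits of the S-box layer: S1(E(R)[0] XOR K[0:6])."""
    block = expand(r_bits)[0]
    mixed = "".join(str(int(a) ^ int(b)) for a, b in zip(block, subkey_bits[:6]))
    return sbox_lookup(S1, mixed)


if __name__ == "__main__":
    r = "0101" + "0" * 27 + "1"      # constructed R: block 1 of E(R) is 101010
    print(e_table()[:6], e_table()[-6:])
    print(s1_output(r, "0" * 48))              # key bits 000000
    print(s1_output(r, "100001" + "0" * 42))   # key flips both row bits
```

The last two calls use the same R and the same column bits; only the key bits that land on the row positions differ, which is the key-dependent row selection the slide mentions.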
Permutation Function (P)
DES Key Schedule
- forms subkeys used in each round
- initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
- 16 stages consisting of:
  - rotating each half separately either 1 or 2 places depending on the key rotation schedule K
  - selecting 24-bits from each half & permuting them by PC2 for use in round function F
- note practical use issues in h/w vs s/w
Permuted Choice One (PC1)
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4
Schedule of Left Shifts
Permuted Choice Two (PC-2)
DES Round in Full
DES Decryption
- decrypt must unwind steps of data computation
- with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
  - IP undoes final FP step of encryption
  - 1st round with SK16 undoes 16th encrypt round
  - ….
  - 16th round with SK1 undoes 1st encrypt round
  - then final FP undoes initial encryption IP
  - thus recovering original data value
Avalanche Effect
- key desirable property of encryption alg
- where a change of one input or key bit results in changing approx half output bits
- making attempts to “home-in” by guessing keys impossible
- DES exhibits strong avalanche
Strength of DES – Key Size
- 56-bit keys have 2^56 = 7.2 x 10^16 values
- brute force search looks hard
- recent advances have shown it is possible
  - in 1997 on Internet in a few months
  - in 1998 on dedicated h/w (EFF) in a few days
  - in 1999 above combined in 22hrs!
- still must be able to recognize plaintext
- must now consider alternatives to DES
Block Cipher Design
- basic principles still like Feistel’s in 1970’s
- number of rounds
  - more is better, exhaustive search best attack
- function f:
  - provides “confusion”, is nonlinear, avalanche
  - have issues of how S-boxes are selected
- key schedule
  - complex subkey creation, key avalanche
Summary
- have considered:
  - block vs stream ciphers
  - Feistel cipher design & structure
  - DES
    - details
    - strength
  - block cipher design principles