Data Encryption Standard (DES) - PowerPoint PPT Presentation

Data Encryption Standard (DES) 密碼學與應用 海洋大學資訊工程系 丁培毅 丁培毅 1

DES DES • Data Encryption Standard (Data Encryption • Data Encryption Standard (Data Encryption Algorithm, DEA) • 1973 National Bureau of Standards (NBS) RFP 1973 N ti l B f St d d (NBS) RFP • 1974 IBM LUCIFER • National Security Agency (NSA) modified it • 1977 NBS officially made it a standard • 1977 NBS officially made it a standard • major controversies: – 56-bit key size too short, 2 56  7.2 ꞏ10 16 56 16 – NSA involvement (trapdoor?) Note: A general purpose computer can do 2 ꞏ 10 9 ~ 2 30.9 instructions/sec, there are 365*86400~ 2 24.9 seconds/year i.e. 2 55.8 ~6.4 ꞏ10 16 instructions/year 2

NSA’s Evil Claws NSA s Evil Claws • NSA backdoors in RSA’s BSafe library – Sept. 2013, RSA denied that “NSA has paid $10M to RSA to put the probably flawed Dual-EC-DRBG/NIST SP 800-90 as the default PRNG”. Dual-EC-DRBG algorithm is fatally the default PRNG . Dual EC DRBG algorithm is fatally flawed, as Ferguson and Shumow pointed out in 2007. – Jan. 2014, Extended Random protocol (designed by NSA) to the discredited Dual Elliptic Curve random number generator - speed up the discovery of keys 65000 times • Malware -- Regin Mal are Regin – First appeared 2011, Nov. 2014 Kaspersky: The Regin platform: nation-state ownage of GSM networks platform: nation state ownage of GSM networks • Worldwide surveillance project: PRISM – June 2013 Edward Snowden disclosed NSA’s PRISM June. 2013, Edward Snowden disclosed NSA s PRISM 3

DES DES • Used extensively in computer network • Used extensively in computer network environments and electronic commerce • Major Attacks: M j A k – Hardware DES crackers: 1977 Diffie and Hellman 1993 Wiener, 1997 Verser, 1998 EFF – 1990 Biham and Shamir, Differential Cryptanalysis – 1993 Masui, Linear Cryptanalysis • Five-year reviews: 1982, 1987, 1992 passed Five year reviews: 1982, 1987, 1992 passed (http://www.itl.nist.gov/fipspubs/fip46-2.htm) , 1997?? • Replacement: 2000 NIST AES (Rijndael) • Replacement: 2000 NIST AES (Rijndael) 4

Simplified DES Type Algorithm Simplified DES-Type Algorithm • A Block cipher: p – 12-bit message, written in the form L 0 R 0 , each 6 bits – 9-bit key K 9 bit key K – n rounds, each round converts L i-1 R i-1 to L i R i using an 8-bit key K i derived from K (starting from the i- 8 bi k K d i d f K ( i f h i th bit of K) – main part is a nonlinear round function f(R i-1 , K i ) which is called a Feistel (1973 IBM LUCIFER) system, commonly used in many symmetric encryption schemes that maximize the effects of Shannon’s “Confusion” and “Diffusion” 5

Feistel System Feistel System • f(R • f(R i-1 , K i ) takes a 6-bit input R i-1 and an 8-bit K ) takes a 6 bit input R and an 8 bit input K i , and produces a 6-bit output L i = R i-1 and R i = L i-1  f(R i-1 , K i ) starting from the i-th from the i th K i bit of K L i-1 R i-1 8 6 6 f an emulated one-time pad one time pad L i R i 6

Feistel System Feistel System • How to encrypt/decrypt with a Feistel structure? K n L n-1 R n-1 L 0 R 0 K 1 0 0 f DES f L 1 R 1 K 2 identical f key key L n L R R n L n-1 R n-1 K n f L n R n K n R n L n K n R n L n f DES -1 f R n-1 L n-1 K n-1 f R 1 K 1 L 1 R n-1 L n-1 f R 0 L 0 L 0 R 0 7

Feistel System Feistel System • Another view: K n L n-1 R n-1 K ' f R n L n K K n K ' f L L n-1 R R n-1 • Intuitively, f(ꞏ) should be designed s.t. 1) output K' is not correlated to L 1). output K is not correlated to L n-1 or R n ; or R ; 2). K' is as random (unpredictable) as possible; 3) K' can not be reproduced from R 3). K can not be reproduced from R n-1 (or L n ) without knowing K n ; (or L ) without knowing K ; 4). given many pairs of (L n-1 , R n , R n-1 ), it should not be easy to deduce K (f(ꞏ) should behave like a one way function w r t deduce K n (f(ꞏ) should behave like a one way function w.r.t input 8 K actually not possible for the limited bit length)

Feistel Type of Systems Feistel Type of Systems Block Size Key Size # Rounds DES 64 56 16 Double-DES 64 112 32 Triple-DES Triple DES 64 64 168 168 48 48 IDEA 64 128 8 Blowfish 64 32..448 16 RC5 C5 32, 64, 128 0..2048 3 , 6 , 8 0.. 0 8 variable va ab e CAST-128 64 40..128 16 RC2 RC2 64 64 8 1024 8..1024 16 16 9

Design of f(R Design of f(R i-1 , K i ) K ) • f(R i f(R i-1 , K i ) provides an autokey stream for encrypting L i-1 K i ) provides an autokey stream for encrypting L i R i-1 The expander function E(•) The expander function E( ) 6bits 1 2 3 4 5 6 E(•) ( ) 1 2 4 3 4 3 5 6 E(R i-1 ) 8bits  K i S-boxes (Substitution-boxes) 4bits 4bits 101 010 001 110 011 100 111 000 S S 1 S 1 S 2 001 100 110 010 000 111 101 011 3bits 3bits 100 000 110 101 111 001 011 010 S S 2 f(R i-1 , K i ) 101 011 000 111 110 010 001 100 10

Design of f(R Design of f(R i-1 , K i ) K ) • What happens if there were no E(ꞏ) and S 1 S 2 ? What happens if there were no E( ) and S 1 , S 2 ? K i ' = f(R i-1 , K i ) = R i-1  K i means that once you know a set of L i-1 R i-1 R i you know K i K i = R i-1  L i-1  R i the overall DES output is then a linear function of inputs and keys K i ’s, you can solve system of equations for K i ’s if you have ke s K ’s o can sol e s stem of eq ations for K ’s if o ha e enough pairs of (plaintext, ciphertext)’s. • What happens if S • What happens if S 1 , S 2 are linear operator like division ? S are linear operator like ‘division’? -1 (y) could be one of the 2 pre-images x of S 1 , namely, S 1 -1 (y)=2 ꞏ y or S 1 -1 (y)=2 ꞏ y+1, S 1 1 1 L = E(R i-1 ) L  2 ꞏ (L i-1  R i ) L -1 (y)=2 ꞏ y then K i if S 1 the overall DES output is still a linear function • S 1 , S 2 are transformations requiring table lookup, nonlinear S S f i i i bl l k li 11

Differential Cryptanalysis Differential Cryptanalysis • Biham and Shamir, “Differential cryptanalysis of DES-like yp y cryptosystems,” Crypto90 • Probably were known to the designers of DES at IBM and NSA, Coppersmith. • Compare the differences in the plaintexts and the • Compare the differences in the plaintexts and the ciphertexts (XOR) for suitably chosen pairs of plaintexts and deduce information about the key and deduce information about the key. Note: XOR of two uniformly random bits should be uniformly random y y DES can be viewed as a PRNG, its output is close to random. • Chosen plaintext attack: have access to an encryption engine 12

Differential Cryptanalysis Differential Cryptanalysis • Idea 1: The key is introduced into the system by Idea 1: The key is introduced into the system by XORing with E(R i-1 ). It is possible to XOR two sets of outputs to remove the randomness effects introduced by outputs to remove the randomness effects introduced by the key. a   k  a  b b  The effects of k are removed. k 13

Differential Cryptanalysis Differential Cryptanalysis • Idea 2: – consider a nonlinear function g(ꞏ) – inputs x 1 , x 2 and outputs y 1 , y 2 satisfy y 1 y 2 y 1 2 y 1 = g(x 1 ), y 2 = g(x 2 ) – the XOR of inputs x' = x 1  x 2 and the XOR of outputs y' = y 1   y 2 are constrained also by g(ꞏ) such that given a pair of x' and are constrained also b g( ) s ch that gi en a pair of ' and y', there are only a few candidate pairs (x 1 , x 2 ) satisfying the constraints • ex: given x' (= x 1  x 2 ) = 010, there are only 8 (out of 64) possible pairs of (x 1 , x 2 ) x 1 000 100 010 110 001 101 011 111 1 x 2 010 110 000 100 011 111 001 101 if y' (= y 1  y 2 ) is also given as 101, try listing all g(x 1 ), g(x 2 ) and see which pairs of input (x 1 , x 2 ) satisfy the constraint 14

Differential Cryptanalysis Differential Cryptanalysis known • Somewhere inside the algorithm, plaintext plaintext the key is XORed to the data the key is XORed to the data stream. If we could deduce the value of some internal data x , we might be able to deduce the key. might be able to ded ce the ke ? ? • Is there any method we can use ? DES to get more specific about an to get more specific about an Encryption Encryption key is unknown unknown internal data x ? ? Algorithm plaintext 2 plaintext 1 x =? x =?  fix some relation, e.g. R 1 =R 1 *  calculate x  x* and y  y* from plaintexts and  x * x ciphertexts sbox sbox deduce x y * y y y corresponding di and x * d * ciphertext ciphertext 1 ciphertext 2 15

3-Round Differential Cryptanalysis 3 Round Differential Cryptanalysis L 1 R 1 K 2 f L 2 = R 1 , R 2 = L 1  f(R 1 , K 2 ) L 2 R 2 K 3 2 1 2 1 1 2 f L 3 = R 2 , R 3 = L 2  f(R 2 , K 3 ) L 2  f(R 2 , K 3 ) L 3 R 2 , R 3 L 3 L 3 R 3 R 3 K 4 K 4 f L 4 = R 3 , R 4 = L 3  f(R 3 , K 4 ) L  f(R L R R K ) L 4 R 4 = L 1  f(R 1 , K 2 )  f(R 3 , K 4 ) For another set of inp t (L * R * R ) the o tp t is (L * R * ) For another set of input (L 1 , R 1 =R 1 ), the output is (L 4 , R 4 ) R 4 * = L 1 *  f(R 1 * , K 2 )  f(R 3 * , K 4 ) R 4 ' = R 4  R 4 * = L 1 '  f(L 4 , K 4 )  f(L 4 * , K 4 ) ' * ' * Th diff The difference no K 2 , K 3 K K involved 16