SLIDE 1

Kryptographie Data Encryption Standard (DES)

Uwe Egly

Vienna University of Technology Institute of Information Systems Knowledge-Based Systems Group

November 30, 2010

1 / 32

SLIDE 2

Block Ciphers

◮ Block ciphers (BCs) are symmetric-key algorithms
  ⇒ sender S and receiver R use the same key
◮ Encryption of an n-bit block into an n-bit block (n: block size)
◮ Encryption functions of BCs are permutations
◮ Best-known symmetric BC: DES (Data Encryption Standard)
◮ Successor of DES is AES (Advanced Encryption Standard)
◮ A block cipher handles the encryption of one block
◮ Interplay if > 1 block is present: modes of operation
  (= basic cipher + feedback functions + simple operations)

SLIDE 3

Data Encryption Standard (DES)

◮ Most important crypto algorithm of the last 30 years
◮ Standardized by ANSI in 1981 (incl. modes of operation)
◮ Originally intended to be implemented in hardware, later in software
◮ Block cipher with a block size of 64 bit
◮ Encryption and decryption with the same algorithm and key
◮ Key size of 56 bit (+ 8 bit parity) results in 64 bit
  (the parity bit is the least significant bit in each byte)
◮ DES is a Feistel cipher (round-based (product) cipher)
◮ Round = substitution followed by permutations
◮ DES: 16 rounds

SLIDE 4

Basic Structure of DES

[Figure: Feistel structure of DES. plaintext → IP → (L0, R0); 16 rounds with Li = Ri−1 and Ri = Li−1 ⊕ f(Ri−1, Ki), round keys K1 . . . K16; (L16, R16) → IP−1 → ciphertext. Data paths: 32 bit (halves), 48 bit (round keys), 64 bit (block).]

SLIDE 5

Overview

◮ Algorithm with 16 rounds + input/output permutation
◮ Generates 16 round keys Ki (48 bit) from the key K (56 bit)
◮ Uses 8 fixed 6-to-4 bit permutations (S-boxes) per round
◮ Divides the 64 bit plaintext block into L0 and R0 (32 bit each)
◮ All rounds are functionally identical: Li−1, Ri−1 → Li, Ri:

  Li = Ri−1
  Ri = Li−1 ⊕ f(Ri−1, Ki)   with   f(Ri−1, Ki) = P(S(E(Ri−1) ⊕ Ki))

◮ E: fixed expansion permutation: expands Ri−1 from 32 to 48 bit
  (all bits are used, some even twice)
◮ P: another fixed 32 bit permutation
◮ Before IP−1: no exchange of L16 and R16
◮ Decryption: same algorithm and key,
  but round keys are applied in reverse order

SLIDE 6

A Round of DES

[Figure: one round of DES. Data path: Ri−1 (32 bit) → E-permutation (48 bit) → ⊕ round key → S-boxes → P-box → ⊕ Li−1 → Ri; Li = Ri−1. Key path: key (2 × 28 bit) → shift, shift → compression permutation → round key (48 bit).]

SLIDE 7

Initial Permutation IP

◮ Permutes a plaintext block according to the following table:

  58 50 42 34 26 18 10  2
  60 52 44 36 28 20 12  4
  62 54 46 38 30 22 14  6
  64 56 48 40 32 24 16  8
  57 49 41 33 25 17  9  1
  59 51 43 35 27 19 11  3
  61 53 45 37 29 21 13  5
  63 55 47 39 31 23 15  7

◮ Example: move plaintext bit 58 to bit 1, bit 50 to bit 2, etc.
◮ IP and IP−1 do not affect the security of DES
◮ Task: load the plaintext bytes into the registers of the DES chip
  (resp. store the register contents into the ciphertext)
◮ In the late 70s (when DES was introduced), there were
  no 16-bit microprocessors!

SLIDE 8

Key Schedule

◮ Check the parity info of the key and extract the 56 key bits
◮ Apply the following key permutation at the beginning:

  57 49 41 33 25 17  9
   1 58 50 42 34 26 18
  10  2 59 51 43 35 27
  19 11  3 60 52 44 36
  63 55 47 39 31 23 15
   7 62 54 46 38 30 22
  14  6 61 53 45 37 29
  21 13  5 28 20 12  4

◮ Generate 16 round keys (RKs) of 48 bit each as follows:
  ◮ Decompose the 56 bit into 2 × 28 bit and
    rotate left each of these halves in each round

  Round             1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
  Number of shifts  1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1

  ◮ Compression permutation: choose 48 of the 56 bit + permute

  14 17 11 24  1  5
   3 28 15  6 21 10
  23 19 12  4 26  8
  16  7 27 20 13  2
  41 52 31 37 47 55
  30 40 51 45 33 48
  44 49 39 56 34 53
  46 42 50 36 29 32

◮ Use different combinations of key bits in the round keys

SLIDE 9

Expansion Permutation (E-Box)

◮ Expand Ri from 32 to 48 bit (exchange and repeat some bits)
◮ 48 bit required because of the bitwise ⊕ of Ri with the round key
◮ Implemented by the following permutation:

  32  1  2  3  4  5
   4  5  6  7  8  9
   8  9 10 11 12 13
  12 13 14 15 16 17
  16 17 18 19 20 21
  20 21 22 23 24 25
  24 25 26 27 28 29
  28 29 30 31 32  1

◮ Table: which output position belongs to which input position?
◮ Example:
  ◮ Bit in input position 3 is moved to output position 4 (index)
  ◮ Bit in input position 21 is moved to output positions 30 and 32
◮ Some bits are used more than once

SLIDE 10

S-Boxes

◮ Most important element for the security of DES
◮ 48 bit → 8 S-boxes, each with 6 bit input and 4 bit output
◮ Each S-box: table with 4 rows and 16 columns
◮ Each table entry is a 4 bit number
◮ Example: the sixth S-box (bits 31 to 36):

  12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
  10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
   9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
   4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13

◮ Example: input is 110011 → row (outer two bits) 11 = 3; column (inner four bits) 1001 = 9
  ⇒ replace 110011 by 14 = 1110
◮ Output of all S-boxes: 32 bit

SLIDE 11

P-Box and Final Permutation

P-Box

◮ Permutes its input (32 bit) to its output (32 bit) according to:

  16  7 20 21 29 12 28 17
   1 15 23 26  5 18 31 10
   2  8 24 14 32 27  3  9
  19 13 30  6 22 11  4 25

◮ Example: bit 21 moves to bit 4, bit 4 moves to bit 31

Final permutation

◮ Inverse of the initial permutation
◮ Attention: L16 and R16 are not exchanged in the last round
◮ An exchange would prevent decryption with the same algorithm
◮ Decryption: apply the RKs in reverse order,

  K1, K2, . . . , K15, K16 → K16, K15, . . . , K2, K1,

  and rotate the key halves right by 0, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
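The following is an added worked example, not code from the slides: it implements the DES bit-permutation machinery of slides 7 to 11 (IP and its inverse, the key permutation and compression permutation of the key schedule with the shift table, the E-box, the sixth S-box and the P-box) on bit strings, using exactly the tables printed above, so the slides' own examples can be checked: bit 58 → 1 under IP, input bit 21 → output positions 30 and 32 under E, 110011 → 1110 under S-box 6, bit 21 → 4 under P, and the right-rotation schedule for decryption yielding the round keys in reverse order. The names permute, destinations, round_keys etc. are this example's own; the two key-schedule tables are called PC1 and PC2 after their names in the DES standard. The parity check assumes odd parity per key byte, which is the DES convention and not stated on the slide. The other seven S-boxes are not on the slides, so the full round function f is not built here.

```python
# Added example (not from the slides): DES bit-permutation primitives driven by the
# tables printed on slides 7-11. Bit strings are Python str of '0'/'1'; table
# positions are 1-indexed as on the slides.

IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
# key permutation (PC-1 in the standard) and compression permutation (PC-2)
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35,
       27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38,
       30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8,
       16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]  # left rotations, rounds 1..16
# S-box 6 from slide 10 (4 rows x 16 columns, 0 entries restored)
S6 = [[12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
      [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
      [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
      [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13]]


def permute(bits, table):
    """Output position i (1-indexed) receives input bit table[i-1]; E may repeat bits."""
    return "".join(bits[p - 1] for p in table)


def inverse_table(table):
    """Inverse of a bijective table (IP -> IP^-1); undefined for E, PC-1, PC-2."""
    inv = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inv[in_pos - 1] = out_pos
    return inv


def destinations(table, in_pos):
    """All output positions an input bit is moved to (reads the table as the slides do)."""
    return [i for i, p in enumerate(table, start=1) if p == in_pos]


def sbox6(six_bits):
    """Row = outer two bits, column = inner four bits; result as a 4-bit string."""
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return format(S6[row][col], "04b")


def hex_to_bits(hexstr, width=64):
    return format(int(hexstr, 16), "0{}b".format(width))


def parity_ok(key64):
    """Assumption: odd parity per key byte (the DES convention; parity bit = LSB)."""
    return all(key64[i:i + 8].count("1") % 2 == 1 for i in range(0, 64, 8))


def rotl(bits, n):
    return bits[n:] + bits[:n]


def round_keys_from_halves(c, d):
    """K1..K16 from the 28-bit halves: rotate both halves left, then compress."""
    keys = []
    for s in SHIFTS:
        c, d = rotl(c, s), rotl(d, s)
        keys.append(permute(c + d, PC2))
    return keys


def round_keys(key64):
    """16 round keys (48 bit) of a 64-bit key: key permutation, then the schedule."""
    cd = permute(key64, PC1)
    return round_keys_from_halves(cd[:28], cd[28:])


def decryption_round_keys(key64):
    """Round keys in decryption order, produced by the slide's right-rotation
    schedule 0,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1 applied to the initial halves."""
    cd = permute(key64, PC1)
    c, d = cd[:28], cd[28:]
    keys = []
    for s in [0] + SHIFTS[:0:-1]:
        c, d = rotl(c, 28 - s), rotl(d, 28 - s)  # rotate right by s
        keys.append(permute(c + d, PC2))
    return keys


if __name__ == "__main__":
    print("IP moves bit 58 to", destinations(IP, 58))
    print("E moves bit 21 to", destinations(E, 21))
    print("S6(110011) =", sbox6("110011"))
    print("P moves bit 21 to", destinations(P, 21))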

SLIDE 12

Security of DES

◮ Nowadays, simple DES is insecure
◮ Keys with 56 bit and r > 16 rounds do not improve security
◮ Weak keys: result in at least two identical round keys
◮ There are four weak keys in DES, namely (28-bit key halves, in hex):

  highmost 28 bit   lowmost 28 bit
  0000000           0000000
  0000000           FFFFFFF
  FFFFFFF           0000000
  FFFFFFF           FFFFFFF

◮ Since around 1995, there is special hardware for breaking DES
  (EFF crack: brute-force attack succeeded in two days)

SLIDE 13

Improvement: 3DES (with 2 or with 3 56 bit keys)

[Figure: 3DES. Encryption: plaintext → DES (K1) → DES−1 (K2) → DES (K3) → ciphertext. Decryption: DES−1, DES, DES−1 with the keys in reverse order.]

Why is 3DES more secure than DES?

◮ The set of the 2^56 permutations (defined by the 56 bit DES keys) is not
  closed under composition of functions
◮ I.e., there is no 56 bit DES key K such that, for all m, the
  following holds: EK(m) = EK1(DK2(EK3(m)))

SLIDE 14

Modes of Operation for Block Cipher

◮ BC: the resulting cipher block is always identical for a given
  plaintext and a given key
◮ The basic block cipher encrypts a single block

How shall we handle messages consisting of several blocks?

◮ Mode = cipher + feedback functions + simple operations
◮ Security: based on the cipher, not on the mode, but . . .
◮ . . . with some modes, detection of manipulations is possible

SLIDE 15

Four Modes of Operation for Block Ciphers

1. ECB (Electronic Codebook Mode)
2. CBC (Cipherblock Chaining Mode)
3. CFB (Cipher Feedback Mode)
4. OFB (Output Feedback Mode)

In the following, we use Σ for the alphabet, n for the block size, k ∈ K for the key, K for the key space.

SLIDE 16

Electronic Codebook Mode (ECB)

◮ Decompose the plaintext into blocks of n bit each (pad if necessary)
◮ Encrypt with Ee, decrypt with Dd
  (e, d either identical or a public/private key pair) ⇒ Dd(Ee(m)) = m
◮ Example: permutation cipher with Σ = {0, 1} and n = 4
  ◮ K = S4 (= set of all permutations of 4 elements) and for π ∈ S4:
    Eπ : {0, 1}^4 → {0, 1}^4 with b4b3b2b1 → bπ(4)bπ(3)bπ(2)bπ(1)
  ◮ Plaintext m = 101100010100101; decompose and pad:
  ◮ m1 = 1011, m2 = 0001, m3 = 0100, m4 = 1010
  ◮ The key is
    π = ( 1 2 3 4 )
        ( 2 3 4 1 )
    hence, c = c1 . . . c4 where ci = Eπ(mi):
  ◮ c1 = 0111, c2 = 0010, c3 = 1000, c4 = 0101
◮ Vulnerable to frequency analysis; modifications of c
  possibly undetected

SLIDE 17

How to Become Rich With ECB

◮ Modification of messages possibly undetected with ECB
◮ Example: money transfer between 2 accounts at different banks
◮ Data format for transmission with field sizes in bytes:
  SBank, RBank (12 each), Name (48), Account (12), Value (8)
◮ Transfer money between own accounts at different banks
◮ Intercept the transfer and extract X = fields 3–5
◮ Catch “another” transmission and replace fields 3–5 by X
◮ Close the account after some hours; run with the money

SLIDE 18

Scheme of the ECB Mode

[Figure: ECB mode. Encryption: mj (n bit) → Ee with key e → cj. Decryption: cj → Dd with key d → mj.]

SLIDE 19

Other Schemata of the ECB Mode (from Wikipedia)

SLIDE 20

Cipherblock Chaining Mode (CBC)

◮ Avoids the disadvantages of ECB by a feedback operation
◮ Uses the operation XOR: a ⊕ b is 1 if and only if a ≠ b (a, b bits)
◮ a ⊕ b is equal to (a + b) mod 2
◮ Encryption of one block depends on its predecessor
  (actually, cj−1 ⊕ mj is encrypted)
◮ Prevents the success of frequency analysis
◮ Ciphertext changes are detected, because the result is “not
  decryptable”

SLIDE 21

CBC: Overview

◮ CBC requires a random (known) initialization vector IV ∈ Σ^n
◮ Decompose the plaintext into blocks of n bit each
◮ This results in t plaintext blocks m1, . . . , mt
◮ Encryption procedure for m1, . . . , mt and key e:

  c0 = IV,  cj = Ee(cj−1 ⊕ mj),  1 ≤ j ≤ t

◮ Decryption procedure for c1, . . . , ct and key d:

  c0 = IV,  mj = cj−1 ⊕ Dd(cj),  1 ≤ j ≤ t

SLIDE 22

Example for the CBC Mode

◮ Block cipher, plaintext and key as above, i.e.,
  ◮ m1 = 1011, m2 = 0001, m3 = 0100, m4 = 1010
  ◮ The key is
    π = ( 1 2 3 4 )
        ( 2 3 4 1 )
    and IV = 1010 = c0
◮ Compute ci = Eπ(ci−1 ⊕ mi):

  c1 = Eπ(0001) = 0010, c2 = 0110, c3 = 0100, c4 = 1101

◮ Decryption: mi = ci−1 ⊕ Eπ^−1(ci) with Eπ^−1 = Dπ
◮ Decryption works because:

  cj−1 ⊕ Dd(cj) = cj−1 ⊕ Dd(Ee(cj−1 ⊕ mj))
               = cj−1 ⊕ (cj−1 ⊕ mj)        since Dd(Ee(x)) = x
               = (cj−1 ⊕ cj−1) ⊕ mj
               = mj

◮ Use x ⊕ x = 0 and 0 ⊕ x = x in order to obtain mj
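An added example (not from the slides): the toy permutation cipher of slides 16 and 22 run in ECB and CBC mode on bit strings, reproducing the values given there. Bit positions are numbered b4 b3 b2 b1 from left to right as on the slide, and the key π is applied as "the bit in position i moves to position π(i)", which is the reading that yields the slide's ciphertext values (1011 → 0111). The function names (e_pi, d_pi, to_blocks, ecb_encrypt, cbc_encrypt, ...) are this example's own. Beyond the slides' numbers it also shows two properties the text states: ECB maps equal plaintext blocks to equal ciphertext blocks while CBC does not, and a modified CBC ciphertext block still decrypts, to a garbled block plus one flipped bit in the following block, so detecting the manipulation relies on the receiver recognizing garbled plaintext.

```python
# Added example (not from the slides): the slides' toy cipher E_pi (Sigma = {0,1},
# n = 4, key pi in S4) in ECB and CBC mode. Blocks are str of '0'/'1'.

N = 4
PI = {1: 2, 2: 3, 3: 4, 4: 1}  # pi = (1 2 3 4 -> 2 3 4 1) from the slides


def e_pi(block, pi=PI):
    """E_pi: the bit in position i goes to position pi(i).
    Positions are b4 b3 b2 b1 left to right, so position i is string index N - i."""
    out = [""] * N
    for i in range(1, N + 1):
        out[N - pi[i]] = block[N - i]
    return "".join(out)


def d_pi(block, pi=PI):
    """D_pi = E_pi^-1: the bit in position pi(i) goes back to position i."""
    out = [""] * N
    for i in range(1, N + 1):
        out[N - i] = block[N - pi[i]]
    return "".join(out)


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def to_blocks(m, n=N):
    """Decompose into n-bit blocks; the last block is padded with 0 bits (as on the slide)."""
    m = m + "0" * (-len(m) % n)
    return [m[i:i + n] for i in range(0, len(m), n)]


def ecb_encrypt(m):
    return [e_pi(b) for b in to_blocks(m)]


def ecb_decrypt(c_blocks):
    return [d_pi(c) for c in c_blocks]


def cbc_encrypt(m, iv):
    """c0 = IV, cj = E(cj-1 xor mj)."""
    prev, out = iv, []
    for mj in to_blocks(m):
        prev = e_pi(xor(prev, mj))
        out.append(prev)
    return out


def cbc_decrypt(c_blocks, iv):
    """mj = cj-1 xor D(cj)."""
    prev, out = iv, []
    for cj in c_blocks:
        out.append(xor(prev, d_pi(cj)))
        prev = cj
    return out


if __name__ == "__main__":
    m = "101100010100101"  # plaintext from slide 16
    print("ECB:", ecb_encrypt(m))
    print("CBC:", cbc_encrypt(m, "1010"))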

SLIDE 23

Scheme of the CBC Mode

[Figure: CBC mode. Encryption: c0 = IV; mj ⊕ cj−1 → Ee with key e → cj (n bit). Decryption: cj → Dd with key d, ⊕ cj−1 → mj.]

SLIDE 24

Other Schemata of the CBC Mode (from Wikipedia)

SLIDE 25

The Cipher Feedback Mode (CFB): Overview

◮ CBC is well-suited for the encryption of long messages
  where the block size is appropriate
◮ Some applications require the en-/decryption of r-bit
  plaintext units without delay (r is fixed and ≤ n)
◮ Idea: make the en-/decryption units smaller than the block size

SLIDE 26

Encryption Using CFB

◮ Choose IV ∈ {0, 1}^n and r with 1 ≤ r ≤ n
◮ Decompose the plaintext into blocks m1, m2, . . . , mu of size r
◮ Set I1 = IV and for 1 ≤ j ≤ u do
  1. Oj = Ek(Ij)
  2. tj is the string of the first r bits of Oj
  3. cj = mj ⊕ tj
  4. Ij+1 = 2^r · Ij + cj (mod 2^n)
     (i.e., delete the first r bits of Ij and append cj)
◮ The ciphertext of the message is then c1c2 · · · cu

SLIDE 27

Decryption Using CFB

◮ Given: ciphertext blocks c1c2 · · · cu
◮ Set I1 = IV and for 1 ≤ j ≤ u do
  1. Oj = Ek(Ij)
  2. tj is the string of the first r bits of Oj
  3. mj = cj ⊕ tj (difference compared to encryption)
  4. Ij+1 = 2^r · Ij + cj (mod 2^n)
     (i.e., delete the first r bits of Ij and append cj)
◮ CFB is not applicable with public keys
  (because S and R must know k)
◮ With a public-key procedure, use CBC
◮ Decryption works: tj and k are equal for S and R, and

  cj ⊕ tj = (mj ⊕ tj) ⊕ tj = mj ⊕ (tj ⊕ tj) = mj

SLIDE 28

Example for the CFB Mode

◮ Block cipher, plaintext and key as above, but with r = 3
◮ m1 = 101, m2 = 100, m3 = 010, m4 = 100, m5 = 101
◮ The key is
  π = ( 1 2 3 4 )
      ( 2 3 4 1 )
  and IV = 1010 = I1
◮ The encryption is summarized in the following table:

  j   Ij     Oj     tj    mj    cj
  1   1010   0101   010   101   111
  2   0111   1110   111   100   011
  3   1011   0111   011   010   001
  4   1001   0011   001   100   101
  5   1101   1011   101   101   000

SLIDE 29

Scheme of the CFB Mode

[Figure: CFB mode. Sender: shift register Ij (n bit, I1 = IV) → Ek with key k → Oj; the first r bits form tj; cj = mj ⊕ tj; cj is shifted into the register (r-bit shift). Receiver: same register and Ek; mj = cj ⊕ tj.]

SLIDE 30

Output Feedback Mode (OFB)

◮ Initialization as in the CFB mode
◮ Set I1 = IV and for 1 ≤ j ≤ u do
  1. Oj = Ek(Ij)
  2. tj is the string of the first r bits of Oj
  3. cj = mj ⊕ tj
  4. Ij+1 = Oj (difference compared to CFB)
◮ The ciphertext of the message is then c1c2 · · · cu
◮ For the decryption function, replace 3. by mj = cj ⊕ tj
◮ More vulnerable to manipulations (compared to CFB):
  ci does not depend on mi−1, but only on its position
◮ If a key is reused: use a new IV (can be public)
◮ OFB is not applicable with public keys (like CFB)

SLIDE 31

Example for the OFB Mode

◮ Block cipher, plaintext, key and r = 3 as above
◮ m1 = 101, m2 = 100, m3 = 010, m4 = 100, m5 = 101
◮ The key is
  π = ( 1 2 3 4 )
      ( 2 3 4 1 )
  and IV = 1010 = I1
◮ The encryption is summarized in the following table:

  j   Ij     Oj     tj    mj    cj
  1   1010   0101   010   101   111
  2   0101   1010   101   100   001
  3   1010   0101   010   010   000
  4   0101   1010   101   100   001
  5   1010   0101   010   101   111
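An added example (not from the slides) covering the CFB procedure of slides 26 to 28 and the OFB procedure of slides 30 and 31 with r-bit units over the same toy cipher. For the slides' key π, Eπ is a left rotation of the 4-bit string by one position (1011 → 0111 on the ECB slide), and since neither mode ever calls E^−1 that is all the cipher the example needs. feedback_mode returns the rows (j, Ij, Oj, tj, mj, cj) of the slides' tables; the function names are this example's own, and the message length is assumed to be a multiple of r, as in the slides' example. Two extra functions go beyond the slides to show why a real block cipher and a fresh IV matter: ofb_keystream_period shows that this toy cipher's OFB keystream repeats after two units (visible in the table above), and iv_reuse_leak shows that with a reused key and IV the XOR of two OFB ciphertexts equals the XOR of the two plaintexts, which is the reason behind the "use a new IV" rule on slide 30.

```python
# Added example (not from the slides): CFB and OFB with r-bit units over the slides'
# toy 4-bit cipher. Bit strings are str of '0'/'1'.

N = 4


def e_pi(block):
    """E_pi for the slides' key pi = (1 2 3 4 -> 2 3 4 1): rotate the string left by 1."""
    return block[1:] + block[:1]


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def units(m, r):
    """Split into r-bit units (message length assumed to be a multiple of r)."""
    return [m[i:i + r] for i in range(0, len(m), r)]


def feedback_mode(data, iv, r, mode, decrypt=False):
    """Run CFB or OFB; returns the rows (j, Ij, Oj, tj, mj, cj) of the slides' tables.
    data holds the plaintext units when encrypting, the ciphertext units when decrypting."""
    rows, I = [], iv
    for j, x in enumerate(data, start=1):
        O = e_pi(I)                 # 1. Oj = Ek(Ij)
        t = O[:r]                   # 2. tj = first r bits of Oj
        y = xor(x, t)               # 3. cj = mj xor tj  (resp. mj = cj xor tj)
        m, c = (y, x) if decrypt else (x, y)
        rows.append((j, I, O, t, m, c))
        if mode == "cfb":
            I = (I + c)[r:]         # 4. drop the first r bits of Ij, append cj
        elif mode == "ofb":
            I = O                   # 4. Ij+1 = Oj
        else:
            raise ValueError("mode must be 'cfb' or 'ofb'")
    return rows


def encrypt(m, iv, r, mode):
    return "".join(row[5] for row in feedback_mode(units(m, r), iv, r, mode))


def decrypt(c, iv, r, mode):
    return "".join(row[4] for row in feedback_mode(units(c, r), iv, r, mode, decrypt=True))


def ofb_keystream_period(iv, limit=64):
    """Number of units after which the OFB keystream repeats (Ij returns to IV),
    or None if no repetition is found within `limit` steps."""
    I = e_pi(iv)
    for j in range(1, limit + 1):
        if I == iv:
            return j
        I = e_pi(I)
    return None


def iv_reuse_leak(m_a, m_b, iv, r):
    """Same key and IV for two OFB messages: c_a xor c_b == m_a xor m_b (keystream cancels)."""
    c_a, c_b = encrypt(m_a, iv, r, "ofb"), encrypt(m_b, iv, r, "ofb")
    return xor(c_a, c_b) == xor(m_a, m_b)


if __name__ == "__main__":
    M = "101100010100101"  # plaintext from the slides, r = 3, IV = 1010
    for mode in ("cfb", "ofb"):
        for row in feedback_mode(units(M, 3), "1010", 3, mode):
            print(mode, *row)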

SLIDE 32

Scheme of the OFB Mode

[Figure: OFB mode. Sender: Ij (n bit, I1 = IV) → Ek with key k → Oj; the first r bits form tj; cj = mj ⊕ tj; Ij+1 = Oj, i.e. the cipher output Oj−1 is fed back, not cj. Receiver: same register and Ek; mj = cj ⊕ tj.]