Kryptographie Data Encryption Standard (DES) Uwe Egly Vienna - PowerPoint PPT Presentation

Kryptographie Data Encryption Standard (DES) Uwe Egly Vienna University of Technology Institute of Information Systems Knowledge-Based Systems Group November 30, 2010 1 / 32

Block Ciphers ◮ Block ciphers (BCs) are symmetric-key algorithms = ⇒ S and R use the same key ◮ Encryption of an n -bit block into an n -bit block ( n : block size) ◮ Encryption functions of BCs are permutations ◮ Best-known symm. BC: DES (data encryption standard) ◮ Successor of DES is AES (advanced encryption standard) ◮ Block cipher handles encryption of one block ◮ Interplay if > 1 block is present: modes of operation (= basic cipher + feed-back functions + simple operations) 2 / 32

Data Encryption Standard (DES) ◮ Most important crypto algorithm in the last 30 years ◮ Standardized by ANSI in 1981 (incl. modes of operation) ◮ Originally, supposed to be implemented in HW, later in SW ◮ Block cipher with a block size of 64 bit ◮ Encryption and decryption with the same algo and key ◮ Key size of 56 bit (+ 8 bit parity) results in 64 bit (parity bit is the least significant bit in the byte) ◮ DES is a Feistel cipher (round-based (product) cipher) ◮ Round = substitution followed by permutations ◮ DES: 16 rounds 3 / 32

b b b b b b Basic Structure of DES plaintext 32 bit 48 bit 64 bit IP L 0 R 0 K 1 f L L 1 R 1 K 2 f L L 15 R 15 K 16 f L R 16 L 16 IP − 1 ciphertext 4 / 32

Overview ◮ Algorithm with 16 rounds + input-/output permutation ◮ Generates 16 round keys K i (48 bit) from the key K (56 bit) ◮ Uses 8 fixed 6-to-4 bit permutations (S-boxes) per round ◮ Divides 64 bit plaintext block into L 0 and R 0 (32 bit each) ◮ All rounds are functionally identical: L i − 1 , R i − 1 �→ L i , R i : L i R i − 1 = R i L i − 1 ⊕ f ( R i − 1 , K i ) with f ( R i − 1 , K i ) = P ( S ( E ( R i − 1 ) ⊕ K i )) = ◮ E : Fixed expansion permutation: exp. R i − 1 from 32 to 48 bit (all bits are used, some even twice) ◮ P : another fixed 32 bit permutation ◮ before IP − 1 : no exchange of L 16 and R 16 ◮ Decryption: same algorithm and key but round keys are applied in reverse order 5 / 32

b b b A Round of DES L i − 1 R i − 1 key shift shift E-permutation compression perm. L 32 bit S-boxes 48 bit 28 bit P-box L L i R i key 6 / 32

Initial Permutation IP ◮ Permutes a plaintext block according to the following table: 50 58 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7 ◮ Exa: Move plaintext bit 58 to bit 1, bit 50 to bit 2, etc. ◮ IP and IP − 1 do not affect the security of DES ◮ Task: Load the plaintext bytes into registers of the DES-Chip (resp. store the register content into the ciphertext) ◮ In the late 70s (the time DES was introduced), there were no 16 bit µ P! 7 / 32

Key Schedule ◮ Check the parity info of the key and extract the 56 key bit ◮ Apply the following key permutation at the beginning 57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4 ◮ Generate 16 round keys (RKs) à 48 bit as follows: ◮ Decompose the 56 bit in 2 × 28 and rotate left each of these halves in each round Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Number of shifts 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1 ◮ Compression permutation: choose 48 from 56 bit + permute 14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32 ◮ Use different combinations of key bit in the round keys 8 / 32

Expansion Permutation (E-Box) ◮ Expand R i from 32 to 48 bit (exchange and repeat some bit) ◮ 48 bit required because of bitwise ⊕ of R i with round key ◮ Implemented by the following permutation 32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 21 21 16 17 18 19 20 20 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1 ◮ Table: Which output position belongs to which input position? ◮ Example: ◮ Bit in input position 3 is moved to output position 4 (index) ◮ Bit in input position 21 is moved to output positions 30 and 32 ◮ Some bit are used more than once 9 / 32

S-Boxes ◮ Most important element for the security of DES ◮ 48 bit ❀ 8 S-Boxes each with 6 bit input and 4 bit output ◮ Each S-Box: Table with 4 rows and 16 columns ◮ Each table entry is a 4 bit number ◮ Example: The sixth S-Box (bit 31 to 36) 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13 ◮ Exa: Input is 110011 ❀ row 11 = 3; column 1001 = 9 = ⇒ replace 110011 by 14 = 1110 ◮ Output of all S-boxes: 32 bit 10/ 32

P-Box and Final Permutation P-Box ◮ Permutes its input (32 bit) to its output (32 bit) according to 16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 4 2 8 24 14 32 27 3 9 19 13 30 6 22 11 25 ◮ Exa: bit 21 moves to bit 4, bit 4 moves to bit 31 Final permutation ◮ Inverse to the initial permutation ◮ Attention: L 16 and R 16 are not exchanged in the last round ◮ Exchange would prevent decryption with the same algo ◮ Decryption: Apply RKs in reverse order K 1 , K 2 , . . . , K 15 , K 16 ❀ K 16 , K 15 , . . . , K 2 , K 1 and rotate right the key by 0 , 1 , 2 , 2 , 2 , 2 , 2 , 2 , 1 , 2 , 2 , 2 , 2 , 2 , 2 , 1 11/ 32

Security of DES ◮ Nowadays, simple DES is insecure ◮ Keys with 56 bit and r > 16 do not improve security ◮ Weak keys: result in at least two identical round keys ◮ There are four weak keys in DES, namely highmost 28 bit lowmost 28 bit 0000000 0000000 0000000 FFFFFFF FFFFFFF 0000000 FFFFFFF FFFFFFF ◮ Since around 1995, there is special HW for breaking DES (EFF crack: brute-force attack succeeded in two days) 12/ 32

Improvement: 3DES (with 2 or with 3 56 bit keys) Encryption DES − 1 DES DES K 1 K 2 K 3 Ciphertext Plaintext DES − 1 DES − 1 DES Decryption Why is 3DES more secure than DES? ◮ Set of the 2 56 permutations (def. by 56 bit DES keys) is not closed under composition of functions ◮ I.e. there is no 56 bit DES key K , such that, for all m , the following holds: E k ( m ) E k 1 ( D k 2 ( E k 3 ( m ))) = 13/ 32

Modes of Operation for Block Cipher ◮ BC: Resulting cipherblock is always identical for a given plaintext and a given key ◮ Basic block cipher encrypts a single block How shall we handle messages consisting of several blocks? ◮ Mode = cipher + feed-back functions + simple operations ◮ Security: Based on the cipher, not on the mode, but . . . ◮ . . . with some modes, detection of manipulations is possible 14/ 32

Four Modes of Operation for Block Ciphers 1. ECB (Electronic Codebook Mode) 2. CBC (Cipherblock Chaining Mode) 3. CFB (Cipher Feedback Mode) 4. OFB (Output Feedback Mode) In the following, we use Σ for the alphabet, n for the block size, k ∈ K for the key, K for the key space. 15/ 32

Electronic Codebook Mode (ECB) ◮ Decompose plaintext into blocks à n bit (pad if necessary) ◮ Encrypt with E e , decrypt with D d ( e , d either identical or public, private key) = ⇒ D d ( E e ( m )) = m ◮ Exa: Permutation cipher with Σ = { 0 , 1 } and n = 4 ◮ K = S 4 (= set of all permutations with 4 ele) and for π ∈ S 4 : E π : { 0 , 1 } 4 �→ { 0 , 1 } 4 b 4 b 3 b 2 b 1 �→ b π ( 4 ) b π ( 3 ) b π ( 2 ) b π ( 1 ) with ◮ Plaintext m = 101100010100101; decompose and pad: ◮ m 1 = 1011, m 2 = 0001, m 3 = 0100, m 4 = 1010 � 1 2 3 4 ; hence, c = c 1 . . . c 4 where c i = E π ( m i ) : ◮ Key is π = � 2 3 4 1 ◮ c 1 = 0111, c 2 = 0010, c 3 = 1000, c 4 = 0101 ◮ Vulnerable to frequency analysis, modifications of c possibly undetected 16/ 32

How to Become Rich With ECB ◮ Modification of messages possibly undetected with ECB ◮ Exa: Money transfer between 2 accounts at different banks ◮ Data format for transmission with field sizes in byte: SBank, RBank (12 each), Name (48), Account (12), Value (8) ◮ Transfer money between own accounts at different banks ◮ Intercept the transfer and extract X=field 3–5 ◮ Catch “another” transmission and replace field 3–5 by X ◮ Close the account after some hours; run with the money 17/ 32

b b Scheme of the ECB Mode m j n bit E e D d e d c j m j 18/ 32

Other Schemata of the ECB Mode (from Wikipedia) 19/ 32

Cipherblock Chaining Mode (CBC) ◮ Avoids the disadvantages of ECB by feed-back operation ◮ Uses operation XOR: a ⊕ b is 1 if and only if a � = b ( a , b bit) ◮ a ⊕ b is equal to ( a + b ) mod 2 ◮ Encryption of one block depends on the predecessor (actually, c j − 1 ⊕ m j is encrypted) ◮ Avoids the success of the frequency alaysis ◮ Ciphertext changes detected, because result is “not decrytable” 20/ 32

CBC: Overview ◮ CBC requires random (known) initialization vector IV ∈ Σ n ◮ Decompose the plaintext into blocks á n bit ◮ This results in t plaintext blocks m 1 , . . . , m t ◮ Procedure for m 1 , . . . , m t and key e c 0 = IV , c j = E e ( c j − 1 ⊕ m j ) , 1 ≤ j ≤ t ◮ Procedure for c 1 , . . . , c t and key d c 0 = IV , m j = c j − 1 ⊕ D d ( c j ) , 1 ≤ j ≤ t 21/ 32