modern block cipher standards des
play

Modern Block Cipher Standards (DES) Debdeep Mukhopadhyay Assistant - PDF document

Jul 10, 2023 •9 likes •169 views

Modern Block Cipher Standards (DES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Data Encryption Standard DES developed in 1970s

  1. Modern Block Cipher Standards (DES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Data Encryption Standard • DES developed in 1970’s • Based on IBM Lucifer cipher • Federal Information Processing Standard (FIPS) • DES development was controversial: – Design process was not open, people feared hidden trapdoors that would have allowed NSA to decrypt messages without the keys. – Key length was small (56 bits) D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 1

  2. DES Numerology • DES is a Feistel cipher • 64 bit block length • 56 bit key length • 16 rounds • 48 bits of key used each round (subkey) • Each round is simple (for a block cipher) • Security depends primarily on “S-boxes” • Each S-boxes maps 6 bits to 4 bits Initial Permutations • DES has an initial permutation and a final permutation after 16 rounds. • These permutations are inverses of each other and operate on 64 bits. • They have no cryptographic significance. • The designers did not disclose their purpose. D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 2

  3. key L R 32 28 28 One expand shift shift 48 28 28 32 Round K i ⊕ 48 compress 48 of S-boxes DES 28 28 32 P box Function f 32 32 ⊕ 32 key L R DES Expansion • Input 32 bits 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 • Output 48 bits 31 0 1 2 3 4 3 4 5 6 7 8 7 8 9 10 11 12 11 12 13 14 15 16 15 16 17 18 19 20 19 20 21 22 23 24 23 24 25 26 27 28 27 28 29 30 31 0 D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 3

  4. DES S-box (Substitution Box) • 8 “substitution boxes” or S-boxes • Each S-box maps 6 bits to 4 bits • S-box number 1 input bits (0,5) ↓ input bits (1,2,3,4) | 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 00 | 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111 01 | 0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000 10 | 0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 0000 11 | 1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101 For other tables refer to Stinson’s Book S-Box with Table entries in decimal Output=13 What is the output if input is 101000? Row=10=2 Column=0100=4 D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 4

  5. Properties of the S-Box • There are several properties • We highlight some: – The rows are permutations – The inputs are a non-linear combination of the inputs – Change one bit of the input, and half of the output bits change (Avalanche Effect) – Each output bit is dependent on all the input bits DES P-box (Permutation Box) • Input 32 bits 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 • Output 32 bits 15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9 1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24 D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 5

  6. DES Subkey • Input key size: 64 bits, of which 8 are parity bits. • 56 bit DES key, 0,1,2,…,55 • Left half key bits, LK 49 42 35 28 21 14 7 0 50 43 36 29 22 15 8 1 51 44 37 30 23 16 9 2 52 45 38 31 • Right half key bits, RK 55 48 41 34 27 20 13 6 54 47 40 33 26 19 12 5 53 46 39 32 25 18 11 4 24 17 10 3 DES Subkey i=1 ,2 , . . . . , n • For rounds – Let LK = (LK circular shift left by r i ) – Let RK = (RK circular shift left by r i ) – Left half of subkey K i is of 24 bits 13 16 10 23 0 4 2 27 14 5 20 9 22 18 11 3 25 7 15 6 26 19 12 1 – Right half of subkey K i is 24 bits 12 23 2 8 18 26 1 11 22 16 4 19 15 20 10 27 5 24 17 13 21 7 0 3 D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 6

  7. DES Subkey • For rounds 1, 2, 9 and 16 the shift r i is 1 , and in all other rounds r i is 2 • Bits 8,17,21,24 of LK omitted each round • Bits 6,9,14,25 of RK omitted each round • Compression permutation yields 48 bit subkey K i from 56 bits of LK and RK • Key schedule generates subkey DES Some Points to Ponder • An initial perm P before round 1, and its inverse at the end. • Halves are swapped after last round. • A final permutation (inverse of P ) is applied to (R 16 ,L 16 ) to yield ciphertext. D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 7

  8. Exercise Prove that decryption in DES can be done by applying the encryption algorithm to the ciphertext, with the key schedule reversed. Weak keys • A weak key is the one which after parity drop operation, consists either of all 0’s, all 1’s or half 0’s and half 1’s. • Four out of the 2 56 keys are weak keys. D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 8

  9. Examples of weak keys Keys before parity drop Actual key (64 bits) (56 bits) 0101 0101 0101 0101 0000000 0000000 1F1F 1F1F 0E0E 0E0E 0000000 FFFFFFF E0E0 E0E0 F1F1 F1F1 FFFFFFF 0000000 FEFE FEFE FEFE FEFE FFFFFFF FFFFFFF Consequence of weak keys • The round keys created from any of these weak keys are the same. – For example, for the first weak key, all the round keys are 0. – The second key leads to half 0s, and half 1s. • If we encrypt a block with a weak key and subsequently encrypt the result with the same weak key, we get the original block. D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 9

  10. Semi Weak Keys • A semi weak key creates only two different round keys and each of them is repeated eight times. • There are six key pairs that are called semi- weak keys. • The round keys created from each pair are the same in different order. Semi weak keys First key in the pair Second key in the pair 01FE 01FE 01FE 01FE FE01 FE01 FE01 FE01 1FE0 1FE0 0EF1 0EF1 E01F E01F F10E F10E 01E0 01E0 01F1 01F1 E001 E001 F101 F101 1FFE 1FFE 0EFE 0EFE FE1F FE1F FE0E FE0E 011F 011F 010E 010E 1F01 1F01 0E01 0E01 E0FE E0FE F1FE F1FE FEE0 FEE0 FEF1 FEF1 D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 10

  11. A Sample round key generation 1 9153E54319BD 6EAC1ABCE642 2 6EAC1ABCE642 9153E54319BD There are 8 equal 3 6EAC1ABCE642 9153E54319BD round keys in each 4 6EAC1ABCE642 9153E54319BD semi-weak keys. 5 6EAC1ABCE642 9153E54319BD Also, the round key 6 6EAC1ABCE642 9153E54319BD in the first set is the 7 6EAC1ABCE642 9153E54319BD same as the 16 th 8 6EAC1ABCE642 9153E54319BD key in the second 9 9153E54319BD 6EAC1ABCE642 set. 10 9153E54319BD 6EAC1ABCE642 11 9153E54319BD 6EAC1ABCE642 This means that the 12 9153E54319BD 6EAC1ABCE642 keys are inverses 13 9153E54319BD 6EAC1ABCE642 of each other. 14 9153E54319BD 6EAC1ABCE642 Thus, 15 9153E54319BD 6EAC1ABCE642 E k2 (E k1 (P))=P 16 6EAC1ABCE642 9153E54319BD Multiple DES • The major criticism against DES is the key length. • So, we may try cascading several DES applications. • Luckily, DES does not form a group under the composition operation. Thus, it is highly improbable that we can obtain k3 st. – E k2 (E k1 (P))=E k3 (P) D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 11

  12. 2DES • Uses two applications of the DES cipher. • The total key size is 56x2=112 bits. • However 2DES is vulnerable to a known plaintext attack. Meet in the middle attack 64 bit plaintext M=E K2 (P) and M=D k2 (C) DES Attacker performs a known cipher plaintext attack. He collects (P,C) pairs. middle text Using 1 st relation, he encrypts P using all possible 2 56 keys, DES and records all values for M. cipher Using 2 nd relation, he decrypts C using all possible 2 56 keys, 64 bit ciphertext and records all values for M. D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 12

  13. Security of 2 DES • Then the attacker checks for a match in the table in the value of M. He notes the key pair (K 1 ,K 2 ) • If there are more than one keys, he takes another (P,C) pair. • The attacker continues until there is only key left. • Thus attack complexity is around 2 57 . • What does this say about the security of 2DES? Triple DES • Since 2DES was a bad design, people consider 3 applications of DES. • The first and third stages use K 1 as key. • The second stage use K 2 as the key. • Also, the middle stage uses decryption. • Thus, setting K 1 =K 2 we have simple DES. D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 13

  14. Generalization of the Feistel Cipher Clefia: 128 bit block cipher designed by Sony Corporation Further Reading • B. A Forouzan, Cryptography & Network Security, Tata Mc Graw Hills, Chapter 5 • Douglas Stinson, Cryptography Theory and Practice, 2 nd Edition , Chapman & Hall/CRC D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 14

  15. Exercises Exercises D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Modern Block Cipher Standards (DES) Debdeep Mukhopadhyay Assistant Professor Department of

Modern Block Cipher Standards (DES) Debdeep Mukhopadhyay Assistant Professor Department of

Modern Block Cipher Standards (DES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Data Encryption Standard DES developed in 1970s

421 views • 14 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

CSS441 Block Cipher Operation Modes ECB Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn International Institute of Technology XTS-AES Thammasat University Prepared by Steven Gordon on 20

871 views • 32 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Objectives Introduction to Finite Fields AES Algorithm Sub Byte Shift row

Objectives Introduction to Finite Fields AES Algorithm Sub Byte Shift row

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Introduction to Finite Fields AES

604 views • 31 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
rrt rtss

rrt rtss

trt r rtss s st rrt rtss

857 views • 38 slides
Developmental Evaluations March 2020 This presentation is made possible by the support of the

Developmental Evaluations March 2020 This presentation is made possible by the support of the

Evaluation Caf: A Study of Three Developmental Evaluations March 2020 This presentation is made possible by the support of the American People through the United States Agency for International Development (USAID.) The contents of this

429 views • 28 slides
Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative systems,

495 views • 27 slides
6.2 Series solutions about ordinary points a lesson for MATH F302 Differential Equations Ed

6.2 Series solutions about ordinary points a lesson for MATH F302 Differential Equations Ed

6.2 Series solutions about ordinary points a lesson for MATH F302 Differential Equations Ed Bueler, Dept. of Mathematics and Statistics, UAF March 5, 2019 for textbook: D. Zill, A First Course in Differential Equations with Modeling Applications

291 views • 17 slides
XvMo%on: Unified Virtual Machine Migra%on over Long Distance Ali Jos

XvMo%on: Unified Virtual Machine Migra%on over Long Distance Ali Jos

XvMo%on: Unified Virtual Machine Migra%on over Long Distance Ali Jos Mash,zadeh, Min Cai, Gabriel Tarasuk-Levin, Ricardo Koller, Tal Garfinkel, Sreekanth SeBy Stanford

707 views • 38 slides
The Data Encryption Standard - see Susan Landaus paper: Standing the test of time: the data

The Data Encryption Standard - see Susan Landaus paper: Standing the test of time: the data

The Data Encryption Standard - see Susan Landaus paper: Standing the test of time: the data encryption standard. DES - adopted in 1977 as a standard for unclassified applications - after a public solicitation from NBS (now NIST),

550 views • 16 slides
Using DE S to Implement ATM Cell E ncryption on the APIC David Ruppel Dr. Mansoor Alam

Using DE S to Implement ATM Cell E ncryption on the APIC David Ruppel Dr. Mansoor Alam

Using DE S to Implement ATM Cell E ncryption on the APIC David Ruppel Dr. Mansoor Alam Department of Electrical Engineering and Computer Science The University of Toledo Data E ncryption Standard (DE S) Data E ncryption Standard (DE S)

335 views • 16 slides
Ameth Saloum Ndiaye UNU-WIDER 2017 Development Conference UNU-WIDER 2017 Development 1

Ameth Saloum Ndiaye UNU-WIDER 2017 Development Conference UNU-WIDER 2017 Development 1

Migration and Remittances in Senegal: Effects on Labor Supply and Human Capital of Households Members Left Behind Ameth Saloum Ndiaye UNU-WIDER 2017 Development Conference UNU-WIDER 2017 Development 1 Conference - Accra Outline of discussion

620 views • 31 slides

More recommend