Data Encryption Standard (DES)
Overview: Classical Cryptography; Simple Cryptosystems; Cryptanalysis of Simple Cryptosystems; Shannon’s Theory of Secrecy; Modern Encryption Systems (DES, AES); RSA; Signature Scheme(s).
Cryptosystem
A cryptosystem is a five-tuple (P, C, K, E, D), where the following are satisfied: P is a finite set of possible plaintexts. C is a finite set of possible ciphertexts. K, the key space, is a finite set of possible keys. For each K ∈ K there is an encryption rule E_K ∈ E and a decryption rule D_K ∈ D. Each E_K: P → C and D_K: C → P are functions such that for every x ∈ P, D_K(E_K(x)) = x.
Notation
Alphabet {0, 1} (bits). Plaintext and ciphertext are in {0, 1}*. New operation: XOR (EXOR, ⊕): 0 ⊕ 0 = 0, 1 ⊕ 1 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, i.e. bitwise addition modulo 2.
Data Encryption Standard (DES)
Financial companies found the need for a cryptographic algorithm that would have the blessing of the US government (= NSA). First call for candidates in May 73, followed by a new call in August 74. Not very many submissions (why?). IBM submitted Lucifer. NSA worked with IBM in redesigning the algorithm.
Data Encryption Standard (DES)
1973: NBS solicits proposals for cryptosystems for “unclassified” documents. 1974: NBS repeats the request. IBM responds with a modification of LUCIFER. NBS asks NSA to evaluate. IBM holds the patent for DES. 1975: details of the algorithm published, public discussion begins. 1976: adopted as a standard for all unclassified government communications.
Data Encryption Standard (DES)
1983: no problem. 1987: passed, but NSA says that DES will soon be vulnerable to brute-force attack, and that this is the last time. Business lobbies to keep it, since they had so much invested. 1993: still passed (no alternatives). 1997: call for proposals: AES.
Data Encryption Standard (DES)
Originally designed to be efficient in hardware (4-bit was the norm in 1974). A LOT of money has been invested in hardware. First publicly available algorithm certified by NSA as secure. Certificate to be renewed every 5 years.
DES
DES became a federal standard in November 76; NBS (NIST) hardware standard in January 77; ANSI X3.92-1981 (hardware + software); ANSI X3.106-1983 (modes of operation); Australia AS2805.5-1985. Used in most EFT and EFTPOS in the banking industry. It was reconfirmed as a standard for 5 years twice. Currently 3DES is recommended.
DES
DES has proven to be a well designed cipher, but 56 bits has been proven inadequate: EFF built a cracker for around $200,000. Increase the key to 112 bits? The best known way to cryptanalyze DES (after brute force) is differential cryptanalysis. Did NSA know this from the design??
DES
Uses the Feistel principle. Many similarities with Lucifer. Improves on the S-boxes.
DES
It operates on 64-bit blocks with 56-bit keys. Uses 16 rounds, each round computed by a function f.
Data Encryption Standard (DES)
A round can be described as: L_i = R_{i-1}, R_i = L_{i-1} ⊕ f(R_{i-1}, K_i). The key generation is performed by an initial permutation PC1 which selects 56 bits and divides them into two halves; in each round, select 24 bits from each half using a permutation function PC2, and rotate left each half by one or two positions.
Data Encryption Standard (DES)
The algorithm: uses blocks of size 64 bits. Key of length 56 (well, 64, but 8 bits are just check bits). Initial permutation IP. 16 rounds. Final permutation IP^-1 (IP and IP^-1 have minor cryptographic value).
Data Encryption Standard (DES)
Key schedule K_1, K_2, …, K_16: Discard the parity-check bits of K. Compute PC-1(K) = C_0 D_0, where PC-1 is a fixed permutation and C_0, D_0 are the left and right halves, 28 bits each. For i = 1, 2, …, 16: C_i := LS_i(C_{i-1}), D_i := LS_i(D_{i-1}), where LS_i is a left cyclic shift of one position (i = 1, 2, 9, 16) or two positions (otherwise); K_i := PC-2(C_i D_i), where PC-2 is a fixed permutation selecting 48 bits.
Data Encryption Standard (DES)
PC-1(K) = C_0 D_0 (the first four rows give C_0, the last four D_0):
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Data Encryption Standard (DES)
K_i := PC-2(C_i D_i): 48 bits are chosen from the 56-bit string C_i D_i according to the table shown here:
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
Data Encryption Standard (DES)
x_0 = IP(m) = L_0 R_0. 16 rounds, i = 1, 2, …, 16: L_i := R_{i-1}, R_i := L_{i-1} ⊕ f(R_{i-1}, K_i), where f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i)), with operations E (expansion), S (S-box lookup), and P (a permutation). c = IP^-1(L_16 R_16).
Data Encryption Standard (DES)
x_0 = IP(m) = L_0 R_0. Initial permutation IP:
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Data Encryption Standard (DES)
f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i)). Expansion E: R is expanded to E(R), from 32 bits to 48 bits:
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
Data Encryption Standard (DES)
f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i)). S-box lookup: there are 8 S-boxes, S_1, …, S_8, each a 4×16 array of 4-bit binary numbers. For example S_5:
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
Data Encryption Standard (DES)
f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i)). Write E(R_{i-1}) ⊕ K_i = B_1 B_2 … B_7 B_8. For j = 1, 2, …, 8, let B_j = b_1 b_2 b_3 b_4 b_5 b_6. In S-box S_j: b_1 b_6 is the binary coordinate of a row r, and b_2 b_3 b_4 b_5 the binary coordinate of a column c. Replace B_j with S_j(r, c).
Data Encryption Standard (DES)
Properties of S-boxes in DES (per NSA): Each S-box has 6 input bits and 4 output bits; this was the largest that could be put on one chip back in 1974. All rows of all the S-boxes are permutations of 0, 1, …, 15. S-boxes are not affine transformations of their input. A change in one input bit changes at least two output bits of the S-box. For any x and any S-box S, S(x) and S(x ⊕ 001100) differ in at least two bits.
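The row/column lookup rule and the S-box properties just listed, checked on S_5 as an added Python example (not code from the original slides; the S_5 table is the one on the slide, the checking functions and their names are my own).

```python
# Added example (not from the slides): S-box lookup on S5 and checks of the
# design properties stated on the slide. S5 is copied from the slide above.
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(table, b):
    """Look up a 6-bit input b = b1..b6 (b1 is the MSB): b1 b6 select the row, b2..b5 the column."""
    row = (((b >> 5) & 1) << 1) | (b & 1)
    col = (b >> 1) & 0xF
    return table[row][col]


def rows_are_permutations(table):
    """Property: every row contains each of 0..15 exactly once."""
    return all(sorted(row) == list(range(16)) for row in table)


def is_affine(table):
    """Over GF(2), S is affine iff S(x) ^ S(y) ^ S(z) == S(x ^ y ^ z) for all x, y, z."""
    return all(sbox(table, x) ^ sbox(table, y) ^ sbox(table, z) == sbox(table, x ^ y ^ z)
               for x in range(64) for y in range(64) for z in range(64))


def min_output_distance(table, input_diff):
    """Smallest Hamming distance between S(x) and S(x ^ input_diff) over all 64 inputs."""
    return min(bin(sbox(table, x) ^ sbox(table, x ^ input_diff)).count("1")
               for x in range(64))


def single_bit_flip_min_distance(table):
    """Property: flipping any one input bit changes at least two output bits."""
    return min(min_output_distance(table, 1 << i) for i in range(6))
```

`min_output_distance(S5, 0b001100)` checks the last property on the slide (the two middle input bits flipped).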
Data Encryption Standard (DES)
f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i)). P is a fixed permutation:
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
Result: a bitstring of length 32!!
Data Encryption Standard (DES)
c = IP^-1(L_16 R_16). Final permutation IP^-1 (the inverse of IP):
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Data Encryption Standard (DES)
How do we decrypt? Decryption is performed by exactly the same procedure, except that the keys K_1, …, K_16 are used in reverse order. The reason this works is the following. The first decryption step takes R_16 L_16 and gives the output [L_16] [R_16 ⊕ f(L_16, K_16)]. But we know from the encryption procedure that L_16 = R_15 and R_16 = L_15 ⊕ f(R_15, K_16). Therefore [L_16] [R_16 ⊕ f(L_16, K_16)] = [R_15] [L_15 ⊕ f(R_15, K_16) ⊕ f(L_16, K_16)] = [R_15] [L_15 ⊕ f(R_15, K_16) ⊕ f(R_15, K_16)] = [R_15] [L_15].
Data Encryption Standard (DES)
Similarly, the second step of decryption sends R_15 L_15 to R_14 L_14. Continuing, we see that the decryption process leads us back to R_0 L_0 as desired. Note that the decryption process is essentially the same as the encryption process. Therefore both the sender and the receiver use a common key and they can use identical machines.
Data Encryption Standard (DES)
DES is efficient: in 1992, DEC fabricated a 50K-transistor chip that could encrypt at a rate of 1 Gbit/sec using a clock rate of 250 MHz. Cost: $300. The Avalanche Effect: a small change in either the plaintext or the key produces a significant change in the ciphertext.
Data Encryption Standard (DES)
Strength of DES: the S-boxes. DES permutations don’t form a group; they generate a group of size at least 10^2499. Double encryption using 2 different keys is not stronger (surprise) than a single encryption (meet-in-the-middle attack). Triple-DES (3-DES) is stronger and very popular recently.
Data Encryption Standard (DES)
The DES controversy: Why is the key length 56? LUCIFER had 128. The key space of 2^56 is too small. Why 16 rounds? Why were the criteria for the S-boxes classified? Did NSA put “trapdoors” into the S-boxes? No evidence of “trapdoors” so far.
Data Encryption Standard (DES)
Attacks on DES: 1977, Diffie & Hellman suggested a VLSI chip that could test 10^6 keys/sec. A machine with 10^6 chips could test the entire key space in 10 hours. Cost: $20,000,000. 1990, differential cryptanalysis, Eli Biham, Adi Shamir (Israel). 1993, linear cryptanalysis, Mitsuru Matsui (Japan).
ATTACKS ON DES: Meet-in-the-middle attack
Birthday attacks: If there are 23 people in a room, what is the probability that at least two of them have the same birthday? Answer: compute the probability that they all have different birthdays.
ATTACKS ON DES: Meet-in-the-middle attack
The first person uses up one day, so the second person has probability (1 − 1/365) of having a different birthday. There are two days removed for the third person, so the probability is (1 − 2/365) that the third birthday differs from the first two. Therefore the probability of all 3 people having different birthdays is (1 − 1/365)(1 − 2/365).
ATTACKS ON DES: Meet-in-the-middle attack
• Continuing in this way, we see that the probability that all 23 people have different birthdays is (1 − 1/365)(1 − 2/365) … (1 − 22/365) = 0.493. Therefore the probability of at least two having the same birthday is 1 − 0.493 = 0.507.
• If there are 30 people, the probability is around 70%.
• More generally, suppose we have n objects, where n is large. There are r people and each chooses an object (with replacement). If then the probability is 50% that at least two people choose the same object.
A Birthday Attack on Discrete Logarithms
Suppose we want to solve x mod p. We can do this with high probability by a birthday attack.
• Make two lists, both of length around p^{1/2}:
• The first list contains numbers k mod p for approximately p^{1/2} randomly chosen values of k.
• The second list contains numbers -l mod p for approximately p^{1/2} randomly chosen values of l.
A Birthday Attack on Discrete Logarithms
There is a good chance that there is a match between some element on the first list and some element on the second list. If so, we have k -l mod p, hence k+l mod p. Therefore x k + l mod (p−1) is the desired discrete logarithm (why?).
ATTACKS ON DES: Meet-in-the-middle attack
Assume Eve has intercepted a message m and a doubly encrypted ciphertext c = E_{k2}(E_{k1}(m)). She wants to find k1 and k2. She first computes and stores E_k(m) for all possible keys k. She then computes D_k(c) for all possible keys k. Finally she compares both lists. She knows for a fact (but why?) that there will be at least one match, since the correct pair of keys must produce one of them.
DES
The standard is public, but the design criteria are classified. One of the biggest controversies is the key size (56 bits): W. Diffie, M. Hellman, “Exhaustive Cryptanalysis of the NBS Data Encryption Standard”, IEEE Computer 10(6), June 1977, pp. 74-84; M. Hellman, “DES will be totally insecure within ten years”, IEEE Spectrum 16(7), Jul 1979, pp. 31-41. Another controversy: is there a trapdoor?
Data Encryption Standard (DES)
Attacks on DES: The Electronic Frontier Foundation (EFF). On July 17, 1998, the EFF DES Cracker broke the DES-encrypted message in 56 hours: 1,536 chips, testing 88 × 10^9 keys/sec. Cost < $250,000. On January 19, 1999, Distributed.Net, a worldwide coalition of computer enthusiasts, working with EFF’s DES Cracker and a worldwide network of nearly 100,000 PCs on the Internet, broke the DES-encrypted message in 22 hours and 15 minutes.
DES Modes of Operation
Block modes: Electronic Codebook (ECB): the message is broken into independent blocks of 64 bits; this is the most natural mode of operation for DES. Cipher Block Chaining (CBC): the message is broken into independent blocks of 64 bits, but the next input depends on the previous output: C_i = E_k(P_i ⊕ C_{i-1}), with C_{-1} = IV; P_i = D_k(C_i) ⊕ C_{i-1} (why??).
DES Modes of Operation
Stream modes: Cipher Feedback (CFB): the message is XORed with the feedback of encrypting the previous block: P = |P_1 P_2 … P_8|, C_i = P_i ⊕ L_8(E_k(C_{i-1})), with C_{-1} = IV (these are 8-bit blocks!!). Output Feedback (OFB): the feedback is independent of the message: C_i = P_i ⊕ E_k(O_{i-1}), with O_{-1} = IV.
Limitation of the modes
ECB: repetitions in the message can be reflected in the ciphertext if aligned with the message block, particularly with data such as graphics or with messages that change very little, which become a code-book analysis problem. The weakness is that enciphered message blocks are independent of each other.
DES Modes of Operation
CBC: uses the result of one encryption to modify the input of the next, hence each ciphertext block is dependent on all message blocks before it; thus a change in the message affects the ciphertext block after the change as well as the original block. To start, it needs an Initial Value (IV) which must be known by both sender and receiver; however, if the IV is sent in the clear, an attacker can change bits of the first block and change the IV to compensate. Hence either the IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before the rest of the message. Out-of-sync problems!!
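A toy 64-bit Feistel cipher illustrating both the decryption argument from the earlier slides (same routine, sub-keys in reverse order) and the ECB and CBC equations from the modes slides, as an added Python example not from the original slides; the round function f and the sub-key derivation are made-up stand-ins for DES’s, not DES itself.

```python
# Added example (not from the slides): a toy Feistel cipher plus ECB/CBC on top of it.
# f and toy_round_keys are invented mixers standing in for DES's f and key schedule.
MASK32 = 0xFFFFFFFF


def f(r, k):
    """Toy round function: XOR the sub-key, multiply, rotate (not DES's P(S(E(R) xor K)))."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def toy_round_keys(key64):
    """Made-up schedule: a different 32-bit slice of the key for each of the 16 rounds."""
    return [((key64 >> (2 * i)) ^ (key64 >> 32)) & MASK32 for i in range(16)]


def feistel(block, round_keys):
    """L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i); the output is R_16 L_16 (halves swapped)."""
    l, r = block >> 32, block & MASK32
    for k in round_keys:
        l, r = r, l ^ f(r, k)
    return (r << 32) | l


def encrypt(block, key64):
    return feistel(block, toy_round_keys(key64))


def decrypt(block, key64):
    # Same routine with K_16 ... K_1: each round undoes one encryption round, for any f.
    return feistel(block, toy_round_keys(key64)[::-1])


def ecb_encrypt(blocks, key64):
    """ECB: blocks are independent, so equal plaintext blocks give equal ciphertext blocks."""
    return [encrypt(p, key64) for p in blocks]


def cbc_encrypt(blocks, key64, iv):
    """CBC: C_i = E_k(P_i xor C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = encrypt(p ^ prev, key64)
        out.append(prev)
    return out


def cbc_decrypt(blocks, key64, iv):
    """CBC: P_i = D_k(C_i) xor C_{i-1}; the XOR with the previous ciphertext cancels."""
    out, prev = [], iv
    for c in blocks:
        out.append(decrypt(c, key64) ^ prev)
        prev = c
    return out
```

With a repeated plaintext block, `ecb_encrypt` returns two equal ciphertext blocks while `cbc_encrypt` does not, which is the ECB limitation described above.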
Limitation of the modes
CFB: when data is bit or byte oriented, we want to operate on it at that level, so we use a stream mode. The block cipher is used in encryption mode at both ends, with the input being a fed-back copy of the ciphertext. One can vary the number of bits fed back, trading off efficiency for ease of use. Again, errors propagate for several blocks after the error is detected.
Limitation of the modes
OFB: also a stream mode, but intended for use where the error feedback is a problem, or where the encryptions need to be done before the message is available. It is superficially similar to CFB, but the feedback is from the output of the block cipher and is independent of the message, a variation of a Vernam cipher. Again an IV is needed. Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs. Although originally specified with varying m-bit feedback in the standards, subsequent research has shown that only 64-bit OFB should ever be used (and this is the most efficient use anyway).
DES Weak Keys
With many block ciphers there are some keys that should be avoided because of reduced cipher complexity: these keys are such that the same sub-key is generated in more than one round. Weak keys: the same sub-key is generated for every round. DES has 4 weak keys.
DES Weak Keys
Semi-weak keys: only two sub-keys are generated, on alternate rounds; DES has 12 of these (in 6 pairs). Demi-semi-weak keys have four sub-keys generated. None of these cause a problem, since they are a tiny fraction of all available keys. However, they MUST be avoided by any key generation program.
DES variations
Double DES: use 2 keys, K1 and K2. Encryption is E_{K1}(E_{K2}(P)). Is double DES reducible to DES? (Crypto 92.) Triple DES: use 2 or 3 keys. Encryption: E_{K1}(E_{K2}(E_{K3}(P))) or E_{K1}(D_{K2}(E_{K1}(P))).
Cryptanalysis of DES
If you can choose the plaintext: Brute force: try all 2^56 possible keys; no memory necessary; encryption with all keys may be too slow. Build a dictionary: each plaintext may result in 2^64 different ciphertexts; encrypt the known plaintext with all possible keys; you have a look-up table. Very effective if you can inject plaintext and want to find many different keys.
Cryptanalysis of DES
There are some algorithms that trade memory/space requirements. Linear cryptanalysis: a linear approximation to describe DES. DES can be broken: it requires around 2^43 plaintext-ciphertext pairs to find the key (M. Matsui, Eurocrypt 93). Assuming you have an n-bit plaintext and ciphertext, and an m-bit key