190 likes | 267 Views
Security of symmetric algorithms. TE/CS 536 Network Security Spring 2005 – Lecture 8. DES Top View. 56-bit Key. 64-bit Input. 48-bit K1. Generate keys. LPT RPT. Initial Permutation. 48-bit K1. Round 1. 48-bit K2. Round 2. …. 48-bit K16. Round 16. Swap 32-bit halves. Swap.
E N D
Security of symmetric algorithms TE/CS 536 Network Security Spring 2005 – Lecture 8
DES Top View 56-bit Key 64-bit Input 48-bit K1 Generate keys LPT RPT Initial Permutation 48-bit K1 Round 1 48-bit K2 Round 2 …... 48-bit K16 Round 16 Swap 32-bit halves Swap Final Permutation Permutation 64-bit Output
Per-Round Key Generation Initial Permutation of DES key C i-1 D i-1 28 bits 28 bits Circular Left Shift Circular Left Shift One round Round 1,2,9,16: single shift Others: two bits Permutation with 8 bits Discard 48 bits Ki C i D i 28 bits 28 bits
A DES Round 32 bits Ln 32 bits Rn E One Round Encryption 48 bits F Function 48 bits Ki S-Boxes P 32 bits 32 bits Ln+1 32 bits Rn+1
6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 S1 S2 S3 S4 S5 S6 S7 S8 + + + + + + + + Permutation F Function Key is XORed in eight 6-bit chunks with the expanded permuted RPT The permutation produces “spread” among the chunks/S-boxes!
2 bits row I1 I2 I3 I4 I5 I6 S O1 O2 O3 O4 i 4 bits column = 1,…8. i S-Box • 48 bits ==> 32 bits. (8*6 ==> 8*4) • 2 bits used to select amongst 4 permutations for the rest of the 4-bit quantity
Decryption • Apply the same operations with the keys Ki in the reverse sequence: K16 … K1 • To generate keys in the reverse sequence, the bits are circularly shifted right (instead of left) during the key generation process.
Cipher Iterative Action : Input: 64 bits Key: 48 bits Output: 64 bits Key Generation Box : Input: 56 bits Output: 48 bits DES Standard Total 16 rounds
DES Box Summary • Simple, easy to implement: • Hardware gigabits/second • Software megabits/second • Supports several operation modes • ECB • CBC • OFB • CFB
What is a Brute force attack • Brute force attack • Algorithm is known but key is secret • Test all possible keys to recover plaintext from a given ciphertext • Correct key is found by testing candidate plaintexts for similarity to plaintext language (e.g. English encoded in ASCII) • A cipher is secure (un-breakable) if there is no method less expensive than a BF
Brute force attacks on DES • 1977: Diffie-Hellman • $20 M paper design • Search speed (2^38) keys/sec • Will recover one key/day • Cost per key = $50,000 (averaged over 1 year)
Brute force attacks on DES - 2 • 1993: Michael Weiner • Search speed (2^38) keys/sec -- $100K • Will recover one key/35hours • Cost per key = $6.59 (averaged over 1 year) • Other options • Speed (2^41.39) keys/sec -- $1M, 3.5 hours • Speed (2^44.71) keys/sec -- $10M, 21 mins
Brute force attacks on DES - 3 • 1997: DESCHALL • In response to RSA challenge, distributed effort • Searched 51.8% key space • Average speed overall = (2^32.16) = 4.8 bkeys/s • Max speed = (2^32.70) = 7 billion keys per sec • Machines involved = max. 14000 in single day • Time to find the key = 90 days
Brute force attacks on DES - 4 • 1998: Electronic Frontier Foundation (EFF) • $250K DES Cracker machine with 18,000 custom chips : first hardware design actually built (RSA challenge 1998) • Time to find the key 56.05 hours • Searched 24.8% key space • Ave speed (2^36.37) 88.8 b kps
To foil attacks on DES • NIST recommends 128 bits for symmetric key algorithms (1024 bits for asymmetric) • Keys should be generated properly • Usually keys are derived from a user-selected password or passphrase – which should have 128 bits entropy (16 different words), e.g. • sqrnf oikas ocmpe vflte krbqa jwf • iTb.\ / & / - } I t / P ; ^ + 2 2 q • serf bare qd jab weld hum jf sheet gallop neve
Double DES • Multiple encryption to compensate for the short basic DES key • Effective Key size = 128? • If yes, key search space = (2^128) K1K2 • Plain text -------->T--------> C
Double DES – meet-in-the-middle attack • Given a (P,C) pair • Step 1: Calculate Te = E(K1, P) – search space (2^56) • Step 2: Calculate Td = D(K2, C) – search space (2^56) • Step 3: Check if Te = Td K1 and K2 found, work needed: (2^57) • Memory requirement for storing T from step 1: (2^56) 64-bit blocks or (10^17) bytes
Triple DES • Multiple encryption compensates short key • Standard practice: E(K3, D(K2, E(K1, P))) -- 168-bit DES • K1=K3 Two key Triple DES – 112 bit E(K1, D(K2, E(K1, P))) • To launch meet-in-the-middle attack T = D(K2, E(K1, P)) requires exploring a (2^112) search space.
DES3 Issues • Efficiency demands schemes with longer keys to begin with! • DES3 runs one third as fast as DES on the same platform • New candidates - RC5 (64 bit?), IDEA, AES