Digital Encryption Standard CSIS 5857: Encoding and Encryption
History of DES • 1973: National Institute of Standards requests proposals for national symmetric key cryptosystem • 1975: NIST accepts proposal from IBM as national Digital Encryption Standard • Based on Feistel cipher • 56-bit key • Origin of some parts of structure classified • Input from NSA on S-Box structure • Still widely used symmetric key cipher • Current standard: AES
Overall DES Structure • 64-bit block inputs and outputs • 16 round Feistel cipher • 56-bit key used to generate 48-bit round keys
Initial and Final Permutations • Plaintext undergoes initial permutation • Final permutation is inverse of initial permutation • No known reason, since easy for adversary to simulate
Feistel Structure • Input at each round broken into 32-bit left and right halves • Right half mixed with round key using “mixer” function f(R, K) • Result XOR’d with left half • Resulting left and right halves swapped before next round
Mixer Function • 32-bit right half expanded to 48 bits • Combined with round key using XOR • Run through array of 8 x 6 S-Boxes • Results combined and run through 32 x 32 P-Box
Expansion Permutation • First and last bits of each four bits duplicated • No real contribution to confusion, just matches size with round key
Array of S-Boxes • 48-bit input broken into 8 “chunks” of 6 bits each • Output of each compressed to 4 bits • Combined to form 32-bit output • Each S-Box is different to maximize confusion
S-Box Structure • 4 rows x 16 columns (2 bits x 4 bits) • Row determined by bits 1 and 6 of input • Column determined by bits 2 – 5 of input
DES S-Box Example • Input: 110010 • First and last 2 bits: 10 = 2 in decimal • Middle four bits: 1001 = 9 in decimal • Output: 12 = 1100
Mixer P-Box • Goal: Output of each S-Box distributed across final round key value before use in XOR
Round Keys • 16 round keys • Applied in reverse order at decryption stage
Round Key Generation • 64 bit input = 56 bits of key data + 8 parity bits • 56-bit key split into 28-bit left and right halves • Circular left shift applied to each half at each round • Combined in compression P-Box to create 48-bit round key
Parity Bit Drop • Every 8th bit of key input used for parity check to detect transmission errors • This stage removes the parity bits and shuffles key bits
Key Shift Schedule • Key split into two subkeys (28 bits each) • Circular left shift applied each round • One bit shift in rounds 1, 2, 9, 16 • Two bit shift in other rounds (adds up to 28) • Assures different key each round
Round Key Compression • Reduces round key to 48 bits to match bits in mixer • Combined with shifts, assures different bits used in each round key (different bits removed each round)
Analysis of DES • How resistant to different attack types? • Common analysis for all ciphers • Cryptanalysis attacks • Confusion and diffusion • Differential cryptanalysis • Linear cryptanalysis • Weak keys… • Exhaustive search attacks • 56-bit key vulnerable to exhaustive search • Current solution: multiple stage DES
Confusion and Diffusion • Use of inputs to create round key assures each plaintext bit affects many ciphertext bits • Use of shifts and permutations in key generation assures each key bit affects many ciphertext bits
Differential Cryptanalysis • Basic idea: slightly “tweak” plaintexts to see effect on resulting ciphertext • Based on differential relationship $p_1 \oplus p_2 = c_1 \oplus c_2$ for XOR • For large numbers of chosen plaintext: • Compute differences $p_1 \oplus p_2$ and $c_1 \oplus c_2$ • Keep statistics on their relationships • Examine S-boxes to determine how they would affect the statistical relationships • Guess bits of the key based on these relationships • Based on nonuniform distributions of outputs in S-boxes
Differential Cryptanalysis • Example: single S-box between XOR and output • Note uneven distribution • Some outputs more likely than others • Since adversary knows this, can guess likely values of intermediate X • Can then work backward from known P to guess K
Differential Cryptanalysis • For all intermediate pairs $x_1$ and $x_2$ (or some subset) • Compute $x_1 \oplus x_2$ • Compute $c_1 \oplus c_2$ as result of running $x_1$ and $x_2$ through the S-box • Example: All cases where $x_1 \oplus x_2 = 001$
Differential Cryptanalysis • Resulting statistics: $P(c_1 \oplus c_2 \mid x_1 \oplus x_2)$ • [Table indexed by $c_1 \oplus c_2$ and $x_1 \oplus x_2$ not preserved]
Differential Cryptanalysis • Darth runs a bunch of examples for which $p_1 \oplus p_2 = 100$ • Results: • 00 happens 25% of time • 01 happens 25% of time • 11 happens 50% of time • Assumption: $x_1 \oplus x_2$ is actually 001 • Therefore, likely key is $(p_1 \oplus p_2) \oplus (x_1 \oplus x_2) = 101$
Cryptanalysis Attacks on DES • Differential Cryptanalysis • Use of 16 rounds specifically meant for this attack • Even distributions in S-boxes • Statistical relationships obscured • Heavy avalanche effect • $2^{47}$ chosen plaintexts needed to break DES
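The S-box lookup rule and the difference statistics described in the slides above, as an added example that is not part of the original slides. It assumes the published DES S-box S1 (the slides do not say which box their example uses, but S1 reproduces the stated output 12); the function names are hypothetical.

```python
# DES S-box S1 as published in the DES standard: 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """Map a 6-bit input to a 4-bit output."""
    row = ((x >> 5) & 1) << 1 | (x & 1)   # bits 1 and 6 select the row
    col = (x >> 1) & 0xF                  # bits 2-5 select the column
    return S1[row][col]

def difference_row(dx):
    """Count how often each output difference occurs for input difference dx."""
    counts = [0] * 16
    for x1 in range(64):
        counts[sbox(x1) ^ sbox(x1 ^ dx)] += 1
    return counts

def best_output_difference(dx):
    """Return the most likely output difference and its probability."""
    row = difference_row(dx)
    dy = max(range(16), key=row.__getitem__)
    return dy, row[dy] / 64

if __name__ == "__main__":
    print("S1(110010) =", sbox(0b110010))
    for dx in (0b000001, 0b000100, 0b110100):
        dy, prob = best_output_difference(dx)
        print(f"dx={dx:06b}: counts={difference_row(dx)} best dy={dy:04b} p={prob:.3f}")
```

A perfectly flat row would put 4 in every column; the printed rows contain zeros and peaks, which is the nonuniformity the attack's statistics rely on.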
Linear S-Boxes • Linear n x m S-Box can be expressed as linear equations of form: • $c_1 = a_{11}x_1 \oplus a_{12}x_2 \oplus \dots \oplus a_{1n}x_n$ • $c_2 = a_{21}x_1 \oplus a_{22}x_2 \oplus \dots \oplus a_{2n}x_n$ • … • $c_m = a_{m1}x_1 \oplus a_{m2}x_2 \oplus \dots \oplus a_{mn}x_n$ • where $x_i$ is the ith input bit, $c_i$ is the ith ciphertext bit, and $a_{ij}$ is either 0 or 1 • Each ciphertext bit is defined as the XOR of certain input bits
Linear S-Boxes • Example of linear 3x3 S-Box: • $c_1 = x_1 \oplus x_2 = 1x_1 \oplus 1x_2 \oplus 0x_3$ • $c_2 = x_1 \oplus x_2 \oplus x_3 = 1x_1 \oplus 1x_2 \oplus 1x_3$ • $c_3 = x_2 \oplus x_3 = 0x_1 \oplus 1x_2 \oplus 1x_3$ • Corresponding S-Box:
Linear Cryptanalysis • Attempt to approximate entire cipher as one big set of linear equations • Finding solutions to set of linear equations well studied in engineering • n bit key requires n known plaintexts to solve
Linear Cryptanalysis Example Example: Above S-Box used after XOR stage
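Linear Cryptanalysis Example • S-Box input bit $x_i = p_i \oplus k_i$ • Resulting equations: • $c_1 = (p_1 \oplus k_1) \oplus (p_2 \oplus k_2)$ • $c_2 = (p_1 \oplus k_1) \oplus (p_2 \oplus k_2) \oplus (p_3 \oplus k_3)$ • $c_3 = (p_2 \oplus k_2) \oplus (p_3 \oplus k_3)$ • Can now solve for key bits! • $k_1 = p_1 \oplus (c_2 \oplus c_3)$ • $k_2 = p_2 \oplus (c_1 \oplus c_2 \oplus c_3)$ • $k_3 = p_3 \oplus (c_1 \oplus c_2)$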
Linear Cryptanalysis • Possible if cipher uses only linear components • Permutation boxes linear by definition! • Shifting from position i to position j is equation $c_j = 0p_1 \oplus 0p_2 \oplus \dots \oplus 1p_i \oplus \dots \oplus 0p_n$ • Therefore, S-Boxes must not be linear! • They are the only possible nonlinear component
Cryptanalysis Attacks on DES • Linear Cryptanalysis • DES not designed for this attack (invented after DES released) • However, DES S-Boxes not linear • $2^{43}$ known plaintexts needed to break DES using linear cryptanalysis
Weak Keys • Keys that leave plaintext vulnerable in some way • Simple example: k = 26 in Caesar cipher • Weak keys in DES produce same round key for multiple rounds • 4 keys give same round key every round • 8 keys give only 2 distinct round keys • 48 keys give only 4 distinct round keys • Odds unlikely ($8.8 \times 10^{-16}$), but should still check randomly generated keys
Exhaustive Search Attacks • 56-bit key not computationally secure • Parallel processing attacks • Computer with 1 million chips (1998): key found in 112 hours • Network of 3500 computers (1977): key found in 120 days • 56-bit key not recommended by NIST! • “all clones test different keys!”
Multiple Stage DES • No way to use larger key in DES • Structure “hardwired” • Only solution: multiple stage DES • Different keys used each stage • Output ciphertext of one stage input plaintext of next stage
Multiple Stage DES • Multiple stages with different keys greatly increases number of possible ciphertexts • $(2^{64})!$ possible mappings from $2^{64}$ possible input blocks to $2^{64}$ possible output blocks • Only $2^{56}$ possible keys (tiny fraction of the above) • Extremely unlikely that there exists K3 such that E(E(P, K1), K2) = E(P, K3) • [Figure: possible ciphertexts after applying K1, and possible ciphertexts after applying K1 and K2]
“Meet In The Middle” Attack • Theoretically, two stages should be sufficient • Adversary would have to try all combinations of possible K1 and K2 • $2^{56} \times 2^{56} = 2^{112}$ possible combinations of keys • Vulnerable to “meet in the middle” attack • Adversary has a known plaintext P and ciphertext C • Works forward encrypting P with all possible K1 • Works backward decrypting C with all possible K2 • Stores results and searches for matches
“Meet In The Middle” Attack “I’ll try all K1 and store the results in a table” “I’ll try all K2 and store the results in another table” Table of all possible M created by encrypting P Table of all possible M created by encrypting P “Now I’ll compare the two and look for any matches”
“Meet In The Middle” Attack • M’s (and keys K1 and K2 that created them) kept in sorted tables • $2^{56}$ runs to create each table • $56 \times 2^{56}$ comparisons to find matches • Match gives plausible values for K1 and K2 • “Double DES” not computationally secure • [Figure: table of M and K1 with entry 1010001…10, 0110100…01; table of M and K2 with entry 1010001…10, 1100110…00] • “These match” • “So this might be K1 and K2”
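The table-and-match procedure from the slides above, as an added example that is not part of the original slides. It assumes a constructed toy 16-bit Feistel cipher with 8-bit keys in place of DES so the search finishes instantly; the cipher, key values and function names are all hypothetical.

```python
def f(r, k, i):
    # Toy 8-bit round function, constructed for this example (not the DES mixer).
    return ((((r ^ k) + i) * 167) ^ (r >> 3)) & 0xFF

def encrypt(p, k, rounds=4):
    """Toy Feistel cipher: 16-bit block, 8-bit key."""
    l, r = p >> 8, p & 0xFF
    for i in range(rounds):
        l, r = r, l ^ f(r, k, i)
    return (l << 8) | r

def decrypt(c, k, rounds=4):
    """Undo the rounds in reverse order."""
    l, r = c >> 8, c & 0xFF
    for i in reversed(range(rounds)):
        l, r = r ^ f(l, k, i), l
    return (l << 8) | r

def double_encrypt(p, k1, k2):
    return encrypt(encrypt(p, k1), k2)

def meet_in_the_middle(pairs):
    """Recover (K1, K2) candidates from known (plaintext, ciphertext) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}                              # middle value M -> every K1 producing it
    for k1 in range(256):
        forward.setdefault(encrypt(p0, k1), []).append(k1)
    candidates, trials = [], 256
    for k2 in range(256):                     # work backward from C
        trials += 1
        for k1 in forward.get(decrypt(c0, k2), []):
            # A match on one pair is only plausible; confirm on the other pairs.
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, trials

SECRET = (0x3A, 0xC5)                         # constructed key pair
PAIRS = [(p, double_encrypt(p, *SECRET)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    found, trials = meet_in_the_middle(PAIRS)
    print("candidates:", found, "cipher runs:", trials, "vs", 256 * 256, "key pairs")
```

The run count is 2 x 2^8 rather than 2^16, the same ratio that reduces double DES from 2^112 to roughly 2^57 operations.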
Triple DES • Need at least three stages of encryption • “Meet in middle” attack can only take place after at least two stages • Effectively the same as 112 bit key • [Figure: three stages keyed K1, K2, K3] • “I can only attack here”
Triple DES With Two Keys • Just use K1 twice (in first and last stage) • Shorter keys (112 bits instead of 168 bits) • Still secure (have to try all K1 and K2 to do meet in middle attack) • “Still too hard to crack”
Efficiency of DES • Fast if burned into hardware • Basic structure corresponds to wiring diagram • Slow if executed as software • Basic structure doesn’t fit into registers • Much swapping between RAM/registers required • 3DES even slower