CH.4-1: DATA ENCRYPTION STANDARD
Symmetric (secret key) algorithm developed by IBM in 1971. Adopted with changes (e.g., key reduced in size) as the official U.S. Government standard - widely used by feds and banks.
Block cipher (64-bit blocks), 56-bit key; generates a 64-bit output block for every 64-bit input block.
Capabilities:
+ Provides secrecy (confidentiality/privacy) service
+ Fast encryption (relatively), keys are hard to break
- Requires secure distribution of the key
- Does not provide authentication or integrity services
Key distribution remains a relatively difficult problem.
Secret Key Cryptography

Characteristics of DES
64-bit plaintext block in – 64-bit ciphertext block out.
Key length is 56 bits, usually expressed as a 64-bit value in which every 8th bit is parity on the preceding 7 bits – used to check for key errors.
The selected key is called the initial key. The initial key is used to generate 16 sub-keys, each 48 bits long.
Processing proceeds in 16 rounds – each round applies the same functions, but uses the output from the previous round and a different sub-key (a round is like a program loop).
The DES algorithm uses substitution and permutation, which provide Shannon’s confusion and diffusion functions.

DES – Very Simplified Block Diagram
Main idea: the plaintext input is split into a left and a right half for processing. Decryption simply runs the algorithm backwards.

DES - Simplified Block Diagram - Discussion
1. 64 bits of plaintext are split into two 32-bit halves (left/right).
2. The left half is input to function box f(), which performs a substitution and permutation operation based on the bit values of the key.
3. The output is XORed with the right half and sent as input to the 2nd f() function box, which performs additional substitutions and permutations, also based on the key.
4. The output of the 2nd f() box is XORed with the left half.
5. The total output is the left half concatenated with the right half.
Decryption is the inverse (encryption run backwards).
In a real system, this process is run using 16 sub-keys generated from the key and processed in 16 rounds, using a different sub-key for each round.

DES - More Detailed Block Diagram – 1 round

DES - Sub-Key Generation - right half of slide 5
1. The 64-bit key (including parity bits) is permuted and reduced to 56 bits.
Key permutation schedule (each number is the input bit selected) - total array size is 4 rows x 14 columns = 56 entries:
57, 49, 41, 33, 25, 17, 09, 01, 58, 50, 42, 34, 26, 18
10, 02, 59, 51, 43, 35, 27, 19, 11, 03, 60, 52, 44, 36
63, 55, 47, 39, 31, 23, 15, 07, 62, 54, 46, 38, 30, 22
14, 06, 61, 53, 45, 37, 29, 21, 13, 05, 28, 20, 12, 04
Note that the parity bits (8, 16, 24, 32, 40, 48, 56, 64) are not selected. All other bits are selected and permuted.
2. The 56-bit result is split into two halves (left and right).

DES - Sub-Key Generation - continued
3. The halves are circular shifted by 1 or 2 bits (round dependent).
Round  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Shift  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
By circular shift we mean an end-around shift. Remember, we are generating 16 sub-keys, one for each round, and each step after 3 above is performed on each sub-key at each round.
4. After the shift, 48 of the 56 bits are selected using a compression permutation (56 bits to 48 bits).

DES - Sub-Key Generation - continued
Compression permutation:
14, 17, 11, 24, 01, 05, 03, 28, 15, 06, 21, 10
23, 19, 12, 04, 26, 08, 16, 07, 27, 20, 13, 02
41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48
44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
It doesn't involve all bits: the sub-set is 4 rows x 12 columns = 48 bits. For example, bit 18 in the input doesn't appear in the output (i.e., there is no bit 18 in the above permutation). Bit 03 in the input block moves to position 7 in the output block.
After 16 rounds of sub-key processing, all sub-keys are generated.

DES - Encryption - the left side
1. The original message is divided into 64-bit blocks, then encrypted block by block.
2. There is an initial block permutation before the 1st round.
Initial permutation:
58, 50, 42, 34, 26, 18, 10, 02, 60, 52, 44, 36, 28, 20, 12, 04
62, 54, 46, 38, 30, 22, 14, 06, 64, 56, 48, 40, 32, 24, 16, 08
57, 49, 41, 33, 25, 17, 09, 01, 59, 51, 43, 35, 27, 19, 11, 03
61, 53, 45, 37, 29, 21, 13, 05, 63, 55, 47, 39, 31, 23, 15, 07
The permutation does not strengthen DES:
- it makes byte loading in byte-oriented hardware chips easy - note that in each group of 8 bits, one bit is taken from a different byte in the 64-bit block
- it is hard to do in software and often omitted
- if omitted, the result is not standards-compliant DES.

DES - Encryption - continued
2. The permuted output is split into a 32-bit left and right half.
3. The right half is expanded to 48 bits and permuted again - this is called the Expansion permutation.
Purpose: since some bits are used twice (they must be, in the expansion), these bits will affect later substitutions - this causes the dependency of the output bits on the input bits to spread faster (avalanche effect).
32, 01, 02, 03, 04, 05, 04, 05, 06, 07, 08, 09
08, 09, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17
16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25
24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 01
Example: input bit 03 is moved to position 04 in the output, while bit 09 is moved to positions 12 and 14, and so on.

DES - Encryption - continued
4. The 48-bit expansion permutation value is Exclusive ORed (XOR) with the 1st sub-key - this creates key dependency. The bit-by-bit XOR function is defined as:
0 XOR 0 = 0
1 XOR 0 = 1
0 XOR 1 = 1
1 XOR 1 = 0
5. The 48-bit XOR result is converted back to 32 bits by 8 S-boxes. Each S-Box has a 6-bit input and produces a 4-bit output. That is, 48 bits / 6 bits per input = 8 distinct inputs – one per S-Box.

DES - Encryption - S-boxes
[Diagram: 48-bit input -> S-box 1 ... S-box 8 -> 32-bit output]
The input to each S-Box is a 6-bit value used to look up a 4-bit output from a 4-row, 16-column table in the S-Box. If we number the inputs a1, a2, a3, a4, a5, a6, then a1 and a2 specify the row and a3, a4, a5, a6 specify the column.

DES - Encryption - continued
The output is the value stored in the table at the intersection of the row and column. For example, the table for S-Box 1 is:
14, 04, 13, 01, 02, 15, 11, 08, 03, 10, 06, 12, 05, 09, 00, 07
00, 15, 07, 04, 14, 02, 13, 01, 10, 06, 12, 11, 09, 05, 03, 08
04, 01, 14, 08, 13, 06, 02, 11, 15, 12, 09, 07, 03, 10, 05, 00
15, 12, 08, 02, 04, 09, 01, 07, 05, 11, 03, 14, 10, 00, 06, 13
Values are between 00 and 15 (i.e., 4 bits) and each S-Box contains its own mapping (i.e., a different table).
For S-box 1 above, an input of 110110 = row 4, column 6 = 01 output.
In total, the S-Boxes provide 4 bits/box x 8 boxes = 32-bit output.
The S-Boxes provide the confusion function.

DES Encryption
6. The 32-bit output of the S-boxes is sent to the P-Box for permutation to provide additional diffusion. In the P-Box, the 32-bit input is mapped to a 32-bit output - every bit is used, and no bit is used twice.
16, 07, 20, 21, 29, 12, 28, 17, 01, 15, 23, 26, 05, 18, 31, 10
02, 08, 24, 14, 32, 27, 03, 09, 19, 13, 30, 06, 22, 11, 04, 25
This is a total of 32 bits (16 per row). The output of the P-Box is then XORed with the left half output of the original permutation.
7. This result is used as the new right half, and the old right half replaces the old left half, creating a 64-bit output for round 1.
8. The 64-bit output is now used as input for round 2. This continues for 16 total rounds, with each round using a different sub-key.

DES - Decryption
DES uses exactly the same functions to decrypt as to encrypt, but the sub-keys must be used in reverse order for decryption (i.e., encryption uses K1, K2, …, K16, so decryption uses K16, K15, …, K1).
In order to better understand DES, we will use the simplified version described by Stallings. Although not very secure, it is simple enough that it can be used to encrypt and decrypt by hand! You should work through the example in the book to satisfy yourself that it really works.

Simplified DES - Stallings (page 56)
[Diagram, three columns.
Key generation: 10-bit key -> P10 -> Shift -> P8 -> K1; Shift -> P8 -> K2.
Encryption: 8-bit plaintext -> IP -> fk (K1) -> SW -> fk (K2) -> IP^-1 -> 8-bit ciphertext.
Decryption: 8-bit ciphertext -> IP -> fk (K2) -> SW -> fk (K1) -> IP^-1 -> 8-bit plaintext.]

Simplified DES - Key Generation (expanded)
[Diagram: 10 bits -> P10 (permutation) -> split key into two 5-bit halves -> LS-1 on each half (circular shift) -> P8 (permutation) -> K1 output, 8 bits; then LS-2 on each 5-bit half (circular shift) -> P8 (permutation) -> K2 output, 8 bits.]

Simplified DES - Key Generation (expanded)
P10 permutation:
P10 (in-order)  = k1, k2, k3, k4, k5, k6, k7, k8, k9, k10   (1010000010)
P10 (out-order) = k3, k5, k2, k7, k4, k10, k1, k9, k8, k6   (1000001100)
Split the permuted key into two 5-bit halves and circular left shift each by 1:
In  = 10000 01100
Out = 00001 11000
P8 permutation - selects and permutes 8 of the 10 bits:
P8 = 6 3 7 4 8 5 10 9
Result is sub-key K1 = 10100100

Simplified DES - Key Generation (expanded)
To get sub-key K2: take the output of the original circular left shift by 1 and shift it an additional 2.
In  = 00001 11000
Out = 00100 00011
Apply P8 to this value to produce K2:
K2 = 01000011
This completes the generation of K1 and K2.

Simplified DES - Encryption
Two permutation functions (initial, IP, and final, IP^-1), where IP^-1 is the inverse of IP; that is, IP^-1(IP(X)) = X.
Two permutation/substitution functions fk, each using one sub-key, on the left (L) and right (R) data elements. That is:
fk(L, R) = (L XOR F(R, SK), R)
where SK is a sub-key and XOR is the bit-by-bit Exclusive OR.
One switch function SW that interchanges the left and right 4 bits so the second instance of fk operates on a different set of bits.

Simplified DES - Initial & Final Permutation
IP = 2 6 3 1 4 8 5 7
Input = 01001101, Output = 11000110
IP^-1 = 4 1 3 5 7 2 8 6
Input = 11000110, Output = 01001101
Result is IP^-1(IP(X)) = X

Simplified DES - Function fk
Assume the output of the IP stage is 10111101.
Then L, R = 1011, 1101
and fk(L, R) = (L XOR F(R, SK), R),
so fk(1011, 1101) = (1011 XOR F(1101, SK), 1101).
Now assume F(R, SK) = F(1101, SK) = 1110 for some sub-key (this value will change depending on the sub-key). Then:
fk(1011, 1101) = (1011 XOR 1110, 1101) = 0101, 1101
Next we need to describe the complex function F(R, SK).

Simplified DES - Function F(R,SK)
[Diagram: after IP, the right 4 bits enter F(R,SK): Expand/Permute (4 bits -> 8 bits), split into two 4-bit halves feeding S0 and S1 (2 bits out of each), then P4 (4 bits). The two 4-bit halves then pass to SW.]

Simplified DES - Function Parts of F(R,SK)
Expansion/Permutation (E/P) of the 4 bits n1, n2, n3, n4 to 8 bits:
E/P = 4 1 2 3 2 3 4 1
Arrange these bits as follows:
n4 | n1, n2 | n3   (left half of expansion/permutation)
n2 | n3, n4 | n1   (right half)
Compute:
n4 XOR k11 | n1 XOR k12, n2 XOR k13 | n3 XOR k14
n2 XOR k15 | n3 XOR k16, n4 XOR k17 | n1 XOR k18
where xy in kxy means x is the key number and y is the bit position in the key.

Simplified DES - Function Parts of F(R,SK)
Rename these 8 bits:
Row 1: p0,0 | p0,1 p0,2 | p0,3
Row 2: p1,0 | p1,1 p1,2 | p1,3
The first 4 bits (row 1) are input to S-box S0, and the 2nd row to S-box S1, to produce a 2-bit output for each input bit as follows:
S0      0  1  2  3          S1      0  1  2  3
   0    1  0  3  2             0    0  1  2  3
   1    3  2  1  0             1    2  0  1  3
   2    0  2  1  3             2    3  0  1  0
   3    3  1  3  2             3    2  1  0  3
For example, S0, p0,0 = 01; S1, p1,1 = 00

Simplified DES - Function Parts of F(R,SK)
P4 permutation: 2-bit input from S0, 2 bits from S1.
P4 = 2 4 3 1
P4 output = output of fk
Switch function: interchanges the left and right halves so the second instance of fk, using the second key, operates on different data.
The second instance of fk operates the same as described above, using the K2 sub-key and the switched input.
Decryption uses all the same functions run backwards.

DES - Today
DES is obviously a more complicated function than Stallings' S-DES, but the principles are similar.
DES is also a product of the 70’s - no longer considered secure.
The problem is key length: 56 bits = 2^56 keys ~ 10^17, which is now considered a risk. It requires a search of 2^55 tries to break, and has been broken in theory and practice:
1. 1977 - Diffie/Hellman $20M machine proposal (never built).
2. 1993 - Entrust proposes a detailed design to break DES.
3. 1998 - Deep Crack breaks DES key in 4.5 days.
4. 1998 - 70,000 Internet PCs break DES key in 96 days.
5. 1999 - 2nd internet effort breaks DES in 22 days.

DES - Strength
Brute force key attacks have a complexity of 2^55 = 2^56/2 operations.
Differential Cryptanalysis: chosen plaintext attack (select a large number of plaintexts with certain mathematical qualities based on the 2-halves split used in DES, encrypt, and analyze the result to reveal the key). Theoretical effort is 2^47, but selecting 2^47 plaintexts and getting them injected is not reasonable.
Linear Cryptanalysis: known plaintext attack (get known plaintext-ciphertext pairs and find a linear equation representing the key bits). Requires 2^47 pairs, which are infeasible to acquire.
Note: doing this in the lab is easy; getting that many plaintext/ciphertext pairs injected into an adversary’s system is the problem!

Times for Exhaustive Key Search (assumes half the keys searched)

Deep Crack
1. Broke 56-bit DES on June 16, 1998 - 3 days after RSA challenge.
2. $250,000 hardware machine designed as follows:
- 28 circuit boards, 64 chips/board, 24 DES engines/chip.
- Pentium I/O box running Linux.
- 28 x 64 x 24 = 43,008 search engines (40 MHz).
- 60 x 10^6 keys/sec-engine.
- 43 x 10^3 x 60 x 10^6 = 2.58 x 10^6 keys/microsecond design rate.
3. Results for final implementation:
- Fewer boards in final (27 for 41,472 chips).
- Some bad chips (37,050 were good).
- Speed achieved was 92.2 x 10^9 keys/sec (~ 100,000 keys/usec).
- Took 2.3 days to find the key at 25% of key space.
So the estimate of ~ 4.5 days for 1/2 the key space is very close.

Weak Keys in Symmetric Algorithms
In any encryption algorithm we can find weak keys. These are keys that yield encryptions that are relatively easy to break using cryptanalysis.
Simple weak keys are those with a high degree of internal redundancy or symmetry. For example, any key composed of: all zeros, all ones, alternating ones and zeros, and alternating zeroes and ones.

Weak Keys in DES
There are 16 DES keys that are considered weak. The probability of generating these is small (16/2^56).
Suspect keys are those for which the initial permutation of the two 28-bit quantities C0, D0 produces one of the four values: all zeroes, alternating ones and zeroes, alternating zeroes and ones, and all ones. This produces 16 weak keys as follows:
        C0        C0        C0        C0
        0,0..     1,0..     0,1..     1,1..
D0      0,0..     0,0..     0,0..     0,0..
D0      1,0..     1,0..     1,0..     1,0..
D0      0,1..     0,1..     0,1..     0,1..
D0      1,1..     1,1..     1,1..     1,1..

Weak Keys in DES
The 4 keys for which C0 and D0 are all zeroes or all ones are weak keys since they are their own inverses. This means that the key used in every round will be the same (the shift produces no change). This is also true of keys where each half is all 1's or 0's.
The remaining 12 keys are considered semi-weak since each is the inverse of one of the others.
It is relatively easy to test for these keys after generation.
It is also a good idea to avoid keys with values < 1000, since an adversary may start searching the key space from the bottom. This can also be avoided by a simple test.

DES - Controversy
Other issues were raised by the adoption of DES as a federal standard.
The original IBM Lucifer key length was 128 bits - reduced to 56 in order to fit on a single-chip implementation.
During development of the chip, IBM engaged outside consultants including the National Security Administration (NSA).
The S-box design criteria were classified. Cryptographers were concerned that certain weaknesses might have been put in by NSA to ensure NSA could decrypt messages without access to the key.
Despite these concerns DES flourished.

Strengthening DES - Still DES, but stronger
Concept - use cascading (multiple) encryption, say double or triple:
Double Encryption: Plaintext p -> E (K1) -> Intermediate ciphertext ic -> E (K2) -> Ciphertext c
Triple Encryption: Plaintext p -> E (K1) -> Intermediate ciphertext ic1 -> E (K2) -> Intermediate ciphertext ic2 -> E (K3) -> Ciphertext c

DES and Multiple DES – Key Strength
DES = 56-bit key strength
2DES = 2 x 56 = 112-bit strength if K1 ≠ K2
3DES = 3 x 56 = 168 bit if K1 ≠ K2 ≠ K3
     = 2 x 56 = 112 bit if K1 = K3, but K1 ≠ K2
     = 1 x 56 = 56 bit if K1 = K2 = K3
2DES is not used (at least it shouldn’t be).
The 2nd option of 3DES is commonly used; it is compatible with DES.

Double DES - A New Attack - Meet-in-the-Middle
C = Ek2(Ek1(P)) and P = Dk1(Dk2(C)), and if X is the result after the first encryption = the result after the first decryption, then:
X = Ek1(P) = Dk2(C) (X is the middle-man)
Given a known plaintext/ciphertext pair (P, C):
- Encrypt P for all 2^56 possible values of the key k1 and create a table.
- Decrypt C for all 2^56 values of the key k2 and match against the table.
- On a match, test the trial key against a new (P, C) pair.
- If successful, assume the key is correct.
We also know that there are only 2^64 possible ciphertext values that can be produced by a given plaintext (because the block size is 64).

Double DES - Meet-in-the-Middle
We know a 112-bit key is used. On average, for a 64-bit output the number of keys that can produce a 64-bit result is 2^112/2^64 = 2^48.
Step 1: Create and match the table. This will produce about 2^48 false alarms on the first (P, C) pair.
By trying a second pair, the false alarm rate drops to 2^(48-64) = 2^-16. Put another way, the probability that the correct keys are determined is 1 - 2^-16, or nearly 1.
Since the original effort was ~ 2 x 2^56, double DES is not as strong as the key size would indicate. It is ~ 4 times stronger than DES.
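
An added example (not from the slides or from Stallings' book): Simplified DES built from the P10, P8, IP, E/P, S0/S1 and P4 tables on the Simplified DES slides, then used as the cipher for the meet-in-the-middle procedure above, so the 2 x 2^10 work against a 20-bit double key can be seen on a cipher small enough to run. The S-box rule (bits 1 and 4 select the row, bits 2 and 3 the column) follows Stallings' S-DES definition; the second key, the sample plaintexts and the function names are constructed for this example.

```python
from itertools import product

# Tables as given on the Simplified DES slides (1-based bit positions).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(bits, table):
    return "".join(bits[i - 1] for i in table)

def rotl(bits, n):
    return bits[n:] + bits[:n]

def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def subkeys(key10):
    p = permute(key10, P10)
    left, right = rotl(p[:5], 1), rotl(p[5:], 1)          # LS-1
    k1 = permute(left + right, P8)
    left, right = rotl(left, 2), rotl(right, 2)           # LS-2
    return k1, permute(left + right, P8)

def sbox(box, nibble):
    # Assumption from Stallings: bits 1,4 pick the row, bits 2,3 the column.
    row, col = int(nibble[0] + nibble[3], 2), int(nibble[1] + nibble[2], 2)
    return format(box[row][col], "02b")

def fk(block, sk):
    left, right = block[:4], block[4:]
    t = xor(permute(right, EP), sk)
    f = permute(sbox(S0, t[:4]) + sbox(S1, t[4:]), P4)
    return xor(left, f) + right

def crypt(block8, key10, decrypt=False):
    k1, k2 = subkeys(key10)
    if decrypt:                    # same functions, sub-keys reversed
        k1, k2 = k2, k1
    x = fk(permute(block8, IP), k1)
    x = fk(x[4:] + x[:4], k2)      # SW, then the second fk
    return permute(x, IP_INV)

def double_encrypt(p, ka, kb):
    return crypt(crypt(p, ka), kb)

def meet_in_the_middle(pairs):
    """Return every (ka, kb) consistent with all known (P, C) pairs."""
    keys = ["".join(k) for k in product("01", repeat=10)]
    p0, c0 = pairs[0]
    table = {}
    for ka in keys:                                    # 2^10 encryptions
        table.setdefault(crypt(p0, ka), []).append(ka)
    hits = []
    for kb in keys:                                    # 2^10 decryptions
        for ka in table.get(crypt(c0, kb, decrypt=True), []):
            # False alarms are filtered with the remaining pairs.
            if all(double_encrypt(p, ka, kb) == c for p, c in pairs[1:]):
                hits.append((ka, kb))
    return hits

if __name__ == "__main__":
    KA, KB = "1010000010", "0110011101"     # constructed key pair
    blocks = ("01110010", "10111101", "00001111", "11010010", "01100110")
    pairs = [(p, double_encrypt(p, KA, KB)) for p in blocks]
    print(subkeys(KA), len(meet_in_the_middle(pairs)), "candidate(s)")
```

With an 8-bit block each known pair removes only about 8 bits of key uncertainty, so several pairs are needed here where two suffice for the 64-bit DES block.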

Typical Multiple DES Encryption
Most common is Triple DES using 2 different 56-bit keys. Called EDE3 (encrypt-decrypt-encrypt with 3 keys).
The DES algorithm is applied 3 times using the different keys: Encrypt - K1, Decrypt - K2 (run backwards), Encrypt – K1.
Although the key length is 3 x 56 = 168, the strength is 2 x 56 = 112. This is because it is a 2-step encryption, not 3. The decryption step increases complexity, but does not increase key strength.
Used because EDE3 is backwards compatible with single DES.
Now the key strength is 2^112 ~ 10^33 possible keys - still considered strong.
Biggest problem = speed = 1/3 the speed of DES.

3 DES Compatibility
3DES Encryption/Decryption functions:
C = Ek1(Dk2(Ek1(P)))
D = Dk1(Ek2(Dk1(C)))
IF K1 = K2:
C = Ek1(Dk1(Ek1(P))) = Ek1(P)
D = Dk1(Ek1(Dk1(C))) = Dk1(C)

Operating Modes
Block ciphers, like DES, encrypt plaintext in fixed-size, n-bit blocks (n is typically 64).
For messages longer than 64 bits, the easiest method is to divide the message into n-bit blocks and encrypt each block separately. This is called Electronic CodeBook (ECB) mode. Trouble is, it has some significant flaws. Therefore, other modes of operation have been developed. All the modes include:
- Electronic CodeBook (ECB)
- Cipher Block Chaining (CBC)
- Cipher FeedBack (CFB), and
- Output Feedback (OFB)
Each method adds complexity, but strengthens the cryptography.

Electronic CodeBook (ECB) Mode
[Diagram: plaintext p -> E (key) -> ciphertext c -> E^-1 (key) -> plaintext p]
Characteristics:
1. Identical plaintext blocks and the same key produce identical cipher blocks (may reveal structure). Thus, long messages may contain repeats and are to be avoided. Typically used only for one-block messages, like a key exchange.
2. Each block is independent of other blocks, except as above.
3. Errors occurring in a block affect only that block - they don’t propagate.

Cipher Block Chaining (CBC) Mode
[Diagram labels: IV0, cj-1, plaintext pj, E, key, ciphertext cj, cj-1, E^-1, key, plaintext pj]

Cipher Block Chaining (CBC) Mode
The encryption is initialized by the Initialization Vector IV0.
The first block of plaintext pj is encrypted as a function of the key and the Exclusive OR of pj and IV0. The first output block is fed back to the input as cj-1 and XORed with the next plaintext block pj.
Characteristics:
1. Identical plaintext blocks produce identical ciphertext (for same key & IV0). Changing IV0 produces different ciphertext.
2. Chaining causes ciphertext to depend on plaintext and previous plaintext blocks (because of cj-1 feedback) - text doesn’t repeat!
3. Errors propagate because of the feedback.
4. IV does not have to be secret, but should be protected (integrity).

Cipher FeedBack (CFB) Mode
[Diagram labels: IV, r-bit shift, Ij, cj-1, E, key, leftmost r bits, Oj, plaintext pj, ciphertext cj; decryption side: r-bit shift, Ij, E^-1, key, leftmost r bits, Oj, plaintext pj]

Cipher FeedBack (CFB) Mode
The same as CBC in principle, but operates like a streaming cipher. While CBC mode processes an n-bit block, streaming ciphers operate on smaller units, say r bits, r < n (r is often 1 bit, or 8 bits = 1 character).
Characteristics:
1. Like CBC, changing the IV changes the ciphertext.
2. Chaining makes output depend on plaintext, key, and previous ciphertext.
3. Errors propagate, but stop after n bits shift out of cj.
4. If r < n, throughput is decreased by a factor of n/r (compared to CBC).

Output FeedBack (OFB) Mode
[Diagram labels: IV, Oj-1, Ij, E, key, leftmost r bits, Oj, plaintext pj, ciphertext cj; decryption side: Oj-1, Ij, E^-1, key, leftmost r bits, Oj, plaintext pj]

Output FeedBack (OFB) Mode
Still similar to CFB (typically used for stream encryption), except the encryption function output is fed back instead of the ciphertext. This limits error propagation, but at the cost of being somewhat less secure.
Characteristics:
1. Like CBC, changing the IV changes the ciphertext.
2. Chaining makes output depend on plaintext, key, and previous encryption block.
3. Errors in transmission do not propagate - a key difference!

Other Algorithms
Many, many have been developed; many have fallen, but many have survived. Good ones include:
- IDEA - 128-bit key, strong algorithm, never been broken (Swiss)
- RC2, 4, 5 - Variable key length, from Ron Rivest (MIT)
- Blowfish - Variable key length, up to 448 bits, from Bruce Schneier of Counterpane
- CAST-128, FEAL, LOKI, etc., etc.

Symmetric Encryption - Block Size
Small blocks help statistical analysis. All things being equal, small blocks are more likely to repeat.
So, long blocks are more secure, since they are less likely to repeat, but:
- Long blocks increase the complexity of implementation exponentially.
- Long blocks reduce encryption speed.
64/128 bits are common block sizes, and using cipher feedback mode strengthens the encryption further.