5/7/2018 S DES and DES Complete - slidepdf.com
http://slidepdf.com/reader/full/s-des-and-des-complete 1/117
VIJAY KATTA
Cryptography and Network Security
By: William Stallings; B. Forouzan; Bruce Schneier; P. van Oorschot and S. Vanstone
Chapter 3 & Chapter 6 - Block Ciphers, DES, Others
3.1 Simplified DES
3.2 Block Cipher Principles
3.3 The Data Encryption Standard
3.4 The Strength of DES
3.5 Differential and Linear Cryptanalysis
3.6 Block Cipher Design Principles
3.7 Block Cipher Modes of Operation
Ch06 - Contemporary symmetric ciphers
3.0 Modern Block Ciphers
will now look at modern block ciphers
one of the most widely used types of cryptographic algorithms
provide secrecy and/or authentication services
in particular will introduce DES (Data Encryption Standard)
Block vs Stream Ciphers
block ciphers process messages in blocks, each of which is then en/decrypted
like a substitution on very big characters
- 64 bits or more
stream ciphers process messages a bit or byte at a time when en/decrypting
many current ciphers are block ciphers
hence are focus of course
Simplified DES (S-DES)
An educational algorithm
A product cipher
- two identical sub-ciphers
Each sub-cipher
- Permutation
- Substitution
S-DES
Encryption
- Input: 8-bit plaintext
- Input: 10-bit key K
- Output: 8-bit ciphertext
Decryption
- Input: 8-bit ciphertext
- Input: 10-bit key K
- Output: 8-bit plaintext
Simplified DES (cont.)
Key generation
- P10: a permutation of 10 bits
- shift: shift (rotate) the input
- P8: a permutation of 8 bits
Encryption/Decryption
- IP: initial permutation
- $f_K$: a complex function (substitution + permutation)
- SW: a simple permutation (swapping)
- $IP^{-1}$: the inverse of IP
Overview of S-DES
Subkey generation
- $K_1 = P8 \circ \text{shift} \circ P10(K)$
- $K_2 = P8 \circ \text{shift} \circ \text{shift} \circ P10(K)$
Encryption
- $C = IP^{-1} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP(P)$
Decryption
- $P = IP^{-1} \circ f_{K_1} \circ SW \circ f_{K_2} \circ IP(C)$
Sub-key generation
Sub-key generation (cont.)
P10: 10-bit permutation
P10 = 3 5 2 7 4 10 1 9 8 6
P10(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = k3 k5 k2 k7 k4 k10 k1 k9 k8 k6
e.g. K = 10100 00010
P10(K) = P10(10100 00010) = 10000 01100
Sub-key generation (cont.)
LS-1: rotate left for 1 bit
e.g. LS-1(10000) = 00001
     LS-1(01100) = 11000
Sub-key generation (cont.)
P8: a permutation with 10-bit input and 8-bit output
P8 = 6 3 7 4 8 5 10 9
P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = k6 k3 k7 k4 k8 k5 k10 k9
e.g. K1 = P8(00001 11000) = 10100100
Sub-key generation (cont.)
LS-2: rotate left for 2 bits
e.g. LS-2(00001) = 00100
     LS-2(11000) = 00011
Sub-key generation (cont.)
P8: a permutation with 10-bit input and 8-bit output
P8 = 6 3 7 4 8 5 10 9
P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = k6 k3 k7 k4 k8 k5 k10 k9
e.g. K2 = P8(00100 00011) = 01000011
S-DES encryption (cont.)
Initial and final permutations: IP, $IP^{-1}$
IP = 2 6 3 1 4 8 5 7
$IP^{-1}$ = 4 1 3 5 7 2 8 6
$IP^{-1} \circ IP(X) = X = IP \circ IP^{-1}(X)$
S-DES encryption (cont.)
S-DES encryption (cont.)
Function $f_K$
- Permutation + substitution.
- $f_K(L, R) = (L \oplus F(R, SK), R)$
  SK: A subkey $K_i$ ($i = 1, 2$)
  L: Leftmost 4 bits
  R: Rightmost 4 bits
  F: A mapping from 4-bit strings to 4-bit strings.
  $\oplus$: bit-wise XOR
S-DES encryption (cont.)
Function $f_K$
- Example:
  Input is 1011 1101: L = 1011, R = 1101
  F(1101, SK) = 1110
  $f_K(1011\ 1101) = 1011 \oplus 1110 \,\|\, 1101 = 0101\ 1101$
S-DES encryption (cont.)
Mapping F(R, SK)
[Figure: mapping F(R, SK), with inputs R and SK]
S-DES encryption (cont.)
Mapping F(R, SK)
- Expansion/permutation (E/P): 4-bit R -> 8 bits
- XOR with subkey SK -> 8 bits
- 2 S-boxes -> 4 bits
- P4 permutation -> 4 bits (output)
S-DES encryption (cont.)
E/P: 4-bit -> 8-bit
E/P = 4 1 2 3 2 3 4 1
Example:
E/P(1001) = 11000011
S-DES encryption (cont.)
S-box (substitution box)
- S0, S1: 4 bits -> 2 bits
S0(b1 b2 b3 b4): row selected by b1b4, column selected by b2b3

b1b4 \ b2b3   00   01   10   11
00            01   00   11   10
01            11   10   01   00
10            00   10   01   11
11            11   01   11   10
S-DES encryption (cont.)
S1(b1 b2 b3 b4): row selected by b1b4, column selected by b2b3

b1b4 \ b2b3   00   01   10   11
00            00   10   10   11
01            10   00   01   11
10            11   00   01   00
11            10   01   00   11

Example:
S0(0010) = 00, S1(0010) = 10
S-DES encryption (cont.)
P4: 4-bit permutation
P4 = 2 4 1 3
S-DES encryption (cont.)
[Figure: worked example of the mapping F(R, SK); values shown: 1001, 10011001, 11000011, 0101 1010, 01 00, 1000]
S-DES Encryption (cont.)
SW: switch function
- Interchange the left and right 4 bits
  b1 b2 b3 b4 b5 b6 b7 b8 -> b5 b6 b7 b8 b1 b2 b3 b4
S-DES Encryption (cont.)
2nd round: same as the first round except sub-key $K_2$ is used
Final permutation $IP^{-1}$ is applied.
S-DES encryption (cont.)
Key: K = 1010000010
Plaintext: P = 11110011
Sub-key generation
- $K_1 = P8 \circ \text{LS-1} \circ P10(1010000010) = 10100100$
- $K_2 = P8 \circ \text{LS-2} \circ \text{LS-1} \circ P10(1010000010) = 01000011$
Plaintext: 11110011
- IP(11110011) = 1011 1101 = L || R
- $F(R, K_1)$
  $E/P(1101) \oplus K_1 = 11101011 \oplus 10100100 = 0100\ 1111$
  S0(0100) = 11
  S1(1111) = 11
  P4(1111) = 1111
S-DES encryption (cont.)
- $f_{K_1}(1011\ 1101) = (L \oplus F(R, K_1), R) = (1011 \oplus 1111, 1101) = 0100\ 1101$
- SW(0100 1101) = 1101 0100 = L || R
- $F(R, K_2)$
  $E/P(0100) \oplus K_2 = 00101000 \oplus 01000011 = 0110\ 1011$
  S0(0110) = 10
  S1(1011) = 01
  P4(1001) = 0101
- $f_{K_2}(1101\ 0100) = (L \oplus F(R, K_2), R) = (1101 \oplus 0101, 0100) = 1000\ 0100$
- $IP^{-1}(10000100) = 01000001$
Ciphertext C = 01000001
S-DES decryption
S-DES decryption (cont.)
$C = IP^{-1} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP(P)$
$IP^{-1} \circ f_{K_1} \circ SW \circ f_{K_2} \circ IP(C)$
$= IP^{-1} \circ f_{K_1} \circ SW \circ f_{K_2} \circ IP \circ IP^{-1} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP(P)$
$= IP^{-1} \circ f_{K_1} \circ SW \circ f_{K_2} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP(P)$
$= IP^{-1} \circ f_{K_1} \circ SW \circ SW \circ f_{K_1} \circ IP(P)$
$= IP^{-1} \circ f_{K_1} \circ f_{K_1} \circ IP(P)$
$= IP^{-1} \circ IP(P)$
$= P$
S-DES decryption (cont.)
Only sub-keys are fed in reverse order
$SW \circ SW = I$ (identity)
$IP^{-1} \circ IP = IP \circ IP^{-1} = I$ (identity)
$f_{K_1} \circ f_{K_1}(X, Y) = f_{K_1}(X \oplus F(Y, K_1), Y)$
$= (X \oplus F(Y, K_1) \oplus F(Y, K_1), Y)$
$= (X, Y)$
$f_{K_2} \circ f_{K_2}(X, Y) = f_{K_2}(X \oplus F(Y, K_2), Y)$
$= (X \oplus F(Y, K_2) \oplus F(Y, K_2), Y)$
$= (X, Y)$
S-DES decryption (cont.)
Generate sub-keys in reverse order
S-DES decryption (cont.)
Generate sub-keys in reverse order
P10(K) = k1 k2 ... k10
Encryption
- LS-1(k1 k2 k3 k4 k5) = k2 k3 k4 k5 k1
- LS-2(k2 k3 k4 k5 k1) = k4 k5 k1 k2 k3
Decryption
- RS-2(k1 k2 k3 k4 k5) = k4 k5 k1 k2 k3
- RS-2(k4 k5 k1 k2 k3) = k2 k3 k4 k5 k1
S-DES decryption (cont.)
Generate sub-keys in reverse order
[Figure: reverse-order sub-key generation; labels shown: RS-2, RS-2, K2, K1]
S-DES decryption
[Figure: Encryption/Decryption; labels shown: e/d flag, P/C, K1/K2, K2/K1, C/P]
3.2 & 3.6 Block Cipher Principles
most symmetric block ciphers are based on a Feistel Cipher Structure
needed since must be able to decrypt ciphertext to recover messages efficiently
block ciphers look like an extremely large substitution
would need table of $2^{64}$ entries for a 64-bit block
instead create from smaller building blocks
using idea of a product cipher
Claude Shannon and Substitution-Permutation Ciphers
in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
- modern substitution-transposition product cipher
these form the basis of modern block ciphers
S-P networks are based on the two primitive cryptographic operations we have seen before:
- substitution (S-box)
- permutation (P-box)
provide confusion and diffusion of message
5.1.4 Product Ciphers
Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining substitution, permutation, and other components discussed in previous sections.
5.1.4 Continued
Diffusion
The idea of diffusion is to hide the relationship between the ciphertext and the plaintext.
Note: Diffusion hides the relationship between the ciphertext and the plaintext.
5.1.4 Continued
Confusion
The idea of confusion is to hide the relationship between the ciphertext and the key.
Note: Confusion hides the relationship between the ciphertext and the key.
5.1.4 Continued
Rounds
Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components.
Confusion and Diffusion
Shannon suggests to thwart "statistical analysis"
Confusion
- Blur the relation between the ciphertext and the encryption key
- Substitution
Diffusion
- Each ciphertext alphabet is affected by many plaintext alphabet
- Repeated permutations
Feistel Cipher Structure
Horst Feistel devised the Feistel cipher
- based on concept of invertible product cipher
partitions input block into two halves
- process through multiple rounds which
- perform a substitution on left data half
- based on round function of right half & subkey
- then have permutation swapping halves
implements Shannon's substitution-permutation network concept
Feistel Cipher Structure
Feistel Cipher Design Principles
block size
- increasing size improves security, but slows cipher
key size
- increasing size improves security, makes exhaustive key searching harder, but may slow cipher
number of rounds
- increasing number improves security, but slows cipher
subkey generation
- greater complexity can make analysis harder, but slows cipher
round function
- greater complexity can make analysis harder, but slows cipher
fast software en/decryption & ease of analysis
- are more recent concerns for practical use and testing
Feistel Cipher Decryption
Average time required for exhaustive key search

Key Size (bits)   Number of Alternative Keys   Time required at 10^6 Decryption/µs
32                2^32 = 4.3 x 10^9            2.15 milliseconds
56                2^56 = 7.2 x 10^16           10 hours
128               2^128 = 3.4 x 10^38          5.4 x 10^18 years
168               2^168 = 3.7 x 10^50          5.9 x 10^30 years
3.3 Data Encryption Standard (DES)
most widely used block cipher in world
adopted in 1977 by NBS (now NIST)
- as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy over its security
DES History
IBM developed Lucifer cipher
- by team led by Feistel
- used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher with input from NSA and others
in 1973 NBS issued request for proposals for a national cipher standard
IBM submitted their revised Lucifer which was eventually accepted as the DES
Security analysis of DES
Why 56 bits?
- Lucifer's key is 128-bit long
- Rumor: it was deliberately reduced so that NSA can break it
- Facts
  1997: distributed exhaustive key search all over the world takes 3 months.
  1998: specialized key search chips take 56 hours
  1999: the search device is improved and achieves the record of 22 hours
A single round
6.2.3 Continued
Figure 6.10 Key generation
Avalanche effect
A small change in either the plaintext or the key should produce a significant change in the ciphertext
In particular, one bit change in either the plaintext or the key => half bits change in ciphertext
Avalanche effect (cont.)
For example
- P1 = 0000 0000 ... 0000
- P2 = 1000 0000 ... 0000
- K = 0000001 1001011 0100100 1100010 0011100 0011000 0011100 0110010
- Then, 34 bits differ in $C = R_{16}L_{16}$
Fast avalanche effect
The avalanche effect within the first few rounds; for example, the first 3 rounds.

Change in Plaintext            Change in Key
Round   #bits that differ      Round   #bits that differ
0       1                      0       0
1       6                      1       2
2       21                     2       14
3       35                     3       28
4       39                     4       32
5       34                     5       30
6       32                     6       32
7       31                     7       35
8       29                     8       34
9       42                     9       40
10      44                     10      38
11      32                     11      31
12      30                     12      33
13      30                     13      28
14      26                     14      26
15      29                     15      34
16      34                     16      35
3.7 Modes of Operation
block ciphers encrypt fixed size blocks
eg. DES encrypts 64-bit blocks, with 56-bit key
need way to use in practice, given usually have arbitrary amount of information to encrypt
four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
subsequently now have 5 for DES and AES
have block and stream modes
- Recall ch03-3
- stream ciphers process messages a bit or byte at a time when en/decrypting
Modes of operations (Overview)
Advantages and disadvantages: goals
- Same plaintext blocks => Same Cipher blocks
- Padding
- Stream cipher => Error propagation
- Parallel encryption/decryption
Padding message (64bits block)
- Electronic codebook mode (ECB)
- Cipher block chaining mode (CBC)
Convert DES to Stream cipher (1 bit or 8 bits)
- Cipher feedback mode (CFB)
- Output feedback mode (OFB)
Parallel encryptions
- Counter (CTR)
ECB mode
Simplest mode
Each block of 64-bit plaintext is handled independently
It is like a codebook (huge) lookup
The same 64-bit block has the same cipher text
Same key is used in all block encryption.
APPLICATION: Secured Transmission of Key.
ECB mode (cont.)
Encryption
- Key: K
- Plaintext: $P = P_1 P_2 \ldots P_{N-1} P_N$
- Padded plaintext: $P' = P_1 P_2 \ldots P_{N-1} P_N'$
  $P_1, P_2, \ldots, P_{N-1}$ are 64-bit blocks
  $P_N'$ is the last (padded) 64-bit block
  Padding pattern: 10...0
- Ciphertext $C = C_1 C_2 \ldots C_N$
  $C_i = E_K(P_i)$, $1 \le i \le N$
ECB mode (cont.)
ECB mode (cont.)
Decryption
- Key: K
- Ciphertext: $C = C_1 C_2 \ldots C_N$
- Padded plaintext: $P' = P_1 P_2 \ldots P_{N-1} P_N'$
- Plaintext: $P_1 P_2 \ldots P_{N-1} P_N$
ECB mode (cont.)
Advantages and Limitations of ECB Advantages and Limitations of ECB
repetitions in message may show inrepetitions in message may show inciphertextciphertext
± ± if aligned with message blockif aligned with message block
± ± particularly with data such graphicsparticularly with data such graphics ± ± or with messages that change very little,or with messages that change very little,
which become a codewhich become a code--book analysis problembook analysis problem
weakness due to encrypted messageweakness due to encrypted messageblocks being independentblocks being independent
main use is sending a few blocks of datamain use is sending a few blocks of data
Cipher Block Chaining (CBC)
message is broken into blocks
but these are linked together in the encryption operation
each previous cipher block is chained with the current plaintext block, hence the name
use Initial Vector (IV) to start the process
$C_i = \mathrm{DES}_{K1}(P_i \oplus C_{i-1})$, $C_{-1} = \mathrm{IV}$
uses: bulk data encryption, authentication

CBC mode (cont.)
Goal: the same plaintext block is encrypted into different ciphertext blocks
Initial vector (IV)
- 64 bits long
- Fixed, or negotiated between sender and receiver
Padded plaintext: $P' = P_1 P_2 \ldots P_N$
Ciphertext: $C = C_1 C_2 \ldots C_N$
- $C_1 = E_K(\mathrm{IV} \oplus P_1)$
- $C_i = E_K(C_{i-1} \oplus P_i)$, $2 \le i \le N$

CBC mode (cont.)
Decryption
- Key: K
- Ciphertext: $C = C_1 C_2 \ldots C_N$
- Padded plaintext: $P = P_1 P_2 \ldots P_N$
  $P_1 = D_K(C_1) \oplus \mathrm{IV}$
  $P_i = D_K(C_i) \oplus C_{i-1} = C_{i-1} \oplus P_i \oplus C_{i-1}$

Advantages and Limitations of CBC
each ciphertext block depends on all message blocks
thus a change in the message affects all ciphertext blocks after the change as well as the original block
need Initial Value (IV) known to sender & receiver
- however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
- hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
at end of message, handle possible last short block
- by padding either with known non-data value (e.g. nulls)
- or pad last block with count of pad size
  e.g. [ b1 b2 b3 0 0 0 0 5 ] <- 3 data bytes, then 5 bytes pad+count

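The ECB and CBC definitions above, with the 10…0 padding and the repetition leak made measurable, as an added example that is not part of the original slides. E and D are a constructed 4-round Feistel permutation on 64-bit blocks standing in for DES; the key, IV and message are sample values.

```python
import hashlib

BLOCK = 8  # bytes: 64-bit blocks, as on the slides

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Constructed round function (truncated SHA-256); an assumption, not DES.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def E(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on one 64-bit block (stand-in for E_K)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, xor(left, round_f(key, rnd, right))
    return left + right

def D(key: bytes, block: bytes) -> bytes:
    """Inverse permutation (stand-in for D_K): undo the rounds in reverse order."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_f(key, rnd, left)), left
    return left + right

def pad(msg: bytes) -> bytes:
    # Padding pattern 10...0: a single 1 bit (0x80), then 0 bits to the boundary.
    fill = BLOCK - len(msg) % BLOCK
    return msg + b"\x80" + b"\x00" * (fill - 1)

def unpad(padded: bytes) -> bytes:
    body = padded.rstrip(b"\x00")
    if not body.endswith(b"\x80") or len(padded) - len(body) >= BLOCK:
        raise ValueError("invalid 10...0 padding")
    return body[:-1]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    return b"".join(E(key, p) for p in blocks(pad(msg)))    # C_i = E_K(P_i)

def ecb_decrypt(key, ct):
    return unpad(b"".join(D(key, c) for c in blocks(ct)))   # P_i = D_K(C_i)

def cbc_encrypt(key, iv, msg):
    prev, out = iv, []
    for p in blocks(pad(msg)):
        prev = E(key, xor(prev, p))       # C_1 = E_K(IV ^ P_1), C_i = E_K(C_{i-1} ^ P_i)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))  # P_i = D_K(C_i) ^ C_{i-1}
        prev = c
    return unpad(b"".join(out))

def repeated_blocks(ct: bytes) -> int:
    """Ciphertext blocks that duplicate an earlier block: the ECB codebook leak."""
    return len(blocks(ct)) - len(set(blocks(ct)))

if __name__ == "__main__":
    key, iv = b"constructed key", bytes.fromhex("0123456789abcdef")
    msg = b"PAY 100$" * 4 + b"to Bob"     # constructed: four identical aligned blocks
    print("ECB repeats:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(key, iv, msg)))
```

Counting duplicate ciphertext blocks is also a practical check for spotting ECB use in captured or stored data.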
CFB mode (Cipher feedback)
Stream cipher mode
One-time pad
Block size: J bits, $1 \le J \le 64$
Needs no padding in most cases
- For example, between keyboard and computer, we set J=8

CFB mode (cont.)
Encryption: J-bit CFB
- Plaintext: $P = P_1 P_2 \cdots P_N$, the $P_i$ are J-bit blocks
- $S_J(X)$: the leftmost J bits of X
- $T_{64-J}(Y)$: the rightmost 64-J bits of Y
- Algorithm
  R = IV
  For i = 1 to N
  - $C_i = P_i \oplus S_J(E_K(R))$
  - $R = T_{64-J}(R) \,\|\, C_{i-1}$

CFB mode (cont.)
Decryption: J-bit CFB
- Ciphertext: $C = C_1 C_2 \cdots C_N$, the $C_i$ are J-bit blocks
- $S_J(X)$: the leftmost J bits of X
- $T_{64-J}(Y)$: the rightmost 64-J bits of Y
- Algorithm
  R = IV
  For i = 1 to N
  - $P_i = C_i \oplus S_J(E_K(R))$
  - $R = T_{64-J}(R) \,\|\, C_{i-1}$

Advantages and Limitations of CFB
appropriate when data arrives in bits/bytes
most common stream mode
limitation is the need to stall while doing block encryption after every n bits
note that the block cipher is used in encryption mode at both ends
errors propagate for several blocks after the error

OFB mode (Output feedback)
Similar to CFB, but output (not ciphertext) is fed back
uses: stream encryption over noisy channels
Advantage
- Bit errors in $C_i$ won't propagate to decryption errors of $C_j$, $j > i$
Disadvantage
- Complementing bits of $C_i$ results in complementing bits in $P_i$
Not suitable for error-correcting (see the next decryption figure; modify one bit of $C_1$)

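The error-propagation claims for CFB and OFB above, checked with J=8, as an added example that is not part of the original slides. It assumes a constructed stand-in for $E_K$ (keyed BLAKE2b truncated to 64 bits, usable because both modes only call the cipher in the encryption direction) and shifts each ciphertext unit into R as soon as it is produced.

```python
import hashlib

def E(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for E_K on a 64-bit block (keyed BLAKE2b); not DES.
    return hashlib.blake2b(block, key=key, digest_size=8).digest()

def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """8-bit CFB: output unit = input unit xor S_8(E_K(R)); R = T_56(R) || ciphertext unit."""
    R, out = iv, bytearray()
    for unit in data:
        result = unit ^ E(key, R)[0]        # S_8: leftmost 8 bits of E_K(R)
        fed_back = unit if decrypt else result  # always the ciphertext unit
        R = R[1:] + bytes([fed_back])       # T_56(R) || C
        out.append(result)
    return bytes(out)

def ofb8(key: bytes, iv: bytes, data: bytes) -> bytes:
    """8-bit OFB: the cipher output, not the ciphertext, is fed back. Same call decrypts."""
    R, out = iv, bytearray()
    for unit in data:
        o = E(key, R)[0]
        out.append(unit ^ o)
        R = R[1:] + bytes([o])              # T_56(R) || S_8(E_K(R))
    return bytes(out)

def flip_bit(data: bytes, index: int, mask: int = 0x01) -> bytes:
    """Simulate a channel error: complement one bit of one ciphertext unit."""
    damaged_copy = bytearray(data)
    damaged_copy[index] ^= mask
    return bytes(damaged_copy)

def damaged(original: bytes, recovered: bytes) -> list:
    """Positions where the recovered plaintext differs from the original."""
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]

if __name__ == "__main__":
    key, iv = b"constructed key", bytes(range(8))
    msg = b"keyboard input, one byte at once"   # constructed sample, 32 units
    cfb_rec = cfb8(key, iv, flip_bit(cfb8(key, iv, msg), 5), decrypt=True)
    ofb_rec = ofb8(key, iv, flip_bit(ofb8(key, iv, msg), 5))
    # CFB: unit 5 has the flipped bit, then the error sits in R for 64/J = 8 more units.
    print("CFB damaged units:", damaged(msg, cfb_rec))
    # OFB: only the complemented bit of unit 5 changes.
    print("OFB damaged units:", damaged(msg, ofb_rec))
```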
Counter (CTR)
a "new" mode, though proposed early on
similar to OFB but encrypts counter value rather than any feedback value
must have a different key & counter value for every plaintext block (never reused)
$C_i = P_i \oplus O_i$
$O_i = \mathrm{DES}_{K1}(i)$
uses: high-speed network encryptions

Advantages and Limitations of CTR
efficiency
- can do parallel encryptions
- in advance of need
- good for bursty high speed links
random access to encrypted data blocks
provable security (good as other modes) ?
but must ensure never reuse key/counter values, otherwise could break (cf OFB)

Modes of operations (Summary)
Advantages and disadvantages: goals
- Same plaintext blocks => same cipher blocks
- Padding problem
- Stream cipher => error propagation
- Parallel encryption/decryption

Ch06 - Double DES
Key size $K = (K_1, K_2)$: 112 bits
$C = E_{K2}(E_{K1}(P))$

6.4.1 Double DES
The first approach is to use double DES (2DES).
Meet-in-the-Middle Attack
However, a known-plaintext attack called the meet-in-the-middle attack proves that double DES improves this vulnerability only slightly (to $2^{57}$ tests), not tremendously (to $2^{112}$).

Double DES (cont.)
Meet-in-the-middle attack
- Given a pair (P, C)
- Let $K_i$ be the i-th key of the key space, $0 \le i \le 2^{56}-1$
- Compute $M_i = E_{K_i}(P)$, $0 \le i \le 2^{56}-1$
- Compute $N_j = D_{K_j}(C)$, $0 \le j \le 2^{56}-1$
- Check whether $M_i = N_j$
  If so, $K = (K_i, K_j)$ is very likely to be the secret key
- Time: $2^{56} + 2^{56} = 2^{57}$
- The memory size for the $M_i$'s: $2^{56} \times 64$ bits
  we need not store the $N_j$'s.

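The procedure above carried out at toy scale, to show why doubling the key gives about $2 \cdot 2^n$ work rather than $2^{2n}$; this is an added example, not part of the original slides. The cipher is a constructed 24-bit-block, 12-bit-key permutation (an assumption standing in for DES), and the extra known pairs filter out chance matches of $M_i = N_j$.

```python
MASK = (1 << 24) - 1          # 24-bit block (toy size, an assumption)
KEYS = 1 << 12                # 12-bit keys, so double encryption has 24 key bits
MUL = 0x2F6B35                # odd constant, hence invertible modulo 2**24
INV = pow(MUL, -1, 1 << 24)   # modular inverse (Python 3.8+)

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (24 - n))) & MASK

def E(k: int, x: int) -> int:
    """Constructed 4-round toy block cipher standing in for DES encryption."""
    for r in range(4):
        x = rotl(((x ^ (k * 0x1001 ^ r)) * MUL) & MASK, 7)
    return x

def D(k: int, y: int) -> int:
    """Inverse of E: undo rotation, multiplication and key XOR, last round first."""
    for r in reversed(range(4)):
        y = ((rotl(y, 17) * INV) & MASK) ^ (k * 0x1001 ^ r)
    return y

def double_encrypt(k1: int, k2: int, p: int) -> int:
    return E(k2, E(k1, p))                    # C = E_K2(E_K1(P))

def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with all known (P, C) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(KEYS):                    # M_i = E_Ki(P): computed once and stored
        middle.setdefault(E(k1, p0), []).append(k1)
    found = []
    for k2 in range(KEYS):                    # N_j = D_Kj(C): looked up, never stored
        for k1 in middle.get(D(k2, c0), ()):
            # M_i = N_j can also occur by chance; further pairs filter those out.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found

def cost():
    """(meet-in-the-middle cipher operations, exhaustive key pairs) at this toy size."""
    return 2 * KEYS, KEYS * KEYS

if __name__ == "__main__":
    secret = (0x3A7, 0xC15)                   # constructed key pair
    known = [(p, double_encrypt(*secret, p)) for p in (0x123456, 0xABCDEF, 0x0F0F0F)]
    print("consistent key pairs:", meet_in_the_middle(known))
    print("operations vs exhaustive search:", cost())
```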
6.4.1 Continued
Figure 6.14 Meet-in-the-middle attack for double DES
Figure 6.15 Tables for meet-in-the-middle attack

6.4.2 Triple DES
Figure 6.16 Triple DES with two keys

Triple DES
Plaintext, ciphertext: 64 bits
Key $K = (K_1, K_2)$: 112 bits
Encryption: $C = E_{K1}(D_{K2}(E_{K1}(P)))$
Decryption: $P = D_{K1}(E_{K2}(D_{K1}(C)))$
Advantages
- Key size is larger
- Compatible with regular one-key DES
  Set $K_1 = K_2 = K$ (56-bit)
  $C = E_K(D_K(E_K(P))) = E_K(P)$
  $P = D_K(E_K(D_K(C))) = D_K(C)$

6.4.2 Continued
Triple DES with Three Keys
The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys. Triple DES with three keys is used by many applications such as PGP (see Chapter 16).

IDEA (International Data Encryption Algorithm)
Plaintext = 64 bits.
Key = 128 bits.
Subkeys = 52 (16 bits each).
Ciphertext = 64 bits.
Number of identical rounds = 8 (6 keys in each round).
And one output transformation round (4 keys).

Design Issues
The design philosophy behind the algorithm is one of "mixing operations from different algebraic groups".
1) XOR
2) Addition modulo $2^{16}$
3) Multiplication modulo $2^{16} + 1$

Encryption Key Generation.
Encryption Algorithm.

Sequence of operation
1) Multiply x1 and first sub key (sk)
2) Add x2 and second sk
3) Add x3 and third sk
4) Multiply x4 and fourth sk
5) Step 1 ⊕ step 3
6) Step 2 ⊕ step 4
7) Multiply step 5 with fifth sk.
8) Add result of step 6 and step 7
9) Multiply result of step 8 with sixth sk.
10) Add result of step 7 and step 9.
11) XOR result of step 1 and step 9.
12) XOR result of step 3 and step 9.
13) XOR result of step 2 and step 10.
14) XOR result of step 2 and step 10.

Operation in output transformation
1) Multiply x1 with first sk.
2) Add x2 and second sk.
3) Add x3 and third sk.
4) Multiply x4 and fourth sk.

Next generation
NIST began the process of selecting the next-generation secret-key encryption algorithm in 1998.
Advanced encryption standard (AES)
- Rijndael (Chapter 5)
Plaintext, ciphertext: at least 128 bits.
Key size: flexible, at least 128 bits.
You can check its web site.
- Http://www.nist.gov/aes

Stream Ciphers
process the message bit by bit (or bytes) (as a stream)
typically have a (pseudo) random stream key
combined (XOR) with plaintext bit by bit
randomness of stream key completely destroys any statistical properties in the message
- $C_i = M_i \oplus \mathrm{StreamKey}_i$
what could be simpler!!!!
but must never reuse stream key
- otherwise can remove effect and recover messages

Stream Cipher Properties
some design considerations are:
- long period with no repetitions
- statistically random
- depends on large enough key
- large linear complexity
- correlation immunity
- confusion
- diffusion
- use of highly non-linear boolean functions

Stream Cipher: RC4
a proprietary cipher owned by RSA DSI
another Ron Rivest design, simple but effective
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, WLAN WEP - not secure)
key forms random permutation of all 8-bit values
uses that permutation to scramble input info processed a byte at a time

WLAN WEP (WLAN security requirement and some attacks.ppt)
WLANs protocol standard: IEEE 802.11a, 802.11b, 802.11g (WEP), 802.11i (TKIP short-term solution)

Problems with WEP
24-bit IVs are too short
The CRC checksum is used by WEP for integrity protection
WEP combines the IV with the key in a way that enables cryptanalytic attacks
Integrity protection for source and destination addresses is not provided

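Why a 24-bit IV concatenated to a fixed base key breaks the "never reuse stream key" rule stated for stream ciphers above, as an added example that is not part of the original slides. RC4 is the standard algorithm; the frame layout (3-byte IV followed by ciphertext, no CRC field) is a simplifying assumption and the key and payloads are constructed.

```python
from collections import Counter

def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):            # key scheduling: key forms a permutation of all 8-bit values
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:               # one keystream byte per data byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_style_frame(base_key: bytes, iv: bytes, payload: bytes) -> bytes:
    # Per-packet key = IV || base key; the IV travels in the clear in front.
    return iv + rc4(iv + base_key, payload)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def reused_ivs(frames) -> list:
    """IVs seen on more than one frame; every reuse repeats a keystream."""
    counts = Counter(frame[:3] for frame in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)

def iv_collision_probability(n_frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that n randomly chosen IVs contain a repeat."""
    p_unique = 1.0
    for i in range(n_frames):
        p_unique *= 1 - i / 2 ** iv_bits
    return 1 - p_unique

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"                      # constructed 40-bit base key
    p1, p2 = b"constructed payload A", b"constructed payload B"
    f1 = wep_style_frame(key, b"\x00\x00\x01", p1)
    f2 = wep_style_frame(key, b"\x00\x00\x01", p2)     # same IV, same keystream
    f3 = wep_style_frame(key, b"\x00\x00\x02", p1)
    print("reused IVs:", reused_ivs([f1, f2, f3]))
    # With a shared keystream, C1 xor C2 equals P1 xor P2: the key cancels out.
    print("keystream cancelled:", xor(f1[3:], f2[3:]) == xor(p1, p2))
    print("P(IV repeat in 5000 frames):", round(iv_collision_probability(5000), 3))
```

With random 24-bit IVs a repeat is more likely than not after roughly 5000 frames, which is the sense in which the slide calls the IV too short.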
TKIP: IEEE 802.11i short-term solution
A message integrity code (MIC), called Michael, to defeat forgeries;
A packet sequencing discipline, to defeat replay attacks
A per-packet key mixing function, to prevent attack
Long-term solution
A single key to provide confidentiality and integrity
Provide integrity protection for the plaintext packet header, as well as

| | WEP | TKIP |
|---|---|---|
| Cipher, Key Size(s) | RC4, 40 or 104-bit encryption | RC4, 128-bit encryption, 64-bit authentication |
| Key Lifetime | 24-bit wrapping IV | 48-bit IV |
| Per-packet key | Concatenate IV to base key | TKIP mixing function |
| Packet Data | CRC-32 | Michael |
| Replay detection | None | Enforcing IV sequencing |
| Key Management | None | IEEE 802.1X |

WLAN EAP (EAP series methods on wireless security.ppt)
IEEE 802.1X provides both authentication and key management
EAP, RADIUS

EAP series
- Password-based
  LEAP
  EAP-SKE
  EAP-SRP
  EAP-SPEKE
  EAP-SIM (GSM/GPRS, SIM card)
  EAP-AKA (3G-UMTS, USIM card)
- Certificate-based
  EAP-TLS
  EAP-TTLS
  PEAP