Applied Cryptography Data Encryption Standard

Post on 03-Feb-2022


Sape J. Mullender

Huygens Systems Research Laboratory, Universiteit Twente, Enschede


History

DES has a checkered history. The book provided fascinating reading material. In brief:

1972: National Bureau of Standards initiated a programme to develop an encryption standard.

1974: After a second request for technology, IBM offered its Lucifer product as input. The NBS requested and got help from the NSA in evaluating the input.


1975: Details of the algorithm were published. IBM granted a nonexclusive, royalty-free licence for its use. The NBS requested comments. Many comments concerned NSA’s input: the key size was reduced from 128 bits to 56 bits, and a trapdoor was suspected.


1976: DES was adopted as a federal standard. NSA regrets its cooperation.

1977–1981: Various enhancements were published.

1983: The first five-year review of DES was successful.

1987: NSA (with veto power obtained from Reagan) did not want to recertify the standard. Instead it wanted to certify a series of algorithms which would remain secret. Public outrage prevented this and DES was recertified (but for the very last time!)

1993: DES was recertified.


How DES works

• Block cipher: a 64-bit block of plaintext is converted to 64-bit ciphertext, using a 56-bit key (or an 8-byte key with parity; note that the parity bit is in the LSB).

• The algorithm is public; the security is in the key.

• The algorithm consists of substitutions and permutations, arranged in 16 rounds.

• It is eminently suited for hardware implementations, but reasonable software implementations can be built too.

Overview

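[Figure: DES overview. Plaintext passes through IP, then through rounds in which the halves L and R (numbered 0 to 16) are combined by F with the round keys K1 to K16, then through IP again to give the ciphertext.]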

The Basic Step

The basic step is reversible:

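$$L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$$

[Figure: the basic step and its reverse. L, R and K pass through F to give L’, R’ and K’; the reverse step takes L’, R’ and K’ back to L and R.]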

The Key

During each step, the key is changed by circularly shifting each 28-bit half left by either one or two bits.

After the shift, 48 bits out of the 56 are used in the one-way function F.

[Figure: key schedule. Each 28-bit half of the 56-bit key is shifted by 1 or 2 bits; a compression permutation selects 48 bits.]

The One-Way Function

Composed of an expansion permutation, an XOR operation with the 48-bit partial key, an S-box substitution, and a P-box permutation.

Note that this is a one-way function; that is, it does not have an easily computable inverse. It doesn’t have to, because the rounds are invertible even with a non-invertible one-way function.

[Figure: the one-way function. Labels: R_i, L_i, K_i, Expansion, S Box; bit widths 32 and 48.]

Expansion Permutation, S-Boxes

The expansion permutation doesn’t permute much. Bits with numbers $\equiv 0 \pmod 4$ and $\equiv 1 \pmod 4$ are doubled; the others are not.

[Figure: expansion permutation from 32 input bits to 48 output bits.]

The S-boxes map 6 bits down to 4. There are eight different ones. The mapping is done by table lookup; each 4-bit output value is produced by four 6-bit input values.

P-Box Permutation

The P-Box is a straightforward permutation of the bits.

[Figure: P-box permutation of bits 1 to 32.]

Encryption and Decryption

The rounds are individually reversible. This makes decryption very similar to encryption:

• The order of the rounds has to be reversed and, since the difference between rounds is only the key, the sequence of keys has to be reversed.

• The key shifts are reversed (right shift instead of left shift). Note that the shift amounts were chosen so that the key has shifted all the way around after round 16, back to where it started at round 0.

• The initial and final permutations stay where they are: the initial permutation ‘undoes’ the final permutation so the first round gets the correct input.

Modes of DES

DES is typically used in one of four modes of operation:

ECB: Electronic Codebook Mode

CBC: Cipher Block Chaining Mode

CFB: Cipher Feedback Mode

OFB: Output Feedback Mode


Electronic Codebook Mode

Each block of 64 bits is encrypted and decrypted independently of other blocks.

A cryptanalyst can collect plaintext/ciphertext pairs for known plaintext, compile a ‘codebook’ and detect repetitions of the input.

Block replay is a threat. An attacker can replace a block of ciphertext by a different one undetected by the receiver.

Solution: cipher block chaining ...

Cipher Block Chaining Mode

The purpose is to make blocks depend on all previous blocks so that block substitution no longer works (a checksum at the end of the message will detect tampering).

$$C_i = \{P_i \oplus C_{i-1}\}_K, \qquad P_i = C_{i-1} \oplus \{C_i\}_K$$

Two identical messages will still encrypt the same, so an initialization vector (a block of random bits) is chosen for $C_0$.

Note that the IV is not secret, but that’s okay, none of the other $C_i$ are secret either.
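The ECB and CBC behaviour described above, as an added example that is not part of the slides. E and D are a deliberately trivial 64-bit stand-in permutation (not DES, not secure), and the key, IV, sample blocks and function names are constructed for illustration.

```python
MASK = (1 << 64) - 1
A = 0x9E3779B97F4A7C15          # odd, so multiplying by it mod 2**64 is invertible
A_INV = pow(A, -1, 1 << 64)

def E(block, key):
    """Stand-in 64-bit block encryption (NOT DES and not secure)."""
    return ((block ^ key) * A) & MASK

def D(block, key):
    """Inverse of E."""
    return ((block * A_INV) & MASK) ^ key

def ecb_encrypt(blocks, key):
    return [E(p, key) for p in blocks]

def ecb_decrypt(blocks, key):
    return [D(c, key) for c in blocks]

def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv                 # C_0 is the initialization vector
    for p in blocks:
        prev = E(p ^ prev, key)        # C_i = {P_i xor C_{i-1}}_K
        out.append(prev)
    return out

def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(prev ^ D(c, key))   # P_i = C_{i-1} xor decrypted C_i
        prev = c
    return out

def repeats(ciphertext):
    """Indices of blocks equal to an earlier block: what an ECB eavesdropper sees."""
    return [i for i, c in enumerate(ciphertext) if c in ciphertext[:i]]

# Constructed sample: blocks 0 and 1 are identical, block 2 differs.
MSG = [0x5041592031303024, 0x5041592031303024, 0x544F20414C494345]
KEY, IV = 0x0123456789ABCDEF, 0x1122334455667788

if __name__ == "__main__":
    ecb, cbc = ecb_encrypt(MSG, KEY), cbc_encrypt(MSG, KEY, IV)
    print("ECB repeats:", repeats(ecb), " CBC repeats:", repeats(cbc))
    swapped = [ecb[0], ecb[2], ecb[1]]   # reordered ciphertext blocks
    print("ECB decrypts reordered blocks cleanly:",
          ecb_decrypt(swapped, KEY) == [MSG[0], MSG[2], MSG[1]])
    tampered = [cbc[0], cbc[2], cbc[1]]
    print("CBC after reordering:", [hex(p) for p in cbc_decrypt(tampered, KEY, IV)])
```

Under ECB the reordered ciphertext decrypts to cleanly reordered plaintext, while under CBC the moved block decrypts to a value that no longer matches the plaintext block it came from, which is what an end-of-message checksum then catches.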


Cipher Feedback Mode

[Figure: CFB mode, sender and receiver. Labels: shift register positions 0 to 7, Shift, Encrypt, Key, P, C.]

An initialization vector provides the initial contents of the shift register.

Output Feedback Mode

Output Feedback mode generates an input-independent one-time pad that is XOR-ed with the input stream.

[Figure: OFB mode, sender and receiver. Labels: shift register positions 0 to 7, Shift, Encrypt, Key, K, P, C.]

OFB Feedback Size

Output Feedback mode is not secure unless the feedback size equals the block size (i.e., 64 bits). The cycle time is then $2^{64} - 1$. Smaller feedback sizes shorten the cycle time to approximately $2^{32}$, which is not long enough.

[Figure: OFB with full-block feedback. Labels: Encrypt, Key, K, P, C.]

Weak Keys

The halves of the key are shifted. If one key half consists entirely of 1s or 0s, shifting it around won’t change it. This creates a substantial weakness. The following keys, therefore, are weak:

0000000 0000000

0000000 FFFFFFF

FFFFFFF 0000000

FFFFFFF FFFFFFF
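The key rotation, the reversible basic step, decryption by reversed keys and the weak keys listed above can be seen together in one short sketch. This is an added example, not code from the slides: the round function F is a stand-in built from SHA-256, the compression permutation, IP and the S-boxes are omitted, and all function names are assumptions.

```python
import hashlib

# DES left-rotation amounts per round (standard schedule); they sum to 28.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
MASK28, MASK32 = (1 << 28) - 1, (1 << 32) - 1

def rotl28(x, n):
    """Circular left shift of a 28-bit key half."""
    return ((x << n) | (x >> (28 - n))) & MASK28

def round_keys(key56):
    """Return the 16 round keys and the key halves left after round 16."""
    c, d = key56 >> 28, key56 & MASK28
    keys = []
    for s in SHIFTS:
        c, d = rotl28(c, s), rotl28(d, s)
        # Real DES applies the 56-to-48-bit compression permutation here;
        # this sketch keeps all 56 bits (assumption, tables omitted).
        keys.append((c << 28) | d)
    return keys, (c, d)

def F(r, k):
    """Stand-in one-way round function (NOT the DES F): truncated SHA-256."""
    data = r.to_bytes(4, "big") + k.to_bytes(7, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def feistel(block64, keys):
    """Run the basic step once per key; IP and its inverse are omitted."""
    l, r = block64 >> 32, block64 & MASK32
    for k in keys:
        l, r = r, l ^ F(r, k)    # L_i = R_{i-1}; R_i = L_{i-1} xor F(R_{i-1}, K_i)
    return (r << 32) | l         # final swap lets the same routine decrypt

def encrypt(block64, key56):
    return feistel(block64, round_keys(key56)[0])

def decrypt(block64, key56):
    return feistel(block64, round_keys(key56)[0][::-1])   # same rounds, keys reversed

def is_weak(key56):
    """True when all round keys are identical, so encrypting twice undoes itself."""
    return len(set(round_keys(key56)[0])) == 1

if __name__ == "__main__":
    key, weak, p = 0x0123456789ABCD, 0x0000000FFFFFFF, 0x0123456789ABCDEF  # constructed
    assert decrypt(encrypt(p, key), key) == p
    assert round_keys(key)[1] == (key >> 28, key & MASK28)
    assert is_weak(weak) and encrypt(encrypt(p, weak), weak) == p
    print("round trip ok; weak key makes encryption its own inverse")
```

Decryption never inverts F; it only reverses the key order, and with a weak key the reversed order is the same order, so encryption and decryption become the same operation.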


Complement Keys

The encryption is entirely done by shifting and permuting bits and by XOR-ing. The results of shifting and permuting are independent of the bit values. Due to the property of XOR, therefore:

$$\{P\}_K = C \iff \{P'\}_{K'} = C'$$

where $X'$ is the bitwise complement of $X$.

DES and Mathematics

If the DES operator formed a group over the set of inputs:

$$\forall K_1, K_2\ \exists K_3 : \{\{P\}_{K_1}\}_{K_2} = \{P\}_{K_3}$$

This would imply double DES would be useless. If DES were pure:

$$\forall K_1, K_2, K_3\ \exists K_4 : \{\{\{P\}_{K_1}\}_{K_2}\}_{K_3} = \{P\}_{K_4}$$

and triple DES would be useless.

Fortunately, DES is not a group and it is certainly not pure (one implies the other).

Triple DES

Works by encrypting, decrypting and encrypting with three keys (sometimes with two: $K_1, K_2, K_1$).

[Figure: Triple DES. P to C via Encrypt, Decrypt, Encrypt with keys K1, K2, K3; the reverse direction is Decrypt, Encrypt, Decrypt.]

DESX

Uses whitening which makes a brute-force attack much, much harder.

[Figure: DESX. P is whitened with K1, encrypted under K, and whitened again with a value F derived from K1 and K2 to give C.]

IDEA

Proposed in 1960, by Xuejia Lai and James Massey, IDEA is probably the strongest block cipher around today. It uses three basic operations on 16-bit subblocks:

• XOR

• Addition modulo $2^{16}$

• Multiplication modulo $2^{16} + 1$

DES encrypts 64-bit data blocks with a 128-bit key. The basic step, shown in the next slide, is repeated 8 times. During each step, 6 subkeys are used.

IDEA Basic Step

[Figure: IDEA basic step. Inputs X1 to X4; one round uses subkeys Z1 to Z6; the output transformation uses subkeys Z1 to Z4; outputs X’1 to X’4.]

IDEA Subkeys

There are 6 subkeys for each round and 8 rounds: 48 subkeys. There are four more subkeys for the output transformation: 52 keys total.

• The 128-bit key is divided into 8 16-bit subkeys.

• These are used as the first 8 subkeys (6 in round 1, 2 in round 2).

• Then the key is rotated left 25 bits and is again divided into 8 subkeys (4 in round 2, 4 in round 3).

• This process repeats.


IDEA Decryption

Steps are reversed, key is rotated right, and subkeys are additively or multiplicatively inverted before use (this is data-independent, so it need only be done once at initialization).
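The subkey procedure and the per-subkey inverses described above, as an added example that is not part of the slides. The function names and the sample key are assumptions, and the order in which decryption consumes the inverted subkeys is not shown.

```python
MASK128 = (1 << 128) - 1

def rotl128(x, n):
    """Circular left rotation of the 128-bit key."""
    return ((x << n) | (x >> (128 - n))) & MASK128

def idea_subkeys(key128):
    """Return the 52 16-bit encryption subkeys derived from a 128-bit key."""
    subkeys = []
    while len(subkeys) < 52:
        # Split the current key into eight 16-bit subkeys, most significant first.
        subkeys += [(key128 >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        key128 = rotl128(key128, 25)
    return subkeys[:52]          # the last batch supplies only four subkeys

def by_round(subkeys):
    """Group into 8 rounds of 6 subkeys plus 4 for the output transformation."""
    return [subkeys[6 * r: 6 * r + 6] for r in range(8)], subkeys[48:]

def mul_inv(z):
    """Inverse for multiplication modulo 2**16 + 1, where 0 stands for 2**16."""
    return pow(z or 0x10000, -1, 0x10001) & 0xFFFF

def add_inv(z):
    """Inverse for addition modulo 2**16."""
    return -z & 0xFFFF

SAMPLE_KEY = 0x00010002000300040005000600070008   # constructed sample key

if __name__ == "__main__":
    rounds, output = by_round(idea_subkeys(SAMPLE_KEY))
    for n, keys in enumerate(rounds, start=1):
        print(f"round {n}:", " ".join(f"{k:04x}" for k in keys))
    print("output :", " ".join(f"{k:04x}" for k in output))
```

Round 2 of the printed schedule starts with the last two subkeys of the unrotated key and continues with the first four of the rotated key, matching the "6 in round 1, 2 in round 2" split on the slide.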
