DATA ENCRYPTION STANDARD Ref: Cryptography and Network Security by William Stallings

DATA ENCRYPTION STANDARD · DATA ENCRYPTION STANDARD (DES) Before the Advanced Encryption Standard (AES), the Data Encryption Standard (DES) was the most widely used encryption scheme.

Jul 19, 2020


dariahiddleston

MODERN BLOCK CIPHERS

• One of the most widely used types of cryptographic algorithms
• Provide secrecy/authentication services
• The focus of the lecture is DES (Data Encryption Standard), the most widely used symmetric cipher.
• A detailed study of DES provides an understanding of the principles used in other symmetric ciphers
• DES is based on block cipher design principles


BLOCK VS STREAM CIPHERS

• Block ciphers process messages in blocks, each of which is then en/decrypted
• Stream ciphers process messages a bit or byte at a time when en/decrypting
• Many current ciphers are block ciphers and have a broader range of applications, hence the focus on them.


BLOCK VS STREAM CIPHERS


BLOCK CIPHER PRINCIPLES

• Most symmetric block ciphers are based on a Feistel cipher structure.
• A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits.


IDEAL BLOCK CIPHER


CLAUDE SHANNON AND SUBSTITUTION-PERMUTATION CIPHERS

• Claude Shannon introduced the idea of substitution-permutation (S-P) networks in a 1949 paper
• This forms the basis of modern block ciphers
• S-P nets are based on the two primitive cryptographic operations seen before: substitution (S-box) and permutation (P-box)
• It was the technique of layering groups of S-boxes separated by a larger P-box that formed the S-P network


FEISTEL CIPHER STRUCTURE

• Horst Feistel devised the Feistel cipher in the early 70's while working at IBM Thomas J Watson Research Labs
• Partitions the input block into two halves
• performs a substitution on the left half based on the round function of the right half & subkey
• a permutation swaps the right half with the left half of the next round
• processes through multiple rounds
• Implements Shannon's S-P net concept


FEISTEL CIPHER STRUCTURE


FEISTEL CIPHER STRUCTURE

• The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K.
• The plaintext block is divided into two halves, L0 and R0.
• The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block.
• Each round i has as inputs Li–1 and Ri–1, derived from the previous round, as well as a subkey Ki, derived from the overall K.
• In general, the subkeys Ki are different from K and from each other.
• The process of decryption with a Feistel cipher is essentially the same as the encryption process.
• The rule of decryption is as follows: use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order. That is, use Kn in the first round, Kn–1 in the second round, and so on until K1 is used in the last round.


FEISTEL CIPHER STRUCTURE

• The intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped.
• Output of the first round of the decryption process is equal to a 32-bit swap of the input to the sixteenth round of the encryption process.

The encryption process
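To see why the decryption rule on these slides holds for any round function, here is a small Feistel network added as an example (it is not code from the lecture or from Stallings). The round function F and the 16 subkeys are constructed stand-ins, not DES's; the block width (64 bits) and round count (16) match DES.

```python
import hashlib

W = 32                        # half-block width w; the block is 2w = 64 bits
MASK = (1 << W) - 1

# Constructed 48-bit subkeys K1..K16 (an assumption; any key schedule would do).
SUBKEYS = [int.from_bytes(hashlib.sha256(b"demo-key" + bytes([i])).digest()[:6],
                          "big") for i in range(16)]

def F(right, subkey):
    """Toy round function (an assumption, NOT the DES function): any keyed
    32-bit -> 32-bit map works here, and it need not be invertible."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def rounds(block, subkeys):
    """Run the n rounds L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i).
    Returns the list of (L_i, R_i) states; index 0 is (L_0, R_0)."""
    L, R = block >> W, block & MASK
    states = [(L, R)]
    for k in subkeys:
        L, R = R, L ^ F(R, k)
        states.append((L, R))
    return states

def encrypt(block, subkeys):
    L, R = rounds(block, subkeys)[-1]
    return (R << W) | L            # final swap, as in the Feistel diagram

def decrypt(block, subkeys):
    # Same algorithm; only the subkey order differs: K_n first, K_1 last.
    return encrypt(block, subkeys[::-1])

def swap_property(block, subkeys):
    """The previous slide's claim: the output of decryption round 1 equals
    the 32-bit swap of the input to encryption round n. True if it holds."""
    enc = rounds(block, subkeys)
    dec = rounds(encrypt(block, subkeys), subkeys[::-1])
    L_in, R_in = enc[len(subkeys) - 1]   # input to the last encryption round
    return dec[1] == (R_in, L_in)

if __name__ == "__main__":
    m = 0x123456ABCD132536               # plaintext block from the DES example slide
    c = encrypt(m, SUBKEYS)
    print(f"{c:016X}", decrypt(c, SUBKEYS) == m, swap_property(m, SUBKEYS))
```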


DATA ENCRYPTION STANDARD (DES)

• Before the Advanced Encryption Standard (AES), the Data Encryption Standard (DES) was the most widely used encryption scheme.
• DES was issued in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST), as Federal Information Processing Standard 46 (FIPS PUB 46).
• Encrypts 64-bit data using a 56-bit key (actually, the function expects a 64-bit key as input; however, only 56 of these bits are ever used, and the other 8 bits can be used as parity bits).
• In 1999, NIST issued a new version of its standard (FIPS PUB 46-3) that is called triple DES.
• Triple DES: it involves repeating the DES algorithm three times on the plaintext using two or three different keys to produce the ciphertext.


DES HISTORY

• IBM developed the Lucifer cipher, based on the Feistel block cipher, by a team led by Feistel in the early 70's
• used 64-bit data blocks with a 128-bit key
• Then redeveloped as a commercial cipher with input from NSA and others
• In 1973 NBS issued a request for proposals for a national cipher standard
• IBM submitted their revised Lucifer, which was eventually accepted as the DES


DES OVERVIEW


DES ENCRYPTION DETAIL OVERVIEW

DES encryption takes as input 64 bits of data and 64 bits of key.

The left side of the previous figure shows encryption of the 64-bit data block, which consists of:
• an initial permutation (IP) which shuffles the 64-bit input block
• 16 rounds of a complex key-dependent round function involving substitutions & permutations
• a final permutation, being the inverse of IP

The right side shows the handling of the 56-bit key and consists of:
• an initial permutation of the key which selects 56 bits out of the 64-bit input, in two 28-bit halves
• 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves


INITIAL PERMUTATION IP


INITIAL AND FINAL PERMUTATION

Example: Find the output of the initial permutation box when the input is given in hexadecimal as: 0x0002 0000 0000 0001


DES ROUND STRUCTURE


DES FUNCTION

• The heart of DES is the DES function.
• The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.
• The function is made up of four sections:
  • an expansion D-box,
  • a whitener (that adds the key),
  • a group of S-boxes, and
  • a straight D-box


EXPANSION D-BOX

After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Both the right section and the key are 48 bits in length.

Whitener (XOR)


S-BOXES

• DES has eight S-boxes which map 6 bits to 4 bits.
• The substitution in each box follows a pre-determined rule based on a 4-row by 16-column table.
• Because each S-box has its own table, we need eight tables.


S-BOXES


S-BOX EXAMPLE

Example: The input to S-box 1 is 100011. What is the output?


FINAL PERMUTATION

The last operation in the DES function is a permutation with a 32-bit input and a 32-bit output. The input/output relationship for this operation is shown in the table.


DES KEY SCHEDULE

• It forms the subkeys used in each round
• initial permutation of the key which selects 56 bits in two 28-bit halves
• 16 stages consisting of:
  • rotating each half separately either 1 or 2 places depending on the round
  • changing the 56 bits to 48 bits, which are used as the key for a round.


DES KEY SCHEDULE


PARITY DROP AND SHIFT

The preprocess before key expansion is a compression transposition step that we call parity bit drop.

It drops the parity bits (bits 8, 16, 24, 32, …, 64) from the 64-bit key and permutes the rest of the bits according to the table.

After the straight permutation, the key is divided into two 28-bit parts. Each part is shifted left (circular shift) one or two bits.


COMPRESSION D-BOX

The compression D-box changes the 56 bits to 48 bits, which are used as a key for a round.


DES EXAMPLE

Determine what the ciphertext block would be (all in hexadecimal):
Plaintext: 123456ABCD132536
Key: AABB09182736CCDD
Ciphertext: C0B7A8D05F3A829C


AVALANCHE EFFECT

• Key desirable property of an encryption algorithm
• A change of one input or key bit results in changing approximately half of the output bits
• DES exhibits strong avalanche.
• Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits.
• This means that changing approximately 1.5 percent of the plaintext creates a change of approximately 45 percent in the ciphertext.


WEAKNESS OF DES

Weakness in the Cipher Key

• Critics believe that the most serious weakness of DES is in its key size (56 bits).
• To do a brute-force attack on a given ciphertext block, the adversary needs to check 2^56 keys.
• With available technology, it is possible to check one million keys per second. This means that we need more than two thousand years to do brute-force attacks on DES using only a computer with one processor.
• If we can make a computer with one million chips (parallel processing), then we can test the whole key domain in approximately 20 hours.
• When DES was introduced, the cost of such a computer was over several million dollars, but the cost has dropped rapidly.
• A special computer was built in 1998 that found the key in 112 hours.


MULTIPLE DES—CONVENTIONAL ENCRYPTION ALGORITHMS

2-DES

The output of 2-DES is c = E_K2(E_K1(m)). To decrypt, similarly, m = D_K1(D_K2(c)).

3-DES

There are in general two flavors of 3-DES.

The first implementation uses three keys, namely K1, K2, K3. The ciphertext of m is thus obtained by C = DES_K1[DES_K2(DES_K3(m))].

The second way to implement 3-DES uses two keys, thus C = DES_K1[DES^-1_K2(DES_K1(m))].

Thus if the keys K1 and K2 are the same, then we obtain a single DES.