Secret Key Algorithms (DES)

Transcription

1 Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34

2 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption. therefore the key must be known only by the two communicating parties and kept secret to everybody else Foundations of Cryptography - Secret Key pp. 2 / 34

3 Block and Stream Cipher there are two main families of symmetric key algorithms: block ciphers input is a string of bits, generally 64 bits string is input in parallel stream ciphers input is a single bit / byte or a 32 bit word bits are input serially today block ciphers are more common Foundations of Cryptography - Secret Key pp. 3 / 34

4 Structure of a Block Cipher block cipher is divided into two distinct parts: key schedule data path secret key KEY SCHEDULE plaintext DATA PATH ciphertext Foundations of Cryptography - Secret Key pp. 4 / 34

5 Data Path in order to have a regular structure the data path consists of a function called round, which is repeated for a fixed number of times having two or more rounds is a necessity, since no sufficiently simple function has ever been found so far that exhibits the required confusion / diffusion property in a single round Foundations of Cryptography - Secret Key pp. 5 / 34

6 Key Schedule the key schedule algorithm processes the secret key and derives from it a number of so-called round keys each round key is used in one round the rationale behind the idea of using round keys, is that of stressing the dependence of each bit of the cipher text from every bit of the secret key Foundations of Cryptography - Secret Key pp. 6 / 34

7 Block Cipher Structure PLAINTEXT SECRET KEY ROUND 0 ROUND KEY 0 ROUND 1 ROUND KEY 1 KEY SCHEDULE ROUND 9 ROUND KEY 9 ROUND 10 ROUND KEY 10 ENCRYPTED DATA Foundations of Cryptography - Secret Key pp. 7 / 34

8 Example the most popular block cipher is the Data Encryption Standard (DES) it was designed in the 70 s by IBM and revised by NSA (US National Security Agency) the design of DES was directly commissioned by the US government Foundations of Cryptography - Secret Key pp. 8 / 34

9 DES Structure DES is divided in two parts: key schedule data path block size is 64 bits secret key size is formally 64 bits actually only 56 bits are used a real key the round function is inspired by the so-called Feistel function Foundations of Cryptography - Secret Key pp. 9 / 34

10 Feistel Round Function depending on the properties of the function, the round is iterated a certain number of times function f does not need to be invertible! this can be proved by deriving the equations of L i and R i as functions of L i+1 and R i+1 L i + f R i ROUND KEY L i+1 R i+1 Foundations of Cryptography - Secret Key pp. 10 / 34

11 DES Structure the DES round is iterated 16 times an initial permutation is applied before the first round is just a bit rearrangement is unuseful for security but helps HW design before outputting ciphertext, the inverse of the initial permutation is applied Foundations of Cryptography - Secret Key pp. 11 / 34

12 DES Round 32 four transformations compose the f function of DES: expansion (EBOX) key addition substitution box (SBOX) permutation S 1 S 2 S 3 EXPANSION S 4 S 5 32 PERMUTATION S 6 ROUND KEY S 7 S 8 Foundations of Cryptography - Secret Key pp. 12 / 34

13 DES Expansion the right word R i of the input text is expanded from 32 bits to 48 bits EBOX simply duplicates some bits, those in positions 1, 4, 5, 9, 10, 14, 15, Foundations of Cryptography - Secret Key pp. 13 / 34

14 DES SBOX SBOX design criteria are undisclosed the only way for representing a SBOX is through the use of a look-up table the 8 SBOXes of DES are all different from one another and named S1 S8 all the SBOXes take a 6 bit input and return a 4 bit output Foundations of Cryptography - Secret Key pp. 14 / 34

15 DES Permutation the 32 bits output of the array of 8 SBOXes are permuted all the bits are used once no bit is discharged it is a simple rearrangement of the bits Foundations of Cryptography - Secret Key pp. 15 / 34

16 SECRET KEY DES Key Schedule 64 PC C 0 D 0 DES key schedule is very simple has the property of giving back the original secret key as final output SUB KEY LS 1 LS 1 C 1 D PC - 2 LS 2 LS LS 16 LS 16 SUB KEY PC - 2 C 16 D Foundations of Cryptography - Secret Key pp. 16 / 34

17 DES Key Schedule secret key has nominally 64 bits, but the 8 th bit of every byte is used as parity bit PC-1 function extracts 56 bits by discarding the parity bit of every byte of the secret key PC-2 function extracts a fixed set of bits in order to obtain a round key of 48 bits the secret key is shifted by one bit position for rounds 1, 2, 9 and 16, and by two bit positions in the remaining rounds Foundations of Cryptography - Secret Key pp. 17 / 34

18 DES Decryption DES decryption is essentially the same function as encryption in order to decrypt a DES ciphertext, it suffices to apply the 16 encryption round functions and simply feed the round keys in reverse order this property is a consequence of the structure of Feistel networks Foundations of Cryptography - Secret Key pp. 18 / 34

19 Weak keys The secret key should be randomly chosen, but there are some particular values that should not be used 4 Weak keys: all 0, all 1, half 0 half 1 E k (E k (x))=x 12 Semi weak keys: In the form 7 zeros, 7 ones combinations E k2 (E k1 (x))=x

20 Other Facts Fixed Points There are 2^32 P such that E k (P)=P, with k a weak key Complementation property E k (P)= C => E k (P )= C where A = not(a)

21 How to Test Security is a block cipher secure? consider key space and block size, is brute force attack feasible? consider mathematical attacks consider implementation attacks these are the minimal tests that a block cipher should pass, to be accepted as practically secure Foundations of Cryptography - Secret Key pp. 21 / 34

22 How to Break DES due to the computational power of supercomputers available today, or of specialised parallel hardware, DES is unsecure brute force attack: give a ciphertext and a plaintext how much does it take to try all the keys? 2 56 encryptions! Foundations of Cryptography - Secret Key pp. 22 / 34

23 Brute Force Attack Estimation how many days does it take to compute 2 56 encryptions? if 1 encryption per millisecond days per microsecond days per nanosecond 833 days If 100 devices in parallel 8 days solutions? 3DES or change the algorithm Foundations of Cryptography - Secret Key pp. 23 / 34

24 Trade of Time and Memory Space one could think of tabulating all the possible encryption operations select a plaintext P and encrypt it with all the possible keys: 64 bits 2 56 memory space = 4,611,686,018,427,387,904 bits = 524,288 TBytes force plaintext P, get ciphertext and find the corresponding key in the data base Foundations of Cryptography - Secret Key pp. 24 / 34

25 Triple DES (3DES) triple DES is the application of DES three times, with 3 different secret keys the most used version is EDE: first Encryption second Decryption finally Encryption again EEE is the another possibility Foundations of Cryptography - Secret Key pp. 25 / 34

26 Triple DES (3DES) 3DES is interesting since no changes to the basic algorithm are required, just a reuse of the available HW / SW sometimes 3DES is used with only two keys (called two key 3DES): C = E k1 ( D k2 ( E k1 ( P ) ) ) Foundations of Cryptography - Secret Key pp. 26 / 34

27 Security consider 2DES (version EE), which is the application of DES two times with two different keys a simple brute force attack to 2DES costs = DES encryptions similarly, a brute force attack to 3DES with two keys costs DES encryptions but there is another attack, called meet-inthe-middle, that can trade time with memory Foundations of Cryptography - Secret Key pp. 27 / 34

28 Attack Meet-in-the-Middle (2DES) give a pair plaintext-ciphertext (P, C) for every key k i compute A i = Enc ki (P) and store A i cost is 2 56 encryptions and 2 56 memory cells for every key k j compute B j = Dec kj (C) and for every i check all the equality A i = B j if equality A i = B j holds store the key pair (ki, kj) cost is 2 56 decryptions, no need of storing there is now a set of candidate key pairs (ki, kj) with a second plain-ciphertext pair (P,C ), check which key pair (ki, kj) is the right one total cost is 2 56 encryptions, 2 56 decryptions (thus 2 57 operations), and 2 56 memory cells Foundations of Cryptography - Secret Key pp. 28 / 34

29 Impact on 2DES and 3DES with meet-in-the-middle, attacking 2DES costs = 2 57 DES encryptions, plus 2 56 memory cells similarly, with meet-in-the-middle the cost of breaking 3DES (with two keys) is about of operations (encryptions and decryptions) and 2 56 memory cells therefore the idea of chaining two or more encryptions with different keys is not so good as it may seem at a first glance Foundations of Cryptography - Secret Key pp. 29 / 34

30 Hardware Speed-Up if the throughput is not satisfactory, it is possible to pipeline the round, in order to increase the clock frequency generally the round is divided into two or three stages Foundations of Cryptography - Secret Key pp. 30 / 34

31 Hardware Speed-Up if time latency is the constraint, instead of throughput, it is possible to execute two rounds per clock cycle but only if the critical path allows it Foundations of Cryptography - Secret Key pp. 31 / 34

32 Software Implementation DES is not software-friendly, as there are many bit-oriented operations all the substitutions of DES are stored in precomputed tables key schedule is generally computed in advance and the round keys are stored in a table Foundations of Cryptography - Secret Key pp. 32 / 34

33 Theoretical Attack to test the robustness of a block cipher there are some well known attacks that ought to be tested: linear cryptanalysis differential cryptanalysis Foundations of Cryptography - Secret Key pp. 33 / 34

34 Linear Cryptanalysis every block cipher should exhibit a strongly non-linear behaviour if not so, linear cryptanalysis may succeed in finding an approximated linear relation between plaintext, corresponding ciphertext and the bits of the secret key Foundations of Cryptography - Secret Key pp. 34 / 34

35 Differential Cryptanalysis select a set of pairs of plaintexts, where the elements of the pair have a fixed difference the difference propagates in the DES in a peculiar manner build a set of probabilities of the differences of the cipher text pairs collect a certain number of plaintext / ciphertext pairs, statistics will validate guesses of the right bits of the key Foundations of Cryptography - Secret Key pp. 35 / 34