Data Encryption Standard

Similar documents
Data Encryption Standard

ECE Lecture 7. Towards modern ciphers. Data Encryption Standard and its extensions. Levels of Security

Week 4. : Block Ciphers and DES

ECE 646 Lecture 7. Secret-Key Ciphers. Data Encryption Standard DES

Symmetric Cryptography. Chapter 6

Stream Ciphers and Block Ciphers

Comparison of the Hardware Performance of the AES Candidates Using Reconfigurable Hardware

ECE 646 Lecture 7. Data Encryption Standard DES. Secret-Key Ciphers. Secret agreement between IBM & NSA, 1974

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Chapter 3 Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Encryption DES. Dr.Talal Alkharobi. The Data Encryption Standard (DES)

Lecture 4: Symmetric Key Encryption

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

Computer and Data Security. Lecture 3 Block cipher and DES

Stream Ciphers and Block Ciphers

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Lecture 3: Symmetric Key Encryption

Symmetric Encryption Algorithms

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Lecture 2: Secret Key Cryptography

Fundamentals of Cryptography

Jaap van Ginkel Security of Systems and Networks

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Fast implementations of secret-key block ciphers using mixed inner- and outer-round pipelining

Secret Key Cryptography

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Cryptography and Network Security

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Symmetric Cryptography. CS4264 Fall 2016

CENG 520 Lecture Note III

3 Symmetric Cryptography

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Computer Security 3/23/18

Cryptography MIS

Week 5: Advanced Encryption Standard. Click

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

Computational Security, Stream and Block Cipher Functions

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

COPACOBANA: RECONFIGURABLE COMPUTING IN CRYPTANALYSIS. Ben Johnstone

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Study and Analysis of Symmetric Key-Cryptograph DES, Data Encryption Standard

Secret Key Algorithms (DES)

Fast implementation and fair comparison of the final candidates for Advanced Encryption Standard using Field Programmable Gate Arrays

A Related Key Attack on the Feistel Type Block Ciphers

Lecture 5. Encryption Continued... Why not 2-DES?

Lecture 4. Encryption Continued... Data Encryption Standard (DES)

CSC 474/574 Information Systems Security

Introduction to Modern Symmetric-Key Ciphers

Secret Key Cryptography (Spring 2004)

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Network Security Essentials Chapter 2

Cryptographic Algorithms - AES

CPSC 467b: Cryptography and Computer Security

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

CPSC 467b: Cryptography and Computer Security

Computer Security: Principles and Practice

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

EEC-484/584 Computer Networks

ELECTRONICS DEPARTMENT

IDEA, RC5. Modes of operation of block ciphers

Network Security Essentials

Hardware Architectures

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

A Brief Outlook at Block Ciphers

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

The Rectangle Attack

Block Encryption and DES

Block Ciphers. Secure Software Systems

Data Encryption Standard (DES)

Secret Key Cryptography Overview

Symmetric Encryption. Thierry Sans

APNIC elearning: Cryptography Basics

Modern Block Ciphers

Cryptography. Submitted to:- Ms Poonam Sharma Faculty, ABS,Manesar. Submitted by:- Hardeep Gaurav Jain

Winter 2011 Josh Benaloh Brian LaMacchia

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

CSE 127: Computer Security Cryptography. Kirill Levchenko

On the Design of Secure Block Ciphers

Making and Breaking Ciphers

CSCE 813 Internet Security Symmetric Cryptography

Differential Cryptanalysis

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

CPSC 467: Cryptography and Computer Security

Cryptography and Network Security

Private-Key Encryption

AIT 682: Network and Systems Security

Encryption Details COMP620

Lecture 1 Applied Cryptography (Part 1)

PGP: An Algorithmic Overview

Symmetric Key Cryptography

CIT 380: Securing Computer Systems. Symmetric Cryptography

Transcription:

ECE 646 Lecture 6 Data Encryption Standard Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple Encryption and Triple DES II. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, Chapter 7.4: DES

NBS public request for a standard cryptographic algorithm May 15, 1973, August 27, 1974 The algorithm must be: secure public - completely specified - easy to understand - available to all users economic and efficient in hardware able to be validated exportable IBM s early work, 1971-1974 Selected members of the team: Horst Feistel, Karl Meyer, Don Coppersmith - cryptographers Alan Konheim head of the Information Theory group at Watson Research Labs in Yorktown Heights, NY Walter Tuchman head of the product group at IBM Kingston, NY Developed algorithms: subsequent versions of the algorithm known initially as Demon, then Lucifer, and finally given an official name DSD-1 most of the versions used a 128-bit key

DES - chronicle of events 1973 - NBS issues a public request for proposals for a standard cryptographic algorithm 1975 - first publication of the IBM s algorithm and request for comments 1976 - NBS organizes two workshops to evaluate the algorithm 1977 - official publication as FIPS PUB 46: Data Encryption Standard 1983, 1987, 1993 - recertification of the algorithm for another five years 1993 - software implementations allowed to be validated Controversies surrounding DES Unknown design criteria Most criteria reconstructed from cipher analysis 1990 Reinvention of differential cryptanalysis Slow in software Only hardware implementations certified 1993 Software, firmware and hardware treated equally Too short key Theoretical designs of DES breaking machines 1998 Practical DES cracker built

Secret agreement between IBM & NSA, 1974 Obligations of IBM: Algorithm developed in secret by IBM NSA reserved a right to monitor the development and propose changes No software implementations, just hardware chips IBM not allowed to ship implementations to certain countries License required to ship to carefully selected customers in approved countries Obligations of NSA: seal of approval Life of DES 1970 1980 1990 2000 Time DES developed by IBM and NSA In common use for over 20 years transision to a new standard Federal and banking standard Over 300 validated implementations Former de facto world-wide standard

Most popular secret-key ciphers American standards 1980 1990 2000 2010 2020 2030 1977 1999 DES 56 bit key AES 2002 contest Triple DES 112, 168 bit 168 bit only AES - Rijndael 128, 192, and 256 bit keys Other popular algorithms IDEA RC5 Blowfish CAST Serpent Twofish RC6 Mars DES - external look plaintext block 64 bits DES ciphertext block key 56 bits 64 bits

DES high-level internal structure L 0 R 0 f IP K 1 DES Main Loop Feistel Structure L 1 R 1 f L 2 R 2...... L 15 R 15 f K 2 K 16 L n+1 =R n R n+1 =L n f(r n, K n+1 ) R 16 L 16 IP -1

Feistel Structure Encryption Decryption L n R n L n R n f K n+1 f K n+1 L n+1 R n+1 L n+1 R n+1 L n+1, R n+1?? f K n+1 L n, R n?? IP -1 Decryption IP L 0 R 0 R 16 L 16 f K 1 f K 16 L 1 R 1 R 15 L 15 f K 2 f K 15 L 2 R 2...... R 14 L 14...... L 15 R 15 R 1 L 1 f K 16 f K 1 R 16 L 16 L 0 R 0 IP IP -1

Classical Feistel Network plaintext = L 0 R 0 for i=1 to n { L i =R i-1 R i =L i-1 f(r i-1, K i ) } L n+1 = R n R n+1 = L n ciphertext = L n+1 R n+1 Mangler Function of DES, F

Notation for Permutations Input i 1 i 2 i 3 i 4 i 5 i 6 i 7 i 8 i 9 i 10 i 56 i 57 i 58 i 59 i 60 i 61 i 62 i 63 i 64 58 50 42 34 26 18 10 2 5 63 55 47 39 31 23 15 7 i 58 i 50 i 42 i 34 i 26 i 18 i 10 i 2 i 5 i 63 i 55 i 47 i 39 i 31 i 23 i 15 i 7 Output

Notation for S-boxes Input i 1 i 2 i 3 i 4 i 5 i 6 i 1 i 6 determines a row number in the S-box table, 0..3 i 2 i 3 i 4 i 5 determine a column in the S-box table, 0..15 o 1 o 2 o 3 o 4 is a binary representation of a number from 0..15 in the given row and the given column o 1 o 2 o 3 o 4 Output

1. Randomness General design criteria of DES 2. Avalanche property changing a single bit at the input changes on average half of the bits at the output 3. Completeness property every output bit is a complex function of all input bits (and not just a subset of input bits) 4. Nonlinearity encryption function is non-affine for any value of the key 5. Correlation immunity output bits are statistically independent of any subset of input bits Completeness property Every output bit is a complex function of all input bits (and not just a subset of input bits) Formal requirement: For all values of i and j, i=1..64, j=1..64 there exist inputs X 1 and X 2, such that X 1 x 1 x 2 x 3... x i-1 0 x i+1... x 63 x 64 X 2 x 1 x 2 x 3... x i-1 1 x i+1... x 63 x 64 Y 1 = DES(X 1 ) y 1 y 2 y 3... y j-1 y j y j+1... y 63 y 64 Y 2 = DES(X 2 ) y 1 y 2 y 3... y j-1 y j y j+1... y 63 y 64

Linear Transformations Transformations that fulfill the condition: T(X [m x 1] ) = Y [n x 1] = A [n x m] X [m x 1] or T(X 1 X 2 ) = T(X 1 ) T(X 2 ) Affine Transformations Transformations that fulfill the condition: T(X [m x 1] ) = Y [n x 1] = A [n x m] X [m x 1] B [n x 1] Linear Transformations of DES IP, IP -1, E, PC1, PC2, SHIFT e.g., IP(X 1 X 2 ) = IP(X 1 ) IP( X 2 ) Non-Linear and non-affine transformations of DES There are no such matrices A [4x6] and B [4x1] that S S(X [6x1] ) = A [4x6] X [6x1] B [4x1]

Design of S-boxes S[0..15] S in out = S[in] 16! 2 10 13 possibilities precisely defined initially unpublished criteria resistant against differential cryptanalysis (attack known to the designers and rediscovered in the open research in 1990 by E. Biham and A. Shamir) Typical Flow Diagram of a Secret-Key Block Cipher Round Key[0] Initial transformation i:=1 Round Key[i] Cipher Round i<#rounds? i:=i+1 #rounds times Round Key[#rounds+1] Final transformation

Implementation of a secret-key cipher in hardware Round keys computed on-the-fly input key encryption/decryption key scheduling round keys output Implementation of a secret-key cipher Round keys precomputed input key key scheduling encryption/decryption memory of round keys output

Basic iterative architecture of secret key ciphers input key Key scheduling round keys multiplexer register combinational logic output one round Theoretical design of the specialized machine to break DES Project: Michael Wiener, Entrust Technologies, 1993, 1997 Method: exhaustive key search attack Basic component: specialized integrated circuit in CMOS technology, 75 MHz Checks: 200 mln keys per second Costs: $10 Total cost $ 1 mln $ 100.000 Estimated time 35 minutes 6 hours

DES breaking machine known ciphertext key counter Round key Encryption Round 1 key 1 Key Scheduling Round 1 Encryption Round 2.... Round key 2 Key Scheduling Round 2.... plaintext Encryption Round 16 comparator Round key 16 known plaintext Key Scheduling Round 16 Deep Crack Electronic Frontier Foundation, 1998 Total cost: $220,000 Average time of search: 4.5 days/key 1800 ASIC chips, 40 MHz clock

Deep Crack Parameters Number of ASIC chips 1800 Clock frequency 40 MHz Number of clock cycles per key 16 Number of search units per ASIC 24 Search speed Average time to recover the key 90 bln keys/s 4.5 days COPACOBANA Cost-Optimized Parallel COde Breaker Ruhr University, Bochum, University of Kiel, Germany, 2006 Cost: 8980 (ver. 1)

COPACOBANA Based on Xilinx FPGAs (Field Programmable Gate Arrays) ver. 1 based on 120 Spartan 3 FPGAs ver. 2 based on 128 Virtex 4 SX 35 FPGAs Description, FAQ, and news available at http://www.copacobana.org/ For ver. 1 based on Spartan FPGAs Clock frequency = 136 MHz Average search time for a single DES key = 6.4 days Worst case search time for a single DES key = 12.8 days

Secure key length today and in 20 years (against an intelligence agency with the budget of $300M) key length 128 bits IDEA, minimum key length in AES 120 bits DESX 112 bits Triple DES with three different keys 100 bits Secure key length in 2031 86 bits 80 bits Skipjack Secure key length in 2010 56 bits DES

Secure key length - discussion increasing key length in a newly developed cipher costs NOTHING increasing effective key length, assuming the use of an existing cipher has a limited influence on the efficiency of implementation (DESX, Triple DES) It is economical to use THE SAME secure key length FOR ALL aplications The primary barriers blocking the use of symmetric ciphers with a secure key length have been of the political nature (e.g., export policy of USA) Other attacks differential cryptanalysis Biham, Shamir 1991 linear cryptanalysis Matsui, 1993

Differential cryptanalysis M 1 M 1 * M 2 M 2 *... M N-1 M N-1 * M N M N * M i M i * = const Encryption module key C 1 C 1 * C 2 C 2 *... C N-1 C N-1 * C N C N * access to the encryption module with the key inside analysis of trilions of pairs plaintext-ciphertext Differential cryptanalysis of DES Requirements: Biham, Shamir 1991 access to the encryption module with the key inside time for encryption of 2 47 = 1.4 10 14 plaintext blocks = 1 million gigabytes of plaintext Conclusions: attack impossible to mount DES specially designed (IBM, NSA) to be resistant against differential cryptanalysis

Requirements: Linear cryptanalysis of DES Matsui 1993 2 43 = 8.8 10 12 known plaintext blocks = 70.3 terabytes of known plaintext 2 43 operations probability of success 85% Conclusions: attack impossible to mount in practice What if creators of DES did not know about differential cryptanalysis... Required number of plaintext blocks Original DES 2 47 = 1 mln GB Modifications: Identity permutation in place of P 2 19 = 4 MB Order of S-boxes 2 38 = 2,000 GB XOR replaced by addition 2 31 = 2 GB S-boxes random 2 21 = 16 MB one position changed 2 33 = 8 GB Expansion function E eliminated 2 26 = 64 MB

Differential and linear cryptanalysis - discussion Attacks infeasible for correctly designed ciphers Perfect tool for comparing strengths of various ciphers Resistance against these attacks does not imply resistance against other unknown methods of attack Triple DES EDE mode with two keys encryption plaintext decryption ciphertext Diffie, Hellman, 1977 E encryption 56 K1 D decryption 56 K1 D decryption 56 K2 E encryption 56 K2 E encryption 56 K1 D decryption 56 K1 ciphertext plaintext

Triple DES EDE mode with three keys encryption plaintext decryption ciphertext Diffie, Hellman, 1977 E encryption 56 K1 D decryption 56 K1 D decryption 56 K2 E encryption 56 K2 E encryption 56 K3 D decryption 56 K3 ciphertext plaintext Best Attacks Against Triple DES Version with three keys (168 bits of key) Meet-in-the-middle attack 2 32 known plaintexts 2 113 steps 2 90 single DES encryptions, and 2 88 memory Effective key size = 2 112 Version with two keys (112 bits of key) Effective key size = 2 80

Advantages: Triple DES secure key length (112 or 168 bits) increased compared to DES resistance to linear and differential cryptanalysis possibility of utilizing existing implementations of DES Disadvantages: relatively slow, especially in software DESX Rivest, 1988 plaintext 64 DES 56 K a K KEY = (K, K a ) 120 bits 64 K b = hash function(k, K a ) K b ciphertext

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback