Slide1
Symmetric Encryption Example: DES
Weichao Wang
Slide2
Overview of the DES
A block cipher:
encrypts blocks of 64 bits using a 64 bit key
outputs 64 bits of ciphertext
A product cipher
basic unit is the bit
performs both substitution and transposition (permutation) on the bits
Cipher consists of 16 rounds (iterations), each with a 48-bit round key generated from the 64-bit key
Slide3
Generation of Round Keys
Round keys are 48 bits each
Slide4
Encipherment
Slide5
The f Function
Slide6
S-Box
There are eight S-boxes; each maps a 6-bit input to a 4-bit output
Each S-box is a look-up table
This is the only non-linear step in DES and contributes the most to its security
P-Box
A permutation
Slide7
Controversy
Considered too weak
Diffie, Hellman said “in a few years technology would allow DES to be broken in days”
DES Challenge organized by RSA
In 1997, solved in 96 days; 41 days in early 1998; 56 hours in late 1998; 22 hours in Jan 1999
http://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19990119_deschallenge3.html
Design decisions not public
S-boxes may have backdoors
Slide8
Undesirable Properties
4 weak keys
They are their own inverses
12 semi-weak keys
Each has another semi-weak key as inverse
Complementation property
$\mathrm{DES}_k(m) = c \Rightarrow \mathrm{DES}_{\bar{k}}(\bar{m}) = \bar{c}$
S-boxes exhibit irregular properties
Distribution of odd, even numbers non-random
Outputs of the fourth box depend on the input to the third box
Slide9
Number of rounds
After 5 rounds, every cipher bit is impacted by every plaintext bit and key bit
After 8 rounds, cipher text is already a random function
When the number of rounds is 16 or more, brute force will be the most efficient known-plaintext attack
So the NSA knew a lot when it fixed the DES
Slide10
Differential Cryptanalysis
A chosen ciphertext attack
Requires $2^{47}$ (plaintext, ciphertext) pairs
Revealed several properties
Small changes in S-boxes reduce the number of (plaintext, ciphertext) pairs needed
Making every bit of the round keys independent does not impede attack
Linear cryptanalysis improves result
Requires $2^{43}$ (plaintext, ciphertext) pairs
Slide11
DES Modes
Electronic Code Book Mode (ECB)
Encipher each block independently
Cipher Block Chaining Mode (CBC)
Xor each plaintext block with previous ciphertext block
Requires an initialization vector for the first one
The initialization vector can be made public
Encrypt-Decrypt-Encrypt Mode (2 keys: $k$, $k'$)
Encrypt-Encrypt-Encrypt Mode (3 keys: $k$, $k'$, $k''$)
Slide12
CBC Mode Encryption
[Diagram: init. vector; $m_1$, DES, $c_1$ (sent); $m_2$, DES, $c_2$ (sent); …]
Slide13
CBC Mode Decryption
[Diagram: init. vector; $c_1$, DES, $m_1$; $c_2$, DES, $m_2$; …]
Slide14
Self-Healing Property
What will happen if a bit gets lost during transmission?
All blocks will be misaligned
When one bit in a block is flipped, only the next two blocks will be impacted.
Plaintext “heals” after 2 blocks
Slide15
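The CBC chaining and self-healing behaviour from the preceding slides, as an added example that is not part of the original slides: it encrypts and decrypts in CBC mode, flips one ciphertext bit, and lists the plaintext blocks that come out damaged. Python's standard library has no DES, so `toy_cipher` is a hypothetical 64-bit Feistel stand-in (not DES); all function names, the key, the IV and the message are constructed for illustration.

```python
import hashlib

BLOCK = 8  # DES block size: 64 bits

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, rnd):
    # Round function of the stand-in cipher; this is NOT the DES f function.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_cipher(block, key, decrypt=False, rounds=16):
    # 16-round Feistel network on one 64-bit block, standing in for DES;
    # decryption is the same network with the round order reversed.
    order = reversed(range(rounds)) if decrypt else range(rounds)
    l, r = block[:4], block[4:]
    for i in order:
        l, r = r, _xor(l, _f(r, key, i))
    return r + l

def cbc_encrypt(msg, key, iv):
    if len(msg) % BLOCK or len(iv) != BLOCK:
        raise ValueError("message must be whole blocks and IV one block")
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = toy_cipher(_xor(msg[i:i + BLOCK], prev), key)  # c_i = E(m_i xor c_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(toy_cipher(c, key, decrypt=True), prev))  # m_i = D(c_i) xor c_{i-1}
        prev = c
    return b"".join(out)

def damaged_blocks(msg, key, iv, block_index, bit=0):
    # Flip one ciphertext bit "in transit" and list the plaintext blocks that change.
    ct = bytearray(cbc_encrypt(msg, key, iv))
    ct[block_index * BLOCK] ^= 1 << bit
    got = cbc_decrypt(bytes(ct), key, iv)
    return [i // BLOCK for i in range(0, len(msg), BLOCK)
            if got[i:i + BLOCK] != msg[i:i + BLOCK]]

if __name__ == "__main__":
    msg = b"BLOCK-01BLOCK-02BLOCK-03BLOCK-04BLOCK-05"  # constructed sample, 5 blocks
    key, iv = b"demo-key", bytes(range(8))            # constructed values
    print(damaged_blocks(msg, key, iv, block_index=1))
```

A flipped bit in ciphertext block 1 damages plaintext blocks 1 and 2 only; block 1 is garbled entirely, block 2 differs in the single flipped bit position, and every later block decrypts correctly.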
Current Status of DES
A design for a computer system and associated software that could break any DES-enciphered message in a few days was published in 1998
Several challenges to break DES messages solved using distributed computing
NIST selected Rijndael as Advanced Encryption Standard, successor to DES
Designed to withstand attacks that were successful on DES
128 bit block size; 128, 192, or 256 bit key
Encryption speed can be 700MB/sec on an i7 CPU