Announcements:Announcements: Homework 3 due nowHomework 3 due now Homework 4 postedHomework 4 posted

Today:Today: Attacks on DESAttacks on DES

Questions?Questions?

DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 14Day 14

DES can be broken by has been showing signs of DES can be broken by has been showing signs of weakness from the beginningweakness from the beginning

1975

1977

1987

1992

1993 20112000

Only 2Only 25656 = 72,057,594,037,927,936 keys, = 72,057,594,037,927,936 keys, so it was brute forced using parallelismso it was brute forced using parallelism

1997: 1997: DES Challenge issued. $10K prizeDES Challenge issued. $10K prize

Found after searching ___% of keyspaceFound after searching ___% of keyspace

1998: 1998: DES Challenge IIDES Challenge II Down to 39 days, 85% of keyspace!Down to 39 days, 85% of keyspace!

Also in 1998…Also in 1998…

DES Cracker used a mixture of software and DES Cracker used a mixture of software and specialized hardwarespecialized hardware

Budget of only $200,000 1998 dollars Budget of only $200,000 1998 dollars vs $20,000,000 1977 dollarsvs $20,000,000 1977 dollars

Result? Result?

Post-DES Post-DES

Brute force attacks that take O(N) DES Brute force attacks that take O(N) DES computations are now reasonable.computations are now reasonable.

Can we just double encrypt to get O(NCan we just double encrypt to get O(N22) ) computations? computations? Use k1, k2Use k1, k2 C = EC = Ek2k2(E(Ek1k1(P)), so P = D(P)), so P = Dk1k1(D(Dk2k2(C)) ? (C)) ?

Meet-in-the-middle attackMeet-in-the-middle attack

Assume k completely determines EAssume k completely determines Ekk and D and Dkk

Know P and C = EKnow P and C = Ek2k2(E(Ek1k1(P))(P))

P

Ek1(P)

(for all k1) C

Dk2(C)

(for all k2)

Time complexity? O( n ) DES computations, O( n2 ) comparisons O(n ) memory

Triple-DES?Triple-DES?TypeType DES DES

computationscomputations

ComparisonsComparisons MemoryMemory Brute Brute force force DESDES

DoubleDouble

C=EC=Ek2k2(E(Ek1k1(P))(P))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))

Triple1Triple1

C=EC=Ek3k3(E(Ek2k2(E(Ek1k1(P)))(P)))

Triple2Triple2

C=EC=Ek1k1(E(Ek2k2(E(Ek1k1(P)))(P)))

Triple3Triple3

C=EC=Ek2k2(E(Ek1k1(E(Ek1k1(P)))(P)))

Describe attacks on triple 1-3, fill out chart, and order by level of security

Triple-DES?Triple-DES?TypeType DES DES

computationscomputations

ComparisonsComparisons MemoryMemory Brute Brute force force DESDES

(3) Double(3) Double

C=EC=Ek2k2(E(Ek1k1(P))(P))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))

(1) (1) Triple1Triple1

C=EC=Ek3k3(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N33)) O(NO(N22)) O(NO(N33))

(2) (2) Triple2Triple2

C=EC=Ek1k1(E(Ek2k2(E(Ek1k1(P)))(P)))

(3) Triple3(3) Triple3

C=EC=Ek2k2(E(Ek1k1(E(Ek1k1(P)))(P)))

Describe attacks on triple 1-3, fill out chart, and order by level of security

Triple-DES?Triple-DES?TypeType DES DES

computationscomputations

ComparisonsComparisons MemoryMemory Brute Brute force force DESDES

(3) Double(3) Double

C=EC=Ek2k2(E(Ek1k1(P))(P))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))

(1) (1) Triple1Triple1

C=EC=Ek3k3(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N33)) O(NO(N22)) O(NO(N33))

(2) (2) Triple2Triple2

C=EC=Ek1k1(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N33)) O(NO(N22)) O(NO(N22))

(3) Triple3(3) Triple3

C=EC=Ek2k2(E(Ek1k1(E(Ek1k1(P)))(P)))

Describe attacks on triple 1-3, fill out chart, and order by level of security

Triple-DES?Triple-DES?TypeType DES DES

computationscomputations

ComparisonsComparisons MemoryMemory Brute Brute force force DESDES

(3) Double(3) Double

C=EC=Ek2k2(E(Ek1k1(P))(P))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))

(1) (1) Triple1Triple1

C=EC=Ek3k3(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N33)) O(NO(N22)) O(NO(N33))

(2) (2) Triple2Triple2

C=EC=Ek1k1(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N22)) O(NO(N22)) O(NO(N22))

(3) Triple3(3) Triple3

C=EC=Ek2k2(E(Ek1k1(E(Ek1k1(P)))(P)))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))

Describe attacks on triple 1-3, fill out chart, and order by level of security

DES Modes of OperationDES Modes of Operation

Electronic codebook:Electronic codebook: Each block is Each block is encoded independentlyencoded independently

Text ASCII bit vector

Block1 (64 bits)

DES

Encoded1 (64 bits)

Encoded bit vector

Block2 (64 bits)

DES

Encoded2 (64 bits)

…

DES Modes of OperationDES Modes of Operation

Cipher-block chaining:Cipher-block chaining: Each plaintext block is XOR’ed Each plaintext block is XOR’ed with the previous ciphertext before going into DESwith the previous ciphertext before going into DES

Text ASCII bit vector

Block1 (64 bits)

DES

Encoded1 (64 bits)

Encoded bit vector

Block2 (64 bits)

DES

Encoded2 (64 bits)

+ …++C0

(random;sent in clear)

DES Modes of OperationDES Modes of Operation

Others:Others: Cipher feedback: Cipher feedback: similar, but 64-bit blocks overlap, similar, but 64-bit blocks overlap,

giving k bits at a time (like 8 for 1 character at a time)giving k bits at a time (like 8 for 1 character at a time)Uses pseudorandom bits like LFSRUses pseudorandom bits like LFSR

Output feedback: Output feedback: similar but helps catch errors before similar but helps catch errors before propagate. propagate.

CounterCounter: Some output can be computed : Some output can be computed independently, so better for parallelizingindependently, so better for parallelizing

I trust you could implement these if needed. Not I trust you could implement these if needed. Not part of HW4…part of HW4…

HW4: DES ImplementationHW4: DES Implementation

I implemented EDEN in Java fairly quicklyI implemented EDEN in Java fairly quicklyDES is obviously more complicatedDES is obviously more complicatedYou’ll implement encryption and decryption. You’ll implement encryption and decryption. Correctness:Correctness: Can use one to test the other.Can use one to test the other.

Efficiency:Efficiency: In addition, it’d be nice to use a language that’s closer In addition, it’d be nice to use a language that’s closer

to the hardware for efficiency, like C or non-OO Java.to the hardware for efficiency, like C or non-OO Java. Part of your grade will depend on thisPart of your grade will depend on this There will also be a competition to see whose There will also be a competition to see whose

implementation is quickest!implementation is quickest!

Questions so far on DES?Questions so far on DES?