Cryptography - lecture3

8/7/2019 Cryptography - lecture3

1/27

March 23-28, 2006 1

Cryptography and Network Security

Lecture 3: Block ciphers and DES

Ion PetreIon PetreAcademy of Finland andAcademy of Finland andDepartment of IT, bo Akademi UniversityDepartment of IT, bo Akademi University

Spring 2006http://www.abo.fi/~ipetre/crypto/
http://www.abo.fi/~ipetre/crypto/http://www.abo.fi/~ipetre/crypto/


2/27

March 23-28, 2006 2

Data Encryption Standard

We focus now on the most widely used symmetric cipher: DES DES has been replaced by AES as a standard We will use DES to illustrate the principles of modern symmetric ciphers

Adopted in 1977 by the National Bureau of Standards (US), nowadays NIST Originates from an IBM project from late 1960s led by Feistel

Project ended in 1971 with the development of LUCIFER (key 128 bits) LUCIFER was then refined with the help of NSA to produce DES (key 56 bits) Immediate criticism: the reduction in key length was enormous and the internal

details of the design were (and remained) classified information 1994: DES is reaffirmed as a standard for 5 more years 1999: DES should only be used for legacy systems and 3DES should replace it


3/27

March 23-28, 2006 3

Block cipher principles

Stream cipher is one that encrypts a digital data stream one bit (orbyte) at a time Example: autokey Vigenre system

Block cipher is one in which the plaintext is divided in blocks andone block is encrypted at one time producing a ciphertext of equallength Similar to substitution ciphers on very big characters: 64 bits or 128 bits

are typical block lengths Many modern ciphers are block ciphers


4/27

March 23-28, 2006 4

Principle: Substitution-Permutation Ciphers

Claude Shannon (1949) introduced idea of substitution-permutation(S-P) networks These form the basis for modern substitution-transposition product

cipher

S-P networks are based on the two primitive cryptographicoperations we have seen before: substitution(S-box) permutation(P-box)

The goal is to provide confusionand diffusionof message


5/27

March 23-28, 2006 5

Confusion and Diffusion

Cipher need to completely obscure statistical properties of original message A one-time pad does this

More practically Shannon (1949) suggested to combine elements to obtain: Diffusion dissipates statistical structure of plaintext over bulk of ciphertext

Makes the statistical relationship plaintext - ciphertext as complex as possible Achieved by requiring that every digit of the plaintext affects many digits of the

ciphertext (equivalently, every digit of the ciphertext is affected by many digits of the

plaintext) Confusion makes relationship between ciphertext and key as complex as

possible Makes it difficult to discover the key starting from the ciphertext

The principles of confusion and diffusion are the most essential concepts inthe design of modern block ciphers they defend against statistical attacks


6/27

March 23-28, 2006 6

Feistel Cipher Structure

Virtually all modern block encryption algorithms use the Feistelstructure

Horst Feistelwas the leader of the IBM team that worked in late 1960son LUCIFER

He devised the so-called feistel cipher Algorithm structure perform n rounds, each round has the following

structure (for encryption and decryption): Input is of length 2w (bits), key is K Divide the input into two halves L0 and R0 L1= R0, R1=L0 f(R0,K) In the next round use (L1, R1) instead of (L0, R0), etc. Function f is the same in all rounds but uses a different subkey in each

round the subkey of each round is generated from the key


7/27

March 23-28, 2006 7

Feistel Cipher Structure


8/27

March 23-28, 2006 8

Feistel Cipher Design Principles

block size increasing size improves security, but slows cipher

key size increasing size improves security, makes exhaustive key searching harder, but may slowcipher

number of rounds increasing number improves security, but slows cipher

subkey generation greater complexity can make analysis harder, but slows cipher

round function greater complexity can make analysis harder, but slows cipher

fast software en/decryption & ease of analysis are more recent concerns for practical use and testing


9/27

March 23-28, 2006 9

Feistel CipherDecryption:

the same

algorithm (with

keys in reverseorder)


10/27

March 23-28, 2006 10

Feistel decryption

Decryption is the same asencryption and does not requireany property for function f (noteven to be invertible)

LD/RD left/right half in thedecryption algorithm

LE/RE left/right half in theencryption algorithm

denotes XOR: 00=0, 11=0,01= 10=1

Decryption

Input: The ciphertext (LD0, RD0)= (RE16, LE16)

Round i (1 to 16) performs on input (LDi-1, RDi-1)

the operations:

LDi=RDi-1, RDi=LDi-1f(RDi-1,K16-i)

This is the input to next roundThe key of round i is K16-i,

This algorithm is CORRECT after round i wehave LDi=RE16-i, RDi=LE16-i:

PROOF:Input to the first round:

LD0=RE16, RD0=LE16

Result of the first round

LD1=RD0=LE16=RE15RD1=LD0 f(RD0, K16)=RE16 f(RE15,K16)=(LE15 f(RE15,K16)) f(RE15,K16)=LE15Result: (RE15, LE15)

Output: the plaintext (RD16, LD16)=(LE0, RE0)

Encryption

Input: the plaintext (LE0, RE0)

Round i (1 to 16) performs on input

(LEi-1

, REi-1

) the operations:

LEi=REi-1, REi=LEi-1f(REi-1,Ki)

This is the input to next round

The key of round i is Ki,

Output: the ciphertext (RE16, LE16)


11/27


12/27

March 23-28, 2006 12

DES encryption scheme


13/27

March 23-28, 2006 13

DES encryption scheme

The plaintext (64 bits) passes through an initial permutation IP (on

64 bits) Then follow 16 identical rounds in each round a different subkey

is used; each subkey is generated from the key

After round 16, swap the left half with the right half Apply the inverse of the initial permutation IP-1 (on 64 bits)


14/27


15/27


16/27

March 23-28, 2006 16

The scheme of the function F(R,K) in DES


17/27


18/27


19/27


20/27

March 23-28, 2006 20

Definition of S-boxes

Example: consider the input 011001toS-box S1

The row is 011001: 01 (i.e. 1) The column is 011001: 1100 (i.e. 12) The value in the selected cell is 9 Output is 1001

Note that each row of each S-box is in

fact an invertible substitution on 4 bits(permutation of numbers from 0 to 15) Note also that the output of the S-box

is immediately permuted in DES sothat it spreads in the ciphertext


21/27


22/27


23/27

March 23-28, 2006 23

DES decryption

Like in any Feistel cipher, decryption works just like encryption withthe subkeys used in reverse order


24/27


25/27

March 23-28, 2006 25

Strength of DES

Two main concerns with DES: the length of the key and the nature of thealgorithm

The key is rather short: 56 bits there are 256 possible keys, around 7.2 x1016 In average, only half of the keys have to be tried to break the system In principle it should take long time to break the system Things are quicker with dedicated hardware: 1998 a special machine was built

for less than 250 000 $ breaking DES in less than 3 days, 2006 estimates arethat a hardware costing around 20.000$ may break DES within a day DES has no export restrictions from NSA! 40-bit RC4 key is also insecure 128-but keys seem to be secure

Important difficulty in breaking any system: unless the plaintext is known,we have to recognize when we have broken the system: we have torecognize the plaintext when we find it This is not trivial if the file is binary, compressed, etc. Automated procedures to do that are needed (and indeed some exist)


26/27


27/27

Date post:	09-Apr-2018
Category:	Documents
Upload:	abhijeet
View:	227 times
Download:	0 times

Cryptography - lecture3

Documents