DATA ENCRYPTION STANDARD
Ref: Cryptography and Network Security
by William Stallings
MODERN BLOCK CIPHERS
One of the most widely used types of cryptographic algorithms
Provide secrecy /authentication services
The focus of the lecture is DES (Data Encryption Standard, the
most widely used symmetric cipher.
A detailed study of DES provides an understanding of the
principles used in other symmetric ciphers
DES is based on block cipher design principles
BLOCK VS STREAM CIPHERS
Block ciphers process messages in blocks, each of
which is then en/decrypted
Stream ciphers process messages a bit or byte at a time
when en/decrypting
Many current ciphers are block ciphers and have a
broader range of applications, hence focus on them.
BLOCK VS STREAM CIPHERS
BLOCK CIPHER PRINCIPLES
Most symmetric block ciphers are based on a FeistelCipher Structure.
A block cipher operates on a plaintext block of n bits toproduce a ciphertext block of n bits
IDEAL BLOCK CIPHER
CLAUDE SHANNON AND SUBSTITUTION-
PERMUTATION CIPHERS
Claude Shannon introduced idea of substitution-permutation
(S-P) networks in 1949 paper
This form basis of modern block ciphers
S-P nets are based on the two primitive cryptographic
operations seen before:
substitution (S-box)
permutation (P-box)
It was the technique of layering groups of S-boxes separated
by a larger P-box to form the S-P network
FEISTEL CIPHER STRUCTURE
Horst Feistel devised the Feistel cipher early 70’s duringworking at IBM Thomas J Watson Research Labs
Partitions input block into two halves
perform a substitution on left half based on round functionof right half & subkey
permutation swapping right halve with left half of nextround.
process through multiple rounds
Implements Shannon’s S-P net concept
FEISTEL CIPHER STRUCTURE
FEISTEL CIPHER STRUCTURE
The inputs to the encryption algorithm are a plaintext block of
length 2w bits and a key K.
The plaintext block is divided into two halves, L0 and R0.
The two halves of the data pass through n rounds of processing
and then combine to produce the ciphertext block.
Each round i has as inputs Li–1 and Ri–1, derived from the previous
round, as well as a subkey Ki, derived from the overall K.
In general, the subkey Ki are different from K and from each
other.
The process of decryption with a Feistel cipher is essentially the
same as the encryption process.
The rule of decryption is as follows:
Use the ciphertext as input to the algorithm, but use the subkeys
Ki in reverse order. That is, use Kn in the first round, Kn–1 in the
second round, and so on until K1 is used in the last round.
FEISTEL CIPHER STRUCTURE
The intermediate value of the decryption process is equal
to the corresponding value of the encryption process with
the two halves of the value swapped.
Output of the first round of the decryption process is equal
to a 32-bit swap of the input to the sixteenth round of the
encryption process
The encryption process
DATA ENCRYPTION STANDARD (DES)
Before the Advanced Encryption Standard (AES), the DataEncryption Standard (DES) was the most widely used encryptionscheme.
DES was issued in 1977 by the National Bureau of Standards,now the National Institute of Standards and Technology (NIST),as Federal Information Processing Standard 46 (FIPS PUB 46).
Encrypts 64-bit data using 56-bit key (Actually, the function expects a 64-bit key as input. However, only 56 of these bits are ever used; the other 8 bits can be used as parity bits)
In 1999, NIST issued a new version of its standard (FIPS PUB46-3) that is called triple DES.
Triple DES: It involves repeating the DES algorithm three timeson the plaintext using two or three different keys to produce theciphertext.
DES HISTORY
IBM developed Lucifer cipher based on Feistel block cipher
by team led by Feistel in early 70’s
used 64-bit data blocks with 128-bit key
Then redeveloped as a commercial cipher with input fromNSA and others
In 1973 NBS issued request for proposals for a nationalcipher standard
IBM submitted their revised Lucifer which was eventuallyaccepted as the DES
DES OVERVIEW
DES ENCRYPTION DETAIL OVERVIEW
DES ENCRYPTION DETAIL OVERVIEW
DES encryption takes as input 64-bits of data and of key.
The left side of the previous figure shows encryption of 64-bit data block which consists of: - an initial permutation (IP) which shuffles the 64-bit input block
16 rounds of a complex key dependent round function involving substitutions & permutations - a final permutation, being the inverse of IP
The right side shows the handling of the 56-bit key and consists of:
an initial permutation of the key which selects 56-bits out of the 64-bits input, in two 28-bit halves
16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves
INITIAL PERMUTATION IP
INITIAL AND FINAL PERMUTATION
Example: Find the output of the initial permutation box when the input is given in hexadecimal as: 0x0002 0000 0000 0001
DES ROUND STRUCTURE
DES FUNCTION
• The heart of DES is the DES
function.
• The DES function applies a 48-bit
key to the rightmost 32 bits to
produce a 32-bit output.
• The function is made up of
four sections:
• an expansion D-box,
• a whitener (that adds
key),
• a group of S-boxes, and
• a straight D-box
EXPANSION D-BOX
After the expansion permutation, DES uses the XOR
operation on the expanded right section and the round key.
Both the right section and the key are 48-bits in length
Whitener (XOR)
S-BOXES
DES has eight S-boxes which map 6 to 4 bits
The substitution in each box follows a pre-determined rulebased on a 4-row by 16-column table.
Because each S-box has its own table, we need eight tables,
S BOXES
S-BOX EXAMPLE
Example: The input to S-box 1 is 100011. What
is the output?
FINAL PERMUTATION
The last operation in the DES function is a permutation
with a 32-bit input and a 32-bit output.
The input/output relationship for this operation is
shown in the Table
DES KEY SCHEDULE
It forms subkeys used in each round
initial permutation of the key which selects 56-bits in two
28-bit halves
16 stages consisting of:
rotating each half separately either 1 or 2 places
depending on the round
changes the 56 bits to 48 bits, which are used as a key
for a round.
DE
S K
ey
Sch
ed
ule
PARITY DROP AND SHIFT The preprocess before key expansion is a compression transposition
step that we call parity bit drop.
It drops the parity bits (bits 8, 16, 24, 32, …, 64) from the 64-bit keyand permutes the rest of the bits according to Table.
After the straight permutation, the key is divided into two 28-bitparts. Each part is shifted left (circular shift) one or two bits
COMPRESSION D-BOX
The compression D-box changes the 56 bits to 48 bits,
which are used as a key for a round.
DES EXAMPLE
Determine what the ciphertext block would be (all in hexadecimal):
Plaintext: 123456ABCD132536 Key: AABB09182736CCDD
Cipher Text: C0B7A8D05F3A829C
AVALANCHE EFFECT
Key desirable property of encryption algorithm
A change of one input or key bit results in changing approx. half
output bits
DES exhibits strong avalanche.
Although the two plaintext blocks differ only in the rightmost bit,
the ciphertext blocks differ in 29 bits.
This means that changing approximately 1.5 percent of the
plaintext creates a change of approximately 45 percent in the
ciphertext
WEAKNESS OF DES
Weakness in the Cipher Key
Critics believe that the most serious weakness of DES is in its key size
(56 bits).
To do a brute-force attack on a given ciphertext block, the adversary
needs to check 256 keys.
With available technology, it is possible to check one million keys per
second. This means that we need more than two thousand years to do
brute-force attacks on DES using only a computer with one processor.
If we can make a computer with one million chips (parallel
processing), then we can test the whole key domain in approximately
20 hours.
When DES was introduced, the cost of such a computer was over
several million dollars, but the cost has dropped rapidly.
A special computer was built in 1998 that found the key in 112 hours
MULTIPLE DES—CONVENTIONAL
ENCRYPTION ALGORITHMS
2-DES
The output of 2-DES
is c = Ek2(Ek1(m)). To decrypt similarly, m = Dk1(Dk2(c)).
3-DES
There are in general two flavors of 3-DES
The first implementation uses three keys, namely K1, K2, K3.
The ciphertext of m is thus obtained by C = DESK1 [DESK2
(DESK3 (m))].
The second way to implement 3-DES is using two keys, thus C
= DESk1 [DES-1K2(DESk1(m))].
Thus if the keys K1 and K2 are the same then we obtain a single
DES.