DESPart2 - University of Windsor

One of the biggest problems in Security today
is that not too many professionals are aware
of the actual risks, and most of the graduates
in computer science cannot identify a
security hole, if asked.
1
Using DES


DES encrypts a 64-bit data block.
Methods for encrypting larger amounts of data: four modes are defined in "ANSI X3.106-1983 Modes of Use":
Block modes: split the message into blocks (ECB, CBC)
Stream modes: operate on bit-stream messages (CFB, OFB)
Now, with AES, a fifth mode, called Counter (CTR) mode, has been defined.
2
DES: ECB Mode
1. Electronic Codebook (ECB):
Each 64-bit block of data is encrypted independently, one after the other.
Used for encryption of a small amount of data, like keys or passwords (of 8 characters).
Not used for larger data: statistical analysis, particularly for messages with repetitive blocks, becomes easy, because identical plaintext blocks produce identical ciphertext blocks.
Parallel encryption/decryption of a large number of data blocks is possible.
An error in the transmission of one cipher block affects only one block of (decrypted) plaintext.



3
Cipher Block Chaining
2. Cipher Block Chaining (CBC): Encryption process:
Uses an Initialization Vector / Injection Vector / Initializing Value / Initial Chaining Value (IV) of 64 bits in the first block.
The IV is XORed with the first block of data.
The resultant block is encrypted using DES.
The cipher output of the first (i-th) block is then XORed with the second ((i+1)-th) block of data.
The resultant block is encrypted using DES.
...
The process is shown in the figure in the next slide.
4
[Figure: CBC mode. (a) Encryption: Time = 1: IV ⊕ P1 → DES encrypt (key K) → C1; Time = 2: C1 ⊕ P2 → DES encrypt (K) → C2; ...; Time = N: C(N-1) ⊕ PN → DES encrypt (K) → CN. (b) Decryption: C1 → DES decrypt (K), then ⊕ IV → P1; C2 → DES decrypt (K), then ⊕ C1 → P2; ...; CN → DES decrypt (K), then ⊕ C(N-1) → PN.]
5
CBC
continued
C1 = EK[IV ⊕ P1]
C2 = EK[C1 ⊕ P2]
.
.
CN = EK[C(N-1) ⊕ PN]
Or, generalizing the above,
Ci = EK[C(i-1) ⊕ Pi]
where
C0 = IV
6
CBC
continued
For decryption (obtained by substituting the value of CN from above):
DK[CN] = DK[EK[C(N-1) ⊕ PN]]
Therefore DK[CN] = C(N-1) ⊕ PN
On XORing both sides with C(N-1),
C(N-1) ⊕ DK[CN] = C(N-1) ⊕ C(N-1) ⊕ PN
= PN
7
CBC: IV
IV has to be protected like the key.
IV may be
 a timestamp or
 a random number.
IV is sent using ECB encryption.
Or the sender and the receiver agree upon a value, like all 0's.
8
CBC: The Last Block

PADDING: If the last block is of less than 64 bits, it is to be converted to 64 bits by padding
 either with known non-data values (e.g. nulls)
 or with nulls and with a count, in bytes, of the pad size;
e.g. [b1 b2 b3 0 0 0 0 5]: 3 data bytes, then 5 bytes of pad + count.
But if this option is chosen, then even if the message is an exact multiple of 8 bytes,
an additional block of 8 bytes, with all zeros in the first seven bytes and with the eighth byte having a value of 8, will have to be added.
9
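The "nulls plus a count byte" padding scheme described above, as an added example that is not part of the original slides: the pad function reproduces the [b1 b2 b3 0 0 0 0 5] layout and the mandatory extra all-zero block, and the unpad function rejects a last block that does not follow the scheme instead of silently accepting it. Function names and the 8-byte block size are this example's own choices.

```python
# Added example (not from the slides): "pad with nulls, last byte = pad count"
# for a 64-bit (8-byte) block cipher such as DES.
BLOCK = 8


def pad_with_count(data: bytes) -> bytes:
    """Pad to a multiple of 8 bytes: zero bytes, then one byte holding the pad
    length (count byte included). A message that is already a multiple of 8
    bytes gets a whole extra block: seven zeros and a final byte of 8."""
    pad_len = BLOCK - (len(data) % BLOCK)  # always 1..8, never 0
    return data + b"\x00" * (pad_len - 1) + bytes([pad_len])


def unpad_with_count(padded: bytes) -> bytes:
    """Strip the padding, refusing anything that does not match the scheme so a
    corrupted or forged last block is detected rather than silently accepted."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    pad_len = padded[-1]
    if not 1 <= pad_len <= BLOCK:
        raise ValueError("invalid pad count")
    if padded[-pad_len:-1] != b"\x00" * (pad_len - 1):
        raise ValueError("pad bytes are not null")
    return padded[:-pad_len]


if __name__ == "__main__":
    # Constructed inputs: the slide's 3-byte case and an exact 8-byte message.
    print(pad_with_count(b"\x01\x02\x03").hex())   # 01020300 00000005
    print(pad_with_count(b"12345678").hex())       # 8 data bytes + 00*7 + 08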
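```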
Advantages of CBC



Each ciphertext block depends on all the
preceding message blocks
Thus a change in the message affects all
ciphertext blocks after the change as
well as the original block
SELF-HEALING: Due to communication errors,
if a block of ciphertext has an error, the error
propagates for at most two blocks.
Avalanche Effect: Encrypted message cannot
be changed or rearranged without destroying
the subsequent data
10
Disadvantages of CBC

By fooling the receiver into using a different IV, selected bits of the first plaintext block can be inverted.
e.g. P1 = IV ⊕ DK[C1]
Let X[i] = i-th bit of X.
P1[i] = IV[i] ⊕ (DK[C1])[i]
Using the property of XOR,
P1[i]' = IV[i]' ⊕ (DK[C1])[i]
Thus if the i-th bit of IV is complemented, the i-th bit of P1 will also be complemented.
No parallel encryption (parallel decryption can be done).
11
Cipher FeedBack (CFB)



The message is treated as a stream of bits. Assume that s bits of plaintext are available for encryption and transmission to the receiver.
IV is encrypted.
The most significant (leftmost) s bits, out of the encrypted 64 bits, are then XORed with s bits of plaintext. This gives s bits of ciphertext (C1). The least significant (64 - s) bits are discarded.
Next stage: the shift register, containing IV, is shifted left s times and the s bits of C1 are entered (fed back) into the least significant s positions for the next stage (hence the name) ...
12
CFB
(continued)
C1 = P1 ⊕ Ss(EK(IV)), where Ss selects the s most significant bits of EK(IV).
Therefore
P1 = C1 ⊕ Ss(EK(IV))
Hence during decryption the encryption process is used.
13
CFB
(continued)
The standard allows any number of bits s (1, 8 or 64, or whatever) to be fed back,
denoted CFB-1, CFB-8, CFB-64 etc.
Throughput reduces by a factor of 64/s.
It is most efficient to use all 64 bits (CFB-64):
Ci = Pi ⊕ EK(C(i-1))
C0 = IV
14
Cipher FeedBack (CFB)
15
Advantages and Limitations of
CFB
Appropriate when data arrives in bits/bytes.
Limitation: need to stall while doing a block encryption after every s bits, if data should arrive faster.
Note that the block cipher is used in encryption mode at both ends.
Bit errors in communication propagate for several blocks after the error, so CFB should be used over a reliable network layer.
APPLICATIONS: stream data encryption, authentication

16
Output FeedBack (OFB)


The message is treated as a stream of bits.
IV is encrypted.
The most significant (leftmost) s bits, out of the encrypted 64 bits, are then XORed with s bits of plaintext. This gives s bits of ciphertext (C1).
Research has shown that using s other than 64 is not desirable. Hence OFB-64 is the only one in use today.
Next stage: the bits obtained by encryption of IV ONLY are fed to the next stage (hence the name) ...
Feedback is independent of the plaintext message.
17
OFB
(continued)
Q0 = IV
Qi = EK(Q(i-1))
Thus the Q's can be computed in advance of encryption.
If s bits of plaintext are available for encryption, the most significant s bits may be selected from Qi by the process Ss:
Ci = Pi ⊕ Ss(Qi)
Therefore Pi = Ci ⊕ Ss(Qi)
Hence only the encryption process is used, even while decrypting the plaintext from a given ciphertext.
18
Output FeedBack (OFB)
19
Advantages and Limitations of
OFB


APPLICATIONS: transfer of the encrypted stream over noisy channels; an error in Ci affects Pi only.
Used
 when errors in communication in the cipher feedback method create a problem, or
 where there is a need to encrypt before the message is available, for bursty traffic.
A variation of a Vernam cipher; hence the same sequence (key + IV) must never be reused.
Susceptible to the "modification of selected bits in the communication message" attack.
Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs.
20
OFB Limitations


If the same IV + key combination is used for two messages, the two ciphertexts can be XORed to cancel out the DES keystream. The result is the XOR of the two plaintexts, which may be separated out more easily.
Throughput reduces by a factor of 64/s.
21
Counter (CTR): A “new” mode


Similar to OFB, but encrypts a counter value rather than any feedback value.
Must have a different key & counter value for every plaintext block (never reused).
Ci = Pi ⊕ Qi
Qi = EK(CTRi)
Select a random 64-bit CTR value for the first block, then increment it for every sequential block.
Uses the encryption algorithm for both encryption and decryption.
22
Counter (CTR)
23
Advantages and Limitations of
CTR





Efficiency
 can do parallel encryptions
 Preprocessing: Encryptions may be done in
advance of need
random access to encrypted data blocks ( ie it is not
necessary to decrypt blocks in sequence)
provable security (as good as other modes);
but must ensure never reuse key/counter values,
otherwise could break (cf OFB)
Only encryption is used. (useful in AES, where
encryption and decryption modes are quite different.)
APPLICATIONS: high-speed network encryptions as
in ATM or IPSec; good for bursty high speed links
24
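The five modes discussed on the preceding slides (ECB, CBC, CFB-64, OFB, CTR), as an added example that is not part of the original slides. Because no DES implementation is assumed to be available, the 64-bit block cipher underneath is a small keyed Feistel network built on SHA-256; it is not DES and has no security claim, it only gives the modes something invertible to run over. The checks at the end reproduce the slides' claims: ECB leaks repeated blocks, a CBC ciphertext error damages exactly two plaintext blocks (self-healing), an OFB error stays in its own block, flipping an IV bit flips the same bit of P1 in CBC, and a CTR block can be decrypted on its own. All names, the sample key, IV and plaintext are this example's own, constructed values.

```python
# Added example (not from the slides): block-cipher modes over a toy 64-bit
# Feistel cipher standing in for DES. The toy cipher is NOT DES and not secure.
import hashlib

BLOCK = 8  # 64-bit block, as in DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(half: bytes, subkey: bytes) -> bytes:
    # Keyed round function: SHA-256(subkey || half) truncated to 32 bits.
    return hashlib.sha256(subkey + half).digest()[:4]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four Feistel rounds over a 64-bit block (stand-in for DES's 16 rounds)."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round_fn(right, key + bytes([i])))
    return right + left  # final swap, as in DES

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Same network with the round keys applied in reverse order."""
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = right, _xor(left, _round_fn(right, key + bytes([i])))
    return right + left

def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(block_encrypt(key, p) for p in _blocks(pt))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(pt):
        prev = block_encrypt(key, _xor(p, prev))  # Ci = EK[C(i-1) xor Pi]
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))  # Pi = C(i-1) xor DK[Ci]
        prev = c
    return b"".join(out)

def _keystream_mode(key, reg, data, next_reg):
    """CFB-64, OFB and CTR all XOR the data with EK(register); they differ only
    in what goes into the register for the next block."""
    out = []
    for d in _blocks(data):
        ks = block_encrypt(key, reg)
        o = _xor(d, ks)
        out.append(o)
        reg = next_reg(reg, ks, d, o)
    return b"".join(out)

def cfb64_encrypt(key, iv, pt):  # feedback: the ciphertext block just produced
    return _keystream_mode(key, iv, pt, lambda reg, ks, d, o: o)

def cfb64_decrypt(key, iv, ct):  # feedback: the ciphertext block just consumed
    return _keystream_mode(key, iv, ct, lambda reg, ks, d, o: d)

def ofb_crypt(key, iv, data):  # feedback: the cipher output itself, Qi = EK(Q(i-1))
    return _keystream_mode(key, iv, data, lambda reg, ks, d, o: ks)

def _next_counter(ctr: bytes, step: int = 1) -> bytes:
    return ((int.from_bytes(ctr, "big") + step) % 2**64).to_bytes(8, "big")

def ctr_crypt(key, ctr, data):  # no feedback: the counter is incremented
    return _keystream_mode(key, ctr, data, lambda reg, ks, d, o: _next_counter(reg))

# Constructed sample inputs for the checks below (not from the slides).
KEY = bytes.fromhex("133457799bbcdff1")
IV = bytes(range(8))
PT = b"ATTACK!!ATTACK!!ATTACK!!"  # three identical 8-byte blocks

def ecb_repeats(key=KEY, pt=PT) -> bool:
    """ECB leaks structure: equal plaintext blocks give equal ciphertext blocks."""
    blocks = _blocks(ecb_encrypt(key, pt))
    return len(set(blocks)) < len(blocks)

def damaged_blocks(decrypt, key, iv, ct, pt, flip_at):
    """Flip one bit of ct at byte offset flip_at; return the (0-based) indices
    of the plaintext blocks that then decrypt wrongly."""
    ct = bytearray(ct)
    ct[flip_at] ^= 0x01
    rec = decrypt(key, iv, bytes(ct))
    return [i for i, (r, p) in enumerate(zip(_blocks(rec), _blocks(pt))) if r != p]

def cbc_error_propagation(key=KEY, iv=IV, pt=PT):
    """Self-healing: an error in the 2nd ciphertext block garbles the 2nd
    plaintext block and flips one bit of the 3rd; nothing else is touched."""
    return damaged_blocks(cbc_decrypt, key, iv, cbc_encrypt(key, iv, pt), pt, BLOCK)

def ofb_error_propagation(key=KEY, iv=IV, pt=PT):
    """OFB: an error in the 2nd ciphertext block affects the 2nd plaintext block only."""
    return damaged_blocks(ofb_crypt, key, iv, ofb_crypt(key, iv, pt), pt, BLOCK)

def cbc_iv_bitflip(key=KEY, iv=IV, pt=PT) -> bytes:
    """Decrypting with the top bit of IV flipped flips exactly that bit of P1
    (the 'fooling the receiver with a different IV' disadvantage)."""
    bad_iv = bytes([iv[0] ^ 0x80]) + iv[1:]
    return _xor(cbc_decrypt(key, bad_iv, cbc_encrypt(key, iv, pt)), pt)

def ctr_random_access(key=KEY, ctr=IV, pt=PT, i=2) -> bytes:
    """CTR: block i is recovered on its own from EK(counter + i)."""
    ct = ctr_crypt(key, ctr, pt)
    return _xor(_blocks(ct)[i], block_encrypt(key, _next_counter(ctr, i)))
```

Run with any 24-byte plaintext: cbc_error_propagation() returns [1, 2] and ofb_error_propagation() returns [1], which is the "at most two blocks" versus "Pi only" contrast the slides draw, and cbc_iv_bitflip() returns a difference with a single 0x80 byte at the front. Error-tolerant decryption is not the same as integrity: none of these modes detects the flipped bit, which is why a MAC is needed alongside them.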
DES Implementations
Software DES implementations:
 HP 9000/887, 125 MHz: 1.6 MB/s
 Sun Ultra 5, 333 MHz: 4.0 MB/s
 Intel Pentium III, 750 MHz: 14.0 MB/s
VLSI DES implementations:
 Wildcard (core), XVC300, 1999, 33 MHz: 264 MB/s
 Wildcard (with bus), XVC300, 1999, 33 MHz: 1.9 MB/s
 On an XVC300-4 FPGA at HK Univ: max freq 34.4 MHz; can perform a 64-bit encryption every cycle, i.e. 272 MB/s, with a latency of 16 cycles
Reference: http://www.cse.cuhk.edu.hk/~phwl/ceg5010/des.pdf
25
Super-encryption
Double DES:
Ciphertext = EK1(EK2(Plaintext))
 takes double the time for encryption and decryption
 not significantly more secure than DES: the known-plaintext meet-in-the-middle attack* is the problem.
Merkle-Hellman attack: requires storing 2^56 intermediate results (each of 64 bits, i.e. a total of 2^59 ≈ 10^17 bytes), but it reduces the number of different keys you need to check from 2^112 to 2^57.
* Reference: R. C. Merkle and M. Hellman, "On the Security of Multiple Encryption," Communications of the ACM, Volume 24, Number 7, July 1981, pp. 465-467.
26
Meet-in-the-middle Attack




C1 = EK2(EK1(P1))
Initial storage: for all possible keys K, compute EK(P1) and store the results.
For each key K, compute DK(C1) and compare it with the stored results. If it matches any stored result, we probably know both K2 (from the decryption) and K1 (from the stored encryption).
Verify the correctness with a second pair:
C2 = EK2(EK1(P2))
27
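The meet-in-the-middle procedure on this slide, carried out end to end, as an added example that is not part of the original slides. DES itself cannot be exhausted here, so the two-stage cipher is a toy 16-bit block cipher with a 16-bit key (this example's own construction, not DES): naive brute force of the double cipher costs 2^32 trials, while the table-based attack costs 2^16 encryptions plus 2^16 decryptions and a 2^16-entry table, the same shape as the 2^112 → 2^57 reduction quoted above. The secret key pair and the known (plaintext, ciphertext) pairs are constructed; extra pairs are used exactly as the slide says, to verify candidates that matched on the first pair by accident.

```python
# Added example (not from the slides): meet-in-the-middle against double
# encryption with a toy 16-bit cipher, so the whole key space fits in a dict.
MASK = 0xFFFF
MUL = 0x9E37                    # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)


def _mix(x: int) -> int:
    x = (x * MUL) & MASK                   # multiply mod 2^16
    return ((x << 7) | (x >> 9)) & MASK    # rotate left by 7


def _unmix(x: int) -> int:
    x = ((x >> 7) | (x << 9)) & MASK       # rotate right by 7
    return (x * MUL_INV) & MASK


def toy_encrypt(key: int, block: int) -> int:
    """Two rounds of (XOR key, mix). Toy only: 16-bit key and 16-bit block."""
    return _mix(_mix(block ^ key) ^ key)


def toy_decrypt(key: int, block: int) -> int:
    return _unmix(_unmix(block) ^ key) ^ key


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))      # C = EK2(EK1(P))


def meet_in_the_middle(pairs):
    """pairs: [(P, C), ...] produced under one unknown (k1, k2).
    Returns every (k1, k2) consistent with all pairs. The first pair builds
    the table and drives the search; the remaining pairs verify candidates."""
    (p1, c1), rest = pairs[0], pairs[1:]
    # Initial storage: for every k1, remember EK1(P1) -> k1  (2^16 encryptions).
    middle = {}
    for k1 in range(1 << 16):
        middle.setdefault(toy_encrypt(k1, p1), []).append(k1)
    # Search: for every k2, look DK2(C1) up in the table  (2^16 decryptions).
    found = []
    for k2 in range(1 << 16):
        for k1 in middle.get(toy_decrypt(k2, c1), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found


# Constructed demo data: a secret key pair and three known-plaintext pairs.
SECRET_K1, SECRET_K2 = 0x3A5F, 0xC10D
KNOWN_PAIRS = [(p, double_encrypt(SECRET_K1, SECRET_K2, p))
               for p in (0x1234, 0xBEEF, 0x0042)]

if __name__ == "__main__":
    for k1, k2 in meet_in_the_middle(KNOWN_PAIRS):
        print(f"candidate k1={k1:#06x} k2={k2:#06x}")
```

With a 16-bit block, a single pair leaves on the order of 2^16 accidental matches, which is why the verification pairs matter; the true pair is always among the survivors, and any other survivor is a key pair that is genuinely indistinguishable on the pairs supplied.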
Triple DES
Reference: http://en.wikipedia.org/wiki/Data_Encryption_Standard as of Nov 1, 2009




DES: approved as a federal standard in November
1976, and published on 15 January 1977 as FIPS
PUB 46, authorized for use on all unclassified data.
DES: reaffirmed as the standard in 1983, 1988
(revised as FIPS-46-1), 1993 (FIPS-46-2)
January 22, 1999: distributed.net and the Electronic
Frontier Foundation jointly broke a DES key in 22
hours and 15 minutes
Oct 25, 1999: NIST reaffirmed DES as a standard
through FIPS 46-3, specifying the preferred use of
Triple DES
28
Triple DES for greater security
Triple DES with three keys:
C = EK3( EK2( EK1( P)))
P = DK1( DK2( DK3( C)))
Used in PGP, S/MIME etc
 Encrypt-Decrypt-Encrypt DES (called EDE
DES) with two keys:
C = EK1( DK2( EK1( P)))
P = DK1( EK2( DK1( C)))
Used in X9.17 and ISO 8732 standards

29
Strength of Triple DES
Reference: http://csrc.nist.gov/publications/nistpubs/80057/sp800-57-Part1-revised2_Mar08-2007.pdf page 61


Three-key Triple DES: due to the meet-in-the-middle attack, strength = 112 bits.
Two-key Triple DES: if the attacker can obtain approximately 2^40 (plaintext, ciphertext) pairs, then 2TDEA has strength comparable to an 80-bit algorithm (Reference: [ANSX9.52], Annex B).
30
Security for Super-encryption
Order of the number of computations required for breaking the security:
DES: 2^55 computations
Double DES: 2^56 computations
Triple DES: 2^112 = 5.19 × 10^33 computations
Assume a computer with 10^6 chips, each chip capable of 10^6 triple-DES encryptions per second.
Time for cracking = 5.19 × 10^21 s = 1.65 × 10^14 years
= 16453 times the age of the universe (10^10 years)
Since Double DES is not very much more secure than DES, DES and Triple DES are the ones in use.
31
Weak keys
WEAK KEYS: those that lead to the same subkeys in more than one round. REFER: Slides 33-46 for the key schedule.
All block ciphers have some weak keys.
DES has:
 4 weak keys, for which the same subkey is generated in all the rounds. This happens if all the bits in each half (C and D) are identical, so that the left circular shift operation has no effect.
The 4 weak 56-bit keys are (in hex, as the two 28-bit halves):
0000000 0000000
0000000 FFFFFFF
FFFFFFF 0000000
FFFFFFF FFFFFFF
32
Semi-Weak keys

12 semi-weak keys, for which the subkey repeats in alternate rounds. (For each of these 12 keys, only two distinct subkeys are generated through the key schedule.)
These 12 keys occur in six pairs. In each pair, ciphertext obtained by encryption using one key can be decrypted by using the other key of the pair. Such 56-bit keys are given in this and the next slide:
Pair 1:
First Key: 0000000 1111111 0000000 1111111 0000000 1111111 0000000 1111111
Second Key: 1111111 0000000 1111111 0000000 1111111 0000000 1111111 0000000
33
Semi-Weak keys: Key 3 to Key 12 (56-bit keys)
Pair 2:
Key 3: 0001 1111 1100 0000 0111 1111 0000 0000 1111 1110 0000 0011 1111 1000
Key 4: 1110 0000 0011 1111 1000 0000 1111 1111 0000 0001 1111 1100 0000 0111
Pair 3:
Key 5: 0000 0001 1100 0000 0000 0111 0000 0000 0001 1110 0000 0000 0111 1000
Key 6: 1110 0000 0000 0011 1000 0000 0000 1111 0000 0000 0011 1100 0000 0000
Pair 4:
Key 7: 0001 1111 1111 1100 0111 1111 1111 0000 1111 1111 1100 0011 1111 1111
Key 8: 1111 1110 0011 1111 1111 1000 1111 1111 1110 0001 1111 1111 1000 0111
Pair 5:
Key 9: 0000 0000 0011 1100 0000 0000 1111 0000 0000 0001 1100 0000 0000 0111
Key 10: 0001 1110 0000 0000 0111 1000 0000 0000 1110 0000 0000 0011 1000 0000
Pair 6:
Key 11: 1110 0001 1111 1111 1000 0111 1111 1111 0001 1111 1111 1100 0111 1111
Key 12: 1111 1111 1100 0011 1111 1111 0000 1111 1111 1110 0011 1111 1111 1000
34
Demi-semi-weak Keys


48 demi-semi-weak keys, for each of which only four distinct subkeys are generated.
These occur in 4 groups of 4 keys each and in another 4 groups of 8 keys each.
These are given in the next four slides as 64-bit keys. (In every 8 bits, the eighth bit is an odd-parity bit. On eliminating the parity bit, you get the 56-bit key. Refer to slide 34 of DES Part 1.)
All key generation programs should avoid the weak keys. The total number of possible keys in DES is
2^56 = 72,057,594,037,927,936 ≈ 7.2 × 10^16.
In this large key space, the number of weak, semi-weak and demi-semi-weak keys is only 64.
35
Demi-semi-weak Keys: Key 1 to Key 12 (as 64-bit keys)
1F 1F 01 01 0E 0E 01 01
01 1F 1F 01 01 0E 0E 01
1F 01 01 1F 0E 01 01 0E
01 01 1F 1F 01 01 0E 0E
E0 E0 01 01 F1 F1 01 01
FE FE 01 01 FE FE 01 01
FE E0 1F 01 FE F1 0E 01
E0 FE 1F 01 F1 FE 0E 01
FE E0 01 1F FE F1 01 0E
E0 FE 01 1F F1 FE 01 0E
E0 E0 1F 1F F1 F1 0E 0E
FE FE 1F 1F FE FE 0E 0E
36
Demi-semi-weak Keys: Key 13 to Key 24 (as 64-bit keys)
FE 1F E0 01 FE 0E F1 01
E0 1F FE 01 F1 0E FE 01
FE 01 E0 1F FE 01 F1 0E
E0 01 FE 1F F1 01 FE 0E
01 E0 E0 01 01 F1 F1 01
1F FE E0 01 0E FE F1 01
1F E0 FE 01 0E F1 FE 01
01 FE FE 01 01 FE FE 01
1F E0 E0 1F 0E F1 F1 0E
01 FE E0 1F 01 FE F1 0E
01 E0 FE 1F 01 F1 FE 0E
1F FE FE 1F 0E FE FE 0E
37
Demi-semi-weak Keys: Key 25 to Key 36 (as 64-bit keys)
E0 01 01 E0 F1 01 01 F1
FE 1F 01 E0 FE 0E 01 F1
FE 01 1F E0 FE 01 0E F1
E0 1F 1F E0 F1 0E 0E F1
FE 01 01 FE FE 01 01 FE
E0 1F 01 FE F1 0E 01 FE
E0 01 1F FE F1 01 0E FE
FE 1F 1F FE FE 0E 0E FE
1F FE 01 E0 0E FE 01 F1
01 FE 1F E0 01 FE 0E F1
1F E0 01 FE 0E F1 01 FE
01 E0 1F FE 01 F1 0E FE
38
Demi-semi-weak Keys: Key 37 to Key 48 (as 64-bit keys)
01 01 E0 E0 01 01 F1 F1
1F 1F E0 E0 0E 0E F1 F1
1F 01 FE E0 0E 01 FE F1
01 1F FE E0 01 0E FE F1
1F 01 E0 FE 0E 01 F1 FE
01 1F E0 FE 01 0E F1 FE
01 01 FE FE 01 01 FE FE
1F 1F FE FE 0E 0E FE FE
FE FE E0 E0 FE FE F1 F1
E0 FE FE E0 F1 FE FE F1
FE E0 E0 FE FE F1 F1 FE
E0 E0 FE FE F1 F1 FE FE
39
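The claims of the weak-key slides checked by running the key schedule, as an added example that is not part of the original slides. It implements PC-1, the 16 left-circular-shift steps on the two 28-bit halves, and PC-2 (the standard FIPS 46 tables), and counts how many distinct round keys a key yields: 1 for a weak key, 2 for a semi-weak key, 4 for a demi-semi-weak key, 16 for an ordinary key. It also checks the odd parity bit the slides describe, and shows why a semi-weak pair decrypts each other's ciphertext: their round-key sequences are reverses of one another. The weak keys and semi-weak pair 1 are the slides' 56-bit keys rewritten in 64-bit form by inserting the parity bits; the demi-semi-weak samples are taken from the lists above; the ordinary key is a constructed value; function names are this example's own.

```python
# Added example (not from the slides): the DES key schedule (PC-1, shifts,
# PC-2) used to classify keys as weak / semi-weak / demi-semi-weak.
PC1 = [57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
       10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4]
PC2 = [14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
       23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]  # per round


def _bits(key: bytes) -> list:
    # DES numbers bits 1..64 from the MSB of the first byte.
    return [(key[i // 8] >> (7 - i % 8)) & 1 for i in range(64)]


def has_odd_parity(key: bytes) -> bool:
    """Every byte of a DES key carries an odd-parity bit in its low bit."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def round_keys(key: bytes) -> list:
    """K1..K16 as 48-bit integers."""
    k = _bits(key)
    cd = [k[p - 1] for p in PC1]              # PC-1 drops the 8 parity bits
    c, d = cd[:28], cd[28:]
    keys = []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]   # independent left circular shifts
        cd = c + d
        keys.append(int("".join(str(cd[p - 1]) for p in PC2), 2))
    return keys


def distinct_round_keys(key_hex: str) -> int:
    return len(set(round_keys(bytes.fromhex(key_hex))))


def is_weak_class(key_hex: str) -> bool:
    """True for any key a key-generation program should refuse: weak (1
    distinct round key), semi-weak (2) or demi-semi-weak (4)."""
    return distinct_round_keys(key_hex) < 16


def is_semi_weak_pair(key_a_hex: str, key_b_hex: str) -> bool:
    """The two keys of a semi-weak pair have reversed key schedules, so
    encrypting under one and decrypting under the other cancel out."""
    a = round_keys(bytes.fromhex(key_a_hex))
    b = round_keys(bytes.fromhex(key_b_hex))
    return a == list(reversed(b))


# 64-bit forms (with parity) of keys from the slides.
WEAK = ["0101010101010101", "FEFEFEFEFEFEFEFE",
        "1F1F1F1F0E0E0E0E", "E0E0E0E0F1F1F1F1"]
SEMI_WEAK_PAIR_1 = ["01FE01FE01FE01FE", "FE01FE01FE01FE01"]
DEMI_SEMI_WEAK = ["1F1F01010E0E0101", "1FFEE0010EFEF101", "01FEE01F01FEF10E"]
ORDINARY = "133457799BBCDFF1"   # constructed, ordinary key

if __name__ == "__main__":
    for k in WEAK + SEMI_WEAK_PAIR_1 + DEMI_SEMI_WEAK + [ORDINARY]:
        print(k, "distinct round keys:", distinct_round_keys(k))
```

A key generator that draws 8 random bytes, sets parity, and then rejects anything for which is_weak_class() is true removes the 64 degenerate keys at a cost of one key-schedule run per key.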
“The public streets and highways of the internet
have become like neighborhoods where it is no
longer safe to venture. Hackers, scammers, virus
builders and other Web predators are looming in
the shadows.”
-- Paul Tinnirello
CIO in an insurance financial industry
“The Gated Community”, e-Week, 13 Oct 2003
40
A Revision
Methods of Encryption
 Symmetric Encryption
  Block
  Stream
   Synchronous
   Self-Synchronous
 Asymmetric (Public Key) Encryption
41
Block Ciphers
DES: based upon IBM's Lucifer; uses the processes of diffusion and confusion.
Published on 15th January 1977 as the FIPS PUB 46 standard; subsequently
 reconfirmed in 1983
 reconfirmed in 1988 as FIPS-46-1
 reconfirmed in 1993 as FIPS-46-2
 reconfirmed in 1998 as FIPS-46-3
Other block ciphers
 26th May 2002: AES: the new standard
42
Stream Cipher

Stream cipher: encrypts data unit by unit, where a unit is a certain number of bits (for example, if the unit is a bit, a stream cipher encrypts bit by bit; if the unit is a byte, it encrypts byte by byte).
Simpler and faster than a block cipher, but less secure.
Two modes of stream cipher:
Synchronous stream cipher: the sender uses a key to encrypt; the receiver uses the same key to decrypt.
Self-synchronizing stream cipher: the key stream generator (KSG) generates a key which depends upon the original key and the cipher output.
43
Example of a Stream Cipher

RC4: used in
 SSL (Secure Socket Layer)
 WEP (Wired Equivalent Privacy)
Key: 1 to 256 octets
Given a key, a pseudo-random stream is generated and XORed with the cleartext to generate the ciphertext.
44
Controversies about DES

Since the design of DES has not been released, there were misgivings because of
 the small key size, and
 the patterns observed in the S-boxes.
However, DES has survived for nearly two decades.
References:
1. W. Diffie, M. Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard", IEEE Computer 10(6), June 1977, pp. 74-84
2. M. Hellman, "DES will be totally insecure within ten years", IEEE Spectrum 16(7), Jul 1979, pp. 31-41
45
Design principles
1. Shannon's confusion and diffusion properties, introduced through S-boxes, permutations and 16 rounds of operation.
2. Some of the rules followed by NSA for S-boxes:
 In no case can the 4 output bits of any of the S-boxes be expressed as a system of linear equations of the corresponding six input bits.
 A change of one bit in the input of an S-box → a change in at least two output bits.
Thus the S-boxes diffuse the input information well into the output.
46
S-boxes: design criterion
S-boxes are the only non-linear component of DES encryption. Hence, if a linear relation existed between input and output bits, the whole process would become linear and easily breakable.
Guaranteed Avalanche Criterion of order "r" for S-boxes: a change in one bit at the input leads to a change in at least r bits at the output, for all S-boxes and for all possible 1-bit changes.
A value of r of 2 to 5 has been recommended.
47
Two criteria for F
Strict Avalanche Criterion: any output bit j should change with probability ½ when any single input bit i is changed, for all i and j.
Bit Independence Criterion: output bits k and j should change independently if a bit i is inverted at the input.
(Both rules are applied to the S-boxes.)

48
Design principles: Number of Rounds
After only one round: each cipher bit affected by a few
bits of plaintext.
After five rounds, each output bit depends upon every
key and input bit. [701/MattBishop pp 230]
Certification experiments, on the predecessor of DES,
called Lucifer, by NBS showed that 8 rounds are able to
eliminate any dependence of output bits on specific
input bit patterns.[KON 81/Pfleeger pp 655]
Reference: 1.A F Webster & S E Tavares "On the Design of S
boxes", in Advances in Cryptology - Crypto 85, Lecture Notes in
Computer Science, No 218, Springer-Verlag, 1985, pp 523-534
49
Number of Rounds


Schneier has shown in his book that differential cryptanalysis is more effective than the brute-force method if the number of rounds is 15 or less.
But for 16 rounds, differential cryptanalysis is less effective.
50
Design: STRENGTH of DES
Avalanche Effect
 A change in one bit of plaintext, or in one bit of the key, produces a change in many (approximately half the number of output) bits of the ciphertext.
 This makes it difficult to guess the key.
Completeness effect
 where each output bit is a complex function of all the input bits
DES exhibits strong avalanche and completeness effects.
51
Design Parameters



Increasing the following improves security but slows down the cipher:
 block size
 key size
 number of rounds
Greater complexity in the following makes cryptanalysis difficult, but slows down the cipher:
 subkey generation
 round function
The objective: a fast, secure cipher.
52
Permutations:
IP and IP^-1, P, E, PC1, PC2
1. DES: 18 steps: Initial Permutation - 16 rounds - Inverse Initial Permutation
2. IP and IP^-1, and PC1 (used in round-key generation, as the first step), increase the complexity. But these do not add to the security of DES.
3. E, P and PC2:
 E, P (a part of the function f), and
 PC2 (the last step while generating 48-bit subkeys from the 56-bit shifted data)
act with the S-boxes to provide the avalanche and completeness effects.
53
Fig: single Round of DES Algorithm:
[Figure: one round of DES. Data path: L(i-1) (32 bits), R(i-1) (32 bits); R(i-1) → Expansion/permutation (E table) → 48 bits → XOR with Ki (48 bits) → Substitution/choice (S-boxes) → 32 bits → Permutation (P) → 32 bits; this is F → XOR with L(i-1) → Ri; Li = R(i-1). Key path: C(i-1), D(i-1) (28 bits each) → Left shift(s) → Ci, Di → Permutation/contraction (permuted choice 2) → Ki (48 bits).]
54
Permutation P
(8 rows of 4; the j-th entry, read row by row, is the input bit that becomes output bit j)
16  7 20 21
29 12 28 17
 1 15 23 26
 5 18 31 10
 2  8 24 14
32 27  3  9
19 13 30  6
22 11  4 25
55
Rules for P to improve diffusion



4 outputs of a box2 affect the middle bits
and 2 are the external bits at the next round
4 outputs of a boxaffect 6 different S-boxes
at the next round
For any two S-boxes k and q,
if the output of k, in round r, affects a middle
bit of q in the next round (r+1), then,
the output of q, in round (r+1), cannot affect
any middle bit of k, in round (r+ 2)
56
Security: Data of 1999
DES inadequate against an attacker with deep pockets:

Using $10,000 worth of FPGA technology, it would
take a year and a half to search out a DES key.
In ten years time $10,000 of hardware would allow
one to find a DES key in less than a week.


Using off-the-shelf technology worth $300,000, one
can find a DES key in an average of 19 days
and in only 3 hours using a custom developed chip.
If $10,000,000 were invested on custom chips, one
could recover DES keys in an average of 6 minutes.
57
Security of DES

(continued)
An investment of $300,000,000 could recover
DES keys in 12 seconds each! ( The amount
is less than the cost of the Glomar Explorer,
built to salvage a single Russian submarine in
2002, and far less than the cost of many spy
satellites.)
Reference:Blaze, Diffie, Rivest, Schneier, Shimomura, Thompson,
Wiener, “Minimal Key Lengths for Symmetric Ciphers to Provide
Adequate Commercial Security”, available at
http://www.finecrypt.net/keylength.html
58
Attempts on DES
1974: DES became a standard.
Three major attempts:
1. Wiener (1993 and 1997)
 (I) Assumes the attacker has one (plaintext, ciphertext) pair.
 (II) Designed a special, pipelined chip to achieve a key search rate of 5 × 10^7 keys per second; estimated development cost in 1993: $500,000.
 (III) He calculated (1997) that a key search machine costing $100,000 would be able to locate the key in six hours.
Wiener's idea: on a theoretical basis only.
59
The Second Attempt
2. RSA lab – Award of $ 10000 for finding out the
plaintext for a problem for which part of the plaintext
is given as follows:
“The unknown message is : ………”
And its ciphertext was given.
PROBLEM OF RECOGNIZING “PLAINTEXT”: If the
nature of message (i.e English language / data/?) is
not known,
or
If the text is compressed before encryption, it would be
difficult to conclude whether the decryption has been
successful or not.
60
Attempts on DES


Rocke Verser
 started http://www.distributed.net: a massively parallel, brute-force cracking project
 claimed the prize by using 70,000 machines in parallel for 96 days.
Electronic Frontier Foundation
 Jul 1998: funded a DES Cracker at $250,000.
 Jan 1999: EFF announced success in cracking a DES encryption.
The Cracker: tests 88 billion keys per second.
EFF published the detailed design of the DES Cracker.
The design automates recognition of the "plaintext".
1999: Triple DES prescribed as the interim standard.
61
Timing Attack


HAMMING WEIGHT is defined as the number
of 1’s in the key.
For some encryption/decryption methods, by
observing the amount of time it takes to
decrypt a given ciphertext, it may be possible
to find the Hamming weight of the key.
However DES (or AES) does not seem to be
amenable to an attack of this type.
62
Types of attacks:
a revision
Depends upon the information known to
the hacker:
1. Ciphertext only
2. Known plaintext-ciphertext pairs
3. Chosen plaintext-ciphertext pairs
4. Chosen ciphertext along with its
decrypted plaintext
5. A combination of 3 and 4
The Hacker is required to find the Key.
63
Summary of DES operations
C = IP^-1(L16 : R16)
L16 = R15
R16 = L15 ⊕ FK16(R15)
L15 = R14
R15 = L14 ⊕ FK15(R14)
.
.
L2 = R1
R2 = L1 ⊕ FK2(R1)
L1 = R0
R1 = L0 ⊕ FK1(R0)
(L0 : R0) = IP(Plaintext)
FKi(R(i-1)) = P(S-box substitution(Ki ⊕ EP(R(i-1))))
64
Summary of Key operations
KA = PC1(K)
Intermediate steps:
KB1 = LS-j(KA);
LS-j is a left circular shift by j bits, on the two halves of the 56 bits separately. j has the value 1 or 2 (2 in rounds 3-8 and 10-15).
KB2 = LS-j(KB1)
KB3 = LS-j(KB2)
.
KBi = LS-j(KB(i-1))
.
KB16 = LS-j(KB15)
The round key:
Ki = PC2(KBi)
65
Complementation Property of DES
E(K', P') = (E(K, P))'
PROOF: on taking complements of both the plaintext and the key:
 PC1, PC2 and the shifts only shuffle the bits. If all the bits of K have been inverted, all the subkeys will also be inverted.
 L0 : R0 will also be complemented if P is complemented.
(K1 ⊕ EP(R0)), the INPUT to the S-boxes, will remain unchanged.
(Boolean identity: A ⊕ B = A' ⊕ B')
The outputs of the S-boxes and the output of F remain unchanged.
66
Complementation Property of DES
R1 = L0 ⊕ FK1(R0).
So R1 is complemented.
(Boolean identity: A ⊕ B' = (A ⊕ B)')
L1 = R0.
Since R0 is complemented, so is L1; therefore L1 : R1 is complemented.
Thus, going step by step, we can prove that E(K', P') = (E(K, P))'.
67
Problems with DES



A small key size: 56 bits only
A small block size: 64 bits only
Complementation property
68
Analysis



S-boxes: is a cryptanalytic attack possible by discovering a weakness (pattern) in the S-boxes?
Differential Cryptanalysis (DC):
Without differential cryptanalysis,
 finding a key is a problem of 2^55 complexity,
 i.e. if 2^55 (chosen plaintext, ciphertext) pairs are available, the key can be found.
With DC it has been proved mathematically that the problem reduces to 2^47 chosen plaintext messages.
69
Each round of Encryption
After IP, the 64 bits are divided into a left half (L(0)) and a right half (R(0)), CALLED m0 and m1 in the slides on differential cryptanalysis.
• L(0) : R(0) is the input to Round 1 of encryption.
• During Round 1, L(0) : R(0) is operated on by FK1 to produce L(1) : R(1), where FK1 is the function F with subkey K1.
• .
• .
• Similarly for Round i, L(i-1) : R(i-1) is the input and L(i) : R(i) is the output.
Figure 2 shows the function FKi.
70
Fig 2: single Round of DES Algorithm: a revision
[Figure: the same single-round diagram as on slide 54. Data path: L(i-1), R(i-1) (32 bits each); R(i-1) → Expansion/permutation (E table) → 48 bits → XOR with Ki (48 bits) → Substitution/choice (S-boxes) → 32 bits → Permutation (P) → 32 bits → XOR with L(i-1) → Ri; Li = R(i-1). Key path (the part in yellow): C(i-1), D(i-1) (28 bits each) → Left shift(s) → Ci, Di → Permutation/contraction (permuted choice 2) → Ki (48 bits).]
71
i-th Round
Revision
The part in yellow in the previous slide shows the subkey generation. After PC1, the circular rotations are independent for the left half and the right half.
ENCRYPTION: in the i-th round,
Li = R(i-1)
Ri = L(i-1) ⊕ F(R(i-1), Ki)
= L(i-1) ⊕ P(S(EP(R(i-1)) ⊕ Ki))
where EP: expansion from 32 bits to 48
S: using 8 S-boxes to convert 48 bits to 32 bits; each S-box converts 6 bits to 4 bits
P: permutation
72
Differential Cryptanalysis

Round 1: the new right half after Round 1 = m2, called R(1) earlier
Round 2: the new right half after Round 2 = m3, called R(2) earlier
...
Round 16: the new right half after Round 16 = m17, called R(16) earlier
73
Differential Cryptanalysis
After IP, (L0 : R0) = (m0 : m1)
Evaluating the difference:
 At each round, only one new block of 32 bits is created. (The other one is simply shifted from the right side of the (i-1)-th round to the left side of the i-th round.)
 Call the new block mi, 2 <= i <= 17.
 The two message halves are related as follows:
m(i+1) = m(i-1) ⊕ F(mi, Ki), i = 1, 2, ..., 16.
74
One Round & mi
[Figure: one round of DES with the halves labelled as mi. Data path: L(i-1), R(i-1) (32 bits each); R(i-1) → Expansion/permutation (E table) → 48 bits → XOR with Ki (48 bits) → Substitution/choice (S-boxes) → 32 bits → Permutation (P) → 32 bits → XOR with L(i-1) → Ri; Li = R(i-1).]
L0 = m0, R0 = m1
m2 = L0 ⊕ F(R0, K1); L1 = m1
m3 = L1 ⊕ F(m2, K2); L2 = m2
m4 = m2 ⊕ F(m3, K3); L3 = m3
m5 = m3 ⊕ F(m4, K4); L4 = m4
m6 = m4 ⊕ F(m5, K5); L5 = m5
...
75
Differential Cryptanalysis
Start with 2 messages m and m', to be encrypted by the same key, with a known XOR difference
Δm = m ⊕ m'
Consider, at an intermediate stage, the difference between two message halves:
Δmi = mi ⊕ mi'
Then Δm(i+1) = m(i+1) ⊕ m'(i+1)
= [m(i-1) ⊕ f(mi, Ki)] ⊕ [m'(i-1) ⊕ f(m'i, Ki)]
76
Differential Cryptanalysis


Δm(i+1) = Δm(i-1) ⊕ [f(mi, Ki) ⊕ f(m'i, Ki)]
Consider the same sub-key for both m and m'.
Consider the case where, for many pairs of messages, inputs to F HAVING THE SAME DIFFERENCE X yield output pairs WHICH HAVE THE SAME DIFFERENCE Y.
More precisely:
 if, for a fraction p of the pairs in which the input XOR is X, the output XOR is Y, then
 if we know Δmi and Δm(i-1) with high probability, we know Δm(i+1) with high probability.
If a number of such differences are determined, the sub-key can be found.
77
Differential Cryptanalysis


Differential cryptanalysis: the procedure:
Begin with 2 plaintext messages m and m' with a given difference.
With an assumed key:
 Trace through a probable pattern of differences at the end of each round.
 At the end, for the two 32-bit halves, there are two probable differences
 Δm17 || Δm16
78
Differential Cryptanalysis
With the unknown key, compute
EK(m) ⊕ EK(m')
If this matches the predicted difference, some deductions about the key bits can be made.
Biham showed in 1993 that differential cryptanalysis can successfully find the key if 2^47 chosen plaintext-ciphertext pairs are provided.
79
Linear Cryptanalysis
Linear Cryptanalysis:
Symbols: P[i]: i-th bit of plaintext
C[i]: i-th bit of ciphertext
K[i]: i-th bit of key
A[i, j, k, ...] = A[i] ⊕ A[j] ⊕ A[k] ⊕ ...
Given 2^47 known plaintext-ciphertext pairs (as opposed to 'chosen' messages), linear cryptanalysis can find the key.
Method: first find an equation
P[α1, α2, ..., αa] ⊕ C[β1, β2, ..., βb] = K[γ1, γ2, ..., γc]
where 1 <= a, b <= 64
1 <= c <= 56
80
Linear Cryptanalysis
The equation (on the last slide) should
hold with a probability of 0.5 or more.
 Compute the left hand side. If it is zero
more than half the time,
K[r1,r2,….rc]=0
Otherwise it is 1.
 Such linear relations can help locate the
key.

81
An Application of DES: Storing a hashed password file in Unix
Given: Salt (12-bit) and PW
Take the first 8 characters of the password; assemble a 56-bit key from the low 7 bits of each of these 8 characters.
Use the key to encrypt 64-bit data consisting of all zeros, using a slightly modified DES:
 E/P table (please see the next slide to recapitulate) modified depending upon the 12-bit SALT,
 25 rounds of the DES process, rather than 16 rounds as in the standard DES.
The final 64 bits of ciphertext:
 append two 0s to get 66 bits,
 i.e. eleven 6-bit characters from the set q = [., /, 0-9, A-Z, a-z]
82
Fig: single Round of DES Algorithm:
[Figure: the same single-round diagram as on slide 54. Data path: L(i-1), R(i-1) (32 bits each); R(i-1) → Expansion/permutation (E table) → 48 bits → XOR with Ki (48 bits) → Substitution/choice (S-boxes) → 32 bits → Permutation (P) → 32 bits → XOR with L(i-1) → Ri; Li = R(i-1). Key path: C(i-1), D(i-1) (28 bits each) → Left shift(s) → Ci, Di → Permutation/contraction (permuted choice 2) → Ki (48 bits).]
83
Application:
Storing a Hashed password file in Unix continued





 prepended with a two-character string from q, i.e. 12 bits, called the salt
 13 characters are stored in the shadow file
To avoid the use of the DES chip:
 modification of E/P, and
 25 rounds
The 12-bit SALT → 4096 varieties of the password
SALT should be a pseudo-random number
84
Data Encryption Standard



15 May 1973: National bureau of Standards seeks
proposals for DES; repeated on 27th August 1974:
IBM proposal, based on the work on Lucifer by
Feistel, Walter Tuchman, Don Coppersmith, Alan
Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna
Grossman, Bill Notz, Lynn Smith, and Bryant Tuc
17 March 1975: published in Federal Register and
comments invited; after two public workshops,
approved as a federal standard in Nov 1976.
15 Jan 1977: published as the standard FIPS
PUB 46 by National Bureau of Standards
85
Data Encryption Standard (continued)
1999: National Institute of Standards and Technology declared Triple DES as the interim standard.
Nov 2001: Advanced Encryption Standard issued as FIPS PUB 197 standard.
19 May 2005: FIPS 46-3 officially withdrawn, but NIST has approved Triple DES through the year 2030 for sensitive government inform
86