Scribd Logo
Upload

Welcome to Scribd!

  • 8 views

    Introduction To DES Overview of The DES Algorithm Internal Structure of DES Decryption Security of DES

    Uploaded by

    Karthik G B

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Introduction To DES Overview of The DES Algorithm Internal Structure of DES Decryption Security of DES

    Uploaded by

    Karthik G B
    8 views22 pages

    Original Title

    DES

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    8 views22 pages

    Introduction To DES Overview of The DES Algorithm Internal Structure of DES Decryption Security of DES

    Uploaded by

    Karthik G B

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 22

    DES

    • Introduction to DES
    • Overview of the DES Algorithm
    • Internal Structure of DES
    • Decryption
    • Security of DES
     Classification of DES in the Field of Cryptology

    Cryptology

    Cryptography Cryptanalysis

    Symmetric Ciphers Asymmetric Ciphers Protocols

    Block Ciphers Stream Ciphers


     DES Facts

    • Data Encryption Standard (DES) encrypts blocks of size 64 bit.


    • Developed by IBM based on the cipher Lucifer under influence of the National
    Security Agency (NSA), the design criteria for DES have not been published
    • Standardized 1977 by the National Bureau of Standards (NBS)
    today called National Institute of Standards and Technology (NIST)
    • Most popular block cipher for most of the last 30 years.
    • By far best studied symmetric algorithm.
    • Nowadays considered insecure due to the small key length of 56 bit.
    • But: 3DES yields very secure cipher, still widely used today.
    • Replaced by the Advanced Encryption Standard (AES) in 2000
     Block Cipher Primitives: Confusion and Diffusion

    • Claude Shannon: There are two primitive operations with which strong encryption
    algorithms can be built:
    1. Confusion: An encryption operation where the relationship between key
    and ciphertext is obscured.
    Today, a common element for achieving confusion is substitution, which is
    found in both AES and DES.

    2. Diffusion: An encryption operation where the influence of one plaintext


    symbol is spread over many ciphertext symbols with the goal of hiding
    statistical properties of the plaintext.
    A simple diffusion element is the bit permutation, which is frequently used
    within DES.

    • Both operations by themselves cannot provide security. The idea is to concatenate


    confusion and diffusion elements to build so called product ciphers.
     Product Ciphers

    • Most of today‘s block ciphers are product ciphers as they consist of


    rounds which are applied repeatedly to the data.

    • Can reach excellent diffusion: changing of one bit of plaintext


    results on average in the change of half the output bits.

    Example:

    single bit flip many bit flips


     Overview of the DES Algorithm

    • Encrypts blocks of size 64 bits.


    • Uses a key of size 56 bits.
    • Symmetric cipher: uses same key for encryption and decryption
    • Uses 16 rounds which all perform the identical operation
    • Different subkey in each round derived from main key
     The DES Feistel Network (1)

    • DES structure is a Feistel network

    • Advantage: encryption and decryption


    differ only in keyschedule

    • Bitwise initial permutation, then 16 rounds


    1. Plaintext is split into 32-bit halves Li and Ri
    2.Ri is fed into the function f, the output of which is then XORed with Li
    3. Left and right half are swapped
    • Rounds can be expressed as:
     The DES Feistel Network (2)

    • L and R swapped again at the end of the cipher, i.e., after round 16
    followed by a final permutation
     Initial and Final Permutation

    • Bitwise Permutations.
    • Inverse operations.
    • Described by tables IP and IP-1.

    Initial Permutation Final Permutation


     The f-Function

    • main operation of DES


    • f-Function inputs:
    Ri-1 and round key ki

    • 4 Steps:
    1. Expansion E
    2. XOR with round key
    3. S-box substitution
    4. Permutation
     The Expansion Function E

    1.Expansion E
    • main purpose:
    increases diffusion
    !
     Add Round Key

    2.XOR Round Key

    • Bitwise XOR of the round key and


    the output of the expansion function
    E

    • Round keys are derived from the


    main key in the DES keyschedule
    (in a few slides)
     The DES S-Boxes
    3.S-Box substitution
    • Eight substitution tables.
    • 6 bits of input, 4 bits of output.
    • Non-linear and resistant to differential
    cryptanalysis.
    • Crucial element for DES security!
     The Permutation P
    4.Permutation P
    • Bitwise permutation.
    • Introduces diffusion.
    • Output bits of one S-Box effect several S-Boxes
    in next round
    • Diffusion by E, S-Boxes and P guarantees that
    after Round 5 every bit is a function of each key
    bit and each plaintext bit.
     Key Schedule (1)

    • Derives 16 round keys (or subkeys) ki of 48 bits each from the


    original 56 bit key. !
    • The input key size of the DES is 64 bit: 56 bit key and 8 bit parity:

    • Parity bits are removed in a first permuted choice PC-1:


    (note that the bits 8, 16, 24, 32, 40, 48, 56 and 64 are not used at all)
     Key Schedule (2)
    • Split key into 28-bit halves C0 and D0.

    • In rounds i = 1, 2, 9 ,16, the two halves are each


    rotated left by one bit.

    • In all other rounds where the two halves are each


    rotated left by two bits.

    • In each round i permuted choice PC-2


    selects a permuted subset of 48 bits of Ci and Di as
    round key ki, i.e. each ki is a permutation of k!

    • Note: The total number of rotations:


    4 x 1 + 12 x 2 = 28 ⇒ D0 = D16 and C0 = C16!
     Decryption
    • In Feistel ciphers only the keyschedule
    has to be modified for decryption.
    • Generate the same 16 round keys in
    reverse order.

    • Reversed key schedule:


    As D0=D16 and C0=C16 the first round key
    can be generated by applying PC-2 right
    after PC-1 (no rotation here!).
    All other rotations of C and D can be
    reversed to reproduce the other round keys
    resulting in:
    • No rotation in round 1.
    • One bit rotation to the right in rounds
    2, 9 and 16.
    • Two bit rotations to the right in all other
    rounds.
     Security of DES

    • After proposal of DES two major criticisms arose:


    1. Key space is too small (256 keys)
    2. S-box design criteria have been kept secret: Are there any hidden
    analytical attacks (backdoors), only known to the NSA?

    • Analytical Attacks: DES is highly resistent to both differential and linear


    cryptanalysis, which have been published years later than the DES. This
    means IBM and NSA had been aware of these attacks for 15 years!
    So far there is no known analytical attack which breaks DES in realistic
    scenarios.

    • Exhaustive key search: For a given pair of plaintext-ciphertext (x, y) test all
    256 keys until the condition DESk-1(x)=y is fulfilled.
    ⇒ Relatively easy given today’s computer technology!
     History of Attacks on DES
    Year Proposed/ implemented DES Attack
    1977 Diffie & Hellman, (under-)estimate the costs of a key search machine
    1990 Biham & Shamir propose differential cryptanalysis (247 chosen ciphertexts)
    1993 Mike Wiener proposes design of a very efficient key search machine:
    Average search requires 36h. Costs: $1.000.000
    1993 Matsui proposes linear cryptanalysis (243 chosen ciphertexts)
    Jun. 1997 DES Challenge I broken, 4.5 months of distributed search
    Feb. 1998 DES Challenge II--1 broken, 39 days (distributed search)
    Jul. 1998 DES Challenge II--2 broken, key search machine Deep Crack built by the
    Electronic Frontier Foundation (EFF): 1800 ASICs with 24 search engines each,
    Costs: $250 000, 15 days average search time (required 56h for the Challenge)
    Jan. 1999 DES Challenge III broken in 22h 15min
    (distributed search assisted by Deep Crack)
    2006-2008 Reconfigurable key search machine COPACOBANA developed at the
    Universities in Bochum and Kiel (Germany), uses 120 FPGAs to break DES in
    6.4 days (avg.) at a cost of $10 000.
     Triple DES – 3DES

    • Triple encryption using DES is often used in practice to extend the effective key
    length of DES to 112.

    • Alternative version of 3DES:

    Advantage: choosing k1=k2=k3 performs single DES encryption.


    • No practical attack known today.
    • Used in many legacy applications, i.e., in banking systems.
     Alternatives to DES

    Algorithm I/O Bit key lengths remarks


    DES ''replacement'',
    AES / Rijndael 128 128/192/256
    worldwide used standard
    Triple DES 64 112 (effective) conservative choice
    Mars 128 128/192/256 AES finalist
    RC6 128 128/192/256 AES finalist
    Serpent 128 128/192/256 AES finalist
    Twofish 128 128/192/256 AES finalist
    IDEA 64 128 patented
     Lessons Learned

    • DES was the dominant symmetric encryption algorithm from the mid-1970s to the
    mid-1990s. Since 56-bit keys are no longer secure, the Advanced Encryption
    Standard (AES) was created.

    • Standard DES with 56-bit key length can be broken relatively easily nowadays
    through an exhaustive key search.

    • DES is quite robust against known analytical attacks: In practice it is very difficult
    to break the cipher with differential or linear cryptanalysis.

    • By encrypting with DES three times in a row, triple DES (3DES) is created, against
    which no practical attack is currently known.

    • The “default” symmetric cipher is nowadays often AES. In addition, the other four
    AES finalist ciphers all seem very secure and efficient.

    You might also like