block ciphers: the data encryption standard (des)staff.um.edu.mt/mvel3/files/crypto/3_des.pdf ·...
TRANSCRIPT
Block Ciphers:The Data Encryption Standard
(DES)
CPS2323
CPS2323 2/31
Content
● Block Ciphers: Constructing Pseudo Random Permutations using confusion/diffusion
● A call for an industry standard... and the NSA● Lucifer and Feistel networks● S boxes and nonlinearity● P boxes and the avalanche effect● Encryption and decryption functions● Cryptanalysis
CPS2323 3/31
Pseudo Random Permutations (i)
● Permutations: Invertible functions where domain = range
● Bijection: onetoone (injective) and onto (surjective)
X X
x1
x2
x3
x4
x6
x7
x8
x9
... ......
CPS2323 4/31
Pseudo Random Permutations (ii)
● Block ciphers: lengthpreserving permutations
X
Y
l
}
f
CPS2323 5/31
Pseudo Random Permutations (iii)
● Truly Random (lengthpreserving) Permutations give us perfectly secret block ciphers– i.e. randomly choose an f out of possible
permutations
CPS2323 6/31
Pseudo Random Permutations (iv)
● The Random Oracle way– Alice needs to send Bob all existing random maps for correct
decryption to be possible through an outofband channel. What?! Practical example – WWI codebooks
x f(x)
0000 1111
0001 0101
0010 1100
0011 1001
0100 0010
0101 1110
... ...
CPS2323 7/31
Pseudo Random Permutations (v)
● The Zimmermann Telegram
CPS2323 8/31
Pseudo Random Permutations (vi)
● PRF or keyed functions– Truly random generate only the key i.e. the key fixes the
entire f
– f's output should be indistinguishable from that of a TRF● Nontrivial!● Typically:
– e.g. for AES256 (stateoftheart): <<
<<
CPS2323 9/31
Pseudo Random Permutations (vii)
● Typical constructions follow a product cipher design based on principles established by Claude Shannon in his 1949 seminal work: “Communication Theory of Secrecy Systems”
CPS2323 10/31
Pseudo Random Permutations (viii)
● Confusion– Obscure: Y k↔
– i.e. if an attacker manages to get to the key from the ciphertext, then a distinguisher has been found
– In computer security, known plaintext settings are practical– Revolves around the nonfeasibility to model mathematically even parts of the
cipher e.g. as a system of linear equations
● Diffusion– Obscure: X Y↔
– i.e. hide all plaintext patterns/statistics, ranging from letter frequencies to network packet headercorresponding ciphertext bits
● BOTH ARE REQUIRED FOR SECURE CIPHER DESIGN
or ?
or ?
CPS2323 11/31
Pseudo Random Permutations (ix
● Nonlinearity– A good measure for confusion
● Avalanche effect– A good measure for diffusion
– Every ciphertext block bit has a 0.5 chance of being affected by some plaintext block bit
– Alt. A change in a single plaintext block bit on average affects half of the ciphertext bits
– Alt. (2) The plain/ciphertext blocks are statistically independent
CPS2323 12/31
DES (i)
● 1972– NIST (NBS back then) issued a request for a standardized cipher– A milestone in the history of cryptography where the utility of cryptography outside military/government was
officialy recognized
● 1974– IBM's Licufer – a block cipher makes the final cut– Designed by Horst Feistel in the 60s– Modified after NSA was pulled in the conduct a security analysis– A move to that led to speculation
● 1977– Full design released, that included weirdlooking Sboxes
● 1990's– Subject to intense cryptanalysis focusing on breaking Sboxes, which turned out to be the pointofstrength
for this algorithm. So far the best known attacks are infeasible
– Keyspace (256) is the only security issue due to advances in computing power – addressed by 3DES
CPS2323 13/31
DES (ii)
● 16 rounds of confusion and diffusion
CPS2323 14/31
DES (iii)
● Highlevel design: Feistel NetworkL
0R
0
L1
R1
}x n
}x n
Ld
0
Ld
1R
d
1
Rd
0
L'0
R'0
CPS2323 15/31
DES (iv)
● Correct decryption
– Right half – just copying no encryption takes place
CPS2323 16/31
DES (v)
– Left half: some more doubleXOR magic
CPS2323 17/31
DES (vi)
● DES Round Function
CPS2323 18/31
DES (vi)
● Sboxes (Substitution boxes)
– Primary (8 different) components of round function f
– Provide nonlinearity
– 4 permutations of 0..15
CPS2323 19/31
DES (vii)
● Nonlinearity● Otherwise:
● for a known (x,y), find S(k1)● Then, find the 4 possible values for k1
● Actually, attacking a single Sbox discloses only a part of the key: shortcut attack on the keyspace
● Actually, equation has to factor in the multiple round and all other components, however these are all linear
CPS2323 20/31
DES (viii)
● Pbox (Permutation box)
– Provides for the Avalanche Effect (diffusion)
– Crosswires individual bits from the 4bit Sbox output to different Sboxes in the following rounds
CPS2323 21/31
DES (ix)
● Encryption
Bitbased functiondesign with efficienth/w implementation inmind (remember a 60s design)
Feistel Network Key Schedule
CPS2323 22/31
DES (x)
● Key Schedule – encryption
– Stretches the key into a sequence of subkeys
– Left shifts compute an entire revolution
– i.e
– Handy for decryption
CPS2323 23/31
DES (xi)
● Key Schedule – decryption
– Shift the inverse way
– Result in using subkeys in reverse order, for correct decryption
– i.e.● Decryption round 1
undoes encryption round 16 using the same subkey etc...
CPS2323 24/31
Cryptanalysis (i)
● DES, being a standard, attracted numerous cryptanalytic effort– Healthy, in the sense that in case of known attacks it is much better that
these aren't only known by attackers– Cryptanalysis typically proceeds by analyzing reduced/vulnerable
versions of a cipher and then attempts to extend the attack to the full cipher
– Ultimately the results of these efforts pointed towards the conclusion that the NSA knew all along what they were doing as far back as the 70s
– Not only the Sboxes are crucial to a block cipher's design, but the DES's Sbox design render the DES computationally secure against the best known attacks today
● Bar the small keyspace of course!
CPS2323 25/31
Cryptanalysis (ii)
● Differential cryptanalysis– Exploits an alternative avenue of linearity:
– Linear relations within Sbox input/output differences in this case
– Consider a simper version of the DES utilizing the following Sbox
CPS2323 26/31
Cryptanalysis (iii)
Note:
Cryptanalysis (iii)
!!!!
CPS2323 27/31
Cryptanalysis (iv)
Short cut attack:● Chosen plaintext pairs (L,R)(L,R') with the desired ● Pass them through the cipher whose key you want to attack● Keep the pairs conforming to the most likely ● Bruteforce across all pairs● Given sufficient pairs, the combination that returns the highest
number of the expected output difference, is the correct key bit sequence
Expected
CPS2323 28/31
Cryptanalysis (v)
● Cipher has got other Sboxes, components
● Multiple rounds r:
● Each disclosed bit halves the keyspace
● The more vulnerable Sboxes the more key bits can be disclosed
● Scaling to DES: Active attack; 247 chosen plaint text pairs required
– Considered impractical
linear
Sboxes – switch off with X = X'
CPS2323 29/31
Cryptanalysis (vi)
● Linear cryptanalysis
– Exploits linear relations among SBox input/output SUBbits
CPS2323 30/31
Cryptanalysis (vii)
● Collect known plaintext/ciphertext pairs●
● Passive attack (note S() does not form part of the equation above )● Once again need to factor in the remaining linear components and the
multiple rounds● For DES the number of known plaintext/ciphertext pairs is 2
43
● Passive attack● A step forward from differential cryptanalysis but still infeasible
CPS2323 31/31
CPS2323 Reading ListTextbook:● Understanding Cryptography: A Textbook for Students and Practitioners: Christof Paar and
Jan Pelz. Publisher: Springer, 1st Edition, 2010, ISBN10: 3642041000, ISBN13: 9783642041006.
Supplementary reading:● Applied Cryptography. Bruce Schneier. Publisher: Wiley, 2nd Edition, 1996, ISBN10:
0471117099, ISBN13: 9780471117094 ● Discrete and combinatorial Mathematics: An Applied Introduction. Ralph P Grimaldi.
Publisher: Addison Wesley, 5th Edition, 2003, ISBN10: 0201726343, ISBN13: 9780201726343 ● GnuTLS Manual. http://www.gnutls.org/manual/gnutls.html● Handbook of Applied Cryptography. Alfred Menezes, Paul van Oorschot, and Scott Vanstone.
Publisher: CRC Press, 1996, ISBN10: 0849385237, ISBN13: 9780849385230 ● Introduction to Modern Cryptography, 2nd Edition. Publisher: Chapman and Hall/CRC Press,
2014, ISBN10: 1466570261 ISBN13: 9781466570269.