
Cys505 Lecture03

The document discusses block ciphers and the Data Encryption Standard (DES) algorithm. It provides details on the key schedule, encryption rounds, and decryption process of DES. DES encrypts 64-bit blocks using a 56-bit key through 16 rounds of processing.

Uploaded by

Abdirizak Abokar

CYS505 Network Security

Prepared By: Dr. Ihab ELAFF


• will now look at modern block ciphers
• one of the most widely used types of cryptography algorithms
• provide strong secrecy and/or authentication services
• in particular will introduce DES (Data Encryption Standard)
• block ciphers process messages into blocks, each of which is then encrypted/decrypted
• like a substitution on very big characters
◦ 64-bits or more
• stream ciphers process messages a bit or byte at a time when encrypting/decrypting
• many current ciphers are block ciphers
• hence are focus of course
• block ciphers look like an extremely large substitution
• would need table of $2^{64}$ entries for a 64-bit block
• arbitrary reversible substitution cipher for a large block size is not practical
◦ 64-bit general substitution block cipher, key size $2^{64}!$
• most symmetric block ciphers are based on a Feistel Cipher Structure
• needed since must be able to decrypt ciphertext to recover messages efficiently
General n-bit-n-bit Block Substitution
• Horst Feistel devised the Feistel cipher
◦ implements Shannon's substitution-permutation network concept
• partitions input block into two halves
◦ process through multiple rounds which
◦ perform a substitution on left data half
◦ based on round function of right half & subkey
◦ then have permutation swapping halves
• "F" is the round function
• $K_0, K_1, \ldots, K_n$ are the sub-keys for rounds $0, 1, \ldots, n$
• Encryption:
1. Split the plaintext block into two equal pieces $L_0$, $R_0$
2. For $i = 0, 1, \ldots, n$:
$L_{i+1} = R_i$
$R_{i+1} = L_i \oplus F(R_i, K_i)$
• Decryption:
1. Split the ciphertext block into two equal pieces $L_{n+1}$, $R_{n+1}$
2. For $i = n, n-1, \ldots, 0$:
$R_i = L_{i+1}$
$L_i = R_{i+1} \oplus F(L_{i+1}, K_i)$
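The encryption and decryption loops above, as an added example that is not part of the original lecture. The round function `F` is a constructed, deliberately non-invertible truncated hash and `SUBKEYS` are constructed values, which shows that decryption needs only the same `F` with the subkeys taken in reverse order.

```python
import hashlib

def F(right: bytes, subkey: bytes) -> bytes:
    # Constructed round function (assumption): a truncated hash, NOT invertible.
    return hashlib.sha256(subkey + right).digest()[:len(right)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_encrypt(block: bytes, subkeys: list) -> bytes:
    half = len(block) // 2
    L, R = block[:half], block[half:]
    for k in subkeys:                       # i = 0, 1, ..., n
        # L[i+1] = R[i];  R[i+1] = L[i] xor F(R[i], K[i])
        L, R = R, xor(L, F(R, k))
    return L + R

def feistel_decrypt(block: bytes, subkeys: list) -> bytes:
    half = len(block) // 2
    L, R = block[:half], block[half:]
    for k in reversed(subkeys):             # i = n, n-1, ..., 0
        # R[i] = L[i+1];  L[i] = R[i+1] xor F(L[i+1], K[i])
        L, R = xor(R, F(L, k)), L
    return L + R

# Constructed sample values: 16 four-byte subkeys and one 64-bit block.
SUBKEYS = [bytes([i]) * 4 for i in range(16)]
PLAINTEXT = bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    ct = feistel_encrypt(PLAINTEXT, SUBKEYS)
    print("ciphertext:", ct.hex())
    print("recovered :", feistel_decrypt(ct, SUBKEYS).hex())
```
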
• block size
◦ increasing size improves security, but slows cipher
• key size
◦ increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• number of rounds
◦ increasing number improves security, but slows cipher
• subkey generation
◦ greater complexity can make analysis harder, but slows cipher
• round function
◦ greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
◦ are more recent concerns for practical use and testing
• most widely used block cipher in world
• encrypts 64-bit data using 56-bit key
• has widespread use
• Adopted in 1977 by the National Institute of Standards and Technology (NIST), as Federal Information Processing Standard 46 (FIPS PUB 46).
• although DES standard is public, there was considerable controversy over design
◦ in choice of 56-bit key (vs Lucifer 128-bit)
• subsequent events and public analysis show in fact design was appropriate
• DES has become widely used, especially in financial applications
• Permutation (16 bit to 16 bit)
• Permutation (16 bit to 14 bit)
• 1 Process the key.
• 2 Process a 64-bit data block.
• 1.1 Get a 64-bit key from the user. (Every 8th bit (the least significant bit of each byte) is considered a parity bit. For a key to have correct parity, each byte should contain an odd number of "1" bits.) This key can be entered directly, or it can be the result of hashing something else. There is no standard hashing algorithm for this purpose.
• 1.2 Calculate the key schedule.
• 1.2.1 Perform the following permutation on the 64-bit key. (The parity bits are discarded, reducing the key to 56 bits. Bit 1 (the most significant bit) of the permuted block is bit 57 of the original key, bit 2 is bit 49, and so on with bit 56 being bit 4 of the original key.)
• 1.2.2 Split the permuted key into two halves. The first 28 bits are called C0 and the last 28 bits are called D0.
• 1.2.3 Calculate the 16 sub keys. Start with i = 1
1- Perform one or two circular left shifts on both $C_{i-1}$ and $D_{i-1}$ to get $C_i$ and $D_i$, respectively. The number of shifts per iteration is given in the table below.
2- Permute the concatenation $C_i D_i$ as indicated below. This will yield the key $K_i$, which is 48 bits long.
3- Loop back to step 1 until K16 has been calculated.
• 2.1 Get a 64-bit data block. If the block is shorter than 64 bits, it should be padded as appropriate for the application.
• 2.2 Perform the Initial permutation on the data block using the following tables.
• 2.3 Split the block into two halves. The first 32 bits are called L0, and the last 32 bits are called R0.
• 2.4 Apply the 16 rounds. Start with i = 1:
◦ 2.4.1 Expand the 32-bit $R_{i-1}$ into 48 bits according to the bit-selection function using Expansion Permutation table:
◦ 2.4.2 $X_i = E(R_{i-1}) \oplus K_i$ ($K_i$ is the key which is generated in the previous section) [$X_i$ is 48-bit].
◦ 2.4.3 Split $X_i$ into eight 6-bit blocks. Bits 1-6 are B1, bits 7-12 are B2, and so on with bits 43-48 being B8.
◦ 2.4.4 Substitute the values found in the S-boxes for all $B_j$. Start with j = 1 to 8. All values in the S-boxes should be considered 4 bits wide.
• S-Boxes
1- Take the 1st and 6th bits of $B_j$ together as 2-bit value (call it m) indicating the row in $S_j$ to look in for the substitution.
2- Take the 2nd through 5th bits of $B_j$ together as 4-bit value (call it n) indicating the column in $S_j$ to find the substitution.
3- Replace $B_j$ with $S_j[m][n]$. Loop back to 1 until all 8 blocks have been replaced.
Ex: B1 = 011101 → m = $(01)_2$, n = $(1110)_2$
◦ 2.4.5 Permute the concatenation of B1 through B8 as indicated below to P.
◦ 2.4.6 Find $R_i = L_{i-1} \oplus P$
◦ 2.4.7 Assign $L_i = R_{i-1}$
◦ 2.4.8 Loop back to 2.4.1 until K16 has been applied.
• 2.5 Perform the following Inverse Permutation on the block R16 L16 (Left and Right are swapped)
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
• note that IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value
• key desirable property of encryption alg
• DES exhibits strong avalanche
• where a change of one input or key bit results in changing approx half output bits
• Plaintext M = $(\mathrm{0123456789ABCDEF})_{16}$
• Key K = $(\mathrm{133457799BBCDFF1})_{16}$

1) Process the key.

K = 0001 0011 0011 0100
0101 0111 0111 1001
1001 1011 1011 1100
1101 1111 1111 0001

• 56-bit permutation
• K+ = 1111 0000 1100 1100 1010 1010 1111
0101 0101 0110 0110 0111 1000 1111

C0 = 1111 0000 1100 1100 1010 1010 1111
D0 = 0101 0101 0110 0110 0111 1000 1111

CSE111 Introduction to Computer


C1 = 1110 0001 1001 1001 0101 0101 1111
D1 = 1010 1010 1100 1100 1111 0001 1110

C2 = 1100 0011 0011 0010 1010 1011 1111
D2 = 0101 0101 1001 1001 1110 0011 1101

C3 = 0000 1100 1100 1010 1010 1111 1111
D3 = 0101 0110 0110 0111 1000 1111 0101
56-bit → 48-bit
C1 D1 = 1110 0001 1001 1001 0101 0101 1111
1010 1010 1100 1100 1111 0001 1110

K1 = 000110 110000 001011 101111
111111 000111 000001 110010



2) Process a 64-bit data block.

M = $(\mathrm{0123456789ABCDEF})_{16}$
M = 0000 0001 0010 0011 0100 0101 0110 0111
1000 1001 1010 1011 1100 1101 1110 1111

IP = 1100 1100 0000 0000 1100 1100 1111 1111
1111 0000 1010 1010 1111 0000 1010 1010

L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010

$L_n = R_{n-1}$, $R_n = L_{n-1} \oplus f(R_{n-1}, K_n)$

L1 = R0 = 1111 0000 1010 1010 1111 0000 1010 1010
R1 = L0 ⊕ f(R0, K1)

32-bit → 48-bit
R0 = 1111 0000 1010 1010 1111 0000 1010 1010

E(R0) = 011110 100001 010101 010101
011110 100001 010101 010101

K1 = 000110 110000 001011 101111
111111 000111 000001 110010

K1 ⊕ E(R0) = 011000 010001 011110 111010
100001 100110 010100 100111
$K_n \oplus E(R_{n-1}) = B_1 B_2 B_3 B_4 B_5 B_6 B_7 B_8$

B1 = 011000 → m = $(00)_2$, n = $(1100)_2$
S1(B1) = $(5)_{10}$ = $(0101)_2$

B2 = 010001
S2(B2) = 1100

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) =
0101 1100 1000 0010 1011 0101 1001 0111

f =
0010 0011 0100 1010 1010 1001 1011 1011

R1 = L0 ⊕ f(R0, K1)

R1 =
1100 1100 0000 0000 1100 1100 1111 1111 ⊕
0010 0011 0100 1010 1010 1001 1011 1011

= 1110 1111 0100 1010 0110 0101 0100 0100


• 56-bit keys have $2^{56} = 7.2 \times 10^{16}$ values
• brute force search looks hard
• recent advances have shown it is possible
◦ in 1997 on Internet in a few months
◦ in 1998 on dedicated hardware (EFF) in a few days
◦ in 1999 above combined in 22hrs!
• still must be able to recognize plaintext
• now considering alternatives to DES
• attacks actual implementation of cipher
• use knowledge of consequences of implementation to derive knowledge of some/all subkey bits
• specifically use fact that calculations can take varying times depending on the value of the inputs to it
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
◦ by gathering information about encryptions
◦ can eventually recover some/all of the sub-key bits
◦ if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
◦ differential cryptanalysis
◦ linear cryptanalysis
◦ related key attacks
• one of the most significant recent (public) advances in cryptanalysis
• known in 70's with DES design
• Murphy, Biham & Shamir published 1990
• powerful method to analyse block ciphers
• used to analyse most current block ciphers with varying degrees of success
• DES reasonably resistant to it
• a statistical attack against Feistel ciphers
• uses cipher structure not previously used
• design of S-P networks has output of function f influenced by both input & key
• hence cannot trace values back through cipher without knowing values of the key
• Differential Cryptanalysis compares two related pairs of encryptions
• Differential cryptanalysis is complex
• with a known difference in the input
• searching for a known difference in output
• have some input difference giving some output difference with probability p
• if find instances of some higher probability input / output difference pairs occurring
• can infer subkey that was used in round
• then must iterate process over many rounds
• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
• when found
◦ if intermediate rounds match required XOR have a right pair
◦ if not then have a wrong pair
• can then deduce key values for the rounds
◦ right pairs suggest same key bits
◦ wrong pairs give random values
• larger numbers of rounds make it more difficult
• Attack on full DES requires an effort on the order of $2^{47}$, requiring $2^{47}$ chosen plaintexts to be encrypted
• another recent development
• also a statistical method
• based on finding linear approximations to model the transformation of DES
• can attack DES with $2^{47}$ known plaintexts, still in practice infeasible
• No output of any S-Box is too close to a linear function of the input bits
• Each row of an S-Box includes all 16 possible output bit combinations
• If two inputs to an S-box differ in one bit, the output bits differ in at least two bits
• If two inputs differ in the two middle bits, outputs must differ in at least two bits
• Defend against differential analysis and provide good confusion properties
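The S-box lookup rule from step 2.4.4 and three of the design criteria listed above (row permutations, the one-bit rule and the middle-bits rule), checked on S1, as an added example that is not part of the original lecture. S1 is the standard FIPS 46 table (the S-box tables did not survive on this page), `LINEAR` is a constructed weak box for contrast, and the linearity criterion is not tested here.

```python
# DES S-box S1 (standard FIPS 46 table): 4 rows x 16 columns of 4-bit values.
S1 = [
    [14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7],
    [ 0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8],
    [ 4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0],
    [15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13],
]

# Constructed counter-example: every row is the identity map, so the output
# is simply the four middle input bits and the row bits are ignored.
LINEAR = [list(range(16)) for _ in range(4)]

def sbox_lookup(sbox, b: int) -> int:
    """b is the 6-bit block Bj as an integer whose MSB is bit 1 of Bj."""
    m = ((b >> 4) & 0b10) | (b & 1)     # row: 1st and 6th bits
    n = (b >> 1) & 0b1111               # column: 2nd through 5th bits
    return sbox[m][n]

def rows_are_permutations(sbox) -> bool:
    """Each row must contain all 16 possible 4-bit outputs."""
    return all(sorted(row) == list(range(16)) for row in sbox)

def min_output_change(sbox, input_diffs) -> int:
    """Fewest output bits that change, over every input x and every XOR
    difference d in input_diffs (the worst case the criteria bound)."""
    return min(
        bin(sbox_lookup(sbox, x) ^ sbox_lookup(sbox, x ^ d)).count("1")
        for x in range(64)
        for d in input_diffs
    )

ONE_BIT = [1 << i for i in range(6)]    # inputs differing in exactly one bit
MIDDLE_BITS = [0b001100]                # inputs differing in the two middle bits

if __name__ == "__main__":
    print("S1(011000) =", format(sbox_lookup(S1, 0b011000), "04b"))
    for name, box in (("S1", S1), ("LINEAR", LINEAR)):
        print(name, "rows are permutations:", rows_are_permutations(box),
              "| min change, one-bit diff:", min_output_change(box, ONE_BIT),
              "| middle-bits diff:", min_output_change(box, MIDDLE_BITS))
```
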
• basic principles still like Feistel in 1970's
• number of rounds
◦ more is better, makes exhaustive search best attack
◦ 16 rounds: brute force $2^{55}$
◦ differential analysis: $2^{55.1}$
• function F:
◦ provides "confusion", is nonlinear, avalanche
◦ Strict Avalanche Criterion (SAC)
▪ Any output bit i should change with p = 1/2 when any single input bit j is inverted, for all i, j
▪ Applies to both S-Boxes and the overall F function
• key schedule
◦ No general rule has been discovered
◦ complex subkey creation, key avalanche
• block ciphers encrypt fixed size blocks
• eg. DES encrypts 64-bit blocks, with 56-bit key
• need way to use in practice, given usually have arbitrary amount of information to encrypt
• four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
◦ DES is the basic building block
• have block and stream modes
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
◦ Each DES is a very complex 64-bit to 64-bit substitution
• each block is encoded independently of the other blocks
$C_i = \mathrm{DES}_{K1}(P_i)$
• uses: secure transmission of single values
◦ Repeated input blocks have same output
◦ Not secure for long transmission
• repetitions in message may show in ciphertext
◦ if aligned with message block
◦ particularly with data such as graphics
◦ or with messages that change very little, which become a code-book analysis problem
• weakness due to encrypted message blocks being independent
• main use is sending a few blocks of data
• message is broken into blocks
• but these are linked together in the encryption operation
• each previous cipher block is chained with current plaintext block, hence name
• use Initial Vector (IV) to start process
$C_i = \mathrm{DES}_{K1}(P_i \oplus C_{i-1})$
$C_{-1} = IV$
• uses: bulk data encryption, authentication
• each ciphertext block depends on all message blocks
• thus a change in the message affects all ciphertext blocks after the change as well as the original block
• need Initial Value (IV) known to sender & receiver
◦ however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
◦ hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
• message is treated as a stream of bits
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
◦ denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)
$C_i = P_i \oplus \mathrm{DES}_{K1}(C_{i-1})$
$C_{-1} = IV$
• uses: stream data encryption, authentication
• appropriate when data arrives in bits/bytes
• most common stream mode
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
◦ Must use over a reliable network channel
• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name)
• feedback is independent of message
• can be computed in advance
$C_i = P_i \oplus O_i$
$O_i = \mathrm{DES}_{K1}(O_{i-1})$
$O_{-1} = IV$
• uses: stream encryption over noisy channels
• used when error feedback is a problem or where encryptions need to be computed before the message is available
• superficially similar to CFB
• but feedback is from the output of cipher and is independent of message
◦ Errors do not propagate
• sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
• Because the "random" bits are independent of the message, they must never be used more than once
◦ otherwise the 2 ciphertexts can be combined, cancelling these bits
• a "new" mode, though proposed early on
• encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
$C_i = P_i \oplus O_i$
$O_i = \mathrm{DES}_{K1}(i)$
• uses: high-speed network encryptions
• efficiency
◦ can do parallel encryptions
◦ in advance of need
◦ good for bursty high speed links
• random access to encrypted data blocks
◦ Do not have to decode from the beginning
• provable security (good as other modes)
• but must ensure never reuse key/counter values, otherwise could break (cf OFB)
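The CFB-64, OFB and CTR formulas above, as an added example that is not part of the original lecture, showing the two properties the slides call out: a bit error in transit spreads to the next block under CFB but not under OFB, and reusing a key with the same IV or counter lets two ciphertexts be combined so the keystream cancels. `E` is a hash-based stand-in for DES under key K1 and the 4-byte nonce plus 4-byte counter layout is an assumption; all sample values are constructed.

```python
import hashlib

BLOCK = 8  # bytes: 64-bit blocks, as in DES

def E(key, block):
    # Assumption: stand-in for DES_K1(.), a keyed hash truncated to 64 bits.
    # CFB, OFB and CTR only ever call the cipher in the encryption direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ofb(key, iv, data):
    """O_i = E(O_{i-1}), O_{-1} = IV, C_i = P_i xor O_i (same call decrypts)."""
    out, o = [], iv
    for p in split(data):
        o = E(key, o)
        out.append(xor(p, o))
    return b"".join(out)

def ctr(key, nonce, data):
    """O_i = E(counter i), C_i = P_i xor O_i (same call decrypts)."""
    return b"".join(xor(p, E(key, nonce + i.to_bytes(4, "big")))
                    for i, p in enumerate(split(data)))

def cfb_encrypt(key, iv, data):
    """CFB-64: C_i = P_i xor E(C_{i-1}), C_{-1} = IV."""
    out, prev = [], iv
    for p in split(data):
        prev = xor(p, E(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, data):
    out, prev = [], iv
    for c in split(data):
        out.append(xor(c, E(key, prev)))
        prev = c
    return b"".join(out)

def flip_bit(data, index):   # simulate a one-bit transmission error
    return data[:index] + bytes([data[index] ^ 1]) + data[index + 1:]

def damaged_blocks(original, recovered):
    pairs = zip(split(original), split(recovered))
    return [i for i, (a, b) in enumerate(pairs) if a != b]

# Constructed sample values; each message is 32 bytes = 4 blocks.
KEY, IV, NONCE = b"k" * 8, bytes(range(8)), b"\x00\x00\x00\x01"
P1 = b"PAY ALICE 100.00 EUR FROM ACCT 1"
P2 = b"PAY BOB   999.99 EUR FROM ACCT 2"
```

With a fresh IV or counter per message the XOR of two ciphertexts no longer equals the XOR of the plaintexts, which is the condition the last OFB and CTR bullets require.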
