INFORMATION SECURITY

SENS-4533

Week 6
Block ciphers, DES

Dr Nauman Mazhar
Faculty of Information Technology
University of Central Punjab (UCP)
Outline
 Block cipher principles
◦ Feistel cipher structure
 Data Encryption Standard (DES)
 DES encryption & decryption
 Key schedule
 Strength of DES
 DES variants
◦ Double DES, Tripple DES

2
Block Ciphers
 Block ciphers
◦ Encrypt block of plaintext at a time
 plaintext block of b bits encrypted
as a whole
 produces ciphertext block
of equal length

◦ Typical block size...

 64 or 128 bits

3
Block Cipher Principles
 Most symmetric block ciphers are based on Feistel Cipher
◦ Feistel proposed use of Product Cipher
◦ cipher alternates between substitution/permutation

Feistel Cipher Structure

 Partition input block into two halves → left/right half
 Process through multiple rounds
◦ subkeys for each round → Ki for ith round
◦ subkeys Ki for each round derived from original key K
 Apply function F in each round
◦ substitution based on right half & subkey
 Then permutation → swapping halves
4
Feistel Cipher Structure
Encryption:
 Showing first two of 16 rounds

 Input block divided in two halves

LEi-1 and REi-1

 Subkeys Ki for each round

 Round function F(REi-1, Ki)

 Permutation

 Output of ith round: LEi || REi

5
Feistel Cipher
Decryption:
 Same algo as encryption
◦ use ciphertext as input to algo

 Use subkeys Ki in reverse order

◦ Kn in first round

 Advantage...
◦ no need to implement two separate algos for encryption
& decryption

6
Data Encryption Standard
(DES)

7
Data Encryption Standard
DES
 Most widely used symmetric encryption scheme
◦ algo referred to as Data Encryption Algo (DEA)

 Block cipher
◦ block size 64 bits → encrypt 64 bit data blocks
◦ key length 64 bits → effective key size 56 bits

 Adopted by NIST (earlier NBS) in 1977

◦ published as FIPS PUB-46

8
DES History
 IBM developed Lucifer cipher in 1971
◦ team led by Feistel → Feistel cipher structure
64 bit data block, 128 bit key

 Lucifer revised for commercial use → input from NSA

◦ key size reduced – 56 bits
◦ design criteria for internal structure kept classified (S-boxes)
 possible hidden weak points – may facilitate NSA

 IBM’s revised Lucifer accepted as national standard – DES

9
DES
Encryption

10
Initial Permutation (IP)
IP reorders input data bits
1 2 3 4 5 6 7 8
 9 10 11 12 13 14 15 16

◦ input bits numbered from 1 to 64

17 18 19 20 21 22 23 24
25 26 27 28 29 30 31 32

◦ table shows output position of numbered input bit

33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56
(input bit 1 shifted to 40th position in output) 57 58 59 60 61 62 63 64

11
Inverse Initial Permutation (IP-1)
1 2 3 4 5 6 7 8

 IP-1 restores the original order of input 9 10 11 12 13 14 15 16

17 18 19 20 21 22 23 24
data bits, as per the given table... 25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56
57 58 59 60 61 62 63 64

12
DES Round Structure
 DES uses two 32-bit halves; L & R
◦ As for any Feistel cipher :
Li = Ri–1
Ri = Li–1 XOR F(Ri–1, Ki)

 Round Function F takes 32 bit R half and 48 bit subkey…

◦ expands R to 48 bits using Permutation E
◦ adds to subkey
◦ passes through 8 S-boxes… 48 bits to 32 bits
◦ finally, permutes using 32 bit Permutation P

13
Single Round of DES Algorithm
©Copyright 2004. Amir Qayyum. All
rights reserved 14
DES: The Function ‘F’

15
Expansion Permutation
 32 bit R half expanded to same length as 48 bit subkey
 consider R as 8 nibbles (4 bits each)
 copy each nibble into middle of 6 bit block
 copy end bits of two adjacent nibbles, into two end bits
of 6 bit block
 16 of the R bits
are duplicated

 Resulting 48 bits
XORed with Ki

16
Substitution Boxes S
 Eight S-boxes - map 6 bits to 4 bits
◦ outer bits 1 & 6 select one row
(row bits)
◦ inner bits 2 to 5 select column input symbol
(col bits)

control
Si
◦ intersection value substituted
output symbol
◦ implements contraction substitution

S-Box (4 x 16)

17
Substitution Boxes S

18
Permutation Box ‘P’
1 2 3 4 5 6 7 8
 P-box at the end of each round 9 10 11 12 13 14 15 16

 Permutes the 32 bit output from 17 18 19 20 21 22 23 24

8 S-boxes 25 26 27 28 29 30 31 32

 Increases diffusion/avalanche effect

19
DES Key Schedule
 Generate subkeys used in each round...
 Initial permutation (PC1)
◦ select & permute 56 bits into two 28 bit halves

 Followed by 16 stages of...

◦ Rotation
 each 28 bit half undergoes left circular shift (1 or 2 places)
 depending on key rotation schedule
◦ Permutation
 56 bits are then permuted/contracted (PC2) to generate 48 bits
 forms the 48 bit key for Round Function F

20
DES Key
Schedule

21
DES Key Schedule
 Initial 64 bit key
 56 bits selected

22
DES Key Schedule
1 2 3 4 5 6 7 8

• Selected 56 bits undergo permutation PC1 9 10 11 12 13 14 15 16

17 18 19 20 21 22 23 24
25 26 27 28 29 30 31 32
• These 56 bits treated as two 28 bit halves 33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56
57 58 59 60 61 62 63 64

23
DES Key Schedule
• Each 28 bit half undergoes left circular shift of 1 or 2 bits

• Shifted values serve as input to next round

• They also undergo contraction permutation (PC2), then used as input
to round function F

24
DES Decryption
 DES decryption uses same algo as for encryption

 Perform encryption steps again...

◦ use ciphertext as input
◦ use subkeys in reverse order
(SK16 , SK15 , … … … , SK1)

25
DES Example Encryption

26
Avalanche Effect
 A key desirable property of encryption algorithms…
A small change in either plaintext or key
should produce a significant change in ciphertext
 In particular...
a change in one bit of plaintext, or one bit of key,
should produce a change in many bits of ciphertext

 If change in ciphertext is small...

◦ might help reduce the time for cryptanalysis

27
Avalanche Effect
 DES shows strong
avalanche

 Table shows
DES avalanche effect
with change of
one plaintext bit

 Change in one
input bit,
changes approx half
output bits

28
Strength of DES
 Concerns about strength of DES :
◦ Brute force attack
◦ Cryptanalytic attack

 Brute Force Attack

◦ 56 bit key  256 = 7.21 x 1016 possible keys
◦ brute force looks difficult

 But in 1998, DES proved insecure

◦ EFF announced to break DES in less than 3 days
◦ special purpose DES cracker machine (cost $250,000)

 Still must be able to recognize plaintext

29
Strength of DES
 Differential Cryptanalysis
◦ discovered in late 1980s → Eli Biham & Adi Shamir
◦ needs 247 chosen plaintexts to break full 16 rounds
◦ possible to recover DES key

 Linear Cryptanalysis
◦ discovered in 1994 → Mitsuru Matsui
◦ needs 243 known plaintexts
◦ tries to find linear approximations to encryption process
◦ uses statistical methods to recover the key

30
Multiple Encryptions & DES

 Clearly, a replacement for DES was needed

 Alternatives...
• AES – has come out as a new cipher
• Prior to this, multiple encryptions with DES
o Double DES
o Triple DES with 2 keys
o Triple DES with 3 keys
• Triple DES is the chosen form

31
Double DES
 Could use 2 DES encrypts on each block
C = EK2 (EK1 (P) )

 “Meet-in-the-middle” attack :
X = EK1(P) = DK2(C)
 encrypt P with all possible keys, & store X values
 decrypt C with all possible keys, & match previous X values

 requires… known plaintext - ciphertext pair

 works whenever cipher used twice

32
Tripple DES with Two Keys
 Hence, must use 3 encryptions…
 Can use 2 keys with E-D-E sequence
C = EK1 (DK2 (EK1 (P) ) )
 encrypt & decrypt equivalent in security
 if K1 = K2 then can work with single DES

 Standardized in ANSI X9.17 & ISO 8732

 No current known practical attacks
 several proposed impractical attacks
 might become basis of future insecurity

33
Tripple DES with Three Keys

 Can use Triple-DES with 03 Keys

C = EK3 (DK2 (EK1 (P) ) )

 Effective key length of 168 bits

 Very secure, but compute intensive

 Adopted by some Internet applications

 PGP, S/MIME

34
Tripple DES

Encryption

Decryption

35
Ex : Simplified DES
Simplified DES encryption algo shown
in diagram

Let 8-bit plaintext be 0010 1001

Encrypt given plaintext using following

keys:

K1 = 1101 0101
K2 = 1000 1101

Also decrypt obtained ciphertext

Details of sub-blocks of encryption

algorithm in next slide

36
Ex : Simplified DES

IP IP-1
2 6 3 1 4 8 5 7 4 1 3 5 7 2 8 6

E/P P4
4 1 2 3 2 3 4 1 2 4 3 1

So 0 1 2 3 S1 0 1 2 3
0 1 0 3 2 0 0 1 2 3
1 3 2 1 0 1 2 0 1 3
2 0 1 2 3 2 3 0 1 0
3 3 1 3 2 3 2 1 0 3

37
Summary
 Block cipher design principles
 DES
◦ Algo details
◦ Strength / weakness
◦ DES alternatives

38