1

Data Encryption Standard DES and

Other Symmetric Block Ciphers
DES was developed as a standard for communications and
data protection by an IBM research team, in response to a
public request for proposals by the NBS - the National Bureau
of Standards (which is now known as NIST).
2
Lecture Plan
Review of Encryption
Symmetric and Asymmetric Encryption
DES History
DES Basics
DES Details
DES Example
DES Modes of Use
3
Review of Encryption
A message in its original form (plaintext) is encrypted
into an unintelligible form (ciphertext) by a set of
procedures known as an encryption algorithm (cipher)
and a variable, called a key; and the ciphertext is
transformed (decrypted) back into plaintext using the
decryption algorithm and a key.
Dear Friend,
I have seen
your
message of

Dear
Friend,
I have
seen your
message of

Dear Friend,
I have seen
your
message of

Encryption Decryption
Symmetric
Key
Symmetric
Key
Scrambled
Data
Original
Data
Original
Data
4
Review of Encryption
Encryption C = E
K
(P)
Decryption P = E
K
-1
(C)
E
K
is chosen from a family of transformations
known as a cryptographic system.
The parameter that selects the individual
transformation is called the key K, selected
from a keyspace K.
For a K-bit key size the keyspace size is 2
K
5
Comparison of Symmetric
and Asymmetric Encryption
Encryption Decryption
Ciphertext
Original
Plaintext
Plaintext
Secret Key
Symmetric (Single Key) Cryptography
Encryption Decryption
Ciphertext
Original
Plaintext
Private Key
Public Key
Plaintext
Asymmetric (Two Key) Cryptography
6
Block Cipher Design
Principles
Confusion obscures the relationship between the
plaintext and ciphertext. Eliminates redundancies and
statistical patterns. Confusion is achieved through
substitution.
Diffusion dissipates the redundancies of the
plaintext by distributing over the ciphertext. Diffusion
is achieved through permutations.
Shannons Papers of 1948/1949:
A Mathematical Theory of Communication
Communication Theory of Secrecy Systems
Multiple Iterations
7
DES - History
The Data Encryption Standard (DES) was developed
in the 1970s by the National Bureau of Standards
(NBS)with the help of the National Security Agency
(NSA).
Its purpose is to provide a standard method for
protecting sensitive commercial and unclassified data.
IBM created the first draft of the algorithm, calling it
LUCIFER with a 128-bit key.
DES officially became a federal standard in November
of 1976.
8
DES - History
In May 1973, and again in Aug 1974 the NBS
(now NIST) called for possible encryption
algorithms for use in unclassified government
applications.
Response was mostly disappointing, however,
IBM submitted their LUCIFER design.
Following a period of redesign and comment it
became the Data Encryption Standard (DES).
9
DES - As a Federal Standard
DES was adopted as a (US) federal standard in
November 1976, published by NBS as a
hardware only scheme in January 1977 and by
ANSI for both hardware and software standards
in ANSI X3.92-1981 (also X3.106-1983 modes
of use) .
Subsequently DES has been widely adopted
and is now published in many standards around
the world.
10
DES - Usage in Industry
One of the largest users of the DES is the
banking industry, particularly with EFT, and
EFTPOS
It is for this use that the DES has primarily been
standardized, with ANSI having twice
reconfirmed its recommended use for 5 year
periods - a further extension was not expected.
However DES has been extended to 2005 and
at that time it will be replaced by AES which
has already been standardized.
11
DES - Design Shrouded in
Mystery
Although the standard is public, the design criteria used
are classified and have yet to be released.
There has been considerable controversy over the
design, particularly in the choice of a 56-bit key.
W. Diffie, M Hellman Exhaustive Cryptanalysis of
the NBS Data Encryption Standard IEEE Computer
10(6), June 1977, pp74-84.
M. Hellman DES will be totally insecure within ten
years IEEE Spectrum 16(7), Jul 1979, pp 31-41.
12
DES - Design Proves Good
Recent analysis has shown despite this that the choice
was appropriate, and that DES is well designed.
Rapid advances in computing speed though have
rendered the 56 bit key susceptible to exhaustive key
search, as predicted by Diffie and Hellman.
The DES has also been theoretically broken using a
method called Differential Cryptanalysis, however in
practice this is unlikely to be a problem (yet).
13
DES - Basics
DES uses the two basic techniques of
cryptography - confusion and diffusion.
At the simplest level, diffusion is achieved
through numerous permutations and confusions
is achieved through the XOR operation and the
S-Boxes.
This is also called an S-P network.
14
The S-P Network
P-box
D
e
c
o
d
e
r

:

3

t
o

8

S-box
E
n
c
o
d
e
r

:

8

t
o

3

Product Cipher
P
1
P
4
S
4
S
3
S
2
S
1
P
2
S
8
S
7
S
6
S
5
P
3
S
12
S
11
S
10
S
9
15
DES in a
Nutshell
16
DES - The 16
Iterations
The basic process
in enciphering a
64-bit data block
and a 56-bit key
using the DES
consists of:
An initial
permutation (IP)
16 rounds of a
complex key
dependent
calculation f
A final
permutation, being
the inverse of IP

64-bit Ciphertext

64-bit Plaintext

Initial
Permutation
Iteration 1
Iteration 2
Iteration 16
32-bit Swap
Inverse Initial
Permutation
Permuted Choice
2
Permuted Choice
2
Permuted Choice
1
Left Circular Shift
Left Circular Shift
Permuted Choice
2
Left Circular Shift
K
1
K
2
K
16
56-bit Key
17
Details of Each Iteration
L
i-1
R
i-1
C
i-1
D
i-1

L
i
R
i
C
i
D
i

Permutation Choice
(PC-2)
Expansion
Permutation
(E-Table)
Substitution Box
(S-Box)
XOR
XOR
Permutation Box
(P)
Left Shift(s) Left Shift(s)
48 bits
48 bits
32 bits
32 bits
32 bits
32 bits
48 bits
K
i
32 bits

32 bits

28 bits

28 bits

18
DES - Swapping of Left and
Right Halves
The 64-bit block being enciphered is broken into two
halves.
The left half and the right half go through one DES
round, and the result becomes the new right half.
The old right half becomes the new left half half, and
will go through one round in the next round.
This goes on for 16 rounds, but after the last round the
left and right halves are not swapped, so that the result
of the 16th round becomes the final right half, and the
result of the 15th round (which became the left half of
the 16th round) is the final left half.
19
DES - Swapping of Left and
Right Halves
This can be described
functionally as:
L(i) = R(i-1)
R(i) = L(i-1) P(S(
E(R(i-1)) K(i) ))
This forms one round in an S-P
network
L
i-1
f (R
i-1
, K
i
)
L
i-1
R
i-1
32 bits
L
i
32 bits
R
i
20
DES - Basics
Fundamentally DES performs only two operations on its
input, bit shifting (permutation), and bit substitution.
The key controls exactly how this process works.
By doing these operations repeatedly and in a non-linear
manner you end up with a result which can not be used to
retrieve the original without the key.
Those familiar with chaos theory should see a great deal of
similarity to what DES does. By applying relatively simple
operations repeatedly a system can achieve a state of near
total randomness.
21
Each Iteration Uses a
Different Sub-key
DES works on 64 bits of data at a time. Each 64
bits of data is iterated on from 1 to 16 times (16
is the DES standard).
For each iteration a 48 bit subset of the 56 bit
key is fed into the encryption block
Decryption is the inverse of the encryption
process.
22
DES Key Processing
The key is usually stored as a 64-bit number,
where every eighth bit is a parity bit.
The parity bits are pitched during the algorithm,
and the 56-bit key is used to create 16 different
48-bit subkeys - one for each round.
DES Subkeys: K
1
, K
2
, K
3
, K
16


23
DES Key Processing -
Subkeys Generation
In order to generate the 16 48-bit subkeys from
the 56-bit key, the following process is used:
First, the key is loaded according to the PC-1 and
then halved.
Then each half is rotated by 2 bits in every round
except the first, second, 9th and last rounds.
The reason for this is that it makes it secure against
related-key cryptanalysis.
Then 48 of the 56 bits are chosen according to a
compression permutation - PC-2.
24
The Key Schedule
The subkeys used by the 16 rounds are formed
by the Key Schedule which consists of:
An initial permutation of the key (PC1) which
selects 56-bits in two 28-bit halves
16 stages consisting of:
selecting 24-bits from each half and permuting them by
PC2 for use in function f
rotating each half either 1 or 2 places depending on the
key rotation schedule KRS
this can be described functionally as:
K(i) = PC2(KRS(PC1(K),i))
25
Permuted Choice 1 PC-1
57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4
26
Permuted Choice 2 PC-2
14 17 11 24 1 5 3 28 15 6 21 10
23 19 12 4 26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40 51 45 33 48
44 49 39 56 34 53 46 42 50 36 29 32
27
Key Rotation Schedule
KRS
Round
Number
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number of
Left Shifts
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Total Number
of Shifts
1 2 4 6 8 10 12 14 15 17 19 21 23 25 27 28
28
DES Operation - Plaintext
The block to be encrypted is halved - the right
half goes through several steps before being
XOR-ed with the left half and, except after the
last round, trading places with the left half.

29
DES - Expansion
Permutation
First the right half goes through an expansion
permutation which expands it from 32 to 48 bits.
This makes it the same length as the subkey to allow
the XOR, but it also demonstrates an important
concept in cryptography. In expanding to 1.5 times its
size, several bits are repeated (no new bits are
introduced - all the existing bits are shifted around, and
some are used twice).
Because of this some of the input bits affect two output
bits instead of one, the goal being to have every output
bit in DES depend upon every input bit as quickly as
possible. This is known as the avalanche effect.

30
Expansion Permutation
Table
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
31
DES Operation - E(R
i
) K
i

The result of the expansion permutation is XOR-ed
with the subkey, and then goes through the S-boxes.
There are 8 S-boxes, each of which takes a 6-bit input
an spits out a 4-bit output.
This step is non-linear. For a given input i1, i2 ... i6,
the output is determined by using the concatenation of
i1 and i6, and the concatenation of i2 i5, and using
these as the indices to the table which is the S-box.
32
S-box Permutations
The S-boxes are somewhat different from the other
permutations. While all the others are set up according to
bit x goes to bit y, the input bits can be viewed
differently for the S-boxes.
If the input is {i1,i2,i3,i4,i5,i6} then the two-bit number
{i1,i6} and the the four-bit number {i2,i3,i4,i5} are used as
indices to the table.
For the 48-bit word {i1,i2 i48}, the word {i1 i6} is
sent to S-box 1, the word {i7 i12} to S-box 2, etc. The
output of S-box 1, {o1 o4}, that of S-box 2, {o5 o8}
etc. are concatenated to form the output.
33
The 8 DES S Boxes
S-Box 1 S-Box 2 S-Box 3 S-Box 4 S-Box 5 S-Box 7 S-Box 8 S-Box 6
0 5 6 11 12 17 18 23 24 29 30 35 35 41 42 47
0 3 4 7 8 11 12 15 16 19 20 23 24 27 28 31
48-bit Input
32-bit Output
34
S-box Permutations
35
S1 Box Truth Table
36
The 8 DES
S Boxes
37
DES Operation - P Box
The output of each of the 8 S-boxes is
concatenated to form a 32-bit number, which is
then permutated with a P-box.
This P-box is a straight permutation, and the
resulting number is XOR-ed with the left half
of the input block with which we started at the
beginning of this round.
Finally, if this is not the last round, we swap the
left and right halves and start again.
38
Permutation Function - P
Box
16 7 20 21
9 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
39
DES Permutations
The initial and final permutations in DES serve
no cryptographic function. They were originally
added in order to make it easier to load the 64-
bit blocks into hardware - this algorithm after
all predates 16-bit busses - and is now often
omitted from implementations.
However the permutations are a part of the
standard, and therefore any implementation not
using the permutations is not truly DES.
40
DES Permutations
Using the Initial Permutation a DES chip loads a 64-
bit block one bit at a time (this gets to be very slow in
software).
The order in which it loads the bits is shown below.
The final permutation is the inverse of the initial (for
example, in the final permutation bit 40 goes to bit 1,
whereas in the initial permutation bit 1 goes to bit 40).
41
Initial Permutation
Bit goes to Bit
58 1
50 2
42 3
34 4
26 5
18 6
10 7
2 8
60 9
52 10
44 11
36 12
28 13
20 14
12 15
4 16
Bit goes to Bit
62 17
54 18
46 19
38 20
30 21
22 22
14 23
6 24
64 25
56 26
48 27
40 28
32 29
24 30
16 31
8 32
Bit goes to Bit
57 33
49 34
41 35
33 36
35 37
17 38
9 39
1 40
59 41
51 42
43 43
35 44
27 45
19 46
11 47
3 48
Bit goes to Bit
61 49
53 50
45 51
37 52
29 53
21 54
13 55
5 56
63 57
55 58
47 59
39 60
31 61
23 62
15 63
7 64
42
Initial Permutation
Pictorially
Bit goes to Bit
58 1
50 2
42 3
34 4
26 5
18 6
10 7
2 8
60 9
52 10
44 11
36 12
28 13
20 14
12 15
4 16
43
DES Initial and Final
Permutations
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
44
Weak Keys
There are a few keys which are considered
weak for the DES algorithm. They are so few,
however, that it is trivial to check for them
during key generation.

Example Weak Keys
45
DES Example - Key
K = 581FBC94D3A452EA
X = 3570E2F1BA4682C7
K = ( 0101 1000 0001 1111 1011 1100 1001 0100
1101 0011 1010 0100 0101 0010 1110 1010 )
C
0
= ( 10111100110100
01101001000101 )
D
0
= ( 11010010001011
10100001111111 )
46
DES Example - Key
C
1
= ( 0111 1001 1010 0011 0100 1000 1011 )
D
1
= ( 1010 0100 0101 1101 0000 1111 1111 )
K
1
= ( 001001 111010 000101 101001
111001 011000 110111 011010 )
C
2
= ( 1111 0011 0100 0110 1001 0001 0110 )
D
2
= ( 0100 1000 1011 1010 0001 1111 1111 )
K
2
= ( 110110 101001 000111 011101
110101 111011 011101 001000 )
47
DES Example - Data
K=581FBC94D3A452EA
X=3570E2F1BA4682C7
X = (x
1
, x
2
, x
3
, , x
64
)
= ( 0011 0101 0111 0000 1110 0010 1111 0001
1011 1010 0100 0110 1000 0010 1100 0111)
This plaintext X is first subjected to an Initial Permutation
IP which gives
L
0
= ( 1010 1110 0001 1011 1010 0001 1000 1001)
A E 1 B A 1 8 9
R
0
= ( 1101 1100 0001 111 0001 0000 1111 0100)
D C 1 F 1 0 F 4
48
DES Example - Data
E(R
0
) = ( 011011 111000 000011 111110
100010 100001 01110 101001)

1
= E(R
0
) K
1
= ( 010010 000010 000110 010111
011011 111001 101001 110011)
S
5
01
(1101) = S
5
1
(13) = 9 = 1001
S
6
11
(1100) = S
6
3
(12) = 6 = 0110

S
7
11
(0100) = S
7
3
(4) = 1 = 0001

S
8
11
(1001) = S
8
3
(9) = 12 = 1100

49
DES Example - Data
B
1
= (1010 0001 1110 1100 1001 0110 0001 1100)
P(B
1
) = (0010 1011 1010 0001 0101 0011 0110 1100)
R
1
= P(B
1
) L
0

= (1000 0101 1011 1010 1111 0010 1110 0101)
8 5 B A F 2 E 5
50
DES Example - Data
L
1
= (1101 1100 0001 1111 0001 0000 1111 0100)
D C 1 F 1 0 F 4
E(R
1
) = ( 110000 001011 110111 110101
011110 100101 011100 001011)

2
= E(R
1
) K
2
= ( 000110 100010 110000 101000
101011 011110 000001 000011)
51
DES Example - Data
S
1
00
(0011) = S
1
1
(3) = 1 = 0001
S
2
10
(0001) = S
2
3
(1) = 14 = 1110

S
3
10
(1000) = S
3
3
(8) = 11 = 1011

S
4
10
(0100) = S
4
3
(4) = 12 = 1100

S
5
11
(0101) = S
5
1
(5) = 14 = 1110
S
6
00
(1111) = S
6
3
(15) = 11 = 1011

S
7
01
(0000) = S
7
3
(0) = 13 = 1101

S
8
01
(0001) = S
8
3
(1) = 15 = 1111
52
DES Example - Data
B
2
= (0001 1110 1011 1100 1110 1011 1101 1111)
P(B
2
) = (0101 1111 0011 1110 0011 1001 1111 0111)
R
2
= P(B
2
) L
1

= (1000 0011 0010 0001 0010 1001 0000 0011)
8 3 2 1 2 9 0 3
L
2
= R
1
= (1000 0101 1011 1010 1111 0010 1110 0101)
8 5 B A F 2 E 5
53
DES Example - Data - Done !
Y = (y
1
, y
2
,y
3
, , y
64
)
= ( 1101 0111 0110 1001 1000 0010 0010 0100
0010 1000 0011 1110 0000 1010 1110 1010)
= ( D 7 6 9 8 2 2 4 2 8 3 E 0 A E A)
54
DES Modes of Use
DES encrypts 64-bit blocks of data, using a 56-bit key
We need some way of specifying how to use it in
practice, given that we usually have an arbitrary
amount of information to encrypt
The way we use a block cipher is called its Mode of
Use and four have been defined for the DES by ANSI
in the standard: ANSI X3.106-1983 Modes of Use)
55
DES Modes of Use
DES Modes of Use are either:
Block Modes
Splits messages in blocks (ECB, CBC)
Stream Modes
On byte stream messages (CFB, OFB)
56
Block Modes - ECB
Electronic Codebook Book (ECB)
where the message is broken into independent 64-
bit blocks which are encrypted
C(i) = DES
K
(P(i))

57
Subverting DES in ECB
Mode
A d a m s , L e s l i e C l e r k $ 1 0
B l a c k , R o b i n B o s s $ 5 0 0
C o l l i n s , K i m M a n a g e r $ 1 0 0
D a v i s , B o b b i e J a n i t o r $ 5
16 8 8
Bytes
Name Position Bonus
58
Block Modes - CBC
Cipher Block Chaining (CBC)
Again the message is broken into 64-bit blocks, but
they are linked together in the encryption operation
with an IV
C(i) = DES
K
(P(i) C(i-1))
C(-1)= IV
59
Cipher Block Chaining
(CBC)
Key

XOR
E
P
0
C
0
IV

XOR
E
P
1
C
1
XOR
E
P
2
C
2
XOR
E
P
3
C
3

Key

IV


XOR
D
C
0
P
0
XOR
D
C
1
P
1
XOR
D
C
2
P
2
XOR
D
C
3
P
3
60
Stream Modes - CFB
Cipher FeedBack (CFB)
where the message is treated as a stream of bytes,
added to the output of the DES, with the result
being feed back for the next stage
C
i
= P
i
SLMB(DES
K
(C(i-1)))
C
i
= SLMB(DES
K
(C(i-1)))
C(-1)= IV
C(i) = C
i-1
|| C
i-2
|| C
i-3
|| C
i-4
||
C
i-5
|| C
i-6
|| C
i-7
|| C
i-8
||
61
Stream Modes - CFB
XOR
E
C
2
C
3
C
4
C
5
C
6
C
7
C
8
C
9
SLMB
P
10
Key

DES Encryption
Box

Select Left Most
Byte

C
10
C
10
64-bit Shift Register

C(10)
62
Stream Modes - OFB
Output FeedBack (OFB)
where the message is treated as a stream of bytes,
added to the message, but with the feedback being
independent of the message
C
i
= P
i
O
i
O
i
= SLMB(DES
K
(O(i-1)))
O(-1)= IV
O(i) = O
i-1
|| O
i-2
|| O
i-3
|| O
i-4
||
O
i-5
|| O
i-6
|| O
i-7
|| O
i-8
||
63
Stream Modes - OFB
XOR
E
O
2
O
3
O
4
O
5
O
6
O
7
O
8
O
9
SLMB
P
10
Key

DES Encryption
Box

Select Left Most
Byte

C
10
O
10
64-bit Shift Register

O(10)

64
Limitations of Various
Modes - ECB
Repetitions in message can be reflected in
ciphertext, if aligned with message block.
Particularly with data such graphics.
Or with messages that change very little, which
become a code-book analysis problem.
Weakness is because enciphered message
blocks are independent of each other.
Can be solved using CBC.
65
Limitations of Various
Modes - CBC
Uses result of one encryption to modify input of
next.
Hence each ciphertext block is dependent on all
message blocks before it.
Thus a change in the message affects the
ciphertext block after the change as well as the
original block.
Susceptible to errors. Error in a single block
make all the subsequent blocks useless.
66
Triple DES - More Secure
DES
E
K
1
D
K
2
E
K
1
Ciphertext Plaintext
Encryption
A B
D
K
1
E
K
2
D
K
1
Plaintext Ciphertext
Decryption
B A
Why not Double DES?
Why Triple DES with two Keys?
Why EDE?
67
IDEA
International Data Encryption Algorithm also known
as Proposed Encryption Standard PES
European origins free from any NSA tampering
64-bit block cipher
128-bit key
Fast in software on general purpose processors
Consists of three basic operations:
XOR
Addition modulo 2
16
Multiplication modulo 2
16
+ 1
68
GOST
64-bit block cipher from USSR
256-bit key (up to 610 bits key considering S-boxes)
Better suited to software implementation than DES
32 rounds
For the i-th round
L
i
=R
i-1
R
i
=L
i-1
f(R
i-1
, K
i
)
f consists of:
Add right half and the i-th subkey modulo 2
32
Break result into 8 4-bit chunks and input into a different S-box
Outputs of all S-boxes are recombined
11-bit left circular shift
XOR with the left half
69
One Round of GOST
L
i-1
R
i-1
Choose One Subkey

S-Box Substitution

Left Circular Shift

L
i
R
i
S-boxes in GOST are
user defined and provide
additional keying material
8 32-bit Subkeys are
derived from 256-bit key
and are repeatedly used
according to the key
schedule of GOST
70
GOST S-Boxes and
Subkeys
Round
Number
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Subkey 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
Round
Number
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
Subkey 1 2 3 4 5 6 7 8 8 7 6 5 4 3 2 1
S-box 1:
4 10 9 2 13 8 0 14 6 11 1 12 7 15 5 3
S-box 2:
14 11 4 12 6 13 15 10 2 3 8 1 0 7 5 9
71
BLOWFISH
Designed by Bruce Schneier
Fast on 32-bit microprocessors
Compact
Simple
Variable key lengths up to 448-bits
Uses a large number of subkeys
16 iterations/rounds
Each round consists of a key-dependent permutation and
A key- and data-dependent substitution
All operations are additions and XORs on 32-bit words
72
RC5
Designed by Professor Ronald Rivest of MIT
Rons Cipher (RC) others also exist RC2,
RC4, RC6
Supports a variety of block sizes, key sizes and
number of rounds
Three basic operations
XOR
Addition
Rotations
Patented by RSADSI
73
AES
A replacement for DES after a very long time
Result of an open, international competition conducted
by NIST
Five finalists
MARS
Serpent
Twofish
RC6
Rijendael
Rijendael finally chosen as AES
74
AES
Design criteria included:
Security
Speed on a variety of platforms hardware,
software, smartcards, microcontrollers
Rijendael European submission finally chosen
as AES