Unit II

Block cipher and DES

Prepared by
Sankari M
Assistant Professor/CSE
 UNIT-II
• Simplied DES- Block Cipher principles – The Data Encryption Standard – The strength of
DES – Confidentiality using symmetric encryption – Placement of encryption - Traffic
confidentiality – Key distribution - Random number generation
 Symmetric and
Asymmetric Encryption
Symmetric-key cryptography
Note

In symmetric-key cryptography, the same key is used

by the sender(for encryption) and the receiver (for
decryption).
The key is shared.
Algorithm: DES,3DES,AES,S-DES
 Symmetric-key cryptography

• Advantages:
– Simple
– Faster
• Disadvantages:
– Key must exchanges in secure way
– Easy for hacker to get a key as it is passed in
unsecure way.
Asymmetric-key cryptography
Note

An asymmetric-key (or public-key) cipher uses two

keys: one private (To encrypt data) and one public(To
decrypt data).
• Asymmetric Key Cryptography (Public Key Cryptography)
– 2 different keys are used

Advantages
1. More Secured
2. Authentication

Disadvantages
1. Relatively Complex
Figure 30.6 Comparison between two categories of cryptography
• Asymmetric encryption use two keys, one to encrypt the data,
and another key to decrypt the data.
•These keys are generated together
•. One is named as Public key and is distributed freely. The
other is named as Private Key and it is kept hidden.
•Both Sender & Recipient has to share their Public Keys for
Encryption and has to use their Private Keys for Decryption.
 Asymmetric encryption use two keys:

Public Key - to encrypt the data

Private Key - to decrypt the data

 These keys are generated together.

 The Public key(s) is distributed freely between the sender and receiver.

 The other is named as Private Key and it is kept hidden.

 The Private Key is only used for Decryption and will not be shared
between the sender and receiver.
RSA(Rivert Shamir Algorithm)
Digital Signature Algorithm
Diffie-Helman
 ECC(Elliptic Curve cryptography)
Merits:
 Two parties don't need to have their private keys already shared in order to
communicate using encryption.
 Authentication and Non-Repudiation are possible. (Authentication means that you can
encrypt the message with my public key and only I can decrypt it with my private key.
Non-repudiation means that you can "sign" the message with your private key and I can
verify that it came from you with your public key.)

De-Merits:
Asymmetric Encryption algorithms are comparatively complex.
Time consuming process for Encryption and Decryption.
 Modern Block Ciphers

 one of the most widely used types of cryptographic

algorithms
 provide secrecy /authentication services
 focus on DES (Data Encryption Standard)
Block vs Stream Ciphers
Block vs Stream Ciphers
 Block Cipher Principles
 most symmetric block ciphers are based on a
Feistel Cipher Structure
 needed since must be able to decrypt ciphertext
to recover messages efficiently
 block ciphers look like an extremely large
substitution
 would need table of 264 entries for a 64-bit block
 instead create from smaller building blocks
 using idea of a product cipher
Ideal Block Cipher

permutation
Claude Shannon introduced idea of substitution-permutation (S-
P) networks called modern substitution-transposition product
cipher these form the basis of modern block ciphers

22
 S-P Network

• Claude Shannon introduced idea of substitution-permutation (S-P) networks called modern

substitution-transposition product cipher these form the basis of modern block ciphers

S-P networks are based on the two primitive cryptographic operations we

have seen before:

substitution (S-box)

permutation (P-box)

provide confusion and diffusion of message

diffusion – dissipates statistical structure of plaintext over bulk of ciphertext

confusion – makes relationship between ciphertext and key as complex as

possible
 Feistel Cipher Structure
 Horst Feistel devised the Feistel cipher
based on concept of invertible product cipher
 partitions input block into two halves
process through multiple rounds which
perform a substitution on left data half
based on round function of right half &
subkey
then have permutation swapping halves
 implements Shannon’s S-P net concept
Feistel Cipher Structure
Feistel Cipher Design Elements
 block size
 key size
 number of rounds
 subkey generation algorithm
 round function
 fast software en/decryption
 ease of analysis
 SIMPLIFIED DATA ENCRYPTION STANDARD (S-DES)

• The S-DES encryption algorithm takes an 8-bit block of plaintext

(example: 10111101) and a 10-bit key as input and produces an 8-
bit block of ciphertext as output.

• The S-DES decryption algorithm takes an 8-bit block of ciphertext

and the same 10-bit key used to produce that ciphertext as input
and produces the original 8-bit block of plaintext.
Encryption algorithm involves 5 functions
• Initial permutation (IP)
• A complex function involves both permutation and substitution
operations (fk )
• Swapping ( SW )
• Complex function (fk )
• Inverse of initial permutation (IP-1)
S-DES key generation
 S-DES
Encryption
S-Box
Data Encryption Standard (DES)

Private key block cipher

It follows fiestel structure
Adopted in 1977 by NBS
It ensures security
Data Encryption Standard (DES)

DES is defined as the Symmetric

encryption which encrypts the 64-
bit plain text data blocks using a
56-bit key.
Decrypts the 64-bit cipher text
data using a 56-bit key.
 DES History
 IBM developed Lucifer Algorithm by fiestel
 LUCIFER is a Feistel block cipher that operates on
blocks of 64 bits, using a key size of 128 bits.

 Plan to develop the marketable

commercial encryption product.
 (128 bit key reduced to 56 bits)
 IBM submitted their revised Lucifer which
was eventually accepted as the DES
DES Encryption Overview
Number of input block size=64
bits
Key size- 64 bit 48 bits
Number of sub key generation-
16
Number of rounds- 16
Initial Permutation-Shuffling
Left circular shift- Reposition of
bits
 Initial Permutation IP
 first step of the data computation
 IP reorders the input data bits
 even bits to LH half, odd bits to RH half
 quite regular in structure (easy in h/w)
 no cryptographic value
 example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
Initial Permutation IP table

Permutation X= (IP(M)),

Inverse permutation Y = IP-1

(IP(M)))
 DES Round Function F
 uses two 32-bit L & R halves
 as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1  F(Ri–1, Ki)
 F takes 32-bit R half and 48-bit subkey:
expands R to 48-bits using perm E
adds to subkey using XOR
passes through 8 S-boxes to get 32-bit result
finally permutes using 32-bit perm P
Single round DES Structure
Left Half i-1 Right Half i-1 Left Half Key i-1 Right Half Key i-1

28 28

32 Left Shift(s) i Left Shift(s) i

Expansion Permutation
Contraction Permutation
(permuted choice 2)
48
48
48
Round Key i

48

Keyed Substitution (8 S-Boxes)

32

Transposition (P-Box)

32
Mangler
Function
F
32

Mangled Right Half i-1

32

32

Left Half i Right Half i Left Half Key i-1 Right Half Key i-1
 DES Expansion Permutation
Right Half i-1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1

 R half expanded to same length as 48-bit

subkey
 consider R as 8 nibbles (4 bits each)
 expansion permutation
copies each nibble into the middle of a 6-bit
block
copies the end bits of the two adjacent
nibbles into the two end bits of the 6-bit block
Expansion Permutation€
DES Round Structure
 Substitution Boxes S
 Eight S-boxes which
map 6 to 4 bits
 row selection depends
on both data & key
feature known as
autoclaving (autokeying)
Substitution Boxes S
 Substitution Boxes S
 each of the eight s-
boxes is different
input symbol  each s-box reduces
6 bits to 4 bits
control

Si  so the 8 s-boxes
implement the 48-bit
output symbol to 32-bit contraction
substitution
 Permutation Box P
S1 S2 S3 S4 S5 S6 S7 S8

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

 P-box at end of each round

 Increases diffusion/avalanche effect
 DES Round in Full
Right Half i-1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1

Round Key i

+
O 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

input symbol input symbol input symbol input symbol input symbol input symbol input symbol input symbol
control

control

control

control

control

control

control

control
S1 S2 S3 S4 S5 S6 S7 S8

output symbol output symbol output symbol output symbol output symbol output symbol output symbol output symbol

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

Left Half i-1

+
O 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

Right Half i

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
 DES Key Schedule
 forms subkeys used in each round
initial permutation of the key (PC1) which
selects 56-bits in two 28-bit halves
16 stages consisting of:
•rotating each half separately either 1 or 2 places
depending on the key rotation schedule K
•selecting 24-bits from each half & permuting them
by PC2 for use in round function F
 note practical use issues in h/w vs s/w
 DES Key Schedule
64-bit key with parity bits
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64

permuted
choice 1
57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4

56-bit key 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56
Left
Shift
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 1 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 29

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

permuted
choice 2
14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32

48-bit subkey 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
 DES Decryption
 decrypt must unwind steps of data computation
 with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
IP undoes final FP step of encryption
1st round with SK16 undoes 16th encrypt round
….
16th round with SK1 undoes 1st encrypt round
then final FP undoes initial encryption IP
thus recovering original data value
 DES Round Decryption
Left half i-1 Right half i-1

Mangler
Function Round key i
F

+
O

Left half i Right half i

Decryption
DES Example
 Avalanche Effect
 key desirable property of encryption alg
 where a change of one input or key bit
results in changing approx half output bits
 making attempts to “home-in” by guessing
keys impossible
 DES exhibits strong avalanche
Avalanche in DES
 Strength of DES – Key Size
 56-bit keys have 256 = 7.2 x 1016 values
 brute force search looks hard
 recent advances have shown is possible
in 1997 on Internet in a few months
in 1998 on dedicated h/w (EFF) in a few days
in 1999 above combined in 22hrs!
 still must be able to recognize plaintext
 must now consider alternatives to DES
 Strength of DES – Nature of
DES and Timing attacks
 Substitution box S-Box is used in each iteration to make the encryption
strong.
 Timing Attacks:
 A timing attack is one in which information about the key or the plaintext is
obtained by observing how long it takes a given implementation to perform
decryptions on various ciphertexts.
 A timing attack exploits the fact that an encryption or decryption algorithm
often takes slightly different amounts of time on different inputs.
 Confidentiality
Using Symmetric
Encryption
 Confidentiality
• Ensures the receiver only receive the sender’s
information. It wont be accessed by the unauthorised
users.
• Providing confidentiality through the use of secret-key
encryption has historically been the focus of cryptology.
• This topic remains important in itself, though other
considerations have emerged in the last few decades.
• An understanding of the issues involved here
• clarifies those in other applications of encryption and
helps to motivate the development of public-key
encryption.

1
Placement of Encryption Function
Issues involved:
What should be encrypted?
Where should encryption be done?
Two approaches: Link encryption
End-to-end encryption
To make the decisions, one should first examine
the potential locations of security attacks.

2
Points of Vulnerability

Telco
Wiring Central
Closet Office
Comms
Server

LAN

Workstation
Frame Relay
or ATM
Network

3
Locations for Confidentiality
Attacks
Consider a user workstation in a typical business
organization. The points of vulnerability include:

The LAN that the workstation is attached to:

eavesdropping on the LAN, which is typically a
broadcast network.
The Wiring closet: tapping the wires.
Communications links out of the Wiring closet: invasive
or inductive tapping.
Processors along the path to the outside: modifying the
hardware or software, etc.

4
 N
PS

Packet-switching
PS
N network PS
N

N
PS
= end-to-end encryption device

= link encryption device PSN = packet switching node

 Link Encryption
Each vulnerable communications link is equipped on
both ends with an encryption device. Thus, all traffic
over all communications links is secured.
The message must be decrypted each time it enters a
packet switch. Thus, the message is vulnerable at each
switch.
Many keys must be provided. However, each key needs
be distributed to only two nodes.
Layer used in OSI as 1,2

5
End-to-End Encryption
The encryption process is carried out at the two end
systems. The source and the destination share a key.
This plan seems to secure the transmission against
attacks on the network links or switches. There is,
however, still a weak spot.
The source may encrypt only the user data portion, but
must leave the header in the clear.
With end-to-end encryption, the user data are secure,
but the traffic pattern is not. A certain degree of
authentication is also provided.
Layer used in OSI as 3,4,6,7

6
Deploying End-to-End Encryption
Possible choices:
The network layer or the transport layer one key for
each pair of end systems cannot cross
internetwork boundaries
The application layer
many keys needed: one key for each pair of users
can cross internetwork boundaries

8
Link vs. End-to-End Encryptions
Link Encryption End-to-End Encryption
Security within End Systems and Intermediate Systems
Message exposed in sending host Message encrypted in sending host
Message exposed in intermediate nodes Message encrypted in intermediate nodes
Role of User
Applied by sending host Applied by sending process User applies
Transparent to user encryption
Host maintains encryption facility User must determine algorithm Users selects
One facility for all users encryption scheme
Can be done in hardware Software implementation
All or no messages encrypted User chooses to encrypt, or not, for each message
Implementation Concerns
Requires one key per (host-intermediate Requires one key per user pair
node) pair and (intermediate node-
intermediate node) pair
Provides host authentication Provides user authentication
 Traffic Confidentiality
Types of information that can be derived from a traffic
analysis attack:
Identities of partners
How frequently the partners are communicating
Message pattern, message length, or quantity of
messages
Events correlated with conversations between particular
partners
Messages of a covert channel

9
 Traffic Padding
Key

Discontinuous Encryption Continuous

plaintext input algorithm ciphertext output

Continuous
random-data
generator
Countering Traffic Analysis
Link encryption approach
Packet headers already encrypted further strength
via traffic padding
End-to-end encryption approach

available measures more limited

padding out data units to a uniform length inserting
null messages randomly

11
The Key Distribution Problem
For symmetric encryption to work, the two parties of an
exchange must share the same key and that key must
be protected.
Frequent key changes may be desirable to limit the
amount of data compromised.
The strength of a cryptographic system rests with the
technique for solving the key distribution problem—
delivering a key to the two parties of an exchange.
The scale of the problem depends on the number of
communication pairs.

12
Approaches to Key Distribution
Let A (Alice) and B (Bob) be the two parties.
A key can be selected by A and physically delivered to
B.
A third party can select the key and physically deliver it
to A and B.
If A and B have previously and recently used a key, one
party can transmit the new key to the other, encrypted
using the old key.
If A and B each has an encrypted connection to a third
party C, C can deliver a key on the encrypted links to A
and B.
Number of Keys for Endpoints

9
10

8
10

7
10

6
10

5 6 789 2 3 4 5 6 789 2 3 4 5 6 789

3 4 5
10 10 10
Number of endpoints

Source: Figure 7.7, Stallings 2006

Using a Key Distribution Center
A key distribution center is responsible for distributing
keys to pairs of users as needed.
Each user must share a unique key with the key
distribution center for purposes of key distribution.
At least two levels of keys must be used:
session keys-Temporary key which is encrypted by the
user. Once the session is completed,it discarded
and master keys-Encrypt the session key and pass it
to distribution center
If there are N end users, N (N − 1)/2 session keys are
needed at any one time, but only N master keys
are required.
 Key
Hierarchy
Data Cryptographic
Protection

Session Keys Cryptographic

Protection

Master Keys Non-Cryptographic

Protection
 Key Distribution
Scenario
Key
Distribution
Center (KDC)
(1) IDA || IDB || N1

Key distribution (2) E(Ka, [Ks || IDA || IDB || N1]) || E(Kb, [Ks, IDA])
steps

(3) E(Kb, [Ks || IDA])

Initiator Responder
A B
(4) E(Ks, N2)

Authentication (5) E(Ks, f(N2))

 Hierarchical Key Control
For large networks, a single KDC is inadequate.
In a hierarchy of KDCs, each local KDC is responsible
for a small domain.
If the two parties are within the same local domain, their
KDC is responsible for key distribution.
Otherwise, the two corresponding local KDCs can
communicate through a global KDC. Any of the three
KDCs involved can select the key.
Advantages: distributing the effort of master key
distribution and isolating the damage of a fault.
Session Key Lifetime
Two competing considerations in determining the
lifetime of a session key:
The more frequently session keys are changed, the
more secure they are.
The distribution of session keys delays the start of an
exchange and places a burden on network capacity.
The decision can be based on whether the
communication protocol is connection-oriented or
connectionless.
Automatic Key Distribution
Key
1. Host sends packet requesting connection. distribution
2. Security service buffers packet; asks KDC center
for session key.
3. KDC distributes session key to both hosts.
4. Buffered packet transmitted.

Application Application
2
1

Security Security
service service

4
HOST HOST
Network
Decentralized Key Distribution

(1) IDA || N1

Initiator Responder
A B
(2) E(MKm, [Ks || IDA || IDB || f(N1) || N2 ])

(3) E(Ks, f(N2))

 Decentralized Key Control
The KDC must be trusted and be protected from
subversion.
This requirement can be avoided if the key distribution
is fully decentralized.
A fully decentralized key control, though not feasible for
large networks, may be useful within a local context.
A decentralized approach requires that each end
system be able to communicate in a secure manner
with all potential partner end systems for purposes of
session key distribution.
Controlling Key Usage
It may be desirable to impose some control on the
way in which automatically distributed keys are
used.
Possible types of session keys include: data-
encrypting key, PIN-encrypting key, file-encrypting
key, etc.
Key use controlling schemes: Tags
Control vectors
The Use of Random Numbers
Random numbers are used by a number of
security algorithms for:
Nonces (used in authentication protocols) Session
key generation (by the KDC or an end system)
Key generation for the RSA algorithm
Two requirements: randomness and
unpredictability.
Pseudorandom Numbers
True random numbers are hard to come by.
Cryptographic applications typically use algorithmic
techniques for random number generation.
These algorithms are deterministic and therefore
produce sequence of numbers that are not statistically
random.
If the algorithm is good, the resulting sequences will
pass reasonable tests for randomness.
Such numbers are often referred to as pseudorandom
numbers.
The Linear Congruential Method
m the modulus m>0
a the multiplier 0≤a<m
c the increment 0≤c<m
X0 the starting value (seed) 0 ≤ X0 <
m
Iterative equation: Xn+1 = (aXn + c) mod m
Larger values of m imply higher potential for a long
period.
For example, Xn+1 = (75Xn) mod (231 − 1) has a period of
231 − 2.
What are the weakness and the remedy?
Cryptographical Generation
Cyclic encryption: use an arbitrary block cipher. Full-
period generating functions are easily obtained.
DES Output Feedback Mode: the successive 64-bit
outputs constitute a sequence of pseudorandom
numbers.
ANSI X9.17 Pseudorandom number generator
(PRNG): make use of triple DES. Employed in financial
security applications and PGP.
Pseudorandom Number Generation
Counter with
Period N
C

C+1

Master Key
Encryption
Km Algorithm
ANSI X9.17 PRNG
K 1, K 2

DTi EDE

EDE Vi+1

Vi EDE
The Blum Blum Shub (BBS) Generator
Choose two large prime numbers p and q such that
p≡q≡3 (mod 4). Let n = p × q.
Choose a random number s relatively prime to n.
Bit sequence generating algorithm:

X0 = s2 mod n
for i = 1 to ∞
Xi = (Xi−1)2 mod n Bi = Xi mod 2

The BBS generator passes the next-bit test.

Example Operation of BBS
Generator
i Xi Bi i Xi Bi
0 20749 11 137922 0
1 143135 1 12 123175 1
2 177671 1 13 8630 0
3 97048 0 14 114386 0
4 89992 0 15 14863 1
5 174051 1 16 133015 1
6 80649 1 17 106065 1
7 45663 1 18 45870 0
8 69442 0 19 137171 1
9 186894 0 20 48060 0
10 177046 0
Thank you