Giáo trình mã hóa DES

Mã hóa DES trong việc bảo mật ,là 1 trong những phương pháp mã hóa thông dụng nhất trong ngành mật mã học.Tài liệu được dùng để giảng dạy trong môn an toàn thông tin mạng tại trường đại học bách khoa đại học đà nẵng

Lecture Data Encryption Standard (DES)

6.2

Objectives

❏

❏ To review a short history of DES

❏

❏ To define the basic structure of DES

❏

❏ To describe the details of building elements of DES

❏

❏ To describe the round keys generation process

❏

❏ To analyze DES Chapter 6

6.3

6

6 1 INTRODUCTION 1 INTRODUCTION

The

The Data Data Encryption Encryption Standard Standard (DES) (DES) is is a a symmetric symmetric key key

block

block cipher cipher published published by by the the National National Institute Institute of of

Standards

Standards and and Technology Technology (NIST) (NIST)

6.1.1 History

6.1.2 Overview

Topics discussed in this section:

6.4

In 1973, NIST published a request for proposals for a national

modification of a project called Lucifer, was accepted as DES DES was published in the Federal Register in March 1975 as

a draft of the Federal Information Processing Standard (FIPS).

6.1.1 History

DES History

in 1973 NIST (then NBS) issued request for proposals for a national cipher

standard

IBM already developed Lucifer cipher

by team led by Feistel in late 60’s

used 64-bit data blocks with 128-bit key

1974, IBM submits Lucifer

Lucifer is analyzed and redesigned by NSA and others, and becomes DES

1977, the new cryptosystem becomes the federal standard in USA (till

Nov 2001).

Some variants of DES (we’ll discuss them later) still very much in use.

DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview

Figure 6.1 Encryption and decryption with DES

DES Basic Principles

DES is based on the Feistel Structure

Feistel structure: decrypt ciphertext is very

similar to encrypt plaintext

Uses the idea of a product cipher – that is a

sequence of transformations

The smaller transformations are substitutions

and permutations

6 6 2 DES STRUCTURE 2 DES STRUCTURE

The The encryption encryption process process is is made made of of two two permutations permutations (P (P boxes),

boxes), which which we we call call initial initial and and final final permutations, permutations, and and sixteen

sixteen Feistel Feistel rounds rounds

6.2.1 Initial and Final Permutations 6.2.2 Rounds

6.2.3 Cipher and Reverse Cipher 6.2.4 Examples

Topics discussed in this section:

6.9

6

6 2 Continue 2 Continue

Figure 6.2 General structure of DES

DES Encryption Overview

6.10

6.2.1 Initial and Final Permutations

Figure 6.3 Initial and final permutation steps in DES

6.2.1 Continue

Table 6.1 Initial and final permutation tables

Example 6.1

6.2.1 Continued

Find

Find the the output output of of the the initial initial permutation permutation box box when when the the input input is is

given

given in in hexadecimal hexadecimal as as::

Only

Only bit bit 25 25 and and bit bit 64 64 are are 1 1ss;; the the other other bits bits are are 0 0ss In In the the final final

permutation,

permutation, bit bit 25 25 becomes becomes bit bit 64 64 and and bit bit 63 63 becomes becomes bit bit 15 15 The The

result

result is is

Solution

6.14

Example 6.2

6.2.1 Continued

Prove Prove that that the the initial initial and and final final permutations permutations are are the the inverse inverse of of each each other

other by by finding finding the the output output of of the the final final permutation permutation if if the the input input is is

The The input input has has only only two two 1 1ss;; the the output output must must also also have have only only two two 1 1ss Using

Using Table Table 6 6 1 1,, we we can can find find the the output output related related to to these these two two bits bits Bit

Bit 15 15 in in the the input input becomes becomes bit bit 63 63 in in the the output output Bit Bit 64 64 in in the the input input becomes

becomes bit bit 25 25 in in the the output output So So the the output output has has only only two two 1 1s, s, bit bit 25 25 and

and bit bit 63 63 The The result result in in hexadecimal hexadecimal is is Solution

6.15

6.2.1 Continued

The initial and final permutations are straight

P-boxes that are inverses

of each other.

They have no cryptography significance in DES.

Note

6.16

DES uses 16 rounds Each round of DES is a Feistel cipher.

6.2.2 Rounds

Figure 6.4

A round in DES (encryption site)

The heart of DES is the DES function The DES function

applies a 48-bit key to the rightmost 32 bits to produce a 32-bit

output.

6.2.2 Continued

DES Function

Figure 6.5

DES function

Expansion P-box

6.2.2 Continue

Figure 6.6 Expansion permutation

Although the relationship between the input and output can be

defined mathematically, DES uses Table 6.2 to define this

P-box.

6.2.2 Continue

Table 6.6 Expansion P-box table

6.20

Whitener (XOR) After the expansion permutation, DES uses the XOR operation

on the expanded right section and the round key Note that both the right section and the key are 48-bits in length Also note that the round key is used only in this operation.

6.2.2 Continue

6.21

S-Boxes

The boxes do the real mixing (confusion) DES uses 8

S-boxes, each with a 6-bit input and a 4-bit output See Figure

6.7.

6.2.2 Continue

Figure 6.7 S-boxes

6.22

6.2.2 Continue

Figure 6.8 S-box rule

Table 6.3 shows the permutation for S-box 1 For the rest of

the boxes see the textbook.

6.2.2 Continue

Table 6.3 S-box 1

Example 6.3

6.2.2 Continued

The The input input to to S S box box 1 1 is is 1 10001 00011 1 What What is is the the output? output?

If

If we we write write the the first first and and the the sixth sixth bits bits together, together, we we get get 11 11 in in binary, binary, which

which is is 3 3 in in decimal decimal The The remaining remaining bits bits are are 0001 0001 in in binary, binary, which which is

is 1 1 in in decimal decimal We We look look for for the the value value in in row row 3 3,, column column 1 1,, in in Table Table 6

6 3 3 (S (S box box 1 1)) The The result result is is 12 12 in in decimal, decimal, which which in in binary binary is is 1100 1100 So

So the the input input 100011 100011 yields yields the the output output 1100 1100

Solution

Example 6.4

6.2.2 Continued

The

The input input to to S S box box 8 8 is is 000000 000000 What What is is the the output? output?

If

If we we write write the the first first and and the the sixth sixth bits bits together, together, we we get get 00 00 in in binary, binary,

which

which is is 0 0 in in decimal decimal The The remaining remaining bits bits are are 0000 0000 in in binary, binary, which which

is

is 0 0 in in decimal decimal We We look look for for the the value value in in row row 0 0,, column column 0 0,, in in Table Table

6

6 10 10 (S (S box box 8 8)) The The result result is is 13 13 in in decimal, decimal, which which is is 1101 1101 in in binary binary

So

So the the input input 000000 000000 yields yields the the output output 1101 1101

Solution

6.26

Straight Permutation

6.2.2 Continue

Table 6.11 Straight permutation table

6.27

Using mixers and swappers, we can create the cipher and

reverse cipher, each having 16 rounds.

6.2.3 Cipher and Reverse Cipher

First Approach

To achieve this goal, one approach is to make the last round

(round 16) different from the others; it has only a mixer and

no swapper.

In the first approach, there is no swapper in the

last round.

Note

6.28

6.2.3 Continued

Figure 6.9 DES cipher and reverse cipher for the first approach

6.2.3 Continued

Algorithm 6.1 Pseudocode for DES cipher

6.2.3 Continued

Algorithm 6.1 Pseudocode for DES cipher (Continued)

6.2.3 Continued

Algorithm 6.1 Pseudocode for DES cipher (Continued)

6.32

6.2.3 Continued

Algorithm 6.1 Pseudocode for DES cipher (Continued)

6.33

Alternative Approach

6.2.3 Continued

We can make all 16 rounds the same by including one swapper

to the 16th round and add an extra swapper after that (two

swappers cancel the effect of each other).

Key Generation

The round-key generator creates sixteen 48-bit keys out of a

56-bit cipher key.

6.34

6.2.3 Continued

Figure 6.10

Key generation

6.2.3 Continued

Table 6.12 Parity-bit drop table

Table 6.13 Number of bits shifts

6.2.3 Continued

Table 6.14 Key-compression table

6.2.3 Continued

Algorithm 6.2 Algorithm for round-key generation

6.38

6.2.3 Continued

Algorithm 6.2 Algorithm for round-key generation (Continue)

6.39

Example 6.5

6.2.4 Examples

We

We choose choose a a random random plaintext plaintext block block and and a a random random key, key, and and

determine

determine what what the the ciphertext ciphertext block block would would be be (all (all in in hexadecimal) hexadecimal)::

Table 6.15 Trace of data for Example 6.5

6.40

Example 6.5

Table 6.15 Trace of data for Example 6.5 (Conintued

6.2.4 Continued

Continued

Example 6.6

6.2.4 Continued

Let

Let us us see see how how Bob, Bob, at at the the destination, destination, can can decipher decipher the the ciphertext ciphertext

received

received from from Alice Alice using using the the same same key key Table Table 6 6 16 16 shows shows some some

interesting

interesting points points

6 6 3 DES ANALYSIS 3 DES ANALYSIS

Critics Critics have have used used a a strong strong magnifier magnifier to to analyze analyze DES DES Tests Tests have

have been been done done to to measure measure the the strength strength of of some some desired desired properties

properties in in a a block block cipher cipher

6.3.1 Properties 6.3.2 Design Criteria 6.3.3 DES Weaknesses

Topics discussed in this section:

Two desired properties of a block cipher are the avalanche

effect and the completeness.

6.3.1 Properties

Example 6.7

To

To check check the the avalanche avalanche effect effect in in DES, DES, let let us us encrypt encrypt two two plaintext plaintext

blocks

blocks (with (with the the same same key) key) that that differ differ only only in in one one bit bit and and observe observe

the

the differences differences in in the the number number of of bits bits in in each each round round

6.44

Example 6.7

6.3.1 Continued

Although Although the the two two plaintext plaintext blocks blocks differ differ only only in in the the rightmost rightmost bit, bit, the

the ciphertext ciphertext blocks blocks differ differ in in 29 29 bits bits This This means means that that changing changing approximately

approximately 1 1 5 5 percent percent of of the the plaintext plaintext creates creates a a change

change of of approximately approximately 45 45 percent percent in in the the ciphertext ciphertext

Table 6.17 Number of bit differences for Example 6.7

Continued

6.45

6.3.1 Continued

Completeness effect

Completeness effect means that each bit of the ciphertext

needs to depend on many bits on the plaintext.

6.46

6.3.2 Design Criteria

S-Boxe The design provides confusion and diffusion of bits from each round to the next.

P-Boxes They provide diffusion of bits.

Number of Rounds DES uses sixteen rounds of Feistel ciphers the ciphertext is thoroughly a random function of plaintext and ciphertext.

During the last few years critics have found some weaknesses

in DES.

6.3.3 DES Weaknesses

Weaknesses in Cipher Design

1 Weaknesses in S-boxes

2 Weaknesses in P-boxes

3 Weaknesses in Key

Example 6.8

6.3.3 Continued

Let Let us us try try the the first first weak weak key key in in Table Table 6 6 18 18 to to encrypt encrypt a a block block two two times

times After After two two encryptions encryptions with

with the the same same key key the the original original plaintext plaintext block block is is created created Note Note that that we

we have have used used the the encryption encryption algorithm algorithm two two times, times, not not one one encryption

encryption followed followed by by another another decryption decryption

6.3.3 Continued

Figure 6.11 Double encryption and decryption with a weak key

6.50

6.3.3 Continued

6.51

6.3.3 Continued

6.52

6.3.3 Continued

Figure 6.12 A pair of semi-weak keys in encryption and decryption

Example 6.9

6.3.3 Continued

What

What is is the the probability probability of of randomly randomly selecting selecting a a weak, a semi semi weak, weak,

or

or a a possible possible weak weak key? key?

Solution

DES

DES has has a a key key domain domain of of 2 2 56 The The total total number number of of the the above above keys keys

are

are 64 64 ((4 4 + + 12 12 + + 48 48)) The The probability probability of of choosing choosing one one of of these these keys keys

is

is 8 8 8 8 × × 10 10 − −16 16 ,, almost almost impossible impossible

6.3.3 Continued

Example 6.10

6.3.3 Continued

Let

Let us us test test the the claim claim about about the the complement complement keys keys We We have have used used an an

arbitrary

arbitrary key key and and plaintext plaintext to to find find the the corresponding corresponding ciphertext ciphertext If If

we

we have have the the key key complement complement and and the the plaintext, plaintext, we we can can obtain obtain the the

complement

complement of of the the previous previous ciphertext ciphertext (Table (Table 6 6 20 20))

6.56

6 6 4 Multiple DES 4 Multiple DES

The The major major criticism criticism of of DES DES regards regards its its key key length length Fortunately

Fortunately DES DES is is not not a a group group This This means means that that we we can can use

use double double or or triple triple DES DES to to increase increase the the key key size size

6.4.1 Double DES 6.4.4 Triple DES

Topics discussed in this section:

6.57

6

6 4 Continued 4 Continued

A

A substitution substitution that that maps maps every every possible possible input input to to every every

possible

possible output output is is a a group group

Figure 6.13 Composition of mapping

6.58

The first approach is to use double DES (2DES).

6.4.1 Double DES

Meet-in-the-Middle Attack However, using a known-plaintext attack called

2112).

6.4.1 Continued

Figure 6.14 Meet-in-the-middle attack for double DES

6.4.1 Continued

Figure 6.15 Tables for meet-in-the-middle attack

6.4.2 Triple DES

Figure 6.16 Triple DES with two keys

6.62

6.4.2 Continuous

Triple DES with Three Keys The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys Triple DES with three keys is used by many applications such as PGP (See Chapter 16).

6.63

6

6 5 Security of DES 5 Security of DES

DES,

DES, as as the the first first important important block block cipher, cipher, has has gone gone through through

much

much scrutiny scrutiny Among Among the the attempted attempted attacks, attacks, three three are are of of

interest

interest:: brute brute force, force, differential differential cryptanalysis, cryptanalysis, and and linear linear

cryptanalysis

cryptanalysis

6.5.1 Brute-Force Attack

6.5.2 Differential Cryptanalysis

6.5.3 Linear Cryptanalysis

Topics discussed in this section:

6.64

We have discussed the weakness of short cipher key in DES Combining this weakness with the key complement weakness,

6.5.1 Brute-Force Attack

It has been revealed that the designers of DES already knew

about this type of attack and designed S-boxes and chose 16 as

the number of rounds to make DES specifically resistant to

this type of attack.

6.5.2 Differential Cryptanalysis

We show an example of DES differential

cryptanalysis in Appendix N.

Note

Linear cryptanalysis is newer than differential cryptanalysis DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis S-boxes are not very resistant to linear cryptanalysis It has been shown that DES can be

practical point of view, finding so many pairs is very unlikely.

6.5.3 Linear Cryptanalysis

We show an example of DES linear cryptanalysis

in Appendix N.

Note