Block Ciphers (DES)

1
 Block Ciphers and the Data
Encryption Standard

All the afternoon Mungo had been working on

2
 Modern Block Ciphers
• will now look at modern block ciphers
• one of the most widely used types of
cryptographic algorithms
• provide secrecy and/or authentication
services
• in particular will introduce DES (Data
Encryption Standard)

3
 Block vs Stream Ciphers
• block ciphers process messages into
blocks, each of which is then
en/decrypted
• like a substitution on very big characters
– 64-bits or more
• stream ciphers process messages a bit or
byte at a time when en/decrypting
• many current ciphers are block ciphers

4
 Block Cipher Principles
• most symmetric block ciphers are based on a
Feistel Cipher Structure
• needed since must be able to decrypt ciphertext
to recover messages efficiently
• block ciphers look like an extremely large
substitution
• would need table of 264 entries for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher

5
Claude Shannon and Substitution-
Permutation Ciphers
• in 1949 Claude Shannon introduced idea of
substitution-permutation (S-P) networks
– modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive
cryptographic operations we have seen before:
– substitution (S-box)
– permutation (P-box)
• provide confusion and diffusion of message

6
 Confusion and Diffusion
• cipher needs to completely obscure
statistical properties of original message
• a one-time pad does this
• more practically Shannon suggested
combining elements to obtain:
• diffusion – dissipates statistical structure
of plaintext over bulk of ciphertext
• confusion – makes relationship between
ciphertext and key as complex as possible

7
 Feistel Cipher Structure
• Horst Feistel devised the feistel cipher
– based on concept of invertible product cipher
• partitions input block into two halves
– process through multiple rounds which
– perform a substitution on left data half
– based on round function of right half & subkey
– then have permutation swapping halves
• implements Shannon’s substitution-
permutation network concept

8
Feistel Cipher Structure

9
 Feistel Cipher Design
Principles
• block size
– increasing size improves security, but slows cipher
• key size
– increasing size improves security, makes exhaustive key searching
harder, but may slow cipher
• number of rounds
– increasing number improves security, but slows cipher
• subkey generation
– greater complexity can make analysis harder, but slows cipher
• round function
– greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
– are more recent concerns for practical use and testing

10
Feistel Cipher Decryption

11
Data Encryption Standard (DES)
• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
– as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over
its security

12
 DES History
• IBM developed Lucifer cipher
– by team led by Feistel
– used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher
with input from NSA and others
• in 1973 NBS issued request for proposals
for a national cipher standard
• IBM submitted their revised Lucifer
which was eventually accepted as the DES
13
 DES Design Controversy
• although DES standard is public
• was considerable controversy over design
– in choice of 56-bit key (vs Lucifer 128-bit)
– and because design criteria were classified
• subsequent events and public analysis
show in fact design was appropriate
• DES has become widely used, especially in
financial applications

14
DES Encryption

15
General structure of DES

32 bits 32 bits
LI–1 RI–1
Mixer

f ( RI–1, KI ) KI
Swapper

LI RI
32 bits 32 bits
Each round

16
DES function

17
Key generation

18
We choose a random plaintext block, a random key, and a
computer program to determine what the ciphertext block would
be (all in hexadecimal):

19
To check the effectiveness of DES, when a single bit is changed in
the input, let us use two different plaintexts with only one single
bit difference. The two ciphertexts are completely different
without even changing the key:

Although the two plaintext blocks differ only in the rightmost bit,
the ciphertext blocks differ in 29 bits.

20
 Initial Permutation IP
• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)
• see text Table 3.2
• example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

21
 DES Round Structure
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
• takes 32-bit R half and 48-bit subkey and:
– expands R to 48-bits using perm E
– adds to subkey
– passes through 8 S-boxes to get 32-bit result
– finally permutes this using 32-bit perm P

22
DES Round Structure

23
 Substitution Boxes S
• have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4 bit boxes
– outer bits 1 & 6 (row bits) select one rows
– inner bits 2-5 (col bits) are substituted
– result is 8 lots of 4 bits, or 32 bits
• row selection depends on both data & key
– feature known as autoclaving (autokeying)
• example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03

24
 DES Key Schedule
• forms subkeys used in each round
• consists of:
– initial permutation of the key (PC1) which
selects 56-bits in two 28-bit halves
– 16 stages consisting of:
• selecting 24-bits from each half
• permuting them by PC2 for use in function f,
• rotating each half separately either 1 or 2 places
depending on the key rotation schedule K

25
 DES Decryption
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
• note that IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value

26
 Avalanche Effect
• key desirable property of encryption
algorithm
• where a change of one input or key bit
results in changing approx half output
bits
• making attempts to “home-in” by
guessing keys impossible
• Completeness Effect- each bit of CT
needs to depend on many bits of PT
27
 DES Weakness
• Design in S Box
• Design in D Box
• Design in Key
• Six pair of Semi weak key, 48 possible
weak key

28
 Strength of DES – Key Size
• 56-bit keys have 256 = 7.2 x 1016 values
• brute force search looks hard
• recent advances have shown is possible
– in 1997 on Internet in a few months
– in 1998 on dedicated h/w (EFF) in a few days
– in 1999 above combined in 22hrs!
• still must be able to recognize plaintext
• now considering alternatives to DES
29
 Strength of DES – Timing
Attacks
• attacks actual implementation of cipher
• use knowledge of consequences of
implementation to derive knowledge of
some/all subkey bits
• specifically use fact that calculations
can take varying times depending on the
value of the inputs to it
• particularly problematic on smartcards
30
 Differential analysis
• Propagation ratio is the probability that
output diff. is y given that input diff. is
x
• Rp = Nd (x, y)/ 2m
• In the class example
ND( 0100, 0110)= 1/2
Rp = 1/2 1/81/81/81/8

31
Block Cipher Design Principles
• basic principles still like Feistel in 1970’s
• number of rounds
– more is better, exhaustive search best attack
• function f:
– provides “confusion”, is nonlinear, avalanche
• key schedule
– complex subkey creation, key avalanche

32
 Modes of Operation
• block ciphers encrypt fixed size blocks
• e.g. DES encrypts 64-bit blocks, with 56-bit
key
• need way to use in practice, given usually have
arbitrary amount of information to encrypt
• four were defined for DES in ANSI standard
ANSI X3.106-1983 Modes of Use
• subsequently now have 5 for DES and AES
• have block and stream modes
33
 Electronic Codebook Book (ECB)
• message is broken into independent
blocks which are encrypted
• each block is a value which is
substituted, like a codebook, hence name
• each block is encoded independently of
the other blocks
Ci = DESK1 (Pi)
• uses: secure transmission of single values
34
Electronic Codebook Book (ECB)

35
Electronic Codebook Book (ECB)

36
Electronic Codebook Book (ECB)

37
 Advantages and Limitations of
ECB
• repetitions in message may show in
ciphertext
– if aligned with message block
– particularly with data such as graphics
– or with messages that change very little,
which become a code-book analysis problem
• weakness due to encrypted message
blocks being independent
• main use is sending a few blocks of data
38
 Cipher Block Chaining (CBC)
• message is broken into blocks
• but these are linked together in the
encryption operation
• each previous cipher blocks is chained
with current plaintext block, hence name
• use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
• uses: bulk data encryption, authentication

39
Cipher Block Chaining (CBC)

40
Cipher Block Chaining (CBC)

Original image Encrypted image

41
 Advantages and Limitations of
CBC
• each ciphertext block depends on all message blocks
• thus a change in the message affects all ciphertext
blocks after the change as well as the original block
• need Initial Value (IV) known to sender & receiver
– however if IV is sent in the clear, an attacker can change
bits of the first block, and change IV to compensate
– hence either IV must be a fixed value or it must be sent
encrypted in ECB mode before rest of message
• at end of message, handle possible last short block
– by padding either with known non-data value (eg nulls)
– or pad last block with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count

42
 Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8 or 64 or
whatever) to be feed back
– denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
• uses: stream data encryption, authentication
43
Cipher FeedBack (CFB)

44
 Advantages and Limitations of
CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block
encryption after every n-bits
• note that the block cipher is used in
encryption mode at both ends
• errors propagate for several blocks after
the error

45
 Output FeedBack (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then feed back (hence name)
• feedback is independent of message
• can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
• uses: stream encryption over noisy channels
46
Output FeedBack (OFB)

47
 Advantages and Limitations of
OFB
• used when error feedback a problem or where need to
encryptions before message is available
• superficially similar to CFB
• but feedback is from the output of cipher and is
independent of message
• a variation of a Vernam cipher
– hence must never reuse the same sequence (key+IV)
• sender and receiver must remain in sync, and some
recovery method is needed to ensure this occurs
• originally specified with m-bit feedback in the standards
• subsequent research has shown that only OFB-64 should
ever be used

48
 Counter (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value
rather than any feedback value
• must have a different key & counter value
for every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
• uses: high-speed network encryptions
49
Counter (CTR)

50
 Advantages and Limitations of
CTR
• efficiency
– can do parallel encryptions
– in advance of need
– good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter
values, otherwise could break (cf OFB)

51
 Summary
• have considered:
– block cipher design principles
– DES
• details
• strength
– Modes of Operation
• ECB, CBC, CFB, OFB, CTR

52