Lecture slides by Lawrie Brown for “Cryptography and Network Security”, 4/e, by William Stallings, Chapter 2 – “ Classical Encryption Techniques ”.
The most widely used private key block cipher, is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. The DES enjoys widespread use. It has also been the subject of much controversy its security.
In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits. Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip. It involved not only IBM researchers but also outside consultants and technical advice from NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip. In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.
Before its adoption as a standard, the proposed DES was subjected to intense & continuing criticism over the size of its key & the classified design criteria. Recent analysis has shown despite this controversy, that DES is well designed. DES is theoretically broken using Differential or Linear Cryptanalysis but in practise is unlikely to be a problem yet. Also rapid advances in computing speed though have rendered the 56 bit key susceptible to exhaustive key search, as predicted by Diffie & Hellman. DES has flourished and is widely used, especially in financial applications. It is still standardized for legacy systems, with either AES or triple DES for new applications.
The overall scheme for DES encryption is illustrated in Stallings Figure3.4, which takes as input 64-bits of data and of key. The left side shows the basic process for enciphering a 64-bit data block which consists of: - an initial permutation (IP) which shuffles the 64-bit input block - 16 rounds of a complex key dependent round function involving substitutions & permutations - a final permutation, being the inverse of IP The right side shows the handling of the 56-bit key and consists of: - an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in two 28-bit halves - 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves
The initial permutation and its inverse are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits. Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite of what we now mostly use - so be careful! Numbers from Bit 1 (leftmost, most significant) to bit 32/48/64 etc (rightmost, least significant). Note that examples are specified using hexadecimal. Here a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”.
Block Ciphers and Data Encryption Standard (Class-L8) Lecture Slides By: Monalisa Panigrahi Asst. Professor LPU
Algorithm Types• It defines what size of plain text should be encrypted in each step of algorithm – Stream Cipher – Block Cipher
Stream Cipher• Plaintext is encrypted one bit at a time• Suppose message is “Pay 101” in ASCII• In binary it can be a series of 1 and 0;• Every bit will be applied with a encryption algorithms• Let Say binary data is 10010101 – Apply XOR with a key operation will get a cipher text
Block Ciphers• A block of bits is encrypted at one go• Suppose a plaint text is FOUR_AND_FOUR• It can be encrypted in blocks of “FOUR”, “_AND_”, and “FOUR”
How to use a block cipher?• Block ciphers encrypt fixed size blocks – E.g. DES encrypts 64-bit blocks• We need some way to encrypt a message of arbitrary length – E.g. a message of 1000 bytes• NIST defines five ways to do it – Called modes of operations 5
Algorithm Modes• It is a combination of a series of the basic algorithm steps on block cipher and kind of feedback from the previous steps
Five Modes of Operation– Electronic codebook mode (ECB)– Cipher block chaining mode (CBC) – most popular– Output feedback mode (OFB)– Cipher feedback mode (CFB)– Counter mode (CTR) 7
Electronic Code Book (ECB)• The plaintext is broken into blocks, P1, P2, P3, ...• Each block contains 64 bits each• Each block is encrypted independently of the other blocks• For all blocks in a message, the same key is used for encryption• At the Receiver end, the incoming data is divided into 64-bit blocks and used the same key for decryption 8
Remarks on ECB• Strength: it’s simple.• Weakness: – Repetitive information contained in the plaintext may show in the ciphertext, if aligned with blocks. – If the same message (e.g., an SSN) is encrypted (with the same key) and sent twice, their cipher texts are the same.• Typical application: secure transmission of short pieces of information 9
Cipher Block Chaining (CBC)• The plaintext is broken into blocks: P , P2 , P3 , ... 1• Each plaintext block is XORed ( chained ) with the previous ciphertext block before encryption (hence the name): Ci = E K ( Ci −1 ⊕ Pi ) C0 = IV• Use an Initial Vector ( IV ) to start the process.• Decryption : Pi = Ci −1 ⊕ D K (Ci )• Application : general block-oriented transmission. 10
Remarks on CBC• The encryption of a block depends on the current and all blocks before it.• So, repeated plaintext blocks are encrypted differently.• Initialization Vector (IV) – Must be known to both the sender & receiver – Typically, IV is either a fixed value or is sent encrypted in ECB mode before the rest of ciphertext. 12
Cipher feedback mode (basic version)• Plaintext blocks: p1, p2, …• Key: k• Basic idea: construct key stream k1, k2, k3, …• Encryption: c0 = IV ki = Ek (ci −1 ), for i ≥ 1 ci = pi ⊕ ki , for i ≥ 1 13
Cipher Feedback (CFB) Mode• The plaintext is a sequence of segments of s bits (where s ≤ block-size): P , P2 , P3 , P4 , … 1• Encryption is used to generate a sequence of keys, each of s bits: K1 , K 2 , K 3 , K 4 , …• The ciphertext is C1 , C2 , C3 , C4 , …, where Ci = Pi ⊕ Ki• How to generate the key stream? 14
Generating Key Stream for CFB• The input to the block cipher is a shift register x; its value at stage i is denoted as xi .• Initially, x1 = an initial vector (IV). For i > 1, xi = shift-left-s -bits(xi −1 ) PCi −1.• Then, K i = s -most-significant-bits(E K ( xi )). 15
Decryption in CFB Mode• Generate key stream K1 , K 2 , K 3 , K 4 , … the same way as for encryption.• Then decrypt each ciphertext segment as: Pi = Ci ⊕ K i 17
Remark on CFB• The block cipher is used as a stream cipher.• Appropriate when data arrives in bits/bytes.• s can be any value; a common value is s = 8.• A ciphertext segment depends on the current and all preceding plaintext segments.• A corrupted ciphertext segment during transmission will affect the current and next several plaintext segments. 18
Output feedback mode (basic version)• Plaintext blocks: p1, p2, …• Key: k• Basic idea: construct key stream k1, k2, k3, …• Encryption: k0 = IV ki = Ek ( ki −1 ), for i ≥ 1 ci = pi ⊕ ki , for i ≥ 1 19
Output Feedback (OFB) Mode• Very similar to Cipher Feedback in structure.• But K i −1 rather than Ci −1 is fed back to the next stage.• As in CFB, the input to the block cipher is a shift register x; its value at stage i is denoted as xi .• Initially, x1 = an initial vector (IV). For i > 1, xi = shift-left-s -bits(xi −1 ) PK i −1.• Then, K i = s -most-significant-bits(E K ( xi )). 20
Remark on OFB• The block cipher is used as a stream cipher.• Appropriate when data arrives in bits/bytes.• Advantage: – more resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.• Disadvantage: – Cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly (if the receiver is not aware of the segment loss).• IV should be generated randomly each time and sent with the ciphertext. 22
Counter Mode (CTR)• Plaintext blocks: p1, p2, p3, …• Key: k• Basic idea: construct key stream k1, k2, k3, …• Encryption: T1 = IV Ti = Ti-1 + 1 Ci = Pi ♁ EK(Ti) C = (IV, C1, C2, C3, ...) 23
Remark on CTR• Strengthes: – Needs only the encryption algorithm – Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel; good for high speed links – Random access to encrypted data blocks• IV should not be reused. 24
Data Encryption Standard (DES)• most widely used block cipher in world• adopted in 1977 by NBS (now NIST)• encrypts 64-bit data using 56-bit key• has widespread use• has been considerable controversy over its security
DES History• IBM developed Lucifer cipher – by team led by Feistel in late 60’s – used 64-bit data blocks with 128-bit key• then redeveloped as a commercial cipher with input from NSA and others• in 1973 NBS issued request for proposals for a national cipher standard• IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy• although DES standard is public• was considerable controversy over design – in choice of 56-bit key (vs Lucifer 128-bit) – and because design criteria were classified• subsequent events and public analysis show in fact design was appropriate• use of DES has flourished – especially in financial applications – still standardised for legacy application use
DES : Basic Principles• DES is a Block Cipher.• It Encrypts data in blocks of size 64 bits each• 64 bits of plain text goes as the input to DES, which produces 64 bits of Cipher Text.• The key length is 56 Bits.
Key Size (56 Bits) How ???• The Initial Key Consists of 64 bits.•• Before the DES process starts, every 8th bit of the key is discarded to produce a 56 bit key.• Bit positions (8, 16, 24, 32, 40,48,56,64) are discarded.• These bits can be used for parity checking to ensure that the key does not contain any error
DES - Basics• DES uses the two basic techniques of cryptography – Substitution Technique (confusion) and Transposition Technique (diffusion).• DES consists of 16 Steps, each of which is known as round• Each round performs the steps of Substitution and Transposition
Level of steps in DES1. The 64 bit plain text block is handed over to an Initial Permutation (IP) function2. The IP is performed on plain text3. The IP produces two halves of the permuted block: – LPT (Left Plain Text) – RPT (Right Plain Text)
Level of steps in DES4. Each of LPT and RPT go through 16 rounds of encryption process5. In the End, LPT and RPT are rejoined, and a Final Permutation (FP) is performed on the combined block6. The result produces 64-bit cipher text.
Initial Permutation (IP)• IP happens only once and it happens before the first round• It suggests how the transposition in IP should proceed• It says that the IP replaces the first bit of the original plain text block with the 58th bit of the original plain text block• 2nd bit with 50th bit and so on.
Step 1 : Key Transformation• For each round, 56 bit key is available• From this 56 bit key, a different 48-bit sub key is generated during each round using a process called as Key Transformation• In this method, a 56 bit key is divided into two halves, each of 28 bits• These halves are circularly shifted by 1 or 2 positions, depending on the round
How to Select 48 bit Key from 56 Bit key• Since the Key Transformation process involves permutation as well as selection of a 48 bit sub- set of the original 56-bit key, It is called as Compression Permutation 14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32 18 bit number is discarded
Step 2 : Expansion Permutation• The RPT is expanded from 32 bits to 48 bits• The RPT is divided into 8 blocks, with each block consists of 4 bits• For per 4-bit block, 2 more bits are added.
DES Example - Data K=581FBC94D3A452EA X=3570E2F1BA4682C7X = (x1, x2, x3, …, x64) =( 0011 0101 0111 0000 1110 0010 1111 0001 1011 1010 0100 0110 1000 0010 1100 0111)This plaintext X is first subjected to an Initial Permutation –IP which gives L0 = ( 1010 1110 0001 1011 1010 0001 1000 1001) A E 1 B A 1 8 9R0 =( 1101 1100 0001 111 0001 0000 1111 0100) D C 1 F 1 0 F 4