1. Block Ciphers and Data
Encryption Standard
(Class-L8)
Lecture Slides By:
Monalisa Panigrahi
Asst. Professor
LPU
2. Algorithm Types
• It defines what size of plain text
should be encrypted in each step of
algorithm
– Stream Cipher
– Block Cipher
3. Stream Cipher
• Plaintext is encrypted one bit at a time
• Suppose message is “Pay 101” in ASCII
• In binary it can be a series of 1 and 0;
• Every bit will be applied with a encryption
algorithms
• Let Say binary data is 10010101
– Apply XOR with a key operation will get a cipher
text
4. Block Ciphers
• A block of bits is encrypted at one go
• Suppose a plaint text is
FOUR_AND_FOUR
• It can be encrypted in blocks of
“FOUR”, “_AND_”, and “FOUR”
5. How to use a block cipher?
• Block ciphers encrypt fixed size blocks
– E.g. DES encrypts 64-bit blocks
• We need some way to encrypt a message of
arbitrary length
– E.g. a message of 1000 bytes
• NIST defines five ways to do it
– Called modes of operations
5
6. Algorithm Modes
• It is a combination of a series of the
basic algorithm steps on block cipher
and kind of feedback from the
previous steps
7. Five Modes of Operation
– Electronic codebook mode (ECB)
– Cipher block chaining mode (CBC) – most
popular
– Output feedback mode (OFB)
– Cipher feedback mode (CFB)
– Counter mode (CTR)
7
8. Electronic Code Book
(ECB)
• The plaintext is broken into blocks, P1, P2, P3, ...
• Each block contains 64 bits each
• Each block is encrypted independently of the other
blocks
• For all blocks in a message, the same key is used
for encryption
• At the Receiver end, the incoming data is divided
into 64-bit blocks and used the same key for
decryption
8
9. Remarks on ECB
• Strength: it’s simple.
• Weakness:
– Repetitive information contained in the
plaintext may show in the ciphertext, if
aligned with blocks.
– If the same message (e.g., an SSN) is
encrypted (with the same key) and sent
twice, their cipher texts are the same.
• Typical application: secure transmission of
short pieces of information
9
10. Cipher Block Chaining
(CBC)
• The plaintext is broken into blocks: P , P2 , P3 , ...
1
• Each plaintext block is XORed ( chained ) with the previous
ciphertext block before encryption (hence the name):
Ci = E K ( Ci −1 ⊕ Pi )
C0 = IV
• Use an Initial Vector ( IV ) to start the process.
• Decryption : Pi = Ci −1 ⊕ D K (Ci )
• Application : general block-oriented transmission.
10
12. Remarks on CBC
• The encryption of a block depends on the
current and all blocks before it.
• So, repeated plaintext blocks are encrypted
differently.
• Initialization Vector (IV)
– Must be known to both the sender & receiver
– Typically, IV is either a fixed value or is sent
encrypted in ECB mode before the rest of
ciphertext.
12
13. Cipher feedback mode (basic
version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:
c0 = IV
ki = Ek (ci −1 ), for i ≥ 1
ci = pi ⊕ ki , for i ≥ 1
13
14. Cipher Feedback (CFB)
Mode
• The plaintext is a sequence of segments of s bits
(where s ≤ block-size): P , P2 , P3 , P4 , …
1
• Encryption is used to generate a sequence of keys,
each of s bits: K1 , K 2 , K 3 , K 4 , …
• The ciphertext is C1 , C2 , C3 , C4 , …, where
Ci = Pi ⊕ Ki
• How to generate the key stream?
14
15. Generating Key Stream for
CFB
• The input to the block cipher is a shift register x;
its value at stage i is denoted as xi .
• Initially, x1 = an initial vector (IV).
For i > 1, xi = shift-left-s -bits(xi −1 ) PCi −1.
• Then, K i = s -most-significant-bits(E K ( xi )).
15
17. Decryption in CFB Mode
• Generate key stream K1 , K 2 , K 3 , K 4 , …
the same way as for encryption.
• Then decrypt each ciphertext segment as:
Pi = Ci ⊕ K i
17
18. Remark on CFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and
all preceding plaintext segments.
• A corrupted ciphertext segment during
transmission will affect the current and next
several plaintext segments.
18
19. Output feedback mode (basic
version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:
k0 = IV
ki = Ek ( ki −1 ), for i ≥ 1
ci = pi ⊕ ki , for i ≥ 1
19
20. Output Feedback (OFB)
Mode
• Very similar to Cipher Feedback in structure.
• But K i −1 rather than Ci −1 is fed back to the next stage.
• As in CFB, the input to the block cipher is a shift
register x; its value at stage i is denoted as xi .
• Initially, x1 = an initial vector (IV).
For i > 1, xi = shift-left-s -bits(xi −1 ) PK i −1.
• Then, K i = s -most-significant-bits(E K ( xi )).
20
22. Remark on OFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• Advantage:
– more resistant to transmission errors; a bit error in a ciphertext
segment affects only the decryption of that segment.
• Disadvantage:
– Cannot recover from lost ciphertext segments; if a ciphertext
segment is lost, all following segments will be decrypted
incorrectly (if the receiver is not aware of the segment loss).
• IV should be generated randomly each time and sent with
the ciphertext.
22
23. Counter Mode (CTR)
• Plaintext blocks: p1, p2, p3, …
• Key: k
• Basic idea: construct key stream k1, k2, k3, …
• Encryption:
T1 = IV
Ti = Ti-1 + 1
Ci = Pi ♁ EK(Ti)
C = (IV, C1, C2, C3, ...)
23
24. Remark on CTR
• Strengthes:
– Needs only the encryption algorithm
– Fast encryption/decryption; blocks can be processed
(encrypted or decrypted) in parallel; good for high
speed links
– Random access to encrypted data blocks
• IV should not be reused.
24
25. Data Encryption Standard
(DES)
• most widely used block cipher in
world
• adopted in 1977 by NBS (now NIST)
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy
over its security
26. DES History
• IBM developed Lucifer cipher
– by team led by Feistel in late 60’s
– used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher
with input from NSA and others
• in 1973 NBS issued request for proposals
for a national cipher standard
• IBM submitted their revised Lucifer which
was eventually accepted as the DES
27. DES Design Controversy
• although DES standard is public
• was considerable controversy over
design
– in choice of 56-bit key (vs Lucifer 128-bit)
– and because design criteria were classified
• subsequent events and public analysis
show in fact design was appropriate
• use of DES has flourished
– especially in financial applications
– still standardised for legacy application use
28. DES : Basic Principles
• DES is a Block Cipher.
• It Encrypts data in blocks of size 64
bits each
• 64 bits of plain text goes as the
input to DES, which produces 64 bits
of Cipher Text.
• The key length is 56 Bits.
30. Key Size (56 Bits)
How ???
• The Initial Key Consists of 64 bits.
•
• Before the DES process starts, every 8th
bit of the key is discarded to produce a 56
bit key.
• Bit positions (8, 16, 24, 32, 40,48,56,64)
are discarded.
• These bits can be used for parity checking
to ensure that the key does not contain
any error
33. DES - Basics
• DES uses the two basic techniques of
cryptography – Substitution
Technique (confusion) and
Transposition Technique (diffusion).
• DES consists of 16 Steps, each of
which is known as round
• Each round performs the steps of
Substitution and Transposition
34. Level of steps in DES
1. The 64 bit plain text block is handed
over to an Initial Permutation (IP)
function
2. The IP is performed on plain text
3. The IP produces two halves of the
permuted block:
– LPT (Left Plain Text)
– RPT (Right Plain Text)
35. Level of steps in DES
4. Each of LPT and RPT go through 16 rounds
of encryption process
5. In the End, LPT and RPT are rejoined, and
a Final Permutation (FP) is performed on
the combined block
6. The result produces 64-bit cipher text.
38. Initial Permutation (IP)
• IP happens only once and it happens before
the first round
• It suggests how the transposition in IP
should proceed
• It says that the IP replaces the first bit
of the original plain text block with the
58th bit of the original plain text block
• 2nd bit with 50th bit and so on.
41. Initial Permutation IP
• The resulting 64 bits text block is
divided into two half blocks (each 32
bits)
• 16 rounds are performed on these
two blocks
44. Step 1 : Key
Transformation
• For each round, 56 bit key is available
• From this 56 bit key, a different 48-bit sub key
is generated during each round using a process
called as Key Transformation
• In this method, a 56 bit key is divided into two
halves, each of 28 bits
• These halves are circularly shifted by 1 or 2
positions, depending on the round
49. How to Select 48 bit Key
from 56 Bit key
• Since the Key Transformation process involves
permutation as well as selection of a 48 bit sub-
set of the original 56-bit key, It is called as
Compression Permutation
14 17 11 24 1 5 3 28 15 6 21 10
23 19 12 4 26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40 51 45 33 48
44 49 39 56 34 53 46 42 50 36 29 32
18 bit number is discarded
50. Step 2 : Expansion
Permutation
• The RPT is expanded from 32 bits to
48 bits
• The RPT is divided into 8 blocks, with
each block consists of 4 bits
• For per 4-bit block, 2 more bits are
added.
55. S-Box Substitution
• It is a Process that accepts the 48-
bit input from the XOR operation
involving the compressed key and
Expanded RPT and Produces a 32 bit
output using Substitution Technique
67. DES Example - Data
K=581FBC94D3A452EA
X=3570E2F1BA4682C7
X = (x1, x2, x3, …, x64)
=( 0011 0101 0111 0000 1110 0010 1111 0001
1011 1010 0100 0110 1000 0010 1100 0111)
This plaintext X is first subjected to an Initial Permutation –
IP which gives
L0 = ( 1010 1110 0001 1011 1010 0001 1000 1001)
A E 1 B A 1 8 9
R0 =( 1101 1100 0001 111 0001 0000 1111 0100)
D C 1 F 1 0 F 4
72. DES Example - Data
B2 = (0001 1110 1011 1100 1110 1011 1101 1111)
P(B2) = (0101 1111 0011 1110 0011 1001 1111 0111)
R2 = P(B2) ⊕ L1
= (1000 0011 0010 0001 0010 1001 0000 0011)
8 3 2 1 2 9 0 3
L2 = R1 = (1000 0101 1011 1010 1111 0010 1110 0101)
8 5 B A F 2 E 5
73. DES Example - Data -
Done !
Y = (y1, y2,y3, …, y64)
=( 1101 0111 0110 1001 1000 0010 0010 0100
0010 1000 0011 1110 0000 1010 1110 1010)
=( D 7 6 9 8 2 2 4 2 8 3 E 0 A E A)
Editor's Notes
Lecture slides by Lawrie Brown for “Cryptography and Network Security”, 4/e, by William Stallings, Chapter 2 – “ Classical Encryption Techniques ”.
The most widely used private key block cipher, is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. The DES enjoys widespread use. It has also been the subject of much controversy its security.
In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits. Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip. It involved not only IBM researchers but also outside consultants and technical advice from NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip. In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.
Before its adoption as a standard, the proposed DES was subjected to intense & continuing criticism over the size of its key & the classified design criteria. Recent analysis has shown despite this controversy, that DES is well designed. DES is theoretically broken using Differential or Linear Cryptanalysis but in practise is unlikely to be a problem yet. Also rapid advances in computing speed though have rendered the 56 bit key susceptible to exhaustive key search, as predicted by Diffie & Hellman. DES has flourished and is widely used, especially in financial applications. It is still standardized for legacy systems, with either AES or triple DES for new applications.
The overall scheme for DES encryption is illustrated in Stallings Figure3.4, which takes as input 64-bits of data and of key. The left side shows the basic process for enciphering a 64-bit data block which consists of: - an initial permutation (IP) which shuffles the 64-bit input block - 16 rounds of a complex key dependent round function involving substitutions & permutations - a final permutation, being the inverse of IP The right side shows the handling of the 56-bit key and consists of: - an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in two 28-bit halves - 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves
The initial permutation and its inverse are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits. Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite of what we now mostly use - so be careful! Numbers from Bit 1 (leftmost, most significant) to bit 32/48/64 etc (rightmost, least significant). Note that examples are specified using hexadecimal. Here a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”.