1

Lecture 3: Secret Key Cryptography

Outline• concepts• DES• IDEA• AES

2

Glossary• plaintext – message in its original form• ciphertext – encrypted message• encryption – process of producing ciphertext from plaintext• decryption – reverse process• breaking encryption scheme – discovering plaintext that

matches ciphertext• cryptoanalyst, attacker, intruder, bad guy – an entity trying to

break encryption

3

Concepts• block cipher – encrypts blocks of data (say 64), essentially

substituting 64 bit-data block by 64-bit encrypted block– we can specify cipher by stating the complete

data->encryption, is it possible?– can two data blocks map to the same encrypted block?– can we map a data block to a smaller (larger) encrypted

block? • two basic operations for k-bit blocks

– substitution – for each 2k inputs specify output, impractical for large k

– permutation – for each bit specifies the output position it gets• block encryption usually contains multiple rounds of

substituitions and premutations

4

(Exclusive-OR)

• Bitwise operation with two inputs where the output bit is 1 if exactly one of the two input bits is one

• (B A) A) = B• If A is a “one time pad”, very efficient and secure• Common encryption schemes (e.g. RC4) calculate a pseudo-

random stream from a key

5

DES Intro• DES – Data Encryption Standard• published in 1977 by National Bureau of Standards (now NIST)

with input from NSA• based on IBM Lucifer cipher• encodes 64-bit blocks• uses 56-bit key

– key consists of 8 octets, where 7 bits are useful and 8th is parity

• efficient to implement in hardware, but slow in software• the adoption of DES was done without public scrutiny• some operations are suspect

6

DES Basic Structure• encryption

– 64 bit data block is permuted (initial permutation)– from 56-bit key – generate sixteen 48-bit round keys– 16 rounds: at each round take 64-bit data from previous

round and 48-bit key and produce data for the next round– final permutation (inverse of initial permutation)

• decryption– do initial permutation (to undo final)– run 16 rounds “in reverse” (more later)– do final permutation

• security value of initial/final permutations is suspect

7

DES Round Key Generation• 56-bit key is divided into two 28-bit halves: C0 and D0• initial permutation of both parts (security value suspect)• 16 rounds

– in each round the bits Ci-1 and Di-1 are rotated (to produce Ci and Di) then permuted (this permutation may be of security value) and some bits dropped to produce two 24-bit halves of Ki

8

DES Round

• 64-bit input is divided into 32-bit halves Ln and Rn

• observe that due to properties of decoding can be done even if the mangler function is not reversible

encoding decoding

9

DES Mangler Function• takes 32-bit Rn and 48-bit Kn and produces a 32-bit Rn+1

• operation

– 32-bit Rn is expanded to 48 bits – each 4-bits are expanded to 6 bits by duplicating adjacent bits

– each 6 bits or Rn are XOR-ed with corresponding 6 bits of Kn and fed into S-Box (1 through 8) each S-box is different

– S-Box is a (completely defined) substitution that accepts 6 bits and produces 4 bits (mapping is not unique)

– the output 32 bits are then permuted to produce Rn+1 the idea of the permutation is so that the output of one S-Box affexts the input of multiple S-Boxes in the next round

10

DES Weak Keys• there are sixteen DES keys that are suspect• 4 weak keys:

– C0 and D0 are either all 0s or all 1s - thekeys are their own inverses (encrypting with the key is the same as decrypting with it)

• semi-weak:– either all 0s and all 1s or alternating 0s and 1s

11

Why is DES the Way it Is?• operations in DES appear simple and arbitrary• things are however mysterious

– if S-Boxes 3 and 7 are swapped, DES is an order of magnitude less secure

• DES design process was not public, so it is not clear how the details were chosen

• if they leave some hidden weakness?• possibility

– DES was designed to be strong against specific attacks the designers knew about but did not publish (not to educate the bad guys)

– are the other standards vulnerable to these attacks?

12

IDEA• IDEA = international data encryption standard• devloped by Lai and Massey, 1992• 64-bit block size, 128-bit key• similar to DES in the sense – operates in rounds, complicated

one-way mangler function• 8.5 rounds of:

: bitwise XOR

+: addition mod 216

: multplication mod 216 + 1• decryption: same as encryption, with inverse keys• very secure, a bit slow (about the same as DES)

13

AESAES = Advanced Encryption Standard• public design process:• NIST’s request for proposals (1997)• Winner: Rijndael (2000)• Rijndael

– 128, 192, or 256-bit block size, 128, 192, or 256-bit key.– algebraically designed s-boxes, input is divided into octets – 10-14 rounds of:

• Byte substitution in every octet using s-box• shifting (rotating) rows• MixColumn – spread octets according specified

MicColumn table• XOR with a RoundKey

– Decryption is by design similar to encryption