1 DES & Hash function. 2 Outline zIntroduction zData Encryption Standard (DES) zDouble & Triple DES...

1

DES & Hash function

2

Outline

Introduction Data Encryption Standard (DES) Double & Triple DES Hash Function MD5 SHA-1

3

Introduction Encryption Schemes

Conventional Encryption (Symmetric) ex: DES

Public-Key Encryption (Asymmetric) ex: RSA

Messagesource

Encryptionalgorithm

Decryptionalgorithm

Destination

K eysource

KSecure Channel

Model of Conventional Cryptosystem

4

Introduction(Cont’d)

Messagesource

Encryptionalgorithm

Decryptionalgorithm

Destination

K ey pairsource

Public-K ey Cryptosystem : Secrecy

KUb

KRb

Source A Destination B

Messagesource

Encryptionalgorithm

Decryptionalgorithm

Destination

K ey pairsource

Public-K ey Cryptosystem : Authentication

KRaKUa

Source A Destination B

5

Data Encryption Standard (DES)

Two inputs to the encryption function plaintext and key

64-bit plaintext passes through an initial permutation to produce the permuted input

16 rounds have the same function permutation and substitution

The pre-output is passed through a permutation (IP-1) to produce the 64-bit ciphertext.

6


Initial permutation

Round 1

Round 2

Permuted choice 2

Permuted choice 2

Left circular shift

Left circular shift

Permuted choice 1

Left circular shiftPermuted choice 2Round 16

32-bit swap

Inverse initialpermutation

K 1

K 2

K 16

64-bit plaintext 56-bit key

…………… ……………

……………

64-bit ciphertext

General Depiction of DES Encryption Algorithm.

7


Initial Permutation (IP)、 Inverse Initial Permutation (IP-1)

Initial Permutation (IP)

58 50 42 34 26 18 10 260 52 44 36 28 20 12 462 54 46 38 30 22 14 664 56 48 40 32 24 16 857 49 41 33 25 17 9 159 51 43 35 27 19 11 361 53 45 37 29 21 13 563 55 47 39 31 23 15 7

Inverse Initial Permutation (IP-1)

40 8 48 16 56 24 64 3239 7 47 15 55 23 63 3138 6 46 14 54 22 62 3037 5 45 13 53 21 61 2936 4 44 12 52 20 60 2835 3 43 11 51 19 59 2734 2 42 10 50 18 58 2633 1 41 9 49 17 57 25

8


Details of Single Round:

)KR(FL RR L

,11

1

iiii

ii

L i-1 Ri-1 Ci-1 Di-1

Left shift(s) Left shift(s)Expansion/permutation(E table)

Permutation/contraction(permuted choice 2)

XOR

Substition/choice(S-box)

Permutation(P)

XOR

RiL i Ci Di

K i

48

48

32

32

F

28 bits 28 bits32 bits 32 bits

9

Expansion Permutation (E) :

Permutation Function (P) :


Expansion Permutation (E)

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 1312 13 14 15 16 1716 17 18 19 20 2120 21 22 23 24 2524 25 26 27 28 2928 29 30 31 32 1

Permutation Function (P)

16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 919 13 30 6 22 11 4 25

10

S-box 8 S-boxes each accepts 6 bits input, produces 4 bits output


R (32 bits)

48 bits

E

K (48 bits)

+

S1 S2 S3 S4 S5 S6 S7 S8

P

32 bits

11

S-box The first and last bits of the

input to box Si to select a row

The middle 4 bits select a column.

ex : in S1, input ＝ 010011, the row is 01, the column is 1001 => output ： 0110


12

DES Key Generation

56-bit key used as input and produces a 48-bit output the function F(Ri-1,Ki)

Permuted Choice One (PC-1)

At each round, Ci-1 and Di-1 are separately subjected to acircular left shift of 1 or 2 bits.


57 49 41 33 25 17 9 1 58 50 42 34 26 1810 2 59 51 43 35 2719 11 3 60 52 44 3663 55 47 39 31 23 15 7 62 54 46 38 30 2214 6 61 53 45 37 2921 13 5 28 20 12 4

(c) Schedule of Left Shifts ─────────────────────────────── Round number 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Bits rotated 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1 ───────────────────────────────

13


DES Key Generation

Permuted Choice Two (PC-2)

14 17 11 24 1 5 3 2815 6 21 10 23 19 12 426 8 16 7 27 20 13 241 52 31 37 47 55 30 4051 45 33 48 44 49 39 5634 53 46 42 50 36 29 32

14

DES Decryption Algorithm

DES Decryption uses the samealgorithm as encryption, exceptthe application of the subkeys is reversed.

The initial permutation (IP) is the same as the IP-1 at theencryption part

15


LERD LERDRELD RELD

way,same By theLE RD RE LD

LE )]K,F(RE )K,[F(RE LE )K,F(RE )]K,F(RE [LE

)K,F(RE RE )K,F(RD LD RD

RELE RD LD )K,F(RD LD RD

RD LD )K,F(RE LE RE LD

RE LE RD

016 -16

016-16

15 1

15 1

15

16151615 15

16151615 15

1615 16

16o 0 1

15 16 0 1

)1(161 1

1

1615 15 16 0

15 16 0

ii

ii

iiii

ii

[Note] LEi, REi : the output of the ith encryption round LDi, RDi : the output of the ith decryption round

Input (plaintext)

LE 0 RE0K 1

RE1 LE 1K 2

LE 2 RE2

F⊕

F ⊕

⊕

⊕

F

F

LE 14 RE14

RE15 LE 15

K 15

K 16

LE 16 RE16

LE 16RE16

Output (ciphertext)

Input (ciphertext)

F⊕

F ⊕

⊕

⊕

F

F

LD 16=RE0

K 1

K 2

Output (plaintext)

RD16=LE0

RD15=LE1LD 15=RE1

LD 14=RE2 RD14=LE2

RD16=LE0LD 16=RE0

K 16LD 0=RE16 RD0=LE16

LD 2=RE14 RD2=LE14

K 15RD1=LE15LD 1=RE15

16

After a 32-bit swap, the data at the decryption part is the same as the data before encrypted.

Finally, the data passes through an IP-1

return to the original plaintext


17


Avalanche Effect : a small change in either the plaintext or the key should produce a significant change in the ciphertext.

DES exhibits a strong avalanche effect.

18

Double DES

meet-in-the-middle attack : Given a known pair ( P,C ).

K1,K2 are not independent. The Complexity is similar to thesingle DES.

256

P CK2 X

K1 K2

K1 X

256

19

Encryption-Decryption-Encryption (EDE)

The cost of a brute-force key search on triple DES : 2112

Currently, there are no practical cryptanalytic attacks of triple DES.

Triple DES

20

Hash Function

h = H(M) M : variable-length message H(M) : fixed-length message

The hash value is appended to the message at the source.

The receiver authenticates that message by re-computing the hash value .

21

Hash Function

22

Requirement for a Hash Function H can be applied to a block of data of any size.

H produces a fixed-length output.

H(x) is relatively easy to compute for any given x.

one-way property

weak collision resistance

Hash Function

23

MD5

Input variable-length message The input is processed in 512-bit block

Output a 128-bit message digest

Message 100...0

Y 0 Y 1 Y q Y L-1… …

HMD5 HMD5 HMD5 HMD5

512 bits 512 bits 512 bits 512 bits

512 512 512 512

128

CV 1

128

CV q

128

CV L-1

128

IV

128-bit digest

K bitsL x 512 bits = N x 32 bits

24

MD5

Append padding bits the padding bits : 1 512 bits (100…0) Padding is always added, even if the message is already

of the desired length. ex: the message is 448 bits long,

it is padded by 512 bits to a length of 960 bits

Append length a 64-bit representation of the original message’s length If the original length greater than 264

K mod 264 (the low-order 64 bits of the length)

25

Initialize MD buffer The buffer can be represented as four-32 bit

registers(A,B,C,D) A = 67452301 B = EFCDAB89 C = 98BADCFE D = 10325476

The heart of the algorithm is a compression function

four rounds each round processes 16 steps The four rounds have a similar structure, but each uses a

different primitive logical function (F,G,H,I).

MD5

26

MD5

F, T[1...16], X[i]16 steps

G, T[17...32], X[ρ 2i]16 steps

H, T[33...48], X[ρ 3i]16 steps

I, T[49...64], X[ρ 4i]16 steps

+ + + +

128512

Y q CV q

A B C D

A B C D

A B C D

A B C D

32

128

CV q+1

Note: Addition (+) is mod 232.

27

MD5 A,B,C,D D,{[(A+g(B,C,D)

+X[k]+T[i]) <<< s]+B},B,C

g : one of the primitive functions F,G,H,I

<<<s : circular left shift by s bits

X[k] : the k’th 32-bit word in the 512-bit block of the message round 1 k = i-1 round 2 k = [1+5(i-1)] mod 16 round 3 k = [5+3(i-1)] mod 16 round 4 k = [7(i-1)] mod 16

T[i] : the i’th 32-bit word in matrix T

+ : addition modulo 232 ^, , ¯, : AND,OR,NOT,XOR

A B C D

+

+

+

CLS s

+

A B C D

gX[k]

T[i]

Elementary MD5 Operation (single step).

28

Round Primitive function g g(b, c, d)

1 F(b, c, d)

2 G(b, c, d)

3 H(b, c, d)

4 I(b, c, d)

)()( dbcb )()( dcdb

dcb )( dbc

MD5

29

MD5 Table T, constructed from the sine function

───────────────────────────────────

T[1] = D76AA478 T[17] = F61E2562 T[33] = FFFA3942 T[49] = F4292244

T[2] = E8C7B756 T[18] = C040B340 T[34] = 8771F681 T[50] = 432AFF97

T[3] = 242070DB T[19] = 265E5A51 T[35] = 699D6122 T[51] = AB9423A7

T[4] = C1BDCEEE T[20] = E9B6C7AA T[36] = FDE5380C T[52] = FC93A039

T[5] = F57C0FAF T[21] = D62F105D T[37] = A4BEEA44 T[53] = 655B59C3

T[6] = 4787C62A T[22] = 02441453 T[38] = 4BDECFA9 T[54] = 8F0CCC92

T[7] = A8304613 T[23] = D8A1E681 T[39] = F6BB4B60 T[55] = FFEFF47D

T[8] = FD469501 T[24] = E7D3FBC8 T[40] = BEBFBC70 T[56] = 85845DD1

T[9] = 698098D8 T[25] = 21E1CDE6 T[41] = 289B7EC6 T[57] = 6FA87E4F

T[10] = 8B44F7AF T[26] = C33707D6 T[42] = EAA127FA T[58] = FE2CE6E0

T[11] = FFFF5BB1 T[27] = F4D50D87 T[43] = D4EF3085 T[59] = A3014314

T[12] = 895CD7BE T[28] = 455A14ED T[44] = 04881D05 T[60] = 4E0811A1

T[13] = 6B901122 T[29] = A9E3E905 T[45] = D9D4D039 T[61] = F7537E82

T[14] = FD987193 T[30] = FCEFA3F8 T[46] = E6DB99E5 T[62] = BD3AF235

T[15] = A679438E T[31] = 676F02D9 T[47] = 1FA27CF8 T[63] = 2AD7D2BB

T[16] = 49B40821 T[32] = 8D2A4C8A T[48] = C4AC5665 T[64] = EB86D391

───────────────────────────────────

30

MD5

/* Round 1. */ /* Let [abcd k s i] denote the operation a = b + ((a + F(b,c,d) + X[k] + T[i]<<<s). Do the following 16 operations. */ [ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4] [ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8] [ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12] [ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]

/* Round 2. */ /* Let [abcd k s i] denote the operation a = b + ((a + G(b,c,d) + X[k] + T[i]<<<s). Do the following 16 operations. */ [ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20] [ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24] [ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28] [ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32]

31

MD5

/* Round 3. */ /* Let [abcd k s i] denote the operation a = b + ((a + H(b,c,d) + X[k] + T[i]<<<s). Do the following 16 operations. */ [ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36] [ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40] [ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44] [ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48]

/* Round 4. */ /* Let [abcd k s i] denote the operation a = b + ((a + I(b,c,d) + X[k] + T[i]<<<s). Do the following 16 operations. */ [ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA 5 21 52] [ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55] [BCDA 1 21 56] [ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60] [ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64]

32

MD5

For each step, only one of four buffers is updated.

Four different circular left shift are used in each round and different from round to round.

33

Secure Hash Algorithm (SHA-1)

Input input message with a maximum length of less than 264 bits The input is processed in 512-bit block

Output a 160-bit message digest

Append padding bits Append length Initialize MD buffer

The buffer can be represented as five-32 bit registers. A = 67452301 D = 10325476 B = EFCDAB89 F = C3D2E1F0 C = 98BADCF

34


The heart of the algorithm is a compression function

four rounds each round processes 20 steps The four rounds have a similar structure, but each uses

a different primitive logical function (f1,f2,f3,f4).

35


f1, K, W[0...19]20 steps

+ + + +

160512

Y q CV q

A B C D

A B C D

A B C D

A B C D

32

160

CV q+1

Note: Addition (+) is mod 232.

E

E

E

E

f2, K, W[20...39]20 steps

f3, K, W[40...59]20 steps

f4, K, W[60...79]20 steps

+

SHA-1 Processing of a Single 512-bit Block

36


A,B,C,D,E [E+f(t,B,C,D)+S5(A)+Wt

+Kt ],A,S30(B),C,D t : step number ; 0 t 79 f(t,B,C,D): one of the primitive

functions (f1,f2,f3,f4) for step t

Sk : circular left shift by k bits Kt : an additional constant ;

four distinct value are used

A B C D

+

+

+

A B C D

E

E

+

Wt

K t

Ft

S5

S30

Elementary SHA Operation (single step).

37


Step Function Name Function Value

(0 ≦ t ≦ 19) f1 = f(t, B, C, D)

(20 ≦ t ≦ 39) f2 = f(t, B, C, D)

(40 ≦ t ≦ 59) f3 = f(t, B, C, D)

(60 ≦ t ≦ 79) f4 = f(t, B, C, D)

)()( DBCB

DCB )()()( DCDBCB

DCB

───────────────────────

Step Number Hexadecimal Take Integer Part of:

0 t 19 K≦ ≦ t = 5A827999

20 t 39 K≦ ≦ t = 6ED9EBA1

40 t 59 K≦ ≦ t = 8F1BBCDC

60 t 79 K≦ ≦ t = CA62C1D6

───────────────────────

]22[ 30

]32[ 30 ]52[ 30

]102[ 30

38


Wt : a 32-bit word derived from current 512-bit input block

in the first 16 steps of processing, Wt is equal to the corresponding word in the message block.

for the remaining 64 steps :Wt = S1(Wt-16 Wt-14 Wt-8 Wt-3)ex : W16 = S1(W0 W2 W8 W13)

For each step, two of buffers are updated.

Y q

W0 W1 W15 W16… …

XOR

S1

W0 W2 W8 W13

XOR

S1

Wt-16 W t-14 W t-8 W t-3

W t

XOR

S1

W63 W65 W71 W76

W79…

512 bits

39

Comparison of SHA-1 and MD5

Complicacy: MD5 :

Uses one of 16 words of a message block directly as input of each step function.

Only the order of the words is permuted from round to round.

SHA-1 : Expands the 16 blocks words to 80 words for using in the

compression function.

SHA-1 complicates the task of finding a different message block that maps to the same compression function output.

.

40

Comparison of SHA-1 and MD5 Security against brute-force attacks

to produce any message having a given message digest : MD5 requires on the order of 2128 operations. SHA-1 " " " " " 2160 " .

to produce two message having the same message digest :

MD5 requires on the order of 264 operations. SHA-1 " " " " " 280 " .

SHA-1 is stronger against brute-force attacks.

41

Comparison of SHA-1 and MD5 Speed

Both algorithms rely heavily on addition modulo 232. SHA-1 involves more steps (80 v.s. 64) and process a

160-bit buffer compare to MD5’s 128-bit buffer. SHA-1 should execute more slowly than MD5 on the

same hardware.

Simplicity and compactness Both algorithms are simple to describe and simple to

implement.

42

Little-endian versus big-endian architecture

MD5 uses a little-endian scheme for interpreting a message as a sequence of 32-bit words.

SHA-1 uses a big-endian scheme.

Comparison of SHA-1 and MD5

1 DES & Hash function. 2 Outline zIntroduction zData Encryption Standard (DES) zDouble & Triple DES...

Documents

Transcript of 1 DES & Hash function. 2 Outline zIntroduction zData Encryption Standard (DES) zDouble & Triple DES...