SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
-
Upload
rosamond-parker -
Category
Documents
-
view
221 -
download
0
Transcript of DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
![Page 1: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/1.jpg)
DES Analysis and Attacks
CSCI 5857: Encoding and Encryption
![Page 2: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/2.jpg)
Outline
• Confusion and diffusion• Attacks and weaknesses
– Linear cryptanalysis attacks– Weak keys
• Exhaustive search attacks– Use of multiple keys– Meet in the middle attacks– Triple DES
![Page 3: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/3.jpg)
Confusion and Diffusion• Use of inputs to
create round key assures each plaintext bit affects many ciphertext bits
• Use of shifts and permutations in key generation assures each key bit affects many ciphertext bits
![Page 4: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/4.jpg)
Cryptanalysis• Differential Cryptanalysis:
Using similar plaintexts to look for patterns in how ciphertext generated
• Linear Cryptanalysis: Attempting to approximate entire cipher as one big set of linear equations – Finding solutions to set of linear equations well
studied in engineering
– Possible if all S-boxes linear
– n bit key requires n known plaintexts to solve
![Page 5: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/5.jpg)
Linear S-Boxes• Linear n x m S-Box can be expressed as linear
equation of form:
c1 = a11x1 a12x2 … a1nxn
c2 = a21x1 a22x2 … a2nxn
…cm = am1x1 am2x2 … amnxn
where xi is ith input bit ci is ith ciphertext bit aij is either 0 or 1
• Each cipherbit character is defined as the XOR of certain input bits
![Page 6: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/6.jpg)
Linear S-Boxes
• Example of linear 3x3 S-Box:
• Corresponding linear equationsc1 = x1 x2 = 1x1 1 x2 0 x3
c2 = x1 x2 x3 = 1x1 1 x2 1 x3
c3 = x2 x3 = 0x1 1 x2 1 x3
00 01 10 11
0 000 011 111 100
1 110 101 001 010
![Page 7: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/7.jpg)
Linear Cryptanalysis ExampleExample: Above S-Box used after XOR stage
![Page 8: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/8.jpg)
Linear Cryptanalysis Example
• S-Box input bit xi = pi ki
• Resulting equations:c1 = (p1 k1) (p2 k2)c2 = (p1 k1) (p2 k2) (p3 k3) c3 = (p2 k2) (p3 k3)
• Can now solve for key bits!k1 = p1 (c1 c2 c3)k2 = p1 (c1 c2)k3 = p1 (c2 c3)
![Page 9: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/9.jpg)
Linear Cryptanalysis
Possible if cipher uses only linear components– Permutation boxes linear by definition!
Shifting from position i to position j is equation cj = 0p1 0 p2 … 1 pi… 0 pn
• Therefore, S-Boxes must not be linear!– They are the only possible nonlinear component
![Page 10: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/10.jpg)
Cryptanalysis Attacks on DES
• Linear Cryptanalysis– DES not designed for this attack (invented after
DES released– However, DES S-Boxes not linear– 243 known plaintexts needed to break DES using
linear cryptanalysis
![Page 11: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/11.jpg)
Weak Keys
• Keys that leave plaintext vulnerable in some way– Simple example: k = 26 in Caesar cipher
• Weak keys in DES produce same round key for multiple rounds– 4 keys give same round key every round– 8 keys give only 2 distinct round keys– 48 keys give only 4 distinct round keys
– Odds unlikely (8.8 x 10-16 ), but should still check randomly generated keys
![Page 12: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/12.jpg)
Exhaustive Search Attacks
• 56-bit key not computationally secure• Parallel processing attacks
– Computer with 1 million chips (1998) key found in 112 hours
– Network of 3500 computers (1977) key found in 120 days
• 56-bit key not recommended by NIST!
“all clones test different keys!”
![Page 13: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/13.jpg)
Multiple Stage DES
• No way to use larger key in DES– Structure “hardwired”
• Only solution: multiple stage DES– Different keys used
each stage– Output ciphertext of
one stage input plaintext of next stage
![Page 14: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/14.jpg)
Multiple Stage DES• Multiple stages with different keys greatly increases
number of possible ciphertexts
– (264)! possible mappings from 264 possible input blocks to 264 possible output blocks
– Only 256 possible keys (tiny fraction of the above)– Extremely unlikely that there exists K3 such that
E(E(P, K1), K2) = E(P, K3)
Possible ciphertexts
Possible ciphertexts
After applying K1 and K2
After applying K1
![Page 15: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/15.jpg)
“Meet In The Middle” Attack
• Theoretically, two stages should be sufficient– Adversary would have to try all combinations of possible K1
and K2
– 256 x 256 = 2112 possible combinations of keys
• Vulnerable to “meet in the middle” attack– Adversary has a known plaintext P and ciphertext C– Works forward encrypting P with all possible K1 – Works backward decrypting C with all possible K2
– Stores results and searches for matches
![Page 16: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/16.jpg)
“Meet In The Middle” Attack“I’ll try all K1 and store the results in a table”
Table of all possible M created by encrypting P
“I’ll try all K2 and store the results in another table”
Table of all possible M created by decrypting C“Now I’ll compare
the two and look for any matches”
![Page 17: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/17.jpg)
“Meet In The Middle” Attack
• M’s (and keys K1 and K2 that created them) kept in sorted tables – 256 runs to create each
table– 56 x 256 comparisons to
find matches– Match gives plausible
values for K1 and K2
• “Double DES” not computationally secure
M K1
1010001…10 0110100…01
M K2
1010001…10 1100110…00
“These match”
“So this might be K1 and K2”
![Page 18: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/18.jpg)
Triple DES
• Need at least three stages of encryption – “Meet in middle”
attack can only take place after at least two stages
– Effectively the same as 112 bit key
K1
K3
K2
“I can only attack here”
![Page 19: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/19.jpg)
Triple DES With Two Keys• Just use K1 twice
(in first and last stage)
• Shorter keys (112 bits instead of 168 bits)
• Still secure (have to try all K1 and K2 to do meet in middle attack)
“Still too hard to crack”
![Page 20: DES Analysis and Attacks CSCI 5857: Encoding and Encryption.](https://reader035.fdocuments.in/reader035/viewer/2022062409/5697bff81a28abf838cbf6e1/html5/thumbnails/20.jpg)
Efficiency of DES
• Fast if burned into hardware– Basic structure corresponds to wiring diagram
• Slow if executed as software– Basic structure doesn’t fit into registers– Much swapping between RAM/registers required
• 3DES even slower