feistel des lawrie brown
TRANSCRIPT
-
8/9/2019 Feistel Des Lawrie Brown
Cryptography and Network Security
Chapter 3
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown
-
Block vs Stream Ciphers
block ciphers process messages in blocks, each of which is then en/decrypted
like a substitution on very big characters
    64-bits or more
stream ciphers process messages a bit or byte at a time when en/decrypting
many current ciphers are block ciphers
    better analysed
    broader range of applications
-
Block vs Stream Ciphers
-
Block Cipher Principles
most symmetric block ciphers are based on a Feistel Cipher Structure
needed since must be able to decrypt ciphertext to recover messages efficiently
block ciphers look like an extremely large substitution
would need table of 2^64 entries for a 64-bit block
instead create from smaller building blocks
using idea of a product cipher
-
Ideal Block Cipher
-
Claude Shannon and Substitution-Permutation Ciphers
Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
form basis of modern block ciphers
S-P nets are based on the two primitive cryptographic operations seen before:
    substitution (S-box)
    permutation (P-box)
provide confusion & diffusion of message & key
-
Feistel Cipher Structure
Horst Feistel devised the Feistel cipher
    based on concept of invertible product cipher
partitions input block into two halves
    process through multiple rounds which
    perform a substitution on left data half
    based on round function of right half & subkey
    then have permutation swapping halves
implements Shannon's S-P net concept
-
Feistel Cipher Design Elements
block size
key size
number of rounds
subkey generation algorithm
round function
fast software en/decryption
ease of analysis
-
Data Encryption Standard (DES)
most widely used block cipher in world
adopted in 1977 by NBS (now NIST)
    as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy over its security
-
DES History
IBM developed Lucifer cipher
    by team led by Feistel in late 60's
    used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher with input from NSA and others
in 1973 NBS issued request for proposals for a national cipher standard
IBM submitted their revised Lucifer which was eventually accepted as the DES
-
DES Design Controversy
although DES standard is public
was considerable controversy over design
    in choice of 56-bit key (vs Lucifer 128-bit)
    and because design criteria were classified
subsequent events and public analysis show in fact design was appropriate
use of DES has flourished
    especially in financial applications
    still standardised for legacy application use
-
DES Encryption Overview
-
Initial Permutation IP
first step of the data computation
IP reorders the input data bits
even bits to L half, odd bits to R half
quite regular in structure (easy in h/w)
example:
    IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
-
DES Round Structure
uses two halves
as for any Feistel cipher can describe as:
    L_i = R_{i-1}
    R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
F takes R half and 48-bit subkey:
    expands R to 48-bits using perm E
    adds to subkey using XOR
    passes through 8 S-boxes to get
-
DES Round Structure
-
DES Example
-
Avalanche in DES
-
Avalanche Effect
key desirable property of encryption alg
where a change of one input or key bit results in changing approx half output bits
making attempts to "home-in" by guessing keys impossible
DES exhibits strong avalanche
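
Added example (not part of the original slides): a 64-bit Feistel network built from the round equations L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i), used to measure the avalanche effect as the number of rounds grows. The SHA-256-based round function and key schedule are assumed stand-ins, not DES's own F or subkey generation, and the plaintext and key are constructed sample values.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def round_f(right, subkey):
    # Assumed stand-in for DES's F (expand, XOR subkey, S-boxes, permute).
    # It is deliberately not invertible: Feistel decryption never inverts F.
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def subkeys(key, rounds):
    # Assumed toy key schedule: one 32-bit subkey per round.
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]

def feistel(block, ks):
    left, right = block >> 32, block & MASK32
    for k in ks:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_f(right, k)
    # Swap the halves on output so the same routine decrypts.
    return (right << 32) | left

def encrypt(block, key, rounds=16):
    return feistel(block, subkeys(key, rounds))

def decrypt(block, key, rounds=16):
    # Same structure, subkeys in reverse order.
    return feistel(block, subkeys(key, rounds)[::-1])

def avalanche(block, key, bit, rounds=16):
    # Ciphertext bits that change when one plaintext bit is flipped.
    diff = encrypt(block, key, rounds) ^ encrypt(block ^ (1 << bit), key, rounds)
    return bin(diff).count("1")

def mean_avalanche(block, key, rounds=16):
    return sum(avalanche(block, key, b, rounds) for b in range(64)) / 64

if __name__ == "__main__":
    pt, key = 0x0123456789ABCDEF, b"constructed key"   # constructed sample values
    assert decrypt(encrypt(pt, key), key) == pt
    for r in (1, 2, 4, 16):
        print(r, "rounds:", mean_avalanche(pt, key, r), "of 64 bits change")
```

With a single round, a flipped bit in the left half changes exactly one output bit; the average approaches half of the 64 output bits only after several rounds.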
-
Strength of DES - Key Size
56-bit keys have 2^56 = 7.2 x 10^16 values
brute force search looks hard
recent advances have shown is possible
    in 1997 on Internet in a few months
    in 1998 on dedicated h/w (EFF) in a few days
    in 1999 above combined in 22hrs!
still must be able to recognize plaintext
must now consider alternatives to DES
-
Strength of DES - Analytic Attacks
now have several analytic attacks on DES
these utilise some deep structure of the cipher
    by gathering information about encryptions
    can eventually recover some/all of the sub-key bits
    if necessary then exhaustively search for the rest
generally these are statistical attacks
    differential cryptanalysis
    linear cryptanalysis
    related key attacks
-
Strength of DES - Timing Attacks
attacks actual implementation of cipher
use knowledge of consequences of implementation to derive information about some/all subkey bits
specifically use fact that calculations can take varying times depending on the value of the inputs to it
particularly problematic on smartcards
-
Differential Cryptanalysis
one of the most significant recent (public) advances in cryptanalysis
known by NSA in 70's cf DES design
Murphy, Biham & Shamir published in 90's
powerful method to analyse block ciphers
used to analyse most current block ciphers with varying degrees of success
DES reasonably resistant to it, cf Lucifer
-
Differential Cryptanalysis
a statistical attack against Feistel ciphers
uses cipher structure not previously used
design of S-P networks has output of function f influenced by both input & key
hence cannot trace values back through cipher without knowing value of the key
differential cryptanalysis compares two related pairs of encryptions
-
Differential Cryptanalysis Compares Pairs of Encryptions
with a known difference in the input
searching for a known difference in output
when same subkeys are used
-
Differential Cryptanalysis
have some input difference giving some output difference with probability p
if find instances of some higher probability input / output difference pairs occurring
can infer subkey that was used in round
then must iterate process over many rounds (with decreasing probabilities)
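
Added example (not part of the original slides): the difference distribution table of a 4-bit S-box, showing that some input/output difference pairs occur with much higher probability than others, and that an observed pair restricts the subkey of a single toy round y = S(x XOR k). The S-box is the first row of DES S1 used as a 4-bit box; the one-round toy cipher and the function names are assumptions for illustration.

```python
# First row of DES S1, treated here as a stand-alone 4-bit S-box.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def ddt(sbox):
    # table[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy.
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def subkey_candidates(sbox, x1, x2, dy):
    # Subkeys k consistent with one observed pair of the toy round
    # y = S(x ^ k): the key cancels in the input difference x1 ^ x2,
    # but only some k reproduce the observed output difference dy.
    return [k for k in range(len(sbox))
            if sbox[x1 ^ k] ^ sbox[x2 ^ k] == dy]

def key_votes(sbox, observations):
    # observations: list of (x1, x2, dy). Every pair votes for each
    # subkey it is consistent with; the true subkey collects all votes.
    votes = [0] * len(sbox)
    for x1, x2, dy in observations:
        for k in subkey_candidates(sbox, x1, x2, dy):
            votes[k] += 1
    return votes

if __name__ == "__main__":
    table = ddt(SBOX)
    print("dx=0xB row:", table[0xB])          # far from uniform
    secret = 0x6                              # constructed subkey
    obs = [(x, x ^ dx, SBOX[x ^ secret] ^ SBOX[x ^ dx ^ secret])
           for x, dx in [(0, 0xB), (3, 0x4), (9, 0x8), (5, 0xF)]]
    print("votes per subkey:", key_votes(SBOX, obs))
```

A design-side reading: the flatter each row of this table, the lower the probability p of any single difference pair, which is the property S-box selection has to control.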
-
Differential Cryptanalysis
-
Differential Cryptanalysis
perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
when found
    if intermediate rounds match required XOR have a right pair
    if not then have a wrong pair, relative ratio is S/N for attack
can then deduce keys values for the rounds
    right pairs suggest same key bits
    wrong pairs give random values
for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
Biham and Shamir have shown how a *
-
Linear Cryptanalysis
another recent development
also a statistical method
must be iterated over rounds, with decreasing probabilities
developed by Matsui et al in early 90's
based on finding linear approximations
can attack DES with
-
Block Cipher Design
basic principles still like Feistel's in 1970's
number of rounds
    more is better, exhaustive search best attack
function f:
    provides "confusion", is nonlinear, avalanche
    have issues of how S-boxes are selected
key schedule
    complex subkey creation, key avalanche
-
Summary
have considered:
    block vs stream ciphers
    Feistel cipher design & structure
    DES
        details
        strength
    Differential & Linear Cryptanalysis
    block cipher design principles