Lecture 4: DES and block ciphers

Transcription

1 Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the key, i.e. {0, 1} 64 {0, 1} General properties of DES The cryptographer s favorite operation, xor, is present in most cryptosystems. It is easily invertible, but at the same time gives immense security since if either input is unknown so is the output. In other words, if we have an equation of the form c = a b then it is quite hard to discern c if we only know a. If we know both inputs we of course know the output but that is true for any function. Breaking a cryptosystem solely based on xor is, however, pretty straightforward. Breaking it is equivalent to solving a linear system of equations mod 2, and this can be done quite efficiently. One common method that applies is gaussian elimination. To prevent this, traditionally, a non-linear table is employed to obfuscate the data, {0, 1} a {0, 1} b. In DES it is done by eight fixed substitution boxes, a.k.a. S-boxes. 1av10

2 bits bits L R f 48 k (XOR) L bits bits Figure 1: Single Round of the DES algorithm (Encryption) The figure above shows a simplified illustration of a single iteration of the DES algorithm, which is used when encrypting data. The figure below shows its inverse, which is used when decrypting data. Both are performed 16 times in a single encryption/decryption. L R bits bits R k 48 f (XOR) L R bits bits Figure 2: Single Inverse Round of the DES algorithm (Decryption) In cryptographic terms the figures above are commonly known as a Feistel 2av10

3 networks 1. Next we need to specify the function f. Note that the ability to decrypt is independent of f and hence the only interesting property is to provide security. The function f consists of the following steps. 1. Expand R to 48 bits. 2. Apply xor with 48 bits from the key, which are selected depending on the current iteration number. 3. Divide the 48 bit result into eight different parts of 6 bits each, and through the use of the eight respective S-boxes, project each part into a part of only four bits {0, 1} 6 {0, 1} Permute the resulting bits. Consult the figure below for an illustration of the four steps. R ( bits) E R (48 bits) K (48 bits) 6 bits 6 bits S1 S2 S3 S4 S5 S6 S7 S8 4 bits 4 bits P R ( bits) Figure 3: Subcomponents of f 1 See table 3.2, 3.4 and figure 3.8 in Cryptography and Network security, Stallings 3av10

4 The input, R, is expanded to 48 bits by duplicating 16 bits from it, while the 48 key bits are selected from among the 56 possible, through the use of two 28-bit registers. As previously mentioned and seen above, DES has eight different S-boxes. Certain conspiracy theories exist that state that these are deliberately flawed by the National Security Agency in the US to allow the agency to exploit these flaws to facilitate cracking data encrypted with DES. To this day, however, no proof has been found to back these theories, even after excruciating crypto-analysis by hundreds of well respected scientists. But still to this day conspiracy theories are alive and well, but most of them point to the suspicious DES key-length of 56 bits. A perceptive student might have noticed that DES permutes the bits on two different occasions, E and P (in the figure above), and this might at first seem redundant. But the fact is that E is in fact not much of a permutation, in fact it permutes the date very little. To see the need for some permutation let us look at the situation when we have no expansion P, the S-boxes map 4 bits to 4 bits and we have no permutation E. In this situation the four least significant bits of all quantities would live their own life and not be influenced by the other bits. The effective block size would be 8 bits as 4 bits of each of L and R would mix and we would not have a good block cipher. The role of P is thus to spread changes within the block and there is one design criteria of the S-boxes with a similar aim. It was required that two blocks which differ only in a single bit should produce very different outputs. In particular it was required that for any two inputs, x and x which differ only in a single bit, then S(x) and S(x ) should differ in at least 2 bits. It is interesting to note that this is a severe restriction and in fact few functions satisfy this property. 2 Modes Modes refers to how block ciphers are used in a broader perspective, i.e. in different encryption modes given a plaintext message with blocks M 1,M 2,... The following subsections contain brief descriptions of some different available modes. Note, however, that the list presented here is far from exhaustive. 2.1 ECB (Electronic Code Book) ECB is the simplest encryption mode, it simply encrypts each message block independently. This method s main advantage is that it is very easy to 4av10

5 implement. C i = E k (M i ) The equation above can be described in layman terms as, crypto text block C i is equal to the plaintext block M i encrypted by a block cipher E and key k. The main disadvantage of this method is that identical plaintext blocks are encrypted to identical ciphertext blocks. 2.2 CBC (Cipher Block Chaining) In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. Thus an arbitrary ciphertext block is dependent on all plaintext blocks up to that point. C i = E k [M i C i 1 ] We set C 0 = N, which is a random initialization vector and is transmitted with the other crypto-blocks. M1 M2 M3 N C1 C2 C3 Figure 4: CBC is designed to make the cipher blocks appear randomized, thus making it impossible to notice repeats in the plaintext, and also make it impossible to change the order of the blocks. The main drawback with this method is that it cannot be parallelized since it is sequential. A possible solution it the use of Counter mode (CTR), which is presented briefly in the next subsection. 5av10

6 2.3 CTR (Counter mode) This mode turns a block cipher into a stream cipher. It generates the next key stream block by encrypting successive values of a "counter", which is sent as part of the message. C 0 = CTR C i = E k [CTR + i] M i This has the same problems as one time tape with regards to malleability and resending of messages. 3 DES security One important (and often missed) security aspect is that of repeating blocks. I f we have T possible blocks, then if the blocks are uniformly distributed the first repeat is expected to occur after T sent blocks. As uniform distribution is rare, in practice we would happen much sooner. 3.1 Is DES secure? The answer to this question is "not really". Since the creation of DES technology has advanced forward at a fast pace, enabling even todays supercomputer s the ability to brute force compute an arbitrary DES key in a reasonable amount of time (days or weeks). And not to mention specially built machines to break DES, which are constantly cheaper and better. This is of course all due to the DES algorithm s short key length of 56 bits, giving 2 56 possible keys. 3.2 Is DES employed in conjunction with CBC secure? The security of DES of any other block cipher is essentially a matter of faith. The only hard evidence that it is indeed secure lies in the fact that nobody knows how to break it. When analyzing modes one can use a different approach. One assumes that the block cipher is secure and then proves that the mode has certain property. In such cases one usually works with a very strong notion of security. Consider the following game. You are given a black box and you are told that the box, given x, either computes E k (x) for a fixed randomly chosen key k or it gives F (x) for a permutation, F picked uniformly at random from 6av10

7 all permutations. Your task is to tell which of the two is the case. If your probability of being correct is essentially 1/2 the block cipher is secure. One can prove that CBC used with a block crypto with such security properties have nice provably properties but do not discuss the details here. 4 Triple DES This is a known variant of DES and is very easy to implement given an implementation of DES. Its strength lies in the new key length of 168 bits which addresses the biggest weakness with standard DES albeit with an unorthodox key length like standard DES. Triple DES works by splitting the key into three parts, and like the name implies, apply the standard algorithm three times, i.e. E k1 E 1 k2 E k3[m]. This solution is actually better than applying E k1 E k2 E k3 [M], because it enables us to choose the k s in such a way that two cancel each other out, e.g. with k 1 = k 2, the result is simply E k3 [M] which is simply the standard DES algorithm. Thus is can be used in a network that also uses standard DES. But if Triple DES is a good idea, then surely Double DES is as well? Unfortunately Double DES can be broken with the same time complexity as standard DES. This is due to double DES s suspectibility to a "meet in the middle" attack, which operates by finding possible keys from each end of the algorithm and then search those sets for matches. The following subsection gives an example and (hopefully) clarifies the issue. 4.1 "Meet in the middle" example Let us assume that we are given a message M, its encryption C, anddouble DES was employed, i.e. C = E k1 (E k2 (M)). One calculates E k2 [M] for all k 2 and stores these values in a hash table. One then computes E 1 k 1 [C], for all k 1 looks for collisions in the hash table that can be investigated further. This approach uses time at most 2 57 so it is only marginally more expensive than single DES. On a more pessimistic note the procedure also uses 2 56 memory and that might be harder to come by. 7av10

8 5 Breaking DES Given a set of known plaintexts and cryptotexts, it is possible to analyze the pairs and construct and reduce the number of keys it is necessary to check. Example s of such an approach are: 1. Differential crypto-analysis Linear crypto-analysis. 3. The former algorithm can successfully crypt-analyze DES by seeing 2 47 chosen plaintexts, the latter algorithm, however, requires 2 43 message blocks, which is 2 46 bytes, or 64 Tera bytes. An examination of the former algorithm is beyond the scope of this lecture, but the latter is presented in the following subsection, although very briefly. 5.1 Linear crypto-analysis Linear cryptanalysis is the method of combining linear equation which often apply. Although the S-boxes are not linear, they can often be approximated linearly with good results. For example, we could perhaps have that outbit[3] = inbit[2] + inbit[5] with a probability of 75%, where the probability is taken over the other inputs. Similar relations might hold with other bits. Using such relations, we can create a chain of equations, where each equation applies with 75% probability, and at the end relates the input data to the output data. Let us be more concrete with a toy example. Suppose we only have two iterations of a cipher where the inputs on the first round in 1 are equal to the message bits M the output of the first round, out 1, equals the inputs to the second round in 2 and the outputs from the second round out 2 equals the crypto bits C. The key bits on the two rounds are k 1 and k 2 respectively. Suppose that because of an S-box used on the first round we have out 1 [3] = in 1 [2] + in 1 [3] + k 1 [2] + k 1 [3] holding with probability.75. Assume for the second round we 2 Biham + Shamir 3 Matsui out 2 [2] + out 2 [4] = in 2 [3] + k 2 [3] 8av10

9 also with probability.75. Now the inputs for the first round is the clear text and the output of the second round is the cipher text and the inputs to the second round are the outputs of the first round. The last fact implies that out 1 [3] = in 2 [3]. Combining the equations we hence get an equation in 1 [2] + in 1 [3] + out 2 [2] + out 2 [4] = k 1 [2] + k 1 [3] + k 2 [3] which is correct with probability ( ) ( ) 2 1 =5/8, 4 where the first terms comes from both equations being correct and the second from both being incorrect. This implies that sampling many times and each time looking at in 1 [2] + in 1 [3] + out 2 [2] + out 2 [4] = M[2] + M[3] + C[2] + C[4] we get a bit that with probability 5/8 equals k 1 [2] + k 1 [3] + k 2 [3] and thus given enough pairs of clear text and crypto texts we will eventually learn this bit of the key. As a general rule for combining equations we have the following fact. Its proof is by a calculation that we omit. For bits: A = B, the probability is 1+p 1 2 B = C, the probability is 1+p 2 2 this leads to: A = C with probability 1+p 1p 2 2 Through tedious equation puzzling, the Japanese crypto-analyst Matsui found a relationship between the in, out, and key bits, for full DES which are correct with probability As we see below this will enable us to extract useful information after roughly 2 44 observed blocks of cleartext and cryptotext. 9av10

10 5.2 Fact from probability theory Suppose we are given a guess of a bit b which is correct with probability 1 +p, 2 how many independent guesses do we need until we are pretty sure to know the value of b? IfweseeN guesses, the expected number of correct guesses is N + Np. 2 The standard deviation of this number is N. We can view the expected advantage, Np, as a signal, and the standard deviation, N, as noise. When the signal is stronger than the noise, we should be able to do something useful. In our case this would mean which is equivalent to Np > N N p 2. This can be made rigorous and we leave the details to the interested reader. 10 av 10