Lectures #3
Block Ciphers and the Data
Encryption Standard
CYS535 Network Security
Prepared By: Dr. Ihab ELAFF
        Chapter 3
Block Ciphers and the Data
   Encryption Standard
3.1 Block Cipher Principles
Modern Block Ciphers
• One of the most widely used types of
  cryptography algorithms
• Provide strong secrecy and/or authentication
  services
• In particular will introduce DES (Data
  Encryption Standard)
Block vs Stream Ciphers
• Block Ciphers process messages into blocks,
  each of which is then encrypted/decrypted like a
  substitution on very big characters (64-bits or
  more)
• Stream Ciphers process messages a bit or byte
  at a time when encrypting/decrypting
• Many current ciphers are Block Ciphers
Block Cipher Principles
• Block Ciphers look like an extremely large
  substitution
• It needs table of 264 entries for a 64-bit block
• Arbitrary reversible substitution cipher for a large
  block size is not practical (64-bit general
  substitution block cipher, key size 264!)
• Most symmetric block ciphers are based on a
  Feistel Cipher Structure
Block Cipher Principles
      General n-bit-n-bit Block Substitution
Feistel Cipher Structure
• Horst Feistel devised the feistel cipher
 ▫ implements Shannon’s substitution-permutation
   network concept
 ▫ partitions input block into two halves
 ▫ process through multiple rounds which
 ▫ perform a substitution on left data half
 ▫ based on round function of right half & subkey
 ▫ then have permutation swapping halves
Feistel Cipher Structure
    Feistel Cipher Encryption
  “F” is the round function
 K0,K1,…. ,Kn the sub-keys rounds
   0,1,… ,n.
 Encryption:
1.  Split the Plaintext block into
    two equal pieces L0, R0
2. For i = 0,1, …n
    Li+1 = Ri
    Ri+1 = Li⊕F(Ri, Ki)
    Feistel Cipher Decryption
  “F” is the round function
 K0,K1,…. ,Kn the sub-keys rounds
   0,1,… ,n.
 Decryption:
1.  Split the Ciphertext block into
    two equal pieces Ln+1, Rn+1
2. For i = n,n-1, …0
    Ri = Li+i
    Li = Ri+1⊕F(Li+1, Ki)
Feistel Cipher Design Principles
• block size
  ▫ increasing size improves security, but slows cipher
• key size
  ▫ increasing size improves security, makes exhaustive key searching
    harder, but may slow cipher
• number of rounds
  ▫ increasing number improves security, but slows cipher
• subkey generation
  ▫ greater complexity can make analysis harder, but slows cipher
• round function
  ▫ greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
  ▫ are more recent concerns for practical use and testing
3.2 Data Encryption Standard (DES)
Data Encryption Standard (DES)
• Most widely used block cipher in world
• Encrypts 64-bit data using 56-bit key
• Adopted in 1977 by the National Institute of
  Standards and Technology (NIST), as Federal
  Information Processing Standard 46 (FIPS PUB
  46).
DES Design Controversy
• DES standard is public
• Was considerable controversy over design in
  choice of 56-bit key (vs Lucifer 128-bit)
• Subsequent events and public analysis show in
  fact design was appropriate
• DES has become widely used, especially in
  financial applications
DES Encryption
• Permutation (16 bit to 16 bit)
DES Encryption
• Permutation (16 bit to 14 bit)
DES Encryption
DES Encryption Steps
• 1 Process the key.
• 2 Process a 64-bit data block.
DES Encryption Steps:
1-Process the key.
• 1.1 Get a 64-bit key from the user. (Every 8th bit
  (the least significant bit of each byte) is
  considered a parity bit. For a key to have correct
  parity, each byte should contain an odd number
  of "1" bits.) This key can be entered directly, or it
  can be the result of hashing something else.
  There is no standard hashing algorithm for this
  purpose.
DES Encryption
DES Encryption Steps:
1-Process the key.
• 1.2 Calculate the key schedule.
• 1.2.1 Perform the following permutation on the
  64-bit key. (The parity bits are discarded,
  reducing the key to 56 bits. Bit 1 (the most
  significant bit) of the permuted block is bit 57 of
  the original key, bit 2 is bit 49, and so on with bit
  56 being bit 4 of the original key.)
DES Encryption Steps:
1-Process the key.
DES Encryption Steps:
1-Process the key.
• 1.2.2 Split the permuted key into two halves. The
  first 28 bits are called C0 and the last 28 bits are
  called D0.
DES Encryption Steps:
1-Process the key.
• 1.2.3 Calculate the 16 sub keys. Start with i=1
1- Perform one or two circular left shifts on both Ci-1
and Di-1 to get Ci and Di, respectively. The number of
shifts per iteration are given in the table below.
DES Encryption Steps:
1-Process the key.
• 1.2.3 Calculate the 16 sub keys. Start with i=1
2-Permute the concatenation CiDi as indicated below.
This will yield the key Ki, which is 48 bits long.
3 Loop back to step 1 until K16 has been calculated.
DES Encryption Steps:
2-Process a 64-bit data block.
• 2.1 Get a 64-bit data block. If the block is shorter
  than 64 bits, it should be padded as appropriate
  for the application.
• 2.2 Perform the Initial
permutation on the data
block using the
following tables.
DES Encryption Steps:
2-Process a 64-bit data block.
• 2.3 Split the block into two halves. The first 32-
  bit are called L0, and the last 32-bit are called R0.
DES Encryption
DES Encryption Steps:
2-Process a 64-bit data block.
• 2.4 Apply the 16 Rounds Start with i = 1:
  ▫ 2.4.1 Expand the 32-bit Ri-1 into 48 bits according
    to the bit-selection function using Expansion
    Permutation table:
DES Encryption Steps:
2-Process a 64-bit data block.
• 2.4 Apply the 16 Rounds Start with i = 1:
  ▫ 2.4.2 Xi = E(Ri-1) ⊕Ki (Ki is the key which is generated
    in the previous section) [Xi is 48-bit].
  ▫ 2.4.3 Xi into eight 6-bit blocks. Bits 1-6 are B1, bits 7-12
    are B2, and so on with bits 43-48 being B8.
DES Encryption Steps:
2-Process a 64-bit data block.
• 2.4 Apply the 16 Rounds Start with i = 1:
  ▫ 2.4.4 Substitute the values found in the S-boxes
    for all Bj. Start with j = 1 to 8. All values in the S-
    boxes should be considered 4 bits wide.
DES Encryption Steps:
2-Process a 64-bit data block.
• S-Boxes
DES Encryption Steps:
2-Process       a  64-bit      data    block.
  2.4.4 Substitute the values found in the S-boxes
   1- Take the 1st and 6th bits of Bj together as 2-bit value (call it m)
   indicating the row in Sj to look in for the substitution.
   2- Take the 2nd through 5th bits of Bj together as 4-bit value (call
   it n) indicating the column in Sj to find the substitution.
   3- Replace Bj with Sj [m][n] , Loop back to 1 until all 8 blocks
   have been replaced.
   Ex: B1=011101  n=(01)2 , m=(1110)2
DES Encryption Steps:
2-Process a 64-bit data block.
 2.4.5 Permute the concatenation of B1 through B8 as indicated below to
 P.
 2.4.6 Find Ri = Li-1⊕P
 2.4.7 Assign Li = Ri-1
 2.4.8 Loop back to 2.4.1 until K16 has been applied.
DES Encryption Steps:
2-Process a 64-bit data block.
 2.5 Perform the following Inverse Permutation on the
 block R16 L16 (Left and Right are swapped)
DES Decryption
•   decrypt must unwind steps of data computation
•   with Feistel design, do encryption steps again
•   using subkeys in reverse order (SK16 … SK1)
•   note that IP undoes final FP step of encryption
•   1st round with SK16 undoes 16th encrypt round
•   ….
•   16th round with SK1 undoes 1st encrypt round
•   then final FP undoes initial encryption IP
•   thus recovering original data value
DES Decryption (reverse encryption)
Avalanche Effect
• key desirable property of encryption algorithm
• DES exhibits strong Avalanche where a change
  of one input or key bit results in changing
  approximate half output bits
Example
• Plaintext M = (0123456789ABCDEF)16
• Key K = (133457799BBCDFF1)16
1)Process the key.
K = 0001 0011 0011 0100
    0101 0111 0111 1001
    1001 1011 1011 1100
    1101 1111 1111 0001
Example
1)Process the key.
• 56-bit permutation
• K+ =1111 0000 1100 1100 1010 1010 1111 0101
  0101 0110 0110 0111 1000 1111
Example
1)Process the key.
K+ =1111 0000 1100 1100 1010 1010 1111
0101 0101 0110 0110 0111 1000 1111
C0 = 1111 0000 1100 1100 1010 1010 1111
D0 = 0101 0101 0110 0110 0111 1000 1111
Example
1)Process the key.
C0 = 1111 0000 1100 1100 1010 1010 1111
D0 = 0101 0101 0110 0110 0111 1000 1111
C1 = 1110 0001 1001 1001 0101 0101 1111
D1 = 1010 1010 1100 1100 1111 0001 1110
C2 = 1100 0011 0011 0010 1010 1011 1111
D2 = 0101 0101 1001 1001 1110 0011 1101
C3 = 0000 1100 1100 1010 1010 1111 1111
D3 = 0101 0110 0110 0111 1000 1111 0101
Example
1)Process the key.
56-bit  48-bit
C1 D1 =     1110 0001 1001 1001 0101 0101 1111
            1010 1010 1100 1100 1111 0001 1110
K1 = 000110 110000 001011 101111
     111111 000111 000001 110010
Example
2) Process a 64-bit data block.
M = (0123456789ABCDEF)16
M = 0000 0001 0010 0011
    0100 0101 0110 0111
    1000 1001 1010 1011
    1100 1101 1110 1111
Example
2) Process a 64-bit data block.
M = 0000 0001 0010 0011 0100 0101 0110 0111
    1000 1001 1010 1011 1100 1101 1110 1111
IP = 1100 1100 0000 0000 1100 1100 1111 1111
     1111 0000 1010 1010 1111 0000 1010 1010
Example
2) Process a 64-bit data block.
IP = 1100 1100 0000 0000 1100 1100 1111 1111
     1111 0000 1010 1010 1111 0000 1010 1010
L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
Ln = Rn-1                     Rn = Ln-1 + f(Rn-1,Kn)
L1=R0 =1111 0000 1010 1010 1111 0000 1010 1010
R1 = L0 + f(R0,K1)
Example
2) Process a 64-bit data block.
R1 = L0 + f(R0,K1)
32-bit  48-bit
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
E(R0) =       011110 100001 010101 010101
              011110 100001 010101 010101
Example
2) Process a 64-bit data block.
K1 = 000110 110000 001011 101111
          111111 000111 000001 110010
E(R0) =    011110 100001 010101 010101
           011110 100001 010101 010101
K1+E(R0) = 011000 010001 011110 111010
            100001 100110 010100 100111
Kn + E(Rn-1) =B1B2B3B4B5B6B7B8,
Example
2) Process a 64-bit data block.
K1+E(R0) = 011000 010001 011110 111010
            100001 100110 010100 100111
K1 + E(R0) =B1B2B3B4B5B6B7B8
B1 = 011000  n=(00)2 , m=(1100)2
S1(B1) = (5)10 = (0101)2
Example
2) Process a 64-bit data block.
K1+E(R0) = 011000 010001 011110 111010
           100001 100110 010100 100111
K1 + E(R0) =B1B2B3B4B5B6B7B8
B1 = 011000
S1(B1) = 0101
B2 = 010001
S2(B2) = 1100
Example
2) Process a 64-bit data block.
S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7 (B7)S 8(B8) =
0101 1100 1000 0010 1011 0101 1001 0111
f=
0010 0011 0100 1010 1010 1001 1011 1011
Example
2) Process a 64-bit data block.
R1 = L0 + f(R0 , K1 )
R1 =
1100 1100 0000 0000 1100 1100 1111 1111+
0010 0011 0100 1010 1010 1001 1011 1011
= 1110 1111 0100 1010 0110 0101 0100 0100
3.3 Strength of DES
Strength of DES – Key Size
• 56-bit keys have 256 = 7.2 x 1016 values
• brute force search looks hard
• recent advances have shown is possible
 ▫ in 1997 on Internet in a few months
 ▫ in 1998 on dedicated hardware (EFF) in a few days
 ▫ in 1999 above combined in 22hrs!
• still must be able to recognize plaintext
• now considering alternatives to DES
Strength of DES – Timing Attacks
• attacks actual implementation of cipher
• use knowledge of consequences of
  implementation to derive knowledge of some/all
  subkey bits
• specifically use fact that calculations can take
  varying times depending on the value of the
  inputs to it
Strength of DES – Analytic Attacks
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
  ▫ by gathering information about encryptions
  ▫ can eventually recover some/all of the sub-key bits
  ▫ if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
  ▫ differential cryptanalysis
  ▫ linear cryptanalysis
  ▫ related key attacks
Cipher Block Chaining (CBC)
Cipher Block Chaining (CBC)
• message is broken into blocks
• but these are linked together in the encryption
  operation
• each previous cipher blocks is chained with current
  plaintext block, hence name
• use Initial Vector (IV) to start process
  Ci = DESK1(Pi XOR Ci-1)
  C-1 = IV
• uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
Cipher FeedBack (CFB)
Cipher FeedBack (CFB)
•   message is treated as a stream of bits
•   added to the output of the block cipher
•   result is feed back for next stage (hence name)
•   standard allows any number of bit (1,8 or 64 or
    whatever) to be feed back
    ▫ denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)
    Ci = Pi XOR DESK1(Ci-1)
    C-1 = IV
• uses: stream data encryption, authentication
Cipher FeedBack (CFB)
Output FeedBack (OFB)
Output FeedBack (OFB)
•   message is treated as a stream of bits
•   output of cipher is added to message
•   output is then feed back (hence name)
•   feedback is independent of message
•   can be computed in advance
    Ci = Pi XOR Oi
    Oi = DESK1(Oi-1)
    O-1 = IV
• uses: stream encryption over noisy channels
Output FeedBack (OFB)
Counter (CTR)
Counter (CTR)
• a “new” mode, though proposed early on
• encrypts counter value rather than any feedback
  value
• must have a different key & counter value for every
  plaintext block (never reused)
  Ci = Pi XOR Oi
  Oi = DESK1(i)
• uses: high-speed network encryptions
Counter (CTR)
End.