
NETWORK SECURITY

CS G513 & SS G513

Data Encryption Standard (DES)
Ashutosh Bhatia
BITS Pilani
ashutosh.bhatia@pilani.bits-pilani.ac.in
The Data Encryption Standard (DES)
• Early 1970s: Horst Feistel designs Lucifer at IBM
• key-len = 128 bits ; block-len = 128 bits
• 1973: NBS asks for block cipher proposals for commercial and unclassified
government applications.
• IBM submits variant of Lucifer.
• 1976: NBS adopts DES as a federal standard
• key-len = 56 bits ; block-len = 64 bits
• 1997: DES broken by exhaustive search.
• Computing power goes up 1 bit every 2 years.
• Now we use DES three times > Triple DES = 3DES
• 2000: NIST adopts Rijndael as AES to replace DES
DES Design Controversy
• although the DES standard is public, there was considerable controversy over its design
  • in the choice of a 56-bit key (vs Lucifer 128-bit)
  • and because the design criteria were classified
• subsequent events and public analysis show that the design was in fact appropriate
• use of DES has flourished
• especially in financial applications
• still standardised for legacy application use
DES Encryption Overview
[Figure: the DES cipher encrypts a 64-bit plaintext into a 64-bit ciphertext under a 56-bit key; the DES reverse cipher decrypts the 64-bit ciphertext back into the 64-bit plaintext with the same key.]


DES Encryption Overview

Round Key Generation


Initial and Final Permutation IP

Initial and Final Permutation IP (Alternative Representation)
DES Rounds
DES Round Function
Expansion Box
Substitution Boxes S

The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output.

S-Box

$S_i: \{0,1\}^6 \to \{0,1\}^4$


DES Sub-Key Generation
PC-1

PC-2
DES Permuted Choice 1 and 2 (PC-1, PC-2)
DES Decryption
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again using subkeys in
reverse order (SK16 … SK1)
• IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value
DES Example
Avalanche Effect in DES
• Key desirable property of an encryption algorithm
• A change in one bit in the plaintext or the key results in changing approximately half of the ciphertext bits
• Makes attempts to guess the key impossible
• DES exhibits strong avalanche

Change in Plaintext
Change in Key
Feistel Cipher Design Features
• Block size
  • Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm
• Key size
  • Larger key size means greater security but may decrease encryption/decryption speeds
• Number of rounds
  • The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security
• Subkey generation algorithm
  • Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis
• Round function F
  • Greater complexity generally means greater resistance to cryptanalysis
• Fast software encryption/decryption
  • In many cases, encrypting is embedded in applications or utility functions in such a way as to preclude a hardware implementation; accordingly, the speed of execution of the algorithm becomes a concern
• Ease of analysis
  • If the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength
Attacks on DES or, in General, Block Ciphers
• Weaknesses in S-boxes and P-boxes
• Weaknesses in key
• Brute-force search requires $2^{55}$ keys on average. Recent advances have shown it is possible:
  • in 1997 on the Internet in a few months, in 1998 on dedicated h/w (EFF) in a few days, in 1999 the above combined in 22 hrs!
• Bit-wise complement of plaintext with complement of key results in complement of ciphertext
  • $DES_{K'}(x') = \big(DES_K(x)\big)'$
  • Only half of the keys need to be checked
• Timing attacks: calculation time depends upon the key. Particularly problematic on smartcards
• Differential cryptanalysis and linear cryptanalysis
Example: a bad S-box choice
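Suppose:
$S_i(x_1, x_2, \ldots, x_6) = (\,x_2 \oplus x_3,\; x_1 \oplus x_4 \oplus x_5,\; x_1 \oplus x_6,\; x_2 \oplus x_3 \oplus x_6\,)$

or written equivalently: $S_i(x) = A_i \cdot x \pmod 2$

$$
\begin{pmatrix}
0 & 1 & 1 & 0 & 0 & 0 \\
1 & 0 & 0 & 1 & 1 & 0 \\
1 & 0 & 0 & 0 & 0 & 1 \\
0 & 1 & 1 & 0 & 0 & 1
\end{pmatrix}
\cdot
\begin{pmatrix} x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \end{pmatrix}
=
\begin{pmatrix}
x_2 \oplus x_3 \\
x_1 \oplus x_4 \oplus x_5 \\
x_1 \oplus x_6 \\
x_2 \oplus x_3 \oplus x_6
\end{pmatrix}
$$

We say that $S_i$ is a linear function.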
Example: a bad S-box choice
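Then entire DES cipher would be linear: $\exists$ fixed binary matrix $B$ (64 rows, 832 columns) s.t.

$$
DES(k, m) = B \cdot \begin{pmatrix} m \\ k_1 \\ k_2 \\ \vdots \\ k_{16} \end{pmatrix} = c \pmod 2
$$

But then: $DES(k, m_1) \oplus DES(k, m_2) \oplus DES(k, m_3) = DES(k,\, m_1 \oplus m_2 \oplus m_3)$

$$
B \begin{pmatrix} m_1 \\ k \end{pmatrix} \oplus B \begin{pmatrix} m_2 \\ k \end{pmatrix} \oplus B \begin{pmatrix} m_3 \\ k \end{pmatrix} = B \begin{pmatrix} m_1 \oplus m_2 \oplus m_3 \\ k \oplus k \oplus k \end{pmatrix}
$$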
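The linear S-box from the slide, checked against a real DES S-box; this is an added example, not part of the original slides. The keyed lookup `S(m ^ k)` and the function names are assumptions chosen here to mirror the three-message relation above on a single S-box.

```python
# Added illustration, not from the slides. Convention: x1 is the most significant bit.
A = [0b011000, 0b100110, 0b100001, 0b011001]   # rows of A_i from the slide

def linear_sbox(x):
    """S_i(x) = A_i . x (mod 2): output bit j is the parity of (row j AND x)."""
    y = 0
    for row in A:
        y = (y << 1) | (bin(row & x).count("1") & 1)
    return y

def formula_sbox(x):
    """The same map written as the slide's XOR formula."""
    x1, x2, x3, x4, x5, x6 = [(x >> (5 - i)) & 1 for i in range(6)]
    bits = (x2 ^ x3, x1 ^ x4 ^ x5, x1 ^ x6, x2 ^ x3 ^ x6)
    return bits[0] << 3 | bits[1] << 2 | bits[2] << 1 | bits[3]

# Real DES S-box S1 for contrast (row = outer bits x1 x6, column = x2..x5).
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def des_s1(x):
    return DES_S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

def xor_relation_failures(sbox, keys=(0, 21, 42, 63)):
    """Count (k, a, b, c) with S(a^k) ^ S(b^k) ^ S(c^k) != S(a^b^c^k).

    S(m ^ k) stands in for one key-mixed S-box lookup; zero failures means a
    fourth output is predictable from three others without knowing k.
    """
    fails = 0
    for k in keys:
        t = [sbox(m ^ k) for m in range(64)]       # keyed lookup table
        for a in range(64):
            for b in range(64):
                for c in range(64):
                    fails += (t[a] ^ t[b] ^ t[c]) != t[a ^ b ^ c]
    return fails

if __name__ == "__main__":
    print("linear S-box failures:", xor_relation_failures(linear_sbox))
    print("DES S1 failures:      ", xor_relation_failures(des_s1))
```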
Weak Keys in DES

Encrypting twice using the same weak key generates the same plaintext block.
MULTIPLE ENCRYPTIONS WITH DES
• As you already know, the DES cryptographic system is now known to not be secure.
• Why can't we use only AES?
• How about a cryptographic system that carries out repeated encryptions with DES? Would that be more secure?
• Double DES may not be that much more secure than regular DES.
• Two DES-based encryption stages using two different keys:
  C = E(K2, E(K1, P))
• With two keys, each of length 56 bits, double DES in effect uses a 112-bit key.
Meet-in-the-Middle Attack on Double DES
• A type of known-plaintext attack
• Let's say that an attacker has available a plaintext-ciphertext pair (P, C).
• From the perspective of the attacker, there exists an M such that
  M = E(K1, P) = D(K2, C)
• In order to mount the attack, the attacker creates a sorted table of all possible values of this intermediate value (written X here) for the given P by trying all possible $2^{56}$ keys. This table will have $2^{56}$ entries.
• The attacker also creates another sorted table of all possible X by decrypting C using every one of the $2^{56}$ keys. This table also has $2^{56}$ entries.
Analyzing Meet-in-the-Middle Attack

• $P = \{0,1\}^m$, $C = \{0,1\}^m$, $K_1 \times K_2 = \{0,1\}^{2n}$
• The attacker has $l$ pairs of plaintext and ciphertext
• Probability of a key $(K_1, K_2)$ satisfying $\forall i\; \big(E(K_1, P_i) = D(K_2, C_i)\big)$ is: $2^{-ml}$
• Thus the expected number of key pairs that would satisfy the above equation: $2^{2n} \cdot 2^{-ml}$
• What if $l \ge 2n/m$?
• The time complexity of the attack is: $2 \cdot l \cdot 2^{n}$
• Space complexity: $2^{n+1}(ml + l)$
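The analysis above, run at toy scale so the tables fit in memory; this is an added example, not part of the original slides. It also illustrates the DES Decryption slide, since the toy Feistel cipher decrypts by running the same rounds with the subkeys reversed. The key schedule, round function, sizes (m = 16, n = 12) and sample keys are all assumptions constructed here, and a dictionary stands in for the sorted tables; with these sizes the formula predicts about $2^{2n} \cdot 2^{-m} = 256$ consistent key pairs after one known pair.

```python
# Added illustration, not from the slides. Toy sizes (assumptions):
# block m = 16 bits, key n = 12 bits, so each table holds 2^12 entries.
N_BITS, ROUNDS = 12, 4

def subkeys(key):
    """Hypothetical key schedule: 8-bit windows of the rotated 12-bit key."""
    rot = lambda r: ((key << r) | (key >> (N_BITS - r))) & 0xFFF
    return [rot(3 * r) & 0xFF for r in range(ROUNDS)]

def F(half, sk):
    """Hypothetical round function; it does not need to be invertible."""
    v = half ^ sk
    return (((v * 167 + 13) >> 2) ^ (v << 3) ^ sk) & 0xFF

def feistel(block, sks):
    left, right = block >> 8, block & 0xFF
    for sk in sks:
        left, right = right, left ^ F(right, sk)
    return (right << 8) | left               # undo the last swap

def E(key, p):
    return feistel(p, subkeys(key))

def D(key, c):
    return feistel(c, subkeys(key)[::-1])    # same rounds, subkeys reversed

def meet_in_the_middle(pairs):
    """Return every (K1, K2) with E(K2, E(K1, P)) == C for all known pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                               # M = E(K1, P0) -> list of K1
    for k1 in range(1 << N_BITS):            # 2^n encryptions
        table.setdefault(E(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << N_BITS):            # 2^n decryptions
        for k1 in table.get(D(k2, c0), []):  # both sides meet at the same M
            if all(E(k2, E(k1, p)) == c for p, c in rest):
                found.append((k1, k2))
    return found

# Constructed sample data: secret keys and three known plaintexts.
K1, K2 = 0x5A3, 0xC17
PAIRS = [(p, E(K2, E(K1, p))) for p in (0x0123, 0xBEEF, 0x7777)]

if __name__ == "__main__":
    print("candidates with l=1:", len(meet_in_the_middle(PAIRS[:1])))
    print("candidates with l=3:", meet_in_the_middle(PAIRS))
```

The work is two passes over $2^{12}$ keys rather than one pass over $2^{24}$ key pairs, which is why doubling the key length this way adds far less than 2n bits of security.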
