Spring 2006
http://www.abo.fi/~ipetre/crypto/
Ion Petre
Academy of Finland and
Department of IT, Åbo Akademi University
A stream cipher encrypts a digital data stream one bit (or byte) at a time
Example: autokey Vigenère system
A block cipher divides the plaintext into blocks and encrypts one block at a time, producing a ciphertext block of equal length
Similar to a substitution cipher on very large "characters": 64 bits or 128 bits are typical block lengths
Many modern ciphers are block ciphers
block size: increasing the size improves security, but slows the cipher
key size: increasing the size improves security and makes exhaustive key search harder, but may slow the cipher
number of rounds: increasing the number improves security, but slows the cipher
subkey generation: greater complexity can make analysis harder, but slows the cipher
round function: greater complexity can make analysis harder, but slows the cipher
[Feistel cipher diagram]
Decryption: the same algorithm (with the subkeys in reverse order)
DES encryption/decryption
Strength of DES
Design principles
Cryptanalysis
Let L be the left half of the input to the round and R its right half; each of them has 32 bits
As in any Feistel cipher, the overall processing is
L_i = R_{i-1}, R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
The round subkey K_i has 48 bits (details later on how it is generated)
R is expanded from 32 to 48 bits using an "expansion permutation" E (shown on the next slide): a table that defines a permutation and at the same time duplicates 16 of the bits of R
These 48 bits are XORed with the subkey K_i
The 48-bit result passes through a substitution function (eight S-boxes, each mapping 6 input bits to 4 output bits) that produces a 32-bit output
Then apply a permutation P (shown on the next slide)
Like in any Feistel cipher, decryption works just like encryption with
the subkeys used in reverse order
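As an added illustration of the round structure just described (example code written for these notes, not code from the lecture or from DES itself), here is a toy Feistel network in Python. The 16-bit block, 8-bit halves, the squaring round function and the 4-round key schedule are all assumptions chosen to keep it short; the round function is deliberately not invertible, which shows the point that matters: a Feistel cipher never inverts F, it only recomputes it, and decryption is literally the same routine run with the subkeys reversed.

```python
"""Toy Feistel network: L_i = R_{i-1}, R_i = L_{i-1} ^ F(R_{i-1}, K_i).

Added example for these notes, not code from the lecture or from DES. Block
size (16 bits), round function and key schedule are illustrative assumptions;
the cipher is far too weak for real use.
"""
from typing import Sequence

MASK8 = 0xFF
MASK32 = 0xFFFFFFFF


def round_function(r: int, k: int) -> int:
    """F(R_{i-1}, K_i): XOR the subkey into the half, then square mod 256.

    Squaring mod 256 is deliberately NOT invertible (v and 256 - v collide,
    as do v and v + 128). A Feistel network never has to invert F, only to
    recompute it, so any function at all still yields a bijective cipher.
    """
    v = (r ^ k) & MASK8
    return (v * v) & MASK8


def key_schedule(master_key: int, rounds: int) -> list:
    """Assumed toy schedule: subkey i is the low byte of the 32-bit master key
    rotated left by 5*i bits. Only here to give distinct per-round subkeys."""
    master_key &= MASK32
    subkeys = []
    for i in range(rounds):
        n = (5 * i) % 32
        rotated = ((master_key << n) | (master_key >> (32 - n))) & MASK32
        subkeys.append(rotated & MASK8)
    return subkeys


def feistel(block: int, subkeys: Sequence[int]) -> int:
    """Run the rounds on a 16-bit block split into two 8-bit halves, then swap
    the halves once more on output (equivalently: omit the swap after the last
    round, as DES does). That final swap is what makes decryption the same
    routine with the subkey order reversed."""
    left, right = (block >> 8) & MASK8, block & MASK8
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 8) | left


def encrypt(block: int, subkeys: Sequence[int]) -> int:
    return feistel(block, subkeys)


def decrypt(block: int, subkeys: Sequence[int]) -> int:
    """Same algorithm, subkeys in reverse order."""
    return feistel(block, list(reversed(subkeys)))


def is_permutation(subkeys: Sequence[int]) -> bool:
    """Exhaustively confirm that encryption is a bijection on all 2^16 blocks,
    even though F itself throws information away."""
    return len({encrypt(m, subkeys) for m in range(1 << 16)}) == 1 << 16


if __name__ == "__main__":
    subkeys = key_schedule(0xA5C3F01D, rounds=4)   # constructed master key
    for msg in (0x0000, 0x1234, 0xBEEF, 0xFFFF):
        c = encrypt(msg, subkeys)
        assert decrypt(c, subkeys) == msg
        print(f"m={msg:04x} c={c:04x}")
    print("encryption is a permutation:", is_permutation(subkeys))
```

Walking through `decrypt`: the ciphertext (R_n, L_n) enters as the new left and right halves, the first decryption round with K_n recomputes F(R_{n-1}, K_n) from the half it still has and XORs it back out, and after n rounds and the final swap the original (L_0, R_0) reappears.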
Two main concerns with DES: the length of the key and the nature of the algorithm
The key is rather short: 56 bits, so there are 2^56 possible keys, around 7.2 x 10^16
On average, only half of the keys have to be tried to break the system
In principle it should take a long time to break the system
Things are quicker with dedicated hardware: in 1998 a special machine was built for less than $250,000 that broke DES in less than 3 days; in 2006 the estimate is that hardware costing around $20,000 could break DES within a day
DES has no export restrictions from the NSA!
A 40-bit RC4 key is also insecure
128-bit keys seem to be secure
An important difficulty in breaking any system: unless the plaintext is known, we have to recognize when we have broken the system, i.e. recognize the plaintext when we find it
This is not trivial if the file is binary, compressed, etc.
Automated procedures to do that are needed (and indeed some exist)
There are ways to break DES significantly quicker than with the brute-force
attack: differential and linear cryptanalysis
Differential cryptanalysis
Published in the open literature after 1990: Murphy and then Biham and Shamir
(published a book on this)
Idea: Knowing the XOR of the message halves before and after a round, one
may try to deduce the subkey used in that round
DES can be broken in 2^47 steps, requiring 2^47 chosen plaintexts
The need for so many chosen plaintexts makes its applicability limited
This attack seems to have been known to the DES design team and NSA 20
years before it was published in the open literature!
Linear cryptanalysis
More recent attack (Matsui, 1993): find linear approximations to describe the
transformations in DES
Can find the DES key given 2^47 known plaintexts
Still an impractical method
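What "linear approximation" means in practice is again easiest to see on one S-box. This added example (written for these notes, not Matsui's attack on full DES) computes the linear approximation table of row 0 of DES S-box S1, picks the most biased input/output mask pair, and then shows what such an approximation buys an attacker who only has known plaintexts: one parity bit of the key. The one-round toy y = S(x ⊕ k) on 4 bits, the mask search and the key values are assumptions for illustration.

```python
"""Linear approximation of an S-box and the key bit it leaks.

Added example for these notes, not from the lecture or from Matsui's paper.
SBOX is row 0 of DES S-box S1; the one-round toy cipher, mask search and key
values are illustrative assumptions.
"""

SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]


def parity(v: int) -> int:
    """XOR of the bits of v; with v = a & x this is the dot product a·x."""
    return bin(v).count("1") & 1


def toy_round(x: int, k: int) -> int:
    return SBOX[(x ^ k) & 0xF]


def linear_approximation_table() -> list:
    """lat[a][b] = #{x : a·x ⊕ b·S(x) = 0} - 8.

    An entry of 0 means the linear relation between the masked input bits and
    the masked output bits holds exactly half the time and carries no
    information; |lat[a][b]|/16 is the bias of that approximation. Parseval's
    relation forces some non-trivial entry to reach |4| for any 4-bit
    permutation, so a perfectly linear-free S-box does not exist here.
    """
    lat = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for b in range(16):
            zeros = sum(1 for x in range(16)
                        if parity(a & x) ^ parity(b & SBOX[x]) == 0)
            lat[a][b] = zeros - 8
    return lat


def best_approximation(lat: list) -> tuple:
    """Most biased pair of non-zero masks (a = 0 or b = 0 is trivially balanced)."""
    return max(((a, b) for a in range(1, 16) for b in range(1, 16)),
               key=lambda ab: abs(lat[ab[0]][ab[1]]))


def known_plaintexts(true_key: int) -> list:
    """The attacker's knowledge: (x, y) pairs with y = S(x ^ k), key unknown."""
    return [(x, toy_round(x, true_key)) for x in range(16)]


def recover_key_parity(known: list, a: int, b: int, lat: list) -> int:
    """Known-plaintext step. Writing u = x ^ k,
        a·x ⊕ b·S(u) = (a·u ⊕ b·S(u)) ⊕ a·k,
    so the approximation holds with probability 1/2 + lat[a][b]/16 when
    a·k = 0 and 1/2 - lat[a][b]/16 when a·k = 1. Counting how often it holds
    over the known pairs therefore reveals a·k, the parity of the key bits
    selected by the input mask. With all 16 plaintexts the answer is exact;
    with fewer it is a statistical guess whose reliability grows with the
    sample, which is where Matsui's 2^47 comes from on the full cipher."""
    zeros = sum(1 for x, y in known if parity(a & x) ^ parity(b & y) == 0)
    return 0 if (2 * zeros - len(known)) * lat[a][b] > 0 else 1


if __name__ == "__main__":
    lat = linear_approximation_table()
    a, b = best_approximation(lat)
    print(f"best masks a={a:04b} b={b:04b}, bias {lat[a][b]}/16")
    secret = 0b0110                                   # constructed secret key
    guess = recover_key_parity(known_plaintexts(secret), a, b, lat)
    print("recovered a·k =", guess, "actual a·k =", parity(a & secret))
```

Note what the attack cannot do: all keys with the same value of a·k produce the same statistics, so a single approximation yields one bit of key, and the rest must come from other approximations or exhaustive search over the remaining bits.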