crypto7_1


  • 8/4/2019 crypto7_1

    1/16

    DES Modes of Operation

    Block modes:

    Electronic Codebook (ECB)

    The message is broken into independent blocks of 64 bits and each block is encrypted on its own:

    $C_i = E_K(P_i)$

    Cipher Block Chaining (CBC)

    The message is broken into blocks of 64 bits, but the input of each encryption depends on the previous output:

    $C_i = E_K(P_i \oplus C_{i-1})$, with $C_{-1} = IV$


    DES Modes of Operation

    Stream Modes

    Cipher FeedBack (CFB)

    The message is XORed with the result of encrypting the previous ciphertext block:

    $C_i = P_i \oplus E_K(C_{i-1})$, with $C_{-1} = IV$

    Output FeedBack (OFB)

    The feedback is independent of the message: the block cipher is iterated on its own output to produce a keystream, which is XORed with the message:

    $O_i = E_K(O_{i-1})$, $C_i = P_i \oplus O_i = P_i \oplus E_K(O_{i-1})$, with $O_{-1} = IV$


    Limitation of the modes

    ECB

    Repetitions in the message are reflected in the ciphertext whenever they are aligned with the block boundaries, particularly with data such as graphics, or with messages that change very little from one transmission to the next; this becomes a code-book analysis problem.

    The weakness exists because the enciphered message blocks are independent of each other: the same plaintext block under the same key always gives the same ciphertext block, so an attacker can build a code book of (ciphertext block, meaning) pairs without ever knowing the key.


    Limitation of the modes

    CBC

    The result of one encryption modifies the input of the next, hence each ciphertext block depends on all message blocks before it.

    Thus a change in the message affects the ciphertext block where the change occurs as well as every ciphertext block after it.

    To start, an Initial Value (IV) is needed, which must be known by both sender and receiver.

    However, if the IV is sent in the clear, an attacker can change bits of the first plaintext block simply by flipping the corresponding bits of the IV; no other block is disturbed, so the change is not noticed by the decryptor.

    Hence, the slide argues, either the IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before the rest of the message. Both remedies are dated: a fixed IV makes messages with the same first block produce the same first ciphertext block, and hiding the IV does not stop an attacker from flipping bits in any later block (at the cost of garbling the block before it). Current practice is an unpredictable IV together with a MAC over IV and ciphertext, so that any modification is detected rather than merely made harder.

    Padding is needed at the end, since the message must be a whole number of 64-bit blocks.


    Limitation of the modes

    CFB

    When data is bit or byte oriented, we want to operate on it at that level, so a stream mode is used.

    The block cipher is used in encryption mode at both ends, with its input being a fed-back copy of the ciphertext; decryption never calls $D_K$.

    The number of bits fed back (s-bit CFB, $1 \le s \le 64$ for DES) can be varied, trading off efficiency for ease of use: each block-cipher call yields only s bits of keystream, so 8-bit CFB costs eight times as many DES operations per byte as 64-bit CFB.

    Again errors propagate: a corrupted ciphertext unit flips the same bit positions of its own plaintext unit and garbles the following $64/s$ units, which is how long the bad unit remains in the feedback register; after that the mode resynchronises on its own.


    Limitation of the modes

    OFB

    Also a stream mode, but intended for use where error propagation is a problem, or where the encryption work must be done before the message is available (the keystream depends only on the key and the IV, so it can be precomputed).

    It is superficially similar to CFB, but the feedback is taken from the output of the block cipher and is independent of the message: a variation of the Vernam cipher with a pseudorandom keystream. A bit error in the ciphertext therefore affects only the corresponding plaintext bit.

    Again an IV is needed, and it must never be reused under the same key: two messages encrypted under the same (key, IV) pair are XORed with the same keystream, so the XOR of the two ciphertexts is the XOR of the two plaintexts.

    Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs, since a lost or inserted block leaves the receiver applying the wrong keystream to everything that follows.

    Although originally specified with varying m-bit feedback in the standards, subsequent research has shown that only 64-bit (full-block) OFB should ever be used (and this is the most efficient use anyway): with full-block feedback the keystream generator is a permutation of the 64-bit block and its cycles are long, whereas feeding back only m < 64 bits gives a non-injective map whose expected cycle length is only around $2^{32}$, after which the keystream repeats.
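    The four modes above, together with the failure modes listed under each of them, implemented over a toy 64-bit Feistel cipher so that the behaviour can be observed directly. This is an added example, not code from the slides: the cipher (`E`, `D`, built on SHA-256 as a round function) is an assumption standing in for DES, and `KEY`, `IV` and `MSG` are constructed sample inputs. The `error_propagation` and `iv_malleability` helpers flip one ciphertext (or IV) bit and count how many plaintext bits change in each block, which reproduces the propagation claims: CBC garbles the hit block and flips one bit in the next, CFB flips one bit in the hit block and garbles the next, OFB flips only the one bit, and flipping an IV bit under CBC flips exactly that bit of the first plaintext block.

```python
"""ECB/CBC/CFB/OFB over a toy 64-bit block cipher: code-book leak, error
propagation and IV malleability, as discussed on the slides."""
import hashlib

BLOCK = 8  # 64-bit blocks, DES-sized


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Toy round function (assumption): SHA-256 stands in for the DES f-function.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def E(key, block):
    """Toy 8-round Feistel permutation standing in for E_K; not secure, just a keyed permutation."""
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, r, i))
    return r + l  # undo the final swap so decryption runs the same loop backwards


def D(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = r, _xor(l, _f(key, r, i))
    return r + l


def _blocks(data):
    assert len(data) % BLOCK == 0, "caller must pad to a multiple of the block size"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):            # C_i = E_K(P_i)
    return b"".join(E(key, p) for p in _blocks(pt))


def cbc_encrypt(key, iv, pt):        # C_i = E_K(P_i xor C_{i-1}), C_{-1} = IV
    out, prev = [], iv
    for p in _blocks(pt):
        prev = E(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):        # P_i = D_K(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(D(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):        # full-block CFB: C_i = P_i xor E_K(C_{i-1})
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(p, E(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):        # P_i = C_i xor E_K(C_{i-1}); only E is ever used
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, E(key, prev)))
        prev = c
    return b"".join(out)


def ofb_crypt(key, iv, data):        # O_i = E_K(O_{i-1}), C_i = P_i xor O_i; same call both ways
    out, o = [], iv
    for d in _blocks(data):
        o = E(key, o)
        out.append(_xor(d, o))
    return b"".join(out)


def bits_changed_per_block(a, b):
    """Hamming distance between two equal-length messages, block by block."""
    return [sum(bin(x ^ y).count("1") for x, y in zip(p, q))
            for p, q in zip(_blocks(a), _blocks(b))]


def error_propagation(decrypt, key, iv, pt, ct, block=1, byte=0):
    """Flip one ciphertext bit in `block` and report how many plaintext bits change per block."""
    bad = bytearray(ct)
    bad[block * BLOCK + byte] ^= 0x01
    return bits_changed_per_block(pt, decrypt(key, iv, bytes(bad)))


def iv_malleability(key, iv, pt, ct, bit=0):
    """CBC with the IV in the clear: an IV bit flip hits the same bit of plaintext block 0 only."""
    bad_iv = bytearray(iv)
    bad_iv[bit // 8] ^= 1 << (bit % 8)
    return bits_changed_per_block(pt, cbc_decrypt(key, bytes(bad_iv), ct))


# Constructed sample input: two identical leading blocks expose the ECB code-book leak.
KEY = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
IV = bytes(8)
MSG = b"ATTACK!!ATTACK!!RETREAT!SILENCE!"  # 32 bytes = 4 blocks, no padding needed

if __name__ == "__main__":
    ecb, cbc = ecb_encrypt(KEY, MSG), cbc_encrypt(KEY, IV, MSG)
    print("ECB repeats block:", ecb[:8] == ecb[8:16])
    print("CBC repeats block:", cbc[:8] == cbc[8:16])
    print("CBC bit error  :", error_propagation(cbc_decrypt, KEY, IV, MSG, cbc))
    print("CFB bit error  :", error_propagation(cfb_decrypt, KEY, IV, MSG, cfb_encrypt(KEY, IV, MSG)))
    print("OFB bit error  :", error_propagation(ofb_crypt, KEY, IV, MSG, ofb_crypt(KEY, IV, MSG)))
    print("CBC IV bit flip:", iv_malleability(KEY, IV, MSG, cbc))
```

    Running the block prints the comparisons; the per-block counts are the concrete form of the propagation statements on the slides, and the ECB line is the code-book leak (two equal plaintext blocks, two equal ciphertext blocks).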


    DES Weak Keys

    With many block ciphers there are some keys that should be avoided because of reduced cipher complexity: these are keys for which the same sub-key is generated in more than one round.

    Weak Keys: the same sub-key is generated for every round, so decryption (the rounds in reverse order) is the same operation as encryption and $E_K(E_K(P)) = P$.

    DES has 4 weak keys.


    DES Weak Keys

    Semi-Weak Keys

    Only two distinct sub-keys are generated over the sixteen rounds (after PC-1 each half of the key is either constant or an alternating bit pattern, so rotating by an even number of positions restores it). They come in pairs $(K_1, K_2)$ whose sub-key sequences are reverses of each other, so $E_{K_1}(E_{K_2}(P)) = P$.

    DES has 12 of these (in 6 pairs).

    Demi-Semi-Weak ("possibly weak") Keys

    Only four distinct sub-keys are generated; DES has 48 of these.

    None of these cause a problem in practice, since they are a tiny fraction of all available keys (64 out of $2^{56}$). However they MUST be avoided by any key generation program.
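    A key-schedule implementation that makes the three classes visible and rejects them at generation time, as the slide requires. This is an added example, not code from the slides; the PC-1, PC-2 and shift tables are those of FIPS 46, the key lists are the published weak and semi-weak keys, and the test key `133457799BBCDFF1` is the standard worked example whose first sub-key is known. `classify_key` counts the distinct sub-keys, `is_semi_weak_pair` checks the reverse-order property behind $E_{K_1}(E_{K_2}(P)) = P$, and `generate_des_key` draws random odd-parity keys until one falls outside every class.

```python
"""Checking DES keys against the weak-key classes via the key schedule."""
import os

# FIPS 46 key-schedule tables: PC-1 (64 -> 56 bits), PC-2 (56 -> 48 bits), per-round left rotations.
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

# The published weak and semi-weak keys (hex, odd-parity form).
WEAK_KEYS = [bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")]
SEMI_WEAK_PAIRS = [(bytes.fromhex(a), bytes.fromhex(b)) for a, b in (
    ("01FE01FE01FE01FE", "FE01FE01FE01FE01"), ("1FE01FE00EF10EF1", "E01FE01FF10EF10E"),
    ("01E001E001F101F1", "E001E001F101F101"), ("1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E"),
    ("011F011F010E010E", "1F011F010E010E01"), ("E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1"))]


def _bits(data):
    """MSB-first bit list; the FIPS tables number bits from 1."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def des_subkeys(key):
    """The sixteen 48-bit round sub-keys K_1..K_16 of an 8-byte DES key."""
    assert len(key) == 8
    kb = _bits(key)
    cd = [kb[i - 1] for i in PC1]            # parity bits 8, 16, ..., 64 are dropped here
    c, d = cd[:28], cd[28:]
    subkeys = []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]  # left-rotate both halves
        cd = c + d
        subkeys.append(int("".join(str(cd[i - 1]) for i in PC2), 2))
    return subkeys


def classify_key(key):
    """Weak keys yield 1 distinct sub-key, semi-weak 2, the 48 possibly-weak keys 4."""
    distinct = len(set(des_subkeys(key)))
    return {1: "weak", 2: "semi-weak", 4: "possibly-weak"}.get(distinct, "ok")


def is_semi_weak_pair(k1, k2):
    """Partner keys run the same sub-keys in reverse order, hence E_k1(E_k2(P)) = P."""
    return des_subkeys(k1) == des_subkeys(k2)[::-1]


def with_odd_parity(raw):
    """Set the low bit of every byte so each byte has odd parity (the DES key convention)."""
    return bytes((b & 0xFE) | (bin(b & 0xFE).count("1") % 2 == 0) for b in raw)


def generate_des_key(rng=os.urandom):
    """Draw random keys until one lies outside every weak class: the check the slide demands."""
    while True:
        key = with_odd_parity(rng(8))
        if classify_key(key) == "ok":
            return key


if __name__ == "__main__":
    for k in WEAK_KEYS + [p for pair in SEMI_WEAK_PAIRS for p in pair]:
        print(k.hex(), classify_key(k))
    print("fresh key:", generate_des_key().hex())
```

    The classification is derived from the schedule rather than from a blacklist, so it also catches the 48 possibly-weak keys the slide mentions without listing them; the published lists are kept only to cross-check the schedule.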


    DES variations

    Double DES:

    Use 2 keys: K1 and K2.

    Encryption is $E_{K_1}(E_{K_2}(P))$.

    Is double DES reducible to DES, i.e. is there a single $K_3$ with $E_{K_3} = E_{K_1} \circ E_{K_2}$? No: DES is not a group (Campbell and Wiener, Crypto 92). Even so, double DES gains little, because a meet-in-the-middle attack with one known plaintext/ciphertext pair costs about $2^{57}$ DES operations and a $2^{56}$-entry table, not $2^{112}$.

    Triple DES

    Use 2 or 3 keys.

    Encryption:

    $E_{K_1}(E_{K_2}(E_{K_3}(P)))$ with three keys (the standardised TDEA order is $E_{K_3}(D_{K_2}(E_{K_1}(P)))$)

    $E_{K_1}(D_{K_2}(E_{K_1}(P)))$ with two keys; the encrypt-decrypt-encrypt form is chosen so that $K_1 = K_2$ reduces to single DES, for interoperability with old equipment


    Cryptanalysis of DES

    If you can choose the plaintext:

    Brute Force: try all $2^{56}$ possible keys. No memory necessary, but encrypting the plaintext under every key may be too slow, and the whole search is repeated for every target key.

    Build a dictionary: each plaintext may map to $2^{64}$ different ciphertexts, but there are only $2^{56}$ possible keys, so encrypting one chosen plaintext under all possible keys gives a look-up table from ciphertext to key.

    Very effective if you can inject plaintext and want to find many different keys: the $2^{56}$ encryptions are paid once, and each further key costs one table look-up of its ciphertext for the chosen plaintext. The price is the table itself, $2^{56}$ entries.
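    The three attacks on this slide and the meet-in-the-middle answer to the double-DES question on the previous one, scaled down to a toy 16-bit block cipher with a 16-bit key so that the whole key space can be searched in about a second. This is an added example, not code from the slides: `enc16`/`dec16` and their key schedule are an assumption standing in for DES, and the secret keys and chosen plaintexts in `demo` are constructed. `brute_force` searches all keys for each target, `build_dictionary` pays the full search once and `dictionary_lookup` then recovers any key from a single ciphertext of the chosen plaintext, and `meet_in_the_middle` recovers both keys of `double_enc` with two single-key searches instead of a search over key pairs.

```python
"""Brute force, code-book (dictionary) and meet-in-the-middle attacks, scaled down
to a toy 16-bit block cipher with a 16-bit key so they run in seconds."""
import random

MASK = 0xFFFF
ROUNDS = 4


def _round_key(key, r):
    # Toy key schedule (assumption): a different constant mixed into the key each round.
    return (key ^ ((r + 1) * 0x9E37)) & MASK


def enc16(key, x):
    """Toy add-rotate-xor block cipher standing in for DES E_K; not secure, only the attack structure matters."""
    for r in range(ROUNDS):
        k = _round_key(key, r)
        x = (x + k) & MASK
        x = ((x << 5) | (x >> 11)) & MASK
        x ^= k
    return x


def dec16(key, x):
    for r in reversed(range(ROUNDS)):
        k = _round_key(key, r)
        x ^= k
        x = ((x >> 5) | (x << 11)) & MASK
        x = (x - k) & MASK
    return x


def brute_force(pairs):
    """Try every key; no memory, but the whole key space is searched again for every target."""
    return [k for k in range(1 << 16) if all(enc16(k, p) == c for p, c in pairs)]


def build_dictionary(p0):
    """Encrypt one chosen plaintext under every key once; maps ciphertext -> candidate keys."""
    table = {}
    for k in range(1 << 16):
        table.setdefault(enc16(k, p0), []).append(k)
    return table


def dictionary_lookup(table, c0, confirm):
    """One look-up recovers the key from its ciphertext of p0; `confirm` is a second (p, c) pair that discards false hits."""
    return [k for k in table.get(c0, []) if enc16(k, confirm[0]) == confirm[1]]


def double_enc(k1, k2, x):
    return enc16(k1, enc16(k2, x))  # the slide's E_K1(E_K2(P))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) with 2 * 2^16 cipher calls instead of 2^32: tabulate E_k2(P) for
    every k2, then for every k1 look D_k1(C) up in that table; extra pairs prune false matches."""
    p, c = pairs[0]
    inner = {}
    for k2 in range(1 << 16):
        inner.setdefault(enc16(k2, p), []).append(k2)
    found = []
    for k1 in range(1 << 16):
        for k2 in inner.get(dec16(k1, c), []):
            if all(double_enc(k1, k2, q) == d for q, d in pairs[1:]):
                found.append((k1, k2))
    return found


def demo(seed=7):
    """Constructed targets: random secret keys and the chosen plaintexts 0x1234, 0xABCD, 0x0F0F."""
    rng = random.Random(seed)
    key, k1, k2 = (rng.randrange(1 << 16) for _ in range(3))
    plain = [0x1234, 0xABCD, 0x0F0F]
    single = [(p, enc16(key, p)) for p in plain]
    double = [(p, double_enc(k1, k2, p)) for p in plain]
    table = build_dictionary(plain[0])
    return {
        "key": key, "brute": brute_force(single),
        "dict": dictionary_lookup(table, single[0][1], single[1]),
        "pair": (k1, k2), "mitm": meet_in_the_middle(double),
    }


def attacks_succeed(seed=7):
    """True when every attack returns the planted key among its candidates."""
    r = demo(seed)
    return r["key"] in r["brute"] and r["key"] in r["dict"] and r["pair"] in r["mitm"]


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    With a 16-bit block, a single plaintext/ciphertext pair leaves about one false key per $2^{16}$ tried, which is why each attack confirms its candidates against a second pair; at DES size ($2^{56}$ keys, $2^{64}$ ciphertexts) one pair already singles out the key with high probability.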


    Cryptanalysis of DES

    There are also algorithms that trade memory/space against time, between the two extremes above.

    Linear Cryptanalysis: a linear approximation is used to describe DES. DES can be broken with:

    8 rounds: $2^{21}$ known plaintexts

    16 rounds: $2^{43}$ or $2^{47}$ known plaintexts

    M. Matsui, Eurocrypt 93 (the $2^{47}$ figure; the $2^{43}$ improvement is Matsui, Crypto 94)

    Assume an n-bit plaintext and ciphertext and an m-bit key.


    Cryptanalysis of DES

    Linear cryptanalysis

    Find bit locations $i_1, \dots, i_a$ on the plaintext $x$, $j_1, \dots, j_b$ on the ciphertext $y$ and $k_1, \dots, k_c$ on the key $K$ such that

    $(x_{i_1} \oplus x_{i_2} \oplus \dots \oplus x_{i_a}) \oplus (y_{j_1} \oplus y_{j_2} \oplus \dots \oplus y_{j_b}) = K_{k_1} \oplus K_{k_2} \oplus \dots \oplus K_{k_c}$

    holds with a probability $p$ different from $1/2$ (the slide says higher than .5; either side works, what matters is the bias $|p - 1/2|$, since the number of known plaintexts needed grows as $1/|p - 1/2|^2$). Use many different plaintexts, evaluate the left-hand side for each, and infer the right-hand side: if the left-hand side is 0 more often than $1/2$ of the time, the key-bit parity on the right is the value for which the approximation holds with $p > 1/2$, otherwise it is the complement.


    Cryptanalysis of DES

    Differential cryptanalysis:

    First suggested by Murphy for the cryptanalysis of FEAL-4; the general method, and its application to DES, is due to Biham and Shamir.

    Label the left and right halves of the block through the 16 rounds of DES as $x_i$, starting from $x_0$ (left) and $x_1$ (right).

    Assume that we have two known plaintexts $x$ and $x'$, and that we know the difference $\Delta x = x \oplus x'$.

    Each DES round produces $x_{i+1} = x_{i-1} \oplus F(x_i, K_i)$.


    Cryptanalysis of DES

    Differential analysis

    Using that, we have

    $\Delta x_{i+1} = \Delta x_{i-1} \oplus F(x_i, K_i) \oplus F(x'_i, K_i)$

    If $F(x_i, K_i) \oplus F(x'_i, K_i)$ is a function of $\Delta x_i$ alone with high probability (the sub-key is XORed into the S-box inputs, so it cancels out of the input difference, and each S-box has a few input/output difference pairs that are much more likely than average), then:

    knowing $\Delta x_{i-1}$ and $\Delta x_i$ we know $\Delta x_{i+1}$.

    Test this hypothesis for many pairs with a chosen $\Delta x$ and start getting information about $K_i$: for every candidate value of the last-round sub-key bits, count how often the predicted difference appears; the right value is the one whose count stands out.

    This can break DES with $2^{47}$ chosen plaintexts (Biham and Shamir, Crypto 92).
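    Both the linear cryptanalysis slide above and the differential slides here reduce to properties of the S-boxes, so this one added example (not code from the slides) serves both, using DES S-box S5 from FIPS 46. `linear_count(16, 15)` is Matsui's approximation (it holds for 12 of 64 inputs, a bias of $20/64$) and `recover_key_bit` is his Algorithm 1 run against a single keyed S-box; `diff_count` is the difference distribution table, `output_diffs_over_keys` shows why the key drops out of the difference, and `recover_key_differential` is the counting attack. The secret keys and seeds passed to the recovery functions are constructed inputs; the round's expansion and permutation are omitted, since the S-box is where the probabilities come from.

```python
"""Linear and differential views of one DES S-box (S5), the box behind Matsui's
best approximation; the same counting applies to each of S1..S8."""
import random
from collections import Counter

S5 = [  # FIPS 46: row = outer bits b1 b6, column = inner bits b2..b5
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(x):
    """6-bit input -> 4-bit output."""
    return S5[((x >> 5) & 1) << 1 | (x & 1)][(x >> 1) & 0xF]


def parity(v):
    return bin(v).count("1") & 1


# ---- linear: x[a] ^ S(x)[b] = 0 holds for N_S(a, b) of the 64 inputs ----

def linear_count(a, b):
    """N_S(a, b): inputs whose masked input parity equals the masked output parity."""
    return sum(parity(x & a) == parity(sbox(x) & b) for x in range(64))


def max_bias():
    """Largest |N_S(a, b) - 32| over all non-trivial mask pairs (20 for S5, Matsui's (16, 15))."""
    return max(abs(linear_count(a, b) - 32) for a in range(1, 64) for b in range(1, 16))


def recover_key_bit(key, a=16, b=15, samples=None, seed=1):
    """Matsui's Algorithm 1 on one S-box. The attacker sees x and y = S(x ^ key); since
    x[a] ^ y[b] = (x ^ key)[a] ^ key[a] ^ S(x ^ key)[b], the observed parity is key[a]
    shifted by the approximation's bias, so counting how often it is 0 reveals key[a]."""
    xs = range(64) if samples is None else random.Random(seed).choices(range(64), k=samples)
    zeros = sum(parity(x & a) ^ parity(sbox(x ^ key) & b) == 0 for x in xs)
    holds_less_than_half = linear_count(a, b) < 32  # 12/64 for (16, 15)
    return 0 if (zeros < len(xs) / 2) == holds_less_than_half else 1


# ---- differential: S(x) ^ S(x ^ din) == dout for DDT[din][dout] of the 64 inputs ----

def diff_count(din, dout):
    """Difference distribution table entry."""
    return sum(sbox(x) ^ sbox(x ^ din) == dout for x in range(64))


def best_output_difference(din):
    """The output difference an input difference is most likely to produce, with its count."""
    dout = max(range(16), key=lambda d: diff_count(din, d))
    return dout, diff_count(din, dout)


def output_diffs_over_keys(x, din):
    """Why the key drops out: for a fixed pair (x, x ^ din) the output difference seen across
    all 64 keys follows the DDT row for din, because x ^ k runs over every S-box input."""
    return Counter(sbox(x ^ k) ^ sbox(x ^ din ^ k) for k in range(64))


def recover_key_differential(key, din=0x34, pairs=8, seed=2):
    """Counting attack: every candidate key consistent with an observed output difference
    gets a vote; the true key (and its mirror key ^ din, which this difference alone cannot
    separate) is voted on every pair."""
    rng = random.Random(seed)
    votes = [0] * 64
    for _ in range(pairs):
        x = rng.randrange(64)
        observed = sbox(x ^ key) ^ sbox(x ^ din ^ key)
        for cand in range(64):
            if sbox(x ^ cand) ^ sbox(x ^ din ^ cand) == observed:
                votes[cand] += 1
    top = max(votes)
    return [c for c in range(64) if votes[c] == top]


if __name__ == "__main__":
    print("N_S5(16,15) =", linear_count(16, 15), "of 64; max |bias*64| =", max_bias())
    print("key bit from 24 samples:", recover_key_bit(0b101101, samples=24), "expected 0")
    print("best output difference for 0x34:", best_output_difference(0x34))
    print("keys voted for 0x09:", recover_key_differential(0x09))
```

    The one-S-box setting is exact (all 64 inputs available) where the slides' full-cipher attacks are statistical; lowering `samples` in `recover_key_bit` shows how a bias of $20/64$ still decides the key bit from a couple of dozen observations, whereas an approximation with a smaller bias would need many more, which is where the $2^{43}$ and $2^{47}$ known-plaintext counts come from.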