DES/TDEA
• Currently, there exist three FIPS†-approved algorithms for encryption:
  – Data Encryption Standard (DES)
  – Triple DES (TDEA)
  – Skipjack

Triple DES is the FIPS-approved symmetric encryption algorithm of choice.

†Federal Information Processing Standards

DES/TDEA
• Data Encryption Standard
  – AKA
    • Data Encryption Algorithm (DEA) (ANSI)
    • DEA-1 (ISO)
  – Origins
    • In the early 1970s a need arose
    • Military/NSA had developed encryption and had equipment
    • Nonmilitary research and application was “haphazard”
    • Some manufacturing, mostly for overseas
    • No interoperability
    • Was anything really secure?
    • No independent certification

DES/TDEA
  – National Bureau of Standards (National Institute of Standards and Technology)
    • Issues public request 5/15/73 for RFP for a standard cryptographic algorithm
    • Specs (wish list):
      – Provide high level of security
      – Completely specified and easy to understand
      – Security rests in the key and does not depend on algorithm secrecy
      – Available to all users
      – Adaptable to diverse applications
      – Economically implementable in electronic devices
      – Efficient
      – Validatable
      – Exportable

DES/TDEA
  – Responses failed to meet the goals
  – Second request 8/27/74
  – Algorithm based on IBM’s patented Lucifer
    • Roy Adler, Don Coppersmith, Horst Feistel, Edna Grossman, Alan Konheim, Carl Meyer, Bill Notz, Lynn Smith, Walt Tuchman, Bryant Tuckerman
    • Worked well for hardware of the time
  – NBS asked for NSA evaluation help
  – NSA makes several changes (always suspected)
  – IBM/NBS work out agreement
  – Published 8/1/75

DES/TDEA
  – Review, lively dialogue and publications of the standard ensued
  – “Standards were unprecedented”
  – “DES did more to galvanize the field of cryptanalysis than anything else”
  – NSA claimed it was secure
    • Thought it was a hardware solution
    • Details published that allowed for software implementation
    • Next standard, Skipjack, was classified…
  – ANSI approved “DEA” as X3.92 (1981)

DES/TDEA
  – Business adoption
    • Retail and wholesale banking (through ANSI)
      – Financial Institution Retail Security Working Group
      – Financial Institution Wholesale Security Working Group
      – Authentication, PIN and key management and distribution, secure personal and node authentication
    • American Bankers Association (ABA)
      – Voluntary standards
      – Recommendations for encryption and key management
  – Additional Governmental usage
    • GSA
    • Dept of Treasury

DES/TDEA
  – Validation/Certification
    • DES requires recertification every 5 years
    • 1978
      – First certified
    • 1983
      – Recertified with no problems
    • 1987
      – Likelihood of breaking beginning to show
      – Commercial COMSEC Endorsement Program (CCEP)
        » NSA-designed algorithms on a VLSI chip
      – Banking industry uses DES extensively with no alternative
      – Withdrawal would leave some orgs with no alternatives
      – Recertified but “would not be recertified again”

DES/TDEA
    • 1993
      – Still no alternative
      – Usefulness expected to end by later 1990s
      – Software implementations allowed to be certified
    • 1999
      – Reaffirmed: FIPS PUB 46-3 (supersedes 46-2)
      – Added TDEA and Skipjack as approved standards

“Note: It is anticipated that triple DES and the Advanced Encryption Standard (AES) will coexist as FIPS† approved algorithms allowing for a gradual transition to AES. (The AES is a new symmetric-based encryption standard under development by NIST. AES is intended to provide strong cryptographic security for the protection of sensitive information well into the 21st century.)”

† Federal Information Processing Standards

DES/TDEA
  – With this modification:
    “1. Triple DES (i.e., TDEA), as specified in ANSI X9.52 will be recognized as a FIPS approved algorithm.
    2. Triple DES will be the FIPS approved symmetric encryption algorithm of choice.
    3. Single DES (i.e., DES) will be permitted for legacy systems only. New procurements to support legacy systems should, where feasible, use Triple DES products running in the single DES configuration.
    4. Government organizations with legacy DES systems are encouraged to transition to Triple DES based on a prudent strategy that matches the strength of the protective measures against the associated risk.”

DES/TDEA
• Components
  – Keys
    • 64 but actually 56 bits
    • Every 8th bit is parity
  – Blocks
    • “Block cipher”
    • 64-bit blocks in/out
    • Composed of bits numbered from left to right, i.e., the leftmost bit of a block is bit one.
  – Algorithm
    • Symmetric
    • “At its simplest level…nothing more than a combination of the two basic techniques of encryption: confusion and diffusion”

DES/TDEA
• Algorithm Notes
  – Substitution followed by permutation on the text, based on the key (one round)
  – 16 rounds
  – Uses standard arithmetic and logical operations on numbers of 64 bits (’70s hardware influence)
  – A handful of key values are considered weak and semi-weak keys
    » 64 out of 72,057,594,037,927,936

DES/TDEA
  – Algorithm Description
    • Start with 64 bits of plaintext
    • Initial Permutation (IP)
    • Block bisected into two 32-bit “right” and “left” blocks
    • Function “ƒ” applied 16 times using shifted keys and exchanging the R/L
    • R/L rejoined
    • Final Permutation (IP⁻¹)
    • End with 64 bits of ciphertext

DES/TDEA

• Initial Permutation (IP)
  – Transposes the input block using table:

    58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4
    62, 54, 46, 38, 30,…
    57, 49, 41, 33,…
    61, 53, 45

    i.e. bit 58 goes to position 1, 50 to 2, 42 to 3, …

  – Maybe makes it easier to load text into a DES chip?

DES/TDEA
• Key transformation
  – Extract 56 bits from 64-bit key (remove and verify parity)
  – Generate 48-bit subkey for each of the 16 rounds
    1. Divide 56-bit key into two 28-bit pieces
    2. Circular shift left each half by one or two bits based on:

       Round:  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
       Shift:  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

    3. Select 48 out of 56 bits (compression permutation, aka permuted choice):

       14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10
       23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32

       i.e. bit 14 goes to position 1, 17 to 2,…

[Figure: one DES round, with blocks labelled L, R, Key, Expansion, S-Box, P-Box, shift, Compression, and outputs L’, R’, Key’]

DES/TDEA
• Expansion Permutation
  – Expand the 32-bit R half to 48 bits
  – Makes R the same size as the subkey for the XOR
  – Main purpose: one bit affects two substitutions, creating a rapidly increasing dependency of output bits on input bits (avalanche effect)
  – E-box: for each 4-bit input,
    • 1st and 4th bits each supply two bits of the output block
    • 2nd and 3rd bits each supply one bit
    • Using:

      32,  1,  2,  3,  4,  5,  4,  5,  6,  7,  8,  9
       8,  9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17
      16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25
      24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32,  1

DES/TDEA
• S-Box Substitution
  – Applied after the compressed key is XORed with the expanded block
  – Substitution box used:
    • 6 bits in, 4 bits out
    • 8 different S-Boxes
    • Tables used in parallel
    • 48 bits in 6-bit groups go through 8 S-boxes, giving 32 bits out
  – Input bits used to index into a table:
    • For input b1,…,b6: row is b1,b6 and column is b2,b3,b4,b5
  – Result is a 32-bit block
  – This substitution is most critical: “other operations are linear and easy to analyze. The S-boxes are nonlinear and, more than anything else, give DES its security”

S-Box Design
• No output bit of an S-box should be too close to a linear function of the input bits
• If the leftmost and rightmost bits are fixed, and the 4 middle bits varied, each possible 4-bit result is obtained once.
• 2 inputs vary in 1 bit, output varies in 2 bits
• 2 inputs vary in 2 middle bits, the output varies in at least 2 bits
• 2 inputs are different on 1st 2 bits, and same on last 2 bits, the output is different
• A few more esoteric ones….
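
The design criteria above can be checked mechanically. The following is an added example, not part of the original slides: it takes S-box S1 from FIPS 46-3 (the table itself is not printed on this page), indexes it by row b1,b6 and column b2..b5 as described in the S-Box Substitution slide, and measures how many output bits change for each class of input difference.

```python
# Added example: verify the listed S-box design criteria against DES S-box S1.
# S1 is copied from FIPS 46-3; it does not appear on the slides themselves.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(table, x):
    """Look up a 6-bit input b1..b6 (b1 is the most significant bit)."""
    row = ((x >> 4) & 0b10) | (x & 1)   # outer bits b1, b6 select the row
    col = (x >> 1) & 0xF                # middle bits b2..b5 select the column
    return table[row][col]

def weight(v):
    """Number of 1 bits, i.e. how many output bits changed in an XOR."""
    return bin(v).count("1")

def rows_are_permutations(table):
    """Outer bits fixed, middle bits varied: every 4-bit result occurs once."""
    return all(sorted(row) == list(range(16)) for row in table)

def min_output_change(table, deltas):
    """Smallest number of output bits that change over all inputs and deltas."""
    return min(weight(sbox(table, x) ^ sbox(table, x ^ d))
               for x in range(64) for d in deltas)

# Input differences named by the criteria on the slide.
ONE_BIT = [1 << i for i in range(6)]                  # inputs vary in 1 bit
MIDDLE_TWO = [0b001100]                               # vary in the 2 middle bits
FIRST_TWO = [0b110000 | (m << 2) for m in range(4)]   # differ in b1,b2; same b5,b6

if __name__ == "__main__":
    print("rows are permutations:", rows_are_permutations(S1))
    print("1-bit input change, min output bits changed:", min_output_change(S1, ONE_BIT))
    print("middle-2 change, min output bits changed:", min_output_change(S1, MIDDLE_TWO))
    print("first-2 differ, min output bits changed:", min_output_change(S1, FIRST_TWO))
```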

DES/TDEA
• P-Box Permutation
  – Output of S-Box is permuted
  – Maps each input bit to an output position
  – No bits are used twice and no bits are ignored (straight permutation)

    16,  7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26,  5, 18, 31, 10
     2,  8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25

• Result XORed with the 32-bit L half
• L and R switched
• Go around again…
• Repeat 16 times

DES/TDEA

• Final Permutation (IP⁻¹)
  – L and R not exchanged after last round
  – Concatenated block put through:

    40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31
    38, 6, 46, 14, 54, …
    36, 4, 44, 12, …
    34, 2, 42, …

• Done (EOA)!

DEA/TDEA

• Decrypting
  – Use same function
  – Key is the key…
    • Used in reverse order (K1,…,K16 becomes K16,…,K1)
    • Right circular shift of 0-2 bits

      Round:         1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
      Right shift:   0  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
      (Left shift:   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1)

DES/TDEA

• Triple Data Encryption Algorithm
  – Same base algorithm
  – Uses three separate keys (K1, K2, K3) (bundle), with keying options of:
    1. K1 K2 K3
    2. K1 K2 and K3 = K1
    3. K1 = K2 = K3
  – Encryption defined as: C = E_K3(D_K2(E_K1(T)))
  – Decryption defined as: T = D_K1(E_K2(D_K3(C)))

DES/TDEA
  – TDEA backwards compatible with DES if:
    • Using compatible keying options
      1. An encrypted plaintext computed using a single DES mode of operation can be decrypted correctly by a corresponding TDEA mode of operation
      2. An encrypted plaintext computed using a TDEA mode of operation can be decrypted correctly by a corresponding single DES mode of operation
  – When using Keying Option 3 (K1 = K2 = K3), TECB, TCBC, TCFB and TOFB modes are backward compatible with single DES modes of operation ECB, CBC, CFB, OFB respectively

DES/TDEA

• Is it (basic DES) really secure?
  – Years of speculation
  – Successful attacks on versions with fewer rounds
  – Differential and linear cryptanalysis reduce the potential number of steps of a brute force (exhaustion) attack
  – NSA rumors: massively parallel systems with special algorithms yielding < 15 min. cracks
  – Conclusion: Logically, doubtful!