Embed Size (px)
Citation preview
DES Analysis and Attacks
CSCI 5857: Encoding and Encryption
Outline
• Confusion and diffusion• Attacks and weaknesses
– Linear cryptanalysis attacks– Weak keys
• Exhaustive search attacks– Use of multiple keys– Meet in the middle attacks– Triple DES
Confusion and Diffusion• Use of inputs to
create round key assures each plaintext bit affects many ciphertext bits
• Use of shifts and permutations in key generation assures each key bit affects many ciphertext bits
Cryptanalysis• Differential Cryptanalysis:
Using similar plaintexts to look for patterns in how ciphertext generated
• Linear Cryptanalysis: Attempting to approximate entire cipher as one big set of linear equations – Finding solutions to set of linear equations well
studied in engineering
– Possible if all S-boxes linear
– n bit key requires n known plaintexts to solve
Linear S-Boxes• Linear n x m S-Box can be expressed as linear
equation of form:
c1 = a11x1 a12x2 … a1nxn
c2 = a21x1 a22x2 … a2nxn
…cm = am1x1 am2x2 … amnxn
where xi is ith input bit ci is ith ciphertext bit aij is either 0 or 1
• Each cipherbit character is defined as the XOR of certain input bits
Linear S-Boxes
• Example of linear 3x3 S-Box:
• Corresponding linear equationsc1 = x1 x2 = 1x1 1 x2 0 x3
c2 = x1 x2 x3 = 1x1 1 x2 1 x3
c3 = x2 x3 = 0x1 1 x2 1 x3
00 01 10 11
0 000 011 111 100
1 110 101 001 010
Linear Cryptanalysis ExampleExample: Above S-Box used after XOR stage
Linear Cryptanalysis Example
• S-Box input bit xi = pi ki
• Resulting equations:c1 = (p1 k1) (p2 k2)c2 = (p1 k1) (p2 k2) (p3 k3) c3 = (p2 k2) (p3 k3)
• Can now solve for key bits!k1 = p1 (c1 c2 c3)k2 = p1 (c1 c2)k3 = p1 (c2 c3)
Linear Cryptanalysis
Possible if cipher uses only linear components– Permutation boxes linear by definition!
Shifting from position i to position j is equation cj = 0p1 0 p2 … 1 pi… 0 pn
• Therefore, S-Boxes must not be linear!– They are the only possible nonlinear component
Cryptanalysis Attacks on DES
• Linear Cryptanalysis– DES not designed for this attack (invented after
DES released– However, DES S-Boxes not linear– 243 known plaintexts needed to break DES using
linear cryptanalysis
Weak Keys
• Keys that leave plaintext vulnerable in some way– Simple example: k = 26 in Caesar cipher
• Weak keys in DES produce same round key for multiple rounds– 4 keys give same round key every round– 8 keys give only 2 distinct round keys– 48 keys give only 4 distinct round keys
– Odds unlikely (8.8 x 10-16 ), but should still check randomly generated keys
Exhaustive Search Attacks
• 56-bit key not computationally secure• Parallel processing attacks
– Computer with 1 million chips (1998) key found in 112 hours
– Network of 3500 computers (1977) key found in 120 days
• 56-bit key not recommended by NIST!
“all clones test different keys!”
Multiple Stage DES
• No way to use larger key in DES– Structure “hardwired”
• Only solution: multiple stage DES– Different keys used
each stage– Output ciphertext of
one stage input plaintext of next stage
Multiple Stage DES• Multiple stages with different keys greatly increases
number of possible ciphertexts
– (264)! possible mappings from 264 possible input blocks to 264 possible output blocks
– Only 256 possible keys (tiny fraction of the above)– Extremely unlikely that there exists K3 such that
E(E(P, K1), K2) = E(P, K3)
Possible ciphertexts
Possible ciphertexts
After applying K1 and K2
After applying K1
“Meet In The Middle” Attack
• Theoretically, two stages should be sufficient– Adversary would have to try all combinations of possible K1
and K2
– 256 x 256 = 2112 possible combinations of keys
• Vulnerable to “meet in the middle” attack– Adversary has a known plaintext P and ciphertext C– Works forward encrypting P with all possible K1 – Works backward decrypting C with all possible K2
– Stores results and searches for matches
“Meet In The Middle” Attack“I’ll try all K1 and store the results in a table”
Table of all possible M created by encrypting P
“I’ll try all K2 and store the results in another table”
Table of all possible M created by decrypting C“Now I’ll compare
the two and look for any matches”
“Meet In The Middle” Attack
• M’s (and keys K1 and K2 that created them) kept in sorted tables – 256 runs to create each
table– 56 x 256 comparisons to
find matches– Match gives plausible
values for K1 and K2
• “Double DES” not computationally secure
M K1
1010001…10 0110100…01
M K2
1010001…10 1100110…00
“These match”
“So this might be K1 and K2”
Triple DES
• Need at least three stages of encryption – “Meet in middle”
attack can only take place after at least two stages
– Effectively the same as 112 bit key
K1
K3
K2
“I can only attack here”
Triple DES With Two Keys• Just use K1 twice
(in first and last stage)
• Shorter keys (112 bits instead of 168 bits)
• Still secure (have to try all K1 and K2 to do meet in middle attack)
“Still too hard to crack”
Efficiency of DES
• Fast if burned into hardware– Basic structure corresponds to wiring diagram
• Slow if executed as software– Basic structure doesn’t fit into registers– Much swapping between RAM/registers required
• 3DES even slower
