Lectures #3

Block Ciphers and the Data

Encryption Standard

CYS535 Network Security

Prepared By: Dr. Ihab ELAFF
 Chapter 3
Block Ciphers and the Data
Encryption Standard
3.1 Block Cipher Principles
Modern Block Ciphers
• One of the most widely used types of
cryptography algorithms
• Provide strong secrecy and/or authentication
services
• In particular will introduce DES (Data
Encryption Standard)
Block vs Stream Ciphers
• Block Ciphers process messages into blocks,
each of which is then encrypted/decrypted like a
substitution on very big characters (64-bits or
more)
• Stream Ciphers process messages a bit or byte
at a time when encrypting/decrypting
• Many current ciphers are Block Ciphers
Block Cipher Principles
• Block Ciphers look like an extremely large
substitution
• It needs table of 264 entries for a 64-bit block
• Arbitrary reversible substitution cipher for a large
block size is not practical (64-bit general
substitution block cipher, key size 264!)
• Most symmetric block ciphers are based on a
Feistel Cipher Structure
Block Cipher Principles
General n-bit-n-bit Block Substitution
Feistel Cipher Structure
• Horst Feistel devised the feistel cipher
▫ implements Shannon’s substitution-permutation
network concept
▫ partitions input block into two halves
▫ process through multiple rounds which
▫ perform a substitution on left data half
▫ based on round function of right half & subkey
▫ then have permutation swapping halves
Feistel Cipher Structure
 Feistel Cipher Encryption
 “F” is the round function
 K0,K1,…. ,Kn the sub-keys rounds
0,1,… ,n.
 Encryption:
1. Split the Plaintext block into
two equal pieces L0, R0
2. For i = 0,1, …n
Li+1 = Ri
Ri+1 = Li⊕F(Ri, Ki)
 Feistel Cipher Decryption
 “F” is the round function
 K0,K1,…. ,Kn the sub-keys rounds
0,1,… ,n.
 Decryption:
1. Split the Ciphertext block into
two equal pieces Ln+1, Rn+1
2. For i = n,n-1, …0
Ri = Li+i
Li = Ri+1⊕F(Li+1, Ki)
Feistel Cipher Design Principles
• block size
▫ increasing size improves security, but slows cipher
• key size
▫ increasing size improves security, makes exhaustive key searching
harder, but may slow cipher
• number of rounds
▫ increasing number improves security, but slows cipher
• subkey generation
▫ greater complexity can make analysis harder, but slows cipher
• round function
▫ greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
▫ are more recent concerns for practical use and testing
3.2 Data Encryption Standard (DES)
Data Encryption Standard (DES)
• Most widely used block cipher in world
• Encrypts 64-bit data using 56-bit key
• Adopted in 1977 by the National Institute of
Standards and Technology (NIST), as Federal
Information Processing Standard 46 (FIPS PUB
46).
DES Design Controversy
• DES standard is public
• Was considerable controversy over design in
choice of 56-bit key (vs Lucifer 128-bit)
• Subsequent events and public analysis show in
fact design was appropriate
• DES has become widely used, especially in
financial applications
DES Encryption
• Permutation (16 bit to 16 bit)
DES Encryption
• Permutation (16 bit to 14 bit)
DES Encryption
DES Encryption Steps
• 1 Process the key.
• 2 Process a 64-bit data block.
DES Encryption Steps:
1-Process the key.
• 1.1 Get a 64-bit key from the user. (Every 8th bit
(the least significant bit of each byte) is
considered a parity bit. For a key to have correct
parity, each byte should contain an odd number
of "1" bits.) This key can be entered directly, or it
can be the result of hashing something else.
There is no standard hashing algorithm for this
purpose.
DES Encryption
DES Encryption Steps:
1-Process the key.
• 1.2 Calculate the key schedule.
• 1.2.1 Perform the following permutation on the
64-bit key. (The parity bits are discarded,
reducing the key to 56 bits. Bit 1 (the most
significant bit) of the permuted block is bit 57 of
the original key, bit 2 is bit 49, and so on with bit
56 being bit 4 of the original key.)
DES Encryption Steps:
1-Process the key.
DES Encryption Steps:
1-Process the key.
• 1.2.2 Split the permuted key into two halves. The
first 28 bits are called C0 and the last 28 bits are
called D0.
DES Encryption Steps:
1-Process the key.
• 1.2.3 Calculate the 16 sub keys. Start with i=1
1- Perform one or two circular left shifts on both Ci-1
and Di-1 to get Ci and Di, respectively. The number of
shifts per iteration are given in the table below.
DES Encryption Steps:
1-Process the key.
• 1.2.3 Calculate the 16 sub keys. Start with i=1
2-Permute the concatenation CiDi as indicated below.
This will yield the key Ki, which is 48 bits long.

3 Loop back to step 1 until K16 has been calculated.

DES Encryption Steps:
2-Process a 64-bit data block.
• 2.1 Get a 64-bit data block. If the block is shorter
than 64 bits, it should be padded as appropriate
for the application.
• 2.2 Perform the Initial
permutation on the data
block using the
following tables.
DES Encryption Steps:
2-Process a 64-bit data block.
• 2.3 Split the block into two halves. The first 32-
bit are called L0, and the last 32-bit are called R0.
DES Encryption
DES Encryption Steps:
2-Process a 64-bit data block.
• 2.4 Apply the 16 Rounds Start with i = 1:
▫ 2.4.1 Expand the 32-bit Ri-1 into 48 bits according
to the bit-selection function using Expansion
Permutation table:
DES Encryption Steps:
2-Process a 64-bit data block.
• 2.4 Apply the 16 Rounds Start with i = 1:
▫ 2.4.2 Xi = E(Ri-1) ⊕Ki (Ki is the key which is generated
in the previous section) [Xi is 48-bit].
▫ 2.4.3 Xi into eight 6-bit blocks. Bits 1-6 are B1, bits 7-12
are B2, and so on with bits 43-48 being B8.
DES Encryption Steps:
2-Process a 64-bit data block.
• 2.4 Apply the 16 Rounds Start with i = 1:
▫ 2.4.4 Substitute the values found in the S-boxes
for all Bj. Start with j = 1 to 8. All values in the S-
boxes should be considered 4 bits wide.
DES Encryption Steps:
2-Process a 64-bit data block.
• S-Boxes
DES Encryption Steps:
2-Process a 64-bit data block.
2.4.4 Substitute the values found in the S-boxes
1- Take the 1st and 6th bits of Bj together as 2-bit value (call it m)
indicating the row in Sj to look in for the substitution.
2- Take the 2nd through 5th bits of Bj together as 4-bit value (call
it n) indicating the column in Sj to find the substitution.
3- Replace Bj with Sj [m][n] , Loop back to 1 until all 8 blocks
have been replaced.
Ex: B1=011101  n=(01)2 , m=(1110)2
DES Encryption Steps:
2-Process a 64-bit data block.
2.4.5 Permute the concatenation of B1 through B8 as indicated below to
P.

2.4.6 Find Ri = Li-1⊕P

2.4.7 Assign Li = Ri-1
2.4.8 Loop back to 2.4.1 until K16 has been applied.
DES Encryption Steps:
2-Process a 64-bit data block.
2.5 Perform the following Inverse Permutation on the
block R16 L16 (Left and Right are swapped)
DES Decryption
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
• note that IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value
DES Decryption (reverse encryption)
Avalanche Effect
• key desirable property of encryption algorithm

• DES exhibits strong Avalanche where a change

of one input or key bit results in changing
approximate half output bits
Example
• Plaintext M = (0123456789ABCDEF)16
• Key K = (133457799BBCDFF1)16

1)Process the key.

K = 0001 0011 0011 0100
0101 0111 0111 1001
1001 1011 1011 1100
1101 1111 1111 0001
Example
1)Process the key.

• 56-bit permutation
• K+ =1111 0000 1100 1100 1010 1010 1111 0101
0101 0110 0110 0111 1000 1111
Example
1)Process the key.

K+ =1111 0000 1100 1100 1010 1010 1111

0101 0101 0110 0110 0111 1000 1111

C0 = 1111 0000 1100 1100 1010 1010 1111

D0 = 0101 0101 0110 0110 0111 1000 1111
Example
1)Process the key.
C0 = 1111 0000 1100 1100 1010 1010 1111
D0 = 0101 0101 0110 0110 0111 1000 1111

C1 = 1110 0001 1001 1001 0101 0101 1111

D1 = 1010 1010 1100 1100 1111 0001 1110

C2 = 1100 0011 0011 0010 1010 1011 1111

D2 = 0101 0101 1001 1001 1110 0011 1101

C3 = 0000 1100 1100 1010 1010 1111 1111

D3 = 0101 0110 0110 0111 1000 1111 0101
Example
1)Process the key.
56-bit  48-bit
C1 D1 = 1110 0001 1001 1001 0101 0101 1111
1010 1010 1100 1100 1111 0001 1110

K1 = 000110 110000 001011 101111

111111 000111 000001 110010
Example
2) Process a 64-bit data block.
M = (0123456789ABCDEF)16
M = 0000 0001 0010 0011
0100 0101 0110 0111
1000 1001 1010 1011
1100 1101 1110 1111
Example
2) Process a 64-bit data block.
M = 0000 0001 0010 0011 0100 0101 0110 0111
1000 1001 1010 1011 1100 1101 1110 1111

IP = 1100 1100 0000 0000 1100 1100 1111 1111

1111 0000 1010 1010 1111 0000 1010 1010
Example
2) Process a 64-bit data block.
IP = 1100 1100 0000 0000 1100 1100 1111 1111
1111 0000 1010 1010 1111 0000 1010 1010

L0 = 1100 1100 0000 0000 1100 1100 1111 1111

R0 = 1111 0000 1010 1010 1111 0000 1010 1010

Ln = Rn-1 Rn = Ln-1 + f(Rn-1,Kn)

L1=R0 =1111 0000 1010 1010 1111 0000 1010 1010

R1 = L0 + f(R0,K1)
Example
2) Process a 64-bit data block.
R1 = L0 + f(R0,K1)
32-bit  48-bit
R0 = 1111 0000 1010 1010 1111 0000 1010 1010

E(R0) = 011110 100001 010101 010101

011110 100001 010101 010101
Example
2) Process a 64-bit data block.
K1 = 000110 110000 001011 101111
111111 000111 000001 110010

E(R0) = 011110 100001 010101 010101

011110 100001 010101 010101

K1+E(R0) = 011000 010001 011110 111010

100001 100110 010100 100111
Kn + E(Rn-1) =B1B2B3B4B5B6B7B8,
Example
2) Process a 64-bit data block.
K1+E(R0) = 011000 010001 011110 111010
100001 100110 010100 100111
K1 + E(R0) =B1B2B3B4B5B6B7B8

B1 = 011000  n=(00)2 , m=(1100)2

S1(B1) = (5)10 = (0101)2

Example
2) Process a 64-bit data block.
K1+E(R0) = 011000 010001 011110 111010
100001 100110 010100 100111
K1 + E(R0) =B1B2B3B4B5B6B7B8
B1 = 011000
S1(B1) = 0101

B2 = 010001
S2(B2) = 1100
Example
2) Process a 64-bit data block.

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7 (B7)S 8(B8) =

0101 1100 1000 0010 1011 0101 1001 0111

f=
0010 0011 0100 1010 1010 1001 1011 1011
Example
2) Process a 64-bit data block.

R1 = L0 + f(R0 , K1 )

R1 =
1100 1100 0000 0000 1100 1100 1111 1111+
0010 0011 0100 1010 1010 1001 1011 1011
= 1110 1111 0100 1010 0110 0101 0100 0100
3.3 Strength of DES
Strength of DES – Key Size
• 56-bit keys have 256 = 7.2 x 1016 values
• brute force search looks hard
• recent advances have shown is possible
▫ in 1997 on Internet in a few months
▫ in 1998 on dedicated hardware (EFF) in a few days
▫ in 1999 above combined in 22hrs!
• still must be able to recognize plaintext
• now considering alternatives to DES
Strength of DES – Timing Attacks
• attacks actual implementation of cipher
• use knowledge of consequences of
implementation to derive knowledge of some/all
subkey bits
• specifically use fact that calculations can take
varying times depending on the value of the
inputs to it
Strength of DES – Analytic Attacks
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
▫ by gathering information about encryptions
▫ can eventually recover some/all of the sub-key bits
▫ if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
▫ differential cryptanalysis
▫ linear cryptanalysis
▫ related key attacks
Cipher Block Chaining (CBC)
Cipher Block Chaining (CBC)
• message is broken into blocks
• but these are linked together in the encryption
operation
• each previous cipher blocks is chained with current
plaintext block, hence name
• use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
• uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
Cipher FeedBack (CFB)
Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8 or 64 or
whatever) to be feed back
▫ denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
• uses: stream data encryption, authentication
Cipher FeedBack (CFB)
Output FeedBack (OFB)
Output FeedBack (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then feed back (hence name)
• feedback is independent of message
• can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
• uses: stream encryption over noisy channels
Output FeedBack (OFB)
Counter (CTR)
Counter (CTR)
• a “new” mode, though proposed early on
• encrypts counter value rather than any feedback
value
• must have a different key & counter value for every
plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
• uses: high-speed network encryptions
Counter (CTR)
End.