Announcements:Announcements: Homework 3 due nowHomework 3 due now Homework 4 postedHomework 4 posted
Today:Today: Attacks on DESAttacks on DES
Questions?Questions?
DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 14Day 14
DES can be broken by has been showing signs of DES can be broken by has been showing signs of weakness from the beginningweakness from the beginning
1975
1977
1987
1992
1993 20112000
Only 2Only 25656 = 72,057,594,037,927,936 keys, = 72,057,594,037,927,936 keys, so it was brute forced using parallelismso it was brute forced using parallelism
1997: 1997: DES Challenge issued. $10K prizeDES Challenge issued. $10K prize
Found after searching ___% of keyspaceFound after searching ___% of keyspace
1998: 1998: DES Challenge IIDES Challenge II Down to 39 days, 85% of keyspace!Down to 39 days, 85% of keyspace!
Also in 1998…Also in 1998…
DES Cracker used a mixture of software and DES Cracker used a mixture of software and specialized hardwarespecialized hardware
Budget of only $200,000 1998 dollars Budget of only $200,000 1998 dollars vs $20,000,000 1977 dollarsvs $20,000,000 1977 dollars
Result? Result?
Post-DES Post-DES
Brute force attacks that take O(N) DES Brute force attacks that take O(N) DES computations are now reasonable.computations are now reasonable.
Can we just double encrypt to get O(NCan we just double encrypt to get O(N22) ) computations? computations? Use k1, k2Use k1, k2 C = EC = Ek2k2(E(Ek1k1(P)), so P = D(P)), so P = Dk1k1(D(Dk2k2(C)) ? (C)) ?
Meet-in-the-middle attackMeet-in-the-middle attack
Assume k completely determines EAssume k completely determines Ekk and D and Dkk
Know P and C = EKnow P and C = Ek2k2(E(Ek1k1(P))(P))
P
Ek1(P)
(for all k1) C
Dk2(C)
(for all k2)
Time complexity? O( n ) DES computations, O( n2 ) comparisons O(n ) memory
Triple-DES?Triple-DES?TypeType DES DES
computationscomputations
ComparisonsComparisons MemoryMemory Brute Brute force force DESDES
DoubleDouble
C=EC=Ek2k2(E(Ek1k1(P))(P))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))
Triple1Triple1
C=EC=Ek3k3(E(Ek2k2(E(Ek1k1(P)))(P)))
Triple2Triple2
C=EC=Ek1k1(E(Ek2k2(E(Ek1k1(P)))(P)))
Triple3Triple3
C=EC=Ek2k2(E(Ek1k1(E(Ek1k1(P)))(P)))
Describe attacks on triple 1-3, fill out chart, and order by level of security
Triple-DES?Triple-DES?TypeType DES DES
computationscomputations
ComparisonsComparisons MemoryMemory Brute Brute force force DESDES
(3) Double(3) Double
C=EC=Ek2k2(E(Ek1k1(P))(P))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))
(1) (1) Triple1Triple1
C=EC=Ek3k3(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N33)) O(NO(N22)) O(NO(N33))
(2) (2) Triple2Triple2
C=EC=Ek1k1(E(Ek2k2(E(Ek1k1(P)))(P)))
(3) Triple3(3) Triple3
C=EC=Ek2k2(E(Ek1k1(E(Ek1k1(P)))(P)))
Describe attacks on triple 1-3, fill out chart, and order by level of security
Triple-DES?Triple-DES?TypeType DES DES
computationscomputations
ComparisonsComparisons MemoryMemory Brute Brute force force DESDES
(3) Double(3) Double
C=EC=Ek2k2(E(Ek1k1(P))(P))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))
(1) (1) Triple1Triple1
C=EC=Ek3k3(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N33)) O(NO(N22)) O(NO(N33))
(2) (2) Triple2Triple2
C=EC=Ek1k1(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N33)) O(NO(N22)) O(NO(N22))
(3) Triple3(3) Triple3
C=EC=Ek2k2(E(Ek1k1(E(Ek1k1(P)))(P)))
Describe attacks on triple 1-3, fill out chart, and order by level of security
Triple-DES?Triple-DES?TypeType DES DES
computationscomputations
ComparisonsComparisons MemoryMemory Brute Brute force force DESDES
(3) Double(3) Double
C=EC=Ek2k2(E(Ek1k1(P))(P))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))
(1) (1) Triple1Triple1
C=EC=Ek3k3(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N33)) O(NO(N22)) O(NO(N33))
(2) (2) Triple2Triple2
C=EC=Ek1k1(E(Ek2k2(E(Ek1k1(P)))(P)))O(NO(N22)) O(NO(N22)) O(NO(N22)) O(NO(N22))
(3) Triple3(3) Triple3
C=EC=Ek2k2(E(Ek1k1(E(Ek1k1(P)))(P)))O(N)O(N) O(NO(N22)) O(N)O(N) O(NO(N22))
Describe attacks on triple 1-3, fill out chart, and order by level of security
DES Modes of OperationDES Modes of Operation
Electronic codebook:Electronic codebook: Each block is Each block is encoded independentlyencoded independently
Text ASCII bit vector
Block1 (64 bits)
DES
Encoded1 (64 bits)
Encoded bit vector
Block2 (64 bits)
DES
Encoded2 (64 bits)
…
DES Modes of OperationDES Modes of Operation
Cipher-block chaining:Cipher-block chaining: Each plaintext block is XOR’ed Each plaintext block is XOR’ed with the previous ciphertext before going into DESwith the previous ciphertext before going into DES
Text ASCII bit vector
Block1 (64 bits)
DES
Encoded1 (64 bits)
Encoded bit vector
Block2 (64 bits)
DES
Encoded2 (64 bits)
+ …++C0
(random;sent in clear)
DES Modes of OperationDES Modes of Operation
Others:Others: Cipher feedback: Cipher feedback: similar, but 64-bit blocks overlap, similar, but 64-bit blocks overlap,
giving k bits at a time (like 8 for 1 character at a time)giving k bits at a time (like 8 for 1 character at a time)Uses pseudorandom bits like LFSRUses pseudorandom bits like LFSR
Output feedback: Output feedback: similar but helps catch errors before similar but helps catch errors before propagate. propagate.
CounterCounter: Some output can be computed : Some output can be computed independently, so better for parallelizingindependently, so better for parallelizing
I trust you could implement these if needed. Not I trust you could implement these if needed. Not part of HW4…part of HW4…
HW4: DES ImplementationHW4: DES Implementation
I implemented EDEN in Java fairly quicklyI implemented EDEN in Java fairly quicklyDES is obviously more complicatedDES is obviously more complicatedYou’ll implement encryption and decryption. You’ll implement encryption and decryption. Correctness:Correctness: Can use one to test the other.Can use one to test the other.
Efficiency:Efficiency: In addition, it’d be nice to use a language that’s closer In addition, it’d be nice to use a language that’s closer
to the hardware for efficiency, like C or non-OO Java.to the hardware for efficiency, like C or non-OO Java. Part of your grade will depend on thisPart of your grade will depend on this There will also be a competition to see whose There will also be a competition to see whose
implementation is quickest!implementation is quickest!
Questions so far on DES?Questions so far on DES?