ABASYN UNIVERSITY PESHAWAR Page |1

QUIZ NO: 03

SUMITTED BY
Ziaullah Khan
Roll number: 17328

SUMITTED TO
Dr. Syed Irfan Ullah (Sir)
Discipline: MSCS
Semester: 4th
Subject: Advance Network Security

DEPARTMENT OF COMPUTER SCIENCE

Abasyn University Peshawar

 ABASYN UNIVERSITY PESHAWAR Page |2

Quiz-3
•DES algorithm developed in 1977, and adopted as standard, describe the grounds on
which you state it is insecure.
–Give reference of at least five research articles
–Give a ground of each research article on which it claims that DES is insecure.
 ABASYN UNIVERSITY PESHAWAR Page |3

Data Encryption Standard (DES)

DES was the result of a research project set up by International Business Machines (IBM)
corporation in the late 1960’s which resulted in a cipher known as LUCIFER. In the early 1970’s
it was decided to commercialize LUCIFER and a number of significant changes were introduced.
IBM was not the only one involved in these changes as they sought technical advice from the
National Security Agency (NSA) (other outside consultants were involved but it is likely that the
NSA were the major contributors from a technical point of view). The altered version of LUCIFER
was put forward as a proposal for the new national encryption standard requested by the National
Bureau of Standards (NBS). It was finally adopted in 1977 as the Data Encryption Standard – DES.
Some of the changes made to LUCIFER have been the subject of much controversy even to the
present day. The most notable of these was the key size. LUCIFER used a key size of 128 bits
however this was reduced to 56 bits for DES. Even though DES actually accepts a 64bit key as
input, the remaining eight bits are used for parity checking and have no effect on DES’s security.
Outsiders were convinced that the 56-bit key was an easy target for a brute force attack due to its
extremely small size. The need for the parity checking scheme was also questioned without
satisfying answers
DES of course isn’t the only symmetric cipher. There are many others, each with varying levels of
complexity. Such ciphers include: IDEA, RC4, RC5, RC6 and the new Advanced Encryption
Standard (AES). AES is an important algorithm and was originally meant to replace DES (and its
more secure variant triple DES) as the standard algorithm for nonocclusive material. However as
of 2003, AES with key sizes of 192 and 256 bits has been found to be secure enough to protect
information up to top secret. Since its creation, AES had underdone intense scrutiny as one would
expect for an algorithm that is to be used as the standard. To date it has withstood all attacks but
the search is still on and it remains to be seen whether or not this will last. We will look at AES
later in the course.

ECB (Electronic Code Book)

In this mode data is divided into 64-bit blocks and each block is encrypted one at a time. Separate
encryptions with different blocks are totally independent of each other. This means that if data is
transmitted over a network or phone line, transmission errors will only affect the block containing
the error. It also means, however, that the blocks can be rearranged, thus scrambling a file beyond
recognition, and this action would go undetected. ECB is the weakest of the various modes because
no additional security measures are implemented besides the basic DES algorithm. However, ECB
is the fastest and easiest to implement, making it the most common mode of DES seen in
commercial applications. This is the mode of operation used by Private Encryptor.

Structure:
The encryption process is made of two permutations (P-boxes), which we call initial and final
permutations, and sixteen Feistel rounds. Each round uses a different 48-bit round key generated
from the cipher key according to a predefined algorithm. Figure 1.2 shows the elements of DES
cipher at the encryption site.
 ABASYN UNIVERSITY PESHAWAR Page |4

Fig. 1.0 General structure of DES

Data Encryption Standard (DES) insecure

1) Attacks
The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data.
Although it’s short key length of 56 bits makes it too insecure for applications, it has been highly
influential in the advancement of cryptography. DES is now considered insecure because a brute
force attack is possible (see EFF DES cracker).
Successor(s): Triple DES, G-DES, DES-X, LOK...
Block size(s): 64 bits
Key size(s): 56 bits

2) Brute force attack

For any cipher, the most basic method of attack is brute force trying every possible key in turn.
The length of the key determines the number of possible keys, and hence the feasibility of this
approach. For DES, questions were raised about the adequacy of its key size early on, even before
it was adopted as a standard, and it was the small key size, rather than theoretical cryptanalysis,
which dictated a need for a replacement algorithm. It is known that the NSA encouraged, if not
persuaded, IBM to reduce the key size from 128 to 64 bits, and from there to 56 bits.

3) Attacks faster than brute-force

There are three attacks known that can break the full sixteen rounds of DES with less complexity
than a brute-force search.
 ABASYN UNIVERSITY PESHAWAR Page |5

i) Differential cryptanalysis: Was discovered in the late 1980s by Eli Bigham and Adi
Shamir, although it was known earlier to both IBM and the NSA and kept secret. To
break the full 16 rounds, differential cryptanalysis requires 247 chosen plaintexts. DES
was designed to be resistant to DC.
ii) Linear cryptanalysis: Was discovered by Mitsuru Matsui, and needs 243 known
plaintexts (Matsui, 1993); the method was implemented (Matsui, 1994), and was the first
experimental cryptanalysis of DES to be reported. There is no evidence that DES was
tailored to be resistant to this type of attack. A generalization of LC — multiple linear
cryptanalysis — was suggested in 1994 (Kaliski and Robshaw), and was further refined
by Biryukov et al (2004); their analysis suggests that multiple linear approximations
could be used to reduce the data requirements of the attack by at least a factor of 4 (i.e.,
241 instead of 243). A similar reduction in data complexity can be obtained in a chosen-
plaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000). Junod (2001)
performed several experiments to determine the actual time complexity of linear
cryptanalysis, and reported that it was somewhat faster than predicted, requiring time
equivalent to 239–241 DES evaluations.
iii) Improved Davies' attack: While linear and differential cryptanalysis are general
techniques and can be applied to a number of schemes, Davies' attack is a specialised
technique for DES, first suggested by Davies in the eighties, and improved by Biham and
Biryukov (1997). The most powerful form of the attack requires 250 known plaintexts,
has a computational complexity of 250, and has a 51% success rate.
4) Weaknesses
During the last few years critics have found some weaknesses in DES.

1) Weaknesses in Cipher Design

We will briefly mention some weaknesses that have been found in the design of the cipher.

S-boxes
At least three weaknesses are mentioned in the literature for S-boxes.
• In S-box 4, the last three output bits can be derived in the same way as the first output
bit by complementing some of the input bits.
• Two specifically chosen inputs to an S-box array can create the same output.
• It is possible to obtain the same output in a single round by changing bits in only three
neighboring S-boxes.

D-boxes
One mystery and one weakness were found in the design of D-boxes:
• It is not clear why the designers of DES used the initial and final permutations; these
have no security benefits.
 ABASYN UNIVERSITY PESHAWAR Page |6

• In the expansion permutation (inside the function), the first and fourth bits of every 4-
bit series are repeated.
2) Weakness in the Cipher Key
Several weaknesses have been found in the cipher key.

Key Size
Critics believe that the most serious weakness of DES is in its key size (56 bits). To do a brute-
force attack on a given cipher text block, the adversary needs to check 256 keys.
• With available technology, it is possible to check one million keys per second. This
means that we need more than two thousand years to do brute-force attacks on DES
using only a computer with one processor.
• If we can make a computer with one million chips (parallel processing), then we can
test the whole key domain in approximately 20 hours. When DES was introduced, the
cost of such a computer was over several million dollars, but the cost has dropped
rapidly. A special computer was built in 1998 that found the key in 112 hours.
• Computer networks can simulate parallel processing. In 1977 a team of researchers
used 3500 computers attached to the Internet to find a key challenged by RSA
Laboratories in 120 days. The key domain was divided among all of these computers,
and each computer was responsible to check the part of the domain.
• If 3500 networked computers can find the key in 120 days, a secret society with 42,000
members can find the key in 10 days.
• The above discussion shows that DES with a cipher key of 56 bits is not safe enough
to be used comfortably.

Weak Keys
Four out of 256 possible keys are called weak keys. A weak key is the one that, after parity drop
operation, consists either of all 0s, all 1s, or half 0s and half 1s. These keys are shown in Table 1.1.

Fig. 1.1 Weak keys

The round keys created from any of these weak keys are the same and have the same pattern as
the cipher key. For example, the sixteen round keys created from the first key is all made of 0s;
the one from the second is made of half 0s and half 1s. The reason is that the key-generation
 ABASYN UNIVERSITY PESHAWAR Page |7

algorithm first divides the cipher key into two halves. Shifting or permutation of a block does not
change the block if it is made of all 0s or all 1s.
What is the disadvantage of using a weak key? If we encrypt a block with a weak key and
subsequently encrypt the result with the same weak key, we get the original block. The process
creates the same original block if we decrypt the block twice. In other words, each weak key is the
inverse of itself Ek(Ek(P)) = P, as shown in Fig. 1.2

. Fig. 1.2: Double encryption and decryption with a weak key

Semi-weak Keys
There are six key pairs that are called semi-weak keys. These six pairs are shown in Table 1.5 (64-
bit format before dropping the parity bits).

Fig. 1.2: Semi weak key

A semi-weak key creates only two different round keys and each of them is repeated eight times.
In addition, the round keys created from each pair are the same with different orders.

Possible Weak Keys

 ABASYN UNIVERSITY PESHAWAR Page |8

There are also 48 keys that are called possible weak keys. A possible weak key is a key that creates
only four distinct round keys; in other words, the sixteen round keys are divided into four groups
and each group is made of four equal round keys.

References
[1] Davies, D. W. "Investigation of a Potential Weakness in the DES Algorithm." (1987).
[2] "Getting Started, COPACOBANA — Cost-optimized Parallel Code- Breaker" (PDF).
December 12, 2006. Retrieved March 6, 2012.
[3] Biham, Eli, and Adi Shamir. Differential cryptanalysis of the data encryption standard.
Springer Science & Business Media, 2012.
[4] Matsui, Mitsuru (1993-05-23). "Linear Cryptanalysis Method for DES Cipher". Advances in
Cryptology — EUROCRYPT '93. Lecture Notes in Computer Science. 765. Springer, Berlin,
Heidelberg. pp. 386–397. doi:10.1007/3-540-48285- 7_33. ISBN 978-3540482857.
[5] Diffie, W., and M. E. Hellman. "Exhaustive Cryptanalysis of the NBS Data Encryption
Standard,‖ IEEE Computer." (1977): 74-84.
[6] Davies, Donald, and Sean Murphy. "Pairs and triplets of DES S-boxes." Journal of Cryptology
8.1 (1995): 1-25.