IS 302: Information Security and Trust

Week 3: From DES to AES

2010
 Review
– Caesar, Vigenere, Zimmerman, Vernam
– Permutation substitution, transposition

– Four types of attacks

– Dictionary attack, frequency attack

– Kerckhoff principle

© Yingjiu Li 2007 2
 Outline
• Stream cipher and block cipher
• DES
• AES
• Modes of block ciphers

© Yingjiu Li 2007 3
 Stream Cipher and Block Cipher

© Yingjiu Li 2007 4
 Stream Cipher
• What is stream cipher?
– Convert symbols one by one

• Which of the following are stream cipher?

– Caesar, Vigenere, Zimmerman, Vernam

© Yingjiu Li 2007 5
 Block Cipher
• What is block cipher?
– Convert symbols block by block
– DES, AES

© Yingjiu Li 2007 6
 Comparison

Stream Cipher Block Cipher

Advantage •speed of transformation •high diffusion
•low error propagation •immunity to insertion
of symbols

Disadvantage •low diffusion •slowness of encryption

•susceptibility to malicious •error propagation
insertions and modifications

© Yingjiu Li 2007 7
 DES

© Yingjiu Li 2007 8
 Introduction
• wiki DES
– http://en.wikipedia.org/wiki/Data_Encryption_Standard
– Motivation
• public need vs DoD, DoS
• Private vendors’ systems cannot exchange information
• No independent party capable of testing/evaluating the devices
– Timeline
• 1972 NBS first call, 1974second call
• IBM’s DES based on Horst Feistel’s Lucifer cipher
• 1976 US Federal standardJan 15, 1977 published

© Yingjiu Li 2007 9
 Controversies
• Controversies
– Shorted key length (64 bits  56 bits + 8 bits parity)
– Mysterious S-boxes as evidence of improper interference
• Alan Konheim (one of the designers of DES) commented, "We sent
the S-boxes off to Washington. They came back and were all
different.”
• Another member of the DES team, Walter Tuchman, is quoted as
saying, "We developed the DES algorithm entirely within IBM using
IBMers. The NSA did not dictate a single wire!"
• Current status
– 1998 3DES  valid till 2030 extensively used in banking industry
– May 26, 2002, superseded by AES  since brute force attack can
be easily done in hours to break 56 bit key nowadays

© Yingjiu Li 2007 10
 Strength
• 1990 Biham and Shamir showed that the
design of DES is optimal
– Almost any change to DES weakens it

© Yingjiu Li 2007 11
 One Round in Encoding
• 56-bits key  16 48-bits A round of encoding a block
sub key in DES (repeat 16 times)
• 64-bits blocks
– Right half  left half Left half block Right half block
– Left half mixed with
encrypted right half  right
half substitution Sub key

permutation f

New left half New right half

block block

© Yingjiu Li 2007 12
 Overall Diagram
http://en.wikipedia.org/wiki/Data_Encryption_Standard

f function
© Yingjiu Li 2007 13
 Demo
• Cryptool: DES process

© Yingjiu Li 2007 14
 Triple DES
• Two-Key DES
Data
K1 E K2 E C

– Total key size is 56x2=112 bits; but the effective key size is only
57 bits only!
• Triple DES (3DES)
Data C
K1 E K2 D K1 E

– This is a secure solution with effective key size of 112

bits
© Yingjiu Li 2007 15
 Demo
• Cryptool
– DES-CBC
– 3-DES

© Yingjiu Li 2007 16
 Security Concerns
56 bit key is too short
– Can be broken on average in 2^55 ≈3.6*10^16
trials
– Moore’s law: speed of processor doubles per
1.5 yr
– 1997: 3500 machines broke DES in about 4
months
– 1998: 1M dollar machine broke DES in about 4
days

© Yingjiu Li 2007 17
 AES

© Yingjiu Li 2007 18
 Introduction
• Wiki AES
– http://en.wikipedia.org/wiki/Advanced_Encrypt
ion_Standard_process
– Timeline
• 1997 NIST call
• Final five
– Rijndael(Joan Daemen and Vincent Rijmen , 86/10),
– Serpent(Ross Anderson, 59/7),
– Twofish(Bruce Schneier, 31/21),
– RC6(Don Rivest, Lisa Yin, 23/37),
– MARS (Don Coppersmith, IBM,13/83)
• 2000 Rijndael wins
• 2002 standard

© Yingjiu Li 2007 19
 AES vs DES
DES AES

Date 1976 1999

Block size 64 128

Key length 56 128, 192, 256

Number of rounds 16 9,11,13

Encryption primitives Substitution, permutation Substitution, shift, bit mixing

Cryptographic primitives Confusion, diffusion Confusion, diffusion

Design Open Open

Design rationale Closed Open

Selection process Secret Secret, but accept open

public comment
Source IBM, enhanced by NSA Independent cryptographers

© Yingjiu Li 2007 20
 High-Level Cipher Algorithm
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
• KeyExpansion using Rijndael's key schedule
• Initial Round
– AddRoundKey (one 128/192/256 key to 9/11/13 128-bit subkeys)
• Steps in each of 9/11/13 rounds (state: 4*4=16-array of bytes = 128
bit-block)
– SubBytes — a non-linear substitution step where each byte is replaced
with another according to a lookup table.
– ShiftRows — a transposition step where each row of the state is shifted
cyclically a certain number of steps.
– MixColumns — a mixing operation which operates on the columns of the
state, combining the four bytes in each column
– AddRoundKey — each byte of the state is combined with the round key;
each round key is derived from the cipher key using a key schedule.
• Final Round (no MixColumns)
– SubBytes
– ShiftRows
– AddRoundKey

© Yingjiu Li 2007 21
© Yingjiu Li 2007 22
© Yingjiu Li 2007 23
© Yingjiu Li 2007 24
© Yingjiu Li 2007 25
 Demo
• Cryptool: AES process
• AES-128-CBC

© Yingjiu Li 2007 26
 Modes of Block Ciphers

© Yingjiu Li 2007 27
 Four Modes
• How are multiple blocks processed?
– ECB: Electronic Code Book
– CBC: Cipher Block Chaining
– CFB: Cipher Feedback
– OFB: Output Feedback

© Yingjiu Li 2007 28
 Electronic codebook (ECB)
mode

© Yingjiu Li 2007 29
Cipher-block Chaining (CBC) Mode

© Yingjiu Li 2007 30
 ECB vs CBC
• Which mode would you choose?

Original image Encrypted with ECB Encrypted with CBC

© Yingjiu Li 2007 31
 ECB vs CBC
• ECB:
– chain dependency: blocks are enciphered independently
– identical plaintext blocks result in identical ciphertext
– error propagation: within a single block
• CBC:
– chain dependency: proper decryption requires a correct
preceding cipher block.
– identical plaintext blocks result in different ciphertext
– error propagation: a bit error in cipher affects
decipherment of following blocks

© Yingjiu Li 2007 32
Hands-On Exercise: AES Encryption
and Decryption

© Yingjiu Li 2007 33
 Part I: OpenSSL
• Download Lab.doc
• Lab exercise 2.1: OpenSSL AES
encryption/decryption

© Yingjiu Li 2007 34
 Part II: JCE
• Download Lab.doc
• Lab exercise 2.2: JCE AES encryption and
decryption

© Yingjiu Li 2007 35
 Class:Javax.crypto.Cipher
• This class provides the functionality of a cryptographic
cipher for encryption and decryption
• Methods:
– getInstance(String algorithm )
• Generates a Cipher object that implements the specified algorithm.
– init(int opmode, Key key )
• The cipher is initialized with a key for either encryption or
decryption.
– doFinal(byte[] input )
• Encrypts or decrypts data depending on how this cipher was
initialized.

Further details: http://java.sun.com/j2se/1.4.2/docs/api/javax/crypto/Cipher.html

http://java.sun.com/j2se/1.5.0/docs/api/javax/crypto/Cipher.html
© Yingjiu Li 2007 36
 Example: AES Encryption
• The following sample encrypts a file “clear.txt”and save the output as a file named
“encryptedfile”.

// Create a cipher object with algorithm “AES”.

Cipher cipher = Cipher.getInstance("AES");

//Set the Cipher object to ENCRYPT MODE

//Initialise it with the encryption key “mykey”.
//Previous example demostrated how to retrieve this key from a keystore.
cipher.init(Cipher.ENCRYPT_MODE, mykey);

//Create an input stream to read the file.

File clr=new File(“clear.txt”);
FileInputStream fi = new FileInputStream(clr);

//Get the size of the file.

long length = clr.length(); …..cont’d

© Yingjiu Li 2007 37
 Example: AES Encryption cont’d
//Create a byte array with the size of the file.
byte[] plaintext = new byte[(int) length];

//Read data into the byte array

fi.read(plaintext);

//Close file
fi.close();

// Now encrypt the text and store it in the byte array ciphertext
byte[] ciphertext = cipher.doFinal(plaintext);

//Write encrypted text into the output file

File enc=new File(“encryptedfile”)
FileOutputStream fo = new FileOutputStream(enc);
fo.write(ciphertext);
fo.close();

© Yingjiu Li 2007 38
 Example: AES Decryption
• The following sample decrypts a file “encryptedfile”and save the output as a file
named “decryptedfile”.

// Create a cipher object with algorithm “AES”

Cipher cipher = Cipher.getInstance("AES");

//Set the Cipher object to DECRYPT MODE

//Initialise it with the decryption key “mykey”.
//Previous example demostrated how to retrieve this key from a keystore.
cipher.init(Cipher.DECRYPT_MODE, mykey);

//Create an input stream to read the file.

File enc=new File(“encryptedfile”);
FileInputStream fi = new FileInputStream(enc);

//Get the size of the file.

long length = enc.length(); …..cont’d

© Yingjiu Li 2007 39
 Example: AES Decryption cont’d
//Create a byte array with the size of the file.
byte[] ciphertext = new byte[(int) length];

//Read data into the byte array

fi.read(ciphertext);

//Close file
fi.close();

// Now decrypt the text and store it in the byte array ciphertext
byte[] plaintext = cipher.doFinal(ciphertext);

//Write encrypted text into the output file

File dec=new File(“decryptedfile”)
FileOutputStream fo = new FileOutputStream(dec);
fo.write(plaintexttext);
fo.close();

© Yingjiu Li 2007 40
 Review Questions
• Which of the following is stream cipher
1) DES 2) AES 3) Vernam
• What is effective key size for 4-DES
1) 112 bits 2) 113 bits 3) 168 bits
• Increasing key size from 56 bits to 128
bits, how many times more effort an
attacker needs to spend in brute force
attack?
1) 72 2) 2^72 3) 2^184

© Yingjiu Li 2007 41