DES overview
- Block cipher: plaintext and ciphertext blocks are 64 bits long
- Symmetric algorithm: encryption and decryption use the same algorithm; only the arrangement (order) of the round keys differs
- Key length: 56 bits; every 8th bit of the 64-bit key is a parity bit
- The key may be any 56-bit value; weak keys exist but are easy to avoid
- Combines confusion and diffusion: each round substitutes first and then permutes; 16 rounds in total
- Uses only standard arithmetic and logic operations, so it is easy to implement
Other encryption algorithms
- Triple DES
- IDEA
- RC5
- RC6
- AES
- Other practical algorithms such as Blowfish, CAST and RC2
Encryption process
- Input a 64-bit plaintext block
- Initial permutation $IP$
- 16 rounds of iteration under key control
- Swap the left and right 32-bit halves
- Inverse initial permutation $IP^{-1}$
$L_0R_0 \leftarrow IP(\text{64-bit input})$
$L_i \leftarrow R_{i-1}$
$R_i \leftarrow L_{i-1} \oplus f(R_{i-1}, k_i)$
$\text{64-bit ciphertext} \leftarrow IP^{-1}(R_{16}L_{16})$
Here $i$ is the round number ($1 \le i \le 16$), $\oplus$ is bitwise addition mod 2 (XOR), and $f$ is the round (encryption) function.
Reversing these steps gives the decryption process:
$R_{16}L_{16} \leftarrow IP(\text{64-bit ciphertext})$
$R_{i-1} \leftarrow L_i$
$L_{i-1} \leftarrow R_i \oplus f(L_i, k_i)$
$\text{64-bit plaintext} \leftarrow IP^{-1}(L_0R_0)$
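The Feistel structure above, as an added example that is not part of the original notes: a 16-bit toy with the same shape (IP, 16 rounds, final swap, IP^{-1}), showing that decryption is the same network run with the subkeys in reverse order. The permutation IP, the round function f and the subkeys are constructed stand-ins, not the DES tables or key schedule.

```python
ROUNDS = 16
MASK8 = 0xFF

# Constructed 16-bit permutation IP (5 is coprime to 16, so this is a bijection);
# output bit n takes input bit IP[n], counting bit 0 as the most significant bit.
IP = [(5 * n + 3) % 16 for n in range(16)]
IP_INV = [IP.index(n) for n in range(16)]       # inverse permutation IP^{-1}


def permute(block, table):
    """Bit permutation on a 16-bit block: result bit n = block bit table[n]."""
    out = 0
    for src in table:
        out = (out << 1) | ((block >> (15 - src)) & 1)
    return out


def f(right, k):
    """Constructed toy round function f(R, k) on 8-bit values; f need not be invertible."""
    return ((right * 0x5B + k) ^ (right >> 3)) & MASK8


def feistel(block, subkeys):
    """L_0R_0 <- IP(block); L_i <- R_{i-1}, R_i <- L_{i-1} xor f(R_{i-1}, k_i); out = IP^{-1}(R_16 L_16)."""
    lr = permute(block, IP)
    left, right = lr >> 8, lr & MASK8               # L_0, R_0
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return permute((right << 8) | left, IP_INV)     # final swap, then IP^{-1}


def encrypt(plain, subkeys):
    return feistel(plain, subkeys)


def decrypt(cipher, subkeys):
    # Decryption runs the same network with the subkeys k_16 ... k_1 in reverse order.
    return feistel(cipher, subkeys[::-1])


# Constructed 16 round keys derived from a sample 8-bit seed key (not the DES key schedule).
SEED_KEY = 0x3C
SUBKEYS = [((0xA7 * (i + 1)) ^ SEED_KEY) & MASK8 for i in range(ROUNDS)]
```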
Permutation, expansion and substitution
Initial permutation $IP$ and inverse initial permutation $IP^{-1}$
The initial permutation IP is a fixed rearrangement of bit positions: for example, the input bit at position 58 (row 8, column 2 of the 8×8 input layout) is moved to output position 1 (row 1, first position).
Expansion permutation E: 32 bits expanded to 48 bits
Arrange the 32 bits in rows of 4 columns
- The original column 1 goes to new column 2 (same row) and new column 6 (of the previous row)
- The original column 4 goes to new column 5 (same row) and new column 1 (of the next row); note that these copies are shifted by one row
Compression substitution with S-boxes: 48 bits compressed to 32 bits
Each S-box is a table of 4 rows and 16 columns
The 48 bits are split into eight 6-bit groups
$a_1a_2a_3a_4a_5a_6$
The first and last bits $a_1a_6$ select the row, the middle four bits $a_2a_3a_4a_5$ select the column, and the eight 4-bit table entries together give the 32-bit output
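As an added example (not code from the original notes), the following Python builds the expansion table E from the row rule just described and performs the S-box row/column selection. S1 is the first DES S-box; `substitute` takes any list of eight boxes, and using S1 in all eight positions is a stand-in for the full set.

```python
def build_e_table():
    """Generate the DES expansion table E from the row rule above.

    The 32 input bits form 8 rows of 4; each output row is
    (last bit of previous row, the row's 4 bits, first bit of next row).
    Entries are 1-based input bit numbers, 48 in total.
    """
    table = []
    for row in range(8):
        base = 4 * row                       # 0-based index of this row's column 1
        prev_last = (base - 1) % 32          # column 4 of the previous row (wraps from row 8)
        next_first = (base + 4) % 32         # column 1 of the next row (wraps to row 1)
        table += [prev_last] + [base + c for c in range(4)] + [next_first]
    return [b + 1 for b in table]


E_TABLE = build_e_table()

# S1, the first DES S-box: 4 rows x 16 columns of 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def expand(r32):
    """E: 32-bit right half -> 48 bits (input bit 1 is the MSB of r32)."""
    out = 0
    for src in E_TABLE:
        out = (out << 1) | ((r32 >> (32 - src)) & 1)
    return out


def sbox_lookup(box, six_bits):
    """a1 a6 select the row, a2 a3 a4 a5 the column; returns the 4-bit entry."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]


def substitute(bits48, boxes):
    """Apply eight S-boxes to the eight 6-bit groups (first group = MSBs): 48 -> 32 bits."""
    out = 0
    for n, box in enumerate(boxes):
        out = (out << 4) | sbox_lookup(box, (bits48 >> (42 - 6 * n)) & 0x3F)
    return out
```

For the classic input 011011, row 01 and column 1101 select S1 entry 5.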
Security analysis
- All other components of DES are linear; the S-boxes are the only nonlinear part
- The S-boxes are hard to analyse, which is what provides the security
- The S-box is the key to security
How to construct an S-box
- The S-boxes alone determine the security strength of the algorithm
- They provide the confusion that a cryptographic algorithm needs
- Relationship between the S-box and cipher strength; S-box grouping design
- Design criteria: nonlinearity, differential uniformity, strict avalanche criterion, reversibility, no trapdoors
Construction of the permutation P-boxes
Provide the avalanche effect: changes in the plaintext or key cause changes in the ciphertext
Key
Key schedule algorithm guidelines
- Subkeys should be statistically independent; the schedule should be flexible
- Simple
- Fast
- No simple relationships: given two seed keys with a known relationship, the relationship between their round keys must not be predictable
- The seed key should affect all subkeys equally
- It should be difficult to obtain other subkey bits from a known subkey
- No weak keys
Modes of operation
- Electronic codebook ECB
- Cipher block chaining CBC
- Cipher feedback CFB
- Output feedback OFB
ECB
Each plaintext block is encrypted independently:
$C_i = E_K(P_i) \quad P_i = D_K(C_i)$
- Simple and effective
- Parallelizable
- Plaintext patterns are not hidden
- The same plaintext block always produces the same ciphertext block, so information that repeats leaks
- Active attacks on the plaintext are possible: blocks can be substituted, rearranged, deleted or replayed
- Error propagation: a corrupted ciphertext block damages only the corresponding plaintext block
- Suitable for short messages
CBC
$C_i = E_K(P_i \oplus C_{i-1}) \quad P_i = D_K(C_i) \oplus C_{i-1}$
- No known parallel implementation of the algorithm
- Plaintext patterns can be hidden
- Requires a shared initialization vector $IV$
- The same plaintext produces different ciphertext
- The initialization vector IV can be used to change the first block
- Active attacks on the plaintext are hard
- Blocks cannot easily be substituted, rearranged, deleted or replayed
- Error propagation: a corrupted ciphertext block damages two plaintext blocks
- Safer than ECB
- Suitable for messages longer than 64 bits; can also be used for user authentication (SSL or IPSec)
CFB
Turns a block cipher into a stream cipher: $\text{block cipher} \Rightarrow \text{stream cipher}$
Assumptions
- $S_i$ is a shift register that is shifted by $j$ bits per step
- Encryption: $C_i = P_i \oplus (\text{high } j \text{ bits of } E_k(S_i))$, $S_{i+1} = (S_i \ll j) \mid C_i$
- Decryption: $P_i = C_i \oplus (\text{high } j \text{ bits of } E_k(S_i))$, $S_{i+1} = (S_i \ll j) \mid C_i$
Features
- Block cipher turned into a stream cipher
- No parallel implementation of the algorithm
- Plaintext patterns are hidden
- Requires a shared initial value $IV$ for the shift register; each message should use a unique IV
- Error propagation: one corrupted unit affects several units
OFB
Turns a block cipher into a stream cipher: $\text{block cipher} \Rightarrow \text{stream cipher}$
Same assumptions as CFB, but the encryption is:
$C_i = P_i \oplus (\text{high } j \text{ bits of } E_k(S_i))$
$S_{i+1} = (S_i \ll j) \mid (\text{high } j \text{ bits of } E_k(S_i))$
(the update of $S$ differs from CFB)
Decryption:
$P_i = C_i \oplus (\text{high } j \text{ bits of } E_k(S_i))$
$S_{i+1} = (S_i \ll j) \mid (\text{high } j \text{ bits of } E_k(S_i))$
Features
The first four points are the same as for CFB:
- Block cipher turned into a stream cipher
- No parallel implementation of the algorithm
- Plaintext patterns are hidden
- Requires a shared initial value $IV$ for the shift register; each message should use a unique IV
From the fifth point on they differ:
- Error propagation: a corrupted unit affects only the corresponding unit
- Active attacks on the plaintext are possible: units can be substituted, rearranged, deleted or replayed
- Not as secure as CFB
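The four modes and their error-propagation behaviour (ECB, CBC, CFB and OFB sections above), as an added example that is not part of the original notes. The block cipher is a constructed 16-bit toy (a keyed linear bijection), not DES; `damaged_units` flips one ciphertext bit and counts how many plaintext units then decrypt wrongly: 1 for ECB, 2 for CBC, several for CFB, 1 for OFB.

```python
BLOCK, J = 16, 8                       # toy block size and CFB/OFB unit size j
MASK = (1 << BLOCK) - 1

def L(x):                              # constructed linear mixing x ^ rotl(x,3) ^ rotl(x,10); a bijection
    return x ^ (((x << 3) | (x >> 13)) & MASK) ^ (((x << 10) | (x >> 6)) & MASK)

L_INV = {L(x): x for x in range(1 << BLOCK)}   # inverse of L as a lookup table

def E(k, x):                           # toy block cipher E_k(x) = L(x xor k); stands in for DES
    return L(x ^ k)

def D(k, y):
    return L_INV[y] ^ k

def ecb(k, iv, blocks, decrypt=False): # C_i = E_K(P_i); the iv is unused
    return [D(k, b) if decrypt else E(k, b) for b in blocks]

def cbc(k, iv, blocks, decrypt=False):
    out, prev = [], iv
    for b in blocks:
        if decrypt:
            out.append(D(k, b) ^ prev)           # P_i = D_K(C_i) xor C_{i-1}
            prev = b
        else:
            prev = E(k, b ^ prev)                # C_i = E_K(P_i xor C_{i-1})
            out.append(prev)
    return out

def cfb(k, iv, units, decrypt=False):  # j-bit CFB; the same loop serves both directions
    out, s = [], iv
    for u in units:
        v = u ^ (E(k, s) >> (BLOCK - J))         # high j bits of E_k(S_i)
        out.append(v)
        s = ((s << J) | (u if decrypt else v)) & MASK   # S_{i+1} = (S_i << j) | C_i
    return out

def ofb(k, iv, units, decrypt=False):  # j-bit OFB; register fed with the key stream instead
    out, s = [], iv
    for u in units:
        ks = E(k, s) >> (BLOCK - J)
        out.append(u ^ ks)
        s = ((s << J) | ks) & MASK               # S_{i+1} = (S_i << j) | high j bits of E_k(S_i)
    return out

def damaged_units(mode, k, iv, plain, flip_index):
    """Flip one bit of ciphertext unit flip_index; count plaintext units that then decrypt wrongly."""
    cipher = mode(k, iv, plain)
    cipher[flip_index] ^= 1
    return sum(p != q for p, q in zip(plain, mode(k, iv, cipher, decrypt=True)))
KEY, IV = 0x3A5C, 0x1234                                     # constructed sample key and IV
BLOCKS = [0x0102, 0x0304, 0x0506, 0x0708, 0x090A, 0x0B0C]    # six 16-bit blocks for ECB/CBC
UNITS = [0x01, 0x02, 0x03, 0x04, 0x05, 0x06]                 # six 8-bit units for CFB/OFB
```

With these inputs and the flip in unit 2, CFB damages units 2, 3 and 4 because the corrupted ciphertext unit stays in the 16-bit shift register for two further steps.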
Multiple DES
Security
- The design principles of the F-function (S-boxes) were not published
- The key length debate
- Cryptanalysis of DES
- Weak and semi-weak keys
Key length problem
$2^{56} \approx 10^{17}$
Such keys can now be cracked in a day
Weak keys and semi-weak keys
Weak key: $E_K \cdot E_K = I$, i.e. $P = E_K(E_K(P))$; DES has 4 weak keys
Semi-weak key: $E_{K_1} = E_{K_2}$, i.e. $C = E_{K_1}(P) = E_{K_2}(P)$; there are at least 12 semi-weak keys
Using conventional encryption for confidential communication
Protecting the vulnerable points: link encryption and end-to-end encryption
Link encryption
Applied to a single communication link
The message is encrypted before transmission and decrypted at each node it passes through; the node then re-encrypts it with the key of the next link before forwarding it
Advantages
- The message is decrypted and re-encrypted at every intermediate node
- Data on the link only ever appears as ciphertext
- Masks the source and destination of the message
- With padding, message frequency and length are also covered, which prevents traffic analysis
Disadvantages
- The encryption devices at both ends of each link must be synchronized, which has side effects on network performance and manageability
- Link encryption only provides security on the communication link; at the network nodes the message is in plaintext, so the nodes need physical security
- A symmetric encryption system requires a dedicated network, but the network nodes are widely distributed and continuous key distribution is difficult
Node encryption
Similar to link encryption: intermediate nodes decrypt and re-encrypt
Difference: the message is never allowed to exist in plaintext at the node; after decryption it is immediately encrypted with another key, inside a separate security module of the node
Security: headers and routing information are transmitted in clear text, so it offers no defence against traffic analysis by an attacker
End-to-end encryption
The message exists only as ciphertext throughout its transmission from source to destination
Also called offline or packet encryption; the message is not decrypted until it reaches the endpoint, so a compromised node does not leak it
Advantages
- Cheaper, more reliable, and easier to design, implement and maintain
- Avoids synchronization problems: packets are encrypted independently, so a transmission error in one packet does not affect subsequent ones
- End-to-end encryption is more natural and does not affect other users of the network
Disadvantages
- The destination address cannot be encrypted
- Does not hide the source and destination of the message, so it offers no defence against traffic analysis by an attacker