
Embedded Cryptography 2

The document discusses the Data Encryption Standard (DES) and Advanced Encryption Standard (AES). It begins by providing an overview of DES, including its history, design, and controversies. It then describes the basic DES algorithm and how it works through encryption rounds using Feistel networks. Key details covered include the initial permutation, subkey generation from the encryption key, expansion/permutation, substitution boxes, and final permutation. The document also provides a simplified example of a DES-like algorithm to demonstrate the round process.

Uploaded by

ibrahim meree

Advanced Informatics

Razak Faculty of Technology and Informatics


#utmrazak
UTM Kuala Lumpur

System Design for Security – MANN 1043

Lecturer: Prof Ts Dr Salwani Mohd Daud


salwani.kl@utm.my
Room: 06.09.01 (MJIIT Level 6)
Tel (O): 03-22031333 / ext: 1333
Mobile: 019 3288904
Topic 3 (continuation)

Cryptography

Created: 27 Jan 2013 Latest edition: Jan 2019


Introduction

Cryptography

1. Data Encryption Standard – DES


2. Advanced Encryption Standard – AES
3. Cryptographic Attacks
DES – Data Encryption Standard

Modern Block Ciphers- DES


(based on slides made by Dr. Lawrie Brown)

• now look at modern block ciphers


• one of the most widely used types of
cryptographic algorithms
• Provide confidentiality services
• We discuss in detail DES (Data Encryption
Standard) and AES (Advanced Encryption
Standard)
• We discuss block cipher design principles
Block vs Stream Ciphers
• block ciphers process messages in blocks, each
of which is then en/decrypted
• like a substitution on very big alphabet
– 64-bits or more
• stream ciphers process messages a bit or byte
at a time when en/decrypting
• many current ciphers are block ciphers
• broader range of applications


Data Encryption Standard (DES)


• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
– as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over its
security


DES History

• in 1973 NIST (then NBS) issued request for proposals for a national
cipher standard
• IBM already developed Lucifer cipher
– by team led by Feistel in late 60’s
– used 64-bit data blocks with 128-bit key
• 1974, IBM submits Lucifer
• Lucifer is analyzed and redesigned by NSA and others, and becomes
DES
• 1977, the new cryptosystem becomes the federal standard in USA
(till Nov. 2001).
• Some variants of DES (we’ll discuss them later) still very much in use.


DES Design Controversy

• although DES standard is public


• was considerable controversy over design
– in choice of 56-bit key (vs Lucifer 128-bit)
– and because design criteria were classified
• subsequent events and public analysis show in
fact design was appropriate
• use of DES has flourished
– especially in financial applications
– still standardised for legacy application use
Public key encryption methods

The DES encryption algorithm is a block cipher that uses a 64-bit block and a 64-bit
encryption key (of which only 56 bits are actively used in the encryption
process). Unfortunately DES has been around for a long time, and the 56-bit
version is now easily crackable (in less than a day, on fairly modest
equipment).

An enhancement, and one which is still fairly compatible with DES, is the
3-DES algorithm. It has three phases, and splits the key into two. Overall the key
size is typically 112 bits (2x54 bits - with a combination of the three keys - of
which two of the keys are typically the same). The algorithm is
EncryptK3(DecryptK2(EncryptK1(message))), where K1 and K3 are typically the
same (to keep compatibility).


A Simplified DES-Type Algorithm


• Suppose that a message has 12 bits and is written as $L_0R_0$, where $L_0$ consists of the first 6
bits and $R_0$ consists of the last 6 bits.
• The key $K$ has 9 bits. The $i$th round of the algorithm transforms an input $L_{i-1}R_{i-1}$ to the
output $L_iR_i$ using an 8-bit key $K_i$ derived from $K$.
• The main part of the encryption process is a function $f(R_{i-1}, K_i)$ that takes a 6-bit input
$R_{i-1}$ and an 8-bit input $K_i$ and produces a 6-bit output, which will be described later.

The output of the $i$th round is defined as:
$L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
The decryption is the reverse of encryption.
$[L_n]\,[R_n \oplus f(L_n, K_n)] = \dots = [R_{n-1}]\,[L_{n-1}]$

The Operations of f Function

• $E(L_i) = E(011001) = 01010101$ (Expander)
• S-boxes
S1   101 010 001 110 011 100 111 000
     001 100 110 010 000 111 101 011
S2   100 000 110 101 111 001 011 010
     101 011 000 111 110 010 001 100
The input for an S-box has 4 bits. The first
bit specifies which row will be used: 0 for 1st
• The other 3 bits represent a binary number
that specifies the column: 000 for the 1st
column, 001 for the 2nd column, … 111 for the
7th column. For example, an input 1010 for S1
box will yield the output 110.
• The key $K$ consists of 9 bits. $K_i$ is the key for the
$i$th round, starting with the $i$th bit of $K$. Let
$K = 010011001$, then $K_4 = 01100101$.


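$R_{i-1} = 100110$ and $K_i = 01100101$

• $E(R_{i-1}) \oplus K_i = 10101010 \oplus 01100101 = 11001111$
$S_1(1100) = 000$
$S_2(1111) = 100$
Thus $f(R_{i-1}, K_i) = 000100$ and $L_i = R_{i-1} = 100110$.
With $L_{i-1} = 011100$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i) = 011100 \oplus 000100 = 011000$.

$L_{i-1}R_{i-1} = 011100100110 \rightarrow L_iR_i = 100110011000$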
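
The round, key selection and decryption described on these slides, as an added Python example that is not part of the original deck. The expander bit order (1 2 4 3 4 3 5 6) and the four-round count are assumptions: the slides print neither, but this expander reproduces both worked values, E(011001) = 01010101 and E(100110) = 10101010.

```python
# Added example: the 12-bit simplified DES-type cipher from the slides.
# S-box rows are copied from the slides (first input bit = row, last 3 = column).
S1 = [[0b101, 0b010, 0b001, 0b110, 0b011, 0b100, 0b111, 0b000],
      [0b001, 0b100, 0b110, 0b010, 0b000, 0b111, 0b101, 0b011]]
S2 = [[0b100, 0b000, 0b110, 0b101, 0b111, 0b001, 0b011, 0b010],
      [0b101, 0b011, 0b000, 0b111, 0b110, 0b010, 0b001, 0b100]]

# ASSUMPTION: expander bit order; not printed on the slides, but it reproduces
# the two expansions the slides work through.
EXPAND = (1, 2, 4, 3, 4, 3, 5, 6)
ROUNDS = 4  # ASSUMPTION: the slides do not state the number of rounds


def expand(r):
    """Expand a 6-bit half to 8 bits (bit 1 is the leftmost bit)."""
    out = 0
    for pos in EXPAND:
        out = (out << 1) | ((r >> (6 - pos)) & 1)
    return out


def sbox(table, four_bits):
    """First bit selects the row, the remaining three bits the column."""
    return table[four_bits >> 3][four_bits & 0b111]


def round_key(key9, i):
    """K_i: 8 bits of the 9-bit key starting at bit i, wrapping around."""
    doubled = (key9 << 9) | key9                    # K followed by K
    return (doubled >> (10 - (i - 1) % 9)) & 0xFF


def f(r, k):
    """f(R, K): expand, XOR with the round key, then S1 and S2."""
    x = expand(r) ^ k
    return (sbox(S1, x >> 4) << 3) | sbox(S2, x & 0xF)


def feistel_round(l, r, k):
    """L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    return r, l ^ f(r, k)


def encrypt(block12, key9):
    l, r = block12 >> 6, block12 & 0x3F
    for i in range(1, ROUNDS + 1):
        l, r = feistel_round(l, r, round_key(key9, i))
    return (l << 6) | r


def decrypt(block12, key9):
    """Same round function, halves swapped, round keys in reverse order."""
    l, r = block12 & 0x3F, block12 >> 6             # start from R_n L_n
    for i in range(ROUNDS, 0, -1):
        l, r = feistel_round(l, r, round_key(key9, i))
    return (r << 6) | l                             # swap back to L_0 R_0


if __name__ == "__main__":
    K = 0b010011001                                 # key used on the slides
    l_i, r_i = feistel_round(0b011100, 0b100110, round_key(K, 4))
    print(f"{l_i:06b}{r_i:06b}")
    c = encrypt(0b011100100110, K)
    print(f"{c:012b} -> {decrypt(c, K):012b}")
```

Because f is only ever XORed into the other half, decryption never has to invert f or the S-boxes; it reuses the same round with the keys in the opposite order.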

Encryption

Encryption (cont.)
[Figure: DES encryption flow]
64-bit plaintext (X) → Initial Permutation (IP) → Round (i) with Key i → 32-bit Switch (SW) → Inversion of Initial Permutation (IP^-1) → 64-bit ciphertext (Y)
64-bit key (K) → Key Generation (KeyGen) → Key i


Encryption (cont.)
• Plaintext: X
• Initial Permutation: IP( )
• Round_i: 1 ≤ i ≤ 16
• 32-bit switch: SW( )
• Inverse IP: IP^-1( )
• Ciphertext: Y
• $Y = IP^{-1}(SW(Round_i(IP(X), Key_i)))$


Encryption (IP, IP-1)


• IP
Bit    0   1   2   3   4   5   6   7
  1   58  50  42  34  26  18  10   2
  9   60  52  44  36  28  20  12   4
 17   62  54  46  38  30  22  14   6
 25   64  56  48  40  32  24  16   8
 33   57  49  41  33  25  17   9   1
 41   59  51  43  35  27  19  11   3
 49   61  53  45  37  29  21  13   5
 57   63  55  47  39  31  23  15   7

• IP^-1
Bit    0   1   2   3   4   5   6   7
  1   40   8  48  16  56  24  64  32
  9   39   7  47  15  55  23  63  31
 17   38   6  46  14  54  22  62  30
 25   37   5  45  13  53  21  61  29
 33   36   4  44  12  52  20  60  28
 41   35   3  43  11  51  19  59  27
 49   34   2  42  10  50  18  58  26
 57   33   1  41   9  49  17  57  25

• Note: IP(IP^-1) = IP^-1(IP) = I
Encryption (Round)

(Key Generation)

Encryption (Round) (cont.)
[Figure: one DES round]
Inputs: $L_{i-1}$, $R_{i-1}$
F: Expansion/permutation (E_table) → XOR with $K_i$ → Substitution/choice (S-box) → Permutation (P)
XOR
Outputs: $L_i$, $R_i$

Encryption (Round) (cont.)


[Figure: the F function and its S-boxes]
Encryption (Round) (cont.)
• Separate plaintext as L0R0
– L0: left half 32 bits of plaintext
– R0: right half 32 bits of plaintext
• Expansion/permutation: E( )
• Substitution/choice: S-box( )
• Permutation: P( )
  (E, S-box and P together form F)
• $R_i = L_{i-1} \oplus P(S\_box(E(R_{i-1}) \oplus Key_i))$
  $L_i = R_{i-1}$

Encryption (Round) (cont.)

• E (expansion/permutation)
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

• P (permutation)
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25


Encryption (Round) (cont.)

[Figure: S-box]
Key Generation

(Encryption)


Key Generation (cont.)

[Figure: DES key generation]
Input Key → Permuted Choice One (PC-1) → $C_0$, $D_0$ → … → $C_{i-1}$, $D_{i-1}$ → Schedule of Left Shifts → $C_i$, $D_i$ → Permuted Choice Two (PC-2) → $Key_i$
Key Generation (cont.)
• Original Key: Key0
• Permuted Choice One: PC_1( )
• Permuted Choice Two: PC_2( )
• Schedule of Left Shift: SLS( )

$(C_0, D_0) = PC\_1(Key_0)$

$(C_i, D_i) = SLS(C_{i-1}, D_{i-1})$

$Key_i = PC\_2(SLS(C_{i-1}, D_{i-1}))$

Decryption
• The same algorithm as encryption.
• The order of the keys is reversed
(Key16, Key15, … Key1).
• For example:
– IP undoes the IP^-1 step of encryption.
– The 1st round with SK16 undoes the
16th encryption round.


Try DES calculator

https://github.com/kevinoconnor7/Simplified-DES


Strength of DES
• Criticism
– Reduction in key size of 72 bits
• Too short to withstand a brute-force attack
– S-boxes were classified.
• Weak points enable NSA to decipher without key.
• 56-bit keys have 2^56 = 7.2 x 10^16 values
– Brute force search looks hard.
– A machine performing one DES encryption per
microsecond would take more than a thousand years to
break the cipher.
Strength of DES (cont.)

• Avalanche effect in DES
– A small change in either the plaintext or
the key should change the ciphertext markedly.
• DES exhibits a strong
avalanche effect.


• DES was proved insecure


– In 1997 on Internet in a few months
– in 1998 on dedicated h/w (EFF) in a few days
– In 1999 above combined in 22hrs!


Strength of DES – Analytic Attacks

• now have several analytic attacks on DES


• these utilise some deep structure of the cipher
– by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
– differential cryptanalysis
– linear cryptanalysis

DES resistance to diff. attack

• Original DES → requires 2^47 encryptions (that’s a lot) = 1 mln GB
• What if creators of DES did not know about differential
cryptanalysis:
• Modifications:
– Identity permutation instead of P → 2^19 encryptions = 4MB
– Order of S-boxes → 2^38 = 2000 GB
– XOR replaced by addition → 2^31 = 2GB
– S-boxes one position changed → 2^33 = 8GB
– Expansion function E eliminated → 2^26 = 64 MB

Linear Cryptanalysis

• another recent development


• also a statistical method
• must be iterated over rounds, with decreasing
probabilities
• developed by Matsui et al in early 90's
• based on finding linear approximations
• can attack DES with 2^43 known plaintexts,
easier but still in practice infeasible

DES Design Criteria


• as reported by Coppersmith in [COPP94]
• 7 criteria for S-boxes provide for
– non-linearity
T is linear if T(x ⊕ y) = T(x) ⊕ T(y)
E and P are linear; the only non-linear transformation is the
S-box substitution
– resistance to differential cryptanalysis
– good confusion
Example: if two inputs to an S-box differ in exactly one bit, the
outputs must differ in at least two bits.
• 3 criteria for permutation P provide for
– increased diffusion
AES Advanced Encryption Standard

Advanced Encryption Standard (AES) is found to be at least
six times faster than triple DES.

The features of AES are as follows:

• Symmetric key symmetric block cipher

• 128-bit data, 128/192/256-bit keys

• Stronger and faster than Triple-DES

https://www.tutorialspoint.com/cryptography/advanced_encryption_standard.htm
• AES is an iterative.
• It is based on a ‘substitution–permutation network’. It comprises
a series of linked operations, some of which involve replacing
inputs by specific outputs (substitutions) and others involve
shuffling bits around (permutations).
• Interestingly, AES performs all its computations on bytes rather
than bits.
• Hence, AES treats the 128 bits of a plaintext block as 16 bytes.
• These 16 bytes are arranged in four columns and four rows for
processing as a matrix.
• Unlike DES, the number of rounds in AES is variable and
depends on the length of the key.
• AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys
and 14 rounds for 256-bit keys. Each of these rounds uses a
different 128-bit round key, which is calculated from the original
AES key.

The schematic of AES structure is given in the following illustration:
[Figure: schematic of the AES structure]

Encryption Process
Each round comprises four sub-processes. The first round process is depicted below:

Byte Substitution (SubBytes)
The 16 input bytes are substituted by looking up a fixed table (S-box) given in design. The result
is in a matrix of four rows and four columns.

Shiftrows
Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted on the
right side of row. Shift is carried out as follows:
• First row is not shifted.
• Second row is shifted one (byte) position to the left.
• Third row is shifted two positions to the left.
• Fourth row is shifted three positions to the left.
• The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other.

MixColumns
Each column of four bytes is now transformed using a special mathematical function. This function
takes as input the four bytes of one column and outputs four completely new bytes, which replace
the original column. The result is another new matrix consisting of 16 new bytes. It should be
noted that this step is not performed in the last round.

Addroundkey
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the
round key. If this is the last round then the output is the ciphertext. Otherwise, the resulting 128
bits are interpreted as 16 bytes and we begin another similar round.

Decryption Process

The process of decryption of an AES ciphertext is similar to the
encryption process in the reverse order. Each round consists of the four
processes conducted in the reverse order:
• Add round key
• Mix columns
• Shift rows
• Byte substitution
Since sub-processes in each round are in reverse manner, unlike for a
Feistel Cipher, the encryption and decryption algorithms need to be
separately implemented, although they are very closely related.

• In present day cryptography, AES is widely adopted and supported
in both hardware and software.
• To date, no practical cryptanalytic attacks against AES have been
discovered.
• Additionally, AES has built-in flexibility of key length, which allows
a degree of ‘future-proofing’ against progress in the ability to
perform exhaustive key searches.
• However, just as for DES, the AES security is assured only if it is
correctly implemented and good key management is employed.

Cryptographic Attacks

The basic intention of an attacker is to break a cryptosystem and to
find the plaintext from the ciphertext. To obtain the plaintext, the
attacker only needs to find out the secret decryption key, as the
algorithm is already in public domain.
Hence, he applies maximum effort towards finding out the secret
key used in the cryptosystem. Once the attacker is able to determine
the key, the attacked system is considered as broken or compromised.

Brute – Force Attack


Key Size (bits)               Number of Alternative Keys   Time required at 1 decryption/µs   Time required at 10^6 decryptions/µs
32                            2^32 = 4.3 x 10^9            2^31 µs = 35.8 minutes             2.15 milliseconds
56                            2^56 = 7.2 x 10^16           2^55 µs = 1142 years               10.01 hours
128                           2^128 = 3.4 x 10^38          2^127 µs = 5.4 x 10^24 years       5.4 x 10^18 years
168                           2^168 = 3.7 x 10^50          2^167 µs = 5.9 x 10^36 years       5.9 x 10^30 years
26 characters (permutation)   26! = 4 x 10^26              2 x 10^26 µs = 6.4 x 10^12 years   6.4 x 10^6 years

Main weakness of DES – Key Size

• 56-bit keys: there are 2^56 = 7.2 x 10^16 possible values

• brute force search is hard, but (more and more) feasible

• Software (200 MHz Pentium): 2^44 encryptions per year
  1 PC: 2000 years, 200 PCs: 10 years, 6000 PCs: 3 months

• Hardware (FPGA), Cost = $10 000
  less than 2 years

• Hardware (ASIC), Cost = $250 000
  1 key in about 50 hours
  for 1 million $: 1 key in ½ hour

Concrete brute-force attacks


• recent advances have shown that the brute-force attack against
DES is possible

• in 1997 – Verser – internet program with volunteers – took 97 days

• in 1998 – Deep Crack computer developed by Electronic Frontier
Foundation – cost $220 000 – avg. time search is 4.5 days

• still must be able to recognize plaintext

• must now consider alternatives to DES



Recommendations for key length


Intruder              Budget    Secure key length
hacker                tiny      45
Small company         $400      50
Small company         $10000    55
                      $300K     60
Big company           $10M      70
Intelligence agency   $300M     75

• Ciphertext Only Attacks (COA) − In this method, the attacker has
access to a set of ciphertext(s). He does not have access to
corresponding plaintext. COA is said to be successful when the
corresponding plaintext can be determined from a given set of
ciphertext. Occasionally, the encryption key can be determined from
this attack. Modern cryptosystems are guarded against ciphertext-
only attacks.

• Known Plaintext Attack (KPA) − In this method, the attacker knows
the plaintext for some parts of the ciphertext. The task is to decrypt the
rest of the ciphertext using this information. This may be done by
determining the key or via some other method. The best example of this
attack is linear cryptanalysis against block ciphers.

• Chosen Plaintext Attack (CPA) − In this method, the attacker has the
text of his choice encrypted. So he has the ciphertext-plaintext pair of his
choice. This simplifies his task of determining the encryption key. An
example of this attack is differential cryptanalysis applied against block
ciphers as well as hash functions. A popular public key cryptosystem,
RSA is also vulnerable to chosen-plaintext attacks.

• Dictionary Attack − This attack has many variants, all of which involve
compiling a ‘dictionary’. In the simplest method of this attack, the attacker builds a
dictionary of ciphertexts and corresponding plaintexts that he has learnt over a
period of time. In future, when the attacker gets the ciphertext, he refers to the
dictionary to find the corresponding plaintext.

• Brute Force Attack (BFA) − In this method, the attacker tries to determine
the key by attempting all possible keys. If the key is 8 bits long, then the
number of possible keys is 2^8 = 256. The attacker knows the ciphertext and the
algorithm; he now attempts all the 256 keys one by one for decryption. The
time to complete the attack would be very high if the key is long.


In probability theory, the birthday problem or birthday paradox concerns
the probability that, in a set of n randomly chosen people, some pair of them will
have the same birthday.

• Man in Middle Attack (MIM) − The targets of this attack are mostly
public key cryptosystems where key exchange is involved before
communication takes place.
• Host A wants to communicate to host B, hence requests public key
of B.
• An attacker intercepts this request and sends his public key instead.
• Thus, whatever host A sends to host B, the attacker is able to read.
• In order to maintain communication, the attacker re-encrypts the
data after reading with his public key and sends to B.
• The attacker sends his public key as A’s public key so that B takes it
as if it is taking it from A.

• Side Channel Attack (SCA) − This type of attack is not against any
particular type of cryptosystem or algorithm. Instead, it is launched to
exploit the weakness in physical implementation of the cryptosystem.

• Timing Attacks − They exploit the fact that different computations
take different times to compute on a processor. By measuring such
timings, it is possible to know about a particular computation the
processor is carrying out. For example, if the encryption takes a longer
time, it indicates that the secret key is long.

• Power Analysis Attacks − These attacks are similar to timing attacks
except that the amount of power consumption is used to obtain
information about the nature of the underlying computations.

• Fault analysis Attacks − In these attacks, errors are induced in the
cryptosystem and the attacker studies the resulting output for useful
information.
