Data Encrption Standard, Lecture Notes - Computer Science and , Study notes of Cryptography and System Security

Prof. Salil Vadhan, Prof. Prof. Raymond G Kammer, Computer Science, Cryptography, Data Encryption Standard, Decipher, Cipher Function f, Triple Data Encryption Algorithm, ECB Mode, Harvard, Lecture Notes

Typology: Study notes

2010/2011

Uploaded on 11/02/2011

thecoral
thecoral 🇺🇸

4.5

(30)

395 documents

1 / 26

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
FIPS PUB 46-3
FEDERAL INFORMATION
PROCESSING STANDARDS PUBLICATION
Reaffirmed
1999 October 25
U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology
DATA ENCRYPTION STANDARD (DES)
CATEGORY: COMPUTER SECURITY
SUBCATEGORY: CRYPTOGRAPHY
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a

Partial preview of the text

Download Data Encrption Standard, Lecture Notes - Computer Science and and more Study notes Cryptography and System Security in PDF only on Docsity!

FIPS PUB 46-

FEDERAL INFORMATION

PROCESSING STANDARDS PUBLICATION

Reaffirmed 1999 October 25

U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology

DATA ENCRYPTION STANDARD (DES)

CATEGORY: COMPUTER SECURITY

SUBCATEGORY: CRYPTOGRAPHY

U.S. DEPARTMENT OF COMMERCE, William M. Daley, Secretary NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, Raymond G. Kammer, Director

Foreword

The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235). These mandates have given the Secretary of Commerce and NIST important responsibilities for improving the utilization and management of computer and related telecommunications systems in the Federal Government. The NIST, through its Information Technology Laboratory, provides leadership, technical guidance, and coordination of Government efforts in the development of standards and guidelines in these areas.

Comments concerning Federal Information Processing Standards Publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Dr. Stop 8900, Gaithersburg, MD 20899-8900.

William Mehuron, Director Information Technology Laboratory

Abstract

The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security to its electronic data systems. This publication specifies two cryptographic algorithms, the Data Encryption Standard (DES) and the Triple Data Encryption Algorithm (TDEA) which may be used by Federal organizations to protect sensitive data. Protection of data during transmission or while in storage may be necessary to maintain the confidentiality and integrity of the information represented by the data. The algorithms uniquely define the mathematical steps required to transform data into a cryptographic cipher and also to transform the cipher back to the original form. The Data Encryption Standard is being made available for use by Federal agencies within the context of a total security program consisting of physical security procedures, good information management practices, and computer system/network access controls. This revision supersedes FIPS 46-2 in its entirety.

Federal Information Processing Standards Publication 46-

1999 October 25

Announcing the

DATA ENCRYPTION STANDARD

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104- 106), and the Computer Security Act of 1987 (Public Law 100-235).

1. Name of Standard. Data Encryption Standard (DES). 2. Category of Standard. Computer Security, Cryptography. 3. Explanation. The Data Encryption Standard (DES) specifies two FIPS approved cryptographic algorithms as required by FIPS 140-1. When used in conjunction with American National Standards Institute (ANSI) X9.52 standard, this publication provides a complete description of the mathematical algorithms for encrypting (enciphering) and decrypting (deciphering) binary coded information. Encrypting data converts it to an unintelligible form called cipher. Decrypting cipher converts the data back to its original form called plaintext. The algorithms described in this standard specifies both enciphering and deciphering operations which are based on a binary number called a key.

A DES key consists of 64 binary digits ("0"s or "1"s) of which 56 bits are randomly generated and used directly by the algorithm. The other 8 bits, which are not used by the algorithm, may be used for error detection. The 8 error detecting bits are set to make the parity of each 8-bit byte of the key odd, i.e., there is an odd number of "1"s in each 8-bit byte^1. A TDEA key consists of three DES keys, which is also referred to as a key bundle. Authorized users of encrypted computer data must have the key that was used to encipher the data in order to decrypt it. The encryption algorithms specified in this standard are commonly known among those using the standard. The cryptographic

(^1) Sometimes keys are generated in an encrypted form. A random 64-bit number is generated

and defined to be the cipher formed by the encryption of a key using a key encrypting key. In this case the parity bits of the encrypted key cannot be set until after the key is decrypted.

7. Applications. Data encryption (cryptography) is utilized in various applications and environments. The specific utilization of encryption and the implementation of the DES and TDEA^1 will be based on many factors particular to the computer system and its associated components. In general, cryptography is used to protect data while it is being communicated between two points or while it is stored in a medium vulnerable to physical theft. Communication security provides protection to data by enciphering it at the transmitting point and deciphering it at the receiving point. File security provides protection to data by enciphering it when it is recorded on a storage medium and deciphering it when it is read back from the storage medium. In the first case, the key must be available at the transmitter and receiver simultaneously during communication. In the second case, the key must be maintained and accessible for the duration of the storage period. FIPS 171 provides approved methods for managing the keys used by the algorithms specified in this standard. Public- key based protocols may also be used (e.g., ANSI X9.42). 8. Implementations. Cryptographic modules which implement this standard shall conform to the requirements of FIPS 140-1. The algorithms specified in this standard may be implemented in software, firmware, hardware, or any combination thereof. The specific implementation may depend on several factors such as the application, the environment, the technology used, etc. Implementations which may comply with this standard include electronic devices (e.g., VLSI chip packages), micro-processors using Read Only Memory (ROM), Programmable Read Only Memory (PROM), or Electronically Erasable Read Only Memory (EEROM), and mainframe computers using Random Access Memory (RAM). When an algorithm is implemented in software or firmware, the processor on which the algorithm runs must be specified as part of the validation process. Implementations of an algorithm which are tested and validated by NIST will be considered as complying with the standard. Note that FIPS 140-1 places additional requirements on cryptographic modules for Government use. Information about devices that have been validated and procedures for testing and validating equipment for conformance with this standard and FIPS 140-1 are available from the National Institute of Standards and Technology, Information Technology Laboratory, 100 Bureau Dr. Stop 8930, Gaithersburg, MD 20899-8930. 9. Export Control. Cryptographic devices and technical data regarding them are subject to Federal Government export controls and exports of cryptographic modules implementing this standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Export Administration of the U.S. Department of Commerce.

(^1) DES forms the basis for TDEA.

10. Patents. Cryptographic devices implementing this standard may be covered by U.S. and foreign patents, including patents issued to the International Business Machines Corporation. However, IBM has granted nonexclusive, royalty-free licenses under the patents to make, use and sell apparatus which complies with the standard. The terms, conditions and scope of the licenses are

set out in notices published in the May 13, 1975 and August 31, 1976 issues of the Official Gazette of the United States Patent and Trademark Office (934 O.G. 452 and 949 O.G. 1717).

11. Alternative Modes of Using the DES and TDEA. FIPS PUB 81, DES Modes of Operation, describes four different modes for using DES described in this standard. These four modes are called the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode. ECB is a direct application of the DES algorithm to encrypt and decrypt data; CBC is an enhanced mode of ECB which chains together blocks of cipher text; CFB uses previously generated cipher text as input to the DES to generate pseudorandom outputs which are combined with the plaintext to produce cipher, thereby chaining together the resulting cipher; OFB is identical to CFB except that the previous output of the DES is used as input in OFB while the previous cipher is used as input in CFB. OFB does not chain the cipher.

The X9.52 standard, “Triple Data Encryption Algorithm Modes of Operation” describes seven different modes for using TDEA described in this standard. These seven modes are called the TDEA Electronic Codebook Mode of Operation (TECB) mode, the TDEA Cipher Block Chaining Mode of Operation (TCBC), the TDEA Cipher Block Chaining Mode of Operation - Interleaved (TCBC-I), the TDEA Cipher Feedback Mode of Operation (TCFB), the TDEA Cipher Feedback Mode of Operation - Pipelined (TCFB-P), the TDEA Output Feedback Mode of Operation (TOFB), and the TDEA Output Feedback Mode of Operation - Interleaved (TOFB-I). The TECB, TCBC, TCFB and TOFB modes are based upon the ECB, CBC, CFB and OFB modes respectively obtained by substituting the DES encryption/decryption operation with the TDEA encryption/decryption operation.

12. Implementation of this standard. This standard became effective July 1977. It was reaffirmed in 1983, 1988, 1993, and 1999. It applies to all Federal agencies, contractors of Federal agencies, or other organizations that process information (using a computer or telecommunications system) on behalf of the Federal Government to accomplish a Federal function. Each Federal agency or department may issue internal directives for the use of this standard by their operating units based on their data security requirement determinations.

With this modification of the FIPS 46-2 standard:

  1. Triple DES (i.e., TDEA), as specified in ANSI X9.52 will be recognized as a FIPS approved algorithm.
  2. Triple DES will be the FIPS approved symmetric encryption algorithm of choice.
  3. Single DES (i.e., DES) will be permitted for legacy systems only. New procurements to support legacy systems should, where feasible, use Triple DES products running in the single DES configuration.

single DES systems are encouraged to transition to Triple DES. Agencies are advised to implement Triple DES when building new systems.

16. Comments. Comments and suggestions regarding this standard and its use are welcomed and should be addressed to the National Institute of Standards and Technology, Attn: Director, Information Technology Laboratory, 100 Bureau Dr. Stop 8900, Gaithersburg, MD 20899-8900. 17. Waiver Procedure. Under certain exceptional circumstances, the heads of Federal departments and agencies may approve waivers to Federal Information Processing Standards (FIPS). The head of such agency may redelegate such authority only to a senior official designated pursuant to section 3506(b) of Title 44, United States Code. Waiver shall be granted only when:

a. Compliance with a standard would adversely affect the accomplishment of the mission of an operator of a Federal computer system; or

b. Compliance with a standard would cause a major adverse financial impact on the operator which is not offset by Government-wide savings.

Agency heads may act upon a written waiver request containing the information detailed above. Agency heads may also act without a written waiver request when they determine that conditions for meeting the standard cannot be met. Agency heads may approve waivers only by a written decision which explains the basis on which the agency head made the required finding(s). A copy of each decision, with procurement sensitive or classified portions clearly identified, shall be sent to: National Institute of Standards and Technology; ATTN: FIPS Waiver Decisions, 100 Bureau Drive, Stop 8970, Gaithersburg, MD 20899-8970.

In addition, notice of each waiver granted and each delegation of authority to approve waivers shall be sent promptly to the Committee on Government Operations of the House of Representatives and the Committee on Government Affairs of the Senate and shall be published promptly in the Federal Register.

When the determination on a waiver applies to the procurement of equipment and/or services, a notice of the waiver determination must be published in the Commerce Business Daily as a part of the notice of solicitation for offers of an acquisition or, if the waiver determination is made after that notice is published, by amendment to such notice.

A copy of the waiver, any supporting documents, the document approving the waiver and any accompanying documents, with such deletions as the agency is authorized and decides to make under 5 United States Code Section 552(b), shall be part of the procurement documentation and retained by the agency.

18. Special Information. In accordance with the Qualifications Section of this standard, reviews of this standard have been conducted every 5 years since its adoption in 1977. The standard was

reaffirmed during each of those reviews. This revision to the text of the standard contains changes which allow software implementations of the algorithm, permit the use of other FIPS approved cryptographic algorithms, and designate Triple DES (i.e., TDEA) as a FIPS approved cryptographic algorithm.

19. Where to Obtain Copies of the Standard. Copies of this publication are for sale by the National Technical Information Service, U.S. Department of Commerce, Springfield, VA 22161. When ordering, refer to Federal Information Processing Standards Publication 46- (FIPSPUB463), and identify the title. When microfiche is desired, this should be specified. Prices are published by NTIS in current catalogs and other issuances. Payment may be made by check, money order, deposit account or charged to a credit card accepted by NTIS.

Figure 1. Enciphering computation.

The following notation is convenient: Given two blocks L and R of bits, LR denotes the block consisting of the bits of L followed by the bits of R. Since concatenation is associative, B 1 B 2 ...B 8 , for example, denotes the block consisting of the bits of B 1 followed by the bits of B 2 ...followed by the bits of B 8.

Enciphering

A sketch of the enciphering computation is given in Figure 1.

The 64 bits of the input block to be enciphered are first subjected to the following permutation, called the initial permutation IP :

IP

58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

That is the permuted input has bit 58 of the input as its first bit, bit 50 as its second bit, and so on with bit 7 as its last bit. The permuted input block is then the input to a complex key-dependent computation described below. The output of that computation, called the preoutput, is then subjected to the following permutation which is the inverse of the initial permutation:

IP-

40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25

That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its second bit, and so on, until bit 25 of the preoutput block is the last bit of the output.

Deciphering

The permutation IP-1^ applied to the preoutput block is the inverse of the initial permutation IP applied to the input. Further, from (1) it follows that:

(4) R = L' L = R'f(L',K)

Consequently, to decipher it is only necessary to apply the very same algorithm to an enciphered message block, taking care that at each iteration of the computation the same block of key bits K is used during decipherment as was used during the encipherment of the block. Using the notation of the previous section, this can be expressed by the equations:

(5) Rn-1 = Ln Ln-1 = Rnf(Ln,Kn)

where now R 16 L 16 is the permuted input block for the deciphering calculation and L 0 R 0 is the preoutput block. That is, for the decipherment calculation with R 16 L 16 as the permuted input, K 16 is used in the first iteration, K 15 in the second, and so on, with K 1 used in the 16th iteration.

The Cipher Function f

A sketch of the calculation of f(R,K) is given in Figure 2.

Figure 2. Calculation of f (R, K)

Let E denote a function which takes a block of 32 bits as input and yields a block of 48 bits as output. Let E be such that the 48 bits of its output, written as 8 blocks of 6 bits each, are obtained by selecting the bits in its inputs in order according to the following table:

E BIT-SELECTION TABLE

The permutation function P yields a 32-bit output from a 32-bit input by permuting the bits of the input block. Such a function is defined by the following table:

P

The output P(L) for the function P defined by this table is obtained from the input L by taking the 16th bit of L as the first bit of P(L) , the 7th bit as the second bit of P(L) , and so on until the 25th bit of L is taken as the 32nd bit of P(L). The permutation function P of the algorithm is repeated in Appendix 1.

Now let S 1 ,...,S 8 be eight distinct selection functions, let P be the permutation function and let E be the function defined above.

To define f(R,K) we first define B 1 ,...,B 8 to be blocks of 6 bits each for which

(6) B 1 B 2 ...B 8 = K ⊕ E(R)

The block f(R,K) is then defined to be

(7) P(S 1 (B 1 )S 2 (B 2 )...S 8 (B 8 ))

Thus KE(R) is first divided into the 8 blocks as indicated in (6). Then each Bi is taken as an input to Si and the 8 blocks S 1 (B 1 ),S 2 (B 2 ),...,S 8 (B 8 ) of 4 bits each are consolidated into a single block of 32 bits which forms the input to P. The output (7) is then the output of the function f for the inputs R and K.

TRIPLE DATA ENCRYPTION ALGORITHM

Let EK(I) and DK(I) represent the DES encryption and decryption of I using DES key K respectively. Each TDEA encryption/decryption operation (as specified in ANSI X9.52) is a compound operation of DES encryption and decryption operations. The following operations are used:

  1. TDEA encryption operation: the transformation of a 64-bit block I into a 64-bit block O that is defined as follows: O = EK3(DK2(EK1(I))).
  2. TDEA decryption operation: the transformation of a 64-bit block I into a 64-bit block O that is defined as follows:

O = DK1(EK2(DK3(I)))

The standard specifies the following keying options for bundle (K 1 , K 2 , K 3 )

  1. Keying Option 1: K 1 , K 2 and K 3 are independent keys;
  2. Keying Option 2: K 1 and K 2 are independent keys and K 3 = K 1 ;
  3. Keying Option 3: K 1 = K 2 = K 3.

A TDEA mode of operation is backward compatible with its single DES counterpart if, with compatible keying options for TDEA operation,

  1. an encrypted plaintext computed using a single DES mode of operation can be decrypted correctly by a corresponding TDEA mode of operation; and
  2. an encrypted plaintext computed using a TDEA mode of operation can be decrypted correctly by a corresponding single DES mode of operation.

When using Keying Option 3 (K 1 = K 2 = K 3 ) , TECB, TCBC, TCFB and TOFB modes are backward compatible with single DES modes of operation ECB, CBC, CFB, OFB respectively.

The diagram in Appendix 2 illustrates TDEA encryption and TDEA decryption.