Using DE S to Implement ATM Cell E ncryption on the APIC David - PowerPoint PPT Presentation

Using DE S to Implement ATM Cell E ncryption on the APIC David Ruppel Dr. Mansoor Alam Department of Electrical Engineering and Computer Science The University of Toledo

Data E ncryption Standard (DE S) Data E ncryption Standard (DE S) ! Algorithm proposed by Federal Information Processing Standards (FIPS) within National Bureau of Standards ! Approved by US Secretary of Commerce in 1977 ! Reaffirmed in 1983, 1988, 1993 and 1999 ! Available for non-government use ! Is being replaced to Triple Data Encryption Algorithm (TDEA) and Advanced Encryption Standard (AES)

Why Use DE S? Why Use DE S? ! TDEA uses 3 keys ! Encryption is: ! DES encrypt with key 1 ! DES decrypt with key 2 ! DES encrypt with key 3 ! Decryption inverts the operations in reverse order ! Currently, the US government recommends either TDEA or AES for non-classified applications ! DES underlies TDEA and is thus a starting point

Main Points Main Points ! Recirculating 64-bit block product cipher ! Uses a 64-bit key ! 56 bits are random ! 8 bits used for odd parity ! Permutations and selection tables are static ! Key is the only variable in the algorithm

E ncryption E ncryption ! 64-bit data block is Data 64 bits permuted (IP) P ! Resulting 64-bit block is Permuted Data divided into two 32-bit 64 bits subblocks (L and R) L block R block 32 bits 32 bits

E ncryption (cont) E ncryption (cont) ! 56 random key bits are Key - 56 bits partitioned into two partition subblocks C block D block 28 bits 28 bits ! Subblocks are shifted and permute and shift permuted Permuted and Permuted and shifted C block shifted D block ! Subblocks are concatenate concatenated and 48 bits and shift Key - 48 bits are selected for the key

E ncryption (cont) E ncryption (cont) ! A key and one data Key Subblock R subblock (R) are combined using a non- F linear function (F) output from F Subblock L ! The function result is XOR XOR’d with the other data subblock (L) New subblock R

E ncryption (cont) E ncryption (cont) ! The two subblocks are interchanged ! L’ = R ! R’ = L XOR F(R,K) ! Process is repeated for a total of 16 iterations ! The two subblocks are interchanged and concatenated into a 64-bit block ! 64-bit block is permuted (IP -1 )

F unction (F ) F unction (F ) ! 32-bit data subblock is 32- bit subblock R expanded to 48 bits by repetition of selected bits repeat bits 48- bit subblock 48- bit key XOR ! Two 48-bit subblocks are XOR’d 48- bit subblock

F unction (F ) (cont) F unction (F ) (cont) ! Result is divided into eight 6-bit 48 bits sub-subblocks partition ! Each sub-subblock is associated 6 6 6 6 6 6 6 6 with a different 4 x 16 static table Table lookup ! 4-bit values 4 4 4 4 4 4 4 4 ! 0 to 15 in each row conatenate ! The 6 bits in the sub-subblock are 32 bit result used as look-up indices into a table ! The results from the 8 tables are (4 x 16) of 4-bit values concatenated into a 32-bit block ! 1 st & 6 th bits are row ! Remaining bits are column

F unction (F ) (cont) F unction (F ) (cont) ! Concatenation result is permuted (P) Previous 32 bit result P Output of F

Decryption Decryption ! Repeat the encryption process on the encrypted data ! Use the encryption keys in reverse order ! The usage of L and R are interchanged, i.e., L is used as input to F rather than R

E ncrypting ATM Cells E ncrypting ATM Cells ! Encrypt entire 53-byte cell ! Hides the VC ! Masks destination ! One cell generates 6-5/8 blocks of encrypted data ! Eight input cells will be encrypted in nine output cells ! 12.5 % traffic load overhead

APIC/ SPC Processing APIC/ SPC Processing ! Assume VC is set up between two end-users ! Assume two APICs are on the route ! APICs establish a different VC between them ! Original VC between APICs can be torn down or left unused ! APIC captures traffic on original VC ! Encrypts ! Forwards to the other APIC

APIC/ SPC Processing (cont) APIC/ SPC Processing (cont) ! Traffic arrives at second APIC ! Decrypts ! Forwards to end-user recipient ! When done, VCs are torn down

Alternate Approach Alternate Approach ! Only encrypt payload ! No traffic load overhead ! No wasted VC