
(Version 1.0)


1.0 Encryption Standards

This appendix provides the standards for encryption technology to be deployed. This includes digital signature standards and encryption standards for data.

1.1 Prelude – Private Key Management

The effectiveness of any encryption method is dependent on the ability to keep the decryption key (private key) from falling into the hands of an unauthorized person. Once the private key is compromised, the data encrypted with the corresponding public key is no longer protected. Therefore, private key management is very important. Only a few persons (preferably no more than two persons – the primary and backup) should be given access to the private key.

1.2 Encryption Implementation Standards

There are two types of encryption implementations: Symmetric and Asymmetric encryption. Symmetric encryption uses the same key word for encrypting data and decrypting the encrypted data or cipherdata. It provides faster execution. Asymmetric encryption uses different keys for encrypting data and decrypting cipherdata. The sender simply uses the recipient’s public key (which can be made public without compromising the security) to encrypt the data and send the cipherdata to the recipient. Decryption of the data uses the recipient’s private key, not the public key. Asymmetric encryption implementation is more secure than symmetric since the party encrypting the data need not know the private key of the recipient. The objective of a standard encryption implementation is to ensure the expected degree of safety is in place, yet has performance acceptable for application data exchange.

1.3 Encryption Algorithm

Since the protocols of current Local Area Networks (such as IEEE 802.3 standard with 10BaseT/100Base-T/1000Base-X/1000Base-T, 802.5, IEEE 802.11b, or ISO 9314 FDDI, etc.) do not encrypt any data within their payload, data to be transmitted over any network must be encrypted prior to being passed to the next layer. The algorithm to be used for encryption must be suitable for both static document and data. The strength of the encryption depends on the algorithm used. In addition to strong encryption, the algorithm must be fast so that the performance of application will not be unduly impacted. Several encryption algorithms are well suited for standard encryption needs, such as encryption for static document or data. The algorithm that has strong encryption and acceptable performance is AES Rijndael with block size of 128 bits and key size of no less than 256 bits. This block-key size requirement provides a lifetime of

Encryption Page 1

2.0 Encryption Algorithms

This section provides additional discussions about some popular encryption algorithms. This section provides technical details of how the various algorithms work. Although understanding of these technical details is not necessary to implement them, it is beneficial for a technical manager to have a basic idea of how encryption algorithms work. This section will provide the technical manager insight and basis to evaluate products that implement different algorithms. At the end of each algorithm, there is a short discussion about the pros and cons of that algorithm.

2.1 RSA

RSA is a public-key cryptosystem developed by MIT professors Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman in 1977, in an effort to help ensure Internet security. RSA uses modular arithmetic and elementary number theory as the basis for encryption computation. The RSA algorithm uses two large primes and messages of unconditional length.

The "key" of an RSA cipher is three numbers: The first is “Xpub”, the public exponent, the second is “Xpriv”, the private exponent, and the third is Mod, the modulus. The public key is the pair (Xpub, Mod). The private key is the pair (Xpriv, Mod). The “Xpub” and “Xpriv” are also known as primes. The Mod, the modulus, “n”, is also used in conjunction with “Xpriv”.

The message “M” (which must be shorter than Mod) is interpreted as a number. It is broken into chunks, as necessary, to meet the length requirement. This number is raised to the power of “Xpub”, modulo Mod, to give “C”, the ciphertext. “C” may in turn be raised to the power of “Xpriv”, modulo Mod, to give “M”.

The private key is generated using the following formula:

where
“p” and “q” are large (≥ 500 bits) random integers
“e” is a random number relatively prime to (p-1)(q-1)

The public key is generated as follows:

The public key pair (Xpub, Mod) is therefore (e, n). If we call the “Xpriv” “d”, then the private key pair (Xpriv, Mod) is (d, n).

The message to be encrypted is divided into blocks of fixed length (cipher block), but no longer than the number of digits in “Xpub”, and encrypted as follows:

where
“C” is the encrypted text (ciphertext)
“M” is the plaintext

“j” is the j-th block

The encrypted text can be decrypted using

The RSA is a commonly used encryption algorithm throughout the world, and is generally supported by most encryption software. The algorithm is also supported by most Java packages.

Although the RSA is a solid algorithm and produces strong ciphertext, its safety relies on the user selecting the key with a sufficiently large size and a non-common key word. The human is generally considered the weakest link in cryptography. Considering that the public and private keys are generated through modulus mathematics, it is possible to break the key through factoring. However, the upper limit is:

where “n” is the length of the number in bits.

From the above equation, the degree of difficulty in factoring the prime increases tenfold for every 10 bits added. However, by careful selection of the key and ensuring that the size of the key is at least 500 bits, the algorithm is extremely difficult to break. It is recommended that the key length be no less than 500 bits.

2.2 DES

DES, the Data Encryption Standard, describes the Data Encryption Algorithm (DEA), defined in the ANSI standard X9.32. It was the first official U.S. government cipher intended for commercial use and was the most widely used cryptosystem in the world. The DES is the United States Federal Information Processing Standard (FIPS 46-3) for encryption of non-classified document and data (Confidential and Protected Data). The United States National Institute of Standards and Technology (NIST) FIPS 46-3 reaffirms Triple DES usage as of October 1999, but single DES is permitted only for legacy systems. FIPS 46-3 includes a definition of triple-DES (TDEA, corresponding to X9.52). In November of 2001, FIPS 46-3 was replaced by the Advanced Encryption Standard (AES - FIPS 197). Please see paragraph 11.5 for further discussions about the AES encryption.

The DES is a 16-round fixed sized cipher block with eight (8) parity bits for error checking. The DES uses the DEA algorithm and executes very quickly. However, it has been broken, using brute force and other cryptanalysis techniques.

The DES can also be used for single-user encryption, such as to store files on a hard disk in an encrypted form. In a multi-user environment, secure key distribution may be difficult; public-key cryptography provides an ideal solution to this problem.

DES, a symmetric cryptosystem, is a 16-round Feistel that was originally designed for hardware implementation. When used for communication, both the sender and the receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code (MAC).

2.2.1 A Note on the DES

The DES standard specifies a 64-bit block size, but uses only 56-bit key during execution. Eight (8) bits are stripped off the full 64-bit key for parity. It has been found that the number of rounds is exponentially proportional to the amount of time required to find a key using a brute-force attack. Therefore, as the number of rounds increases, the security of the algorithm increases exponentially.

2.3 Triple DES (FIPS 46-3)

Triple DES was the answer to many of the shortcomings of the DES. Since the Triple DES algorithm is based on the DES, modification of the existing software is very easy. It also has the advantage of proven reliability and a longer key length that eliminates many of the shortcut attacks that can be used to reduce the amount of time it takes to break the DES. However, even this more powerful version of DES may not be strong enough to protect data for very much longer.

2.4 SHA-1

The Secure Hash Algorithm (SHA) is specified in the Secure Hash Standard (SHS, FIPS 180). The SHA-1, a revision to the SHA that was published in 1994, corrected an unpublished flaw in the SHA. Its design is very similar to the MD4 family of hash functions developed by Rivest. The SHA-1 is also described in the ANSI X9.30 (part 2) standard. The algorithm takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks. It should be noted that SHA is a hash algorithm and not an encryption algorithm.

2.5 AES

The AES is the Advanced Encryption Standard (FIPS 197). There are several algorithms proposed for AES, including RC6, Blowfish, and skipjack. In November of 2001, AES designated Rijndael algorithm as the standard algorithm. Therefore, the terms AES algorithm and Rijndael algorithm are used interchangeably. Rijndael is selected because of its flexibility and simplicity. Rijndael is a symmetric block cipher with a block size of 128 bits. The AES specifies the algorithm to support variable key sizes: 128, 192, and 256 bits.

The algorithm operates on an internal two-dimensional array called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length divided by 32. In the State array denoted by the symbol s, each individual byte has two indices, with its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as s[r,c].

For the AES algorithm, the length of the input block, the output block, and the State is 128 bits. This is represented by Nb = 4, which reflects the number of 32-bit words (number of columns) in the State. Since AES specifies Nb = 4, the range for c, the column number of the State, is 0 ≤ c < 4.

For the AES algorithm, the length of the Cipher Key, k, is 128, 192, or 256 bits. The key length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words (number of columns) in the Cipher Key. Therefore

Nk = k / 32

For the AES algorithm, the number of rounds to be performed during the execution of the algorithm is dependent on the key size. The number of rounds is represented by Nr, where Nr = 10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8.

The only Key-Block-Round combinations that conform to this standard are given in the Table 1.

Table 1 Key-Block-Round Combination

            Key Length    Block Size    Number of Rounds
            (Nk words)    (Nb words)    (Nr)
AES-128     4             4             10
AES-192     6             4             12
AES-256     8             4             14

Rijndael consistently outperforms other proposed AES algorithms in both hardware and software across a wide range of computing environments, regardless of its use in feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good. Rijndael's very low memory requirements make it well suited for restricted-space environments, in which it also demonstrates excellent performance. Rijndael's operations are among the easiest to defend against power and timing attacks.

Additionally, it appears that some defense can be provided against such attacks without significantly impacting Rijndael's performance. Rijndael is designed with some flexibility in terms of block and key sizes, and the algorithm can accommodate alterations in the number of rounds, although these features require further study, and are not being deployed at this time. Finally, Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism (multiple instructions can be executed in parallel).

The following is the high-level schematic of Rijndael algorithm.

2.6 Blowfish

Blowfish is a variable-length key, 64-bit block cipher. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a key of at most 448 bits into several subkey arrays totaling 4168 bytes. Data encryption occurs through a 16-round Feistel network. Each round consists of a key-dependent permutation and a key- and data-dependent substitution. All operations are XORs and additions on 32-bit words. The only additional operations are four indexed array data lookups per round.

2.6.1 Subkeys

Blowfish uses a large number of subkeys. These keys must be pre-computed before any data encryption or decryption.

1. The P-array consists of 18 32-bit subkeys: P1, P2, ..., P18.
2. There are four 32-bit S-boxes with 256 entries each:
   S1,0, S1,1, ..., S1,255
   S2,0, S2,1, ..., S2,255

   S3,0, S3,1, ..., S3,255
   S4,0, S4,1, ..., S4,255

2.6.2 Encryption

Blowfish is a Feistel network consisting of 16 rounds (see Figure 1). The input is a 64-bit data element, x.

    Divide x into two 32-bit halves: xL, xR
    For i = 1 to 16 {
        xL = xL XOR Pi
        xR = F(xL) XOR xR
        Swap xL and xR
    }
    Swap xL and xR (Undo the last swap.)
    xR = xR XOR P17
    xL = xL XOR P18
    Recombine xL and xR

    Function F {
        Divide xL into four eight-bit quarters: a, b, c, and d
        F(xL) = ((S1,a + S2,b mod 2^32) XOR S3,c) + S4,d mod 2^32
    }

Decryption is exactly the same as encryption, except that P1, P2, ..., P18 are used in the reverse order. Implementations of Blowfish that require the fastest speeds should unroll the loop and ensure that all subkeys are stored in cache.

2.6.3 Generating the Subkeys:

The subkeys are calculated using the Blowfish algorithm. The method of generating the subkeys is as follows:

1. First, initialize the P-array and then the four S-boxes, in order, with a fixed string. This string consists of the hexadecimal digits of pi (less the initial 3). For example:
   P1 = 0x243f6a88
   P2 = 0x85a308d3
   P3 = 0x13198a2e
   P4 = 0x03707344
2. XOR P1 with the first 32 bits of the key, XOR P2 with the second 32-bits of the key, and so on for all the bits of the key. Repeatedly cycle through the key bits until the entire P-array has been XORed with key bits. For every short key, there is at least one equivalent longer key; for example, if A is a 64-bit key, then AA, AAA, etc., are equivalent keys.
3. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described in steps (1) and (2).
4. Replace P1 and P2 with the output of step (3).

5. Encrypt the output of step (3) using the Blowfish algorithm with the modified subkeys.
6. Replace P3 and P4 with the output of step (5).
7. Continue the process, replacing all entries of the P-array, and then all four S-boxes in order, with the output of the continuously-changing Blowfish algorithm.

In total, 521 iterations are required to generate all required subkeys. For faster execution, applications can store the subkeys (in protected session name space) rather than execute this derivation process multiple times.

2.7 CAST

CAST-128 (CAST5) is another popular 64-bit Feistel cipher allowing key sizes up to 128 bits. The name CAST stands for Carlisle Adams and Stafford Tavares, the original inventors of CAST. CAST-128 consists of 16 non-identical rounds, where each round is built up by simple operations such as integer and bitwise addition and rotation.

Feistel ciphers are a special class of iterated block ciphers where the ciphertext is calculated from the plaintext by repeated application of the same transformation or round function. Feistel ciphers are sometimes called DES-like ciphers. The following figure illustrates the concept of Feistel ciphers.

[Figure: Feistel Cipher]

CAST-128 has been endorsed by the Canadian government as one of the replacement algorithms for DES.

CAST-256 (CAST6) is a freely available extension of CAST-128 accepting up to 256 bits of key size and with a 128-bit block size. CAST-256 was one of the original candidates for the AES. CAST-256 was a candidate for AES in the first round of evaluation. Although no security weaknesses were found, the algorithm did not qualify for the second round. CAST-256 has the property of strongly favoring security over speed.
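
The Blowfish round structure of section 2.6.2 and the subkey generation of section 2.6.3, as an added example that is not part of the original document. The function names are assumptions, and the initial P-array and S-box contents are constructed stand-ins rather than the hexadecimal digits of pi, so the output shows the structure but does not interoperate with real Blowfish.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def stand_in_words(label, count):
    """Constructed filler, NOT the pi digits real Blowfish uses in step 1."""
    words, i = [], 0
    while len(words) < count:
        digest = hashlib.sha256(f"{label}:{i}".encode()).digest()
        words.extend(struct.unpack(">8I", digest))
        i += 1
    return words[:count]

def F(S, xL):
    # Divide xL into four eight-bit quarters a, b, c, d.
    a, b, c, d = xL >> 24, (xL >> 16) & 0xFF, (xL >> 8) & 0xFF, xL & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK) ^ S[2][c]) + S[3][d]) & MASK

def crypt_block(P, S, xL, xR):
    """16 Feistel rounds, then undo the last swap and apply P17 and P18."""
    for i in range(16):
        xL ^= P[i]
        xR ^= F(S, xL)
        xL, xR = xR, xL
    xL, xR = xR, xL
    return xL ^ P[17], xR ^ P[16]

def expand_key(key):
    """Steps 1-7 of the subkey generation; returns (P, S, iterations)."""
    if not 1 <= len(key) <= 56:
        raise ValueError("key must be 1 to 56 bytes (at most 448 bits)")
    P = stand_in_words("P", 18)                               # step 1
    S = [stand_in_words(f"S{n}", 256) for n in (1, 2, 3, 4)]
    for i in range(18):                                       # step 2
        word = 0
        for j in range(4):
            word = (word << 8) | key[(4 * i + j) % len(key)]  # cycle the key
        P[i] ^= word
    xL = xR = iterations = 0
    for table in [P] + S:                                     # steps 3-7
        for i in range(0, len(table), 2):
            xL, xR = crypt_block(P, S, xL, xR)
            table[i], table[i + 1] = xL, xR
            iterations += 1
    return P, S, iterations

def encrypt(P, S, block):
    return crypt_block(P, S, *block)

def decrypt(P, S, block):
    # Same routine, with P1..P18 used in the reverse order.
    return crypt_block(P[::-1], S, *block)

if __name__ == "__main__":
    P, S, n = expand_key(b"constructed key")
    ct = encrypt(P, S, (0x01234567, 0x89ABCDEF))
    print(n, [hex(w) for w in ct], decrypt(P, S, ct) == (0x01234567, 0x89ABCDEF))
    # A 64-bit key A and its repetition AA yield identical subkeys.
    print(expand_key(b"ABCDEFGH")[:2] == expand_key(b"ABCDEFGH" * 2)[:2])
```

The equivalent-key result follows directly from step 2: cycling through the bytes of A and of AA feeds the same words into the P-array, so repeating a short key adds no key strength.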
