Information Security

Dr. Uma Godase


Computer Science and Engineering
MIT School of Engineering
Symmetric Cipher Model
Requirements
Two requirements for secure use of symmetric encryption:
▪ a strong encryption algorithm
▪ a secret key known only to sender / receiver
Mathematically have:
Y = EK(X)
X = DK(Y)
▪ assume encryption algorithm is known
▪ implies a secure channel to distribute key
Product Ciphers
▪ ciphers using substitutions or transpositions alone are not secure
because of language characteristics
▪ Hence a product cipher uses several ciphers in succession to
make cryptanalysis harder
• two substitutions make a more complex substitution
• two transpositions make more complex transposition
• but a substitution followed by a transposition makes a
new much harder cipher
▪ this is bridge from classical to modern ciphers
Block vs. Stream Ciphers
▪ block ciphers process messages in blocks, each of
which is then en/decrypted
▪ like a substitution on very big characters
▪ 64-bits or more
▪ stream ciphers process messages a bit or byte at a
time when en/decrypting
▪ many current ciphers are block ciphers
▪ most symmetric block ciphers are based on a Feistel
Cipher Structure
Feistel Cipher Structure
▪ Horst Feistel devised the Feistel cipher based on the
concept of invertible product cipher
▪ partitions input block into two halves
▪ process through multiple rounds
▪ perform a substitution on left data half based on
round function of right half & sub key
▪ then have permutation swapping halves
Feistel Cipher Design Elements
▪ Block size : Larger block size - greater security
▪ Key size : Larger key size - greater security
▪ Number of rounds : multiple rounds – greater security
▪ Sub key generation algorithm : more complex
algorithm – greater difficulty of cryptanalysis
▪ Round function : more complex function - greater
difficulty of cryptanalysis
▪ Ease of analysis : easy to analyze the algorithm - more
security
Feistel Cipher Decryption
Simplified DES ( S - DES)
[Figure: S-DES encryption, key generation and decryption]
Encryption: 8-bit plaintext → IP → fk (with K1) → SW → fk (with K2) → IP-1 → 8-bit ciphertext
Key generation: secret key → P10 → SHIFT → P8 gives K1; a further SHIFT → P8 gives K2
Decryption: 8-bit ciphertext → IP → fk (with K2) → SW → fk (with K1) → IP-1 → 8-bit plaintext
Five Functions to Encrypt
▪ IP – an initial permutation
▪ fk - a complex, 2-input function
▪ SW – a simple permutation that swaps the two nibbles
▪ fk - a complex, 2-input function; again
▪ IP-1 – inverse permutation of the initial permutation
Initial Permutation (IP)
Move the bits of the original character around a little…
k1 k2 k3 k4 k5 k6 k7 k8
k2 k6 k3 k1 k4 k8 k5 k7
Expansion/Permutation (E/P)
Expand 4 bits into 8 and permute them…
k1 k2 k3 k4
k4 k1 k2 k3 k2 k3 k4 k1
Data Encryption Standard (DES)
Initial Permutation IP
▪ first step of the data computation
▪ IP reorders the input data bits
▪ quite regular in structure (easy in h/w)
Details of Single round of DES
DES Key Schedule
Generation of sub keys used in each round
▪ Permuted Choice 1 (PC1) : Convert 64 bit key to 56 bit
by discarding every 8th bit
▪ divide 56-bits in two 28-bit halves
▪ Apply left circular shift separately to each half either 1 or
2 places depending on the key rotation schedule
▪ round no. 1,2,9,16 – 1 bit shift
▪ remaining rounds – 2 bit shift
▪ These shifted 56 bits are input to the next round and
Permuted Choice II is applied
▪ Permuted Choice 2 (PC2): Apply permutation to
convert 56 bits into 48 bits which will be the sub key for
that round.
DES Round Structure
▪ uses two 32-bit Left & Right halves
▪ as for any Feistel cipher we can describe as:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
▪ F takes 32-bit R half and 48-bit sub key:
1. Expansion :expands R to 48-bits using permutation E
2. XOR : adds to sub key using XOR
3. S- box : passes through 8 S-boxes to get 32-bit result
4. P-box :finally permutes using 32-bit permutation P
Substitution Boxes S
▪ eight S-boxes map 6 bit input to 4 bit output
▪ Each S-box has 4 rows & 16 columns containing
numbers in the range 0 – 15 distributed horizontally
▪ outer bits 1 & 6 (row bits) select one row r of 4
▪ middle bits 2-5 (column bits) select column c
▪ Number at the intersection of r and c is the output
for that S-box
▪ Total result is 8 lots of 4 bits i. e. 32 bits
DES Decryption
▪ with Feistel design, do encryption steps again using
sub keys in reverse order (SK16 … SK1)
▪ IP undoes final FP step of encryption
▪ 1st round with SK16 undoes 16th encrypt round
▪ ….
▪ 16th round with SK1 undoes 1st encrypt round
▪ then final FP undoes initial encryption IP
▪ thus recovering original data value
Avalanche Effect
▪ key desirable property of encryption algorithm
▪ Avalanche Effect : a change of one input or key
bit results in changing many output bits
▪ Strict Avalanche Criteria (SAC) : Any output
bit j of S – box should change with probability
1/2 when any single input bit i is inverted
▪ DES exhibits strong avalanche
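An added example, not from the slides, that serves both the S-box slide (row from bits 1 and 6, column from bits 2 to 5) and the avalanche slides above: it looks up DES S-box S1 exactly as described and then measures, per input bit, how often each output bit flips, which is what the Strict Avalanche Criterion talks about. The S1 table is the one from the DES standard.

```python
# Added example (not from the slides): S-box S1 lookup and an avalanche measurement.
# Bit numbering follows the slides: bit 1 is the most significant of the 6 input bits.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(box, x):
    """Map a 6-bit input to the 4-bit value at (row, column) of the S-box table."""
    if not 0 <= x < 64:
        raise ValueError("S-box input must be 6 bits")
    row = (((x >> 5) & 1) << 1) | (x & 1)   # outer bits 1 and 6 select one of 4 rows
    col = (x >> 1) & 0xF                     # middle bits 2..5 select one of 16 columns
    return box[row][col]


def hamming(v):
    return bin(v).count("1")


def avalanche_matrix(box):
    """p[i][j]: fraction of the 64 inputs for which inverting input bit i flips output bit j."""
    p = [[0.0] * 4 for _ in range(6)]
    for i in range(6):
        mask = 1 << (5 - i)                  # input bit i+1 in the slides' numbering
        for x in range(64):
            diff = sbox_lookup(box, x) ^ sbox_lookup(box, x ^ mask)
            for j in range(4):
                if (diff >> (3 - j)) & 1:
                    p[i][j] += 1 / 64
    return p


def min_output_change(box):
    """Fewest output bits that change for any single input-bit inversion (DES requires >= 2)."""
    return min(hamming(sbox_lookup(box, x) ^ sbox_lookup(box, x ^ (1 << i)))
               for x in range(64) for i in range(6))


def mean_flip_probability(box):
    """Average of the avalanche matrix; the SAC ideal is 1/2 for every entry."""
    p = avalanche_matrix(box)
    return sum(sum(row) for row in p) / 24
```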
Strength of DES
▪ Key Size : 2^56 = 7.2 × 10^16 possible keys make
brute force attack impractical.
▪ Nature of DES algorithm : no success in
discovering fatal weakness in S- box
▪ Timing Attack : specifically use fact that
calculations can take varying times depending on the
value of the inputs to it. DES is resistant to
successful timing attack.
DES - Cryptanalytic Attacks
Cryptanalytic Attacks
▪ Differential Cryptanalysis
▪ Linear Cryptanalysis
Differential Cryptanalysis
▪ a statistical attack against Feistel ciphers
▪ powerful method to analyze block ciphers
▪ can break DES in less than 2^55 complexity.
▪ can attack DES with 2^47 chosen plaintexts
Differential Cryptanalysis
▪ compares two related pairs of encryptions with a
known difference in the input searching for a known
difference in output when same sub keys are used.
▪ Uses some input difference giving some output
difference with probability p
▪ if instances of some higher probability input / output
difference pairs occurring are found, can infer sub
key that was used in round
▪ then must iterate process over many rounds (with
decreasing probabilities)
Linear Cryptanalysis
▪ statistical method based on finding linear
approximations to describe the transformations
performed in DES.
▪ must be iterated over rounds, with decreasing
probabilities
▪ Tries to find effective linear equation of the form
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
▪ can attack DES with 2^43 known plaintexts, easier but
still in practice infeasible
Criteria for Number of Rounds
Factors deciding cryptographic strength of cipher:
▪ Number of rounds
▪ Function F
▪ Key schedule algorithm
Increase in no. of rounds – increase in difficulty in
cryptanalysis
Deciding number of rounds – Number of rounds is
chosen such that cryptanalytic efforts require greater
effort than simple brute force attack
Confusion and Diffusion
▪ cipher needs to completely obscure statistical properties of
original message
Diffusion:
▪ The statistical structure of the plaintext is spread
(dissipated) into long-range statistics of the cipher text.
▪ Achieved by having each plaintext digit affect the value of
many cipher text digits.
Confusion:
▪ Makes relationship between cipher text and key as
complex as possible. So if attacker gets some handle on
the statistics of the cipher text, the way in which key was
used to produce that cipher text is so complex as to make
it difficult to deduce the key.
▪ Achieved by using a complex substitution algorithm.
Variations of DES
Variations of DES:
▪ Double DES
▪ Triple DES
• Triple DES with two keys
• Triple DES with three keys
Double DES
▪ Two encryption stages, two keys
▪ Given plaintext P, keys K1, K2
encryption C = E(K2, E(K1, P))
decryption P = D(K1, D(K2, C))
▪ for decryption, keys applied in reverse order
▪ Apparently, key length 56×2 = 112 bits
Double DES : Attacks
Reduction to Single Stage :
▪ Suppose it is possible to find key K3 so that
E(K2, E(K1, P)) = E(K3, P)
▪ Multiple encryption will be useless as it would be
equivalent to single encryption i.e. DES
Meet in the middle attack :
C = E(K2, E(K1, P))
X = E(K1, P) = D(K2, C)
▪ Encrypt P for all possible 2^56 values of K1
▪ Decrypt C for all possible 2^56 values of K2
▪ Lookup each decryption against table
▪ Upon a match, verify with another (P,C) pair
▪ If second pair works, done!
Triple-DES with Two-Keys
▪ To counter meet-in-the-middle attack
▪ Encrypt-decrypt-encrypt EDE sequence
C= E (K1, D(K2, E(K1, P)))
▪ Key length 112 bits
▪ No current cryptanalysis attack on 3DES
Triple-DES with Two-Keys: Proposed attack
1. Proposed by Hellman & Merkle:
▪ Find plaintext that produces intermediate value A = 0
▪ Then use meet in the middle attack
▪ Requires 2^56 efforts with chosen plaintext cipher text
pair
Triple-DES with Two-Keys : Proposed Attack
2. Known plaintext attack :
▪ Based on the observation that if we know A & C, the problem
reduces to that of the attack on double DES.
▪ Obtain n (P, C) pairs & place them in table 1 sorted on P
▪ Pick an arbitrary value a for A. For each key K1 = i, calculate
the plaintext Pi that produces a:
Pi = D(i, a)
For each Pi that matches an entry in table 1, create an entry in
table 2 consisting of key K1 = i and value B:
B = D(i, C)
▪ For each key K2 = j, calculate the 2nd intermediate value for our
chosen a: Bj = D(j, a). Search for Bj in table 2. If there is a
match, (i, j) are the values of the keys (K1, K2).
Triple-DES with Three-Keys
▪ Although there are no practical attacks on two-key
Triple-DES, there are some proposed attacks
▪ can use Triple-DES with Three-Keys to avoid even
these
C = E(K3, D(K2, E(K1, P)))
▪ Key length 168 bit
▪ Used in Internet applications: PGP, S/MIME
Advanced Encryption Standard (AES)
▪ replacement for DES was needed
• have theoretical attacks that can break it
• have demonstrated exhaustive key search attacks
▪ can use Triple-DES – but slower in speed
▪ 3DES has smaller block size
▪ Rijndael was selected as the AES in Oct-2000
AES Requirements
▪ private key symmetric block cipher
▪ 128-bit data, 128/192/256-bit keys
▪ stronger & faster than Triple-DES
▪ provide full specification & design details
AES Evaluation Criteria
Initial criteria:
▪ security – effort for practical cryptanalysis
▪ cost – in terms of computational efficiency
▪ algorithm & implementation characteristics – such as
flexibility, simplicity, hardware & software suitability
Final criteria:
▪ general security
▪ ease of software implementation - factors like execution
speed, performance across variety of platforms, variation
of speed with key size
▪ ease of hardware implementation – factors like speed, size
▪ implementation attacks – like timing attack
▪ flexibility (in en/decrypt, keying, other factors)
▪ Potential for instruction level parallelism
AES Cipher - Rijndael
▪ designed by Rijmen-Daemen in Belgium
▪ has 128/192/256 bit keys, 128 bit data
▪ an iterative rather than feistel cipher
▪ processes data as block of 4 columns of 4 bytes
▪ operates on entire data block in every round
▪ designed to be:
▪ resistant against known attacks
▪ speed and code compactness on many CPUs
▪ design simplicity
AES Parameters
Parameter                                 Variation 1   Variation 2   Variation 3
Key size (words/bytes/bits)               4/16/128      6/24/192      8/32/256
Plaintext block size (words/bytes/bits)   4/16/128      4/16/128      4/16/128
Number of rounds                          10            12            14
Round key size (words/bytes/bits)         4/16/128      4/16/128      4/16/128
Expanded key size (words/bytes)           44/176        52/208        60/240
AES Key Expansion
▪ takes 128-bit (16-byte) key and expands into array
of 44/52/60 32-bit words
▪ start by copying key into first 4 words
▪ then loop creating words that depend on values in
previous & 4 places back i.e. word w[i] depends on
w[i-1] and word 4 positions back w[i-4]
▪ in 3 of 4 cases just XOR these together
AES Key Expansion
Details of function g:
▪ RotWord : 1 byte circular shift on a word
[ b0,b1,b2,b3] -> [b1,b2,b3,b0]
▪ SubWord : byte substitution on each byte of input
word using S - box.
▪ XOR result of step 1 & 2 with a round constant
Rcon[j]. Round constant is different for each round.
Rcon[j] = ( RC[j],0,0,0)
where RC[1]=1
RC[j] = 2 × RC[j-1]
Key Expansion Rationale
designed to resist known attacks
design criteria included
▪ knowing part key insufficient to find many more
▪ invertible transformation
▪ fast on wide range of CPUs
▪ use round constants to break symmetry
▪ diffuse key bits into round keys
▪ enough non-linearity to hinder analysis
▪ simplicity of description
AES
Byte Substitution
▪ a simple substitution of each byte
▪ uses one table (S- box) of 16x16 bytes containing a
permutation of all 256 8-bit values
▪ each byte of state is replaced by byte indexed by row
(left 4-bits) & column (right 4-bits)
▪ eg. byte {95} is replaced by byte in row 9
column 5
▪ which has value {2A}
▪ designed to be resistant to all known attacks
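An added example, not from the slides, serving both the key expansion slides (function g: RotWord, SubWord, XOR with Rcon) and the Byte Substitution slide: the S-box is computed from its definition (inverse in GF(2^8) followed by the affine map) instead of being typed in, then used for AES-128 key expansion. The sample key 2b7e1516...4f3c is the FIPS-197 Appendix A key, used only as a check value.

```python
# Added example (not from the slides): AES S-box generation and AES-128 key expansion.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)   # xtime with reduction
        b >>= 1
    return r & 0xFF


def gf_inv(a):
    """Multiplicative inverse as a^254 (every nonzero a satisfies a^255 = 1); inv(0) := 0."""
    r, p = 1, a
    for bit in range(8):
        if (254 >> bit) & 1:
            r = gf_mul(r, p)
        p = gf_mul(p, p)
    return r


def make_sbox():
    """S[x] = affine(inv(x)): inv(x) xor its rotations by 1..4 bits, xor 0x63."""
    sbox = []
    for x in range(256):
        b = gf_inv(x)
        s = b
        for k in range(1, 5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = make_sbox()


def sub_byte(x):
    """SubBytes on one byte: row = left 4 bits, column = right 4 bits of the 16x16 table."""
    return SBOX[x]


def rot_word(w):
    """RotWord: [b0, b1, b2, b3] -> [b1, b2, b3, b0] on a 32-bit word."""
    return ((w << 8) & 0xFFFFFFFF) | (w >> 24)


def sub_word(w):
    """SubWord: S-box applied to each of the four bytes."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def rcon(j):
    """Rcon[j] = (RC[j], 0, 0, 0) with RC[1] = 1 and RC[j] = 2 * RC[j-1] in GF(2^8)."""
    rc = 1
    for _ in range(j - 1):
        rc = gf_mul(rc, 2)
    return rc << 24


def key_expansion_128(key):
    """Expand a 16-byte key into the 44 words w[0..43] of the AES-128 round keys."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]  # copy key into w[0..3]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:                                   # one word in four goes through g()
            temp = sub_word(rot_word(temp)) ^ rcon(i // 4)
        w.append(w[i - 4] ^ temp)                        # otherwise just w[i-1] xor w[i-4]
    return w
```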
Shift Rows
▪ a circular byte shift in each row:
1st row is unchanged
2nd row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
▪ decrypt inverts using shifts to right
▪ since state is processed by columns, this step
permutes bytes between the columns
Mix Columns
▪ each column is processed separately
▪ each byte is replaced by a value dependent on all 4
bytes in the column
▪ effectively a matrix multiplication
▪ decryption requires use of inverse matrix
with larger coefficients, hence a little harder
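ShiftRows and MixColumns as code, an added example that is not from the slides: the state is held column-major (state[c][r] is column c, row r), each row is rotated left by its index, and each column is multiplied by the fixed GF(2^8) matrix, with the inverse matrix of larger coefficients for decryption. The column db 13 53 45 → 8e 4d a1 bc is the FIPS-197 MixColumns check value.

```python
# Added example (not from the slides): AES ShiftRows and MixColumns with their inverses.

def xtime(a):
    """Multiply by x (i.e. by 2) in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def gf_mul(a, b):
    """General GF(2^8) product by repeated xtime (b is a small matrix coefficient here)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def shift_rows(state):
    """Row r moves left by r bytes: new state[c][r] = old state[(c + r) mod 4][r]."""
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]


def inv_shift_rows(state):
    """Decryption shifts each row right by r bytes."""
    return [[state[(c - r) % 4][r] for r in range(4)] for c in range(4)]


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col, matrix=MIX):
    """Every output byte depends on all four input bytes of the column."""
    return [gf_mul(col[0], matrix[r][0]) ^ gf_mul(col[1], matrix[r][1]) ^
            gf_mul(col[2], matrix[r][2]) ^ gf_mul(col[3], matrix[r][3])
            for r in range(4)]


def mix_columns(state, matrix=MIX):
    """Each column is processed separately."""
    return [mix_column(col, matrix) for col in state]


def inv_mix_columns(state):
    return mix_columns(state, INV_MIX)
```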
Add Round Key
▪ XOR 128 bits of state with 128-bits of the round key
▪ Column wise operation
▪ inverse for decryption identical
▪ designed to be as simple as possible
Characteristics of AES
▪ Not a feistel structure i.e. parallel processing of
entire data block during each round
▪ Key expansion
▪ Only add round key uses key so other stages are
reversible without key
▪ Each stage is easily reversible
AES Decryption
▪ AES decryption is not identical to encryption since
steps done in reverse
▪ but can define an equivalent inverse cipher with
steps as for encryption
▪ using inverses of each step with a different key
schedule
▪ works since result is unchanged when
▪ swap byte substitution & shift rows
▪ swap mix columns & add (tweaked) round key
Block Cipher Modes of Operation
Mode of Operation : technique for enhancing the effect
of cryptographic algorithm or adapting algorithm for
an application.
▪ Block cipher is basic building block
▪ Five modes of operation are defined
▪ Each is suitable for certain applications
Electronic Codebook Mode
▪ Break message into b-bit blocks (e.g. 64)
▪ Encrypt each block independently
▪ Suitable for short amount of data (e.g. key)
▪ Identical P blocks produce same C blocks
▪ Regularities appear in long, structured messages
▪ Cryptanalysis is possible
Cipher Block Chaining(CBC) Mode
▪ XOR current P block and previous C block
▪ Identical P blocks produce different C blocks
▪ Suitable for long messages
▪ Initial Vector (IV) is XORed with first block
▪ IV must be known to both sides
Encryption
C1 = E(K, IV ⊕ P1)   Ci = E(K, Ci-1 ⊕ Pi)
Decryption
P1 = IV ⊕ D(K, C1) Pi = Ci-1 ⊕ D(K, Ci)
Cipher Feedback Mode (CFB)
▪ Use block cipher as stream cipher
▪ Encrypt one byte at a time
▪ No need to pad message to 64 bits
▪ Chaining is used as in CBC
▪ Unit of transmission is s bits (usually 8)
Cipher Feedback Mode ( CFB)
CFB Encryption
▪ Input to E is b-bit shift register, initially IV
▪ From the output of E, select most significant s bits: Ss[E]
▪ XOR with P1 to produce C1
▪ C1 is also placed in least significant s bits of shift register
(left shift)
▪ Repeat the process until all units encrypted
CFB Decryption
▪ Initially IV as input
▪ From output of E, select most significant s bits
▪ XOR with C1 produces P1
▪ C1 is also placed in least significant s bits of shift register
C1 = P1 ⊕ Ss[E(K, IV)] P1 = C1 ⊕ Ss[E(K, IV)]
Output Feedback Mode
▪ Similar to CFB with one difference
▪ Output of E instead of Ci is placed in shift Register
▪ Advantage : bit errors in transmission don’t propagate
Output Feedback Mode
OFB Encryption
▪ Input to E is b-bit shift register, initially IV
▪ From the output of E, select most significant s bits: Ss[E]
▪ XOR with P1 to produce C1
▪ Output of E is also placed in least significant s bits of shift
register (left shift)
▪ Repeat the process until all units encrypted
OFB Decryption
▪ Initially IV as input
▪ From output of E, select most significant s bits
▪ XOR with C1 produces P1
▪ Output of E is also placed in least significant s bits of shift
register
C1 = P1 ⊕ Ss[E(K, IV)] P1 = C1 ⊕ Ss[E(K, IV)]
Counter Mode
▪ Counter with b-bits (block size of E) is used
▪ Counter value must be different for each P
▪ Counter value is initialized to certain value
▪ Counter is incremented for each subsequent P
▪ No chaining is used
Encryption: Ci = Pi ⊕ E(K, Counter)
Decryption: Pi = Ci ⊕ E(K, Counter)
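An added example, not from the slides, serving both the Feistel structure and decryption slides and the modes slides: a toy 16-bit Feistel block cipher (my own round function and key schedule, chosen only for illustration) shows that decryption is the same network run with the sub keys in reverse order, and ECB, CBC and CTR are then built on it, so the repeated-block leak of ECB and the chaining of CBC can be seen on a constructed message.

```python
# Added example (not from the slides): toy Feistel cipher plus ECB, CBC and CTR modes.
# The 16-bit block, the round function and the key schedule are toy choices; they
# exist only to make the structure visible, not to be secure.

ROUNDS = 8


def round_function(right, subkey):
    """F(R, K): XOR the sub key in, then a cheap nonlinear byte mixing step."""
    v = (right ^ subkey) & 0xFF
    v = (v * 167 + 113) & 0xFF                 # affine mod 256 is nonlinear w.r.t. XOR
    return ((v << 3) | (v >> 5)) & 0xFF         # rotate left by 3 bits


def subkeys(key16):
    """One 8-bit sub key per round, derived from a 16-bit key (toy schedule)."""
    return [((key16 >> (8 * (i % 2))) + 0x1D * i) & 0xFF for i in range(ROUNDS)]


def feistel(block16, keys):
    """Run the rounds in the given sub key order; the final swap makes the network its own inverse."""
    left, right = block16 >> 8, block16 & 0xFF
    for k in keys:
        left, right = right, left ^ round_function(right, k)   # L_i = R_{i-1}, R_i = L_{i-1} xor F
    return (right << 8) | left


def encrypt_block(block16, key16):
    return feistel(block16, subkeys(key16))


def decrypt_block(block16, key16):
    return feistel(block16, list(reversed(subkeys(key16))))    # same steps, SK_r ... SK_1


BLOCK = 2   # bytes per block


def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need whole blocks; pad the message first")
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key16, data):
    """Each block independently: identical P blocks give identical C blocks."""
    return b"".join(encrypt_block(p, key16).to_bytes(BLOCK, "big") for p in blocks(data))


def cbc_encrypt(key16, iv, data):
    """C_i = E(K, C_{i-1} xor P_i) with C_0 = IV."""
    out, prev = [], iv
    for p in blocks(data):
        prev = encrypt_block(prev ^ p, key16)
        out.append(prev.to_bytes(BLOCK, "big"))
    return b"".join(out)


def cbc_decrypt(key16, iv, data):
    """P_i = C_{i-1} xor D(K, C_i)."""
    out, prev = [], iv
    for c in blocks(data):
        out.append((prev ^ decrypt_block(c, key16)).to_bytes(BLOCK, "big"))
        prev = c
    return b"".join(out)


def ctr_crypt(key16, nonce, data):
    """C_i = P_i xor E(K, counter_i): no chaining, same call decrypts, no padding needed."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (nonce + i // BLOCK) & 0xFFFF
        keystream = encrypt_block(counter, key16).to_bytes(BLOCK, "big")
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))  # short last block is fine
    return bytes(out)
```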
Public-Key Cryptography
▪ uses two keys – a public & a private key
▪ uses clever application of number theoretic concepts
to function
▪ complements rather than replaces private key crypto
Why Public-Key Cryptography?
Addresses two key issues:
▪ key distribution – how to have secure
communications in general without having to trust a
KDC with your key
▪ digital signatures – how to verify a message comes
intact from the claimed sender
public-key/two-key/asymmetric cryptography
Uses two keys:
▪ public-key : which may be known by anybody, and
can be used to encrypt messages, and verify
signatures
▪ private-key : known only to the recipient, used to
decrypt messages, and sign (create) signatures
▪ is asymmetric because those who encrypt messages
or verify signatures cannot decrypt messages or
create signatures
Public-Key Characteristics
Public-Key algorithms rely on two keys where:
▪ it is computationally infeasible to find decryption
key knowing only algorithm & encryption key
▪ it is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known
▪ either of the two related keys can be used for
encryption, with the other used for decryption (for
some algorithms)
Public-Key Cryptosystems : Authentication & Secrecy
Public-Key Cryptosystem
Categories of uses:
▪ encryption/decryption (provide secrecy)
▪ digital signatures (provide authentication)
▪ key exchange (of session keys)
▪ some algorithms are suitable for all uses, others are specific
to one
Security of Public Key Schemes :
▪ like private key schemes brute force exhaustive search attack
is always theoretically possible
▪ but keys used are too large
▪ requires the use of very large numbers, hence is slow
compared to private key schemes
▪ uses large integers so provides security due to cost of
factoring large numbers
RSA Key Setup
Generation of a public/private key pair:
▪ select two large primes at random p, q ( p ≠ q)
▪ compute
n = p × q
ø(n) = (p-1)(q-1)
▪ select at random the encryption key e such that
1 < e < ø(n), gcd(e, ø(n)) = 1
▪ solve the following equation to find the decryption key d
d × e mod ø(n) = 1 and 0 ≤ d ≤ n
▪ publish the public encryption key: PU={e, n}
▪ keep secret private decryption key: PR={d, n}
RSA Encryption/Decryption
Encryption of a message M at the sender:
▪ obtain public key of recipient PU={e, n}
▪ Compute
C = M^e mod n, where 0 ≤ M < n
Decryption of a message C at the receiver:
▪ Use receiver’s private key PR={d, n}
▪ Compute
M = C^d mod n
RSA Example - Key Setup
▪ Select primes: p=17 & q=11
▪ Compute n = p × q = 17 × 11 = 187
▪ Compute ø(n) = (p–1)(q-1) = 16 × 10 = 160
▪ Select e: gcd(e,160)=1; choose e=7
▪ Determine d: d × e mod 160 = 1 and d < 160. The value is
d=23 since 23 × 7 = 161 = 1 × 160 + 1
▪ Publish public key PU={7,187}
▪ Keep secret private key PR={23,187}
RSA Example - En/Decryption
RSA encryption/decryption is:
▪ given message M = 88
▪ encryption:
C = 88^7 mod 187 = 11
▪ decryption:
M = 11^23 mod 187 = 88
RSA Security
Possible approaches to attack RSA :
▪ Brute force key search : infeasible given size of
numbers
▪ Mathematical attacks : based on difficulty of computing
ø(n), by factoring modulus n
▪ Timing attacks : running time of decryption
▪ Chosen cipher text attacks : exploiting properties of
RSA
Factoring Problem
Mathematical approach takes 3 forms:
▪ factor n = p × q, hence compute ø(n) and then d
▪ determine ø(n) directly and compute d
▪ find d directly
Timing Attacks
▪ developed by Paul Kocher in mid-1990s
▪ exploit timing variations in operations
E.g. multiplying by small vs large number
▪ infer operand size based on time taken
▪ against RSA, exploits the time taken in exponentiation
▪ countermeasures
▪ use constant exponentiation time
▪ add random delays
Chosen Cipher text Attacks
▪ RSA is vulnerable to a Chosen Cipher text attack
▪ attackers choose cipher texts & get decrypted
plaintext back
▪ choose cipher text to exploit properties of RSA to
provide info to help cryptanalysis
▪ can counter with random pad of plaintext or use
Optimal Asymmetric Encryption Padding (OAEP)
Primitive Roots
▪ from Euler’s theorem have a^ø(n) mod n = 1
▪ consider a^m = 1 (mod n), GCD(a,n)=1
▪ must exist for m = ø(n) but may be smaller
▪ once powers reach m, cycle will repeat
▪ if smallest is m = ø(n) then a is called a primitive root
▪ if p is prime, then successive powers of a "generate" the
group mod p
▪ these are useful but relatively hard to find
Key Management
▪ public-key encryption helps address key distribution
problems
▪ have two aspects of this:
▪ distribution of public keys
▪ use of public-key encryption to distribute secret keys
Public Announcement
▪ users distribute public keys to recipients or
broadcast to community at large
e.g. append PGP keys to email messages or post to
news groups or email list
▪ major weakness is forgery
▪ anyone can create a key claiming to be someone else
and broadcast it
▪ until forgery is discovered can masquerade as
claimed user
Publicly Available Directory
▪ can obtain greater security by registering keys with a
public directory
▪ directory must be trusted with properties:
▪ contains {name, public-key} entries
▪ participants register securely with directory authority
▪ participants can replace key at any time.
▪ directory is periodically published.
▪ directory can be accessed electronically.
▪ still vulnerable to tampering or forgery
Public-Key Authority
▪ improve security by tightening control over
distribution of keys from directory
▪ has properties of directory and requires users to
know public key for the directory
▪ then users interact with directory to obtain any
desired public key securely
▪ does require real-time access to directory when keys
are needed
Public-Key Certificates
Diffie-Hellman Key Exchange
▪ first public-key type scheme proposed
▪ by Diffie & Hellman in 1976 along with the
exposition of public key concepts
▪ practical method for public exchange of a secret key
▪ used in a number of commercial products
Diffie-Hellman Key Exchange
▪ a public-key distribution scheme
▪ cannot be used to exchange an arbitrary message
▪ rather it can establish a common key
▪ known only to the two participants
▪ value of key depends on the participants (and their
private and public key information)
▪ security relies on the difficulty of computing
discrete logarithms (similar to factoring) – hard
Diffie-Hellman Setup
▪ all users agree on global parameters:
▪ large prime integer q
▪ a - primitive root mod q
▪ User A generates his key
▪ chooses a secret key (number): Xa < q
▪ compute their public key: Ya = a^Xa mod q
▪ A sends value of Ya to B
▪ User B generates his key
▪ chooses a secret key (number): Xb < q
▪ compute their public key: Yb = a^Xb mod q
▪ B sends value of Yb to A
Diffie-Hellman Key Exchange
▪ A computes secret key as
Ka = Yb^Xa mod q
▪ B computes secret key as
Kb = Ya^Xb mod q
▪ Ka = Kb which is shared between A and B.
Diffie-Hellman Example
▪ users A & B who wish to swap keys:
▪ agree on prime q=353 and a=3
▪ select random secret keys:
▪ A chooses Xa=97, B chooses Xb=233
▪ compute respective public keys:
Ya = 3^97 mod 353 = 40 (A)
Yb = 3^233 mod 353 = 248 (B)
▪ compute shared session key as:
Ka = Yb^Xa mod 353 = 248^97 mod 353 = 160 (A)
Kb = Ya^Xb mod 353 = 40^233 mod 353 = 160 (B)
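An added example, not from the slides, serving the Primitive Roots slide and the Diffie-Hellman setup and example above: it checks that a is a primitive root mod q (its order is exactly ø(q) = q-1, tested through the prime factors of q-1), computes the order directly for small cases, and then runs both sides of the exchange with the slides' numbers q=353, a=3, Xa=97, Xb=233. The small factoring helper is my own.

```python
# Added example (not from the slides): primitive-root test and the Diffie-Hellman exchange.

def prime_factors(n):
    """Distinct prime factors of n by trial division (enough for the sizes used here)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(a, q):
    """For prime q: a is a primitive root iff a^((q-1)/p) != 1 (mod q) for every prime p | q-1,
    i.e. the smallest m with a^m = 1 is m = phi(q) = q-1 and the powers of a generate the group."""
    if a % q == 0:
        return False
    return all(pow(a, (q - 1) // p, q) != 1 for p in prime_factors(q - 1))


def multiplicative_order(a, q):
    """Smallest m >= 1 with a^m = 1 (mod q), by brute force; equals q-1 for a primitive root."""
    x, m = a % q, 1
    while x != 1:
        x, m = (x * a) % q, m + 1
    return m


def dh_public(a, q, x):
    """Y = a^X mod q."""
    return pow(a, x, q)


def dh_exchange(a, q, xa, xb):
    """Run both sides: returns (Ya, Yb, K) after checking that A's and B's keys agree."""
    if not is_primitive_root(a, q):
        raise ValueError("a must be a primitive root mod q")
    ya, yb = dh_public(a, q, xa), dh_public(a, q, xb)   # exchanged in the clear
    ka = pow(yb, xa, q)                                 # A: Ka = Yb^Xa mod q
    kb = pow(ya, xb, q)                                 # B: Kb = Ya^Xb mod q
    if ka != kb:
        raise AssertionError("shared keys differ")
    return ya, yb, ka
```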
Diffie-Hellman Key Exchange - Attacks
Man in the middle attack (Bucket Brigade Attack):
▪ A & B agree on q and a; intruder C listens to this
A: q=11, a=7        C: q=11, a=7        B: q=11, a=7
▪ A & B select random numbers Xa & Xb; C selects his own Xa & Xb
A: Xa=3             C: Xa=8, Xb=6       B: Xb=7
▪ All 3 calculate values of Ya & Yb
A: Ya=2             C: Ya=9, Yb=4       B: Yb=8
▪ A sends Ya to B but C intercepts it and sends his Ya
to B. Also B sends his Yb to A but C intercepts it
and sends his Yb to A.
A: Ya=2, Yb=4       C: Ya=2, Yb=8       B: Ya=9, Yb=8
▪ A, B & C calculate their key values
A: Ka=9             C: Ka=9, Kb=5       B: Kb=5
RC5
▪ RC5 ( Rivest Cipher or Ron's Code)
▪ block cipher notable for its simplicity
▪ Symmetric block cipher
▪ Like Feistel Network Structure
▪ Fast
▪ uses Word-Oriented operations
▪ It uses only computational primitive operations.
▪ Adaptable to processors of different word lengths
▪ Therefore the number w of bits in a word is a parameter of
RC5; different choices of this parameter result in different
algorithms.
▪ Low memory requirements
▪ So it is easily implemented on devices with restricted
RC5
▪ RC5 ( Rivest Cipher or Ron's Code)
▪ Variable number of rounds
▪ The user can explicitly manipulate the trade-off between
higher speed and higher security. So the number of rounds r
is a second parameter of RC5
▪ Variable length cryptographic key
▪ The user can choose the level of security appropriate for his
application; the key length b in bytes is thus a third
parameter of RC5.
▪ Simple
▪ It is simple to implement. This simplicity makes it more
interesting to analyze and evaluate, so that the cryptographic
strength can be more rapidly determined
RC5
▪ RC5 algorithm example: RC5-32/16/7
▪ similar to DES
▪ Two 32-bit word inputs and outputs
▪ 16 rounds
▪ 7-byte(56-bit) secret key
▪ Choices for w and r
▪ speed vs. security
▪ Choosing larger number of rounds
▪ provides an increased level of security
RC5
▪ RC5 default parameters
▪ The default is 32/12/ 7 for 32 bit words
▪ The default is 64/16/7 for 64 bit words
▪ So if any parameter is dropped use the corresponding default
parameter
▪ Examples
▪ RC5-32 Means 32/12/7
▪ RC5-32, 9 Means 32/9/ 7
▪ RC5-64 Means 64/16/7
RC5
▪ Components of RC5
▪ Key expansion algorithm
▪ Encryption algorithm
▪ Decryption algorithm
RC5
▪ Encryption
▪ Input block is given in two w-bit registers A and B.
▪ Output is also placed in A and B registers.
▪ A = A + S[0]
▪ B = B + S[1]
▪ for i = 1 to r do
▪ A = ((A ⊕ B) <<< B) + S[2*i];
▪ B = ((B ⊕ A) <<< A) + S[2*i + 1];
RC5
▪ Encryption
▪ A <<< B
▪ Bits in A are rotated to left
by the amount specified by
lower log2(w) bits in B
RC5
▪ Decryption
▪ for i = r downto 1 do
▪ B = ((B - S[2*i +1]) >>> A) ⊕ A;
▪ A = ((A - S[2*i]) >>> B) ⊕ B;
▪ B = B - S[1];
▪ A = A - S[0];
RC5
▪ Decryption
• A >>> B
• Bits in A are rotated to right
by the amount specified by lower
log2(w) bits in B
RC5
▪ Key Expansion
▪ RC5 performs some operations on the secret key to
generate a total of t sub keys, which are stored in S
array, S[0],S[1], …, S[t-1]
▪ The key expansion algorithm consists of two
constants (Magic numbers) and three simple
algorithm parts
▪ Step-1: Convert secret key bytes to words
▪ Step-2: Initialize sub key array S (S[0], S[1], …, S[t-1])
▪ Step-3: Mix the secret key into sub key array S
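RC5-32/r/b as runnable code, an added example that is not from the slides: the three key expansion steps above (key bytes to words, fill S from the two magic constants, mix the key into S), then the encryption and decryption loops from the earlier slides with the data-dependent rotations taken modulo w. P32 = 0xB7E15163 and Q32 = 0x9E3779B9 are the published RC5 constants for 32-bit words; the key and plaintext in the test are constructed.

```python
# Added example (not from the slides): RC5 with w = 32 (key expansion, encryption, decryption).

W = 32                                   # word size in bits (the w parameter)
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9        # the two "magic numbers" for w = 32


def rotl(x, n):
    """Rotate left; only the low log2(w) bits of the amount matter, hence n mod w."""
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK


def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK


def expand_key(key, rounds):
    """Produce the t = 2(r+1) sub keys S[0..t-1] from a b-byte secret key."""
    u = W // 8                                         # bytes per word
    c = max(1, (len(key) + u - 1) // u)                # number of key words
    L = [0] * c
    for i in reversed(range(len(key))):                # Step 1: key bytes -> words (little-endian)
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [P32] + [0] * (t - 1)
    for i in range(1, t):                              # Step 2: S[i] = P + i*Q mod 2^w
        S[i] = (S[i - 1] + Q32) & MASK
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):                     # Step 3: mix the key words into S
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def encrypt(A, B, S, rounds):
    """Input and output are the two w-bit registers A and B."""
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A, B


def decrypt(A, B, S, rounds):
    """Undo the rounds in reverse order: subtract the sub key, rotate right, XOR."""
    for i in range(rounds, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A, B


def rc5_roundtrip(key, rounds, A, B):
    """Encrypt then decrypt one block with RC5-32/rounds/len(key)."""
    S = expand_key(key, rounds)
    return decrypt(*encrypt(A, B, S, rounds), S, rounds)
```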
