
Unit-02

EC723PE: Network Security and Cryptography

Dr. Mohammad Fayazur Rahaman


Associate Professor, mfrahaman_ece@mgit.ac.in

Dept. of Electronics and Communications Engineering,


Mahatma Gandhi Institute of Technology, Gandipet, Hyderabad-75

AY2023 - 2024, B.Tech. ECE IV-Year I-Semester (R18)


(Last updated: September 22, 2023)

Unit-02: Outline

1. Encryption Algorithms
   1.1 Background
   1.2 Triple-DES
       1.2.1 Double-DES
       1.2.2 Triple-DES with Two-Keys
       1.2.3 Triple-DES with Three-Keys
   1.3 International Data Encryption Algorithm (IDEA)
       1.3.1 IDEA Encryption
       1.3.2 IDEA Decryption
   1.4 Blowfish
       1.4.1 Encryption
       1.4.2 Decryption
   1.5 RC5
       1.5.1 Encryption in RC5
       1.5.2 Decryption in RC5
   1.6 Characteristics of Advanced Symmetric Block Ciphers
2. Confidentiality Using Conventional Encryption
   2.1 Placement of Encryption Function
       2.1.1 Link vs. End-to-End Encryption
       2.1.2 Logical Placement of End-to-End Encryption Function
   2.2 Traffic Confidentiality
   2.3 Key Distribution
       2.3.1 A Key Distribution Scenario
       2.3.2 Transparent Key Control Scheme
   2.4 Random Number Generation
       2.4.1 The Use of Random Numbers
       2.4.2 Sources of Random Numbers
1.1 Background
This section examines some of the most significant symmetric block ciphers currently in use. The selection was guided by three criteria:
i. The ciphers must demonstrate substantial cryptographic strength.
ii. They are widely used in Internet-based applications.
iii. They showcase modern symmetric block cipher techniques that have evolved since the introduction of the Data Encryption Standard (DES).
The following algorithms are investigated in this section:
• Triple-DES: applies the DES algorithm three times in succession to enlarge the effective key space.
• IDEA: the International Data Encryption Algorithm encrypts 64-bit blocks under a 128-bit key, mixing three different algebraic operations.
• Blowfish: a fast, compact block cipher with key-dependent S-boxes and a variable-length key.
• RC5: a parameterised block cipher (word size, number of rounds and key length are all parameters) designed for efficient software implementation.
The section concludes with a summary of the essential characteristics of advanced symmetric block ciphers.
1.2 Triple-DES
Due to its susceptibility to brute-force attacks, the DES has been largely superseded
by more robust encryption methodologies. Two primary strategies have emerged in
response to this challenge:
I. Designing New Algorithms: A proactive approach involves the creation of
entirely novel algorithms engineered to withstand both cryptanalytic and
brute-force attacks.
II. Enhancing Existing Infrastructure: An alternative route seeks to retain
existing investments in software and equipment by implementing multiple
encryption with DES alongside multiple keys.
We will commence by investigating the simpler instance of the second approach,
followed by an exploration of the widely adopted Triple Data Encryption Standard
algorithm.

1.2.1 Double-DES
i. The simplest form of multiple encryption has two encryption stages and two keys (Figure 7.1a).
ii. Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as

   C = E(K2, E(K1, P))

iii. For decryption, the keys are applied in the reverse order:

   P = D(K1, D(K2, C))

iv. Although this approach might appear to offer a substantial increase in security (with a key length of 56 × 2 = 112 bits), certain considerations and potential vulnerabilities necessitate a more in-depth analysis.
v. Reduction to a Single Stage: Can a double encryption process be reduced to a single encryption stage?
• Consider the hypothetical situation where, for any pair of 56-bit keys K1 and K2, it is possible to find a key K3 such that, for all plaintexts P,

   E(K2, E(K1, P)) = E(K3, P)

• If this were the case (that is, if the set of DES permutations were closed under composition), then double encryption, and indeed any number of stages of multiple encryption with DES, would be useless, because the result would be equivalent to a single encryption with a single 56-bit key.
vi. A closer examination casts doubt on this possibility.
• Encryption with DES is essentially a mapping of 64-bit blocks to 64-bit blocks.
• Under a specific key, each of the 2^64 possible input blocks is mapped to a unique 64-bit output block; the mapping is a permutation.
• There are (2^64)! (i.e., more than 10^(10^20)) possible permutations of the 2^64 inputs.
vii. In contrast, DES defines one mapping for each distinct key, for a total of only 2^56 (i.e., fewer than 10^17) mappings.
• Hence, it is reasonable to infer that double-DES with two different keys produces a mapping that is not realised by any single DES key. (This heuristic argument was later confirmed rigorously: Campbell and Wiener proved in 1992 that DES is not a group.)
ix. Meet-in-the-Middle Attack:
• The meet-in-the-middle attack, first described by Diffie and Hellman, applies to double encryption with any block cipher, not just DES.
• It exploits the fact that the intermediate value X satisfies

   X = E(K1, P) = D(K2, C)

x. Given a known pair of plaintext P and ciphertext C, the attack proceeds as follows:
• Encrypt P under all 2^56 possible values of K1. Store the results in a table indexed (or sorted) by the value of X.
• Decrypt C under all 2^56 possible values of K2. Look up each result in the table.
• If a match is found, test the candidate pair (K1, K2) against a second known plaintext-ciphertext pair.
xi. The meet-in-the-middle attack shows that a known-plaintext attack breaks double-DES despite its 112-bit key:
• For any plaintext P, there are 2^64 possible ciphertext values.
• Double-DES has a 112-bit key, so there are 2^112 possible keys.
• Therefore, on average, the number of 112-bit keys that map a given plaintext P to a given ciphertext C is 2^112 / 2^64 = 2^48.
• Thus the attack produces about 2^48 false alarms from the first (P, C) pair.
• Checking each candidate against a second known (P, C) pair reduces the false-alarm rate to 2^48 / 2^64 = 2^-16.
• Running the attack with two known (P, C) pairs therefore determines the correct keys with probability 1 − 2^-16.
• As a result, a known-plaintext attack breaks double-DES with an effort on the order of 2^56 encryptions (plus 2^56 table entries of memory), not significantly more than the 2^55 expected for single DES.
1.2.2 Triple-DES with Two-Keys
i. To counter the meet-in-the-middle attack, we can use three stages of encryption with three different keys, known as Triple-DES:
• This raises the cost of the known-plaintext (meet-in-the-middle) attack to 2^112, which is impractical.
• However, it has the drawback of requiring a key length of 56 × 3 = 168 bits.
ii. As an alternative, a triple encryption method that uses only two keys was proposed (by Tuchman).
• The function follows an encrypt-decrypt-encrypt (EDE) sequence:

   C = E(K1, D(K2, E(K1, P)))

• Decryption simply reverses the sequence: P = D(K1, E(K2, D(K1, C))).
• There is no cryptographic significance to using decryption in the second stage. Its only advantage is interoperability: a Triple-DES implementation can decrypt data encrypted by users of the older single DES by setting K2 = K1, since

   C = E(K1, D(K1, E(K1, P))) = E(K1, P)
1.2.3 Triple-DES with Three-Keys
i. Although the known attacks on two-key Triple-DES are impractical, anyone using it may feel some concern.
ii. Thus, many researchers now feel that three-key Triple-DES is the preferred alternative.
iii. Three-key Triple-DES has a key length of 168 bits (the best known meet-in-the-middle attack still costs about 2^112) and is defined as follows:

   C = E(K3, D(K2, E(K1, P)))

iv. Backward compatibility with DES is provided by setting K3 = K2 or K1 = K2, which collapses the construction to a single DES encryption.
v. A number of Internet-based applications have adopted three-key Triple-DES, including PGP and S/MIME.
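The meet-in-the-middle attack on double encryption and the E-D-E triple construction, as an added worked example that is not part of the lecture notes. It uses a deliberately tiny Feistel cipher (16-bit key, 32-bit block, with a hypothetical key schedule and round function chosen only so that the whole key space can be searched in about a second); it is not DES, and the keys and plaintexts are constructed sample values. With two known pairs the search costs about 2 × 2^16 cipher calls instead of 2^32, and E-D-E with K2 = K1 collapses to a single encryption exactly as the text states.

```python
"""Meet-in-the-middle against double encryption, plus E-D-E triple encryption.

Added illustration: the cipher is a hypothetical 4-round Feistel toy with a
16-bit key and 32-bit block, NOT DES. The small key makes the 2*2^16 search
finish in about a second; the structure of the attack is the same for DES.
"""

KEY_BITS = 16
KEY_SPACE = 1 << KEY_BITS
MASK16 = 0xFFFF
ROUNDS = 4


def _round_key(key: int, i: int) -> int:
    """Toy key schedule (hypothetical): one 16-bit subkey per round."""
    return (key * 0x9E37 + i * 0x1F3D + 0x5A5A) & MASK16


def _f(half: int, subkey: int) -> int:
    """Toy round function (hypothetical): key mix, odd multiplier, rotate by 5."""
    x = ((half ^ subkey) * 0x4D2B + 0x1B) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16


def toy_encrypt(key: int, block: int) -> int:
    """E(K, P): encrypt one 32-bit block under a 16-bit key."""
    left, right = block >> 16, block & MASK16
    for i in range(ROUNDS):
        left, right = right, left ^ _f(right, _round_key(key, i))
    return (left << 16) | right


def toy_decrypt(key: int, block: int) -> int:
    """D(K, C): the same rounds with the subkeys in reverse order."""
    left, right = block >> 16, block & MASK16
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, _round_key(key, i)), left
    return (left << 16) | right


def double_encrypt(k1: int, k2: int, p: int) -> int:
    """C = E(K2, E(K1, P))."""
    return toy_encrypt(k2, toy_encrypt(k1, p))


def meet_in_the_middle(pairs):
    """Recover every (K1, K2) consistent with known (P, C) pairs of double encryption.

    Cost: about 2 * KEY_SPACE cipher calls and KEY_SPACE table entries,
    instead of KEY_SPACE ** 2 for brute force over both keys together.
    """
    (p1, c1), rest = pairs[0], pairs[1:]
    # Forward half: X = E(K1, P1) for every K1. Different K1 may collide on X,
    # so each table entry keeps a list of keys.
    table = {}
    for k1 in range(KEY_SPACE):
        table.setdefault(toy_encrypt(k1, p1), []).append(k1)
    # Backward half: X = D(K2, C1) for every K2; a table hit is a "meet".
    candidates = []
    for k2 in range(KEY_SPACE):
        for k1 in table.get(toy_decrypt(k2, c1), ()):
            # Every meet is a candidate; the remaining known pairs weed out the
            # false alarms (about 2^(2k-n) of them for k-bit keys, n-bit blocks).
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates


def ede_encrypt(k1: int, k2: int, k3: int, p: int) -> int:
    """Three-key triple encryption C = E(K3, D(K2, E(K1, P)))."""
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, p)))


def ede_decrypt(k1: int, k2: int, k3: int, c: int) -> int:
    """P = D(K1, E(K2, D(K3, C)))."""
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, c)))


def ede2_encrypt(k1: int, k2: int, p: int) -> int:
    """Two-key variant C = E(K1, D(K2, E(K1, P))); K2 == K1 gives single encryption."""
    return ede_encrypt(k1, k2, k1, p)


if __name__ == "__main__":
    K1, K2 = 0x3A7F, 0xC150                      # constructed secret keys
    plaintexts = [0xDEADBEEF, 0x01234567]        # constructed known plaintexts
    pairs = [(p, double_encrypt(K1, K2, p)) for p in plaintexts]
    found = meet_in_the_middle(pairs)
    print("meet-in-the-middle candidates:", [(hex(a), hex(b)) for a, b in found])
    assert (K1, K2) in found
    # E-D-E with all keys equal degenerates to one encryption (DES compatibility).
    assert ede2_encrypt(K1, K1, 0xDEADBEEF) == toy_encrypt(K1, 0xDEADBEEF)
    print("E-D-E with K2 = K1 equals single encryption: OK")
```

The table holds a list per intermediate value rather than a single key, because two different K1 can map P1 to the same X; dropping one of them silently would make the attack miss the real key. The same code works for any block cipher with an inverse, so substituting a real DES implementation for `toy_encrypt`/`toy_decrypt` turns it into the 2^56-work attack the text describes.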
1.3 International Data Encryption Algorithm (IDEA)

• IDEA is a block cipher that uses a 128-bit key to encrypt data in blocks of 64
bits.
• By contrast, DES also uses 64-bit blocks but a 56-bit key.

Design Principles
The design goals for IDEA can be grouped into those related to
I. Cryptographic strength and
II. Ease of implementation.

Design Principles
I. Cryptographic Strength
i. Block length: The block length should be long enough to deter statistical
analysis.
• On the other hand, the complexity of implementing an effective encryption
function appears to grow exponentially with block size.
• The use of a block size of 64 bits is generally recognized as sufficiently
strong.
ii. Key length: The key length should be long enough to prevent exhaustive key
searches.
• With a length of 128 bits, IDEA seems to be secure in this area far into the
future.

iii. Confusion: The ciphertext should depend on the plaintext and key in a
complicated and involved way.
• The objective is to complicate the determination of how the statistics of the
ciphertext depend on the statistics of the plaintext.
• IDEA achieves this goal by using three different operations, as explained
later.
• This is in contrast to DES, which relies principally on the XOR operation and
on small nonlinear S-boxes.
iv. Diffusion: Each plaintext bit should influence every ciphertext bit, and each
key bit should influence every ciphertext bit.
• The spreading out of a single input bit over many ciphertext bits hides the
statistical structure of the encryption.

In IDEA, confusion is achieved by mixing three different operations. Each operation takes two 16-bit inputs and produces a single 16-bit output. The operations are:
A. Bit-by-bit exclusive-OR, denoted ⊕. Note that
   (P ⊕ Z) ⊕ Z = P
B. Addition of integers modulo 2^16 (modulo 65536), with inputs and outputs treated as unsigned 16-bit integers. This operation is denoted ⊞. Note that
   (P ⊞ Z) ⊞ (−Z) = P
   where −Z is the additive inverse of Z mod 2^16.
C. Multiplication of integers modulo 2^16 + 1 (modulo 65537), with inputs and outputs treated as unsigned 16-bit integers, except that a block of all zeros is treated as representing 2^16. This operation is denoted ⊙. Note that
   (P ⊙ Z) ⊙ Z^−1 = P
   where Z^−1 is the multiplicative inverse of Z mod (2^16 + 1). Because 2^16 + 1 = 65537 is prime, every one of the 2^16 encodable values has such an inverse, which is why the zero block must stand for 2^16 rather than 0.
In IDEA, diffusion is provided by the basic building block of the algorithm, known as the multiplication/addition (MA) structure.
i. This structure takes as inputs two 16-bit values derived from the plaintext and two 16-bit subkeys derived from the key, and produces two 16-bit outputs.
ii. Each output bit of the first round depends on every bit of the plaintext-derived inputs and on every bit of the subkeys.
iii. This structure is repeated eight times in the algorithm, providing very effective diffusion.
iv. Furthermore, it can be shown that this structure uses the least number of operations (four) required to achieve complete diffusion.
II. Implementation Considerations
IDEA is designed to facilitate both software and hardware implementation.
Hardware implementation, typically in VLSI, is designed to achieve high speed.
Software implementation has the advantage of flexibility and low cost.
Software:
• Use subblocks: Cipher operations should operate on subblocks that are "natural"
for software, such as 8, 16, or 32 bits. IDEA uses 16-bit subblocks.
• Use simple operations: Cipher operations should be easily programmed using
addition, shifting, and so on. The three basic elements of IDEA meet this
requirement.

Hardware:
• Similarity of encryption and decryption: Encryption and decryption should
differ only in the way of using the key so that the same device can be used for
both encryption and decryption. Like DES, IDEA has a structure that satisfies
this requirement.
• Regular structure: The cipher should have a regular modular structure to
facilitate VLSI implementation. IDEA is constructed from two basic modular
building blocks repeated multiple times.

1.3.1 IDEA Encryption
i. The overall scheme for IDEA encryption is illustrated in the adjacent Figure.
ii. As with any encryption scheme, there are two inputs to the encryption function: the plaintext to be encrypted and the key.
iii. In this case, the plaintext is 64 bits in length, and the key is 128 bits in length.
iv. The IDEA algorithm consists of eight rounds followed by a final transformation function.
v. The algorithm divides the input into four 16-bit subblocks.
vi. Each of the rounds takes four 16-bit subblocks as input and produces four 16-bit output blocks.
vii. The final transformation also produces four 16-bit blocks, which are concatenated to form the 64-bit ciphertext.
viii. Each of the rounds also makes use of six 16-bit subkeys, whereas the final transformation uses four subkeys, for a total of 52 subkeys.
ix. The right-hand portion of the Figure indicates that these 52 subkeys are all generated from the original 128-bit key.
Details of a Single Round:
i. The adjacent Figure shows the first round.
ii. Subsequent rounds have the same structure but with different subkey and plaintext-derived inputs.
iii. The round begins with a transformation that combines the four input subblocks with four subkeys, using the addition and multiplication operations.
iv. The four output blocks of this transformation are then combined using the XOR operation to form two 16-bit blocks that are input to the MA structure.
v. The MA structure also takes two subkeys as input and combines all of these inputs to produce two 16-bit outputs.
vi. Finally, the four output blocks from the upper transformation are combined with the two output blocks of the MA structure using XOR to produce the four output blocks for this round.
vii. Note that the two outputs that are partially generated by the second and third inputs are interchanged to produce the second and third outputs.
Output Transformation Stage:
i. The ninth stage of the algorithm, labeled the output transformation stage, is shown in the adjacent Figure.
ii. Note that it has the same structure as the preceding rounds.
iii. The only difference is that the second and third inputs are interchanged before being applied to the operational units.
iv. In fact, this has the effect of undoing the interchange at the end of the eighth round. The reason for this extra interchange is so that decryption has the same structure as encryption, as will be seen.
v. Note also that this ninth stage requires only four subkey inputs, compared to six subkey inputs for each of the first eight stages.
Subkey Generation:
i. The first eight subkeys, labeled Z1, Z2, ..., Z8, are taken directly from the key, with Z1 being equal to the first (most significant) 16 bits, Z2 corresponding to the next 16 bits, and so on.
ii. Then a circular left shift of 25 bit positions is applied to the key, and the next eight subkeys are extracted.
iii. This procedure is repeated until all 52 subkeys are generated (six full sets of eight, plus the first four of a seventh set).
iv. The adjacent Figure indicates the bit assignments for all subkeys with respect to the original key.
1.3.2 IDEA Decryption
i. The process of decryption in IDEA is essentially the same as the encryption
process.
ii. Decryption is achieved by using the ciphertext as input to the same overall
IDEA structure, but with a different selection of subkeys.
iii. To verify that the same algorithm with the decryption subkeys produces the
correct result, consider Figure 4.8, which shows the encryption process going
down the left-hand side and the decryption process going up the
right-hand side.
• Each of the eight rounds is further broken down into the two substages of
transformation and sub-encryption.
iv. The decryption subkeys U1 , U2 , . . . , U52 are derived from the encryption
subkeys as follows:

a. The first four subkeys of decryption round i are derived from the first four subkeys of encryption round (10 − i), where the transformation stage is counted as round 9.
• The first and fourth decryption subkeys are equal to the multiplicative inverse modulo (2^16 + 1) of the corresponding first and fourth encryption subkeys.
• For rounds 2 through 8, the second and third decryption subkeys are equal to the additive inverse modulo 2^16 of the corresponding third and second encryption subkeys, respectively (the swap accounts for the interchange of the inner blocks at the end of each round).
• For rounds 1 and 9, the second and third decryption subkeys are equal to the additive inverse modulo 2^16 of the corresponding second and third encryption subkeys, respectively, in their original order.
b. For the first eight rounds, the last two subkeys of decryption round i are equal to the last two subkeys of encryption round (9 − i).
c. The Table summarizes these relationships, where Zj^−1 represents the multiplicative inverse modulo (2^16 + 1), and −Zj represents the additive inverse modulo 2^16:

   Zj ⊙ Zj^−1 = 1   and   (−Zj) ⊞ Zj = 0
v. Consider the bottom box in the encryption and decryption diagram.
   • On the encryption side, the following relationships hold for the output transformation:

   • Substituting,

   • Thus, the output of the first substage of the decryption process is equal to the input to the last stage of the encryption process.
vi. The first substage of the first round of the decryption process yields the following relationships:

   • where MA_R(X, Y) is the right-hand output of the MA structure with inputs X and Y
   • similarly, MA_L(X, Y) is the left-hand output
vii. Now consider the following relationships, which can be derived from Figure 4.5:

viii. Now

ix. Similarly, we can obtain

x. Following similar steps, we can show that the output of the entire decryption process is equal to the input to the encryption process.
1.4 Blowfish: Overview

Blowfish was designed to have the following characteristics:

• Fast: Blowfish encrypts data on 32-bit microprocessors at a rate of 18 clock cycles per byte.
• Compact: Blowfish can run in less than 5K of memory.
• Simple: Blowfish's simple structure is easy to implement and eases the task of determining the strength of the algorithm.
• Variably secure: The key length is variable and can be as long as 448 bits. This allows a tradeoff between higher speed and higher security.
• Blowfish encrypts 64-bit blocks of plaintext into 64-bit blocks of ciphertext.
Subkey and S-Box Generation

i. Blowfish makes use of a key that ranges from 32 bits to 448 bits (1 to 14 32-bit words). This key is used to generate
   • 18 32-bit subkeys, and
   • 4 S-boxes of size 8×32, containing a total of 1024 32-bit entries.
   • The total is 1042 32-bit values, or 4168 bytes.
ii. The key words are stored in a K-array:
   K1, K2, ..., Kj   1 ≤ j ≤ 14
iii. The subkeys are stored in the P-array:
   P1, P2, ..., P18
iv. There are 4 S-boxes, each with 256 32-bit entries:
   S1,0, S1,1, ..., S1,255
   S2,0, S2,1, ..., S2,255
   S3,0, S3,1, ..., S3,255
   S4,0, S4,1, ..., S4,255
Steps in generating the P-array and S-boxes are as follows:
i. Initialize first the P-array and then the four S-boxes, in order, using the bits of the fractional part of the constant π. Thus, the leftmost 32 bits of the fractional part of π become P1, and so on. For example, in hexadecimal,
   P1 = 243F6A88
   P2 = 85A308D3
   ...
   S4,254 = 578FDFE3
   S4,255 = 3AC372E6
ii. Perform a bitwise XOR of the P-array and the K-array, reusing words from the K-array as needed. For example, for the maximum length key (14 32-bit words),
   P1 = P1 ⊕ K1
   ...
   P14 = P14 ⊕ K14
   P15 = P15 ⊕ K1
   ...
   P18 = P18 ⊕ K4
iii. Encrypt the 64-bit block of all zeros using the current P- and S-arrays; replace P1 and P2 with the output of the encryption.
iv. Encrypt the output of step iii using the current P- and S-arrays and replace P3 and P4 with the resulting ciphertext.
v. Continue this process to update all elements of P and then, in order, all elements of S, using at each step the output of the continuously changing Blowfish algorithm:
   P1, P2 = E_{P,S}[0]
   P3, P4 = E_{P,S}[P1 || P2]
   ...
   P17, P18 = E_{P,S}[P15 || P16]
   S1,0, S1,1 = E_{P,S}[P17 || P18]
   ...
   S4,254, S4,255 = E_{P,S}[S4,252 || S4,253]
vi. Here E_{P,S}[Y] is the ciphertext produced by encrypting Y using Blowfish with the current arrays S and P.
vii. A total of 521 executions of the Blowfish encryption algorithm are required to produce the final S- and P-arrays (9 for the P-array and 512 for the four S-boxes).
1.4.1 Encryption
i. Blowfish uses two primitive operations:
   ◦ Addition: Addition of words, denoted by +, is performed modulo 2^32.
   ◦ Bitwise exclusive-OR: This operation is denoted by ⊕.
ii. Figure 4.9a depicts the encryption operation.
   ◦ The plaintext is divided into two 32-bit halves LE0 and RE0.
   ◦ We use the variables LEi and REi to refer to the left and right half of the data after round i has completed.
   ◦ The algorithm can be defined by the following pseudocode:

iii. The resulting ciphertext is contained in the two variables LE17 and RE17.
Detail of a Single Blowfish Round: The function F is shown in the adjacent Figure.
◦ The 32-bit input to F is divided into 4 bytes (namely a, b, c, and d).
◦ The function can be defined as

◦ Thus, each round includes the complex use of addition modulo 2^32, XOR and substitution using S-boxes.
1.4.2 Decryption

i. Decryption, shown in Figure 4.9b, is easily derived from the encryption algorithm.
ii. In this case, the 64 bits of ciphertext are initially assigned to the two one-word variables LD0 and RD0.
iii. As with most block ciphers, Blowfish decryption involves using the subkeys in reverse order.
iv. However, unlike most block ciphers, Blowfish decryption occurs in the same algorithmic direction as encryption, rather than the reverse.
v. The algorithm can be defined as follows:

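Blowfish built from the description in sections 1.4 to 1.4.2, as an added example that is not code from the lecture notes. Rather than pasting in the 4168-byte initial table, it derives the P-array and S-boxes from the hexadecimal expansion of π using Machin's formula (an implementation choice made here so the example is self-contained), which lets the words the slides quote (P1 = 243F6A88, S4,255 = 3AC372E6) be checked, then runs the 521-encryption key schedule, the 16-round Feistel network and the same-direction decryption. The zero key and zero plaintext in the demo form Schneier's published Blowfish test vector.

```python
"""Blowfish from the description in the notes (added example, not course code).

The initial P-array and S-boxes are the hex digits of pi; instead of embedding
the 4168-byte table they are computed here with Machin's formula.
"""
from functools import lru_cache

MASK32 = 0xFFFFFFFF
N_WORDS = 18 + 4 * 256          # P1..P18 plus four 8x32 S-boxes = 1042 words


@lru_cache(maxsize=None)
def pi_fraction_words(n_words: int = N_WORDS) -> tuple:
    """First n_words 32-bit words of the fractional part of pi (Machin's formula)."""
    prec = 32 * n_words + 64      # 64 guard bits absorb the series truncation error
    one = 1 << prec

    def arctan_inv(x: int) -> int:  # arctan(1/x) in fixed point, alternating series
        total = term = one // x
        x2, k, sign = x * x, 1, -1
        while term:
            term //= x2
            total += sign * (term // (2 * k + 1))
            sign, k = -sign, k + 1
        return total

    frac = 16 * arctan_inv(5) - 4 * arctan_inv(239) - 3 * one   # pi - 3, fixed point
    frac >>= 64                                                 # drop the guard bits
    return tuple((frac >> (32 * (n_words - 1 - i))) & MASK32 for i in range(n_words))


class Blowfish:
    def __init__(self, key: bytes):
        if not 4 <= len(key) <= 56:
            raise ValueError("Blowfish key must be 32..448 bits")
        digits = pi_fraction_words()
        self.p = list(digits[:18])
        self.s = [list(digits[18 + 256 * i: 18 + 256 * (i + 1)]) for i in range(4)]
        # Step ii: XOR the P-array with the key, cycling through the key bytes.
        j = 0
        for i in range(18):
            word = 0
            for _ in range(4):
                word = (word << 8) | key[j]
                j = (j + 1) % len(key)
            self.p[i] ^= word
        # Steps iii-v: 9 + 512 = 521 encryptions of the evolving all-zero block.
        left = right = 0
        for i in range(0, 18, 2):
            left, right = self._encrypt_halves(left, right)
            self.p[i], self.p[i + 1] = left, right
        for box in self.s:
            for i in range(0, 256, 2):
                left, right = self._encrypt_halves(left, right)
                box[i], box[i + 1] = left, right

    def _f(self, x: int) -> int:
        """F(a,b,c,d) = ((S1[a] + S2[b]) XOR S3[c]) + S4[d], additions mod 2^32."""
        a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
        return ((((self.s[0][a] + self.s[1][b]) & MASK32) ^ self.s[2][c]) + self.s[3][d]) & MASK32

    def _encrypt_halves(self, left: int, right: int):
        for i in range(16):
            left ^= self.p[i]
            right ^= self._f(left)
            left, right = right, left
        left, right = right, left              # undo the swap of the last round
        return left ^ self.p[17], right ^ self.p[16]

    def _decrypt_halves(self, left: int, right: int):
        # Same direction as encryption, subkeys P18..P3 applied in reverse order.
        for i in range(17, 1, -1):
            left ^= self.p[i]
            right ^= self._f(left)
            left, right = right, left
        left, right = right, left
        return left ^ self.p[0], right ^ self.p[1]

    def encrypt_block(self, block: bytes) -> bytes:
        left, right = self._encrypt_halves(int.from_bytes(block[:4], "big"),
                                           int.from_bytes(block[4:8], "big"))
        return left.to_bytes(4, "big") + right.to_bytes(4, "big")

    def decrypt_block(self, block: bytes) -> bytes:
        left, right = self._decrypt_halves(int.from_bytes(block[:4], "big"),
                                           int.from_bytes(block[4:8], "big"))
        return left.to_bytes(4, "big") + right.to_bytes(4, "big")


if __name__ == "__main__":
    words = pi_fraction_words()
    print(f"P1 = {words[0]:08X}, P2 = {words[1]:08X}, S4,255 = {words[1041]:08X}")
    bf = Blowfish(bytes(8))                      # published test vector: all-zero key
    ct = bf.encrypt_block(bytes(8))              # zero plaintext -> 4EF997456198DD78
    print("ciphertext:", ct.hex())
    assert bf.decrypt_block(ct) == bytes(8)
```

Instantiating `Blowfish` is deliberately expensive (521 block encryptions before the first byte of data is processed), which is the key-schedule cost the Discussion below credits with slowing brute-force search; an attacker testing one candidate key pays 521 + 1 = 522 encryptions. Note the 64-bit block, which limits how much data may safely be encrypted under one key regardless of the 448-bit key length.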
Discussion
i. Unlike DES, the S-boxes in Blowfish are key dependent.
ii. In the case of Blowfish, both the subkeys and the S-boxes are produced by a process of repeated applications of Blowfish itself.
iii. In Blowfish, operations are performed on both halves of the data in each round, compared to performing an operation on just half the data in each round in the classic Feistel cipher.
   • This improves the avalanche characteristics of the block cipher.
iv. With regard to brute-force attacks, Blowfish is virtually invulnerable with a suitable choice of key length, which can be as long as 448 bits.
v. Blowfish is also impressively fast to execute.
vi. A few further highlights:
   • A brute-force attack is more difficult because of the time-consuming subkey-generation process. A total of 522 executions of the encryption algorithm are required to test a single key (521 for the key schedule plus one trial encryption).
   • The function F gives Blowfish the best possible avalanche effect for a Feistel network.
   • In practice the limiting factor is the 64-bit block size rather than the key length: after roughly 2^32 blocks under one key, birthday collisions in CBC mode begin to leak plaintext (the Sweet32 attack of 2016), so Blowfish, like Triple-DES, is unsuitable for bulk traffic today.
1.5 RC5
Design Characteristics
i. Suitable for hardware or software: RC5 uses only primitive computational
operations commonly found on microprocessors.
ii. Fast: To achieve this, RC5 is a simple algorithm and is word-oriented. The
basic operations work on full words of data at a time.
iii. Adaptable to processors of different word lengths: The number of bits in a
word is a parameter of RC5; different word lengths yield different algorithms.
iv. Variable number of rounds: The number of rounds is a second parameter
of RC5. This parameter allows a tradeoff between higher speed and higher
security.
v. Variable-length key: The key length is a third parameter of RC5. Again,
this allows a tradeoff between speed and security.
vi. Simple: RC5’s simple structure is easy to implement and eases the task of
determining the strength of the algorithm.
vii. Low memory requirement: A low memory requirement makes RC5 suitable
for smart cards and other devices with restricted memory.
viii. High security: RC5 is intended to provide high security with suitable parameters.
ix. Data-dependent rotations: RC5 incorporates rotations (circular bit shifts)
whose amount is data-dependent. This appears to strengthen the algorithm
against cryptanalysis.

RC5 Parameters
RC5 is actually a family of encryption algorithms determined by three parameters, as follows:
i. Block Size: RC5 encrypts blocks of plaintext of length 32, 64, or 128 bits into blocks of ciphertext of the same length. A block is two words, so the word size w is 16, 32 or 64 bits.
ii. Number of Rounds: r ranges from 0 to 255.
iii. Key Length: The key length b ranges from 0 to 255 bytes (0 to 2040 bits).
iv. Specific Version: A specific version of RC5 is designated as RC5-w/r/b.
   • For example, RC5-32/12/16 has 32-bit words (64-bit plaintext and ciphertext blocks), 12 rounds in the encryption and decryption algorithms, and a key length of 16 bytes (128 bits).
Key Expansion
i. RC5 performs a complex set of operations on the secret key to produce a
total of t subkeys.
• Two subkeys are used in each round, and two subkeys are used in an
additional operation that is not part of any round, so t = 2r + 2.
• Each subkey is one word (w bits) in length. The key expansion technique is
illustrated in Figure 4.11.
ii. The subkeys are stored in a t-word array labeled S[0], S[1], . . . , S[t − 1].
• Using the parameters r and w as inputs, this array is initialized to a
particular fixed pseudorandom bit pattern.
iii. Then the b-byte key, K[0 . . . b − 1], is converted into a c-word array
L[0 . . . c − 1].
iv. Finally, a mixing operation is performed that applies the contents of L to the
initialized value of S to produce a final value for the array S.

v. The initialization operation makes use of two word-length constants defined as follows:

   • where

   • and Odd[x] is the odd integer nearest to x.
   • Using the allowable values of w, the constants are

vi. Using these two constants, the array S is initialized as:

   • where addition is performed modulo 2^w.
vii. Then, the initialized array S is mixed with the key array L to produce a final array S of subkeys.
   • For this purpose, three passes are made through the larger of the two arrays, and the smaller array may be handled more times.
1.5.1 Encryption in RC5
i. RC5 employs three primitive operations (and their inverses) for encryption:
a. Addition: The addition of words, denoted by "+," is performed modulo 2w .
• The inverse operation, denoted by "-," is subtraction modulo 2w .
b. Bitwise Exclusive-OR: This operation is denoted by "⊕".
c. Left Circular Rotation: The circular rotation of a word x left by y bits is
denoted by "x ≪ y."
• The inverse operation is the right circular rotation of word x by y bits,
denoted by "x ≫ y."
ii. Figure 4.12a illustrates the encryption operation in RC5.
• The plaintext is assumed to initially reside in the two w-bit registers A and B.
• We use the variables LEi and REi to refer to the left and right halves of the
data after round i has completed.

iii. The algorithm can be defined by the following pseudocode:

iv. The resulting ciphertext is contained in the two variables LEr and REr .
v. Each of the r rounds consists of a substitution using both words of data, a
permutation using both words of data, and a substitution that depends on the
key.
vi. Notice the exceptional simplicity of the operation, which can be defined in just
five lines of code.
• Also, both halves of the data are updated in each round.
• Thus, one round of RC5 is somewhat equivalent to two rounds of DES.

1.5.2 Decryption in RC5
i. Decryption in RC5, as shown in Figure 4.12b, is derived easily from the encryption
algorithm.
ii. In this case, the 2w bits of ciphertext are initially assigned to the two one-word
variables LDr and RDr .
iii. We use the variables LDi and RDi to refer to the left and right halves of the
data before round i has begun, where the rounds are numbered from r down to 1.
iv. The decryption algorithm can be defined as follows:

v. The two most striking features of RC5 are the simplicity of the algorithm and
the use of data-dependent rotations.
vi. These rotations are the only nonlinear portion of the algorithm.
Characteristics of Advanced Symmetric Block Ciphers

◦ All contemporary symmetric block ciphers are similar in many ways to DES and
the basic Feistel block cipher structure.
◦ However, as knowledge of cryptanalysis has evolved and the need for fast
software encryption has emerged, advances have been made.

Key Features found in advances, but not found in DES:
i. Variable key length: The longer the key, the longer it takes for a
brute-force key search. Blowfish and RC5 provide a variable key length.
ii. Mixed operators: The use of more than one arithmetic and/or Boolean
operator complicates cryptanalysis.
• This approach can provide nonlinearity as an alternative to S-boxes.
• All the algorithms, except DES and triple DES, use mixed operators.
iii. Data-dependent rotation: Another alternative to S-boxes is to use rotations
that depend on the data.
• With a sufficient number of rounds, this can provide excellent confusion
and diffusion.
• Furthermore, the rotations are dependent on the blocks of data moving
through the rounds, rather than on the subkeys.
• RC5 uses data-dependent rotations.

iv. Key-dependent rotation: A rotation can be used that depends on the key
rather than on the data.
v. Key-dependent S-boxes: Rather than attempt to design fixed S-boxes with
desirable cryptographic features, such as is done in DES, the content of the
S-boxes can be dependent on the key. Blowfish uses key-dependent S-boxes.
vi. Lengthy key schedule algorithm: This is a tactic employed in Blowfish. The
generation of subkeys takes much longer than a single encryption or decryption.
The result is that the effort for a brute-force attack is greatly magnified.
vii. Variable F: The use of a function F that varies from round to round may
complicate the cryptanalysis problem.
viii. Variable plaintext/ciphertext block length: A longer block length yields
greater cryptographic strength. Also, a variable block length can provide a
measure of convenience, allowing the algorithm to be tailored to the application.
RC5 adopts this strategy.

ix. Variable number of rounds: Of course, an increase in the number of rounds
increases the encryption/decryption time. Allowing for a variable number of
rounds allows the user to make a tradeoff between security and execution speed.
RC5 provides for a variable number of rounds.
x. Operation on both data halves each round: In the classic Feistel cipher,
only one half of the data is altered in each round. IDEA, Blowfish, and RC5
operate on both halves of the data each round.

Symmetric Block Cipher Algorithms - Comparison

Feature                            DES   Triple DES   IDEA   Blowfish   RC5
Mixed Operators                    No    No           Yes    Yes        Yes
Both halves altered in each round  No    No           Yes    Yes        Yes
Variable Key Length                No    No           No     Yes        Yes
Lengthy Key Schedule               No    No           No     Yes        No
Key-Dependent S-Boxes              No    No           No     Yes        No
Data-Dependent Rotation            No    No           No     No         Yes
Variable Block Length              No    No           No     No         Yes
Variable No. of Rounds             No    No           No     No         Yes

Introduction

• More topics like Authentication, Integrity, Digital signatures, and the use of
public-key encryption, are also included in the theory and practice of cryptology
• Before examining some of these recent topics, we concentrate in this section on the
use of conventional encryption to provide confidentiality.
◦ The main choice here is between what are known as link and end-to-end
encryption.
◦ Next, we look at the use of encryption to counter traffic analysis attacks.
• Then we discuss the difficult problem of key distribution.
• Finally, we discuss the principles underlying an important tool in providing a
confidentiality facility: random number generation.

2.1 Placement of Encryption Function
• If encryption is to be used to counter attacks on confidentiality, we need to
decide what to encrypt and where the encryption function should be located.
• To begin, we examine the potential locations of security attacks and then look at
the two major approaches to encryption placement: link and end-to-end.

Potential Locations for Confidentiality Attacks:


◦ Consider a user workstation in a typical business organization.
◦ Workstations are attached to local area networks (LANs).
◦ LANs can be interconnected with bridges and routers, creating points of
vulnerability.
◦ Eavesdropping is a concern, especially on broadcast LANs.
◦ Intruders can monitor LAN traffic through dial-in capabilities.
◦ Wiring closets serve as a staging point for external communications and can be
vulnerable.
◦ Attacks can target various communications links, including cable, microwave
links, and satellite channels.
◦ Cable can be attacked using invasive taps or inductive devices.
◦ Optical fiber is less vulnerable to taps.
◦ Microwave and satellite transmissions can be intercepted.
◦ Processors along the path are also subject to attack, including hardware,
software, and memory.
◦ There are numerous locations where attacks on confidentiality can occur,
ranging from communications links to processors.
◦ Security measures must be implemented to mitigate these risks.

2.1.1 Link vs. End-to-End Encryption
• The most common approach to secure points of vulnerability in communication
networks is encryption.
• The decision on what to encrypt and where to place encryption gear leads to
two fundamental alternatives: link encryption and end-to-end encryption.
Basic Approaches
I. Link Encryption:
◦ Each vulnerable communication link is equipped with encryption devices at
both ends.
◦ All traffic over these links is secured.
◦ Disadvantage: Messages must be decrypted at each packet switch, making them
vulnerable.
∗ All links in the path must use link encryption.
∗ Each pair of nodes sharing a link needs a unique key.
∗ Many keys are required.

II. End-to-End Encryption:
◦ Encryption happens at the two end systems.
◦ Source host or terminal encrypts data, which are transmitted unaltered across
the network.
◦ Destination shares a key with the source and can decrypt the data.
◦ Strengths:
∗ Secures data against attacks on network links or switches.
∗ Relieves end users of concerns about network security.
◦ Weakness: Packet headers are transmitted in the clear, exposing traffic
patterns.

III. Combined Approach
◦ To achieve greater security, both link and end-to-end encryption can be
used together.
◦ In this approach, user data in a packet are encrypted using an end-to-end
encryption key, and the entire packet is further encrypted using a link
encryption key.
◦ Each switch in the network decrypts and reads the header using the link
encryption key before encrypting the entire packet again for the next link.
◦ This ensures security, except when the packet is in the memory of a packet
switch, during which the packet header is in the clear.

2.1.2 Logical Placement of End-to-End Encryption Function
• In the context of securing communications, the choice of where to perform
encryption is crucial.
• For link encryption, encryption occurs at a lower level of the communications
hierarchy, typically at the physical or link layers.
• However, when considering end-to-end encryption, several options for the logical
placement of the encryption function are available.
• At the lowest practical level, the encryption function could be performed at the
network layer.

Network-Layer Encryption

• Encryption could be performed at the network layer, such as associating
encryption with protocols like X.25.
• In network-layer encryption, each end system is a separately protected entity.
• User data in packets are encrypted, and end systems with shared secret keys
can engage in encrypted exchanges.
• Considerations:
◦ Encryption could be offloaded to a front-end processor (FEP) for efficiency.
◦ The packet header remains unencrypted for routing purposes.

Challenges in End-to-End Encryption
• End-to-end encryption is effective for securing traffic within a single integrated
internetwork but faces challenges for traffic crossing internetwork boundaries
(e.g., electronic mail, electronic data interchange, and file transfers).
• Gateways are used to interconnect networks with different architectures (e.g., OSI-
based and TCP/IP-based).
• In such scenarios, end-to-end encryption must be achieved at the application
layer.
• Application-layer encryption increases the number of entities to consider and
requires more secret keys for generation and distribution.

Communication Hierarchy and Encryption
• As we move up the communication hierarchy, less information is encrypted, but
it becomes more secure.
• Example using TCP/IP architecture:
◦ Application-level encryption (Figure 5.5a): Only user data portion of a TCP
segment is encrypted.
◦ TCP-level encryption (Figure 5.5b): User data and TCP header are encrypted
on a single end-to-end connection.
◦ Link-level encryption (Figure 5.5c): Entire data unit except link header and
trailer is encrypted on each link.

2.2 Traffic Confidentiality
• In some cases, security concerns extend beyond data encryption to include traffic
analysis.
• Knowledge of message patterns, frequency, and other traffic details can reveal
valuable information, even in commercial applications.
• Several types of information that can be derived from a traffic analysis attack:
◦ Identities of communication partners
◦ Frequency of communication between partners
◦ Message patterns, length, or quantity that suggest important information
exchange
◦ Events correlated with special conversations between partners
• Another concern related to traffic is the use of traffic patterns to create a covert
channel.
◦ Covert channels allow communication that violates security policies.
◦ Example: Using message length to convey binary data (0s and 1s).
◦ Various schemes are possible for covert communication.
Link Encryption Approach

• Link encryption involves encrypting packet headers to reduce traffic analysis
opportunities.
• Attackers may still assess network traffic volume and communication between
end systems.
• Countermeasure: Traffic padding.
• Traffic padding continuously generates ciphertext, making it difficult to
distinguish between real data and padding.

End-to-End Encryption Approach

• End-to-end encryption presents more limited options for traffic analysis
defense.
◦ For example, if encryption is implemented at the application layer, then an
opponent can determine which transport entities are engaged in dialogue.
◦ If encryption techniques are housed at the transport layer, then network-layer
addresses and traffic patterns remain accessible.
• One technique that might prove useful is to pad out data units to a uniform
length at either the transport or application level.
• In addition, null messages can be inserted randomly into the stream to obscure
traffic patterns.

2.3 Key Distribution
• Key distribution is a critical component of any cryptographic system.
• To ensure the security of data exchange, both parties must share the same key,
and this key must be protected from unauthorized access.
• Frequent key changes are often desirable to limit data exposure if an attacker
learns the key.
• Key distribution refers to the means of delivering a key to two parties without
allowing others to see it.
• Key distribution between parties A and B can be achieved through various
methods:
I. A key can be selected by A and physically delivered to B.
II. A third party can select the key and physically deliver it to both A and B.
III. If A and B have used a key before, one party can transmit a new key to the
other, encrypted using the old key.
IV. If A and B have encrypted connections to a third party C, C can deliver a
key on the encrypted links to A and B.
• Challenges in Key Distribution
◦ Manual key delivery (options I and II) is reasonable for link encryption but
impractical for end-to-end encryption, especially in distributed systems.
◦ The scale of the problem depends on the number of communicating pairs.
◦ For end-to-end encryption, distribution of potentially millions of keys must be
managed.
∗ If there are N hosts, the number of required keys is N(N − 1)/2.
◦ With option III, if an attacker ever succeeds in gaining access to one key, then
all subsequent keys will be revealed.

• Key Distribution Center (option IV)
◦ Widely adopted for end-to-end encryption.
◦ A key distribution center is responsible for distributing keys to user pairs as
needed.
◦ Each user shares a unique key (master key) with the key distribution center.
◦ Session keys (temporary keys) are used for communication between end systems,
obtained from the key distribution center.
◦ Session keys are transmitted in encrypted form, using the master key.
◦ Only N master keys are required for N entities, reducing the scale of the key
distribution problem.

2.3.1 A Key Distribution Scenario
• Key distribution is crucial for secure communication.
• A typical scenario involves a Key Distribution Center (KDC) and the use of
master keys shared between users and the KDC.
• Let’s assume User A wishes to establish a secure logical connection with User B
and needs a one-time session key for data protection. Both A and B share master
keys with the KDC. The following steps occur:

i. A requests a session key from the KDC to protect the connection to B.
• The request includes the identities of A and B and a unique identifier, N1
(nonce), for this transaction.
• The nonce should be difficult to guess and ensures that this request is not a
replay of a previous one.
ii. The KDC responds with a message encrypted using A’s secret key, Ka . The
message includes:
• The one-time session key, Ks , for the session.
• The original request message, including the nonce, to allow A to match the
response with the correct request.
• Two items intended for B:
◦ The session key, Ks , to be used for the session.
◦ An identifier of A (e.g., its network address), IDA .

iii. A stores the session key and sends to B the information received from the KDC,
encrypted with B's shared master key, Kb.
iv. B receives the information, decrypts it with its own master key Kb, and obtains
the session key (Ks) and A's identity.
v. Additional steps (authentication):
a. B sends a nonce, N2, to A, using the session key Ks.
b. A responds with f(N2), where f is a function that transforms N2 (e.g.,
adding one). This step ensures that the original message was not a replay.
vi. Authentication: The actual key distribution involves steps 1 to 3, but steps
4 and 5, along with step 3, serve an authentication function. They establish
trust and ensure that the communication between A and B is secure.

Hierarchical Key Control:
• In large networks, a hierarchical key control system can be established to
efficiently manage key distribution.
• This involves the use of multiple Key Distribution Centers (KDCs) organized in
a hierarchical structure.
• Local KDCs: Responsible for key distribution within specific local domains, such
as LANs or buildings.
• Global KDC: Facilitates communication between local KDCs and can participate
in key selection.
• Multiple Layers: Depending on the network’s size and geographic scope, the
hierarchy can extend to three or more layers.
• Hierarchical key control reduces the effort required for master key distribution
and limits the impact of a compromised KDC to its local area.

Session Key Lifetime
• The lifetime of session keys is crucial for security. Balancing the frequency of
session key changes with network capacity (delay in receiving a new key, overhead,
etc.) and security considerations is essential.
• Connection-Oriented Protocols: Use the same session key for the duration of
an open connection, changing it periodically or when necessary (e.g., when
sequence numbers cycle).
• Connectionless Protocols: Determine session key lifetime based on a fixed
period or a specific number of transactions to maintain security while
minimizing overhead.
• The choice of session key lifetime depends on the protocol and security
requirements.

2.3.2 Transparent Key Control Scheme
• A transparent key control scheme allows for end-to-end encryption at the
network or transport level while remaining transparent to end users.
◦ It is suitable for connection-oriented protocols like X.25 or TCP.
• Front-End Processor (FEP): Acts on behalf of the host or terminal, performing
end-to-end encryption and obtaining session keys.
• Connection Establishment:
i. Host sends a connection-request packet.
ii. FEP applies to the KDC for permission, encrypting the communication with
a shared master key.
iii. KDC approves the request, generates a session key, and delivers it to the
respective FEPs.
iv. Connection is established, and user data are encrypted using the session
key by the FEPs.
• Advantages: Minimal impact on end systems, transparent operation, and efficient
key management.
Decentralized Key Control
• In some cases, a decentralized approach to key control can be advantageous,
particularly within local contexts.
• This approach avoids the need for a central Key Distribution Center (KDC)
and relies on each end system’s ability to communicate securely with potential
partners for session key distribution.
• The number of master keys may be as many as [n(n - 1)/2], where n is the
number of end systems.
• Session key may be established with the following sequence of steps:
i. A issues a request to B for a session key and includes a nonce, N1
ii. B responds with a message that is encrypted using the shared master key.
◦ The response includes the session key selected by B, an identifier of B, the
value f(N1 ), and another nonce, N2
iii. Using the new session key, A returns f(N2 ) to B.
• Decentralized key control provides flexibility in session key distribution but
requires each end system to manage at most (n-1) master keys.
Controlling Key Usage
It is essential to control how automatically distributed keys are used within a
cryptographic system. One approach is to classify keys based on their intended use
and impose controls accordingly.
• Types of Keys:
◦ Data-encrypting key: For general network communication.
◦ PIN-encrypting key: For personal identification numbers (PINs) in financial
transactions.
◦ File-encrypting key: For encrypting files stored in publicly accessible locations.
• Key Tags: Associate each key with a tag that specifies its characteristics.
◦ One bit indicates whether the key is a session key or a master key.
◦ One bit indicates whether the key can be used for encryption.
◦ One bit indicates whether the key can be used for decryption.
◦ Remaining bits are reserved for future use.
• Flexible control schemes like control vectors can provide more detailed key
management and usage control, allowing for a variety of key types and
restrictions.
Control Vectors: The control vector is a flexible scheme for managing and
controlling keys. Each session key has an associated control vector with fields
specifying its use and restrictions.
◦ Cryptographic Coupling: The control vector is cryptographically coupled
with the session key during key generation at the KDC.
◦ Hash Function: The control vector is passed through a hash function to
produce a value of the same length as the encryption key.
◦ Coupling and Decoupling: The control vector and the session key can be
coupled or decoupled to enable or restrict key usage.
Control vectors offer fine-grained control over key usage and restrictions,
enhancing the security of cryptographic systems.

Key Derivation Process The control vector plays a central role in the key
derivation process. When generating a session key, the following steps are
performed:
◦ Hash Value: A hash function is applied to the control vector to produce a hash
value.
◦ XOR Operation: The hash value is XORed with the master key, resulting in an
output that serves as the key input for encrypting the session key.
Mathematically, this process can be expressed as follows:

Here, Km represents the master key, and Ks represents the session key.

Session Key Recovery: To recover the session key from ciphertext, the reverse
operation is performed:

• When a session key is delivered to a user from the KDC, the control vector is
included in clear form.
• The session key can only be recovered by using both the master key that the
user shares with the KDC and the control vector.
• This linkage ensures that the session key is securely associated with its control
vector.
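An added example, written for these notes and not taken from the slides or from Stallings' text, that serves two passages at once: it runs the five-step KDC key distribution scenario (request with nonce N1, KDC response with the ticket for B, A forwarding the ticket, B's nonce N2, A's reply f(N2)), and it wraps the session key the way the control-vector slides describe, with the KDC encrypting Ks under Km ⊕ H(CV) and shipping CV in the clear. Assumptions made here: a SHA-256 keystream stands in for the block cipher (it is not a secure cipher, only a placeholder), identifiers are 8 bytes, nonces 16 bytes, keys 32 bytes, the control-vector string is an illustrative field list, and f(N2) is N2 + 1. The `cv_seen_by_b` parameter lets you watch what happens when the clear-text control vector delivered to B is altered: B derives a different key, so the session keys no longer match and the step-5 check fails.

```python
import hashlib
import secrets

ID_LEN, N_LEN, K_LEN = 8, 16, 32     # byte lengths of identifiers, nonces and keys (chosen here)


def toy_cipher(key: bytes, data: bytes, label: bytes = b"") -> bytes:
    """Stand-in for a symmetric cipher: XOR with a SHA-256 keystream of key||label||offset.
    Constructed for this example only; encrypting and decrypting are the same call."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + label + off.to_bytes(4, "big")).digest()
        out += bytes(x ^ k for x, k in zip(data[off:off + 32], ks))
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def coupled_key(km: bytes, cv: bytes) -> bytes:
    """Control-vector coupling: hash CV to key length, XOR with the master key Km."""
    return xor(km, hashlib.sha256(cv).digest())


def f(nonce: bytes) -> bytes:
    """Transform used in step 5 (here: add one, modulo 2^128)."""
    return ((int.from_bytes(nonce, "big") + 1) % (1 << 8 * N_LEN)).to_bytes(N_LEN, "big")


class KDC:
    def __init__(self):
        self.master = {}                          # identifier -> master key shared with the KDC

    def register(self, ident: bytes, km: bytes):
        self.master[ident] = km

    def respond(self, id_a: bytes, id_b: bytes, n1: bytes, cv: bytes):
        """Step 2: CV in clear + E(Ka', [Ks || IDA || IDB || N1 || E(Kb', [Ks || IDA])]),
        with Ka' = Ka xor H(CV) and Kb' = Kb xor H(CV)."""
        ks = secrets.token_bytes(K_LEN)                                   # one-time session key
        ticket = toy_cipher(coupled_key(self.master[id_b], cv), ks + id_a)
        body = toy_cipher(coupled_key(self.master[id_a], cv), ks + id_a + id_b + n1 + ticket)
        return cv, body


def a_open_response(ka: bytes, cv: bytes, body: bytes, id_a: bytes, id_b: bytes, n1: bytes):
    """A recovers Ks using Ka and the clear CV, then matches the echoed request (anti-replay)."""
    pt = toy_cipher(coupled_key(ka, cv), body)
    ks, pos = pt[:K_LEN], K_LEN
    ida, pos = pt[pos:pos + ID_LEN], pos + ID_LEN
    idb, pos = pt[pos:pos + ID_LEN], pos + ID_LEN
    echoed_n1, pos = pt[pos:pos + N_LEN], pos + N_LEN
    if (ida, idb, echoed_n1) != (id_a, id_b, n1):
        raise ValueError("KDC response does not match the outstanding request")
    return ks, pt[pos:]                                                   # Ks and the ticket for B


def b_open_ticket(kb: bytes, cv: bytes, ticket: bytes):
    """Step 3 at B: recover Ks and A's identity with Kb and the CV as delivered."""
    pt = toy_cipher(coupled_key(kb, cv), ticket)
    return pt[:K_LEN], pt[K_LEN:]


def run_scenario(cv_seen_by_b: bytes = None) -> dict:
    """Steps 1-5 of the scenario. cv_seen_by_b simulates a control vector altered on the way to B."""
    kdc = KDC()
    id_a, id_b = b"host-A  ", b"host-B  "                                 # constructed identifiers
    ka, kb = secrets.token_bytes(K_LEN), secrets.token_bytes(K_LEN)
    kdc.register(id_a, ka)
    kdc.register(id_b, kb)
    cv = b"session-key|encrypt|decrypt|data-encrypting"                   # illustrative CV fields
    n1 = secrets.token_bytes(N_LEN)                                       # step 1: A -> KDC
    cv_out, body = kdc.respond(id_a, id_b, n1, cv)                        # step 2: KDC -> A
    ks_a, ticket = a_open_response(ka, cv_out, body, id_a, id_b, n1)
    ks_b, peer = b_open_ticket(kb, cv_seen_by_b or cv_out, ticket)        # step 3: A -> B
    n2 = secrets.token_bytes(N_LEN)
    to_a = toy_cipher(ks_b, n2, b"step4")                                 # step 4: B -> A, E(Ks, N2)
    reply = toy_cipher(ks_a, f(toy_cipher(ks_a, to_a, b"step4")), b"step5")  # step 5: E(Ks, f(N2))
    auth_ok = toy_cipher(ks_b, reply, b"step5") == f(n2)
    return {"keys_match": ks_a == ks_b, "peer_is_a": peer == id_a, "auth_ok": auth_ok}


if __name__ == "__main__":
    print("honest run :", run_scenario())
    print("altered CV :", run_scenario(cv_seen_by_b=b"session-key|encrypt|decrypt|PIN-encrypting"))
```

Because the CV is hashed into the wrapping key rather than merely attached, a party that wants to use Ks under a different set of restrictions cannot simply edit the clear-text vector: the recovered key changes with it.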

Advantages: The use of a control vector offers several advantages over simpler
tagging mechanisms, such as an 8-bit tag:
i. No Length Restriction: There is no restriction on the length of the control
vector.
• This flexibility enables arbitrarily complex controls to be imposed on key use.
ii. Clear Form Availability: The control vector is available in clear form at all
stages of operation.
• This allows for control of key usage to be exercised in multiple locations
within the cryptographic system.

Introduction

• Random Number Generation is a critical aspect of network security, particularly
in cryptographic applications.
• In this section, we will explore the role of random numbers in network security
and discuss various approaches to generating them.

2.4.1 The Use of Random Numbers

Random numbers are essential in several network security algorithms, including:


a. Reciprocal Authentication Schemes: Nonces (random numbers) are used for
handshaking to prevent replay attacks.
• The use of random nonces frustrates opponents’ attempts to predict or guess
the nonce.
b. Session Key Generation: Whether performed by a Key Distribution Center
(KDC) or one of the principals, session key generation relies on random
numbers.
c. RSA Public-Key Encryption: The RSA algorithm, discussed later, requires the
generation of random prime numbers.

These applications impose two distinct and sometimes conflicting requirements on a
sequence of random numbers: randomness and unpredictability.
I. Randomness: Traditionally, the generation of a sequence of random
numbers focuses on meeting specific statistical criteria. Two main criteria are
used to assess the randomness of a sequence:
A. Uniform Distribution: The sequence should exhibit a uniform
distribution, meaning that the frequency of occurrence of each number
in the sequence is approximately the same.
B. Independence: No value in the sequence can be deduced or predicted
from the others.
II. Unpredictability: In applications like reciprocal authentication and session key
generation, the primary requirement is not just statistical randomness but
unpredictability.
• Sequences of numbers that mimic randomness are artificially generated
using algorithms.
• In such cases, it’s crucial to ensure that an adversary cannot predict future
elements of the sequence based on earlier elements.
2.4.2 Sources of Random Numbers
• Obtaining true random numbers can be challenging. Physical noise generators,
like pulse detectors for ionizing radiation events, gas discharge tubes, and leaky
capacitors, are potential sources.
• Another option is to use collections of published random numbers. However, they
are predictable because an adversary aware of their use can obtain a copy.
• Cryptographic applications typically rely on algorithmic techniques for
random number generation. These algorithms are deterministic and produce
sequences. If the algorithm is well-designed, the resulting sequences will pass
many reasonable tests of randomness. Such numbers are often referred to as
pseudorandom numbers.
• Random generation algorithms covered in this section are:
I. Pseudorandom Number Generators
II. Cryptographically Generated Random Numbers
III. ANSI X9.17 Pseudorandom Number Generator
IV. Blum Blum Shub (BBS) Generator
I. Pseudorandom Number Generators
i. The most widely used technique for pseudorandom number generation is an
algorithm known as the linear congruential method.
ii. The algorithm is parameterized with four numbers:

   The modulus : m > 0
   The multiplier : 0 ≤ a < m
   The increment : 0 ≤ c < m
   The starting value, or seed : 0 ≤ X0 < m

iii. The sequence of random numbers {Xn} is obtained via the iterative equation:

   Xn+1 = (aXn + c) mod m

iv. If m, a, c, and X0 are integers, this technique produces a sequence of integers
with 0 ≤ Xn < m.
Choosing Parameters:
• The selection of values for a, c, and m is critical for a good random number
generator.
• Example: a = 7, c = 0, m = 32, and X0 = 1 yields a sequence with a period of 4 (4
values repeated).
• Criteria for evaluating a random number generator:
T1 : Full-period generating function.
T2 : Generated sequence should appear random.
T3 : Efficient implementation with 32-bit arithmetic.
• For 32-bit arithmetic, a prime value of m is often chosen: m = 2^31 − 1.
• Some values of a pass all three tests, e.g., a = 16807

Strengths and Limitations:
• Strength: Properly chosen parameters make the sequence statistically
indistinguishable from a random sequence.
• Limitation: The algorithm is deterministic; once the initial value X0 is known, all
subsequent numbers are determined.
• Implications for cryptanalysis: If an opponent knows the parameters and a
single number in the sequence, they can determine all future elements.
Enhancing Non-Reproducibility:
◦ To make the sequence non-reproducible, various methods can be employed.
◦ Example: Using an internal system clock to modify the random number stream.
∗ Restarting the sequence after every N numbers using the current clock value
(mod m) as the new seed.
∗ Adding the current clock value to each random number (mod m).
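An added Python example, not from the slides, covering the linear congruential material above: the recurrence itself, the period of the slide's a = 7, c = 0, m = 32, X0 = 1 case, the Park-Miller parameters a = 16807, m = 2^31 − 1, the predictability point (with the parameters public, one observed output fixes every later one), and the two clock-based tactics for making the stream non-reproducible. The `clock` argument is injected as a function so that the demonstration runs deterministically; in use it would be the system clock.

```python
from typing import Callable, List


def lcg_sequence(a: int, c: int, m: int, x0: int, count: int) -> List[int]:
    """Linear congruential generator: X_{n+1} = (a*X_n + c) mod m, returns X_1 .. X_count."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out


def period(a: int, c: int, m: int, x0: int) -> int:
    """Length of the cycle the generator falls into from seed x0 (brute force; for small m).
    A full-period generator returns m."""
    seen, x, n = {}, x0, 0
    while x not in seen:
        seen[x] = n
        x = (a * x + c) % m
        n += 1
    return n - seen[x]


def predict_from(a: int, c: int, m: int, observed: int, how_many: int) -> List[int]:
    """The cryptanalytic weakness from the slides: if a, c, m are known and a single
    output X_n is observed, every later output follows deterministically."""
    return lcg_sequence(a, c, m, observed, how_many)


def clock_reseeded(a: int, c: int, m: int, clock: Callable[[], int],
                   restart_every: int, count: int) -> List[int]:
    """Restart the sequence after every restart_every numbers using clock() mod m as the new seed."""
    out, x = [], clock() % m
    for k in range(count):
        if k and k % restart_every == 0:
            x = clock() % m
        x = (a * x + c) % m
        out.append(x)
    return out


def clock_mixed(a: int, c: int, m: int, x0: int, clock: Callable[[], int], count: int) -> List[int]:
    """Add the current clock value (mod m) to each random number; the internal state is untouched."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x + c) % m
        out.append((x + clock()) % m)
    return out


if __name__ == "__main__":
    print("a=7, c=0, m=32, X0=1 :", lcg_sequence(7, 0, 32, 1, 8), "period", period(7, 0, 32, 1))
    M = 2**31 - 1
    stream = lcg_sequence(16807, 0, M, 12345, 6)          # constructed seed for the demo
    print("Park-Miller outputs   :", stream)
    print("predicted from X_3    :", predict_from(16807, 0, M, stream[2], 3))
    ticks = iter([100, 200, 300])                          # constructed clock readings
    print("clock reseeded        :", clock_reseeded(7, 0, 32, lambda: next(ticks), 3, 6))
```

`period` is only practical for small moduli; for m = 2^31 − 1 the slides' claim that a = 16807 gives a full period has to be taken from the literature rather than checked by enumeration.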

II. Cryptographically Generated Random Numbers
Another approach to produce high-quality random numbers is by taking advantage
of encryption logic.
Cyclic Encryption: This approach is
often used to produce session keys from
a master key.
• A counter with a period N is used as
input to the encryption logic.
• For instance, if 56-bit DES keys need
to be generated, a counter with a period
of 2^56 can be employed.
• After each key is produced, the counter
is incremented by one.

• As a result, the pseudorandom numbers generated through this scheme cycle
through a full period.
• Each output, denoted as X1 , X2 , X3 , and so on, is based on a different counter
value.
• Therefore, X1 , X2 , . . . XN is highly unpredictable.
• Importantly, since the master key is protected, it is computationally infeasible to
deduce any of the secret keys through knowledge of one or more earlier keys.
Enhanced Security:
◦ To enhance the security of this algorithm, the input to the encryption logic could
be the output of a full-period pseudorandom number generator instead of a
simple counter.
◦ In summary, cyclic encryption is a method commonly employed to generate
cryptographically secure random numbers, ensuring that the generated keys
are highly unpredictable and resistant to computational attacks.

III. ANSI X9.17 Pseudorandom Number Generator
• This is one of the strongest pseudorandom number generators and is specified
in ANSI X9.17
• It makes use of triple-DES for encryption
◦ Input: Two pseudorandom inputs drive the generator
I. One is a 64-bit representation of the current date and time, and
II. the other is a 64-bit seed value, which is updated for each generation
◦ Keys: The generator makes use of 3 triple-DES modules that make use of the
same pair of 56-bit keys
◦ Output: The output consists of a 64-bit pseudorandom number and a 64-bit
seed value
• Define the following quantities:

   DTi : Date/Time value at the beginning of generation stage i
   Vi : Seed value at the beginning of generation stage i
   Ri : Pseudorandom number produced by generation stage i
   K1, K2 : DES keys used for each stage

• Then, we have

   Ri = EDE_K1,K2[Vi ⊕ EDE_K1,K2[DTi]]
   Vi+1 = EDE_K1,K2[Ri ⊕ EDE_K1,K2[DTi]]

• where EDE refers to the sequence encrypt-decrypt-encrypt using two-key
triple-DES
• Note, this technique involves a 112-bit key and three EDE encryptions

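An added Python example, written for these notes rather than taken from the slides or the ANSI standard, that serves the two encryption-based generators above: cyclic encryption (a counter run through the encryption logic under a master key) and the ANSI X9.17 structure R_i = EDE[V_i ⊕ EDE[DT_i]], V_{i+1} = EDE[R_i ⊕ EDE[DT_i]]. Assumption: since the standard library has no DES, `ede64` is a keyed pseudorandom function (HMAC-SHA256 keyed with K1 || K2, truncated to 64 bits) standing in for two-key triple-DES EDE; the key bytes, seed and date/time value are constructed for the demonstration. The data-flow, not the primitive, is the point.

```python
import hashlib
import hmac


def prf64(key: bytes, block: bytes) -> bytes:
    """Keyed 64-bit pseudorandom function used as a stand-in for a 64-bit block cipher.
    Constructed for this example (HMAC-SHA256 truncated to 8 bytes); not a DES implementation."""
    if len(block) != 8:
        raise ValueError("block must be 64 bits")
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def ede64(k1: bytes, k2: bytes, block: bytes) -> bytes:
    """Stand-in for two-key triple-DES EDE under (K1, K2)."""
    return prf64(k1 + k2, block)


def xor8(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cyclic_encryption(master_key: bytes, count: int, start: int = 0) -> list:
    """Cyclic encryption: successive counter values are encrypted under the master key;
    each output X_i is a fresh pseudorandom 64-bit value (here usable as a key).
    The counter period here is 2^64, the width of the block."""
    keys = []
    for ctr in range(start, start + count):
        keys.append(prf64(master_key, (ctr % 2**64).to_bytes(8, "big")))
    return keys


class AnsiX917:
    """ANSI X9.17 generator structure with the 64-bit EDE stand-in above."""

    def __init__(self, k1: bytes, k2: bytes, seed: bytes):
        if len(seed) != 8:
            raise ValueError("seed V_0 must be 64 bits")
        self.k1, self.k2, self.v = k1, k2, seed

    def next_block(self, date_time: bytes) -> bytes:
        """One generation stage: consume DT_i and V_i, emit R_i, update V_{i+1}."""
        t = ede64(self.k1, self.k2, date_time)          # EDE[DT_i]
        r = ede64(self.k1, self.k2, xor8(self.v, t))    # R_i   = EDE[V_i xor EDE[DT_i]]
        self.v = ede64(self.k1, self.k2, xor8(r, t))    # V_i+1 = EDE[R_i xor EDE[DT_i]]
        return r

    def random_bytes(self, n: int, date_time: bytes) -> bytes:
        """Concatenate stages until n bytes are available (same DT value reused here for brevity)."""
        out = b""
        while len(out) < n:
            out += self.next_block(date_time)
        return out[:n]


if __name__ == "__main__":
    master = b"constructed-master-key"
    print("cyclic encryption keys:", [k.hex() for k in cyclic_encryption(master, 3)])
    gen = AnsiX917(b"constructed-K1", b"constructed-K2", bytes(8))
    dt = (1695340800).to_bytes(8, "big")              # constructed date/time value
    print("X9.17 R_1, R_2:", gen.next_block(dt).hex(), gen.next_block(dt).hex())
```

Note what the seed update buys: even with the same DT value fed in twice, R_1 and R_2 differ because V changes between stages, and an observer holding R_i still needs the keys to compute V_{i+1}.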
IV. Blum Blum Shub (BBS) Generator
• The Blum, Blum, Shub (BBS) generator is a popular approach for generating secure
pseudorandom numbers and is named after its developers, Blum, Blum, and Shub.
• It is renowned for its strong cryptographic strength
• The procedure for the BBS generator is as follows:
i. First, choose two large prime numbers, p and q, such that both p and q have a
remainder of 3 when divided by 4. This can be represented as:

p ≡ q ≡ 3 mod 4

For example, if we choose the prime numbers 7 and 11, both satisfy 7 ≡ 11 ≡
3 mod 4.
ii. Calculate n = p × q. The product n is used as part of the BBS algorithm.
iii. Next, choose a random number s such that s is relatively prime to n. In other
words, neither p nor q should be a factor of s. This ensures the security of the
generator.
iv. The BBS generator then produces a sequence of bits, denoted as B, using
the following algorithm:
• Initialize X0 = s^2 mod n.
• For i from 1 to k (where k is the desired length of the sequence):

   Xi = (Xi−1)^2 mod n
   Bi = Xi mod 2

• The least significant bit (Bi) is taken at each iteration.

v. The BBS generator is referred to as a cryptographically secure
pseudorandom bit generator (CSPRBG).
vi. In simpler terms, for practical purposes, the sequence generated by the BBS
generator is unpredictable.
vii. The security of the BBS generator relies on the difficulty of factoring n. In
other words, given n, it is computationally challenging to determine its two prime
factors, p and q.
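An added Python example, not from the slides, that carries the BBS procedure above through with the slide's own primes p = 7 and q = 11 (so n = 77). The seed s = 3 is chosen here; it is coprime to 77 as step iii requires. The function checks the p ≡ q ≡ 3 (mod 4) and gcd(s, n) = 1 conditions rather than assuming them, and returns the intermediate X_i values alongside the bits so the squaring chain can be followed by hand.

```python
from math import gcd
from typing import List, Tuple


def bbs_generate(p: int, q: int, s: int, k: int) -> Tuple[List[int], List[int]]:
    """Blum Blum Shub: returns (X_1..X_k, B_1..B_k) for primes p, q with p = q = 3 (mod 4)
    and a seed s relatively prime to n = p*q. p and q are assumed prime (not tested here)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed s must be relatively prime to n (neither p nor q may divide s)")
    x = pow(s, 2, n)                 # X_0 = s^2 mod n
    states, bits = [], []
    for _ in range(k):
        x = pow(x, 2, n)             # X_i = (X_{i-1})^2 mod n
        states.append(x)
        bits.append(x & 1)           # B_i = X_i mod 2, the least significant bit
    return states, bits


def bbs_bits(p: int, q: int, s: int, k: int) -> List[int]:
    """Just the bit sequence B_1..B_k."""
    return bbs_generate(p, q, s, k)[1]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack bits MSB-first into bytes (last byte zero-padded), as a consumer of the generator would."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8] + [0] * (8 - len(bits[i:i + 8]))
        out.append(int("".join(str(b) for b in chunk), 2))
    return bytes(out)


if __name__ == "__main__":
    states, bits = bbs_generate(7, 11, 3, 8)     # slide's primes, seed chosen here
    print("n = 77, X_i:", states)
    print("B_i        :", bits, "->", bits_to_bytes(bits).hex())
```

With such a tiny n the squaring chain cycles almost immediately (the states above repeat every four steps), which is exactly why the security argument in item vii needs p and q large enough that factoring n is infeasible.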
Text Books

[1] W. Stallings, Cryptography And Network Security: Principles and Practice.
Pearson Education. Second Edition (** Prescribed Textbook).
[2] D. M. Behrouz A Forouzan, Cryptography And Network Security.
Tata McGraw Hill Education Private Limited. Second Edition.
[3] OpenAI.com, "chatgpt - an openai based language models for dialogue," 2023.
https://openai.com/blog/chatgpt/ [Accessed: Jul 2023].

Thank you
