Professional Documents
Culture Documents
Security
Symmetry Key Cryptography
UNIT-II
Dr P Naga Jyothi
Assistant Professor,
Dept of CSE
Learning Outcomes
• Distinguish between block and stream ciphers
• Explain and implement block cipher DES and AES algorithm
• Explain and implement stream cipher RC4
Key Topics
• Block ciphers
• DES Algorithm
• AES Algorithm
• Stream Ciphers
Modern Block Ciphers
• Now look at modern block ciphers
• One of the most widely used types of cryptographic algorithms
• Provide secrecy /authentication services
• Focus on DES (Data Encryption Standard)
• To illustrate block cipher design principles
Block vs Stream Ciphers
• Block ciphers process messages in blocks, each of which is then
en/decrypted.
• Like a substitution on very big characters
• 64-bits or 128-bit
• Stream ciphers is one that encrypts a digital data stream one bit or
one byte at a time. Ex: Vigenere cipher and Vernam cipher
• Many current ciphers are block ciphers.
• Broader range of applications.
Block cipher vs Stream cipher
Block Cipher Stream Cipher
Block Cipher Converts the plain text into cipher text by Stream Cipher Converts the plain text into cipher text by
taking plain text’s block at a time. taking 1 byte of plain text at a time.
Block cipher uses either 64 bits or more than 64 bits. While stream cipher uses 8 bits.
The complexity of block cipher is simple. While stream cipher is more complex.
Block cipher Uses confusion as well as diffusion. While stream cipher uses only confusion.
In block cipher, reverse encrypted text is hard. While in stream cipher, reverse encrypted text is easy.
Block cipher works on transposition techniques like rail- While stream cipher works on substitution techniques
fence technique, columnar transposition technique, etc. like Caesar cipher, substitution cipher, etc.
Block cipher is slow as compared to stream cipher. While stream cipher is fast in comparison to block cipher.
Motivation of Feistel cipher structure
• A block cipher operates on a plaintext block of n bits to produce a ciphertext
block of n bits.
• 2n possible different plaintext blocks for en/decryption
• Block size
• Key size
• Number of rounds
• Subkey generation algorithm
• Round function
• Fast software en/decryption
• Ease of analysis
Plaintext(2w bits)
⊕ F
L1 R1
. .
. .
w bits w bits .
Round i .
Ki
⊕ F
Li Ri
. .
. .
. w bits w bits .
Round n
Ki
⊕ F
Ln Rn
Ln+1 Rn+1
Cipherntext(2w bits)
Feistel Cipher Decryption
1st round of the decryption is equal to
32 bit swap of input to the sixteenth
round of encryption process
LE16=RE15
RE16=LE15 X F(RE15,K16)---Encryption
Decryption
LD1=RD0=LE16=RE15
RD1=LD0 X F(RD0,K16)
=RE16 X F(RE15,K16)
=[LE15 X F(RE15,K16 ) F(RE15,K16)
REi-1 =LEi
LEi-1=Rei F( REi-1,Ki)=REi F(LEi,Ki)
Data Encryption Standard (DES) Algorithm
Data Encryption Standard (DES)
• Most widely used block cipher in world -IBM developed Lucifer cipher
• Adopted in 1977 by NBS (now NIST)
• as FIPS PUB 46
• Has widespread use and had considerable controversy over its security
• Although DES standard is public
• Subsequent events and public analysis show in fact design was appropriate
• Use of DES has flourished
• especially in financial applications
• still standardised for legacy application use
DES Algorithm
Steps
• Initial Permutation-64 bit plaintext passes through IP that rearranges the
bits to produce the Permuted Input.
• Followed by 16 Fiestel rounds of same function(Substitution and
Permutation)
• The output of last (16) round consists of 64bits that are function of input
plaintext and the key.
• Swapping- Left and right halves are− swapped to produce the preoutput .It is
passed to through permutation(IP 1) to produce 64bit ciphertext.
• Final Permutation/Inverse initial permutation
• 56 bit key is used initially while it is passing through permutation function
for each 16 rounds, a sub key is produced by the combination of left
circular shift and a permutation.
DES Algorithm
64-bit plaintext 64-bit key
……….. ………..
K1 48 56
Round 1 Permuted choice 2 Left circular shift
64 56
K2 48 56
Round 2 Permuted choice 2 Left circular shift
48 56
Round 16 Permuted choice 2 Left circular shift
32-bit swap
Inverse Initial
permutation
………..
64-bit ciphertext
Initial Permutation IP
First step of the data computation
IP reorders the input data bits
Even bits to LH half, odd bits to RH half
Quite regular in structure (easy in h/w)
example:
This table specifies the input permutation on a 64-bit block. The meaning is as follows: the first bit of the
output is taken from the 58th bit of the input; the second bit from the 50th bit, and so on, with the last bit
of the output taken from the 7th bit of the input.
Inverse Initial Permutation
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25 Expansion Permutation
24 25 26 27 28 29
28 29 30 31 32 1
Permutation Choice 1 (PC1)
57 49 41 33 25 17 9
1 58 50 42 34 26 18
The "Left" and "Right" halves of the table show which bits
10 2 59 51 43 35 27
from the input key form the left and right sections of the key
19 11 3 60 52 44 36 schedule state. Note that only 56 bits of the 64 bits of the
63 55 47 39 31 23 15 input are selected; the remaining eight (8, 16, 24, 32, 40, 48,
56, 64) were specified for use as parity bits
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
14 17 11 24 1 5 3 28
This permutation selects the 48-bit subkey for each round
15 6 21 10 23 19 12 4
from the 56-bit key-schedule state. This permutation will
ignore 8 bits below: 26 8 16 7 27 20 13 2
Permuted Choice 2 "PC-2" ignored bits 9, 18, 22, 25, 35, 41 52 31 37 47 55 30 40
38, 43,
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32
Permutation Table (P)
K1 K2
P X C C=E(K2,E(K1,P))
E E
Encryption
K2 K1
C X P P=D(K1,D(K2,C))
D D
Decryption
Triple DES
• Counter to Meet-in-the-middle attack is to use three stage of encryption with
three different keys.
• Key length 168bit, it overcomes the Vulnerability to brute-force attack of DES.
• Triple DES with two keys
C=E(K1,D(K2,E(K1,P)))
• It has three times as many rounds as DES, is correspondingly slower.
Triple DES
K1 K2 K3
P E A
D B
E C
C=E(K3,D(K2,E(K1,P)))
Encryption
K1 K2 K3
C B A P
D E D
P=D(K3,E(K2,D(K1,C)))
Decryption
Meet-in-the-Middle attack
• The meet-in-the-middle attack is a type of cryptanalytic attack commonly used
against encryption algorithms that use symmetric keys. Furthermore, the attack
takes advantage of the fact that the encryption and decryption processes are
inverse operations of each other. Therefore, an attacker follows a brute-force
approach to find the secret key we use in the encryption process.
• The attack works by dividing the key space into two parts. First, it encrypts the
plaintext using all possible keys from one-half of the key space. Additionally, an
attacker decrypts the resulting ciphertext using all possible keys from the other
half of the key space. Finally, the attacker checks for a match between
intermediate values obtained from the encryption and decryption steps.
• If a match is found, the key used in the encryption and decryption is in the middle
of the key space. By repeating the process with smaller key spaces on either side
of the matched key, the attacker can eventually find the secret key used in the
encryption. The meet-in-the-middle attack is particularly effective against
encryption algorithms with a relatively small key space and vulnerable
to exhaustive key search.
Ref: https://www.baeldung.com/cs/security-meet-in-the-middle-attack
Modes of Operation
• Block ciphers encrypt fixed size blocks
• Eg. DES encrypts 64-bit blocks, with 56-bit key
• Need way to use in practise, given usually have arbitrary amount of
information to encrypt
• Four were defined for DES in ANSI standard ANSI X3.106-1983 Modes
of Use
• DES is the basic building block
• Have block and stream modes
Modes of operation
8.61
Electronic Codebook Book (ECB)
• Message is broken into independent blocks which are
encrypted
• Each block is a value which is substituted, like a
codebook, hence name
• Each block is encoded independently of the other
blocks
• Uses: secure transmission of single values
8.62
Electronic Codebook (ECB) Mode
The simplest mode of operation is called the electronic codebook
(ECB) mode.
8.63
Advantages and Limitations of ECB
• Message repetitions may show in ciphertext
• if aligned with message block
• particularly with data such graphics
• or with messages that change very little, which become a code-
book analysis problem
• Weakness is due to the encrypted message blocks being
independent
• Main use is sending a few blocks of data
8.64
Cipher Block Chaining (CBC)
• Message is broken into blocks
• Linked together in encryption operation
• Each previous cipher blocks is chained with current
plaintext block, hence name
• Use Initial Vector (IV) to start process
• Uses: bulk data encryption, authentication
8.65
Cipher Block Chaining (CBC) Mode
In CBC mode, each plaintext block is exclusive-ored with the
previous cipher text block before being encrypted.
8.66
Cipher block chaining (CBC) mode
8.67
Message Padding
• At end of message must handle a possible last short
block
• which is not as large as block size of cipher
• pad either with known non-data value (e.g. nulls)
• or pad last block along with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5]
• means have 3 data bytes, then 5 bytes pad+count
• this may require an extra entire block over those in message
• There are other, more esoteric modes, which avoid the
need for an extra block
8.68
Advantages and Limitations of CBC
• A cipher text block depends on all blocks before it
• Any change to a block affects all following cipher text
blocks
• Need Initialization Vector (IV)
• which must be known to sender & receiver
• if sent in clear, attacker can change bits of first block, and change
IV to compensate
• hence IV must either be a fixed value (as in EFTPOS)
• or must be sent encrypted in ECB mode before rest of message
8.69
Cipher Feedback (CFB)
• Message is treated as a stream of bits
• Added to the output of the block cipher
• Result is feed back for next stage (hence name)
• Standard allows any number of bit (1,8 or 64 or whatever) to be feed
back
• denoted CFB-1, CFB-8, CFB-64 etc
• Is most efficient to use all 64 bits (CFB-64)
C1 = P1 ⊕ MSBSE[(K,IV)]
P1 = C1 ⊕ MSBSE[(K,IV)]
• Uses: stream data encryption, authentication
Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure ciphers, but the plaintext or cipher text block sizes are to be smaller.
Encryption in cipher feedback (CFB) mode
8.71
Advantages and Limitations of CFB
• Appropriate when data arrives in bits/bytes
• Most common stream mode
• Note that the block cipher is used in encryption mode at both ends
• Errors propagate for several blocks after the error
• Must use over a reliable network channel
Output Feedback (OFB)
• Message is treated as a stream of bits
• Output of cipher is added to message
• Output is then feed back (hence name)
• Feedback is independent of message
• Can be computed in advance
Cj = Pj ⊕ E(K,Oj-1)
Oj-1 = E(k,Oj-1)
Cj = Pj ⊕ E(K,[Cj-1 ⊕ Pj-1])
Pj = Cj ⊕ E(K,[Cj-1 ⊕ Pj-1])
Uses: stream encryption on noisy channels
8.73
Output Feedback (OFB) Mode
In this mode each bit in the cipher text is independent of the previous
bit or bits. This avoids error propagation.
8.74
Advantages and Limitations of OFB
• Bit errors do not propagate
• More vulnerable to message stream modification
• A variation of a Vernam cipher
• hence must never reuse the same sequence (key+IV)
• Sender & receiver must remain in sync
• Originally specified with m-bit feedback
• Subsequent research has shown that only full block
feedback (ie CFB-64 or CFB-128) should ever be used
8.75
Counter (CTR)
• A “new” mode, though proposed early on
• Similar to OFB but encrypts counter value rather than
any feedback value
• Must have a different key & counter value for every
plaintext block (never reused)
Cj = Pj ⊕ E(K,Tj)
Pj = Cj ⊕ E(K,Tj)
• Uses: high-speed network encryptions
8.76
Counter (CTR) Mode
In the counter (CTR) mode, there is no feedback. The pseudo
randomness in the key stream is achieved using a counter.
Encryption in counter (CTR) mode
8.77
Advantages and Limitations of CTR
• Efficiency
• can do parallel encryptions in hardware or software
• can preprocess in advance of need
• good for burst high speed links
• Random access to encrypted data blocks
• Provable security (good as other modes)
• But must ensure never reuse key/counter values,
otherwise could break (cf OFB)
8.78
Comparison of Different Modes
n-bit
8.79
Advanced Encryption Standard (AES)
AES Origins
Round1 (4 transformations)
Round 1
Output state
(16 bytes) Round N-1 key
.
. (16 bytes)
.
Round1 (4 transformations)
Round N-1
Output state Round N key
(16 bytes) (16 bytes)
Final state
(16 bytes) AES Encryption process
Cipher text-16 bytes(128 bits)
AES Structure
Substitute Bytes
• A simple substitution of each byte uses one table of 16x16
bytes containing a permutation of all 256 8-bit values.
• Each byte of state is replaced by byte indexed by row (left 4-
bits) & column (right 4-bits)
• eg. byte {95} is replaced by byte in row 9 column 5
• which has value {2A}
• S-box constructed using defined transformation of values in
GF(28)
• Designed to be resistant to all known attacks.
Substitute Bytes
Substitute Bytes
Example
Shift Rows
A circular byte shift in each
• 1st row is unchanged
2nd row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
Decrypt inverts using shifts to right
Since state is processed by columns, this step
permutes bytes between the columns
Shift Rows
Mix Columns
Each column is processed separately
Each byte is replaced by a value dependent on all 4
bytes in the column
Effectively a matrix multiplication in GF(28) using
prime poly m(x) =x8+x4+x3+x+1
Mix Columns
Can express each col as 4 equations
to derive each new byte in col
Decryption requires use of inverse matrix
with larger coefficients, hence a little harder
Have an alternate characterization
each column a 4-term polynomial
with coefficients in GF(28)
and polynomials multiplied modulo (x4+1)
coefficients based on linear code with maximal distance between
codewords
AES Arithmetic
Uses arithmetic in the finite field GF(28)
With irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1
which is (100011011) or {11b}
e.g.
{02} • {87} mod {11b} = (1 0000 1110) mod {11b}
= (1 0000 1110) xor (1 0001 1011) = (0001 0101)
Mix Columns
Mix Columns Example
for i = 0 to 255 do
S[i] = i
T[i] = K[i mod keylen])
j = 0
for i = 0 to 255 do
j = (j + S[i] + T[i]) (mod 256)
swap (S[i], S[j])
RC4 Encryption
• Encryption continues shuffling array values
• Sum of shuffled pair selects "stream key" value from permutation
• XOR S[t] with next byte of message to en/decrypt
i = j = 0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
RC4 Overview
RC4 Security
• Claimed secure against known attacks
• have some analyses, none practical
• Result is very non-linear
• Since RC4 is a stream cipher, must never reuse a key
• Have a concern with WEP, but due to key handling rather than RC4
itself