You are on page 1of 122

Cryptography

Network Security
Protecting data that are stored on or that travel over a network (against either
accidental and intentional unauthorized disclosure or modification)
Then what do you mean by privacy?
Privacy is the need to restrict access to data (unauthorized access). Security is
what we do to ensure privacy
Network Security is having three main goals:
Confidentiality -: Ensuring that data that must be kept private, stay private
Integrity -: Ensuring that data are accurate (unauthorized modification or
destruction)
Availability -: Ensure that data are accessible whenever needed by the
organization

Key Points
The OSI (open systems interconnection) security architecture provides a
systematic framework for defining security attacks, mechanisms, and services
Security attacks are classified as either passive attacks, which include
unauthorized reading of a message of file and traffic analysis; and active
attacks, such as modification of messages or files, and denial of service
A security mechanism is any process (or a device incorporating such a
process) that is designed to detect, prevent, or recover from a security attack.
Examples of mechanisms are encryption algorithms, digital signatures, and
authentication protocols
Security services include authentication, access control, data confidentiality,
data integrity, non repudiation, and availability
The generic name for the collection of tools designed to protect data and to
thwart hackers is computer security

Security Attacks
Passive Attack
Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions. The goal of the opponent is to obtain information
that is being transmitted

Two types of passive attacks are release of message contents and traffic
analysis

The release of message contents is easily understood (Figure a). A


telephone conversation, an electronic mail message, and a transferred file
may contain sensitive or confidential information. We would like to
prevent an opponent from learning the contents of these transmissions

Security Attacks

Security Attacks

A second type of passive attack, traffic analysis (Figure b)

Suppose that we had a way of masking the contents of messages or other


information traffic so that opponents, even if they captured the message,
could not extract the information from the message
The common technique for masking contents is encryption. If we had
encryption protection in place, an opponent might still be able to observe
the pattern of these messages
The opponent could determine the location and identity of communicating
hosts and could observe the frequency and length of messages being
exchanged. This information might be useful in guessing the nature of the
communication that was taking place

Security Attacks

Security Attacks
Note:

Passive attacks are very difficult to detect because they do not involve any
alteration of the data. Typically, the message traffic is sent and received in
an apparently normal fashion and neither the sender nor receiver is aware
that a third party has read the messages or observed the traffic pattern.
However, it is feasible to prevent the success of these attacks, usually by
means of encryption. Thus, the emphasis in dealing with passive attacks is
on prevention rather than detection.

Security Attacks
Active Attacks

Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories:
Masquerade : One entity pretends to be a different entity
Replay : The passive capture of a data unit and its subsequent
transmission to produce an unauthorized effect
Modification of messages : The portion of the legitimate message is
altered
Denial of service : Preventing or inhibiting the normal use or
management of communications facilities

General categories of
security attacks
Interruption: An asset of the system is destroyed or becomes unavailable
or unusable - attack on availability
Interception: An unauthorized party gains access to an asset attack on
confidentiality
Modification: An unauthorized party not only gains access to but tampers
with an asset attack on integrity
Fabrication: An unauthorized party inserts counterfeit objects into the
system attack on authenticity

Security Services

AUTHENTICATION -: The assurance that the communicating entity is


the one that it claims to be
Peer Entity Authentication -: Used in association with a logical
connection to provide confidence in the identity of the entities
connected
Data Origin Authentication -: In a connectionless transfer, provides
assurance that the source of received data is as claimed

ACCESS CONTROL -: The prevention of unauthorized use of a resource


(i.e., this service controls who can have access to a resource, under what
conditions access can occur, and what those accessing the resource are
allowed to do)

Security Services

DATA CONFIDENTIALITY -: The protection of data from unauthorized


disclosure
Connection Confidentiality -: The protection of all user data on a
connection
Connectionless Confidentiality -: The protection of all user data in a
single data block
Selective-Field Confidentiality -: The confidentiality of selected fields
within the user data on a connection or in a single data block
Traffic Flow Confidentiality -: The protection of the information that
might be derived from observation of traffic flows

Security Services
DATA INTEGRITY -: The assurance that data received are exactly as sent
by an authorized entity (i.e., contain no modification, insertion, deletion, or
replay)
Connection Integrity with Recovery -: Provides for the integrity of
all user data on a connection and detects any modification, insertion,
deletion, or replay of any data within an entire data sequence, with
recovery attempted
Connection Integrity without Recovery -: As above, but provides
only detection without recovery

Security Services

NONREPUDIATION -: Provides protection against denial by one of the


entities involved in a communication of having participated in all or part of
the communication
Nonrepudiation, Origin -: Proof that the message was sent by the
specified party
Nonrepudiation, Destination -: Proof that the message was received
by the specified party

AVAILABILITY-: Requires that computer system assets be available to


authorized parties when needed

SECURITY MECHANISMS

Encipherment -: The use of mathematical algorithms to transform data


into a form that is not readily intelligible

Digital Signature -: Data appended to, or a cryptographic transformation


of, a data unit that allows a recipient of the data unit to prove the source
and integrity of the data unit and protect against forgery (e.g., by the
recipient)

Access Control -: A variety of mechanisms that enforce access rights to


resources

Data Integrity -: A variety of mechanisms used to assure the integrity of a


data unit or stream of data units

SECURITY MECHANISMS
Authentication Exchange -: A mechanism intended to ensure the identity
of an entity by means of information exchange
Traffic Padding -: The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts
Routing Control -: Enables selection of particular physically secure routes
for certain data and allows routing changes, especially when a breach of
security is suspected
Notarization -: The use of a trusted third party to assure certain properties
of a data exchange

A Model for Network


Security

Tasks in security service

1. Design an algorithm for performing the security related


transformation(opponent cannot defeat its purpose)
2.Generate the secret information to be used
3.Develop methods for the distribution and sharing of secret
information
4.Specify a protocol to be used by the two principals that makes use
of the security algorithm and the secret information to achieve a
particular security service.

Classical Encryption
Techniques
Symmetric Encryption
encryption)

(conventional

encryption

or

single-key

Symmetric encryption is a form of cryptosystem in which encryption and


decryption are performed using the same key

Symmetric encryption transforms plaintext into ciphertext using a secret


key and an encryption algorithm. Using the same key and a decryption
algorithm, the plaintext is recovered from the ciphertext

An original message is known as the plaintext, while the coded message is


called the ciphertext

The process of converting from plaintext to ciphertext is known as


enciphering or encryption; restoring the plaintext from the ciphertext is
deciphering or decryption

The many schemes used for encryption constitute the area of study known
as cryptography. Such a scheme is known as a cryptographic system or
a cipher

Techniques used for deciphering a message without any knowledge of the


enciphering details fall into the area of cryptanalysis. Cryptanalysis is
what the layperson calls "breaking the code

The areas of cryptography and cryptanalysis together are called cryptology

Symmetric Encryption

A symmetric encryption scheme has five ingredients

Plaintext: This is the original intelligible message or data that is fed into
the algorithm as input

Encryption algorithm: The encryption algorithm performs various


substitutions and transformations on the plaintext

Secret key: The secret key is also input to the encryption algorithm. The
key is a value independent of the plaintext and of the algorithm. The
algorithm will produce a different output depending on the specific key
being used at the time. The exact substitutions and transformations
performed by the algorithm depend on the key

Symmetric Encryption

Ciphertext: This is the scrambled message produced as output. It depends


on the plaintext and the secret key. For a given message, two different keys
will produce two different ciphertexts. The ciphertext is an apparently
random stream of data and, as it stands, is unintelligible

Decryption algorithm: This is essentially the encryption algorithm run in


reverse. It takes the ciphertext and the secret key and produces the original
plaintext

Model of symmetric cryptosystem

Cryptographic Systems
Cryptographic systems are characterized along three independent
dimensions:
The type of operations used for transforming plaintext to ciphertext
All encryption algorithms are based on two general principles:
Substitution: in which each element in the plaintext (bit, letter, group of
bits or letters) is mapped into another element
Transposition: in which elements in the plaintext are rearranged
Product systems
The number of keys used
If both sender and receiver use the same key, the system is referred to as
symmetric, single-key, secret-key, or conventional encryption
If the sender and receiver use different keys, the system is referred to as
asymmetric, two-key, or public-key encryption

Cryptographic Systems

The way in which the plaintext is processed


A block cipher processes the input one block of elements at a time,
producing an output block for each input block
A stream cipher processes the input elements continuously, producing
output one element at a time, as it goes along

Cryptanalysis

Objective of attack?
Cryptanalysis
Cryptanalytic attacks rely on the nature of the algorithm plus perhaps
some knowledge of the general characteristics of the plaintext or even
some sample plaintext-ciphertext pairs
Exploits the characteristics of the algorithm to deduce the key or
plaintext

Brute-force attack
The attacker tries every possible key on a piece of ciphertext until an
intelligible translation into plaintext is obtained

Types of cryptanalytic
attacks

Ciphertext-only attack
The cryptanalyst does not know any of the underlying plaintext
A basic assumption is that ciphertext is always available to an attacker

Known-plaintext attack
The attacker is having the ciphertext and as well as some of the
corresponding plaintext (One or more plaintext-ciphertext pairs formed
with the secret key)

Types of cryptanalytic
attacks
Chosen plaintext attack
cryptanalyst can encrypt a plaintext of his choosing and study the
resulting ciphertext
This is most common against asymmetric cryptography, where a
cryptanalyst has access to a public key
Chosen ciphertext attack
cryptanalyst chooses a ciphertext and attempts to find a matching
plaintext
This can be done with a decryption oracle (a machine that decrypts
without exposing the key)

Unconditionally Secured
encryption scheme
If the ciphertext generated by the scheme doesnt contain enough information
to determine uniquely the corresponding plain text and no matter that how
much ciphertext is available
The encryption algorithm should meet one or both of the following
criteria:
The cost of breaking the cipher exceeds the value of the encrypted
information
The time required to break the cipher exceeds the useful lifetime of the
information
If both the above criteria are met, such an encryption scheme is said to be
computationally secure

Substitution Ciphers
1) Caesar cipher

Caesar cipher involves replacing each letter of the alphabet with the letter
standing three places further down the alphabet

The alphabet is wrapped around, so that the letter following Z is A

Assign a numerical equivalent to each letter as 0,1,2,25


a b c
0 1 2
n o
13 14

d e f
3 4 5
p q
15 16

g h i
6 7 8
r s
17 18

j k l m
9 10 11 12
t u v w x y Z
19 20 21 22 23 24 25

Substitution Ciphers

The algorithm can be expressed as follows:


C=E(p)=(p+k) mod 26 ; where k 1 to 25
The decryption algorithm
p=D(C)=(C-k) mod 26
Three important characteristics of this problem enabled us to use a bruteforce cryptanalysis:
The encryption and decryption algorithms are known
There are only 25 keys to try
The language of the plaintext is known and easily recognizable
Exercise 1
Cryptanalyse the following ciphertext with brute-force method
GCUA VQ DTGCM

Substitution Ciphers
2) Monoalphabetic Cipher (26! Key combinations)
Uses a KEY, which is the rearrangement of the letters of the alphabet
These different keys are then substituted for the letters in the plaintext to
create a ciphertext
The key is needed to decipher the secret message
Encrypt the message "meet me at school", by using a key : REMAINDER
P
T
P
T

W X

Substitution Ciphers

CIPHERTEXT : JIITJIRTSMBLLH
Monoalphabetic encryption is very easy to break, for two main reasons :
require only 26! decipherments
words with repeated letters like "meet" in the example show that
repetition in the ciphertext (frequency of the appearance of letters)
Countermeasure
- Provide multiple substitutes, known as homophones

Substitution Ciphers
3) Homophonic Cipher
Replacing each letter with a variety of substitutes
The letter 'a' accounts for roughly 8% of all letters in English, so we assign
8 symbols to represent it
The letter 'b' accounts for 2% of all letters and so we assign 2 symbols to
represent it
At the end of encipherment (after encrypting) each symbol will constitute
roughly 1% of the ciphertext.

Substitution Ciphers
Enciphering a Message
"In wartime, truth is so precious

But before we do, we should count the letters to see how they correspond
with the "standard" frequency count.

Substitution Ciphers
4) Playfair Cipher

First practical digraph substitution cipher


The technique encrypts pairs of letters (digraphs), instead of single letters
as in the simple substitution cipher
It was used for tactical purposes by British forces in the Second Boer War
and in World War I and for the same purpose by the Australians during
World War II
Playfair algorithm is based on the use of 5 x 5 matrix of letters constructed
using a keyword

Substitution Ciphers
The 'key' for a playfair
cipher is generally a word,
for the sake of example we
will choose 'monarchy'.
This is then used to
generate a 'key square', e.g.

Note that there is no 'j', it is


combined with 'i'. We now
apply the encryption rules to
encrypt the plaintext.

1. Repeating plaintext letters that are in the


same pair are separated with a filler letter, such
as x, so that full would be treated as fu lx lz
2. Two plaintext letters that fall in the same row
of the matrix are each replaced by the letter to
the right, with the first element of the row
circularly following the last. For example, ar is
encrypted as RM.
3. Two plaintext letters that fall in the same
column are each replaced by the letter beneath,
with the top element of the column circularly
following the last. For example, mu is
encrypted as CM.
4. Otherwise, each plaintext letter in a pair is
replaced by the letter that lies in its own row
and the column occupied by the other plaintext
letter. Thus, hs becomes BP and ea becomes
IM (or JM, as the encipherer wishes).

Playfair Cipher

Substitution Ciphers

Exercise 2

Encrypt the following using playfair cipher

hackingbeers with a key MARYQUEEN

Substitution Ciphers
5) Polyalphabetic Cipher

Using more than one alphabet, switching between them systematically


This type of cipher is called a polyalphabetic substitution cipher
One such cipher is the famous Vigenere cipher, which was thought to be
unbreakable for almost 300 years

How this Cipher Works


1. Pick a keyword (for our example, the keyword will be "MEC"). And plaintext we
need more supplies fast
2. Write your keyword across the top of the text you want to encipher, repeating it as
many times as necessary.
3. For each letter, look at the letter of the keyword above it (if it was 'M', then you
would go to the row that starts with an 'M'), and find that row in the Vigenere Table

4. Then find the column of your plaintext letter (for example, 'w', so the
twenty-third column).
5. Finally, trace down that column until you reach the row you found before
and write down the letter in the cell where they intersect

Exercise 3

How to Decipher This??? ELCZKJMM


using key MEC

Substitution Ciphers
6) Hill Cipher

Hill Cipher has its roots in matrix theory

Understand by Example

Consider a Plaintext CAT and now we are encrypting it by using Hill


Cipher Substitution technique.
Treat all character as a number. So that A=0, B=1, C=2,, Z=25
Organize a matrix by using plaintext. Here Plaintext is CAT. So that
C=2, A=0, T=19. This is known as Plaintext Matrix

Substitution Ciphers
Chose a random key matrix. This key matrix consists of size nxn order

Multiply both the Matrix (i.e. Key Matrix & Plaintext Matrix)

Now compute a mod 26 value of the above resultant matrix. That is,
take reminder after dividing the above matrix values by 26. That is:

Substitution Ciphers

31/26 = 1 with reminder 5 which goes in above matrix and so on


Translating number in to alphabet. i.e. 5=F, 8=I, and 13=N
Our Cipher text is FIN
For Decryption: Multiply the cipher text matrix & Inverse of Key
Matrix

=>

C = KP mod 26

In general terms, the Hill system can be expressed as follows:


C = E(K, P) = KP mod 26
P = D(K, P) = K-1C mod 26 = K-1KP = P

Substitution Ciphers

Exercise 4

Encrypt the following by using Hill Cipher and then decipher it.
dad by using key ANOTHERBZ

Transposition Ciphers

In the Transposition Technique,there is no any substitution of characters;


instead their position change

A character in 1st position of Plaintext may appear in the 10


the cipher text

A transposition cipher re-orders characters in a block of symbols. There are


Various Transposition cipher techniques given following:
Rail Fence Technique
Simple Columnar Technique
Vernam Cipher (One-time Pad)

th

position of

Transposition Ciphers
1) Rail Fence Technique
Rail Fence technique involves writing plain text message as a sequence of
diagonals and then reading it row-by-row to produce cipher text
Encryption Algorithm: Write down the plain text message as a sequence of diagonals
Read the Plain text Row-by-Row and write down left to right then top
to bottom
Example
Original Plain text massage: Come Home Tomorrow
After we arrange the plaintext message as a sequence of diagonals, it look
like follows

Now read the text row-by-row, and write it sequentially. Thus we have:
CMHMTMROOEOEOORW as the cipher text

Transposition Ciphers
2) Simple Columnar Transposition Technique
Simple columnar transposition technique simply arranges the plaintext as a
sequence of rows of a rectangle that are read in columns randomly
Write the plain text message row-by-row in a rectangle of a pre-defined size
Read the message column-by-column. However it need not be in order of
columns 1, 2, 3 etc. it can be in any order such as 2, 3, 1 etc
The message thus obtained is the cipher text message
Example
Original Plain text massage: Come Home Tomorrow
Let us consider a rectangle with six columns. Therefore, when we write the
message in the rectangle row-by-row suppressing spaces

Now , let us decide the order of columns as some random order, say 4, 6, 1, 2,
5 & 3. Then read the text in the order of these columns
The ciphertext thus obtained would be EOWOOCMROEHMMTO

Transposition Ciphers
3) Simple Columnar Transposition Technique with multiple Rounds
To improve the basic simple columnar, we can introduce more complexity
Use the same basic operation of simple columnar technique, but do it more
than once
Algorithm:
Write the plain text message row-by-row in a rectangle of a pre-defined
size
Read the message column-by-column. However, it need not to be in
order of column 1, 2, 3 etc. it can be any random order such as 2, 3, 1 etc
The message thus obtained is the cipher text message of round 1
Repeat steps 1to 3 as many times as desired

Transposition Ciphers
4) Vernam Cipher (One - time pad)
It is implemented using a random set of characters as the key
Main point is that once a key text for transposition is used, it is never used
again for any other message. So it is called One-Time
Length of the key text is equal to the length of the original plain text
Algorithm
Translate each plain text alphabet in to corresponding Number (i.e. A=0,
B=1,,Z=25)
Do the same for each character key text
Add each number corresponding to the plain text alphabet to the
corresponding key text alphabet number
If the sum thus produced is greater than 26, subtract 26 from it
Translate each number of the sum back to the corresponding alphabet. This
gives the output ciphertext

Transposition Ciphers
Example
Plain text message: HOW ARE YOU
One-time pad (KEY TEXT) : NCBTZQARX

One-time pad is discarded after a single use


This technique is highly secure and suitable for small plain text message.
It is clearly impractical for large messages

Block Ciphers and the Data


Encryption Standard

Block vs Stream Ciphers

block ciphers process messages in into blocks, each of which is then


en/decrypted

like a substitution on very big characters


64-bits or more

stream ciphers process messages a bit or byte at a time when en/decrypting

many current ciphers are block ciphers

Claude Shannon and


Substitution-Permutation
Ciphers

in 1949 Claude Shannon introduced idea of substitution-permutation (S-P)


networks
modern substitution-transposition product cipher

these form the basis of modern block ciphers

S-P networks are based on the two primitive cryptographic operations we


have seen before:
substitution (S-box)
permutation (P-box)

provide confusion and diffusion of message

Confusion and Diffusion


diffusion dissipates statistical structure of plaintext over bulk of ciphertext
confusion makes relationship between ciphertext and key as complex as
possible

Feistel Cipher Structure


Horst Feistel devised the feistel cipher
based on concept of invertible product cipher
partitions input block into two halves
process through multiple rounds which:
perform a substitution on left data half
based on round function of right half & sub key
then have permutation swapping halves
implements Shannons substitution-permutation
network concept

Feistel Cipher Structure (1973)


Virtually all conventional block encryption
algorithms including data encryption standard (DES)
are based on Feistel Cipher Structure.
i
The plaintext is divided into
two halves L0 and R0
Then the two halves pass through n rounds of
processing then combine to produce the cipher
block.
Each round i has as input Li 1 and Ri 1 derived from
the previous round as well as a sub-key K i derived
from the overall K

Feistel Cipher Structure (1973)


All rounds have the same structure
A substitution is performed on the left half of the
data. This is done by applying a round function F to
the right half of the data followed by the XOR of
the output of that function and the left half of the
data.

Classical Feistel Network

Classical Feistel Network

Design Features of Feistel Network


Block Size: (larger block means greater security)
64 bits.
Key Size:56-128 bits.
Number of Rounds: a single round offers
inadequate security, a typical size is 16 rounds.
Sub-key Generation Algorithms: greater
complexity should lead to a greater difficulty of
cryptanalysis.
Round function: Again, greater complexity
generally means greater resistance to
cryptanalysis.

Design Features of Feistel Network


.
Fast Software encryption/Decryption: the speed of
execution of the algorithm is important.
Ease of Analysis: to be able to develop a higher level
of assurance as to its strength
Decryption: use the same algorithm with reversed
keys.

Feistel Encryption and Decryption

Simplified DES (S-DES)


Developed by Prof. Edward Schaefer of Santa Clara
University 1996.
Takes 8 bit block of plain text and 10 bit key as input
and produce an 8 bit block cipher text output.
The encryption algorithm involves 5 functions: initial
permutation (IP); a complex function fk which
involves substitution and permutation depends on the
key; simple permutation function (switch) SW; the
function fk again and final inverse of the initial
permutation( IP-1).

Simplified DES Scheme

Overview
We can express the encryption algorithm as a
composition function:
IP-1fk2 SW fk1 IP
OR ;
Ciphertext=IP-1(fk2(SW(fk1(IP(plaintext)))))
Where,
K1=P8(shift(P10(key)))
K2 =P8 (shift(shift(P10(key))))
The decryption algorithm is:
Plaintext=IP-1 (fk1(SW(fk2(IP(Ciphertext)))))

Key Generation for S-DES

Key Generation for S-DES


First permute the key in the following way:
P10
3

10

Ex: (1010000010)is permuted to (1000001100)


Perform a circular left shift to each bits of the key:
Ex: (10000 01100)(00001 11000)
Next apply P8
P
8

This yields K1=(10100100)

10

Continue
Then perform again 2 bit circular shift left on
each of the five bits:
(00001)(11000)(00100)(00011)
Finally apply again P8:
Then K2=(01000011)

S-DES Encryption

S-DES Encryption
The i/p 8-bit block plaintext is first permuted using the
IP function:
IP
2

At the end of the algorithm the inverse permutation is


used :
IP-1
4

IP-1(IP(X))=X;
Ex: IP{(10110101)}=(01111100)

IP-1 {01111100}=(10110101)

The Function fk
Let L and R be the left most 4 bits and
rightmost 4 bits of the 8 bits input
fk (L, R)=(LF(R,SK),R)
Where SK is a sub key and the is bit-by-bit
XOR function.
Ex: if the o/p of the IP is (10111101) and
F(1101,SK)=(1110) for some SK then
fk(10111101)=(1011) (1110)=(0101)

Continue
Recall the first operation is an expansion and permutation to first
4 bits as follows:
E/P
4

We can depict the result as :


n4

n1

n2

n3

n2

n3

n4

n1

The 8 bit key K1is added to this value using XOR:


n4+K11

n1+ K12

n2 +K13

n3 +K14

n2 +K15

n3 +K16

n4 +K17

n1 +K18

Continue
Let us rename these bits:
P0,0

P0,1

P0,2

P0,3

P1,0

P1,1

P1,2

P1,3

The first row of the matrix 4 bits are fed into the Sbox S0 to produce 2 bit o/p and the remaining 2 bits
are fed to S1 to produce another 2 bits

S-Box
The s-box operates as follows: (P0,0,P0,3 ) determine the
row of the S0 matrix and (P0,1,P0,2 )determine the column:
1
3
S0
0

0 3 2

2 1 0
, S1

2 1 3

1 3 2

0 1 2 3
2 0 1 3
3 0 1 0

2 1 0 3

Ex: if (P0,0,P0,3 ) =(00), (P0,1,P0,2 )=(10) then the o/p is from


row 0 and column 2 in S0 which is equal to 3, i.e., (11) in
binary.
In a similar way we can produce the other two bits

The Switch Function (SW)


SW interchange the left and right 4 bits so that
the second instance of fK operates on a
different 4 bits.

Feistel Cipher Structure

Horst Feistel devised the feistel cipher


based on concept of invertible product cipher

partitions input block into two halves


process through multiple rounds which
perform a substitution on left data half
based on round function of right half & subkey
then have permutation swapping halves

implements Shannons substitution-permutation network concept

Feistel Cipher Structure

Feistel Cipher Design


Principles
block size
increasing size improves security, but slows cipher
key size
increasing size improves security, makes exhaustive key searching harder, but may slow
cipher
number of rounds
increasing number improves security, but slows cipher
subkey generation
greater complexity can make analysis harder, but slows cipher
round function
greater complexity can make analysis harder, but slows cipher
fast software en/decryption & ease of analysis
are more recent concerns for practical use and testing

Feistel Cipher Decryption

Data Encryption Standard


(DES)

most widely used block cipher in world

adopted in 1977 by NBS (now NIST)


as FIPS PUB 46

encrypts 64-bit data using 56-bit key

has widespread use

has been considerable controversy over its security

DES History

IBM developed Lucifer cipher


by team led by Feistel
used 64-bit data blocks with 128-bit key

then redeveloped as a commercial cipher with input from NSA and others

in 1973 NBS issued request for proposals for a national cipher standard

IBM submitted their revised Lucifer which was eventually accepted as the
DES

DES Design Controversy

although DES standard is public

was considerable controversy over design


in choice of 56-bit key (vs Lucifer 128-bit)
and because design criteria were classified

subsequent events and public analysis show in fact design was appropriate

DES has become widely used, esp in financial applications

DES Encryption

Initial Permutation IP

first step of the data computation

IP reorders the input data bits

even bits to LH half, odd bits to RH half

quite regular in structure (easy in h/w)

DES Round Structure

uses two 32-bit L & R halves

as for any Feistel cipher can describe as:


Li = Ri1
Ri = Li1 xor F(Ri1, Ki)

takes 32-bit R half and 48-bit subkey and:


expands R to 48-bits using perm E
adds to subkey
passes through 8 S-boxes to get 32-bit result
finally permutes this using 32-bit perm P

DES Round Structure

Substitution Boxes S

have eight S-boxes which map 6 to 4 bits

each S-box is actually 4 little 4 bit boxes


outer bits 1 & 6 (row bits) select one rows
inner bits 2-5 (col bits) are substituted
result is 8 lots of 4 bits, or 32 bits

row selection depends on both data & key

DES Key Schedule

forms subkeys used in each round

consists of:
initial permutation of the key (PC1) which selects 56-bits in two 28-bit
halves
16 stages consisting of:
selecting 24-bits from each half
permuting them by PC2 for use in function f,
rotating each half separately either 1 or 2 places depending on the
key rotation schedule K

DES Decryption
decrypt must unwind steps of data computation
with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 SK1)
note that IP undoes final FP step of encryption
1st round with SK16 undoes 16th encrypt round
.
16th round with SK1 undoes 1st encrypt round
then final FP undoes initial encryption IP
thus recovering original data value

Avalanche Effect

key desirable property of encryption alg

where a change of one input or key bit results in changing approx half
output bits

making attempts to home-in by guessing keys impossible

DES exhibits strong avalanche

Strength of DES Key Size

56-bit keys have 256 = 7.2 x 1016 values

brute force search looks hard

recent advances have shown is possible


in 1997 on Internet in a few months
in 1998 on dedicated h/w (EFF) in a few days
in 1999 above combined in 22hrs!

still must be able to recognize plaintext

now considering alternatives to DES

Strength of DES Analytic


Attacks

now have several analytic attacks on DES

these utilise some deep structure of the cipher


by gathering information about encryptions
can eventually recover some/all of the sub-key bits
if necessary then exhaustively search for the rest

generally these are statistical attacks

include
differential cryptanalysis
linear cryptanalysis
related key attacks

Differential Cryptanalysis

one of the most significant recent (public) advances in cryptanalysis

known by NSA in 70's cf DES design

Murphy, Biham & Shamir published 1990

powerful method to analyse block ciphers

used to analyse most current block ciphers with varying degrees of success

DES reasonably resistant to it, cf Lucifer

Differential Cryptanalysis

a statistical attack against Feistel ciphers

uses cipher structure not previously used

design of S-P networks has output of function f influenced by both input &
key

hence cannot trace values back through cipher without knowing values of
the key

Differential Cryptanalysis compares two related pairs of encryptions

Differential Cryptanalysis
Compares Pairs of Encryptions
with a known difference in the input
searching for a known difference in output
when same subkeys are used

Differential Cryptanalysis

have some input difference giving some output difference with probability
p

if find instances of some higher probability input / output difference pairs


occurring

can infer subkey that was used in round

then must iterate process over many rounds (with decreasing probabilities)

Differential Cryptanalysis

Differential Cryptanalysis
perform attack by repeatedly encrypting plaintext pairs with known input XOR until
obtain desired output XOR
when found
if intermediate rounds match required XOR have a right pair
if not then have a wrong pair, relative ratio is S/N for attack
can then deduce keys values for the rounds
right pairs suggest same key bits
wrong pairs give random values
for large numbers of rounds, probability is so low that more pairs are required than exist
with 64-bit inputs
Biham and Shamir have shown how a 13-round iterated characteristic can break the full
16-round DES

Linear Cryptanalysis

another recent development

also a statistical method

must be iterated over rounds, with decreasing probabilities

developed by Matsui et al in early 90's

based on finding linear approximations

can attack DES with 247 known plaintexts, still in practise infeasible

Linear Cryptanalysis

find linear approximations with prob p !=


P[i1,i2,...,ia](+)C[j1,j2,...,jb] = K[k1,k2,...,kc]
where ia,jb,kc are bit locations in P,C,K

gives linear equation for key bits

get one key bit using max likelihood alg

using a large number of trial encryptions

effectiveness given by: |p|

Block Cipher Design


Principles

basic principles still like Feistel in 1970s

number of rounds
more is better, exhaustive search best attack

function f:
provides confusion, is nonlinear, avalanche

key schedule
complex subkey creation, key avalanche

Modes of Operation
block ciphers encrypt fixed size blocks
eg. DES encrypts 64-bit blocks, with 56-bit key
need way to use in practise, given usually have arbitrary amount of
information to encrypt
four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of
Use
subsequently now have 5 for DES and AES
have block and stream modes

Electronic Codebook Book


(ECB)

message is broken into independent blocks which are encrypted

each block is a value which is substituted, like a codebook, hence name

each block is encoded independently of the other blocks


Ci = DESK1 (Pi)

uses: secure transmission of single values

Electronic Codebook Book


(ECB)

Advantages and Limitations of


ECB

repetitions in message may show in ciphertext


if aligned with message block
particularly with data such graphics
or with messages that change very little, which become a code-book
analysis problem

weakness due to encrypted message blocks being independent

main use is sending a few blocks of data

Cipher Block Chaining (CBC)

message is broken into blocks

but these are linked together in the encryption operation

each previous cipher blocks is chained with current plaintext block, hence
name

use Initial Vector (IV) to start process


Ci = DESK1(Pi XOR Ci-1)
C-1 = IV

uses: bulk data encryption, authentication

Cipher Block Chaining (CBC)

Advantages and Limitations of


CBC

each ciphertext block depends on all message blocks

thus a change in the message affects all ciphertext blocks after the change as well
as the original block

need Initial Value (IV) known to sender & receiver


however if IV is sent in the clear, an attacker can change bits of the first block,
and change IV to compensate
hence either IV must be a fixed value (as in EFTPOS) or it must be sent
encrypted in ECB mode before rest of message

at end of message, handle possible last short block


by padding either with known non-data value (eg nulls)
or pad last block with count of pad size
eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count

Cipher FeedBack (CFB)


message is treated as a stream of bits
added to the output of the block cipher
result is feed back for next stage (hence name)
standard allows any number of bit (1,8 or 64 or whatever) to be feed back
denoted CFB-1, CFB-8, CFB-64 etc
is most efficient to use all 64 bits (CFB-64)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
uses: stream data encryption, authentication

Cipher FeedBack (CFB)

Advantages and Limitations of


CFB

appropriate when data arrives in bits/bytes

most common stream mode

limitation is need to stall while do block encryption after every n-bits

note that the block cipher is used in encryption mode at both ends

errors propogate for several blocks after the error

Output FeedBack (OFB)


message is treated as a stream of bits
output of cipher is added to message
output is then feed back (hence name)
feedback is independent of message
can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
uses: stream encryption over noisy channels

Output FeedBack (OFB)

Advantages and Limitations of


OFB
used when error feedback a problem or where need to encryptions before message
is available
superficially similar to CFB
but feedback is from the output of cipher and is independent of message
a variation of a Vernam cipher
hence must never reuse the same sequence (key+IV)
sender and receiver must remain in sync, and some recovery method is needed to
ensure this occurs
originally specified with m-bit feedback in the standards
subsequent research has shown that only OFB-64 should ever be used

Counter (CTR)

a new mode, though proposed early on

similar to OFB but encrypts counter value rather than any feedback value

must have a different key & counter value for every plaintext block (never
reused)
Ci = Pi XOR Oi
Oi = DESK1(i)

uses: high-speed network encryptions

Counter (CTR)

Advantages and Limitations of


CTR

efficiency
can do parallel encryptions
in advance of need
good for bursty high speed links

random access to encrypted data blocks

provable security (good as other modes)

but must ensure never reuse key/counter values, otherwise could break (cf
OFB)