
Ph.D.

Course Work

UNIT 2 - ENCRYPTION – SYMMETRIC TECHNIQUES

Subject Name : SECURITY PRINCIPLES AND CRYPTOGRAPHY THEORY PRACTICES


Course Code : CS3023
Faculty Name : Dr. S. Pradeep
Designation : Assistant Professor

Course Outcomes

CO No. Course Outcomes

CO2 To appreciate the different aspects of encryption techniques.

Syllabus – Unit 2
UNIT II - ENCRYPTION – SYMMETRIC TECHNIQUES (9 Hours)
Substitution Ciphers – Transposition Ciphers – Classical Ciphers - DES -
AES - Confidentiality Modes of Operation – Key Channel Establishment for
symmetric cryptosystems.

ADVANCED ENCRYPTION STANDARD
TOPICS

• ORIGIN OF AES

• BASIC AES

• INSIDE ALGORITHM

• FINAL NOTES
AES: ADVANCED ENCRYPTION STANDARD
• symmetric-key NIST standard, replaced DES (Nov 2001)
• processes data in 128 bit blocks
• 128, 192, or 256 bit keys
• brute force decryption (try each key) taking 1 sec on DES takes 149 trillion years for AES
ORIGINS

• A REPLACEMENT FOR DES WAS NEEDED


• KEY SIZE IS TOO SMALL

• CAN USE TRIPLE-DES – BUT SLOW, SMALL BLOCK

• US NIST ISSUED CALL FOR CIPHERS IN 1997

• 15 CANDIDATES ACCEPTED IN JUN 98

• 5 WERE SHORTLISTED IN AUG 99


THE ADVANCED ENCRYPTION
STANDARD (AES)
• IN 1997, THE U.S. NATIONAL INSTITUTE FOR STANDARDS AND
TECHNOLOGY (NIST) PUT OUT A PUBLIC CALL FOR A REPLACEMENT
TO DES.
• IT NARROWED DOWN THE LIST OF SUBMISSIONS TO FIVE FINALISTS,
AND ULTIMATELY CHOSE AN ALGORITHM THAT IS NOW KNOWN AS
THE ADVANCED ENCRYPTION STANDARD (AES).
• AES IS A BLOCK CIPHER THAT OPERATES ON 128-BIT BLOCKS. IT IS
DESIGNED TO BE USED WITH KEYS THAT ARE 128, 192, OR 256 BITS
LONG, YIELDING CIPHERS KNOWN AS AES-128, AES-192, AND AES-256.

AES ROUND STRUCTURE
• THE 128-BIT VERSION OF THE AES ENCRYPTION ALGORITHM PROCEEDS IN TEN ROUNDS.
• EACH ROUND PERFORMS AN INVERTIBLE TRANSFORMATION ON A 128-BIT ARRAY, CALLED STATE.
• THE INITIAL STATE X_0 IS THE XOR OF THE PLAINTEXT P WITH THE KEY K: X_0 = P XOR K.
• ROUND i (i = 1, …, 10) RECEIVES STATE X_{i-1} AS INPUT AND PRODUCES STATE X_i.
• THE CIPHERTEXT C IS THE OUTPUT OF THE FINAL ROUND: C = X_10.

AES ROUNDS
• EACH ROUND IS BUILT FROM FOUR BASIC STEPS:
1. SUBBYTES STEP: AN S-BOX SUBSTITUTION STEP
2. SHIFTROWS STEP: A PERMUTATION STEP
3. MIXCOLUMNS STEP: A MATRIX MULTIPLICATION STEP
4. ADDROUNDKEY STEP: AN XOR STEP WITH A ROUND KEY
DERIVED FROM THE 128-BIT ENCRYPTION KEY

BLOCK CIPHER MODES
• A BLOCK CIPHER MODE DESCRIBES THE WAY A BLOCK CIPHER ENCRYPTS AND DECRYPTS A SEQUENCE OF MESSAGE BLOCKS.
• ELECTRONIC CODE BOOK (ECB) MODE (IS THE SIMPLEST):
• BLOCK P[i] ENCRYPTED INTO CIPHERTEXT BLOCK C[i] = E_K(P[i])
• BLOCK C[i] DECRYPTED INTO PLAINTEXT BLOCK P[i] = D_K(C[i])

Public domain images from http://en.wikipedia.org/wiki/File:Ecb_encryption.png and http://en.wikipedia.org/wiki/File:Ecb_decryption.png
STRENGTHS AND WEAKNESSES OF ECB

• STRENGTHS:
• IS VERY SIMPLE
• ALLOWS FOR PARALLEL ENCRYPTIONS OF THE BLOCKS OF A PLAINTEXT
• CAN TOLERATE THE LOSS OR DAMAGE OF A BLOCK
• WEAKNESS:
• DOCUMENTS AND IMAGES ARE NOT SUITABLE FOR ECB ENCRYPTION SINCE PATTERNS IN THE PLAINTEXT ARE REPEATED IN THE CIPHERTEXT
ANOTHER EXAMPLE

P(1) = "HTTP/1.1"  →  block cipher (t=1)  →  C(1) = "k329aM02"
P(17) = "HTTP/1.1"  →  block cipher (t=17)  →  C(17) = "k329aM02"

CIPHER BLOCK CHAINING (CBC) MODE
• IN CIPHER BLOCK CHAINING (CBC) MODE
• THE PREVIOUS CIPHERTEXT BLOCK IS COMBINED WITH THE CURRENT PLAINTEXT BLOCK: C[i] = E_K(C[i-1] ⊕ P[i])
• C[-1] = V, A RANDOM BLOCK SEPARATELY TRANSMITTED ENCRYPTED (KNOWN AS THE INITIALIZATION VECTOR)
• DECRYPTION: P[i] = C[i-1] ⊕ D_K(C[i])

(FIGURE) CBC ENCRYPTION: P[0], P[1], P[2], P[3] → E_K, CHAINED STARTING FROM V → C[0], C[1], C[2], C[3]
(FIGURE) CBC DECRYPTION: C[0], C[1], C[2], C[3] → D_K, CHAINED STARTING FROM V → P[0], P[1], P[2], P[3]
STRENGTHS AND WEAKNESSES OF CBC

• STRENGTHS:
• DOESN'T SHOW PATTERNS IN THE PLAINTEXT
• IS THE MOST COMMON MODE
• IS FAST AND RELATIVELY SIMPLE
• WEAKNESSES:
• CBC REQUIRES THE RELIABLE TRANSMISSION OF ALL THE BLOCKS SEQUENTIALLY
• CBC IS NOT SUITABLE FOR APPLICATIONS THAT ALLOW PACKET LOSSES (E.G., MUSIC AND VIDEO STREAMING)
JAVA AES ENCRYPTION EXAMPLE

• SOURCE: http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html

• GENERATE AN AES KEY

    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;

    // a fresh random AES key from the JCE provider
    KeyGenerator keygen = KeyGenerator.getInstance("AES");
    SecretKey aesKey = keygen.generateKey();

• CREATE A CIPHER OBJECT FOR AES IN ECB MODE AND PKCS5 PADDING

    Cipher aesCipher;
    aesCipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

• ENCRYPT

    aesCipher.init(Cipher.ENCRYPT_MODE, aesKey);
    byte[] plaintext = "My secret message".getBytes();
    byte[] ciphertext = aesCipher.doFinal(plaintext);

• DECRYPT

    aesCipher.init(Cipher.DECRYPT_MODE, aesKey);
    byte[] plaintext1 = aesCipher.doFinal(ciphertext);
AES COMPETITION
REQUIREMENTS
• PRIVATE KEY SYMMETRIC BLOCK CIPHER

• 128-BIT DATA, 128/192/256-BIT KEYS

• STRONGER & FASTER THAN TRIPLE-DES

• PROVIDE FULL SPECIFICATION & DESIGN DETAILS

• BOTH C & JAVA IMPLEMENTATIONS


AES EVALUATION CRITERIA

• INITIAL CRITERIA:
• SECURITY – EFFORT FOR PRACTICAL CRYPTANALYSIS
• COST – IN TERMS OF COMPUTATIONAL EFFICIENCY
• ALGORITHM & IMPLEMENTATION CHARACTERISTICS

• FINAL CRITERIA
• GENERAL SECURITY
• EASE OF SOFTWARE & HARDWARE IMPLEMENTATION
• IMPLEMENTATION ATTACKS
• FLEXIBILITY (IN EN/DECRYPT, KEYING, OTHER FACTORS)
AES SHORTLIST
• AFTER TESTING AND EVALUATION, SHORTLIST IN AUG-99
• MARS (IBM) - COMPLEX, FAST, HIGH SECURITY MARGIN
• RC6 (USA) - V. SIMPLE, V. FAST, LOW SECURITY MARGIN
• RIJNDAEL (BELGIUM) - CLEAN, FAST, GOOD SECURITY
MARGIN
• SERPENT (EURO) - SLOW, CLEAN, V. HIGH SECURITY MARGIN
• TWOFISH (USA) - COMPLEX, V. FAST, HIGH SECURITY MARGIN

• FOUND CONTRAST BETWEEN ALGORITHMS WITH


• FEW COMPLEX ROUNDS VERSUS MANY SIMPLE ROUNDS
• REFINED VERSIONS OF EXISTING CIPHERS VERSUS NEW
PROPOSALS
THE AES CIPHER - RIJNDAEL

• RIJNDAEL WAS SELECTED AS THE AES IN OCT-2000
• DESIGNED BY VINCENT RIJMEN AND JOAN DAEMEN IN BELGIUM
• ISSUED AS FIPS PUB 197 STANDARD IN NOV-2001
• AN ITERATIVE RATHER THAN FEISTEL CIPHER
• PROCESSES DATA AS BLOCK OF 4 COLUMNS OF 4 BYTES (128 BITS)
• OPERATES ON ENTIRE DATA BLOCK IN EVERY ROUND
• RIJNDAEL DESIGN:
• SIMPLICITY
• HAS 128/192/256 BIT KEYS, 128 BITS DATA
• RESISTANT AGAINST KNOWN ATTACKS
• SPEED AND CODE COMPACTNESS ON MANY CPUS

(PHOTOS: V. Rijmen, J. Daemen)
TOPICS

• ORIGIN OF AES

• BASIC AES

• INSIDE ALGORITHM

• FINAL NOTES
AES CONCEPTUAL SCHEME

(FIGURE) Plaintext (128 bits) + AES Key (128-256 bits) → AES → Ciphertext (128 bits)
MULTIPLE ROUNDS
• ROUNDS ARE (ALMOST) IDENTICAL
• FIRST AND LAST ROUND ARE A LITTLE DIFFERENT

HIGH LEVEL DESCRIPTION

(FIGURE: sequence of rounds; the final round has no MixColumns)
OVERALL STRUCTURE
128-BIT VALUES

• DATA BLOCK VIEWED AS 4-BY-4 TABLE OF BYTES
• REPRESENTED AS 4 BY 4 MATRIX OF 8-BIT BYTES.
• KEY IS EXPANDED TO ARRAY OF 32-BIT WORDS

(FIGURE: state matrix, 1 byte per cell)
DATA UNIT
UNIT TRANSFORMATION
CHANGING PLAINTEXT TO STATE
TOPICS

• ORIGIN OF AES

• BASIC AES

• INSIDE ALGORITHM

• FINAL NOTES
DETAILS OF EACH ROUND
SUBBYTES: BYTE SUBSTITUTION
• A SIMPLE SUBSTITUTION OF EACH BYTE
• PROVIDES CONFUSION
• USES ONE S-BOX OF 16X16 BYTES CONTAINING A PERMUTATION OF ALL 256 8-BIT VALUES
• EACH BYTE OF STATE IS REPLACED BY BYTE INDEXED BY ROW (LEFT 4-BITS) & COLUMN (RIGHT 4-BITS)
• E.G. BYTE {95} IS REPLACED BY BYTE IN ROW 9 COLUMN 5, WHICH HAS VALUE {2A}
• S-BOX CONSTRUCTED USING DEFINED TRANSFORMATION OF VALUES IN GALOIS FIELD GF(2^8)
SUBBYTES AND INVSUBBYTES
SUBBYTES OPERATION

• THE SUBBYTES OPERATION INVOLVES 16 INDEPENDENT BYTE-TO-BYTE TRANSFORMATIONS.
• Interpret the byte as two hexadecimal digits xy: S_{1,1} = (xy)_16
• SW implementation: use row (x) and column (y) as lookup pointer; the output byte is (x'y')_16
SUBBYTES TABLE
• IMPLEMENT BY TABLE LOOKUP
INVSUBBYTES TABLE
SAMPLE SUBBYTE TRANSFORMATION

• THE SUBBYTES AND INVSUBBYTES TRANSFORMATIONS ARE INVERSES OF EACH OTHER.
SHIFTROWS

• SHIFTING, WHICH PERMUTES THE BYTES.
• A CIRCULAR BYTE SHIFT IN EACH ROW
• 1ST ROW IS UNCHANGED
• 2ND ROW DOES 1 BYTE CIRCULAR SHIFT TO LEFT
• 3RD ROW DOES 2 BYTE CIRCULAR SHIFT TO LEFT
• 4TH ROW DOES 3 BYTE CIRCULAR SHIFT TO LEFT
• IN THE ENCRYPTION, THE TRANSFORMATION IS CALLED SHIFTROWS
• IN THE DECRYPTION, THE TRANSFORMATION IS CALLED INVSHIFTROWS AND THE SHIFTING IS TO THE RIGHT
SHIFTROWS SCHEME
SHIFTROWS AND INVSHIFTROWS
MIXCOLUMNS
• SHIFTROWS AND MIXCOLUMNS PROVIDE DIFFUSION TO THE CIPHER
• EACH COLUMN IS PROCESSED SEPARATELY
• EACH BYTE IS REPLACED BY A VALUE DEPENDENT ON ALL 4 BYTES IN THE COLUMN
• EFFECTIVELY A MATRIX MULTIPLICATION IN GF(2^8) USING PRIME POLY m(x) = x^8 + x^4 + x^3 + x + 1
MIXCOLUMNS SCHEME

The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.
MIXCOLUMN AND INVMIXCOLUMN
ADDROUNDKEY

• XOR STATE WITH 128-BITS OF THE ROUND KEY
• ADDROUNDKEY PROCEEDS ONE COLUMN AT A TIME.
• ADDS A ROUND KEY WORD WITH EACH STATE COLUMN MATRIX
• THE OPERATION IS MATRIX ADDITION
• INVERSE FOR DECRYPTION IDENTICAL, SINCE XOR IS ITS OWN INVERSE, WITH REVERSED KEYS
• DESIGNED TO BE AS SIMPLE AS POSSIBLE

ADDROUNDKEY SCHEME
AES ROUND
AES KEY SCHEDULING

• TAKES 128-BIT (16-BYTE) KEY AND EXPANDS INTO ARRAY OF 44 32-BIT WORDS
KEY EXPANSION SCHEME
KEY EXPANSION SUBMODULE

• ROTWORD PERFORMS A ONE BYTE CIRCULAR LEFT SHIFT ON A WORD. FOR EXAMPLE:

ROTWORD[B0,B1,B2,B3] = [B1,B2,B3,B0]

• SUBWORD PERFORMS A BYTE SUBSTITUTION ON EACH BYTE OF INPUT WORD USING THE S-BOX
• SUBWORD(ROTWORD(TEMP)) IS XORED WITH RCON[J] – THE ROUND CONSTANT
ROUND CONSTANT (RCON)

• RCON IS A WORD IN WHICH THE THREE RIGHTMOST BYTES ARE ZERO
• IT IS DIFFERENT FOR EACH ROUND AND DEFINED AS:
RCON[J] = (RC[J], 0, 0, 0)
WHERE RC[1] = 1, RC[J] = 2 * RC[J-1]
• MULTIPLICATION IS DEFINED OVER GF(2^8) BUT CAN BE IMPLEMENTED BY TABLE LOOKUP
KEY EXPANSION EXAMPLE (1ST ROUND)
• Example of expansion of a 128-bit cipher key
Cipher key = 2b7e151628aed2a6abf7158809cf4f3c
w0=2b7e1516 w1=28aed2a6 w2=abf71588 w3=09cf4f3c
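The S-box construction, round constants and key expansion described on the slides above, as an added Python example (not code from the slides): the S-box is computed from its GF(2^8) definition rather than typed in, and the expansion is run on the slides' example cipher key. The only assumption is that this is a general Nk = 4/6/8 expansion, so it also covers 192- and 256-bit keys.

```python
# Added example (not from the slides): build the AES S-box from GF(2^8)
# and run the FIPS-197 key expansion; checked against the slides' example key.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B                     # reduce by m(x) (0x11B without the x^8 bit)
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (0 maps to 0 by convention)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def sbox_byte(a: int) -> int:
    """S-box entry: GF(2^8) inverse followed by the FIPS-197 affine map."""
    x = gf_inv(a)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4) ^ 0x63

SBOX = [sbox_byte(i) for i in range(256)]   # 16x16 table, row = high nibble, column = low nibble

def rcon(j: int) -> int:
    """Round constant RC[j]: RC[1] = 1, RC[j] = 2 * RC[j-1] in GF(2^8)."""
    rc = 1
    for _ in range(j - 1):
        rc = gf_mul(rc, 2)
    return rc

def key_expansion(key: bytes) -> list:
    """Expand a 16/24/32-byte key into 4*(Nr+1) words (Nk = 4, 6 or 8, Nr = Nk + 6)."""
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = temp[1:] + temp[:1]          # RotWord
            temp = [SBOX[b] for b in temp]      # SubWord
            temp[0] ^= rcon(i // nk)            # XOR with Rcon[i/Nk] = (RC, 0, 0, 0)
        elif nk > 6 and i % nk == 4:
            temp = [SBOX[b] for b in temp]      # extra SubWord only for 256-bit keys
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return w

def words_hex(words: list) -> list:
    return [bytes(word).hex() for word in words]

# Cipher key from the slides (FIPS-197 Appendix A.1)
CIPHER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    print("S-box[95] =", hex(SBOX[0x95]))
    for i, word in enumerate(words_hex(key_expansion(CIPHER_KEY))):
        print(f"w{i} = {word}")
```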
TOPICS

• ORIGIN OF AES

• BASIC AES

• INSIDE ALGORITHM

• FINAL NOTES
AES SECURITY

• AES WAS DESIGNED AFTER DES.
• MOST OF THE KNOWN ATTACKS ON DES WERE ALREADY TESTED ON AES.
• BRUTE-FORCE ATTACK
• AES IS DEFINITELY MORE SECURE THAN DES DUE TO THE LARGER-SIZE KEY.
• STATISTICAL ATTACKS
• NUMEROUS TESTS HAVE FAILED TO DO STATISTICAL ANALYSIS OF THE CIPHERTEXT
• DIFFERENTIAL AND LINEAR ATTACKS
• THERE ARE NO DIFFERENTIAL AND LINEAR ATTACKS ON AES AS YET.
IMPLEMENTATION ASPECTS
• THE ALGORITHMS USED IN AES ARE SO SIMPLE THAT THEY CAN BE EASILY IMPLEMENTED USING CHEAP PROCESSORS AND A MINIMUM AMOUNT OF MEMORY.
• VERY EFFICIENT
• IMPLEMENTATION WAS A KEY FACTOR IN ITS SELECTION AS THE AES CIPHER
• AES ANIMATION:
• http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf
MODES OF
OPERATIONS
HOW TO USE A BLOCK CIPHER?
• BLOCK CIPHERS ENCRYPT FIXED-SIZE BLOCKS
• E.G. DES ENCRYPTS 64-BIT BLOCKS
• WE NEED SOME WAY TO ENCRYPT A MESSAGE OF ARBITRARY
LENGTH
• E.G. A MESSAGE OF 1000 BYTES
• NIST DEFINES SEVERAL WAYS TO DO IT
• CALLED MODES OF OPERATION

FIVE MODES OF OPERATION

• ELECTRONIC CODEBOOK MODE (ECB)
• CIPHER BLOCK CHAINING MODE (CBC) – MOST POPULAR
• OUTPUT FEEDBACK MODE (OFB)
• CIPHER FEEDBACK MODE (CFB)
• COUNTER MODE (CTR)
MESSAGE PADDING

• THE PLAINTEXT MESSAGE IS BROKEN INTO BLOCKS, P1, P2, P3, ...
• THE LAST BLOCK MAY BE SHORT OF A WHOLE BLOCK AND
NEEDS PADDING.
• POSSIBLE PADDING:
• KNOWN NON-DATA VALUES (E.G. NULLS)
• OR A NUMBER INDICATING THE SIZE OF THE PAD
• OR A NUMBER INDICATING THE SIZE OF THE
PLAINTEXT
• THE LAST TWO SCHEMES MAY REQUIRE AN
EXTRA BLOCK.

ELECTRONIC CODE BOOK (ECB)

• THE PLAINTEXT IS BROKEN INTO BLOCKS, P1, P2, P3, ...
• EACH BLOCK IS ENCRYPTED INDEPENDENTLY: C_i = E_K(P_i)
• FOR A GIVEN KEY, THIS MODE BEHAVES LIKE WE HAVE A GIGANTIC CODEBOOK, IN WHICH EACH PLAINTEXT BLOCK HAS AN ENTRY, HENCE THE NAME ELECTRONIC CODE BOOK
REMARKS ON ECB

• STRENGTH: IT'S SIMPLE.
• WEAKNESS:
• REPETITIVE INFORMATION CONTAINED IN THE PLAINTEXT MAY SHOW IN THE CIPHERTEXT, IF ALIGNED WITH BLOCKS.
• IF THE SAME MESSAGE (E.G., AN SSN) IS ENCRYPTED (WITH THE SAME KEY) AND SENT TWICE, THEIR CIPHERTEXTS ARE THE SAME.
• TYPICAL APPLICATION: SECURE TRANSMISSION OF SHORT PIECES OF INFORMATION (E.G. A TEMPORARY ENCRYPTION KEY)
CIPHER BLOCK CHAINING (CBC)

• The plaintext is broken into blocks: P_1, P_2, P_3, ...
• Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name):
C_i = E_K(C_{i-1} ⊕ P_i)
C_0 = IV
• Use an Initial Vector (IV) to start the process.
• Decryption: P_i = C_{i-1} ⊕ D_K(C_i)
• Application: general block-oriented transmission.
Cipher Block Chaining (CBC)
REMARKS ON CBC

• THE ENCRYPTION OF A BLOCK DEPENDS ON THE CURRENT AND ALL BLOCKS BEFORE IT.
• SO, REPEATED PLAINTEXT BLOCKS ARE ENCRYPTED DIFFERENTLY.
• INITIALIZATION VECTOR (IV)
• MUST BE KNOWN TO BOTH THE SENDER & RECEIVER
• TYPICALLY, IV IS EITHER A FIXED VALUE OR IS SENT ENCRYPTED IN ECB MODE BEFORE THE REST OF CIPHERTEXT.

• Without knowing the key k, for any data block x, E_k(x) is unknown to the adversary.
• To encrypt P_1, P_2, P_3, ..., we may use E_k to generate a key stream (a sequence of "masks") K_1, K_2, K_3, ..., and encrypt P_i as C_i = P_i ⊕ K_i.
• Three different ways to generate K_1, K_2, K_3, ...
CIPHER FEEDBACK MODE (BASIC VERSION)

• PLAINTEXT BLOCKS: P1, P2, …
• KEY: K
• BASIC IDEA: CONSTRUCT KEY STREAM K1, K2, K3, …
• ENCRYPTION:
c_0 = IV
k_i = E_k(c_{i-1}), for i ≥ 1
c_i = p_i ⊕ k_i, for i ≥ 1
CIPHER FEEDBACK (CFB) MODE

• The plaintext is a sequence of segments of s bits (where s ≤ block-size): P_1, P_2, P_3, P_4, …
• Encryption is used to generate a sequence of keys, each of s bits: K_1, K_2, K_3, K_4, …
• The ciphertext is C_1, C_2, C_3, C_4, …, where C_i = P_i ⊕ K_i
• How to generate the key stream?
GENERATING KEY STREAM FOR CFB

• The input to the block cipher is a shift register x; its value at stage i is denoted as x_i.
• Initially, x_1 = an initial vector (IV).
For i > 1, x_i = shift-left-s-bits(x_{i-1}) || C_{i-1}.
• Then, K_i = s-most-significant-bits(E_K(x_i)).
ENCRYPTION IN CFB MODE

DECRYPTION IN CFB MODE

• Generate key stream K_1, K_2, K_3, K_4, … the same way as for encryption.
• Then decrypt each ciphertext segment as: P_i = C_i ⊕ K_i
REMARK ON CFB

• THE BLOCK CIPHER IS USED AS A STREAM CIPHER.


• APPROPRIATE WHEN DATA ARRIVES IN BITS/BYTES.
• S CAN BE ANY VALUE; A COMMON VALUE IS S = 8.
• A CIPHERTEXT SEGMENT DEPENDS ON THE CURRENT
AND ALL PRECEDING PLAINTEXT SEGMENTS.
• A CORRUPTED CIPHERTEXT SEGMENT DURING
TRANSMISSION WILL AFFECT THE CURRENT AND
NEXT SEVERAL PLAINTEXT SEGMENTS.
• HOW MANY PLAINTEXT SEGMENTS WILL BE AFFECTED?

OUTPUT FEEDBACK MODE (BASIC VERSION)

• PLAINTEXT BLOCKS: P1, P2, …
• KEY: K
• BASIC IDEA: CONSTRUCT KEY STREAM K1, K2, K3, …
• ENCRYPTION:
k_0 = IV
k_i = E_k(k_{i-1}), for i ≥ 1
c_i = p_i ⊕ k_i, for i ≥ 1
OUTPUT FEEDBACK (OFB) MODE

• Very similar to Cipher Feedback in structure.
• But K_{i-1} rather than C_{i-1} is fed back to the next stage.
• As in CFB, the input to the block cipher is a shift register x; its value at stage i is denoted as x_i.
• Initially, x_1 = an initial vector (IV).
For i > 1, x_i = shift-left-s-bits(x_{i-1}) || K_{i-1}.
• Then, K_i = s-most-significant-bits(E_K(x_i)).

(FIGURE: Cipher Feedback vs. Output Feedback)
REMARK ON OFB
• THE BLOCK CIPHER IS USED AS A STREAM CIPHER.
• APPROPRIATE WHEN DATA ARRIVES IN BITS/BYTES.
• ADVANTAGE:
• MORE RESISTANT TO TRANSMISSION ERRORS; A BIT ERROR
IN A CIPHERTEXT SEGMENT AFFECTS ONLY THE DECRYPTION
OF THAT SEGMENT.
• DISADVANTAGE:
• CANNOT RECOVER FROM LOST CIPHERTEXT SEGMENTS; IF A
CIPHERTEXT SEGMENT IS LOST, ALL FOLLOWING SEGMENTS
WILL BE DECRYPTED INCORRECTLY (IF THE RECEIVER IS NOT
AWARE OF THE SEGMENT LOSS).
• IV SHOULD BE GENERATED RANDOMLY EACH TIME
AND SENT WITH THE CIPHERTEXT.
COUNTER MODE (CTR)

• PLAINTEXT BLOCKS: P1, P2, P3, …
• KEY: K
• BASIC IDEA: CONSTRUCT KEY STREAM K1, K2, K3, …
• ENCRYPTION:
T_1 = IV (RANDOM)
T_i = IV + i - 1
C_i = P_i ⊕ E_K(T_i)
C = (IV, C1, C2, C3, ...)
REMARK ON CTR

• STRENGTHS:
• NEEDS ONLY THE ENCRYPTION ALGORITHM
• FAST ENCRYPTION/DECRYPTION; BLOCKS CAN BE
PROCESSED (ENCRYPTED OR DECRYPTED) IN
PARALLEL; GOOD FOR HIGH SPEED LINKS
• RANDOM ACCESS TO ENCRYPTED DATA BLOCKS

• IV SHOULD NOT BE REUSED.
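The three key-stream modes of the preceding slides (CFB with s-bit segments, OFB and CTR), as an added Python example that is not part of the slides. E_K is an assumed stand-in built from SHA-256 rather than AES, which is enough here because these modes only ever call the encryption direction; the key, IV and plaintext are constructed sample inputs. damaged_segments answers the question left open on the CFB slide: a corrupted ciphertext segment spoils itself plus the next block-size/s segments in CFB, but only itself in OFB.

```python
# Added example (not from the slides): CFB, OFB and CTR on top of E_K only,
# plus a check of how far one corrupted ciphertext segment spreads on decryption.
import hashlib

BLOCK = 16   # block size in bytes (as for AES)

def ek(key: bytes, block: bytes) -> bytes:
    """ASSUMED stand-in for block-cipher encryption E_K: a keyed SHA-256 PRF, not AES."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cfb(key: bytes, iv: bytes, data: bytes, s: int = 1, decrypt: bool = False) -> bytes:
    """s-byte CFB: K_i = s MSBs of E_K(x_i), x_i = shift-left-s(x_{i-1}) || C_{i-1}."""
    x, out = iv, bytearray()
    for i in range(0, len(data), s):
        seg = data[i:i + s]
        res = xor(seg, ek(key, x)[:len(seg)])
        c_i = seg if decrypt else res        # the ciphertext segment is what is fed back
        x = (x + c_i)[-BLOCK:]
        out += res
    return bytes(out)

def ofb(key: bytes, iv: bytes, data: bytes, s: int = 1) -> bytes:
    """s-byte OFB: same register, but K_{i-1} (not C_{i-1}) is fed back."""
    x, out = iv, bytearray()
    for i in range(0, len(data), s):
        k = ek(key, x)[:s]
        out += xor(data[i:i + s], k)
        x = (x + k)[-BLOCK:]
    return bytes(out)

def ctr(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR: T_1 = IV, T_i = IV + i - 1, C_i = P_i xor E_K(T_i); blocks are independent."""
    t0, out = int.from_bytes(iv, "big"), bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        t_i = ((t0 + n) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out += xor(data[i:i + BLOCK], ek(key, t_i))
    return bytes(out)

def damaged_segments(mode: str, key: bytes, iv: bytes, pt: bytes, s: int, flip_seg: int) -> list:
    """Flip one bit in ciphertext segment flip_seg, decrypt, and list the segments that differ."""
    if mode == "cfb":
        enc = lambda d: cfb(key, iv, d, s)
        dec = lambda d: cfb(key, iv, d, s, decrypt=True)
    else:
        enc = dec = lambda d: ofb(key, iv, d, s)
    ct = bytearray(enc(pt))
    ct[flip_seg * s] ^= 0x01
    rec = dec(bytes(ct))
    return [i for i in range(len(pt) // s) if rec[i * s:(i + 1) * s] != pt[i * s:(i + 1) * s]]

# Constructed sample inputs (not from the slides)
KEY = b"sixteen byte key"
IV = bytes(range(16))
PT = bytes(range(64))          # 32 two-byte segments

if __name__ == "__main__":
    print("CFB, s=2, bit flipped in C_3 -> damaged segments:", damaged_segments("cfb", KEY, IV, PT, 2, 3))
    print("OFB, s=2, bit flipped in C_3 -> damaged segments:", damaged_segments("ofb", KEY, IV, PT, 2, 3))
```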

STREAM CIPHERS
Vernam's one-time pad cipher
• Key = k_1 k_2 k_3 k_4 … (random, used one-time only)
• Plaintext = m_1 m_2 m_3 m_4 …
• Ciphertext = c_1 c_2 c_3 c_4 …, where c_i = m_i ⊕ k_i
• Can be proved to be unconditionally secure.
STREAM CIPHER DIAGRAM

STREAM CIPHERS
• Typically, process the plaintext byte by byte.
• So, the plaintext is a stream of bytes: P_1, P_2, P_3, …
• Use a key K as the seed to generate a sequence of pseudorandom bytes (keystream): K_1, K_2, K_3, …
• The ciphertext is C_1, C_2, C_3, C_4, …, where C_i = P_i ⊕ K_i
• Various stream ciphers differ in the way they generate keystreams.
STREAM CIPHERS
• For a stream cipher to be secure, the keystream
• should have a large period, and
• should be as random as possible, each of the 256 values appearing about equally often.
• The same keystream must not be reused. That is, the input key K must be different for each plaintext (if the pseudorandom generator is deterministic).
THE RC4 STREAM CIPHER

• DESIGNED BY RON RIVEST IN 1987 FOR RSA SECURITY.
• KEPT AS A TRADE SECRET UNTIL LEAKED OUT IN 1994.
• THE MOST POPULAR STREAM CIPHER.
• SIMPLE AND FAST.
• WITH A 128 BITS KEY, THE PERIOD IS > 10^100.
• USED IN THE SSL/TLS STANDARDS (FOR SECURE WEB COMMUNICATION), IEEE 802.11 WIRELESS LAN STANDARD, MICROSOFT POINT-TO-POINT ENCRYPTION, AND MANY OTHERS.
RC4

• Two vectors of bytes:
• S[0], S[1], S[2], …, S[255]
• T[0], T[1], T[2], …, T[255]
• Key: variable length, from 1 to 256 bytes
• Initialization:
1. S[i] = i, for 0 ≤ i ≤ 255
2. T[i] = K[i mod key-length], for 0 ≤ i ≤ 255
(i.e., fill up T[0..255] with the key K repeatedly.)
RC4: INITIAL PERMUTATION

• Initial Permutation of S:
j = 0
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256
    Swap S[i], S[j]
• This part of RC4 is generally known as the Key Scheduling Algorithm (KSA).
• After KSA, the input key and the temporary vector T will no longer be used.
RC4: KEY STREAM GENERATION

• Key stream generation:
i, j = 0
while (true)
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    Swap S[i], S[j]
    t = (S[i] + S[j]) mod 256
    k = S[t]
    output k
SECURITY OF RC4

• THE KEYSTREAM GENERATED BY RC4 IS BIASED.
• THE SECOND BYTE IS BIASED TOWARD ZERO WITH HIGH PROBABILITY.
• THE FIRST FEW BYTES ARE STRONGLY NON-RANDOM AND LEAK INFORMATION ABOUT THE INPUT KEY.
• DEFENSE: DISCARD THE INITIAL N BYTES OF THE KEYSTREAM.
• CALLED "RC4-DROP[N-BYTES]".
• RECOMMENDED VALUES FOR N = 256, 768, OR 3072 BYTES.
• EFFORTS ARE UNDERWAY (E.G. THE ESTREAM PROJECT) TO DEVELOP MORE SECURE STREAM CIPHERS.
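The RC4 KSA and key-stream loops of the preceding slides, together with the RC4-drop[n] defense and a measurement of the second-byte bias, as an added Python example that is not part of the slides. The test strings and the seeded random keys are constructed inputs; the bias count simply reports how often the second key-stream byte is zero compared with the ideal 1/256.

```python
# Added example (not from the slides): RC4 KSA and key-stream generation as
# written on the slides, the RC4-drop[n] variant, and a count of the
# second-byte bias over random keys.
import random

def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: T[i] = K[i mod key-length], then permute S."""
    s = list(range(256))
    t = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + s[i] + t[i]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def rc4_prga(s: list):
    """Key-stream generator; yields one byte per call (the 'output k' loop)."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def rc4(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation). drop=n gives RC4-drop[n]."""
    ks = rc4_prga(rc4_ksa(key))
    for _ in range(drop):
        next(ks)                      # discard the first n key-stream bytes
    return bytes(b ^ next(ks) for b in data)

def second_byte_zero_ratio(n_keys: int, seed: int = 1) -> float:
    """How often the 2nd key-stream byte is 0, relative to the ideal 1/256.
    Keys are random 16-byte values from a seeded generator (constructed input)."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(n_keys):
        key = bytes(rng.randrange(256) for _ in range(16))
        ks = rc4_prga(rc4_ksa(key))
        next(ks)
        if next(ks) == 0:
            zeros += 1
    return zeros / n_keys * 256       # close to 2.0 for RC4, 1.0 for an ideal key stream

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())            # constructed test input
    print("2nd byte zero ratio:", second_byte_zero_ratio(16000))
```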
RC4 AND WEP

• WEP IS A PROTOCOL USING RC4 TO ENCRYPT PACKETS FOR TRANSMISSION OVER IEEE 802.11 WIRELESS LAN.
• WEP REQUIRES EACH PACKET TO BE ENCRYPTED WITH A SEPARATE RC4 KEY.
• THE RC4 KEY FOR EACH PACKET IS A CONCATENATION OF A 24-BIT IV (INITIALIZATION VECTOR) AND A 40 OR 104-BIT LONG-TERM KEY.

RC4 key: IV (24 bits) || Long-term key (40 or 104 bits)
802.11 FRAMES USING WEP

Header | IV | Packet | ICV | FCS    (Packet and ICV are the encrypted part)

• ICV: integrity check value (for data integrity)
• FCS: frame check sequence (for error detection)
• Both use CRC32
• WEP HAS BEEN SHOWN TO BE INSECURE.
• THERE IS AN ARTICLE, “BREAKING 104 BIT WEP IN LESS THAN 60
SECONDS,” DISCUSSING HOW TO DISCOVER THE RC4 KEY BY
ANALYZING ENCRYPTED ARP PACKETS.

DEFINITION
• KEY ESTABLISHMENT IS A PROCESS WHERE A SHARED SECRET
BECOMES AVAILABLE TO TWO OR MORE PARTIES, FOR
SUBSEQUENT CRYPTOGRAPHIC USE.
• KEY ESTABLISHMENT MAY BE BROADLY SUBDIVIDED INTO KEY
TRANSPORT AND KEY AGREEMENT.
• KEY TRANSPORT PROTOCOL IS A KEY ESTABLISHMENT
TECHNIQUE WHERE ONE PARTY CREATES OR OTHERWISE OBTAINS
A SECRET VALUE, AND SECURELY TRANSFERS IT TO THE OTHER(S).
• KEY AGREEMENT PROTOCOL IS A KEY ESTABLISHMENT
TECHNIQUE IN WHICH A SHARED SECRET IS DERIVED BY TWO (OR
MORE) PARTIES AS A FUNCTION OF INFORMATION CONTRIBUTED
BY, OR ASSOCIATED WITH, EACH OF THESE, (IDEALLY) SUCH THAT
NO PARTY CAN PREDETERMINE THE RESULTING VALUE.
THANK YOU
