Symmetric Key

Encryption
Algorithms
• Two categories of methods
– Stream cipher: algorithm operates on
individual bits (or bytes); one at a
time
– Block cipher: operates on fixed-
length groups of bits called blocks
 Idea of a block
cipher
• Partition the text into relatively large (e.g.
128 bits) blocks and encode each block
separately.
• The encoding of each block generally
depends on at most one of the previous
blocks.
• The same “key” is used at each block.
• The Data Encryption Standard (DES) is an
example of a block cipher, where blocks of
64 bits are encrypted using a 56-bit key.
• many current ciphers are block ciphers
–
better analyzed
–
broader range of applications
 Idea of a stream
•
cipher
stream ciphers process messages a bit or
byte at a time when en/decrypting
• The Vigenère cipher is an example of a
stream cipher.
• For each block, a different “key” is
generated.
• Block ciphers work a on block / word at a
time, which is some number of bits. All
of these bits have to be available before
the block can be processed.
• Stream ciphers work on a bit or byte of the
message at a time, hence process it as a
“stream”.
Only a few symmetric methods
are used today:
Data Encryption Standard
(DES)
• The Data Encryption Standard (DES) is a
symmetric-key block cipher published by the
National Institute of Standards and Technology
(NIST).
Data Encryption Standard (DES)
History
• DES is a block cipher, Encryption and
decryption with DES is shown
bellow.
 DES STRUCTURE
• The encryption process is made of two
permutations (P-boxes), which we call
initial and final permutations, and sixteen
rounds.
 Initial Permutation
•
IP
first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH
half
• quite regular in structure (easy in
h/w)
• no cryptographic value
 DES
description
• Block cipher: 64 bits at a time
• Initial permutation rearranges 64 bits
(no cryptographic effect)
• Encoding is in 16 rounds
• ENCRYPTION
 Each block is subjected to 16 rounds of
substitutions and permutations
(transpositions).
 Each round uses 48 bits from key called
the subkey.
 Initial and final permutation appear to
be redundant.
• DECRYPTION
 process as encryption but with subkeys applied
in reverseorder
 One
•
Round
64 bits divided into left, right halves
• Right half goes through function f, mixed with
key
• Right half added to left half
• Halves swapped (except in last round)
• Expand right side from 32 to 48 bits (some
get reused)
• Add 48 bits of key (chosen by schedule)
• S-boxes: each set of 6 bits reduced to 4
• P-box permutes 32 bits
 Strength of DES – Key
 56-bit
Size
keys have 2 = 7.2 x 10 values
56 16

 brute force search looked hard

 advances have shown is possible
 in 1997 on Internet in a few months
 in 1998 on dedicated h/w in a few days
 in 1999 above combined in 22hrs!
 Forced to consider alternatives to
DES
 Double
DES
• DES uses a 56-bit key, this raised
concerns about brute force attacks
• One proposed solution: double DES.
• Apply DES twice using two keys, K1 and
K2.

This leads to a 2x56=112 bit key, so it is

more secure than DES
• Double DES is prone to Meet-in-the-
Middle attack.
Meet-in-the-Middle
Attack

If the same K1-K2 pairs match for the second

plaintext-ciphertext pair, then the correct
keys are most probably found
• 2-DES: C = EK2(EK1(P))
• So, X = EK1(P) = DK2(C)
• Given a known pair (P, C), attack as follows:
– Encrypt P with all 256 possible keys for K1.
– Decrypt C with all 256 possible keys for K2.
– If EK1’(P) = DK2’(C), try the keys on another (P’, C’).
– If works, (K1’, K2’) = (K1, K2) with high probability.
– Takes O(256) steps; not much more than attacking 1-DES
 Triple
DES
• Another method for a strong cipher
• use multiple encryption with DES
with different keys
– to preserve the investment in DES
– for quicker deployment
• Triple DES is chosen as a standard
method
– Standardized by ANSI, ISO and NIST
Triple-DES with two
keys

can use 2 keys with E-D-E sequence

C = EK1(DK2(EK1(P)))
 Triple-DES with Three-
Keys
• can use Triple-DES with Three-Keys
C = EK3(DK2(EK1(P)))
• has been adopted by some
Internet applications, eg PGP,
S/MIME

• Principal drawback is that the algorithm

is relatively sluggish in software
Meet-in-the-Middle Attack on 3DES
1. For each possible key for K1, encrypt P to produce a
possible valuefor A.
2. Using this A, and C, attack the 2DES to obtain a pair of
keys (K2, K1’).
3. If K1’ = K1, try the key pair (K1, K2) on another (C’,P’).
4. If it works, (K1, K2) is the key pair with high probability.
International Data Encryption
Standard (IDEA)
 International Data Encryption
Standard (IDEA)
• The International Data Encryption Standard
Algorithm (IDEA) is a symmetric block cipher
that was proposed to replace DES designed
in 1991.
• It is a minor revision of an earlier cipher, PES
(Proposed Encryption Standard); IDEA was
originally called IPES (Improved PES). IDEA
was used as the symmetric cipher in early
versions of the Pretty Good Privacy
cryptosystem.
• The main design goals of IDEA are:
• Block Length: Block size of 64 bits is
considered strong enough to deter statistical
analysis. Also usage of Cipher Feedback
Mode of operation provides better strength.
• Key Length: Its key size of 128 bits is
very secure to deter exhaustive search.
• 128 bit key, 64 bit block size, 8 rounds
• algorithm is quite different than DES,
– doesn’t use S-boxes
– uses binary addition rather than exclusive-
or
 Features of
• IDEA
The IDEA encryption algorithm
• provides high level security not based on keeping
the algorithm a secret, but rather upon ignorance
of the secret key
• Is fully specified, easily understood, and is available
to everybody
• Is suitable for use in a wide range of applications
and can be economically implemented in electronic
components (VLSI Chip)
• Can be used efficiently and may be exported
world wide
• Is patent protected to prevent fraud and piracy
 Description of IDEA

• The block cipher IDEA operates with 64-bit

plaintext and cipher text blocks and is
controlled by a 128-bit key.
• Completely avoid substitution boxes and
table lookups used in the block ciphers

• The algorithm structure has been chosen such

that when different key sub-blocks are used,
the encryption process is identical to the
decryption process
 Key
generation
• The 64-bit plaintext block is partitioned
into four 16-bit sub-blocks
• six 16-bit key are generated from the 128-bit
key. Since a further four 16-bit key-sub-
blocks are required for the subsequent
output transformation, a total of 52 (= 8 x 6
+ 4) different 16-bit sub-blocks have to be
generated from the 128-bit key.
• First, the 128-bit key is partitioned into eight 16-
bit sub-blocks which are then directly used as
the first eight key sub-blocks
• The 128-bit key is then cyclically shifted to the
left by 25 positions, after which the resulting
128-bit block is again partitioned into eight 16-
bit sub- blocks to be directly used as the next
eight key sub-blocks
• The cyclic shift procedure described above is
repeated until all of the required 52 16-bit
key sub-blocks have been generated
 IDEA Encryption
• Input – 64-bit plaintext, 128-bit key, Output – 64-bit ciphertext
Encryption algorithm consists of 8 rounds followed by a final
transformation function
• Round function –
Input – 4 16-bit subblocks, 6 16-bit subkeys, Output – 4 16-
bit subblocks
• Output transformation function –
Input – 4 16-bit subblocks, 4 16-bit
subkeys Output – 4 16-bit subblocks
• Subkey generator –
Input – 128-bit key
Output – 52 16-bit subkeys
 Details of a Single Round
1.Transformation – use addition and multiplication
operations
Input – 4 subblocks (X1, X2, X3, X4) and 4
subkeys (Z1, Z2, Z3, Z4)
2.XOR operation – The 4 output subblocks are
XORed to form 2 16-bit blocks that are inputs to the
MA structure
3. MA structure –
Input – 2 16-bit blocks, 2 16-bit
subkeys Output – 2 16-bit output
blocks
4.XOR operation – The 4 outputs from the upper
transformation are XORed with the 2 outputs of the
MA structure to produce 4 outputs
 Decryption
• The computational process used for decryption
of the ciphertext is essentially the same as that
used for encryption
• The only difference is that each of the 52 16-bit
key sub-blocks used for decryption is the
inverse of the key sub-block used during
encryption
• In addition, the key sub-blocks must be used
in the reverse order during decryption in
order to reverse the encryption process
 Modes of
• operation
IDEA supports all modes of operation such
as:
– Electronic Code Book (ECB) mode
– Cipher Block Chaining (CBC)
– Cipher Feedback (CFB)
– Output Feedback (OFB) modes
• For plaintext exceeding this fixed size, the
simplest approach is to partition the
plaintext into blocks of equal length and
encrypt each separately. This method is
named Electronic Code Book (ECB) mode.
• However, Electronic Code Book is not a
good system to use with small block sizes
(for example, smaller than 40 bits)
 Electronic Code Book (ECB) mode

• message is broken into independent

blocks which are encrypted
• each block is a value which is substituted,
like a codebook, hence name
• each block is encoded independently of
the other blocks
• uses: secure transmission of single values. ECB
is the simplest of the modes, and is used
when only a single block of info needs to be
sent
• ECB is not appropriate for any quantity of
data, since repetitions can be seen, esp. with
graphics, and because the blocks can be
shuffled/inserted without affecting the
en/decryption of each block. Its main use is
to send one or a very few blocks, eg a
session encryption key.
 Cipher Block Chaining
(CBC)
• To overcome the problems of repetitions and
order independence in ECB, there should be
a way of making the ciphertext dependent
on all blocks before it
• This is what CBC gives us, by combining
the previous ciphertext block with the
current message block before encrypting.
• To start the process, use an Initial Value (IV),
which is usually well known (often all 0's),
or otherwise is sent, ECB encrypted, just
before starting CBC use.
• CBC mode is applicable whenever large
amounts of data need to be sent securely,
provided that all data is available in
advance (eg email, FTP, web etc).
• In CBC mode, each plaintext block is
exclusive-ored with the previous
ciphertext block before being encrypted.
One issue that arises with block modes is how to
handle the last block, which may well not be
complete. In general have to pad this block (typically
with 0's), and then must recognise padding at other
end
 Advantages and Limitations of CBC
• A ciphertext block depends on all
blocks before it
• Any change to a block affects all
following ciphertext blocks
• Need Initialization Vector (IV)
– which must be known to sender & receiver
– if sent in clear, attacker can change bits of first block,
and
change IV to compensate
– hence IV must either be a fixed value or must be
sent encrypted in ECB mode before rest of message
 Cipher Feedback (CFB) Mode
• Encryption in cipher feedback (CFB)
mode
• The relation between plaintext and ciphertext
blocks is shown below:
 Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8, 64 or 128 etc)
to be feed back
– denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• most efficient to use all bits in block (64 or 128)
• uses: stream data encryption, authentication
 Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do
block encryption after every n-bits
• the block cipher is used in encryption
mode at
both ends
• errors propagate for several blocks after
the error
 Output Feedback (OFB)
Mode
• In this mode each bit in the ciphertext is
independent of the previous bit or bits. This
avoids error propagation.
Encryption in output feedback (OFB)
mode
• message is treated as a stream of bits
• output of cipher is added to message
• output is then feed back (hence
name)
• feedback is independent of message
• can bePcomputed
Ci = i XOR in advance
Oi Oi =
EK1(Oi-1) O-1
• uses:=stream
IV encryption on noisy
channels
• Here the generation of the "random" bits is
independent of the message being encrypted.
The advantage is that firstly, they can be
computed in advance, good for bursty traffic,
and secondly, any bit error only affects a
single bit. Thus this is good for noisy links (eg
satellite TV transmissions etc).
 Advantages and Limitations of OFB
• One advantage of the OFB method is that
bit errors in transmission do not
propagate.
• The disadvantage of OFB is that it is more
vulnerable to a message stream
modification attack than is CFB.
• Since OFB is a Vernam cipher variant, the
stream should never be used more than
once.
 Applications of
• IDEA
Today, there are hundreds of IDEA-based security
solutions available in many market areas, ranging
from Financial Services, and Broadcasting to
Government
• The IDEA algorithm can easily be embedded in any
encryption software. Data encryption can be used to
protect data transmission and storage. Typical fields
are:
– Audio and video data for cable TV, pay TV, video
conferencing, distance learning
– Sensitive financial and commercial data
– Email via public networks
– Smart cards