Cryptography & Network Security 4 CSE- 1 SEM Unit-II Topics to be covered: 1. 2. 3. 4. 5. 6. 7. 8. 9. Introduction to Secret Key Cryptography and Principles Block Ciphers Vs Stream Ciphers Feistel Cipher Structure Data Encryption Standard and Strengths DES Block Cipher Design Principles and Modes of Operations Triple DES IDEA (International Data Encryption Algorithm) Blowfish and CAST-128 AES( Advanced Encryption Standard) 1. Introduction to Secret Key Cryptography and Principles Secret Key encryption, also referred to as conventional encryption, Symmetric key, Single-key encryption, was the only type of encryption in use prior to the development of public-key encryption in the late 1970s.1 It remains by far the most widely used of the two types of encryption. The plain text is encrypted and decrypted with same key which shared by the sender and receiver. The secrecy of the message depends on the secrecy of the key, but not on the algorithm. A symmetric encryption scheme has Five ingredients as follows: Principles 1. plain text - original message or data that is fed into algorithm as input 2. cipher text - coded message 3. Secret key – information used in cipher known only to sender/receiver also given as input to algorithm 4. Encryption Algorithm –The Encryption algorithm uses various substitutions and transformations for converting plaintext to cipher text with 5. Decryption Algorithm- This is essentially the encryption algorithm run in the reverse order. It takes the same secret key and cipher text to produce the plain text. Fig 2.1 Simplified Model of Conventional Encryption There are two requirements for secure use of symmetric encryption: 1. We need strong encryption algorithm. UNIT-2 Page 1 Cryptography & Network Security 4 CSE- 1 SEM 2. Sender and Receiver must have obtained the copies the secret key in the secured fashion and must keep the key secure. 2. Stream Ciphers and Block Ciphers Any plain text can be transformed into cipher text with following Ciphers Stream Cipher is the one that encrypts the digital data one bit or one byte at a time to produce the cipher text. Ex:-Autokyed Vigenere Cipher and Verman Cipher Block Cipher is the one in which a block of plain text is treated as whole and used to produce a cipher text of equal length. Ex:- DES Motivations for Feistel Cipher Structure: A block cipher operates on a plain text of n-bits to produce the cipher text of n-bits. There are 2n different possible plain text blocks for encryptions to be reversible (Eg: for decryption to be possible), and each must produce unique cipher text block. Such transformation is called “reversible” or “nonsingular. If same cipher block has different plain text block such scheme is called “irreversible Transformation” Table 1: Reversible and Irreversible Transformations Reversible Mapping Irreversible Mapping Plain Text Cipher Text Plain Text Cipher Text 00 11 00 11 10 01 10 01 01 00 01 01 In the above example the same cipher block "01" is producing different plain text blocks, this is called "irreversible transformation". Block Cipher Principles: Most symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher. A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. An arbitrary reversible substitution cipher for a large block size is not practical, however, from an implementation and performance point of view. In general, for an n-bit general substitution block cipher, the size of the key is n x 2n. For a 64-bit block, UNIT-2 Page 2 Cryptography & Network Security 4 CSE- 1 SEM which is a desirable length to thwart statistical attacks, the key size is 64 x 264 = 270 = 1021 bits. In considering these difficulties, Feistel points out that what is needed is an approximation to the ideal block cipher system for large n, built up out of components that are easily realizable. Ideal Block Cipher: The most general form of the block cipher is Ideal Block Cipher in which a reversible mapping between plain text and cipher text is possible. This allows the maximum number of possible encryption mappings from plain text to cipher text. Fig 2.2 General n-bit by n-bit Ideal Block Cipher 3. The Feistel Cipher Horst Feistel, working at IBM Thomas J Watson Research Labs devised a suitable invertible cipher structure in early 70's. He proposed that we can actually approximate the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that to produce the final result or product that is cryptographically stronger than any of the component ciphers. The structure uses the alternate use of substitutions and permutations, which is proposed by the Claude Shannon to develop the product cipher that alternates confusion and diffusion. Confusion and Diffusion: The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system. Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to UNIT-2 Page 3 Cryptography & Network Security 4 CSE- 1 SEM deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design. Feistel Cipher Structure Horst Feistel devised the feistel cipher based on concept of invertible product cipher partitions input block into two halves process through multiple rounds which perform a substitution on left data half based on round function of right half & subkey then have permutation swapping halves implements Shannon’s S-P net concept The Design Elements of the Feistel Cipher are as follows: • Block size - increasing size improves security, but slows cipher • Key size - increasing size improves security, makes exhaustive key searching harder, but may slow cipher • Number of rounds –single round offers inadequate security, but multiple rounds increase security, increasing number improves security, but slows cipher • Subkey generation algorithm - greater complexity can make analysis harder, but slows cipher • Round function - greater complexity can make analysis harder, but slows cipher • Fast software encryption/decryption – in many cases encryption is embeded in hardware to increase speed of cipher, more recent concern for practical use • Ease of analysis - for easier validation & there is a great advantage in designing easier algorithm to find all the vulnerabilities, testing of strength UNIT-2 Page 4 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.3 Encryption Process UNIT-2 Page 5 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.4 Encryption and Decryption Processes Working procedure of Feistel Cipher: The plaintext block is divided into two halves, Lo and Ro. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has as inputs Li-l and R;-l' derived from the previous round, as welI as a subkey Ki, derived from the overall K. In general, the subkeys Ki are different from K and from each other and are generated from the key by a subkey generation algorithm. All rounds have the same structure. A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR (X OR) of the output of that function and the left half of the data. The round function has the same generaI structure for each round but is parameterized by the round subkey Ki. Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. UNIT-2 Page 6 Cryptography & Network Security 4 CSE- 1 SEM The general process of the encryption will be as follows: LEi= REi-1 REi=LEI X F(REi-1,Ki) The Decryption is as follows: LE16=RE15 RE16=LE15 X F(RE15,K16) 4.Data Encryption Standard and Strengths DES Introduction: The most widely used private key block cipher, is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. The DES enjoys widespread use. It has also been the subject of much controversy its security. IBM developed Lucifer cipher by team led by Feistel in late 60’s used 64-bit data blocks with 128-bit key then redeveloped as a commercial cipher with input from NSA and others in 1973 NBS issued request for proposals for a national cipher standard IBM submitted their revised Lucifer which was eventually accepted as the DES Over View of DES: The overall scheme for DES encryption is illustrated in Stallings Figure 2.5, which takes as input 64-bits of data and of key. The left side shows the basic process for enciphering a 64-bit data block which consists of: an initial permutation (IP) which shuffles the 64-bit input block 16 rounds of a complex key dependent round function involving substitutions & permutations a final permutation, being the inverse of IP The right side shows the handling of the 56-bit key and consists of: an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in two 28-bit halves 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves UNIT-2 Page 7 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.6 Over view of DES The main phases in the left hand side of the above figure i.e. processing of the plain text are: Initial Permutation (IP): The plaintext block undergoes an initial permutation. 64 bits of the block are permuted. For example the actual input message order can be as follows according to their bit positions: Table 2: Actual 64 bit order An example initial Permutation obtained by just writing the even numbered columns first in the row wise and odd numbered columns later in the row wise. UNIT-2 Page 8 Cryptography & Network Security 4 CSE- 1 SEM Table 3: Initial Permutation A Single Round Transformation: On the right hand side part of the figure, the usage of the 56 bit key is shown. Initially the key ispassed through a permutation function. Now for each of the 16 iterations, a new subkey (Ki) is produced by combination of a left circular shift and a permutation function which is same for each iteration. A different subkey is produced because of repeated shifting of the key bits. The left and right halves of each 64 bit intermediate value are treated as separated 32bit quantities labeled L (left) and R (Right). The overall processing at each iteration is given by following steps, which form one round in an S-P network. Li = Ri-1. Ri = L i-1 F(R i-1, Ki ) Where Function F can be described as P(S( E(R(i-1)) K(i) )) The following figure shows a closer view of algorithms for a single iteration. The 64bit permuted input passes through 16 iterations, producing an intermediate 64-bit value at the conclusion of each iteration. UNIT-2 Page 9 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.7: Single Round Function A Complex Transformation (F): This again contains two sub transformations i) Expansion transformation (E) ii) Substitution transformation (S) Fig 2.8: Expansion and Substitution Transformations i. Expansion transformation 64 bit permuted block undergoes 16 rounds of complex transformation. Subkeys are used in each of the 16 iterations. The round Key Ki is 48 bits. The R input is 32 bits. The R input is first expanded to 48 bit by using a table that defines a permutation plus an expansion that involves duplication of 16 of R bits. The Expansion is as follows: The middle elements belong UNIT-2 Page 10 Cryptography & Network Security 4 CSE- 1 SEM to the 32 bit R input and Left and right 8 elements are the duplications of the R input, to make as 48 bit. Table 4: Expansion Permutation i) Substitution transformation The Role of the S-Box in the transformation (F) is as follows, the substitution consists of a set of 8 S-Boxes, each accepts 6 input and produce 4 out bits. These transformations are defined as follows: The first and last bits of 6bits used to specify the row, and the rest of the 4 bits are used to specify the column of the specific box. The data in the specified position is used to replace. The S-box will be as follows, Table 5: Substitution Table Row0 Row1 Row2 Row3 Col 0 14 0 4 15 Col 1 4 15 1 12 Col 2 13 7 14 8 Col 3 1 4 8 2 Col 4 2 14 13 4 Col 5 15 2 6 9 Col 6 11 13 2 1 Col 7 8 1 11 7 Col 8 3 10 15 5 Col 9 10 6 12 11 Col 10 6 12 9 3 Col 11 12 11 7 14 Col 12 5 9 3 10 Col 13 9 5 10 0 Col 14 0 3 5 6 For example, if the input to the s-box is 011001, the first and last are "01" means decimal value 1, therefore it is Row 1, and middle bits are "1100", decimal value equal to that is 12, means Column 12, the value in the Row1 and Col 12 is "9", which is used for replacement. again the 4 bit is generated from the s-box as output. 32-bit swap: The output of 16th round consists of 64bits that are a function of input plain text and key.32 bit left and right halves of this output is swapped. Inverse Initial Permutation (IP-1): The 64 bit output undergoes a permutation that is inverse of the initial permutation. Sub Key Generation Algorithm: Here 64-bit is used as input to the algorithm. The Bits of the key are numbered from 1 to 64; and every 8th bit is ignored. The resulting 56-bit key is then treated as two 28 bit quantities, labled C0 and D0 . At each round Ci-1 and Di-1 are subjected to a circular shift or rotation of one or two bits. After shifting it is given to a permutation /contraction function, which then produces 48 bit output as key for that round. DES Decryption: The DES decryption uses the same algorithm as encryption, except the application of subkey in the reverse order. The Avalanche Affect of DES: UNIT-2 Page 11 Col 15 7 8 0 13 Cryptography & Network Security 4 CSE- 1 SEM The Desirable property of any encryption algorithm is that a small change in the planin text or key has to produce a significant change in the ciphertext. In particular, a change in one bit of plaintext or key should produce bits of the ciphertext. If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched. Strength of DES – Key Size 1. The Key Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES in two areas: key size and the nature of the algorithm. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2*10^16 keys. Thus a brute-force attack appeared impractical. However DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98].There have been other demonstrated breaks of the DES using both large networks of computers & dedicated h/w, including: - 1997 on a large network of computers in a few months - 1998 on dedicated h/w (EFF) in a few days - 1999 above combined in 22hrs! It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly must now consider alternatives to DES, the most important of which are AES and triple DES. 2. The Nature of the Encryption algorithm Another concern is the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. The focus of concern has been on the eight substitution tables, or S-boxes, that are used in each iteration. These techniques utilise some deep structure of the cipher by gathering information about encryptions so that eventually you can recover some/all of the sub-key bits, and then exhaustively search for the rest if necessary. Generally these are statistical attacks which depend on the amount of information gathered for their likelihood of success. Attacks of this form include differential cryptanalysis. linear cryptanalysis, and related key attacks. 3. The Timing Attack A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs. The AES analysis process has highlighted this attack approach, and showed that it is a concern particularly with smartcard implementations, though DES appears to be fairly resistant to a successful timing attack. 5. Block Cipher Design Principles and Modes of Operations UNIT-2 Page 12 Cryptography & Network Security 4 CSE- 1 SEM There are three critical aspects of the design of the block cipher: The number of rounds, the function F, and Key Scheduling. The DES design criteria: The design of DES has focused on design of S-Box and P function that takes the output of the S-Box. The criteria for S-box are as follows: i. ii. iii. No output bit of any s-box should be too close a linear function of the input bits. Each row of the S-box should include all 16 possible output bit combinations. If two inputs to an s-box differ in exactly one bit, the output must differ in at least two bits. If two inputs to the s-box differ in middle two bits, then output must differ in at least two bits. If two inputs to the s-box differ in their first two bits and are identical in their last two bits, the outputs must not be the same. For any nonzero 6-bit difference between inputs, no more than 8 of 32 pairs of inputs exhibiting that difference may result in the same output difference. This is a criterion similar to the previous one, but for the case of three s-boxes. iv. v. vi. vii. The Criteria for the Permutation P as follows: i. The four output bits from each s-box at each round I are distributed so that two of them affect "middle bits" of round (i+1) and the other two affect end bits. The two middle bits of the input to s-box are not shared with adjacent s-boxes. The end bits are the two left-hand bits and the two right-hand bits, which are shared with adjacent s-boxes. The four output bits from each s-box affect six different s-boxes on the next round, and no two affect the same s-box. For two s-boxes l, k if output bit from Sj affect a middle bit of Sk on the nest round, then an output bit from Sk canot affect a middle bit of Sj. ii. iii. These criteria are intended to increase the diffusion of the algorithm. I. The Number of Rounds The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. IF DES had less than 15 or fewer rounds, differential cryptanalysis would require less effort than brute-force attack. II. Design of the Function F The heart of the Feistel Cipher is the Function F. This function relies on the use of the S-boxes. This is also the case for most other symmetric block ciphers. The function F provides the elements of confusion in the feistel cipher. Thus it must be difficult to "unscramble" the substitution performed by the F. UNIT-2 Page 13 Cryptography & Network Security 4 CSE- 1 SEM Criterion 1: The more nonlinear is the more difficulty in cryptanalysis. Criterion 2: The algorithm even can be designed with good avalanche properties. Criterion 3: Bit independence Criterion, which states that the output bits j and k should change independently when any single bit I is inverted, for i, j and k. The S-Box Design: This is the one of the intense research area in the field of symmetric block ciphers. The Papers are almost too numerous to count. There are some general principles. One Characteristic of Sboxes is its size. An NxM S-box has N inputs and M outputs. The DES has 6X4 s-boxes. The larger is the size of the S-box, the stronger is against the cryptanalysis. The approaches for the S-boxes: Random: Use some random number generation to generate the entries in the Sboxes. Random with testing: Choose S-Box entries randomly, then test the results against various criteria, and throw away those that do not pass. Human-made: This is manual approach with only simple mathematics to support it. Math-made: Generate S-box according to mathematical principles, that offer proven security against cryptanalysis. III. The Key Schedule Algorithm: With any Feistel Cipher only one sub key is generated for each round. In general we would like to select the subkey to maximize the difficulty of deducing the individual subkeys and difficulty of working back to the main key. There are no general principles for this yet. Cipher Block Modes of Operations: A symmetric block cipher processes one block of data at a time. In the case of DES and 3DES, the block length is 64 bits. For longer amounts of plaintext, it is necessary to break the plaintext into 64-bit blocks (padding the last block if necessary). There are three modes of operations: Electronic Codebook Mode Cipher Block Chaining Mode Cipher Feed back Mode. Output Feedback Mode Counter Mode Electronic Codebook Mode: The simplest way to proceed is what is known as electronic codebook (ECB) mode, in which plaintext is handled 64 bits at a time and each block of plaintext is encrypted using the same key. The term codebook is used because, for a given key, there is a unique ciphertext for every 64-bit block of plaintext. Therefore, one can imagine a gigantic codebook in which there is an entry for every possible 64-bit plaintext pattern showing its corresponding ciphertext. UNIT-2 Page 14 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.9: ECB Problem of ECB: With ECB, if the same 64-bit block of plaintext appears more than once in the message, it always produces the same ciphertext. Because of this, for lengthy messages, the ECB mode may not be secure, for repeated 64 bit patterns. Cipher Block Chaining Mode (CBC): In the cipher block chaining (CBC) mode, the input to the encryption algorithm is the XOR of the current plaintext block (P) and the preceding ciphertext block(C ) ; the same key is used for each block. In effect, we have chained together the processing of the sequence of plaintext blocks, to avoid the similarities. The input to the encryption function for each plaintext block bears no fixed relationship to the plaintext block. Therefore, repeating patterns of 64 bits are not exposed. For decryption, each cipher block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext block. To see that this works, we can write: Ci=Ek[Ci-1 XOR Pi], where Ek[x] is the encryption of plain text x, using the key K, and XOR is the Exclusive OR operation. The Decryption process is as follows: Pi=Dk[Ci] XOR Ci-1 UNIT-2 Page 15 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.10 Cipher Block Chaining Mode Cipher Feedback Mode (CFB): It is possible to convert any block cipher into a stream cipher by using the cipher feedback (CFB) mode. A stream cipher eliminates the need to pad a message to be an integraI number of blocks. It also can operate in real time. Thus, if a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher. One desirable property of a stream cipher is that the ciphertext be of the same length as the plaintext. Thus, if 8-bit characters are being transmitted, each character should be encrypted using 8 bits. If more than 8 bits are used, transmission capacity is wasted. In the figure, it is assumed that the unit of transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext. First, consider encryption. The input to the encryption function is a 64-bit shift register that is initially set to some initialization vector (IV). The leftmost (most significant) s bits of the output of the encryption function are XORed with the first unit of plaintext Pl to produce the first unit of ciphertext Cl, which is then transmitted. In addition, the contents of the shift register are shifted left by s bits and Cl is placed in the rightmost (least significant) s bits of the shift register. This process continues until all plaintext units have been encrypted. UNIT-2 Page 16 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.11 Cipher Feedback Mode Output Feedback Mode (OFB): The output feedback (OFB) mode is similar in structure to that of CFB. As can be seen in Fig 2.12, it is the output of the encryption function that is fed back to the shift register in OFB, whereas in CFB, the ciphertext unit is fed back to the shift register. The other difference is that the OFB mode operates on full blocks of plaintext and ciphertext, not on an -bit subset. Encryption can be expressed as By rearranging terms, Cj = Pj_ E(K, [Cj-i_ Pj-1]) we can demonstrate that decryption works. Pj = Cj_ E(K, [Cj-1 _ Pj-1]) UNIT-2 Page 17 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.12 Output Feedback Mode Advantage of OFB Mode: The bit errors in transmission do not propagate Disadvantage of OFB Mode: The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB. Counter Mode (CTR): Although interest in the counter (CTR) mode has increased recently with applications to ATM (asynchronous transfer mode) network security and IP sec (IP security), this mode was proposed early on 1979. In Fig 2.13 depicts the CTR mode. A counter equal to the plaintext block size is used. The only requirement stated in SP 800-38A is that the counter value must be different for each plaintext block that is encrypted. Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block. UNIT-2 Page 18 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.14 Counter Mode Advantages of CRT: Hardware Efficiency Software Efficiency Preprocessing Random Access Provable Security Simplicity 6. Triple DES Double DES: The simplest form of multiple encryption has two encryption stages and two keys, Fig 2.16 Given a plaintext P and two encryption keys K1 andK2, ciphertext is generated as Decryption requires that the keys be applied in reverse order: UNIT-2 Page 19 Cryptography & Network Security 4 CSE- 1 SEM For DES, this scheme apparently involves a key length of 56X2=112 bits, resulting in a dramatic increase in cryptographic strength. But we need to examine the algorithm more closely. Fig 2.16 Double DES The first answer to problems of DES is an algorithm called Double DES which includes double encryption with two keys. It increases the key size to 112 bits, which seems to be secure. But, there are some problems associated with this approach. Issue of reduction to single stage: Suppose it were true for DES, for all 56-bit key values, that given any two keys K1 and K2, it would be possible to find a key K3 such that If this were the case, then double encryption, and indeed any number of stages of multiple encryption with DES, would be useless because the result would be equivalent to a single encryption with a single 56-bit key. meet-in-the-middle” attack: Given a known pair(P,C), the attack proceeds as follows. First, encrypt P for all 256 possible values of K1. Store these results in a table and then sort the table by the values of X . Next, decrypt C, using all 256 possible values of K2. As each decryption is produced, check the result against the table for a match. If a match occurs, then test the two resulting keys against a new known plaintext–ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys. Test the two keys for the second pair of plaintext-ciphertext and if they match, correct keys are found Triple DES was the answer to many of the shortcomings of DES. Since it is based on the DES algorithm, it is very easy to modify existing software to use Triple DES. 3DES was developed in 1999 by IBM – by a team led by Walter Tuchman. 3DES prevents a meet-in-themiddle attack. 3DES has a 168-bit key and enciphers blocks of 64 bits. It also has the advantage of proven reliability and a longer key length that eliminates many of the shortcut attacks that can be used to reduce the amount of time it takes to break DES. 3DES uses three keys and three executions of the DES algorithm. The function follows an encrypt-decryptencrypt (EDE) sequence. UNIT-2 Page 20 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.12 Triple DES Encryption and Decryption C=Ek3[Dk2[Ek1[p]]] Where C= ciphertext, P= plaintext and EK[X] = encryption of X using key K DK[Y] = decryption of Y using key K Decryption is simply the same operation with the keys reversed P=Dk1[Ek2[Dk3[c]]] Triple DES runs three times slower than standard DES, but is much more secure if used properly. With three distinct keys, TDEA has an effective key length of 168 bits making it a formidable algorithm. As the underlying algorithm is DEA, it offers the same resistance to cryptanalysis as is DEA. Triple DES can be done using 2 keys or 3 keys. There is no cryptographic significance to the use of decryption for the second stage of 3DES encryption. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES: c = Ek1 [D2l [EK3 [P]]] = EK1 [P] Strength of Triple DES: If we assume that the cracker would perform 1 million decryptions per 1micro second, then DES would take 10 hours to break. With 128 bit Key It would take 1018 years to break. With 168 bit key Brute force attack is impossible. Fig 2.13 Time to break Code UNIT-2 Page 21 Cryptography & Network Security 4 CSE- 1 SEM 7. IDEA (International Data Encryption Algorithm) The International Data Encryption Standard Algorithm (IDEA) is a symmetric block cipher that was proposed and developed by Lai and James to replace DES. It differs with DES both in terms of Rounds and Keys. IDEA uses 128 bit Key. It is a minor revision of an earlier cipher, PES (Proposed Encryption Standard). IDEA was originally called IPES (Improved PES) and was also included in PGP (Pretty Good Privacy Protocol). IDEA is a block cipher which uses a 128-bit length key to encrypt successive 64-bit blocks of plaintext. The main design goals of IDEA are, Block Length: Block size of 64 bits is considered strong enough to deter statistical analysis. Also usage of Cipher Feedback Mode of operation provides better strength. Key Length: Its key size of 128 bits is very secure to deter exhaustive search IDEA’s overall scheme is based on three different operations: Bit by Bit XOR denoted as , addition mod 216 denoted as and multiplication mod (216 +1) as ʘ. All operations are on 16-bit sub-blocks, with no permutations used. Completely avoid substitution boxes and table lookups used in the block ciphers. The algorithm structure has been chosen such that when different key sub-blocks are used, the encryption process is identical to the decryption process. In IDEA, Confusion is achieved by using these three separate operations in combination providing a complex transformation of the input, making cryptanalysis much more difficult (than with a DES which uses just a single XOR). The main basic building block is the Multiplication/Addition (MA) structure shown below: Fig 2.14 Multiplication and Addition Structure UNIT-2 Page 22 Cryptography & Network Security 4 CSE- 1 SEM Diffusion is provided by this MA structure where, each output bit depends on every bit of inputs (plaintext-derived inputs and subkey inputs).This MA structure is repeated eight times, providing very effective diffusion The overall scheme for IDEA is shown below: Fig 2.15 Overall IDEA Structure Working of IDEA: The encryption function takes two inputs; one being the plaintext to be encrypted and the key. The plaintext is 64 bits in length and key is 128 bits in length. The IDEA algorithm UNIT-2 Page 23 Cryptography & Network Security 4 CSE- 1 SEM consists of eight rounds followed by a final transformation function. The algorithm divides the input into four 16-bit sub-blocks. Each of the rounds takes four 16-bit sub-blocks as input and produces four 16-bit output blocks. The final transformation also produces four 16-bit blocks, which are concatenated to form the 64-bit ciphertext. Each of the rounds also makes use of six 16-bit subkeys, whereas the final transformation uses four subkeys, for a total of 52 subkeys. First, the 128-bit key is partitioned into eight 16-bit sub-blocks which are then directly used as the first eight key sub-blocks {i.e. Z1, Z2… Z8 are taken directly from the 128-bit key where Z1.equals the first 16 bits, Z2 corresponding to next 16 bits and so on}. The 128-bit key is then cyclically shifted to the left by 25 positions, after which the resulting 128-bit block is again partitioned into eight 16-bit sub-blocks to be directly used as the next eight key subblocks. The cyclic shift procedure described above is repeated until all of the required 52 16bit key sub-blocks have been generated. The following figure shows the single round in the encryption algorithm. Fig 2.16 IDEA Single Round Encryption UNIT-2 Page 24 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.17 First Stage of MA Structure IDEA deviates from the Feistel Structure that the round starts with a transformation that combines four input subblocks with four subkeys, using the addition and multiplication operations. These four output blocks are then combined using the XOR operation to form two 16bit blocks that are input to the MA structure, which also takes two subkeys(k5,k6) as input and combines these inputs to produce 16-bit outputs. Finally, the four output blocks from the upper transformation are combined with the two output blocks of the MA (Multiplication/Addition) structure using XOR to produce the four output blocks for this round. Also, the two outputs that are partially generated by the second and third inputs(X2 and X3) are interchanged to produce the second and third outputs (W12 and W13). This increases the mixing of bits being processed and makes the algorithm more resistant to differential cryptanalysis. The ninth stage of the algorithm, labelled the output transformation stage has the same structure as the upper rounds, but the only difference is that the second and third inputs are interchanged before being applied to the operational units. The effect of this is undoing the interchange at the end of eighth round. The reason for this extra interchange is so that decryption has the same structure as encryption. The ninth stage requires only four subkey inputs, compared to six subkey inputs for each of the first eight stages. UNIT-2 Page 25 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.19 The 9th Stage of the Algorithm Decryption Steps: 1. The first four subkeys of decryption round i are derived from the first four subkeys of encryption round (10-i), where the transformation stage is counted as round 9. The first and fourth decryption subkeys are equal to the multiplicative inverse modulo (216 +1) of the corresponding first and fourth encryption subkeys. For rounds 2 through 8, the second and third decryption subkeys are equal to the additive inverse modulo (216) of the corresponding third and second encryption subkeys. For rounds 1 and 9, the second and third decryption subkeys are equal to the additive inverse modulo (216) of the corresponding second and third encryption subkeys. 2. For the first eight rounds, the last two subkeys of decryption round i are equal to the last two subkeys of encryption round (9-i) 8. Blowfish Blowfish was developed in 1993 by Bruce Schneier [SCHN93, SCHN94], an independent consultant and cryptographer, and quickly became one of the most popular alternatives to DES. Blowfish was designed to be easy to implement and to have a high execution speed. It is also a very compact algorithm that can run in less than 5K of memory. An interesting feature of Blowfish is that the key length is variable and it can vary from 32 bits up to 448 bits. In practice, 128-bit keys are used. Blowfish uses 16 rounds. Blowfish uses 8X32 S-boxes and the XOR function, as does DES, but also uses binary addition. Unlike DES, which uses fixed S-boxes, Blowfish uses dynamic S-boxes that are generated as a function of the key. A total of 521 executions of the Blowfish encryption algorithm is required to produce the subkeys and S-boxes. Accordingly, Blowfish is not suitable for applications in which the secret key changes frequently. UNIT-2 Page 26 Cryptography & Network Security 4 CSE- 1 SEM Fig 2.20 Blowfish Structure Working of the Round Function: The function splits the 32-bit input into four eight-bit quarters, and uses the quarters as input to the S-boxes. The outputs are added modulo 232 and XORed to produce the final 32-bit output. Fig 2.21 The Round Function Decryption is exactly the same as encryption, except that P1, P2,..., P18 are used in the reverse order. This is not so obvious because xor is commutative and associative. A common misconception is to use inverse order of encryption as decryption algorithm (i.e. first XORing P17 and P18 to the ciphertext block, then using the P-entries in reverse order). UNIT-2 Page 27 Cryptography & Network Security 4 CSE- 1 SEM CAST -128 Algorithms: In cryptography, CAST-128 (alternatively CAST5) is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has also been approved for Canadian government use by the Communications Security Establishment. The algorithm was created in 1996 by Carlisle Adams and Stafford Tavares using the CAST design procedure. Another member of the CAST family of ciphers, CAST-256 (a former AES candidate) was derived from CAST-128. According to some sources, the CAST name is based on the initials of its inventors, though Bruce Schneier reports the authors' claim that "the name should conjure up images of randomness". CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size of between 40 to 128 bits (but only in 8-bit increments). The full 16 rounds are used when the key size is longer than 80 bits. Components include large 8×32-bit S-boxes based on bent functions, key-dependent rotations, modular addition and subtraction, and XOR operations. There are three alternating types of round function, but they are similar in structure and differ only in the choice of the exact operation (addition, subtraction or XOR) at various points. Fig 2.22 Structure of CAST -128 9. Advanced Encryption Standard (AES) UNIT-2 Page 28 Cryptography & Network Security 4 CSE- 1 SEM Introduction to AES Structure: The AES encryption process takes the plain text of length 128 bit or 16 bytes. The Key length can vary in the range of 128, 192, or 256 bits, 16,24 or 32 bytes respectively. The Algorithms can be referred to as AES-128, AES-192, and AES-256. The Encryption and decryption algorithms take a block of length 128 bits, for producing the cipher block of length 128 bit. The plain text block is copied into an array called “State Array” which is modified at each stage of encryption and decryption. After the final stage the “State array” moved to the Output Matrix. The key is also represented in the form of a square matrix. The Key is expanded to 44 words, each word of 4 bytes length (32 bits). The 1st four bytes of the plain text input to encryption cipher occupy the 1st column of “in” matrix, second four bytes occupy the second column and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix. The cipher consists of rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key, 14 rounds for a 32-byte key. UNIT-2 Page 29 Cryptography & Network Security 4 CSE- 1 SEM The first N-1 rounds consists 4 distinct operations: SubBytes, ShiftRows, MixColumns, and AddRoundKey, and final round contains only three transformations and there is an initial single transformation before the first round, that can be considered as round 0. Each transformation takes one or more 4X4 matrices as input and produce the 4X4 as output. The out put the final round is the cipher text. A separate round key is used for each round, which is obtained from the expanded key. AES Data structure: The 1st four bytes of the plain text input to encryption cipher occupy the 1 st column of “in” matrix; second four bytes occupy the second column and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the “w” matrix. Comments about the Overall Structure: • • • One noteworthy feature of this structure is that it is not a Feistel structure. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four distinct words (128 bits) serve as a round key for each round Four different stages are used, one of permutation and three of substitution: • Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block • ShiftRows: A simple permutation • MixColumns: A substitution that makes use of arithmetics • AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key • The structure is quite simple. • Only the AddRoundKey stage makes use of the key UNIT-2 Page 30 Cryptography & Network Security 4 CSE- 1 SEM • The other three stages together provide confusion, diffusion, and nonlinearity, but by • • • • themselves would provide no security because they do not use the key. Each stage is easily reversible. As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse order. Decryption is not identical to the encryption. This is just because of the structure of the AES. Once it is established that all four stages are reversible, it is easy to verify that decryption does recover the plaintext. The final round of both encryption and decryption consists of only three stages. AES Transformation Functions: i. The Substitute Transformation: The AES defines a 16 X 16 matrix of byte values, which is called “S-Box”. This contains the permutations of all possible 256 b-bit values. Each and every byte of the “State matrix” mapped into a new byte in the following way: The left most 4 bytes used to define the row, and right most 4 bits used to define the column. These row and column values used to serve the indexes for the s- box to identify 8-bit output value. State Array ii. S- BOX OUTPUT ShiftRows Transformation: The first row of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte circular left shift is performed. For the fourth row, a 3byte circular left shift is performed. The following is an example of ShiftRows. UNIT-2 Page 31 Cryptography & Network Security iii. 4 CSE- 1 SEM MixColumns Transformation: Each byte of a column is mapped into a new value that is a function of all four bytes in that column. The transformation can be defined by the following matrix multiplication on State. Each element in the product matrix is the sum of products of elements of one row and one column. The MixColumns transformation on a single column of State can be expressed as: For example: iv. UNIT-2 AddRoundKey Transformation Page 32 Cryptography & Network Security 4 CSE- 1 SEM The 128 bits of State are bitwise XORed with the 128 bits of the round key. the operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation. For example: Inputs to the Single Round AES: AES Key Expansion: The 128 bit key is copied into the first four words of the expanded key. The remainder of the expanded key is filled in four words at a time. Each added new word depends on the w[i] and w[i-4]. In three out of four cases, a simple XOR is used. For a word whose position in the w array is a multiple of 4, a more complex function is used. The complex function g consists of the following subfunctions. UNIT-2 Page 33 Cryptography & Network Security 4 CSE- 1 SEM Where R is the called Rotate Constant. RotWord performs a one-byte circular left shift on a word. SubWord performs a byte substitution on each byte of its input word, using the S-box The result of steps 1 and 2 is XORed with a round constant, R *******END of the 2nd UNIT******* UNIT-2 Page 34

Download
# Unit -2