Unit 2

Post on 08-Jun-2015


FEISTEL CIPHER, DES, IDEA, BLOWFISH, CAST 128, RC5

Transcript of Unit 2

Prof. Chintan Patel Information Security

CE Department. Unit - 2

MEFGI , RAJKOT

• A stream cipher: one that encrypts the digital data stream one bit or one byte at a time.

Example: Vigenère cipher or Vernam cipher.

GATE: It is also called a block cipher where size = 1.

• A block cipher: a symmetric-key modern cipher that encrypts an n-bit block of plain text and decrypts an n-bit block of cipher text.

• PADDING: If the message has fewer than n bits, padding must be added to make it n bits.

If the message size is not a multiple of n bits, it should be divided into n-bit blocks and the last block should be padded.

• Can we model substitution as a permutation?

• Yes, n bits of input and output can be represented as 2^n bit sequences of 1’s and 0’s.

0 1 2 3 4 5 6 8

7 4 3 2 1 0 6 5

• Reversible mapping: produces unique cipher text blocks.

a. Reversible mapping

Plain text    Cipher text
00            11
01            10
10            00
11            01

b. Irreversible mapping

Plain text    Cipher text
00            11
01            10
10            01
11            01

• Can be used to define any reversible mapping between plain text and cipher text. Feistel refers to it as an ideal block cipher.

PLAIN TEXT    CIPHER TEXT
0000          1110
0001          0100
0010          1101
0011          0001
0100          0010
0101          1111
0110          1011
0111          1000
1000          0011
1001          1010
1010          0110
1011          1100
1100          0101
1101          1001
1110          0000
1111          0111

CIPHER TEXT   PLAIN TEXT
0000          1110
0001          0011
0010          0100
0011          1000
0100          0001
0101          1100
0110          1010
0111          1111
1000          0111
1001          1101
1010          1001
1011          0110
1100          1011
1101          0010
1110          0000
1111          0101

• An ideal block cipher with a large block size is not practical, however, from an implementation and performance point of view: the mapping itself constitutes the key.

• “The basic aim of the key was to produce unique cipher text, but here every plain text itself gives a unique cipher text.”

• So the total key size for n = 4 (refer to the previous table, where n = 4) is 4 (number of bits) * 16 (no. of rows) = 64 bits.

• In general, for n bits the key size is n * 2^n bits.

• Substitution: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements.

• Permutation: A sequence of plain text elements is replaced by a permutation of that sequence. No elements are added, deleted or replaced; only the order of the elements is changed.

• “Based on knowledge of the statistical characteristics of the plain text, an attacker can assume the probable words of the message.” So Claude Shannon refers to a concept in which:

• The relationship between plain text and cipher text is hidden: called diffusion

• And the relationship between cipher text and key is hidden: called confusion

• The mechanism of diffusion seeks to make the statistical relationship between the P.T and C.T as complex as possible in order to thwart attempts to deduce the key.

• In confusion, even if the attacker can get a handle on some statistics of the C.T, the way in which the key was used to produce that cipher text is so complex as to make it difficult to deduce the key.

• Diffusion can be achieved by repeatedly performing some permutation: the effect is that bits from different positions in the original P.T contribute to a single bit of a character in the cipher text.

• Confusion can be achieved by the use of a complex substitution algorithm like the Hill cipher or the Playfair cipher.

Data Encryption Standard (DES)

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).

• In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem.

• A proposal from IBM, a modification of a project called Lucifer, was accepted as DES.

• DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS).

Encryption and decryption with DES

General structure of DES

Initial and final permutation steps in DES

The initial and final permutations are straight P-boxes that are inverses of each other.

They have no cryptographic significance in DES.

Note

DES uses 16 rounds. Each round of DES is a Feistel cipher.

A round in DES (encryption site)

The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.

DES function

Expansion P-box

Since R_{I−1} is a 32-bit input and K_I is a 48-bit key, we first need to expand R_{I−1} to 48 bits.

Expansion permutation

Although the relationship between the input and output can be defined mathematically, DES uses the table below to define this P-box.

Expansion P-box table

Whitener (XOR)

After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48 bits in length. Also note that the round key is used only in this operation.

S-Boxes

The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output.

S-boxes

S-box rule

S-box 1

Example: The input to S-box 1 is 100011. What is the output?

If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The remaining bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1, in the table (S-box 1). The result is 12 in decimal, which in binary is 1100. So the input 100011 yields the output 1100.

Straight Permutation

Figure Key generation

Parity-bit drop table

• DES Design Criteria

Design criteria for S-Box(substitution)

Design criteria for P-Box(permutation)

• Number of Rounds

• Design of The function F.

• Key scheduling

• No o/p bit of any S-box should be too close to a linear function of the i/p bits.

• Each row of an S-box should include all 16 possible o/p bit combinations.

• If 2 i/p to an S-box differ by 1 bit, then the o/p must differ by at least 2 bits.

• If 2 i/p to an S-box differ in exactly the two middle bits, then the o/p must differ by at least 2 bits.

• If 2 i/p to an S-box differ in their first 2 bits and are identical in their last 2 bits, then the o/p must not be the same.

These criteria are intended to increase the confusion of the algorithm.
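Added example (not part of the original slides): the S-box rule and the checkable design criteria above, run against S-box 1. The S-box 1 table did not survive on this page, so it is reproduced here from the published DES standard; the function names are illustrative.

```python
# DES S-box 1 from the published standard (rows 0-3, columns 0-15).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(box, x):
    """6-bit input -> 4-bit output: bits 1 and 6 pick the row, bits 2-5 the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return box[row][col]

def hamming(a, b):
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")

def rows_are_permutations(box):
    """Each row must contain all 16 possible 4-bit outputs."""
    return all(sorted(row) == list(range(16)) for row in box)

def min_output_distance(box, diffs):
    """Smallest output distance over all input pairs (x, x ^ d) with d in diffs."""
    return min(hamming(sbox_lookup(box, x), sbox_lookup(box, x ^ d))
               for x in range(64) for d in diffs)

SINGLE_BIT = [1 << i for i in range(6)]                   # inputs differ by 1 bit
MIDDLE_TWO = [0b001100]                                   # differ in exactly bits 3 and 4
FIRST_TWO = [0b110000 | (m << 2) for m in range(4)]       # 11xy00: bits 1-2 differ, 5-6 equal

def check_criteria(box):
    """Evaluate the design criteria from the list above that can be tested directly."""
    return {
        "each row has all 16 outputs": rows_are_permutations(box),
        "1-bit input change -> >= 2 output bits": min_output_distance(box, SINGLE_BIT) >= 2,
        "middle-2-bit change -> >= 2 output bits": min_output_distance(box, MIDDLE_TWO) >= 2,
        "first-2-bit change -> different output": min_output_distance(box, FIRST_TWO) >= 1,
    }

if __name__ == "__main__":
    print(format(sbox_lookup(S1, 0b100011), "04b"))   # the worked example: 100011
    for name, ok in check_criteria(S1).items():
        print(("PASS " if ok else "FAIL ") + name)
```

The linearity criterion is not covered here; it needs a correlation analysis rather than a pairwise check.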

• 4 o/p bits from each round i are distributed so that 2 of them affect the “middle bits” of round (i+1) and the other 2 affect the end bits.

• 4 o/p bits from each S-box affect 6 different S-boxes in the next round, and no two affect the same S-box.

• These criteria are intended to increase the diffusion of the algorithm.

• Schneier observes that for 16-round DES, a differential cryptanalysis attack is less efficient than brute force.

• Differential cryptanalysis requires 2^55.1 operations while brute force requires 2^55.

• If DES has 15 or fewer rounds, differential cryptanalysis requires less effort than a brute-force attack.

• SAC (STRONG AVALANCHE CRITERIA)

• It must provide the avalanche effect:

Small changes in the plain text and key must produce a different cipher text

• BIC (BIT INDEPENDENT CRITERIA): O/P bits j and k should change independently when any single input bit i is inverted.

BIC and SAC criteria appear to strengthen the effectiveness of confusion.

• Select the key to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.

• Multiple encryption and Triple DES

•Block Cipher Modes of Operation

• Book: William Stallings (Chapter 6)

• Topics to be covered….

Introduction

Double DES

Triple DES With 2 keys

Triple DES with 3 keys..

• Multiple encryption: the encryption algorithm is used multiple times.

• Triple DES: 3 stages of the DES algorithm with 2 or 3 keys.

• Is there some K3 that can be prepared from K1 and K2?

• Is the following true?

• E(K2, E(K1, P)) = E(K3, P)

• No, it is not possible. DES is not a group cipher like the Caesar cipher.

• Thus double DES results in a mapping that is not equal to a single DES encryption.

• C = E(K2, E(K1, P))

• X = E(K1, P) = D(K2, C)

• Based on a given (P, C) pair:

• Encrypt P using K1. Store these results in a table and then sort the table by the value of X.

• Decrypt C using K2. Store these results in a table and match them with X. If two matching keys are found, try them on a cipher text; if they produce the correct plain text, accept them as the correct keys.

• hence must use 3 encryptions

would seem to need 3 distinct keys

• but can use 2 keys with E-D-E sequence

C = EK1(DK2(EK1(P)))

and encrypt & decrypt equivalent in security

if K1=K2 then can work with single DES

• although there are no practical attacks on two-key Triple-DES, there are some indications

• can use Triple-DES with Three-Keys to avoid even these

C = EK3(DK2(EK1(P)))

• has been adopted by some Internet applications, e.g. PGP, S/MIME
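Added example (not from the original slides): the table-and-match procedure for double encryption and the E-D-E construction described above, run on a toy 16-bit Feistel cipher with 12-bit keys so that the search finishes instantly. The cipher, its round function, the keys and all names are constructed for illustration and stand in for DES.

```python
ROUNDS, KEY_BITS = 4, 12   # toy parameters (constructed); DES has 16 rounds and 56-bit keys

def _round_keys(key):
    # Toy key schedule: one 8-bit round key per round.
    return [((key >> (2 * i)) ^ (key * (i + 3))) & 0xFF for i in range(ROUNDS)]

def _f(half, rk):
    # Toy round function on an 8-bit half block.
    x = ((half ^ rk) * 167 + 13) & 0xFF
    return x ^ (x >> 3)

def _feistel(block, rks):
    left, right = block >> 8, block & 0xFF
    for rk in rks:
        left, right = right, left ^ _f(right, rk)
    return (right << 8) | left      # final swap lets decryption reuse the same network

def E(key, block):
    return _feistel(block, _round_keys(key))

def D(key, block):
    return _feistel(block, _round_keys(key)[::-1])

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))          # C = E(K2, E(K1, P))

def ede(k1, k2, k3, p):
    return E(k3, D(k2, E(k1, p)))   # C = EK3(DK2(EK1(P)))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cipher calls spent on the two table passes)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                                   # X = E(K1, P) -> list of K1
    for k1 in range(1 << KEY_BITS):
        table.setdefault(E(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):              # X = D(K2, C), matched against the table
        for k1 in table.get(D(k2, c0), []):
            # Confirm each match on the remaining known pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, 2 * (1 << KEY_BITS)

def demo():
    k1, k2 = 0x5A3, 0xC17                        # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    found, work = meet_in_the_middle(pairs)
    return (k1, k2) in found, work, 1 << (2 * KEY_BITS)

if __name__ == "__main__":
    ok, work, naive = demo()
    print("key pair recovered:", ok)
    print("table passes:", work, "cipher calls; naive search space:", naive)
    print("E-D-E with K1 = K2 equals single encryption:",
          ede(0x123, 0x123, 0x123, 0xABCD) == E(0x123, 0xABCD))
```

The two passes cost 2 * 2^12 cipher calls against a 2^24 key space, which is why a second key adds about one bit of strength rather than doubling the key length, and why the third stage is needed.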

• a “new” mode, though proposed early on

• similar to OFB but encrypts counter value rather than any feedback value

• must have a different key & counter value for every plaintext block (never reused)

• uses: high-speed network encryptions

• Hardware efficiency: In CTR mode, encryption can be done in parallel on multiple plaintext blocks.

• Software efficiency: Because of the parallel work, features like aggressive pipelining, multiple instruction dispatch, and a large no. of registers can be used effectively.

• Preprocessing: Encryption does not depend on the plaintext or ciphertext, so preprocessing can be used to prepare the output of the encryption boxes that feed into the XOR.

• Simplicity :

• Provable security :
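Added example (not from the original slides): counter mode with precomputed keystream, block-level random access, and what happens when a key and counter value are reused. No block cipher ships with the Python standard library, so `E` is a stand-in built from HMAC-SHA256; the nonce layout, key and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 8  # bytes: the 64-bit block size of DES, IDEA and Blowfish

def E(key, counter_block):
    # Stand-in for the block cipher (assumption): HMAC-SHA256 truncated to one
    # block. CTR only ever uses the cipher in the forward direction.
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]

def keystream_block(key, nonce, i):
    # Counter block = 4-byte nonce || 4-byte block index i (constructed layout).
    return E(key, nonce + i.to_bytes(4, "big"))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def precompute_keystream(key, nonce, nblocks):
    # Preprocessing: needs neither plaintext nor ciphertext, and every block is
    # independent of the others, so this loop could run in parallel.
    return [keystream_block(key, nonce, i) for i in range(nblocks)]

def ctr_crypt(data, keystream, first_block=0):
    # Encryption and decryption are the same XOR with the keystream.
    out = bytearray()
    for n, off in enumerate(range(0, len(data), BLOCK)):
        out += xor(data[off:off + BLOCK], keystream[first_block + n])
    return bytes(out)

def demo():
    key = b"constructed-key!"
    p1 = b"PAY 0100 TO ACCOUNT 1111"      # constructed messages, 3 blocks each
    p2 = b"PAY 9999 TO ACCOUNT 2222"
    ks = precompute_keystream(key, b"\x00\x00\x00\x01", 3)
    c1 = ctr_crypt(p1, ks)
    roundtrip = ctr_crypt(c1, ks) == p1
    # Random access: decrypt only the third block of the ciphertext.
    third_ok = ctr_crypt(c1[16:24], ks, first_block=2) == p1[16:24]
    # Reuse of key and counter values for a second message: the keystream
    # cancels and the XOR of the ciphertexts equals the XOR of the plaintexts.
    c2_reused = ctr_crypt(p2, ks)
    leak = xor(c1, c2_reused) == xor(p1, p2)
    # A fresh nonce for the second message removes that relation.
    c2_fresh = ctr_crypt(p2, precompute_keystream(key, b"\x00\x00\x00\x02", 3))
    no_leak = xor(c1, c2_fresh) != xor(p1, p2)
    return roundtrip, third_ok, leak, no_leak

if __name__ == "__main__":
    print(demo())
```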

• IDEA (International Data Encryption Algorithms)

• Blowfish

• RC2 , RC 5

• Cast 128

• It is a minor revision of an earlier cipher, PES (Proposed Encryption Standard);

• IDEA was originally called IPES (Improved PES).

• IDEA was used as the symmetric cipher in early versions of the Pretty Good Privacy cryptosystem.

• The IDEA encryption algorithm

provides high level security not based on keeping the algorithm a secret, but rather upon ignorance of the secret key

is fully specified and easily understood

is available to everybody

is suitable for use in a wide range of applications

can be economically implemented in electronic components (VLSI Chip)

can be used efficiently

may be exported world wide

is patent protected to prevent fraud and piracy

• The algebraic idea behind IDEA is the mixing of three incompatible algebraic operations on 16-bit blocks:

bitwise XOR,

addition modulo 2^16, and

multiplication modulo 2^16 + 1.

• The 64-bit plain text is divided into four 16-bit blocks, called X1, X2, X3, X4.

• The 128-bit key is divided into eight 16-bit blocks.

• 1. Multiply X1 and the first subkey Z1.

• 2. Add X2 and the second subkey Z2.

• 3. Add X3 and the third subkey Z3.

• 4. Multiply X4 and the fourth subkey Z4.

• 5. Bitwise XOR the results of steps 1 and 3.

• 6. Bitwise XOR the results of steps 2 and 4.

• 7. Multiply the result of step 5 and the fifth subkey Z5.

• 8. Add the results of steps 6 and 7.

• 9. Multiply the result of step 8 and the sixth subkey Z6.

• 10. Add the results of steps 7 and 9.

• 11. Bitwise XOR the results of steps 1 and 9.

• 12. Bitwise XOR the results of steps 3 and 9.

• 13. Bitwise XOR the results of steps 2 and 10.

• 14. Bitwise XOR the results of steps 4 and 10.

• final transformation occurs:

• 1. Multiply X1 and the first subkey Z1.

• 2. Add X2 and the second subkey Z2.

• 3. Add X3 and the third subkey Z3.

• 4. Multiply X4 and the fourth subkey Z4.

• Each of the eight complete rounds requires six subkeys, and the final transformation “half round” requires four subkeys; so the entire process requires 52 subkeys.

• The 128-bit key is split into eight 16-bit subkeys.

• The bits are shifted to the left 25 bits.

• The resulting 128-bit string is split into eight 16-bit blocks that become the next eight subkeys.

• The shifting and splitting process is repeated until 52 subkeys are generated.

• The shifts of 25 bits ensure that repetition does not occur in the subkeys.

• Six subkeys are used in each of the 8 rounds. The final 4 subkeys are used in the ninth “half round” final transformation.
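Added example (not from the original slides): the 14 round steps, the final half round and the 25-bit-shift key schedule listed above, as one IDEA block encryption. The step numbers in the comments refer to that list; the exchange of the two inner words in the half round follows the published IDEA definition and is not spelled out on this page. Function names are illustrative.

```python
MASK = 0xFFFF

def mul(a, b):
    """Multiplication modulo 2^16 + 1, where the 16-bit value 0 stands for 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    return (a * b % 0x10001) & MASK

def add(a, b):
    """Addition modulo 2^16."""
    return (a + b) & MASK

def subkeys(key128):
    """52 subkeys: take eight 16-bit words, rotate the key left 25 bits, repeat."""
    out, k = [], key128
    while len(out) < 52:
        out += [(k >> (112 - 16 * i)) & MASK for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return out[:52]

def encrypt_block(block64, key128):
    z = subkeys(key128)
    x1, x2, x3, x4 = [(block64 >> s) & MASK for s in (48, 32, 16, 0)]
    for r in range(8):
        z1, z2, z3, z4, z5, z6 = z[6 * r:6 * r + 6]
        s1 = mul(x1, z1)      # step 1
        s2 = add(x2, z2)      # step 2
        s3 = add(x3, z3)      # step 3
        s4 = mul(x4, z4)      # step 4
        s5 = s1 ^ s3          # step 5
        s6 = s2 ^ s4          # step 6
        s7 = mul(s5, z5)      # step 7
        s8 = add(s6, s7)      # step 8
        s9 = mul(s8, z6)      # step 9
        s10 = add(s7, s9)     # step 10
        # steps 11-14 give the four words fed to the next round
        x1, x2, x3, x4 = s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10
    # Final "half round" with the last four subkeys; the two inner words are
    # exchanged here, as in the published algorithm.
    y1 = mul(x1, z[48])
    y2 = add(x3, z[49])
    y3 = add(x2, z[50])
    y4 = mul(x4, z[51])
    return (y1 << 48) | (y2 << 32) | (y3 << 16) | y4

if __name__ == "__main__":
    key = 0x00010002000300040005000600070008     # constructed sample key
    print(format(encrypt_block(0x0000000100020003, key), "016X"))
    print([format(k, "04X") for k in subkeys(key)[8:16]])
```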

• simplified IDEA encrypts a 16-bit block of plaintext to a 16-bit block of cipher text. It uses a 32-bit key. The simplified algorithm consists of four identical rounds and a “half round” final transformation.

• IDEA Supports all,

ECB(Electronic code book)

CBC(cipher block chaining)

CFB(Cipher feedback mode)

OFB(Output Feedback mode)

• IDEA-based security solutions are available in many market areas, ranging from Financial Services and Broadcasting to Government.

• The IDEA algorithm can easily be embedded in any encryption software. Data encryption can be used to protect data transmission and storage. Typical fields are:

• – Audio and video data for cable TV, pay TV, video conferencing, distance learning, business TV, VoIP

• – Sensitive financial and commercial data

• – Email via public networks

• – Transmission links via modem, router or ATM link, GSM technology

• – Smart cards

Source: Internet and Book: Atul Kahate.

• Developed by Bruce Schneier in 1993/94.

• Design objectives:

Fast: Blowfish encryption rate on a 32-bit microprocessor is 26 clock cycles per byte.

Compact: It can be executed in less than 5 KB of memory.

Simple: Uses only primitive operations like XOR and table lookup, making its design and implementation simple.

Secure: Blowfish has a variable key length, from a minimum of 32 bits up to a maximum of 448 bits, to make it flexible and secure.

Used in applications where the key remains constant for a long time (e.g. communication link) but not where the key changes frequently (e.g. packet switching).

• Encrypts 64-bit blocks with a variable-length key, and contains 2 parts.

Subkey generation: Expands the key, up to 448 bits long, into subkeys totaling 4168 bits.

Data encryption: Iteration of the Feistel function 16 times. Each round contains a key-dependent permutation and a key- and data-dependent substitution.

• 1. Uses a large no. of subkeys, and the key must be ready before encryption and decryption. Key size ranges from 32 bits to 448 bits.

This means 1 to 14 words with 32 bits/word.

K1, K2, K3, …, Kn: each block contains 32 bits.

• 2. P-array, consisting of 18 32-bit subkeys.

P1, P2, …, P18

Schneier recommends the usage of the bits of fractional parts of constant pi=22/7.

P1 = 24F6C98

P2 = 85F6A88……..

P18 = 84F6D84.

• 3. 4 S-boxes , each containing 256, 32 bit entries.

S1,0 ………………………..S1, 255

S2,0……………………… ..S2,255

S3,0…………………………S3,255

S4,0…………………………S4,255

Initialized the same way as the P-array, with hexadecimal values of the fractional part of the constant pi = 22/7.

• 4. Bitwise XOR of P1 with K1, P2 with K2, …, P14 with K14. After that the key array K is exhausted, and hence P15 to P18 use K1 to K4.

P1 = P1 XOR K1

P2 = P2 XOR K2

…

P18 = P18 XOR K4

• Symmetric block cipher developed by Ron Rivest.

• Quite fast because it uses only addition, XOR and shift operations.

• Allows a variable no. of rounds and a variable-size key to add flexibility.

• Requires less memory for execution and is therefore suitable not only for desktop applications but also for smart cards and other devices.

Parameter                          Allowed values
Word size in bits                  16, 32, 64
Number of rounds                   0 … 255
Number of 8-bit bytes in the key   0 … 255

Word size, number of rounds and key size can all be of variable length. Variable means that before execution of a particular instance of RC5, these values can be chosen from those allowed, unlike DES and IDEA.

RC5 uses 2-word blocks.

RC5-w/r/b, where w = word size, r = number of rounds, b = number of 8-bit bytes in the key.

Ex. RC5-32/16/16 means 64-bit (32*2) blocks, 16 rounds, 16-byte key.

• The input plain text is divided into equal-size blocks A and B.

• To produce C and D, S[0] is added to A and S[1] is added to B.

• Step 1: XOR C and D to produce E.

• Step 2: Circular left shift of E by D bits.

• Step 3: Add E and the next subkey to produce F.

• Step 4: XOR D and F to produce G.

• Step 5: Circular left shift of G.

• Step 6: Add G and the next subkey.

• Check whether all rounds are finished or not.

• Step 1: The subkeys S[0], S[1], … are generated.

• Step 2: The original key is called L. All subkeys (S[0], S[1], …) are mixed with the corresponding sub-portions of the original key (L[0], L[1], …).
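Added example (not from the original slides): RC5 with 32-bit words, following the round steps and the subkey generation and mixing steps above, with decryption added to show that every step is reversible. The constants P32 and Q32 and the number of mixing passes come from Rivest's RC5 paper and are not on this page; function names are illustrative.

```python
W = 32                               # word size in bits
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9    # magic constants from Rivest's RC5 paper

def rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK

def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK

def expand_key(key, rounds):
    """Build the subkey array S[0 .. 2*rounds + 1] from the key bytes."""
    c = max(1, (len(key) + 3) // 4)
    # The original key as little-endian words L[0], L[1], ...
    L = [int.from_bytes(key[4 * i:4 * i + 4].ljust(4, b"\0"), "little")
         for i in range(c)]
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]        # subkeys generated
    a = b = i = j = 0
    for _ in range(3 * max(t, c)):                        # subkeys mixed with L
        a = S[i] = rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = rotl((L[j] + a + b) & MASK, a + b)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def encrypt(block, S, rounds):
    a, b = block
    a = (a + S[0]) & MASK                                 # C = A + S[0]
    b = (b + S[1]) & MASK                                 # D = B + S[1]
    for i in range(1, rounds + 1):
        a = (rotl(a ^ b, b) + S[2 * i]) & MASK            # steps 1-3
        b = (rotl(b ^ a, a) + S[2 * i + 1]) & MASK        # steps 4-6
    return a, b

def decrypt(block, S, rounds):
    a, b = block
    for i in range(rounds, 0, -1):                        # undo the rounds in reverse
        b = rotr((b - S[2 * i + 1]) & MASK, a) ^ a
        a = rotr((a - S[2 * i]) & MASK, b) ^ b
    return (a - S[0]) & MASK, (b - S[1]) & MASK

if __name__ == "__main__":
    S = expand_key(bytes(16), 12)                         # RC5-32/12/16, all-zero key
    print(["%08X" % w for w in encrypt((0, 0), S, 12)])
    S16 = expand_key(b"constructed key!", 16)             # RC5-32/16/16, as in the Ex. above
    ct = encrypt((0x01234567, 0x89ABCDEF), S16, 16)
    print(decrypt(ct, S16, 16) == (0x01234567, 0x89ABCDEF))
```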

• typically have a hierarchy of keys

• session key

temporary key

used for encryption of data between users

for one logical session then discarded

• master key

used to encrypt session keys

shared by user & key distribution center

Henric Johnson 134

SESSION KEY LIFE TIME

hierarchies of KDC’s required for large networks, but must trust each other

session key lifetimes should be limited for greater security (connection oriented and less)

use of automatic key distribution on behalf of users, but must trust system

use of decentralized key distribution

controlling key usage

• for cryptographic applications, can use a block cipher to generate random numbers

• often for creating session keys from master key

• Counter Mode: X_i = E_Km[i]

• Output Feedback Mode: X_i = E_Km[X_{i-1}]

• often use deterministic algorithmic techniques to create “random numbers”

although are not truly random

can pass many tests of “randomness”

• known as “pseudorandom numbers”

• created by “Pseudorandom Number Generators (PRNGs)”

• common iterative technique using:

X_{n+1} = (a X_n + c) mod m

• given suitable values of parameters can produce a long random-like sequence

• suitable criteria to have are:

function generates a full period

generated sequence should appear random

efficient implementation with 32-bit arithmetic

• note that an attacker can reconstruct sequence given a small number of values

• have possibilities for making this harder

• Also called the Blum, Blum, Shub generator.

• Choose any two large prime numbers that both have remainder 3 when divided by 4.

• Let n = p*q. Choose a random s, such that s is relatively prime to n.

• p and q can be factor s.

• X0 = s^2 mod n

• For i = 0 to infinity:

• Xi = (X(i-1))^2 mod n

• Bi = Xi mod 2.

• BBS is also referred to as a cryptographically secure pseudorandom bit generator (CSPRBG).
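Added example (not from the original slides): why the linear congruential generator above is unsuitable for keys, and the Blum Blum Shub generator with its parameter checks. It covers both the note that a sequence can be reconstructed from a few values and the BBS steps; all parameters are small constructed values chosen so the arithmetic can be followed, and the function names are illustrative.

```python
from math import gcd

def lcg(a, c, m, seed):
    """Linear congruential generator: X(n+1) = (a * X(n) + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def recover_lcg(x0, x1, x2, m):
    """Recover (a, c) from three consecutive outputs when m is known.

    x2 - x1 = a * (x1 - x0) mod m, so a follows from one modular inverse.
    Requires (x1 - x0) to be invertible mod m, which always holds for distinct
    outputs when m is prime.
    """
    a = (x2 - x1) * pow((x1 - x0) % m, -1, m) % m
    c = (x1 - a * x0) % m
    return a, c

def predict_next(x0, x1, x2, m):
    """Predict the fourth output from the first three."""
    a, c = recover_lcg(x0, x1, x2, m)
    return (a * x2 + c) % m

def bbs_bits(p, q, s, count):
    """Blum Blum Shub: square repeatedly modulo n = p*q and emit the low bit."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both leave remainder 3 when divided by 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("s must be relatively prime to n")
    x = s * s % n                  # X0 = s^2 mod n
    bits = []
    for _ in range(count):
        x = x * x % n              # Xi = (X(i-1))^2 mod n
        bits.append(x & 1)         # Bi = Xi mod 2
    return bits

if __name__ == "__main__":
    m = 2**31 - 1                                  # constructed LCG parameters
    gen = lcg(16807, 12345, m, seed=42)
    x0, x1, x2, x3 = (next(gen) for _ in range(4))
    print("recovered (a, c):", recover_lcg(x0, x1, x2, m))
    print("next output predicted:", predict_next(x0, x1, x2, m) == x3)
    # Toy primes; a real BBS modulus is as large as an RSA modulus.
    print("BBS bits:", bbs_bits(383, 503, 101355, 5))
```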

Cast 128 , RC 2

• Developed by Ron Rivest (RSA Data Security)

• 64-bit block cipher

• Variable key size (from one byte up to 128 bytes)

• Designed to be easy to implement on 16-bit microprocessor

Use 16-bit word, 16-bit arithmetic (addition, XOR, AND, ~, rotate)

• Non-Feistel

• 18 rounds (mixing/mashing)

• Used in S/MIME

• RC2 assumes a 128-byte (64-word) key buffer

For byte operations, the key array is L[0], …, L[127]; each L[i] is a byte

For word operations, the key array is K[0], …, K[63]; each K[i] is a 16-bit word

These are alternative views of the same key buffer

• Key expansion

Assume that exactly T bytes of key are supplied, 1 ≤ T ≤ 128

The purpose of the key expansion algorithm is to modify the key buffer so that each bit of the expanded key depends in a complicated way on every bit of the supplied input key

Key expansion begins by placing the supplied T-byte key into bytes L[0], …, L[T-1] of the key buffer

The L array is then computed making use of an auxiliary array P

The P array is a random permutation of the values 0, …, 255, which is constructed based on π = 3.14159… (See next page)

The computation is

K[i] = L[2*i] + 256*L[2*i+1].

Here is the P array in hexadecimal notation:

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00: d9 78 f9 c4 19 dd b5 ed 28 e9 fd 79 4a a0 d8 9d
10: c6 7e 37 83 2b 76 53 8e 62 4c 64 88 44 8b fb a2
20: 17 9a 59 f5 87 b3 4f 13 61 45 6d 8d 09 81 7d 32
30: bd 8f 40 eb 86 b7 7b 0b f0 95 21 22 5c 6b 4e 82
40: 54 d6 65 93 ce 60 b2 1c 73 56 c0 14 a7 8c f1 dc
50: 12 75 ca 1f 3b be e4 d1 42 3d d4 30 a3 3c b6 26
60: 6f bf 0e da 46 69 07 57 27 f2 1d 9b bc 94 43 03
70: f8 11 c7 f6 90 ef 3e e7 06 c3 d5 2f c8 66 1e d7
80: 08 e8 ea de 80 52 ee f7 84 aa 72 ac 35 4d 6a 2a
90: 96 1a d2 71 5a 15 49 74 4b 9f d0 5e 04 18 a4 ec
a0: c2 e0 41 6e 0f 51 cb cc 24 91 af 50 a1 f4 70 39
b0: 99 7c 3a 85 23 b8 b4 7a fc 02 36 5b 25 55 97 31
c0: 2d 5d fa 98 e3 8a 92 ae 05 df 29 10 67 6c ba c9
d0: d3 00 e6 cf e1 9e a8 2c 63 16 01 3f 58 e2 89 a9
e0: 0d 38 34 1b ab 33 ff b0 bb 48 0c 5f b9 b1 cd 2e
f0: c5 f3 db 47 e5 a5 9c 77 0a a6 20 68 fe 7f c1 ad

• Encryption algorithm takes a 64-bit input stored in R[0], R[1], R[2], R[3], and places the result back in R[0] through R[3].

• Algorithm consists of 18 rounds of two types: mixing and mashing

• Mixing round:

R[0] = R[0] + K[j] + (R[3] & R[2]) + (~R[3] & R[1]);
R[0] = R[0] <<< 1;
j = j + 1;
R[1] = R[1] + K[j] + (R[0] & R[3]) + (~R[0] & R[2]);
R[1] = R[1] <<< 2;
j = j + 1;
R[2] = R[2] + K[j] + (R[1] & R[0]) + (~R[1] & R[3]);
R[2] = R[2] <<< 3;
j = j + 1;
R[3] = R[3] + K[j] + (R[2] & R[1]) + (~R[2] & R[0]);
R[3] = R[3] <<< 5;
j = j + 1;

Here j is a global variable; K[j] is the first subkey word that has not yet been used. The operator <<< is a circular left shift of a 16-bit word.

• Decryption: Inverse operation of encryption with the keys used in reverse order

Mashing round: R[j] = R[j] + K[R[j-1] % 64]

• 64-bit iterated block cipher

• key: 40 bits up to 128 bits (increments of 8 bits)

• 12 up to 16 rounds

• Feistel Network structure

• designed by C. Adams and S.Tavares (1996)

• S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

• CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST-5)

• CAST-128 uses fixed 8x32-bit S-boxes: for encryption and decryption (S1, S2, S3, S4) and for the key schedule (S5, S6, S7, S8)

• round operations: +, -, <<<,

• three round functions: f1, f2 and f3

• An official algorithm for use with the Canadian Government:

http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html

Round functions f1, f2 and f3

• Three different round functions are used in CAST-128. The rounds are as follows (where "D" is the data input to the f function and "Ia" -"Id" are the most significant byte through least significant byte of I, respectively).

• Note that "+" and "-" are addition and subtraction modulo 2**32, "^" is bitwise XOR, and "<<<" is the circular left- shift operation.

• Type 1: I = ((Kmi + D) <<< Kri), f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]

• Type 2: I = ((Kmi ^ D) <<< Kri), f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]

• Type 3: I = ((Kmi - D) <<< Kri), f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]

• Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1.

• Rounds 2, 5, 8, 11, and 14 use f function Type 2.

• Rounds 3, 6, 9, 12, and 15 use f function Type 3.

• Variable key length

Blowfish, RC5, CAST-128, RC2

• Mixed operators

More than one arithmetic and/or Boolean operator, especially ones that are not associative or distributive

These operators provide nonlinearity as an alternative to S-boxes

• Data-dependent rotation

Provide excellent confusion and diffusion

RC5

• Key-dependent rotation

CAST-128

Key features found in advanced symmetric block ciphers (not in DES)

• Key-dependent S-boxes

Blowfish

• Expensive key schedule computation

Blowfish

• Variable round function (F)

CAST-128

• Variable plaintext/ciphertext block length

RC5

• Variable number of rounds

RC5

• Operation on both data halves each round

IDEA, Blowfish, RC5