
Unit 1 Ans

The document discusses different block cipher modes of operation including Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) modes. It explains the encryption and decryption processes for each mode and highlights limitations such as message repetitions in ECB, error propagation in CBC and CFB, and issues with reuse of initialization vectors.

Uploaded by

Vikramaditya
Copyright
© Attribution Non-Commercial (BY-NC)

St. Vincent Pallotti College of Engg. & Tech., Nagpur
Department of CE & IT
Computer System Security
UNIT: I

Q.1) Write an algorithm for S-DES and analyze it.

The most widely used private-key block cipher is the Data Encryption Standard
(DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information
Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit
key. DES enjoys widespread use. It has also been the subject of much controversy
concerning its security.
DES encryption:
The overall scheme for DES encryption is illustrated in Stallings Figure 3.4, which
takes as input 64 bits of data and of key.
The left side shows the basic process for enciphering a 64-bit data block which consists of:
- an initial permutation (IP) which shuffles the 64-bit input block
- 16 rounds of a complex key dependent round function involving substitutions &
permutations
- a final permutation, being the inverse of IP
The right side shows the handling of the 56-bit key and consists of:
- an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in
two 28-bit halves
- 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the
two 28-bit halves.
The initial permutation and its inverse are defined by tables, as shown in Stallings
Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to
a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the
permutation table contain a permutation of the numbers from 1 to 64. Each entry in the
permutation table indicates the position of a numbered input bit in the output, which also
consists of 64 bits.
Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite
of what we now mostly use - so be careful! Numbers from Bit 1 (leftmost, most significant)
to bit 32/48/64 etc (rightmost, least significant).
Note that examples are specified using hexadecimal.
Here a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after
permuting with IP becomes “ffb2194d 004df6fb”.
Detail here the internal structure of the DES round function F, which takes R half &
subkey, and processes them through E, add subkey, S & P.
This follows the classic structure for a Feistel cipher.
Note that the s-boxes provide the “confusion” of data and key values, whilst the
permutation P then spreads this as widely as possible, so each S-box output affects as many
S-box inputs in the next round as possible, giving “diffusion”.
DES Round Structure
Figure illustrates the internal structure of the DES round function F. The R input is
first expanded to 48 bits by using expansion table E that defines a permutation plus an
expansion that involves duplication of 16 of the R bits. The resulting 48 bits are XORed
with Ki. This 48-bit result passes through a substitution function comprising 8 S-boxes
which each map 6 input bits to 4 output bits, producing a 32-bit output, which is then
permuted by permutation P.
DES Decryption
As with any Feistel cipher, DES decryption uses the same algorithm as encryption
except that the subkeys are used in reverse order SK16 .. SK1.
If you trace through the DES overview diagram, you can see how each decryption step,
top to bottom with reversed subkeys, undoes the equivalent encryption step moving from
bottom to top.
Strength of DES :-
1. Key Size
2. Analytic Attacks
3. Timing Attacks

Q.2) Encrypt the plaintext “read between the lines” using the keyword “KNIGHT”.

Plaintext: read between the lines


Keyword: KNIGHT
By using Playfair cipher encryption method,
Plaintext: READ BETWEEN THE LINES
RE AD BE TW EX EN TH EL IN ES
Thus matrix can be constructed as,
K N I G H
T A B C D
E F L M O
P Q R S U
V W X Y Z

Plaintext - Ciphertext
RE - PL
AD - BT
BE - TL
TW - AV
EX - LV
EN - FK
TH - DK
EL - FM
IN - GI
ES - MP
Thus, the required ciphertext is PLBTTLAVLVFKDKFMGIMP.

Q.4) Explain different block cipher modes of operations and their limitations.

Symmetric-key encipherment can be done using modern block ciphers. Modes of
operation have been devised to encipher text of any size employing either DES or AES.
The modes are intended to cover virtually all the possible applications of encryption
for which a block cipher could be used.

a. Electronic Codebook (ECB) Mode: The simplest mode of operation is called the
electronic codebook (ECB) mode, in which plaintext is handled one block at a time
and each block of plaintext is encrypted using the same key. ECB is used when only
a single block of information needs to be sent (e.g. a session encryption key).
The Encryption & Decryption can be shown as-

Limitations:
- message repetitions may show in ciphertext
  • if aligned with message block
  • particularly with data such as graphics
  • or with messages that change very little, which become a code-book
    analysis problem
- weakness is due to the encrypted message blocks being independent
- main use is sending a few blocks of data

b. Cipher Block Chaining (CBC) Mode: To overcome the problems of repetitions and
order independence in ECB, we want some way of making the ciphertext dependent on
all blocks before it. This is what CBC gives us, by combining the previous
ciphertext block with the current message block before encrypting. To start the
process, use an Initial Value (IV), which is usually well known (often all 0's), or
otherwise is sent, ECB encrypted, just before starting CBC use. CBC mode is
applicable whenever large amounts of data need to be sent securely, provided that all
data is available in advance (e.g. email, FTP, web etc).

The Encryption & Decryption can be shown as-

Limitations:
- a ciphertext block depends on all blocks before it
- any change to a block affects all following ciphertext blocks
- need Initialization Vector (IV)
  • which must be known to sender & receiver
  • if sent in clear, attacker can change bits of first block, and change IV
    to compensate
  • hence IV must either be a fixed value (as in EFTPOS)
  • or must be sent encrypted in ECB mode before rest of message

c. Cipher Feedback (CFB) Mode: If the data is only available a bit/byte at a time, then
we must use some other approach to encrypt it, so as not to delay the information. The idea
here is to use the block cipher essentially as a pseudo-random number generator and to
combine these "random" bits with the message. XOR is an easily inverted operator
(just XOR with the same thing again to undo). Again start with an IV to get things
going, then use the ciphertext as the next input. As originally defined, the idea was to
"consume" as much of the "random" output as needed for each message unit
(bit/byte) before "bumping" bits out of the buffer and re-encrypting. This slows the
encryption down as more encryptions are needed. An alternate way to think of it is
to generate a block of "random" bits, consume them as message bits/bytes arrive, and
when they're used up, only then feed a full block of ciphertext back. This is CFB-64
or CFB-128 mode (depending on the block size of the cipher used). CFB is the usual
choice for quantities of stream oriented data, and for authentication use.
The Encryption & Decryption can be shown as-

Limitations:
- appropriate when data arrives in bits/bytes
- most common stream mode
- limitation is the need to stall while doing block encryption after every n bits
- note that the block cipher is used in encryption mode at both ends
- errors propagate for several blocks after the error

d. Output Feedback (OFB) Mode: The alternative to CFB is OFB. Here the generation
of the "random" bits is independent of the message being encrypted. The advantage
is that firstly, they can be computed in advance, good for bursty traffic, and
secondly, any bit error only affects a single bit. Thus this is good for noisy links
(e.g. satellite TV transmissions etc).

The Encryption & Decryption can be shown as-

Limitations:
- bit errors do not propagate
- more vulnerable to message stream modification
- a variation of a Vernam cipher
  • hence must never reuse the same sequence (key+IV)
- sender & receiver must remain in sync
- originally specified with m-bit feedback
- subsequent research has shown that only full block feedback (i.e. CFB-64 or
  CFB-128) should ever be used

e. Counter (CTR) Mode: The Counter (CTR) mode is a variant of OFB, but which
encrypts a counter value (hence the name). Although it was proposed many years
before, it has only recently been standardized for use with AES along with the other
existing 4 modes. It is being used with applications in ATM (asynchronous transfer mode)
network security and IPSec (IP security). A counter equal to the plaintext block size
is used. The only requirement stated in SP 800-38A is that the counter value must be
different for each plaintext block that is encrypted. Typically the counter is
initialized to some value and then incremented by 1 for each subsequent block.
The Encryption & Decryption can be shown as-

Limitations:
- efficiency
  • can do parallel encryptions in h/w or s/w
  • can preprocess in advance of need
  • good for bursty high speed links
- random access to encrypted data blocks
- provable security (good as other modes)
- but must ensure never reuse key/counter values, otherwise could break (cf. OFB)

Q.5) Write short notes on:


(i) International Data Encryption Algorithm(IDEA)
(ii) CAST

(i) International Data Encryption Algorithm (IDEA)

• Xuejia Lai and James Massey, ETH (Swiss Federal Institute of Technology),
  1991
• Patented
  - patent is held by Ascom-Tech
  - Non-commercial use of IDEA is free. Commercial licenses can be obtained by
    contacting Ascom-Tech
• Used in PGP
• 128-bit key, 64-bit block
• Variant Feistel network (not Feistel)
• Eight rounds + final transformation
• Uses three operations. Each operation is performed on two 16-bit inputs to produce
  a single 16-bit output
  - Bit-by-bit XOR (⊕)
  - (Unsigned 16-bit integers) addition modulo 2^16 (⊞)
  - (Unsigned 16-bit integers) multiplication modulo 2^16 + 1, except that a block of
    all zeros is treated as representing 2^16 (⊙)
• Three operations are incompatible in the sense that
  - No pair of the three operations satisfies a distributive law, e.g.
    a ⊞ (b ⊙ c) ≠ (a ⊞ b) ⊙ (a ⊞ c)
  - No pair of the three operations satisfies an associative law, e.g.
    a ⊞ (b ⊕ c) ≠ (a ⊞ b) ⊕ c
• In IDEA, confusion is achieved by using these three separate operations in
  combination
• Provides a complex transformation of the input, making cryptanalysis much more
  difficult (than with a DES which uses just a single XOR)

(ii) CAST:
- Developed by Carlisle Adams and Stafford Tavares
- Used in IPSec
- 64-bit block, 40- to 128-bit keys (in 8-bit increments)
- Classical Feistel network structure
- Sixteen rounds
- Two subkeys per round, one 32-bit (Kmi), one 5-bit (Kri)
- Three different round functions
- Four operations: addition (+) and subtraction (-) modulo 2^32, XOR, and (variable)
  circular left rotate (<<<)
- 5-bit subkey (Kri) determines rotate amount
- Encryption:
    L0||R0 = Plaintext
    for i = 1 to 16 do
        Li = Ri-1
        Ri = Li-1 ⊕ Fi[Ri-1, Kmi, Kri]
    Ciphertext = L16||R16
- Decryption: same as encryption with the keys applied in reverse order
- CAST-128 uses 8 S-boxes
- Four of these, S-box 1 thru S-box 4, are used in the encryption/decryption process
- S-box 5 thru S-box 8 are used in the subkey generation
- S-boxes contain fixed (predefined) values
- Each S-box contains 256 32-bit values

Q.6) Explain various aspects of information security.

Information security involves protecting information from diverse threats for the
purpose of ensuring continuity of operation, minimizing damages and maximizing results.
Information security can be seen as a means of protecting:

• Confidentiality, i.e. assurance that information is accessible only to authorised
persons. Sensitive information must be protected from unauthorised publication,
access or interception.
• Integrity, i.e. maintaining the accuracy and completeness of information and
processes. Ensuring that information is correct and undamaged and that software
functions correctly.
• Availability, i.e. ensuring that information and services are available to authorised
users when needed.
Information security also involves the preservation of other characteristics, such as
information traceability, reliability, irrefutability and responsibility.
Information is a valuable asset and therefore needs appropriate protection. Information
comes in various formats, e.g. printed or written on paper, stored electronically, published
on film or revealed in conversation. Information should always be protected in an
appropriate manner, irrespective of the means by which such information is utilised or
stored.

Q.7) Define the terms with reference to cryptanalysis:


(i) Unconditionally secure
(ii) Computationally secure

Unconditionally secure:
An encryption scheme is unconditionally secure if the ciphertext
generated by the scheme does not contain enough information to determine uniquely
the corresponding plaintext, no matter how much ciphertext is available.

Computationally secure:
An encryption scheme is said to be computationally secure if
either of the foregoing two criteria are met. The rub is that it is very difficult to estimate
the amount of effort required to cryptanalyze ciphertext successfully.

Q.8) What is steganography?

Steganography:
Steganography conceals the existence of the message. A simple form of
steganography is one in which an arrangement of words or letters within an apparently
innocuous text spells out the real message. For example, the sequence of first letters of
each word of the overall message spells out the hidden message.
Some of the other techniques that have been used are-
• Character marking: Selected letters of printed or typewritten text are overwritten
in pencil. The marks are ordinarily not visible unless the paper is held at an
angle to bright light.
• Invisible ink: A number of substances can be used for writing but leave no
visible trace until heat or some chemical is applied to the paper.
• Pin punctures: small pin punctures on selected letters are ordinarily not visible
unless the paper is held up in front of light.

Q.9) Explain in detail the actual DES algorithm using appropriate diagrams.

The most widely used private-key block cipher is the Data Encryption Standard
(DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information
Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit
key. DES enjoys widespread use. It has also been the subject of much controversy
concerning its security.
DES encryption:

The overall scheme for DES encryption is illustrated in Stallings Figure 3.4, which
takes as input 64 bits of data and of key.
The left side shows the basic process for enciphering a 64-bit data block which consists of:
- an initial permutation (IP) which shuffles the 64-bit input block
- 16 rounds of a complex key dependent round function involving substitutions &
permutations
- a final permutation, being the inverse of IP
The right side shows the handling of the 56-bit key and consists of:
- an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in
two 28-bit halves
- 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the
two 28-bit halves.
The initial permutation and its inverse are defined by tables, as shown in Stallings
Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to
a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the
permutation table contain a permutation of the numbers from 1 to 64. Each entry in the
permutation table indicates the position of a numbered input bit in the output, which also
consists of 64 bits.
Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite
of what we now mostly use - so be careful! Numbers from Bit 1 (leftmost, most significant)
to bit 32/48/64 etc (rightmost, least significant).
Note that examples are specified using hexadecimal.
Here a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after
permuting with IP becomes “ffb2194d 004df6fb”.
Detail here the internal structure of the DES round function F, which takes R half &
subkey, and processes them through E, add subkey, S & P.
This follows the classic structure for a Feistel cipher.
Note that the s-boxes provide the “confusion” of data and key values, whilst the
permutation P then spreads this as widely as possible, so each S-box output affects as many
S-box inputs in the next round as possible, giving “diffusion”.
DES Round Structure

Figure illustrates the internal structure of the DES round function F. The R input is
first expanded to 48 bits by using expansion table E that defines a permutation plus an
expansion that involves duplication of 16 of the R bits. The resulting 48 bits are XORed
with Ki. This 48-bit result passes through a substitution function comprising 8 S-boxes
which each map 6 input bits to 4 output bits, producing a 32-bit output, which is then
permuted by permutation P.
DES Decryption
As with any Feistel cipher, DES decryption uses the same algorithm as encryption
except that the subkeys are used in reverse order SK16 .. SK1.
If you trace through the DES overview diagram, you can see how each decryption step,
top to bottom with reversed subkeys, undoes the equivalent encryption step moving from
bottom to top.

Q.10) Explain the subkey generation process in Blowfish.

The subkeys are calculated using the Blowfish algorithm:

1. Initialize first the P-array and then the four S-boxes, in order, with a
   fixed string. This string consists of the hexadecimal digits of pi (less the
   initial 3): P1 = 0x243f6a88, P2 = 0x85a308d3, P3 = 0x13198a2e, P4 =
   0x03707344, etc.
2. XOR P1 with the first 32 bits of the key, XOR P2 with the second 32
   bits of the key, and so on for all bits of the key (possibly up to P14).
   Repeatedly cycle through the key bits until the entire P-array has been
   XORed with key bits. (For every short key, there is at least one
   equivalent longer key; for example, if A is a 64-bit key, then AA, AAA,
   etc., are equivalent keys.)
3. Encrypt the all-zero string with the Blowfish algorithm, using the
   subkeys described in steps (1) and (2).
4. Replace P1 and P2 with the output of step (3).
5. Encrypt the output of step (3) using the Blowfish algorithm with the
   modified subkeys.
6. Replace P3 and P4 with the output of step (5).
7. Continue the process, replacing all entries of the P array, and then all
   four S-boxes in order, with the output of the continuously changing
   Blowfish algorithm.
In total, 521 iterations are required to generate all required
subkeys. Applications can store the subkeys rather than execute this
derivation process multiple times.

11) Explain Blowfish encryption algorithm with reference to the characteristics
and the encryption operations.

Ans:
- Manipulates data in large blocks.
- Has a 64-bit block size.
- Has a scalable key, from 32 bits to at least 256 bits.
- Uses simple operations that are efficient on microprocessors,
  e.g., exclusive-or, addition, table lookup, modular multiplication. It does
  not use variable-length shifts or bit-wise permutations, or conditional jumps.
- Employs precomputable subkeys.
  On large-memory systems, these subkeys can be precomputed for faster
  operation. Not precomputing the subkeys will result in slower operation,
  but it should still be possible to encrypt data without any precomputations.
- Consists of a variable number of iterations.
  For applications with a small key size, the trade-off between the
  complexity of a brute-force attack and a differential attack makes a large
  number of iterations superfluous. Hence, it should be possible to reduce the
  number of iterations with no loss of security (beyond that of the reduced key size).
- Uses subkeys that are a one-way hash of the key.
  This allows the use of long passphrases for the key without compromising
  security.
- Has no linear structures that reduce the complexity of exhaustive search.
- Uses a design that is simple to understand. This facilitates analysis and
  increases the confidence in the algorithm. In practice, this means that the
  algorithm will be a Feistel iterated block cipher.

Blowfish has 16 rounds.


The input is a 64-bit data element, x.
Divide x into two 32-bit halves: xL, xR.
Then, for i = 1 to 16:
xL = xL XOR Pi
xR = F(xL) XOR xR
Swap xL and xR
After the sixteenth round, swap xL and xR again to undo the last swap.
Then, xR = xR XOR P17 and xL = xL XOR P18.
Finally, recombine xL and xR to get the ciphertext.

12) What makes cryptanalysis difficult and security of Blowfish unchallenged?

- Blowfish uses key-dependent S-boxes.
- Operations are performed on both halves of data.
- Blowfish uses a time-consuming subkey generation process, which makes
  it bad for rapid key switching, but makes brute force expensive.
- Perfect avalanche effect: a small change in the input plaintext will
  give an altogether different output. Thus cryptanalysis becomes
  very critical.

Q.13) Blowfish is not appropriate for applications with limited memory. Justify.

Blowfish is a variable-length key, 64-bit block cipher. The algorithm consists
of two parts: a key-expansion part and a data-encryption part. Key expansion
converts a key of at most 448 bits into several subkey arrays totaling 4168
bytes.
Data encryption occurs via a 16-round Feistel network. Each round consists of a
key-dependent permutation, and a key- and data-dependent substitution. All
operations are XORs and additions on 32-bit words. The only additional
operations are four indexed array data lookups per round.
The difficult part is only the computation to construct the P- and S-array from
the fractional part of pi. First, we need to know how to use the binary
exponential algorithm to find the d-th position of pi in hex. Used a file called
calpi.c to generate the hex one at a time.

Subkey and S-Box Generation

The key, ranging from 32 bits to 448 bits (1 to 14 32-bit words), is stored in a K-array:
K1, K2, …, Kj    1 ≤ j ≤ 14
The 18 32-bit subkeys are stored in the P-array:
P1, P2, …, P18
There are 4 S-boxes, each with 8x32 (= 256) 32-bit entries:
S1,0, S1,1, …, S1,255
S2,0, S2,1, …, S2,255
S3,0, S3,1, …, S3,255
S4,0, S4,1, …, S4,255
The P-array and then the 4 S-boxes are initialized with the fractional part of π:
P1 = 243F6A88 (hex)
P2 = 85A308D3 (hex)
•••
S4,254 = 578FDFE3 (hex)
S4,255 = 3AC372E6 (hex)

Subkey and S-Box Initialization

The P-array is XORed with the K-array (reusing the K-array if necessary):
P1 = P1 ⊕ K1, P2 = P2 ⊕ K2, …, Pj = Pj ⊕ Kj, Pj+1 = Pj+1 ⊕ K1, Pj+2 = Pj+2 ⊕ K2, …
Then update the P-array and S-boxes as follows:
P1, P2 = EP,S[0]
P3, P4 = EP,S[P1 || P2]
•••
P17, P18 = EP,S[P15 || P16]
S1,0, S1,1 = EP,S[P17 || P18]
•••
S4,254, S4,255 = EP,S[S4,252 || S4,253]
where EP,S[Y] is the ciphertext produced by encrypting
Y using Blowfish with the P and S arrays.
521 executions in total are required to produce the final P and S arrays.
Hence Blowfish is not appropriate for applications with limited memory.

Q.14) The Caesar cipher has no real importance where serious security is needed.
Comment.
The Caesar cipher involves replacing each letter of the alphabet with the letter
standing three places further down the alphabet. If it is known that a given
ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily performed:
Simply try all 25 possible keys.
Three important characteristics of this problem enabled us to use a brute-force
cryptanalysis:
- The encryption and decryption algorithms are known.
- There are only 25 keys to try.
- The language of the plaintext is known and easily recognizable.
Thus, the Caesar cipher has no real importance where serious security is needed.

Q.15) Distinguish between mono-alphabetic and poly-alphabetic ciphers. Give examples for each.

Monoalphabetic cipher:
- rather than just shifting the alphabet
- could shuffle (jumble) the letters arbitrarily
- each plaintext letter maps to a different random ciphertext letter
- hence key is 26 letters long

eg. Plaintext:  abcdefghijklmnopqrstuvwxyz
    Ciphertext: DKVQFIBJWPESCXHTMYAUOLRGZN

Polyalphabetic ciphers:
- improve security using multiple cipher alphabets
- make cryptanalysis harder with more alphabets to guess and flatter
  frequency distribution
- use a key to select which alphabet is used for each letter of the message
- use each alphabet in turn
- repeat from start after end of key is reached

eg. Transposition technique:
message: “meet me after the toga party”
m e m a t r h t g p r y
 e t e f e t e o a a t

ciphertext:
MEMATRHTGPRYETEFETEOAAT

Q.16) Explain transposition ciphers. How is it different from substitution ciphers? If
the cipher is keyed by a word “COMPUTER” and the plaintext is “Please
transferonemilliondollarstomyswissbankaccountssixtwotwo”. Obtain the ciphertext
by columnar transposition.

All the techniques examined so far involve the substitution of a ciphertext symbol
for a plaintext symbol. A very different kind of mapping is achieved by performing some
sort of permutation on the plaintext letters. This technique is referred to as a transposition
cipher.
The simplest such cipher is the rail fence technique, in which the plaintext is written
down as a sequence of diagonals and then read off as a sequence of rows. But this would be
trivial to cryptanalyze. A more complex scheme is to write the message in a rectangle, row
by row, and read the message off, column by column, but permute the order of the columns.
The order of the columns then becomes the key to the algorithm.

Key: COMPUTER
Plaintext: Please transferonemilliondollarstomyswissbankaccountssixtwotwo

C O M P U T E R
0 1 2 3 4 5 6 7
P L E A S E T R
A N S F E R O N
E M I L L I O N
D O L L A R S T
O M Y S W I S S
B A N K A C C O
U N T S S I X T
W O T W O

Seq.: 4 3 1 2 5 6 7 0
Output: SELAWASO AFLLSKSW LNMOMANO ESILYNTT ERIRICI
TOOSSCX RNNTSOT PAEDOBUW
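
The write-by-rows, read-by-columns procedure of this answer, as an added example that is not part of the original notes: the column read order is passed in explicitly and set to the Seq line above, and decryption handles the short last row. Function names are chosen here for illustration.

```python
def _check_order(read_order):
    if sorted(read_order) != list(range(len(read_order))):
        raise ValueError("read_order must be a permutation of the column indices")


def columns_of(plaintext, ncols):
    """Write the letters row by row under ncols columns; the last row may be short."""
    letters = [c for c in plaintext.upper() if "A" <= c <= "Z"]
    return ["".join(letters[c::ncols]) for c in range(ncols)]


def encrypt(plaintext, read_order):
    """Read the columns off in read_order, one space-separated group per column."""
    _check_order(read_order)
    cols = columns_of(plaintext, len(read_order))
    return " ".join(cols[c] for c in read_order)


def decrypt(ciphertext, read_order):
    """Rebuild the grid from the ciphertext length alone, then read it by rows."""
    _check_order(read_order)
    ct = ciphertext.replace(" ", "")
    ncols = len(read_order)
    full_rows, extra = divmod(len(ct), ncols)
    cols, pos = {}, 0
    for c in read_order:
        # The first `extra` columns hold one more letter than the others.
        height = full_rows + (1 if c < extra else 0)
        cols[c] = ct[pos:pos + height]
        pos += height
    out = []
    for r in range(full_rows + (1 if extra else 0)):
        for c in range(ncols):
            if r < len(cols[c]):
                out.append(cols[c][r])
    return "".join(out)


# Values taken from the answer above.
SEQ = [4, 3, 1, 2, 5, 6, 7, 0]
PLAINTEXT = "Please transferonemilliondollarstomyswissbankaccountssixtwotwo"

if __name__ == "__main__":
    ct = encrypt(PLAINTEXT, SEQ)
    print(ct)
    print(decrypt(ct, SEQ))
```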

Q.17) Explain the Model of Network Security with access Security Model.

A message is to be transferred from one party to another across some sort of
internet. The two parties, who are the principals in the transaction, must cooperate for the
exchange to take place.
Security aspects come into play when it is necessary or desirable to protect the
information transmission from an opponent who may present a threat to confidentiality,
authenticity, and so on. All the techniques for providing security have two components:
- A security-related transformation on the information to be sent. Examples include the
  encryption of the message, which scrambles the message so that it is unreadable by the
  opponent, and the addition of a code based on the contents of the message, which can be
  used to verify the identity of the sender.
- Some secret information shared by the two principals and, it is hoped, unknown to the
  opponent. An example is an encryption key used in conjunction with the transformation to
  scramble the message before transmission and unscramble it on reception.
A trusted third party may be needed to achieve secure transmission. For example, a
third party may be responsible for distributing the secret information to the two principals
while keeping it from any opponent. Or a third party may be needed to arbitrate disputes
between the two principals concerning the authenticity of a message transmission.
This general model shows that there are four basic tasks in designing a particular
security service:
1. Design an algorithm for performing the security-related transformation. The algorithm
should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.

Q.18) Explain Feistel Encryption and Decryption algorithm with proper
diagram of Block Cipher Principle.

Feistel Encryption algorithm:

Above Fig. depicts the structure proposed by Feistel. The inputs to the encryption algorithm
are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two
halves, L0 and R0. The two halves of the data pass through n rounds of processing and then
combine to produce the ciphertext block. Each round i has as inputs Li-1 and Ri-1, derived
from the previous round, as well as a subkey Ki derived from the overall K. In general the
subkeys Ki are different from K and from each other.
All rounds have the same structure. A substitution is performed on the left half of the
data. This is done by applying a round function F to the right half of the data and then taking
the exclusive-OR of the output of that function and the left half of the data. The round
function has the same general structure for each round but is parameterized by the round
subkey Ki. Following this substitution, a permutation is performed that consists of the
interchange of the two halves of the data. This structure is a particular form of the
substitution-permutation network (SPN) proposed by Shannon.
The exact realization of a Feistel network depends on the choice of the following
parameters and design features:
• block size - increasing size improves security, but slows cipher
• key size - increasing size improves security, makes exhaustive key searching harder,
but may slow cipher
• number of rounds - increasing number improves security, but slows cipher
• subkey generation algorithm - greater complexity can make analysis harder, but
slows cipher
• round function - greater complexity can make analysis harder, but slows cipher
• fast software en/decryption - more recent concern for practical use
• ease of analysis - for easier validation & testing of strength
Feistel Decryption Algorithm
The process of decryption with a Feistel cipher is essentially the same as the
encryption process.
The rule is as follows: use the ciphertext as input to the algorithm, but use the subkeys
Ki in reverse order. That is, use Kn in the first round, Kn-1 in the second round, and so on
until K1 is used in the last round. This is a nice feature because it means we need not
implement two different algorithms, one for encryption and one for decryption.
To see that the same algorithm with a reversed key order produces the
correct result, consider the figure below, which shows the encryption process going down the
left-hand side and the decryption process going up the right-hand side for a 16-round
algorithm (the result would be the same for any number of rounds). The notation LEi and REi
is used for data travelling through the encryption algorithm, and LDi and RDi for data
travelling through the decryption algorithm. The diagram indicates that, at every round, the
intermediate value of the decryption process is equal to the corresponding value of the
encryption process with the two halves of the value swapped. To put this another way, let
the output of the ith encryption round be LEi||REi (Li concatenated with Ri). Then the
corresponding input to the (16-i)th decryption round is REi||LEi or, equivalently,
RD(16-i)||LD(16-i).
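The reversed-subkey rule can be checked directly. The following is an added example, not part of the original notes: a 16-round Feistel network on 64-bit blocks whose round function and key schedule are toy stand-ins built from SHA-256 (assumptions, not DES). It also verifies the swapped-halves relation between encryption and decryption rounds described above.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def round_function(right: int, subkey: int) -> int:
    """Toy F (assumption): SHA-256 over right half and subkey, cut to 32 bits.
    F does not have to be invertible for the Feistel structure to decrypt."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def make_subkeys(key: bytes, rounds: int = ROUNDS) -> list:
    """Toy key schedule (assumption): derives the subkeys K1..Kn from K."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, rounds + 1)]


def feistel(block: int, subkeys: list, trace=None) -> int:
    """One pass over a 64-bit block, using the subkeys in the order given."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        # substitution on the left half, then interchange of the two halves
        left, right = right, left ^ round_function(right, k)
        if trace is not None:
            trace.append((left, right))
    return (right << 32) | left  # final swap of the halves


def encrypt(block: int, subkeys: list) -> int:
    return feistel(block, subkeys)


def decrypt(block: int, subkeys: list) -> int:
    # same algorithm, subkeys in reverse order: Kn, Kn-1, ..., K1
    return feistel(block, subkeys[::-1])


def halves_mirror(block: int, subkeys: list) -> bool:
    """Check (LDj, RDj) == (RE(n-j), LE(n-j)) for every intermediate round j."""
    enc, dec = [], []
    cipher = feistel(block, subkeys, enc)
    feistel(cipher, subkeys[::-1], dec)
    n = len(subkeys)
    return all(dec[j - 1] == (enc[n - j - 1][1], enc[n - j - 1][0])
               for j in range(1, n))


if __name__ == "__main__":
    keys = make_subkeys(b"constructed demo key")  # constructed sample key
    pt = 0x0123456789ABCDEF                       # constructed sample block
    ct = encrypt(pt, keys)
    print(f"{ct:016x}", decrypt(ct, keys) == pt, halves_mirror(pt, keys))
```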
Q.19) Explain RC5 algorithm with characteristics, parameters, primitives and
Encryption, decryption functions.
The characteristics of RC5 algorithm are as follows:
1. RC5 is a symmetric block cipher.
2. RC5 is suitable for hardware or software.
3. RC5 is fast.
4. RC5 is adaptable to processors of different word-lengths.
5. RC5 is iterative in structure, with a variable number of rounds.
6. RC5 has a variable-length cryptographic key.
7. RC5 is simple.
8. RC5 has a low memory requirement.
9. RC5 provides high security when suitable parameter values are
chosen.

The parameters of the RC5 algorithm are:

w   The word size, in bits; each word contains u = (w/8) 8-bit bytes. The nominal
    value of w is 32 bits; allowable values of w are 16, 32 and 64. RC5 encrypts
    two-word blocks: plaintext and ciphertext blocks are each 2w bits long.
r   The number of rounds. Also, the expanded key table S contains t = 2(r + 1)
    words. Allowable values of r are 0, 1, ..., 255.

In addition to w and r, RC5 has a variable-length secret cryptographic key,
specified by parameters b and K:

b   The number of bytes in the secret key K. Allowable values of b are
    0, 1, ..., 255.
K   The b-byte secret key: K[0], K[1], ..., K[b − 1].

RC5 uses only the following three primitive operations (and their
inverses):

1. Two’s complement addition of words, denoted by “+”. This is modulo-2^w
addition. The inverse operation, subtraction, is denoted “−”.
2. Bit-wise exclusive-OR of words, denoted by ⊕.
3. A left-rotation (or “left-spin”) of words: the cyclic rotation of word x
left by y bits is denoted x <<< y. Here y is interpreted modulo w, so that when
w is a power of two, only the lg(w) low-order bits of y are used to determine
the rotation amount. The inverse operation, right-rotation, is denoted x >>> y.

RC5 Encryption Function:

We assume that the input block is given in two w-bit registers A and B.
We also assume that key-expansion has already been performed, so that the
array S[0...t−1] has been computed. Here is the encryption algorithm in
pseudo-code:

    A = A + S[0];
    B = B + S[1];
    for i = 1 to r do
        A = ((A ⊕ B) <<< B) + S[2 * i];
        B = ((B ⊕ A) <<< A) + S[2 * i + 1];

The output is in the registers A and B.
We note the exceptional simplicity of this 5-line algorithm.
We also note that each RC5 round updates both registers A and B, whereas a
“round” in DES updates only half of its registers. An RC5 “half-round” (one of
the assignment statements updating A or B in the body of the loop above) is
thus perhaps more analogous to a DES round.

RC5 Decryption Function:

The decryption routine is easily derived from the encryption routine.

    for i = r downto 1 do
        B = ((B − S[2 * i + 1]) >>> A) ⊕ A;
        A = ((A − S[2 * i]) >>> B) ⊕ B;
    B = B − S[1];
    A = A − S[0];
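The two routines above translate almost line for line into working code. This is an added example, not part of the original notes: it implements the three primitives and the encryption and decryption functions for any word size w and round count r. Key expansion is not covered in this answer, so the table S is filled with constructed sample words (an assumption, not real RC5 key expansion).

```python
import random


def rotl(x: int, y: int, w: int) -> int:
    """x <<< y on a w-bit word; y is interpreted modulo w."""
    y %= w
    return ((x << y) | (x >> (w - y))) & ((1 << w) - 1)


def rotr(x: int, y: int, w: int) -> int:
    """x >>> y, the inverse of rotl."""
    y %= w
    return ((x >> y) | (x << (w - y))) & ((1 << w) - 1)


def rc5_encrypt(a: int, b: int, s: list, w: int, r: int):
    """Encrypt the two-word block (A, B) with expanded key table S."""
    mask = (1 << w) - 1            # "+" is addition modulo 2^w
    a = (a + s[0]) & mask
    b = (b + s[1]) & mask
    for i in range(1, r + 1):
        # each half-round rotates by an amount taken from the other register
        a = (rotl(a ^ b, b, w) + s[2 * i]) & mask
        b = (rotl(b ^ a, a, w) + s[2 * i + 1]) & mask
    return a, b


def rc5_decrypt(a: int, b: int, s: list, w: int, r: int):
    """Undo rc5_encrypt: same steps, inverted, in reverse order."""
    mask = (1 << w) - 1
    for i in range(r, 0, -1):
        b = rotr((b - s[2 * i + 1]) & mask, a, w) ^ a
        a = rotr((a - s[2 * i]) & mask, b, w) ^ b
    b = (b - s[1]) & mask
    a = (a - s[0]) & mask
    return a, b


def constructed_key_table(w: int, r: int, seed: int = 1) -> list:
    """Constructed stand-in for S with t = 2(r + 1) words.
    Assumption for the demo only; this is NOT the RC5 key expansion."""
    rng = random.Random(seed)
    return [rng.getrandbits(w) for _ in range(2 * (r + 1))]


def round_trip_ok(w: int, r: int, a: int, b: int) -> bool:
    s = constructed_key_table(w, r)
    return rc5_decrypt(*rc5_encrypt(a, b, s, w, r), s, w, r) == (a, b)


if __name__ == "__main__":
    for w in (16, 32, 64):         # the allowable word sizes
        print(w, round_trip_ok(w, 12, 1, (1 << w) - 1))
```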
Q.20) State characteristics of advanced symmetric block cipher.

• Variable key length
  e.g. Blowfish, RC5, CAST-128, RC2
• Expensive key schedule computation
  e.g. Blowfish
• Mixed operators
  More than one arithmetic and/or Boolean operator.
• Data independent rotation
  - provides excellent confusion and diffusion
  e.g. RC5
• Key dependent rotation
  e.g. CAST-128
• Operation on both halves each round
  e.g. IDEA, Blowfish, RC5
• Variable number of rounds
  e.g. RC5
• Variable plaintext / ciphertext block length
  e.g. RC5
• Key dependent S-boxes
  e.g. Blowfish
• Variable round function
  e.g. CAST-128

Q.21) What is cryptanalysis? Explain the various types of cryptanalytic attacks based
on the amount of information known to the cryptanalyst.
Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some
knowledge of the general characteristics of the plaintext or even some sample plaintext-
ciphertext pairs.
The various types of cryptanalytic attacks are classified by the amount of
information known to the cryptanalyst, from least to most. The most difficult problem is
presented when all that is available is the ciphertext only. In some cases, not even the
encryption algorithm is known, but in general we can assume that the opponent does know
the algorithm used for encryption. The other attacks follow as more information becomes
available. Generally, an encryption algorithm is designed to withstand a known-plaintext attack.
Various types of cryptanalytic attacks:
a. ciphertext only
   - only know algorithm & ciphertext, is statistical, know or can identify plaintext
b. known plaintext
   - know/suspect plaintext & ciphertext
c. chosen plaintext
   - select plaintext and obtain ciphertext
d. chosen ciphertext
   - select ciphertext and obtain plaintext
e. chosen text
   - select plaintext or ciphertext to en/decrypt
Brute-force attacks try every possible key on a piece of
ciphertext until an intelligible translation into plaintext is obtained. On
average, half of all possible keys must be tried to achieve success.

Q.22) Encrypt the following text as follows:-
IAMINSEVENTHSEM
• Using Playfair cipher, Key- EIGHT
• Using Transposition cipher (2-state Columnar Tech), Key- CLASS

Plaintext: IAMINSEVENTHSEM
Keyword: EIGHT
(i) By using Playfair cipher encryption method,
Plaintext: IAMINSEVENTHSEM
IA MI NS EV EN TH SE MX
Thus matrix can be constructed as,
E I G H T
A B C D F
K L M N O
P Q R S U
V W X Y Z

Plaintext - Ciphertext
IA - EB
MI - LG
NS - SY
EV - AE
EN - HK
TH - ET
SE - HP
MX - RG

Thus, the required ciphertext is EBLGSYAEHKETHPRG

(ii) By using transposition cipher (2-state Columnar Tech)
Key- CLASS
As there are 5 characters in the key, there are 5 columns.

State 1:

C1 C2 C3 C4 C5
i  a  m  i  n
s  e  v  e  n
t  h  s  e  m

As the key is CLASS, the alphabetical order of the columns will be
C3-C1-C2-C4-C5
Cipher text: mvs ist aeh iee nnm

State 2:

C1 C2 C3 C4 C5
m  v  s  i  s
t  a  e  h  i
e  e  n  n  m

As the key is CLASS, the alphabetical order of the columns will be
C3-C1-C2-C4-C5
Cipher text is: sen mte vae ihn sim
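The two-stage columnar transposition worked above can be reproduced in code. This is an added example, not part of the original notes; it goes slightly beyond the worked case by also decrypting and by handling messages whose length is not a multiple of the key length (the function names are assumptions).

```python
def column_order(key: str) -> list:
    """Column indices in alphabetical order of the key letters.
    Repeated letters (the two S in CLASS) keep their left-to-right order."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def encrypt_stage(text: str, key: str) -> str:
    """Write the text row by row under the key, read it off column by column."""
    cols = len(key)
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in column_order(key)
                   for row in rows if c < len(row))


def decrypt_stage(cipher: str, key: str) -> str:
    """Rebuild the columns from the ciphertext, then read row by row."""
    cols = len(key)
    full, extra = divmod(len(cipher), cols)
    columns, pos = {}, 0
    for c in column_order(key):
        # the first `extra` columns hold one more letter (short last row)
        n = full + (1 if c < extra else 0)
        columns[c] = cipher[pos:pos + n]
        pos += n
    return "".join(columns[c][r] for r in range(full + 1)
                   for c in range(cols) if r < len(columns[c]))


def encrypt(text: str, key: str, stages: int = 2) -> str:
    for _ in range(stages):
        text = encrypt_stage(text, key)
    return text


def decrypt(cipher: str, key: str, stages: int = 2) -> str:
    for _ in range(stages):
        cipher = decrypt_stage(cipher, key)
    return cipher


if __name__ == "__main__":
    print(column_order("CLASS"))                 # C3-C1-C2-C4-C5, zero-based
    print(encrypt_stage("iaminseventhsem", "CLASS"))
    print(encrypt("iaminseventhsem", "CLASS"))
```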

Q.23) What are block cipher modes of operation of DES? Explain any one mode in
detail.

The block cipher modes of operation of DES are
1. Electronic Code Book [ECB],
2. Cipher Block Chaining [CBC],
3. Output Feedback [OFB] and
4. Cipher Feedback [CFB]

Electronic Codebook (ECB) Mode. The Electronic Codebook (ECB) mode is defined as
follows (Figure 1). In ECB encryption, a plain text data block (D1,D2,...,D64) is used
directly as the DES input block (I1,I2,...,I64). The input block is processed through a
DES device in the encrypt state. The resultant output block (O1,O2,...,O64) is used directly
as cipher text (C1,C2,...,C64) or may be used in subsequent ADP applications.

In ECB decryption, a cipher text block (C1,C2,...,C64) is used directly as the DES input
block (I1,I2,...,I64). The input block is then processed through a DES device in the decrypt
state. The resultant output block (O1,O2,...,O64) is the plain text (D1,D2,...,D64) or may be
used in subsequent ADP applications.

The ECB decryption process is the same as the ECB encryption process except that the
decrypt state of the DES device is used rather than the encrypt state.

Q.24) State the different substitution encryption techniques and explain Caesar
cipher in details and convert plaintext to ciphertext of given sentences.
“Hardwork Makes Man perfect”.
The different substitution encryption techniques are as follows:
• Caesar cipher
• Monoalphabetic cipher
• Playfair cipher
• Hill cipher
• Polyalphabetic substitution cipher

Caesar cipher:
• The earliest known substitution cipher, by Julius Caesar
• First attested use in military affairs
• The Caesar cipher involves replacing each letter of the
  alphabet with the 3rd letter further down the alphabet
  example:
  meet me after the toga party
  PHHW PH DIWHU WKH WRJD SDUWB
• can define transformation as:
  abcdefghijklmnopqrstuvwxyz
  DEFGHIJKLMNOPQRSTUVWXYZABC
• mathematically give each letter a number
  a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
  0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
• then have Caesar cipher as:
  c = E(p) = (p + k) mod (26)
  p = D(c) = (c – k) mod (26)

plaintext : Hardwork Makes Man perfect

Ciphertext : kdvhasvo qdoiw qdr tivjigx

Q.25) Blowfish is not appropriate for applications with limited memory. Justify.

Blowfish is a variable-length key, 64-bit block cipher. The algorithm consists of
two parts: a key-expansion part and a data-encryption part. Key expansion converts a key
of at most 448 bits into several subkey arrays totaling 4168 bytes.
Data encryption occurs via a 16-round Feistel network. Each round consists of a key-
dependent permutation, and a key- and data-dependent substitution. All operations are
XORs and additions on 32-bit words. The only additional operations are four indexed array
data lookups per round. The only difficult part is the computation needed to construct the
P- and S-arrays from the fractional part of pi. First, we need to know how to use the binary
exponential algorithm to find the d-th position of pi in hex. A file called calpi.c was used
to generate the hex digits one at a time.

Subkey and S-Box Generation
The key, ranging from 32 bits to 448 bits (1 to 14 32-bit words), is stored in a K-array:
K1, K2, …, Kj    1 ≤ j ≤ 14
The 18 32-bit subkeys are stored in the P-array:
P1, P2, …, P18
There are 4 S-boxes, each with 8x32 (=256) 32-bit entries:
S1,0, S1,1, …, S1,255
S2,0, S2,1, …, S2,255
S3,0, S3,1, …, S3,255
S4,0, S4,1, …, S4,255
The P-array and then the 4 S-boxes are initialized with the fractional part of π:
P1 = 243F6A88 (hex)
P2 = 85A308D3 (hex)
•••
S4,254 = 578FDFE3 (hex)
S4,255 = 3AC372E6 (hex)

Subkey and S-Box Initialization
The P-array is XORed with the K-array (reusing the K-array if necessary):
P1 = P1 ⊕ K1, P2 = P2 ⊕ K2, …, Pj = Pj ⊕ Kj, Pj+1 = Pj+1 ⊕ K1, Pj+2 = Pj+2 ⊕ K2, …

Then update the P-array and S-boxes as follows:
P1, P2 = EP,S[0]
P3, P4 = EP,S[P1 || P2]
•••
P17, P18 = EP,S[P15 || P16]
S1,0, S1,1 = EP,S[P17 || P18]
•••
S4,254, S4,255 = EP,S[S4,252 || S4,253]
where EP,S[Y] is the ciphertext produced by encrypting Y using Blowfish with the
P and S arrays.
521 executions in total are required to produce the final P and S arrays.
Hence Blowfish is not appropriate for applications with limited memory.

Q.26) Explain the conventional cryptosystem model.

A message is to be transferred from one party to another across some sort of
internet. The two parties, who are the principals in the transaction, must cooperate for the
exchange to take place.
Security aspects come into play when it is necessary or desirable to protect the
information transmission from an opponent who may present a threat to confidentiality,
authenticity, and so on. All the techniques for providing security have two components:
• A security-related transformation on the information to be sent. Examples include the
  encryption of the message, which scrambles the message so that it is unreadable by the
  opponent, and the addition of a code based on the contents of the message, which can be
  used to verify the identity of the sender.
• Some secret information shared by the two principals and, it is hoped, unknown to the
  opponent. An example is an encryption key used in conjunction with the transformation to
  scramble the message before transmission and unscramble it on reception.
A trusted third party may be needed to achieve secure transmission. For example, a
third party may be responsible for distributing the secret information to the two principals
while keeping it from any opponent. Or a third party may be needed to arbitrate disputes
between the two principals concerning the authenticity of a message transmission.
This general model shows that there are four basic tasks in designing a particular
security service:

1. Design an algorithm for performing the security-related transformation. The algorithm
should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.

Q.27) What is linear and differential cryptanalysis?

Linear Cryptanalysis:
A more recent development is linear cryptanalysis. This attack is based on finding
linear approximations to describe the transformations performed in DES. This method can
find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for
differential cryptanalysis. Although this is a minor improvement, because it may be easier
to acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis
infeasible as an attack on DES. Again, this attack uses structure not seen before. So far,
little work has been done by other groups to validate the linear cryptanalytic approach.
The objective of linear cryptanalysis is to find an effective linear
equation relating some plaintext, ciphertext and key bits that holds with probability p ≠ 0.5,
as shown:
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
where ia, jb, kc are bit locations in P, C, K.

Once a proposed relation is determined, the procedure is to compute the results
of the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in
order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of info about
them. This is repeated for other equations and many pairs to derive some of the key bit
values. Because we are dealing with linear equations, the problem can be approached one
round of the cipher at a time, with the results combined.
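The procedure can be followed end to end on a cipher small enough to enumerate. This is an added example, not part of the original notes: the toy cipher c = S[p ⊕ k] on 4-bit blocks is an assumption made for illustration, with row 0 of DES S-box S1 as S, and its full 16-entry codebook plays the role of the known plaintext-ciphertext pairs.

```python
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]  # DES S1, row 0


def parity(x: int) -> int:
    """XOR of the bits of x, i.e. the 'sum' of the selected bit locations."""
    return bin(x).count("1") & 1


def toy_encrypt(p: int, k: int) -> int:
    """Toy one-round cipher (assumption): key mixing followed by the S-box."""
    return SBOX[(p ^ k) & 0xF]


def best_approximation():
    """Search the bit masks (a, b) for the relation a.X xor b.S(X) = 0 that
    holds for a number of inputs furthest from 8 of 16 (probability 0.5)."""
    best = (0, 0, 8)
    for a in range(1, 16):
        for b in range(1, 16):
            hits = sum(parity(x & a) == parity(SBOX[x] & b) for x in range(16))
            if abs(hits - 8) > abs(best[2] - 8):
                best = (a, b, hits)
    return best


def recover_key_bit(pairs, a: int, b: int, hits: int) -> int:
    """Evaluate P[...] xor C[...] over the known pairs and take the majority.
    With x = p xor k, the relation becomes a.P xor b.C = a.K."""
    zeros = sum((parity(p & a) ^ parity(c & b)) == 0 for p, c in pairs)
    majority = 0 if 2 * zeros > len(pairs) else 1
    # if the approximation holds less than half the time, the majority is inverted
    return majority if hits > 8 else majority ^ 1


if __name__ == "__main__":
    a, b, hits = best_approximation()
    key = 0b1011                                            # constructed sample key
    pairs = [(p, toy_encrypt(p, key)) for p in range(16)]   # known plaintext
    print(f"masks a={a:04b} b={b:04b} hold for {hits}/16 inputs")
    print("recovered bit:", recover_key_bit(pairs, a, b, hits),
          "actual:", parity(key & a))
```

Each approximation yields one bit of information about the key (the parity of the key bits selected by the mask), which is why the text repeats the step for other equations.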

Differential Cryptanalysis:
Biham & Shamir show that Differential Cryptanalysis can be successfully used to
cryptanalyse the DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen
plaintexts. They also demonstrated this form of attack on a variety of encryption algorithms
and hash functions.
Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as a T
attack), and influenced the design of the S-boxes and the permutation P to improve its
resistance to it. Compare DES’s security with the cryptanalysis of an eight-round
LUCIFER algorithm, which requires only 256 chosen plaintexts, versus an attack on an
eight-round version of DES, which requires 2^14 chosen plaintexts.
This attack is known as Differential Cryptanalysis because the analysis
compares differences between two related encryptions, and looks for a known difference
in leading to a known difference out with some (pretty small but still significant)
probability. If a number of such differences are determined, it is feasible to determine the
subkey used in the function f.
Shown here is the equation which shows how this removes the influence of the key, hence
enabling the analysis.

Q.28) Encrypt the following plaintext using Playfair cipher:-
Plaintext – WILLIAMSTALLING
Keyword – INFOTECH

Plaintext: WILLIAMSTALLING
Keyword: INFOTECH
(i) By using Playfair cipher encryption method,
Plaintext: WILLIAMSTALLING
WI LX LI AM ST AL XL IN GX
Thus matrix can be constructed as,

I N F O T
E C H A B
D G K L M
P Q R S U
V W X Y Z

Plaintext - Ciphertext
WI - VI
LX - KY
LI - DO
AM - BL
ST - UO
AL - LS
XL - YK
IN - TI
GX - VK

Thus, the required ciphertext is VIKYDOBLUOLSYKTIVK


Q.29) Explain Triple-DES algorithm with the help of encryption and decryption.

The possibility of known-plaintext attacks on triple DES with two keys has enticed some
applications to use triple DES with three keys. Triple DES with three keys is used by many
applications such as PGP.
C = EK3 (DK2 (EK1 (P)))
• No cryptographic significance to middle decrypt operation
• Backwards compatible with existing single DES (K1 = K2 = K3)
• Two-key triple DES (K1 = K3) or three-key triple DES
Security of Triple DES
• no known practical attacks
• brute force search impossible
• meet-in-the-middle attacks need 2^56 plaintext-ciphertext pairs per key
• a popular current alternative
• major disadvantage is speed (3x slower)
Q.30) Explain various types of Cryptanalytic attacks on security.

Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge
of the general characteristics of the plaintext or even some sample plaintext-ciphertext
pairs.
The various types of cryptanalytic attacks are classified by the amount of
information known to the cryptanalyst, from least to most. The most difficult problem is
presented when all that is available is the ciphertext only. In some cases, not even the
encryption algorithm is known, but in general we can assume that the opponent does know
the algorithm used for encryption. The other attacks follow as more information becomes
available. Generally, an encryption algorithm is designed to withstand a known-plaintext attack.
Various types of cryptanalytic attacks:
a. ciphertext only
   - only know algorithm & ciphertext, is statistical, know or can identify plaintext
b. known plaintext
   - know/suspect plaintext & ciphertext
c. chosen plaintext
   - select plaintext and obtain ciphertext
d. chosen ciphertext
   - select ciphertext and obtain plaintext
e. chosen text
   - select plaintext or ciphertext to en/decrypt
Brute-force attacks try every possible key on a piece of
ciphertext until an intelligible translation into plaintext is obtained. On
average, half of all possible keys must be tried to achieve success.

Q.31) “Poly-alphabetic ciphers are more secure than mono-alphabetic ciphers”. Comment.

Monoalphabetic cipher
• rather than just shifting the alphabet
• could shuffle (jumble) the letters arbitrarily
• each plaintext letter maps to a different random ciphertext letter
• hence key is 26 letters long

Plaintext: abcdefghijklmnopqrstuvwxyz
Ciphertext: DKVQFIBJWPESCXHTMYAUOLRGZN

Polyalphabetic ciphers:
• improve security using multiple cipher alphabets
• make cryptanalysis harder with more alphabets to guess and flatter frequency
  distribution
• use a key to select which alphabet is used for each letter of the message
• use each alphabet in turn
• repeat from start after end of key is reached

Therefore polyalphabetic ciphers are more secure than monoalphabetic ciphers.

Q.32) Sort out the difference between substitution technique and transposition
technique with example.

Substitution technique:
Substitution ciphers form the first of the fundamental building blocks. The core
idea is to replace one basic unit (letter/byte) with another.
Examples: Playfair cipher, Caesar cipher, Hill cipher

Playfair cipher:
A way is needed to reduce the "spikiness" of natural language text, since if
one letter is always mapped to another, the frequency distribution is just shuffled.
One approach is to encrypt more than one letter at once. The Playfair cipher is an
example of doing this.
The best-known multiple-letter encryption cipher is the Playfair, which
treats digrams in the plaintext as single units and translates these units into
ciphertext digrams. The Playfair algorithm is based on the use of a 5x5 matrix of
letters constructed using a keyword. The rules for filling in this 5x5 matrix are: left to
right, top to bottom, first with the keyword after duplicate letters have been removed, and
then with the remaining letters, with I/J used as a single letter.

eg. using the keyword EIGHT

E I G H T
A B C D F
K L M N O
P Q R S U
V W X Y Z

Transposition technique:
A very different kind of mapping is achieved by performing some sort of
permutation on the plaintext letters. This technique is referred to as a transposition
cipher, and forms the second basic building block of ciphers. The core idea is to
rearrange the order of basic units (letters/bytes/bits) without altering their actual
values.
The simplest such cipher is the rail fence technique, in which the
plaintext is written down as a sequence of diagonals and then read off as a sequence
of rows.
The example message is: "meet me after the toga party" with a rail fence of depth 2.
This sort of thing would be trivial to cryptanalyze.

e.g. write message out as:
m e m a t r h t g p r y
 e t e f e t e o a a t
giving ciphertext
MEMATRHTGPRYETEFETEOAAT
