Cryptography and Network Security

The document discusses cryptography and network security. It covers symmetric cipher models, substitution and transposition techniques, rotor machines, steganography, DES, block cipher principles, and block cipher modes of operation. It then discusses security basics, threats in network security such as disclosure and contamination of information, unauthorized use of resources, goals of computer security including integrity and confidentiality. It also covers security architecture, security attacks including passive and active attacks, and security services including authentication, access control, data confidentiality, data integrity, and nonrepudiation.

Uploaded by

Vidhya Mohanan

CRYPTOGRAPHY AND NETWORK SECURITY

MODULE I

Symmetric Cipher Models- Substitution techniques- Transposition techniques-

Rotor machines-Steganography. Simplified DES- Block Cipher principles- The Data

Encryption Standard, Strength of DES- Differential and linear Cryptanalysis. Block

Cipher Design principles- Block Cipher modes of operations.

1. INTRODUCTION
Security basics

• Security refers to any measures taken to protect something. Examples of security
in the real world include locks on doors, alarms in our cars, and police officers.
• Computer security is a field of computer science concerned with the control of
risks related to computer use. It describes the methods of protecting the integrity of
data stored on a computer. In computer security the measures taken are focused
on securing individual computer hosts.
• Network security consists of the provisions made in an underlying computer
network infrastructure, the policies adopted by the network administrator to protect
the network and the network-accessible resources from unauthorized access, and
the effectiveness (or lack) of these measures combined together. It starts from
authenticating any user. Once authenticated, a firewall enforces access policies such
as what services are allowed to be accessed by the network users. Even though it
prevents unauthorized access, a firewall may fail to check harmful content such as
computer worms being transmitted over the network. An intrusion prevention
system (IPS) helps detect and prevent such malware.

1.1 THREATS IN NETWORK SECURITY

The following describe the general threats to the security of distributed systems.

• Disclosure of information
o Organizations maintain valuable information on their computer systems. This
information may be used by other parties in such a way as to damage the interests
of the organization owning the information. Therefore information stored on or
processed by computer systems must be protected against disclosure both internal
and external to the user organization.
• Contamination of information
o Valuable information may become worthless if unauthorized information is mixed
with it. The damage may be as great as the damage through information
disclosure.
• Unauthorized use of resources
o Unauthorized use of resources may lead to destruction, modification, loss of
integrity etc. of resources; the authorization of individual users must therefore be
limited.
• Misuse of resources
o Authorized use of resources may give authorized individuals the opportunity to
perform activities that are harmful to the organization. Misuse of resources,
intentional or accidental, may be harmful to the organization through corruption,
destruction, disclosure, loss or removal of resources. Such misuse may affect the
liability of an organization for information entrusted to it or for transactions and
information exchanged with other organizations.
• Unauthorized information flow
o In a distributed system, information flow must be controlled not only between
users of end-systems but also between end-systems. Depending on the prevailing
security policy, information flow restrictions may be applied on the basis of
classification of data objects and end-systems, user clearances, etc.
• Repudiation of information flow
o Repudiation of information flow involves denial of transmission or receipt of
messages. Since such messages may carry purchasing agreements, instructions for
payment etc., the scope for criminal repudiation of such messages is considerable.
• Denial of service
o Because of the wide range of services performed with the aid of computer
systems, denial of service may significantly affect the capability of a user
organisation to perform its functions and to fulfill its obligations. Detection and
prevention of denial of service must be considered as part of any security policy.

Goals of Computer Security

• Integrity: guarantee that the data is what we expect
• Confidentiality: the information must be accessible only to authorized people
• Authentication: guarantee that only authorized persons can access the resources

1.2) Security Architecture for OSI

• ITU-T Recommendation X.800, Security Architecture for OSI, defines a systematic way
to
o define the requirements for security
o characterize the approaches to satisfying those requirements
• ITU-T – International Telecommunication Union Telecommunication Standardization
Sector
• OSI – Open Systems Interconnection
• The OSI security architecture focuses on:

o Security attack: any action that compromises the security of information owned by
an organization (or a person)

o Security mechanism: a mechanism that is designed to detect, prevent, or recover from
a security attack

o Security service: a service that enhances the security of the data processing systems
and the information transfers of an organization. The services make use of one or more
security mechanisms to provide the service.

1.3) SECURITY ATTACKS

Any action that compromises the security of information is called a security attack. Some of the
common security attacks are given below.

• Passive attack: aims to learn or make use of information from the system but does not
affect system resources.

• Active attack: attempts to alter system resources or affect their operation.

Attacks can be active or passive.

Passive Attacks
• goal is to obtain information
• no modification of content or fabrication
• eavesdropping to learn contents or other information (transfer patterns, traffic
flows etc.)
• two types:
o release of message contents
o traffic analysis

Release of message contents:
• the contents of the messages are released, against our wish, to someone else.

Traffic analysis:
• monitoring the transmission of communication.

Active Attacks

• modification of content and/or participation in communication in order to:
• four types:
o impersonate legitimate parties (masquerade)
o replay or retransmit
o modify the content in transit
o launch denial of service attacks

Masquerade: one entity pretends to be a different entity.

Replay: the attacker captures a sequence of events or some data units and resends them.

Alteration: a change to the original message.

DoS: prevents legitimate users from accessing some services.


1.4) SECURITY SERVICES

A security service is a service which ensures adequate security of the systems or of data transfers.

Recommendation X.800 divides security services into 5 categories:

• Authentication
• Access control
• Data confidentiality
• Data integrity
• Nonrepudiation

1. Authentication
Corroboration of the identity of an entity. Two specific authentication services are
defined in the standard.
Peer Entity Authentication: -
Used in association with a logical connection to provide confidence in the identity
of the entities connected.
Data Origin Authentication: -
In connectionless transfer, provides assurance that the source of received data is
as claimed.

2. Access control

In the context of network security, access control is the ability to limit and control
the access to host systems and applications via communication links. To achieve this, each
entity trying to gain access must first be identified, or authenticated, so that access rights
can be tailored to the individual.

3. Data confidentiality

The protection of data from unauthorized disclosure. Four specific services of
confidentiality are:
Connection Confidentiality: -
The protection of all user data on a connection.
Connectionless Confidentiality: -
The protection of all user data in a single data block.
Selective Field Confidentiality: -
The confidentiality of selected fields within the user data on a connection or in a
single data block.
Traffic-flow Confidentiality: -
The protection of information that might be derived from observation of traffic
flows.

4. Data integrity

The assurance that data received is exactly as sent by an authorized entity, that is,
with no modification, insertion, deletion or replay. There are five specific
services.
Connection Integrity With Recovery: -
Provides for the integrity of all user data on a connection and detects any
modification, insertion, deletion or replay of any data within an entire data
sequence, with recovery attempted.
Connection Integrity Without Recovery: -
As above, but provides only detection without recovery.
Selective-Field Connection Integrity: -
Provides for the integrity of selected fields within the user data of a data block
transferred over a connection and takes the form of determination of whether the
selected fields have been modified, inserted, deleted or replayed.
Connectionless Integrity: -
Provides for the integrity of a single connectionless data block and may take the
form of detection of data modification. Additionally, a limited form of replay
detection may be provided.
Selective-Field Connectionless Integrity: -
Provides for the integrity of selected fields within a single connectionless data
block; takes the form of determination of whether the selected fields have been
modified.

5. Non-repudiation: -
Provides protection against denial by one of the entities involved in a communication of
having participated in all or part of the communication. There are two specific
non-repudiation services.
Non-repudiation, Origin: -
Proof that the message was sent by the specified party.
Non-repudiation, Destination: -
Proof that the message was received by the specified party.

1.5) BASIC TERMINOLOGIES

SYMMETRIC CIPHER MODEL

• Plaintext: original message to be encrypted
• Ciphertext: the encrypted message
• Enciphering or encryption: the process of converting plaintext into ciphertext
• Encryption algorithm: performs encryption
o Two inputs: a plaintext and a secret key
• Deciphering or decryption: recovering plaintext from ciphertext
• Decryption algorithm: performs decryption
o Two inputs: ciphertext and secret key
• Secret key: same key used for encryption and decryption
o Also referred to as a symmetric key
• Cipher or cryptographic system: a scheme for encryption and decryption
• Cryptography: science of studying ciphers
• Cryptanalysis: science of studying attacks against cryptographic systems
• Cryptology: cryptography + cryptanalysis
• A symmetric encryption scheme has five ingredients:
o Plaintext: the original message
o Encryption algorithm: performs various substitutions and transformations
on the plaintext
o Secret key: input to the encryption algorithm, independent of plaintext
and algorithm
o Ciphertext: the scrambled message produced as output
o Decryption algorithm: the encryption algorithm run in reverse. It takes the
ciphertext and the secret key and produces the original plaintext

Simplified Model of Conventional Encryption

• also called conventional / secret-key / single-key encryption
• sender and recipient share a common key
• all classical encryption algorithms are symmetric
• the only type of cipher prior to the invention of asymmetric-key ciphers in the 1970s
• by far the most widely used
• Mathematically:

Y = E_K(X) or Y = E(K, X)

X = D_K(Y) or X = D(K, Y)

X = plaintext, Y = ciphertext, K = secret key

E = encryption algorithm, D = decryption algorithm

Both E and D are known to the public.

• Two requirements for secure use of symmetric encryption:
o a strong encryption algorithm
o a secret key known only to sender / receiver

Y = E_K(X)
X = D_K(Y)

• Ciphers can be characterized by:
o type of encryption operations used: substitution / transposition / product
o number of keys used: single-key or private / two-key or public
o way in which plaintext is processed: block / stream

Cryptanalysis

Objective: to recover the plaintext of a ciphertext or, more typically, to recover the secret
key.

• Two general approaches:
– brute-force attack
– non-brute-force attack (cryptanalytic attack)

Brute-Force Attack

• Try every key to decipher the ciphertext.
• On average, need to try half of all possible keys.
• Time needed is proportional to the size of the key space.

Cryptanalytic Attacks

• May be classified by how much information the attacker needs:
o Ciphertext-only attack
o Known-plaintext attack
o Chosen-plaintext attack
o Chosen-ciphertext attack
o Chosen text

1. Ciphertext-only attack
Cryptanalyst knows:
• Encryption algorithm
• Ciphertext
2. Known-plaintext attack
Cryptanalyst knows:
• Encryption algorithm
• Ciphertext
• One or more plaintext-ciphertext pairs formed with the secret key
3. Chosen-plaintext attack
Cryptanalyst knows:
• Encryption algorithm
• Ciphertext
• Plaintext message chosen by the cryptanalyst, together with its corresponding
ciphertext generated with the secret key

4. Chosen-ciphertext attack
Cryptanalyst knows:
• Encryption algorithm
• Ciphertext
• Ciphertext chosen by the cryptanalyst, together with its corresponding
decrypted plaintext generated with the secret key

5. Chosen text
Cryptanalyst knows:
• Encryption algorithm
• Ciphertext
• Plaintext message chosen by the cryptanalyst, together with its corresponding
ciphertext generated with the secret key
• Ciphertext chosen by the cryptanalyst, together with its corresponding
decrypted plaintext generated with the secret key

More Definitions
• Unconditional security
o no matter how much computing power is available, the cipher cannot be broken,
since the ciphertext provides insufficient information to uniquely determine the
corresponding plaintext
• Computational security
o the cost of breaking the cipher exceeds the value of the encrypted information, or
o the time required to break the cipher exceeds the useful lifetime of the information

Classical Ciphers

• Plaintext is viewed as a sequence of elements (e.g., bits or characters)
• Substitution cipher: replacing each element of the plaintext with another element.
• Transposition (or permutation) cipher: rearranging the order of the elements of the
plaintext.
• Product cipher: using multiple stages of substitutions and transpositions

SUBSTITUTION TECHNIQUES

• where letters of plaintext are replaced by other letters or by numbers or symbols
• or, if plaintext is viewed as a sequence of bits, then substitution involves replacing
plaintext bit patterns with ciphertext bit patterns

1. Caesar Cipher
– earliest known substitution cipher
– invented by Julius Caesar
– each letter is replaced by the letter three positions further down the alphabet.
– Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
  Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
– example:
o meet me after the toga party
o PHHW PH DIWHU WKH WRJD SDUWB
– Mathematically, map letters to numbers:

a, b, c, ..., x, y, z
0, 1, 2, ..., 23, 24, 25

– Then the general Caesar cipher is:

c = E_k(p) = (p + k) mod 26
p = D_k(c) = (c – k) mod 26

– For each letter there are 25 possible replacements.
– Key space: {0, 1, ..., 25}
– Vulnerable to brute-force attacks: only 25 non-trivial keys need to be tried.
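The shift cipher and its exhaustive key search, as an added example (not code from the original notes). It reproduces the "meet me after the toga party" example above and then tries all 25 non-trivial keys, ranking the candidates with a crude English-likeness score; the score function and its letter set are my own assumption, not something the notes specify.

```python
import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext: str, k: int) -> str:
    """c = (p + k) mod 26 for each letter; non-letters pass through unchanged."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = (c - k) mod 26; decryption is encryption with the negated key."""
    return caesar_encrypt(ciphertext, -k).lower()


# Crude English-likeness score (assumption): fraction of letters that are among
# the nine most common English letters. Good enough to rank 25 candidates.
COMMON = set("etaoinshr")


def english_score(text: str) -> float:
    letters = [c for c in text.lower() if c in ALPHABET]
    if not letters:
        return 0.0
    return sum(1 for c in letters if c in COMMON) / len(letters)


def brute_force(ciphertext: str):
    """Try every non-trivial shift (key 0 is the identity) and rank the 25
    candidate plaintexts, best English-likeness first."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]
    candidates.sort(key=lambda kc: english_score(kc[1]), reverse=True)
    return candidates


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)
    for k, pt in brute_force(ct)[:5]:
        print(k, round(english_score(pt), 2), pt)
```

Because the key space has only 26 elements, the brute-force search is instant; the scoring step only exists to spare the reader from eyeballing 25 candidates.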
2. Monoalphabetic Substitution Cipher
– Shuffle the letters and map each plaintext letter to a different random ciphertext
letter
– Plain:  abcdefghijklmnopqrstuvwxyz
  Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
– Plaintext:  ifwewishtoreplaceletters
  Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
– Now we have a total of 26! ≈ 4 × 10^26 keys.
– With so many keys, it is secure against brute-force attacks.
– But it is not secure against some cryptanalytic attacks.
– The problem is language characteristics.
– Human languages are not random.
– Letters are not equally frequently used.
– In English, E is by far the most common letter, followed by T, R, N, I, O, A, S.
– Other letters like Z, J, K, Q, X are fairly rare.
– There are tables of single, double and triple letter frequencies for various languages.
– Key concept: monoalphabetic substitution does not change relative letter
frequencies.
– To attack, we
o calculate letter frequencies for the ciphertext
o compare this distribution against the known one

Example: given ciphertext:

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

o count relative letter frequencies (see text)
o guess P and Z are e and t
o guess ZW is th and hence ZWP is the
o proceeding with trial and error, finally get:

Plaintext:

it was disclosed yesterday that several informal but direct contacts have been made
with political representatives of the viet cong in Moscow
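The frequency-counting step of the attack described above, run over the ciphertext quoted in the notes, as an added example that is not part of the original. The English frequency table is the commonly tabulated approximation (my inclusion, not from the notes); the digram count is what supports the "ZW is th" guess.

```python
from collections import Counter

# Approximate relative frequency (%) of letters in English text, as commonly tabulated.
ENGLISH_FREQ = {
    'e': 12.7, 't': 9.1, 'a': 8.2, 'o': 7.5, 'i': 7.0, 'n': 6.7, 's': 6.3, 'h': 6.1,
    'r': 6.0, 'd': 4.3, 'l': 4.0, 'c': 2.8, 'u': 2.8, 'm': 2.4, 'w': 2.4, 'f': 2.2,
    'g': 2.0, 'y': 2.0, 'p': 1.9, 'b': 1.5, 'v': 1.0, 'k': 0.8, 'j': 0.2, 'x': 0.2,
    'q': 0.1, 'z': 0.1,
}

# The ciphertext quoted in the section above (a monoalphabetic substitution of English).
CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)


def letter_frequencies(text: str):
    """(letter, relative frequency in %) pairs, most common first; ties alphabetical."""
    letters = [c for c in text.upper() if c.isalpha()]
    counts = Counter(letters)
    total = len(letters)
    return sorted(((c, 100.0 * n / total) for c, n in counts.items()),
                  key=lambda p: (-p[1], p[0]))


def digram_counts(text: str) -> Counter:
    """Counts of adjacent letter pairs; a frequent pair is a candidate for 'th'."""
    letters = "".join(c for c in text.upper() if c.isalpha())
    return Counter(letters[i:i + 2] for i in range(len(letters) - 1))


def initial_guess(text: str) -> dict:
    """Map ciphertext letters, in frequency order, onto English letters in frequency
    order. Only the top few positions are reliable; the rest is trial and error."""
    ct_order = [c for c, _ in letter_frequencies(text)]
    en_order = [c for c, _ in sorted(ENGLISH_FREQ.items(), key=lambda p: -p[1])]
    return dict(zip(ct_order, en_order))


def apply_mapping(text: str, mapping: dict) -> str:
    """Substitute using a (partial) mapping; unmapped letters are shown in lower case."""
    return "".join(mapping.get(c, c.lower()) if c.isalpha() else c for c in text.upper())


if __name__ == "__main__":
    for letter, pct in letter_frequencies(CIPHERTEXT)[:6]:
        print(f"{letter} {pct:5.2f}%")
    print(digram_counts(CIPHERTEXT).most_common(5))
    print(apply_mapping(CIPHERTEXT, {'P': 'e', 'Z': 't', 'W': 'h'}))
```

The top two ciphertext letters (P at 13.33 %, Z at 11.67 %) match the notes' guess of e and t, and ZW is the most repeated digram, which is why the trigram ZWP is read as "the".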

3. Playfair Cipher
– Not even the large number of keys in a monoalphabetic cipher provides
security.
– One approach to improving security was to encrypt multiple letters at once.
– The Playfair cipher is an example.
– Invented by Charles Wheatstone in 1854, but named after his friend Baron
Playfair.

• Playfair Key Matrix
– A 5×5 matrix of letters based on a keyword
– Fill in the letters of the keyword.
– Fill the rest of the matrix with the other letters (I and J share a cell).
– For example, using the keyword MONARCHY:

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

• Encrypting and Decrypting

Plaintext is encrypted two letters at a time:

1. If a pair is a repeated letter, insert a filler like 'x', e.g., "balloon"
encrypts as "ba lx lo on".

2. If both letters fall in the same row, replace each with the letter to its right
(wrapping back to the start from the end), e.g., "ar" encrypts as "RM".

3. If both letters fall in the same column, replace each with the letter
below it (again wrapping to the top from the bottom), e.g., "mu" encrypts
to "CM".

4. Otherwise each letter is replaced by the one in its own row in the
column of the other letter of the pair, e.g., "hs" encrypts to "BP",
and "ea" to "IM" or "JM".

Decrypting the Playfair cipher is as simple as doing the same process in reverse.
The receiver has the same key, can create the same key table, and can then decrypt
any messages made using that key.

• Security

– Security is much improved over monoalphabetic.
– It has 26 × 26 = 676 digrams.
– Would need a 676-entry frequency table to analyse (versus 26 for
monoalphabetic), and correspondingly more ciphertext.
– It was widely used for many years by the US and British military in WW1.
– It can be broken given a few hundred letters, since the ciphertext still retains much of the
plaintext structure.

4. Polyalphabetic Ciphers

– Another approach to improving security is to use multiple cipher
alphabets.
– These are called polyalphabetic substitution ciphers.
– Makes cryptanalysis harder, with more alphabets to guess and a flatter
frequency distribution.
– Use a key to select which alphabet is used for each letter of the message.
– Use each alphabet in turn.
– Repeat from the start after the end of the key is reached.

Vigenère table

Vigenère Cipher

• simplest polyalphabetic substitution cipher
• effectively multiple Caesar ciphers
• key is multiple letters long: K = k1 k2 ... kd
• the ith letter specifies the ith alphabet to use
• use each alphabet in turn
• repeat from the start after d letters in the message
• decryption simply works in reverse

Example of Vigenère Cipher

• write the plaintext out
• write the keyword repeated above it
• use each key letter as a Caesar cipher key
• encrypt the corresponding plaintext letter
• e.g., using keyword deceptive:

key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

• the reverse process is used for decryption

Security of Vigenère Ciphers

• have multiple ciphertext letters for each plaintext letter
• hence letter frequencies are obscured
• but not totally lost
• start with letter frequencies
• see if monoalphabetic or not
• if not, then need to determine the number of alphabets, since then we can
attack each alphabet (a single Caesar cipher) separately
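An added example (not from the notes) covering both the worked "deceptive" encryption above and the "determine the number of alphabets" step. For the second part it uses the Kasiski test, which the notes do not name: repeated n-grams in the ciphertext tend to come from the same plaintext encrypted under the same key positions, so the distances between repeats are multiples of the key length. In the notes' own ciphertext the trigram VTW occurs twice, 9 positions apart, and 9 is the length of "deceptive".

```python
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord('a')


def vigenere(text: str, key: str, encrypt: bool = True) -> str:
    """Each key letter is a Caesar shift applied in turn; decryption subtracts instead."""
    letters = [c for c in text.lower() if c.isalpha()]
    key = key.lower()
    out = []
    for i, ch in enumerate(letters):
        shift = ord(key[i % len(key)]) - A
        if not encrypt:
            shift = -shift
        out.append(chr((ord(ch) - A + shift) % 26 + A))
    return "".join(out).upper()


def repeated_sequence_spacings(ciphertext: str, n: int = 3) -> dict:
    """Kasiski step: for every n-gram that repeats, the distances between its
    occurrences. The key length should divide (most of) these distances."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    spacings = {}
    for gram, idx in positions.items():
        if len(idx) > 1:
            spacings[gram] = [j - i for i, j in zip(idx, idx[1:])]
    return spacings


def key_length_candidate(ciphertext: str, n: int = 3) -> int:
    """gcd of all repeat spacings (0 when nothing repeats). On short texts a chance
    repeat can shrink the gcd, so treat the result as a candidate, not a proof."""
    all_spacings = [d for ds in repeated_sequence_spacings(ciphertext, n).values() for d in ds]
    return reduce(gcd, all_spacings, 0)


if __name__ == "__main__":
    ct = vigenere("wearediscoveredsaveyourself", "deceptive")
    print(ct)                                      # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(repeated_sequence_spacings(ct))          # {'VTW': [9]}
    print(key_length_candidate(ct))                # 9
    print(vigenere(ct, "deceptive", encrypt=False))
```

Once the period d is known, every d-th ciphertext letter belongs to one Caesar alphabet, and the frequency analysis from the monoalphabetic section recovers each key letter separately.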

Variants of Vigenère Cipher

There are two special cases of the Vigenère cipher:

• The keyword length is the same as the plaintext message. This
case is called the Vernam cipher. It is more secure than the
typical Vigenère cipher.

• When that key is also truly random and never reused, the Vigenère cipher becomes a
cryptosystem with perfect secrecy, which is called the one-time pad.

Vernam Cipher

Vernam proposed a bit-wise exclusive-or of the message stream with a truly random
zero-one stream which was shared by sender and recipient.

Example:
Plaintext: HELLO (corresponding values 7 4 11 11 14)

Key: NCBTA (corresponding values 13 2 1 19 0)

Encryption

PT:   H   E   L   L   O
      7   4  11  11  14
KEY:  N   C   B   T   A
     13   2   1  19   0
XOR ---------------------
     20   6  12  30  14
CT:   U   G   M   E   O

Decryption

CT:   U   G   M   E   O
     20   6  12  30  14
KEY:  N   C   B   T   A
     13   2   1  19   0
XOR ---------------------
      7   4  11 -15  14
PT:   H   E   L   L   O

This cipher is unbreakable in a very strong sense. The intuition is that any message
can be transformed into any ciphertext (of the same length) by some key, and all
transformations are equally likely.
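An added example, not part of the notes, showing the bit-wise XOR pad Vernam actually proposed and the "any message maps to any ciphertext" intuition. One caveat for the table above: its arithmetic is letter addition and subtraction modulo 26 (30 ≡ 4 = E, −15 ≡ 11 = L), not a bit-wise XOR of the letter values; the block implements both so the difference is visible. The sample message and fixed key are constructed for the test.

```python
import secrets


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Bit-wise XOR of the message with a key stream at least as long as the message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt   # XOR is its own inverse: (p ^ k) ^ k == p


def fresh_key(n: int) -> bytes:
    """Truly random and used once: the two conditions the unbreakability proof needs."""
    return secrets.token_bytes(n)


def key_that_decrypts_to(ciphertext: bytes, desired_plaintext: bytes) -> bytes:
    """Perfect secrecy made concrete: for ANY plaintext of the same length there is
    exactly one key that maps this ciphertext to it, so the ciphertext alone gives
    an attacker nothing to prefer one plaintext over another."""
    if len(ciphertext) != len(desired_plaintext):
        raise ValueError("lengths must match")
    return bytes(c ^ p for c, p in zip(ciphertext, desired_plaintext))


def letters_mod26(text: str, key: str, encrypt: bool = True) -> str:
    """The arithmetic the worked table above really performs: A..Z as 0..25,
    key value added (or subtracted) modulo 26."""
    out = []
    for t, k in zip(text.upper(), key.upper()):
        shift = ord(k) - 65
        if not encrypt:
            shift = -shift
        out.append(chr((ord(t) - 65 + shift) % 26 + 65))
    return "".join(out)


def xor_values(text: str, key: str):
    """What a genuine bit-wise XOR of the table's letter values gives instead."""
    return [(ord(t) - 65) ^ (ord(k) - 65) for t, k in zip(text.upper(), key.upper())]


if __name__ == "__main__":
    print(letters_mod26("HELLO", "NCBTA"))            # UGMEO, as in the table
    print(xor_values("HELLO", "NCBTA"))               # [10, 6, 10, 24, 14]
    key = fresh_key(6)
    ct = otp_encrypt(b"attack", key)
    other = key_that_decrypts_to(ct, b"retire")       # a different, equally valid key
    print(otp_decrypt(ct, other))                     # b'retire'
```

The last three lines are the whole security argument: the same ciphertext decrypts to "attack" under one key and to "retire" under another, and with a uniformly random key both are equally likely.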
5. Hill Cipher

• The Hill cipher uses matrices to transform blocks of plaintext letters into blocks of
ciphertext.
• Encryption:
o Assign each letter an index (a = 0, ..., z = 25)
o C = K P mod 26
o Matrix K is the key
• Decryption:
o P = K⁻¹ C mod 26, where K⁻¹ is the inverse of K modulo 26
• An example for the Hill cipher is added in the next file
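Since the worked example the notes refer to is in another file, here is an added one (my code, not the notes'), using a 2×2 key so that the modular matrix inverse can be written out by hand: K⁻¹ = det(K)⁻¹ · adj(K) mod 26. The key matrix is a constructed example; a key whose determinant shares a factor with 26 has no inverse and is rejected.

```python
def modinv(a: int, m: int = 26) -> int:
    """Multiplicative inverse of a modulo m; exists only when gcd(a, m) == 1."""
    a %= m
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {m}: key matrix is not invertible")


def inverse_2x2(k):
    """K^-1 mod 26 = det(K)^-1 * adjugate(K) mod 26."""
    (a, b), (c, d) = k
    det_inv = modinv(a * d - b * c)
    return [[(d * det_inv) % 26, (-b * det_inv) % 26],
            [(-c * det_inv) % 26, (a * det_inv) % 26]]


def mat_vec(k, v):
    """K times a column vector of two letter indices, reduced mod 26."""
    return [(k[0][0] * v[0] + k[0][1] * v[1]) % 26,
            (k[1][0] * v[0] + k[1][1] * v[1]) % 26]


def hill_encrypt(plaintext: str, k) -> str:
    """C = K P mod 26, two letters per block; odd-length input is padded with X."""
    letters = [ord(c) - 65 for c in plaintext.upper() if c.isalpha()]
    if len(letters) % 2:
        letters.append(ord('X') - 65)
    out = []
    for i in range(0, len(letters), 2):
        out.extend(mat_vec(k, letters[i:i + 2]))
    return "".join(chr(n + 65) for n in out)


def hill_decrypt(ciphertext: str, k) -> str:
    """P = K^-1 C mod 26: decryption is encryption with the inverse key."""
    return hill_encrypt(ciphertext, inverse_2x2(k))


if __name__ == "__main__":
    K = [[3, 3], [2, 5]]               # constructed key; det = 9, gcd(9, 26) = 1
    print(inverse_2x2(K))              # [[15, 17], [20, 9]]
    print(hill_encrypt("HELP", K))     # HIAT
    print(hill_decrypt("HIAT", K))     # HELP
```

Checking the inverse by hand: det = 3·5 − 3·2 = 9, and 9·3 = 27 ≡ 1 (mod 26), so det⁻¹ = 3 and K⁻¹ = 3·[[5, −3], [−2, 3]] ≡ [[15, 17], [20, 9]] (mod 26).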
TRANSPOSITION TECHNIQUES

• All techniques examined so far involve the substitution of a ciphertext symbol for a
plaintext symbol.
• A very different kind of mapping is achieved by performing some sort of permutation on
the plaintext letters.
• This technique is referred to as transposition or permutation ciphers.
• These techniques hide the message by rearranging the letter order without altering the
actual letters.
• The ciphertext has the same letter frequency distribution as the original plaintext.

Rail Fence Cipher

• For encryption:
o Depth = 2
o Write the message letters out diagonally over a number of rows, then read off the cipher row by
row.
o For example, the plaintext message "meet me after the toga party" will be written out as:

m e m a t r h t g p r y
 e t e f e t e o a a t

o to give the following ciphertext:

"MEMATRHTGPRYETEFETEOAAT"

• For decryption:
o Count the number of characters and make that many columns
o Make the number of rows equal to the depth

M E M A T R H T G P R Y
- - - - - - - - - - -

M E M A T R H T G P R Y
E T E F E T E O A A T

o Read the characters diagonally to obtain the plaintext
• This sort of encryption would be trivial to cryptanalyze

Columnar Transposition Ciphers

• For encryption:
o A more complex scheme is to write the letters of the message in rows over a specified
number of columns.
o Then reorder the columns according to some key before reading off the columns.

Key:        3 4 2 1
Plaintext:  a t t a
            c k t o
            d a y X
Ciphertext: AOXTTYACDTKA

• (If needed only) If the message is re-encrypted using the same algorithm and the
same key:

Key:        3 4 2 1
Plaintext:  a o X t
            t y a c
            d t k a
Ciphertext: TCAXAKATDOYT

• For decryption:
o Write the key and then write the characters column-wise, in key order

Key:        3 4 2 1
Ciphertext: a t t a
            c k t o
            d a y X
Plaintext: ATTACKTODAY
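Both transposition ciphers of this section as working code, an added example that is not from the notes. The rail fence routine generalises the notes' depth-2 case to any depth (the zig-zag pattern is computed once and reused for decryption), and the columnar routine reproduces the key 3 4 2 1 example, its double encryption, and the column-wise refill used to decrypt.

```python
def rail_pattern(n: int, depth: int):
    """Rail index visited by each of n plaintext positions (the zig-zag)."""
    pattern, row, step = [], 0, 1
    for _ in range(n):
        pattern.append(row)
        if depth > 1:
            if row == 0:
                step = 1
            elif row == depth - 1:
                step = -1
            row += step
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int) -> str:
    """Write diagonally over `depth` rails, then read the rails off row by row."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    rails = [[] for _ in range(depth)]
    for ch, r in zip(letters, rail_pattern(len(letters), depth)):
        rails[r].append(ch)
    return "".join("".join(r) for r in rails).upper()


def rail_fence_decrypt(ciphertext: str, depth: int) -> str:
    """Cut the ciphertext into rails of the right lengths, then walk the zig-zag again."""
    pattern = rail_pattern(len(ciphertext), depth)
    rails, pos = [], 0
    for r in range(depth):
        n = pattern.count(r)
        rails.append(list(ciphertext[pos:pos + n]))
        pos += n
    return "".join(rails[r].pop(0) for r in pattern).lower()


def columnar_encrypt(plaintext: str, key, pad: str = "x") -> str:
    """Write rows of len(key) letters (padding the last row), then read the columns
    in the order the key numbers them: the column labelled 1 first."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    cols = len(key)
    while len(letters) % cols:
        letters.append(pad)
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = sorted(range(cols), key=lambda c: key[c])
    return "".join(row[c] for c in order for row in rows).upper()


def columnar_decrypt(ciphertext: str, key) -> str:
    """Refill the grid column by column in key order, then read it row by row."""
    cols = len(key)
    nrows = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda c: key[c])
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for c in order:
        for r in range(nrows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid).lower()


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party", 2))   # MEMATRHTGPRYETEFETEOAAT
    print(rail_fence_decrypt("MEMATRHTGPRYETEFETEOAAT", 2))        # meetmeafterthetogaparty
    key = [3, 4, 2, 1]
    once = columnar_encrypt("attack today", key)                   # AOXTTYACDTKA
    twice = columnar_encrypt(once, key)                            # TCAXAKATDOYT
    print(once, twice, columnar_decrypt(columnar_decrypt(twice, key), key))
```

Note what these routines leave untouched: sorting the letters of any output gives the sorted plaintext, which is the "same frequency distribution" weakness the section opens with.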

STEGANOGRAPHY
• Steganography is the practice of concealing a file, message, image, or video within
another file, message, image, or video.
• In this method the secret is hidden within an innocuous cover message.
• Various techniques are used:
o Character marking:
- Selected letters of printed or typewritten text are overwritten in pencil.
- The marks are ordinarily not visible unless the paper is held at an angle to
bright light.
o Invisible ink:
- A number of substances can be used for writing but leave no visible trace
until heat or some chemical is applied to the paper.
o Pin punctures:
- Small pin punctures on selected letters are ordinarily not visible unless the
paper is held up in front of a light.
o Typewriter correction ribbon:
- Used between lines typed with a black ribbon, the results of typing with
the correction tape are visible only under a strong light.
• Advantages:
o It can be employed by parties who have something to lose should the fact of their
secret communication (not necessarily the content) be discovered.
• Disadvantages:
o It requires a lot of overhead to hide relatively few bits of information.
o Once the system is discovered, it becomes virtually worthless.

ROTOR MACHINES
• before modern ciphers, rotor machines were the most common complex ciphers in use
• widely used in World War 2
o German Enigma, Allied Hagelin, Japanese Purple
• implemented a very complex, varying substitution cipher
• used a series of cylinders, each giving one substitution, which rotated and changed after
each letter was encrypted
• with 3 cylinders there are 26^3 = 17,576 alphabets

Hagelin Rotor Machine

A three-rotor machine with wiring represented by numbered contacts

MODERN SYMMETRIC KEY ENCRYPTION

STREAM CIPHERS
• In this scheme, the plaintext is processed one bit at a time, i.e. one bit of plaintext is taken
and a series of operations is performed on it to generate one bit of ciphertext.
• Technically, stream ciphers are block ciphers with a block size of one bit.
• e.g. additive cipher, monoalphabetic cipher, Vigenère cipher

BLOCK CIPHERS
• In this scheme, the plain binary text is processed in blocks (groups) of bits at a time; i.e. a
block of plaintext bits is selected, and a series of operations is performed on this block to
generate a block of ciphertext bits.
• The number of bits in a block is fixed.
• For example, the schemes DES and AES have block sizes of 64 and 128 bits, respectively.
• e.g. Playfair cipher, Hill cipher
BLOCK CIPHER PRINCIPLES

• most symmetric block ciphers are based on a Feistel cipher structure
• Horst Feistel devised the Feistel cipher
o partitions the input block into two halves
o processes them through multiple rounds, each of which
o performs a substitution on the left data half
o based on a round function of the right half and a subkey
o then has a permutation swapping the halves
• implements Shannon's substitution-permutation network concept

Ideal Block Cipher

• Claude Shannon and Substitution-Permutation Ciphers
o Claude Shannon introduced the idea of substitution-permutation (S-P) networks in a
1949 paper
o they form the basis of modern block ciphers
o S-P nets are based on the two primitive cryptographic operations:
- substitution (S-box)
- permutation (P-box)
o they provide confusion and diffusion of message and key
• Confusion
o A technique that seeks to make the relationship between the statistics of the
ciphertext and the value of the encryption key as complex as possible. The cipher
uses both key and plaintext.
• Diffusion
o A technique that seeks to obscure the statistical structure of the plaintext by
spreading out the influence of each individual plaintext digit over many
ciphertext digits.

FEISTEL CIPHER STRUCTURE

• Invented by Horst Feistel,
o working at IBM Thomas J. Watson research labs in the early 70s.
• The idea is to partition the input block into two halves, l(i-1) and r(i-1), and
o process them through multiple rounds which
o perform a substitution on the left data half
o based on a round function of the right half and a subkey
o then have a permutation swapping the halves
• implements Shannon's S-P net concept
• The function f incorporates one stage of the S-P network, controlled by part of the key
k(i) known as the i-th subkey.

Feistel Cipher Structure


Feistel Cipher Design Principle Elements / Parameters

• block size
o increasing size improves security, but slows the cipher
• key size
o increasing size improves security and makes exhaustive key searching harder, but
may slow the cipher
• number of rounds
o increasing the number improves security, but slows the cipher
• subkey generation
o greater complexity can make analysis harder, but slows the cipher
• round function
o greater complexity can make analysis harder, but slows the cipher
• fast software en/decryption and ease of analysis
o are more recent concerns for practical use and testing

Feistel Cipher Encryption and Decryption

This can be described functionally as:

Proof

To show that the output of the first round of the decryption process is equal to a 32-bit swap of
the input to the sixteenth round of the encryption process.

First, consider the encryption process. We see that

LE16 = RE15

RE16 = LE15 ⊕ F(RE15, K16)

On the decryption side,

LD1 = RD0 = LE16 = RE15

RD1 = LD0 ⊕ F(RD0, K16)

    = RE16 ⊕ F(RE15, K16)

    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)

    = LE15

The last step uses the following properties of XOR:

[A ⊕ B] ⊕ C = A ⊕ [B ⊕ C]

D ⊕ D = 0

E ⊕ 0 = E

In general, for round i of encryption,

LEi = REi-1

REi = LEi-1 ⊕ F(REi-1, Ki)

Rearranging terms,

REi-1 = LEi

LEi-1 = REi ⊕ F(REi-1, Ki)
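The proof above, checked by execution: an added example (my code, not the notes'), with a 64-bit toy Feistel network. The round function is a deliberately arbitrary, non-invertible mix (an assumption; any F works, which is the point of the structure), the subkeys are constructed constants, and a checker confirms that after one decryption round with K16 the halves equal the swapped input of the last encryption round, exactly as derived. A small avalanche count is included for the later "Avalanche Effect" section.

```python
MASK32 = 0xFFFFFFFF


def round_function(r: int, k: int) -> int:
    """Toy F(R, K): XOR with the subkey, mult by an odd constant, rotate. It is never
    inverted, so it need not be invertible (the Feistel property the proof relies on)."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def feistel_round(l: int, r: int, k: int):
    """L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)"""
    return r, l ^ round_function(r, k)


def feistel(block: int, subkeys) -> int:
    """Run all rounds, then the final 32-bit swap. Decryption is the same routine
    with the subkeys in reverse order."""
    l, r = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        l, r = feistel_round(l, r, k)
    return (r << 32) | l


def encrypt(block: int, subkeys) -> int:
    return feistel(block, subkeys)


def decrypt(block: int, subkeys) -> int:
    return feistel(block, list(reversed(subkeys)))


def first_decrypt_round_matches_proof(block: int, subkeys) -> bool:
    """The identity proved above: (LD_1, RD_1) == (RE_{n-1}, LE_{n-1}), i.e. the
    first decryption round output is the swapped input of the last encryption round."""
    l, r = (block >> 32) & MASK32, block & MASK32
    states = [(l, r)]
    for k in subkeys:
        l, r = feistel_round(l, r, k)
        states.append((l, r))
    le_in, re_in = states[-2]                         # input to the final encryption round
    ld0, rd0 = states[-1][1], states[-1][0]           # ciphertext halves after the swap
    ld1, rd1 = feistel_round(ld0, rd0, subkeys[-1])   # first decryption round uses K_n
    return (ld1, rd1) == (re_in, le_in)


def avalanche(block: int, subkeys, bit: int = 0) -> int:
    """Number of ciphertext bits (out of 64) that change when one plaintext bit flips."""
    a = encrypt(block, subkeys)
    b = encrypt(block ^ (1 << bit), subkeys)
    return bin(a ^ b).count("1")


SUBKEYS = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0xCAFEBABE] * 4   # constructed, 16 rounds

if __name__ == "__main__":
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt, SUBKEYS)
    print(hex(ct), hex(decrypt(ct, SUBKEYS)))
    print(first_decrypt_round_matches_proof(pt, SUBKEYS))
    print(avalanche(pt, SUBKEYS), "of 64 bits changed")
```

The avalanche figure printed for this toy F is only illustrative; the count should sit near 32 for a well-designed round function, and DES's was designed to.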
DATA ENCRYPTION STANDARD (DES)
• most widely used block cipher in the world
• Adopted in 1977 by the National Bureau of Standards, now the National Institute of
Standards and Technology
• Data are encrypted in 64-bit blocks using a 56-bit key
• The same algorithm is used for decryption.
• There has been considerable controversy over its security

• DES History
o IBM developed the Lucifer cipher
o by a team led by Feistel in the late 60s
o used 64-bit data blocks with a 128-bit key
o then redeveloped as a commercial cipher with input from NSA and others
o in 1973 NBS issued a request for proposals for a national cipher standard
o IBM submitted their revised Lucifer, which was eventually accepted as the DES

DES Encryption Overview

The overall scheme for DES encryption is illustrated in the Figure, which takes as input 64
bits of data and 64 bits of key.

The left side shows the basic process for enciphering a 64-bit data block, which consists
of:

- an initial permutation (IP) which shuffles the 64-bit input block
- 16 rounds of a complex key-dependent round function involving substitutions and
permutations
- a final permutation, being the inverse of IP

The right side shows the handling of the 56-bit key and consists of:
- an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in
two 28-bit halves
- 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of
the two 28-bit halves
Tables for DES

• The input to a table consists of 64 bits numbered left to right from 1 to 64.
• The 64 entries in the permutation table contain a permutation of the numbers from 1 to
64.
• Each entry in the permutation table indicates the position of a numbered input bit in the
output, which also consists of 64 bits.

INITIAL PERMUTATION IP
• first step of the data computation
• It happens only once, before the first round.
• IP reorders the input data bits
• IP produces two halves of the permuted block: LH half, RH half

To see that these two permutation functions are indeed the inverse of each other, consider the
following 64-bit input M:

where each entry is a binary digit. Then the permutation is as follows:

If we then take the inverse permutation,

it can be seen that the original ordering of the bits is restored.


DES ROUND STRUCTURE

– uses two 32-bit halves, L & R

– as for any Feistel cipher, round i can be described as:

 Li = Ri-1
 Ri = Li-1 xor F(Ri-1, Ki)

– F takes the 32-bit R half and the 48-bit subkey and:

o expands R to 48 bits using permutation E

o XORs the result with the subkey

o passes it through 8 S-boxes to get a 32-bit result

o finally permutes this using the 32-bit permutation P

SUBSTITUTION BOXES S

– DES has eight S-boxes, each mapping 6 bits to 4 bits

– each S-box is actually four little 4-bit boxes (one per row)
o outer bits 1 & 6 (row bits) select one of the four rows
o inner bits 2-5 (column bits) are substituted
o result is 8 lots of 4 bits, or 32 bits
– row selection depends on both data & key
o feature known as autoclaving (autokeying)

DES Key Schedule

– forms the subkeys used in each round

– consists of:

o initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves

o 16 stages consisting of:

 selecting 24 bits from each half

 permuting them by PC2 for use in function F,

 rotating each half separately either 1 or 2 places depending on the key
rotation schedule K

DES Decryption

– decrypt must unwind steps of data computation

– with Feistel design, do encryption steps again

– using subkeys in reverse order (SK16 … SK1)

– note that IP undoes final FP step of encryption

– 1st round with SK16 undoes 16th encrypt round

– 16th round with SK1 undoes 1st encrypt round

– then final FP undoes initial encryption IP

– thus recovering original data value
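The round structure and reversed-subkey decryption described above, as an added example that is not code from these notes: a 64-bit Feistel cipher with 16 rounds and an IP/FP pair. The functions `ip`/`fp`, `round_f` and `subkeys` are constructed stand-ins for DES's real IP, E/S-box/P function and PC1/PC2 shift schedule, so the point is the structure, not DES itself.

```python
# Feistel structure as described for DES: IP, 16 rounds of Li = Ri-1 and
# Ri = Li-1 XOR F(Ri-1, Ki), a final swap of the halves, then FP = IP^-1.
# Decryption is the same code with the subkeys in reverse order.
# Added example: ip/fp, round_f and subkeys are constructed stand-ins, not
# DES's real IP, E/S-box/P function or PC1/PC2 shift schedule.
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

def ip(x):
    """Stand-in initial permutation: rotate the 64-bit block left by 17."""
    return ((x << 17) | (x >> 47)) & MASK64

def fp(x):
    """Final permutation, the inverse of ip: rotate right by 17."""
    return ((x >> 17) | (x << 47)) & MASK64

def round_f(r, k):
    """Constructed nonlinear 32-bit round function (stand-in for E, S-boxes, P)."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return x ^ (x >> 15)

def subkeys(key):
    """Constructed schedule: rotate the key each round (as DES rotates its two
    28-bit halves) and take 32 bits; real DES uses PC1/PC2 and 48-bit subkeys."""
    ks = []
    for i in range(16):
        key = ((key << 3) | (key >> 61)) & MASK64
        ks.append((key ^ (i * 0x01010101)) & MASK32)
    return ks

def feistel(block, ks):
    """Run the rounds in the given subkey order, then swap the halves."""
    l, r = block >> 32, block & MASK32
    for k in ks:
        l, r = r, l ^ round_f(r, k)   # Li = Ri-1 ; Ri = Li-1 XOR F(Ri-1, Ki)
    return (r << 32) | l              # output (R16, L16): the final swap

def encrypt(block, key):
    return fp(feistel(ip(block), subkeys(key)))

def decrypt(block, key):
    # ip undoes encryption's fp; round 1 with K16 undoes encrypt round 16, and
    # so on down to round 16 with K1, after which fp undoes encryption's ip.
    return fp(feistel(ip(block), subkeys(key)[::-1]))
```

Because each round only XORs F's output into one half, `feistel` with the subkeys reversed inverts `feistel` regardless of what F is; F never has to be invertible.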

Avalanche Effect

– key desirable property of an encryption algorithm

– where a change of one input or key bit results in changing approx half the output bits
– making attempts to “home in” by guessing keys impossible
– DES exhibits strong avalanche

STRENGTH OF DES

Concerns about key size and the nature of the algorithm


Key Size
– 56-bit keys have 2^56 = 7.2 x 10^16 values
– brute force search looks hard
– DES was finally and definitively proved insecure in July 1998, when
the Electronic Frontier Foundation (EFF) announced that it had broken
a DES encryption using a special-purpose "DES cracker" machine that
was built for less than $250,000. The attack took less than three days.
The EFF has published a detailed description of the machine, enabling
others to build their own cracker [EFF98].
– It is important to note that there is more to a key-search attack than
simply running through all possible keys. Unless known plaintext is
provided, the analyst must be able to recognize plaintext as plaintext.

Nature of algorithm

– because the design criteria for the S-boxes, and indeed for the entire algorithm,
were not made public, there is a suspicion that the boxes were
constructed in such a way that cryptanalysis is possible for an
opponent who knows the weaknesses in the S-boxes.
– This assertion is tantalizing, and over the years a number of
regularities and unexpected behaviors of the S-boxes have been
discovered.

Timing Attacks

– attacks the actual implementation of the cipher

– use knowledge of the consequences of the implementation to derive
knowledge of some/all subkey bits

– specifically use the fact that calculations can take varying times depending
on the value of the inputs to it

Analytic Attacks
– now have several analytic attacks on DES
– these utilise some deep structure of the cipher
o by gathering information about encryptions
o can eventually recover some/all of the sub-key bits
o if necessary then exhaustively search for the rest
– generally these are statistical attacks
– include
o differential cryptanalysis
o linear cryptanalysis

Differential Cryptanalysis

• One of the most significant recent (public) advances in cryptanalysis

• Known to NSA in the 70's during the DES design; Murphy, Biham & Shamir published it in
the 90's

• Powerful method to analyse block ciphers

• Used to analyse most current block ciphers with varying degrees of
success

• DES reasonably resistant to it.

Linear Cryptanalysis

• Another recent development, also a statistical method

• Must be iterated over rounds, with decreasing probabilities

• Developed by Matsui et al in the early 90's, based on finding linear
approximations

• Can attack DES with known plaintexts; easier, but still infeasible in
practice

BLOCK CIPHER DESIGN PRINCIPLES


DES Design Criteria

• As reported by Coppersmith in [COPP94]

• 7 criteria for S-boxes provide for non-linearity

• Resistance to differential cryptanalysis

• Good confusion

• 3 criteria for permutation P provide for increased diffusion

• The criteria for the S-boxes are as follows.

 No output bit of any S-box should be too close to a linear function of the input bits.
Specifically, if we select any output bit and any subset of the six input bits, the
fraction of inputs for which this output bit equals the XOR of these input bits
should not be close to 0 or 1, but rather should be near 1/2.
 Each row of an S-box (determined by a fixed value of the leftmost and rightmost
input bits) should include all 16 possible output bit combinations.
 If two inputs to an S-box differ in exactly one bit, the outputs must differ in at
least two bits.
 If two inputs to an S-box differ in exactly the two middle bits, the outputs must
differ in at least two bits.
 If two inputs to an S-box differ in their first two bits and are identical in their last
two bits, the two outputs must not be the same.
 For any nonzero 6-bit difference between inputs, no more than eight of the 32
pairs of inputs exhibiting that difference may result in the same output difference.
 This is a criterion similar to the previous one, but for the case of three S-boxes.
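The S-box lookup rule from the DES round structure (outer bits 1 and 6 pick the row, inner bits 2-5 the column) and the second, third and fourth S-box criteria above, as an added example that is not code from these notes. The table is the real DES S-box S1 from FIPS 46; the checks enumerate all 64 inputs, so they are exhaustive for one box.

```python
"""DES-style S-box lookup (outer bits 1 and 6 select the row, inner bits 2-5 the
column) checked against three of the published S-box design criteria. Added
example; S1 is the real DES S-box S1 from FIPS 46, the rest is not page code."""

# DES S-box S1 (FIPS 46): 4 rows of 16 four-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(box, x):
    """Map a 6-bit input (bit 1 = MSB, bit 6 = LSB) to a 4-bit output."""
    assert 0 <= x < 64
    row = ((x >> 5) & 1) << 1 | (x & 1)  # bits 1 and 6
    col = (x >> 1) & 0xF                  # bits 2-5
    return box[row][col]


def rows_are_permutations(box):
    """Each row contains every one of the 16 possible output values."""
    return all(sorted(row) == list(range(16)) for row in box)


def min_output_distance(box, delta):
    """Smallest Hamming distance between the outputs of any pair of inputs
    that differ by exactly the 6-bit difference delta (all 64 inputs tried)."""
    return min(bin(sbox(box, x) ^ sbox(box, x ^ delta)).count("1")
               for x in range(64))


def single_bit_min_distance(box):
    """Inputs differing in exactly one bit must give outputs differing in >= 2 bits."""
    return min(min_output_distance(box, 1 << i) for i in range(6))


def middle_bits_min_distance(box):
    """Inputs differing in exactly the two middle bits (3 and 4) must give
    outputs differing in >= 2 bits."""
    return min_output_distance(box, 0b001100)


def meets_criteria(box):
    return (rows_are_permutations(box)
            and single_bit_min_distance(box) >= 2
            and middle_bits_min_distance(box) >= 2)
```

A box whose four rows are all the identity mapping has permutation rows but fails the one-bit criterion, since flipping bit 6 changes the row without changing the output.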

• The criteria for the permutation P are as follows.

 The four output bits from each S-box at round are distributed so that two of them
affect (provide input for) “middle bits” of round and the other two affect end
bits. The two middle bits of input to an S-box are not shared with adjacent S-boxes.
The end bits are the two left-hand bits and the two right-hand bits, which are
shared with adjacent S-boxes.
 The four output bits from each S-box affect six different S-boxes on the next
round, and no two affect the same S-box.
 For two S-boxes , , if an output bit from affects a middle bit of on the next round,
then an output bit from cannot affect a middle bit of . This implies that, for , an
output bit from must not affect a middle bit of . These criteria are intended to
increase the diffusion of the algorithm.
Three critical aspects of block cipher design:
 the number of rounds,
 design of the function F,and
 key scheduling.

1. The number of rounds

 The greater the number of rounds, the more difficult it is to perform cryptanalysis
 The criterion should be that the number of rounds is chosen so that known cryptanalytic
efforts require greater effort than a simple brute-force key search attack.
 This criterion was certainly used in the design of DES.
 If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a
brute-force key search.
 This criterion is attractive, because it makes it easy to judge the strength of an algorithm
and to compare different algorithms.
 In the absence of a cryptanalytic breakthrough, the strength of any algorithm that satisfies
the criterion can be judged solely on key length.

2. Design of Function F
 The heart of a Feistel block cipher is the function F.
 In DES, this function relies on the use of S-boxes.
 DESIGN CRITERIA FOR F
o The function F provides the element of confusion in a Feistel cipher.
o One criterion is that F be nonlinear. The more nonlinear F is, the more difficult any
type of cryptanalysis will be.
o The algorithm should have good avalanche properties; this means that a change in
one bit of the input should produce a change in many bits of the output, i.e. the strict
avalanche criterion (SAC)
o Another criterion is the bit independence criterion (BIC), which states that
output bits j and k should change independently when any single input bit i is
inverted, for all i, j, k
o S-BOX DESIGN
 Larger S-boxes, by and large, are more resistant to differential and
linear cryptanalysis

3. key scheduling.
 select subkeys to maximize the difficulty of deducing individual subkeys and the
difficulty of working back to the main key.
 No general principles for this have yet been promulgated.

BLOCK CIPHER MODES OF OPERATION


Modes of Operation
 Block ciphers encrypt fixed-size blocks
o Eg. DES encrypts 64-bit blocks with a 56-bit key
 Need some way to en/decrypt arbitrary amounts of data in practice
 Have block and stream modes
 To cover a wide variety of applications
 Can be used with any block cipher
 NIST SP 800 defines 5 modes
1. Electronic Codebook (ECB)
2. Cipher Block Chaining (CBC)
3. Cipher Feedback (CFB)
4. Output Feedback (OFB)
5. Counter (CTR)

1. ELECTRONIC CODEBOOK (ECB)


 message is broken into independent blocks that are encrypted
 each block is a value which is substituted, like a codebook, hence name
 each block is encoded independently of the other blocks
Ci = EK(Pi)
 uses: secure transmission of single values

 Advantages and limitations of ECB


o message repetitions may show in ciphertext
 if aligned with message block
 particularly with data such as graphics
 or with messages that change very little, which become a code-book
analysis problem
o weakness is due to the encrypted message blocks being independent
o vulnerable to cut-and-paste attacks
o main use is sending a few blocks of data

2. CIPHER BLOCK CHAINING (CBC)


 message is broken into blocks
 linked together in encryption operation
 each previous cipher block is chained with current plaintext block, hence name
 use an Initialization Vector (IV) to start the process
o Ci = EK(Pi XOR Ci-1)
o C-1 = IV
 IV prevents same P from making same C
 uses: bulk data encryption, authentication

 Advantages and Limitations of CBC


o a ciphertext block depends on all blocks before it
o any change to a block affects all following ciphertext blocks...
o need Initialization Vector (IV)
 which must be known to sender & receiver
 if sent in clear, attacker can change bits of first block, by changing
corresponding bits of IV
 hence IV must either be a fixed value
 or derived in way hard to manipulate

Stream Modes of Operation


 block modes encrypt entire block
 may need to operate on smaller units
 real time data
 convert block cipher into stream cipher
a. cipher feedback (CFB) mode
b. output feedback (OFB) mode
c. counter (CTR) mode

3. CIPHER FEEDBACK (CFB)


 message is treated as a stream of bits
 added to the output of the block cipher
 result is fed back for the next stage (hence name)
 standard allows any number of bits (1, 8, 64 or 128 etc) to be fed back
 denoted CFB-1, CFB-8, CFB-64, CFB-128, etc.
 most efficient to use all bits in block (64 or 128)
Ci = Pi XOR EK(Ci-1)
C-1 = IV
 uses: stream data encryption, authentication
 Advantages and Limitations of CFB
o most common stream mode
o appropriate when data arrives in bits/bytes
o limitation is the need to stall for a block encryption after every s bits

4. OUTPUT FEEDBACK (OFB)


 message is treated as a stream of bits
 output of cipher is added to message
 output is then fed back (hence name)
Oi = EK(Oi-1)
Ci = Pi XOR Oi
O-1 = IV
 feedback is independent of message
 can be computed in advance

 Advantages and Limitations of OFB


o needs an IV which is unique for each use
o bit errors do not propagate
o more vulnerable to message stream modification...
o change arbitrary bits by changing ciphertext
o sender & receiver must remain in sync

5. COUNTER (CTR)
 a “new” mode, though proposed early on
 similar to OFB but encrypts counter value rather than any feedback value
Oi = EK(i)
Ci = Pi XOR Oi
 must have a different key & counter value for every plaintext block (never reused)
 uses: high-speed network encryptions

 Advantages and Limitations of CTR


o efficiency
o can do parallel encryptions in h/w or s/w
o can preprocess in advance of need
o good for bursty high speed links
o random access to encrypted data blocks
o provable security (as good as other modes)
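The ECB, CBC and CTR relations from the sections above implemented over 64-bit blocks, as an added example that is not part of the original notes. The block cipher `ek`/`dk` is a constructed keyed bijection standing in for DES (not a secure cipher), and `repeated_blocks` measures the repetition that ECB leaks on a message of identical blocks and that CBC and CTR hide.

```python
# ECB, CBC and CTR over a 64-bit block cipher, using the page's relations:
# ECB Ci = EK(Pi); CBC Ci = EK(Pi XOR Ci-1), C-1 = IV; CTR Ci = Pi XOR EK(nonce+i).
# Added example: ek/dk are a constructed keyed bijection standing in for DES
# (not a secure cipher), so only the mode behaviour is meaningful here.
BLOCK = 8                               # 64-bit blocks, as in DES
MASK64 = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15               # odd, hence invertible mod 2^64
INV = pow(MULT, -1, 1 << 64)

def ek(key, p):                         # stand-in EK: xor key, multiply by odd const
    return ((p ^ key) * MULT) & MASK64

def dk(key, c):                         # inverse of ek
    return ((c * INV) & MASK64) ^ key

def blocks(data):
    assert len(data) % BLOCK == 0, "message must be whole blocks (pad first)"
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]

def join(ints):
    return b"".join(x.to_bytes(BLOCK, "big") for x in ints)

def ecb_encrypt(key, pt):
    return join(ek(key, p) for p in blocks(pt))          # Ci = EK(Pi)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv                                   # C-1 = IV
    for p in blocks(pt):
        prev = ek(key, p ^ prev)                         # Ci = EK(Pi XOR Ci-1)
        out.append(prev)
    return join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(dk(key, c) ^ prev)                    # Pi = DK(Ci) XOR Ci-1
        prev = c
    return join(out)

def ctr_crypt(key, nonce, data):
    # Same call encrypts and decrypts; (key, nonce + i) must never be reused.
    return join(p ^ ek(key, (nonce + i) & MASK64) for i, p in enumerate(blocks(data)))

def repeated_blocks(ct):
    # Ciphertext blocks that duplicate an earlier one: the repetition ECB leaks.
    bs = blocks(ct)
    return len(bs) - len(set(bs))
```

Decrypting CBC with a modified IV changes only the first recovered block, bit for bit, which is the reason the notes give for fixing the IV or deriving it in a way that is hard to manipulate.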
