CH 1

The document discusses computer security and introduces key concepts. It defines computer security as protecting information and property from unauthorized access or use while allowing intended access. The goals of computer security are confidentiality, integrity, and availability (CIA triad). Additional goals discussed are authenticity and accountability. Security attacks are classified as either passive or active. Passive attacks involve monitoring transmissions without altering data, while active attacks modify systems or data. Common active attacks are masquerade, replay, message modification, and denial of service. The OSI security architecture provides a framework for defining security requirements, attacks, mechanisms, and services.

Uploaded by Sam
Cryptography and Network Security 2021

CH 1 - Introduction

1.0 Why is computer security important?


You probably do not want strangers
• reading your email
• using your computer to attack other systems
• sending forged email from your computer, or
• examining personal information stored on your computer

Definition of Computer Security
Computer security is about the provisions and policies adopted to protect information and property
from unauthorized access, use, alteration, degradation, destruction, theft, corruption, natural
disaster, etc., while allowing the information and property to remain accessible and productive to
its intended use. It can also be defined as follows:
The protection afforded to an automated information system in order to attain the applicable
objectives of preserving the integrity, availability, and confidentiality of information system
resources (includes hardware, software, firmware, information/ data, and telecommunications).
This definition introduces three key objectives that are at the heart of computer security:
• Confidentiality:
Confidentiality ensures that computer-related assets are accessed only by authorized parties. This
term covers two related concepts:
o Data confidentiality: Assures that private or confidential information is not made
available or disclosed to unauthorized individuals.
o Privacy: Assures that individuals control or influence what information related to
them may be collected and stored, and by whom and to whom that information may
be disclosed.
A loss of confidentiality is the unauthorized disclosure of information.
• Integrity:
Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of
preventing improper or unauthorized change. This term covers two related concepts:
o Data integrity: Assures that information and programs are changed only in a
specified and authorized manner.
o System integrity: Assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized manipulation
of the system.


A loss of integrity is the unauthorized modification or destruction of information.


• Availability:
Assures that systems work promptly and service is not denied to authorized users. Availability is
sometimes known by its opposite, denial of service.
Let us consider the following example on such security objectives.
Patient’s medical information should not be improperly disclosed. (Confidentiality)
Patient’s medical information should be correct. (Integrity)
Patient’s medical information can be accessed when needed for treatment. (Availability)
Although the use of the CIA triad to define security objectives is well established, some in the
security field feel that additional concepts are needed to present a complete picture. Two of the
most commonly mentioned are as follows:
• Authenticity:
The property of being genuine and being able to be verified and trusted; confidence in the
validity of a transmission, a message, or message originator. This means verifying that users are
who they say they are and that each input arriving at the system came from a trusted source.
• Accountability:
The security goal that generates the requirement for actions of an entity to be traced uniquely to
that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and
prevention, and after-action recovery and legal action.

1.1 OSI Security Architecture


Before we dive into the OSI security architecture, let us look at the meaning of two important terms:
i) Threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or
event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a
vulnerability.
We can view any threat as being one of four kinds: interception, interruption, modification, and
fabrication.
An interception means that some unauthorized party has gained access to an asset. The outside party can
be a person, a program, or a computing system.
In an interruption, an asset of the system becomes lost, unavailable, or unusable.
If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.
Finally, an unauthorized party might fabricate counterfeit objects on a computing system.
ii) Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a method or technique) to evade security services and violate
the security policy of a system.
In the literature, the terms threat and attack are commonly used to mean more or less the same thing.


To assess effectively the security needs of an organization and to evaluate and choose various
security products and policies, the manager responsible for security needs some systematic way
of defining the requirements for security and characterizing the approaches to satisfying those
requirements. This is difficult enough in a centralized data processing environment; with the use
of local and wide area networks, the problems are compounded.
ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic
approach. The OSI security architecture is useful to managers as a way of organizing the task of
providing security.
The OSI security architecture was developed in the context of the OSI protocol architecture. The
OSI security architecture focuses on security attacks, mechanisms, and services. These can be
defined briefly as follows:
• Security attack: Any action that compromises the security of information owned by an
organization.
• Security mechanism: A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack.
• Security service: A processing or communication service that enhances the security of
the data processing systems and the information transfers of an organization. The services
are intended to counter security attacks, and they make use of one or more security
mechanisms to provide the service.
• Security Attacks
Security attacks are classified as passive attacks or active attacks.
• Passive Attacks - A passive attack attempts to learn or make use of information from the
system but does not affect system resources. Passive attacks are in the nature of
eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain
information that is being transmitted. Two types of passive attacks are release of message
contents and traffic analysis.
- The release of message contents is easily understood. For example, a telephone
conversation, an electronic mail message, or a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the
contents of these transmissions.
- A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way
of masking the contents of messages or other information traffic so that opponents, even
if they captured the message, could not extract the information from the message. The
common technique for masking contents is encryption. If we had encryption protection in
place, an opponent might still be able to observe the pattern of these messages. The
opponent could determine the location and identity of communicating hosts and could
observe the frequency and length of messages being exchanged. This information might
be useful in guessing the nature of the communication that was taking place.
Passive attacks are very difficult to detect because they do not involve any alteration of the data.
Typically, the message traffic is sent and received in an apparently normal fashion. But neither
the sender nor receiver is aware that a third party has read the messages or observed the traffic
pattern. However, it is feasible to prevent the success of these attacks, usually by means of
encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than
detection.
• Active Attacks - An active attack attempts to alter system resources or affect their
operation. Active attacks involve some modification of the data stream or the creation of
a false stream and can be subdivided into four categories: masquerade, replay,
modification of messages, and denial of service.
- Masquerade: takes place when one entity pretends to be a different entity. A
masquerade attack usually includes one of the other forms of active attack.
- Replay: involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect.
- Modification of messages: simply means that some portion of a legitimate message is
altered, or that messages are delayed or reordered, to produce an unauthorized effect.
- Denial of service: prevents or inhibits the normal use or management of
communications facilities.
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are
difficult to detect, measures are available to prevent their success. On the other hand, it is quite
difficult to prevent active attacks absolutely, because of the wide variety of potential physical,
software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover
from any disruption or delays caused by them. If the detection has a deterrent effect, it may also
contribute to prevention.

• Security Services
X.800 defines a security service as a service that is provided by a protocol layer of
communicating open systems and that ensures adequate security of the systems or of data
transfers. Perhaps a clearer definition is found in RFC 2828, which provides the following
definition: a processing or communication service that is provided by a system to give a specific
kind of protection to system resources; security services implement security policies and are
implemented by security mechanisms. X.800 divides these services into five categories and
fourteen specific services. We look at each category in turn.
1. Authentication - The assurance that the communicating entity is the one that it claims to be.
Two specific authentication services are defined in X.800:
• Peer Entity Authentication: Used in association with a logical connection to provide confidence
in the identity of the entities connected.

• Data-Origin Authentication: In a connectionless transfer, provides assurance that the source of
received data is as claimed.
2. Access Control - The prevention of unauthorized use of a resource (i.e., this service controls
who can have access to a resource, under what conditions access can occur, and what those
accessing the resource are allowed to do).
3. Data Confidentiality - The protection of data from unauthorized disclosure. There are four
data confidentiality services.
4. Data Integrity - The assurance that data received are exactly as sent by an authorized entity
(i.e., contain no modification, insertion, deletion, or replay). There are five services under
data integrity.
5. Non-repudiation - Provides protection against denial by one of the entities involved in a
communication of having participated in all or part of the communication. The services are:
• Non-repudiation, Origin: Proof that the message was sent by the specified party.
• Non-repudiation, Destination: Proof that the message was received by the specified party.

6. Availability Service -Both X.800 and RFC 2828 define availability to be the property of a
system or a system resource being accessible and usable upon demand by an authorized
system entity, according to performance specifications for the system (i.e., a system is
available if it provides services according to the system design whenever users request them).
A variety of attacks can result in the loss of or reduction in availability. Some of these attacks
are amenable to automated countermeasures, such as authentication and encryption, whereas
others require some sort of physical action to prevent or recover from loss of availability of
elements of a distributed system.
X.800 treats availability as a property to be associated with various security services.
However, it makes sense to call out specifically an availability service. An availability
service is one that protects a system to ensure its availability. This service addresses the
security concerns raised by denial-of-service attacks. It depends on proper management and
control of system resources and thus depends on access control service and other security
services.
• Security Mechanisms
Security mechanisms are technical tools and techniques that are used to implement security
services. A mechanism might operate by itself, or with others, to provide a particular service.
Examples of common security mechanisms are as follows:
• Cryptography
• Message digests and digital signatures
• Digital certificates
• Public Key Infrastructure (PKI)
In this course, the above security mechanisms are covered in detail.


An original message is known as the plaintext or cleartext, while the coded message is called
the ciphertext, or codetext or just cipher. The process of converting from plaintext to ciphertext
is known as enciphering or encryption; restoring the plaintext from the ciphertext is
deciphering or decryption. The many schemes used for encryption constitute the area of study
known as cryptography. Such a scheme is known as a cryptographic system or a cipher.
The technique or rules selected for encryption - known as the encryption algorithm - determines
how simple or how complex the process of transformation will be.
The process of trying to decrypt encrypted information without the key (to "break" an encrypted
message) is called cryptanalysis.
Cryptography guarantees authorization, authentication, integrity, confidentiality, and non-repudiation
in all communications and data exchanges in the new information society.
Two forms of encryption are commonly used: conventional or symmetric encryption and public-
key or asymmetric encryption.
Section 1.1 Review Questions
1.1.1 What is the OSI security architecture?
1.1.2 List and briefly define the three key objectives of computer security.
1.1.3 List and briefly define categories of passive and active security attacks.
1.1.4 List and briefly define categories of security services.
1.1.5 List and briefly define categories of security mechanisms.
1.1.6 What is cryptography?
1.1.7 What is the difference between plaintext and ciphertext?
1.1.8 What is the difference between interception and interruption?

1.2 Classical Encryption techniques


Symmetric encryption, also referred to as conventional encryption or single-key encryption, was
the only type of encryption in use prior to the development of public-key encryption in the
1970s. It remains by far the more widely used of the two types of encryption.
1.2.1 Symmetric Cipher Model
A symmetric encryption scheme has five ingredients:
• Plain text: This is the original intelligible message or data that is fed into the algorithm
as input.
• Encryption algorithm: The encryption algorithm performs various substitutions and
transformations on the plain text.
• Secret key: The secret key is also input to the encryption algorithm. The key is a value
independent of the plain text and of the algorithm. The algorithm will produce a different
output depending on the specific key being used at the time. The exact substitutions and
transformations performed by the algorithm depend on the key.


• Cipher text: This is the scrambled message produced as output. It depends on the plain
text and the secret key. For a given message, two different keys will produce two different
cipher texts. The cipher text is an apparently random stream of data and, as it stands, is
unintelligible.
• Decryption algorithm: This is essentially the encryption algorithm run in reverse. It
takes the cipher text and the secret key and produces the original plain text.
With the message X and the encryption key K as input, the encryption algorithm E forms the
ciphertext Y. We can write this as:
Y = E(K, X)
The intended receiver, in possession of the key, is able to invert the transformation:
X = D(K, Y)
There are two requirements for secure use of conventional encryption:
1. We need a strong encryption algorithm. The opponent should be unable to decrypt
cipher text or discover the key even if he or she is in possession of a number of cipher
texts together with the plain text that produced each cipher text.
2. Sender and receiver must have obtained copies of the secret key in a secure fashion and
must keep the key secure. If someone can discover the key and knows the algorithm, all
communication using this key is readable.
Typically, the objective of attacking an encryption system is to recover the key in use rather than
simply to recover the plain text of a single cipher text. There are two general approaches to
attacking a conventional encryption scheme:
• Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps
some knowledge of the general characteristics of the plain text or even some sample plain
text-cipher text pairs. This type of attack exploits the characteristics of the algorithm to
attempt to deduce a specific plain text or to deduce the key being used.
• Brute-force attack: The attacker tries every possible key on a piece of cipher text until
an intelligible translation into plain text is obtained. On average, half of all possible keys
must be tried to achieve success.
An encryption scheme is unconditionally secure if the cipher text generated by the scheme does
not contain enough information to determine uniquely the corresponding plain text, no matter
how much cipher text is available. That is, no matter how much time an opponent has, it is
impossible for him or her to decrypt the cipher text simply because the required information is
not there. With the exception of a scheme known as the one-time pad, there is no encryption
algorithm that is unconditionally secure. Therefore, all that the users of an encryption algorithm
can strive for is an algorithm that meets one or both of the following criteria:
• The cost of breaking the cipher exceeds the value of the encrypted information.
• The time required to break the cipher exceeds the useful lifetime of the information.
An encryption scheme is said to be computationally secure if either of the foregoing two
criteria are met. It is very difficult to estimate the amount of effort required to cryptanalyze
cipher text successfully.


1.2.2 Substitution Techniques


In this section and the next, we examine a sampling of what might be called classical encryption
techniques. A study of these techniques enables us to illustrate the basic approaches to
symmetric encryption used today and the types of cryptanalytic attacks that must be anticipated.
The two basic building blocks of all encryption techniques are substitution and transposition. We
examine these in the next two sections.
A substitution technique is one in which the letters of plain text are replaced by other letters or
by numbers or symbols. If the plain text is viewed as a sequence of bits, then substitution
involves replacing plain text bit patterns with cipher text bit patterns.
• Caesar Cipher
The earliest known, and the simplest, use of a substitution cipher was by Julius Caesar. The
Caesar cipher involves replacing each letter of the alphabet with the letter standing three places
further down the alphabet. For example,
plain: meet me after the toga party
cipher: PHHW PH DIWHU WKH WRJD SDUWB
Note that the alphabet is wrapped around, so that the letter following Z is A. We can define the
transformation by listing all possibilities, as follows:
plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Let us assign a numerical equivalent to each letter:
a = 0, b = 1, c = 2, ..., z = 25

Then the algorithm can be expressed as follows. For each plaintext letter p, substitute the
ciphertext letter C:
C = E(3, p) = (p + 3) mod 26
A shift may be of any amount, so that the general Caesar algorithm is:
C = E(k, p) = (p + k) mod 26
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
p = D(k, C) = (C - k) mod 26
If it is known that a given cipher text is a Caesar cipher, then a brute-force cryptanalysis is easily
performed: simply try all the 25 possible keys. Problems with Caesar cipher are:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plain text is known and easily recognizable.
Therefore, the cipher text can easily be deciphered by the use of a brute-force cryptanalysis.
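As an added example (not code from the course notes), the Caesar cipher above in Python, with C = (p + k) mod 26 and p = (C - k) mod 26, together with the 25-key exhaustive check that the three problems just listed make possible:

```python
import string

ALPHABET = string.ascii_lowercase   # a = 0, b = 1, ..., z = 25


def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = (p + k) mod 26 for every letter; wraps Z -> A. Spaces and any
    other non-letters are passed through unchanged. Output is upper-case,
    matching the notes' convention for cipher text."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            p = ALPHABET.index(ch)
            out.append(ALPHABET[(p + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = (C - k) mod 26; output is lower-case plain text."""
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            c = ALPHABET.index(ch)
            out.append(ALPHABET[(c - k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(ciphertext: str) -> dict:
    """The three problems listed above in action: the algorithm is public,
    there are only 25 keys, and the plain text is recognisable English, so
    decrypting under every key k = 1..25 puts the answer among 25 lines.
    Returns {k: candidate plain text}."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)                         # PHHW PH DIWHU WKH WRJD SDUWB
    for k, candidate in caesar_candidates(ct).items():
        print(f"k = {k:2d}: {candidate}")
```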
• Monoalphabetic Ciphers


With only 25 possible keys the Caesar cipher is far from secure. A dramatic increase in the key
space can be achieved by allowing an arbitrary substitution. Before proceeding, we define the
term permutation. A permutation of a finite set of elements S is an ordered sequence of all the
elements of S, with each element appearing exactly once. For example, if S = {a, b, c}, there are
six permutations of S:

abc, acb, bac, bca, cab, cba


In general, there are n! permutations of a set of n elements, because the first element can be
chosen in one of n ways, the second in n - 1 ways, the third in n – 2 ways, and so on.

Recall the assignment for the Caesar cipher:


plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

If, instead, the “cipher” line can be any permutation of the 26 alphabetic characters, then there
are 26! or greater than 4 × 10^26 possible keys. Such an approach is referred to as a
monoalphabetic substitution cipher, because a single cipher alphabet (mapping from plain
alphabet to cipher alphabet) is used per message. There is, however, another line of attack. If the
cryptanalyst knows the nature of the plaintext, then the analyst can exploit the regularities of the
language.

Monoalphabetic ciphers are easy to break because they reflect the frequency data of the original
alphabet. A countermeasure is to provide multiple substitutes, known as homophones, for a
single letter.

• Polyalphabetic Ciphers
Another way to improve on the simple monoalphabetic technique is to use different
monoalphabetic substitutions as one proceeds through the plain text message. The general name
for this approach is polyalphabetic substitution cipher. All these techniques have the following
features in common:
1. A set of related monoalphabetic substitution rules is used.
2. A key determines which particular rule is chosen for a given transformation.
The best known and one of the simplest, polyalphabetic ciphers is referred to as the Vigenère
cipher. In this scheme the set of related monoalphabetic substitution rules consists of the 26
Caesar ciphers with shifts of 0 through 25. Each cipher is denoted by a key letter which is the
cipher text letter that substitutes for the plain text letter a. Thus, a Caesar cipher with a shift of 3
is denoted by the key value 3.


We can express the Vigenère cipher in the following manner. Assume a sequence of plaintext
letters P = p_0, p_1, p_2, ..., p_{n-1} and a key consisting of the sequence of letters
K = k_0, k_1, k_2, ..., k_{m-1}, where typically m < n. The sequence of ciphertext letters
C = C_0, C_1, C_2, ..., C_{n-1} is calculated as follows:
C = C_0, C_1, C_2, ..., C_{n-1} = E(K, P) = E((k_0, k_1, k_2, ..., k_{m-1}), (p_0, p_1, p_2, ..., p_{n-1}))
  = (p_0 + k_0) mod 26, (p_1 + k_1) mod 26, ..., (p_{m-1} + k_{m-1}) mod 26,
    (p_m + k_0) mod 26, (p_{m+1} + k_1) mod 26, ..., (p_{2m-1} + k_{m-1}) mod 26, ...
Thus, the first letter of the key is added to the first letter of the plaintext, mod 26, the second
letters are added, and so on through the first m letters of the plaintext. For the next m letters of
the plaintext, the key letters are repeated. This process continues until all of the plaintext
sequence is encrypted.
To aid in understanding the scheme and to aid in its use, a matrix known as the Vigenère tableau
is constructed (Table 1.1). Each of the 26 ciphers is laid out horizontally, with the key letter for
each cipher to its left. A normal alphabet for the plain text runs across the top. The process of
encryption is simple: Given a key letter x and a plain text letter y the cipher text letter is at the
intersection of the row labeled x and the column labeled y; in this case the cipher text is V.

Table 1.1. The Modern Vigenère Tableau


To encrypt a message, a key is needed that is as long as the message. Usually, the key is a
repeating keyword. For example if the keyword is deceptive the message "we are discovered
save yourself" is encrypted as follows:


key:         d e c e p t i v e d e c e p t i v e d e c e p t i v e
plain text:  w e a r e d i s c o v e r e d s a v e y o u r s e l f
cipher text: Z I C V T W Q N G R Z G V T W A V Z H C Q Y G L M G J
Decryption is equally simple. The key letter again identifies the row. The position of the cipher
text letter in that row determines the column, and the plain text letter is at the top of that column.

The strength of this cipher is that there are multiple cipher text letters for each plain text letter,
one for each unique letter of the keyword. Thus, the letter frequency information is obscured.
However, not all knowledge of the plain text structure is lost.
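The Vigenère scheme above in Python, as an added example that is not part of the course notes: C_i = (p_i + k_{i mod m}) mod 26 with the key letters repeating every m positions, and the Caesar cipher as the special case m = 1. Since Table 1.1 is not reproduced here, tableau_row() also rebuilds any row of the Vigenère tableau from its key letter (the notes' examples drop spaces before encryption, so this code does too).

```python
import string

ALPHABET = string.ascii_lowercase   # a = 0, b = 1, ..., z = 25


def _letters(text: str) -> str:
    """Keep only alphabetic characters, lower-cased."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """C_i = (p_i + k_{i mod m}) mod 26; cipher text is returned upper-case."""
    p, k = _letters(plaintext), _letters(keyword)
    if not k:
        raise ValueError("keyword must contain at least one letter")
    m = len(k)
    cipher = []
    for i, ch in enumerate(p):
        shift = ALPHABET.index(k[i % m])      # key letters repeat every m
        cipher.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(cipher).upper()


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """p_i = (C_i - k_{i mod m}) mod 26; plain text is returned lower-case."""
    c, k = _letters(ciphertext), _letters(keyword)
    if not k:
        raise ValueError("keyword must contain at least one letter")
    m = len(k)
    plain = []
    for i, ch in enumerate(c):
        shift = ALPHABET.index(k[i % m])
        plain.append(ALPHABET[(ALPHABET.index(ch) - shift) % 26])
    return "".join(plain)


def tableau_row(key_letter: str) -> str:
    """One row of the Vigenère tableau: the Caesar alphabet denoted by
    key_letter, i.e. the cipher text letters that stand for a..z. The
    cipher text for plain letter y under key letter x is row(x)[y]."""
    return vigenere_encrypt(ALPHABET, key_letter)


def vigenere_tableau() -> list:
    """All 26 rows, key letters a..z, so the whole table can be printed."""
    return [tableau_row(k) for k in ALPHABET]


if __name__ == "__main__":
    ct = vigenere_encrypt("we are discovered save yourself", "deceptive")
    print(ct)                                  # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(vigenere_decrypt(ct, "deceptive"))   # wearediscoveredsaveyourself
    print("    " + " ".join(ALPHABET.upper()))
    for key_letter, row in zip(ALPHABET, vigenere_tableau()):
        print(key_letter.upper() + " | " + " ".join(row))
```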

• One-Time Pad
In polyalphabetic ciphers the key is repeated until it is as long as the plain text. Mauborgne suggested
using a random key that is as long as the message, so that the key need not be repeated. In
addition, the key is to be used to encrypt and decrypt a single message, and then is discarded.
Each new message requires a new key of the same length as the new message. Such a scheme,
known as a one-time pad, is unbreakable. It produces random output that bears no statistical
relationship to the plain text. Because the cipher text contains no information whatsoever about
the plain text, there is simply no way to break the code.
Suppose that we are using a Vigenère scheme with 27 characters in which the twenty-seventh
character is the space character, but with a one-time key that is as long as the message. Thus, the
tableau of Table 1.1 must be expanded to 27 x 27. Consider the cipher text
ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
We now show two different decryptions using two different keys:
cipher text: ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
key:         pxlmvmsydofuyrvzwc tnlebnecvgdupahfzzlmnyih
plain text:  mr mustard with the candlestick in the hall

cipher text: ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
key:         mfugpmiydgaxgoufhklllmhsqdqogtewbqfgyovuhwt
plain text:  miss scarlet with the knife in the library
Suppose that a cryptanalyst had managed to find these two keys. Two plausible plain texts are
produced. How is the cryptanalyst to decide which is the correct decryption (i.e., which is the
correct key)? If the actual key were produced in a truly random fashion, then the cryptanalyst
cannot say that one of these two keys is more likely than the other. Thus, there is no way to
decide which key is correct and therefore which plain text is correct.
In fact, given any plain text of equal length to the cipher text, there is a key that produces that
plain text. Therefore, if you did an exhaustive search of all possible keys, you would end up with
many legible plain texts, with no way of knowing which the intended plain text was. Therefore,
the code is unbreakable.
The security of the one-time pad is entirely due to the randomness of the key. If the stream of
characters that constitute the key is truly random, then the stream of characters that constitute the
cipher text will be truly random. Thus, there are no patterns or regularities that a cryptanalyst can
use to attack the cipher text.
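The one-time pad over the 27-symbol alphabet (a..z = 0..25, space = 26), as an added example that is not part of the course notes. It decrypts the cipher text above with the first key, and key_for() carries out the argument that any plain text of equal length has a key producing it; the second plain text padded to 43 characters and the fresh_key() generator built on the OS random source are my additions.

```python
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz "   # index 26 is the space character
M = len(ALPHABET)                         # 27


def _nums(text: str) -> list:
    """Map text to numbers 0..26, rejecting symbols outside the alphabet."""
    text = text.lower()
    bad = sorted({ch for ch in text if ch not in ALPHABET})
    if bad:
        raise ValueError(f"symbols outside the 27-letter alphabet: {bad!r}")
    return [ALPHABET.index(ch) for ch in text]


def otp_encrypt(plaintext: str, key: str) -> str:
    """C_i = (p_i + k_i) mod 27; the key must match the message length."""
    p, k = _nums(plaintext), _nums(key)
    if len(k) != len(p):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return "".join(ALPHABET[(a + b) % M] for a, b in zip(p, k)).upper()


def otp_decrypt(ciphertext: str, key: str) -> str:
    """p_i = (C_i - k_i) mod 27."""
    c, k = _nums(ciphertext), _nums(key)
    if len(k) != len(c):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return "".join(ALPHABET[(a - b) % M] for a, b in zip(c, k))


def key_for(ciphertext: str, wanted_plaintext: str) -> str:
    """The key k_i = (C_i - p_i) mod 27 under which ciphertext decrypts to
    wanted_plaintext. One such key exists for every text of equal length,
    which is why the cipher text alone cannot single out the real message."""
    c, p = _nums(ciphertext), _nums(wanted_plaintext)
    if len(c) != len(p):
        raise ValueError("candidate plain text must match the cipher text length")
    return "".join(ALPHABET[(a - b) % M] for a, b in zip(c, p))


def fresh_key(length: int) -> str:
    """A pad drawn from the OS cryptographic random source. The scheme's
    security rests on this randomness and on using each pad only once."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Cipher text and first key copied from the example above (43 symbols each).
CIPHERTEXT = "ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS"
KEY_1 = "pxlmvmsydofuyrvzwc tnlebnecvgdupahfzzlmnyih"

if __name__ == "__main__":
    print(otp_decrypt(CIPHERTEXT, KEY_1))   # mr mustard with the candlestick in the hall
    # Any other 43-symbol text is equally consistent with the cipher text
    # (second plain text padded with one trailing space; constructed here):
    other = "miss scarlet with the knife in the library "
    k2 = key_for(CIPHERTEXT, other)
    print(repr(k2), "->", otp_decrypt(CIPHERTEXT, k2))
```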
1.2.3 Transposition Techniques

A very different kind of mapping is achieved by performing some sort of permutation on the
plain text letters. This technique is referred to as a transposition cipher.
The simplest such cipher is the rail fence technique in which the plain text is written down as a
sequence of diagonals and then read off as a sequence of rows. For example, to encipher the
message "meet me after the toga party" with a rail fence of depth 2, we write the following:
mematrhtgpry
etefeteoaat
The encrypted message is
MEMATRHTGPRYETEFETEOAAT
This sort of thing would be trivial to cryptanalyze. A more complex scheme is to write the
message in a rectangle, row by row, and read the message off, column by column, but permute
the order of the columns. The order of the columns then becomes the key to the algorithm. For
example,
Key:         4 3 1 2 5 6 7
Plain text:  a t t a c k p
             o s t p o n e
             d u n t i l t
             w o a m x y z
Cipher text: TTNAAPTMTSUOAODWCOIXKNLYPETZ
A pure transposition cipher is easily recognized because it has the same letter frequencies as the
original plain text. For the type of columnar transposition just shown, cryptanalysis is fairly
straightforward and involves laying out the cipher text in a matrix and playing around with
column positions. Digram and trigram frequency tables can be useful.
The transposition cipher can be made significantly more secure by performing more than one
stage of transposition. The result is a more complex permutation that is not easily reconstructed.
Thus, if the foregoing message is reencrypted using the same algorithm,
Key:    4 3 1 2 5 6 7
Input:  t t n a a p t
        m t s u o a o
        d w c o i x k
        n l y p e t z
Output: NSCYAUOPTTWLTMDNAOIEPAXTTOKZ


To visualize the result of this double transposition, designate the letters in the original plain text
message by the numbers designating their position. Thus, with 28 letters in the message, the
original sequence of letters is
01 02 03 04 05 06 07 08 09 10 11 12 13 14
15 16 17 18 19 20 21 22 23 24 25 26 27 28
After the first transposition we have
03 10 17 24 04 11 18 25 02 09 16 23 01 08
15 22 05 12 19 26 06 13 20 27 07 14 21 28
which has a somewhat regular structure. But after the second transposition, we have
17 09 05 27 24 16 12 07 10 02 22 20 03 25
15 13 04 23 19 14 11 01 26 21 18 08 06 28
This is a much less structured permutation and is much more difficult to cryptanalyze.
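The single- and double-stage columnar transposition worked above, as an added Python example that is not part of the lecture notes: one routine permutes letters or position numbers alike, so it reproduces the notes' two cipher texts and both position sequences, inverts them, and checks the letter-frequency property that gives a pure transposition away. The key, plaintext and xyz padding are the notes' own; the function names are this example's.

```python
# Added example (not from the notes): keyed columnar transposition, as in
# the worked example, generalised to any sequence so the same code can
# follow plaintext positions through one and two stages.
from collections import Counter

def columnar(seq, key):
    """Write seq row by row under len(key) columns, then read the columns
    off in key order (the column labelled 1 first)."""
    n = len(key)
    assert len(seq) % n == 0, "the notes' example uses a full rectangle; pad first"
    rows = [seq[i:i + n] for i in range(0, len(seq), n)]
    order = sorted(range(n), key=lambda c: key[c])   # key[c] labels column c
    return [row[c] for c in order for row in rows]

def columnar_inverse(seq, key):
    """Undo columnar(): slice the read-off columns and put each back in place."""
    n, depth = len(key), len(seq) // len(key)
    order = sorted(range(n), key=lambda c: key[c])
    cols = [None] * n
    for k, c in enumerate(order):
        cols[c] = seq[k * depth:(k + 1) * depth]
    return [cols[c][r] for r in range(depth) for c in range(n)]

def encrypt(plaintext, key, stages=1):
    letters = list(plaintext.replace(" ", "").lower())
    for _ in range(stages):
        letters = columnar(letters, key)
    return "".join(letters).upper()

def decrypt(ciphertext, key, stages=1):
    letters = list(ciphertext.lower())
    for _ in range(stages):
        letters = columnar_inverse(letters, key)
    return "".join(letters)

def position_trace(length, key, stages):
    """Where the plaintext positions 1..length end up after `stages` transpositions."""
    positions = list(range(1, length + 1))
    for _ in range(stages):
        positions = columnar(positions, key)
    return positions

def same_letter_frequencies(plaintext, ciphertext):
    """Transposition never changes the letter multiset: this is the cryptanalyst's tell."""
    return Counter(plaintext.replace(" ", "").lower()) == Counter(ciphertext.lower())

KEY = [4, 3, 1, 2, 5, 6, 7]
PLAIN = "attack postponed until two am xyz"   # the notes' message, padded with xyz

if __name__ == "__main__":
    print(encrypt(PLAIN, KEY), encrypt(PLAIN, KEY, stages=2))
    print(position_trace(28, KEY, 1))
    print(position_trace(28, KEY, 2))
```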
1.3 Cipher Principles
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher.

A block cipher is one in which a block of plain text is treated as a whole and used to produce a
cipher text block of equal length. Typically, a block size of 64 or 128 bits is used. A block cipher
can be used to achieve the same effect as a stream cipher.

In general, block ciphers seem applicable to a broader range of applications than stream ciphers.
The vast majority of network-based symmetric cryptographic applications make use of block
ciphers. Several important symmetric block ciphers are based on a structure referred to as a
Feistel Cipher Structure.

Section 1.2 & 1.3 Review Questions


1.2.1 Describe the main requirements for the secure use of symmetric encryption.
1.2.2 What are the two basic functions used in encryption algorithms?
1.2.3 Differentiate between secret-key encryption and public-key encryption.
1.2.4 What is the difference between a block cipher and a stream cipher?
1.2.5 What are the two general approaches to attacking a cipher?
1.2.6 List and briefly define types of cryptanalytic attacks based on what is known to the attacker.
1.2.7 What is the difference between an unconditionally secure cipher and a computationally secure
cipher?
1.2.8 Why is the Caesar cipher substitution technique vulnerable to a brute-force cryptanalysis?
1.2.9 What is the difference between a monoalphabetic cipher and a polyalphabetic cipher?
1.2.10 What are two problems with the one-time pad?
1.2.11 What is a transposition cipher?


The Feistel Cipher


Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a
product cipher, which is the execution of two or more simple ciphers in sequence in such a way
that the final result or product is cryptographically stronger than any of the component ciphers.
The essence of the approach is to develop a block cipher with a key length of k bits and a block
length of n bits, allowing a total of 2^k possible transformations, rather than the (2^n)!
transformations available with the ideal block cipher. In particular, Feistel proposed the use of a
cipher that alternates substitutions and permutations.

Feistel Cipher Structure


The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The
plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through n
rounds of processing and then combine to produce the ciphertext block. Each round i has as
inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki, derived from the
overall K. In general, the subkeys Ki are different from K and from each other and are generated
from the key by a subkey generation algorithm.

Figure 1.1: Feistel Encryption and Decryption (16 rounds)


All rounds have the same structure. A substitution is performed on the left half of the data. This
is done by applying a round function F to the right half of the data and then taking the exclusive-
OR of the output of that function and the left half of the data. The round function has the same
general structure for each round but is parameterized by the round subkey Ki. Following this
substitution, a permutation is performed that consists of the interchange of the two halves of the
data. The exact realization of a Feistel network depends on the choice of the following
parameters and design features:

• Block size: Larger block sizes mean greater security (all other things being equal) but
  reduced encryption/decryption speed for a given algorithm.
• Key size: Larger key size means greater security but may decrease encryption/decryption
  speed. The greater security is achieved by greater resistance to brute-force attacks and
  greater confusion. Key sizes of 64 bits or less are now widely considered to be
  inadequate, and 128 bits has become a common size.
• Number of rounds: The essence of the Feistel cipher is that a single round offers
  inadequate security but that multiple rounds offer increasing security. A typical size is 16
  rounds.
• Subkey generation algorithm: Greater complexity in this algorithm should lead to
  greater difficulty of cryptanalysis.
• Round function: Again, greater complexity generally means greater resistance to
  cryptanalysis.
There are two other considerations in the design of a Feistel cipher:
• Fast software encryption/decryption: In many cases, encryption is embedded in
  applications or utility functions in such a way as to preclude a hardware implementation.
  Accordingly, the speed of execution of the algorithm becomes a concern.
• Ease of analysis: Although we would like to make our algorithm as difficult as possible
  to cryptanalyze, there is great benefit in making the algorithm easy to analyze. That is, if
  the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm
  for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its
  strength. DES, for example, does not have an easily analyzed functionality.
Decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as
follows: Use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order.
That is, use Kn in the first round, Kn-1 in the second round, and so on until K1 is used in the last
round. This is a nice feature because it means we need not implement two different algorithms,
one for encryption and one for decryption.
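An added toy Feistel network in Python (not the notes' code and not DES) that makes the round rule and the reversed-subkey decryption concrete. Its round function F and rotate-and-mask key schedule are stand-ins assumed for illustration; it also shows why a single round is inadequate, since the right half of the plaintext appears unchanged as the low half of a one-round cipher text.

```python
# Added toy Feistel network (not the notes' or DES's code).  Round i computes
#   L_i = R_{i-1},   R_i = L_{i-1} XOR F(R_{i-1}, K_i)
# and decryption runs the identical loop with the subkeys in reverse order.
# F and the key schedule below are stand-ins assumed for illustration only.
W = 32                        # w: half-block width in bits, so the block is 2w = 64 bits
MASK = (1 << W) - 1
KEY_MASK = (1 << 2 * W) - 1   # the toy master key K is 64 bits

def subkeys(key, rounds):
    """Toy schedule: rotate K left 7 bits per round and keep the low w bits as K_i."""
    ks = []
    for _ in range(rounds):
        key = ((key << 7) | (key >> (2 * W - 7))) & KEY_MASK
        ks.append(key & MASK)
    return ks

def F(right, k):
    """Toy round function: a nonlinear mix of the right half with the round subkey."""
    x = (right ^ k) & MASK
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK   # arbitrary odd multiplier and addend
    return x ^ (x >> 15)

def feistel(block, round_keys):
    """Run the rounds on a 2w-bit block.  Halves are swapped after every round;
    the swap after the last round is undone, so one loop serves both directions."""
    L, R = block >> W, block & MASK
    for k in round_keys:
        L, R = R, L ^ F(R, k)
    return (R << W) | L          # output (R_n, L_n): the final swap is undone

def encrypt(block, key, rounds=16):
    return feistel(block, subkeys(key, rounds))

def decrypt(block, key, rounds=16):
    # same algorithm, subkeys applied as K_n, K_n-1, ..., K_1
    return feistel(block, subkeys(key, rounds)[::-1])

if __name__ == "__main__":
    k, p = 0x0123456789ABCDEF, 0x4E6F772069732074   # constructed sample key and block
    c = encrypt(p, k)
    print(hex(c), decrypt(c, k) == p)
```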

1.4 Data Encryption Standard - Block Cipher Design Principles and Modes of Operation
Data Encryption Standard
The most widely used encryption scheme is based on the Data Encryption Standard (DES)
adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards
and Technology (NIST), as Federal Information Processing Standard 46 (FIPS PUB 46). The
algorithm itself is referred to as the Data Encryption Algorithm (DEA).

DES Encryption
The Data Encryption Standard (DES) was designed to encipher sensitive but non-classified data.
Over the years, DES became the dominant symmetric encryption algorithm, especially in
financial applications. DES is one of the most important classical cryptosystems in the history of
cryptography. The DES algorithm is a careful and complex combination of two fundamental
building blocks of encryption, substitution and transposition; for that reason it is sometimes
referred to as a product cipher. The algorithm derives its strength from repeated application of
these two techniques, one on top of the other, for a total of 16 cycles. This algorithm uses a
single key to encode and decode messages. DES is a so-called secret key cipher.

The overall scheme for DES encryption is illustrated in Figure 1.2. As with any encryption
scheme, there are two inputs to the encryption function: the plaintext to be encrypted and the
key. In this case, the plaintext must be 64 bits in length and the key is 56 bits in length.
(Actually, the function expects a 64-bit key as input. However, only 56 of these bits are ever
used; the other 8 bits can be used as parity bits or simply set arbitrarily.) The user can change the
key at will any time there is uncertainty about the security of the old key.

Looking at the left-hand side of Figure 1.2, we can see that the processing of the plaintext
proceeds in three phases.

Phase 1: The 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to
produce the permuted input.
Phase 2: A phase consisting of 16 rounds of the same function, which involves both permutation
and substitution functions. The output of the last (sixteenth) round consists of 64 bits
that are a function of the input plaintext and the key. The left and right halves of the
output are swapped to produce the preoutput.
Phase 3: The preoutput is passed through a permutation (IP^-1) that is the inverse of the initial
permutation function, to produce the 64-bit ciphertext.


Figure 1.2: General Depiction of DES Encryption Algorithm


With the exception of the initial and final permutations, DES has the exact structure of a Feistel
cipher, as shown in Figure 1.1.

The right-hand portion of Figure 1.2 shows the way in which the 56-bit key is used. Initially, the
key is passed through a permutation function. Then, for each of the 16 rounds, a subkey (Ki) is
produced by the combination of a left circular shift and a permutation. The permutation function
is the same for each round, but a different subkey is produced because of the repeated shifts of
the key bits.

DES Decryption
As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the
application of the subkeys is reversed. Additionally, the initial and final permutations are
reversed.
Block Cipher Design Principles
Although much progress has been made in designing block ciphers that are cryptographically
strong, the basic principles have not changed all that much since the work of Feistel and the DES
design team in the early 1970s. In this section we look at three critical aspects of block cipher
design: the number of rounds, design of the function F, and key scheduling.

i. Number of Rounds


The cryptographic strength of a Feistel cipher derives from three aspects of the design: the
number of rounds, the function F, and the key schedule algorithm. Let us look first at the choice
of the number of rounds.

The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a
relatively weak F. In general, the criterion should be that the number of rounds is chosen so that
known cryptanalytic efforts require greater effort than a simple brute-force key search attack.
This criterion was certainly used in the design of DES. Schneier [SCHN96] observes that for
16-round DES, a differential cryptanalysis attack is slightly less efficient than brute force: the
differential cryptanalysis attack requires 2^55.1 operations, whereas brute force requires 2^55. If
DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a
brute-force key search.

This criterion is attractive, because it makes it easy to judge the strength of an algorithm and to
compare different algorithms. In the absence of a cryptanalytic breakthrough, the strength of any
algorithm that satisfies the criterion can be judged solely on key length.

ii. Design of Function F


The heart of a Feistel block cipher is the function F, which provides the element of confusion in
a Feistel cipher. Thus, it must be difficult to “unscramble” the substitution performed by F. One
obvious criterion is that F be nonlinear. The more nonlinear F, the more difficult any type of
cryptanalysis will be. There are several measures of nonlinearity. In rough terms, the more
difficult it is to approximate F by a set of linear equations, the more nonlinear F is.

iii. Key Schedule Algorithm


With any Feistel block cipher, the key is used to generate one subkey for each round. In general,
we would like to select subkeys to maximize the difficulty of deducing individual subkeys and
the difficulty of working back to the main key. No general principles for this have yet been
promulgated.

1.5 Evaluation criteria for AES - AES Cipher - Triple DES

Advanced Encryption Standard

The Advanced Encryption Standard (AES) was published by the National Institute of Standards
and Technology (NIST) in 2001. AES is a symmetric block cipher that is intended to replace
DES as the approved standard for a wide range of applications. Compared to public-key ciphers
such as RSA, the structure of AES and most symmetric ciphers is quite complex and cannot be
explained as easily as many other cryptographic algorithms. Accordingly, the reader may wish to
begin with a simplified version of AES. This version allows the reader to perform encryption and
decryption by hand and gain a good understanding of the working of the algorithm details.
Classroom experience indicates that a study of this simplified version enhances understanding of
AES.

Evaluation criteria for AES

It is worth examining the criteria used by NIST to evaluate potential candidates. These criteria
span the range of concerns for the practical application of modern symmetric block ciphers. In
fact, two sets of criteria evolved. The three categories of criteria were as follows:

• Security: This refers to the effort required to cryptanalyze an algorithm. The emphasis in
  the evaluation was on the practicality of the attack. Because the minimum key size for AES
  is 128 bits, brute-force attacks with current and projected technology were considered
  impractical. Therefore, the emphasis, with respect to this point, is cryptanalysis other than a
  brute-force attack.

• Cost: NIST intends AES to be practical in a wide range of applications. Accordingly, AES
  must have high computational efficiency, so as to be usable in high-speed applications, such
  as broadband links.

• Algorithm and implementation characteristics: This category includes a variety of
  considerations, including flexibility; suitability for a variety of hardware and software
  implementations; and simplicity, which will make an analysis of security more
  straightforward.

Triple DES

In 1999, NIST issued a new version of its DES standard (FIPS PUB 46-3) that indicated that
DES should only be used for legacy systems and that triple DES (3DES) be used. 3DES has two
attractions that assure its widespread use over the next few years. First, with its 168-bit key
length, it overcomes the vulnerability to brute-force attack of DES. Second, the underlying
encryption algorithm in 3DES is the same as in DES. This algorithm has been subjected to more
scrutiny than any other encryption algorithm over a longer period of time, and no effective
cryptanalytic attack based on the algorithm rather than brute force has been found. Accordingly,
there is a high level of confidence that 3DES is very resistant to cryptanalysis. If security were
the only consideration, then 3DES would be an appropriate choice for a standardized encryption
algorithm for decades to come.


The principal drawback of 3DES is that the algorithm is relatively sluggish in software. The
original DES was designed for mid-1970s hardware implementation and does not produce
efficient software code. 3DES, which has three times as many rounds as DES, is correspondingly
slower. A secondary drawback is that both DES and 3DES use a 64-bit block size. For reasons of
both efficiency and security, a larger block size is desirable.

Because of these drawbacks, 3DES is not a reasonable candidate for long-term use. As a
replacement, NIST in 1997 issued a call for proposals for a new Advanced Encryption Standard
(AES), which should have security strength equal to or better than 3DES and significantly
improved efficiency. In addition to these general requirements, NIST specified that AES must be
a symmetric block cipher with a block length of 128 bits and support for key lengths of 128, 192,
and 256 bits.

Ultimately, AES is intended to replace 3DES, but this process will take a number of years. NIST
anticipates that 3DES will remain an approved algorithm (for U.S. government use) for the
foreseeable future.
