Unit II CNS


Session: 2023 – 2024

Subject: Cryptography and network Security


Semester: VII Unit : II

Syllabus: Introduction to Secret key and cryptography, Encrypt given messages using DES, AES, IDEA,
Problems on cryptography algorithms, Principles, finite fields, stream cipher, block cipher modes of operation,
DES, Triple DES, AES, IDEA, RC5, key distribution.

Private key /Secret key

Definition
In cryptography, a private or secret key is an encryption/decryption key known only to the parties that
exchange secret messages.
In traditional secret key cryptography, a key would be shared by the communicators so that each could
encrypt and decrypt messages.
Given a message (called plaintext) and the key, encryption produces unintelligible data, the "ciphertext",
which is about the same length as the plaintext was. Decryption is the reverse of encryption, and uses
the same key as encryption.
Secret key cryptography involves the use of a single key.
The risk in this system is that if either party loses the key or it is stolen, the system is broken.
Secret key cryptography is sometimes referred to as conventional cryptography or symmetric
cryptography.

JIT/Dept. of CSE/ Page 1


Symmetric Key Distribution using symmetric Encryption

1. In symmetric encryption - the two parties to an exchange must share the same key, and that key
must be protected from access by others.
2. Frequent key changes are usually desirable to limit the amount of data compromised if an attacker
learns the key.
3. Therefore, the strength of any cryptographic system rests with the key distribution technique, a term
that refers to the means of delivering a key to two parties who wish to exchange data without
allowing others to see the key.
4. For two parties A and B, key distribution can be achieved in a number of ways, as follows -
i. A can select a key and physically deliver it to B.
ii. A third party can select the key and physically deliver it to A and B.
iii. If A and B have previously and recently used a key, one party can transmit the new
key to the other, encrypted using the old key.
iv. If A and B each has an encrypted connection to a third party C, C can deliver a key on
the encrypted links to A and B.

• Options (i) and (ii) call for manual delivery of a key. For link encryption, this is a reasonable
requirement, because each link encryption device is going to be exchanging data only with its partner
on the other end of the link.

• For end-to-end encryption over a network, manual delivery is not desirable. In a distributed
system, any given host or terminal may need to engage in exchanges with many other hosts and
terminals over time.
Thus, each device needs a number of keys supplied dynamically.
• If end-to-end encryption is done at a network or IP level, then a key is needed for each pair of hosts
on the network that wish to communicate.
• Option (iii) is a possibility for either link encryption or end-to-end encryption, but if an attacker ever
succeeds in gaining access to one key, then all subsequent keys will be revealed.
• Option (iv) refers to a scenario where a key distribution center is responsible for distributing keys
to pairs of users (hosts, processes, applications) as needed. Each user must share a unique key with
the key distribution center for purposes of key distribution.

Groups, Rings, and Fields


❑ Groups, rings, and fields are the fundamental elements of a branch of mathematics known as abstract
algebra, or modern algebra.
❑ In abstract algebra, we are concerned with sets on whose elements we can operate algebraically; that
is, we can combine two elements of the set, in several ways, to obtain a third element of the set.

Groups
❑ A group is denoted by -
❑ A group is a set of elements with a binary operation denoted by "." that associates to each
ordered pair (a, b) of elements in G an element (a . b) in G, such that the following axioms are
obeyed



❑ If a group has a finite number of elements, it is referred to as a finite group.

❑ The order of the group is equal to the number of elements in the group.

❑ If a group has an infinite number of elements, the group is an infinite group.

❑ A group is said to be abelian if it satisfies the following additional condition –

❑ When the group operation is addition, the identity element is 0; the inverse element of a is – a;
and subtraction is defined with the following rule

Fields

❑ A field is denoted by –

❑ Field is a set of elements with two binary operations, called addition and multiplication, such
that for all a,b,c in F the following axioms are obeyed –

❑ A field is a set in which we can do addition, subtraction, multiplication, and division without
leaving the set. Division is defined with the following rule: a/b = a(b^-1)

Stream Cipher

• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.

• A stream cipher is a symmetric encryption algorithm in which ciphertext output is produced bit-
by-bit or byte-by-byte from a stream of plaintext input. The most widely used such cipher is
RC4.



• Examples of classical stream ciphers are the Vigenère cipher, the Vernam cipher & One-Time
Pad cipher.
• Stream Cipher
– Using Algorithmic bit stream generator
– Using pseudorandom number generator

• Figure above is a diagram of stream cipher structure using pseudorandom number generator.
• In this structure, a key is input to a pseudorandom bit generator that produces a stream of 8-bit
numbers that are apparently random. The output of the generator, called a keystream, is
combined one byte at a time with the plaintext stream using the bitwise exclusive-OR (XOR)
operation.
• Following are the important design considerations for a stream cipher –
– The encryption sequence should have a large period. A pseudorandom number generator
uses a function that produces a deterministic stream of bits that eventually repeats.
The longer the period of repeat, the more difficult it will be to do cryptanalysis.
– The keystream should have the properties of a true random number stream. For
example, there should be an approximately equal number of 1s and 0s.



– To guard against brute-force attacks, the key (provided to the generator) needs to be
sufficiently long.
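The period consideration above can be made concrete with an added example (not part of the original notes). The 8-bit linear congruential generator and its parameters are a constructed toy, not a real cipher: its keystream repeats every 256 bytes, so ciphertext bytes one period apart XOR to the XOR of the corresponding plaintext bytes, with the key cancelled out.

```python
# Toy stream cipher with a deliberately short keystream period.
# The generator (a, c, m values) is a constructed illustration, not a real design.

def lcg_keystream(seed, n, a=5, c=3, m=256):
    """Return n keystream bytes from state -> (a*state + c) mod m."""
    out, state = [], seed % m
    for _ in range(n):
        state = (a * state + c) % m
        out.append(state)
    return bytes(out)

def xor_bytes(x, y):
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(p ^ q for p, q in zip(x, y))

def encrypt(seed, data):
    """Encrypt or decrypt: XOR the data with the keystream (same operation both ways)."""
    return xor_bytes(data, lcg_keystream(seed, len(data)))

def keystream_period(seed, limit=1024):
    """Smallest p for which the first p keystream bytes immediately repeat."""
    ks = lcg_keystream(seed, limit)
    for p in range(1, limit // 2 + 1):
        if ks[:p] == ks[p:2 * p]:
            return p
    return None

def period_leak(ciphertext, period):
    """XOR ciphertext with itself shifted by one period: the keystream cancels."""
    return xor_bytes(ciphertext[:-period], ciphertext[period:])

if __name__ == "__main__":
    pt = b"A" * 256 + b"constructed sample plaintext"   # constructed input
    ct = encrypt(0x42, pt)
    print(keystream_period(0x42), period_leak(ct, 256))
```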

Block Cipher

• A block cipher is one in which a block of plaintext is treated as a whole and used to produce a
ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.
• When multiple blocks of plaintext are encrypted using the same key, a number of security issues
arise.
• A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or
adapting the algorithm for an application, such as applying a block cipher to a sequence of data
blocks or a data stream.
• To apply a block cipher in a variety of applications, five modes of operation have been defined –



Data Encryption Standard (DES)

❑ The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National
Institute of Standards and Technology (NIST).



❑ Encrypts 64-bit data using 56-bit key and has widespread use.

❑ S-DES encryption (decryption) algorithm takes 8-bit block of plaintext (ciphertext) and a 10-bit
key, and produces 8-bit ciphertext (plaintext) block.
❑ Encryption algorithm involves 5 functions
– an initial permutation (IP);
– a complex function fK, which involves both permutation and substitution and depends on
a key input;
– a simple permutation function that switches (SW) the 2 halves of the data;
– the function fK again;
– a permutation function that is the inverse of the initial permutation (IP^-1).



❑ The function fK takes an 8-bit subkey; two such subkeys are derived from the initial 10-bit key. The key
is first subjected to a permutation P10. Then a shift operation is performed.
❑ The output of the shift operation then passes through a permutation function that produces an 8-bit
output (P8) for the first subkey (K1).
❑ The output of the shift operation also feeds into another shift and another instance of P8 to
produce the 2nd subkey K2.
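The S-DES key generation and the five-function encryption described above, as an added example (not part of the original notes). The permutation tables, S-boxes and shift amounts (1, then 2) are not listed on this page; they are taken from the standard textbook definition of S-DES, and blocks and keys are written as bit strings for readability.

```python
# S-DES tables from the standard textbook definition (assumed; not given on this page).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(bits, table):
    """Apply a 1-indexed permutation/expansion table to a bit string."""
    return "".join(bits[i - 1] for i in table)

def rotl(half, n):
    """Circular left shift of a bit string by n positions."""
    return half[n:] + half[:n]

def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def sbox(box, nib):
    """Row = bits 1 and 4, column = bits 2 and 3; output is 2 bits."""
    return format(box[int(nib[0] + nib[3], 2)][int(nib[1] + nib[2], 2)], "02b")

def subkeys(key10):
    """P10, shift by 1, P8 -> K1; shift by 2 more, P8 -> K2."""
    p = permute(key10, P10)
    l, r = rotl(p[:5], 1), rotl(p[5:], 1)
    k1 = permute(l + r, P8)
    l, r = rotl(l, 2), rotl(r, 2)
    return k1, permute(l + r, P8)

def f_k(bits, sk):
    """Mix the right half with the subkey and XOR the result into the left half."""
    l, r = bits[:4], bits[4:]
    t = xor(permute(r, EP), sk)
    return xor(l, permute(sbox(S0, t[:4]) + sbox(S1, t[4:]), P4)) + r

def sdes(block8, key10, decrypt=False):
    """IP, fK(K1), SW, fK(K2), IP^-1; decryption swaps the subkey order."""
    k1, k2 = subkeys(key10)
    if decrypt:
        k1, k2 = k2, k1
    x = f_k(permute(block8, IP), k1)
    x = f_k(x[4:] + x[:4], k2)          # SW: swap the two 4-bit halves
    return permute(x, IP_INV)

if __name__ == "__main__":
    print(subkeys("1010000010"), sdes("10010111", "1010000010"))
```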

Advanced Encryption Standard (AES)

The algorithm begins with an Add Round Key stage followed by 9 rounds of four stages and a
tenth round of three stages. This applies for both encryption and decryption with the exception
that each stage of a round in the decryption algorithm is the inverse of its counterpart in the
encryption algorithm.

❑ The data block, 4 columns of 4 bytes, is called the state. The key is expanded into an array of words.


❑ The four stages in encryption algorithm are as follows -
1. Substitute bytes
2. Shift rows
3. Mix Columns
4. Add Round Key
❑ The tenth round simply leaves out the Mix Columns stage.
❑ The first nine rounds of the decryption algorithm consist of the following -
1. Inverse Shift rows
2. Inverse Substitute bytes
3. Inverse Add Round Key
4. Inverse Mix Columns
❑ Again, the tenth round simply leaves out the Inverse Mix Columns stage.

AES Key Expansion

❑ Takes a 128-bit (16-byte) key and expands it into an array of 44/52/60 32-bit words

❑ The AES key expansion algorithm takes as input a 4-word key. Each word contains 32 bits
which means each subkey is 128 bits long.

❑ The key is copied into the first four words of the expanded key.

❑ Each added word w[i] depends on the immediately preceding word, w[i − 1], and the word four
positions back w[i − 4].

❑ In three out of four cases, a simple XOR is used. For a word whose position in the w array is a
multiple of 4, a more complex function is used. The function g consists of the following
subfunctions -

RotWord performs a one-byte circular left shift on a word. This means that an input word
[b0, b1, b2, b3] is transformed into [b1, b2, b3, b0].

SubWord performs a byte substitution on each byte of its input word, using the S-box
described earlier. The result of steps 1 and 2 is XORed with a round constant.
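The key expansion described above, as an added example (not part of the original notes). It goes beyond the 128-bit case in the text by also handling 192- and 256-bit keys (52 and 60 words), and it derives the S-box from the GF(2^8) inverse and affine map of FIPS-197 rather than embedding the table; the function names are this example's own.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """S-box entry = affine transform of the multiplicative inverse (0 maps to 0)."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def aes_expand_key(key):
    """Return the expanded key as a list of 32-bit words (hex strings)."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nk = len(key) // 4                      # key length in words
    total = 4 * (nk + 6 + 1)                # 44, 52 or 60 words
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, total):
        t = list(w[i - 1])
        if i % nk == 0:                     # function g
            t = t[1:] + t[:1]               # RotWord
            t = [SBOX[b] for b in t]        # SubWord
            t[0] ^= rcon                    # XOR with round constant
            rcon = gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:        # extra SubWord, 256-bit keys only
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - nk], t)])
    return [bytes(word).hex() for word in w]

if __name__ == "__main__":
    # Key from the FIPS-197 key expansion example.
    words = aes_expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    print(len(words), words[4], words[43])
```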

International Data Encryption Algorithm

❑ The block cipher IDEA encrypts a 64-bit block of plaintext into a 64-bit block of ciphertext under
the control of a 128-bit key. The algorithm consists of eight identical rounds plus a half round
for output transformation.

❑ The fundamental design in IDEA is the mixing of three incompatible algebraic
groups: bit-by-bit XOR, addition modulo 2^16, and multiplication modulo 2^16 + 1.

❑ The plain text is a fixed size (64-bit block) that is divided into four 16-bit blocks (X1|| X2|| X3||
X4). The key is a 128-bit block that is divided into eight 16-bit sub keys.

❑ The division into 16 bits is because all of the algebraic operations used in the encryption and
decryption process operate on 16-bit numbers. The last output round uses four 16-bit sub keys.

❑ Each round uses six 16-bit sub keys and the remaining two sub keys are used in the next round
by implementing left shifting by 25 positions. The total number of sub keys is 52 (52 = 8 rounds * 6 sub keys
+ 4 sub keys for the output transformation).

❑ The following steps are the encryption process in each round –

1. First multiplication between X1 and the first sub key Z1.



2. Addition operation of X2 with the second sub key Z2

3. Addition operation between X3 and the third sub-key Z3

4. Second multiplication between X4 and the fourth sub-key Z4

5. Calculating Bitwise XOR from the results of steps 1 and 3.

6. Calculating Bitwise XOR from the results of steps 2 and 4.

❑ The decryption process is an essential process that is applied on cipher text to transform it into
the original message (plaintext). The computational process for the decryption is the same as that
used for the encryption of the plain text. The difference compared to the encryption is that the
16-bit subkeys are generated in reverse order.

RC5 Ciphers

❑ RC5 is a family of ciphers RC5-w/r/b

❑ w = word size in bits (16/32/64). Encrypts 2w-bit data blocks

❑ r = number of rounds (0..255)

❑ b = number of bytes in the key (0..255)

❑ nominal version is RC5-32/12/16

❑ i.e. 32-bit words, so it encrypts 64-bit data blocks

❑ using 12 rounds

❑ with 16 bytes (128-bit) secret key

RC5 Key Expansion

❑ RC5 uses t=2r+2 subkey words (w-bits)

❑ subkeys are stored in array S[i], i=0..t-1

❑ then the key schedule consists of

❑ initializing S to a fixed pseudorandom value, based on constants e and phi

❑ the byte key is copied into a c-words array L

❑ a mixing operation then combines L and S to form the final S array



RC5 Encryption

❑ Three main operations are used, along with their inverses: addition mod 2^w, XOR, and circular left shift (<<<).

❑ split input into two halves A & B (w-bits each)

❑ L_0 = A + S[0];

❑ R_0 = B + S[1];

❑ for i = 1 to r do

❑ L_i = ((L_{i-1} XOR R_{i-1}) <<< R_{i-1}) + S[2 x i];

❑ R_i = ((R_{i-1} XOR L_i) <<< L_i) + S[2 x i + 1];

❑ each round is like 2 DES rounds

❑ note rotation is main source of non-linearity

❑ need reasonable number of rounds (eg 12-16)
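The key expansion and round structure above for the nominal RC5-32/12/16, as an added example (not part of the original notes). The constants P32 and Q32 (derived from e and phi) and the mixing loop follow Rivest's published RC5 description; the variables a and b play the roles of L_i and R_i, and the function names are this example's own.

```python
W, R = 32, 12                       # word size in bits, number of rounds
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9   # constants derived from e and phi

def rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK

def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK

def rc5_expand_key(key):
    """Build the t = 2r + 2 subkey words S from a byte-string key."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):       # copy key bytes into c words
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * R + 2
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    a = b = i = j = 0
    for _ in range(3 * max(t, c)):              # mix L into S
        a = S[i] = rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = rotl((L[j] + a + b) & MASK, a + b)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt_block(a, b, S):
    a, b = (a + S[0]) & MASK, (b + S[1]) & MASK
    for i in range(1, R + 1):
        a = (rotl(a ^ b, b) + S[2 * i]) & MASK
        b = (rotl(b ^ a, a) + S[2 * i + 1]) & MASK
    return a, b

def rc5_decrypt_block(a, b, S):
    """Apply the inverse of each operation, in reverse order."""
    for i in range(R, 0, -1):
        b = rotr((b - S[2 * i + 1]) & MASK, a) ^ a
        a = rotr((a - S[2 * i]) & MASK, b) ^ b
    return (a - S[0]) & MASK, (b - S[1]) & MASK

if __name__ == "__main__":
    S = rc5_expand_key(bytes(16))               # all-zero 128-bit key
    print([hex(x) for x in rc5_encrypt_block(0, 0, S)])
```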



RC5 Modes

❑ 4 modes used by RC5 –

❑ RC5 Block Cipher, is ECB mode

❑ RC5-CBC, is CBC mode

❑ RC5-CBC-PAD, is CBC with padding by bytes with value being the number of
padded bytes

❑ RC5-CTS, a variant of CBC which is the same size as the original message, uses
ciphertext stealing to keep size same as original
