Lecture 2- Symmetric-Key-Encryption


CS5285

Information Security for eCommerce

Dr. Gerhard Hancke


CS Department
City University of Hong Kong

Reminder of last week
❑ Information security
o Basic concepts and terminology
o Threats, services, mechanisms, algorithms
❑ Where to find countermeasures and mechanisms?
o What is a standard? Good and bad aspects.
o Standard bodies
o Internet/company standards

Today’s Lecture
❑ Confidentiality
o Symmetric key encryption mechanisms
❑ CILO2 and CILO5
(technology that impacts systems, and
security mechanisms)

Cryptographic Tools:

Symmetric Key Encryption

Symmetric Key Encryption 4


Crypto – a brief introduction
❑ Cryptology ⎯ The art and science of making and breaking
“secret codes”
❑ Cryptography ⎯ making “secret codes”
o ychrpyaprtgo
o C=MK
❑ Cryptanalysis ⎯ breaking “secret codes”
o ychrpyaprtgo is cracked to ______________, QED.
❑ Crypto ⎯ all of the above (and more)
o More on non-repudiation (signature), authentication,
identification, zero-knowledge, commitment, and more…
o Any reference books?... Bruce Schneier’s Applied Cryptography, Handbook
of Applied Cryptography, Introduction to Modern Cryptography



"The history of codes and ciphers
is the story of the centuries-old
battle between codemakers and
codebreakers, an intellectual arms
race that has had a dramatic
impact on the course of history."
– Simon Singh, The Code Book

Cryptography – Part I 6
• A symmetric-key cipher or cryptosystem is used for encrypting/decrypting a
plaintext/ciphertext
• The same key is used for encrypting and decrypting

[Figure: Alice sends a message to Bob; an eavesdropper on the channel attempts cryptanalysis. Labels: plaintext, key]


Cryptanalysis
Basic assumptions
o The system is completely known to the attacker
o Only the key is secret
o Also known as Kerckhoffs Principle
o Crypto algorithms are not secret
o No “security through obscurity”

Objective of an attacker
o Identify secret key used to encrypt a ciphertext
o (OR) recover the plaintext of a ciphertext without the
secret key



Examples of (Classical) Symmetric Key Encryption
Algorithms – Classical Cryptography
Ciphertexts:
1. IRXUVFRUHDQGVHYHQBHDUVDJR
2. VSRQJHEREVTXDUHSDQWV
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Caesar Cipher
• Famous early use of cryptography was by the Roman Emperor Julius Caesar
• Caesar cipher (a.k.a. shift cipher) is a type of substitution cipher
• Cipher algorithm: each letter in the plain alphabet is replaced with the letter
n places further on in the alphabet
• Key: n, the number of letters to shift



Example
❑ Plain letters are written in lower case and
cipher letters in UPPER CASE
❑ Key is 3

abcdefghijklmnopqrstuvwxyz
DEFGHIJKLMNOPQRSTUVWXYZABC
❑ Write out plain message: hello everyone
❑ encipher each letter in turn by looking for the
corresponding letter in the cipher translation
table.
❑ This gives the ciphertext message:
KHOOR HYHUBRQH
So as long as the message recipient
knows the key – how many letters you
have shifted the alphabet by – they can
build the cipher alphabet and decipher
the message by going through the
cipher algorithm in reverse.
KHOOR HYHUBRQH

hello everyone
Other simple substitution ciphers
❑ Caesar cipher has only 25 possible
cipher alphabets
❑ Wouldn’t take long to try them all
❑ Other cipher systems use less regular
methods for generating alphabets
❑ Must still have a key to generate an
alphabet the recipient can reproduce
Example
❑ Take as your key a favourite quote.
❑ For example, take:
“pure mathematics is, in its way, the
poetry of logical ideas”
❑ First strip out repeating letters so
each letter is unique
pure mathematics is, in its way,

pure*math****ics **, *n *** w*y,

the poetry of logical ideas


*** ****** of l*g**** *d***

puremathicsnwyoflgd
❑ Fill in this sequence as the start of your
cipher alphabet.
a b c d e f g h i j k l m n o p q r s t u v w x y z
P U R E M A T H I C S N W Y O F L G D Z X V Q K J B
❑ Fill up the alphabet with the letters which
have not been used, in some systematic order
(here we have used reverse alphabetical
order)
❑ This cipher alphabet is less predictable than
the Caesar cipher, yet it is still simple for
both sender and receiver to generate,
provided they know the key phrase
Simple Substitution: each plaintext letter is substituted by
a distinct ciphertext letter
EIMBULJIWLNYANJMVLIURAHIWAI
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

DEPARTMENTOFCOMPUTERSCIENCE



An example of simple substitution…



An Example

Ciphertext (encrypted using simple substitution)


PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAX
BVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJ
VWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFA
GFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODX
QHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQP
QJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUV
WFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEF
ZQWGFLVWPTOFFA



Question: how secure is Simple Substitution?

Let’s do some analysis…



• A secret key (in Simple Substitution) is a random permutation of the alphabetic
characters.
• E.g.

• Each permutation is a potential candidate of the secret key

• Question: how many distinct permutations are there? (in other words,
how many distinct secret keys are in the key space?)



• Total number of possible permutations: 26!
• 26! = 403,291,461,126,605,635,584,000,000 (27 digits) ≈ $2^{88}$

• Maybe… write a computer program to try all the possible keys exhaustively… (so-called Brute-force Attack)

• Calculation: suppose we have one million 3GHz PCs which can try 3
billion permutations per second, the machines will take 4,263 years to
try all the 26! permutations…
• Not so efficient

• Question: any better cracking algorithm?



Cracking substitution ciphers
❑ In the eighth century AD, Islamic culture
entered a golden age
❑ The most learned society of its time
❑ Cryptography was routinely used for matters
of state
❑ This led to the development of cryptanalysis,
with scholars using a combination of
mathematics, statistics and linguistics to
develop techniques for deciphering messages
when the key is unknown
Letter frequencies
❑ In studies of the text of the Qur’an,
scholars had noticed that some letters
appear more frequently than others
❑ In English the letters e and t are used
much more frequently than the letters z
and q, and this fact can be used to
decipher messages
❑ This process is called frequency analysis
Statistical Attack / Frequency Analysis
• An interesting observation on simple substitution: the relative
letter frequencies do not change during encryption
• Average letter frequencies in English (Beker and Piper, 1982)

letter frequency letter frequency


A .082 N .067
B .015 O .075
C .028 P .019
D .043 Q .001
E .127 R .060
F .022 S .063
G .020 T .091
H .061 U .028
I .070 V .010
J .002 W .023
K .008 X .001
L .040 Y .020
M .024 Z .001



Further frequency analysis
❑ Pairs of letters in words are most
likely to be: “ss”, “ee”, “tt”, “ff”, “ll”,
“mm” or “oo”.
❑ A one letter word is either “a” or “I”.
❑ Two letter words are commonly: “of”,
“to”, “in”, “it”, “is”, “be”, “as”, “at”, “so”,
“we”, “he”, “by”, “or”, “on” or “do”, in
that order.
Further frequency analysis
❑ Three letter words are commonly
“the” or “and”.
❑ The letter h frequently goes before e
(as in “he”, “the”, “then”, etc.) but
rarely goes after e. No other pair of
letters has such an asymmetric
relationship.
Further frequency analysis
❑ Another technique is to use a crib,
which is a word or phrase you can
guess will be in the message
Example
NKRRU NKXK OY G ZKYZ
SKYYGMK ZU KTIOVNKX LUX AYK
GY GT KDGSVRK OT GT GXZOIRK
LUX OYWAGXKJ SGMGFOTK

Mapping so far: a → G, e → K
Example
NeRRU NeXe OY a ZeYZ
SeYYaMe ZU eTIOVNeX LUX AYe
aY aT eDaSVRe OT aT aXZOIRe
LUX OYWAaXeJ SaMaFOTe

With N as h:
heRRU heXe OY a ZeYZ
SeYYaMe ZU eTIOVheX LUX AYe
aY aT eDaSVRe OT aT aXZOIRe
LUX OYWAaXeJ SaMaFOTe

Mapping so far: a → G, e → K, h → N
Example
hello heXe OY a ZeYZ
meYYaMe Zo eTIOpheX LoX AYe
aY aT example OT aT aXZOIle
LoX OYWAaXeJ maMaFOTe
❑ Notice all the letters are in alphabetical
positions?
Mapping so far: a → G, e → K, h → N, l → R, m → S, o → U, p → V, x → D
Example
hello here is a test
message to encipher for use
as an example in an article
for isquared magazine
❑ Could this be a Caesar cipher?

a b c d e f g h i j k l m n o p q r s t u v w x y z
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
Knowing the key is 6, you can now
decipher future messages from your
enemy. Be careful what information you
act on though – if you seem too knowing
your enemy might get suspicious and
change their key or algorithm!
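The manual analysis above can be automated. The following is an added example, not part of the original slides: it scores each of the 26 Caesar shifts of the example ciphertext against the letter-frequency table given earlier, using a chi-squared statistic (the choice of statistic and all function names are assumptions of this example).

```python
from math import inf
from string import ascii_lowercase, ascii_uppercase

# Average English letter frequencies a..z, copied from the table above
# (Beker and Piper, 1982).
ENGLISH_FREQ = dict(zip(ascii_lowercase, [
    .082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040, .024,
    .067, .075, .019, .001, .060, .063, .091, .028, .010, .023, .001, .020, .001,
]))

# Ciphertext of the worked example above.
CIPHERTEXT = ("NKRRU NKXK OY G ZKYZ SKYYGMK ZU KTIOVNKX LUX AYK "
              "GY GT KDGSVRK OT GT GXZOIRK LUX OYWAGXKJ SGMGFOTK")


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Shift every letter back by `key` places; other characters pass through."""
    out = []
    for ch in ciphertext.upper():
        if ch in ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") - key) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and average English."""
    letters = [c for c in text if c in ENGLISH_FREQ]
    if not letters:
        return inf
    score = 0.0
    for letter, p in ENGLISH_FREQ.items():
        expected = len(letters) * p
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def crack_caesar(ciphertext: str):
    """Try all 26 shifts and return (key, plaintext) of the most English-like one."""
    scored = sorted((chi_squared(caesar_decrypt(ciphertext, k)), k) for k in range(26))
    best_key = scored[0][1]
    return best_key, caesar_decrypt(ciphertext, best_key)


if __name__ == "__main__":
    key, plaintext = crack_caesar(CIPHERTEXT)
    print(key, plaintext)
```

Short ciphertexts give noisier counts, so on a message of only a few letters the lowest score is not guaranteed to be the right key.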
Ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAX
BVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJV
WLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAG
FOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQH
FOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJT
QOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFL
QHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQW
GFLVWPTOFFA

Ciphertext frequency counts:


A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
21 26 6 10 12 51 10 25 10 9 3 10 0 1 15 28 42 0 0 27 4 24 22 28 6 8



Question: How to beat frequency analysis?



Beating frequency analysis
❑ Methods for countering frequency
analysis were developed, including:
o Omitting spaces
o Deliberate misspellings
o Nulls – characters that have no meaning
o Codes – replacing whole words or phrases
with letters, words or phrases
❑ Such methods helped, but ultimately
cryptanalysts won out and each method could
be accounted for
❑ A better cipher was needed
❑ Led to different variations on substitution
ciphers using the principle of polyalphabetic
substitution (a repeating plaintext letter is
mapped to different ciphertext letters based on
the changing state of the cipher).
Vigenère cipher
❑ Emerged in sixteenth century
❑ The same plain letter can be enciphered and
the same cipher letter deciphered in several
different ways, significantly disrupting
frequency analysis
❑ Uses more than one cipher alphabet and
different letters are enciphered with these
in turn (basically interwoven Caesar cipher).
❑ Cipher alphabets must be chosen by some
systematic process
Copyright information: some of the slides are taken from Peter Rowlett’s Substitution Ciphers: Ancient – Renaissance in the
History of Maths and 
www.historyofmathsandx.co.uk/topics/cryptography
Example
❑ First, choose a word for your key
❑ Key: Choose “pauli”
❑ The Caesar cipher alphabets beginning with
the letters of the keyword are then
produced:
a b c d e f g h i j k l m n o p q r s t u v w x y z
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
❑ Take as plaintext message: hello
❑ Cipher algorithm: encode each letter
using each cipher alphabet in turn,
cycling through the cipher alphabets
❑ If your plaintext is longer than the key
word then keep repeating the keyword
o hellobob >> paulipau
a b c d e f g h i j k l m n o p q r s t u v w x y z
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
❑ “h” is enciphered using the “P” alphabet, giving “W”
❑ “e” is enciphered using the “A” alphabet, giving “E”
❑ “l” is enciphered using the “U” alphabet, giving “F”
❑ “l” is enciphered using the “L” alphabet, giving “W”
❑ “o” is enciphered using the “I” alphabet, giving “W”

❑ ciphertext message: WEFWW


❑ hello to ciphertext message: WEFWW
❑ Notice that, crucially, we have
o (a) enciphered the two letters “l” to give
different cipher letters “F” and “W”;
o and, (b) enciphered different plaintext
letters “h”, “l” and “o” to give the same
ciphertext letter “W”.
❑ Through use of multiple alphabets, the chart
of letter frequencies is distorted, providing
strong resistance to frequency analysis
❑ Vigenère is more complicated to
implement than single-alphabet
substitution ciphers
❑ This adds to the time taken to encipher
and decipher messages
❑ It becomes worth the time and hassle if
you know your enemy can decipher your
simple substitution cipher messages
❑ Can the Vigenère cipher be broken?
❑ Vigenère was for 300 years considered
undecipherable (1553-1863)
❑ Primary weakness is that if the length of the
codeword is known we can break each of the
individual Caesar ciphers independently
❑ In 1863 Friedrich Kasiski published his Kasiski
Examination method
o Estimates keyword length without plaintext
knowledge or the keyword needing to be a
recognisable word

Source: https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher
❑ Kasiski noticed that repeated words are, by
chance, sometimes encrypted using the same key letters
❑ For keyword ABCD:
Key: ABCDABCDABCDABCDABCDABCDABCD
Plaintext: CRYPTOISSHORTFORCRYPTOGRAPHY
Ciphertext: CSASTPKVSIQUTGQUCSASTPIUAQJB

❑ Repetition distance is 16, so the key size is one of 16, 8, 4, 2, 1
❑ If you find multiple repetitions then it is easier

Ciphertext: VHVSSPQUCEMRVBVBBBVHVSURQGIBDUGRNICJQUCERVUAXSSR

❑ The repetition distance of VHVS is 18 (factors 18, 9, 6, 3, 2, 1) and of QUCE is 30 (factors 30, 15, 10, 6, 5, 3, 2, 1)
❑ Key size is one of 6, 3, 2, 1 (most probably 6)
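The Vigenère encipherment and the Kasiski examination described above, as an added example that is not part of the original slides. Function names are assumptions of this example; the inputs are the keywords and ciphertexts shown on the slides.

```python
from collections import defaultdict
from functools import reduce
from math import gcd


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """Encipher each letter with the Caesar alphabet named by the next key letter."""
    shifts = [ord(k) - ord("a") for k in keyword.lower()]
    out, used = [], 0
    for ch in plaintext.lower():
        if "a" <= ch <= "z":
            shift = shifts[used % len(shifts)]   # cycle through the keyword
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("A")))
            used += 1
    return "".join(out)


def repeated_sequences(ciphertext: str, length: int = 3) -> dict:
    """Map every repeated substring of `length` letters to the distances
    between its successive occurrences."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return {seq: [b - a for a, b in zip(pos, pos[1:])]
            for seq, pos in positions.items() if len(pos) > 1}


def kasiski_key_lengths(ciphertext: str, length: int = 3) -> list:
    """Candidate key lengths: the divisors of the gcd of all repetition distances.

    A repetition that arises purely by coincidence would shrink the gcd, so on
    long texts the most common factor is a better guide than the strict gcd.
    """
    distances = [d for ds in repeated_sequences(ciphertext, length).values() for d in ds]
    if not distances:
        return []
    common = reduce(gcd, distances)
    return [n for n in range(common, 0, -1) if common % n == 0]


# Ciphertexts from the slides above.
FIRST = "CSASTPKVSIQUTGQUCSASTPIUAQJB"
SECOND = "VHVSSPQUCEMRVBVBBBVHVSURQGIBDUGRNICJQUCERVUAXSSR"

if __name__ == "__main__":
    print(vigenere_encrypt("hello", "pauli"))
    print(repeated_sequences(SECOND, 4), kasiski_key_lengths(SECOND))
```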
Enigma Machine
❑ Used by Germany in World War II
o Last famous substitution cipher
❑ Polyalphabetic substitution
o To recover message receiver must have
machine configured in same initial state as
the sender

Credit: https://brilliant.org/wiki/enigma-machine/
Enigma Machine
❑ Sender and receiver used monthly code
books to configure machine for specific
day
❑ Plugboard (up to 10 pair swops)
o Letter swop, if codebook said A/L connect
these by wire causing A input to be seen as
L, and L as A
❑ Rotors
o Choose 3 of 5 rotors in specified order
o Set initial letter of each rotor
Enigma Machine
❑ This means the machine has many states
o Approximately $2^{67}$ or $160 \times 10^{18}$
❑ Cryptanalysis
o One feature (turned weakness) was a plaintext
cannot encrypt to itself. So this gives clue as
to what the message is not.
o Used cribs (known plaintext to eliminate
states)
▪ Weather report, “nothing to report”, message sign
off
❑ State then calculated through search
o Bombe machines (each emulating 36 Enigmas)
One-time Pad Encryption
Encryption: Plaintext ⊕ Key = Ciphertext

We use ASCII to represent the text (shown as hexadecimal numbers)

eXclusive OR (⊕) binary operation (1⊕1=0; 1⊕0=1; 0⊕0=0)

             h  e  l  l  o  a  l  i  c  e
Plaintext:  68 65 6C 6C 6F 61 6C 69 63 65
Key:        FF 0A B2 5D C7 C3 EE 22 3F 68
Ciphertext: 97 6F DE 31 A8 A2 82 4B 5C 0D


One-time Pad Decryption
Decryption: Ciphertext ⊕ Key = Plaintext

Ciphertext: 97 6F DE 31 A8 A2 82 4B 5C 0D
Key: FF 0A B2 5D C7 C3 EE 22 3F 68
Plaintext: 68 65 6C 6C 6F 61 6C 69 63 65

h e l l o a l i c e

❑ Pad must be random, used only once


❑ Pad has the same size as message



One-time Pad Use

Ciphertext: 97 6F DE 31 A8 A2 82 4B 5C 0D
Key: F5 16 BB 53 D1 C7 E8 24 34 63
Plaintext: 62 79 65 62 79 65 6A 6F 68 6E

b y e b y e j o h n

❑ Good: The ciphertext can decrypt to any possible plaintext


❑ Bad: Managing the key (the pad) is not practical
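The three one-time pad slides above, as an added example that is not part of the original slides. It reproduces the slide values, derives the pad under which the same ciphertext reads "byebyejohn", and shows why the pad must be used only once; function names are assumptions of this example.

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; the pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


# Values from the slides above.
PLAINTEXT = b"helloalice"
PAD = bytes.fromhex("FF0AB25DC7C3EE223F68")


def encrypt(message: bytes, pad: bytes) -> bytes:
    return xor_bytes(message, pad)


decrypt = encrypt  # XOR is its own inverse


def pad_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """The pad under which `ciphertext` decrypts to `claimed_plaintext`.

    One exists for every plaintext of the same length, which is why the
    ciphertext alone does not single out a message.
    """
    return xor_bytes(ciphertext, claimed_plaintext)


def reused_pad_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one pad encrypted two messages, c1 XOR c2 = p1 XOR p2: the pad
    cancels out, and knowing (or guessing) p1 reveals p2."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


if __name__ == "__main__":
    ct = encrypt(PLAINTEXT, PAD)
    print(ct.hex(" ").upper())
    print(pad_explaining(ct, b"byebyejohn").hex(" ").upper())
```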



• A symmetric-key cipher or cryptosystem is used for encrypting/decrypting a
plaintext/ciphertext
• The same key is used for encrypting and decrypting

[Figure: Alice sends a message to Bob; an eavesdropper on the channel attempts cryptanalysis. Labels: plaintext, key]


Stream Ciphers

• Deterministic Algorithm a.k.a. Keystream Generator


• Ciphering Sequence a.k.a. Keystream



Stream Ciphers

[Figure: the Secret Key feeds the Keystream Generator, which outputs the keystream; Plaintext ⊕ keystream = Ciphertext]

❑ Secret key length: 128 bits, 256 bits, etc.
❑ Maximum plaintext length: usually can be arbitrarily long.
❑ Security: Given a “long” segment of keystream (e.g. $2^{40}$ bits), the secret key cannot be
derived AND the subsequent segment of the keystream cannot be deduced.


RC4
❑ A stream cipher
❑ Ron’s code version 4 (Ronald Rivest)
❑ Stream ciphers are generally faster than block
ciphers
❑ RC4
o Stage 1: RC4 initialization
o Stage 2: RC4 keystream generation



RC4 Initialization
o Setup:
    byte key[N];  // secret key (e.g. N = 16, i.e. 128-bit key)
    byte K[256];  // keying material
    byte S[256];  // internal states
o Initialization:
    for i = 0 to 255
        S[i] = i
        K[i] = key[i (mod N)]
    j = 0
    for i = 0 to 255
        j = (j + S[i] + K[i]) mod 256
        swap(S[i], S[j])
    i = j = 0
❑ S[] is the permutation of 0,1,...,255


RC4 Keystream Generation
❑ To output a keystream byte, swap table elements and select a byte

i = (i + 1) mod 256
j = (j + S[i]) mod 256
swap(S[i], S[j])
t = (S[i] + S[j]) mod 256
KeyStreamByteSelected = S[t]

❑ Use the KeyStreamByteSelected to do XOR with one byte of plaintext,
then iterate the keystream generation steps above for getting
another byte of keystream
❑ Note: Some research results show that the first 256 bytes must be
discarded, otherwise attacker may be able to recover the key.
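A runnable version of the two RC4 stages above, as an added example that is not part of the original slides. The `drop` parameter (a name chosen for this example) implements the note about discarding the first bytes of keystream; the key "Key" and message "Plaintext" are sample inputs.

```python
def rc4_init(key: bytes) -> list:
    """Stage 1: key-dependent permutation S of 0..255."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 keys are 1 to 256 bytes long")
    S = list(range(256))
    j = 0
    for i in range(256):
        # key[i % len(key)] plays the role of K[i] in the pseudocode above
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Stage 2: return n keystream bytes after discarding the first `drop`."""
    S = rc4_init(key)
    i = j = 0
    out = bytearray()
    for count in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        if count >= drop:
            out.append(S[t])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream."""
    stream = rc4_keystream(key, len(data), drop)
    return bytes(d ^ k for d, k in zip(data, stream))


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    # Both sides must agree on `drop`, since it changes the keystream.
    protected = rc4_crypt(b"Key", b"Plaintext", drop=256)
    print(rc4_crypt(b"Key", protected, drop=256))
```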



Questions: What are the current symmetric key cryptosystems?

There are many…

They can be categorized into two types:

1. Stream Cipher
2. Block Cipher

[Figure: Cryptosystems divide into Symmetric Key Cryptosystems and Public Key Cryptosystems; Symmetric Key Cryptosystems divide into Stream Ciphers and Block Ciphers]


Block Ciphers
[Figure: plaintext and secret key enter the Block Cipher, which outputs Ciphertext]

❑ A block cipher takes a block of plaintext and a secret key,
produces a block of ciphertext.
❑ The key is reused for different plaintext blocks
❑ Typical block sizes: 64 bits, 128 bits, 192 bits, 256 bits
❑ Key sizes: 56 bits (DES), 128/192/256 bits (AES)
❑ Popular block ciphers: DES, 3DES, AES, Twofish, Serpent



DES (Data Encryption Standard)
❑ Ciphertext obtained from plaintext by iterating a
round function (i.e. cryptographic operations)
❑ Input to round function consists of a round key Ki
and the output of the previous round
❑ The DES round function is also known as Feistel
Transformation

[Figure: a 64-bit Plaintext Block passes through 16 rounds, each taking a round key Ki derived from the 56-bit Secret Key, to give a 64-bit Ciphertext Block]
Feistel Structure

[Figure: the 56-bit Secret Key enters the Key-expansion Algorithm, which supplies each Round Function]

[Figure: One Round of DES. Labels: Li-1 and Ri-1 (32 bits each), expand (32 to 48 bits), round key Ki (48 bits), S-boxes (48 to 32 bits), P box (32 bits), key halves (28 bits each) with shift and compress (to 48 bits), outputs Li and Ri]
Properties of good block cipher algorithms

• Confusion
– A small change in the key should be able to change 50% of the
ciphertext
– An attacker using a bruteforce attack shouldn’t receive any signs that
he is getting closer to the correct key
• Diffusion
– A small change in the plaintext should cause 50% of the ciphertext to
change
– Hide any statistical relation between the plaintext and the ciphertext
• Completion
– Each bit of the ciphertext depends on each bit of the key
– The attacker won’t be able to find valid parts of the key using divide
and conquer methods



Security of DES
❑ Security of DES depends solely on the internals of f
❑ More than thirty years of intense analysis has revealed no
“back door”
❑ The most effective attack today against DES is still the
exhaustive key search (a.k.a. bruteforce attack)



Bruteforce Attack | Exhaustive Key Search

• An algorithm is secure when the easiest way of attacking it is
by bruteforce attack.
• i.e. check all possible key combinations one by one (could
be done in parallel)
• For a key of n bits, the total number of possible keys (or the
entire key space) is $2^n$.
• An average of half the combinations should be tried in order
to find the key, i.e. $2^{n-1}$.
• Nowadays the minimum recommended key size is 128 bits to
make it impossible for a bruteforce attack.


Bruteforce Attack Against DES
❑ Known-Plaintext Attack: Given a plaintext x and corresponding
ciphertext y, every possible key would be tested until a key K is
found such that
E(K, x) = y
Note: there may be more than one such key K.
❑ Total number of keys = $2^{56} \approx 7.2 \times 10^{16}$ keys
❑ Assume at the speed of $10^6$ encryptions per second, it would need
more than 1000 years to break DES.
❑ Two cryptographers, Diffie and Hellman, postulated in 1977 that a
DES cracking machine with $10^6$ processors, each could test $10^6$
keys per second, could be built for about US$20M.
o This machine can break DES in about 10 hours.


Exhaustive Key Search



What Should We Use Today?

❑ 3DES (or Triple DES)


❑ AES (or Rijndael)
❑ Other candidates
o Twofish
o RC6
o Serpent



Triple DES and DESX
❑ Triple DES: two 56-bit keys
[Figure: M → DES (K1) → DES⁻¹ (K2) → DES (K1) → C]
❑ DESX: three keys
C = K3 ⊕ DES(K2, M ⊕ K1)
[Figure: M ⊕ K1 → DES (K2) → ⊕ K3 → C]
• Similar security to DES using differential cryptanalysis and linear
cryptanalysis, which are theoretical attacks
• But much harder to break using exhaustive key search than DES.


Advanced Encryption Standard
❑ Replacement for DES
o Selection by public process and chosen algorithm design
details freely available for public use.
o Required to operate at a faster speed than Triple DES
across a number of different platforms.
❑ AES competition (late 90’s)
o NSA openly involved
o Many strong algorithms were proposed and cryptanalyzed
publicly
o Rijndael Algorithm was ultimately selected
▪ Pronounced like “Rain Doll” or “Rhine Doll”
❑ Iterated block cipher (like DES)
❑ Not using Feistel round function (unlike DES)
AES (Advanced Encryption Standard)
❑ Replacement of DES
❑ Block size: 128 bits
❑ Key length: 16, 24, or 32 bytes (128, 192,
or 256 bits) – independent of block size
❑ 10 to 14 rounds (depends on key length)
❑ Substitution-Permutation Network (SPN)
❑ Each round has 4 transformations (except
the last round)
o ByteSub
o ShiftRow
o MixColumn
o AddRoundKey



AES Encryption Process

•In AES, all operations are performed on 8-bit bytes
•The arithmetic operations of addition,
multiplication, and division are performed over the
finite field GF($2^8$) (more details later)
•The ordering of bytes within a matrix is by column
•N rounds
•Last round has three transformations only
•AddRoundKey is carried out N+1 times:
(1) Initial transformation
(2) N rounds
•M = 16, 24, or 32 (bytes)
AES Encryption and Decryption

•Different from Feistel Transformation


• Feistel: process/encrypt half of the
data block in each round
• AES: process/encrypt the entire
data block in each round
•Key Scheduling = Key Expansion
•A 16-byte Key is expanded into 11 round
keys
•Each round key is 4 words (16 bytes or 128
bits) long.
• Each word has 4 bytes (32 bits)
• E.g. for Round 0 (i.e. the Initial
Transformation), the 4 words are
denoted as w[0,3]
• for Round 1, the 4 words are
denoted as w[4,7]
• for Round 9, the 4 words are
denoted as w[36,39]
• for Round 10, the 4 words are
denoted as w[40,43]
•Decryption: each transformation is
reversible
AES
The Four Transformations in Each Round (Except the Last Round):
• ByteSub: use an S-box to perform a byte-by-byte substitution of the data block
• ShiftRow: a permutation
• MixColumn: a substitution that makes use of arithmetic over GF($2^8$)
• AddRoundKey: a simple bitwise XOR of the current data block with a round key
AES
ByteSub (substitute byte transformation)
• Each individual byte in a data block is mapped into a new byte using a 16x16 matrix of byte values
• The leftmost 4 bits of a data block byte are used as a row value
• The rightmost 4 bits of a data block byte are used as a column value
• E.g. a data block byte value 95 references row 9, column 5 of the S-box, which contains the value
2A. So the value 95 is substituted by 2A in ByteSub

[Figures: S-box (for encryption); Inverse S-box (for decryption)]
AES
ByteSub
An example of the ByteSub transformation of a 128-bit data block using the S-box.

EA 04 65 85              87 F2 4D 97
83 45 5D 96    S-box     EC 6E 4C 90
5C 33 98 B0   ------->   4A C3 46 E7
F0 2D AD C5              8C D8 95 A6
AES
ShiftRow
•The first row of the data block is not altered
•The second row: 1-byte circular left shift
•The third row: 2-byte circular left shift
•The fourth row: 3-byte circular left shift

87 F2 4D 97              87 F2 4D 97
EC 6E 4C 90   ShiftRow   6E 4C 90 EC
4A C3 46 E7   ------->   46 E7 4A C3
8C D8 95 A6              A6 8C D8 95
AES
MixColumn
•Operate on each column individually
•Each byte of a column is mapped into a new value that is a function of all the four bytes in that
column
•Matrix multiplication over GF($2^8$) with irreducible polynomial $m(x) = x^8 + x^4 + x^3 + x + 1$

e.g.
$s'_{0,0} = 02 \cdot s_{0,0} + 03 \cdot s_{1,0} + s_{2,0} + s_{3,0} \bmod m(x)$
$\Rightarrow s'_{0,0} = (x)\,s_{0,0} + (x+1)\,s_{1,0} + s_{2,0} + s_{3,0} \bmod m(x)$
Note: each $s_{i,j}$ represents 8 bits (i.e. a polynomial of degree 7 with binary coefficients)
Mathematical Background: Finite Field Arithmetic
Galois Field or Finite Field: we only focus on GF($2^n$) here
•Informally: a field is a set in which we can do addition, subtraction, multiplication, and division
without leaving the set
•GF($2^n$) is a finite field containing $2^n$ elements
•Consider a set S of all polynomials of degree n-1 or less with binary coefficients. Thus, each
polynomial has the form
$f(x) = a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \dots + a_1 x + a_0$
where each $a_i$ takes on the value 0 or 1 only.
•There are a total of $2^n$ different polynomials in S.
•For n = 3, GF($2^3$) has 8 polynomials in the form of $f(x) = a_2x^2 + a_1x + a_0$.
They are: {$0,\ 1,\ x,\ x + 1,\ x^2,\ x^2 + 1,\ x^2 + x,\ x^2 + x + 1$}.
•Arithmetic on coefficients is performed modulo 2
•Addition:
• E.g. $f(x) + g(x) = (x^2 + 1) + (x^2 + x + 1) = x$
• This is the same as the bitwise XOR operation
• Represent each element in GF($2^3$) by a 3-bit value: {000, 001, 010, 011, 100, 101, 110, 111}
• f(x) + g(x) = (101) + (111) = (010), i.e. x
Mathematical Background: Finite Field Arithmetic
• Multiplication:
• Multiply two polynomials together. If the resulting polynomial has degree greater than n-1,
then the polynomial is reduced modulo some irreducible polynomial m(x) of degree n.
• Irreducible polynomial m(x): a polynomial that cannot be expressed as a product of two
polynomials, both with degree smaller than that of m(x).
• Irreducible polynomials of degree 3: $(x^3 + x^2 + 1)$ and $(x^3 + x + 1)$
• $f(x) \times g(x) = (x^2 + 1) \times (x^2 + x + 1) \bmod m(x) = (x^4 + x^3 + x^2) + (x^2 + x + 1) \bmod m(x) = x^4 + x^3 + x + 1 \bmod m(x)$
taking $m(x) = x^3 + x + 1$ as the irreducible polynomial, we have
$f(x) \times g(x) = x^4 + x^3 + x + 1 \bmod (x^3 + x + 1) = (x + 1)(x^3 + x + 1) + (x^2 + x) \bmod (x^3 + x + 1) = x^2 + x$
• Represent each element in GF($2^3$) by a 3-bit value: {000, 001, 010, 011, 100, 101, 110, 111}
• f(x) × g(x) = (101) × (111) = (110)

• AES uses arithmetic in the finite field GF($2^8$) with the irreducible polynomial
$m(x) = x^8 + x^4 + x^3 + x + 1$
AES
MixColumn

e.g.
$s'_{0,0} = 02 \cdot s_{0,0} + 03 \cdot s_{1,0} + s_{2,0} + s_{3,0} \bmod m(x)$
$\Rightarrow s'_{0,0} = (x)\,s_{0,0} + (x+1)\,s_{1,0} + s_{2,0} + s_{3,0} \bmod m(x)$
Note: each $s_{i,j}$ represents 8 bits (i.e. a polynomial of degree 7 with binary coefficients)

•$s'_{0,0}$ is a polynomial of degree 7 with binary coefficients obtained by adding four
polynomials together (i.e. the bitwise XOR operation) and each of the first two
polynomials is obtained by multiplying two polynomials modulo m(x).
• i.e. $s'_{0,0} = [(x)\,s_{0,0} \bmod m(x)] \oplus [(x+1)\,s_{1,0} \bmod m(x)] \oplus s_{2,0} \oplus s_{3,0}$
AES
MixColumn

87 F2 4D 97              47 40 A3 4C
6E 4C 90 EC   MixColumn  37 D4 70 9F
46 E7 4A C3   ------->   94 E4 3A 42
A6 8C D8 95              ED A5 A6 BC
Example
❑ Calculate $S'_{0,0} = 02 \cdot S_{0,0} + 03 \cdot S_{1,0} + S_{2,0} + S_{3,0}$
❑ 02h(10b) · 87h(10000111b) + 03h(11b) · 6Eh(01101110b) +
46h(01000110b) + A6h(10100110b)
❑ $(x)(x^7+x^2+x+1)+(x+1)(x^6+x^5+x^3+x^2+x)+(x^6+x^2+x)+(x^7+x^5+x^2+x)$
❑ $x^8+x^3+x^2+x+x^7+x^6+x^4+x^3+x^2+x^6+x^5+x^3+x^2+x+x^6+x^2+x+x^7+x^5+x^2+x$
❑ $x^8+x^3+x^2+x^6+x^4 \bmod x^8+x^4+x^3+x+1$
❑ $x^8+x^3+x^2+x^6+x^4+(x+x+1+1) \bmod x^8+x^4+x^3+x+1$
❑ $x^6+x^2+x+1+(x^8+x^4+x^3+x+1) \bmod x^8+x^4+x^3+x+1$
❑ $x^6+x^2+x+1 \bmod x^8+x^4+x^3+x+1$
❑ $x^6+x^2+x+1$ is 01000111b is 47h
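The finite-field multiplication and the ShiftRow, MixColumn and AddRoundKey slides, as an added example that is not part of the original slides. Only the first row of the MixColumn matrix (02 03 01 01) appears in the text above; the other rows are the standard ones from the AES specification. Function names are assumptions of this example, and ByteSub is left out because the S-box table is not reproduced here.

```python
AES_MODULUS = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1 as a bit pattern


def gf_mul(a: int, b: int, modulus: int = AES_MODULUS, n: int = 8) -> int:
    """Multiply two GF(2^n) elements (bit i = coefficient of x^i) modulo m(x)."""
    result = 0
    while b:
        if b & 1:
            result ^= a       # addition of polynomials is XOR
        b >>= 1
        a <<= 1               # multiply a by x
        if (a >> n) & 1:      # degree reached n: reduce by m(x)
            a ^= modulus
    return result


MIX = [[2, 3, 1, 1],
       [1, 2, 3, 1],
       [1, 1, 2, 3],
       [3, 1, 1, 2]]


def shift_rows(state):
    """Row r is rotated left by r bytes."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_columns(state):
    """Multiply each column of the state by MIX over GF(2^8)."""
    out = [[0] * 4 for _ in range(4)]
    for col in range(4):
        for row in range(4):
            for k in range(4):
                out[row][col] ^= gf_mul(MIX[row][k], state[k][col])
    return out


def add_round_key(state, round_key):
    return [[s ^ k for s, k in zip(srow, krow)]
            for srow, krow in zip(state, round_key)]


def parse(text: str):
    """Read a 4x4 state written as rows of hexadecimal bytes."""
    return [[int(b, 16) for b in line.split()] for line in text.strip().splitlines()]


# State after ByteSub and the round key, both taken from the slides.
AFTER_BYTESUB = parse("""87 F2 4D 97
                         EC 6E 4C 90
                         4A C3 46 E7
                         8C D8 95 A6""")
ROUND_KEY = parse("""AC 19 28 57
                     77 FA D1 5C
                     66 DC 29 00
                     F3 21 41 6A""")


def rest_of_round(state, round_key):
    """ShiftRow, MixColumn and AddRoundKey applied in order."""
    return add_round_key(mix_columns(shift_rows(state)), round_key)


if __name__ == "__main__":
    for row in rest_of_round(AFTER_BYTESUB, ROUND_KEY):
        print(" ".join(f"{b:02X}" for b in row))
```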
AES
AddRoundKey

47 40 A3 4C       AC 19 28 57       EB 59 8B 1B
37 D4 70 9F       77 FA D1 5C       40 2E A1 C3
94 E4 3A 42   ⊕   66 DC 29 00   =   F2 38 13 42
ED A5 A6 BC       F3 21 41 6A       1E 84 E7 D6
AES
Summary of One AES Round (except the last round)
AES
Key Expansion / Key Scheduling

Review:
•A 16-byte (128-bit) Key is expanded
into 11 round keys
•Each round key is 4 words (or 16 bytes
or 128 bits) long
•Total size of the 11 round keys = 44
words (or 176 bytes)

Notations:
•Key: k0, k1, … k15
•Round Keys: w0, w1, …, w43

•Round 0 key: w0, w1, w2, w3


•Round 1 key: w4, w5, w6, w7
•Round 2 key: w8, w9, w10, w11
•…
•Round 10 key: w40, w41, w42, w43
AES
Key Expansion / Key Scheduling

Summary:
•The 16-byte key is copied into the first
four words for Round 0 key
•i.e. the key is used directly to do the
AddRoundKey at the initial
transformation

•Each subsequent word w[i] in a round
key depends on the immediately
preceding word w[i-1], and the word
four positions back, w[i-4]
• in three out of the four cases a
simple XOR is used, e.g. w5, w6,
and w7
• for a word whose position in
the w array is a multiple of 4, a
more complex function g is
used

•RC stands for Round Constant


Key Space
❑ The Key Space of a cipher is the set of all possible
and distinct secret keys
❑ E.g. The key space of DES is all distinct 56-bit
binary strings
❑ E.g. The size of the key space of simple
substitution for case-insensitive English alphabet
is 26!
❑ What’s the key space size of AES?
❑ What’s the key space size of one-time pad?
❑ What’s the key space size of RC4?



Multiple Blocks
[Figure: a Message (n bits) and a secret key (k bits) enter ENC, which outputs the Ciphertext (n bits)]

❑ How to encrypt multiple blocks?


❑ A new key for each block?
o As bad as (or worse than) the one-time pad!
❑ Encrypt each block independently?
❑ Make encryption depend on previous block(s), i.e.,
“chain” the blocks together?
❑ How to handle partial blocks?
Modes of Operation
❑ Many modes of operation ⎯ we discuss three
❑ Electronic Codebook (ECB) mode
o Obvious thing to do
o Encrypt each block independently
o There is a serious weakness
❑ Cipher Block Chaining (CBC) mode
o Chain the blocks together
o More secure than ECB
❑ Counter (CTR) mode
o Acts like a stream cipher
o Popular for random access



ECB Mode
❑ Notations: C=E(K, P) P=D(K,C)
❑ Given plaintext P = P0,P1,…,Pm,… (in blocks)
❑ Obvious way of using a block cipher is to encrypt
plaintext blocks independently
Encrypt                  Decrypt
C0 = E(K, P0),           P0 = D(K, C0),
C1 = E(K, P1),           P1 = D(K, C1),
C2 = E(K, P2),…          P2 = D(K, C2),…

[Figure: each plaintext block P0, P1, …, Pi is encrypted (ENC) independently under the same key K to give C0, C1, …, Ci]


ECB Cut and Paste Attack
❑ Suppose plaintext is
Alice digs Bob. Trudy digs Tom.
❑ Assuming 64-bit blocks and 8-bit ASCII:
P0 = “Alice di”, P1 = “gs Bob. ”,
P2 = “Trudy di”, P3 = “gs Tom. ”
❑ Ciphertext: C0,C1,C2,C3
❑ Trudy cuts and pastes: C0,C3,C2,C1
❑ Decrypts as
Alice digs Tom. Trudy digs Bob.
ECB Weakness
❑ Suppose Pi = Pj
❑ Then Ci = Cj and Trudy knows Pi = Pj
❑ This gives Trudy some information,
even if she does not know Pi or Pj
❑ Is this a serious issue?



Alice Hates ECB Mode
❑ Alice’s uncompressed image, Alice ECB encrypted

❑ Why does this happen?


❑ Same plaintext block ⇒ same ciphertext!
CBC Mode
❑ Blocks are “chained” together
❑ A random initialization vector, or IV, is required to initialize
CBC mode
❑ IV is random, but is not a secret
Encryption               Decryption
C0 = E(K, IV ⊕ P0),      P0 = IV ⊕ D(K, C0),
C1 = E(K, C0 ⊕ P1),      P1 = C0 ⊕ D(K, C1),
C2 = E(K, C1 ⊕ P2), …    P2 = C1 ⊕ D(K, C2), …

[Diagram: P0 is XORed with IV and encrypted under K to give C0; P1 is XORed with C0 and encrypted under K to give C1]



Alice Likes CBC Mode
❑ Alice’s uncompressed image, Alice CBC encrypted

❑ Why does this happen?


❑ Same plaintext yields different ciphertext!
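
The ECB cut-and-paste attack and the repeated-block leak from the slides above, run against CBC for comparison, as an added example that is not part of the original lecture. The block cipher is a toy 64-bit Feistel construction built only for this demo; the key, IV and all function names are assumptions.

```python
import hashlib

BLOCK = 8                                  # 64-bit blocks, as on the slide
KEY, IV = b"demo key", bytes.fromhex("0011223344556677")  # constructed values
MSG = b"Alice digs Bob. Trudy digs Tom. "  # the slide's four 8-byte blocks

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block, rounds=range(8)):
    # Toy 8-round Feistel cipher constructed for this demo (NOT a secure cipher)
    l, r = block[:4], block[4:]
    for rnd in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l

def D(key, block):
    # A Feistel network is inverted by running its rounds in reverse order
    return E(key, block, rounds=range(7, -1, -1))

def blocks(data):                          # no padding: len(data) % BLOCK == 0
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return [E(key, p) for p in blocks(pt)]           # Ci = E(K, Pi)

def ecb_decrypt(key, cts):
    return b"".join(D(key, c) for c in cts)          # Pi = D(K, Ci)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(prev, p))                  # Ci = E(K, C(i-1) xor Pi)
        out.append(prev)
    return out

def cbc_decrypt(key, iv, cts):                       # Pi = C(i-1) xor D(K, Ci)
    return b"".join(xor(prev, D(key, c)) for prev, c in zip([iv] + cts, cts))

def cut_and_paste(cts):
    return [cts[0], cts[3], cts[2], cts[1]]          # the slide's C0,C3,C2,C1

def duplicate_blocks(cts):
    return len(cts) - len(set(cts))                  # blocks repeating an earlier one

if __name__ == "__main__":
    print(ecb_decrypt(KEY, cut_and_paste(ecb_encrypt(KEY, MSG))))
    print(cbc_decrypt(KEY, IV, cut_and_paste(cbc_encrypt(KEY, IV, MSG))))
    print(duplicate_blocks(ecb_encrypt(KEY, b"SAMEDATA" * 4)),
          duplicate_blocks(cbc_encrypt(KEY, IV, b"SAMEDATA" * 4)))
```

CBC decrypts the spliced ciphertext to garbage after the first block rather than to a clean rearrangement, but nothing in CBC itself detects the tampering.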
What is a ‘good’ mode?
Good properties:
❑ Message dependence of ciphertext
❑ Limited error propagation
❑ Works without block synchronisation
❑ Optimise use of decrypt/encrypt
❑ Reduce padding

Type of transmission errors
❑ Transmission errors are errors (a 1
becomes a 0 or a 0 becomes a 1) that
occur in the communication channel.
❑ Transmission losses are bits that get
lost (they never arrive) in the
communication channel.

Slides 98-105: credit to Keith Martin, Everyday Cryptography: Fundamental Principles and Applications
Cryptography – Part I 98
Error Propagation
❑ A decryption process involves error
propagation if a ciphertext input
that has one incorrect bit produces a
plaintext output that has more than
one incorrect bit.

Cryptography – Part I 99
Counter Mode (CTR)
❑ Use block cipher like stream cipher
Encryption                 Decryption
C0 = P0 ⊕ E(K, IV),        P0 = C0 ⊕ E(K, IV),
C1 = P1 ⊕ E(K, IV+1),      P1 = C1 ⊕ E(K, IV+1),
C2 = P2 ⊕ E(K, IV+2), …    P2 = C2 ⊕ E(K, IV+2), …

❑ CTR is good for random access (both READ and WRITE)
❑ CBC is good for random READ only, but not WRITE

[Diagram: each counter value IV+i is encrypted by ENC under K and the output is XORed with Pi to give Ci]

Symmetric Key Encryption 100
Cipher Feedback Mode (CFB)
❑ One more mode…
❑ Use block cipher like stream cipher (like counter mode)
Encryption               Decryption
C0 = P0 ⊕ E(K, IV),      P0 = C0 ⊕ E(K, IV),
C1 = P1 ⊕ E(K, C0),      P1 = C1 ⊕ E(K, C0),
C2 = P2 ⊕ E(K, C1), …    P2 = C2 ⊕ E(K, C1), …

[Diagram: IV, then each previous ciphertext block, is encrypted by ENC under K and the output is XORed with Pi to give Ci]

Cryptography – Part I 101
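
Error propagation as defined on slide 99, measured for CTR and CFB using the formulas above (added example, not from the original lecture). E is a keyed SHA-256 truncation standing in for a block cipher's encryption direction, and the key, IV, message and function names are assumptions.

```python
import hashlib

BLOCK = 8                                               # 64-bit blocks
KEY, IV = b"demo key", bytes.fromhex("0011223344556677")  # constructed values

def E(key, block):
    # Stand-in for block-cipher encryption (keyed SHA-256 cut to 64 bits);
    # CTR and CFB never call D, so this is enough to run both modes.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ctr(key, iv, data):
    # Ci = Pi xor E(K, IV+i); running it again on the ciphertext decrypts
    n = int.from_bytes(iv, "big")
    return b"".join(xor(b, E(key, ((n + i) % 2**64).to_bytes(BLOCK, "big")))
                    for i, b in enumerate(blocks(data)))

def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(p, E(key, prev))                     # Ci = Pi xor E(K, C(i-1))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    cts = blocks(ct)                                    # Pi = Ci xor E(K, C(i-1))
    return b"".join(xor(c, E(key, prev)) for prev, c in zip([iv] + cts, cts))

def flip_bit(data, bit):
    out = bytearray(data)
    out[bit // 8] ^= 0x80 >> (bit % 8)                  # models one transmission error
    return bytes(out)

def wrong_bits(mode):
    # Flip bit 0 of ciphertext block 1, decrypt, count wrong plaintext bits per block
    pt = b"0123456789abcdefghijklmnopqrstuv"           # constructed 4-block message
    if mode == "ctr":
        got = ctr(KEY, IV, flip_bit(ctr(KEY, IV, pt), 64))
    else:
        got = cfb_decrypt(KEY, IV, flip_bit(cfb_encrypt(KEY, IV, pt), 64))
    return [sum(bin(x ^ y).count("1") for x, y in zip(e, g))
            for e, g in zip(blocks(pt), blocks(got))]

if __name__ == "__main__":
    print("CTR:", wrong_bits("ctr"), "CFB:", wrong_bits("cfb"))
```

In CTR one wrong ciphertext bit gives exactly one wrong plaintext bit; in CFB it gives one wrong bit in the same block and a garbled following block, after which decryption recovers.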


CFB Mode

Cryptography – Part I 102


CFB Error

Cryptography – Part I 103


CBC Mode

Cryptography – Part I 104


CBC Error

Cryptography – Part I 105


Supplementary Materials



Practical Cipher Knowledge
❑ I am not a cryptographer – how do I know a good
cipher?
❑ Basic cipher analysis in under a minute
o Key size
▪ For symmetric ciphers, a key size > 128 bits is now considered best practice
o Public
▪ Security cannot come from obscurity (Kerckhoffs's principle)
o Standard
▪ If the cipher is the result of an open competition, good; if proprietary, be wary
▪ If it is old and public and still not ‘broken’ then it could be OK.
o Mode of operation?
▪ Of the basic modes, CBC is considered good (ECB not good)

Mifare Classic
❑ Developed in 1995 (NXP Semiconductor) – Crypto1 algorithm
o 48-bit key, stream cipher
❑ Used in a significant number of current systems
o Access control
o Travel
o Closed payment
❑ Cipher kept secret…was securely used for a long time
❑ Researchers reverse engineered cipher by analysis of the IC
architecture
o Subsequently another group also used these findings to
reconstruct the full cipher
❑ Mifare Classic also shown to have further security flaws

Mifare Classic Metal Layers

Nohl, et al (2008)
Reconstructing the Algorithm

Nohl, et al (2008)

Security through obscurity
❑ Legacy/proprietary RFID systems are available and possibly used for security-sensitive applications.
❑ Several examples of reverse engineering
o NXP Mifare Classic, TI DST, NXP HiTag, Microchip Keeloq, HID and Atmel CryptoRF
❑ The first….
o TI DST algorithm reverse engineered (2005), used for Speedpass, car immobilizers
o Researchers had a general idea of the cipher architecture and used a black-box, brute-force method
o Recover the 40-bit key in a few hours and masquerade as a real DST device
The end!

Any questions…