NSC Full Notes

The document discusses symmetric key ciphers, focusing on stream and block ciphers, including their principles and operations. It details the Blowfish algorithm, its encryption process, and various modes of operation such as ECB, CBC, CFB, OFB, and CTR. Additionally, it covers cryptanalysis techniques like differential and linear cryptanalysis, highlighting the importance of secure encryption methods.

Uploaded by

ragavihr131211

UNIT-2

SYMMETRIC KEY CIPHERS


BLOCK CIPHER PRINCIPLES

Stream Ciphers and Block Ciphers

A stream cipher is one that encrypts a digital data stream one bit or one byte at
a time.

Examples of classical stream ciphers are the autokeyed Vigenère cipher and the
Vernam cipher.

In the ideal case, a one-time pad version of the Vernam cipher would be used, in
which the keystream (Ki) is as long as the plaintext bit stream (Pi). If the
cryptographic keystream is random, then this cipher is unbreakable by any means
other than acquiring the keystream.

The bit-stream generator is a key-controlled algorithm and must produce a bit
stream that is cryptographically strong.

A block cipher is one in which a block of plaintext is treated as a whole and
used to produce a ciphertext block of equal length. Typically, a block size of
64 or 128 bits is used. As with a stream cipher, the two users share a symmetric
encryption key.

Motivation for the Feistel Cipher Structure

A block cipher operates on a plaintext block of n bits to produce a ciphertext
block of n bits. There are 2^n possible different plaintext blocks and, for the
encryption to be reversible (i.e., for decryption to be possible), each must
produce a unique ciphertext block.

In the logic of a general substitution cipher, a 4-bit input produces one of 16
possible input states, which is mapped by the substitution cipher into a unique
one of 16 possible output states, each of which is represented by 4 ciphertext
bits.

Block Cipher Principles

A block cipher is designed by considering its three critical aspects which are
listed as below:

1. Number of Rounds
2. Design of Function F
3. Key Schedule Algorithm

1. Number of Rounds

The number of rounds determines the strength of the block cipher algorithm. It
is considered that the more rounds there are, the more difficult it is for
cryptanalysis to break the algorithm.

It is considered that even if the function F is relatively weak, the number of
rounds would make the algorithm tough to break.

2. Design of Function F

The function F of the block cipher must be designed such that it is
impossible for any cryptanalysis to unscramble the substitution. The criterion
that strengthens the function F is its non-linearity.

The more nonlinear the function F is, the more difficult it is to crack. While
designing the function F, it should be confirmed that it has a good avalanche
property, which states that a change in one bit of input must be reflected in a
change in many bits of output.

The function F should also be designed so that it satisfies the bit
independence criterion, which states that the output bits must change
independently if there is any change in the input bit.

3. Key Schedule Algorithm

It is suggested that the key schedule should ensure the strict avalanche effect
and the bit independence criterion.

BLOWFISH ALGORITHM

Blowfish is an encryption technique designed by Bruce Schneier in 1993 as an
alternative to the DES encryption technique. It is significantly faster than DES
and provides a good encryption rate with no effective cryptanalysis technique
found to date. It is one of the first secure block ciphers not subject to any
patents and hence freely available for anyone to use.

1. blockSize: 64-bits
2. keySize: 32-bits to 448-bits variable size
3. number of subkeys: 18 [P-array]
4. number of rounds: 16
5. number of substitution boxes: 4 [each having 512 entries of 32-bits each]

Blowfish Encryption Algorithm

The entire encryption process can be elaborated as:


Let's see each step one by one:

Step1: Generation of subkeys:

• 18 subkeys {P[0]…P[17]} are needed in both the encryption and the decryption
process, and the same subkeys are used for both processes.
• These 18 subkeys are stored in a P-array, with each array element being a
32-bit entry.
• It is initialized with the digits of pi (π).
• The hexadecimal representation of each of the subkeys is given by:

Cryptography and Network Security, Dept. of CSE, AITS 57

Now each of the subkeys is changed with respect to the input key as:

P[0] = P[0] xor 1st 32-bits of input key
P[1] = P[1] xor 2nd 32-bits of input key
.
.
.
P[i] = P[i] xor (i+1)th 32-bits of input key
(roll over to 1st 32-bits depending on the key length)
.
.
.
P[17] = P[17] xor 18th 32-bits of input key
(roll over to 1st 32-bits depending on key length)

The resultant P-array holds 18 subkeys that are used during the entire
encryption process.

Step2: initialise Substitution Boxes:

• 4 substitution boxes (S-boxes) are needed {S[0]…S[4]} in both the encryption
as well as the decryption process, with each S-box having 256 entries
{S[i][0]…S[i][255], 0 ≤ i ≤ 4}, where each entry is 32-bit.
• It is initialized with the digits of pi (π) after initializing the P-array.

Step3: Encryption:

• The encryption function consists of two parts:

a. Rounds: The encryption consists of 16 rounds, with each round (Ri)
taking as inputs the plaintext (P.T.) from the previous round and the
corresponding subkey (Pi). The description of each round is as follows:

The description of the function "F" is as follows:

Here the function "add" is addition modulo 2^32.

b. Post-processing: The output after the 16 rounds is processed as follows:

DIFFERENTIAL AND LINEAR CRYPTANALYSIS

One of the most significant advances in cryptanalysis in recent years is
differential cryptanalysis.

DIFFERENTIAL CRYPTANALYSIS ATTACK

The differential cryptanalysis attack is complex, provides a complete
description. The rationale behind differential cryptanalysis is to observe the
behaviour of pairs of text blocks evolving along each round of the cipher,
instead of observing the evolution of a single text block.


Linear Cryptanalysis

This attack is based on finding linear approximations to describe the
transformations performed in DES. This method can find a DES key given
2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential
cryptanalysis. Although this is a minor improvement, because it may be easier to
acquire known plaintext rather than chosen plaintext, it still leaves linear
cryptanalysis infeasible as an attack on DES.

BLOCK CIPHER MODES OF OPERATION


A block cipher processes the data blocks of fixed size. Usually, the size of a
message is larger than the block size. Hence, the long message is divided into a
series of sequential message blocks, and the cipher operates on these blocks one
at a time.

Electronic Code Book (ECB) Mode

This mode is the most straightforward way of processing a series of sequentially
listed message blocks.

Operation

• The user takes the first block of plaintext and encrypts it with the key
to produce the first block of ciphertext.
• He then takes the second block of plaintext and follows the same process
with the same key, and so on.

The ECB mode is deterministic, that is, if plaintext blocks P1, P2,…, Pm are
encrypted twice under the same key, the output ciphertext blocks will be the
same.

In fact, for a given key technically we can create a codebook of ciphertexts for
all possible plaintext blocks. Encryption would then entail only looking up the
required plaintext and selecting the corresponding ciphertext. Thus, the
operation is analogous to the assignment of code words in a codebook, and hence
gets an official name − Electronic Codebook mode of operation (ECB). It is
illustrated as follows

Analysis of ECB Mode


In reality, any application data usually has partial information which can be
guessed. For example, the range of a salary can be guessed. A ciphertext from
ECB can allow an attacker to guess the plaintext by trial-and-error if the
plaintext message is predictable.

For example, if a ciphertext from the ECB mode is known to encrypt a salary
figure, then a small number of trials will allow an attacker to recover the
figure. In general, we do not wish to use a deterministic cipher, and hence the
ECB mode should not be used in most applications.

Cipher Block Chaining (CBC) Mode

CBC mode of operation provides message dependence for generating ciphertext
and makes the system non-deterministic.

Operation

The operation of CBC mode is depicted in the following illustration. The steps
are as follows −

• Load the n-bit Initialization Vector (IV) in the top register.
• XOR the n-bit plaintext block with the data value in the top register.
• Encrypt the result of the XOR operation with the underlying block cipher
with key K.
• Feed the ciphertext block into the top register and continue the operation
till all plaintext blocks are processed.
• For decryption, the IV data is XORed with the first ciphertext block
decrypted. The first ciphertext block is also fed into the top register,
replacing the IV, for decrypting the next ciphertext block.

Analysis of CBC Mode

In CBC mode, the current plaintext block is added (XORed) to the previous
ciphertext block, and then the result is encrypted with the key. Decryption is
thus the reverse process, which involves decrypting the current ciphertext and
then adding the previous ciphertext block to the result.

The advantage of CBC over ECB is that changing the IV results in a different
ciphertext for an identical message. On the drawback side, an error in
transmission gets propagated to a few further blocks during decryption due to
the chaining effect.

It is worth mentioning that CBC mode forms the basis for a well-known data
origin authentication mechanism. Thus, it has an advantage for those
applications that require both symmetric encryption and data origin
authentication.

Cipher Feedback (CFB) Mode

In this mode, each ciphertext block gets ‘fed back’ into the encryption process
in order to encrypt the next plaintext block.

Operation

The operation of CFB mode is depicted in the following illustration. For example,
in the present system, a message block has a size ‘s’ bits where 1 < s < n. The CFB
mode requires an initialization vector (IV) as the initial random n-bit input block.
The IV need not be secret. Steps of operation are –

• Load the IV in the top register.
• Encrypt the data value in top register with underlying block cipher with key
K.
• Take only ‘s’ number of most significant bits (left bits) of output of
encryption process and XOR them with ‘s’ bit plaintext message block to
generate ciphertext block.
• Feed ciphertext block into top register by shifting already present data to
the left and continue the operation till all plaintext blocks are processed.
• Essentially, the previous ciphertext block is encrypted with the key, and
then the result is XORed to the current plaintext block.
• Similar steps are followed for decryption. Pre-decided IV is initially loaded
at the start of decryption.

Analysis of CFB Mode


CFB mode differs significantly from ECB mode: the ciphertext corresponding to
a given plaintext block depends not just on that plaintext block and the key, but
also on the previous ciphertext block. In other words, the ciphertext block is
dependent on the message.

CFB has a very strange feature. In this mode, user decrypts the ciphertext
using only the encryption process of the block cipher. The decryption algorithm
of the underlying block cipher is never used.

Apparently, CFB mode is converting a block cipher into a type of stream cipher.
The encryption algorithm is used as a key-stream generator to produce key
stream that is placed in the bottom register. This key stream is then XORed
with the plaintext as in case of stream cipher.

By converting a block cipher into a stream cipher, CFB mode provides some of
the advantageous properties of a stream cipher while retaining the
advantageous properties of a block cipher.



On the flip side, the error of transmission gets propagated due to changing of
blocks.

Output Feedback (OFB) Mode

It involves feeding the successive output blocks from the underlying block
cipher back to it. These feedback blocks provide a string of bits to feed the
encryption algorithm, which acts as the key-stream generator as in the case of
CFB mode.

The key stream generated is XOR-ed with the plaintext blocks. The OFB mode
requires an IV as the initial random n-bit input block. The IV need not be secret.

The operation is depicted in the following illustration –

Counter (CTR) Mode

It can be considered as a counter-based version of CFB mode without the
feedback. In this mode, both the sender and receiver need access to a
reliable counter, which computes a new shared value each time a ciphertext
block is exchanged. This shared counter is not necessarily a secret value, but
the challenge is that both sides must keep the counter synchronized.

Operation

Both encryption and decryption in CTR mode are depicted in the following
illustration. Steps in operation are −

• Load the initial counter value in the top register; it is the same for both
the sender and the receiver. It plays the same role as the IV in CFB (and CBC)
mode.
• Encrypt the contents of the counter with the key and place the result in
the bottom register.
• Take the first plaintext block P1 and XOR this to the contents of the
bottom register. The result of this is C1. Send C1 to the receiver and
update the counter. The counter update replaces the ciphertext feedback
in CFB mode.
• Continue in this manner until the last plaintext block has been encrypted.
• The decryption is the reverse process. The ciphertext block is XORed with
the output of the encrypted contents of the counter value. After decryption of
each ciphertext block, the counter is updated as in the case of encryption.
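
The ECB, CBC and CTR behaviour described in the sections above can be checked side by side with the following Python code, which is an added example and not part of the original notes. It assumes a toy 64-bit Feistel cipher whose round function is truncated HMAC-SHA256 (a stand-in, not Blowfish or DES); the key, IVs, nonce and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8  # toy 64-bit block, split into two 32-bit Feistel halves

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, order):
    # Toy cipher (assumption, NOT Blowfish/DES): F is HMAC-SHA256 cut to 32 bits.
    left, right = block[:4], block[4:]
    for rnd in order:
        f_out = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:4]
        left, right = right, xor(left, f_out)
    return right + left  # undo the final swap

def encrypt_block(key, block, rounds=8):
    return _feistel(key, block, range(rounds))

def decrypt_block(key, block, rounds=8):
    # Same structure, round order reversed: the Feistel property.
    return _feistel(key, block, reversed(range(rounds)))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for b in blocks(pt):
        prev = encrypt_block(key, xor(b, prev))  # XOR with register, then encrypt
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    # One routine encrypts and decrypts; decrypt_block is never needed.
    out = []
    for n, b in enumerate(blocks(data)):
        keystream = encrypt_block(key, nonce + n.to_bytes(4, "big"))
        out.append(xor(b, keystream))  # zip() trims keystream for a short last block
    return b"".join(out)

def damaged_blocks(expected, got):
    pairs = zip(blocks(expected), blocks(got))
    return [i for i, (a, b) in enumerate(pairs) if a != b]

def flip_bit(data, block_index):
    # Simulate a one-bit transmission error in the given block.
    i = block_index * BLOCK
    return data[:i] + bytes([data[i] ^ 0x01]) + data[i + 1:]

KEY = b"constructed demo key"
IV1, IV2 = bytes(8), b"\x01" * 8
NONCE = b"\x00\x00\x00\x07"
MSG = b"SALARY=4" * 4  # constructed sample: four identical plaintext blocks

if __name__ == "__main__":
    cbc = cbc_encrypt(KEY, IV1, MSG)
    ctr = ctr_crypt(KEY, NONCE, MSG)
    print("ECB distinct blocks:", len(set(blocks(ecb_encrypt(KEY, MSG)))))
    print("CBC distinct blocks:", len(set(blocks(cbc))))
    print("CBC differs under new IV:", cbc != cbc_encrypt(KEY, IV2, MSG))
    print("CBC damage:", damaged_blocks(MSG, cbc_decrypt(KEY, IV1, flip_bit(cbc, 1))))
    print("CTR damage:", damaged_blocks(MSG, ctr_crypt(KEY, NONCE, flip_bit(ctr, 1))))
```

ECB collapses the four identical plaintext blocks into one repeated ciphertext block, a one-bit error in CBC ciphertext block 1 damages plaintext blocks 1 and 2 only, and the same error in CTR damages block 1 only.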

STREAM CIPHERS
A typical stream cipher encrypts plaintext one byte at a time, although a stream
cipher may be designed to operate on one bit at a time or on units larger than a
byte at a time. A key is input to a pseudorandom bit generator that produces a
stream of 8-bit numbers that are apparently random. The output of the
generator, called a keystream, is combined one byte at a time with the plaintext
stream using the bit-wise exclusive-OR (XOR) operation. For example, if the
next byte generated by the generator is 01101100 and the next plaintext byte is
11001100, then the resulting ciphertext byte is

Decryption requires the use of the same pseudorandom sequence.

RC4

RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a
variable key size stream cipher with byte-oriented operations. The algorithm is
based on the use of a random permutation. Analysis shows that the period of the
cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen
machine operations are required per output byte, and the cipher can be expected
to run very quickly in software. RC4 is used in the Secure Sockets
Layer/Transport Layer Security (SSL/TLS) standards that have been defined for
communication between Web browsers and servers.

The RC4 algorithm is remarkably simple and quite easy to explain. A variable
length key of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a
256-byte state vector S, with elements S[0], S[1], S[2], . . . , S[255].

Initialization of S

To begin, the entries are set equal to the values from 0 through 255 in
ascending order; that is, S[0] = 0, S[1] = 1, . . . , S[255] = 255.
A temporary vector, T, is also created. If the length of the key K is 256 bytes,
then K is transferred to T. Otherwise, for a key of length keylen bytes, the
first keylen elements of T are copied from K, and then K is repeated as many
times as necessary to fill out T. These preliminary operations can be summarized
as

Stream Generation
Once the S vector is initialized, the input key is no longer used. Stream
generation involves cycling through all the elements of S[i], and for each S[i],
swapping S[i] with another byte in S according to a scheme dictated by the
current configuration of S. After S[255] is reached, the process continues,
starting over again at S[0].

/* Stream Generation */
i, j = 0;
while (true)
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    Swap (S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    k = S[t];    /* k is the next keystream byte */
LOCATION AND PLACEMENT OF ENCRYPTION FUNCTION

If encryption is to be used to counter attacks on confidentiality, we need to
decide what to encrypt and where the encryption function should be located. To
begin, this section examines the potential locations of security attacks and then
looks at the two major approaches to encryption placement: link and end to end.

Potential Locations for Confidentiality Attacks

As an example, consider a user workstation in a typical business organization.
Figure 7.1 suggests the types of communications facilities that might be
employed by such a workstation and therefore gives an indication of the points
of vulnerability.

Figure 7.1. Points of Vulnerability


In most organizations, workstations are attached to local area networks (LANs).
Typically, the user can reach other workstations, hosts, and servers directly on
the LAN or on other LANs in the same building that are interconnected with
bridges and routers. Here, then, is the first point of vulnerability. In this case,
the main concern is eavesdropping by another employee. Typically, a LAN is a
broadcast network: Transmission from any station to any other station is visible
on the LAN medium to all stations. Data are transmitted in the form of frames,
with each frame containing the source and destination address. An eavesdropper
can monitor the traffic on the LAN and capture any traffic desired on the basis
of source and destination addresses. If part or all of the LAN is wireless, then
the potential for eavesdropping is greater.

Link versus End-to-End Encryption

The most powerful and most common approach to securing the points of
vulnerability highlighted in the preceding section is encryption. If encryption is
to be used to counter these attacks, then we need to decide what to encrypt and
where the encryption gear should be located. As the figure indicates, there are
two fundamental alternatives: link encryption and end-to-end encryption.

Encryption Across a Packet-Switching Network


PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEMS
The concept of public-key cryptography evolved from an attempt to attack two
of the most difficult problems associated with symmetric encryption. The first
problem is that of key distribution.

The second problem that Diffie pondered, and one that was apparently unrelated
to the first, was that of digital signatures.

Public key Cryptosystem − Asymmetric algorithms depend on one key for
encryption and a distinct but related key for decryption. These algorithms have
the following characteristics −

• It is computationally infeasible to determine the decryption key given only
information about the cryptographic algorithm and the encryption key.
• There are two related keys, such that one can be used for encryption, with
the other used for decryption.

A public key encryption scheme has the following ingredients −

• Plaintext − This is the readable message or information that is fed
into the algorithm as input.
• Encryption algorithm − The encryption algorithm performs several
conversions on the plaintext.
• Public and Private keys − This is a pair of keys that have been selected so
that if one is used for encryption, the other is used for decryption.
• Ciphertext − This is the scrambled message generated as output. It depends on
the plaintext and the key. For a given message, two different keys will
produce two different ciphertexts.
• Decryption Algorithm − This algorithm takes the ciphertext and the matching
key and produces the original plaintext.

The essential steps are the following.

1. Each user generates a pair of keys to be used for the encryption and
decryption of messages.

2. Each user places one of the two keys in a public register or other accessible
file. This is the public key. The companion key is kept private. As the figure
suggests, each user maintains a collection of public keys obtained from others.

3. If Bob wishes to send a confidential message to Alice, Bob encrypts the
message using Alice’s public key.

4. When Alice receives the message, she decrypts it using her private key. No
other recipient can decrypt the message because only Alice knows Alice’s private
key.

Public Key Cryptography Requirements


Public key cryptography must meet the following requirements.

• The computation of the pair of keys i.e. private key and the public key must
be easy.
• Knowing the encryption algorithm and public key of the intended receiver,
computation of cipher text must be easy.
• For a receiver of the message, it should be computationally easy to decrypt
the obtained cipher text using his private key.
• It is also required that any opponent in the network knowing the public key
should be unable to determine its corresponding private key.
• Having the cipher text and public key an opponent should be unable to
determine the original message.
• The two keys, i.e. the public and private key, can be applied in either order:
D[PU, E(PR, M)] = D[PR, E(PU, M)]

RSA ALGORITHM

In this algorithm two keys are used: one is the private key and the other is the
public key.

Diffie–Hellman Key Exchange/Agreement Algorithm

In this scheme the two parties, who want to communicate securely, can agree on
a symmetric key using this technique. This key can then be used for
encryption/decryption. However, we must note that the Diffie–Hellman key
exchange algorithm can be used only for key agreement, but not for encryption or
decryption of messages. Once both the parties agree on the key to be used, they
need to use other symmetric key encryption algorithms for actual encryption or
decryption of messages.

Description of the Algorithm

Diffie–Hellman key exchange algorithm

Example of the Algorithm

ELGAMAL CRYPTOGRAPHY (ECC)

In this ECC we have three phases:

1. Key generation
2. Encryption
3. Decryption

ElGamal process as follows:

KEY DISTRIBUTION

• Key distribution is the function that delivers a key to two parties who wish
to exchange secure encrypted data. Some sort of mechanism or protocol
is needed to provide for the secure distribution of keys.
• Key distribution often involves the use of master keys, which are
infrequently used and are long lasting, and session keys, which are
generated and distributed for temporary use between two parties.
• Public-key encryption schemes are secure only if the authenticity of the
public key is assured. A public-key certificate scheme provides the
necessary security.
• X.509 defines the format for public-key certificates. This format is widely
used in a variety of applications.