1.
Information Security, Unit 2
Prof. Chintan Patel, CE Department
MEFGI, Rajkot
2.
• A stream cipher encrypts a digital data stream one bit or one byte at a time.
Example: the Vigenère cipher or the Vernam cipher.
GATE note: a stream cipher is also described as a block cipher with block size = 1.
• A block cipher is a symmetric-key modern cipher that encrypts an n-bit block of plaintext and decrypts an n-bit block of ciphertext at a time.
• PADDING:
If the message has fewer than n bits, it must be padded to n bits.
If the message size is not a multiple of n bits, it is divided into n-bit blocks and the last block is padded.
3.
• Can we model substitution as a permutation?
• Yes: with n-bit inputs and outputs, a substitution is a permutation of the 2^n possible n-bit values. The table below shows one such permutation (eight values, i.e. n = 3): each input value on the top row maps to the output value below it.
Input:  0 1 2 3 4 5 6 7
Output: 7 4 3 2 1 0 6 5
4.
• Reversible mapping: one that produces unique ciphertext blocks, so that the plaintext can be recovered.

a. Reversible mapping
Plain text   Cipher text
00           11
01           10
10           00
11           01

b. Irreversible mapping (two plaintexts map to the same ciphertext 01)
Plain text   Cipher text
00           11
01           10
10           01
11           01
5.
• A table of this kind can be used to define any reversible mapping between plaintext and ciphertext. Feistel refers to this as the ideal block cipher.
7.
• An ideal block cipher for a large block size is not practical; from the implementation and performance point of view the problem is that the mapping itself constitutes the key.
• "The basic aim of a key is to produce unique ciphertext, but here every plaintext entry itself is giving its unique ciphertext" ....
• So the total key size, for n = 4 (refer to the previous slide's table, where n = 4), is 4 (number of bits) × 16 (number of rows) = 64 bits.
• In general, for n bits the key is n × 2^n bits.
8.
• Substitution: each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements.
• Permutation: a sequence of plaintext elements is replaced by a permutation of that sequence. No elements are added, deleted or replaced; only the order of the elements is changed.
9.
• "Based on knowledge of the statistical characteristics of the plaintext, an attacker can guess the probable words of a message." ... So Claude Shannon introduced two concepts:
• hiding the relationship between plaintext and ciphertext: called diffusion
• hiding the relationship between ciphertext and key: called confusion
• The mechanism of diffusion seeks to make the statistical relationship between the plaintext (P.T.) and the ciphertext (C.T.) as complex as possible, in order to thwart attempts to deduce the key.
• In confusion, even if the attacker can get a handle on some statistics of the C.T., the way in which the key was used to produce that ciphertext is so complex that it is difficult to deduce the key.
10.
• Diffusion can be achieved by repeatedly performing some permutation: the effect is that bits from different positions in the original plaintext contribute to a single bit of the ciphertext.
• Confusion can be achieved by the use of a complex substitution algorithm, like the Hill cipher or the Playfair cipher.
11.
Data Encryption Standard (DES)
The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).
12.
• In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem.
• A proposal from IBM, a modification of a project called Lucifer, was accepted as DES.
• DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS).
16.
Note: The initial and final permutations are straight P-boxes that are inverses of each other. They have no cryptographic significance in DES.
17.
DES uses 16 rounds. Each round of DES is a Feistel cipher.
A round in DES (encryption site)
18.
The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.
DES function
19.
Expansion P-box
Since R(I−1) is a 32-bit input and K_I is a 48-bit key, we first need to expand R(I−1) to 48 bits.
Expansion permutation
20.
Although the relationship between the input and output can be defined mathematically, DES uses the table below to define this P-box.
Expansion P-box table
21.
Whitener (XOR)
After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48 bits in length. Also note that the round key is used only in this operation.
22.
S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output.
S-boxes
24.
S-box 1
Example : The input to S-box 1 is 100011. What is the
output?
If we write the first and the sixth bits together, we get 11 in binary,
which is 3 in decimal. The remaining bits are 0001 in binary, which
is 1 in decimal. We look for the value in row 3, column 1, in Table (S-
box 1). The result is 12 in decimal, which in binary is 1100. So the
input 100011 yields the output 1100.
28.
• DES Design Criteria
Design criteria for S-Box(substitution)
Design criteria for P-Box(permutation)
• Number of Rounds
• Design of The function F.
• Key scheduling
29.
• No output bit of any S-box should be too close to a linear function of the input bits.
• Each row of an S-box should include all 16 possible output bit combinations.
• If 2 inputs to an S-box differ by 1 bit, then the outputs must differ by at least 2 bits.
• If 2 inputs to an S-box differ in exactly the two middle bits, then the outputs must differ by at least 2 bits.
• If 2 inputs to an S-box differ in their first 2 bits and are identical in their last 2 bits, then the outputs must not be the same.
These criteria are intended to increase the confusion of the algorithm.
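As an added example (not from the slides): S-box 1 as a lookup in Python, plus a check of the row-completeness and bit-difference criteria listed above over all 64 inputs. The table is the standard S1 of FIPS 46-3; the bit numbering follows the 100011 worked example on slide 24.

```python
# DES S-box 1 (standard table from FIPS 46-3): 4 rows x 16 columns, 4-bit entries.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(box, x):
    """6-bit input x -> 4-bit output.

    Row = outer bits (b1, b6), column = inner bits (b2 b3 b4 b5),
    exactly as in the 100011 worked example.
    """
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return box[row][col]


def hamming(a, b):
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def check_sbox_criteria(box):
    """Evaluate the S-box design criteria from the slide over all 64 inputs."""
    inputs = range(64)
    rows_complete = all(sorted(row) == list(range(16)) for row in box)
    # Inputs differing in exactly one bit -> outputs differ in >= 2 bits.
    one_bit = all(
        hamming(sbox(box, x), sbox(box, x ^ (1 << i))) >= 2
        for x in inputs for i in range(6)
    )
    # Inputs differing in exactly the two middle bits (b3, b4) -> >= 2 output bits.
    middle_bits = all(hamming(sbox(box, x), sbox(box, x ^ 0b001100)) >= 2 for x in inputs)
    # Inputs differing in the first two bits (b1, b2), identical in the last two
    # (b5, b6), with b3/b4 arbitrary -> outputs must not be equal.
    first_two = all(
        sbox(box, x) != sbox(box, x ^ 0b110000 ^ (mid << 2))
        for x in inputs for mid in range(4)
    )
    return {
        "rows_complete": rows_complete,
        "one_bit_diff_gives_2": one_bit,
        "middle_bits_diff_gives_2": middle_bits,
        "first_two_bits_diff_distinct": first_two,
    }


if __name__ == "__main__":
    print(f"S1(100011) = {sbox(S1, 0b100011):04b}")   # 1100, as on slide 24
    print(check_sbox_criteria(S1))
```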
30.
• The 4 output bits from each S-box in round i are distributed so that 2 of them affect "middle bits" of round i+1 and the other 2 affect end bits.
• The 4 output bits from each S-box affect 6 different S-boxes in the next round, and no two affect the same S-box.
• These criteria are intended to increase the diffusion of the algorithm.
31.
• Schneier observes that for 16-round DES, a differential cryptanalysis attack is less efficient than brute force.
• Differential cryptanalysis requires 2^55.1 operations, while brute force requires 2^55.
• If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a brute-force attack.
32.
• SAC (Strong Avalanche Criterion)
• It must provide the avalanche effect:
small changes in the plaintext or the key must produce a very different ciphertext.
• BIC (Bit Independence Criterion)
Output bits j and k should change independently when any single input bit i is inverted.
The BIC and SAC criteria appear to strengthen the effectiveness of confusion.
• Key schedule: select the key schedule to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.
33.
• Multiple encryption and Triple DES
• Block cipher modes of operation
• Book: William Stallings (Chapter 6)
34.
• Topics to be covered….
Introduction
Double DES
Triple DES With 2 keys
Triple DES with 3 keys..
35.
• Multiple encryption: an encryption algorithm is used multiple times.
• Triple DES: 3 stages of the DES algorithm with 2 or 3 keys.
36.
• Is there some K3 that can be prepared from K1 and K2 such that the following is true?
• E(K2, E(K1, P)) = E(K3, P)
• No, it is not possible: DES is not a group (unlike, for example, the Caesar cipher, where two shifts compose to a single shift).
• So double DES results in a mapping which is not equal to a single DES encryption.
37.
• Thus double DES results in a mapping which is not equal to a single DES encryption.
• C = E(K2, E(K1, P))
• X = E(K1, P) = D(K2, C)
• Attack (meet-in-the-middle) based on a given (P, C) pair:
• Encrypt P using every possible K1. Store the results in a table and sort the table by the value of X.
• Decrypt C using every possible K2 and match each result against X in the table. If a matching pair of keys is found, try it on another ciphertext; if it produces the correct plaintext, accept the pair as the correct keys.
38.
• Hence one must use 3 encryptions, which would seem to need 3 distinct keys.
• But 2 keys can be used with an E-D-E sequence:
C = E_K1(D_K2(E_K1(P)))
Encrypt and decrypt are equivalent in security, and if K1 = K2 the construction works with (is compatible with) single DES.
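The table-based search of slide 37 and the K1 = K2 observation of slide 38, as an added Python example that is not from the slides. A constructed 8-bit toy cipher (XOR with the key, then a fixed nonlinear S-box) stands in for DES so the whole 2^8 × 2^8 double-key space can be examined; the point is the work ratio against the 2^16 brute-force search, not the cipher.

```python
# Constructed toy block cipher: 8-bit block, 8-bit key.  NOT DES; it stands in for
# E(K, P) so that double encryption can be analysed exhaustively.
SBOX = [pow(x + 1, 3, 257) - 1 for x in range(256)]   # a fixed nonlinear permutation
SBOX_INV = [0] * 256
for _i, _v in enumerate(SBOX):
    SBOX_INV[_v] = _i


def E(k, p):
    """Toy encryption: XOR with the key, then the S-box."""
    return SBOX[p ^ k]


def D(k, c):
    """Toy decryption: inverse S-box, then XOR with the key."""
    return SBOX_INV[c] ^ k


def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))          # C = E(K2, E(K1, P))


def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs following the slide's steps.

    Returns (candidates, work) where work counts toy-cipher calls; brute force
    over the double key would need 2^16 = 65536 double encryptions.
    """
    p0, c0 = pairs[0]
    # Step 1: encrypt P under every K1; table keyed by X = E(K1, P).
    table = {}
    for k1 in range(256):
        table.setdefault(E(k1, p0), []).append(k1)
    work = 256
    # Step 2: decrypt C under every K2 and look up X = D(K2, C) in the table;
    # a hit is accepted only if it also explains the remaining known pairs.
    candidates = []
    for k2 in range(256):
        work += 1
        for k1 in table.get(D(k2, c0), []):
            work += len(pairs) - 1
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, work


def single_key_equivalent(k1, k2):
    """Return a K3 with E(K3, P) == E(K2, E(K1, P)) for all P, or None if none exists
    (i.e. double encryption is not just another single encryption)."""
    for k3 in range(256):
        if all(E(k3, p) == double_encrypt(k1, k2, p) for p in range(256)):
            return k3
    return None


def ede_with_equal_keys(k, p):
    """Two-key Triple DES pattern E(K1, D(K2, E(K1, P))) with K1 = K2 = K."""
    return E(k, D(k, E(k, p)))


if __name__ == "__main__":
    K1, K2 = 0x3C, 0xA5                        # constructed secret keys
    known = [(p, double_encrypt(K1, K2, p)) for p in (0x00, 0x5A, 0xFF)]
    found, work = meet_in_the_middle(known)
    print(found, work)                          # (0x3c, 0xa5) is among the candidates; work << 65536
    print(single_key_equivalent(K1, K2))        # None: no single key reproduces the double encryption
    print(ede_with_equal_keys(K1, 0x42) == E(K1, 0x42))   # True: EDE with K1 = K2 collapses to single encryption
```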
39.
• Although there are no practical attacks on two-key Triple DES, there are some indications of concern.
• Triple DES with three keys can be used to avoid even these:
C = E_K3(D_K2(E_K1(P)))
• It has been adopted by some Internet applications, e.g. PGP, S/MIME.
40.
• A "new" mode, though it was proposed early on.
• Similar to OFB, but it encrypts a counter value rather than any feedback value.
• Must have a different key and counter value for every plaintext block (never reused).
• Uses: high-speed network encryption.
41.
• Hardware efficiency: in CTR mode, encryption can be done in parallel on multiple plaintext blocks.
• Software efficiency: because of the parallel work, processor features like aggressive pipelining, multiple instruction dispatch and a large number of registers can be exploited effectively.
• Preprocessing: the encryption does not depend on the plaintext or ciphertext, so preprocessing can be used to prepare the output of the encryption boxes that feed into the XOR.
• Simplicity
• Provable security
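CTR mode as described on slides 40 and 41, as an added Python example that is not from the slides: keystream blocks are computed from (key, counter) alone, so they can be precomputed or computed in parallel; the same function decrypts; and reusing a key/counter pair leaks the XOR of two plaintexts. HMAC-SHA256 truncated to 16 bytes is assumed as a stand-in for the block cipher E_K (it is not AES or DES) so the code runs on the standard library alone.

```python
import hashlib
import hmac

BLOCK = 16          # bytes per counter block / keystream block


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K(block): a keyed PRF (HMAC-SHA256 truncated), not a real block cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def counter_block(nonce: bytes, i: int) -> bytes:
    """Counter block i = nonce || big-endian block counter."""
    return nonce + i.to_bytes(BLOCK - len(nonce), "big")


def keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    """Preprocessing: every keystream block depends only on (key, nonce, i),
    so this loop could run before the plaintext exists, or in parallel."""
    return b"".join(block_encrypt(key, counter_block(nonce, i)) for i in range(nblocks))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): data XOR keystream.
    The last block may be partial; unused keystream bytes are dropped, so no padding is needed."""
    nblocks = (len(data) + BLOCK - 1) // BLOCK
    ks = keystream(key, nonce, nblocks)
    return bytes(d ^ k for d, k in zip(data, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Why the counter must never be reused: with the same key and nonce,
    C1 XOR C2 == P1 XOR P2, so the keystream cancels and plaintext structure leaks."""
    c1 = ctr_crypt(key, nonce, p1)
    c2 = ctr_crypt(key, nonce, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1, c2)[:n] == xor_bytes(p1, p2)[:n]


if __name__ == "__main__":
    key = bytes(range(32))                   # constructed demo key
    nonce = b"\x00" * 8                      # constructed nonce; 8 counter bytes follow it
    msg = b"CTR mode: the last block is partial, no padding"
    ct = ctr_crypt(key, nonce, msg)
    print(ct.hex(), ctr_crypt(key, nonce, ct) == msg)
    print("reuse leaks P1 xor P2:", reuse_leak(key, nonce, b"attack at dawn", b"attack at dusk"))
```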
42.
• IDEA (International Data Encryption Algorithm)
• Blowfish
• RC2, RC5
• CAST-128
43.
• It is a minor revision of an earlier cipher, PES
(Proposed Encryption Standard);
• IDEA was originally called IPES (Improved PES).
• IDEA was used as the symmetric cipher in early
versions of the Pretty Good Privacy cryptosystem.
44.
• The IDEA encryption algorithm
provides a high level of security, based not on keeping the algorithm secret but on the secrecy of the key
is fully specified and easily understood
is available to everybody
is suitable for use in a wide range of applications
can be economically implemented in electronic components (VLSI chip)
can be used efficiently
may be exported worldwide
is patent protected to prevent fraud and piracy
45.
• The algebraic idea behind IDEA is the mixing of three incompatible algebraic operations on 16-bit blocks:
bitwise XOR,
addition modulo 2^16, and
multiplication modulo 2^16 + 1.
46.
• The 64-bit plaintext is divided into four 16-bit blocks, called X1, X2, X3, X4.
• The 128-bit key is divided into eight 16-bit blocks.
47.
1. Multiply X1 and the first subkey Z1.
2. Add X2 and the second subkey Z2.
3. Add X3 and the third subkey Z3.
4. Multiply X4 and the fourth subkey Z4.
5. Bitwise XOR the results of steps 1 and 3.
6. Bitwise XOR the results of steps 2 and 4.
7. Multiply the result of step 5 and the fifth subkey Z5.
8. Add the results of steps 6 and 7.
9. Multiply the result of step 8 and the sixth subkey Z6.
10. Add the results of steps 7 and 9.
11. Bitwise XOR the results of steps 1 and 9.
12. Bitwise XOR the results of steps 3 and 9.
13. Bitwise XOR the results of steps 2 and 10.
14. Bitwise XOR the results of steps 4 and 10.
48.
• Finally the output transformation ("half round") occurs, using the last four subkeys:
1. Multiply X1 and the first of these subkeys.
2. Add X2 and the second.
3. Add X3 and the third.
4. Multiply X4 and the fourth.
49.
• Each of the eight complete rounds requires six subkeys, and the final transformation "half round" requires four subkeys; so the entire process requires 52 subkeys.
• The 128-bit key is split into eight 16-bit subkeys.
• The key bits are then rotated to the left by 25 bits.
• The resulting 128-bit string is split into eight 16-bit blocks that become the next eight subkeys.
• The shifting and splitting process is repeated until 52 subkeys are generated.
• The shifts of 25 bits ensure that repetition does not occur in the subkeys.
• Six subkeys are used in each of the 8 rounds. The final 4 subkeys are used in the ninth "half round" final transformation.
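The three operations, the 14-step round, the final transformation and the 25-bit-rotation key schedule of slides 45 to 49, as an added Python encryption routine that is not from the slides. It follows the step numbering above; the outputs of steps 11 to 14 are already in swapped order (X1, X3, X2, X4 positions), so, as in the standard description of IDEA, that swap is undone before the final transformation. The key in the demo is a constructed value.

```python
MASK16 = 0xFFFF


def add(a, b):
    """Addition modulo 2^16."""
    return (a + b) & MASK16


def mul(a, b):
    """Multiplication modulo 2^16 + 1, where the 16-bit value 0 represents 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    return (a * b % 0x10001) & MASK16      # a result of 2^16 maps back to 0


def key_schedule(key):
    """52 subkeys from a 128-bit key: take eight 16-bit words, rotate the key
    left by 25 bits, repeat (6 x 8 = 48 words, plus 4 for the half round)."""
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(key >> (112 - 16 * i)) & MASK16 for i in range(8)]
        key = ((key << 25) | (key >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def idea_round(x, z):
    """One full round; x = (X1, X2, X3, X4), z = (Z1..Z6). Step numbers as on slide 47."""
    x1, x2, x3, x4 = x
    s1 = mul(x1, z[0])          # 1
    s2 = add(x2, z[1])          # 2
    s3 = add(x3, z[2])          # 3
    s4 = mul(x4, z[3])          # 4
    s5 = s1 ^ s3                # 5
    s6 = s2 ^ s4                # 6
    s7 = mul(s5, z[4])          # 7
    s8 = add(s6, s7)            # 8
    s9 = mul(s8, z[5])          # 9
    s10 = add(s7, s9)           # 10
    return (s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10)   # 11, 12, 13, 14


def idea_encrypt(block, key):
    """Encrypt a 64-bit block given as four 16-bit words (X1, X2, X3, X4)."""
    z = key_schedule(key)
    x = tuple(block)
    for r in range(8):
        x = idea_round(x, z[6 * r:6 * r + 6])
    x1, x2, x3, x4 = x
    x2, x3 = x3, x2             # undo the middle swap built into the last round
    # Final "half round" with the last four subkeys (Z49..Z52).
    return (mul(x1, z[48]), add(x2, z[49]), add(x3, z[50]), mul(x4, z[51]))


if __name__ == "__main__":
    key = 0x0001_0002_0003_0004_0005_0006_0007_0008   # constructed demo key
    print([f"{k:04x}" for k in key_schedule(key)[:16]])
    print([f"{w:04x}" for w in idea_encrypt((0, 1, 2, 3), key)])
```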
50.
• Simplified IDEA encrypts a 16-bit block of plaintext to a 16-bit block of ciphertext. It uses a 32-bit key. The simplified algorithm consists of four identical rounds and a "half round" final transformation.
52.
• IDEA-based security solutions are available in many market areas, ranging from financial services and broadcasting to government.
• The IDEA algorithm can easily be embedded in any encryption software. Data encryption can be used to protect data transmission and storage. Typical fields are:
– Audio and video data for cable TV, pay TV, video conferencing, distance learning, business TV, VoIP
– Sensitive financial and commercial data
– Email via public networks
– Transmission links via modem, router or ATM link, GSM technology
– Smart cards
54.
• Developed by Bruce Schneier in 1993/94.
• Design objectives:
Fast: the Blowfish encryption rate on a 32-bit microprocessor is 26 clock cycles per byte.
Compact: it can be executed in less than 5 KB of memory.
Simple: it uses only primitive operations like XOR and table lookup, making its design and implementation simple.
Secure: Blowfish has a variable key length, from a minimum of 32 bits up to a maximum of 448 bits, to make it flexible and secure.
It is used in applications where the key remains constant for a long time (e.g. a communication link) but not where the key changes frequently (e.g. packet switching).
55.
• Encrypts 64-bit blocks with a variable-length key, and consists of two parts:
Subkey generation: expands the key (up to 448 bits long) into subkeys totaling 4168 bits.
Data encryption: iteration of a Feistel function 16 times; each round contains a key-dependent permutation and a key- and data-dependent substitution.
56.
• 1. Blowfish uses a large number of subkeys, and they must be computed before encryption or decryption. The key size ranges from 32 bits to 448 bits, i.e. 1 to 14 words of 32 bits each:
K1, K2, K3, ..., Kn, where each block contains 32 bits.
• 2. P-array, consisting of 18 32-bit subkeys:
P1, P2, ..., P18.
Schneier recommends initializing them with the bits of the fractional part of the constant pi = 22/7:
P1 = 24F6C98
P2 = 85F6A88 ...
P18 = 84F6D84.
57.
• 3. Four S-boxes, each containing 256 32-bit entries:
S1,0 ... S1,255
S2,0 ... S2,255
S3,0 ... S3,255
S4,0 ... S4,255
They are initialized in the same way as the P-array, with hexadecimal digits of the fractional part of the constant pi = 22/7.
• 4. Then bitwise XOR P1 with K1, P2 with K2, ..., P14 with K14. After that the key array K is exhausted, so P15 to P18 are XORed with K1 to K4 again (the key words are reused cyclically):
P1 = P1 XOR K1
P2 = P2 XOR K2
...
P18 = P18 XOR K4
58.
• RC5 is a symmetric block cipher developed by Ron Rivest.
• Quite fast, because it uses only addition, XOR and shift (rotation) operations.
• Allows a variable number of rounds and a variable-size key to add flexibility.
• Requires less memory for execution and is therefore suitable not only for desktop applications but also for smart cards and other devices.
59.
Parameter                          Allowed values
Word size in bits                  16, 32, 64
Number of rounds                   0 ... 255
Number of 8-bit bytes in the key   0 ... 255
Word size, number of rounds and key length are all variable: before executing a particular instance of RC5, these values can be chosen from those allowed, unlike DES and IDEA.
RC5 uses 2-word blocks.
An instance is written RC5-w/r/b, where w = word size, r = number of rounds, b = number of 8-bit bytes in the key.
Example: RC5-32/16/16 means 64-bit (32 × 2) blocks, 16 rounds and a 16-byte key.
60.
• The input plaintext is divided into two equal-size blocks A and B.
• To produce C and D, S[0] is added to A and S[1] is added to B.
61.
• Step 1: XOR C and D to produce E.
• Step 2: Circular left shift E by D bits.
• Step 3: Add E and the next subkey to produce F.
62.
• Step 4: XOR D and F to produce G.
• Step 5: Circular left shift G (by F bits).
• Step 6: Add G and the next subkey.
63.
• Check whether all rounds are finished; if not, repeat the steps for the next round.
64.
• Step 1: The subkeys S[0], S[1], ... are generated.
• Step 2: The original key is called L. All subkeys (S[0], S[1], ...) are mixed with the corresponding portions of the original key (L[0], L[1], ...).
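RC5-w/r/b as described on slides 59 to 64, as an added Python implementation that is not from the slides: the key expansion that mixes the subkey array S with the key words L (slide 64), the per-round steps of slides 60 to 62, and the inverse steps for decryption. P32 and Q32 are RC5's standard constants for w = 32; the key and plaintext in the demo are constructed values.

```python
W = 32                               # word size in bits (RC5-32/r/b)
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9    # standard RC5 constants for w = 32


def rotl(x, n):
    """Circular left shift of a w-bit word; only the low log2(w) bits of n matter."""
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK


def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK


def expand_key(key: bytes, r: int):
    """Build the subkey array S[0..2r+1] from a b-byte key (b = len(key), 0..255)."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    # Step 1: copy the key into c little-endian words L[0..c-1].
    L = [0] * c
    for i in reversed(range(len(key))):
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    # Step 2: fill S with the arithmetic progression P32 + i*Q32.
    t = 2 * (r + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    # Step 3: mix S and L together for 3 * max(t, c) iterations (slide 64, step 2).
    i = j = a = b = 0
    for _ in range(3 * max(t, c)):
        a = S[i] = rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = rotl((L[j] + a + b) & MASK, a + b)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def encrypt(S, A, B, r):
    """Encrypt one 2-word block (A, B) with r rounds."""
    A = (A + S[0]) & MASK                                # C = A + S[0]
    B = (B + S[1]) & MASK                                # D = B + S[1]
    for i in range(1, r + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK           # E = C xor D, rotate by D, add subkey -> F
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK       # G = D xor F, rotate by F, add subkey
    return A, B


def decrypt(S, A, B, r):
    """Inverse of encrypt: undo the rounds in reverse order, then the initial additions."""
    for i in range(r, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    return (A - S[0]) & MASK, (B - S[1]) & MASK


if __name__ == "__main__":
    r, key = 12, bytes(range(16))                        # RC5-32/12/16 with a constructed key
    S = expand_key(key, r)
    ct = encrypt(S, 0x01234567, 0x89ABCDEF, r)
    print([hex(w) for w in ct], decrypt(S, *ct, r) == (0x01234567, 0x89ABCDEF))
```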
65.
• Typically there is a hierarchy of keys:
• Session key:
a temporary key
used for encryption of data between users for one logical session, then discarded
• Master key:
used to encrypt session keys
shared by the user and the key distribution center
67.
Hierarchies of KDCs are required for large networks, but the KDCs must trust each other.
Session key lifetimes should be limited for greater security (in both the connection-oriented and the connectionless case).
Automatic key distribution can be used on behalf of users, but the system must then be trusted.
Decentralized key distribution can be used.
Controlling key usage.
68.
• For cryptographic applications, a block cipher can be used to generate random numbers,
• often for creating session keys from a master key.
• Counter mode: Xi = E_Km[i]
• Output feedback mode: Xi = E_Km[X(i−1)]
69.
• Deterministic algorithmic techniques are often used to create "random numbers"
although they are not truly random
they can pass many tests of "randomness"
• known as "pseudorandom numbers"
• created by "Pseudorandom Number Generators (PRNGs)"
70.
• A common iterative technique uses:
• X(n+1) = (a·Xn + c) mod m
• Given suitable values of the parameters, it can produce a long random-like sequence.
• Suitable criteria are:
• the function generates a full period
• the generated sequence should appear random
• efficient implementation with 32-bit arithmetic
• Note that an attacker can reconstruct the sequence given a small number of values.
• There are possibilities for making this harder.
71.
• Also called the Blum, Blum, Shub generator.
• Choose two large prime numbers p and q that both have remainder 3 when divided by 4.
• Let n = p × q, and choose a random s such that s is relatively prime to n
• (i.e., neither p nor q is a factor of s).
72.
• X0 = s^2 mod n
• For i = 1 to infinity:
• Xi = (X(i−1))^2 mod n
• Bi = Xi mod 2
• BBS is also referred to as a cryptographically secure pseudorandom bit generator (CSPRBG).
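The Blum Blum Shub generator of slides 71 and 72 with the stated parameter checks (p ≡ q ≡ 3 mod 4, gcd(s, n) = 1), together with a full-period test for the linear congruential generator of slide 70, as an added Python example that is not from the slides. The full-period test applies the Hull-Dobell conditions, which the slide names as a criterion but does not spell out; p = 11, q = 19 are constructed toy values, far too small for real use.

```python
from math import gcd


def is_prime(n):
    """Trial division; adequate for the small demo parameters used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def bbs_bits(p, q, s, count):
    """Blum Blum Shub: x0 = s^2 mod n, x_i = x_{i-1}^2 mod n, b_i = x_i mod 2.
    Raises ValueError when the parameters break the slide's requirements."""
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be prime")
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed s must be relatively prime to n (neither p nor q divides s)")
    x = pow(s, 2, n)                 # x0
    bits = []
    for _ in range(count):
        x = pow(x, 2, n)             # x_i = (x_{i-1})^2 mod n
        bits.append(x % 2)           # b_i = x_i mod 2
    return bits


def prime_factors(m):
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors


def lcg_full_period(a, c, m):
    """Hull-Dobell test: X_{n+1} = (a*X_n + c) mod m visits all m values iff
    gcd(c, m) = 1, every prime factor of m divides a-1, and 4 | m implies 4 | a-1."""
    if gcd(c, m) != 1:
        return False
    if any((a - 1) % pf for pf in prime_factors(m)):
        return False
    return m % 4 != 0 or (a - 1) % 4 == 0


def lcg_period(a, c, m, seed):
    """Measured period: iterate until the seed recurs (small m only);
    None if the seed is never revisited within m steps."""
    x, steps = (a * seed + c) % m, 1
    while x != seed:
        x, steps = (a * x + c) % m, steps + 1
        if steps > m:
            return None
    return steps


if __name__ == "__main__":
    print(bbs_bits(11, 19, 3, 7))                  # constructed tiny parameters: n = 209
    print(lcg_full_period(5, 3, 16), lcg_period(5, 3, 16, 0))
```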
74.
• Developed by Ron Rivest (RSA Data Security)
• 64-bit block cipher
• Variable key size (from one byte up to 128 bytes)
• Designed to be easy to implement on 16-bit microprocessors
Uses 16-bit words and 16-bit arithmetic (addition, XOR, AND, ~ (complement), rotate)
• Non-Feistel
• 18 rounds (mixing/mashing)
• Used in S/MIME
75.
• RC2 assumes a 128-byte (64-word) key buffer.
For byte operations, the key array is L[0], ..., L[127]; each L[i] is a byte.
For word operations, the key array is K[0], ..., K[63]; each K[i] is a 16-bit word.
These are alternative views of the same key buffer.
• Key expansion
Assume that exactly T bytes of key are supplied, 1 ≤ T ≤ 128.
The purpose of the key expansion algorithm is to modify the key buffer so that each bit of the expanded key depends in a complicated way on every bit of the supplied input key.
Key expansion begins by placing the supplied T-byte key into bytes L[0], ..., L[T−1] of the key buffer.
The rest of the L array is then computed making use of an auxiliary array P.
The P array is a random permutation of the values 0, ..., 255, constructed from the digits of pi = 3.14159... (see the next slide).
The word view is computed as
K[i] = L[2*i] + 256*L[2*i+1].
76.
Here is the P array in hexadecimal notation:
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: d9 78 f9 c4 19 dd b5 ed 28 e9 fd 79 4a a0 d8 9d
10: c6 7e 37 83 2b 76 53 8e 62 4c 64 88 44 8b fb a2
20: 17 9a 59 f5 87 b3 4f 13 61 45 6d 8d 09 81 7d 32
30: bd 8f 40 eb 86 b7 7b 0b f0 95 21 22 5c 6b 4e 82
40: 54 d6 65 93 ce 60 b2 1c 73 56 c0 14 a7 8c f1 dc
50: 12 75 ca 1f 3b be e4 d1 42 3d d4 30 a3 3c b6 26
60: 6f bf 0e da 46 69 07 57 27 f2 1d 9b bc 94 43 03
70: f8 11 c7 f6 90 ef 3e e7 06 c3 d5 2f c8 66 1e d7
80: 08 e8 ea de 80 52 ee f7 84 aa 72 ac 35 4d 6a 2a
90: 96 1a d2 71 5a 15 49 74 4b 9f d0 5e 04 18 a4 ec
a0: c2 e0 41 6e 0f 51 cb cc 24 91 af 50 a1 f4 70 39
b0: 99 7c 3a 85 23 b8 b4 7a fc 02 36 5b 25 55 97 31
c0: 2d 5d fa 98 e3 8a 92 ae 05 df 29 10 67 6c ba c9
d0: d3 00 e6 cf e1 9e a8 2c 63 16 01 3f 58 e2 89 a9
e0: 0d 38 34 1b ab 33 ff b0 bb 48 0c 5f b9 b1 cd 2e
f0: c5 f3 db 47 e5 a5 9c 77 0a a6 20 68 fe 7f c1 ad
77.
• The encryption algorithm takes a 64-bit input stored in the 16-bit words R[0], R[1], R[2], R[3] and places the result back in R[0] through R[3].
• The algorithm consists of 18 rounds of two types: mixing and mashing.
• Mixing round (all arithmetic modulo 2^16; <<< is a circular left shift of a 16-bit word):
R[0] = R[0] + K[j] + (R[3] & R[2]) + (~R[3] & R[1]);
R[0] = R[0] <<< 1;
j = j + 1;
R[1] = R[1] + K[j] + (R[0] & R[3]) + (~R[0] & R[2]);
R[1] = R[1] <<< 2;
j = j + 1;
R[2] = R[2] + K[j] + (R[1] & R[0]) + (~R[1] & R[3]);
R[2] = R[2] <<< 3;
j = j + 1;
R[3] = R[3] + K[j] + (R[2] & R[1]) + (~R[2] & R[0]);
R[3] = R[3] <<< 5;
j = j + 1;
Here j is a global variable; K[j] is the first subkey word that has not yet been used.
78.
• Decryption is the inverse operation of encryption, with the subkeys used in reverse order.
Mashing round (for i = 0 to 3, indices modulo 4 so that R[−1] is R[3]): R[i] = R[i] + K[R[i−1] % 64]
79.
• 64-bit iterated block cipher
• key: 40 bits up to 128 bits (increments of 8 bits)
• 12 up to 16 rounds
• Feistel Network structure
• designed by C. Adams and S.Tavares (1996)
• S-box design procedure patented by Entrust
Technologies Inc: U.S. patent 5,511,123, filed Aug.
4, 1994, issued Apr. 3, 1996
80.
• CAST-128 is part of the GnuPG suite of
cryptographic algorithms (nicknamed CAST-5)
• CAST-128 uses fixed 8x32-bit S-boxes: for
encryption and decryption (S1, S2, S3, S4) and for
the key schedule (S5, S6, S7, S8)
• round operations: +, −, ^ (XOR), <<<
• three round functions: f1, f2 and f3
• An official algorithm for use with the Canadian
Government:
http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html
82.
• Three different round functions are used in CAST-128. The rounds are as follows (where "D" is the data input to the f function and "Ia" to "Id" are the most significant byte through the least significant byte of I, respectively).
• Note that "+" and "-" are addition and subtraction modulo 2**32, "^" is bitwise XOR, and "<<<" is the circular left-shift operation.
• Type 1: I = ((Kmi + D) <<< Kri), f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]
• Type 2: I = ((Kmi ^ D) <<< Kri), f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]
• Type 3: I = ((Kmi - D) <<< Kri), f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]
• Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1.
• Rounds 2, 5, 8, 11, and 14 use f function Type 2.
• Rounds 3, 6, 9, 12, and 15 use f function Type 3.
83.
Key features found in advanced symmetric block ciphers (not in DES):
• Variable key length
Blowfish, RC5, CAST-128, RC2
• Mixed operators
More than one arithmetic and/or Boolean operator, especially ones that are not associative or distributive
These operators provide nonlinearity as an alternative to S-boxes
• Data-dependent rotation
Provides excellent confusion and diffusion
RC5
• Key-dependent rotation
CAST-128
84.
• Key-dependent S-boxes
Blowfish
• Expensive key schedule computation
Blowfish
• Variable round function (F)
CAST-128
• Variable plaintext/ciphertext block length
RC5
• Variable number of rounds
RC5
• Operation on both data halves each round
IDEA, Blowfish, RC5