1. Introduction
Information security: ensures that both physical and
digital data are protected.
Cyber security: a subset of information security; protects an
organization's networks, computers and data.
Network security: a subset of cyber security; protects
data sent between devices in a network.
Field of network and Internet security: measures to
deter, prevent, detect and correct security violations that
involve the transmission of information.
3. Introduction
• Definition of Computer Security from NIST: the protection afforded to an
automated information system in order to preserve the integrity,
availability and confidentiality of information system resources.
– Confidentiality: data confidentiality and privacy
– Integrity: data integrity and system integrity
– Availability
5. • Confidentiality: preserving authorized
restrictions on information access and
disclosure, including means for protecting
personal privacy and proprietary information
– Loss of confidentiality: unauthorized
disclosure of information
6. • Integrity: guarding against improper
information destruction and modification
– Loss of Integrity- unauthorized modification.
7. • Availability: ensures timely and reliable
access of information
– Loss of availability: disruption of service.
8. • Authenticity: the property of being genuine and
being able to be verified and trusted; confidence in
the validity of a transmission, a message, or its originator.
• Accountability: Security goal that
generates the requirement for actions of
an entity to be traced uniquely.
– Supports non repudiation, fault isolation, IDS.
10. OSI Security Architecture
• The OSI (open systems interconnection) security architecture provides a
systematic framework for defining security attacks, mechanisms, and
services
• Security attack: any action that compromises the security of
information owned by an organization.
• A security mechanism is any process designed to detect, prevent, or
recover from a security attack.
• Security service: a processing or communication service that enhances
the security of the data processing systems and the information transfers
of an organization. A service counters attacks by making use of one or
more security mechanisms.
• The generic name for the collection of tools designed to protect data and to
thwart hackers is computer security
13. Security Attacks
Passive Attack
• Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions. The goal of the opponent is to obtain information that is
being transmitted
• Two types of passive attacks are release of message contents and traffic
analysis
• The release of message contents is easily understood (Figure a).
15. Security Attacks
• A second type of passive attack is traffic analysis (Figure b).
• Suppose we mask the message contents; the common technique for
masking contents is encryption.
• Even with encryption in place, the opponent could still determine the
location and identity of the communicating hosts and observe the
frequency and length of the messages being exchanged. This information
might be useful in guessing the nature of the communication that was
taking place.
17. Security Attacks
• Passive attacks are very difficult to detect because they do not involve any
alteration of the data; neither the sender nor the receiver is aware that a
third party has read the messages. The emphasis in dealing with passive
attacks is therefore on prevention (typically encryption) rather than detection.
18. Security Attacks
Active Attacks
• Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories:
– Masquerade : One entity pretends to be a different entity
– Replay : The passive capture of a data unit and its subsequent
transmission to produce an unauthorized effect
– Modification of messages : The portion of the legitimate message is
altered
– Denial of service : Preventing or inhibiting the normal use or
management of communications facilities
19. General categories of
security attacks
• Interruption: An asset of the system is destroyed or becomes unavailable
or unusable - attack on availability
• Interception: An unauthorized party gains access to an asset – attack on
confidentiality
• Modification: An unauthorized party not only gains access to but tampers
with an asset – attack on integrity
• Fabrication: An unauthorized party inserts counterfeit objects into the
system – attack on authenticity
21. Security Services
• AUTHENTICATION -: The assurance that the communicating entity is
the one that it claims to be
– Peer Entity Authentication -: Used in association with a logical
connection to provide confidence in the identity of the entities
connected
– Data Origin Authentication -: In a connectionless transfer, provides
assurance that the source of received data is as claimed
• ACCESS CONTROL -: The prevention of unauthorized use of a resource
(i.e., this service controls who can have access to a resource, under what
conditions access can occur, and what those accessing the resource are
allowed to do)
22. Security Services
• DATA CONFIDENTIALITY -: The protection of data from unauthorized
disclosure
– Connection Confidentiality -: The protection of all user data on a
connection
– Connectionless Confidentiality -: The protection of all user data in a
single data block
– Selective-Field Confidentiality -: The confidentiality of selected fields
within the user data on a connection or in a single data block
– Traffic Flow Confidentiality -: The protection of the information that
might be derived from observation of traffic flows
23. Security Services
• DATA INTEGRITY -: The assurance that data received are exactly as
sent by an authorized entity (i.e., contain no modification, insertion,
deletion, or replay)
– Connection Integrity with Recovery -: Provides for the integrity of all
user data on a connection and detects any modification, insertion,
deletion, or replay of any data within an entire data sequence, with
recovery attempted
– Connection Integrity without Recovery -: As above, but provides
only detection without recovery
24. Security Services
• NONREPUDIATION -: Provides protection against denial by one of the
entities involved in a communication of having participated in all or part of
the communication
– Nonrepudiation, Origin -: Proof that the message was sent by the
specified party
– Nonrepudiation, Destination -: Proof that the message was received
by the specified party
• AVAILABILITY-: Requires that computer system assets be available to
authorized parties when needed
26. SECURITY
MECHANISMS
• Encipherment -: The use of mathematical algorithms to transform data
into a form that is not readily intelligible
• Digital Signature -: Data appended to, or a cryptographic transformation
of, a data unit that allows a recipient of the data unit to prove the source
and integrity of the data unit and protect against forgery (e.g., by the
recipient)
• Access Control -: A variety of mechanisms that enforce access rights to
resources
• Data Integrity -: A variety of mechanisms used to assure the integrity of a
data unit or stream of data units
27. SECURITY
MECHANISMS
• Authentication Exchange -: A mechanism intended to ensure the identity
of an entity by means of information exchange
• Traffic Padding -: The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts
• Routing Control -: Enables selection of particular physically secure routes
for certain data and allows routing changes, especially when a breach of
security is suspected
• Notarization -: The use of a trusted third party to assure certain properties
of a data exchange
32. 3.1.1 Kerckhoffs's Principle
Based on Kerckhoffs's principle, one should always
assume that the adversary knows the
encryption/decryption algorithm. The resistance of the
cipher to attack must be based only on the secrecy of the
key, never on the secrecy of the algorithm.
33. 3.1.2 Cryptanalysis
As cryptography is the science and art of creating secret
codes, cryptanalysis is the science and art of breaking
those codes.
Two approaches to attack: cryptanalysis and brute
force.
Figure 3.3 Cryptanalysis attacks
39. Types of cryptanalytic
attacks
• Ciphertext-only attack
– The cryptanalyst does not know any of the underlying plaintext
– A basic assumption is that ciphertext is always available to an attacker
• Known-plaintext attack
– The attacker has the ciphertext as well as some of the
corresponding plaintext (one or more plaintext-ciphertext pairs formed
with the secret key)
40. Types of cryptanalytic
attacks
• Chosen plaintext attack
– cryptanalyst can encrypt a plaintext of his choosing and study the
resulting ciphertext
– This is most common against asymmetric cryptography, where a
cryptanalyst has access to a public key
• Chosen ciphertext attack
– cryptanalyst chooses a ciphertext and attempts to find a matching
plaintext
– This can be done with a decryption oracle (a machine that decrypts
without exposing the key)
41. Symmetric Encryption
• A symmetric encryption scheme has five ingredients
• Plaintext
• Encryption algorithm
• Secret key
• Ciphertext
• Decryption algorithm
43. • An original message is known as the plaintext, while the coded message is
called the ciphertext
• The process of converting from plaintext to ciphertext is known as
enciphering or encryption; restoring the plaintext from the ciphertext is
deciphering or decryption
• The many schemes used for encryption constitute the area of study known
as cryptography. Such a scheme is known as a cryptographic system or a
cipher
• Techniques used for deciphering a message without any knowledge of the
enciphering details fall into the area of cryptanalysis. Cryptanalysis is
what the layperson calls "breaking the code”
• The areas of cryptography and cryptanalysis together are called cryptology
44. Cryptographic Systems
• Cryptographic systems are characterized along three independent
dimensions:
• The type of operations used for transforming plaintext to ciphertext
– All encryption algorithms are based on two general principles:
– Substitution: in which each element in the plaintext (bit, letter, group
of bits or letters) is mapped into another element
– Transposition: in which elements in the plaintext are rearranged
• The number of keys used
– If both sender and receiver use the same key, the system is referred to
as symmetric encryption
– If the sender and receiver use different keys, the system is referred to as
asymmetric, two-key, or public-key encryption
45. Cryptographic Systems
• The way in which the plaintext is processed
– A block cipher processes the input one block of elements at a time,
producing an output block for each input block
– A stream cipher processes the input elements continuously, producing
output one element at a time, as it goes along
46. Cryptanalysis and brute
force attack
• Cryptanalysis
– Cryptanalytic attacks rely on the nature of the algorithm plus perhaps
some knowledge of the general characteristics of the plaintext or even
some sample plaintext-ciphertext pairs
• Brute-force attack
– The attacker tries every possible key on a piece of ciphertext until an
intelligible translation into plaintext is obtained
47. Unconditionally secure and computationally
secure encryption schemes
• An encryption scheme is unconditionally secure if the ciphertext generated
by the scheme does not contain enough information to determine uniquely
the corresponding plaintext, no matter how much ciphertext is available
(the one-time pad is the only such scheme in practical use)
• Otherwise the encryption algorithm should meet one or both of the following
criteria:
– The cost of breaking the cipher exceeds the value of the encrypted
information
– The time required to break the cipher exceeds the useful lifetime of the
information
• If either of the above criteria is met, the encryption scheme is said to be
computationally secure
48. 3-2 SUBSTITUTION CIPHERS
A substitution cipher replaces one symbol with another. Substitution ciphers can be
categorized as either monoalphabetic ciphers or polyalphabetic ciphers.
Note: A substitution cipher replaces one symbol with another.
49. 3.2.1 Monoalphabetic Ciphers
Note: In monoalphabetic substitution, the relationship between a symbol in the
plaintext and a symbol in the ciphertext is always one-to-one.
50. 3.2.1 Continued
Example 3.1
The following shows a plaintext and its corresponding ciphertext.
The cipher is probably monoalphabetic because both l's (els) are
encrypted as O's.
51. 3.2.1 Continued
Additive Cipher
The simplest monoalphabetic cipher is the additive cipher. This
cipher is sometimes called a shift cipher and sometimes a Caesar
cipher, but the term additive cipher better reveals its
mathematical nature.
Figure 3.8 Plaintext and ciphertext in Z26
52. 3.2.1 Continued
Figure 3.9 Additive cipher
Note: When the cipher is additive, the plaintext, ciphertext, and key are
integers in Z26: C = (P + k) mod 26 and P = (C - k) mod 26.
53. 3.2.1 Continued
Example 3.3
Use the additive cipher with key = 15 to encrypt the message
"hello".
Solution
We apply the encryption algorithm to the plaintext, character by
character: h = 07 → (07 + 15) mod 26 = 22 → W; e = 04 → 19 → T;
l = 11 → 26 mod 26 = 00 → A; l → A; o = 14 → 29 mod 26 = 03 → D.
The ciphertext is "WTAAD".
54. 3.2.1 Continued
Example 3.4
Use the additive cipher with key = 15 to decrypt the message
"WTAAD".
Solution
We apply the decryption algorithm to the ciphertext character by
character: W = 22 → (22 - 15) mod 26 = 07 → h; T = 19 → 04 → e;
A = 00 → (00 - 15) mod 26 = 11 → l; A → l; D = 03 → 14 → o.
The plaintext is "hello".
55. 3.2.1 Continued
Shift Cipher and Caesar Cipher
Historically, additive ciphers are called shift ciphers. Julius Caesar
used an additive cipher to communicate with his officers. For this
reason, additive ciphers are sometimes referred to as the Caesar
cipher. Caesar used a key of 3 for his communications.
Note: Additive ciphers are sometimes referred to as shift ciphers or
Caesar ciphers.
56. 3.2.1 Continued
Example 3.5
Eve has intercepted the ciphertext "UVACLYFZLJBYL". Show
how she can use a brute-force attack to break the cipher.
Solution
The key space has only 25 non-trivial keys, so Eve simply tries them
one by one, starting with key 1. With a key of 7, the decryption is "not
very secure", which makes sense, so she stops there.
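Examples 3.3 to 3.5 in working code. This is an added example, not code from the slides or from Forouzan's text: it implements the additive cipher over Z26 exactly as defined above (letters only, non-letters dropped, ciphertext in upper case) and Eve's brute-force attack, which is feasible only because the key space has 25 usable keys.

```python
import string

ALPHABET = string.ascii_lowercase  # Z26: a = 0 ... z = 25


def additive_encrypt(plaintext, key):
    """C = (P + k) mod 26 for each letter; ciphertext in upper case as in the examples.
    Non-letters (spaces, punctuation) are dropped, as the worked examples do."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26].upper())
    return "".join(out)


def additive_decrypt(ciphertext, key):
    """P = (C - k) mod 26; Python's % keeps the result in 0..25 even for negative values."""
    return additive_encrypt(ciphertext, -key).lower()


def brute_force(ciphertext):
    """Eve's attack from Example 3.5: try every non-trivial key (1..25) and return all
    candidate plaintexts; the analyst picks the one that reads as language."""
    return {k: additive_decrypt(ciphertext, k) for k in range(1, 26)}


def letter_frequencies(text):
    """Single-letter frequency table: the statistical attack on any monoalphabetic
    cipher starts here, because a one-to-one mapping preserves these counts."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    return {ch: letters.count(ch) / len(letters) for ch in sorted(set(letters))}


if __name__ == "__main__":
    print(additive_encrypt("hello", 15))          # Example 3.3
    print(additive_decrypt("WTAAD", 15))          # Example 3.4
    for key, candidate in brute_force("UVACLYFZLJBYL").items():   # Example 3.5
        print(key, candidate)
```

The loop prints all 25 candidates; only key 7 yields readable English, which is the whole point of the example: with so few keys, no cleverness is needed.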
58. 3.2.1 Continued
A better solution is to create a mapping between each plaintext
character and the corresponding ciphertext character. Alice and
Bob can agree on a table showing the mapping for each character.
Figure 3.12 An example key for monoalphabetic substitution cipher
A brute-force attack is now impractical: there are 26! ≈ 4 x 10^26 keys.
The cipher is nevertheless broken by a statistical attack based on the
frequency of characters: the one-to-one mapping preserves the
single-letter frequency distribution of the plaintext.
59. 3.2.1 Continued
Example 3.13
We can use the key in Figure 3.12 to encrypt the message.
The ciphertext is
60. 3.2.2 Polyalphabetic Ciphers
In polyalphabetic substitution, each occurrence of a
character may have a different substitute. The
relationship between a character in the plaintext to a
character in the ciphertext is one-to-many.
Autokey Cipher
In an autokey cipher the key stream is a single initial key k1 agreed by
Alice and Bob, followed by the plaintext characters themselves:
k_i = p_(i-1) for i > 1, and C_i = (P_i + k_i) mod 26.
61. 3.2.2 Continued
Example 3.14
Assume that Alice and Bob agreed to use an autokey cipher with
initial key value k1 = 12. Now Alice wants to send Bob the message
"Attack is today". Enciphering is done character by character, giving
the ciphertext "MTMTCMSALHRDY".
The autokey cipher hides the single-letter frequencies of the plaintext,
but it is still vulnerable to a brute-force attack: only the first subkey k1
is secret, and it has just 26 possible values (25 if the identity key is
excluded).
62. Substitution Ciphers
Playfair cipher
The 'key' for a Playfair cipher is generally a word; for the sake of
example we will choose 'monarchy'. The keyword (with repeated letters
dropped) is written first, followed by the remaining letters of the
alphabet, to generate a 5 x 5 'key square':
M O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
Note that there is no 'j'; it is combined with 'i'. We now apply the
encryption rules, two plaintext letters at a time:
1. Repeating plaintext letters that are in the same
pair are separated with a filler letter, such as x, so
that full would be treated as fu lx lz
2. Two plaintext letters that fall in the same row of
the matrix are each replaced by the letter to the
right, with the first element of the row circularly
following the last. For example, ar is encrypted as
RM.
3. Two plaintext letters that fall in the same column
are each replaced by the letter beneath, with the top
element of the column circularly following the last.
For example, mu is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is
replaced by the letter that lies in its own row and the
column occupied by the other plaintext letter. Thus,
hs becomes BP and ea becomes IM (or JM, as the
encipherer wishes).
63. 3.2.2 Continued
Playfair Cipher
Figure 3.13 An example of a secret key in the Playfair cipher
Example 3.15
Let us encrypt the plaintext "hello" using the key in Figure 3.13.
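The four Playfair rules above as runnable code, using the 'monarchy' key square. This is an added example, not code from the slides: it builds the key square from any keyword (merging j into i), splits the plaintext into digraphs with the filler rule, and applies rules 2 to 4 in both directions, so the stated pairs (ar → RM, mu → CM, hs → BP, ea → IM) can be checked directly. The filler letters 'x' and 'z' follow the slide's "fu lx lz" convention and are an assumption of this implementation.

```python
import string


def build_key_square(keyword):
    """5x5 square: keyword letters first (duplicates dropped), then the rest of
    the alphabet; 'j' is merged with 'i' so that 25 letters fit."""
    seen = []
    for ch in keyword.lower() + string.ascii_lowercase:
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return ["".join(seen[r * 5:r * 5 + 5]) for r in range(5)]


def digraphs(plaintext):
    """Rule 1: split into pairs; insert 'x' between repeated letters in a pair
    ('z' if the repeated letter is itself 'x') and pad an odd trailing letter
    with 'z', so that 'full' -> fu lx lz."""
    letters = [("i" if ch == "j" else ch) for ch in plaintext.lower() if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "z"
        if a == b:
            b = "x" if a != "x" else "z"
            i += 1          # the second copy of 'a' starts the next pair
        else:
            i += 2
        pairs.append(a + b)
    return pairs


def playfair_pair(square, pair, decrypt=False):
    """Rules 2-4 for one digraph; decryption moves left/up instead of right/down."""
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    d = -1 if decrypt else 1
    if r1 == r2:                                   # rule 2: same row -> letter to the right
        return square[r1][(c1 + d) % 5] + square[r2][(c2 + d) % 5]
    if c1 == c2:                                   # rule 3: same column -> letter beneath
        return square[(r1 + d) % 5][c1] + square[(r2 + d) % 5][c2]
    return square[r1][c2] + square[r2][c1]         # rule 4: own row, other letter's column


def playfair_encrypt(plaintext, keyword="monarchy"):
    square = build_key_square(keyword)
    return "".join(playfair_pair(square, p) for p in digraphs(plaintext)).upper()


def playfair_decrypt(ciphertext, keyword="monarchy"):
    """Inverse of the above; filler letters inserted by rule 1 remain in the output."""
    square = build_key_square(keyword)
    text = ciphertext.lower()
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    return "".join(playfair_pair(square, p, decrypt=True) for p in pairs)


if __name__ == "__main__":
    print("\n".join(" ".join(row.upper()) for row in build_key_square("monarchy")))
    print(playfair_encrypt("balloon"))    # ba lx lo on -> IBSUPMNA
    print(playfair_decrypt("IBSUPMNA"))   # balxloon (filler x stays)
```

Note that the filler letters survive decryption; the receiver removes them by eye. That, the 25-letter alphabet, and the fact that only 600 digraphs exist (so digraph frequency analysis still works) are why Playfair is of historical interest only.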
64. Substitution Ciphers
Vigenere cipher
• Uses more than one alphabet, switching between them systematically
• How this cipher works
1. Pick a keyword
2. Write your keyword across the top of the text you want to encipher,
repeating it as many times as necessary.
3. Shift each plaintext letter by the value of the key letter above it:
C_i = (P_i + K_i) mod 26, so the same plaintext letter is enciphered
differently depending on its position.
EXAMPLE:
66. 3.2.2 Continued
Example 3.16
Let us see how we can encrypt the message "She is listening" using
the 6-character keyword "PASCAL". The initial key stream is (15,
0, 18, 2, 0, 11). The key stream is the repetition of this initial key
stream (as many times as needed). Adding the key stream to the
plaintext values (18, 7, 4, 8, 18, 11, 8, 18, 19, 4, 13, 8, 13, 6) modulo 26
gives the ciphertext "HHWKSWXSLGNTCG".
67. Vernam Cipher (One-time pad)
• It is implemented using a truly random set of characters as the key
• One-time usage: the key is never reused
• Length of the key text is equal to the length of the original plaintext
Algorithm
• Translate each plaintext letter into the corresponding number (i.e. A = 0,
B = 1, ..., Z = 25)
• Do the same for each character of the key text
• Add each number corresponding to a plaintext letter to the
corresponding key text number
• If the sum thus produced is greater than or equal to 26, subtract 26 from it
(i.e. reduce the sum modulo 26; a sum of exactly 26 becomes 0 = A)
• Translate each number of the sum back to the corresponding letter. This
gives the output ciphertext
68. Substitution Ciphers
Example
• Plaintext message: HOW ARE YOU
• One-time pad (KEY TEXT): NCBTZQARX
• Ciphertext: UQXTQUYFR (e.g. H + N = 7 + 13 = 20 = U; R + Z = 17 + 25 = 42,
42 - 26 = 16 = Q)
• The one-time pad is discarded after a single use
• This technique is unconditionally secure provided the key is truly random,
as long as the message, kept secret, and never reused; it is suitable for
small plaintext messages
• It is clearly impractical for large messages, because a key as long as the
message must be generated and distributed securely
69. Transposition Ciphers
• In the transposition technique there is no substitution of characters;
instead their positions change
• A character in the 1st position of the plaintext may appear in the 10th
position of the ciphertext
• A transposition cipher re-orders characters in a block of symbols. There are
various transposition cipher techniques, given below:
– Keyless transposition techniques
– Keyed transposition techniques
70. Keyless Ciphers
1) Rail Fence Technique
• The rail fence technique involves writing the plaintext message as a sequence
of diagonals (a zig-zag over two rows) and then reading it row by row to
produce the ciphertext
• Encryption algorithm:
– Write down the plaintext message as a sequence of diagonals
– Read the text row by row, left to right, then top to bottom
Example
• Original plaintext message: Come Home Tomorrow
• After we arrange the plaintext message as a sequence of diagonals, it looks
as follows (spaces suppressed):
C M H M T M R O
 O E O E O O R W
• Now read the text row by row, and write it sequentially. Thus we have
CMHMTMROOEOEOORW as the ciphertext
71. Transposition Ciphers
2) Simple Columnar Transposition Technique
• The simple columnar transposition technique arranges the plaintext as a
sequence of rows of a rectangle that are then read out column by column in
a chosen order (the column order is effectively the key)
– Write the plaintext message row by row in a rectangle of a pre-defined
size
– Read the message column by column. However, it need not be in the order
of columns 1, 2, 3 etc.; it can be in any order such as 2, 3, 1 etc.
– The message thus obtained is the ciphertext message
Example
• Original plaintext message: Come Home Tomorrow
• Let us consider a rectangle with six columns. Writing the message in the
rectangle row by row, suppressing spaces, gives
C O M E H O
M E T O M O
R R O W
• Now let us decide the order of columns, say 4, 6, 1, 2, 5, 3, and read
the text in the order of these columns: EOW, OO, CMR, OER, HM, MTO
• The ciphertext thus obtained is EOWOOCMROERHMMTO
72. Transposition Ciphers
3) Simple Columnar Transposition Technique with Multiple Rounds
• To improve the basic simple columnar technique, we can introduce more complexity
• Use the same basic operation of the simple columnar technique, but do it more
than once
Algorithm:
– Write the plaintext message row by row in a rectangle of a pre-defined
size
– Read the message column by column. However, it need not be in the
order of columns 1, 2, 3 etc.; it can be any order such as 2, 3, 1
etc.
– The message thus obtained is the ciphertext message of round 1
– Repeat steps 1 to 3 as many times as desired, feeding the ciphertext of
one round in as the plaintext of the next
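The three transposition procedures above (rail fence, simple columnar, columnar with multiple rounds) with their decryption routines, as an added example that is not code from the slides. Decryption is the part the slides leave out and the part that is easy to get wrong: for the columnar cipher the receiver must work out how long each column is (the last row is usually incomplete) before the text can be read back row by row. The rail fence routine handles any number of rails; the slide's "sequence of diagonals" is the two-rail case.

```python
def _letters(text):
    return "".join(ch for ch in text if ch.isalpha()).upper()


def _rail_pattern(n, rails):
    """Rail index of each position in zig-zag order: 0,1,..,rails-1,rails-2,..,1,0,.."""
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(n)]


def rail_fence_encrypt(plaintext, rails=2):
    """Write the text along the rails, then read rail by rail (row by row)."""
    text = _letters(plaintext)
    pattern = _rail_pattern(len(text), rails)
    return "".join(ch for r in range(rails) for ch, p in zip(text, pattern) if p == r)


def rail_fence_decrypt(ciphertext, rails=2):
    """Cut the ciphertext into rails of the right lengths, then read it back in zig-zag order."""
    pattern = _rail_pattern(len(ciphertext), rails)
    rows, start = [], 0
    for r in range(rails):
        count = pattern.count(r)
        rows.append(list(ciphertext[start:start + count]))
        start += count
    return "".join(rows[p].pop(0) for p in pattern)


def _column_lengths(n, cols):
    """With n letters in `cols` columns, the first n % cols columns get one extra letter."""
    full, extra = divmod(n, cols)
    return [full + (1 if c < extra else 0) for c in range(cols)]


def columnar_encrypt(plaintext, order):
    """Write row by row into len(order) columns, read the columns in the given
    1-based order; the order is the key."""
    text = _letters(plaintext)
    cols = len(order)
    columns = [text[c::cols] for c in range(cols)]
    return "".join(columns[k - 1] for k in order)


def columnar_decrypt(ciphertext, order):
    cols = len(order)
    lengths = _column_lengths(len(ciphertext), cols)
    columns, start = [None] * cols, 0
    for k in order:                               # refill the columns in key order
        columns[k - 1] = ciphertext[start:start + lengths[k - 1]]
        start += lengths[k - 1]
    return "".join(columns[c][r] for r in range(max(lengths))
                   for c in range(cols) if r < lengths[c])


def columnar_encrypt_rounds(plaintext, order, rounds):
    text = plaintext
    for _ in range(rounds):
        text = columnar_encrypt(text, order)
    return text


def columnar_decrypt_rounds(ciphertext, order, rounds):
    text = ciphertext
    for _ in range(rounds):
        text = columnar_decrypt(text, order)
    return text


if __name__ == "__main__":
    key = [4, 6, 1, 2, 5, 3]
    print(rail_fence_encrypt("Come Home Tomorrow"))              # CMHMTMROOEOEOORW
    print(columnar_encrypt("Come Home Tomorrow", key))           # EOWOOCMROERHMMTO
    print(columnar_encrypt_rounds("Come Home Tomorrow", key, 2))
```

Two points worth noticing: the ciphertext has exactly the letter frequencies of the plaintext (transposition changes nothing about single-letter statistics, which is how an analyst recognises it), and a second columnar round with the same key is still just a fixed permutation of positions, so it does not change the kind of attack, only the bookkeeping.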
73. 3.3.2 Keyed Transposition Ciphers
The keyless ciphers permute the characters by writing the
plaintext in one way and reading it in another way; the
permutation is done on the whole plaintext to create the
whole ciphertext. Another method is to divide the
plaintext into groups of predetermined size, called
blocks, and then use a key to permute the characters in
each block separately.
74. 3.3.2 Continued
Example 3.25
Alice needs to send the message "Enemy attacks tonight" to Bob.
The key used for encryption and decryption is a permutation key,
which shows how the characters are permuted.
The permutation yields
80. 3.4.1 Continued
Example 3.32
Vigenere ciphers are also stream ciphers according to the
definition. In this case, the key stream is a repetition of m values,
where m is the size of the keyword. In other words, the key stream
is (k1, k2, ..., km, k1, k2, ..., km, ...): the key value at position i
depends only on i mod m.
81. 3.4.2 Block Ciphers
In a block cipher, a group of plaintext symbols of size m
(m > 1) are encrypted together creating a group of
ciphertext of the same size. A single key is used to
encrypt the whole block even if the key is made of
multiple values. Figure 3.27 shows the concept of a block
cipher.
Figure 3.27 Block cipher
83. Claude Shannon and
Substitution-Permutation
Ciphers
• in 1949 Claude Shannon introduced the idea of substitution-permutation (S-P)
networks
– modern block ciphers are substitution-transposition product ciphers
• S-P networks are based on the two primitive cryptographic operations we
have seen before:
– substitution (S-box): each plaintext element or group of elements is uniquely
replaced by a corresponding ciphertext element or group of elements
– permutation (P-box): the order of elements is changed
• together these provide confusion and diffusion of the message
84. Confusion and Diffusion
• a cipher needs to completely obscure the statistical properties of the original
message (ideally the statistics of the ciphertext are independent of the
plaintext and reveal nothing about the key)
• a one-time pad does this
• more practically Shannon suggested combining elements to obtain:
• diffusion: dissipates the statistical structure of the plaintext over the bulk of
the ciphertext, so that each plaintext bit affects many ciphertext bits
• confusion: makes the relationship between the ciphertext and the key as
complex as possible
85. Feistel Cipher Structure
• Horst Feistel devised the feistel cipher
– based on concept of invertible product cipher
• partitions input block into two halves
– process through multiple rounds which
– perform a substitution on left data half based on round function of right
half & subkey
– then have permutation swapping halves
• implements Shannon’s substitution-permutation network concept
87. Feistel Cipher Design
Principles
• block size
– increasing size improves security, but slows cipher
• key size
– increasing size improves security, makes exhaustive key searching
harder, but may slow cipher
• number of rounds
– increasing number improves security, but slows cipher
• subkey generation
– greater complexity can make analysis harder, but slows cipher
• round function
– greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
– are more recent concerns for practical use and testing
90. Conventional Encryption
Algorithms
• Data Encryption Standard (DES)
– Historically the most widely used encryption scheme (adopted as
FIPS 46 in 1977; withdrawn by NIST in 2005)
– The algorithm is referred to as the Data
Encryption Algorithm (DEA)
– DES is a block cipher
– The plaintext is processed in 64-bit blocks
– The key is 56 bits in length
91. Data Encryption Standard
(DES)
• The algorithm has 16 rounds. Each
round has the following architecture:
Li and Ri are each 32-bit long strings
92. DES
• The overall processing at each
iteration:
– Li = Ri-1
– Ri = Li-1 XOR F(Ri-1, Ki)
• Concerns about:
– The algorithm and the key length (56
bits)
94. DES
• Before any rounds, the plaintext bits are
permuted using an initial permutation (IP).
• Correspondingly, at the end of the 16 rounds the
two halves are swapped and the inverse
permutation (IP^-1) is applied.
• The initial permutation is public
knowledge and adds no security; it only
reorders bits.
95. DES Round Structure
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
• F takes the 32-bit R half and a 48-bit subkey and:
– expands R to 48 bits using the expansion permutation E
– XORs the result with the subkey
– passes the 48 bits through 8 S-boxes (6 bits in, 4 bits out each) to get a
32-bit result
– finally permutes this using the 32-bit permutation P
99. DES: S-boxes
• Each S-box takes a 6-bit input
and outputs four bits.
• This is the substitution part of the cipher and
its only non-linear component.
• Each S-box has a different functionality as
defined by the corresponding table.
102. DES
• After substitution, the
function output is 32
bits and it goes through a
fixed permutation (P).
• Thus we perform
"confusion" (S-boxes) and
"diffusion" (E and P) steps in each
round.
103. DES Key Schedule
• forms the subkeys used in each round
• consists of:
– an initial permutation of the key (PC-1) which selects 56 of the 64 key bits
(the other 8 are parity bits) in two 28-bit halves
– 16 stages, each consisting of:
• rotating each half separately left by either 1 or 2 places depending on the
key rotation schedule
• selecting 24 bits from each (rotated) half and permuting them by PC-2 to
form the 48-bit subkey Ki for use in function F
105. DES Decryption
• decryption must unwind the steps of the data computation
• with the Feistel design, this means doing the encryption steps again
• using the subkeys in reverse order (SK16 ... SK1)
106. Avalanche Effect
• a key desirable property of an encryption algorithm
• a change of one input or key bit should result in changing approximately
half of the output bits
• if the change were small, it might provide a way to reduce the size of the
plaintext or key space to be searched
107. Strength of DES (cont.)
• Avalanche effect in
DES
– If there is a small change in
either the plaintext or
the key, the ciphertext
should change
markedly.
• DES exhibits a strong
avalanche effect.
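The Feistel structure (slide 85), the DES round equations (slide 95), decryption by reversing the subkeys (slide 105) and the avalanche effect (slides 106 and 107) in one runnable model. This is an added example and is not DES: the round function F and the key schedule are stand-ins built from SHA-256 (an assumption of this example) instead of the E expansion, S-boxes, P, PC-1 and PC-2, which would not fit here. What it does show faithfully is the structural property that makes Feistel ciphers attractive: decryption is the same code with the subkeys reversed, because each round's F output can be cancelled by XORing it in again, whatever F is.

```python
import hashlib

HALF_MASK = (1 << 32) - 1


def round_function(right, subkey):
    """F(R, K): any keyed, non-linear 32-bit function works; real DES uses
    E-expansion, eight S-boxes and P. Here a truncated SHA-256 stands in (toy)."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")


def key_schedule(master_key, rounds=16):
    """One 48-bit subkey per round, derived from the master key (toy schedule;
    DES uses PC-1, the rotation schedule and PC-2 instead)."""
    return [hashlib.sha256(master_key + bytes([i])).digest()[:6] for i in range(rounds)]


def feistel_round(left, right, subkey):
    """L_i = R_(i-1);  R_i = L_(i-1) XOR F(R_(i-1), K_i)"""
    return right, left ^ round_function(right, subkey)


def feistel_encrypt(block, subkeys):
    """64-bit block in, 64-bit block out. The final swap is undone (as DES does
    before IP^-1) so that decryption is this same function with reversed subkeys."""
    left, right = block >> 32, block & HALF_MASK
    for k in subkeys:
        left, right = feistel_round(left, right, k)
    return (right << 32) | left


def feistel_decrypt(block, subkeys):
    """Slide 105: run the encryption steps again with the subkeys in reverse order."""
    return feistel_encrypt(block, list(reversed(subkeys)))


def hamming_distance(a, b):
    return bin(a ^ b).count("1")


def avalanche(block, subkeys, bit):
    """Flip one plaintext bit and count how many of the 64 ciphertext bits change;
    a good cipher gives about 32."""
    c1 = feistel_encrypt(block, subkeys)
    c2 = feistel_encrypt(block ^ (1 << bit), subkeys)
    return hamming_distance(c1, c2)


if __name__ == "__main__":
    subkeys = key_schedule(b"constructed master key for the demo")
    pt = 0x0123456789ABCDEF                      # constructed 64-bit block
    ct = feistel_encrypt(pt, subkeys)
    print(hex(ct), hex(feistel_decrypt(ct, subkeys)))
    print("bits changed by flipping plaintext bit 0:", avalanche(pt, subkeys, 0))
```

Try replacing `round_function` with something linear, for example `right ^ int.from_bytes(subkey[:4], "big")`: decryption still works (the structure does not care), but `avalanche` collapses to a handful of bits. That is the separation the Feistel design makes: invertibility comes from the structure, security comes entirely from F and the key schedule.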
108. Strength of DES – Key Size
• 56-bit keys give 2^56 ≈ 7.2 x 10^16 possible values
• a brute-force search looked hard in 1977
• advances in hardware have shown it is possible
– in 1998 the EFF's dedicated "Deep Crack" hardware recovered a DES key in
under three days, and the cost of such a search has only fallen since
• alternatives available for DES: AES, triple DES etc.
109. Strength of DES
• Nature of the algorithm: no exploitable weakness in the S-box design has
been found, despite decades of analysis
• Timing attacks: information about the key or plaintext is obtained by
observing the time taken to decrypt ciphertexts
111. USE OF MODERN BLOCK CIPHERS
Symmetric-key encipherment can be done using modern
block ciphers. Modes of operation have been devised to
encipher text of any size employing a block cipher such
as DES or AES as the underlying primitive.
113. 8.1.1 Electronic Codebook (ECB) Mode
The simplest mode of operation is called the electronic
codebook (ECB) mode.
Figure 8.2 Electronic codebook (ECB) mode
114. Electronic Codebook
(ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence the name
• each block is encoded independently of the other blocks
Ci = EK(Pi)
• uses: secure transmission of single values (e.g. a key)
116. Advantages and Limitations
of ECB
• repetitions in message may show in ciphertext
• weakness due to encrypted message blocks being independent
• main use is sending a few blocks of data
117. 8.1.2 Cipher Block Chaining (CBC) Mode
In CBC mode, each plaintext block is exclusive-ored with
the previous ciphertext block before being encrypted.
Figure 8.3 Cipher block chaining (CBC) mode
119. 8.1.2 Continued
Example 8.4
It can be proved that each plaintext block at Alice's site is recovered
exactly at Bob's site. Because encryption and decryption are inverses
of each other, with Ci = EK(Pi XOR Ci-1) and C0 = IV we have
DK(Ci) XOR Ci-1 = Pi XOR Ci-1 XOR Ci-1 = Pi.
Initialization Vector (IV)
The initialization vector (IV) should be known by the
sender and the receiver. For CBC it must also be unpredictable to an
attacker (a fresh random value per message); a fixed or predictable IV lets
an attacker recognise messages that start with the same block.
122. Output Feedback (OFB)
• message is treated as a stream of bits
• output of the cipher is XORed with the message
• the cipher output is then fed back (hence the name)
• the feedback is independent of the message
• so the key stream can be computed in advance
Ci = Pi XOR Oi
Oi = EK(Oi-1)
O0 = IV
• uses: stream encryption over noisy channels (a bit error affects only that bit)
• caveat: the IV must never be reused under the same key, since the key
stream would repeat and C1 XOR C2 = P1 XOR P2
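The three modes of sections 8.1.1, 8.1.2 and OFB above, and the ECB/CBC slides that follow later (171 to 178), as an added example that is not code from the slides. The block cipher underneath is a toy: an 8-bit "codebook", i.e. a secret key-dependent permutation of the 256 possible blocks, which is exactly what the name electronic codebook refers to (in practice you would use AES-128 from a library, never a home-made cipher). With 8-bit blocks the ECB weakness is visible to the eye: every repeated plaintext byte gives the same ciphertext byte. The CBC routine also demonstrates the point the last slide makes: flipping a bit of an IV sent in the clear flips the same bit of the first plaintext block and nothing else, which is why CBC gives no integrity.

```python
import os
import random


class ToyBlockCipher:
    """8-bit block cipher realised literally as a codebook: a key-dependent
    secret permutation of the 256 possible blocks (toy, for illustration only)."""

    def __init__(self, key):
        table = list(range(256))
        random.Random(key).shuffle(table)      # deterministic in the key
        self.enc = table
        self.dec = [0] * 256
        for p, c in enumerate(table):
            self.dec[c] = p

    def encrypt_block(self, b):
        return self.enc[b]

    def decrypt_block(self, b):
        return self.dec[b]


def ecb_encrypt(cipher, pt):
    """C_i = E_K(P_i): every block independent, equal blocks -> equal ciphertext."""
    return bytes(cipher.encrypt_block(p) for p in pt)


def ecb_decrypt(cipher, ct):
    return bytes(cipher.decrypt_block(c) for c in ct)


def cbc_encrypt(cipher, iv, pt):
    """C_i = E_K(P_i XOR C_(i-1)), C_0 = IV"""
    out, prev = [], iv
    for p in pt:
        prev = cipher.encrypt_block(p ^ prev)
        out.append(prev)
    return bytes(out)


def cbc_decrypt(cipher, iv, ct):
    """P_i = D_K(C_i) XOR C_(i-1): a flipped IV bit flips the same bit of P_1 only."""
    out, prev = [], iv
    for c in ct:
        out.append(cipher.decrypt_block(c) ^ prev)
        prev = c
    return bytes(out)


def ofb_keystream(cipher, iv, n):
    """O_i = E_K(O_(i-1)), O_0 = IV: independent of the message, so precomputable."""
    out, o = [], iv
    for _ in range(n):
        o = cipher.encrypt_block(o)
        out.append(o)
    return bytes(out)


def ofb_crypt(cipher, iv, data):
    """C_i = P_i XOR O_i; the same call decrypts. Never reuse (key, IV)."""
    return bytes(d ^ o for d, o in zip(data, ofb_keystream(cipher, iv, len(data))))


def fresh_iv():
    """One random 8-bit IV per message (os.urandom, not random.random)."""
    return os.urandom(1)[0]


if __name__ == "__main__":
    k = ToyBlockCipher(b"constructed demo key")
    msg = b"AAAAAAAA" + b"BBBBBBBB"          # constructed: two runs of equal blocks
    print("ECB:", ecb_encrypt(k, msg).hex())   # the two runs are plainly visible
    iv = fresh_iv()
    print("CBC:", cbc_encrypt(k, iv, msg).hex())
    print("OFB:", ofb_crypt(k, iv, msg).hex())
```

The `len(set(...))` checks in the test are the "penguin picture" argument in miniature: ECB preserves the plaintext's block-level repetition, chaining destroys it. The OFB test reuses one IV for two messages on purpose, to show that the XOR of the two ciphertexts equals the XOR of the two plaintexts, the key having cancelled.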
130. 1-1 INTRODUCTION
The Advanced Encryption Standard (AES) is a
symmetric-key block cipher published by the National
Institute of Standards and Technology (NIST) in
December 2001.
1.1.1 History
1.1.2 Criteria
1.1.3 Rounds
1.1.4 Data Units
1.1.5 Structure of Each Round
Topics discussed in this section:
131. 1.1.1 History
In February 2001, NIST announced that a draft of the
Federal Information Processing Standard (FIPS) was
available for public review and comment. Finally, AES
was published as FIPS 197 in the Federal Register in
December 2001.
The algorithm, Rijndael, was designed by Joan Daemen and Vincent Rijmen.
132. 1.1.2 Criteria
The criteria defined by NIST for selecting AES fall into
three areas:
1. Security
2. Cost
3. Implementation.
133. 1.1.3 Rounds
AES is a non-Feistel cipher that encrypts and decrypts a
data block of 128 bits. It uses 10, 12, or 14 rounds. The
number of rounds depends on the key size, which can be
128, 192, or 256 bits.
Note: AES has defined three versions, with 10, 12,
and 14 rounds.
Each version uses a different cipher key size
(128, 192, or 256 bits), but the round keys are
always 128 bits.
138. 1.1.5 Structure of Each Round
Figure 1.5 Structure of each round at the encryption site
139. 1-2 TRANSFORMATIONS
To provide security, AES uses four types of
transformations: substitution, permutation, mixing, and
key-adding.
1.2.1 Substitution
1.2.2 Permutation
1.2.3 Mixing
1.2.4 Key Adding
Topics discussed in this section:
140. 1.2.1 Substitution
AES, like DES, uses substitution. AES uses two
invertible transformations.
SubBytes
The first transformation, SubBytes, is used at the
encryption site. To substitute a byte, we interpret the byte
as two hexadecimal digits.
The SubBytes operation involves 16
independent byte-to-byte transformations.
Note
146. 1.2.1 Continue
Example 1.2
Figure 1.7 shows how a state is transformed using the SubBytes
transformation. The figure also shows that the InvSubBytes
transformation creates the original one. Note that if the two bytes
have the same values, their transformation is also the same.
Figure 1.7 SubBytes transformation for Example 1.2
147. 1.2.2 Permutation
Another transformation found in a round is shifting,
which permutes the bytes.
ShiftRows
In the encryption, the transformation is called ShiftRows.
Figure 1.9 ShiftRows transformation
148. 1.2.2 Continue
Example 1.4
Figure 1.10 shows how a state is transformed using ShiftRows
transformation. The figure also shows that InvShiftRows
transformation creates the original state.
Figure 1.10 ShiftRows transformation in Example 1.4
149. 1.2.3 Mixing
We need an interbyte transformation that changes the
bits inside a byte, based on the bits inside the
neighboring bytes. We need to mix bytes to provide
diffusion at the bit level.
Figure 1.11 Mixing bytes using matrix multiplication
151. MixColumns
The MixColumns transformation operates at the column
level; it transforms each column of the state to a new
column.
1.2.3 Continue
Figure 1.13 MixColumns transformation
152. InvMixColumns
1.2.3 Continue
The InvMixColumns transformation has the same structure
as the MixColumns transformation: it multiplies each column
by a constant matrix, but uses the inverse matrix (with entries
0E, 0B, 0D and 09 instead of 02, 03, 01 and 01).
Note: The MixColumns and InvMixColumns
transformations are inverses of each other.
153. 1.2.3 Continue
Example 1.5
Figure 1.14 shows how a state is transformed using the
MixColumns transformation. The figure also shows that the
InvMixColumns transformation creates the original one.
Figure 1.14 The MixColumns transformation in Example 1.5
154. 1.2.4 Key Adding
AddRoundKey
AddRoundKey proceeds one column at a time.
AddRoundKey adds a round key word to each state
column; the operation in AddRoundKey is matrix
addition in GF(2^8), i.e. a bitwise XOR of the 128-bit
round key with the state.
Note: The AddRoundKey transformation is the
inverse of itself.
156. 1-3 KEY EXPANSION
To create round keys for each round, AES uses a key-
expansion process. If the number of rounds is Nr, the
key-expansion routine creates Nr + 1 128-bit round keys
from the single cipher key (128, 192 or 256 bits; for
AES-128, 11 round keys from a 128-bit key).
1.3.1 Key Expansion in AES-128
1.3.2 Key Expansion in AES-192 and AES-256
1.3.3 Key-Expansion Analysis
Topics discussed in this section:
162. 1.3.2 Key Expansion in AES-192 and AES-256
Key-expansion algorithms in the AES-192 and AES-256
versions are very similar to the key expansion algorithm in
AES-128, with the following differences:
163. 1.3.3 Key-Expansion Analysis
The key-expansion mechanism in AES has been
designed to provide several features that thwart the
cryptanalyst.
164. 1-4 CIPHERS
AES uses four types of transformations for encryption
and decryption. In the standard, the encryption
algorithm is referred to as the cipher and the decryption
algorithm as the inverse cipher.
1.4.1 Original Design
1.4.2 Alternative Design
Topics discussed in this section:
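The four transformations of section 1-2 (SubBytes, ShiftRows, MixColumns, AddRoundKey), the AES-128 key expansion of section 1-3 and the cipher of section 1-4 as one complete AES-128 block encryption. This is an added example, not code from the slides or from FIPS 197; it follows the standard's round structure and is checked against the FIPS 197 Appendix C.1 test vector. The S-box is computed rather than typed in (multiplicative inverse in GF(2^8) followed by the affine map), and the state is kept as 16 bytes in column-major order, which is the order the bytes arrive in, so the round key words line up with the state columns. It implements the cipher only; the inverse cipher uses the inverse transformations in the reverse order. This is for study: a real deployment uses a vetted, constant-time library implementation, because table lookups like these leak through cache timing.

```python
def xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def gmul(a, b):
    """Multiplication in GF(2^8): used by MixColumns and to build the S-box."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _build_sbox():
    """SubBytes table: multiplicative inverse (0 -> 0) followed by the affine map."""
    sbox = []
    for a in range(256):
        inv = next((c for c in range(1, 256) if gmul(a, c) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def sub_bytes(state):
    """16 independent byte-to-byte substitutions."""
    return [SBOX[b] for b in state]


def shift_rows(state):
    """Row r is rotated left by r bytes; state index = 4 * column + row."""
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(state):
    """Each column is multiplied by the fixed matrix with entries 02, 03, 01, 01."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out


def add_round_key(state, round_key):
    """Addition in GF(2^8) is XOR, so this step is its own inverse."""
    return [s ^ k for s, k in zip(state, round_key)]


def key_expansion(key):
    """AES-128: 44 words w[0..43] from the 16-byte key -> 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]                  # round constant
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """The cipher of FIPS 197: 10 rounds, the last one without MixColumns."""
    round_keys = key_expansion(key)
    state = add_round_key(list(block), round_keys[0])
    for r in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_keys[r])
    state = add_round_key(shift_rows(sub_bytes(state)), round_keys[10])
    return bytes(state)


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")     # FIPS 197 C.1 key
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")      # FIPS 197 C.1 plaintext
    print(aes128_encrypt_block(key, pt).hex())                   # 69c4e0d86a7b0430d8cdb78070b4c55a
```

The functions are deliberately separate so each slide's transformation can be run on its own state. Applying `sub_bytes` and then `shift_rows` to the round-0 output of the C.1 vector reproduces the `s_row` intermediate value that FIPS 197 prints for round 1, which is a convenient way to locate a bug round by round.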
165. 1-6 ANALYSIS OF AES
This section is a brief review of the three characteristics
of AES.
1.6.1 Security
1.6.2 Implementation
1.6.3 Simplicity and Cost
Topics discussed in this section:
166. 1.6.1 Security
AES was designed after DES. Most of the known attacks
on DES were already tested on AES.
Brute-Force Attack
AES is definitely more secure than DES due to the
larger-size key.
Statistical Attacks
Numerous attempts at statistical analysis of the
ciphertext have failed.
168. 1.6.2 Implementation
AES can be implemented in software, hardware, and
firmware. The implementation can use a table-lookup
process or routines that exploit the cipher's well-defined
algebraic structure.
169. 1.6.3 Simplicity and Cost
The algorithms used in AES are so simple that they can
be easily implemented using cheap processors and a
minimum amount of memory.
171. Modes of Operation
• A mode of operation is a technique for enhancing the effect of a cryptographic
algorithm or adapting the algorithm for an application.
• Five modes are defined by NIST (SP 800-38A).
172. Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence the name
• each block is encoded independently of the other blocks
• uses: secure transmission of single values
174. Advantages and Limitations of ECB
• repetitions in message may show in ciphertext
– if aligned with message block
– particularly with data such as graphics
– or with messages that change very little, which become a code-book
analysis problem
• weakness due to encrypted message blocks being independent
• main use is sending a few blocks of data
175. Cipher Block Chaining (CBC)
• message is broken into blocks
• but these are linked together in the encryption operation
• each previous ciphertext block is chained with the current plaintext block, hence
the name
• uses an Initialization Vector (IV) to start the process
C_i = DES_K1(P_i XOR C_(i-1)), with C_(-1) = IV
• uses: bulk data encryption, authentication
178. Advantages and Limitations of CBC
• each ciphertext block depends on all preceding message blocks
• thus a change in the message affects all ciphertext blocks after the change
as well as the original block
• need an Initialization Vector (IV) known to sender & receiver
– however, if the IV is sent in the clear, an attacker can change bits of the first
block and change the IV to compensate
– hence either the IV must be a fixed value (as in EFTPOS) or it must be sent
encrypted in ECB mode before the rest of the message
• at end of message, handle a possible last short block
– by padding either with a known non-data value (e.g. nulls)
– or pad last block with count of pad size
• e.g. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count
180. CFB
• A block cipher can be converted to a stream cipher using CFB, OFB or CTR.
• Padding is not needed.
• Plaintext and ciphertext are the same size.
181. Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is the need to stall for a block encryption after every n bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
184. Advantages and Limitations of OFB
• used when error feedback is a problem, or where encryption is needed before the
message is available
• superficially similar to CFB
• but feedback is from the output of cipher and is independent of message
• a variation of a Vernam cipher
– hence must never reuse the same sequence (key+IV)
• sender and receiver must remain in sync, and some recovery method is
needed to ensure this occurs
• originally specified with m-bit feedback in the standards
• subsequent research has shown that only OFB-64 should ever be used
185. Counter (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never
reused)
C_i = P_i XOR O_i
O_i = DES_K1(i)
• uses: high-speed network encryptions
188. Advantages and Limitations of CTR
• efficiency
– can do parallel encryptions
– in advance of need
– good for bursty high speed links
• random access to encrypted data blocks
• provable security (as good as other modes)
• but must ensure never reuse key/counter values, otherwise could break (cf
OFB)