The document discusses various cryptographic techniques including symmetric and asymmetric encryption. Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses two different keys. The document then describes the Data Encryption Standard (DES) algorithm and its variants, including Triple DES. It also covers the Advanced Encryption Standard (AES) algorithm, its design principles, and modes of operation for block ciphers like ECB, CBC, CFB and OFB.

1. 1
241-427-SV-2-2553-COE-PSU 1
241-427 Computer Security
Chapter III: Cryptography
Dr. Sangsuree Vasupongayya
241-427-SV-2-2553-COE-PSU 2
Cryptography mechanisms
Symmetric-key encryption
Same key for encrypt and decrypt
Based on transformations
Asymmetric-key encryption
Two keys
One for encrypt
One for decrypt
Based on mathematical functions
241-427-SV-2-2553-COE-PSU 3
Symmetric-key cipher
Encryption: C = Ek(P)
Decryption: P = Dk(C)
Where Dk(Ek(x)) = Ek(Dk(x)) = x
Bob and Alice will need another channel, a secured one,
to exchange the secret key.
241-427-SV-2-2553-COE-PSU 4
Symmetric Encryption
Same key used to encrypt and decrypt
E(k) can be derived from D(k), and vice versa
DES is most commonly used symmetric block-
encryption algorithm (created by US Govt)
Encrypts a block of data at a time
Triple-DES considered more secure
Advanced Encryption Standard (AES), twofish up
and coming
RC4 is most common symmetric stream cipher, but
known to have vulnerabilities
Encrypts/decrypts a stream of bytes (i.e wireless
transmission)
Key is a input to psuedo-random-bit generator
Generates an infinite keystream
241-427-SV-2-2553-COE-PSU 5
Substitution-Permutation Ciphers
Claude Shannon introduced idea of substitution-
permutation (S-P) networks in 1949 paper
form basis of modern block ciphers
S-P nets are based on the two primitive
cryptographic operations seen before:
substitution (S-box)
permutation (P-box)
provide confusion & diffusion of message & key
241-427-SV-2-2553-COE-PSU 6
Confusion and Diffusion
cipher needs to completely obscure statistical
properties of original message
a one-time pad does this
more practically Shannon suggested combining S &
P elements to obtain:
diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
confusion – makes relationship between ciphertext
and key as complex as possible

2. 2
241-427-SV-2-2553-COE-PSU 7
Data Encryption Standard (DES)
most widely used block cipher in world
adopted in 1977 by NBS (now NIST)
as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy over its security
241-427-SV-2-2553-COE-PSU 8
DES overview
241-427-SV-2-2553-COE-PSU 9
DES structure
241-427-SV-2-2553-COE-PSU 10
Initial and Final Permutations
The initial and final permutations are straight P-
boxes that are inverses of each other. They have
no cryptography significance in DES.
241-427-SV-2-2553-COE-PSU 11
Initial and Final Permutations
The initial and final permutations are straight P-
boxes that are inverses of each other. They have
no cryptography significance in DES.
241-427-SV-2-2553-COE-PSU 12
Rounds
DES uses 16 rounds. Each round of DES is a Feistel
cipher.

3. 3
241-427-SV-2-2553-COE-PSU 13
DES function
Applies a 48-bit key to the rightmost 32 bits (Ri-1)
to produce a 32-bit output.
Found sections: An expansion P-box, A whitener
(need key), A group of S-boxes, A straight P-box
241-427-SV-2-2553-COE-PSU 14
Expansion P-box
Expand 32-bit data to 48-bit data using P-box
241-427-SV-2-2553-COE-PSU 15
S-Boxes
Do the real mixing (confusion)
241-427-SV-2-2553-COE-PSU 16
Straight Permutation
Straight permutation with a 32-bit input and a 32-
bit output
241-427-SV-2-2553-COE-PSU 17 241-427-SV-2-2553-COE-PSU 18
Key generation
Create sixteen 48-
bit keys out of a
56-bit cipher key.

4. 4
241-427-SV-2-2553-COE-PSU 19
Parity-bit drop table
Drop bit 8,16,24,32,40,48,56 & 64
241-427-SV-2-2553-COE-PSU 20
Shift left (circular shift)
Round 1, 2, 9 and 16 shift 1 bit; other rounds shift
2 bits
241-427-SV-2-2553-COE-PSU 21
Compression Permutation
Changes 56-bit to 48-bit, which are used as a key
for a round.
241-427-SV-2-2553-COE-PSU 22
DES analysis
Avalanche effect: a small change in the plaintext
(or key) should create a significant change in the
ciphertext.
Completeness effect: each bit of the ciphertext
needs to depend on many bits on the plaintext.
A brute-force attack on DES is feasible with
available technology and the possibility of parallel
processing.
241-427-SV-2-2553-COE-PSU 23
Variants of DES
Double DES (2DES)
Use DES twice instead of 1 DES
Vulnerable to a known-plain text attack
Triple DES (3DES)
the middle stage use reverse cipher
With 2 keys (DES1 & DES3 use the same key)
With 3 keys (e.g., PGP)
241-427-SV-2-2553-COE-PSU 24
Double-DES?
could use 2 DES encrypts on each block
C = EK2(EK1(P))
issue of reduction to single stage
and have “meet-in-the-middle” attack
works whenever use a cipher twice
since X = EK1(P) = DK2(C)
attack by encrypting P with all keys and store
then decrypt C with keys and match X value
can show takes O(256) steps

5. 5
241-427-SV-2-2553-COE-PSU 25
Triple-DES with Two-Keys
hence must use 3 encryptions
would seem to need 3 distinct keys
but can use 2 keys with E-D-E sequence
C = EK1(DK2(EK1(P)))
nb encrypt & decrypt equivalent in security
if K1=K2 then can work with single DES
standardized in ANSI X9.17 & ISO8732
no current known practical attacks
241-427-SV-2-2553-COE-PSU 26
Triple-DES with Two-Keys
241-427-SV-2-2553-COE-PSU 27
Triple-DES with Three-Keys
although are no practical attacks on two-key Triple-
DES have some indications
can use Triple-DES with Three-Keys to avoid even
these
C = EK3(DK2(EK1(P)))
has been adopted by some Internet applications, eg
PGP, S/MIME
241-427-SV-2-2553-COE-PSU 28
designed by Rijment-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
designed to be:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity
Basic Algebraic structures
Groups
Rings
Fields
Advanced Encryption Standard (AES)
241-427-SV-2-2553-COE-PSU 29
General Design of AES
241-427-SV-2-2553-COE-PSU 30
Data Units
Bit: a binary digit with a value of 0 or 1
Byte: a group of 8 bits can be
A row matrix (1x8), insert a bit from left to right
A column matrix (8x1), insert a bit from top
Word: a group of 32 bits can be
A row matrix of 4 bytes
A column matrix of 4 bytes
Block: a group of 128 bits or a row matrix of 16
bytes

6. 6
241-427-SV-2-2553-COE-PSU 31
Structure of round in AES
241-427-SV-2-2553-COE-PSU 32
Byte Substitution (ByteSub)
a simple substitution of each byte
uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
each byte of state is replaced by byte indexed by
row (left 4-bits) & column (right 4-bits)
eg. byte {95} is replaced by byte in row 9
column 5
which has value {2A}
S-box constructed using defined transformation of
values in GF(28)
designed to be resistant to all known attacks
241-427-SV-2-2553-COE-PSU 33
Byte Substitution
241-427-SV-2-2553-COE-PSU 34
Shift Rows
a circular byte shift in each row
1st row is unchanged
2nd row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
decrypt inverts using shifts to right
since state is processed by columns, this step
permutes bytes between the columns
241-427-SV-2-2553-COE-PSU 35
Shift Rows
241-427-SV-2-2553-COE-PSU 36
Mix Columns
each column is processed separately
each byte is replaced by a value dependent on all 4
bytes in the column
effectively a matrix multiplication in GF(28) using
prime poly m(x) =x8+x4+x3+x+1

7. 7
241-427-SV-2-2553-COE-PSU 37
Mix Columns
241-427-SV-2-2553-COE-PSU 38
Mix Columns
can express each col as 4 equations
to derive each new byte in col
decryption requires use of inverse matrix
with larger coefficients, hence a little harder
have an alternate characterisation
each column a 4-term polynomial
with coefficients in GF(28)
and polynomials multiplied modulo (x4+1)
241-427-SV-2-2553-COE-PSU 39
Add Round Key
XOR state with 128-bits of the round key
again processed by column (though effectively a
series of byte operations)
inverse for decryption identical
since XOR own inverse, with reversed keys
designed to be as simple as possible
a form of Vernam cipher on expanded key
requires other stages for complexity / security
241-427-SV-2-2553-COE-PSU 40
Add Round Key
241-427-SV-2-2553-COE-PSU 41
AES Round
241-427-SV-2-2553-COE-PSU 42
AES Key Expansion
takes 128-bit (16-byte) key and expands into array
of 44/52/60 32-bit words
start by copying key into first 4 words
then loop creating words that depend on values in
previous & 4 places back
in 3 of 4 cases just XOR these together
1st word in 4 has rotate + S-box + XOR round
constant on previous, before XOR 4th back
designed to resist known attacks

8. 8
241-427-SV-2-2553-COE-PSU 43
AES Key Expansion
241-427-SV-2-2553-COE-PSU 44
Key Expansion Rationale
design criteria included
knowing part key insufficient to find many more
invertible transformation
fast on wide range of CPU’s
use round constants to break symmetry
diffuse key bits into round keys
enough non-linearity to hinder analysis
simplicity of description
241-427-SV-2-2553-COE-PSU 45
AES Decryption
AES decryption is not identical to encryption since
steps done in reverse
but can define an equivalent inverse cipher with
steps as for encryption
but using inverses of each step
with a different key schedule
works since result is unchanged when
swap byte substitution & shift rows
swap mix columns & add (tweaked) round key
241-427-SV-2-2553-COE-PSU 46
Cipher and inverse cipher
241-427-SV-2-2553-COE-PSU 47
Implementation Aspects
can efficiently implement on 8-bit CPU
byte substitution works on bytes using a table of 256
entries
shift rows is simple byte shift
add round key works on byte XOR’s
mix columns requires matrix multiply in GF(28) which
works on byte values, can be simplified to use table
lookups & byte XOR’s
241-427-SV-2-2553-COE-PSU 48
Implementation Aspects
can efficiently implement on 32-bit CPU
redefine steps to use 32-bit words
can precompute 4 tables of 256-words
then each column in each round can be computed
using 4 table lookups + 4 XORs
at a cost of 4Kb to store tables
designers believe this very efficient implementation
was a key factor in its selection as the AES cipher

9. 9
241-427-SV-2-2553-COE-PSU 49
Modes of Operation
block ciphers encrypt fixed size blocks
eg. DES encrypts 64-bit blocks with 56-bit key
need some way to en/decrypt arbitrary amounts of
data in practise
ANSI X3.106-1983 Modes of Use (now FIPS 81)
defines 4 possible modes
subsequently 5 defined for AES & DES
have block and stream modes
241-427-SV-2-2553-COE-PSU 50
Electronic Codebook Book (ECB)
message is broken into independent blocks which are
encrypted
each block is a value which is substituted, like a
codebook, hence name
each block is encoded independently of the other
blocks
Ci = DESK1(Pi)
uses: secure transmission of single values
241-427-SV-2-2553-COE-PSU 51
Electronic Codebook Book (ECB)
241-427-SV-2-2553-COE-PSU 52
ECB Advantages & Limitations
message repetitions may show in ciphertext
if aligned with message block
particularly with data such graphics
or with messages that change very little, which
become a code-book analysis problem
weakness is due to the encrypted message blocks being
independent
main use is sending a few blocks of data
241-427-SV-2-2553-COE-PSU 53
Cipher Block Chaining (CBC)
message is broken into blocks
linked together in encryption operation
each previous cipher blocks is chained with current
plaintext block, hence name
use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
uses: bulk data encryption, authentication
241-427-SV-2-2553-COE-PSU 54
Cipher Block Chaining (CBC)

10. 10
241-427-SV-2-2553-COE-PSU 55
Advantages and Limitations of CBC
a ciphertext block depends on all blocks before it
any change to a block affects all following ciphertext
blocks
need Initialization Vector (IV)
which must be known to sender & receiver
if sent in clear, attacker can change bits of first block, and
change IV to compensate
hence IV must either be a fixed value (as in EFTPOS)
or must be sent encrypted in ECB mode before rest of message
241-427-SV-2-2553-COE-PSU 56
Cipher FeedBack (CFB)
Size of the block in AES or DES is n
Size of the plaintext is r; r <= n
Encrypt or decrypt the contents of a shift register,
S, of size n
Encryption XOR r-bit plaintext w/ r-bits of the shift
register
241-427-SV-2-2553-COE-PSU 57
Cipher FeedBack (CFB)
241-427-SV-2-2553-COE-PSU 58
CFB Advantages & Limitations
appropriate when data arrives in bits/bytes
most common stream mode
limitation is need to stall while do block encryption
after every n-bits
note that the block cipher is used in encryption
mode at both ends
errors propogate for several blocks after the error
241-427-SV-2-2553-COE-PSU 59
Output FeedBack (OFB)
Similar to CFB
Each bit in the ciphertext is independent of the
previous bit or bits
241-427-SV-2-2553-COE-PSU 60
Advantages and Limitations of OFB
bit errors do not propagate
more vulnerable to message stream modification
a variation of a Vernam cipher
hence must never reuse the same sequence
(key+IV)
sender & receiver must remain in sync
originally specified with m-bit feedback
subsequent research has shown that only full
block feedback (ie CFB-64 or CFB-128) should
ever be used

11. 11
241-427-SV-2-2553-COE-PSU 61
Counter (CTR)
similar to OFB but encrypts counter value rather than
any feedback value
must have a different key & counter value for every
plaintext block (never reused)
241-427-SV-2-2553-COE-PSU 62
Advantages and Limitations of CTR
efficiency
can do parallel encryptions in h/w or s/w
can preprocess in advance of need
good for bursty high speed links
random access to encrypted data blocks
provable security (good as other modes)
but must ensure never reuse key/counter values,
otherwise could break (cf OFB)
241-427-SV-2-2553-COE-PSU 63
Asymmetric-key cryptosystem
241-427-SV-2-2553-COE-PSU 64
Conceptual differences
slowfast
numbers are manipulated
(mathematical function)
symbols are permuted or
substituted
only n personal secrets(n-1)n/2 shared secrets
The secret is not sharedThe secret is shared
asymmetricsymmetric
241-427-SV-2-2553-COE-PSU 65
General idea
241-427-SV-2-2553-COE-PSU 66
General idea (cont.)
Bob must create two keys; distribute to others
Eve should not be able to advertise her public key
pretending to be Bob’s key
Each key pair can be used for one-way
communication
Bob only needs one private key to receive message
from anyone
Bob needs n public keys to talk to n people
(one for each person)
The plaintext and ciphertext are treated as integers
C = f(Kpublic, P) while P = g(Kprivate, C)
And f must be a trapdoor one-way function

12. 12
241-427-SV-2-2553-COE-PSU 67
Trapdoor one-way function
One-way function
f is easy
given x compute y = f(x) is easy
f-1 is difficult
given y, it is computationally infeasible to calculate x
= f-1(y)
Trapdoor one-way function
A one-way function that
given y and a trapdoor (secret), x can be easily
computed
E.g., y = xk mod n when n is large
241-427-SV-2-2553-COE-PSU 68
y = xk mod n
Given x, k and n, it is easy to calculate y
Square-and multiply method
Given y, k and n, it is very difficult to compute x
Discrete logarithm problem
However if a trapdoor k’ such that
k’ • k = 1 mod Ф(n) is known
x can be easily calculated by
x = yk’ mod n
This is used in RSA
241-427-SV-2-2553-COE-PSU 69
RSA cryptosystem
Named for its inventors (Rivest, Shamir, Adleman)
241-427-SV-2-2553-COE-PSU 70
RSA: key generation
Recommended size
n should be at least 1024 bits
e and d should be at least 512 bits
Key generation
1. Select two large prime p and q
2. n ← p • q
3. Ф(n) = (p-1)(q-1)
4. Select e such that
1 < e < Ф(n) and gcd(e, Ф(n)) = 1
5. d ← e-1 mod Ф(n)
{e,n} is the public key
{d,n} is the private key
241-427-SV-2-2553-COE-PSU 71
Exponentiation
can use the Square and Multiply Algorithm
a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base
and multiplying in the ones that are needed to
compute the result
look at binary representation of exponent
only takes O(log2 n) multiples for number n
eg. 75 mod 11 = 10
241-427-SV-2-2553-COE-PSU 72
square-and-multiply
Square-and-multiply (x, k, n)
y ← 1
for i=0 to nb-1
if(ki = 1)
y ← x • y mod n
x ← x2 mod n
return y
Where nb is the number of bits in k

13. 13
241-427-SV-2-2553-COE-PSU 73
RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Compute n = pq =17 x 11=187
3. Compute ø(n)=(p–1)(q-1)=16 x 10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160 Value is
d=23 since 23x7=161= 10x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
241-427-SV-2-2553-COE-PSU 74
Attacking RSA
possible approaches:
brute force key search
(infeasible given size of numbers)
mathematical attacks
(based on difficulty of computing ø(n), by factoring
modulus n)
timing attacks (on running of decryption)
chosen ciphertext attacks
(given properties of RSA)
If the ciphertext is a permutation of the plaintext
Continuous encryption of the ciphertext will eventually
results in the plaintext
241-427-SV-2-2553-COE-PSU 75
Man-in-the-middle Attack
241-427-SV-2-2553-COE-PSU 76
Symmetric-key distribution
How to distribute and maintain secret keys
Two approach
Use a trusted third party
Use no third party
241-427-SV-2-2553-COE-PSU 77
Use a trusted third party
Key-distribution center (KDC)
Each user has a shared secret key wit the KDC
Problems
Not scale
Bottleneck problem
241-427-SV-2-2553-COE-PSU 78
Example of KDC approach

14. 14
241-427-SV-2-2553-COE-PSU 79
No third party
Diffie-Hellman key agreement
241-427-SV-2-2553-COE-PSU 80
Diffie-Hellman
Initial: choose two number p and g
p: a large prime number > 300 decimal digits
1024 bits
g: an integer < p such that foe every number n
between 1 to p-1, there is a power k of g such that n
= gk mod p
Idea
Key is gxy mod p
where one party knows x and the other knows y
Problems
Discrete logarithm attack
Man-in-the-middle attack
241-427-SV-2-2553-COE-PSU 81
Man-in-the-middle-attack
241-427-SV-2-2553-COE-PSU 82
Public-key distribution
Public announcement
simple and easy
Subject to forgery
Anyone can pretend to be
anyone
The key can be switched
during the communication
241-427-SV-2-2553-COE-PSU 83
Public-key distribution (cont.)
Trusted center: keep
information of public key
and dynamically updated
the information
Each user must prove
his/her identity
The user’s public key is
kept at the trusted
center
241-427-SV-2-2553-COE-PSU 84
Public-key distribution (cont.)
Controlled trusted center

15. 15
241-427-SV-2-2553-COE-PSU 85
Public-key distribution (cont.)
Both trusted center models
Create heavy load on the trusted center
Objectives
A person wants people to know his public-key
Wants no one to accept a forged key as his
Solutions
Certification authority (CA): a federal or state
organization that binds a public key to an entity and
issues a certificate
The CA checks Bob’s identity
The CA issue the certificate by signing Bob’s public
key using the center private key
241-427-SV-2-2553-COE-PSU 86
Certification authority
241-427-SV-2-2553-COE-PSU 87
Public-Key Infrastructures (PKI)
A model for creating, distributing and revoking
certificates based on the X.509
Duties
Certificates’ issuing, renewal and revocation
Keys’ storage and update: store members’ private
keys and update these keys on members’ demands
Providing services to other protocols
e.g., IPSec, TLS
Providing access control
different access levels
241-427-SV-2-2553-COE-PSU 88
PKI: trust model
Reason: not possible to have a single CA
Q1: how user1 can trust user3?
Q2: how user1 can trust user4?
241-427-SV-2-2553-COE-PSU 89
X.509
the Internationally accepted standard for how to
construct a public key certificate
used by S/MIME secure email, SSL/TLS secure
Internet links (e.g., for secure web)
241-427-SV-2-2553-COE-PSU 90
X.509 Certificates

16. 16
241-427-SV-2-2553-COE-PSU 91
X.509 Certificates
issued by a Certification Authority (CA), containing:
version (1, 2, or 3)
serial number (unique within CA) identifying certificate
signature algorithm identifier
issuer X.500 name (CA)
period of validity (from - to dates)
subject X.500 name (name of owner)
subject public-key info (algorithm, parameters, key)
issuer unique identifier (v2+)
subject unique identifier (v2+)
extension fields (v3)
signature (of hash of all fields in certificate)
notation CA<<A>> : certificate for A signed by CA
241-427-SV-2-2553-COE-PSU 92
X.509: certificate revocation
Reasons
Compromised key
The CA is no longer willing to certify the user
The CA private key is compromised
Actions:
Issue a certificate revocation list (CRL)
Before using any certificate, the user must check
this list
241-427-SV-2-2553-COE-PSU 93
References
W. Stallings, Cryptography and Network Security,
3rd ed.
B.A. Forouzan, Cryptograhpy and Network Security,
McGraw-Hill, 2008.
A.Kahate, Cryptography and network Security,
McGraw-Hill, 2003.