CSE

Cryptography and Network Security

UNIT-I-II
Symmetric Key Cryptography: Symmetric Encryption Principles, Symmetric Encryption, Algorithms
(DES,Triple DES and AES), Cipher Block Modes of Operations.

1.1.Introduction:
 A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as
a whole and used to produce a ciphertext block of equal length.
 Many block ciphers have a Feistel structure. Such a structure consists of a number of identical
rounds of processing. In each round, a substitution is performed on one half of the data
being processed, followed by a permutation that interchanges the two halves. The original
key is expanded so that a differe nt key is used for each round.
 The Data Encryption Standard (DES) has been the most widely used encryption algorithm until
recently. It exhibits the classic Feistel structure. DES uses a 64-bit block and a 56-bit
key.
1.2. Stream Ciphers and Block Ciphers :
 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
Examples of classical stream ciphers are the auto keyed Vigenère cipher and the Vernam
cipher.
 A block cipher is one in which a block of plaintext is treated as a w hole and used to produce
a ciphertext block of equal length.
 Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two users share
a symmetric encryption key

1.3.The Feistel Cipher:

Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a
product cipher, which is the execution of two or more simple ciphers in sequence in such a way that
the final result or product is cryptographically stronger than any of the compo nent ciphers. The
essence of the approach is to develop a block cipher with a key length of k bits and a block length of n
bits, allowing a total of 2k possible transformations, rather than the 2n! transformations available with
the ideal block cipher.
In particular, Feistel proposed the use of a cipher that alternates substitutions and
permutations, where these terms are defined as follows:
 Substitution: Each plaintext element or group of elements is uniquely replaced by a
corresponding ciphertext element or group of elements.
 Permutation: A sequence of plaintext elements is replaced by a permutation of that sequence.
That is, no elements are added or deleted or replaced in the sequence, rather the order in
which the elements appear in the sequence is changed.

Feistel’s is a practical application of a proposal by Claude Shannon to develop a product cipher

that
alternates confusion and diffusion
functions

2.3.1 FEISTEL CIPHER STRUCTURE: The left-hand side of Figure depicts the structure proposed by
Feistel. The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key. The
plaintext block is divided into two halves, L0 and R0 . The two halves of the data pass through n rounds
of processing and then combine to produce the ciphertext block. Each round i has as inputs Li-1 and Ri-
1 derived from the previous round, as well as a subkey Ki derived from the overall K. In general, the
subkeys Ki are different from K and from each other.

All rounds have the same structure. A substitution is performed on the left half of the data.
This is done by applying a round function F to the right half of the data and then taking the exclusive-
OR of the output of that function and the left half of the data. The round function has the same
general structure for each round but is parameterized by the round subkey Ki.

Permutation is performed that consists of the interchange of the two halves of the data. This
structure is a particular form of the substitution-permutation network (SPN) proposed by Shannon.

The exact realization of a Feistel network depends on the choice of the following parameters
and design features:
 CSE
 Block size: Larger block sizes mean greater security (all other things being equal) but
reduced encryption/decryption speed for a given algori thm. The greater security is achieved
by greater diffusion. Traditionally, a block size of 64 bits has been considered a reasonable
tradeoff and was nearly universal in block cipher design. However, the new AES uses a 128-
bit block size.
 Key size: Larger key size means greater security but may decrease encryption/
decryption speed. The greater security is achieved by greater resistance to brute -force
attacks and greater confusion. Key sizes of 64 bits or less are now widely considered to be
inadequ ate, and 128 bits has become a common size.
 Number of rounds: The essence of the Feistel cipher is that a single round offers
inadequate security but that multiple rounds offer increasing security. A typical size is 16
rounds.

Fig: Feistel Cipher structures

 Subkey generation algorithm: Greater complexity in this algorithm should lead to

greater difficulty of cryptanalysis.
 Round function F: Again, greater complexity generally means greater resistance to cryptanalysis.

There are two other considerations in the design of a Feistel cipher:

 Fast software encryption/decryption: In many cases, encryption is embedded in applications

or utility functions in such a way as to preclude a hardware implementation. Accordingly, the
speed of execution of the algorithm becomes a concern.
 Ease of analysis: Although we would like to make our algorithm as difficult as possible to
cryptanalyze, there is great benefit in making the algorithm easy to analyze. That is, if the
algorithm can be concisely and clearly explained, i t is easier to analyze that algorithm
for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its
strength. DES, for example, does not have an easily analyzed functionality.

2.4. Data Encryption Standard:

 DES is a Symmetric-key algorithm for the encryption of electronic data.
 DES originated at IBM in 1977 & was adopted by the U.S Department of Defence. Now it is
under the NIST (National Institute of Standard & Technology)
 CSE
 Data Encryption Standard (DES) is a widely -used method of data encryption using a private
(secret) key
 DES applies a 56-bit key to each 64-bit block of data. The process can run in several modes and
involves 16 rounds or operations.

Inner workings of DES:

DES (and most of the other major symmetric ciphers) is based on a cipher known as the Feistel
block cipher. This was a block cipher developed by the IBM cryptography researcher Horst Feistel in
the early
70’s. It consists of a number of rounds where each round contains bit -shuffling, non-linear
substitutions (S-boxes) and exclusive OR operations. Most symmetric encry ption schemes today are
based on this structure (known as a Feistel network).

Overall
structure

DES (and most of the other major symmetric ciphers) is based on a cipher known as the Feistel
block cipher.
Looking at the left-hand side of the figure, we can see that the processing of the plaintext proceeds in
three phases.
 First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to
produce the permuted input.
 This is followed by a phase consisting of sixteen rounds of the same function, which involves
both permutation and substitution functions. The output of the last (sixteenth) round consists
of 64 bits that are a function of the input plaintext and the key. The left and right halves of the
output are swapped to produce the preoutput.
 Finally, the preoutput is passed through a permutation that is the inverse of the initial
permutation function, to produce the 64-bit cipher text. With the exception of the initial and
final permutations, DES has the exact structure of a Feistel cipher,

The right-hand portion of below shows the way in which the 56-bit key is used. Initially, the key is
passed through a permutation function. Then, for each of the sixteen rounds, a subkey (Ki ) is
produced by the combination of a left circular shift and a permutation. The permutation function is
the same for each round, but a different subkey is produced because of the repeated shifts of the key
bits.

CSE
SACET
 CSE

Initial Permutation: The initial permutation and its inverse are defined b y tables, as shown in Tables
(a) and (b), respectively. The tables are to be interpreted as follows. The input to a table consists of 64
bits numbered from 1 to 64. The 64 entries in the permutation table contain a permutation of the
numbers from 1 to 64. Each entry i n the permutation table indicates the position of a numbered
input bit in the output, which also consists of 64 bits.
 CSE

CSE
To see that these two permutation functions are indeed the inverse of each other, consider the following
64-bit input M:

Where Mi is a binary digit. Then the permutation X = (IP(M)) is as follows:

 CSE

DETAILS OF SINGLE
ROUND

Below figure shows the internal structure of a single round. Again, begin by focusing on the left-hand
side of the diagram. The left and right halves of each 64-bit intermediate value are treated as separate
32-bit quantities, labeled L (left) and R (right). As in any classic Feistel cipher, the overall processing at
each round can be summarized in the following formulas:

CSE
The round key K i is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a
table that defines a permutation plus an expansion that involves duplication of 16 of the R bits (Table
3.2c). The resulting 48 bits are XORed with K i . This 48-bit result passes through a substitution function
that produces a 32-bit output, which is permuted as defined by Table (d). The role of the S-boxes in
the function F is illustrated in Figure 3.7. The substitution consists of a set of eight S-boxes, each of
which accepts 6 bits as input and produces 4 bits as output. These transformations are defined in Table
3.3, which is interpreted as follows: The first and last bits of the input to box Si form a 2-bit binary
number to select one of four substitutions defined by the four rows in th e table for. The middle four
bits select one of the sixteen columns. The decimal value in the cell selected by the row and column
is then converted to its 4 -bit representation to produce the output.

For example, in S1 , for input 011001, the row is 01 (row 1) and the column is 1100 (column 12). The
value in row 1, column 12 is 9, so the output is 1001. Each row of an S -box defines a general
reversible substitution. Figure 3.2 may be useful in understanding the mapping. The figure shows the
substitution for row 0 of box S1 . The operation of the S-boxes is worth further comment. Ignore for
the moment the contribution of the key ( Ki). If you examine the expansion table, you see that the 32
bits of input are split into groups of 4 bits and then become groups of 6 bits by taking the outer bits
from the two adjacent groups. For example, if part of the input word is
... efgh ijkl mnop
...
This becomes ... defghi hijklm lmnopq
...
 CSE

The outer two bits of each group select one of four po ssible substitutions (one row of an S-box). Then
a
4-bit output value is substituted for the particular 4-bit input (the middle four input bits). The 32-bit
output from the eight S-boxes is then permuted, so that on the next round, the output from
each S -box immediately affects as many others as possible.

Substitution Boxes S: Have eight S-boxes which map 6 to 4 bits. Each S-box is actually 4 little 4 bit
boxes. Outer bits 1 & 6 (row bits) select one rows. inner bits 2-5 (col bits) are substituted. Result is 8
lots of 4 bits, or 32 bits. Row selection depends on both data & key

KEY GENERATION:
Returning to above all figures, we see that a 64-bit key is used as input to the algorithm. The
bits of the key are numbered from 1 through 64; every eighth bit is ignored, as indicated by the lack of
shading in Table 3.4a. The key is first subjected to a permutation governed by a table labeled
Permuted Choice One (Table 3.4b)
The resulting 56-bit key is then treated as two 28-bit quantities, labelled C0 and D0 . At each round, Ci-1
and Di-1 are separately subjected to a circular left shift or (rotation) of 1 or 2 bits, as governed by Table
3.4d. These shifted values serve as input to the next round. They also serve as input to the part l
abeled Permuted Choice Two (Table 3.4c), which produces a 48-bit output that serves as input to the
Function F(Ri-1 , Ki).

DES DECRYPTION:
Whatever process we following in the encryption that process is used for decryption also but
the order of key is changed on input message (cipher text).
Reverse order of keys are K 16 , K15 ,……,
K1 .
The Avalanche
Effect:

 A desirable property of any encryption algorithm is that a small change in either the plaintext
or the key should produce a significant change in the ciphertext.
 In particular, a change in one bit of the plaintext or one bit of the key should produce a ch ange
in many bits of the ciphertext.
 This is referred to as the avalanche effect.

TH E STRENGTH OF
DES:

The Use of 56-Bit Keys:

 With a key length of 56 bits, there are 256 possible keys, which is approximately 7.2 x 1016 .
A brute-force attack appears impractical. Assuming that, on average, half the key space has
to be searched, a single machine performing one DES encryption per microsecond would
take more than a thousand years to break the cipher. Diffie and Hellman postulated that
the technology existed to build a parallel machine with 1 million encryption devices, each
of which
 CSE

could perform one encryption per microsecond. This would bring the average search
time down to about 10 hours.
The Nature of the DES Algorithm:

 Possibilities of cryptanalysis is done by finding the characteristics of DES algorithm.

 Learning of S-Box logic is complex.
 Weakness of the S-boxes not been discovered.

Timing Attacks:

 A timing attack is one in which information about the key or the plaintext is obtained by
observing how long it takes a given implementation to perform decryptions on various
cipher texts.
 A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly
different amounts of time on different inputs.
 DES appears to be fairly resistant to a successful timing attack.

2.5. Block Cipher Design Principles:

There are three critical aspects of block cipher design: the number of rounds, design of
the function F, and key scheduling.

Number of Rounds:

 The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for
a relatively weak F.
 In general, the criterion should be that the number of rounds is chosen so that
known cryptanalytic efforts require greater effort than a simple brute -force key search
attack. This criterion was certainly used in the design of DES.

Design of Function F:

 The heart of a Feistel block cipher is the function F, which provides the element of confusion
in a Feistel cipher. Thus, it must be difficult to “unscramble” the substitution performed by F.
 F must be nonlinear. The more nonlinear F, the more difficult any type of cryptanalysis
will be.

Key Schedule Algorithm:

 With any Feistel block cipher, the key is used to generate one subkey for each round.
 In general, we would like to select subkeys to maximize the difficulty of deducing
individual subkeys and the difficulty of working back to the main key.

2.6.Triple DES (3DES):

 Triple DES is simply another mode of DES operation. It takes three 64-bit keys, for an
overall key length of 192 bits.
 The Triple DES then breaks the user provided key into three subkeys, padding the keys if
necessary so they are each 64 bits long.
 The procedure for encryption is exactly the same as regular DES, but it is repeated three times.
Hence the name Triple DES. The data is encrypted with the first key, decrypted with
the second key, and finally encrypted again with the third key.

2.7. ADVANCED EN CRYPTION STANDARD(AES):

 The Advanced Encryption Standard (AES) was published by the National Institute of
Standards and Technology (NIST) in 2001.
 AES is a block cipher intended to replace DES for commercial applications.
 It uses a 128-bit block size and a key size of 128, 192, or 256 bits.
 CSE

 AES does not use a Feistel structure. Instead, each full round consists of four
separate functions: byte substitution, permutation, arithmetic operations over a
finite field, and XOR with a key.
Rijndael was designed to have the following characteristics:
 Resistance against all known attacks
 Speed and code compactness on a wide range of platforms
 Design simplicity
AES parameters:
Key size(words/bytes/bits) 4/16/128 6/24/192 8/32/256

Plaintext block Size (words/bytes/bits) 4/16/128 4/16/128 4/16/128

Number of rounds 10 12 14

Round Key size (words/bytes/bits) 4/16/128 4/16/128 4/16/128

Expanded key size (words/bytes) 44/176 52/208 60/240

Inner Workings of a
Round
The algorithm begins with an Add round key stage followed by 9 rounds of four stages and
a
tenth round of three stages. This applies for both encryption and decryption with the
exception that each stage of a round the decryption algorithm is the inverse of its
counterpart in the encryption algorithm. The four stages are as follows:
1. Substitute
bytes
2. Shift rows
3. Mix
Columns
4. Add Round Key
The tenth round simply leaves out the Mix Columns stage. The first nine rounds of the
decryption
algorithm consist of the
following:
1. Inverse Shift
rows
2. Inverse Substitute
bytes
3. Inverse Add Round
Key
4. Inverse Mix
Columns
Again, the tenth round simply leaves out the Inverse Mix Columns stage. Each of these
stages
will now be considered in more
detail.
 CSE

FIGURE:7.1 overall structure of the AES

algorithm
 CSE

Substitute Byt es
This stage (known as SubBytes) is simply a table lookup using a 16×16 matrix of byte values
called an s-box. This matrix consists of all the possible combinations of an 8 -bit sequence (28
= 16 × 16
= 256). However, the s -box is not just a random permutation of these values and there is a
well - defined method for creating the s -box tables. The designers of Rijndael showed how
this was done unlike the s -boxes in DES for which no rationale
was given.

Figure 7.2: Data structures in the AES

algorithm.

Again the matrix that gets operated upon throughout the encryption is known as state. We
will be concerned with how this matrix is effected in each round. For this particular round
each byte is mapped into a new byte in the following wa y: the leftmost nibble of the byte is
used to specify a particular row of the s -box and the rightmost nibble specifies a column. For
example, the byte
{95} (curly brackets represent hex values in FIPS PUB 197) selects row 9 column 5 which turns
out
to contain the value
{2A}.
This is then used to update the state matrix. Figure 7.3 depicts this
idea.

SACET

The Inverse substitute byte transformation makes use of an inverse s -box. In this case what
is desired is to select the value {2A} and get the value {95}. Table 7.4 shows the two s -boxes
and it can be verified that this is in fact the case.

The s-box is designed to be resistant to known cryptanalytic attacks. Specifically, the

Rijndael developers sought a design that has a low correlation between input bits a nd
 CSE
output bits, and the property that the output cannot be described as a simple mathematical
function of the input.

In addition, the s -box has no fixed points (s -box(a) = a) and no opposite fixed points (s -
box(a) = ) where is the bitwise compliment of a.

Shift Rows Transformation :

Shift row transformation are two types.
 Forward Shift row transformation which is used in encryption.
 Inverse Shift row transformation which is used in decryption.

FORWARD SHIFT ROW TRANSFORMATION:

 The first row of State matrix is not altered.

 For the second row, a 1-byte circular left shift is performed.
 For the third row, a 2-byte circular left shift is performed.
 For the fourth row, a 3-byte circular left shift is
performed. The following is an example of ShiftRows:

INVERSE SHIFT ROWS:

 Performs the circular shifts in the opposite direction for each of the last three rows, with a
one- byte circular right shift for the second row and soon.

MIX COLUMNS TRANSFORMATION:

Mix columns transformation are two types.

 Forward Mix columns transformation which is used in encryption.
 Inverse Mix columns transformation which is used in decryption.
Forward Mix columns transformation:
 Forward Mix columns transformation called mix columns, operates on each column individually.
Each byte of a column is mapped into a new value that is a function of all 4 bytes in that
column. The transformation can be defined by the following matrix multiplication on state.
 CSE

inverse Mix columns transformation:

 The inverse mix column transformation, called InvMixColumns, is defined by the following
matrix multiplication:

AddRoundKey Transformation :
 In the forward add round key transformation, called AddRoundKey, the 128 bits of
State are bitwise XORed with the 128 bits of the round key.
 The inverse add round key transformation is identical to the forward add round key
transformation, because the XOR operation is its own inverse.
 CSE

AES Key Expansion:

 The 128-bit key value can be expanded into 44 words i.e. 44X32=1408bits
 In each round 4 words will be used i.e. 4x32=128 bits
 In Addroundkey first 4 words w0,w1,w2,w3 are used.
 In first round,w4,w5,w6,w7 are used and soon.
The 128 bit key is expanded as follows
 First 128 bit key is arranged as a 4x4 matrix each value size is 8 -bits
 The first 32 bits (k0,k1,k2,k3) is considered as w0.
 The first 32 bits (k4,k5,k6,k7) is considered as w1.
 The first 32 bits (k8,k9,k10,k11) is considered as w2.
 The first 32 bits (k12,k13,k14,k15) is considered as w4.
 Next 4 words w4,w5,w6,w7 are followed as

w4=w0 ⊕ w3

w5=w1 ⊕ w4

w6=w2 ⊕w5
w7=w3 ⊕w6

Figure. AES Key Expansion

2.11. Block Cipher Modes of Operation:

A block cipher algorithm is a basic building block for providing data security. To apply a block cipher in
a variety of applications, different "modes of operation" have been defined by NIST. In essence, a
mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the
algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data
stream. The modes are intended to cover virtually all the possible applications of encrypti on for which
a block cipher could be used.

Electronic Codebook Mode:

The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one
block at a time and each block of plaintext is encrypted using the same key (Figure a & b). The term
codebook is used because, for a given key, there is a unique ciphertext for every b -bit block of
plaintext. For a message longer than b bits, the procedure is simply to break the message into b -bit
blocks, padding the last block if necessary. Decryption is performed one block at a time, always using
the same key. In Figure, the plaintext (padded as necessary) consists of a sequence of b -bit blocks, P1,
P2,..., PN; the corresponding sequence of ciphertext blocks is C1, C2,..., CN.
 Figure. Electronic Codebook (ECB) Mode

The ECB method is ideal for a short amount of data, such as an encryption key. Thus, if you
want to transmit a DES key securely, ECB is the appropriate mode to use. The most significant
characteristic of ECB is that the same b-bit block of plaintext, if it appears more than once in the
message, always produces the same ciphertext.

For lengthy messages, the ECB mode may not be secure. If the message is highly structured,
it may be possible for a cryptanalyst to exploit these re gularities. For example, if it is known that
the message always starts out with certain predefined fields, then the cryptanalyst may have a
number of known plaintext-ciphertext pairs to work with. If the message has repetitive elements,
with a period of repetition a multiple of b bits, then these elements can be identified by the analyst.
This may help in the analysis or may provide an opportunity for substituting or rearranging blocks.

Cipher Block Chaining Mode :

To overcome the security deficiencies of ECB, we would like a technique in which the same
plaintext block, if repeated, produces different cipher text blocks. A simple way to satisfy this
requirement is the cipher block chaining (CBC) mode.

In this scheme, the input to the encryption algorithm is the XOR of the current plaintext block
and the preceding cipher text block; the same key is used for each block. In effect, we have chained
together the processing of the sequence of plaintext blocks. The input to the encryption function for
each plaintext block bears no fixed relationship to the plaintext block. Therefore, repeating patterns
of b bits are not exposed.

Figure : Cipher Block Chaining (CBC) Mode

For decryption, each cipher block is passed through the decryption algorithm. The result is XORe d
with the preceding cipher text block to produce the plaintext block. To produce the first block of cipher
text, an initialization vector (IV) is XORed with the first block of plaintext. On decryption, the IV is
XORed with the output of the decryption algorithm to recover the first block of plaintext. The IV is a
data block that is that same size as the cipher block. The IV must be known to both the sender and
receiver but be unpredictable by a third party. For maximum security, the IV should be protected
against unauthorized changes. This could be done by sending the IV using ECB encryption. Because of
the chaining mechanism of CBC, it is an appropriate mode for encrypting messages of length greater
than b bits. CBC mode can be used for authentication.

Cipher Fee dback Mode:

The DES scheme is essentially a block cipher technique that uses b -bit blocks. However, it
is possible to convert DES into a stream cipher, using either the cipher feedback (CFB) or the output
feedback mode. Figure depicts the CFB scheme . In the figure, it is assumed that the unit of
transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext are chained together,
so that the cipher text of any plaintext unit is a function of all the preceding plaintext. In this ca se,
rather than units of b bits, the plaintext is divided into segments of s bits.

First, consider encryption. The input to the encryption function is a b -bit shift register that is
initially set to some initialization vector (IV). The leftmost (most significant) s bits of the output of the
encryption function are XORed with the first segment of plaintext P 1 to produce the first unit of
ciphertext C, which is then transmitted. In addition, the contents of the shift register are shifted left
by s bits and C is placed in the rightmost (least significant) s bits of the shift register. This process
continues until all plaintext units have been encrypted.

For decryption, the same scheme is used, except that the received ciphertext unit is XORed with
the output of the encryption function to produce the plaintext unit.

Let Ss (X) be defined as the most significant s bits of X. Then

C1 = P1⊕ Ss [E(K,IV)]

Therefore,
P1 = C1 ⊕ Ss [E(K, IV)]

SACET

Figure. s-bit Cipher Feedback (CFB) Mode

Output Fee dback Mode:

The output feedback (OFB) mode is similar in structure to that of CFB, as illustrated in Figure. As can
be seen, it is the output of the encryption function that is fed back to the shift register in OFB,
whereas in CFB the ciphertext unit is fed back to the shift register. One advantage of the OFB method
is that bit errors in transmission do not propagate. For example, if a bit error occurs in C1 only the
recovered value of is P1 affected; subsequent plaintext units are not corrupted. With CFB, C1 also
serves as input to the shift register and therefore causes additional corruption downstream. The
disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB.

Figure. s-bit Output Feedback (OFB) Mode

Counter Mode:

In CTR mode a counter, equal to the plaintext block size is used. The only requirement is that the
counter value must be different for each plaintext block that is encrypted. Typically, the counter is
initialized to some value and then incremented by 1 for each subsequent block. For encryption, the
counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; there is
no chaining. For decryption, the same sequence of counter values is used, with each encrypted
counter XORed with a ciphertext block to recover the corresponding plaintext block.

Advantages:

1. Hardware efficiency

2. Software efficiency

3. Preprocessing

4. Random access

5. Provable security

6. Simplicity
Figure. Counter (CTR) Mode