Slide 1
Prepared By: Prof. Ajaykumar T. Shah
Aforajayshahnirma.wordpress.com
Slide 2
Stream Cipher
• A stream cipher is one that encrypts a digital data stream
one bit or one byte at a time.
• Example: the One Time Pad, in which the keystream k_i is as long as the plaintext bit stream p_i.
• If the cryptographic key stream is random, then this cipher is
unbreakable by any means other than acquiring the key
stream.
• However, the key stream must be provided to both users in
advance via some independent and secure channel.
Slide 3
Block Cipher
• A block cipher is one in which a block of plaintext is treated
as a whole and used to produce a cipher text block of equal
length.
• Typically, a block size of 8 or 64 bytes is used.
• As with a stream cipher, the two users share a symmetric encryption key.
• Example: plaintext of 227 bytes with a block size of 16 bytes:
  227 / 16 = 14 full blocks with 3 bytes remaining.
• Total blocks: 15, where the last block contains the remaining 3 bytes plus padding bytes.
Slide 4
http://ajpatelit.hpage.com
Slide 5
Difference
Stream Cipher vs. Block Cipher
• Unit of operation: a stream cipher operates on smaller units of plaintext; a block cipher operates on larger blocks of data.
• Speed: a stream cipher is faster than a block cipher; a block cipher is slower than a stream cipher.
• Processing: a stream cipher processes the input elements continuously, producing output one element at a time; a block cipher processes the input one block of elements at a time, producing an output block for each input block.
• Code size: a stream cipher requires less code; a block cipher requires more code.
• Key reuse: in a stream cipher the key is used only once; in a block cipher reuse of the key is possible.
• Example: One Time Pad (stream cipher); DES, the Data Encryption Standard (block cipher).
• Application: SSL, a secure connection on the web (stream cipher); database and file encryption (block cipher).
• Implementation: a stream cipher is more suitable for hardware implementation; a block cipher is easier to implement in software.
Slide 6
General n-bit to n-bit block substitution (figure)
Slide 7
General n-bit to n-bit block substitution (figure)
Slide 8
Feistel Cipher Structure
• Substitution: Each plaintext element or group of elements is
uniquely replaced by a corresponding cipher text element or
group of elements.
• Permutation: A sequence of plaintext elements is replaced by a permutation of that sequence. That is, no elements are added, deleted or replaced; rather, the order in which the elements appear in the sequence is changed.
Slide 9
Feistel Cipher Structure cont…
Parameters and Design Features
I. Block Size: a larger block gives greater security but reduces speed; a 64-bit block is the normal choice in block ciphers.
II. Key Size: a larger key gives greater security but reduces speed; the default key length is 128 bits.
III. Number of Rounds: security increases with the number of rounds; a typical choice is 16 rounds.
IV. Subkey generation
V. Round Function
Slide 10
Slide 11
Slide 12
Diffusion and Confusion
Diffusion
• To make the statistical relationship between the plaintext
and cipher text as complex as possible in order to thwart
attempts to discover the key.
• Can be achieved by a Permutation followed by a function
Confusion
• To make the relationship between the statistics of the cipher
text and the value of the encryption key as complex as
possible to thwart attempts to discover the key.
• Can be achieved by a Substitution.
Slide 13
Data Encryption Standard (DES)
• DES Encryption
Initial Permutation
Details of Single Round
Key Generation
• The Avalanche Effect
Slide 14
Slide 15
Initial Permutation
The permutation:
• X = IP(M)
The inverse permutation:
• Y = IP^-1(X) = IP^-1(IP(M)) = M
• The original ordering is restored.
Slide 16
Single Round
F function
• R(i-1) is expanded to 48 bits using E.
• The result is XORed with the 48-bit round key.
• The 48-bit result is substituted by a 32-bit value (S-boxes).
• The 32-bit result is permuted by P.
Slide 17
E-Step
• First divide the 32-bit block into eight 4-bit
words.
• Attach an additional bit on the left to each
4-bit word that is the last bit of the previous
4-bit word.
• Attach an additional bit to the right of each
4-bit word that is the beginning bit of the
next 4-bit word.
Slide 18
E-Step Cont…
Expansion E
• 32 bits → 48 bits
• 16 bits are reused.
Permutation P
Slide 19
E-Step with S Boxes Cont…
Substitution
• 48 bits → 32 bits
• 8 S-boxes
• Each S-box gets 6 bits and outputs 4 bits.
Slide 20
Single Round of DES Algorithm
Slide 21
S-Boxes
Slide 22
S-Boxes
Slide 23
Working of S-Boxes
I. Outer bits 1 & 6 (row bits) select one of the four rows.
II. Inner bits 2-5 (column bits) select one of the 16 columns; the entry found there is substituted for the input.
Example: Input: 011001
• The row is 01 (row 1)
• The column is 1100 (column 12)
• Output is 1001
Slide 24
Key Generation
• A 64-bit key is used as input; every 8th bit is ignored, so the effective key is 56 bits.
• PC1 permutes the 56 bits into two 28-bit halves.
Slide 25
DES Decryption
Decryption uses the same algorithm as encryption.
I. Feistel cipher structure
II. Round key schedule is reversed.
Slide 26
The Avalanche Effect
A small change of plaintext or key produces a
significant change in the cipher text.
DES exhibits a strong avalanche effect.
Slide 27
The Avalanche Effect cont…
Example
Slide 28
The Avalanche Effect cont…
Example
Slide 29
The Strength of DES
The Use of 56-bit keys
The Nature of the DES Algorithm
Timing Attacks
Slide 30
The Use of 56-bit Keys
• With a 56-bit key there are 2^56 ≈ 7.2 x 10^16 keys.
• A single machine performing one DES encryption per microsecond would take more than 1000 years to break the cipher, so a brute-force attack appears impractical.
• Diffie and Hellman: the same search could be done in 10 hours with a parallel machine of 1 million devices, but the cost of building it was too high ($20 million).
• In 1998, the Electronic Frontier Foundation (EFF) announced the 'DES cracker', which can attack DES in 3 days.
• It was built for less than $250,000.
• The EFF has published a detailed description of the machine, enabling others to build their own crackers (making DES virtually worthless).
Slide 31
Strength…
• Recognizing the plaintext (needed to tell when a trial key is correct):
  Plain English only - easily automated
  Compressed before encryption - difficult to automate
  Data with numeric values - more difficult to automate
• To supplement a brute-force attack, some degree of knowledge about the plaintext is required.
• EFF addressed the alternatives to DES: AES (key size 128 ~ 256 bits) and triple DES (112 ~ 168 bits).
Slide 32
Nature of DES
• Cryptanalysis is attempted by finding characteristics of the DES algorithm.
• The logic of the S-boxes is complex to learn.
• No weakness of the S-boxes has been discovered.
Slide 33
Block Cipher Design Principles
Criteria for S-Boxes.
1. No output bit of any S-box should be too close to a linear function of the input bits. Specifically, if we select any output bit and any subset of the six input bits, the fraction of inputs for which this output bit equals the XOR of these input bits should not be close to 0 or 1, but rather should be near 1/2.
2. Each row of an S-box should include all 16 possible output
bit combinations.
3. If two inputs to an S-box differ in exactly one bit, the outputs
must differ in at least two bits.
Slide 34
Block Cipher Design Principles
4. If two inputs to an S-box differ in the two middle bits exactly,
the outputs must differ in at least two bits.
5. If two inputs to an S-box differ in their first two bits and are
identical in their last two bits, the two outputs must not be
the same.
6. For any nonzero 6-bit difference between inputs, no more
than eight of the 32 pairs of inputs exhibiting that difference
may result in the same output difference.
7. This is a criterion similar to the previous one, but for the case
of three S-boxes.
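As an added example (not part of the slides): the expansion rule from the E-Step slide, the S-box lookup worked on the Working of S-Boxes input 011001, and checks of criteria 1-3 above against DES S-box S1 (the standard table; the function names are my own):

```python
# DES S-box S1 (standard table, 4 rows x 16 columns).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def build_expansion_table():
    """E table (1-based positions of the 32 input bits, 48 entries) built from the
    E-Step rule: split into eight 4-bit words, prefix each with the last bit of the
    previous word and suffix it with the first bit of the next word, wrapping around."""
    table = []
    for w in range(8):
        first = 4 * w + 1                       # first bit of this word
        table.append((first - 2) % 32 + 1)      # last bit of previous word (wraps to 32)
        table.extend(range(first, first + 4))   # the word itself
        table.append((first + 3) % 32 + 1)      # first bit of next word (wraps to 1)
    return table


def expand(r32):
    """Apply E to a 32-bit integer (bit 1 = MSB), giving a 48-bit integer."""
    out = 0
    for pos in build_expansion_table():
        out = (out << 1) | ((r32 >> (32 - pos)) & 1)
    return out


def sbox_lookup(sbox, six_bits):
    """Slide rule: outer bits 1 and 6 pick the row, inner bits 2-5 pick the column."""
    if len(six_bits) != 6 or set(six_bits) - {"0", "1"}:
        raise ValueError("input must be a 6-character bit string")
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return format(sbox[row][col], "04b")


def _sbox_int(sbox, x):
    """Same lookup on a 6-bit integer (bit 5 = input bit 1, bit 0 = input bit 6)."""
    return sbox[((x >> 5) & 1) << 1 | (x & 1)][(x >> 1) & 0xF]


def rows_are_permutations(sbox):
    """Criterion 2: each row contains all 16 possible 4-bit outputs."""
    return all(sorted(row) == list(range(16)) for row in sbox)


def one_bit_change_flips_two(sbox):
    """Criterion 3: inputs differing in exactly one bit give outputs differing in >= 2 bits."""
    return all(bin(_sbox_int(sbox, x) ^ _sbox_int(sbox, x ^ (1 << i))).count("1") >= 2
               for x in range(64) for i in range(6))


def max_linear_bias(sbox):
    """Criterion 1: over every output bit and every non-empty subset of input bits,
    how far the agreement fraction strays from 1/2 (0 is ideal, 1/2 means linear)."""
    worst = 0.0
    for out_bit in range(4):
        for mask in range(1, 64):
            agree = sum((bin(x & mask).count("1") & 1) == ((_sbox_int(sbox, x) >> out_bit) & 1)
                        for x in range(64))
            worst = max(worst, abs(agree / 64 - 0.5))
    return worst
```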
Slide 35
Cipher Block Modes of Operations
Electronic Code Book (ECB)
Cipher Block Chaining Mode (CBC)
Cipher Feedback Mode (CFB)
Counter Mode
Slide 36
Electronic Code Book (ECB)
Plaintext is handled one block at a time and each block of plaintext is encrypted using the same key. The term codebook is used because, for a given key, there is a unique cipher text for every possible plaintext block. Therefore, we can imagine a gigantic codebook in which there is an entry for every possible plaintext block showing its corresponding cipher text.
Slide 37
Slide 38
Electronic Code Book (ECB)
• The ECB method is ideal for a short amount of data, such as an encryption key. Thus, if you want to transmit a DES or AES key securely, ECB is the appropriate mode to use.
• The most significant characteristic of ECB is that if the same block of plaintext appears more than once in the message, it always produces the same cipher text.
• For lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.
Slide 39
Cipher Block Chaining Mode (CBC)
A simple way to satisfy the requirement that repeated plaintext blocks do not produce repeated cipher text blocks is the cipher block chaining (CBC) mode.
In this scheme, the input to the encryption algorithm is the XOR
of the current plaintext block and the preceding cipher text
block; the same key is used for each block.
For decryption, each cipher block is passed through the
decryption algorithm. The result is XORed with the preceding
cipher text block to produce the plaintext block. To see that this
works, we can write
Slide 40
Initialization Vector (figure)
Slide 41
Cipher Feedback Mode (CFB)
• The input to the encryption function is a shift register of the cipher's block size that is initially set to some initialization vector (IV).
• The leftmost (most significant) s bits of the output of the encryption function are XORed with the first s-bit segment of plaintext P1 to produce the first unit of cipher text C1, which is then transmitted.
• In addition, the contents of the shift register are shifted left by s bits, and C1 is placed in the rightmost (least significant) s bits of the shift register. This process continues until all plaintext units have been encrypted.
Slide 42
Cipher Feedback Mode (CFB)
Slide 43
Cipher Feedback Mode (CFB)
Slide 44
Counter Mode
The counter is encrypted and then XORed with the plaintext
block to produce the cipher text block; there is no chaining.
For decryption, the same sequence of counter values is used,
with each encrypted counter XORed with a cipher text block to
recover the corresponding plaintext block. Thus, the initial
counter value must be made available for decryption.
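An added example, not from the slides, of the four modes described on the ECB, CBC, CFB and Counter Mode slides. The block function is a constructed 64-bit toy permutation standing in for DES (it is not a real cipher); the modes, the padding and the repeated-block check are the point:

```python
# Added example: ECB, CBC, CFB and Counter mode over a pluggable 64-bit block
# function, plus a repeated-block check that exposes ECB's leakage.
# The block function is a constructed toy permutation, NOT a real cipher.
BLOCK = 8                          # block size in bytes (64 bits, like DES)
MASK64 = (1 << 64) - 1
ROUND_CONST = 0x9E3779B97F4A7C15   # arbitrary odd constant for the toy permutation

def _rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64

def toy_encrypt(key, block):
    """Toy keyed permutation standing in for DES: xor key, rotate, add, four times."""
    x, k = int.from_bytes(block, "big"), int.from_bytes(key, "big")
    for r in range(4):
        x = (_rotl(x ^ k, 13) + ROUND_CONST + r) & MASK64
    return x.to_bytes(BLOCK, "big")

def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt; only ECB and CBC decryption need it."""
    x, k = int.from_bytes(block, "big"), int.from_bytes(key, "big")
    for r in reversed(range(4)):
        x = _rotl((x - ROUND_CONST - r) & MASK64, 64 - 13) ^ k   # rotate right 13
    return x.to_bytes(BLOCK, "big")

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(data):
    """PKCS#7-style: the last block ends with n bytes of value n (1 <= n <= BLOCK)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(key, pt):
    """Each block encrypted independently: equal plaintext blocks give equal cipher text."""
    return b"".join(toy_encrypt(key, b) for b in _blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_decrypt(key, b) for b in _blocks(ct)))

def cbc_encrypt(key, iv, pt):
    """Block input is plaintext XOR the preceding cipher text block; the IV starts the chain."""
    out, prev = [], iv
    for b in _blocks(pad(pt)):
        prev = toy_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    """Decrypt each block, then XOR with the preceding cipher text block."""
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(toy_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))

def cfb(key, iv, data, s=1, decrypt=False):
    """CFB with s-byte segments (the slide's s bits, taken in whole bytes). The shift
    register starts as the IV; the leftmost s bytes of its encryption are XORed with
    the segment, then the register shifts left by s bytes and the cipher text enters
    on the right. Only the block ENCRYPT function is used, so decryption is the same
    loop with the received cipher text fed into the register."""
    reg, out = iv, []
    for i in range(0, len(data), s):
        seg = data[i:i + s]
        res = _xor(seg, toy_encrypt(key, reg)[:len(seg)])
        out.append(res)
        reg = (reg + (seg if decrypt else res))[-BLOCK:]
    return b"".join(out)

def ctr_crypt(key, counter, data):
    """Counter mode: XOR data with E(counter), E(counter+1), ...; no chaining, no
    padding, and the same call decrypts. The initial counter must be shared."""
    out = []
    for i, b in enumerate(_blocks(data)):
        ks = toy_encrypt(key, ((counter + i) & MASK64).to_bytes(BLOCK, "big"))
        out.append(_xor(b, ks[:len(b)]))
    return b"".join(out)

def repeated_blocks(ct):
    """Index pairs of identical cipher text blocks: under ECB they reveal repeated plaintext."""
    bl = _blocks(ct)
    return [(i, j) for i in range(len(bl)) for j in range(i + 1, len(bl)) if bl[i] == bl[j]]
```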
Slide 45
Counter Mode
Slide 46
Counter Mode
Slide 47
Cryptanalytic Attacks.
Ciphertext-only attack
Known-plaintext attack
Chosen-plaintext attack
Adaptive chosen plaintext attack
Slide 48
Ciphertext only attack
• The cryptanalyst has the cipher text of several messages, all of which have been encrypted using the same encryption algorithm.
• The analyst's job is to recover the plaintext of one or more messages from their encryptions.
• Better yet, to deduce the key used to encrypt the messages, in order to decrypt other messages encrypted with the same key.
Slide 49
Known Plaintext attack
• The cryptanalyst has access not only to the cipher text of several messages, but also to the plaintext of those messages.
• The job is to deduce the key used to encrypt the messages,
• or an algorithm to decrypt any new messages encrypted with the same key.
• It is also referred to as a probable-word attack.
Slide 50
Chosen Plaintext attack
• This is more powerful than a known plaintext attack because the cryptanalyst can choose specific plaintext blocks to encrypt.
• The cryptanalyst not only has access to the ciphertext and
associated plaintext for several messages, but he also
chooses the plaintext that gets encrypted.
Slide 51
Adaptive Chosen Plaintext attack
• Not only can the cryptanalyst choose the plaintext that is encrypted, but he can also modify his choice based on the result of the previous encryption.
• In a plain chosen plaintext attack, by contrast, the cryptanalyst might only be able to choose one large block of plaintext to be encrypted.
Slide 52
Double DES
The simplest form of multiple encryption has two encryption
stages and two keys. Given a plaintext P and two encryption
keys K1 and K2, ciphertext C is generated as
C = E(K2, E(K1, P))
Decryption requires that the keys be applied in reverse order:
P = D(K1, D(K2, C))
Slide 53
Triple DES
Triple DES has three encryption stages and three keys. Given a plaintext P and three encryption keys K1, K2 and K3, ciphertext C is generated as
C = E(K3, D(K2, E(K1, P)))
Decryption applies the inverse operations in reverse order:
P = D(K1, E(K2, D(K3, C)))
Slide 54
International Data Encryption Algorithm
• IDEA is a block cipher.
• Works on 64-bit plaintext blocks.
• The key is longer and consists of 128 bits.
• IDEA uses diffusion and confusion for encryption.
• Plaintext = 64 bits, split into 4 blocks of 16 bits each: Plaintext = (p1, p2, p3, p4)
• Eight rounds in the algorithm; 6 subkeys are generated for each such round from the original key.
Slide 55
Block Diagram (figure): the 64-bit input plaintext is split into P1, P2, P3, P4 (16 bits each); Round 1 uses subkeys K1 to K6, Round 2 uses K7 to K12, ..., Round 8 uses K43 to K48; the Output Transformation uses K49 to K52 and yields the 64-bit ciphertext as C1, C2, C3, C4 (16 bits each).
Slide 56
Details of Single Round in IDEA
Step 1: Multiply P1 and K1 (P1 * K1)
Step 2: Add P2 and K2 (P2 + K2)
Step 3: Add P3 and K3 (P3 + K3)
Step 4: Multiply P4 and K4 (P4 * K4)
Step 5: XOR the results of step 1 and step 3
Step 6: XOR the results of step 2 and step 4
Step 7: Multiply the result of step 5 with K5
Step 8: Add the results of step 6 and step 7
Step 9: Multiply the result of step 8 with K6
Step 10: Add the results of step 7 and step 9
Step 11: XOR the results of step 1 and step 9
Step 12: XOR the results of step 3 and step 9
Step 13: XOR the results of step 2 and step 10
Step 14: XOR the results of step 4 and step 10
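An added example, not from the slides: the 14 steps above as one IDEA round over 16-bit words, together with the IDEA multiplication rule (the word 0 stands for 2^16) and the subkey inverse that decryption relies on. The key schedule producing K1 to K52 is not on the slides and is not implemented; function names are my own.

```python
# Added example: one IDEA round from the 14-step list, on 16-bit words.
MASK16 = 0xFFFF
MOD_MUL = 0x10001   # 2^16 + 1, a prime, so every non-zero word has an inverse


def mul(a, b):
    """IDEA multiplication modulo 2^16 + 1; the 16-bit value 0 represents 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    r = (a * b) % MOD_MUL
    return 0 if r == 0x10000 else r


def add(a, b):
    """IDEA addition modulo 2^16."""
    return (a + b) & MASK16


def mul_inv(a):
    """Inverse under mul(); IDEA decryption derives its multiplicative subkeys this way."""
    if a == 0:
        return 0                  # 2^16 is -1 mod 2^16+1, hence its own inverse
    return pow(a, MOD_MUL - 2, MOD_MUL)


def split_words(block):
    """64-bit plaintext block -> (P1, P2, P3, P4), 16 bits each, big-endian."""
    return tuple(int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))


def join_words(words):
    return b"".join(w.to_bytes(2, "big") for w in words)


def idea_round(p, k):
    """p = (P1, P2, P3, P4); k = (K1, ..., K6), the six subkeys of this round."""
    p1, p2, p3, p4 = p
    k1, k2, k3, k4, k5, k6 = k
    s1 = mul(p1, k1)          # step 1
    s2 = add(p2, k2)          # step 2
    s3 = add(p3, k3)          # step 3
    s4 = mul(p4, k4)          # step 4
    s5 = s1 ^ s3              # step 5
    s6 = s2 ^ s4              # step 6
    s7 = mul(s5, k5)          # step 7
    s8 = add(s6, s7)          # step 8
    s9 = mul(s8, k6)          # step 9
    s10 = add(s7, s9)         # step 10
    # Steps 11-14. In full IDEA the two middle output words are swapped before the
    # next round (except after round 8); the slide's step list does not mention this.
    return (s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10)
```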
Slide 57
Structure of Single Round in IDEA (figure): inputs P1, P2, P3, P4 pass through the XOR, multiplication and addition operations to give outputs C1, C2, C3, C4.
Slide 58
Strength of IDEA
• IDEA uses a 128-bit key, which is double the key size of DES.
• Thus, to break IDEA, 2^128 (i.e. about 10^38) encryption operations would be required.
• As before, even if we assume that only half of the possible keys need to be examined and tried out to obtain the correct key, a single computer performing one IDEA encryption per microsecond would require more than 5400000000000000000000000 (5.4 x 10^24) years to break IDEA!
Slide 59
RC
• RC4 was designed by Ron Rivest of RSA Security in 1987.
• RC4 is known as “Rivest Cipher 4”.
• RC5 is the modified version of RC4.
  o Word size in bits (encrypts 2-word blocks at a time): 16, 32, 64
  o No. of rounds: 0-255
  o No. of 8-bit bytes in the key: 0-255
Slide 60
RC5
• RC5 uses only primitive computer operations such as addition, subtraction, XOR, shift, etc.
• RC5 requires less memory for execution and is therefore suitable not only for desktop computers but also for smart cards and other devices that have a small memory capacity.
Parameter: Allowed Values
• Word size in bits (RC5 encrypts 2 words at a time): 16, 32, 64
• Number of rounds: 0-255
• Number of 8-bit bytes in the key: 0-255
Slide 61
Encryption using RC5
Slide 62
Key Generation in RC5
Slide 63
BLOWFISH
Blowfish was designed with the following objectives:
FAST: Blowfish's encryption rate on 32-bit microprocessors is 26 clock cycles per byte.
COMPACT: Blowfish can execute in less than 5 KB of memory.
SIMPLE: Blowfish uses only primitive operations, such as addition, XOR, and table lookup, making its design and implementation simple.
SECURE: Blowfish has a variable key length up to a maximum of 448 bits, making it both flexible and secure.
Slide 64
BLOWFISH Encryption
Slide 65
Function F in Blowfish
Slide 66
Advanced Encryption Standard
AES Evaluation
• Security:
I. Actual security compared to the other submitted candidates.
II. Randomness: the extent to which the algorithm's output is indistinguishable from a random permutation of the input block.
III. Soundness of the mathematical basis for the algorithm's security.
Slide 67
Advanced Encryption Standard
• Cost:
I. Licensing requirements: when the AES is issued, the algorithm specified as the AES shall be available on a worldwide, non-exclusive, royalty-free basis.
II. Computational efficiency: the evaluation of computational efficiency will be applicable to both hardware and software implementations.
III. Memory requirements: the memory required to implement the algorithm in hardware and software will be considered.
Slide 68
Advanced Encryption Standard
• Algorithm and implementation characteristics: this category includes a variety of considerations, including flexibility; suitability for a variety of hardware and software implementations; and simplicity, which will make an analysis of security more straightforward.
Slide 69
Advanced Encryption Standard
• General security
• Software implementations
• Restricted-space environments
• Hardware implementations
• Attacks on implementations
• Encryption versus decryption
• Key agility
• Other versatility and flexibility
• Potential for instruction-level parallelism
Slide 70
AES Encryption Process (figure showing the State array)
Slide 71
AES Round Contains
I. Byte Substitution
II. Row Shift
III. Column Mixing
IV. Round Key Addition
Slide 72
AES Data Structure
Slide 73
AES Data Structure
Slide 74
AES Encryption and Decryption (figure)
Slide 75
Slide 76
AES Byte-Level Operations (figure)
Slide 77
Shift Row Transformation
AES Row and Column Operations
Slide 78
Shift Column Transformation
Slide 79
Random Number
A number of network security algorithms and protocols based on
cryptography make use of random binary numbers:
• Key distribution and reciprocal authentication schemes
• Session key generation
• Generation of keys for the RSA public-key encryption
algorithm
• Generation of a bit stream for symmetric stream encryption
There are two distinct requirements for a sequence of random numbers:
• Randomness
• Unpredictability
Slide 80
Randomness
The generation of a sequence of allegedly random numbers
being random in some well-defined statistical sense has been
a concern
Two criteria are used to validate that a sequence of
numbers is random:
Uniform distribution
• The frequency of occurrence of ones and zeros should be
approximately equal
Independence
• No one subsequence in the sequence can be inferred from the others
Slide 81
Unpredictability
The requirement is not just that the sequence of numbers be
statistically random, but that the successive members of the
sequence are unpredictable
With “true” random sequences each number is statistically
independent of other numbers in the sequence and therefore
unpredictable
True random numbers have their limitations, such as inefficiency,
so it is more common to implement algorithms that generate
sequences of numbers that appear to be random
Care must be taken that an opponent not be able to predict
future elements of the sequence on the basis of earlier elements
Slide 82
Pseudorandom numbers
Cryptographic applications typically make use of algorithmic
techniques for random number generation.
These algorithms are deterministic and therefore produce
sequences of numbers that are not statistically random.
If the algorithm is good, the resulting sequences will pass many
reasonable tests of randomness. Such numbers are referred to
as pseudorandom numbers.
Slide 83
True Random Number Generator (TRNG)
A TRNG takes as input a source that is effectively random; the
source is often referred to as an entropy source.
In essence, the entropy source is drawn from the physical
environment of the computer and could include things such as
keystroke timing patterns, disk electrical activity, mouse
movements, and instantaneous values of the system clock.
The source, or combination of sources, serves as input to an algorithm that produces random binary output.
The TRNG may simply involve conversion of an analog source to a binary output, or it may involve additional processing to overcome any bias in the source.
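An added example, not from the slides, with a constructed biased bit source standing in for the physical entropy source: von Neumann debiasing as one form of the "additional processing to overcome bias" mentioned above, and the two randomness criteria from the Randomness slide (uniform distribution, independence) as simple checks. Function names and the bias value are my own choices.

```python
# Added example: debiasing a biased entropy source and checking the two
# randomness criteria (uniform distribution, independence) on the result.
import random


def biased_source(n, p_one, seed):
    """Constructed stand-in for a physical source that emits 1 with probability p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def von_neumann_debias(bits):
    """Take bits in non-overlapping pairs: 01 -> 0, 10 -> 1, 00 and 11 are discarded.
    For independent bits with any fixed bias the surviving bits are exactly unbiased,
    at the cost of throwing most of the input away."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]


def ones_fraction(bits):
    return sum(bits) / len(bits)


def uniform_distribution_ok(bits, tolerance=0.02):
    """Criterion 1: the frequencies of ones and zeros should be approximately equal."""
    return abs(ones_fraction(bits) - 0.5) <= tolerance


def pair_fractions(bits):
    """Fraction of each overlapping 2-bit pattern 00, 01, 10, 11 in the sequence."""
    counts = {"00": 0, "01": 0, "10": 0, "11": 0}
    for a, b in zip(bits, bits[1:]):
        counts[f"{a}{b}"] += 1
    total = max(len(bits) - 1, 1)
    return {k: v / total for k, v in counts.items()}


def independence_ok(bits, tolerance=0.02):
    """Criterion 2 (a crude check): if no bit can be inferred from its predecessor,
    each 2-bit pattern should appear about 1/4 of the time."""
    return all(abs(f - 0.25) <= tolerance for f in pair_fractions(bits).values())


def assess(bits):
    """Summary a practitioner would log for a candidate entropy stream."""
    return {
        "length": len(bits),
        "ones": round(ones_fraction(bits), 3),
        "uniform": uniform_distribution_ok(bits),
        "independent": independence_ok(bits),
    }
```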
Slide 84
True Random Number Generator (TRNG)
Slide 85
Pseudorandom Number Generator (PRNG)
A PRNG takes as input a fixed value, called the seed, and produces a sequence of output bits using a deterministic algorithm. Typically, as shown, there is some feedback path by which some of the results of the algorithm are fed back as input as additional output bits are produced. The important thing to note is that the output bit stream is determined solely by the input value or values, so that an adversary who knows the algorithm and the seed can reproduce the entire bit stream.
Slide 86
Prepared By: Prof. Ajaykumar T. Shah
Aforajayshahnirma.wordpress.com
Slide 2
Stream Cipher
• A stream cipher is one that encrypts a digital data stream
one bit or one byte at a time.
• Examples: One Time Pad.
• In which the keystream ki is as long as the plaintext bit
stream pi .
• If the cryptographic key stream is random, then this cipher is
unbreakable by any means other than acquiring the key
stream.
• However, the key stream must be provided to both users in
advance via some independent and secure channel.
Aforajayshahnirma.wordpress.com
Slide 3
Block Cipher
• A block cipher is one in which a block of plaintext is treated
as a whole and used to produce a cipher text block of equal
length.
• Typically, a block size of 8 or 64 bytes is used.
• As same as stream cipher, the two users share a symmetric
encryption key.
• Plaintext: 227 bytes
Block size: 16 bytes
=227/16 = 14 blocks & 3 bytes
• Total Blocks 15 in which last block contain 3 bytes and
padding bytes
Aforajayshahnirma.wordpress.com
Slide 4
http://ajpatelit.hpage.com
Slide 5
Difference
Stream Cipher
Block Cipher
Stream cipher operates on smaller Units Block cipher operates on larger block of
of Plaintext
data
Faster than block cipher
Slower than Stream Cipher
Stream cipher processes the input Block cipher processes the input one
element continuously producing output block of element at a time, producing an
one element at a time
output block for each input block
Require less code
Requires more code
Only one time of key used.
Reuse of key is possible
Ex: One time pad
Ex: DES (Data Encryption Standard)
Application: SSL (secure connection on Application: Database, file encryption.
the web)
Stream cipher is more suitable for Easier to implement in software.
hardware implementation
Aforajayshahnirma.wordpress.com
Slide 6
Generate n-bit-n-bit block Substitution
Aforajayshahnirma.wordpress.com
Slide 7
Generate n-bit-n-bit block Substitution
Aforajayshahnirma.wordpress.com
Slide 8
Feistel Cipher Structure
• Substitution: Each plaintext element or group of elements is
uniquely replaced by a corresponding cipher text element or
group of elements.
• Permutation: A sequence of plaintext elements is replaced
by a permutation of that sequence. That is, no elements are
added or deleted or replaced in the sequence, rather the
order in which the elements appear in the sequence is
changed.
Aforajayshahnirma.wordpress.com
Slide 9
Feistel Cipher Structure cont…
Parameters and Design Features
I.
Block Size
If Larger block is used security is greater but speed is reduced,
normal 64 bit is used in block cipher method
II. Key Size
If Larger key is used security is greater but speed is reduced,
default key length is 128 bits.
III. Number of Rounds
Security is increased by increasing the no. of rounds but typical
size is 16 rounds.
IV. Subkey generation
V. Round Function
Aforajayshahnirma.wordpress.com
Slide 10
http://ajpatelit.hpage.com
Slide 11
Aforajayshahnirma.wordpress.com
Slide 12
Diffusion and Confusion
Diffusion
• To make the statistical relationship between the plaintext
and cipher text as complex as possible in order to thwart
attempts to discover the key.
• Can be achieved by a Permutation followed by a function
Confusion
• To make the relationship between the statistics of the cipher
text and the value of the encryption key as complex as
possible to thwart attempts to discover the key.
• Can be achieved by a Substitution.
Aforajayshahnirma.wordpress.com
Slide 13
Data Encryption Standard (DES)
• DES Encryption
Initial Permutation
Details of Single Round
Key Generation
• The Avalanche Effect
Aforajayshahnirma.wordpress.com
Slide 14
http://ajpatelit.hpage.com
Slide 15
Initial Permutation
The permutation
• X = IP(M)
The inverse permutation
• Y = IP-1(X) = IP-1(IP(M))
• The original ordering
is restored
Aforajayshahnirma.wordpress.com
Slide 16
Single Round
F function
• Ri-1 is expanded to
48-bits using E.
• The result is XORed
with the 48-bit
round key.
• The 48-bit is
substituted by a
32-bit.
• The 32-bit is
permuted by P.
Slide 17
E-Step
• First divide the 32-bit block into eight 4-bit
words.
• Attach an additional bit on the left to each
4-bit word that is the last bit of the previous
4-bit word.
• Attach an additional bit to the right of each
4-bit word that is the beginning bit of the
next 4-bit word.
Aforajayshahnirma.wordpress.com
Slide 18
E-Step Cont…
Expansion E
• 32 bits 48 bits
• 16 bits are
reused.
Permutation P
Aforajayshahnirma.wordpress.com
Slide 19
E-Step with S Boxes Cont…
Substitution
• 48 bits 32 bits
• 8 S-boxes
• Each S-box get 6 bits and
Output 4 bits.
Aforajayshahnirma.wordpress.com
Slide 20
Single Round of DES Algorithm
http://ajpatelit.hpage.com
Slide 21
S-Boxes
Aforajayshahnirma.wordpress.com
Slide 22
S-Boxes
Aforajayshahnirma.wordpress.com
Slide 23
Working of S-Boxes
I. Outer bits 1 & 6 (rowbits) select one rows
II. Inner bits 2-5 (colbits) are substituted
Example : Input : 011001
• The row is 01 (row 1)
• The column is 1100 (column 12)
• Output is 1001
http://ajpatelit.hpage.com
Slide 24
Key Generation
• A 64-bit key used as input
Every 8th bit is ignored.
Thus, the key is 56 bits.
• PC1 permute 56 bits into
two 28-bit halves.
Aforajayshahnirma.wordpress.com
Slide 25
DES Decryption
Decryption uses the same algorithm as encryption.
I.
Feistel cipher
II. Round key schedule is reversed.
Aforajayshahnirma.wordpress.com
Slide 26
The Avalanche Effect
A small change of plaintext or key produces a
significant change in the cipher text.
DES exhibits a strong avalanche effect.
Aforajayshahnirma.wordpress.com
Slide 27
The Avalanche Effect cont…
Example
Aforajayshahnirma.wordpress.com
Slide 28
The Avalanche Effect cont…
Example
Aforajayshahnirma.wordpress.com
Slide 29
The Strength of DES
The Use of 56-bit keys
The Nature of the DES Algorithm
Timing Attacks
Aforajayshahnirma.wordpress.com
Slide 30
The Use of 56-bits Keys
• If the key length is 56-bit, we have 256= 7.2 x 1016 keys
• A single m/c performing one DES encryption / microsecond
takes more than 1000 yrs to break the cipher. (brute-force
attack becomes impractical)
• Diffie and Hellman - the same can be possible if we
implement it by using parallel m/c with 1 million devices it
takes 10 hours but the cost for developing it is too high ($20
million dollars)
• In 1998, Electronic Frontier Foundation (EFF) announced
‘DES cracker’ which can attack DES in 3 days.
• It was built for less than $250,000.
• EEF has published their detailed description of the M/C ,
enabling others to build their own crackers (making DES
virtually worthless)
Aforajayshahnirma.wordpress.com
Slide 31
Strength…
• Plain text
Only English - easily automated
Has compressed before encryption - difficult to
automate
Data with numeric values - more difficult to
automate
• To supplement brute force attack some degree of
knowledge about plaintext is required.
• EEF addressed an alternatives to DES
AES(key size is 128 ~ 256 bit) and triple DES
(112 ~ 168 bit)
Aforajayshahnirma.wordpress.com
Slide 32
Nature of DES
• Possibilities of cryptanalysis is done by
finding the characteristics of DES Algorithm
• Learning of S-Box logic is complex
• Weakness of S-Box has not been discovered
Aforajayshahnirma.wordpress.com
Slide 33
Block Cipher Design Principles
Criteria for S- Boxes.
1. No output bit of any S-box should be too close a linear
function of the input bits. Specifically, if we select any output
bit and any subset of the six input bits, the fraction of inputs
for which this output bit equals the XOR of these input bits
should not be close to 0 or 1, but rather should be near 1/2.
2. Each row of an S-box should include all 16 possible output
bit combinations.
3. If two inputs to an S-box differ in exactly one bit, the outputs
must differ in at least two bits.
Aforajayshahnirma.wordpress.com
Slide 34
Block Cipher Design Principles
4. If two inputs to an S-box differ in the two middle bits exactly,
the outputs must differ in at least two bits.
5. If two inputs to an S-box differ in their first two bits and are
identical in their last two bits, the two outputs must not be
the same.
6. For any nonzero 6-bit difference between inputs, no more
than eight of the 32 pairs of inputs exhibiting that difference
may result in the same output difference.
7. This is a criterion similar to the previous one, but for the case
of three S-boxes.
Aforajayshahnirma.wordpress.com
Slide 35
Cipher Block Modes of Operations
Electronic Code Book (ECB)
Cipher Block Chaining Mode (CBC)
Cipher Feedback Mode (CFB)
Counter Mode
Aforajayshahnirma.wordpress.com
Slide 36
Electronic Code Book (ECB)
Plaintext is handled one block at a time and each block of
plaintext is encrypted using the same key. The term codebook is
used because, for a given key, there is a unique cipher text for
every bit block of plaintext. Therefore, we can imagine a
gigantic codebook in which there is an entry for every possible bit plaintext pattern showing its corresponding cipher text.
Aforajayshahnirma.wordpress.com
Slide 37
http://ajpatelit.hpage.com
Slide 38
Electronic Code Book (ECB)
• ECB is adequate for a short amount of data that fits in a single block,
such as an encryption key. Thus, if a single DES or AES key is to be
transmitted securely, ECB is an appropriate mode to use.
• The most significant characteristic of ECB is that if the same b-bit
block of plaintext appears more than once in the message, it always
produces the same ciphertext block.
• For lengthy messages, ECB is not secure. If the message is highly
structured, a cryptanalyst can exploit these regularities (repeated,
deleted or reordered blocks) without recovering the key.
Slide 39
Cipher Block Chaining Mode (CBC)
To overcome the weakness of ECB, we would like the same plaintext block,
if repeated, to produce different ciphertext blocks. A simple way to
satisfy this requirement is the cipher block chaining (CBC) mode.
In this scheme, the input to the encryption algorithm is the XOR of the
current plaintext block and the preceding ciphertext block; the same key
is used for each block. The first block is XORed with an initialization
vector (IV), which must be known to both sender and receiver.
For decryption, each cipher block is passed through the decryption
algorithm. The result is XORed with the preceding ciphertext block to
produce the plaintext block. To see that this works, note that decrypting
C_j yields P_j XOR C_(j-1); XORing that with C_(j-1) again recovers P_j.
Slide 40
[Figure: CBC encryption and decryption; the first plaintext block is XORed with the Initialization Vector (IV).]
Slide 41
Cipher Feedback Mode (CFB)
• The input to the encryption function is a b-bit shift register (b is
the block size) that is initially set to some initialization vector (IV).
• The leftmost (most significant) s bits of the output of the encryption
function are XORed with the first s-bit segment of plaintext P1 to
produce the first unit of ciphertext C1, which is then transmitted.
• In addition, the contents of the shift register are shifted left by s
bits, and C1 is placed in the rightmost (least significant) s bits of the
shift register. This process continues until all plaintext units have
been encrypted.
• Decryption uses the same procedure and the encryption function, never
the decryption function: the received ciphertext segment is XORed with
the leftmost s bits of the register output and then shifted into the
register.
Slide 42
Cipher Feedback Mode (CFB)
Slide 43
Cipher Feedback Mode (CFB)
Slide 44
Counter Mode
A counter equal to the plaintext block size is used; it is initialized to
some value and then incremented by 1 for each subsequent block. The
counter is encrypted and then XORed with the plaintext block to produce
the ciphertext block; there is no chaining, so blocks can be processed in
parallel or in any order.
For decryption, the same sequence of counter values is used, with each
encrypted counter XORed with a ciphertext block to recover the
corresponding plaintext block. Thus, the initial counter value must be
made available for decryption. A counter value must never be reused with
the same key: two blocks encrypted under the same counter are XORed with
the same keystream, and XORing the two ciphertexts cancels it out.
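The four modes above (ECB from slides 36 to 38, CBC, CFB and counter mode), as an added example that is not from the slides: each mode is written against one block-encryption function so that the chaining, feedback and counter logic stands out. The block cipher plugged in is a toy Feistel construction over SHA-256 so that the code runs with only the Python standard library; it is an assumption of this example and is not a secure cipher, and the function names, sample key and sample message are constructed here. `ecb_leaks_repeats` shows the ECB regularity described above and that CBC hides it.

```python
"""ECB, CBC, CFB and CTR written against one block-encryption function.

The block cipher is a toy 4-round Feistel network built from SHA-256: it is
invertible with a 16-byte block, which is all the modes need, but it is NOT
secure and exists only so this runs with the standard library. For real
use, plug in AES from a vetted library in its place.
"""
import hashlib

BLOCK = 16


def _xor(a, b):
    # zip truncates to the shorter input, which handles a partial final segment
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_encrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK      # always 1..16 bytes, so unpadding is unambiguous
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    # each block is encrypted independently: equal plaintext blocks give equal ciphertext blocks
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pkcs7_pad(pt)))


def ecb_decrypt(key, ct):
    return pkcs7_unpad(b"".join(toy_decrypt_block(key, b) for b in blocks(ct)))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pkcs7_pad(pt)):
        prev = toy_encrypt_block(key, _xor(b, prev))    # C_i = E(K, P_i XOR C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))   # P_i = D(K, C_i) XOR C_{i-1}
        prev = c
    return pkcs7_unpad(b"".join(out))


def cfb(key, iv, data, decrypt=False):
    """Full-block CFB (s = 128). Only the forward cipher is used, so one
    function serves both directions; the ciphertext segment feeds the register."""
    out, reg = [], iv
    for seg in blocks(data):
        res = _xor(seg, toy_encrypt_block(key, reg))
        out.append(res)
        reg = seg if decrypt else res
    return b"".join(out)


def ctr(key, nonce, data):
    """Counter mode: E(K, nonce + i) is the keystream for block i; encryption
    and decryption are the same operation. Never reuse a (key, counter) pair."""
    start = int.from_bytes(nonce, "big")
    out = []
    for i, seg in enumerate(blocks(data)):
        counter = ((start + i) % (1 << 128)).to_bytes(BLOCK, "big")
        out.append(_xor(seg, toy_encrypt_block(key, counter)))
    return b"".join(out)


def ecb_leaks_repeats(key, iv):
    """(ECB shows the repeat?, CBC shows the repeat?) for a message whose first two blocks are equal."""
    msg = b"ATTACK AT DAWN!!" * 2 + b"then hold the line"     # constructed sample message
    ecb_blocks = blocks(ecb_encrypt(key, msg))
    cbc_blocks = blocks(cbc_encrypt(key, iv, msg))
    return ecb_blocks[0] == ecb_blocks[1], cbc_blocks[0] == cbc_blocks[1]
```

Note that `cfb` and `ctr` never call `toy_decrypt_block`: both turn the block cipher into a stream cipher, and neither needs padding, which is why the CFB and CTR round trips below work on a 43-byte message while ECB and CBC need PKCS#7 padding.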
Slide 45
Counter Mode
Slide 46
Counter Mode
Slide 47
Cryptanalytic Attacks.
Ciphertext-only attack
Known-plaintext attack
Chosen-plaintext attack
Adaptive chosen plaintext attack
Slide 48
Ciphertext only attack
• The cryptanalyst has the ciphertext of several messages, all of which
have been encrypted using the same encryption algorithm (and key), and
nothing else.
• The job is to recover the plaintext of as many messages as possible.
• Better yet, to deduce the key used to encrypt the messages, in order to
decrypt other messages encrypted with the same key.
Slide 49
Known Plaintext attack
• The cryptanalyst has access not only to the ciphertext of several
messages, but also to the plaintext of those messages.
• The job is to deduce the key used to encrypt the messages,
• or an algorithm to decrypt any new messages encrypted with the same
key.
• A variant in which the analyst knows only that certain words (such as
message headers) probably appear in the plaintext is referred to as a
probable word attack.
Slide 50
Chosen Plaintext attack
• This is more powerful than a known plaintext attack because the
cryptanalyst can choose specific plaintext blocks to encrypt.
• The cryptanalyst not only has access to the ciphertext and associated
plaintext for several messages, but also chooses the plaintext that gets
encrypted, which may yield more information about the key.
Slide 51
Adaptive Chosen Plaintext attack
• Not only can the cryptanalyst choose the plaintext that is encrypted,
but he can also modify his choice based on the results of the previous
encryptions.
• In a plain chosen plaintext attack the cryptanalyst might only be able
to choose one large block of plaintext to be encrypted; in the adaptive
variant he can choose a smaller block and then choose the next one based
on the result of the first.
Slide 52
Double DES
The simplest form of multiple encryption has two encryption stages and
two keys. Given a plaintext P and two encryption keys K1 and K2,
ciphertext C is generated as
C = E(K2, E(K1, P))
Decryption requires that the keys be applied in reverse order:
P = D(K1, D(K2, C))
Double DES does not double the effective key length: with one known
plaintext/ciphertext pair, a meet-in-the-middle attack encrypts P under
every K1, decrypts C under every K2 and matches the intermediate values,
recovering the key pair with on the order of 2^56 operations rather than
2^112.
Slide 53
Triple DES
Triple DES uses three encryption stages. In the encrypt-decrypt-encrypt
(EDE) form with three keys K1, K2 and K3, ciphertext C is generated from
plaintext P as
C = E(K3, D(K2, E(K1, P)))
Decryption applies the inverse operations in reverse order:
P = D(K1, E(K2, D(K3, C)))
Using D for the middle stage gives compatibility with single DES: with
K1 = K2 = K3, Triple DES reduces to E(K1, P).
Slide 54
International Data Encryption
Algorithm
• IDEA is a block cipher.
• It works on 64-bit plaintext blocks.
• The key is longer than that of DES and consists of 128 bits.
• IDEA uses diffusion and confusion for encryption, mixing three
operations on 16-bit words: XOR, addition modulo 2^16 and multiplication
modulo 2^16 + 1.
• Plaintext = 64 bits, divided into 4 blocks of 16 bits each:
Plaintext = (p1, p2, p3, p4)
• Eight rounds in the algorithm. Six 16-bit subkeys are generated for
each round from the original key, plus four for the final output
transformation (52 subkeys in total).
Slide 55
B
L
O
C
K
Input Plaintext(64 bits)
P1 (16 bits) P2 (16 bits)
P3 (16 bits)
P4 (16 bits)
K1
Round 1
K6
K7
Round 2
K12
D
I
A
G
R
A
M
. . .
K43
Round 8
K48
K49
Output Transformation
K52
C1 (16 bits) C2 (16 bits)
C3 (16 bits)
Input Ciphertext(64 bits)
C4 (16 bits)
Slide 56
Details of Single Round in IDEA
(* is multiplication modulo 2^16 + 1 with 0 standing for 2^16, + is
addition modulo 2^16; all values are 16-bit words)
Step 1: Multiply P1 and K1 (P1 * K1)
Step 2: Add P2 and K2 (P2 + K2)
Step 3: Add P3 and K3 (P3 + K3)
Step 4: Multiply P4 and K4 (P4 * K4)
Step 5: XOR the results of step 1 and step 3
Step 6: XOR the results of step 2 and step 4
Step 7: Multiply the result of step 5 with K5
Step 8: Add the results of step 6 and step 7
Step 9: Multiply the result of step 8 with K6
Step 10: Add the results of step 7 and step 9
Step 11: XOR the results of step 1 and step 9
Step 12: XOR the results of step 3 and step 9
Step 13: XOR the results of step 2 and step 10
Step 14: XOR the results of step 4 and step 10
The results of steps 11, 12, 13 and 14 are the four 16-bit words passed
to the next round.
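The round above, together with the output transformation and the subkey generation from the block diagram, as an added Python implementation of IDEA (this is not the slides' own code). The subkey numbering follows the diagram (K1..K6 for round 1, K49..K52 for the output transformation), the round function is written step by step with the slide's numbering, and the result is checked against the published IDEA test vector (key 0001 0002 ... 0008, plaintext 0000 0001 0002 0003, ciphertext 11FB ED2B 0198 6DE5). Function names are this example's own.

```python
"""IDEA: the 14-step round above, the output transformation and the key schedule.

All values are 16-bit words. XOR, addition mod 2^16 and multiplication
mod 2^16 + 1 (with 0 standing for 2^16) are the slide's XOR, + and *.
"""
ROUNDS = 8


def mul(a, b):
    """Multiplication modulo 65537 on 16-bit words, 0 representing 65536."""
    a = a or 0x10000
    b = b or 0x10000
    return (a * b % 0x10001) & 0xFFFF


def add(a, b):
    return (a + b) & 0xFFFF


def mul_inv(a):
    return 0 if a == 0 else pow(a, -1, 0x10001) & 0xFFFF


def add_inv(a):
    return -a & 0xFFFF


def encryption_subkeys(key):
    """K1..K52: eight 16-bit words from the 128-bit key, then rotate the key
    left by 25 bits and take the next eight, until 52 have been produced."""
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def decryption_subkeys(ek):
    """Inverse subkeys. Round 1 of decryption inverts the output transformation;
    rounds 2 to 8 swap the two additive inverses because of the inner-word swap."""
    dk = [mul_inv(ek[48]), add_inv(ek[49]), add_inv(ek[50]), mul_inv(ek[51]), ek[46], ek[47]]
    for r in range(1, ROUNDS):
        e = 6 * (ROUNDS - r)          # first key of the encryption round being undone
        dk += [mul_inv(ek[e]), add_inv(ek[e + 2]), add_inv(ek[e + 1]), mul_inv(ek[e + 3]),
               ek[e - 2], ek[e - 1]]
    dk += [mul_inv(ek[0]), add_inv(ek[1]), add_inv(ek[2]), mul_inv(ek[3])]
    return dk


def idea_round(p1, p2, p3, p4, k):
    """One round; comments give the slide's step numbers. k = the round's six subkeys."""
    s1 = mul(p1, k[0])                 # 1
    s2 = add(p2, k[1])                 # 2
    s3 = add(p3, k[2])                 # 3
    s4 = mul(p4, k[3])                 # 4
    s5 = s1 ^ s3                       # 5
    s6 = s2 ^ s4                       # 6
    s7 = mul(s5, k[4])                 # 7
    s8 = add(s6, s7)                   # 8
    s9 = mul(s8, k[5])                 # 9
    s10 = add(s7, s9)                  # 10
    return s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10   # 11, 12, 13, 14 (inner words end up swapped)


def idea_block(block, subkeys):
    """Eight rounds followed by the output transformation with K49..K52."""
    x = [int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2)]
    for r in range(ROUNDS):
        x = list(idea_round(*x, subkeys[6 * r:6 * r + 6]))
    w1, w2, w3, w4 = x
    k = subkeys[48:52]
    # the output transformation undoes the last round's swap: it acts on (w1, w3, w2, w4)
    out = [mul(w1, k[0]), add(w3, k[1]), add(w2, k[2]), mul(w4, k[3])]
    return b"".join(w.to_bytes(2, "big") for w in out)


def idea_encrypt(key, block):
    return idea_block(block, encryption_subkeys(key))


def idea_decrypt(key, block):
    return idea_block(block, decryption_subkeys(encryption_subkeys(key)))
```

Decryption reuses `idea_block` unchanged; only the subkeys differ, which is the practical consequence of building the round from operations that are their own inverses (XOR) or have cheap inverses (additive and multiplicative inverses mod 2^16 and 2^16 + 1).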
Slide 57
Structure of Single Round in IDEA
[Figure: P1, P2, P3 and P4 pass through the network of XOR, MULTIPLICATION and ADD operations to give C1, C2, C3 and C4.]
Slide 58
Strength of IDEA
• IDEA uses a 128-bit key, which is more than double the 56-bit key size
of DES.
• Thus, to break IDEA by brute force, 2^128 (about 3.4 × 10^38)
encryption operations would be required.
• As before, even if we assume that to obtain the correct key only half
of the possible keys need to be examined and tried out, a single
computer performing one IDEA encryption per microsecond would require
more than 5.4 × 10^24 years to break IDEA.
Slide 59
RC
• RC4 was designed by Ron Rivest of RSA Security in 1987.
• RC4 is known as "Rivest Cipher 4"; it is a stream cipher.
• RC5 (Rivest, 1994) is a separate design by the same author: a
parameterized block cipher, not a modified version of RC4. Its
parameters are listed on the next slide.
Slide 60
RC5
• RC5 uses only primitive computer operations such as addition,
subtraction, XOR and data-dependent rotation (shift).
• RC5 requires little memory for execution and is therefore suitable not
only for desktop computers but also for smart cards and other devices
that have a small memory capacity.
Parameter: Allowed values
Word size w in bits (RC5 encrypts a block of two words, i.e. 2w bits): 16, 32, 64
Number of rounds r: 0-255
Number of 8-bit bytes in the key b: 0-255
A particular choice is written RC5-w/r/b, for example RC5-32/12/16.
Slide 61
Encryption using RC5
Slide 62
Key Generation in RC5
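The key expansion and the encryption loop from these two slides, as an added Python implementation of RC5 (not the slides' own code), parameterised by w, r and b exactly as in the table on slide 60 and checked against the RC5-32/12/16 test vector from Rivest's RC5 paper (all-zero key and plaintext encrypt to 21 A5 DB EE 15 4B 8F 6D, with words loaded little-endian). The class and method names are this example's own.

```python
"""RC5-w/r/b: key expansion, encryption and decryption, parameterised as in
the table above (word size w, rounds r, key bytes b)."""

# Magic constants P_w and Q_w from the RC5 specification for each allowed word size.
P = {16: 0xB7E1, 32: 0xB7E15163, 64: 0xB7E151628AED2A6B}
Q = {16: 0x9E37, 32: 0x9E3779B9, 64: 0x9E3779B97F4A7C15}


class RC5:
    def __init__(self, key, w=32, r=12):
        if w not in P or not 0 <= r <= 255 or not 0 <= len(key) <= 255:
            raise ValueError("w must be 16, 32 or 64; r and key length 0..255")
        self.w, self.r = w, r
        self.mask = (1 << w) - 1
        self.S = self._expand(key)

    def _rotl(self, x, y):
        y %= self.w                      # data-dependent rotation amount is taken mod w
        return ((x << y) | (x >> (self.w - y))) & self.mask

    def _rotr(self, x, y):
        y %= self.w
        return ((x >> y) | (x << (self.w - y))) & self.mask

    def _expand(self, key):
        """Key generation: fill S from P and Q, then mix the key words L into it."""
        w, r = self.w, self.r
        u = w // 8                                       # bytes per word
        c = max(1, -(-len(key) // u))                    # words needed for the key
        L = [0] * c
        for i in reversed(range(len(key))):             # little-endian key bytes into L
            L[i // u] = ((L[i // u] << 8) + key[i]) & self.mask
        t = 2 * (r + 1)
        S = [(P[w] + i * Q[w]) & self.mask for i in range(t)]   # key-independent fill
        A = B = i = j = 0
        for _ in range(3 * max(t, c)):                   # mix the secret key into S
            A = S[i] = self._rotl((S[i] + A + B) & self.mask, 3)
            B = L[j] = self._rotl((L[j] + A + B) & self.mask, A + B)
            i, j = (i + 1) % t, (j + 1) % c
        return S

    def _words(self, data):
        u = self.w // 8
        return int.from_bytes(data[:u], "little"), int.from_bytes(data[u:2 * u], "little")

    def _bytes(self, a, b):
        u = self.w // 8
        return a.to_bytes(u, "little") + b.to_bytes(u, "little")

    def encrypt_block(self, block):
        """One 2w-bit block: pre-whitening with S[0], S[1], then r rounds."""
        A, B = self._words(block)
        A = (A + self.S[0]) & self.mask
        B = (B + self.S[1]) & self.mask
        for i in range(1, self.r + 1):
            A = (self._rotl(A ^ B, B) + self.S[2 * i]) & self.mask
            B = (self._rotl(B ^ A, A) + self.S[2 * i + 1]) & self.mask
        return self._bytes(A, B)

    def decrypt_block(self, block):
        """The rounds undone in reverse order, then the pre-whitening removed."""
        A, B = self._words(block)
        for i in range(self.r, 0, -1):
            B = self._rotr((B - self.S[2 * i + 1]) & self.mask, A) ^ A
            A = self._rotr((A - self.S[2 * i]) & self.mask, B) ^ B
        return self._bytes((A - self.S[0]) & self.mask, (B - self.S[1]) & self.mask)
```

The same class runs RC5-16 and RC5-64 by changing `w`; the expanded table `S` has 2(r + 1) words, so the memory footprint the slide mentions is set entirely by the round count.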
Slide 63
BLOWFISH
Blowfish was designed with the following objectives:
FAST: Blowfish encrypts on 32-bit microprocessors at a rate of 26 clock
cycles per byte.
COMPACT: Blowfish can execute in less than 5 KB of memory.
SIMPLE: Blowfish uses only primitive operations, such as addition, XOR
and table lookup, making its design and implementation simple.
SECURE: Blowfish has a variable key length up to a maximum of 448 bits,
making it both flexible and secure.
Slide 64
BLOWFISH Encryption
Slide 65
Function F in Blowfish
Slide 66
Advanced Encryption Standard
AES Evaluation Criteria
• Security:
I. Actual security compared to the other submitted algorithms.
II. Randomness: the extent to which the algorithm output is
indistinguishable from a random permutation on the input block.
III. Soundness of the mathematical basis for the algorithm's security.
Slide 67
Advanced Encryption Standard
• Cost:
I. Licensing requirements: NIST required that the algorithm selected as
the AES be available on a worldwide, non-exclusive, royalty-free basis.
II. Computational efficiency: evaluated for both hardware and software
implementations.
III. Memory requirements: the memory needed to implement the algorithm
in hardware and software.
Slide 68
Advanced Encryption Standard
• Algorithm and implementation characteristics: this category includes a
variety of considerations, including flexibility; suitability for a
variety of hardware and software implementations; and simplicity, which
makes analysis of the security more straightforward.
Slide 69
Advanced Encryption Standard
Criteria applied to the finalists:
• General security
• Software implementations
• Restricted-space environments
• Hardware implementations
• Attacks on implementations
• Encryption versus decryption
• Key agility
• Other versatility and flexibility
• Potential for instruction-level parallelism
Slide 70
AES Encryption Process
[Figure: the 128-bit block is processed as a 4 x 4 array of bytes called the State.]
Slide 71
AES Round Contains
I. Byte Substitution (SubBytes)
II. Row Shift (ShiftRows)
III. Column Mixing (MixColumns)
IV. Round Key Addition (AddRoundKey)
Slide 72
AES Data Structure
Slide 73
AES Data Structure
Slide 74
AES Encryption and Decryption
Slide 75
Slide 76
AES Byte-Level Operations
Slide 77
Shift Row Transformation
AES Row and Column Operations
Slide 78
Mix Column Transformation
Slide 79
Random Number
A number of network security algorithms and protocols based on
cryptography make use of random binary numbers:
• Key distribution and reciprocal authentication schemes
• Session key generation
• Generation of keys for the RSA public-key encryption algorithm
• Generation of a bit stream for symmetric stream encryption
There are two distinct requirements for a sequence of random numbers:
randomness and unpredictability.
Slide 80
Randomness
The generation of a sequence of allegedly random numbers being random in
some well-defined statistical sense has been a concern.
Two criteria are used to validate that a sequence of numbers is random:
Uniform distribution
• The frequency of occurrence of ones and zeros should be approximately
equal.
Independence
• No one subsequence in the sequence can be inferred from the others.
Slide 81
Unpredictability
The requirement is not just that the sequence of numbers be
statistically random, but that the successive members of the sequence
are unpredictable.
With "true" random sequences each number is statistically independent
of the other numbers in the sequence and therefore unpredictable.
True random numbers have their limitations, such as inefficiency, so it
is more common to implement algorithms that generate sequences of
numbers that appear to be random.
Care must be taken that an opponent not be able to predict future
elements of the sequence on the basis of earlier elements.
Slide 82
Pseudorandom numbers
Cryptographic applications typically make use of algorithmic
techniques for random number generation.
These algorithms are deterministic and therefore produce
sequences of numbers that are not statistically random.
If the algorithm is good, the resulting sequences will pass many
reasonable tests of randomness. Such numbers are referred to
as pseudorandom numbers.
Slide 83
True Random Number Generator (TRNG)
A TRNG takes as input a source that is effectively random; the source is
often referred to as an entropy source.
In essence, the entropy source is drawn from the physical environment of
the computer and could include things such as keystroke timing patterns,
disk electrical activity, mouse movements, and instantaneous values of
the system clock.
The source, or combination of sources, serves as input to an algorithm
that produces random binary output.
The TRNG may simply involve conversion of an analog source to a binary
output. The TRNG may involve additional processing to overcome any bias
in the source.
Slide 84
True Random Number Generator (TRNG)
Slide 85
Pseudorandom Number Generator (PRNG)
A PRNG takes as input a fixed value, called the seed, and produces a
sequence of output bits using a deterministic algorithm. Typically there
is some feedback path by which some of the results of the algorithm are
fed back as input as additional output bits are produced. The important
thing to note is that the output bit stream is determined solely by the
input value or values, so that an adversary who knows the algorithm and
the seed can reproduce the entire bit stream.
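As an added example that is not part of the slides: the two randomness criteria from slide 80 (uniform distribution, independence) written as the NIST SP 800-22 frequency and runs tests and run on constructed bit sequences, together with the point above that a seeded PRNG is reproducible by anyone who knows the seed. The sequences, seeds and lengths are constructed for this example, and the use of Python's `random` module (a Mersenne Twister, not a cryptographic generator) and `secrets` is this example's choice.

```python
"""The two randomness criteria as statistical tests, plus PRNG reproducibility.

The frequency (monobit) and runs tests follow NIST SP 800-22. The bit
sequences, seeds and lengths below are constructed for this example.
"""
import math
import random
import secrets


def bits_of(data):
    """Most-significant-bit-first list of bits for a bytes object."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def monobit_test(bits):
    """Uniform distribution: p-value that ones and zeros are equally frequent."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))


def runs_test(bits):
    """Independence: p-value that the number of runs (maximal blocks of equal
    bits) matches a random sequence. Returns 0.0 when the sequence is already
    too biased for the test to apply."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for i in range(1, n) if bits[i] != bits[i - 1])
    return math.erfc(abs(runs - 2 * n * pi * (1 - pi)) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def passes(bits, alpha=0.01):
    return monobit_test(bits) >= alpha and runs_test(bits) >= alpha


# Constructed 8000-bit sequences, each violating exactly one criterion.
BIASED = [1] * 5600 + [0] * 2400             # 70% ones: not uniformly distributed
random.Random(1234).shuffle(BIASED)          # fixed seed so the example is repeatable
ALTERNATING = [0, 1] * 4000                  # perfectly balanced, but each bit predicts the next


def prng_stream(seed, nbytes=32):
    """Output of a deterministic PRNG from a seed. Python's random module is a
    Mersenne Twister: it passes statistical tests, yet the whole stream follows
    from the seed (and its state is recoverable from 624 consecutive outputs),
    so anyone who knows the seed reproduces it. Never use it for keys."""
    return random.Random(seed).getrandbits(8 * nbytes).to_bytes(nbytes, "big")


def fresh_key(nbytes=32):
    """Keys come from the operating system's entropy-seeded generator, not from a seed."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    for name, seq in (("biased", BIASED), ("alternating", ALTERNATING),
                      ("os entropy", bits_of(fresh_key(1000)))):
        print(f"{name:12s} monobit p={monobit_test(seq):.3f} runs p={runs_test(seq):.3f}")
    print("same seed, same stream:", prng_stream(42) == prng_stream(42))
```

The alternating sequence is the reason both criteria are needed: it has exactly as many ones as zeros, so the frequency test gives it a p-value of 1, while the runs test rejects it outright because every bit is inferable from the previous one.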
Slide 86