Denunciar

Compartir

Seguir

•10 recomendaciones•2,381 vistas

UNIT - 2 SYMMETRIC CIPHERS: Symmetric Cipher Model, Substitution Techniques, Transposition Techniques, Simplified DES, Data encryption standard (DES), The strength of DES, Differential and Linear Cryptanalysis, Block Cipher Design Principles and Modes of Operation, Evaluation Criteria for Advanced Encryption Standard, The AES Cipher.

•10 recomendaciones•2,381 vistas

Seguir

Denunciar

Compartir

UNIT - 2 SYMMETRIC CIPHERS: Symmetric Cipher Model, Substitution Techniques, Transposition Techniques, Simplified DES, Data encryption standard (DES), The strength of DES, Differential and Linear Cryptanalysis, Block Cipher Design Principles and Modes of Operation, Evaluation Criteria for Advanced Encryption Standard, The AES Cipher.

- 1. NETWORK SECURITY (10EC832) 8th SEM E&C JAYANTHDWIJESH H P M.tech (DECS) Assistant Professor – Dept of E&CE B.G.S INSTITUTE OF TECHNOLOGY (B.G.S.I.T) B.G Nagara, Nagamangala Tq, Mandya District- 571448
- 2. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 1 NETWORK SECURITY PART-A UNIT-2 UNIT - 2 SYMMETRIC CIPHERS: Symmetric Cipher Model, Substitution Techniques, Transposition Techniques, Simplified DES, Data encryption standard (DES), The strength of DES, Differential and Linear Cryptanalysis, Block Cipher Design Principles and Modes of Operation, Evaluation Criteria for Advanced Encryption Standard, The AES Cipher. TEXT BOOK: 1. Cryptography and Network Security, William Stalling, Pearson Education, 2003. REFERENCE BOOKS: 1. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007. 2. Cryptography and Network Security, Atul Kahate, TMH, 2003.
- 3. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 2 UNIT - 2 SYMMETRIC CIPHERS: Symmetric Cipher Model, Substitution Techniques, Transposition Techniques, Simplified DES, Data encryption standard (DES), The strength of DES, Differential and Linear Cryptanalysis, Block Cipher Design Principles and Modes of Operation, Evaluation Criteria for Advanced Encryption Standard, The AES Cipher. 1. SYMMETRIC CIPHERS An original message is known as the plaintext. The coded message is called the cipher text. The process of converting from plaintext to cipher text is known as enciphering or encryption. Restoring the plaintext from the cipher text is deciphering or decryption. The many schemes used for encryption constitute the area of study known as cryptography. Such a scheme is known as a cryptographic system or a cipher. Techniques used for deciphering a message without any knowledge of the enciphering details fall into the area of cryptanalysis. The areas of cryptography and cryptanalysis together are called cryptology. 2. SYMMETRIC CIPHER MODEL Figure 1: Simplified Model of Symmetric Encryption A symmetric encryption scheme has five ingredients (Figure .1): Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.
- 4. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 3 Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext. Secret key: The secret key is also input to the encryption algorithm. The key is a value independent of the plaintext and of the algorithm. The algorithm will produce a different output depending on the specific key being used at the time. The exact substitutions and transformations performed by the algorithm depend on the key. Cipher text: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different cipher texts. The cipher text is an apparently random stream of data and, as it stands, is unintelligible. Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the cipher text and the secret key and produces the original plaintext. Encryption Requirements: There are two requirements for secure use of conventional encryption 1. The encryption algorithm must be strong. At a minimum, an opponent who knows the algorithm and has access to one or more cipher texts would be unable to decipher the cipher text or figure out the key. In a stronger form, the opponent should be unable to decrypt cipher text or discover the key even if he or she has a number of cipher texts together with the plaintext for each cipher text. 2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communication using this key is readable. We assume that it is impractical to decrypt a message on the basis of the Cipher text plus knowledge of the encryption/decryption algorithm. In other words, we do not need to keep the algorithm secret; we need to keep only the key secret.
- 5. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 4 3. MODEL OF SYMMETRIC CRYPTOSYSTEM The essential elements of a symmetric encryption scheme is described in the following figure: Figure 2: model of symmetric cryptosystem A source produces a message in plaintext, X= [𝑋1, 𝑋2, 𝑋3,.............𝑋 𝑀,]. A key of the form is K= [𝐾1, 𝐾2, 𝐾3,.............𝐾𝐽,] generated. If the key is generated at the message source, then it must also be provided to the destination by means of some secure channel. Alternatively, a third party could generate the key and securely deliver it to both source and destination. The cipher text is produced by the encryption algorithm with the message X and the encryption key K as input. The encryption process is: Y=E (K, X) This notation indicates that Y is produced by using encryption algorithm E as a function of the plaintext X, with the specific function determined by the value of the key K.
- 6. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 5 The intended receiver with the key is able to invert the transformation: X=D (K, Y) An opponent, observing Y but not having access to K or X, may attempt to recover X or K or both. It is assumed that the opponent knows the encryption (E) and decryption (D) algorithms. The opponent may do one of the following: Recover X by generating a plaintext estimate 0𝑋 , if the opponent is interested in only this particular message. Recover K by generating an estimate 0𝐾 , if the opponent is interested in being able to read future messages. 4. CRYPTOGRAPHY. [DEC-2013 / JAN-2014 (4M)] Cryptographic systems are characterized along three independent dimensions: 1. The Type of operations used for transforming plaintext to cipher text. All encryption algorithms are based on two general principles: Substitution: each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element, Transposition: elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (all operations are reversible). Product systems involve multiple stages of substitutions and transpositions. 2. The Number of keys used. If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and receiver use different keys, the system is referred to as asymmetric, two-key, or public-key encryption.
- 7. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 6 3. The way in which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along. Or CRYPTOGRAPHY [DEC-2013 / JAN-2014 (4M)] The word cryptography was derives from combining 2 Greek words. “Krypto” it means “hidden” and “graphene” meaning “writing”. Cryptography is the art of secret information writing or secret data writing. The main goal of cryptography is a data secure from unauthorized persons or attackers or hackers. Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it. Figure 3: Cryptographic Flow Encryption is a technique for transforming plain-text into an unreadable cipher-text or unintelligible format. Decryption is a technique for transforming cipher text (unreadable data) into plain text or original data (secret or confidential data). The key is also a group of bits which as a major role in the process of encryption and decryption. Types of Cryptography 1. Symmetric Key Cryptography (Secret Key Cryptography) 2. Asymmetric Key Cryptography (Public Key Cryptography) 3. HASH FUNCTION
- 8. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 7 1. Symmetric Key Cryptography: Symmetric key cryptography is called secret key cryptography or shared key or private key cryptography and it uses a same key or single-key for both of encryption & decryption method. The Symmetric key system is the DEC (data encryption standard).Symmetric key cryptography systems are simpler and faster. 2. Asymmetric Key Cryptography (Public Key Cryptography): where a different keys used for encryption and decryption. The different keys are a private key & a public key. 3. Hash functions: uses a mathematical transformation to irreversibility “encrypt” information. It is a one-way encryption. Uses no key for encryption and decryption. Advantages Enter (key) length will be generally short. Symmetric key cipher can be joined together to prepare stronger ciphers. It hides those secret or confidential messages and your protection or privacy may be sheltered or protected or safe. application On line banking. On line transaction. Media data base system. Medical application. Etc 5 CRYPTANALYSIS AND BRUTE-FORCE ATTACK The objective of attacking an encryption system is to recover the key in use rather than simply to recover the plaintext of a single cipher text. There are two general approaches to attacking a conventional encryption scheme: Cryptanalysis (cryptanalytic attacks): This attack relies on the nature of the algorithm plus some knowledge of the general characteristics of the plaintext or some sample plaintext–cipher text pairs. It exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used.
- 9. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 8 Brute-force attack: The attacker tries every possible key on a piece of cipher text until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success. If either type of attack succeeds in deducing the key, then future and past messages encrypted with that key are compromised. The following table summarizes the various types of cryptanalytic attacks based on the amount of information known to the cryptanalyst. Type of Attack Known to Cryptanalyst Cipher text Only Encryption algorithm Cipher text Known Plaintext Encryption algorithm Cipher text One or more plaintext–cipher text pairs formed with the secret key Chosen Plaintext Encryption algorithm Cipher text Plaintext message chosen by cryptanalyst, together with its corresponding cipher text generated with the secret key Chosen Cipher text Encryption algorithm Cipher text Cipher text chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key Chosen Text Combination of "Chosen Plaintext" and "Chosen Cipher text" Table1: Types of Attacks on Encrypted Messages 6 SUBSTITUTION TECHNIQUES The two basic building blocks of all encryption techniques are substitution and transposition. A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols.1 If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with cipher text bit patterns.
- 10. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 9 6.1 CAESAR CIPHER [JUNE-2012 -6M], [JUNE/JULY− 2017 (6M)] The encryption rule is simple; replace each letter of the alphabet with the letter standing 3 places further down the alphabet. The alphabet is wrapped around so that Z follows A. Example: Plaintext: meet me after the party Cipher text: PHHW PH DIWHU WKH SDUWB Note that the alphabet is wrapped around, so that the letter following Z is A. We can define the transformation by listing all possibilities, as follows: Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z Cipher: d e f g h i j k l m n o p q r s T u v w x y z a b c Let us assign a numerical equivalent to each letter: a b c d e f g H i j k l m 0 1 2 3 4 5 6 7 8 9 10 11 12 n o p q r s t u v w x y z 13 14 15 16 17 18 19 20 21 22 23 24 25 Then the algorithm can be expressed as follows. For each plaintext letter p, substitute the cipher text letter. C = E (3, p) = (p + 3) mod 26 A shift may be of any amount, so that the general Caesar algorithm is C = E (k, p) = (p + k) mod 26 Where k takes on a value in the range 1 to 25. The decryption algorithm is simply p = D (k, C) = (C - k) mod 26 If it is known that a given cipher text is a Caesar cipher, then a brute-force cryptanalysis is easily performed: simply try all the 25 possible keys. Three important characteristics of this problem enabled us to use a brute force cryptanalysis: 1. The encryption and decryption algorithms are known. 2. There are only 25 keys to try. 3. The language of the plaintext is known and easily recognizable.
- 11. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 10 6.2 MONOALPHABETIC CIPHER (SUBSTITUTION TECHNIQUES) Instead of shifting alphabets by the fixed amount as in Caesar cipher, any random permutation is assigned to the alphabets. This type of encryption called Monoalphabetic substitution cipher. For example, a replaced by Q, B by D, C by T etc. then it will be comparatively stronger than Caesar. 6.3 PLAYFAIR CIPHER [JUNE/JULY-2013(10M)], [DEC-2015/JAN-2016 (10M)] In this technique, multiple (2) letters encrypted at a time. This technique uses a 5 X 5 matrix which also called the key matrix. M O N A R C H Y B D E F G I/J K L P Q S T U V W X Z The plaintext encrypted two letters at a time, according to the following rules: Repeating plaintext letters that are in the same pair are separated with a filler letter, such as x, so that balloon would be treated as ba lx lo on. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row circularly following the last. For example, ar is encrypted as RM. Two plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column circularly following the last. For example, mu is encrypted as CM. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter. Thus, hs become BP and ea becomes IM (or JM, as the enciphered wishes). Security much improved over Monoalphabetic as here two letters are encrypted at a time and hence there are 26 X 26 =676 diagrams and hence it needs a 676 entry frequency table.
- 12. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 11 However, it can break even if a few hundred letters known as much of plaintext structure retained in the cipher text. 6.4 HILL CIPHER [DEC-2012(10M)] , [DEC-2013 / JAN-2014 (10M)] This cipher is based on linear algebra. Each letter is represented by numbers from 0 to 25 and calculations are done modulo 26. This encryption algorithm takes m successive plaintext letters and substitutes them with m cipher text The substitution determined by m linear equations. For m = 3, the system can describe as: c1 = (k11p1 + k21p2 + k31p3) mod 26 c2 = (k12p1 + k22p2 + k32p3) mod 26 c3 = (k13p1 + k23p2 + k33p3) mod 26 This can also expressed in terms of row vectors and matrices. C = PK mod 26 Where C and P are row vectors of length 3 representing the plaintext and cipher text, and K is a 3 X 3 matrix representing the encryption key Key is an invertible matrix K modulo 26, of size m. For example: Encryption and decryption can give by the following formulae: Hill Cipher Encryption: C =E (K, P) = PK mod 26 Decryption: P = D (K, C) = CK-1 mod 26 = PKK-1 = P The strength of the Hill cipher is that it completely hides single-letter frequencies.
- 13. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 12 Although the Hill ciphers strong against a cipher text-only attack, it easily broke with a known plaintext attack. Collect m pair of plaintext-cipher text, where m is the size of the key. Write the m plaintexts as the rows of a square matrix P of size m. Write the m cipher texts as the rows of a square matrix C of size m. We have that C=PK mod 26. If P is invertible, then K=13-1 C mod 26, If P is not invertible, then collect more plaintext-cipher text pairs until an invertible P obtained. 6.5 POLYALPHABETIC CIPHERS Another way to improve on the simple Monoalphabetic technique is to use different Monoalphabetic substitutions as one proceeds through the plaintext message. The general name for this approach is polyalphabetic substitution cipher. All these techniques have the following features in common: 1. A set of related Monoalphabetic substitution rules is used. 2. A key determines which particular rule is chosen for a given transformation. 6.5.1 Vigenere cipher:- This is a type of polyalphabetic substitution cipher (includes multiple substitutions depending on the key). In this type of cipher, the key determines which particular substitution to use. To encrypt a message, a key needed that is as long as the message. Usually, the key a repeating We can express the Vigenere cipher in the following manner. Assume a sequence of plaintext letters P =𝑃0, 𝑃1, 𝑃2 ...... 𝑃𝑛−1 and a key consisting of the sequence of letters K =𝐾0 , 𝐾1 , 𝐾2 … 𝐾 𝑚−1, where typically m 6 n. The sequence of cipher text letters C = 𝐶0, 𝐶1, 𝐶2 … … 𝐶𝑛−1is calculated as follows: C = 𝐶0, 𝐶1, 𝐶2 … … 𝐶𝑛−1 = E (K, P) = E [(𝐾0 , 𝐾1 , 𝐾2 … 𝐾 𝑚−1,), (P =𝑃0, 𝑃1, 𝑃2 ...... 𝑃𝑛−1)] = (𝑃0 +𝐾0 ,) mod 26, ( 𝑃1 + 𝐾1) mod 26 .......... (𝑃 𝑚−1 +𝐾 𝑚−1) mod 26, (𝑃𝑚 +𝐾0 ,) mod 26, (𝑃 𝑚+1 + 𝐾1) mod 26, c, (𝑃2𝑚−1 + 𝐾 𝑚−1) mod 26,........ Thus, the first letter of the key is added to the first letter of the plaintext, mod 26, the second letters are added, and so on through the first m letters of the plaintext.
- 14. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 13 For the next m letters of the plaintext, the key letters are repeated. This process continues until all of the plaintext sequence is encrypted. A general equation of the encryption process is A general equation of the decryption process is To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword. For example, if the keyword is deceptive, the message “we are discovered save yourself” is encrypted as Key: d e c e p t i v e d e c e p t i v e d e c e p t i v e Plaintext: w e a r e d i s c o v e r e d s a v e y o u r s e l f Cipher text: Z I C V T W Q N G R Z G V T W A V Z H C Q Y G L M G J Expressed numerically, we have the following result. The strength of this cipher is that there are multiple cipher text letters for each plaintext letter, one for each unique letter of the keyword. Thus, the letter frequency information obscured, however, not all knowledge of the plaintext structure lost.
- 15. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 14 6.5.2 Vernam Cipher The ultimate defense against such a cryptanalysis is to choose a keyword that is as long as the plaintext and has no statistical relationship to it. Such a system was introduced by an AT&T engineer named Gilbert Vernam in 1918. Figure 4: Vernam Cipher His system works on binary data (bits) rather than letters. The system can be expressed succinctly as follows (Above figure 3) The cipher text is generated by performing the bitwise XOR of the plaintext and the key. Because of the properties of the XOR, decryption simply involves the same bitwise operation. 7 TRANSPOSITION TECHNIQUES A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher. The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. For example, to encipher the message “meet me after the toga party” with a rail fence of depth 2, we write the following: m e m a t r h t g p r y
- 16. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 15 e t e f e t e o a a t The encrypted message is MEMATRHTGPRYETEFETEOAAT This sort of thing would be trivial to crypt analyze. A more complex scheme is to write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns. The order of the columns then becomes the key to the algorithm. For example, Thus, in this example, the key is 4312567. To encrypt, start with the column that is labelled 1, in this case column 3. Write down all the letters in that column. Proceed to column 4, which is labelled 2, then column 2, then column 1, then columns 5, 6, and 7. A pure transposition cipher is easily recognized because it has the same letter frequencies as the original plaintext. For the type of columnar transposition just shown, cryptanalysis is fairly straightforward and involves laying out the cipher text in a matrix and playing around with column positions. Diagram and trigram frequency tables can be useful. The transposition cipher can be made significantly more secure by performing more than one stage of transposition. The result is a more complex permutation that is not easily reconstructed. Thus, if the foregoing message is re-encrypted using the same algorithm, To visualize the result of this double transposition, designate the letters in the original plaintext message by the numbers designating their position. Thus, with 28 letters in the message, the original sequence of letters is
- 17. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 16 After the first transposition, we have Which has a somewhat regular structure. But after the second transposition, we have 8 DATA ENCRYPTION STANDARD DES encrypts 64-bit blocks using a 56-bit key and produces a 64-bit cipher text. Same steps, with the same key, used to reverse the encryption with the order of the keys reversed. The DES widely used. 8.1 DES Encryption [JUNE-2012 -10M] The DES encryption is shown in the figure below Encryption function has two inputs: the plaintext to be encrypted and the key. The processing of the plaintext proceeds in three phases. The permuted output then passed through sixteen rounds of the same function, which involves both permutation and substitution functions. The left and right halves from the last round swapped to produce pre output. The pre-output passed through a permutation that is the inverse of the initial permutation function, to produce the 64-bit cipher text. Moreover, The 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input. The right-hand portion of the figure shows the way in which the 56-bit key used. Initially, the key passed through a permutation function. Then, a sub key (ki) produced for each of the sixteen rounds by the combination of a left circular shift and a permutation. The permutation functions the same for each round, but a different sub key produced because of the repeated shifts of the key bits.
- 18. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 17 Figure 5: General Depiction of DES Encryption Algorithm 8.2 DES Decryption As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of the sub keys is reversed. Additionally, the initial and final permutations are reversed.
- 19. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 18 9 BLOCK CIPHER DESIGN PRINCIPLES [DEC-2011(8M)], [JUNE/JULY-2013(8M)] The followed criteria need to be taken into account when designing a block cipher: Number of Rounds: The greater the number of rounds. The more difficult it is to perform cryptanalysis, even for a weak function. The number of rounds chosen so that efforts required to crypt analyze it becomes greater than a simple brute-force attack. Design of Function F: F should be nonlinear and should satisfy strict avalanche criterion (SAC) and bit independence criterion (BIC). S-Box Design: S-Box obviously should non-linear and should satisfy SAC, BIC, and Guaranteed Avalanche criteria. One more obvious characteristic of the S-box is its size. Larger S-Boxes provide good diffusion but also result in greater look-up tables. Hence, general size is 8 to 10. Key schedule Algorithm: With any Feistel block cipher, the key used to generate one sub key for each round. In general, sub keys should be selected such that it should be deduced sub keys from one another or main key from the sub key. 10 BLOCK CIPHER MODES OF OERATIONS A block cipher algorithm is a basic building block for providing data security. to apply a block cipher in variety of applications.” Modes of operation have been defined by NIST. A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application. Such as applying a block cipher to a sequence of data blocks or a data stream. Block cipher modes of operation are 1. Electronic Codebook mode (ECB) 1. This is the simplest mode in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key. 2. The term codebook is used because, for a given key, there is a unique cipher text for every -bit block of plaintext.
- 20. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 19 3. Therefore, we can imagine a huge codebook in which there is an entry for every possible b-bit plaintext showing its corresponding cipher text. 4. For a message longer than b bits, the procedure is simply to break the message into b-bit blocks, padding the last block if necessary. Figure 6: Electronic Codebook mode (ECB) Decryption is performed one block at a time, always using the same key. For lengthy messages, ECB mode may be not secure. If the message has repetitive elements, then these elements can be identified by the analyst. Thus, the ECB method is ideal for a short amount of data, such as an encryption key. Lists the following criteria and properties for evaluating and constructing block cipher modes of operation that are superior to ECB: Overhead: The additional operations for the encryption and decryption operation when compared to encrypting and decrypting in the ECB mode. Error recovery: The property that an error in the ith cipher text block is inherited by only a few plaintext blocks after which the mode resynchronizes.
- 21. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 20 Error propagation: The property that an error in the ith cipher text block is inherited by the ith and all subsequent plaintext blocks. What is meant here is a bit error that occurs in the transmission of a cipher text block, not a computational error in the encryption of a plaintext block. Diffusion: How the plaintext statistics are reflected in the cipher text. Low entropy plaintext blocks should not be reflected in the cipher text blocks. Roughly, low entropy equates to predictability or lack of randomness Security: Whether or not the cipher text blocks leak information about the plaintext blocks. 2. Cipher Block Chaining Mode (CBC) Figure 7: Cipher Block Chaining (CBC) Mode To overcome the security deficiencies of ECB, a technique is needed in which the same plaintext block, if repeated, produces different cipher text blocks.
- 22. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 21 A simple way to satisfy this requirement is the cipher block chaining (CBC) which is shown in the figure. In this mode, the input to the encryption algorithm is the X-OR of the current plaintext block and the preceding cipher text block; the same key is used for each block. The input to the encryption function for each plaintext block has no fixed relationship to the plaintext block. Therefore, repeating patterns will not produce the same cipher text. The last block is padded to a full b bits if it is a partial block. For decryption, each cipher block is passed through the decryption algorithm. The result is X-OR ed with the preceding cipher text block to produce the plaintext block. The expressions for CBC are: Modes: Operations Encryption: Cj = E (K, [Cj-1 Pj]) Decryption: D (K, Cj) = D (K, E (K, [Cj-1 Pj])) D (K, Cj) = Cj-1 Pj Cj-1 D (K, Cj) = Cj-1 Cj-1 Pj = Pj 3. Cipher Feedback Mode (CFB) DES is a block cipher, but it may be used as a stream cipher if the Cipher Feedback Mode (CFM) or the Output Feedback Mode (OFB) is used. CFB scheme is depicted below. A stream cipher eliminates the need to pad a message to be an integral number of blocks. It also can operate in real time. ‘s’ bits the size usually selected by the user, most of the time it 8 bits. In this case, rather than the block of 64 bits, the plaintext is divided into segments of s bits. Encryption: The input to the encryption function a 64-bit shift register that is initially set to some initialization vector (IV). The leftmost (most significant) s bits of the output of the encryption function X-ORed with the first segment of plaintext P1 to produce the first unit of cipher text C1, which is then transmitted.
- 23. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 22 In addition, the contents of the shift register are shifted left by s bits and C1 is placed in the rightmost s bits of the shift register. This process continues until all plaintext units have been encrypted. Figure 8: s-bit Cipher Feedback (CFB) Mode Decryption: The same scheme used except that the received cipher text unit is X- ORed with the output of the encryption function to produce the plaintext unit. The main disadvantage of this scheme is that bit error in one cipher text propagates to next stage also.
- 24. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 23 4. Output Feedback Mode (OFM) The output feedback mode is similar in structure to that of CFB. The difference between CFB and OFB is that in OFB the output of the encryption function is fed back to the shift register in OFB, whereas in CFB the cipher text is fed to the shift register. The other difference is that the OFB mode operates on full blocks of plaintext and cipher text, not on „s‟ bit subset. One advantage of the OFB method is that bit errors in transmission do not propagate. The main disadvantage of OFB is that it is more vulnerable to a message stream modification attack than CFB Figure 9: Output Feedback (OFB) Mode
- 25. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 24 5. Counter Mode (CTR) [DEC-2010(10M)] In this mode, a counter equal to the plaintext block size used. The only requirement that the counter value must different for each plaintext block that encrypted. Typically, the counter initialized to some value and then incremented by 1 for each subsequent block (modulo 2b , where b the block size) Counter Mode works as follows: Encryption: The counter encrypted and then XORed with the plaintext block to produce the cipher text block; there is no chaining. Decryption: The same sequence of counter values used. Each encrypted counter X-ORed with a cipher text block to recover the corresponding plaintext block. Figure 10: Counter (CTR) Mode
- 26. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 25 CTR has following advantages: Modes: Operations Hardware efficiency: In this mode, encryption (or decryption) can do in parallel on multiple blocks of plaintext or cipher text. For the chaining modes, the algorithm must complete the computation on one block before beginning on the next block. Software efficiency: Similarly, because of the opportunities for parallel execution in CTR mode, processors that support parallel features, such as aggressive pipelining, multiple instruction dispatches per clock cycle, the large number of registers can effectively utilize. Preprocessing: The execution of the encryption algorithm does not depend on the input of the plaintext or cipher text. Therefore preprocessing can used to prepare the output of the encryption boxes which can feed into the X-OR functions when the plaintext or cipher text input presented. Random access: The ith block of plaintext or cipher text can process in the random- access fashion. With the chaining modes, a block cannot compute until i– 1 prior block computed. Provable security: It can show that CTR is as secure as the other modes. Simplicity: CTR mode requires only the implementation of the encryption algorithm and not the decryption algorithm and has a very simple implementation. This mode used in ATM (asynchronous transfer mode) and IP Sec (IP security) nowadays.
- 27. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 26 11 THE AES CIPHER AES is a non –Feistel cipher, which means that each transformation or group of transformation must be invertible. In addition, the cipher and the inverse cipher must use these operations in such a way that cancel each other. The round keys must also be used in the reverse order. Two different designs are given to be used for different implementation. 11.1 Original design or Detailed Structure In the original design, the order of transformations in each round is not the same in the cipher and reverse cipher. Shown in below figure 5. 1st , the order of sub bytes and shift rows is changed in the reverse cipher. 2nd , the order of mix columns and Add round key is changed in the reverse cipher. This difference in ordering is needed to make each transformation in the cipher aligned with its inverse in the reverse cipher. Consequently, the decryption algorithm as a whole is the inverse of the encryption algorithm. We have shown only three rounds, but the rest is the same. Note that the round keys are used in the reverse order. Note that the encryption and decryption algorithms in the original are not similar. OR
- 28. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 27 Figure 11: cipher and inverse cipher of the original design or AES Encryption and Decryption 11.2 Alternative design 1. Sub Bytes / shift rows pairs Sub bytes change the contents of each bytes without changing the order of the bytes in the state; shift rows change the order of the bytes in the state without changing the content of the bytes. This implies that we can change the order of these two transformations in the inverse cipher without affecting the invertibility of the whole algorithm. Below fig 6 shows the idea. Note that the combination of two transformations in the cipher and inverse cipher are the inverse of each other.
- 29. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 28 Figure 12: invertibility of sub bytes and shift rows combinations 2. Mix columns/Add round key pair Here the two involved transformations are of different nature. However, the pairs can become inverse of each if we multiply the key matrix by the inverse of the constant matrix – used in mix columns transformation. We call the new transformation InvAddRoundKey. Below fig 7 shows the new configuration. Figure 13: invertibility of mix columns and Addroundkey combinations It can be proved that the two combinations are now inverses of each other. In the cipher we call the input state to the combination S and the output state T. In the inverse cipher the input state to the combination is T. The following show that the output state is also S. Not the matrix columns transformation is actually multiplication of the C matrix. Now we can show the cipher and inverse cipher for the alternate design. Note that we still need to use two add round key transformations in the decryption. In other words, we have nine InvAddRoundKey and two Addroundkey transformation as shown in below fig8
- 30. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 29 Figure 14: cipher and reverse cipher in alternate design or AES Encryption and Decryption in alternate design 12. EVALUTION CRITERIA FOR ADVANCED ENCRYPTION STANDARD [MAY/JUNE -2010 (06M)], [DEC-2014 / JAN-2015 (8M)] Figure 9 shows the overall structure of the AES encryption process. The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length. The input to the encryption and decryption algorithms is a single 128-bit block. In FIPS PUB 197, this block is depicted as a 4 * 4 square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption. After the final stage, State is copied to an output matrix. These operations are depicted in 10 (a). Similarly, the key is depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words.
- 31. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 30 Figure 10 (b). Shows the expansion for the 128-bit key. Each word is four bytes, and the total key schedule is 44 words for the 128-bit key. Note that the ordering of bytes Within a matrix is by column. So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second column, and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix. Figure 15: AES Encryption Process The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key and 14 rounds for a 32-byte key (Table 5.1). The first N - 1 round consist of four distinct transformation
- 32. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 31 functions: Sub Bytes, Shift Rows, Mix Columns, and Addroundkey, which are described subsequently. The final round contains only three transformations, and there is a initial single transformation (Addroundkey) before the first round, which can be considered Round 0. Each transformation takes one or more 4 X 4 matrices as input and produces a 4 X 4 matrix as output. Figure 9 shows that the output of each round is a 4 X 4 matrix, with the output of the final round being the cipher text. Also, the key expansion function generates N + 1 round key, each of which is a distinct 4 X 4 matrix. Each round key serves as one of the inputs to the Addroundkey transformation in each round. (a) Input, state array, and output (b) Key and expanded key Figure 2: AES Data Structures Table1 3: AES Parameters
- 33. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 32 13 DETAILS OF SINGLE ROUND DES [MAY/JUNE -2010 (08M)], [DEC-2010(10M)], [DEC-2014 / JAN-2015 (8M)], [JUNE/JULY− 2017 (6M)],[DEC-2013 / JAN-2014 (10M)] Figure 11 shows the internal structure of a single round. Figure 16: single round of DES algorithm The left and right halves are treted as separate 32-bit quantities, labelled L (left) and R (right). The overall processing at each round can be summarized as: 𝐿𝑖 = 𝑅𝑖 -1 𝑅𝑖 = 𝐿𝑖-1 ⊕ {F (𝑅𝑖-1,𝑘𝑖)} Expansion (E) The 32-bit input first expanded to 48 bits. o Bits of input split into groups of 4 bits.
- 34. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 33 Each group wrote as groups of 6 bits by taking the outer bits from the two adjacent groups. For example: … efgh ijkl mnop … is expanded to … defghi hijklm lmnopq … Table1 4: Expansion permutation (E) Substitution (S-Box) This 48-bit result input to S-Boxes that perform a substitution on input and produces a 32-bit output. It is easy to understand S-Box by the following figure: Figure 17: calculation of F( R,K)
- 35. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 34 DES consists of a set of eight S-Boxes. Each S-Box takes 6 bits as input and produces 4 bits as output. The first and last bits of the input to box form a 2-bit binary number which gives the binary value of row number. The middle four bits select one of the sixteen columns. The decimal value in the cell selected by the row and column then converted to its 4-bit binary number to produce the output. For example, in S1, for input 101110, the row is 10 (row 2) and the column is 0111 (column 7).The value in row 2, column 7 is 11, so the output is 1011. Permutation (P) The result permuted using a permutation table. Table1 5: Permutation function (p) Key Generation A 64-bit key used as input to the algorithm while only 56 bits actually used. Every eighth bit ignored. Sub-keys at each round generated as given below: The key first permuted using a table named Permuted Choice One table (6). The resulting 56-bit key divided into two 28-bit quantities, C0 and D0. At each round, Ci- 1 and Di-1 separately subjected to a circular left shift of 1 or 2 bits, as governed by a table. Moreover, these shifted values forwarded to the next round. They are also inputting to a permutation table Permuted Choice Two table (7). The table produces a 48-bit output that serves as the round key ki. Table1 6: Input key Table 7: Permuted choice one (PC-1)
- 36. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 35 Table 8: Permuted choice two (PC- 2) Table 9: Schedule of left shifts 14 STREAM CIPHERS AND BLOCK CIPHERS A. Stream ciphers A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples: one time pad In which the key stream (ki) is as long as the plaintext bit stream (pi). If the cryptographic key stream is random, then this cipher is unbreakable by any means other than acquiring the key stream. However, the key stream must be provided to both users in advance via some independent and secure channel. (Figure 13) Figure 18: Stream cipher using algorithmic bit-stream generator Accordingly, for practical reasons, the bit-stream generator must be implemented as an algorithmic procedure, so that the cryptographic bit stream can be produced by both users. In this approach (Figure 13), the bit-stream generator is a key-controlled algorithm and must produce a bit stream that is cryptographically strong. That is, it must be computationally impractical to predict future portions of the bit stream based on previous
- 37. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 36 portions of the bit stream. The two users need only share the generating key, and each can produce the key stream. B. Block ciphers A block cipher is one in which a block of plaintext is treated as a whole and used to produce a cipher text block of equal length. Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two users share a symmetric encryption key (Figure 14). Figure 19: Block Cipher Plaintext:227 bytes Block size: 16bytes =227/16=14 blocks & 3 bytes Total block 15 in which last block contain 3 bytes and padding bytes 15 DIFFERENCES BETWEEN BLOCK CIPHER AND STREAM CIPHER. [JUNE/JULY-2013(8M)]
- 38. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 37 0r 16 FEISTEL CIPHER STRUCTURE [JUNE-2012 -10M] Feistel cipher is based on the idea that instead of using Ideal block cipher which degrades performance, a “substitution-permutation network” can be used. Feistel Cipher Encryption (shown in below fig 15) The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves 𝐿 𝑂 and 𝑅 𝑂 The two halves of the data pass through rounds of processing and then combine to produce the cipher text block. Each round has as inputs 𝐿𝑖−1and 𝑅𝑖−1 derived from the previous round, as well as a sub key 𝐾𝑖 derived from the overall K. Any number of rounds could implement and all rounds have the same structure. A substitution is performed on the left half of the data. This done by applying around function F. The Round Function F: F takes the right-half block of the previous round and a sub key as input. The output of the function XORed with the left half of the data.
- 39. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 38 Left and right halves then swapped. Figure 20: Feistel Encryption and Decryption (16 rounds) Feistel Cipher Decryption The process of decryption with a Feistel cipher is same as the encryption process. The cipher text input to the algorithm and the sub keys used in reverse order. That is, sub key of the last round in encryption used in the first round in decryption, second last in the second round, and so.
- 40. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 39 The exact realization of a Feistel network depends on the choice of the following parameters: Block size: Larger block sizes mean greater security but reduced encryption/decryption speed for a given Traditionally, a block size of 64 bits used which gives enough security without greatly affecting the speed. Key size: Larger key size means greater security but may decrease encryption/ decryption speed. The greater security achieved by greater resistance to brute-force attacks and greater confusion. Key sizes of 64 bits or less now widely considered to inadequate, and 128 bits has become a common size. The number of rounds: The essence of the Feistel cipher that a single round offers inadequate security but that multiple rounds offer increased security. A typical size 16 rounds. Sub key generation algorithm: Greater complexity in this algorithm leads to greater difficulty of cryptanalysis Round function F: Again, greater complexity generally means greater resistance to cryptanalysis. There are two other considerations in the design of a Feistel cipher: Fast software encryption/decryption: In many cases, encryption embedded in applications implementation (as software). Accordingly, the speed of execution of the algorithm becomes a concern. Ease of analysis: Although we would like to make our algorithm as difficult as possible to crypt analyze, there is a great benefit in making the algorithm easy to analyze. That is if The algorithm can concisely and clearly explain, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a high level of assurance as to its strength.
- 41. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 40 17 THE STRENGHTH OF DES [DEC-2011(4M)] A. The Use of 56-Bit Keys With a key length of 56 bits, there are 256 possible keys, which is approximately 7.2 X 1016 keys. Thus, on the face of it, a brute-force attack appears impractical. Assuming that, on average, half the key space has to be searched, a single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher. The assumption of one encryption per microsecond is overly conservative. As far back as 1977, Diffie and Hellman postulated that the technology existed to build a parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond [DIFF77]. This would bring the average search time down to about 10 hours. The authors estimated that the cost would be about $20 million in 1977 dollars. Table 9 shows how much time is required for a brute-force attack for various key sizes. As can be seen, a single PC can break DES in about a year; if multiple PCs work in parallel, the time is drastically shortened. Table 10 : Average Time Required for Exhaustive Key Search Today‟s supercomputers should be able to find a key in about an hour. Key sizes of 128 bits or greater are effectively unbreakable using simply a brute force approach. Even if we managed to speed up the attacking system by a factor of 1 trillion (1012), it would still take over 100,000 years to break a code using a 128-bit key. B. The Nature of the DES Algorithm Another concern is the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm.
- 42. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 41 The focus of concern has been on the eight substitution tables, or S-boxes, that are used in each iteration. Because the design criteria for these boxes, and indeed for the entire algorithm, were not made public, there is a suspicion that the boxes were constructed in such a way that cryptanalysis is possible for an opponent who knows the weaknesses in the S-boxes. This assertion is tantalizing, and over the years a number of regularities and unexpected behaviors of the S-boxes have been discovered. Despite this, no one has so far succeeded in discovering the supposed fatal weaknesses in the S-boxes. 18 DIFFERENTIAL AND LINEAR CRYPTANALYSIS For most of its life, the prime concern with DES has been its vulnerability to brute- force attack because of its relatively short (56 bits) key length. However, there has also been interest in finding cryptanalytic attacks on DES. With the increasing popularity of block ciphers with longer key lengths, including triple DES, brute-force attacks have become increasingly impractical. Thus, there has been increased emphasis on cryptanalytic attacks on DES and other symmetric block ciphers. In this section, we provide a brief overview of the two most powerful and promising approaches: differential cryptanalysis and linear cryptanalysis. Differential Cryptanalysis One of the most significant advances in cryptanalysis in recent years is differential cryptanalysis. In this section, we discuss the technique and its applicability to DES. Differential Cryptanalysis Attack The differential cryptanalysis attack is complex; [BIHA93] provides a complete description. The rationale behind differential cryptanalysis is to observe the behavior of pairs of text blocks evolving along each round of the cipher, instead of observing the evolution of a single text block. Here, we provide a brief overview so that you can get the flavor of the attack. We begin with a change in notation for DES. Consider the original plaintext block m to consist of two halves m0, m1.
- 43. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 42 Each round of DES maps the right-hand input into the left-hand output and sets the right-hand output to be a function of the left-hand input and the sub key for this round. So, at each round, only one new 32-bit block is created. If we label each new block m1(2 I 17), then the intermediate message halves are related as follows: In differential cryptanalysis, we start with two messages, m and m', with a known XOR difference m = m m' and consider the difference b/w the intermediate message halves: 𝑚𝑖 = 𝑚𝑖 𝑚𝑖+1 ′ . then we have Now, suppose that many pairs of inputs to f with the same difference yield the same output difference if the same sub key is used. To put this more precisely, let us say that X may cause Y with probability p, if for a fraction p of the pairs in which the input XOR is X, the output XOR equals Y. We want to suppose that there are a number of values of X that have high probability of causing a particular output difference. Therefore, if we know Dmi-1 and Dmi with high probability, then we know Dmi+1 with high probability. Furthermore, if a number of such differences are determined, it is feasible to determine the sub key used in the function f. The overall strategy of differential cryptanalysis is based on these considerations for a single round. The procedure is to begin with two plaintext messages m and m' with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the cipher text. there are two probable patterns of differences for the two 32-bit halves: (m17||m16). Next, we submit m and m' for encryption to determine the actual difference under the unknown key and compare the result to the probable difference. If there is a match, E (K, m) E (m') = (m17|| m16)
- 44. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 43 Then we suspect that all the probable patterns at all the intermediate rounds are correct. With that assumption, we can make some deductions about the key bits. This procedure must be repeated many times to determine all the key bits. Figure 21: Differential Propagation through Three Round of DES (numbers in hexadecimal)
- 45. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 44 Figure (16) based on a figure in [BIHA93], illustrates the propagation of differences through three rounds of DES. The probabilities shown on the right refer to the probability that a given set of intermediate differences will appear as a function of the input differences. Overall, after three rounds the probability that the output difference is as shown is equal to 0.25 x 1 x 0.25 = 0.0625. Linear Cryptanalysis A more recent development is linear cryptanalysis, described in [MATS93]. This attack is based on finding linear approximations to describe the transformations performed in DES. This method can find a DES key given 243 known plaintexts, as compared to 247 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on DES. So far, little work has been done by other groups to validate the linear cryptanalytic approach. We now give a brief summary of the principle on which linear cryptanalysis is based. For a cipher with n-bit plaintext and cipher text blocks and an m-bit key, let the plaintext block be labelled P[1], ... P[n], the cipher text block C[1], ... C[n], and the key K[1], ... K[m]. Then define The objective of linear cryptanalysis is to find an effective linear equation of the form: That holds with probability p 0. If it is 1 most of the time, assume = 1. This gives us a linear equation on the key bits. Try to get more such relations so that we can solve for the key bits. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined.
- 46. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 45 19 ONE-TIME PAD [JUNE-2012 -4M] In this scheme, a random key that is as long as the message used. The key used to encrypt and decrypt a single message and then discarded. Each new message requires a new key of the same length as the new message. This scheme is unbreakable. It produces random output that bears no statistical relationship to the plaintext. Because the cipher text contains no information whatsoever about the plaintext, there is simply no way to break the code. For any plaintext of equal length to the cipher text, there is a key that produces that plaintext. Therefore, if you did an exhaustive search of all possible keys, you would end up with many legible plaintexts, with no way of knowing which the intended plaintext was. Therefore, the code is unbreakable. The security of the one-time pad is entirely due to the randomness of the key. The one-time pad offers complete security but, in practice, has two fundamental difficulties: 1. There is the practical problem of making large quantities of random keys. Any heavily used system might require millions of random characters on a regular basis. Supplying truly random characters in this volume is a significant task. 2. Another problem is that of key distribution and protection. For every message to sent, a key of equal length needed by both sender and receiver. Because of these difficulties, the one-time pad used where very high security required. The one-time pad is the only cryptosystem that exhibits perfect secrecy. 20 STEGANOGRAPHY [JUNE/JULY-2013(4M)]. [DEC-2013 / JAN-2014 (4M)] The steganography comes from Greek words, steganos in Greek meaning “hidden” or “covered” and graphic in Greek meaning “writing”. Steganography is the invisible communication.
- 47. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 46 The main idea of steganography is to hide secret messages in the other cover digital Medias such as a text, video, and audio, image etc. show that someone or hacker or other person cannot know the presence of the secret information. There are three basic types of steganography a. Pure or Stegano-graphy. b. secret key Stegano-graphy. c. Public key Stegano-graphy. a. Pure-steganography: is embedding the secret information or message into the thing (item) without using any private keys. Pure Stegano-graphy is entirely depends upon secrecy. In this steganography uses a cover image in which information is to be embedded. Figure 22: pure steganography Pure Stego cannot give the better security because of it will be not difficult for Extracting the information, if the hacker know the embedding technique. Advantage - It decreases the difficulty in key sharing. Secret key steganography: in this technique uses the individual key for combine the Information into The thing (item), so this will be similar to symmetric key. For a Decryption it will be uses the same-key, which will be utilized to encryption. Figure 23: secret key Steganography Advantage - Mystery-key Stego gives high security compare to pure-Stego.
- 48. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 47 Public-key Stego: this type of Stego uses 2 types of keys like, 1) Encryption 2) Decryption Figure 24: Public key Steganography Encryption used for private - key and Decryption used for public- key & it is saved in a public database. Applications Confidential communication and secret data storing. Protect of data alteration. Access control system for digital content distribution. Usage in modern printers Alleged use by terrorists. Alleged use by intelligence services etc. Advantages It is used in the way of hiding not the information but the password to reach that information. Difficult to detect. Only receiver can detect. Can be applied differently in digital image, sound, audio and video file.
- 49. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 48 21 SIMPLIFIED DATA ENCRYPTION STANDARD (S-DES) The overall structure of the simplified DES. The S-DES encryption algorithm takes an 8-bit block of plaintext (example: 10111101) and a 10-bit key as input and produces an 8-bit block of cipher text as output. The S-DES decryption algorithm takes an 8-bit block of cipher text and the same 10-bit key used to produce that cipher text as input and produces the original 8-bit block of plaintext. Figure 25: Simplified DES scheme The encryption algorithm involves five functions: an initial permutation (IP); a complex function labelled fk, which involves both permutation and substitution operations and depends on a key input ;a simple permutation function that switches (SW) the two halves
- 50. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 49 of the data; the function fk again; and finally a permutation function that is the inverse of the initial permutation( I𝑃−1 ) . The function fk takes as input not only the data passing through the encryption algorithm, but also an 8-bit key. Here a 10-bit key is used from which two 8-bit sub keys are generated. The key is first subjected to a permutation (P10). Then a shift operation is performed. The output of the shift operation then passes through a permutation function that produces an 8-bit output (P8) for the first sub key (K1). The output of the shift operation also feeds into another shift and another instance of P8 to produce the second sub key (K2). The encryption algorithm can be expressed as a composition composition1 of functions: IP-1 ο fK2 ο SW ο fk1 ο IP Which can also be written as Cipher text = IP-1 (fK2 (SW (fk1 (IP (plaintext))))) Where K1 = P8 (Shift (P10 (Key))) K2 = P8 (Shift (shift (P10 (Key)))) Decryption is also shown in above fig25 and is essentially the reverse of encryption: Plaintext = IP-1 (fK1 (SW (fk2 (IP (cipher text))))). 22 S-DES KEY GENERATIONS S-DES depends on the use of a 10-bit key shared between sender and receiver. From this key, two 8-bit sub keys are produced for use in particular stages of the encryption and decryption algorithm. First, permute the key in the following fashion. Let the 10-bit key be designated as (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as: P10 (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, K2, k7, k4, k10 10, k1, k9, k8, k6) P10 can be concisely defined by the display:
- 51. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 50 Figure 26: Key generation for simplified DES This table is read from left to right; each position in the table gives the identity of the input bit that produces the output bit in that position. So the first output bit is bit 3 of the input; the second output bit is bit 5 of the input, and so on. For example, the key (1010000010) is permuted to (10000 01100). Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits and the second five bits. In our example, the result is (00001 11000). Next we apply P8, which picks out and permutes 8 of the 10 bits according to the following rule: The result is sub key 1 (K1). In our example, this yields (10100100). We then go back to the pair of 5-bit strings produced by the two LS-1 functions and performs a circular left shift of 2 bit positions on each string. In our example, the value (00001 11000) becomes (00100 00011). Finally, P8 is applied again to produce K2. In our example, the result is (01000011).
- 52. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 51 23 S-DES ENCRYPTION Encryption involves the sequential application of five functions. Figure 27: simplified DES scheme Encryption Detail Initial and Final Permutations The input to the algorithm is an 8-bit block of plaintext, which we first permute using the IP function:
- 53. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 52 This retains all 8 bits of the plaintext but mixes them up. Consider the plaintext to be 11110011. Permuted output = 10111101 At the end of the algorithm, the inverse permutation is used: The Function fk The most complex component of S-DES is the function fk, which consists of a combination of permutation and substitution functions. The functions can be expressed as follows. Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to fk, and let F be a mapping (not necessarily one to one) from 4-bit strings to 4-bit strings. Then we let We now describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first operation is an expansion/permutation operation: e.g., R= 1101 E/P output = 11101011 It is clearer to depict the result in this fashion
- 54. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 53 The 8-bit sub key K1 = (k11, k12 12, k13 13, k14 14, k15 15, k16 16, k17 17, k18) is added to this value using exclusive-OR: The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to produce a 2- bit output, and the remaining 4 bits (second row) are fed into S1 to produce another 2-bit output. These two boxes are defined as follows: The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit number that specify a row of the S-box, and the second and third input bits specify a column of the S- box. The entry in that row and column, in base 2, is the 2-bit output. For example, if (p0,0 p0,3) = ) (00) and ( p0,1 p0,2) = (10), then the output is from row 0, column 2 of S0, which is 3, or (11) in ) binary. Similarly, (p1,0 p1,3) and ( p1,1p1,2) are used to index into a row and column of S1 to produce an additional 2 bits. Next, the 4 bits produced by S0 and S1 undergo a further permutation as follows: The output of P4 is the output of the function F.
- 55. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 54 QUESTION BANK –NETWORK SECURITY UNIT-2 MAY/JUNE 2010 1. In S-DES, 10-bit key is “1010000010”.find the sub keys K1 and K2. If 𝑃10= 3 5 2 7 4 10 1 9 8 6 𝑃8 = 6 3 7 4 8 5 10 9. [MAY/JUNE -2010 (06M)] 2. With a neat diagram, explain the single round of DEC encryption. [MAY/JUNE -2010 (08M)] 3. Discuss the evaluation criteria of AES. [MAY/JUNE -2010 (06M)] 4. Encrypt the plain text “SECURITY” using Hill cipher with the key 7 8 19 3 . [MAY/JUNE - 2010 (08M)] DEC – 2010 1. Encrypt the message “we will meet tomorrow” using Playfair cipher with a key “STORY”. Give the rules for encryption. [DEC-2010(10M)] 2. With a schematic diagram, explain the S-DES encryption and decryption process, highlighting the key generation phase. [DEC-2010(10M)] 3. Explain the counter mode of block cipher. What are its advantages? [DEC-2010(10M)] 𝐉𝐔𝐍𝐄/𝐉𝐔𝐋𝐘 − 𝟐𝟎𝟏𝟏 1. Encrypt the plain text “MONDAY” using Hill cipher with the key 9 4 5 7 . Show your calculation and cipher text. [Hint: a=0, b=1 …… z = 25] [JUNE/JULY− 2011(8M)] 2. Draw the single round of DES algorithm and explain the process. [JUNE/JULY− 2011(10M)] 3. Describe the block cipher modes of operation in details. [JUNE/JULY− 2011(10M)] DEC-2011 1. Explain block cipher design principles. [DEC-2011(8M)] 2. In S-DES, the plain text is 11110010 and key is 1011100110. Find cipher text. [DEC- 2011(8M)] 3. Explain the strength of DES. [DEC-2011(4M)] JUNE-2012 1. Explain the operation of Caesar cipher with an algorithm. Derive the cipher with an algorithm. Derive the cipher text using caser cipher for the following plain text message “WORK IS WORSHIP”. [JUNE-2012 -6M]
- 56. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 55 2. with a block diagram. Explain Feistel encryption and decryption algorithm. [JUNE-2012 - 10M] 3. Write a note on one-time pad. [JUNE-2012 -4M] 4. With a block diagram, explain DES encryption and key generation technique. [[JUNE- 2012 -10M] DEC-2012 1. With a neat diagram, explain the single round DES encryption. [DEC-2012(10M)] 2. Encrypt the plaintext “CRYPTOGRAPHY” using Hill cipher technique. Key K= 9 4 5 7 . [DEC-2012(10M)] JUNE/JULY-2013 1. Explain the working of the Playfair cipher with an example. [JUNE/JULY-2013(10M)] 2. Distinguish block cipher and stream cipher with examples. [JUNE/JULY-2013(8M)] 3. Explain block cipher design principles. [JUNE/JULY-2013(8M)] 4. Briefly describe about steganography. [JUNE/JULY-2013(4M)] DEC-2013 / JAN-2014 1. Define the terms cryptography and steganography.[ DEC-2013 / JAN-2014 (4M)] 2. Encrypt the message “ACT” using the Hill Cipher key K= 6 24 1 13 16 10 20 17 15 . And also the calculations for the corresponding decryption of the cipher text to recover original plain text 𝐾−1 = 8 5 10 21 8 21 21 12 8 . [DEC-2013 / JAN-2014 (10M)] 3. With the help of a block diagram, explain the overall structure of the S-DES. Explain the role of sub key generation with suitable analysis. [DEC-2013 / JAN-2014 (10M)] DEC-2014/JAN-2015 1. Encrypt the plain text “Hard work” using hill cipher with the key 7 8 19 3 . [DEC - 2014/JAN-2015 (8M)] 2. With a neat diagram, explain the single round of DEC encryption. [DEC-2014 / JAN-2015 (8M)] 3. In S-DES 10 bit key is 1000100010. Find the sub key K1 and K2 if 𝑃10= 3 5 2 7 4 10 1 9 8 6 𝑃8 = 6 3 7 4 8 5 10 9. [DEC-2014/JAN-2015 (8M)]
- 57. NETWORK SECURITY 10EC832 Dept. of ECE, BGSIT, BG Nagara, Mandya Page 56 4. Explain in brief the evaluation criteria of AES. [DEC-2014 / JAN-2015 (8M)] DEC-2015/JAN-2016 1. Encrypt the message “ELECTRONICS” using Playfair cipher with a key “INDIA”, also give the rules for encryption. [DEC-2015/JAN-2016 (10M)] 2. Encrypt the plain text “HAND” using hill cipher with the key = 5 8 17 3 . Also decrypt it and verify the encryption and decryption text. [DEC-2015/JAN-2016 (10M)] 3. In S-DES, 10-bit key is “1010000010”.find the sub keys K1 and K2. If 𝑃10= 3 5 2 7 4 10 1 9 8 6 𝑃8 = 6 3 7 4 8 5 10 9. [DEC-2015/JAN-2016 (10M)] 𝐉𝐔𝐍𝐄/𝐉𝐔𝐋𝐘 − 𝟐𝟎𝟏𝟕 1. Encrypt the plain text “HELLO” Using the play fair cipher with the key “EXAM”. [JUNE/ JULY− 2017 (8M)] 2. Explain the operation of caser cipher with an algorithm. Derive the cipher text using caser cipher for the following plain text message with key length K=3, “logic”. [JUNE/JULY− 2017 (6M)] 3. Explain the single round of DES – encryption model. [JUNE/JULY− 2017 (6M)]