Cryptography and Network Security
TECH 6350 Session 2: Confidentiality – Symmetric Encryption
Manuel Mogollon
[email protected]
Graduate School of Management, Information Assurance
University of Dallas

Session 2 – Contents
• Types of Crypto Systems
  — Symmetric Encryption
    – Stream Cipher
    – Block Cipher Systems
  — Asymmetric Encryption
• Basic Theory of Enciphering
• Shift Registers
  — Linear Shift Registers
  — Non-Linear Combinations of LFSR Devices
• Key Generators
• Block Ciphers
  — Data Encryption Standard (DES) (FIPS 46-3)
  — Modes of Operation (FIPS 81)
  — Triple DES (FIPS 46-3 and ANSI X9.52)
  — Advanced Encryption Standard (AES)

Slide navigation: Encryption Systems | Stream Ciphers | Shift Registers | DES | AES | Block Cipher Modes of Operation
M. Mogollon – 01/08

Slide 1: What is Confidentiality?
• Confidentiality: protection against unauthorized individuals reading information that is supposed to be kept private. Confidentiality is achieved by enciphering the information using encryption algorithms.

Slide 2: Confidentiality and its Security Mechanisms
Confidentiality (protection of data from unauthorized disclosure) is provided by encryption algorithms:
  — Symmetric
    – Stream Ciphers: synchronous (e.g., RC4, or a block cipher in OFB mode) and self-synchronous (e.g., a block cipher in CFB mode)
    – Block Ciphers: DES, 3DES, AES, MARS, RC5, CAST, Blowfish, IDEA
  — Asymmetric (Public Key): RSA, ElGamal, Schnorr, Pohlig-Hellman, ECC

• Confidentiality and security are not the same.
• Confidentiality – protection of information to ensure that it is not disclosed to unauthorized audiences.
• Security – protection of systems, resources, and information from unintended and unauthorized access or misuse.

Slide 3: Types of Crypto Systems
• Symmetric Cryptography – Secret Key
  — A single key serves as both the encryption and the decryption key.
  — Initial arrangements need to be made for individuals to share the secret key.
  — Stream Ciphers and Block Ciphers (DES, AES)
• Asymmetric Cryptography – Public Key
  — One key is used to encipher and another to decipher.
  — Privacy is achieved without having to keep the enciphering key secret, because a different key is used for deciphering.
  — Pohlig-Hellman, Schnorr, RSA, ElGamal, and Elliptic Curve Cryptography (ECC) are popular asymmetric crypto systems.

• Essentially, there are two main types of modern crypto systems: symmetric and asymmetric encryption.
• The type of crypto system in which the enciphering and deciphering keys are the same is called symmetric (i.e., secret key) encryption. The system is analogous to having a box with a lock on it that can be locked and unlocked with the same key.
• An asymmetric crypto system uses a pair of keys, mathematically related but different, to encipher and decipher messages. With RSA, a message encoded with either one of the keys can be decoded by the other; this property does not hold for every asymmetric algorithm, where one key of the pair enciphers and the other deciphers. It is possible to make one of the keys public; the other one must be kept secret.

Slide 4: Symmetric Key Crypto System
[Diagram: Plaintext ("As the market requirements for secure products has exponentially increased, our strategy will be to ...") → Encryption Algorithm, Encipher, under the Secret Key → Ciphertext (random-looking characters) → Encryption Algorithm, Decipher, under the same Secret Key → Plaintext]

• Security is based on the secret key, not on the encryption algorithm.
• The sharing of secret keys is necessary.
• Strengths: fast; good for encrypting large amounts of data.
• Weakness: key delivery.
• There are two types of symmetric crypto systems: stream ciphers (RC4) and block ciphers (DES, AES, RC5, CAST, IDEA).

• If a number of individuals wish to send secure information, symmetric cryptosystems require that initial arrangements be made for the individuals to share a unique secret key. The key must be distributed to the individuals via some secure, protected means to ensure key confidentiality and integrity. Knowledge of the enciphering key implies knowledge of the deciphering key and vice versa.
• In order to establish the secure channel, it is necessary to deliver the secret key to the individuals using a protected medium such as a courier. Of course, transporting the key in this way is risky, troublesome, slow, and expensive. In addition, two users that have not exchanged a secret key cannot send each other secure messages, because they first have to agree on a secret key.

Slide 5: Asymmetric Key Crypto System (Public Key Algorithm)
[Diagram: Plaintext → Encryption Algorithm, Encipher, with one key (the public key) → Ciphertext → Encryption Algorithm, Decipher, with another key (the private key) → Plaintext]

• Public key encryption involves two mathematically related keys.
• Either key can be used to encipher.
• One of the keys can be made public and the other kept private.
• Strengths: no key delivery issues; can be used for non-repudiation.
• Weakness: slow, inefficient for large amounts of data, computationally expensive.
• Algorithms: RSA, ElGamal, Schnorr, Pohlig-Hellman, El Gamal, Elliptic Curve Cryptography.
• Used mainly for key exchange or digital signatures.

• In their paper "New Directions in Cryptography," Diffie and Hellman (1976) proposed a new kind of cipher system in which the enciphering and deciphering keys are related but different: one is made public, while the other is kept private. This type of crypto system is called asymmetric, since one key pair provides encryption in only one direction; a second pair of keys is needed to communicate in the other direction. Once the two mathematically related keys are calculated, there is no computationally feasible way to find out the private key from the public key. Asymmetric public cryptosystems allow two users to communicate securely over an insecure channel without any key prearrangement.
• The system is analogous to having a box with two locks on it: the key used to lock can be given to anyone (it is public), and another key, used to unlock, is kept secret. The public key (to lock the box) is different from the secret key (to unlock the box), and there is no way to find out the secret key from the public key. If a person wants to receive a secure message, he can send an open box and the key to lock the box. The person who receives the box places the message inside it and locks it using the "lock" key. The box with the message already inside is sent back to the recipient, who opens the box using the "unlock" key.

Slide 6: Stream Ciphers
• Plaintext is broken up into successive bits, and each one is enciphered with a bit from a keystream.
• If the keystream repeats itself after p characters, the stream cipher is periodic; otherwise, it is non-periodic.
• Types of Stream Ciphers
  — Synchronous stream cipher
  — Self-synchronous stream cipher

[Diagram: a one-time key pad, drawn as a wheel whose compartments hold the keystream bits]

• Stream ciphers can be synchronous or self-synchronous (Denning, 1983). In a stream cipher, plaintext is broken into successive bits, and each one is enciphered with a bit from a keystream produced by a key generator. If the keystream repeats itself after p characters, the stream cipher is periodic; otherwise, it is non-periodic. The Vernam cipher (one-time pad) and running-key ciphers are non-periodic.
• It is like a wheel with a lot of compartments. Depending on the secret key, the compartments are filled with 0s and 1s.

Slide 7: Stream Cipher Encryption Using Modulo-2 Addition
[Diagram: Plaintext + Key Stream → Modulo-2 Adder (Encipher) → Ciphertext; Ciphertext + Key Stream → Modulo-2 Adder (Decipher) → Plaintext]

Modulo-2 adder: 1 + 0 = 1, 0 + 1 = 1, 1 + 1 = 0, 0 + 0 = 0

Enciphering
  Plaintext    10011000101000110
  Keystream    10110011100100011
  Ciphertext   00101011001100101

Deciphering
  Ciphertext   00101011001100101
  Keystream    10110011100100011
  Plaintext    10011000101000110

• Stream cipher crypto machines use a keystream, also called running key, to transform the plaintext into ciphertext. The set of rules used by the cipher system to mix the plaintext information with the keystream in order to obtain the ciphertext is called the encryption algorithm. We will use a stream cipher system to explain the basics of enciphering and deciphering.
• The keystream can be produced by a random noise (one-time tape) generator or by a pseudorandom bit generator. The one-time tape cannot be reproduced, and it needs to be delivered to the receiving side. The pseudorandom bit generator has the properties of random noise and can be duplicated at the receiving unit if both the sending and receiving units use the same cryptographic variables. If the keystream is obtained from shift registers, the inputs or initial states of the shift registers on the transmitting and receiving sides need to be the same.
• To encipher a plaintext, a sequence of 1s and 0s, each bit of the plaintext is modulo-2 added to one bit from the keystream to get the ciphertext. At the receiving side, the ciphertext is again modulo-2 added to the same keystream to obtain the plaintext. If the two keystream sequences are not exactly the same, the message will not be deciphered correctly, because the recovered text will differ from the original plaintext.

Slide 8: Symmetric Key Stream Cipher (Synchronous)
[Diagram: on each side, Cryptographic Variables (CV) and an Initialization Vector (IV) are loaded into a Key Generator that produces the Key Stream; the two key generators are kept in synchronization. Plaintext + Key Stream → Modulo-2 Adder (Encipher) → Ciphertext; Ciphertext + Key Stream → Modulo-2 Adder (Decipher) → Plaintext]

• Keystream generated independently of the cleartext or ciphertext.
• Crypto variable and initialization vector required.
• Periodic keystream.

• Plaintext is broken into successive bits, and each one is enciphered with a bit from a keystream produced by a key generator.
• In a synchronous stream cipher, the keystream is generated independently of the clear or cipher text. The cipher adds modulo-2 the plaintext to the keystream output of the key generator. The deciphering process is also the modulo-2 addition of the keystream to the ciphertext.
• Since the key generator algorithm is fixed, a variable keystream is obtained by varying the cryptographic variables, which are loaded by the user. The Initialization Vector (IV), also called random seed, is the randomly generated variable which causes each cryptographic session to start at a different point in the keystream.
• The initialization vector/random seed (IV) is normally generated by the transmitting cipher machine and then transmitted to the receiving unit in clear. This cleartext transmission does not compromise the system's security because both sender and receiver use a shared secret method (H*) to transform the publicly known random seed into a secret H*(IV) called the message key. The transmitting and receiving machines load the message key into the key generator as part of the crypto synchronization. Normally, the transmitting and the receiving machines know the random seed (IV) just before the communication session begins.
• If the units lose synchronization, they must reinitialize, i.e., begin a new communication session with a new initialization vector. For security reasons, the keystream should be different for each session; this is achieved by having a different message key each time the unit synchronizes. If the same message key were used twice, the two ciphertexts would be enciphered under the same keystream, and modulo-2 adding them would cancel the keystream and expose the modulo-2 sum of the two plaintexts.
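The synchronous scheme above, as an added example that is not part of the original slides. The slides do not say what H* or the key generator are, so two stand-ins are assumed here: HMAC-SHA256 keyed with the crypto variable plays H*, and SHAKE128 plays the pseudorandom bit generator. The last function shows why the message key must never repeat: with the same CV and IV, modulo-2 adding two ciphertexts cancels the keystream.

```python
import hashlib
import hmac
import os


def message_key(cv: bytes, iv: bytes) -> bytes:
    """H*(IV): both units derive the secret message key from the shared CV and the public IV.
    Assumption: HMAC-SHA256 keyed with the CV plays the role of the secret method H*."""
    return hmac.new(cv, iv, hashlib.sha256).digest()


def keystream(mk: bytes, nbytes: int) -> bytes:
    """Key generator: expands the message key into nbytes of keystream.
    Assumption: SHAKE128 stands in for the pseudorandom bit generator of the slides."""
    return hashlib.shake_128(mk).digest(nbytes)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Modulo-2 addition, byte by byte (stops at the shorter input)."""
    return bytes(x ^ y for x, y in zip(a, b))


def encipher(cv: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(message_key(cv, iv), len(plaintext)))


decipher = encipher     # modulo-2 addition of the same keystream undoes itself


def transmit(cv: bytes, plaintext: bytes):
    """Transmitting unit: a fresh random IV per session, sent in clear next to the ciphertext."""
    iv = os.urandom(16)
    return iv, encipher(cv, iv, plaintext)


def keystream_reuse_leak(cv: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """What a passive eavesdropper computes when two messages were sent under the same
    CV and IV: c1 xor c2 = p1 xor p2. The keystream cancels and no key is needed."""
    c1 = encipher(cv, iv, p1)
    c2 = encipher(cv, iv, p2)
    return xor_bytes(c1, c2)
```

Knowing (or guessing) one of the two plaintexts then yields the other directly, which is why a synchronous stream cipher is only as safe as its guarantee that no IV repeats under one crypto variable.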
Slide 9: Bit Flip and Missing Bits

Modulo-2 adder: 1 + 0 = 1, 1 + 1 = 0, 0 + 1 = 1, 0 + 0 = 0

Enciphering (both cases)
  Plaintext    10011000101000110
  Keystream    10110011100100011
  Ciphertext   00101011001100101

Left side: a bit is not received correctly (bit flip in the first position)
  Ciphertext   10101011001100101
  Keystream    10110011100100011
  Plaintext    00011000101000110

Right side: a bit is missing (the sixth ciphertext bit is lost)
  Ciphertext   0010111001100101
  Keystream    10110011100100011
  Plaintext    10011101111101000

Effects of Bit Errors on Reception
• In the left-side example, let's suppose that the first bit of the ciphertext is not received correctly (bit flip); for example, instead of a 0 we received a 1. It can be seen that the only difference between the plaintext and the deciphered text is the first bit; the rest of the bits are the same. When the receiver's crypto unit gets a bad ciphertext bit, it will not interfere with the deciphering of the next ciphertext bit. In a message communication, one character will be incorrectly deciphered, and in a voice communication, only a hiss or a click will be heard.

Effect of Missing Bits during Reception
• When one bit is missed (right-side example), the keystream is offset: the deciphered text after the missing bit no longer matches the original plaintext and is garbled. The first five deciphered bits agree with the plaintext, but from then on the output goes awry.
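Slides 7 and 9 together, as an added example that is not part of the original slides: the modulo-2 stream cipher run over the slides' own bit strings, followed by the two reception faults. The bit strings are copied from the slides; the function names are this example's own.

```python
PLAINTEXT = "10011000101000110"   # bit strings copied from the slides' worked example
KEYSTREAM = "10110011100100011"


def xor_bits(a, b):
    """Modulo-2 add two bit strings position by position; stops at the shorter one."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


encipher = xor_bits      # ciphertext = plaintext xor keystream
decipher = xor_bits      # plaintext  = ciphertext xor keystream, the same operation


def flip_bit(bits, i):
    """Transmission error: bit i arrives inverted."""
    return bits[:i] + ("0" if bits[i] == "1" else "1") + bits[i + 1:]


def drop_bit(bits, i):
    """Transmission error: bit i is lost, so every later bit moves up one position."""
    return bits[:i] + bits[i + 1:]


def wrong_positions(recovered, expected):
    """Indexes where the deciphered bits differ from the plaintext that was sent."""
    return [i for i, (r, e) in enumerate(zip(recovered, expected)) if r != e]


def bit_flip_effect(position=0):
    """Slide 9, left side: one bad ciphertext bit gives exactly one bad plaintext bit."""
    c = encipher(PLAINTEXT, KEYSTREAM)
    return wrong_positions(decipher(flip_bit(c, position), KEYSTREAM), PLAINTEXT)


def missing_bit_effect(position=5):
    """Slide 9, right side: after a lost bit the keystream is offset, so the rest is garbled."""
    c = encipher(PLAINTEXT, KEYSTREAM)
    return wrong_positions(decipher(drop_bit(c, position), KEYSTREAM), PLAINTEXT)
```

The same property that keeps a bit flip from propagating also means an active attacker can invert any chosen plaintext bit by inverting the matching ciphertext bit, without knowing the key; a stream cipher therefore needs an integrity check alongside it.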
Slide 10: Self-Synchronous Stream Cipher

[Diagram: Cryptographic Variables (CV) → Key Generator, whose input is an N-bit feedback shift register loaded with the last N ciphertext bits → Key Stream; Plaintext + Key Stream → Ciphertext (Encipher). The receiver feeds the same N ciphertext bits into its own key generator → Key Stream; Ciphertext + Key Stream → Plaintext (Decipher)]

• Keystream is a function of the ciphertext.
• Allows late entry.
• Non-periodic keystream.

• In a self-synchronous stream cipher, also called Ciphertext-Auto-Key (CTAK), part of the ciphertext is continuously fed back into the key generator. Consequently, each bit of the keystream depends on a fixed number n of ciphertext bits, n being the length of the feedback shift register used. The key generator's keystream is a function of the ciphertext.
• There is no real need for an initialization vector (IV). The sender unit starts transmitting ciphertext and, after just n incorrectly deciphered bits, the receiving unit begins deciphering the traffic correctly; the system is self-synchronizing. In broadcast communications, it is not necessary to be listening from the beginning of a communication session to decipher correctly the last parts of the message: late entry is possible.
• The CTAK stream cipher makes it hard for an active wiretapper (spoofer) to alter a segment of the ciphertext bitstream unnoticed. When the spoofer changes k bits in the ciphertext, the n-bit error propagation garbles n + k deciphered bits; on average, half of those deciphered bits will be incorrect. If this is not normal in the communications environment in which the cipher system is operating, the receiver will suspect that spoofing has occurred.
• The self-synchronization and authentication characteristics of CTAK self-synchronous stream ciphers are very attractive because they make the key generator design much less complicated than the synchronous stream cipher, and their features are widely used for message verification.
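The CTAK mechanism above, as an added example that is not part of the original slides. The slides do not specify the key generator logic, so it is assumed here to be a keyed BLAKE2b hash of the n-bit ciphertext register, and n = 8 is an arbitrary choice for the demonstration. The functions show the two properties claimed on the slide: a receiver that joins late is in step after n bits, and a k-bit alteration garbles at most n + k deciphered bits.

```python
import hashlib

N = 8   # length of the ciphertext feedback register (assumption: 8 bits)


def keystream_bit(cv: bytes, register: str) -> int:
    """Key generator: one keystream bit from the crypto variable and the last N ciphertext bits.
    Assumption: a keyed BLAKE2b stands in for whatever logic a real unit uses."""
    digest = hashlib.blake2b(register.encode(), key=cv, digest_size=1).digest()
    return digest[0] & 1


def encipher(cv: bytes, plaintext_bits: str) -> str:
    register, out = "0" * N, []          # both sides start from an all-zero register; no IV
    for p in plaintext_bits:
        c = int(p) ^ keystream_bit(cv, register)
        out.append(str(c))
        register = register[1:] + str(c)  # the ciphertext bit, not the plaintext bit, is fed back
    return "".join(out)


def decipher(cv: bytes, ciphertext_bits: str, register: str = "0" * N) -> str:
    """`register` is whatever the receiver happens to hold; after N correct ciphertext
    bits it equals the sender's register, whatever it held before."""
    out = []
    for c in ciphertext_bits:
        out.append(str(int(c) ^ keystream_bit(cv, register)))
        register = register[1:] + c
    return "".join(out)


def late_entry(cv: bytes, ciphertext_bits: str, start: int) -> str:
    """A receiver that tunes in at bit `start` with a cold (all-zero) register."""
    return decipher(cv, ciphertext_bits[start:])


def garbled_positions(cv: bytes, ciphertext_bits: str, plaintext_bits: str):
    """Indexes at which the receiver's output differs from the sender's plaintext."""
    recovered = decipher(cv, ciphertext_bits)
    return [i for i, (r, p) in enumerate(zip(recovered, plaintext_bits)) if r != p]


def flip_bits(bits: str, positions) -> str:
    """Spoofer: invert the ciphertext bits at the given positions."""
    out = list(bits)
    for i in positions:
        out[i] = "1" if out[i] == "0" else "0"
    return "".join(out)


def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))
```

Per-bit hashing is far too slow for real traffic; the point is the feedback structure, which is what gives both late entry and the bounded error burst.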
Slide 11: Perfect Crypto System

• From the theoretical point of view, the only system that offers perfect secrecy is the one in which the keystream is
  — totally random,
  — infinitely long,
  — and used only one time.
• A perfect crypto system is achieved only with Vernam's cipher, the one-time key, in which the keystream is random, is at least as long as the message, and is used only one time.
• However, Vernam's cipher system is not widely used because of the following problems:
  — The length of the key is as long as the plaintext and can be cumbersome.
  — There is an immense volume of key material that needs to be sent to the receiver.
  — The cryptographer needs to find a safe way of letting the recipient know the key that was used to encipher the message.

• In today's communications, there is a great volume of traffic, and the number of messages sent and received in any corporation, army, or branch of government is immense. If a one-time key system is used, a great deal of equipment and resources are necessary to ensure that each keystream sequence is used only once. This is the reason why a one-time key system is only used for top-secret messages in high-level strategic communications.
• Several mathematicians and cryptologists have proven that Vernam's cipher, the one-time pad, is unbreakable. As a result, many cryptographers believed that if they could emulate the one-time key system in some way, without the key management problems mentioned before, they would have a system with a guaranteed high level of security. Vernam's conditions led to the introduction of the keystream generator, most commonly known as key generator, which emulates the conditions for perfect secrecy.

Slide 12: Perfect Key Generator
[Diagram: a perfect key generator would offer an infinite number of crypto variables (keys), a random keystream, an infinite cycle length, random starting places (message key / initialization vector) and fail-safe alarms. Its real-world approximation is a key generator loaded with a key variable that produces a pseudorandom keystream with a very long cycle length, started at a random position in that cycle]

• Infinite number of crypto variables (keys); in practice a key of 56, 64, 128, 256, 512, 1024 or 2048 bits
• Random keystream
  — In practice, a pseudorandom keystream that is random for all statistical tests, but which can be recreated by the same type of key generator when the same crypto variables are loaded in both key generators.
• Infinite cycle length
• Random starting places (message key, initialization vector)
  — With many different message keys (starting positions in the key generator), the probability that the key used to encipher a message is used only one time is very high. This is one of the most important of Vernam's conditions for a perfect keystream.
• Fail-safe alarms

• The following are some of the characteristics of a perfect key generator, if one could be built:
  1. Infinite Number of Crypto Variables (Keys). In order to maintain the highest level of security, a different key would be used to encipher each message. Therefore, the perfect key generator would have an infinite number of keys from which to choose.
  2. Completely Random Keystream. Ideally, the keystream from a perfect key generator would be completely random, such as the output of a white noise generator. The value of this concept lies in the inability to recreate exactly the same keystream.
  3. Infinite Cycle Length. Each keystream of the perfect key generator would be infinitely long to ensure that the keystream in use would never repeat itself.
  4. Random Starting Places. The perfect key generator would never start enciphering a message with a portion of the keystream already used to encipher a previous message. To prevent this occurrence, the key generator would start at a different place on its infinitely long cycle length each time a new message was enciphered.
  5. Fail-Safe Alarms. An alarm system would be present to prevent any transmissions if the key generator fails.
• In the real world, a key generator is very close to being perfect by having the following characteristics and advantages:
  1. Code-Setting Control. A code-setting control actually changes the generated keystream; thus, two identical devices can "talk to each other" only if they have the same code setting or crypto variables. A good key generator should have more than 10^80 crypto variables.
  2. Pseudorandom Keystream. A completely random keystream would be impractical because it could not be recreated and, thus, could not be deciphered. A more practical unit would be a key generator that produces a pseudorandom keystream that is random for all statistical tests, but which can be recreated, by the same type of key generator, when the same crypto variables are loaded into both key generators.
  3. A Very Long Cycle Length. A cycle period of more than 10^90 is satisfactory.
  4. Random Starting Places. By randomizing the starting position for the enciphering sequence, the keystream is changed for every single message. This concept is called message key or initialization vector (IV). With many different message keys (starting positions in the key generator), the probability that the key used to encipher a message is used only one time is very high. This is one of the most important of Vernam's conditions for a perfect keystream. In some crypto systems, the IV size is the same as the block size; e.g., for AES in the IV-based modes of operation the IV is 128 bits. Note that "very high" is not "certain": a message key that repeats under the same crypto variables reuses the keystream, which is precisely the condition the one-time key forbids, so IVs must be generated so that they never repeat under one key.
  5. Fail-Safe Alarms. Most key generators employ an alarm system to monitor their own operation to prevent transmission if a failure is detected.

Slide 13: Linear Shift Register
Advantages
• They produce sequences of 1s and 0s.
• Identical shift registers with the same initial input behave alike and produce exactly the same outputs.
• They easily produce long cycles.
• Their outputs are statistically balanced.
• They have well known properties.

Disadvantages
• They are described by a single recursion equation.
• In the initial starting condition, all zeros must be avoided to prevent collapse. Setting at least one of the stages to 1 prevents this problem.
• Improper selection of the feedback taps may not produce maximum length periods.
• Previous stages are easily calculated.

• As mentioned before, information written in binary digits can be enciphered by XORing the plaintext and keystream. An electrical-noise random bit generator could be used to generate a stream sequence of 1's and 0's, with the great advantage that it is totally random; however, since the sequence cannot be reproduced, the keystream must be sent to the receiver to decipher the message. This situation would lead back to the key management problem of Vernam's cipher, the one-time key system.
• A shift register, implemented as a pseudorandom sequence generator, generates the same keystream sequence used to encipher and decipher information. Key generators based on shift registers generate the sequence using only 1's and 0's, the sequence looks random, and slight modifications to the shift register generate different sequences or keystreams.
• Shift registers are devices consisting of n consecutive two-state memory-storage units (usually flip-flops). These registers are connected so that the state of each stage can be transferred to its neighbor to the immediate left or right under the control of a single clock signal.
• An n-stage shift register consists of n consecutive storage or memory units regulated by a clock signal. Each storage unit stores a 1 or a 0. At each clock signal, the state (1 or 0) of each memory stage is shifted to the next stage in line.
• The first and last disadvantages above are the ones that matter for security: because the recursion is linear, a short run of keystream (on the order of 2n bits for an n-stage register) is enough to solve for the feedback taps and the register contents and then reproduce the entire sequence. A linear shift register is therefore never used on its own as a key generator; later slides combine several of them non-linearly.

Slide 14: Linear Feedback Shift Registers (LFSR)
[Diagram: stages S1, S2, S3, ..., S(n-1), Sn of an n-stage shift register; each stage Si feeds a modulo-2 adder through a switch Ci, and the adder output is fed back into stage S1]

The polynomial f(x) of any shift register, called the characteristic polynomial, is the sum of the terms $C_i x^i$ for which stage $S_i$ is fed back into the modulo-2 adder:

$$f(x) = \sum_{i=0}^{n} C_i x^i = 1 + C_1 x + C_2 x^2 + C_3 x^3 + \dots + C_{n-1} x^{n-1} + x^n$$

• The shift register can be kept active during a longer period by including a feedback loop, which computes a new term for the first stage based on the states of certain other stages. To compute the new state (1 or 0) for the first stage, AND, OR, and XOR gates (or a combination of them) are used. Linear shift registers use only XOR gates.
• The term Linear Feedback Shift Register (LFSR) is used to refer to a shift register with an XOR function and a feedback line; shift register sequence is used to refer to the output, which is normally taken from the last stage but can be taken from any stage.
• A shift register can be represented using the characteristic polynomial shown above.
• Each of the feedback coefficients $C_i$ is either 1 when the feedback is connected or 0 when it is disconnected. The symbol ⊕ denotes addition modulo 2. $C_n = 1$ means that the last feedback switch is always connected; otherwise, the last stage is not used. $C_0 = 1$ since the new computed term is always loaded into the first stage. The characteristic polynomial is expressed as a modulo-2 addition in which each feedback coefficient $C_i$ is 1 or 0.
• Polynomial notation is a very convenient way to represent LFSRs. For example, the vector 1 1 0 1 1 0 0 0 1 may be represented as $f(x) = x^0 + x^1 + x^3 + x^4 + x^8$, where the first bit, reading from left to right, is the coefficient of $x^0$. The polynomial f(x) of any shift register, called the characteristic polynomial, can be determined as the sum of the values of $C_i x^i$ for which the $S_i$ stage is fed back into the modulo-2 adder.

Slide 15: Shift Register Theory
[Diagram: a four-stage shift register with stages x^1, x^2, x^3, x^4; stages 1 and 4 are modulo-2 added and fed back into stage 1. Starting from 0 0 0 1, the first steps shown are 1 0 0 0 (step 1), 1 1 0 0 (step 2), 1 1 1 0 (step 3), 1 1 1 1 (step 4)]

Modulo-2 adder: 1 + 0 = 1, 1 + 1 = 0, 0 + 1 = 1, 0 + 0 = 0

Characteristic polynomial of a shift register (general form): $f(x) = 1 + x + x^2 + x^3 + \dots + x^{n-1} + x^n$
Characteristic polynomial of this register: $f(x) = 1 + x + x^4$

Maximum length of a four-stage shift register:
  Period = 15 = $2^4 - 1$
  Number of "ones" = $2^{4-1}$ = 8
  Number of "zeros" = $2^{4-1} - 1$ = 7

Clock    State      Clock    State
(init)   0001       10       0110
1        1000       11       0011
2        1100       12       1001
3        1110       13       0100
4        1111       14       0010
5        0111       15       0001
6        1011       16       1000
7        0101       17       1100
8        1010       18       1110
9        1101

• In the four-stage linear shift register, stages 1 and 4 are tapped and modulo-2 added, with the result being fed back to stage 1. The state diagram shows the initial state and the sequence of successive states of the shift register.
• At the fifteenth clock signal, the state of the shift register returns to the initial state and starts repeating itself. It can be said that the sequence is periodic with a period of $p = 15 = 2^4 - 1$. Because all possible binary vectors of length 4, except 0000, occur in the shift register, it is possible to say that $p = 15 = 2^4 - 1$ is the maximum length of a four-stage shift register.
• The shift register sequence is the output of the shift register, which can be taken from any of the stages. If the output is taken from the fourth stage (reading the table from clock 1 on), the sequence will be the following: 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1.
• Note that the sequence starts repeating itself after the 15th bit, whichever stage the output sequence is taken from. Also, in the output sequence of any of the stages, there is one more one than zeros: in this case, eight 1's and seven 0's. This is the balance property of maximum-length sequences, which have $2^{n-1}$ ones and $2^{n-1} - 1$ zeros per period.

Slide 16: Shift Register Theory (continued)
Modulo-2 adder: 1 + 0 = 1, 1 + 1 = 0, 0 + 1 = 1, 0 + 0 = 0

Left example: $f(x) = 1 + x^2 + x^4$ (stages 2 and 4 fed back into stage 1)

Initial state 0001            Initial state 1011
Clock    State                Clock    State
(init)   0001                 (init)   1011
1        1000                 1        1101
2        0100                 2        0110
3        1010                 3        1011
4        0101
5        0010
6        0001

If an LFSR does not have maximum length, the initial conditions (the initial sequence loaded into the shift register) determine which sequence is generated and the period of that sequence.

Right example: $f(x) = 1 + x + x^2 + x^3 + x^4$ (all four stages fed back)

Clock    State
(init)   0001
1        1000
2        1100
3        0110
4        0011
5        0001

In any LFSR, the feedback connections determine whether the sequence will be maximum or not.

• In the left example, (1) when the initial state is 0 0 0 1, the sequence starts repeating itself after six clock signals; (2) when the initial state is 1 0 1 1, the period is 3; and (3) the characteristic polynomial $f(x) = x^0 + x^2 + x^4 = (1 + x + x^2)^2$ is reducible (that is, it can be factored). We may say that if the characteristic polynomial f(x) is reducible, the period depends on the initial conditions.
• In the LFSR on the right, the sequence starts repeating itself after five clock signals, and the period is not maximum; therefore, the length of a shift register sequence is not always $p = 2^n - 1$; the length depends on how the feedback taps are selected.
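The registers of slides 15 and 16, as an added example that is not part of the original slides. A characteristic polynomial is written as the set of its exponents (so {0, 1, 4} is $1 + x + x^4$), and the step function follows the slides' convention: the modulo-2 sum of the tapped stages enters stage S1 and everything else shifts toward Sn. The step function and helper names are this example's own.

```python
def lfsr_step(poly, state):
    """One clock: feedback = XOR of the tapped stages, then shift right by one."""
    feedback = 0
    for i in poly:
        if 0 < i <= len(state):          # exponent i means stage S_i is tapped
            feedback ^= state[i - 1]
    return (feedback,) + state[:-1]


def state_sequence(poly, init):
    """All states visited from `init` until the register returns to `init`."""
    init = tuple(init)
    states, state = [init], lfsr_step(poly, init)
    while state != init:
        states.append(state)
        state = lfsr_step(poly, state)
        if len(states) > 2 ** len(init):  # cannot happen when C_n = 1; guard anyway
            raise RuntimeError("register never returned to its initial state")
    return states


def period(poly, init):
    return len(state_sequence(poly, init))


def output_sequence(poly, init, stage=None):
    """The shift-register sequence read from `stage` (default: the last stage)."""
    n = len(init)
    stage = n if stage is None else stage
    return [s[stage - 1] for s in state_sequence(poly, init)]


def is_maximum_length(poly, n):
    """Period 2^n - 1 from one non-zero start means every non-zero vector is on the cycle."""
    return period(poly, (0,) * (n - 1) + (1,)) == 2 ** n - 1


def balance(bits):
    """(ones, zeros) in one period; an m-sequence has 2^(n-1) ones and 2^(n-1) - 1 zeros."""
    ones = sum(bits)
    return ones, len(bits) - ones


def state_table(poly, init):
    """Rows in the layout of the slides: '(init)  0001', '     1  1000', ..."""
    rows = []
    for clock, s in enumerate(state_sequence(poly, init)):
        label = "(init)" if clock == 0 else str(clock)
        rows.append(f"{label:>6}  {''.join(map(str, s))}")
    return rows


if __name__ == "__main__":
    print("\n".join(state_table({0, 1, 4}, (0, 0, 0, 1))))
    print("f = 1 + x + x^4, period:", period({0, 1, 4}, (0, 0, 0, 1)))
    print("f = 1 + x^2 + x^4, init 0001:", period({0, 2, 4}, (0, 0, 0, 1)))
    print("f = 1 + x^2 + x^4, init 1011:", period({0, 2, 4}, (1, 0, 1, 1)))
    print("f = 1 + x + x^2 + x^3 + x^4:", period({0, 1, 2, 3, 4}, (0, 0, 0, 1)))
```

Changing the initial state of the left register on slide 16 changes its period (6 or 3), while any non-zero start of the $1 + x + x^4$ register gives 15, which is what the slides mean by the feedback connections, not the initial state, deciding whether a sequence is maximal.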
Slide 17: Shift Register Properties

• A shift register produces sequences that depend upon the number of stages, feedback tap connections, and initial conditions.
• The succession of states in a shift register is periodic, with a period $p \le 2^n - 1$, where n is the number of stages. The value of p depends on the feedback coefficients, but a period of $2^n - 1$ can sometimes be achieved.
• A sequence generated by an n-stage shift register is said to have maximum length if its period is $p = 2^n - 1$. This maximum length holds no matter what the (non-zero) initial state of the shift register is. Also, if a shift register sequence has a period of $p = 2^n - 1$, then every possible binary vector (except all zeros) of length n occurs exactly once in each period.
• In any LFSR, the feedback connections determine whether the sequence will be maximum or not.
• In LFSRs with reducible characteristic polynomials (non-maximal sequences), the initial conditions (the initial sequence loaded into the shift register) determine which sequence is generated and the period of that sequence.

• Shift registers have some important properties when used as key generators; most of these properties have been mathematically proven.

Slide 18: Shift Register Properties (continued)
• If all the exponents of a polynomial are even, then the characteristic polynomial is reducible (over GF(2) it is the square of the polynomial with halved exponents), and it cannot have a maximum length sequence; e.g., the characteristic polynomial $f(x) = 1 + x^2 + x^4$ is reducible.
• If a shift register sequence has maximum length, its characteristic polynomial is irreducible; however, the converse of this property does not hold. There are irreducible polynomials which correspond to no maximum-length sequence.
• If the characteristic polynomial of an LFSR is primitive, the shift register sequence has maximum length.
• A maximum length sequence cannot be generated from a shift register that has an odd number of taps, because f(x) then has an even number of terms, so f(1) = 0 and f(x) is divisible by (x + 1) (the same as x − 1 in modulo-2 arithmetic).
• The number of ways to achieve maximum length ($p = 2^n - 1$) in an n-stage shift register is the number of primitive polynomials of degree n:

$$N_m(n) = \frac{\varphi(2^n - 1)}{n} \approx \frac{2^n}{n}$$

where $\varphi$ is Euler's totient function.

Slide 19: Shift Register Properties (continued)
• If a sequence has an irreducible characteristic polynomial of degree n, the period of the sequence is a factor of 2^n − 1, and it may or may not be maximum. The period is always the same, regardless of the initial state. However, if the maximal length, p = 2^n − 1, is prime, every irreducible polynomial of degree n corresponds to a shift register sequence of maximum length. When p = 2^n − 1 is prime, it is known as a Mersenne Prime.
• If a sequence has an irreducible characteristic polynomial of degree n, its maximum length does not depend on the initial conditions, except for the initial condition "all 0s."
• If a sequence has a primitive characteristic polynomial of degree n, its period is the smallest positive integer p for which the characteristic polynomial f(x) divides x^p − 1, modulo 2.
M. Mogollon – 01/08  20

20 Non-Linear Combination of LFSR Devices
[Diagram: a Key Generator built from three LFSRs loaded from an Initialization Vector. LFSR 1 has five stages (2^5 − 1 = 31), LFSR 2 four stages (2^4 − 1 = 15) and LFSR 3 three stages (2^3 − 1 = 7); their outputs are XORed to form the Key Stream, which is XORed with the Plaintext to give the Ciphertext.]
Maximum Length = 31 × 15 × 7 = 3255
Ml = (P1 × P2 × P3 × .... Pn) / (any common factors of P1, P2, P3, .... Pn)
Replace LFSR 1 by a six-stage SR: Maximum Length = 2^6 − 1 = 63, and (63 × 15 × 7) = (9 × 7) × (5 × 3) × 7, so Ml = (63 × 15 × 7) / (3 × 7) = 315
M. Mogollon – 01/08  21
• Golomb demonstrated that shift register sequences satisfy all three of his randomness properties. Shift registers are thus very good candidates to generate the sequences needed for stream ciphers. In the examples above, however, linear shift registers with periods p = 2^n − 1 have certain disadvantages: (1) the entire sequence is known once it has been determined how the feedback taps are connected; and (2) if the input is not changed before 2^n clock signals, the keystream reverts to its initial state and starts repeating the original sequence. By solving 2n independent equations involving the feedback coefficients and the initial states, a cryptanalyst would be able to obtain the entire sequence.
• Most key generators consist of several mostly maximum-length LFSRs whose output sequences are combined in a non-linear function F to produce the keystream. Some of the functions used to introduce some non-linearity into the keystream are multiple registers, dynamic interconnection between registers, stepping between registers, and random starting points.
• In the example presented in this diagram, three shift registers are used: one with five stages, another with four, and another with three, with their outputs XORed. Since the feedback taps in each of the shift registers have been selected so as to produce a maximum length, the combination of the three shift registers will produce a sequence that will start repeating itself, for S.R.1 ⊕ S.R.2 at 31 × 15 = 465, and for SR1 ⊕ SR2 ⊕ SR3 at 31 × 15 × 7 = 3255, or (2^5 − 1) × (2^4 − 1) × (2^3 − 1).
• Will there be a longer sequence if a shift register with a greater number of stages is used instead of the shift register with 5 stages? Perhaps not; for example, the maximum sequence obtained with shift registers that have periods of 63, 15, and 7 is 315 instead of (2^6 − 1) × (2^4 − 1) × (2^3 − 1) or 63 × 15 × 7 = 6615. Quite a difference! The reason is that when several shift registers are combined to produce a long sequence, the maximum length Ml of the sequence is equal to the formula shown above.

21 Gears and Shift Registers
When will the marked teeth return to their original position? 15, 31, 127
M. Mogollon – 01/08  22
• Establishing the similarity between shift registers and gears helps explain how to produce long sequences using small shift registers. In a gear with t teeth, one of the teeth of the gear is marked and the gear is rotated one step at a time; after t clock signals, the marked tooth will return to its original position. The period of the gear is the same as the number of teeth in the gear. But if two gears are used in which the numbers of teeth do not have any common factors (for example 127 and 31), then the period will be equal to 127 × 31 = 3937.
• Likewise, if there are three gears with lengths of 127, 31, 15, then the period will be 127 × 31 × 15; this is equivalent to having three shift registers, each one with a number of stages: n1 = 7; n2 = 5; and n3 = 4. If the feedbacks are chosen correctly, the maximum length of each shift register sequence will be 2^n − 1, or 127, 31, and 15.

22 Block Cipher
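The period arithmetic of the LFSR-combination and gear examples above, as an added example that is not part of the course material: a small Fibonacci LFSR is clocked to measure periods directly, the count of maximum-length tap settings is compared with φ(2^n − 1)/n, and XORed m-sequences are shown to repeat at the product of the periods divided by their common factors. The primitive polynomials x^3+x+1, x^4+x+1, x^5+x^2+1, x^6+x+1 and x^7+x+1 are assumed from standard tables.

```python
# Added example (not from the course slides): an n-stage Fibonacci LFSR whose
# feedback taps are the exponents of its characteristic polynomial, used to
# check the period claims above: a primitive polynomial gives p = 2^n - 1, a
# reducible one (1 + x^2 + x^4) does not, the number of maximum-length tap
# settings is phi(2^n - 1)/n, and XORing several m-sequences gives a period
# equal to the product of the individual periods divided by their common
# factors (31 x 15 x 7 = 3255, but 63 x 15 x 7 -> 315).
from functools import reduce
from itertools import combinations
from math import gcd


def lfsr_step(state, n, taps):
    """One clock: output bit 0, shift right, feed XOR of tapped bits into bit n-1.

    The recurrence is s[k+n] = XOR of s[k+n-t] over every tap t (t = n reads s[k]),
    i.e. the characteristic polynomial is f(x) = 1 + sum of x^t over the taps.
    """
    feedback = 0
    for t in taps:
        feedback ^= (state >> (n - t)) & 1
    return (state >> 1) | (feedback << (n - 1))


def lfsr_period(n, taps, init=1):
    """Clocks until the register returns to its (non-zero) initial state."""
    assert 0 < init < (1 << n) and n in taps
    state, count = init, 0
    while True:
        state = lfsr_step(state, n, taps)
        count += 1
        if state == init:
            return count


def lfsr_bits(n, taps, init, length):
    """Output sequence (bit 0 of the state) for `length` clocks."""
    out, state = [], init
    for _ in range(length):
        out.append(state & 1)
        state = lfsr_step(state, n, taps)
    return out


def count_maximum_length(n):
    """Number of degree-n tap settings with period 2^n - 1 (Nm(n) on the slide)."""
    hits = 0
    for k in range(n):                       # any subset of x^1 .. x^(n-1)
        for inner in combinations(range(1, n), k):
            if lfsr_period(n, (n,) + inner) == (1 << n) - 1:
                hits += 1
    return hits


def euler_phi(m):
    return sum(1 for k in range(1, m + 1) if gcd(k, m) == 1)


def sequence_period(bits, bound):
    """Smallest divisor p of `bound` such that bits[i] == bits[i+p] everywhere."""
    for p in range(1, bound + 1):
        if bound % p == 0 and all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    raise ValueError("no period found within bound")


def combined_period(registers):
    """Period of the XOR of several LFSR output streams.

    registers: list of (n, taps). The combined period can never exceed the lcm
    of the component periods, so only divisors of that lcm are tried.
    """
    periods = [lfsr_period(n, taps) for n, taps in registers]
    bound = reduce(lambda a, b: a * b // gcd(a, b), periods)
    streams = [lfsr_bits(n, taps, 1, 2 * bound) for n, taps in registers]
    mixed = [reduce(lambda a, b: a ^ b, column) for column in zip(*streams)]
    return sequence_period(mixed, bound)


if __name__ == "__main__":
    # Assumed primitive polynomials: x^3+x+1, x^4+x+1, x^5+x^2+1, x^6+x+1, x^7+x+1.
    print(lfsr_period(5, (5, 2)), lfsr_period(4, (4, 1)), lfsr_period(3, (3, 1)))  # 31 15 7
    print(lfsr_period(4, (4, 2)))                                    # reducible: 6, not 15
    print(count_maximum_length(5), euler_phi(31) // 5)               # 6 6
    print(combined_period([(5, (5, 2)), (4, (4, 1)), (3, (3, 1))]))  # 3255
    print(combined_period([(6, (6, 1)), (4, (4, 1)), (3, (3, 1))]))  # 315, not 6615
    print(combined_period([(7, (7, 1)), (5, (5, 2))]))               # 127 x 31 = 3937
```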
• An encryption algorithm is used to transform x bits of plaintext into x bits of ciphertext.
• Every bit of the plaintext has an effect on every bit of the ciphertext.
• Each block is independent; there is no influence between blocks.
• Identical plaintext blocks produce identical ciphertext blocks.
• An error in the ciphertext has an effect only on that block.
• Types of Block Ciphers
— DES Electronic Code Book
— DES Cipher Block Chaining
— Advanced Encryption Standard
M. Mogollon – 01/08  23
• A block cipher uses an encryption algorithm, in conjunction with cryptographic variables, to transform a plaintext block of x bits into a ciphertext block of x bits (Denning, 1983). The positive integer x is the block size. In the block cipher system, the block of x bits is encrypted by the encryption algorithm. The enciphering and deciphering functions are such that every bit in the ciphertext block depends jointly on every bit in the plaintext and on the cryptographic variable. Block cipher systems are similar to codebooks in which, for every possible plaintext block, there is a corresponding ciphertext block. A block cipher cryptosystem can be configured as a block cipher or as a block stream cipher.

23 Block Cipher
[Diagram: Plaintext blocks are enciphered by the Block Cipher Algorithm under the Crypto Variables into Cipher blocks, and deciphered by the same algorithm and variables. Block size: DES 64-bit, AES 128-bit cipher block.]
M. Mogollon – 01/08  24
• In the block cipher system, several plaintext bits are encrypted at the same time by the encryption algorithm, and every plaintext bit affects every ciphertext bit within the block.
• Each block is treated independently, and there is no influence between blocks; i.e., two identical plaintext blocks will produce identical ciphertext blocks. As in codebooks, decryption can be performed on isolated blocks in an arbitrary order without any loss of crypto synchronization. This was the initial mode of the DES algorithm, known as the Electronic Code Book (ECB).
• When each block is enciphered independently with the same key variable, block ciphers are especially susceptible to spoofing because one enciphered block can be replaced by another, or blocks can be inserted or deleted. These changes do not affect surrounding blocks. For example, in a credit transaction, the ciphertext block corresponding to the amount transferred could be changed, and the message could be deciphered without the receiver noticing.

24 Data Encryption Standard (DES)
• Approved in 1977.
• Enciphers a 64-bit block of plaintext into a 64-bit block of ciphertext, under the control of a 64-bit crypto variable where 56 bits are the key and 8 bits are used for parity.
• Uses transposition and substitution.
• Has 16 separate rounds of encipherment. Each round involves operations with a different 48-bit key developed from the original 64-bit cryptographic key.
• Distributed.Net, a worldwide coalition of computer enthusiasts, worked with EFF's DES Cracker and a global network of nearly 100,000 PCs in 1998 and broke a DES 56-bit key in 22 hours and 15 minutes.
M. Mogollon – 01/08  25
• In May 1973, the National Bureau of Standards (NBS), recognizing the need to adopt a standard algorithm to encipher digital communications used by the government, industry, and private organizations, requested several companies to propose techniques and algorithms for enciphering computer data information with the idea that those techniques and algorithms might then be considered for use in a Federal Standard.
• Several companies presented their proposals. The National Security Agency, NSA, tested all the algorithms presented, and, according to the NBS, only the algorithm submitted by IBM was found acceptable. On March 17, 1975, the National Bureau of Standards published the algorithm in the Federal Register for public comment and published the proposed standard in the Federal Register in August 1975. In January 1977, the proposed algorithm became the Data Encryption Standard (DES) and was then published as a federal standard, FIPS PUB 46.
• The DES algorithm enciphers a 64-bit block of plaintext into a 64-bit block of ciphertext, under the control of a 56-bit crypto variable. DES keys are 64-bit binary vectors consisting of 56 independent information bits and 8 parity bits. The parity bits are reserved for error detection purposes and are not used by the encryption algorithm.
• The DES encryption algorithm has been broken using brute force, trying all the possible key combinations, but no one has proven that there is a fault in the design.

25 DES Steps
[Diagram: INPUT → Initial Permutation → 16 rounds (L0/R0 … L16/R16, each using one of Key 1 … Key 16 and the function f) → Inverse Initial Permutation.]
• Initial Permutation: perform an initial permutation on the bit string according to a function derived from the encryption key.
• Split the 64-bit permuted block of data into 32-bit halves and expand the 32-bit string to 48 bits.
• Encipher the right half with an encryption key, using 48 bits of the original 56 bits of the encryption key.
• Perform a set of constant substitution functions using 8 S-boxes (4 × 16 matrix) followed by the permutation.
• Repeat the whole set of functions 16 times with a different encryption key every time.
• Perform a final permutation, the inverse of the initial permutation.
Round equations: L1 = R0, R1 = L0 + f(R0 + K1); L2 = R1, R2 = L1 + f(R1 + K2); … L15 = R14, R15 = L14 + f(R14 + K15); L16 = R15, R16 = L15 + f(R15 + K16).
M. Mogollon – 01/08  26
• The encryption process consists of 16 separate rounds of encryption. First, the 64-bit block of data undergoes a permutation that rearranges the bits according to a matrix; then the 64-bit permuted block of data is split into two 32-bit halves. The right half is enciphered with a key K1, obtained from the original 56-bit crypto variable, and then is XORed to the left half.
• For the second round of encryption, the result just obtained becomes the right half, and the unaltered right half from the first round becomes the left. The procedure is repeated 16 times with a different key, K, used each time. The figure above shows the enciphering compilation. After the 16 rounds of encryption, the 64-bit block of data undergoes a final permutation, the inverse initial permutation, thus producing the ciphered 64-bit block.

26 Advanced Encryption Standard
• In September 1997, the NIST issued a Federal Register Notice soliciting encryption algorithms to replace the DES.
• Fifteen algorithms were presented and five were selected for the second round:
— MARS, submitted by IBM (United States).
— RC6, submitted by RSA Laboratories (United States).
— Rijndael, submitted by Joan Daemen and Vincent Rijmen (Belgium).
— Serpent, submitted by Ross Anderson (United Kingdom), Eli Biham (Israel), and Lars Knudsen (Norway).
— Twofish, submitted by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson (United States).
• On October 2, 2000, the NIST announced that it had selected Rijndael for the AES.
• The standard became effective May 26, 2002.
• The AES can be used by U.S. government organizations to protect secret and top secret (classified) information.
M. Mogollon – 01/08  27
• The Advanced Encryption Standard (AES) is the new cryptographic algorithm for use by U.S. government organizations. Initially, AES was endorsed to protect sensitive (unclassified) electronic data. In June 2003, the National Security Agency conducted a review (Committee on National Security Systems, CNSS Policy 15) and determined that the design and strength of all key lengths of the AES algorithm (i.e., 128, 192, and 256) were sufficient to protect classified information up to the SECRET level. NSA’s policy stated that TOP SECRET information would require use of either the 192 or 256 key lengths.
• NIST made a formal call for algorithms stipulating that the AES would be an unclassified, publicly disclosed encryption algorithm(s), and available royalty-free worldwide. In addition, the algorithm(s) must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits.
• By August 20, 1998, members of the cryptographic community from around the world submitted fifteen AES candidate algorithms. After an initial review of the algorithms, the NIST selected five algorithms for the second round:
• MARS, submitted by IBM (United States).
• RC6, submitted by RSA Laboratories (United States).
• Rijndael, submitted by Joan Daemen and Vincent Rijmen (Belgium).
• Serpent, submitted by Ross Anderson (United Kingdom), Eli Biham (Israel), and Lars Knudsen (Norway).
• Twofish, submitted by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson (United States).
• On October 2, 2000, the NIST announced that it had selected Rijndael for the AES. The standard became effective on May 26, 2002.

27 AES
• Symmetric block cipher that uses cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data blocks of 128 bits.
• Substitution and linear transformation are done with different numbers of rounds depending on the key size: 10 (128 bits), 12 (192 bits) or 14 (256 bits).
• A data block to be processed using the AES is partitioned into an array of bytes, and each of the cipher operations is byte-oriented.
• The AES encryption consists of the following:
— Key expansion
— An initial round key addition
— Several rounds of ByteSub, ShiftRow, MixColumn, and AddRoundKey
— Final round of ByteSub, ShiftRow, and AddRoundKey
• The S-box has a mathematical structure, based on the combination of inversion over a Galois field and an affine transformation. Although this mathematical structure might conceivably aid an attack, the structure is not hidden as would be the case for a trapdoor. If the S-box were suspected of containing a trapdoor, then the S-box could be replaced.
M. Mogollon – 01/08  28
• The AES is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. The Rijndael algorithm was designed to handle additional block sizes and cipher key lengths, but these were not adopted in the AES algorithm.
• The input and the output for the AES algorithm each consist of block sequences of 128 bits (digits with values of 0 or 1). The cipher key for the AES algorithm is a sequence of 128, 192 or 256 bits. Other input, output, and Cipher Key lengths are not permitted by the AES standard.
• The AES encryption consists of the following:
• Key expansion
• An initial round key addition
• Several rounds of SubByte, ShiftRow, MixColumn, and AddRoundKey
• Final round of ByteSub, ShiftRow, and AddRoundKey
• In the Rijndael algorithm, the number of standard rounds depends on the data block size and the cipher key length. Because the AES algorithm currently only uses data blocks of 128 bits, the number of standard rounds is 10 rounds for a 128-bit cipher key length, 12 rounds for a 192-bit cipher key length, or 14 rounds for a 256-bit cipher key length.
Number of rounds in Rijndael by block length and key length:
Block \ Key Length   128   192   256
128                   10    12    14
192                   12    12    14
256                   14    14    14

28 State Array
Block Length = 128 bits = 16 bytes
[Diagram: the input bit sequence (bits 0 … 127) is grouped into Byte 0 … Byte 15 (bit number within each byte 7 6 5 4 3 2 1 0); the Input Bytes Array in0 … in15 is loaded column by column into the State Array:]
in0  in4  in8   in12        S0,0 S0,1 S0,2 S0,3
in1  in5  in9   in13   ->   S1,0 S1,1 S1,2 S1,3
in2  in6  in10  in14        S2,0 S2,1 S2,2 S2,3
in3  in7  in11  in15        S3,0 S3,1 S3,2 S3,3
M. Mogollon – 01/08  29
• The basic unit for processing in the AES algorithm is a byte, a sequence of eight bits treated as a single entity. During the ciphering and deciphering processes, the input, output, and cipher key bit sequences are processed as bytes (eight contiguous bits) in array form. The bytes in the resulting array are referenced as in_n or as S_r,c, where r is the row number in the array and c is the column number in the array.
• Internally, the AES algorithm’s operations are performed in a two-dimensional array of bytes called the State.
• The array’s number of rows is always 4, so there are 32 bits per column. The number of columns depends on the cipher key length. The cipher keys may have lengths of 128, 192, or 256, so the number of columns is calculated as follows:
• Cipher Key length = 128 bits, columns = 128 / 32 = 4
• Cipher Key length = 192 bits, columns = 192 / 32 = 6
• Cipher Key length = 256 bits, columns = 256 / 32 = 8

29 AES Standard Round Transformations
Round transformations are composed of four steps:
• SubByte: A non-linear substitution that replaces the bytes in the State Array by the byte determined by the row and column intersection in a substitution box, S-box. Provides non-linearity.
• ShiftRow: Rows of the State Array are shifted for inter-column diffusion (linear mixing).
• MixColumn: Every column in the State Array is transformed using a matrix multiplication for inter-byte diffusion within columns (linear mixing). In the last round, the column mixing is omitted.
• Round Key Addition: Subkey bytes are XORed into each byte of the array.
M. Mogollon – 01/08  30

30 AES Implementation
[Diagram: Key → Key Expansion → (Nr + 1) round keys K(0), K(1) … K(Nr−1), K(Nr). Plaintext → Initial Round (AddRoundKey with K(0)) → Nr − 1 Standard Rounds (SubBytes, ShiftRows, MixColumns, AddRoundKey) → Final Round (SubBytes, ShiftRows, AddRoundKey) → Ciphertext. Picture from: http://home.ecn.ab.ca/~jsavard/crypto/co040401.htm]
M. Mogollon – 01/08  31
Key Length          128   192   256
Number of Rounds     10    12    14
Standard Rounds       9    11    13
Final Round           1     1     1
Key Expansion        11    13    15

31 Key Expansion
• The AES algorithm takes the Cipher Key, K, and performs a Key Expansion routine to generate a key schedule.
• The Key Expansion routine generates a total of Nb × (Nr + 1) words.
• Nb is equal to the number of columns in the data block. For a data block of 128 bits, Nb is equal to 4.
• Nr is the number of rounds.
• For a data block and Cipher Key of 128 bits, it generates 4 × (10 + 1) = 44 words.
• The Cipher Key becomes the first words. All other words are calculated using the following transformation:
temp = SubWord(RotWord(temp)) xor Rcon[i / Nk]
[Diagram, for a 128-bit Data Block and Cipher Key: Cipher Key = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c fills w0 = 2b 7e 15 16, w1 = 28 ae d2 a6, w2 = ab f7 15 88, w3 = 09 cf 4f 3c (= K0); w4 … w43 are derived from them and grouped into K1 … K10.]
M. Mogollon – 01/08  32
• The AES algorithm takes the cipher key, K (128, 192, or 256 bits), and performs a key expansion routine to generate a key schedule with a total number of subkeys equal to the required number of rounds. First, the cipher key is grouped in words. A word is a group of 32 bits that is treated either as a single entity or as an array of four bytes.
• Then, the key expansion routine generates a total of Nb × (Nr + 1) words where
• Nb is equal to the number of columns in the data block. For a data block of 128 bits, Nb is equal to 4.
• Nr is the number of rounds.
• For a 128-bit data block and cipher key, the key expansion generates 4 × (10 + 1) = 44 words. The cipher key becomes the first words. All other words are calculated using the following transformation:
temp = SubWord(RotWord(temp)) xor Rcon[i / Nk]
• In the case of a key length of 128, the cipher key, K, will be expanded to generate 44 words which are grouped in 11 subkeys: K(0), K(1), K(2), K(3), K(4) ………. K(10). Each subkey has four words. K(0) is used in the first AddRoundKey, and the cipher subkeys K(1) to K(10) are used in each of the different rounds.

32 SubBytes Transformation
S-Box (row = high nibble of the input byte, column = low nibble):
      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
 1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
 2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
 3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
 4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
 5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
 6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
 7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
 8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
 9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
 a   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
 b   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
 c   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
 d   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
 e   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
 f   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
S1,1 = 0 1 0 1 0 0 1 1 = S{53}
S’1,1 = S’{ed} = 1 1 1 0 1 1 0 1
[Diagram: each byte Sr,c of the State Array is replaced through the S-Box by S’r,c in the State’ Array.]
M. Mogollon – 01/08  33
• The SubByte transformation is a non-linear substitution that replaces the bytes in the State Array with the byte determined by the row and column intersection in a substitution box, S-box.
• For example, if S1,1 = 0 1 0 1 0 0 1 1 = S{53}, then the substitution value would be determined by the intersection of row 5 and column 3. This would be the value of S’1,1 = S’{ed} = 1 1 1 0 1 1 0 1.
• The S-box has a mathematical structure based on the combination of inversion over a Galois field and an affine transformation. Although this mathematical structure might conceivably aid an attack, the structure is not hidden, as would be the case for a trapdoor. The Rijndael specification asserts that if the S-box were suspected of containing a trapdoor, then the S-box could be replaced.

33 ShiftRows Transformation
[Diagram: State Array → State’ Array]
S0,0 S0,1 S0,2 S0,3        S’0,0 S’0,1 S’0,2 S’0,3
S1,0 S1,1 S1,2 S1,3   ->   S’1,1 S’1,2 S’1,3 S’1,0
S2,0 S2,1 S2,2 S2,3        S’2,2 S’2,3 S’2,0 S’2,1
S3,0 S3,1 S3,2 S3,3        S’3,3 S’3,0 S’3,1 S’3,2
The bytes in the last three rows of the State Array are shifted 1, 2, or 3 times to the left.
M. Mogollon – 01/08  34
• In the ShiftRow transformation, the bytes in the last three rows of the State Array are shifted 1, 2, or 3 times to the left.

34 MixColumns Transformation
MixColumn
[Diagram: each column S0,c … S3,c of the State Array is transformed into the column S’0,c … S’3,c of the State’ Array.]
The MixColumns transformation treats each column as a four-term polynomial over GF(2^8) and multiplied modulo x^4 + 1 with a fixed polynomial a(x), given by
a(x) = {03} x^3 + {01} x^2 + {01} x + {02}
s’(x) = a(x) ⊗ s(x)
M. Mogollon – 01/08  35

35 AddRoundKey Transformation
In the AddRoundKey transformation, every entry in the State Array is XORed with its corresponding entry in the cipher subkey.
Input = {32} = 00110010
Cipher Key = {2b} = 00101011
State Array = {19} = 00011001
Modulo-2 Adder (XOR): 1 + 0 = 1; 1 + 1 = 0; 0 + 1 = 1; 0 + 0 = 0
State Array (Before the Transformation)   XOR   Cipher Key Array   =   State Array (After the Transformation)
32 88 31 e0                                     2b 28 ab 09            19 a0 9a e9
43 5a 31 37                                     7e ae f7 cf            3d f4 c6 f8
f6 30 98 07                                     15 d2 15 4f            e3 e2 8d 48
a8 8d a2 34                                     16 a6 88 3c            be 2b 2a 08
M. Mogollon – 01/08  36
• In the AddRoundKey transformation every entry in the State Array is XORed with its corresponding entry in the cipher subkey.

36 AES Advanced Validation Suite
• The AES Advanced Validation Suite provides the basic design and configuration of a battery of tests designed to perform automated tests on an AES implementation.
• The battery of tests includes the following:
— Known Answer Test (KAT)
— Multi-block Message Test (MMT)
— Monte Carlo Test (MCT).
• The successful completion of the tests as they are described in the AES Advanced Validation Suite is required to claim conformance to the Advanced Encryption Standard FIPS 197.
M. Mogollon – 01/08  37
• FIPS 197, “Advanced Encryption Standard,” provides information on how to implement the AES algorithm. When the AES is implemented in software or hardware, the “Implementation Under Test” (IUT), as it is called for testing purposes, needs to be used to determine if the design is correct. The AES Advanced Validation Suite (Bassham, L., 2002) provides the basic design and configuration of a battery of tests designed to perform automated tests on the IUT.
• The battery of tests includes the following: Known Answer Test (KAT), the Multi-Block Message Test (MMT), and the Monte Carlo Test (MCT). The successful completion of the tests as they are described in the AES Advanced Validation Suite is required to claim conformance to the Advanced Encryption Standard FIPS 197.
• Known Answer Test (KAT)
• For a specific Key, Input Variable (IV), and plaintext, the IUT should produce (Response) the same cipher text for encryption or plaintext for decryption.
• Multi-block Message Test
• Block ciphers have several modes of operation in which the encryption process "chains" successive ciphertext and plaintext blocks together until the last plaintext block of data is enciphered. The Multi-Block Message Test checks if the IUT is able to chain information from one block to another.
• Monte Carlo Test
• The Monte Carlo Test uses a specific algorithm to generate 100 pseudorandom texts. The 100 texts are enciphered by the AES Algorithm Validation Suite and by the IUT. The results, the cipher text after encryption or plaintext after decryption, from the AES Algorithm Validation Suite and from the IUT should be the same.

37 Block Cipher Modes of Operation
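Before turning to modes of operation, a Known Answer Test of the kind just described, run against an AES-128 encryption assembled from the transformations on the preceding slides (S-box from GF(2^8) inversion plus the affine map, key expansion with RotWord/SubWord/Rcon, SubBytes, ShiftRows, MixColumns, AddRoundKey). This is an added example, not the course's or NIST's code; the key 2b 7e 15 16 … and the state 32 88 31 e0 … are the FIPS-197 Appendix B values shown on the slides above, and the expected ciphertext is assumed from that appendix.

```python
# Added example (not the course's code): AES-128 block encryption built from
# the transformations described on the slides, checked the way a Known Answer
# Test would against the FIPS-197 Appendix B vector (key and state values as
# shown on the key-expansion and AddRoundKey slides).

def xtime(b):
    """Multiply by x in GF(2^8), reducing by m(x) = x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a, b):
    """Product of two field elements (used by MixColumns and by the S-box)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(a):
    """Multiplicative inverse a^254 (since a^255 = 1); 0 maps to 0 by convention."""
    r, p = 1, a
    for _ in range(7):            # accumulate a^2 * a^4 * ... * a^128
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r


def make_sbox():
    """S-box = affine transformation of the inverse: b ^ rot1 ^ rot2 ^ rot3 ^ rot4 ^ 0x63."""
    box = []
    for x in range(256):
        inv, s = gf_inv(x), 0x63
        for i in range(5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s)
    return box


SBOX = make_sbox()


def expand_key(key):
    """FIPS-197 key expansion for Nk = 4: 44 words grouped into 11 round keys K(0)..K(10)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]   # the cipher key is w0..w3
    rcon = 0x01
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]                   # RotWord
            temp = [SBOX[b] for b in temp]               # SubWord
            temp[0] ^= rcon                              # xor Rcon[i / Nk]
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ temp[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


# The State is kept as 16 bytes in column order, state[4 * c + r] = S[r][c],
# which is exactly the order in which input bytes in0 .. in15 fill the array.
def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r is rotated left by r positions."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Each column multiplied by a(x) = {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]


def aes128_encrypt_block(key, block):
    """Initial AddRoundKey, 9 standard rounds, then the final round without MixColumns."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])
    return bytes(s)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # cipher key from the slides
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")    # state before AddRoundKey, by columns
    print(hex(SBOX[0x53]))                                      # 0xed, as on the SubBytes slide
    print(bytes(add_round_key(list(pt), list(key))).hex())      # 193de3be a0f4e22b 9ac68d2a e9f84808
    print(aes128_encrypt_block(key, pt).hex())                  # 3925841d02dc09fbdc118597196a0b32
```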
Electronic Code Book (ECB)
[Diagram: ECB Encryption: Plaintext → Input Block → CIPH_K → Output Block → Ciphertext; ECB Decryption: Ciphertext → Input Block → Output Block → Plaintext.]
• Basic mode; x-bit block input, x-bit block output.
• Identical plaintext blocks produce identical ciphertext blocks.
• Same as a code book.
• Easier to cryptanalyze.
• One bit error propagates over the x-bit block.
M. Mogollon – 01/08  38
• The Electronic Codebook (ECB) mode is a basic, block cryptographic mode that transforms x bits of input to x bits of output, as specified in FIPS 800-38A.
• In this mode of operation, x bits of data are loaded into the block input register, and the output
register yields the encrypted x bits of ciphertext. This method establishes a reference for
cryptanalysis because enciphering the same plaintext with the same key always produces the
same ciphertext, thus its comparison to a codebook.
• When each block is enciphered independently with the same key variable, block ciphers are
especially susceptible to spoofing because one enciphered block can be replaced by another, or
blocks can be inserted or deleted. These changes do not affect surrounding blocks.
• From the viewpoint of cryptanalysis, if certain blocks of the plaintext are the same in several
messages, the corresponding ciphertext blocks will be the same, thus enabling the attacker to
compile a codebook of plaintext/ciphertext pairs.
• To avoid this, encryption systems have an additional key that changes with every message,
block, or IP packet. In stream ciphers, the additional key is called message key or initialization
vector; in block ciphers, it is only called initialization vector. The additional key doesn’t need to
be secret, but it should not be used twice with the same key.
• In ECB, a onebit error is propagated throughout the entire xbit block which causes the
deciphered plaintext to have an average error rate of fifty percent. All block ciphers support the
ECB mode of operation.

38 Cipher Block Chaining (CBC)
[Diagram: CBC Encrypt: Input Block 1 = Plaintext 1 ⊕ Initialization Vector, Input Block 2 = Plaintext 2 ⊕ Ciphertext 1, …, Input Block n = Plaintext n ⊕ Ciphertext n−1; each Input Block passes through CIPH_K and the Output Block is Ciphertext i. CBC Decrypt: Ciphertext i passes through CIPH⁻¹_K and the Output Block is XORed with Ciphertext i−1 (the Initialization Vector for block 1) to give Plaintext i.]
M. Mogollon – 01/08  39
• In block ciphers, the initialization vector could be XORed with the first plaintext block, as it is done in the cipher block chaining (CBC) mode, or used as dummy plaintext in the cipher feedback (CFB) mode, output feedback (OFB) mode, and counter (CTR) mode.
• In the CBC mode, the data to be encrypted is divided into blocks, and the first input block is formed by XORing the first block of data to an x-bit initialization vector (IV). The IV doesn’t need to be secret, but it must be unpredictable.
• An initialization vector or random seed is used as the first block. Two identical plaintext blocks in different parts of the message will produce two different ciphertext blocks if the previous plaintext blocks are not identical.
• The input block is processed through the block cipher algorithm in the encrypting state, and the resulting output block is used as the ciphertext. The first ciphertext block is then XORed to the second plaintext block of data to produce the second input block. The latter is processed through the cipher block algorithm in the encrypting state to produce the second ciphertext block. This encryption process continues to "chain" successive ciphertext and plaintext blocks together until the last plaintext block of data is enciphered. A one-bit error during transmission will affect the deciphering of two blocks, the block with the error and the next block. Block synchronization between the enciphering and deciphering units is required and is accomplished by loading the same initialization vector into both units. If bits are loaded or lost in a ciphertext, synchronization is lost. However, cryptographic synchronization will automatically be re-established x bits after block boundaries have been established. The cipher block chaining mode is self-synchronizing.

39 Cipher Feedback (CFB) Mode
[Figure: CFB mode with s-bit segments. Encryption: Input Block 1 = IV; each input block passes
through CIPH_K; the most significant s bits of the output block are selected and XORed with an
s-bit plaintext segment to give an s-bit ciphertext segment, and the remaining (b–s) bits are
discarded; Input Block i+1 = Input Block i shifted left by s bits with Ciphertext i shifted in.
Decryption runs CIPH_K in the same (forward) direction and feeds back the received ciphertext
segments.]
• In Cipher Feedback (CFB) mode, Output Feedback (OFB) mode, and Counter (CTR) mode, the
initialization vector is used as dummy plaintext.
• The CFB mode is a stream method of encryption. In this method, the block cipher is used to
generate pseudorandom bits that are XORed with binary plaintext to form ciphertext.
• The plaintext and ciphertext consist of data units each containing s bits, such that 1 ≤ s ≤ b. The
value of s is sometimes incorporated into the name of the mode, e.g., the 1-bit CFB mode, the
8-bit CFB mode, the 64-bit CFB mode, or the 128-bit CFB mode.
• In CFB encryption, the first input block is the IV, and the most significant s bits of the forward
cipher function output are XORed with the s-bit plaintext to produce s bits of ciphertext. The
unused bits of the forward cipher function output, b – s, are discarded.
• The second input block is created by concatenating the b – s least significant bits of the IV with
the s bits of the ciphertext. This is done by shifting the first input block s positions to the left, and
then filling the empty bits with the s bits from the ciphertext. The process is repeated, and each
successive ciphertext segment is shifted into the next input block to form the new input block.
• A one-bit error in any s-bit unit of ciphertext will affect the deciphering of succeeding ciphertexts
until the bits in error have been shifted out of the CFB input block. This normally occurs x bits
after the s-bit boundaries have been reestablished. The cipher feedback method does not pass
data directly through the block encryption algorithm; instead, it uses the algorithm as a
random-number generator.
• CFB thus behaves as a self-synchronizing stream cipher: a one-bit error in the ciphertext causes a
one-bit error in the corresponding plaintext block and complete corruption of the following
plaintext blocks; however, after several blocks it self-synchronizes and all subsequent plaintext
blocks are decrypted normally.
Output Feedback (OFB) Mode
[Figure: OFB mode. Input Block 1 = IV; Output Block i = CIPH_K(Input Block i); Input Block i+1 =
Output Block i; Ciphertext i = Plaintext i XOR Output Block i. Decryption runs CIPH_K forward in
the same way and XORs the output blocks with the ciphertext blocks.]
• OFB mode turns a block cipher into a stream cipher.
• The Output Feedback mode operates in a way similar to the cipher feedback mode, except that
the feedback is taken directly from the output block and not from the ciphertext.
• In the OFB mode, the IV is transformed by the forward cipher function to produce the first
output block, which is fed back as the second input block, and so on. Each output block is XORed
with the plaintext block, producing the ciphertext block.
• For the last block, which may be a partial block of u bits, only the most significant u bits of the
last output block of the forward cipher function are used for the exclusive-OR operation. The
remaining b – u bits are discarded.
• This feedback is completely independent of all plaintext and all ciphertext. As a result, there is
no error extension in the OFB mode.
• A one-bit error in the ciphertext causes only a one-bit error in the decrypted ciphertext block. Bit
errors within a ciphertext block do not affect the decryption of any other blocks. In the OFB
mode, bit errors in the IV affect the decryption of every ciphertext block until cryptographic
initialization is performed again. The OFB mode is not a self-synchronizing cryptographic mode.
• The deletion or insertion of bits into a ciphertext block (or segment) causes bit errors in the
bit position of the inserted or deleted bit and in every subsequent bit position, as well as in all
subsequent ciphertext blocks (or segments), until synchronization is restored.
Counter (CTR) Mode
[Figure: CTR mode. Input Block i = Counter i; Output Block i = CIPH_K(Counter i); Ciphertext i =
Plaintext i XOR Output Block i. Decryption regenerates the same output blocks from the same
counters and XORs them with the ciphertext blocks.]
• The CTR mode, as well as the CFB and OFB modes, is a stream method of encryption. In this
method, the block cipher is used to generate pseudorandom bits that are XORed with binary
plaintext to form ciphertext.
• In CFB and OFB modes, the bits in the input blocks I2, …, In depend on the previous ciphertext
blocks or output blocks. In the CTR mode, input blocks depend on neither the ciphertext nor the
output blocks. The input blocks are blocks of bits called counters that must have the property that
each counter block in the sequence is different from every other counter block. The counters for
a given message are denoted T1, T2, T3, …, Tn, and there are several methods to generate them.
• The forward cipher function is invoked on each counter block, and the resulting output blocks are
XORed with the corresponding plaintext blocks to produce the ciphertext blocks. As in the OFB
mode, for the last block, which may be a partial block of u bits, only the most significant u bits of
the last output block of the forward cipher function are used for the XOR operation. The
remaining b – u bits are discarded.
• Note that in the counter mode, the nonce is the same thing as an initialization vector (IV).
• Bit error(s) in the decrypted ciphertext block (or segment) occur in the same bit position(s) as in
the ciphertext block (or segment); the other bit positions are not affected. Bit errors within a
ciphertext block do not affect the decryption of any other blocks.
Block Cipher Multiple Encryption
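The error-extension behaviour described on the CBC, CFB, OFB and CTR slides above can be checked directly. The following Go program is an added example, not from the slides: it uses AES-128 from the standard crypto/cipher package (the slides use DES, but the behaviour of the modes is the same; Go's CFB is the full-block, s = b variant), injects a one-bit error into the second ciphertext block, and reports which plaintext blocks then decrypt wrongly in each mode. The key, IV and message are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)
// Constructed sample key, IV and message (not from the slides): five identical 16-byte blocks.
var (
	key = []byte("0123456789abcdef")
	iv  = []byte("fedcba9876543210")
	msg = bytes.Repeat([]byte("block of 16 byte"), 5)
)

// crypt runs AES-128 in the named mode; Go's CFB feeds back a full block (s = b = 128 bits).
func crypt(mode string, in []byte, decrypt bool) []byte {
	blk, _ := aes.NewCipher(key) // the key above is exactly 16 bytes, so no error is possible
	out := make([]byte, len(in))
	switch {
	case mode == "CBC" && decrypt: // plaintext i = CIPH^-1_K(ciphertext i) XOR ciphertext i-1
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	case mode == "CBC":
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	case mode == "CFB" && decrypt: // the received ciphertext is fed back into the input block
		cipher.NewCFBDecrypter(blk, iv).XORKeyStream(out, in)
	case mode == "CFB":
		cipher.NewCFBEncrypter(blk, iv).XORKeyStream(out, in)
	case mode == "OFB": // feedback taken from the output block, independent of the ciphertext
		cipher.NewOFB(blk, iv).XORKeyStream(out, in)
	case mode == "CTR": // input blocks are counters derived from the IV (nonce)
		cipher.NewCTR(blk, iv).XORKeyStream(out, in)
	}
	return out
}

// corruptedBlocks encrypts msg, flips one bit in ciphertext block 1 (zero-based), decrypts, and
// returns the indices of the plaintext blocks that no longer match: the mode's error extension.
func corruptedBlocks(mode string) []int {
	ct := crypt(mode, msg, false)
	ct[aes.BlockSize+3] ^= 0x01 // a one-bit transmission error inside ciphertext block 1
	pt := crypt(mode, ct, true)
	var bad []int
	for i := 0; i < len(msg)/aes.BlockSize; i++ {
		lo, hi := i*aes.BlockSize, (i+1)*aes.BlockSize
		if !bytes.Equal(pt[lo:hi], msg[lo:hi]) {
			bad = append(bad, i)
		}
	}
	return bad
}
```

CBC and full-block CFB report blocks 1 and 2 (the damaged block and the one that uses it as chaining input), while OFB and CTR report block 1 only, matching the slides' statements on error extension.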
• Double DES with two crypto variables
$M_C = C_{K_2}(C_{K_1}(M))$
$M_D = D_{K_1}(D_{K_2}(M_C))$
• Triple DES with two crypto variables
$M_C = C_{K_1}(D_{K_2}(C_{K_1}(M)))$
$M_D = D_{K_1}(C_{K_2}(D_{K_1}(M_C)))$
• Triple DES with three crypto variables
$M_C = C_{K_3}(D_{K_2}(C_{K_1}(M)))$
$M_D = D_{K_1}(C_{K_2}(D_{K_3}(M_C)))$
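The compositions above can be exercised with Go's standard crypto/des package. This is an added example, not from the slides: it builds the two-key and three-key EDE chains from single DES operations, checks them against the library's own 3DES, and shows that with all three crypto variables equal the chain collapses to single DES. Keys and plaintext block are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/des"
)

// Constructed sample 8-byte keys and 8-byte plaintext block (not from the slides).
var (
	k1 = []byte("key-one!")
	k2 = []byte("key-two!")
	k3 = []byte("key-3333")
	m  = []byte("8byteblk")
)

// singleDES is one DES operation on a 64-bit block: C_K when enc is true, D_K otherwise.
func singleDES(key, in []byte, enc bool) []byte {
	blk, _ := des.NewCipher(key) // keys above are exactly 8 bytes, so no error is possible
	out := make([]byte, des.BlockSize)
	if enc {
		blk.Encrypt(out, in)
	} else {
		blk.Decrypt(out, in)
	}
	return out
}

// tripleEncrypt is the slide's three-key form M_C = C_K3(D_K2(C_K1(M)));
// passing k1 as k3 gives the two-key form M_C = C_K1(D_K2(C_K1(M))).
func tripleEncrypt(k1, k2, k3, m []byte) []byte {
	return singleDES(k3, singleDES(k2, singleDES(k1, m, true), false), true)
}

// tripleDecrypt undoes the three steps in reverse order: M_D = D_K1(C_K2(D_K3(M_C))).
func tripleDecrypt(k1, k2, k3, c []byte) []byte {
	return singleDES(k1, singleDES(k2, singleDES(k3, c, false), true), false)
}

// libraryEDE computes the same ciphertext with crypto/des's built-in 3DES keyed with K1||K2||K3.
func libraryEDE(k1, k2, k3, m []byte) []byte {
	blk, _ := des.NewTripleDESCipher(bytes.Join([][]byte{k1, k2, k3}, nil)) // 24-byte key
	out := make([]byte, des.BlockSize)
	blk.Encrypt(out, m)
	return out
}

// collapsesToSingleDES checks that with K1 = K2 = K3 = k the inner D_k cancels the first C_k,
// so the EDE chain reduces to C_k(M): this is what lets EDE 3DES interoperate with single DES.
func collapsesToSingleDES(k, m []byte) bool {
	return bytes.Equal(tripleEncrypt(k, k, k, m), singleDES(k, m, true))
}
```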
• Comparison of different forms of DES multiple encryption (from B. Preneel, The State of DES,
1994 RSA Laboratories Seminar Series, August 1994). Columns: number of encryptions, number of
keys, computation, storage, type of attack; a dash means the slide gives no figure, and where the
slide gives a third figure it is reproduced after the storage figure.
  single   1 key    2^56        –        known plaintext
  single   1 key    2^38        2^38     chosen plaintext
  single   1 key    –           2^56     chosen plaintext
  double   2 keys   2^112       –        known plaintext
  double   2 keys   2^56        2^56     known plaintext
  double   2 keys   –           2^112    known plaintext
  triple   2 keys   2^56        2^56     2^56     known plaintext
  triple   2 keys   2^(120–t)   2^t      2^t      known plaintext
  triple   2 keys   –           2^56     chosen plaintext
  triple   3 keys   2^112       2^56     known plaintext
  triple   3 keys   2^56        2^112    chosen plaintext
IP Encryption
[Figure: IP encryption. Message Block 1 is XORed with the IV and each later message block with
the previous ciphertext block; each input block then passes through Block Cipher i, i.e. C_K1,
D_K2, C_K3, or, with two crypto variables, C_K1, D_K2, C_K1.]
IPSec uses a DES encryption algorithm with three crypto variables in the Cipher Block Chaining
mode, i.e. 3DES-CBC, to encipher the IP packets.
• Most encryption mechanisms use the 3DES-CBC mode with three crypto variables, as shown in
the above slide.
To Probe Further
• Golomb, S. (1967). Shift Register Sequences. San Francisco: Holden-Day Publishers
• Articles related to Solomon W. Golomb, Shift Register Sequences:
http://citeseer.nj.nec.com/nrelatedgid/35609
• Data Encryption Standard (DES), Federal Information Processing Standards Publication FIPS PUB 46-3:
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• DES Modes of Operation (FIPS PUB 81): http://csrc.nist.gov/publications/fips/fips81/fips81.htm
• Advanced Encryption Standard (AES) web site: http://csrc.nist.gov/encryption/aes/
• Rijndael Home Page, Authors: Joan Daemen, Vincent Rijmen:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
• Encryption Standards: AES vs. DES, Author: Gerwin Sturm, 2000:
http://stud3.tuwien.ac.at/~e9825530/computerscience/aes/
• Randomness Recommendations for Security (RFC 1750):
http://www.ietf.org/rfc/rfc1750.txt?number=1750
• The AES Algorithm Validation Suite document specifies the procedures involved in
validating implementations of the Advanced Encryption Standard (AES) algorithm in
FIPS 197. Author: Lawrence E. Bassham III, 2002
http://csrc.nist.gov/cryptval/aes/AESAVS.pdf
• AES Matlab Implementation, Author: Jörg Buchholz
— This documentation describes a Matlab implementation of the Advanced Encryption Standard (AES)
http://www.mathworks.co.uk/matlabcentral/fileexchange/loadFile.do?objectId=1190&objectType=file
• A Specification for Rijndael Algorithm, Author: Dr. Brian Gladman, 2002
http://fp.gladman.plus.com/cryptography_technology/rijndael/aesspec.pdf
This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.