Lecture 02 Symmetric Cryptography

1
Lecture 02 Symmetric Cryptography

• Asst.Prof. Supakorn Kungpisdan, Ph.D.
• supakorn_at_mut.ac.th

2
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Cipher
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

3
Basic Terminology

• plaintext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to
  ciphertext
• key - info used in cipher known only to
  sender/receiver
• encipher (encrypt) - converting plaintext to
  ciphertext
• decipher (decrypt) - recovering ciphertext from
  plaintext
• cryptography - study of encryption
  principles/methods
• cryptanalysis (codebreaking) - study of
  principles/ methods of deciphering ciphertext
  without knowing key
• cryptology - field of both cryptography and
  cryptanalysis

4
How a Cryptosystem Works
Plaintext (M) (data file or messages) encryptio
n algorithm (E) secret
key A (KA) Ciphertext (C) (stored or transmitted
safely) decryption algorithm (D)
secret key B (KB) Plaintext (M)
(original data or messages)
EKa(M) C DKb(C) M DKb(EKa(M)) M
Note Key A may be the same as Key B, depending
on the algorithm
5
Brute Force Search

• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext

Key Size (bits) Number of Alternative Keys Time required at 1 decryption/µs Time required at 106 decryptions/µs
32 232 4.3 ? 109 231 µs 35.8 minutes 2.15 milliseconds
56 256 7.2 ? 1016 255 µs 1142 years 10.01 hours
128 2128 3.4 ? 1038 2127 µs 5.4 ? 1024 years 5.4 ? 1018 years
168 2168 3.7 ? 1050 2167 µs 5.9 ? 1036 years 5.9 ? 1030 years
26 characters (permutation) 26! 4 ? 1026 2 ? 1026 µs 6.4 ? 1012 years 6.4 ? 106 years
6
Types of Cryptography

• Symmetric Cryptography
• Deploy the same secret key to encrypt and decrypt
  messages
• The secret key is shared between two parties
• Encryption algorithm is the same as decryption
  algorithm
• Asymmetric (Public-key) Cryptography
• Private key, Public key
• The secret key is not shared and two parties can
  still communicate using their public keys
• Encryption alg. is different from decryption alg.

7
Symmetric Cryptography
8
Public-Key Cryptography
9
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

10
Model of Symmetric Cryptosystem
11
What is Symmetric Encryption used for?

• Transmitting data over an insecure channel
• Secure stored data (encrypt store)
• Provide integrity check

12
Properties of Symmetric Cryptography

• Message Confidentiality
• Message Authentication
• Message Integrity

13
Cryptanalysis

• Depending on what a cryptanalyst has to work
  with, attacks can be classified into
• Ciphertext only attack
• Known plaintext attack
• Chosen plaintext attack
• Chosen ciphertext attack (most severe)

14
Ciphertext-only Attack

• Collect ciphertexts of several messages encrypted
  using the same encryption algorithm and try to
  recover plaintexts or encrypting key(s).
• Given C1 Ek(P1), C2Ek(P2), ..., CiEk(Pi)
• Deduce Either P1, P2, , Pi k or an algorithm
  to infer Pi1 from Ci1Ek(Pi1)

15
Known-plaintext Attack

• Able to collect ciphertext of several messages
  and corresponding plaintext, and try to resolve
  the encrypting key(s).
• Given P1, C1 Ek(P1), P2, C2Ek(P2), ..., Pi,
  CiEk(Pi)
• Deduce Either k, or an algorithm
• to infer Pi1 from Ci1Ek(Pi1)

16
Chosen-plaintext Attack

• Able to collect ciphertext of several messages
  and associated plaintext, and also able to choose
  the plaintext that gets encrypted. Try to deduce
  the encrypting key(s).
• More powerful than known-plaintext attack
• Given P1, C1 Ek(P1), P2, C2Ek(P2), ..., Pi,
  CiEk(Pi)
• where the cryptanalyst gets to choose P1,, Pi
• Deduce Either k, or an algorithm
• to infer Pi1 from Ci1Ek(Pi1)

17
Chosen-ciphertext Attack

• Able to choose different ciphertext to be
  decrypted and has access to the decrypted
  plaintext. Try to deduce the key
• E.g. has access to a tamperproof box that does
  automatically decryption.
• Given C1, P1 Dk(C1), C2, P2Dk(C2), ..., Ci,
  PiDk(Ci)
• Deduce k
• Primarily applicable to public-key algorithms.

18
More Definitions

• unconditional security
• no matter how much computer power or time is
  available, the cipher cannot be broken since the
  ciphertext provides insufficient information to
  uniquely determine the corresponding plaintext
• computational security
• given limited computing resources (eg time needed
  for calculations is greater than age of
  universe), the cipher cannot be broken

19
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

20
Substitution Ciphers

• Character in plaintext is substituted for another
  character in ciphertext
• Caesar Cipher each plaintext character is
  replaced by the character three to the right
  modulo 26. E.g. A?D, B?E, X?A
• ROT13 commonly found in UNIX systems. Every
  plaintext character is rotated 13 places.

21
Caesar Cipher

• earliest known substitution cipher
• by Julius Caesar
• first attested use in military affairs
• replaces each letter by 3rd letter on
• example
• meet me after the toga party
• PHHW PH DIWHU WKH WRJD SDUWB

22
Caesar Cipher (cont.)
K3
Outer plaintext
Inner ciphertext
23
Caesar Cipher (cont.)

• can define transformation as
• a b c d e f g h i j k l m n o p q r s t u v w x y
  z
• D E F G H I J K L M N O P Q R S T U V W X Y Z A B
  C
• mathematically give each letter a number
• a b c d e f g h i j k l m n o p q r s t
  u v w x y z
• 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
  20 21 22 23 24 25
• then have Caesar cipher as
• c E(p) (p k) mod (26)
• p D(c) (c k) mod (26)

24
Cryptanalysis of Caesar Cipher

• only have 26 possible ciphers
• A maps to A,B,..Z
• could simply try each in turn
• a brute force search
• given ciphertext, just try all shifts of letters
• do need to recognize when have plaintext
• eg. break ciphertext "GCUA VQ DTGCM"

25
Monoalphabetic Cipher

• rather than just shifting the alphabet
• could shuffle (jumble) the letters arbitrarily
• each plaintext letter maps to a different random
  ciphertext letter
• hence key is 26 letters long
• Plain abcdefghijklmnopqrstuvwxyz
• Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
• Plaintext ifwewishtoreplaceletters
• Ciphertext WIRFRWAJUHYFTSDVFSFUUFYA

26
Monoalphabetic Cipher Security

• now have a total of 26! 4 x 1026 keys
• with so many keys, might think is secure
• but would be !!!WRONG!!!
• problem is language characteristics

27
Language Redundancy and Cryptanalysis

• human languages are redundant
• eg "th lrd s m shphrd shll nt wnt"
• letters are not equally commonly used
• in English E is by far the most common letter
• followed by T,R,N,I,O,A,S
• other letters like Z,J,K,Q,X are fairly rare
• have tables of single, double triple letter
  frequencies for various languages

28
English Letter Frequencies
29
Use in Cryptanalysis

• key concept - monoalphabetic substitution ciphers
  do not change relative letter frequencies
• discovered by Arabian scientists in 9th century
• calculate letter frequencies for ciphertext
• compare counts/plots against known values
• if caesar cipher look for common peaks/troughs
• peaks at A-E-I triple, NO pair, RST triple
• troughs at JK, X-Z
• for monoalphabetic must identify each letter
• tables of common double/triple letters help

30
Example Cryptanalysis

• given ciphertext
• UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
• VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
• EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
• count relative letter frequencies (see text)
• guess P Z are e and t
• guess ZW is th and hence ZWP is the
• proceeding with trial and error finally get
• it was disclosed yesterday that several informal
  but
• direct contacts have been made with political
• representatives of the viet cong in moscow

31
Vigenère Cipher

• simplest polyalphabetic substitution cipher
• effectively multiple caesar ciphers
• key is multiple letters long K k1 k2 ... kd
• ith letter specifies ith alphabet to use
• use each alphabet in turn
• repeat from start after d letters in message
• decryption simply works in reverse

32
Example of Vigenère Cipher

• write the plaintext out
• write the keyword repeated above it
• use each key letter as a caesar cipher key
• encrypt the corresponding plaintext letter
• eg using keyword deceptive
• key deceptivedeceptivedeceptive
• plaintext wearediscoveredsaveyourself
• ciphertextZICVTWQNGRZGVTWAVZHCQYGLMGJ

33
Transposition Ciphers

• now consider classical transposition or
  permutation ciphers
• these hide the message by rearranging the letter
  order
• without altering the actual letters used
• can recognise these since have the same frequency
  distribution as the original text

34
Rail Fence cipher

• write message letters out diagonally over a
  number of rows
• then read off cipher row by row
• eg. write message out as
• m e m a t r h t g p r y
• e t e f e t e o a a t
• giving ciphertext
• MEMATRHTGPRYETEFETEOAAT

35
Row Transposition Ciphers

• a more complex transposition
• write letters of message out in rows over a
  specified number of columns
• then reorder the columns according to some key
  before reading off the rows
• Key 3 4 2 1 5 6 7
• Plaintext a t t a c k p
• o s t p o n e
• d u n t i l t
• w o a m x y z
• Ciphertext APTMTTNAAODWTSUOCOIXKNLYPETZ

36
Steganography

• Plaintext can be hidden by two ways
• Steganography conceal the existence of the
  message
• Cryptography render the message unintelligible
  to outsiders using various kinds of
  transformation of the text
• Examples of Steganography
• Character marking overwrite text with pencil
• Invisible ink use special substance
• Pin punctures pin puncture on selected letters

37
One-Time Pad

• One-time pad is a large non-repeating set of
  truly random key letters
• Encryption is a additional modulo 26 of plaintext
  character
• Pad length must be equal to the message length
  !!!
• For example
• Message ONETIMEPAD
• Pad Sequence TBFRGFARFM
• Ciphertext IPKLPSFHGQ
• Because
• OT mod 26 I ? 1520 mod 26 9
• NB mod 26 P ? 142 mod 26 16
• EF mod 26 K, etc.

Decryption PK mod 26 C P C-K
mod 26 I-T mod 26 9-20 mod 26
-11 mod 26 -1126 mod 26
15 mod 26
O
38
One-Time Pad (cont.)

• if a truly random key as long as the message is
  used, the cipher will be secure
• called a One-Time pad
• is unbreakable since ciphertext bears no
  statistical relationship to the plaintext
• since for any plaintext any ciphertext there
  exists a key mapping one to other
• can only use the key once though
• problems in generation safe distribution of key

39
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

40
Cryptographic Process
41
Block Cipher VS Stream Cipher

• Block cipher divides entire message in to blocks
  used to produce ciphertext.
• Stream cipher encrypts a data stream one bit or
  one byte at a time.

42
Stream Ciphers

• process message bit by bit (as a stream)
• have a pseudo random keystream
• combined (XOR) with plaintext bit by bit
• randomness of stream key completely destroys
  statistically properties in message
• Ci Mi XOR StreamKeyi
• but must never reuse stream key
• otherwise can recover messages (cf book cipher)

43
Stream Cipher Structure
44
Stream Cipher Properties

• some design considerations are
• long period with no repetitions
• statistically random
• depends on large enough key
• large linear complexity
• properly designed, can be as secure as a block
  cipher with same size key
• but usually simpler faster

45
RC4

• a proprietary cipher owned by RSA DSI
• another Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• widely used (web SSL/TLS, wireless WEP)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info
  processed a byte at a time

46
RC4 Key Schedule

• starts with an array S of numbers 0..255
• use key to well and truly shuffle
• S forms internal state of the cipher
• for i 0 to 255 do
• Si i
• Ti Ki mod keylen)
• j 0
• for i 0 to 255 do
• j (j Si Ti) (mod 256)
• swap (Si, Sj)

47
RC4 Encryption

• encryption continues shuffling array values
• sum of shuffled pair selects "stream key" value
  from permutation
• XOR St with next byte of message to en/decrypt
• i j 0
• for each message byte Mi
• i (i 1) (mod 256)
• j (j Si) (mod 256)
• swap(Si, Sj)
• t (Si Sj) (mod 256)
• Ci Mi XOR St

48
RC4 Overview
49
RC4 Security

• claimed secure against known attacks
• have some analyses, none practical
• result is very non-linear
• since RC4 is a stream cipher, must never reuse a
  key
• have a concern with WEP, but due to key handling
  rather than RC4 itself

50
Block Cipher Principles

• most symmetric block ciphers are based on a
  Feistel Cipher Structure
• needed since must be able to decrypt ciphertext
  to recover messages efficiently
• block ciphers look like an extremely large
  substitution
• would need table of 264 entries for a 64-bit
  block
• instead create from smaller building blocks
• using idea of a product cipher

51
Ideal Block Cipher
52
Claude Shannon and Substitution-Permutation
Ciphers

• Claude Shannon introduced idea of
  substitution-permutation (S-P) networks in 1949
  paper
• form basis of modern block ciphers
• S-P nets are based on the two primitive
  cryptographic operations seen before
• substitution (S-box)
• permutation (P-box)
• provide confusion diffusion of message key

53
Diffusion and Confusion

• Confusion hard to find any relationship between
  ciphertext and key.
• Diffusion spreads influence of individual
  plaintext or key bits over as much of the
  ciphertext as possible.
• In particular, one bit change of plaintext or key
  must increase the difficulty of cryptanalysis.

54
Block Cipher

• Divide a message M into m1, , mn
• Add padding to last block
• Use Ek to produce (ciphertext blocks) x1, , xn
• Use Dk to recover M from m1, , mn
• Modes of Block Ciphers
• Electronic Codebook
• Cipher Block Chaining
• Cipher Feedback
• Output Feedback
• Counter (CTR)

55
Electronic Codebook
56
Electronic Codebook (contd)

• Ideal for short amount of data transfer e.g.
  encryption key
• ECB produces the same message pattern if using
  the same input.
• Not secure for lengthy message, easy for
  cryptanalysis.

57
Cipher Block Chaining
58
Cipher Feedback
59
Output Feedback
60
Counter (CTR)

• a new mode, though proposed early on
• similar to OFB but encrypts counter value rather
  than any feedback value
• must have a different key counter value for
  every plaintext block (never reused)
• Ci Pi XOR Oi
• Oi DESK1(i)
• uses high-speed network encryptions

61
Counter (CTR) (cont.)
62
Advantages and Limitations of CTR

• efficiency
• can do parallel encryptions in h/w or s/w
• can preprocess in advance of need
• good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter values,
  otherwise could break (cf OFB)

63
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

64
Feistel Cipher Structure

• Virtually all conventional block encryption
  algorithms, including DES have a structure first
  described by Horst Feistel of IBM in 1973
• The realization of a Fesitel Network depends on
  the choice of the following parameters and design
  features (see next slide)

65
Feistel Cipher Structure (cont.)

• Block size larger block sizes mean greater
  security
• Key Size larger key size means greater security
• Number of rounds multiple rounds offer
  increasing security
• Subkey generation algorithm greater complexity
  will lead to greater difficulty of cryptanalysis.
• Fast software encryption/decryption the speed of
  execution of the algorithm becomes a concern
• Roung Function (F) Greater complexity is better,
  resistance to cryptanalysis

66
Feistel Encryption and Decryption
67
Proof LD1 RE15

• Encryption side
• LE16 RE15
• RE16 LE15 ? F(RE15, K16)
• Decryption side
• LD1 RD0 LE16 RE15
• RD1 LD0 ? F(RD0, K16)
• RE16 ? F(RE15, K16)
• LE15 ? F(RE15, K16) ? F(RE15, K16)
• LE15 ? F(RE15, K16) ? F(RE15, K16)
• LE15 ? 0
• LE15

68
Data Encryption Standard (DES)

• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
• as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over its
  security

69
DES History

• IBM developed Lucifer cipher
• by team led by Feistel in late 60s
• used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with
  input from NSA and others
• in 1973 NBS issued request for proposals for a
  national cipher standard
• IBM submitted their revised Lucifer which was
  eventually accepted as the DES

70
DES Design Controversy

• although DES standard is public
• was considerable controversy over design
• in choice of 56-bit key (vs Lucifer 128-bit)
• and because design criteria were classified
• subsequent events and public analysis show in
  fact design was appropriate
• use of DES has flourished
• especially in financial applications
• still standardised for legacy application use

71
Data Encryption Standard (DES)

• A block of 64-bit data is encrypted using 56-bit
  key to produce a 64-bit block of ciphertext.
• Decryption can be done by encrypting the
  ciphertext using the same key.

72
DES Encryption
73
Single Round of DES Encryption
74
Permutation Table for DES
75
Permutation Tables for DES
76
DES Key Schedule Calculation

• Permuted Choice 1 and 2

77
Calculation of F(R, K)

1. R is expanded to 48 bits.
2. The expanded R is XORed with 48-bit K.
3. Split 48-bit data into 8 groups of 6-bit data to
   enter S-Boxes
4. For each of the group, do the following
5. For the 6-bit data to enter each Si, 1st and 6th
   bits form a 2-bit binary number to identity the
   row number in Si.
6. The decimal value of 2nd 5th bits identify the
   column number in Si.
7. The selected decimal value from Si is then
   converted into 4-bit binary output of Si.

78
DES S-Boxes
Permutation Function
79
DES S-Boxes (cont.)
80
DES S-Boxes (cont.)
81
Example

• Input to S5 100111
• 1st and 6th bits are 11 -gt row 3
• 2nd-5th bits are 0011 -gt column 3
• The decimal value in row 3 and column 3 of S5 is
  7.
• The output value of S5 is 0111

2 12 4 1 7 14 11 2 12 4
4 2 1 11 10 11 8 12 7 1

S5
82
Avalanche Effect

• key desirable property of encryption alg
• where a change of one input or key bit results in
  changing approx half output bits
• making attempts to home-in by guessing keys
  impossible
• DES exhibits strong avalanche

83
Avalanche Effect in DES
84
Strength of DES Key Size

• 56-bit keys have 256 7.2 x 1016 values
• brute force search looks hard
• recent advances have shown is possible
• in 1997 on Internet in a few months
• in 1998 on dedicated h/w (EFF) in a few days
• in 1999 above combined in 22hrs!
• Recently, ....
• still must be able to recognize plaintext
• must now consider alternatives to DES

85
More about DES

• If only the attack on DES is brute force, then
  use longer key size.

86
Multiple Encryption DES

• clear a replacement for DES was needed
• theoretical attacks that can break it
• demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple
  encryption with DES implementations
• Triple-DES (3DES) is the chosen form

87
3DES with Two-Keys

• hence must use 3 encryptions
• would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
• C EK1(DK2(EK1(P)))
• nb encrypt decrypt equivalent in security
• if K1K2 then can work with single DES
• standardized in ANSI X9.17 ISO8732
• no current known practical attacks

88
3DES with Two-Keys (cont.)
89
Triple-DES with Three-Keys

• although are no practical attacks on two-key
  Triple-DES have some indications
• can use Triple-DES with Three-Keys to avoid even
  these
• C EK3(DK2(EK1(P)))
• has been adopted by some Internet applications,
  eg PGP, S/MIME

90
3DES with Three-Keys (cont.)
91
Other Symmetric Block Ciphers

• International Data Encryption Algorithm (IDEA)
• 128-bit key
• Used in PGP
• Blowfish
• Easy to implement
• High execution speed
• Run in less than 5K of memory

92
Other Symmetric Block Ciphers

• RC5
• Suitable for hardware and software
• Fast, simple
• Adaptable to processors of different word lengths
• Variable number of rounds
• Variable-length key
• Low memory requirement
• High security
• Data-dependent rotations
• Cast-128
• Key size from 40 to 128 bits
• The round function differs from round to round

93
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

94
Origins

• clear a replacement for DES was needed
• have theoretical attacks that can break it
• have demonstrated exhaustive key search attacks
• can use Triple-DES but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001

95
AES Requirements

• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger faster than Triple-DES
• active life of 20-30 years ( archival use)
• provide full specification design details
• both C Java implementations
• NIST have released all submissions unclassified
  analyses

96
AES

• 128-bit plaintext block
• Key length -gt 128, 192, 256 bits
• 10 rounds for each encryption and decryption
• 128-bit plaintext is divided into 16 8-bit
  (1-byte) blocks.
• 128-bit key is generated to 44 32-bit words,
  and 4 different words will be used in each round
• 11 sets of 4-word keys are used in 10-round
  encryption !
• Decryption algorithm is not identical to
  encryption algorithm

97
AES Parameters
98
AES Key Expansion
99
AES Encryption and Decryption
XOR
XOR
100
AES Encryption

• 4 stages in each round
• Substitution bytes -gt use S-box for byte-to-byte
  substitution
• Shift rows -gt simple row-by-row permutation
• Mix columns -gt a substitution that alters each
  byte in a column as a function of all of the
  bytes in the column
• Add round keys -gt bitwise XOR of the current
  block with the key

101
AES Encryption Round
16 bytes
102
SubBytes
103
SubBytes (cont.)
S-box
104
SubBytes (cont.)
Inverse S-box
105
SubBytes (cont.)
106
ShiftRows
107
MixColumns
108
MixColumns (cont.)
109
AddRoundKey
110
AddRoundKey (cont.)
111
AES Operations
112
Implementation Aspects

• can efficiently implement on 8-bit CPU
• byte substitution works on bytes using a table of
  256 entries
• shift rows is simple byte shift
• add round key works on byte XORs
• mix columns requires matrix multiply in GF(28)
  which works on byte values, can be simplified to
  use table lookups byte XORs

113
Implementation Aspects (cont.)

• can efficiently implement on 32-bit CPU
• redefine steps to use 32-bit words
• can precompute 4 tables of 256-words
• then each column in each round can be computed
  using 4 table lookups 4 XORs
• at a cost of 4Kb to store tables
• designers believe this very efficient
  implementation was a key factor in its selection
  as the AES cipher

114
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers Vs Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

115
Design of Symmetric Cryptosystems

• A Cryptographic algorithm should be efficient for
  good use
• It should be fast and key length should be of the
  right length e.g. not too short
• Cryptographic algorithms are not impossible to
  break without a key
• If we try all the combinations, we can get the
  original message

2-115
116
Design of Symmetric Cryptosystems (cont.)

• The security of a cryptographic algorithm depends
  on how much work it takes for someone to break it
• E.g. If it takes 10 mil. years to break a
  cryptographic algorithm X using all the computers
  of a state, X can be thought of as a secure one
  reason cluster computers and quantum computers
  are powerful enough to crack many current
  cryptographic algorithms.

117
Design of Symmetric Cryptosystems (cont.)

• Encryption Algorithm Design
• Should the block size of messages be small or
  large?
• Should the keyspace be large?
• Should we consider other search rather than
  brute-force search?

2-117
118
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Problems of Symmetric Cryptography

119
Placement of Encryption

• have two major placement alternatives
• link encryption
• encryption occurs independently on every link
• implies must decrypt traffic between links
• requires many devices, but paired keys
• end-to-end encryption
• encryption occurs between original source and
  final destination
• need devices at each end with shared keys

120
Locations of Encryption Devices
121
Placement of Encryption (cont.)

• when using end-to-end encryption must leave
  headers in clear
• so network can correctly route information
• hence although contents protected, traffic
  pattern flows are not
• ideally want both at once
• end-to-end protects data contents over entire
  path and provides authentication
• link protects traffic flows from monitoring

122
Placement of Encryption (cont.)

• can place encryption function at various layers
  in OSI Reference Model
• link encryption occurs at layers 1 or 2, 3
• end-to-end can occur at layers 4, 6, 7
• as move higher less information is encrypted but
  it is more secure though more complex with more
  entities and keys

123
Link Encryption VS End-to-end Encryption
124
Encryption VS Protocol Level
125
Traffic Padding
126
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

127
Key Distribution

• The security of symmetric cryptosystem is based
  on the security of key distribution.
• Important process ? two hosts need a shared key
  before transmitting a message securely.
• Secret key must be securely distributed between
  hosts, and need to be updated frequently.
• But, HOW can we securely distribute the shared
  key?

128
Key Exchange with Symmetric Cryptography

• Two kinds of keys
• Session key
• temporary key
• used for encryption of data between users
• for one logical session then discarded
• Master key
• used to encrypt and distribute session keys
• shared by user key distribution center
• Key Distribution Center (KDC)
• Shares permanent key with hosts
• Distributes session keys upon the requests of
  hosts

129
Key Distribution Scenario
130
Steps

• Alice sends a request (IDA, IDB) for a session
  key and a nonce (N1) to KDC.
• Nonce may be a random number.
• What is nonce for?
• KDC sends an encrypted message to A containing
• Session key KS
• Encrypted session key for Bob EKb(KS, IDA)
• Alice forwards EKb(KS, IDA) to Bob. Bob can
  decrypt it. (anyone else?)
• Bob confirms that he has received KS by sending
  Alice EKsN2.
• Alice responses by sending f(N2) encrypted with
  KS.

131
Hierarchical Key Control

• In a very large network, a single KDC is not
  enough -gt a hierarchy of KDCs can be established.
• Local KDCs and a global KDC
• Local KDC is responsible for parties in the same
  domain, whereas global KDC is taking care of
  communications of parties in different domains.

132
Key Distribution Issues

• hierarchies of KDCs required for large networks,
  but must trust each other
• session key lifetimes should be limited for
  greater security
• use of automatic key distribution on behalf of
  users, but must trust system
• use of decentralized key distribution
• controlling key usage

133
Session Key Lifetime

• The more frequently session keys are exchanged,
  the more secure they are.
• However, each session key distribution causes
  delays.
• In connection-oriented protocols, a new session
  key is issued for each connection.
• However, if the connection is open for a long
  time, it may be needed to retransmit a new
  session key.
• In connectionless protocols, not obvious how
  often the new session key is exchanged.
• A better strategy is to use a given session key
  for a certain fixed period only or for a certain
  number of transaction.

134
A Transparent Key Control Scheme
135
Decentralized Key Control

• Centralized Key Control -gt KDC is normally
  assumed to be trusted and secured from attacks.
• However, attacks may occur. -gt try decentralized
  approach
• Decentralization is suitable for local
  connection.
• Involved parties need a master key between pairs
  of parties as many as n(n-1)/2 keys among n
  users.

136
Decentralized Key Distribution
137
Decentralized Key Distribution (cont.)

1. Alice and Bob share a master key MKm.
2. Alice sends a request for a session key with a
   nonce N1 to Bob.
3. Bob sends KS encrypted with shared master key
   MKm. The message contains a nonce N2.
4. Alice responses with f(N2) encrypted with the
   session key.

138
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

139
Random Numbers

• many uses of random numbers in cryptography
• nonces in authentication protocols to prevent
  replay
• session keys
• public key generation
• keystream for a one-time pad
• in all cases its critical that these values be
• statistically random, uniform distribution,
  independent
• unpredictability of future values from previous
  values

140
Pseudorandom Number Generators (PRNGs)

• often use deterministic algorithmic techniques to
  create random numbers
• although are not truly random
• can pass many tests of randomness
• known as pseudorandom numbers
• created by Pseudorandom Number Generators
  (PRNGs)

141
Using Block Ciphers as PRNGs

• for cryptographic applications, can use a block
  cipher to generate random numbers
• often for creating session keys from master key
• Counter Mode
• Xi EKmi
• Output Feedback Mode
• Xi EKmXi-1

142
ANSI X9.17 PRG
Date/time
Seed value
143
ANSI X9.17 PRG (cont.)

• It uses date/time seed inputs and 3 triple-DES
  encryptions to generate a new seed random
  value.
• DTi - Date/time value at the beginning of ith
  generation stage
• Vi - Seed value at the beginning of ith
  generation stage
• Ri - Pseudorandom number produced by the ith
  generation stage
• K1, K2 - DES keys used for each stage
• Then compute successive values as
• Ri EDE(K1, K2, Vi XOR EDE(K1, K2,
  DTi))
• Vi1 EDE(K1, K2, Ri XOR EDE(K1, K2,
  DTi))

144
Natural Random Noise

• best source is natural randomness in real world
• find a regular but random event and monitor
• do generally need special h/w to do this
• eg. radiation counters, radio noise, audio noise,
  thermal noise in diodes, leaky capacitors,
  mercury discharge tubes etc
• starting to see such h/w in new CPU's
• problems of bias or uneven distribution in signal
  
• have to compensate for this when sample and use
• best to only use a few noisiest bits from each
  sample

145
Published Sources

• a few published collections of random numbers
• Rand Co, in 1955, published 1 million numbers
• generated using an electronic roulette wheel
• has been used in some cipher designs cf Khafre
• earlier Tippett in 1927 published a collection
• issues are that
• these are limited
• too well-known for most uses

146
Outline

• Overview of Cryptography
• Symmetric Cryptography
• Classical Cryptographic Techniques
• Block Ciphers VS Stream Ciphers
• DES and 3DES
• Advanced Encryption Standard (AES)
• Design of Symmetric Cryptosystems
• Locations of Encryption Devices
• Key Distribution
• Random Numbers
• Problems of Symmetric Cryptography

147
Problems of Symmetric Cryptography

• Keys must be distributed in secret.
• Keys are valuable as all the messages they
  encrypt.
• If a key is compromised, then so the security of
  the entire system.
• Not scalable -gt assume that each pair of total n
  users shares different secrets. Number of keys
  needed is n(n-1)/2 keys
• Algorithms are easy to break compared to
  public-key cryptographic algorithms
• However symmetric one can be performed faster -gt
  less time -gt less power consumption -gt suitable
  for being implemented in mobile devices
• Lack of necessary security services e.g. non
  repudiation, provide low-level of integrity check

148
Questions?

• Next week
• Public-key Cryptography

149
Discussion

• Discuss two differences between Block Cipher and
  Stream Cipher
• Explain how symmetric cryptography can provide
  authentication
• Suggest a key distribution technique that
  provides offline key generation and distribution