1. Network Security Cryptology Cryptography Cryptanalysis

2. Topics Covered Modern Encryption Techniques Simplified DES (S-DES) Block Cipher Principles The Feistel Cipher Diffusion and Confusion Data Encryption Standard DES Design Principles The Strength of DES DES Modes of Operation

3. Modern Encryption Techniques Secret Key (Symmetric) Cryptography Simplified Data Encryption Standard Data Encryption Standard Advanced Encryption Standard Public Key (Asymmetric) Cryptography RSA (Rivest-Shamir-Adleman) ECC (Elliptic Curve Cryptography) NTRU (Number Theorist aRe Us)

4. Symmetric Cryptography

5. Asymmetric Cryptography

6. Simplified Data Encryption Standard (S-DES) Developed by Professor Edward Schaefer of Santa Clara University.

7. S-DES: An Overview Similar properties and structure to DES, with much smaller parameters. Encryption It takes an 8-bit block of plain text and a 10-bit key as input and produces an 8-bit block of cipher text as output. Decryption It takes an 8-bit block of cipher text and the same 10-bit key used to produce that ciphertext as input and produces the original 8-bit block of plaintext.

8. S-DES Algorithm Algorithm involves 5 functions 1. An initial permutation (IP). 2. A complex function, f k, that involves both permutation and substitution operations and depends on a key input. 3. A simple permutation function that switches the two halves of the data (SW). 4. The function f k again. 5. A permutation function that is the inverse of the initial one (IP -1 ).

9. S-DES Algorithm

11. S-DES Key Generation It depends on the use of a 10-bit key shared between sender and receiver. From this key, two 8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm. First permute the key in the following fashion, P10(k 1,k 2,k 3,k 4,k 5,k 6,k 7,k 8,k 9,k 10 )=(k 3,k 5,k 2,k 7,k 4,k 10,k 1,k 9,k 8,k 6 )

12. S-DES Key Generation (contd.) Next perform a circular-left shift (LS-1), or rotation, separately on the first five bits and the second five bits. LS-1(k 1,k 2,k 3,k 4,k 5 )=(k 2,k 3,k 4,k 5,k 1 ) Next apply P8, which permutes 8 of the 10 bits according to the following rule, P8(k 1,k 2,k 3,k 4,k 5,k 6,k 7,k 8,k 9,k 10 )=(k 6,k 3,k 7,k 4,k 8,k 5,k 10,k 9 ) The result is subkey 1 (K 1 )

13. S-DES Key Generation (contd.) To get the second subkey (K 2 ), perform again a 2-bit circular-left shift LS-2 on the product of LS-1 LS-2(LS-1(k 1,k 2,k 3,k 4,k 5 )=LS-2(k 2,k 3,k 4,k 5,k 1 )=(k 4,k 5,k 1, k 2,k 3 ) Finally, P8 is applied again to produce K 2.

14. Example - Key Generation Permute 10-bit key: 1010000010 P10(1010000010) = 1000001100 Perform circular left shift, separately, on first 5 bits and second 5 bits (LS-1). LS-1(10000) = 00001 and LS-1(01100) = 11000 Pick out and permute 8 of the 10 bits: (P8) P8(0000111000) = 10100100 Result is K 1 Now perform circular left shift of 2 bit positions, on first 5 bits and second 5 bits (LS-2) on the result LS-1. LS-2(00001) = 00100 and LS-2(11000) = 00011 Apply (P8) again. P8(0010000011) = 01000011 Result is K 2

16. S-DES Encryption Initial and final permutations The Function f k Let L and R be left and right halves of 8-bit input to f k. Let F be a map from 4-bit strings to 4-bit strings, and SK be the subkey (K1 or K2) and  XOR is the bit-by-bit exclusive-OR function. f k (L, R) = (L  F(R, SK), R) IP 26314857 IP -1 41357286

17. Mapping F Input is 4-bit number (n 1 n 2 n 3 n 4 ). Expansion/permutation operation 8-bit subkey K1 is added to output of E/P using exclusive-OR. E/P 41232341

18. Mapping F (contd.) First 4 bits fed to S-box S0,second 4 bits fed to S-box S1. S-box uses 1 st and 4 th bits to specify a row,2 nd and 3 rd bits to specify a column. Entry in that position (base 2) is 2-bit output. 4-bits produced by S-Boxes (S0 & S1) are permuted using P4. P4 = (k 2 k 4 k 3 k 1 ) Output of P4 is output of F.

19. The Switch function The function f k only alters the leftmost 4-bits of the input. Switch function interchanges left and right 4 bits so that second instance of f k operates on a different 4 bits. In this second instance, the E/P, S0, S1, and P4 functions are same. The key input isK2.

20. Analysis of S-DES Brute-force attack is feasible, 2 10 = 1024 possible 10-bit keys. Known plaintext? Suppose we know a sinlge 8-bit plaintext and corresponding 8-bit ciphertext, and key is unknown. Each c i is a polynomial function of p j 's and k j 's. This means 8 non-linear equations in 10 unknowns. Alternating linear maps with these nonlinear maps results in complex polynomial expressions for the ciphertext bits, making cryptanalysis difficult.

21. Block Cipher Principles

22. Stream Cipher vs. Block Cipher Stream cipher is one that encrypts a digital data stream one bit or one byte at a time, e.g. Vigenere cipher and Vernam cipher Block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length (typically a block of 64 bits is used), e.g. S-DES and DES Various modes of operation can make a block cipher to achieve the same effect as a stream cipher. The vast majority of network-based cryptographic applications make use of block cipher.

23. Feistel Cipher Structure Reversible Transformation For the encryption to be reversible or non- singular (decryption is possible), each plaintext block must produce a unique ciphertext block. Irreversible Transformation For the encryption to be irreversible or singular (decryption is impossible), not all the plaintext block would have unique ciphertext block.

24. Feistel Cipher Symmetric block encryption algorithm are referred to as a Feistel block cipher. The concept is to have a product cipher which is performing two or more basic ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers. Feistel proposed the use of a cipher that alternates substitution and permutation. This cipher is referred to as a product cipher that alternates confusion and diffusion functions.

25. Confusion and Diffusion Introduced by Claude Shannon in 1945 to capture the two basic building blocks for any cryptographic system. Shannon’s concern was to thwart cryptanalysis based on statistical analysis. In this way all statistics of the ciphertext are independent of the particular key used. Confusions is achieved through the XOR operation performed on ciphertext and the value of the encryption key. This is achieved by the use of a complex substitution algorithm. Diffusion is achieved through numerous permutations followed by applying a function to that permutation. The unknown values are put into the plaintext. This causes diffusion.

26. Classical Feistel Network

27. Feistel Network Parameters Block Size: Larger block sizes-greater security-reduced speed (64 bits) Key Size: Larger key sizes-greater security-reduced speed Number of rounds: Multiple rounds-increased security (16 rounds) Subkey generation algorithm: Greater complexity-greater security Round function: Greater complexity-greater security

28. Feistel Cipher Mechanism The text being encrypted is split into two halves. The round function F is applied to one half using a subkey K i and the output of F is XORed with the other half. The two halves are then swapped. Each round follows the same pattern except for the last round where there is no swap. R r XOR F(k r,L r ) = R r XOR F(k r,R r-1 ) = R r XOR (R r ÅL r-1 ) = L r-1

29. Data Encryption Standard The Actual DES

30. About DES The original ideas behind the Data Encryption Algorithm were developed by IBM in the 1960's and was based on Claude Shannon’s concept. The technique was first called as Lucifer and later refined and renamed as the DEA (Data Encryption Algorithm) and adopted as the standard in 1976. In 1977 the United States Government chose the Data Encryption Standard (DES). DES was widely adopted by industry for secure communication Example: DES is used to encrypt personal identification numbers (PINs) and account transactions in automated teller machines (ATMs

31. Data Encryption Standard There are two inputs to the encryption function, i.e. the plaintext and the key. The plain text must be 64 bits and the key is 56 bits in length. Processing of the plaintext proceeds in three phases, The 64 bit plaintext passes through an Initial Permutation (IP) Then a 16 "rounds" of operations which involves both permutation and substitution functions that mix the data and key together in a prescribed manner. The pre-output obtained from swapping the left and right halves of the output in each round, is then passed through a Permutation (IP -1 ) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext.

32. DES Encryption Algorithm

33. Why 16 rounds? The goal is to completely scramble the data and key so that every bit of the ciphertext depends on every bit of the data and every bit of the key (a 56-bit quantity for the DES). After sufficient "rounds" with a good algorithm, there should be no correlation between the ciphertext and either the original data or key. The DES uses 16 rounds for some solid reasons. First, a minimum of 12 rounds were needed to sufficiently scramble the key and data together; the others provided a margin of safety. Second, the operation of 16 rounds would return the key back to its original position in an electronic device for the next use when used in accordance with the published algorithm.

34. Details of Single Round

36. Permutation Tables for DES Initial Permutation (IP) 585042342618102 605244362820124 625446383022146 645648403224168 57494133251791 595143352719113 615345372921135 635547393123157 Inverse Initial Permutation (IP -1 ) 408481656246432 397471555236331 386461454226230 375451353216129 364441252206028 353431151195927 342421050185826 33141949175725

37. Permutation Tables for DES Expansion Permutation (E) 3212345 456789 8910111213 121314151617 161718192021 202122232425 242526272829 28293031321 Permutation Function (P) 167202129122817 11523265183110 282414322739 19133062211425

38. DES Mechanism The 64-bit block being enciphered is broken into two halves. The right half goes through one DES round, and the result becomes the new left half. The old left half becomes the new right half, and will go through one round in the next round. This goes on for 16 rounds, but after the last round the left and right halves are not swapped, so that the result of the 16th round becomes the final right half, and the result of the 15th round (which became the left half of the 16th round) is the final left half.

39. DES Mechanism (contd.) Fundamentally DES performs only two operations on its input, Bit shifting, and Bit substitution. The key controls exactly how this process works. By doing these operations repeatedly and in a non-linear manner you end up with a result which can not be used to retrieve the original without the key. Those familiar with chaos theory should see a great deal of similarity to what DES does. By applying relatively simple operations repeatedly a system can achieve a state of near total randomness.

40. DES Mechanism (contd.) For each iteration a 48 bit subset of the 56 bit key is fed into the encryption block. Decryption is the inverse of the encryption process. The key is usually stored as a 64-bit number, where every eighth bit is a parity bit. The parity bits are pitched during the algorithm, and the 56-bit key is used to create 16 different 48-bit subkeys - one for each round.

41. DES Key Generation In order to generate 16  48-bit subkeys from the 56- bit key, the following process is used. First, the key is loaded according to the Permutation Choice 1 (PC-1) and then halved. Then each half is rotated by 2 bits in every round except the first, second, 9th and last rounds. The reason for this is that it makes it secure against related-key cryptanalysis. Then 48 of the 56 bits are chosen according to a compression permutation. The subkeys used by the 16 rounds are formed by the key schedule which consists of, An initial permutation of the key (PC-1) which selects 56-bits in two 28-bit halves

42. Key Schedule Calculation The key rotation schedule KS is specified as: Round12345678910111213141516 KS1122222212222221 Total Rot 124681012141517192123252728 Permutation Choice One (PC-1) 5749413325179 1585042342618 1025951433527 1911360524436 63554739312315 7625446383022 1466153453729 211352820124 Permutation Choice Two (PC-2) 1417112415328 15621102319124 2681672720132 4152313747553040 5145334844493956 3453464250362932

43. S-Box The S-boxes are somewhat different from the other permutations. While all the others are set up according to "bit x goes to bit y", the input bits can be viewed differently for the S- boxes. If the input is {d1,d2,d3,d4,d5,d6} then the two-bit number {d1,d6} and the four-bit number {d2,d3,d4,d5} are used as indices to the table. For the 48-bit word {d1,d2..d48}, the word {d1..d6} is sent to S-box 1, the word {d7,,d12} to S-box 2, etc. The output of S-box 1, {o1..o4}, that of S-box 2, {o5..o8} etc. are concatenated to form the output.

44. Mangler Function using S-Boxes

45. S-Box (contd.) S1S1 1441312151183106125907 0157414213110612119538 4114813621115129731050 1512824917511314100613 S2S2 1518146113497213120510 3134715281412011069115 0147111041315812693215 1381013154211671205149 S3S3 1009146315511312711428 1370934610285141211151 1364981530111212510147 1101306987415143115212

46. S-Box (contd.) S4S4 7131430691012851112415 1381156150347212110149 1069012117131513145284 3150610113894511127214 S5S5 2124171011685315130149 11212471315015103986 4211110137815912563014 1181271142136150910453 S6S6 1211015926801334147511 1015427129561131401138 9141552812370410113116 4321295151011141760813

47. S-Box (contd.) S7S7 4112141508133129751061 1301174911014351221586 1411131237141015680592 6111381410795015142312 S8S8 1328461511110931450127 1151381037412561101492 7114191214206101315358 2114741081315129035611

48. P-Box The output of each of the 8 S-boxes is concatenated to form a 32-bit number, which is then permutated with a P-box. This P-box is a straight permutation, and the resulting number is XOR-ed with the left half of the input block with which we started at the beginning of this round. Finally, if this is not the last round, we swap the left and right halves and start again.

49. Strength of DES A brute-force attack is impractical with a key length of 56 bits since there are 2 56 possible keys, which is approximately 7.2 x 10 16 keys. Strength can be increased by compression of plain text before encryption. Strength of DES has become questionable since very powerful machines is in action which can do parallel execution in a bit of time to break the cipher text.

50. Security Provided by DES The security provided by the DES depends on several factors: Mathematical soundness, length of key, key management, input data formatting, mode of operation, implementation, application and threat. The DES was developed to protect unclassified computer data in federal computer systems against a number of passive and active attacks in communications and storage systems. It was assumed that a knowledgeable person might seek to comprise the security system with resources commensurate to the value of the information to be obtained. Applications included Electronic Funds Transfer, privacy protection of personal information, personal authentication, password protection, access control, etc.

51. DES Cryptanalysis

52. Differential Cryptanalysis Quite complex! The overall strategy is based on consideration of seeing the probability of occurrence of same difference in output with same subkey used in a single round. Assume two plaintext messages with m and m ’ with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the cipher text. There can be two probable differences between two 32-bit halves. We repeat this process until all probable patterns are correct.

53. Differential Cryptanalysis (contd.) For a large number of plaintexts, you can determine a certain behavior of the algorithm, you can help determine how changing the key affects the ciphertext, and in fact begin to guess bits of the key Differential cryptanalysis guesses bits of the key through various methods, until a brute force search on the remaining bits of the key becomes feasible and faster than other, more complex methods

54. Linear Cryptanalysis Based on finding linear approximations to describe the transformations performed in DES. For a Cipher with n-bit of plain text and cipher text blocks and m-bit key, let the plaintext block be labeled P[1],……, P[n], the cipher text block C[1],……, C[n] and the key K[1],…., K[m] so we define A[i,j,….., k] = A[i]  A[j] ,……,  A[k] The objective of linear cryptanalysis is to find an effective linear equation of the form P[  1,  2, ……..,  n ]  C[β 1, β 2, ……., β n ]= K[γ 1, γ 2, …….. [γ c ] Where , β and γ represent fixed, unique bit locations

55. DES Modes of Operation Four modes of operation have been defined for the DES by ANSI in the standard: There are classified on the basis of the types of symmetric algorithms: Block Modes splits messages in blocks (ECB, CBC) Stream Modes on bit stream messages (CFB, OFB)

56. Electronic Code Book (ECB) In ECB mode, each plaintext block is encrypted independently with the block cipher. A 64 bit data block is entered into the algorithm with a key and a block of ciphertext is produced. For a given block of plaintext and a given key, the same block ciphertext is always produced.

57. Electronic Codebook (ECB)

58. Cipher Block Chaining (CBC) In CBC mode, each plaintext block is XORed with the previous ciphertext block and then encrypted. An initialization vector c0 is used as a ``seed'' for the process. In ECB mode, a block of plaintext and a key will always give the same ciphertext. In CBC each block of text, the key and the value based on the previous block is processed in the algorithm and applied to the next block of text.

59. Cipher Block Chaining (CBC)

60. Cipher Feedback Mode (CFB) In CFB mode, the previous ciphertext block is encrypted and the output produced is combined with the plaintext block using XOR to produce the current ciphertext block. It is possible to define CFB mode so it uses feedback that is less than one full data block. An initialization vector c0 is used as a ``seed'' for the process.

62. Output Feedback Mode (OFB) OFB mode is similar to CFB mode except that the quantity XORed with each plaintext block is generated independently of both the plaintext and ciphertext. An initialization vector s0 is used as a ``seed'' for a sequence of data blocks si, and each data block si is derived from the encryption of the previous data block si-1. The encryption of a plaintext block is derived by taking the XOR of the plaintext block with the relevant data block.

63. DES Mode of Operation contd. Counter Mode A “new” mode used in ATM network security and IPSec Similar to OFB but encrypts counter value rather than any feedback value Must have a different key & counter value for every plaintext block (never reused) Counter is incremented by one Efficiency: can do parallel encryptions in h/w or s/w and can preprocess in advance of need Applications: high-speed network encryptions

64. Counter Mode

65. Multiple Encryption & DES Clearly a replacement for DES was needed since theoretical attacks existed that could break it AES is a new cipher alternative Prior to this alternative was to use multiple encryption with DES implementations.

66. Double-DES? C = E K2 (E K1 (P)) P = D K1 (D K2 (D)) The double DES can be considered a single encryption with a key of length 112 bits. It is not a single encryption with a key of 56 bits. Hence there are more key combinations and its stronger than single DES. DES with twice keys will produce one of many mappings that is not defined by a single application of DES. Double DES is subject to “meet-in-the-middle” attack Works whenever use a cipher twice Since X = E K1 (P) = D K2 (C) Attack by encrypting P with all keys and store Then decrypt C with keys and match X value It takes O(2 56 ) steps which is slightly less than DES brute force attack.

67. Double-DES contd.

68. Triple-DES with Two-Keys To counter the meet-in-the-middle attack, triple DES with Three keys are used. The known plaintext attack is not possible anymore because it will require 2 112 steps. The key size is increased to 168 which is not practical. Tuchman proposed 3 encryptions but can use 2 keys with E-D-E sequence C = E K1 [D K2 [E K1 [P]]] P = D K1 [E K2 [D K1 [C]]] if K1=K2 then can work with single DES instead. Standardized in ANSI X9.17 & ISO8732 no current known practical attacks

69. Triple-DES with Two-Keys Contd.

70. Triple-DES with Three-Keys Although are no practical attacks on two-key Triple-DES have some indications. Can use Triple-DES with Three-Keys to avoid even these C = E K3 (D K2 (E K1 (P))) Has been adopted by some Internet applications, e.g. PGP, S/MIME

71. What Next? Advance Encryption Standard (AES) An Overview AES Requirements AES Algorithms