Chapter 20Symmetric Encryption and Message Confidentiality

Symmetric Encryption

also referred to as: conventional encryption secret-key or single-key encryption

only alternative before public-key encryption in 1970’s

still most widely used alternative

has five ingredients: plaintext encryption algorithm secret key ciphertext decryption algorithm

Cryptography

classified along three independent dimensions:

the type of operations used for transforming plaintext to ciphertext• substitution – each

element in the plaintext is mapped into another element

• transposition – elements in plaintext are rearranged

the number of keys used• sender and receiver

use same key – symmetric

• sender and receiver each use a different key - asymmetric

the way in which the plaintext is processed• block cipher –

processes input one block of elements at a time

• stream cipher – processes the input elements continuously

Cryptanalysis

type of attack

known to cryptanalyst

Computationally Secure Encryption Schemes

encryption is computationally secure if: cost of breaking cipher exceeds value of

information time required to break cipher exceeds the

useful lifetime of the information

usually very difficult to estimate the amount of effort required to break

can estimate time/cost of a brute-force attack

Feistel Cipher

Structure

Block Cipher Structure

symmetric block cipher consists of: a sequence of rounds with substitutions and permutations

controlled by key

parameters and design features:

block size key size number of rounds subkey generation algorithm round function

fast software encryption/decryption ease of analysis

DES

Most Widely used Encryption Minor variation on Feistel Network Modern symmetric-key cryptosystems

Data Encryption Standard (DES) Adopted in 1976 Block size = 64 bits Key length = 56 bits

Advanced Encryption Standard (AES) Adopted in 2000 Block sizes = 128, 192, or 256 bits Key lengths = 128, 192, or 256 bits

1973: NBS (now NIST) solicits proposals for crypto algorithm which: Provides a high level of security Completely specified and easy to understand Is available royalty-free Is efficient

DES - Keys

Any 56-bit string can be a DES key There are 256 keys

72,057,594,037,927,936 DES keys

Test one trillion keys per second 2 hours to find the key

A very small number of “weak keys”

DES – The Algorithm

To encrypt a 64-bit plaintext block

An initial permutation 16 rounds of

substitution, transposition

48-bit subkey added to each round,

Subkeys derived from 56-bit DES key

Final permutation

DES Initial Permutation

Permutes 64 bits of the plaintext

58th bit is moved to position 1 50th bit is moved to position 2

…. 7th bit is moved to position 64

DES – Subkey Generation

DES key: 64-bits (eight parity bits) A 56-bit DES key

11010001101010101000101011101010101000100011010101010101

The 64-bit representation 11010001110101001010001101011100101010100001000111

01010010101010

Sixteen 48-bit subkeys generated from 64-bit DES key (one for each round)

DES – Subkey (cont)

64-bit DES key 110100011101010010100011010111001010101

0000100011101010010101010

A key permutation removes eight parity bits and

The 57th bit is moved to position 1 The 49th bit is moved to position 2

… The 4th bit is moved to position 56

64-bit “key” to 56-bit DES key

DES – Subkey Gen (cont)

56 key bits (after permutation) divided into two 28-bit halves

Each half circularly shifted left by one bit (rounds 1,2,9 and 16) or 2 bits (all other rounds)

Halves recombined into 56 bit string

DES – Compression Perm

Compression permutation selects 48 bits

14th bit goes to output 117th bit goes to output 2

….32nd bit goes to output 48

DES Round 1 Subkey & Subkey overview

DES Round 1 Subkey DES - Subkey Overview

DES – Rounds

Each of 16 rounds takes 64-bit block of input to 64-bit block of output

The output from initial perm is input to round one

Round one output is input to round twoRound two output is input to round

three

Round 16 output is ciphertext

DES – Round 1

Subkey1

Input block (64)

L1 (32) R1 (32)

EP

XOR

S-box

P-box

XOR

L2 (32) R2 (32)

Output block (64)

DES Rounds

64-bit input divided into two 32-bit halves

Right half sent through expansion perm which produces 48 bits by Rearranging the input bits Repeating some input bits

more than once

Expansion permutation

DES – XOR Operation

XOR is applied to the 48-bit output of expansion perm and subkey

The resulting 48-bits go to S-boxes

DES – S-boxes

S-boxes perform substitution 8 different S-boxes Each S-box maps 6 bits to 4 bits

Bits 1-6 are input to S-box 1 Bits 7-12 are input to S-box 2, etc.

DES – Inside an S-box

Each S-box has 4 rows, 16 columns. First and last input bits specify the row. Middle four input bits specify the column e.g. S-box 1

S-box entry is the four-bit output. Examples with S-box 1

011010 row 0, column 13 9 = 1001 (output) 110010 row 2, column 9 12 = 1100 (output) 000011 row 1, column 1 15 = 1111 (output)

DES – S-boxes

DES – P-box

32-bit output of S-boxes goes to P-box

P-box permutes the bits

The first bit is moved to position 16 The second bit is moved to position 7 The third bit is moved to position 20

: The thirty-second bit is moved into

position 25

Chapter 3 Symmetric Key Cryptosystems

25

DES – Second XOR Operation

Output of P-box is XORed with the left half of 64-bit input block

32-bit output of the XOR operation: 01101111011011000110111010010010

DES – Rounds

64-bit output from round 1 is input for round 2

Output from round 2 is input for round 3:

Output from round 16 is passed through a final permutation

DES – Final Perm

Final permutation is inverse of initial perm

40th bit is moved into the 1st position 8th bit is moved into the 2nd position

: 25th bit is moved into the 64th

position Output of final permutation is

ciphertextDES – Encryption

Overview

DES - Decryption

Same algorithm and key as encryption Subkeys are applied in opposite order

Subkey 16 used in first round Subkey 15 used in second round

: Subkey 1 used in 16th round

AES

1997: NIST requests proposals for a new Advanced Encryption Standard (AES) to replace DES

NIST required that the algorithm be: A symmetric-key cryptosystem A block cipher Capable of supporting a block size of 128 bits Capable of supporting key lengths of 128, 192, and 256

bits Available on a worldwide, non-exclusive, royalty-free basis

Evaluation criteria: Security - soundness of the mathematical basis and the

results of analysis by the research community Computational efficiency, memory requirements, flexibility,

and simplicity

AES – Round 1 Results

After eight months of analysis and public comment, NIST: Eliminated DEAL, Frog, HPC, Loki97, and Magenta

Had what NIST considered major security flaws Were among the slowest algorithms submitted

Eliminated Crypton, DFC, E2, and SAFER+ Had what NIST considered minor security flaws Had unimpressive characteristics on the other evaluation

criteria Eliminated CAST-256

Had mediocre speed and large ROM requirements Five candidates, MARS, RC6, Rijndael, Serpent, and

Twofish, advanced to the second round Analysis and public comment on the five finalists circa 2000

Selects Rijndael Adequate security margin, fast encryption, decryption, and key setup

speeds, low RAM and ROM requirements

AES – Rijndael Algorithm

Symmetric-key block cipher Block sizes are 128, 192, or 256 bits Key lengths are 128, 192, or 256 bits

Performs several rounds of operations to transform each block of plaintext into a block of ciphertext The number of rounds depends on the block size

and the length of the key: Nine regular rounds if both the block and key are 128

bits Eleven regular rounds if either the block or key are

192 bits Thirteen regular rounds if either the block or key is

256 bits One, slightly different, final round is performed

after the regular rounds

AES – Rijndael Algorithm (cont)

For a 128-bit block of plaintext and a 128-bit key the algorithm performs: An initial AddRoundKey (ARK)

operation Nine regular rounds composed

of four operations: ByteSub (BSB) ShiftRow (SR) MixColumn (MC) AddRoundKey (ARK)

One final (reduced) round composed of three operations: ByteSub (BSB) ShiftRow (SR) AddRoundKey (ARK)

AES – Rijndael Keys

Keys are expressed as 128-bit (or bigger) quantities Keyspace contains at least 2128 elements:

340,282,366,920,938,463,463,374,607,431,768,211,456 Exhaustive search at one trillion keys per second

takes: 1x1019 years (the universe is thought to be about 1x1010 years

old) Blocks and keys are represented as a two-dimensional

array of bytes with four rows and four columns: Block = 128 bits = 16 bytes = b0 , b1, . . ., b15

Key = 128 bits = 16 bytes = k0 , k1, . . ., k15

AES Round Structu

re

AES - The ByteSub Operation

An S-box is applied to each of the 16 input bytes independently

Each byte is replaced by the output of the S-box:

AES – The Rijndael S-box

The input to the S-box is one byte:

Example 1: b0 = 01101011 (binary) = 6b (hex) b’0 = row 6, column b = 7f (hex) =

01111111 (binary) Example 2:

b1 = 00001000 (binary) = 08 (hex) b’1 = row 0, column 8 = 30 (hex) =

00110000 (binary) Example 3:

b2 = 11111001 (binary) = f9 (hex) b’2 = row f, column 9 = 99 (hex) =

10011001 (binary)

AES - ShiftRow Operation

Each row of the input is circularly left shifted: First row by zero places Second row by one place Third row by two places Fourth row by three places

AES - The MixColumn Operation

The four bytes in each input column are replaced with four new bytes:

AES - The AddRoundKey Operation

Each byte of the input block is XORed with the corresponding byte of the round subkey:

AES – Rijndael Overview

Advanced

Encryption

Standard (AES)

AES Summary

The research community participated very actively and expertly in the design and evaluation of the candidate algorithms

The AES selection process served to raise public awareness of cryptography and its importance

The AES algorithm is widely used The AES should offer useful cryptographic

protection for at least the next few decades

Triple DES (3DES)

first used in financial applications

in DES FIPS PUB 46-3 standard of 1999

uses three keys and three DES executions:

C = E(K3, D(K2, E(K1, P)))

decryption same with keys reversed

use of decryption in second stage gives compatibility with original DES users

effective 168-bit key length, slow, secure

AES will eventually replace 3DES

Stream Ciphers

processes input elements continuously

key input to a pseudorandom bit generator produces stream of random like numbers unpredictable without knowing input key XOR keystream output with plaintext bytes

are faster and use far less code

design considerations: encryption sequence should have a large period keystream approximates random number

properties uses a sufficiently long key

Table 20.3

Source: http://www.cryptopp.com/benchmarks.html

Speed Comparisons of Symmetric Ciphers on a Pentium 4

The RC4 Algorithm

Block Cipher Modes

Many modes of operation We discuss two in particular later on

Electronic Codebook (ECB) mode Obvious thing to do Encrypt each block independently There is a serious weakness

Cipher Block Chaining (CBC) mode Chain the blocks together More secure than ECB, virtually no

extra work

Modes of Operation

Electronic Codebook (ECB)

simplest mode

plaintext is handled b bits at a time and each block is encrypted using the same key

“codebook” because have unique ciphertext value for each plaintext block not secure for long messages since repeated

plaintext is seen in repeated ciphertext

to overcome security deficiencies you need a technique where the same plaintext block, if repeated, produces different ciphertext blocks

Alice Hates ECB Mode

Alice’s uncompressed image, Alice ECB encrypted (TEA)

Why does this happen? Same plaintext block same ciphertext!

CBC Mode

Blocks are “chained” togetherA random initialization vector, or IV,

is required to initialize CBC modeIV is random, but need not be secret

Encryption DecryptionC0 = E(IVP0,K), P0 = IVD(C0,K),

C1 = E(C0P1,K), P1 = C0D(C1,K),

C2 = E(C1P2,K),… P2 = C1D(C2,K),…

Cipher Block Chaining (CBC)

Intro to Information Security 52

CBC Mode

Identical plaintext blocks yield different ciphertext blocks

Cut and paste is still possible, but more complex (and will cause garbles)

If C1 is garbled to, say, G thenP1 C0D(G,K), P2 GD(C2,K)

But, P3 = C2D(C3,K), P4 = C3D(C4,K), …Automatically recovers from errors!

Alice Likes CBC Mode

Alice’s uncompressed image, Alice CBC encrypted (TEA)

Why does this happen? Same plaintext yields different ciphertext!

Location of Encryption

Key Distribution

the means of delivering a key to two parties that wish to exchange data without allowing others to see the key

two parties (A and B) can achieve this by:1

•a key could be selected by A and physically delivered to B

2

•a third party could select the key and physically deliver it to A and B

3

•if A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key

4

•if A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B

Key Distribution

Chapter Summary

symmetric encryption principles cryptography

cryptanalysis

Feistel cipher structure

data encryption standard triple DES

advanced encryption standard algorithm details

key distribution

stream ciphers and RC4 stream cipher

structure

RC4 algorithm

cipher block modes of operation electronic codebook mode

cipher block chaining mode

cipher feedback mode

counter mode

location of symmetric encryption devices