
Page 1: Chapter 4

Cryptography and Security Services: Mechanisms and Applications

Manuel [email protected]

M. Mogollon – 1

Chapter 4: Confidentiality – Symmetric Encryption

Page 2: Chapter 4

M. Mogollon – 2 Encryption Systems Basic Encryption Shift Registers Key Generators AES Block Ciphers

Session 2 – Contents

• Types of Crypto Systems
— Symmetric Encryption
  – Stream Ciphers
  – Block Cipher Systems
— Asymmetric Encryption

• Basic Theory of Enciphering

• Shift Registers
— Linear Feedback Shift Registers (LFSRs)
— Non-Linear Combinations of LFSR Devices

• Key Generators

• Block Ciphers
— Data Encryption Standard (DES) (FIPS 46-3)
— Modes of Operation (FIPS 81)
— Triple DES (FIPS 46-3 and ANSI X9.52)
— Advanced Encryption Standard (AES) (FIPS 197)

Page 3: Chapter 4

What is Confidentiality?

• Confidentiality: protection against unauthorized individuals reading information that is supposed to be kept private. Confidentiality is achieved by enciphering the information with an encryption algorithm.

Page 4: Chapter 4

Confidentiality and its Security Mechanisms

Confidentiality: protection of data from unauthorized disclosure.

[Figure: taxonomy of encryption algorithms]
• Symmetric
— Stream ciphers: synchronous (e.g., a block cipher in OFB mode), self-synchronous (e.g., a block cipher in CFB mode); RC4
— Block ciphers: DES, 3DES, AES, MARS, CAST, Blowfish, RC5, IDEA
• Asymmetric (public-key): RSA, ElGamal, Schnorr, Pohlig Hellman, ECC

Page 5: Chapter 4

Types of Crypto Systems

• Symmetric Cryptography – Secret Key
— A single key serves as both the encryption and the decryption key.
— Initial arrangements need to be made for the individuals to share the secret key.
— Stream ciphers and block ciphers (DES, AES).

• Asymmetric Cryptography – Public Key
— One key is used to encipher and another to decipher.
— Privacy is achieved without keeping the enciphering key secret, because a different key is used for deciphering.
— Pohlig Hellman, Schnorr, RSA, ElGamal, and Elliptic Curve Cryptography (ECC) are popular asymmetric crypto systems. (Strictly, the Pohlig-Hellman exponentiation cipher keeps both of its exponents secret and is therefore a symmetric scheme.)

Page 6: Chapter 4

Symmetric Key Crypto System

• Security is based on the secret key, not on the encryption algorithm (Kerckhoffs's principle).
• The sharing of secret keys is necessary.
• Strengths: fast, good for encrypting large amounts of data.
• Weakness: key delivery.
• There are two types of symmetric crypto systems: stream ciphers (RC4) and block ciphers (DES, AES, RC5, CAST, IDEA).

[Figure: plaintext → Encryption Algorithm (encipher) → ciphertext → Encryption Algorithm (decipher) → plaintext, with the same secret key used on both sides. The sample plaintext "As the market requirements for secure products has exponentially increased, our strategy will be to …" is shown turning into unreadable ciphertext and back.]

Page 7: Chapter 4

Asymmetric Key Crypto System (Public Key Algorithm)

• Public key encryption involves two mathematically related keys.
• Either key can be used to encipher, and the other one then deciphers (this symmetry holds for RSA; in general the public key enciphers and the private key deciphers).
• One of the keys can be made public and the other kept private.
• Strengths: no key delivery issues; can be used for non-repudiation.
• Weakness: slow, inefficient for large amounts of data, computationally expensive.
• Algorithms: RSA, ElGamal, Schnorr, Pohlig-Hellman, Elliptic Curve Cryptography.
• Used mainly for key exchange or digital signatures; bulk data is then protected with a symmetric cipher under the exchanged key.

[Figure: one key to encipher, another key to decipher; the same sample plaintext and ciphertext as on the previous slide.]

Page 8: Chapter 4

Stream Ciphers

• Plaintext is broken up into successive bits, and each one is enciphered with a bit from a keystream.
• If the keystream repeats itself after n characters, the stream is periodic; otherwise, it is non-periodic.
• Types of stream ciphers
— Synchronous stream cipher
— Self-synchronous stream cipher

[Figure: a one-time keypad feeding a stream of output bits.]

Page 9: Chapter 4

Stream Cipher Encryption Using Modulo-2

Modulo-2 adder (XOR):
1 + 0 = 1    1 + 1 = 0
0 + 1 = 1    0 + 0 = 0

Enciphering
Plaintext   1 0 0 1 1 0 0 0 1 0 1 0 0 0 1 1 0
Keystream   1 0 1 1 0 0 1 1 1 0 0 1 0 0 0 1 1
Ciphertext  0 0 1 0 1 0 1 1 0 0 1 1 0 0 1 0 1

Deciphering
Ciphertext  0 0 1 0 1 0 1 1 0 0 1 1 0 0 1 0 1
Keystream   1 0 1 1 0 0 1 1 1 0 0 1 0 0 0 1 1
Plaintext   1 0 0 1 1 0 0 0 1 0 1 0 0 0 1 1 0

Deciphering is the same operation as enciphering, with the same keystream, because (p + k) + k = p modulo 2.

[Figure: plaintext → modulo-2 adder (+ keystream) → ciphertext → modulo-2 adder (+ keystream) → plaintext.]

Page 10: Chapter 4

Symmetric Key Stream Cipher (Synchronous)

• Keystream generated independently of the plaintext or ciphertext.
• Crypto variable (key) and initialization vector required.
• Periodic keystream.
• The two key generators must stay in synchronization: same crypto variables, same initialization vector, same position in the keystream.

[Figure: two key generators, each loaded with the same Cryptographic Variables (CV) and Initialization Vector (IV) and kept in synchronization; each feeds a modulo-2 adder that XORs the keystream with the plaintext (encipher) or with the ciphertext (decipher).]

Page 11: Chapter 4

Bit Flip and Missing Bits

Modulo-2 adder (XOR): 1 + 0 = 1, 1 + 1 = 0, 0 + 1 = 1, 0 + 0 = 0

A bit is not received correctly (bit flip)

Enciphering
Plaintext   1 0 0 1 1 0 0 0 1 0 1 0 0 0 1 1 0
Keystream   1 0 1 1 0 0 1 1 1 0 0 1 0 0 0 1 1
Ciphertext  0 0 1 0 1 0 1 1 0 0 1 1 0 0 1 0 1

Deciphering (the first ciphertext bit is received as 1 instead of 0)
Ciphertext  1 0 1 0 1 0 1 1 0 0 1 1 0 0 1 0 1
Keystream   1 0 1 1 0 0 1 1 1 0 0 1 0 0 0 1 1
Plaintext   0 0 0 1 1 0 0 0 1 0 1 0 0 0 1 1 0

Only the plaintext bit at the same position is wrong; the error does not spread.

A bit is missing

Enciphering
Plaintext   1 0 0 1 1 0 0 0 1 0 1 0 0 0 1 1 0
Keystream   1 0 1 1 0 0 1 1 1 0 0 1 0 0 0 1 1
Ciphertext  0 0 1 0 1 0 1 1 0 0 1 1 0 0 1 0 1

Deciphering (the sixth ciphertext bit is lost in transit, so every later bit arrives one position early)
Ciphertext  0 0 1 0 1 1 1 0 0 1 1 0 0 1 0 1
Keystream   1 0 1 1 0 0 1 1 1 0 0 1 0 0 0 1 1
Plaintext   1 0 0 1 1 1 0 1 1 1 1 1 0 1 0 0

From the missing bit onward the ciphertext is added to the wrong keystream bits, so about half of the remaining plaintext bits are wrong: the receiver has lost synchronization with the sender, and a synchronous stream cipher needs a resynchronization mechanism to recover.
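The two error cases above, as an added example (not code from the original slides): the modulo-2 adder applied to the slide's bit strings, followed by a flipped bit and a dropped bit in the ciphertext. The bit strings are the slide's; the function names are mine.

```python
# Added example, not from the original slides: a bit-level stream cipher
# (modulo-2 adder) on the slide's bit strings, and what a transmission
# error does to the recovered plaintext.

PLAINTEXT = "10011000101000110"   # bits from the slide
KEYSTREAM = "10110011100100011"

def xor_bits(a, b):
    """Modulo-2 add two bit strings position by position. If one side is
    shorter, the result is shorter too: there is nothing to add the last
    keystream bit to."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def encipher(plaintext, keystream):
    return xor_bits(plaintext, keystream)

def decipher(ciphertext, keystream):
    # Identical to enciphering: (p xor k) xor k == p
    return xor_bits(ciphertext, keystream)

def flip_bit(bits, i):
    """Transmission error: bit i is received inverted."""
    return bits[:i] + ("0" if bits[i] == "1" else "1") + bits[i + 1:]

def drop_bit(bits, i):
    """Lost bit: bit i never arrives, so every later bit moves one place left."""
    return bits[:i] + bits[i + 1:]

def error_positions(recovered, expected):
    """Indices at which the recovered plaintext differs from what was sent."""
    return [i for i, (r, e) in enumerate(zip(recovered, expected)) if r != e]

def demo():
    """Returns (ciphertext, error positions after a flip, error positions after a drop)."""
    c = encipher(PLAINTEXT, KEYSTREAM)
    assert decipher(c, KEYSTREAM) == PLAINTEXT
    flipped = decipher(flip_bit(c, 0), KEYSTREAM)   # the slide's flipped first bit
    dropped = decipher(drop_bit(c, 5), KEYSTREAM)   # the slide's missing sixth bit
    return c, error_positions(flipped, PLAINTEXT), error_positions(dropped, PLAINTEXT)
```

A flipped bit damages exactly one plaintext bit; a dropped bit leaves every later ciphertext bit paired with the wrong keystream bit, and which of those positions come out wrong depends on the data, so there is no way to repair it locally.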

Page 12: Chapter 4

Self-Synchronous Stream Cipher

• The keystream is a function of the ciphertext: the previous N ciphertext bits are fed back into the key generator.
• Allows late entry: a receiver holding the correct crypto variables resynchronizes by itself after N correct ciphertext bits have been received.
• Non-periodic keystream.

[Figure: encipher and decipher sides, each with a key generator driven by Cryptographic Variables (CV) and an N-bit feedback shift register filled from the ciphertext; the keystream is added (+) to the plaintext or to the ciphertext.]

Page 13: Chapter 4

Perfect Crypto System

• From the theoretical point of view, the only system that offers perfect secrecy is one in which the keystream is
— totally random,
— infinitely long (never reused, however much traffic is sent),
— and used only one time.

• A perfect crypto system is achieved only with Vernam's cipher, the one-time key (one-time pad), in which the keystream is random, is as long as the message, and is used only one time.

• However, Vernam's cipher is not widely used because of the following problems:
— The key is as long as the plaintext, which is cumbersome.
— There is an immense volume of key material that needs to be sent to the receiver.
— The cryptographer needs to find a safe way of letting the recipient know the key that was used to encipher the message.

Page 14: Chapter 4

Perfect Key Generator

• Infinite number of crypto variables (keys)
— In practice 56, 64, 128, 256, 512, 1024 or 2048 bits.
• Random keystream
— A pseudorandom keystream that is random for all statistical tests, but which can be re-created by the same type of key generator when the same crypto variables are loaded in both key generators.
• Infinite cycle length.
• Random starting places (message key, initialization vector)
— With many different message keys (starting positions in the key generator), the probability that the keystream used to encipher a message is used only one time is very high. This is one of the most important of Vernam's conditions for a perfect keystream.
• Fail-safe alarms.

[Figure: two key generators loaded with the same key variable (one of 2^128 possible values) produce the same keystream; the message key selects the starting position on the cycle (e.g., position 1 or position 10^40), and the cycle length is very long.]
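Why "used only one time" is the condition that matters most, as an added example (not code from the original slides): two messages enciphered under the same keystream, and what an eavesdropper learns from the pair. The messages are constructed samples; the function names are mine.

```python
# Added example, not code from the original slides: what a reused keystream
# leaks. Two ciphertexts made with the same keystream give away the XOR of
# the two plaintexts, and one known (or guessed) fragment of either message
# then reveals the other message at the same position.
import os

def stream_encipher(plaintext, keystream):
    """XOR the message with the first len(plaintext) bytes of the keystream."""
    if len(keystream) < len(plaintext):
        raise ValueError("keystream shorter than the message")
    return bytes(p ^ k for p, k in zip(plaintext, keystream))

def two_time_pad_leak(c1, c2):
    """For two ciphertexts made with the SAME keystream the key cancels out:
    c1 xor c2 == p1 xor p2. No key material is needed to compute this."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def crib_drag(leak, crib, offset):
    """If `crib` is known to sit at `offset` in one plaintext, XORing it into
    the leak uncovers the other plaintext at the same offset."""
    return bytes(a ^ b for a, b in zip(leak[offset:offset + len(crib)], crib))

# Constructed sample messages (not from the slides); they share a header,
# which is the usual situation with protocol messages.
P1 = b"TRANSFER 1000 USD TO ACCOUNT 4711"
P2 = b"TRANSFER 9999 USD TO ACCOUNT 0815"

def demo(keystream=None):
    """Enciphers both messages under one keystream and reports what leaks."""
    if keystream is None:
        keystream = os.urandom(64)        # a random pad is perfectly fine if used ONCE
    c1 = stream_encipher(P1, keystream)
    c2 = stream_encipher(P2, keystream)   # the mistake: the same keystream again
    leak = two_time_pad_leak(c1, c2)
    return {
        "leak_equals_p1_xor_p2": leak == bytes(a ^ b for a, b in zip(P1, P2)),
        "recovered_prefix_of_p2": crib_drag(leak, b"TRANSFER 1000", 0),
        "equal_bytes_show_as_zero": leak[:9] == bytes(9),   # the shared "TRANSFER "
    }
```

Nothing about the keystream's quality helps here: the leak is the same whether the pad came from a hardware noise source or from a key generator, which is why the message key / initialization vector on the slide must differ for every message under the same crypto variable.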

Page 15: Chapter 4

Linear Shift Register

Advantages

• They produce sequences of 1s and 0s.
• Identical shift registers with the same initial input behave alike and produce exactly the same outputs.
• They easily produce long cycles.
• Their outputs are statistically balanced.
• They have well known properties.

Disadvantages

• They are described by a single linear recursion equation.
• Previous stages are easily calculated: from 2n consecutive output bits an attacker can solve for the n feedback coefficients (or run the Berlekamp-Massey algorithm) and then clock the register backwards, so the raw output of a single LFSR must never be used as a keystream.
• In the initial starting condition, all zeros must be avoided to prevent collapse (an all-zero register reproduces itself forever). Setting at least one of the stages to 1 prevents this problem.
• Improper selection of the feedback taps may not produce maximum length periods.

Page 16: Chapter 4

Linear Feedback Shift Registers (LFSR)

The polynomial f(x) of a shift register, called the characteristic polynomial, is the sum of the terms C_i x^i for which stage S_i is fed back into the modulo-2 adder (C_i = 1 when the tap on stage S_i is connected, 0 when it is not), with C_0 = C_n = 1:

  f(x) = Σ (i = 0 … n) C_i x^i
       = 1 + C_1 x + C_2 x^2 + C_3 x^3 + … + C_(n−1) x^(n−1) + x^n

[Figure: stages S_1, S_2, S_3, …, S_(n−1), S_n in a row, each connected through its coefficient C_1, C_2, C_3, …, C_(n−1), C_n to a chain of modulo-2 adders (+); C_0 x^0 is the constant term, and the adder output re-enters the register at S_1.]

Page 17: Chapter 4

Shift Register Theory

[Figure: a plain four-stage shift register with no feedback, shifting 1 0 1 1 → 0 1 0 1 → 0 0 1 0 → 0 0 0 1 → 0 0 0 0 in steps 1 to 4; without feedback the register empties.]

Modulo-2 adder (XOR): 1 + 0 = 1, 1 + 1 = 0, 0 + 1 = 1, 0 + 0 = 0

Four-stage LFSR with f(x) = 1 + x + x^4: stages x1 x2 x3 x4, with x1 and x4 fed into the modulo-2 adder; on each clock the register shifts one stage to the right and the adder output becomes the new x1. Initial state 0 0 0 1.

Clock  x1 x2 x3 x4      Clock  x1 x2 x3 x4
0      0  0  0  1       10     0  1  1  0
1      1  0  0  0       11     0  0  1  1
2      1  1  0  0       12     1  0  0  1
3      1  1  1  0       13     0  1  0  0
4      1  1  1  1       14     0  0  1  0
5      0  1  1  1       15     0  0  0  1
6      1  0  1  1       16     1  0  0  0
7      0  1  0  1       17     1  1  0  0
8      1  0  1  0       18     1  1  1  0
9      1  1  0  1

The state at clock 15 is the initial state again, and clocks 16 to 18 repeat clocks 1 to 3.

Characteristic polynomial of a shift register:

  f(x) = 1 + C_1 x + C_2 x^2 + C_3 x^3 + … + C_(n−1) x^(n−1) + x^n

Maximum length of a four-stage shift register:
  Period = 15 = 2^4 − 1
  Number of ones in one period = 2^(4−1) = 8
  Number of zeros in one period = 2^(4−1) − 1 = 7

Page 18: Chapter 4

Shift Register Theory

Modulo-2 adder (XOR): 1 + 0 = 1, 1 + 1 = 0, 0 + 1 = 1, 0 + 0 = 0

f(x) = 1 + x^2 + x^4 (taps on x2 and x4), initial state 0 0 0 1:

Clock  x1 x2 x3 x4
0      0  0  0  1
1      1  0  0  0
2      0  1  0  0
3      1  0  1  0
4      0  1  0  1
5      0  0  1  0
6      0  0  0  1    (period 6)

The same register with initial state 1 0 1 1:

Clock  x1 x2 x3 x4
0      1  0  1  1
1      1  1  0  1
2      0  1  1  0
3      1  0  1  1    (period 3)

f(x) = 1 + x + x^2 + x^3 + x^4 (taps on x1, x2, x3 and x4), initial state 0 0 0 1:

Clock  x1 x2 x3 x4
0      0  0  0  1
1      1  0  0  0
2      1  1  0  0
3      0  1  1  0
4      0  0  1  1
5      0  0  0  1    (period 5)

If an LFSR does not have maximum length, the initial conditions (the initial sequence loaded into the shift register) determine which sequence is generated and the period of that sequence.

In any LFSR, the feedback connections determine whether the sequence will be of maximum length or not.

[Figure: the two four-stage registers with their modulo-2 adders (+).]

Page 19: Chapter 4

Shift Register Properties

• A shift register produces sequences that depend upon the number of stages, the feedback tap connections, and the initial conditions.

• The succession of states in a shift register is periodic, with a period p ≤ 2^n − 1, where n is the number of stages (the all-zero state is excluded because it reproduces itself). The value of p depends on the feedback coefficients, but a period of 2^n − 1 can be achieved with the right feedback.

• A sequence generated by an n-stage shift register is said to have maximum length if its period is p = 2^n − 1. This maximum length holds no matter what the (nonzero) initial state of the shift register is. Also, if a shift register sequence has period p = 2^n − 1, then every possible binary vector of length n except all zeros occurs exactly once in each period.

• In any LFSR, the feedback connections determine whether the sequence will be of maximum length or not.

• In LFSRs with reducible characteristic polynomials (non-maximal sequences), the initial conditions (the initial sequence loaded into the shift register) determine which sequence is generated and the period of that sequence.

Page 20: Chapter 4

Shift Register Properties

• If all the exponents of a polynomial are even, the characteristic polynomial is reducible (over GF(2), g(x^2) = g(x)^2), so it cannot have a maximum length sequence; e.g., f(x) = 1 + x^2 + x^4 = (1 + x + x^2)^2 is reducible.

• If a shift register sequence has maximum length, its characteristic polynomial is irreducible; however, the converse of this property does not hold. There are irreducible polynomials which correspond to no maximum-length sequence (e.g., 1 + x + x^2 + x^3 + x^4, period 5).

• If the characteristic polynomial of an LFSR is primitive, the shift register sequence has maximum length.

• A maximum length sequence cannot be generated by a shift register with an odd number of feedback taps (an even number of terms in f(x) once the constant 1 is counted), because then f(1) = 0 and f(x) is divisible by (x − 1), which over GF(2) is the same as (x + 1).

• The number of ways to achieve maximum length (p = 2^n − 1) in an n-stage shift register, i.e., the number of primitive polynomials of degree n, is

  N(n) = φ(2^n − 1) / n

  where φ is Euler's totient function.

Page 21: Chapter 4

Shift Register Properties

• If a sequence has an irreducible characteristic polynomial of degree n, the period of the sequence is a factor of 2^n − 1, and it may or may not be maximum. The period is always the same, regardless of the (nonzero) initial state. However, if the maximal length p = 2^n − 1 is prime, every irreducible polynomial of degree n corresponds to a shift register sequence of maximum length, because the only factors of a prime are 1 and the prime itself. When 2^n − 1 is prime, it is known as a Mersenne prime.

• If a sequence has an irreducible characteristic polynomial of degree n, its length does not depend on the initial conditions, except for the initial condition "all 0s".

• For an irreducible characteristic polynomial f(x) of degree n, the period is the smallest positive integer p for which f(x) divides x^p − 1 modulo 2 (the order of f); f(x) is primitive exactly when that p equals 2^n − 1.

Page 22: Chapter 4

Non-Linear Combination of LFSR Devices

[Figure: three LFSRs of five, four and three stages (initial contents 0 0 0 1 1, 0 0 0 1 and 0 0 0 shown) whose outputs are combined into the keystream; the key generator is loaded from an Initialization Vector, and the keystream is added (+) to the plaintext to give the ciphertext.]

Maximum length of each register:
  LFSR 1: 2^5 − 1 = 31
  LFSR 2: 2^4 − 1 = 15
  LFSR 3: 2^3 − 1 = 7

Maximum length of the combination (the combined state repeats only when every register has completed a whole number of its own cycles):

  M_l = (P_1 × P_2 × P_3 × … × P_n) / (any common factors of P_1, P_2, P_3, …, P_n) = lcm(P_1, P_2, …, P_n)

  M_l = 31 × 15 × 7 = 3255   (31, 15 and 7 share no factor)

Replace LFSR 1 by a six-stage shift register: its maximum length is 2^6 − 1 = 63, and

  M_l = (63 × 15 × 7) / (3 × 7) = (3^2 × 7)(3 × 5)(7) / (3 × 7) = 315

because 63 shares the factor 3 with 15 and the factor 7 with 7. Combining the register outputs with a plain modulo-2 adder lengthens the period but keeps the keystream linear; it is the non-linear combining function that defeats the 2n-bit solving attack on a single LFSR.

Page 23: Chapter 4

Gears and Shift Registers

Three meshed gears with 15, 31 and 127 teeth (the maximum-length periods 2^n − 1 of four-, five- and seven-stage shift registers).

When will the marked teeth return to their original position?
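The registers of the preceding slides and the gear question above, as one added example (not code from the original slides): an LFSR simulator in the slides' convention, used to reproduce the period tables, to test a feedback polynomial for maximum length, to measure the period of several registers clocked together, and to show the weakness listed under "Disadvantages": the feedback taps of an unknown LFSR fall out of 2n output bits by solving n linear equations modulo 2. The function names are mine. The gears return to their starting position after lcm(15, 31, 127) = 59,055 tooth advances, because the three tooth counts are pairwise coprime; the same lcm gives the combined period of the register bank.

```python
# Added example, not from the original slides: an LFSR simulator in the
# slides' convention (stages x1..xn, shift to the right each clock, new
# x1 = XOR of the tapped stages, output taken from xn).
from functools import reduce
from math import gcd

def lfsr_step(state, taps):
    """One clock. state = [x1, ..., xn]; taps = exponents i >= 1 of the terms
    x^i present in f(x) = 1 + C1 x + ... + x^n, so n itself is always a tap."""
    new_bit = 0
    for i in taps:
        new_bit ^= state[i - 1]
    return [new_bit] + state[:-1]

def lfsr_output(state, taps, nbits):
    """Emit nbits from the last stage xn, clocking after each bit."""
    out = []
    for _ in range(nbits):
        out.append(state[-1])
        state = lfsr_step(state, taps)
    return out

def period(state, taps):
    """Clocks until the register returns to its starting (nonzero) state."""
    s, n = lfsr_step(state, taps), 1
    while s != state:
        s, n = lfsr_step(s, taps), n + 1
    return n

def is_primitive(taps, n):
    """f(x) is primitive iff one nonzero start already has period 2^n - 1:
    that start then visits every nonzero state, so every start does."""
    return period([0] * (n - 1) + [1], taps) == 2 ** n - 1

def lcm(*values):
    """Least common multiple: the product divided by the common factors."""
    return reduce(lambda a, b: a * b // gcd(a, b), values)

def combined_period(registers):
    """State period of registers clocked in step, registers = [(state, taps), ...].
    It equals lcm of the individual periods, the M_l of the slide."""
    start = [s for s, _ in registers]
    cur = [lfsr_step(s, t) for s, t in registers]
    n = 1
    while cur != start:
        cur = [lfsr_step(s, t) for s, (_, t) in zip(cur, registers)]
        n += 1
    return n

def recover_taps(bits, n):
    """Every output bit obeys o[m] = XOR over taps i of o[m - i]. With 2n bits
    that is n linear equations over GF(2) in the n unknown coefficients
    C1..Cn; Gauss-Jordan elimination solves them. Returns the tap list, or
    None when the sample does not determine the taps (singular system)."""
    rows = [[bits[m - i] for i in range(1, n + 1)] + [bits[m]] for m in range(n, 2 * n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [col + 1 for col in range(n) if rows[col][n]]
```

With the recovered taps and the last n observed bits the attacker owns the register: the rest of the keystream, forwards and backwards, follows from the recursion.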

Page 24: Chapter 4

Block Cipher

• The encryption algorithm transforms x bits of plaintext into x bits of ciphertext under the control of the key.
• Every bit of the plaintext has an effect on every bit of the ciphertext block.
• Each block is independent; there is no influence between blocks (this describes the basic Electronic Code Book use; the chaining modes below deliberately make each block depend on the previous ones).
• Identical plaintext blocks produce identical ciphertext blocks.
• An error in the ciphertext has an effect only on that block.
• Block ciphers and modes covered here
— DES in Electronic Code Book mode
— DES in Cipher Block Chaining mode
— Advanced Encryption Standard

Page 25: Chapter 4

Block Cipher

[Figure: a plaintext block enters the block cipher algorithm (encipher), controlled by the crypto variables, and leaves as a cipher block; the cipher block enters the block cipher algorithm (decipher), with the same crypto variables, and leaves as the plaintext block.]

Block size: DES 64 bits; AES 128 bits.

Page 26: Chapter 4

Data Encryption Standard (DES)

• Approved in 1977 (FIPS 46).
• Enciphers a 64-bit block of plaintext into a 64-bit block of ciphertext under the control of a 64-bit crypto variable, of which 56 bits are the key and 8 bits are used for parity.
• Uses transposition (permutation) and substitution.
• Has 16 separate rounds of encipherment. Each round uses a different 48-bit subkey derived from the original 64-bit cryptographic key (after the parity bits are dropped).
• In January 1999, Distributed.Net, a worldwide coalition of computer enthusiasts, working with EFF's DES Cracker ("Deep Crack") and a global network of nearly 100,000 PCs, recovered a 56-bit DES key in 22 hours and 15 minutes; EFF's machine on its own had already done it in 56 hours in July 1998. A 56-bit key is far too short today, and FIPS 46-3 has since been withdrawn.

Page 27: Chapter 4

DES – Steps

• Perform the fixed initial permutation IP on the 64-bit input block. IP is a fixed rearrangement of bit positions; it does not depend on the key.
• Split the permuted block into 32-bit halves L0 and R0.
• In each round, expand the 32-bit right half to 48 bits (E expansion), add modulo 2 a 48-bit subkey derived from the 56 key bits, pass the result through the 8 S-boxes (each a 4 × 16 table that maps 6 input bits to 4 output bits), and apply the permutation P. This is the function f.
• Add f(R, K) modulo 2 to the left half and swap the halves: L_i = R_(i−1), R_i = L_(i−1) ⊕ f(R_(i−1), K_i).
• Repeat the whole set of functions 16 times with a different subkey every time.
• After the sixteenth round the halves are not swapped; perform the final permutation IP^(−1), the inverse of the initial permutation.

Feistel structure (figure):
  INPUT → Initial Permutation → (L0, R0)
  L1 = R0          R1 = L0 ⊕ f(R0, K1)
  L2 = R1          R2 = L1 ⊕ f(R1, K2)
  …
  L15 = R14        R15 = L14 ⊕ f(R14, K15)
  R16 = L15 ⊕ f(R15, K16)     L16 = R15
  (R16, L16) → Inverse Initial Permutation → OUTPUT

Decipherment uses exactly the same structure with the subkeys applied in reverse order, K16 … K1; the S-boxes and f are never inverted.
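The Feistel structure in the figure, as an added example that is neither the slides' code nor DES: the round function f and the key schedule are placeholders built from SHA-256 so that the file is self-contained (my assumption; DES uses the E expansion, the S-boxes, the permutation P and its own PC-1/PC-2 key schedule instead), while the sizes are DES's (64-bit block, 56-bit key, 16 rounds of 48-bit subkeys). What it demonstrates is the property the figure relies on: decipherment is the same sixteen rounds with K16 … K1, and f never has to be inverted.

```python
# Added example, not from the original slides and NOT the DES round function:
# a Feistel network with a placeholder f, to show that the inverse of the
# structure is the structure itself with the subkeys reversed.
import hashlib

def toy_f(right, subkey):
    """Placeholder 32-bit round function (assumption). It is not invertible,
    and does not need to be; the Feistel structure never inverts f."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def toy_key_schedule(key, rounds=16):
    """Placeholder schedule (assumption): `rounds` 48-bit subkeys from a 56-bit key."""
    subkeys = []
    for r in range(rounds):
        data = key.to_bytes(7, "big") + bytes([r])
        subkeys.append(int.from_bytes(hashlib.sha256(data).digest()[:6], "big"))
    return subkeys

def feistel_rounds(block, subkeys):
    """L_i = R_(i-1); R_i = L_(i-1) xor f(R_(i-1), K_i), for the subkeys in order.
    As in the DES figure, the halves are not swapped after the last round."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for k in subkeys:
        left, right = right, left ^ toy_f(right, k)
    return (right << 32) | left          # undo the swap done by the last round

def encrypt_block(block, key):
    return feistel_rounds(block, toy_key_schedule(key))

def decrypt_block(block, key):
    # Same code path, subkeys reversed: K16 ... K1
    return feistel_rounds(block, toy_key_schedule(key)[::-1])
```

Because each round only XORs f(R, K) into the other half, running the rounds again with the same (R, K) pairs in reverse order cancels every XOR, whatever f computes; that is what lets DES (and any Feistel cipher) use a non-invertible S-box layer.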

Page 28: Chapter 4

Advanced Encryption Standard

• In September 1997, NIST issued a Federal Register notice soliciting encryption algorithms to replace DES.

• Fifteen algorithms were submitted and five were selected for the second round:
— MARS, submitted by IBM (United States).
— RC6, submitted by RSA Laboratories (United States).
— Rijndael, submitted by Joan Daemen and Vincent Rijmen (Belgium).
— Serpent, submitted by Ross Anderson (United Kingdom), Eli Biham (Israel), and Lars Knudsen (Norway).
— Twofish, submitted by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson (United States).

• On October 2, 2000, NIST announced that it had selected Rijndael for the AES.

• The standard (FIPS 197) became effective May 26, 2002.

• AES may be used by U.S. government organizations to protect classified information: all three key lengths for SECRET, and the 192- or 256-bit key lengths for TOP SECRET (CNSS Policy No. 15, 2003).

Page 29: Chapter 4

AES

• Symmetric block cipher that uses cryptographic keys of 128, 192, or 256 bits to encrypt and decrypt data blocks of 128 bits.

• Substitution and linear transformation are applied in a number of rounds that depends on the key size: 10 (128-bit key), 12 (192-bit key) or 14 (256-bit key).

• A data block to be processed by AES is partitioned into an array of bytes, and each cipher operation is byte-oriented.

• AES encryption consists of the following:
— Key expansion
— An initial round key addition
— Nr − 1 standard rounds of SubBytes, ShiftRows, MixColumns, and AddRoundKey (the Rijndael proposal called these ByteSub, ShiftRow and MixColumn)
— A final round of SubBytes, ShiftRows, and AddRoundKey (no MixColumns)

• The S-box has a mathematical structure, based on the combination of inversion over the Galois field GF(2^8) and an affine transformation. Although this mathematical structure might conceivably aid an attack, the structure is not hidden as would be the case for a trapdoor: anyone can recompute the table. If the S-box were suspected of containing a trapdoor, it could be replaced.

Page 30: Chapter 4

AES Input Bytes and State Array

• Block length = 128 bits = 16 bytes. Input bits 0 … 127 are grouped into bytes in0 … in15: bit i belongs to byte ⌊i/8⌋, and within a byte the first bit received is the most significant (bit numbers 7 6 5 4 3 2 1 0).

• The 16 input bytes fill the 4 × 4 State Array column by column, S_(r,c) = in_(r + 4c):

  Input bytes array          State Array
  in0  in4  in8   in12       S0,0 S0,1 S0,2 S0,3
  in1  in5  in9   in13   →   S1,0 S1,1 S1,2 S1,3
  in2  in6  in10  in14       S2,0 S2,1 S2,2 S2,3
  in3  in7  in11  in15       S3,0 S3,1 S3,2 S3,3

• The output bytes are read out of the State Array in the same column order.

Page 31: Chapter 4

AES Standard Round Transformations

Round transformations are composed of four steps:

• SubBytes: a nonlinear substitution that replaces each byte of the State Array by the byte found at the row and column intersection in a substitution box, the S-box. Provides non-linearity.

• ShiftRows: rows of the State Array are rotated for inter-column diffusion (linear mixing).

• MixColumns: every column of the State Array is transformed by a matrix multiplication over GF(2^8) for inter-byte diffusion within columns (linear mixing). In the last round, the column mixing is omitted.

• AddRoundKey: round key bytes are XORed into each byte of the array; this is the only step that involves the key.

Page 32: Chapter 4

AES Implementation

[Figure: AES data path]
  Plaintext
  → Initial round: AddRoundKey with K(0)
  → Nr − 1 standard rounds: SubBytes, ShiftRows, MixColumns, AddRoundKey with K(1) … K(Nr − 1)
  → Final round: SubBytes, ShiftRows, AddRoundKey with K(Nr)
  → Ciphertext
  Key Expansion turns the cipher key into the Nr + 1 round keys K(0) … K(Nr).

Picture from: http://home.ecn.ab.ca/~jsavard/crypto/co040401.htm

Page 33: Chapter 4

Key Expansion

• The AES algorithm takes the cipher key, K, and performs a key expansion routine to generate a key schedule.

• The key expansion routine generates a total of Nb (Nr + 1) words (a word is 4 bytes).
• Nb is the number of columns in the data block; for a 128-bit data block, Nb = 4.
• Nr is the number of rounds.
• For a 128-bit data block and a 128-bit cipher key (Nk = 4 words), it generates 4 × (10 + 1) = 44 words, w0 … w43, i.e., 11 round keys K0 … K10 of four words each.

• The cipher key becomes the first Nk words, w0 … w3. Every other word is w[i] = w[i − Nk] xor temp, where temp = w[i − 1], except that when i is a multiple of Nk

  temp = SubWord(RotWord(temp)) xor Rcon[i / Nk]

  RotWord rotates the word one byte to the left, SubWord applies the S-box to each byte, and Rcon[j] is the word ({02}^(j−1), {00}, {00}, {00}) in GF(2^8). (For 256-bit keys, Nk = 8, there is an additional SubWord when i mod Nk = 4.)

[Figure: for a 128-bit data block and cipher key, the cipher key 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c is laid out as w0 = 2b 7e 15 16, w1 = 28 ae d2 a6, w2 = ab f7 15 88, w3 = 09 cf 4f 3c (= K0) and expanded into w4 … w43 (= K1 … K10).]

Page 34: Chapter 4

SubBytes Transformation

Every byte S_(r,c) of the State Array is replaced by S'_(r,c) = S-box[S_(r,c)]: the high nibble of the byte selects the row and the low nibble selects the column.

S-box (row = high nibble, column = low nibble):

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Example: S_(1,1) = 0 1 0 1 0 0 1 1 = {53}; row 5, column 3 of the S-box gives S'_(1,1) = {ed} = 1 1 1 0 1 1 0 1.

[Figure: State Array → S-box → State' Array.]

Page 35: Chapter 4

ShiftRows Transformation

The bytes in the last three rows of the State Array are rotated 1, 2, or 3 positions to the left (row r by r positions); row 0 is not moved:

  S0,0 S0,1 S0,2 S0,3        S'0,0 S'0,1 S'0,2 S'0,3   =   S0,0 S0,1 S0,2 S0,3
  S1,0 S1,1 S1,2 S1,3   →    S'1,0 S'1,1 S'1,2 S'1,3   =   S1,1 S1,2 S1,3 S1,0
  S2,0 S2,1 S2,2 S2,3        S'2,0 S'2,1 S'2,2 S'2,3   =   S2,2 S2,3 S2,0 S2,1
  S3,0 S3,1 S3,2 S3,3        S'3,0 S'3,1 S'3,2 S'3,3   =   S3,3 S3,0 S3,1 S3,2

Page 36: Chapter 4

MixColumns Transformation

The MixColumns transformation treats each column of the State Array as a four-term polynomial over GF(2^8) and multiplies it modulo x^4 + 1 by the fixed polynomial

  a(x) = {03} x^3 + {01} x^2 + {01} x + {02}

  s'(x) = a(x) ⊗ s(x)

Written out, each column (s0, s1, s2, s3) becomes

  s'0 = {02}·s0 ⊕ {03}·s1 ⊕ s2 ⊕ s3
  s'1 = s0 ⊕ {02}·s1 ⊕ {03}·s2 ⊕ s3
  s'2 = s0 ⊕ s1 ⊕ {02}·s2 ⊕ {03}·s3
  s'3 = {03}·s0 ⊕ s1 ⊕ s2 ⊕ {02}·s3

where · is multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1.

[Figure: State Array before and after MixColumn, with one column (S0,c … S3,c → S'0,c … S'3,c) highlighted.]

Page 37: Chapter 4

AddRoundKey Transformation

In the AddRoundKey transformation, every byte of the State Array is XORed with the corresponding byte of the round key (cipher sub-key).

State Array (before)        Cipher Key (round key 0)        State Array (after)
32 88 31 e0                 2b 28 ab 09                     19 3d e3 be
43 5a 31 37        XOR      7e ae f7 cf            =        a0 f4 e2 2b
f6 30 98 07                 15 d2 15 4f                     9a c6 8d 2a
a8 8d a2 34                 16 a6 88 3c                     e9 f8 48 08

Example for the top-left byte: Input = {32} = 00110010; Cipher Key = {2b} = 00101011; State Array = {19} = 00011001.

Modulo-2 adder (XOR): 1 + 0 = 1, 1 + 1 = 0, 0 + 1 = 1, 0 + 0 = 0
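The S-box construction, the key expansion and the four round transformations of the preceding slides, as one added example that is not the slides' code: AES-128 encryption of the FIPS 197 Appendix B block under the same cipher key the slides use. The S-box is computed from inversion in GF(2^8) plus the affine map rather than copied from the table, and the Appendix B values (round key 1 starting a0 fa fe 17, round key 10 d0 14 f9 a8 …, the state above after the first AddRoundKey, and the ciphertext 39 25 84 1d …) are the checks. The function names are mine.

```python
# Added example, not code from the original slides: AES-128 written out from
# the transformations on the preceding slides, checked against the FIPS 197
# Appendix B worked example.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return product

def gf_inv(a):
    """a^254 is a^-1 in GF(2^8) (the multiplicative group has 255 elements); 0 maps to 0."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result

def make_sbox():
    """S(a) = affine(inv(a)): XOR inv(a) with its four left rotations, then with 0x63."""
    sbox = []
    for a in range(256):
        x = gf_inv(a)
        y = x
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF
            y ^= x
        sbox.append(y ^ 0x63)
    return sbox

SBOX = make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def key_expansion(key):
    """FIPS 197 key schedule for a 128-bit key (Nk = 4): 44 words = 11 round keys.
    State and round keys are 16-byte lists in column-major order (s[r + 4c])."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]               # RotWord
            temp = [SBOX[b] for b in temp]           # SubWord
            temp[0] ^= RCON[i // 4 - 1]              # Rcon[i / Nk]
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r of the 4x4 array is rotated r bytes to the left."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Each column is multiplied by a(x) = {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1."""
    out = []
    for c in range(4):
        s0, s1, s2, s3 = state[4 * c:4 * c + 4]
        out += [gf_mul(s0, 2) ^ gf_mul(s1, 3) ^ s2 ^ s3,
                s0 ^ gf_mul(s1, 2) ^ gf_mul(s2, 3) ^ s3,
                s0 ^ s1 ^ gf_mul(s2, 2) ^ gf_mul(s3, 3),
                gf_mul(s0, 3) ^ s1 ^ s2 ^ gf_mul(s3, 2)]
    return out

def add_round_key(state, round_key):
    return [a ^ b for a, b in zip(state, round_key)]

def aes128_encrypt_block(key, block):
    """Initial AddRoundKey, nine standard rounds, final round without MixColumns."""
    rk = key_expansion(key)
    state = add_round_key(list(block), rk[0])
    for r in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk[r])
    state = add_round_key(shift_rows(sub_bytes(state)), rk[10])
    return bytes(state)

# FIPS 197 Appendix B: the cipher key is the one on the key-expansion slide.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
FIPS_PLAINTEXT = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
```

Encrypting one block is all this does; decryption (the inverse transformations in reverse order) and the modes that make a block cipher usable for a message are left out on purpose. The check against the Appendix B vector is the same kind of Known Answer Test that the AESAVS validation suite on a later slide applies to a real implementation.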

Page 38: Chapter 4

AES Algorithm Validation Suite (AESAVS)

• The AES Algorithm Validation Suite specifies the design and configuration of a battery of tests used to validate an AES implementation automatically.

• The battery of tests includes the following:
— Known Answer Test (KAT)
— Multi-block Message Test (MMT)
— Monte Carlo Test (MCT)

• Successful completion of the tests as described in the AESAVS is required to claim conformance to the Advanced Encryption Standard, FIPS 197, under NIST's Cryptographic Algorithm Validation Program.

Page 39: Chapter 4

Block Cipher Modes of Operation: Electronic Code Book (ECB)

• Basic mode; x-bit block input, x-bit block output: C_j = CIPH_K(P_j), P_j = CIPH^(−1)_K(C_j).
• Identical plaintext blocks produce identical ciphertext blocks under the same key.
• Same as a code book.
• Easier to cryptanalyze: repetitions and structure in the plaintext show through in the ciphertext, so ECB is not suitable for messages longer than one block.
• One bit error in the ciphertext garbles only the x-bit block it falls in.

[Figure: ECB encryption, plaintext → input block → CIPH_K → output block → ciphertext; ECB decryption, ciphertext → input block → CIPH^(−1)_K → output block → plaintext.]

Page 40: Chapter 4

Cipher Block Chaining (CBC)

Encrypt:  C_1 = CIPH_K(P_1 ⊕ IV),  C_j = CIPH_K(P_j ⊕ C_(j−1)) for j = 2 … n
Decrypt:  P_1 = CIPH^(−1)_K(C_1) ⊕ IV,  P_j = CIPH^(−1)_K(C_j) ⊕ C_(j−1)

[Figure: on the encrypt side, each plaintext block is added (+) to the previous ciphertext block (the Initialization Vector for block 1) to form the input block, which CIPH_K turns into the output block = ciphertext block; on the decrypt side, CIPH^(−1)_K is applied to each ciphertext block and the result is added (+) to the previous ciphertext block (the Initialization Vector for block 1) to recover the plaintext block. Blocks 1, 2, …, n are shown.]

Page 41: Chapter 4

Cipher Feedback (CFB) Mode

With a block size of b bits and a segment size of s bits (1 ≤ s ≤ b):

  I_1 = IV
  O_j = CIPH_K(I_j)
  C_j = P_j ⊕ (the s most significant bits of O_j); the remaining b − s bits of O_j are discarded
  I_(j+1) = (the b − s least significant bits of I_j) || C_j
  Decrypt: P_j = C_j ⊕ (the s most significant bits of O_j), with the same forward function CIPH_K

[Figure: encrypt and decrypt sides for blocks 1, 2, …, n. Input block 1 is the Initialization Vector; each later input block consists of (b − s) bits carried over from the previous input block followed by the s ciphertext bits just produced. CIPH_K produces the output block; "Select s bits / Discard (b − s) bits" picks the keystream segment that is added (+) to the plaintext (encrypt) or to the ciphertext (decrypt).]

Page 42: Chapter 4

Output Feedback (OFB) Mode

  I_1 = IV
  O_j = CIPH_K(I_j)
  I_(j+1) = O_j
  C_j = P_j ⊕ O_j
  Decrypt: P_j = C_j ⊕ O_j, with the same forward function CIPH_K

[Figure: encrypt and decrypt sides for blocks 1, 2, …, n. Input block 1 is the Initialization Vector; CIPH_K produces output block j, which is fed back as input block j + 1 and added (+) to plaintext block j to give ciphertext block j (or to ciphertext block j to give plaintext block j).]

Page 43: Chapter 4

Counter (CTR) Mode

  O_j = CIPH_K(T_j), where T_1, T_2, …, T_n are distinct counter blocks (Counter 1, Counter 2, …, Counter n)
  C_j = P_j ⊕ O_j
  Decrypt: P_j = C_j ⊕ O_j, with the same forward function CIPH_K

The counter blocks must never repeat under one key: a repeated counter block reuses keystream, exactly as a reused pad does. CTR is not in FIPS 81; it was added with the other four modes in NIST SP 800-38A.

[Figure: encrypt and decrypt sides for blocks 1, 2, …, n. Input block j is Counter j; CIPH_K produces output block j, which is added (+) to plaintext block j to give ciphertext block j (or to ciphertext block j to give plaintext block j).]
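The five modes of the preceding slides, as one added example that is not the slides' code: ECB, CBC, CFB, OFB and CTR written over an interchangeable block cipher, with a toy 64-bit keyed permutation standing in for DES or AES so that the file runs on its own (my assumption; the toy has no cryptographic strength, and only the mode logic around it is the point). CFB is shown with s = b (full-block feedback). The sample key, IV and message are constructed; the function names are mine.

```python
# Added example, not code from the original slides: the modes of operation
# over a stand-in block cipher. toy_encrypt/toy_decrypt are a placeholder
# for CIPH_K / CIPH^-1_K and must not be used for anything real.

BLOCK = 8   # bytes; the slides' b = 64 bits

def toy_encrypt(key, block):
    """Placeholder block cipher: keyed byte substitution, then rotate the bytes left by one."""
    mixed = bytes((((b ^ k) * 5) + 3) & 0xFF for b, k in zip(block, key))
    return mixed[1:] + mixed[:1]

def toy_decrypt(key, block):
    """Inverse of toy_encrypt (205 is the inverse of 5 modulo 256: 5 * 205 = 1025)."""
    mixed = block[-1:] + block[:-1]
    return bytes((((b - 3) * 205) & 0xFF) ^ k for b, k in zip(mixed, key))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("message must be padded to a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):                  # C_j = CIPH_K(P_j)
    return b"".join(toy_encrypt(key, p) for p in blocks(pt))

def ecb_decrypt(key, ct):                  # P_j = CIPH^-1_K(C_j)
    return b"".join(toy_decrypt(key, c) for c in blocks(ct))

def cbc_encrypt(key, iv, pt):              # C_j = CIPH_K(P_j xor C_{j-1}), C_0 = IV
    out, prev = [], iv
    for p in blocks(pt):
        prev = toy_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):              # P_j = CIPH^-1_K(C_j) xor C_{j-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(key, iv, pt):              # C_j = P_j xor CIPH_K(C_{j-1}), C_0 = IV
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(p, toy_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):              # the forward cipher is used on both sides
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, toy_encrypt(key, prev)))
        prev = c
    return b"".join(out)

def ofb_keystream(key, iv, n):             # O_j = CIPH_K(O_{j-1}), O_0 = IV
    out, o = [], iv
    for _ in range(n):
        o = toy_encrypt(key, o)
        out.append(o)
    return b"".join(out)

def ctr_keystream(key, nonce, n):          # O_j = CIPH_K(T_j), T_j = nonce + j
    start = int.from_bytes(nonce, "big")
    return b"".join(toy_encrypt(key, ((start + j) % 2 ** 64).to_bytes(BLOCK, "big"))
                    for j in range(n))

def stream_mode(keystream_fn, key, iv, data):
    """OFB and CTR: enciphering and deciphering are the same XOR with the keystream."""
    return xor(data, keystream_fn(key, iv, len(blocks(data))))

# Constructed sample: three identical 8-byte plaintext blocks, a fixed key and IV.
KEY = bytes(range(8))
IV = bytes.fromhex("0011223344556677")
PT = b"ATTACK! ATTACK! ATTACK! "

def demo():
    """ECB pattern leak, CBC chaining, and how a corrupted CBC block propagates."""
    ecb, cbc = ecb_encrypt(KEY, PT), cbc_encrypt(KEY, IV, PT)
    tampered = bytes([cbc[0] ^ 0x01]) + cbc[1:]          # flip one bit of C_1
    recovered = cbc_decrypt(KEY, IV, tampered)
    return {
        "ecb_blocks_identical": len(set(blocks(ecb))) == 1,
        "cbc_blocks_identical": len(set(blocks(cbc))) == 1,
        "cbc_block1_garbled": recovered[:8] != PT[:8],
        "cbc_next_block_bit_flipped": xor(recovered[8:16], PT[8:16]) == b"\x01" + bytes(7),
        "cbc_later_blocks_intact": recovered[16:] == PT[16:],
    }
```

The CBC tampering result is the practical reason the mode alone is not enough: a flipped ciphertext bit garbles the block it is in and flips exactly the same bit in the next plaintext block, which an attacker can use deliberately unless the message also carries an integrity check.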

Page 44: Chapter 4

Block Cipher Multiple Encryption

• Double DES with two crypto variables:
  C = C_K2(C_K1(M))            M = D_K1(D_K2(C))

• Triple DES with two crypto variables (encipher, decipher, encipher):
  C = C_K1(D_K2(C_K1(M)))      M = D_K1(C_K2(D_K1(C)))

• Triple DES with three crypto variables:
  C = C_K3(D_K2(C_K1(M)))      M = D_K1(C_K2(D_K3(C)))

C_K denotes DES encipherment and D_K DES decipherment under key K. Double DES adds almost no strength: a meet-in-the-middle attack with one known plaintext/ciphertext pair finds K1 and K2 with about 2^57 DES operations and a table of 2^56 entries, which is why the triple construction is used. The decipher step in the middle makes Triple DES with K1 = K2 = K3 identical to single DES, for backward compatibility. DES itself (FIPS 46-3) has since been withdrawn and Triple DES is being retired in favour of AES.

Page 45: Chapter 4

IP Encryption

IPsec (the ESP protocol) can use the DES algorithm with three crypto variables in Cipher Block Chaining mode to encipher IP packets; in other words, IPsec uses 3DES-CBC (RFC 2451). Current IPsec deployments use AES instead.

[Figure: outer CBC with Triple DES. Message block 1 is added (+) to the IV, message block i to the previous cipher block; each block cipher stage applies C_K1, then D_K2, then C_K3, so that C_i = C_K3(D_K2(C_K1(M_i ⊕ C_(i−1)))) with C_0 = IV, for message blocks 1, 2, …, n.]

Page 46: Chapter 4

To Probe Further

• Golomb, S. (1967). Shift Register Sequences. San Francisco: Holden-Day.
• Articles related to Solomon W. Golomb, Shift Register Sequences: http://citeseer.nj.nec.com/nrelatedgid/35609
• Data Encryption Standard (DES), Federal Information Processing Standards Publication FIPS PUB 46-3: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• DES Modes of Operation, FIPS PUB 81: http://csrc.nist.gov/publications/fips/fips81/fips81.htm
• Advanced Encryption Standard (AES) web site: http://csrc.nist.gov/encryption/aes/
• Rijndael Home Page, Joan Daemen and Vincent Rijmen: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
• Encryption Standards: AES vs. DES, Gerwin Sturm, 2000: http://stud3.tuwien.ac.at/~e9825530/computerscience/aes/
• Randomness Recommendations for Security, RFC 1750: http://www.ietf.org/rfc/rfc1750.txt?number=1750

Page 47: Chapter 4

To Probe Further

• The AES Algorithm Validation Suite (AESAVS) specifies the procedures for validating implementations of the Advanced Encryption Standard (AES) algorithm in FIPS 197. Lawrence E. Bassham III, 2002: http://csrc.nist.gov/cryptval/aes/AESAVS.pdf
• AES Matlab Implementation, Jörg Buchholz. This documentation describes a Matlab implementation of the Advanced Encryption Standard (AES): http://www.mathworks.co.uk/matlabcentral/fileexchange/loadFile.do?objectId=1190&objectType=file
• A Specification for Rijndael, the AES Algorithm, Dr. Brian Gladman, 2002: http://fp.gladman.plus.com/cryptography_technology/rijndael/aesspec.pdf