Crypto Assignment

This document discusses AES encryption and its implementation. It provides details on the AES algorithm including the transformations involved like SubBytes, ShiftRows, MixColumns and AddRoundKey. It also discusses implementing AES in software versus hardware and the tradeoffs between code size and performance. Finally, it outlines some attacks on AES like best key recovery attack, related key attack and distinguishing attack.

Uploaded by Edinamobong

UNIVERSITY OF BEDFORDSHIRE

DEPARTMENT OF COMPUTER SCIENCE AND TECHNOLOGY

NAME: Yusuff Modupe

STUDENT ID: 1313775

PROGRAMME: Msc. COMPUTER SECURITY AND FORENSICS

MODULE CODE: CIS014-6

MODULE NAME: CRYPTOGRAPHY AND CRYPTANALYSIS

Table of Contents
1. Introduction
1.1 AES
1.2 Transformations
1.3 Implementation and Code Size Trade-off
1.4 Attacks
2. Coding in Matlab
3. Applications
3.1 Application 1: BitLocker
3.2 Application 2: Skype
3.3 Conclusion
4. References
1. Introduction
This report discusses AES and its implementation. The first section covers the history of AES and
the transformations it is built from. The second section presents a script showing how AES is
implemented in Matlab. Finally, the last section discusses how AES is used in two applications.

1.1 AES
The Advanced Encryption Standard (AES) is a symmetric-key encryption standard used to encrypt
data in order to protect information from tampering, thereby ensuring privacy. It is symmetric
because the same key is used to encrypt and decrypt data. As shown in the figure below, the
plaintext is passed through the cipher (AES) together with the cipher key to produce the
encrypted text (ciphertext) (Kagude, et al. 2011).

Figure 2: the plaintext and the cipher key enter the AES cipher, which outputs the ciphertext (Kagude et al, 2011)

AES is a block cipher that was developed by Joan Daemen and Vincent Rijmen and published in
2001 by the National Institute of Standards and Technology (NIST). Before AES, block ciphers such
as DES (Data Encryption Standard) and TDES (Triple DES) were used to transmit private
information. However, DES has proven inadequate: it is slow in software and its key can be
cracked with the right hardware. As a result, NIST searched for a replacement algorithm, which
led to AES. AES is publicly available and is also the first open cipher approved by the NSA
(National Security Agency) for top secret information (Kagude et al, 2011).

There are three versions of the cipher, AES-128, AES-192 and AES-256, which differ in key length
(128, 192 and 256 bits respectively). The cipher operates on a 4x4 matrix of bytes known as the
state; the byte is the fundamental unit of processing. Before the rounds begin, the input state
array is XORed with the first four words of the key schedule; for decryption, the ciphertext is
instead XORed with the last four words of the key schedule.
AES is organised into round functions, and the number of rounds depends on the key length:
AES-128, AES-192 and AES-256 use 10, 12 and 14 rounds respectively (Ali, et al. 2012).
1.2 Transformations
Each round consists of four transformations: SubBytes, ShiftRows, MixColumns and AddRoundKey.
The last round skips MixColumns.

SubBytes: This is the first transformation of a round. It consists of 16 byte-to-byte
substitutions, where each byte is interpreted as two hexadecimal digits. The bytes in the data
block are replaced with values from the S-Box (a 16x16 matrix): the first hexadecimal digit of a
state byte selects the row of the S-Box and the second digit selects the column. For instance,
(s 1, 3) denotes row 1, column 3 of the S-box, as shown in the figure below. The entry found
there is the 8-bit output value (Kagude et al, 2011).

Figure 2 (Kagude et al, 2011)

ShiftRows: This transformation cyclically shifts the rows of the state array to the left. The
first row is left unchanged; the second row is shifted by one byte, the third by two bytes and
the fourth by three bytes. During encryption the rows are shifted left, and during decryption
the inverse shift to the right is applied (Kagude et al, 2011).

Figure 3 (Kagude et al, 2011)

MixColumns: This transformation operates column by column: each byte of a column is replaced by
a new value that is a function of all four bytes in that column. In other words, each column of
the state is multiplied by a fixed matrix (Kagude et al, 2011).

Figure 4 (Kagude et al, 2011)

AddRoundKey: In this transformation, every bit of the state is XORed with the corresponding bit
of a round key. This step is what makes the cipher depend on the secret, since it is the only
transformation that uses the key (Kagude et al, 2011).

Figure 5 (Kagude et al, 2011)

1.3 Implementation and Code Size Trade-off

AES can be implemented in hardware or in software. The implementation can be based either on
table lookups or on routines that exploit the algebraic structure of the cipher. On high-end
servers, where a larger code size is acceptable, lookup tables can be precomputed and stored,
giving fast performance. Low-end machines that cannot accommodate a large code size can use a
smaller implementation of AES at the cost of slower performance.

For instance, AES has been implemented on smart cards, where the best performance was achieved
by precomputing results and storing them in look-up tables (Bertoni, et al. 2003). It can also
be implemented in hardware, for instance on a Celoxica RC1000 PCI bus card: the cipher design was
downloaded to the hardware, the key was used to encrypt the plaintext, and the resulting
ciphertext was written back to the host (Mali, et al. 2005).

Pre-computation      Code size    Performance
Round functions      largest      fastest
S-box only           smaller      slower
None                 smallest     slowest

Table 1: Code size/performance trade-off (Boneh 2014)

If no precomputation is allowed when implementing AES, not even of the S-box, the result is a
very small implementation. It fits in a constrained environment with little or no room for
complicated code, but the computation is slow. If there is enough space for large code, lookup
tables of up to 24 KB can be used; this gives faster computation because nothing more
complicated than table lookups and XORs is performed. As a middle ground, only the S-box can be
precomputed, which adds just 256 bytes to the code size but gives slower performance than the
full tables (Boneh, 2014).
1.4 Attacks
One of the attacks on AES is the best key recovery attack. This attack is only four times faster
than exhaustive search; in effect it reduces AES to a 126-bit key compared with exhaustive search.

Another attack, on AES-256, is the related-key attack. In a related-key attack the attacker knows
a relation between several keys and has access to the encryption and decryption functions; the
goal is to recover the actual keys. The relation between the keys can be chosen by the attacker
before the attack, which gives the attacker more power since the keys can be manipulated.
There is a weakness in the key expansion: given 2^99 input/output pairs under four closely
related keys, the keys can be recovered in time 2^99.

However, this is still a great deal of time, and because the attack requires related keys it
does not greatly limit the practical security of AES.

An attack on 9-round AES-256 is the XOR difference attack. In this attack, plaintexts are
encrypted under two unknown keys whose XOR difference the attacker can choose. 2^38 plaintexts
were chosen for this attack; the most time-consuming part is having the genuine user provide the
corresponding ciphertexts under the two keys. At the end, the 256-bit key can be derived in time
less than 2^39.

Another attack is the distinguishing attack on 8-round AES-256. The attacker requests the
encryption of 2^30 pairs of plaintexts with the input and key differences of the differential.
The attack was tested experimentally on a sample of 100 related-key pairs, and the keys were
recovered once the right pair was found (Biryukov, et al. 2009).

According to Goodin (2011), a newer attack called biclique cryptanalysis allows attackers to
recover AES secret keys up to five times faster than exhaustive search. The keys are found by
partitioning all possible keys into groups, and partial key bits can be reused in later phases
of the computation.
2. Coding in Matlab
AES operates on 128-bit blocks, so we need a 128-bit plaintext, which is 16 characters, because
one character is one byte of 8 bits. A string of length 16 is created and converted to decimal.
To be able to encrypt, the decimal form is converted to binary with the dec2bin function; 8 is
passed as the second argument so that every value is represented with 8 bits.
We generate a random 4-byte by 4-byte key using the randi function and convert it to binary with
the dec2bin function, as seen in the script below.

For the AES encryption, we XOR the plaintext in binary with the random key. We then convert the
result of the XOR to decimal, because the S-box is stored in decimal form, and reshape the
result into a 4x4 matrix (A1).
The S-box is then loaded into Matlab with the load function so that the substitution can be
performed. Each byte in A1 is replaced with the corresponding S-box entry, so that A1(i, j)
becomes W(i, j). A new matrix is formed once the substitution is complete, as shown in steps
27-32 of the attached script.
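As an added example (not the report's Matlab script and not from any of its cited sources), the following Python builds the four transformations of section 1.2 into a complete AES-128 block encryption, so the initial key XOR and S-box substitution performed by the Matlab script above are the `add_round_key` and `sub_bytes` steps below. The column-major state layout, the S-box construction and the known-answer vector are taken from FIPS-197 and are assumptions not stated in the report.

```python
# Added example (not from the report): AES-128 built from the four transformations of
# section 1.2, checked against FIPS-197 Appendix C.1. State: 16 bytes, column-major.

def _gmul(a, b):  # multiplication in GF(2^8) modulo x^8+x^4+x^3+x+1 (0x11B)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r
def _build_sbox():  # S-box = multiplicative inverse followed by the affine map
    sbox = [0] * 256
    for x in range(256):
        inv = next(y for y in range(256) if _gmul(x, y) == 1) if x else 0
        s = inv
        for _ in range(4):  # s ^= rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox
SBOX = _build_sbox()  # SBOX[0x00] == 0x63, SBOX[0x01] == 0x7C

def sub_bytes(s):  # byte-wise S-box substitution
    return [SBOX[b] for b in s]
def shift_rows(s):  # row r (bytes r, r+4, r+8, r+12) is rotated left by r positions
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]
def mix_columns(s):  # each column times the circulant matrix whose first row is (2 3 1 1)
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gmul(a[r], 2) ^ _gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out
def add_round_key(s, rk):  # the only transformation that involves the key
    return [a ^ b for a, b in zip(s, rk)]

def key_expansion(key):  # 16-byte key -> 11 round keys of 16 bytes (FIPS-197 section 5.2)
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def aes128_encrypt_block(key, block):
    rks = key_expansion(key)
    s = add_round_key(list(block), rks[0])  # initial key addition before the rounds
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rks[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rks[10])  # final round skips MixColumns
    return bytes(s)
```

Checking the output against the FIPS-197 vector (key 00..0f, plaintext 00112233...eeff gives 69c4e0d8...c55a) is the quickest way to catch a wrong row/column orientation in ShiftRows or MixColumns, the most common mistake when porting the 4x4 state to a language with a different array order.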

3. Applications
3.1 Application 1: BitLocker
BitLocker Drive Encryption is a disk encryption feature introduced in Windows Vista that enables
users to encrypt the system volume. It protects data by encrypting the user, swap, hibernation
and system files of the operating system, and it ensures the integrity of the boot configuration
data. BitLocker can use either AES-128 or AES-256; the default mode uses AES with a 128-bit key
and a diffuser.

Data on the volume is encrypted using AES in Cipher Block Chaining (CBC) mode. Data is first
XORed with a sector key and then encrypted with AES-CBC. For decryption, data is decrypted with
AES-CBC and then XORed with the sector key.
The keys used to encrypt and decrypt data on the volume are derived from the 512-bit full volume
encryption key (FVEK). When AES-128 is used, bits 0-127 of the FVEK form the CBC key and bits
256-383 form the sector key. When AES-256 is used, bits 0-255 of the FVEK form the CBC key and
bits 256-511 form the sector key. Many further keys are used to protect data in the BitLocker key
management system. First, the FVEK is encrypted with the volume master key (a 256-bit AES key)
in CCM (Counter with CBC-MAC) mode. In addition, each copy of the volume master key is encrypted
under a different key.
Because the keys are encrypted in CCM mode, BitLocker can verify that decryption succeeded: the
ciphertext includes a 16-byte message authentication code (Kornblum, 2009). According to
Microsoft (2009), protecting the volume master key with AES is important because it allows the
system to re-key when any of the other keys has been compromised.
3.2 Application 2: Skype
Skype is a voice over IP (VoIP) system that uses AES to encrypt video, voice, file transfers and
messages. Encrypting the video and audio signals protects sensitive information and conversations
from being overheard or modified by an attacker.

When a user registers on Skype, the user's client generates an RSA key pair and establishes an
AES session with the server. AES is used with a block size of 128 bits and a key size of 256 bits
(Berson, 2005).
The session key is selected by the client. All communication in a session is encrypted by XORing
the plaintext with a key stream generated by AES in integer counter mode (ICM): the counter is
encrypted under the session key, which yields a key stream that is XORed with the plaintext. The
resulting ciphertext is the message sent to the recipient. The use of AES to encrypt the video
and audio signals provides the security of the call (Wang, H. 2005).

3.3 Conclusion
This report has discussed AES in detail by describing its data structure and transformations.
Furthermore, previous and current attacks on AES have been described. AES has been
implemented in Bitlocker encryption software and also used to encrypt messages on Skype. A
script has been presented showing how AES can be implemented in Matlab.
4. References

Ali, S., Mukhopadhyay, D. and Tunstall, M. 2012. Differential Fault Analysis of AES: Towards Reaching its Limits. [pdf] Available at: <http://eprint.iacr.org/2012/446.pdf> [Accessed 28 Apr. 2014].

Berson, Tom. 2005. Skype Security Evaluation. [pdf] Available at: <http://download.skype.com/share/security/2005-031%20security%20evaluation.pdf> [Accessed 4 May 2014].

Bertoni, G., Breveglieri, L., Fragneto, P., Macchetti, M. and Marchesin, S. 2003. Efficient Software Implementation of AES on 32-Bit Platforms. [pdf] Available at: <http://link.springer.com/chapter/10.1007%2F3-540-36400-5_13> [Accessed 2 May 2014].

Biryukov, A., Dunkelman, O., Keller, N., Khovratovich, D. and Shamir, A. 2009. Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds. [pdf] Available at: <https://eprint.iacr.org/2009/374.pdf> [Accessed 28 Apr. 2014].

Boneh, Dan. 2014. Block ciphers: The AES block cipher. [pdf] Available at: <http://spark-university.s3.amazonaws.com/stanford-crypto/slides/03.5-block-annotated.pdf> [Accessed 30 Apr. 2014].

Goodin, Dan. 2011. AES crypto attack. The Register, 19 Aug. Available at: <http://www.theregister.co.uk/2011/08/19/AES_crypto_attack/> [Accessed 3 May 2014].

Kangude, K., Wani, P. and Raut, S. 2011. Advanced Encryption Standard. [pdf] Available at: <www.ijcset.net/docs/Volumes/volume1issue3/ijcset2011010306.pdf> [Accessed 4 May 2014].

Kornblum, Jesse D. 2009. Implementing BitLocker Drive Encryption for Forensic Analysis. [pdf] Available at: <http://jessekornblum.com/publications/di09.pdf> [Accessed 3 May 2014].

Mali, M., Novak, F. and Biasizzo, A. 2005. Hardware Implementation of AES Algorithm. [pdf] Available at: <http://www-csd.ijs.si/novak/k2005-01.pdf> [Accessed 2 May 2014].

Microsoft, 2009. Windows 7 BitLocker™ Drive Encryption Security Policy. [pdf] Available at: <http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1332.pdf> [Accessed 4 May 2014].

Wang, Hao. 2005. Skype VoIP service: architecture and comparison. [pdf] Available at: <www.linecity.de-INFOTECH_ACS_SS05-acs5_top1_paper.pdf> [Accessed 6 May 2014].
