
Chap 02

The document summarizes key concepts in network security including symmetric encryption algorithms like DES, Triple DES, and AES. It covers symmetric encryption requirements, block cipher modes of operation, and cryptanalysis techniques like brute force attacks. It provides details on the design and functioning of popular symmetric algorithms.

Uploaded by

Ranjan Kumar H S

Network Security Essentials
Chapter 2
Fourth Edition
by William Stallings

(Based on Lecture slides by Lawrie Brown)
Outline
 Symmetric encryption
 Block encryption algorithms
 Stream ciphers
 Block cipher modes of operations
Symmetric Encryption
 or conventional / private-key / single-key
 sender and recipient share a common key
 all classical encryption algorithms are
private-key
 was only type prior to invention of public-key in 1970’s
 and by far most widely used
Some Basic Terminology
 plaintext - original message
 ciphertext - coded message
 cipher - algorithm for transforming plaintext to ciphertext
 key - info used in cipher known only to sender/receiver
 encipher (encrypt) - converting plaintext to ciphertext
 decipher (decrypt) - recovering plaintext from ciphertext
 cryptography - study of encryption principles/methods
 cryptanalysis (codebreaking) - study of principles/
methods of deciphering ciphertext without knowing key
 cryptology - field of both cryptography and cryptanalysis
Symmetric Cipher Model
Requirements
 two requirements for secure use of
symmetric encryption:
 a strong encryption algorithm
 a secret key known only to sender / receiver
 mathematically have:
Y = E(K, X)
X = D(K, Y)
 assume encryption algorithm is known
 implies a secure channel to distribute key
Cryptography
 can characterize cryptographic system by:
 type of encryption operations used
• substitution
• transposition
• product
 number of keys used
• single-key or private
• two-key or public
 way in which plaintext is processed
• block
• stream
Cryptanalysis
 objective to recover key not just message
 general approaches:
 cryptanalytic attack
 brute-force attack
 if either succeed all key use compromised
Cryptanalytic Attacks
 ciphertext only
 only know algorithm & ciphertext, is statistical,
know or can identify plaintext
 known plaintext
 know/suspect plaintext & ciphertext
 chosen plaintext
 select plaintext and obtain ciphertext
 chosen ciphertext
 select ciphertext and obtain plaintext
 chosen text
 select plaintext or ciphertext to en/decrypt
 An encryption scheme is computationally secure if
 The cost of breaking the cipher exceeds the
value of information
 The time required to break the cipher exceeds
the lifetime of information
Brute Force Search
 always possible to simply try every key
 most basic attack, proportional to key size
 assume either know / recognise plaintext

Key Size (bits)             | Number of Alternative Keys | Time required at 1 decryption/µs  | Time required at 10^6 decryptions/µs
32                          | 2^32 = 4.3 × 10^9          | 2^31 µs = 35.8 minutes            | 2.15 milliseconds
56                          | 2^56 = 7.2 × 10^16         | 2^55 µs = 1142 years              | 10.01 hours
128                         | 2^128 = 3.4 × 10^38        | 2^127 µs = 5.4 × 10^24 years      | 5.4 × 10^18 years
168                         | 2^168 = 3.7 × 10^50        | 2^167 µs = 5.9 × 10^36 years      | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26            | 2 × 10^26 µs = 6.4 × 10^12 years  | 6.4 × 10^6 years
Feistel Cipher Structure
 Horst Feistel devised the Feistel cipher
 based on concept of invertible product cipher
 partitions input block into two halves
 process through multiple rounds which
 perform a substitution on left data half
 based on round function of right half & subkey
 then have permutation swapping halves
 implements Shannon’s S-P net concept
Feistel Cipher Structure
Feistel Cipher Design Elements
 block size: 128 bits
 key size: 128 bits
 number of rounds: 16
 subkey generation algorithm
 round function
 fast software en/decryption
 ease of analysis
Symmetric Block Cipher Algorithms
 DES (Data Encryption Standard)
 3DES (Triple DES)
 AES (Advanced Encryption Standard)
Data Encryption Standard (DES)
 most widely used block cipher in world
 adopted in 1977 by NBS (now NIST)
 as FIPS PUB 46
 encrypts 64-bit data using 56-bit key
 has widespread use
 has considerable controversy over its
security
6.1.2 Overview

DES is a block cipher, as shown in Figure 6.1.

Figure 6.1 Encryption and decryption with DES

6-2 Continue

Figure 6.2 General structure of DES

6.2.1 Continue

Table 6.1 Initial and final permutation tables

ROUNDS

Key Transformation
Expansion Permutation
S-Box Substitution
P-Box Permutation
XOR and Swap
6.2.2 Continued

DES Function
The heart of DES is the DES function. The DES function
applies a 48-bit key to the rightmost 32 bits to produce a
32-bit output.

Figure 6.5
DES function

6.2.2 Continue

Expansion P-box
Since R_{I−1} is a 32-bit input and K_I is a 48-bit key, we first
need to expand R_{I−1} to 48 bits.

Figure 6.6 Expansion permutation

6.2.2 Continue

Although the relationship between the input and output can
be defined mathematically, DES uses Table 6.2 to define
this P-box.
Table 6.6 Expansion P-box table

6.2.2 Continue

Whitener (XOR)
After the expansion permutation, DES uses the XOR
operation on the expanded right section and the round key.
Note that both the right section and the key are 48-bits in
length. Also note that the round key is used only in this
operation.

6.2.2 Continue

S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8 S-boxes,
each with a 6-bit input and a 4-bit output. See
Figure 6.7.

Figure 6.7 S-boxes

Encryption (Round) (cont.)

 S-box

[1]
6.2.2 Continue

Figure 6.8 S-box rule

6.2.2 Continued

Example 6.3

The input to S-box 1 is 100011. What is the output?

Solution
If we write the first and the sixth bits together, we get 11 in
binary, which is 3 in decimal. The remaining bits are 0001 in
binary, which is 1 in decimal. We look for the value in row 3,
column 1, in Table 6.3 (S-box 1). The result is 12 in decimal,
which in binary is 1100. So the input 100011 yields the output
1100.

6.2.2 Continued

Example 6.4

The input to S-box 8 is 000000. What is the output?

Solution
If we write the first and the sixth bits together, we get 00 in
binary, which is 0 in decimal. The remaining bits are 0000 in
binary, which is 0 in decimal. We look for the value in row 0,
column 0, in Table 6.10 (S-box 8). The result is 13 in decimal,
which is 1101 in binary. So the input 000000 yields the output
1101.

6.2.2 Continue

Straight Permutation

Table 6.11 Straight permutation table

Encryption

[1]
Multiple Encryption & DES
 clearly a replacement for DES was needed
 theoretical attacks that can break it
 demonstrated exhaustive key search attacks
 AES is a new cipher alternative
 prior to this alternative was to use multiple
encryption with DES implementations
 Triple-DES is the chosen form
Double-DES?
 could use 2 DES encrypts on each block
 C = E(K2, E(K1, P))
 issue of reduction to single stage
 and have “meet-in-the-middle” attack
 works whenever use a cipher twice
 since X = E(K1, P) = D(K2, C)
 attack by encrypting P with all keys and store
 then decrypt C with keys and match X value
 takes O(2^56) steps
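The meet-in-the-middle argument above, worked on a toy cipher as an added example (not from the slides): E and D are a constructed 32-bit block cipher with a 16-bit key, chosen only so the search finishes quickly. Doubling the key to 32 bits costs the search about 2^17 cipher operations instead of 2^32, which is why Double-DES gains almost nothing over DES.

```python
MASK = 0xFFFFFFFF
MUL = 0x9E3779B1                 # odd constant, so multiplication is invertible mod 2**32
INV = pow(MUL, -1, 1 << 32)      # modular inverse (Python 3.8+)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def E(k, x):
    """Toy cipher (constructed, not secure): 32-bit block, 16-bit key."""
    for _ in range(4):
        x = rotl(((x ^ (k * 0x10001)) * MUL) & MASK, 7)
    return x

def D(k, y):
    """Inverse of E: undo rotate, multiply and key XOR, four times."""
    for _ in range(4):
        y = ((rotl(y, 25) * INV) & MASK) ^ (k * 0x10001)
    return y

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))                       # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs, key_bits=16):
    """Return every (k1, k2) consistent with all known (plaintext, ciphertext) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << key_bits):              # store X = E(K1, P) for every K1
        table.setdefault(E(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << key_bits):              # match X = D(K2, C) for every K2
        for k1 in table.get(D(k2, c0), []):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))           # survived the extra pairs
    return found

if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF                      # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x0, 0x1, 0xDEADBEEF)]
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

The extra plaintext/ciphertext pairs are needed because a single pair leaves false matches in the table; each further pair removes nearly all of them.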
Triple-DES with Two-Keys
 hence must use 3 encryptions
 would seem to need 3 distinct keys
 but can use 2 keys with E-D-E sequence

C = E(K1, D(K2, E(K1, P)))
 nb encrypt & decrypt equivalent in security
 if K1=K2 then can work with single DES
 standardized in ANSI X9.17 & ISO8732
 no current known practical attacks
 several proposed impractical attacks might
become basis of future attacks
Triple-DES with Three-Keys
 although no practical attacks on two-key
Triple-DES have some concerns
 Two-key: key length = 56*2 = 112 bits
 Three-key: key length = 56*3 = 168 bits
 can use Triple-DES with Three-Keys to
avoid even these

C = E(K3, D(K2, E(K1, P)))
 has been adopted by some Internet
applications, eg PGP, S/MIME
Triple DES
Origins
 clearly a replacement for DES was needed
 have theoretical attacks that can break it
 have demonstrated exhaustive key search attacks
 can use Triple-DES – but slow, has small blocks
 US NIST issued call for ciphers in 1997
 15 candidates accepted in Jun 98
 5 were shortlisted in Aug-99
 Rijndael was selected as the AES in Oct-2000
 issued as FIPS PUB 197 standard in Nov-2001
The AES Cipher - Rijndael
 designed by Rijmen-Daemen in Belgium
 has 128/192/256 bit keys, 128 bit data
 an iterative rather than Feistel cipher
 processes data as block of 4 columns of 4 bytes
 operates on entire data block in every round
 designed to be:
 resistant against known attacks
 speed and code compactness on many CPUs
 design simplicity
AES Encryption Process
AES Structure
 data block of 4 columns of 4 bytes is state
 key is expanded to array of words
 has 9/11/13 rounds in which state undergoes:
 byte substitution (1 S-box used on every byte)
 shift rows (permute bytes between groups/columns)
 mix columns (subs using matrix multiply of groups)
 add round key (XOR state with key material)
 view as alternating XOR key & scramble data bytes
 initial XOR key material & incomplete last round
 with fast XOR & table lookup implementation
AES Structure
AES Round
Random Numbers
 many uses of random numbers in cryptography
 nonces in authentication protocols to prevent replay
 session keys
 public key generation
 keystream for a one-time pad
 in all cases it's critical that these values be
 statistically random, uniform distribution, independent
 unpredictability of future values from previous values
 true random numbers provide this
 care needed with generated random numbers
Pseudorandom Number Generators (PRNGs)
 often use deterministic algorithmic
techniques to create “random numbers”
 although are not truly random
 can pass many tests of “randomness”
 known as “pseudorandom numbers”
 created by “Pseudorandom Number
Generators (PRNGs)”
Random & Pseudorandom Number Generators
PRNG Algorithm Design
 Purpose-built algorithms
 E.g. RC4
 Algorithms based on existing cryptographic algorithms
 Symmetric block ciphers
 Asymmetric ciphers
 Hash functions and message authentication
codes
Stream Cipher Structure
Stream Cipher Properties
 some design considerations are:
 long period with no repetitions
 statistically random
 depends on large enough key, e.g. 128 bits
 large linear complexity
 properly designed, can be as secure as a
block cipher with same size key
 but usually simpler & faster
RC4
 a proprietary cipher owned by RSA DSI
 another Ron Rivest design, simple but effective
 variable key size, byte-oriented stream cipher
 widely used (web SSL/TLS, wireless WEP/WPA)
 key forms random permutation of all 8-bit values
 uses that permutation to scramble input info
processed a byte at a time
RC4 Key Schedule
 starts with an array S of numbers: 0..255
 use key to well and truly shuffle
 S forms internal state of the cipher
for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];
j = 0
for i = 0 to 255 do
    j = (j + S[i] + T[i]) (mod 256);
    swap (S[i], S[j]);
RC4 Encryption
 encryption continues shuffling array values
 sum of shuffled pair selects "stream key"
value from permutation
 XOR S[t] with next byte of message to
en/decrypt
i = j = 0;
for each message byte M_i
    i = (i + 1) (mod 256);
    j = (j + S[i]) (mod 256);
    swap(S[i], S[j]);
    t = (S[i] + S[j]) (mod 256);
    C_i = M_i XOR S[t];
RC4 Overview
RC4 Security
 claimed secure against known attacks
 have some analyses, none practical
 result is very non-linear
 since RC4 is a stream cipher, must never
reuse a key
 have a concern with WEP, but due to key
handling rather than RC4 itself
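The RC4 key schedule and encryption pseudocode above as runnable Python, added here as an example (not from the slides), together with the reason a key must never be reused: two ciphertexts under the same key XOR to the XOR of their plaintexts. The keys and messages are constructed sample values.

```python
def rc4_ksa(key: bytes) -> list:
    """Key schedule from the slide: S = 0..255, then shuffled under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256   # T[i] = K[i mod keylen]
        S[i], S[j] = S[j], S[i]
    return S


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR each byte with the next stream-key value S[t]."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(byte ^ S[t])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two ciphertexts under one key: the keystream cancels, leaving p1 XOR p2."""
    return xor(rc4(key, p1), rc4(key, p2))


if __name__ == "__main__":
    key = b"Key"                                    # constructed sample values
    print(rc4(key, b"Plaintext").hex())
    p1, p2 = b"pay alice 100 usd", b"pay bob 9999 usd!"
    leak = reuse_leak(key, p1, p2)
    print(leak == xor(p1, p2))      # the key is not needed to learn p1 XOR p2
    print(xor(leak, p1))            # anyone who knows p1 recovers p2
```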
Modes of Operation
 block ciphers encrypt fixed size blocks
 eg. DES encrypts 64-bit blocks with 56-bit key
 need some way to en/decrypt arbitrary
amounts of data in practice
 NIST SP 800-38A defines 5 modes
 have block and stream modes
 to cover a wide variety of applications
 can be used with any block cipher
The Most Important Modes
 Electronic Codebook Mode (ECB)
 Cipher Block Chaining Mode (CBC)
 Cipher Feedback Mode (CFB)
 Counter Mode (CTR)
Electronic Codebook (ECB)
 message is broken into independent
blocks which are encrypted
 each block is a value which is substituted,
like a codebook, hence name
 each block is encoded independently of
the other blocks
C_i = E(K, P_i)
 uses: secure transmission of single values
Advantages and Limitations of ECB
 message repetitions may show in ciphertext
 if aligned with message block
 particularly with data such as graphics
 or with messages that change very little, which
become a code-book analysis problem
 weakness is due to the encrypted message
blocks being independent
 main use is sending a few blocks of data
Cipher Block Chaining (CBC)
 message is broken into blocks
 linked together in encryption operation
 each previous cipher block is chained
with current plaintext block, hence name
 use Initial Vector (IV) to start process
C_i = E(K, P_i XOR C_{i-1})
C_0 = IV
 uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
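An added example (not from the slides) covering both the Feistel structure and the ECB/CBC modes above: a 16-round Feistel cipher on 128-bit blocks whose decryption is the same network with the subkeys reversed, then used to show that ECB repeats ciphertext blocks where CBC does not. The HMAC-SHA-256 subkey schedule and round function are assumptions made for the illustration, and messages are assumed to be a whole number of 16-byte blocks.

```python
import hashlib, hmac

ROUNDS, HALF, BLOCK = 16, 8, 16    # 16 rounds; 128-bit block = two 64-bit halves

def subkeys(key):                  # assumed subkey generation, one per round
    return [hmac.new(key, bytes([r]), hashlib.sha256).digest() for r in range(ROUNDS)]

def F(right, subkey):              # assumed round function; need not be invertible
    return hmac.new(subkey, right, hashlib.sha256).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, ks):
    left, right = block[:HALF], block[HALF:]
    for k in ks:
        left, right = right, xor(left, F(right, k))   # substitute left, swap halves
    return right + left                                # undo the final swap

def E(key, block):
    return feistel(block, subkeys(key))

def D(key, block):                 # same network, subkeys in reverse order
    return feistel(block, subkeys(key)[::-1])

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):          # C_i = E(K, P_i)
    return b"".join(E(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):      # C_i = E(K, P_i XOR C_{i-1}), C_0 = IV
    prev, out = iv, []
    for p in blocks(pt):
        prev = E(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):      # P_i = D(K, C_i) XOR C_{i-1}
    cs = blocks(ct)
    return b"".join(xor(D(key, c), prev) for c, prev in zip(cs, [iv] + cs))

def repeated_blocks(ct):           # ciphertext blocks that duplicate an earlier one
    return len(blocks(ct)) - len(set(blocks(ct)))

if __name__ == "__main__":
    key, iv = b"K" * 16, bytes(range(16))   # constructed; a real IV is random per message
    pt = b"ATTACK AT DAWN!!" * 4            # constructed: four identical blocks
    print("ECB repeats:", repeated_blocks(ecb_encrypt(key, pt)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(key, iv, pt)))
```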
Cipher FeedBack (CFB)
 message is treated as a stream of bits
 added to the output of the block cipher
 result is fed back for next stage (hence name)
 standard allows any number of bits (1, 8, 64 or
128 etc) to be fed back
 denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
 most efficient to use all bits in block (64 or 128)
C_i = P_i XOR E(K, C_{i-1})
C_0 = IV
 uses: stream data encryption, authentication
s-bit Cipher FeedBack (CFB-s)
Advantages and Limitations of CFB
 appropriate when data arrives in bits/bytes
 most common stream mode
 Limitation: need to stall while doing block
encryption after every n-bits
 note that the block cipher is used in
encryption mode at both ends
 errors propagate for several blocks after
the error
Counter (CTR)
 a “new” mode, though proposed early on
 similar to OFB but encrypts counter value
rather than any feedback value
 must have a different key & counter value
for every plaintext block (never reused)
O_i = E(K, i)
C_i = P_i XOR O_i
 uses: high-speed network encryptions
Counter (CTR)
Advantages and Limitations of CTR
 efficiency
 can do parallel encryptions in h/w or s/w
 can preprocess in advance of need
 good for bursty high speed links
 random access to encrypted data blocks
 provable security (good as other modes)
 but must ensure never reuse key/counter
values, otherwise could break (cf OFB)
Output Feedback Mode (OFB)
