Arya Institute of Engineering &

Technology, Jaipur

Presented By:
Satish Kumar Alaria
Department of CSE/IT
Subject: Information Security System
Block v/s Stream Ciphers

 Block ciphers process messages in blocks,

each of which is then en/decrypted
 Like a substitution on very big characters
 64-bits or more
 Stream ciphers process messages a bit or
byte at a time when en/decrypting
 Many current ciphers are block ciphers
 Broader range of applications
Block Cipher Principles
 Most symmetric block ciphers are based on a
Feistel Cipher Structure
 Needed since must be able to decrypt
ciphertext to recover messages efficiently
 Block ciphers look like an extremely large
substitution
 Would need table of 264 entries for a 64-bit
block
 Instead create from smaller building blocks
 Using idea of a product cipher
Ideal Block Cipher
Claude Shannon and Substitution-
Permutation Ciphers
 Claude Shannon introduced idea of substitution-
permutation (S-P) networks in 1949 paper
 form basis of modern block ciphers
 S-P nets are based on the two primitive
cryptographic operations seen before:
 substitution (S-box)
 permutation (P-box)
 provide confusion & diffusion of message & key
Confusion and Diffusion
 Cipher needs to completely obscure
statistical properties of original message
 A one-time pad does this
 More practically Shannon suggested
combining S & P elements to obtain:
 Diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
 Confusion – makes relationship between
ciphertext and key as complex as possible
Feistel Cipher Structure

 Horst Feistel devised the feistel cipher

 based on concept of invertible product cipher
 Partitions input block into two halves
 process through multiple rounds which
 perform a substitution on left data half
 based on round function of right half & subkey
 then have permutation swapping halves
 Implements Shannon’s S-P net concept
Feistel Cipher Structure
Feistel Cipher Design Elements

 Block size
 Key size
 N umber of rounds
 Subkey generation algorithm
 Round function
 Fast software en/decryption
 Ease of analysis
Feistel Cipher Decryption
Data Encryption Standard (DES)

 Mostwidely used block cipher in world

 Adopted in 1977 by NBS (now NIST)
 as FIPS PUB 46
 Encrypts 64-bit data using 56-bit key
 Has widespread use
 Has been considerable controversy over
its security
DES History

 IBM developed Lucifer cipher

 by team led by Feistel in late 60’s
 used 64-bit data blocks with 128-bit key

 Then redeveloped as a commercial cipher

with input from NSA and others
 In 1973 NBS issued request for proposals for
a national cipher standard
 IBM submitted their revised Lucifer which
was eventually accepted as the DES
DES Encryption Overview
Initial Permutation (IP)

 First step of the data computation

 IP reorders the input data bits
 Even bits to LH half, odd bits to RH half
 Quite regular in structure (easy in h/w)
 Example:

IP(675a6967 5e5a6b5a) =
(ffb2194d 004df6fb)
DES Round Structure
 uses two 32-bit L & R halves
 as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1  F(Ri–1, Ki)
 F takes 32-bit R half and 48-bit subkey:
 expands R to 48-bits using perm E
 adds to subkey using XOR
 passes through 8 S-boxes to get 32-bit result
 finally permutes using 32-bit perm P
DES Round Structure
Substitution Boxes S
 Have eight S-boxes which map 6 to 4 bits
 Each S-box is actually 4 little 4 bit boxes
 outer bits 1 & 6 (row bits) select one row of 4
 inner bits 2-5 (col bits) are substituted
 result is 8 lots of 4 bits, or 32 bits
 Row selection depends on both data & key
 feature known as autoclaving (autokeying)
 Example:
S(18 09 12 3d 11 17 38
39) = 5fd25e03
DES Key Schedule

 Forms subkeys used in each round

 Initialpermutation of the key (PC1) which
selects 56-bits in two 28-bit halves
 16 stages consisting of:
 rotating each half separately either 1 or 2
places depending on the key rotation
schedule K
 selecting 24-bits from each half & permuting
them by PC2 for use in round function F
DES Decryption

 decrypt must unwind steps of data computation

 with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
 IP undoes final FP step of encryption
 1st round with SK16 undoes 16th encrypt round
 ….

 16th round with SK1 undoes 1st encrypt round

 then final FP undoes initial encryption IP
 thus recovering original data value
Avalanche Effect
 Key desirable property of encryption
algorithm
 Where a change of one input or key bit
results in changing approximate half output
bits
 Making attempts to “home-in” by guessing
keys impossible
 DES exhibits strong avalanche
Strength of DES – Key Size

 56-bit keys have 256 = 7.2 x 1016 values

 Brute force search looks hard
 Recent advances have shown is possible
 in 1997 on Internet in a few months
 in 1998 on dedicated h/w (EFF) in a few days
 in 1999 above combined in 22hrs!
 Still must be able to recognize plaintext
 Must now consider alternatives to DES
Strength of DES – Analytic Attacks
 Now have several analytic attacks on DES
 These utilise some deep structure of the cipher
 by gathering information about encryptions
 can eventually recover some/all of the sub-key bits
 if necessary then exhaustively search for the rest

 Generally these are statistical attacks

 Include
 differentialcryptanalysis
 linear cryptanalysis
 related key attacks
Strength of DES – Timing Attacks

 Attacks actual implementation of cipher

 Useknowledge of consequences of
implementation to derive information
about some/all subkey bits
 Specifically
use fact that calculations can
take varying times depending on the
value of the inputs to it
 Particularly problematic on smartcards
AES Requirements

 Private key symmetric block cipher

 128-bit data, 128/192/256-bit keys
 Stronger & faster than Triple-DES
 Active life of 20-30 years (+ archival
use)
 Provide full specification & design
details
 Both C & Java implementations
 NIST have released all submissions &
unclassified analyses
The AES Cipher - Rijndael

 Designed by Rijmen-Daemen in Belgium

 Has 128/192/256 bit keys, 128 bit data
 An iterative rather than feistel cipher
 processes data as block of 4 columns of 4 bytes
 operates on entire data block in every round

 Designed to be:
 resistant
against known attacks
 speed and code compactness on many CPUs
 design simplicity
 Data block of 4 columns of 4 bytes is state
 Key is expanded to array of words
 Has 9/11/13 rounds in which state undergoes:
 byte substitution (1 S-box used on every byte)
 shift rows (permute bytes between groups/columns)
 mix columns (subs using matrix multipy of groups)
 add round key (XOR state with key material)
 view as alternating XOR key & scramble data bytes
 Initial XOR key material & incomplete last round
 With fast XOR & table lookup implementation
Byte Substitution

 Asimple substitution of each byte

 Uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
 Each byte of state is replaced by byte
indexed by row (left 4-bits) & column (right
4-bits)
 eg. byte {95} is replaced by byte in row 9 column
5
 which has value {2A}

 S-box constructed using defined

transformation of values in GF(28)
 Designed to be resistant to all known attacks
Byte Substitution
Shift Rows
 A circular byte shift in each each
 1st row is unchanged
 2nd row does 1 byte circular shift to left
 3rd row does 2 byte circular shift to left
 4th row does 3 byte circular shift to left
 Decrypt inverts using shifts to right
 Since state is processed by columns, this step
permutes bytes between the columns
Shift Rows
Mix Columns
 Each column is processed separately
 Each byte is replaced by a value
dependent on all 4 bytes in the column
 Effectively a matrix multiplication in
GF(28) using prime poly m(x)
=x8+x4+x3+x+1
Mix Columns
Mix Columns

 Can express each col as 4 equations

 to derive each new byte in col
 Decryption requires use of inverse matrix
 with larger coefficients, hence a little harder
 Have an alternate characterisation
 each column a 4-term polynomial
 with coefficients in GF(28)
 and polynomials multiplied modulo (x4+1)
Add Round Key
 XOR state with 128-bits of the round key
 again processed by column (though
effectively a series of byte operations)
 inverse for decryption identical
 since XOR own inverse, with reversed keys
 designed to be as simple as possible
a form of Vernam cipher on expanded key
 requires other stages for complexity /
security
Add Round Key
AES Round
AES Key Expansion
 Takes 128-bit (16-byte) key and expands into
array of 44/52/60 32-bit words
 Start by copying key into first 4 words
 Then loop creating words that depend on
values in previous & 4 places back
 in 3 of 4 cases just XOR these together
 1stword in 4 has rotate + S-box + XOR round
constant on previous, before XOR 4th back
AES Key Expansion
Key Expansion Rationale
 designed to resist known attacks
 design criteria included
 knowing part key insufficient to find many more
 invertible transformation
 fast on wide range of CPU’s
 use round constants to break symmetry
 diffuse key bits into round keys
 enough non-linearity to hinder analysis
 simplicity of description
AES Decryption
 AES decryption is not identical to encryption
since steps done in reverse
 but can define an equivalent inverse cipher
with steps as for encryption
 but using inverses of each step
 with a different key schedule

 works since result is unchanged when

 swap byte substitution & shift rows
 swap mix columns & add (tweaked) round key
AES Decryption
Difference Between DES & AES
Sr. Key AES DES
No.
Definition AES stands for Advanced Encryption DES stands for Data Encryption Standard.
1
Standard.
Key Length Key length varies from 128 bits, 192 bits to Key length is of 56 bits.
2
256 bits.
Rounds of Rounds per key length: 16 rounds of identical operations.
Operations 128 bits - 10;
3 192 bits - 12;
256 bits - 14.
Network AES structure is based on substitution- DES structure is based on feistal network.
4
permutation network.
Security AES is de-facto world standard and is more DES is weak and 3DES(Triple DES) is more
5
secure than DES. secure than DES.
Rounds Byte substitution, Shift Row, Mix Column Expansion, XOR operation with round key,
6 and Key Addition. Substitution and Permutation.

7 Size AES can encrypt 128 bits of plain text. DES can encrypt 64 bits of plain text.
Derived AES derives from Square cipher. DES derives from Lucifer cipher.
8
from
Desiged By AES was designed by Vincent Rijmen and DES was designed by IBM.
9
Joan Daemen.
Known No known attack. Brute-force, Linear crypt-analysis and
10 attacks Differential crypt-analysis.
Multiple Encryption & DES
 Cleara replacement for DES was
needed
 theoretical
attacks that can break it
 demonstrated exhaustive key search
attacks
 AES is a new cipher alternative
 Prior to this alternative was to use
multiple encryption with DES
implementations
 Triple-DES is the chosen form
Double-DES?
 Could use 2 DES encrypts on each block
C = EK2(EK1(P))
 Issue of reduction to single stage
 And have “meet-in-the-middle” attack
 works whenever use a cipher twice
 since X = EK1(P) = DK2(C)

 attack by encrypting P with all keys and store

 then decrypt C with keys and match X value
 can show takes O(256) steps
Triple-DES with Two-Keys

 Hence must use 3 encryptions

would seem to need 3 distinct keys
 But can use 2 keys with E-D-E
sequence
C = EK1(DK2(EK1(P)))
nb encrypt & decrypt equivalent in
security
if K1=K2 then can work with single DES
 Standardized in ANSI X9.17 & ISO8732
 No current known practical attacks
Triple-DES with Three-Keys

 Although are no practical attacks on

two-key Triple-DES have some
indications
 Can use Triple-DES with Three-Keys to
avoid even these
C = EK3(DK2(EK1(P)))
 Has been adopted by some Internet
applications, eg PGP, S/MIME
Modes of Operation
 Block ciphers encrypt fixed size blocks
 eg. DES encrypts 64-bit blocks with 56-bit
key
 Need
some way to en/decrypt arbitrary
amounts of data in practise
 ANSIX3.106-1983 Modes of Use (now
FIPS 81) defines 4 possible modes
 Subsequently 5 defined for AES & DES
 Have block and stream modes
Electronic Codebook Book (ECB)
 Message is broken into independent
blocks which are encrypted
 Each block is a value which is
substituted, like a codebook, hence name
 Each block is encoded independently of
the other blocks
Ci = DESK1(Pi)
 Uses: secure transmission of single values
Electronic Codebook Book (ECB)
Advantages and Limitations of ECB
 Message repetitions may show in ciphertext
 ifaligned with message block
 particularly with data such graphics
 or with messages that change very little, which
become a code-book analysis problem
 Weakness is due to the encrypted message
blocks being independent
 Main use is sending a few blocks of data
Cipher Block Chaining (CBC)
 Message is broken into blocks
 Linked together in encryption operation
 Eachprevious cipher blocks is chained
with current plaintext block, hence name
 Use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
 Uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
Message Padding
 At end of message must handle a possible last
short block
 which is not as large as blocksize of cipher
 pad either with known non-data value (eg nulls)

 or pad last block along with count of pad size

eg.[ b1 b2 b3 0 0 0 0 5]
means have 3 data bytes, then 5 bytes
pad+count
 this
may require an extra entire block over those in
message
 There are other, more esoteric modes, which
avoid the need for an extra block
Advantages and Limitations of CBC
 A ciphertext block depends on all blocks before it
 Any change to a block affects all following
ciphertext blocks
 Need Initialization Vector (IV)
 which must be known to sender & receiver
 if sent in clear, attacker can change bits of first
block, and change IV to compensate
 hence IV must either be a fixed value (as in
EFTPOS)
 or must be sent encrypted in ECB mode before
rest of message
Cipher FeedBack (CFB)
 Message is treated as a stream of bits
 Added to the output of the block cipher
 Result is feed back for next stage (hence name)
 Standard allows any number of bit (1,8, 64 or
128 etc) to be feed back
 denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
 Most efficient to use all bits in block (64 or
128)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
 Uses: stream data encryption, authentication
Cipher FeedBack (CFB)
Advantages and Limitations of CFB

 Appropriate when data arrives in bits/bytes

 Most common stream mode
 Limitation is need to stall while do block
encryption after every n-bits
 Note that the block cipher is used in
encryption mode at both ends
 Errors propogate for several blocks after the
error
Output FeedBack (OFB)
 Message is treated as a stream of bits
 Output of cipher is added to message
 Output is then feed back (hence name)
 Feedback is independent of message
 Can be computed in advance

Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
 Uses: stream encryption on noisy channels
Output FeedBack (OFB)
Advantages and Limitations of OFB
 Bit errors do not propagate
 More vulnerable to message stream
modification
 A variation of a Vernam cipher
 hence must never reuse the same sequence (key+IV)

 Sender & receiver must remain in sync

 Originally specified with m-bit feedback
 Subsequent research has shown that only full
block feedback (ie CFB-64 or CFB-128) should
ever be used
Counter (CTR) Mode
A “new” mode, though proposed early
on
 Similar to OFB but encrypts counter
value rather than any feedback value
 Must have a different key & counter
value for every plaintext block (never
reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
 Uses: high-speed network encryptions
Counter (CTR) Mode
Advantages and Limitations of CTR
 Efficiency
 can do parallel encryptions in h/w or s/w
 can preprocess in advance of need
 good for bursty high speed links
 Random access to encrypted data blocks
 Provable security (good as other modes)
 But must ensure never reuse key/counter
values, otherwise could break (cf OFB)
Stream Ciphers
 Process message bit by bit (as a stream)
 Have a pseudo random keystream
 Combined (XOR) with plaintext bit by bit
 Randomness of stream key completely
destroys statistically properties in message
Ci = Mi XOR StreamKeyi
 But must never reuse stream key
 otherwise can recover messages (cf book
cipher)
Stream Cipher Structure
Stream Cipher Properties

 Some design considerations are:

 long period with no repetitions
 statistically random
 depends on large enough key
 large linear complexity
 Properly designed, can be as secure as a
block cipher with same size key
 But usually simpler & faster
International Data Encryption
Algorithm
(IDEA)

68
Overview
 DES algorithm has been a popular secret key encryption
algorithm and is used in many commercial and financial
applications. However, its key size is too small by current
standards and its entire 56 bit key space can be searched
in approximately 22 hours
 IDEA is a block cipher designed by Xuejia Lai and James
L. Massey in 1991
 It is a minor revision of an earlier cipher, PES (Proposed
Encryption Standard)
 IDEA was originally called IPES (Improved PES) and was
developed to replace DES
 It entirely avoids the use of any lookup tables or S-boxes
 IDEA was used as the symmetric cipher in early versions
of the Pretty Good Privacy cryptosystem
69
70
Detailed description of IDEA

 IDEA operates with 64-bit plaintext and cipher text

blocks and is controlled by a 128-bit key
 Completely avoid substitution boxes and table
lookups used in the block ciphers
 The algorithm structure has been chosen such that
when different key sub-blocks are used, the
encryption process is identical to the decryption
process

71
 Key generation

 The 64-bit plaintext

block is partitioned
into four 16-bit sub-
blocks
 six 16-bit key are
generated from the
128-bit key. Since a
further four 16-bit key-
sub-blocks are
required for the
subsequent output
transformation, a total
of 52 (= 8 x 6 + 4)
different 16-bit sub-
blocks have to be
generated from the
128-bit key. 72
Key generation process
 First, the 128-bit key is partitioned into eight
16-bit sub-blocks which are then directly used
as the first eight key sub-blocks
 The 128-bit key is then cyclically shifted to the
left by 25 positions, after which the resulting
128-bit block is again partitioned into eight 16-
bit sub-blocks to be directly used as the next
eight key sub-blocks
 The cyclic shift procedure described above is
repeated until all of the required 52 16-bit key
sub-blocks have been generated

73
 Encryption of the key sub-blocks
 The key sub-blocks used for the encryption and
the decryption in the individual rounds are
shown in Table 1

74
 Encryption
 the first four 16-bit key sub-
blocks are combined with two of
the 16-bit plaintext blocks using
addition modulo 216, and with the
other two plaintext blocks using
multiplication modulo 216 + 1
 At the end of the first encryption
round four 16-bit values are
produced which are used as input
to the second encryption round
 The process is repeated in each
of the subsequent 7 encryption
rounds
 The four 16-bit values produced
at the end of the 8th encryption
round are combined with the last
four of the 52 key sub-blocks
using addition modulo 216 and
multiplication modulo 216 + 1 to
form the resulting four 16-bit
ciphertext blocks
78
Decryption
 The computational process used for
decryption of the ciphertext is essentially
the same as that used for encryption
 The only difference is that each of the 52
16-bit key sub-blocks used for decryption is
the inverse of the key sub-block used
during encryption
 In addition, the key sub-blocks must be
used in the reverse order during decryption
in order to reverse the encryption process

79
Modes of operation
 IDEA supports all modes of operation such as:
 ElectronicCode Book (ECB) mode
 Cipher Block Chaining (CBC)
 Cipher Feedback (CFB)
 Output Feedback (OFB) modes
 For plaintext exceeding this fixed size, the
simplest approach is to partition the plaintext
into blocks of equal length and encrypt each
separately. This method is named Electronic
Code Book (ECB) mode. However, Electronic
Code Book is not a good system to use with
small block sizes (for example, smaller than 40
bits)
80
Applications of IDEA

 Today, there are hundreds of IDEA-based

security solutions available in many market
areas, ranging from Financial Services, and
Broadcasting to Government
 The IDEA algorithm can easily be embedded in
any encryption software. Data encryption can
be used to protect data transmission and
storage. Typical fields are:
 Audio and video data for cable TV, pay TV, video
conferencing, distance learning
 Sensitive financial and commercial data
 Email via public networks
81

 Smart cards
Conclusion

 As electronic communications grow in

importance, there is also an increasing need for
data protection
 When PGP was designed, the developers were
looking for maximum security. IDEA was their
first choice for data encryption
 The fundamental criteria for the development
of IDEA were military strength for all security
requirements and easy hardware and software
implementation
82
Blowfish Encryption
Algorithm
Introduction
Structure
Cryptanalysis
Comparison
Introduction
designed in 1993 by Bruce Blowfish

64-bit block cipher with variable length key

Large key-dependent S-boxes

More resistant to cryptanalysis

Key-dependent permutations

Diverse Mathematical Operations

Combine X O R andaddition
Continue
Fast

Compact It can run in less than 5K of memory.

Simple to code

Easily modifiable for different security levels

Secure: The key length is variable ,it can be in
the range of 32~448 bits: default 128 bits key
length.
Unpatented and royality-free.
Structure

Feistel iterated block cipher

Scalable Key (32 to 448 bits)

Simple operation that are
efficient on microprocessors
XOR, Addition, Table lookup, etc

Employ Precomputable Subkeys

Variable number of iterations

Implementation:
Encryption
Arrays:
P – Number of rounds + 2 elements
4 S-boxes – 256 elements

Li = F ( Li−1  Pi−1 )  Ri−1

Ri = Li−1  Pi−1
L17 = L16  P18
R17 = R16  P17
(Implementation: Function F(x)

F (X 31−0 )= ((S1 X 31−24 + S 2X 23−16 ) S3 X15−8 )

+ S 4X 7−0 

Addition is mod 232

Data Encryption

• Divide 64-bits into two 32-bit halves: XL, XR

• For i = 1 to 16
o XL = XL X O R Pi
o XR=F(XL) X O R XR
o Swap XL and XR
• Swap XL and XR (Undo the last swap )
• XR=XR X O R P17
• XL = XL X O R P18
• Concatenate XL and XR
Cryptanalysis

Differential Attack
After 4 rounds a differential attack is no better than a
brute force attack

Weak Keys
S-box collisions
blowfish algorithm has yet to be cracked as the key size is
high, requires 2448 combinations
Future Concerns

Simplifications
Fewer and Smaller S-boxes

Fewer Iterations

On-the-fly subkey calculation

Twofish
AES Finalist

128-bit Block Size

More Operations
 RC 5 Algorithm

RC5 is a symmetric key block encryption algorithm designed by Ron

Rivest in 1994.
It is notable for being simple, fast (on account of using only primitive
computer operations like XOR, shift, etc.) and consumes less memory.

RC5 is a block cipher and addresses two word blocks at a time.

Depending on input plain text block size, number of rounds and key
size, various instances of RC5 can be defined and each instance is
denoted as RC5-w/r/b where w=word size in bits, r=number of
rounds and b=key size in bytes.
Allowed values are:

Parameter Possible Value

block/word size
16, 32, 64
(bits)

Number of Rounds 0 – 255

Key Size (bytes) 0 – 255

Notation used in the algorithm:

Symbol Operation

Cyclic left shift of x

x <<< y
by y bits

Two’s complement
addition of words
+
where addition is
modulo

^ Bit wise Exclusive-OR

Step-1: Initialization of constants P and Q.
RC5 makes use of 2 magic constants P and Q whose value is defined by the word size
w.

Word Size P Q
(bits) (Hexadecimal) (Hexadecimal)

16 b7e1 9e37

32 b7e15163 9e3779b9

b7e151628aed2 9e3779b97f4a7c
64
a6b 15

For any other word size, P and Q can be determined as:

Step-2: Converting secret key K from bytes to words.
Secret key K of size b bytes is used to initialize array L consisting of c words
where c = b/u, u = w/8 and w = word size used for that particular instance of
RC5.
For example, if we choose w=32 bits and Key k is of size 96 bytes then,
u=32/8=4, c=b/u=96/4=24.
L is pre initialized to 0 value before adding secret key K to it.

for i=b-1 to 0
L[i/u] = (L[u/i] <<< 8) + K[i]
Step-3: Initializing sub-key S.
Sub-key S of size t=2(r+1) is initialized using magic constants P and Q.

S[0] = P
for i = 1 to 2(r+1)-1
S[i] = S[i-1] + Q)
Step-4: Sub-key mixing.
The RC5 encryption algorithm uses Sub key S. L is merely, a temporary array
formed on the basis of user entered secret key.
Mix in user’s secret key with S and L.
Step-5: Encryption.
We divide the input plain text block into two registers A and B each of size w bits.
After undergoing the encryption process the result of A and B together forms the
cipher text block.
RC5 Encryption Algorithm:
THANKS