Posted: October 27th, 2022

Subject: CRYPTOGRAPHY.

Provide a reflection of at least 500 words (**2 pages double spaced PROPER APA FORMAT**) of how the knowledge, skills, or theories of this course have been applied, or could be applied, in a practical manner to your current work environment. If you are not currently working, share times when you have observed, or could observe, how these theories and this knowledge could be applied to an employment opportunity in your field of study.


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 1

Information and Network Security Concepts

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.


Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings. Chapter 1, “Information and Network Security Concepts”.

This book focuses on two broad areas: cryptography and network security. This overview chapter first looks at some of the fundamental principles of security, encompassing both information security and network security. These include the concepts of security attacks, security services, and security mechanisms. Next, the chapter introduces the two areas of cryptography and network security. Finally, the concepts of trust and trustworthiness are examined.


Learning Objectives

Describe the key security requirements of confidentiality, integrity, and availability.

Discuss the types of security threats and attacks that must be dealt with and give examples of the types of threats and attacks that apply to different categories of computer and network assets.

Provide an overview of keyless, single-key, and two-key cryptographic algorithms.

Provide an overview of the main areas of network security.

Describe a trust model for information security.

List and briefly describe key organizations involved in cryptography standards.


Cybersecurity (1 of 3)

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyberspace environment and organization and users’ assets. Organization and users’ assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyberspace environment.


It would be useful to start this chapter with a definition of the terms cybersecurity, information security, and network security. A reasonably comprehensive definition of cybersecurity is found in ITU-T (International Telecommunication Union Telecommunication Standardization Sector) Recommendation X.1205 (Overview of Cybersecurity, 2014).

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyberspace environment and organization and users’ assets. Organization and users’ assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyberspace environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and users’ assets against relevant security risks in the cyberspace environment. The general security objectives comprise the following: availability; integrity, which may include data authenticity and nonrepudiation; and confidentiality.


Cybersecurity (2 of 3)

Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and users’ assets against relevant security risks in the cyberspace environment. The general security objectives comprise the following: availability; integrity, which may include data authenticity and nonrepudiation; and confidentiality


Cybersecurity (3 of 3)

Information Security

This term refers to preservation of confidentiality, integrity, and availability of information. In addition, other properties, such as authenticity, accountability, nonrepudiation, and reliability can also be involved

Network Security

This term refers to protection of networks and their service from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects


As subsets of cybersecurity, we can define the following:

◆ Information security: This term refers to preservation of confidentiality, integrity, and availability of information. In addition, other properties, such as authenticity, accountability, nonrepudiation, and reliability can also be involved.

◆ Network security: This term refers to protection of networks and their service from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects.

Cybersecurity encompasses information security, with respect to electronic information, and network security. Information security also is concerned with physical (e.g., paper-based) information. However, in practice, the terms cybersecurity and information security are often used interchangeably.


Security Objectives (1 of 2)

The cybersecurity definition introduces three key objectives that are at the heart of information and network security:

Confidentiality: This term covers two related concepts:

Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals

Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed


The cybersecurity definition introduces three key objectives that are at the heart of information and network security:

◆ Confidentiality: This term covers two related concepts:

◆ Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.


Security Objectives (2 of 2)

Integrity: This term covers two related concepts:

Data integrity: Assures that data and programs are changed only in a specified and authorized manner. This concept also encompasses data authenticity, which means that a digital object is indeed what it claims to be or what it is claimed to be, and nonrepudiation, which is assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information

System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Availability: Assures that systems work promptly and service is not denied to authorized users


◆ Integrity: This term covers two related concepts:

◆ Data integrity: Assures that data (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner. This concept also encompasses data authenticity, which means that a digital object is indeed what it claims to be or what it is claimed to be, and nonrepudiation, which is assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.

◆ System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.


Figure 1.1 Essential Information and Network Security Objectives


These three concepts form what is often referred to as the CIA triad. The three concepts embody the fundamental security objectives for both data and for information and computing services. For example, the NIST standard FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) lists confidentiality, integrity, and availability as the three security objectives for information and for information systems. FIPS 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:

• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

• Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture (Figure 1.1). Two of the most commonly mentioned are as follows:

• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.


Computer Security Challenges

Security is not simple

Potential attacks on the security features need to be considered

Procedures used to provide particular services are often counter-intuitive

It is necessary to decide where to use the various security mechanisms

Requires constant monitoring

Is too often an afterthought

Security mechanisms typically involve more than a particular algorithm or protocol

Security is essentially a battle of wits between a perpetrator and the designer

Little benefit from security investment is perceived until a security failure occurs

Strong security is often viewed as an impediment to efficient and user-friendly operation


Computer and network security is both fascinating and complex. Some of the reasons follow:

1. Security is not as simple as it might first appear to the novice. The requirements seem to be straightforward; indeed, most of the major requirements for security services can be given self-explanatory, one-word labels: confidentiality, authentication, nonrepudiation, or integrity. But the mechanisms used to meet those requirements can be quite complex, and understanding them may involve rather subtle reasoning.

2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features. In many cases, successful attacks are designed by looking at the problem in a completely different way, therefore exploiting an unexpected weakness in the mechanism.

3. Because of point 2, the procedures used to provide particular services are often counterintuitive. Typically, a security mechanism is complex, and it is not obvious from the statement of a particular requirement that such elaborate measures are needed. It is only when the various aspects of the threat are considered that elaborate security mechanisms make sense.

4. Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement (e.g., at what points in a network are certain security mechanisms needed) and in a logical sense (e.g., at what layer or layers of an architecture such as TCP/IP [Transmission Control Protocol/Internet Protocol] should mechanisms be placed).

5. Security mechanisms typically involve more than a particular algorithm or protocol. They also require that participants be in possession of some secret information (e.g., an encryption key), which raises questions about the creation, distribution, and protection of that secret information. There also may be a reliance on communications protocols whose behavior may complicate the task of developing the security mechanism. For example, if the proper functioning of the security mechanism requires setting time limits on the transit time of a message from sender to receiver, then any protocol or network that introduces variable, unpredictable delays may render such time limits meaningless.

6. Computer and network security is essentially a battle of wits between a perpetrator who tries to find holes and the designer or administrator who tries to close them. The great advantage that the attacker has is that he or she need only find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security.

7. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs.

8. Security requires regular, even constant, monitoring, and this is difficult in today's short-term, overloaded environment.

9. Security is still too often an afterthought to be incorporated into a system after the design is complete rather than being an integral part of the design process.

10. Many users and even security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information.


OSI Security Architecture

Security attack

Any action that compromises the security of information owned by an organization

Security mechanism

A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack

Security service

A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization

Intended to counter security attacks, and they make use of one or more security mechanisms to provide the service


To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. This is difficult enough in a centralized data processing environment; with the use of local and wide area networks, the problems are compounded.

ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach. The OSI security architecture is useful to managers as a way of organizing the task of providing security. Furthermore, because this architecture was developed as an international standard, computer and communications vendors have developed security features for their products and services that relate to this structured definition of services and mechanisms.

For our purposes, the OSI security architecture provides a useful, if abstract, overview of many of the concepts that this book deals with. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as

• Security attack: Any action that compromises the security of information owned by an organization.

• Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.

• Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.


Threats and Attacks

Threat

A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

Attack

An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.


In the literature, the terms threat and attack are commonly used, with the following meanings:

■ Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

■ Attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.


Figure 1.2 Key Concepts in Security (1 of 2)


The following three sections provide an overview of the concepts of attacks, services, and mechanisms. The key concepts that are covered are summarized in Figure 1.2.


Figure 1.2 Key Concepts in Security (2 of 2)


Security Attacks

A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks

A passive attack attempts to learn or make use of information from the system but does not affect system resources

An active attack attempts to alter system resources or affect their operation


A useful means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks (Figure 1.2a). A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.


Passive Attacks

Are in the nature of eavesdropping on, or monitoring of, transmissions

Goal of the opponent is to obtain information that is being transmitted

Two types of passive attacks are:

The release of message contents

Traffic analysis


Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents and traffic analysis.

The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.

A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

Passive attacks are very difficult to detect, because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion, and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.


Active Attacks

Involve some modification of the data stream or the creation of a false stream

Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities

Goal is to detect attacks and to recover from any disruption or delays caused by them

Masquerade

Takes place when one entity pretends to be a different entity

Usually includes one of the other forms of active attack

Replay

Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

Data Modification

Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect

Denial of service

Prevents or inhibits the normal use or management of communications facilities


Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.

A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Data modification simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message stating, “Allow John Smith to read confidential file accounts” is modified to say, “Allow Fred Brown to read confidential file accounts.”

The denial of service prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention.


Figure 1.3 Security Attacks


Figure 1.3 illustrates the types of attacks in the context of a client/server interaction. A passive attack (Figure 1.3b) does not disturb the information flow between the client and server, but is able to observe that flow.

A masquerade can take the form of a man-in-the-middle attack (Figure 1.3c). In this type of attack, the attacker intercepts the traffic and masquerades as the client to the server and as the server to the client. We see specific applications of this attack in defeating key exchange and distribution protocols (Chapters 10 and 14) and in message authentication protocols (Chapter 11). More generally, it can be used to impersonate the two ends of a legitimate communication. Another form of masquerade is illustrated in Figure 1.3d. Here, an attacker is able to access server resources by masquerading as an authorized user.

Data modification may involve a man-in-the-middle attack, in which the attacker selectively modifies communicated data between a client and server (Figure 1.3c). Another form of data modification attack is the modification of data residing on a server or other system after an attacker gains unauthorized access (Figure 1.3d).

Figure 1.3e illustrates the replay attack. As in a passive attack, the attacker does not disturb the information flow between client and server, but does capture client messages. The attacker can then subsequently replay any client message to the server.

Figure 1.3d also illustrates denial of service in the context of a client/server environment. The denial of service can take two forms: (1) flooding the server with an overwhelming amount of data; and (2) triggering some action on the server that consumes substantial computing resources.


Authentication (1 of 2)

Concerned with assuring that a communication is authentic

In the case of a single message, assures the recipient that the message is from the source that it claims to be from

In the case of ongoing interaction, assures the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties

Two specific authentication services are defined in X.800:

Peer entity authentication

Data origin authentication


The authentication service is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from. In the case of an ongoing interaction, such as the connection of a terminal to a host, two aspects are involved. First, at the time of connection initiation, the service assures that the two entities are authentic, that is, that each is the entity that it claims to be. Second, the service must assure that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties for the purposes of unauthorized transmission or reception.

Two specific authentication services are defined in X.800:

• Peer entity authentication: Provides for the corroboration of the identity of a peer entity in an association. Two entities are considered peers if they implement the same protocol in different systems; for example, two TCP modules in two communicating systems. Peer entity authentication is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection.

• Data origin authentication: Provides for the corroboration of the source of a data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications like electronic mail, where there are no prior interactions between the communicating entities.


Authentication (2 of 2)

Peer entity authentication

Provides for the corroboration of the identity of a peer entity in an association. Two entities are considered peers if they implement the same protocol in different systems. Peer entity authentication is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection

Data origin authentication

Provides for the corroboration of the source of a data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications like electronic mail, where there are no ongoing interactions between the communicating entities


■ Peer entity authentication: Provides for the corroboration of the identity of a peer entity in an association. Two entities are considered peers if they implement the same protocol in different systems; for example, two TCP modules in two communicating systems. Peer entity authentication is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection.

■ Data origin authentication: Provides for the corroboration of the source of a data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications like electronic mail, where there are no ongoing interactions between the communicating entities.
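The replay and data-modification attacks described under active attacks, and the point just made that data origin authentication corroborates the source of a data unit but does not by itself protect against its duplication, as an added example (this is not code from Stallings' text; the key, message layout and sequence-number scheme are constructed for the demo). Each data unit carries a 64-bit sequence number and an HMAC-SHA256 tag computed over both. The tag alone catches the John Smith to Fred Brown modification but still accepts a replayed copy; only when the receiver also requires strictly increasing sequence numbers is the replay rejected.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 8    # big-endian 64-bit sequence number
TAG_LEN = 32   # HMAC-SHA256 output length


def tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """Data origin authentication: HMAC over (seq || payload).
    The tag proves the unit came from a holder of the key; binding the
    sequence number into it is what later lets the receiver reject replays."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def build(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || tag."""
    return struct.pack(">Q", seq) + payload + tag(key, seq, payload)


class Receiver:
    """Verifies the origin of each data unit; optionally also rejects duplicates."""

    def __init__(self, key: bytes, replay_protection: bool = True):
        self.key = key
        self.replay_protection = replay_protection
        self.highest_seq = -1
        self.accepted = []

    def receive(self, msg: bytes) -> str:
        if len(msg) < SEQ_LEN + TAG_LEN:
            return "reject: truncated"
        seq = struct.unpack(">Q", msg[:SEQ_LEN])[0]
        payload, received_tag = msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        # Modification or forgery fails here (constant-time comparison).
        if not hmac.compare_digest(received_tag, tag(self.key, seq, payload)):
            return "reject: bad MAC"
        # A replayed unit carries an already-seen sequence number and fails here.
        if self.replay_protection and seq <= self.highest_seq:
            return "reject: replay"
        self.highest_seq = max(self.highest_seq, seq)
        self.accepted.append(payload)
        return "accept"


def demo(key: bytes = b"constructed demo key, not a real secret") -> dict:
    """Constructed scenario: a legitimate message, a tampered copy, and a replay."""
    original = build(key, 1, b"Allow John Smith to read confidential file accounts")
    # Active attack, data modification: same length, so only the MAC reveals it.
    body = original[SEQ_LEN:-TAG_LEN].replace(b"John Smith", b"Fred Brown")
    tampered = original[:SEQ_LEN] + body + original[-TAG_LEN:]

    results = {}
    mac_only = Receiver(key, replay_protection=False)
    results["legit"] = mac_only.receive(original)
    results["modified"] = mac_only.receive(tampered)
    results["replay_mac_only"] = mac_only.receive(original)   # accepted a second time

    guarded = Receiver(key, replay_protection=True)
    guarded.receive(original)
    results["replay_guarded"] = guarded.receive(original)
    results["next_in_order"] = guarded.receive(build(key, 2, b"second message"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} {outcome}")
```

The strictly increasing counter is the simplest replay check and also rejects legitimately reordered units; protocols that must tolerate reordering (IPsec, DTLS) keep a sliding window of recently seen sequence numbers instead. Either way the counter must be covered by the MAC, as here, or an attacker simply rewrites it.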


Access Control

The ability to limit and control the access to host systems and applications via communications links

To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual


In the context of network security, access control is the ability to limit and control the access to host systems and applications via communications links. To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.

20

Data Confidentiality

The protection of transmitted data from passive attacks

The broadest service protects all user data transmitted between two users over a period of time

Narrower forms of the service include the protection of a single message or even specific fields within a message

The protection of traffic flow from analysis

This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility


Confidentiality is the protection of transmitted data from passive attacks. With respect to the content of a data transmission, several levels of protection can be identified. The broadest service protects all user data transmitted between two users over a period of time. For example, when a TCP connection is set up between two systems, this broad protection prevents the release of any user data transmitted over the TCP connection. Narrower forms of this service can also be defined, including the protection of a single message or even specific fields within a message. These refinements are less useful than the broad approach and may even be more complex and expensive to implement.

The other aspect of confidentiality is the protection of traffic flow from analysis. This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility.

21

Data Integrity

Can apply to a stream of messages, a single message, or selected fields within a message

Connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays

A connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only


As with confidentiality, integrity can apply to a stream of messages, a single message, or selected fields within a message. Again, the most useful and straightforward approach is total stream protection.

A connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays. The destruction of data is also covered under this service. Thus, the connection-oriented integrity service addresses both message stream modification and denial of service. On the other hand, a connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only.

We can make a distinction between service with and without recovery. Because the integrity service relates to active attacks, we are concerned with detection rather than prevention. If a violation of integrity is detected, then the service may simply report this violation, and some other portion of software or human intervention is required to recover from the violation. Alternatively, there are mechanisms available to recover from the loss of integrity of data, as we will review subsequently. The incorporation of automated recovery mechanisms is, in general, the more attractive alternative.

22

Nonrepudiation

Prevents either sender or receiver from denying a transmitted message

When a message is sent, the receiver can prove that the alleged sender in fact sent the message

When a message is received, the sender can prove that the alleged receiver in fact received the message


Nonrepudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the alleged sender in fact sent the message. Similarly, when a message is received, the sender can prove that the alleged receiver in fact received the message.

23

Availability Service

Protects a system to ensure its availability

This service addresses the security concerns raised by denial-of-service attacks

It depends on proper management and control of system resources and thus depends on access control service and other security services


Availability is the property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system (i.e., a system is available if it provides services according to the system design whenever users request them). A variety of attacks can result in the loss of or reduction in availability. Some of these attacks are amenable to automated countermeasures, such as authentication and encryption, whereas others require some sort of physical action to prevent or recover from loss of availability of elements of a distributed system.

X.800 treats availability as a property to be associated with various security services. However, it makes sense to call out specifically an availability service. An availability service is one that protects a system to ensure its availability. This service addresses the security concerns raised by denial-of-service attacks. It depends on proper management and control of system resources and thus depends on access control service and other security services.

24

Security Mechanisms (1 of 2)

Cryptographic algorithms: We can distinguish between reversible cryptographic mechanisms and irreversible cryptographic mechanisms. A reversible cryptographic mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted. Irreversible cryptographic mechanisms include hash algorithms and message authentication codes, which are used in digital signature and message authentication applications.

Data integrity: This category covers a variety of mechanisms used to assure the integrity of a data unit or stream of data units.

Digital signature: Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.


Figure 1.2c lists the most important security mechanisms discussed in this book. These mechanisms will be covered in the appropriate places in the book. So, we do not elaborate now, except to provide the following brief definitions.

■ Cryptographic algorithms: We can distinguish between reversible cryptographic mechanisms and irreversible cryptographic mechanisms. A reversible cryptographic mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted. Irreversible cryptographic mechanisms include hash algorithms and message authentication codes, which are used in digital signature and message authentication applications.

■ Data integrity: This category covers a variety of mechanisms used to assure the integrity of a data unit or stream of data units.

■ Digital signature: Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.

■ Authentication exchange: A mechanism intended to ensure the identity of an entity by means of information exchange.

■ Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

■ Routing control: Enables selection of particular physically or logically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.

■ Notarization: The use of a trusted third party to assure certain properties of a data exchange.

■ Access control: A variety of mechanisms that enforce access rights to resources.

25

Security Mechanisms (2 of 2)

Authentication exchange: A mechanism intended to ensure the identity of an entity by means of information exchange.

Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

Routing control: Enables selection of particular physically or logically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.

Notarization: The use of a trusted third party to assure certain properties of a data exchange.

Access control: A variety of mechanisms that enforce access rights to resources.


26

Figure 1.4 Cryptographic Algorithms


Cryptographic algorithms can be divided into three categories (Figure 1.4):

Keyless: Do not use any keys during cryptographic transformations.

Single-key: The result of a transformation is a function of the input data and a single key, known as a secret key.

Two-key: At various stages of the calculation, two different but related keys are used, referred to as private key and public key.

27

Keyless Algorithms

Deterministic functions that have certain properties useful for cryptography

One type of keyless algorithm is the cryptographic hash function

A hash function turns a variable amount of text into a small, fixed-length value called a hash value, hash code, or digest

A cryptographic hash function is one that has additional properties that make it useful as part of another cryptographic algorithm, such as a message authentication code or a digital signature

A pseudorandom number generator produces a deterministic sequence of numbers or bits that has the appearance of being a truly random sequence


Keyless algorithms are deterministic functions that have certain properties useful for cryptography.

One important type of keyless algorithm is the cryptographic hash function. A hash function turns a variable amount of text into a small, fixed-length value called a hash value, hash code, or digest. A cryptographic hash function is one that has additional properties that make it useful as part of another cryptographic algorithm, such as a message authentication code or a digital signature.

A pseudorandom number generator produces a deterministic sequence of numbers or bits that has the appearance of being a truly random sequence. Although the sequence appears to lack any definite pattern, it will repeat after a certain sequence length. Nevertheless, for some cryptographic purposes this apparently random sequence is sufficient.

28

Single-Key Algorithms (1 of 3)

Single-key cryptographic algorithms depend on the use of a secret key

Encryption algorithms that use a single key are referred to as symmetric encryption algorithms

With symmetric encryption, an encryption algorithm takes as input some data to be protected and a secret key and produces an unintelligible transformation on that data

A corresponding decryption algorithm takes the transformed data and the same secret key and recovers the original data


Single-key cryptographic algorithms depend on the use of a secret key. This key may be known to a single user; for example, this is the case for protecting stored data that is only going to be accessed by the data creator. Commonly, two parties share the

secret key so that communication between the two parties is protected. For certain applications, more than two users may share the same secret key. In this last case, the algorithm protects data from those outside the group who share the key.

Encryption algorithms that use a single key are referred to as symmetric encryption algorithms. With symmetric encryption, an encryption algorithm takes as input some data to be protected and a secret key and produces an unintelligible transformation on that data. A corresponding decryption algorithm takes the transformed data and the same secret key and recovers the original data. Symmetric encryption takes the following forms:

■ Block cipher: A block cipher operates on data as a sequence of blocks. A typical block size is 128 bits. In most versions of the block cipher, known as modes of operation, the transformation depends not only on the current data block and the secret key but also on the content of preceding blocks.

■ Stream cipher: A stream cipher operates on data as a sequence of bits. Typically, an exclusive-OR operation is used to produce a bit-by-bit transformation. As with the block cipher, the transformation depends on a secret key.

29

Single-Key Algorithms (2 of 3)

Symmetric encryption takes the following forms:

Block cipher

A block cipher operates on data as a sequence of blocks

In most versions of the block cipher, known as modes of operation, the transformation depends not only on the current data block and the secret key but also on the content of preceding blocks

Stream cipher

A stream cipher operates on data as a sequence of bits

As with the block cipher, the transformation depends on a secret key


30

Single-Key Algorithms (3 of 3)

Another form of single-key cryptographic algorithm is the message authentication code (MAC)

A MAC is a data element associated with a data block or message

The MAC is generated by a cryptographic transformation involving a secret key and, typically, a cryptographic hash function of the message

The MAC is designed so that someone in possession of the secret key can verify the integrity of the message

The recipient of the message plus the MAC can perform the same calculation on the message; if the calculated MAC matches the MAC accompanying the message, this provides assurance that the message has not been altered


Another form of single-key cryptographic algorithm is the message authentication code (MAC). A MAC is a data element associated with a data block or message. The MAC is generated by a cryptographic transformation involving a secret key and, typically, a cryptographic hash function of the message. The MAC is designed so that someone in possession of the secret key can verify the integrity of the message. Thus, the MAC algorithm takes as input a message and secret key and produces the MAC. The recipient of the message plus the MAC can perform the same calculation on the message; if the calculated MAC matches the MAC accompanying the message, this provides assurance that the message has not been altered.
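The MAC check described here, and the connection-oriented versus connectionless integrity services described under Data Integrity, as an added example in Python (not code from the Stallings text). It assumes HMAC-SHA256 as the MAC, a constructed shared key, and a sequence number bound into the MAC so that the stream-oriented receiver can also detect replay, reordering and loss; both receivers only detect and report, leaving recovery to the caller.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared by sender and receiver (an assumption of this example;
# in a real protocol it would come from a key-exchange step).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def compute_mac(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over (sequence number || payload).

    Binding the sequence number into the MAC is what lets a connection-oriented
    receiver detect replay and reordering; the MAC alone only detects modification.
    """
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def build_message(key: bytes, seq: int, payload: bytes) -> dict:
    """Sender side: attach a sequence number and MAC to the payload."""
    return {"seq": seq, "payload": payload, "mac": compute_mac(key, seq, payload)}


class ConnectionlessIntegrity:
    """Connectionless integrity service: each message is judged on its own,
    so only modification (or forgery without the key) is detected."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def check(self, msg: dict) -> str:
        expected = compute_mac(self.key, msg["seq"], msg["payload"])
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, msg["mac"]):
            return "modified"
        return "ok"


class ConnectionOrientedIntegrity:
    """Connection-oriented integrity service: remembers the next expected
    sequence number, so duplication/replay and reordering/loss are also
    detected. Detection only: the caller decides how to recover."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected_seq = 0

    def check(self, msg: dict) -> str:
        expected = compute_mac(self.key, msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "modified"   # altered in transit, or inserted without the key
        if msg["seq"] < self.expected_seq:
            return "replay"     # duplicate or replayed message
        if msg["seq"] > self.expected_seq:
            return "gap"        # reordered, or an earlier message was destroyed
        self.expected_seq += 1
        return "ok"


def run_demo() -> dict:
    """Deliver the same constructed message sequence to both services."""
    msgs = [build_message(SHARED_KEY, i, f"record {i}".encode()) for i in range(4)]
    tampered = dict(msgs[1], payload=b"record 1 (altered)")  # payload changed, MAC kept

    cl = ConnectionlessIntegrity(SHARED_KEY)
    co = ConnectionOrientedIntegrity(SHARED_KEY)
    return {
        # the connectionless service accepts the replayed msgs[0] a second time
        "connectionless": [cl.check(msgs[0]), cl.check(tampered), cl.check(msgs[0])],
        "connection_oriented": [
            co.check(msgs[0]),   # ok
            co.check(msgs[1]),   # ok
            co.check(msgs[0]),   # replay of an already-accepted message
            co.check(tampered),  # modified
            co.check(msgs[3]),   # gap: record 2 has not arrived yet
            co.check(msgs[2]),   # ok, stream back in order
            co.check(msgs[3]),   # ok
        ],
    }


if __name__ == "__main__":
    for service, results in run_demo().items():
        print(service, results)
```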

31

Asymmetric Algorithms

Encryption algorithms that use two related keys are referred to as asymmetric encryption algorithms

Digital signature algorithm

A digital signature is a value computed with a cryptographic algorithm and associated with a data object in such a way that any recipient of the data can use the signature to verify the data’s origin and integrity

Key exchange

The process of securely distributing a symmetric key to two or more parties

User authentication

The process of authenticating that a user attempting to access an application or service is genuine and, similarly, that the application or service is genuine


Two-key algorithms involve the use of two related keys. A private key is known only to a single user or entity, whereas the corresponding public key is made available to a number of users. Encryption algorithms that use two related keys are referred to as asymmetric encryption algorithms. Asymmetric encryption can work in two ways:

An encryption algorithm takes as input some data to be protected and the private key and produces an unintelligible transformation on that data. A corresponding decryption algorithm takes the transformed data and the corresponding public key and recovers the original data. In this case, only the possessor of the private key can have performed the encryption and any possessor of the public key can perform the decryption.

An encryption algorithm takes as input some data to be protected and a public key and produces an unintelligible transformation on that data. A corresponding decryption algorithm takes the transformed data and the corresponding private key and recovers the original data. In this case, any possessor of the public key can have performed the encryption and only the possessor of the private key can perform the decryption.

Asymmetric encryption has a variety of applications. One of the most important is the digital signature algorithm. A digital signature is a value computed with a cryptographic algorithm and associated with a data object in such a way that any recipient of the data can use the signature to verify the data’s origin and integrity. Typically, the signer of a data object uses the signer’s private key to generate the signature, and anyone in possession of the corresponding public key can verify the validity of the signature.

Asymmetric algorithms can also be used in two other important applications. Key exchange is the process of securely distributing a symmetric key to two or more parties. User authentication is the process of authenticating that a user attempting to access an application or service is genuine and, similarly, that the application or service is genuine. These concepts are explained in detail in subsequent chapters.

32

Figure 1.5 Key Elements of Network Security


Network security is a broad term that encompasses security of the communications pathways of the network and the security of network devices and devices attached to the network (Figure 1.5).

33

Communications Security

Deals with the protection of communications through the network, including measures to protect against both passive and active attacks

Communications security is primarily implemented using network protocols

A network protocol consists of the format and procedures that govern the transmitting and receiving of data between points in a network

A protocol defines the structure of the individual data units and the control commands that manage the data transfer

With respect to network security, a security protocol may be an enhancement that is part of an existing protocol or a standalone protocol


In the context of network security, communications security deals with the protection of communications through the network, including measures to protect against both passive and active attacks (Figure 1.3).

Communications security is primarily implemented using network protocols. A network protocol consists of the format and procedures that govern the transmitting and receiving of data between points in a network. A protocol defines the structure of the individual data units (e.g., packets) and the control commands that manage the data transfer.

With respect to network security, a security protocol may be an enhancement that is part of an existing protocol or a standalone protocol. Examples of the former are IPsec, which is part of the Internet Protocol (IP) and IEEE 802.11i, which is part of the IEEE 802.11 Wi-Fi standard. Examples of the latter are Transport Layer Security (TLS) and Secure Shell (SSH). Part Six examines these and other secure network protocols.

One common characteristic of all of these protocols is that they use a number of cryptographic algorithms as part of the mechanism to provide security.

34

Device Security (1 of 2)

The other aspect of network security is the protection of network devices, such as routers and switches, and end systems connected to the network, such as client systems and servers

The primary security concerns are intruders that gain access to the system to perform unauthorized actions, insert malicious software (malware), or overwhelm system resources to diminish availability


The other aspect of network security is the protection of network devices, such as routers and switches, and end systems connected to the network, such as client systems and servers. The primary security concerns are intruders that gain access to the system to perform unauthorized actions, insert malicious software (malware), or overwhelm system resources to diminish availability. Three types of device security are noteworthy:

■ Firewall: A hardware and/or software capability that limits access between a network and device attached to the network, in accordance with a specific security policy. The firewall acts as a filter that permits or denies data traffic, both incoming and outgoing, based on a set of rules based on traffic content and/or traffic pattern.

■ Intrusion detection: Hardware or software products that gather and analyze information from various areas within a computer or a network for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

■ Intrusion prevention: Hardware or software products designed to detect intrusive activity and attempt to stop the activity, ideally before it reaches its target.

These device security capabilities are more closely related to the field of computer security than network security. Accordingly, they are dealt with more briefly than communications security in Part Six. For a more detailed treatment, see [STAL18].

35

Device Security (2 of 2)

Three types of device security are:

Firewall

A hardware and/or software capability that limits access between a network and device attached to the network, in accordance with a specific security policy. The firewall acts as a filter that permits or denies data traffic, both incoming and outgoing, based on a set of rules based on traffic content and/or traffic pattern

Intrusion detection

Hardware or software products that gather and analyze information from various areas within a computer or a network for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner

Intrusion prevention

Hardware or software products designed to detect intrusive activity and attempt to stop the activity, ideally before it reaches its target


36

Trust Model (1 of 2)

One of the most widely accepted and most cited definitions of trust is:

“the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party”


One of the most widely accepted and most cited definitions of trust in the organizational science literature is from [MAYE95], which defines trust as follows: the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party.

Three related concepts are relevant to a trust model:

■ Trustworthiness: A characteristic of an entity that reflects the degree to which that entity is deserving of trust.

■ Propensity to trust: A tendency to be willing to trust others across a broad spectrum of situations and trust targets. This suggests that every individual has some baseline level of trust that will influence the person’s willingness to rely on the words and actions of others.

■ Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.

37

Trust Model (2 of 2)

Three related concepts are relevant to a trust model:

Trustworthiness: A characteristic of an entity that reflects the degree to which that entity is deserving of trust

Propensity to trust: A tendency to be willing to trust others across a broad spectrum of situations and trust targets. This suggests that every individual has some baseline level of trust that will influence the person’s willingness to rely on the words and actions of others

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence


38

Figure 1.6 Trust Model


Figure 1.6, adapted from [MAYE95], illustrates the relationship among these concepts. Propensity can also be expressed as the level of risk that an entity (individual or organization) is prepared to tolerate.

Typically, a trustor uses a number of factors to establish the trustworthiness of an entity. Three general factors are commonly cited:

■ Ability: Also referred to as competence, this relates to the potential ability of the evaluated entity to do a given task or be entrusted with given information.

■ Benevolence: This implies a disposition of goodwill towards the trusting party. That is, a trustworthy party does not intend to cause harm to the trusting party.

■ Integrity: This can be defined as the trustor’s perception that the trustee adheres to a set of principles that the trustor finds acceptable. Integrity implies that a benevolent party takes such measures as are necessary to assure that it in fact does not cause harm to the trusting party.

The goal of trust, in the model of Figure 1.6, is to determine what course of action, if any, the trusting party is willing to take in relation to the trusted party. Based on the level of trust and the perceived risk, the trusting party may decide to take some action that involves some degree of risk taking. The outcome of the risk taking could be a reliance on the trusted party to perform some action, or the disclosure of information to the trusted party with the expectation that the information will be protected as agreed between the parties.


The Trust Model and Information Security

Trust is confidence that an entity will perform in a way that will not prejudice the security of the user of the system of which that entity is a part

Trust is always restricted to specific functions or ways of behavior and is meaningful only in the context of a security policy

Generally, an entity is said to trust a second entity when the first entity assumes that the second entity will behave exactly as the first entity expects

In this context, the term entity may refer to a single hardware component or software module, a piece of equipment identified by make and model, a site or location, or an organization


Trust is confidence that an entity will perform in a way that will not prejudice the security of the user of the system of which that entity is a part. Trust is always restricted to specific functions or ways of behavior and is meaningful only in the context of a security policy. Generally, an entity is said to trust a second entity when the first entity assumes that the second entity will behave exactly as the first entity expects. This trust may apply only for some specific function. In this context, the term entity may refer to a single hardware component or software module, a piece of equipment identified by make and model, a site or location, or an organization.


Trustworthiness of an Individual (1 of 2)

Organizations need to be concerned about both internal users (employees, on-site contractors) and external users (customers, suppliers) of their information systems

With respect to internal users, an organization develops a level of trust in individuals by policies in the following two areas:

Human resource security

Sound security practice dictates that information security requirements be embedded into each stage of the employment life cycle, specifying security-related actions required during the induction of each individual, their ongoing management, and termination of their employment. Human resource security also includes assigning ownership of information (including responsibility for its protection) to capable individuals and obtaining confirmation of their understanding and acceptance


Organizations need to be concerned about both internal users (employees, on-site contractors) and external users (customers, suppliers) of their information systems. With respect to internal users, an organization develops a level of trust in individuals by policies in the following two areas [STAL19]:

■ Human resource security: Sound security practice dictates that information security requirements be embedded into each stage of the employment life cycle, specifying security-related actions required during the induction of each individual, their ongoing management, and termination of their employment. Human resource security also includes assigning ownership of information (including responsibility for its protection) to capable individuals and obtaining confirmation of their understanding and acceptance.

■ Security awareness and training: This area refers to disseminating security information to all employees, including IT staff, IT security staff, and management, as well as IT users and other employees. A workforce that has a high level of security awareness and appropriate security training for each individual’s role is as important, if not more important, than any other security countermeasure or control.

For external users, trust will depend on the context. In general terms, the factors of perceived trustworthiness and the trustor’s propensity, as depicted in Figure 1.6, determine the level of trust. Further, the issue of trust is mutual. That is, not only must an organization determine a level of trust towards external users, but external users need to be concerned about the degree to which they can trust an information resource that they use. This mutual trust involves a number of practical consequences, including the use of a public-key infrastructure and user authentication protocols. These matters are explored in Part Five.


Trustworthiness of an Individual (2 of 2)

Security awareness and training

This area refers to disseminating security information to all employees, including IT staff, IT security staff, and management, as well as IT users and other employees. A workforce that has a high level of security awareness and appropriate security training for each individual’s role is as important, if not more important, than any other security countermeasure or control


Trustworthiness of an Organization

Most organizations rely on information system service and information provided by external organizations, as well as partnerships to accomplish missions and business functions (examples are cloud service providers and companies that form part of the supply chain for the organization)

To manage risk to the organization, it must establish trust relationships with these external organizations

NIST SP 800-39 (Managing Information Security Risk, March 2011) indicates that such trust relationships can be:

Formally established, for example, by documenting the trust-related information in contracts, service-level agreements, statements of work, memoranda of agreement/understanding, or interconnection security agreements

Scalable and inter-organizational or intra-organizational in nature

Represented by simple (bilateral) relationships between two partners or more complex many-to-many relationships among many diverse partners


Most organizations rely, to a greater or lesser extent, on information system service and information provided by external organizations, as well as partnerships to accomplish missions and business functions. Examples are cloud service providers and companies that form part of the supply chain for the organization. To manage risk to the organization, it must establish trust relationships with these external organizations. NIST SP 800-39 (Managing Information Security Risk, March 2011) indicates that such trust relationships can be:

■ Formally established, for example, by documenting the trust-related information in contracts, service-level agreements, statements of work, memoranda of agreement/understanding, or interconnection security agreements;

■ Scalable and inter-organizational or intra-organizational in nature; and/or

■ Represented by simple (bilateral) relationships between two partners or more complex many-to-many relationships among many diverse partners.

The requirements for establishing and maintaining trust depend on mission/business requirements, the participants involved in the trust relationship, the criticality/sensitivity of the information being shared or the types of services being rendered, the history between the organizations, and the overall risk to the organizations participating in the relationship.

As with individuals, trust related to organizations can involve the use of public-key infrastructure and user authentication, as well as the network security measures described in Part Six.


Trustworthiness of Information Systems

SP 800-39 defines trustworthiness for information systems as

“the degree to which information systems (including the information technology products from which the systems are built) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the systems across the full range of threats”

Two factors affecting the trustworthiness of information systems are:

Security functionality: The security features/functions employed within the system. These include cryptographic and network security technologies

Security assurance: The grounds for confidence that the security functionality is effective in its application. This area is addressed by security management techniques, such as auditing and incorporating security considerations into the system development life cycle


SP 800-39 defines trustworthiness for information systems as the degree to which information systems (including the information technology products from which the systems are built) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the systems across the full range of threats. Two factors affecting the trustworthiness of information systems are:

■ Security functionality: The security features/functions employed within the system. These include cryptographic and network security technologies discussed throughout this book.

■ Security assurance: The grounds for confidence that the security functionality is effective in its application. This area is addressed by security management techniques, such as auditing and incorporating security considerations into the system development life cycle [STAL19].


Establishing Trust Relationships

Validated trust:

Trust is based on evidence obtained by the trusting organization about the trusted organization or entity. The information may include information security policy, security measures, and level of oversight

Direct historical trust:

This type of trust is based on the security-related track record exhibited by an organization in the past, particularly in interactions with the organization seeking to establish trust

Mediated trust:

Mediated trust involves the use of a third party that is mutually trusted by two parties, with the third party providing assurance or guarantee of a given level of trust between the first two parties

Mandated trust:

An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority


The methods used by an organization to establish a trust relationship with various entities will depend on a variety of factors, such as laws and regulations, risk tolerance, and the criticality and sensitivity of the relationship. SP 800-39 describes the following methods:

■ Validated trust: Trust is based on evidence obtained by the trusting organization about the trusted organization or entity. The information may include information security policy, security measures, and level of oversight. An example is for one organization to develop an application or information system and provide evidence (e.g., security plan, assessment results) to a second organization that supports the claims by the first organization that the application/system meets certain security requirements and/or addresses the appropriate security controls.

■ Direct historical trust: This type of trust is based on the security-related track record exhibited by an organization in the past, particularly in interactions with the organization seeking to establish trust.

■ Mediated trust: Mediated trust involves the use of a third party that is mutually trusted by two parties, with the third party providing assurance or guarantee of a given level of trust between the first two parties. An example of this form of trust establishment is the use of public-key certificate authorities, described in Chapter 14.

■ Mandated trust: An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority. For example, an organization may be given the responsibility and the authority to issue public key certificates for a group of organizations.

An organization is likely to use a combination of these methods to establish relationships with a number of other entities.


Standards (1 of 2)

National Institute of Standards and Technology:

NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation. Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact

Internet Society:

ISOC is a professional membership society with worldwide organizational and individual membership. It provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). These organizations develop Internet standards and related specifications, all of which are published as Requests for Comments (RFCs).


Many of the security techniques and applications described in this book have been specified as standards. Additionally, standards have been developed to cover management practices and the overall architecture of security mechanisms and services. Throughout this book, we describe the most important standards in use or being developed for various aspects of cryptography and network security. Various organizations have been involved in the development or promotion of these standards. The most important (in the current context) of these organizations are as follows:

■ National Institute of Standards and Technology: NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation. Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact.

■ Internet Society: ISOC is a professional membership society with worldwide organizational and individual membership. It provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). These organizations develop Internet standards and related specifications, all of which are published as Requests for Comments (RFCs).

■ ITU-T: The International Telecommunication Union (ITU) is an international organization within the United Nations System in which governments and the private sector coordinate global telecom networks and services. The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU. ITU-T’s mission is the development of technical standards covering all fields of telecommunications. ITU-T standards are referred to as Recommendations.

■ ISO: The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from more than 140 countries, one from each country. ISO is a nongovernmental organization that promotes the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity. ISO’s work results in international agreements that are published as International Standards.


Standards (2 of 2)

ITU-T:

The International Telecommunication Union (ITU) is an international organization within the United Nations System in which governments and the private sector coordinate global telecom networks and services. The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU. ITU-T’s mission is the development of technical standards covering all fields of telecommunications. ITU-T standards are referred to as Recommendations

ISO:

The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from more than 140 countries, one from each country. ISO is a nongovernmental organization that promotes the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity. ISO’s work results in international agreements that are published as International Standards


Summary

Describe the key security requirements of confidentiality, integrity, and availability

List and briefly describe key organizations involved in cryptography standards

Provide an overview of keyless, single-key and two-key cryptographic algorithms

Provide an overview of the main areas of network security

Describe a trust model for information security

Discuss the types of security threats and attacks that must be dealt with and give examples of the types of threats and attacks that apply to different categories of computer and network assets


Chapter 1 summary.


Copyright

This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 3

Classical Encryption Techniques


Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 3 – “Classical Encryption Techniques”.

Symmetric encryption, also referred to as conventional encryption or single-key encryption, was the only type of encryption in use prior to the development of public-key encryption in the 1970s. It remains by far the most widely used of the two types of encryption. Part One examines a number of symmetric ciphers. In this chapter, we begin with a look at a general model for the symmetric encryption process; this will enable us to understand the context within which the algorithms are used. Next, we examine a variety of algorithms in use before the computer era. Finally, we look briefly at a different approach known as steganography. Chapters 4 and 6 introduce the two most widely used symmetric ciphers: DES and AES.


Learning Objectives

Present an overview of the main concepts of symmetric cryptography.

Explain the difference between cryptanalysis and brute-force attack.

Understand the operation of a monoalphabetic substitution cipher.

Understand the operation of a polyalphabetic cipher.

Present an overview of the Hill cipher.


Definitions (1 of 2)

Plaintext

An original message

Ciphertext

The coded message

Enciphering/encryption

The process of converting from plaintext to ciphertext

Deciphering/decryption

Restoring the plaintext from the ciphertext


Before beginning, we define some terms. An original message is known as the plaintext, while the coded message is called the ciphertext. The process of converting from plaintext to ciphertext is known as enciphering or encryption; restoring the plaintext from the ciphertext is deciphering or decryption. The many schemes used for encryption constitute the area of study known as cryptography. Such a scheme is known as a cryptographic system or a cipher. Techniques used for deciphering a message without any knowledge of the enciphering details fall into the area of cryptanalysis. Cryptanalysis is what the layperson calls “breaking the code.” The areas of cryptography and cryptanalysis together are called cryptology.


Definitions (2 of 2)

Cryptography

The area of study of the many schemes used for encryption

Cryptographic system/cipher

A scheme

Cryptanalysis

Techniques used for deciphering a message without any knowledge of the enciphering details

Cryptology

The areas of cryptography and cryptanalysis


Figure 3.1 Simplified Model of Symmetric Encryption


A symmetric encryption scheme has five ingredients (Figure 3.1):

■ Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.

■ Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.

■ Secret key: The secret key is also input to the encryption algorithm. The key is a value independent of the plaintext and of the algorithm. The algorithm will produce a different output depending on the specific key being used at the time. The exact substitutions and transformations performed by the algorithm depend on the key.

■ Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts. The ciphertext is an apparently random stream of data and, as it stands, is unintelligible.

■ Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.


Symmetric Cipher Model

There are two requirements for secure use of conventional encryption:

A strong encryption algorithm

Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure


There are two requirements for secure use of conventional encryption:

1. We need a strong encryption algorithm. At a minimum, we would like the algorithm to be such that an opponent who knows the algorithm and has access to one or more ciphertexts would be unable to decipher the ciphertext or figure out the key. This requirement is usually stated in a stronger form: The opponent should be unable to decrypt ciphertext or discover the key even if he or she is in possession of a number of ciphertexts together with the plaintext that produced each ciphertext.

2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communication using this key is readable.

We assume that it is impractical to decrypt a message on the basis of the ciphertext plus knowledge of the encryption/decryption algorithm. In other words, we do not need to keep the algorithm secret; we need to keep only the key secret. This feature of symmetric encryption is what makes it feasible for widespread use. The fact that the algorithm need not be kept secret means that manufacturers can and have developed low-cost chip implementations of data encryption algorithms. These chips are widely available and incorporated into a number of products. With the use of symmetric encryption, the principal security problem is maintaining the secrecy of the key.


Figure 3.2 Model of Symmetric Cryptosystem


Let us take a closer look at the essential elements of a symmetric encryption scheme, using Figure 3.2.


Cryptographic Systems

Characterized along three independent dimensions:

The type of operations used for transforming plaintext to ciphertext

Substitution

Transposition

The number of keys used

Symmetric, single-key, secret-key, conventional encryption

Asymmetric, two-key, or public-key encryption

The way in which the plaintext is processed

Block cipher

Stream cipher


Cryptographic systems are characterized along three independent dimensions:

1. The type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (i.e., that all operations are reversible). Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions.

2. The number of keys used. If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and receiver use different keys, the system is referred to as asymmetric, two-key, or public-key encryption.

3. The way in which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.


Cryptanalysis and Brute-Force Attack

Cryptanalysis

Attack relies on the nature of the algorithm plus some knowledge of the general characteristics of the plaintext

Attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used

Brute-force attack

Attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained

On average, half of all possible keys must be tried to achieve success


Typically, the objective of attacking an encryption system is to recover the key in use rather than simply to recover the plaintext of a single ciphertext. There are two general approaches to attacking a conventional encryption scheme:

• Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext–ciphertext pairs. This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used.

• Brute-force attack: The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.

If either type of attack succeeds in deducing the key, the effect is catastrophic: All future and past messages encrypted with that key are compromised.


Table 3.1 Types of Attacks on Encrypted Messages

Type of Attack: Ciphertext Only. Known to cryptanalyst:
• Encryption algorithm
• Ciphertext

Type of Attack: Known Plaintext. Known to cryptanalyst:
• Encryption algorithm
• Ciphertext
• One or more plaintext–ciphertext pairs formed with the secret key

Type of Attack: Chosen Plaintext. Known to cryptanalyst:
• Encryption algorithm
• Ciphertext
• Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key

Type of Attack: Chosen Ciphertext. Known to cryptanalyst:
• Encryption algorithm
• Ciphertext
• Ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key

Type of Attack: Chosen Text. Known to cryptanalyst:
• Encryption algorithm
• Ciphertext
• Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key
• Ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key


Table 3.1 summarizes the various types of cryptanalytic attacks based on the amount of information known to the cryptanalyst. The most difficult problem is presented when all that is available is the ciphertext only. In some cases, not even the encryption algorithm is known, but in general, we can assume that the opponent does know the algorithm used for encryption. One possible attack under these circumstances is the brute-force approach of trying all possible keys. If the key space is very large, this becomes impractical. Thus, the opponent must rely on an analysis of the ciphertext itself, generally applying various statistical tests to it. To use this approach, the opponent must have some general idea of the type of plaintext that is concealed, such as English or French text, an EXE file, a Java source listing, an accounting file, and so on.

The ciphertext-only attack is the easiest to defend against because the opponent has the least amount of information to work with. In many cases, however, the analyst has more information. The analyst may be able to capture one or more plaintext messages as well as their encryptions. Or the analyst may know that certain plaintext patterns will appear in a message. For example, a file that is encoded in the Postscript format always begins with the same pattern, or there may be a standardized header or banner to an electronic funds transfer message, and so on. All these are examples of known plaintext. With this knowledge, the analyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed.

Closely related to the known-plaintext attack is what might be referred to as a probable-word attack. If the opponent is working with the encryption of some general prose message, he or she may have little knowledge of what is in the message. However, if the opponent is after some very specific information, then parts of the message may be known. For example, if an entire accounting file is being transmitted, the opponent may know the placement of certain key words in the header of the file. As another example, the source code for a program developed by Corporation X might include a copyright statement in some standardized position.

If the analyst is able somehow to get the source system to insert into the system a message chosen by the analyst, then a chosen-plaintext attack is possible. In general, if the analyst is able to choose the messages to encrypt, the analyst may deliberately pick patterns that can be expected to reveal the structure of the key.

Table 3.1 lists two other types of attack: chosen ciphertext and chosen text. These are less commonly employed as cryptanalytic techniques but are nevertheless possible avenues of attack.


Encryption Scheme Security

Unconditionally secure

No matter how much time an opponent has, it is impossible for him or her to decrypt the ciphertext simply because the required information is not there

Computationally secure

The cost of breaking the cipher exceeds the value of the encrypted information

The time required to break the cipher exceeds the useful lifetime of the information


Two more definitions are worthy of note. An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. That is, no matter how much time an opponent has, it is impossible for him or her to decrypt the ciphertext simply because the required information is not there. With the exception of a scheme known as the one-time pad (described later in this chapter), there is no encryption algorithm that is unconditionally secure. Therefore, all that the users of an encryption algorithm can strive for is an algorithm that meets one or both of the following criteria:

• The cost of breaking the cipher exceeds the value of the encrypted information.

• The time required to break the cipher exceeds the useful lifetime of the information.

An encryption scheme is said to be computationally secure if either of the foregoing two criteria is met. Unfortunately, it is very difficult to estimate the amount of effort required to cryptanalyze ciphertext successfully.

All forms of cryptanalysis for symmetric encryption schemes are designed to exploit the fact that traces of structure or pattern in the plaintext may survive encryption and be discernible in the ciphertext. This will become clear as we examine various symmetric encryption schemes in this chapter. We will see in Part Three that cryptanalysis for public-key schemes proceeds from a fundamentally different premise, namely, that the mathematical properties of the pair of keys may make it possible for one of the two keys to be deduced from the other.


Brute-Force Attack

Involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained

On average, half of all possible keys must be tried to achieve success

To supplement the brute-force approach, some degree of knowledge about the expected plaintext is needed, and some means of automatically distinguishing plaintext from garble is also needed


A brute-force attack involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained. On average, half of all possible keys must be tried to achieve success. That is, if there are X different keys, on average an attacker would discover the actual key after X/2 tries. It is important to note that there is more to a brute-force attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. If the message is just plain text in English, then the result pops out easily, although the task of recognizing English would have to be automated. If the text message has been compressed before encryption, then recognition is more difficult. And if the message is some more general type of data, such as a numerical file, and this has been compressed, the problem becomes even more difficult to automate. Thus, to supplement the brute-force approach, some degree of knowledge about the expected plaintext is needed, and some means of automatically distinguishing plaintext from garble is also needed.


Strong Encryption

The term strong encryption refers to encryption schemes that make it impractically difficult for unauthorized persons or systems to gain access to plaintext that has been encrypted

Properties that make an encryption algorithm strong are:

Appropriate choice of cryptographic algorithm

Use of sufficiently long key lengths

Appropriate choice of protocols

A well-engineered implementation

Absence of deliberately introduced hidden flaws


For users, security managers, and organization executives, there is a requirement for strong encryption to protect data. The term strong encryption is an imprecise one, but in general terms, it refers to encryption schemes that make it impractically difficult for unauthorized persons or systems to gain access to plaintext that has been encrypted. [NAS18] lists the following properties that make an encryption algorithm strong: appropriate choice of cryptographic algorithm, use of sufficiently long key lengths, appropriate choice of protocols, a well-engineered implementation, and the absence of deliberately introduced hidden flaws. The first two factors relate to cryptanalysis, discussed in this section, and the third factor relates to the discussion in Part Six. The last two factors are beyond the scope of this book.


Substitution Technique

Is one in which the letters of plaintext are replaced by other letters or by numbers or symbols

If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns


The two basic building blocks of all encryption techniques are substitution and transposition. We examine these in the next two sections. Finally, we discuss a system that combines both substitution and transposition.

A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.


Caesar Cipher

Simplest and earliest known use of a substitution cipher

Used by Julius Caesar

Involves replacing each letter of the alphabet with the letter standing three places further down the alphabet

Alphabet is wrapped around so that the letter following Z is A

plain: meet me after the toga party

cipher: PHHW PH DIWHU WKH WRJD SDUWB


The earliest known, and the simplest, use of a substitution cipher was by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet.


Caesar Cipher Algorithm

Can define transformation as:

a b c d e f g h i j k l m n o p q r s t u v w x y z

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Mathematically give each letter a number

a b c d e f g h i j k l m n o p q r s t u v w x y z

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Algorithm can be expressed as:

C = E(3, p) = (p + 3) mod 26

A shift may be of any amount, so that the general Caesar algorithm is:

C = E(k, p) = (p + k) mod 26

where k takes on a value in the range 1 to 25; the decryption algorithm is simply:

p = D(k, C) = (C − k) mod 26


Note that the alphabet is wrapped around, so that the letter following Z is A. An algorithm can be expressed as follows. For each plaintext letter p, substitute the ciphertext letter C = E(3, p) = (p + 3) mod 26.


Figure 3.3 Brute-Force Cryptanalysis of Caesar Cipher


If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily performed: simply try all the 25 possible keys. Figure 3.3 shows the results of applying this strategy to the example ciphertext. In this case, the plaintext leaps out as occupying the third line.

Three important characteristics of this problem enabled us to use a brute-force cryptanalysis:

1. The encryption and decryption algorithms are known.

2. There are only 25 keys to try.

3. The language of the plaintext is known and easily recognizable.
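The Caesar formulas C = (p + k) mod 26 and p = (C − k) mod 26, together with the brute-force search of all 25 keys and the automated "is this English?" step that the brute-force slide says such a search needs, as an added Python example (not code from the book or the slides). The word list used as the plaintext recognizer is a constructed stand-in; a real recognizer would use a dictionary or n-gram statistics, but the point is the same: the search only works because the key space is tiny and the plaintext can be told apart from garble.

```python
import string

ALPHABET = string.ascii_lowercase

def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = E(k, p) = (p + k) mod 26 for every letter; other characters pass through.
    Output is upper case, matching the slide's convention for ciphertext."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            p = ALPHABET.index(ch.lower())
            out.append(ALPHABET[(p + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = D(k, C) = (C - k) mod 26; output in lower case like the slide's plaintext."""
    out = []
    for ch in ciphertext:
        if ch.isalpha():
            c = ALPHABET.index(ch.lower())
            out.append(ALPHABET[(c - k) % 26])
        else:
            out.append(ch)
    return "".join(out)

# Constructed, deliberately tiny vocabulary standing in for the automated
# "recognize English" step the text says a brute-force attack needs.
COMMON_WORDS = {"the", "and", "of", "to", "a", "in", "me", "after", "meet", "party"}

def english_score(text: str) -> int:
    """Crude plaintext recognizer: number of tokens found in COMMON_WORDS."""
    return sum(1 for word in text.lower().split() if word in COMMON_WORDS)

def brute_force_caesar(ciphertext: str) -> list:
    """Try all 25 keys (characteristic 2 on the slide) and rank the candidate
    plaintexts by english_score (characteristic 3); best candidate first."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]
    return sorted(candidates, key=lambda kc: english_score(kc[1]), reverse=True)

if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)  # PHHW PH DIWHU WKH WRJD SDUWB
    for k, candidate in brute_force_caesar(ct)[:3]:
        print(k, candidate)
```

Running the block reproduces the slide's ciphertext and ranks key 3 first; with the plaintext recognizer removed, all 25 candidates look alike to a program, which is exactly the gap the slide on brute-force attacks points at.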


Sample of Compressed Text

Figure 3.4 Sample of Compressed Text


In most networking situations, we can assume that the algorithms are known. What generally makes brute-force cryptanalysis impractical is the use of an algorithm that employs a large number of keys. For example, the triple DES algorithm, examined in Chapter 7, makes use of a 168-bit key, giving a key space of 2^168 or greater than 3.7 × 10^50 possible keys.

The third characteristic is also significant. If the language of the plaintext is unknown, then plaintext output may not be recognizable. Furthermore, the input may be abbreviated or compressed in some fashion, again making recognition difficult. For example, Figure 3.4 shows a portion of a text file compressed using an algorithm called ZIP. If this file is then encrypted with a simple substitution cipher (expanded to include more than just 26 alphabetic characters), then the plaintext may not be recognized when it is uncovered in the brute-force cryptanalysis.


Monoalphabetic Cipher

Permutation

Of a finite set of elements S is an ordered sequence of all the elements of S , with each element appearing exactly once

If the “cipher” line can be any permutation of the 26 alphabetic characters, then there are 26! or greater than 4 × 10^26 possible keys

This is 10 orders of magnitude greater than the key space for DES

Approach is referred to as a monoalphabetic substitution cipher because a single cipher alphabet is used per message


With only 25 possible keys, the Caesar cipher is far from secure. A dramatic increase in the key space can be achieved by allowing an arbitrary substitution. Before proceeding, we define the term permutation. A permutation of a finite set of elements S is an ordered sequence of all the elements of S, with each element appearing exactly once.

For example, if S = {a, b, c}, there are six permutations of S:

abc, acb, bac, bca, cab, cba

In general, there are n! permutations of a set of n elements, because the first element can be chosen in one of n ways, the second in n − 1 ways, the third in n − 2 ways, and so on.

If, instead, the “cipher” line can be any permutation of the 26 alphabetic characters, then there are 26! or greater than 4 × 10^26 possible keys. This is 10 orders of magnitude greater than the key space for DES and would seem to eliminate brute-force techniques for cryptanalysis. Such an approach is referred to as a monoalphabetic substitution cipher, because a single cipher alphabet (mapping from plain alphabet to cipher alphabet) is used per message.


Figure 3.5 Relative Frequency of Letters in English Text


There is, however, another line of attack. If the cryptanalyst knows the nature of the plaintext (e.g., noncompressed English text), then the analyst can exploit the regularities of the language. To see how such a cryptanalysis might proceed, we give a partial example here that is adapted from one in [SINK09]. The ciphertext to be solved is

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

As a first step, the relative frequency of the letters can be determined and compared to a standard frequency distribution for English, such as is shown in Figure 3.5 (based on [LEWA00]). If the message were long enough, this technique alone might be sufficient, but because this is a relatively short message, we cannot expect an exact match. In any case, the relative frequencies of the letters in the ciphertext (in percentages) are as follows:

P 13.33   H 5.83   F 3.33   B 1.67   C 0.00
Z 11.67   D 5.00   W 3.33   G 1.67   K 0.00
S  8.33   E 5.00   Q 2.50   Y 1.67   L 0.00
U  8.33   V 4.17   T 2.50   I 0.83   N 0.00
O  7.50   X 4.17   A 1.67   J 0.83   R 0.00
M  6.67

Comparing this breakdown with Figure 3.5, it seems likely that cipher letters P and Z are the equivalents of plain letters e and t, but it is not certain which is which. The letters S, U, O, M, and H are all of relatively high frequency and probably correspond to plain letters from the set {a, h, i, n, o, r, s}. The letters with the lowest frequencies (namely, A, B, G, Y, I, J) are likely included in the set {b, j, k, q, v, x, z}.

There are a number of ways to proceed at this point. We could make some tentative assignments and start to fill in the plaintext to see if it looks like a reasonable “skeleton” of a message. A more systematic approach is to look for other regularities. For example, certain words may be known to be in the text. Or we could look for repeating sequences of cipher letters and try to deduce their plaintext equivalents.


Monoalphabetic Ciphers

Easy to break because they reflect the frequency data of the original alphabet

Countermeasure is to provide multiple substitutes (homophones) for a single letter

Digram

Two-letter combination

Most common is th

Trigram

Three-letter combination

Most frequent is the


A powerful tool is to look at the frequency of two-letter combinations, known as digrams. A table similar to Figure 3.5 could be drawn up showing the relative frequency of digrams. The most common such digram is th. In our ciphertext, the most common digram is ZW, which appears three times. So we make the correspondence of Z with t and W with h. Then, by our earlier hypothesis, we can equate P with e. Now notice that the sequence ZWP appears in the ciphertext, and we can translate that sequence as “the.” This is the most frequent trigram (three-letter combination) in English, which seems to indicate that we are on the right track.

Next, notice the sequence ZWSZ in the first line. We do not know that these four letters form a complete word, but if they do, it is of the form th_t. If so, S equates with a.

So far, then, we have (each identified plaintext letter written directly beneath its cipher letter):

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
 t a        e  e te  a that e e a       a   t
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
   e t   ta t ha e ee  a e  th    t  a
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
 e  e e tat  e   the  et

Only four letters have been identified, but already we have quite a bit of the message. Continued analysis of frequencies plus trial and error should easily yield a solution from this point. The complete plaintext, with spaces added between words, follows:

it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the Viet cong in Moscow
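The steps just walked through for the slide's ciphertext (single-letter frequencies compared against the table, the digram count that singles out ZW, and the tentative mapping Z→t, W→h, P→e, S→a written under the ciphertext), mechanized as an added Python example that is not code from the book or the slides. The ciphertext is a copy of the three printed lines; the function names are my own; the English frequency table of Figure 3.5 is not reproduced, so comparing the two distributions remains a manual step. Because the message is short, ZW is not the only digram that occurs three times, so the function returns every digram that shares the top count rather than a single winner.

```python
import string
from collections import Counter

# The slide's ciphertext, copied as the three printed lines.
CIPHERTEXT_LINES = [
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ",
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX",
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ",
]

def letter_frequencies(lines):
    """Relative frequency in percent (2 dp) of each cipher letter A..Z,
    ordered most common first (ties in alphabetical order)."""
    text = "".join(lines)
    counts = Counter(text)
    total = len(text)
    ordered = sorted(string.ascii_uppercase, key=lambda ch: -counts[ch])
    return {ch: round(100 * counts[ch] / total, 2) for ch in ordered}

def digram_counts(lines):
    """Count adjacent cipher-letter pairs over the whole message."""
    text = "".join(lines)
    return Counter(a + b for a, b in zip(text, text[1:]))

def most_common_digrams(lines):
    """All digrams sharing the top count, and that count (ZW is among them, with 3)."""
    counts = digram_counts(lines)
    top = max(counts.values())
    return sorted(d for d, n in counts.items() if n == top), top

def apply_partial_key(lines, mapping):
    """Write the tentative plaintext under the ciphertext: identified cipher letters
    become their plain letters, unknown ones a blank, position for position."""
    return ["".join(mapping.get(ch, " ") for ch in line) for line in lines]

if __name__ == "__main__":
    freqs = letter_frequencies(CIPHERTEXT_LINES)
    print(dict(list(freqs.items())[:6]))         # P, Z, S, U, O, M lead, as in the table
    print(most_common_digrams(CIPHERTEXT_LINES))
    skeleton = apply_partial_key(CIPHERTEXT_LINES, {"Z": "t", "W": "h", "P": "e", "S": "a"})
    for ct, pt in zip(CIPHERTEXT_LINES, skeleton):
        print(ct)
        print(pt)
```

The digram step is the one that converts a guess ("P and Z are e and t, but which is which?") into a commitment: ZW is a th candidate, and ZWP then reads as the, so P must be e. A second mapping can be tried by changing the dictionary passed to apply_partial_key and checking whether the skeleton still reads like English.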

Monoalphabetic ciphers are easy to break because they reflect the frequency data of the original alphabet. A countermeasure is to provide multiple substitutes, known as homophones, for a single letter. For example, the letter e could be assigned a number of different cipher symbols, such as 16, 74, 35, and 21, with each homophone assigned to a letter in rotation or randomly. If the number of symbols assigned to each letter is proportional to the relative frequency of that letter, then single-letter frequency information is completely obliterated. The great mathematician Carl Friedrich Gauss believed that he had devised an unbreakable cipher using homophones. However, even with homophones, each element of plaintext affects only one element of ciphertext, and multiple-letter patterns (e.g., digram frequencies) still survive in the ciphertext, making cryptanalysis relatively straightforward.

Two principal methods are used in substitution ciphers to lessen the extent to which the structure of the plaintext survives in the ciphertext: One approach is to encrypt multiple letters of plaintext, and the other is to use multiple cipher alphabets. We briefly examine each.


Playfair Cipher

Best-known multiple-letter encryption cipher

Treats digrams in the plaintext as single units and translates these units into ciphertext digrams

Based on the use of a 5 × 5 matrix of letters constructed using a keyword

Invented by British scientist Sir Charles Wheatstone in 1854

Used as the standard field system by the British Army in World War I and the U.S. Army and other Allied forces during World War II


The best-known multiple-letter encryption cipher is the Playfair, which treats digrams in the plaintext as single units and translates these units into ciphertext digrams.

The Playfair algorithm is based on the use of a 5 × 5 matrix of letters constructed using a keyword.


Playfair Key Matrix

Fill in letters of keyword (minus duplicates) from left to right and from top to bottom, then fill in the remainder of the matrix with the remaining letters in alphabetic order

Using the keyword MONARCHY:

M O N A R

C H Y B D

E F G I/J K

L P Q S T

U V W X Z


In this case, the keyword is monarchy. The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters in alphabetic order. The letters I and J count as one letter. Plaintext is encrypted two letters at a time, according to the following rules:

1. Repeating plaintext letters that are in the same pair are separated with a filler letter, such as x, so that balloon would be treated as ba lx lo on.

2. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row circularly following the last. For example, ar is encrypted as RM.

3. Two plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column circularly following the last. For example, mu is encrypted as CM.

4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter. Thus, hs becomes BP and ea becomes IM (or JM, as the encipherer wishes).
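The matrix construction and the four encryption rules above, implemented end to end as an added Python example (not the book's or the slides' code). It builds the MONARCHY matrix from the keyword, splits plaintext into digrams with the x filler, applies the row, column and rectangle rules with a step of +1, and decrypts with the same routine stepping −1. Two details are my own assumptions, because the slide does not cover them: an odd-length message is padded with the filler, and J is always folded into I, so decryption yields I where the encipherer may have meant J.

```python
import string

def playfair_matrix(keyword):
    """5x5 key matrix: keyword letters (duplicates dropped) left to right, top to
    bottom, then the rest of the alphabet in order; I and J share one cell."""
    seen = []
    for ch in keyword.lower() + string.ascii_lowercase:
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]

def playfair_digrams(text, filler="x"):
    """Rule 1: split into pairs, separating a doubled letter with the filler
    ('balloon' -> ba lx lo on). Assumption: an odd final letter is padded with the filler too."""
    letters = ["i" if c == "j" else c for c in text.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def _transform(pairs, grid, step):
    """Rules 2-4; step=+1 encrypts (right/down), step=-1 decrypts (left/up)."""
    pos = {ch: (r, c) for r, row in enumerate(grid) for c, ch in enumerate(row)}
    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                       # same row: shift along the row, wrapping
            out.append(grid[ra][(ca + step) % 5] + grid[rb][(cb + step) % 5])
        elif ca == cb:                     # same column: shift along the column, wrapping
            out.append(grid[(ra + step) % 5][ca] + grid[(rb + step) % 5][cb])
        else:                              # rectangle: each letter takes the other's column
            out.append(grid[ra][cb] + grid[rb][ca])
    return "".join(out)

def playfair_encrypt(plaintext, keyword):
    return _transform(playfair_digrams(plaintext), playfair_matrix(keyword), +1).upper()

def playfair_decrypt(ciphertext, keyword):
    """Inverse rules. Filler letters stay in the output (e.g. 'balxloon')."""
    letters = [c for c in ciphertext.lower() if c.isalpha()]
    pairs = [letters[i] + letters[i + 1] for i in range(0, len(letters) - 1, 2)]
    return _transform(pairs, playfair_matrix(keyword), -1)

if __name__ == "__main__":
    for row in playfair_matrix("monarchy"):
        print(" ".join(row).upper())
    print(playfair_encrypt("balloon", "monarchy"))   # IBSUPMNA
    print(playfair_decrypt("IBSUPMNA", "monarchy"))  # balxloon
```

The rectangle rule is its own inverse, which is why a single routine with a sign on the step handles both directions; only the row and column rules need the direction reversed.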

The Playfair cipher is a great advance over simple monoalphabetic ciphers. For one thing, whereas there are only 26 letters, there are 26 × 26 = 676 digrams, so that identification of individual digrams is more difficult. Furthermore, the relative frequencies of individual letters exhibit a much greater range than that of digrams, making frequency analysis much more difficult. For these reasons, the Playfair cipher was for a long time considered unbreakable. It was used as the standard field system by the British Army in World War I and still enjoyed considerable use by the U.S. Army and other Allied forces during World War II.

Despite this level of confidence in its security, the Playfair cipher is relatively easy to break, because it still leaves much of the structure of the plaintext language intact. A few hundred letters of ciphertext are generally sufficient.


Figure 3.6 Relative Frequency of Occurrence of Letters


One way of revealing the effectiveness of the Playfair and other ciphers is shown in Figure 3.6. The line labeled plaintext plots a typical frequency distribution of the 26 alphabetic characters (no distinction between upper and lower case) in ordinary text. This is also the frequency distribution of any monoalphabetic substitution cipher, because the frequency values for individual letters are the same, just with different letters substituted for the original letters. The plot is developed in the following way: The number of occurrences of each letter in the text is counted and divided by the number of occurrences of the most frequently used letter. Using the results of Figure 3.5, we see that e is the most frequently used letter. As a result, e has a relative frequency of 1, t of 9.056/12.702 ≈ 0.72, and so on. The points on the horizontal axis correspond to the letters in order of decreasing frequency.

Figure 3.6 also shows the frequency distribution that results when the text is encrypted using the Playfair cipher. To normalize the plot, the number of occurrences of each letter in the ciphertext was again divided by the number of occurrences of e in the plaintext. The resulting plot therefore shows the extent to which the frequency distribution of letters, which makes it trivial to solve substitution ciphers, is masked by encryption. If the frequency distribution information were totally concealed in the encryption process, the ciphertext plot of frequencies would be flat, and cryptanalysis using ciphertext only would be effectively impossible. As the figure shows, the Playfair cipher has a flatter distribution than does plaintext, but nevertheless, it reveals plenty of structure for a cryptanalyst to work with. The plot also shows the Vigenère cipher, discussed subsequently. The Hill and Vigenère curves on the plot are based on results reported in [SIMM93].


Hill Cipher

Developed by the mathematician Lester Hill in 1929

Strength is that it completely hides single-letter frequencies

The use of a larger matrix hides more frequency information

A 3 × 3 Hill cipher hides not only single-letter but also two-letter frequency information

Strong against a ciphertext-only attack but easily broken with a known plaintext attack


Another interesting multiletter cipher is the Hill cipher, developed by the mathematician Lester Hill in 1929.

Before describing the Hill cipher, let us briefly review some terminology from linear algebra. In this discussion, we are concerned with matrix arithmetic modulo 26. For the reader who needs a refresher on matrix multiplication and inversion, see Appendix A.

We define the inverse M^-1 of a square matrix M by the equation M(M^-1) = M^-1 M = I, where I is the identity matrix. I is a square matrix that is all zeros except for ones along the main diagonal from upper left to lower right. The inverse of a matrix does not always exist, but when it does, it satisfies the preceding equation.

To explain how the inverse of a matrix is computed, we begin with the concept of determinant. For any square matrix (m × m), the determinant equals the sum of all the products that can be formed by taking exactly one element from each row and exactly one element from each column, with certain of the product terms preceded by a minus sign.

This encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters. The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1, …, z = 25).

As with Playfair, the strength of the Hill cipher is that it completely hides single-letter frequencies. Indeed, with Hill, the use of a larger matrix hides more frequency information. Thus, a 3 × 3 Hill cipher hides not only single-letter but also two-letter frequency information.

Although the Hill cipher is strong against a ciphertext-only attack, it is easily broken with a known plaintext attack.
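A 2 × 2 Hill cipher with the matrix arithmetic mod 26 described above, as an added Python example (not code from the book or the slides). It assumes the convention that a plaintext pair is a row vector P and the ciphertext pair is C = PK mod 26, computes K^-1 from the determinant and adjugate, and ends with the known-plaintext weakness the slide states: two plaintext pairs whose matrix X is invertible mod 26, and their ciphertext pairs Y, satisfy Y = XK, so K = X^-1 Y falls out in one multiplication. The key [[9, 4], [5, 7]] and the sample messages are constructed; padding an odd-length message with x is my assumption.

```python
import string

MOD = 26
I2A = string.ascii_lowercase
A2I = {ch: i for i, ch in enumerate(I2A)}

# Constructed 2x2 key; det = 9*7 - 4*5 = 43 = 17 (mod 26), and 17 is invertible mod 26.
KEY = [[9, 4], [5, 7]]

def mat_mult(a, b):
    """Product of two 2x2 matrices, entries reduced mod 26."""
    return [[(a[r][0] * b[0][c] + a[r][1] * b[1][c]) % MOD for c in range(2)] for r in range(2)]

def mat_inverse(m):
    """Inverse mod 26 via determinant and adjugate; ValueError if det shares a factor with 26."""
    det = (m[0][0] * m[1][1] - m[0][1] * m[1][0]) % MOD
    try:
        det_inv = pow(det, -1, MOD)  # modular inverse (Python 3.8+)
    except ValueError:
        raise ValueError(f"determinant {det} is not invertible mod 26") from None
    adj = [[m[1][1], -m[0][1]], [-m[1][0], m[0][0]]]
    return [[(det_inv * adj[r][c]) % MOD for c in range(2)] for r in range(2)]

def _pairs(text):
    """Letters -> numbers (a = 0, ..., z = 25) grouped in twos; odd length padded with x (assumption)."""
    nums = [A2I[ch] for ch in text.lower() if ch.isalpha()]
    if len(nums) % 2:
        nums.append(A2I["x"])
    return [nums[i:i + 2] for i in range(0, len(nums), 2)]

def hill_encrypt(plaintext, key):
    """C = P K mod 26, each plaintext pair P treated as a row vector."""
    out = []
    for p in _pairs(plaintext):
        out.extend((p[0] * key[0][c] + p[1] * key[1][c]) % MOD for c in range(2))
    return "".join(I2A[v] for v in out).upper()

def hill_decrypt(ciphertext, key):
    """P = C K^-1 mod 26."""
    return hill_encrypt(ciphertext, mat_inverse(key)).lower()

def recover_key(known_plaintext, known_ciphertext):
    """Known-plaintext attack: the first two plaintext pairs form X, their ciphertext
    pairs form Y; since Y = X K, K = X^-1 Y whenever X is invertible mod 26."""
    X = _pairs(known_plaintext)[:2]
    Y = _pairs(known_ciphertext)[:2]
    return mat_mult(mat_inverse(X), Y)

if __name__ == "__main__":
    ct = hill_encrypt("help meet", KEY)
    print(ct, hill_decrypt(ct, KEY))    # FESTYYBT helpmeet
    print(recover_key("help", "FEST"))  # [[9, 4], [5, 7]]
```

Note the two places where invertibility mod 26 matters: the key itself must have a determinant coprime to 26 or decryption is impossible, and the plaintext block matrix X must be invertible for the key-recovery step to work (otherwise one picks a different pair of known blocks). The same linear structure that hides single-letter frequencies is what makes the cipher fall to a handful of known plaintext letters.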


Polyalphabetic Ciphers

Polyalphabetic substitution cipher

Improves on the simple monoalphabetic technique by using different monoalphabetic substitutions as one proceeds through the plaintext message

All these techniques have the following features in common:

A set of related monoalphabetic substitution rules is used

A key determines which particular rule is chosen for a given transformation


Another way to improve on the simple monoalphabetic technique is to use different monoalphabetic substitutions as one proceeds through the plaintext message. The general name for this approach is polyalphabetic substitution cipher. All these techniques have the following features in common:

1. A set of related monoalphabetic substitution rules is used.

2. A key determines which particular rule is chosen for a given transformation.


Vigenère Cipher

Best known and one of the simplest polyalphabetic substitution ciphers

In this scheme the set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers with shifts of 0 through 25

Each cipher is denoted by a key letter which is the ciphertext letter that substitutes for the plaintext letter a


The best known, and one of the simplest, polyalphabetic ciphers is the Vigenère cipher. In this scheme, the set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers with shifts of 0 through 25. Each cipher is denoted by a key letter, which is the ciphertext letter that substitutes for the plaintext letter a. Thus, a Caesar cipher with a shift of 3 is denoted by the key value 3.


Example of Vigenère Cipher

To encrypt a message, a key is needed that is as long as the message

Usually, the key is a repeating keyword

For example, if the keyword is deceptive, the message “we are discovered save yourself” is encrypted as:

key: deceptivedeceptivedeceptive

plaintext: wearediscoveredsaveyourself

ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ


To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword. For example, if the keyword is deceptive, the message “we are discovered save yourself” is encrypted as

key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

The strength of this cipher is that there are multiple ciphertext letters for each plaintext letter, one for each unique letter of the keyword. Thus, the letter frequency information is obscured. However, not all knowledge of the plaintext structure is lost. For example, Figure 3.6 shows the frequency distribution for a Vigenère cipher with a keyword of length 9. An improvement is achieved over the Playfair cipher, but considerable frequency information remains.


Vigenère Autokey System

A keyword is concatenated with the plaintext itself to provide a running key

Example:

key: deceptivewearediscoveredsav

plaintext: wearediscoveredsaveyourself

ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA

Even this scheme is vulnerable to cryptanalysis

Because the key and the plaintext share the same frequency distribution of letters, a statistical technique can be applied


The periodic nature of the keyword can be eliminated by using a nonrepeating keyword that is as long as the message itself. Vigenère proposed what is referred to as an autokey system, in which a keyword is concatenated with the plaintext itself to provide a running key. For our example,

key:        deceptivewearediscoveredsav
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA

Even this scheme is vulnerable to cryptanalysis. Because the key and the plaintext share the same frequency distribution of letters, a statistical technique can be applied. For example, e enciphered by e, by Figure 3.5, can be expected to occur with a frequency of (0.127)^2 ≈ 0.016, whereas t enciphered by t would occur only about half as often. These regularities can be exploited to achieve successful cryptanalysis.

29
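The repeating-key and autokey encryptions above, their decryptions, and a check of how many ciphertext letters each plaintext letter maps to, as an added Python example (not from the slides); the keyword and messages are the text's own:

```python
"""Vigenère (repeating key) and Vigenère autokey, with a check of the
'several ciphertext letters per plaintext letter' property the text
describes.  Added example; keyword and messages are the ones in the text."""

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _clean(text: str) -> str:
    """Keep letters only, lower-cased: 'we are discovered' -> 'wearediscovered'."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """Repeating-key Vigenère: C_i = (P_i + K_(i mod m)) mod 26."""
    pt, kw = _clean(plaintext), _clean(keyword)
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(kw[i % len(kw)])) % 26]
        for i, p in enumerate(pt)
    ).upper()


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """Inverse: P_i = (C_i - K_(i mod m)) mod 26."""
    ct, kw = _clean(ciphertext), _clean(keyword)
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(kw[i % len(kw)])) % 26]
        for i, c in enumerate(ct)
    )


def autokey_encrypt(plaintext: str, keyword: str) -> str:
    """Autokey: the running key is keyword + plaintext, truncated to the
    message length, so the keyword never repeats."""
    pt, kw = _clean(plaintext), _clean(keyword)
    running_key = (kw + pt)[: len(pt)]
    return vigenere_encrypt(pt, running_key)  # key already spans the message


def autokey_decrypt(ciphertext: str, keyword: str) -> str:
    """Decryption rebuilds the running key as it goes: the first m letters
    use the keyword, each later letter uses the plaintext letter recovered
    m positions earlier."""
    ct, kw = _clean(ciphertext), _clean(keyword)
    m = len(kw)
    recovered = []
    for i, c in enumerate(ct):
        k = kw[i] if i < m else recovered[i - m]
        recovered.append(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26])
    return "".join(recovered)


def distinct_substitutes(plaintext: str, ciphertext: str) -> dict:
    """For each plaintext letter, the set of ciphertext letters it became.
    A monoalphabetic cipher yields exactly one per letter; Vigenère yields up
    to one per distinct keyword letter, which is what flattens the
    frequency distribution (but only partially, as the text notes)."""
    subs = {}
    for p, c in zip(_clean(plaintext), _clean(ciphertext)):
        subs.setdefault(p, set()).add(c)
    return subs
```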

Vernam Cipher

Figure 3.7 Vernam Cipher

The ultimate defense against such a cryptanalysis is to choose a keyword that is as long as the plaintext and has no statistical relationship to it. Such a system was introduced by an AT&T engineer named Gilbert Vernam in 1918. His system works on binary data (bits) rather than letters.

The essence of this technique is the means of construction of the key. Vernam proposed the use of a running loop of tape that eventually repeated the key, so that in fact the system worked with a very long but repeating keyword. Although such a scheme, with a long key, presents formidable cryptanalytic difficulties, it can be broken with sufficient ciphertext, the use of known or probable plaintext sequences, or both.

One-Time Pad

Improvement to Vernam cipher proposed by an Army Signal Corp officer, Joseph Mauborgne

Use a random key that is as long as the message so that the key need not be repeated

Key is used to encrypt and decrypt a single message and then is discarded

Each new message requires a new key of the same length as the new message

Scheme is unbreakable

Produces random output that bears no statistical relationship to the plaintext

Because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code

An Army Signal Corp officer, Joseph Mauborgne, proposed an improvement to the Vernam cipher that yields the ultimate in security. Mauborgne suggested using a random key that is as long as the message, so that the key need not be repeated. In addition, the key is to be used to encrypt and decrypt a single message, and then is discarded. Each new message requires a new key of the same length as the new message. Such a scheme, known as a one-time pad, is unbreakable. It produces random output that bears no statistical relationship to the plaintext. Because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code.

In fact, given any plaintext of equal length to the ciphertext, there is a key that produces that plaintext. Therefore, if you did an exhaustive search of all possible keys, you would end up with many legible plaintexts, with no way of knowing which was the intended plaintext. Therefore, the code is unbreakable.

The security of the one-time pad is entirely due to the randomness of the key. If the stream of characters that constitute the key is truly random, then the stream of characters that constitute the ciphertext will be truly random. Thus, there are no patterns or regularities that a cryptanalyst can use to attack the ciphertext.
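A byte-oriented one-time pad (Vernam's XOR with a truly random, single-use key), showing why an exhaustive key search cannot single out the real plaintext and why the key must never be reused, as an added Python example (not from the slides); the sample messages are constructed:

```python
"""One-time pad over bytes: Vernam's XOR construction with a key that is
as long as the message, drawn from a CSPRNG, and used once.  Added
example, not from the slides."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad: key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """Key from the operating system's CSPRNG.  The whole security argument
    rests on the key being unpredictable, as long as the message, and
    never reused; generating such keys in volume is the text's difficulty 1."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)  # XOR is its own inverse


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY plaintext of the right length there
    is a key that maps this ciphertext to it, so an exhaustive key search
    produces every legible message and cannot pick out the intended one."""
    return xor_bytes(ciphertext, candidate_plaintext)


def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Why the pad must be ONE-time: if two messages share a key, the key
    cancels out and ct1 XOR ct2 = pt1 XOR pt2, i.e. the ciphertexts now carry
    exactly the statistical relationship to the plaintexts that the scheme
    is supposed to remove.  Returned here so a test can confirm the equality."""
    return xor_bytes(ct1, ct2)
```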

Difficulties

The one-time pad offers complete security but, in practice, has two fundamental difficulties:

There is the practical problem of making large quantities of random keys

Any heavily used system might require millions of random characters on a regular basis

Mammoth key distribution problem

For every message to be sent, a key of equal length is needed by both sender and receiver

Because of these difficulties, the one-time pad is of limited utility

Useful primarily for low-bandwidth channels requiring very high security

The one-time pad is the only cryptosystem that exhibits perfect secrecy (see Appendix F)

In theory, we need look no further for a cipher. The one-time pad offers complete security but, in practice, has two fundamental difficulties:

1. There is the practical problem of making large quantities of random keys. Any heavily used system might require millions of random characters on a regular basis. Supplying truly random characters in this volume is a significant task.

2. Even more daunting is the problem of key distribution and protection. For every message to be sent, a key of equal length is needed by both sender and receiver. Thus, a mammoth key distribution problem exists.

Because of these difficulties, the one-time pad is of limited utility and is useful primarily for low-bandwidth channels requiring very high security.

The one-time pad is the only cryptosystem that exhibits what is referred to as perfect secrecy. This concept is explored in Appendix B.

Rail Fence Cipher

Simplest transposition cipher

Plaintext is written down as a sequence of diagonals and then read off as a sequence of rows

To encipher the message “meet me after the toga party” with a rail fence of depth 2, we would write:

m e m a t r h t g p r y

e t e f e t e o a a t

Encrypted message is:

MEMATRHTGPRYETEFETEOAAT

All the techniques examined so far involve the substitution of a ciphertext symbol for a plaintext symbol. A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher.

The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. For example, to encipher the message “meet me after the toga party” with a rail fence of depth 2, we write the following:

m e m a t r h t g p r y
 e t e f e t e o a a t

The encrypted message is

MEMATRHTGPRYETEFETEOAAT

Row Transposition Cipher

Is a more complex transposition

Write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns

The order of the columns then becomes the key to the algorithm

Key: 4 3 1 2 5 6 7

Plaintext: a t t a c k p

o s t p o n e

d u n t i l t

w o a m x y z

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

A more complex scheme is to write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns. The order of the columns then becomes the key to the algorithm. For example,

Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

Thus, in this example, the key is 4312567. To encrypt, start with the column that is labeled 1, in this case column 3. Write down all the letters in that column. Proceed to column 4, which is labeled 2, then column 2, then column 1, then columns 5, 6, and 7.

A pure transposition cipher is easily recognized because it has the same letter frequencies as the original plaintext. For the type of columnar transposition just shown, cryptanalysis is fairly straightforward and involves laying out the ciphertext in a matrix and playing around with column positions. Digram and trigram frequency tables can be useful.

The transposition cipher can be made significantly more secure by performing more than one stage of transposition. The result is a more complex permutation that is not easily reconstructed.
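Rail fence, row transposition with the text's key 4312567 and its inverse, a two-stage transposition, and the letter-frequency check that exposes a pure transposition, as an added Python example (not from the slides); messages and key are the text's own:

```python
"""Rail fence and row (columnar) transposition, plus the letter-histogram
test that makes a pure transposition easy to recognise.  Added example,
not from the slides."""
from collections import Counter


def _clean(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch.isalpha())


def rail_fence_encrypt(plaintext: str, depth: int = 2) -> str:
    """Write the letters zig-zag over `depth` rails, then read rail by rail."""
    pt = _clean(plaintext)
    rails = [[] for _ in range(depth)]
    row, step = 0, 1
    for ch in pt:
        rails[row].append(ch)
        if depth > 1:
            if row == 0:
                step = 1
            elif row == depth - 1:
                step = -1
            row += step
    return "".join("".join(r) for r in rails).upper()


def _column_order(key: str) -> list:
    """Column indexes in the order they are read: the column labelled 1 first."""
    return sorted(range(len(key)), key=lambda i: int(key[i]))


def row_transposition_encrypt(plaintext: str, key: str) -> str:
    """Write row by row into len(key) columns, read the columns in key order.
    The message must fill the rectangle, as in the text's example (it pads
    with x y z); an incomplete last row is rejected rather than guessed at."""
    pt = _clean(plaintext)
    ncols = len(key)
    if len(pt) % ncols:
        raise ValueError("message must fill the rectangle")
    cols = [pt[i::ncols] for i in range(ncols)]
    return "".join(cols[i] for i in _column_order(key)).upper()


def row_transposition_decrypt(ciphertext: str, key: str) -> str:
    """Cut the ciphertext into column-length pieces, put each back into the
    column it was read from, and read the rectangle row by row."""
    ct = _clean(ciphertext)
    ncols = len(key)
    nrows = len(ct) // ncols
    cols = [""] * ncols
    for k, col_index in enumerate(_column_order(key)):
        cols[col_index] = ct[k * nrows:(k + 1) * nrows]
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols))


def double_transposition_encrypt(plaintext: str, key: str) -> str:
    """Two stages with the same key: the text's 'more than one stage' variant,
    whose composite permutation is no longer a plain column shuffle."""
    return row_transposition_encrypt(row_transposition_encrypt(plaintext, key), key)


def double_transposition_decrypt(ciphertext: str, key: str) -> str:
    return row_transposition_decrypt(row_transposition_decrypt(ciphertext, key), key)


def same_letter_histogram(plaintext: str, ciphertext: str) -> bool:
    """A pure transposition preserves the plaintext letter frequencies exactly,
    which is how a cryptanalyst recognises it; substitution ciphers do not."""
    return Counter(_clean(plaintext)) == Counter(_clean(ciphertext))
```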

Summary

Present an overview of the main concepts of symmetric cryptography

Explain the difference between cryptanalysis and brute-force attack

Understand the operation of a monoalphabetic substitution cipher

Understand the operation of a polyalphabetic cipher

Present an overview of the Hill cipher

Chapter 3 summary.


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 2

Introduction to Number Theory


Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 2 – “Introduction to Number Theory”.

Number theory is pervasive in cryptographic algorithms. This chapter provides sufficient breadth and depth of coverage of relevant number theory topics for understanding the wide range of applications in cryptography. The reader familiar with these topics can safely skip this chapter.

The first three sections introduce basic concepts from number theory that are needed for understanding finite fields; these include divisibility, the Euclidian algorithm, and modular arithmetic. The reader may study these sections now or wait until ready to tackle Chapter 5 on finite fields.

Sections 2.4 through 2.8 discuss aspects of number theory related to prime numbers and discrete logarithms. These topics are fundamental to the design of asymmetric (public-key) cryptographic algorithms. The reader may study these sections now or wait until ready to read Part Three.

The concepts and techniques of number theory are quite abstract, and it is often difficult to grasp them intuitively without examples. Accordingly, this chapter includes a number of examples, each of which is highlighted in a shaded box.


Learning Objectives 1 of 2

Understand the concept of divisibility and the division algorithm.

Understand how to use the Euclidean algorithm to find the greatest common divisor.

Present an overview of the concepts of modular arithmetic.

Explain the operation of the extended Euclidean algorithm.

Discuss key concepts relating to prime numbers.


Learning Objectives 2 of 2

Understand Fermat’s theorem.

Understand Euler’s theorem.

Define Euler’s totient function.

Make a presentation on the topic of testing for primality.

Explain the Chinese remainder theorem.

Define discrete logarithms


Divisibility

We say that a nonzero b divides a if a = mb for some m, where a, b, and m are integers

b divides a if there is no remainder on division

The notation b | a is commonly used to mean b divides a

If b | a we say that b is a divisor of a

The positive divisors of 24 are 1, 2, 3, 4, 6, 8, 12, and 24

13 | 182; −5 | 30; 17 | 289; −3 | 33; 17 | 0


We say that a nonzero b divides a if a=mb for some m, where a, b, and m are integers. That is, b divides a if there is no remainder on division.

The notation b | a is commonly used to mean b divides a . Also, if b | a , we say that b is a divisor of a .


Properties of Divisibility (1 of 2)

If a | 1, then a = ±1

If a | b and b | a, then a = ±b

Any b ≠ 0 divides 0

If a | b and b | c, then a | c

11 | 66 and 66 | 198 ⇒ 11 | 198

If b | g and b | h, then b | (mg + nh) for arbitrary integers m and n


Subsequently, we will need some simple properties of divisibility for integers, which are as follows:

• If a|1, then a = ±1.

• If a|b and b|a, then a = ±b.

• Any b ≠ 0 divides 0.

• If a | b and b | c, then a | c

• If b|g and b|h, then b|(mg + nh) for arbitrary integers m and n.


Properties of Divisibility (2 of 2)

To see this last point, note that:

If b | g , then g is of the form g = b * g1 for some integer g1

If b | h , then h is of the form h = b * h1 for some integer h1

So:

mg + nh = mbg1 + nbh1 = b * (mg1 + nh1 )

and therefore b divides mg + nh

b = 7; g = 14; h = 63; m = 3; n = 2

7 | 14 and 7 | 63.

To show 7 | (3 * 14 + 2 * 63),

we have (3 * 14 + 2 * 63) = 7(3 * 2 + 2 * 9),

and it is obvious that 7 | (7(3 * 2 + 2 * 9)).


To see this last point, note that

• If b | g , then g is of the form g = b * g1 for some integer g1 .

• If b | h , then h is of the form h = b * h1 for some integer h1 .

So

mg + nh = mbg1 + nbh1 = b * (mg1 + nh1 )

and therefore b divides mg + nh .


Division Algorithm

Given any positive integer n and any nonnegative integer a, if we divide a by n we get an integer quotient q and an integer remainder r that obey the following relationship:

a = qn + r

0 ≤ r < n; q = ⌊a/n⌋

Given any positive integer n and any nonnegative integer a, if we divide a by n, we get an integer quotient q and an integer remainder r that obey the following relationship:

a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋

which is referred to as the division algorithm.

Figure 2.1 The Relationship a = qn + r; 0 ≤ r < n

Figure 2.1a demonstrates that, given a and positive n, it is always possible to find q and r that satisfy the preceding relationship. Represent the integers on the number line; a will fall somewhere on that line (positive a is shown, a similar demonstration can be made for negative a). Starting at 0, proceed to n, 2n, up to qn such that qn ≤ a and (q + 1)n > a. The distance from qn to a is r, and we have found the unique values of q and r. The remainder r is often referred to as a residue .

For example:

a = 11; n = 7; 11 = 1 × 7 + 4; r = 4, q = 1
a = −11; n = 7; −11 = (−2) × 7 + 3; r = 3, q = −2

Figure 2.1b provides another example.

Euclidean Algorithm

One of the basic techniques of number theory

Procedure for determining the greatest common divisor of two positive integers

Two integers are relatively prime if their only common positive integer factor is 1

One of the basic techniques of number theory is the Euclidean algorithm, which is a simple procedure for determining the greatest common divisor of two positive integers. First, we need a simple definition: Two integers are relatively prime if their only common positive integer factor is 1.

Greatest Common Divisor (GCD)

The greatest common divisor of a and b is the largest integer that divides both a and b

We can use the notation gcd(a,b) to mean the greatest common divisor of a and b

We also define gcd(0,0) = 0

Positive integer c is said to be the gcd of a and b if:

c is a divisor of a and b

Any divisor of a and b is a divisor of c

An equivalent definition is:

gcd(a,b) = max[k, such that k | a and k | b]

Recall that nonzero b is defined to be a divisor of a if a = mb for some m, where a, b, and m are integers. We will use the notation gcd(a, b) to mean the greatest common divisor of a and b. The greatest common divisor of a and b is the largest integer that divides both a and b. We also define gcd(0, 0) = 0.

More formally, the positive integer c is said to be the greatest common divisor of a and b if

1. c is a divisor of a and of b.
2. Any divisor of a and b is a divisor of c.

An equivalent definition is the following:

gcd(a, b) = max[k, such that k | a and k | b]

GCD

Because we require that the greatest common divisor be positive, gcd(a,b) = gcd(a, −b) = gcd(−a,b) = gcd(−a, −b)

In general, gcd(a,b) = gcd(| a |, | b |)

gcd(60, 24) = gcd(60, − 24) = 12

Also, because all nonzero integers divide 0, we have gcd(a,0) = | a |

We stated that two integers a and b are relatively prime if their only common positive integer factor is 1; this is equivalent to saying that a and b are relatively prime if gcd(a,b) = 1

8 and 15 are relatively prime because the positive divisors of 8 are 1, 2, 4, and 8, and the positive divisors of 15 are 1, 3, 5, and 15. So 1 is the only integer on both lists.

Because we require that the greatest common divisor be positive, gcd(a, b) = gcd(a, −b) = gcd(−a, b) = gcd(−a, −b). In general, gcd(a, b) = gcd(|a|, |b|). Also, because all nonzero integers divide 0, we have gcd(a, 0) = |a|.

We stated that two integers a and b are relatively prime if their only common positive integer factor is 1. This is equivalent to saying that a and b are relatively prime if gcd(a, b) = 1.

Figure 2.2 Euclidean Algorithm

We now describe an algorithm credited to Euclid for easily finding the greatest common divisor of two integers (Figure 2.2). This algorithm has broad significance in cryptography.

Figure 2.3 Euclidean Algorithm Example: gcd(710, 310)

We can find the greatest common divisor of two integers by repetitive application of the division algorithm. This scheme is known as the Euclidean algorithm. Figure 2.3 illustrates a simple example.

Table 2.1 Euclidean Algorithm Example

In this example, we begin by dividing 1160718174 by 316258250, which gives 3 with a remainder of 211943424. Next we take 316258250 and divide it by 211943424. The process continues until we get a remainder of 0, yielding a result of 1078.

Modular Arithmetic (1 of 3)

The modulus

If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n; the integer n is called the modulus

Thus, for any integer a:

a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
a = ⌊a/n⌋ × n + (a mod n)
11 mod 7 = 4; −11 mod 7 = 3

If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n. The integer n is called the modulus. Thus, for any integer a:
a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
a = ⌊a/n⌋ × n + (a mod n)
Modular Arithmetic (2 of 3)
Congruent modulo n
Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n)
This is written as a ≡ b (mod n)
Note that if a ≡ 0 (mod n), then n | a
73 ≡ 4 (mod 23); 21 ≡ −9 (mod 10)

Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n). This is written as a ≡ b (mod n). Note that if a ≡ 0 (mod n), then n | a.
Properties of Congruences
Congruences have the following properties:
1. a ≡ b (mod n) if n | (a − b)
2. a ≡ b (mod n) implies b ≡ a (mod n)
3. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)

To demonstrate the first point, if n | (a − b), then (a − b) = kn for some k. So we can write a = b + kn. Therefore, (a mod n) = (remainder when b + kn is divided by n) = (remainder when b is divided by n) = (b mod n).

23 ≡ 8 (mod 5) because 23 − 8 = 15 = 5 × 3
−11 ≡ 5 (mod 8) because −11 − 5 = −16 = 8 × (−2)
81 ≡ 0 (mod 27) because 81 − 0 = 81 = 27 × 3
Modular Arithmetic (3 of 3)
Modular arithmetic exhibits the following properties:
1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) − (b mod n)] mod n = (a − b) mod n
3. [(a mod n) × (b mod n)] mod n = (a × b) mod n

We demonstrate the first property. Define (a mod n) = ra and (b mod n) = rb. Then we can write a = ra + jn for some integer j and b = rb + kn for some integer k. Then:

(a + b) mod n = (ra + jn + rb + kn) mod n
              = (ra + rb + (k + j)n) mod n
              = (ra + rb) mod n
              = [(a mod n) + (b mod n)] mod n
Remaining Properties
Examples of the three remaining properties:
11 mod 8 = 3; 15 mod 8 = 7
[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2
(11 + 15) mod 8 = 26 mod 8 = 2
[(11 mod 8) − (15 mod 8)] mod 8 = − 4 mod 8 = 4
(11 − 15) mod 8 = − 4 mod 8 = 4
[(11 mod 8) * (15 mod 8)] mod 8 = 21 mod 8 = 5
(11 * 15) mod 8 = 165 mod 8 = 5
The remaining properties are proven as easily. Here are examples of the three properties.
Table 2.2 (a) Arithmetic Modulo 8
Table 2.2a and Table 2.2b provide an illustration of modular addition and multiplication modulo 8. Looking at addition, the results are straightforward, and there is a regular pattern to the matrix. Both matrices are symmetric about the main diagonal in conformance to the commutative property of addition and multiplication.
Table 2.2 (b) Multiplication Modulo 8
Similarly, the entries in the multiplication table are straightforward. In ordinary arithmetic, there is a multiplicative inverse, or reciprocal, to each integer. In modular arithmetic mod 8, the multiplicative inverse of x is the integer y such that (x × y) mod 8 = 1 mod 8. Now, to find the multiplicative inverse of an integer from the multiplication table, scan across the matrix in the row for that integer to find the value 1; the integer at the top of that column is the multiplicative inverse; thus, (3 × 3) mod 8 = 1. Note that not all integers mod 8 have a multiplicative inverse; more about that later.
Table 2.2 (c) Additive and Multiplicative Inverse Modulo 8
As in ordinary addition, there is an additive inverse, or negative, to each integer in modular arithmetic. In this case, the negative of an integer x is the integer y such that (x + y) mod 8 = 0. To find the additive inverse of an integer in the left-hand column, scan across the corresponding row of the matrix to find the value 0; the integer at the top of that column is the additive inverse; thus, (2 + 6) mod 8 = 0.
Table 2.3 Properties of Modular Arithmetic for Integers in Zn
Property               Expression
Commutative Laws       (w + x) mod n = (x + w) mod n
                       (w × x) mod n = (x × w) mod n
Associative Laws       [(w + x) + y] mod n = [w + (x + y)] mod n
                       [(w × x) × y] mod n = [w × (x × y)] mod n
Distributive Law       [w × (x + y)] mod n = [(w × x) + (w × y)] mod n
Identities             (0 + w) mod n = w mod n
                       (1 × w) mod n = w mod n
Additive Inverse (−w)  For each w ∈ Zn, there exists a z such that w + z ≡ 0 mod n

If we perform modular arithmetic within Zn, the properties shown in Table 2.3 hold for integers in Zn. We show in the next section that this implies that Zn is a commutative ring with a multiplicative identity element.

In general, an integer has a multiplicative inverse in Zn if that integer is relatively prime to n. Table 2.2c in the text shows that the integers 1, 3, 5, and 7 have a multiplicative inverse in Z8, but 2, 4, and 6 do not.
Table 2.4 Extended Euclidean Algorithm Example
 i     r_i   q_i    x_i    y_i
−1    1759            1      0
 0     550            0      1
 1     109     3      1     −3
 2       5     5     −5     16
 3       4    21    106   −339
 4       1     1   −111    355
 5       0     4

Result: d = 1; x = −111; y = 355

Example of the Extended Euclidean Algorithm.
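The division algorithm, Euclid's algorithm on the Table 2.1 numbers, and the extended Euclidean algorithm tracking the (x_i, y_i) columns of Table 2.4, as an added Python example (not from the slides); the modular-inverse function is an addition showing what the coefficients are used for:

```python
"""Division algorithm, Euclidean algorithm and extended Euclidean algorithm,
reproducing the text's worked values (Table 2.1 and Table 2.4).  Added
example, not from the slides."""


def division_algorithm(a: int, n: int) -> tuple:
    """Return (q, r) with a = q*n + r and 0 <= r < n, the text's convention.
    Python's divmod floors, so -11 = (-2)*7 + 3 as in the text; C's / and %
    truncate toward zero and would give q = -1, r = -4, a porting pitfall
    for any code that relies on the residue being non-negative."""
    if n <= 0:
        raise ValueError("modulus n must be positive")
    q, r = divmod(a, n)
    assert a == q * n + r and 0 <= r < n
    return q, r


def gcd(a: int, b: int) -> int:
    """Euclidean algorithm: apply the division algorithm repeatedly until the
    remainder is 0; the last nonzero remainder is the gcd.  Signs are dropped
    first (gcd(a, b) = gcd(|a|, |b|)) and gcd(0, 0) = 0 as the text defines."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, division_algorithm(a, b)[1]
    return a


def extended_gcd(a: int, b: int) -> tuple:
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y, updating the
    coefficient pairs exactly as rows i = -1, 0, 1, ... of Table 2.4:
    x_i = x_(i-2) - q_i * x_(i-1), and likewise for y_i."""
    x_prev, x = 1, 0          # rows i = -1 and i = 0
    y_prev, y = 0, 1
    r_prev, r = a, b
    while r:
        q, rem = division_algorithm(r_prev, r)
        r_prev, r = r, rem
        x_prev, x = x, x_prev - q * x
        y_prev, y = y, y_prev - q * y
    return r_prev, x_prev, y_prev


def mod_inverse(a: int, n: int) -> int:
    """Multiplicative inverse of a modulo n, which exists only when
    gcd(a, n) = 1 (Table 2.2c: 3 has an inverse mod 8, 2 does not).
    From a*x + n*y = 1 it follows that a*x ≡ 1 (mod n)."""
    d, x, _ = extended_gcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {d}")
    return x % n
```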
Prime Numbers
Prime numbers only have divisors of 1 and itself
They cannot be written as a product of other numbers
Prime numbers are central to number theory
Any integer a > 1 can be factored in a unique way as

a = p1^a1 × p2^a2 × ... × pt^at

where p1 < p2 < ... < pt are prime numbers and where each ai is a positive integer
This is known as the fundamental theorem of arithmetic

An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p. Prime numbers play a critical role in number theory and in the techniques discussed in this chapter.

Any integer a > 1 can be factored in a unique way as

a = p1^a1 × p2^a2 × ... × pt^at

where p1 < p2 < ... < pt are prime numbers and where each ai is a positive integer. This is known as the fundamental theorem of arithmetic; a proof can be found in any text on number theory.
Table 2.5 Primes Under 2000
Table 2.5 shows the primes less than 2000. Note the way the primes are distributed. In particular, note the number of primes in each range of 100 numbers.
Fermat’s Theorem
States the following:
If p is prime and a is a positive integer not divisible by p then
a^(p−1) ≡ 1 (mod p)
An alternate form is:
If p is prime and a is a positive integer then
a^p ≡ a (mod p)

Two theorems that play important roles in public-key cryptography are Fermat’s theorem and Euler’s theorem.

Fermat’s theorem states the following: If p is prime and a is a positive integer not divisible by p, then

a^(p−1) ≡ 1 (mod p)

An alternative form of Fermat’s theorem is also useful: If p is prime and a is a positive integer, then

a^p ≡ a (mod p)
Table 2.6 Some Values of Euler’s Totient Function ø(n)
n   ø(n)     n   ø(n)     n   ø(n)
1    1      11   10      21   12
2    1      12    4      22   10
3    2      13   12      23   22
4    2      14    6      24    8
5    4      15    8      25   20
6    2      16    8      26   12
7    6      17   16      27   18
8    4      18    6      28   12
9    6      19   18      29   28
10   4      20    8      30    8

Before presenting Euler’s theorem, we need to introduce an important quantity in number theory, referred to as Euler’s totient function, written ø(n), and defined as the number of positive integers less than n and relatively prime to n. By convention, ø(1) = 1.

Table 2.6 lists the first 30 values of ø(n). The value ø(1) is without meaning but is defined to have the value 1.

It should be clear that, for a prime number p,

ø(p) = p − 1
Euler’s Theorem
States that for every a and n that are relatively prime:
a^ø(n) ≡ 1 (mod n)
An alternate form is:
a^(ø(n)+1) ≡ a (mod n)

Euler’s theorem states that for every a and n that are relatively prime:

a^ø(n) ≡ 1 (mod n)

As is the case for Fermat’s theorem, an alternative form of the theorem is also useful:

a^(ø(n)+1) ≡ a (mod n)
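Factorisation by the fundamental theorem of arithmetic, ø(n) computed both from the definition and from the factorisation, and numeric checks of Fermat's and Euler's theorems, as an added Python example (not from the slides); the values it verifies are the ones the text states:

```python
"""Prime factorisation, Euler's totient function, and numeric checks of
Fermat's and Euler's theorems.  Added example, not from the slides."""
from math import gcd


def factorize(a: int) -> dict:
    """a = p1^a1 * p2^a2 * ... * pt^at, returned as {p_i: a_i}, by trial
    division.  Fine for small a; for numbers of RSA size this is exactly the
    problem that is believed to be infeasible."""
    if a < 2:
        raise ValueError("factorisation is defined for integers a > 1")
    factors, p = {}, 2
    while p * p <= a:
        while a % p == 0:
            factors[p] = factors.get(p, 0) + 1
            a //= p
        p += 1
    if a > 1:                       # whatever is left is itself prime
        factors[a] = factors.get(a, 0) + 1
    return factors


def totient_by_counting(n: int) -> int:
    """Straight from the definition: the number of positive integers less
    than n that are relatively prime to n, with ø(1) = 1 by convention."""
    if n == 1:
        return 1
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)


def totient(n: int) -> int:
    """ø(n) = n * prod(1 - 1/p) over the distinct primes p dividing n,
    computed from the factorisation; agrees with totient_by_counting and
    gives ø(p) = p - 1 for a prime p."""
    if n == 1:
        return 1
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result


def fermat_holds(a: int, p: int) -> bool:
    """a^(p-1) ≡ 1 (mod p) for prime p and a not divisible by p.
    pow(a, e, m) is Python's built-in fast modular exponentiation."""
    if a % p == 0:
        raise ValueError("a must not be divisible by p")
    return pow(a, p - 1, p) == 1


def euler_holds(a: int, n: int) -> bool:
    """Both forms of Euler's theorem for gcd(a, n) = 1:
    a^ø(n) ≡ 1 (mod n) and a^(ø(n)+1) ≡ a (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be relatively prime")
    phi = totient(n)
    return pow(a, phi, n) == 1 % n and pow(a, phi + 1, n) == a % n
```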
Miller-Rabin Algorithm
Typically used to test a large number for primality
Algorithm is:
TEST (n)
  Find integers k, q, with k > 0, q odd, so that (n − 1) = 2^k q;
  Select a random integer a, 1 < a < n − 1;
  if a^q mod n = 1 then return ("inconclusive");
  for j = 0 to k − 1 do
    if (a^(2^j q) mod n = n − 1) then return ("inconclusive");
  return ("composite");

The algorithm due to Miller and Rabin [MILL75, RABI80] is typically used to test a large number for primality. The procedure TEST takes a candidate integer n as input and returns the result composite if n is definitely not a prime, and the result inconclusive if n may or may not be a prime.

How can we use the Miller-Rabin algorithm to determine with a high degree of confidence whether or not an integer is prime? It can be shown [KNUT98] that given an odd number n that is not prime and a randomly chosen integer a with 1 < a < n − 1, the probability that TEST will return inconclusive (i.e., fail to detect that n is not prime) is less than 1/4. Thus, if t different values of a are chosen, the probability that all of them will pass TEST (return inconclusive) for n is less than (1/4)^t. For example, for t = 10, the probability that a nonprime number will pass all ten tests is less than 10^−6. Thus, for a sufficiently large value of t, we can be confident that n is prime if Miller’s test always returns inconclusive.

This gives us a basis for determining whether an odd integer n is prime with a reasonable degree of confidence. The procedure is as follows: Repeatedly invoke TEST(n) using randomly chosen values for a. If, at any point, TEST returns composite, then n is determined to be nonprime. If TEST continues to return inconclusive for t tests, then for a sufficiently large value of t, assume that n is prime.
Deterministic Primality Algorithm
Prior to 2002 there was no known method of efficiently proving the primality of very large numbers
All of the algorithms in use produced a probabilistic result
In 2002 Agrawal, Kayal, and Saxena developed an algorithm that efficiently determines whether a given large number is prime
Known as the AKS algorithm
Does not appear to be as efficient as the Miller-Rabin algorithm
Prior to 2002, there was no known method of efficiently proving the primality of very large numbers. All of the algorithms in use, including the most popular (Miller-Rabin), produced a probabilistic result. In 2002 (announced in 2002, published in 2004), Agrawal, Kayal, and Saxena [AGRA04] developed a relatively simple deterministic algorithm that efficiently determines whether a given large number is a prime. The algorithm, known as the AKS algorithm, does not appear to be as efficient as the Miller-Rabin algorithm. Thus far, it has not supplanted this older, probabilistic technique.
Chinese Remainder Theorem (CRT)
Believed to have been discovered by the Chinese mathematician Sun-Tsu in around 100 A.D.
One of the most useful results of number theory
Says it is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli
Can be stated in several ways
Provides a way to manipulate (potentially very large) numbers mod M in terms of tuples of smaller numbers
This can be useful when M is 150 digits or more
However, it is necessary to know beforehand the factorization of M
One of the most useful results of number theory is the Chinese remainder theorem (CRT). In essence, the CRT says it is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli. The CRT can be stated in several ways. We present here a formulation that is most useful from the point of view of this text. An alternative formulation is explored in Problem 2.33.

One of the useful features of the Chinese remainder theorem is that it provides a way to manipulate (potentially very large) numbers mod M in terms of tuples of smaller numbers. This can be useful when M is 150 digits or more. However, note that it is necessary to know beforehand the factorization of M.
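Reconstructing an integer from its residues and doing mod-M arithmetic on the residue tuples, as an added Python example (not from the slides); the moduli (3, 5, 7) and (37, 49) and the sample values are constructed here, and pow(x, -1, m) for the modular inverse needs Python 3.8 or later:

```python
"""Chinese remainder theorem: recover x mod M from residues modulo pairwise
relatively prime moduli, and add or multiply mod M on residue tuples.
Added example, not from the slides; moduli and values are constructed."""
from math import gcd, prod


def _check_moduli(moduli) -> None:
    """The CRT needs pairwise relatively prime moduli; reject anything else."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not relatively prime")


def crt_reconstruct(residues, moduli) -> int:
    """Return the unique x in [0, M), M = m_1 * ... * m_k, with x ≡ r_i (mod m_i)
    for every i.  With M_i = M / m_i and c_i = M_i * (M_i^-1 mod m_i), each c_i is
    1 mod m_i and 0 mod every other modulus, so x = sum(r_i * c_i) mod M."""
    if len(residues) != len(moduli):
        raise ValueError("need exactly one residue per modulus")
    _check_moduli(moduli)
    M = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        M_i = M // m
        x += r * M_i * pow(M_i, -1, m)   # pow(.., -1, m): modular inverse (3.8+)
    return x % M


def to_residues(x: int, moduli) -> tuple:
    """The tuple representation of x: (x mod m_1, ..., x mod m_k)."""
    return tuple(x % m for m in moduli)


def crt_add(ra, rb, moduli) -> tuple:
    """Componentwise addition; reconstructs to (a + b) mod M."""
    return tuple((a + b) % m for a, b, m in zip(ra, rb, moduli))


def crt_mul(ra, rb, moduli) -> tuple:
    """Componentwise multiplication; reconstructs to (a * b) mod M, so large
    numbers mod M are handled entirely as tuples of small numbers."""
    return tuple((a * b) % m for a, b, m in zip(ra, rb, moduli))
```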
Table 2.7 Powers of Integers, Modulo 19
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Table 2.7 shows all the powers of a, modulo 19 for all positive a < 19. The length of the sequence for each base value is indicated by shading. Note the following:
1. All sequences end in 1. This is consistent with the reasoning of the preceding few paragraphs.
2. The length of a sequence divides φ(19) = 18. That is, an integral number of sequences occur in each row of the table.
3. Some of the sequences are of length 18. In this case, it is said that the base integer a generates (via powers) the set of nonzero integers modulo 19. Each such integer is called a primitive root of the modulus 19.
More generally, we can say that the highest possible exponent to which a number can belong (mod n) is φ(n). If a number is of this order, it is referred to as a primitive root of n. The importance of this notion is that if a is a primitive root of n, then its powers
a, a^2, ..., a^φ(n)
are distinct (mod n) and are all relatively prime to n. In particular, for a prime number p, if a is a primitive root of p, then
a, a^2, ..., a^(p-1)
are distinct (mod p). For the prime number 19, its primitive roots are 2, 3, 10, 13, 14, and 15.
Not all integers have primitive roots. In fact, the only integers with primitive roots are those of the form 2, 4, p^a, and 2p^a, where p is any odd prime and a is a positive integer. The proof is not simple but can be found in many number theory books, including [ORE76].
Table 2.8 Tables of Discrete Logarithms, Modulo 19 (1 of 2)
Table 2.8, which is directly derived from Table 2.7, shows the sets of discrete
logarithms that can be defined for modulus 19.
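
As an added example, not part of the slides or the textbook: Python that recomputes the rows of Table 2.7, the primitive roots of 19, and the discrete-logarithm column of Table 2.8 for a chosen base. It goes one step beyond the tables by working for any modulus n, so the remark above that only 2, 4, p^a and 2p^a have primitive roots can be checked directly (8 has none, 9 has two).

```python
# Added example (not from the slides or the textbook): powers, primitive roots and
# discrete logarithms for a general modulus n; Tables 2.7 and 2.8 are the case n = 19.
from math import gcd


def euler_phi(n):
    """Euler's totient by direct count; adequate for the small moduli used here."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def power_sequence(a, n):
    """a^1, a^2, ... (mod n) up to and including the first 1: one row of Table 2.7.
    Requires gcd(a, n) == 1; otherwise the powers never return to 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not relatively prime to {n}")
    seq, x = [], 1
    while True:
        x = (x * a) % n
        seq.append(x)
        if x == 1:
            return seq


def multiplicative_order(a, n):
    """The exponent to which a belongs (mod n): the sequence length. Always divides phi(n)."""
    return len(power_sequence(a, n))


def primitive_roots(n):
    """Every a in [1, n) whose order is phi(n), i.e. whose powers generate all units mod n.
    Empty unless n is 2, 4, p^a or 2p^a for an odd prime p."""
    phi = euler_phi(n)
    return [a for a in range(1, n)
            if gcd(a, n) == 1 and multiplicative_order(a, n) == phi]


def discrete_log_table(g, p):
    """dlog_{g,p}(y) for every y in [1, p): the column of Table 2.8 for base g.
    Only a primitive root yields a total table, so that is checked first."""
    if multiplicative_order(g, p) != p - 1:
        raise ValueError(f"{g} is not a primitive root of {p}")
    table, x = {}, 1
    for i in range(1, p):          # g^i for i = 1..p-1; g^(p-1) = 1, so dlog(1) = p-1
        x = (x * g) % p
        table[x] = i
    return table


if __name__ == "__main__":
    for a in range(1, 19):                       # the rows of Table 2.7
        print(f"{a:2d}: {power_sequence(a, 19)}")
    print("primitive roots of 19:", primitive_roots(19))          # [2, 3, 10, 13, 14, 15]
    print("dlog_2,19(18) =", discrete_log_table(2, 19)[18])        # 9, since 2^9 = 18 (mod 19)
    print("primitive roots of 8:", primitive_roots(8), "of 9:", primitive_roots(9))
```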
Table 2.8 Tables of Discrete Logarithms, Modulo 19 (2 of 2)
Summary
Understand the concept of divisibility and the division algorithm
Understand how to use the Euclidean algorithm to find the greatest common divisor
Present an overview of the concepts of modular arithmetic
Explain the operation of the extended Euclidean algorithm
Discuss key concepts relating to prime numbers
Understand Fermat’s theorem
Understand Euler’s theorem
Define Euler’s totient function
Make a presentation on the topic of testing for primality
Explain the Chinese remainder theorem
Define discrete logarithms
Chapter 2 summary.
Copyright
This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.
Cryptography and Network Security: Principles and Practice
Eighth Edition
Chapter 4
Block Ciphers and the Data Encryption Standard

Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 4 – “Block Ciphers and the Data Encryption Standard”.

The objective of this chapter is to illustrate the principles of modern symmetric ciphers. For this purpose, we focus on the most widely used symmetric cipher: the Data Encryption Standard (DES). Although numerous symmetric ciphers have been developed since the introduction of DES, and although it is destined to be replaced by the Advanced Encryption Standard (AES), DES remains the most important such algorithm. Furthermore, a detailed study of DES provides an understanding of the principles used in other symmetric ciphers.

This chapter begins with a discussion of the general principles of symmetric block ciphers, which are the principal type of symmetric ciphers studied in this book. The other form of symmetric cipher, the stream cipher, is discussed in Chapter 8. Next, we cover full DES. Following this look at a specific algorithm, we return to a more general discussion of block cipher design.

Several important symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher [FEIS73]. For that reason, it is important to examine the design principles of the Feistel cipher. We begin with a comparison of stream ciphers and block ciphers. Then we discuss the motivation for the Feistel block cipher structure. Finally, we discuss some of its implications.

Learning Objectives
Understand the distinction between stream ciphers and block ciphers.
Present an overview of the Feistel cipher and explain how decryption is the inverse of encryption.
Present an overview of Data Encryption Standard (DES).
Explain the concept of the avalanche effect.
Discuss the cryptographic strength of DES.
Summarize the principal block cipher design principles.

Stream Cipher (1 of 2)
Encrypts a digital data stream one bit or one byte at a time
Examples:
Autokeyed Vigenère cipher
Vernam cipher
In the ideal case, a one-time pad version of the Vernam cipher would be used, in which the keystream is as long as the plaintext bit stream
If the cryptographic keystream is random, then this cipher is unbreakable by any means other than acquiring the keystream
Keystream must be provided to both users in advance via some independent and secure channel
This introduces insurmountable logistical problems if the intended data traffic is very large

A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher. In the ideal case, a one-time pad version of the Vernam cipher would be used (Figure 3.7), in which the keystream (k_i) is as long as the plaintext bit stream (p_i). If the cryptographic keystream is random, then this cipher is unbreakable by any means other than acquiring the keystream. However, the keystream must be provided to both users in advance via some independent and secure channel. This introduces insurmountable logistical problems if the intended data traffic is very large.

Accordingly, for practical reasons, the bit-stream generator must be implemented as an algorithmic procedure, so that the cryptographic bit stream can be produced by both users. In this approach (Figure 4.1a), the bit-stream generator is a key-controlled algorithm and must produce a bit stream that is cryptographically strong. That is, it must be computationally impractical to predict future portions of the bit stream based on previous portions of the bit stream. The two users need only share the generating key, and each can produce the keystream.

Stream Cipher (2 of 2)
For practical reasons the bit-stream generator must be implemented as an algorithmic procedure so that the cryptographic bit stream can be produced by both users
It must be computationally impractical to predict future portions of the bit stream based on previous portions of the bit stream
The two users need only share the generating key and each can produce the keystream

Block Cipher
A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length
Typically a block size of 64 or 128 bits is used
As with a stream cipher, the two users share a symmetric encryption key
The majority of network-based symmetric cryptographic applications make use of block ciphers

A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two users share a symmetric encryption key (Figure 4.1b). Using some of the modes of operation explained in Chapter 7, a block cipher can be used to achieve the same effect as a stream cipher.

Far more effort has gone into analyzing block ciphers. In general, they seem applicable to a broader range of applications than stream ciphers. The vast majority of network-based symmetric cryptographic applications make use of block ciphers. Accordingly, the concern in this chapter, and in our discussions throughout the book of symmetric encryption, will primarily focus on block ciphers.

Figure 4.1 Stream Cipher and Block Cipher

Examples of stream and block ciphers.

Figure 4.2 General n-bit-n-bit Block Substitution (shown with n = 4)

A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. There are 2^n possible different plaintext blocks and, for the encryption to be reversible (i.e., for decryption to be possible), each must produce a unique ciphertext block. Such a transformation is called reversible, or nonsingular. Figure 4.2 illustrates the logic of a general substitution cipher for n = 4. A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits.

Table 4.1 Encryption and Decryption Tables for Substitution Cipher of Figure 4.2

Plaintext  Ciphertext        Ciphertext  Plaintext
0000       1110              0000        1110
0001       0100              0001        0011
0010       1101              0010        0100
0011       0001              0011        1000
0100       0010              0100        0001
0101       1111              0101        1100
0110       1011              0110        1010
0111       1000              0111        1111
1000       0011              1000        0111
1001       1010              1001        1101
1010       0110              1010        1001
1011       1100              1011        0110
1100       0101              1100        1011
1101       1001              1101        0010
1110       0000              1110        0000
1111       0111              1111        0101

The encryption and decryption mappings can be defined by a tabulation, as shown in Table 4.1. This is the most general form of block cipher and can be used to define any reversible mapping between plaintext and ciphertext. Feistel refers to this as the ideal block cipher, because it allows for the maximum number of possible encryption mappings from the plaintext block [FEIS75].
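
As an added example, not part of the slides or the textbook: Table 4.1 as code. It checks that the 4-bit substitution is reversible (nonsingular), derives the decryption column from the encryption column and confirms it matches the table, and computes how many key bits an ideal n-bit block cipher would need to select one of its (2^n)! mappings, which is the reason the ideal cipher is impractical for n = 64.

```python
# Added example (not from the slides or the textbook): the ideal block cipher of
# Figure 4.2 / Table 4.1 as lookup tables, with the reversibility check and the
# key-size count that motivate the Feistel approximation.
from math import ceil, lgamma, log

# Encryption column of Table 4.1: index = plaintext nibble, value = ciphertext nibble.
ENC_TABLE = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# Decryption column of Table 4.1, as printed on the slide.
DEC_TABLE = [0xE, 0x3, 0x4, 0x8, 0x1, 0xC, 0xA, 0xF,
             0x7, 0xD, 0x9, 0x6, 0xB, 0x2, 0x0, 0x5]


def is_reversible(table, n):
    """Reversible (nonsingular): every one of the 2^n outputs occurs exactly once."""
    return sorted(table) == list(range(1 << n))


def invert(table):
    """Decryption table from an encryption table: dec[c] = p wherever enc[p] = c.
    Only meaningful when the table is reversible."""
    if not is_reversible(table, (len(table) - 1).bit_length()):
        raise ValueError("mapping is not reversible, so it has no inverse")
    dec = [0] * len(table)
    for p, c in enumerate(table):
        dec[c] = p
    return dec


def tables_consistent():
    """True if the decryption column of Table 4.1 really is the inverse of the encryption column."""
    return invert(ENC_TABLE) == DEC_TABLE


def substitute(table, data):
    """Apply the 4-bit mapping to the high and low nibble of every byte."""
    return bytes((table[b >> 4] << 4) | table[b & 0xF] for b in data)


def ideal_key_bits(n):
    """Bits needed to name one of the (2^n)! reversible mappings: ceil(log2((2^n)!)).
    Uses lgamma so it works for n = 64, where the factorial itself cannot be formed."""
    return ceil(lgamma((1 << n) + 1) / log(2))


if __name__ == "__main__":
    print("Table 4.1 consistent:", tables_consistent())          # True
    ct = substitute(ENC_TABLE, b"\x01\x23")                      # constructed input
    print(ct.hex(), substitute(DEC_TABLE, ct).hex())             # e4d1 0123
    print("key bits, n=4:", ideal_key_bits(4))                   # 45
    print("key bits, n=64:", ideal_key_bits(64))                 # far more than 2^64
```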

Feistel Cipher
Feistel proposed the use of a cipher that alternates substitutions and permutations
Substitutions
Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements
Permutation
No elements are added or deleted or replaced in the sequence, rather the order in which the elements appear in the sequence is changed
Is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions
Is the structure used by many significant symmetric block ciphers currently in use

Feistel proposed [FEIS73] that we can approximate the ideal block cipher by utilizing the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers. The essence of the approach is to develop a block cipher with a key length of k bits and a block length of n bits, allowing a total of 2^k possible transformations, rather than the (2^n)! transformations available with the ideal block cipher.

In particular, Feistel proposed the use of a cipher that alternates substitutions and permutations, where these terms are defined as follows:
• Substitution: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a permutation of that sequence. That is, no elements are added or deleted or replaced in the sequence, rather the order in which the elements appear in the sequence is changed.

In fact, Feistel’s is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions [SHAN49]. We look next at these concepts of diffusion and confusion and then present the Feistel cipher. But first, it is worth commenting on this remarkable fact: The Feistel cipher structure, which dates back over a quarter century and which, in turn, is based on Shannon’s proposal of 1945, is the structure used by many significant symmetric block ciphers currently in use.

In particular, the Feistel structure is used for Triple Data Encryption Algorithm (TDEA), which is one of the two encryption algorithms (along with AES), approved for general use by the National Institute of Standards and Technology (NIST). The Feistel structure is also used for several schemes for format-preserving encryption, which have recently come into prominence. In addition, the Camellia block cipher is a Feistel structure; it is one of the possible symmetric ciphers in TLS and a number of other Internet security protocols. Both TDEA and format-preserving encryption are covered in Chapter 7.

Diffusion and Confusion
Terms introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system
Shannon’s concern was to thwart cryptanalysis based on statistical analysis
Diffusion
The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext
This is achieved by having each plaintext digit affect the value of many ciphertext digits
Confusion
Seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible
Even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key

The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system [SHAN49]. Shannon’s concern was to thwart cryptanalysis based on statistical analysis. The reasoning is as follows. Assume the attacker has some knowledge of the statistical characteristics of the plaintext. For example, in a human-readable message in some language, the frequency distribution of the various letters may be known. Or there may be words or phrases likely to appear in the message (probable words). If these statistics are in any way reflected in the ciphertext, the cryptanalyst may be able to deduce the encryption key, part of the key, or at least a set of keys likely to contain the exact key. In what Shannon refers to as a strongly ideal cipher, all statistics of the ciphertext are independent of the particular key used. The arbitrary substitution cipher that we discussed previously (Figure 4.2) is such a cipher, but as we have seen, it is impractical.

Other than recourse to ideal systems, Shannon suggests two methods for frustrating statistical cryptanalysis: diffusion and confusion. In diffusion, the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext digits; generally, this is equivalent to having each ciphertext digit be affected by many plaintext digits.

Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. On the other hand, confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. Thus, even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key. This is achieved by the use of a complex substitution algorithm. In contrast, a simple linear substitution function would add little confusion.

As [ROBS95b] points out, so successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.

Figure 4.3 Feistel Encryption and Decryption (16 rounds)

The left-hand side of Figure 4.3 depicts the structure proposed by Feistel. The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, LE_0 and RE_0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has as inputs LE_{i-1} and RE_{i-1} derived from the previous round, as well as a subkey K_i derived from the overall K. In general, the subkeys K_i are different from K and from each other. In Figure 4.3, 16 rounds are used, although any number of rounds could be implemented.

All rounds have the same structure. A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey K_i. Another way to express this is to say that F is a function of the right-half block of w bits and a subkey of y bits, which produces an output value of length w bits: F(RE_i, K_{i+1}). Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. This structure is a particular form of the substitution-permutation network (SPN) proposed by Shannon.

Feistel Cipher Design Features (1 of 2)
Block size
Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm
Key size
Larger key size means greater security but may decrease encryption/decryption speeds
Number of rounds
The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security
Subkey generation algorithm
Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis

The exact realization of a Feistel network depends on the choice of the following parameters and design features:
• Block size: Larger block sizes mean greater security (all other things being equal) but reduced encryption/decryption speed for a given algorithm. The greater security is achieved by greater diffusion. Traditionally, a block size of 64 bits has been considered a reasonable tradeoff and was nearly universal in block cipher design. However, the new AES uses a 128-bit block size.
• Key size: Larger key size means greater security but may decrease encryption/decryption speed. The greater security is achieved by greater resistance to brute-force attacks and greater confusion. Key sizes of 64 bits or less are now widely considered to be inadequate, and 128 bits has become a common size.
• Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security. A typical size is 16 rounds.
• Subkey generation algorithm: Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
• Round function F: Again, greater complexity generally means greater resistance to cryptanalysis.

There are two other considerations in the design of a Feistel cipher:
• Fast software encryption/decryption: In many cases, encryption is embedded in applications or utility functions in such a way as to preclude a hardware implementation. Accordingly, the speed of execution of the algorithm becomes a concern.
• Ease of analysis: Although we would like to make our algorithm as difficult as possible to cryptanalyze, there is great benefit in making the algorithm easy to analyze. That is, if the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength. DES, for example, does not have an easily analyzed functionality.

Feistel Cipher Design Features (2 of 2)
Round function F
Greater complexity generally means greater resistance to cryptanalysis
Fast software encryption/decryption
In many cases, encrypting is embedded in applications or utility functions in such a way as to preclude a hardware implementation; accordingly, the speed of execution of the algorithm becomes a concern
Ease of analysis
If the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength

Feistel Example

The process of decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows: Use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order. That is, use K_n in the first round, K_{n-1} in the second round, and so on, until K_1 is used in the last round. This is a nice feature, because it means we need not implement two different algorithms, one for encryption and one for decryption.
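
As an added example, not part of the slides or the textbook and not DES: a generic Feistel network in Python with a deliberately non-invertible round function, showing the rule above in action. Decryption is the same function run with the subkeys in reverse order, the round trip works for any number of rounds and any F, and a single round visibly passes half of the plaintext through unchanged, which is the "single round offers inadequate security" point from the design-features slide. The hash-based round function and the toy key schedule are assumptions of this example.

```python
# Added example (not from the slides or the textbook; not DES): a generic Feistel
# network over a 64-bit block, w = 32 bits per half, with n rounds.
import hashlib

W = 32                         # w: half-block width in bits; the block is 2w = 64 bits
MASK = (1 << W) - 1


def round_function(r, k):
    """F(RE, K): any function from w bits to w bits will do; it need not be invertible.
    Assumption of this example: SHA-256 truncated to w bits, so F is clearly one-way."""
    d = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")


def subkeys(key, rounds):
    """Toy key schedule (assumption of this example, not DES's): K_1..K_n from the
    64-bit key and the round number, so the subkeys differ from K and from each other."""
    return [round_function(key & MASK, ((key >> W) ^ i) & MASK)
            for i in range(1, rounds + 1)]


def feistel(block, keys):
    """Round i:  L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i).
    After the last round the halves are output swapped (R_n || L_n), as in Figure 4.3."""
    l, r = block >> W, block & MASK
    for k in keys:
        l, r = r, l ^ round_function(r, k)
    return (r << W) | l


def encrypt(block, key, rounds=16):
    return feistel(block, subkeys(key, rounds))


def decrypt(block, key, rounds=16):
    """Same network as encrypt; only the subkey order is reversed (K_n first, K_1 last)."""
    return feistel(block, subkeys(key, rounds)[::-1])


def bit_diff(a, b):
    """Number of bit positions in which two 64-bit blocks differ (the measure in Tables 4.3/4.4)."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    # Plaintext and key from Table 4.2, reused only as sample input: this toy cipher
    # does not produce the DES ciphertext da02ce3a89ecac3b.
    pt, key = 0x02468ACEECA86420, 0x0F1571C947D9E859
    ct = encrypt(pt, key)
    print(f"ciphertext {ct:016x}, round trip ok: {decrypt(ct, key) == pt}")
    one = encrypt(pt, key, rounds=1)
    print(f"1 round: {one:016x}; low half {one & MASK:08x} equals plaintext low half {pt & MASK:08x}")
    print("bits changed by flipping plaintext bit 4:", bit_diff(ct, encrypt(pt ^ (1 << 60), key)))
```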

Data Encryption Standard (DES)
Issued in 1977 by the National Bureau of Standards (now NIST) as Federal Information Processing Standard 46
Was the most widely used encryption scheme until the introduction of the Advanced Encryption Standard (AES) in 2001
Algorithm itself is referred to as the Data Encryption Algorithm (DEA)
Data are encrypted in 64-bit blocks using a 56-bit key
The algorithm transforms 64-bit input in a series of steps into a 64-bit output
The same steps, with the same key, are used to reverse the encryption

Until the introduction of the Advanced Encryption Standard (AES) in 2001, the Data Encryption Standard (DES) was the most widely used encryption scheme. DES was issued in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST), as Federal Information Processing Standard 46 (FIPS PUB 46). The algorithm itself is referred to as the Data Encryption Algorithm (DEA). For DEA, data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms 64-bit input in a series of steps into a 64-bit output. The same steps, with the same key, are used to reverse the encryption.

Over the years, DES became the dominant symmetric encryption algorithm, especially in financial applications. In 1994, NIST reaffirmed DES for federal use for another five years; NIST recommended the use of DES for applications other than the protection of classified information. In 1999, NIST issued a new version of its standard (FIPS PUB 46-3) that indicated that DES should be used only for legacy systems and that triple DES (which in essence involves repeating the DES algorithm three times on the plaintext using two or three different keys to produce the ciphertext) be used. We study triple DES in Chapter 7. Because the underlying encryption and decryption algorithms are the same for DES and triple DES, it remains important to understand the DES cipher. This section provides an overview. For the interested reader, Appendix C provides further detail.

Figure 4.5 General Depiction of DES Encryption Algorithm

The overall scheme for DES encryption is illustrated in Figure 4.5. As with any encryption scheme, there are two inputs to the encryption function: the plaintext to be encrypted and the key. In this case, the plaintext must be 64 bits in length and the key is 56 bits in length.

Looking at the left-hand side of the figure, we can see that the processing of the plaintext proceeds in three phases. First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input. This is followed by a phase consisting of sixteen rounds of the same function, which involves both permutation and substitution functions. The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key. The left and right halves of the output are swapped to produce the preoutput. Finally, the preoutput is passed through a permutation (IP^-1) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext. With the exception of the initial and final permutations, DES has the exact structure of a Feistel cipher, as shown in Figure 4.3.

The right-hand portion of Figure 4.5 shows the way in which the 56-bit key is used. Initially, the key is passed through a permutation function. Then, for each of the sixteen rounds, a subkey (K_i) is produced by the combination of a left circular shift and a permutation. The permutation function is the same for each round, but a different subkey is produced because of the repeated shifts of the key bits.

As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed. Additionally, the initial and final permutations are reversed.

Table 4.2 DES Example
Note: DES subkeys are shown as eight 6-bit values in hex format

We now work through an example and consider some of its implications. Although you are not expected to duplicate the example by hand, you will find it informative to study the hex patterns that occur from one step to the next.

For this example, the plaintext is a hexadecimal palindrome. The plaintext, key, and resulting ciphertext are as follows:
Plaintext: 02468aceeca86420
Key: 0f1571c947d9e859
Ciphertext: da02ce3a89ecac3b

Table 4.2 shows the progression of the algorithm. The first row shows the 32-bit values of the left and right halves of data after the initial permutation. The next 16 rows show the results after each round. Also shown is the value of the 48-bit subkey generated for each round. Note that L_i = R_{i-1}. The final row shows the left- and right-hand values after the inverse initial permutation. These two values combined form the ciphertext.

Table 4.3 Avalanche Effect in DES: Change in Plaintext

A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. This is referred to as the avalanche effect. If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched.

Using the example from Table 4.2, Table 4.3 shows the result when the fourth bit of the plaintext is changed, so that the plaintext is 12468aceeca86420. The second column of the table shows the intermediate 64-bit values at the end of each round for the two plaintexts. The third column shows the number of bits that differ between the two intermediate values. The table shows that, after just three rounds, 18 bits differ between the two blocks. On completion, the two ciphertexts differ in 32 bit positions.

Table 4.4 Avalanche Effect in DES: Change in Key

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Table 4.4 shows a similar test using the original plaintext of with two keys that

differ in only the fourth bit position: the original key, 0f1571c947d9e859, and

the altered key, 1f1571c947d9e859. Again, the results show that about half of

the bits in the ciphertext differ and that the avalanche effect is pronounced after just

a few rounds.


Table 4.5 Average Time Required for Exhaustive Key Search

Key Size (bits) | Cipher | Number of Alternative Keys | Time Required at 10^9 Decryptions/s | Time Required at 10^13 Decryptions/s

56 | DES | 2^56 ≈ 7.2 × 10^16 | 2^55 ns = 1.125 years | 1 hour

128 | AES | 2^128 ≈ 3.4 × 10^38 | 2^127 ns = 5.3 × 10^21 years | 5.3 × 10^17 years

168 | Triple DES | 2^168 ≈ 3.7 × 10^50 | 2^167 ns = 5.8 × 10^33 years | 5.8 × 10^29 years

192 | AES | 2^192 ≈ 6.3 × 10^57 | 2^191 ns = 9.8 × 10^40 years | 9.8 × 10^36 years

256 | AES | 2^256 ≈ 1.2 × 10^77 | 2^255 ns = 1.8 × 10^60 years | 1.8 × 10^56 years

26 characters (permutation) | Monoalphabetic | 26! ≈ 4 × 10^26 | 2 × 10^26 ns = 6.3 × 10^9 years | 6.3 × 10^6 years


Since its adoption as a federal standard, there have been lingering concerns about

the level of security provided by DES. These concerns, by and large, fall into two

areas: key size and the nature of the algorithm.

With a key length of 56 bits, there are 2^56 possible keys, which is approximately

7.2 × 10^16 keys. Thus, on the face of it, a brute-force attack appears impractical.

Assuming that, on average, half the key space has to be searched, a single machine

performing one DES encryption per microsecond would take more than a thousand

years to break the cipher.

However, the assumption of one encryption per microsecond is overly conservative.

As far back as 1977, Diffie and Hellman postulated that the technology

existed to build a parallel machine with 1 million encryption devices, each of which

could perform one encryption per microsecond [DIFF77]. This would bring the

average search time down to about 10 hours. The authors estimated that the cost

would be about $20 million in 1977 dollars.

With current technology, it is not even necessary to use special, purpose-built

hardware. Rather, the speed of commercial, off-the-shelf processors threatens the

security of DES. A recent paper from Seagate Technology [SEAG08] suggests that

a rate of 1 billion (10^9) key combinations per second is reasonable for today’s multicore

computers. Recent offerings confirm this. Both Intel and AMD now offer

hardware-based instructions to accelerate the use of AES. Tests run on a contemporary

multicore Intel machine resulted in an encryption rate of about half a billion

encryptions per second [BASU12]. Another recent analysis suggests that with

contemporary supercomputer technology, a rate of 10^13 encryptions per second is

reasonable [AROR12].

With these results in mind, Table 4.5 shows how much time is required for

a brute-force attack for various key sizes. As can be seen, a single PC can break

DES in about a year; if multiple PCs work in parallel, the time is drastically shortened.

And today’s supercomputers should be able to find a key in about an hour.

Key sizes of 128 bits or greater are effectively unbreakable using simply a brute-force

approach. Even if we managed to speed up the attacking system by a factor

of 1 trillion (10^12), it would still take over 100,000 years to break a code using a

128-bit key.

Fortunately, there are a number of alternatives to DES, the most important of

which are AES and triple DES, discussed in Chapters 6 and 7, respectively.


Strength of DES

Timing attacks

One in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts

Exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs

The text concludes that this technique is unlikely to succeed against DES or more powerful symmetric ciphers such as triple DES and AES; in practice, resistance to timing attacks is a property of the implementation as much as of the algorithm


We discuss timing attacks in more detail in Part Three, as they relate to public-key

algorithms. However, the issue may also be relevant for symmetric ciphers. In essence,

a timing attack is one in which information about the key or the plaintext is obtained

by observing how long it takes a given implementation to perform decryptions on

various ciphertexts. A timing attack exploits the fact that an encryption or decryption

algorithm often takes slightly different amounts of time on different inputs. [HEVI99]

reports on an approach that yields the Hamming weight (number of bits equal to one)

of the secret key. This is a long way from knowing the actual key, but it is an intriguing

first step. The authors conclude that DES appears to be fairly resistant to a successful

timing attack but suggest some avenues to explore. Although this is an interesting line of attack, the text's conclusion is that the technique is unlikely to be successful against DES or more powerful symmetric ciphers such as triple DES and AES. That conclusion holds for the algorithms as mathematical objects, not for their implementations: cache-timing attacks on table-driven AES software (Bernstein, 2005; Osvik, Shamir and Tromer, 2006) recovered complete keys by observing how long lookups took, which is one reason constant-time implementations and the AES-NI instructions described in Chapter 6 matter in practice. Whether a symmetric cipher leaks through timing is decided by how it is implemented.
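The following is an added example, not code from the textbook or its slides, and it does not attack DES. It shows the generic leak that every timing attack exploits: a check whose cost depends on how much of the input is already correct. Instead of measuring wall-clock time, which is noisy in a short demo, each oracle returns the number of byte comparisons it performed, standing in for the timing an attacker would estimate statistically. The secret is a constructed value (the DES key from Table 4.2 reused as an opaque 8-byte string), and the names `leaky_equals`, `constant_time_equals` and `recover_secret` are this example's own.

```python
"""Timing side channel, simulated. Added example (not the textbook's code): it does
not attack DES, it shows the generic leak a timing attack exploits, a check whose
cost depends on how much of the input is already right. Instead of measuring
wall-clock time, which is noisy in a short demo, each oracle returns the number of
byte comparisons it performed as a stand-in for timing."""
import hmac

# Constructed secret: the DES key from Table 4.2, reused here only as an opaque 8-byte value.
SECRET = bytes.fromhex("0f1571c947d9e859")


def leaky_equals(guess: bytes, secret: bytes = SECRET):
    """Early-exit comparison. Returns (equal, work); work counts byte comparisons,
    so it reveals the length of the matching prefix."""
    work = 0
    if len(guess) != len(secret):
        return False, work
    for g, s in zip(guess, secret):
        work += 1
        if g != s:
            return False, work
    return True, work


def constant_time_equals(guess: bytes, secret: bytes = SECRET):
    """Same decision, but every byte is always examined, so work is fixed.
    In real code use hmac.compare_digest, which does this for you."""
    if len(guess) != len(secret):
        return False, 0
    diff = 0
    for g, s in zip(guess, secret):
        diff |= g ^ s
    equal = diff == 0
    assert equal == hmac.compare_digest(guess, secret)
    return equal, len(secret)


def recover_secret(oracle, length: int):
    """Recover the secret one byte at a time from the oracle's work counter alone.
    At each position the candidate that costs strictly more than all others is the
    right one; if no candidate stands out, the channel is closed and we give up.
    Cost: at most 256 * length queries instead of 256 ** length."""
    known = b""
    for pos in range(length):
        cost = {}
        for cand in range(256):
            guess = known + bytes([cand]) + bytes(length - pos - 1)
            equal, work = oracle(guess)
            if equal:
                return known + bytes([cand])
            cost[cand] = work
        top = max(cost.values())
        winners = [c for c, w in cost.items() if w == top]
        if len(winners) != 1:
            return None
        known += bytes([winners[0]])
    return known
```

Against `leaky_equals` the attack needs at most 256 × 8 queries to recover all eight bytes, against 2^64 for blind guessing; against `constant_time_equals` every candidate costs the same, no byte stands out, and `recover_secret` returns None. The same structure (a per-input cost difference, amplified by repetition) is what the DES study above was looking for, with the S-box and permutation code paths in the role of the early exit.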


Block Cipher Design Principles: Number of Rounds

The greater the number of rounds, the more difficult it is to perform cryptanalysis

In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack

If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a brute-force key search


The cryptographic strength of a Feistel cipher derives from three aspects of the

design: the number of rounds, the function F, and the key schedule algorithm. Let

us look first at the choice of the number of rounds.

The greater the number of rounds, the more difficult it is to perform cryptanalysis,

even for a relatively weak F. In general, the criterion should be that the

number of rounds is chosen so that known cryptanalytic efforts require greater

effort than a simple brute-force key search attack. This criterion was certainly used

in the design of DES. Schneier [SCHN96] observes that for 16-round DES, a differential

cryptanalysis attack is slightly less efficient than brute force: The differential

cryptanalysis attack requires 2^55.1 operations, whereas brute force requires 2^55. If

DES had 15 or fewer rounds, differential cryptanalysis would require less effort

than a brute-force key search.

This criterion is attractive, because it makes it easy to judge the strength of

an algorithm and to compare different algorithms. In the absence of a cryptanalytic

breakthrough, the strength of any algorithm that satisfies the criterion can be

judged solely on key length.


Block Cipher Design Principles: Design of Function F

The heart of a Feistel block cipher is the function F

The more nonlinear F, the more difficult any type of cryptanalysis will be

The SAC and BIC criteria appear to strengthen the effectiveness of the confusion function

The algorithm should have good avalanche properties

Strict avalanche criterion (SAC)

States that any output bit j of an S-box should change with probability 1/2 when any single input bit i is inverted for all i , j

Bit independence criterion (BIC)

States that output bits j and k should change independently when any single input bit i is inverted for all i , j , and k


The heart of a Feistel block cipher is the function F, which provides the element

of confusion in a Feistel cipher. Thus, it must be difficult to “unscramble” the

substitution performed by F. One obvious criterion is that F be nonlinear, as we

discussed previously. The more nonlinear F, the more difficult any type of cryptanalysis

will be. There are several measures of nonlinearity, which are beyond

the scope of this book. In rough terms, the more difficult it is to approximate F

by a set of linear equations, the more nonlinear F is.

Several other criteria should be considered in designing F. We would like the

algorithm to have good avalanche properties. Recall that, in general, this means that

a change in one bit of the input should produce a change in many bits of the output.

A more stringent version of this is the strict avalanche criterion (SAC) [WEBS86],

which states that any output bit j of an S-box (see Appendix C for a discussion of

S-boxes) should change with probability 1/2 when any single input bit i is inverted

for all i , j . Although SAC is expressed in terms of S-boxes, a similar criterion could

be applied to F as a whole. This is important when considering designs that do not

include S-boxes.

Another criterion proposed in [WEBS86] is the bit independence criterion

(BIC), which states that output bits j and k should change independently when any

single input bit i is inverted for all i , j , and k . The SAC and BIC criteria appear to

strengthen the effectiveness of the confusion function.


Block Cipher Design Principles: Key Schedule Algorithm

With any Feistel block cipher, the key is used to generate one subkey for each round

In general, we would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key

It is suggested that, at a minimum, the key schedule should guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion


With any Feistel block cipher, the key is used to generate one subkey for each

round. In general, we would like to select subkeys to maximize the difficulty of

deducing individual subkeys and the difficulty of working back to the main key. No

general principles for this have yet been promulgated.

Adams suggests [ADAM94] that, at minimum, the key schedule should

guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence

Criterion.


Summary

Explain the concept of the avalanche effect

Discuss the cryptographic strength of DES

Summarize the principal block cipher design principles

Understand the distinction between stream ciphers and block ciphers

Present an overview of the Feistel cipher and explain how decryption is the inverse of encryption

Present an overview of Data Encryption Standard (DES)


Chapter 4 summary.


Copyright

This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 6

Advanced Encryption Standard


Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 6 – “Advanced Encryption Standard”.

The Advanced Encryption Standard (AES) was published by the National Institute

of Standards and Technology (NIST) in 2001. AES is a symmetric block cipher that

is intended to replace DES as the approved standard for a wide range of applications.

[NECH01], available from NIST, summarizes the evaluation criteria used by NIST to select from among the candidates for AES, plus the rationale for picking Rijndael, which was the winning candidate. This material is useful in understanding not just the AES design but also the criteria by which to judge any symmetric encryption algorithm. The essence of the criteria was to develop an algorithm with a high level of security and good performance on a range of systems.

It is worth making additional comment about the performance of AES. Because of the popularity of AES, a number of efforts have been made to improve performance through both software and hardware optimization. Most notably, in 2008, Intel introduced the Advanced Encryption Standard New Instructions (AES-NI) as a hardware extension to the x86 instruction set to improve the speed of encryption and decryption. The AES-NI instruction enables x86 processors to achieve a performance of 0.64 cycles/byte for an authenticated encryption mode known as AES-GCM (described in Chapter 12).

In 2018, Intel added vectorized instructions, referred to as VAES*, to the existing AES-NI for its high-end processors [INTE17]. These instructions are intended to push the performance of AES software further down, to a new theoretical throughput of 0.16 cycles/byte [DRUC18].

AES has become the most widely used symmetric cipher. Compared to public-key ciphers such as RSA, the structure of AES and most symmetric ciphers is quite complex and cannot be explained as easily as many other cryptographic algorithms. Accordingly, the reader may wish to begin with a simplified version of AES, which is described in Appendix A. This version allows the reader to perform encryption and decryption by hand and gain a good understanding of the working of the algorithm details. Classroom experience indicates that a study of this simplified version enhances understanding of AES. One possible approach is to read the chapter first, then carefully read Appendix A and then re-read the main body of the chapter


Learning Objectives

Present an overview of the general structure of Advanced Encryption Standard (AES).

Understand the four transformations used in AES.

Explain the AES key expansion algorithm.

Understand the use of polynomials with coefficients in GF(2^8).


Finite Field Arithmetic (1 of 2)

In the Advanced Encryption Standard (AES) all operations are performed on 8-bit bytes

The arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8)

A field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set

Division is defined with the following rule:

a/b = a · (b^−1)

An example of a finite field (one with a finite number of elements) is the set Z_p consisting of all the integers {0, 1, . . . , p − 1}, where p is a prime number and in which arithmetic is carried out modulo p


In AES, all operations are performed on 8-bit bytes. In particular, the arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8). Section 5.6 discusses such operations in some detail. For the reader who has not studied Chapter 5, and as a quick review for those who have, this section summarizes the important concepts.

In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set. Division is defined with the following rule: a/b = a · (b^−1). An example of a finite field (one with a finite number of elements) is the set Z_p consisting of all the integers {0, 1, . . . , p − 1}, where p is a prime number and in which arithmetic is carried out modulo p.


Finite Field Arithmetic (2 of 2)

If one of the operations used in the algorithm is division, then we need to work in arithmetic defined over a field

Division requires that each nonzero element have a multiplicative inverse

For convenience and for implementation efficiency we would like to work with integers that fit exactly into a given number of bits with no wasted bit patterns

Integers in the range 0 through 2^n − 1, which fit into an n-bit word

The set of such integers, Z_(2^n), using modular arithmetic, is not a field (for n > 1)

For example, the integer 2 has no multiplicative inverse in Z_(2^n); that is, there is no integer b such that 2b mod 2^n = 1

A finite field containing 2^n elements is referred to as GF(2^n)

Every element of GF(2^n) is a polynomial of degree less than n with coefficients in GF(2) and can be represented by an n-bit number


Virtually all encryption algorithms, both conventional and public-key, involve arithmetic operations on integers. If one of the operations used in the algorithm is division, then we need to work in arithmetic defined over a field; this is because division requires that each nonzero element have a multiplicative inverse. For convenience and for implementation efficiency, we would also like to work with integers that fit exactly into a given number of bits, with no wasted bit patterns. That is, we wish to work with integers in the range 0 through 2^n − 1, which fit into an n-bit word. Unfortunately, the set of such integers, Z_(2^n), using modular arithmetic, is not a field (for n > 1). For example, the integer 2 has no multiplicative inverse in Z_(2^n); that is, there is no integer b such that 2b mod 2^n = 1, because 2b is always even and 2^n is even.

There is a way of defining a finite field containing 2^n elements; such a field is referred to as GF(2^n).


Figure 6.1 AES Encryption Process


Figure 6.1 shows the overall structure of the AES encryption process. The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length.


Figure 6.2 AES Data Structures


The input to the encryption and decryption algorithms is a single 128-bit block. In FIPS PUB 197, this block is depicted as a 4 × 4 square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption. After the final stage, State is copied to an output matrix. These operations are depicted in Figure 6.2a. Similarly, the key is depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words. Figure 6.2b shows the expansion for the 128-bit key. Each word is four bytes, and the total key schedule is 44 words for the 128-bit key. Note that the ordering of bytes within a matrix is by column. So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second column, and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix.


Table 6.1 AES Parameters

Parameter | AES-128 | AES-192 | AES-256

Key Size (words/bytes/bits) | 4/16/128 | 6/24/192 | 8/32/256

Plaintext Block Size (words/bytes/bits) | 4/16/128 | 4/16/128 | 4/16/128

Number of Rounds | 10 | 12 | 14

Round Key Size (words/bytes/bits) | 4/16/128 | 4/16/128 | 4/16/128

Expanded Key Size (words/bytes) | 44/176 | 52/208 | 60/240


The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key (Table 6.1). The first N − 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described subsequently. The final round contains only three transformations, and there is an initial single transformation (AddRoundKey) before the first round, which can be considered Round 0. Each transformation takes one or more 4 × 4 matrices as input and produces a 4 × 4 matrix as output. Figure 6.1 shows that the output of each round is a 4 × 4 matrix, with the output of the final round being the ciphertext. Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 × 4 matrix. Each round key serves as one of the inputs to the AddRoundKey transformation in each round.


Figure 6.3 AES Encryption and Decryption


Figure 6.3 shows the AES cipher in more detail, indicating the sequence of transformations in each round and showing the corresponding decryption function. As was done in Chapter 4, we show encryption proceeding down the page and decryption proceeding up the page.


Detailed Structure (1 of 2)

Processes the entire data block as a single matrix during each round using substitutions and permutation

The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i] (for a 128-bit key; 52 and 60 words for 192- and 256-bit keys, Table 6.1)

Four different stages are used:

Substitute bytes – uses an S-box to perform a byte-by-byte substitution of the block

ShiftRows – a simple permutation

MixColumns – a substitution that makes use of arithmetic over GF(2^8)

AddRoundKey – a simple bitwise XOR of the current block with a portion of the expanded key


Before delving into details, we can make several comments about the overall AES structure.

1. One noteworthy feature of this structure is that it is not a Feistel structure. Recall that, in the classic Feistel structure, half of the data block is used to modify the other half of the data block and then the halves are swapped. AES instead processes the entire data block as a single matrix during each round using substitutions and permutation.

2. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i] (for the 128-bit key shown in Figure 6.2b; 52 and 60 words for 192- and 256-bit keys, Table 6.1). Four distinct words (128 bits) serve as a round key for each round; these are indicated in Figure 6.3.

3. Four different stages are used, one of permutation and three of substitution:

• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block

• ShiftRows: A simple permutation

• MixColumns: A substitution that makes use of arithmetic over GF(2^8)

• AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key

4. The structure is quite simple. For both encryption and decryption, the cipher begins with an AddRoundKey stage, followed by nine rounds that each include all four stages, followed by a tenth round of three stages (these counts are for AES-128; AES-192 and AES-256 have 12 and 14 rounds, with the same shape).

5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible without knowledge of the key and so would add no security.

6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be formidable. The other three stages together provide confusion, diffusion, and nonlinearity, but by themselves would provide no security because they do not use the key. We can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on. This scheme is both efficient and highly secure.

7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an inverse function is used in the decryption algorithm. For the AddRoundKey stage, the inverse is achieved by XORing the same round key to the block.

8. As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse order. However, the decryption algorithm is not identical to the encryption algorithm. This is a consequence of the particular structure of AES.

9. Once it is established that all four stages are reversible, it is easy to verify that decryption does recover the plaintext. Figure 6.3 lays out encryption and decryption going in opposite vertical directions. At each horizontal point (e.g., the dashed line in the figure), State is the same for both encryption and decryption.

10. The final round of both encryption and decryption consists of only three stages. Again, this is a consequence of the particular structure of AES and is required to make the cipher reversible.


Detailed Structure (2 of 2)

The cipher begins and ends with an AddRoundKey stage

Can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on

Each stage is easily reversible

The decryption algorithm makes use of the expanded key in reverse order, however the decryption algorithm is not identical to the encryption algorithm

State is the same for both encryption and decryption

Final round of both encryption and decryption consists of only three stages


Figure 6.4 AES Encryption Round


Figure 6.4 depicts the structure of a full encryption round.


Figure 6.5 AES Byte-Level Operations


The forward substitute byte transformation, called SubBytes, is a simple table lookup (Figure 6.5a).


Table 6.2 AES S-Boxes (1 of 2)


AES defines a 16 × 16 matrix of byte values, called an S-box (Table 6.2a), that contains

a permutation of all possible 256 8-bit values. Each individual byte of State

is mapped into a new byte in the following way: The leftmost 4 bits of the byte

are used as a row value and the rightmost 4 bits are used as a column value.

These row and column values serve as indexes into the S-box to select a unique

8-bit output value. For example, the hexadecimal value {95} references row 9,

column 5 of the S-box, which contains the value {2A}. Accordingly, the value {95}

is mapped into the value {2A}.


Table 6.2 AES S-Boxes (2 of 2)


The inverse substitute byte transformation , called InvSubBytes, makes use

of the inverse S-box shown in Table 6.2b.


Figure 6.6 Construction of S-Box and IS-Box


S-Box Rationale

The S-box is designed to be resistant to known cryptanalytic attacks

The Rijndael developers sought a design that has a low correlation between input bits and output bits and the property that the output is not a linear mathematical function of the input

The nonlinearity is due to the use of the multiplicative inverse


The S-box is designed to be resistant to known cryptanalytic attacks.

Specifically, the Rijndael developers sought a design that has a low correlation

between input bits and output bits and the property that the output is not a linear

mathematical function of the input [DAEM01]. The nonlinearity is due to the use

of the multiplicative inverse.


Figure 6.7 AES Row and Column Operations


The forward shift row transformation ,

called ShiftRows, is depicted in Figure 6.7a. The first row of State is not altered. For

the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte

circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed.

The following is an example of ShiftRows.

The inverse shift row transformation , called InvShiftRows, performs the circular

shifts in the opposite direction for each of the last three rows, with a 1-byte

circular right shift for the second row, and so on.

The forward mix column transformation,

called MixColumns, operates on each column individually. Each byte of a column

is mapped into a new value that is a function of all four bytes in that column. The

transformation can be defined by the following matrix multiplication on State

(Figure 6.7b)

Each element in the product matrix is the sum of products of elements of one row

and one column. In this case, the individual additions and multiplications are

performed in GF(2^8).


Shift Row Rationale

More substantial than it may first appear

The State, as well as the cipher input and output, is treated as an array of four 4-byte columns

On encryption, the first 4 bytes of the plaintext are copied to the first column of State, and so on

The round key is applied to State column by column

Thus, a row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes

Transformation ensures that the 4 bytes of one column are spread out to four different columns


The shift row transformation is more substantial than it may first appear. This is because the State, as well as the cipher input and output, is treated as an array of four 4-byte columns. Thus, on encryption, the first 4 bytes of the plaintext are copied to the first column of State, and so on. Furthermore, as will be seen, the round key is applied to State column by column. Thus, a row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes. Also note that the transformation ensures that the 4 bytes of one column are spread out to four different columns. Figure 6.4 illustrates the effect.


Mix Columns Rationale

Coefficients of a matrix based on a linear code with maximal distance between code words ensures a good mixing among the bytes of each column

The mix column transformation combined with the shift row transformation ensures that after a few rounds all output bits depend on all input bits


The coefficients of the matrix in Equation (6.3) are based on a linear code with maximal distance between code words, which ensures a good mixing among the bytes of each column. The mix column transformation combined with the shift row transformation ensures that after a few rounds all output bits depend on all input bits. See [DAEM99] for a discussion.

In addition, the choice of coefficients in MixColumns, which are all {01}, {02}, or {03}, was influenced by implementation considerations. As was discussed, multiplication by these coefficients involves at most a shift and an XOR. The coefficients in InvMixColumns are more formidable to implement. However, encryption was deemed more important than decryption for two reasons:

1. For the CFB and OFB cipher modes (Figures 7.5 and 7.6; described in Chapter 7), only encryption is used.

2. As with any block cipher, AES can be used to construct a message authentication code (Chapter 13), and for this, only encryption is used.


AddRoundKey Transformation

The 128 bits of State are bitwise XORed with the 128 bits of the round key

Operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key

Can also be viewed as a byte-level operation

Rationale:

Is as simple as possible and affects every bit of State

The complexity of the round key expansion plus the complexity of the other stages of AES ensure security


In the forward add round key transformation, called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key. As shown in Figure 6.5b, the operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation.

The add round key transformation is as simple as possible and affects every bit of State. The complexity of the round key expansion, plus the complexity of the other stages of AES, ensure security.


Figure 6.8 Inputs for Single AES Round


Figure 6.8 is another view of a single round of AES, emphasizing the mechanisms and inputs of each transformation.


AES Key Expansion

Takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes)

This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher

Key is copied into the first four words of the expanded key

The remainder of the expanded key is filled in four words at a time

Each added word w[i] depends on the immediately preceding word, w[i – 1], and the word four positions back, w[i – 4]

In three out of four cases a simple XOR is used

For a word whose position in the w array is a multiple of 4, a more complex function is used


The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes). This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher. The pseudocode on the next page describes the expansion.

The key is copied into the first four words of the expanded key. The remainder of the expanded key is filled in four words at a time. Each added word w[i] depends on the immediately preceding word, w[i – 1], and the word four positions back, w[i – 4]. In three out of four cases, a simple XOR is used. For a word whose position in the w array is a multiple of 4, a more complex function is used.


Figure 6.9 AES Key Expansion


Figure 6.9 illustrates the generation of the expanded key, using the symbol g to represent that complex function.


Key Expansion Rationale (1 of 2)

The Rijndael developers designed the expansion key algorithm to be resistant to known cryptanalytic attacks

Inclusion of a round-dependent round constant eliminates the symmetry between the ways in which round keys are generated in different rounds


The Rijndael developers designed the expansion key algorithm to be resistant to known cryptanalytic attacks. The inclusion of a round-dependent round constant eliminates the symmetry, or similarity, between the ways in which round keys are generated in different rounds. The specific criteria that were used are [DAEM99]:

• Knowledge of a part of the cipher key or round key does not enable calculation of many other round-key bits.

• An invertible transformation [i.e., knowledge of any Nk consecutive words of the expanded key enables regeneration of the entire expanded key (Nk = key size in words)].

• Speed on a wide range of processors.

• Usage of round constants to eliminate symmetries.

• Diffusion of cipher key differences into the round keys; that is, each key bit affects many round key bits.

• Enough nonlinearity to prohibit the full determination of round key differences from cipher key differences only.

• Simplicity of description.

The authors do not quantify the first point on the preceding list, but the idea is that if you know less than Nk consecutive words of either the cipher key or one of the round keys, then it is difficult to reconstruct the remaining unknown bits. The fewer bits one knows, the more difficult it is to do the reconstruction or to determine other bits in the key expansion.


Key Expansion Rationale (2 of 2)

The specific criteria that were used are:

Knowledge of a part of the cipher key or round key does not enable calculation of many other round-key bits

An invertible transformation

Speed on a wide range of processors

Usage of round constants to eliminate symmetries

Diffusion of cipher key differences into the round keys

Enough nonlinearity to prohibit the full determination of round key differences from cipher key differences only

Simplicity of description


Table 6.3 Example Round Key Calculation

Description                                           Value
i (decimal)                                           36
temp = w[i − 1]                                       7F8D292F
RotWord(temp)                                         8D292F7F
SubWord(RotWord(temp))                                5DA515D2
Rcon(9)                                               1B000000
SubWord(RotWord(temp)) ⊕ Rcon(9)                      46A515D2
w[i − 4]                                              EAD27321
w[i] = w[i − 4] ⊕ SubWord(RotWord(temp)) ⊕ Rcon(9)    AC7766F3


Table 6.4 Key Expansion for AES Example (1 of 3)

Key Words                          Auxiliary Function
w0 = 0f 15 71 c9
w1 = 47 d9 e8 59
w2 = 0c b7 ad d6
w3 = af 7f 67 98                   RotWord(w3) = 7f 67 98 af = x1
                                   SubWord(x1) = d2 85 46 79 = y1
                                   Rcon(1) = 01 00 00 00
                                   y1 ⊕ Rcon(1) = d3 85 46 79 = z1
w4 = w0 ⊕ z1 = dc 90 37 b0
w5 = w4 ⊕ w1 = 9b 49 df e9
w6 = w5 ⊕ w2 = 97 fe 72 3f
w7 = w6 ⊕ w3 = 38 81 15 a7         RotWord(w7) = 81 15 a7 38 = x2
                                   SubWord(x2) = 0c 59 5c 07 = y2
                                   Rcon(2) = 02 00 00 00
                                   y2 ⊕ Rcon(2) = 0e 59 5c 07 = z2
w8 = w4 ⊕ z2 = d2 c9 6b b7
w9 = w8 ⊕ w5 = 49 80 b4 5e
w10 = w9 ⊕ w6 = de 7e c6 61
w11 = w10 ⊕ w7 = e6 ff d3 c6       RotWord(w11) = ff d3 c6 e6 = x3
                                   SubWord(x3) = 16 66 b4 8e = y3
                                   Rcon(3) = 04 00 00 00
                                   y3 ⊕ Rcon(3) = 12 66 b4 8e = z3


Table 6.4 shows the expansion of the 16-byte key into 10 round keys. As previously explained, this process is performed word by word, with each four-byte word occupying one column of the round-key matrix. The left-hand column shows the four round-key words generated for each round. The right-hand column shows the steps used to generate the auxiliary word used in key expansion. We begin, of course, with the key itself serving as the round key for round 0.


Table 6.4 Key Expansion for AES Example (2 of 3)

Key Words                          Auxiliary Function
w12 = w8 ⊕ z3 = c0 af df 39
w13 = w12 ⊕ w9 = 89 2f 6b 67
w14 = w13 ⊕ w10 = 57 51 ad 06
w15 = w14 ⊕ w11 = b1 ae 7e c0      RotWord(w15) = ae 7e c0 b1 = x4
                                   SubWord(x4) = e4 f3 ba c8 = y4
                                   Rcon(4) = 08 00 00 00
                                   y4 ⊕ Rcon(4) = ec f3 ba c8 = z4
w16 = w12 ⊕ z4 = 2c 5c 65 f1
w17 = w16 ⊕ w13 = a5 73 0e 96
w18 = w17 ⊕ w14 = f2 22 a3 90
w19 = w18 ⊕ w15 = 43 8c dd 50      RotWord(w19) = 8c dd 50 43 = x5
                                   SubWord(x5) = 64 c1 53 1a = y5
                                   Rcon(5) = 10 00 00 00
                                   y5 ⊕ Rcon(5) = 74 c1 53 1a = z5
w20 = w16 ⊕ z5 = 58 9d 36 eb
w21 = w20 ⊕ w17 = fd ee 38 7d
w22 = w21 ⊕ w18 = 0f cc 9b ed
w23 = w22 ⊕ w19 = 4c 40 46 bd      RotWord(w23) = 40 46 bd 4c = x6
                                   SubWord(x6) = 09 5a 7a 29 = y6
                                   Rcon(6) = 20 00 00 00
                                   y6 ⊕ Rcon(6) = 29 5a 7a 29 = z6


Table 6.4 Key Expansion for AES Example (3 of 3)

Key Words                          Auxiliary Function
w24 = w20 ⊕ z6 = 71 c7 4c c2
w25 = w24 ⊕ w21 = 8c 29 74 bf
w26 = w25 ⊕ w22 = 83 e5 ef 52
w27 = w26 ⊕ w23 = cf a5 a9 ef      RotWord(w27) = a5 a9 ef cf = x7
                                   SubWord(x7) = 06 d3 df 8a = y7
                                   Rcon(7) = 40 00 00 00
                                   y7 ⊕ Rcon(7) = 46 d3 df 8a = z7
w28 = w24 ⊕ z7 = 37 14 93 48
w29 = w28 ⊕ w25 = bb 3d e7 f7
w30 = w29 ⊕ w26 = 38 d8 08 a5
w31 = w30 ⊕ w27 = f7 7d a1 4a      RotWord(w31) = 7d a1 4a f7 = x8
                                   SubWord(x8) = ff 32 d6 68 = y8
                                   Rcon(8) = 80 00 00 00
                                   y8 ⊕ Rcon(8) = 7f 32 d6 68 = z8
w32 = w28 ⊕ z8 = 48 26 45 20
w33 = w32 ⊕ w29 = f3 1b a2 d7
w34 = w33 ⊕ w30 = cb c3 aa 72
w35 = w34 ⊕ w31 = 3c be 0b 38      RotWord(w35) = be 0b 38 3c = x9
                                   SubWord(x9) = ae 2b 07 eb = y9
                                   Rcon(9) = 1b 00 00 00
                                   y9 ⊕ Rcon(9) = b5 2b 07 eb = z9
w36 = w32 ⊕ z9 = fd 0d 42 cb
w37 = w36 ⊕ w33 = 0e 16 e0 1c
w38 = w37 ⊕ w34 = c5 d5 4a 6e
w39 = w38 ⊕ w35 = f9 6b 41 56      RotWord(w39) = 6b 41 56 f9 = x10
                                   SubWord(x10) = 7f 83 b1 99 = y10
                                   Rcon(10) = 36 00 00 00
                                   y10 ⊕ Rcon(10) = 49 83 b1 99 = z10
w40 = w36 ⊕ z10 = b4 8e f3 52
w41 = w40 ⊕ w37 = ba 98 13 4e
w42 = w41 ⊕ w38 = 7f 4d 59 20
w43 = w42 ⊕ w39 = 86 26 18 76


Table 6.5 AES Example (1 of 2)

Round   Start of Round   After SubBytes   After ShiftRows   After MixColumns   Round Key
0       01 89 fe 76                                                            0f 47 0c af
        23 ab dc 54                                                            15 d9 b7 7f
        45 cd ba 32                                                            71 e8 ad 67
        67 ef 98 10                                                            c9 59 d6 98

1       0e ce f2 d9      ab 8b 89 35      ab 8b 89 35       b9 94 57 75        dc 9b 97 38
        36 72 6b 2b      05 40 7f f1      40 7f f1 05       e4 8e 16 51        90 49 fe 81
        34 25 17 55      18 3f f0 fc      f0 fc 18 3f       47 20 9a 3f        37 df 72 15
        ae b6 4e 88      e4 4e 2f c4      c4 e4 4e 2f       c5 d6 f5 3b        b0 e9 3f a7

2       65 0f c0 4d      4d 76 ba e3      4d 76 ba e3       8e 22 db 12        d2 49 de e6
        74 c7 e8 d0      92 c6 9b 70      c6 9b 70 92       b2 f2 dc 92        c9 80 7e ff
        70 ff e8 2a      51 16 9b e5      9b e5 51 16       df 80 f7 c1        6b b4 c6 d3
        75 3f ca 9c      9d 75 74 de      de 9d 75 74       2d c5 1e 52        b7 5e 61 c6

3       5c 6b 05 f4      4a 7f 6b bf      4a 7f 6b bf       b1 c1 0b cc        c0 89 57 b1
        7b 72 a2 6d      21 40 3a 3c      40 3a 3c 21       ba f3 8b 07        af 2f 51 ae
        b4 34 31 12      8d 18 c7 c9      c7 c9 8d 18       f9 1f 6a c3        df 6b ad 7e
        9a 9b 7f 94      b8 14 d2 22      22 b8 14 d2       1d 19 24 5c        39 67 06 c0

4       71 48 5c 7d      a3 52 4a ff      a3 52 4a ff       d4 11 fe 0f        2c a5 f2 43
        15 dc da a9      59 86 57 d3      86 57 d3 59       3b 44 06 73        5c 73 22 8c
        26 74 c7 bd      f7 92 c6 7a      c6 7a f7 92       cb ab 62 37        65 0e a3 dd
        24 7e 22 9c      36 f3 93 de      de 36 f3 93       19 b7 07 ec        f1 96 90 50

5       f8 b4 0c 4c      41 8d fe 29      41 8d fe 29       2a 47 c4 48        58 fd 0f 4c
        67 37 24 ff      85 9a 36 16      9a 36 16 85       83 e8 18 ba        9d ee cc 40
        ae a5 c1 ea      e4 06 78 87      78 87 e4 06       84 18 27 23        36 38 9b 46
        e8 21 97 bc      9b fd 88 65      65 9b fd 88       eb 10 0a f3        eb 7d ed bd


Table 6.5 shows the progression of State through the AES encryption process. The first column shows the value of State at the start of a round. For the first row, State is just the matrix arrangement of the plaintext. The second, third, and fourth columns show the value of State for that round after the SubBytes, ShiftRows, and MixColumns transformations, respectively. The fifth column shows the round key. You can verify that these round keys equate with those shown in Table 6.4. The first column shows the value of State resulting from the bitwise XOR of State after the preceding MixColumns with the round key for the preceding round.

If a small change in the key or plaintext were to produce a corresponding small change in the ciphertext, this might be used to effectively reduce the size of the plaintext (or key) space to be searched. What is desired is the avalanche effect, in which a small change in plaintext or key produces a large change in the ciphertext.


Table 6.5 AES Example (2 of 2)

Round   Start of Round   After SubBytes   After ShiftRows   After MixColumns   Round Key
6       72 ba cb 04      40 f4 1f f2      40 f4 1f f2       7b 05 42 4a        71 8c 83 cf
        1e 06 d4 fa      72 6f 48 2d      6f 48 2d 72       1e d0 20 40        c7 29 e5 a5
        b2 20 bc 65      37 b7 65 4d      65 4d 37 b7       94 83 18 52        4c 74 ef a9
        00 6d e7 4e      63 3c 94 2f      2f 63 3c 94       94 c4 43 fb        c2 bf 52 ef

7       0a 89 c1 85      67 a7 78 97      67 a7 78 97       ec 1a c0 80        37 bb 38 f7
        d9 f9 c5 e5      35 99 a6 d9      99 a6 d9 35       0c 50 53 c7        14 3d d8 7d
        d8 f7 f7 fb      61 68 68 0f      68 0f 61 68       3b d7 00 ef        93 e7 08 a1
        56 7b 11 14      b1 21 82 fa      fa b1 21 82       b7 22 72 e0        48 f7 a5 4a

8       db a1 f8 77      b9 32 41 f5      b9 32 41 f5       b1 1a 44 17        48 f3 cb 3c
        18 6d 8b ba      ad 3c 3d f4      3c 3d f4 ad       3d 2f ec b6        26 1b c3 be
        a8 30 08 4e      c2 04 30 2f      30 2f c2 04       0a 6b 2f 42        45 a2 aa 0b
        ff d5 d7 aa      16 03 0e ac      ac 16 03 0e       9f 68 f3 b1        20 d7 72 38

9       f9 e9 8f 2b      99 1e 73 f1      99 1e 73 f1       31 30 3a c2        fd 0e c5 f9
        1b 34 2f 08      af 18 15 30      18 15 30 af       ac 71 8c c4        0d 16 d5 6b
        4f c9 85 49      84 dd 97 3b      97 3b 84 dd       46 65 48 eb        42 e0 4a 41
        bf bf 81 89      08 08 0c a7      a7 08 08 0c       6a 1c 31 62        cb 1c 6e 56

10      cc 3e ff 3b      4b b2 16 e2      4b b2 16 e2                          b4 ba 7f 86
        a1 67 59 af      32 85 cb 79      85 cb 79 32                          8e 98 4d 26
        04 85 02 aa      f2 97 77 ac      77 ac f2 97                          f3 13 59 18
        a1 00 5f 34      32 63 cf 18      18 32 63 cf                          52 4e 20 76

Output  ff 08 69 64
        0b 53 34 14
        84 bf ab 8f
        4a 7c 43 b9


Table 6.6 Avalanche Effect in AES: Change in Plaintext (1 of 2)

Round   State (original plaintext)            State (plaintext with bit 8 changed)   Number of Bits that Differ
        0123456789abcdeffedcba9876543210      0023456789abcdeffedcba9876543210       1
0       0e3634aece7225b6f26b174ed92b5588      0f3634aece7225b6f26b174ed92b5588       1
1       657470750fc7ff3fc0e8e8ca4dd02a9c      c4a9ad090fc7ff3fc0e8e8ca4dd02a9c       20
2       5c7bb49a6b72349b05a2317ff46d1294      fe2ae569f7ee8bb8c1f5a2bb37ef53d5       58
3       7115262448dc747e5cdac7227da9bd9c      ec093dfb7c45343d689017507d485e62       59
4       f867aee8b437a5210c24c1974cffeabc      43efdb697244df808e8d9364ee0ae6f5       61
5       721eb200ba06206dcbd4bce704fa654e      7b28a5d5ed643287e006c099bb375302       68


Using the example from Table 6.5, Table 6.6 shows the result when the eighth bit of the plaintext is changed. The second column of the table shows the value of the State matrix at the end of each round for the two plaintexts. Note that after just one round, 20 bits of the State vector differ. After two rounds, close to half the bits differ. This magnitude of difference propagates through the remaining rounds. A bit difference in approximately half the positions is the most desirable outcome. Clearly, if almost all the bits are changed, this would be logically equivalent to almost none of the bits being changed. Put another way, if we select two plaintexts at random, we would expect the two plaintexts to differ in about half of the bit positions and the two ciphertexts to also differ in about half the positions.


Table 6.6 Avalanche Effect in AES: Change in Plaintext (2 of 2)

Round   State (original plaintext)            State (plaintext with bit 8 changed)   Number of Bits that Differ
6       0ad9d85689f9f77bc1c5f71185e5fb14      3bc2d8b6798d8ac4fe36a1d891ac181a       64
7       db18a8ffa16d30d5f88b08d777ba4eaa      9fb8b5452023c70280e5c4bb9e555a4b       67
8       f91b4fbfe934c9bf8f2f85812b084989      20264e1126b219aef7feb3f9b2d6de40       65
9       cca104a13e678500ff59025f3bafaa34      b56a0341b2290ba7dfdfbddcd8578205       61
10      ff0b844a0853bf7c6934ab4364148fb9      612b89398d0600cde116227ce72433f0       58


Table 6.7 Avalanche Effect in AES: Change in Key (1 of 2)

Round   State (original key)                  State (key with bit 8 changed)         Number of Bits that Differ
        0123456789abcdeffedcba9876543210      0123456789abcdeffedcba9876543210       0
0       0e3634aece7225b6f26b174ed92b5588      0f3634aece7225b6f26b174ed92b5588       1
1       657470750fc7ff3fc0e8e8ca4dd02a9c      c5a9ad090ec7ff3fc1e8e8ca4cd02a9c       22
2       5c7bb49a6b72349b05a2317ff46d1294      90905fa9563356d15f3760f3b8259985       58
3       7115262448dc747e5cdac7227da9bd9c      18aeb7aa794b3b66629448d575c7cebf       67
4       f867aee8b437a5210c24c1974cffeabc      f81015f993c978a876ae017cb49e7eec       63
5       721eb200ba06206dcbd4bce704fa654e      5955c91b4e769f3cb4a94768e98d5267       81


Table 6.7 shows the change in State matrix values when the same plaintext is used and the two keys differ in the eighth bit. That is, for the second case, the key is 0e1571c947d9e8590cb7add6af7f6798. Again, one round produces a significant change, and the magnitude of change after all subsequent rounds is roughly half the bits. Thus, based on this example, AES exhibits a very strong avalanche effect.

Note that this avalanche effect is stronger than that for DES (Table 4.2), which requires three rounds to reach a point at which approximately half the bits are changed, both for a bit change in the plaintext and a bit change in the key.
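As an added example (not code from the slides or from Stallings), the following pure-Python AES-128 ties together the ShiftRows and MixColumns transformations, the key expansion of Figure 6.9, and the avalanche measurements of Tables 6.6 and 6.7: run with the Table 6.4 key and the Table 6.5 plaintext it reproduces the round-key words, the per-round State values, the ciphertext, and the bit-difference counts. The S-box is computed from its GF(2^8) definition rather than copied in, and State is held column-major as in Figure 6.4.

```python
# Added example, not from the Stallings slides: a compact AES-128 encryption in
# pure Python that reproduces the worked example of Tables 6.3 to 6.7. The S-box
# is generated from its definition (GF(2^8) inverse, then the affine map).

def xtime(a):
    """Multiply a byte by {02} in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8): shift-and-XOR, one bit of b at a time."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

def build_sbox():
    """S(x) = affine(x^-1); in GF(2^8) x^-1 = x^254, and 0 is mapped to 0."""
    sbox = []
    for x in range(256):
        inv, base, e = 1, x, 254
        while e:
            if e & 1:
                inv = gf_mul(inv, base)
            base, e = gf_mul(base, base), e >> 1
        s = 0x63                                   # affine constant
        for i in range(5):                         # inv ^ rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """State is column-major (byte i at row i % 4, column i // 4, list index
    r + 4*c); row r is rotated left by r bytes (Figure 6.7a)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Multiply each column by the circulant matrix [2 3 1 1] (Figure 6.7b)."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):                         # row r: coefficients rotated by r
            out.append(gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4])
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def add_round_key(s, words):
    """XOR round-key word c into column c of State."""
    return [b ^ words[i // 4][i % 4] for i, b in enumerate(s)]

def g(word, rcon):
    """Key-schedule function g of Figure 6.9: RotWord, SubWord, XOR with Rcon."""
    out = [SBOX[b] for b in word[1:] + word[:1]]
    out[0] ^= rcon
    return out

def expand_key(key):
    """AES-128 key expansion: 16-byte key -> 44 four-byte words (Table 6.4)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01                                    # Rcon(1); doubled per use
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp, rcon = g(temp, rcon), xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], temp)])
    return w

def encrypt_trace(plaintext, key):
    """State after the initial AddRoundKey and after each of the 10 rounds:
    the 11 per-round values tabulated in Tables 6.6 and 6.7."""
    w = expand_key(key)
    s = add_round_key(list(plaintext), w[0:4])
    trace = [bytes(s)]
    for rnd in range(1, 11):
        s = shift_rows(sub_bytes(s))
        if rnd != 10:                              # final round has no MixColumns
            s = mix_columns(s)
        s = add_round_key(s, w[4 * rnd:4 * rnd + 4])
        trace.append(bytes(s))
    return trace

def encrypt_block(plaintext, key):
    return encrypt_trace(plaintext, key)[-1]

def bit_difference(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(pt1, key1, pt2, key2):
    """Bits that differ, round by round, between two encryptions."""
    return [bit_difference(a, b)
            for a, b in zip(encrypt_trace(pt1, key1), encrypt_trace(pt2, key2))]
```

With key 0f1571c947d9e8590cb7add6af7f6798 and plaintext 0123456789abcdeffedcba9876543210, expand_key returns the words of Table 6.4, encrypt_block returns ff0b844a0853bf7c6934ab4364148fb9, and avalanche with the eighth plaintext bit (or key bit) flipped returns the counts of Table 6.6 (or 6.7).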


Table 6.7 Avalanche Effect in AES: Change in Key (2 of 2)

Round   State (original key)                  State (key with bit 8 changed)         Number of Bits that Differ
6       0ad9d85689f9f77bc1c5f71185e5fb14      dc60a24d137662181e45b8d3726b2920       70
7       db18a8ffa16d30d5f88b08d777ba4eaa      fe8343b8f88bef66cab7e977d005a03c       74
8       f91b4fbfe934c9bf8f2f85812b084989      da7dad581d1725c5b72fa0f9d9d1366a       67
9       cca104a13e678500ff59025f3bafaa34      0ccb4c66bbfd912f4b511d72996345e0       59
10      ff0b844a0853bf7c6934ab4364148fb9      fc8923ee501a7d207ab670686839996b       53


AES Implementation

AES decryption cipher is not identical to the encryption cipher

The sequence of transformations differs although the form of the key schedules is the same

Has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption

Two separate changes are needed to bring the decryption structure in line with the encryption structure

The first two stages of the decryption round need to be interchanged

The second two stages of the decryption round need to be interchanged


As was mentioned, the AES decryption cipher is not identical to the encryption cipher (Figure 6.3). That is, the sequence of transformations for decryption differs from that for encryption, although the form of the key schedules for encryption and decryption is the same. This has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption. There is, however, an equivalent version of the decryption algorithm that has the same structure as the encryption algorithm. The equivalent version has the same sequence of transformations as the encryption algorithm (with transformations replaced by their inverses). To achieve this equivalence, a change in key schedule is needed.

Two separate changes are needed to bring the decryption structure in line with the encryption structure. As illustrated in Figure 6.3, an encryption round has the structure SubBytes, ShiftRows, MixColumns, AddRoundKey. The standard decryption round has the structure InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns. Thus, the first two stages of the decryption round need to be interchanged, and the second two stages of the decryption round need to be interchanged.


Interchanging InvShiftRows and InvSubBytes

InvShiftRows affects the sequence of bytes in State but does not alter byte contents and does not depend on byte contents to perform its transformation

InvSubBytes affects the contents of bytes in State but does not alter byte sequence and does not depend on byte sequence to perform its transformation

Thus, these two operations commute and can be interchanged


InvShiftRows affects the sequence of bytes in State but does not alter byte contents and does not depend on byte contents to perform its transformation. InvSubBytes affects the contents of bytes in State but does not alter byte sequence and does not depend on byte sequence to perform its transformation. Thus, these two operations commute and can be interchanged. For a given State Si,


Interchanging AddRoundKey and InvMixColumns

The transformations AddRoundKey and InvMixColumns do not alter the sequence of bytes in State

If we view the key as a sequence of words, then both AddRoundKey and InvMixColumns operate on State one column at a time

These two operations are linear with respect to the column input


The transformations AddRoundKey and InvMixColumns do not alter the sequence of bytes in State. If we view the key as a sequence of words, then both AddRoundKey and InvMixColumns operate on State one column at a time. These two operations are linear with respect to the column input.


Figure 6.10 Equivalent Inverse Cipher


Figure 6.10 illustrates the equivalent decryption algorithm.


Implementation Aspects (1 of 2)

AES can be implemented very efficiently on an 8-bit processor

AddRoundKey is a bytewise XOR operation

ShiftRows is a simple byte-shifting operation

SubBytes operates at the byte level and only requires a table of 256 bytes

MixColumns requires matrix multiplication in the field GF(2^8), which means that all operations are carried out on bytes


The Rijndael proposal [DAEM99] provides some suggestions for efficient implementation on 8-bit processors, typical for current smart cards, and on 32-bit processors, typical for PCs.

AES can be implemented very efficiently on an 8-bit processor. AddRoundKey is a bytewise XOR operation. ShiftRows is a simple byte-shifting operation. SubBytes operates at the byte level and only requires a table of 256 bytes.

The transformation MixColumns requires matrix multiplication in the field GF(2^8), which means that all operations are carried out on bytes. MixColumns only requires multiplication by {02} and {03}, which, as we have seen, involve simple shifts, conditional XORs, and XORs. This can be implemented in a more efficient way that eliminates the shifts and conditional XORs.


Implementation Aspects (2 of 2)

Can efficiently implement on a 32-bit processor

Redefine steps to use 32-bit words

Can precompute 4 tables of 256-words

Then each column in each round can be computed using 4 table lookups + 4 XORs

At a cost of 4 KB to store the tables

Designers believe this very efficient implementation was a key factor in its selection as the AES cipher


The implementation described in the preceding subsection uses only 8-bit operations. For a 32-bit processor, a more efficient implementation can be achieved if operations are defined on 32-bit words. To show this, we first define the four transformations of a round in algebraic form.

The developers of Rijndael believe that this compact, efficient implementation was probably one of the most important factors in the selection of Rijndael for AES.


Summary

Present an overview of the general structure of Advanced Encryption Standard (AES)

Understand the four transformations used in AES

Explain the AES key expansion algorithm

Understand the use of polynomials with coefficients in GF(2^8)


Chapter 6 summary.


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 5

Finite Fields

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.


Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 5 – “Finite Fields”.

Finite fields have become increasingly important in cryptography. A number of cryptographic algorithms rely heavily on properties of finite fields, notably the Advanced Encryption Standard (AES) and elliptic curve cryptography. Other examples include the message authentication code CMAC and the authenticated encryption scheme GCM.

This chapter provides the reader with sufficient background on the concepts of finite fields to be able to understand the design of AES and other cryptographic algorithms that use finite fields. Because students unfamiliar with abstract algebra may find the concepts behind finite fields somewhat difficult to grasp, we approach the topic in a way designed to enhance understanding. Our plan of attack is as follows:

1. Fields are a subset of a larger class of algebraic structures called rings, which are in turn a subset of the larger class of groups. In fact, as shown in Figure 5.1, both groups and rings can be further differentiated. Groups are defined by a simple set of properties and are easily understood. Each successive subset (abelian group, ring, commutative ring, and so on) adds additional properties and is thus more complex. Sections 5.1 through 5.3 will examine groups, rings, and fields, successively.

2. Finite fields are a subset of fields, consisting of those fields with a finite number of elements. These are the class of fields that are found in cryptographic algorithms. With the concepts of fields in hand, we turn in Section 5.4 to a specific class of finite fields, namely those with p elements, where p is prime. Certain asymmetric cryptographic algorithms make use of such fields.

3. A more important class of finite fields, for cryptography, comprises those with 2^n elements, depicted as fields of the form GF(2^n). These are used in a wide variety of cryptographic algorithms. However, before discussing these fields, we need to analyze the topic of polynomial arithmetic, which is done in Section 5.5.

4. With all of this preliminary work done, we are able at last, in Section 5.6, to discuss finite fields of the form GF(2^n).

Before proceeding, the reader may wish to review Sections 2.1 through 2.3, which cover relevant topics in number theory.


Learning Objectives

Distinguish among groups, rings, and fields.

Define finite fields of the form GF(p).

Explain the differences among ordinary polynomial arithmetic, polynomial arithmetic with coefficients in Z_p, and modular polynomial arithmetic in GF(2^n).

Define finite fields of the form GF(2^n).

Explain the two different uses of the mod operator.


Figure 5.1 Groups, Rings, and Fields


Groups, rings, and fields are the fundamental elements of a branch of mathematics known as abstract algebra, or modern algebra. In abstract algebra, we are concerned with sets on whose elements we can operate algebraically; that is, we can combine two elements of the set, perhaps in several ways, to obtain a third element of the set. These operations are subject to specific rules, which define the nature of the set. By convention, the notation for the two principal classes of operations on set elements is usually the same as the notation for addition and multiplication on ordinary numbers. However, it is important to note that, in abstract algebra, we are not limited to ordinary arithmetical operations. All this should become clear as we proceed.


Groups

A group G is a set of elements with a binary operation denoted by • that associates to each ordered pair (a, b) of elements in G an element (a • b) in G, such that the following axioms are obeyed:

(A1) Closure:

If a and b belong to G, then a • b is also in G

(A2) Associative:

a • (b • c) = (a • b) • c for all a, b, c in G

(A3) Identity element:

There is an element e in G such that a • e = e • a = a for all a in G

(A4) Inverse element:

For each a in G, there is an element a^(-1) in G such that a • a^(-1) = a^(-1) • a = e

A group is abelian if it also satisfies the additional condition:

(A5) Commutative:

a • b = b • a for all a, b in G


A group G, sometimes denoted by {G, *}, is a set of elements with a binary operation denoted by * that associates to each ordered pair (a, b) of elements in G an element (a * b) in G, such that axioms A1 through A4 (closure, associativity, identity element, inverse element) are obeyed. If a group has a finite number of elements, it is referred to as a finite group, and the order of the group is equal to the number of elements in the group. Otherwise, the group is an infinite group.

A group is said to be abelian if it satisfies the following additional condition:

(A5) Commutative: a * b = b * a for all a, b in G.


Cyclic Group

Exponentiation is defined within a group as a repeated application of the group operator, so that a^3 = a • a • a

We define a^0 = e as the identity element, and a^(-n) = (a')^n, where a' is the inverse element of a within the group

A group G is cyclic if every element of G is a power a^k (k is an integer) of a fixed element a ∈ G

The element a is said to generate the group G or to be a generator of G

A cyclic group is always abelian and may be finite or infinite


Rings (1 of 3)

A ring R, sometimes denoted by {R, +, *}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in R the following axioms are obeyed:

(A1–A5)

R is an abelian group with respect to addition; that is, R satisfies axioms A1 through A5. For the case of an additive group, we denote the identity element as 0 and the inverse of a as −a

(M1) Closure under multiplication:

If a and b belong to R, then ab is also in R

(M2) Associativity of multiplication:

a(bc) = (ab)c for all a, b, c in R


Rings (2 of 3)

(M3) Distributive laws:

a(b + c) = ab + ac for all a, b, c in R

(a + b)c = ac + bc for all a, b, c in R

In essence, a ring is a set in which we can do addition, subtraction [a − b = a + (−b)], and multiplication without leaving the set


Rings (3 of 3)

A ring is said to be commutative if it satisfies the following additional condition:

(M4) Commutativity of multiplication:

ab = ba for all a, b in R

An integral domain is a commutative ring that obeys the following axioms:

(M5) Multiplicative identity:

There is an element 1 in R such that a1 = 1a = a for all a in R

(M6) No zero divisors:

If a, b in R and ab = 0, then either a = 0 or b = 0


Fields

A field F, sometimes denoted by {F, +, *}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed:

(A1–M6)

F is an integral domain; that is, F satisfies axioms A1 through A5 and M1 through M6

(M7) Multiplicative inverse:

For each a in F, except 0, there is an element a^(-1) in F such that a a^(-1) = (a^(-1)) a = 1

In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set. Division is defined with the following rule: a/b = a (b^(-1))

Familiar examples of fields are the rational numbers, the real numbers, and the complex numbers. Note that the set of all integers is not a field, because not every element of the set has a multiplicative inverse.

In fact, only the elements 1 and −1 have multiplicative inverses in the integers.

Figure 5.2 Properties of Groups, Rings, and Fields


Figure 5.2 summarizes the axioms that define groups, rings, and fields.


Figure 5.3 Types of Fields


In Section 5.3, we defined a field as a set that obeys all of the axioms of Figure 5.2 and gave some examples of infinite fields. Infinite fields are not of particular interest in the context of cryptography. However, in addition to infinite fields, there are two types of finite fields, as illustrated in Figure 5.3. Finite fields play a crucial role in many cryptographic algorithms.


Finite Fields of the Form GF(p)

Finite fields play a crucial role in many cryptographic algorithms

It can be shown that the order of a finite field must be a power of a prime, p^n, where n is a positive integer

The finite field of order p^n is generally written GF(p^n)

GF stands for Galois field, in honor of the mathematician who first studied finite fields


It can be shown that the order of a finite field (number of elements in the field) must be a power of a prime, p^n, where n is a positive integer. The finite field of order p^n is generally written GF(p^n); GF stands for Galois field, in honor of the mathematician who first studied finite fields. Two special cases are of interest for our purposes. For n = 1, we have the finite field GF(p); this finite field has a different structure than that for finite fields with n > 1 and is studied in this section.


Table 5.1 Arithmetic Modulo 8 and Modulo 7

(a) Addition modulo 8

(b) Multiplication modulo 8

(c) Additive and multiplicative inverses modulo 8

(d) Addition modulo 7

(e) Multiplication modulo 7

(f) Additive and multiplicative inverses modulo 7

In this section, we have shown how to construct a finite field of order p, where p is prime

GF(p) is defined with the following properties:

1. GF(p) consists of p elements

2. The binary operations + and * are defined over the set. The operations of addition, subtraction, multiplication, and division can be performed without leaving the set. Each element of the set other than 0 has a multiplicative inverse

We have shown that the elements of GF(p) are the integers {0, 1, . . . , p – 1} and that the arithmetic operations are addition and multiplication mod p
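An added Python example (my code, not from the Stallings slides) that reproduces the inverse columns of Table 5.1 (c) and (f) and checks the field axioms directly: every nonzero element of Z_7 has a multiplicative inverse, while Z_8 has elements with no inverse and nonzero pairs whose product is 0, violating (M6). Function names are my own.

```python
"""Z_n = {0, 1, ..., n-1} with addition and multiplication mod n is always a
commutative ring with identity, but it is a field, GF(p), only when n is prime.
Added example, not from the slides: it reproduces the additive and
multiplicative inverse columns of Table 5.1 (c) and (f) for n = 8 and n = 7."""
from typing import List, Optional, Tuple


def ext_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid on integers: returns (d, x, y) with d = gcd(a, b) = a*x + b*y."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mul_inverse(a: int, n: int) -> Optional[int]:
    """Multiplicative inverse of a in Z_n, or None when gcd(a, n) != 1."""
    d, x, _ = ext_gcd(a % n, n)
    return x % n if d == 1 else None


def inverse_table(n: int) -> List[Tuple[int, int, Optional[int]]]:
    """Rows (w, -w mod n, w^-1 mod n) for every w in Z_n, as in Table 5.1 (c)/(f)."""
    return [(w, (-w) % n, mul_inverse(w, n)) for w in range(n)]


def zero_divisors(n: int) -> List[Tuple[int, int]]:
    """Unordered pairs of nonzero elements with a*b = 0 mod n: violations of (M6)."""
    return [(a, b) for a in range(1, n) for b in range(a, n) if (a * b) % n == 0]


def is_field(n: int) -> bool:
    """Z_n is a field iff every nonzero element has a multiplicative inverse (M7)."""
    return n > 1 and all(mul_inverse(w, n) is not None for w in range(1, n))


def print_table(n: int) -> None:
    """Print the Table 5.1 style inverse columns for Z_n ('-' = no inverse)."""
    print(f"Z_{n}:   w   -w   w^-1")
    for w, neg, inv in inverse_table(n):
        inv_s = "-" if inv is None else str(inv)
        print(f"      {w:3d}  {neg:3d}  {inv_s:>4}")


if __name__ == "__main__":
    print_table(8)   # 2, 4 and 6 have no inverse (and 0 never does): not a field
    print_table(7)   # every nonzero element has an inverse: GF(7)
    print("zero divisors mod 8:", zero_divisors(8))   # [(2, 4), (4, 4), (4, 6)]
    print("Z_8 is a field:", is_field(8), " Z_7 is a field:", is_field(7))
```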


Figure 5.4 Treatment of Polynomials


Before continuing our discussion of finite fields, we need to introduce the interesting subject of polynomial arithmetic. We are concerned with polynomials in a single variable x, and we can distinguish three classes of polynomial arithmetic (Figure 5.4):

• Ordinary polynomial arithmetic, using the basic rules of algebra.

• Polynomial arithmetic in which the arithmetic on the coefficients is performed modulo p; that is, the coefficients are in GF(p).

• Polynomial arithmetic in which the coefficients are in GF(p), and the polynomials are defined modulo a polynomial m(x) whose highest power is some integer n.


Figure 5.5 Examples of Polynomial Arithmetic


Polynomial Arithmetic With Coefficients in Z_p

If each distinct polynomial is considered to be an element of the set, then that set is a ring

When polynomial arithmetic is performed on polynomials over a field, then division is possible

Note: this does not mean that exact division is possible

If we attempt to perform polynomial division over a coefficient set that is not a field, we find that division is not always defined

Even if the coefficient set is a field, polynomial division is not necessarily exact

With the understanding that remainders are allowed, we can say that polynomial division is possible if the coefficient set is a field


Let us now consider polynomials in which the coefficients are elements of some field F; we refer to this as a polynomial over the field F. In that case, it is easy to show that the set of such polynomials is a ring, referred to as a polynomial ring. That is, if we consider each distinct polynomial to be an element of the set, then that set is a ring.

When polynomial arithmetic is performed on polynomials over a field, then division is possible. Note that this does not mean that exact division is possible. Let us clarify this distinction. Within a field, given two elements a and b, the quotient a/b is also an element of the field. However, given a ring R that is not a field, in general, division will result in both a quotient and a remainder; this is not exact division.

Now, if we attempt to perform polynomial division over a coefficient set that is not a field, we find that division is not always defined.

However, as we demonstrate presently, even if the coefficient set is a field, polynomial division is not necessarily exact. In general, division will produce a quotient and a remainder.

With the understanding that remainders are allowed, we can say that polynomial division is possible if the coefficient set is a field.


Polynomial Division

We can write any polynomial in the form:

f(x) = q(x) g(x) + r(x)

r(x) can be interpreted as being a remainder

So r(x) = f(x) mod g(x)

If there is no remainder we can say g(x) divides f(x)

Written as g(x) | f(x)

We can say that g(x) is a factor of f(x)

Or g(x) is a divisor of f(x)

A polynomial f(x) over a field F is called irreducible if and only if f(x) cannot be expressed as a product of two polynomials, both over F, and both of degree lower than that of f(x)

An irreducible polynomial is also called a prime polynomial


Note that we can write any polynomial in the form f(x) = q(x) g(x) + r(x), where division of f(x) by g(x) results in a quotient q(x) and a remainder r(x). We can then extend the concept of divisors from the integer case, and show that the Euclidean algorithm can be extended to find the greatest common divisor of two polynomials whose coefficients are elements of a field.

We define an irreducible (or prime) polynomial as one with no divisors other than itself and 1. If we perform polynomial arithmetic modulo an irreducible polynomial, the result is a finite field, and the GCD and inverse algorithms can be adapted to it.


Figure 5.6 Example of Polynomial Arithmetic Over GF(2)

(a) Addition

(b) Subtraction

(c) Multiplication

(d) Division

Figure 5.6 shows an example of polynomial arithmetic over GF(2).

Polynomial GCD

The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x) if the following are true:

c(x) divides both a(x) and b(x)

Any divisor of a(x) and b(x) is a divisor of c(x)

An equivalent definition is:

gcd[a(x), b(x)] is the polynomial of maximum degree that divides both a(x) and b(x)

The Euclidean algorithm can be extended to find the greatest common divisor of two polynomials whose coefficients are elements of a field


We can extend the analogy between polynomial arithmetic over a field and integer arithmetic by defining the greatest common divisor as follows. The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x) if the following are true.

1. c(x) divides both a(x) and b(x).

2. Any divisor of a(x) and b(x) is a divisor of c(x).

An equivalent definition is the following: gcd[a(x), b(x)] is the polynomial of maximum degree that divides both a(x) and b(x).

We can adapt the Euclidean algorithm to compute the greatest common divisor of two polynomials.


Table 5.2 Arithmetic in GF(2^3)

(a) Addition

(b) Multiplication

(c) Additive and multiplicative inverses

Table 5.3 Polynomial Arithmetic Modulo (x^3 + x + 1)

(a) Addition

(b) Multiplication

The example shows addition and multiplication in GF(2^3).

Table 5.4 Extended Euclid [(x^8 + x^4 + x^3 + x + 1), (x^7 + x + 1)]

(Table 5.4 can be found on page 138 in the textbook)

Initialization: a(x) = x^8 + x^4 + x^3 + x + 1; v_-1(x) = 1; w_-1(x) = 0

b(x) = x^7 + x + 1; v_0(x) = 0; w_0(x) = 1

Iteration 1: q_1(x) = x; r_1(x) = x^4 + x^3 + x^2 + 1; v_1(x) = 1; w_1(x) = x

Iteration 2: q_2(x) = x^3 + x^2 + 1; r_2(x) = x; v_2(x) = x^3 + x^2 + 1; w_2(x) = x^4 + x^3 + x + 1

Iteration 3: q_3(x) = x^3 + x^2 + x; r_3(x) = 1; v_3(x) = x^6 + x^2 + x + 1; w_3(x) = x^7

Iteration 4: q_4(x) = x; r_4(x) = 0; v_4(x) = x^7 + x + 1; w_4(x) = x^8 + x^4 + x^3 + x + 1

Result: d(x) = r_3(x) = gcd(a(x), b(x)) = 1

w(x) = w_3(x) = (x^7 + x + 1)^(-1) mod (x^8 + x^4 + x^3 + x + 1) = x^7

Computational Considerations

Since coefficients are 0 or 1, any such polynomial can be represented as a bit string

Addition becomes XOR of these bit strings

Multiplication is shift and XOR (cf. long-hand multiplication)

Modulo reduction is done by repeatedly substituting the highest power with the remainder of the irreducible polynomial (also shift and XOR)


A key motivation for using polynomial arithmetic in GF(2^n) is that the polynomials can be represented as n-bit strings, using all possible bit values, and the calculations use only simple, common machine instructions: addition is just XOR, and multiplication is shifts and XORs. See the text for additional discussion. The shortcut for polynomial reduction comes from the observation that in GF(2^n) the irreducible polynomial g(x) has highest term x^n, so x^n mod g(x) = g(x) − x^n, that is, g(x) with its leading term removed.


Using a Generator

A generator g of a finite field F of order q (contains q elements) is an element whose first q − 1 powers generate all the nonzero elements of F

The elements of F consist of 0, g^0, g^1, . . . , g^(q−2)

Consider a field F defined by a polynomial f(x)

An element b contained in F is called a root of the polynomial if f(b) = 0

Finally, it can be shown that a root g of an irreducible polynomial is a generator of the finite field defined on that polynomial

An equivalent technique for defining a finite field of the form GF(2^n), using the same irreducible polynomial, is sometimes more convenient. To begin, we need the two definitions given above: a generator of a finite field, and a root of a polynomial.

Table 5.5 Generator for GF(2^3) using x^3 + x + 1

Power Representation | Polynomial Representation | Binary Representation | Decimal (Hex) Representation

0 | 0 | 000 | 0

g^0 (= g^7) | 1 | 001 | 1

g^1 | g | 010 | 2

g^2 | g^2 | 100 | 4

g^3 | g + 1 | 011 | 3

g^4 | g^2 + g | 110 | 6

g^5 | g^2 + g + 1 | 111 | 7

g^6 | g^2 + 1 | 101 | 5
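The bit-string arithmetic described under Computational Considerations, the polynomial extended Euclid of Table 5.4, and the generator powers of Table 5.5, as an added Python example (my code, not from the Stallings text): a polynomial over GF(2) is an int whose bit i holds the coefficient of x^i, so addition is XOR, multiplication is shift-and-XOR, and reduction is long division. Function and constant names are my own; the last check goes slightly beyond the tables and confirms that the reducible x^3 + 1 does not define a field.

```python
"""GF(2^n) arithmetic on bit strings (added example, not from the Stallings text).
A polynomial over GF(2) is an int whose bit i is the coefficient of x^i:
addition is XOR, multiplication is shift-and-XOR, and reduction modulo the
irreducible polynomial is long division.  Function and constant names are mine."""
from typing import List, Tuple

AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1, the GF(2^8) modulus used by AES
GF8_POLY = 0b1011   # x^3 + x + 1, the GF(2^3) modulus of Tables 5.2 to 5.6


def poly_deg(a: int) -> int:
    """Degree of polynomial a (-1 for the zero polynomial)."""
    return a.bit_length() - 1


def poly_add(a: int, b: int) -> int:
    """Addition, which over GF(2) is also subtraction: coefficient-wise XOR."""
    return a ^ b


def poly_mul(a: int, b: int) -> int:
    """Unreduced product of two GF(2) polynomials: long-hand shift-and-XOR."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a: int, b: int) -> Tuple[int, int]:
    """Long division of a by b over GF(2): returns (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, db = 0, a, poly_deg(b)
    while r and poly_deg(r) >= db:
        shift = poly_deg(r) - db
        q ^= 1 << shift      # next quotient term x^shift
        r ^= b << shift      # cancel the leading term of r with b * x^shift
    return q, r


def poly_mulmod(a: int, b: int, m: int) -> int:
    """Multiplication in GF(2)[x] mod m, i.e. in GF(2^n) when m is irreducible."""
    return poly_divmod(poly_mul(a, b), m)[1]


def poly_ext_euclid(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid laid out as in Table 5.4.  Returns (d, v, w) with
    d = gcd(a, b) and v*a + w*b = d; v_-1 = 1, w_-1 = 0, v_0 = 0, w_0 = 1."""
    v_prev, w_prev, r_prev = 1, 0, a
    v, w, r = 0, 1, b
    while r:
        q, rem = poly_divmod(r_prev, r)
        # v_i = v_(i-2) - q_i * v_(i-1); over GF(2) the subtraction is XOR
        v_prev, v = v, v_prev ^ poly_mul(q, v)
        w_prev, w = w, w_prev ^ poly_mul(q, w)
        r_prev, r = r, rem
    return r_prev, v_prev, w_prev


def poly_inverse(b: int, m: int) -> int:
    """b^-1 mod m: from gcd(m, b) = 1 = v*m + w*b it follows that w*b = 1 mod m."""
    d, _, w = poly_ext_euclid(m, b)
    if d != 1:
        raise ValueError("gcd(m, b) != 1: b has no inverse modulo m")
    return poly_divmod(w, m)[1]


def generator_table(g: int, m: int) -> List[int]:
    """Powers g^0 .. g^(q-2), q = 2^deg(m), of g in GF(2)[x] mod m (Table 5.5)."""
    powers, x = [], 1
    for _ in range((1 << poly_deg(m)) - 1):
        powers.append(x)
        x = poly_mulmod(x, g, m)
    return powers


def is_field_modulus(m: int) -> bool:
    """GF(2)[x] mod m is a field iff every nonzero residue has an inverse (M7),
    which holds exactly when m is irreducible."""
    try:
        for a in range(1, 1 << poly_deg(m)):
            poly_inverse(a, m)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Table 5.4: (x^7 + x + 1)^-1 mod (x^8 + x^4 + x^3 + x + 1) = x^7 = 0x80
    print(hex(poly_inverse(0x83, AES_POLY)))
    # Table 5.5: successive powers of the root g = x of x^3 + x + 1
    print(generator_table(0b10, GF8_POLY))            # [1, 2, 4, 3, 6, 7, 5]
    # x^3 + x + 1 is irreducible; x^3 + 1 = (x + 1)(x^2 + x + 1) is not
    print(is_field_modulus(GF8_POLY), is_field_modulus(0b1001))
```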

Table 5.6 GF(2^3) Arithmetic Using Generator for the Polynomial (x^3 + x + 1)

(a) Addition

(b) Multiplication

Summary

Distinguish among groups, rings, and fields

Define finite fields of the form GF(p)

Define finite fields of the form GF(2^n)

Explain the differences among ordinary polynomial arithmetic, polynomial arithmetic with coefficients in Z_p, and modular polynomial arithmetic in GF(2^n)

Explain the two different uses of the mod operator


Chapter 5 summary.


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 7

Block Cipher Operation


Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 7 – “Block Cipher Operation”.

This chapter continues our discussion of symmetric ciphers. We begin with the topic of multiple encryption, looking in particular at the most widely used multiple-encryption scheme: triple DES.

The chapter next turns to the subject of block cipher modes of operation. We find that there are a number of different ways to apply a block cipher to plaintext, each with its own advantages and particular applications.


Learning Objectives

Analyze the security of multiple encryption schemes.

Explain the meet-in-the-middle attack.

Compare and contrast ECB, CBC, CFB, OFB, and counter modes of operation.

Present an overview of the XTS-AES mode of operation.


Figure 7.1 Multiple Encryption (1 of 2)


Because of its vulnerability to brute-force attack, DES, once the most widely used symmetric cipher, has been largely replaced by stronger encryption schemes. Two approaches have been taken. One approach is to design a completely new algorithm that is resistant to both cryptanalytic and brute-force attacks, of which AES is a prime example. Another alternative, which preserves the existing investment in software and equipment, is to use multiple encryption with DES and multiple keys. We begin by examining the simplest example of this second alternative. We then look at the widely accepted triple DES (3DES) algorithm.

The simplest form of multiple encryption has two encryption stages and two keys (Figure 7.1a). Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as

C = E(K2, E(K1, P))

Decryption requires that the keys be applied in reverse order:

P = D(K1, D(K2, C))

For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits, and should result in a dramatic increase in cryptographic strength. But we need to examine the algorithm more closely.

It is reasonable to assume that if DES is used twice with different keys, it will produce one of the many mappings that are not defined by a single application of DES. Although there was much supporting evidence for this assumption, it was not until 1992 that the assumption was proven [CAMP92].


Meet-in-the-Middle Attack

The use of double DES results in a mapping that is not equivalent to a single DES encryption

The meet-in-the-middle attack algorithm will attack this scheme and does not depend on any particular property of DES but will work against any block encryption cipher


Thus, the use of double DES results in a mapping that is not equivalent to a single DES encryption. But there is a way to attack this scheme, one that does not depend on any particular property of DES but that will work against any block encryption cipher. The algorithm, known as a meet-in-the-middle attack, was first described in [DIFF77].


Figure 7.1 Multiple Encryption (2 of 2)


An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys. Using DES as the underlying algorithm, this approach is commonly referred to as 3DES, or Triple Data Encryption Algorithm (TDEA). As shown in Figure 7.1b, there are two versions of 3DES: one using two keys and one using three keys. NIST SP 800-67 (Recommendation for the Triple Data Encryption Block Cipher, January 2012) defines the two-key and three-key versions. We look first at the strength of the two-key version and then examine the three-key version.

Two-key triple encryption was first proposed by Tuchman [TUCH79]. The function follows an encrypt-decrypt-encrypt (EDE) sequence (Figure 7.1b). There is no cryptographic significance to the use of decryption for the second stage. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES. 3DES with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANSI X9.17 and ISO 8732.

The first serious proposal came from Merkle and Hellman [MERK81]. Their plan involves finding plaintext values that produce a first intermediate value of A = 0 (Figure 7.1b) and then using the meet-in-the-middle attack to determine the two keys. The level of effort is 2^56, but the technique requires 2^56 chosen plaintext–ciphertext pairs, which is a number unlikely to be provided by the holder of the keys.

A known-plaintext attack is outlined in [VANO90]. This method is an improvement over the chosen-plaintext approach but requires more effort. The attack is based on the observation that if we know A and C (Figure 7.1b), then the problem reduces to that of an attack on double DES. Of course, the attacker does not know A, even if P and C are known, as long as the two keys are unknown. However, the attacker can choose a potential value of A and then try to find a known (P, C) pair that produces A.


Figure 7.2 Known-Plaintext Attack on Triple DES


The attack proceeds as follows.

1. Obtain n (P, C) pairs. This is the known plaintext. Place these in a table (Table 1) sorted on the values of P (Figure 7.2b).

2. Pick an arbitrary value a for A, and create a second table (Figure 7.2c) with entries defined in the following fashion. For each of the 2^56 possible keys K1 = i, calculate the plaintext value P_i such that

P_i = D(i, a)

For each P_i that matches an entry in Table 1, create an entry in Table 2 consisting of the K1 value and the value of B that is produced for the (P, C) pair from Table 1, assuming that value of K1:

B = D(i, C)

At the end of this step, sort Table 2 on the values of B.

3. We now have a number of candidate values of K1 in Table 2 and are in a position to search for a value of K2. For each of the 2^56 possible keys K2 = j, calculate the second intermediate value for our chosen value of a:

B_j = D(j, a)

At each step, look up B_j in Table 2. If there is a match, then the corresponding key i from Table 2 plus this value of j are candidate values for the unknown keys (K1, K2). Why? Because we have found a pair of keys (i, j) that produce a known (P, C) pair (Figure 7.2a).

4. Test each candidate pair of keys (i, j) on a few other plaintext–ciphertext pairs. If a pair of keys produces the desired ciphertext, the task is complete. If no pair succeeds, repeat from step 2 with a new value of a (Table 1 from step 1 is reused).

For a given known (P, C), the probability of selecting the unique value of a that leads to success is 1/2^64. Thus, given n (P, C) pairs, the probability of success for a single selected value of a is n/2^64.
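The four steps above carried out end to end, as an added example that is not from the book: a Python implementation of the [VANO90] known-plaintext attack against two-key triple encryption. The block cipher underneath is a toy 16-bit, 4-round Feistel cipher with a 10-bit key (an assumption made so that the 2^56-entry tables shrink to 2^10 entries and the whole search runs in seconds); E, D, the key schedule, the secret keys and the 1024 known (P, C) pairs are all constructed here and are not DES. The attack keeps the structure of the text (Table 1 keyed on P, Table 2 keyed on B, the scan over K2, the confirmation step), with one shortcut: D(k, a) is computed once per key and serves both as P_i in step 2 and as B_j in step 3.

```python
import random

KEY_BITS = 10                 # assumption: toy key space of 2^10 keys instead of DES's 2^56
KEYS = 1 << KEY_BITS


def _f(r: int, rk: int) -> int:
    # Feistel round function on an 8-bit half: key mix, byte-wide affine map, rotate left by 3
    t = ((r ^ rk) * 0x3B + 0x1D) & 0xFF
    return ((t << 3) | (t >> 5)) & 0xFF


def _round_keys(key: int) -> list:
    # injective schedule: four 8-bit round keys from the 10-bit key (no two keys collide)
    return [((key >> (2 * i)) ^ (0x5A * (i + 1))) & 0xFF for i in range(4)]


def E(key: int, p: int) -> int:
    # toy 16-bit, 4-round Feistel block cipher (constructed stand-in for DES)
    l, r = p >> 8, p & 0xFF
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (l << 8) | r


def D(key: int, c: int) -> int:
    l, r = c >> 8, c & 0xFF
    for rk in reversed(_round_keys(key)):
        l, r = r ^ _f(l, rk), l
    return (l << 8) | r


def triple_encrypt(k1: int, k2: int, p: int) -> int:
    # two-key triple encryption: C = E(K1, D(K2, E(K1, P))); A = E(K1, P), B = D(K2, A)
    return E(k1, D(k2, E(k1, p)))


def known_plaintext_attack(pairs):
    table1 = dict(pairs)                           # step 1: known (P, C), indexed by P
    for a in range(1 << 16):                       # guess the first intermediate value A = a
        dec = [D(k, a) for k in range(KEYS)]       # D(k, a): P_i for step 2, B_j for step 3
        table2 = {}                                # step 2: B -> candidate K1 values i
        for i, p_i in enumerate(dec):
            if p_i in table1:
                table2.setdefault(D(i, table1[p_i]), []).append(i)   # B = D(i, C)
        if not table2:
            continue
        for j, b_j in enumerate(dec):              # step 3: look up B_j = D(j, a) in Table 2
            for i in table2.get(b_j, ()):
                if all(triple_encrypt(i, j, p) == c for p, c in pairs):   # step 4: confirm
                    return i, j
    return None


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)                      # constructed secret keys and known plaintexts
    k1, k2 = rng.randrange(KEYS), rng.randrange(KEYS)
    pairs = [(p, triple_encrypt(k1, k2, p)) for p in rng.sample(range(1 << 16), 1024)]
    return {"secret": (k1, k2), "recovered": known_plaintext_attack(pairs)}
```

With a 16-bit block and n = 1024 known pairs, the success probability for one guessed a is n/2^16, so on average about 64 values of a are tried before one equals E(K1, P) for some known P; each try costs 2^10 decryptions plus a handful of candidate checks. Scaling the same loop to 2^56 keys and a 64-bit block gives exactly the 2^56 work per a and n/2^64 success probability stated above, which is why the attack is a concern in principle but not a practical threat.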


Triple DES with Three Keys

Many researchers now feel that three-key 3DES is the preferred alternative

Three-key 3DES has an effective key length of 168 bits and is defined as:

C = E(K3, D(K2, E(K1, P)))

Backward compatibility with DES is provided by putting:

K3 = K2 or K1 = K2

A number of Internet-based applications have adopted three-key 3DES including PGP and S/MIME

Although the attacks just described appear impractical, anyone using two-key 3DES

may feel some concern. Thus, many researchers now feel that three-key 3DES is

the preferred alternative (e.g., [KALI96a]). Three-key 3DES has an effective key

length of 168 bits and is defined as

C = E( K3, D( K2, E( K1, P)))

Backward compatibility with DES is provided by putting

K3 = K2 or K1 = K2

A number of Internet-based applications have adopted three-key 3DES, including

PGP and S/MIME, both discussed in Chapter 21.


Modes of Operation

A technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application

To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST

The five modes are intended to cover a wide variety of applications of encryption for which a block cipher could be used

These modes are intended for use with any symmetric block cipher, including triple DES and AES

A block cipher takes a fixed-length block of text of length b bits and a key as input

and produces a b -bit block of ciphertext. If the amount of plaintext to be encrypted

is greater than b bits, then the block cipher can still be used by breaking the plaintext

up into b -bit blocks. When multiple blocks of plaintext are encrypted using the

same key, a number of security issues arise. To apply a block cipher in a variety of

applications, five modes of operation have been defined by NIST (SP 800-38A).

In essence, a mode of operation is a technique for enhancing the effect of a cryptographic

algorithm or adapting the algorithm for an application, such as applying

a block cipher to a sequence of data blocks or a data stream. The five modes are

intended to cover a wide variety of applications of encryption for which a block

cipher could be used. These modes are intended for use with any symmetric block

cipher, including triple DES and AES.


Table 7.1 Block Cipher Modes of Operation

Electronic Codebook (ECB)
Description: Each block of plaintext bits is encoded independently using the same key.
Typical application: Secure transmission of single values (e.g., an encryption key)

Cipher Block Chaining (CBC)
Description: The input to the encryption algorithm is the XOR of the next block of plaintext and the preceding block of ciphertext.
Typical application: General-purpose block-oriented transmission; authentication

Cipher Feedback (CFB)
Description: Input is processed s bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of ciphertext.
Typical application: General-purpose stream-oriented transmission; authentication

Output Feedback (OFB)
Description: Similar to CFB, except that the input to the encryption algorithm is the preceding encryption output, and full blocks are used.
Typical application: Stream-oriented transmission over a noisy channel (e.g., satellite communication)

Counter (CTR)
Description: Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
Typical application: General-purpose block-oriented transmission; useful for high-speed requirements

The modes are summarized in Table 7.1 and described in this and the following sections.


Figure 7.3 Electronic Codebook (ECB) Mode


The simplest mode is the electronic codebook (ECB ) mode, in which plaintext

is handled one block at a time and each block of plaintext is encrypted using the

same key (Figure 7.3). The term codebook is used because, for a given key, there is

a unique ciphertext for every b -bit block of plaintext. Therefore, we can imagine a

gigantic codebook in which there is an entry for every possible b -bit plaintext pattern

showing its corresponding ciphertext.

For a message longer than b bits, the procedure is simply to break the message

into b -bit blocks, padding the last block if necessary. Decryption is performed one

block at a time, always using the same key. In Figure 7.3, the plaintext (padded as

necessary) consists of a sequence of b -bit blocks, P1 , P2 , . . . , PN ; the corresponding

sequence of ciphertext blocks is C1 , C2 , . . . , CN . We can define ECB mode as

follows.

ECB: C_j = E(K, P_j), j = 1, ..., N; P_j = D(K, C_j), j = 1, ..., N

The ECB mode should be used only to secure messages shorter than a single block of the underlying cipher (i.e., 64 bits for 3DES and 128 bits for AES), such as to encrypt a secret key. Because in most cases messages are longer than one block, this mode has minimal practical value.

The most significant characteristic of ECB is that if the same b -bit block of

plaintext appears more than once in the message, it always produces the same

ciphertext.

For lengthy messages, the ECB mode may not be secure. If the message is

highly structured, it may be possible for a cryptanalyst to exploit these regularities.

For example, if it is known that the message always starts out with certain

predefined fields, then the cryptanalyst may have a number of known plaintext–

ciphertext pairs to work with. If the message has repetitive elements with a

period of repetition a multiple of b bits, then these elements can be identified by the

analyst. This may help in the analysis or may provide an opportunity for substituting

or rearranging blocks.


Criteria and properties for evaluating and constructing block cipher modes of operation that are superior to ECB:

Overhead

Error recovery

Error propagation

Diffusion

Security


We now turn to more complex modes of operation. [KNUD00] lists the following

criteria and properties for evaluating and constructing block cipher modes of

operation that are superior to ECB:

• Overhead: The additional operations for the encryption and decryption

operation when compared to encrypting and decrypting in the ECB mode.

• Error recovery: The property that an error in the ith ciphertext block is inherited by only a few plaintext blocks after which the mode resynchronizes.

• Error propagation: The property that an error in the ith ciphertext block is inherited by the ith and all subsequent plaintext blocks. What is meant here is a bit error that occurs in the transmission of a ciphertext block, not a computational error in the encryption of a plaintext block.

• Diffusion: How the plaintext statistics are reflected in the ciphertext. Low

entropy plaintext blocks should not be reflected in the ciphertext blocks.

Roughly, low entropy equates to predictability or lack of randomness (see

Appendix B).

• Security: Whether or not the ciphertext blocks leak information about the

plaintext blocks.


Figure 7.4 Cipher Block Chaining (CBC) Mode


To overcome the security deficiencies of ECB, we would like a technique in which

the same plaintext block, if repeated, produces different ciphertext blocks. A

simple way to satisfy this requirement is the cipher block chaining (CBC ) mode

(Figure 7.4). In this scheme, the input to the encryption algorithm is the XOR of the

current plaintext block and the preceding ciphertext block; the same key is used for

each block. In effect, we have chained together the processing of the sequence of

plaintext blocks. The input to the encryption function for each plaintext block bears

no fixed relationship to the plaintext block. Therefore, repeating patterns of b bits

are not exposed. As with the ECB mode, the CBC mode requires that the last block

be padded to a full b bits if it is a partial block.

For decryption, each cipher block is passed through the decryption algorithm.

The result is XORed with the preceding ciphertext block to produce the plaintext

block.

To produce the first block of ciphertext, an initialization vector (IV) is XORed

with the first block of plaintext. On decryption, the IV is XORed with the output

of the decryption algorithm to recover the first block of plaintext. The IV is a data

block that is the same size as the cipher block.

The IV must be known to both the sender and receiver but be unpredictable

by a third party. In particular, for any given plaintext, it must not be possible to

predict the IV that will be associated to the plaintext in advance of the generation

of the IV. For maximum security, the IV should be protected against unauthorized

changes. This could be done by sending the IV using ECB encryption. One reason

for protecting the IV is as follows: If an opponent is able to fool the receiver into

using a different value for IV, then the opponent is able to invert selected bits in the

first block of plaintext.

So long as it is unpredictable, the specific choice of IV is unimportant.

SP800-38A recommends two possible methods: The first method is to apply the

encryption function, under the same key that is used for the encryption of the plaintext,

to a nonce . The nonce must be a data block that is unique to each execution of

the encryption operation. For example, the nonce may be a counter, a timestamp, or

a message number. The second method is to generate a random data block using a

random number generator.

In conclusion, because of the chaining mechanism of CBC, it is an appropriate

mode for encrypting messages of length greater than b bits.

In addition to its use to achieve confidentiality, the CBC mode can be used for

authentication. This use is described in Chapter 12.


Cipher Feedback Mode

For AES, DES, or any block cipher, encryption is performed on a block of b bits

In the case of DES b = 64

In the case of AES b = 128

There are three modes that make it possible to convert a block cipher into a stream cipher:

Cipher feedback (CFB) mode

Output feedback (OFB) mode

Counter (CTR) mode

For AES, DES, or any block cipher, encryption is performed on a block of b bits. In

the case of DES, b = 64 and in the case of AES, b = 128. However, it is possible

to convert a block cipher into a stream cipher, using one of the three modes to be

discussed in this and the next two sections: cipher feedback (CFB) mode, output

feedback (OFB) mode, and counter (CTR) mode. A stream cipher eliminates the

need to pad a message to be an integral number of blocks. It also can operate in

real time. Thus, if a character stream is being transmitted, each character can be

encrypted and transmitted immediately using a character-oriented stream cipher.

One desirable property of a stream cipher is that the ciphertext be of the same

length as the plaintext. Thus, if 8-bit characters are being transmitted, each character

should be encrypted to produce a ciphertext output of 8 bits. If more than 8 bits

are produced, transmission capacity is wasted.


Figure 7.5 s-bit Cipher Feedback (CFB) Mode (1 of 2)


Figure 7.5 depicts the CFB scheme. In the figure, it is assumed that the unit of

transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext

are chained together, so that the ciphertext of any plaintext unit is a function of all

the preceding plaintext. In this case, rather than blocks of b bits, the plaintext is

divided into segments of s bits.

First, consider encryption. The input to the encryption function is a b -bit shift

register that is initially set to some initialization vector (IV). The leftmost (most

significant) s bits of the output of the encryption function are XORed with the

first segment of plaintext P1 to produce the first unit of ciphertext C1 , which is then

transmitted. In addition, the contents of the shift register are shifted left by s bits,

and C1 is placed in the rightmost (least significant) s bits of the shift register. This

process continues until all plaintext units have been encrypted.

For decryption, the same scheme is used, except that the received ciphertext

unit is XORed with the output of the encryption function to produce the plaintext

unit. Note that it is the encryption function that is used, not the decryption function.

Although CFB can be viewed as a stream cipher, it does not conform to the

typical construction of a stream cipher. In a typical stream cipher, the cipher takes

as input some initial value and a key and generates a stream of bits, which is then

XORed with the plaintext bits (see Figure 4.1). In the case of CFB, the stream of

bits that is XORed with the plaintext also depends on the plaintext.

In CFB encryption, like CBC encryption, the input block to each forward

Cipher function (except the first) depends on the result of the previous forward

Cipher function; therefore, multiple forward cipher operations cannot be performed

in parallel. In CFB decryption, the required forward cipher operations can be performed

in parallel if the input blocks are first constructed (in series) from the IV and

the ciphertext.


Figure 7.5 s-bit Cipher Feedback (CFB) Mode (2 of 2)



Figure 7.6 Output Feedback (OFB) Mode (1 of 2)


The output feedback (OFB) mode is similar in structure to that of CFB. For OFB,

the output of the encryption function is fed back to become the input for encrypting

the next block of plaintext (Figure 7.6). In CFB, the output of the XOR unit is fed

back to become input for encrypting the next block. The other difference is that the

OFB mode operates on full blocks of plaintext and ciphertext, whereas CFB operates

on an s -bit subset.

As with CBC and CFB, the OFB mode requires an initialization vector. In

the case of OFB, the IV must be a nonce; that is, the IV must be unique to each

execution of the encryption operation. The reason for this is that the sequence of

encryption output blocks, Oi , depends only on the key and the IV and does not depend

on the plaintext. Therefore, for a given key and IV, the stream of output bits

used to XOR with the stream of plaintext bits is fixed. If two different messages had

an identical block of plaintext in the identical position, then an attacker would be

able to determine that portion of the Oi stream.

One advantage of the OFB method is that bit errors in transmission do not

propagate. For example, if a bit error occurs in C1 , only the recovered value of P1 is

affected; subsequent plaintext units are not corrupted. With CFB, C1 also serves as

input to the shift register and therefore causes additional corruption downstream.

The disadvantage of OFB is that it is more vulnerable to a message stream

modification attack than is CFB. Consider that complementing a bit in the ciphertext

complements the corresponding bit in the recovered plaintext. Thus, controlled

changes to the recovered plaintext can be made. This may make it possible for an

opponent, by making the necessary changes to the checksum portion of the message

as well as to the data portion, to alter the ciphertext in such a way that it is not detected

by an error-correcting code. For a further discussion, see [VOYD83].

OFB has the structure of a typical stream cipher, because the cipher generates

a stream of bits as a function of an initial value and a key, and that stream of

bits is XORed with the plaintext bits (see Figure 4.1). The generated stream that is

XORed with the plaintext is itself independent of the plaintext; this is highlighted

by dashed boxes in Figure 7.6. One distinction from the stream ciphers we discuss

in Chapter 8 is that OFB encrypts plaintext a full block at a time, where typically a

block is 64 or 128 bits. Many stream ciphers encrypt one byte at a time.


Figure 7.6 Output Feedback (OFB) Mode (2 of 2)



Figure 7.7 Counter (CTR) Mode (1 of 2)


Although interest in the counter (CTR) mode has increased recently with applications to ATM (asynchronous transfer mode) network security and IPsec (IP security), this mode was proposed in 1979 (e.g., [DIFF79]).

Figure 7.7 depicts the CTR mode. A counter equal to the plaintext block size is used. The only requirement stated in SP 800-38A is that the counter value must be different for each plaintext block that is encrypted. Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo 2^b, where b is the block size). For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; there is no chaining. For decryption, the same sequence of counter values is used, with each encrypted counter XORed with a ciphertext block to recover the corresponding plaintext block. Thus, the initial counter value must be made available for decryption.

As with the OFB mode, the initial counter value must be a nonce; that is, T_1 must be different for all of the messages encrypted using the same key. Further, all T_i values across all messages must be unique. If, contrary to this requirement, a counter value is used multiple times, then the confidentiality of all of the plaintext blocks corresponding to that counter value may be compromised. In particular, if any plaintext block that is encrypted using a given counter value is known, then the output of the encryption function can be determined easily from the associated ciphertext block. This output allows any other plaintext blocks that are encrypted using the same counter value to be easily recovered from their associated ciphertext blocks.

One way to ensure the uniqueness of counter values is to continue to increment the counter value by 1 across messages. That is, the first counter value of each message is one more than the last counter value of the preceding message.


Figure 7.7 Counter (CTR) Mode (2 of 2)



Advantages of CTR

Hardware efficiency

Software efficiency

Preprocessing

Random access

Provable security

Simplicity


[LIPM00] lists the following advantages of CTR mode.

• Hardware efficiency: Unlike the three chaining modes, encryption (or decryption)

in CTR mode can be done in parallel on multiple blocks of plaintext or

ciphertext. For the chaining modes, the algorithm must complete the computation

on one block before beginning on the next block. This limits the maximum

throughput of the algorithm to the reciprocal of the time for one execution of

block encryption or decryption. In CTR mode, the throughput is only limited

by the amount of parallelism that is achieved.

• Software efficiency: Similarly, because of the opportunities for parallel execution

in CTR mode, processors that support parallel features, such as aggressive

pipelining, multiple instruction dispatch per clock cycle, a large number of

registers, and SIMD instructions, can be effectively utilized.

• Preprocessing: The execution of the underlying encryption algorithm does

not depend on input of the plaintext or ciphertext. Therefore, if sufficient

memory is available and security is maintained, preprocessing can be used to

prepare the output of the encryption boxes that feed into the XOR functions,

as in Figure 7.7. When the plaintext or ciphertext input is presented, then

the only computation is a series of XORs. Such a strategy greatly enhances

throughput.

• Random access: The ith block of plaintext or ciphertext can be processed in random-access fashion. With the chaining modes, block C_i cannot be computed until the i - 1 prior blocks are computed. There may be applications in which a ciphertext is stored and it is desired to decrypt just one block; for such applications, the random access feature is attractive.

• Provable security: It can be shown that CTR is at least as secure as the other

modes discussed in this chapter.

• Simplicity: Unlike ECB and CBC modes, CTR mode requires only the implementation

of the encryption algorithm and not the decryption algorithm.

This matters most when the decryption algorithm differs substantially from

the encryption algorithm, as it does for AES. In addition, the decryption key

scheduling need not be implemented.
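The five modes as defined in the ECB, CBC, CFB, OFB and CTR passages above, as an added example that is not from the book or from SP 800-38A. The block cipher underneath is a stand-in: a 4-round Feistel network on 16-byte blocks with SHA-256 as the round function (an assumption so the example runs without a crypto library; it is not AES and must not be used as one). The mode functions only call block_encrypt/block_decrypt, so any real cipher with the same (key, 16-byte block) interface can be dropped in. Keys, IV, nonce and messages are constructed sample values. demo() exercises the properties the text describes: repeated plaintext blocks under ECB yield repeated ciphertext blocks while CBC hides them; a tampered CBC IV inverts the corresponding bits of the first plaintext block only; reusing a CTR nonce makes C1 XOR C2 = P1 XOR P2, so a known P1 exposes P2; and CTR decrypts a single block in isolation.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES

# stand-in block cipher (assumption: toy 4-round Feistel with SHA-256 rounds, NOT AES)
def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(r, key, rnd))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(l, key, rnd)), l
    return l + r

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(data: bytes) -> bytes:       # PKCS#7: ECB and CBC need whole blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def ecb_encrypt(key, pt):            # C_j = E(K, P_j)
    return b"".join(block_encrypt(key, p) for p in blocks(pad(pt)))

def ecb_decrypt(key, ct):            # P_j = D(K, C_j)
    return unpad(b"".join(block_decrypt(key, c) for c in blocks(ct)))

def cbc_encrypt(key, iv, pt):        # C_j = E(K, P_j XOR C_{j-1}), with C_0 = IV
    out, prev = [], iv
    for p in blocks(pad(pt)):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):        # P_j = D(K, C_j) XOR C_{j-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))

def cfb8_crypt(key, iv, data, decrypt=False):
    # s = 8: the shift register starts as the IV; the leftmost byte of E(K, register) is the
    # keystream byte and the ciphertext byte is shifted in from the right. Only E is used.
    reg, out = iv, bytearray()
    for x in data:
        y = block_encrypt(key, reg)[0] ^ x
        out.append(y)
        reg = reg[1:] + bytes([x if decrypt else y])
    return bytes(out)

def ofb_crypt(key, iv, data):
    # O_i = E(K, O_{i-1}), O_0 = IV: the keystream never depends on the data, so no padding
    out, o = bytearray(), iv
    for chunk in blocks(data):
        o = block_encrypt(key, o)
        out += xor(chunk, o)
    return bytes(out)

def ctr_crypt(key, nonce, data, first_block=0):
    # T_i = nonce (12 bytes) || 32-bit block index; no chaining, so first_block=i processes
    # block i on its own (random access)
    out = bytearray()
    for i, chunk in enumerate(blocks(data), first_block):
        out += xor(chunk, block_encrypt(key, nonce + i.to_bytes(4, "big")))
    return bytes(out)

def demo() -> dict:
    key = bytes(range(16))                     # constructed sample key, IV and nonce
    iv = bytes.fromhex("00112233445566778899aabbccddeeff")
    nonce = bytes(12)
    msg = b"SAME BLOCK TWICE" * 2 + b"then something else"
    ecb, cbc = ecb_encrypt(key, msg), cbc_encrypt(key, iv, msg)
    # 1. ECB leaks repetition: ciphertext blocks 1 and 2 are identical; under CBC they differ
    ecb_leak = blocks(ecb)[0] == blocks(ecb)[1]
    cbc_leak = blocks(cbc)[0] == blocks(cbc)[1]
    # 2. CBC IV tampering: flipping bit 0x20 of IV byte 0 flips the same bit of P_1 only
    tampered = cbc_decrypt(key, xor(iv, b"\x20" + bytes(15)), cbc)
    # 3. CTR (or OFB) keystream reuse: C1 XOR C2 = P1 XOR P2, so a known P1 exposes P2
    p1, p2 = b"PAY 0100 TO ACCT 4242", b"PAY 9999 TO ACCT 1337"
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    recovered_p2 = xor(xor(c1, c2), p1)
    # 4. CTR random access: decrypt only the second block of the ciphertext
    ct = ctr_crypt(key, nonce, msg)
    second = ctr_crypt(key, nonce, blocks(ct)[1], first_block=1)
    return {"ecb_leak": ecb_leak, "cbc_leak": cbc_leak, "tampered": tampered,
            "recovered_p2": recovered_p2, "ctr_block2": second}
```

Two design points worth noticing: the CFB, OFB and CTR functions never call block_decrypt, which is the "Simplicity" advantage listed above, and none of the five modes detects the IV tampering or the ciphertext bit flips the text warns about, which is why in practice a mode like these is paired with a MAC (Chapter 12) or replaced by an authenticated mode.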


Figure 7.8 Feedback Characteristic of Modes of Operation (1 of 4)


Note that, with the exception of ECB, all of the NIST-approved block cipher modes of operation involve feedback. This is clearly seen in Figure 7.8. To highlight the feedback mechanism, it is useful to think of the encryption function as taking input from an input register whose length equals the encryption block length and with output stored in an output register. The input register is updated one block at a time by the feedback mechanism. After each update, the encryption algorithm is executed, producing a result in the output register. Meanwhile, a block of plaintext is accessed. Note that both OFB and CTR produce output that is independent of both the plaintext and the ciphertext. Thus, they are natural candidates for stream ciphers that encrypt plaintext by XOR one full block at a time.


Figure 7.8 Feedback Characteristic of Modes of Operation (2 of 4)



Figure 7.8 Feedback Characteristic of Modes of Operation (3 of 4)



Figure 7.8 Feedback Characteristic of Modes of Operation (4 of 4)


24

XTS-AES Mode for Block-Oriented Storage Devices

Approved as an additional block cipher mode of operation by NIST in 2010

Mode is also an IEEE Standard, IEEE Std 1619-2007

Standard describes a method of encryption for data stored in sector-based devices where the threat model includes possible access to stored data by the adversary

Has received widespread industry support


In 2010, NIST approved an additional block cipher mode of operation, XTS-AES. This mode is also an IEEE standard, IEEE Std 1619-2007, which was developed by the IEEE Security in Storage Working Group (P1619). The standard describes a method of encryption for data stored in sector-based devices where the threat model includes possible access to stored data by the adversary. The standard has received widespread industry support.


Tweakable Block Ciphers

XTS-AES mode is based on the concept of a tweakable block cipher

General structure:

Has three inputs:

A plaintext P

A symmetric key K

A tweak T

Produces a ciphertext output C

Tweak need not be kept secret

Purpose is to provide variability


The XTS-AES mode is based on the concept of a tweakable block cipher, introduced in [LISK02]. The form of this concept used in XTS-AES was first described in [ROGA04]. Before examining XTS-AES, let us consider the general structure of a tweakable block cipher. A tweakable block cipher is one that has three inputs: a plaintext P, a symmetric key K, and a tweak T; and produces a ciphertext output C. We can write this as C = E(K, T, P). The tweak need not be kept secret. Whereas the purpose of the key is to provide security, the purpose of the tweak is to provide variability. That is, the use of different tweaks with the same plaintext and same key produces different outputs.


Figure 7.9 Tweakable Block Cipher

The basic structure of several tweakable block ciphers that have been implemented is shown in Figure 7.9.


Storage Encryption Requirements

The requirements for encrypting stored data, also referred to as “data at rest”, differ somewhat from those for transmitted data

The P1619 standard was designed to have the following characteristics:

The ciphertext is freely available for an attacker

The data layout is not changed on the storage medium and in transit

Data are accessed in fixed-size blocks, independently from each other

Encryption is performed in 16-byte blocks, independently from each other

There are no other metadata used, except the location of the data blocks within the whole data set

The same plaintext is encrypted to different ciphertexts at different locations, but always to the same ciphertext when written to the same location again

A standard conformant device can be constructed for decryption of data encrypted by another standard conformant device


The requirements for encrypting stored data, also referred to as “data at rest”, differ somewhat from those for transmitted data. The P1619 standard was designed to have the following characteristics:

1. The ciphertext is freely available for an attacker. Among the circumstances that lead to this situation:

a. A group of users has authorized access to a database. Some of the records in the database are encrypted so that only specific users can successfully read/write them. Other users can retrieve an encrypted record but are unable to read it without the key.

b. An unauthorized user manages to gain access to encrypted records.

c. A data disk or laptop is stolen, giving the adversary access to the encrypted data.

2. The data layout is not changed on the storage medium and in transit. The encrypted data must be the same size as the plaintext data.

3. Data are accessed in fixed-size blocks, independently from each other. That is, an authorized user may access one or more blocks in any order.

4. Encryption is performed in 16-byte blocks, independently from other blocks (except the last two plaintext blocks of a sector, if its size is not a multiple of 16 bytes).

5. There are no other metadata used, except the location of the data blocks within the whole data set.

6. The same plaintext is encrypted to different ciphertexts at different locations, but always to the same ciphertext when written to the same location again.

7. A standard conformant device can be constructed for decryption of data encrypted by another standard conformant device.

The P1619 group considered some of the existing modes of operation for use with stored data. For CTR mode, an adversary with write access to the encrypted media can flip any bit of the plaintext simply by flipping the corresponding ciphertext bit.

Next, consider requirement 6 and the use of CBC. To enforce the requirement that the same plaintext encrypts to different ciphertext in different locations, the IV could be derived from the sector number. Each sector contains multiple blocks. An adversary with read/write access to the encrypted disk can copy a ciphertext sector from one position to another, and an application reading the sector off the new location will still get the same plaintext sector (except perhaps the first 128 bits). For example, this means that an adversary that is allowed to read a sector from the second position but not the first can find the content of the sector in the first position by manipulating the ciphertext. Another weakness is that an adversary can flip any bit of the plaintext by flipping the corresponding ciphertext bit of the previous block, with the side-effect of “randomizing” the previous block.


XTS-AES Operation on Single Block

Figure 7.10 XTS-AES Operation on Single Block

Figure 7.10 shows the encryption and decryption of a single block. The operation involves two instances of the AES algorithm with two keys.


Figure 7.11 XTS-AES Mode


The plaintext of a sector or data unit is organized into blocks of 128 bits. Blocks are labeled P0, P1, . . . , Pm. The last block may be null or may contain from 1 to 127 bits. In other words, the input to the XTS-AES algorithm consists of m 128-bit blocks and possibly a final partial block.

As can be seen, XTS-AES mode, like CTR mode, is suitable for parallel operation. Because there is no chaining, multiple blocks can be encrypted or decrypted simultaneously. Unlike CTR mode, XTS-AES mode includes a nonce (the parameter i) as well as a counter (parameter j).

For encryption and decryption, each block is treated independently and encrypted/decrypted as shown in Figure 7.10. The only exception occurs when the last block has less than 128 bits. In that case, the last two blocks are encrypted/decrypted using a ciphertext-stealing technique instead of padding. Figure 7.11 shows the scheme.


Format-Preserving Encryption (FPE)

Refers to any encryption technique that takes a plaintext in a given format and produces a ciphertext in the same format

For example: credit cards consist of 16 decimal digits. An FPE that can accept this type of input would produce a ciphertext output of 16 decimal digits. (Note that the ciphertext need not be, and in fact is unlikely to be, a valid credit card number.) But it will have the same format and can be stored in the same way as credit card number plaintext.


Format-preserving encryption (FPE) refers to any encryption technique that takes a plaintext in a given format and produces a ciphertext in the same format. For example, credit cards consist of 16 decimal digits. An FPE that can accept this type of input would produce a ciphertext output of 16 decimal digits. Note that the ciphertext need not be, and in fact is unlikely to be, a valid credit card number. But it will have the same format and can be stored in the same way as credit card number plaintext.


Table 7.2 Comparison of Format-Preserving Encryption and AES

               Credit Card                         Tax ID                              Bank Account Number
Plaintext      8123 4512 3456 6780                 219-09-9999                         800N2982K-22
FPE            8123 4521 7292 6780                 078-05-1120                         709G9242H-35
AES (hex)      af411326466add24c86abd8aa525db7a    7b9af4f3f218ab2507c7376869313afa    9720ec7f793096ffd37141242e1c51bd


A simple encryption algorithm is not format preserving, with the exception that it preserves the format of binary strings. For example, Table 7.2 shows three types of plaintext for which it might be desired to perform FPE. The third row shows examples of what might be generated by an FPE algorithm. The fourth row shows (in hexadecimal) what is produced by AES with a given key.


Motivation (1 of 2)

FPE facilitates the retrofitting of encryption technology to legacy applications, where a conventional encryption mode might not be feasible because it would disrupt data fields/pathways

FPE has emerged as a useful cryptographic tool, whose applications include financial-information security, data sanitization, and transparent encryption of fields in legacy databases


FPE facilitates the retrofitting of encryption technology to legacy applications, where a conventional encryption mode might not be feasible because it would disrupt data fields/pathways. FPE has emerged as a useful cryptographic tool, whose applications include financial-information security, data sanitization, and transparent encryption of fields in legacy databases.

The principal benefit of FPE is that it enables protection of particular data elements in a legacy database that did not provide encryption of those data elements, while still enabling workflows that were in place before FPE was in use. With FPE, as opposed to ordinary AES encryption or TDEA encryption, no database schema changes and minimal application changes are required. Only applications that need to see the plaintext of a data element need to be modified, and generally these modifications will be minimal.

Some examples of legacy applications where FPE is desirable:

■ COBOL data-processing applications: Any changes in the structure of a record
Typical code sizes involve hundreds of modules, each containing around 5,000–10,000 lines on average.

■ Database applications: Fields that are specified to take only character strings cannot be used to store conventionally encrypted binary ciphertext. Base64 encoding of such binary ciphertext is not always feasible without an increase in data lengths, requiring augmentation of corresponding field lengths.

■ FPE-encrypted characters can be significantly compressed for efficient transmission. This cannot be said about AES-encrypted binary ciphertext.


Motivation (2 of 2)

The principal benefit of FPE is that it enables protection of particular data elements, while still enabling workflows that were in place before FPE was in use

No database schema changes and minimal application changes are required

Only applications that need to see the plaintext of a data element need to be modified and generally these modifications will be minimal

Some examples of legacy applications where FPE is desirable are:

COBOL data-processing applications

Database applications

FPE-encrypted characters can be significantly compressed for efficient transmission


Difficulties in Designing an FPE

A general-purpose standardized FPE should meet a number of requirements:

The ciphertext is of the same length and format as the plaintext

It should be adaptable to work with a variety of character and number types

It should work with variable plaintext length

Security strength should be comparable to that achieved with AES

Security should be strong even for very small plaintext lengths


A general-purpose standardized FPE should meet a number of requirements:

1. The ciphertext is of the same length and format as the plaintext.

2. It should be adaptable to work with a variety of character and number types. Examples include decimal digits, lowercase alphabetic characters, and the full character set of a standard keyboard or international keyboard.

3. It should work with variable plaintext lengths.

4. Security strength should be comparable to that achieved with AES.

5. Security should be strong even for very small plaintext lengths.

Meeting the first requirement is not at all straightforward. As illustrated in Table 7.2, a straightforward encryption with AES yields a 128-bit binary block that does not resemble the required format. Also, a standard symmetric block cipher is not easily adaptable to produce an FPE.


Figure 7.12 Feistel Structure for Format-Preserving Encryption


Figure 7.12 shows the Feistel structure used in all of the NIST algorithms, with encryption shown on the left-hand side and decryption on the right-hand side. The structure in Figure 7.12 is the same as that shown in Figure 4.3 but, to simplify the presentation, it is untwisted, not illustrating the swap that occurs at the end of each round.

The process of decryption is essentially the same as the encryption process. The differences are: (1) the addition function is replaced by a subtraction function that is its inverse; and (2) the order of the round indices is reversed.

To demonstrate that the decryption produces the correct result, Figure 7.12b shows the encryption process going down the left-hand side and the decryption process going up the right-hand side. The diagram indicates that, at every round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process.


Character Strings

The NIST algorithms, and the other FPE algorithms that have been proposed, are used with plaintext consisting of a string of elements, called characters

A finite set of two or more symbols is called an alphabet

The elements of an alphabet are called characters

A character string is a finite sequence of characters from an alphabet

Individual characters may repeat in the string

The number of different characters in an alphabet is called the base (also referred to as the radix) of the alphabet


The NIST algorithms, and the other FPE algorithms that have been proposed, are used with plaintext consisting of a string of elements, called characters. Specifically, a finite set of two or more symbols is called an alphabet, and the elements of an alphabet are called characters. A character string is a finite sequence of characters from an alphabet. Individual characters may repeat in the string. The number of different characters in an alphabet is called the base, also referred to as the radix of the alphabet.


Table 7.3 Notation and Parameters Used in FPE Algorithms. (a) Notation

[x]^s  Converts an integer into a byte string; it is the string of s bytes that encodes the number x, with 0 ≤ x < 2^(8s). The equivalent notation is STR^s_(2^8)(x).
LEN(X)  Length of the character string X.
NUM_radix(X)  Converts strings to numbers. The number that the numeral string X represents in base radix, with the most significant character first. In other words, it is the nonnegative integer less than radix^LEN(X) whose most-significant-character-first representation in base radix is X.
PRF_K(X)  A pseudorandom function that produces a 128-bit output with X as the input, using encryption key K.
STR^m_radix(x)  Given a nonnegative integer x less than radix^m, this function produces a representation of x as a string of m characters in base radix, with the most significant character first.
[i .. j]  The set of integers between two integers i and j, including i and j.
X[i .. j]  The substring of characters of a string X from X[i] to X[j], including X[i] and X[j].
REV(X)  Given a bit string, X, the string that consists of the bits of X in reverse order.

The NIST document defines notation for specifying these conversions (Table 7.3a).
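The Feistel structure of Figure 7.12 together with the NUM_radix and STR^m_radix conversions of Table 7.3, as an added Go example (not code from the slides or from NIST): encryption adds the round-function output modulo radix^m and decryption subtracts it with the round order reversed, so a 16-digit credit card number comes back as 16 digits. The AES-based round function, the requirement of an even round count and the ASCII-only alphabet are assumptions of this illustration; FF1's own PRF (Figure 7.13) and tweak handling are not reproduced.

```go
package main

import (
	"crypto/aes"
	"fmt"
	"math/big"
	"strings"
)

// numRadix is NUM_radix(X) of Table 7.3: the integer that numeral string x
// represents in the given (ASCII) alphabet, most significant character first.
func numRadix(alphabet, x string) *big.Int {
	radix, n := big.NewInt(int64(len(alphabet))), new(big.Int)
	for i := 0; i < len(x); i++ {
		n.Mul(n, radix)
		n.Add(n, big.NewInt(int64(strings.IndexByte(alphabet, x[i]))))
	}
	return n
}

// strRadix is STR^m_radix(x): x written as exactly m characters of the alphabet.
func strRadix(alphabet string, m int, x *big.Int) string {
	radix, out := big.NewInt(int64(len(alphabet))), make([]byte, m)
	v, d := new(big.Int).Set(x), new(big.Int)
	for i := m - 1; i >= 0; i-- {
		v.DivMod(v, radix, d)
		out[i] = alphabet[d.Int64()]
	}
	return string(out)
}

// feistelFPE is the untwisted Feistel structure of Figure 7.12 over a numeral
// string: encryption adds the round output mod radix^len(half), decryption
// subtracts it with the round indices reversed. Output keeps x's length and alphabet.
func feistelFPE(key []byte, alphabet, x string, rounds int, enc bool) (string, error) {
	blk, err := aes.NewCipher(key)
	radix := big.NewInt(int64(len(alphabet)))
	longer := big.NewInt(int64((len(x) + 1) / 2)) // length of the longer half
	if err != nil || len(x) < 2 || rounds%2 != 0 || strings.Trim(x, alphabet) != "" ||
		new(big.Int).Exp(radix, longer, nil).BitLen() > 120 {
		return "", fmt.Errorf("bad key, input outside alphabet or too long, or odd round count")
	}
	// F_K(i, S): AES over a block holding the round index and NUM(S), read back as
	// an integer. Illustrative stand-in for FF1's CBC-MAC based PRF (Figure 7.13).
	f := func(i int, s string) *big.Int {
		var in [16]byte
		in[0] = byte(i)
		numRadix(alphabet, s).FillBytes(in[1:])
		blk.Encrypt(in[:], in[:])
		return new(big.Int).SetBytes(in[:])
	}
	a, b := x[:len(x)/2], x[len(x)/2:]
	for r := 0; r < rounds; r++ {
		if enc { // C = STR(NUM(A) + F(i, B)); then A <- B, B <- C
			mod := new(big.Int).Exp(radix, big.NewInt(int64(len(a))), nil)
			c := new(big.Int).Add(numRadix(alphabet, a), f(r, b))
			a, b = b, strRadix(alphabet, len(a), c.Mod(c, mod))
		} else { // inverse round: A <- STR(NUM(B) - F(i, A)), B <- A, rounds reversed
			mod := new(big.Int).Exp(radix, big.NewInt(int64(len(b))), nil)
			c := new(big.Int).Sub(numRadix(alphabet, b), f(rounds-1-r, a))
			a, b = strRadix(alphabet, len(b), c.Mod(c, mod)), a
		}
	}
	return a + b, nil
}

func main() { // constructed demo key and the Table 7.2 credit card plaintext
	fmt.Println(feistelFPE([]byte("constructed-key!"), "0123456789", "8123451234566780", 10, true))
}
```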
Table 7.3 Notation and Parameters Used in FPE Algorithms. (b) Parameters

radix  The base, or number of characters, in a given plaintext alphabet.
tweak  Input parameter to the encryption and decryption functions whose confidentiality is not protected by the mode.
tweakradix  The base for tweak strings.
minlen  Minimum message length, in characters.
maxlen  Maximum message length, in characters.
maxTlen  Maximum tweak length.
Figure 7.13 Algorithm PRF(X)

Algorithm FF1 was submitted to NIST as a proposed FPE mode [BELL10a, BELL10b] with the name FFX[Radix]. FF1 uses a pseudorandom function PRF_K(X) that produces a 128-bit output from an input X whose length is a multiple of 128 bits and an encryption key K (Figure 7.13).
Figure 7.14 Algorithm FF1 (FFX[Radix])

The FF1 encryption algorithm is illustrated in Figure 7.14. The shaded lines correspond to the function F_K.
Figure 7.15 Algorithm FF2 (VAES3)

Algorithm FF2 was submitted to NIST as a proposed FPE mode with the name VAES3 [VANC11]. The encryption algorithm is defined in Figure 7.15. The shaded lines correspond to the function F_K.
Figure 7.16 Algorithm FF3 (BPS-BC)

Algorithm FF3 was submitted to NIST as a proposed FPE mode with the name BPS-BC [BRIE10]. The encryption algorithm is illustrated in Figure 7.16. The shaded lines correspond to the function F_K.
Summary

Analyze the security of multiple encryption schemes

Explain the meet-in-the-middle attack

Compare and contrast ECB, CBC, CFB, OFB, and counter modes of operation

Present an overview of the XTS-AES mode of operation

Chapter 7 summary.
Copyright
This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.