Posted: October 27th, 2022

Practical Connection essay.

  Subject: CRYPTOGRAPHY. 

Provide a reflection of at least 500 words (**2 pages double spaced PROPER APA FORMAT**) on how the knowledge, skills, or theories of this course have been applied, or could be applied, in a practical manner to your current work environment. If you are not currently working, describe situations in which you have observed, or could observe, these theories and this knowledge being applied in an employment opportunity in your field of study.


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 1

Information and Network Security Concepts

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings. Chapter 1, “Information and Network Security Concepts”.
This book focuses on two broad areas: cryptography and network security. This overview chapter first looks at some of the fundamental principles of security, encompassing both information security and network security. These include the concepts of security attacks, security services, and security mechanisms. Next, the chapter introduces the two areas of cryptography and network security. Finally, the concepts of trust and trustworthiness are examined.

Learning Objectives
Describe the key security requirements of confidentiality, integrity, and availability.
Discuss the types of security threats and attacks that must be dealt with and give examples of the types of threats and attacks that apply to different categories of computer and network assets.
Provide an overview of keyless, single-key, and two-key cryptographic algorithms.
Provide an overview of the main areas of network security.
Describe a trust model for information security.
List and briefly describe key organizations involved in cryptography standards.

Cybersecurity (1 of 3)
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyberspace environment and organization and users’ assets. Organization and users’ assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyberspace environment.

It would be useful to start this chapter with a definition of the terms cybersecurity, information security, and network security. A reasonably comprehensive definition of cybersecurity is found in ITU-T (International Telecommunication Union Telecommunication Standardization Sector) Recommendation X.1205 (Overview of Cybersecurity, 2014).
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyberspace environment and organization and users’ assets. Organization and users’ assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyberspace environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and users’ assets against relevant security risks in the cyberspace environment. The general security objectives comprise the following: availability; integrity, which may include data authenticity and nonrepudiation; and confidentiality.

Cybersecurity (2 of 3)
Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and users’ assets against relevant security risks in the cyberspace environment. The general security objectives comprise the following: availability; integrity, which may include data authenticity and nonrepudiation; and confidentiality


Cybersecurity (3 of 3)
Information Security
This term refers to preservation of confidentiality, integrity, and availability of information. In addition, other properties, such as authenticity, accountability, nonrepudiation, and reliability can also be involved
Network Security
This term refers to protection of networks and their service from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects

As subsets of cybersecurity, we can define the following:
◆ Information security: This term refers to preservation of confidentiality, integrity, and availability of information. In addition, other properties, such as authenticity, accountability, nonrepudiation, and reliability can also be involved.
◆ Network security: This term refers to protection of networks and their service from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects.
Cybersecurity encompasses information security, with respect to electronic information, and network security. Information security also is concerned with physical (e.g., paper-based) information. However, in practice, the terms cybersecurity and information security are often used interchangeably.

Security Objectives (1 of 2)
The cybersecurity definition introduces three key objectives that are at the heart of information and network security:
Confidentiality: This term covers two related concepts:
Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals
Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed


Security Objectives (2 of 2)
Integrity: This term covers two related concepts:
Data integrity: Assures that data (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner. This concept also encompasses data authenticity, which means that a digital object is indeed what it claims to be or what it is claimed to be, and nonrepudiation, which is assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information
System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
Availability: Assures that systems work promptly and service is not denied to authorized users


Figure 1.1 Essential Information and Network Security Objectives

These three concepts form what is often referred to as the CIA triad. The three concepts embody the fundamental security objectives for both data and for information and computing services. For example, the NIST standard FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) lists confidentiality, integrity, and availability as the three security objectives for information and for information systems. FIPS 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
• Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture (Figure 1.1). Two of the most commonly mentioned are as follows:
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.

Computer Security Challenges
Security is not simple
Potential attacks on the security features need to be considered
Procedures used to provide particular services are often counter-intuitive
It is necessary to decide where to use the various security mechanisms
Requires constant monitoring
Is too often an afterthought
Security mechanisms typically involve more than a particular algorithm or protocol
Security is essentially a battle of wits between a perpetrator and the designer
Little benefit from security investment is perceived until a security failure occurs
Strong security is often viewed as an impediment to efficient and user-friendly operation

Computer and network security is both fascinating and complex. Some of the reasons follow:
1. Security is not as simple as it might first appear to the novice. The requirements seem to be straightforward; indeed, most of the major requirements for security services can be given self-explanatory, one-word labels: confidentiality, authentication, nonrepudiation, or integrity. But the mechanisms used to meet those requirements can be quite complex, and understanding them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features. In many cases, successful attacks are designed by looking at the problem in a completely different way, therefore exploiting an unexpected weakness in the mechanism.
3. Because of point 2, the procedures used to provide particular services are often counterintuitive. Typically, a security mechanism is complex, and it is not obvious from the statement of a particular requirement that such elaborate measures are needed. It is only when the various aspects of the threat are considered that elaborate security mechanisms make sense.
4. Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement (e.g., at what points in a network are certain security mechanisms needed) and in a logical sense (e.g., at what layer or layers of an architecture such as TCP/IP [Transmission Control Protocol/Internet Protocol] should mechanisms be placed).
5. Security mechanisms typically involve more than a particular algorithm or protocol. They also require that participants be in possession of some secret information (e.g., an encryption key), which raises questions about the creation, distribution, and protection of that secret information. There also may be a reliance on communications protocols whose behavior may complicate the task of developing the security mechanism. For example, if the proper functioning of the security mechanism requires setting time limits on the transit time of a message from sender to receiver, then any protocol or network that introduces variable, unpredictable delays may render such time limits meaningless.
6. Computer and network security is essentially a battle of wits between a perpetrator who tries to find holes and the designer or administrator who tries to close them. The great advantage that the attacker has is that he or she need only find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security.
7. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs.
8. Security requires regular, even constant, monitoring, and this is difficult in today’s short-term, overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system after the design is complete rather than being an integral part of the design process.
10. Many users and even security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information.

OSI Security Architecture
Security attack
Any action that compromises the security of information owned by an organization
Security mechanism
A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack
Security service
A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization
Intended to counter security attacks, and they make use of one or more security mechanisms to provide the service

To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. This is difficult enough in a centralized data processing environment; with the use of local and wide area networks, the problems are compounded.
ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach. The OSI security architecture is useful to managers as a way of organizing the task of providing security. Furthermore, because this architecture was developed as an international standard, computer and communications vendors have developed security features for their products and services that relate to this structured definition of services and mechanisms.
For our purposes, the OSI security architecture provides a useful, if abstract, overview of many of the concepts that this book deals with. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as
• Security attack: Any action that compromises the security of information owned by an organization.
• Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
• Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

Threats and Attacks
Threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

In the literature, the terms threat and attack are commonly used, with the following meanings:
■ Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
■ Attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.


Figure 1.2 Key Concepts in Security (1 of 2)

The following three sections provide an overview of the concepts of attacks, services, and mechanisms. The key concepts that are covered are summarized in Figure 1.2.


Figure 1.2 Key Concepts in Security (2 of 2)


Security Attacks
A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks
A passive attack attempts to learn or make use of information from the system but does not affect system resources
An active attack attempts to alter system resources or affect their operation

A useful means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks (Figure 1.2a). A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.


Passive Attacks
Are in the nature of eavesdropping on, or monitoring of, transmissions
Goal of the opponent is to obtain information that is being transmitted
Two types of passive attacks are:
The release of message contents
Traffic analysis

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents and traffic analysis.
The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.
A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
Passive attacks are very difficult to detect, because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion, and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.

Active Attacks
Involve some modification of the data stream or the creation of a false stream
Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
Goal is to detect attacks and to recover from any disruption or delays caused by them
Masquerade
Takes place when one entity pretends to be a different entity
Usually includes one of the other forms of active attack
Replay
Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
Data Modification
Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect
Denial of service
Prevents or inhibits the normal use or management of communications facilities

Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Data modification simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message stating, “Allow John Smith to read confidential file accounts” is modified to say, “Allow Fred Brown to read confidential file accounts.”
The denial of service prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention.

Figure 1.3 Security Attacks

Figure 1.3 illustrates the types of attacks in the context of a client/server interaction. A passive attack (Figure 1.3b) does not disturb the information flow between the client and server, but is able to observe that flow.
A masquerade can take the form of a man-in-the-middle attack (Figure 1.3c). In this type of attack, the attacker intercepts the traffic and masquerades as the client to the server and as the server to the client. We see specific applications of this attack in defeating key exchange and distribution protocols (Chapters 10 and 14) and in message authentication protocols (Chapter 11). More generally, it can be used to impersonate the two ends of a legitimate communication. Another form of masquerade is illustrated in Figure 1.3d. Here, an attacker is able to access server resources by masquerading as an authorized user.
Data modification may involve a man-in-the-middle attack, in which the attacker selectively modifies communicated data between a client and server (Figure 1.3c). Another form of data modification attack is the modification of data residing on a server or other system after an attacker gains unauthorized access (Figure 1.3d).
Figure 1.3e illustrates the replay attack. As in a passive attack, the attacker does not disturb the information flow between client and server, but does capture client messages. The attacker can then subsequently replay any client message to the server.
Figure 1.3d also illustrates denial of service in the context of a client/server environment. The denial of service can take two forms: (1) flooding the server with an overwhelming amount of data; and (2) triggering some action on the server that consumes substantial computing resources.


Authentication (1 of 2)
Concerned with assuring that a communication is authentic
In the case of a single message, assures the recipient that the message is from the source that it claims to be from
In the case of ongoing interaction, assures the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties
Two specific authentication services are defined in X.800:
Peer entity authentication
Data origin authentication

The authentication service is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from. In the case of an ongoing interaction, such as the connection of a terminal to a host, two aspects are involved. First, at the time of connection initiation, the service assures that the two entities are authentic, that is, that each is the entity that it claims to be. Second, the service must assure that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties for the purposes of unauthorized transmission or reception.
Two specific authentication services are defined in X.800:
• Peer entity authentication: Provides for the corroboration of the identity of a peer entity in an association. Two entities are considered peers if they implement the same protocol in different systems; for example, two TCP modules in two communicating systems. Peer entity authentication is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection.
• Data origin authentication: Provides for the corroboration of the source of a data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications like electronic mail, where there are no prior interactions between the communicating entities.

Authentication (2 of 2)
Peer entity authentication
Provides for the corroboration of the identity of a peer entity in an association. Two entities are considered peers if they implement the same protocol in different systems. Peer entity authentication is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection
Data origin authentication
Provides for the corroboration of the source of a data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications like electronic mail, where there are no ongoing interactions between the communicating entities

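The two X.800 authentication services side by side, as an added example that is not part of the Stallings chapter or these slides: a challenge-response exchange for peer entity authentication, in which the server issues a fresh random challenge for every connection attempt so that a response captured from an earlier connection answers the wrong challenge and is rejected, next to a stateless HMAC check for data origin authentication, which corroborates the source of one data unit but, exactly as X.800 says, accepts an exact duplicate. The shared key, the `client-response|` label, the `Server` class and the mail text are constructed for the demonstration; a real deployment would derive the key from a key exchange rather than a constant.

```python
# Added example, not code from the chapter: X.800 peer entity authentication
# (challenge-response with a fresh nonce) next to data origin authentication
# (a stateless HMAC over one message).  Key, labels and messages are
# constructed for the demonstration.
import hashlib
import hmac
import os

# Constructed shared secret; in practice it comes from a key exchange.
SHARED_KEY = b"demo-shared-secret-do-not-reuse"


def tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over data; the verifier recomputes and compares."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Server:
    """Peer entity authentication: one random challenge per connection
    attempt.  A response recorded from an earlier connection is useless
    later because it answers a challenge that is no longer outstanding."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = {}  # challenge -> True while it may be answered

    def challenge(self) -> bytes:
        c = os.urandom(16)
        self.outstanding[c] = True
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge may be answered once; unknown or used ones fail.
        if not self.outstanding.pop(challenge, False):
            return False
        expected = tag(self.key, b"client-response|" + challenge)
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, challenge: bytes) -> bytes:
    """Client side: prove possession of the key for this challenge only."""
    return tag(key, b"client-response|" + challenge)


def peer_entity_demo() -> dict:
    """Legitimate connection, then two replays of the captured response."""
    server = Server(SHARED_KEY)
    c1 = server.challenge()
    r1 = client_respond(SHARED_KEY, c1)
    legit = server.verify(c1, r1)
    # Attacker captured (c1, r1) and resends the whole sequence.
    replay_same_challenge = server.verify(c1, r1)
    # Attacker answers a fresh challenge c2 with the old response r1.
    c2 = server.challenge()
    replay_new_challenge = server.verify(c2, r1)
    return {
        "legit": legit,
        "replay_same_challenge": replay_same_challenge,
        "replay_new_challenge": replay_new_challenge,
    }


def data_origin_verify(key: bytes, message: bytes, mac: bytes) -> bool:
    """Data origin authentication: corroborates the source of one data unit.
    It keeps no state, so an exact duplicate verifies like the original."""
    return hmac.compare_digest(tag(key, message), mac)


def data_origin_demo() -> dict:
    msg = b"From: alice\nTo: bob\nPay invoice 42"  # constructed mail
    mac = tag(SHARED_KEY, msg)
    first = data_origin_verify(SHARED_KEY, msg, mac)
    duplicate = data_origin_verify(SHARED_KEY, msg, mac)  # replay accepted
    altered = data_origin_verify(SHARED_KEY, msg.replace(b"42", b"43"), mac)
    return {"first": first, "duplicate": duplicate, "altered": altered}


if __name__ == "__main__":
    print(peer_entity_demo())
    print(data_origin_demo())
```

The first dictionary reports one accepted connection and two rejected replays; the second reports that the duplicated mail verifies while the altered one does not. Rejecting duplicates of individual data units needs state at the receiver (a sequence number or a cache of seen nonces) on top of the origin check, which is what the connection-oriented integrity service adds.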

Access Control
The ability to limit and control the access to host systems and applications via communications links
To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual


Data Confidentiality
The protection of transmitted data from passive attacks
Broadest service protects all user data transmitted between two users over a period of time
Narrower forms of service includes the protection of a single message or even specific fields within a message
The protection of traffic flow from analysis
This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility

Confidentiality is the protection of transmitted data from passive attacks. With respect to the content of a data transmission, several levels of protection can be identified. The broadest service protects all user data transmitted between two users over a period of time. For example, when a TCP connection is set up between two systems, this broad protection prevents the release of any user data transmitted over the TCP connection. Narrower forms of this service can also be defined, including the protection of a single message or even specific fields within a message. These refinements are less useful than the broad approach and may even be more complex and expensive to implement.
The other aspect of confidentiality is the protection of traffic flow from analysis. This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility.
21

Data Integrity
Can apply to a stream of messages, a single message, or selected fields within a message
Connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays
A connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only

As with confidentiality, integrity can apply to a stream of messages, a single message, or selected fields within a message. Again, the most useful and straightforward approach is total stream protection.
A connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays. The destruction of data is also covered under this service. Thus, the connection-oriented integrity service addresses both message stream modification and denial of service. On the other hand, a connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only.
We can make a distinction between service with and without recovery. Because the integrity service relates to active attacks, we are concerned with detection rather than prevention. If a violation of integrity is detected, then the service may simply report this violation, and some other portion of software or human intervention is required to recover from the violation. Alternatively, there are mechanisms available to recover from the loss of integrity of data, as we will review subsequently. The incorporation of automated recovery mechanisms is, in general, the more attractive alternative.
22

Nonrepudiation
Prevents either sender or receiver from denying a transmitted message
When a message is sent, the receiver can prove that the alleged sender in fact sent the message
When a message is received, the sender can prove that the alleged receiver in fact received the message

Nonrepudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the alleged sender in fact sent the message. Similarly, when a message is received, the sender can prove that the alleged receiver in fact received the message.
23

Availability Service
Protects a system to ensure its availability
This service addresses the security concerns raised by denial-of-service attacks
It depends on proper management and control of system resources and thus depends on access control service and other security services

Availability is the property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system (i.e., a system is available if it provides services according to the system design whenever users request them). A variety of attacks can result in the loss of or reduction in availability. Some of these attacks are amenable to automated countermeasures, such as authentication and encryption, whereas others require some sort of physical action to prevent or recover from loss of availability of elements of a distributed system.
X.800 treats availability as a property to be associated with various security services. However, it makes sense to call out specifically an availability service. An availability service is one that protects a system to ensure its availability. This service addresses the security concerns raised by denial-of-service attacks. It depends on proper management and control of system resources and thus depends on access control service and other security services.
24

Security Mechanisms (1 of 2)
Cryptographic algorithms: We can distinguish between reversible cryptographic mechanisms and irreversible cryptographic mechanisms. A reversible cryptographic mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted. Irreversible cryptographic mechanisms include hash algorithms and message authentication codes, which are used in digital signature and message authentication applications.
Data integrity: This category covers a variety of mechanisms used to assure the integrity of a data unit or stream of data units.
Digital signature: Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.

Figure 1.2c lists the most important security mechanisms discussed in this book. These mechanisms will be covered in the appropriate places in the book. So, we do not elaborate now, except to provide the following brief definitions.
■ Cryptographic algorithms: We can distinguish between reversible cryptographic mechanisms and irreversible cryptographic mechanisms. A reversible cryptographic mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted. Irreversible cryptographic mechanisms include hash algorithms and message authentication codes, which are used in digital signature and message authentication applications.
■ Data integrity: This category covers a variety of mechanisms used to assure the integrity of a data unit or stream of data units.
■ Digital signature: Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.
■ Authentication exchange: A mechanism intended to ensure the identity of an entity by means of information exchange.
■ Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
■ Routing control: Enables selection of particular physically or logically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.
■ Notarization: The use of a trusted third party to assure certain properties of a data exchange.
■ Access control: A variety of mechanisms that enforce access rights to resources.
25

Security Mechanisms (2 of 2)
Authentication exchange: A mechanism intended to ensure the identity of an entity by means of information exchange.
Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
Routing control: Enables selection of particular physically or logically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain properties of a data exchange.
Access control: A variety of mechanisms that enforce access rights to resources.

26

Figure 1.4 Cryptographic Algorithms

Cryptographic algorithms can be divided into three categories (Figure 1.4):
■ Keyless: Do not use any keys during cryptographic transformations.
■ Single-key: The result of a transformation is a function of the input data and a single key, known as a secret key.
■ Two-key: At various stages of the calculation, two different but related keys are used, referred to as private key and public key.
27

Keyless Algorithms
Deterministic functions that have certain properties useful for cryptography
One type of keyless algorithm is the cryptographic hash function
A hash function turns a variable amount of text into a small, fixed-length value called a hash value, hash code, or digest
A cryptographic hash function is one that has additional properties that make it useful as part of another cryptographic algorithm, such as a message authentication code or a digital signature
A pseudorandom number generator produces a deterministic sequence of numbers or bits that has the appearance of being a truly random sequence

Keyless algorithms are deterministic functions that have certain properties useful for cryptography.
One important type of keyless algorithm is the cryptographic hash function. A hash function turns a variable amount of text into a small, fixed-length value called a hash value, hash code, or digest. A cryptographic hash function is one that has additional properties that make it useful as part of another cryptographic algorithm, such as a message authentication code or a digital signature.
A pseudorandom number generator produces a deterministic sequence of numbers or bits that has the appearance of being a truly random sequence. Although the sequence appears to lack any definite pattern, it will repeat after a certain sequence length. Nevertheless, for some cryptographic purposes this apparently random sequence is sufficient.

28

Single-Key Algorithms (1 of 3)
Single-key cryptographic algorithms depend on the use of a secret key
Encryption algorithms that use a single key are referred to as symmetric encryption algorithms
With symmetric encryption, an encryption algorithm takes as input some data to be protected and a secret key and produces an unintelligible transformation on that data
A corresponding decryption algorithm takes the transformed data and the same secret key and recovers the original data

Single-key cryptographic algorithms depend on the use of a secret key. This key may be known to a single user; for example, this is the case for protecting stored data that is only going to be accessed by the data creator. Commonly, two parties share the secret key so that communication between the two parties is protected. For certain applications, more than two users may share the same secret key. In this last case, the algorithm protects data from those outside the group who share the key.
Encryption algorithms that use a single key are referred to as symmetric encryption algorithms. With symmetric encryption, an encryption algorithm takes as input some data to be protected and a secret key and produces an unintelligible transformation on that data. A corresponding decryption algorithm takes the transformed data and the same secret key and recovers the original data. Symmetric encryption takes the following forms:
■ Block cipher: A block cipher operates on data as a sequence of blocks. A typical block size is 128 bits. In most versions of the block cipher, known as modes of operation, the transformation depends not only on the current data block and the secret key but also on the content of preceding blocks.
■ Stream cipher: A stream cipher operates on data as a sequence of bits. Typically, an exclusive-OR operation is used to produce a bit-by-bit transformation. As with the block cipher, the transformation depends on a secret key.

29

Single-Key Algorithms (2 of 3)
Symmetric encryption takes the following forms:
Block cipher
A block cipher operates on data as a sequence of blocks
In most versions of the block cipher, known as modes of operation, the transformation depends not only on the current data block and the secret key but also on the content of preceding blocks
Stream cipher
A stream cipher operates on data as a sequence of bits
As with the block cipher, the transformation depends on a secret key


30

Single-Key Algorithms (3 of 3)
Another form of single-key cryptographic algorithm is the message authentication code (MAC)
A MAC is a data element associated with a data block or message
The MAC is generated by a cryptographic transformation involving a secret key and, typically, a cryptographic hash function of the message
The MAC is designed so that someone in possession of the secret key can verify the integrity of the message
The recipient of the message plus the MAC can perform the same calculation on the message; if the calculated MAC matches the MAC accompanying the message, this provides assurance that the message has not been altered

Another form of single-key cryptographic algorithm is the message authentication code (MAC). A MAC is a data element associated with a data block or message. The MAC is generated by a cryptographic transformation involving a secret key and, typically, a cryptographic hash function of the message. The MAC is designed so that someone in possession of the secret key can verify the integrity of the message. Thus, the MAC algorithm takes as input a message and secret key and produces the MAC. The recipient of the message plus the MAC can perform the same calculation on the message; if the calculated MAC matches the MAC accompanying the message, this provides assurance that the message has not been altered.
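The MAC computation described above, combined with the connection-oriented integrity service from the Data Integrity slide (detection of modification, replay, reordering and deletion, versus modification only for the connectionless case), as an added example that is not part of the original slides. It assumes a constructed shared key and uses HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

# Constructed shared secret for this example only; in practice it would come
# from a key exchange or a key-management system.
SECRET_KEY = b"example-shared-secret-do-not-reuse"


def compute_mac(key: bytes, seq: int, message: bytes) -> bytes:
    """HMAC-SHA256 over (sequence number || message).

    Binding the sequence number into the MAC is what lets a receiver notice
    replay and reordering, not only modification of the message bytes.
    """
    return hmac.new(key, struct.pack(">Q", seq) + message, hashlib.sha256).digest()


def protect(key: bytes, seq: int, message: bytes) -> Tuple[int, bytes, bytes]:
    """Sender side: the data unit that goes on the wire is (seq, message, mac)."""
    return seq, message, compute_mac(key, seq, message)


def verify_connectionless(key: bytes, seq: int, message: bytes, mac: bytes) -> Tuple[bool, str]:
    """Connectionless integrity: each unit is judged on its own, so only
    modification is detected; a replayed unit still verifies."""
    if hmac.compare_digest(compute_mac(key, seq, message), mac):
        return True, "ok"
    return False, "modification"


class StreamIntegrityReceiver:
    """Connection-oriented integrity: on top of the MAC, every accepted unit
    must carry the next expected sequence number. This is detection, not
    prevention: a bad unit is reported and dropped, nothing is repaired."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1

    def verify(self, seq: int, message: bytes, mac: bytes) -> Tuple[bool, str]:
        ok, reason = verify_connectionless(self.key, seq, message, mac)
        if not ok:
            return False, reason            # content, seq or key does not match
        if seq <= self.last_seq:
            return False, "replay or reorder"
        if seq != self.last_seq + 1:
            return False, "gap (deletion)"  # a unit was lost or removed in transit
        self.last_seq = seq
        return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Run a constructed message stream through both services."""
    rx = StreamIntegrityReceiver(SECRET_KEY)
    units = [protect(SECRET_KEY, i, f"transfer {i}".encode()) for i in range(5)]
    results = []
    results.append(rx.verify(*units[0]))                          # accepted
    results.append(rx.verify(*units[1]))                          # accepted
    results.append(rx.verify(*units[1]))                          # replay: rejected
    seq, msg, mac = units[2]
    results.append(rx.verify(seq, msg.replace(b"2", b"9"), mac))  # modified: rejected
    results.append(rx.verify(*units[2]))                          # genuine unit 2: accepted
    results.append(rx.verify(*units[4]))                          # unit 3 missing: rejected
    results.append(verify_connectionless(SECRET_KEY, *units[1]))  # replay passes here
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", reason)
```

A rejected gap leaves the receiver's expected sequence number unchanged, so a strict stream stays blocked until the missing unit arrives, which is the "detection rather than prevention" behaviour the notes describe.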

31

Asymmetric Algorithms
Encryption algorithms that use two related keys are referred to as asymmetric encryption algorithms
Digital signature algorithm
A digital signature is a value computed with a cryptographic algorithm and associated with a data object in such a way that any recipient of the data can use the signature to verify the data’s origin and integrity
Key exchange
The process of securely distributing a symmetric key to two or more parties
User authentication
The process of authenticating that a user attempting to access an application or service is genuine and, similarly, that the application or service is genuine

Two-key algorithms involve the use of two related keys. A private key is known only to a single user or entity, whereas the corresponding public key is made available to a number of users. Encryption algorithms that use two related keys are referred to as asymmetric encryption algorithms. Asymmetric encryption can work in two ways:
■ An encryption algorithm takes as input some data to be protected and the private key and produces an unintelligible transformation on that data. A corresponding decryption algorithm takes the transformed data and the corresponding public key and recovers the original data. In this case, only the possessor of the private key can have performed the encryption and any possessor of the public key can perform the decryption.
■ An encryption algorithm takes as input some data to be protected and a public key and produces an unintelligible transformation on that data. A corresponding decryption algorithm takes the transformed data and the corresponding private key and recovers the original data. In this case, any possessor of the public key can have performed the encryption and only the possessor of the private key can perform the decryption.
Asymmetric encryption has a variety of applications. One of the most important is the digital signature algorithm. A digital signature is a value computed with a cryptographic algorithm and associated with a data object in such a way that any recipient of the data can use the signature to verify the data’s origin and integrity. Typically, the signer of a data object uses the signer’s private key to generate the signature, and anyone in possession of the corresponding public key can verify the validity of the signature.
Asymmetric algorithms can also be used in two other important applications. Key exchange is the process of securely distributing a symmetric key to two or more parties. User authentication is the process of authenticating that a user attempting to access an application or service is genuine and, similarly, that the application or service is genuine. These concepts are explained in detail in subsequent chapters.
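Both directions of the two-key transformation and the digital signature use described above, as an added example that is not part of the original slides. It uses deliberately tiny constructed RSA parameters (p=61, q=53, e=17) so the arithmetic stays readable; the parameters are an assumption for illustration, not a usable key size.

```python
import hashlib
from typing import Dict, Tuple

Key = Tuple[int, int]  # (exponent, modulus)

# Constructed toy parameters: far too small for real use, chosen so the
# numbers stay readable. Real keys use primes of 1024 bits or more.
P, Q, E = 61, 53, 17


def generate_keypair(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)      # modular inverse, so e*d = 1 (mod phi)
    return (e, n), (d, n)


def transform(value: int, key: Key) -> int:
    """The single primitive: modular exponentiation with whichever key is
    supplied. Which key is used decides the direction (see the two cases below)."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must lie below the modulus")
    return pow(value, exponent, n)


def digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message, then reduce into the range the toy modulus allows."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


# Way 1: private-key transform; anyone holding the public key can undo it.
# Only the private-key holder could have produced it, which is a signature.
def sign(message: bytes, private_key: Key) -> int:
    return transform(digest_mod_n(message, private_key[1]), private_key)


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    return transform(signature, public_key) == digest_mod_n(message, public_key[1])


# Way 2: public-key transform; only the private-key holder can undo it.
def encrypt(value: int, public_key: Key) -> int:
    return transform(value, public_key)


def decrypt(ciphertext: int, private_key: Key) -> int:
    return transform(ciphertext, private_key)


def demo() -> Dict[str, bool]:
    public_key, private_key = generate_keypair(P, Q, E)
    message = b"pay 100 to alice"       # constructed sample message
    signature = sign(message, private_key)
    return {
        "genuine_signature_verifies": verify(message, signature, public_key),
        "altered_message_fails": verify(b"pay 900 to alice", signature, public_key),
        "public_encrypt_private_decrypt": decrypt(encrypt(65, public_key), private_key) == 65,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```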
32

Figure 1.5 Key Elements of Network Security

Network security is a broad term that encompasses security of the communications pathways of the network and the security of network devices and devices attached to the network (Figure 1.5).

33

Communications Security
Deals with the protection of communications through the network, including measures to protect against both passive and active attacks
Communications security is primarily implemented using network protocols
A network protocol consists of the format and procedures that govern the transmitting and receiving of data between points in a network
A protocol defines the structure of the individual data units and the control commands that manage the data transfer
With respect to network security, a security protocol may be an enhancement that is part of an existing protocol or a standalone protocol

In the context of network security, communications security deals with the protection of communications through the network, including measures to protect against both passive and active attacks (Figure 1.3).
Communications security is primarily implemented using network protocols. A network protocol consists of the format and procedures that govern the transmitting and receiving of data between points in a network. A protocol defines the structure of the individual data units (e.g., packets) and the control commands that manage the data transfer.
With respect to network security, a security protocol may be an enhancement that is part of an existing protocol or a standalone protocol. Examples of the former are IPsec, which is part of the Internet Protocol (IP), and IEEE 802.11i, which is part of the IEEE 802.11 Wi-Fi standard. Examples of the latter are Transport Layer Security (TLS) and Secure Shell (SSH). Part Six examines these and other secure network protocols.
One common characteristic of all of these protocols is that they use a number of cryptographic algorithms as part of the mechanism to provide security.
34

Device Security (1 of 2)
The other aspect of network security is the protection of network devices, such as routers and switches, and end systems connected to the network, such as client systems and servers
The primary security concerns are intruders that gain access to the system to perform unauthorized actions, insert malicious software (malware), or overwhelm system resources to diminish availability

The other aspect of network security is the protection of network devices, such as routers and switches, and end systems connected to the network, such as client systems and servers. The primary security concerns are intruders that gain access to the system to perform unauthorized actions, insert malicious software (malware), or overwhelm system resources to diminish availability. Three types of device security are noteworthy:
■ Firewall: A hardware and/or software capability that limits access between a network and device attached to the network, in accordance with a specific security policy. The firewall acts as a filter that permits or denies data traffic, both incoming and outgoing, based on a set of rules based on traffic content and/or traffic pattern.
■ Intrusion detection: Hardware or software products that gather and analyze information from various areas within a computer or a network for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.
■ Intrusion prevention: Hardware or software products designed to detect intrusive activity and attempt to stop the activity, ideally before it reaches its target.
These device security capabilities are more closely related to the field of computer security than network security. Accordingly, they are dealt with more briefly than communications security in Part Six. For a more detailed treatment, see [STAL18].
35

Device Security (2 of 2)
Three types of device security are:
Firewall
A hardware and/or software capability that limits access between a network and device attached to the network, in accordance with a specific security policy. The firewall acts as a filter that permits or denies data traffic, both incoming and outgoing, based on a set of rules based on traffic content and/or traffic pattern
Intrusion detection
Hardware or software products that gather and analyze information from various areas within a computer or a network for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner
Intrusion prevention
Hardware or software products designed to detect intrusive activity and attempt to stop the activity, ideally before it reaches its target

36

Trust Model (1 of 2)
One of the most widely accepted and most cited definitions of trust is:
“the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party”

One of the most widely accepted and most cited definitions of trust in the organizational science literature is from [MAYE95], which defines trust as follows: the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party.
Three related concepts are relevant to a trust model:
■ Trustworthiness: A characteristic of an entity that reflects the degree to which that entity is deserving of trust.
■ Propensity to trust: A tendency to be willing to trust others across a broad spectrum of situations and trust targets. This suggests that every individual has some baseline level of trust that will influence the person’s willingness to rely on the words and actions of others.
■ Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
37

Trust Model (2 of 2)
Three related concepts are relevant to a trust model:
Trustworthiness: A characteristic of an entity that reflects the degree to which that entity is deserving of trust
Propensity to trust: A tendency to be willing to trust others across a broad spectrum of situations and trust targets. This suggests that every individual has some baseline level of trust that will influence the person’s willingness to rely on the words and actions of others
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence

38

Figure 1.6 Trust Model

Figure 1.6, adapted from [MAYE95], illustrates the relationship among these concepts. Propensity can also be expressed as the level of risk that an entity (individual or organization) is prepared to tolerate.
Typically, a trustor uses a number of factors to establish the trustworthiness of an entity. Three general factors are commonly cited:
■ Ability: Also referred to as competence, this relates to the potential ability of the evaluated entity to do a given task or be entrusted with given information.
■ Benevolence: This implies a disposition of goodwill towards the trusting party. That is, a trustworthy party does not intend to cause harm to the trusting party.
■ Integrity: This can be defined as the trustor’s perception that the trustee adheres to a set of principles that the trustor finds acceptable. Integrity implies that a benevolent party takes such measures as are necessary to assure that it in fact does not cause harm to the trusting party.
The goal of trust, in the model of Figure 1.6, is to determine what course of action, if any, the trusting party is willing to take in relation to the trusted party. Based on the level of trust, and the perceived risk, the trusting party may decide to take some action that involves some degree of risk taking. The outcome of the risk taking could be a reliance on the trusted party to perform some action or the disclosure of information to the trusted party with the expectation that the information will be protected as agreed between the parties.

The Trust Model and Information Security
Trust is confidence that an entity will perform in a way that will not prejudice the security of the user of the system of which that entity is a part
Trust is always restricted to specific functions or ways of behavior and is meaningful only in the context of a security policy
Generally, an entity is said to trust a second entity when the first entity assumes that the second entity will behave exactly as the first entity expects
In this context, the term entity may refer to a single hardware component or software module, a piece of equipment identified by make and model, a site or location, or an organization

Trust is confidence that an entity will perform in a way that will not prejudice the security of the user of the system of which that entity is a part. Trust is always restricted to specific functions or ways of behavior and is meaningful only in the context of a security policy. Generally, an entity is said to trust a second entity when the first entity assumes that the second entity will behave exactly as the first entity expects. This trust may apply only for some specific function. In this context, the term entity may refer to a single hardware component or software module, a piece of equipment identified by make and model, a site or location, or an organization.

Trustworthiness of an Individual (1 of 2)
Organizations need to be concerned about both internal users (employees, on-site contractors) and external users (customers, suppliers) of their information systems
With respect to internal users, an organization develops a level of trust in individuals by policies in the following two areas:
Human resource security
Sound security practice dictates that information security requirements be embedded into each stage of the employment life cycle, specifying security-related actions required during the induction of each individual, their ongoing management, and termination of their employment. Human resource security also includes assigning ownership of information (including responsibility for its protection) to capable individuals and obtaining confirmation of their understanding and acceptance

Organizations need to be concerned about both internal users (employees, on-site contractors) and external users (customers, suppliers) of their information systems. With respect to internal users, an organization develops a level of trust in individuals by policies in the following two areas [STAL19]:
■ Human resource security: Sound security practice dictates that information security requirements be embedded into each stage of the employment life cycle, specifying security-related actions required during the induction of each individual, their ongoing management, and termination of their employment. Human resource security also includes assigning ownership of information (including responsibility for its protection) to capable individuals and obtaining confirmation of their understanding and acceptance.
■ Security awareness and training: This area refers to disseminating security information to all employees, including IT staff, IT security staff, and management, as well as IT users and other employees. A workforce that has a high level of security awareness and appropriate security training for each individual’s role is as important, if not more important, than any other security countermeasure or control.
For external users, trust will depend on the context. In general terms, the factors of perceived trustworthiness and the trustor’s propensity, as depicted in Figure 1.6, determine the level of trust. Further, the issue of trust is mutual. That is, not only must an organization determine a level of trust towards external users, but external users need to be concerned about the degree to which they can trust an information resource that they use. This mutual trust involves a number of practical consequences, including the use of a public-key infrastructure and user authentication protocols. These matters are explored in Part Five.

Trustworthiness of an Individual (2 of 2)
Security awareness and training
This area refers to disseminating security information to all employees, including IT staff, IT security staff, and management, as well as IT users and other employees. A workforce that has a high level of security awareness and appropriate security training for each individual’s role is as important, if not more important, than any other security countermeasure or control


Trustworthiness of an Organization
Most organizations rely on information system services and information provided by external organizations, as well as partnerships to accomplish missions and business functions (examples are cloud service providers and companies that form part of the supply chain for the organization)
To manage risk to the organization, it must establish trust relationships with these external organizations
NIST SP 800-39 (Managing Information Security Risk, March 2011) indicates that such trust relationships can be:
Formally established, for example, by documenting the trust-related information in contracts, service-level agreements, statements of work, memoranda of agreement/understanding, or interconnection security agreements
Scalable and inter-organizational or intra-organizational in nature
Represented by simple (bilateral) relationships between two partners or more complex many-to-many relationships among many diverse partners

Most organizations rely, to a greater or lesser extent, on information system services and information provided by external organizations, as well as partnerships to accomplish missions and business functions. Examples are cloud service providers and companies that form part of the supply chain for the organization. To manage risk to the organization, it must establish trust relationships with these external organizations. NIST SP 800-39 (Managing Information Security Risk, March 2011) indicates that such trust relationships can be:
■ Formally established, for example, by documenting the trust-related information in contracts, service-level agreements, statements of work, memoranda of agreement/understanding, or interconnection security agreements;
■ Scalable and inter-organizational or intra-organizational in nature; and/or
■ Represented by simple (bilateral) relationships between two partners or more complex many-to-many relationships among many diverse partners.
The requirements for establishing and maintaining trust depend on mission/business requirements, the participants involved in the trust relationship, the criticality/sensitivity of the information being shared or the types of services being rendered, the history between the organizations, and the overall risk to the organizations participating in the relationship.
As with individuals, trust related to organizations can involve the use of public-key infrastructure and user authentication, as well as the network security measures described in Part Six.


Trustworthiness of Information Systems
SP 800-39 defines trustworthiness for information systems as
“the degree to which information systems (including the information technology products from which the systems are built) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the systems across the full range of threats”
Two factors affecting the trustworthiness of information systems are:
Security functionality: The security features/functions employed within the system. These include cryptographic and network security technologies
Security assurance: The grounds for confidence that the security functionality is effective in its application. This area is addressed by security management techniques, such as auditing and incorporating security considerations into the system development life cycle

SP 800-39 defines trustworthiness for information systems as the degree to which information systems (including the information technology products from which the systems are built) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the systems across the full range of threats. Two factors affecting the trustworthiness of information systems are:
■ Security functionality: The security features/functions employed within the system. These include cryptographic and network security technologies discussed throughout this book.
■ Security assurance: The grounds for confidence that the security functionality is effective in its application. This area is addressed by security management techniques, such as auditing and incorporating security considerations into the system development life cycle [STAL19].

Establishing Trust Relationships
Validated trust:
Trust is based on evidence obtained by the trusting organization about the trusted organization or entity. The information may include information security policy, security measures, and level of oversight
Direct historical trust:
This type of trust is based on the security-related track record exhibited by an organization in the past, particularly in interactions with the organization seeking to establish trust
Mediated trust:
Mediated trust involves the use of a third party that is mutually trusted by two parties, with the third party providing assurance or guarantee of a given level of trust between the first two parties
Mandated trust:
An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority

The methods used by an organization to establish a trust relationship with various entities will depend on a variety of factors, such as laws and regulations, risk tolerance, and the criticality and sensitivity of the relationship. SP 800-39 describes the following methods:
■ Validated trust: Trust is based on evidence obtained by the trusting organization about the trusted organization or entity. The information may include information security policy, security measures, and level of oversight. An example is for one organization to develop an application or information system and provide evidence (e.g., security plan, assessment results) to a second organization that supports the claims by the first organization that the application/system meets certain security requirements and/or addresses the appropriate security controls.
■ Direct historical trust: This type of trust is based on the security-related track record exhibited by an organization in the past, particularly in interactions with the organization seeking to establish trust.
■ Mediated trust: Mediated trust involves the use of a third party that is mutually trusted by two parties, with the third party providing assurance or guarantee of a given level of trust between the first two parties. An example of this form of trust establishment is the use of public-key certificate authorities, described in Chapter 14.
■ Mandated trust: An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority. For example, an organization may be given the responsibility and the authority to issue public key certificates for a group of organizations.
An organization is likely to use a combination of these methods to establish relationships with a number of other entities.

Standards (1 of 2)
National Institute of Standards and Technology:
NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation. Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact
Internet Society:
ISOC is a professional membership society with worldwide organizational and individual membership. It provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). These organizations develop Internet standards and related specifications, all of which are published as Requests for Comments (RFCs).

Many of the security techniques and applications described in this book have been specified as standards. Additionally, standards have been developed to cover management practices and the overall architecture of security mechanisms and services. Throughout this book, we describe the most important standards in use or being developed for various aspects of cryptography and network security. Various organizations have been involved in the development or promotion of these standards. The most important (in the current context) of these organizations are as follows:
■ National Institute of Standards and Technology: NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation. Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact.
■ Internet Society: ISOC is a professional membership society with worldwide organizational and individual membership. It provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). These organizations develop Internet standards and related specifications, all of which are published as Requests for Comments (RFCs).
■ ITU-T: The International Telecommunication Union (ITU) is an international organization within the United Nations System in which governments and the private sector coordinate global telecom networks and services. The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU. ITU-T’s mission is the development of technical standards covering all fields of telecommunications. ITU-T standards are referred to as Recommendations.
■ ISO: The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from more than 140 countries, one from each country. ISO is a nongovernmental organization that promotes the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity. ISO’s work results in international agreements that are published as International Standards.

Standards (2 of 2)
ITU-T:
The International Telecommunication Union (ITU) is an international organization within the United Nations System in which governments and the private sector coordinate global telecom networks and services. The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU. ITU-T’s mission is the development of technical standards covering all fields of telecommunications. ITU-T standards are referred to as Recommendations
ISO:
The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from more than 140 countries, one from each country. ISO is a nongovernmental organization that promotes the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity. ISO’s work results in international agreements that are published as International Standards


Summary
Describe the key security requirements of confidentiality, integrity, and availability
List and briefly describe key organizations involved in cryptography standards
Provide an overview of keyless, single-key and two-key cryptographic algorithms
Provide an overview of the main areas of network security
Describe a trust model for information security
Discuss the types of security threats and attacks that must be dealt with and give examples of the types of threats and attacks that apply to different categories of computer and network assets

Chapter 1 summary.

Copyright
This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.



Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 3

Classical Encryption Techniques

Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 3 – “Classical Encryption Techniques”.
Symmetric encryption, also referred to as conventional encryption or single-key encryption, was the only type of encryption in use prior to the development of public-key encryption in the 1970s. It remains by far the most widely used of the two types of encryption. Part One examines a number of symmetric ciphers. In this chapter, we begin with a look at a general model for the symmetric encryption process; this will enable us to understand the context within which the algorithms are used. Next, we examine a variety of algorithms in use before the computer era. Finally, we look briefly at a different approach known as steganography. Chapters 4 and 6 introduce the two most widely used symmetric ciphers: DES and AES.

Learning Objectives
Present an overview of the main concepts of symmetric cryptography.
Explain the difference between cryptanalysis and brute-force attack.
Understand the operation of a monoalphabetic substitution cipher.
Understand the operation of a polyalphabetic cipher.
Present an overview of the Hill cipher.

Definitions (1 of 2)
Plaintext
An original message
Ciphertext
The coded message
Enciphering/encryption
The process of converting from plaintext to ciphertext
Deciphering/decryption
Restoring the plaintext from the ciphertext

Before beginning, we define some terms. An original message is known as the plaintext, while the coded message is called the ciphertext. The process of converting from plaintext to ciphertext is known as enciphering or encryption; restoring the plaintext from the ciphertext is deciphering or decryption. The many schemes used for encryption constitute the area of study known as cryptography. Such a scheme is known as a cryptographic system or a cipher. Techniques used for deciphering a message without any knowledge of the enciphering details fall into the area of cryptanalysis. Cryptanalysis is what the layperson calls “breaking the code.” The areas of cryptography and cryptanalysis together are called cryptology.

Definitions (2 of 2)
Cryptography
The area of study of the many schemes used for encryption
Cryptographic system/cipher
A scheme
Cryptanalysis
Techniques used for deciphering a message without any knowledge of the enciphering details
Cryptology
The areas of cryptography and cryptanalysis


Figure 3.1 Simplified Model of Symmetric Encryption

A symmetric encryption scheme has five ingredients (Figure 3.1):
■ Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.
■ Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.
■ Secret key: The secret key is also input to the encryption algorithm. The key is a value independent of the plaintext and of the algorithm. The algorithm will produce a different output depending on the specific key being used at the time. The exact substitutions and transformations performed by the algorithm depend on the key.
■ Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts. The ciphertext is an apparently random stream of data and, as it stands, is unintelligible.
■ Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.

Symmetric Cipher Model
There are two requirements for secure use of conventional encryption:
A strong encryption algorithm
Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure

There are two requirements for secure use of conventional encryption:
1. We need a strong encryption algorithm. At a minimum, we would like the algorithm to be such that an opponent who knows the algorithm and has access to one or more ciphertexts would be unable to decipher the ciphertext or figure out the key. This requirement is usually stated in a stronger form: The opponent should be unable to decrypt ciphertext or discover the key even if he or she is in possession of a number of ciphertexts together with the plaintext that produced each ciphertext.
2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communication using this key is readable.
We assume that it is impractical to decrypt a message on the basis of the ciphertext plus knowledge of the encryption/decryption algorithm. In other words, we do not need to keep the algorithm secret; we need to keep only the key secret. This feature of symmetric encryption is what makes it feasible for widespread use. The fact that the algorithm need not be kept secret means that manufacturers can and have developed low-cost chip implementations of data encryption algorithms. These chips are widely available and incorporated into a number of products. With the use of symmetric encryption, the principal security problem is maintaining the secrecy of the key.

Figure 3.2 Model of Symmetric Cryptosystem

Let us take a closer look at the essential elements of a symmetric encryption scheme, using Figure 3.2.

Cryptographic Systems
Characterized along three independent dimensions:
The type of operations used for transforming plaintext to ciphertext
Substitution
Transposition
The number of keys used
Symmetric, single-key, secret-key, conventional encryption
Asymmetric, two-key, or public-key encryption
The way in which the plaintext is processed
Block cipher
Stream cipher

Cryptographic systems are characterized along three independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (i.e., that all operations are reversible). Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions.
2. The number of keys used. If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and receiver use different keys, the system is referred to as asymmetric, two-key, or public-key encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.

Cryptanalysis and Brute-Force Attack
Cryptanalysis
Attack relies on the nature of the algorithm plus some knowledge of the general characteristics of the plaintext
Attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used
Brute-force attack
Attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained
On average, half of all possible keys must be tried to achieve success

Typically, the objective of attacking an encryption system is to recover the key in use rather than simply to recover the plaintext of a single ciphertext. There are two general approaches to attacking a conventional encryption scheme:
• Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext–ciphertext pairs. This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used.
• Brute-force attack: The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.
If either type of attack succeeds in deducing the key, the effect is catastrophic: All future and past messages encrypted with that key are compromised.

Table 3.1 Types of Attacks on Encrypted Messages
Type of Attack: Known to Cryptanalyst
Ciphertext Only: encryption algorithm; ciphertext
Known Plaintext: encryption algorithm; ciphertext; one or more plaintext–ciphertext pairs formed with the secret key
Chosen Plaintext: encryption algorithm; ciphertext; plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key
Chosen Ciphertext: encryption algorithm; ciphertext; ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key
Chosen Text: encryption algorithm; ciphertext; plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key; ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key

Table 3.1 summarizes the various types of cryptanalytic attacks based on the
amount of information known to the cryptanalyst. The most difficult problem is
presented when all that is available is the ciphertext only. In some cases, not even
the encryption algorithm is known, but in general, we can assume that the opponent
does know the algorithm used for encryption. One possible attack under these
circumstances is the brute-force approach of trying all possible keys. If the key space
is very large, this becomes impractical. Thus, the opponent must rely on an analysis
of the ciphertext itself, generally applying various statistical tests to it. To use this
approach, the opponent must have some general idea of the type of plaintext that
is concealed, such as English or French text, an EXE file, a Java source listing, an
accounting file, and so on.
The ciphertext-only attack is the easiest to defend against because the
opponent has the least amount of information to work with. In many cases, however,
the analyst has more information. The analyst may be able to capture one or more
plaintext messages as well as their encryptions. Or the analyst may know that certain
plaintext patterns will appear in a message. For example, a file that is encoded in the
Postscript format always begins with the same pattern, or there may be a standardized
header or banner to an electronic funds transfer message, and so on. All these are
examples of known plaintext. With this knowledge, the analyst may be able to deduce
the key on the basis of the way in which the known plaintext is transformed.
Closely related to the known-plaintext attack is what might be referred to as a
probable-word attack. If the opponent is working with the encryption of some general
prose message, he or she may have little knowledge of what is in the message.
However, if the opponent is after some very specific information, then parts of the
message may be known. For example, if an entire accounting file is being transmitted,
the opponent may know the placement of certain key words in the header of the
file. As another example, the source code for a program developed by Corporation
X might include a copyright statement in some standardized position.
If the analyst is able somehow to get the source system to insert into the system
a message chosen by the analyst, then a chosen-plaintext attack is possible. In general,
if the analyst is able to choose the messages to encrypt, the analyst may deliberately
pick patterns that can be expected to reveal the structure of the key.
Table 3.1 lists two other types of attack: chosen ciphertext and chosen text.
These are less commonly employed as cryptanalytic techniques but are nevertheless
possible avenues of attack.

Encryption Scheme Security
Unconditionally secure
No matter how much time an opponent has, it is impossible for him or her to decrypt the ciphertext simply because the required information is not there
Computationally secure
The cost of breaking the cipher exceeds the value of the encrypted information
The time required to break the cipher exceeds the useful lifetime of the information

Two more definitions are worthy of note. An encryption scheme is unconditionally
secure if the ciphertext generated by the scheme does not contain enough
information to determine uniquely the corresponding plaintext, no matter how
much ciphertext is available. That is, no matter how much time an opponent has, it
is impossible for him or her to decrypt the ciphertext simply because the required
information is not there. With the exception of a scheme known as the one-time pad
(described later in this chapter), there is no encryption algorithm that is unconditionally
secure. Therefore, all that the users of an encryption algorithm can strive
for is an algorithm that meets one or both of the following criteria:
• The cost of breaking the cipher exceeds the value of the encrypted information.
• The time required to break the cipher exceeds the useful lifetime of the
information.
An encryption scheme is said to be computationally secure if either of the
foregoing two criteria is met. Unfortunately, it is very difficult to estimate the
amount of effort required to cryptanalyze ciphertext successfully.
All forms of cryptanalysis for symmetric encryption schemes are designed
to exploit the fact that traces of structure or pattern in the plaintext may survive
encryption and be discernible in the ciphertext. This will become clear as we examine
various symmetric encryption schemes in this chapter. We will see in Part Three
that cryptanalysis for public-key schemes proceeds from a fundamentally different
premise, namely, that the mathematical properties of the pair of keys may make it
possible for one of the two keys to be deduced from the other.

Brute-Force Attack
Involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained
On average, half of all possible keys must be tried to achieve success
To supplement the brute-force approach, some degree of knowledge about the expected plaintext is needed, and some means of automatically distinguishing plaintext from garble is also needed

A brute-force attack involves trying every possible key until an intelligible
translation of the ciphertext into plaintext is obtained. On average, half of all possible
keys must be tried to achieve success. That is, if there are X different keys, on
average an attacker would discover the actual key after X/2 tries. It is important to
note that there is more to a brute-force attack than simply running through all possible
keys. Unless known plaintext is provided, the analyst must be able to recognize
plaintext as plaintext. If the message is just plain text in English, then the result pops
out easily, although the task of recognizing English would have to be automated. If
the text message has been compressed before encryption, then recognition is more
difficult. And if the message is some more general type of data, such as a numerical
file, and this has been compressed, the problem becomes even more difficult to
automate. Thus, to supplement the brute-force approach, some degree of knowledge
about the expected plaintext is needed, and some means of automatically
distinguishing plaintext from garble is also needed.

Strong Encryption
The term strong encryption refers to encryption schemes that make it impractically difficult for unauthorized persons or systems to gain access to plaintext that has been encrypted
Properties that make an encryption algorithm strong are:
Appropriate choice of cryptographic algorithm
Use of sufficiently long key lengths
Appropriate choice of protocols
A well-engineered implementation
Absence of deliberately introduced hidden flaws

For users, security managers, and organization executives, there is a requirement for strong encryption to protect data. The term strong encryption is an imprecise one, but in general terms, it refers to encryption schemes that make it impractically difficult for unauthorized persons or systems to gain access to plaintext that has been encrypted. [NAS18] lists the following properties that make an encryption algorithm strong: appropriate choice of cryptographic algorithm, use of sufficiently long key lengths, appropriate choice of protocols, a well-engineered implementation, and the absence of deliberately introduced hidden flaws. The first two factors relate to cryptanalysis, discussed in this section, and the third factor relates to the discussion in Part Six. The last two factors are beyond the scope of this book.

Substitution Technique
Is one in which the letters of plaintext are replaced by other letters or by numbers or symbols
If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

The two basic building blocks of all encryption techniques are substitution
and transposition. We examine these in the next two sections. Finally, we discuss a
system that combines both substitution and transposition.
A substitution technique is one in which the letters of plaintext are replaced by
other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits,
then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

Caesar Cipher
Simplest and earliest known use of a substitution cipher
Used by Julius Caesar
Involves replacing each letter of the alphabet with the letter standing three places further down the alphabet
Alphabet is wrapped around so that the letter following Z is A
plain: meet me after the toga party
cipher: PHHW PH DIWHU WKH WRJD SDUWB

The earliest known, and the simplest, use of a substitution cipher was by Julius
Caesar. The Caesar cipher involves replacing each letter of the alphabet with the
letter standing three places further down the alphabet.

Caesar Cipher Algorithm
Can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Mathematically give each letter a number
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Algorithm can be expressed as:
C = E(3, p) = (p + 3) mod 26
A shift may be of any amount, so that the general Caesar algorithm is:
C = E(k, p) = (p + k) mod 26
Where k takes on a value in the range 1 to 25; the decryption algorithm is simply:
p = D(k, C) = (C − k) mod 26

Note that the alphabet is wrapped around, so that the letter following Z is A.
An algorithm can be expressed as follows. For each plaintext letter p, substitute
the ciphertext letter C = E(3, p) = (p + 3) mod 26.

Figure 3.3 Brute-Force Cryptanalysis of Caesar Cipher

If it is known that a given ciphertext is a Caesar cipher, then a brute-force
cryptanalysis is easily performed: simply try all the 25 possible keys. Figure 3.3
shows the results of applying this strategy to the example ciphertext. In this case, the
plaintext leaps out as occupying the third line.
Three important characteristics of this problem enabled us to use a brute-force
cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.
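The Caesar transformation and the 25-key brute-force search of Figure 3.3, as an added example (not code from the Stallings text). The small word list used to recognize English output is a constructed stand-in for the automated plaintext recognizer the text says such a search needs.

```python
"""Caesar cipher, C = E(k, p) = (p + k) mod 26 and p = D(k, C) = (C - k) mod 26,
plus the brute-force search over all 25 keys described in the text.
Added example; not code from the Stallings text."""
import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext: str, k: int) -> str:
    """Shift each letter k places down the alphabet, wrapping Z back to A.
    Non-letters (spaces) pass through; ciphertext is upper-case as in the book."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            p = ALPHABET.index(ch)
            out.append(ALPHABET[(p + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """Inverse shift; plaintext is returned in lower case."""
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            c = ALPHABET.index(ch)
            out.append(ALPHABET[(c - k) % 26])
        else:
            out.append(ch)
    return "".join(out)


# Constructed mini word list: a stand-in for an automated English recognizer.
COMMON_WORDS = {"the", "me", "after", "party", "and", "of", "to", "a", "is"}


def english_score(text: str) -> int:
    """Number of whitespace-separated tokens that are common English words."""
    return sum(1 for w in text.split() if w in COMMON_WORDS)


def brute_force_caesar(ciphertext: str) -> list[tuple[int, str]]:
    """Try every key 1..25 and return (key, candidate) pairs, best score first.
    With the algorithm known and only 25 keys, recognizing the language is the
    only remaining work, which is the third characteristic the text lists."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]
    return sorted(candidates, key=lambda kc: english_score(kc[1]), reverse=True)


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)  # PHHW PH DIWHU WKH WRJD SDUWB
    for k, pt in brute_force_caesar(ct)[:3]:
        print(k, pt)
```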

Sample of Compressed Text
Figure 3.4 Sample of Compressed Text

In most networking situations, we can assume that the algorithms are known.
What generally makes brute-force cryptanalysis impractical is the use of an algorithm
that employs a large number of keys. For example, the triple DES algorithm,
examined in Chapter 7, makes use of a 168-bit key, giving a key space of 2^168 or
greater than 3.7 × 10^50 possible keys.
The third characteristic is also significant. If the language of the plaintext
is unknown, then plaintext output may not be recognizable. Furthermore, the
input may be abbreviated or compressed in some fashion, again making recognition
difficult. For example, Figure 3.4 shows a portion of a text file compressed
using an algorithm called ZIP. If this file is then encrypted with a simple substitution
cipher (expanded to include more than just 26 alphabetic characters),
then the plaintext may not be recognized when it is uncovered in the brute-force
cryptanalysis.

Monoalphabetic Cipher
Permutation
Of a finite set of elements S is an ordered sequence of all the elements of S, with each element appearing exactly once
If the “cipher” line can be any permutation of the 26 alphabetic characters, then there are 26! or greater than 4 × 10^26 possible keys
This is 10 orders of magnitude greater than the key space for DES
Approach is referred to as a monoalphabetic substitution cipher because a single cipher alphabet is used per message

With only 25 possible keys, the Caesar cipher is far from secure. A dramatic increase
in the key space can be achieved by allowing an arbitrary substitution. Before proceeding,
we define the term permutation. A permutation of a finite set of elements S
is an ordered sequence of all the elements of S, with each element appearing exactly
once.
For example, if S = {a, b, c}, there are six permutations of S:
abc, acb, bac, bca, cab, cba
In general, there are n! permutations of a set of n elements, because the first
element can be chosen in one of n ways, the second in n – 1 ways, the third in n – 2
ways, and so on.
If, instead, the “cipher” line can be any permutation of the 26 alphabetic characters,
then there are 26! or greater than 4 × 10^26 possible keys. This is 10 orders of magnitude
greater than the key space for DES and would seem to eliminate brute-force
techniques for cryptanalysis. Such an approach is referred to as a monoalphabetic
substitution cipher, because a single cipher alphabet (mapping from plain alphabet
to cipher alphabet) is used per message.

Figure 3.5 Relative Frequency of Letters in English Text

There is, however, another line of attack. If the cryptanalyst knows the nature
of the plaintext (e.g., noncompressed English text), then the analyst can exploit the
regularities of the language. To see how such a cryptanalysis might proceed, we give
a partial example here that is adapted from one in [SINK09]. The ciphertext to be
solved is
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
As a first step, the relative frequency of the letters can be determined and
compared to a standard frequency distribution for English, such as is shown in
Figure 3.5 (based on [LEWA00]). If the message were long enough, this technique
alone might be sufficient, but because this is a relatively short message, we cannot
expect an exact match. In any case, the relative frequencies of the letters in the
ciphertext (in percentages) are as follows:
P 13.33 H 5.83 F 3.33 B 1.67 C 0.00
Z 11.67 D 5.00 W 3.33 G 1.67 K 0.00
S 8.33 E 5.00 Q 2.50 Y 1.67 L 0.00
U 8.33 V 4.17 T 2.50 I 0.83 N 0.00
O 7.50 X 4.17 A 1.67 J 0.83 R 0.00
M 6.67
Comparing this breakdown with Figure 3.5, it seems likely that cipher letters P
and Z are the equivalents of plain letters e and t, but it is not certain which is which.
The letters S, U, O, M, and H are all of relatively high frequency and probably correspond
to plain letters from the set {a, h, i, n, o, r, s}. The letters with the lowest
frequencies (namely, A, B, G, Y, I, J) are likely included in the set {b, j, k, q, v, x, z}.
There are a number of ways to proceed at this point. We could make some tentative
assignments and start to fill in the plaintext to see if it looks like a reasonable
“skeleton” of a message. A more systematic approach is to look for other regularities.
For example, certain words may be known to be in the text. Or we could look for
repeating sequences of cipher letters and try to deduce their plaintext equivalents.

Monoalphabetic Ciphers
Easy to break because they reflect the frequency data of the original alphabet
Countermeasure is to provide multiple substitutes (homophones) for a single letter
Digram
Two-letter combination
Most common is th
Trigram
Three-letter combination
Most frequent is the

A powerful tool is to look at the frequency of two-letter combinations, known
as digrams. A table similar to Figure 3.5 could be drawn up showing the relative frequency
of digrams. The most common such digram is th. In our ciphertext, the most
common digram is ZW, which appears three times. So we make the correspondence
of Z with t and W with h. Then, by our earlier hypothesis, we can equate P with e.
Now notice that the sequence ZWP appears in the ciphertext, and we can translate
that sequence as “the.” This is the most frequent trigram (three-letter combination)
in English, which seems to indicate that we are on the right track.
Next, notice the sequence ZWSZ in the first line. We do not know that these
four letters form a complete word, but if they do, it is of the form th_t. If so, S
equates with a.
So far, then, we have (letters not yet identified are shown as -):
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
-t-a--------e--e-te--a-that-e-e-a-------a---t
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
---e-t---ta-t-ha-e-ee--a-e--th----t--a-
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
-e--e-e-tat--e---the--et------------

Only four letters have been identified, but already we have quite a bit of the
message. Continued analysis of frequencies plus trial and error should easily yield a
solution from this point. The complete plaintext, with spaces added between words,
follows:
it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the Viet cong in Moscow
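The frequency count, the digram search and the partial-key skeleton walked through above, computed over the same ciphertext, as an added example (the ciphertext is the one quoted in the text; the analysis code is not from the Stallings text). The tentative key holds only the four letters the text has identified at this point.

```python
"""Single-letter frequencies, digram counts and a partial-substitution skeleton
for the monoalphabetic ciphertext worked in the text.
Added example; the ciphertext is from the text, the code is not."""
from collections import Counter

# The three lines printed in the text are one continuous message (120 letters).
CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)
LINE_LENGTHS = (45, 39, 36)


def letter_frequencies(text: str) -> dict[str, float]:
    """Relative frequency in percent of every letter A..Z, rounded to 2 decimals."""
    letters = [ch for ch in text.upper() if ch.isalpha()]
    counts = Counter(letters)
    n = len(letters)
    return {ch: round(100.0 * counts[ch] / n, 2) for ch in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}


def digram_counts(text: str) -> Counter:
    """Count overlapping two-letter sequences across the whole message."""
    letters = "".join(ch for ch in text.upper() if ch.isalpha())
    return Counter(letters[i:i + 2] for i in range(len(letters) - 1))


def partial_decrypt(text: str, key: dict[str, str], unknown: str = "-") -> str:
    """Substitute the letters identified so far; the rest become `unknown`,
    giving the skeleton the text prints under each ciphertext line."""
    return "".join(key.get(ch, unknown) for ch in text)


# Hypotheses reached in the text: P=e (most frequent letter), Z=t and W=h
# (most common digram ZW = th), S=a (from ZWSZ = th_t).
TENTATIVE_KEY = {"Z": "t", "W": "h", "P": "e", "S": "a"}


def split_lines(text: str) -> list[str]:
    """Re-split the message into the three lines used in the text."""
    out, start = [], 0
    for n in LINE_LENGTHS:
        out.append(text[start:start + n])
        start += n
    return out


if __name__ == "__main__":
    freqs = letter_frequencies(CIPHERTEXT)
    for ch, pct in sorted(freqs.items(), key=lambda kv: kv[1], reverse=True)[:6]:
        print(f"{ch} {pct:5.2f}")          # P 13.33, Z 11.67, S 8.33, U 8.33, ...
    print("ZW occurs", digram_counts(CIPHERTEXT)["ZW"], "times")
    for line in split_lines(CIPHERTEXT):
        print(line)
        print(partial_decrypt(line, TENTATIVE_KEY))
```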
Monoalphabetic ciphers are easy to break because they reflect the frequency
data of the original alphabet. A countermeasure is to provide multiple substitutes,
known as homophones, for a single letter. For example, the letter e could be assigned
a number of different cipher symbols, such as 16, 74, 35, and 21, with each
homophone assigned to a letter in rotation or randomly. If the number of symbols
assigned to each letter is proportional to the relative frequency of that letter, then
single-letter frequency information is completely obliterated. The great mathematician
Carl Friedrich Gauss believed that he had devised an unbreakable cipher using
homophones. However, even with homophones, each element of plaintext affects
only one element of ciphertext, and multiple-letter patterns (e.g., digram frequencies)
still survive in the ciphertext, making cryptanalysis relatively straightforward.
Two principal methods are used in substitution ciphers to lessen the extent to
which the structure of the plaintext survives in the ciphertext: One approach is to
encrypt multiple letters of plaintext, and the other is to use multiple cipher alphabets.
We briefly examine each.

Playfair Cipher
Best-known multiple-letter encryption cipher
Treats digrams in the plaintext as single units and translates these units into ciphertext digrams
Based on the use of a 5 × 5 matrix of letters constructed using a keyword
Invented by British scientist Sir Charles Wheatstone in 1854
Used as the standard field system by the British Army in World War I and the U.S. Army and other Allied forces during World War II

The best-known multiple-letter encryption cipher is the Playfair, which treats
digrams in the plaintext as single units and translates these units into ciphertext
digrams.
The Playfair algorithm is based on the use of a 5 × 5 matrix of letters constructed
using a keyword.

Playfair Key Matrix
Fill in letters of keyword (minus duplicates) from left to right and from top to bottom, then fill in the remainder of the matrix with the remaining letters in alphabetic order
Using the keyword MONARCHY:
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

In this case, the keyword is monarchy. The matrix is constructed by filling
in the letters of the keyword (minus duplicates) from left to right and from top to
bottom, and then filling in the remainder of the matrix with the remaining letters in
alphabetic order. The letters I and J count as one letter. Plaintext is encrypted two
letters at a time, according to the following rules:
1. Repeating plaintext letters that are in the same pair are separated with a filler
letter, such as x, so that balloon would be treated as ba lx lo on.
2. Two plaintext letters that fall in the same row of the matrix are each replaced
by the letter to the right, with the first element of the row circularly following
the last. For example, ar is encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced by the
letter beneath, with the top element of the column circularly following the last.
For example, mu is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in
its own row and the column occupied by the other plaintext letter. Thus, hs
becomes BP and ea becomes IM (or JM, as the encipherer wishes).
The Playfair cipher is a great advance over simple monoalphabetic ciphers.
For one thing, whereas there are only 26 letters, there are 26 × 26 = 676 digrams, so
that identification of individual digrams is more difficult. Furthermore, the relative
frequencies of individual letters exhibit a much greater range than that of digrams,
making frequency analysis much more difficult. For these reasons, the Playfair
cipher was for a long time considered unbreakable. It was used as the standard field
system by the British Army in World War I and still enjoyed considerable use by the
U.S. Army and other Allied forces during World War II.
Despite this level of confidence in its security, the Playfair cipher is relatively
easy to break, because it still leaves much of the structure of the plaintext language
intact. A few hundred letters of ciphertext are generally sufficient.
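The MONARCHY key matrix and the four Playfair rules above in code, as an added example (not code from the Stallings text). It assumes x as the filler letter and folds J into I, as the text does.

```python
"""Playfair cipher: key matrix from a keyword plus the four rules in the text.
Added example; not code from the Stallings text."""

ALPHABET25 = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # I and J count as one letter


def build_matrix(keyword: str) -> list[list[str]]:
    """Keyword letters (minus duplicates) left to right, top to bottom, then the
    remaining letters of the alphabet in order."""
    seen: list[str] = []
    for ch in keyword.upper().replace("J", "I") + ALPHABET25:
        if ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def _positions(matrix: list[list[str]]) -> dict[str, tuple[int, int]]:
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}


def prepare(plaintext: str, filler: str = "X") -> list[str]:
    """Rule 1: split into digrams, separating a repeated pair with the filler
    (balloon -> BA LX LO ON) and padding a trailing single letter."""
    letters = [ch for ch in plaintext.upper().replace("J", "I") if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        if i + 1 < len(letters) and letters[i + 1] != a:
            pairs.append(a + letters[i + 1])
            i += 2
        else:
            pairs.append(a + filler)
            i += 1
    return pairs


def _transform(pair: str, matrix: list[list[str]], shift: int) -> str:
    """Rules 2-4. shift=+1 encrypts (right / below); shift=-1 decrypts (left / above)."""
    pos = _positions(matrix)
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                 # same row, wrap around the row
        return matrix[r1][(c1 + shift) % 5] + matrix[r2][(c2 + shift) % 5]
    if c1 == c2:                                 # same column, wrap around the column
        return matrix[(r1 + shift) % 5][c1] + matrix[(r2 + shift) % 5][c2]
    return matrix[r1][c2] + matrix[r2][c1]       # rectangle: own row, other's column


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    matrix = build_matrix(keyword)
    return "".join(_transform(p, matrix, +1) for p in prepare(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    """Inverse of the three rules; filler letters are left in place."""
    matrix = build_matrix(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform(p, matrix, -1) for p in pairs).lower()


if __name__ == "__main__":
    for row in build_matrix("MONARCHY"):
        print(" ".join(row))
    for pt in ("ar", "mu", "hs", "ea"):
        print(pt, "->", playfair_encrypt(pt, "MONARCHY"))   # RM CM BP IM
    print(prepare("balloon"), playfair_encrypt("balloon", "MONARCHY"))
```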

Figure 3.6 Relative Frequency of Occurrence of Letters

One way of revealing the effectiveness of the Playfair and other ciphers
is shown in Figure 3.6. The line labeled plaintext plots a typical frequency
distribution of the 26 alphabetic characters (no distinction between upper
and lower case) in ordinary text. This is also the frequency distribution of any
monoalphabetic substitution cipher, because the frequency values for individual
letters are the same, just with different letters substituted for the original letters.
The plot is developed in the following way: The number of occurrences of each
letter in the text is counted and divided by the number of occurrences of the
most frequently used letter. Using the results of Figure 3.5, we see that
e is the most frequently used letter. As a result, e has a relative frequency of 1, t of
9.056/12.702 ≈ 0.72, and so on. The points on the horizontal axis correspond
to the letters in order of decreasing frequency.
Figure 3.6 also shows the frequency distribution that results when the text
is encrypted using the Playfair cipher. To normalize the plot, the number of
occurrences of each letter in the ciphertext was again divided by the number of
occurrences of e in the plaintext. The resulting plot therefore shows the extent
to which the frequency distribution of letters, which makes it trivial to solve
substitution ciphers, is masked by encryption. If the frequency distribution
information were totally concealed in the encryption process, the ciphertext plot
of frequencies would be flat, and cryptanalysis using ciphertext only would be
effectively impossible. As the figure shows, the Playfair cipher has a flatter distribution
than does plaintext, but nevertheless, it reveals plenty of structure for
a cryptanalyst to work with. The plot also shows the Vigenère cipher, discussed
subsequently. The Hill and Vigenère curves on the plot are based on results
reported in [SIMM93].

Hill Cipher
Developed by the mathematician Lester Hill in 1929
Strength is that it completely hides single-letter frequencies
The use of a larger matrix hides more frequency information
A 3 x 3 Hill cipher hides not only single-letter but also two-letter frequency information
Strong against a ciphertext-only attack but easily broken with a known plaintext attack

Another interesting multiletter cipher is the Hill cipher, developed by the mathematician
Lester Hill in 1929.
Before describing the Hill cipher, let us briefly
review some terminology from linear algebra. In this discussion, we are concerned
with matrix arithmetic modulo 26. For the reader who needs a refresher on matrix
multiplication and inversion, see Appendix A.
We define the inverse M^-1 of a square matrix M by the equation
M(M^-1) = M^-1 M = I, where I is the identity matrix. I is a square matrix that is all
zeros except for ones along the main diagonal from upper left to lower right. The
inverse of a matrix does not always exist, but when it does, it satisfies the preceding
equation.
To explain how the inverse of a matrix is computed, we begin with the concept
of determinant. For any square matrix (m × m), the determinant equals the sum of
all the products that can be formed by taking exactly one element from each row
and exactly one element from each column, with certain of the product terms preceded
by a minus sign.
This encryption algorithm takes m successive plaintext letters
and substitutes for them m ciphertext letters. The substitution is determined
by m linear equations in which each character is assigned a numerical value
(a = 0, b = 1, …, z = 25).
As with Playfair, the strength of the Hill cipher is that it completely hides
single-letter frequencies. Indeed, with Hill, the use of a larger matrix hides more
frequency information. Thus, a 3 × 3 Hill cipher hides not only single-letter but
also two-letter frequency information.
Although the Hill cipher is strong against a ciphertext-only attack, it is
easily broken with a known plaintext attack.
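A 2 × 2 Hill cipher carried through with the matrix arithmetic mod 26 described above (row-vector convention C = P·K), including the matrix inverse via the determinant and the known-plaintext recovery of K that the text says makes the cipher weak. Added example, not code from the Stallings text; the key matrix and messages are constructed for the demonstration.

```python
"""2x2 Hill cipher mod 26 and a known-plaintext recovery of the key.
Added example; key matrix and messages are constructed, not from the text."""

MOD = 26
Matrix = list[list[int]]


def mod_inverse(a: int, m: int = MOD) -> int:
    """Multiplicative inverse of a modulo m; raises if gcd(a, m) != 1."""
    a %= m
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {m}")


def mat_mul(a: Matrix, b: Matrix) -> Matrix:
    """Matrix product reduced mod 26."""
    n, k, p = len(a), len(b), len(b[0])
    return [[sum(a[i][t] * b[t][j] for t in range(k)) % MOD for j in range(p)]
            for i in range(n)]


def mat_inverse_2x2(k: Matrix) -> Matrix:
    """K^-1 = det(K)^-1 * adj(K) mod 26; exists only when det(K) is invertible mod 26."""
    (a, b), (c, d) = k
    det_inv = mod_inverse(a * d - b * c)
    return [[(det_inv * d) % MOD, (det_inv * -b) % MOD],
            [(det_inv * -c) % MOD, (det_inv * a) % MOD]]


def _nums(text: str) -> list[int]:
    """a = 0, b = 1, ..., z = 25."""
    return [ord(ch) - ord("a") for ch in text.lower() if ch.isalpha()]


def _text(nums: list[int]) -> str:
    return "".join(chr(n + ord("a")) for n in nums)


def hill_encrypt(plaintext: str, key: Matrix) -> str:
    """Each pair of plaintext letters is a 1x2 row vector P; C = P*K mod 26."""
    nums = _nums(plaintext)
    if len(nums) % 2:
        nums.append(ord("x") - ord("a"))          # pad an odd-length message
    out: list[int] = []
    for i in range(0, len(nums), 2):
        out += mat_mul([nums[i:i + 2]], key)[0]
    return _text(out).upper()


def hill_decrypt(ciphertext: str, key: Matrix) -> str:
    """P = C*K^-1 mod 26."""
    inv = mat_inverse_2x2(key)
    nums = _nums(ciphertext)
    out: list[int] = []
    for i in range(0, len(nums), 2):
        out += mat_mul([nums[i:i + 2]], inv)[0]
    return _text(out)


def recover_key(known_plain: str, known_cipher: str) -> Matrix:
    """Known-plaintext attack: two plaintext pairs form P (2x2), their ciphertext
    forms C, and C = P*K gives K = P^-1 * C mod 26 (P must be invertible)."""
    p = [_nums(known_plain)[0:2], _nums(known_plain)[2:4]]
    c = [_nums(known_cipher)[0:2], _nums(known_cipher)[2:4]]
    return mat_mul(mat_inverse_2x2(p), c)


KEY: Matrix = [[9, 4], [5, 7]]   # constructed key; det = 43 = 17 (mod 26), invertible

if __name__ == "__main__":
    ct = hill_encrypt("help", KEY)
    print(ct, hill_decrypt(ct, KEY))            # FEST help
    print(recover_key("help", ct))              # [[9, 4], [5, 7]]
```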

Polyalphabetic Ciphers
Polyalphabetic substitution cipher
Improves on the simple monoalphabetic technique by using different monoalphabetic substitutions as one proceeds through the plaintext message
All these techniques have the following features in common:
A set of related monoalphabetic substitution rules is used
A key determines which particular rule is chosen for a given transformation

Another way to improve on the simple monoalphabetic technique is to use different
monoalphabetic substitutions as one proceeds through the plaintext message.
The general name for this approach is polyalphabetic substitution cipher. All these
techniques have the following features in common:
1. A set of related monoalphabetic substitution rules is used.
2. A key determines which particular rule is chosen for a given transformation.

Vigenère Cipher
Best known and one of the simplest polyalphabetic substitution ciphers
In this scheme the set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers with shifts of 0 through 25
Each cipher is denoted by a key letter which is the ciphertext letter that substitutes for the plaintext letter a

The best known, and one of the simplest, polyalphabetic ciphers
is the Vigenère cipher. In this scheme, the set of related monoalphabetic substitution
rules consists of the 26 Caesar ciphers with shifts of 0 through 25. Each cipher is
denoted by a key letter, which is the ciphertext letter that substitutes for the plaintext
letter a. Thus, a Caesar cipher with a shift of 3 is denoted by the key value 3.


Example of Vigenère Cipher
To encrypt a message, a key is needed that is as long as the message
Usually, the key is a repeating keyword
For example, if the keyword is deceptive, the message “we are discovered save yourself” is encrypted as:
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

To encrypt a message, a key is needed that is as long as the message. Usually,
the key is a repeating keyword. For example, if the keyword is deceptive, the
message “we are discovered save yourself” is encrypted as
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
The strength of this cipher is that there are multiple ciphertext letters for
each plaintext letter, one for each unique letter of the keyword. Thus, the letter
frequency information is obscured. However, not all knowledge of the plaintext
structure is lost. For example, Figure 3.6 shows the frequency distribution for a
Vigenère cipher with a keyword of length 9. An improvement is achieved over the
Playfair cipher, but considerable frequency information remains.

Vigenère Autokey System
A keyword is concatenated with the plaintext itself to provide a running key
Example:
key: deceptivewearediscoveredsav
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
Even this scheme is vulnerable to cryptanalysis
Because the key and the plaintext share the same frequency distribution of letters, a statistical technique can be applied

The periodic nature of the keyword can be eliminated by using a nonrepeating
keyword that is as long as the message itself. Vigenère proposed what is referred to
as an autokey system, in which a keyword is concatenated with the plaintext itself to
provide a running key. For our example,
key: deceptivewearediscoveredsav
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
Even this scheme is vulnerable to cryptanalysis. Because the key and the
plaintext share the same frequency distribution of letters, a statistical technique
can be applied. For example, e enciphered by e , by Figure 3.5, can be expected to
occur with a frequency of (0.127)^2 = 0.016, whereas t enciphered by t would occur
only about half as often. These regularities can be exploited to achieve successful
cryptanalysis.

Vernam Cipher
Figure 3.7 Vernam Cipher

The ultimate defense against such a cryptanalysis is to choose a
keyword that is as long as the plaintext and has no statistical relationship to it. Such
a system was introduced by an AT&T engineer named Gilbert Vernam in 1918.
His system works on binary data (bits) rather than letters.
The essence of this technique is the means of construction of the key. Vernam
proposed the use of a running loop of tape that eventually repeated the key, so
that in fact the system worked with a very long but repeating keyword. Although
such a scheme, with a long key, presents formidable cryptanalytic difficulties, it
can be broken with sufficient ciphertext, the use of known or probable plaintext
sequences, or both.


One-Time Pad
Improvement to Vernam cipher proposed by an Army Signal Corp officer, Joseph Mauborgne
Use a random key that is as long as the message so that the key need not be repeated
Key is used to encrypt and decrypt a single message and then is discarded
Each new message requires a new key of the same length as the new message
Scheme is unbreakable
Produces random output that bears no statistical relationship to the plaintext
Because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code

An Army Signal Corps officer, Joseph Mauborgne, proposed an improvement to the
Vernam cipher that yields the ultimate in security. Mauborgne suggested using a
random key that is as long as the message, so that the key need not be repeated. In
addition, the key is to be used to encrypt and decrypt a single message, and then is
discarded. Each new message requires a new key of the same length as the new message.
Such a scheme, known as a one-time pad , is unbreakable. It produces random
output that bears no statistical relationship to the plaintext. Because the ciphertext
contains no information whatsoever about the plaintext, there is simply no way to
break the code.
In fact, given any plaintext of equal length to the ciphertext, there is a key that
produces that plaintext. Therefore, if you did an exhaustive search of all possible
keys, you would end up with many legible plaintexts, with no way of knowing which
was the intended plaintext. Therefore, the code is unbreakable.
The security of the one-time pad is entirely due to the randomness of
the key. If the stream of characters that constitute the key is truly random, then the
stream of characters that constitute the ciphertext will be truly random. Thus, there
are no patterns or regularities that a cryptanalyst can use to attack the ciphertext.
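The Vernam/one-time pad operation on bits, as an added example that is not part of the slides. It shows the XOR pad, the point made above that for any plaintext of equal length there is a key producing it (so exhaustive search learns nothing), and why the pad must be used for a single message only. The demo message and pad are constructed values.

```python
import secrets


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings (Vernam's operation on bits)."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length):
    """A fresh, uniformly random pad; the OS CSPRNG is the practical stand-in
    for Mauborgne's truly random key. Generate a new one for every message."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, pad):
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext, pad):
    return xor_bytes(ciphertext, pad)


def pad_explaining(ciphertext, candidate_plaintext):
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there is a pad that maps the ciphertext to it, so a brute-force
    search over pads yields every legible message and singles out none."""
    return xor_bytes(ciphertext, candidate_plaintext)


def reuse_leak(c1, c2):
    """Why the pad is single-use: if the same pad encrypts two messages,
    c1 XOR c2 = p1 XOR p2 and the pad has dropped out entirely."""
    return xor_bytes(c1, c2)


# Constructed demo values (not from the slides): a 14-byte message and a fixed
# 14-byte pad so the run is reproducible; in practice use new_pad(len(msg)).
DEMO_MESSAGE = b"attack at dawn"
DEMO_PAD = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2")

if __name__ == "__main__":
    ct = otp_encrypt(DEMO_MESSAGE, DEMO_PAD)
    print(ct.hex(), otp_decrypt(ct, DEMO_PAD))
    # the same ciphertext "decrypts" to a completely different message under another pad
    print(otp_decrypt(ct, pad_explaining(ct, b"retreat at six")))
```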

Difficulties
The one-time pad offers complete security but, in practice, has two fundamental difficulties:
There is the practical problem of making large quantities of random keys
Any heavily used system might require millions of random characters on a regular basis
Mammoth key distribution problem
For every message to be sent, a key of equal length is needed by both sender and receiver
Because of these difficulties, the one-time pad is of limited utility
Useful primarily for low-bandwidth channels requiring very high security
The one-time pad is the only cryptosystem that exhibits perfect secrecy (see Appendix F)

In theory, we need look no further for a cipher. The one-time pad offers complete
security but, in practice, has two fundamental difficulties:
1. There is the practical problem of making large quantities of random keys.
Any heavily used system might require millions of random characters
on a regular basis. Supplying truly random characters in this volume is a
significant task.
2. Even more daunting is the problem of key distribution and protection. For
every message to be sent, a key of equal length is needed by both sender and
receiver. Thus, a mammoth key distribution problem exists.
Because of these difficulties, the one-time pad is of limited utility and is useful
primarily for low-bandwidth channels requiring very high security.
The one-time pad is the only cryptosystem that exhibits what is referred to as
perfect secrecy . This concept is explored in Appendix B.


Rail Fence Cipher
Simplest transposition cipher
Plaintext is written down as a sequence of diagonals and then read off as a sequence of rows
To encipher the message “meet me after the toga party” with a rail fence of depth 2, we would write:
m e m a t r h t g p r y
 e t e f e t e o a a t
Encrypted message is:
MEMATRHTGPRYETEFETEOAAT

All the techniques examined so far involve the substitution of a ciphertext symbol
for a plaintext symbol. A very different kind of mapping is achieved by performing
some sort of permutation on the plaintext letters. This technique is referred to as a
transposition cipher.
The simplest such cipher is the rail fence technique, in which the plaintext is
written down as a sequence of diagonals and then read off as a sequence of rows.
For example, to encipher the message “meet me after the toga party” with a rail
fence of depth 2, we write the following:
m e m a t r h t g p r y
 e t e f e t e o a a t
The encrypted message is
MEMATRHTGPRYETEFETEOAAT

Row Transposition Cipher
Is a more complex transposition
Write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns
The order of the columns then becomes the key to the algorithm
Key: 4 3 1 2 5 6 7
Plaintext: a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

A more complex scheme is
to write the message in a rectangle, row by row, and read the message off, column
by column, but permute the order of the columns. The order of the columns then
becomes the key to the algorithm. For example,
Key: 4 3 1 2 5 6 7
Plaintext: a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
Thus, in this example, the key is 4312567. To encrypt, start with the column
that is labeled 1, in this case column 3. Write down all the letters in that column.
Proceed to column 4, which is labeled 2, then column 2, then column 1, then
columns 5, 6, and 7.
A pure transposition cipher is easily recognized because it has the same letter
frequencies as the original plaintext. For the type of columnar transposition just
shown, cryptanalysis is fairly straightforward and involves laying out the ciphertext
in a matrix and playing around with column positions. Digram and trigram
frequency tables can be useful.
The transposition cipher can be made significantly more secure by performing
more than one stage of transposition. The result is a more complex permutation
that is not easily reconstructed.
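Both transposition ciphers above (rail fence and row/columnar transposition), as an added example that is not part of the slides, using the slides' own messages and key. It also shows the two points the notes make: a pure transposition keeps the plaintext letter frequencies, and a second stage of transposition yields a combined permutation.

```python
from collections import Counter


def _letters(text):
    return [c for c in text.lower() if c.isalpha()]


def _rail_pattern(n, depth):
    """Row index visited by each of n letters written in a zig-zag of `depth` rows."""
    rows, row, step = [], 0, 1
    for _ in range(n):
        rows.append(row)
        if depth == 1:
            continue
        if row == 0:
            step = 1
        elif row == depth - 1:
            step = -1
        row += step
    return rows


def rail_fence_encrypt(plaintext, depth=2):
    """Write as diagonals (zig-zag), read off row by row."""
    letters = _letters(plaintext)
    pattern = _rail_pattern(len(letters), depth)
    rails = ["".join(c for c, r in zip(letters, pattern) if r == k) for k in range(depth)]
    return "".join(rails).upper()


def rail_fence_decrypt(ciphertext, depth=2):
    ct = ciphertext.lower()
    pattern = _rail_pattern(len(ct), depth)
    # slice the ciphertext into its rails, then replay the zig-zag to re-interleave
    rails, pos = [], 0
    for k in range(depth):
        n_k = pattern.count(k)
        rails.append(list(ct[pos:pos + n_k]))
        pos += n_k
    return "".join(rails[r].pop(0) for r in pattern)


def _column_order(key):
    """Column indices in the order they are read: the column labelled 1 first."""
    return sorted(range(len(key)), key=lambda i: key[i])


def row_transposition_encrypt(plaintext, key):
    """Write row by row into len(key) columns, read column by column in key order."""
    letters = _letters(plaintext)
    ncols = len(key)
    if len(letters) % ncols:
        raise ValueError("message must fill the rectangle (pad it, as with xyz)")
    rows = [letters[i:i + ncols] for i in range(0, len(letters), ncols)]
    return "".join(row[c] for c in _column_order(key) for row in rows).upper()


def row_transposition_decrypt(ciphertext, key):
    ct = ciphertext.lower()
    ncols, nrows = len(key), len(ciphertext) // len(key)
    grid = [[""] * ncols for _ in range(nrows)]
    pos = 0
    for c in _column_order(key):  # refill the columns in the order they were read
        for r in range(nrows):
            grid[r][c] = ct[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def double_transposition_encrypt(plaintext, key):
    """Two stages with the same key: the combined permutation is much harder to undo by hand."""
    return row_transposition_encrypt(row_transposition_encrypt(plaintext, key), key)


def same_letter_frequencies(plaintext, ciphertext):
    """A pure transposition is recognisable because the letter counts are unchanged."""
    return Counter(_letters(plaintext)) == Counter(_letters(ciphertext))


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))
    print(row_transposition_encrypt("attackpostponeduntiltwoamxyz", [4, 3, 1, 2, 5, 6, 7]))
```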

Summary
Present an overview of the main concepts of symmetric cryptography
Explain the difference between cryptanalysis and brute-force attack
Understand the operation of a monoalphabetic substitution cipher
Understand the operation of a polyalphabetic cipher
Present an overview of the Hill cipher

Chapter 3 summary.

Copyright
This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 2

Introduction to Number Theory

Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 2 – “Introduction to Number Theory”.
Number theory is pervasive in cryptographic algorithms. This chapter provides sufficient breadth and depth of coverage of relevant number theory topics for understanding the wide range of applications in cryptography. The reader familiar with these topics can safely skip this chapter.
The first three sections introduce basic concepts from number theory that are needed for understanding finite fields; these include divisibility, the Euclidean algorithm, and modular arithmetic. The reader may study these sections now or wait until ready to tackle Chapter 5 on finite fields.
Sections 2.4 through 2.8 discuss aspects of number theory related to prime numbers and discrete logarithms. These topics are fundamental to the design of asymmetric (public-key) cryptographic algorithms. The reader may study these sections now or wait until ready to read Part Three.
The concepts and techniques of number theory are quite abstract, and it is often difficult to grasp them intuitively without examples. Accordingly, this chapter includes a number of examples, each of which is highlighted in a shaded box.


Learning Objectives 1 of 2
Understand the concept of divisibility and the division algorithm.
Understand how to use the Euclidean algorithm to find the greatest common divisor.
Present an overview of the concepts of modular arithmetic.
Explain the operation of the extended Euclidean algorithm.
Discuss key concepts relating to prime numbers.

Learning Objectives 2 of 2
Understand Fermat’s theorem.
Understand Euler’s theorem.
Define Euler’s totient function.
Make a presentation on the topic of testing for primality.
Explain the Chinese remainder theorem.
Define discrete logarithms

Divisibility
We say that a nonzero b divides a if a = mb for some m, where a, b, and m are integers
b divides a if there is no remainder on division
The notation b | a is commonly used to mean b divides a
If b | a we say that b is a divisor of a
The positive divisors of 24 are 1, 2, 3, 4, 6, 8, 12, and 24
13 | 182; −5 | 30; 17 | 289; −3 | 33; 17 | 0

We say that a nonzero b divides a if a = mb for some m, where a, b, and m are integers. That is, b divides a if there is no remainder on division.
The notation b | a is commonly used to mean b divides a. Also, if b | a, we say that b is a divisor of a.

Properties of Divisibility (1 of 2)
If a | 1, then a = ±1
If a | b and b | a, then a = ±b
Any b ≠ 0 divides 0
If a | b and b | c, then a | c
11 | 66 and 66 | 198 imply 11 | 198
If b | g and b | h, then b | (mg + nh) for arbitrary integers m and n

Subsequently, we will need some simple properties of divisibility for integers, which are as follows:
• If a|1, then a = ±1.
• If a|b and b|a, then a = ±b.
• Any b ≠ 0 divides 0.
• If a | b and b | c, then a | c.
• If b|g and b|h, then b|(mg + nh) for arbitrary integers m and n.

Properties of Divisibility (2 of 2)
To see this last point, note that:
If b | g , then g is of the form g = b * g1 for some integer g1
If b | h , then h is of the form h = b * h1 for some integer h1
So:
mg + nh = mbg1 + nbh1 = b * (mg1 + nh1 )
and therefore b divides mg + nh
b = 7; g = 14; h = 63; m = 3; n = 2
7 | 14 and 7 | 63.
To show 7 | (3 * 14 + 2 * 63),
we have (3 * 14 + 2 * 63) = 7(3 * 2 + 2 * 9),
and it is obvious that 7 | (7(3 * 2 + 2 * 9)).

To see this last point, note that
• If b | g, then g is of the form g = b * g1 for some integer g1.
• If b | h, then h is of the form h = b * h1 for some integer h1.
So
mg + nh = mbg1 + nbh1 = b * (mg1 + nh1)
and therefore b divides mg + nh.

Division Algorithm
Given any positive integer n and any nonnegative integer a, if we divide a by n we get an integer quotient q and an integer remainder r that obey the following relationship:
a = qn + r
0 ≤ r < n; q = ⌊a/n⌋

Given any positive integer n and any nonnegative integer a, if we divide a by n, we get an integer quotient q and an integer remainder r that obey the following relationship:
a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
which is referred to as the division algorithm.

Figure 2.1 The Relationship a = qn + r; 0 ≤ r < n
Figure 2.1a demonstrates that, given a and positive n, it is always possible to find q and r that satisfy the preceding relationship. Represent the integers on the number line; a will fall somewhere on that line (positive a is shown; a similar demonstration can be made for negative a). Starting at 0, proceed to n, 2n, up to qn such that qn ≤ a and (q + 1)n > a. The distance from qn to a is r, and we have found the unique values of q and r. The remainder r is often referred to as a residue.
For example:
a = 11; n = 7; 11 = 1 × 7 + 4; r = 4, q = 1
a = −11; n = 7; −11 = (−2) × 7 + 3; r = 3, q = −2
Figure 4.1b provides another example.


Euclidean Algorithm
One of the basic techniques of number theory
Procedure for determining the greatest common divisor of two positive integers
Two integers are relatively prime if their only common positive integer factor is 1

One of the basic techniques of number theory is the Euclidean algorithm, which
is a simple procedure for determining the greatest common divisor of two positive
integers. First, we need a simple definition: Two integers are relatively prime if their
only common positive integer factor is 1.

Greatest Common Divisor (GCD)
The greatest common divisor of a and b is the largest integer that divides both a and b
We can use the notation gcd(a,b) to mean the greatest common divisor of a and b
We also define gcd(0,0) = 0
Positive integer c is said to be the gcd of a and b if:
c is a divisor of a and b
Any divisor of a and b is a divisor of c
An equivalent definition is:
gcd(a,b) = max[k, such that k | a and k | b]

Recall that nonzero b is defined to be a divisor of a if a = mb for some m, where a, b, and
m are integers. We will use the notation gcd(a, b) to mean the greatest common divisor
of a and b. The greatest common divisor of a and b is the largest integer that divides
both a and b. We also define gcd(0, 0) = 0.
More formally, the positive integer c is said to be the greatest common divisor
of a and b if
1. c is a divisor of a and of b.
2. Any divisor of a and b is a divisor of c.
An equivalent definition is the following:
gcd(a, b) = max[k, such that k | a and k | b]


GCD
Because we require that the greatest common divisor be positive, gcd(a,b) = gcd(a, −b) = gcd(−a,b) = gcd(−a, −b)
In general, gcd(a,b) = gcd(| a |, | b |)
gcd(60, 24) = gcd(60, −24) = 12
Also, because all nonzero integers divide 0, we have gcd(a,0) = | a |
We stated that two integers a and b are relatively prime if their only common positive integer factor is 1; this is equivalent to saying that a and b are relatively prime if gcd(a,b) = 1
8 and 15 are relatively prime because the positive divisors of 8 are 1, 2, 4, and 8, and the positive divisors of 15 are 1, 3, 5, and 15. So 1 is the only integer on both lists.

Because we require that the greatest common divisor be positive, gcd(a, b) =
gcd(a, −b) = gcd(−a, b) = gcd(−a, −b). In general, gcd(a, b) = gcd(|a|, |b|).
Also, because all nonzero integers divide 0, we have gcd(a, 0) = |a|.
We stated that two integers a and b are relatively prime if their only common
positive integer factor is 1. This is equivalent to saying that a and b are relatively
prime if gcd(a, b) = 1.

Figure 2.2 Euclidean Algorithm

We now describe an algorithm credited to Euclid for easily finding the greatest
common divisor of two integers (Figure 2.2). This algorithm has broad significance
in cryptography.

Figure 2.3 Euclidean Algorithm Example: gcd(710, 310)

We can find the greatest common divisor of two integers by repetitive application
of the division algorithm. This scheme is known as the Euclidean algorithm.
Figure 2.3 illustrates a simple example.

Table 2.1 Euclidean Algorithm Example

In this example, we begin by dividing 1160718174 by 316258250, which gives 3
with a remainder of 211943424. Next we take 316258250 and divide it by 211943424.
The process continues until we get a remainder of 0, yielding a result of 1078.

Modular Arithmetic (1 of 3)
The modulus
If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n; the integer n is called the modulus
Thus, for any integer a:
a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
a = ⌊a/n⌋ * n + (a mod n)
11 mod 7 = 4; −11 mod 7 = 3

If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n. The integer n is called the modulus. Thus, for any integer a:
a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
a = ⌊a/n⌋ * n + (a mod n)

Modular Arithmetic (2 of 3)
Congruent modulo n
Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n)
This is written as a ≡ b (mod n)
Note that if a ≡ 0 (mod n), then n | a
73 ≡ 4 (mod 23); 21 ≡ −9 (mod 10)

Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n). This is written as a ≡ b (mod n). Note that if a ≡ 0 (mod n), then n | a.

Properties of Congruences
Congruences have the following properties:
1. a ≡ b (mod n) if n | (a − b)
2. a ≡ b (mod n) implies b ≡ a (mod n)
3. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)
To demonstrate the first point, if n | (a − b), then (a − b) = kn for some k. So we can write a = b + kn. Therefore,
(a mod n) = (remainder when b + kn is divided by n) = (remainder when b is divided by n) = (b mod n)
23 ≡ 8 (mod 5) because 23 − 8 = 15 = 5 * 3
−11 ≡ 5 (mod 8) because −11 − 5 = −16 = 8 * (−2)
81 ≡ 0 (mod 27) because 81 − 0 = 81 = 27 * 3

Modular Arithmetic (3 of 3)
Modular arithmetic exhibits the following properties:
1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) − (b mod n)] mod n = (a − b) mod n
3. [(a mod n) * (b mod n)] mod n = (a * b) mod n
We demonstrate the first property. Define (a mod n) = ra and (b mod n) = rb. Then we can write a = ra + jn for some integer j and b = rb + kn for some integer k. Then:
(a + b) mod n = (ra + jn + rb + kn) mod n
= (ra + rb + (k + j)n) mod n
= (ra + rb) mod n
= [(a mod n) + (b mod n)] mod n

Thamizharasan Dhanaseelan (TD) - Remaining Properties
Examples of the three remaining properties:
11 mod 8 = 3; 15 mod 8 = 7
[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2
(11 + 15) mod 8 = 26 mod 8 = 2
[(11 mod 8) − (15 mod 8)] mod 8 = −4 mod 8 = 4
(11 − 15) mod 8 = −4 mod 8 = 4
[(11 mod 8) * (15 mod 8)] mod 8 = 21 mod 8 = 5
(11 * 15) mod 8 = 165 mod 8 = 5
The remaining properties are proven as easily. Here are examples of the three properties.

Table 2.2 (a) Arithmetic Modulo 8
Table 2.2a and Table 2.2b provide an illustration of modular addition and multiplication modulo 8. Looking at addition, the results are straightforward, and there is a regular pattern to the matrix. Both matrices are symmetric about the main diagonal in conformance to the commutative property of addition and multiplication.

Table 2.2 (b) Multiplication Modulo 8
Similarly, the entries in the multiplication table are straightforward. In ordinary arithmetic, there is a multiplicative inverse, or reciprocal, to each integer. In modular arithmetic mod 8, the multiplicative inverse of x is the integer y such that (x * y) mod 8 = 1 mod 8. Now, to find the multiplicative inverse of an integer from the multiplication table, scan across the matrix in the row for that integer to find the value 1; the integer at the top of that column is the multiplicative inverse; thus, (3 * 3) mod 8 = 1. Note that not all integers mod 8 have a multiplicative inverse; more about that later.

Table 2.2 (c) Additive and Multiplicative Inverse Modulo 8
As in ordinary addition, there is an additive inverse, or negative, to each integer in modular arithmetic. In this case, the negative of an integer x is the integer y such that (x + y) mod 8 = 0. To find the additive inverse of an integer in the left-hand column, scan across the corresponding row of the matrix to find the value 0; the integer at the top of that column is the additive inverse; thus, (2 + 6) mod 8 = 0.
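The Euclidean algorithm (Figure 2.3, Table 2.1), the extended Euclidean algorithm laid out as in Table 2.4 below, and the multiplicative and additive inverses mod 8 just discussed, as one added Python example that is not part of the slides. The extended algorithm is what replaces the table scan: an inverse exists exactly when the algorithm returns d = 1.

```python
def euclid_trace(a, b):
    """Repeated division algorithm: list of (dividend, divisor, quotient, remainder)
    rows, the layout of Table 2.1; the last nonzero divisor is gcd(a, b)."""
    a, b = abs(a), abs(b)
    rows = []
    while b:
        q, r = divmod(a, b)
        rows.append((a, b, q, r))
        a, b = b, r
    return rows


def gcd(a, b):
    """gcd(a, b) = gcd(|a|, |b|); gcd(a, 0) = |a|; gcd(0, 0) = 0."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a, b):
    """Extended Euclidean algorithm in the layout of Table 2.4.
    Returns (d, x, y, rows) with a*x + b*y = d = gcd(a, b); rows are
    (i, r_i, q_i, x_i, y_i) with q_i = r_{i-2} // r_{i-1},
    r_i = r_{i-2} - q_i*r_{i-1} and the same recurrence for x_i and y_i."""
    r_prev, r = a, b
    x_prev, x = 1, 0
    y_prev, y = 0, 1
    rows = [(-1, a, None, 1, 0), (0, b, None, 0, 1)]
    i = 0
    while r != 0:
        i += 1
        q = r_prev // r
        r_prev, r = r, r_prev - q * r
        x_prev, x = x, x_prev - q * x
        y_prev, y = y, y_prev - q * y
        # once the remainder hits 0 the table leaves x_i and y_i blank
        rows.append((i, r, q, x, y) if r != 0 else (i, r, q, None, None))
    return r_prev, x_prev, y_prev, rows


def mod_inverse(a, n):
    """Multiplicative inverse of a in Z_n, or None when gcd(a, n) != 1."""
    d, x, _, _ = extended_gcd(a % n, n)
    return x % n if d == 1 else None


def additive_inverse(w, n):
    """The z with (w + z) mod n = 0, e.g. (2 + 6) mod 8 = 0."""
    return (-w) % n


def invertible(n):
    """Elements of Z_n that have a multiplicative inverse (those coprime to n)."""
    return [w for w in range(1, n) if mod_inverse(w, n) is not None]


if __name__ == "__main__":
    for row in extended_gcd(1759, 550)[3]:
        print(row)
    print(gcd(1160718174, 316258250), invertible(8))
```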
Table 2.3 Properties of Modular Arithmetic for Integers in Zn
Property                 Expression
Commutative Laws         (w + x) mod n = (x + w) mod n
                         (w × x) mod n = (x × w) mod n
Associative Laws         [(w + x) + y] mod n = [w + (x + y)] mod n
                         [(w × x) × y] mod n = [w × (x × y)] mod n
Distributive Law         [w × (x + y)] mod n = [(w × x) + (w × y)] mod n
Identities               (0 + w) mod n = w mod n
                         (1 × w) mod n = w mod n
Additive Inverse (−w)    For each w ∈ Zn, there exists a z such that w + z ≡ 0 mod n

If we perform modular arithmetic within Zn, the properties shown in Table 2.3 hold for integers in Zn. We show in the next section that this implies that Zn is a commutative ring with a multiplicative identity element. In general, an integer has a multiplicative inverse in Zn if that integer is relatively prime to n. Table 2.2c in the text shows that the integers 1, 3, 5, and 7 have a multiplicative inverse in Z8, but 2, 4, and 6 do not.

Table 2.4 Extended Euclidean Algorithm Example
i      ri      qi     xi      yi
−1     1759           1       0
0      550            0       1
1      109     3      1       −3
2      5       5      −5      16
3      4       21     106     −339
4      1       1      −111    355
5      0       4
Result: d = 1; x = −111; y = 355
Example of the Extended Euclidean Algorithm.

Prime Numbers
Prime numbers only have divisors of 1 and itself
They cannot be written as a product of other numbers
Prime numbers are central to number theory
Any integer a > 1 can be factored in a unique way as
a = p1^a1 * p2^a2 * ... * pt^at
where p1 < p2 < ... < pt are prime numbers and where each ai is a positive integer
This is known as the fundamental theorem of arithmetic

An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p. Prime numbers play a critical role in number theory and in the techniques discussed in this chapter.
Any integer a > 1 can be factored in a unique way as
a = p1^a1 * p2^a2 * ... * pt^at
where p1 < p2 < ... < pt are prime numbers and where each ai is a positive integer. This is known as the fundamental theorem of arithmetic; a proof can be found in any text on number theory.

Table 2.5 Primes Under 2000
Table 2.5 shows the primes less than 2000. Note the way the primes are distributed. In particular, note the number of primes in each range of 100 numbers.

Fermat’s Theorem
States the following: If p is prime and a is a positive integer not divisible by p, then a^(p−1) ≡ 1 (mod p)
An alternate form is: If p is prime and a is a positive integer, then a^p ≡ a (mod p)

Two theorems that play important roles in public-key cryptography are Fermat’s theorem and Euler’s theorem. Fermat’s theorem states the following: If p is prime and a is a positive integer not divisible by p, then a^(p−1) ≡ 1 (mod p). An alternative form of Fermat’s theorem is also useful: If p is prime and a is a positive integer, then a^p ≡ a (mod p).

Table 2.6 Some Values of Euler’s Totient Function ø(n)
n    ø(n)      n    ø(n)      n    ø(n)
1    1         11   10        21   12
2    1         12   4         22   10
3    2         13   12        23   22
4    2         14   6         24   8
5    4         15   8         25   20
6    2         16   8         26   12
7    6         17   16        27   18
8    4         18   6         28   12
9    6         19   18        29   28
10   4         20   8         30   8

Before presenting Euler’s theorem, we need to introduce an important quantity in number theory, referred to as Euler’s totient function, written ø(n), and defined as the number of positive integers less than n and relatively prime to n. By convention, ø(1) = 1. Table 2.6 lists the first 30 values of ø(n). The value ø(1) is without meaning but is defined to have the value 1. It should be clear that, for a prime number p, ø(p) = p − 1.

Euler’s Theorem
States that for every a and n that are relatively prime: a^ø(n) ≡ 1 (mod n)
An alternate form is: a^(ø(n)+1) ≡ a (mod n)
Euler’s theorem states that for every a and n that are relatively prime: a^ø(n) ≡ 1 (mod n). As is the case for Fermat’s theorem, an alternative form of the theorem is also useful: a^(ø(n)+1) ≡ a (mod n).

Miller-Rabin Algorithm
Typically used to test a large number for primality
Algorithm is:
TEST(n)
1. Find integers k, q, with k > 0, q odd, so that (n − 1) = 2^k q;
2. Select a random integer a, 1 < a < n − 1;
3. if a^q mod n = 1 then return ("inconclusive");
4. for j = 0 to k − 1 do
       if (a^(2^j q) mod n = n − 1) then return ("inconclusive");
5. return ("composite");

The algorithm due to Miller and Rabin [MILL75, RABI80] is typically used to test a large number for primality. The procedure TEST takes a candidate integer n as input and returns the result composite if n is definitely not a prime, and the result inconclusive if n may or may not be a prime.
How can we use the Miller-Rabin algorithm to determine with a high degree of confidence whether or not an integer is prime? It can be shown [KNUT98] that given an odd number n that is not prime and a randomly chosen integer a, with 1 < a < n − 1, the probability that TEST will return inconclusive (i.e., fail to detect that n is not prime) is less than 1/4. Thus, if t different values of a are chosen, the probability that all of them will pass TEST (return inconclusive) for n is less than (1/4)^t. For example, for t = 10, the probability that a nonprime number will pass all ten tests is less than 10^−6. Thus, for a sufficiently large value of t, we can be confident that n is prime if Miller’s test always returns inconclusive.
This gives us a basis for determining whether an odd integer n is prime with a reasonable degree of confidence. The procedure is as follows: Repeatedly invoke TEST(n) using randomly chosen values for a. If, at any point, TEST returns composite, then n is determined to be nonprime. If TEST continues to return inconclusive for t tests, then for a sufficiently large value of t, assume that n is prime.
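The Miller-Rabin TEST(n) above with the repeated-trial procedure from the notes, plus Euler’s totient function and checks of Fermat’s and Euler’s theorems from the preceding slides, as one added Python example that is not part of the slides. 561 is a constructed test value: it is 3 × 11 × 17, so TEST must report it composite.

```python
import math
import random


def split_power_of_two(n):
    """Write n - 1 = 2^k * q with q odd (step 1 of TEST)."""
    k, q = 0, n - 1
    while q % 2 == 0:
        k += 1
        q //= 2
    return k, q


def miller_rabin_test(n, a):
    """TEST(n) for one base a, as on the slide: returns 'inconclusive'
    (n may be prime) or 'composite' (n is definitely not prime). n is odd, > 2."""
    k, q = split_power_of_two(n)
    x = pow(a, q, n)                 # a^q mod n
    if x == 1:
        return "inconclusive"
    for _ in range(k):               # a^(2^j q) for j = 0 .. k-1, by repeated squaring
        if x == n - 1:
            return "inconclusive"
        x = (x * x) % n
    return "composite"


def is_probable_prime(n, t=10, rng=random):
    """Repeat TEST with t random bases. A single 'composite' settles it; t times
    'inconclusive' leaves an error probability below (1/4)^t."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(t):
        a = rng.randrange(2, n - 1)  # 1 < a < n - 1
        if miller_rabin_test(n, a) == "composite":
            return False
    return True


def euler_totient(n):
    """ø(n): count of positive integers <= n coprime to n (gives ø(1) = 1, Table 2.6)."""
    return sum(1 for k in range(1, n + 1) if math.gcd(k, n) == 1)


def fermat_holds(a, p):
    """a^(p-1) ≡ 1 (mod p) for prime p not dividing a."""
    return pow(a, p - 1, p) == 1


def euler_holds(a, n):
    """a^ø(n) ≡ 1 (mod n) whenever gcd(a, n) = 1."""
    return pow(a, euler_totient(n), n) == 1


if __name__ == "__main__":
    print(miller_rabin_test(561, 2), is_probable_prime(1759))
    print([euler_totient(n) for n in range(1, 31)])
```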
Deterministic Primality Algorithm
Prior to 2002 there was no known method of efficiently proving the primality of very large numbers
All of the algorithms in use produced a probabilistic result
In 2002 Agrawal, Kayal, and Saxena developed an algorithm that efficiently determines whether a given large number is prime
Known as the AKS algorithm
Does not appear to be as efficient as the Miller-Rabin algorithm

Prior to 2002, there was no known method of efficiently proving the primality of very large numbers. All of the algorithms in use, including the most popular (Miller-Rabin), produced a probabilistic result. In 2002 (announced in 2002, published in 2004), Agrawal, Kayal, and Saxena [AGRA04] developed a relatively simple deterministic algorithm that efficiently determines whether a given large number is a prime. The algorithm, known as the AKS algorithm, does not appear to be as efficient as the Miller-Rabin algorithm. Thus far, it has not supplanted this older, probabilistic technique.

Chinese Remainder Theorem (CRT)
Believed to have been discovered by the Chinese mathematician Sun-Tsu in around 100 A.D.
One of the most useful results of number theory
Says it is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli
Can be stated in several ways
Provides a way to manipulate (potentially very large) numbers mod M in terms of tuples of smaller numbers
This can be useful when M is 150 digits or more
However, it is necessary to know beforehand the factorization of M

One of the most useful results of number theory is the Chinese remainder theorem (CRT). In essence, the CRT says it is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli. The CRT can be stated in several ways. We present here a formulation that is most useful from the point of view of this text. An alternative formulation is explored in Problem 2.33. One of the useful features of the Chinese remainder theorem is that it provides a way to manipulate (potentially very large) numbers mod M in terms of tuples of smaller numbers. This can be useful when M is 150 digits or more. However, note that it is necessary to know beforehand the factorization of M.

Table 2.7 Powers of Integers, Modulo 19
Table 2.7 shows all the powers of a, modulo 19, for all positive a < 19. The length of the sequence for each base value is indicated by shading. Note the following:
1. All sequences end in 1. This is consistent with the reasoning of the preceding few paragraphs.
2. The length of a sequence divides ø(19) = 18. That is, an integral number of sequences occur in each row of the table.
3. Some of the sequences are of length 18. In this case, it is said that the base integer a generates (via powers) the set of nonzero integers modulo 19. Each such integer is called a primitive root of the modulus 19.
More generally, we can say that the highest possible exponent to which a number can belong (mod n) is ø(n). If a number is of this order, it is referred to as a primitive root of n. The importance of this notion is that if a is a primitive root of n, then its powers a, a^2, ..., a^ø(n) are distinct (mod n) and are all relatively prime to n. In particular, for a prime number p, if a is a primitive root of p, then a, a^2, ..., a^(p−1) are distinct (mod p). For the prime number 19, its primitive roots are 2, 3, 10, 13, 14, and 15.
Not all integers have primitive roots. In fact, the only integers with primitive roots are those of the form 2, 4, p^a, and 2p^a, where p is any odd prime and a is a positive integer. The proof is not simple but can be found in many number theory books, including [ORE76].
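The CRT reconstruction and residue-tuple arithmetic described above, together with the sequence lengths, primitive roots and discrete logarithms of Tables 2.7 and 2.8, as one added Python example that is not part of the slides. The slides do not spell out the CRT formula; the M_i × (M_i^−1 mod m_i) construction used here is the standard one and is an assumption, as are the demo values 973, 678 and the moduli 37 and 49.

```python
from math import gcd


def crt_reconstruct(residues, moduli):
    """Unique x in [0, M) with x ≡ r_i (mod m_i), M = product of the pairwise
    relatively prime m_i. Standard construction: x = sum r_i * M_i * (M_i^-1 mod m_i)."""
    for i, m in enumerate(moduli):
        for m2 in moduli[i + 1:]:
            if gcd(m, m2) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for r, m in zip(residues, moduli):
        M_i = M // m
        x += r * M_i * pow(M_i, -1, m)  # pow(b, -1, m) is the modular inverse (Python 3.8+)
    return x % M


def to_residues(x, moduli):
    """The tuple of small residues that represents x mod M."""
    return [x % m for m in moduli]


def crt_multiply(a, b, moduli):
    """Multiply mod M by working on the residue tuples, then reconstruct."""
    ra, rb = to_residues(a, moduli), to_residues(b, moduli)
    return crt_reconstruct([(x * y) % m for x, y, m in zip(ra, rb, moduli)], moduli)


def multiplicative_order(a, p):
    """Length of the sequence a, a^2, ... until it first reaches 1 (mod p), p prime."""
    x, k = a % p, 1
    while x != 1:
        x = (x * a) % p
        k += 1
    return k


def primitive_roots(p):
    """Bases whose powers run through every nonzero residue: order ø(p) = p - 1."""
    return [a for a in range(1, p) if multiplicative_order(a, p) == p - 1]


def discrete_log_table(g, p):
    """dlog_g(x) for every nonzero x mod p (one row of Table 2.8); g must be a primitive root."""
    return {pow(g, i, p): i for i in range(p - 1)}


def discrete_log(g, x, p):
    return discrete_log_table(g, p)[x % p]


if __name__ == "__main__":
    print(crt_reconstruct([11, 42], [37, 49]), crt_multiply(973, 678, [37, 49]))
    print(primitive_roots(19), discrete_log(2, 5, 19))
```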
Table 2.8 Tables of Discrete Logarithms, Modulo 19 (1 of 2)
Table 2.8, which is directly derived from Table 2.7, shows the sets of discrete logarithms that can be defined for modulus 19.

Table 2.8 Tables of Discrete Logarithms, Modulo 19 (2 of 2)

Summary
Understand the concept of divisibility and the division algorithm
Understand how to use the Euclidean algorithm to find the greatest common divisor
Present an overview of the concepts of modular arithmetic
Explain the operation of the extended Euclidean algorithm
Discuss key concepts relating to prime numbers
Understand Fermat’s theorem
Understand Euler’s theorem
Define Euler’s totient function
Make a presentation on the topic of testing for primality
Explain the Chinese remainder theorem
Define discrete logarithms
Chapter 2 summary.

Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 4

Block Ciphers and the Data Encryption Standard

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 4 – “Block Ciphers and the Data Encryption Standard”.
The objective of this chapter is to illustrate the principles of modern symmetric
ciphers. For this purpose, we focus on the most widely used symmetric cipher: the Data
Encryption Standard (DES). Although numerous symmetric ciphers have been developed
since the introduction of DES, and although it is destined to be replaced by the
Advanced Encryption Standard (AES), DES remains the most important such algorithm.
Furthermore, a detailed study of DES provides an understanding of the principles
used in other symmetric ciphers.
This chapter begins with a discussion of the general principles of symmetric block
ciphers, which are the principal type of symmetric ciphers studied in this book. The
other form of symmetric ciphers, stream ciphers, are discussed in Chapter 8. Next, we
cover full DES. Following this look at a specific algorithm, we return to a more general
discussion of block cipher design.
Several important symmetric block encryption algorithms in current use are based
on a structure referred to as a Feistel block cipher [FEIS73]. For that reason, it is
important to examine the design principles of the Feistel cipher. We begin with a
comparison of stream ciphers and block ciphers. Then we discuss the motivation for
the Feistel block cipher structure. Finally, we discuss some of its implications.
1

Learning Objectives
Understand the distinction between stream ciphers and block ciphers.
Present an overview of the Feistel cipher and explain how decryption is the inverse of encryption.
Present an overview of Data Encryption Standard (DES).
Explain the concept of the avalanche effect.
Discuss the cryptographic strength of DES.
Summarize the principal block cipher design principles.

Stream Cipher (1 of 2)
Encrypts a digital data stream one bit or one byte at a time
Examples:
Autokeyed Vigenère cipher
Vernam cipher
In the ideal case, a one-time pad version of the Vernam cipher would be used, in which the keystream is as long as the plaintext bit stream
If the cryptographic keystream is random, then this cipher is unbreakable by any means other than acquiring the keystream
Keystream must be provided to both users in advance via some independent and secure channel
This introduces insurmountable logistical problems if the intended data traffic is very large

A stream cipher is one that encrypts a digital data stream one bit or one byte at
a time. Examples of classical stream ciphers are the autokeyed Vigenère cipher
and the Vernam cipher. In the ideal case, a one-time pad version of the Vernam
cipher would be used (Figure 3.7), in which the keystream (ki ) is as long as the
plaintext bit stream (pi ). If the cryptographic keystream is random, then this cipher
is unbreakable by any means other than acquiring the keystream. However, the
keystream must be provided to both users in advance via some independent and
secure channel. This introduces insurmountable logistical problems if the intended
data traffic is very large.
Accordingly, for practical reasons, the bit-stream generator must be
implemented as an algorithmic procedure, so that the cryptographic bit stream
can be produced by both users. In this approach (Figure 4.1a), the bit-stream
generator is a key-controlled algorithm and must produce a bit stream that is
cryptographically strong. That is, it must be computationally impractical to
predict future portions of the bit stream based on previous portions of the bit
stream. The two users need only share the generating key, and each can produce
the keystream.
3

Stream Cipher (2 of 2)
For practical reasons the bit-stream generator must be implemented as an algorithmic procedure so that the cryptographic bit stream can be produced by both users
It must be computationally impractical to predict future portions of the bit stream based on previous portions of the bit stream
The two users need only share the generating key and each can produce the keystream

4

Block Cipher
A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length
Typically a block size of 64 or 128 bits is used
As with a stream cipher, the two users share a symmetric encryption key
The majority of network-based symmetric cryptographic applications make use of block ciphers

A block cipher is one in which a block of plaintext is treated as a whole
and used to produce a ciphertext block of equal length. Typically, a block size of
64 or 128 bits is used. As with a stream cipher, the two users share a symmetric
encryption key (Figure 4.1b). Using some of the modes of operation explained
in Chapter 7, a block cipher can be used to achieve the same effect as a stream
cipher.
Far more effort has gone into analyzing block ciphers. In general, they seem
applicable to a broader range of applications than stream ciphers. The vast majority
of network-based symmetric cryptographic applications make use of block
ciphers. Accordingly, the concern in this chapter, and in our discussions throughout
the book of symmetric encryption, will primarily focus on block ciphers.
5

Figure 4.1 Stream Cipher and Block Cipher

Examples of stream and block ciphers.
6

Figure 4.2 General n-bit-n-bit Block Substitution (shown with n = 4)

A block cipher operates on a plaintext block of n bits to produce a ciphertext
block of n bits. There are 2^n possible different plaintext blocks and, for the
encryption to be reversible (i.e., for decryption to be possible), each must produce
a unique ciphertext block. Such a transformation is called reversible, or nonsingular.
Figure 4.2 illustrates the logic of a general substitution cipher for n = 4.
A 4-bit input produces one of 16 possible input states, which is mapped by the substitution
cipher into a unique one of 16 possible output states, each of which is represented
by 4 ciphertext bits.
7

Table 4.1 Encryption and Decryption Tables for Substitution Cipher of Figure 4.2
Plaintext Ciphertext
0000 1110
0001 0100
0010 1101
0011 0001
0100 0010
0101 1111
0110 1011
0111 1000
1000 0011
1001 1010
1010 0110
1011 1100
1100 0101
1101 1001
1110 0000
1111 0111

Ciphertext Plaintext
0000 1110
0001 0011
0010 0100
0011 1000
0100 0001
0101 1100
0110 1010
0111 1111
1000 0111
1001 1101
1010 1001
1011 0110
1100 1011
1101 0010
1110 0000
1111 0101

The encryption and decryption mappings can be defined
by a tabulation, as shown in Table 4.1. This is the most general form of block cipher
and can be used to define any reversible mapping between plaintext and ciphertext.
Feistel refers to this as the ideal block cipher, because it allows for the maximum
number of possible encryption mappings from the plaintext block [FEIS75].
8

Feistel Cipher
Feistel proposed the use of a cipher that alternates substitutions and permutations
Substitutions
Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements
Permutation
No elements are added or deleted or replaced in the sequence, rather the order in which the elements appear in the sequence is changed
Is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions
Is the structure used by many significant symmetric block ciphers currently in use

Feistel proposed [FEIS73] that we can approximate the ideal block cipher by utilizing
the concept of a product cipher, which is the execution of two or more simple ciphers
in sequence in such a way that the final result or product is cryptographically stronger
than any of the component ciphers. The essence of the approach is to develop a block
cipher with a key length of k bits and a block length of n bits, allowing a total of 2^k
possible transformations, rather than the 2^n! transformations available with the ideal
block cipher.
In particular, Feistel proposed the use of a cipher that alternates substitutions
and permutations, where these terms are defined as follows:
• Substitution: Each plaintext element or group of elements is uniquely replaced
by a corresponding ciphertext element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a permutation
of that sequence. That is, no elements are added or deleted or replaced in the
sequence, rather the order in which the elements appear in the sequence is
changed.
In fact, Feistel’s is a practical application of a proposal by Claude Shannon
to develop a product cipher that alternates confusion and diffusion functions
[SHAN49]. We look next at these concepts of diffusion and confusion and then
present the Feistel cipher. But first, it is worth commenting on this remarkable fact:
The Feistel cipher structure, which dates back over a quarter century and which, in
turn, is based on Shannon’s proposal of 1945, is the structure used by many significant
symmetric block ciphers currently in use.
In particular, the Feistel structure
is used for Triple Data Encryption Algorithm (TDEA), which is one of the two
encryption algorithms (along with AES), approved for general use by the National
Institute of Standards and Technology (NIST). The Feistel structure is also used for
several schemes for format-preserving encryption, which have recently come into
prominence. In addition, the Camellia block cipher is a Feistel structure; it is one
of the possible symmetric ciphers in TLS and a number of other Internet security
protocols. Both TDEA and format-preserving encryption are covered in Chapter 7.
9

Diffusion and Confusion
Terms introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system
Shannon’s concern was to thwart cryptanalysis based on statistical analysis
Diffusion
The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext
This is achieved by having each plaintext digit affect the value of many ciphertext digits
Confusion
Seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible
Even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key

The terms diffusion and confusion were introduced by
Claude Shannon to capture the two basic building blocks for any cryptographic
system [SHAN49]. Shannon’s concern was to thwart cryptanalysis based on statistical
analysis. The reasoning is as follows. Assume the attacker has some knowledge
of the statistical characteristics of the plaintext. For example, in a human-readable
message in some language, the frequency distribution of the various letters may be
known. Or there may be words or phrases likely to appear in the message (probable
words). If these statistics are in any way reflected in the ciphertext, the cryptanalyst
may be able to deduce the encryption key, part of the key, or at least a set of keys
likely to contain the exact key. In what Shannon refers to as a strongly ideal cipher,
all statistics of the ciphertext are independent of the particular key used. The arbitrary
substitution cipher that we discussed previously (Figure 4.2) is such a cipher,
but as we have seen, it is impractical.
Other than recourse to ideal systems, Shannon suggests two methods for
frustrating statistical cryptanalysis: diffusion and confusion. In diffusion, the
statistical structure of the plaintext is dissipated into long-range statistics of the
ciphertext. This is achieved by having each plaintext digit affect the value of many
ciphertext digits; generally, this is equivalent to having each ciphertext digit be
affected by many plaintext digits.
Every block cipher involves a transformation of a block of plaintext into a
block of ciphertext, where the transformation depends on the key. The mechanism
of diffusion seeks to make the statistical relationship between the plaintext and
ciphertext as complex as possible in order to thwart attempts to deduce the key. On
the other hand, confusion seeks to make the relationship between the statistics of
the ciphertext and the value of the encryption key as complex as possible, again to
thwart attempts to discover the key. Thus, even if the attacker can get some handle
on the statistics of the ciphertext, the way in which the key was used to produce that
ciphertext is so complex as to make it difficult to deduce the key. This is achieved by
the use of a complex substitution algorithm. In contrast, a simple linear substitution
function would add little confusion.
As [ROBS95b] points out, so successful are diffusion and confusion in capturing
the essence of the desired attributes of a block cipher that they have become the
cornerstone of modern block cipher design.
10

Figure 4.3 Feistel Encryption and Decryption (16 rounds)

The left-hand side of Figure 4.3 depicts the structure
proposed by Feistel. The inputs to the encryption algorithm are a plaintext block of
length 2w bits and a key K. The plaintext block is divided into two halves, LE_0 and RE_0.
The two halves of the data pass through n rounds of processing and then combine to
produce the ciphertext block. Each round i has as inputs LE_{i-1} and RE_{i-1} derived from
the previous round, as well as a subkey K_i derived from the overall K. In general,
the subkeys K_i are different from K and from each other. In Figure 4.3, 16 rounds
are used, although any number of rounds could be implemented.
All rounds have the same structure. A substitution is performed on the left half
of the data. This is done by applying a round function F to the right half of the data
and then taking the exclusive-OR of the output of that function and the left half of the
data. The round function has the same general structure for each round but is parameterized
by the round subkey K_i. Another way to express this is to say that F is a function
of the right-half block of w bits and a subkey of y bits, which produces an output value
of length w bits: F(RE_i, K_{i+1}). Following this substitution, a permutation is performed
that consists of the interchange of the two halves of the data. This structure is a particular
form of the substitution-permutation network (SPN) proposed by Shannon.
11

Feistel Cipher Design Features (1 of 2)
Block size
Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm
Key size
Larger key size means greater security but may decrease encryption/decryption speeds
Number of rounds
The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security
Subkey generation algorithm
Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis

The exact realization of a Feistel network depends on the choice of the following
parameters and design features:
• Block size: Larger block sizes mean greater security (all other things being
equal) but reduced encryption/decryption speed for a given algorithm. The
greater security is achieved by greater diffusion. Traditionally, a block size of
64 bits has been considered a reasonable tradeoff and was nearly universal in
block cipher design. However, the new AES uses a 128-bit block size.
• Key size: Larger key size means greater security but may decrease encryption/
decryption speed. The greater security is achieved by greater resistance to
brute-force attacks and greater confusion. Key sizes of 64 bits or less are now
widely considered to be inadequate, and 128 bits has become a common size.
• Number of rounds: The essence of the Feistel cipher is that a single round
offers inadequate security but that multiple rounds offer increasing security.
A typical size is 16 rounds.
• Subkey generation algorithm: Greater complexity in this algorithm should
lead to greater difficulty of cryptanalysis.
• Round function F: Again, greater complexity generally means greater resistance
to cryptanalysis.
There are two other considerations in the design of a Feistel cipher:
• Fast software encryption/decryption: In many cases, encryption is embedded in
applications or utility functions in such a way as to preclude a hardware implementation.
Accordingly, the speed of execution of the algorithm becomes a
concern.
• Ease of analysis: Although we would like to make our algorithm as difficult as
possible to cryptanalyze, there is great benefit in making the algorithm easy to
analyze. That is, if the algorithm can be concisely and clearly explained, it is
easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore
develop a higher level of assurance as to its strength. DES, for example, does
not have an easily analyzed functionality.
12

Feistel Cipher Design Features (2 of 2)
Round function F
Greater complexity generally means greater resistance to cryptanalysis
Fast software encryption/decryption
In many cases, encryption is embedded in applications or utility functions in such a way as to preclude a hardware implementation; accordingly, the speed of execution of the algorithm becomes a concern
Ease of analysis
If the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength

13

Feistel Example

The process of decryption with a Feistel cipher
is essentially the same as the encryption process. The rule is as follows: Use the
ciphertext as input to the algorithm, but use the subkeys K_i in reverse order. That
is, use K_n in the first round, K_{n-1} in the second round, and so on, until K_1 is used in
the last round. This is a nice feature, because it means we need not implement two
different algorithms, one for encryption and one for decryption.
14

Data Encryption Standard (DES)
Issued in 1977 by the National Bureau of Standards (now NIST) as Federal Information Processing Standard 46
Was the most widely used encryption scheme until the introduction of the Advanced Encryption Standard (AES) in 2001
Algorithm itself is referred to as the Data Encryption Algorithm (DEA)
Data are encrypted in 64-bit blocks using a 56-bit key
The algorithm transforms 64-bit input in a series of steps into a 64-bit output
The same steps, with the same key, are used to reverse the encryption

Until the introduction of the Advanced Encryption Standard (AES) in 2001, the
Data Encryption Standard (DES) was the most widely used encryption scheme.
DES was issued in 1977 by the National Bureau of Standards, now the National
Institute of Standards and Technology (NIST), as Federal Information Processing
Standard 46 (FIPS PUB 46). The algorithm itself is referred to as the Data
Encryption Algorithm (DEA). For DEA, data are encrypted in 64-bit blocks using
a 56-bit key. The algorithm transforms 64-bit input in a series of steps into a 64-bit
output. The same steps, with the same key, are used to reverse the encryption.
Over the years, DES became the dominant symmetric encryption algorithm,
especially in financial applications. In 1994, NIST reaffirmed DES for federal use
for another five years; NIST recommended the use of DES for applications other
than the protection of classified information. In 1999, NIST issued a new version
of its standard (FIPS PUB 46-3) that indicated that DES should be used only for
legacy systems and that triple DES (which in essence involves repeating the DES
algorithm three times on the plaintext using two or three different keys to produce
the ciphertext) be used. We study triple DES in Chapter 7. Because the underlying
encryption and decryption algorithms are the same for DES and triple DES, it
remains important to understand the DES cipher. This section provides an overview.
For the interested reader, Appendix C provides further detail.
15

Figure 4.5 General Depiction of DES Encryption Algorithm

The overall scheme for DES encryption is illustrated in Figure 4.5. As with any encryption
scheme, there are two inputs to the encryption function: the plaintext to be
encrypted and the key. In this case, the plaintext must be 64 bits in length and the
key is 56 bits in length.
Looking at the left-hand side of the figure, we can see that the processing
of the plaintext proceeds in three phases. First, the 64-bit plaintext passes through
an initial permutation (IP) that rearranges the bits to produce the permuted input .
This is followed by a phase consisting of sixteen rounds of the same function, which
involves both permutation and substitution functions. The output of the last (sixteenth)
round consists of 64 bits that are a function of the input plaintext and the
key. The left and right halves of the output are swapped to produce the preoutput .
Finally, the preoutput is passed through a permutation (IP^-1) that is the inverse of
the initial permutation function, to produce the 64-bit ciphertext. With the exception
of the initial and final permutations, DES has the exact structure of a Feistel
cipher, as shown in Figure 4.3.
The right-hand portion of Figure 4.5 shows the way in which the 56-bit key is
used. Initially, the key is passed through a permutation function. Then, for each of
the sixteen rounds, a subkey (K_i) is produced by the combination of a left circular
shift and a permutation. The permutation function is the same for each round, but a
different subkey is produced because of the repeated shifts of the key bits.
As with any Feistel cipher, decryption uses the same algorithm as encryption,
except that the application of the subkeys is reversed. Additionally, the initial and
final permutations are reversed.
16

Table 4.2 DES Example
Note: DES subkeys are shown as eight 6-bit values in hex format

We now work through an example and consider some of its implications. Although
you are not expected to duplicate the example by hand, you will find it informative
to study the hex patterns that occur from one step to the next.
For this example, the plaintext is a hexadecimal palindrome. The plaintext,
key, and resulting ciphertext are as follows:
Plaintext: 02468aceeca86420
Key: 0f1571c947d9e859
Ciphertext: da02ce3a89ecac3b
Table 4.2 shows the progression of the algorithm. The first row shows the 32-bit
values of the left and right halves of data after the initial permutation. The next 16
rows show the results after each round. Also shown is the value of the 48-bit subkey
generated for each round. Note that L_i = R_{i-1}. The final row shows the left- and
right-hand values after the inverse initial permutation. These two values combined
form the ciphertext.
17

Table 4.3 Avalanche Effect in DES: Change in Plaintext

A desirable property of any encryption algorithm is that a small change in either
the plaintext or the key should produce a significant change in the ciphertext. In
particular, a change in one bit of the plaintext or one bit of the key should produce
a change in many bits of the ciphertext. This is referred to as the avalanche effect. If
the change were small, this might provide a way to reduce the size of the plaintext
or key space to be searched.
Using the example from Table 4.2, Table 4.3 shows the result when the fourth
bit of the plaintext is changed, so that the plaintext is 12468aceeca86420. The
second column of the table shows the intermediate 64-bit values at the end of each
round for the two plaintexts. The third column shows the number of bits that differ
between the two intermediate values. The table shows that, after just three rounds,
18 bits differ between the two blocks. On completion, the two ciphertexts differ in
32 bit positions.
18

Table 4.4 Avalanche Effect in DES: Change in Key

Table 4.4 shows a similar test using the original plaintext with two keys that
differ in only the fourth bit position: the original key, 0f1571c947d9e859, and
the altered key, 1f1571c947d9e859. Again, the results show that about half of
the bits in the ciphertext differ and that the avalanche effect is pronounced after just
a few rounds.
19
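As an added example (not code from the slides or the book), a toy 16-round Feistel network in Python that ties together the structure of Figure 4.3, the decryption rule from the Feistel Example slide (same network, subkeys in reverse order), and a round-by-round avalanche measurement in the style of Tables 4.3 and 4.4. The round function F and the key schedule are stand-ins built from SHA-256 (an assumption made for this example), not the DES F function or DES key schedule, so the ciphertexts are not the DES values of Table 4.2; the plaintexts and keys are the ones from the slides.

```python
"""Toy 16-round Feistel network.

Added example, not code from the Stallings slides or book. It shows the
structure of Figure 4.3, the decryption rule (same network, subkeys in
reverse order) and a round-by-round avalanche measurement in the style of
Tables 4.3 and 4.4. ASSUMPTION: the round function F and the key schedule
are stand-ins built from SHA-256; they are not the DES F function or DES
key schedule, so the outputs are not the DES values of Table 4.2.
"""
import hashlib
from typing import List, Optional

W = 32                  # half-block width w; block length is 2w = 64 bits
MASK = (1 << W) - 1
ROUNDS = 16


def subkeys(key: bytes, rounds: int = ROUNDS) -> List[int]:
    """Toy key schedule: K_i = first w bits of SHA-256(key || i), i = 1..n."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, rounds + 1)]


def round_function(right: int, subkey: int) -> int:
    """F(RE_i, K_{i+1}): w-bit right half and subkey -> w-bit output (toy F)."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block: int, ks: List[int], trace: Optional[List[int]] = None) -> int:
    """Run the network with the subkeys applied in the order given in ks.

    Round i:  L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i).
    The halves are swapped once more at the end; that final swap is what
    lets the same function decrypt when ks is reversed.
    If trace is given, the 64-bit state after each round is appended to it.
    """
    left, right = block >> W, block & MASK
    for k in ks:
        left, right = right, left ^ round_function(right, k)
        if trace is not None:
            trace.append((left << W) | right)
    return (right << W) | left


def encrypt(block: int, key: bytes, trace: Optional[List[int]] = None) -> int:
    """Encrypt one 64-bit block (given as an int) under an 8-byte key."""
    return feistel(block, subkeys(key), trace)


def decrypt(block: int, key: bytes) -> int:
    """Same network; K_n is used in the first round, ..., K_1 in the last."""
    return feistel(block, subkeys(key)[::-1])


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def avalanche(p1: int, p2: int, key: bytes) -> List[int]:
    """Bits differing between the two intermediate states after each round."""
    t1: List[int] = []
    t2: List[int] = []
    encrypt(p1, key, t1)
    encrypt(p2, key, t2)
    return [hamming(x, y) for x, y in zip(t1, t2)]


if __name__ == "__main__":
    # Plaintexts and keys taken from the slides' DES example (Tables 4.2-4.4).
    p1 = int("02468aceeca86420", 16)
    p2 = int("12468aceeca86420", 16)        # fourth plaintext bit flipped
    k1 = bytes.fromhex("0f1571c947d9e859")
    k2 = bytes.fromhex("1f1571c947d9e859")  # fourth key bit flipped
    c1 = encrypt(p1, k1)
    assert decrypt(c1, k1) == p1
    print("ciphertext:", f"{c1:016x}")
    for i, d in enumerate(avalanche(p1, p2, k1), 1):
        print(f"round {i:2d}: {d:2d} bits differ")
    print("key change:", hamming(c1, encrypt(p1, k2)), "ciphertext bits differ")
```

After round 1 exactly one bit differs (the flipped plaintext bit has only been XORed into the right half), and from round 3 on the count settles around half of the 64 bits, which is the behaviour Table 4.3 reports for DES.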

Table 4.5 Average Time Required for Exhaustive Key Search
Key Size (bits) | Cipher | Number of Alternative Keys | Time Required at 10^9 Decryptions/s | Time Required at 10^13 Decryptions/s
56 | DES | 2^56 ≈ 7.2 × 10^16 | 2^55 ns = 1.125 years | 1 hour
128 | AES | 2^128 ≈ 3.4 × 10^38 | 2^127 ns = 5.3 × 10^21 years | 5.3 × 10^17 years
168 | Triple DES | 2^168 ≈ 3.7 × 10^50 | 2^167 ns = 5.8 × 10^33 years | 5.8 × 10^29 years
192 | AES | 2^192 ≈ 6.3 × 10^57 | 2^191 ns = 9.8 × 10^40 years | 9.8 × 10^36 years
256 | AES | 2^256 ≈ 1.2 × 10^77 | 2^255 ns = 1.8 × 10^60 years | 1.8 × 10^56 years
26 characters (permutation) | Monoalphabetic | 26! = 4 × 10^26 | 2 × 10^26 ns = 6.3 × 10^9 years | 6.3 × 10^6 years

Since its adoption as a federal standard, there have been lingering concerns about
the level of security provided by DES. These concerns, by and large, fall into two
areas: key size and the nature of the algorithm.
With a key length of 56 bits, there are 2^56 possible keys, which is approximately
7.2 × 10^16 keys. Thus, on the face of it, a brute-force attack appears impractical.
Assuming that, on average, half the key space has to be searched, a single machine
performing one DES encryption per microsecond would take more than a thousand
years to break the cipher.
However, the assumption of one encryption per microsecond is overly conservative.
As far back as 1977, Diffie and Hellman postulated that the technology
existed to build a parallel machine with 1 million encryption devices, each of which
could perform one encryption per microsecond [DIFF77]. This would bring the
average search time down to about 10 hours. The authors estimated that the cost
would be about $20 million in 1977 dollars.
With current technology, it is not even necessary to use special, purpose-built
hardware. Rather, the speed of commercial, off-the-shelf processors threatens the
security of DES. A recent paper from Seagate Technology [SEAG08] suggests that
a rate of 1 billion (10^9) key combinations per second is reasonable for today’s multicore
computers. Recent offerings confirm this. Both Intel and AMD now offer
hardware-based instructions to accelerate the use of AES. Tests run on a contemporary
multicore Intel machine resulted in an encryption rate of about half a billion
encryptions per second [BASU12]. Another recent analysis suggests that with
contemporary supercomputer technology, a rate of 10^13 encryptions per second is
reasonable [AROR12].
With these results in mind, Table 4.5 shows how much time is required for
a brute-force attack for various key sizes. As can be seen, a single PC can break
DES in about a year; if multiple PCs work in parallel, the time is drastically shortened.
And today’s supercomputers should be able to find a key in about an hour.
Key sizes of 128 bits or greater are effectively unbreakable using simply a brute-force
approach. Even if we managed to speed up the attacking system by a factor
of 1 trillion (10^12), it would still take over 100,000 years to break a code using a
128-bit key.
Fortunately, there are a number of alternatives to DES, the most important of
which are AES and triple DES, discussed in Chapters 6 and 7, respectively.
20

Strength of DES
Timing attacks
One in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts
Exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs
So far it appears unlikely that this technique will ever be successful against DES or more powerful symmetric ciphers such as triple DES and AES

We discuss timing attacks in more detail in Part Three, as they relate to public-key
algorithms. However, the issue may also be relevant for symmetric ciphers. In essence,
a timing attack is one in which information about the key or the plaintext is obtained
by observing how long it takes a given implementation to perform decryptions on
various ciphertexts. A timing attack exploits the fact that an encryption or decryption
algorithm often takes slightly different amounts of time on different inputs. [HEVI99]
reports on an approach that yields the Hamming weight (number of bits equal to one)
of the secret key. This is a long way from knowing the actual key, but it is an intriguing
first step. The authors conclude that DES appears to be fairly resistant to a successful
timing attack but suggest some avenues to explore. Although this is an interesting line
of attack, it so far appears unlikely that this technique will ever be successful against
DES or more powerful symmetric ciphers such as triple DES and AES.
21

Block Cipher Design Principles: Number of Rounds
The greater the number of rounds, the more difficult it is to perform cryptanalysis
In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack
If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a brute-force key search

The cryptographic strength of a Feistel cipher derives from three aspects of the
design: the number of rounds, the function F, and the key schedule algorithm. Let
us look first at the choice of the number of rounds.
The greater the number of rounds, the more difficult it is to perform cryptanalysis,
even for a relatively weak F. In general, the criterion should be that the
number of rounds is chosen so that known cryptanalytic efforts require greater
effort than a simple brute-force key search attack. This criterion was certainly used
in the design of DES. Schneier [SCHN96] observes that for 16-round DES, a differential
cryptanalysis attack is slightly less efficient than brute force: The differential
cryptanalysis attack requires 2^55.1 operations, whereas brute force requires 2^55. If
DES had 15 or fewer rounds, differential cryptanalysis would require less effort
than a brute-force key search.
This criterion is attractive, because it makes it easy to judge the strength of
an algorithm and to compare different algorithms. In the absence of a cryptanalytic
breakthrough, the strength of any algorithm that satisfies the criterion can be
judged solely on key length.
22

Block Cipher Design Principles: Design of Function F
The heart of a Feistel block cipher is the function F
The more nonlinear F, the more difficult any type of cryptanalysis will be
The SAC and BIC criteria appear to strengthen the effectiveness of the confusion function
The algorithm should have good avalanche properties
Strict avalanche criterion (SAC)
States that any output bit j of an S-box should change with probability 1/2 when any single input bit i is inverted, for all i, j
Bit independence criterion (BIC)
States that output bits j and k should change independently when any single input bit i is inverted, for all i, j, and k

The heart of a Feistel block cipher is the function F, which provides the element
of confusion in a Feistel cipher. Thus, it must be difficult to “unscramble” the
substitution performed by F. One obvious criterion is that F be nonlinear, as we
discussed previously. The more nonlinear F, the more difficult any type of cryptanalysis
will be. There are several measures of nonlinearity, which are beyond
the scope of this book. In rough terms, the more difficult it is to approximate F
by a set of linear equations, the more nonlinear F is.
Several other criteria should be considered in designing F. We would like the
algorithm to have good avalanche properties. Recall that, in general, this means that
a change in one bit of the input should produce a change in many bits of the output.
A more stringent version of this is the strict avalanche criterion (SAC) [WEBS86],
which states that any output bit j of an S-box (see Appendix C for a discussion of
S-boxes) should change with probability 1/2 when any single input bit i is inverted
for all i, j. Although SAC is expressed in terms of S-boxes, a similar criterion could
be applied to F as a whole. This is important when considering designs that do not
include S-boxes.
Another criterion proposed in [WEBS86] is the bit independence criterion
(BIC), which states that output bits j and k should change independently when any
single input bit i is inverted for all i, j, and k. The SAC and BIC criteria appear to
strengthen the effectiveness of the confusion function.
23

Block Cipher Design Principles: Key Schedule Algorithm
With any Feistel block cipher, the key is used to generate one subkey for each round
In general, we would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key
It is suggested that, at a minimum, the key schedule should guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion

With any Feistel block cipher, the key is used to generate one subkey for each
round. In general, we would like to select subkeys to maximize the difficulty of
deducing individual subkeys and the difficulty of working back to the main key. No
general principles for this have yet been promulgated.
Adams suggests [ADAM94] that, at minimum, the key schedule should
guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence
Criterion.
24

Summary
Explain the concept of the avalanche effect
Discuss the cryptographic strength of DES
Summarize the principal block cipher design principles
Understand the distinction between stream ciphers and block ciphers
Present an overview of the Feistel cipher and explain how decryption is the inverse of encryption
Present an overview of Data Encryption Standard (DES)

Chapter 4 summary.
25

Copyright
This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.


26


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 6

Advanced Encryption Standard

Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 6 – “Advanced Encryption Standard”.
The Advanced Encryption Standard (AES) was published by the National Institute
of Standards and Technology (NIST) in 2001. AES is a symmetric block cipher that
is intended to replace DES as the approved standard for a wide range of applications.
[NECH01], available from NIST, summarizes the evaluation criteria used by NIST to select from among the candidates for AES, plus the rationale for picking Rijndael, which was the winning candidate. This material is useful in understanding not just the AES design but also the criteria by which to judge any symmetric encryption algorithm. The essence of the criteria was to develop an algorithm with a high level of security and good performance on a range of systems.
It is worth making additional comment about the performance of AES. Because of the popularity of AES, a number of efforts have been made to improve performance through both software and hardware optimization. Most notably, in 2008, Intel introduced the Advanced Encryption Standard New Instructions (AES-NI) as a hardware extension to the x86 instruction set to improve the speed of encryption and decryption. The AES-NI instruction enables x86 processors to achieve a performance of 0.64 cycles/byte for an authenticated encryption mode known as AES-GCM (described in Chapter 12).
In 2018, Intel added vectorized instructions, referred to as VAES*, to the existing AES-NI for its high-end processors [INTE17]. These instructions are intended to push the performance of AES software further down, to a new theoretical throughput of 0.16 cycles/byte [DRUC18].
AES has become the most widely used symmetric cipher. Compared to public-key ciphers such as RSA, the structure of AES and most symmetric ciphers is quite complex and cannot be explained as easily as many other cryptographic algorithms. Accordingly, the reader may wish to begin with a simplified version of AES, which is described in Appendix A. This version allows the reader to perform encryption and decryption by hand and gain a good understanding of how the details of the algorithm work. Classroom experience indicates that a study of this simplified version enhances understanding of AES. One possible approach is to read the chapter first, then carefully read Appendix A, and then re-read the main body of the chapter.
1

Learning Objectives
Present an overview of the general structure of Advanced Encryption Standard (AES).
Understand the four transformations used in AES.
Explain the AES key expansion algorithm.
Understand the use of polynomials with coefficients in GF(2^8).


2

Finite Field Arithmetic (1 of 2)
In the Advanced Encryption Standard (AES) all operations are performed on 8-bit bytes
The arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8)
A field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set
Division is defined with the following rule:
a/b = a(b^−1)
An example of a finite field (one with a finite number of elements) is the set Z_p consisting of all the integers {0, 1, . . . , p − 1}, where p is a prime number and in which arithmetic is carried out modulo p

In AES, all operations are performed on 8-bit bytes. In particular, the arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8). Section 5.6 discusses such operations in some detail. For the reader who has not studied Chapter 5, and as a quick review for those who have, this section summarizes the important concepts.
In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set. Division is defined with the following rule: a/b = a(b^−1). An example of a finite field (one with a finite number of elements) is the set Z_p consisting of all the integers {0, 1, . . . , p – 1}, where p is a prime number and in which arithmetic is carried out modulo p.
3

Finite Field Arithmetic (2 of 2)
If one of the operations used in the algorithm is division, then we need to work in arithmetic defined over a field
Division requires that each nonzero element have a multiplicative inverse
For convenience and for implementation efficiency we would like to work with integers that fit exactly into a given number of bits with no wasted bit patterns
Integers in the range 0 through 2^n – 1, which fit into an n-bit word
The set of such integers, Z_{2^n}, using modular arithmetic, is not a field
For example, the integer 2 has no multiplicative inverse in Z_{2^n}, that is, there is no integer b such that 2b mod 2^n = 1
A finite field containing 2^n elements is referred to as GF(2^n)
Every polynomial in GF(2^n) can be represented by an n-bit number

Virtually all encryption algorithms, both conventional and public-key, involve arithmetic operations on integers. If one of the operations used in the algorithm is division, then we need to work in arithmetic defined over a field; this is because division requires that each nonzero element have a multiplicative inverse. For convenience and for implementation efficiency, we would also like to work with integers
that fit exactly into a given number of bits, with no wasted bit patterns. That is, we wish to work with integers in the range 0 through 2^n – 1, which fit into an n-bit word. Unfortunately, the set of such integers, Z_{2^n}, using modular arithmetic, is not a field. For example, the integer 2 has no multiplicative inverse in Z_{2^n}, that is, there is no integer b such that 2b mod 2^n = 1.
There is a way of defining a finite field containing 2^n elements; such a field is referred to as GF(2^n).
4

Figure 6.1 AES Encryption Process

Figure 6.1 shows the overall structure of the AES encryption process. The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length.
5

Figure 6.2 AES Data Structures

The input to the encryption and decryption algorithms is a single 128-bit block. In FIPS PUB 197, this block is depicted as a 4 × 4 square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption. After the final stage, State is copied to an output matrix. These operations are depicted in Figure 6.2a. Similarly, the key is depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words. Figure 6.2b shows the expansion for the 128-bit key. Each word is four bytes, and the total key schedule is 44 words for the 128-bit key. Note that the ordering of bytes within a matrix is by column. So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second column, and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix.
6

Table 6.1 AES Parameters
                                          AES-128    AES-192    AES-256
Key Size (words/bytes/bits)               4/16/128   6/24/192   8/32/256
Plaintext Block Size (words/bytes/bits)   4/16/128   4/16/128   4/16/128
Number of Rounds                          10         12         14
Round Key Size (words/bytes/bits)         4/16/128   4/16/128   4/16/128
Expanded Key Size (words/bytes)           44/176     52/208     60/240

The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key (Table 6.1). The first N – 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described subsequently. The final round contains only three transformations, and
there is an initial single transformation (AddRoundKey) before the first round, which can be considered Round 0. Each transformation takes one or more 4 × 4 matrices as input and produces a 4 × 4 matrix as output. Figure 6.1 shows that the output of each round is a 4 × 4 matrix, with the output of the final round being the ciphertext. Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 × 4 matrix. Each round key serves as one of the inputs to the AddRoundKey transformation in each round.
7

Figure 6.3 AES Encryption and Decryption

Figure 6.3 shows the AES cipher in more detail, indicating the sequence of transformations in each round and showing the corresponding decryption function. As was done in Chapter 4, we show encryption proceeding down the page and decryption proceeding up the page.
8

Detailed Structure (1 of 2)
Processes the entire data block as a single matrix during each round using substitutions and permutation
The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]
Four different stages are used:
Substitute bytes – uses an S-box to perform a byte-by-byte substitution of the block
ShiftRows – a simple permutation
MixColumns – a substitution that makes use of arithmetic over GF(2^8)
AddRoundKey – a simple bitwise XOR of the current block with a portion of the expanded key

Before delving into details, we can make several comments about the overall AES structure.
1. One noteworthy feature of this structure is that it is not a Feistel structure. Recall that, in the classic Feistel structure, half of the data block is used to modify the other half of the data block and then the halves are swapped. AES instead processes the entire data block as a single matrix during each round using substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four distinct words (128 bits) serve as a round key for each round; these are indicated in Figure 6.3.
3. Four different stages are used, one of permutation and three of substitution:
• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
• ShiftRows: A simple permutation
• MixColumns: A substitution that makes use of arithmetic over GF(2^8)
• AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key
4. The structure is quite simple. For both encryption and decryption, the cipher begins with an AddRoundKey stage, followed by nine rounds that each includes all four stages, followed by a tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible without knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be formidable. The other three stages together provide confusion, diffusion, and nonlinearity, but by themselves would provide no security because they do not use the key. We can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on. This scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an inverse function is used in the decryption algorithm. For the AddRoundKey stage, the inverse is achieved by XORing the same round key to the block.
8. As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse order. However, the decryption algorithm is not identical to the encryption algorithm. This is a consequence of the particular structure of AES.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption does recover the plaintext. Figure 6.3 lays out encryption and decryption going in opposite vertical directions. At each horizontal point (e.g., the dashed line in the figure), State is the same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages. Again, this is a consequence of the particular structure of AES and is required to make the cipher reversible.
9

Detailed Structure (2 of 2)
The cipher begins and ends with an AddRoundKey stage
Can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on
Each stage is easily reversible
The decryption algorithm makes use of the expanded key in reverse order, however the decryption algorithm is not identical to the encryption algorithm
State is the same for both encryption and decryption
Final round of both encryption and decryption consists of only three stages

10

Figure 6.4 AES Encryption Round

Figure 6.4 depicts the structure of a full encryption round.
11

Figure 6.5 AES Byte-Level Operations

The forward substitute byte transformation, called SubBytes, is a simple table lookup (Figure 6.5a).
12

Table 6.2 AES S-Boxes (1 of 2)

AES defines a 16 × 16 matrix of byte values, called an S-box (Table 6.2a), that contains
a permutation of all possible 256 8-bit values. Each individual byte of State
is mapped into a new byte in the following way: The leftmost 4 bits of the byte
are used as a row value and the rightmost 4 bits are used as a column value.
These row and column values serve as indexes into the S-box to select a unique
8-bit output value. For example, the hexadecimal value {95} references row 9,
column 5 of the S-box, which contains the value {2A}. Accordingly, the value {95}
is mapped into the value {2A}.
13

Table 6.2 AES S-Boxes (2 of 2)

The inverse substitute byte transformation, called InvSubBytes, makes use
of the inverse S-box shown in Table 6.2b.
14

Figure 6.6 Construction of S-Box and IS-Box

Construction of S-Box and IS-Box
15

S-Box Rationale
The S-box is designed to be resistant to known cryptanalytic attacks
The Rijndael developers sought a design that has a low correlation between input bits and output bits and the property that the output is not a linear mathematical function of the input
The nonlinearity is due to the use of the multiplicative inverse

The S-box is designed to be resistant to known cryptanalytic attacks.
Specifically, the Rijndael developers sought a design that has a low correlation
between input bits and output bits and the property that the output is not a linear
mathematical function of the input [DAEM01]. The nonlinearity is due to the use
of the multiplicative inverse.
16

Figure 6.7 AES Row and Column Operations

The forward shift row transformation,
called ShiftRows, is depicted in Figure 6.7a. The first row of State is not altered. For
the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte
circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed.
The following is an example of ShiftRows.
The inverse shift row transformation, called InvShiftRows, performs the circular
shifts in the opposite direction for each of the last three rows, with a 1-byte
circular right shift for the second row, and so on.
The forward mix column transformation,
called MixColumns, operates on each column individually. Each byte of a column
is mapped into a new value that is a function of all four bytes in that column. The
transformation can be defined by the following matrix multiplication on State
(Figure 6.7b)
Each element in the product matrix is the sum of products of elements of one row
and one column. In this case, the individual additions and multiplications are
performed in GF(2^8).

17

Shift Row Rationale
More substantial than it may first appear
The State, as well as the cipher input and output, is treated as an array of four 4-byte columns
On encryption, the first 4 bytes of the plaintext are copied to the first column of State, and so on
The round key is applied to State column by column
Thus, a row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes
Transformation ensures that the 4 bytes of one column are spread out to four different columns

The shift row transformation is more substantial than it may first
appear. This is because the State, as well as the cipher input and output, is
treated as an array of four 4-byte columns. Thus, on encryption, the first 4 bytes
of the plaintext are copied to the first column of State, and so on. Furthermore,
as will be seen, the round key is applied to State column by column. Thus, a row
shift moves an individual byte from one column to another, which is a linear
distance of a multiple of 4 bytes. Also note that the transformation ensures that
the 4 bytes of one column are spread out to four different columns. Figure 6.4
illustrates the effect.
18

Mix Columns Rationale
Coefficients of a matrix based on a linear code with maximal distance between code words ensures a good mixing among the bytes of each column
The mix column transformation combined with the shift row transformation ensures that after a few rounds all output bits depend on all input bits

The coefficients of the matrix in Equation (6.3) are based on a linear
code with maximal distance between code words, which ensures a good mixing
among the bytes of each column. The mix column transformation combined with
the shift row transformation ensures that after a few rounds all output bits depend
on all input bits. See [DAEM99] for a discussion.
In addition, the choice of coefficients in MixColumns, which are all {01}, {02},
or {03}, was influenced by implementation considerations. As was discussed, multiplication
by these coefficients involves at most a shift and an XOR. The coefficients
in InvMixColumns are more formidable to implement. However, encryption was
deemed more important than decryption for two reasons:
1. For the CFB and OFB cipher modes (Figures 7.5 and 7.6; described in Chapter 7),
only encryption is used.
2. As with any block cipher, AES can be used to construct a message authentication
code (Chapter 13), and for this, only encryption is used.
19

AddRoundKey Transformation
The 128 bits of State are bitwise XORed with the 128 bits of the round key
Operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key
Can also be viewed as a byte-level operation
Rationale:
Is as simple as possible and affects every bit of State
The complexity of the round key expansion plus the complexity of the other stages of AES ensure security

In the forward add round key transformation,
called AddRoundKey, the 128 bits of State are bitwise XORed with the 128
bits of the round key. As shown in Figure 6.5b, the operation is viewed as a columnwise
operation between the 4 bytes of a State column and one word of the round
key; it can also be viewed as a byte-level operation.
The add round key transformation is as simple as possible and affects
every bit of State. The complexity of the round key expansion, plus the complexity
of the other stages of AES, ensure security.
20
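
An added example, not code from the slides or from Stallings: the ShiftRows, MixColumns and AddRoundKey stages of the last few slides in Python, on the column-major State of Figure 6.2a, with the {02} and {03} coefficients of MixColumns done as the shift-and-XOR described under the mix column rationale, plus checks of two claims above: that ShiftRows moves each byte a multiple of 4 positions, and that a single changed byte reaches a whole column after one ShiftRows+MixColumns pass and all 16 bytes after two. Function names are assumptions of this example.

```python
# Added example, not code from the slides or from Stallings. Function names are
# this example's own. The State is stored column-major as in Figure 6.2a:
# state[r][c] holds byte r + 4*c of the block.


def xtime(a: int) -> int:
    """Multiply a byte by {02} in GF(2^8): shift left, XOR {1B} on overflow."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def to_state(block: bytes) -> list:
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def from_state(state: list) -> bytes:
    return bytes(state[r][c] for c in range(4) for r in range(4))


def shift_rows(state: list) -> list:
    """Row r is circularly shifted left by r bytes; row 0 is untouched."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_column(col: list) -> list:
    """MixColumns on one column: multiply it by the circulant matrix
    [02 03 01 01; 01 02 03 01; 01 01 02 03; 03 01 01 02] over GF(2^8).
    {02}*v is one xtime and {03}*v is xtime plus an XOR, so no general
    GF(2^8) multiplier is needed on the encryption side."""
    a0, a1, a2, a3 = col

    def mul3(v):
        return xtime(v) ^ v

    return [
        xtime(a0) ^ mul3(a1) ^ a2 ^ a3,
        a0 ^ xtime(a1) ^ mul3(a2) ^ a3,
        a0 ^ a1 ^ xtime(a2) ^ mul3(a3),
        mul3(a0) ^ a1 ^ a2 ^ xtime(a3),
    ]


def mix_columns(state: list) -> list:
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state: list, round_key: bytes) -> list:
    """XOR word c of the 16-byte round key into column c of State; applying
    the same key again undoes it, which is why decryption reuses this stage."""
    rk = to_state(round_key)
    return [[state[r][c] ^ rk[r][c] for c in range(4)] for r in range(4)]


def shiftrows_byte_permutation() -> list:
    """perm[k] = index of the input byte that ShiftRows places at position k.
    A row shift keeps the row (k mod 4), so k - perm[k] is a multiple of 4."""
    return list(from_state(shift_rows(to_state(bytes(range(16))))))


def linear_layer(block: bytes, rounds: int) -> bytes:
    """ShiftRows followed by MixColumns, `rounds` times: the key-independent
    linear part of a round, with SubBytes left out so the spread is visible."""
    state = to_state(block)
    for _ in range(rounds):
        state = mix_columns(shift_rows(state))
    return from_state(state)


def spread_after(rounds: int, position: int = 0) -> int:
    """Number of output bytes that differ between two blocks that differ in a
    single input byte (constructed sample: all-zero block vs one {01} byte).
    Expect 1 for 0 rounds, 4 (one column) after 1, all 16 after 2."""
    base = bytes(16)
    flipped = bytes(1 if i == position else 0 for i in range(16))
    out_a, out_b = linear_layer(base, rounds), linear_layer(flipped, rounds)
    return sum(x != y for x, y in zip(out_a, out_b))


if __name__ == "__main__":
    print("MixColumns(db 13 53 45) =", bytes(mix_column([0xDB, 0x13, 0x53, 0x45])).hex())
    print("ShiftRows byte permutation:", shiftrows_byte_permutation())
    print("bytes changed after 0/1/2 passes:", [spread_after(r) for r in range(3)])
```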

Figure 6.8 Inputs for Single AES Round

Figure 6.8 is another view of a single round of AES, emphasizing the mechanisms
and inputs of each transformation.
21

AES Key Expansion
Takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes)
This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher
Key is copied into the first four words of the expanded key
The remainder of the expanded key is filled in four words at a time
Each added word w[i] depends on the immediately preceding word, w[i – 1], and the word four positions back, w[i – 4]
In three out of four cases a simple XOR is used
For a word whose position in the w array is a multiple of 4, a more complex function is used

The AES key expansion algorithm takes as input a four-word (16-byte) key and
produces a linear array of 44 words (176 bytes). This is sufficient to provide a four-word
round key for the initial AddRoundKey stage and each of the 10 rounds of the
cipher. The pseudocode on the next page describes the expansion.
The key is copied into the first four words of the expanded key. The remainder
of the expanded key is filled in four words at a time. Each added word w[i]
depends on the immediately preceding word, w[i – 1], and the word four positions
back, w[i – 4]. In three out of four cases, a simple XOR is used. For a word whose
position in the w array is a multiple of 4, a more complex function is used.

Figure 6.9 AES Key Expansion

Figure 6.9 illustrates the generation of the expanded key, using the symbol g to represent that
complex function.

Key Expansion Rationale (1 of 2)
The Rijndael developers designed the key expansion algorithm to be resistant to known cryptanalytic attacks
Inclusion of a round-dependent round constant eliminates the symmetry between the ways in which round keys are generated in different rounds

The Rijndael developers designed the key expansion algorithm to be resistant to
known cryptanalytic attacks. The inclusion of a round-dependent round constant
eliminates the symmetry, or similarity, between the ways in which round keys are
generated in different rounds. The specific criteria that were used are [DAEM99]:
• Knowledge of a part of the cipher key or round key does not enable calculation
of many other round-key bits.
• An invertible transformation [i.e., knowledge of any Nk consecutive words of
the expanded key enables regeneration of the entire expanded key (Nk = key
size in words)].
• Speed on a wide range of processors.
• Usage of round constants to eliminate symmetries.
• Diffusion of cipher key differences into the round keys; that is, each key bit
affects many round key bits.
• Enough nonlinearity to prohibit the full determination of round key differences
from cipher key differences only.
• Simplicity of description.
The authors do not quantify the first point on the preceding list, but the idea
is that if you know less than Nk consecutive words of either the cipher key or one of
the round keys, then it is difficult to reconstruct the remaining unknown bits. The
fewer bits one knows, the more difficult it is to do the reconstruction or to determine
other bits in the key expansion.

Key Expansion Rationale (2 of 2)
The specific criteria that were used are:
Knowledge of a part of the cipher key or round key does not enable calculation of many other round-key bits
An invertible transformation
Speed on a wide range of processors
Usage of round constants to eliminate symmetries
Diffusion of cipher key differences into the round keys
Enough nonlinearity to prohibit the full determination of round key differences from cipher key differences only
Simplicity of description


Table 6.3 Example Round Key Calculation

Description                                            Value
i (decimal)                                            36
temp = w[i − 1]                                        7F8D292F
RotWord(temp)                                          8D292F7F
SubWord(RotWord(temp))                                 5DA515D2
Rcon(9)                                                1B000000
SubWord(RotWord(temp)) ⊕ Rcon(9)                       46A515D2
w[i − 4]                                               EAD27321
w[i] = w[i − 4] ⊕ SubWord(RotWord(temp)) ⊕ Rcon(9)     AC7766F3


Table 6.4 Key Expansion for AES Example (1 of 3)

Key Words                         Auxiliary Function
w0 = 0f 15 71 c9
w1 = 47 d9 e8 59
w2 = 0c b7 ad d6
w3 = af 7f 67 98                  RotWord(w3) = 7f 67 98 af = x1
                                  SubWord(x1) = d2 85 46 79 = y1
                                  Rcon(1) = 01 00 00 00
                                  y1 ⊕ Rcon(1) = d3 85 46 79 = z1
w4 = w0 ⊕ z1 = dc 90 37 b0
w5 = w4 ⊕ w1 = 9b 49 df e9
w6 = w5 ⊕ w2 = 97 fe 72 3f
w7 = w6 ⊕ w3 = 38 81 15 a7        RotWord(w7) = 81 15 a7 38 = x2
                                  SubWord(x2) = 0c 59 5c 07 = y2
                                  Rcon(2) = 02 00 00 00
                                  y2 ⊕ Rcon(2) = 0e 59 5c 07 = z2
w8 = w4 ⊕ z2 = d2 c9 6b b7
w9 = w8 ⊕ w5 = 49 80 b4 5e
w10 = w9 ⊕ w6 = de 7e c6 61
w11 = w10 ⊕ w7 = e6 ff d3 c6      RotWord(w11) = ff d3 c6 e6 = x3
                                  SubWord(x3) = 16 66 b4 8e = y3
                                  Rcon(3) = 04 00 00 00
                                  y3 ⊕ Rcon(3) = 12 66 b4 8e = z3

Table 6.4 shows the expansion of the 16-byte key into 10 round keys. As previously explained, this process is performed word by word, with each four-byte word occupying one column of the word round-key matrix. The left-hand column shows the four round-key words generated for each round. The right-hand column shows
the steps used to generate the auxiliary word used in key expansion. We begin, of course, with the key itself serving as the round key for round 0.


Table 6.4 Key Expansion for AES Example (2 of 3)

Key Words                         Auxiliary Function
w12 = w8 ⊕ z3 = c0 af df 39
w13 = w12 ⊕ w9 = 89 2f 6b 67
w14 = w13 ⊕ w10 = 57 51 ad 06
w15 = w14 ⊕ w11 = b1 ae 7e c0     RotWord(w15) = ae 7e c0 b1 = x4
                                  SubWord(x4) = e4 f3 ba c8 = y4
                                  Rcon(4) = 08 00 00 00
                                  y4 ⊕ Rcon(4) = ec f3 ba c8 = z4
w16 = w12 ⊕ z4 = 2c 5c 65 f1
w17 = w16 ⊕ w13 = a5 73 0e 96
w18 = w17 ⊕ w14 = f2 22 a3 90
w19 = w18 ⊕ w15 = 43 8c dd 50     RotWord(w19) = 8c dd 50 43 = x5
                                  SubWord(x5) = 64 c1 53 1a = y5
                                  Rcon(5) = 10 00 00 00
                                  y5 ⊕ Rcon(5) = 74 c1 53 1a = z5
w20 = w16 ⊕ z5 = 58 9d 36 eb
w21 = w20 ⊕ w17 = fd ee 38 7d
w22 = w21 ⊕ w18 = 0f cc 9b ed
w23 = w22 ⊕ w19 = 4c 40 46 bd     RotWord(w23) = 40 46 bd 4c = x6
                                  SubWord(x6) = 09 5a 7a 29 = y6
                                  Rcon(6) = 20 00 00 00
                                  y6 ⊕ Rcon(6) = 29 5a 7a 29 = z6


Table 6.4 Key Expansion for AES Example (3 of 3)

Key Words                         Auxiliary Function
w24 = w20 ⊕ z6 = 71 c7 4c c2
w25 = w24 ⊕ w21 = 8c 29 74 bf
w26 = w25 ⊕ w22 = 83 e5 ef 52
w27 = w26 ⊕ w23 = cf a5 a9 ef     RotWord(w27) = a5 a9 ef cf = x7
                                  SubWord(x7) = 06 d3 df 8a = y7
                                  Rcon(7) = 40 00 00 00
                                  y7 ⊕ Rcon(7) = 46 d3 df 8a = z7
w28 = w24 ⊕ z7 = 37 14 93 48
w29 = w28 ⊕ w25 = bb 3d e7 f7
w30 = w29 ⊕ w26 = 38 d8 08 a5
w31 = w30 ⊕ w27 = f7 7d a1 4a     RotWord(w31) = 7d a1 4a f7 = x8
                                  SubWord(x8) = ff 32 d6 68 = y8
                                  Rcon(8) = 80 00 00 00
                                  y8 ⊕ Rcon(8) = 7f 32 d6 68 = z8
w32 = w28 ⊕ z8 = 48 26 45 20
w33 = w32 ⊕ w29 = f3 1b a2 d7
w34 = w33 ⊕ w30 = cb c3 aa 72
w35 = w34 ⊕ w31 = 3c be 0b 38     RotWord(w35) = be 0b 38 3c = x9
                                  SubWord(x9) = ae 2b 07 eb = y9
                                  Rcon(9) = 1b 00 00 00
                                  y9 ⊕ Rcon(9) = b5 2b 07 eb = z9
w36 = w32 ⊕ z9 = fd 0d 42 cb
w37 = w36 ⊕ w33 = 0e 16 e0 1c
w38 = w37 ⊕ w34 = c5 d5 4a 6e
w39 = w38 ⊕ w35 = f9 6b 41 56     RotWord(w39) = 6b 41 56 f9 = x10
                                  SubWord(x10) = 7f 83 b1 99 = y10
                                  Rcon(10) = 36 00 00 00
                                  y10 ⊕ Rcon(10) = 49 83 b1 99 = z10
w40 = w36 ⊕ z10 = b4 8e f3 52
w41 = w40 ⊕ w37 = ba 98 13 4e
w42 = w41 ⊕ w38 = 7f 4d 59 20
w43 = w42 ⊕ w39 = 86 26 18 76


Table 6.5 AES Example (1 of 2)
(each 4 x 4 State or round-key matrix is written row by row, with rows separated by |)

Round 0 (plaintext and initial round key)
  Start of Round:    01 89 fe 76 | 23 ab dc 54 | 45 cd ba 32 | 67 ef 98 10
  Round Key:         0f 47 0c af | 15 d9 b7 7f | 71 e8 ad 67 | c9 59 d6 98

Round 1
  Start of Round:    0e ce f2 d9 | 36 72 6b 2b | 34 25 17 55 | ae b6 4e 88
  After SubBytes:    ab 8b 89 35 | 05 40 7f f1 | 18 3f f0 fc | e4 4e 2f c4
  After ShiftRows:   ab 8b 89 35 | 40 7f f1 05 | f0 fc 18 3f | c4 e4 4e 2f
  After MixColumns:  b9 94 57 75 | e4 8e 16 51 | 47 20 9a 3f | c5 d6 f5 3b
  Round Key:         dc 9b 97 38 | 90 49 fe 81 | 37 df 72 15 | b0 e9 3f a7

Round 2
  Start of Round:    65 0f c0 4d | 74 c7 e8 d0 | 70 ff e8 2a | 75 3f ca 9c
  After SubBytes:    4d 76 ba e3 | 92 c6 9b 70 | 51 16 9b e5 | 9d 75 74 de
  After ShiftRows:   4d 76 ba e3 | c6 9b 70 92 | 9b e5 51 16 | de 9d 75 74
  After MixColumns:  8e 22 db 12 | b2 f2 dc 92 | df 80 f7 c1 | 2d c5 1e 52
  Round Key:         d2 49 de e6 | c9 80 7e ff | 6b b4 c6 d3 | b7 5e 61 c6

Round 3
  Start of Round:    5c 6b 05 f4 | 7b 72 a2 6d | b4 34 31 12 | 9a 9b 7f 94
  After SubBytes:    4a 7f 6b bf | 21 40 3a 3c | 8d 18 c7 c9 | b8 14 d2 22
  After ShiftRows:   4a 7f 6b bf | 40 3a 3c 21 | c7 c9 8d 18 | 22 b8 14 d2
  After MixColumns:  b1 c1 0b cc | ba f3 8b 07 | f9 1f 6a c3 | 1d 19 24 5c
  Round Key:         c0 89 57 b1 | af 2f 51 ae | df 6b ad 7e | 39 67 06 c0

Round 4
  Start of Round:    71 48 5c 7d | 15 dc da a9 | 26 74 c7 bd | 24 7e 22 9c
  After SubBytes:    a3 52 4a ff | 59 86 57 d3 | f7 92 c6 7a | 36 f3 93 de
  After ShiftRows:   a3 52 4a ff | 86 57 d3 59 | c6 7a f7 92 | de 36 f3 93
  After MixColumns:  d4 11 fe 0f | 3b 44 06 73 | cb ab 62 37 | 19 b7 07 ec
  Round Key:         2c a5 f2 43 | 5c 73 22 8c | 65 0e a3 dd | f1 96 90 50

Round 5
  Start of Round:    f8 b4 0c 4c | 67 37 24 ff | ae a5 c1 ea | e8 21 97 bc
  After SubBytes:    41 8d fe 29 | 85 9a 36 16 | e4 06 78 87 | 9b fd 88 65
  After ShiftRows:   41 8d fe 29 | 9a 36 16 85 | 78 87 e4 06 | 65 9b fd 88
  After MixColumns:  2a 47 c4 48 | 83 e8 18 ba | 84 18 27 23 | eb 10 0a f3
  Round Key:         58 fd 0f 4c | 9d ee cc 40 | 36 38 9b 46 | eb 7d ed bd

Table 6.5 shows the progression of State through the AES encryption process. The first column shows the value of State at the start of a round. For the first row, State is just the matrix arrangement of the plaintext. The second, third, and fourth columns show the value of State for that round after the SubBytes, ShiftRows, and MixColumns transformations, respectively. The fifth column shows the round key. You can verify that these round keys equate with those shown in Table 6.4. The first column shows the value of State resulting from the bitwise XOR of State after the preceding MixColumns with the round key for the preceding round.
If a small change in the key or plaintext were to produce a corresponding small change in the ciphertext, this might be used to effectively reduce the size of the plaintext (or key) space to be searched. What is desired is the avalanche effect, in which a small change in plaintext or key produces a large change in the ciphertext.

Table 6.5 AES Example (2 of 2)
(each 4 x 4 State or round-key matrix is written row by row, with rows separated by |)

Round 6
  Start of Round:    72 ba cb 04 | 1e 06 d4 fa | b2 20 bc 65 | 00 6d e7 4e
  After SubBytes:    40 f4 1f f2 | 72 6f 48 2d | 37 b7 65 4d | 63 3c 94 2f
  After ShiftRows:   40 f4 1f f2 | 6f 48 2d 72 | 65 4d 37 b7 | 2f 63 3c 94
  After MixColumns:  7b 05 42 4a | 1e d0 20 40 | 94 83 18 52 | 94 c4 43 fb
  Round Key:         71 8c 83 cf | c7 29 e5 a5 | 4c 74 ef a9 | c2 bf 52 ef

Round 7
  Start of Round:    0a 89 c1 85 | d9 f9 c5 e5 | d8 f7 f7 fb | 56 7b 11 14
  After SubBytes:    67 a7 78 97 | 35 99 a6 d9 | 61 68 68 0f | b1 21 82 fa
  After ShiftRows:   67 a7 78 97 | 99 a6 d9 35 | 68 0f 61 68 | fa b1 21 82
  After MixColumns:  ec 1a c0 80 | 0c 50 53 c7 | 3b d7 00 ef | b7 22 72 e0
  Round Key:         37 bb 38 f7 | 14 3d d8 7d | 93 e7 08 a1 | 48 f7 a5 4a

Round 8
  Start of Round:    db a1 f8 77 | 18 6d 8b ba | a8 30 08 4e | ff d5 d7 aa
  After SubBytes:    b9 32 41 f5 | ad 3c 3d f4 | c2 04 30 2f | 16 03 0e ac
  After ShiftRows:   b9 32 41 f5 | 3c 3d f4 ad | 30 2f c2 04 | ac 16 03 0e
  After MixColumns:  b1 1a 44 17 | 3d 2f ec b6 | 0a 6b 2f 42 | 9f 68 f3 b1
  Round Key:         48 f3 cb 3c | 26 1b c3 be | 45 a2 aa 0b | 20 d7 72 38

Round 9
  Start of Round:    f9 e9 8f 2b | 1b 34 2f 08 | 4f c9 85 49 | bf bf 81 89
  After SubBytes:    99 1e 73 f1 | af 18 15 30 | 84 dd 97 3b | 08 08 0c a7
  After ShiftRows:   99 1e 73 f1 | 18 15 30 af | 97 3b 84 dd | a7 08 08 0c
  After MixColumns:  31 30 3a c2 | ac 71 8c c4 | 46 65 48 eb | 6a 1c 31 62
  Round Key:         fd 0e c5 f9 | 0d 16 d5 6b | 42 e0 4a 41 | cb 1c 6e 56

Round 10 (no MixColumns in the final round)
  Start of Round:    cc 3e ff 3b | a1 67 59 af | 04 85 02 aa | a1 00 5f 34
  After SubBytes:    4b b2 16 e2 | 32 85 cb 79 | f2 97 77 ac | 32 63 cf 18
  After ShiftRows:   4b b2 16 e2 | 85 cb 79 32 | 77 ac f2 97 | 18 32 63 cf
  Round Key:         b4 ba 7f 86 | 8e 98 4d 26 | f3 13 59 18 | 52 4e 20 76

Output (ciphertext)
  State:             ff 08 69 64 | 0b 53 34 14 | 84 bf ab 8f | 4a 7c 43 b9


Table 6.6 Avalanche Effect in AES: Change in Plaintext (1 of 2)

Round   State (original plaintext / plaintext with eighth bit changed)   Number of Bits that Differ
input   0123456789abcdeffedcba9876543210
        0023456789abcdeffedcba9876543210                                  1
0       0e3634aece7225b6f26b174ed92b5588
        0f3634aece7225b6f26b174ed92b5588                                  1
1       657470750fc7ff3fc0e8e8ca4dd02a9c
        c4a9ad090fc7ff3fc0e8e8ca4dd02a9c                                 20
2       5c7bb49a6b72349b05a2317ff46d1294
        fe2ae569f7ee8bb8c1f5a2bb37ef53d5                                 58
3       7115262448dc747e5cdac7227da9bd9c
        ec093dfb7c45343d689017507d485e62                                 59
4       f867aee8b437a5210c24c1974cffeabc
        43efdb697244df808e8d9364ee0ae6f5                                 61
5       721eb200ba06206dcbd4bce704fa654e
        7b28a5d5ed643287e006c099bb375302                                 68

Using the example from Table 6.5, Table 6.6 shows the result when the eighth bit of the plaintext is changed. The second column of the table shows the value of the State matrix at the end of each round for the two plaintexts. Note that after just one round, 20 bits of the State vector differ. After two rounds, close to half the bits differ. This magnitude of difference propagates through the remaining rounds. A bit difference in approximately half the positions is the most desirable outcome. Clearly, if almost all the bits are changed, this would be logically equivalent to almost none of the bits being changed. Put another way, if we select two plaintexts at random, we would expect the two plaintexts to differ in about half of the bit positions and the two ciphertexts to also differ in about half the positions.

Table 6.6 Avalanche Effect in AES: Change in Plaintext (2 of 2)

Round   State (original plaintext / plaintext with eighth bit changed)   Number of Bits that Differ
6       0ad9d85689f9f77bc1c5f71185e5fb14
        3bc2d8b6798d8ac4fe36a1d891ac181a                                 64
7       db18a8ffa16d30d5f88b08d777ba4eaa
        9fb8b5452023c70280e5c4bb9e555a4b                                 67
8       f91b4fbfe934c9bf8f2f85812b084989
        20264e1126b219aef7feb3f9b2d6de40                                 65
9       cca104a13e678500ff59025f3bafaa34
        b56a0341b2290ba7dfdfbddcd8578205                                 61
10      ff0b844a0853bf7c6934ab4364148fb9
        612b89398d0600cde116227ce72433f0                                 58


Table 6.7 Avalanche Effect in AES: Change in Key (1 of 2)

Round   State (original key / key with eighth bit changed)   Number of Bits that Differ
input   0123456789abcdeffedcba9876543210
        0123456789abcdeffedcba9876543210                      0
0       0e3634aece7225b6f26b174ed92b5588
        0f3634aece7225b6f26b174ed92b5588                      1
1       657470750fc7ff3fc0e8e8ca4dd02a9c
        c5a9ad090ec7ff3fc1e8e8ca4cd02a9c                     22
2       5c7bb49a6b72349b05a2317ff46d1294
        90905fa9563356d15f3760f3b8259985                     58
3       7115262448dc747e5cdac7227da9bd9c
        18aeb7aa794b3b66629448d575c7cebf                     67
4       f867aee8b437a5210c24c1974cffeabc
        f81015f993c978a876ae017cb49e7eec                     63
5       721eb200ba06206dcbd4bce704fa654e
        5955c91b4e769f3cb4a94768e98d5267                     81

Table 6.7 shows the change in State matrix values when the same plaintext is used and the two keys differ in the eighth bit. That is, for the second case, the key is 0e1571c947d9e8590cb7add6af7f6798. Again, one round produces a significant change, and the magnitude of change after all subsequent rounds is roughly half the bits. Thus, based on this example, AES exhibits a very strong avalanche effect.
Note that this avalanche effect is stronger than that for DES (Table 4.2), which requires three rounds to reach a point at which approximately half the bits are changed, both for a bit change in the plaintext and a bit change in the key.
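The key expansion of Figure 6.9 and Tables 6.3 and 6.4, the round structure of Table 6.5, and the bit-difference counts of Tables 6.6 and 6.7 can all be reproduced with the following AES-128 implementation. It is an added example, not code from the book or its slides; the key and plaintext are those of the tables, the State is kept as 16 bytes in column-major order, and the S-box is computed from its GF(2^8) definition rather than typed in.

```python
# Added example: AES-128 with a per-round trace for checking Tables 6.4 to 6.7.
KEY_HEX = "0f1571c947d9e8590cb7add6af7f6798"   # key of Table 6.4
PT_HEX = "0123456789abcdeffedcba9876543210"    # plaintext of Table 6.5
KEY, PT = bytes.fromhex(KEY_HEX), bytes.fromhex(PT_HEX)

def xtime(a):
    """Multiply by {02} in GF(2^8): a shift plus a conditional XOR with 0x1b."""
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _sbox_entry(x):
    """S-box entry: multiplicative inverse in GF(2^8) (0 -> 0), then the affine map."""
    inv, p = 1, x
    for _ in range(7):                 # x^254 = x^(2+4+...+128) is the inverse
        p = gf_mul(p, p)
        inv = gf_mul(inv, p)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xff
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]

def g(word, rnd):
    """The g function of Figure 6.9: RotWord, SubWord, XOR with Rcon(rnd)."""
    t = [SBOX[b] for b in word[1:] + word[:1]]
    t[0] ^= RCON[rnd - 1]
    return t

def key_expansion(key):
    """Expand the 16-byte key into the 44 words w[0..43] of Table 6.4."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = g(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w

# State is a flat list of 16 bytes in column-major order: s[r + 4 * c] is row r, column c.
def add_round_key(s, words):
    rk = [x for word in words for x in word]
    return [a ^ b for a, b in zip(s, rk)]

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """Row r is rotated left by r positions, so output column c takes column c + r."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Multiply each column by the circulant matrix with first row {02} {03} {01} {01}."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return out

def encrypt_trace(key, pt):
    """Return State at the end of rounds 0..10; round 0 is the initial AddRoundKey."""
    w = key_expansion(key)
    s = add_round_key(list(pt), w[0:4])
    states = [s]
    for rnd in range(1, 11):
        s = shift_rows(sub_bytes(s))
        if rnd < 10:                       # the final round has no MixColumns
            s = mix_columns(s)
        s = add_round_key(s, w[4 * rnd:4 * rnd + 4])
        states.append(s)
    return states

def aes128_encrypt(key, pt):
    return bytes(encrypt_trace(key, pt)[-1])

def avalanche(key1, pt1, key2, pt2):
    """Bits of State that differ after each round (last column of Tables 6.6 and 6.7)."""
    pairs = zip(encrypt_trace(key1, pt1), encrypt_trace(key2, pt2))
    return [sum(bin(x ^ y).count("1") for x, y in zip(a, b)) for a, b in pairs]

if __name__ == "__main__":
    w = key_expansion(KEY)
    print("w4 =", bytes(w[4]).hex(), " w43 =", bytes(w[43]).hex())
    print("ciphertext =", aes128_encrypt(KEY, PT).hex())
    # flipping the least significant bit of byte 0 is the "eighth bit" change of the tables
    print("plaintext bit changed:", avalanche(KEY, PT, KEY, bytes([PT[0] ^ 1]) + PT[1:]))
    print("key bit changed:      ", avalanche(KEY, PT, bytes([KEY[0] ^ 1]) + KEY[1:], PT))
```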


Table 6.7 Avalanche Effect in AES: Change in Key (2 of 2)

Round   State (original key / key with eighth bit changed)   Number of Bits that Differ
6       0ad9d85689f9f77bc1c5f71185e5fb14
        dc60a24d137662181e45b8d3726b2920                     70
7       db18a8ffa16d30d5f88b08d777ba4eaa
        fe8343b8f88bef66cab7e977d005a03c                     74
8       f91b4fbfe934c9bf8f2f85812b084989
        da7dad581d1725c5b72fa0f9d9d1366a                     67
9       cca104a13e678500ff59025f3bafaa34
        0ccb4c66bbfd912f4b511d72996345e0                     59
10      ff0b844a0853bf7c6934ab4364148fb9
        fc8923ee501a7d207ab670686839996b                     53


AES Implementation
AES decryption cipher is not identical to the encryption cipher
The sequence of transformations differs although the form of the key schedules is the same
Has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption
Two separate changes are needed to bring the decryption structure in line with the encryption structure
The first two stages of the decryption round need to be interchanged
The second two stages of the decryption round need to be interchanged

As was mentioned, the AES decryption cipher is not identical to the encryption
cipher (Figure 6.3). That is, the sequence of transformations for decryption differs
from that for encryption, although the form of the key schedules for encryption
and decryption is the same. This has the disadvantage that two separate software
or firmware modules are needed for applications that require both encryption and
decryption. There is, however, an equivalent version of the decryption algorithm
that has the same structure as the encryption algorithm. The equivalent version has
the same sequence of transformations as the encryption algorithm (with transformations
replaced by their inverses). To achieve this equivalence, a change in key
schedule is needed.
Two separate changes are needed to bring the decryption structure in line
with the encryption structure. As illustrated in Figure 6.3, an encryption round has
the structure SubBytes, ShiftRows, MixColumns, AddRoundKey. The standard
decryption round has the structure InvShiftRows, InvSubBytes, AddRoundKey,
InvMixColumns. Thus, the first two stages of the decryption round need to
be interchanged, and the second two stages of the decryption round need to be
interchanged.

Interchanging InvShiftRows and InvSubBytes
InvShiftRows affects the sequence of bytes in State but does not alter byte contents and does not depend on byte contents to perform its transformation
InvSubBytes affects the contents of bytes in State but does not alter byte sequence and does not depend on byte sequence to perform its transformation
Thus, these two operations commute and can be interchanged

InvShiftRows affects the sequence of bytes in State but does not alter byte contents and does not depend on byte contents to perform its transformation. InvSubBytes affects the contents of bytes in State but does not alter byte sequence and does not depend on byte sequence to perform its transformation. Thus, these two operations commute and can be interchanged. For a given State Si,

Interchanging AddRoundKey and InvMixColumns
The transformations AddRoundKey and InvMixColumns do not alter the sequence of bytes in State
If we view the key as a sequence of words, then both AddRoundKey and InvMixColumns operate on State one column at a time
These two operations are linear with respect to the column input

The transformations
AddRoundKey and InvMixColumns do not alter the sequence of bytes in State . If we
view the key as a sequence of words, then both AddRoundKey and InvMixColumns
operate on State one column at a time. These two operations are linear with respect
to the column input.
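The consequence of this linearity is the key-schedule change mentioned above: in the equivalent inverse cipher, InvMixColumns is applied to the round key, and the XOR then follows InvMixColumns instead of preceding it. The check below, an added example and not the book's code, runs both orders on round 1 of Table 6.5 (values read column by column) and confirms that both recover the "After ShiftRows" State.

```python
# Added example: why AddRoundKey and InvMixColumns can be interchanged.
def xtime(a):
    """Multiply by {02} in GF(2^8)."""
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _mix(state, row):
    """Multiply every column of a column-major State by the circulant matrix with first row `row`."""
    out = []
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        out += [gf_mul(row[0], col[r]) ^ gf_mul(row[1], col[(r + 1) % 4])
                ^ gf_mul(row[2], col[(r + 2) % 4]) ^ gf_mul(row[3], col[(r + 3) % 4])
                for r in range(4)]
    return out

def mix_columns(state):
    return _mix(state, (0x02, 0x03, 0x01, 0x01))

def inv_mix_columns(state):
    return _mix(state, (0x0e, 0x0b, 0x0d, 0x09))

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def standard_decrypt_step(state, round_key):
    """Standard inverse round order: AddRoundKey, then InvMixColumns."""
    return inv_mix_columns(xor(state, round_key))

def equivalent_decrypt_step(state, round_key):
    """Equivalent inverse cipher: InvMixColumns first, then XOR with the
    transformed round key InvMixColumns(round_key). Valid because InvMixColumns
    is linear over the column input: InvMix(S xor K) = InvMix(S) xor InvMix(K)."""
    return xor(inv_mix_columns(state), inv_mix_columns(round_key))

# Round 1 of Table 6.5, each matrix read column by column (round key = w4..w7 of Table 6.4).
AFTER_SHIFTROWS = bytes.fromhex("ab40f0c4" "8b7ffce4" "89f1184e" "35053f2f")
ROUND_KEY_1 = bytes.fromhex("dc9037b0" "9b49dfe9" "97fe723f" "388115a7")
START_OF_ROUND_2 = bytes.fromhex("65747075" "0fc7ff3f" "c0e8e8ca" "4dd02a9c")

def demo():
    """Both decryption orders, applied to the start-of-round-2 State, give the
    round-1 'After ShiftRows' State."""
    a = standard_decrypt_step(list(START_OF_ROUND_2), list(ROUND_KEY_1))
    b = equivalent_decrypt_step(list(START_OF_ROUND_2), list(ROUND_KEY_1))
    return a == b == list(AFTER_SHIFTROWS)

if __name__ == "__main__":
    print("both orders recover After ShiftRows:", demo())
    print("InvMixColumns(round key 1) =", bytes(inv_mix_columns(list(ROUND_KEY_1))).hex())
```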

Figure 6.10 Equivalent Inverse Cipher

Figure 6.10 illustrates the equivalent decryption algorithm.

Implementation Aspects (1 of 2)
AES can be implemented very efficiently on an 8-bit processor
AddRoundKey is a bytewise XOR operation
ShiftRows is a simple byte-shifting operation
SubBytes operates at the byte level and only requires a table of 256 bytes
MixColumns requires matrix multiplication in the field GF(2^8), which means that all operations are carried out on bytes

The Rijndael proposal [DAEM99] provides some suggestions for efficient implementation
on 8-bit processors, typical for current smart cards, and on 32-bit processors,
typical for PCs.
AES can be implemented very efficiently on an 8-bit processor.
AddRoundKey is a bytewise XOR operation. ShiftRows is a simple byte-shifting
operation. SubBytes operates at the byte level and only requires a table of
256 bytes.
The transformation MixColumns requires matrix multiplication in the field
GF(2^8), which means that all operations are carried out on bytes. MixColumns only
requires multiplication by {02} and {03}, which, as we have seen, involve simple
shifts, conditional XORs, and XORs. This can be implemented in a more efficient
way that eliminates the shifts and conditional XORs.

Implementation Aspects (2 of 2)
Can efficiently implement on a 32-bit processor
Redefine steps to use 32-bit words
Can precompute 4 tables of 256 words
Then each column in each round can be computed using 4 table lookups + 4 XORs
At a cost of 4 KB to store the tables
Designers believe this very efficient implementation was a key factor in its selection as the AES cipher

The implementation described in the preceding subsection uses
only 8-bit operations. For a 32-bit processor, a more efficient implementation can
be achieved if operations are defined on 32-bit words. To show this, we first define
the four transformations of a round in algebraic form.
The developers of Rijndael believe that this compact, efficient implementation
was probably one of the most important factors in the selection of Rijndael for AES.
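The 32-bit table form described above, compared against the byte-level (8-bit) round, as an added example (not code from the Rijndael proposal or the book). The byte substitution is passed in as a parameter so that the table construction can be checked against the straightforward round for the same substitution; the run below uses a constructed permutation rather than the AES S-box, and the State and round-key words are those of round 1 in Tables 6.4 and 6.5.

```python
# Added example: T-table (32-bit) round versus the byte-level round.
def xtime(a):
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

# Columns of the MixColumns matrix (rows are 02 03 01 01 / 01 02 03 01 / 01 01 02 03 / 03 01 01 02).
MIX_COLS = [(2, 1, 1, 3), (3, 2, 1, 1), (1, 3, 2, 1), (1, 1, 3, 2)]

def build_t_tables(sbox):
    """T_r[x] packs (column r of the MixColumns matrix) * sbox[x] into one 32-bit word,
    row 0 in the high byte. Four tables of 256 words x 4 bytes = 4 KB."""
    tables = []
    for coeffs in MIX_COLS:
        t = []
        for x in range(256):
            word = 0
            for m in coeffs:
                word = (word << 8) | gf_mul(m, sbox[x])
            t.append(word)
        tables.append(t)
    return tables

def round_32bit(state, round_key_words, T):
    """One full round on a column-major State: each output column is the round-key word
    XORed with 4 table lookups, i.e. 4 lookups + 4 XORs per column."""
    out = []
    for c in range(4):
        word = round_key_words[c]
        for r in range(4):                 # ShiftRows: row r of column c comes from column c + r
            word ^= T[r][state[r + 4 * ((c + r) % 4)]]
        out += list(word.to_bytes(4, "big"))
    return out

def round_8bit(state, round_key_words, sbox):
    """The same round with byte operations only: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    s = [sbox[b] for b in state]
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    rk = [b for w in round_key_words for b in w.to_bytes(4, "big")]
    return [x ^ y for x, y in zip(out, rk)]

# Constructed byte permutation standing in for the S-box (7 is odd, so this is a bijection).
DEMO_SBOX = [(7 * x + 3) & 0xff for x in range(256)]
# Start-of-round-1 State of Table 6.5 (column-major) and round-key words w4..w7 of Table 6.4.
STATE_ROUND1 = list(bytes.fromhex("0e3634aece7225b6f26b174ed92b5588"))
ROUND_KEY_WORDS_1 = [0xdc9037b0, 0x9b49dfe9, 0x97fe723f, 0x388115a7]

def demo():
    """True when the table-driven round and the byte-level round agree."""
    T = build_t_tables(DEMO_SBOX)
    return round_32bit(STATE_ROUND1, ROUND_KEY_WORDS_1, T) == round_8bit(STATE_ROUND1, ROUND_KEY_WORDS_1, DEMO_SBOX)

if __name__ == "__main__":
    T = build_t_tables(DEMO_SBOX)
    print("table storage:", sum(len(t) for t in T) * 4, "bytes")
    print("32-bit and 8-bit rounds agree:", demo())
```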

Summary
Present an overview of the general structure of Advanced Encryption Standard (AES)
Understand the four transformations used in AES
Explain the AES key expansion algorithm
Understand the use of polynomials with coefficients in GF(2^8)

Chapter 6 summary.

Copyright
This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.


Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 5

Finite Fields

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 5 – “Finite Fields”.
Finite fields have become increasingly important in cryptography. A number of
cryptographic algorithms rely heavily on properties of finite fields, notably the
Advanced Encryption Standard (AES) and elliptic curve cryptography. Other examples
include the message authentication code CMAC and the authenticated encryption
scheme GCM.
This chapter provides the reader with sufficient background on the concepts of
finite fields to be able to understand the design of AES and other cryptographic algorithms
that use finite fields. Because students unfamiliar with abstract algebra may find
the concepts behind finite fields somewhat difficult to grasp, we approach the topic in a
way designed to enhance understanding. Our plan of attack is as follows:
1. Fields are a subset of a larger class of algebraic structures called rings, which
are in turn a subset of the larger class of groups. In fact, as shown in Figure 5.1,
both groups and rings can be further differentiated. Groups are defined by
a simple set of properties and are easily understood. Each successive subset
(abelian group, ring, commutative ring, and so on) adds additional properties
and is thus more complex. Sections 5.1 through 5.3 will examine groups, rings,
and fields, successively.
2. Finite fields are a subset of fields, consisting of those fields with a finite number
of elements. These are the class of fields that are found in cryptographic
algorithms. With the concepts of fields in hand, we turn in Section 5.4 to a
specific class of finite fields, namely those with p elements, where p is prime.
Certain asymmetric cryptographic algorithms make use of such fields.
3. A more important class of finite fields, for cryptography, comprises those with
2^n elements, written as fields of the form GF(2^n). These are used in a wide
variety of cryptographic algorithms. However, before discussing these fields, we
need to analyze the topic of polynomial arithmetic, which is done in Section 5.5.
4. With all of this preliminary work done, we are able at last, in Section 5.6, to
discuss finite fields of the form GF(2^n).
Before proceeding, the reader may wish to review Sections 2.1 through 2.3, which
cover relevant topics in number theory.

Learning Objectives
Distinguish among groups, rings, and fields.
Define finite fields of the form GF(p)
Explain the differences among ordinary polynomial arithmetic, polynomial arithmetic with coefficients in Z_p, and modular polynomial arithmetic in GF(2^n).
Define finite fields of the form GF(2^n).
Explain the two different uses of the mod operator.

Figure 5.1 Groups, Rings, and Fields

Groups, rings, and fields are the fundamental elements of a branch of mathematics
known as abstract algebra, or modern algebra. In abstract algebra, we are concerned
with sets on whose elements we can operate algebraically; that is, we can combine
two elements of the set, perhaps in several ways, to obtain a third element of the set.
These operations are subject to specific rules, which define the nature of the set. By
convention, the notation for the two principal classes of operations on set elements is
usually the same as the notation for addition and multiplication on ordinary numbers.
However, it is important to note that, in abstract algebra, we are not limited to
ordinary arithmetical operations. All this should become clear as we proceed.


Groups
A set of elements with a binary operation denoted by • that associates to each ordered pair (a,b) of elements in G an element (a • b ) in G, such that the following axioms are obeyed:
(A1) Closure:
If a and b belong to G, then a • b is also in G
(A2) Associative:
a • (b • c) = (a • b) • c for all a, b, c in G
(A3) Identity element:
There is an element e in G such that a • e = e • a = a for all a in G
(A4) Inverse element:
For each a in G, there is an element a′ in G such that a • a′ = a′ • a = e
(A5) Commutative (the additional condition for an abelian group):
a • b = b • a for all a, b in G

A group G, sometimes denoted by {G, *}, is a set of elements with a binary operation
denoted by * that associates to each ordered pair (a, b) of elements in G an element
(a * b) in G, such that the following axioms are obeyed:
(A1) Closure:
If a and b belong to G, then a * b is also in G
(A2) Associative:
a * (b * c) = (a * b) * c for all a, b, c in G
(A3) Identity element:
There is an element e in G such that a * e = e * a = a for all a in G
(A4) Inverse element:
For each a in G, there is an element a′ in G such that a * a′ = a′ * a = e
If a group has a finite number of elements, it is referred to as a finite group, and
the order of the group is equal to the number of elements in the group. Otherwise,
the group is an infinite group.
A group is said to be abelian if it satisfies the following additional condition:
(A5) Commutative: a * b = b * a for all a, b in G.

Cyclic Group
Exponentiation is defined within a group as a repeated application of the group operator, so that a^3 = a • a • a
We define a^0 = e as the identity element, and a^(−n) = (a′)^n, where a′ is the inverse element of a within the group
A group G is cyclic if every element of G is a power a^k (k is an integer) of a fixed element a ∈ G
The element a is said to generate the group G or to be a generator of G
A cyclic group is always abelian and may be finite or infinite

We define exponentiation within a group as a repeated application of the group operator, so that a^3 = a * a * a. Furthermore, we define a^0 = e as the identity element, and a^(−n) = (a′)^n, where a′ is the inverse element of a within the group. A group G is cyclic if every element of G is a power a^k (k is an integer) of a fixed element a ∈ G. The element a is said to generate the group G or to be a generator of G. A cyclic group is always abelian and may be finite or infinite.
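A brute-force check of the group axioms and of the cyclic-group definition on small finite structures, as an added example (not from the book). The (Z_n, +) and (Z_n^*, ×) inputs are constructed; the last check uses GF(2^8) multiplication with the AES polynomial, whose 255 nonzero elements form a cyclic group generated by {03} but not by {02}.

```python
# Added example: exhaustive tests of the group axioms A1-A5 and of generators.
from itertools import product
from math import gcd

def is_group(elems, op):
    """(A1) closure, (A2) associativity, (A3) identity, (A4) inverses, by exhaustive test."""
    elems = list(elems)
    if any(op(a, b) not in elems for a, b in product(elems, repeat=2)):
        return False
    if any(op(a, op(b, c)) != op(op(a, b), c) for a, b, c in product(elems, repeat=3)):
        return False
    idents = [e for e in elems if all(op(a, e) == op(e, a) == a for a in elems)]
    if not idents:
        return False
    e = idents[0]
    return all(any(op(a, x) == op(x, a) == e for x in elems) for a in elems)

def is_abelian(elems, op):
    """(A5) commutativity, the extra condition that makes a group abelian."""
    return all(op(a, b) == op(b, a) for a, b in product(elems, repeat=2))

def powers_of(a, op, e):
    """{a^0, a^1, a^2, ...}: repeated application of the group operator, starting at e.
    In a finite group the powers return to e, which ends the loop."""
    seen, x = {e}, e
    while True:
        x = op(x, a)
        if x in seen:
            return seen
        seen.add(x)

def generators(elems, op, e):
    """Elements whose powers exhaust the group; non-empty exactly when the group is cyclic."""
    return [a for a in elems if powers_of(a, op, e) == set(elems)]

def z_add(n):
    """(Z_n, +): the integers mod n under addition, identity 0. Constructed input."""
    return range(n), (lambda a, b: (a + b) % n)

def z_mul_units(n):
    """(Z_n^*, x): the integers in 1..n-1 coprime to n under multiplication, identity 1."""
    return [a for a in range(1, n) if gcd(a, n) == 1], (lambda a, b: (a * b) % n)

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1
        b >>= 1
    return r

if __name__ == "__main__":
    print("(Z_12, +) is an abelian group:", is_group(*z_add(12)) and is_abelian(*z_add(12)))
    print("generators of (Z_12, +):", generators(*z_add(12), 0))
    print("generators of (Z_7^*, x):", generators(*z_mul_units(7), 1))
    # {1..7} under multiplication mod 8 is not a group: 2 * 4 = 0 leaves the set
    print("{1..7} under x mod 8 is a group:", is_group(range(1, 8), lambda a, b: (a * b) % 8))
    # GF(2^8)^*: {03} generates all 255 nonzero bytes, while {02} only has order 51
    print("order of 03 and 02 in GF(2^8)^*:",
          len(powers_of(0x03, gf_mul, 1)), len(powers_of(0x02, gf_mul, 1)))
```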

5

Rings (1 of 3)
A ring R, sometimes denoted by {R, +, *}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in R the following axioms are obeyed:
(A1–A5) R is an abelian group with respect to addition; that is, R satisfies axioms A1 through A5. For the case of an additive group, we denote the identity element as 0 and the inverse of a as −a
(M1) Closure under multiplication: If a and b belong to R, then ab is also in R
(M2) Associativity of multiplication: a(bc) = (ab)c for all a, b, c in R

Rings (2 of 3)
(M3) Distributive laws: a(b + c) = ab + ac for all a, b, c in R; (a + b)c = ac + bc for all a, b, c in R
In essence, a ring is a set in which we can do addition, subtraction [a − b = a + (−b)], and multiplication without leaving the set

Rings (3 of 3)
A ring is said to be commutative if it satisfies the following additional condition:
(M4) Commutativity of multiplication: ab = ba for all a, b in R
An integral domain is a commutative ring that obeys the following axioms:
(M5) Multiplicative identity: There is an element 1 in R such that a1 = 1a = a for all a in R
(M6) No zero divisors: If a, b in R and ab = 0, then either a = 0 or b = 0

Fields
A field F, sometimes denoted by {F, +, *}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed:
(A1–M6) F is an integral domain; that is, F satisfies axioms A1 through A5 and M1 through M6
(M7) Multiplicative inverse: For each a in F, except 0, there is an element a^-1 in F such that a(a^-1) = (a^-1)a = 1
In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set. Division is defined with the following rule: a/b = a(b^-1)
Familiar examples of fields are the rational numbers, the real numbers, and the complex numbers. Note that the set of all integers is not a field, because not every element of the set has a multiplicative inverse; in fact, only the elements 1 and −1 have multiplicative inverses in the integers.

Figure 5.2 Properties of Groups, Rings, and Fields
Figure 5.2 summarizes the axioms that define groups, rings, and fields.

Figure 5.3 Types of Fields
In Section 5.3, we defined a field as a set that obeys all of the axioms of Figure 5.2 and gave some examples of infinite fields. Infinite fields are not of particular interest in the context of cryptography. However, in addition to infinite fields, there are two types of finite fields, as illustrated in Figure 5.3. Finite fields play a crucial role in many cryptographic algorithms.

Finite Fields of the Form GF(p)
Finite fields play a crucial role in many cryptographic algorithms
It can be shown that the order of a finite field (number of elements in the field) must be a power of a prime p^n, where n is a positive integer
The finite field of order p^n is generally written GF(p^n)
GF stands for Galois field, in honor of the mathematician who first studied finite fields
Two special cases are of interest for our purposes. For n = 1, we have the finite field GF(p); this finite field has a different structure than that for finite fields with n > 1 and is studied in this section.

Table 5.1 Arithmetic Modulo 8 and Modulo 7
(a) Addition modulo 8
(b) Multiplication modulo 8
(c) Additive and multiplicative inverses modulo 8
(d) Addition modulo 7
(e) Multiplication modulo 7
(f) Additive and multiplicative inverses modulo 7

In this section, we have shown how to construct a finite field of order p, where p is prime
GF(p) is defined with the following properties:
1. GF(p) consists of p elements
2. The binary operations + and * are defined over the set. The operations of addition, subtraction, multiplication, and division can be performed without leaving the set. Each element of the set other than 0 has a multiplicative inverse
We have shown that the elements of GF(p) are the integers {0, 1, . . . , p − 1} and that the arithmetic operations are addition and multiplication mod p
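The following is an added example, not code from the Stallings slides: it checks the Figure 5.2 axioms on Z_n by exhaustive search, reproducing what Table 5.1 shows for modulo 8 versus modulo 7 (every nonzero element of Z_7 has a multiplicative inverse; 2, 4 and 6 in Z_8 do not and are zero divisors), and lists the generators of the cyclic group Z_p^* from the Cyclic Group slide. Function names and the sample moduli are the example's own choices.

```python
# Added example (not from the Stallings slides): brute-force check of the
# ring/field axioms on Z_n = {0, 1, ..., n-1} with + and * taken mod n,
# mirroring Table 5.1 (mod 8 versus mod 7), plus generators of Z_p^*.

def additive_inverse(a, n):
    """-a mod n: the element b with (a + b) mod n == 0 (always exists)."""
    return (-a) % n

def multiplicative_inverse(a, n):
    """a^-1 mod n by exhaustive search, or None if no inverse exists."""
    for b in range(n):
        if (a * b) % n == 1:
            return b
    return None

def zero_divisors(n):
    """Nonzero a with some nonzero b such that ab = 0 mod n (axiom M6 fails)."""
    return sorted({a for a in range(1, n) for b in range(1, n) if (a * b) % n == 0})

def classify_zn(n):
    """Which of the Figure 5.2 structures Z_n is, decided by direct axiom checks."""
    no_inverse = [a for a in range(1, n) if multiplicative_inverse(a, n) is None]
    zd = zero_divisors(n)
    return {
        "commutative_ring": True,              # Z_n always satisfies A1-A5, M1-M4
        "multiplicative_identity": n > 1,      # M5: 1 is the identity when n > 1
        "integral_domain": n > 1 and not zd,   # M6: no zero divisors
        "field": n > 1 and not no_inverse,     # M7: every nonzero element invertible
        "elements_without_inverse": no_inverse,
        "zero_divisors": zd,
    }

def generators(p):
    """Generators of the cyclic group Z_p^* = {1, ..., p-1} under * mod p.
    g is a generator when its first p-1 powers are all distinct, i.e. cover Z_p^*."""
    gens = []
    for g in range(1, p):
        powers = {pow(g, k, p) for k in range(1, p)}
        if len(powers) == p - 1:
            gens.append(g)
    return gens

if __name__ == "__main__":
    for n in (7, 8):
        print(n, classify_zn(n))
    print("generators of Z_7^*:", generators(7))
```

Run it for any n: the classification is a field exactly when n is prime, which is why GF(p) is built on a prime modulus.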

Figure 5.4 Treatment of Polynomials
Before continuing our discussion of finite fields, we need to introduce the interesting subject of polynomial arithmetic. We are concerned with polynomials in a single variable x, and we can distinguish three classes of polynomial arithmetic (Figure 5.4):
• Ordinary polynomial arithmetic, using the basic rules of algebra.
• Polynomial arithmetic in which the arithmetic on the coefficients is performed modulo p; that is, the coefficients are in GF(p).
• Polynomial arithmetic in which the coefficients are in GF(p), and the polynomials are defined modulo a polynomial m(x) whose highest power is some integer n.

Figure 5.5 Examples of Polynomial Arithmetic

Polynomial Arithmetic With Coefficients in Z_p
Let us now consider polynomials in which the coefficients are elements of some field F; we refer to this as a polynomial over the field F. In that case, it is easy to show that the set of such polynomials is a ring, referred to as a polynomial ring. That is, if we consider each distinct polynomial to be an element of the set, then that set is a ring.
When polynomial arithmetic is performed on polynomials over a field, then division is possible. Note that this does not mean that exact division is possible. Let us clarify this distinction. Within a field, given two elements a and b, the quotient a/b is also an element of the field. However, given a ring R that is not a field, in general, division will result in both a quotient and a remainder; this is not exact division.
Now, if we attempt to perform polynomial division over a coefficient set that is not a field, we find that division is not always defined.
However, as we demonstrate presently, even if the coefficient set is a field, polynomial division is not necessarily exact. In general, division will produce a quotient and a remainder.
With the understanding that remainders are allowed, we can say that polynomial division is possible if the coefficient set is a field.

Polynomial Division
We can write any polynomial in the form f(x) = q(x) g(x) + r(x), where division of f(x) by g(x) results in a quotient q(x) and a remainder r(x); so r(x) = f(x) mod g(x)
If there is no remainder we can say g(x) divides f(x), written as g(x) | f(x); we can say that g(x) is a factor of f(x), or that g(x) is a divisor of f(x)
A polynomial f(x) over a field F is called irreducible if and only if f(x) cannot be expressed as a product of two polynomials, both over F, and both of degree lower than that of f(x)
An irreducible polynomial is also called a prime polynomial
The concept of divisors can then be extended from the integer case, and the Euclidean algorithm can be extended to find the greatest common divisor of two polynomials whose coefficients are elements of a field.
An irreducible (or prime) polynomial is one with no divisors other than itself and 1. Polynomial arithmetic modulo an irreducible polynomial forms a finite field, and the GCD and inverse algorithms can be adapted for it.
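As an added example (not code from the slides), the following implements polynomial division with remainder and the Euclidean GCD over Z_p for a general prime p, the second class of arithmetic in Figure 5.4, and makes the "division is not always defined" point concrete: over Z_4 the leading coefficient 2 has no inverse, so long division cannot even start. Polynomials are coefficient lists, lowest degree first; the representation and the sample inputs are the example's own.

```python
# Added example (not from the Stallings slides): polynomial arithmetic with
# coefficients in Z_p. A polynomial is a list of coefficients, lowest degree
# first: [1, 0, 3] represents 3x^2 + 1.

def trim(a):
    """Drop leading zero coefficients so that degree == len(a) - 1."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])

def sub(a, b, p):
    return add(a, [(-y) % p for y in b], p)

def mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def divmod_poly(a, b, p):
    """Long division over Z_p: returns (q, r) with a = q*b + r and deg r < deg b.
    Each step divides by the leading coefficient of b, so that coefficient must
    be invertible mod p; for every nonzero value that holds only when Z_p is a field."""
    a, b = trim(a), trim(b)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    lead = b[-1]
    inv = next((c for c in range(p) if (lead * c) % p == 1), None)
    if inv is None:
        raise ValueError(f"leading coefficient {lead} has no inverse mod {p}")
    q = [0] * max(len(a) - len(b) + 1, 1)
    r = a
    while len(r) >= len(b):
        shift = len(r) - len(b)            # degree difference
        coef = (r[-1] * inv) % p           # next quotient coefficient
        q[shift] = coef
        r = sub(r, mul([0] * shift + [coef], b, p), p)
    return trim(q), r

def division_defined(a, b, p):
    """True when divmod_poly can carry out the division over Z_p."""
    try:
        divmod_poly(a, b, p)
        return True
    except ValueError:
        return False

def gcd_poly(a, b, p):
    """Euclidean algorithm on polynomials over Z_p; result is made monic."""
    a, b = trim(a), trim(b)
    while b:
        a, b = b, divmod_poly(a, b, p)[1]
    inv = next(c for c in range(p) if (a[-1] * c) % p == 1)
    return [(x * inv) % p for x in a]
```

With p = 2 the division step of Table 5.4 is reproduced: (x^8 + x^4 + x^3 + x + 1) divided by (x^7 + x + 1) gives quotient x and remainder x^4 + x^3 + x^2 + 1, and the GCD of the two is 1.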

Figure 5.6 Example of Polynomial Arithmetic Over GF(2)
(a) Addition
(b) Subtraction
(c) Multiplication
(d) Division
Figure 5.6 shows an example of polynomial arithmetic over GF(2).

Polynomial GCD
We can extend the analogy between polynomial arithmetic over a field and integer arithmetic by defining the greatest common divisor as follows. The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x) if the following are true:
1. c(x) divides both a(x) and b(x)
2. Any divisor of a(x) and b(x) is a divisor of c(x)
An equivalent definition is the following: gcd[a(x), b(x)] is the polynomial of maximum degree that divides both a(x) and b(x)
We can adapt the Euclidean algorithm to compute the greatest common divisor of two polynomials whose coefficients are elements of a field

Table 5.2 Arithmetic in GF(2^3)
(a) Addition
(b) Multiplication
(c) Additive and multiplicative inverses

Table 5.3 Polynomial Arithmetic Modulo (x^3 + x + 1)
(a) Addition
(b) Multiplication
The tables show addition and multiplication in GF(2^3)

Table 5.4 Extended Euclid [(x^8 + x^4 + x^3 + x + 1), (x^7 + x + 1)]
(Table 5.4 can be found on page 138 in textbook)
Initialization: a(x) = x^8 + x^4 + x^3 + x + 1; v_-1(x) = 1; w_-1(x) = 0
                b(x) = x^7 + x + 1; v_0(x) = 0; w_0(x) = 1
Iteration 1: q_1(x) = x; r_1(x) = x^4 + x^3 + x^2 + 1; v_1(x) = 1; w_1(x) = x
Iteration 2: q_2(x) = x^3 + x^2 + 1; r_2(x) = x; v_2(x) = x^3 + x^2 + 1; w_2(x) = x^4 + x^3 + x + 1
Iteration 3: q_3(x) = x^3 + x^2 + x; r_3(x) = 1; v_3(x) = x^6 + x^2 + x + 1; w_3(x) = x^7
Iteration 4: q_4(x) = x; r_4(x) = 0; v_4(x) = x^7 + x + 1; w_4(x) = x^8 + x^4 + x^3 + x + 1
Result: d(x) = r_3(x) = gcd(a(x), b(x)) = 1
        w(x) = w_3(x) = (x^7 + x + 1)^-1 mod (x^8 + x^4 + x^3 + x + 1) = x^7

Computational Considerations
Since coefficients are 0 or 1, any such polynomial can be represented as a bit string
Addition becomes XOR of these bit strings
Multiplication is shift and XOR (cf. long-hand multiplication)
Modulo reduction is done by repeatedly substituting the highest power with the remainder of the irreducible polynomial (also shift and XOR)
A key motivation for using polynomial arithmetic in GF(2^n) is that the polynomials can be represented as bit strings, using all possible bit values, and the calculations only use simple common machine instructions: addition is just XOR, and multiplication is shifts and XORs. See text for additional discussion. The shortcut for polynomial reduction comes from the observation that in GF(2^n) the irreducible polynomial g(x) has highest term x^n, so x^n mod g(x) = g(x) − x^n, which over GF(2) is simply g(x) with its x^n term removed.

Using a Generator
An equivalent technique for defining a finite field of the form GF(2^n), using the same irreducible polynomial, is sometimes more convenient. To begin, we need two definitions:
A generator g of a finite field F of order q (contains q elements) is an element whose first q − 1 powers generate all the nonzero elements of F; that is, the elements of F consist of 0, g^0, g^1, . . . , g^(q−2)
Consider a field F defined by a polynomial f(x). An element b contained in F is called a root of the polynomial if f(b) = 0
Finally, it can be shown that a root g of an irreducible polynomial is a generator of the finite field defined on that polynomial

Table 5.5 Generator for GF(2^3) using x^3 + x + 1
Power Representation | Polynomial Representation | Binary Representation | Decimal (Hex) Representation
0                    | 0                         | 000                   | 0
g^0 (= g^7)          | 1                         | 001                   | 1
g^1                  | g                         | 010                   | 2
g^2                  | g^2                       | 100                   | 4
g^3                  | g + 1                     | 011                   | 3
g^4                  | g^2 + g                   | 110                   | 6
g^5                  | g^2 + g + 1               | 111                   | 7
g^6                  | g^2 + 1                   | 101                   | 5
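The following added example (not the slides' or the textbook's code) implements the "Computational Considerations" slide literally: a polynomial over GF(2) is a Python int whose bit i is the coefficient of x^i, addition is XOR, multiplication is shift-and-XOR, and reduction XORs in the modulus whenever the top bit is set. It then runs the extended Euclidean algorithm of Table 5.4 to recover the inverse x^7 of x^7 + x + 1 modulo x^8 + x^4 + x^3 + x + 1, and walks the powers of a generator to reproduce Table 5.5 for GF(2^3). Function names are the example's own; 0x11B is the AES modulus the same polynomial denotes.

```python
# Added example (not from the Stallings slides): GF(2^n) arithmetic with
# polynomials held as ints (bit i = coefficient of x^i).

def gf_add(a, b):
    """Addition (and subtraction) over GF(2): coefficient-wise XOR."""
    return a ^ b

def clmul(a, b):
    """Carry-less product in GF(2)[x] with no reduction: shift and XOR."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a <<= 1
        b >>= 1
    return out

def gf_reduce(a, mod):
    """a mod `mod`: while deg(a) >= n, substitute x^n by (mod minus its x^n term)."""
    n = mod.bit_length() - 1
    while a.bit_length() - 1 >= n:
        a ^= mod << (a.bit_length() - 1 - n)
    return a

def gf_mul(a, b, mod):
    """Multiplication in the field defined by the irreducible polynomial `mod`."""
    return gf_reduce(clmul(a, b), mod)

def gf_divmod(a, b):
    """Polynomial long division over GF(2): returns (q, r) with a = q*b + r."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf_inverse(a, mod):
    """Extended Euclid as in Table 5.4: returns w with a*w = 1 (mod `mod`)."""
    r0, r1 = mod, a          # a(x), b(x)
    w0, w1 = 0, 1            # w_-1(x), w_0(x)
    while r1 != 0:
        q, r = gf_divmod(r0, r1)
        r0, r1 = r1, r
        w0, w1 = w1, w0 ^ clmul(q, w1)   # w_i = w_(i-2) - q_i * w_(i-1)
    if r0 != 1:
        raise ValueError("not invertible: gcd is not 1")
    return gf_reduce(w0, mod)

def powers_of(g, mod):
    """Successive powers g^0, g^1, ... until the cycle returns to 1 (Table 5.5)."""
    if g == 0:
        return []
    out, x = [1], gf_mul(1, g, mod)
    while x != 1:
        out.append(x)
        x = gf_mul(x, g, mod)
    return out

def is_generator(g, mod):
    """g generates the field iff its powers cover all 2^n - 1 nonzero elements."""
    n = mod.bit_length() - 1
    return len(powers_of(g, mod)) == (1 << n) - 1

if __name__ == "__main__":
    print(hex(gf_inverse(0x83, 0x11B)))     # (x^7 + x + 1)^-1 = x^7 = 0x80
    print(powers_of(0b010, 0b1011))         # decimal column of Table 5.5
```

The same routines work for any irreducible modulus; with 0x11B they give AES's field, where 0x03 is a generator and 0x02 is not.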

Table 5.6 GF(2^3) Arithmetic Using Generator for the Polynomial (x^3 + x + 1)
(a) Addition
(b) Multiplication

Summary
Distinguish among groups, rings, and fields
Define finite fields of the form GF(p)
Define finite fields of the form GF(2^n)
Explain the differences among ordinary polynomial arithmetic, polynomial arithmetic with coefficients in Z_p, and modular polynomial arithmetic in GF(2^n)
Explain the two different uses of the mod operator
Chapter 5 summary.

Copyright
This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.


Cryptography and Network Security: Principles and Practice
Eighth Edition
Chapter 7
Block Cipher Operation

Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings, Chapter 7 – “Block Cipher Operation”.
This chapter continues our discussion of symmetric ciphers. We begin with the topic of multiple encryption, looking in particular at the most widely used multiple-encryption scheme: triple DES.
The chapter next turns to the subject of block cipher modes of operation. We find that there are a number of different ways to apply a block cipher to plaintext, each with its own advantages and particular applications.

Learning Objectives
Analyze the security of multiple encryption schemes.
Explain the meet-in-the-middle attack.
Compare and contrast ECB, CBC, CFB, OFB, and counter modes of operation.
Present an overview of the XTS-AES mode of operation.


Figure 7.1 Multiple Encryption (1 of 2)
Because of its vulnerability to brute-force attack, DES, once the most widely used symmetric cipher, has been largely replaced by stronger encryption schemes. Two approaches have been taken. One approach is to design a completely new algorithm that is resistant to both cryptanalytic and brute-force attacks, of which AES is a prime example. Another alternative, which preserves the existing investment in software and equipment, is to use multiple encryption with DES and multiple keys. We begin by examining the simplest example of this second alternative. We then look at the widely accepted triple DES (3DES) algorithm.
The simplest form of multiple encryption has two encryption stages and two keys (Figure 7.1a). Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
C = E(K2, E(K1, P))
Decryption requires that the keys be applied in reverse order:
P = D(K1, D(K2, C))
For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits, and should result in a dramatic increase in cryptographic strength. But we need to examine the algorithm more closely.
It is reasonable to assume that if DES is used twice with different keys, it will produce one of the many mappings that are not defined by a single application of DES. Although there was much supporting evidence for this assumption, it was not until 1992 that the assumption was proven [CAMP92].

Meet-in-the-Middle Attack
Thus, the use of double DES results in a mapping that is not equivalent to a single DES encryption. But there is a way to attack this scheme, one that does not depend on any particular property of DES but that will work against any block encryption cipher. The algorithm, known as a meet-in-the-middle attack, was first described in [DIFF77].

Figure 7.1 Multiple Encryption (2 of 2)
An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys. Using DES as the underlying algorithm, this approach is commonly referred to as 3DES, or Triple Data Encryption Algorithm (TDEA). As shown in Figure 7.1b, there are two versions of 3DES; one using two keys and one using three keys. NIST SP 800-67 (Recommendation for the Triple Data Encryption Block Cipher, January 2012) defines the two-key and three-key versions. We look first at the strength of the two-key version and then examine the three-key version.
Two-key triple encryption was first proposed by Tuchman [TUCH79]. The function follows an encrypt-decrypt-encrypt (EDE) sequence (Figure 7.1b). There is no cryptographic significance to the use of decryption for the second stage. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES.
3DES with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANSI X9.17 and ISO 8732.
The first serious proposal came from Merkle and Hellman [MERK81]. Their plan involves finding plaintext values that produce a first intermediate value of A = 0 (Figure 7.1b) and then using the meet-in-the-middle attack to determine the two keys. The level of effort is 2^56, but the technique requires 2^56 chosen plaintext–ciphertext pairs, which is a number unlikely to be provided by the holder of the keys.
A known-plaintext attack is outlined in [VANO90]. This method is an improvement over the chosen-plaintext approach but requires more effort. The attack is based on the observation that if we know A and C (Figure 7.1b), then the problem reduces to that of an attack on double DES. Of course, the attacker does not know A, even if P and C are known, as long as the two keys are unknown. However, the attacker can choose a potential value of A and then try to find a known (P, C) pair that produces A.

Figure 7.2 Known-Plaintext Attack on Triple DES
The attack proceeds as follows.
1. Obtain n (P, C) pairs. This is the known plaintext. Place these in a table (Table 1) sorted on the values of P (Figure 7.2b).
2. Pick an arbitrary value a for A, and create a second table (Figure 7.2c) with entries defined in the following fashion. For each of the 2^56 possible keys K1 = i, calculate the plaintext value P_i such that
P_i = D(i, a)
For each P_i that matches an entry in Table 1, create an entry in Table 2 consisting of the K1 value and the value of B that is produced for the (P, C) pair from Table 1, assuming that value of K1:
B = D(i, C)
At the end of this step, sort Table 2 on the values of B.
3. We now have a number of candidate values of K1 in Table 2 and are in a position to search for a value of K2. For each of the 2^56 possible keys K2 = j, calculate the second intermediate value for our chosen value of a:
B_j = D(j, a)
At each step, look up B_j in Table 2. If there is a match, then the corresponding key i from Table 2 plus this value of j are candidate values for the unknown keys (K1, K2). Why? Because we have found a pair of keys (i, j) that produce a known (P, C) pair (Figure 7.2a).
4. Test each candidate pair of keys (i, j) on a few other plaintext–ciphertext pairs. If a pair of keys produces the desired ciphertext, the task is complete. If no pair succeeds, repeat from step 1 with a new value of a.
For a given known (P, C), the probability of selecting the unique value of a that leads to success is 1/2^64. Thus, given n (P, C) pairs, the probability of success for a single selected value of a is n/2^64.

Triple DES with Three Keys
Although the attacks just described appear impractical, anyone using two-key 3DES may feel some concern. Thus, many researchers now feel that three-key 3DES is the preferred alternative (e.g., [KALI96a]). Three-key 3DES has an effective key length of 168 bits and is defined as
C = E(K3, D(K2, E(K1, P)))
Backward compatibility with DES is provided by putting
K3 = K2 or K1 = K2
A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME, both discussed in Chapter 21.
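The following added example, not code from the slides or the textbook, ties together the Figure 7.1 discussion of double encryption, the meet-in-the-middle section and the three-key EDE construction above. It uses a deliberately tiny constructed cipher (16-bit block, 8-bit key) so that the effective-key-length argument can be checked by running it: recovering both keys of the double cipher from a few known pairs costs about 2 * 2^8 cipher calls rather than the 2^16 a doubled key length would suggest, and setting K1 = K2 (or K3 = K2) in EDE collapses it to a single encryption, which is the backward-compatibility property the slide states. The cipher, key values and plaintexts are all constructed for illustration.

```python
# Added example (not from the Stallings slides): a toy 16-bit block cipher
# with an 8-bit key, double encryption, EDE triple encryption, and the
# meet-in-the-middle key recovery that bounds double encryption's strength.
MASK = 0xFFFF
MUL, ADD = 0x9E37, 0x1234              # odd MUL is invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)

def E(k, p):
    """Toy block cipher: key mix (XOR), then an invertible affine map mod 2^16."""
    kk = (k << 8) | k                    # replicate the 8-bit key over the block
    return ((p ^ kk) * MUL + ADD) & MASK

def D(k, c):
    kk = (k << 8) | k
    return (((c - ADD) * MUL_INV) & MASK) ^ kk

def double_encrypt(k1, k2, p):
    """C = E(K2, E(K1, P)), as in Figure 7.1a."""
    return E(k2, E(k1, p))

def triple_ede(k1, k2, k3, p):
    """C = E(K3, D(K2, E(K1, P))), the EDE sequence of Figure 7.1b."""
    return E(k3, D(k2, E(k1, p)))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) of the double cipher from known (P, C) pairs.
    A table of E(k1, P) over all k1 is matched against D(k2, C) over all
    k2: 2 * 256 cipher calls, instead of 256 * 256 for exhaustive search.
    Each match is confirmed on the remaining pairs (step 4 of the text)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}
    for k1 in range(256):
        forward.setdefault(E(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(256):
        mid = D(k2, c0)
        for k1 in forward.get(mid, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates

def demo():
    """Constructed secret keys and plaintexts; returns the recovered key pairs."""
    k1, k2 = 0x3C, 0xA5
    plaintexts = [0x0001, 0xBEEF, 0x1234]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    print("recovered:", [(hex(a), hex(b)) for a, b in demo()])
```

The same table-matching structure is why two-key 3DES is assessed at well under 112 bits and why the three-key version is preferred: the middle value is the point at which the two halves of the computation can be compared.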

Modes of Operation
A block cipher takes a fixed-length block of text of length b bits and a key as input and produces a b-bit block of ciphertext. If the amount of plaintext to be encrypted is greater than b bits, then the block cipher can still be used by breaking the plaintext up into b-bit blocks. When multiple blocks of plaintext are encrypted using the same key, a number of security issues arise. To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST (SP 800-38A).
In essence, a mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream. The five modes are intended to cover a wide variety of applications of encryption for which a block cipher could be used. These modes are intended for use with any symmetric block cipher, including triple DES and AES.

Table 7.1 Block Cipher Modes of Operation
Mode: Electronic Codebook (ECB)
Description: Each block of plaintext bits is encoded independently using the same key.
Typical Application: Secure transmission of single values (e.g., an encryption key)

Mode: Cipher Block Chaining (CBC)
Description: The input to the encryption algorithm is the XOR of the next block of plaintext and the preceding block of ciphertext.
Typical Application: General-purpose block-oriented transmission; authentication

Mode: Cipher Feedback (CFB)
Description: Input is processed s bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of ciphertext.
Typical Application: General-purpose stream-oriented transmission; authentication

Mode: Output Feedback (OFB)
Description: Similar to CFB, except that the input to the encryption algorithm is the preceding encryption output, and full blocks are used.
Typical Application: Stream-oriented transmission over noisy channel (e.g., satellite communication)

Mode: Counter (CTR)
Description: Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
Typical Application: General-purpose block-oriented transmission; useful for high-speed requirements

The modes are summarized in Table 7.1 and described in this and the following sections.

Figure 7.3 Electronic Codebook (E C B) Mode

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
The simplest mode is the electronic codebook (ECB ) mode, in which plaintext
is handled one block at a time and each block of plaintext is encrypted using the
same key (Figure 7.3). The term codebook is used because, for a given key, there is
a unique ciphertext for every b -bit block of plaintext. Therefore, we can imagine a
gigantic codebook in which there is an entry for every possible b -bit plaintext pattern
showing its corresponding ciphertext.
For a message longer than b bits, the procedure is simply to break the message
into b -bit blocks, padding the last block if necessary. Decryption is performed one
block at a time, always using the same key. In Figure 7.3, the plaintext (padded as
necessary) consists of a sequence of b -bit blocks, P1 , P2 , . . . , PN ; the corresponding
sequence of ciphertext blocks is C1 , C2 , . . . , CN . We can define ECB mode as
follows.
Encryption: Cj = E(K, Pj), j = 1, ..., N
Decryption: Pj = D(K, Cj), j = 1, ..., N
The ECB mode should be used only to secure messages no longer than a single block of the underlying cipher (i.e., 64 bits for 3DES and 128 bits for AES), such as when encrypting a secret key. Because messages are in most cases longer than one block, this mode has minimal practical value.
The most significant characteristic of ECB is that if the same b -bit block of
plaintext appears more than once in the message, it always produces the same
ciphertext.
For lengthy messages, the ECB mode may not be secure. If the message is
highly structured, it may be possible for a cryptanalyst to exploit these regularities.
For example, if it is known that the message always starts out with certain
predefined fields, then the cryptanalyst may have a number of known plaintext–
ciphertext pairs to work with. If the message has repetitive elements with a
period of repetition a multiple of b bits, then these elements can be identified by the
analyst. This may help in the analysis or may provide an opportunity for substituting
or rearranging blocks.
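A worked example of the codebook leak, added here and not taken from the book or its slides: Go's standard-library AES is run over four identical 16-byte blocks in ECB and in CBC, and the distinct ciphertext blocks are counted. The key, IV and plaintext are constructed values for the demonstration. Go has no ECB helper on purpose, so the per-block loop is written out, which also shows how little ECB actually is.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and IV (assumptions for this example); a real system
// draws the key from a key store and the CBC IV from a CSPRNG per message.
var demoKey = []byte("0123456789abcdef") // 16 bytes selects AES-128
var demoIV = []byte("fedcba9876543210")  // 16 bytes = one AES block

// ecbEncrypt applies the raw block function to each 16-byte block with no
// chaining. The Go standard library deliberately has no ECB helper; this loop
// is all ECB is. pt must already be padded to a multiple of the block size.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs]) // C_j = E(K, P_j), independent of j
	}
	return ct, nil
}

// cbcEncrypt chains the blocks: the cipher input is P_j XOR C_{j-1}, with the
// IV standing in for C_0, so equal plaintext blocks get different cipher inputs.
func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), block.BlockSize())
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// distinctBlocks counts the different 16-byte blocks in ct. Fewer distinct
// ciphertext blocks than plaintext blocks means the ciphertext reveals which
// plaintext blocks were equal, which is exactly the ECB weakness.
func distinctBlocks(ct []byte) int {
	seen := make(map[string]struct{})
	for i := 0; i+16 <= len(ct); i += 16 {
		seen[string(ct[i:i+16])] = struct{}{}
	}
	return len(seen)
}

func main() {
	// Constructed input: four identical blocks, as a record with fixed fields
	// or a run of zero padding would produce.
	pt := bytes.Repeat([]byte("SAME 16B RECORD!"), 4)
	ecb, _ := ecbEncrypt(demoKey, pt)
	cbc, _ := cbcEncrypt(demoKey, demoIV, pt)
	fmt.Printf("ECB: %d distinct ciphertext blocks for 4 equal plaintext blocks\n", distinctBlocks(ecb))
	fmt.Printf("CBC: %d distinct ciphertext blocks for 4 equal plaintext blocks\n", distinctBlocks(cbc))
}
```

ECB yields one distinct block where CBC yields four. This count is the whole basis of the familiar "ECB penguin" image and of the code-review finding that flags any AES-ECB usage on data longer than one block.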


Criteria and properties for evaluating and constructing block cipher modes of operation that are superior to ECB:
Overhead
Error recovery
Error propagation
Diffusion
Security

We now turn to more complex modes of operation. [KNUD00] lists the following
criteria and properties for evaluating and constructing block cipher modes of
operation that are superior to ECB:
• Overhead: The additional operations for the encryption and decryption
operation when compared to encrypting and decrypting in the ECB mode.
• Error recovery: The property that an error in the ith ciphertext block is inherited
by only a few plaintext blocks after which the mode resynchronizes.
• Error propagation: The property that an error in the ith ciphertext block is
inherited by the ith and all subsequent plaintext blocks. What is meant here is
a bit error that occurs in the transmission of a ciphertext block, not a computational
error in the encryption of a plaintext block.
• Diffusion: How the plaintext statistics are reflected in the ciphertext. Low
entropy plaintext blocks should not be reflected in the ciphertext blocks.
Roughly, low entropy equates to predictability or lack of randomness (see
Appendix B).
• Security: Whether or not the ciphertext blocks leak information about the
plaintext blocks.

Figure 7.4 Cipher Block Chaining (CBC) Mode

To overcome the security deficiencies of ECB, we would like a technique in which
the same plaintext block, if repeated, produces different ciphertext blocks. A
simple way to satisfy this requirement is the cipher block chaining (CBC ) mode
(Figure 7.4). In this scheme, the input to the encryption algorithm is the XOR of the
current plaintext block and the preceding ciphertext block; the same key is used for
each block. In effect, we have chained together the processing of the sequence of
plaintext blocks. The input to the encryption function for each plaintext block bears
no fixed relationship to the plaintext block. Therefore, repeating patterns of b bits
are not exposed. As with the ECB mode, the CBC mode requires that the last block
be padded to a full b bits if it is a partial block.
For decryption, each cipher block is passed through the decryption algorithm.
The result is XORed with the preceding ciphertext block to produce the plaintext
block.
To produce the first block of ciphertext, an initialization vector (IV) is XORed
with the first block of plaintext. On decryption, the IV is XORed with the output
of the decryption algorithm to recover the first block of plaintext. The IV is a data
block that is the same size as the cipher block.
The IV must be known to both the sender and receiver but be unpredictable
by a third party. In particular, for any given plaintext, it must not be possible to
predict the IV that will be associated with the plaintext in advance of the generation
of the IV. For maximum security, the IV should be protected against unauthorized
changes. This could be done by sending the IV using ECB encryption. One reason
for protecting the IV is as follows: If an opponent is able to fool the receiver into
using a different value for IV, then the opponent is able to invert selected bits in the
first block of plaintext.
So long as it is unpredictable, the specific choice of IV is unimportant.
SP800-38A recommends two possible methods: The first method is to apply the
encryption function, under the same key that is used for the encryption of the plaintext,
to a nonce . The nonce must be a data block that is unique to each execution of
the encryption operation. For example, the nonce may be a counter, a timestamp, or
a message number. The second method is to generate a random data block using a
random number generator.
In conclusion, because of the chaining mechanism of CBC, it is an appropriate
mode for encrypting messages of length greater than b bits.
In addition to its use to achieve confidentiality, the CBC mode can be used for
authentication. This use is described in Chapter 12.
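The IV-tampering attack described above, as an added example (not from the original text) in Go: the receiver decrypts an untouched ciphertext with an IV the opponent has altered, and the chosen bits of the first plaintext block flip while the second block survives intact. Key, IV and the message are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and IV (assumptions for this example).
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// cbcEncrypt and cbcDecrypt assume the input is already a multiple of 16 bytes.
func cbcEncrypt(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(ct, pt)
	return ct
}

func cbcDecrypt(key, iv, ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustAES(key), iv).CryptBlocks(pt, ct)
	return pt
}

// flipBit returns a copy of b with bit number `bit` of byte `idx` inverted.
func flipBit(b []byte, idx int, bit uint) []byte {
	out := append([]byte(nil), b...)
	out[idx] ^= 1 << bit
	return out
}

// tamperViaIV models an opponent who cannot touch the ciphertext but can feed
// the receiver a different IV. Since P_1 = D(K, C_1) XOR IV, every bit flipped
// in the IV flips the same bit of P_1; later blocks are untouched because they
// are XORed with the preceding ciphertext block, not with the IV.
func tamperViaIV(key, iv, ct []byte, idx int, bit uint) []byte {
	return cbcDecrypt(key, flipBit(iv, idx, bit), ct)
}

func main() {
	// Constructed 32-byte message = exactly two AES blocks.
	pt := []byte("amount=0000100.00;to=account-42;")
	ct := cbcEncrypt(demoKey, demoIV, pt)
	// Byte 11 is the '1' (0x31); flipping bit 3 turns it into '9' (0x39).
	forged := tamperViaIV(demoKey, demoIV, ct, 11, 3)
	fmt.Printf("honest IV:   %s\n", cbcDecrypt(demoKey, demoIV, ct))
	fmt.Printf("tampered IV: %s\n", forged)
}
```

The forged output reads "amount=0000900.00;to=account-42;" with the second block unchanged. This is why the IV needs integrity protection, and in practice why the whole ciphertext, IV included, is authenticated with a MAC (Chapter 12) rather than relying on encryption alone.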

Cipher Feedback Mode
For AES, DES, or any block cipher, encryption is performed on a block of b bits
In the case of DES b = 64
In the case of AES b = 128
There are three modes that make it possible to convert a block cipher into a stream cipher:
Cipher feedback (CFB) mode
Output feedback (OFB) mode
Counter (CTR) mode

For AES, DES, or any block cipher, encryption is performed on a block of b bits. In
the case of DES, b = 64 and in the case of AES, b = 128. However, it is possible
to convert a block cipher into a stream cipher, using one of the three modes to be
discussed in this and the next two sections: cipher feedback (CFB) mode, output
feedback (OFB) mode, and counter (CTR) mode. A stream cipher eliminates the
need to pad a message to be an integral number of blocks. It also can operate in
real time. Thus, if a character stream is being transmitted, each character can be
encrypted and transmitted immediately using a character-oriented stream cipher.
One desirable property of a stream cipher is that the ciphertext be of the same
length as the plaintext. Thus, if 8-bit characters are being transmitted, each character
should be encrypted to produce a ciphertext output of 8 bits. If more than 8 bits
are produced, transmission capacity is wasted.

Figure 7.5 s-bit Cipher Feedback (CFB) Mode

Figure 7.5 depicts the CFB scheme. In the figure, it is assumed that the unit of
transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext
are chained together, so that the ciphertext of any plaintext unit is a function of all
the preceding plaintext. In this case, rather than blocks of b bits, the plaintext is
divided into segments of s bits.
First, consider encryption. The input to the encryption function is a b -bit shift
register that is initially set to some initialization vector (IV). The leftmost (most
significant) s bits of the output of the encryption function are XORed with the
first segment of plaintext P1 to produce the first unit of ciphertext C1 , which is then
transmitted. In addition, the contents of the shift register are shifted left by s bits,
and C1 is placed in the rightmost (least significant) s bits of the shift register. This
process continues until all plaintext units have been encrypted.
For decryption, the same scheme is used, except that the received ciphertext
unit is XORed with the output of the encryption function to produce the plaintext
unit. Note that it is the encryption function that is used, not the decryption function.
Although CFB can be viewed as a stream cipher, it does not conform to the
typical construction of a stream cipher. In a typical stream cipher, the cipher takes
as input some initial value and a key and generates a stream of bits, which is then
XORed with the plaintext bits (see Figure 4.1). In the case of CFB, the stream of
bits that is XORed with the plaintext also depends on the plaintext.
In CFB encryption, like CBC encryption, the input block to each forward
Cipher function (except the first) depends on the result of the previous forward
Cipher function; therefore, multiple forward cipher operations cannot be performed
in parallel. In CFB decryption, the required forward cipher operations can be performed
in parallel if the input blocks are first constructed (in series) from the IV and
the ciphertext.

Figure 7.6 Output Feedback (OFB) Mode

The output feedback (OFB) mode is similar in structure to that of CFB. For OFB,
the output of the encryption function is fed back to become the input for encrypting
the next block of plaintext (Figure 7.6). In CFB, the output of the XOR unit is fed
back to become input for encrypting the next block. The other difference is that the
OFB mode operates on full blocks of plaintext and ciphertext, whereas CFB operates
on an s -bit subset.
As with CBC and CFB, the OFB mode requires an initialization vector. In
the case of OFB, the IV must be a nonce; that is, the IV must be unique to each
execution of the encryption operation. The reason for this is that the sequence of
encryption output blocks, Oi , depends only on the key and the IV and does not depend
on the plaintext. Therefore, for a given key and IV, the stream of output bits
used to XOR with the stream of plaintext bits is fixed. If two different messages had
an identical block of plaintext in the identical position, then an attacker would be
able to determine that portion of the Oi stream.
One advantage of the OFB method is that bit errors in transmission do not
propagate. For example, if a bit error occurs in C1 , only the recovered value of P1 is
affected; subsequent plaintext units are not corrupted. With CFB, C1 also serves as
input to the shift register and therefore causes additional corruption downstream.
The disadvantage of OFB is that it is more vulnerable to a message stream
modification attack than is CFB. Consider that complementing a bit in the ciphertext
complements the corresponding bit in the recovered plaintext. Thus, controlled
changes to the recovered plaintext can be made. This may make it possible for an
opponent, by making the necessary changes to the checksum portion of the message
as well as to the data portion, to alter the ciphertext in such a way that it is not detected
by an error-correcting code. For a further discussion, see [VOYD83].
OFB has the structure of a typical stream cipher, because the cipher generates
a stream of bits as a function of an initial value and a key, and that stream of
bits is XORed with the plaintext bits (see Figure 4.1). The generated stream that is
XORed with the plaintext is itself independent of the plaintext; this is highlighted
by dashed boxes in Figure 7.6. One distinction from the stream ciphers we discuss
in Chapter 8 is that OFB encrypts plaintext a full block at a time, where typically a
block is 64 or 128 bits. Many stream ciphers encrypt one byte at a time.
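An added example (not from the book) that measures the error-propagation difference just described, using the standard-library CFB and OFB streams in Go. Go implements the full-block variant of CFB (s = b = 128) rather than s = 8, so a damaged ciphertext block corrupts one full following block; with s = 8 the damaged 8-bit unit would instead stay in the shift register for the next 16 units, the same 128 bits of damage spread differently. Key, IV and the 48-byte frame are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and IV (assumptions for this example).
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// CFB: the previous ciphertext block is the next cipher input, so the
// keystream depends on the (possibly corrupted) ciphertext.
func cfbEncrypt(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCFBEncrypter(mustAES(key), iv).XORKeyStream(ct, pt)
	return ct
}

func cfbDecrypt(key, iv, ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(mustAES(key), iv).XORKeyStream(pt, ct)
	return pt
}

// OFB: the keystream depends only on key and IV, so one function serves
// both directions and the data never feeds back.
func ofbXOR(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewOFB(mustAES(key), iv).XORKeyStream(out, in)
	return out
}

// corruptedBytesPerBlock injects a single-bit transmission error into the
// ciphertext at byte errAt, decrypts, and reports per 16-byte block how many
// recovered plaintext bytes are wrong.
func corruptedBytesPerBlock(decrypt func([]byte) []byte, pt, ct []byte, errAt int) []int {
	damaged := append([]byte(nil), ct...)
	damaged[errAt] ^= 0x01
	got := decrypt(damaged)
	counts := make([]int, (len(pt)+15)/16)
	for i := range pt {
		if got[i] != pt[i] {
			counts[i/16]++
		}
	}
	return counts
}

func main() {
	// Constructed 48-byte frame = three AES blocks; the error lands in block 1.
	pt := []byte("BLOCK1 telemetryBLOCK2 telemetryBLOCK3 telemetry")
	cfb := corruptedBytesPerBlock(func(c []byte) []byte { return cfbDecrypt(demoKey, demoIV, c) },
		pt, cfbEncrypt(demoKey, demoIV, pt), 5)
	ofb := corruptedBytesPerBlock(func(c []byte) []byte { return ofbXOR(demoKey, demoIV, c) },
		pt, ofbXOR(demoKey, demoIV, pt), 5)
	fmt.Println("CFB corrupted bytes per block:", cfb) // 1 byte in block 1, all of block 2, block 3 clean
	fmt.Println("OFB corrupted bytes per block:", ofb) // 1 byte in block 1, nothing else
}
```

The flip side of OFB's clean error behaviour is the malleability the next paragraph describes: the same one-bit-in, one-bit-out property that keeps noise from spreading also lets an active attacker flip chosen plaintext bits.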

Figure 7.7 Counter (CTR) Mode

Although interest in the counter (CTR) mode has increased recently with applications
to ATM (asynchronous transfer mode) network security and IPsec (IP security),
this mode was proposed in 1979 (e.g., [DIFF79]).
Figure 7.7 depicts the CTR mode. A counter equal to the plaintext block
size is used. The only requirement stated in SP 800-38A is that the counter value
must be different for each plaintext block that is encrypted. Typically, the counter
is initialized to some value and then incremented by 1 for each subsequent block
(modulo 2^b, where b is the block size). For encryption, the counter is encrypted and
then XORed with the plaintext block to produce the ciphertext block; there is no
chaining. For decryption, the same sequence of counter values is used, with each encrypted
counter XORed with a ciphertext block to recover the corresponding plaintext
block. Thus, the initial counter value must be made available for decryption.
As with the OFB mode, the initial counter value must be a nonce; that is, T1
must be different for all of the messages encrypted using the same key. Further,
all Ti values across all messages must be unique. If, contrary to this requirement, a
counter value is used multiple times, then the confidentiality of all of the plaintext
blocks corresponding to that counter value may be compromised. In particular, if
any plaintext block that is encrypted using a given counter value is known, then
the output of the encryption function can be determined easily from the associated
ciphertext block. This output allows any other plaintext blocks that are encrypted
using the same counter value to be easily recovered from their associated ciphertext
blocks.
One way to ensure the uniqueness of counter values is to continue to increment
the counter value by 1 across messages. That is, the first counter value of
each message is one more than the last counter value of the preceding message.

Advantages of CTR
Hardware efficiency
Software efficiency
Preprocessing
Random access
Provable security
Simplicity

[LIPM00] lists the following advantages of CTR mode.
• Hardware efficiency: Unlike the three chaining modes, encryption (or decryption)
in CTR mode can be done in parallel on multiple blocks of plaintext or
ciphertext. For the chaining modes, the algorithm must complete the computation
on one block before beginning on the next block. This limits the maximum
throughput of the algorithm to the reciprocal of the time for one execution of
block encryption or decryption. In CTR mode, the throughput is only limited
by the amount of parallelism that is achieved.
• Software efficiency: Similarly, because of the opportunities for parallel execution
in CTR mode, processors that support parallel features, such as aggressive
pipelining, multiple instruction dispatch per clock cycle, a large number of
registers, and SIMD instructions, can be effectively utilized.
• Preprocessing: The execution of the underlying encryption algorithm does
not depend on input of the plaintext or ciphertext. Therefore, if sufficient
memory is available and security is maintained, preprocessing can be used to
prepare the output of the encryption boxes that feed into the XOR functions,
as in Figure 7.7. When the plaintext or ciphertext input is presented, then
the only computation is a series of XORs. Such a strategy greatly enhances
throughput.
• Random access: The ith block of plaintext or ciphertext can be processed in
random-access fashion. With the chaining modes, block Ci cannot be computed
until the i − 1 prior blocks are computed. There may be applications in
which a ciphertext is stored and it is desired to decrypt just one block; for such
applications, the random access feature is attractive.
• Provable security: It can be shown that CTR is at least as secure as the other
modes discussed in this chapter.
• Simplicity: Unlike ECB and CBC modes, CTR mode requires only the implementation
of the encryption algorithm and not the decryption algorithm.
This matters most when the decryption algorithm differs substantially from
the encryption algorithm, as it does for AES. In addition, the decryption key
scheduling need not be implemented.
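Two of the CTR properties discussed above, counter reuse (the warning at the end of the CTR description) and random access (the advantage listed here), in one added Go example that is not from the book. It uses the standard-library CTR stream, a constructed key, and a constructed initial counter block T1 chosen to end in 0xff bytes so that the carry in the increment is exercised. Go's CTR steps the full 16-byte counter as a big-endian integer; counterAt reproduces that so a single block can be decrypted without touching the rest of the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed values (assumptions for this example). T1 ends in 0xff bytes so
// that stepping it a few blocks forward carries into higher bytes.
var demoKey = []byte("0123456789abcdef")
var demoT1 = []byte{'n', 'o', 'n', 'c', 'e', 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xfe}

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// xorBytes XORs a and b over their common length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// ctrXOR encrypts or decrypts (the same operation) starting at counter t1.
func ctrXOR(key, t1, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(mustAES(key), t1).XORKeyStream(out, in)
	return out
}

// recoverWithReusedCounter: two messages encrypted under the same key and the
// same T1 share a keystream, so C1 XOR C2 = P1 XOR P2. Knowing P1 gives
// keystream = C1 XOR P1 and then P2 = C2 XOR keystream over the overlap.
func recoverWithReusedCounter(c1, knownP1, c2 []byte) []byte {
	return xorBytes(xorBytes(c1, knownP1), c2)
}

// counterAt returns T1 + i as a 128-bit big-endian integer (mod 2^128), which
// is how Go's CTR stream steps its counter.
func counterAt(t1 []byte, i uint64) []byte {
	ctr := append([]byte(nil), t1...)
	carry := i
	for k := len(ctr) - 1; k >= 0 && carry > 0; k-- {
		sum := uint64(ctr[k]) + (carry & 0xff)
		ctr[k] = byte(sum)
		carry = (carry >> 8) + (sum >> 8)
	}
	return ctr
}

// decryptBlockAt recovers only plaintext block i: one block encryption of the
// counter and one XOR, with no dependence on the preceding ciphertext.
func decryptBlockAt(key, t1, ct []byte, i uint64) []byte {
	ks := make([]byte, 16)
	mustAES(key).Encrypt(ks, counterAt(t1, i))
	return xorBytes(ks, ct[i*16:(i+1)*16])
}

func main() {
	pt := []byte("BLOCK0 telemetryBLOCK1 telemetryBLOCK2 telemetryBLOCK3 telemetry")
	ct := ctrXOR(demoKey, demoT1, pt)
	fmt.Printf("block 3 alone: %s\n", decryptBlockAt(demoKey, demoT1, ct, 3))

	// Counter reuse: a second message under the same key and T1.
	p1 := []byte("known plaintext: daily status report, nothing to see")
	p2 := []byte("secret plaintext: rotate the signing key on Monday")
	c1, c2 := ctrXOR(demoKey, demoT1, p1), ctrXOR(demoKey, demoT1, p2)
	fmt.Printf("recovered without the key: %s\n", recoverWithReusedCounter(c1, p1, c2))
}
```

The recovery needs no key at all, only the reuse; in a real system the counter is normally split into a per-message nonce (never repeated under a key) and a block counter, or kept persistent across messages as the text suggests.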

Figure 7.8 Feedback Characteristic of Modes of Operation

Note that, with the exception of ECB, all of the NIST-approved block
cipher modes of operation involve feedback. This is clearly seen in Figure 7.8. To
highlight the feedback mechanism, it is useful to think of the encryption function
as taking input from an input register whose length equals the encryption block
length and with output stored in an output register. The input register is updated
one block at a time by the feedback mechanism. After each update, the encryption
algorithm is executed, producing a result in the output register. Meanwhile,
a block of plaintext is accessed. Note that both OFB and CTR produce output
that is independent of both the plaintext and the ciphertext. Thus, they are natural
candidates for stream ciphers that encrypt plaintext by XOR one full block
at a time.

XTS-AES Mode for Block-Oriented Storage Devices
Approved as an additional block cipher mode of operation by NIST in 2010
Mode is also an IEEE Standard, IEEE Std 1619-2007
Standard describes a method of encryption for data stored in sector-based devices where the threat model includes possible access to stored data by the adversary
Has received widespread industry support

In 2010, NIST approved an additional block cipher mode of operation, XTS-AES.
This mode is also an IEEE standard, IEEE Std 1619-2007, which was developed
by the IEEE Security in Storage Working Group (P1619). The standard describes
a method of encryption for data stored in sector-based devices where the threat
model includes possible access to stored data by the adversary. The standard has
received widespread industry support.


Tweakable Block Ciphers
XTS-AES mode is based on the concept of a tweakable block cipher
General structure:
Has three inputs:
A plaintext P
A symmetric key K
A tweak T
Produces a ciphertext output C
Tweak need not be kept secret
Purpose is to provide variability

The XTS-AES mode is based on the concept of a tweakable block cipher, introduced
in [LISK02]. The form of this concept used in XTS-AES was first described in [ROGA04].
Before examining XTS-AES, let us consider the general structure of a tweakable
block cipher. A tweakable block cipher is one that has three inputs: a plaintext P ,
a symmetric key K , and a tweak T ; and produces a ciphertext output C . We can
write this as C = E(K , T , P ). The tweak need not be kept secret. Whereas the purpose
of the key is to provide security, the purpose of the tweak is to provide variability.
That is, the use of different tweaks with the same plaintext and same key
produces different outputs.

Figure 7.9 Tweakable Block Cipher

The basic structure of several tweakable block ciphers
that have been implemented is shown in Figure 7.9.

Storage Encryption Requirements
The requirements for encrypting stored data, also referred to as “data at rest”, differ somewhat from those for transmitted data
The P1619 standard was designed to have the following characteristics:
The ciphertext is freely available for an attacker
The data layout is not changed on the storage medium and in transit
Data are accessed in fixed sized blocks, independently from each other
Encryption is performed in 16-byte blocks, independently from each other
There are no other metadata used, except the location of the data blocks within the whole data set
The same plaintext is encrypted to different ciphertexts at different locations, but always to the same ciphertext when written to the same location again
A standard conformant device can be constructed for decryption of data encrypted by another standard conformant device

The requirements for encrypting stored data, also referred to as “data at rest” differ
somewhat from those for transmitted data. The P1619 standard was designed to
have the following characteristics:
1. The ciphertext is freely available for an attacker. Among the circumstances
that lead to this situation:
a. A group of users has authorized access to a database. Some of the records in
the database are encrypted so that only specific users can successfully read/
write them. Other users can retrieve an encrypted record but are unable to
read it without the key.
b. An unauthorized user manages to gain access to encrypted records.
c. A data disk or laptop is stolen, giving the adversary access to the encrypted
data.
2. The data layout is not changed on the storage medium and in transit. The encrypted
data must be the same size as the plaintext data.
3. Data are accessed in fixed sized blocks, independently from each other. That is,
an authorized user may access one or more blocks in any order.
4. Encryption is performed in 16-byte blocks, independently from other blocks
(except the last two plaintext blocks of a sector, if its size is not a multiple of
16 bytes).
5. There are no other metadata used, except the location of the data blocks
within the whole data set.
6. The same plaintext is encrypted to different ciphertexts at different locations,
but always to the same ciphertext when written to the same location again.
7. A standard conformant device can be constructed for decryption of data encrypted
by another standard conformant device.
The P1619 group considered some of the existing modes of operation for use with
stored data. For CTR mode, an adversary with write access to the encrypted media can
flip any bit of the plaintext simply by flipping the corresponding ciphertext bit.
Next, consider requirement 6 and the use of CBC. To enforce the requirement
that the same plaintext encrypts to different ciphertext in different locations, the IV
could be derived from the sector number. Each sector contains multiple blocks. An
adversary with read/write access to the encrypted disk can copy a ciphertext sector
from one position to another, and an application reading the sector off the new
location will still get the same plaintext sector (except perhaps the first 128 bits).
For example, this means that an adversary that is allowed to read a sector from the
second position but not the first can find the content of the sector in the first position
by manipulating the ciphertext. Another weakness is that an adversary can flip
any bit of the plaintext by flipping the corresponding ciphertext bit of the previous
block, with the side-effect of “randomizing” the previous block.

XTS-AES Operation on Single Block
Figure 7.10 XTS-AES Operation on Single Block

Figure 7.10 shows the encryption and decryption of a single block. The operation involves
two instances of the AES algorithm with two keys.

Figure 7.11 XTS-AES Mode

The plaintext of a sector or data unit is organized into blocks of 128 bits. Blocks are
labeled P_0, P_1, ..., P_m. The last block may be null or may contain from 1 to 127 bits.
In other words, the input to the XTS-AES algorithm consists of m 128-bit blocks
and possibly a final partial block.
As can be seen, XTS-AES mode, like CTR mode, is suitable for parallel operation. Because there is no chaining, multiple blocks can be encrypted or decrypted simultaneously. Unlike CTR mode, XTS-AES mode includes a nonce (the parameter i) as well as a counter (parameter j).
For encryption and decryption, each block is treated independently and
encrypted/decrypted as shown in Figure 7.10. The only exception occurs when
the last block has less than 128 bits. In that case, the last two blocks are encrypted/
decrypted using a ciphertext-stealing technique instead of padding.
Figure 7.11 shows the scheme.
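The single-block operation of Figure 7.10 and the data-unit processing of Figure 7.11, including ciphertext stealing for a final partial block, as an added Go example; this is not code from the book or its slides. It uses the standard library's AES and assumes the data-unit number is a 64-bit sector index, written little-endian and zero-padded to 128 bits before encryption under Key_2; the keys are supplied by the caller. Block j gets the tweak T_j = E_K2(i) multiplied by alpha^j in GF(2^128), which is what makes the blocks independent (requirement 3) and makes the same plaintext encrypt differently at different locations but identically when rewritten to the same location (requirement 6).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// XTS bundles the two AES instances of XTS-AES: Key_1 encrypts the data
// blocks and Key_2 encrypts the data-unit (sector) number to form the tweak.
type XTS struct {
	k1, k2 cipher.Block
}

// NewXTS builds an XTS-AES instance from two independent AES keys.
func NewXTS(key1, key2 []byte) (*XTS, error) {
	k1, err1 := aes.NewCipher(key1)
	k2, err2 := aes.NewCipher(key2)
	if err1 != nil || err2 != nil {
		return nil, errors.New("xts: both keys must be valid AES keys")
	}
	return &XTS{k1: k1, k2: k2}, nil
}

// mulAlpha multiplies a 128-bit tweak in place by the primitive element
// alpha of GF(2^128), using the little-endian bit ordering and the
// reduction polynomial x^128 + x^7 + x^2 + x + 1 that XTS specifies.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		t[i], carry = t[i]<<1|carry, t[i]>>7
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// oneBlock is the single-block operation of Figure 7.10: XOR with the tweak,
// AES under Key_1 (encrypt or decrypt), then XOR with the tweak again.
func (x *XTS) oneBlock(dst, src []byte, t *[16]byte, encrypt bool) {
	var tmp [16]byte
	for i := range tmp {
		tmp[i] = src[i] ^ t[i]
	}
	if encrypt {
		x.k1.Encrypt(tmp[:], tmp[:])
	} else {
		x.k1.Decrypt(tmp[:], tmp[:])
	}
	for i := range tmp {
		dst[i] = tmp[i] ^ t[i]
	}
}

// process encrypts or decrypts one data unit. Block j gets the tweak
// T_j = E_K2(sector) * alpha^j, so blocks are independent and the same
// plaintext encrypts differently at different sectors; a trailing partial
// block is handled with ciphertext stealing instead of padding.
func (x *XTS) process(src []byte, sector uint64, encrypt bool) ([]byte, error) {
	if len(src) < aes.BlockSize {
		return nil, errors.New("xts: a data unit must be at least one block")
	}
	dst := make([]byte, len(src))
	var t [16]byte // T_0: sector number, little-endian, zero-padded, encrypted under Key_2
	binary.LittleEndian.PutUint64(t[:8], sector)
	x.k2.Encrypt(t[:], t[:])
	whole, rem := len(src)/16, len(src)%16
	if rem != 0 {
		whole-- // the last whole block is paired with the partial block below
	}
	for j := 0; j < whole; j++ {
		x.oneBlock(dst[j*16:], src[j*16:], &t, encrypt)
		mulAlpha(&t)
	}
	if rem == 0 {
		return dst, nil
	}
	// Ciphertext stealing: t is now T_{m-1} (last whole block), tLast is T_m.
	tLast := t
	mulAlpha(&tLast)
	lastWhole, partial := src[whole*16:whole*16+16], src[whole*16+16:]
	var cc, pp [16]byte
	if encrypt {
		x.oneBlock(cc[:], lastWhole, &t, true)          // CC = E(P_{m-1}, T_{m-1})
		copy(pp[:], partial)                            // PP = P_m || tail of CC
		copy(pp[rem:], cc[rem:])
		x.oneBlock(dst[whole*16:], pp[:], &tLast, true) // C_{m-1} = E(PP, T_m)
		copy(dst[whole*16+16:], cc[:rem])               // C_m = head of CC
	} else {
		x.oneBlock(pp[:], lastWhole, &tLast, false)     // PP = D(C_{m-1}, T_m)
		copy(cc[:], partial)                            // CC = C_m || tail of PP
		copy(cc[rem:], pp[rem:])
		x.oneBlock(dst[whole*16:], cc[:], &t, false)    // P_{m-1} = D(CC, T_{m-1})
		copy(dst[whole*16+16:], pp[:rem])               // P_m = head of PP
	}
	return dst, nil
}

// EncryptUnit encrypts one data unit; DecryptUnit inverts it for the same sector number.
func (x *XTS) EncryptUnit(pt []byte, sector uint64) ([]byte, error) { return x.process(pt, sector, true) }
func (x *XTS) DecryptUnit(ct []byte, sector uint64) ([]byte, error) { return x.process(ct, sector, false) }
```

EncryptUnit(pt, sector) returns a ciphertext of exactly the plaintext's length (requirement 2): for a unit whose size is not a multiple of 16 bytes the last two blocks go through the ciphertext-stealing branch, so nothing is padded and the layout on the medium is unchanged. Encrypting the same unit at two sector numbers gives two different ciphertexts; encrypting it again at the same sector number gives the same one.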

Format-Preserving Encryption (FPE)
Refers to any encryption technique that takes a plaintext in a given format and produces a ciphertext in the same format
For example: credit cards consist of 16 decimal digits. An FPE that can accept this type of input would produce a ciphertext output of 16 decimal digits. (Note that the ciphertext need not be, and in fact is unlikely to be, a valid credit card number.) But it will have the same format and can be stored in the same way as credit card number plaintext.

Format-preserving encryption (FPE) refers to any encryption technique that takes
a plaintext in a given format and produces a ciphertext in the same format. For
example, credit cards consist of 16 decimal digits. An FPE that can accept this type of
input would produce a ciphertext output of 16 decimal digits. Note that the ciphertext
need not be, and in fact is unlikely to be, a valid credit card number. But it will have
the same format and can be stored in the same way as credit card number plaintext.


Table 7.2 Comparison of Format-Preserving Encryption and AES

            Credit Card            Tax ID         Bank Account Number
Plaintext   8123 4512 3456 6780    219-09-9999    800N2982K-22
FPE         8123 4521 7292 6780    078-05-1120    709G9242H-35
AES (hex)   Credit Card:           af411326466add24c86abd8aa525db7a
            Tax ID:                7b9af4f3f218ab2507c7376869313afa
            Bank Account Number:   9720ec7f793096ffd37141242e1c51bd

A simple encryption algorithm is not format preserving, with the exception
that it preserves the format of binary strings. For example, Table 7.2 shows three
types of plaintext for which it might be desired to perform FPE. The third row
shows examples of what might be generated by an FPE algorithm. The fourth row
shows (in hexadecimal) what is produced by AES with a given key.

Motivation (1 of 2)
FPE facilitates the retrofitting of encryption technology to legacy applications, where a conventional encryption mode might not be feasible because it would disrupt data fields/pathways
FPE has emerged as a useful cryptographic tool, whose applications include financial-information security, data sanitization, and transparent encryption of fields in legacy databases

FPE facilitates the retrofitting of encryption technology to legacy applications,
where a conventional encryption mode might not be feasible because it would disrupt
data fields/pathways. FPE has emerged as a useful cryptographic tool, whose
applications include financial-information security, data sanitization, and transparent
encryption of fields in legacy databases.
The principal benefit of FPE is that it enables protection of particular data
elements in a legacy database that did not provide encryption of those data elements,
while still enabling workflows that were in place before FPE was in use. With
FPE, as opposed to ordinary AES encryption or TDEA encryption, no database
schema changes and minimal application changes are required. Only applications
that need to see the plaintext of a data element need to be modified and generally
these modifications will be minimal.
Some examples of legacy applications where FPE is desirable:
■ COBOL data-processing applications: Any changes in the structure of a record
Typical code sizes involve hundreds of modules, each containing around 5,000–10,000
lines on average.
■ Database applications: Fields that are specified to take only character strings cannot be used to store conventionally encrypted binary ciphertext. Base64 encoding of such binary ciphertext is not always feasible without an increase in data lengths, requiring augmentation of the corresponding field lengths.
■ FPE-encrypted characters can be significantly compressed for efficient transmission. This cannot be said about AES-encrypted binary ciphertext.


Motivation (2 of 2)
The principal benefit of FPE is that it enables protection of particular data elements, while still enabling workflows that were in place before FPE was in use
No database schema changes and minimal application changes are required
Only applications that need to see the plaintext of a data element need to be modified and generally these modifications will be minimal
Some examples of legacy applications where FPE is desirable are:
COBOL data-processing applications
Database applications
FPE-encrypted characters can be significantly compressed for efficient transmission



Difficulties in Designing an FPE
A general-purpose standardized FPE should meet a number of requirements:
The ciphertext is of the same length and format as the plaintext
It should be adaptable to work with a variety of character and number types
It should work with variable plaintext length
Security strength should be comparable to that achieved with AES
Security should be strong even for very small plaintext lengths

A general-purpose standardized FPE should meet a number of requirements:
1. The ciphertext is of the same length and format as the plaintext.
2. It should be adaptable to work with a variety of character and number types.
Examples include decimal digits, lowercase alphabetic characters, and the full
character set of a standard keyboard or international keyboard.
3. It should work with variable plaintext lengths.
4. Security strength should be comparable to that achieved with AES.
5. Security should be strong even for very small plaintext lengths.
Meeting the first requirement is not at all straightforward. As illustrated in
Table 7.2, a straightforward encryption with AES yields a 128-bit binary block that
does not resemble the required format. Also, a standard symmetric block cipher is
not easily adaptable to produce an FPE.

Figure 7.12 Feistel Structure for Format-Preserving Encryption

Figure 7.12 shows the Feistel structure used in all of
the NIST algorithms, with encryption shown on the left-hand side and decryption
on the right-hand side. The structure in Figure 7.12 is the same as that shown in
Figure 4.3 but, to simplify the presentation, it is untwisted, not illustrating the swap
that occurs at the end of each round.

The process of decryption is essentially the same as the encryption process.
The differences are: (1) the addition function is replaced by a subtraction function
that is its inverse; and (2) the order of the round indices is reversed.
To demonstrate that the decryption produces the correct result, Figure 7.12b
shows the encryption process going down the left-hand side and the decryption process
going up the right-hand side. The diagram indicates that, at every round, the
intermediate value of the decryption process is equal to the corresponding value of
the encryption process.
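The Feistel structure of Figure 7.12 carried into working Go, as an added example; it is neither the book's code nor one of the NIST algorithms. The string is split into halves A and B, each round adds a round-function value to NUM(A) modulo radix^len(A) and swaps the halves, and decryption runs the same rounds with the indices reversed and the addition replaced by subtraction, which is exactly the difference the text describes. The NUM and STR conversions follow the NIST notation. Assumptions made here: the round function is HMAC-SHA256 over (round index, tweak, B) standing in for the AES-based PRF of FF1/FF2/FF3; the alphabet is any string of distinct characters; key, round count and tweak are supplied by the caller.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// FPE is a format-preserving cipher with the untwisted Feistel structure of
// Figure 7.12: each round maps (A, B) to (B, STR(NUM(A) + F_K(i, tweak, B) mod radix^len(A))).
type FPE struct {
	key      []byte
	alphabet []rune       // its length is the radix
	radix    *big.Int     // len(alphabet) as a big integer
	index    map[rune]int // character -> digit value
	rounds   int
}

// NewFPE builds a cipher over an alphabet of distinct characters (an assumption of this example).
func NewFPE(key []byte, alphabet string, rounds int) (*FPE, error) {
	if len([]rune(alphabet)) < 2 || rounds < 1 {
		return nil, errors.New("fpe: need an alphabet of 2+ characters and 1+ rounds")
	}
	f := &FPE{key: key, alphabet: []rune(alphabet), index: map[rune]int{}, rounds: rounds}
	f.radix = big.NewInt(int64(len(f.alphabet)))
	for i, ch := range f.alphabet {
		f.index[ch] = i
	}
	return f, nil
}

// modulus returns radix^m, the number of distinct m-character strings.
func (f *FPE) modulus(m int) *big.Int { return new(big.Int).Exp(f.radix, big.NewInt(int64(m)), nil) }

// num implements NUM_radix(X): the integer whose base-radix representation,
// most significant character first, is X (X is checked against the alphabet by feistel).
func (f *FPE) num(x []rune) *big.Int {
	n := new(big.Int)
	for _, ch := range x {
		n.Mul(n, f.radix).Add(n, big.NewInt(int64(f.index[ch])))
	}
	return n
}

// str implements STR^m_radix(x): x written as exactly m base-radix characters.
func (f *FPE) str(x *big.Int, m int) []rune {
	out := make([]rune, m)
	v, d := new(big.Int).Set(x), new(big.Int)
	for i := m - 1; i >= 0; i-- {
		v.DivMod(v, f.radix, d)
		out[i] = f.alphabet[d.Int64()]
	}
	return out
}

// roundF is the round function reduced modulo radix^m. Assumption for this
// example: HMAC-SHA256 over (round index, tweak, B) stands in for the AES-based PRF of the NIST algorithms.
func (f *FPE) roundF(round int, tweak []byte, b []rune, m int) *big.Int {
	mac := hmac.New(sha256.New, f.key)
	_ = binary.Write(mac, binary.BigEndian, uint32(round)) // separates the rounds from each other
	mac.Write(tweak)
	mac.Write([]byte(string(b)))
	y := new(big.Int).SetBytes(mac.Sum(nil))
	return y.Mod(y, f.modulus(m))
}

// feistel runs the rounds forward (encrypt) or backward (decrypt): decryption
// replaces the addition by a subtraction and reverses the order of the round indices.
func (f *FPE) feistel(in string, tweak []byte, encrypt bool) (string, error) {
	r := []rune(in)
	if len(r) < 2 {
		return "", errors.New("fpe: need at least two characters")
	}
	for _, ch := range r {
		if _, ok := f.index[ch]; !ok {
			return "", fmt.Errorf("fpe: %q is not in the alphabet", ch)
		}
	}
	u := len(r) / 2
	if !encrypt && f.rounds%2 == 1 {
		u = len(r) - u // an odd round count leaves the halves swapped in the ciphertext
	}
	a, b := r[:u], r[u:]
	for k := 0; k < f.rounds; k++ {
		if encrypt { // (A, B) -> (B, STR(NUM(A) + F_k(B)))
			c := f.num(a)
			c.Add(c, f.roundF(k, tweak, b, len(a))).Mod(c, f.modulus(len(a)))
			a, b = b, f.str(c, len(a))
		} else { // undo round i = rounds-1-k: (A, B) -> (STR(NUM(B) - F_i(A)), A)
			c := f.num(b)
			c.Sub(c, f.roundF(f.rounds-1-k, tweak, a, len(b))).Mod(c, f.modulus(len(b)))
			a, b = f.str(c, len(b)), a
		}
	}
	return string(a) + string(b), nil
}

// Encrypt and Decrypt keep the input's length and alphabet; Decrypt inverts Encrypt for the same key and tweak.
func (f *FPE) Encrypt(pt string, tweak []byte) (string, error) { return f.feistel(pt, tweak, true) }
func (f *FPE) Decrypt(ct string, tweak []byte) (string, error) { return f.feistel(ct, tweak, false) }
```

With the decimal alphabet "0123456789" and the Table 7.2 credit-card plaintext 8123451234566780, Encrypt returns 16 decimal digits and Decrypt returns the plaintext again; the same construction works unchanged for a lowercase alphabet of radix 26 or for an odd string length, where the halves are of unequal size and the round alternates which length it works on.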

Character Strings
The NIST algorithms, and the other FPE algorithms that have been proposed, are used with plaintext consisting of a string of elements, called characters
A finite set of two or more symbols is called an alphabet
The elements of an alphabet are called characters
A character string is a finite sequence of characters from an alphabet
Individual characters may repeat in the string
The number of different characters in an alphabet is called the base (also referred to as the radix) of the alphabet

The NIST algorithms, and the other FPE algorithms that have
been proposed, are used with plaintext consisting of a string of elements, called
characters. Specifically, a finite set of two or more symbols is called an alphabet,
and the elements of an alphabet are called characters. A character string is a finite
sequence of characters from an alphabet. Individual characters may repeat in the
string. The number of different characters in an alphabet is called the base, also
referred to as the radix of the alphabet.

Table 7.3 Notation and Parameters Used in FPE Algorithms. (a) Notation

[x]^s            Converts an integer into a byte string; it is the string of s bytes
                 that encodes the number x, with 0 ≤ x < 2^(8s). The equivalent
                 notation is STR^s_{2^8}(x).
LEN(X)           Length of the character string X.
NUM_radix(X)     Converts strings to numbers. The number that the numeral string X
                 represents in base radix, with the most significant character
                 first. In other words, it is the nonnegative integer less than
                 radix^LEN(X) whose most-significant-character-first representation
                 in base radix is X.
PRF_K(X)         A pseudorandom function that produces a 128-bit output with X as
                 the input, using encryption key K.
STR^m_radix(x)   Given a nonnegative integer x less than radix^m, this function
                 produces a representation of x as a string of m characters in
                 base radix, with the most significant character first.
[i .. j]         The set of integers between two integers i and j, including i and j.
X[i .. j]        The substring of characters of a string X from X[i] to X[j],
                 including X[i] and X[j].
REV(X)           Given a bit string X, the string that consists of the bits of X in
                 reverse order.

The NIST document defines notation for specifying these conversions (Table 7.3a).

Table 7.3 Notation and Parameters Used in FPE Algorithms. (b) Parameters

radix        The base, or number of characters, in a given plaintext alphabet.
tweak        Input parameter to the encryption and decryption functions whose
             confidentiality is not protected by the mode.
tweakradix   The base for tweak strings.
minlen       Minimum message length, in characters.
maxlen       Maximum message length, in characters.
maxTlen      Maximum tweak length.

Figure 7.13 Algorithm PRF(X)

Algorithm FF1 was submitted to NIST as a proposed FPE mode [BELL10a, BELL10b] with
the name FFX[Radix]. FF1 uses a pseudorandom function PRF_K(X) that produces a
128-bit output from an input X whose length is a multiple of 128 bits and an
encryption key K (Figure 7.13).

Figure 7.14 Algorithm FF1 (FFX[Radix])

The FF1 encryption algorithm is illustrated in Figure 7.14. The shaded lines
correspond to the function F_K.

Figure 7.15 Algorithm FF2 (VAES3)

Algorithm FF2 was submitted to NIST as a proposed FPE mode with the name VAES3
[VANC11]. The encryption algorithm is defined in Figure 7.15. The shaded lines
correspond to the function F_K.

Figure 7.16 Algorithm FF3 (BPS-BC)

Algorithm FF3 was submitted to NIST as a proposed FPE mode with the name BPS-BC
[BRIE10]. The encryption algorithm is illustrated in Figure 7.16. The shaded lines
correspond to the function F_K.

Summary
Analyze the security of multiple encryption schemes
Explain the meet-in-the-middle attack
Compare and contrast ECB, CBC, CFB, OFB, and counter modes of operation
Present an overview of the XTS-AES mode of operation

Chapter 7 summary.

Copyright
This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.
