Computer and Network Security Group Assignment

The document provides an overview of computer network security, focusing on the Data Encryption Standard (DES) and its structure, including key generation, encryption, and decryption processes. It also discusses Double and Triple DES, highlighting their enhancements over the original DES, and introduces the Advanced Encryption Standard (AES) as a more secure alternative. Additionally, the document covers block cipher modes of operation, detailing their functionalities and security implications.

Uploaded by

Amir tofik

Computer network security

Group assignment

Group member:
ID Full Name
1. RMKD/2029/2013 L …………… ERMIYAS ALENE
2. RCD/4054/2013 L ………………. ABDURAHMAN ABDU
3. RCD/0245/2014 L ………………. AMIR TOFIK
4. RCD/4084/2013 L ………………. SAMUEL WABI
1. Data Encryption Standard (DES)

* Data Encryption Standard (DES) is a symmetric-key algorithm for the
  encryption of electronic data.
* The Data Encryption Standard (DES) was developed in the 1970s by
  the National Bureau of Standards with the help of the National Security
  Agency.
* Its purpose is to provide a standard method for protecting sensitive
  commercial and unclassified data.
* IBM created the first draft of the algorithm, calling it LUCIFER.
* DES officially became a federal standard in November of 1976.
* In May 1973, and again in August 1974, the NBS (now NIST) called for
  possible encryption algorithms for use in unclassified government
  applications.
* The response was mostly disappointing; however, IBM submitted their
  Lucifer design.
* Following a period of redesign and comment, it became the Data
  Encryption Standard.
* The DES algorithm is a careful and complex combination of two
  fundamental building blocks of encryption: substitution and
  transposition.
* DES begins by encrypting the plaintext as blocks of 64 bits.

DES Structure
The structure of the Data Encryption Standard (DES) involves several key
components:
1. Initial Permutation (IP): The plaintext is initially permuted according
to a fixed table of permutations.
2. Key Schedule: The 56-bit encryption key is expanded and
transformed into 16 subkeys, each 48 bits long, one for each round of
encryption. This process involves a combination of permutation and
shifting operations.
3. Rounds of Transformation: DES operates through 16 rounds of
transformation. Each round consists of the following steps:
   * Expansion: The 32-bit half-block from the previous round
     is expanded to 48 bits.
   * Key Mixing: The expanded 48-bit block is combined with
     the round subkey using bitwise XOR.
   * Substitution (S-boxes): The result is divided into eight 6-bit
     blocks, each of which is substituted using a specific S-box.
     Each S-box replaces its 6 input bits with 4 output bits
     according to a predefined substitution table.
   * Permutation (P-box): The output of the S-boxes is
     permuted according to a fixed permutation table.
   * Round Key: The result is combined with the other half-block
     from the previous round using bitwise XOR.
4. Final Permutation (FP): After the 16 rounds of transformation, the
resulting data is permuted one last time to generate the ciphertext.
5. Decryption: Decryption in DES is essentially the same as encryption,
except that the subkeys are used in reverse order.
Overall, the structure of DES is designed to provide confusion and diffusion,
making it resistant to various cryptanalytic attacks. However, due to its small
key size, DES has become vulnerable to brute force attacks, which is why it's
no longer recommended for secure communication and has been replaced
by more robust encryption algorithms like AES.
Overview of DES Algorithm
* DES uses a 56-bit key. In fact, the 56-bit key is divided into eight 7-bit
  blocks and an 8th odd parity bit is added to each block (i.e., a "0" or
  "1" is added to the block so that there are an odd number of 1 bits in
  each 8-bit block).
* By using the 8 parity bits for rudimentary error detection, a DES key is
  actually 64 bits in length for computational purposes (although it only
  has 56 bits worth of randomness, or entropy).
* DES is a symmetric-key block cipher published by the National
  Institute of Standards and Technology (NIST).

DES Desired Effects

Avalanche effect
* A characteristic of an encryption algorithm in which a small change in
  the plaintext gives rise to a large change in the ciphertext.
* Best: changing one input bit results in changes of approx. half the
  output bits.
Completeness effect
* Each output bit is a complex function of all the input bits.
DES Basic
DES relies on two fundamental principles of cryptography: confusion and
diffusion.
1. Confusion: Confusion aims to make the relationship between the
plaintext, the ciphertext, and the encryption key as complex as
possible. In DES, confusion is achieved through the use of S-boxes
(Substitution-boxes) during the rounds of encryption. These S-boxes
substitute input bits with different output bits based on a predefined
table, introducing non-linearity into the encryption process and making
it more difficult for an attacker to discern patterns.
2. Diffusion: Diffusion seeks to spread the influence of individual
plaintext bits over many ciphertext bits, making the statistical
properties of the encrypted data as different as possible from those of
the plaintext. In DES, diffusion is achieved through permutation (P-box)
operations and the Feistel network structure. Permutations ensure that
each output bit is influenced by many input bits, and the Feistel
structure iterates over multiple rounds, spreading the influence of each
plaintext bit throughout the ciphertext.
By combining confusion and diffusion, DES aims to provide robust encryption
that resists cryptanalysis while remaining computationally efficient.
However, the small key size of DES (56 bits) has rendered it vulnerable to
brute force attacks with modern computing power, leading to its deprecation
in favor of more secure encryption algorithms like AES.
DES - The 16 Rounds
The 16 rounds of the Data Encryption Standard (DES) proceed as follows:
1. Initial Permutation (IP): The 64-bit plaintext block undergoes an
initial permutation, rearranging the bits according to a fixed
permutation table.
2. Key Schedule: The 64-bit encryption key is transformed into 16
subkeys, one for each round, through a process of permutation and
shifting.
3. Rounds 1-16:
o Each round operates on two 32-bit halves, often referred to as
the left half (L) and the right half (R).
o The right half of the data from the previous round becomes the
left half of the current round.
o The round function is applied to the right half from the previous
round and the round key, and its output is XORed with the left half
from the previous round to produce the right half of the current
round.
o This process repeats for 16 rounds, with each round using a
different round key derived from the main encryption key.
Each round consists of the following steps:
1. Expansion: The 32-bit right half of the data from the previous round is
expanded to 48 bits using a fixed permutation table.
2. Key Mixing: The expanded half-block is combined with the round
subkey using bitwise XOR.
3. Substitution (S-boxes): The 48-bit result is divided into eight 6-bit
blocks, each of which is substituted using a specific S-box, a predefined
substitution table.
4. Permutation (P-box): The output of the S-boxes is permuted
according to a fixed permutation table.
After 16 rounds, the output of the final round undergoes a final permutation
(FP) to generate the ciphertext.
Decryption in DES is essentially the same as encryption, except that the
subkeys are used in reverse order.
This iterative process of 16 rounds, involving a combination of substitution,
permutation, and XOR operations, provides both confusion and diffusion,
making DES resistant to various cryptanalytic attacks. However, due to its
small key size, DES has become vulnerable to brute force attacks and is no
longer recommended for secure communication.
DES Encryption
1. The 64-bit plaintext passes through an initial permutation (IP) that
rearranges the bits to produce the permuted input.
2. This is followed by a phase consisting of 16 rounds of the same function (f),
which involves both permutation and substitution functions.
   * Function f can be described as
       L(i) = R(i-1)
       R(i) = L(i-1) ⊕ P(S(E(R(i-1)) ⊕ K(i)))
   * The output of the last (sixteenth) round consists of 64 bits that
     are a function of the input plaintext and the key.
3. Finally, the output is passed through an inverse permutation (IP^-1) to
produce the 64-bit ciphertext.
DES - Swapping of Left and Right Halves
* The 64-bit block being enciphered is broken into two halves.
* The right half goes through one DES round, and the result becomes
  the new left half.
* The old left half becomes the new right half, and will go through a
  round in the next iteration.
* This goes on for 16 rounds, but after the last round the left and right
  halves are not swapped, so that the result of the 16th round becomes
  the final right half, and the result of the 15th round (which became
  the left half of the 16th round) is the final left half.

DES Key Generation


* The key is first subjected to a permutation governed by a table labeled
  Permuted Choice One.
* The resulting 56-bit key is then treated as two 28-bit quantities labeled
  C(0) and D(0).
* At each round, C(i-1) and D(i-1) are separately subjected to a circular left
  shift, or rotation, of 1 or 2 bits as governed by the left shift table.
* The shifted values serve as input to the next round. They also serve as
  input to Permuted Choice Two, which produces a 48-bit output that serves as
  input to the function F(R(i-1), K(i)).
2. Double and Triple DES

* The simplest form of double DES encryption has two encryption
  stages and two keys.
* Given a plaintext P and two encryption keys K1 and K2, ciphertext C
  is generated as: C = E_K2(E_K1(P))
* Decryption requires that the keys be applied in reverse order:
  P = D_K1(D_K2(C))
* For Double DES, this scheme apparently involves a key length of
  56 × 2 bits, resulting in a dramatic increase in cryptographic strength.
* The double DES encryption only doubles the work for the attacker.

Triple DES

Triple DES (3DES) is a symmetric-key block cipher encryption
algorithm that is an enhancement of the original Data Encryption
Standard (DES). It provides increased security by applying the DES
encryption algorithm multiple times in a specific configuration.

* Also referred to as EDE (Encryption Decryption Encryption).
* Using two keys and applying them in three operations adds
  apparent strength.
* Triple DES procedure is C = E_K1(D_K2(E_K1(P))), that is, you
  encrypt with one key, decrypt with the second key and encrypt
  with the first key again.
* Although this process is called Triple DES, because of the three
  applications of the DES algorithm, it only doubles the effective
  key length.
* But a 112-bit effective key length is quite strong and it is
  effective against all feasible known attacks.
* A straightforward implementation of Triple DES would be:
  C = E_K1(E_K2(E_K1(P))), but in practice: C = E_K1(D_K2(E_K1(P)))
* If K1 = K2, then 3DES = 1DES. Thus, 3DES software can be
  used as single DES.
* No current known practical attacks.

Meet-in-the-Middle Attack on Triple DES


1. For each possible key for K1, encrypt P to produce a possible value for A
2. Using this A, and C, attack the 2DES to obtain a pair of keys (K2,K1’).
3. If K1’ = K1, try the key pair (K1, K2) on another (C’,P’).
4. If it works, (K1, K2) is the key pair with high probability.
5. It takes O(2^55 × 2^56) = O(2^111) steps on average.
Triple DES with Three Keys
* Encryption: C = E_K3(D_K2(E_K1(P)))
* If K1 = K3, we have 3DES with 2 keys.
* If K1 = K2 = K3, we have the regular DES.
* So, 3DES with 3 keys is backward compatible with 3DES with 2 keys
  and with the regular DES.
* Some internet applications have adopted 3DES with three keys.
* E.g. PGP and MIME.
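
The following added example (not part of the original document) uses a toy 64-bit Feistel cipher to show the round equations L(i) = R(i-1), R(i) = L(i-1) ⊕ f(R(i-1), K(i)) from the DES Encryption section, decryption with reversed subkeys, the avalanche effect, and the EDE compatibility cases listed above. The SHA-256-based round function and key schedule, the function names and the sample values are assumptions made for illustration; this is not DES.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def subkeys(key):
    # Toy key schedule (assumption): one hash-derived subkey per round,
    # standing in for DES's permuted-choice and rotation schedule.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def f(right, subkey):
    # Toy round function (assumption) in place of P(S(E(R) xor K)).
    # A Feistel network inverts correctly even though f is not invertible.
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, round_keys):
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        # L(i) = R(i-1);  R(i) = L(i-1) xor f(R(i-1), K(i))
        left, right = right, left ^ f(right, k)
    # Emit R16 || L16: with this ordering the same routine decrypts.
    return (right << 32) | left

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    # Identical structure; only the subkey order is reversed.
    return feistel(block, subkeys(key)[::-1])

def ede_encrypt(block, k1, k2, k3):
    # C = E_K3(D_K2(E_K1(P)))
    return encrypt(decrypt(encrypt(block, k1), k2), k3)

def ede_decrypt(block, k1, k2, k3):
    # P = D_K1(E_K2(D_K3(C)))
    return decrypt(encrypt(decrypt(block, k3), k2), k1)

def bits_changed(a, b):
    return bin(a ^ b).count("1")

# Constructed sample values, not test vectors from any standard.
P = 0x0123456789ABCDEF
KA, KB, KC = b"key-A", b"key-B", b"key-C"

if __name__ == "__main__":
    c = ede_encrypt(P, KA, KB, KC)
    print("three-key EDE round trip:", ede_decrypt(c, KA, KB, KC) == P)
    print("K1=K2=K3 equals single encryption:",
          ede_encrypt(P, KA, KA, KA) == encrypt(P, KA))
    print("bits changed by a 1-bit plaintext flip:",
          bits_changed(encrypt(P, KA), encrypt(P ^ 1, KA)))
```

With all three keys equal, the middle decryption cancels the first encryption, which is why EDE hardware and software can interoperate with single-key systems.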

3. AES
AES (Advanced Encryption Standard) is a block cipher algorithm that
encrypts and decrypts data using the same secret key. Here's how AES
works:

1. Key Expansion: The secret key used for encryption is expanded into a set
of round keys that are used in the encryption and decryption process.

2. SubBytes: In this step, each byte of the input data is replaced with a
corresponding byte from a substitution box (S-box) based on a predefined
lookup table.

3. ShiftRows: The rows of the data block are shifted cyclically to the left by
different offsets, creating a diffusion effect.

4. MixColumns: Each column of the data block is transformed by mixing its
four bytes using matrix multiplication with a fixed matrix.

5. AddRoundKey: Each round key is combined with the state (data block)
using bitwise XOR operation to add complexity and randomness to the
encryption process.

These steps are repeated for multiple rounds (10, 12, or 14 rounds
depending on the key size) to provide strong encryption. During decryption,
the process is reversed by applying the inverse operations in the reverse
order.

Overall, AES provides a high level of security and efficiency, making it a
popular choice for securing sensitive data in various applications.

4. Block Cipher Modes


Let's break down block ciphers, how they work in different modes, and other
important concepts in symmetric-key cryptography.

What are Block Ciphers?

* The Basics: A block cipher is a fundamental building block in
symmetric-key cryptography. It's a deterministic algorithm that encrypts
fixed-size blocks of data (typically 128 bits). Think of it like a "lock"
where you use a key (the encryption key) to scramble the data in a specific
way.
* How it Works:
  * The plaintext (original data) is divided into blocks of a specific size.
  * Each block is encrypted using the same key and the encryption
    algorithm.
  * The encrypted blocks are then combined to form the ciphertext.
  * To decrypt, the same key and algorithm are used in reverse.

Block Cipher Modes of Operation

Block ciphers alone can't handle variable-length data efficiently. To deal
with this, we use different "modes" of operation, which are specific ways to
use the block cipher on data streams. Here are some common modes:

1. Electronic Codebook (ECB):
* How it works: Each block is encrypted independently, meaning the
same plaintext block will always produce the same ciphertext block.
* Pros: Simple to implement.
* Cons: Highly insecure; patterns in the plaintext are directly reflected in
the ciphertext, making it susceptible to attacks.

2. Cipher Block Chaining (CBC):
* How it works: Each plaintext block is XORed with the previous
ciphertext block before encryption. This introduces a dependency between
blocks, making the encryption process more secure.
* Pros: More secure than ECB.
* Cons: Needs an initialization vector (IV) to start the chain; susceptible to
padding oracle attacks.

3. Cipher Feedback (CFB):
* How it works: The previous ciphertext block is encrypted, and the
result is XORed with the current plaintext block to produce the ciphertext.
* Pros: Can encrypt data in stream mode, allowing for variable-length
data.
* Cons: Requires an IV.

4. Output Feedback (OFB):
* How it works: A pseudo-random stream is generated using the key and
an IV, and this stream is XORed with the plaintext to create the ciphertext.
* Pros: Similar to CFB, handles variable-length data and can be used for
stream encryption.
* Cons: Requires an IV.

5. Counter Mode (CTR):
* How it works: A counter (starting with an IV) is encrypted for each
block, and the result is XORed with the plaintext block.
* Pros: Very fast, parallel encryption, suitable for high-throughput scenarios.
* Cons: Requires a unique IV for each message.
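
An added example, not part of the original document: it runs the same message through ECB, CBC and CTR, counts repeated ciphertext blocks, and checks what a reused CTR IV exposes. E() is an HMAC-SHA256 stand-in for the block cipher's encryption direction (an assumption, since Python's standard library has no AES), and the key, IVs and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # bytes, i.e. the 128-bit block size mentioned above

def E(key, block):
    # Stand-in for block-cipher encryption (assumption): HMAC-SHA256
    # truncated to one block. Forward direction only; no decryption here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, pt):
    # Every block is encrypted independently of the others.
    return b"".join(E(key, b) for b in split(pt))

def cbc(key, iv, pt):
    out, prev = [], iv
    for b in split(pt):
        prev = E(key, xor(b, prev))  # chain in the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def ctr(key, iv, pt):
    # Keystream block i = E(key, iv || counter_i); iv is 8 bytes here.
    return b"".join(xor(b, E(key, iv + i.to_bytes(8, "big")))
                    for i, b in enumerate(split(pt)))

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier block.
    bs = split(ct)
    return len(bs) - len(set(bs))

# Constructed sample data: three identical 16-byte records, then another.
KEY = b"constructed-demo-key"
IV16 = bytes(range(16))
IV8, OTHER_IV8 = b"\x00" * 7 + b"\x01", b"\x00" * 7 + b"\x02"
PT = b"ACCOUNT=00000000" * 3 + b"AMOUNT=000001500"
PT2 = b"ACCOUNT=99999999" * 3 + b"AMOUNT=000000001"

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb(KEY, PT)))
    print("CBC repeats:", repeated_blocks(cbc(KEY, IV16, PT)))
    print("CTR repeats:", repeated_blocks(ctr(KEY, IV8, PT)))
    same = xor(ctr(KEY, IV8, PT), ctr(KEY, IV8, PT2)) == xor(PT, PT2)
    fresh = xor(ctr(KEY, IV8, PT), ctr(KEY, OTHER_IV8, PT2)) == xor(PT, PT2)
    print("reused IV exposes PT xor PT2:", same, "| unique IV:", fresh)
```

A non-zero repeat count on stored ciphertext is a quick indicator that ECB, or a fixed IV, is in use.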

Choosing the Right Mode

The choice of block cipher mode depends on the specific security
requirements and application:

* ECB: Generally avoided due to its vulnerability.
* CBC: A good choice for most general-purpose encryption, but be aware of
potential attacks.
* CFB, OFB: Useful for stream encryption when variable-length data is
involved.
* CTR: Ideal for high-performance applications where speed is a priority.

Other Important Things Related to Symmetric-Key Cryptography

* Key Management: Securely storing and distributing keys is crucial.
* Padding: Block ciphers work on fixed-length blocks, so padding
techniques are used to ensure that data aligns with these block sizes.
* Cryptographic Hash Functions: Used for message integrity verification
and digital signatures.
* MAC (Message Authentication Code): Provides authentication and
integrity protection.
* AES (Advanced Encryption Standard): A widely used block cipher.
