Computer Security: Principles and Practice, 1/e
Skim read the info on the link below (Link is in the chat).
UK Home Office open letter to Mark Zuckerberg about end-to-end encryption
Symmetric Encryption
Symmetric encryption, also referred to as conventional encryption, secret-key,
or single-key encryption, was the only type of encryption in use prior to the
development of public-key encryption in the late 1970s. It remains by far the most
widely used of the two types of encryption.
Overview
Key bits – Symmetric not a history
Computationally secure cipher
Feistel Structure
DES
3DES
AES
End-to-end encryption
Completed last week Completed on Tuesday From Today
Classified along three independent dimensions:
• The type of operations used for transforming plaintext to ciphertext
    • Substitution – each element in the plaintext is mapped into another element
    • Transposition – elements in plaintext are rearranged
• The number of keys used
    • Sender and receiver use same key – symmetric
    • Sender and receiver each use a different key – asymmetric
• The way in which the plaintext is processed
    • Block cipher – processes input one block of elements at a time
    • Stream cipher – processes the input elements continuously
Symmetric Encryption
Also referred to as:
Conventional encryption
Secret-key or single-key encryption
Only alternative before public-key encryption in 1970’s
Still most widely used alternative
Has five ingredients:
Plaintext
Encryption algorithm
Secret key
Ciphertext
Decryption algorithm
Recall that a symmetric encryption scheme has five ingredients
• Plaintext: This is the original message or data that is fed into the algorithm as input.
• Encryption algorithm: The encryption algorithm performs various substitutions
and transformations on the plaintext.
• Secret key: The secret key is also input to the algorithm. The exact substitutions
and transformations performed by the algorithm depend on the key.
• Ciphertext: This is the scrambled message produced as output. It depends on
the plaintext and the secret key. For a given message, two different keys will
produce two different ciphertexts.
• Decryption algorithm: This is essentially the encryption algorithm run in
reverse. It takes the ciphertext and the same secret key and produces the
original plaintext.
Computationally Secure Encryption Schemes
Encryption is computationally secure if:
Cost of breaking cipher exceeds value of information
Time required to break cipher exceeds the useful lifetime of the information
Usually very difficult to estimate the amount of effort required to break
Can estimate time/cost of a brute-force attack –
did this in last lecture [timing consideration]
An encryption scheme is computationally secure if the ciphertext generated
by the scheme meets one or both of the following criteria:
• The cost of breaking the cipher exceeds the value of the encrypted information.
• The time required to break the cipher exceeds the useful lifetime of the
information.
Unfortunately, it is very difficult to estimate the amount of effort required
to cryptanalyze ciphertext successfully. However, assuming there are no inherent
mathematical weaknesses in the algorithm, then a brute-force approach is indicated,
and here we can make some reasonable estimates about costs and time.
A brute-force approach involves trying every possible key until an intelligible
translation of the ciphertext into plaintext is obtained. On average, half of all
possible keys must be tried to achieve success.
Used in block ciphers
Number of steps
Plaintext is divided into left and right halves
A function is applied to the right half and also receives the key (the function depends on which algorithm you use, e.g. DES or 3DES)
The result of the function is XORed with the left half of the plaintext
The right half moves to the left
The result of the XOR goes to the right
These new left and right halves become the inputs for further rounds
Many symmetric block encryption algorithms, including DES, have a structure first
described by Horst Feistel of IBM in 1973 [FEIS73] and shown in Figure 20.1. The
inputs to the encryption algorithm are a plaintext block of length 2w bits and a key
K. The plaintext block is divided into two halves, L0 and R0. The two halves of the
data pass through n rounds of processing and then combine to produce the ciphertext
block. Each round i has as inputs Li-1 and Ri-1, derived from the previous
round, as well as a subkey Ki, derived from the overall K. In general, the subkeys
Ki are different from K and from each other and are generated from the key by a
subkey generation algorithm.
All rounds have the same structure. A substitution is performed on the left
half of the data. This is done by applying a round function F to the right half of
the data and then taking the exclusive-OR (XOR) of the output of that function
and the left half of the data. The round function has the same general structure for
each round but is parameterized by the round subkey Ki. Following this substitution,
a permutation is performed that consists of the interchange of the two halves
of the data.
Block Cipher Structure
Symmetric block cipher consists of:
A sequence of rounds
With substitutions and permutations controlled by key
Parameters and design features:
The Feistel structure is a particular example of the more general structure
used by all symmetric block ciphers. In general, a symmetric block cipher consists of
a sequence of rounds, with each round performing substitutions and permutations
conditioned by a secret key value. The exact realization of a symmetric block cipher
depends on the choice of the following parameters and design features:
• Block size: Larger block sizes mean greater security (all other things being
equal) but reduced encryption/decryption speed. A block size of 128 bits
is a reasonable tradeoff and is nearly universal among recent block cipher
designs.
• Key size: Larger key size means greater security but may decrease encryption/
decryption speed. The most common key length in modern algorithms is
128 bits.
• Number of rounds: The essence of a symmetric block cipher is that a single
round offers inadequate security but that multiple rounds offer increasing
security. A typical size is 16 rounds.
• Subkey generation algorithm: Greater complexity in this algorithm should
lead to greater difficulty of cryptanalysis.
• Round function: Again, greater complexity generally means greater resistance
to cryptanalysis.
There are two other considerations in the design of a symmetric block cipher:
• Fast software encryption/decryption: In many cases, encryption is embedded in
applications or utility functions in such a way as to preclude a hardware implementation.
Accordingly, the speed of execution of the algorithm becomes a
concern.
• Ease of analysis: Although we would like to make our algorithm as difficult as
possible to cryptanalyze, there is great benefit in making the algorithm easy to
analyze. That is, if the algorithm can be concisely and clearly explained, it is
easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore
develop a higher level of assurance as to its strength. DES, for example, does
not have an easily analyzed functionality.
Decryption with a symmetric block cipher is essentially the same as the
encryption process. The rule is as follows: Use the ciphertext as input to the
algorithm, but use the subkeys Ki in reverse order. That is, use Kn in the first round,
Kn-1 in the second round, and so on until K1 is used in the last round. This is a nice
feature because it means we need not implement two different algorithms, one for
encryption and one for decryption.
Block size
Key size
Number of rounds
Subkey generation algorithm
Round function
Fast software encryption/decryption
Ease of analysis
Most widely used encryption scheme
Adopted in 1977 by National Bureau of Standards (Now NIST)
FIPS PUB 46
Algorithm is referred to as the Data Encryption Algorithm (DEA)
Minor variation of the Feistel network
Used 16 rounds of Feistel cipher
Block size 64 bits
Key size is 64 bits but effective key size is 56 bits, 8 bits of the key are check bits (64 bits – 8 check bits = 56 bits key size)
Data Encryption Standard (DES)
The most commonly used encryption scheme is based on the Data Encryption Standard
(DES) adopted in 1977 by the National Bureau of Standards, now the National
Institute of Standards and Technology (NIST), as FIPS 46 (Data Encryption Standard, January 1977).
The algorithm itself is referred to as the Data Encryption Algorithm (DEA).
The DES algorithm can be described as follows. The plaintext is 64 bits in
length and the key is 56 bits in length; longer plaintext amounts are processed in
64-bit blocks. The DES structure is a minor variation of the Feistel network shown
in Figure 20.1. There are 16 rounds of processing. From the original 56-bit key, 16
subkeys are generated, one of which is used for each round.
The process of decryption with DES is essentially the same as the encryption
process. The rule is as follows: Use the ciphertext as input to the DES
algorithm, but use the subkeys Ki in reverse order. That is, use K16 on the first
iteration, K15 on the second iteration, and so on until K1 is used on the sixteenth
and last iteration.
Key processes in DES:
Permutation
Round function
Key generation
DES process
Plaintext is represented in 64 bits
Permutation in DES
In the initial permutation, bit 58 moves to the first position and bit 7 moves to the last
A quick solution to overcome the DES weakness was 3-DES
To save time and money
K3 = K1: 2 keys of 56 bits = 112 bits
Problem: too slow
3DES
Triple DES (3DES) was first standardized for use in financial applications in ANSI standard X9.17 in 1985. 3DES was incorporated as part of the Data Encryption Standard in 1999, with the publication of FIPS PUB 46-3.
3DES uses three keys and three executions of the DES algorithm. The function follows an encrypt-decrypt-encrypt (EDE) sequence (see Figure 20.2a):
C = E(K3, D(K2, E(K1, P)))
where: C = ciphertext; P = plaintext; E(K, X) = encryption of X using key K, and D(K, Y) = decryption of Y using key K.
Decryption is simply the same operation with the keys reversed (Figure 20.2b):
P = D(K1, E(K2, D(K3, C)))
There is no cryptographic significance to the use of decryption for the second stage of 3DES encryption. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES:
C = E(K1, D(K1, E(K1, P))) = E(K, P)
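The Feistel round and the reversed-subkey decryption rule described earlier, together with the EDE composition above, shown in one added example (not code from the original notes). The round function, the subkey generation and the 8-byte block size are assumptions chosen so that it runs on the standard library; this is a toy cipher, not DES.

```python
import hashlib
import hmac

W = 4        # half-block width w in bytes, so a block is 2w = 64 bits (assumed size)
ROUNDS = 16  # n, the number of rounds


def subkeys(key, n=ROUNDS):
    """Toy subkey generation: Ki = HMAC-SHA256(K, i). Not the DES key schedule."""
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(1, n + 1)]


def round_function(right, ki):
    """Toy F: a keyed hash of the right half, cut to w bytes. F is one-way here,
    which shows that a Feistel network never needs to invert F."""
    return hmac.new(ki, right, hashlib.sha256).digest()[:W]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, round_keys):
    """Run the network over one block with the subkeys in the order given."""
    if len(block) != 2 * W:
        raise ValueError("block must be exactly 2w bytes")
    left, right = block[:W], block[W:]
    for ki in round_keys:
        # Substitution on the left half, then interchange of the two halves.
        left, right = right, xor(left, round_function(right, ki))
    return right + left  # undo the last swap so the same routine decrypts


def encrypt(key, block):
    return feistel(block, subkeys(key))          # K1 first, Kn last


def decrypt(key, block):
    return feistel(block, subkeys(key)[::-1])    # Kn first, K1 last


def ede_encrypt(k1, k2, k3, p):
    """C = E(K3, D(K2, E(K1, P)))"""
    return encrypt(k3, decrypt(k2, encrypt(k1, p)))


def ede_decrypt(k1, k2, k3, c):
    """P = D(K1, E(K2, D(K3, C)))"""
    return decrypt(k1, encrypt(k2, decrypt(k3, c)))


# Constructed sample keys and plaintext block.
K1, K2, K3 = b"key-one", b"key-two", b"key-three"
P = b"8 bytes!"

if __name__ == "__main__":
    c = encrypt(K1, P)
    print("single encryption:", c.hex(), "->", decrypt(K1, c))
    print("subkeys in the wrong order:", feistel(c, subkeys(K1)))
    c3 = ede_encrypt(K1, K2, K3, P)
    print("EDE, three keys:", c3.hex(), "->", ede_decrypt(K1, K2, K3, c3))
    print("EDE with K1 = K2 = K3 equals single encryption:",
          ede_encrypt(K1, K1, K1, P) == c)
```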
With three distinct keys, 3DES has an effective key length of 168 bits. FIPS 46-3 also allows for the use
of two keys, with K1 = K3; this provides for a key length of 112 bits. FIPS 46-3 includes the following guidelines for 3DES:
• 3DES is the FIPS approved symmetric encryption algorithm of choice.
• The original DES, which uses a single 56-bit key, is permitted under the standard
for legacy systems only. New procurements should support 3DES.
• Government organizations with legacy DES systems are encouraged to
transition to 3DES.
• It is anticipated that 3DES and the Advanced Encryption Standard (AES) will
coexist as FIPS-approved algorithms, allowing for a gradual transition to AES.
It is easy to see that 3DES is a formidable algorithm. Because the underlying
cryptographic algorithm is DEA, 3DES can claim the same resistance to cryptanalysis
based on the algorithm as is claimed for DEA. Further, with a 168-bit key length,
brute-force attacks are effectively impossible.
Ultimately, AES is intended to replace 3DES, but this process will take a
number of years. NIST anticipates that 3DES will remain an approved algorithm
(for U.S. government use) for the foreseeable future.
AES
DES Key size too small, exhaustive key search possible with increasing computing power
3-DES too slow
Alternative is AES
Key features of AES:
Secret or symmetric cipher
Block cipher
128-bit data, 128/192/256-bit keys
Stronger and faster than Triple-DES
Not based on Feistel structure
Iterative – a number of substitutions and permutations
Performs operations on bytes rather than on bits
128 bits = 16 bytes, arranged in a 4 x 4 matrix
Number of rounds depends on key size: 10 for 128 bits, 12 for 192 bits and 14 for 256 bits
Each round uses a unique key
The Advanced Encryption Standard (AES) was issued as a federal information processing
standard FIPS 197 (Advanced Encryption Standard, November 2001).
It is intended to replace DES and triple DES with an
algorithm that is more secure and efficient.
AES uses a block length of 128 bits and a key length that can be 128, 192, or 256 bits.
In the description of this section, we assume a key length of 128 bits, which is likely
to be the one most commonly implemented.
Figure 20.3 shows the overall structure of AES. The input to the encryption
and decryption algorithms is a single 128-bit block. In FIPS PUB 197, this block is
depicted as a square matrix of bytes. This block is copied into the State array, which
is modified at each stage of encryption or decryption. After the final stage, State is
copied to an output matrix. Similarly, the 128-bit key is depicted as a square matrix
of bytes. This key is then expanded into an array of key schedule words; each word
is 4 bytes and the total key schedule is 44 words for the 128-bit key. The ordering
of bytes within a matrix is by column. So, for example, the first 4 bytes of a 128-bit
plaintext input to the encryption cipher occupy the first column of the in matrix,
the second 4 bytes occupy the second column, and so on. Similarly, the first 4 bytes
of the expanded key, which form a word, occupy the first column of the w matrix.
The following comments give some insight into AES:
1. One noteworthy feature of this structure is that it is not a Feistel structure.
Recall that in the classic Feistel structure, half of the data block is used to
modify the other half of the data block, and then the halves are swapped. AES
does not use a Feistel structure but processes the entire data block in parallel
during each round using substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit
words, w[i]. Four distinct words (128 bits) serve as a round key for each round.
3. Four different stages are used, one of permutation and three of substitution:
• Substitute Bytes: Uses a table, referred to as an S-box, to perform a byte-by-
byte substitution of the block
• Shift Rows: A simple permutation that is performed row by row
• Mix Columns: A substitution that alters each byte in a column as a function
of all of the bytes in the column
• Add Round key: A simple bitwise XOR of the current block with a portion
of the expanded key
Plaintext — Welcome To Computer
Text W E L C O M T O C O M P U T E R
57 65 6c 63 6f 6d 65 54 6f 43 6f 6d 70 75 74 65
57 6f
65 — — —
6c — — —
63 — — —
State
Suppose this is hex
16 bytes = 128 bits (one AES block),
1 byte for each character
Don’t forget about padding
4. The structure is quite simple. For both encryption and decryption, the cipher
begins with an Add Round Key stage, followed by nine rounds that each
includes all four stages, followed by a tenth round of three stages. Figure 20.4
depicts the structure of a full encryption round.
5. Only the Add Round Key stage makes use of the key. For this reason, the
cipher begins and ends with an Add Round Key stage. Any other stage,
applied at the beginning or end, is reversible without knowledge of the key
and so would add no security.
6. The Add Round Key stage by itself would not be formidable. The other three
stages together scramble the bits, but by themselves would provide no security
because they do not use the key. We can view the cipher as alternating operations
of XOR encryption (Add Round Key) of a block, followed by scrambling
of the block (the other three stages), followed by XOR encryption, and
so on. This scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, Shift Row, and Mix
Columns stages, an inverse function is used in the decryption algorithm. For
the Add Round Key stage, the inverse is achieved by XORing the same round
key to the block, using the result that A ⊕ A ⊕ B = B.
8. As with most block ciphers, the decryption algorithm makes use of the
expanded key in reverse order. However, the decryption algorithm is not
identical to the encryption algorithm. This is a consequence of the particular
structure of AES.
9. Once it is established that all four stages are reversible, it is easy to verify
that decryption does recover the plaintext. Figure 20.3 lays out encryption
and decryption going in opposite vertical directions. At each horizontal point
(e.g., the dashed line in the figure), State is the same for both encryption and
decryption.
10. The final round of both encryption and decryption consists of only three
stages. Again, this is a consequence of the particular structure of AES and is
required to make the cipher reversible.
The forward substitute byte transformation,
called SubBytes, is a simple table lookup. AES defines a 16 × 16 matrix of byte values,
called an S-box (Table 20.2a), that contains a permutation of all possible 256 8-bit
values. Each individual byte of State is mapped into a new byte in the following
way: The leftmost 4 bits of the byte are used as a row value and the rightmost 4
bits are used as a column value. These row and column values serve as indexes
into the S-box to select a unique 8-bit output value. For example, the hexadecimal
value {95} references row 9, column 5 of the S-box, which contains the value {2A}.
Accordingly, the value {95} is mapped into the value {2A}.
Table 20.2 AES S-Boxes
The inverse substitute byte transformation, called InvSubBytes, makes use of
the inverse S-box shown in Table 20.2b. Note, for example, that the input {2A} produces
the output {95}, and the input {95} to the S-box produces {2A}.
The S-box is designed to be resistant to known cryptanalytic attacks.
Specifically, the AES developers sought a design that has a low correlation between
input bits and output bits and the property that the output cannot be described as a
simple mathematical function of the input.
Shift Rows
For the forward shift row transformation, called ShiftRows, the first row of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed.
The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a one-byte circular right shift for the second row, and so on.
The shift row transformation is more substantial than it may first appear. This is because the State, as well as the cipher input and output, is treated as an array of four 4-byte columns. Thus, on encryption, the first four bytes of the plaintext are copied to the first column of State, and so on. Further, as will be seen, the round key is applied to State column by column. Thus, a row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes. Also note that the transformation ensures that the four bytes of one column are spread out to four different columns.
On encryption, left rotate each row of State by 0, 1, 2, 3 bytes respectively
Decryption does the reverse
To move individual bytes from one column to another and spread bytes over columns
Mix Columns and Add Key
Mix columns
Operates on each column individually
Mapping each byte to a new value that is a function of all four bytes in the column
Use of equations over finite fields
A finite field or Galois field is a field that contains a finite number of elements. As with any field, a finite field is a set on which the operations of multiplication, addition, subtraction and division are defined and satisfy certain basic rules
To provide good mixing of bytes in column
Add round key
Simply XOR State with bits of expanded key
Security from complexity of round key expansion and other stages of AES
The forward mix column transformation, called MixColumns, operates on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes in the column. The mapping makes use of equations over finite fields. The mapping is designed to provide a good mixing among the bytes of each column. The mix column transformation combined with the shift row transformation ensures that after a few rounds, all output bits depend on all input bits.
In the forward add round key transformation, called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key. The operation is viewed as a column-wise operation between the four bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation.
The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.
The add round key transformation is as simple as possible and affects every bit of State. The complexity of the round key expansion, plus the complexity of the other stages of AES, ensure security.
The AES key expansion algorithm takes as input a 4-word
(16-byte) key and produces a linear array of 44 words (176 bytes). This is sufficient
to provide a 4-word round key for the initial Add Round Key stage and each of the
10 rounds of the cipher.
The key is copied into the first four words of the expanded key. The remainder
of the expanded key is filled in four words at a time. Each added word w[i] depends on
the immediately preceding word, w[i – 1], and the word four positions back, w[i – 4]. A
complex finite-field algorithm is used in generating the expanded key.
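The four stages and the key expansion described in these notes, put together as AES-128 encryption of a single block. This is an added teaching example, not code from the original notes and not suitable for production use; the function names are assumptions, the S-box is computed from its FIPS 197 definition instead of being typed in from Table 20.2, and the sample inputs are the FIPS 197 Appendix B vector and the 16 bytes from the slide above.

```python
def xtime(a):
    """Multiply a byte by {02} in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a, b = xtime(a), b >> 1
    return product

def build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the FIPS 197 affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)  # {00} maps to {00}
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

# State is a flat list of 16 bytes in column order: state[r + 4*c] is row r, column c.
def rows(state):
    """View the state as four rows, the way the slides draw it."""
    return [[state[r + 4 * c] for c in range(4)] for r in range(4)]

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Rotate row r left by r bytes (rows 0..3 move by 0, 1, 2, 3)."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Each output byte is a GF(2^8) combination of all four bytes of its column."""
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        out += [gmul(2, a[r]) ^ gmul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return out

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def expand_key(key):
    """AES-128 key expansion: 4 key words in, 44 words out."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # rotate, then substitute
            temp[0] ^= rcon                                # round constant
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])  # w[i] = w[i-4] XOR temp
    return w

def encrypt_block(key, block):
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    w = expand_key(key)
    round_key = lambda n: [b for word in w[4 * n:4 * n + 4] for b in word]
    state = add_round_key(list(block), round_key(0))
    for n in range(1, 10):  # nine rounds with all four stages
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key(n))
    state = add_round_key(shift_rows(sub_bytes(state)), round_key(10))  # no MixColumns
    return bytes(state)

# Known-answer vector from FIPS 197 Appendix B.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
FIPS_PLAINTEXT = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
# The 16 bytes shown on the slide above.
SLIDE_BLOCK = bytes.fromhex("57656c636f6d65546f436f6d70757465")

if __name__ == "__main__":
    print("S-box {95} ->", format(SBOX[0x95], "02X"))
    print("slide block as State rows:", [bytes(r).hex(" ") for r in rows(list(SLIDE_BLOCK))])
    print("ciphertext:", encrypt_block(FIPS_KEY, FIPS_PLAINTEXT).hex())
```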
Key Distribution
The means of delivering a key to two parties that wish to exchange data without allowing others to see the key
Two parties (A and B) can achieve this by:
For symmetric encryption to work, the two parties to an exchange must share the
same key, and that key must be protected from access by others. Furthermore, frequent
key changes are usually desirable to limit the amount of data compromised if
an attacker learns the key. Therefore, the strength of any cryptographic system rests
with the key distribution technique, a term that refers to the means of delivering a
key to two parties that wish to exchange data, without allowing others to see the
key. Key distribution can be achieved in a number of ways. For two parties A and B,
1. A key could be selected by A and physically delivered to B.
2. A third party could select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party could transmit
the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C could
deliver a key on the encrypted links to A and B.
Options 1 and 2 call for manual delivery of a key. For link encryption between two
directly-connected devices, this is a reasonable requirement, because each link encryption
device is only going to be exchanging data with its partner on the other end of the
link. However, for end-to-end encryption over a network, manual delivery is awkward.
In a distributed system, any given host or terminal may need to engage in exchanges with
many other hosts and terminals over time. Thus, each device needs a number of keys, supplied
dynamically. The problem is especially difficult in a wide area distributed system.
Option 3 is a possibility for either link encryption or end-to-end encryption, but
if an attacker ever succeeds in gaining access to one key, then all subsequent keys are
revealed. Even if frequent changes are made to the link encryption keys, these should
be done manually. To provide keys for end-to-end encryption, option 4 is preferable.
1. A key could be selected by A and physically delivered to B
2. A third party could select the key and physically deliver it to A and B
3. If A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key
4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B
Figure 20.10 illustrates an implementation that satisfies option 4 for end-to-end
encryption. In the figure, link encryption is ignored. This can be added, or not,
as required. For this scheme, two kinds of keys are identified:
• Session key: When two end systems (hosts, terminals, etc.) wish to communicate,
they establish a logical connection (e.g., virtual circuit). For the duration
of that logical connection, all user data are encrypted with a one-time session
key. At the conclusion of the session, or connection, the session key is
destroyed.
• Permanent key: A permanent key is a key used between entities for the purpose
of distributing session keys.
The configuration consists of the following elements:
• Key distribution center: The key distribution center (KDC) determines
which systems are allowed to communicate with each other. When permission
is granted for two systems to establish a connection, the KDC provides a
one-time session key for that connection.
• Security service module (SSM): This module, which may consist of functionality
at one protocol layer, performs end-to-end encryption and obtains session
keys on behalf of users.
The steps involved in establishing a connection are shown in Figure 20.10. When
one host wishes to set up a connection to another host, it transmits a connection request
packet (step 1). The SSM saves that packet and applies to the KDC for permission
to establish the connection (step 2). The communication between the SSM and
the KDC is encrypted using a master key shared only by this SSM and the KDC. If the
KDC approves the connection request, it generates the session key and delivers it to
the two appropriate SSMs, using a unique permanent key for each SSM (step 3). The
requesting SSM can now release the connection request packet, and a connection is
set up between the two end systems (step 4). All user data exchanged between the two
end systems are encrypted by their respective SSMs using the one-time session key.
The automated key distribution approach provides the flexibility and dynamic
characteristics needed to allow a number of terminal users to access a number of
hosts and for the hosts to exchange data with each other.
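The four steps above as a small simulation, added here as an example and not part of the original notes. The class and function names, the host names A, B and C, and the seal/unseal stand-in cipher (a SHA-256 keystream with an HMAC tag, used only so the code runs on the standard library) are all assumptions.

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, message):
    """Stand-in authenticated cipher; a real SSM would use a vetted cipher such as AES."""
    nonce = os.urandom(12)
    body = bytes(m ^ k for m, k in zip(message, _keystream(key, nonce, len(message))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class KDC:
    def __init__(self, allowed_pairs):
        self.permanent = {}  # SSM name -> permanent key shared only with the KDC
        self.allowed = {frozenset(pair) for pair in allowed_pairs}

    def enroll(self, name):
        self.permanent[name] = os.urandom(32)
        return self.permanent[name]

    def request_session(self, initiator, sealed_request):
        """Step 2 in, step 3 out: check permission, then wrap one fresh session key
        separately under each SSM's permanent key."""
        peer = unseal(self.permanent[initiator], sealed_request).decode()
        if frozenset((initiator, peer)) not in self.allowed:
            raise PermissionError(f"{initiator} may not connect to {peer}")
        session_key = os.urandom(32)
        return {
            initiator: seal(self.permanent[initiator], session_key + peer.encode()),
            peer: seal(self.permanent[peer], session_key + initiator.encode()),
        }

class SSM:
    def __init__(self, name, kdc):
        self.name, self.kdc = name, kdc
        self.permanent = kdc.enroll(name)
        self.sessions = {}  # peer name -> one-time session key

    def install(self, wrapped):
        plain = unseal(self.permanent, wrapped)
        self.sessions[plain[32:].decode()] = plain[:32]

    def connect(self, peer, packet):
        buffered = packet                                       # step 1: hold the packet
        request = seal(self.permanent, peer.name.encode())      # step 2: ask the KDC
        wrapped = self.kdc.request_session(self.name, request)  # step 3: keys delivered
        self.install(wrapped[self.name])
        peer.install(wrapped[peer.name])
        return seal(self.sessions[peer.name], buffered)         # step 4: release it

    def receive(self, peer_name, wire):
        return unseal(self.sessions[peer_name], wire)

    def close(self, peer_name):
        self.sessions.pop(peer_name, None)  # session key destroyed with the connection

def demo():
    """Constructed scenario: A and B may talk; C is enrolled but not permitted."""
    kdc = KDC(allowed_pairs=[("A", "B")])
    a, b, c = SSM("A", kdc), SSM("B", kdc), SSM("C", kdc)
    wire = a.connect(b, b"connection request")
    result = {"delivered": b.receive("A", wire)}
    try:
        unseal(c.permanent, wire)  # C holds a permanent key but not this session key
        result["outsider_blocked"] = False
    except ValueError:
        result["outsider_blocked"] = True
    first_key = a.sessions["B"]
    a.close("B")
    b.close("A")
    result["keys_after_close"] = len(a.sessions) + len(b.sessions)
    a.connect(b, b"second connection")
    result["fresh_key"] = a.sessions["B"] != first_key
    try:
        a.connect(c, b"not permitted")
        result["refused"] = False
    except PermissionError:
        result["refused"] = True
    return result

if __name__ == "__main__":
    print(demo())
```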
Criminals' use of end-to-end encryption
https://privacyinternational.org/news-analysis/3242/no-uk-hasnt-just-signed-treaty-meaning-end-end-end-encryption
Figure 20.1 Classical Feistel Network (a plaintext block of 2w bits is split into w-bit halves L0 and R0; rounds 1 to n each apply F with subkey Ki; the output is a ciphertext block of 2w bits)
Figure 20.3 AES Encryption and Decryption: (a) Encryption, (b) Decryption (the key is expanded into round keys w[0, 3] through w[40, 43]; encryption runs Add round key, then rounds 1 to 9 of Substitute bytes, Shift rows, Mix columns and Add round key, then round 10 without Mix columns; decryption runs the inverse stages)
Figure 20.4 AES Encryption Round (State passes through SubBytes, ShiftRows, MixColumns and AddRoundKey, with round key bytes r0 to r15)
Table 20.2 AES S-Boxes
(a) S-box
y
0 1 2 3 4 5 6 7 8 9 A B C D E F
x
0 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2 B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3 04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6 D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8 CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
(b) Inverse S-box
y
0 1 2 3 4 5 6 7 8 9 A B C D E F
x
0 52 09 6A D5 30 36 A5 38 BF 40 A3 9E 81 F3 D7 FB
1 7C E3 39 82 9B 2F FF 87 34 8E 43 44 C4 DE E9 CB
2 54 7B 94 32 A6 C2 23 3D EE 4C 95 0B 42 FA C3 4E
3 08 2E A1 66 28 D9 24 B2 76 5B A2 49 6D 8B D1 25
4 72 F8 F6 64 86 68 98 16 D4 A4 5C CC 5D 65 B6 92
5 6C 70 48 50 FD ED B9 DA 5E 15 46 57 A7 8D 9D 84
6 90 D8 AB 00 8C BC D3 0A F7 E4 58 05 B8 B3 45 06
7 D0 2C 1E 8F CA 3F 0F 02 C1 AF BD 03 01 13 8A 6B
8 3A 91 11 41 4F 67 DC EA 97 F2 CF CE F0 B4 E6 73
9 96 AC 74 22 E7 AD 35 85 E2 F9 37 E8 1C 75 DF 6E
A 47 F1 1A 71 1D 29 C5 89 6F B7 62 0E AA 18 BE 1B
B FC 56 3E 4B C6 D2 79 20 9A DB C0 FE 78 CD 5A F4
C 1F DD A8 33 88 07 C7 31 B1 12 10 59 27 80 EC 5F
D 60 51 7F A9 19 B5 4A 0D 2D E5 7A 9F 93 C9 9C EF
E A0 E0 3B 4D AE 2A F5 B0 C8 EB BB 3C 83 53 99 61
F 17 2B 04 7E BA 77 D6 26 E1 69 14 63 55 21 0C 7D
Figure 20.10 Automatic Key Distribution for Connection-Oriented Protocol (two hosts, each with an application and a security service, connected through a network to a key distribution center)
1. Host sends packet requesting connection.
2. Security service buffers packet; asks KDC for session key.
3. KDC distributes session key to both hosts.
4. Buffered packet transmitted.