× back

Advanced Encrption Algorithm

Advanced Encryption Algorithms (AEA) are sophisticated techniques used to secure data and ensure confidentiality in modern cryptographic systems. These algorithms are designed to provide robust protection against unauthorized access by leveraging complex mathematical operations. This unit explores some of the widely used encryption algorithms, such as Blowfish, International Data Encryption Algorithm (IDEA), and RC-5, along with their unique features and applications. Additionally, it delves into key concepts like Symmetric Key Distribution, which facilitates secure key sharing, and Random Number Generators, critical for generating unpredictable keys. Lastly, the Placement of the Encryption Function is examined, highlighting its significance in optimizing security and system performance.

Blowfish Algorithm

Properties

  • Fast encryption and decryption process, making it suitable for real-time applications.
  • Requires less memory, making it efficient for resource-constrained environments.
  • Simple to understand and implement compared to other complex encryption algorithms.
  • Highly secure due to the use of a variable-length key, allowing for flexibility in security strength.
  • Resistant to known cryptographic attacks like brute force due to its key size flexibility.

Blowfish Algorithm Steps

The Blowfish algorithm consists of two main steps:

  1. Key Generation: Generates subkeys and initializes the algorithm components.
  2. Data Encryption: Encrypts plaintext using the generated keys and the block cipher process.

Key Generation

  1. Keys are stored in an array:
    • Array elements: k1, k2, k3, ..., kn where 1 ≤ n ≤ 14.
    • Each key block has a length of 32 bits.
    • The total key length can be up to 448 bits (32 × 14), which is a multiple of 32.
  2. Initialize the P-array:
    • The P-array consists of 18 subkeys: P1, P2, P3, ..., P18.
    • Each element in the P-array is 32 bits long.
  3. Initialize the S-boxes:
    • There are 4 S-boxes, each containing 256 entries.
    • Example for S-box initialization:
      • S1: s0, s1, ..., s255
      • S2: s0, s1, ..., s255
      • The same pattern applies for S3 and S4.
  4. Initialize each element of the P-array and S-boxes with predefined hexadecimal values.
  5. Perform XOR operations to further initialize the P-array:
    • P1 = P1 XOR K1
    • P2 = P2 XOR K2
    • ... (continue for all key values)
    • When all 14 keys are used, restart from K1 for the remaining P-array elements.
    • Example:
      • P15 = P15 XOR K1
      • P18 = P18 XOR K4
  6. Process a 64-bit block of plaintext (initially all bits are 0) to generate subkeys:
    • Initial plaintext: (0, 0, 0, ..., 0)
    • Subkeys are generated and used in the encryption process.

Data Encryption

  • The plaintext size is 64 bits, which is divided into two halves:
    • The left half (L) consists of the first 32 bits.
    • The right half (R) consists of the remaining 32 bits.
  • The encryption process involves the following steps:
    • The left half (L) is XORed with the first subkey (P1).
    • The result of this XOR operation (denoted as `x`) is input to the function `F` to produce an output (denoted as `y`).
    • The output `y` is XORed with the right half (R).
    • After XORing, the left and right halves are swapped.
    • This process is repeated for all 18 subkeys in the P-array (P1 to P18).
  • After processing through all 18 rounds:
    • The final left (L) and right (R) halves are combined to form a 64-bit block of ciphertext.
    • The swapping step ensures the encryption provides strong diffusion and security.

Understanding the Function (F)

  • The input to the function `F` is 32 bits, which is divided into four 8-bit segments:
    • Each 8-bit segment is independently processed by one of the four S-boxes (S1, S2, S3, S4).
  • The output of the S-boxes undergoes the following operations:
    • The output of S-box 1 is XORed with the output of S-box 2.
    • The result of this XOR operation is then XORed with the output of S-box 3.
    • Finally, the result is XORed with the output of S-box 4.
  • The final output of the function `F` is a 32-bit value (denoted as `y`), which is used in the encryption process.
  • The purpose of the function `F` is to provide a non-linear transformation of the input, contributing to the algorithm's security by introducing confusion and diffusion.

IDEA Algorithm (International Data Encryption Algorithm)

Working

  • The plaintext of 64 bits is divided into 4 equal parts, each of size 16 bits.
  • These 4 parts are denoted as X1, X2, X3, and X4.
  • The algorithm involves 17 rounds, out of which 16 are primary rounds and the 17th is a final transformation round.
  • Each round processes the input blocks using specific subkeys from the 52 subkeys generated during the key expansion phase.
  • For each round:
    • Subkeys are applied to the blocks using modular addition, modular multiplication, and XOR operations.
    • Data blocks are mixed to ensure confusion and diffusion.
    • Odd and even rounds have distinct operations, explained further below.
  • The final transformation round applies the last 4 subkeys (K49, K50, K51, K52) to the blocks.
  • After all rounds, the 4 resulting 16-bit blocks are concatenated to form the 64-bit ciphertext.

What Happens in Each Round?

Each round involves processing the 4 parts (X1, X2, X3, X4) using subkeys and simple operations to create layers of scrambling. Here's how it works:

Odd Rounds (e.g., Round 1, 3, 5...):

  • 4 subkeys are used, one for each part: X1, X2, X3, and X4.
  • The keys are applied directly to the parts, followed by rearrangements and combinations to mix the data.
  • The result is passed to the next round.

Even Rounds (e.g., Round 2, 4, 6...):

  • 2 subkeys are used instead of 4, making these rounds slightly different from the odd rounds.
  • The keys are applied to specific parts of the data, followed by scrambling and rearrangements.
  • This adds another layer of complexity to the scrambled data.

Final Round (Round 17):

  • The 4 parts (X1, X2, X3, X4) are processed with the last set of subkeys.
  • This step finalizes the ciphertext.
  • The scrambled 4 parts are combined into the final 64-bit ciphertext.

RC5 Algorithm (Rivest Cipher)

Block Diagram

  • The secret key is first processed through the Key Expansion Algorithm to generate multiple subkeys. For example, a 128-bit secret key can be expanded into a sequence of subkeys depending on the block size.
  • These subkeys are then used during the encryption rounds to transform the plaintext into ciphertext.
  • During decryption, the same subkeys are used in reverse order to retrieve the original plaintext.

What Happens in Each Stage?

1. Key Expansion

  • Key expansion is a preprocessing step that generates a large number of subkeys from the original secret key.

Steps:

  1. The plaintext of 64 bits is divided into two equal blocks: A (32 bits) and B (32 bits).
  2. The secret key is expanded into a subkey array S, containing 2(r+1) subkeys (e.g., S[0], S[1], ..., S[2r+1]).
  3. Initial values for A and B are created by adding the first two subkeys:
    • A = A + S[0]
    • B = B + S[1]

2. Encryption

  • Encryption involves multiple rounds of transformations using subkeys.
  • Each round performs the following steps:
    1. A is updated using a combination of bitwise operations (XOR, left rotation) and addition with a subkey.
    2. B is updated in a similar manner using the next subkey.
  • After completing all rounds, the output is combined to form the final ciphertext.

3. Decryption

  • The decryption process reverses the encryption steps.
  • It uses the same subkeys, but applies them in reverse order.
  • By undoing the operations (e.g., subtracting instead of adding, reversing rotations), the ciphertext is converted back into the original plaintext.

Symmetric Key Distribution

Methods of Symmetric Key Distribution

1. Pre-Shared Key

  • The secret key is manually shared between the sender and receiver before communication begins.
  • This can be done using secure channels such as:
    • Face-to-face meetings.
    • Delivery by trusted couriers.
  • Advantages:
    • Simple and direct for small-scale systems.
    • Does not require additional infrastructure.
  • Drawbacks:
    • Not practical for large-scale or geographically distributed systems.
    • Risk of key interception during transmission.

2. Using a Trusted Third Party (Key Distribution Center)

  • A trusted third party, called a Key Distribution Center (KDC), facilitates the secure exchange of keys.
  • Steps:
    1. The sender and receiver each establish a secure connection with the KDC.
    2. The KDC generates a unique session key for communication between the two parties.
    3. This session key is securely transmitted to both parties by the KDC.
  • Advantages:
    • Eliminates the need for direct key sharing between sender and receiver.
    • Scalable for larger systems.
  • Drawbacks:
    • The KDC becomes a single point of failure.
    • Requires additional infrastructure and trust in the KDC.

3. Using Symmetric Encryption with Public Key Infrastructure (PKI)

  • Public key cryptography is used to securely exchange symmetric keys.
  • Steps:
    1. The sender encrypts the symmetric key with the receiver's public key.
    2. The encrypted key is transmitted to the receiver.
    3. The receiver decrypts the key using their private key.
  • Advantages:
    • Secure even over insecure channels.
    • Scalable for large systems.
  • Drawbacks:
    • Requires a functioning PKI infrastructure.
    • Introduces additional computational overhead.

4. Diffie-Hellman Key Exchange

  • A mathematical algorithm allows two parties to generate a shared symmetric key over an insecure channel.
  • Steps:
    1. Both parties agree on a public base and a public modulus.
    2. Each party selects a private key and generates a public value using the agreed parameters.
    3. They exchange public values and compute the shared secret key using their private key.
  • Advantages:
    • Secure key generation over insecure channels.
    • No prior shared secret is required.
  • Drawbacks:
    • Vulnerable to man-in-the-middle attacks if authentication is not used.
    • Limited to key agreement, not encryption itself.

Challenges in Symmetric Key Distribution

  • Ensuring secure key transfer without interception.
  • Managing keys in systems with a large number of users.
  • Handling key revocation and replacement in case of compromise.

Random Number Generators in Cryptography

Types of Random Number Generators

1. True Random Number Generators (TRNGs)

  • Generate randomness based on physical phenomena such as:
    • Thermal noise.
    • Electromagnetic interference.
    • Radioactive decay.
  • Features:
    • Non-deterministic: Results cannot be predicted.
    • Highly secure for cryptographic applications.
  • Drawbacks:
    • Slower than PRNGs due to dependency on physical events.
    • Requires specialized hardware to collect randomness.

2. Pseudo-Random Number Generators (PRNGs)

  • Generate randomness using mathematical algorithms based on a seed value.
  • Features:
    • Deterministic: Output depends on the seed, making it reproducible if the seed is known.
    • Faster than TRNGs and suitable for software implementations.
  • Drawbacks:
    • Less secure if the seed or algorithm is compromised.
    • Not truly random, as the randomness relies on the algorithm's complexity.

Cryptographically Secure PRNGs (CSPRNGs)

  • A special class of PRNGs designed for cryptographic applications.
  • Features:
    • Passes stringent randomness tests, ensuring unpredictability.
    • Resilient against attacks, even if part of the output is known.
  • Examples:
    • Yarrow Algorithm.
    • Fortuna Algorithm.
    • Dual_EC_DRBG (now deprecated due to vulnerabilities).

Applications in Cryptography

  • Key Generation: Random numbers are used to generate cryptographic keys that are unpredictable.
  • Initialization Vectors (IVs): Randomness ensures that IVs are unique for each encryption operation.
  • Nonces: Unique random values prevent replay attacks in protocols.
  • Salt Values: Random salts ensure secure password hashing by preventing rainbow table attacks.

Challenges in Random Number Generation

  • Bias: Random numbers must be uniformly distributed without any bias.
  • Predictability: Ensuring unpredictability is critical, especially for PRNGs.
  • Entropy Source: TRNGs rely on sufficient entropy from physical phenomena, which can be limited.

Reference