Internet.Security

Thus, the 16-th round decryption process is accomplished counting from the bottomup. In a similar fashion, the rest of the decryption processes are summarised in the following table.

Table for decryption blocks (Ri , Li ), 15 ≤ i ≤ 0

The preoutput block is (R0||L0) = 4713b8f45cd9b326.

Using Table 3.8 (IP−1), the plaintext is recovered as X = 785ac3a4bd0fe12d.

3.1.5 Triple DES

Triple DES is popular in Internet-based applications, including PGP and S/MIME. The possible vulnerability of DES to a brute-force attack brings us to find an alternative algorithm. Triple DES is a widely accepted approach which uses multiple encryption with DES and multiple keys, as shown in Figure 3.5. The three-key triple DES is the preferred alternative, whose effective key length is 168 bits.

Triple DES with two keys (K1 = K3, K2) is a relatively popular alternative to DES. But triple DES with three keys (K1, K2, K3) is preferred, as it results in a great increase in cryptographic strength. However, this alternative raises the cost of the known-plaintext attack to 2168, which is beyond what is practical.

Referring to Figure 3.5, the ciphertext C is produced as

C = EK3[DK2[EK1(P)]]

The sender encrypts with the first key K1, then decrypts with the second key K2, and finally encrypts with the third key K3. Decryption requires that the keys are applied in reverse order:

P = DK1[EK2[DK3(C)]]

(b) Decryption

Figure 3.5 Triple DES encryption/decryption.

The receiver decrypts with the third key K3, then encrypts with the second key K2, and finally decrypts with the first key K1. This process is sometimes known as Encrypt- Decrypt-Encrypt (EDE) mode.

Example 3.6 Using Figure 3.5, the triple DES computation is considered here. Given three keys:

K1 = 0x260b152f31b51c68

K2 = 0x321f0d61a773b558

K3 = 0x519b7331bf104ce3

and the plaintext P = 0x403da8a295d3fed9

The 16-round keys corresponding to each given key K1, K2 and K3 are computed as shown below.

Encryption: Compute the ciphertext C through the EDE mode operation of P. Each stage in the triple DES-EDE sequence is computed as:

First stage: EK1 = 0x7a39786f7ba32349

Second stage: DK2 = 0x9c60f85369113aea

Third stage: EK3 = 0xe22ae33494beb930 = C (ciphertext)

Decryption: Using the ciphertext C obtained above, the plaintext P is recovered as:

Forth stage: DK3 = 0x9c60f85369113aea

Fifth stage: EK2 = 0x7a39786f7ba32349

Final stage: DK1 = 0x403da8a295d3fed9 = P (plaintext)

3.1.6 DES-CBC Cipher Algorithm with IV

This section describes the use of the DES cipher algorithm in Cipher Block Chaining (CBC) mode as a confidentiality mechanism within the context of the Encapsulating Security Payload (ESP). ESP provides confidentiality for IP datagrams by encrypting the payload data to be protected (see Chapter 7).

DES-CBC requires an explicit Initialisation Vector (IV) of 64 bits that is the same size as the block size. The IV must be a random value which prevents the generation of identical ciphertext. IV implementations for inner CBC must not use a low Hamming distance between successive IVs. The IV is XORed with the first plaintext block before it is encrypted. For successive blocks, the previous ciphertext block is XORed with the current plaintext before it is encrypted.

DES-CBC is a symmetric secret key algorithm. The key size is 64 bits, but it is commonly known as a 56-bit key. The key has 56 significant bits; the least significant bit in every byte is the parity bit.

There are several ways to specify triple DES encryption, depending on the decision which affects both security and efficiency. For using triple encryption with three different

Figure 3.6 Triple DES-EDE in CBC mode.

keys, there are two possible triple-encryption modes (i.e. three DES-EDE modes): inner CBC and outer CBC, as shown in Figure 3.6.

Inner CBC

This mode requires three different IVs.

S0 = EK1(P1 (IV)1), T0 = EK1(P2 S0), R0 = EK1(P3 T0)

S1 = DK2(S0 (IV)2), T1 = DK2(T0 S1), R1 = DK2(R0 T1)

C1 = EK3(S1 (IV)3), C2 = EK3(T1 C1), C3 = EK3(R1 C2)

Outer CBC

This mode requires one IV.

C1 = EK3(DK2(EK1(P1 IV)))

C2 = EK3(DK2(EK1(P2 C1)))

C3 = EK3(DK2(EK1(P3 C2)))

strengthened against differential cryptographic attacks. In 1992, the revised version of PES appeared to be strong and was renamed as the International Data Encryption Algorithm (IDEA). IDEA is a block cipher that uses a 128-bit key to encrypt 64-bit data blocks.

Pretty Good Privacy (PGP) provides a privacy and authentication service that can be used for electronic mail and file storage applications. PGP uses IDEA for conventional block encryption, along with RSA for public-key encryption and MD5 for hash coding. The 128-bit key length seems to be long enough to effectively prevent exhaustive key searches. The 64-bit input block size is generally recognised as sufficiently strong enough to deter statistical analysis, as experienced with DES. The ciphertext depends on the plaintext and key, which are largely involved in a complicated manner. IDEA achieves this goal by mixing three different operations. Each operation is performed on two 16-bit inputs to produce a single 16-bit output. IDEA has a structure that can be used for both encryption and decryption, like DES.

3.2.1 Subkey Generation and Assignment

The 52 subkeys are all generated from the 128-bit original key. IDEA algorithm uses 52 16-bit key sub-blocks, i.e. six subkeys for each of the first eight rounds and four more for the ninth round of output transformation.

The 128-bit encryption key is divided into eight 16-bit subkeys. The first eight subkeys, labelled Z1, Z2, . . . , Z8 are taken directly from the key, with Z1 being equal to the first 16 bits, Z2 to the next 16 bits, and so on. The first eight subkeys for the algorithm are assigned such that the six subkeys are for the first round, and the first two for the second round. After that, the key is circularly shifted 25 bits to the left and again divided into eight subkeys. This procedure is repeated until all 52 subkeys have been generated. Since each round uses the 96-bit subkey (16 bit × 6) and the 128-bit subkey (16 bits × 8) is extracted with each 25-bit rotation of the key, there is no way to expect a simple shift relationship between the subkeys of one round and that of another. Thus, this key schedule provides an effective technique for varying the key bits used for subkeys in the eight rounds. Figure 3.7 illustrates the subkey generation scheme for making use of IDEA encryption/decryption.

If the original 128-bit key is labelled as Z(1, 2, . . . , 128), then the entire subkey blocks of the eight rounds have the following bit assignments (see Table 3.9).

Only six 16-bit subkeys are needed in each round, whereas the final transformation uses four 16-bit subkeys. But eight subkeys are extracted from the 128-bit key with the left shift of 25 bits. That is why the first subkey of each round is not in order, as shown in Table 3.9.

Example 3.8 Suppose the 128-bit original key Z is given as

Z = (5a14 fb3e 021c 79e0 6081 46a0 117b ff03)

The 52 16-bit subkey blocks are computed from the given key Z as follows: for the first round, the first eight subkeys are taken directly from Z. After that, the key Z is circularly shifted 25 bits to the left and again divided into eight 16-bit subkeys. These shift-divide

Figure 3.7 IDEA encryption/decryption block diagrams.

procedures are repeated until all 52 subkeys are generated, as shown in Table 3.9. The IDEA encryption key is computed as shown in Table 3.10.

3.2.2 IDEA Encryption

The overall scheme for IDEA encryption is illustrated in Figure 3.8. As with all block ciphers, there are two inputs to the encryption function, i.e. the plaintext block and encryption key. IDEA is unlike DES (which relies mainly on the XOR operation and on nonlinear S-boxes). In IDEA, the plaintext is 64 bits in length and the key size is 128 bits long. The design methodology behind the IDEA algorithm is based on mixing three different operations. These operations are:

Bit-by-bit XOR of 16-bit sub-blocks

+ Addition of 16-bit integers modulo 216

Multiplication of 16-bit integers modulo 216 + 1

IDEA utilises both confusion and diffusion by using these three different operations. For example, for the additive inverse modulo 216, −Zi + Zi = 0 where the notation −Zi

denotes the additive inverse; for the multiplicative inverse modulo 216 + 1, Zi Zi−1 = 1 where the notation Zi−1 denotes the multiplicative inverse.

In Figure 3.8, IDEA algorithm consists of eight rounds followed by a final output transformation. The 64-bit input block is divided into four 16-bit sub-blocks, labelled X1, X2, X3 and X4. These four sub-blocks become the input to the first round of IDEA algorithm. The subkey generator generates a total of 52 subkey blocks that are all generated from the original 128-bit encryption key. Each subkey block consists of 16 bits. The

first round makes use of six 16-bit subkeys (Z1, Z2, . . . , Z6), whereas the final output transformation uses four 16-bit subkeys (Z49, Z50, Z51, Z52). The final transformation stage also produces four 16-bit blocks, which are concatenated to form the 64-bit ciphertext. In each round of Figure 3.8, the four 16-bit sub-blocks are XORed, added and multiplied with one another and with six 16-bit key sub-blocks. Between each round, the second and third sub-blocks are interchanged. This swapping operation increases the mixing of the bits being processed and makes the IDEA algorithm more resistant to differential cryptanalysis.

In each round, the sequential operations will be taken into the following steps:

(1)X1 Z1

(2)X2 + Z2

(3)X3 + Z3

(4)X4 Z4

(5)(X1 Z1) (X3 + Z3) = (1) (3)

(6)(X2 + Z2) (X4 Z4) = (2) (4)

(7)(X1 Z1) (X3 + Z3) Z5 = ((1) (3)) Z5