01-Symmetric Encryption


IN3210/4210 Network and Communications Security

Symmetric Encryption

Nils Nordbotten
29.8.2023

Terminology

● plaintext (P) - original message/data
● ciphertext (C) - coded message/data
● cipher - algorithm for transforming plaintext to ciphertext or vice versa
● key (K) - info used in cipher known only to sender/receiver
● encipher (encrypt) (E) - converting plaintext to ciphertext
● decipher (decrypt) (D) - recovering plaintext from ciphertext

Cryptology
- Cryptography: study of encryption principles/methods
- Cryptanalysis: study of principles/methods of recovering the key or deciphering the ciphertext without knowing the key

IN3210/4210 2

Main cryptographic cipher types

● Symmetric (one key, i.e., shared secret key)
- Stream
- Block
● Asymmetric (two keys, i.e., public / private key)

(Figure colours: green = this lecture, orange = next week)

Outline of today's lecture on symmetric encryption

● Model of symmetric cryptosystem
● The one-time pad and notions of cryptographic security
● Stream ciphers
- RC4 and ChaCha20
● Block ciphers
- AES
- Block cipher modes of operation
● Attacks on (symmetric) cryptosystems
Model of symmetric cryptosystem (i.e., the sender and receiver share a secret key)

Encrypter: Plaintext (P) and Secret key (K) → E(K,P) = C
Ciphertext (C) is sent over the channel, where the opponent can observe it
Decrypter: Ciphertext (C) and Secret key (K) → D(K,C) = P

The secret key must be distributed over a secure channel, while the encryption algorithm is assumed to be publicly known

The one-time pad (the Vernam cipher)

Example with K = 101 and P = 011:
C = E(K,P) = K ⨁ P = 101 ⨁ 011 = 110
P = D(K,C) = K ⨁ C = 101 ⨁ 110 = 011

(⨁ is the exclusive OR operator, e.g., 0⨁0=0, 0⨁1=1, 1⨁1=0)

+ Provides perfect secrecy (and is fast)
− Requires a random one-time key as long as the plaintext

Perfect secrecy: the ciphertext provides no information about the plaintext (except its maximum length), even if trying all possible keys!

Exhaustive brute-force attack on C = 110: compute P = D(K,C) = K ⨁ 110 for all possible keys

Key (K)   Corresponding plaintext
000       110
001       111
010       100
011       101
100       010
101       011
110       000
111       001

Result: all possible plaintexts of the given length, but no information as to which one is the correct one!
If the key is reused, the one-time pad no longer provides perfect secrecy

C1 and C2 encrypted using the same key:

● C1 ⨁ C2 = (K ⨁ P1) ⨁ (K ⨁ P2) = P1 ⨁ P2
● E.g., given known plaintext P1:
C1 ⨁ C2 ⨁ P1 = P1 ⨁ P2 ⨁ P1 = P2

The Venona project (1943-1980):

● U.S. project decrypting Soviet diplomatic/intelligence messages transmitted during WW2
● The messages were encrypted using a one-time pad, but some of the key material had been duplicated
● The decrypted messages are now publicly available
https://www.nsa.gov/Helpful-Links/NSA-FOIA/Declassification-Transparency-Initiatives/Historical-Releases/Venona/
The one-time pad does not provide integrity/authenticity

If we know that the plaintext starts with a 0, how can we manipulate the ciphertext so that the decrypted plaintext starts with a 1?

Example with K = 101 and P = 011: C = K ⨁ P = 110. Flipping the first bit of C gives 010, and D(K, 010) = 101 ⨁ 010 = 111, which starts with a 1.

D(K, C ⨁ i) = P ⨁ i (i.e., changes to C are not detected and result in predictable changes to P)

The general lesson: a cipher only providing confidentiality does not provide integrity/authenticity!
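The three one-time pad properties above (encryption and decryption are the same XOR, key reuse leaks P1 ⨁ P2, and a change to C is an identical change to P) as an added Python example; this is not code from the lecture, and the two messages are constructed sample inputs.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the ⨁ of the slides)."""
    assert len(a) == len(b), "one-time pad key must be as long as the data"
    return bytes(x ^ y for x, y in zip(a, b))

def otp_keygen(length: int) -> bytes:
    # The key must be truly random, used once, and as long as the plaintext
    return secrets.token_bytes(length)

def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(key, plaintext)      # C = E(K,P) = K ⨁ P

def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(key, ciphertext)     # P = D(K,C) = K ⨁ C (same operation)

def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # Two ciphertexts under the same key: C1 ⨁ C2 = P1 ⨁ P2 (the key cancels out)
    return xor_bytes(c1, c2)

def recover_p2_with_known_p1(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    # With known plaintext P1: C1 ⨁ C2 ⨁ P1 = P2
    return xor_bytes(key_reuse_leak(c1, c2), p1)

def modify_ciphertext(ciphertext: bytes, mask: bytes) -> bytes:
    # D(K, C ⨁ i) = P ⨁ i: the receiver gets P ⨁ i and cannot tell C was changed
    return xor_bytes(ciphertext, mask)

def demo():
    # Constructed sample messages of equal length, encrypted under ONE key (the misuse)
    p1 = b"ATTACK AT DAWN"
    p2 = b"RETREAT AT SIX"
    key = otp_keygen(len(p1))
    c1, c2 = otp_encrypt(key, p1), otp_encrypt(key, p2)
    leaked_p2 = recover_p2_with_known_p1(c1, c2, p1)
    # Flip the top bit of the first byte of C1; the decrypted first byte flips the same bit
    mask = bytes([0x80]) + bytes(len(p1) - 1)
    tampered_p1 = otp_decrypt(key, modify_ciphertext(c1, mask))
    return leaked_p2, tampered_p1

if __name__ == "__main__":
    print(demo())
```

The slide's 3-bit example is the same code on one byte: K = 5 (101), P = 3 (011) gives C = 6 (110).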
Notions of cryptographic security

Unconditional security - The system cannot be broken even with infinite computational resources
- E.g., the one-time pad (confidentiality)

Computational security - It is impossible to break the system in practice due to the computational resources required by the best-known algorithms for breaking the system
- E.g., symmetric ciphers such as AES or ChaCha20

Provable security - Breaking the system is equivalent to solving a difficult problem (e.g., factoring of large numbers, discrete logarithm)
- E.g., asymmetric ciphers such as RSA (factoring)
Stream ciphers can be seen as more practical realizations of the one-time pad
Stream ciphers use pseudo-random number generators to generate a keystream that is XORed with the plaintext/ciphertext

Sender: Key K → Pseudorandom number generator → Keystream k; Ciphertext stream C = Plaintext stream P ⨁ k
Receiver: Key K → Pseudorandom number generator → the same Keystream k; Plaintext stream P = C ⨁ k

Stream ciphers can be realized using a block cipher in a «stream mode» or by dedicated stream ciphers (e.g., ChaCha20)
RC4 is a variable key-size (1 – 256 bytes / 8 – 2048 bits), byte-oriented stream cipher making use of a permutation of all 8-bit values

Designed to be efficient to implement in software (as opposed to traditional stream ciphers intended to be implemented in HW)

Has been widely used, including:

● SSL/TLS
- No longer recommended after attack demonstrated in 2013
§ Enabled by biases in the start of the RC4 keystream
§ The attack was not very practical but…(http://www.isg.rhul.ac.uk/tls/)

● WEP/WPA
- The attack on TLS with RC4 also applies to WPA/TKIP
- The vulnerabilities in WEP were not due to RC4 itself, but the way it was used
RC4 initialization

● Start with a key K of length ≤ 256 bytes:
  for i = 0 to 255 do
      S[i] = i                        // S = 0, 1, 2, 3, ..., 255
      T[i] = K[i mod keylength]       // e.g., K = 2, 5 then T = 2, 5, 2, 5, 2, 5, ...

S is now initialized with all numbers from 0-255. T is initialized with K (where K is repeated if necessary to generate T of length 256).

● Use T to shuffle S:
  j = 0
  for i = 0 to 255 do
      j = (j + S[i] + T[i]) mod 256
      swap(S[i], S[j])

● S forms the internal state of the cipher
RC4 keystream generation - encryption/decryption

For each plaintext/ciphertext byte: shuffle S and generate a keystream value that is XORed with the plaintext/ciphertext byte:

  i = j = 0
  for each plaintext byte Pi do
      i = (i + 1) mod 256
      j = (j + S[i]) mod 256
      swap(S[i], S[j])
      t = (S[i] + S[j]) mod 256
      Ci = Pi ⨁ S[t]                  (Decryption: Pi = Ci ⨁ S[t])
ChaCha20 stream cipher (RFC 8439)

● ChaCha20 is a variation of Salsa20 that completed the final phase of eSTREAM in 2008, both designed by D. Bernstein
● Designed to be fast when implemented in software
- faster than AES when AES is not supported in hardware
● Successively calls a round function with increasing block counter:
- 20 rounds (i.e., 80 quarter rounds) before the original input is added to the current state to produce a block of keystream
- Quarter round function: addition (mod 2^32), XOR and roll/shift
- Alternates between column and diagonal rounds, where each quarter round takes one column or diagonal as input
● ChaCha20-Poly1305 is an Authenticated Encryption with Associated Data (AEAD), e.g., supported in TLS 1.3 and QUIC

Figure (by Tony Arcieri, CC BY-SA): the original 16x32-bit input/state as a 4x4 matrix of words - row 1: four constants; rows 2-3: eight key words; row 4: block count followed by three nonce words - and the quarter round function operating on one column or diagonal.
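The block function described above (16-word state, 10 column/diagonal double rounds, then addition of the original input) as an added Python example; it is not the lecture's or the RFC's code, and the `chacha20_xor` wrapper applies the keystream in the usual counter-incrementing way.

```python
import struct

MASK32 = 0xFFFFFFFF
# The four constants are the ASCII bytes of "expand 32-byte k" read as little-endian words
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)

def rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32

def quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """RFC 8439 quarter round: additions mod 2^32, XORs and left rotations."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block for (key, block counter, nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    # Initial state: 4 constants, 8 key words, 1 block counter, 3 nonce words
    initial = (list(CONSTANTS) + list(struct.unpack("<8L", key))
               + [counter & MASK32] + list(struct.unpack("<3L", nonce)))
    s = initial[:]
    for _ in range(10):  # 10 double rounds = 20 rounds = 80 quarter rounds
        quarter_round(s, 0, 4, 8, 12)   # column round: one column each
        quarter_round(s, 1, 5, 9, 13)
        quarter_round(s, 2, 6, 10, 14)
        quarter_round(s, 3, 7, 11, 15)
        quarter_round(s, 0, 5, 10, 15)  # diagonal round: one diagonal each
        quarter_round(s, 1, 6, 11, 12)
        quarter_round(s, 2, 7, 8, 13)
        quarter_round(s, 3, 4, 9, 14)
    # Add the original input to the current state and serialize little-endian
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(s, initial)])

def chacha20_xor(key: bytes, nonce: bytes, counter: int, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR data with successive keystream blocks."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out.extend(x ^ k for x, k in zip(data[off:off + 64], ks))
    return bytes(out)
```

A fresh (key, nonce) pair per message is what keeps keystream blocks from ever repeating; the counter only separates blocks within one message.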

Small deviations or wrong assumptions can cause insecurity

Unless message authentication is used, stream ciphers do not provide integrity/authenticity:
- Remember the example with the OTP, stream ciphers are the same
- Lesson: only depend on a cryptographic mechanism for its intended purpose(s)!

A stream cipher is insecure if the same keystream is used twice
- Again, see the example with the OTP
- Reuse of the keystream may also happen for instance due to using the same key for encrypting traffic in both directions or because some type of counter wraps around
- Lesson: only use keys for their intended purpose and duration!

The keystream must be completely unpredictable (without the key)!
Random numbers

● Many applications of random numbers in cryptography and security (e.g., key generation, keystreams, ...)

● Critical that these values are statistically random (uniform distribution and independence) and that future values are unpredictable
- Improper random number generation is a common source of security vulnerabilities

● Often use a Pseudorandom Number Generator (PRNG):
- Deterministic sequence of outputs, given a seed (e.g., the secret key) as input
- Such pseudorandom numbers are not truly random but can pass many tests of randomness
- May be based on e.g., symmetric/asymmetric ciphers or hash functions
Symmetric block ciphers map a fixed-size input block to a fixed-size output block

(Figure: Plaintext block and Key → Block cipher → Ciphertext block)

● Block size: Number of bits taken as input/output at a time
- AES: 128 bits

● Key size: Larger keys are more secure but may reduce speed
- AES: 128, 192 or 256 bits

● Block ciphers can be used in different modes of operation
Block ciphers typically iterate a weaker round function

(Figure: Input block → Round 1 (round key k1) → Round 2 (k2) → ... → Round N (kN) → Output block, with a round key generation algorithm expanding Key k into k1, ..., kN)

• The key is expanded into a sequence of round keys
• AES-128: 10 rounds
• AES-192: 12 rounds
• AES-256: 14 rounds
• DES: 16 rounds
Advanced Encryption Standard (AES) uses the Rijndael block cipher

AES process highlights:

● January 1997: NIST issued a call for proposals for a new AES
- Received 15 proposals in total
● October 2000: Rijndael selected as the proposed AES cipher
● November 2001: AES approved as FIPS PUB 197

Rijndael was developed by Belgian cryptographers Joan Daemen and Vincent Rijmen
AES-128

• Plaintext represented as 4x4 byte matrix
• Key is expanded into 11 round keys, each 4x4 bytes

(Figure: the AES-128 encryption and decryption round structures)
Rijndael/AES round function uses four invertible operations

● Substitute bytes: Byte-by-byte substitution based on table (S-box)
● Shift rows: Permutation performed by rotating row by row
● Mix columns: Substitution altering each byte in a column based on all the bytes in the column
● ⨁ Round key: the state is XORed with the round key
AES Instruction Set and Intel’s AES-NI

● Extensions to x86 instruction set providing hardware support for AES

● Provided by Intel, AMD, and others

● Used by many libraries and applications

Data Encryption Standard (DES)

● Issued as a standard by NIST in 1977
§ Block size is 64 bits
§ Key is 56 bits – too short today!
§ Variation of a Feistel network

● DES is expired and should no longer be used
- Use AES instead

(Figure: 3DES)
Block Cipher Modes of Operation specify how to use symmetric block ciphers for practical applications

● NIST SP 800-38A specifies five modes of operation:
- ECB
- CBC
- CFB
- OFB
- CTR
These are confidentiality modes (they do not ensure integrity/authenticity!)

● SPs 800-38 B - G specify additional modes of operation, including authenticated encryption modes such as GCM and modes intended for storage encryption
Using Electronic Codebook (ECB) mode, each block is encrypted/decrypted independently

Cj = Encrypt(K, Pj) for each block j

Identical plaintext blocks (encrypted with the same key) result in identical ciphertext blocks – may be insecure

(Figure: the same image as plaintext, encrypted in ECB mode, and encrypted in a secure mode)
Cipher Block Chaining (CBC) mode (figure: each plaintext block is XORed with the previous ciphertext block, the first with the IV, before being encrypted)

● The IV must be unpredictable (but does not need to be secret)

● Does not provide integrity/authenticity

● Correct decryption depends on correct receipt of the corresponding and previous ciphertext block

● Cannot be parallelized well (decryption can to some extent)

● Needs to pad the last block if the plaintext is not a multiple of the block size (can be avoided using ciphertext stealing)
Counter (CTR) mode (stream mode)

Counter: X0 = IV, Xi = Xi-1 + 1
Keystream block: Yi = Encrypt(K, Xi)
Encryption: Ci = Pi ⨁ Yi
Decryption: Pi = Ci ⨁ Yi (the receiver runs the same counter and encryption to regenerate Yi)
Counter (CTR) mode

● Hardware and software efficiency:
- Encryption/decryption can be done in parallel
- Preprocessing - The underlying encryption algorithm does not depend on plaintext or ciphertext input

● Random access to ciphertext/plaintext blocks

● Only requires implementation of the encryption algorithm and not the decryption algorithm

● Does not provide integrity protection
Galois/Counter Mode (GCM)

● Uses a variation of CTR mode encryption for confidentiality and a keyed hash function (GMAC) to create the authentication tag

● Mode of operation that combines encryption and authentication (i.e., authenticated encryption with associated data)

● To be used with 128-bit block cipher – the "typical mode" used with AES (used in e.g., TLS and IPsec)

Figure from NIST - page 7 of D. McGrew, J. Viega, The Galois/Counter Mode of Operation (GCM), Natl. Inst. Stand. Technol. [Web page], http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf, May 31, 2005, CC0, https://commons.wikimedia.org/w/index.php?curid=74845777
Output feedback mode (OFB) (used in this week's exercise)

Decryption is the same as encryption, using the ciphertext (instead of the plaintext) as input
Attacks on cryptosystems

● Brute-force attack
- On average half the keys must be tried
- Must be able to recognize valid plaintext
- Mitigated by sufficient key length
● Cryptanalysis
- Weaknesses may result in much less resources/effort being required than for a brute-force attack
● Attacks on implementation
- E.g., side channel attacks based on variations in power consumption, timing, or emanations
● Attacks on key management or the environment
- E.g., circumventing encryption by exploiting vulnerabilities in the end-user operating system
Cryptanalytic attacks

● Ciphertext only - the attacker only knows the algorithm and the ciphertext

● Known plaintext - the attacker knows/suspects some plaintext and its ciphertext

● Chosen plaintext - the attacker selects plaintext and obtains the corresponding ciphertext

● Chosen ciphertext - the attacker selects ciphertext and obtains the corresponding plaintext
Relative Illustration of Average Time Required for Exhaustive Key Search

(Table from: W. Stallings, Cryptography and Network Security)

• Using a meet-in-the-middle attack the effort for 3DES can be reduced to 112 bits
• Given successful quantum computers, the symmetric key size must be about doubled to achieve the same security (Grover's algorithm)
Categorization of 269 cryptographic vulnerabilities from the CVE database in the period 2011-2014

(Figure from: D. Lazar et al., "Why does cryptographic software fail? – A case study and open problems", Proc. APSys 2014)