8/7/2019 IS AES

1/21

Advanced Encryption Standard

3DES has 2 attractions that assure its

widespread use over the next few years.

1. The 168 bit-key length, it overcomes the

vulnerability in 3DES is the same as in DEA.

2. DES algorithm is the underlying base.

3DES is very resistant to cryptanalysis.

8/7/2019 IS AES

2/21

The Principal drawback of 3DES is that the

algorithm is relatively in software.

3DES , which has three times as many rounds as

DEA, is correspondingly slower.

The original DEA was designed for mid 1970`s

hardware implementation and does not produce

efficient software code.

Due to these reasons, 3DES is not

reasonable candidate for long term use.

8/7/2019 IS AES

3/21

As a replacement, NIST in 1997 issued a call for a

proposals for a new AES( Advanced Encryption

Standard ), which should have a security strength

equal to or greater than 3DES.

NIST specified that AES must be a symmetric

block cipher with a block length 128 bits andsupport for key length of 128, 192 and 256 bits.

NIST has selected Rijndael as the proposed AES

algorithm.2 researchers who developed Rijndael

are Dr.Joan Daemen and Dr.Vincent Rijmen.

8/7/2019 IS AES

4/21

AES uses a block cipher with a block length 128 bits

and support for key length of 128, 192 and 256 bits.

8/7/2019 IS AES

5/21

AES in brief:

AES is not a Feistel Structure.

AES does not use a Feistel Structure, but

processes the entire data block in parallel during

each round using substitution and permutation.

The key that is provided as input is expanded into

an array of forty-four 32-bit words. Four distinct

words(128 bits) serve as a round key for eachround.

8/7/2019 IS AES

6/21

Four different stages are used, 1 for permutation

(A complete change or a transformation or The

act of altering a given set of objects in a group)

and three for substitution:

1.Substitution bytes: uses a table (S-box) toperform a byte by byte substitution of the block.

2.Shift Rows : A simple permutation that isperformed row by row.

3.Mix Columns: A substitution that alerts each

byte in a column as a function of all of the bytes inthe column.

4.Add round Key: A simple bit-wise XOR of thecurrent block with a portion of the expanded key.

8/7/2019 IS AES

7/21

For encryption and decryption, the cipher text

begins with an Add round Key stage.

Only the Add round Key stage makes use of KEY.

Any other round applied at the beginning or end is

reversible with out the knowledge of the key.

The add round key stage itself is not formidable.

Other 3 rounds (except add round key) togetherscramble the bits, but do not provide any security

as they do not use any KEY.

8/7/2019 IS AES

8/21

8/7/2019 IS AES

9/21

Location Of Encryption Device:

In using encryption we need todecide what to encrypt and where to encrypt and

where the encryption gear should start.

There are two fundamental alternatives.

They are:

1. Link encryption.

2. end-to-end encryption.

8/7/2019 IS AES

10/21

8/7/2019 IS AES

11/21

1.Link encryption: In Link encryption, eachvulnerable communication link is equipped on

both ends with an encryption device. Thus all

traffic over all communications links is secured.

Although this requires a lot of encryption devices

in a large network, it provides a high level ofsecurity.

But one disadvantage with this approach is that,

the message must be decrypted each time itenters a packet Switch.

8/7/2019 IS AES

12/21

8/7/2019 IS AES

13/21

This is necessary because the switch must read

the address (virtual circuit number) in the packet

header to route the packet.

Thus the message is vulnerable at each switch. If

this is public packet switching network, the userhas no control over the security of the nodes.

8/7/2019 IS AES

14/21

2.End-to-End Encryption:

With end to end encryption process,

the encryption process is carried out at the twoend systems. The source host or the terminal

encrypts the data.

The data in encryption form is then transmittedunaltered over the network to the destination

terminal or host.

The destination shares a key with the host so to

decrypt the data. This approach seems to be

secured over the network links or switches

against the attacks. However this also have a bug?

8/7/2019 IS AES

15/21

8/7/2019 IS AES

16/21

Key Distribution: Key distribution can bedone in a no: of ways. For two parties A and B:

1. A key could be selected by A and physically

delivered to B.

2. A third party could select the key and physically

deliver it to A and B.

3. If A and B have previously and recently used a

key, one party could transmit the new key to the

other, encrypted using the old key.4. If A and B have an encrypted connection to a

third party C, C could deliver a key on the

encryption links to A and B.

8/7/2019 IS AES

17/21

To provide keys for end-to-end, option 4 is

preferable. Below diagram illustrate an

implementation of option 4.

8/7/2019 IS AES

18/21

For this session 2 kids of keys are identified.

They are:

1. Session Key: When 2 end systems (hosts,terminals) wish to communicate, they establisha logical connection (e.g. virtual circuit). For the

duration of that logical connection, all user data

are encrypted with a one time session key. At the conclusion of the session or connection

the key is destroyed.

2. Permanent Key: A permanent key is key usedbetween entities for the purpose of distributing

session keys.

8/7/2019 IS AES

19/21

The configuration consists of the following

elements:

1. Key distribution center (KDC): Determineswhich systems are allowed to communicate witheach other. When permission is granted for 2

systems to establish a connection, the KDC

provides a one time session key for thatconnection.

2. Security Service Module (SSM): Present atone protocol layer, performs end-to-end

encryption and obtain session keys on behalf ofusers.

8/7/2019 IS AES

20/21

8/7/2019 IS AES

21/21

THANK YOU