2 - 1
Encryption and Exploits - SANS
©2001
1
Introduction to Encryption II
Security Essentials
The SANS Institute
This is the second of two of the most important classes we have the privilege to teach as part of the
SANS Security Essentials course. In the first course, we went on a quick tour of some of the
important issues and concepts in the field of cryptography. We saw that encryption is real, it is
crucial, it is a foundation of so much that happens in the world around us today and, most of it in a
manner that is completely transparent to us.
I guess you know that one of SANS’ mottos is, “Never teach anything in a class which the student
can’t use at work the next day.” One of our goals in this course is to help you be aware of how
cryptography operates under the covers in some of the major cryptosystems which are used on a
24x7 basis in our world. Along the way, we’ll share some hard-earned pragmatic lessons we’ve
learned, and hope that our experience will be of help to you.
Enjoy!
2 - 2
Encryption II - SANS
©2001
2
Why Do I Care About Crypto?
U.S. Dept. of Commerce
no longer supports DES
Distributed Denial of Service
attack daemon found to be
protected by “blowfish”
a DES-like block cipher
National Institute of Standards
and Technology (NIST) is

leading the development of AES
the replacement for DES
Mobile Code
Communications in the presence of adversaries…
Confidentiality Ì Integrity Ì Authentication Ì Non-repudiation
Insecure Global Networks
Privacy
The Internet
E-Business
E-Commerce
Smart Cards
“Alice” “Bob”
“Adversary”
Digital Signatures
Public Key Infrastructure (PKI)
Digital Certificates
Without cryptography, there is no e-business, no viable e-commerce infrastructures, no military
presence on the Internet and no privacy for the citizens of the world. There are numerous and
continually increasing everyday instances in which we encounter cryptosystems at work and at play,
often without even realizing it. The underlying cryptographic infrastructure actually works so well
that we only take notice when it is absent, or implemented incorrectly!
When you use a secure mobile telephone, all communications between you and the party on the other
end are rapidly encrypted and decrypted on the fly, so that any eavesdropper will not be able to listen
in on your conversation. Every once in awhile, we hear how the confidential communication of a
public figure was intercepted and his or her privacy compromised. Yet another example of not using
cryptographically enabled products.
One of the more important emerging applications of cryptographically-enabled communications is at
e-commerce-enabled web sites on the Internet and the World Wide Web. When supported with an
enterprise-wide Public Key Infrastructure (PKI), a whole suite of new and innovative products and
services is instantly enabled. Today, this is leading to new business opportunities, new capabilities

being delivered to consumers, new functionality provided by organizations to their shareholders,
fundamental changes in the way entire industries function, new legislation, tapping into global
opportunities, etc.
2 - 3
Encryption II - SANS
©2001
3
• Concepts in Cryptography
• Secret (Symmetric) Key Systems
–Triple-DES
–AES
• Public (Asymmetric) Key Systems
–RSA
–ECC
Course Objectives
We begin this course by examining the conceptual underpinnings behind major cryptosystems that
are in use today. In particular, we’ll look at Triple-DES which is a good alternative for the now
obsolete DES algorithm, which is officially no longer considered to be secure. Next, we’ll stop by
for a quick status update on the development activity that is currently underway throughout the
global cryptographic community in connection with the new Advanced Encryption Standard
(AES).
Our next stop will be the RSA algorithm, which is a widely implemented public key cryptographic
algorithm, and which came off-patent in September 2000. We’ll perform an exercise in which we’ll
walk through a highly simplified version of the mathematical mechanism upon which the RSA
algorithm is based.
We’ll wrap up this course by considering the characteristics of emerging Elliptic Curve
Cryptosystems (ECC), which are rapidly growing in popularity due to the proliferation of such
devices as PDAs, mobile telephones, information appliances, ATMs, and smart cards.
All right. Enough of the big picture. Let’s dive right into it…
2 - 4

Encryption II - SANS
©2001
4
• What if…
– we can find a mathematical “problem”
that exhibits characteristics of one-way
functions (with trapdoors)?
– or, as mathematicians would prefer to say,
a problem that is “impossible” to solve in
polynomial time?
Concepts in Cryptography 1
• Probability Theory
• Information Theory
• Complexity Theory
• Number Theory
• Abstract Algebra
• Finite Fields
• Hmm…
– we could use it to build a new cryptosystem!
Confidentiality Integrity of Data
Authentication Non-repudiation
You’ll recognize the four important characteristics of cryptosystems that are at the top of this slide:
Confidentiality, Integrity of Data, Authentication, and Non-repudiation. We covered this
material in Encryption I. So we know that these are important characteristics that any good
cryptosystem must have. But, how do we go about actually constructing such a cryptosystem?
Where do we begin?
Mathematics comes to our rescue. In general, there are many fields in mathematics that contain
concepts that could prove to be useful as we seek to build a cryptosystem. Specifically, we find that
the following branches of mathematics are particularly rich in ideas we could use: Probability
Theory, Information Theory, Complexity Theory, Number Theory, Abstract Algebra, and Finite

Fields.
In Encryption I, we were introduced to one-way mathematical functions. We saw how such
functions which have “trapdoors” have interesting properties that could prove to be useful in
cryptography. We are using the term “trapdoor” to refer to a way to decrypt a message using a
different key. So with public key cryptography, one would encrypt the message with a public key.
The “trapdoor” would be the corresponding private key that would be used to decrypt or retrieve the
message. If the one-way function deals with a “hard” mathematical problem – one that is impossible
to solve in polynomial time – then it could be used to make things very difficult for any adversary
who might be eavesdropping on our communications over an insecure public network like the global
Internet. At the same time, the existence of a “trapdoor” could be used to provide an easy solution to
the “intractable” problem for use by the sender and/or the recipient. Hmmm
2 - 5
Encryption II - SANS
©2001
5
Concepts in Cryptography 2
Tractable Problems
“Easy” problems. Can be solved in polynomial
time (i.e. “quickly”) for certain inputs
Examples:
• constant problems
• linear problems
• quadratic problems
• cubic problems
Intractable Problems
“Hard” problems. Cannot be solved in polynomial
time (i.e. “quickly”)
Examples:
• exponential or super-polynomial problems
• factoring large integers into primes (RSA)

• solving the discrete logarithm problem (El Gamal)
• computing elliptic curves in a finite field (ECC)
Computational Complexity deals
with time and space requirements for
the execution of algorithms.
Problems can be classified as
tractable or intractable.
This is exactly the
class of problems
we are looking for!
Following this train of thought, let’s see what hard or intractable problems are already well-known
in mathematics. These problems just might provide us with the building blocks upon which we could
build our cryptosystem.
Computational complexity is a branch of mathematics which studies time and space requirements
for the execution of algorithms. It classifies problems as either tractable (easy to solve) or
intractable (hard to solve). This is really neat, because its exactly what we’re looking for.
It turns out that there are many well-known intractable problems – the class of problems we’re
interested in. These exponential or super-polynomial problems are “hard” problems which cannot
be solved in polynomial time (i.e., quickly). Actually, it is more accurate to say that these problems
are believed to be intractable by the worldwide mathematical community that is active in researching
issues in the field of computation complexity.
Three well-known examples of intractable problems include: factoring large integers into their two
prime factors (the basis for RSA); solving the discrete logarithm problem over finite fields (the basis
for ElGamal); and computing elliptic curves over finite fields (the basis for Elliptic Curve
Cryptosystems).
Now, let’s examine each of these three important classes of intractable problems in greater detail, as
each one of them forms the basis of important cryptosystems that are widely used all over the world
today.
2 - 6
Encryption II - SANS

©2001
6
Concepts in Cryptography 3
Example: RSA
• based on difficulty of
factoring a large integer
into its prime factors
• ~1000 times slower
than DES
• considered “secure”
•de facto standard
• patent expires in 2000
An Example of an Intractable Problem
Difficulty of factoring a large integer into its two
prime factors
• A “hard” problem
• Years of intense public scrutiny
suggest intractability
• No mathematical proof so far
Every middle school student knows how to factor integers. So, given an integer 15, they can
immediately respond that the integer factors are 1x15 and 3x5. Easy enough! So why is this a hard
problem? Why is it on our list of intractable problems?
It turns out that the key here – no pun intended – is the word “large.” Factoring a large integer into
its prime factors is decidedly non-trivial. In fact, there is no easy solution to the problem. This is
the general consensus of the global community that actively researches such mathematical topics. It
is important to note, however, that there is no unequivocal mathematical “proof” that this problem
cannot be solved easily. It’s the years of public scrutiny of the problem that leads us to conclude that
it is a hard problem which cannot be solved in polynomial time.
For our purposes, this is good enough to build a cryptosystem upon. Actually that’s already been
done! The most widely used example is the RSA algorithm, which takes advantage of the

intractability of the integer factorization problem to build the public key (asymmetric)
cryptosystem which is widely used throughout the world.
How about some of the other intractable problems we found from our brief survey of the field of
mathematics? Can they also be used to construct cryptosystems?
Great question! Glad you asked.
2 - 7
Encryption II - SANS
©2001
7
Concepts in Cryptography 4
Examples
• El Gamal encryption
and signature schemes
•Diffie-Hellman key
agreement scheme
• Schnorr signature
scheme
• NIST’s Digital Signature
Algorithm (DSA)
Another Intractable Problem
Difficulty of solving the discrete logarithm problem
for finite fields
• A “hard” problem
• Years of intense public scrutiny
suggest intractability
• No mathematical proof so far
• The discrete logarithm problem
is as difficult as the problem of
factoring a large integer into its
prime factors

Another intractable problem that appears to have useful properties that we can use to build a
cryptosystem upon is the difficulty of solving what is known as the discrete logarithm problem for
finite fields. The mathematics behind this type of problem are complex and we will not attempt an
explanation of the working mechanism in this brief course.
It turns out that there is no easy solution to this problem either. Again, this is the general consensus
of the global community that actively researches such mathematical topics. It is important to note,
however, that there is no unequivocal mathematical “proof” that this problem cannot be solved
easily. It’s the years of public scrutiny of the problem that leads us to conclude that it is a hard
problem which cannot be solved in polynomial time.
But, how does it compare with the previous intractable problem we looked at – the factorization of
large integers into their two prime factors? There is evidence that the discrete logarithm problem is
just as difficult.
So, we should be able to use this problem in building a cryptosystem? Right? Absolutely!
Again that’s already been done! The following cryptosystems are all built upon the intractability of
the discrete logarithm problem over finite fields: the ElGamal encryption and signature schemes,
the Diffie-Hellman key agreement scheme, the Schnorr signature scheme, and the Digital
Signature Algorithm (DSA) by the U.S. Department of Commerce’s National Institute of Standards
and Technology (NIST).
2 - 8
Encryption II - SANS
©2001
8
Concepts in Cryptography 5
Examples
• Elliptic curve El Gamal
encryption and signature
schemes
• Elliptic curve Diffie-Hellman
key agreement scheme
• Elliptic curve Schnorr

signature scheme
• Elliptic Curve Digital
Signature Algorithm
(ECDSA)
Yet Another Intractable Problem
Difficulty of solving the discrete logarithm problem
as applied to elliptic curves
• A “hard” problem
• Years of intense public scrutiny
suggest intractability
• No mathematical proof so far
• In general, elliptic curve
cryptosystems (ECC) offer
higher speed, lower power
consumption, and tighter code
Now, let’s take a quick look at yet another class of intractable problems. This one involves the
difficulty of solving the discrete logarithm problem (we just discussed it in the previous slide) as
applied to elliptic curves.
So, how does this class of intractable problem compare with the previous intractable problem we’ve
looked at – the factorization of large integers into their two prime factors, and solving the discrete
logarithm problem over finite fields? Very well, thank you! And…it has a number of very attractive
features to boot. Features that include high security levels even at low key lengths, high speed
processing, and low power and storage requirements.
These characteristics are very useful in crypto-enabling the many new devices that are rapidly
appearing in the marketplace, e.g. mobile telephones, information appliances, smart cards, and even
the venerable ATMs. Of course it has been broken a few times so they are still working on this one.
2 - 9
Encryption II - SANS
©2001
9

Voila! We Can Now Build
Hash
Digital
Signature
Original
Document

Ciphertext
or
plaintext
Original
Document

Ciphertext
or
plaintext
Digital
Signature
Hash
Hash
“Alice” first creates a Hash of the Original
Document. Next, she encrypts the Hash
with her Private Key to generate a Digital
Signature. Finally, she transmits the
Original Document and the Digital
Signature to “Bob.”
“Bob” first creates a Hash of the Original
Document. Next, he decrypts the Digital
Signature with Alice’s Public Key to
regenerate the Hash that Alice originally

created. Finally, he compares the two
Hashes. A match indicates the Original
Document was not tampered with.
Bob compares
the two hashes
Hash
Algorithm
Same
Hash
Algorithm
Alice encrypts
with her
Private Key
Bob decrypts
with Alice’s
Public Key
Authentication!
Non-repudiation!
Integrity of Data!
Confidentiality!
Communications in the presence of adversaries…
Confidentiality Ì Integrity Ì Authentication Ì Non-repudiation
We started out by noting that communicating in the presence of adversaries meant constructing a
cryptosystem that was capable of providing support for important requirements such as
Confidentiality, Integrity of Data, Authentication, and Non-repudiation. We briefly examined some
of the well-known intractable mathematical problems which could be used as building blocks upon
which to construct our cryptosystem.
But how do we make the connection between complex and abstract mathematical concepts, to
crypto-enabled products we use routinely every day of our lives?
While each type of cryptosystem addresses the specific details in its own unique way, the

fundamental concepts behind the working crypto-mechanism that actually delivers the functionality
that makes it possible to support Confidentiality, Integrity of Data, Authentication, and Non-
repudiation are fundamentally quite similar.
This “big picture” slide puts it all together from the perspective of a message being sent by Alice
over an insecure public network (like the global Internet) to Bob. Please study this slide carefully for
a few moments, and trace the working mechanism that is at the foundation of many cryptosystems.
See for yourself exactly how the users of the cryptosystem are able to tap into the Confidentiality,
Integrity of Data, Authentication, and Non-repudiation services that are supported by the
cryptosystem.
2 - 10
Encryption II - SANS
©2001
10
Milestones in Cryptography
Index of Coincidence
(Friedman, 1918)
Vernam Cipher
(Vernam, 1926)
Secure Communications
(Shannon, 1949)
Lucifer Cryptosystem
(Feistel, 1974)
Public-Key Cryptography
(Diffie and Hellman, 1976)
RSA
(Rivest, Shamir, Adleman, 1978)
Public-Key Encryption
(Rabin, 1979)
Public-Key Encryption & Signature
(ElGamal, 1985)

Elliptic Curve Cryptography
(Miller, 1986 & Koblitz, 1987)
ECA: Elliptic Curve Algorithm
(Lenstra, 1987)
Differential Cryptanalysis
(Biham and Shamir, 1993)
X.509 v3 Digital Certificates
(ITU-T, 1993)
Linear Cryptanalysis
(Matsui, 1994)
AES: Advanced Encryption Standard
(sponsored by NIST, finalist selected.)
Origins of Cryptography
(traced as far back as 4000 years!
Key-Exchange Method
(Diffie and Hellman, 1976)
DES: Data Encryption Standard
(U.S. FIPS-46, 1977)
Public-Key Cryptography
(Merkle, 1978)

…built upon
the work of
giants!
We noted earlier in our discussion that a number of mathematicians and researchers had made
important contributions, over the years, to the advanced mathematical ideas that serve as the
foundation of many widely used cryptosystems in use today. We also noted that each of the three
classes of intractable problems we discussed had been successfully employed as building blocks for
constructing cryptosystems.
There is a long, rich history behind modern cryptosystems. This slide lists a few (by no means, all!)

of the leading cryptographers whose work and ideas have been successfully incorporated into
everyday products that we use on a routine basis. Modern day cryptosystems are truly built upon the
work of giants!
The mathematics behind cryptosystems is invariably abstract and can be highly complex. The
process of developing new cryptographic algorithms works best when the attention of the entire
global cryptographic community can be focused on the development activity. It is generally
acknowledged that openness to intense scrutiny by the global cryptographic community in the
development process of new cryptographic algorithms is the most effective way to achieving
algorithms that can be trusted to serve as the foundation of our growing ecommerce infrastructure.
The U.S. Department of Commerce’s NIST has done just that as it selected the finalist for the
Advanced Encryption Standard (AES).
2 - 11
Encryption II - SANS
©2001
11
• Released March 17, 1975
• Rather fast encryption algorithm
• Widely used; a
de facto
standard
• Symmetric-key, 64-bit block cipher
• 56-bit key size Æ Small 2
56
key space
• Today, DES is not considered secure
DES: Data Encryption Standard
DES is the most commonly used encryption algorithm in the world. On March 17, 1975, the United
States government proposed the adoption of the Data Encryption Standard (DES) cryptosystem as
a national standard for use with “unclassified computer data.” It was based upon IBM’s Lucifer
cryptosystem. DES is specified in FIPS-42. The Data Encryption Algorithm (DEA) is essentially the

same cipher based on the ANSI X.3.92 standard.
Due to the internal bit-oriented operations in the design of DES, software implementations of DES
are slow, while hardware implementations are faster. Four different modes of operation for DES
were standardized for use in the USA by the National Institute of Standards and Technology (NIST):
Electronic Code Book (ECB) mode, Cipher Block Chaining (CBC) mode, Output Feedback (OFB)
mode, and Cipher Feedback (CFB) mode.
From the very beginning, concerns were raised about the vulnerability of DES due to the rather small
key length of 56 bits, resulting in a keyspace containing only 2
56
possible different keys.
The effectiveness of attacks based on brute force searches depends upon the size of the keyspace
involved. Because DES is limited to an effective key size of only 56-bits (= 64-bit block - 8 parity
bits), it is vulnerable to brute force attacks. DES was first [publicly] cracked in in theRSA
Challenge, which was a five month effort, and subsequent attempts are taking less and less time. At
the present time, there is a general consensus that DES is not secure.
2 - 12
Encryption II - SANS
©2001
12
DES
• In 1992 it was proven that DES is not a
group. This means that multiple DES
encryptions are not equivalent to a
single encryption. THIS IS A GOOD
THING.
• If something is a group than
– E(E(K,M)K2) = E(K3,M)
• Since DES is not a group, multiple
encryptions will increase the security.
As we know, DES is no longer supported because of the key length. With current technology and

computers, this key length is considered non-secure. For additional information, see the book
Cracking DES
. It gives you all of the code you would need to build your own DES cracking engine.
Just think, you would be the envy of the entire neighborhood!
Since DES is weak, someone proposed whether you could perform multiple encipherments to
increase the key length. In order to do this, you would have to prove whether DES is a group or not.
It was proven that DES is not a group; this means that multiple DES encryptions are not equivalent to
a single encryption. This is a very good thing. If DES was a group, then triple DES would provide
the same key length as single DES. Since DES is not a group, multiple encryptions will increase the
security.
If something is a group, then
E(E(K,M)K2) = E(K3,M), which means multiple encipherments are equivalent to a single
encipherment.
2 - 13
Encryption II - SANS
©2001
13
DES Weaknesses
• DES is considered non-secure for very
sensitive encryption. It is crackable in a short
period of time.
• See the “Cracking DES” book by O’Reilly.
• Multiple encryptions and key size will increase
the security.
• Double DES is vulnerable to the meet-in-the-
middle attack and only has an effective key
length of 57 bits.
• Triple DES is preferred.
Now that we know that multiple enchipherments of DES will help the key length, why “triple” DES?
What happened to double DES, and why isn’t it used? Funny thing you should ask. It turns out that

double DES is vulnerable to the meet-in-the-middle attack, which gives an effective key length of
57 bits, which is only one more bit more than DES. So because of this weakness, triple DES is used.
We will look at the meet-in-the-middle attack on the next slide.
2 - 14
Encryption II - SANS
©2001
14
Meet-in-the-middle Attack
E
E(M,K1) = C’ , 2
56
possibilities
D(C,K2) = C’ , 2
56
possibilities
2
56 +
2
56 =
2
57
so double DES only gives effective key length of 57 bits which is 1
more than DES
M
K2K1
CC’
CM
D
C’
D

K2 K1
EE
With the meet-in-the-middle attack, you start with both the message and the ciphertext. In this case
M and C.
For each choice of K1 compute
C’=E(K1,M) – this is a table of 2
56
For each choice of K2 compute
C”=D(K2, C) – this is a table of 2
56
Therefore the amount of keys tried is
2
56
+ 2
56
= 2
57
, which gives an effective key length of 57 bits.
Now when you play Geek Trivial Pursuit and someone asks, “Why isn’t double DES used?”, you
will know the answer!
2 - 15
Encryption II - SANS
©2001
15
Triple-DES
64-bit plaintext
Initial
Permutation
Final
Permutation

64-bit ciphertext
16 rounds
(iterations)
of function f
L
i-1
R
i-1
L
i
R
i
⊕
K
i
f
One round
of DES
In Triple-DES, the DES algorithm, shown
on the left, is applied three times, and
two different crypto-variables are used.
3
2
Earlier in this discussion and also in Encryption I, we noted that the Data Encryption Standard (DES)
is no longer officially considered to be secure. We also noted that the Advanced Encryption
Standard (AES) is currently under development as we implement the chosen standard. In the
meantime, the global e-commerce infrastructure build-out is proceeding at a furious pace, due to all
the new e-business initiatives that are sprouting up all over the world. The need for a fast symmetric
key block cipher is extremely urgent. If DES can no longer be considered to be secure, what can we
do in the interim?

Well, there are a number of alternative and fast symmetric key block ciphers that are available today,
and which can be used instead of DES. However, it turns out that while DES is definitely not to be
considered as a secure algorithm, there are derived algorithms that use DES at their core which can
still be considered to be secure and can be used. Specifically, the Triple-DES algorithm is an
example of one such derived algorithm, and it is a viable option which can be used in place of DES
at least until AES is officially selected and becomes available.
This slide shows the mechanism of the Triple-DES algorithm. Note, that it looks (not surprisingly!)
a lot like the DES algorithm. It is the unique way in which the DES algorithm is applied three times,
with two different crypto-variables, that makes Triple-DES secure enough to use in the interim
between DES and AES.
2 - 16
Encryption II - SANS
©2001
16
Triple-DES
USAGE
Supported in latest releases
of Web clients, such as
Microsoft Internet Explorer
& Netscape Communicator
Prefer Triple-DES over DES
(which is officially no
longer considered to be
secure)
VULNERABILITIES
Cracking Triple-DES means
examining all possible pairs
of crypto-variables (a task
considered to be beyond
today’s technology)

So far, there have been no
public reports claiming to
have cracked Triple-DES
Triple-DES is a well-known and widely implemented algorithm which has been intensely
scrutinized by the global cryptographic community. See the ANSI X9.52 standard for additional
information on Triple-DES encryption.
Support for Triple-DES is built right into popular web clients, such as the Microsoft Internet
Explorer and the Netscape Communicator. Using Triple-DES from the end user perspective is often
as simple as simply reconfiguring the SSL v3.0 service in the web client to prefer Triple-DES over
DES.
As an aside – when was the last time you configured the SSL v3.0 service in your Web client? Have
you disabled SSL v2.0, which is vulnerable to man-in-the-middle attacks? If not, then whenever you
browse your way to an incorrectly configured SSL-enabled web site on the global Internet, you
might end up using SSL v2.0 with DES in your communications with that web site. This may or may
not be a problem for you, depending on the sensitivity of your communications. But, it might be
worth taking some time to verify that your web client is configured as you’d like it to be.
2 - 17
Encryption II - SANS
©2001
17
• Advanced Encryption Standard
• AES is a new encryption algorithm(s) that is being
designed to be effective well into the 21st century
AES
Countdown
to AES !
• 1/2/1997, the quest for
AES begins
• 8/9/1999, five finalist
algorithms announced

• Announced winner -
Rijndeal
THE FIVE “AES” FINALISTS !
• MARS
IBM
• RC6™ RSA Laboratories
• Rijndael Joan Daemen, Vincent Rijmen
• Serpent Ross Anderson, Eli Biham, Lars Knudsen
• Twofish Bruce Schneier, John Kelsey, Doug Whiting,
David Wagner, Chris Hall, Niels Ferguson
Significance
Developing “good” cryptographic algorithms that can be trusted is
hard. The only practical way to develop such algorithms is to
perform the development process in an open manner, and under
intense public scrutiny of the global cryptographic community.
Can you think of a recent example in which this was not followed?
On January 2, 1997, NIST announced the initiation of an effort to develop the Advanced
Encryption Standard (AES). A formal call for algorithms was made on September 12, 1997. The
call stipulated that the AES must specify an unclassified, publicly disclosed encryption algorithm(s),
available royalty-free, worldwide. In addition, the algorithm(s) would implement symmetric key
cryptography as a block cipher and (at a minimum) support a block size of 128-bits and key sizes of
128, 192, and 256-bits. The evaluation criteria were divided into three major categories: Security,
Cost, and Algorithm and Implementation Characteristics.
In October, 2000, NIST selected a finalist for the Advanced Encyption Standard (AES). The two
researchers who developed Rijndael (pronounced “Rain Doll” or “Rhine Dahl”) for the AES are
from Belgium: Dr. Joan Daemen (Yo'-ahn Dah'-mun) of Proton World International and Dr. Vincent
Rijmen (Rye'-mun) of Katholieke Universiteit Leuven. The AES will supplant the inadequate 56-bit
key Data Encryption Standard (DES), which is to be used only in legacy systems. AES has three key
sizes: 128-bit, 192-bit, and 256-bit. Testing of the algorithm was performed by NIST and the
Canadian Commiunications Security Establishment (CSE).

2 - 18
Encryption II - SANS
©2001
18
AES Algorithm
Cipher (byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
byte state[4,Nb]
state = in
AddRoundKey(state, w)
for round = 1 step 1 to Nr-1
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state, w+round*Nb)
end for
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w+Nr*Nb)
out = state
end
After all this build-up, here's the AES algorithm in pseudo-code. There are three parameters passed to this
program:
• in[] is an array containing the block of plaintext. In general, in[] is 4*Nb bytes in size, meaning 16
bytes in the current AES specification.
• out[] is an array containing the ciphertext and is also 4*Nb bytes in size.
• w[] is the array containing the Expanded Key and is Nb*(Nr+1) words in size.
The code also shows one additional data structure, namely state[], a two-dimensional array containing the
current value of the transformed ciphertext. The transformations themselves are defined by four function
calls, namely AddRoundKey(), SubBytes(), ShiftRows(), and MixColumns(); the specifics of these

transformations are described on the next page.
The code is then pretty straightforward:
• The plaintext is moved into the state[] array
• The first Round Key is applied
•There are then Nr-1 rounds that apply all four transformations
• The final round applies all but the MixColumns() transformation
•The state[] array is moved into the ciphertext data structure
2 - 19
Encryption II - SANS
©2001
19
AES Basic Functions
• AES algorithm employs four basic
transformations:
–
AddRoundKey:
XOR Round Key with State
–
SubBytes:
Substitute bytes in State s to
form State s' on a byte-for-byte basis using
S-box
–
ShiftRows:
Left circular shift of rows 1-3 in
State s by 1, 2, and 3 bytes, respectively
–
MixColumns:
Apply mathematical
transformation to each column in State s to

form State s'
The four AES transformations act as follows:
• AddRoundKey: Takes the appropriate Round Key and performs a bit-by-bit XOR with the current
State
• SubBytes: Using a Substitution box (S-box) defined in the specification, substitutes each 8-bit
quantity in the State array to a different 8-bit value.
• ShiftRows: Left circularly shift the contents of State array rows 1, 2, and 3 by 1, 2, and 3 bytes,
respectively. A "left circular shift of one byte," for example, means that the bytes in columns 1, 2,
and 3 move to position 0, 1, and 2, respectively, the value in byte position 0 moves to position 3.
• MixColumns: Another byte value substitution, but in this case performed on a column (32 bit)
basis; i.e., rather than perform an S-box substitution on a per byte basis, this transformation applies a
polynomial transformation on four bytes at a time.
2 - 20
Encryption II - SANS
©2001
20
AES
USAGE
The AES algorithm is being
developed to replace DES,
which is no longer officially
considered to be secure.
DES/Triple-DES is very
widely used throughout the
world today, and AES is
expected to be just as
popular
VULNERABILITIES
Too early to tell…
At the moment, the

algorithm(s) has been
selected. Lets see how it
stands the test of time.
So far so good….
The NIST is spearheading
the selection process.
The Advanced Encryption Standard (AES) development process is a splendid opportunity to see
first-hand what it takes to develop a cryptographic algorithm. The development process is inherently
complex, and the only realistic way to reduce the risk is to open up the development activity to all
interested parties, and also to intense scrutiny by the global cryptographic community.
Visit the AES web site at NIST at />to learn more about the effort, which is
still ongoing. You see, now that the algorithm is agreed on, it is important to test the
implementations of the algorithm.
Can you think of another recent cryptographic algorithm development effort which was not
performed in an open manner with intense scrutiny by the global cryptographic community? The
cryptographic algorithm was developed in relative secrecy. When it finally shipped as part of a
product to end users, it was quickly cracked shortly after it was released causing significant
embarrassment for the sponsors. Sure, that was the DVD encryption we discussed in the last lesson.
2 - 21
Encryption II - SANS
©2001
21
RSA
USAGE
Wide-spread support in
major web clients, such as
Microsoft Internet Explorer
& Netscape Communicator.
Expected to become even
more popular after it

comes off-patent later in
2000
VULNERABILITIES
Cracking RSA generally
means compromising poor
implementations, or those
using small key lengths.
So far, there have been no
public reports claiming to
have compromised the RSA
algorithm itself
The RSA algorithm has been widely implemented all over the world in all kinds of crypto-enabled
applications. It can be used to support both encryption/decryption schemes and digital signature
schemes. It is also included in major web clients such as Microsoft Internet Explorer and Netscape
Communicator.
Now that the patent is expired, we can expect to see even more implementations of the RSA
algorithm (in addition to that marketed by RSA Security, Inc.) from a variety of third-parties.
There’s no public confirmation that RSA algorithm itself has been successfully compromised. To be
sure there have been a large number of claims to having “cracked” the RSA algorithm. However,
upon scrutiny, all these claims have proven to be false. There are, however, implementation details
that can impact the security of an RSA implementation. Poor implementations of the RSA algorithm
can be compromised, but as in the case of other cryptographic algorithms, this does not mean that the
RSA algorithm has been cracked. This again, is why there is still a significant development effort
going on with AES even though the standard has been selected.
The working mechanism of most public-key (asymmetric) cryptographic algorithms is generally
openly published and widely known. The security of the cryptosystem comes from the secrecy and
size of the private key and not from the secrecy of the algorithm itself. As for other cryptographic
algorithms, it is important to ensure that the key size is not so small that brute force attacks become
feasible due to the small size of the resulting key space.
2 - 22

Encryption II - SANS
©2001
22
RSA
Encryption
Bob’s
Public Key
{n, e}
Plain
Text
Nialp
Txet
Nialp
Txet
Plain
Text
Decryption
INSECURE
NETWORK
“Alice”
“Bob”
Bob’s
Private Key
{n, d}
MMCC
C = M
e
(mod n) M = C
d
(mod n)

RSA Encryption and Decryption
p
q
ne
d
RSA Key Generation
Public
Key
Private
Key
Widely published in
directories, etc
Closely guarded
secret
Now, let’s take a look at the working mechanism of the RSA algorithm which is a widely used and as
of October 2000, no longer patented, public key (asymmetric) cryptographic algorithm. It is based
upon the intractable problem of the difficulty of factorizing large integers into their two prime
factors.
Next, we consider the encryption and decryption process. Let’s see how Alice and Bob can
communicate using the RSA algorithm and Bob’s public and private key pair. First, Alice gets a
copy of Bob’s public key {n,e} from a public directory. Next, she uses Bob’s public key to encrypt
her plaintext message M to get the ciphertext C = M
e
(mod n). This ciphertext is then communicated
to Bob over possibly an insecure network with adversaries present. When Bob receives the
ciphertext, he uses his (trapdoor) private key {n,d} to regenerate the plaintext by calculating M = C
d
(mod n). On the other hand, an adversary, does not have a trapdoor and must solve the intractable
problem of factoring a large integer which is infeasible at large key lengths.
2 - 23

Encryption II - SANS
©2001
23
Generating RSA Keys
• p and q are large primes
• n = p * q
• e is relatively prime to (p-1) *(q-1)
•d = e
-1
mod (p-1) * (q-1)
•Public Key: {n,e}
• Private key: {n,d}
• Large primes can be found using probalistic
algorithms due to Solvay and Strassen
The following are the main steps that are performed to generate an RSA key pair:
Choose p and q which are large primes
Calculate n = p * q
Choose e so it is relatively prime to (p-1) *(q-1)
Compute d = e
-1
mod (p-1) * (q-1)
Publish the Public Key: {n,e}
Keep the Private key: {n,d} secret
Large primes can be found using probalistic algorithms due to Solvay and Strassen.
2 - 24
Encryption II - SANS
©2001
24
RSA Example
• Select p=3, q=5

• n = pq = 15
• Choose e=11,
relatively prime to
(p-1)(q-1) = 8
• (11d-1)/8 must be
an integer; choose
d=3
• M = 8384 (0x8384)
• Encrypt
– Public key value is (e,n) =
(11,15)
–C
i
= M
i
11
mod 15
– C = 0x2c24
• Decrypt
– Private key value is (d,n)
= (3,15)
–M
i
= C
i
3
mod 15
– M = 0x8384
Now, the description of RSA might look complex and, indeed, the calculations take a lot of computer power
given the large size of the numbers; since P and Q may be 100 or more decimal digits or more in length, D and

E will be about the same size, and N may be well over 200 digits in length. Nevertheless, a simple example
may help. In this example, the values for p, q, e, and d are purposely chosen to be very small.
1. Select p=3 and q=5.
2. The modulus n = pq = 15.
3. The value e must be relatively prime to (p-1)(q-1) = 2•4 = 8. Select e=11.
4. The value d must be chosen so that (ed-1)/[(p-1)(q-1)] is an integer. Thus, the value (11d-1)/[(2)(4)] = (11d-
1)/8 must be an integer. Calculate one possible value, d=3.
5. Let's say we wish to encrypt the hex value 8384. For this example, we will encrypt each hex digit
individually.
6. The sender encrypts each digit of M one at a time using the public key value (e,n)=(11,15). Thus, each
ciphertext character C
i
= M
i
11
mod 15. The input string M=0x8384 will be transmitted as C=0x2c24.
7. The receiver decrypts each digit using the private key value (d,n)=(3,15). As above, each plaintext character
M
i
= C
i
3
mod 15. The input string C=0x2c24 will now yield M=0x8384.
2 - 25
Encryption II - SANS
©2001
25
RSA vs. DES
(Asymmetric vs. Symmetric)
• Fastest implementation of RSA can encrypt

kilobits/second
• Fastest implementation of DES can encrypt
megabits/second
• It is often proposed that RSA can be used for
secure exchange of DES keys
• This 1000-fold difference in speed is likely to
remain independent of technology advances
• In software, DES is about 100 times faster
than RSA
At this point, it is important to point out that DES is a symmetric key encryption scheme and RSA is
an asymmetric scheme. Symmetric key is much faster than asymmetric but the drawback is, since
both the sender and receiver use the same key, the key has to be exchanged via a secure mechanism
before the two parties can communicate. Therefore what is often done, is RSA is used for the initial
exchange of a session key. Once the session key has been securely transmitted, than DES or a
variant is used for the remainder of the session, since it is quicker.