A Brief Note on Encryption
Before discussing encryption algorithms, and the AES algorithm in particular, we should know exactly what hashing and encryption are, since the two terms are often mistaken for the same thing.
Encryption
Encryption is a two-way process in which data is transformed into ciphertext using certain rules, and can be converted back to its original form provided the receiver has the 'key' to do so.
Hashing
Like encryption, hashing transforms data into a format that cannot be deciphered by humans. Unlike encryption, the resulting hash cannot be converted back to the original data, or, more precisely, it is impractical to do so because it requires a lot of computational power. Hashing is commonly used for checking file integrity. The hash generated by the hashing algorithm is unique for each file; hence, to check the integrity of files downloaded over the internet, one can simply generate the hash and compare it with the one provided by the host. If they match, the file has not been tampered with.
Both encryption and hashing use certain algorithms for converting the data into ciphertexts. In this blog, we will go over one such encryption algorithm called Advanced Encryption Algorithm (AES) and why it is used by governments to secure their confidential data.
The Need for AES
Before the US government officially adopted AES as its encryption algorithm in 1999, the Data Encryption Standard (DES) was the standard algorithm used for encrypting confidential government data. So what prompted this change?
The Limitations of DES
DES was introduced by the National Institute of Standards and Technology (NIST) in 1977. The fact that it is more than 40 years old and evidently outdated is itself a viable reason to replace it with a more efficient algorithm. Some of the limitations of DES that were eventually addressed by AES are:
- Less secure: DES uses a fixed-size 56-bit key, which proved to be less secure for encrypting the government's confidential data (which was its primary purpose).
- Slow: To address the security issues described in the previous point, Triple DES was introduced, which basically applies the encryption algorithm three times. But the security improvements were overshadowed by the drastic drop in speed; even a small change in the input would produce a different ciphertext.
- Poor performance on software
AES To The Rescue
The first area where AES outperforms DES is the length of the keys. AES allows 128-bit, 192-bit or 256-bit keys, making it much stronger than DES, which uses 56-bit keys. Also, AES has proven to be efficient in both hardware and software implementations and is about 6 times faster than the Triple DES algorithm.
The Algorithm
The underlying algorithm for AES was chosen from an open competition among 15 algorithm designs. The selection criteria were:
- The ability to handle 128-bit blocks using keys of size 128, 192 and 256 bits.
- The ability to fend off attacks, especially brute-force attacks
- Computational and memory efficiency
- Suitability for hardware and software implementation
Working of the Rijndael algorithm
Block Ciphers
The Substitution-Permutation Network
The DES algorithm employed the Feistel network structure for encryption, as did the Twofish and Blowfish algorithms. AES, on the other hand, uses a design principle called the substitution-permutation network. Some other algorithms that use this design are 3-Way, Kalyna and Square.
Before going through the working of the substitution-permutation network, the notion of substitution and permutation in block ciphers must be clear. In modern symmetric block ciphers, S-Boxes (Substitution boxes) and P-Boxes (Permutation boxes) are two essential components. They provide confusion and diffusion respectively. Got it. Now you are confused. What are confusion and diffusion, you ask? In cryptography, confusion and diffusion are two operations of a secure cipher, which help in preventing the deduction of the secret key. Confusion, as the name suggests, is a mechanism that increases the obscurity of the ciphertext, so that the plaintext may not be easily derived from the ciphertext. The goal is to make the relationship between the encryption key and the plaintext as complex as possible. On the other hand, in diffusion, the relationship between the plaintext and ciphertext is made complex.
Getting back to S-Boxes and P-Boxes: an S-Box substitutes a block of bits such that the substitution is invertible; otherwise decryption would not be possible. The P-Box takes the output of the S-Box, permutes the bits, and passes the output to the S-Box of the next round. As we discussed earlier, AES provides three sizes for the keys: 128-bit, 192-bit and 256-bit. The number of 'rounds' of transformation applied to the plaintext depends on the key size: for 128-bit keys, 10 rounds are performed, for 192-bit keys 12 rounds, and for 256-bit keys 14 rounds. All rounds except for the last are identical in each case. The last round depends on the key size.
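The S-Box and P-Box round structure described above, as an added example that is not part of the original post: a toy 16-bit substitution-permutation network, not AES. The 4-bit S-Box, the bit permutation and the round keys are values constructed for illustration; the example shows why the S-Box must be invertible and how each P-Box output feeds the next round.

```python
# Added example: toy 16-bit SPN. All tables and keys are constructed, not AES's.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]   # exists only because SBOX is a bijection
# P-Box: bit i of the input moves to bit PBOX[i] of the output.
PBOX = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
INV_PBOX = [PBOX.index(i) for i in range(16)]
ROUND_KEYS = [0x3A94, 0xD63F, 0x1B2C, 0x7E05, 0xA9C1]   # constructed sample keys

def substitute(block, box):
    """Run each of the four 4-bit nibbles through the given S-Box (confusion)."""
    return sum(box[(block >> s) & 0xF] << s for s in (0, 4, 8, 12))

def permute(block, box):
    """Move every bit to its new position (diffusion across S-Boxes)."""
    return sum(((block >> i) & 1) << box[i] for i in range(16))

def encrypt(block, round_keys):
    *inner, last, final = round_keys
    for k in inner:                       # key mix -> S-Boxes -> P-Box
        block = permute(substitute(block ^ k, SBOX), PBOX)
    return substitute(block ^ last, SBOX) ^ final   # last round has no P-Box

def decrypt(block, round_keys):
    *inner, last, final = round_keys
    block = substitute(block ^ final, INV_SBOX) ^ last
    for k in reversed(inner):             # undo each round in reverse order
        block = substitute(permute(block, INV_PBOX), INV_SBOX) ^ k
    return block

def changed_bits(a, b):
    """Number of bit positions in which two blocks differ."""
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    p1, p2 = 0x26B7, 0x26B6               # plaintexts differing in one bit
    c1, c2 = encrypt(p1, ROUND_KEYS), encrypt(p2, ROUND_KEYS)
    print(f"{c1:04x} {c2:04x} differ in {changed_bits(c1, c2)} of 16 bits")
    print("round trip ok:", decrypt(c1, ROUND_KEYS) == p1)
```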
The Encryption Process
[Figure: The 4 phases of encryption. Source: Wikipedia]
- Substitute Bytes (SubBytes): Each byte $a_{i,j}$ in the state array (the 4x4 byte array that constitutes the 128-bit input block) is substituted by $S(a_{i,j})$ using an 8-bit substitution box (S-Box).
- Shift Rows: This step cyclically shifts each byte in a row by an offset. All rows except for the first are changed. The goal is to scramble the byte order in each 128-bit block.
- Mix Columns: The 4 bytes of each column in the state array are combined using an invertible linear transformation. Together with the Shift Rows step, it provides diffusion in the cipher.
- Add Round Key: A subkey is derived from the main key and is of the same size as the state array. Each byte of the state is combined with the corresponding byte of the subkey using bitwise XOR.
The Decryption Process
- Inverse Shift Rows
- Inverse Substitute Bytes
- Add Round Key
- Inverse Mix Columns