CCIE network engineers must know: DES and AES encryption principles

AES (Advanced Encryption Standard) is an encryption specification for electronic data established by the National Institute of Standards and Technology (NIST) in 2001. It is a block encryption standard: the size of each encrypted data block is fixed at 128 bits (16 bytes), and the key length can be 128 bits, 192 bits or 256 bits. In addition, AES mainly has five working modes (in fact, there are many other modes): ECB (Electronic codebook), CBC (Cipher-block chaining), CFB (Cipher feedback), OFB (Output feedback) and PCBC (Propagating cipher-block chaining).

This standard replaces the original DES (Data Encryption Standard). It has been analyzed by many parties and is widely used all over the world. After a five-year selection process, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) in FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. In 2006, the Advanced Encryption Standard had become one of the most popular algorithms in symmetric key encryption.

Principles of the four working modes of AES:

1. ECB mode: ECB (electronic codebook) mode is the simplest block cipher encryption mode. Before encryption, the plaintext is divided into several blocks according to the data block size (for example, 128 bits for AES), and then each block is passed separately through the block encryptor with the same key. The advantage of this mode is that it is simple, no initialization vector (IV) is required, and each data block is encrypted/decrypted independently, which is conducive to parallel computing and gives high encryption/decryption efficiency. However, in this mode all data is encrypted/decrypted with the same key and without any further logical operation, so the same plaintext always gets the same ciphertext, which may lead to "chosen-plaintext attacks".

2. CBC mode: CBC (Cipher Block Chaining) mode first divides the plaintext into several small blocks. Each block is then logically XORed with the initial block or with the ciphertext of the previous block, and the result is encrypted with the key. The first plaintext block is logically XORed with a data block called the initialization vector. This effectively solves the problems exposed by ECB mode: even if two plaintext blocks are the same, the ciphertext blocks obtained after encryption are different. But the shortcomings are quite obvious, such as a complex encryption process and low efficiency.

3. CFB mode: Unlike ECB and CBC modes, which can only encrypt whole blocks of data, CFB mode can turn block ciphertext into stream ciphertext. In this mode, the data fed to the block cipher during both encryption and decryption is the ciphertext of the previous block, so even if the length of the plaintext is not an integer multiple of the data block size, it does not need to be padded. This guarantees that the data length is the same before and after encryption.

4. OFB mode: The plaintext block is no longer directly encrypted. The encryption process is to first use the block cipher to generate the key stream, and then perform the logical exclusive OR operation on the key stream and the plaintext stream to obtain the ciphertext stream.
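The four modes above, side by side, as an added example that is not part of the original article. It assumes a stand-in 16-byte block cipher (`enc_block`, a small Feistel construction over SHA-256 chosen so the code runs with only the Python standard library; it is not AES), and the key, IV and messages are constructed sample values.

```python
import hashlib

BLOCK = 16  # bytes; the AES block size given above

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def enc_block(key, block):
    # Stand-in block cipher (4-round Feistel over SHA-256), NOT AES.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # Each block encrypted independently; input must be a multiple of BLOCK.
    return b"".join(enc_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = enc_block(key, xor(b, prev))  # XOR with IV / previous ciphertext
        out.append(prev)
    return b"".join(out)

def cfb_crypt(key, iv, data, decrypt=False):
    out, prev = [], iv
    for b in blocks(data):
        o = xor(b, enc_block(key, prev))  # cipher runs on the previous ciphertext
        out.append(o)
        prev = b if decrypt else o
    return b"".join(out)

def ofb_crypt(key, iv, data):
    out, stream = [], iv
    for b in blocks(data):
        stream = enc_block(key, stream)  # keystream does not depend on the data
        out.append(xor(b, stream))
    return b"".join(out)

# Constructed sample input: two identical 16-byte blocks, then a 5-byte tail.
KEY, IV = b"k" * 16, bytes(range(16))
REPEATED = b"TRANSFER 100 USD" * 2
ODD_LEN = REPEATED + b"extra"
```

Encrypting `REPEATED` with `ecb_encrypt` yields two identical ciphertext blocks, while `cbc_encrypt` does not; `cfb_crypt` and `ofb_crypt` accept the 37-byte `ODD_LEN` without padding and use only the encrypt direction of the block cipher to decrypt.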

DES encryption algorithm:

DES (Data Encryption Standard) is a symmetric cryptographic algorithm (the same key is used for encryption and decryption) developed by IBM in the United States in 1972. In 1977, it was adopted as a Federal Information Processing Standard (FIPS) by the National Bureau of Standards of the United States and authorized for use in non-secret government communications, after which the algorithm was widely circulated internationally.

Two principles of block cipher design are used in the design of DES: confusion and diffusion. Their purpose is to resist the adversary's statistical analysis of the cryptographic system. Confusion makes the relationship between the statistical properties of the ciphertext and the value of the key as complicated as possible, so that the dependence between the key, the plaintext and the ciphertext cannot be exploited by the cryptanalyst. Diffusion spreads the influence of each plaintext bit over more output ciphertext bits as quickly as possible, so as to dissipate the statistical structure of the plaintext across a large amount of ciphertext, and likewise spreads the influence of each key bit over more ciphertext bits as quickly as possible, to prevent the key from being recovered piece by piece.

Compared with the AES algorithm, the main differences in the parameter characteristics of DES are reflected in the following aspects:

1. The data block size of DES is 8 bytes, and the data block size of AES is 16 bytes.

2. The key length of DES is 64 bits (of which 8 bits are used as parity check bits), and the key length of AES is 128 bits (the AES algorithm is more secure than the DES algorithm).

3. Of course, the specific encryption/decryption principles of the two algorithms are different. However, the block size and key length of the DES encryption algorithm can no longer meet current security requirements, so this algorithm is rarely used now; more advanced encryption algorithms such as AES or 3DES are used instead.

3DES (i.e. Triple DES) is an encryption algorithm for the transition from DES to AES. It uses three 56-bit keys to encrypt data three times. It is a safer variant of DES: it uses DES as the basic module and builds a block encryption algorithm by combining block operations. Compared with the original DES, 3DES is more secure.

Due to the growth of computing power, the key length of the original DES cipher has become easy to crack by brute force. 3DES is designed to provide a relatively simple way to resist such attacks by increasing the key length of DES, rather than designing a brand new block cipher algorithm.
