There are several symmetrical algorithms available, each with its own key lengths and operations. Most symmetrical block ciphers (e.g., DES, RC5, CAST, and BlowFish) use the Feistel cipher, which is a round function. In the Feistel function, the data block is divided into two halves and repeatedly processed through a number of rounds using the key. The first half is used during the process to create the cipher for the second.
Once complete, the compiled half is used to complete the process on the first half.
Feistel is based on linear and nonlinear rounds and draws its strength from degree of diffusion.
To accomplish diffusion, some algorithms employ a process called substitution-box (S-box), such as DES and CAST, or bit-wise data-dependant rounds in which the data is used to drive diffusion. Bit-wise rounds can be seen in RC5. Other algorithms, such as IDEA, simply multiply their own rounds to accommodate diffusion in the entire process.
Exhibit 4-1. Symmetrical key encryption
DES and 3DES. The most typical algorithms, at least in IPSec implementations, are DES and Triple DES (3DES). The Data Encryption Standard (DES) is the Federal Informa-tion Processing Standard (FIPS) 46-1 that details the data encrypInforma-tion algorithm (DEA), which is the ANSI Standard X9.32.
Originally developed in 1974 by IBM, NSA, and the National Bureau of Standards (NBS) (now called the National Institute of Standards and Technology [NIST]), and code named Lucifer, DEA is the foundation of the encryption process referred to as DES. DEA became an accepted standard in 1977 by the NBS.
DES is the most widely used encryption algorithm and was developed primarily for implementation in hardware. As previously mentioned, it utilizes a 16-round Feistel cipher that is easily computed by characteristics found in common processors.
NIST continually recertified DES every five years, ending in 1993. With the develop-ment of the Advance Encryption Standard (AES), DES will be phased out to accommodate a much faster algorithm.
DES is extremely popular in IPSec due to its performance capabilities, hardware support, and market exposure. DES is a fine-tuned, symmetrical algorithm capable of encrypting large amounts of data very quickly. There is a large quantity of hardware available that can accelerate the encryption and decryption processes. Therefore, IPSec is an excellent candidate for employing hardware-based encryption support.
AES. In January 1997, NIST announced the initiation of AES development and made a formal request for proposed algorithms in September of that year. The endeavor stated that AES would become an unclassified, publicly disclosed encryption algorithm, avail-able free of charge worldwide. In addition, the algorithms for consideration must be based on symmetric key cryptography (e.g., DES) as a block cipher, and minimally support block sizes of 128 bits and key sizes of 128, 192, and 256 bits.
The goal is to develop a FIPS specification that defines an algorithm capable of protecting sensitive information for the foreseeable future. The algorithm is expected to be used by government as well as the private community.
In August 1998, NIST announced a group of 15 AES candidate algorithms at the First AES Candidate Conference (AES1). A Second AES Candidate Conference (AES2) was held in March 1999 to discuss the results of the analysis conducted by the cryptographic community on the proposed 15 algorithms. Once all the comments and suggestions were compiled, NIST identified five final qualifiers for the AES initiative. The AES finalists were MARS, RC6, Rijndael, Serpent, and Twofish. As the NIST hosts more candidate conferences, the final five will be reduced to one algorithm that will become AES. If all steps of the AES development process proceed as planned, it is anticipated that the standard will be completed by the summer of 2001.
Once AES is made available, the IPSec market will quickly shift to implement the new algorithm.* The sales aspects will be obvious: increased security and performance.
AES is much faster than DES, and once applied to IPSec, communication issues such as latency and throughput will be greatly reduced.
MARS. MARS is a candidate developed by IBM and supports 128-bit blocks and variable key lengths up to 448 bits. As with all the AES candidates, it is designed to take advantage of current processor designs, whether integrated onto the processor itself or implemented via software operations.
* In October 2000, NIST selected the Rijndael data encryption algorithm as the new AES. Immediately, dozens of companies avowed their support for AES and announced products that implemented it.
MARS employs three core computations: S-box lookups, multiplications, and data-dependant rotations. It also uses a multi-phased approach to rounds, in that there are core cryptographic rounds supported by simpler mixing rounds. By employing many of the standard techniques into the algorithm, MARS obtains a great deal on diffusion and the result is a highly resistant output.
In early tests, the algorithm produced a throughput, on average, of 100 Mbits per second, and the developers expect a tenfold increase when implemented in hardware.
RC6. RC6 was developed by RSA (Rivest, Shamir, and Adleman) and is an evolution-ary step from RC5. As with MARS, RC6 employs a second internal round, (or core round), which is similar to the half-round used in RC5. The AES block size requirement is 128 bits, and reorganizing RC5 to accommodate the enlarged blocks forces 64-bit registers because RC5 used two processing registers. The result was to develop a new algorithm based on RC5 that used four 32-bit registers to support the 128-bit block.
One of the primary factors taken from RC5 was the dependence on data-dependant rounds to create acceptable diffusion. An added process is integer multiplication used against the rounds to enhance the diffusion process creating a more robust ciphertext.
Rijndael. This algorithm was created by Joan Daemen and Vencent Rijmen, uses a 128-bit block, and supports keys of 128, 192, and 256 bits. Unfortunately, the algorithm is highly complex and it is difficult to provide a simple explanation of the foundation of the process because much of it is newly developed.
The algorithm obtains much of the diffusion from S-box manipulation in several instances of rounds performed. The process is primarily based on a process called iterated block cipher.
Serpent. Serpent was developed by Ross Anderson, Eli Biham, and Lars Knudsen, supports a 128-bit block cipher, and uses a 256-bit key. Serpent is directly based on DES and employs the well-known S-box process for diffusion.
The inventors decided to use well-tested and known technologies found in DES and then slightly modify the process to achieve enhanced performance. The greater security is obtained through a larger key size. The primary changes to DES were a modified S-box process and key schedule.
For the most part, Serpent is DES with a larger key refined to operate faster on current technology.
Twofish. Twofish is the next-generation encryption algorithm from the makers of Blowfish (i.e., Bruce Schneier and Counterpane Systems). Twofish is a 128-bit block cipher that employs a variable-length key up to 256 bits. As with other block ciphers, a 16-round Feistel function is used with four independent 8-bit S-boxes that are key dependant.
One of the processes that provides the algorithm its strength is the careful key schedule that is used during the encryption process, and its use with S-box processes.