
4. SECURITY

4.2 Symmetric Encryption

In symmetric encryption, ciphering and deciphering are done using the same key. This means that the endpoints have somehow agreed on a shared secret, for example by using Diffie-Hellman key exchange. Symmetric ciphers are divided into two categories or operating modes: block ciphers and stream ciphers. Figure 25 shows the difference between a stream cipher and a block cipher.

Figure 25: Block vs stream cipher [51]

The main difference between the two cipher types is, as Figure 25 shows, the input size on which the cipher operates. A block cipher operates on a block of bits, for example, 128 bits. The application calling the block cipher must split the input into blocks of 128 bits and feed them to the cipher, which then produces a 128-bit ciphertext block. If there is not enough input data to meet the 128-bit length requirement, the input block can be zero-padded.

Where a block cipher operates on a block of bits, a stream cipher operates on a bit or a byte of data, and each cipher round is affected by the state of the cipher, which in turn is affected by the previous ciphering rounds. Block ciphers can be made to work similarly by using the block cipher in a mode where the previous round affects the current round, and the current round in turn affects all future rounds.

Both cipher types have their own benefits and drawbacks. Block ciphers are easier to implement but require more memory, as they operate on multiple bytes at a time, whereas stream ciphers are harder to implement correctly but are faster in their operations. [51]

Both SRTP and ZRTP use a block cipher to implement encryption. They support two competing but very similar symmetric encryption standards, AES and Twofish. The focus is going to be on AES, as it is the mandatory algorithm required by both specifications. SRTP and ZRTP also utilize two different modes of operation in their ciphers.

4.2.1 Mode of Operation

There are multiple ways to use a block cipher, and these are called modes of operation. A mode defines how the block cipher is operated, i.e., what its inputs are and how the final ciphertext is generated. SRTP and ZRTP use both Counter mode (CM) and Cipher feedback (CFB) mode [52]. Figure 26 shows the operating principle of CM ciphering.

Figure 26: Counter mode ciphering

In CM, the Initialization Vector (IV) consists of a random nonce and a counter that is incremented by one after each cipher round. As the figure shows, the IV is ciphered using the cipher key and the block cipher, which produces random-looking output. After that, an exclusive-or operation is performed between the plaintext and the output of the block cipher, producing the ciphertext. The counter is then incremented, and the second cipher round uses the number 1 as the counter when it creates its IV. Figure 27 shows the operating principle of CFB mode ciphering.

Figure 27: Cipher feedback mode ciphering

In CFB mode ciphering, the IV does not convey any special information and can be just a random nonce. The ciphering principle is otherwise the same as with CM, but the difference is that the ciphertext of the current round is used as the IV of the next round.
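The two modes described above, as an added example that is not code from the thesis or from any SRTP/ZRTP implementation. The block function is a stand-in for AES-128 (a keyed PRF built from HMAC-SHA256 and truncated to one 16-byte block): both CM and CFB only ever call the block cipher in its forward direction, so the mode logic is exactly what it would be with real AES. The IV layout for CM (12-byte nonce followed by a 32-bit big-endian counter starting at 0), the sample key and the sample payload are assumptions constructed for this example, not the layouts SRTP uses. Besides the round trips, the example shows the practical difference between the modes: a single corrupted ciphertext bit damages one plaintext block in CM but the following block as well in CFB, because the damaged block is fed forward as the next IV; and it shows why a (nonce, counter) pair must never be reused under one key.

```python
"""Counter (CM/CTR) and Cipher Feedback (CFB) modes over a pluggable
16-byte block function.

Added example, not code from the thesis or from an SRTP/ZRTP stack.
block_fn is a STAND-IN for AES-128 encryption of one block; the IV
layout and sample values below are constructed for this example.
"""
import hashlib
import hmac

BLOCK = 16  # block size in bytes (128 bits, as for AES)


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(block): one forward block-cipher call (keyed PRF)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; truncates to the shorter one (partial last block)."""
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode. Encryption and decryption are the same operation:
    keystream block i = E_k(nonce || counter=i), XORed with data block i."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        iv = nonce + (i // BLOCK).to_bytes(4, "big")  # assumed IV layout
        out += xor_bytes(data[i:i + BLOCK], block_fn(key, iv))
    return bytes(out)


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: the previous ciphertext block is the next block's IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor_bytes(plaintext[i:i + BLOCK], block_fn(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB decryption also uses only the forward direction of the cipher."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor_bytes(c, block_fn(key, prev))
        prev = c
    return bytes(out)


def corrupted_blocks(mode: str, key: bytes, iv: bytes, msg: bytes) -> list:
    """Flip one bit in the first ciphertext block and report which plaintext
    blocks change on decryption. CM: only block 0. CFB: block 0 and block 1,
    because the damaged ciphertext block is fed forward as the next IV."""
    enc, dec = (ctr_crypt, ctr_crypt) if mode == "cm" else (cfb_encrypt, cfb_decrypt)
    ct = bytearray(enc(key, iv, msg))
    ct[0] ^= 0x01
    pt = dec(key, iv, bytes(ct))
    n = len(msg) // BLOCK
    return [b for b in range(n)
            if pt[b * BLOCK:(b + 1) * BLOCK] != msg[b * BLOCK:(b + 1) * BLOCK]]


def keystream_reuse_leaks(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Why a (nonce, counter) pair must never repeat under one key: the same
    keystream makes XOR of the ciphertexts equal XOR of the plaintexts."""
    c1, c2 = ctr_crypt(key, nonce, m1), ctr_crypt(key, nonce, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


# Constructed sample values (not real keys or traffic).
KEY = bytes(range(16))
NONCE = b"\x00" * 12
IV = b"\x01" * 16
MSG = b"sample payload! " * 3  # 48 bytes = 3 full blocks

if __name__ == "__main__":
    print("CM round trip:", ctr_crypt(KEY, NONCE, ctr_crypt(KEY, NONCE, MSG)) == MSG)
    print("CFB round trip:", cfb_decrypt(KEY, IV, cfb_encrypt(KEY, IV, MSG)) == MSG)
    print("CM blocks hit by one flipped bit:", corrupted_blocks("cm", KEY, NONCE, MSG))
    print("CFB blocks hit by one flipped bit:", corrupted_blocks("cfb", KEY, IV, MSG))
```

The error-propagation check is the property a practitioner cares about when choosing between the two modes for lossy media transport: in CM a damaged or lost packet affects only itself, which is why the counter is derived from the packet index rather than from the previous ciphertext.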

4.2.2 Advanced Encryption Standard

Rijndael, named after its authors Vincent Rijmen and Joan Daemen, was selected in 2001 by NIST as the Advanced Encryption Standard (AES), the successor of the Data Encryption Standard (DES) [53]. It is a symmetric encryption standard that supports 128-, 192-, and 256-bit keys, uses 128-bit blocks, and is implemented as a substitution-permutation network. It works by converting the input block into a 4x4 matrix in column-major order and performing either 10, 12, or 14 rounds of byte substitutions, row shifting, and column mixing, for 128-, 192-, and 256-bit keys, respectively. Figure 28 shows a block diagram of AES encryption and decryption.

Figure 28: Block diagram of AES encryption and decryption [54]

The algorithm starts by deriving a key for the following round of operations, and this key derivation is done for each round. During round key derivation, for example, the 128-bit input key is expanded into 10 128-bit round keys, each key used for one round. The input key is rotated and shifted according to the rules defined in [53] to create the round-specific keys.

After the round key has been derived, the algorithm proceeds to substitute bytes in the 4x4 matrix. For that, AES uses the multiplicative inverse in a finite field and something called substitution boxes, or S-boxes [55].

The first thing that happens during substitution is taking the multiplicative inverse of the input value in $GF(2^8)$. The process consists of expressing the input byte $x$ as a polynomial; for example, the value 0x53 would be expressed as:

$$p(x) = x^6 + x^4 + x + 1 \qquad (23)$$

and finding another polynomial $p(x^{-1})$ that satisfies:

$$p(x^{-1})\,p(x) = 1 \pmod{x^8 + x^4 + x^3 + x + 1} \qquad (24)$$

When $x^{-1}$ has been found, it is represented as a vector, multiplied by a matrix, and the constant 0x63 is added to it to prevent getting a zero output from a zero input:

(25) [the matrix and vectors of this affine transformation are not legible in the source] where the added vector is the value 0x63 in binary format. The matrix that is used for the multiplication is given by [53].

When the substitutions are done, the algorithm proceeds to shifting the rows and mixing the columns. The first row of the matrix is left untouched. The second row is rotated to the left by one, such that the byte shifted out on the left wraps around to the right, as follows:

$$[a_{1,0}\ \ a_{1,1}\ \ a_{1,2}\ \ a_{1,3}] \rightarrow [a_{1,1}\ \ a_{1,2}\ \ a_{1,3}\ \ a_{1,0}] \qquad (26)$$

This shifting is also done for rows three and four, but they are shifted by two and three, respectively. After shifting, the columns are mixed by multiplying each column with a predefined matrix:

[the column-mixing matrix is not legible in the source]

The next round then starts again by generating a key for the round and following the same steps. This is done until all rounds are executed, after which the ciphertext is complete.

AES has undergone extensive cryptanalysis and is considered uncrackable with 256-bit keys, as it would take billions of years to go through the whole key space [56]. This also shows the glaring difference between symmetric and asymmetric key sizes: the NIST-recommended key size for AES is 24 times smaller than its recommendation for RSA [41].