1 Chapter 3 Symmetric Key Crypto Stream Ciphers Block Ciphers Block Cipher Modes Integrity Chapter 3...

1

Chapter 3Symmetric Key

CryptoStream Ciphers

Block CiphersBlock Cipher Modes

Integrity

Chapter 3 Symmetric Key Crypto

Chapter 3 Symmetric Key Crypto 2

Symmetric Key Crypto

Stream cipher like a one-time pad Key is relatively short Key is stretched into a long keystream Keystream is then used like a one-time pad

except provable security Employ confusion only


Symmetric Key Crypto Examples of Stream cipher

A5/1: employed GSM cell phones Representative stream cipher based in H/W

RC4: used SSL protocol Almost unique stream cipher since efficiently implemented

in S/W



Block cipher based on codebook concept Block cipher key determines a “electronic”

codebook Each key yields a different codebook Employ both “confusion” and “diffusion”



Examples of Block cipher Data Encryption Stantard(DES): relatively

simple, Advanced Encryption STD(AES) International Data Encrytption Alg.(IEDA) Blowfish, RC6 Tiny Encryption Algorithm


Mode of Operation of block cipher Examples of block cipher mode Op

Electronic codebook (EOB) Cipher-block chaining (CBC) Cipher feedback (CFB) Output feedback (OFB) Counter (CTR)

Data integrity of block cipher Message Authentication code (MAC)



Goal of this section Introduce symmetric ciphers Understand their inner working and

uses Focus more on the “how” than the

“why” To understand :”why” -> need to

understand cryptanalysis (Chapter 6)



Stream Ciphers


Stream Ciphers

Not as popular today as block ciphers Key K of n bits stretches it into a long

keystream Function of stream cipher

StreamCipher(K) = S where K:key, S:keystream S is used like a one-time pad

c0 = p0 s0, c1 = p1 s1, c2 = p2 s2, … p0 = c0 s0, p1 = c1 s1, p2 = c2 s2, …

Sender and receiver have same stream cipher algorithm and both know the key K


Stream Ciphers We’ll discuss two examples A5/1

Based on linear feedback shift registers Used in GSM mobile phone system

A5/1 is used in Europe and the United States; A5/2, is used in countries that are not

considered trustworthy enough to have strong crypto.

RC4 Based on a changing lookup table Used many places – SSL


A5/1


A5/1

A5/1 is Representative stream cipher based in H/W

Consists of 3 Linear feedback shift registers

X: 19 bits (x0, x1, x2, …, x18)

Y: 22 bits (y0, y1, y2, ………, y21)

Z: 23 bits (z0, z1, z2, ………….,z22)

X+Y+Z = 64 bits


A5/1

At each step: m = maj(x8, y10, z10) Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1

If x8 = m then X steps t = x13 x16 x17 x18 xi = xi1 for i = 18, 17, …, 1 and x0 = t

If y10 = m then Y steps t = y20 y21 yi = yi1 for i = 21, 20, …, 1 and y0 = t

If z10 = m then Z steps t = z7 z20 z21 z22 zi = zi1 for i = 22, 21, …, 1 and z0 = t

Keystream bit is x18 y21 z22


A5/1

Each value is a single bit Key is used as initial fill of registers Each register steps or not, based on (x8, y10, z10) Keystream bit is XOR of right bits of registers

y0 y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16 y17 y18 y19 y20 y21

z0 z1 z2 z3 z4 z5 z6 z7 z8 z9 z10 z11 z12 z13 z14 z15 z16 z17 z18 z19 z20 z21 z22

X

Y

Z

x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18

From Wikipedia



A5/1

In this example, m = maj(x8, y10, z10) = maj(1,0,1) = 1 Register X steps, Y does not step, and Z steps Keystream bit is XOR of right bits of registers Here, keystream bit will be 0 1 0 = 1

1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1

1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1

X

Y

Z

1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1


RC4


RC4

RC4 Optimized for software implementation, whereas A5/1 for hardware

RC4 produces a keystream BYTE at each step, whereas A5/1 only produce a single keystream bit


RC4

RC4 is remarkably simple Because it is essentially just lookup

table containing permutation of the 256(28)-byte values

Each time a byte of keystream is produced, the lookup table is modified in such a way that the table always contains a permutation of {0,1,2,…256}


RC4 Initialization The first phase -

initialize the lookup table using key Key: key[i] for

i=0,1,…,N-1 where key[i] is a byte

Lookup table: S[i] is a byte

Key can be any length 0 to 256 bytes Key is only use to

initialize the permutation S

S[] is permutation of 0,1,…,255

key[] contains N bytes of key

for i = 0 to 255S[i] = iK[i] = key[i (mod N)]

next ij = 0for i = 0 to 255

j = (j + S[i] + K[i]) mod 256

swap(S[i], S[j])next ji = j = 0


RC4 Keystream The next phase – each keystream byte is

generated according the following algorithm

i = (i + 1) mod 256j = (j + S[i]) mod 256swap(S[i], S[j])t = (S[i] + S[j]) mod 256keystreamByte = S[t]

Use keystream bytes like a one-time pad Note: first 256 bytes must be discarded

Otherwise attacker may be able to recover key


Stream Ciphers

Stream ciphers were big in the past Efficient in hardware Speed needed to keep up with voice,

etc. Today, processors are fast, so

software-based crypto is fast enough Future of stream ciphers?

Shamir: “the death of stream ciphers” May be exaggerated…


Block Ciphers


Block Cipher

Plaintext and ciphertext consists of fixed sized blocks

Design goal: security and efficiency It is not easy to design a block cipher that is

secure and efficient


(Iterated) Block Cipher

Ciphertext obtained from plaintext by iterating a round function

Input to round function consists of key and the output of previous round

Usually implemented in software

Typical Type is Feistel Cipher


Feistel Cipher

Feistel cipher refers to a type of block cipher design, not a specific cipher

Split plaintext block into left and right halves: Plaintext = (L0,R0)

For each round i=1,2,...,n, computeLi= Ri1

Ri= Li1 F(Ri1,Ki)

where F is round function and Ki is subkey

Ciphertext = (Ln,Rn)


Feistel Cipher

Decryption: Ciphertext = (Ln,Rn) For each round i=n,n1,…,1, compute

Ri1 = Li

Li1 = Ri F(Ri1,Ki)

where F is round function and Ki is subkey

Plaintext = (L0,R0) Formula “works” for any function F But only secure for certain functions F

Ex: F(Ri-1, Ki) = 0 for all Ri-1 and Ki -> not secure


Data Encryption Standard


Data Encryption Standard

DES developed in 1970’s Based on IBM Lucifer cipher U.S. government standard DES development was controversial

NSA was secretly involved Design process not open Key length was reduced Subtle changes to Lucifer algorithm

National Security Agency/Central Security Service



DES Numerology ( 수비학 )

DES is a Feistel cipher 64 bit block length 56 bit key length 16 rounds 48 bits of key used each round (subkey)

Each round is simple (for a block cipher) Security depends primarily on “S-boxes”

Each S-boxes maps 6 bits to 4 bits Total 8 S-boxes


One Round of DES

L

expandL

R

S-boxes(8)

P Box

L R

key

R

Compress

key

48

32 32

32

48

32

32

32

48

28

2828

28

28 28

Next Slide


DES Expansion Permutation

Input 32 bits

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Output 48 bits

31 0 1 2 3 4 3 4 5 6 7 8

7 8 9 10 11 12 11 12 13 14 15 16

15 16 17 18 19 20 19 20 21 22 23 24

23 24 25 26 27 28 27 28 29 30 31 0 BACK


DES S-box 8 “substitution boxes” or S-boxes Each S-box maps 6 bits to 4 bits S-box number 1

0000

0001

0010

0011

0100

0101

0110

0111

1000

1001

1010

1011

1100

1101

1110

1111

00

1110

0100

1101

0001

0010

1111

1011

1000

0011

1010

0110

1100

0101

1001

0000

0111

01

0000

1111

0111

0100

1110

0010

1101

0001

1010

0110

1100

1011

1001

0101

0011

1000

10

0100

1101

1110

1000

1101

0110

0010

1011

1111

1100

1001

0111

0011

1010

0101

0000

11

1111

1100

1000

0010

0100

1001

0001

0111

0111

1011

0011

1110

1010

0000

0110

1101

input bits (0,5)

input bits (1,2,3,4)

BACK


DES P-box

Input 32 bits

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Output 32 bits15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9

1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24

BACK


DES Subkey

56 bit DES key, numbered 0,1,2,…,55

49 42 35 28 21 14 7

0 50 43 36 29 22 15

8 1 51 44 37 30 23

16 9 2 52 45 38 31

Left half key bits, LK

Right half key bits, RK55 48 41 34 27 20 13

6 54 47 40 33 26 19

12 5 53 46 39 32 25

18 11 4 24 17 10 3


DES Subkey

For rounds i=1,2,...,16 Let LK = (LK circular shift left by ri) Let RK = (RK circular shift left by ri) Left half of subkey Ki is of LK bits13 16 10 23 0 4 2 27 14 5 20 922 18 11 3 25 7 15 6 26 19 12 1

Right half of subkey Ki is RK bits12 23 2 8 18 26 1 11 22 16 4 1915 20 10 27 5 24 17 13 21 7 0 3


DES Subkey

For rounds 1, 2, 9 and 16 the shift ri is 1, and in all other rounds ri is 2

Bits 8,17,21,24 of LK omitted each round Bits 6,9,14,25 of RK omitted each round Compression permutation yields 48 bit

subkey Ki from 56 bits of LK and RK Key schedule generates subkey

BACK


DES Last Word (Almost)

An initial perm P before round 1 Halves are swapped after last round A final permutation (inverse of P) is

applied to (R16,L16) to yield ciphertext None of these serve any security

purpose


Security of DES

Security of DES depends a lot on S-boxes Everything else in DES is linear

Thirty years of intense analysis has revealed no “back door”

Attacks today use exhaustive key search Inescapable conclusions

Designers of DES knew what they were doing Designers of DES were ahead of their time

Exhaustive Key Search time

Key size(bits)

# of possible keys

Execution time(1 Encypt/us)

Execution time(10 Encypt/us)

3256128168

232=4.3X109

256=7.2X1016

2128=4.3X103

8

2168=4.3X105

0

231us=35.8 min 255 us=1142 yrs 2127 us=5.4X1024

yr 2167 us=5.9X1036

yr

2.15 ms10.01 hrs5.4X1018 yrs5.9X1030 yr


Block Cipher Notation

P = plaintext block C = ciphertext block Encrypt P with key K to get ciphertext C

C = E(P, K) Decrypt C with key K to get plaintext P

P = D(C, K) Note that

P = D(E(P, K), K) and C = E(D(C, K), K)


Double DES

DES’s key length is insufficient today. A clear way to use DES with a larger key

length: intuitively “double DES” C = E(E(P,K),K) ?

Problem: Still just 56 bit key

C = E(E(P,K1),K2) ? There is an attack that is more-or-less

equivalent to single DES Although the attack is somewhat impractical,

it’s close enough to being practical


Double DES attack

C = E(E(P,K1),K2) Attack: chosen plaintext attack For particular P, precompute table of E(P,K)

for every possible key K (resulting table has 256 entries)

Given this table(C= E(P,K), K) and C corresponding to chosen P

Then for each possible K2, compute D(C,K2) until a match in table is found Here, P = D(C,K2) → E(P,K2) = E(D(C,K2), K2) = C,

that is, D(C,K2) should be in the table


Double DES attack

When match is found, have E(P,K1) = D(C,K2)

Result is keys: C = E(E(P,K1),K2) where K1 and K2 are known, i.e. C is decrypted

Neglecting the work needed to precompute the table, the work consists of computing D(C,K) until we find a match in the table

This has an expected work of 255 : single DES exhausted key search work

So, double DES is not secure


Triple DES

Logical approach to triple DES

But practically, Triple DES is C = E(D(E(P,K1),K2),K1)

P = D(E(D(C,K1),K2),K1) (112 bit key)


Triple DES

Why use Encrypt-Decrypt-Encrypt (EDE) with 2 keys? (Why not EEE and not 3 keys?) Backward compatible with single DES:

If K1=K2=K then E(D(E(P,K),K),K) = E(P,K) And 112 bits is enough

3DES is popular today, But with coming of the AES, 3DES should fade from use over time


Advanced Encryption STD


AES History

Needs for replacement for DES DES had outlived its usefulness

Attacked by exhaustive key search: Special purpose DES crackers and distributed attack at internet

3DES is very resistant to crypto analysis but No efficient software code Too slow: 3 times as many rounds as DES 3DES use 64-bit block size: for reasons of both

efficient and security, a larger blk size desirable So, 3DES is not solution for long-term use

In 1997, NIST made a formal call for advanced encryption standard algorithms

AES History

GOAL: replace DES for both government and private sector encryption.

ROC of AES Unclassified, publicly disclosed encryption

algorithm, available royalty-free, worldwide. The algorithm must implement symmetric key Cryptography as a block cipher and (at a minimum)

support block sizes of 128-bits and key sizes of 128- , 192-, and 256-bits.

In 1998, NIST announced a group of 15 AES candidate algorithms.



AES History

Criteria for selecting AES: Security, Robustness, Speed

In 1999, out of 15, the selection was narrowed to 5 candidates: MARS, RC6, Rijndael, Serpent, and Twofish.

All the five protocols were thought to be secure On October 2, 2000, NIST has selected Rijndael

to propose for the AES. Pronounced like “Rain Doll” or “Rhine Doll” Invented by Joan Daemen and Vincent Rijmen

AES Features

Designed to be efficient in both hardware and software across a variety of platforms.

Not a Feistel Network Iterated block cipher (like DES) Not a Feistel cipher (unlike DES) “Secure forever” – Shamir


AES Features

Rijndael proposed a variable block size, 128,192, 256-bits, key size of 128-, 192-, or 256-bits. Variable number of rounds (10, 12, 14):

10 if B = K = 128 bits 12 if either B or K is 192 and the other is ≤

192 14 if either B or K is 256 bits

But note: AES uses a 128-bit block size.


AES Overview

Definition: State→ 4X4 array of bytes 128 bits = 16 bytes

Variable number of rounds (10, 12, 14): 10 if K is 128 bits 12 if K is 192 bites 14 if K is 256 bits

128-bit round key used for each round: 128 bits = 16 bytes = 4 words needs Nr+1 round keys for Nr rounds

needs 44 words for 128-bit key (10 rounds)



AES Overview

Each round uses 4 functions (in 3 “layers”) 4 functions: 1 of permutation and 3 substitutions 3 layers: Linear, Nonlinear and Key addition

Permutation Linear mixing layer: ShiftRow (State)

Substitutions Nonlinear layer: ByteSub (State, S-box) Nonlinear layer: MixColumn (State) Key addition layer: AddRoundKey (State, KeyNr)

AES: High-Level Description

State = XAddRoundKey(State, Key0) (op1)for r = 1 to Nr - 1

SubBytes(State, S-box) (op2)ShiftRows(State) (op3)MixColumns(State) (op4)AddRoundKey(State, KeyNr)

endforSubBytes(State, S-box)ShiftRows(State)AddRoundKey(State, KeyNr)Y = State


State: 4 X 4 array of bytes: 128 bits = 16 bytes


AES AddRoundKey

RoundKey (subkey) determined by key schedule algorithm

We will ignore the AES key schedule

XOR subkey with block: Assume 128-bits block


AES ByteSub

ByteSub is AES’s “S-box” Can be viewed as nonlinear (but invertible)

composition of two math operations

Assume 128 bit block, i.e. 4ⅹ4 bytes

AES BytesSub

Byte substitution using non-linear S-Box (independently on each byte).

S-box is represented as a 16x16 array, rows and columns indexed by hexadecimal bits

8 bits replaced as follows: 8 bits defines a hexadecimal number

(r,c), then (sr,sc) = binary(Sbox(r, c))



AES “S-box”

First 4bits ofinput

Last 4 bits of input

Example: hexa 53 is replaced with hexa ED


AES ShiftRow

Cyclic shift rows


AES MixColumn

Implemented as a (big) lookup table

Nonlinear, invertible operation applied to each column


AES Decryption

To decrypt, process must be invertible Inverse of AddRoundKey is easy, since

is its own inverse MixColumn is invertible (inverse is also

implemented as a lookup table) Inverse of ShiftRow is easy (cyclic shift

the other direction) ByteSub is invertible (inverse is also

implemented as a lookup table)

AES Design Rationale

Substitute Byte To be resistant to known cryptanalytic

attacks by making a low correlation between input bits and output bits.

Shift Row Note input and output are treated as

State(4X4 array) To move an individual byte from one

column to another


AES Design Rationale

Mix Column To ensure a good mixing the bytes of

each column Add Round Key

To affect every bit of State The complexity of the round key

expension ensure security



A Few Other Block Ciphers

Briefly… IDEA Blowfish RC6

More detailed… TEA


IDEA

International Data Encryption Alg Invented by Xuejia Lai ( 學嘉來 ) and James

Massey One of the giants of modern crypto Used in Pretty Good Privacy(PGP) V2.0

Characteristics IDEA uses mixed-mode arithmetic

IDEA the first to use this approach Frequently used today

64-bit block, 128-bit key 8 rounds, operates on 16-bit numbers


IDEA

mixed-mode arithmetic

Bitwise eXclusive OR (denoted with a blue ⊕)

Addition modulo 216 (denoted with a green )

Multiplication modulo 216+1, where the all-zero word (0x0000) is interpreted as 216 (denoted by a red )


Blowfish

Invented by Bruce Schneier Characteristics

Block length: 64-bit blocks Key is variable length, up to 448 bits Fast Compact: can run in less than 5K of memory Simple: simple structure and to implement Variably secure: dependent on the key

length Key-dependent S-boxes

S-boxes determined by the key


Blowfish Almost a Feistel

cipherRi = Li1 Ki

Li = Ri1 F(Li1 Ki)

The round function F uses 4 S-boxes Each S-box maps

8 bits to 32 bits Key-dependent

S-boxes S-boxes

determined by the key

Where Pi: round key


RC6

Invented by Ron Rivest Public key: RSA, Block cipher: RC6 Stream cipher: RC4, Hash function: MD5,

Characteristics Variables

Block size, Key size, Number of rounds Very fast, Clean and simple design An AES finalist Uses data dependent rotations

Unusual to rely on data as part of algorithm


Tiny Encryption Algorithm

Invented by David Wheeler Characteristics

64 bit block, 128 bit key Assumes 32-bit arithmetic

Targeting 32-bit computer Operation based on modulo 232

Number of rounds is variable 32 is considered secure

Uses “weak” round function, so large number rounds required


Tiny Encryption Algorithm

Trade off between complexity of each round and no. of rounds DES: balance between these two. (16) AES: reduce the no. of rounds and more

complex round function (10,12,14) TEA: simple round function and large

no. of rounds 32 is considered secure


TEA EncryptionAssuming 32 rounds:

(<<: L shift, >> R shift)

(K[0],K[1],K[2],K[3]) = 128 bit key

(L,R) = plaintext (64-bit block)delta = 0x9e3779b9sum = 0for i = 1 to 32 sum = sum+delta L = L +

((R<<4)+K[0])^(R+sum) ^((R>>5)+K[1])

R = R + ((L<<4)+K[2])^(L+sum)

^((L>>5)+K[3])next iciphertext = (L,R)


TEA Decryption

Assuming 32 rounds:(K[0],K[1],K[2],K[3]) = 128 bit key(L,R) = ciphertext (64-bit block)delta = 0x9e3779b9sum = delta << 5for i = 1 to 32 R = R - ((L<<4)+K[2])^(L+sum)^((L>>5)+K[3]) L = L - ((R<<4)+K[0])^(R+sum)^((R>>5)+K[1])

sum = sum - deltanext iplaintext = (L,R)


TEA comments

Almost a Feistel cipher Uses + and - instead of (XOR) Need to separate encryption and decryption

routines Simple, easy to implement, fast, low

memory requirement, etc. Possibly a related key attack

If a cryptanalyst knows that two TEA messages are encrypted with keys that are related to each other in a special way, then the plaintext can be recovered


TEA comments

eXtended TEA (XTEA) eliminates related key attack (slightly more complex)

Simplified TEA (STEA) insecure version used as an example for cryptanalysis


Block Cipher Modes


Symmetric cipher encryption

Stream cipher is easy: keystream is the same length as the

plaintext and XOR How to encrypt multiple blocks?

A new key for each block? As bad as (or worse than) a one-time pad!

Encrypt each block independently? Make encryption depend on previous

block(s), i.e., “chain” the blocks together? How to handle partial blocks?


Modes of Operation

Many encryption ways (modes of operation) for multiple block cipher we discuss three Electronic Codebook (ECB) mode

Obvious thing to do Encrypt each block independently There is a serious weakness

Cipher Block Chaining (CBC) mode Chain the blocks together More secure than ECB, virtually no extra work

Counter Mode (CTR) mode Acts like a stream cipher Popular for random access


ECB(Electronic Codebook) Mode

Notation: C=E(P,K) Given plaintext P0, P1, …, Pm, … Obvious way to use a block cipher is

Encrypt DecryptC0 = E(P0, K), P0 = D(C0, K),

C1 = E(P1, K), P1 = D(C1, K),

C2 = E(P2, K),… P2 = D(C2, K),…

For a fixed key K, this is an electronic version of a codebook cipher

A new codebook for each key

ECB Mode



ECB Cut and Paste Attack

Suppose plaintext is Alice digs Bob. Trudy digs Tom.

Assuming 64-bit blocks and 8-bit ASCII:P0 = “Alice di”, P1 = “gs Bob. ”,

P2 = “Trudy di”, P3 = “gs Tom. ” Ciphertext: C0, C1, C2, C3

Trudy cuts and pastes 복사 - 붙여넣기공격 : C0, C3, C2, C1

Decrypts asAlice digs Tom. Trudy digs Bob.


ECB Weakness

Suppose Pi = Pj

Then Ci = Cj and Trudy knows Pi = Pj

This gives Trudy some information, even if she does not know Pi or Pj

We should not give the cryptanalyst anything for free.

Trudy might know Pi

Is this a serious issue? -> Next slide


Alice Hates ECB Mode

Alice’s uncompressed image, Alice ECB encrypted (TEA)

Why does this happen? Same plaintext block same ciphertext!

Solution??? -> Next slide


Cipher Block Chaining Mode

Blocks are “chained” together A random initialization vector, or IV, is

required to initialize CBC mode IV is random, but need not be secret

Encryption Decryption

C0 = E(IV P0, K), P0 = IV D(C0, K),

C1 = E(C0 P1, K), P1 = C0 D(C1, K),

C2 = E(C1 P2, K),… P2 = C1 D(C2, K),…

Cipher Block Chaining Mode


Main drawbacks encryption is sequential (i.e., it cannot be

parallelized), the message must be padded to a multiple of the

cipher blk size.


CBC Mode

Identical plaintext blocks yield different ciphertext blocks

Cut and paste is still possible, but more complex (and will cause garbles)

If C1 is garbled to, say, G then

P1 C0 D(G, K), P2 G D(C2, K)

But P3 = C2 D(C3, K), P4 = C3 D(C4, K),…

Automatically recovers from errors!


Alice Likes CBC Mode

Alice’s uncompressed image, Alice CBC encrypted (TEA)

Why does this happen? Same plaintext yields different ciphertext!


Counter (CTR) Mode

CTR is popular for random access Use block cipher like stream cipher

Encryption DecryptionC0 = P0 E(IV, K), P0 = C0 E(IV, K),

C1 = P1 E(IV+1, K), P1 = C1 E(IV+1, K),

C2 = P2 E(IV+2, K),… P2 = C2 E(IV+2, K),…

EBC can also be used for random access!!!


Counter (CTR) Mode

1 Chapter 3 Symmetric Key Crypto Stream Ciphers Block Ciphers Block Cipher Modes Integrity Chapter 3...

Documents

Transcript of 1 Chapter 3 Symmetric Key Crypto Stream Ciphers Block Ciphers Block Cipher Modes Integrity Chapter 3...