On Permutation Operations in Cipher Design
- Format: pdf
- Size: 115.43 KB
- Pages: 9
Unmatched performance and reliability

Bypass isolation ATS

Eaton's bypass isolation automatic transfer switch (ATS) is designed to provide unmatched performance, reliability and versatility for critical standby power applications. Supervisory intelligence is provided by an ATC-900 or ATC-300+ controller, delivering operational simplicity and field adaptability coupled with diagnostic and troubleshooting capabilities. The bypass isolation ATS design is ideal for those applications where the ability to perform maintenance is required without interrupting power to life safety and other critical loads.

Product configuration
• Automatic operation: ATS and bypass switch
• Open and closed transition
• 100–1200 A rating
• Two-, three- or four-pole
• NEMA 1, 3R
• Up to 600 Vac, three- or four-wire, 60 Hz or 50/60 Hz
• Drawout ATS and fixed bypass switch, facilitating concurrent maintenance
• Service entrance

Features and benefits

Proven performance and reliability
• Automatic and non-automatic operation modes are available to provide multiple methods of transferring the load between power sources
• Manual operation allows unloaded transfer between power sources for all product configurations
• UL 1008 Listed short-circuit and short-time (select catalog numbers only) withstand closing current ratings maximize system reliability

Simplified installation and integration
• Factory-configured power source and load terminals for top/bottom cable ingress
• Removable enclosure panels provide front and rear access to cable terminal connections
• Seismic certified to OSHPD, CBC, IBC and UBC

Enhanced safety
• Two-door, compartmentalized construction provides steel barriers, protecting workers
• Integral safety interlocks automatically open the main contacts prior to the ATS being isolated for test or removed for service

Improved serviceability
• Two-door design eliminates the need to schedule shutdowns for routine test, inspection or maintenance of the ATS
• Drawout design allows the ATS to be disconnected from the electrical bus and isolated in cell for regular testing as prescribed by code (NFPA 70, 99, 110)
• Testing of the isolated ATS can be performed while the bypass switch is in the automatic or non-automatic mode of operation

Design features

Dual automatic technology
Eaton's bypass isolation transfer switch design includes an automatic bypass switch and an ATS housed within a single assembly. Regardless of which power switch is actively distributing power, redundant automatic operation provides for a rapid load transfer and restoration of power to life safety and critical loads, eliminating the need for active supervision by qualified personnel.

Segmented construction
The ATS and automatic bypass switch are housed in separate compartments, with robust steel walls, that isolate the power switches from each other to facilitate ease of maintenance and worker safety. Each compartment includes a door with padlockable handle. This design prevents the possibility of inadvertent contact and unnecessary exposure to power cable terminations and energized electrical control components.

Drawout ATS and fixed-mounted bypass
Service personnel can rack-out and isolate the ATS (with compartment door closed) from the electrical bus for routine test or exercise. A Kirk-key interlock prevents access to the racking mechanism until the load connection has been transitioned to the automatic bypass switch. Opening the compartment door allows the ATS to be completely drawn out of the cell for inspection or maintenance. Safety interlocks prevent rack-out or rack-in of the ATS from the electrical bus with the main contacts closed. The automatic bypass switch is fixed mounted to the electrical bus and stands ready to initiate an automatic load transfer when the ATS is undergoing maintenance.

Multi-tap control power transformer
System voltage can be field configured via a multi-tap control power transformer (CPT) with quick-disconnect plugs.

Transition to bypass mode
When maintenance or testing of the ATS needs to be performed, qualified personnel can easily and quickly transition the load connection between the ATS and automatic bypass switch using door-mounted operator controls fitted with indication lights. The transition occurs in a make-before-break fashion, ensuring continuous power flow to loads.

Multiple operation modes
Operation is possible in the following modes:
• Automatic
• Non-automatic
• Manual (see note A)
In automatic mode, the transfer switch is self-acting, and a transfer is automatically initiated by the intelligent logic controller. In non-automatic mode (optional), a transfer is initiated by the operator using a door-mounted selector switch. In manual mode, a transfer is initiated by the operator using controls mounted directly on the automatic bypass switch or ATS. Alternatively, a transfer can be initiated remotely via an HMi remote annunciator controller.
Note A: Manual operation (unloaded) is provided for all product configurations.

[Figure captions: 600–1200 A rating (480 V), NEMA 1 enclosure; 100–400 A rating (480 V), NEMA 1 enclosure; drawout ATS and automatic bypass switch compartments; fixed-mounted automatic bypass switch; drawout ATS can be isolated for test within compartment or completely removed; removable option panels allow front access for top and bottom cable termination; drawout ATS removed for bench-level inspection while the automatic bypass switch stands ready to transfer load.]

Standard enclosure dimensions and weights
Dimensions and weights shown are approximate and subject to change. Reference product outline drawings for the latest information.
[Table of NEMA 1, NEMA 3R and NEMA 12/4X enclosure dimensions in inches (mm), normal/emergency/load and neutral connection sizes, and weight by transfer switch rating and device; the values did not survive extraction.]
Note A: Neutral connection size listed is for product configuration with a solid neutral. For product configurations with a switched neutral (four-pole), reference the size listed in the Emergency/Load Connection column.
Note B: Three-pole product configuration.
Note C: Four-pole product configuration.

Product selection

Catalog numbering system
Note: Some catalog number combinations may not be available. For additional information, please contact your local Eaton sales representative.

Bypass isolation ATS schematic diagram

UL 1008 withstand and closing current ratings (kA)
[Table by ampere rating and device: short-circuit (specific circuit) ratings up to 480 V and up to 600 V; the values did not survive extraction.]

Eaton is a registered trademark. All other trademarks are property of their respective owners.
Eaton, 1000 Eaton Boulevard, Cleveland, OH 44122, United States. © 2022 Eaton. All Rights Reserved. Printed in USA. Publication No. PA01602019E / Z25954, March 2022.
aet

AET: Exploring the Advanced Encryption Technique in Computer Security

Introduction
In today's digital world, where sensitive data is constantly being transmitted and stored, ensuring its security is of utmost importance. Cryptography plays a vital role in safeguarding information, and one of the most widely used encryption techniques is the Advanced Encryption Technique (AET). AET is a robust encryption algorithm that secures data by transforming it into an unreadable format. In this document, we will explore the technical aspects of AET and its significance in computer security.

1. A Brief Overview of Encryption Techniques

1.1 Historical Development of Encryption
Encryption techniques have a long history stretching back thousands of years, with the earliest known examples being the use of substitution ciphers by the ancient Greeks and Romans. Over time, encryption methods have become more sophisticated to counter evolving threats.

1.2 Basics of Encryption
Encryption involves converting plaintext into ciphertext, which can only be deciphered with the correct key or algorithm. It uses various mathematical operations to scramble the data, making it unintelligible to unauthorized individuals.

2. Understanding the Advanced Encryption Technique (AET)

2.1 AET Background
AET, also known as the Advanced Encryption Standard (AES), is an encryption algorithm adopted by the U.S. government in 2001. It replaced its predecessor, the Data Encryption Standard (DES), and is now considered the gold standard for securing information.

2.2 AET Features
AET possesses several key features that contribute to its robustness:

2.2.1 Symmetric Key Algorithm
AET employs a symmetric key algorithm, meaning the same key is used for both encryption and decryption. This ensures efficiency and simplicity in the encryption process.

2.2.2 Block Cipher Operation Mode
AET operates as a block cipher, encrypting data in fixed-size blocks. The most common block size used is 128 bits. Larger files are divided into these blocks, which are then individually encrypted.

2.2.3 Key Sizes and Variants
AET supports three key sizes: 128 bits, 192 bits, and 256 bits. The larger the key size, the stronger the encryption. Additionally, AET has three variants based on the key size, namely AES-128, AES-192, and AES-256.

2.2.4 Substitution-Permutation Network (SPN)
AET utilizes a substitution-permutation network, which combines substitution and permutation operations. This ensures a high level of confusion and diffusion, preventing adversaries from obtaining valuable information.

3. AET Modes of Operation

3.1 Electronic Codebook (ECB) Mode
In ECB mode, each block of plaintext is encrypted independently with the same key. While simple, this mode is vulnerable to certain attacks because identical plaintext blocks produce identical ciphertext blocks.

3.2 Cipher Block Chaining (CBC) Mode
CBC mode XORs each plaintext block with the previous ciphertext block before encryption. This introduces randomness and eliminates the vulnerability found in ECB mode. An initialization vector (IV) is used to ensure the initial block has no predictable relationship with the subsequent ones.

3.3 Counter (CTR) Mode
CTR mode transforms a block cipher into a stream cipher. It generates a unique counter value for each block, creating an encryption keystream. The keystream is then XORed with the plaintext to produce the ciphertext.

4. Security and Applications of AET

4.1 Security of AET
AET has gained widespread acceptance due to its robust security. It has undergone extensive academic scrutiny and cryptographic analysis, standing up against various attacks. However, it is crucial to properly implement and use AET to avoid potential vulnerabilities.

4.2 Applications of AET
AET is extensively employed in various applications, including:
- Secure communication systems
- File and disk encryption
- Virtual Private Networks (VPNs)
- Wireless communication protocols
- The Internet of Things (IoT) security

5. Conclusion
AET, with its strong security features and widespread industry adoption, has become an integral part of computer security. It provides a reliable encryption technique for safeguarding sensitive data from unauthorized access and tampering. As technology continues to advance, AET's significance in ensuring information security will remain invaluable. Organizations and individuals must understand and implement AET correctly to maximize its benefits and protect their valuable data.
AES128 principles

AES128, which stands for Advanced Encryption Standard with a 128-bit key, is a widely-used encryption algorithm to protect sensitive information. It has become the de facto standard for encryption and is used in various applications, including securing data at rest and in transit. AES128 operates on 128-bit block sizes and uses a 128-bit key and is considered secure for most practical applications.

AES128 works through a series of mathematical operations, including substitution, permutation, and linear transformation, to transform plaintext into ciphertext. This process ensures that even if an unauthorized party were to intercept the encrypted data, they would not be able to decipher the original message without the correct key. This level of security provided by AES128 makes it an essential component of modern cybersecurity protocols.

The strength of AES128 lies in its ability to resist known cryptanalytic attacks when implemented correctly. The algorithm has been thoroughly vetted by cryptographers and has withstood rigorous scrutiny for many years. Furthermore, AES128 has been adopted by various government and industry standards organizations, further validating its security and reliability.

From a practical standpoint, AES128 is also relatively efficient in terms of computational resources compared to higher bit key lengths such as AES256. This makes it a popular choice for resource-constrained environments where performance is a critical factor. Additionally, AES128 is resistant to attacks like brute force and is resilient against quantum computing threats, making it a reliable choice for long-term security.

However, it's essential to note that while AES128 is secure for most use cases, its strength is contingent on the proper management of keys and the overall implementation of the encryption scheme. Weaknesses in key generation, storage, or distribution can undermine the security provided by AES128. Therefore, it's crucial to follow best practices for key management and encryption implementation to maximize the effectiveness of AES128.

In conclusion, AES128 is a robust and versatile encryption algorithm that has become an integral part of modern cybersecurity. Its strong security guarantees, efficiency, and widespread adoption make it a compelling choice for safeguarding sensitive information in various applications. As technology continues to evolve, AES128 remains a cornerstone for ensuring data confidentiality and integrity in an increasingly interconnected digital world. The principles and applications of AES128 are an important part of the modern information security field.
Cryptography Final Exam Review (Deluxe Edition) Walkthrough

Cryptography Final Exam Review (Deluxe Edition)

I. Fill in the blanks:
1. Cryptology includes the two fields: cryptography and cryptanalysis. According to how much data is processed at a time, cipher algorithms can be divided into stream ciphers and block ciphers; their representative algorithms are Vigenère (RC4) and DES. The key space of a rotor machine is 26^n.
2. A monoalphabetic cipher has a total of 26! keys; the Playfair cipher has 25! keys.
3. The key length of the IDEA algorithm is 128 bits, the key length of RC4 is 8–2048 bits, and the key lengths of AES are 128, 192 and 256 bits respectively.
4. In the DES cipher the data block is 64 bits and the input key is 56 bits, producing 48-bit subkeys.
5. For security services, X.800 defines 5 major categories: data confidentiality, authentication, access control, data integrity, non-repudiation.
6. Consider three aspects of information security: security attacks, security mechanisms, security services.
7. Security mechanisms: mechanisms based on cryptographic techniques, and conventional mechanisms.
8. Key distribution center (KDC) authentication protocol: the drawback of this protocol is that it cannot prevent replay attacks.
9. Types of encryption operations used: permutation (transposition), substitution.

II. Definitions:
Collision attack (collision): generally refers to hash functions. When different data yield the same hash value, this is called a collision. In mathematical terms, for a function f(x), one finds x1 and x2 with x1 ≠ x2 such that f(x1) = f(x2). Since a hash maps strings of arbitrary length to strings of fixed length, some output string must correspond to infinitely many input strings, so collisions necessarily exist.
blowfish

Blowfish: A Powerful Symmetric Block Cipher Algorithm

Introduction:
Blowfish is a symmetric block cipher algorithm designed by Bruce Schneier in 1993. It gained widespread recognition due to its simplicity, security, and efficiency. Blowfish operates on 64-bit blocks and supports key sizes ranging from 32 bits to 448 bits. It has been widely used in various applications such as secure communication protocols, file encryption, and password storage.

Structure and Operation:
Blowfish employs a Feistel network structure, which is a widely used design in block ciphers. It consists of 16 rounds, each round applying a modified version of the cipher's key to the right half of the data block. The left and right halves are then swapped, and the process is repeated. This iteration process increases Blowfish's security and cryptographic strength.

Key Generation:
Blowfish uses a key expansion algorithm to generate a series of subkeys before encryption or decryption can take place. The key expansion process involves applying the user's supplied key multiple times using a combination of modular arithmetic operations and the cipher's internal structure. The subkeys generated during this process are then used in each round of encryption or decryption.

Feistel Network:
The Feistel network structure used in Blowfish is one of the key features contributing to its success. This structure allows for efficient and secure encryption and decryption by dividing the input block into two halves and applying a series of transformation rounds on each half. Blowfish's Feistel network utilizes a combination of substitution and permutation operations, known as the F-function, to provide confusion and diffusion properties.

Security:
Blowfish is considered a secure algorithm and has stood the test of time against various cryptographic attacks. However, due to advances in technology and computing power, certain vulnerabilities have been identified. One vulnerability is related to weak keys, which refer to a specific set of keys that make Blowfish encryption less secure. To mitigate this vulnerability, proper key management and the usage of sufficient key sizes are recommended.

Applications:
Blowfish has found wide application in various domains due to its desirable properties and simplicity. It is commonly used in Virtual Private Networks (VPNs), Secure Shell (SSH) protocols, and secure file transfer protocols (SFTP) to secure data transmission. Furthermore, it has been incorporated into popular cryptographic libraries and frameworks, making it easily accessible for developers looking to implement encryption and decryption functionality.

Comparison with AES:
Although Blowfish gained significant popularity in the past, it has been largely surpassed by the Advanced Encryption Standard (AES). AES provides a higher level of security and efficiency compared to Blowfish. Nonetheless, Blowfish continues to be used in legacy systems due to its simplicity and compatibility.

Conclusion:
Blowfish has been a pioneering symmetric block cipher algorithm that has stood the test of time. It offers a good balance between security and efficiency, making it suitable for various cryptographic applications. However, with the advent of newer and more secure algorithms, like AES, it is important to assess the specific security requirements and select the most appropriate encryption algorithm for each use case.
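The two cipher-design ideas described above, the Feistel structure of the Blowfish section and the ECB/CBC/CTR modes of the AET section, in one added example that is not part of either document. The 16-round Feistel cipher below has Blowfish's shape (64-bit block, 32..448-bit key, F applied to one half and XORed into the other, then a swap) but its F-function and key schedule are simplified stand-ins assumed here, not Blowfish's S-boxes and P-array; the key, IV, nonce and plaintext are constructed sample values.

```python
import struct

ROUNDS = 16          # Blowfish also uses 16 rounds
BLOCK = 8            # 64-bit block, as in Blowfish
KEY = b"Sixteen byte key"        # constructed sample key (128 bits)
IV = bytes(range(1, 9))          # constructed CBC initialization vector
NONCE = b"\xde\xad\xbe\xef"      # constructed 32-bit CTR nonce
REPEATED = b"SAME8BYT" * 4       # four identical plaintext blocks

def key_schedule(key: bytes) -> list:
    """One 32-bit subkey per round from a 32..448-bit key. Simplified stand-in for
    Blowfish's P-array expansion: cycle the key bytes, mix in a round constant."""
    if not 4 <= len(key) <= 56:
        raise ValueError("key must be 32..448 bits")
    subkeys = []
    for r in range(ROUNDS):
        word = int.from_bytes(bytes(key[(4 * r + i) % len(key)] for i in range(4)), "big")
        subkeys.append((word ^ (0x9E3779B9 * (r + 1))) & 0xFFFFFFFF)
    return subkeys

def f_function(half: int, subkey: int) -> int:
    """Keyed mixing of one 32-bit half (toy stand-in for Blowfish's S-box F).
    F need not be invertible: the Feistel structure is what makes decryption work."""
    x = (half + subkey) & 0xFFFFFFFF
    x ^= ((x << 13) | (x >> 19)) & 0xFFFFFFFF      # rotate left by 13
    x = (x * 0x85EBCA6B) & 0xFFFFFFFF
    return x ^ (x >> 16)

def feistel_pass(block: bytes, subkeys: list) -> bytes:
    """All rounds: F(right) is XORed into left, then the halves swap.
    Running the same pass with the subkeys reversed is the exact inverse."""
    left, right = struct.unpack(">II", block)
    for k in subkeys:
        left, right = right, left ^ f_function(right, k)
    return struct.pack(">II", right, left)          # undo the final swap

def encrypt_block(block: bytes, ks: list) -> bytes: return feistel_pass(block, ks)
def decrypt_block(block: bytes, ks: list) -> bytes: return feistel_pass(block, ks[::-1])

def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so ECB/CBC always see whole blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block encrypted independently, so equal blocks give equal output."""
    ks = key_schedule(key)
    return b"".join(encrypt_block(b, ks) for b in blocks(pad(plaintext)))

def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    ks = key_schedule(key)
    return unpad(b"".join(decrypt_block(b, ks) for b in blocks(ciphertext)))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (IV first)."""
    ks, prev, out = key_schedule(key), iv, []
    for b in blocks(pad(plaintext)):
        prev = encrypt_block(xor(b, prev), ks)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    ks, prev, out = key_schedule(key), iv, []
    for c in blocks(ciphertext):
        out.append(xor(decrypt_block(c, ks), prev))
        prev = c
    return unpad(b"".join(out))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt nonce||counter into a keystream and XOR it with the data.
    No padding is needed and the same call decrypts: a stream cipher from a block cipher."""
    ks, out = key_schedule(key), bytearray()
    for i, b in enumerate(blocks(data)):
        out += xor(b, encrypt_block(nonce + struct.pack(">I", i), ks))
    return bytes(out)

def compare_modes() -> dict:
    """Distinct ciphertext blocks each mode produces for REPEATED (four equal
    plaintext blocks): ECB leaks the repetition, CBC and CTR hide it."""
    return {
        "ECB": len(set(blocks(ecb_encrypt(KEY, REPEATED)))),       # 2: four equal + padding
        "CBC": len(set(blocks(cbc_encrypt(KEY, IV, REPEATED)))),   # 5: all different
        "CTR": len(set(blocks(ctr_crypt(KEY, NONCE, REPEATED)))),  # 4: all different
    }

if __name__ == "__main__":
    print(compare_modes())
```

The ECB count is the observable form of the weakness the AET section names: a reader of the ciphertext sees that four plaintext blocks were identical without knowing the key.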
Brochure

Product Overview
S6720-HI series full-featured 10 GE routing switches are Huawei's new-generation fixed switches to provide 10 GE downlink ports as well as 40 GE and 100 GE uplink ports. S6720-HI series switches provide native AC capabilities and can manage 1K APs. They provide a free mobility function to ensure consistent user experience and are Virtual Extensible LAN (VXLAN) capable to implement network virtualization. S6720-HI series switches also provide built-in security probes and support abnormal traffic detection, Encrypted Communications Analytics (ECA), and network-wide threat deception. The S6720-HI is ideal for enterprise campuses, carriers, higher education institutions, and governments.

Models and Appearance
S6720-50L-HI-48S
● 48 x 10 Gig SFP+, 6 x 40 Gig QSFP+ or 44 x 10 Gig SFP+, 4 x 40 Gig QSFP+, 2 x 100 Gig QSFP28
● Dual pluggable power modules, 600W AC or 350W DC (power modules not equipped by default)
● Switching capacity: 2.56 Tbit/s
S6720-30L-HI-24S
● 24 x 10 Gig SFP+, 4 x 40 Gig QSFP+, and 2 x 100 Gig QSFP28
● Dual pluggable power modules, 600W AC or 350W DC (power modules not equipped by default)
● Switching capacity: 2.56 Tbit/s

Features and Highlights

Abundant Convergence
● The S6720-HI provides the integrated WLAN AC function that can manage 1,000 APs, reducing the costs of purchasing additional WLAN AC hardware. The wireless forwarding performance reaches up to 668 Gbit/s, breaking the forwarding performance bottleneck of an external WLAN AC. With this switch series, customers can stay ahead in the high-speed wireless era. (The wireless forwarding performance is calculated based on 1024-byte packets.)
● The S6720-HI supports SVF and functions as a parent switch. With this virtualization technology, a physical network with the "Small-sized core and aggregation switches + Access switches + APs" structure can be virtualized into a "super switch", greatly simplifying network management.
● The S6720-HI provides excellent QoS capabilities and supports queue scheduling and congestion control algorithms. Additionally, it adopts innovative priority queuing and multi-level scheduling mechanisms to implement fine-grained scheduling of data flows, meeting service quality requirements of different user terminals and services.

Providing Granular Network Management
● The S6720-HI uses the Packet Conservation Algorithm for Internet (iPCA) technology that alters the traditional method of using simulated traffic for fault location. iPCA technology can monitor network quality for any service flow anywhere, anytime, without extra costs. It can detect temporary service interruptions in a very short time and can identify faulty ports accurately. This cutting-edge fault detection technology turns "extensive management" into "granular management."
● The S6720-HI supports Two-Way Active Measurement Protocol (TWAMP) to accurately check any IP link and obtain the entire network's IP performance. This protocol eliminates the need of using a dedicated probe or a proprietary protocol.

Flexible Ethernet Networking
● In addition to traditional Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP), the S6720-HI supports Huawei-developed Smart Ethernet Protection (SEP) technology and the latest Ethernet Ring Protection Switching (ERPS) standard. SEP is a ring protection protocol specific to the Ethernet link layer, and applies to various ring network topologies, such as open ring topology, closed ring topology, and cascading ring topology. This protocol is reliable, easy to maintain, and implements fast service switching within 50 milliseconds. ERPS is defined in ITU-T G.8032. It implements millisecond-level protection switching based on traditional Ethernet MAC and bridging functions.
● The S6720-HI supports Smart Link and Virtual Router Redundancy Protocol (VRRP), which implement backup of uplinks. One S6720-HI switch can connect to multiple aggregation switches through multiple links, significantly improving reliability of access devices.

Intelligent Stack (iStack)
● The S6720-HI supports the iStack function that combines multiple switches into a logical switch. Member switches in a stack implement redundancy backup to improve device reliability and use inter-device link aggregation to improve link reliability. iStack provides high network scalability. You can increase a stack's ports, bandwidth, and processing capability by simply adding member switches. iStack also simplifies device configuration and management. After a stack is set up, multiple physical switches can be virtualized into one logical device. You can log in to any member switch in the stack to manage all the member switches in it.

Cloud-based Management
● The Huawei cloud management platform allows users to configure, monitor, and inspect switches on the cloud, reducing on-site deployment and O&M manpower costs and decreasing network OPEX. Huawei switches support both cloud management and on-premise management modes. These two management modes can be flexibly switched as required to achieve smooth evolution while maximizing return on investment (ROI).

VXLAN
● VXLAN is used to construct a Unified Virtual Fabric (UVF). As such, multiple service networks or tenant networks can be deployed on the same physical network, and service and tenant networks are isolated from each other. This capability truly achieves 'one network for multiple purposes'. The resulting benefits include enabling data transmission of different services or customers, reducing the network construction costs, and improving network resource utilization.
● The S6720-HI series switches are VXLAN-capable and allow centralized and distributed VXLAN gateway deployment modes. These switches also support the BGP EVPN protocol for dynamically establishing VXLAN tunnels and can be configured using NETCONF/YANG.

Clock Synchronization
● The S6720-HI supports the IEEE 1588v2 protocol, which implements low-cost, high-precision, and high-reliability time and clock synchronization. This feature can meet strict requirements of power and transportation industry customers on time and clock synchronization.

OPS
● Open Programmability System (OPS) is an open programmable system based on the Python language. IT administrators can program the O&M functions of a switch through Python scripts to quickly innovate functions and implement intelligent O&M.

Big Data Powered Collaborative Security
● Agile switches use NetStream to collect campus network data and then report such data to the Huawei Cybersecurity Intelligence System (CIS). The purposes of doing so are to detect network security threats, display the security posture across the entire network, and enable automated or manual response to security threats. The CIS delivers the security policies to the Agile Controller. The Agile Controller then delivers such policies to agile switches that will handle security events accordingly. All these ensure campus network security.
● The S6720-HI supports Encrypted Communication Analytics (ECA). It uses built-in ECA probes to extract characteristics of encrypted streams based on NetStream sampling and Service Awareness (SA), generates metadata, and reports the metadata to the Huawei Cybersecurity Intelligence System (CIS). The CIS uses the AI algorithm to train the traffic model and compare characteristics of extracted encrypted traffic to identify malicious traffic. The CIS displays detection results on the GUI, provides threat handling suggestions, and automatically isolates threats with the Agile Controller to ensure campus network security.
● The S6720-HI supports deception. It functions as a sensor to detect threats such as IP address scanning and port scanning on a network and lures threat traffic to the honeypot for further checks. The honeypot performs in-depth interaction with the initiator of the threat traffic, records various application-layer attack methods of the initiator, and reports security logs to the CIS. The CIS analyzes security logs. If the CIS determines that the suspicious traffic is an attack, it generates an alarm and provides handling suggestions. After the administrator confirms the alarm, the CIS delivers a policy to the Agile Controller. The Agile Controller delivers the policy to the switch for security event processing, ensuring campus network security.

Intelligent O&M
● The S6720-HI provides telemetry technology to collect device data in real time and send the data to the Huawei campus network analyzer CampusInsight. CampusInsight analyzes network data based on the intelligent fault identification algorithm, accurately displays the real-time network status, effectively demarcates and locates faults in a timely manner, and identifies network problems that affect user experience, accurately guaranteeing user experience.
● The S6720-HI supports a variety of intelligent O&M features for audio and video services, including the enhanced Media Delivery Index (eMDI). With this eMDI function, the S6720-HI can function as a monitored node to periodically conduct statistics and report audio and video service indicators to the CampusInsight platform. In this way, the CampusInsight platform can quickly demarcate audio and video service quality faults based on the results of multiple monitored nodes.

Intelligent Upgrade
● Switches support the intelligent upgrade feature.
Specifically, switches obtain the version upgrade path and download the newest version for upgrade from the Huawei Online Upgrade Platform (HOUP). The entire upgrade process is highly automated and achieves one-click upgrade. In addition, preloading the version is supported, which greatly shortens the upgrade time and service interruption time.●The intelligent upgrade feature greatly simplifies device upgrade operations and makes it possible for the customer to upgrade the version independently. This greatly reduces the customer's maintenance costs. In addition, the upgrade policies on the HOUP platform standardize the upgrade operations, which greatly reduces the risk of upgrade failures. Product SpecificationsFixed ports 48 x 10 Gig SFP+, 6 x 40 Gig QSFP+ or 44 x 10Gig SFP+, 4 x 40 Gig QSFP+, 2 x 100 Gig QSFP2824 x 10 Gig SFP+, 4 x 40 Gig QSFP+, 2 x100 Gig QSFP28MAC 256000(Max) MAC address entriesIEEE 802.1d standards complianceMAC address learning and agingStatic, dynamic, and blackhole MAC address entries Packet filtering based on source MAC addressesVLAN 4K VLANsGuest VLANs and voice VLANsGVRPMUX VLANVLAN assignment based on MAC addresses, protocols, IP subnets, policies, and ports VLAN mappingIP routing Static routes, RIP v1/2, RIPng, OSPF, OSPFv3, IS-IS, IS-ISv6, BGP, BGP4+, ECMP, routing policyInteroperability VLAN-Based Spanning Tree (VBST), working with PVST, PVST+, and RPVST Link-type Negotiation Protocol (LNP), similar to DTPVLAN Central Management Protocol (VCMP), similar to VTPWireless service AP access control, AP domain management, and AP configuration template management Radio management, unified static configuration, and dynamic centralized management WLAN basic services, QoS, security, and user managementCAPWAP, tag/terminal location, and spectrum analysisEthernet loop protection RRPP ring topology and RRPP multi-instanceSmart Link tree topology and Smart Link multi-instance, providing millisecond-level protection switchoverSEPERPS (G.8032)BFD 
for OSPF, BFD for IS-IS, BFD for VRRP, and BFD for PIMSTP (IEEE 802.1d), RSTP (IEEE 802.1w), and MSTP (IEEE 802.1s)BPDU protection, root protection, and loop protectionMPLS MPLS L3VPNMPLS L2VPN (VPWS/VPLS) MPLS-TEMPLS QoSIPv6 features Neighbor Discover (ND)PMTUIPv6 Ping, IPv6 Tracert, IPv6 TelnetACLs based on source IPv6 addresses, destination IPv6 addresses, Layer 4 ports, or protocol typesMulticast Listener Discovery snooping (MLDv1/v2)IPv6 addresses configured for sub-interfaces, VRRP6, DHCPv6, and L3VPNMulticast IGMP v1/v2/v3 snooping and IGMP fast leaveMulticast forwarding in a VLAN and multicast replication between VLANs Multicast load balancing among member ports of a trunkControllable multicastPort-based multicast traffic statisticsIGMP v1/v2/v3, PIM-SM, PIM-DM, and PIM-SSMMSDPMulticast VPNQoS/ACL Rate limiting in the inbound and outbound directions of a portPacket redirectionPort-based traffic policing and two-rate three-color CARHQoSEight queues on each portDRR, SP, and DRR+SP queue scheduling algorithmsWREDRe-marking of the 802.1p and DSCP fields of packetsPacket filtering at Layer 2 to Layer 4, filtering out invalid frames based on the source MAC address, destination MAC address, source IP address, destination IP address, TCP/UDP source/destination port number, protocol type, and VLAN IDQueue-based rate limiting and shaping on portsSecurity Hierarchical user management and password protectionDoS attack defense, ARP attack defense, and ICMP attack defenseBinding of the IP address, MAC address, port number, and VLAN IDPort isolation, port security, and sticky MACMAC Forced Forwarding (MFF)Blackhole MAC address entriesLimit on the number of learned MAC addressesIEEE 802.1X authentication and limit on the number of users on a portAAA authentication, RADIUS authentication, and HWTACACS authenticationNACSSH V2.0HTTPSCPU protectionBlacklist and whitelistAttack source tracing and punishment for IPv6 packets such as ND, DHCPv6, and MLD packets IPSec for 
management packet encryptionReliability LACPE-TrunkEthernet OAM (IEEE 802.3ah and IEEE 802.1ag)ITU-Y.1731DLDPLLDPBFD for BGP, BFD for IS-IS, BFD for OSPF, BFD for static routesVXLAN VXLAN functions, VXLAN L2 and L3 gateways, BGP EVPN VXLAN configuration using NETCONF/YANGSVF Acting as the parent node to vertically virtualize downlink switches and APs as one device for managementTwo-layer client architectureASs can be independently configured. Services not supported by templates can be configured on the parent node.Third-party devices allowed between SVF parent and clientsiPCA Marking service packets to obtain the packet loss ratio and number of lost packets in real time Measurement of the number of lost packets and packet loss ratio on networks and devicesManagement and maintenance Cloud-based managementVirtual cable testSNMP v1/v2c/v3RMONWeb-based NMSSystem logs and alarms of different severities GVRPMUX VLAN802.3az Energy Efficient Ethernet (EEE) NetStreamDying gasp upon power-offDimensions (W x D xH)442 mm x 420 mm x 43.6 mm 442 mm x 420 mm x 43.6 mm Height 1 U 1 UInput voltage AC:●Rated AC voltage: 100V to 240V AC; 50/60 Hz ●Max. AC voltage: 90V to 264V AC; 47–63 Hz DC:●Rated DC power: –48V to 60V DC●Max. DC voltage: –38.4V to 72V DCMaximum powerconsumption279W 232WPower consumption(30% traffic load)194W 138WOperating temperature ●0–1800 m altitude: 0°C to 45°C●1800–5000 m altitude: The operating temperature reduces by 1°C every time the altitudeincreases by 220 m.Relative humidity 5% to 95% (non-condensing)Heat dissipation Heat dissipation with fan, intelligent fan speed adjustmentNetworking and ApplicationsHuawei S6720-HI is the first fixed agile switch with 10GE downlink and 40GE/100GE uplink ports. It supports in-depth wired and wireless convergence and unified management on devices, users, and services. 
The S6720-HI can be used as the core device in an enterprise branch network or a small- or middle-sized campus network, or as the aggregation device in a large-sized campus network. The switch helps achieve a manageable and highly reliable enterprise campus network with scalable services.

Ordering Information
The following table lists ordering information of the S6720-HI series switches.
Model | Product Description
S6720-50L-HI-48S | S6720-50L-HI-48S (48 x 10 Gig SFP+, 6 x 40 Gig QSFP+ or 44 x 10 Gig SFP+, 4 x 40 Gig QSFP+, 2 x 100 Gig QSFP28; without power module)
S6720-30L-HI-24S | S6720-30L-HI-24S (24 x 10 Gig SFP+, 4 x 40 Gig QSFP+, 2 x 100 Gig QSFP28; without power module)
PAC-600WA-B | 600W AC power module
PDC-350WA-B | 350W DC power module

More Information
For more information about Huawei Campus Switches, visit or contact us in the following ways:
● Global service hotline: /en/service-hotline
● Logging in to the Huawei Enterprise technical support website: /enterprise/
● Sending an email to the customer service mailbox: ********************

Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website:
Cryptography and Network Security: Chinese answer key

[Part 1: translation of the Chapter 2 answers, 4th edition]

2.1 What are the essential ingredients of a symmetric cipher?
plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm. (Plaintext, encryption algorithm, key, ciphertext, decryption algorithm.)

2.2 What are the two basic functions used in encryption algorithms?
permutation and substitution. (Substitution and permutation.) p20

2.3 How many keys are required for two people to communicate via a cipher?
A symmetric cipher needs only one key; an asymmetric cipher needs two. p20

2.4 What is the difference between a block cipher and a stream cipher?
a stream cipher is one that encrypts a digital data stream one bit or one byte at a time. a block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. (A block cipher takes a block of elements as input and correspondingly outputs a block of elements; a stream cipher processes the input elements continuously, producing one output element at a time.) p20

2.5 What are the two general approaches to attacking a cipher?
cryptanalysis and brute force. (Cryptanalysis and brute force.)

2.6 List and briefly define the types of cryptanalytic attacks based on what is known to the attacker.
ciphertext only. one possible attack under these circumstances is the brute-force approach of trying all possible keys. if the key space is very large, this becomes impractical. thus, the opponent must rely on an analysis of the ciphertext itself, generally applying various statistical tests to it.
known plaintext. the analyst may be able to capture one or more plaintext messages as well as their encryptions. with this knowledge, the analyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed.
chosen plaintext. if the analyst is able to choose the messages to encrypt, the analyst may deliberately pick patterns that can be expected to reveal the structure of the key.
(Ciphertext-only, known plaintext, chosen plaintext.)

2.7 What is the difference between an unconditionally secure cipher and a computationally secure cipher?
an encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. an encryption scheme is said to be computationally secure if: (1) the cost of breaking the cipher exceeds the value of the encrypted information, and (2) the time required to break the cipher exceeds the useful lifetime of the information. Textbook p21

2.8 Briefly define the Caesar cipher.
the caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25. Textbook p22

2.9 Briefly define a monoalphabetic cipher.
a monoalphabetic substitution cipher maps a plaintext alphabet to a ciphertext alphabet, so that each letter of the plaintext alphabet maps to a single unique letter of the ciphertext alphabet.

2.10 Briefly define the Playfair cipher.
the playfair algorithm is based on the use of a 5×5 matrix of letters constructed using a keyword. plaintext is encrypted two letters at a time using this matrix. Textbook p26

2.11 What is the difference between a monoalphabetic cipher and a polyalphabetic cipher?
a polyalphabetic substitution cipher uses a separate monoalphabetic substitution cipher for each successive letter of plaintext, depending on a key. Textbook p30

2.12 What are the two problems with the one-time pad?
1. there is the practical problem of making large quantities of random keys. any heavily used system might require millions of random characters on a regular basis. supplying truly random characters in this volume is a significant task.
2. even more daunting is the problem of key distribution and protection. for every message to be sent, a key of equal length is needed by both sender and receiver. thus, a mammoth key distribution problem exists. Textbook p33

2.13 What is a transposition cipher?
a transposition cipher involves a permutation of the plaintext letters. Textbook p33

2.14 What is steganography?
steganography involves concealing the existence of a message. Textbook p36

Problem 2.1 a. Are there any limitations on the value of b? Explain why.
Key points of Chapter 5 (block ciphers), answered in English:

Chapter 5: Block Ciphers and the Data Encryption Standard (DES)

Block ciphers are symmetric key ciphers that operate on fixed-size blocks of data. The Data Encryption Standard (DES) is a classic example of a block cipher that was widely used for many years.

Key Features of Block Ciphers:
Block size: Block ciphers operate on blocks of data with a fixed size, typically 64 or 128 bits.
Key: Block ciphers use a symmetric key known to both the sender and receiver.
Encryption and Decryption: Encryption and decryption processes involve transforming the input block using a series of mathematical operations guided by the key.
Confusion and Diffusion: Block ciphers employ techniques called confusion and diffusion to make it difficult to derive the key or the plaintext from the ciphertext.

The Data Encryption Standard (DES)
Principles and Techniques of Information Security: review material

I. Give the Chinese names of the following terms:
Block Cipher; Ciphertext; Known-Plaintext Attack; Encryption; Non-Repudiation; Key Distribution Center; Denial of Service; Data Integrity; AES; Authorization; Replay Attack; One-way Function; Key Distribution Center; Brute Force Search; Stream Cipher; Symmetric Encryption; Asymmetric Encryption; Ciphertext-only Attack; Known-Plaintext Attack; Chosen-Plaintext Attack; Man-in-the-Middle Attack; Message Authentication Code; Hashed Message Authentication Code; Digital Signature; Secure Socket Layer

II. Multiple choice
1. If m denotes the plaintext, c the ciphertext, E the encryption transformation and D the decryption transformation, which of the following expressions describes the encryption process? ( )
A. c=E(m)  B. c=D(m)  C. m=E(c)  D. m=D(c)
2. Re-sending information that was previously captured, so that it is transmitted without authorization, is an example of ( )
A. eavesdropping  B. tampering  C. masquerading  D. replay
3. The DES encryption process exchanges the two halves in the following form; which is correct? ( )
A. L_{i-1}=R_{i-1}, R_{i-1}=L_{i-1}⊕f(R_i,K_i), i=1,2,3,...,16
B. L_i=R_{i-1}, R_i=L_{i-1}⊕f(R_{i-1},K_i), i=1,2,3,...,16
C. L_{i-1}=R_{i+1}, R_i=L_{i+1}⊕f(R_{i-1},K_i), i=1,2,3,...,16
D. L_{i-1}=R_{i-1}, R_i=L_{i+1}⊕f(R_{i-1},K_i), i=0,1,2,3,...,15
4. Recovering the plaintext from captured ciphertext without knowing the key is called
LBlock: A Lightweight Block Cipher

Wenling Wu and Lei Zhang
State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, P.R. China
{wwl,zhanglei}@

Abstract. In this paper, we propose a new lightweight block cipher called LBlock. Similar to many other lightweight block ciphers, the block size of LBlock is 64-bit and the key size is 80-bit. Our security evaluation shows that LBlock can achieve enough security margin against known attacks, such as differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis and related-key attacks etc. Furthermore, LBlock can be implemented efficiently not only in hardware environments but also in software platforms such as 8-bit microcontroller. Our hardware implementation of LBlock requires about 1320 GE on 0.18 μm technology with a throughput of 200 Kbps at 100 KHz. The software implementation of LBlock on 8-bit microcontroller requires about 3955 clock cycles to encrypt a plaintext block.

Keywords: Block cipher, Lightweight, Hardware efficiency, Design, Cryptanalysis.

J. Lopez and G. Tsudik (Eds.): ACNS 2011, LNCS 6715, pp. 327–344, 2011. © Springer-Verlag Berlin Heidelberg 2011

1 Introduction

With the development of electronic and communication applications, RFID technology has been used in many aspects of life, such as access control, parking management, identification, goods tracking etc. In this kind of new cryptography environment, the applications of RFID technology and sensor networking both have similar features, such as weak computation ability, small storage space, and strict power constraints. Therefore, traditional block ciphers such as AES are not suitable for this kind of extremely constrained environment. Hence, in recent years, research on lightweight ciphers has received a lot of attention. Compared with traditional block ciphers, lightweight ciphers have the following three main properties. Firstly, applications for constrained devices are unlikely to require the encryption of large amounts of data, and hence there is no requirement of high throughput for lightweight ciphers. Secondly, in this cryptography environment, attackers lack data and computing ability, which means lightweight ciphers only need to achieve moderate security. Lastly, lightweight ciphers are usually implemented in hardware environments, and a small part of them are also implemented on software platforms such as 8-bit microcontroller. Therefore, hardware performance will be the primary consideration for lightweight ciphers.

Hardware efficiency can be measured in many different ways: the length of the critical path, latency, clock cycles, power consumption, throughput, area requirements, and so on. Among them area requirement is the most important parameter, since a small area requirement can minimize both the cost and the power consumption efficiently. Therefore, it has become common to use the term hardware efficient as a synonym for small area requirements, and the area requirements are usually measured as gate equivalents (GE). At present, for the hardware implementation of lightweight ciphers, area requirements are usually dominated by the registers storing the data state and the key, since registers typically consist of flip-flops which have a rather high area and power demand. For example, when using the standard cell library it requires between 6 and 12 GE to store a single bit [26].
Therefore, in the design of lightweight block ciphers, 64-bit block size and 80-bit key size are popular parameters.

While there is a growing requirement for ciphers suited to resource-constrained applications, a series of lightweight block ciphers have been proposed recently, e.g. PRESENT [9], HIGHT [14], mCrypton [21], DESL [19], CGEN [28], MIBS [15], KATAN & KTANTAN [10], TWIS [23], SEA [30] etc. All of these ciphers are designed and targeted specifically for extremely constrained environments such as RFID tags and sensor networks. Among them, PRESENT is supposed to be very competitive, since its hardware requirement is comparable with today's leading compact stream ciphers, and it is called an ultra-lightweight block cipher. Since its publication, only a few cryptanalytic results have been proposed against PRESENT, including the related-key rectangle attack on 17-round PRESENT in [24] and the side-channel attacks described in [27,35]. HIGHT has a 32-round generalized Feistel structure. Its main feature is the compact round function which contains no S-box, and all the operations are simple computations such as XOR, rotation, and addition operating on 8-bit input. In respect of cryptanalysis, a related-key attack on full-round HIGHT was presented in ICISC 2010, and an impossible differential attack on 26-round HIGHT was presented in [24]. mCrypton can be considered as a miniature of the block cipher Crypton [20], and a related-key rectangle attack on 8-round mCrypton has been reported in [25]. DESL and DESXL are lightweight modified versions of the well-known DES, and they adopt only one single S-box in order to minimize the hardware implementation. CGEN employs a compact round function called mixtable operation, and the main design strategies include using a fixed and per-device seed key which reduces the key scheduling, and the decryption operation is not needed either. MIBS is a 32-round Feistel cipher, and its round function employs an SP-network with XOR operations as diffusion layer, whose hardware requirements are more expensive than the bitwise permutation used in PRESENT etc. KATAN and KTANTAN are a family of lightweight block ciphers which contain six variants altogether. The KATAN family of ciphers all employ the same components, whose design strategy exploits some features of stream ciphers [11]. Meet-in-the-middle attacks on the KTANTAN family with a key of 80 bits were presented in [36]. TWIS is inspired by the existing block cipher CLEFIA [29]. However, a differential distinguisher with probability 1 for full-round TWIS was presented in [31]. SEA is a Feistel cipher with scalable block and key sizes, and its round function only consists of rotation, XOR, and a single 3-bit S-box operation. TEA [33] and XTEA [34] are lightweight block ciphers proposed several years earlier.

In this paper we propose a new lightweight block cipher called LBlock. The design of its structure and components, such as S-box layer, P permutation layer etc., all represent the trade-off between security and performance. Our security analysis shows that full-round LBlock can provide enough security margin against known cryptanalytic techniques, such as differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis, related-key attack etc. Furthermore, the performance evaluation of LBlock shows that not only hardware efficiency but also software implementations on 8-bit/32-bit platforms are ultra lightweight.

The rest of this paper is organized as follows. Sect. 2 presents the specification of LBlock. Sect. 3 introduces the design rationale briefly. Sect. 4 and Sect. 5 describe the security analysis and performance evaluation of LBlock respectively. Finally, Sect. 6 concludes the paper.

2 Specification of LBlock

The block length of LBlock is 64-bit, and the key length is 80-bit. It employs a variant Feistel structure and consists of
32 rounds. The specification of LBlock consists of three parts: encryption algorithm, decryption algorithm and key scheduling.

2.1 Notations

In the specification of LBlock, we use the following notations:
− M: 64-bit plaintext
− C: 64-bit ciphertext
− K: 80-bit master key
− K_i: 32-bit round subkey
− F: round function
− s: 4×4 S-box
− S: S-box layer consisting of eight s in parallel
− P, P1: permutations operating on 32 bits
− ⊕: bitwise exclusive-OR operation
− <<<8: 8-bit left cyclic shift operation
− >>>8: 8-bit right cyclic shift operation
− ||: concatenation of two binary strings
− [i]_2: binary form of an integer i

2.2 Encryption Algorithm

The encryption algorithm of LBlock consists of a 32-round iterative structure which is a variant of Feistel network. The encryption procedure is illustrated in Fig. 1. Let M = X_1 || X_0 denote a 64-bit plaintext, and then the data processing procedure can be expressed as follows.

[Fig. 1. Encryption procedure of LBlock. Figure not reproduced; its labels are X_1, X_0, <<<8, K_1, F, ..., K_32, X_32, X_33.]

1. For i = 2, 3, ..., 33, do X_i = F(X_{i−1}, K_{i−1}) ⊕ (X_{i−2} <<< 8)
2. Output C = X_32 || X_33 as the 64-bit ciphertext

Specifically, the components used in each round are defined as follows.

(1) Round function F
The round function F is defined as follows, where S and P denote the confusion and diffusion functions which will be defined later.
F: {0,1}^32 × {0,1}^32 → {0,1}^32, (X, K_i) → U = P(S(X ⊕ K_i))
Fig. 2 illustrates the structure of round function F in detail.

(2) Confusion function S
Confusion function S denotes the non-linear layer of round function F, and it consists of eight 4-bit S-boxes s_i in parallel.
S: {0,1}^32 → {0,1}^32, Y = Y_7||Y_6||Y_5||Y_4||Y_3||Y_2||Y_1||Y_0 → Z = Z_7||Z_6||Z_5||Z_4||Z_3||Z_2||Z_1||Z_0
Z_7 = s_7(Y_7), Z_6 = s_6(Y_6), Z_5 = s_5(Y_5), Z_4 = s_4(Y_4), Z_3 = s_3(Y_3), Z_2 = s_2(Y_2), Z_1 = s_1(Y_1), Z_0 = s_0(Y_0).

[Fig. 2. Round function F. Figure not reproduced; its labels are X, K_i, s_7, s_6, s_5, s_4, s_3, s_2, s_1, s_0.]

The contents of the eight 4-bit S-boxes are listed in Table 1.

(3) Diffusion function P
Diffusion function P is defined as a permutation of eight 4-bit words, and it can be expressed as the following equations.
P: {0,1}^32 → {0,1}^32, Z = Z_7||Z_6||Z_5||Z_4||Z_3||Z_2||Z_1||Z_0 → U = U_7||U_6||U_5||U_4||U_3||U_2||U_1||U_0
U_7 = Z_6, U_6 = Z_4, U_5 = Z_7, U_4 = Z_5, U_3 = Z_2, U_2 = Z_0, U_1 = Z_3, U_0 = Z_1.

2.3 Decryption Algorithm

The decryption algorithm of LBlock is the inverse of the encryption procedure, and it consists of a 32-round variant Feistel structure too. Let C = X_32 || X_33 denote a 64-bit ciphertext, and then the decryption procedure can be expressed as follows.
1. For j = 31, 30, ..., 0, do X_j = (F(X_{j+1}, K_{j+1}) ⊕ X_{j+2}) >>> 8
2. Output M = X_1 || X_0 as the 64-bit plaintext.

2.4 Key Scheduling

The 80-bit master key K is stored in a key register and denoted as K = k_79 k_78 k_77 k_76 ... k_1 k_0. Output the leftmost 32 bits of the current content of register K as round subkey K_1, and then operate as follows:
1. For i = 1, 2, ..., 31, update the key register K as follows:
(a) K <<< 29
(b) [k_79 k_78 k_77 k_76] = s_9[k_79 k_78 k_77 k_76], [k_75 k_74 k_73 k_72] = s_8[k_75 k_74 k_73 k_72]
(c) [k_50 k_49 k_48 k_47 k_46] ⊕ [i]_2
(d) Output the leftmost 32 bits of the current content of register K as round subkey K_{i+1}.
where s_8 and s_9 are two 4-bit S-boxes, and they are defined in Table 1.

Table 1. Contents of the S-boxes used in LBlock (output for inputs 0, 1, ..., 15)
s_0: 14, 9, 15, 0, 13, 4, 10, 11, 1, 2, 8, 3, 7, 6, 12, 5
s_1: 4, 11, 14, 9, 15, 13, 0, 10, 7, 12, 5, 6, 2, 8, 1, 3
s_2: 1, 14, 7, 12, 15, 13, 0, 6, 11, 5, 9, 3, 2, 4, 8, 10
s_3: 7, 6, 8, 11, 0, 15, 3, 14, 9, 10, 12, 13, 5, 2, 4, 1
s_4: 14, 5, 15, 0, 7, 2, 12, 13, 1, 8, 4, 9, 11, 10, 6, 3
s_5: 2, 13, 11, 12, 15, 14, 0, 9, 7, 10, 6, 3, 1, 8, 4, 5
s_6: 11, 9, 4, 14, 0, 15, 10, 13, 6, 12, 5, 7, 3, 8, 1, 2
s_7: 13, 10, 15, 0, 14, 4, 9, 11, 2, 1, 8, 3, 7, 5, 12, 6
s_8: 14, 9, 15, 0, 13, 4, 10, 11, 1, 2, 8, 3, 7, 6, 12, 5
s_9: 4, 11, 14, 9, 15, 13, 0, 10, 7, 12, 5, 6, 2, 8, 1, 3

3 Design Rationale

3.1 Structure

The structure of LBlock is a variant of Feistel network, and its design decisions contain a lot of considerations about security and efficient implementations (such as area, cost and performance etc.). In the aspect of
implementation, the most important consideration is the area requirement when implemented in hardware. Therefore, we try to reduce the number of S-boxes used in each round and also minimize the size of each S-box used. Hence a Feistel-type structure seems a proper choice. Furthermore, for all kinds of generalized Feistel structures which operate on fewer bits in each round, to achieve enough security margin they must take more round iterations, which will affect performance (such as speed and throughput). Therefore, in each round of LBlock, we choose only half of the data to go through round function F, and the other half applies a simple rotation operation. In the diffusion layer, we also choose to use a permutation which can be implemented with no cost in hardware. However, instead of the bitwise permutation usually used, we apply a 4-bit word-wise permutation which can be implemented cheaply not only in hardware but also in software environments such as 8-bit microprocessor platforms. For example, the word-wise permutation in round function F can be combined with the S-box layer to form 8×8 table lookups. Moreover, we specifically choose the rotation offset of the right half in each round as 8 bits, which can be omitted in 8-bit platform implementations. On the other hand, in the aspect of security requirements, we choose the word-wise permutation carefully so that the structure of LBlock satisfies that in both encryption and decryption directions it can achieve best diffusion [32] in 8 rounds. Furthermore, the numbers of differential and linear active S-boxes both increase quickly, and the following Table 2 lists the guaranteed number of active S-boxes up to 20 rounds.

Table 2. Guaranteed number of active S-boxes of LBlock (DS: differential, LS: linear)
Rounds | DS | LS || Rounds | DS | LS
1 | 0 | 0 || 11 | 22 | 22
2 | 1 | 1 || 12 | 24 | 24
3 | 2 | 2 || 13 | 27 | 27
4 | 3 | 3 || 14 | 30 | 30
5 | 4 | 5 || 15 | 32 | 32
6 | 6 | 6 || 16 | 35 | 35
7 | 8 | 8 || 17 | 36 | 36
8 | 11 | 11 || 18 | 39 | 39
9 | 14 | 14 || 19 | 41 | 41
10 | 18 | 18 || 20 | 44 | 44

3.2 Diffusion Layer

The diffusion permutation of LBlock consists of two parts, namely the word-wise permutation in the round function which is denoted as P, and the rotation of the right half data in each round which is denoted as P1. Both of these permutations can be implemented by wiring in hardware which needs no additional area cost. For software environments such as 8-bit and 32-bit microprocessor platforms, P can be combined with the S-box layer in the round function as table lookups and P1 (8-bit rotation) can be implemented quite easily. Therefore, the diffusion permutations of LBlock can be implemented efficiently both in hardware and in software environments. Furthermore, the combination of P and P1 can guarantee the best diffusion rounds and the least number of active S-boxes of LBlock. For example, there already exist at least 32 active S-boxes for 15-round LBlock.

3.3 S-Box Layer

In the pursuit of hardware efficiency, we use 4×4 S-boxes s: F_2^4 → F_2^4 in LBlock. Compared with the regular 8×8 S-box, a small S-box has much more advantage when implemented in hardware. For example, to implement the S-box of AES in hardware more than 200 GE are needed. On the other hand, for the 4×4 S-boxes used in LBlock, all of them can be implemented in hardware with only about 22 GE. Furthermore, in the aspect of security, the S-boxes used in LBlock are carefully chosen so that they all fulfill the following conditions: no fixed point, complete, best non-linearity, best differential probability, and good algebraic order etc.

3.4 Key Scheduling

Similar to many other lightweight block ciphers, the key scheduling of LBlock is also designed in a stream cipher way. We only apply simple rotation and non-linear operations to generate the round subkeys. First of all, the operation of 29-bit left rotation can be implemented freely in hardware, and it can also break the 4-bit word structure, which helps to improve the security of LBlock against related-key attacks. Secondly, we choose to use two 4×4 S-boxes as the non-linear operation which represents a trade-off between security and performance. Lastly, the exact values of rotation offset, constants and positions of constant addition are carefully
chosen, so as to avoid weak relations between round subkeys.

4 Security Evaluation

4.1 Differential Cryptanalysis

For differential cryptanalysis, we adopt an approach to count the number of active S-boxes of differential characteristics. This is a regular method to evaluate the security against differential attack, which was adopted by many other block ciphers, such as AES [12], Camellia [1] and CLEFIA [29] etc. We found the guaranteed number of differential active S-boxes of LBlock by computer program, and the results up to 20 rounds are listed in Table 2. Considering that there are at least 32 active S-boxes for 15-round LBlock and the best differential probabilities of the s_i are all equal to 2^-2, the maximum probability of differential characteristics for 15-round LBlock satisfies
$$\mathrm{DCP}^{15r}_{\max} \le 2^{32 \times (-2)} = 2^{-64}.$$
This means there is no useful 15-round differential characteristic for LBlock, since the block length of LBlock is only 64-bit. Therefore, we believe that the full 32-round LBlock is secure against differential cryptanalysis.

4.2 Linear Cryptanalysis

We also apply the method of counting active S-boxes for the evaluation of LBlock against linear cryptanalysis. Since there are at least 32 active S-boxes for 15-round LBlock and the best linear bias of each s_i is 2^-2, the maximum bias of linear approximations for 15-round LBlock satisfies
$$\mathrm{LCP}^{15r}_{\max} \le 2^{32-1} \cdot 2^{32 \times (-2)} = 2^{-33}.$$
Therefore, according to the complexity estimation of linear cryptanalysis, we can conclude that it is difficult to find useful 15-round linear hulls which can be used to distinguish LBlock from a random permutation. As a result, we believe that the full 32-round LBlock has enough security margin against linear cryptanalysis.

4.3 Impossible Differential Cryptanalysis

Impossible differential attack [3] is one of the most powerful cryptanalytic techniques, and its applications to many block ciphers (such as Camellia and CLEFIA etc.) represent the best cryptanalytic results obtained so far. We search for the impossible differential characteristic of LBlock using the algorithm proposed by Kim et al. [16]. The best distinguisher found is the following 14-round impossible differential characteristic:
$$(00000000,\ 00\alpha 00000) \xrightarrow{14r} (0\beta 000000,\ 00000000), \qquad (1)$$
where α, β ∈ {0,1}^4 \ {0} represent non-zero differences. Note that by changing the positions of α, β, we can construct other 14-round impossible differential characteristics in a similar way.

Based on the 14-round impossible differential distinguishers, we can mount a key recovery attack on 20-round LBlock. The attack procedure can be described as follows.

1. Choose a set of 2^12 plaintexts to construct a structure, where the 4-bit words X_{0,1}, X_{0,3} and X_{1,2} take all possible values and all the other words take constants. Then each structure can generate about 2^23 plaintext pairs satisfying the input difference (ΔX_1, ΔX_0) = (00000∗00, 0000∗0∗0). Choose 2^51 different structures which can generate about 2^74 candidate plaintext pairs.
2. For each corresponding ciphertext structure after 20-round encryption, choose the pairs satisfying the output difference (ΔX_21, ΔX_20) = (∗∗00∗∗0∗, 000∗0∗∗0), where ∗ denotes a non-zero difference. After this test, there remain about 2^74 × 2^-32 = 2^42 candidate pairs.
3. For every guess of the 28-bit subkey K_{20,0}, K_{20,1}, K_{20,2}, K_{20,4}, K_{20,5}, K_{20,6}, K_{20,7}, partially decrypt Round 20 to check if the pairs satisfy (ΔX_20, ΔX_19) = (000∗0∗∗0, 00∗0000∗). After this test, there remain about 2^42 × 2^-12 = 2^30 pairs.
4. For every guess of the 16-bit subkey K_{19,0}, K_{19,2}, K_{19,3}, K_{19,5}, partially decrypt Round 19 to check if the pairs satisfy (ΔX_19, ΔX_18) = (00∗0000∗, ∗0000000). After this test, there remain 2^30 × 2^-8 = 2^22 pairs.
5. For every guess of the 8-bit subkey K_{18,1}, K_{18,7}, partially decrypt Round 18 to check if the candidate pairs satisfy (ΔX_18, ΔX_17) = (∗0000000, 0∗000000). After this test, there remain about 2^22 × 2^-4 = 2^18 pairs.
6. For every guess of the 4-bit subkey K_{17,6}, partially decrypt Round 17 to check if the candidate pairs satisfy (ΔX_17, ΔX_16) = (0∗000000, 00000000). After this test, there remain about 2^18 × 2^-4 = 2^14 pairs.
7. For every guess of the 8-bit subkey K_{1,2}, K_{1,7}, partially encrypt Round 1 to check if the candidate pairs satisfy (ΔX_2, ΔX_1) = (00∗00000, 00000∗00). After this test, there remain about 2^14 × 2^-4 = 2^10 pairs.
8. For every guess of the 4-bit subkey K_{2,5}, partially encrypt Round 2 to check if the candidate pairs satisfy the following equation: (ΔX_3, ΔX_2) = (00000000, 00∗00000).
9. If there still remains a pair satisfying the impossible differential, then the 68-bit subkey guessed must be wrong. Delete it from the candidate subkey table. If the table of candidate subkeys is not empty after analyzing all the remaining pairs, output the subkey remaining in the table as the correct subkey.

For each of the candidate pairs in Step 8, the probability that it satisfies the filtering condition is about 2^-4. Therefore, for a wrong subkey guess, the probability of its remaining after Step 8 is about (1 − 2^-4)^(2^10) ≈ 2^-95. Then we can expect that after all these filterings, there remain about 2^68 × 2^-95 ≈ 2^-27 wrong subkey guesses, and only the correct subkey will be output.

The data and time complexities of the above attack can be estimated as follows. First of all, we choose 2^51 structures and the data complexity is 2^51 × 2^12 = 2^63 chosen plaintexts. The time complexity is dominated by Step 7 to Step 8, and each step needs about 2^78 S-box operations. Therefore, the time complexity of the attack is about 2 × 2 × 2^78 × (1/8) × (1/20) ≈ 2^72.7 20-round encryptions. According to the complexities of the impossible differential attack on 20-round LBlock, we expect that the full 32-round LBlock has enough security margin against this attack.

4.4 Integral Attack

Since LBlock is a 4-bit word oriented cipher, we also consider that integral attack [18] may be one of the most powerful attacks against LBlock. The best integral characteristic found is the 15-round distinguisher. Table 3 illustrates one of the 15-round integral distinguishers in detail, where C denotes a constant word, A denotes an active word and B denotes a balanced word respectively.
Note that by changing the position of C in the plaintext, we can obtain similar integral distinguishers easily.

Table 3. 15-round integral distinguisher of LBlock (C: constant word, A: active word, B: balanced word)
Round | Integral characteristic
0 | AAAC AAAA AAAA AAAA
1 | AAAC ACAC AAAC AAAA
2 | CCCC AAAC AAAC ACAC
3 | ACAC CCCC CCCC AAAC
4 | CCCC ACCC ACAC CCCC
5 | ACCC CCCC CCCC ACCC
6 | CCCC CCCC ACCC CCCC
7 | CCCC CCAC CCCC CCCC
8 | CCCC CCCA CCCC CCAC
9 | CCCC AACC CCCC CCCA
10 | CCCC AAAC CCCC AACC
11 | CCAA ACAA CCCC AAAC
12 | CAAB AAAA CCAA ACAA
13 | B?AA BBAA CAAB AAAA
14 | ?B?B ?B?B B?AA BBAA
15 | ???? ???? ?B?B ?B?B

Based on the 15-round integral distinguisher, we can mount a key recovery attack up to 20-round LBlock. For simplicity, we first give the integral attack on 18-round LBlock, and the attack procedure is as follows.
1. Choose a set of 2^60 plaintexts to construct a structure, where only one 4-bit word takes a constant and all the other words take all the possible values of {0,1}^60. Obtain the corresponding ciphertexts after 18-round encryption. Count the number of times each value of (X_{18,6}, X_{18,4}, X_{18,1}, X_{19,6}, X_{19,0}) occurs, and discard the values which occur an even number of times.
2. Guess corresponding subkeys to decrypt the ciphertexts.
(a) For every guess of the 8-bit subkey (K_{18,1}, K_{18,4}), partially decrypt Round 18 to compute X_{17,4} = s_4(X_{18,4} ⊕ K_{18,4}) ⊕ X_{19,6} and X_{17,6} = s_1(X_{18,1} ⊕ K_{18,1}) ⊕ X_{19,0}.
(b) For every guess of the 4-bit subkey K_{17,4}, partially decrypt Round 17 to compute X_{16,4} = s_4(X_{17,4} ⊕ K_{17,4}) ⊕ X_{18,6}.
(c) For every guess of the 4-bit subkey K_{16,4}, partially decrypt Round 16 to compute X_{15,4} = s_4(X_{16,4} ⊕ K_{16,4}) ⊕ X_{17,6}.
3. Check if the equation ⊕_l X_{15,4} = 0 is satisfied, where l is the number of plaintexts. If the equation is satisfied, then X_{15,4} is a balanced word. Otherwise, guess another subkey and repeat until we get the correct subkey.

The complexity of this attack can be estimated as follows. Step 1 needs about 2^60 plaintexts which requires 2^60 encryptions. For the five words counted in Step 1, there are at most 2^20 values. Therefore, the time complexity of Step 1 to Step 3 is less than 2^20 × 2^16 encryptions. For a wrong subkey guess, the probability that the equation ⊕_l X_{15,4} = 0 is satisfied is about 2^-4. Therefore, to discard all the wrong 16-bit subkey guesses, we need about five plaintext structures. Therefore, the total data and time complexities of this attack are both 5 × 2^60. Moreover, we can mount an integral attack on 20-round LBlock based on the 15-round integral distinguisher. The attack procedure is similar to the attack on 18-round LBlock, and we add two additional rounds at the end. Therefore, 12 subkey words need to be guessed and the data and time complexities will increase to about 13 × 2^60 ≈ 2^63.7.

4.5 Related-Key Attacks

Recently, the combination of related-key [2,17] and traditional cryptanalysis has become one of the most powerful attacks, and its application to some ciphers has improved the cryptanalytic results significantly [4,6,7,8,13]. Therefore, we have studied the possible related-key differential characteristics of LBlock so as to evaluate the security of LBlock against related-key attacks. In order to get a related-key differential characteristic with high probability, we have to control the number of active S-boxes. Therefore, we first choose the output differences of the 10 S-boxes (8 S-boxes in the round function and 2 S-boxes in the key scheduling) in Round i to all have Hamming weight less than 2. Then we search for the related-key differential before Round i in the decryption direction and after Round i in the encryption direction respectively, and count the total number of active S-boxes. The best related-key differential obtained so far is a 13-round distinguisher with 26 active S-boxes, and its probability is (2^-2)^25 · (2^-3) = 2^-53. For the 14-round related-key differential obtained, there are 32 active S-boxes and its probability is less than (2^-2)^31 · (2^-3) = 2^-65. Table 4 illustrates the propagation of the 14-round related-key differential of LBlock in detail.

5 Performance Evaluation

5.1 Hardware Performance

We implemented LBlock in VHDL and synthesized it on 0.18 μm CMOS technology to check for its hardware
complexity.Figure 3in Appendix III shows338W.Wu and L.ZhangTable4.14-Round related-key differential characteristic of LBlock RoundsΔX LΔRKΔI SΔO PΔX R 101200101000000000120010120012100012221212022000010000000002200001200101000120010130000000102000000020000012000010002200001400000002000000000000000200000100000000015000000000000000800000008000002000000000260000000000000000000000000000000000000000700000000000000000000000000000000000000008000000000000040000000400000010000000000090000100000000000000010000000001000000000100000001000000000000000100000000200001000110010000200020000001200020101010000000010120101110000000000010111002100201000100002133100221000000000310022102010201201011100142101201304000000250120134120021231002210parison of lightweight block cipher implementationsAlgorithm Block Key Area Speed LogicSize Size#GE kbps@100KHz Process XTEA64128349057.10.13μmHIGHT641283048188.20.25μmmCrypton641282500492.30.13μm DES6456230044.40.18μmDESXL64184216844.40.18μmKATAN6480105425.10.13μmKTANTAN648068825.10.13μmPRESENT648015702000.18μmLBlock648013202000.18μmthe datapath of an parallelization implementation of LBlock,which performs one round in one clock cycle.In this optimized implementation,we use a64-bit width datapath and implement the eight S-boxes of round function in parallel. 
Then,to encrypt64-bit plaintext with an80-bit key occupies about1320GE and requires32clock cycles.Table5compares the hardware performances of LBlock with other lightweight block ciphers.Specifically,in the above implementation the area requirement is occupied by flip-flops for storing the key and the data state.To store the80-bit key requires about480GE and to store the64-bit data state requires two32-bit registers (denoted as memleft and memright)which are about384GE.For round function F,it is consisted of the following three parts.The KeyAddition is a32-bit XOR operation which requires about87GE.The S-box layer consists of eight4×4 S-boxes in parallel,which requires about21.84×8=174.8GE.The diffusion layer P can be implemented by simple wiring and costs no area.Then in the end of each round,another32-bit XOR operation of two halves is needed which。
Analysis of the Statistical Cipher Feedback Mode of Block Ciphers
Howard M. Heys

Abstract—In this paper, we examine a recently proposed mode of operation for block ciphers which we refer to as statistical cipher feedback (SCFB) mode. SCFB mode configures the block cipher as a keystream generator for use in a stream cipher such that it has the property of statistical self-synchronization, thereby allowing the stream cipher to recover from bit slips in the communication channel. Statistical self-synchronization involves feeding back ciphertext to the input of the block cipher similar to the conventional cipher feedback (CFB) mode, except that the feedback only occurs when a special synchronization pattern is recognized in the ciphertext. In the paper, we examine the efficiency, resynchronization, and error propagation characteristics of SCFB and compare these to conventional modes such as CFB and output feedback (OFB). In particular, we study these characteristics of SCFB as a function of the synchronization pattern size. As well, we examine implementation issues of SCFB, focusing on the buffer requirements and resulting delay for a practical realization of the cipher. We conclude that SCFB mode can be used to provide practical, efficient, self-synchronizing implementations for stream ciphers. In particular, SCFB mode is best used in circumstances where slips are a concern and where implementation efficiency is a high priority in comparison to encryption latency.

Index Terms—Cryptography, stream ciphers, block cipher modes, synchronization, error propagation.

The author is with Electrical and Computer Engineering, Faculty of Engineering and Applied Science, Memorial University of Newfoundland, St. John's, NF, Canada A1B 3X5. E-mail: howard@engr.mun.ca. Manuscript received 10 Aug. 2001; revised 26 Feb. 2002; accepted 22 Apr. 2002. For information on obtaining reprints of this article, please send e-mail to: tc@, and reference IEEECS Log Number 114746. 0018-9340/03/$17.00 © 2003 IEEE. Published by the IEEE Computer Society.

1 INTRODUCTION

In this paper, we discuss a structure for self-synchronizing stream ciphers, recently proposed in [1]. Stream ciphers are used to encrypt one symbol, typically one bit, at a time. They are usually used when error propagation must be minimized or when the communication channel suffers from periodic slips. The basic form of a stream cipher involves the generation of a keystream—a keyed, pseudorandom, unpredictable sequence of bits—that is XORed bit by bit with the plaintext to generate the ciphertext at the transmitter [2]. At the receiver, the plaintext is recovered by generating the identical keystream such that it is exactly synchronized with the received ciphertext stream. Hence, the XOR of the keystream bits and received ciphertext bits produces the original plaintext bits.

We shall concern ourselves with stream ciphers which are derived from block ciphers such as the Data Encryption Standard (DES) [3] and the Advanced Encryption Standard (AES) [4]. Unlike stream ciphers, which conceptually operate on bits individually, block ciphers operate on a fixed-size block of plaintext bits to produce a block of ciphertext bits. When configuring a block cipher for use as a stream cipher, the keystream is generated by the output of the block cipher. There are several conventional modes of operation of block ciphers that allow their use as stream ciphers, including output feedback (OFB) mode and cipher feedback (CFB) mode [2]. In this work, we focus on an unconventional mode which we shall refer to as statistical cipher feedback (SCFB) mode. SCFB mode has been proposed [1] to provide physical layer security for a SONET/SDH environment and is suitable for many other applications as well. It has the benefits of being self-synchronizing and yet being more efficient in its implementation than conventional cipher feedback mode. In this paper, the characteristics of SCFB mode are thoroughly examined and its merits are discussed.

2 BACKGROUND

There are several conventional block cipher modes of operation that may be applied to derive a stream cipher, each with its own advantages and disadvantages. We briefly review the important modes of output feedback and cipher feedback here. In our notation, we let $B$ represent the block size in bits of the block cipher. For example, for DES, $B = 64$ and, for AES, $B = 128$.

Output feedback (OFB) mode, a standardized mode of operation for block ciphers such as DES [5], generates the keystream by directly feeding back the $B$-bit output of the block cipher to the input. An implementation of OFB is parameterized by $j$, $1 \le j \le B$, where every block cipher operation produces $j$ bits of keystream which can be XORed with $j$ bits of plaintext to produce $j$ bits of ciphertext. For efficiency purposes, it is convenient to let $j = B$, thereby making use of all possible $B$ output bits of the block cipher for every block cipher operation. This basic configuration is illustrated in Fig. 1. The primary advantage of output feedback mode is that error propagation is minimized. In fact, a single bit error in the ciphertext in the communication channel results in only a single bit error in the recovered plaintext. The most significant disadvantage of OFB is that the system relies on the maintaining of synchronization between the transmitter and receiver. For example, if a slip occurs (i.e., one or more bits are eliminated from the received ciphertext stream), synchronization loss will occur between the transmitter and receiver and half the bits following the slip are expected to be in error until synchronization is recovered. Resynchronization can be achieved by periodically sending an initialization vector (IV) from the transmitter to the receiver through the signaling channel of the communication system. Obviously, the price of such a scheme involves extra messaging overhead and the associated delays while synchronizing. As well, the rate at which synchronization messages are sent must balance the overhead of sending such messages frequently with the penalty of losing synchronization for a long period of time should the messages be sent too infrequently. However, OFB (not considering the resynchronization messaging overhead) can be implemented as efficiently as straight block encryption by having $B$ bits of keystream produced from one block cipher output.

Cipher feedback (CFB) mode [5] allows for automatic resynchronization should slips occur in the communication channel and, hence, CFB stream ciphers fall into the category of self-synchronizing stream ciphers. There are several parameters that may be set for an implementation of CFB; however, a typical application would have the input to the block cipher driven by ciphertext data which is fed back into a shift register at the input of the block cipher in groups of $m$ ($\le B$) bits at a time, as shown in Fig. 2. The plaintext is encrypted by XORing $m$ bits with $m$ bits of the block cipher output. Since the input to the block cipher is being generated from the ciphertext, which is available to both ends of the communication, it is possible to recover from slips using CFB. For example, if any single or multiple bit slip occurs, the CFB cipher with $m = 1$ can recover synchronization since the next $B$ bits will be shifted into the register at the input to the block cipher and, at this point, the receiver will again be synchronized with the transmitter. Resynchronization therefore requires only $B$ bits in CFB mode with $m = 1$. Unfortunately, the self-synchronization property achieved by the CFB mode is costly in terms of implementation efficiency. For CFB with $m = 1$, only one keystream bit is generated from a $B$-bit block cipher output and, hence, the cipher is only capable of operating at $1/B$ times the rate of block encryption and, consequently, can only be implemented at $1/B$ times the best rate of OFB. This can be improved by increasing $m$, but, if $m > 1$ and a single bit slip occurs, the input to the block cipher at the receiver will become misaligned and resynchronization will not occur. In fact, slips must occur as multiples of $m$ bits or resynchronization will not occur. Hence, usually for CFB mode, $m = 1$ is the desirable configuration.¹

Finally, it should be noted that the error propagation advantage of OFB is no longer applicable to CFB mode. This occurs because, at the receiver, a bit error must work its way through the shift register at the input to the block cipher. As a result, for CFB mode with $m = 1$, a single bit error in the communication channel will result in the corrupted bit plus the next $B$ bits being randomly decrypted due to the receiver's corrupted keystream. So, a bit error is expected to result, on average, in $B/2 + 1$ errors in the recovered plaintext.

3 DESCRIPTION OF SCFB

In [1], the concept of statistical self-synchronization is proposed as a mechanism to provide physical layer security for a SONET/SDH environment.² Operation of the mode is illustrated in Fig. 3, where $E$ represents the block cipher encryption operation with block size $B$, and both the encryption and decryption of SCFB mode are illustrated. Essentially, the concept of statistical self-synchronization involves a hybrid of OFB³ and CFB modes: the cipher operates in OFB mode while scanning the ciphertext for a special sync pattern of $n$ bits in length. When this pattern is recognized, the next $B$ bits are stored for a new initialization vector (IV) and, after all $B$ bits have been collected, the input register for the block cipher is loaded with the new IV.
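The following bit-level simulation of the SCFB state machine just described is an added example, not code from the paper (whose own pseudocode is not reproduced on this page). It assumes a toy block size B = 32 with truncated SHA-256 standing in for E_K (not a real cipher, used only so the example runs offline), a sync pattern 1000 with n = 4, and that the scanning window is reset to zeros after an IV load; it then deletes ciphertext bits to show the receiver losing and regaining sync.

```python
"""Bit-level simulation of SCFB (statistical cipher feedback) mode.

Added example, not the paper's code. A toy 32-bit "block cipher" built from
truncated SHA-256 stands in for E_K; it is NOT secure and exists only so the
simulation runs offline without a crypto library.
"""
import hashlib

B = 32                 # toy block size in bits (assumption; real ciphers use 64/128)
N = 4                  # sync pattern size n (assumption)
SYNC = [1, 0, 0, 0]    # Q_0..Q_{n-1}; Q_0 = 1 as the paper requires


def toy_block(key: bytes, x: int) -> int:
    """Stand-in for E_K(x): keyed pseudorandom B-bit output (not a real cipher)."""
    digest = hashlib.sha256(key + x.to_bytes(B // 8, "big")).digest()
    return int.from_bytes(digest[: B // 8], "big")


class SCFB:
    """One end of an SCFB link. Transmitter and receiver run the same state
    machine; the only difference is which bit (plaintext or ciphertext) is
    XORed with the keystream."""

    def __init__(self, key: bytes, iv: int):
        self.key = key
        self.x = iv                # block cipher input register X_0..X_{B-1}
        self.keystream = []        # unused bits of the latest block output
        self.window = [0] * N      # W_0..W_{n-1}: last n ciphertext bits seen
        self.loading_iv = False    # sync pattern seen, collecting Z_0..Z_{B-1}
        self.z = []

    def _keystream_bit(self) -> int:
        if not self.keystream:                 # OFB: encrypt, feed output back
            out = toy_block(self.key, self.x)
            self.x = out
            self.keystream = [(out >> (B - 1 - i)) & 1 for i in range(B)]
        return self.keystream.pop(0)

    def _observe(self, c: int) -> None:
        """Scan ciphertext bit c for the sync pattern, or collect it as IV."""
        if self.loading_iv:                    # scanning suspended while loading
            self.z.append(c)
            if len(self.z) == B:
                self.x = int("".join(map(str, self.z)), 2)   # load the new IV
                self.keystream = []            # rest of the old block output is dropped
                self.z, self.loading_iv = [], False
                self.window = [0] * N          # assumption: window reset after load
            return
        self.window = self.window[1:] + [c]
        if self.window == SYNC:
            self.loading_iv = True

    def encrypt_bit(self, p: int) -> int:
        c = p ^ self._keystream_bit()
        self._observe(c)
        return c

    def decrypt_bit(self, c: int) -> int:
        p = c ^ self._keystream_bit()
        self._observe(c)
        return p


def encrypt(key: bytes, iv: int, pbits: list) -> list:
    tx = SCFB(key, iv)
    return [tx.encrypt_bit(p) for p in pbits]


def decrypt(key: bytes, iv: int, cbits: list) -> list:
    rx = SCFB(key, iv)
    return [rx.decrypt_bit(c) for c in cbits]


def slip_recovery(key: bytes, iv: int, pbits: list, slip_at: int, lost: int) -> dict:
    """Delete `lost` ciphertext bits at `slip_at` (a slip) and measure how many
    bits after the slip are decrypted wrongly before the next sync pattern and
    IV bring the receiver back into step with the transmitter."""
    cbits = encrypt(key, iv, pbits)
    damaged = cbits[:slip_at] + cbits[slip_at + lost:]
    expected = pbits[:slip_at] + pbits[slip_at + lost:]
    recovered = decrypt(key, iv, damaged)
    wrong = [i for i in range(slip_at, len(expected)) if recovered[i] != expected[i]]
    return {"errors": len(wrong),
            "bits_until_resync": (wrong[-1] - slip_at + 1) if wrong else 0,
            "tail_ok": recovered[-B:] == expected[-B:]}


# Constructed sample input: a fixed key, a public starting register value
# shared by both ends, and a patterned (not random) plaintext bit string.
KEY = b"constructed-demo-key"
IV0 = 0x12345678
PLAINTEXT = [(i * 7 + i // 3) % 2 for i in range(4000)]

if __name__ == "__main__":
    assert decrypt(KEY, IV0, encrypt(KEY, IV0, PLAINTEXT)) == PLAINTEXT
    print(slip_recovery(KEY, IV0, PLAINTEXT, slip_at=500, lost=1))
```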
The cipher then proceeds in OFB mode until the next $n$-bit sync pattern is received. During the collection of $B$ bits for the new IV, the sync pattern scanning is turned off so that any $n$ bits matching the sync pattern are ignored until the IV collection phase is complete. This process follows for both encryption and decryption and, since both the transmitter and receiver are examining the ciphertext, synchronization is achieved.

Fig. 1. OFB mode.
Fig. 2. CFB mode.

¹ There are cases where $m > 1$ makes sense. For example, CFB with $m = 8$ can be used to encrypt an asynchronous communication link so that an 8-bit character can be encrypted with each block cipher output. Here, CFB mode is used to recover from losses of synchronization due to asynchronous characters being lost, as opposed to individual bit slips.
² This scheme appears to have also been invented earlier and is referred to in [6].
³ SCFB can also be implemented as a hybrid of counter mode [2] and CFB mode. However, in this paper, we focus our description on the OFB-based configuration only.

To provide enough detail for precise clarity of the operation of SCFB mode, a pseudocode representation for encryption at the transmitter using SCFB is given in Fig. 4. The sync pattern is given by $Q_0 \ldots Q_{n-1}$, and $W_0 \ldots W_{n-1}$ represents the window of $n$ bits that is currently being compared to the sync pattern. In order for the algorithm, as presented, to work with the initialization of $W_0 \ldots W_{n-1}$ to all zeros, $Q_0$ must be 1. The function $E_K(\cdot)$ represents the block cipher encryption (using key $K$). $Z_0 \ldots Z_{B-1}$ is used to collect the IV bits. The flags loading_IV and new_IV are used to indicate that the IV is currently being collected (and sync pattern scanning is therefore suspended) and that collection of the IV has just completed, respectively. Note that the initial block cipher input $X_0 \ldots X_{B-1}$ is given an initial value known to both the transmitter and receiver at the beginning of the communication. From the pseudocode, it may be seen that the encryption of a bit would encounter a significant delay whenever a new block encryption is required, since $E_K$ can be expected to take much longer than any other operation in the algorithm. Hence, in practice, for an efficient synchronous system, an implementation would need a buffer in order to ensure that plaintext bits can be accepted at a uniform rate and ciphertext bits can be produced at a uniform rate at the output of the encryption process.

Since both the transmitter and receiver are using recognized bits within the ciphertext as a cue to resynchronize the stream cipher, SCFB mode is capable of self-synchronization and will clearly perform better in an environment where slips occur than OFB mode. Also, although individual bit errors will typically only cause one bit error if the bit is not part of the sync pattern or the initialization vector, there is the possibility that a bit error will cause a synchronization to be missed, an incorrect IV to be used, or a false synchronization to be detected at the receiver. In these cases, a single bit error in the communication channel will result in many bit errors at the output of the decryption, as synchronization will be lost until the next sync pattern is properly detected. Hence, clearly, the error propagation characteristics of SCFB will be worse than OFB mode.

It should be noted that a mode similar in nature to SCFB was recently proposed in [7] and is referred to as Optimized Cipher Feedback (OCFB). As in SCFB, OCFB uses recognition of a synchronization pattern in the ciphertext to resynchronize the states of the transmitter's and receiver's keystream generators. Hence, the characteristics of SCFB and OCFB are very similar and, in our work, we focus on SCFB.

Although the SCFB mode was proposed in [1], the cipher characteristics were not fully examined. Notably, the effect of the sync pattern size on the cipher properties was not discussed. In the following sections, we shall consider the efficiency, resynchronization, and error propagation characteristics of SCFB and, in particular, make a comparison to other conventional cipher modes. Further, we shall discuss the implementation issues associated with a practical realization of the SCFB cipher mode and briefly comment on the security of the scheme in relation to the likelihood of the keystream repeating.

HEYS: ANALYSIS OF THE STATISTICAL CIPHER FEEDBACK MODE OF BLOCK CIPHERS 79
Fig. 3. SCFB mode.
Fig. 4. SCFB pseudocode.

4 THEORETICAL EFFICIENCY

The principal advantage of implementing SCFB versus conventional CFB is that the efficiency (and, hence, the potential speed) of the implementation can approach that of straight block encryption, depending on the sync pattern size. Letting $D$ represent the number of bits transmitted, we can define the theoretical efficiency for a stream cipher based on a block cipher core as

  efficiency $= \lim_{D \to \infty} \dfrac{D/B}{E\{\#\text{block cipher operations for } D \text{ bits}\}}$,  (1)

where $E\{\cdot\}$ represents the expectation operator. The numerator represents the number of block cipher operations required for straight block encryption and the denominator represents the expected number of block cipher operations required in SCFB mode (or other mode of interest). Hence, the theoretical efficiency is essentially a measure of the rate at which the stream cipher can encrypt in comparison to block encryption. In reality, the theoretical efficiency represents an upper bound on the efficiency: as we shall see in Section 7, real implementations place constraints on the system so that the practical efficiency (which we shall refer to as full-queue efficiency) is marginally smaller.

For OFB mode, when all $B$ bits are used in the XOR operation, the efficiency is 1 and, for conventional CFB with $m = B$, the efficiency is 1. However, if we are to be guaranteed to correct slips of any number of bits, conventional CFB must operate with $m = 1$ and, in this case, the efficiency is $1/B \ll 1$. So, conventional CFB is very inefficient in comparison to block encryption.

Consider now SCFB. We can assume that, for SCFB, the ciphertext bits transmitted in the communication channel can be categorized as illustrated in Fig. 5, where it is clear that some bits belong to the sync pattern ($n$ bits), some belong to the subsequent IV ($B$ bits), and the remaining bits, which we shall refer to as the OFB block, occur between the end of the IV and the beginning of the next sync pattern. We shall refer to the set of bits from the beginning of the sync pattern to the beginning of the next sync pattern as a synchronization cycle and, hence, a synchronization cycle consists of $n + B + k$ bits, where $k$ is the size of the OFB block. The size $k$ of the OFB block is variable and dependent on the position of the next sync pattern. Since we assume that the block cipher used in the SCFB configuration displays strong randomness properties (or else it would be insecure), $k$ is a random variable with a probability distribution determined by assuming that each bit of ciphertext is equally likely to be a 0 or 1 and that each bit is independent. Strictly, the distribution of $k$ is dependent on the sync pattern used (e.g., 11...11, or 10...00, etc.). The value of $k$ is determined by the process of taking samples of $n$ bits and comparing each to the sync pattern, where $k$ is the number of samples taken before the sync pattern is found. Now, if we assume that each $n$-bit sample is independent, then the value of $k$ follows the geometric distribution where the probability that the sync pattern occurs in a sample is $1/2^n$. In this case, we have the probability distribution for $k$ given by

  $P(k) = (1 - 1/2^n)^k \cdot 1/2^n$,  (2)

the expected value of $k$ given by

  $E\{k\} = 2^n - 1$,  (3)

and the second moment of $k$ given by

  $E\{k^2\} = 2^{2n+1} - 3 \cdot 2^n + 1$.  (4)

Based on the geometric distribution, we can define the average synchronization cycle size to be represented by $\lambda$, where

  $\lambda = n + B + 2^n - 1$.  (5)

For SCFB mode, where $k$ actually represents the size of the OFB block as determined by the next occurrence of the sync pattern, consecutive samples overlap in $n - 1$ bits and, hence, samples are not independent and $k$ does not follow the geometric distribution exactly. However, we have verified experimentally that, for most sync patterns, the probability distribution of $k$ can be approximated by the geometric distribution. We therefore use this distribution in our development and defer a more detailed discussion of the effect of the selection of the sync pattern on the distribution of $k$ to the Appendix.

Consider now the scenario for Fig. 5 where $k + n + B$ is not a multiple of $B$. In this case, after the second IV is collected, the input register of the block cipher will be loaded and a new block cipher output will be produced after a block cipher operation that is used for encrypting only a subset of a full $B$-bit block of plaintext. For example, write $k + n + B$ as a whole number of $B$-bit blocks plus a remainder of fewer than $B$ bits. Hence, from the beginning of the OFB block to the end of the second IV, the block cipher must execute one more block encryption than that whole number of blocks, producing a full $B$ bits of output each time, to encrypt only $k + n + B$ plaintext bits (i.e., only the remainder bits of the last block cipher output are used in the XOR). Therefore, in SCFB mode, the block cipher must be run at a rate slightly greater than for straight block encryption, and a buffer must be used to accommodate scenarios where only partial outputs of the block cipher are used by the XOR operation.

Using (1) as the basic definition, it is possible to define the theoretical efficiency of SCFB as

  efficiency $= \dfrac{E\{\text{sync cycle size}\}/B}{E\{\#\text{block cipher operations per sync cycle}\}}$.  (6)

80 IEEE TRANSACTIONS ON COMPUTERS, VOL. 52, NO. 1, JANUARY 2003
Fig. 5. Synchronization cycle.

This leads to

  efficiency $= \dfrac{\lambda/B}{\sum_{k=0}^{\infty} P(k) \cdot \lceil (k + n + B)/B \rceil}$.  (7)

Consider now the computation of the denominator of (7). The expression for the denominator can be rewritten as

  $\text{denom} = \sum_{k=0}^{\infty} P(k) \cdot \left( \left\lceil \dfrac{k + n}{B} \right\rceil + 1 \right)$.  (8)

Further, considering the effect of the ceiling operator, it may be shown that

  $\text{denom} = d_A + d_B + 1$,  (9)

where

  $d_A = \sum_{k=0}^{B-n} P(k)$  (10)

and

  $d_B = \sum_{j=2}^{\infty} \; \sum_{k=(j-1)B-n+1}^{jB-n} j \cdot P(k)$.  (11)

Recall that $P(k)$ is given by (2). Letting $\rho = (1 - 1/2^n)$ and noting that $d_A$ is represented by the sum of a geometric series, it is easily derived that

  $d_A = 1 - \rho^{B-n+1}$.  (12)

As well, it can be shown that

  $d_B = \sum_{j=2}^{\infty} j \cdot \left( \rho^{(j-1)B-n+1} - \rho^{jB-n+1} \right) = (1 - \rho^B)\,\rho^{-B-n+1} \sum_{j=2}^{\infty} j\,\rho^{jB} = (1 - \rho^B)\,\rho^{-B-n+1} \left[ \dfrac{\rho^B}{(1 - \rho^B)^2} - \rho^B \right]$.  (13)

Now, substituting for $d_A$ and $d_B$ leads to the denominator of (7) given by

  $\text{denom} = 2 + \dfrac{\rho^{B-n+1}}{1 - \rho^B}$.  (14)

Finally, the efficiency of SCFB mode can be straightforwardly computed from $n$ and $B$ using

  efficiency $= \dfrac{\lambda/B}{2 + \dfrac{(1 - 1/2^n)^{B-n+1}}{1 - (1 - 1/2^n)^B}}$.  (15)

We have computed the theoretical efficiency for block sizes of 64, 128, and 256 bits, and these are plotted in Fig. 6 as a function of the sync pattern size. It is obvious from the graph that, as $n$ increases, the efficiency of the implementation increases and, for large $n$, the efficiency approaches 100 percent, implying that the stream cipher can be run at a rate very nearly equivalent to the speed of block encryption. In fact, a cipher can be run at a rate approaching the theoretical efficiency times the block encryption rate with a suitably large buffer to account for the scenario of several resynchronizations within a short time frame. This is discussed in detail in Section 7. Note that all efficiencies for SCFB mode are greater than 50 percent. This occurs because at least one full block is used in each synchronization cycle, since $B$ bits are associated with the IV. For small values of $n$, SCFB is significantly less efficient than straight block encryption. For example, for $n = 1$, the cipher is resynchronizing after an expected OFB block size of 1 and, as a result, virtually every second block cipher output is used only for a small number of bits in the XOR operation. Hence, the efficiency is only about 50 percent. For conventional CFB mode with $m = 1$, to accommodate sync recovery from a slip of any number of bits, the efficiency would be < 2% and < 1% for a block size of $B = 64$ and $B = 128$, respectively. In contrast, for OFB mode, efficiencies are 100 percent when all $B$ bits of block cipher output are used in the keystream.

Fig. 6. Theoretical efficiency vs. sync pattern size.

Also from the graph, it is clear that SCFB mode applied to a block cipher with a large block size suffers in efficiency. For example, for $n = 8$, the theoretical efficiencies are 91.1 percent, 85.3 percent, and 78.1 percent for 64-, 128-, and 256-bit blocks, respectively. However, these efficiencies are still many times more than the conventional CFB mode and, in fact, the ratio of SCFB efficiency to conventional CFB efficiency increases as $B$ increases.

5 RESYNCHRONIZATION

A fundamental requirement of a self-synchronizing stream cipher is that resynchronization occurs quickly to minimize the corruption of data due to a sync lost condition. Conventional CFB mode with $m = 1$, for example, will synchronize within $B$ bits of the end of a slip of one or more bits. Resynchronization delay for an OFB cipher relying on signaling messages to provide synchronization information will generally be very large, since synchronization usually relies on a low rate signaling channel and synchronization messages are exchanged relatively infrequently.

In this section, we examine the resynchronization properties of SCFB mode. We shall consider the metric of interest to be the synchronization recovery delay (SRD), defined as the expected number of bits following a sync loss due to a slip before synchronization is regained. It is important to note that, in our analysis, when we refer to the occurrence of a slip, we are referring to the position representing the termination of the bits lost in the slip. Hence, we consider SRD to represent the number of bits for which the receiver is out of sync following the termination of the slip. That is, SRD does not include the bits that are lost directly due to the slip, and no explicit assumptions are made about the number of bits lost in the slip. In our work, we will present lower and upper bounds on SRD and experimental measurements of SRD for varying values of $n$. Our analysis shows that, except for very small sync pattern sizes (i.e., $n \le 4$), SRD is approximately $2^n$, a value that can be significantly larger than SRD for CFB for large $n$. This fact encourages the use of modest size values of $n$ in SCFB mode.

5.1 Lower Bound on SRD

We begin by considering a lower bound on the sync recovery delay. Assume that a slip randomly occurs such that there are no other slips in the synchronization cycle in which the slip terminates. The probability that the slip occurs within a synchronization cycle of size $n + B + k$ is given by

  $P^*(k) = \dfrac{(n + B + k) \cdot P(k)}{\lambda}$,  (16)

where $P(k)$ and $\lambda$ are given by (2) and (5), respectively. Assuming that the receiver resynchronizes at the next sync pattern, i.e., at the end of the next IV, it will take an average of $(n + B + k)/2 + n + B$ bits to resynchronize. This is determined by the average position of a slip within the synchronization cycle plus the $n + B$ bits required at the beginning of the next synchronization cycle to resynchronize. Now, if we consider the average over all synchronization cycle sizes, then the synchronization recovery delay is lower bounded as in

  $\text{SRD} > \sum_{k=0}^{\infty} \dfrac{3(n + B) + k}{2} \cdot P^*(k) = \dfrac{3}{2}(n + B) + \dfrac{1}{2} \sum_{k=0}^{\infty} \dfrac{(n + B)\,k\,P(k) + k^2 P(k)}{\lambda} = \dfrac{3}{2}(n + B) + \dfrac{1}{2\lambda} \left[ (n + B)\,E\{k\} + E\{k^2\} \right]$,  (17)

where $E\{k\}$ and $E\{k^2\}$ are given by (3) and (4), respectively. For large $n$, the sync recovery delay lower bound of (17) is approximated by $2^n$. Equation (17) represents a lower bound because it is possible that the position of the slip can result in scenarios which prevent resynchronization at the next sync pattern.
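To make the efficiency and SRD expressions above concrete, here is an added numerical check in Python (not the paper's code). It evaluates the geometric model of the OFB block size (2) to (5), sums the expected number of block operations per cycle directly from (7) to confirm the closed form (14), and evaluates the efficiency (15) and the SRD lower bound (17); the only assumption beyond the text is where the infinite sum is truncated.

```python
"""Numerical check of the SCFB efficiency and SRD expressions.

Added example, not the paper's code. Uses the geometric model for the OFB
block size k and evaluates the closed-form results of the paper numerically.
"""


def p_k(k: int, n: int) -> float:
    """Eq. (2): P(k) = (1 - 1/2^n)^k * 1/2^n, geometric model of the OFB block size."""
    return (1 - 1 / 2**n) ** k / 2**n


def mean_cycle(n: int, B: int) -> int:
    """Eq. (5): average synchronization cycle size n + B + E{k}, with E{k} = 2^n - 1 (3)."""
    return n + B + 2**n - 1


def expected_block_ops_series(n: int, B: int, kmax=None) -> float:
    """Denominator of (7): E{# block cipher operations per sync cycle}
    = sum_k P(k) * ceil((k + n + B) / B), summed term by term.
    Truncation at kmax = 60 * 2^n is an assumption: the omitted tail has
    total probability (1 - 1/2^n)^(kmax+1), roughly e^-60."""
    kmax = 60 * 2**n if kmax is None else kmax
    return sum(p_k(k, n) * (-(-(k + n + B) // B)) for k in range(kmax + 1))


def expected_block_ops_closed(n: int, B: int) -> float:
    """Eq. (14): 2 + rho^(B-n+1) / (1 - rho^B), with rho = 1 - 1/2^n."""
    rho = 1 - 1 / 2**n
    return 2 + rho ** (B - n + 1) / (1 - rho**B)


def efficiency(n: int, B: int) -> float:
    """Eq. (15): theoretical efficiency of SCFB relative to straight block encryption."""
    return (mean_cycle(n, B) / B) / expected_block_ops_closed(n, B)


def cfb_efficiency(B: int) -> float:
    """Conventional CFB with m = 1: one keystream bit per block cipher operation."""
    return 1 / B


def srd_lower_bound(n: int, B: int) -> float:
    """Eq. (17): lower bound on the synchronization recovery delay, in bits
    after the end of the slip, using E{k} from (3) and E{k^2} from (4)."""
    e_k = 2**n - 1
    e_k2 = 2 ** (2 * n + 1) - 3 * 2**n + 1
    return 1.5 * (n + B) + ((n + B) * e_k + e_k2) / (2 * mean_cycle(n, B))


if __name__ == "__main__":
    # Reproduces the trend of Fig. 6 and the SRD ~ 2^n observation for larger n.
    print(" n  eff(B=64) eff(B=128) eff(B=256)  SRD_lb(B=64)  SRD_lb/2^n")
    for n in range(1, 17):
        print(f"{n:2d}  {efficiency(n, 64):8.3f}  {efficiency(n, 128):8.3f}"
              f"  {efficiency(n, 256):8.3f}  {srd_lower_bound(n, 64):12.1f}"
              f"  {srd_lower_bound(n, 64) / 2**n:10.3f}")
```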
For example, a slip could occur in such a way that the new sequence of ciphertext bits results in a false synchronization. It is possible for this to occur near the end of the OFB block so that the receiver will interpret the next valid sync pattern bits as part of the false IV and will ignore them. As a result, resynchronization will be delayed until the next sync pattern. For small OFB block sizes, this could even happen in a manner such that several proper sync patterns are misinterpreted as part of the initialization vectors of several false synchronizations. This phenomenon is particularly prevalent for small values of $n$, since small OFB block sizes are much more likely.

5.2 Upper Bound on SRD

Now, consider an upper bound on SRD. In our analysis, we consider two regions in which a slip may occur within a sync cycle of size $n + B + k$, as illustrated in Fig. 5. If a slip occurs such that the first bit following the slip is not within $n + B$ bits of the sync pattern for the next cycle, then synchronization is lost until the valid sync pattern is detected for the next cycle. The probability of a slip occurring in this region is $k/(n + B + k)$. When a slip occurs within the last $n + B$ bits of a sync cycle, one must consider the possibility that the resulting bit sequence at the receiver could result in a false synchronization. The probability of a slip occurring in this region is given by $(n + B)/(n + B + k)$ and, for simplicity, in deriving the upper bound for SRD, we shall assume that any such occurrence of a slip causes a false synchronization. Once a false synchronization has occurred, we assume that the next valid synchronization will be missed due to a portion of the valid sync pattern lying within the false IV. Subsequently, false synchronizations may occur at the receiver if the receiver misinterprets a sync pattern appearing within an
(ohm).
3. Its error is six parts in 10^12.
4. This computer stores three times as much information as that one.
(Use a subject-verb-object sentence pattern with "computer" as the subject.)
5. The mass of the moon is 1/80 of that of the earth.
6. In the near future the demand for this kind of equipment will be 20 times what it is now.
7. The voltage across this component is a few tenths of a volt.
8. The pressure inside it is now one third of what it was originally.

III. Translate the following passage into English: The concept of temperature is familiar to all of us. This is because our bodies are very sensitive to differences in temperature. When we pick up a piece of ice, we feel cold, because its temperature is lower than that of our hand. After drinking a cup of coffee, we may refer to it as "hot", "lukewarm" or "atrocious". In the first two cases, at least, we are describing the degree to which its temperature exceeds our own.

IV. Using the given Chinese text, correct the errors in each English text:
1. [Chinese original] The voltage across this capacitor is a few hundredths of a volt.
   [English text] The voltage on this capacitor is zero point zero several volt.
2. [Chinese original] This object is four times as heavy as that one.
   [English text] This object is four times heavy than that one is.
3. [Chinese original] Unless otherwise stated, we assume that silicon transistors are used and that I_CBO can be neglected.
   [English text] Unless otherwise stated, it is assumed that silicon transistors are used and I CBO can be neglected.
4. [Chinese original] The advantages of this circuit are that it is simple in structure and easy to adjust.
   [English text] This circuit has the advantage of simpe in structure、easy to adjust.
5. [Chinese original] Figures 1, 2 and 3 illustrate this process.
Computer Security

Two main issues are current regarding security for computer communication systems:
• Data encryption
• User authentication

Encryption and authentication between single users can be performed quite simply by ciphers and private keys etc. Once computer networks are involved the task takes on a new set of problems.
• The number of possible users is huge.
• Users with whom communication is required are often unknown.
• The only communication path to the user is often the path that needs to be secured.

We will first look at a block cipher technique (DES), then a public key algorithm (RSA).

Data Encryption Standard (DES)

This encryption system is of the conventional block cipher type. It has been certified by the US government and others for secure but not classified communications. It works on 64 bits of data at a time by using a 56-bit key.
• The 64 bits of data are first permuted using a function.
• This data then goes through 16 rounds, each using a subkey version of the key (which was also permuted on input).
• After a 32-bit swap the data is permuted in the reverse of the initial function.
• The subkeys are produced by a circular shift and a permutation.

Concerns have been raised whether the S-boxes are cryptographically strong. Another worry is the fact that there are only 2^56 (7.2 × 10^16) possible keys. If a computer could try one key each microsecond it would take over 1000 years to try half the keys. Lots of money (parallel processing) can crack the key (assuming you know the data when you see it), plus development costs.

An improvement over DES has been developed called Triple DES. This gives the system an effective key length of 112 bits, thus improving the security: 5.2 × 10^33 combinations, giving 8.2 × 10^19 years to break at 1 microsecond per try for half the combinations.

Authentication

If a message is encrypted then authentication is also performed when the message is correctly decoded.
There are often times when we do not wish to encrypt but do need to authenticate the sender.•Sending a message to a large number of destinations. They would all have to have the same correct key or individual correct keys. This in itself is a security risk.•When high traffic at a destination means the time to decrypt all messages would beexcessive.•A code is produced from a key and the data to be sent•The code is appended to the data before sending•At the receive end the same procedure is performed•The code is comparedThis is similar to generating and checking a CRC on a data frame where the generating polynomial is kept secret.Hash FunctionsA hash function is a function that the data is passed through. It produces a code fingerprint identifying the data.H(x) = m H Hash functionx datam hash codeApart from being able to handle the size of data passed to it efficiently, it must •Have a one way property, ie you can generate the code from the data but not the data from the code. (Given m you can't find x)•Alternative messages with the same hash code cannot easily be found.(Can't find y ≠ x where H(x) = H(y)•Not easy to find two data sets with the same hash code(Can't find x & y where H(x) = H(y))A simple hash function is an XOR of the data arranged into blocks with the number of columns equal to the hash code sizec i=b i1⊕b i2⊕....⊕b imThis type of hash has no cryptographic strength itself.MD5MD5 is a very common function algorithm1.Data is padded to be 64 bits less than an integer multiple of 512 bits2.The 64 bits at the end are used to contain the length of the data (LSBs of it).3.Four buffers contain 128 bit, used to hold the hash code are initialised4. The data is then processed 512 bits at a timeThe data is broken up into 512 bit chunks and the MD5 algorithm appliedThe functions in the MD5 areX •Z)F(X,Y,Z)=(X•Y)+(′Z )G(X,Y,Z)=(X•Y)+(Y•′H(X,Y,Z)=X⊕Y⊕ZZ )I(X,Y,Z)=Y⊕(X+′5. 
The output from this is the 128-bit digest. The data is very well represented in the hash, which produces a digest satisfying the criteria for a hash.

Before we look at public key encryption we should examine one more technique that is used very commonly. This is another algorithm for fast encryption of data for privacy.

RC4 (Rivest's Cipher 4)

RC4 is a symmetric key algorithm, but instead of operating on a block of bits at a time, it operates on a bit stream. It operates with a variable-length key up to 256 bits.

This cipher has a 256-entry substitution box; the entries are a permutation of the numbers 0 through 255, and the particular permutation is a function of the key.

To initialise the box, first fill it linearly so that S0 = 0, S1 = 1, …, S255 = 255. Then fill another 256-byte array with the key, repeating the key as often as necessary to fill the whole array (K0, K1, …, K255). Set the index j = 0, then:

    for i = 0 to 255
        j = (j + S_i + K_i) mod 256
        swap S_i and S_j

To generate a byte for encryption, first take two counters (i and j) initialised to zero, then for each byte:

    i = (i + 1) mod 256
    j = (j + S_i) mod 256
    swap S_i and S_j
    t = (S_i + S_j) mod 256
    K = S_t

The byte K is then XORed with the plaintext to produce ciphertext, or XORed with the ciphertext to produce the plaintext. Encryption is about 10 times faster than DES in software.

Public Key Encryption

The system entails the generation of 2 keys for each participant:
• A public key which is placed in a register where anyone may get a copy of it.
• A private key that only the participant has access to.
• Either key can be used to encrypt the data.
• The other key will then be used to decrypt it.
• The heart of the system is the mathematical algorithm that generates the related key pair.
• The cryptographic strength is related to the algorithm and the key length.
• The system can be used for privacy and/or authentication.

Figure: Public key system for privacy
Figure: Public key system for authentication

RSA Public-Key Algorithm (Rivest, Shamir & Adleman)

The system uses a
block cipher for values < n.

For plaintext M and ciphertext C:
    C = M^e mod n
    M = C^d mod n = (M^e)^d mod n = M^(ed) mod n

Both sender and receiver know n, the sender knows e and the receiver knows d. Thus
    K_pub = K{e, n}
    K_priv = K{d, n}

• It is possible to find e, d and n such that M = M^(ed) mod n for all M < n.
• It is possible to calculate M^e and C^d for all M < n.
• It is not easy to find d given e and n when e and n are large.

The values for e, d and n need to be carefully chosen.

Key generation

Select n as the product of two prime numbers p and q. We choose p = 11, q = 7 (p and q would normally have hundreds of digits).
    n = p × q = 11 × 7 = 77
Now choose e where e is relatively prime to (p-1) × (q-1). (Relatively prime means they have no common factors except 1.)
    (p-1) × (q-1) = (11-1) × (7-1) = 10 × 6 = 60
Let us choose e = 7.
For d we must find a number where (e × d) - 1 = 0 mod (p-1) × (q-1). This means (e × d) - 1 is evenly divisible by (p-1) × (q-1) = 60. Choose d = 43:
    (e × d) - 1 = (7 × 43) - 1 = 300, and 300 is divisible by 60.
So
    K_pub = K{7, 77}
    K_priv = K{43, 77}

Encrypt a message

Let's send a simple message with the letters of the alphabet numbered 1–26: HELLO = 8, 5, 12, 12, 15. (In real life we would send messages containing much more than one letter.) To encrypt we raise each number to the power e modulo n:
    8^7 mod 77, 5^7 mod 77, 12^7 mod 77, 12^7 mod 77, 15^7 mod 77 = 57, 47, 12, 12, 71

Decrypt a message

57, 47, 12, 12, 71 is received. Remember our keys were
    K_pub = K{7, 77}
    K_priv = K{43, 77}
We now raise the received numbers to the 43rd power modulo 77:
    57^43 mod 77, 47^43 mod 77, 12^43 mod 77, 12^43 mod 77, 71^43 mod 77 = 8, 5, 12, 12, 15 = HELLO
The original message!!

These calculations result in large numbers (especially if you try it on your calculator), e.g. 71^43 ≈ 10^79. But it can be made simpler (computers can use this technique as well).
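The same arithmetic in C, as an added example and not the notes' own code: the square-and-multiply method that the notes next carry out by hand for 71^43, key setup with the notes' p = 11, q = 7 and e = 7, and the HELLO round trip. The function names (modpow, find_d, rsa_apply) are mine.

```c
/* Added example (not from the notes): RSA with the notes' toy parameters
 * p = 11, q = 7, e = 7, d = 43, n = 77, using square-and-multiply so that
 * no intermediate value ever exceeds (n-1)^2. */
#include <stdint.h>
#include <stdio.h>

/* base^exp mod m by repeated squaring: exp is scanned from its least
 * significant bit, so 71^43 becomes 71^1 * 71^2 * 71^8 * 71^32, each factor
 * reduced mod 77 as soon as it is formed. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1)                       /* this power of two is part of exp */
            result = (result * base) % m;
        base = (base * base) % m;          /* base, base^2, base^4, ... mod m */
        exp >>= 1;
    }
    return result;
}

uint64_t gcd(uint64_t a, uint64_t b) {
    while (b != 0) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* The d of the notes: (e*d) - 1 must be divisible by phi = (p-1)(q-1).
 * A linear search is fine for a two-digit phi; real key generation uses the
 * extended Euclidean algorithm. Returns 0 if e has no inverse mod phi. */
uint64_t find_d(uint64_t e, uint64_t phi) {
    if (gcd(e, phi) != 1) return 0;        /* e must be relatively prime to phi */
    for (uint64_t d = 2; d < phi; d++)
        if ((e * d) % phi == 1) return d;
    return 0;
}

/* Raises every block to the power key mod n, in place. Works for encryption
 * (key = e) and decryption (key = d); every block must be < n. */
void rsa_apply(uint64_t *blocks, int count, uint64_t key, uint64_t n) {
    for (int i = 0; i < count; i++)
        blocks[i] = modpow(blocks[i], key, n);
}

int main(void) {
    uint64_t p = 11, q = 7, n = p * q, phi = (p - 1) * (q - 1), e = 7;
    uint64_t d = find_d(e, phi);                  /* 43 */
    uint64_t msg[5] = {8, 5, 12, 12, 15};         /* HELLO, letters numbered 1-26 */
    int i;

    printf("K_pub = {%llu, %llu}, K_priv = {%llu, %llu}\n",
           (unsigned long long)e, (unsigned long long)n,
           (unsigned long long)d, (unsigned long long)n);

    rsa_apply(msg, 5, e, n);                      /* expect 57 47 12 12 71 */
    printf("ciphertext:");
    for (i = 0; i < 5; i++) printf(" %llu", (unsigned long long)msg[i]);

    rsa_apply(msg, 5, d, n);                      /* expect 8 5 12 12 15 */
    printf("\nplaintext: ");
    for (i = 0; i < 5; i++) printf(" %llu", (unsigned long long)msg[i]);

    printf("\n71^43 mod 77 = %llu\n", (unsigned long long)modpow(71, 43, 77));
    return 0;
}
```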
Write 43 as a sum of powers of 2:
    71^43 = 71^(32+8+2+1) = 71^32 × 71^8 × 71^2 × 71^1
Now 71^2 = 5041 = 36 mod 77. Similarly
    71^8 = (71^2)^4 = 36^4
    71^32 = (71^2)^16 = 36^16
So
    71^43 = 36^16 × 36^4 × 36 × 71 mod 77
We can continue further: 36^2 = 1296 = 64 mod 77, and so
    36^4 = (36^2)^2 = 64^2 mod 77
    36^16 = (36^2)^8 = 64^8 mod 77
so
    71^43 = 64^8 × 64^2 × 36 × 71 mod 77
Continuing we get
    71^43 = 64^8 × 64^2 × 36 × 71 mod 77
          = 15^4 × 15 × 36 × 71 mod 77
          = 71^2 × 15 × 36 × 71 mod 77
          = 36 × 15 × 36 × 71 mod 77
          = 15 mod 77
          = 15
the correct answer.

This encryption and authentication process works well when each partner has the appropriate keys. I can verify that it is you sending me data by using your public key. But how do I know the key that I am using is really YOUR public key and not the key of an impostor? If you send me a copy of it:
(a) I don't know it is you sending it.
(b) Someone may intercept it on the way and tamper with it.

To solve these problems protocols have been developed. We will examine the most popular, which is used for secure internet communications.

SSL (Secure Socket Layer)

This protocol was developed by Netscape for use in their WWW browser. It has since found use in many applications and is the present standard for secure WWW commerce (eCommerce) for all browsers (even IE4). It can:
• Authenticate the server to the client.
• Allow the client and server to select the cryptographic algorithms that they both support.
• Optionally authenticate the client to the server.
• Use public-key encryption techniques to generate shared secrets.
• Establish an encrypted SSL connection.

Data from Netscape: /docs/manuals/security/sslin. Another good site is /rsalabs/faq/.

The cipher suites supported by SSL, grouped by strength category and recommended use:

Strongest cipher suite. Permitted for deployment within the United States only. This cipher suite is appropriate for banks and other institutions that handle highly sensitive data.
• Triple DES, which supports 168-bit encryption, with SHA-1 message authentication.
  Triple DES is the strongest cipher supported by SSL, but it is not as fast as RC4. Triple DES uses a key three times as long as the key for standard DES. Because the key size is so large, there are more possible keys than for any other cipher: approximately 3.7 × 10^50. Both SSL 2.0 and SSL 3.0 support this cipher suite. SHA-1 is a Secure Hash Algorithm similar to MD5.

Strong cipher suites. Permitted for deployments within the United States only (now released to the world). These cipher suites support encryption that is strong enough for most business or government needs.
• RC4 with 128-bit encryption and MD5 message authentication. Because the RC4 and RC2 ciphers have 128-bit encryption, they are the second strongest next to Triple DES (Data Encryption Standard), with 168-bit encryption. RC4 and RC2 128-bit encryption permits approximately 3.4 × 10^38 possible keys, making them very difficult to crack. RC4 ciphers are the fastest of the supported ciphers. Both SSL 2.0 and SSL 3.0 support this cipher suite.
• RC2 with 128-bit encryption. RC2 ciphers are slower than RC4 ciphers. This cipher suite is supported by SSL 2.0 but not by SSL 3.0.
• DES, which supports 56-bit encryption, with SHA-1 message authentication. DES is stronger than 40-bit encryption, but not as strong as 128-bit encryption. DES 56-bit encryption permits approximately 7.2 × 10^16 possible keys. Both SSL 2.0 and SSL 3.0 support this cipher suite, except that SSL 2.0 uses MD5 rather than SHA-1 for message authentication.

Exportable (old, from the US) cipher suites. These cipher suites are not as strong as those listed above, but may be exported to most countries (note that France permits them for SSL but not for S/MIME). They provide the strongest encryption available for exportable products.
• RC4 with 40-bit encryption and MD5 message authentication. RC4 40-bit encryption permits approximately 1.1 × 10^12 (a trillion) possible keys. RC4 ciphers are the fastest of the supported ciphers.
  Both SSL 2.0 and SSL 3.0 support this cipher.
• RC2 with 40-bit encryption and MD5 message authentication. RC2 40-bit encryption permits approximately 1.1 × 10^12 (a trillion) possible keys. RC2 ciphers are slower than the RC4 ciphers. Both SSL 2.0 and SSL 3.0 support this cipher.

Weakest cipher suite. This cipher suite provides authentication and tamper detection but no encryption. Server administrators must be careful about enabling it, however, because data sent using this cipher suite is not encrypted and may be accessed by eavesdroppers.
• No encryption, MD5 message authentication only. This cipher suite uses MD5 message authentication to detect tampering. It is typically supported in case a client and server have none of the other ciphers in common. This cipher suite is supported by SSL 3.0 but not by SSL 2.0.

The heart of SSL is the "handshake".

1. The client contacts a secure web server (HTTPS) with its SSL version, cipher settings, etc.
_________________________________________________________
2. The server responds with its certificate and information about itself (SSL version, cipher settings etc.).

The client attempts to authenticate the server from the certificate it was sent. We need to see the contents of the certificate first. The certificate contains the server's public key plus information about the certificate, including the distinguished name (DN) of the server. It also has the DN of an issuing Certifying Authority (CA) and a digital signature from this CA. A CA is a respected company or authority that deals in accrediting the identity of web server sites. Your web browser will already have certificates (containing public keys) from these CAs, and more may be added.

The correct public key for the CA who signed the server's certificate is used to authenticate the digital signature (which was encrypted using the CA's private key). If the expected DN of the server is revealed then the certificate must be authentic.
This therefore forms a letter of introduction for the server from the CA. For full authentication the client must verify:
• Is the date of the certificate valid?
• Is the CA a trusted CA?
• Does the CA's public key validate the digital signature?
• Does the domain name in the server's DN match the domain name the certificate was sent from? (This is to prevent a "man-in-the-middle" attack.)

3. The client now uses the public key of the server to encrypt a "premaster secret" which it sends to the server. If the server has requested client authentication the client will also send its certificate containing its public key to the server. The server will perform authentication on the client's certificate.
_________________________________________________________
4. The server takes the premaster secret from the client and performs a number of steps with it to create a "master secret". The client also does the same thing. Now both server and client have the same shared master secret.
_________________________________________________________
5. Server and client both create a session key from the master secret.
6. Both server and client send messages to each other saying that the handshake is complete. Further communication is now conducted using a symmetric key cipher (RC4 for example, 40 bits or 128 bits, or another supported cipher).

Symmetric key ciphers are much faster than public key encryption. Public key encryption must use a very large key to achieve cryptographic strength.
(Typically more than 500 bits.) This makes it slow for general data encryption.

Certificates

Certificates used in SSL conform to the X.509 certificate standard. An example certificate:

Certificate:
  Data:
    Version: v3 (0x2)
    Serial Number: 3 (0x3)
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US
    Validity:
      Not Before: Fri Oct 17 18:36:25 1997
      Not After:  Sun Oct 17 18:36:25 1999
    Subject: CN=Jane Doe, OU=Finance, O=Ace Industry, C=US
    Subject Public Key Info:
      Algorithm: PKCS #1 RSA Encryption
      Public Key:
        Modulus:
          00:ca:fa:79:98:8f:19:f8:d7:de:e4:49:80:48:
          e6:2a:2a:86:ed:27:40:4d:86:b3:05:c0:01:bb:
          50:15:c9:de:dc:85:19:22:43:7d:45:6d:71:4e:
          17:3d:f0:36:4b:5b:7f:a8:51:a3:a1:00:98:ce:
          7f:47:50:2c:93:36:7c:01:6e:cb:89:06:41:72:
          b5:e9:73:49:38:76:ef:b6:8f:ac:49:bb:63:0f:
          9b:ff:16:2a:e3:0e:9d:3b:af:ce:9a:3e:48:65:
          de:96:61:d5:0a:11:2a:a2:80:b0:7d:d8:99:cb:
          0c:99:34:c9:ab:25:06:a8:31:ad:8c:4b:aa:54:91:f4:15
        Public Exponent: 65537 (0x10001)
    Extensions:
      Identifier: Certificate Type
        Critical: no
        Certified Usage:
          SSL Client
      Identifier: Authority Key Identifier
        Critical: no
        Key Identifier:
          f2:f2:06:59:90:18:47:51:f5:89:33:5a:31:7a:
          e6:5c:fb:36:26:c9
  Signature:
    Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
      6d:23:af:f3:d3:b6:7a:df:90:df:cd:7e:18:6c:
      01:69:8e:54:65:fc:06:30:43:34:d1:63:1f:06:
      7d:c3:40:a8:2a:82:c1:a4:83:2a:fb:2e:8f:fb:
      f0:6d:ff:75:a3:78:f7:52:47:46:62:97:1d:d9:
      c6:11:0a:02:a2:e0:cc:2a:75:6c:8b:b6:9b:87:
      00:7d:7c:84:76:79:ba:f8:b4:d2:62:58:c3:c5:
      b6:c1:43:ac:63:44:42:fd:af:c8:0f:2f:38:85:
      6d:d6:59:e8:41:42:a5:4a:e5:26:38:ff:32:78:
      a1:38:f1:ed:dc:0d:31:d1:b0:6d:67:e9:46:a8:
      dd:c4

CA verification is often performed in a hierarchical chain. The chain must be authenticated until a trusted CA is found in the browser certificate database.
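The RC4 key schedule and byte generator from the RC4 section of these notes, written out in C as an added example (not the notes' own code). It checks itself against the widely published test vector for key "Key" and plaintext "Plaintext"; the type and function names are mine.

```c
/* Added example (not from the notes): RC4 exactly as the notes describe it,
 * a 256-entry S box initialised from the repeated key and a byte generator
 * whose output is XORed with the data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t S[256];     /* the substitution box, a permutation of 0..255 */
    uint8_t i, j;       /* the two counters used by the byte generator */
} rc4_state;

static void swap_bytes(uint8_t *a, uint8_t *b) { uint8_t t = *a; *a = *b; *b = t; }

/* Key scheduling: S = 0..255, K = key repeated to 256 bytes, then
 * for i = 0..255: j = (j + S_i + K_i) mod 256; swap S_i and S_j. */
void rc4_init(rc4_state *st, const uint8_t *key, size_t keylen) {
    uint8_t K[256];
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) {
        st->S[i] = (uint8_t)i;
        K[i] = key[i % keylen];
    }
    for (i = 0; i < 256; i++) {
        j = (j + st->S[i] + K[i]) & 0xff;      /* mod 256 */
        swap_bytes(&st->S[i], &st->S[j]);
    }
    st->i = 0;
    st->j = 0;
}

/* One keystream byte: i = i+1; j = j + S_i; swap S_i, S_j; t = S_i + S_j;
 * K = S_t (all mod 256, which uint8_t arithmetic gives for free). */
uint8_t rc4_byte(rc4_state *st) {
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->S[st->i]);
    swap_bytes(&st->S[st->i], &st->S[st->j]);
    return st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
}

/* Encryption and decryption are the same operation: XOR with the keystream. */
void rc4_crypt(const uint8_t *key, size_t keylen,
               const uint8_t *in, uint8_t *out, size_t len) {
    rc4_state st;
    rc4_init(&st, key, keylen);
    for (size_t k = 0; k < len; k++)
        out[k] = in[k] ^ rc4_byte(&st);
}

/* Self-check against the widely published RC4 test vector: key "Key",
 * plaintext "Plaintext" -> bb f3 16 e8 d9 40 af 0a d3. Returns 1 when both the
 * ciphertext and the decryption back to "Plaintext" are right. */
int rc4_selfcheck(void) {
    static const uint8_t expect[9] =
        {0xbb, 0xf3, 0x16, 0xe8, 0xd9, 0x40, 0xaf, 0x0a, 0xd3};
    const uint8_t *key = (const uint8_t *)"Key";
    const uint8_t *pt  = (const uint8_t *)"Plaintext";
    uint8_t ct[9], back[9];
    rc4_crypt(key, 3, pt, ct, 9);
    rc4_crypt(key, 3, ct, back, 9);
    return memcmp(ct, expect, 9) == 0 && memcmp(back, pt, 9) == 0;
}

int main(void) {
    const uint8_t *key = (const uint8_t *)"Key";
    uint8_t ct[9];
    rc4_crypt(key, 3, (const uint8_t *)"Plaintext", ct, 9);
    for (int k = 0; k < 9; k++) printf("%02x", ct[k]);
    printf("\nself-check: %s\n", rc4_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```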
On Permutation Operations in Cipher Design∗

Ruby B. Lee, Z. J. Shi and Y. L. Yin
Princeton University, Department of Electrical Engineering, B-218 Engineering Quadrangle, Princeton, NJ 08544, U.S.A.
Email: {rblee, zshi, yyin}@

Ronald L. Rivest
M.I.T. CSAIL, 545 Technology Square, Cambridge, MA 02139, U.S.A.
Email: rivest@

M. J. B. Robshaw
Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K.
Email: m.robshaw@

Abstract

New and emerging applications can change the mix of operations commonly used within computer architectures. It is sometimes surprising when instruction-set architecture (ISA) innovations intended for one purpose are used for other (initially unintended) purposes. This paper considers recent proposals for the processor support of families of bit-level permutations. From a processor architecture point of view, the ability to support very fast bit-level permutations may be viewed as a further validation of the basic word-orientation of processors, and their ability to support next-generation secure multimedia processing. However, bitwise permutations are also fundamental operations in many cryptographic primitives and we discuss the suitability of these new operations for cryptographic purposes.

1. Introduction

To support new user requirements such as digital multimedia processing and secure information processing, the basic operations supported within new generation processors might evolve. For a general-purpose microprocessor, it is desirable that any added instructions have multiple uses, rather than being specific to only one algorithm or to one application. Since secure communications and networking have become critical features of many applications, it would seem to be advantageous for the architectural and cryptographic communities to explore the following questions.
Are there instruction-set architecture (ISA) innovations that may occur in a widespread way that might also be used beneficially in the design of cryptographic algorithms? Alternatively, are there desirable instructions, perhaps motivated by the design of cryptographic algorithms, that might also be useful for other emerging applications? To begin exploring these questions, this paper examines recently-proposed bit permutation operations from the perspective of cipher design and cryptanalysis. In addition to studying the cryptographic properties of such permutation operations in isolation, we consider their role in the design of new ciphers.

The contributions of this paper are as follows. We examine the cryptographic properties of bit-level permutations in the construction of new ciphers or in strengthening existing ciphers. In particular, we study the cryptographic properties of the group operation GRP [13, 23], as well as OMFLIP [13, 27], which were recently identified for possible inclusion in future processor architectures. We consider the properties of GRP and OMFLIP and consider how their inclusion within a cryptographic design might change the properties of the scheme. As a detailed example, we consider the implications of incorporating the GRP operation into a block cipher and discuss some of the issues that arise.

∗ This work was supported in part by NSF CCR-0105677.
Provided care is taken, it may be possible for the support of new operations to lead to new designs offering higher performance and reduced energy consumption; something which would be particularly important for constrained environments like hand-held devices. In Section 2, we motivate the study of permutation operations from both an architectural and cryptographic viewpoint. In Section 3, we provide our design goals and detailed definitions of bit permutation operations. We also give results on the implementation complexity of GRP. In Section 5, we analyze the cryptographic properties of GRP and, as an example, in Section 6.2 we explore how one might use GRP in a variant of the block cipher RC5 [20]. Section 7 concludes the paper.

2. Motivation for new permutation operations

Bit-level permutation operations are very important from both an architectural and cryptographic point of view. Architecturally, the ability to support very fast bit-level permutations may be the next step in the evolution of word-oriented processors to support new multimedia and secure information processing workloads. Bit level computation is used in Huffman encoding and decoding, for example, and general-purpose processors are optimized for word-oriented computation. Hence, their instruction set architecture (ISA) provides limited support for the manipulation of data items smaller than a word. Currently, only simple bit-level operations like logical operations and shifts are implemented in microprocessors. For multimedia processing, processor architectures have already incorporated the concept of subword parallelism [11, 12] where subwords are typically 8-bit pixels or 16-bit audio samples. A subword-parallel instruction performs the same operation on multiple pieces of data (subwords) packed in one or more registers [11]. Subword-parallel arithmetic operations can efficiently exploit the data parallelism in processing images, video, graphics and audio. Subword-parallel instructions—first introduced to accelerate multimedia
in PA-RISC microprocessors [11, 12]—have now been added to all microprocessors [6, 8, 11, 12, 18, 19]. These ISA additions have swept the microprocessor industry in a matter of five years, demonstrating that new architectural features will be added to processors if they provide significant performance or other advantages at a very low cost. Subword permutation operations are often necessary to rearrange subwords into proper positions in registers so that subsequent operations can be applied to all subwords in parallel. As we decrease the size of the subword, we increase the difficulty of achieving all possible permutations since the number of items to be permuted increases significantly. Nevertheless, recent work [13, 23, 26, 27] has examined architectural solutions that can achieve any arbitrary permutation of both single-bit and multi-bit subwords packed in a register.

Cryptographically, bit-level operations are useful in the design of many algorithms, particularly block ciphers, stream ciphers, and hash functions. The design of the block cipher DES [16] is an important landmark in this regard.
The security of many of these algorithms relies on what Shannon termed confusion and diffusion [22] which are typically attained by a judicious combination of simple operations. Bit-level permutations naturally provide certain effects which are not easily obtained through word-level operations. However, bit-level permutations tend to be slow on current programmable processors, since they have to be emulated using other instructions. While all processors implement add, subtract, logical, memory load and shift operations, the only bit-level permutations that might be routinely supported in microprocessors are bitwise rotations which form a very small subset of all possible bit-level permutations. Some processors support fixed bitwise rotations where the amount of rotation is specified at compile time; even fewer processors support data-dependent rotations (DDR) where the rotation amount is only available at execution time. DES [16] uses bit-level permutations which are very fast in special-purpose hardware, but inherently slow in software. While the few fixed permutations in DES can be sped up using table lookup techniques in software, it is not feasible to do this for all possible data-dependent permutations. In [27] the use of OMFLIP to speed up the performance of fixed permutations within DES is explored.

More recent proposals for hash functions and encryption functions—including the new AES [17]—have demonstrated a move away from bit-level operations and toward a mix of word-oriented operations such as arithmetic and logical operations, as well as some form of table lookup accomplished with memory load instructions. Much of this, however, might be due to the currently poor support for bit-level permutations; currently no processors implement more general purpose bit-wise permutation instructions. Nevertheless, the role of bit-wise permutations remains fundamental and it is interesting to consider whether increased support for bit-level permutation operations might not encourage
their use in new cipher designs.

Finally, another interesting application of bit-level permutations is in the obfuscation of data [3] within tamper-resistant chips. The use of keyed bit-level permutations can provide a mechanism to enhance the resistance of such hardware deployments to so-called "probing attacks". It would be interesting to consider the applications of the techniques we discuss in this paper to this particular problem.

3. Design goals for new permutation operations

A permutation operation for our architectural and cryptographic needs should ideally satisfy the following goals:

• Goal 1: Be general-purpose and flexible. The new permutation operation should be general-purpose, rather than specific to a given algorithm. For example, the permutation operation might have uses in applications as diverse as multimedia applications, sorting applications, and cryptography.

• Goal 2: Be easy to implement. The new permutation operation should be easy to implement in a variety of processors, from high-performance microprocessors down to the simplest processors suitable for small information appliances and even smart cards. Since many of these processors have simple architectures, the new operation should ideally require no more than two source registers, and write to one destination register upon completion of execution. Ideally, the latency through the functional unit should allow the operation to execute in a single cycle. On the other hand, if the direct hardware support for the operation is not available, other instructions should be able to emulate the operation efficiently.

• Goal 3: Have good cryptographic properties. The new permutation operation should have good cryptographic properties, and be resistant to common cryptanalytic attacks as well as not opening new weaknesses.

To help judge how successful such new operations might be, we will use the data-dependent rotation (DDR) as a means for comparison. This operation has been used in the block cipher RC5 [20] and it has been widely
studied from a cryptographic perspective. Like all the permutations considered in this paper, the action of DDR is not fixed. Instead, the bits of a control register are used to specify the permutation to be applied to the bits in the data register. One potential weakness of DDR is that only the lower lg(w) bits of the w-bit control register are used to effect the permutation, where lg(w) is the logarithm to the base two of w. For convenience, lg(w) is used to denote log2(w) in this paper. The potential weakness of DDR has been used to mount certain theoretical attacks on RC5 and so it seems that new permutation operations with more control bits might potentially be cryptographically useful.

4. Permutation Operations: GRP and OMFLIP

The general form of a permutation operation will be written as Z = X • Y where the bits (or subwords) of X are permuted according to the value of bits (or subwords) of Y. The data-dependent rotation (DDR), typically denoted as Z = X <<< Y, takes two operands X and Y, generating a result Z where all are w-bit words.
The word X is rotated left by the amount specified in the lower lg(w) bits of Y. Several new permutation instructions such as PPERM [13], GRP [13, 23], CROSS [13], OMFLIP [13, 27], and BFLY [26] have been proposed for arbitrary bit-level permutations. However, we will restrict our attention to GRP and OMFLIP in this paper.

4.1. Definition of GRP

The GRP operation will be written as Z = X Y where the bits in X are divided into two groups depending on whether the corresponding bit in Y is 0 or 1. The two groups of bits are then placed next to each other in Z. The bits with a control bit of 0 are placed at the left end; the bits with a control bit of 1 at the right end. Fig. 1 shows an example of an 8-bit GRP operation. Since the control bits of x0, x2, x5, x6 are 0, these four bits are placed at the left end in Z. The bits x1, x3, x4, x7 are placed at the right since their control bit has the value 1.

If the GRP operation is used in a cryptographic algorithm, the inverse operation, UNGRP for ungroup, may be needed for decryption. Here we give programmatic definitions of GRP and UNGRP. Let X = x_{w-1} ... x_0, Y = y_{w-1} ... y_0, and Z = X Y = z_{w-1} ... z_0 be w-bit words.

Figure 1. An 8-bit GRP operation: X = a b c d e f g h, Y = 1 0 0 1 1 0 1 0, Z = b c f h a d e g.

GRP:
    j = 0;
    for (i = 0; i < w; i = i + 1)
        if (y_i == 1) { z_j = x_i; j = j + 1; }
    for (i = 0; i < w; i = i + 1)
        if (y_i == 0) { z_j = x_i; j = j + 1; }

UNGRP:
    j = 0;
    for (i = 0; i < w; i = i + 1)
        if (y_i == 1) { z_i = x_j; j = j + 1; }
    for (i = 0; i < w; i = i + 1)
        if (y_i == 0) { z_i = x_j; j = j + 1; }

4.2. Definition of OMFLIP

The OMFLIP operation will be written as Z = X (·,·) Y.
It is based on concatenating an omega stage with a flip stage, which we will now describe. In an omega or a flip stage, w input bits are divided into w/2 pairs. The two bits in a pair are mapped to two output positions, the destination order being determined by a single control bit. Consequently w/2 control bits are needed for w/2 data pairs in an omega or a flip stage. At the input of an omega stage, bits i and (i + w/2), 0 ≤ i < w/2, form a pair and they are mapped to the two bit positions 2i and (2i + 1). At the input of a flip stage, bits 2i and (2i + 1), 0 ≤ i < w/2, form a pair which is mapped to positions i and i + w/2. Clearly, a flip stage can be viewed as the inverse of an omega stage.

The OMFLIP operation Z = X (a0,a1) Y uses two stages in an omega-flip network to permute the data bits X, with Y specifying the control bits for the two stages. The subscript (a0, a1) represents a two-bit encoding (with omega being represented by 0 and flip by 1) that specifies which st stages are used; they could be (omega, omega), (flip, flip), (omega, flip), or (flip, omega). Fig. 2 shows a 16-bit omega-flip network that has two omega stages and two flip stages. It can be used to perform 16-bit OMFLIP operations. A 16-bit OMFLIP operation can use any two stages in the network to permute bits and pass through the other two. Actually, each stage in such a network has pass-through paths, which allow bits to go through a stage without any position changes. But the pass-through paths are not shown in the figure, to better illustrate the paths that are essential to an omega or a flip stage.

The programmatic definition of OMFLIP is given below. Let X = x_{w-1} ... x_0, Y = y_{w-1} ... y_0, and Z = X (a0,a1) Y = z_{w-1} ... z_0 be w-bit words. Stage i (i = 0, 1) is controlled by the w/2 bits y_{i·w/2} ... y_{i·w/2 + w/2 - 1} of Y, and the second stage takes the output of the first stage as its input X.

OMFLIP(a0,a1):
    for (i = 0; i < 2; i = i + 1)
        if (a_i == 0) {                             /* omega stage */
            for (j = 0; j < w/2; j = j + 1) {
                z_{2j} = x_j;  z_{2j+1} = x_{j+w/2};
                if (y_{j+i·w/2} == 1) swap(z_{2j}, z_{2j+1});
            }
        } else {                                     /* flip stage */
            for (j = 0; j < w/2; j = j + 1) {
                z_j = x_{2j};  z_{j+w/2} = x_{2j+1};
                if (y_{j+i·w/2} == 1) swap(z_j, z_{j+w/2});
            }
        }

4.3. Basic properties of GRP and OMFLIP

GRP can be used to
simulate any bit permutation of a w-bit word with at most lg(w) steps [23]. It can also be used for multi-bit subword permutations and is useful for multimedia processing. It can achieve any one of m! permutations of m subwords in at most lg(m) instructions, where m is the number of subwords. Here m = w/k, where w is the number of bits in a word, and k is the number of bits in a multi-bit subword. In addition, GRP is very useful for accelerating sorting algorithms, and can achieve a speedup of 10 or more when sorting a small set of integers [24].

OMFLIP has similar properties to GRP in terms of performing permutations of bits or multi-bit subwords that are stored in one word (or register). It can perform an arbitrary permutation of w bits with at most lg(w) steps and an arbitrary permutation of m multi-bit subwords with at most lg(m) steps. Any one of the w! permutations can be achieved by simulating a full omega-flip network, which consists of lg(w) omega stages followed by lg(w) flip stages. Since an OMFLIP instruction performs the operation of two of these stages, a sequence of lg(w) OMFLIP instructions can achieve any arbitrary w-bit permutation.

Figure 2. A 16-bit omega-flip network.

Both GRP and OMFLIP are general-purpose permutation primitives useful in multimedia and security applications; hence, they satisfy Goal 1.

4.4. Implementation of GRP and OMFLIP

Both GRP and OMFLIP are easy to add to a typical processor since each requires reading only two source registers and writing one result register. This fits typical processor datapaths, instruction formats, and pipeline organizations. Other implementation issues like execution latency and size of the functional unit required are discussed below.

A hardware implementation of GRP given in [25] suggests that it takes slightly longer than a typical ALU (Arithmetic Logical Unit) latency. Since the latter is often used to determine the cycle time of a processor, this means that a GRP operation will execute in one
or two cycles, depending on the aggressiveness of the processor cycle time in the design with respect to the latency of the ALU. When implemented in a processor, the GRP functional unit may also be used to perform some other operations such as DDR. In a processor design where a GRP operation takes two cycles to complete, the GRP functional unit can easily be pipelined, if desired, so that a new GRP instruction can start every cycle.

While the functional unit implementing a GRP operation is more complicated than an ALU, it is simpler than that needed for a MULTIPLY operation. On some processors such as Itanium [5], the multiplications of large integers are intended to be performed with floating-point units, by first transferring the operands to floating-point registers, performing the multiplication, and transferring the result back. Hence, the cost of the MULTIPLY operation becomes even higher when it is mixed with other operations that are performed with integer units. Furthermore, a GRP operation takes only 1-2 cycles of execution latency compared to the 3-7 cycles needed by a MULTIPLY operation.

A hardware implementation of an OMFLIP instruction is much simpler than for GRP, and also simpler than for an ALU. An OMFLIP instruction will have a latency no longer than a typical ALU, and hence it can execute in a single cycle. Since the number of stages in an OMFLIP functional unit is fixed no matter how big w is, the size and latency advantages of the OMFLIP functional unit over the GRP functional unit increase as the number of bits, w, to be permuted increases. OMFLIP definitely satisfies Goal 2 in terms of ease of implementation. GRP's implementation complexity is higher, but it has a latency much smaller than that of a MULTIPLY operation, with a smaller functional unit size.
Indeed, GRP may be a simpler alternative than MULTIPLY for cryptography purposes. Hence, Goal 2 is reasonably well satisfied for both GRP and OMFLIP. In the next section, we show that GRP has better cryptographic properties than OMFLIP.

5. Cryptographic properties of permutations

We now discuss the cryptographic properties of permutation operations in the context of cipher design and analysis, and the satisfaction of Goal 3. We first give a brief overview of cryptographic algorithms and the role of bitwise permutations as a contribution to their security.

It is typical to classify cryptographic algorithms according to the way they use key information [15]. Public key algorithms use two keys; one is kept secret and the other—as the name implies—is made public. Such algorithms are not our concern here. Other algorithms require that the two participants in a cryptographic exchange share the same secret key. Encryption is provided by block ciphers and stream ciphers and authentication based on secret key techniques can be provided by message authentication codes. Finally, a class of algorithms known as hash functions are entirely keyless.

While public key algorithms are based on difficult problems in number theory and have a rich mathematical structure, secret-key algorithms and hash functions tend to be more ad hoc in design. The process to establish the new AES [17] was notable for the wealth of new design and analysis techniques that were discussed at great length. The fields of stream ciphers, message authentication codes, and hash functions have not had comparable exposure, though many of the same design principles can often be applied in one way or another.

Indeed, the basic ideas of confusion and diffusion [22] that are so prominent in block cipher designs also appear elsewhere. Confusion might be viewed as a process by which small amounts of complex interaction are introduced locally, while diffusion can be viewed as the process by which this complexity is spread from being solely a
local phenomenon. By alternating primitive functions that provide confusion and diffusion, the hope is that the final algorithm will exhibit globally complex, and cryptographically strong, behavior. The common way to provide the diffusive elements of this process is to use a bitwise permutation, and the success of a cipher design can depend in a fundamental way on the properties of the permutation that is used.

5.1. GRP and OMFLIP as cryptographic primitives

There are many different ways of using a bitwise permutation in a cipher design. Frequently the permutation is fixed, as is the case in DES [16], and so it is straightforward to account for the behavior of the permutation in analysis. However, some recent designs have introduced the possibility of using a permutation that is variable and depends on the value of the data being encrypted. We have already mentioned one good example of this, the data-dependent rotation DDR. The operations we consider here, GRP and OMFLIP, might be viewed as being complementary to the DDR operation. With this in mind, we consider the role of these permutations in relation to some specific attacks on block ciphers. More particularly, we will consider their effect on two important kinds of block cipher attacks: differential cryptanalysis [1] and linear cryptanalysis [14].
5.1.1 Differential and linear cryptanalysis

For differential cryptanalysis, the basic idea is that two plaintexts are chosen with a certain difference between them; the difference is typically measured by exclusive-or, but for some ciphers an alternative measure can be more useful. These two plaintexts are enciphered to give two ciphertexts, and it is hoped that the difference between the outputs has a specific value with a better-than-average probability. Depending on the cipher and the analysis, the behavior of such differences and their evolution can be useful in deriving certain bits of the key. For linear cryptanalysis, the basic idea is to find relations among certain bits of plaintext, ciphertext, and the key that hold with a probability p ≠ 1/2 (i.e., there is a bias of |p − 1/2| > 0). Such a relation is called a linear approximation. As in differential cryptanalysis, we seek to exploit such non-ideal behavior, and it may be possible to identify linear approximations that reveal information about the key.

An important feature that determines the possible success of differential and linear cryptanalysis is the speed with which the complexity of a difference or linear approximation increases as we try to keep track of such close relations during the encryption process. For a good block cipher, the differences between related texts and the relation between bits of the same text should both become very complicated very quickly, so that by the time the encryption process is concluded any statistical variations are smoothed out and there is no unusual behavior left for the cryptanalyst to exploit. The process by which this is achieved is often loosely referred to as the avalanche of change, and the spread of effect and influence is often influenced by the role of permutations within the cipher design.

5.1.2 Differential and linear properties

Here we consider the differential and linear properties of GRP, OMFLIP and DDR. There are many differential characteristics
and linear approximations for a given permutation operation, each holding with different associated probabilities. The most useful ones are typically those that are both simple and which hold with relatively large probabilities. The properties of DDR are mostly results that can be found in [4, 9], while the properties for GRP and OMFLIP are new results. The results in this paper are necessarily preliminary results and concentrate on some of the simplest forms of cryptanalysis. In Section 5.3 we take account of some more advanced considerations.

For differential cryptanalysis, we need to consider a pair of inputs and their corresponding output. Specifically, for i = 1, 2, let Z_i = X_i • Y_i. We define the differences in the input and output to be ∆X = X_1 ⊕ X_2, ∆Y = Y_1 ⊕ Y_2, and ∆Z = Z_1 ⊕ Z_2. A differential characteristic of the permutation operation Z = X • Y is a triplet (∆X, ∆Y) → ∆Z, together with the probability p that the given triplet holds when the inputs are chosen at random. We let e_s denote the w-bit word which is zero except for a single one in bit position s. In our preliminary investigation, we will restrict our attention to single-bit differences and approximations.

The following differential characteristics of a permutation operation are often useful (we use ∆ to denote a general difference which may be zero). The aim is to keep track of any changes induced during encryption and to keep the evolution of differences as simple as possible.

(A) (e_s, 0) → e_t
(B) (0, e_t) → ∆
(C) (e_s, e_t) → ∆

Table 1. The propagation of differences across DDR, GRP, and OMFLIP.

            Type (A)                  Type (B)                    Type (C)
            (e_s, 0) → e_t            (0, e_t) → ∆                (e_s, e_t) → ∆
DDR         p = 1/w, ∀s, t            HWT(∆) = 0                  E(HWT(∆)) = 1
                                      for lg(w) ≤ t               for lg(w) ≤ t
                                      E(HWT(∆)) = w/2             E(HWT(∆)) = w/2
                                      for 0 ≤ t ≤ lg(w) − 1       for 0 ≤ t ≤ lg(w) − 1
GRP         p ≤ 1/2 + 1/2^w, ∀s, t    E(HWT(∆)) = w/4, ∀s, t      E(HWT(∆)) = w/4, ∀s, t
OMFLIP      p ≤ 1/4, ∀s, t            HWT(∆) ≤ 2, ∀s, t           HWT(∆) ≤ 3, ∀s, t

Since Z is a permutation of the bits in X, we know that type (A) characteristics exist and their probabilities are easy to compute. The more interesting characteristics are type (B) and type (C), which depend on the input
difference in the control bits Y. For these, we will compare the diffusion effect by computing the expected Hamming weight of the output difference ∆Z. The three types of characteristics of different permutation operations and their associated probabilities or Hamming weights are shown in Table 1. There, E(HWT(∆)) denotes the expected value of HWT(∆), the Hamming weight of ∆, when inputs are chosen at random.

In linear cryptanalysis, we aim to exploit a linear relation among certain bits of the inputs and outputs. Specifically, if Γ and X are two binary vectors of length w, then their inner product, denoted by Γ·X, is the parity of the bits in X specified by the non-zero entries in Γ. A linear approximation of the permutation Z = X • Y is therefore a triplet (Γ_X, Γ_Y, Γ_Z) together with the probability p that the equation (Γ_X·X) ⊕ (Γ_Y·Y) = (Γ_Z·Z) holds on random inputs. The bias b of the linear approximation is defined to be |p − 1/2|. For example, (Γ_X, Γ_Y, Γ_Z) = (2^w − 1, 0, 2^w − 1) is a linear approximation that holds with probability p = 1 for any permutation operation, since the parity of all the bits in Z is always equal to the parity of all the bits in X; this approximation has a bias b = 1/2. We will consider restricted forms of the linear approximations, depending on whether any control bits Y are involved in the approximation. When Y is not involved, the simplest approximation takes the form (e_s, 0, e_t). This will be denoted type (L), and intuitively the bias of such a linear approximation measures how uniformly the permutation moves the bits around (e.g., whether there is a bit position that tends to be fixed).
When Y is involved, the simplest approximation, denoted type (M), takes the form (e_s, e_u, e_t). The bias of these approximations measures whether the destination position of a bit in X depends heavily on a single bit in Y. Ideally, the destination position of a bit in X depends on many bits in Y, and these bits are equally important in determining the position. The maximum biases for these approximations are listed in Table 2.
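An added example, not from the paper, that evaluates the quantities defined above for GRP and DDR by exhaustive enumeration on a constructed 8-bit word: the type (A) probability and type (B) expected Hamming weight of Table 1, and the type (L) and type (M) linear biases. GRP is assumed to gather control-0 bits to the left and control-1 bits to the right with their order preserved, and DDR to rotate by y mod w; OMFLIP is left out because its network is not defined on this page.

```python
from fractions import Fraction

W = 8  # constructed word size: small enough to enumerate every (x, y) pair exactly

def e(s):            # e_s: the W-bit word with a single one in bit position s (bit 0 = LSB)
    return 1 << s

def bit(x, i):
    return (x >> i) & 1

def grp(x, y):
    """GRP as assumed here (the definition is not on this page): scanning x from the left
    (bit W-1) to the right, bits whose control bit in y is 0 are gathered, in order, at the
    left end of the result and bits whose control bit is 1 are gathered at the right end."""
    order = range(W - 1, -1, -1)
    z = 0
    for b in [bit(x, i) for i in order if not bit(y, i)] + [bit(x, i) for i in order if bit(y, i)]:
        z = (z << 1) | b
    return z

def ddr(x, y):
    """Data-dependent rotate left by y mod W: only the low lg(W) bits of y take effect."""
    r = y % W
    return ((x << r) | (x >> (W - r))) & ((1 << W) - 1)

def type_a_prob(op, s, t):
    """Exact probability of the characteristic (e_s, 0) -> e_t. For a fixed control word
    the operation is a bit permutation, hence GF(2)-linear in x, so the output difference
    is just op(e_s, y); average over all 2^W control words."""
    return Fraction(sum(op(e(s), y) == e(t) for y in range(1 << W)), 1 << W)

def max_type_a(op):
    return max(type_a_prob(op, s, t) for s in range(W) for t in range(W))

def type_b_weight(op, t):
    """Exact E[HWT(dZ)] of the characteristic (0, e_t) -> dZ over all (x, y): how many
    output bits a one-bit change in the control word disturbs."""
    n = 1 << W
    total = sum(bin(op(x, y) ^ op(x, y ^ e(t))).count("1") for x in range(n) for y in range(n))
    return Fraction(total, n * n)

def linear_bias(op, s, u, t):
    """Bias |p - 1/2| of the approximation x_s (+) y_u = z_t. u=None gives a type (L)
    approximation (e_s, 0, e_t); otherwise it is type (M), (e_s, e_u, e_t)."""
    n = 1 << W
    hold = sum((bit(x, s) ^ (bit(y, u) if u is not None else 0)) == bit(op(x, y), t)
               for x in range(n) for y in range(n))
    return abs(Fraction(hold, n * n) - Fraction(1, 2))
```

For a bit permutation the type (L) bias is exactly half the type (A) probability for the same (s, t), since z_t equals x_s when bit s lands at position t and is an independent bit otherwise; for example linear_bias(ddr, 2, None, 5) returns 1/16 while type_a_prob(ddr, 2, 5) returns 1/8.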