DES, Triple-DES, and AES. Sandy Kutin, CSPP 532, 7/3/01

Mar 31, 2015

Slide 2: Symmetric Cryptography
• Secure communication has two parts:
  - Establish a key (public key methods)
  - Encrypt message symmetrically using key
• Symmetric encryption is faster
• Cryptographic scheme is only as good as its weakest link
• We need to understand strengths and weaknesses of symmetric encryption

Slide 3: DES: Data Encryption Standard
• 1972: National Bureau of Standards begins search
• 1975: DES: Lucifer by IBM, modified by NSA (key reduced from 128 to 56 bits)
• Approved by NBS '76, ANSI '81
• Renewed every 5 years by NIST
• Now considered obsolete

Slide 4: DESiderata
• Secure: hard to attack
  - Classic case: given ciphertext, get plaintext
  - Also: given both, get key
  - Achieved through diffusion, confusion
• Easy to implement (in hardware, software)
  - Use a few fast subroutines
  - Decryption uses same routines
• Easy to analyze
  - Prove that certain attacks fail

Slide 5: DEScription: Overview
• Block cipher: 64 bits at a time
• Initial permutation rearranges 64 bits (no cryptographic effect)
• Encoding is in 16 rounds
[Figure: plaintext → Initial Permutation → Round 1 → Round 2 → ... → Round 16 → Initial Permutation^-1 → ciphertext]

Slide 6: DEScription: One Round
• 64 bits divided into left, right halves
• Right half goes through function f, mixed with key
• Right half added to left half
• Halves swapped (except in last round)
[Figure: one round, L_{i-1}, R_{i-1} → L_i, R_i]

Slide 7: DEScription: InsiDES
• Expand right side from 32 to 48 bits (some get reused)
• Add 48 bits of key (chosen by schedule)
• S-boxes: each set of 6 bits reduced to 4
• P-box permutes 32 bits
[Figure: R_{i-1} → Expansion → add K_i → eight S-boxes → P-box → output]

Slide 8: DESign Principles: Inverses
• Equations for round i:
• In other words:
• So decryption is the same as encryption
• Last round, no swap: really is the same
[Figure: one round, L_{i-1}, R_{i-1} → L_i, R_i]

Slide 9: MoDES of Operation
• ECB: Electronic CodeBook mode:
  - Encrypt each 64-bit block independently
  - Attacker could build codebook
• CBC: Cipher Block Chaining mode:
  - Encryption: C_i = E_K(P_i ⊕ C_{i-1})
  - Decryption: P_i = C_{i-1} ⊕ D_K(C_i)
• CFB, OFB: allow byte-wise encryption
  - Cipher FeedBack, Output FeedBack

Slide 10: PeDEStrian attacks
• Obvious attack: guess the key. 2^56 keys
• Complementation property: 2^55 keys
• 1 million per second: 1100 years
• Store E_K(P_1) for all K: 512 petabytes
• Time/memory tradeoff (Hellman, 1980):
  - 1 terabyte
  - 5 days

Slide 11: DEStroying Security
• Differential cryptanalysis (1990):
• Say you know plaintext, ciphertext pairs
• Difference dP = P_1 ⊕ P_2, dC = C_1 ⊕ C_2
• Distribution of dCs given dP may reveal key
• Need lots of pairs to get lots of good dPs
• Look at pairs, build up key in pieces
• Could find some bits, brute-force for rest

Slide 12: DEServing of Praise
• Against 8-round DES, attack requires:
  - 2^14 = 16,384 chosen plaintexts, or
  - 2^38 known plaintext-ciphertext pairs
• Against 16-round DES, attack requires:
  - 2^47 chosen plaintexts, or
  - Roughly 2^55.1 known plaintext-ciphertext pairs
• Differential cryptanalysis not effective
• Designers knew about it

Slide 13: DESperate measures
• Linear cryptanalysis:
  - Look at algorithm structure: find places where, if you XOR plaintext and ciphertext bits together, you get key bits
  - S-boxes not linear, but can approximate
• Need 2^43 known pairs; best known attack
• DES apparently not optimized against this
• Still, not an easy-to-mount attack

Slide 14: DESuetude
• Weakest link is size of key
• Attacks take advantage of encryption speed
• 1993: Wiener: $1M machine, 3.5 hours
• 1998: EFF's Deep Crack: $250,000
  - 92 billion keys per second; 4 days on average
• 1999: distributed.net: 23 hours
• OK for some things (e.g., short time horizon)
• DES sliDES into wiDESpread DESuetude

Slide 15: Triple-DES
• Run DES three times:
  - ECB mode:
• If K_2 = K_3, this is DES
  - Backwards compatibility
• Known not to be just DES with K_4 (1992)
• Has 112 bits of security, not 3 × 56 = 168
• Why? What's the attack?
• What's wrong with Double-DES?

Slide 16: DESpair
• Double-DES: C_i = E_B(E_A(P_i))
• Given P_1, C_1: note that D_B(C_1) = E_A(P_1)
• Make a list of every E_K(P_1).
• Try each L: if D_L(C_1) = E_K(P_1), then maybe K = A, L = B. (2^48 Ls might work.)
• Test with P_2, C_2: if it checks, it was probably right.
• Time roughly 2^56. Memory very large.

Slide 17: Advanced Encryption Standard
• DES cracked, Triple-DES slow: what next?
• 1997: AES announced, call for algorithms
• August 1998: 15 candidate algorithms
• August 1999: 5 finalists
• October 2000: Rijndael selected
  - Two Belgians: Joan Daemen, Vincent Rijmen
• May 2001: Comment period ended
• Summer 2001: Finalized, certified until '06

Slide 18: AESthetics
• Similar to DES: block cipher (with different modes), but 128-bit blocks
• 128-bit, 192-bit, or 256-bit key
• Mix of permutations, S-boxes
• S-boxes based on modular arithmetic with polynomials:
  - Non-linear
  - Easy to analyze, prove attacks fail

Slide 19: AES: State array
• State of machine given by 4x4 array of bytes

Slide 20: AES: Pseudocode

Slide 21: AES: SubBytes() (S-box)
• Non-linear, based on polynomial arithmetic

Slide 22: AES: ShiftRows()

Slide 23: AES: MixColumns()

Slide 24: AES: AddRoundKey()
• Key schedule: expand N_b-word key to 4 words per round for (6 + N_b) rounds (N_b could be 4, 6, or 8)

Slide 25: Not just a CAESar Shift
• A byte B = b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0 is a polynomial b_7 x^7 + b_6 x^6 + b_5 x^5 + b_4 x^4 + b_3 x^3 + b_2 x^2 + b_1 x^1 + b_0 x^0
• Can add, subtract, multiply polynomials
• Coefficients are manipulated mod 2
• Do polynomial division, get remainders
• Can work mod a particular polynomial
• AES uses a particular prime polynomial

Slide 26: KafkAESque Complexity
• S-box: input is a byte B
  - First take B^-1 (mod p)
  - Next, do a linear transformation on the bits
  - Finally, XOR with a fixed byte
• MixColumns() also uses polynomials
• S-box can be done with a lookup table
• Easier to analyze than random S-boxes used in DES

Slide 27: Suggested Reading
• Chapter references are to Stallings
• Modular arithmetic: Sections 7.1-7.3, 7.5
• Big-Oh notation: Appendix 6A
• DES: Chapter 3
• Double-DES, Triple-DES: Section 4.1
• AES: The AES home page: http://csrc.nist.gov/encryption/aes/
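The following is an added worked example, not part of the deck and not DES: a constructed toy Feistel cipher (32-bit block, 16-bit key, four rounds, with an invented round function and key schedule) used to show in running code what slides 6, 8, 9 and 16 describe. It shows that the same Feistel routine with the subkeys reversed is the decryption (slide 8), that ECB repeats ciphertext blocks where plaintext blocks repeat while CBC with the formulas C_i = E_K(P_i ⊕ C_{i-1}) and P_i = C_{i-1} ⊕ D_K(C_i) does not (slide 9), and that the list-and-match argument of slide 16 recovers both keys of double encryption with about 2·2^16 block operations rather than 2^32, which is why double encryption adds only one bit of strength and why Triple-DES, not Double-DES, is used. The key space is made tiny on purpose so the whole argument runs in seconds; all sample keys, IVs and blocks are constructed values.

```python
# Toy Feistel cipher (32-bit block, 16-bit key, 4 rounds): an added, constructed
# illustration of the DES round structure, NOT DES itself. The round function,
# key schedule and sizes are invented so that the whole key space (2^16) can be
# enumerated in seconds; DES uses 64-bit blocks, 56-bit keys and 16 rounds.

ROUNDS = 4
MASK16 = 0xFFFF


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16


def key_schedule(key):
    # Round i uses the key rotated left by 3*i bits (constructed, not DES's schedule).
    return [rotl16(key & MASK16, 3 * i) for i in range(ROUNDS)]


def f(r, k):
    # Toy round function: XOR in the subkey, then a non-linear mix.
    # DES instead uses expansion, eight S-boxes and a P-box here (slide 7).
    x = (r ^ k) & MASK16
    x = (x * 0x2F1D + 0x5A5A) & MASK16
    return (rotl16(x, 3) ^ (x >> 2)) & MASK16


def feistel(block, subkeys):
    # Per round: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i), then swap
    # halves, except after the last round (slide 6). Because a round only XORs
    # f(...) into one half, the same routine with the subkeys in reverse order
    # undoes it (slide 8).
    left, right = (block >> 16) & MASK16, block & MASK16
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 16) | left  # undo the final swap


def encrypt_block(block, key):
    return feistel(block, key_schedule(key))


def decrypt_block(block, key):
    return feistel(block, key_schedule(key)[::-1])  # same routine, reversed keys


# Modes of operation (slide 9)

def ecb_encrypt(blocks, key):
    # Each block on its own: equal plaintext blocks give equal ciphertext blocks,
    # which is the codebook leak the slide warns about.
    return [encrypt_block(p, key) for p in blocks]


def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv
    for p in blocks:
        c = encrypt_block(p ^ prev, key)  # C_i = E_K(P_i XOR C_{i-1}), C_0 = IV
        out.append(c)
        prev = c
    return out


def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(prev ^ decrypt_block(c, key))  # P_i = C_{i-1} XOR D_K(C_i)
        prev = c
    return out


# Double encryption and the meet-in-the-middle argument (slide 16)

def double_encrypt(block, key_a, key_b):
    return encrypt_block(encrypt_block(block, key_a), key_b)  # C = E_B(E_A(P))


def meet_in_the_middle(pairs):
    # pairs: [(P1, C1), (P2, C2), ...] produced by double_encrypt(P, A, B).
    # List E_K(P1) for every K; for every L test whether D_L(C1) is in the list;
    # a hit means maybe K = A, L = B, so confirm it on the remaining pairs.
    # Work is about 2 * 2^16 block operations, not the 2^32 of trying every
    # (A, B) pair: the second key buys one extra bit of security, not sixteen.
    p1, c1 = pairs[0]
    table = {}
    for k in range(1 << 16):
        table.setdefault(encrypt_block(p1, k), []).append(k)
    for l in range(1 << 16):
        for k in table.get(decrypt_block(c1, l), ()):
            if all(double_encrypt(p, k, l) == c for p, c in pairs[1:]):
                return k, l
    return None


if __name__ == "__main__":
    key, iv = 0x1234, 0xDEADBEEF  # constructed sample values
    blocks = [0xCAFEBABE, 0xCAFEBABE, 0x00000001]  # note the repeated block
    print("ECB:", [hex(c) for c in ecb_encrypt(blocks, key)])
    print("CBC:", [hex(c) for c in cbc_encrypt(blocks, key, iv)])
    key_a, key_b = 0x0BAD, 0xF00D
    pairs = [(p, double_encrypt(p, key_a, key_b)) for p in blocks[1:]]
    print("both keys recovered from two pairs:", meet_in_the_middle(pairs) == (key_a, key_b))
```

Scaling the last function to the real sizes gives the numbers on slide 16: with 64-bit blocks and 56-bit keys, 2^56 table entries (the "memory very large") and about 2^56 trial decryptions, with roughly 2^56 · 2^56 / 2^64 = 2^48 false matches on the first pair that the second pair weeds out.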
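As a second added example (again not code from the deck), the byte arithmetic of slides 25 and 26 and the AES steps of slides 21, 23 and 24 in running form: bytes multiplied as polynomials with coefficients mod 2 and reduced mod the AES polynomial x^8 + x^4 + x^3 + x + 1, the S-box built exactly as slide 26 lists it (inverse, then a fixed linear map on the bits, then XOR with the constant 0x63), the lookup table an implementation would precompute from it, MixColumns as four field multiplications per output byte, ShiftRows, and the round count of slide 24. The check values (e.g. {57}·{83} = {c1}, S-box({53}) = {ed}, the MixColumns column d4 bf 5d 30 → 04 66 81 e5) are the worked examples given in FIPS-197; note FIPS-197 calls the key length in words N_k, where the slide writes N_b.

```python
# AES building blocks from the field arithmetic on slides 25-26: bytes as
# polynomials over GF(2) reduced mod the AES polynomial, the S-box as
# inverse + linear map + constant, and MixColumns as field multiplications.
# Added illustration; check values in the tests are FIPS-197's own examples.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1: the irreducible ("prime") polynomial AES reduces by


def gf_mul(a, b):
    """Multiply two bytes as polynomials with coefficients mod 2, reduced mod AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a       # polynomial addition is XOR
        a <<= 1               # multiply a by x
        if a & 0x100:
            a ^= AES_POLY     # degree reached 8: subtract (XOR) the modulus
        b >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse B^-1 (mod p) by search; AES maps 0 to 0."""
    if a == 0:
        return 0
    for x in range(1, 256):
        if gf_mul(a, x) == 1:
            return x
    raise ValueError("no inverse found: the modulus would not be irreducible")


def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox(b):
    """SubBytes on one byte: invert, apply the fixed GF(2)-linear map, XOR the constant 0x63."""
    x = gf_inv(b)
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4) ^ 0x63


def build_sbox():
    """The 256-entry lookup table an implementation uses instead of calling sbox() per byte."""
    return [sbox(b) for b in range(256)]


# MixColumns multiplies each column by {03}x^3 + {01}x^2 + {01}x + {02} mod x^4 + 1,
# which is this circulant matrix of field constants.
MIX_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def mix_column(col):
    """MixColumns on one 4-byte column (list of 4 ints)."""
    out = []
    for row in MIX_MATRIX:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out


def shift_rows(state):
    """ShiftRows on a 4x4 state given as a list of 4 rows: row r is rotated left by r bytes."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def num_rounds(key_words):
    """Rounds for a 4-, 6- or 8-word key: slide 24's 6 + N_b (FIPS-197 writes N_k)."""
    if key_words not in (4, 6, 8):
        raise ValueError("AES keys are 4, 6 or 8 words (128, 192 or 256 bits)")
    return 6 + key_words


if __name__ == "__main__":
    print("{57} * {83} =", hex(gf_mul(0x57, 0x83)))
    print("S-box({53}) =", hex(sbox(0x53)))
    print("MixColumns(d4 bf 5d 30) =", [hex(b) for b in mix_column([0xD4, 0xBF, 0x5D, 0x30])])
    print("rounds for 128/192/256-bit keys:", [num_rounds(n) for n in (4, 6, 8)])
```

Because the S-box is a bijection built from an algebraic inverse and an invertible linear map, the properties slide 26 mentions (non-linearity, analysability) follow from the field structure rather than from a table chosen by hand, which is what "easier to analyze than random S-boxes" refers to.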