There is no security on this earth, there is only opportunity - General Douglas MacArthur

  1. There is no security on this earth, there is only opportunity - General Douglas MacArthur

  2. Origins • A replacement for DES was needed • theoretical attacks that might break it had been worked out • exhaustive key search attacks had been demonstrated • 1999: NIST issued FIPS PUB 43: DES for legacy systems only; Triple DES prescribed for new systems • Triple DES can be used up to 2030, but it is slow, particularly in software implementations, and has small blocks • Jan 2, 1997: NIST begins work on the new standard • Sept 12, 1997: formal call for AES proposals

  3. AES Requirements issued by NIST in 1997 • private key, symmetric block cipher • 128-bit data, 128/192/256-bit keys • stronger & faster than Triple-DES • active life of 20-30 years (+ archival use) • provide full specification & design details • both C & Java implementations

  4. History of Development of AES • June 1998: 21 proposals • Aug 20, 1998: shortlisted to 15 proposals: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, RIJNDAEL, SAFER+, SERPENT, TWOFISH • March 22-23, 1999: AES2: Second AES Candidate Conference, Rome • Aug 1999: five candidates: MARS, RC6, RIJNDAEL, SERPENT, TWOFISH: considered equally secure; efficiency, speed and lower resource needs were to be studied further.

  5. AES Shortlist • shortlist in Aug-99: • MARS (IBM) - complex, fast, high security margin • RC6 (USA) - very simple, very fast, low security margin • Rijndael (Belgium) - clean, fast, good security margin; academic • Serpent (Europe) - slow (1/3rd the speed of AES), clean, highest security margin of the 5 finalists; academic • Twofish (USA) - complex, Feistel, DES-like structure; very fast (as fast as AES), high security margin; key-dependent S-boxes; uses whitening: at both the start and the end of the cipher process, key material is added to the data • then subject to further analysis & comment

  6. AES Evaluation Criteria. Initial criteria: • security: effort to practically cryptanalyse • cost: computational • algorithm & implementation characteristics (Used to reduce the field from 21 proposals to 15. Thereafter 5 candidates were shortlisted out of the 15, by using the same criteria.)

  7. Final criteria for selecting Rijndael out of the five: 1. general security 2. software & hardware implementation ease 3. implementation attacks 4. flexibility (in en/decrypt, other factors) 5. restricted memory requirement (for use in smart devices) 6. key agility: ability to change keys fast, with a minimum of resources.

  8. AES • October 2, 2000: RIJNDAEL selected as AES • Unclassified, publicly disclosed encryption algorithm • Available royalty-free world-wide • Symmetric-key block cipher

  9. Selection of AES • saw contrast between algorithms • with few complex rounds versus many simple rounds • which refined existing ciphers versus new proposals • which could be implemented efficiently both in software only and through special purpose ICs • AES: issued as FIPS PUB 197 standard in Nov-2001 • AES: initially developed as the Rijndael cipher by Joan Daemen and Vincent Rijmen

  10. Rijndael Cipher • an iterative rather than Feistel-type cipher • operates on an entire block of data in every round (and not on half the block, as in Feistel type ciphers) • designed to be: • resistant against known attacks • speed and code compactness on many CPUs • design simplicity • Plaintext Data: written in the form of a matrix • Input Key: also written in the form of a matrix

  11. Key • Key and data bytes are arranged in rectangular arrays. Variable key size: 16, 24 or 32 bytes; K(i,j) represents the byte in the ith row and jth column. Nk = number of column vectors of the key (4-byte vectors)

  12. Block of data. Variable block size: 16, 24 or 32 bytes; a(i,j) represents the byte in the ith row and jth column. Nb = number of column vectors (4-byte vectors)

  13. State • The plaintext block of data is represented as a matrix. Each cell of the matrix is a byte. • The en/de-cryption process is a multi-step process. • The matrix is manipulated at each step to yield a new matrix as the output of the step. • At each stage, the matrix of data, whether it is the input to the stage or it is the output of the stage, is called a STATE. • The final output of the multi-step encryption process yields the ciphertext.

  14. Rijndael Cipher: Each stage in the en/de-cryption process takes a matrix of input, called a STATE, and produces a matrix of output, also called a STATE (the output state will naturally differ from the input state). Given a key K, the KEY EXPANSION process expands the one key into multiple sub-keys of the same size. ROUND: a collection of steps, performed sequentially on a state, to produce a new state.

  15. Rijndael encryption (and decryption) process: Number of Rounds (Nr): 10/12/14 applications of (nearly) the same round function. Nr = 6 + Max(Nk, Nb)

                Nb = 4   Nb = 6   Nb = 8
        Nk = 4    10       12       14
        Nk = 6    12       12       14
        Nk = 8    14       14       14

  16. Rijndael Cipher: Three-step process of encryption: • initial XOR of the 128-bit block of plaintext with sub-key 1 • 9/11/13 rounds. Each round consists of: • byte substitution (the same S-box is used on every byte, unlike DES, where 8 different S-boxes are used) • shift rows (permute bytes between columns) • mix columns (substitution using matrix multiplication of groups) • add round key (XOR state with a separate sub-key for each round) • incomplete last (i.e. 10/12/14th) round (without the mix columns operation)

  17. Example: Key Expansion for a 128-bit key and 128-bit block. If Nb is fixed at 4, the number of rounds Nr = 1 + 10 or 12 or 14, depending upon the value of Nk. No. of keys required = Nr + 1. Example: Given a key of 128 bits, so Nk = 4. Key: first rewritten into four components of 4 bytes each, called w(0) to w(3); each w is of 32 bits. Then the key is expanded from 4 to 44 components of 32 bits each, called w(i), i = 0 to 43. For the jth round, the sub-key consists of w(4j) to w(4j+3). Total number of key bits = N(Nr + 1), where N = block size in bits.

  18. Rijndael Cipher continued • The Rijndael cipher has a variable block length and key length. Currently keys with a length of 128, 192 or 256 bits encrypt blocks with a length of 128, 192 or 256 bits (all nine combinations of key length and block length are possible). Both block length and key length can be extended very easily by multiples of 32 bits. • Rijndael can be implemented efficiently on a wide range of processors and in hardware. • All operations can be combined into XORs and table lookups, hence very fast & efficient.

  19. Rijndael Cipher continued • For a 128-bit block: processes data as 4 groups of 4 bytes each. • Each group is shown as a column in a matrix of four columns. Each column has 4 rows. Each cell of the 4x4 matrix contains one byte. • The output of every round is a new state of 128 bits, i.e. 4 columns of 4 bytes each. • The ciphertext is the final output generated by the cipher system.

  20. Example of selection process: Cryptographic Hash Algorithm (SHA-3) • 2005: Prof. Xiaoyun Wang: a differential attack on SHA-1 can find a hash collision (two messages with the same hash value) on the SHA-1 hash with an estimated work of 2^63 operations • the ideal: 2^80 operations should be required for any good 160-bit hash function. • Recommendation: use the SHA-2 family of hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) • A competition by NIST: entries received by October 31, 2008; July 2009: Second Round candidates selected (Reference: http://csrc.nist.gov/ as of Oct 5, 2009)

  21. The AES Cipher • A FIPS-approved cryptographic algorithm that can be used to protect electronic data. • AES uses a 128-bit block only. The key may be of 128, 192 or 256 bits. Nk may be 4/6/8. • Nr = Number of rounds = 6 + Nk. Reference: Federal Information Processing Standards (FIPS) Publication 197 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf as of Oct 5, 2009

  22. “This authority (National Protection and Programs Directorate) will assist us in recruiting the best people in the world to come work for us over the next few years as cyber analysts, developers and engineers. So look out – we’re coming.” -- Janet Napolitano, Homeland Security Secretary in "DHS could hire 1000 more cyber security professionals", FederalComputerWeek, October 1, 2009 http://fcw.com/Articles/2009/10/01/Web-DHS-hiring-cybersecurity-officials.aspx as of 7th Oct 2009

  23. AES vs Rijndael • AES uses a 128-bit block only (Nb = 4 only). Rijndael can use a block of 128/192/256 bits (Nb may be 4/6/8). • Both AES and Rijndael may use cryptographic keys of 128, 192 or 256 bits (Nk may be 4/6/8). • AES has 10, 12 or 14 rounds for Nk of 4, 6 or 8 respectively.

  24. Steps of a Round Function • Round function: composed of 4 steps (except for the incomplete last round, which has no MixColumn) • Each step has its own particular function: • ByteSub: non-linearity • ShiftRow: inter-column diffusion • MixColumn: inter-byte diffusion within columns • Round key addition • Figure on the next slide: shows both encryption and decryption processes; the STATE at corresponding levels of encryption and decryption is the same.

  25. AES Cipher continued

  26. Pseudo Code for Encryption, for the earlier rounds and for the last round
      • Round(State, RoundKey) {
            ByteSub(State);
            ShiftRow(State);
            MixColumn(State);
            AddRoundKey(State, RoundKey);
        }
      • For the last round, it is a little different:
        Round(State, RoundKey) {
            ByteSub(State);
            ShiftRow(State);
            AddRoundKey(State, RoundKey);
        }

  27. Three Steps of Decryption • initial XOR of the ciphertext with the sub-key • 9/11/13 rounds in which the state undergoes: • InvShiftRow (permute bytes between columns) • InvByteSub (the same inverse S-box used on every byte) • add round key (XOR state with a separate sub-key for each round) • InvMixColumn (substitution using matrix multiplication of groups) • incomplete last (i.e. 10/12/14th) round (without the InvMixColumn operation)

  28. Pseudo Code for Decryption, for the earlier rounds and for the last round
      • Round(State, RoundKey) {
            InvShiftRow(State);
            InvByteSub(State);
            AddRoundKey(State, RoundKey);
            InvMixColumn(State);
        }
      • For the last round, it is a little different:
        Round(State, RoundKey) {
            InvShiftRow(State);
            InvByteSub(State);
            AddRoundKey(State, RoundKey);
        }

  29. Sequence of Operations in a Round (SoOiaR) of Encryption vs. SoOiaR of Decryption. Let Si be the input state for round i and let Si+1 be the output state.
      • Encryption: Let w(4*i, 4*i + 3) be the RoundKey for the ith round.
        Si+1 = AddRoundKey(MixColumn(ShiftRow(ByteSub(Si))))
        In the last round, the MixColumn operation is not included.
      • Decryption: Let w(4*(10-i), 4*(10-i)+3) be the RoundKey for the ith round.
        Si+1 = InvMixColumn(AddRoundKey(InvByteSub(InvShiftRow(Si))))
        In the last round, the InvMixColumn operation is not included.
      Method of aligning the two sequences: after a study of the 4 operations.

  30. AES Cipher continued

  31. AES: sources of security • AES begins and ends with AddRoundKey; these steps on their own do not provide much security. • ByteSub, ShiftRow and MixColumn make no use of the key, so they are invertible by anyone; but they provide non-linearity, diffusion and confusion. • Jointly, the two kinds of step provide the security.

  32. The process of Encryption: Add Round Key • XOR state with 128-bits of the round key • again processed by column (though effectively a series of byte operations) • inverse for decryption is identical since XOR is own inverse, just with correct round key

  33. Example. Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 33
      • Input M = 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
      • Cipher Key K = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
      • 0th Round (The First Stage): M ⊕ K = M0 (bytes are written into the matrices column by column)

              M                K                M0
          32 88 31 e0      2b 28 ab 09      19 a0 9a e9
          43 5a 31 37  ⊕   7e ae f7 cf  =   3d f4 c6 f8
          f6 30 98 07      15 d2 15 4f      e3 e2 8d 48
          a8 8d a2 34      16 a6 88 3c      be 2b 2a 08

      Each stage generates a new STATE. Thus from M (the input state), this stage generates a new state M0.

  34. First Step in a Round of Encryption: ByteSub (a(i,j) → S-box → b(i,j)) • Bytes are transformed by applying an invertible S-box • One single S-box for the complete cipher • High non-linearity

  35. Byte Substitution • a simple substitution of each byte • uses one S-box of 16x16 bytes containing a permutation of all 256 8-bit values • each byte of the state is replaced by the byte at row (left 4 bits) & column (right 4 bits) • e.g. byte {95} is replaced by the byte in the 9th row and 5th column of the S-box (the value in the 9th row and 5th column is {2A}) • the S-box is constructed using a defined transformation of the values in GF(2^8) • designed to be resistant to all known attacks

  36. S-Box Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 16 as of October 12, 2009

  37. Design Criteria for the S-box • Low correlation between input and output bits • Output cannot be a simple mathematical function of the input. • No fixed point of S-box: input and output for S-box cannot be the same. • No opposite fixed point of S-box: input and output cannot be bit-wise complement of each other.

  38. Construction of the 16 x 16 S-box. Each cell of the S-box contains one byte. Rows and columns are numbered from 0 to F. Step 1: Initialization: put in each cell the value equal to its position row:column. Ex.: in row 0, column 2, the value would be 02 (hex) or 0000 0010 (binary). Step 2: Replace the value in each cell by its multiplicative inverse in GF(2^8) mod (x^8 + x^4 + x^3 + x + 1). Use the extended Euclid algorithm, given in the Mathematical Background.

  39. Now Please Refer to the Mathematical background.

  40. Multiplicative inverse: Extended Euclid[m(x), b(x)] Algorithm
      1. (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, b)
      2. If B3 = 0, return A3 = gcd(m, b); no inverse exists.
      3. If B3 = 1, return B2 as the multiplicative inverse of b (i.e. b(x).B2 = 1 mod m(x)).
      4. Q = A3 / B3 (polynomial quotient)
      5. (T1, T2, T3) ← (A1 - Q B1, A2 - Q B2, A3 - Q B3)
      6. (A1, A2, A3) ← (B1, B2, B3)
      7. (B1, B2, B3) ← (T1, T2, T3)
      8. Go to 2

  41. Construction of the 16 x 16 S-box: multiplicative inverse mod (x^8+x^4+x^3+x+1). Ex: In row 0, column 2, the value 02 (hex), corresponding to a(x) = x, is replaced by its multiplicative inverse (shown below to be 8D hex). To find c(x) so that a(x).c(x) = 1 mod (x^8 + x^4 + x^3 + x + 1):

        A1   A2   A3                 B1   B2               B3   Q
        1    0    x^8+x^4+x^3+x+1    0    1                x    -
        0    1    x                  1    x^7+x^3+x^2+1    1    x^7+x^3+x^2+1

      c(x) = x^7+x^3+x^2+1 = 1000 1101 (binary) = 8D (hex). Step 3: Use the matrix transformation of the next slide to transform 8D (hex), called vector x], to a new vector y].

  42. Example: Row 0 and column 2, contd. c(x) = x^7+x^3+x^2+1 = 8D (hex) = a7 x^7 + a6 x^6 + … + a1 x + a0

               a0     1
               a1     0
               a2     1
        x] =   a3  =  1
               a4     0
               a5     0
               a6     0
               a7     1

  43. S-Box construction: Example continued. y] = [M1] x] + m2], with

               1 0 0 0 1 1 1 1           1
               1 1 0 0 0 1 1 1           1
               1 1 1 0 0 0 1 1           0
        [M1] = 1 1 1 1 0 0 0 1    m2] =  0
               1 1 1 1 1 0 0 0           0
               0 1 1 1 1 1 0 0           1
               0 0 1 1 1 1 1 0           1
               0 0 0 1 1 1 1 1           0

  44. Construction of the 16 x 16 S-box, Example continued. Step 3 (continued), with x] = [1 0 1 1 0 0 0 1]^T from slide 42:

        [M1] x] = [0 0 1 0 1 0 0 0]^T,   m2] = [1 1 0 0 0 1 1 0]^T
        y] = [M1] x] + m2] = [0 0 1 0 1 0 0 0]^T + [1 1 0 0 0 1 1 0]^T = [1 1 1 0 1 1 1 0]^T

      NOTE: The transformed value is y7…y0 = 0111 0111 = 77 (hex). The Inverse S-box provides the value 02 in the 7th row and 7th column. AES uses two substitution boxes: the S-box for encryption and the Inverse S-box for decryption. The next slide again shows the S-box.

  45. S-Box Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 16

  46. Example of ByteSub. Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 33. Use M0 of slide 33 as the input data for this example.

              M0                           M1
          19 a0 9a e9                 d4 e0 b8 1e
          3d f4 c6 f8   – BYTE SUB →  27 bf b4 41
          e3 e2 8d 48                 11 98 5d 52
          be 2b 2a 08                 ae f1 e5 30
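The round steps of slides 16, 33 and 46 worked on the FIPS 197 Appendix B trace, as an added example (not code from the slides or from FIPS 197): AddRoundKey produces M0 from M and K, and the ShiftRow and MixColumn steps that follow ByteSub are then applied to the M1 of slide 46, which is copied in so that no S-box table is needed here. The state layout (column-major 4x4), the MixColumn circulant (02 03 01 01) and xtime are standard AES and are assumed rather than taken from the slides.

```python
# Added example, not from the slides or FIPS 197: AddRoundKey, ShiftRow and
# MixColumn on the Appendix B trace. The state is the 4x4 byte matrix of
# slides 12-19, filled column by column.
PLAINTEXT = bytes.fromhex("3243f6a8885a308d313198a2e0370734")  # M, slide 33
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")        # K, slide 33
# State after ByteSub in round 1, copied from slide 46 (no S-box needed here).
STATE_M1 = [[0xd4, 0xe0, 0xb8, 0x1e], [0x27, 0xbf, 0xb4, 0x41],
            [0x11, 0x98, 0x5d, 0x52], [0xae, 0xf1, 0xe5, 0x30]]

def to_state(block):
    """16 bytes -> 4x4 state, column by column: a[r][c] = block[r + 4c]."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def add_round_key(state, round_key):
    """XOR the state with a 16-byte round key laid out the same way."""
    k = to_state(round_key)
    return [[state[r][c] ^ k[r][c] for c in range(4)] for r in range(4)]

def shift_rows(state):
    """Row r is rotated left by r positions, moving bytes between columns."""
    return [state[r][r:] + state[r][:r] for r in range(4)]

def xtime(b):
    """Multiply by x (= 02) in GF(2^8) mod x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def mix_columns(state):
    """Each column is multiplied by the circulant matrix with rows (02 03 01 01)."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        a = [state[r][c] for r in range(4)]
        for r in range(4):
            out[r][c] = (xtime(a[r]) ^ xtime(a[(r + 1) % 4]) ^ a[(r + 1) % 4]
                         ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def hexrows(state):
    """Render a state as the hex rows used on the slides."""
    return [" ".join(f"{b:02x}" for b in row) for row in state]

def round0_state():
    """Slide 33: M0 = M xor K, the state fed into round 1."""
    return add_round_key(to_state(PLAINTEXT), KEY)

def round1_after_mix_columns():
    """Slide 16's remaining round steps after ByteSub: ShiftRow, then MixColumn."""
    return mix_columns(shift_rows(STATE_M1))
```

Printing `hexrows(round0_state())` reproduces the M0 matrix of slide 33, and `hexrows(round1_after_mix_columns())` gives the round 1 state that the FIPS 197 trace lists just before the round 1 AddRoundKey.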

  47. Inverse Byte Substitution
        95 – S-Box →      2a
        2a – Inv S-Box →  95
        95 – Inv S-Box →  ad
      The S-Box is NOT self-inverse: for the same input, the S-Box and the Inv S-Box will NOT give the same output.

  48. Inverse S-Box (input x, output y). Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 22

  49. Construction of the Inverse Substitution Box: x] = [M3] y] + m4], with

               0 0 1 0 0 1 0 1           1
               1 0 0 1 0 0 1 0           0
               0 1 0 0 1 0 0 1           1
        [M3] = 1 0 1 0 0 1 0 0    m4] =  0
               0 1 0 1 0 0 1 0           0
               0 0 1 0 1 0 0 1           0
               1 0 0 1 0 1 0 0           0
               0 1 0 0 1 0 1 0           0

  50. Justification: x] = [M3] y] + m4]. Using slide 38: x] = [M3] ([M1] x] + m2]) + m4] = [M3].[M1] x] + [M3].m2] + m4]. We find [M3].[M1] = unity matrix and [M3].m2] + m4] = 0].
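The S-box construction of slides 38 to 50 carried out in code, as an added example (not code from the slides or from FIPS 197): the multiplicative inverse in GF(2^8) is found with the extended Euclid algorithm of slide 40 on polynomials held as bit strings, the affine map y = M1 x + m2 of slide 43 and the inverse map x = M3 y + m4 of slide 49 are applied as GF(2) matrix-vector products, and the justification of slide 50 (M3 M1 = I, M3 m2 + m4 = 0) is checked directly. The rows of M1 and M3 are encoded as bit masks rather than written out as 0/1 rows; that encoding is this example's own.

```python
# Added example, not code from the slides or FIPS 197: the AES S-box built as
# slides 38-50 describe it, GF(2^8) inverse by extended Euclid followed by the
# affine map y = M1*x + m2; the inverse S-box applies x = M3*y + m4, then inverts.
MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1 written as a bit string

def poly_divmod(a, b):
    """Long division of binary polynomials held in ints: (quotient, remainder)."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def poly_mul(a, b):
    """Carry-less product of two binary polynomials (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def gf_inverse(b, m=MOD):
    """Slide 40: extended Euclid(m, b). 0 has no inverse and is mapped to 0."""
    (a1, a2, a3), (b1, b2, b3) = (1, 0, m), (0, 1, b)
    while b3 > 1:  # stop when B3 is 0 (no inverse) or 1 (B2 is the inverse)
        q, _ = poly_divmod(a3, b3)
        t = (a1 ^ poly_mul(q, b1), a2 ^ poly_mul(q, b2), a3 ^ poly_mul(q, b3))
        (a1, a2, a3), (b1, b2, b3) = (b1, b2, b3), t
    return b2 if b3 == 1 else 0

def rol8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF if n else v

# Row i of M1 (slide 43) has ones in columns i, i+4..i+7 mod 8; m2 = 0x63.
M1, m2 = [rol8(0xF1, i) for i in range(8)], 0x63
# Row i of M3 (slide 49) has ones in columns i+2, i+5, i+7 mod 8; m4 = 0x05.
M3, m4 = [rol8(0xA4, i) for i in range(8)], 0x05

def affine(v, rows, c):
    """y_i = (row_i . v) xor c_i over GF(2), i.e. parity of the masked bits of v."""
    return sum((((bin(row & v).count("1") & 1) ^ ((c >> i) & 1)) << i)
               for i, row in enumerate(rows))

def sbox(x):
    return affine(gf_inverse(x), M1, m2)

def inv_sbox(y):
    return gf_inverse(affine(y, M3, m4))

def mat_mul(A, B):
    """Product of GF(2) matrices given as row bit-masks (bit j = column j)."""
    cols = [sum(((B[k] >> j) & 1) << k for k in range(8)) for j in range(8)]
    return [sum((bin(A[i] & cols[j]).count("1") & 1) << j for j in range(8))
            for i in range(8)]
```

`gf_inverse(0x02)` returns 0x8D and `sbox(0x02)` returns 0x77, matching slides 41 and 44; `mat_mul(M3, M1)` is the identity (row i equal to `1 << i`) and `affine(m2, M3, m4)` is 0, which is slide 50's justification.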
