Explore Triple-DES, Blowfish, and AES, advanced encryption methods in computer security, their implementation, and key properties in this presentation from CS 395: Computer Security.
Chapters 5-6: Contemporary Symmetric Ciphers
Triple DES, Blowfish, AES
CS 395: Computer Security
Again, special thanks to Dr. Lawrie Brown at the Australian Defence Force Academy, whose PowerPoint slides provided the basis for these slides.
Triple DES
• A replacement for DES was needed
  • theoretical attacks can break it
  • demonstrated exhaustive key search attacks
• AES is a new cipher alternative that didn't exist at the time
• prior to this, the alternative was to use multiple encryption with DES implementations
• Triple-DES is the chosen form
Why Not Double DES?
• That is, why not just use C = E_K1[E_K2[P]]?
• Proven that it's NOT the same as C = E_K3[P]
• Susceptible to Meet-in-the-Middle Attack
  • Described by Diffie & Hellman in 1977
  • Based on the observation that if C = E_K2[E_K1[P]], then X = E_K1[P] = D_K2[C]
Meet-in-the-Middle Attack
• Given a known plaintext-ciphertext pair, proceed as follows:
  • Encrypt P for all possible values of K1
  • Store the results in a table and sort by the value of X
  • Decrypt C for all possible values of K2
  • During each decryption, check the table for a match. If one is found, test the two keys against another known plaintext-ciphertext pair
Meet-in-the-Middle Attack
• Analysis:
  • For any given plaintext P, there are 2^64 possible ciphertexts produced by Double DES.
  • But Double DES effectively has a 112-bit key, so there are 2^112 possible keys.
  • On average then, for a given plaintext, the number of different 112-bit keys that will produce a given ciphertext is 2^112 / 2^64 = 2^48
  • Thus the first (P,C) pair will produce about 2^48 false alarms
  • The second (P,C) pair, however, reduces the false alarm rate to 2^(48-64) = 2^-16. So for two (P,C) pairs, the probability that the correct key is determined is 1 – 2^-16.
  • Bottom line: a known plaintext attack will succeed against Double DES with an effort on the order of 2^56, not much more than the 2^55 required to crack single DES
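As an added illustration that is not from the slides, the attack above run end to end against a constructed toy cipher (16-bit block, 12-bit key), so that both key sweeps fit in a loop; the cipher, its key schedule and the keys in the usage are assumptions made for the demo, not DES.

```python
# Added example, not from the slides: meet-in-the-middle against double encryption
# with a constructed toy cipher (16-bit block, 12-bit key) so the key search is small.
KEY_BITS = 12
BLOCK_MASK = 0xFFFF

def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & BLOCK_MASK

def round_keys(key):
    # constructed schedule; the odd multiplier keeps key -> rk0 one-to-one mod 2^16
    return [(key * 0x2F1B + r * 0x9E37) & BLOCK_MASK for r in range(4)]

def toy_encrypt(key, block):
    x = block
    for rk in round_keys(key):
        x = (rotl16(x ^ rk, 5) + 0x6A09) & BLOCK_MASK   # XOR, rotate, add constant
    return x

def toy_decrypt(key, block):
    x = block
    for rk in reversed(round_keys(key)):
        x = rotl16((x - 0x6A09) & BLOCK_MASK, 11) ^ rk  # undo the three steps in reverse
    return x

def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Recover candidate (K1, K2) pairs from known (P, C) pairs under double encryption.
    Returns (surviving key pairs, number of candidates the first pair alone produced)."""
    p0, c0 = pairs[0]
    table = {}                      # step 1: X = E_K1[P] for every K1, indexed by X
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []                 # step 2: X = D_K2[C] for every K2; matches are candidates
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            candidates.append((k1, k2))
    # step 3: the remaining known pairs weed out the false alarms
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:])]
    return survivors, len(candidates)
```

With 12-bit keys the two sweeps cost 2·2^12 cipher operations instead of the 2^24 key pairs a brute-force search would try, and the first pair leaves on the order of 2^24 / 2^16 = 2^8 candidates for the extra pairs to eliminate, mirroring the slide's 2^112 / 2^64 count for Double DES.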
Triple-DES with Two Keys
• Would think Triple DES must use 3 encryptions, but can use 2 keys with an E-D-E sequence
  • C = E_K1[D_K2[E_K1[P]]]
  • N.b. encrypt & decrypt are equivalent in security
  • if K1 = K2 then can work with single DES
• standardized in ANSI X9.17 & ISO 8732
• no current known practical attacks
  • though some indications of potential attack strategies, so some use Triple DES with three keys
• has been adopted by some Internet applications, e.g. PGP, S/MIME
• three times slower than DES
Blowfish
• a symmetric block cipher designed by Bruce Schneier in 1993/94
• characteristics
  • fast implementation on 32-bit CPUs (18 clock cycles per block)
  • compact in use of memory (less than 5K)
  • simple structure eases analysis/implementation
  • variable security by varying key size
• has been implemented in various products
Blowfish Key Schedule
• uses a 32 to 448 bit key (1 to 14 32-bit words)
• key used to generate
  • 18 32-bit subkeys stored in P-array P_j
  • four 8x32 S-boxes
• each element of an S-box is a 32-bit word, so each S-box contains 256 32-bit words; total of all S-boxes is 1024 32-bit words
Generating P-array and S-boxes
• Initialize P-array and S-boxes in order using bits of the fractional part of π
• Perform bitwise XOR of P-array and K-array, reusing words from K-array as needed
• Ex. for maximum key length (14 32-bit words):
Generating P-array and S-boxes
• Encrypt a 64-bit block of zeros using the current P and S arrays; replace P1 and P2 with the output of the encryption
• Encrypt the output of the previous step using the current S and P arrays and replace P3 and P4 with the resulting ciphertext
• Continue this process to update all elements of P in order and then, in order, all elements of S, using at each step the output of the continuously changing Blowfish algorithm
Summary of Process
Note:
• Total of 521 executions of Blowfish required to produce the final S and P arrays.
• Thus Blowfish is not good for applications in which the secret key changes frequently
• P and S arrays can be stored rather than derived from the key each time
  • Requires 4K of memory, so not appropriate for limited-memory apps (i.e. smartcards)
Subscript corresponds to round
Single Blowfish Round
Note the difference between XOR and addition (mod 2^32) (also, they don't commute)
Discussion
• key-dependent S-boxes and subkeys, generated using the cipher itself, make analysis very difficult
• changing both halves in each round increases security
• provided the key is large enough, brute-force key search is not practical, especially given the high key schedule cost
Advanced Encryption Standard (AES)
• clear a replacement for DES was needed
  • have theoretical attacks that can break it
  • have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow with small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001
AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST has released all submissions & unclassified analyses
AES Evaluation Criteria
• initial criteria:
  • security – effort to practically cryptanalyze
  • cost – computational
  • algorithm & implementation characteristics
• final criteria
  • general security
  • software & hardware implementation ease
  • implementation attacks
  • flexibility (in en/decrypt, keying, other factors)
AES Shortlist
• after testing and evaluation, shortlist in Aug-99:
  • MARS (IBM) - complex, fast, high security margin
  • RC6 (USA) - v. simple, v. fast, low security margin
  • Rijndael (Belgium) - clean, fast, good security margin
  • Serpent (Euro) - slow, clean, v. high security margin
  • Twofish (USA) - complex, v. fast, high security margin
• then subject to further analysis & comment
• saw contrast between algorithms with
  • few complex rounds versus many simple rounds
  • which refined existing ciphers versus new proposals
The AES Cipher - Rijndael
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
  • treats data in 4 groups of 4 bytes
  • operates on an entire block in every round
• designed to be:
  • resistant against known attacks
  • speed and code compactness on many CPUs
  • design simplicity
Rijndael
• processes data as 4 groups of 4 bytes (state)
• has 9/11/13 rounds in which state undergoes:
  • byte substitution (1 S-box used on every byte)
  • shift rows (permute bytes between groups/columns)
  • mix columns (subs using matrix multiply of groups)
  • add round key (XOR state with key material)
• initial XOR key material & incomplete last round
• all operations can be combined into XOR and table lookups - hence very fast & efficient
Rijndael
Byte Substitution
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by the byte in row (left 4 bits) & column (right 4 bits)
  • e.g. byte {95} is replaced by the row 9 col 5 byte
  • which is the value {2A}
• S-box is constructed using a defined transformation of the values in GF(2^8)
• designed to be resistant to all known attacks
Shift Rows
• a circular byte shift in each row
  • 1st row is unchanged
  • 2nd row does 1 byte circular shift to left
  • 3rd row does 2 byte circular shift to left
  • 4th row does 3 byte circular shift to left
• decrypt does shifts to right
• since state is processed by columns, this step permutes bytes between the columns
Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1
Add Round Key
• XOR state with 128 bits of the round key
• again processed by column (though effectively a series of byte operations)
• inverse for decryption is identical since XOR is its own inverse, just with the correct round key
• designed to be as simple as possible
AES Round
AES Key Expansion
• takes a 128-bit (16-byte) key and expands it into an array of 44/52/60 32-bit words
• start by copying the key into the first 4 words
• then loop creating words that depend on values in the previous word & 4 places back
  • in 3 of 4 cases just XOR these together
  • every 4th has S-box + rotate + XOR constant of previous before XOR together
• designed to resist known attacks
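As an added example that is not from the slides or any AES reference implementation, the following Python derives the three pieces described on the Byte Substitution, Mix Columns and Key Expansion slides from GF(2^8) arithmetic with m(x) = x^8 + x^4 + x^3 + x + 1: the S-box (multiplicative inverse followed by the FIPS-197 affine map), one MixColumns column, and the 128-bit key expansion with its rotate + S-box + round-constant step every 4th word.

```python
# Added example, not from the slides: AES S-box, MixColumns and key expansion
# built from GF(2^8) arithmetic modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11b).

def gmul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced mod m(x)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF   # xtime: shift, reduce on overflow
        b >>= 1
    return p

def build_sbox():
    """S-box = multiplicative inverse in GF(2^8) (0 -> 0), then FIPS-197's affine map."""
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):             # x^254 == x^-1 in GF(2^8); yields 0 for x == 0
            inv = gmul(inv, x)
        s = inv
        for i in range(1, 5):            # XOR in inv rotated left by 1, 2, 3 and 4 bits
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

def mix_column(col):
    """MixColumns on one column: multiply by the circulant matrix (2 3 1 1) over GF(2^8)."""
    a0, a1, a2, a3 = col
    return [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
            a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
            a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
            gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]

def expand_key_128(key, sbox):
    """Expand a 16-byte key into 44 words; every 4th word is rotated, substituted and
    XORed with a round constant before being XORed with the word 4 places back."""
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                   # RotWord
            t = [sbox[b] for b in t]            # SubWord
            t[0] ^= rcon                        # round constant into the first byte
            rcon = gmul(rcon, 2)                # next Rcon = xtime(previous)
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], t)))
    return w
```

The generated table reproduces the slide's {95} -> {2A} entry, and the expansion of the FIPS-197 Appendix A.1 example key 2b7e151628aed2a6abf7158809cf4f3c yields the published words (w[4] = a0fafe17, ..., w[43] = b6630ca6).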
AES Decryption
• AES decryption is not identical to encryption since the steps are done in reverse
• but can define an equivalent inverse cipher with steps as for encryption
  • but using inverses of each step
  • with a different key schedule
• works since the result is unchanged when we
  • swap byte substitution & shift rows
  • swap mix columns & add (tweaked) round key
Implementation Aspects
• can efficiently implement on an 8-bit CPU
  • byte substitution works on bytes using a table of 256 entries
  • shift rows is simple byte shifting
  • add round key works on byte XORs
  • mix columns requires matrix multiply in GF(2^8) which works on byte values; can be simplified to use a table lookup
Implementation Aspects
• can efficiently implement on a 32-bit CPU
  • redefine steps to use 32-bit words
  • can precompute 4 tables of 256 words
  • then each column in each round can be computed using 4 table lookups + 4 XORs
  • at a cost of 16 KB to store the tables
• designers believe this very efficient implementation was a key factor in its selection as the AES cipher
What To Take From All This… (i.e. Characteristics of Advanced Block Ciphers)
• Variable key length
  • Strength is typically proportional to key length. Variable key length allows a speed/strength tradeoff
• Mixed operators
  • Use of more than one arithmetic or boolean operator complicates cryptanalysis, especially if the operators are not distributive or associative
• Data-dependent rotation
  • Instead of S-boxes, use rotations that depend on the data
  • Rotation dependence on data (rather than on subkeys) makes recovery of subkeys much more difficult
Characteristics of Advanced Block Ciphers
• Key-dependent S-boxes
  • Instead of fixed S-boxes, have the contents depend on the key
  • Yields highly non-linear results and provides better protection from modern cryptanalysis techniques
• Lengthy key-scheduling algorithm
  • Generation of subkeys takes much longer than a single encryption or decryption, so the effort of a brute force attack is greatly magnified
Characteristics of Advanced Block Ciphers
• Variable plaintext/ciphertext block length
  • Longer block means greater cryptographic strength
  • Variable block length allows tailoring to specific apps
• Variable number of rounds
  • More rounds generally means more security (all other things being equal)
  • More rounds also means longer to encrypt/decrypt
• Operations on both halves of data each round
  • Performing a simple operation on the other half of the data in a Feistel cipher increases strength with minimal increase in execution time
Characteristics of Advanced Block Ciphers
• Variable function F
  • Using a different function from round to round can increase the difficulty of cryptanalysis
• Key-dependent rotation
  • A rotation can be used that depends on the key rather than on the data