Symmetric Cryptography AES in depth

Replacing DES
• Between 1972 and 1974 NIST issued the first public request for an encryption standard. As a result DES became the accepted encryption standard. Although this algorithm was very popular, it has always been surrounded by controversy, as many cryptographers objected to the "closed-door" design of the algorithm. There was also a suspicion that NSA planted a "back-door" in the algorithm, as NSA modified it before it was standardized, although no one has been able to prove this to date.
• Furthermore, the key length of DES became too small for acceptable commercial security, so as an interim solution Triple-DES was used for a while because it provided increased security.
• Responding to the desire to replace DES with a stronger and more reliable algorithm, NIST announced another public request for an encryption standard, called the Advanced Encryption Standard (AES), in 1997.
• Twofish is one of the candidates that made it to the final round of the AES program.

NIST General Criteria for AES
• A 128-bit symmetric block cipher.
• Key lengths of 128 bits, 192 bits, and 256 bits.
• No weak keys.
• Efficiency, both on the Intel Pentium Pro and other software and hardware platforms.
• Flexible design: e.g., accept additional key lengths; be implementable on a wide variety of platforms and applications; and be suitable for a stream cipher, hash function, and MAC.
• Simple design, both to facilitate ease of analysis and ease of implementation.

AES
The Advanced Encryption Standard was ultimately chosen as a replacement for DES. AES is also known as the Rijndael block cipher. It was officially designated as a replacement for DES in 2001 after a 5-year process involving 15 competing algorithms. AES is designated as FIPS 197. Other algorithms that did not win that competition include such well-known algorithms as Twofish. AES can have three different key sizes: 128, 192, or 256 bits. The three different implementations of AES are referred to as AES 128, AES 192, and AES 256. All three operate on a block size of 128 bits. This algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. Unlike both DES and 3DES, AES is not based on a Feistel network.

AES Continued
• AES uses a substitution-permutation matrix rather than a Feistel network.
• AES operates on a 4×4 column-major order matrix of bytes, termed the state (versions of AES with a larger block size have additional columns in the state).

AES General Overview
1. Key Expansion: round keys are derived from the cipher key using Rijndael's key schedule.
2. Initial Round
   1. AddRoundKey: each byte of the state is combined with the round key using bitwise XOR.
3. Rounds
   1. SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
   2. ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
   3. MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
   4. AddRoundKey
4. Final Round (no MixColumns)
   1. SubBytes
   2. ShiftRows
   3. AddRoundKey

AES specifics
• In the SubBytes step, each byte in the matrix is substituted for another byte using an 8-bit substitution box, called the Rijndael S-box.
• The ShiftRows step operates by shifting the bytes in each row by a certain amount. The first row is left unchanged. The second row is shifted one to the left. The third row by two, etc.
• In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. This takes four bytes as input and outputs four bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.
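
The diffusion claim above can be observed directly. The following is an added example, not part of the original slides: it applies only ShiftRows and MixColumns to two states that differ in a single byte and reports which byte positions differ afterwards. SubBytes and AddRoundKey are left out because neither changes which positions differ; the function names and the sample state are assumptions made for this illustration.

```python
def xtime(a):
    """Multiply a byte by 2 (the polynomial x) in Rijndael's finite field."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def shift_rows(s):
    # State is 16 bytes in column-major order: index = 4 * column + row.
    # Row r is rotated r positions to the left.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    # Each output byte is 2*a[r] ^ 3*a[r+1] ^ a[r+2] ^ a[r+3] within its column.
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            n1, n2, n3 = a[(r + 1) % 4], a[(r + 2) % 4], a[(r + 3) % 4]
            out.append(xtime(a[r]) ^ xtime(n1) ^ n1 ^ n2 ^ n3)
    return out

def changed_positions(state, flipped, rounds):
    """Positions that differ after `rounds` of ShiftRows + MixColumns."""
    a, b = list(state), list(flipped)
    for _ in range(rounds):
        a = mix_columns(shift_rows(a))
        b = mix_columns(shift_rows(b))
    return [i for i in range(16) if a[i] != b[i]]

# Constructed sample input: an arbitrary state and a copy with one bit flipped.
STATE = list(range(16))
FLIPPED = [STATE[0] ^ 0x01] + STATE[1:]

if __name__ == "__main__":
    for rounds in (1, 2):
        diff = changed_positions(STATE, FLIPPED, rounds)
        print(f"after {rounds} round(s): {len(diff)} of 16 bytes differ")
```

One changed byte spreads to a full column after one round and to the whole state after two, which is why the two steps are described together as the diffusion layer.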

Rijndael key schedule: The Steps
• Rotate: The rotate operation takes a 32-bit word (in hexadecimal) and rotates it eight bits to the left such that the high eight bits "wrap around" and become the low eight bits of the result.
• Rcon: Rcon is what the Rijndael documentation calls the exponentiation of 2 to a user-specified value. Note that this operation is not performed with regular integers, but in Rijndael's finite field. In polynomial form, 2 is 2 = 00000010 = 0 x^7 + 0 x^6 + 0 x^5 + 0 x^4 + 0 x^3 + 0 x^2 + 1 x + 0 = x.
• For example, rcon(1) = 1, rcon(2) = 2, rcon(3) = 4, and rcon(9) is the hexadecimal number 0x1b (27 in decimal).
• Key schedule inner loop
  • The input is a 32-bit word and an iteration number i. The output is a 32-bit word.
  • Copy the input over to the output.
  • Use the above described rotate operation to rotate the output eight bits to the left.
  • Apply Rijndael's S-box on all four individual bytes in the output word.
  • On just the first (leftmost) byte of the output word, exclusive-OR the byte with 2 to the power of (i-1). In other words, perform the rcon operation with i as the input, and exclusive-OR the rcon output with the first byte of the output word.

Rijndael key schedule: Some constants
• Since the key schedules for 128-bit, 192-bit, and 256-bit encryption are very similar, with only some constants changed, the following keysize constants are defined here:
  • n has a value of 16 for 128-bit keys, 24 for 192-bit keys, and 32 for 256-bit keys
  • b has a value of 176 for 128-bit keys, 208 for 192-bit keys, and 240 for 256-bit keys (with 128-bit blocks as in AES, it is correspondingly larger for variants of Rijndael with larger block sizes).

Rijndael key schedule: The actual key schedule
• The first n bytes of the expanded key are simply the encryption key.
• The rcon iteration value i is set to 1.
• Until we have b bytes of expanded key, we do the following to generate n more bytes of expanded key:
  • We do the following to create 4 bytes of expanded key:
    • We create a 4-byte temporary variable, t.
    • We assign the value of the previous four bytes in the expanded key to t.
    • We perform the key schedule core (see above) on t, with i as the rcon iteration value.
    • We increment i by 1.
    • We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
  • We then do the following three times to create the next twelve bytes of expanded key:
    • We assign the value of the previous 4 bytes in the expanded key to t.
    • We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
  • If we are processing a 256-bit key, we do the following to generate the next 4 bytes of expanded key:
    • We assign the value of the previous 4 bytes in the expanded key to t.
    • We run each of the 4 bytes in t through Rijndael's S-box.
    • We exclusive-OR t with the 4-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
  • If we are processing a 128-bit key, we do not perform the following steps. If we are processing a 192-bit key, we run the following steps twice. If we are processing a 256-bit key, we run the following steps three times:
    • We assign the value of the previous 4 bytes in the expanded key to t.
    • We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
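
The whole key schedule (rotate, rcon, the inner loop, the constants n and b, and the expansion steps) fits in one short program. This is an added example, not code from the original slides: the function names are chosen here, and the S-box is computed from its definition (field inverse followed by the affine transform) instead of being typed in as a table.

```python
def gmul(a, b):
    """Multiply two bytes in Rijndael's finite field (modulus 0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    # Multiplicative inverse in the field (0 maps to 0), then the affine step.
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    s = inv
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s ^ 0x63
SBOX = [_sbox_entry(x) for x in range(256)]

def rcon(i):
    """2 to the power (i - 1) in the finite field; rcon(9) == 0x1b."""
    r = 1
    for _ in range(i - 1):
        r = gmul(r, 2)
    return r

def core(t, i):  # key schedule inner loop: rotate, S-box, XOR rcon(i)
    t = [SBOX[x] for x in t[1:] + t[:1]]
    t[0] ^= rcon(i)
    return t

def expand_key(key):
    n = len(key)                            # 16, 24 or 32 bytes
    b = {16: 176, 24: 208, 32: 240}[n]      # KeyError on any other length
    out, i = list(key), 1
    def emit(t):                            # XOR t with the block n bytes back
        out.extend([x ^ y for x, y in zip(t, out[-n:-n + 4])])
    while len(out) < b:
        emit(core(out[-4:], i))
        i += 1
        for _ in range(3):
            emit(out[-4:])
        if n == 32:                         # extra S-box step, 256-bit keys
            emit([SBOX[x] for x in out[-4:]])
        for _ in range({16: 0, 24: 2, 32: 3}[n]):
            emit(out[-4:])
    return bytes(out[:b])

if __name__ == "__main__":  # constructed sample key, not a real secret
    print(expand_key(bytes(range(16)))[-16:].hex())
```

The S-box lookups index a table with key-dependent bytes, so this code is for studying the schedule; deployed systems should use a vetted AES library.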