680 likes | 778 Views
Data Security and Cryptology, VIII Other Symmetric Cryptoalgorithms (beyond AES). October 24th , 2012 Valdo Praust mois @ mois .ee Lecture Course in Estonian IT College Autumn 2012. Main Types of Cryptoalgorithms.
E N D
Data Security and Cryptology, VIII Other Symmetric Cryptoalgorithms (beyond AES) October24th, 2012 Valdo Praust mois@mois.ee Lecture Course in Estonian IT College Autumn2012
Main Types of Cryptoalgorithms Symmetric cryptoalgorithms or secret-key crypotoalgorithmsare traditional (historical) cryptoalgorithms Asymmetric cryptoalgorithms or public-key crypotoalgorithmsare widely spread within last 25-30 years Cryptographic message digests and similar constructions Special-purpose algorithmsfor proofing, authentication etc
Secret-Key Cryptoalgorithm: Fields of Use • transmitting of confidential information using some (interceptable) networks • secure storing of confidential information (with an appropriate key management system) • secure erasing of confidential data
Secret-Key Cryptoalgorithm Secret-key cryptoalgorithm(salajase võtmega krüptoalgoritm) or symmetric cryptoalgorithm(sümmeetriline krüptoalgorithm)is such a cryptoalgorithm where the same secret key is used both for enciphering and deciphering purposes • Is considered to be practically secure if the following two conditons are satisfied: • The key is at least 80 bit long (it’s considered to be infeasible to perform 280 operations in practice), forenhancedsecuritycasesat least128 bitslong • There aren’t known effective cryptoanalytic methods
Role of Key in Enciphering and Deciphering Process Encrypting or encipherment (krüpteerimine, šifreerimine) needs the using of certain key as a pre-defined queue of bits Opposite process is a decrypting or deciphering (dešifreerimine), which needs a same key in order to restore the initial data (plaintext) from the encrypted text (ciphertext) Without knowing the key the both processes are impossible to peform
Secret-Key Cryptoalgorithm – Possibility to Break Secret-key cryptoalgorithm is considered to be practically enough secure when the keylength is at least 80 bits (for enhanced security cases 128 bits) DES is already considered insecure because its keylenght is only 56 bits (until 2005 it was allowed to use DES is triple mode as 3DES) Additionally to sufficient keylenght the effective cryptoanalytic attacks must not be known
Most-Of-Spread Algorithms, I AES(keylength 128, 192 or 256 bits). Is internationalde facto commercial standard since 2001, involves estimatedly 70-80% from all symmetric cryptoalgorithm usages IDEA (keylenght 128 bits). Switzerland, late 1980s CAST5 or CAST-128 (keylenght from 40 to 128 bits). 1996, Carlisle Adams and Stafford Tavares
Most-Of-Spread Algorithms, II Blowfish (variable keylenght up to 448 bits). Bruce Schneier, 1990s RC4. Stream cipher, keylenght between 40 and 256 bits, from 1987 DES(keylenght 56 bits). Has been U.S. commercial standard from 1977 and was widely used in all around the world. NB! Today isn’t consideres secure because of short keylenght!
Block and Stream Ciphers Symmetric cryptoalgorithm can be divided into block ciphers and stream ciphers. Block ciphers are much more spread than stream ciphers • Block cipher (plokkšiffer) is an enciphering method where plaintext is divided into the blocks of certain lenght and these blocks are encrypted separately. How and if the encryption result of one block is related from the prevoius blocks is determined by the block cipher mode, which is curtrently used • Stream cipher (jadašiffer) is a method where there is generated a key sequence(võtmejada) from a given secret key. Encryption process is an ordinary XOR operation between plaintext and key sequence
Electronic Codebook Mode Plaintext blocks are encrypted independently from each other using the same secret key: Disadvatnage:each ciphertext block depends on only one plaintext block – repeats in ciphertext
Cipher Block Chaining Mode Before encrypting of the sequent block, the result of previous block was XORed to the plaintext: Advantage:one block of ciphertext depends on all previous plaintext – no repeats in ciphertext
Using of Different Modes • The most convenient but not sufficiently secure for a long plaintexts is an electronic codebook mode– each bit of a ciphertext depends only on one plaintext block • The most-of-used and sufficently secure mode is a cipher block chaining mode– each bit of a ciphertext depends on all previous plaintext • Feedback modes are less frequently used but they allow to use a block cipher as a stream cipher in order to produce the key sequence. Main usage area of them is secure erasing of a data from any rewritable media (disks, flash memory etc).
Inner Structure of a Block Cipher • Block cipher block usually involves a numerous subsequent similar standard transformations of a plaintext called rounds (raund). Output of a previous round is an input to the next round • How differents rounds use (generally different) keys is determined by a key sequence algorithm(võtmejaotusalgoritm). Key sequence algoroithm may also be missing, in these cases all rounds use straightly the original key • If such a key sequence algorithm exists, it comuptes from initial key the special round keys(raundivõtmed) for different rounds
Parameters of a Typical Block Cipher • Lenght of a key • Lenght of a block (sometimes is equal to keylenght, but sometimes it’s not) • Number of rounds (and sometimes also the number of different round types) • Presence of key sequence algorithm • Number of round keys (if key sequence algorithm exists, sometimes is equal to number of rounds sometimes it’s not) • Lenght of round keys (sometimes is equal to initial key, sometimes it’s not)
Main Basic Operations Inside the Rounds • substitution(substitutsioon) – replacing of original characters (letters) by another characters (letters) • transposition or permutation(transpositsioon, permutatsioon) – changing the order of characters (letters) Most of transformations inside the block cipher rounds are certain (usually complex) combinations of them
AES: Main Facts • Is the main commercial secret-key cryptoalgorithm (70-80% from all use cases) • Has won in the AES Competition, before it was known as a Rijndael • Has three different versions with different strenght (with different key lenghts) • Is a block cipher with a block lenght of 128, 192 or 256 bits cosequently • Uses a key which lenght is equal to the block lenght - consequently 128, 192 or 256 bits • Authors are Joan Daemen and Vincent Rijmen Belgium
AES: Technical Description For a 128-bit key involves 10 rounds, for a 192-bit key involves 12 rounds and for a 256-bit key involves 14 rounds Key sequence algorithm is missing (all rounds use straightly initial key) Each round consists of four subsequent different type of transforms: • byte sub(asendusbaidi faas) • shift row(ridade nihutuse faas) • mix column(tulpade segamise faas) • add round key(raundivõtme lisamise faas)
AES: Cryptanalysis • Exhaustive search needs to performe a 2128 to 2256 operations – it is clearly infeasible • Effective cryptanalytic means are not known up to this time (the algorithm is practically secure) • Authors of AES (Rjindael) have itself shown it for a most of cryptanalytic methods known in these times (in 1999)
AES: Cryptanalysis • In October 2002 there was offered a new type of cryptanalysis, an algebraic cryotanalysis(Courtois, Piperszyk) which probably allows to break 128-bit AESi with 287 operations • It needs the solving of a complex algebraic equation systems which is not yet realized. Therefore, the algrebraic cryptanalysis has remained a pure theoretical constuction • There has been a little succees in a field of related key attack(seotud võtmete rünne) in 2009 where there is used different keys which are mathematically related to each other. It is a pure theoretical construction and doesn’t affect practice • There has also been some success using a side channel attack(lisakanali rünne) which is again a pure theorectical approach and is based on getting some internal information from inside the block
AES: Realizations • There’s possible to realize fast AES both in hardware and software • Hardware realizations are hundreds of times faster (depends on chip-making techniques and used programming language) • Both hardware and software realizations of AES can be used as "background“ activities, for example, the data reading/writing background activities Both hardware and software realizations of AES are widely spread
IDEA: Main Facts • Is a block cipher with a block size 64 bits (8 bytes) • Keylenght is 128 bits (16 bytes) • Was constructed in Switzerland, was published in 1991 • Was patented by MediaCrypt, patent has expired in 2010-11 • In 2005 there was published the successor of IDEA called IDEA NXT (FOX), but it hasn’t gained the popularity of IDEA
IDEA: Technical Description • Is designed,oppositely to DES, to gain also fast software realizations, not only fast hardware realisations • Uses one-way hash functions instead of typical for symmetric algorithms S-boxes • Includes a key sequence algorithm which generates 52 16-bit subkeys (round keys) from 128-bit general key • Consists of 8 rounds • Each round uses 6 subkeys, after thew rounds there were used 4 other subkeys • Considers 64-bit plaintext as four 16-bit parts
IDEA: Inside the Round • Inside the round there are a numerous functions with 16-bit parts (quarters of result, subkeys) are realised: • Ordinary adding (by module 216 or mod 65536) • XOR • multiplying with module 216+1 (65537) These functions together will gain us a sufficiently non-linear function. One reason for this property is, that 65537 is a prime number
IDEA: A General Scheme
IDEA: Key Sequence Algorithm • First 8 subkeys are received by dividing of general key into 8 parts • After it the bit circular shift by 25 bits is realised and next 8 subkeys were received againg by dividing the result into 8 parts • This procedure is repeated 7 times, as we have find 52 subkeys (last 4 keys will remain unused as 7 x 8 = 56) Consequently, subkeys are related together after each of eight key
IDEA: Cryptanalysis • Exhaustive search needs considering of 2128 variants • The effective cryptanalytic algorithms are not known –consequenlty the algorithm is considered to be practically secure • Best known result is a breaking of 5-round algoritm by the plaintext collision attack (DeMirci 2003) Conclusion: IDEA is still a suitable algorithm for a practical use (despite of it long age)
IDEA: Advantages and Disadvantages Advantages: • Is well-realizable in software • Has used in many programs and standards during last 20 years • Is extremely small – C-source of IDEA is only some KBs long and executable file (file part) consists of only some hundreds of bytes Disadvantages: • AES is more effective and more secure (if to take into account the long-term security)
Skipjack: Main Facts • Is a block cipher with a block lenght 64 bits (8 bytes) • Keylenght is 80 bits (10 bytes) • Is constructed in U.S. by NSA (National Security Agency) in early 1990s • Was initally planned to use in Clipper chip (but this project hasn’t realized) • As an exception, the technical description of an algorith,was kept secret until 1998
Skipjack: Technical Description • Is possible to realize both fast hardware and software realizations of Skipjack (don’t consist special bit operations) • Plaintext is considered as for 16-bit quarters (parts) • Consists of 32 rounds • Each round changes only one quarter (16 bits) of message • There are A and B type rounds - after 8 A-rounds there were used 8 B-rounds (and the same combination is repeated) • 80-bitine key is divided to 10 8-bit round keys by a simple sharing
Skipjack: Description of Rounds • A- and B-type rounds differ only by a minor differencies of the place of XORing • Each round includes the same encryption function G or so-called Feistel structure, where 16-bit text is transforming using 4 subkeys and a permutation F • Before implementing of G, the round number and previous quarter was XORed to the result
Skipjack: First 8 Rounds (type A)
Skipjack: Rounds 8-16 (type B)
Skipjack: Appliability • Exhaustive search needs a considening of 280 variants – it’s infeasible for contemporary computers • The effective cryptoanalytic means are not known • There has realized the impossible differential cryptanalysis (võimatute erinevuste krüptoanalüüs) in 1998 for a reduced number of rounds (Biham, Shamir, Birjukov) Conclusion: Skipjack can still considered as a parctically secure algorithm (although not suitable for a long-term security)
Paralleel Names: ARC4, ARCFOUR Is a stream cipher (the most popular stream cipher in all the world) Uses a variable lenght key, from 40 to 128 bits Was constructed by Bruce Schneier in 1987 Has widely spread with the WiFi-related protocols WEP and WPA There are a full familty of RC (RC-2, RC-5, RC-6) RC4: Main Facts
Is (as all stream ciphers) a pseudo-random bitstream generator (step is 256 bits) Includes two phases: A. Forming of bit permutation with a lenght of 256 bits B. Forming of two 8-bit index pointer Permutation S was determined by the initial key of the key sequence algorithm: RC4: Inner Construction
Finds 256 next values by a following PRGA algorithm (pseudo-random generation algoritm): RC4 Step of a Random Generator
For a stream ciphers the crytptoanalytic means’ effectiveness can’t be expressed in the form of 2N as for block ciphers Attack of Flucher, Martin and Shamir (2001): first bits of key sequence (768 or 3072) are not reliable and they shouldn’t be used Klein’s attack: 104-bit RC4 can be broken for a minute (128-bit RC4 is probably not yet broken) RC4: Usage in Practice Because of these facts RC4 was used very seldom and is usually replaced by other more secure algorithms (AES in a stream cipher mode)
Is a block cipher with a block size 64 bits (8 bytes) Uses a variable lenght key, max. keylenght is 448 bits Was constructed by Bruce Schneier in 1993 The successor of Blowfish is Twofish (late 1990s, was one of the candidates of AES), which uses the cinstruction details of Blowfish Blowfish: Facts
Blowfish: Technical Description • Coinsists of 16 rounds, their’ main component is F as a Feistel structure • Uses 18 32-bit subkeys, which are generated from the initial key • Uses four 32-bit S-boxes • Inside the rounds the 64-bit block is divided into two halves (each round changes only one half)
Blowfish: A Key Sequence Algorithm • Massive S (which length is equal to keylenght) is valued by a binary digits of a trancendence number π (3,1415926...) • Key value is XORed by S values • Half values are replaced by the values, derived from a number π and the XORind procedure is repeated • There were found 18 16-bit subkeys as a result of 521 iterations
Retrospective View— DES DES is a typical iterative block cipher, consisting of the following parts: • key schedule calculation (võtmejaotusarvutus), which founds 16 48-bit subkeys(alamvõtmed) from 56-bit initial key • initial permutation (algpermutatsioon) • 16 rounds(raund), each of them using one subkey • final permutation (lõpp-permutatsioon)