ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Transcription

1 ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and present the AES cryptosystem. 1 On the Security of DES 1.1 The Avalanche Effect For any encryption/decryption algorithm, a desirable property is that a small change in either the plaintext or the key should result in a significant change in the produced ciphertext (WHY?). DES indeed exhibits a strong avalanche effect. The avalanche effect can be illustrated by considering the following two experiments: Experiment 1 Pick two plaintexts that differ at only one bit. Encrypt both plaintexts with the same key. XOR the two ciphertexts and count the number of ones. Example: and x 1 = , x 2 = , K = , yields two ciphertexts that differ at 35 bits after the third round in DES, and a final difference of 34 bits after all 16 rounds have been executed. Experiment 2 Pick two keys that differ at only one bit. Encrypt the same plaintext using the two different keys. XOR the two ciphertexts and count the number of ones. Example: and x = , K 1 = , K 2 = , yields two ciphertexts that differ to 26 bits after the third round in DES, and a final difference of 35 bits after all 16 rounds have been executed.

2 2 ECE 596C: Cryptography for Secure Communications with Applications to Network Security 1.2 The strength of 56-Bit keys With a key length of 56 bits, there are 2 56 possible keys, i.e. approximately keys. With today s technology breaking a DES encryption via brute-force attack has been proved feasible. In 1998 the Electronic Frontier Foundation (EFF) developed a DES cracker worth a quarter million dollars, that broke DES in 56 hours. The DES cracker searched 88 billion keys per second. In 1999, DES was cracked within 22 hours and 15 minutes by using the idle cycles of 100,000 networked computers worldwide. The network was capable of searching 245 billion keys per second. In 2007, researchers from Germany developed an FPGA based machine called COPACOBANA, with off-the-self components that can break a DES encryption in 6.4 days (on average). Given the short key length, the DES scheme cannot be considered secure. However, note that the adversary must have an estimate of the plaintext to perform a brute-force attack. Without plaintext knowledge or a plaintext estimate, it is not possible to determine when the right DES key is found. 2 The AES Standard The Advanced Encryption Standard (AES) standard was adopted by NIST in December of It was designed by two Belgian scientists, Rinjmen and Daemen (it is also known as the Rijmen cipher). It has been adopted by the US government as the default encryption cipher, wherever encryption is required (details can be found at pdf) 2.1 Description of the cipher The AES is a block cipher with a block length of 128 bits (as opposed to 64 bits in DES). It can operate with three different key lengths; 128 bits, 192 bits and 256 bits. Like DES, it is also an iterative cipher with a number of rounds that depends on the key length. 10 rounds for a key length of 128 bits, 12 rounds for a key length of 192 bits and 14 rounds for a key length of 256 bits. In AES, all operations are performed on a byte basis. Blocks of 128 bits are split to 16 bytes which are organized into 4x4 arrays, which are also referred to as states. The following operations take place Key Expansion using Rijndael s key schedule Initial Round 1. AddRoundKey Nr 1 Rounds 1. SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table. 2. ShiftRows: a transposition step where each row of the state is left-shifted cyclically a number of steps equal to the row number. 3. MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column. 4. AddRoundKey: each byte of the state is XORed with the round key. Final round 1. SubBytes 2. ShiftRows 3. AddRoundKey

3 Handout # The SubBytes transformation This is a typical S-box lookup table operation. For example, if s 1,1 = {53}, then the substitution value would be determined by the intersection of the row with index 5 and the column with index 3 in Fig. 7. This would result in s 1,1 = {ed}. Fig. 1. The SubBytes transformation. Fig. 2. The SubBytes lookup table. 2.3 The ShiftRows Transformation In the ShiftRows transformation, the bytes in each row of the state are cyclically shifted over a number of bytes equal to the row number.

4 4 ECE 596C: Cryptography for Secure Communications with Applications to Network Security Fig. 3. The ShiftRows tranformation. 2.4 The MixColumns Transformation The MixColumns transformation operates on the state column-by-column, treating each column as a four-term polynomial GF(2 8 ) and multiplied modulo x 4 +1 with a fixed polynomial a(x). Fig. 4. The MixColumns transformation. 2.5 Key Expansion The AES algorithm takes the cipher key K and expands it to generate a key schedule. The total number of keys generated is equal to (Nr +1), each of which is 16 bytes long. The key scheduling is word oriented with each word consisting of 4 bytes. For a 10 round AES, we need a total of 11*4 = 44 words to be generated from an initial key of 4 words. Key Expansion transformations,

5 Handout # 7 5 Algorithm 1 Key Expansion Algorithm 1: INPUT K 2: RCon[1] : RCon[2] : RCon[3] : RCon[4] : RCon[5] : RCon[6] : RCon[7] : RCon[8] : RCon[9] 1B : RCon[10] : for i 0 to 3 do w[i] (key[4i],key[4i+1],key[4i+2],key[4i+3]) 13: end for 14: for i 4 to 43 do 15: temp w[i 1] 16: if i 0 (mod 4) then 17: temp SubWord(RotWord(temp)) RCon[ i 4 ] 18: end if 19: w[i] w[i 4] temp 20: end for 21: return (w[0],...,w[43]) SubWord: transformation that takes a four-byte input word and applies the S-box to each of the four bytes to produce an output word. RotWord: transformation that takes a word [a 0,a 1,a 2,a 3 ] as input, performs a cyclic permutation, and returns the word [a 1,a 2,a 3,a 0 ]. Rcon[i] :, A constant array of ten words 2.6 Example Key, K = c d c 7a w[0] = c 41, w[1] = , w[2] = d 27, w[3] = c 7a for i = 4, temp = w[3] = c 7a. Because i 0 (mod 4) temp SubWord(RotWord(temp))) RCon[1] temp 55 3c 7a = 54 3c 7a 26 w[4] w[0] temp = c c 7a 26 = 32 6c for i = 5, temp = w[4] = 32 6c w[5] w[1] w[4] = c = 55 4e 25 21

6 6 ECE 596C: Cryptography for Secure Communications with Applications to Network Security x x y y IV = y + + d d e e IV = y + + y y x x (a) (b) Fig. 5. The diagram for the CBC mode of operation. (a) Encryption, (b) Decryption 3 Modes of operation DES has four modes of operation that were standardized in These modes can be used with minor modifications with any block cipher. A brief description of the four modes of operation is outlined as follows. 3.1 Electronic Codebook Mode (ECB) Each plaintext block is encrypted with the same key K, producing a stream of ciphers. Identical plaintext blocks yield identical ciphers. What is the vulnerability of an ECB mode of operation? Do you see any advantage in using the ECB mode of operation? 3.2 Cipher Block Chaining Mode (CBC) In CBC operation mode, each plaintext x i is XORed with the last ciphertext before being encrypted with the same key K. The first plaintext is encrypted with an initialization vector IV, of the same length as the plaintext. The encrypting rule under the CBC operation mode becomes y i = e K (y i 1 x i ), y 0 = IV. (1) In CBC operation mode, if any block of the plaintext is changed, the entire ciphertext sequence will be changed. Think of how we can use this property to provide Message Authentication. In figure 5 we show the encryption/decryption schematics of the CBC operation mode. CBC is the most common mode of operation. What are the advantages and disadvantages of CBC mode of operation? 3.3 Output Feedback Mode (OFB) In OFB mode, a keystream is generated which is XORed to the plaintext in order to produce the ciphertext. This is a synchronous stream cipher mode of operation. The keystream is generated using the DES encryption algorithm,

7 Handout # 7 7 The ciphertext is then computed as: z i = e K (z i 1 ), z 0 = IV. (2) y i = x i z i. (3) The OFB mode can be used as a pseudo-random number generator. Given that much faster stream ciphers exist in the literature, the OFB mode is not used in practical applications. 3.4 Cipher Feedback Mode (CFB) The CFB mode of opertion is very similar to the OFB mode, with the difference being in the generation of the keystream. In CFB, the ciphertext is encrypted to produce the keystream elements z i. The ciphertext is then computed as: z i = e K (y i 1 ), y 0 = IV. (4) y i = x i z i. (5) Given that much faster stream ciphers exist in the literature, the OFB mode is not used in practical applications.