CS 392/681 Computer Security. Module 1 Private Key Cryptography

Similar documents
CS Network Security. Module 6 Private Key Cryptography

Lecture 5. Encryption Continued... Why not 2-DES?

Lecture 4. Encryption Continued... Data Encryption Standard (DES)

Lecture 4: Symmetric Key Encryption

Lecture 3: Symmetric Key Encryption

Data Encryption Standard (DES)

Lecture 2: Secret Key Cryptography

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Week 5: Advanced Encryption Standard. Click

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Cryptography III: Symmetric Ciphers

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

Winter 2011 Josh Benaloh Brian LaMacchia

Computer Security CS 526

Cryptography MIS

Chapter 3 Block Ciphers and the Data Encryption Standard

Symmetric Key Cryptography

Symmetric Encryption. Thierry Sans

Computer and Data Security. Lecture 3 Block cipher and DES

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

CSC 474/574 Information Systems Security

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Content of this part

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

EEC-484/584 Computer Networks

Stream Ciphers and Block Ciphers

CPSC 467: Cryptography and Computer Security

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Network Security Essentials Chapter 2

CIT 380: Securing Computer Systems. Symmetric Cryptography

Fundamentals of Cryptography

Cryptography III: Symmetric Ciphers

Symmetric Encryption Algorithms

Block Ciphers. Secure Software Systems

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001

Symmetric Cryptography CS461/ECE422

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Secret Key Cryptography

Goals of Modern Cryptography

Cryptography and Network Security

Cryptography Functions

Cryptographic Algorithms - AES

7. Symmetric encryption. symmetric cryptography 1

Jaap van Ginkel Security of Systems and Networks

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Part XII. From theory to practice in cryptography

Conventional Encryption Principles Conventional Encryption Algorithms Cipher Block Modes of Operation Location of Encryption Devices Key Distribution

Stream Ciphers and Block Ciphers

CENG 520 Lecture Note III

AES Advanced Encryption Standard

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

Network Security Essentials

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Symmetric Cryptography. CS4264 Fall 2016

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

A High-Performance VLSI Architecture for Advanced Encryption Standard (AES) Algorithm

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Modern Symmetric Block cipher

3 Symmetric Cryptography

Cryptography and Network Security. Sixth Edition by William Stallings

AIT 682: Network and Systems Security

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Encryption is the process of encoding a message such. Decryption is the reverse process, ie, transforming an

Symmetric key cryptography

Cryptography and Network Security

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Encryption Details COMP620

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Content of this part

Block Ciphers Introduction

Information Security CS526

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

Block Encryption and DES

Applied Cryptography Data Encryption Standard

Introduction to Symmetric Cryptography

Implementation of the block cipher Rijndael using Altera FPGA

Conventional Encryption: Modern Technologies

Cryptography Symmetric Encryption Class 2

CSC 580 Cryptography and Computer Security

Block Ciphers. Advanced Encryption Standard (AES)

Private-Key Encryption

P2_L6 Symmetric Encryption Page 1

Computational Security, Stream and Block Cipher Functions

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

Efficient Hardware Design and Implementation of AES Cryptosystem

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

Optimized AES Algorithm Using FeedBack Architecture Chintan Raval 1, Maitrey Patel 2, Bhargav Tarpara 3 1, 2,

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Chap. 3. Symmetric Key Crypto (Block Ciphers)

Computer Security 3/23/18

Cryptography BITS F463 S.K. Sahay

Transcription:

CS 392/681 Computer Security Module 1 Private Key Cryptography

Logistics Office hours Thursday 3 to 5 (tentative). Lab 0 due today. Lab 1 assigned. Due next Thursday!! ISIS is still unstable. Will fix things in a week. Out of town this week. Will be back just a few hours before class on next Thursday. Out of town again on Friday and gone for 9 days. Class will be held as usual. My office hours will be taken by Kulesh. Module 1 - Private Key Crypto 2

Data Encryption Encryption is the process of encoding a message such that its meaning is not obvious. Decryption is the reverse process, ie, transforming an encrypted message to its original form. Plaintext Encryption Ciphertext Decryption Plaintext We denote plaintext by P and ciphertext by C. C = E(P), P = D(C) and P = D(E(P)), where E() is the encryption function (algorithm) and D() the decryption function. Module 1 - Private Key Crypto 3

Kerckhoff s Principle How do you prevent and eavesdropper from computing P, given C? Keep the encryption algorithm E() secret. BAD IDEA!! Choose E() (and corresponding D()) from a large collection, based on secret key. GOOD IDEA!! Kerckhoff s principle. Secret Key Plaintext Encryption Ciphertext Decryption Plaintext C = E(K, P) and P = D(K, C) Module 1 - Private Key Crypto 4

Symmetric and Asymmetric Cryptosystems Just by changing key we have different encryptions of one plaintext. If the encryption key and the decryption key are the same then we have a symmetric encryption scheme (also private key, one-key). If the encryption key and the decryption key are different then we have an asymmetric encryption scheme (also public key, two-key). A cryptosystem then a five-tuple consisting of 1) The set of all plaintexts 2) The set of all ciphertexts 3) The set of all keys 4) A family of encryption functions 5) A family of decryption functions. Module 1 - Private Key Crypto 5

Example Caesar Cipher Let messages be all lower case from a through z (no spaces or punctuation). itsnotthathardtoread Represent letters by numbers from 0 to 25. Encryption function C i = E(P i ) = P i + K. where K is secret key and addition done modulo 26. Decryption is P i = D(C i ) = C i - K. UNIX ROT13 uses K as 13. Module 1 - Private Key Crypto 6

Cryptanalysis A cryptosystem had to be secure against the following kinds of attacks: Ciphertext only attack. Known plaintext attack. Chosen plaintext attack. Adaptive chosen plaintext attack. Chosen ciphertext attack. Chosen key attack. Of course there is one attack against which no cryptosystem can offer protection rubber hose attack. Module 1 - Private Key Crypto 7

Brute Force Attacks. Since the key space is finite, given a ciphertext a cryptanalyst can try and check all possible keys. For above to be not feasible, key space should be large!! How large? How about 2 56? Large enough to make it impractical for an adversary. But what is impractical today, may not be so tomorrow. In practice, for a good cryptosystem, the only possible attack should be the brute force attack, which should be impractical into the foreseeable future, as slong as message may have value. Module 1 - Private Key Crypto 8

Substitution Ciphers Basic idea substitute each block of plaintext by a different block. If plaintext is English then Mona-alphabetic substitution. Poly-alphabetic substitution. If plaintext is binary string then map one block of bits to another. Plaintext: 0011010101010001 10100101 Ciphertext: 0100010000011100 00101001 This is called block encryption. Very common. Module 1 - Private Key Crypto 9

Module 1 - Private Key Crypto 10 Encryption by Mono-alphabetic Substitution. T E Z X Q M J G F D A W K B S R V U I N H C E Y L O P Z Y X W V U T S R Q P O N M L K J I H G F D C B A R E T S A M N O M E K O P A T F D P R S B R T U B K Key space is large 26! (How do you remember a key? See example). However, mono-alphabetic substitution is easy to break as it preserves source first order statistics. Large key space is necessary but not sufficient condition for security!

Encryption by Poly-alphabetic Substitution. P E U K G O C V W M L H R A Q Y N S D X T I/ BJ F Z Playfair cipher. Used by British Army in WW1 and WW2. Can be broken easily today with only a ciphertext of length about 100. Encrypt plaintext a pair at a time. Two letters specify a rectangle. Substitute by opposite corner pair. Eg: VX -> SM. If they fall in same row or column, then using next pair in circular manner. Eg: LY -> TP. Repeated letters are broken by filler letter. I/J chosen randomly. Module 1 - Private Key Crypto 11

Poly-alphabetic Cipher Vigenere. Use K mono-alphabetic ciphers E 1, E 2, E k. In position i, of plaintext, use cipher E i. Example using Caesar ciphers Plaintext: helloiloveyouwontyoutellmeyourname Key: polytechnicpolytechnicpolytechnicpoly Ciphertext: wswjhmnv coxc A little harder to break but trivial once you know key length! Some well known techniques for determining key length See text. Module 1 - Private Key Crypto 12

Vernam The Perfect Substitution Cipher. If we use Vigenere with key length as long as plaintext, then cryptanalysis will be difficult! If we change key every time we encrypt then cryptanalyst s job becomes even more difficult. Onetime pad or Vernam Cipher. How do we get such long keys? A large book shared by transmitter and receiver. Initial key followed by previous messages themselves!! Random number sequence based on common shared and secret seed. Such a cipher is difficult to break but not very practical. Module 1 - Private Key Crypto 13

Binary Vernam Unconditional Security. If plaintext is binary string and key is binary string of equal length then encryption can be done by a simple xor operation. Plaintext: 01010000010001010011 Key: 11010101001001100111 Ciphertext: 10000101011000110100 If plaintexts uniformly distributed and keys are random then such a system offers unconditional security perfect secrecy! (Under the right mathematical formulation and assumptions). Intuitively perfect secrecy can be seen from the fact that given any plaintext and ciphertext, there is a key which maps the selected plaintext to the selected ciphertext. So given a ciphertext, we get no information whatsoever on what key or plaintext could have been used. How do we obtain random bit-strings for shared secret keys? Again system is not practical. Module 1 - Private Key Crypto 14

Perfect Secrecy M 1 M 2 M 3 C 1 C 2 C 3 Four possible Keys K 1,K 2, K 3, And K 4 M 4 C 4 M 5 C 5 Given a ciphertext, cryptanalyst cannot reduce uncertainty. Property can be formulated in more mathematically rigorous manner. Module 1 - Private Key Crypto 15

Imperfect Secrecy M 1 C 1 M 2 C 2 M 3 C 3 C 4 C 5 Given C 1 we know Message is M 3!! Given C 5, only one bit of uncertainty. Module 1 - Private Key Crypto 16

Encryption by Transposition P O K E M O N M A S T E R 1 2 3 4 5 6 7 8 9 10 11 12 13 7 1 8 2 6 10 3 9 11 12 4 5 13 O E N T E M P K M O A S R Harder to break than substitution ciphers Preserve first order statistics One can arrange plaintext in table and sort rows and columns. Module 1 - Private Key Crypto 17

Product Ciphers To get improved security one can encrypt the ciphertext again. If one uses same algorithm super encryption. May or may not be useful. For example, super-encryption with Caesar cipher is as good as single encryption! If one uses different algorithms product cipher. Product ciphers based on sequence of substitutions and transpositions are very popular. You will see one later DES. Module 1 - Private Key Crypto 18

Shannon Characteristics of Good Ciphers The amount of secrecy needed should determine the amount of labor appropriate for encryption and decryption. The set of keys and enciphering algorithms should be free from complexity. The implementation of the process should be as simple as possible. Errors in ciphering should not propagate and cause corruption of future information in the message. The size of enciphered text should be no longer than the text of the original message. Module 1 - Private Key Crypto 19

Confusion and Diffusion Confusion: The cryptanalyst should not be able to predict what changing one character in the plaintext will do to the ciphertext. Diffusion: Changes in the key should affect many parts in the ciphertext. Module 1 - Private Key Crypto 20

DES Data Encryption Standard Private key. Encrypts by series of substitution and transpositions. Worldwide standard for more than 20 years. Has a history of controversy. Designed by IBM (Lucifer) with later help (interference?) from NSA. No longer considered secure for highly sensitive applications. Replacement standard (AES) recently completed. Module 1 - Private Key Crypto 21

DES - Overview Module 1 - Private Key Crypto 22

DES Each iteration. Module 1 - Private Key Crypto 23

DES Computation of F(R i-1,k i ) Module 1 - Private Key Crypto 24

Computation of F: Expansion function E: maps bit string of length 32 to bit string of length 48. Permutes bits in a fixed way and duplicates certain bits Key schedule: each round uses a 48 bit key obtained by performing permutations, shifts, and discarding bits from the original 56 bit key. Fixed algorithm for each round resulting 48 bit string broken into 8 6-bit strings Module 1 - Private Key Crypto 25

S-boxes: S1 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 Sj Is the table entry from S( b1b 2b3b4b5b6) row : b 1 b 2 column : b 3 b 4 b 5 b 6 S( 011001) = table[1,9] = 6d = 0110 Module 1 - Private Key Crypto 26

x L0 R0 R 0 L0 F( R0, K 1) Plain text Initial permutation (IP) Round-1 (key K 1 ) Rounds 2-15 L15 R15 L15 F( R15, K16) L15 F( R15, K16) R15 y R15 Round-16 (key K 16 ) swap IP inverse Cipher text

L15 F( R15, K16) R15 y L15 F( R15, K16) R15 R15 = L IP inverse Cipher text IP Round-1 (K 16 ) 15 K F( R15, K16) F( R15, 16) encrypt decrypt R15 L15 Since b b = 0 b 0 = b

Encryption Modes - ECB. Although DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode. If same key is used then identical plaintext blocks map to identical ciphertext. Module 1 - Private Key Crypto 29

Block Ciphers and Stream Ciphers Block ciphers partition plaintext into blocks and encrypt each block independently (with the same key) to produce ciphertext blocks. Caesar, Vigenere, DES etc. A stream cipher generates a keystream and encrypts by combining the keystream with the plaintext, usually with the bitwise XOR operation. Generation of the keystream can be independent of the plaintext and ciphertext (a synchronous stream cipher) or it can depend on the data and its encryption (self-synchronizing stream cipher ). Module 1 - Private Key Crypto 30

Stream Ciphers A Simple Form In their simplest form, a stream ciphers convert plaintext to ciphertext 1 bit at a time. A keystream generator outputs a stream of bits: k 1, k 2,, k n. Module 1 - Private Key Crypto 31

Stream Ciphers - Security Issues The security of this approach depends totally on the keystream generator. If it outputs an endless stream of zeros, the ciphertext will equal the plaintext and the operation will be meaningless. If it outputs an endless stream of random bits you have a one-time pad and perfect security. The reality lies between the simple XOR and the onetime pad. So how do we generate random bitstreams? One way is Linear Feedback Shift Register (LFSR) Another way is using a block cipher technique in a feedback mode. Module 1 - Private Key Crypto 32

Generating Random Key Streams Linear feedback shift registers (LFSR) b i are bits and f is a function depending of b 1, b 2,..., b n. The result f(b 1, b 2,..., b n ) enters the nth position of the register and all other bits b n,..., b r are shifted right one position, b 1 being the output bit. Module 1 - Private Key Crypto 33

Example LFSR Let n = 4 and f(b1, b2, b3, b4) = b1 b4. Let 0110 be the starting position (the seed). Then this LFSR will generate the sequence 011001000111101... Stream ciphers based on LFSR s are well studied Module 1 - Private Key Crypto 34

Cipher Block Chain (CBC) Mode. Module 1 - Private Key Crypto 35

CBC Pros and Cons. If IV is different then different instances of same message (or block) will get encrypted differently. How does receiver know IV? Choose at random and send encrypted as first block. What happens if k th cipher block C K gets corrupted in transmission. With ECB Only decrypted P K is affected. With CBC? Only blocks P K and P K+1 are affected!! This can also allow some message tampering! What if one plaintext block P K is changed? With ECB only C K affected. With CBC all subsequent ciphertext blocks will be affected. This leads to an effective MAC based on DES CBC. Module 1 - Private Key Crypto 36

Cipher Feedback Mode (CFB). Module 1 - Private Key Crypto 37

CFB Properties J is normally 8. Change in one plaintext bit is going to affect all subsequent ciphertext bits. So can be used for MAC. Change in ciphertext bit results in??? Module 1 - Private Key Crypto 38

Output Feedback Mode (OFB). Module 1 - Private Key Crypto 39

OFB Properties. Bit errors in transmission do not propagate. One can selectively flip ciphertext bits to flip corresponding decrypted plaintext bits. Bad!! Module 1 - Private Key Crypto 40

DES Security S-Box design not well understood (secret). Has survived some recent sophisticated attacks (differential cryptanalysis). Key is too short (thanks to NSA!). Hence is vulnerable to brute force attack. 1998 distributed attack took 3 months. $1,000,000 machine will crack DES in 35 minutes 1997 estimate. 10,000 2.5 days. In 1999 EFF achieved 245 billion keys per second rate to crack in 22 hours. Module 1 - Private Key Crypto 41

DES Cracking machine Module 1 - Private Key Crypto 42

Super-encryption. If key length is a concern, then instead of encrypting once, encrypt twice!! C = E K2 (E K1 (P)) P = D K2 (D K1 (C)) Does this result in a larger key space? That is a new mapping that could not have been obtained by a single key? With Caesar cipher NO! With DES yes! Encrypting with multiple keys is known as superencryption. May not always be a good idea. Module 1 - Private Key Crypto 43

Double DES Double DES is almost as easy to break as single DES (Needs more memory though)! Module 1 - Private Key Crypto 44

Double DES Meet-in-the-middle Attack. Based on the observation that, if Then C = E K2 (E K1 (P)) X = E K1 (P) = D K2 (C). Given a known (P, C) pair, encrypt P with all possible values of K and store result in table T. Next, decrypt C with all possible keys K and check result. If match occurs then check key pair with new known (P, C) pair. If match occurs, you have found the keys. Else continue as before. Process will terminate successfully. Module 1 - Private Key Crypto 45

Meet-in-the-middle Explanation. The first match does not say anything as we have 2 64 ciphertexts and 2 112 keys. On the average 2 112 / 2 64 = 2 48 keys will produce same ciphertext. So there could be 2 48 false alarms. However, with second known (P, C) pair, probability that E K1 (P) = D K2 (C) is 2-64. So, probability that false alarm will survive two known (P, C) pairs is 2 48 / 2 64 = 2-16. One can always check a third pair to further reduce the chance of a false alarm. Module 1 - Private Key Crypto 46

Triple DES Triple DES (2 keys) requires 2 112 search. Is reasonably secure. 3 keys requires 2 168. Module 1 - Private Key Crypto 47

AES History National Institute of Science and Technology DES is an aging standard that no longer addresses today s needs for strong encryption Triple-DES: Endorsed by NIST as today s defacto standard AES: The Advanced Encryption Standard Finalized in 2001 Goal To define Federal Information Processing Standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents AES candidate algorithms were required to be: Symmetric-key, supporting 128, 192, and 256 bit keys Royalty-Free Unclassified (i.e. public domain) Available for worldwide export Module 1 - Private Key Crypto 48

History (cont.) AES Round-3 Finalist Algorithms: MARS Candidate offering from IBM RC6 Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithm Twofish From Counterpane Internet Security, Inc. Serpent Designed by Ross Anderson, Eli Biham and Lars Knudsen Rijndael Designed by Joan Daemen and Vincent Rijmen Module 1 - Private Key Crypto 49

Rijndael The Winner: Rijndael Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven). (pronounced Rhine-doll ) Allows only 128, 192, and 256-bit key sizes (unlike the other candidates) Variable block length of 128, 192, or 256 bits. All nine combinations of key/block length possible. A block is the smallest data size the algorithm will encrypt Vast speed improvement over DES in both hardware and software implementations 8416 bytes/sec on a 20MHz 8051 (@ 12 CPI) 8.8 Mbytes/sec on a 200MHz Pentium Pro Module 1 - Private Key Crypto 50

Rijndael Structure Rijndael consists of an initial Round Key addition; Nr-1 Rounds; a final round. In pseudo C code, this gives: Rijndael(State,CipherKey) { KeyExpansion(CipherKey,ExpandedKey) ; AddRoundKey(State,ExpandedKey); For( i=1 ; i<nr ; i++ ) Round(State,ExpandedKey + Nb*i) ; FinalRound(State,ExpandedKey + Nb*Nr); } Module 1 - Private Key Crypto 51

Rijndael Key W KE Key Expansion Round Keys K 1 K 2 K 3 K n-2 K n-1 K n X R 1 R 2 R 3 R n-2 R n-1 R n Y Encryption Rounds r 1 r n Key is expanded to a set of n round keys Input block X undergoes n rounds of operations (each operation is i based on value of the nth round key), until it reaches a final round. r Strength relies on the fact that it s difficult to obtain the intermediate result (or state) ) of round n from round n+1 without the round key. Module 1 - Private Key Crypto 52

Number of Rounds Number of rounds (Nr) as a function of the block (Nb) and key length (Nk) in 32 bit words. Nr Nb = 4 Nb = 6 Nb = 8 Nk = 4 10 12 14 Nk = 6 12 12 14 Nk = 8 14 14 14 Module 1 - Private Key Crypto 53

Rijndael K i Detailed view of round i Result from round i-1 ByteSub ShiftRow MixColumn AddRoundKey Pass to round i+1 Each round performs the following operations: Non-linear Layer: No linear relationship between the input and output of a round Linear Mixing Layer: Guarantees high diffusion over multiple rounds Very small correlation between bytes of the round input and the bytes of the output Key Addition Layer: Bytes of the input are simply XOR ed with the expanded round key Module 1 - Private Key Crypto 54

Rijndael Three layers provide strength against known types of cryptographic attacks: Rijndael provides full diffusion after only two rounds Linear and differential cryptanalysis Known-key and related-key attacks Square attack Interpolation attacks Weak-keys Rijndael has been shown to be K-secure: No key-recovery attacks faster than exhaustive search exist No known symmetry properties in the round mapping No weak keys No related-key attacks: No two keys have a high number of expanded round keys in common Module 1 - Private Key Crypto 55

Rijndael: ByteSub Each byte at the input of a round undergoes a nonlinear byte substitution according to the following: 1. First, taking the multiplicative inverse in GF(28). 00 is mapped onto itself. 2. Then, applying an affine (over GF(2)) transformation. Substitution ( S )-box Affine Transform Module 1 - Private Key Crypto 56

Rijndael: ShiftRow Depending on the block length, each row of the block is cyclically shifted according to the above table Module 1 - Private Key Crypto 57

Rijndael: MixColumn Each column is multiplied by a fixed polynomial C(x) = 03 *X 3 + 01 *X 2 + 01 *X + 02 This corresponds to matrix multiplication b(x) = c(x) a(x): Module 1 - Private Key Crypto 58

Rijndael: Key Expansion and Addition Each word is simply XOR ed with the expanded round key Key Expansion algorithm: KeyExpansion(int* Key[4*Nk], int* EKey[Nb*(Nr+1)]) { for(i = 0; i < Nk; i++) EKey[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]); for(i = Nk; i < Nb * (Nr + 1); i++) { temp = EKey[i - 1]; if (i % Nk == 0) temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk]; EKey[i] = EKey[i - Nk] ^ temp; } } Module 1 - Private Key Crypto 59

Rijndael: Implementations Rijndael is well suited for software implementations on 8- bit processors (important for Smart Cards ) Operations focus on bytes and nibbles, not 32 or 64 bit integers Layers such as ByteSub can be efficiently implemented using small tables in ROM (e.g. < 256 bytes). No special instructions are required to speed up operation For 32-bit implementations: An entire round can be implemented via a fast table lookup routine on machines with 32-bit or higher word lengths Considerable parallelism exists in the algorithm Each layer operates in a parallel manner on bytes of the round state, all four component transforms act on individual parts of the block Although the Key expansion is complicated and cannot be parallelised, it only needs to be performed once until the two parties switch keys. Module 1 - Private Key Crypto 60

Rijndael: Implementations Hardware Implementations Performs very well in software, but in some cases more performance is required (e.g. server and VPN applications). Multiple S-Box engines, round-key EXORs, and byte shifts can all be implemented efficiently in hardware when absolute speed is required Small amount of hardware can vastly speed up 8-bit implementations Inverse Cipher Except for the non-linear ByteSub step, each part of Rijndael has a straightforward inverse and the operations simply need to be undone in the reverse order. Same code that encrypts a block can also decrypt the same block simply by changing certain tables and polynomials for each layer. The rest of the operation remains identical. Module 1 - Private Key Crypto 61

Rijndael Future Rijndael is an extremely fast, state-of-the-art, highly secure algorithm Has efficient implementations in both hardware and software; it requires no special instructions to obtain good performance on any computing platform Despite being the chosen by NIST as the AES candidate winner, Rijndael is not yet automatically the new encryption standard Triple-DES, still highly secure and supported by NIST, is expected to be common for the foreseeable future. Module 1 - Private Key Crypto 62

Other Private Key Cryptosystems IDEA Twofish Blowfish RC4, RC5, RC6 Serpent MARS Feal Module 1 - Private Key Crypto 63

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback