Harald Baier Cryptography h_da, Summer Term 2010 35
Advanced Encryption Standard (AES)
● NIST announcement in 1997 with requirements:
Symmetric block cipher
Block length: 128 bits (P = C = {0,1}^128)
Key lengths: 128, 192, 256 bits (K = {0,1}^128, ...)
At least as secure as Triple-DES, but more efficient
To be used until about 2030
Data protection until 2100
Free of licences
● The winner: Rijndael (FIPS PUB 197, November 2001)
AES cipher: Pseudocode
Cipher(byte in[16], byte out[16], key_array round_key[Nr+1])
begin
    byte state[16];
    state = in;
    AddRoundKey(state, round_key[0]);
    for i = 1 to Nr-1 stepsize 1 do
        SubBytes(state);
        ShiftRows(state);
        MixColumns(state);
        AddRoundKey(state, round_key[i]);
    end for
    SubBytes(state);
    ShiftRows(state);
    AddRoundKey(state, round_key[Nr]);
    out = state;    // the final round omits MixColumns; the result is copied to out
end
AES function SubBytes()
● S-Box of Rijndael:
Permutation of the 256 byte values (i.e. a bijection on a set of 256 elements)
Guarantees non-linearity of Rijndael
● Applied to every byte s_{i,j} of the current state
Source: FIPS PUB 197
How to apply the AES S-box
● Write the byte s_{i,j} as a bit string: b7 b6 b5 b4 b3 b2 b1 b0
● Index of the row: x = 8·b7 + 4·b6 + 2·b5 + b4
● Index of the column: y = 8·b3 + 4·b2 + 2·b1 + b0
● Write x and y in hexadecimal
● Substitute s_{i,j} by the S-box element in the x-th row and y-th column
The AES S-box
Source: FIPS PUB 197
Application of the AES S-box: Example
● Input: 10011110
● Application of the S-box:
Index of the row: x = ________
Index of the column: y = ________
● Output: Bitstring ___________
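The following is an added example, not code from the lecture slides or from FIPS PUB 197. It builds the Rijndael S-box from its definition in FIPS PUB 197 (multiplicative inverse in GF(2^8) followed by an affine map) instead of typing in the printed table, then applies the row/column lookup rule from the "How to apply the AES S-box" slide to a bit string such as the example input above, and runs the SubBytes() step of the pseudocode over a whole 16-byte state. It goes slightly beyond the slides by also exhibiting three bytes on which the S-box fails the affine relation S(a^b^c) = S(a)^S(b)^S(c), which is the non-linearity the SubBytes slide refers to. All function names are my own.

```python
# Added example (not from the slides): AES S-box generated from its FIPS 197
# definition and applied with the row/column rule from the lecture.

def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) modulo x^8+x^4+x^3+x+1 (0x11B)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B                 # reduce by the AES polynomial
        b >>= 1
    return product


def gf_inv(a):
    """Multiplicative inverse in GF(2^8); FIPS 197 maps 0 to 0."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254    # a^254 == a^-1 because a^255 == 1
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def sbox_value(b):
    """S(b) = affine(inverse(b)); the inversion is the non-linear part."""
    inv = gf_inv(b)
    return inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63


# 16x16 table laid out as in FIPS PUB 197: SBOX[row x][column y]
SBOX = [[sbox_value(16 * x + y) for y in range(16)] for x in range(16)]


def sbox_indices(bits):
    """Row x from b7..b4 and column y from b3..b0, exactly as on the slide."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected an 8-character bit string")
    b7, b6, b5, b4, b3, b2, b1, b0 = (int(c) for c in bits)
    x = 8 * b7 + 4 * b6 + 2 * b5 + b4
    y = 8 * b3 + 4 * b2 + 2 * b1 + b0
    return x, y


def sub_byte(bits):
    """Apply the S-box to one state byte given as a bit string; returns a bit string."""
    x, y = sbox_indices(bits)
    return format(SBOX[x][y], "08b")


def sub_bytes(state):
    """SubBytes() from the cipher pseudocode: S-box applied to every state byte."""
    return bytes(SBOX[b >> 4][b & 0x0F] for b in state)


def nonlinearity_witness():
    """Return (a, b, c) with S(a^b^c) != S(a)^S(b)^S(c): an affine map could never do this."""
    s = lambda v: SBOX[v >> 4][v & 0x0F]
    for a in range(256):
        for b in range(256):
            for c in range(256):
                if s(a ^ b ^ c) != s(a) ^ s(b) ^ s(c):
                    return a, b, c
    raise AssertionError("S-box would be affine")   # never reached for AES


if __name__ == "__main__":
    x, y = sbox_indices("10011110")
    print("row x = %x, column y = %x -> %s" % (x, y, sub_byte("10011110")))
    print("witness against linearity:", nonlinearity_witness())
```

Running the block prints the row and column for the slide's example input and the substituted bit string, so the blanks on the slide can be checked against it. Generating the table from the definition rather than copying it is also a useful habit when implementing: a single mistyped entry in a hand-copied S-box silently breaks interoperability while leaving the cipher "working".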
Asymmetric Encryption
[Figure: Alice encrypts the plaintext document with the encryption key e (public key) and sends the ciphertext to Bob, who decrypts it with the decryption key d (private key). Encryption key ≠ decryption key, hence "asymmetric".]
The invention of RSA
● April 1977: Factorisation problem (first ARS, then RSA)
● 1978: "A method for obtaining digital signatures and public key cryptosystems"
● Ron Rivest (ideas), Adi Shamir (ideas), Leonard Adleman (review)
RSA: Encryption and related problems
● Encryption: c ≡ m^e mod n (m is the plaintext)
● Decryption: m ≡ c^d mod n (c is the ciphertext)
● RSA problem:
Given a ciphertext c and a public key (n, e), compute m such that c ≡ m^e mod n
Mathematical formulation: Compute an e-th root mod n
● Factorisation problem (in the context of RSA):
Given a natural number n composed of two primes p and q, compute p and q.
Security of RSA
● Attacker is able to decrypt (or sign) if he knows d
Computation of d is today done via (p-1)·(q-1)
He proceeds as follows:
1. Attacker factors n, i.e. he computes p and q
2. He determines d ≡ e^(-1) mod ((p-1)·(q-1)) using the extended Euclidean algorithm
● Consequence:
Attacker can solve the factorisation problem ==> Attacker can solve the RSA problem
RSA problem is at most as difficult as the factorisation problem
Suggested bit length of n: 2048 – 4096
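The following is an added example, not code from the slides. It implements textbook RSA key generation, encryption and decryption from the formulas on the previous slide with deliberately tiny primes, and then carries out the two-step consequence stated above: factor n, then obtain d from (p-1)·(q-1) with the extended Euclidean algorithm. The toy parameters (p = 61, q = 53, e = 17) and all function names are my own choices; the point of the example is that the same two steps are what a 2048–4096-bit n has to put out of reach.

```python
# Added example (not from the slides): textbook RSA and the factorisation
# consequence from the "Security of RSA" slide, on toy-sized numbers.
from math import gcd, isqrt


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def modinv(a, m):
    """a^(-1) mod m, or ValueError if gcd(a, m) != 1."""
    g, s, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, m, g))
    return s % m


def keygen(p, q, e=65537):
    """Public key (n, e) and private key (n, d) with d = e^(-1) mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, modinv(e, phi))


def encrypt(pub, m):
    """c = m^e mod n (m must be smaller than n)."""
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Step 1 of the slide for a toy n: find p, q with n = p*q.
    Trial division is hopeless for n of 2048 bits and more; that gap is RSA's security."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found (n prime or 1)")


def recover_private_exponent(pub):
    """Step 2 of the slide: knowing p and q, d follows directly from the public key."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return modinv(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = keygen(61, 53, e=17)          # toy primes, constructed for illustration
    c = encrypt(pub, 65)
    print("n =", pub[0], "c =", c, "decrypts to", decrypt(priv, c))
    print("d from the public key alone (after factoring n):", recover_private_exponent(pub))
```

With n = 3233 the whole attack is a few dozen divisions, which is exactly why the slide recommends moduli of 2048 to 4096 bits: the RSA problem is no harder than factoring, so the modulus size is the only thing standing between the public key and d.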
Which RSA numbers are factored?
Example: RSA-768
1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
= 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 * 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
Factorisation started in August 2007 and ended on December 12, 2009
Partners: EPFL, NTT, Uni Bonn, INRIA, Microsoft Research, CWI
RSA challenge
Challenge Number   Award     Status         Submission due to   Presenting party      Method
RSA-530            5,000     Factored       March 2003          Uni Bonn, BSI         GNFS
RSA-576            10,000    Factored       December 2003       Uni Bonn, BSI         GNFS
RSA-640            20,000    Factored       November 2005       Uni Bonn, BSI         GNFS
RSA-663            20,000    Factored       May 2005            Uni Bonn, CWI, BSI    GNFS
RSA-704            30,000    Not factored
RSA-768            50,000    Factored       No submission       EPFL (and others)     GNFS
RSA-1024           100,000   Not factored
Source (parts): www.rsa.com (Challenge is closed since 2007.)
Message Authentication Code
[Figure: Alice computes the signature (tag) over the document with signature key d, Bob verifies it with verification key e and obtains "valid" or "invalid". Both keys are the same shared secret (d = e), which makes this a Message Authentication Code (MAC).]
Asymmetric electronic signature (without hash function)
[Figure: Alice signs the document with signature key d (private key), Bob verifies the signature with verification key e (public key) and obtains "valid" or "invalid". Private key ≠ public key, hence an (asymmetric) electronic signature.]
Security Goals vs. Cryptographic Techniques: Overview
● Message Authentication Code (MAC):
Authenticity, integrity
● Electronic Signature (= asymmetric signature):
Authenticity, integrity, non-repudiation
● Encryption:
Confidentiality
Kerckhoffs' Assumption
● Publish all details of a cryptographic algorithm:
Encryption scheme: Publish encryption and decryption function. Confidentiality of the plaintext only depends on the secrecy of the private key
Signature algorithm: Publish signature generation and verification function. Non-forgery of a signature only depends on the secrecy of the private key (i.e. the signature generation key)
● Enables brute-force attack
● Public review process vs. non-disclosed algorithms (security by obscurity)