data security and cryptology, viii other symmetric cryptoalgorithms (beyond aes) october 22nd, 2014...
TRANSCRIPT
Data Security and Cryptology, VIII
Other Symmetric Cryptoalgorithms (beyond AES)
Data Security and Cryptology, VIII
Other Symmetric Cryptoalgorithms (beyond AES)
October 22nd, 2014
Valdo Praust
Lecture Course in Estonian IT CollegeAutumn 2014
October 22nd, 2014
Valdo Praust
Lecture Course in Estonian IT CollegeAutumn 2014
Main Types of Cryptoalgorithms
Main Types of Cryptoalgorithms
1. Symmetric cryptoalgorithms or secret-key crypotoalgorithms are traditional (historical) cryptoalgorithms
2. Asymmetric cryptoalgorithms or public-key crypotoalgorithms are widely spread within last 30 years
3. Cryptographic message digests and similar constructions
4. Special-purpose algorithms for proofing, authentication etc
Secret-Key Cryptoalgorithm: Fields of Use
• transmitting of confidential information using some (interceptable) networks
• secure storing of confidential information (with an appropriate key management system)
• secure erasing of confidential data• generating a secure white noise
(keys of cryptoalgorithms’ etc.)
Secret-Key Cryptoalgorithm
Is considered to be practically secure if the following two conditons are satisfied: • The key is at least 80 bit long (it’s considered to
be infeasible to perform 280 operations in practice), for enhanced security cases at least 128 bits long
• There aren’t known effective cryptoanalytic methods
Secret-key cryptoalgorithm (salajase võtmega krüptoalgoritm) or symmetric cryptoalgorithm (sümmeetriline krüptoalgorithm) is such a cryptoalgorithm where the same secret key is used both for enciphering and deciphering purposes
Secret-key cryptoalgorithm (salajase võtmega krüptoalgoritm) or symmetric cryptoalgorithm (sümmeetriline krüptoalgorithm) is such a cryptoalgorithm where the same secret key is used both for enciphering and deciphering purposes
Encrypting or encipherment (krüpteerimine, šifreerimine) needs the using of certain key as a pre-defined queue of bits
Opposite process is a decrypting or deciphering (dešifreerimine), which needs a same key in order to restore the initial data (plaintext) from the encrypted text (ciphertext)
Without knowing the key the both processes are impossible to peform
Without knowing the key the both processes are impossible to peform
Role of Key in Enciphering and Deciphering Process
Role of Key in Enciphering and Deciphering Process
Secret-Key Cryptoalgorithm
Secret-Key Cryptoalgorithm – Possibility to Break
Secret-key cryptoalgorithm is considered to be practically enough secure when the keylength is at least 80 bits (for enhanced security cases 128 bits)
Secret-key cryptoalgorithm is considered to be practically enough secure when the keylength is at least 80 bits (for enhanced security cases 128 bits)
DES is already considered insecure because its keylenght is only 56 bits (until 2005 it was allowed to use DES is triple mode as 3DES)
Additionally to sufficient keylenght the effective cryptoanalytic attacks must not be known
Most-Of-Spread Algorithms, I
1. AES (keylength 128, 192 or 256 bits). Is international de facto commercial standard since 2001, involves estimatedly 70-80% from all symmetric cryptoalgorithm usages
2. IDEA (keylenght 128 bits). Switzerland, late 1980s
3. CAST5 or CAST-128 (keylenght from 40 to 128 bits). 1996, Carlisle Adams and Stafford Tavares
Most-Of-Spread Algorithms, II
4. Blowfish (variable keylenght up to 448 bits). Bruce Schneier, 1990s
5. RC4. Stream cipher, keylenght between 40 and 256 bits, from 1987
6. DES (keylenght 56 bits). Has been U.S. commercial standard from 1977 and was widely used in all around the world. NB! Today isn’t consideres secure because of short keylenght!
Block and Stream CiphersSymmetric cryptoalgorithm can be divided into block ciphers and stream ciphers. Block ciphers are much more spread than stream ciphers
Symmetric cryptoalgorithm can be divided into block ciphers and stream ciphers. Block ciphers are much more spread than stream ciphers
• Block cipher (plokkšiffer) is an enciphering method where plaintext is divided into the blocks of certain lenght and these blocks are encrypted separately. How and if the encryption result of one block is related from the prevoius blocks is determined by the block cipher mode, which is curtrently used
• Stream cipher (jadašiffer) is a method where there is generated a key sequence (võtmejada) from a given secret key. Encryption process is an ordinary XOR operation between plaintext and key sequence
Electronic Codebook Mode
Plaintext blocks are encrypted independently from each other using the same secret key:
Disadvatnage: each ciphertext block depends on only one plaintext block – repeats in ciphertext
Disadvatnage: each ciphertext block depends on only one plaintext block – repeats in ciphertext
Advantage: one block of ciphertext depends on all previous plaintext – no repeats in ciphertext
Advantage: one block of ciphertext depends on all previous plaintext – no repeats in ciphertext
Cipher Block Chaining ModeBefore encrypting of the sequent block, the result of previous block was XORed to the plaintext:
Output Feedback Mode
• The most convenient but not sufficiently secure for a long plaintexts is an electronic codebook mode – each bit of a ciphertext depends only on one plaintext block
• The most-of-used and sufficently secure mode is a cipher block chaining mode – each bit of a ciphertext depends on all previous plaintext
• Feedback modes are less frequently used but they allow to use a block cipher as a stream cipher in order to produce the key sequence. Main usage area of them is secure erasing of a data from any rewritable media (disks, flash memory etc).
Using of Different Modes
• Block cipher block usually involves a numerous subsequent similar standard transformations of a plaintext called rounds (raund). Output of a previous round is an input to the next round
• How differents rounds use (generally different) keys is determined by a key sequence algorithm (võtmejaotusalgoritm). Key sequence algoroithm may also be missing, in these cases all rounds use straightly the original key
• If such a key sequence algorithm exists, it comuptes from initial key the special round keys (raundivõtmed) for different rounds
Inner Structure of a Block Cipher
Inner Structure of a Block Cipher
• Lenght of a key
• Lenght of a block (sometimes is equal to keylenght, but sometimes it’s not)
• Number of rounds (and sometimes also the number of different round types)
• Presence of key sequence algorithm
• Number of round keys (if key sequence algorithm exists, sometimes is equal to number of rounds sometimes it’s not)
• Lenght of round keys (sometimes is equal to initial key, sometimes it’s not)
Parameters of a Typical Block Cipher
Main Basic Operations Inside the Rounds• substitution (substitutsioon) –
replacing of original characters (letters) by another characters (letters)
• transposition or permutation (transpositsioon, permutatsioon) – changing the order of characters (letters)
Most of transformations inside the block cipher rounds are certain (usually complex) combinations of them
Most of transformations inside the block cipher rounds are certain (usually complex) combinations of them
AES: Main Facts• Is the main commercial secret-key
cryptoalgorithm (about 75-85% from all use cases)
• Has won in the AES Competition, before it was known as a Rijndael
• Has three different versions with different strenght (with different key lenghts)
• Is a block cipher with a block lenght of 128, 192 or 256 bits cosequently
• Uses a key which lenght is equal to the block lenght - consequently 128, 192 or 256 bits
• Authors are Joan Daemen and Vincent Rijmen Belgium
AES: Technical DescriptionFor a 128-bit key involves 10 rounds, for a 192-bit key involves 12 rounds and for a 256-bit key involves 14 rounds
Key sequence algorithm is missing (all rounds use straightly initial key)
Each round consists of four subsequent different type of transforms:• byte sub (asendusbaidi faas)• shift row (ridade nihutuse faas)• mix column (tulpade segamise faas)• add round key (raundivõtme lisamise faas)
AES: Cryptanalysis• Exhaustive search needs to performe a 2128
to 2256 operations – it is clearly infeasible
• Effective cryptanalytic means are not known up to this time (the algorithm is practically secure)
• Authors of AES (Rjindael) have itself shown it for a most of cryptanalytic methods known in these times (in 1999)
AES: Cryptanalysis• In October 2002 there was offered a new type of
cryptanalysis, an algebraic cryotanalysis (Courtois, Piperszyk) which probably allows to break 128-bit AESi with 287 operations
• It needs the solving of a complex algebraic equation systems which is not yet realized. Therefore, the algrebraic cryptanalysis has remained a pure theoretical constuction
• There has been a little succees in a field of related key attack (seotud võtmete rünne) in 2009 where there is used different keys which are mathematically related to each other. It is a pure theoretical construction and doesn’t affect practice
• There has also been some success using a side channel attack (lisakanali rünne) which is again a pure theorectical approach and is based on getting some internal information from inside the block
AES: Realizations• There’s possible to realize fast AES both in
hardware and software
• Hardware realizations are hundreds of times faster (depends on chip-making techniques and used programming language)
• Both hardware and software realizations of AES can be used as "background“ activities, for example, the data reading/writing background activities
Both hardware and software realizations of AES are widely spread
Both hardware and software realizations of AES are widely spread
IDEA: Main Facts• Is a block cipher with a block size 64 bits (8
bytes)
• Keylenght is 128 bits (16 bytes)
• Was constructed in Switzerland, was published in 1991
• Was patented by MediaCrypt, patent has expired in 2010-11
• In 2005 there was published the successor of IDEA called IDEA NXT (FOX), but it hasn’t gained the popularity of IDEA
IDEA: Technical Description• Is designed, oppositely to DES, to gain also fast
software realizations, not only fast hardware realisations
• Uses one-way hash functions instead of typical for symmetric algorithms S-boxes
• Includes a key sequence algorithm which generates 52 16-bit subkeys (round keys) from 128-bit general key
• Consists of 8 rounds• Each round uses 6 subkeys, after thew rounds there
were used 4 other subkeys• Considers 64-bit plaintext as four 16-bit parts
IDEA: Inside the Round
Inside the round there are a numerous functions with 16-bit parts (quarters of result, subkeys) are realised:
• Ordinary adding (by module 216 or mod 65536)• XOR • multiplying with module 216+1 (65537)
These functions together will gain us a sufficiently non-linear function. One reason for this property is, that 65537 is a prime number
These functions together will gain us a sufficiently non-linear function. One reason for this property is, that 65537 is a prime number
IDEA: Round Scheme
IDEA: A General Scheme
IDEA: Key Sequence Algorithm• First 8 subkeys are received by dividing of
general key into 8 parts
• After it the bit circular shift by 25 bits is realised and next 8 subkeys were received againg by dividing the result into 8 parts
• This procedure is repeated 7 times, as we have find 52 subkeys (last 4 keys will remain unused as 7 x 8 = 56)
Consequently, subkeys are related together after each of eight keyConsequently, subkeys are related together after each of eight key
IDEA: Cryptanalysis• Exhaustive search needs considering of
2128 variants
• The effective cryptanalytic algorithms are not known – consequenlty the algorithm is considered to be practically secure
• Best known result is a breaking of 5-round algoritm by the plaintext collision attack (DeMirci 2003)
Conclusion: IDEA is still a suitable algorithm for a practical use (despite of it long age)
Conclusion: IDEA is still a suitable algorithm for a practical use (despite of it long age)
IDEA: Advantages and Disadvantages
Advantages:• Is well-realizable in software
• Has used in many programs and standards during last 20 years
• Is extremely small – C-source of IDEA is only some KBs long and executable file (file part) consists of only some hundreds of bytes
Disadvantages: • AES is more effective and more secure (if to
take into account the long-term security)
Skipjack: Main Facts• Is a block cipher with a block lenght 64 bits (8
bytes)
• Keylenght is 80 bits (10 bytes)
• Is constructed in U.S. by NSA (National Security Agency) in early 1990s
• Was initally planned to use in Clipper chip (but this project hasn’t realized)
• As an exception, the technical description of an algorith,was kept secret until 1998
Skipjack: Technical Description• Is possible to realize both fast hardware and
software realizations of Skipjack (don’t consist special bit operations)
• Plaintext is considered as for 16-bit quarters (parts)
• Consists of 32 rounds
• Each round changes only one quarter (16 bits) of message
• There are A and B type rounds - after 8 A-rounds there were used 8 B-rounds (and the same combination is repeated)
• 80-bitine key is divided to 10 8-bit round keys by a simple sharing
Skipjack: Description of Rounds
• A- and B-type rounds differ only by a minor differencies of the place of XORing
• Each round includes the same encryption function G or so-called Feistel structure, where 16-bit text is transforming using 4 subkeys and a permutation F
• Before implementing of G, the round number and previous quarter was XORed to the result
Skipjack: Function G
Skipjack: Permutation F (Feistel Structure)
Skipjack: First 8 Rounds (type A)
Skipjack: Rounds 8-16 (type B)
Skipjack: Appliability
• Exhaustive search needs a considening of 280 variants – it’s infeasible for contemporary computers
• The effective cryptoanalytic means are not known
• There has realized the impossible differential cryptanalysis (võimatute erinevuste krüptoanalüüs) in 1998 for a reduced number of rounds (Biham, Shamir, Birjukov)
Conclusion: Skipjack can still considered as a parctically secure algorithm (although not suitable for a long-term security)
Conclusion: Skipjack can still considered as a parctically secure algorithm (although not suitable for a long-term security)
• Paralleel Names: ARC4, ARCFOUR
• Is a stream cipher (the most popular stream cipher in all the world)
• Uses a variable lenght key, from 40 to 128 bits
• Was constructed by Bruce Schneier in 1987
• Has widely spread with the WiFi-related protocols WEP and WPA
• There are a full familty of RC (RC-2, RC-5, RC-6)
RC4: Main Facts
• Is (as all stream ciphers) a pseudo-random bitstream generator (step is 256 bits)
• Includes two phases:
A. Forming of bit permutation with a lenght of 256 bits
B. Forming of two 8-bit index pointer
Permutation S was determined by the initial key of the key sequence algorithm:
RC4: Inner Construction
Finds 256 next values by a following PRGA algorithm (pseudo-random generation algoritm):
RC4 Step of a Random Generator
• For a stream ciphers the crytptoanalytic means’ effectiveness can’t be expressed in the form of 2N as for block ciphers
• Attack of Flucher, Martin and Shamir (2001): first bits of key sequence (768 or 3072) are not reliable and they shouldn’t be used
• Klein’s attack: 104-bit RC4 can be broken for a minute (128-bit RC4 is probably not yet broken)
RC4: Usage in Practice
Because of these facts RC4 was used very seldom and is usually replaced by other more secure algorithms (AES in a stream cipher mode)
Because of these facts RC4 was used very seldom and is usually replaced by other more secure algorithms (AES in a stream cipher mode)
• Is a block cipher with a block size 64 bits (8 bytes)
• Uses a variable lenght key, max. keylenght is 448 bits
• Was constructed by Bruce Schneier in 1993
• The successor of Blowfish is Twofish (late 1990s, was one of the candidates of AES), which uses the cinstruction details of Blowfish
Blowfish: Facts
Blowfish: Technical Description
• Coinsists of 16 rounds, their’ main component is F as a Feistel structure
• Uses 18 32-bit subkeys, which are generated from the initial key
• Uses four 32-bit S-boxes
• Inside the rounds the 64-bit block is divided into two halves (each round changes only one half)
Blowfish: A Scheme
Blowfish: A Key Sequence Algorithm
• Massive S (which length is equal to keylenght) is valued by a binary digits of a trancendence number π (3,1415926...)
• Key value is XORed by S values
• Half values are replaced by the values, derived from a number π and the XORind procedure is repeated
• There were found 18 16-bit subkeys as a result of 521 iterations
• key schedule calculation (võtmejaotusarvutus), which founds 16 48-bit subkeys (alamvõtmed) from 56-bit initial key
• initial permutation (algpermutatsioon)
• 16 rounds (raund), each of them using one subkey
• final permutation (lõpp-permutatsioon)
Retrospective View — DES
DES is a typical iterative block cipher, consisting of the following parts:
DES – A General Scheme
DES: Initial Permutation
DES: Finding Subkeys
16 subkeys (round keys), 48 bits long, are found from 56-bit initial key by a special key sequence algorithm. Each subkey is used exactly in one round
16 subkeys (round keys), 48 bits long, are found from 56-bit initial key by a special key sequence algorithm. Each subkey is used exactly in one round
There are following typical construction elements of DES:
• substitution - replacing of bit combinations by an another bit combinations
• permutation – changing of bits order
DES: Key Sequence Algorithm
Permuted choices (permuteerivad valikud):
DES: Finding Subkeys
• 64-bit block is divided into two 32-bit halves
• One 32-bit part is tranformed by a round function, using corresponding 48-bit subkey
• Second half remains intact
• The result was XORed to the second half
• Halves are flipped by each other
DES: Inside The Rounds
• 32-bit text is expanded to 48-bit
• 48-bit subkey was XORed
• The result is transformed back to 32-bit
48-bit result was transformed into 32-bit using S-boxes (S-boksid). S-boxes form mathematically a most critical part of the whole DES algorithm
48-bit result was transformed into 32-bit using S-boxes (S-boksid). S-boxes form mathematically a most critical part of the whole DES algorithm
DES: Round Function
DES: A Round Function
DES: Expanding Table in Rounds
DES: S-Boxes Used in Rounds
DES: S-Boxes Used in Rounds
DES: Final Permutation of Round
Is actually the inverse permutation of initial permutation:
DES: Final Permutation of Calculations
• Because there are used some complex (special) bit operations, the software realisations are much more (thousands times) slower than hardware realisations (Modern algorithms are different)
• Because of the huge speed of contemporary computers there’s possibility to use DES as a backgound operations also in software already during last 15 years
• DES has integrated in a numerous standards and devices (especially during 1990s) which are sometimes still somewhere in operation
DES: Realisations
• Can be performed by 256 operations – is is already feasible for contemporary computers (mainframe computers)
• There’s possible to construct a special parallel “breaking machine” consisting of a lot of chips, which cost (AD 2014) is about 100 000 EUR and is able to break DES about within one second
• The cost and breaking time are related together (more expensive machine is able to break faster)
DES – Exhaustive Search
• There are also some effective cryptoanalytic means found
• Differential cryptanalysis (erinevuste krüptoanalüüs, Biham, Shamir, 1991) allows for a adaptive chosen plaintext attack to break algorithm using 247 variants instead of 256
• Linear cryptanalysis allows to break DES only by 243 variants (Junod 2001)
Sad conclusion : DES is unsuitable for practical use already for last 15 years
Sad conclusion : DES is unsuitable for practical use already for last 15 years
DES - Cryptoanalysis
• Alternative 1 (highly recommended): to use other symmetric algorithm, especially AES
• Alternative 2 (unrecommended, only use as emergency option): to use triple DES or 3DES (kolmekordne DES), with a keylenght of 168 bits and which is not yet broken in practice
DES - Recommendations for Practice
Last version of DES standad FIPS PUB 46-3 (October 1999) determines only usage of triple DES, but the standard was valid only until 2005
Last version of DES standad FIPS PUB 46-3 (October 1999) determines only usage of triple DES, but the standard was valid only until 2005
Triple DES
Conclusions
Since 2001 AES is better from other algorithms and it’s recommended to use AES if it is possible
Since 2001 AES is better from other algorithms and it’s recommended to use AES if it is possible
All the presented algorithms (excepted DES) can be used in practice because they are still practically secure
There are also other symmetric algorithms which are not considered here (both older and newer algorithms)
Other Symmetric Algorithms?
If it’s necessary to use them, it must be taken account:• If the effective keylenght is not less
than 80 (128) bits• If there aren’t known effective
cryptanalytic means• If the algorithms is published at least
3-4 years ago
If it’s necessary to use them, it must be taken account:• If the effective keylenght is not less
than 80 (128) bits• If there aren’t known effective
cryptanalytic means• If the algorithms is published at least
3-4 years ago