There is no security on this earth, there is only opportunity - PowerPoint PPT Presentation

Loading...

PPT – There is no security on this earth, there is only opportunity PowerPoint presentation | free to download - id: 9170a-MGI1Y



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

There is no security on this earth, there is only opportunity

Description:

algorithm & implementation characteristics (Used to reduce the field from 21 proposals to 15. ... 5. restricted memory requirement (for use in smart devices) ... – PowerPoint PPT presentation

Number of Views:134
Avg rating:3.0/5.0
Slides: 113
Provided by: web2Uw
Learn more at: http://web2.uwindsor.ca
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: There is no security on this earth, there is only opportunity


1
  • There is no security on this earth, there is only
    opportunity
  • - General Douglas MacArthur

2
Origins
  • A replacement for DES was needed
  • worked out theoretical attacks, that may break
    it
  • demonstrated exhaustive key search attacks
  • 1999 NIST issued FIPS PUB 43 DES for legacy
    systems only Triple DES prescribed for new
    systems
  • can use Triple-DES up to 2030 but slow
    particularly in software implementations-with
    small blocks
  • Jan 2, 1997 NIST begins work on the new
    standard.
  • Sept 12, 1997 formal call for AES proposals

3
AES Requirements issued by
NIST in 1997
  • private key, symmetric block cipher
  • 128-bit data, 128/192/256-bit keys
  • stronger faster than Triple-DES
  • active life of 20-30 years ( archival use)
  • provide full specification design details
  • both C Java implementations

4
History of Development of AES
  • June 1998 21 proposals
  • Aug 20, 1998 shortlisted to 15 proposals
    CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI
    197, MAGENTA, MARS, RC6, RIJNDAEL, SAFER,
    SERPENT, TWOFISH
  • March 22, 23, 1999 AES2 Second AES Candidate
    Conference, Rome
  • Aug 1999 five candidates MARS, RC6, RIJNDAEL,
    SERPENT, TWOFISH equally secure issues of
    efficiency, speed and less resource hunger were
    to be studied.

5
AES Shortlist
  • shortlist in Aug-99
  • MARS (IBM) - complex, fast, high security margin
  • RC6 (USA) - v. simple, v. fast, low security
    margin
  • Rijndael (Belgium) - clean, fast, good security
    margin --academic
  • Serpent (Euro) slow (1/3rd the speed of AES),
    clean, highest security margin out of the 5
    finalists --academic
  • Twofish (USA) complex, Feistel, DES-like
    structure v. fast (as fast as AES), high
    security margin key dependent S-boxes Uses
    whitening at both the start and the end of the
    cipger process, add key-material to data
  • then subject to further analysis comment

6
AES Evaluation Criteria
  • initial criteria
  • security effort to practically cryptanalyse
  • cost computational
  • algorithm implementation characteristics
  • (Used to reduce the field from 21 proposals to
    15.
  • Thereafter 5 candidates were shortlisted out of
    the 15,
  • by using the same criterion. )

7
final criteria for selecting Rijndael out of the
five
  • 1.general security
  • 2. software hardware implementation ease
  • 3. implementation attacks
  • 4. flexibility (in en/decrypt, other factors)
  • 5. restricted memory requirement (for use in
    smart devices)
  • 6. Key Agility ability to change keys fast, with
    a minimum of resources.

8
AES
  • October 2, 2000 RIJNDAEL selected as AES
  • Unclassified, publicly disclosed encryption
    algorithm
  • Available royalty-free world-wide
  • Symmetric-key block cipher

9
Selection of AES
  • saw contrast between algorithms
  • with few complex rounds versus many simple rounds
  • which refined existing ciphers versus new
    proposals
  • which could be implemented efficiently both in
    software only and through special purpose ICs
  • AES issued as FIPS PUB 197 standard in Nov-2001
  • AES initially developed as Rijndael Cipher by
  • Joan Daemen and Vincent Rijmen

10
Rijndael Cipher
  • an iterative rather than Feistel-type cipher
  • operates on an entire block of data in every
    round (and not on half the block, as in Feistel
    type ciphers)
  • designed to be
  • resistant against known attacks
  • speed and code compactness on many CPUs
  • design simplicity
  • Plaintext Data written in the form of a matrix
  • Input Key also written in the form of a matrix

11
Key
  • Key and data bytes arranged in rectangular arrays

Variable Key size 16,24 or 32 bytes Ki,j
represents a byte in the ith row and jth
column. Nk Number of column vectors of the key
(4-byte vectors)
12
Block of data
Variable Block size 16,24 or 32 bytes ai,j
represents a byte in the ith row and jth
column. Nb Number of column vectors (4-byte
vectors)
13
State
  • The plaintext block of data is represented as a
    matrix. Each cell of the matrix is a byte.
  • The en/de-cryption process is a multi-step
    process.
  • The matrix is manipulated at each step to yield a
    new matrix as the output of the step.
  • At each stage, the matrix of data, whether it is
    the input to the stage or it is the output of the
    stage, is called a STATE.
  • The final output of the multi-step encryption
    process yields the ciphertext.

14
Rijndael Cipher Each stage in the
en/de-cryption process
A matrix of output, also called a STATE (The
output state would be naturally different from
the input state.)
A stage in the en/de-cryption process
  • A matrix of input,
  • called a
  • STATE

Given A key K KEY EXPANSION process One key is
expanded into multiple sub-keys of the same
size ROUND a collection of steps, which are
sequentially performed on a state, to produce a
new state.
15
Rijandael encryption (and decryption) process
Number of Rounds (Nr)
  • 10/12/14 times applying (nearly) the same round
    function.
  • Nr 6 Max (Nk, Nb)
  • Nb 4 Nb 6 Nb 8
  • Nk 4 10 12 14
  • Nk 6 12 12 14
  • Nk 8 14 14 14

16
Rijndael Cipher
  • Rijndael Cipher Three-step Process of encryption
  • initial XOR of the 128-bit block of plaintext
    with the sub-key 1
  • has 9/11/13 rounds. Each round consists of
  • byte substitution (The same S-box used on every
    byte, unlike DES, where 8 different S-boxes are
    used.)
  • shift rows(permute bytes between columns)
  • mix columns (subs using matrix multiply of
    groups)
  • add round key (XOR state with separate sub-keys
    for each round)
  • Incomplete last (i.e. 10/12/14th) round (without
    mix columns operation)

17
Example Key Expansion for a 128 bit key and
128 bit block
  • If Nb be fixed at 4, the number of rounds
  • Nr 1 10 or 12 or 14,
  • depending upon the
    value of Nk.
  • No of keys required Nr 1.
  • Example Given A key of 128 bits. ? Nk 4
  • Key first rewritten into four components of 4
    bytes each, called w(0) to w(3) Each w is of 32
    bits..
  • Then the Key is expanded from 4 to 44 components
    of 32 bits each, called w(i), i 0 to 43
  • For the jth round, the sub-key consists of w(4j)
    to w(4j3).
  • Total number of key bits N(Nr 1), where N
    block size in bits

18
Rijandael Cipher continued
  • The Rijndael cipher has a variable block length
    and key length.
  • currently keys with a length of 128, 192, or
    256 bits to encrypt blocks with a length of 128,
    192 or 256 bits (all nine combinations of key
    length and block length are possible). Both block
    length and key length can be extended very easily
    by multiples of 32 bits.
  • Rijndael can be implemented efficiently on a wide
    range of processors and in hardware.
  • all operations can be combined into XOR and table
    lookups - hence very fast efficient

19
Rijandael Cipher continued
  • for 128 bit block processes data as 4 groups of
    4 bytes each.
  • Each group is shown as a column in a matrix of
    four columns.
  • Each column has 4 rows.
  • Each cell of the 4x4 matrix contains one byte.
  • The output in every round creates a new state of
    128 bits or of 4 columns of 4bytes each.
  • The ciphertext is the final output generated by
    the cipher system.

20
Example of selection processCryptographic Hash
Algorithm (SHA-3)
  • 2005 Prof. Xiaoyun Wang a differential attack
    on SHA-1 can find a hash collision (two messages
    with the same hash value) on the SHA-1 hash with
    an estimated work of 263 operations
  • the ideal 280 operations should be required for
    any good 160-bit hash function.
  • Recommendation Use SHA-2 family of hash
    functions (SHA-224, SHA-256, SHA-384 and SHA-512)
  • A competition by NIST Entries received by
    October 31, 2008 July 2009 Second Round
    candidates selected (Reference
    http//csrc.nist.gov/ as of Oct 5, 2009)

21
The AES Cipher
  • A FIPS approved cryptographic algorithm that can
    be used to protect electronic data.
  • AES uses 128 bit block only.
  • Key may be of 128, 192 or 256 bits.
  • Nk may be 4/6/8.
  • Nr Number of rounds 6 Nk
  • Reference Federal Information Processing
    Standards (FIPS) Publication 197
    http//csrc.nist.gov/publications/fips/fips197/fip
    s-197.pdf as of Oct 5, 2009
  • Reference Federal Information Processing
    Standards (FIPS) Publication 197
    http//csrc.nist.gov/publications/fips/fips197/fip
    s-197.pdf as of Oct 5, 2009

22
  • This authority (National Protection and Programs
    Directorate) will assist us in recruiting the
    best people in the world to come work for us over
    the next few years as cyber analysts, developers
    and engineers. So look out were coming.
  • -- Janet Napolitano,
    Homeland Security Secretary
  • in "DHS could hire 1000
    more cyber security professionals",

  • FederalComputerWeek, October 1, 2009
  • http//fcw.com/Articles/2009/10
    /01/Web-DHS-hiring-cybersecurity-officials.aspx
    as of 7th Oct 2009

23
AES vs Rijandael
  • AES uses 128 bit block only. (Nb 4 only.)
  • Rijandael can use a block of 128/ 192/ 256 bits.
    (Nb may be 4/6/8.)
  • Both AES and Rijandael may use cryptographic keys
    of 128, 192 or 256 bits. (Nk may be 4/6/8.)
  • AES may have 10, 12 or 14 rounds depending upon
    Nk of 4, 6 or 8 respectively.

24
Steps of a Round Function
  • Round function composed of 4 steps (except for
    the incomplete without MixColumn-- last round)
  • Each step has its own particular function
  • ByteSub non-linearity
  • ShiftRow inter-column diffusion
  • Mix Column inter-byte diffusion within columns
  • Round key addition
  • Figure on the next slide shows both encryption
    and decryption processes STATE at
    corresponding levels for encryption and
    decryption is the same.

25
AES Cipher continued
26
Pseudo Code for Encryption for the earlier
rounds, and, for the last round
  • Round(State, RoundKey)
  • Bytesub(State)
  • ShiftRow(State)
  • MixColumn(State)
  • AddRoundKey(State, Roundkey)
  • For the last round, it is a little different
  • Round(State, RoundKey)
  • Bytesub(State)
  • ShiftRow(State)
  • AddRoundKey(State, Roundkey)

27
Three Steps of Decryption
  • initial XOR of the ciphertext with the sub-key
  • has 9/11/13 rounds in which state undergoes
  • InvShift rows(permute bytes between columns)
  • InvByte substitution (The same Inverse S-box used
    on every byte)
  • add round key (XOR state with separate sub-keys
    for each round)
  • InvMix columns (subs using matrix multiply of
    groups)
  • Incomplete last (i.e. 10/12/14th) round (without
    InvMix columns operation)

28
Pseudo Code for Decryption for the earlier
rounds, and, for the last round
  • Round(State, RoundKey)
  • InvShiftRow(State)
  • InvByteSub(State)
  • AddRoundKey(State, Roundkey)
  • InvMixColumn(State)
  • For the last round, it is a little different
  • Round(State, RoundKey)
  • InvShiftRow(State)
  • InvBytesub(State)
  • AddRoundKey(State, Roundkey)

29
Sequence of Operations in a Round (SoOiaR)
of Encryption vs. SoOiaR of Decryption
  • Let Si be the input state for round i and
  • let Si 1 be the output
    state.
  • Encryption
  • Let w(4i, 4i 3) be the RoundKey for the ith
    round.
  • Si 1 AddRoundKey(MixColumn(ShiftRow(Bytesub(Si
    ))))
  • In the last round, the MixColumn operation is not
    included.
  • Decryption
  • Let w(4(10-i), 4(10-i)3) be the RoundKey for
    the ith round.
  • Si 1 InvMixColumn(AddRoundKey
    (InvBytesub(InvShiftRow (Si))))
  • In the last round, the InvMixColumn operation is
    not included.
  • Method of aligning the two sequences After a
    study of the 4 operations.

30
AES Cipher continued
31
AES sources of security
  • AES Begins and ends with AddRoundKey ? These
    steps do not provide much of a security to AES.
  • ByteSub, ShiftRow and MixColumn
  • No use of key ? invertible by any one
  • but provide non-linearity, diffusion and
    confusion
  • Jointly the two above provide security.

32
The process of Encryption
Add Round Key
  • XOR state with 128-bits of the round key
  • again processed by column (though effectively a
    series of byte operations)
  • inverse for decryption is identical since XOR is
    own inverse, just with correct round key

33
ExampleReference http//csrc.nist.gov/publicatio
ns/fips/fips197/ fips-197.pdf, page 33
  • Input M 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37
    07 34
  • Cipher Key K 2b 7e 15 16 28 ae d2 a6 ab f7 15
    88 09 cf 4f 3c
  • 0th Round (The First Stage) M ? K M0
  • 32 88 31 e0 2b 28 ab 09 19 a0 9a
    e9
  • 43 5a 31 37 ? 7e ae f7 cf 3d f4 c6
    f8
  • f6 30 98 07 15 d2 15 4f e3 e2 8d
    48
  • a8 8d a2 34 16 a6 88 3c be 2b 2a
    08
  • Each stage generates a new STATE. Thus from M
    (the input state), this stage generates a new
    state M0.

34
First Step in a Round of Encryption
ByteSub
a i,j
S - box
  • Bytes are transformed by applying invertible
    S-box
  • One single S-box for the complete cipher
  • High non-linearity

b i,j
35
Byte Substitution
  • a simple substitution of each byte
  • uses one S-box of 16x16 bytes containing a
    permutation of all 256 8-bit values
  • each byte of state is replaced by a byte
  • from row (left 4-bits) column (right
    4-bits)
  • eg. byte 95 is replaced by a byte from the 9th
    row and 5th col of the S-box.
  • (The value in the 9th row and 5th col 2A)
  • S-box is constructed using a defined
    transformation of the values in GF(28)
  • designed to be resistant to all known attacks

36
S-Box
Reference http//csrc.nist.gov/publications/fips/
fips197/fips-197.pdf, page 16

as of October 12, 2009
37
Design Criteria for the S-box
  • Low correlation between input and output bits
  • Output cannot be a simple mathematical function
    of the input.
  • No fixed point of S-box input and output for
    S-box cannot be the same.
  • No opposite fixed point of S-box input and
    output cannot be bit-wise complement of each
    other.

38
Construction of 16 X16 S-box
  • Each cell of the s-box contains one byte.
  • Rows and columns are numbered from 0 to F.
  • Step 1 Initialization put in each box the value
    equal to its position row column
  • Ex. in row 0, column 2, the value would be 0216
    or 0000 00102
  • Step 2 Replace the value in each cell by its
    multiplicative inverse by GF(28) mod (x8 x4
    x3 x 1). Use extended Euclids algorithm
    given in the Mathematical Background.

39
  • Now
  • Please Refer to the Mathematical background.

40
Multiplicative inverse Extended
Euclidm(x), b(x) Algorithm
  • (A1, A2, A3)? (1, 0, m)
  • (B1, B2, B3)? (0, 1, b)
  • If B3 0,
  • return A3 gcd(m, b)no inverse exists.
  • If B3 1
  • return B2 as the multiplicative inverse of B.
  • (i.e. b(x).B2 1 mod m(x) )
  • Q ?A3/B3?
  • (T1, T2, T3)? (A1 - Q B1, A2 - Q B2, A3 - QB3)
  • (A1, A2, A3)? (B1, B2, B3)
  • (B1, B2, B3)? (T1, T2, T3)
  • Go to 2

41
Construction of 16 X16 S-box multiplicative
inverse mod (x8x4x3x1)
  • ExIn row 0, column 2,
  • the value 0216 ( corresponding to a(x) x )is
  • replaced by its multiplicative inverse (which
  • is shown below to be 8D16 .)
  • To find c(x) so that
  • a(x).c(x) 1 mod (x8 x4 x3 x 1).
  • A1 A2 A3 B1 B2 B3 Q
  • 1 0 x8x4x3x1 0 1 x -
  • 0 1 x 1 x7x3x21 1
    x7x3x21
  • c(x) x7x3x21 1000 11012 8D16
  • Step3 Use the matrix transformation, of next
    slide, to transform 8D16 (,called vector x, to a
    new vector y).

42
Example Row 0 and column 2 .. Contd.
  • c(x) x7x3x21 8D16
  • a7x7a6x6a1xa0
  • a0 1
  • x a1 0
  • . 1
  • 1
  • 0
  • . 0
  • a6 0
  • a7 1

43
S-Box construction
Example. continued
  • M1 1 0 0 0 1 1 1 1 m2 1
  • 1 1 0 0 0 1 1 1
    1
  • 1 1 1 0 0 0 1 1
    0
  • 1 1 1 1 0 0 0 1
    0
  • 1 1 1 1 1 0 0 0
    0
  • 0 1 1 1 1 1 0 0
    1
  • 0 0 1 1 1 1 1 0
    1
  • 0 0 0 1 1 1 1 1
    0
  • y M1 x m2

44
Construction of 16 X16 S-box
Example. continued
  • Step3 (continued)

1
1
0
1
1
1
0
1
1
0
1
0
1
0
1




M1
Y2
1
0
0
0
0
0
0
1
0
1
0
1
0
1
1
0
1
0
1
1
1
0
0
0
0
NOTE The transformed value is 7716. The Inverse
S-box, provides the value 02 in the 7th row and
7th column.
AES uses two substitution boxes S-box for
encryption and Inverse S-box for decryption
The next slide again shows the S-box.
45
S-Box
Reference http//csrc.nist.gov/publications/fips/
fips197/fips-197.pdf, page 16
46
Example of Byte Sub Reference
http//csrc.nist.gov/publications/fips/fips197/
fips-197.pdf, page 33
  • Use M0 of slide 33 as the input data for this
    example.
  • M0 BYTE SUB ? M11
  • 19 a0 9a e9 d4 e0 b8
    1e
  • 3d f4 c6 f8 ? 27 bf b4
    41
  • e3 e2 8d 48 11 98 5d
    52
  • be 2b 2a 08 ae f1 e5
    30

47
  • Inverse Byte Substitution

2a
95
S-Box
2a
95
Inv S-Box
95
ad
Inv S-Box
S-Box is NOT self-inverse. ? For the same input,
the S-Box and the Inv S-Box will NOT have the
same output.
48
Inverse S-Box
x
y
Reference http//csrc.nist.gov/publications/fips/
fips197/fips-197.pdf,

page 22
49
Construction of Inverse Substitution Box
  • M3 0 0 1 0 0 1 0 1 m4 1
  • 1 0 0 1 0 0 1 0
    0
  • 0 1 0 0 1 0 0 1
    1
  • 1 0 1 0 0 1 0 0
    0
  • 0 1 0 1 0 0 1 0
    0
  • 0 0 1 0 1 0 0 1
    0
  • 1 0 0 1 0 1 0 0
    0
  • 0 1 0 0 1 0 1 0
    0
  • x M3 y m4

50
Justification
  • x M3 y m4
  • Using slide 38
  • x M3 (M1 x m2 ) m4
  • M3 .M1 x M3. m2 m4
  • We find
  • M3 .M1 unity matrix
  • M3. m2 m4 0

51
Second Step in a Round of Encryption
ShiftRows
  • a circular byte shift to the left in each row
  • 1st row is unchanged
  • 2nd row does 1 byte circular shift to left
  • 3rd row does 2 byte circular shift to left
  • 4th row does 3 byte circular shift to left
  • In this step, the 4 bytes of each column are
    distributed over 4 different columns.
  • During decryption, the shifts are circular shifts
    to the right.
  • This step provides permutation of the data.

52
ShiftRow
  • Rows are shifted over 4 different offsets
  • High diffusion over multiple rounds
  • Interaction with Mix Column

53
Shift offsets Original Rijandael spec
  • The first row no shift
  • The second row circular shift by C1
  • The third row circular shift by C2
  • The fourth row circular shift by C3
  • Nb 4 C1 1, C2 2, C3 3
  • Nb 6 C1 1, C2 2, C3 3
  • Nb 8 C1 1, C2 3, C3 4
  • AES has Nb4 only.

54
Example of ShiftRowReference
http//csrc.nist.gov/publications/fips/fips197/
fips-197.pdf, page 33
  • Use M11 of slide 46 as the input data for this
    example.
  • M11 ShiftRow ? M12
  • d4 e0 b8 1e d4 e0 b8 1e
  • 27 bf b4 41 ? bf b4 41 27
  • 11 98 5d 52 5d 52 11
    98
  • ae f1 e5 30 30 ae f1
    e5

55
Third Step in a Round of Encryption
MixColumn
2 3 1 1 1 2 3 1 1 1 2
3 3 1 1 2
a 0,j
a 1,j
a 2,j
a 3,j
  • Bytes in columns are linearly combined
  • High intra-column diffusion
  • Based on theory of error-correcting codes

b 0,j
b 1,j
b 2,j
b 3,j
56
Mix Columns
  • each column is processed separately
  • each byte is replaced by a value dependent on all
    4 bytes in the column
  • effectively a matrix multiplication, where each
    byte is treated as a polynomial in GF(28) using
    prime poly m(x) x8x4x3x1
  • Input state S Output state S

57
ExampleMix Column Evaluation of S00
Reference Mathematical background
  • Use M12 of slide 54 as the input data for this
    example.
  • S00(02. S00) ? (03.S10) ? (01.S20) ? (01.S30)
  • values in first column S00d4, S10bf, S205d,
    S3030
  • 01.30 30 0011 0000
  • 01.5d 5d 0101 1101
  • 03.bf da 1101 1010
  • 03.bf can be represented by (x 1). a (x) mod m
    (x)
  • (x 1).(x7x5x4x3x2x1) mod (x8x4 x3 x
    1)
  • x.(x7x5x4x3x2x1) mod (x8x4 x3 x 1)
  • 02.bf shift left and XOR with 1b
  • 0111 1110 ? 0001 1011 0110
    0101
  • 01.bf bf 1011 1111
  • 03.bf 02.bf ? 01.bf 1101 1010

58
ExampleMix Column Evaluation of S00
.2
  • 02.d4 b3 1011 0011
  • x.(x7x6x4 x2) mod (x8x4 x3 x 1)
  • x.(x7x6x4 x2) requires
  • 10101000 ? 0001 1011 10110011
  • 0011 0000 ? 0101 1101 ? 1101 1010 ? 10110011
  • S00 0000 0100 04

59
ExampleMix Column Evaluation of S10
Reference Mathematical background
  • S10(01. S00) ? (02.S10) ? (03.S20) ? (01.S30)
  • S00 d4, S10 bf, S20 5d, S30 30
  • 01.d4 d4
  • 02.bf 65 by shifting bf once to the left and
    xor-ing with 1b
  • Shift 1011 111 to left ? 0111 1110
  • 0111 1110 ? 0001 1011 0110 01012 6516
  • 03.5d 5d ? 02.5d by splitting 03 into 01 and 02
  • 5d ? ba by shifting 5d once to
    the left
  • 5d160101
    11012 SL?1011 10102 ba16
  • e7 0101 11012 ? 1011
    10102 1110 01112
  • 01.30 30
  • S10 d4 ? 65 ? e7 ? 30 66

60
Example Mix Column
  • Use M12 of slide 54 as the input data for this
    example.
  • Previous 3 slides show the calculation of s00
    and s10. Similarly the whole of the state S can
    be calculated.
  • M12 MixColumn ? M13
  • d4 e0 b8 1e 04 e0 48 28
  • bf b4 41 27 ? 66 cb f8 06
  • 5d 52 11 98 81 19 d3 26
  • 30 ae f1 e5 e5 9a 7a 4c

61
Inverse Mix Column
MC
MC-1
Hence using MC-1 would be more difficult, since
it would require multiplication with more complex
polynomials.
62
Selection of values in MixColumn
  • Selected for good mixing based on a linear code,
    with maximum distance between code words
  • Small values 01, 02 and 03 lead to faster
    implementation ? require only shift and XOR
  • Leads to more difficult decryption CFB (Cipher
    Feedback) and OFB (Output Feedback) require
    encryption process for decryption.

63
Cipher FeedBack (CFB)
64
Output FeedBack (OFB)
65
Inverse Mix Column transformation
  • If s be the input matrix and s be the output
    matrix,
  • 0E 0B 0D 09
  • 09 0E 0B 0D
  • 0D 09 0E 0B
  • 0B 0D 09 0E
  • 0E 0B 0D 09 02 03 01 01 01 00 00 00
  • 09 0E 0B 0D 01 02 03 01 00 01 00 00
  • 0D 09 0E 0B 01 01 02 03 00 00 01 00
  • 0B 0D 09 0E 03 01 01 02 00 00 00 01


S
S
The above process is the inverse of the forward
process, of slide 51, because -

66
Inverse Mix Column transformation cont
  • Proof the output element in row 1 and column 1
  • A11 0E . 02 ? OB . 01 ? 0D . 01 ? 09 . 03
  • 0E . 02 1C by shifting 0E to the left
  • 09 . 03 09 ? 09 . 02 by splitting 03 into 01
    and 02
  • 09 ? 12 by shifting 09 to the left
  • 1B
  • A11 1C ? 0B ? 0D ? 1B
  • 01

67
Mix Column transformation Comments
  • Mix Column during encryption uses values of 01,
    02 and 03. these are implemented by shift or by
    shift XOR.
  • Inverse Mix Column for decryption is more
    complex.
  • However it was possible to make only one of the
    two processes simple. It was decided to make
    encryption process simpler than decryption
    because encryption is more important
  • AES may be used for authentication where only
    encryption may be used.
  • CFB, OFB and CTP modes do not require decryption
    process (refer DES part 2 slides 11 -23)

68
Example (using the example of slide
60) Inverse MixColumn
  • M13 InvMixColumn ? M12
  • 0e 0b 0d 09 04 e0 48 28
  • 09 0e 0b 0d 66 cb f8 06
  • 0d 09 0e 0b . 81 19 d3 26
  • 0b od 09 0e e5 9a 7a 4c
  • S00 0e.04 ? 0b.66 ? 0d.81 ? 09.e5
  • (In the next three 3 slides, we shall show the
    calculation of S00)

69
Example Inverse MixColumn.. 2
  • 0e.04 (0000 1110).(0000 0100)
  • Can be visualized as
  • (x3 x2 x). b(x) mod (x8x4x3x1)
  • x. b(x) 0000 1000
  • x2. b(x) 0001 0000
  • x3. b(x) 0010 0000
  • 0e.04 0011 1000

70
  • 0b.66 b(x) 0110 0110
  • 1. b(x) 0110 0110 x. b(x) 1100 1100
  • x2.b(x)1001 1000?0001 10111000 0011
  • x3.b(x)0000 0110?0001 10110001 1101
  • 0b.66 0110 0110?1100 1100?0001 1101 1011 0111
  • 0d.81 b(x) 1000 0001
  • x. b(x)0000 0010?0001 10110001 1001
  • x2.b(x)0011 0010 x3.b(x) 0110 0100
  • 0d.811000 0001?0011 0010?0110 0100
  • 1101 0111

71
Example Inverse MixColumn .. 4
  • 09.e5 b(x)1110 0101
  • x.b(x)1100 1010?0001 10111101 0001
  • x2.b(x)1010 0010?0001 10111011 1001
  • x3.b(x)0111 0010?0001 10110110 1001
  • 09.e5 0110 1001?1110 0101 1000 1100
  • S11 0e.04 ? 0b.66 ? 0d.81 ? 09.e5
  • 0011 1000?1011 0111?1101 0111?1000 1100
  • 1101 0100 ? d4

72
Example (using the example of slide
56) Inverse Mix Column .. 5
  • Proceeding in a similar manner, we shall find
    that,
  • M13 InvMixColumn ? M12
  • 04 e0 48 28 d4 e0 b8 1e
  • 66 cb f8 06 --IMC? bf b4 41 27
  • 81 19 d3 26 5d 52 11 98
  • e5 9a 7a 4c 30 ae f1 e5

73
Fourth Step in a Round of Encryption
AddRoundKey
  • Makes the round function dependent upon key
  • Computation of round keys keep it simple
  • Small number of operations
  • Small amount of memory

74
AES Round State of 16 bytes 16 bytes of Key
called ri (Ref Stallings Fig 5-3)
75
Key Expansion for 128 bit key and 128 bit block
slide 12
  • A key of 128 bits or of Nk 4 first rewritten
    into four components of 4 bytes each, called w(0)
    to w(3). Then it is expanded from 4 to 44
    components of 32 bits each, called w(i), i 0 to
    43
  • w(4j) to w(4j3)
  • For the jth round of encryption, the sub-key
    consists of w(4j) to w(4j3).
  • (For decryption, this would be the key for the
    (10-j)th round.)

76
AES Cipher continued
77
AES Key Expansion
  • takes 128-bit (16-byte) key and expands into
    array of 44/52/60 32-bit words
  • start by copying key into first 4 32-bit words,
    called w(0) to w(3).
  • then use a loop, in which,
  • each new 4-byte word depends on values in
  • the immediately previous word
  • the word, which is 4 places back.
  • in 3 of 4 cases just XOR these together
  • (For w(i) where i ? 0 mod 4)

78
AES Key Expansion continued
K4
K0
K12
K8
K5
K1
K13
K9
K6
K2
K14
K10
K7
K3
K15
K11
O
w1
w0
w3
w2
g
? ? ? ?
w5
w4
w7
w6
79
AES Key Expansion continued
  • every 4th case (For w(i), where i is a multiple
    of 4.)
  • The immediately preceding word goes through a
    process described by a function g.
  • Three steps of g
  • RotWord one byte circular left shift of the
    previous word
  • SubWord substitute each of the 4 bytes using the
    S-box
  • XOR with a 32-bit round constant called Rcon(j)
    where j is the round number

80
Example Key Expansion
Calculation of w4
  • Cipher Key 2b 7e 15 16 28 ae d2 a6 ab f7 15 88
    09 cf 4f 3c
  • w0 2b7e1516 w1 28aed2a6
  • w2 abf71588 w3 09cf4f3c
  • Calculation of w4 RotWord and SubWord
  • X1 RotWord (w3) cf4f3c09
  • By using the S-box
  • cf4f3c09 -- S-box ? 8a84eb01 X2
  • Example continued
    after two slides

81
AES Key Expansion Rcon(j) Reference for
Key expansion Problemhttp//csrc.nist.gov/
publications/fips/fips197/fips-97.pdf Page 28
  • Calculation of w(i) for every 4th case (For
    w(i), where i
  • is a multiple of 4.)
    continued from previous slide
  • The first byte of Rcon(j) is called RC(j). The
    second, third and the fourth bytes of Rcon(j) are
    0.
  • RC(1) 1
  • RC(j) 2.RC(j 1) for j2 to 10. The
    multiplication is defined over the field GF(28),
    with m(x) x8x4x3x
  • Thus RC(2) 2,RC(8) 128
  • rc9(x) x8 mod m(x) x4x3x1 ? RC(9) 1B
  • RC(10) 0011 0110 3616 x5x4x2x
  • obtained by shifting RC(9) to
    the left

82
AES Key Expansion
Rcon(j) Formulae
  • Key expansion formulae for i 0 to 43
  • w (i) w (i-1) ? w (i 4) if i is not a
    multiple of 4
  • w (i) g w (i-1) ? w (i-4) if i is a multiple
    of 4
  • g w (i-1)R con j ? Subword (Rotword
    (w(i-1)))
  • where j Round number
  • J 1 2 3 4 5 6 7
    8 9 10
  • RCj 01 02 04 08 10 20 40 80
    1B 36

R con j RCj 00 00 00 given in HEX
83
Example Key Expansion continued from slide 75
Calculation of w4, w5, w6 and w7 ...2
  • Rcon(1) 01 00 00 00
  • X3 8a84eb01 ? 01000000 8b84eb01
  • w4 w0 ? X3
  • 2b7e1516 ? 8b84eb01 a0fafe17
  • For w5, w6 and w7, only XOR is reqd
  • w5 w1 ? w4 28aed2a6 ? a0fafe17 88 54 2c b1
  • w6 w2?w5 abf71588?88542cb123 a3 39 39
  • w7w3 ?w6 09cf4f3c?23a339392a 6c 76 05

84
Important Considerations Round Key Generation
Algorithm
  • Knowledge of a part of the cipher key or less
    than Nk consecutive parts of a round key
    Insufficient for calculation of the key
  • Use of round constants to eliminate symmetries

85
AES Key Expansion Example
Calculation of the 9th round key
  • Example given the key for 8th round is
  • EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D
    29 2F
  • The Sub-key for the 8th round consists of w(32)
    to w(35). The
  • Sub-key for the 9th round consists of w(36) to
    w(39).
  • w(36) g w(35) ? w(32)
  • gw(35) (1B00 0000) ? subword (rotword(7F 8D
    29 2F))
  • (1B00 0000) ? subword (8D 29 2F 7F)
  • Now use S-Box
  • gw(35) (1B00 0000) ? (5D A5 15 D2)
  • 46 A5 15 D2
  • w(36) (46 A5 15 D2) ? (EA D2 73 21)
  • AC 77 66 F3

86
AES Key Expansion Example
Calculation of the 9th round key 2
  • w(37) w(36) ? w(33)
  • (AC 77 66 F3) ? (B5 8D BA D2)
  • 19 FA DC 21
  • w(38) w(37) ? w(34)
  • (19 FA DC 21) ? (31 2B F5 60)
  • 28 D1 29 41
  • w(39) w(38) ? w(35)
  • (28 D1 29 41) ? ( 7F 8D 29 2F)
  • 57 5C 00 6E
  • Key for the 9th round
  • AC 77 66 F3 19 FA DC 21 28 D1 29 41 57
    5C 00 6E

87
AES Decryption vs Encryption
  • Steps in AES decryption vs those in AES
    encryption
  • The steps for encryption and decryption
    processes are not identical (unlike the case for
    DES).
  • Moreover in each round, the steps are not in a
    similar sequence for encryption and decryption.
  • Each Round of Encryption
  • SubBytes ? ShiftRows ? MixColumns ? AddRoundkey
  • Each Round of Decryption
  • InvShiftRows ? InvSubBytes ? AddRoundkey ?
    InvMixColumns
  • Disadvantage AES requires 2 separate
    software/firmware systems for encryption and
    decryption

88
Methods for en/de-crypting larger amount of data,
by using only the AES Encryption process
  • Cipher Feedback (CFB) used over a reliable
    network layer for stream data encryption,
    authentication
  • Output Feedback (OFB) Can be used over noisy
    channels for bursty traffic aplications OFB
    requires that sender and receiver must remain in
    sync
  • Counter Mode (CTR) for high-speed network
    encryptions as in ATM or IPSec good for bursty
    high speed links

89
Sequence of Steps in a Round of Decryption
  • An equivalent inverse cipher with the same
    sequence ( but of inverse operation) of steps, as
    for encryption requires an additional step of
    InverseMixColumn on the Round Key, before the
    step of AddRoundKey ( except for the first and
    the last steps of AddRoundKey)
  • Reference Cryptography Network Security by
    William Stalling, Prentice Hall, 4th Ed ,Figure
    5.7, page 158.

90
  • Some tools may get the job done,
  • but they may not get the job
    done well
  • - Mike Shema et al,
    Anti-Hacker Toolkit,
  • pp xxiv, 3rd Ed,
    McGraw Hill, 2006

91
AES Implementation Aspects
  • can be efficiently implemented on 8-bit CPUs
  • byte substitution works on bytes using a S-box of
    256 entries
  • shift rows is simple byte shifting
  • add round key works on byte XORs
  • mix columns requires matrix multiply in GF(28)
    which works on byte values, can be simplified to
    use a table lookup

92
MixColumn 8-bit processor Implementation
  • Tmp Soj ? S1j ? S2j ? S3j
  • On putting the value of TMP and on replacing
  • 03.x 02.x ? x, the following 4
    equations are equivalent to the above MixColumn
    operation.
  • Soj Soj ? Tmp ? 2.(Soj ? S1j )
  • S1j S1j ? Tmp ? 2.(S1j ? S2j )
  • S2j S2j ? Tmp ? 2.(S2j ? S3j )
  • S3j S3j ? Tmp ? 2.(S3j ? S0j )

93
To ProveSoj Soj ? Tmp ? 2.(Soj ? S1j )
  • From the matrix equation in the previous slide,
  • Soj 02. Soj ? 03. S1j ? S2j ? S3j
  • We know 03. S1j 02. S1j ? S1j
  • RHS Soj ? Tmp ? 2.(Soj ? S1j )
  • Soj ? Soj ? S1j ? S2j ? S3j ? 2.(Soj ? S1j )
  • S1j ? S2j ? S3j ? 2.(Soj) ? 2. (S1j )
  • 2.(Soj) ? 03. S1j ? S2j ? S3j Soj LHS

94
MixColumn 8-bit processor Implementation2
  • 02.x requires (i) A left-shift if b7 0 OR
    (ii) A left-shift followed by XOR with 1b16 if b7
    1.
  • ? a timing attack.
  • SOLUTION
  • The 4 terms (Sij ? S((i1)mod4)j) for i 0 to
    3 can yield 256 different types of byte values.
  • Let X 02.Y where Y is a byte variable and
    can have any one of the 256 possible values. X is
    pre-calculated and stored in a 256-byte look-up
    table.
  • Soj Soj ? Tmp ? XSoj ? S1j
  • S1j S1j ? Tmp ? XS1j ? S2j
  • S2j S2j ? Tmp ? XS2j ? S3j
  • S3j S3j ? Tmp ? XS3j ? S0j

95
Implementation Aspects
  • can be efficiently implemented on 32-bit CPUs
  • redefine steps to use 32-bit words
  • can pre-compute 4 tables (Pl see page 159-160.)
  • Each 16x16 table Input of a byte Output of
    32 bits (1 KB of storage)
  • then each column in each round can be computed
    using 4 table lookups 4 XORs
  • at a cost of 4 KB to store tables
  • Joan Daemen and Vincent Rijmen believe This
    very efficient implementation a key factor in
    its selection as the AES cipher

96
Each Round of Rijndael
on Modern ProcessorsFor bj use a(0,j),
a(1,j-1), a(2,j-2) and a(3,j-3)
T1
T2
T3
T4
just (4 table-lookups and 4 XORS) per column and
per round Storage of 4 tables of 256 entries of
32 bits each. Each table Input of a byte Output
of 32 bits
97
Implementation Aspects .2
  • Most efficient on Itanium (64 bit machine)
  • Highest performer on limited processing power and
    limited memory devices twice as fast as the
    nearest rival from the 5 finalists (MARS, RC6,
    RIJNDAEL, SERPENT, TWOFISH)
  • Most efficient in feedback modes second best in
    CBC/ECB MODES

98
Implementation Aspects ...2
  • Throughput decreases by 20 and 40 on increase
    of key size from 128 to 192 and 256 respectively
  • If implemented in hardware in ECB (Electronic
    Code Book, where each block of 128 bits is sent
    separately after encryption) mode, speed matched
    only by SERPENT
  • Safety Margin 7 for 10 round case
  • (Safety Margin number of rounds, above which
    efficient attacks on the algorithm cannot be
    mounted and key-space exhaustion becomes the
    only way to crack it.)

99
Timing and Power Attacks
Some Facts
  • writing 1s consumes more power than for writing
    0s.
  • Table lookups in S-boxes, shifts, rotations, NOT,
    OR, AND, XOR
  • Not vulnerable to timing attacks
  • To avoid power attacks software balancing is
    required

100
Characteristics of Rijndael
  • symmetrical parallel structure
  • Gives implementers a lot of flexibility
  • has not allowed effective cryptanalytic attacks
  • Well adapted to modern processors
  • Pentium
  • RISC and parallel processors
  • Suited for Smart cards
  • Flexible in dedicated hardware
  • designed to resist known attacks

101
Misgivings about AES
  • AES (and Serpent) encryption can be written as a
    group of linear and quadratic equations in a
    finite field.
  • Mathematicians are trying to develop methods
    to solve such equations. (XSL, XL and FXL
    methods). If they succeed, the Encryption method
    will fail.
  • Due to Birthday and man-in-the-middle attack, for
    128 bit security, a key size of 256 bits is
    required. But AES is slower for 256 bit key.
    (Serpent has the same speed for all key sizes.
    Twofish is slower.)

102
Relative Performance
  • Fast
  • RC4 (Stream Cipher)
  • Blowfish, CAST-128, AES
  • Skipjack
  • DES, IDEA, RC2
  • 3DES, GOST
  • Typical speeds
  • RC4 Tens of MB/second
  • 3DES MB/second
  • Recommendations For performance, use Blowfish
    For job security, use 3DES

103
Advanced Encryption Standard Algorithm (Rijndael)
References
  • http//csrc.nist.gov/publications/fips/fips197/fip
    s-197.pdf
  • For historical information http//csrc.nist.gov/C
    ryptoToolkit/aes/
  • http//www.esat.kuleuven.ac.be/rijmen/rijndael/

104
Stream Cipher
  • Streaming Cipher encrypts data unit by unit,
    where a unit is of certain number of bits
    (Example If the unit be a bit, a stream cipher
    encrypts data unit by unit. Or if the unit be a
    byte, it encrypts byte by byte)
  • simpler and faster than block cipher but less
    secure
  • Two Modes of Stream Cipher
  • Synchronous Stream Cipher Sender uses a key to
    encrypt. Receiver uses the same key to decrypt.
  • Self-Synchronizing Stream Cipher The key stream
    generator (KSG) generates a key, which depends
    upon the original key and the cipher output.

105
Key Stream Generator (KSG)
Pseudorandom Byte Generator
Key
Stream of bytes
The stream of bytes cannot be determined, if the
Key is not known. The stream is
deterministic. The stream repeats after a long
chain of bits.
106
Self-Synchronizing Stream Cipher
  • Plaintext ?

Stream of bytes
Ciphertext
In a stream Cipher, a key must not be repeated.
107
Example of a Stream Cipher
  • RC4 A byte by byte encryption algorithm, used in
  • SSL (Secure socket Layer)
  • WEP (Wired Equivalent Privacy)
  • Developed in 1987 by Ron Rivest for RSA
  • Sept 1994 RC4 algorithm anonymously posted on
    Cypherpunks anonymous remailers list

108
RC4 Key and the Temporary Vector
  • Key 1 to 256 octets
  • First byte of Key K0 Second byte of key K1
  • No of bytes of key kbytes
  • A 256 byte Temporary vector T0 to T255
  • If kbytes 256, for i 0 to 255, Ti Ki
  • If kbytes lt 256, for i0 to 255,
  • Ti Ki mod kbytes

109
RC4 The State Vector
  • A 256 byte State vector S0 to S255
  • INITIALIZATION For i 0 to 255, Si i
  • Initial PERMUTATION of S j 0
  • For i 0 to 255,
  • j (j Si Ti)
    mod 256
  • Swap (Si and Sj).
  • After initial permutation, the key is not used.

110
Stream Encryption
  • mth byte of Plaintext Pm
  • i j 0 m 0
  • while (true)
  • i (i 1) mod 256
  • j (j Si) mod 256
  • swap (Si, Sj)
  • t (Si Sj) mod 256
  • k St
  • Cm Pm ? k
  • m m 1

111
Strength of RC4
  • For decryption, xor k with the next byte of
    ciphertext.
  • For a key length of 128 bits or more, RC4 is
    secure.
  • The weakness in WEP due to the weakness of the
    protocol for key generation ( not due to weakness
    in RC4).
  • Reference Fluhrer, S. Mantin, I. and Shamir,
    A. Weakness in the Key Scheduling Algorithm of
    RC4, Proceedings, Workshop in Selected Areas of
    Cryptography, 2001

112
Symmetric Key Ciphers
  • Symmetric key ciphers efficient, secure
  • Problem How to share a key securely between the
    sender and the receiver?
  • If 100 persons want to send message securely to
    one another ? 4950 different keys are required
    (Reference Niels Ferguson and Bruce Schneier ,
    Practical Cryptography, Wiley 2003)
About PowerShow.com