Advanced Encryption Standard (AES) - fbi · Advanced Encryption Standard (AES) ... How to apply the...

Harald Baier Cryptography h_da, Summer Term 2010 35

Advanced Encryption Standard (AES)

● NIST announcement in 1997 with requirements:

Symmetric block cipher

Block length: 128 bits (P = C = {0,1}^128)

Key lengths: 128, 192, 256 bits (K = {0,1}^128, ...)

At least as secure as Triple-DES, but more efficient

To be used until about 2030

Data protection until 2100

Free of licences

● The winner: Rijndael (FIPS PUB 197, November 2001)

AES cipher: Pseudocode

Cipher(byte in[16], byte out[16], key_array round_key[Nr+1])
begin
    byte state[16];
    state = in;
    AddRoundKey(state, round_key[0]);

    for i = 1 to Nr-1 stepsize 1 do
        SubBytes(state);
        ShiftRows(state);
        MixColumns(state);
        AddRoundKey(state, round_key[i]);
    end for

    SubBytes(state);
    ShiftRows(state);
    AddRoundKey(state, round_key[Nr]);
    out = state;
end

AES function SubBytes()

● S-Box of Rijndael:

Permutation of bits in a byte (i.e. on a set of 256 elements)

Guarantees non-linearity of Rijndael

● Applied to every byte s_{i,j} of the current state

Source: FIPS PUB 197

How to apply the AES S-box

● Write the byte s_{i,j} as a bit string: b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0

● Index of the row: x = 8·b_7 + 4·b_6 + 2·b_5 + b_4

● Index of the column: y = 8·b_3 + 4·b_2 + 2·b_1 + b_0

● Write x and y in hexadecimal

● Substitute s_{i,j} by the S-box element in the x-th row and y-th column
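The Cipher() pseudocode and the S-box lookup procedure above, as an added Python example (not taken from the slides or from FIPS PUB 197). It covers AES-128 only and computes the S-box from the GF(2^8) inverse and affine map instead of copying the table; the function names and the sample byte 0x53 are choices made for this example.

```python
# Added example, not from the slides: AES-128 (Nr = 10) following Cipher().
def xtime(a):                      # multiply by x in GF(2^8), modulus 0x11B
    return ((a << 1) ^ 0x11B) if a & 0x80 else a << 1

def gmul(a, b):                    # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _sbox_entry(v):                # field inverse (0 maps to 0), then affine map
    inv = next((c for c in range(1, 256) if gmul(v, c) == 1), 0)
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
SBOX = [_sbox_entry(v) for v in range(256)]   # 16x16 table stored row by row

def sbox_lookup(byte):             # row x from b7..b4, column y from b3..b0
    x, y = byte >> 4, byte & 0x0F
    return x, y, SBOX[16 * x + y]  # sbox_lookup(0x53) -> (5, 3, 0xED)

def expand_key(key):               # 16-byte key -> 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:             # RotWord, SubWord, XOR round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def cipher(block, round_key, nr=10):   # state[r + 4*c] is row r, column c
    add = lambda s, k: [a ^ b for a, b in zip(s, k)]                # AddRoundKey
    state = add(list(block), round_key[0])
    for i in range(1, nr + 1):
        state = [SBOX[b] for b in state]                            # SubBytes
        state = [state[(j + 4 * (j % 4)) % 16] for j in range(16)]  # ShiftRows
        if i < nr:                                   # MixColumns, skipped in round Nr
            state = [gmul(2, state[4 * c + r]) ^ gmul(3, state[4 * c + (r + 1) % 4])
                     ^ state[4 * c + (r + 2) % 4] ^ state[4 * c + (r + 3) % 4]
                     for c in range(4) for r in range(4)]
        state = add(state, round_key[i])
    return bytes(state)

def demo():                        # key and plaintext from FIPS PUB 197, Appendix C.1
    plaintext = bytes.fromhex("00112233445566778899aabbccddeeff")
    return cipher(plaintext, expand_key(bytes(range(16)))).hex()
```

Table lookups indexed by secret bytes, as in this sketch, are not constant-time; production code should rely on a vetted AES implementation.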

The AES S-box

Source: FIPS PUB 197

Application of the AES S-box: Example

● Input: 10011110

● Application of the S-box:

Index of the row: x = ________

Index of the column: y = ________

● Output: Bitstring ___________

Asymmetric Encryption

[Figure, labels only: Alice, Bob; plaintext document, encrypt with encryption key e (public key), ciphertext, decrypt with decryption key d (private key), plaintext document; public key ≠ private key: asymmetric]

The invention of RSA

April 1977: Factorisation problem (first ARS, then RSA)

Ron Rivest (ideas), Adi Shamir (ideas), Leonard Adleman (review)

1978: "A method for obtaining digital signatures and public key cryptosystems"

RSA: Encryption and related problems

● Encryption: c ≡ m^e mod n (m is the plaintext)

● Decryption: m ≡ c^d mod n (c is the ciphertext)

● RSA problem:

Given a ciphertext c and a public key (n, e), compute m such that c ≡ m^e mod n

Mathematical formulation: Compute an e-th root mod n

● Factorisation problem (in the context of RSA):

Given a natural number n composed of two primes p and q, compute p and q.

Security of RSA

● Attacker is able to decrypt (or sign), if he knows d

Computation of d is today done via (p-1)·(q-1)

He proceeds as follows:

1. Attacker factors n, i.e. he computes p and q

2. He determines d ≡ e^(-1) mod ((p-1)·(q-1)) using the extended Euclidean algorithm

● Consequence:

Attacker can solve the factorisation problem ==> Attacker can solve the RSA problem

RSA problem is at most as difficult as factorisation problem

Suggested bit length of n: 2,048 – 4,096
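The two attacker steps on this slide, as an added Python example (not from the lecture). The primes 61 and 53, e = 17 and the message 65 are constructed toy values, and trial division stands in for a real factoring method, which is why the recovery only works at this key size.

```python
# Added example, not from the slides; all numbers are constructed toy values.
from math import isqrt

def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def private_exponent(e, p, q):
    """d = e^(-1) mod ((p-1)*(q-1)), the second step on the slide."""
    phi = (p - 1) * (q - 1)
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not invertible modulo (p-1)*(q-1)")
    return s % phi

def factor(n):
    """Trial division; the loop length grows with sqrt(n), so it is hopeless at 2,048 bits."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no non-trivial factor found")

def recover_plaintext(c, n, e):
    """Factor n, derive d, decrypt c: knowing p and q is enough to solve the RSA problem."""
    p, q = factor(n)
    return pow(c, private_exponent(e, p, q), n)

def demo():
    n, e, m = 61 * 53, 17, 65          # toy public key (n, e) and message m
    c = pow(m, e, n)                   # encryption: c = m^e mod n
    return recover_plaintext(c, n, e)  # returns m without ever being given d
```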

Which RSA numbers are factored?

Example: RSA-768

1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413

=

33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 * 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917

Factorisation started in August 2007 and ended on December 12, 2009

Partners: EPFL, NTT, Uni Bonn, INRIA, Microsoft Research, CWI

RSA challenge

Challenge Number  Award    Status        Submission due to  Presenting party        Method
RSA-530           5,000    Factored      March 2003         Uni Bonn, BSI           GNFS
RSA-576           10,000   Factored      December 2003      Uni Bonn, BSI           GNFS
RSA-640           20,000   Factored      November 2005      Uni Bonn, BSI           GNFS
RSA-663           20,000   Factored      May 2005           Uni Bonn, CWI, BSI      GNFS
RSA-704           30,000   Not factored
RSA-768           50,000   Factored      No submission      EPFL (and others)       GNFS
RSA-1024          100,000  Not factored

Source (parts): www.rsa.com (Challenge is closed since 2007.)

Message Authentication Code

[Figure, labels only: Alice, Bob; document, signing with signature key d (secret), signature, verification with verification key e (secret), valid / invalid; signature key = verification key: Message Authentication Code (MAC)]

Asymmetric electronic signature (without hash function)

[Figure, labels only: Alice, Bob; document, signing with signature key d (private key), signature, verification with verification key e (public key), valid / invalid; private key ≠ public key: electronic signature]

Security Goals vs. Cryptographic Techniques: Overview

● Message Authentication Code (MAC):

Authenticity, integrity

● Electronic Signature (= asymmetric signature):

Authenticity, integrity, non-repudiation

● Encryption:

Confidentiality

Kerckhoffs' Assumption

● Publish all details of a cryptographic algorithm:

Encryption scheme:
  - Publish encryption and decryption function
  - Confidentiality of plaintext only depends on the secrecy of the private key

Signature algorithm:
  - Publish signature generation and verification function
  - Non-forgery of a signature only depends on the secrecy of the private key (i.e. the signature generation key)

● Enables brute-force attack

● Public review process vs. non-disclosed algorithms (security by obscurity)