Applied Cryptography

Example: AES

Advanced Encryption Standard

"It seems very simple."

"It is very simple. But if you don't know what the key is it's virtually indecipherable."

— Talking to Strange Men, Ruth Rendell

Origins

• clear a replacement for DES was needed
  - have theoretical attacks that can break it
  - have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001

AES Requirements

• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions & unclassified analyses

AES Evaluation Criteria

• initial criteria:
  - security – effort for practical cryptanalysis
  - cost – in terms of computational efficiency
  - algorithm & implementation characteristics
• final criteria:
  - general security
  - ease of software & hardware implementation
  - implementation attacks
  - flexibility (in en/decrypt, keying, other factors)

AES Shortlist

• after testing and evaluation, shortlist in Aug-99:
  - MARS (IBM) - complex, fast, high security margin
  - RC6 (USA) - v. simple, v. fast, low security margin
  - Rijndael (Belgium) - clean, fast, good security margin
  - Serpent (Euro) - slow, clean, v. high security margin
  - Twofish (USA) - complex, v. fast, high security margin
• then subject to further analysis & comment
• saw contrast between algorithms with
  - few complex rounds versus many simple rounds
  - which refined existing ciphers versus new proposals

The AES Cipher - Rijndael

• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data (3 cases need 9/11/13 rounds)
• an iterative rather than Feistel cipher
  - processes data as block of 4 columns of 4 bytes
  - operates on entire data block in every round
• designed to be:
  - resistant against known attacks
  - speed and code compactness on many CPUs
  - design simplicity

Rijndael

• data block of 4 columns of 4 bytes is state
• key is expanded to array of words (32 bits)
• has 9/11/13 rounds in which state undergoes:
  - byte substitution (1 S-box used on every byte)
  - shift rows (permute bytes between groups/columns)
  - mix columns (subs using matrix multiply of groups)
  - add round key (XOR state with key material)
  - view as alternating XOR key & scramble data bytes
• initial XOR key material & incomplete last round
• with fast XOR & table lookup implementation

Rijndael (figure)

1. Byte Substitution

• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits)
  - eg. byte {95} is replaced by byte in row 9 column 5
  - which has value {2A}
• S-box constructed using defined transformation of values in GF(2^8)
• designed to be resistant to all known attacks

Byte Substitution (figure)

2. Shift Rows

• a circular byte shift in each row
  - 1st row is unchanged
  - 2nd row does 1 byte circular shift to left
  - 3rd row does 2 byte circular shift to left
  - 4th row does 3 byte circular shift to left
• decrypt inverts using shifts to right
• since state is processed by columns, this step permutes bytes between the columns

Shift Rows (figure)

3. Mix Columns

• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8)
  - using prime poly m(x) = x^8 + x^4 + x^3 + x + 1

Mix Columns (figure)

Mix Columns

• can express each col as 4 equations
  - to derive each new byte in col
• decryption requires use of inverse matrix
  - with larger coefficients, hence a little harder
• have an alternate characterization
  - each column a 4-term polynomial
  - with coefficients in GF(2^8)
  - and polynomials multiplied modulo (x^4 + 1)

4. Add Round Key

• XOR state with 128-bits of the round key
• again processed by column (though effectively a series of byte operations)
• inverse for decryption identical
  - since XOR own inverse, with reversed keys
• designed to be as simple as possible
  - a form of Vernam cipher on expanded key
  - requires other stages for complexity / security

Add Round Key (figure)

AES Round (figure)

5. AES Key Expansion

• takes 128-bit (16-byte) key and expands into array of 44 words (each word has 4 bytes)
• start by copying key into first 4 words
• then loop creating words that depend on values in previous & 4 places back
  - in 3 of 4 cases just XOR these together
  - 1st word in 4 has rotate + S-box + XOR round constant on previous, before XOR 4th back

AES Key Expansion (first 8 words generation procedure) (figure)

Key Expansion Rationale

• designed to resist known attacks
• design criteria included
  - knowing part key insufficient to find many more
  - invertible transformation
  - fast on wide range of CPUs
  - use round constants to break symmetry
  - diffuse key bits into round keys
  - enough non-linearity to hinder analysis
  - simplicity of description

AES Decryption

• AES decryption is not identical to encryption since steps done in reverse
• but can define an equivalent inverse cipher with steps as for encryption
  - but using inverses of each step
  - with a different key schedule
• works since result is unchanged when
  - swap byte substitution & shift rows
  - swap mix columns & add (tweaked) round key

AES Decryption (figure)

Implementation Aspects

• can efficiently implement on 8-bit CPU
  - byte substitution works on bytes using a table of 256 entries
  - shift rows is simple byte shift
  - add round key works on byte XORs
  - mix columns requires matrix multiply in GF(2^8) which works on byte values, can be simplified to use table lookups & byte XORs

Implementation Aspects

• can more efficiently implement on 32-bit CPU
  - redefine steps to use 32-bit words
  - can precompute 4 tables of 256-words
  - then each column in each round can be computed using 4 table lookups + 4 XORs
  - at a cost of 4Kb to store tables
• designers believe this very efficient implementation was a key factor in its selection as the AES cipher

Triple-DES with Three-Keys

• although there are no practical attacks on two-key Triple-DES, have some indications
• can use Triple-DES with Three-Keys to avoid even these
  - C = E_K3(D_K2(E_K1(P)))
• has been adopted by some Internet applications, eg PGP, S/MIME

Modes of Operation

• block ciphers encrypt fixed size blocks
  - eg. DES encrypts 64-bit blocks with 56-bit key
• need some way to en/decrypt arbitrary amounts of data in practice
• ANSI X3.106-1983 Modes of Use (now FIPS 81) defines 4 possible modes
• subsequently 5 defined for AES & DES
• have block and stream modes

Electronic Codebook Book (ECB)

• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
  - C_i = DES_K1(P_i)
• uses: secure transmission of single values

Electronic Codebook Book (ECB) (figure)

Advantages and Limitations of ECB

• message repetitions may show in ciphertext
  - if aligned with message block
  - particularly with data such as graphics
  - or with messages that change very little, which become a code-book analysis problem
• weakness is due to the encrypted message blocks being independent
• main use is sending only a few blocks of data

Cipher Block Chaining (CBC)

• message is broken into blocks
• linked together in encryption operation
• each previous cipher block is chained with current plaintext block, hence name
• use Initial Vector (IV) to start process
  - C_i = DES_K1(P_i XOR C_{i-1})
  - C_{-1} = IV
• uses: bulk data encryption, authentication

Cipher Block Chaining (CBC) (figure)

Message Padding

• at end of message must handle a possible last short block
  - which is not as large as blocksize of cipher
  - pad either with known non-data value (eg nulls)
  - or pad last block along with count of pad size
    • eg. [ b1 b2 b3 0 0 0 0 5]
    • means have 3 data bytes, then 5 bytes pad+count
• this may require an extra entire block over those in message
• there are other, more esoteric modes, which avoid the need for an extra block

Advantages and Limitations of CBC

• a ciphertext block depends on all blocks before it
• any change to a block affects all following ciphertext blocks
• need Initialization Vector (IV)
  - which must be known to sender & receiver
  - if sent in clear, attacker can change bits of first block, and change IV to compensate
  - hence IV must either be a fixed value (as in EFTPOS) or must be sent encrypted in ECB mode before rest of message

Cipher FeedBack (CFB)

• message is treated as a stream of bits
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8, 64 or 128 etc) to be fed back
  - denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• most efficient to use all bits in block (64 or 128)
  - C_i = P_i XOR DES_K1(C_{i-1})
  - C_{-1} = IV
• uses: stream data encryption, authentication

Cipher FeedBack (CFB) (figure)

Advantages and Limitations of CFB

• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block encryption after every n-bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error

Output FeedBack (OFB)

• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name)
• feedback is independent of message
• can be computed in advance
  - C_i = P_i XOR O_i
  - O_i = DES_K1(O_{i-1})
  - O_{-1} = IV
• uses: stream encryption on noisy channels

Output FeedBack (OFB) (figure)

Advantages and Limitations of OFB

• bit errors do not propagate
• more vulnerable to message stream modification
• a variation of a Vernam cipher
  - hence must never reuse the same sequence (key+IV)
• sender & receiver must remain in sync
• originally specified with m-bit feedback
• subsequent research has shown that only full block feedback (ie OFB-64 or OFB-128) should ever be used

Counter (CTR)

• a "new" mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
  - C_i = P_i XOR O_i
  - O_i = DES_K1(i)
• uses: high-speed network encryption

Counter (CTR) (figure)
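The five modes from the Modes of Operation slides (ECB, CBC, CFB, OFB, CTR), with the count-padding scheme from the Message Padding slide, written over a stand-in block cipher so that the properties the slides list (ECB repetition, CBC chaining, keystream modes, error propagation after a corrupted ciphertext block) can be observed directly. Added example, not from the slides; `toy_block` is an assumed placeholder permutation (a 4-round Feistel on SHA-256) used only so the modes run offline, and is neither AES nor DES nor secure.

```python
import hashlib

BS = 16   # block size in bytes of the stand-in cipher (same as AES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, block, decrypt=False):
    """Assumed stand-in for E_K / D_K: a 4-round Feistel permutation on 16 bytes with
    a SHA-256 round function. A placeholder so the modes run offline; it is NOT AES."""
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def pad(msg):
    """Zero bytes then a count byte, as on the slide: [b1 b2 b3 0 0 0 0 5]. A message
    that already fills its last block gets a whole extra block of padding."""
    n = BS - len(msg) % BS
    return msg + bytes(n - 1) + bytes([n])

def unpad(msg):
    n = msg[-1]
    if not 1 <= n <= BS or msg[-n:] != bytes(n - 1) + bytes([n]):
        raise ValueError("bad padding")
    return msg[:-n]

def ecb_encrypt(key, pt):                  # C_i = E_K(P_i): blocks are independent
    return b"".join(toy_block(key, p) for p in blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_block(key, c, True) for c in blocks(ct)))

def cbc_encrypt(key, iv, pt):              # C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV
    out, prev = [], iv
    for p in blocks(pad(pt)):
        prev = toy_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):              # P_i = D_K(C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_block(key, c, True), prev))
        prev = c
    return unpad(b"".join(out))

def cfb(key, iv, data, decrypt=False):     # CFB-128: C_i = P_i XOR E_K(C_{i-1}); no padding
    out, prev = [], iv
    for x in blocks(data):
        y = xor(x, toy_block(key, prev))
        out.append(y)
        prev = x if decrypt else y         # the ciphertext block is what is fed back
    return b"".join(out)

def ofb(key, iv, data):                    # O_i = E_K(O_{i-1}); keystream independent of data
    out, o = [], iv
    for x in blocks(data):
        o = toy_block(key, o)
        out.append(xor(x, o))
    return b"".join(out)

def ctr(key, nonce, data):                 # O_i = E_K(nonce || i); each counter value used once
    return b"".join(xor(x, toy_block(key, nonce + i.to_bytes(8, "big")))
                    for i, x in enumerate(blocks(data)))

if __name__ == "__main__":
    key, iv = b"k" * 16, b"i" * 16        # constructed sample values, not real keys
    two_equal_blocks = b"A" * 32
    ecb, cbc = ecb_encrypt(key, two_equal_blocks), cbc_encrypt(key, iv, two_equal_blocks)
    print("ECB repeats:", ecb[:16] == ecb[16:32], " CBC repeats:", cbc[:16] == cbc[16:32])
```

Flipping one bit of the first ciphertext block and decrypting shows the slides' propagation claims: CBC garbles P_0 and flips the same bit in P_1, CFB flips the bit in P_0 and garbles P_1, OFB and CTR flip only that one bit.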