The document discusses the Advanced Encryption Standard (AES) algorithm known as Rijndael. It describes the key components of AES including its variable block and key sizes, operations at the byte level using Galois fields, addition and multiplication polynomials, and the round transformation layers consisting of byte substitution, shifting rows, mixing columns, and adding the round key. The document also covers the AES key schedule for expanding the cipher key and selecting round keys.
University of South Florida, Spring 2003
Class 4 - Asymmetric ciphers

AES (Rijndael)
• Rijndael is an iterated block cipher with a variable block length and a variable key length.
  – The block length and the key length can be independently specified to 128, 192, or 256 bits.
• Several operations in Rijndael are defined at byte level, with bytes representing elements in the finite Galois field GF(2^8), which corresponds to the eight bits in a byte.
  – Other operations are defined in terms of four-byte words.
CIS 4930-902 - Computer Security - University of South Florida
Spring, 2003 - Jeremy Rasmussen, CISSP

AES (Rijndael)
• Addition corresponds with the simple bit-wise XOR at the byte level.
• In the polynomial representation, multiplication in GF(2^8) corresponds with multiplication of polynomials modulo an irreducible binary polynomial of degree 8.
  – A polynomial is irreducible if it has no divisors other than 1 and itself.
  – See Stallings, pgs. 143-164
AES (Rijndael)
• For Rijndael, this irreducible polynomial is called m(x) and given by:
  – m(x) = x^8 + x^4 + x^3 + x + 1, or
  – '11B' in hexadecimal representation
• The result of the multiplication will be a binary polynomial of degree below 8.
  – Unlike addition, there is no simple operation for this at the byte level.
AES (Rijndael)
• The round transformation of Rijndael does not have a Feistel structure.
• Instead, the round transformation is composed of three distinct invertible uniform transformations, called layers.
  – "Uniform" here means that every bit of the State is treated in a similar way.
AES - Layers
• Linear mixing layer: guarantees high diffusion over multiple rounds.
• Non-linear layer: uses parallel application of non-linear S-boxes.
• Key addition layer: simple XOR of the Round Key to the intermediate State.
AES - Round
• A round is composed of four different transformations. In pseudo C notation these are as follows:

    Round(State,RoundKey)
    {
        ByteSub(State);
        ShiftRow(State);
        MixColumn(State);
        AddRoundKey(State,RoundKey); // XORing the Round Key to the State
    }

AES - Round
• The final round of the cipher is slightly different. It is defined by:
AES - Round
• In this notation, the "functions" (Round, ByteSub, ShiftRow, ...) operate on arrays pointed to by the State and RoundKey parameters.
• The ByteSub transformation is a non-linear byte substitution, operating on each of the State bytes independently.
• In ShiftRow, the rows of the State are cyclically shifted over different offsets.

AES - Round
• In MixColumn, the columns of the State are considered as polynomials over GF(2^8) and multiplied modulo x^4 + 1 with a fixed polynomial c(x), given by:
• c(x) = '03' x^3 + '01' x^2 + '01' x + '02'
  – This polynomial is coprime to x^4 + 1 and therefore invertible.
AES - Key Schedule
• Round Keys are derived from the Cipher Key by means of a key schedule.
• The key schedule has two components:
  – Key Expansion and
  – Round Key Selection.
• The total number of Round Key bits is equal to the block length multiplied by (the number of rounds plus 1).
  – For example, for a block length of 128 bits and 10 rounds, 1408 Round Key bits are needed.

AES - Key Schedule
• The Cipher Key is expanded into an Expanded Key.
• Round Keys are taken from this Expanded Key in the following way:
  – The first Round Key consists of the first Nb words
    • (Nb = block length in words)
  – The second one consists of the following Nb words
  – And so on...
AES - putting it all together
• The cipher consists of: an initial Round Key addition, Nr-1 Rounds, and a final round.
• In pseudo C code:

    Rijndael(State,CipherKey)
    {
        KeyExpansion(CipherKey,ExpandedKey);
        AddRoundKey(State,ExpandedKey);
        For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i);
        FinalRound(State,ExpandedKey + Nb*Nr);
    }
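The pieces from the preceding slides (GF(2^8) arithmetic modulo m(x), the irreducibility test, ByteSub, ShiftRow, MixColumn with c(x), the key schedule and the Round/FinalRound structure) assembled into a working AES-128 encryption, as an added example that is not part of the lecture or of the Rijndael reference code. It assumes Nb = Nk = 4 and Nr = 10; the FinalRound body, which the slide leaves out, is the one from FIPS-197 (ByteSub, ShiftRow, AddRoundKey, no MixColumn); the inverse MixColumn polynomial d(x) is taken from FIPS-197 only to demonstrate that c(x) is invertible modulo x^4 + 1; all function names are mine.

```python
"""AES-128 (Rijndael with Nb = 4, Nk = 4, Nr = 10) built from the pieces on the
slides: GF(2^8) arithmetic modulo m(x) = 0x11B, the ByteSub S-box, ShiftRow,
MixColumn with c(x), the key schedule and the round structure. Added teaching
example, not the course's or NIST's code. The State is a 16-byte list filled
column by column: byte (row r, column c) sits at index r + 4*c."""

MX = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1; addition in GF(2^8) is plain XOR

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reducing modulo m(x)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:            # degree reached 8: subtract (XOR) m(x)
            a ^= MX
        b >>= 1
    return p

def gf2_is_irreducible(m, deg):
    """Brute force: m (degree deg) has no divisor of degree 1..deg//2."""
    for d in range(2, 1 << (deg // 2 + 1)):
        r = m
        while r and r.bit_length() >= d.bit_length():
            r ^= d << (r.bit_length() - d.bit_length())
        if r == 0:
            return False
    return True

def gf_inv(a):
    """a^254 == a^-1 in GF(2^8) because a^255 == 1 (0 maps to 0)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def _affine(v):                  # the fixed affine map of ByteSub
    s = v
    for k in range(1, 5):
        s ^= ((v << k) | (v >> (8 - k))) & 0xFF
    return s ^ 0x63

SBOX = [_affine(gf_inv(x)) for x in range(256)]

C_X = (0x02, 0x01, 0x01, 0x03)   # c(x) = '03'x^3 + '01'x^2 + '01'x + '02', low coefficient first
D_X = (0x0E, 0x09, 0x0D, 0x0B)   # c(x)^-1 modulo x^4 + 1 (FIPS-197 InvMixColumns)

def poly_mul_mod(a, b):
    """Product of two 4-term polynomials over GF(2^8) modulo x^4 + 1 (x^4 == 1)."""
    out = [0] * 4
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gf_mul(a[i], b[j])
    return out

def mix_column(col):     return poly_mul_mod(list(col), C_X)
def inv_mix_column(col): return poly_mul_mod(list(col), D_X)
def byte_sub(s):         return [SBOX[b] for b in s]
def add_round_key(s, rk): return [a ^ b for a, b in zip(s, rk)]

def shift_row(s):
    """Row r is rotated left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    return [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4])]

def key_expansion(key):
    """Expand the 16-byte Cipher Key into (Nr + 1) * Nb = 44 words (1408 bits)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # SubWord(RotWord(temp))
            temp[0] ^= rcon
            rcon = gf_mul(rcon, 0x02)                      # next round constant
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return [b for word in w for b in word]

def round_key(ek, i):    # Round Key i = words Nb*i .. Nb*i + Nb - 1 of the Expanded Key
    return ek[16 * i:16 * i + 16]

def aes_round(state, rk):
    return add_round_key(mix_columns(shift_row(byte_sub(state))), rk)

def final_round(state, rk):      # FinalRound: Round without MixColumn (FIPS-197)
    return add_round_key(shift_row(byte_sub(state)), rk)

def rijndael_encrypt(block, key, nr=10):
    """Initial Round Key addition, Nr-1 Rounds, then the final round."""
    ek = key_expansion(key)
    state = add_round_key(list(block), round_key(ek, 0))
    for i in range(1, nr):
        state = aes_round(state, round_key(ek, i))
    return bytes(final_round(state, round_key(ek, nr)))
```

Checking the output against the published FIPS-197 test vectors (key 000102...0e0f, plaintext 00112233...eeff, ciphertext 69c4e0d8...c55a) is the practical way to validate any hand-written cipher; an implementation that merely decrypts its own output proves nothing. Table-driven code like this also runs in data-dependent time (the SBOX lookups and the gf_mul loop), which is one reason production implementations use hardware AES instructions or bitsliced constructions rather than code of this shape.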
AES - decryption
• Since Rijndael is invertible, the decryption process just reverses the steps described.
AES - Links
• For more information on AES (Rijndael):
  – Rijndael home page: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
  – NIST AES home page: http://csrc.nist.gov/encryption/aes/
  – Schneier Crypto-Gram page on a possible crack of Rijndael: http://www.counterpane.com/crypto-gram-0209.html#1
Public Key Cryptography
Crypto Key Management
• The longer a cryptographic variable (or key) is used, the more likely it is to be compromised
  – Successful attack
  – More likely: stolen or coerced
• Keys must be produced, distributed, and held in secret; destroyed after use
• Public key cryptography: a means of distributing secret keys
Public key cryptography
• Introduced by Diffie & Hellman in 1976 (NSA probably using it prior to this)
• Assume we have two integer functions, E and D, that operate on messages (or integers), M.
Public key cryptography
• Make the following assumptions:
  1. D(E(M)) = M
  2. E(D(M)) = M
  3. Given E, it is not possible to determine D
  4. Given D, it is not possible to determine E
• Each person has a pair of functions that satisfies the above conditions
• Each person makes his E function public, but keeps his D function secret
Public key cryptography
• When person A wants to send a message M to person B:
  – A looks up EB in a published list and computes EB(M).
  – By property (1) stated above: DB(EB(M)) = M, so B can decrypt the message
  – By property (3) stated above: no one else can figure out DB, so only B can read it
Signing a message
• If A wants to send a message M to B, and the identity of A is important to prove, but A doesn't care if anyone else sees the contents, then:
  – A computes DA(M) [digital signature]
  – Sends DA(M) along with M to B
  – B looks up A's public function EA, uses it to decrypt: EA(DA(M)) = M, compares this with M, and if the two match, B can be sure M came from A
Signing a message
• Note that the likelihood of producing a fictitious X such that EA(X) = M is infinitesimally small
Signing a secret message
• A computes a signature S = DA(M)
• A concatenates this to message M to form M, S
• A then encrypts both the message and signature using B's public key, EB(M, S), and sends to B
• B applies his private function: DB(EB(M, S)) = M, S
• B then computes EA(S) = EA(DA(M)) = M and compares it to the decrypted message M; if they match he knows A sent the message
Signing a secret message
• Note that signing a message could be a very long process if the message is large; so, alternately, A could compute a one-way hash of the message before sending.
• A hash is a function that returns a fixed-sized value for an arbitrarily large message; it also has these characteristics:
  – Given M, it's easy to compute h = H(M)
  – Given h, it's hard to compute M such that H(M) = h
  – Given M, it's hard to find another message M' such that H(M) = H(M')
Signing a secret message
• A computes the message digest (one-way hash): MD = H(M)
• A computes the signature S = DA(MD)
• A concatenates this to message M and message digest MD to form M, MD, S
• A then encrypts both the message and signature using B's public key, EB(M, S), and sends to B (the message digest may or may not be encrypted)
• B applies his private function: DB(EB(M, S)) = M, S
• B then computes EA(S) = EA(DA(MD)) = MD and compares it to the included MD; if they match he knows A sent the message
Public key functions
• Do such functions really exist to meet conditions 1, 2, 3, and 4 mentioned previously?
• Yes, if we relax conditions 3 and 4.
• It need only be computationally infeasible to recover D from E (and vice versa)
• Such functions do exist. One is the RSA algorithm, named for developers Rivest, Shamir, and Adleman
Description of RSA
• Take two large prime numbers, p and q
• By large, we mean hundreds of digits (only very large numbers make it computationally infeasible to meet conditions 3 and 4)
• Prime number: has no divisors but itself and 1; all are odd (except 2)
• Define a number n as the product of p and q:
  – n = pq
• Define another number t as:
  – t = (p-1)(q-1)
Description of RSA
• Example: let p = 3 and q = 7
  – These are not large primes, but the concept is the same
  – Then, n = 21, and t = 12
  – Next step in the RSA algorithm: select a number e that has no common divisors with t
    • Can't take 1, 2, 3, or 4; how about 5
  – Next step: find an integer d such that ed-1 is evenly divisible by t [denoted as "ed = 1 mod t"]
    • Try 1: (5*1)-1 / 12; no
    • Try 2: (5*2)-1 / 12; no
    • Try 3: (5*3)-1 / 12; no
    • Try 4: (5*4)-1 / 12; no
    • Try 5: (5*5)-1 / 12; yes [Note that e and d are not often the same as they are in our example]
Description of RSA
• OK, now the numbers d, p, and q are all kept secret
• They are used to create the user's secret D function
• The numbers e and n are not secret; they are used to create the public E function
• e is usually called the public key
• d is usually called the secret key
• n is called the modulus
• Once p and q are used to produce n and t, they are no longer needed, but they should be destroyed and not made public
Description of RSA
• To encrypt the message, you convert the message into a string of integers m1, m2, ... all smaller than n. You then compute: ci = E(mi) = mi^e mod n
• That is, you raise mi to the e-th power and then divide by n.
• The remainder is ci = E(mi).
• In our example, we suppose that m1 = 9. Thus, we compute: c1 = 9^5 mod 21 = 59049 mod 21
• 59049 = 2811 * 21 + 18; thus c1 = 18
Description of RSA
• The decryption function is D(ci) = ci^d mod n
• So, in our example: 18^d mod n = 18^5 mod 21 = 1889568 mod 21
• 1889568 = 89979 * 21 + 9; thus D(18) = 9, the message we started with
• To demonstrate that the decryption function always works to decrypt the message (i.e., properties 1 and 2 above) requires a result from number theory: Euler's generalization of Fermat's Little Theorem
Description of RSA
• The security of RSA depends on the resistance of n to being factored
• If one can factor n into its prime factors, p and q, then one can compute t, then easily find d
• So, it's important to select p and q such that it's not likely anyone can factor n
• In 1983, the best factoring algorithm on the best computers could factor a number of about 71 decimal (235 binary) digits
• By 1994, 129 digits (428 bits) were being factored
Description of RSA
• Current implementations of RSA generate p and q on the order of 256 to 1024 bits, so n is about 512 to 2048 bits.
• Attacking RSA by factoring the modulus n is a form of algebraic attack
• An algebraic attack reduces the search space of a brute-force attack
• Factoring a number, n, takes at most on the order of square root of n calculations, or about 10^50 for a 100-digit number
  – While still a very large number, it is a vast improvement over brute force
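The RSA walk-through from the slides above, carried through in code as an added example (not the lecture's own code): the toy key from p = 3, q = 7, e = 5 with the slide's trial search for d, encryption of m1 = 9 and its decryption, the hash-then-sign scheme of the "Signing a secret message" slides, and a trial-division factoring of the modulus showing how recovering p and q yields t and then d. The larger primes 104729 and 1299709 used in the test are constructed for the demonstration; the digest is SHA-256 reduced modulo n, a stand-in for the hash H on the slides. This is textbook RSA with no padding, so it shows the arithmetic only.

```python
"""Textbook RSA with the slides' numbers (p = 3, q = 7, e = 5, m1 = 9), plus
hash-then-sign and a factoring demonstration. Added teaching example, not the
lecture's own code; no padding is applied, so this shows the arithmetic only."""
import hashlib

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def find_d(e, t):
    """d with e*d == 1 (mod t): the 'ed = 1 mod t' step, done with Euclid."""
    g, x, _ = egcd(e, t)
    if g != 1:
        raise ValueError("e must have no common divisor with t")
    return x % t

def find_d_by_trial(e, t):
    """The slide's search: try d = 1, 2, ... until e*d - 1 is evenly divisible by t."""
    for d in range(1, t):
        if (e * d - 1) % t == 0:
            return d
    raise ValueError("no d exists: e and t share a divisor")

def keygen(p, q, e):
    """n = pq, t = (p-1)(q-1); public key (e, n), secret key (d, n)."""
    n, t = p * q, (p - 1) * (q - 1)
    return (e, n), (find_d(e, t), n)

def encrypt(m, pub):            # c = E(m) = m^e mod n, requires m < n
    e, n = pub
    return pow(m, e, n)

def decrypt(c, priv):           # m = D(c) = c^d mod n
    d, n = priv
    return pow(c, d, n)

def digest(message, n):
    """MD = H(M): SHA-256 of the message, reduced below n so it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, priv):        # S = D_A(MD)
    return decrypt(digest(message, priv[1]), priv)

def verify(message, s, pub):    # check E_A(S) == MD
    return encrypt(s, pub) == digest(message, pub[1])

def factor_by_trial_division(n):
    """At most about sqrt(n) steps: fine for a toy n, hopeless for 1024-bit primes."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n has no non-trivial factor")

def recover_d(n, e):
    """Why the security of RSA rests on factoring: p, q give t, and t gives d."""
    p, q = factor_by_trial_division(n)
    return find_d(e, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, priv = keygen(3, 7, 5)
    c = encrypt(9, pub)
    print("toy key", pub, priv, "c1 =", c, "D(c1) =", decrypt(c, priv))
    print("d recovered by factoring n =", pub[1], "->", recover_d(pub[1], pub[0]))
```

The two ways of finding d agree (Euclid is what real libraries use; the slide's trial loop only works because t = 12), and recover_d makes the slide's security argument concrete: once n is factored, nothing about d is secret any more, which is why p and q must be large and must be destroyed after use.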
A word on hashes...
Hashes
• A hash is the mathematical transformation of an arbitrarily long string of characters into a short, fixed-length value.
• Hashing is used to index and retrieve items in a database because it is faster to find the item using the shorter hashed key than to find it using the original value.
• It is also used in many encryption algorithms.
Hashes
• A hash guarantees integrity, but not necessarily authenticity (unless it is cryptographically "signed")
• A hash may be thought of as simply a more advanced form of a checksum, one which cannot be reproduced easily with false data.
Hashes
• Two key things about hashes:
  – Hashing is a one-way operation. While the hash uniquely represents the input value, there should be no way to "reverse engineer" the hash to find out what the input value was.
  – A good hash function also should not produce the same hash value from two different inputs. If it does, this is known as a collision. A hash function that offers an extremely low risk of collision may be considered acceptable.
Re-hashing hashes
• A hash is produced by running a message through a mathematical function (a hashing algorithm) that produces a fixed-length message digest
• E.g., 128 bits in MD5 (developed by Ron Rivest), and 160 bits in SHA-1 (developed by NIST).
How hashes work
• Here are some relatively simple hash functions that have been used:
  – Division-remainder method: The size of the number of items in the table is estimated. That number is then used as a divisor into each original value or key to extract a quotient and a remainder. The remainder is the hashed value.
  – Folding: This method divides the original value (digits in this case) into several parts, adds the parts together, and then uses the last four digits (or some other arbitrary number of digits that will work) as the hashed value or key.
How hashes work
• Here are some relatively simple hash functions that have been used:
  – Radix transformation: Where the value or key is digital, the number base (or radix) can be changed, resulting in a different sequence of digits. High-order digits could be discarded to fit a hash value of uniform length.
  – Digit rearrangement: This is simply taking part of the original value or key, such as digits in positions 3 through 6, reversing their order, and then using that sequence of digits as the hash value or key.

A simplistic hashing example
• Here is a simple example of a hash:
  – In this example, the hash will be produced by incrementing a counter for each digit for the number of digits of that type in the message. When a counter reaches 10, it rolls over to zero again. Here's our "arbitrarily long" input message:
  – 2385829143759021470568901427859078439217589743218957142390677
Hashing example
[Tally table from the slide: one column per digit 0-9, one X per occurrence of that digit in the input message; the per-digit totals, modulo 10, form the hash]
• Fixed Length Hash = 4675452989
• If even one bit of the input changed, the hash would change by at least two digits.
• This is a simple example, and probably easily cryptanalyzed, but you get the idea.
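The slide's digit-counting hash written out as an added example (not the lecture's own code), with two checks that make its weakness concrete: a single changed digit moves exactly two counters, as the slide says, but any rearrangement of the same digits is a collision, because the hash ignores order. For comparison, the last function measures how many of the 256 output bits SHA-256 changes for a one-character change. The input strings are constructed.

```python
"""The digit-counting hash from the slide and checks of its properties.
Added teaching example, not the lecture's own code; inputs are constructed."""
import hashlib

def digit_count_hash(message):
    """Ten counters, one per digit 0-9; each rolls over to 0 when it reaches 10."""
    counters = [0] * 10
    for ch in message:
        if ch.isdigit():
            counters[int(ch)] = (counters[int(ch)] + 1) % 10
    return "".join(str(c) for c in counters)

def differing_positions(h1, h2):
    """How many hash digits differ between two hashes of equal length."""
    return sum(1 for a, b in zip(h1, h2) if a != b)

def permutation_collision(message):
    """The hash ignores order, so the reversed message collides with the original
    whenever the two strings differ at all; returns the colliding input or None."""
    other = message[::-1]
    if other != message and digit_count_hash(other) == digit_count_hash(message):
        return other
    return None

def sha256_bit_difference(m1, m2):
    """Number of the 256 output bits that differ; a good hash flips about half
    of them for any change to the input, no matter how small."""
    d1, d2 = hashlib.sha256(m1).digest(), hashlib.sha256(m2).digest()
    return sum(bin(a ^ b).count("1") for a, b in zip(d1, d2))

if __name__ == "__main__":
    msg = "2385829143"
    print(msg, "->", digit_count_hash(msg))
    print("collision with", permutation_collision(msg))
    print("SHA-256 bits changed for a one-char edit:",
          sha256_bit_difference(b"message 1", b"message 2"))
```

The permutation collision is the kind of structure a cryptanalyst looks for first: it means the second hash property on the "Signing a secret message" slide (hard to find M' with H(M') = H(M)) fails outright, which is why counting or folding schemes are fine for database indexing but not for signatures.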
Digital signatures
• Used to verify that a message really comes from the claimed sender
• The digital signature of a document is created by computing a message digest (MD) from the document, and concatenating it with information about the signer, a timestamp, etc.
• The MD is encrypted using the private key; the recipient uses the public key to decrypt
Digital signatures
• The resulting string is then encrypted using the private key of the signer using a suitable algorithm. The resulting encrypted block of bits is the signature.
• It is often distributed together with information about the public key that was used to sign it.
Digital signature algorithms
• Signing is not necessarily just "encryption with a private key"
• Can be done in different ways, for example, in which two parties each generate a number separately, and use a combination of the two numbers, along with their secret number, to verify messages
• El Gamal: the early example of this
• From El Gamal, the Digital Signature Algorithm (DSA) was developed
Discrete Log Problem
• Another tough problem that turns out to be quick in one direction is the discrete logarithm problem.
• Given a number b, the base, and x, the logarithm, one can easily compute b^x or b^x mod N for any N.
• It turns out to be very difficult to solve the reverse problem for large integers.
• That is, given a large integer y and a base b, find x so that b^x = y mod N.
Discrete Log Problem
• The known procedures (algorithms) require about the same level of computation as finding the factors of a large integer.
• Diffie and Hellman exploited this difficulty to define their public key distribution algorithm.
Diffie-Hellman Key Exchange
• S and T want to exchange a secret cryptovariable for use in a conventional symmetric encryption system, say a DES encryption device.
• S and T together select a large prime p and a base b.
• The numbers p and b are assumed to be public knowledge.
• Next S chooses a number s and keeps it secret. T chooses a number t and keeps it secret. The numbers s and t must be between 1 and p-1.
Diffie-Hellman Key Exchange
• Sarah (S) and Tanya (T) then compute (respectively):
• x = b^s mod p (S)
• y = b^t mod p (T)
• In the next step of the process S and T exchange the numbers x and y; T sends y to S, and S sends x to T.
Diffie-Hellman Key Exchange
• Now S can compute
  – y^s = b^(ts) mod p
• And T can compute
  – x^t = b^(st) mod p
• But
  – b^(ts) mod p = b^(st) mod p = K, which becomes their common key
Diffie-Hellman Key Exchange
• In order for a third party to recover K, that party must solve the discrete logarithm problem to recover s and t.
• To be more precise, solving the discrete logarithm problem is sufficient to recover the key, but it might not be necessary. It is not known if there is another way to find b^(st) given b^s and b^t.
• It is conjectured that the latter problem is at least as difficult as the discrete logarithm problem.
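The S/T exchange from the slides above as an added example (not the lecture's own code), using the constructed toy parameters p = 23, b = 5 so that every value can be checked by hand, followed by the exhaustive discrete-logarithm search a third party observing x and y would have to carry out. With a prime of the size the slides call "large" that search is infeasible, which is the whole security argument of the scheme; the function names are mine.

```python
"""Diffie-Hellman as on the slides: public p and b, secrets s (S) and t (T),
exchanged values x and y, common key K. Added teaching example, not the
lecture's own code; p = 23, b = 5 are constructed toy parameters."""
import secrets

def public_value(b, secret, p):
    """x = b^s mod p for S, y = b^t mod p for T; sent in the clear."""
    return pow(b, secret, p)

def shared_key(received, secret, p):
    """K = y^s mod p on S's side, x^t mod p on T's side."""
    return pow(received, secret, p)

def random_secret(p):
    """A private exponent between 1 and p-1, as the slide requires."""
    return 1 + secrets.randbelow(p - 1)

def dh_exchange(p, b, s, t):
    """Both sides' computations; returns (x, y, K as seen by S, K as seen by T)."""
    x = public_value(b, s, p)
    y = public_value(b, t, p)
    return x, y, shared_key(y, s, p), shared_key(x, t, p)

def discrete_log(b, y, p):
    """Smallest x with b^x == y (mod p) by exhaustive search: about p steps,
    which is why p has to be large (hundreds of digits) in practice."""
    acc = 1
    for x in range(p):
        if acc == y:
            return x
        acc = acc * b % p
    return None

def third_party_key(p, b, x, y):
    """What an observer of x and y must do: solve the discrete log for s, then K."""
    s = discrete_log(b, x, p)
    return None if s is None else shared_key(y, s, p)

if __name__ == "__main__":
    p, b = 23, 5
    s, t = random_secret(p), random_secret(p)
    x, y, k_s, k_t = dh_exchange(p, b, s, t)
    print(f"x={x} y={y} K_S={k_s} K_T={k_t} observer={third_party_key(p, b, x, y)}")
```

Running the toy exchange a few times shows both sides always agreeing on K while the observer recovers it in at most 23 steps; replacing p with a 2048-bit safe prime leaves the two honest computations just as cheap (modular exponentiation) but turns the observer's loop into roughly 2^2048 steps, and the best known index-calculus methods are still far out of reach at that size.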
Digital signature algorithms
• Some signing algorithms can also be used for public key encryption algorithms because they are reversible
• RSA is such an algorithm