Josh Benaloh & Brian LaMacchia

Competition to replace the Data Encryption Standard (DES)

128-bit block size

Key sizes of 128, 192, and 256 bits

15 ciphers were submitted

5 finalists were chosen

MARS (IBM submission)

RC6 (RSA Labs submission)

Rijndael (Joan Daemen and Vincent Rijmen)

Serpent (Anderson, Biham, and Knudsen)

Twofish (Schneier, et al.)

4 transformations per round

ByteSub: nonlinearity

ShiftRow: inter-column diffusion

MixColumn: inter-byte diffusion

Round key addition

A single 8-bit to 8-bit (invertible) S-box is applied to each byte.

An (invertible) linear transform is applied to each column.

A different cyclic shift is applied to each row.

The round key is XORed to complete the round.

The key schedule is defined on 4-byte words by

k_i = k_(i-4) ⊕ k_(i-1) when i is not a multiple of 4

k_i = k_(i-4) ⊕ f(k_(i-1)) when i is a multiple of 4
When using block ciphers in CBC mode, there is generally a built-in integrity check.

However, when using block ciphers in ECB mode or (especially) when using stream ciphers, an external integrity check is crucial.

Such an integrity check is called a Message Authentication Code (MAC).

It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way.

Bob to Bob’s Bank: Please transfer $0,000,002.00 to the account of my good friend Alice.

Bob to Bob’s Bank (after the adversary’s alteration): Please transfer $1,000,002.00 to the account of my good friend Alice.

The idea of a checksum is great, but it is designed to prevent accidental changes in a message.

For cryptographic integrity, we need an integrity check that is resilient against a smart and determined adversary.
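The bank-transfer alteration above and the MAC that catches it, as an added Python example (not the lecture's code). The "stream cipher" is a constructed toy (SHA-256 in counter mode) that exists only to exhibit XOR malleability; the keys and nonce are constructed placeholders. The MAC is HMAC-SHA256 computed over the ciphertext (encrypt-then-MAC) and compared in constant time. Note that the slide's remark about CBC should not be relied on in practice: CBC mode detects no modification by itself either, so a MAC is applied there too.

```python
# Added example (not the lecture's code): why an external integrity check is needed with a
# stream cipher, and how a MAC supplies it. The keystream below is a constructed toy
# (SHA-256 in counter mode) used only to show XOR malleability; the keys and nonce are
# constructed placeholders, not secure values.
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream (the operation is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def compute_mac(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 over the nonce and the ciphertext."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def verify_then_decrypt(key, mac_key, nonce, ciphertext, tag):
    """Return the plaintext only if the tag verifies; None if the message was altered."""
    if not hmac.compare_digest(compute_mac(mac_key, nonce, ciphertext), tag):
        return None
    return stream_xor(key, nonce, ciphertext)

MESSAGE = b"Please transfer $0,000,002.00 to the account of my good friend Alice."

def demo():
    key, mac_key, nonce = b"\x11" * 32, b"\x22" * 32, b"\x33" * 8   # constructed values
    ct = stream_xor(key, nonce, MESSAGE)
    tag = compute_mac(mac_key, nonce, ct)

    # The known-plaintext alteration from the slide: the adversary does not know the key,
    # but flipping the ciphertext bit that distinguishes '0' from '1' flips the same bit
    # in the recovered plaintext, because ciphertext = plaintext XOR keystream.
    pos = MESSAGE.index(b"$") + 1
    tampered = bytearray(ct)
    tampered[pos] ^= ord("0") ^ ord("1")
    tampered = bytes(tampered)

    altered = stream_xor(key, nonce, tampered)                       # accepted if there is no MAC
    rejected = verify_then_decrypt(key, mac_key, nonce, tampered, tag) is None
    genuine = verify_then_decrypt(key, mac_key, nonce, ct, tag)       # the untampered message
    return altered, rejected, genuine

if __name__ == "__main__":
    altered, rejected, genuine = demo()
    print(altered.decode())                 # Please transfer $1,000,002.00 ...
    print("tampered message rejected by MAC:", rejected)
```

A plain checksum (CRC or an unkeyed hash) appended to the plaintext would not help here: the adversary who can flip plaintext bits can recompute the checksum of the altered message and flip those bits too. The keyed tag is what stops that, which is the point of the next slide.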
Generally, a one-way hash function is a function H : {0,1}* → {0,1}^k (typically k is 128 or 160) such that, given an input value x, one cannot find a value x′ ≠ x such that H(x) = H(x′).

There are many measures for one-way hashes.

Non-invertibility: given y, it’s difficult to find any x such that H(x) = y.

Collision-intractability: one cannot find a pair of values x′ ≠ x such that H(x) = H(x′).

SHA-1 was designed by the US Government as part of the Digital Signature Standard.

SHA-1 is the most-commonly used hash function today.

It’s the hash function in which we have the most faith right now.

SHA-1 takes any size input and produces a 160-bit output (the digest value).
What’s in the final 32-bit transform?

Take the rightmost word.

Add in the leftmost word rotated 5 bits.

Add in a round-dependent function f of the middle three words.

Add in a round-dependent constant.

Add in a portion of the 512-bit message.

Depending on the round, the “non-linear” function f is one of the following.

f(X,Y,Z) = (X ∧ Y) ∨ (¬X ∧ Z)

f(X,Y,Z) = (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z)

f(X,Y,Z) = X ⊕ Y ⊕ Z
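The per-round transform and the three choices of f, written out as a complete SHA-1 in Python as an added example (not the lecture's code). The round loop is the slide's recipe: start from the rightmost chaining word, add the leftmost word rotated 5 bits, f of the middle three words, the round constant and one word of the expanded message block. The standard library's hashlib is imported only to cross-check the digest. SHA-1 is shown here for study of the structure; practical collisions have since been demonstrated against it, so new designs should use SHA-2 or SHA-3.

```python
# Added example (not the lecture's code): SHA-1 written out so the per-round step
# described above is visible. hashlib is imported solely to cross-check the result.
import hashlib
import struct

MASK = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def f(t, x, y, z):
    """The round-dependent "non-linear" function f of the middle three words."""
    if t < 20:
        return (x & y) | (~x & z)               # (X ∧ Y) ∨ (¬X ∧ Z)
    if 40 <= t < 60:
        return (x & y) | (x & z) | (y & z)      # (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z)
    return x ^ y ^ z                            # X ⊕ Y ⊕ Z (rounds 20-39 and 60-79)

K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # round-dependent constants

def compress(h, chunk):
    """Process one 512-bit block: 80 rounds of the 32-bit transform on five chaining words."""
    w = list(struct.unpack(">16I", chunk))
    for t in range(16, 80):                     # message schedule: expand 16 words to 80
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        # Start from the rightmost word e; add the leftmost word rotated 5 bits,
        # f of the middle three words, the round constant and a portion of the message.
        new = (e + rotl(a, 5) + f(t, b, c, d) + K[t // 20] + w[t]) & MASK
        a, b, c, d, e = new, a, rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e)))

def sha1(data: bytes) -> str:
    """Hash any-length input to a 160-bit digest, returned as 40 hex characters."""
    h = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)   # pad to 56 bytes mod 64 ...
    padded += struct.pack(">Q", len(data) * 8)           # ... then append the bit length
    for i in range(0, len(padded), 64):
        h = compress(h, padded[i:i + 64])
    return "".join(f"{x:08x}" for x in h)

def matches_hashlib(data: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return sha1(data) == hashlib.sha1(data).hexdigest()

if __name__ == "__main__":
    print(sha1(b"abc"))     # a9993e364706816aba3e25717850c26c9cd0d89d
```

The Merkle-Damgård padding at the end (a 1 bit, zeros, then the message length) is what lets SHA-1 take "any size input"; it is also why a bare H(key || message) is not a safe MAC, since the compression state can be extended, and why HMAC wraps the hash twice instead.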
When using a stream cipher, a (keyed) hash of the message can be appended to ensure integrity. [Message Authentication Code]

When forming a digital signature, the signature need only be applied to a hash of the message. [Message Digest]

One-Way Trapdoor Functions

Public-Key Encryption Schemes

One-Way Permutations

One-Way Functions

One-Way Hash Functions

Pseudo-Random Number-Generators

Secret-Key Encryption Schemes

Digital Signature Schemes
Now that we have all of these tools available, how do we actually send a (short) message, perhaps a symmetric key, encrypted with a public key?

Recall the Bleichenbacher attack

00 01 XX XX ... XX 00 YY YY ... YY

Optimal Asymmetric Encryption Protocol

To encrypt the message M,

Select a random value r,

For a PRNG G and one-way hash H, use the public key to encrypt the following:

M ⊕ G(r) || r ⊕ H(M ⊕ G(r))
1994: Secure Sockets Layer (SSL) V2.0

1995: Private Communication Technology (PCT) V1.0

1996: Secure Sockets Layer (SSL) V3.0

1997: Private Communication Technology (PCT) V4.0

1999: Transport Layer Security (TLS) V1.0

You (client)

Merchant (server)

All subsequent secure messages are sent using the symmetric key and a keyed hash for message authentication.