Úvod
ThisstandardisusedtoreplacetheoriginalDES(DataEncryptionStandard),whichhasbeenanalyzedbymanypartiesandwidelyusedallovertheworld.use.Afterafive-yearselectionprocess,theAdvancedEncryptionStandardwaspublishedbytheNationalInstituteofStandardsandTechnology(NIST)inFIPSPUB197onNovember26,2001,andbecameaneffectivestandardonMay26,2002.In2006,theadvancedencryptionstandardhasbecomeoneofthemostpopularalgorithmsinsymmetrickeyencryption.
ThealgorithmwasdesignedbyBelgiancryptographersJoanDaemenandVincentRijmen,combinedwiththenamesofthetwoauthors,namedinthenameofRijdael,andsubmittedtheselectionprocessforadvancedencryptionstandards.(Rijdaelispronouncedlike"Rhinedoll".)
Vysvětlení
Theadvancedencryptionstandardalgorithmsolvesworryingproblemsinmanyways.Infact,themethodsusedtoattackdataencryptionstandardshavenoeffectontheadvancedencryptionstandardalgorithmsthemselves.Ifreal128-bitencryptiontechnologyoreven256-bitencryptiontechnologyisused,itwilltakealongtimeforabruteforceattacktosucceed.
Althoughtheadvancedencryptionstandardalsohasitsdisadvantages,itisstillarelativelynewprotocol.Therefore,securityresearchershavenothadsomuchtimetocrackexperimentsonthisencryptionmethod.Wemayatanytimediscoverabrandnewattackmethodthatwillbreakthisadvancedencryptionstandard.Atleastintheorythereissuchapossibility.
Dějiny
RijndaelisanimprovementofSquaredesignedbyDaemenandRijmenintheearlydays;andSquareisdevelopedfromSHARK.
DifferentfromitspredecessorstandardDES,Rijndaelusesapermutation-combinedarchitectureinsteadofaFeistelarchitecture.AEScanquicklyencryptanddecryptonbothsoftwareandhardware,relativelyeasytoimplement,andrequiresverylittlememory.Asanewencryptionstandard,itiscurrentlybeingdeployedandappliedtoawiderrange.
Popis hesla
Strictlyspeaking,AESandRijndaelencryptionarenotexactlythesame(althoughthetwoareinterchangeableinpracticalapplications),becauseRijndaelencryptioncansupportlargerRangeofblockandkeylength:TheblocklengthofAESisfixedat128bits,andthekeylengthcanbe128,192or256bits;thekeyandblocklengthusedbyRijndaelcanbeanintegermultipleof32bits.Thelowerlimitis128bitsandtheupperlimitis256bits.ThekeyusedintheencryptionprocessisgeneratedbytheRijndaelkeygenerationscheme.
Většina výpočtů AES se provádí ve speciálním konečném poli.
TheAESencryptionprocessoperatesona4×4bytematrix.Thismatrixisalsocalled"state".Itsinitialvalueisaplaintextblock(thesizeofanelementinthematrixisOneByteintheplaintextblock).(Rijndaelencryptionmethodsupportslargerblocks,andthenumberofmatrixrowscanbeincreasedaccordingtothesituation.)Whenencrypting,eachroundofAESencryptioncycle(exceptthelastround)includes4steps:
AddRoundKey
—EachbyteinthematrixisXORedwiththeroundkey;eachsub-keyisgeneratedbythekeygenerationscheme.
IntheAddRoundKeystep,theroundkeywillbemergedwiththeoriginalmatrix.Ineachencryptioncycle,aroundkey(generatedbytheRijndaelkeygenerationscheme)willbegeneratedbythemasterkey.Thiskeywillhavethesamesizeastheoriginalmatrixtomatcheachcorrespondingwordintheoriginalmatrix.Sectionsareexclusiveor(⊕)addition.
SubBytes
—Throughanon-linearreplacementfunction,eachbyteisreplacedwiththecorrespondingbytebymeansofalook-uptable.
IntheSubBytesstep,eachbyteinthematrixisconvertedbyan8-bitS-box.Thisstepprovidesthenon-lineartransformationcapabilityoftheencryptionmethod.S-boxisrelatedtotheinverseelementofmultiplicationonGF(2)andisknowntohavegoodnonlinearcharacteristics.Inordertoavoidattacksonthenatureofsimplealgebra,S-boxisconstructedbycombiningtheinverseelementsofmultiplicationandaninvertibleaffinetransformationmatrix.Inaddition,whenconstructingS-box,fixedpointsandanti-fixedpointsweredeliberatelyavoided,thatis,theresultofreplacingbyteswithS-boxwouldbeequivalenttotheresultofmisalignment.
ShiftRows
—Kruhově posouvejte v matici.
ShiftRowsdescribestherowoperationsofthematrix.Inthisstep,eachrowiscyclicallyshiftedtotheleftbyacertainoffset.InAES(theblocksizeis128bits),thefirstrowremainsunchanged,andeachbyteinthesecondrowrotatesonespacetotheleft.Inthesameway,theoffsetsofthethirdrowandthefourthrowofthecyclicshifttotheleftare2and3,respectively.The128-bitand192-bitblockshavethesamecyclicshiftpatterninthisstep.AfterShiftRows,eachverticalcolumninthematrixiscomposedofelementsineachdifferentcolumnoftheinputmatrix.IntheversionoftheRijndaelalgorithm,theoffsetisslightlydifferentfromAES;forablockwithalengthof256bits,thefirstrowremainsunchanged,andtheoffsetsofthesecond,third,andfourthrowsare1wordrespectively.Section,3-byte,4-bitgroup.Inaddition,theoperationstepsofShiftRowsareexactlythesameinRijndaelandAES.
MixColumns
—Inordertofullymixtheoperationsofeachstraightrowinthematrix.Thisstepuseslinearconversiontomixeachinlinefourbytes.Inthelastencryptioncycle,theMixColumnsstepisomittedandreplacedbyanotherAddRoundKey.
Útoky bočního kanálu (také známé jako útoky bočním kanálem, útoky bočním kanálem)
Side-channelattacksdonotattackthepassworditself,butattackthoseimplementedininsecuresystems(willinadvertentlyInformationdisclosure)ontheencryptionsystem.
InApril2005,D.J.BernsteinannouncedacachetimingattackmethodbywhichhecrackedaclientserverloadedwiththeOpenSSLAESencryptionsystem.Inordertodesigntheservertopublishallthetiminginformation,theattackalgorithmusedmorethan200millionfilteredclearcodes.SomepeoplethinkthatsuchanattackmethodisnotpracticalfortheInternet,whichrequiresmultiplehops.
InOctober2005,EranTromerandtwootherresearcherspublishedapapershowingseveralcachetimingattacksagainstAES[8].Oneoftheattacksrequiresonly800writeactionsandtakes65millisecondstoobtainacompleteAESkey.However,theattackermusthavethepermissiontoruntheprogramontheencryptedsysteminordertocrackthecryptographicsystemwiththismethod.
Režim šifrování AES
Symetrické/blokové šifry jsou obecně rozděleny na proudové šifrování (jako OFB, CFB atd.) a blokové šifrování (jako je ECB, CBC atd.). Pro proudové šifrování je třeba blokovou šifru převést na proudový režim, aby fungoval.
Režim ECB (ElectronicCodeBook).
ECBmodeistheearliestandsimplestmode.Itdividesencrypteddataintoseveralgroups,thesizeofeachgroupisencryptedThekeylengthisthesame,andtheneachgroupisencryptedwiththesamekey.
výhody:
1.Simple;2.Conducivetoparallelcomputing;3.Errorswillnotbetransmitted;Disadvantages:1.Themodethattheplaintextcannotbehidden;2.Activeattacksontheplaintextmaybecarriedout;Therefore,thismodeissuitableforencryptingsmallmessages.
CBC (CipherBlockChaining, encryptedblockchain) režim
výhody:
1.Itisnoteasytoattackactively,anditissafeItisbetterthanECBandissuitablefortransmittinglong-lengthpackets.ItisthestandardofSSLandIPSec.Disadvantages:1.Notconducivetoparallelcomputing;2.Errortransmission;3.NeedtoinitializethevectorIV
CFB (CipherFeedBackMode, šifrovací zpětná vazba) režim
výhody:
1.Theplaintextmodeishidden;2.Blockcipherisconvertedtostreammode;3.Datasmallerthanthepacketcanbeencryptedandtransmittedintime;Disadvantages:1.Notconducivetoparallelcomputing;2.Errortransmission:damagetoaplaintextunitaffectsmultipleunits;3.TheonlyIV;
Režim OFB(OutputFeedBack,OutputFeedback).
výhody:
1.Theplaintextmodeishidden;2.Theblockcipherisconvertedintoastreammode;3.Datasmallerthanthepacketcanbeencryptedandtransmittedintime;Disadvantages:1.Itisnotconducivetoparallelcomputing;2.Activeattacksontheplaintextarepossible;3.Errortransmission:thedamageofoneplaintextunitaffectsmultipleunits.
Režim CTR (počítadlo, počítání).
Countingmode(CTRmode)encryptionistoencryptaseriesofinputdatablocks(calledcount)toproduceaseriesofoutputblocks,TheoutputblockisXORedwiththeplaintexttogettheciphertext.Forthelastdatablock,itmaybeapartialdatablockwithlongubits.TheubitswillbeusedfortheXORoperation,andtheremainingb-ubitswillbediscarded(brepresentsthelengthoftheblock).CTRdecryptionissimilar.Thecountsinthisseriesmustbedifferentfromeachother.SupposethecountisexpressedasT1,T2,…,Tn.TheCTRmodecanbedefinedasfollows:
Vzorec CTR šifrování je následující:
Cj=PjXOREk(Tj)
C*n=P*nXORMSBu(Ek(Tn))j=1,2...n-1;
Vzorec dešifrování CTR vypadá takto:
Pj=CjXOREk(Tj)
P*n=C*nXORMSBu(Ek(Tn))j=1,2…n-1;
Encryptionmethod:thecryptographicalgorithmgeneratesa16-bytepseudo-randomcodeblockstream,pseudo-randomThecodeblockandtheinputplaintextareXORedtoproduceaciphertextoutput.Aftertheciphertextandthesamepseudo-randomcodeareXORed,theplaintextcanberegenerated.
CTRmodeiswidelyusedinATMnetworksecurityandIPSecapplications.Comparedwithothermodes,CTRmodehasthefollowingcharacteristics:
■Hardwareefficiency:AllowssimultaneousprocessingofmultipleblocksPlaintext/ciphertext.
■Softwareefficiency:parallelcomputingisallowed,andparalleltechnologiessuchasCPUpipelinecanbeusedwell.
■Preprocessing:Theoutputofthealgorithmandtheencryptionboxdoesnotrelyontheinputofplaintextandciphertext.Therefore,ifthereisenoughmemorytoensuresecurity,theencryptionalgorithmwillonlybeaseriesofXORoperations,whichisextremelyGreatlyimprovethroughput.
■Randomaccess:Thedecryptionofthei-thblockofciphertextdoesnotdependonthei-1thblockofciphertext,providinghighrandomaccesscapabilities
■Prokazatelná bezpečnost: Lze dokázat, že CTR je přinejmenším jako zajištění ostatních režimů (CBC, CFB, OFB,...)
■Simplicity:Unlikeothermodes,CTRmodeonlyrequirestheimplementationofencryptionalgorithms,butdoesnotrequiretheimplementationofdecryptionalgorithms.ForAESandotherencryption/decryptionalgorithmsthatareessentiallydifferent,thissimplificationishuge.
■Withoutpadding,itcanbeefficientlyusedasstreamencryption.
■Errorsarenotpropagated:eachbitintheciphertexttransmissionisincorrectlyreversed,whichonlyaffectsthedecryptionoftheblockwheretheciphertextislocated.InCTRmode,afterk+1stepsofself-synchronization,Thesubsequentciphertextcanbedecryptedcorrectly.(kmeansblocklength128)
■Musí být použit s kódem pro ověření zprávy (MAC).
■Integritycheckisnotpossible:Lossofbitsduringciphertexttransmissionwillcausesubsequentbitstofailtobedecryptedcorrectly.