Introduction
This standard was adopted to replace the original DES (Data Encryption Standard), which had been analyzed by many parties and was widely used all over the world. After a five-year selection process, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) in FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. By 2006, the Advanced Encryption Standard had become one of the most popular algorithms in symmetric-key encryption.
The algorithm was designed by Belgian cryptographers Joan Daemen and Vincent Rijmen. Combining the names of the two authors, it was named Rijndael and submitted to the selection process for the Advanced Encryption Standard. (Rijndael is pronounced like "Rhine doll".)
Explanation
The Advanced Encryption Standard algorithm addresses the concerns raised about DES in many ways. In fact, the methods used to attack the Data Encryption Standard have no effect on the AES algorithm itself. If genuine 128-bit or even 256-bit keys are used, a brute-force attack would take a very long time to succeed.
Although the Advanced Encryption Standard also has its disadvantages, it is still a relatively new algorithm. Therefore, security researchers have not had as much time to attempt to crack this encryption method. A brand-new attack that breaks the Advanced Encryption Standard may be discovered at any time; at least in theory there is such a possibility.
History
Rijndael is an improvement of Square, designed earlier by Daemen and Rijmen; Square in turn was developed from SHARK.
Unlike its predecessor standard DES, Rijndael uses a substitution-permutation network architecture instead of a Feistel architecture. AES can encrypt and decrypt quickly in both software and hardware, is relatively easy to implement, and requires very little memory. As a new encryption standard, it is currently being deployed and applied to an ever wider range of uses.
Cipher description
Strictly speaking, AES and Rijndael are not exactly the same (although the two are interchangeable in practical applications), because Rijndael supports a larger range of block and key lengths: the block length of AES is fixed at 128 bits and the key length can be 128, 192 or 256 bits, whereas the key and block lengths used by Rijndael can be any integer multiple of 32 bits, with a lower limit of 128 bits and an upper limit of 256 bits. The key used in the encryption process is generated by the Rijndael key schedule.
Most AES calculations are done in a special finite field.
The AES encryption process operates on a 4×4 byte matrix, also called the "state". Its initial value is a plaintext block (each element of the matrix is one byte of the plaintext block). (Rijndael supports larger blocks, and the number of matrix rows can be increased accordingly.) When encrypting, each round of the AES cipher (except the last round) consists of 4 steps:
AddRoundKey
— Each byte in the matrix is XORed with the round key; each round key is generated by the key schedule.
In the AddRoundKey step, the round key is combined with the state matrix. In each encryption round, a round key (produced by the Rijndael key schedule) is derived from the master key. This round key has the same size as the state matrix, and each byte of the state is combined with the corresponding byte of the round key by exclusive-or (⊕) addition.
SubBytes
— Through a non-linear substitution function, each byte is replaced with the corresponding byte from a lookup table.
In the SubBytes step, each byte in the matrix is transformed by an 8-bit S-box. This step provides the non-linear transformation capability of the cipher. The S-box is based on the multiplicative inverse in GF(2^8) and is known to have good nonlinearity properties. To avoid attacks that exploit simple algebraic structure, the S-box is constructed by combining the multiplicative inverse with an invertible affine transformation. In addition, when constructing the S-box, fixed points and anti-fixed points were deliberately avoided; that is, substituting a byte through the S-box never yields the byte itself or its bitwise complement.
ShiftRows
— Cyclically shift each row of the matrix.
ShiftRows describes the row operations of the matrix. In this step, each row is cyclically shifted to the left by a certain offset. In AES (block size 128 bits), the first row remains unchanged, and each byte in the second row rotates one position to the left. In the same way, the third and fourth rows are cyclically shifted to the left by 2 and 3 positions, respectively. The 128-bit and 192-bit blocks have the same cyclic shift pattern in this step. After ShiftRows, each column of the matrix is composed of elements taken from different columns of the input matrix. In the Rijndael algorithm, the offsets differ slightly from AES: for a block of length 256 bits, the first row remains unchanged, and the offsets of the second, third and fourth rows are 1 byte, 3 bytes and 4 bytes, respectively. Apart from this, the operation steps of ShiftRows are exactly the same in Rijndael and AES.
MixColumns
— In order to mix the contents of each column of the matrix thoroughly, this step applies a linear transformation to the four bytes of each column. In the last round, the MixColumns step is omitted and replaced by another AddRoundKey.
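The four round transformations just described, written out on the 4×4 state so that the construction of the S-box from the GF(2^8) inverse and affine map, the row offsets and the column mixing can be checked against FIPS 197 values. This is an added example, not code from the original article; the key schedule is not shown, so round keys are supplied by the caller as 16-byte strings, and the state layout follows the FIPS 197 column-major convention.

```python
from typing import List

State = List[List[int]]  # state[row][col]: the 4x4 byte matrix described above

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of the AES field


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8) modulo AES_POLY."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return product & 0xFF


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8). AES maps 0 to 0 by convention."""
    if a == 0:
        return 0
    # The non-zero elements form a group of order 255, so a^254 == a^-1.
    result, base, exponent = 1, a, 254
    while exponent:
        if exponent & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exponent >>= 1
    return result


def affine(b: int) -> int:
    """The invertible affine map of the S-box: XOR of four bit-rotations plus 0x63."""
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


# SubBytes table = affine(inverse(x)), exactly as the text describes.
SBOX = [affine(gf_inv(x)) for x in range(256)]


def sbox_avoids_fixed_points() -> bool:
    """No x with S(x) == x (fixed point) and none with S(x) == ~x (anti-fixed point)."""
    return all(SBOX[x] != x and SBOX[x] != (x ^ 0xFF) for x in range(256))


def bytes_to_state(block: bytes) -> State:
    """FIPS 197 fills the state column by column: byte i lands in row i % 4, column i // 4."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def state_to_bytes(state: State) -> bytes:
    return bytes(state[r][c] for c in range(4) for r in range(4))


def sub_bytes(state: State) -> State:
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state: State) -> State:
    # Row r is rotated left by r positions: offsets 0, 1, 2, 3 for a 128-bit block.
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_single_column(col: List[int]) -> List[int]:
    """Multiply one column by the fixed MixColumns matrix over GF(2^8)."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]


def mix_columns(state: State) -> State:
    cols = [mix_single_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state: State, round_key: bytes) -> State:
    k = bytes_to_state(round_key)
    return [[state[r][c] ^ k[r][c] for c in range(4)] for r in range(4)]


def aes_round(state: State, round_key: bytes, last: bool = False) -> State:
    """One encryption round; the last round skips MixColumns, as the text notes."""
    state = shift_rows(sub_bytes(state))
    if not last:
        state = mix_columns(state)
    return add_round_key(state, round_key)
```

Computing the table from the field inverse rather than pasting 256 constants is what makes the "no fixed points, no anti-fixed points" property checkable, and the MixColumns column [db 13 53 45] → [8e 4d a1 bc] and the product {57}·{13} = {fe} are the worked values given in FIPS 197, so they serve as a quick self-test of the field arithmetic.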
Side-channel attacks
Side-channel attacks do not attack the cipher itself; they attack cryptosystems implemented on insecure systems that inadvertently leak information.
In April 2005, D. J. Bernstein announced a cache-timing attack with which he recovered the key of a custom server running OpenSSL's AES. Because the server was designed to expose all of its timing information, the attack algorithm used more than 200 million filtered plaintexts. Some people consider such an attack impractical over the Internet, where traffic crosses multiple hops.
In October 2005, Eran Tromer and two other researchers published a paper showing several cache-timing attacks against AES [8]. One of the attacks requires only 800 write operations and 65 milliseconds to obtain a complete AES key. However, the attacker must have permission to run programs on the system performing the encryption in order to break the cryptosystem with this method.
AES encryption modes
Symmetric/block ciphers are generally used either in stream-oriented modes (such as OFB, CFB, etc.) or in block-oriented modes (such as ECB, CBC, etc.). For stream encryption, the block cipher needs to be converted into a stream mode to work. For block encryption, if you want to encrypt data that exceeds the block size, padding and chaining modes are needed.
ECB (Electronic Code Book) mode
ECB mode is the earliest and simplest mode. It divides the data to be encrypted into several blocks, each the same size as the key length, and then encrypts each block with the same key.
Advantages:
1. Simple;
2. Conducive to parallel computing;
3. Errors are not propagated.
Disadvantages:
1. Plaintext patterns cannot be hidden;
2. Active attacks on the plaintext may be carried out.
Therefore, this mode is only suitable for encrypting small messages.
CBC (Cipher Block Chaining) mode
Advantages:
1. It is not easy to attack actively, and its security is better than ECB; it is suitable for transmitting long messages and is the standard mode of SSL and IPSec.
Disadvantages:
1. Not conducive to parallel computing;
2. Error propagation;
3. Requires an initialization vector IV.
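The ECB and CBC descriptions above, as an added example that is not part of the original article: PKCS#7 padding, ECB and CBC encryption built on a stand-in block function, and a defender-side check that counts repeated ciphertext blocks, which is how ECB's failure to hide plaintext patterns shows up in practice. The block function is a constructed placeholder (SHA-256 of key and block, truncated to 16 bytes), not AES; since ECB and CBC encryption only ever call the forward function, it is enough to show how the two modes chain blocks. The key and IV values are constructed for the demo.

```python
import hashlib
from collections import Counter

BLOCK = 16  # 128-bit block, as for AES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E_k (NOT AES): SHA-256(key || block) truncated to 16 bytes.
    It behaves like a pseudo-random function of the block, which is all ECB and CBC
    encryption need in order to show how blocks are (or are not) chained."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    """Always append 1..16 bytes, each equal to the pad length, so unpadding is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently with the same key."""
    padded = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (IV first)."""
    padded = pkcs7_pad(plaintext)
    previous, out = iv, bytearray()
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(p ^ c for p, c in zip(padded[i:i + BLOCK], previous))
        previous = toy_block_encrypt(key, mixed)
        out += previous
    return bytes(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Defender's check: how many 16-byte ciphertext blocks duplicate an earlier one.
    Under ECB, equal plaintext blocks give equal ciphertext blocks, so this is non-zero."""
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return sum(c - 1 for c in counts.values())


def demo() -> tuple:
    key = b"constructed-demo-key"      # constructed value
    iv = bytes(range(BLOCK))           # constructed value; must be unpredictable in real use
    plaintext = b"\x00" * (4 * BLOCK)  # four identical plaintext blocks
    return (repeated_blocks(ecb_encrypt(key, plaintext)),
            repeated_blocks(cbc_encrypt(key, iv, plaintext)))
```

With four identical plaintext blocks, `demo()` reports three repeated blocks for ECB and none for CBC: the IV and the chaining make every block input different, which is the "plaintext patterns cannot be hidden" disadvantage of ECB made measurable. Repeated-block counting over stored or captured ciphertext is a cheap way to spot ECB use in a system under review.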
CFB (Cipher Feedback) mode
Advantages:
1. Plaintext patterns are hidden;
2. The block cipher is converted into a stream mode;
3. Data smaller than a block can be encrypted and transmitted promptly.
Disadvantages:
1. Not conducive to parallel computing;
2. Error propagation: damage to one plaintext unit affects multiple units;
3. A unique IV is required.
OFB (Output Feedback) mode
Advantages:
1. Plaintext patterns are hidden;
2. The block cipher is converted into a stream mode;
3. Data smaller than a block can be encrypted and transmitted promptly.
Disadvantages:
1. Not conducive to parallel computing;
2. Active attacks on the plaintext are possible;
3. Error propagation: damage to one plaintext unit affects multiple units.
CTR (Counter) mode
Counter mode (CTR mode) encryption encrypts a series of input blocks (called counters) to produce a series of output blocks; each output block is XORed with the plaintext to obtain the ciphertext. The last data block may be a partial block of u bits; those u bits take part in the XOR operation and the remaining b-u bits of the output block are discarded (b is the block length). CTR decryption works the same way. The counters in the series must all differ from one another. Suppose the counters are denoted T1, T2, …, Tn. CTR mode can then be defined as follows:
The CTR encryption formula is as follows:
Cj = Pj XOR Ek(Tj), j = 1, 2, …, n-1;
C*n = P*n XOR MSBu(Ek(Tn))
The CTR decryption formula is as follows:
Pj = Cj XOR Ek(Tj), j = 1, 2, …, n-1;
P*n = C*n XOR MSBu(Ek(Tn))
Encryption method: the cipher generates a stream of 16-byte pseudo-random blocks; each pseudo-random block is XORed with the input plaintext to produce the ciphertext output. XORing the ciphertext with the same pseudo-random block regenerates the plaintext.
CTR mode is widely used in ATM network security and IPSec applications. Compared with the other modes, CTR mode has the following characteristics:
■ Hardware efficiency: multiple blocks of plaintext/ciphertext can be processed simultaneously.
■ Software efficiency: parallel computation is possible, so parallel techniques such as CPU pipelining can be used to good effect.
■ Preprocessing: the output of the block encryption does not depend on the plaintext or ciphertext input. Therefore, given enough memory and with security assured, the encryption reduces to a series of XOR operations, which greatly improves throughput.
■ Random access: decryption of the i-th ciphertext block does not depend on the (i-1)-th ciphertext block, giving high random-access capability.
■ Provable security: it can be proved that CTR is at least as secure as the other modes (CBC, CFB, OFB, ...).
■ Simplicity: unlike the other modes, CTR mode only requires an implementation of the encryption algorithm, not of the decryption algorithm. For AES and other ciphers whose encryption and decryption differ substantially, this simplification is significant.
■ Without padding, it can be used efficiently as stream encryption.
■ Errors are not propagated: a bit flipped during ciphertext transmission only affects the decryption of the block in which it is located. In CTR mode, after k+1 steps of self-synchronization, subsequent ciphertext can be decrypted correctly. (k is the block length, 128.)
■ It must be used together with a message authentication code (MAC).
■ Integrity checking is not possible: loss of bits during ciphertext transmission will cause all subsequent bits to fail to decrypt correctly.
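The CTR definition (Cj = Pj XOR Ek(Tj) with MSBu for the partial last block) and the characteristics listed above, as an added example that is not part of the original article. It implements CTR over an encryption-only block function, checks the partial-block handling and random access, shows that a flipped ciphertext bit flips exactly one plaintext bit (no error propagation, but also no integrity, hence the MAC requirement), and shows what goes wrong when two messages share a counter sequence. The block function is a constructed stand-in (SHA-256 of key and counter block, truncated to 16 bytes), not AES; it has no inverse at all, which makes the point that CTR never needs the decryption direction. The counter-block layout (12-byte nonce followed by a 32-bit block index) and all keys, nonces and messages are constructed for the demo.

```python
import hashlib
from typing import Callable

BLOCK = 16  # b = 128 bits, the AES block length

BlockFn = Callable[[bytes, bytes], bytes]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E_k (NOT AES): SHA-256(key || block) truncated to 16 bytes.
    It is a one-way pseudo-random function, so the block 'cipher' cannot be decrypted;
    CTR mode does not care, because both directions only ever call E_k."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def counter_block(nonce: bytes, j: int) -> bytes:
    """T_j = 12-byte nonce || 32-bit big-endian block index j (constructed layout).
    Distinct j within a message and distinct nonces across messages keep every T_j unique."""
    if len(nonce) != 12:
        raise ValueError("nonce must be 12 bytes")
    return nonce + j.to_bytes(4, "big")


def ctr_crypt(key: bytes, nonce: bytes, data: bytes, enc: BlockFn = toy_block_encrypt) -> bytes:
    """C_j = P_j XOR E_k(T_j). For the partial last block only the first u bytes of the
    keystream are used (MSB_u); the rest is discarded. Decryption is the same call."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        chunk = data[offset:offset + BLOCK]
        keystream = enc(key, counter_block(nonce, offset // BLOCK + 1))
        out.extend(c ^ k for c, k in zip(chunk, keystream))  # zip truncates to u bytes
    return bytes(out)


def ctr_decrypt_block(key: bytes, nonce: bytes, ciphertext: bytes, i: int) -> bytes:
    """Random access: recover plaintext block i (0-based) without touching block i-1."""
    chunk = ciphertext[i * BLOCK:(i + 1) * BLOCK]
    keystream = toy_block_encrypt(key, counter_block(nonce, i + 1))
    return bytes(c ^ k for c, k in zip(chunk, keystream))


def differing_bits(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> tuple:
    key = b"constructed-demo-key"            # constructed value
    nonce = b"\x00" * 11 + b"\x01"           # constructed value; never reuse with the same key
    pt = b"Attack at dawn! Counter mode keeps the tail (u<b) bytes."  # 56 bytes: 3 blocks + 8-byte tail
    ct = ctr_crypt(key, nonce, pt)

    round_trip_ok = ctr_crypt(key, nonce, ct) == pt and len(ct) == len(pt)
    random_access_ok = ctr_decrypt_block(key, nonce, ct, 2) == pt[32:48]

    # One flipped ciphertext bit flips exactly the same plaintext bit and nothing else:
    # no error propagation, but also no way to notice the change without a MAC.
    damaged = bytearray(ct)
    damaged[5] ^= 0x01
    pt_damaged = ctr_crypt(key, nonce, bytes(damaged))
    error_is_local = differing_bits(pt, pt_damaged) == 1 and pt_damaged[5] == pt[5] ^ 0x01

    # Reusing the counter sequence for a second message cancels the keystream:
    # C1 XOR C2 == P1 XOR P2, which is why the T_j must never repeat under one key.
    pt_other = b"Retreat at dusk"
    ct_other = ctr_crypt(key, nonce, pt_other)
    keystream_cancels = (bytes(x ^ y for x, y in zip(ct, ct_other))
                         == bytes(x ^ y for x, y in zip(pt, pt_other)))

    return round_trip_ok, random_access_ok, error_is_local, keystream_cancels
```

`demo()` returns four booleans, all True: the mode round-trips with a partial last block, block 2 decrypts on its own, a single flipped ciphertext bit changes a single plaintext bit, and two messages under one nonce leak the XOR of their plaintexts. The last two results are the concrete reasons behind the "must be used with a MAC" and "counters must all differ" requirements: CTR by itself offers confidentiality only, and only while the keystream is never reused.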