Introduction
This standard was adopted to replace the original DES (Data Encryption Standard), which had been analyzed by many parties and was widely used all over the world. After a five-year selection process, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) as FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. By 2006, the Advanced Encryption Standard had become one of the most popular algorithms in symmetric-key encryption.
The algorithm was designed by the Belgian cryptographers Joan Daemen and Vincent Rijmen. Combining the names of the two authors, it was named Rijndael and submitted to the selection process for the Advanced Encryption Standard. (Rijndael is pronounced like "Rhine doll".)
Explanation
The Advanced Encryption Standard algorithm addresses the worrying problems of DES in many ways. In fact, the methods used to attack the Data Encryption Standard have no effect on the Advanced Encryption Standard algorithm itself. If real 128-bit, or even 256-bit, encryption is used, a brute-force attack will take a very long time to succeed.
Although the Advanced Encryption Standard also has its disadvantages, it is still a relatively new cipher. Therefore, security researchers have not had as much time to experiment with breaking this encryption method. We may at any time discover a brand-new attack method that breaks the Advanced Encryption Standard; at least in theory there is such a possibility.
History
Rijndael is an improvement of Square, designed earlier by Daemen and Rijmen; Square in turn was developed from SHARK.
Unlike its predecessor standard DES, Rijndael uses a substitution-permutation network instead of a Feistel structure. AES encrypts and decrypts quickly in both software and hardware, is relatively easy to implement, and requires very little memory. As a new encryption standard, it is currently being deployed and applied to an ever wider range of uses.
Cipher description
Strictly speaking, AES and Rijndael are not exactly the same cipher (although the two are interchangeable in practical applications), because Rijndael supports a larger range of block and key lengths: the block length of AES is fixed at 128 bits, and the key length can be 128, 192 or 256 bits; the key and block lengths used by Rijndael can be any integer multiple of 32 bits, with a lower limit of 128 bits and an upper limit of 256 bits. The round keys used in the encryption process are generated by the Rijndael key schedule.
Most AES computations are performed in a particular finite field.
The AES encryption process operates on a 4×4 matrix of bytes. This matrix is also called the "state". Its initial value is a plaintext block (each element of the matrix is one byte of the plaintext block). (The Rijndael cipher supports larger blocks, and the number of matrix rows can be increased accordingly.) When encrypting, each round of the AES cipher (except the last round) consists of 4 steps:
AddRoundKey
— Each byte in the matrix is XORed with the round key; each round key is derived by the key schedule.
In the AddRoundKey step, the round key is combined with the current state matrix. In each round, a round key (generated from the master key by the Rijndael key schedule) is used. This key has the same size as the state matrix, so that each byte of the state is combined with its corresponding byte of the round key by exclusive-or (⊕) addition.
SubBytes
— Through a non-linear substitution function, each byte is replaced with the corresponding byte from a look-up table.
In the SubBytes step, each byte in the matrix is transformed by an 8-bit S-box. This step provides the non-linear transformation capability of the cipher. The S-box is derived from the multiplicative inverse in GF(2^8) and is known to have good non-linearity. To resist attacks based on simple algebraic properties, the S-box is constructed by combining the multiplicative inverse with an invertible affine transformation. In addition, fixed points and anti-fixed points were deliberately avoided when constructing the S-box; that is, the S-box never maps a byte to itself or to its bitwise complement.
ShiftRows
— A cyclic shift of the rows of the matrix.
ShiftRows operates on the rows of the matrix. In this step, each row is cyclically shifted to the left by a certain offset. In AES (block size 128 bits), the first row remains unchanged, and each byte in the second row is rotated one position to the left. In the same way, the third and fourth rows are cyclically shifted to the left by offsets of 2 and 3, respectively. 128-bit and 192-bit blocks have the same cyclic shift pattern in this step. After ShiftRows, each column of the matrix is composed of bytes from different columns of the input matrix. In the Rijndael algorithm the offsets differ slightly from AES: for a block length of 256 bits, the first row remains unchanged, and the offsets of the second, third and fourth rows are 1, 3 and 4 bytes respectively. Apart from this, the ShiftRows step is exactly the same in Rijndael and AES.
MixColumns
— Fully mixes the bytes within each column of the matrix. This step uses a linear transformation to mix the four bytes of each column. In the last round, the MixColumns step is omitted and replaced by another AddRoundKey.
Side-channel attacks (also known as side attacks)
Side-channel attacks do not attack the cipher itself, but attack implementations of the cipher in insecure systems that inadvertently leak information.
In April 2005, D. J. Bernstein announced a cache-timing attack by which he broke a server running the OpenSSL AES encryption system. The server was designed to publish all of its timing information, and the attack used more than 200 million chosen plaintexts. Some consider such an attack impractical over the Internet, where traffic passes through multiple hops.
In October 2005, Eran Tromer and two other researchers published a paper showing several cache-timing attacks against AES [8]. One of the attacks requires only 800 write operations and takes 65 milliseconds to obtain a complete AES key. However, the attacker must have permission to run programs on the encrypting system in order to break the cryptosystem with this method.
AES encryption modes
Symmetric/block ciphers are generally used in either stream modes (such as OFB, CFB, etc.) or block modes (such as ECB, CBC, etc.). For stream encryption, the block cipher must be converted into a stream mode of operation.
ECB (Electronic CodeBook) mode
ECB mode is the earliest and simplest mode. It divides the data to be encrypted into several groups, each the same size as the key length, and then encrypts each group with the same key.
Advantages:
1. Simple;
2. Conducive to parallel computing;
3. Errors are not propagated.
Disadvantages:
1. Patterns in the plaintext cannot be hidden;
2. Active attacks on the plaintext may be carried out.
Therefore, this mode is suitable only for encrypting small messages.
CBC (Cipher Block Chaining) mode
Advantages:
1. It is not easy to attack actively, and its security is better than ECB; it is suitable for transmitting long messages. It is the standard for SSL and IPSec.
Disadvantages:
1. Not conducive to parallel computing;
2. Error propagation;
3. Needs an initialization vector (IV).
CFB (Cipher FeedBack) mode
Advantages:
1. Patterns in the plaintext are hidden;
2. The block cipher is converted into a stream mode;
3. Data smaller than a block can be encrypted and transmitted promptly.
Disadvantages:
1. Not conducive to parallel computing;
2. Error propagation: damage to one plaintext unit affects multiple units;
3. A unique IV is required.
OFB (Output FeedBack) mode
Advantages:
1. Patterns in the plaintext are hidden;
2. The block cipher is converted into a stream mode;
3. Data smaller than a block can be encrypted and transmitted promptly.
Disadvantages:
1. Not conducive to parallel computing;
2. Active attacks on the plaintext are possible;
3. Error propagation: damage to one plaintext unit affects multiple units.
CTR (counter) mode
Counter mode (CTR mode) encryption encrypts a series of input blocks (called counters) to produce a series of output blocks; each output block is XORed with the plaintext to produce the ciphertext. The last data block may be a partial block of u bits: those u bits are used in the XOR operation, and the remaining b−u bits of the output block are discarded (b is the block length). CTR decryption is similar. The counters in the series must all be different from each other. Suppose the counters are denoted T1, T2, …, Tn. CTR mode can then be defined as follows:
The CTR encryption formula is:
C_j = P_j ⊕ E_k(T_j), j = 1, 2, …, n−1
C*_n = P*_n ⊕ MSB_u(E_k(T_n))
The CTR decryption formula is:
P_j = C_j ⊕ E_k(T_j), j = 1, 2, …, n−1
P*_n = C*_n ⊕ MSB_u(E_k(T_n))
Encryption method: the cipher generates a stream of 16-byte pseudo-random blocks; each pseudo-random block is XORed with the input plaintext to produce the ciphertext output. XORing the ciphertext with the same pseudo-random block regenerates the plaintext.
CTR mode is widely used in ATM network security and IPSec applications. Compared with other modes, CTR mode has the following characteristics:
■ Hardware efficiency: multiple plaintext/ciphertext blocks can be processed simultaneously.
■ Software efficiency: parallel computation is possible, and parallel techniques such as CPU pipelining can be used to good effect.
■ Preprocessing: the output of the cipher does not depend on the plaintext or ciphertext input. Therefore, if there is enough memory and security can be ensured, the encryption itself reduces to a series of XOR operations, which greatly improves throughput.
■ Random access: decrypting the i-th ciphertext block does not depend on the (i−1)-th ciphertext block, which gives high random-access capability.
■ Provable security: CTR can be proved to be at least as secure as the other modes of operation (CBC, CFB, OFB, ...).
■ Simplicity: unlike other modes, CTR mode requires only the encryption algorithm to be implemented, not the decryption algorithm. For AES and other ciphers whose encryption and decryption are essentially different, this simplification is considerable.
■ No padding: it can be used efficiently as a stream cipher.
■ Errors are not propagated: if a bit of the ciphertext is inverted in transmission, only the decryption of the block containing that bit is affected. In CTR mode, after k+1 steps of self-synchronization, the subsequent ciphertext decrypts correctly. (k denotes the block length, 128.)
■ It must be used together with a message authentication code (MAC).
■ No integrity check is possible: loss of bits during ciphertext transmission causes all subsequent bits to decrypt incorrectly.
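The CTR formulas above (including the MSB_u handling of a partial final block) and the error-propagation and integrity items in the list above, as an added example that is not part of the original article. E_k here is a stand-in keyed function built from HMAC-SHA256 truncated to the block length, not AES; the counter-block layout (8-byte nonce followed by a big-endian block index) is likewise an assumption, since the text only requires the T_j to be distinct.

```python
import hashlib
import hmac

BLOCK = 16  # b = 128 bits, the AES block length

def e_k(key, counter_block):
    """STAND-IN for the block cipher E_k (not AES): HMAC-SHA256 cut to b bytes."""
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]

def counter_blocks(nonce, n):
    """T_1 .. T_n, assumed layout: 8-byte nonce || 64-bit big-endian block index."""
    return [nonce + j.to_bytes(8, "big") for j in range(1, n + 1)]

def ctr_crypt(key, nonce, data):
    """Encryption and decryption are the same operation. The final block may be
    partial: only the leading u bytes of E_k(T_n), i.e. MSB_u, are XORed in."""
    n = -(-len(data) // BLOCK)  # ceiling division: counter blocks needed
    out = bytearray()
    for j, t in enumerate(counter_blocks(nonce, n)):
        chunk = data[j * BLOCK:(j + 1) * BLOCK]
        keystream = e_k(key, t)[:len(chunk)]  # MSB_u on a short last block
        out += bytes(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)

def flip_bit(buf, bit_index):
    """Invert one bit of a buffer (models the transmission error in the list above)."""
    b = bytearray(buf)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)

def demo():
    key = bytes(range(16))       # constructed demo key
    nonce = b"\x00" * 8          # a nonce must never repeat under the same key
    pt = b"CTR needs no padding: 37 bytes here!!"  # 37 bytes = 2 full blocks + u = 40 bits
    ct = ctr_crypt(key, nonce, pt)
    same_length = len(ct) == len(pt)          # no padding, stream-cipher-like
    roundtrip = ctr_crypt(key, nonce, ct) == pt
    # One inverted ciphertext bit inverts exactly one plaintext bit and nothing
    # detects it, which is why the list above pairs CTR with a MAC.
    damaged = ctr_crypt(key, nonce, flip_bit(ct, 8 * 20 + 2))
    changed = [i for i in range(len(pt)) if damaged[i] != pt[i]]
    return same_length, roundtrip, changed
```

`demo()` returns `(True, True, [20])`: the ciphertext is as long as the 37-byte plaintext, decryption reuses `ctr_crypt`, and the single flipped bit damages only byte 20.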