Advanced Encryption Standard

The synonym "aes" (Advanced Encryption Standard) generally refers to the Advanced Encryption Standard.

Introduction

This standard was created to replace the original DES (Data Encryption Standard), which had been analyzed by many parties and was widely used all over the world. After a five-year selection process, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) in FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. By 2006, the Advanced Encryption Standard had become one of the most popular algorithms in symmetric-key encryption.

The algorithm was designed by the Belgian cryptographers Joan Daemen and Vincent Rijmen; combining the names of the two authors, it was named Rijndael and submitted to the selection process for the Advanced Encryption Standard. (Rijndael is pronounced like "Rhine doll".)

Explanation

The Advanced Encryption Standard algorithm solves worrying problems in many ways. In fact, the methods used to attack the Data Encryption Standard have no effect on the Advanced Encryption Standard algorithm itself. If real 128-bit encryption, or even 256-bit encryption, is used, it will take a very long time for a brute-force attack to succeed.

Although the Advanced Encryption Standard also has its disadvantages, it is still a relatively new protocol. Therefore, security researchers have not had much time to run cracking experiments on this encryption method. We may at any time discover a brand-new attack method that breaks the Advanced Encryption Standard; at least in theory there is such a possibility.

History

Rijndael is an improvement of Square, designed by Daemen and Rijmen in the early days; and Square was developed from SHARK.

Different from its predecessor standard DES, Rijndael uses a substitution-permutation architecture instead of a Feistel architecture. AES can quickly encrypt and decrypt in both software and hardware, is relatively easy to implement, and requires very little memory. As a new encryption standard, it is currently being deployed and applied to an ever wider range of uses.

Cipher description

Strictly speaking, AES and Rijndael encryption are not exactly the same (although the two are interchangeable in practical applications), because Rijndael encryption supports a larger range of block and key lengths: the block length of AES is fixed at 128 bits, and the key length can be 128, 192 or 256 bits; the key and block length used by Rijndael can be any integer multiple of 32 bits, with a lower limit of 128 bits and an upper limit of 256 bits. The key used in the encryption process is generated by the Rijndael key generation scheme.

Most AES calculations are done in a special finite field.

The AES encryption process operates on a 4×4 byte matrix. This matrix is also called the "state". Its initial value is a plaintext block (each element of the matrix is one byte of the plaintext block). (The Rijndael encryption method supports larger blocks, and the number of matrix rows can be increased according to the situation.) When encrypting, each round of the AES encryption cycle (except the last round) includes 4 steps:

AddRoundKey

— Each byte in the matrix is XORed with the round key; each sub-key is generated by the key generation scheme.

In the AddRoundKey step, the round key is combined with the original matrix. In each encryption cycle, a round key (generated by the Rijndael key generation scheme) is derived from the master key. This key has the same size as the original matrix, so that each byte of the original matrix is added to its corresponding round-key byte by exclusive-or (⊕).

SubBytes

— Through a non-linear substitution function, each byte is replaced with the corresponding byte by means of a look-up table.

In the SubBytes step, each byte in the matrix is converted by an 8-bit S-box. This step provides the non-linear transformation capability of the encryption method. The S-box is derived from the multiplicative inverse in GF(2^8) and is known to have good non-linearity characteristics. In order to avoid attacks based on simple algebraic properties, the S-box is constructed by combining the multiplicative inverse with an invertible affine transformation matrix. In addition, when constructing the S-box, fixed points and anti-fixed points were deliberately avoided; that is, substituting a byte through the S-box never yields the byte itself or its bitwise complement.

ShiftRows

— Circularly shift each row in the matrix.

ShiftRows describes the row operations of the matrix. In this step, each row is cyclically shifted to the left by a certain offset. In AES (block size 128 bits), the first row remains unchanged, and each byte in the second row rotates one position to the left. In the same way, the offsets of the cyclic left shifts of the third row and the fourth row are 2 and 3, respectively. The 128-bit and 192-bit blocks have the same cyclic shift pattern in this step. After ShiftRows, each column in the matrix is composed of elements from different columns of the input matrix. In the Rijndael algorithm, the offset is slightly different from AES; for a block with a length of 256 bits, the first row remains unchanged, and the offsets of the second, third, and fourth rows are 1 byte, 3 bytes and 4 bytes respectively. Apart from that, the operation steps of ShiftRows are exactly the same in Rijndael and AES.

MixColumns

— In order to fully mix the bytes of each column in the matrix. This step uses a linear transformation to mix the four bytes in each column. In the last encryption round, the MixColumns step is omitted and replaced by another AddRoundKey.
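As an added illustration of the four round steps described above (this is example code written for this page, not code from the page itself or from FIPS 197), the following Python builds AES-128 from first principles: GF(2^8) multiplication with the AES reduction polynomial, the S-box computed as multiplicative inverse followed by the affine map, the Rijndael key schedule, and the AddRoundKey / SubBytes / ShiftRows / MixColumns sequence with MixColumns dropped in the final round. The state is kept as a flat list of 16 bytes in column-major order (byte index = row + 4·column). The test values are the published FIPS 197 vectors; the code is for study, not for production use (it is not constant-time).

```python
"""AES-128 block encryption written out step by step (educational; not constant-time)."""


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce by the AES polynomial
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); inverse of 0 is defined as 0."""
    r = 1
    for _ in range(254):  # naive exponentiation is fine for filling a 256-entry table
        r = gf_mul(r, a)
    return r


def build_sbox() -> list:
    """S-box entry = affine transform of the field inverse: the only non-linear step of AES."""
    sbox = []
    for x in range(256):
        inv = gf_inv(x)
        y = inv ^ 0x63  # constant of the affine map
        for shift in (1, 2, 3, 4):  # XOR of four left rotations of the inverse
            y ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(y)
    return sbox


SBOX = build_sbox()


def expand_key(key: bytes) -> list:
    """Rijndael key schedule for a 16-byte key: 11 round keys of 16 bytes (as int lists)."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]            # RotWord
            t = [SBOX[b] for b in t]     # SubWord
            t[0] ^= rcon                 # round constant
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def add_round_key(s: list, k: list) -> list:
    return [a ^ b for a, b in zip(s, k)]


def sub_bytes(s: list) -> list:
    return [SBOX[b] for b in s]


def shift_rows(s: list) -> list:
    """Row r (bytes r, r+4, r+8, r+12) rotates left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s: list) -> list:
    """Each column is multiplied by the fixed circulant matrix (2 3 1 1) over GF(2^8)."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
                gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)]
    return out


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """One 16-byte block: initial AddRoundKey, 9 full rounds, final round without MixColumns."""
    if len(block) != 16:
        raise ValueError("AES works on 16-byte blocks")
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])
    return bytes(s)


if __name__ == "__main__":
    # FIPS 197 Appendix C.1 vector
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
```

Computing the S-box rather than pasting the 256-entry table makes the "inverse plus affine map" construction from the SubBytes paragraph visible, and the FIPS 197 Appendix B and C vectors confirm that the round sequence, the column-major state layout and the key schedule are all correct.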

Side-channel attacks

Side-channel attacks do not attack the cipher itself, but attack encryption systems that are implemented on insecure platforms (which inadvertently disclose information).

In April 2005, D. J. Bernstein announced a cache-timing attack with which he cracked a client-server system running the OpenSSL AES encryption system. In order to get the server to reveal all of its timing information, the attack used more than 200 million chosen plaintexts. Some people think that such an attack method is not practical over the Internet, where traffic crosses multiple hops.

In October 2005, Eran Tromer and two other researchers published a paper showing several cache-timing attacks against AES [8]. One of the attacks requires only 800 write operations and takes 65 milliseconds to obtain a complete AES key. However, the attacker must have permission to run programs on the encrypting system in order to break the cryptosystem with this method.

AES encryption modes

Symmetric/block ciphers are generally used either in stream modes (such as OFB, CFB, etc.) or in block modes (such as ECB, CBC, etc.). For stream encryption, the block cipher needs to be converted into a stream mode to work. For block encryption, if you want to encrypt data that exceeds the block size, padding and chaining modes are involved.

ECB (Electronic Code Book) mode

ECB mode is the earliest and simplest mode. It divides the data to be encrypted into several blocks, each block being the same size as the key length, and then encrypts each block with the same key.

Advantages:

1. Simple;
2. Conducive to parallel computing;
3. Errors are not propagated.

Disadvantages:

1. Patterns in the plaintext cannot be hidden;
2. Active attacks on the plaintext may be carried out.

Therefore, this mode is only suitable for encrypting small messages.

CBC (Cipher Block Chaining) mode

Advantages:

1. Not easy to attack actively; its security is better than ECB, and it is suitable for transmitting long messages. It is the standard mode in SSL and IPSec.

Disadvantages:

1. Not conducive to parallel computing;
2. Error propagation;
3. Needs an initialization vector (IV).

CFB (Cipher Feedback) mode

Advantages:

1. Patterns in the plaintext are hidden;
2. The block cipher is converted into a stream mode;
3. Data smaller than a block can be encrypted and transmitted without delay.

Disadvantages:

1. Not conducive to parallel computing;
2. Error propagation: damage to one plaintext unit affects multiple units;
3. The IV must be unique.

OFB (Output Feedback) mode

Advantages:

1. Patterns in the plaintext are hidden;
2. The block cipher is converted into a stream mode;
3. Data smaller than a block can be encrypted and transmitted without delay.

Disadvantages:

1. Not conducive to parallel computing;
2. Active attacks on the plaintext are possible;
3. Error propagation: damage to one plaintext unit affects multiple units.

CTR (Counter) mode

Counter mode (CTR mode) encryption encrypts a series of input data blocks (called counters) to produce a series of output blocks; each output block is XORed with the plaintext to get the ciphertext. The last data block may be a partial block of u bits. Only u bits of the output block are used for the XOR operation, and the remaining b−u bits are discarded (b is the block length). CTR decryption is similar. The counters in this series must all be different from each other. Suppose the counters are denoted T1, T2, …, Tn. CTR mode can then be defined as follows:

The CTR encryption formulas are:

C_j = P_j XOR E_k(T_j),  j = 1, 2, …, n−1;
C*_n = P*_n XOR MSB_u(E_k(T_n))

The CTR decryption formulas are:

P_j = C_j XOR E_k(T_j),  j = 1, 2, …, n−1;
P*_n = C*_n XOR MSB_u(E_k(T_n))

Encryption method: the cipher generates a stream of 16-byte pseudo-random blocks; each pseudo-random block is XORed with the input plaintext to produce the ciphertext output. XORing the ciphertext with the same pseudo-random stream regenerates the plaintext.

CTR mode is widely used in ATM network security and IPSec applications. Compared with other modes, CTR mode has the following characteristics:

■ Hardware efficiency: allows simultaneous processing of multiple plaintext/ciphertext blocks.

■ Software efficiency: parallel computing is allowed, and parallel techniques such as CPU pipelining can be exploited well.

■ Preprocessing: the output of the block cipher does not depend on the plaintext or ciphertext input. Therefore, given enough memory (and adequate protection of the precomputed keystream), the encryption itself reduces to a series of XOR operations, which greatly improves throughput.

■ Random access: decryption of the i-th ciphertext block does not depend on the (i−1)-th ciphertext block, providing high random-access capability.

■ Provable security: it can be proved that CTR is at least as secure as the other modes (CBC, CFB, OFB, ...).

■ Simplicity: unlike other modes, CTR mode only requires the implementation of the encryption algorithm, not the decryption algorithm. For AES and other ciphers whose encryption and decryption are essentially different, this simplification is huge.

■ Without padding, it can be used efficiently as a stream cipher.

■ Errors are not propagated: a bit that is flipped during ciphertext transmission only affects the decryption of the block in which it lies. In CTR mode, after k+1 steps of self-synchronization, the subsequent ciphertext can be decrypted correctly (k means the block length, 128).

■ It must be used together with a message authentication code (MAC).

■ No integrity check is possible: loss of bits during ciphertext transmission will cause subsequent bits to fail to decrypt correctly.
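The following Python is an added example (not code from the page) covering both the ECB section above and the CTR definition: it implements C_j = P_j XOR E_k(T_j) with the MSB_u truncation for a partial last block, random-access decryption of a single block, and ECB for contrast. Because CTR only ever needs the forward direction E_k, a stand-in keyed function (truncated SHA-256 over key and counter block) is used in place of the AES block cipher so the example runs with the standard library alone; the counter format (8-byte nonce followed by a 64-bit big-endian counter), the key, the nonce and the message are constructed values. The last two functions show why ECB leaks plaintext structure and why CTR needs a MAC: a flipped ciphertext bit decrypts to a flipped plaintext bit in exactly one place, with nothing to tell the receiver it happened.

```python
"""CTR mode (with ECB for contrast) on top of a stand-in block function. Example code."""
import hashlib

BLOCK = 16  # b = 128 bits, the AES block size


def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's forward direction E_k (NOT AES): keyed SHA-256
    truncated to one block. CTR and ECB only call E_k, so the mode logic is unchanged."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def counter_block(nonce: bytes, j: int) -> bytes:
    """T_j: 8-byte per-message nonce || 64-bit big-endian counter (constructed format).
    Distinct j for one nonce, and a fresh nonce per message, keep every T_j unique."""
    return nonce + j.to_bytes(8, "big")


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """C_j = P_j XOR E_k(T_j). For a partial last block of u bytes only the first u bytes
    (MSB_u) of E_k(T_n) are used and the rest discarded. Decryption is the same call."""
    out = bytearray()
    for j, start in enumerate(range(0, len(data), BLOCK)):
        chunk = data[start:start + BLOCK]
        keystream = prf_block(key, counter_block(nonce, j))[:len(chunk)]
        out += bytes(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


def ctr_decrypt_block(key: bytes, nonce: bytes, ciphertext: bytes, i: int) -> bytes:
    """Random access: block i needs only T_i, never ciphertext block i-1."""
    chunk = ciphertext[i * BLOCK:(i + 1) * BLOCK]
    keystream = prf_block(key, counter_block(nonce, i))[:len(chunk)]
    return bytes(c ^ k for c, k in zip(chunk, keystream))


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every full block encrypted independently under the same key (no padding here)."""
    if len(data) % BLOCK:
        raise ValueError("ECB needs whole blocks; pad first")
    return b"".join(prf_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def repeated_block_count(ciphertext: bytes) -> int:
    """Number of duplicate ciphertext blocks; anything above 0 leaks plaintext structure."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def flip_bit_and_decrypt(key: bytes, nonce: bytes, ciphertext: bytes,
                         byte_index: int, bit: int = 0) -> bytes:
    """Flip one ciphertext bit, then decrypt. CTR confines the damage to that one plaintext
    bit (no error propagation) and nothing detects it: hence the MAC requirement."""
    tampered = bytearray(ciphertext)
    tampered[byte_index] ^= 1 << bit
    return ctr_crypt(key, nonce, bytes(tampered))


# Constructed sample values (not taken from any real system)
KEY = b"0123456789abcdef"
NONCE = b"\x00\x01\x02\x03\x04\x05\x06\x07"
# two identical 16-byte blocks followed by a 4-byte partial block (u = 32 bits)
MESSAGE = b"block one ......block one ......tail"

if __name__ == "__main__":
    ct = ctr_crypt(KEY, NONCE, MESSAGE)
    print("ctr round trip ok:", ctr_crypt(KEY, NONCE, ct) == MESSAGE)
    print("ecb duplicate blocks:", repeated_block_count(ecb_encrypt(KEY, MESSAGE[:32])))
    print("ctr duplicate blocks:", repeated_block_count(ct[:32]))
    print("tampered byte 5:", flip_bit_and_decrypt(KEY, NONCE, ct, 5)[:16])
```

Swapping `prf_block` for a real AES block encryption gives standard AES-CTR with this counter layout; the keystream, truncation and random-access logic do not change, which is exactly the "only the encryption direction is needed" property listed above.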
