lecture 7 overview. advanced encryption standard 10, 12, 14 rounds for 128, 192, 256 bit keys –...
Advanced Encryption Standard
• 10, 12, 14 rounds for 128, 192, 256 bit keys
  – Regular Rounds (9, 11, 13)
  – Final Round is different (10th, 12th, 14th)
• Each regular round consists of 4 steps
  – Byte substitution (BSB)
  – Shift row (SR)
  – Mix column (MC)
  – Add Round key (ARK)
CS 450/650 Lecture 7: AES 2
AES Overview
[Figure: AES overview. Labels: Plaintext (128), ARK with Subkey0, 9 rounds, BSB, SR, ARK with Subkey10, Ciphertext (128)]
State
b0 b4 b8 b12
b1 b5 b9 b13
b2 b6 b10 b14
b3 b7 b11 b15
– 128-bit block → 4 x 4 matrix
– 128 bits → 16 bytes b0, b1, b2, .., b15
Key
k0 k4 k8 k12
k1 k5 k9 k13
k2 k6 k10 k14
k3 k7 k11 k15
– 128-bit key → 4 x 4 matrix
– 128 bits → 16 bytes k0, k1, k2, .., k15
Four Operations
1. Byte Substitution (confusion)
  – predefined substitution table s[i,j] → s’[i,j]
2. Shift Row (diffusion)
  – left circular shift
3. Mix Columns (diffusion and confusion)
  – 4 elements in each column are multiplied by a polynomial
4. Add Round Key (confusion)
  – Key is derived and added to each column
Shift Row (128-bit)
b0 b4 b8  b12         b0  b4  b8  b12
b1 b5 b9  b13    →    b5  b9  b13 b1
b2 b6 b10 b14         b10 b14 b2  b6
b3 b7 b11 b15         b15 b3  b7  b11
Mix Column
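$$
\begin{pmatrix} S'_{0,i} \\ S'_{1,i} \\ S'_{2,i} \\ S'_{3,i} \end{pmatrix}
=
\begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}
*
\begin{pmatrix} S_{0,i} \\ S_{1,i} \\ S_{2,i} \\ S_{3,i} \end{pmatrix}
$$
Multiplying by 1 → no change
Multiplying by 2 → shift left one bit
Multiplying by 3 → shift left one bit and XOR with original value
More than 8 bits → 100011011 is subtracted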
Add Key
b0 b4 b8  b12          k0 k4 k8  k12
b1 b5 b9  b13   XOR    k1 k5 k9  k13
b2 b6 b10 b14          k2 k6 k10 k14
b3 b7 b11 b15          k3 k7 k11 k15
b’x = bx XOR kx
Key Generation
[Figure: key generation. Two rows of four 4-byte words; steps labelled: circular left shift by 1 byte, S-box, XOR with round constant, XOR]
DES vs AES
                         | DES                          | AES
Date                     | 1976                         | 1999
Block size               | 64 bits                      | 128 bits
Key length               | 56 bits                      | 128, 192, 256, … bits
Encryption primitives    | Substitution and permutation | Substitution, shift, bit mixing
Cryptographic primitives | Confusion and diffusion      | Confusion and diffusion
Design                   | Open                         | Open
Design rationale         | Closed                       | Open
Selection process        | Secret                       | Secret (accepted public comment)
Source                   | IBM, enhanced by NSA         | Belgian cryptographers
Cryptographic Hash Functions
• Message Digest Functions
  – Protect integrity
  – Create a message digest or fingerprint of a digital document
  – MD4, MD5, SHA
• Message Authentication Codes (MACs)
  – Protect both integrity and authenticity
  – Produce fingerprints based on both a given document and a secret key
CS 450/650 Lecture 7: Hash Functions 12
Message Digest Functions
• Checksums → fingerprint of a message
  – If the message changes, the checksum will not match
• Most checksums are good at detecting accidental changes made to a message
  – They are not designed to prevent an adversary from intentionally changing a message, resulting in a message with the same checksum
• Message digests are designed to protect against this possibility
One-Way Hash Functions
Example
• M = “Elvis”
• H(M) = (“E” + “L” + “V” + “I” + “S”) mod 26
• H(M) = (5 + 12 + 22 + 9 + 19) mod 26
• H(M) = 67 mod 26
• H(M) = 15
[Figure: M → H → H(M) = h]
Collision
Example
• x = “Viva”
• y = “Vegas”
• H(x) = H(y) = 2
[Figure: x → H → H(x); y → H → H(y); H(x) = H(y)]
Collision-resistant, One-way hash fnc.
• Given M,
  – it is easy to compute h
• Given any h,
  – it is hard to find any M such that H(M) = h
• Given M1, it is difficult to find M2
  – such that H(M1) = H(M2)
• Functions that satisfy these criteria are called message digests
  – They produce a fixed-length digest (fingerprint)
Message Authentication Codes
• A message authentication code (MAC) is a key-dependent message digest function
  – MAC(M,k) = h
A MAC Based on a Block Cipher
[Figure: message blocks fed through a chain of Encrypt stages under key k, with an XOR between stages; the final output is the MAC]
Lecture 8
Secure Hash Algorithm
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
Secure Hash Algorithm (SHA)
• SHA-0 1993
• SHA-1 1995
• SHA-2 2002
  – SHA-224, SHA-256, SHA-384, SHA-512
[Figure: a message composed of b bits → SHA-1 → 160-bit message digest]
CS 450/650 Lecture 8: Secure Hash Algorithm 20
Step 1 -- Padding
• Padding → the total length of a padded message is a multiple of 512
  – Every message is padded even if its length is already a multiple of 512
• Padding is done by appending to the input
  – A single bit, 1
  – Enough additional bits, all 0, to make the final 512-bit block exactly 448 bits long
  – A 64-bit integer representing the length of the original message in bits
Padding (cont.)
[Figure: Message | 1 (1 bit) | 0…0 | Message length (64 bits); total length is a multiple of 512]
Example
• M = 01100010 11001010 1001 (20 bits)
• Padding is done by appending to the input
  – A single bit, 1
  – 427 0s
  – A 64-bit integer representing 20
• Pad(M) = 01100010 11001010 10011000 … 00010100
Example
• Length of M = 500 bits
• Padding is done by appending to the input:
  – A single bit, 1
  – 459 0s
  – A 64-bit integer representing 500
• Length of Pad(M) = 1024 bits
Step 2 -- Dividing Pad(M)
• Pad (M) = B1, B2, B3, …, Bn
• Each Bi denotes a 512-bit block
• Each Bi is divided into 16 32-bit words
  – W0, W1, …, W15
Step 3 – Compute W16 – W79
• To Compute word Wj (16<=j<=79)
– W[j-3], W[j-8], W[j-14], W[j-16] are XORed
– The result is circularly left shifted one bit
Step 4 – Initialize A,B,C,D,E
• A = H0
• B = H1
• C = H2
• D = H3
• E = H4
Initialize 32-bit words
• H0 = 67452301
• H1 = EFCDAB89
• H2 = 98BADCFE
• H3 = 10325476
• H4 = C3D2E1F0
• K0 – K19 = 5A827999
• K20 – K39 = 6ED9EBA1
• K40 – K59 = 8F1BBCDC
• K60 – K79 = CA62C1D6
Step 5 – Loop
For j = 0 … 79
  TEMP = CircLeftShift_5(A) + fj(B,C,D) + E + Wj + Kj
  E = D; D = C; C = CircLeftShift_30(B); B = A; A = TEMP
Done
+ → addition (ignore overflow)
Four functions
• For j = 0 … 19
  – fj(B,C,D) = (B AND C) OR ((NOT B) AND D)
• For j = 20 … 39
  – fj(B,C,D) = (B XOR C XOR D)
• For j = 40 … 59
  – fj(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)
• For j = 60 … 79
  – fj(B,C,D) = (B XOR C XOR D)
Step 6 – Final
• H0 = H0 + A
• H1 = H1 + B
• H2 = H2 + C
• H3 = H3 + D
• H4 = H4 + E
Done
• Once these steps have been performed on each 512-bit block (B1, B2, …, Bn) of the padded message,
  – the 160-bit message digest is given by
H0 H1 H2 H3 H4
SHA   | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | Operations                 | Collisions found
SHA-0 | 160                | 160                        | 512               | 2^64 − 1                | 32               | 80     | +, and, or, xor, rot       | Yes
SHA-1 | 160                | 160                        | 512               | 2^64 − 1                | 32               | 80     | +, and, or, xor, rot       | None (2^52 attack)
SHA-2 | 256/224            | 256                        | 512               | 2^64 − 1                | 32               | 64     | +, and, or, xor, shr, rot  | None
SHA-2 | 512/384            | 512                        | 1024              | 2^128 − 1               | 64               | 80     | +, and, or, xor, shr, rot  | None