Lecture 7 Overview

Upload: zachary-limehouse

Post on 14-Dec-2015

Advanced Encryption Standard

• 10, 12, 14 rounds for 128, 192, 256 bit keys
  – Regular Rounds (9, 11, 13)
  – Final Round is different (10th, 12th, 14th)

• Each regular round consists of 4 steps
  – Byte substitution (BSB)
  – Shift row (SR)
  – Mix column (MC)
  – Add Round key (ARK)

CS 450/650 Lecture 7: AES 2

AES Overview

[Figure: Plaintext (128) → ARK with Subkey0 → 9 rounds → BSB → SR → ARK with Subkey10 → Ciphertext (128)]

State

b0 b4 b8  b12
b1 b5 b9  b13
b2 b6 b10 b14
b3 b7 b11 b15

– 128-bit block: 4 x 4 matrix
– 128 bits: 16 bytes b0, b1, b2, .., b15

Key

k0 k4 k8  k12
k1 k5 k9  k13
k2 k6 k10 k14
k3 k7 k11 k15

– 128-bit key: 4 x 4 matrix
– 128 bits: 16 bytes k0, k1, k2, .., k15

Four Operations

1. Byte Substitution
   – predefined substitution table s[i,j] → s’[i,j]
2. Shift Row
   – left circular shift
3. Mix Columns
   – 4 elements in each column are multiplied by a polynomial
4. Add Round Key
   – Key is derived and added to each column

[Slide labels: diffusion; diffusion and confusion; confusion; confusion]

Shift Row (128-bit)

Before:
b0 b4 b8  b12
b1 b5 b9  b13
b2 b6 b10 b14
b3 b7 b11 b15

After:
b0  b4  b8  b12
b5  b9  b13 b1
b10 b14 b2  b6
b15 b3  b7  b11

Mix Column

S’0,i     2 3 1 1     S0,i
S’1,i  =  1 2 3 1  *  S1,i
S’2,i     1 1 2 3     S2,i
S’3,i     3 1 1 2     S3,i

– Multiplying by 1: no change
– Multiplying by 2: shift left one bit
– Multiplying by 3: shift left one bit and XOR with original value
– More than 8 bits: 100011011 is subtracted

Add Key

b0 b4 b8  b12
b1 b5 b9  b13
b2 b6 b10 b14
b3 b7 b11 b15

k0 k4 k8  k12
k1 k5 k9  k13
k2 k6 k10 k14
k3 k7 k11 k15

b’x = bx XOR kx

Key Generation

[Figure: key schedule. Labels: four 4-byte words in, four 4-byte words out; circular left shift 1 byte; S-box; XOR; round constant]

DES vs AES

| | DES | AES |
|---|---|---|
| Date | 1976 | 1999 |
| Block size | 64 bits | 128 bits |
| Key length | 56 bits | 128, 192, 256, … bits |
| Encryption primitives | Substitution and permutation | Substitution, shift, bit mixing |
| Cryptographic primitives | Confusion and diffusion | Confusion and diffusion |
| Design | Open | Open |
| Design rationale | Closed | Open |
| Selection process | Secret | Secret (accepted public comment) |
| Source | IBM, enhanced by NSA | Belgian cryptographers |

Cryptographic Hash Functions

• Message Digest Functions
  – Protect integrity
  – Create a message digest or fingerprint of a digital document
  – MD4, MD5, SHA

• Message Authentication Codes (MACs)
  – Protect both integrity and authenticity
  – Produce fingerprints based on both a given document and a secret key

CS 450/650 Lecture 7: Hash Functions 12

Message Digest Functions

• Checksums: fingerprint of a message
  – If message changes, checksum will not match

• Most checksums are good in detecting accidental changes made to a message
  – They are not designed to prevent an adversary from intentionally changing a message, resulting in a message with the same checksum

• Message digests are designed to protect against this possibility

One-Way Hash Functions

Example
• M = “Elvis”
• H(M) = (“E” + “L” + “V” + “I” + “S”) mod 26
• H(M) = (5 + 12 + 22 + 9 + 19) mod 26
• H(M) = 67 mod 26
• H(M) = 15

[Figure: M → H → H(M) = h]

Collision

Example
• x = “Viva”
• y = “Vegas”
• H(x) = H(y) = 2

[Figure: x → H → H(x); y → H → H(y); H(x) = H(y)]

Collision-resistant, One-way hash fnc.

• Given M,
  – it is easy to compute h

• Given any h,
  – it is hard to find any M such that H(M) = h

• Given M1, it is difficult to find M2
  – such that H(M1) = H(M2)

• Functions that satisfy these criteria are called message digests
  – They produce a fixed-length digest (fingerprint)

Message Authentication Codes

• A message authentication code (MAC) is a key-dependent message digest function
  – MAC(M,k) = h

A MAC Based on a Block Cipher

[Figure: each message block is encrypted under key k; from the second block on, the block is XORed with the previous Encrypt output before encryption; the last output is the MAC]
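The chained construction in the figure above, as an added example (not code from the lecture). Python's standard library has no block cipher, so `toy_encrypt` is a constructed stand-in Feistel network, not AES; the key, messages and all function names are assumptions made for the example.

```python
import hashlib
import hmac

BLOCK = 16  # bytes, the 128-bit block size used for AES in this lecture

# Constructed sample values for the demonstration.
KEY = b"constructed-demo-key"
MSG = b"pay 100 to alice, invoice 0001"
TAMPERED = b"pay 900 to alice, invoice 0001"

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for Encrypt: a 4-round Feistel permutation. Not AES, not for real use."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_mac(key: bytes, message: bytes) -> bytes:
    """XOR each block with the previous Encrypt output, encrypt, keep the last output."""
    padded = message + b"\x80"                      # a 1 bit, then 0 bits
    padded += b"\x00" * (-len(padded) % BLOCK)      # fill the last block
    chain = bytes(BLOCK)                            # first block has nothing to XOR with
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], chain))
        chain = toy_encrypt(key, mixed)
    return chain                                    # MAC(M, k) = h

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(cbc_mac(key, message), tag)

if __name__ == "__main__":
    tag = cbc_mac(KEY, MSG)
    print(tag.hex(), verify(KEY, MSG, tag), verify(KEY, TAMPERED, tag))
```

Raw CBC-MAC is only sound when all messages have the same length; CMAC is the standardized variant for variable-length input.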

Lecture 8

Secure Hash Algorithm

CS 450/650

Fundamentals of Integrated Computer Security

Slides are modified from Hesham El-Rewini

Secure Hash Algorithm (SHA)

• SHA-0 1993
• SHA-1 1995
• SHA-2 2002
  – SHA-224, SHA-256, SHA-384, SHA-512

[Figure: a message composed of b bits → SHA-1 → 160-bit message digest]

CS 450/650 Lecture 8: Secure Hash Algorithm 20

Step 1 -- Padding

• Padding: the total length of a padded message is a multiple of 512
  – Every message is padded even if its length is already a multiple of 512

• Padding is done by appending to the input
  – A single bit, 1
  – Enough additional bits, all 0, to make the final 512-bit block exactly 448 bits long
  – A 64-bit integer representing the length of the original message in bits

Padding (cont.)

[Figure: Message | 1 (1 bit) | 0…0 | Message length (64 bits); total length is a multiple of 512]

Example

• M = 01100010 11001010 1001 (20 bits)

• Padding is done by appending to the input
  – A single bit, 1
  – 427 0s
  – A 64-bit integer representing 20

• Pad(M) = 01100010 11001010 10011000 … 00010100

Example

• Length of M = 500 bits

• Padding is done by appending to the input:
  – A single bit, 1
  – 459 0s
  – A 64-bit integer representing 500

• Length of Pad(M) = 1024 bits

Step 2 -- Dividing Pad(M)

• Pad (M) = B1, B2, B3, …, Bn

• Each Bi denotes a 512-bit block

• Each Bi is divided into 16 32-bit words
  – W0, W1, …, W15

Step 3 – Compute W16 – W79

• To Compute word Wj (16<=j<=79)

– Wj-3, Wj-8, Wj-14 , Wj-16 are XORed

– The result is circularly left shifted one bit


Step 4 – Initialize A,B,C,D,E

• A = H0

• B = H1

• C = H2

• D = H3

• E = H4


Initialize 32-bit words

• H0 = 67452301

• H1 = EFCDAB89

• H2 = 98BADCFE

• H3 = 10325476

• H4 = C3D2E1F0

• K0 – K19 = 5A827999

• K20 – K39 = 6ED9EBA1

• K40 – K59 = 8F1BBCDC

• K60 – K79 = CA62C1D6

Step 5 – Loop

For j = 0 … 79
    TEMP = CircLeShift_5 (A) + fj(B,C,D) + E + Wj + Kj
    E = D; D = C; C = CircLeShift_30(B); B = A; A = TEMP
Done

+ addition (ignore overflow)

Four functions

• For j = 0 … 19
  – fj(B,C,D) = (B AND C) OR ((NOT B) AND D)

• For j = 20 … 39
  – fj(B,C,D) = (B XOR C XOR D)

• For j = 40 … 59
  – fj(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)

• For j = 60 … 79
  – fj(B,C,D) = (B XOR C XOR D)

Step 6 – Final

• H0 = H0 + A

• H1 = H1 + B

• H2 = H2 + C

• H3 = H3 + D

• H4 = H4 + E


Done

• Once these steps have been performed on each 512-bit block (B1, B2, …, Bn) of the padded message,
  – the 160-bit message digest is given by H0 H1 H2 H3 H4

| SHA | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | Operations | Collisions found |
|---|---|---|---|---|---|---|---|---|
| SHA-0 | 160 | 160 | 512 | 2^64 − 1 | 32 | 80 | +, and, or, xor, rot | Yes |
| SHA-1 | 160 | 160 | 512 | 2^64 − 1 | 32 | 80 | +, and, or, xor, rot | None (2^52 attack) |
| SHA-2 | 256/224 | 256 | 512 | 2^64 − 1 | 32 | 64 | +, and, or, xor, shr, rot | None |
| SHA-2 | 512/384 | 512 | 1024 | 2^128 − 1 | 64 | 80 | +, and, or, xor, shr, rot | None |