Block Ciphers: DES and Block Cipher Modes of Operation
April 19, 2013, Computer Security Technology and Practice

Block Ciphers: Further Topics

Double DES: total key space $2^{112}$ bit

[Figure: encryption applies DES twice; decryption applies DES^-1 twice]

Double DES is definitely not a single DES

[Figure: encryption and decryption diagrams; labels DES, DES^-1, C, K3]

Meet-in-the-middle attack: recovering the key

[Figure: P → DES → ? → DES → C]

  • (P, C) is a plaintext-ciphertext pair

Meet-in-the-middle attack: principle

[Figure: P is encrypted with DES under every key K1 = 1 ... $2^{56}$ and each result is recorded; C is decrypted with DES^-1 under every key K2 = 1 ... $2^{56}$ and each result is looked up in the record]

Meet-in-the-middle attack: total computation $2^{56}$ bit

Meet-in-the-middle attack: result

[Figure: P → DES → DES → C]

Triple DES (two keys)

[Figure: encryption and decryption diagrams built from DES and DES^-1 stages]

Triple DES (three keys)

[Figure: encryption and decryption diagrams built from DES and DES^-1 stages; label K3]

Block cipher mode of operation 1: ECB

[Figure: encryption and decryption at time 1, time 2, ..., time N]

Weakness of ECB: identical plaintext fragments produce identical ciphertext fragments

[Figure: original file; file after ECB-mode encryption. Source: /en-us/magazine/cc163522.aspx, please credit the source when reproducing]

Block cipher mode of operation 2: CBC

[Figure: encryption and decryption at time 1, time 2, ..., time N]

Advantage of CBC-mode encryption

[Figure: original file; file after CBC-mode encryption. Source: /en-us/magazine/cc163522.aspx, please credit the source when reproducing]

Weaknesses of CBC mode

  • the IV must be shared by sender and receiver
  • the IV must be protected

Block cipher mode of operation 3: CFB

Block cipher mode of operation 4: OFB

  • if one bit of the ciphertext is flipped, the same bit of the decrypted plaintext is flipped too, i.e. resistance to tampering is weak

Block cipher mode of operation 5: CTR

  • if the plaintext does not fill a whole word, the tail is dropped; no padding is needed
  • can be parallelized
  • can be precomputed
  • allows random access
  • provably secure
  • encryption and decryption are similar

Feedback characteristics of the modes of operation

[Table: CBC, CFB, OFB, CTR]

Characteristics and requirements of storage encryption

  • the attacker can obtain ciphertext at will
  • plaintext and ciphertext have the same size
  • data units are independent of one another and can be accessed individually
  • encryption works on 16-byte blocks
  • no metadata other than the data blocks
  • the same plaintext at different locations encrypts to different ciphertexts, but writing it again to the same location always gives the same ciphertext
  • data is encrypted by a standard-conformant device

XTS-AES for storage devices

[Figure: XTS-AES]

Cryptography and Network Security
Chapter 7
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 7: Stream Ciphers and Random Number Generation

"The comparatively late rise of the theory of probability shows how hard it is to grasp, and the many paradoxes show clearly that we, as humans, lack a well grounded intuition in this matter. In probability theory there is a great deal of art in setting up the model, in solving the problem, and in applying the results back to the real world actions that will follow."
The Art of Probability, Richard Hamming

Random Numbers

  • many uses of random numbers in cryptography
      • nonces in authentication protocols to prevent replay
      • session keys
      • public key generation
      • keystream for a one-time pad
  • in all cases it's critical that these values be
      • statistically random, uniform distribution, independent
      • unpredictability of future values from previous values
  • true random numbers provide this
  • care needed with generated random numbers

Pseudorandom Number Generators (PRNGs)

  • often use deterministic algorithmic techniques to create "random numbers"
      • although are not truly random
      • can pass many tests of "randomness"
  • known as "pseudorandom numbers"
  • created by "Pseudorandom Number Generators (PRNGs)"

Random & Pseudorandom Number Generators

[Figure: random and pseudorandom number generators]

PRNG Requirements

  • randomness
      • uniformity, scalability, consistency
  • unpredictability
      • forward & backward unpredictability
      • use same tests to check
  • characteristics of the seed
      • secure
      • if known adversary can determine output
      • so must be random or pseudorandom number

Linear Congruential Generator

  • common iterative technique using: $X_{n+1} = (aX_n + c) \bmod m$
  • given suitable values of parameters can produce a long random-like sequence
  • suitable criteria to have are:
      • function generates a full-period
      • generated sequence should appear random
      • efficient implementation with 32-bit arithmetic
  • note that an attacker can reconstruct sequence given a small number of values
  • have possibilities for making this harder

Blum Blum Shub Generator

  • based on public key algorithms
  • use least significant bit from iterative equation: $x_i = x_{i-1}^2 \bmod n$, where $n = p \cdot q$, and primes $p, q \equiv 3 \pmod 4$
  • unpredictable, passes next-bit test
  • security rests on difficulty of factoring N
  • is unpredictable given any run of bits
  • slow, since very large numbers must be used
  • too slow for cipher use, good for key generation

Using Block Ciphers as PRNGs

  • for cryptographic applications, can use a block cipher to generate random numbers
  • often for creating session keys from master key
  • CTR: $X_i = E_K[V_i]$
  • OFB: $X_i = E_K[X_{i-1}]$

ANSI X9.17 PRG

[Figure: ANSI X9.17 PRG]

Stream Ciphers

  • process message bit by bit (as a stream)
  • have a pseudo random keystream
  • combined (XOR) with plaintext bit by bit
  • randomness of stream key completely destroys statistical properties in message
      • $C_i = M_i \oplus \mathrm{StreamKey}_i$
  • but must never reuse stream key
      • otherwise can recover messages (cf. book cipher)

Stream Cipher Structure

[Figure: stream cipher structure]

Stream Cipher Properties

  • some design considerations are:
      • long period with no repetitions
      • statistically random
      • depends on large enough key
      • large linear complexity
  • properly designed, can be as secure as a block cipher with same size key
  • but usually simpler & faster

RC4

  • a proprietary cipher owned by RSA DSI
  • another Ron Rivest design, simple but effective
  • variable key size, byte-oriented stream cipher
  • widely used (web SSL/TLS, wireless WEP/WPA)
  • key forms random permutation of all 8-bit values
  • uses that permutation to scramble input info processed a byte at a time

RC4 Key Schedule

  • starts with an array S of numbers: 0..255
  • use key to well and truly shuffle
  • S forms internal state of the cipher

    for i = 0 to 255 do
        S[i] = i
        T[i] = K[i mod keylen]
    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) (mod 256)
        swap(S[i], S[j])

RC4 Encryption

  • encryption continues shuffling array values
  • sum of shuffled pair selects "stream key" value from permutation
  • XOR S[t] with next byte of message to en/decrypt

    i = j = 0
    for each message byte M[i]
        i = (i + 1) (mod 256)
        j = (j + S[i]) (mod 256)
        swap(S[i], S[j])
        t = (S[i] + S[j]) (mod 256)
        C[i] = M[i] XOR S[t]

RC4 Overview

[Figure: RC4 overview]

RC4 Security

  • claimed secure against known attacks
      • have some analyses, none practical
  • result is very non-linear
  • since RC4 is a stream cipher, must never reuse a key
  • have a concern with WEP, but due to key handling rather than RC4 itself

Natural Random Noise

  • best source is natural randomness in real world
  • find a regular but random event and monitor
  • do generally need special h/w to do this
      • eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc
  • starting to see such h/w in new CPUs
  • problems of bias or une
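The record-and-look-up principle of the meet-in-the-middle slides, as an added example that is not part of the original slides. It uses a constructed toy cipher with a 32-bit block and 12-bit keys in place of DES (so it runs in well under a second); `enc`, `dec`, the constants and the sample keys are all assumptions made for illustration.

```python
# Toy cipher (NOT DES): 32-bit block, 12-bit key, constructed for this example.
MASK, KEYBITS = 0xFFFFFFFF, 12
MUL = 0x9E3779B1                    # odd, hence invertible modulo 2**32
INV = pow(MUL, -1, 1 << 32)         # modular inverse (Python 3.8+)

def _rotl(x, r): return ((x << r) | (x >> (32 - r))) & MASK
def _rotr(x, r): return ((x >> r) | (x << (32 - r))) & MASK

def enc(k, p):
    for r in range(4):              # four add / multiply / rotate / xor rounds
        p = ((p + k * 0x01000193 + r) * MUL) & MASK
        p = _rotl(p, 7) ^ k
    return p

def dec(k, c):
    for r in reversed(range(4)):    # exact inverse of enc, round by round
        c = (_rotr(c ^ k, 7) * INV) & MASK
        c = (c - k * 0x01000193 - r) & MASK
    return c

def double_enc(k1, k2, p):
    return enc(k2, enc(k1, p))

def meet_in_the_middle(pairs):
    """Return ((K1, K2) candidates, cipher operations used in the two sweeps)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops, table = 0, {}
    for k1 in range(1 << KEYBITS):              # "record": middle value -> K1
        table.setdefault(enc(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEYBITS):              # "look up the record"
        ops += 1
        for k1 in table.get(dec(k2, c0), []):
            # A further known pair filters out accidental matches.
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

def demo():
    k1, k2 = 0x3A7, 0xC15                       # constructed secret keys
    plaintexts = [0x00000001, 0xDEADBEEF]       # constructed known plaintexts
    pairs = [(p, double_enc(k1, k2, p)) for p in plaintexts]
    found, ops = meet_in_the_middle(pairs)
    return (k1, k2), found, ops

if __name__ == "__main__":
    secret, found, ops = demo()
    print(secret, found, ops, "operations instead of", 1 << (2 * KEYBITS))
```

The two sweeps cost 2 · 2^12 cipher operations rather than the 2^24 of trying every key pair, which is the same ratio that reduces double DES from 2^112 to the order of 2^56.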
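Why the Stream Ciphers and RC4 Security slides insist that a stream key is never reused, as an added example that is not part of the original slides. The RC4 routine follows the key schedule and encryption pseudocode above; the messages, the keys and the HMAC-based per-message key derivation are assumptions made for illustration.

```python
import hashlib
import hmac

def rc4_keystream(key: bytes, n: int) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                        # key schedule: T[i] = K[i mod keylen]
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                          # keystream generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    return xor(data, rc4_keystream(key, len(data)))

def recover_second(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    # With one keystream for both messages, c1 ^ c2 == m1 ^ m2: the key cancels.
    return xor(xor(c1, c2), known_m1)

def per_message_key(master: bytes, counter: int) -> bytes:
    # Assumed mitigation for this example: a fresh key for every message.
    return hmac.new(master, counter.to_bytes(8, "big"), hashlib.sha256).digest()

def demo():
    master = b"constructed-shared-key"
    m1 = b"INVOICE 0001: pay 100 EUR to A"      # constructed messages
    m2 = b"INVOICE 0002: pay 950 EUR to B"
    # Weak: both messages encrypted under the same key.
    reused = recover_second(rc4(master, m1), rc4(master, m2), m1)
    # Corrected: one derived key per message, so the keystreams differ.
    c1 = rc4(per_message_key(master, 1), m1)
    c2 = rc4(per_message_key(master, 2), m2)
    fresh = recover_second(c1, c2, m1)
    return m2, reused, fresh

if __name__ == "__main__":
    m2, reused, fresh = demo()
    print("key reused:   ", reused)
    print("per-message:  ", fresh)
```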
