
CHAPTER 6: MORE ON SYMMETRIC CIPHERS
School of Computer and Software, Nanjing University of Information Science and Technology. Shen Jian.

6.1 Multiple Encryption and Triple DES

DES is vulnerable to exhaustive key search. One response is AES; another is to encrypt several times with DES using several keys, which leads to triple DES (3DES).

The simplest form of multiple encryption is double encryption with two keys (Figure 6.1a). Given a plaintext P and two keys K1 and K2, the ciphertext C is computed as:

C = E(K2, E(K1, P))

Decryption uses the two keys in reverse order:

P = D(K1, D(K2, C))

Key length: 56 x 2 = 112 bits.

Reduction to a single encryption. One might claim that for any two 56-bit keys K1 and K2 there exists a key K3 such that

E(K2, E(K1, P)) = E(K3, P)

If this claim held, double encryption would be useless, since its effect would be identical to a single DES encryption under one key. Conclusion: E(K2, E(K1, P)) = E(K3, P) does not hold; double DES and single DES define different mappings. DES encryption is a mapping on 64-bit blocks: there are 2^64 possible inputs, and under each key they are mapped one-to-one onto 64-bit outputs. How many one-to-one mappings of 2^64 inputs are there? On the other hand, DES defines one mapping per key, so the total number of DES mappings is only 2^56 < 10^17.

Meet-in-the-middle attack

Double DES does not reduce to single DES, but there is still an attack on it. It does not depend on any property of DES and works against any block cipher. It is called the meet-in-the-middle attack. With

C = E(K2, E(K1, P))

we have

X = E(K1, P) = D(K2, C)

Given a known plaintext-ciphertext pair (P, C), the attack proceeds as follows:

1. Encrypt P under every possible key K1, and store the 2^56 results in a table sorted by the value of X.
2. Decrypt C under every possible key K2, and after each decryption compare the result with the values in the table, looking for a match.
3. If a match is found, test the two candidate keys on a new plaintext-ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys.

Triple DES with two keys

An obvious countermeasure to the meet-in-the-middle attack is to encrypt three times with three different keys. Drawback: the key length becomes 56 x 3 = 168 bits, which is unwieldy.

Tuchman proposed using only two keys for the three encryptions, in the order encrypt-decrypt-encrypt (EDE), as shown in Figure 6.1b:

C = E(K1, D(K2, E(K1, P)))

There is currently no practical attack on two-key 3DES. An exhaustive attack on 3DES costs 2^112, and the cost of differential cryptanalysis grows exponentially, exceeding 10^52 compared with single DES. Although none of the attacks on 3DES is practical, some of them may serve as a basis for better attacks in the future. Merkle and Hellman: requires 2^56 chosen plaintext-ciphertext pairs.

Triple DES with three keys

Although the attacks on two-key 3DES described above are impractical, two-key 3DES still feels somewhat uncertain to many, and so many consider three-key 3DES to be the best option:

C = E(K3, D(K2, E(K1, P)))

Applications: PGP and S/MIME; see Chapter 15.
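The following is an added example, not code from the lecture slides or their textbook. It uses a constructed 16-bit toy block cipher with a 12-bit key in place of DES, so that the exhaustive searches finish in milliseconds; the function names (toy_encrypt, meet_in_the_middle, ede_encrypt, ...) and the sample keys and plaintexts are assumptions made here. The structure is exactly what the text above describes: double encryption C = E(K2, E(K1, P)), the meet-in-the-middle attack with its table lookup and confirmation step, and EDE triple encryption with two or three keys. The point for a defender is visible in the work count: recovering both keys costs about 2 * 2^12 cipher operations, not 2^24, so doubling the key length does not double the security.

```python
"""Double encryption, meet-in-the-middle and EDE on a constructed toy cipher.

Added example, not from the slides: a 16-bit toy block cipher with a 12-bit key
stands in for DES so that the exhaustive searches finish in milliseconds; the
structure of the attack and of EDE is exactly the one described above."""
KEY_BITS = 12                     # toy key length (DES: 56)
KEY_SPACE = 1 << KEY_BITS
MASK = 0xFFFF                     # 16-bit block
MUL = 0x9E37                      # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)   # modular inverse (Python 3.8+)

def _rk(key, r):  # round constant derived from the key (constructed, not secure)
    return (key * 0x1F1 + r * 0x5A5) & MASK

def toy_encrypt(key, block):
    """E(K, P): two rounds of XOR round key, multiply by odd constant, rotate left 3."""
    x = block & MASK
    for r in (0, 1):
        x = ((x ^ _rk(key, r)) * MUL) & MASK
        x = ((x << 3) | (x >> 13)) & MASK
    return x

def toy_decrypt(key, block):
    """D(K, C): undo the rounds of toy_encrypt in reverse order."""
    x = block & MASK
    for r in (1, 0):
        x = ((x >> 3) | (x << 13)) & MASK
        x = ((x * MUL_INV) & MASK) ^ _rk(key, r)
    return x

def double_encrypt(k1, k2, p):  # C = E(K2, E(K1, P))
    return toy_encrypt(k2, toy_encrypt(k1, p))

def double_decrypt(k1, k2, c):  # P = D(K1, D(K2, C))
    return toy_decrypt(k1, toy_decrypt(k2, c))

def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs with about 2 * 2^KEY_BITS cipher
    operations instead of the 2^(2*KEY_BITS) a naive search over both keys needs."""
    p0, c0 = pairs[0]
    table = {}  # step 1: X = E(K1, P) -> every K1 that produces that X
    for k1 in range(KEY_SPACE):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(KEY_SPACE):  # step 2: X = D(K2, C), look it up in the table
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            # step 3: a match is only a candidate; confirm on the other known pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
    return None

def ede_encrypt(k1, k2, p, k3=None):
    """E(K3, D(K2, E(K1, P))); two-key EDE when K3 is omitted (K3 = K1)."""
    return toy_encrypt(k1 if k3 is None else k3, toy_decrypt(k2, toy_encrypt(k1, p)))

def ede_decrypt(k1, k2, c, k3=None):
    """D(K1, E(K2, D(K3, C))), the inverse of ede_encrypt."""
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k1 if k3 is None else k3, c)))

def demo():
    """Three known (P, C) pairs under constructed keys K1, K2; recover both keys."""
    k1, k2 = 0x5A3, 0x0C7
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    print("recovered keys:", demo())
```

Two details worth noting. The confirmation step is necessary: with a 16-bit block and a 12-bit key, roughly one candidate K2 in sixteen collides with some table entry by chance, so only the extra known pairs separate the true key pair from false positives. And with K1 = K2 the EDE construction collapses to a single encryption E(K1, P), which is why EDE rather than EEE was chosen: a two-key 3DES implementation can talk to a single-DES peer simply by repeating the key.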

6.2 Block Cipher Modes of Operation

A block cipher algorithm is a basic building block for providing data security. A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application. These modes are intended for use with any symmetric block cipher, including triple DES and AES. The modes are summarized in Table 6.1.

Electronic Codebook Mode

The simplest mode is the electronic codebook (ECB) mode: plaintext is handled one block at a time and each block of plaintext is encrypted using the same key (Figure 6.3). For a message longer than b bits, the procedure is simply to break the message into b-bit blocks, padding the last block if necessary. The ECB method is ideal for a short amount of data, such as an encryption key (for example, a DES key). The most significant characteristic of ECB is that the same b-bit block of plaintext. For lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.

Cipher Block Chaining Mode

To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks. A simple way to satisfy this requirement is the cipher block chaining (CBC) mode (Figure 6.4). CBC uses an initialization vector (IV).

Cipher Feedback Mode

A stream cipher eliminates the need to pad a message to be an integral number of blocks. It also can operate in real time. Thus, if a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher. One desirable property of a stream cipher is that the ciphertext be of the same length as the plaintext.

Figure 6.5 depicts the CFB scheme. In the figure, it is assumed that the unit of transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext. In this case, rather than units of b bits, the plaintext is divided into segments of s bits.

Output Feedback Mode

The output feedback (OFB) mode is similar in structure to that of CFB, as illustrated in Figure 6.6. As can be seen, it is the output of the encryption function that is fed back to the shift register in OFB, whereas in CFB the ciphertext unit is fed back to the shift register.

Counter Mode

Applications: ATM (asynchronous transfer mode) network security and IPSec (IP security).

Figure 6.7 depicts the CTR mode. A counter equal to the plaintext block size is used. The only requirement stated in SP 800-38A is that the counter value must be different for each plaintext block that is encrypted.
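The five modes described in this section (ECB, CBC, CFB, OFB, CTR), as an added example that is not code from the slides or their textbook. The 64-bit block cipher it runs over is a constructed four-round Feistel network with HMAC-SHA256 as round function, chosen only so that the example needs nothing beyond the Python standard library; any real block cipher such as AES or 3DES could be dropped in for toy_block_encrypt/toy_block_decrypt. CFB and OFB are written with s = b (full-block feedback), the function names and sample inputs are assumptions, and the last two functions demonstrate the two security points made above: ECB repeats ciphertext for repeated plaintext blocks while CBC does not, and CTR loses all confidentiality of the XOR of two messages if a counter block is reused under one key, which is why SP 800-38A requires distinct counter values.

```python
"""Block cipher modes over a constructed toy 64-bit block cipher (added example, not
from the slides). The cipher is a 4-round Feistel network with HMAC-SHA256 as round
function so that only the standard library is needed; any real block cipher (AES,
3DES) could replace toy_block_encrypt/toy_block_decrypt. CFB and OFB use s = b."""
import hashlib
import hmac
import os

B = 8  # block size in bytes (b = 64 bits)

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):
    """Feistel round function: HMAC-SHA256(key, r || half) truncated to a half block."""
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[: B // 2]

def toy_block_encrypt(key, block):
    """E(K, P): four Feistel rounds; a permutation of 64-bit blocks, so D exists."""
    left, right = block[: B // 2], block[B // 2 :]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return right + left

def toy_block_decrypt(key, block):
    """D(K, C): the same network with the rounds applied in reverse order."""
    left, right = block[: B // 2], block[B // 2 :]
    for r in reversed(range(4)):
        left, right = right, _xor(left, _round(key, r, right))
    return right + left

def blocks(data): return [data[i:i + B] for i in range(0, len(data), B)]

def pad(data):  # PKCS#7: ECB and CBC need whole blocks
    n = B - len(data) % B
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= B or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(key, pt):  # C_i = E(K, P_i): equal plaintext blocks give equal ciphertext
    return b"".join(toy_block_encrypt(key, p) for p in blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_block_decrypt(key, c) for c in blocks(ct)))

def cbc_encrypt(key, iv, pt):  # C_i = E(K, P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in blocks(pad(pt)):
        prev = toy_block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):  # P_i = D(K, C_i) xor C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))

def cfb_encrypt(key, iv, pt):  # C_i = P_i xor E(K, C_{i-1}); the ciphertext is fed back
    out, prev = [], iv
    for p in blocks(pt):  # no padding: a short last unit uses fewer keystream bytes
        prev = _xor(p, toy_block_encrypt(key, prev)[:len(p)])
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):  # only the forward function E is ever used
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(c, toy_block_encrypt(key, prev)[:len(c)]))
        prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):  # O_i = E(K, O_{i-1}) is fed back; encrypt == decrypt
    out, o = [], iv
    for d in blocks(data):
        o = toy_block_encrypt(key, o)
        out.append(_xor(d, o[:len(d)]))
    return b"".join(out)

def ctr_crypt(key, nonce4, data):  # keystream_i = E(K, nonce || i); encrypt == decrypt
    out = []
    for i, d in enumerate(blocks(data)):
        ctr_block = nonce4 + i.to_bytes(B - 4, "big")  # must never repeat under one key
        out.append(_xor(d, toy_block_encrypt(key, ctr_block)[:len(d)]))
    return b"".join(out)

def ecb_vs_cbc_repetition(key):
    """Two equal plaintext blocks: ECB repeats the ciphertext block, CBC does not."""
    pt = b"SAMEBLCK" * 2  # constructed input: block 1 == block 2
    e, c = blocks(ecb_encrypt(key, pt)), blocks(cbc_encrypt(key, os.urandom(B), pt))
    return e[0] == e[1], c[0] == c[1]

def ctr_reuse_leak(key):
    """Why SP 800-38A demands distinct counter blocks: reuse gives C1 xor C2 = P1 xor P2."""
    p1, p2, nonce = b"value=10", b"value=99", b"\x00\x00\x00\x01"
    return _xor(ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)) == _xor(p1, p2)
```

Note which modes need padding and which need the decryption function: ECB and CBC require whole blocks and use D(K, C); CFB, OFB and CTR only ever call E(K, X) and handle a trailing partial unit, which is the stream-cipher property the CFB section describes.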

6.3 Stream Ciphers and RC4

Stream Cipher Structure

A typical stream cipher encrypts plaintext one byte at a time, although a stream cipher may be designed to operate on one bit at a time or on units larger than a byte at a time. Figure 6.8 is a representative diagram of stream cipher structure. In this structure a key is input to a pseudorandom bit generator that produces a stream of 8-bit numbers that are apparently random.

Important design considerations for a stream cipher:

1. The encryption sequence should have a large period. A pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually repeats.
2. The keystream should approximate the properties of a true random number stream as closely as possible.
3. Note from Figure 6.8 that the output of the pseudorandom number generator is conditioned on the value of the input key. To guard against brute-force attacks, the key needs to be sufficiently long.

With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length. The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers. Table 6.2 compares execution times of RC4 with three well-known symmetric block ciphers. For applications that require encryption/decryption of a stream of data, such as over a data communications channel or a browser/Web link, a stream cipher might be the better alternative. For applications that deal with blocks of data, such as file transfer, e-mail, and database, block ciphers may be more appropriate.

The RC4 Algorithm

RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. RC4 is used in the SSL/TLS (Secure Sockets Layer/Transport Layer Security) standards that have been defined for communication between Web browsers and servers. It is also used in the WEP (Wired Equivalent Privacy) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE 802.11 wireless LAN standard. RC4 was kept as a trade secret by RSA Security. The RC4 algorithm is remarkably simple and quite easy to explain. A variable-length key
