Block Ciphers: DES and Block Cipher Modes of Operation

April 19, 2013. Computer Security Technology and Practice: Block Ciphers, further topics

Double DES
- Total key material: 112 bits, i.e. 2^112 possible keys
- Encryption: DES under K1, then DES under K2; decryption: DES^-1 under K2, then DES^-1 under K1 (figure)
- Double DES is definitely not equivalent to any single DES encryption

Meet-in-the-middle attack on double DES: recovering the key
- Known: (P, C) is one plaintext/ciphertext pair
- Principle: encrypt P under every K1 = 1 ... 2^56 and record the results; decrypt C under every K2 = 1 ... 2^56 and look each result up in the records; a match gives a candidate (K1, K2) (figure)
- Total computation: 2^56 (figure)
- Result: (figure)
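The cost figure on the slide, worked through as an added derivation (not part of the original slides), writing $E$ and $D$ for DES encryption and decryption:

Exhaustive search over both keys costs $2^{56}\cdot 2^{56} = 2^{112}$ double encryptions. Meet-in-the-middle uses $C = E_{K_2}(E_{K_1}(P))$, i.e. $E_{K_1}(P) = D_{K_2}(C)$, and looks for a collision between two lists:

$$
\underbrace{\{\,E_{K_1}(P) : K_1 \in \{0,1\}^{56}\,\}}_{2^{56}\ \text{encryptions, stored}}
\;\cap\;
\underbrace{\{\,D_{K_2}(C) : K_2 \in \{0,1\}^{56}\,\}}_{2^{56}\ \text{decryptions, looked up}}
$$

Work is $2^{56} + 2^{56} = 2^{57}$ DES operations plus $2^{56}$ stored 64-bit values, instead of $2^{112}$. With one pair $(P, C)$ there are $2^{112}$ key pairs but only $2^{64}$ possible intermediate blocks, so about $2^{112}/2^{64} = 2^{48}$ false matches survive the first lookup; testing those survivors against a second pair $(P', C')$ leaves about $2^{48}/2^{64} = 2^{-16}$ false candidates, so the true $(K_1, K_2)$ is identified.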

Triple DES (two keys)
- Encryption: DES under K1, DES^-1 under K2, DES under K1; decryption: DES^-1 under K1, DES under K2, DES^-1 under K1 (figure)

Triple DES (three keys)
- Same structure, with the third DES stage using an independent key K3 (figure)

Block cipher mode of operation 1: ECB
- At time 1, time 2, ..., time N each block is encrypted and decrypted independently (figure)
- Weakness of ECB: identical plaintext blocks produce identical ciphertext blocks
- Original file vs. the same file encrypted in ECB mode (figure; source: /en-us/magazine/cc163522.aspx, credit the source when reposting)

Block cipher mode of operation 2: CBC
- At time 1, time 2, ..., time N each plaintext block is combined with the previous ciphertext block before encryption, and the reverse on decryption (figure)
- Advantage of CBC: original file vs. the same file encrypted in CBC mode (figure; source: /en-us/magazine/cc163522.aspx, credit the source when reposting)
- Weaknesses of CBC: the IV must be shared by sender and receiver, and the IV must be protected

Block cipher mode of operation 3: CFB (figure)

Block cipher mode of operation 4: OFB
- If one bit of the ciphertext is flipped, the corresponding bit of the decrypted plaintext is flipped too, so tamper resistance is weak

Block cipher mode of operation 5: CTR
- If the plaintext does not fill a whole block, the unused tail of the keystream block is simply dropped; no padding is needed
- Parallelizable, precomputable, random access, provably secure, encryption and decryption are alike

Feedback characteristics of the modes of operation: CBC, CFB, OFB, CTR (table)

Characteristics and requirements of storage encryption
- The attacker can obtain ciphertext at will
- Plaintext and ciphertext are the same size
- Block units are independent of one another and can be accessed individually
- Encryption is done in 16-byte blocks
- Apart from the data blocks there is no other metadata
- The same plaintext at different locations encrypts to different ciphertext, but rewriting to the same location always gives the same ciphertext
- Data is encrypted by a device conforming to the same standard
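To make the ECB, CBC and CTR points above concrete, here is an added Python example (not code from the slides) that stands in DES with a toy 8-round, 64-bit-block Feistel cipher whose round function is a keyed hash; the key, messages, IV and nonce are constructed values, and the toy cipher is for illustration only.

```python
import hashlib
BLOCK = 8  # toy 64-bit block, the same width as DES; NOT a real cipher

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(half: bytes, key: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed SHA-256, truncated to one half-block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _round(r, key, rnd))
    return r + l

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):
        l, r = r, _xor(l, _round(r, key, rnd))
    return r + l

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    # ECB: blocks are independent, so equal plaintext blocks give equal ciphertext blocks
    return b"".join(encrypt_block(key, msg[i:i + BLOCK]) for i in range(0, len(msg), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block (IV first)
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = encrypt_block(key, _xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def ctr_crypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    # CTR: keystream block = E_K(nonce || counter); a short last block drops the tail
    out = bytearray()
    for i in range(0, len(msg), BLOCK):
        keystream = encrypt_block(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += _xor(msg[i:i + BLOCK], keystream)
    return bytes(out)

def demo():
    key = b"toy-key!"
    msg = b"ATTACK!!" * 2 + b"RETREAT!" + b"ATTACK!!"   # constructed: blocks 0, 1, 3 equal
    ecb, cbc = ecb_encrypt(key, msg), cbc_encrypt(key, b"\x00" * 8, msg)
    ecb_leaks = ecb[0:8] == ecb[8:16] == ecb[24:32]       # True: pattern visible
    cbc_leaks = cbc[0:8] == cbc[8:16]                     # False: chaining hides it
    # CTR gives no integrity: flipping a ciphertext bit flips the same plaintext bit,
    # which is why a MAC or an authenticated mode is needed on top of it
    ct = bytearray(ctr_crypt(key, b"\x00\x00\x00\x01", b"pay 100"))
    ct[4] ^= 0x01                                         # '1' (0x31) -> '0' (0x30)
    tampered = ctr_crypt(key, b"\x00\x00\x00\x01", bytes(ct))
    return ecb_leaks, cbc_leaks, tampered                  # (True, False, b"pay 000")
```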

XTS-AES: a block cipher mode for storage devices (figure)

Cryptography and Network Security, Fifth Edition, by William Stallings. Lecture slides by Lawrie Brown.

Chapter 7: Stream Ciphers and Random Number Generation

"The comparatively late rise of the theory of probability shows how hard it is to grasp, and the many paradoxes show clearly that we, as humans, lack a well grounded intuition in this matter. In probability theory there is a great deal of art in setting up the model, in solving the problem, and in applying the results back to the real world actions that will follow." The Art of Probability, Richard Hamming

Random Numbers
- Many uses of random numbers in cryptography:
  - nonces in authentication protocols to prevent replay
  - session keys
  - public key generation
  - keystream for a one-time pad
- In all cases it is critical that these values be:
  - statistically random: uniform distribution, independent
  - unpredictable: future values cannot be predicted from previous values
- True random numbers provide this
- Care is needed with generated random numbers

Pseudorandom Number Generators (PRNGs)
- Often use deterministic algorithmic techniques to create "random numbers"
  - although they are not truly random
  - they can pass many tests of "randomness"
- Known as "pseudorandom numbers", created by "Pseudorandom Number Generators (PRNGs)"

Random and Pseudorandom Number Generators (figure)

PRNG Requirements
- Randomness: uniformity, scalability, consistency
- Unpredictability: forward and backward unpredictability; use the same tests to check
- Characteristics of the seed:
  - it must be secure: if it is known, the adversary can determine the output

  - so the seed must itself be a random or pseudorandom number

Linear Congruential Generator
- Common iterative technique using X_{n+1} = (a X_n + c) mod m
- Given suitable values of the parameters it can produce a long random-like sequence
- Suitable criteria to have are:
  - the function generates a full period
  - the generated sequence should appear random
  - efficient implementation with 32-bit arithmetic
- Note that an attacker can reconstruct the sequence given a small number of values
- There are possibilities for making this harder

Blum Blum Shub Generator
- Based on public key algorithms
- Uses the least significant bit from the iterative equation x_i = x_{i-1}^2 mod n, where n = p·q and the primes satisfy p, q ≡ 3 (mod 4)
- Unpredictable, passes the next-bit test
- Security rests on the difficulty of factoring n
- Is unpredictable given any run of bits
- Slow, since very large numbers must be used
- Too slow for cipher use, but good for key generation
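An added Python example (not from the slides) implementing both generators as defined above: the LCG together with a full-period check (the Hull-Dobell conditions, an assumption beyond the slide's list of criteria), the recovery of a and c from three consecutive outputs that the slide warns about, and a Blum Blum Shub bit generator; all parameters and seeds are constructed values.

```python
from math import gcd

def lcg(seed: int, a: int, c: int, m: int):
    # X_{n+1} = (a * X_n + c) mod m, yielded one value at a time
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def prime_factors(n: int) -> set:
    f, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            f.add(p)
            n //= p
        p += 1
    return f | ({n} if n > 1 else set())

def has_full_period(a: int, c: int, m: int) -> bool:
    # Hull-Dobell theorem: the LCG has period exactly m iff all three hold
    return (gcd(c, m) == 1
            and all((a - 1) % p == 0 for p in prime_factors(m))
            and (m % 4 != 0 or (a - 1) % 4 == 0))

def recover_lcg(x0: int, x1: int, x2: int, m: int):
    # With a known modulus, three consecutive outputs give a and c back:
    # a = (x2 - x1) * (x1 - x0)^-1 mod m, c = x1 - a*x0 mod m (needs the inverse)
    inv = pow((x1 - x0) % m, -1, m)
    a = (x2 - x1) * inv % m
    return a, (x1 - a * x0) % m

def lcg_is_predictable(seed: int, a: int, c: int, m: int) -> bool:
    # Observe three outputs, then check that the generator's secrets were recovered;
    # this is why an LCG must not be used for keys or nonces
    g = lcg(seed, a, c, m)
    x0, x1, x2 = next(g), next(g), next(g)
    return recover_lcg(x0, x1, x2, m) == (a, c)

def bbs_bits(p: int, q: int, seed: int, nbits: int) -> list:
    # Blum Blum Shub: p, q primes = 3 mod 4, x_i = x_{i-1}^2 mod n, output the LSB
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    assert gcd(seed, n) == 1
    x = seed * seed % n
    out = []
    for _ in range(nbits):
        x = x * x % n
        out.append(x & 1)
    return out
```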

Using Block Ciphers as PRNGs
- For cryptographic applications, a block cipher can be used to generate random numbers
- Often for creating session keys from a master key
- CTR: X_i = E_K[V_i]
- OFB: X_i = E_K[X_{i-1}]

ANSI X9.17 PRG (figure)

Stream Ciphers
- Process the message bit by bit (as a stream)
- Have a pseudorandom keystream, combined (XOR) with the plaintext bit by bit
- The randomness of the stream key completely destroys the statistical properties of the message: C_i = M_i XOR StreamKey_i
- But the stream key must never be reused, otherwise messages can be recovered (cf. book cipher)

Stream Cipher Structure (figure)

Stream Cipher Properties
- Some design considerations are:
  - long period with no repetitions
  - statistically random
  - depends on a large enough key

  - large linear complexity
- Properly designed, can be as secure as a block cipher with the same size key
- But usually simpler and faster

RC4
- A proprietary cipher owned by RSA DSI
- Another Ron Rivest design, simple but effective
- Variable key size, byte-oriented stream cipher
- Widely used (web SSL/TLS, wireless WEP/WPA)
- The key forms a random permutation of all 8-bit values
- Uses that permutation to scramble the input information, processed a byte at a time

RC4 Key Schedule
- Starts with an array S of the numbers 0..255
- Uses the key to well and truly shuffle S
- S forms the internal state of the cipher

    for i = 0 to 255 do
        S[i] = i
        T[i] = K[i mod keylen]

    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) (mod 256)
        swap(S[i], S[j])

RC4 Encryption
- Encryption continues shuffling the array values
- The sum of the shuffled pair selects the "stream key" value from the permutation
- XOR S[t] with the next byte of the message to encrypt or decrypt

    i = j = 0
    for each message byte M_i
        i = (i + 1) (mod 256)
        j = (j + S[i]) (mod 256)
        swap(S[i], S[j])
        t = (S[i] + S[j]) (mod 256)
        C_i = M_i XOR S[t]
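The key schedule and encryption loops above, and the "never reuse the stream key" rule from the Stream Ciphers slide, written out as an added Python example (not the slides' own code); the keys and messages in the reuse check are constructed values.

```python
def rc4_ksa(key: bytes) -> list:
    # Key schedule: S starts as the identity permutation 0..255, then the key
    # (T[i] = K[i mod keylen] on the slide) drives 256 swaps to shuffle it
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes):
    # Generation: keep shuffling; the sum of the swapped pair picks the output byte
    S, i, j = rc4_ksa(key), 0, 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # C_i = M_i XOR S[t]; the same call decrypts, since XOR is its own inverse
    return bytes(m ^ k for m, k in zip(data, rc4_keystream(key)))

def keystream_reuse_leaks(key: bytes, m1: bytes, m2: bytes) -> bool:
    # Two messages under one key: c1 XOR c2 equals m1 XOR m2 because the keystream
    # cancels out, which is why a stream-cipher key (or key plus nonce) is single-use
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    return xor(c1, c2) == xor(m1, m2)
```

The public RC4 test vectors (key "Key" with plaintext "Plaintext", key "Wiki" with plaintext "pedia") can be used to confirm the implementation.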

RC4 Overview (figure)

RC4 Security
- Claimed secure against known attacks; there have been some analyses, none practical
- The result is very non-linear
- Since RC4 is a stream cipher, a key must never be reused
- There is a concern with WEP, but it is due to key handling rather than RC4 itself

Natural Random Noise
- The best source is natural randomness in the real world
- Find a regular but random event and monitor it
- Generally need special hardware to do this, e.g. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes, etc.
- Starting to see such hardware in new CPUs
- Problems of bias or une
