Въведение
ThisstandardisusedtoreplacetheoriginalDES(DataEncryptionStandard),whichhasbeenanalyzedbymanypartiesandwidelyusedallovertheworld.use.Afterafive-yearselectionprocess,theAdvancedEncryptionStandardwaspublishedbytheNationalInstituteofStandardsandTechnology(NIST)inFIPSPUB197onNovember26,2001,andbecameaneffectivestandardonMay26,2002.In2006,theadvancedencryptionstandardhasbecomeoneofthemostpopularalgorithmsinsymmetrickeyencryption.
ThealgorithmwasdesignedbyBelgiancryptographersJoanDaemenandVincentRijmen,combinedwiththenamesofthetwoauthors,namedinthenameofRijdael,andsubmittedtheselectionprocessforadvancedencryptionstandards.(Rijdaelispronouncedlike"Rhinedoll".)
Обяснение
Theadvancedencryptionstandardalgorithmsolvesworryingproblemsinmanyways.Infact,themethodsusedtoattackdataencryptionstandardshavenoeffectontheadvancedencryptionstandardalgorithmsthemselves.Ifreal128-bitencryptiontechnologyoreven256-bitencryptiontechnologyisused,itwilltakealongtimeforabruteforceattacktosucceed.
Althoughtheadvancedencryptionstandardalsohasitsdisadvantages,itisstillarelativelynewprotocol.Therefore,securityresearchershavenothadsomuchtimetocrackexperimentsonthisencryptionmethod.Wemayatanytimediscoverabrandnewattackmethodthatwillbreakthisadvancedencryptionstandard.Atleastintheorythereissuchapossibility.
История
RijndaelisanimprovementofSquaredesignedbyDaemenandRijmenintheearlydays;andSquareisdevelopedfromSHARK.
DifferentfromitspredecessorstandardDES,Rijndaelusesapermutation-combinedarchitectureinsteadofaFeistelarchitecture.AEScanquicklyencryptanddecryptonbothsoftwareandhardware,relativelyeasytoimplement,andrequiresverylittlememory.Asanewencryptionstandard,itiscurrentlybeingdeployedandappliedtoawiderrange.
Описание на паролата
Strictlyspeaking,AESandRijndaelencryptionarenotexactlythesame(althoughthetwoareinterchangeableinpracticalapplications),becauseRijndaelencryptioncansupportlargerRangeofblockandkeylength:TheblocklengthofAESisfixedat128bits,andthekeylengthcanbe128,192or256bits;thekeyandblocklengthusedbyRijndaelcanbeanintegermultipleof32bits.Thelowerlimitis128bitsandtheupperlimitis256bits.ThekeyusedintheencryptionprocessisgeneratedbytheRijndaelkeygenerationscheme.
Повечето AES изчисления са извършени в специално ограничено поле.
TheAESencryptionprocessoperatesona4×4bytematrix.Thismatrixisalsocalled"state".Itsinitialvalueisaplaintextblock(thesizeofanelementinthematrixisOneByteintheplaintextblock).(Rijndaelencryptionmethodsupportslargerblocks,andthenumberofmatrixrowscanbeincreasedaccordingtothesituation.)Whenencrypting,eachroundofAESencryptioncycle(exceptthelastround)includes4steps:
AddRoundKey
—EachbyteinthematrixisXORedwiththeroundkey;eachsub-keyisgeneratedbythekeygenerationscheme.
IntheAddRoundKeystep,theroundkeywillbemergedwiththeoriginalmatrix.Ineachencryptioncycle,aroundkey(generatedbytheRijndaelkeygenerationscheme)willbegeneratedbythemasterkey.Thiskeywillhavethesamesizeastheoriginalmatrixtomatcheachcorrespondingwordintheoriginalmatrix.Sectionsareexclusiveor(⊕)addition.
Подбайтове
—Throughanon-linearreplacementfunction,eachbyteisreplacedwiththecorrespondingbytebymeansofalook-uptable.
IntheПодбайтовеstep,eachbyteinthematrixisconvertedbyan8-bitS-box.Thisstepprovidesthenon-lineartransformationcapabilityoftheencryptionmethod.S-boxisrelatedtotheinverseelementofmultiplicationonGF(2)andisknowntohavegoodnonlinearcharacteristics.Inordertoavoidattacksonthenatureofsimplealgebra,S-boxisconstructedbycombiningtheinverseelementsofmultiplicationandaninvertibleaffinetransformationmatrix.Inaddition,whenconstructingS-box,fixedpointsandanti-fixedpointsweredeliberatelyavoided,thatis,theresultofreplacingbyteswithS-boxwouldbeequivalenttotheresultofmisalignment.
ShiftRows
—Кръгово преместванеteachrow в матрицата.
ShiftRowsdescribestherowoperationsofthematrix.Inthisstep,eachrowiscyclicallyshiftedtotheleftbyacertainoffset.InAES(theblocksizeis128bits),thefirstrowremainsunchanged,andeachbyteinthesecondrowrotatesonespacetotheleft.Inthesameway,theoffsetsofthethirdrowandthefourthrowofthecyclicshifttotheleftare2and3,respectively.The128-bitand192-bitblockshavethesamecyclicshiftpatterninthisstep.AfterShiftRows,eachverticalcolumninthematrixiscomposedofelementsineachdifferentcolumnoftheinputmatrix.IntheversionoftheRijndaelalgorithm,theoffsetisslightlydifferentfromAES;forablockwithalengthof256bits,thefirstrowremainsunchanged,andtheoffsetsofthesecond,third,andfourthrowsare1wordrespectively.Section,3-byte,4-bitgroup.Inaddition,theoperationstepsofShiftRowsareexactlythesameinRijndaelandAES.
MixColumns
—Inordertofullymixtheoperationsofeachstraightrowinthematrix.Thisstepuseslinearconversiontomixeachinlinefourbytes.Inthelastencryptioncycle,theMixColumnsstepisomittedandreplacedbyanotherAddRoundKey.
Атаки на странични канали (известни също атаки на странични канали, атаки на странични канали)
Side-channelattacksdonotattackthepassworditself,butattackthoseimplementedininsecuresystems(willinadvertentlyInformationdisclosure)ontheencryptionsystem.
InApril2005,D.J.BernsteinannouncedacachetimingattackmethodbywhichhecrackedaclientserverloadedwiththeOpenSSLAESencryptionsystem.Inordertodesigntheservertopublishallthetiminginformation,theattackalgorithmusedmorethan200millionfilteredclearcodes.SomepeoplethinkthatsuchanattackmethodisnotpracticalfortheInternet,whichrequiresmultiplehops.
InOctober2005,EranTromerandtwootherresearcherspublishedapapershowingseveralcachetimingattacksagainstAES[8].Oneoftheattacksrequiresonly800writeactionsandtakes65millisecondstoobtainacompleteAESkey.However,theattackermusthavethepermissiontoruntheprogramontheencryptedsysteminordertocrackthecryptographicsystemwiththismethod.
Режим на криптиране AES
Симетрични/блокови шифри обикновено се разделят на поточно криптиране (като OFB, CFB и т.н.) и блоково криптиране (като ECB, CBC и т.н.). За поточно криптиране, блоковият шифър трябва да бъде преобразуван в поточен режим, за да работи.
Режим ECB (ElectronicCodeBook).
ECBmodeistheearliestandsimplestmode.Itdividesencrypteddataintoseveralgroups,thesizeofeachgroupisencryptedThekeylengthisthesame,andtheneachgroupisencryptedwiththesamekey.
Предимства:
1.Simple;2.Conducivetoparallelcomputing;3.Errorswillnotbetransmitted;Disadvantages:1.Themodethattheplaintextcannotbehidden;2.Activeattacksontheplaintextmaybecarriedout;Therefore,thismodeissuitableforencryptingsmallmessages.
CBC (CipherBlockChaining, криптиран блокчейн) режим
Предимства:
1.Itisnoteasytoattackactively,anditissafeItisbetterthanECBandissuitablefortransmittinglong-lengthpackets.ItisthestandardofSSLandIPSec.Disadvantages:1.Notconducivetoparallelcomputing;2.Errortransmission;3.NeedtoinitializethevectorIV
CFB(CipherFeedBackMode,encryptionfeedback)режим
Предимства:
1.Theplaintextmodeishidden;2.Blockcipherisconvertedtostreammode;3.Datasmallerthanthepacketcanbeencryptedandtransmittedintime;Disadvantages:1.Notconducivetoparallelcomputing;2.Errortransmission:damagetoaplaintextunitaffectsmultipleunits;3.TheonlyIV;
OFB(OutputFeedBack,outputfeedback)режим
Предимства:
1.Theplaintextmodeishidden;2.Theblockcipherisconvertedintoastreammode;3.Datasmallerthanthepacketcanbeencryptedandtransmittedintime;Disadvantages:1.Itisnotconducivetoparallelcomputing;2.Activeattacksontheplaintextarepossible;3.Errortransmission:thedamageofoneplaintextunitaffectsmultipleunits.
Режим CTR (брояч, броене).
Countingmode(CTRmode)encryptionistoencryptaseriesofinputdatablocks(calledcount)toproduceaseriesofoutputblocks,TheoutputblockisXORedwiththeplaintexttogettheciphertext.Forthelastdatablock,itmaybeapartialdatablockwithlongubits.TheubitswillbeusedfortheXORoperation,andtheremainingb-ubitswillbediscarded(brepresentsthelengthoftheblock).CTRdecryptionissimilar.Thecountsinthisseriesmustbedifferentfromeachother.SupposethecountisexpressedasT1,T2,…,Tn.TheCTRmodecanbedefinedasfollows:
Формулата за криптиране на CTR е следната:
Cj=PjXOREk(Tj)
C*n=P*nXORMSBu(Ek(Tn))j=1,2...n-1;
Формулата за декриптиране на CTR е следната:
Pj=CjXOREk(Tj)
P*n=C*nXORMSBu(Ek(Tn))j=1,2…n-1;
Encryptionmethod:thecryptographicalgorithmgeneratesa16-bytepseudo-randomcodeblockstream,pseudo-randomThecodeblockandtheinputplaintextareXORedtoproduceaciphertextoutput.Aftertheciphertextandthesamepseudo-randomcodeareXORed,theplaintextcanberegenerated.
CTRmodeiswidelyusedinATMnetworksecurityandIPSecapplications.Comparedwithothermodes,CTRmodehasthefollowingcharacteristics:
■Hardwareefficiency:AllowssimultaneousprocessingofmultipleblocksPlaintext/ciphertext.
■Softwareefficiency:parallelcomputingisallowed,andparalleltechnologiessuchasCPUpipelinecanbeusedwell.
■Preprocessing:Theoutputofthealgorithmandtheencryptionboxdoesnotrelyontheinputofplaintextandciphertext.Therefore,ifthereisenoughmemorytoensuresecurity,theencryptionalgorithmwillonlybeaseriesofXORoperations,whichisextremelyGreatlyimprovethroughput.
■Randomaccess:Thedecryptionofthei-thblockofciphertextdoesnotdependonthei-1thblockofciphertext,providinghighrandomaccesscapabilities
■Доказуема сигурност: Може да се докаже, че CTR е най-малко сигурен като други режими (CBC, CFB, OFB,...)
■Simplicity:Unlikeothermodes,CTRmodeonlyrequirestheimplementationofencryptionalgorithms,butdoesnotrequiretheimplementationofdecryptionalgorithms.ForAESandotherencryption/decryptionalgorithmsthatareessentiallydifferent,thissimplificationishuge.
■Withoutpadding,itcanbeefficientlyusedasstreamencryption.
■Errorsarenotpropagated:eachbitintheciphertexttransmissionisincorrectlyreversed,whichonlyaffectsthedecryptionoftheblockwheretheciphertextislocated.InCTRmode,afterk+1stepsofself-synchronization,Thesubsequentciphertextcanbedecryptedcorrectly.(kmeansblocklength128)
■Трябва да се използва с кода за удостоверяване на съобщението (MAC).
■Integritycheckisnotpossible:Lossofbitsduringciphertexttransmissionwillcausesubsequentbitstofailtobedecryptedcorrectly.