Security - Telenor

More documents

Recommendations

Info

Lars R. Knudsen (38) is Professor at the Institute of Informatics at the University of Bergen. He received his M.Sc. and Ph.D. degrees in computer science and mathematics from Aarhus University, Denmark, in 1992, respectively 1994. He has written numerous scientific papers in the area of cryptology and is regarded a world expert in block cipher encryption algorithms. lars.knudsen@ii.uib.no 10 Advanced Encryption Standard (AES). Encryption for our Grandchildren LARS R. KNUDSEN Introduction Encryption used to be something which only the secret services and military had a real interest in and which private citizens only knew from crosswords and puzzles in Sunday newspapers. Today encryption is an important part of the information society. Outside of the secret services the interest in encryption started to blossom at the end of the 1970s. First, IBM (International Business Machines) developed the cryptosystem Lucifer, which later was adapted as a US Federal Information Processing Standard, although slightly modified. This standard was published in January 1977 as the DES (Data Encryption Standard) and is today probably the most used encryption system in the world (at least outside of the secret services). The system is a so-called secret-key cryptosystem, where the same information, or key, is used to encipher (or encrypt) and decipher (or decrypt) the messages. Second, the researchers Whitfield Diffie and Martin Hellman discovered (or re-discovered 1) ) so-called public-key cryptography, where the secret key is split into two parts, a public part and a secret part. The public part of the key is made available to everyone; the secret part stays secret with one party. The public key can be used by everyone to encrypt a message, while the secret key can be used to decrypt the ciphertext and restore the message. The differences between today’s secret-key and public-key cryptosystems are many, but there is a need for both of them. Even though the DES has withstood almost 25 years of cryptanalytic attempts to find shortcuts in the algorithm by cryptanalysts from all over the world, time is running out for the algorithm. The main problem is that the DES was designed to accept keys of only 56 bits, which means that there are 2 56 ≈ 10 17 different keys. Even though this number may seem huge, (as an example, 2 56 seconds are about 2 billion years), it is small enough to enable the design of special-purpose built hardware, which can run through all possible values of the key in a very short time. In 1998 it was estimated that an attacker who is willing to invest one million US dollars, could try all values of the key, one by one, in just half an hour! With a few encrypted messages on hand, one can simply decrypt these under all possible values of the key. The value of the key which yields some meaningful messages is with a high probability the correct one, and the system is broken. Technical Detail In a cryptosystem the message is always first converted to a number. This number is then encrypted by applying some mathematical or non-mathematical operations to it, and the resulting number is then transformed back to cipher-text. The numbers are represented in the binary number system, that is, a number is either a zero or a one. As an example, the number 17 in the decimal number system (the one we use normally) is 10001 in the binary number system. The symbols in the binary number system are called bits. AES – Advanced Encryption Standard In 1997 the American National Institute for Standards and Technology (NIST) decided that it was time to find a substitute for the DES. Surprisingly (at least to this author) NIST invited parties from all over the world to participate in this process and announced a call-for-candidates for the Advanced Encryption Standard (AES). The conditions for the competition were many and included a whole range of documentation requirements and test results. The most important requirements for the system are that there must not be any trapdoors (shortcuts), and that the best attack against the system is the trivial one of trying all keys one by one. A more specific requirement is that the secret keys must be of length of at least 128 bits. This means that there will be at least 2 128 different keys, which is about 10 39 . The above mentioned special-purpose built machines to try all keys one by one will not have a chance of being applicable in practice before 2030 – 2040, or probably even later. NIST also invited the world’s cryptanalysts to participate in the process. The goal of NIST is that the whole process be as open as it can be, and that all aspects of the design and analysis are made public. 1) The English intelligence service claims that they invented the public-key techniques around the same time. Telektronikk 3.2000
The deadline for submitting candidates to the AES was June 15, 1998. Out of a total of 21 submissions, six were discarded because of incomplete documentation. Of the remaining 15, five are from the USA, two from Canada, there is one candidate each from Australia, Belgium, Costa Rica, France, Japan, Korea, and Germany, and then a multinational candidate from Denmark, United Kingdom and Israel. This author represents the Scandinavian colours in this competition. After one year of gathering information about the 15 candidates NIST decided in August 1999 to pick five candidates for a final and last round. This author was involved in the breaking of two of the 15 candidates and in the finding of serious weaknesses in a third candidate. The five candidates for the final round are in alphabetical order. • MARS by IBM, USA; • RC6 by RSA Inc., USA; • Rijndael by researchers from Belgium; • Serpent by researchers from Denmark, UK, Israel; • Twofish by Counterpane, USA. In April 2000 the last conference on the AES took place in New York, USA, and May 15, 2000 was the deadline for sending in comments and analysis of the five candidates. NIST expects to announce the winner(s) some time in the year 2000. Serpent Serpent is a snake; the idea is that Serpent will slither away from all cryptanalytic attacks. My co-authors on Serpent are Ross Anderson from Cambridge University in England and Eli Biham from Technion University in Haifa, Israel. The first version of Serpent (later called Serpent-0) was developed in 1997 and presented at a conference on encryption in Paris, March 1998. The version we submitted to NIST, called Serpent, is a slightly modified version of Serpent-0. Today (July 2000) no one has managed to find any weaknesses of any kind in Serpent. Secret-key cryptosystems are traditionally constructed by running the message through several so-called substitutions and permutations dependent on the value of the secret key. Substitutions are also sometimes called S-boxes and are often implemented in terms of a look-up table, which for every input specifies the function value. The advantage of this approach is that it is relatively easy to choose and use functions with complex mathematical formulae. Permutations are often simple functions which permute (or re-order) the bits of the messages typically, one uses a set of small substitutions each modifying a small piece of the message, but such that the whole text is modified. Subsequently, the pieces are moved Telektronikk 3.2000 around and mixed. This recipe is then repeated a sufficient number of times, until the resulting ciphertext looks like total gibberish (and often more than that). Serpent is constructed as above and has 32 iterations or layers. In each layer the 128-bit text is split into 32 smaller parts of four bits each. The four bits are input to a small S-box, which again returns four (other bits). Then the 32 blocks of four bits are concatenated (put together) and the 128 bits are mixed using a permutation. The nice feature of Serpent is that the 32 S-box evaluations can be done in parallel. Most computers today operate on 32-bit words, which enables us to look up 32 S-box values in parallel; that is, on computers with just one processor. This means that the 32 look-ups are much faster than doing 32 conventional look-ups. On 8-bit processors it is possible to do eight evaluations in parallel. The substitutions and permutations are well chosen, such that all known attacks on block cipher have to give up after 7 to 9 layers. Therefore there is a big safety margin in Serpent, big enough to handle even considerable improvements in the known techniques. On the average PC Serpent is not the fastest algorithm of the final five candidates left in the competition. On the other hand, on other platforms, e.g. in smart card applications, Serpent is one of the fastest; also in hardware Serpent is the fastest of the five. The great advantage of Serpent is that the safety margin protecting against future cryptanalytic improvements is the largest of all five candidates. Licenses? One of the great properties of the AES, apart from high security (if Serpent is chosen!) is that the system must be royalty free and free to use for everybody all over the world. It was a condition to participate in the competition that all patents and rights were waived, in case the algorithm should be selected for the AES. Hidden Trapdoors One of the favourite subjects in the boulevard press when it comes to encryption system is hidden trapdoors. As an example, when the DES was first published there was a lot of debate on the possibility that the American government had put in a trapdoor enabling them to read encrypted traffic without knowing the secret key. However, I am convinced that no such trapdoor exists for the DES, and I guarantee that no such trapdoors have been put into Serpent. It is very hard to break the encryption systems which are constructed according to the state-of-the-art, but it is even more difficult in my opinion to put a trapdoor into a public cryptosystem without being detected. 11
Page 2 and 3: Telektronikk Volume 96 No. 3 - 2000
Page 4 and 5: Øyvind Eilertsen (34) is Research
Page 6 and 7: 4 E(P) = a ⋅ P + b (mod 26) D(C)
Page 8 and 9: 6 In 1997, NIST initiated the proce
Page 10 and 11: 8 decrypt the signed hash value, re
Page 14 and 15: Table 1 Timetable for AES Table 2 T
Page 16 and 17: 14 K m i Stream cipher algorithm Fi
Page 18 and 19: 16 6 Use of Encryption in Telecommu
Page 20 and 21: 18 mode, integrity mode, key divers
Page 22 and 23: 20 7 Beaver, D. Computing with DNA.
Page 24 and 25: 22 In both cases, my trust depends
Page 26 and 27: 24 A number of standard PC applicat
Page 28 and 29: Henning Wright Hansen (28) is Resea
Page 30 and 31: 28 Securing Locally Stored Informat
Page 32 and 33: Figure 3 A simple Public Key Infras
Page 34 and 35: 32 The Policy Control Center An imp
Page 36 and 37: Tønnes Brekne (31) is on leave fro
Page 38 and 39: 36 Sets definable by such predicate
Page 40 and 41: 38 A failure is caused by some type
Page 42 and 43: Figure 1 This figure illustrates th
Page 44 and 45: 42 ating system(s) and/or platform
Page 46 and 47: Message Sender Recipient Message pa
Page 48 and 49: 46 Assume some agent a carries with
Page 50 and 51: 48 gateway from attack, while the i
Page 52 and 53: 50 transfer at the expense of secur
Page 54 and 55: 52 7 FORE Systems. Firewall Switchi
Page 56 and 57: Figure 2-1 Object invocations throu
Page 58 and 59: Figure 4-1 3 Levels of different fi
Page 60 and 61: 58 phase two, in which the client r
Page 62 and 63:
60 5 CORBA Firewall Traversal 5.1 F
Page 64 and 65:
62 7.2 Visibroker Gatekeeper of Inp
Page 66 and 67:
64 References 1 Abie, H. An Overvie
Page 68 and 69:
Cost Figure 1 Minimising total cost
Page 70 and 71:
68 In the coming years it is likely
Page 72 and 73:
70 financial, social, environmental
Page 74 and 75:
Consequence 72 Insignificant Substa
Page 76 and 77:
74 in a one week time-frame, using
show all

Security - Telenor

Create successful ePaper yourself

Delete template?

Save as template?