Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.

Presentation on theme: "Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different."— Presentation transcript:

Lecture 7 Overview

Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different (10 th, 12 th, 14 th ) Each regular round consists of 4 steps – Byte substitution (BSB) – Shift row (SR) – Mix column (MC) – Add Round key (ARK) CS 450/650 Lecture 7: AES 2

AES Overview Plaintext (128)ARKSubkey 0 Ciphertext (128)ARKSubkey 10 SR BSB 9 rounds CS 450/650 Lecture 7: AES 3

State b0b4b8b12 b1b5b9b13 b2b6b10b14 b3b7b11b15 -128-bit block  4 x 4 matrix -128 bits  16 bytes  b0, b1, b2,.., b15 CS 450/650 Lecture 7: AES 4 S 0,0 S 0,1

Key k0k4k8k12 k1k5k9k13 k2k6k10k14 k3k7k11k15 -128-bit key  4 x 4 matrix -128 bits  16 bytes  k0, k1, k2,.., k15 CS 450/650 Lecture 7: AES 5

Four Operations 1.Byte Substitution – predefined substitution table s[i,j]  s’[i,j] 2.Shift Row – left circular shift 3.Mix Columns – 4 elements in each column are multiplied by a polynomial 4.Add Round Key – Key is derived and added to each column CS 450/650 Lecture 7: AES 6 diffusion diffusion and confusion confusion

Shift Row (128-bit) b0b4b8b12 b1b5b9b13 b2b6b10b14 b3b7b11b15 b0b4b8b12 b5b9b13b1 b10b14b2b6 b15b3b7b11 CS 450/650 Lecture 7: AES 7

Mix Column 2311 1231 1123 3112 S 0,i S 1,i S 2,I S 3,i S’ 0,I S’ 1,I S’ 2,I S’ 3,i = * Multiplying by 1  no change Multiplying by 2  shift left one bit Multiplying by 3  shift left one bit and XOR with original value More than 8 bits  100011011 is subtracted CS 450/650 Lecture 7: AES 8

Add Key b0b4b8b12 b1b5b9b13 b2b6b10b14 b3b7b11b15 k0k4k8k12 k1k5k9k13 k2k6k10k14 k3k7k11k15 b’ x bxbx kxkx = XOR CS 450/650 Lecture 7: AES 9

Key Generation 4 bytes Circular left shift 1byte S-box XOR Round constant CS 450/650 Lecture 7: AES 10

DES vs AES DESAES Date19761999 Block size64 bits128 bits Key length56 bits128, 192, 256, … bits Encryption primitivesSubstitution and permutationSubstitution, shift, bit mixing Cryptographic primitivesConfusion and diffusion DesignOpen Design rationaleClosedOpen Selection processSecretSecret (accepted public comment) SourceIBM, enhanced by NSABelgian cryptographers 11 CS 450/650 Lecture 7: AES

Cryptographic Hash Functions Message Digest Functions – Protect integrity – Create a message digest or fingerprint of a digital document – MD4, MD5, SHA Message Authentication Codes (MACs) – Protect both integrity and authenticity – Produce fingerprints based on both a given document and a secret key CS 450/650 Lecture 7: Hash Functions 12

Message Digest Functions Checksums  fingerprint of a message – If message changes, checksum will not match Most checksums are good in detecting accidental changes made to a message – They are not designed to prevent an adversary from intentionally changing a message resulting a message with the same checksum Message digests are designed to protect against this possibility CS 450/650 Lecture 7: Hash Functions 13

One-Way Hash Functions Example M = “Elvis” H(M) = (“E” + “L” + “V” + “I” + “S”) mod 26 H(M) = (5 + 12 + 22 + 9 + 19) mod 26 H(M) = 67 mod 26 H(M) = 15 H M H(M) = h CS 450/650 Lecture 7: Hash Functions 14

Collision Example x = “Viva” Y = “Vegas” H(x) = H(y) = 2 H xH(x) H yH(y) = CS 450/650 Lecture 7: Hash Functions 15

Collision-resistant, One-way hash fnc. Given M, – it is easy to compute h Given any h, – it is hard to find any M such that H(M) = h Given M1, it is difficult to find M2 – such that H(M1) = H(M2) Functions that satisfy these criteria are called message digest – They produce a fixed-length digest (fingerprint) CS 450/650 Lecture 7: Hash Functions 16

Message Authentication Codes A message authentication code (MAC) is a key-dependent message digest function – MAC(M,k) = h CS 450/650 Lecture 7: Hash Functions 17

A MAC Based on a Block Cipher M1 Encrypt k M1 Encrypt k XOR M1 Encrypt k XOR … MAC CS 450/650 Lecture 7: Hash Functions 18

Lecture 8 Secure Hash Algorithm CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Hesham El-Rewini

Secure Hash Algorithm (SHA) SHA-01993 SHA-11995 SHA-22002 – SHA-224, SHA-256, SHA-384, SHA-512 SHA-1 A message composed of b bits 160-bit message digest CS 450/650 Lecture 8: Secure Hash Algorithm 20

Step 1 -- Padding Padding  the total length of a padded message is multiple of 512 – Every message is padded even if its length is already a multiple of 512 Padding is done by appending to the input – A single bit, 1 – Enough additional bits, all 0, to make the final 512 block exactly 448 bits long – A 64-bit integer representing the length of the original message in bits CS 450/650 Lecture 8: Secure Hash Algorithm 21

Padding (cont.) MessageMessage length10…0 64 bits Multiple of 512 1 bit CS 450/650 Lecture 8: Secure Hash Algorithm 22

Example M = 01100010 11001010 1001 (20 bits) Padding is done by appending to the input – A single bit, 1 – 427 0s – A 64-bit integer representing 20 Pad(M) = 01100010 11001010 10011000 … 00010100

Example Length of M = 500 bits Padding is done by appending to the input: – A single bit, 1 – 459 0s – A 64-bit integer representing 500 Length of Pad(M) = 1024 bits

Step 2 -- Dividing Pad(M) Pad (M) = B 1, B 2, B 3, …, B n Each B i denote a 512-bit block Each B i is divided into 16 32-bit words – W 0, W 1, …, W 15 CS 450/650 Lecture 8: Secure Hash Algorithm 25

Step 3 – Compute W 16 – W 79 To Compute word W j (16<=j<=79) – W j-3, W j-8, W j-14, W j-16 are XORed – The result is circularly left shifted one bit CS 450/650 Lecture 8: Secure Hash Algorithm 26

Step 4 – Initialize A,B,C,D,E A = H 0 B = H 1 C = H 2 D = H 3 E = H 4 CS 450/650 Lecture 8: Secure Hash Algorithm 27

Initialize 32-bit words H 0 = 67452301 H 1 = EFCDAB89 H 2 = 98BADCFE H 3 = 10325476 H 4 = C3D2E1F0 K 0 – K 19 = 5A827999 K 20 – K 39 = 6ED9EBA1 K 40 – K 49 = 8F1BBCDC K 60 – K 79 = CA62C1D6 CS 450/650 Lecture 8: Secure Hash Algorithm 28

Step 5 – Loop For j = 0 … 79 TEMP = CircLeShift_5 (A) + f j (B,C,D) + E + W j + K j E = D; D = C; C = CircLeShift_30(B); B = A; A = TEMP Done +  addition (ignore overflow) CS 450/650 Lecture 8: Secure Hash Algorithm 29

Four functions For j = 0 … 19 – f j (B,C,D) = (B AND C) OR ( B AND D) OR (C AND D) For j = 20 … 39 – f j (B,C,D) = (B XOR C XOR D) For j = 40 … 59 – f j (B,C,D) = (B AND C) OR ((NOT B) AND D) For j = 60 … 79 – f j (B,C,D) = (B XOR C XOR D) CS 450/650 Lecture 8: Secure Hash Algorithm 30

Step 6 – Final H 0 = H 0 + A H 1 = H 1 + B H 2 = H 2 + C H 3 = H 3 + D H 4 = H 4 + E CS 450/650 Lecture 8: Secure Hash Algorithm 31

Done Once these steps have been performed on each 512-bit block (B 1, B 2, …, B n ) of the padded message, – the 160-bit message digest is given by H 0 H 1 H 2 H 3 H 4 CS 450/650 Lecture 8: Secure Hash Algorithm 32

SHA Output size (bits) Internal state size (bits) Block size (bits) Max message size (bits) Word size (bits) RoundsOperations Collisions found SHA-0160 5122 64 − 13280 +, and, or, xor, rot Yes SHA-1160 5122 64 − 13280 +, and, or, xor, rot None (2 52 attack) SHA-2 256/2242565122 64 − 13264 +, and, or, xor, shr, rot None 512/38451210242 128 − 16480 +, and, or, xor, shr, rot None CS 450/650 Lecture 8: Secure Hash Algorithm 33

Similar presentations