Presentation is loading. Please wait.

Presentation is loading. Please wait.

An AES Retrospective ECRYPT October 18, 2012 Miles Smid Orion Security Solutions.

Similar presentations

Presentation on theme: "An AES Retrospective ECRYPT October 18, 2012 Miles Smid Orion Security Solutions."— Presentation transcript:

1 An AES Retrospective ECRYPT October 18, 2012 Miles Smid Orion Security Solutions

2 Opening Remarks Honored to be here AES the work of many people who were willing to try a new cryptographic development process This AES process affected how cryptography is studied, developed, analyzed, distributed, and used today Several issues had to be dealt with along the way 2

3 The Beginnings 1965 Cryptography restricted to military applications U.S. Brooks Act required new standards for computer security NBS (NIST) viewed cryptography as one of the key computer security areas Cryptography thought important for US Government data privacy applications 3

4 The Birth of DES Developed by IBM Proposed by NBS in March 1975 Comments requested August 1975 Possible export restrictions Diffie-Hellman controversy over 56-bit key size and possible trap doors Two workshops in 1976 DES security estimated to last 10-15 years Issued as a Federal standard on January 15, 1977 4

5 DES Matures: 1980’s DES succeeds but controversy continues Significantly better than alternatives Adoption by the U.S. (ANSI X9) Banking community in 1979 U.S. Treasury adoption in 1984 ISO Standard DES-1 in 1986 ISO decision not to standardize cryptographic algorithms 5

6 DES Reaches Twilight Third DES 5-year Review (1993) announces that higher security algorithms will be considered at next review DES cracker breaks a key in 56 hours 1998 Fourth DES Review recommends Triple DES but allows Single DES for legacy systems in 1999 Difficult to transition away from DES 1 6 1. Transitioning is still a significant problem in cryptography

7 Escrowed Encryption FIPS 185 published in 1994 Cryptography without jeopardizing law enforcement, public safety, and national security Tamper resistant device (Clipper, Capstone) unique key Keys held in escrow by Treasury and NIST Keys provided to law enforcement with court order Program Manager from NIST 7

8 Escrow Features Separation of duties, split knowledge, security clearances, redundancy, physical security, auditing all used New (but secret) 80-bit crypto-algorithm called Skipjack (BS=64, r=32) Skipjack “Interim” Review by Brickell, Denning, Kent, Maher, and Tuchman in 1992. “Good for 30-40 years” SP800-131A SKIPJACK shall not be used for encryption after 2010. Legacy decryption is allowed 8

9 Escrow Problems Classified Algorithm Hardware/Firmware only Government designed Restricted evaluation Academic community not involved in its development and opposed its implementation NIST discouraged from standards development Skipjack declassified on June 1998. 9

10 1996 The Stage is now Set for AES! 10

11 AES Motivation A new symmetric algorithm standard was clearly needed, but could NIST develop such a standard? Academic community must be involved Algorithm must be public and worldwide royalty- free More secure than TDES more efficient than TDES 11

12 Issues 1 This cooperation between the USG and the academic community in an open process to develop cryptography had not been done before. Would it work? Would NSA support this open process? –Brian Snow 12

13 Issues 2 13 How does one avoid a key size issue? How does one specify the requirements that the algorithm must meet? How does the USG get the academic community involved? –Have a contest –Not for money but for honor

14 First Workshop NIST request for comments on Developing AES, Jan 2, 1997. NIST AES Workshop, April 15, 1977 –128, 192, and 256 bit key sizes –128 or variable block size –Efficient on 8, 32, and 64-bit processors and special purpose hardware –Simplicity and logic of design –Not many cryptographers –Future meetings in conjunction with Crypto and Fast Software Encryption conferences 14

15 Formal Call for Candidates Sep 12 1997 Criteria –Security: Resistance to attack, soundness of math basis, randomness of function –Cost: Speed, Memory, Licensing –Algorithm Implementation Characteristics: flexibility, simplicity, provable security, intellectual property –Reference Implementations 15

16 Issues 3 Would the Schedule provide enough time for evaluation? Would NIST receive any viable candidates? Should NSA Submit? –Bruce Schneier: Yes –Miles Smid: Hoped not 16

17 First AES Candidate Conference Aug 20-22 1998, Ventura, CA with Crypto 98 21 packages received 6 were incomplete 15 candidates from 10 countries were presented Several faster than single DES with greater key size Cryptanalysis performed real time!!!!! Call for Analysis 17

18 15 Original Candidates AlgorithmSubmitter CAST-256Entrust Technologies Inc. CRYPTONFuture Systems, Inc. DEALRichard Outerbridge, Lars Knudsen DFCCNRS – Centre National pour la Recherche Scientifique – Ecole Normale Superieure E2NTT – Nippon Telegraph and Telephone FROGTecApro Internacional S.A. HPCRich Schroeppel 18

19 15 Original Candidates AlgorithmSubmitter LOK197Lawrie Brown, Josef Pieprzyk, Jennifer Seberry MAGENTADeutsche Telekom AG MARSIIBM RC6RSA Laboratories RIJNDAELJoan Daemen, Vincent Rijmen SAFER+Cylink Corporation SERPENTRoss Anderson, Eli Biham, Lars Knudsen TWOFISHBruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Neils Ferguson 19

20 Designs Based on previous schemes (5) Feistel Networks (6) Modified Feistel Networks (3) Substitution-Permutation Networks (4) Other Algorithms (2) 20

21 Software Efficiency 21

22 Issues 4 How could royalty free nature of the AES algorithm be guaranteed? –Legal statement from owners giving up royalty rights (some conditional responses) –Public notice to all requesting notification of any infringement –Only selected algorithm must comply 22

23 Issues 5 Export of reference implementations –Worked with DOC Bureau of Export Administration –Reference implementations not included without personal use only stipulation –Brian Gladman implementations What if NSA found classified security issue? –No good solution –Mutual trust 23

24 24 Let the Games Begin

25 Second AES Conference March 22-23, 1999, Rome, Italy before FSE 6 Crypto Attacks: Major and Minor Submitter Rebuttals Security Margin (Rounds-rounds of best attack) Efficiency 25

26 Analysis Claimed Attacks –LOK197, FROG, MAGENTA, DEAL, SAFER + Weak Keys –DFC, CRYPTON So far pretty good –MARS, RC2, RIJNDAEL, TWOFISH, E2, CAST 256, SERPENT, HPC 26

27 Issues 6 Will tweaks be permitted? –Under certain conditions –Minor adjustments to an algorithm, to correct small deficiencies –Explanation/justification of proposed “tweaks”, and updated spec. are due May 15, 1999. 27

28 NIST Selects the Finalists Five candidates had no major or minor security gaps and possessed numerous advantages (Aug 1999) MARS: IBM RC6: RSA Laboratories Rijndael: Daeman, and Rijmen Serpent: Anderson, Biham, and Knudsen Twofish: Schneier, Kelsey, Whiting, Wagner, Hall, and Ferguson. 28

29 Attendee Feedback Form Rijndael positive 86 negative 10 Serpentpositive 59negative 7 Twofishpositive 31negative 21 RC6positive 23negative 37 MARSpositive 13negative 84 29 Beauty Contest or Expert Opinion?

30 Issues 7 NSA announced that it had put 13 person years of labor into studying the candidates NSA concluded that each finalist appeared to be cryptographically sound Relief!!! “None of the finalists is outstandingly superior to the rest” 2 30 2. Report on the Development of the AES, NIST, October 2, 2012

31 Third AES Conference April 13-14, 2000, New York, NY after FSE 7 Technical Analysis of Finalists FPGA Implementations Full hardware Implementations 31

32 Issues 8 Multiple Winners? (Don Johnson) –More flexibility (pick best algorithm for the application) –More security with combined algorithms –Vendors did not want to support multiple algorithms –Rejected by the participants Runner-up? –Evaluated alternative ready to be implemented –Would still need to be evaluated before using –Rejected by the participants Rumor (from Europe) of U.S. selection 32

33 Rijndael Selected October 2, 2000 Consistently very good performance in both hardware and software Excellent key setup time and good key agility Suited to low memory applications Simple operations Flexibility in block and key sizes and number of rounds FIPS 197, Nov 2001 33

34 Postscripts ISO changed its decision that cryptographic algorithms were not appropriate for standardization ECRYPT started Feb 2004 Some AES “attacks” found but AES appears to be strong Good cooperation between governments and academia on cryptography continues Much research beyond crypto-algorithms (e.g., protocols, key management, special applications, etc. NIST Hash Function Competition 2007-2012 34

35 Congratulations!!! Keccak Designers –Guido Bertoni (Italy) of STMicroelectronics –Joan Daemen (Belgium) of STMicroelectronics –Michaëll Peeters (Belgium) of NXP Semiconductors –Gilles Van Assche (Belgium) of STMicroelectronics 35

36 References The Data Encryption Standard: Past and Future, proceedings of IEEE, vol 76, no 5, M.E. Smid and D. K. Branstad, May 1988. Key Escrowing Today, IEEE Communications, vol 32, no 9, p 58-68, Dorothy E. Denning and Miles Smid, September 1994. Status Report on the First Round of the Development of the Advanced Encryption Standard, Journal of Research of the NIST, vol 104, no 5, Nechvatal et al., Sep-Oct, 1999. Report on the Development of the Advanced Encryption Standard (AES), Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce, Nechvatal et al., October 2, 2000. 36

Download ppt "An AES Retrospective ECRYPT October 18, 2012 Miles Smid Orion Security Solutions."

Similar presentations

Ads by Google