
The Not So Happily-Ever After End of AES Security Fairytale



  1. Introduction Competition Certificational Results Summary
     The Not So Happily-Ever After End of AES’ Security Fairytale
     Orr Dunkelman, Faculty of Mathematics and Computer Science, Weizmann Institute of Science
     Crypto Day 2010 — June 9th, 2010
     Orr Dunkelman The End of AES’ Security Fairytale 1/43

  2. Outline
     1 Introduction
       Block Ciphers
       The History of Block Ciphers
     2 The AES Competition
       Introduction
       The Candidates
       The Advanced Encryption Standard
       The Security of AES
     3 Certificational Attacks
       What a Break is?
       Certificational Attacks on AES
       What is a Practical Attack?
     4 Our Results
       Attacks on AES-256
       The Key Point Verification
       Other Attack Scenarios
     5 Summary

  3. Block Ciphers
     ◮ One of the most basic cryptographic algorithms.
     ◮ A symmetric key algorithm (both sides hold secret information).
     ◮ Is a transformation of blocks of bits (of size $n$) into new blocks of bits (usually of the same size). Formally: $E : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$ or $E_k : \{0,1\}^n \to \{0,1\}^n$.
     ◮ To deal with more (or less) data, some mode of operation is used (ECB, CBC, counter mode, etc.).

  4. The History of Block Ciphers
     At the beginning the NSA prevented research in block ciphers, and the block ciphers were chaos, and no public knowledge on how to design a good block cipher was available. And NBS said to IBM, “let there be a block cipher”.
     ◮ In the mid-70’s, the civil need for a secure block cipher led the US authorities to ask IBM to design a civil block cipher.
     ◮ The IBM team, headed by Horst Feistel, proposed a block cipher named Lucifer, which had a 64-bit block and 256-bit key.

  5. The History of Block Ciphers (cont.)
     And the NSA has seen that the Lucifer was not good. And the NSA has told IBM how to make a better cipher. And the NSA saw the cipher, and said “it’s good”.
     ◮ After Lucifer was rejected (due to security reasons), IBM proposed a new cipher.
     ◮ The cipher, later selected as the Data Encryption Standard (DES) had a block size of 64 bits, and key size of 56 bits.
     ◮ Up to the complementation property of DES* it was considered secure, despite the short key size, and the unknown design criteria.
     * $DES_{\overline{K}}(\overline{P}) = \overline{DES_K(P)}$

  6. The History of Block Ciphers (cont.)
     And the land has rested for 14 years. During these years, the best attack could have broken DES reduced to 7 out of its 16 rounds.
     ◮ DES was considered secure enough for practical purposes.
     ◮ To deal with the short key size, it was suggested to use double and triple encryptions, e.g., $3DES_{K_1,K_2,K_3}(P) = DES_{K_3}(DES^{-1}_{K_2}(DES_{K_1}(P)))$

  7. The History of Block Ciphers (cont.)
     And Eli and Adi said “Let there be differential cryptanalysis”, and showed an attack on the full DES faster than exhaustive search.
     ◮ Differential cryptanalysis [BS90] was the first evidence that the security of DES was not perfect (offering an attack of $2^{47}$ data and time on the full DES).
     ◮ Later, linear cryptanalysis [M93] further reduced the confidence in DES’ security (offering an attack of $2^{43}$ data and time on the full DES).

  8. The History of Block Ciphers — The Late 90’s
     ◮ Somewhere along the 90’s, the way cryptography was used has changed as well.
     ◮ Cryptography entered each and every household, which resulted in a more hidden change — encryption was done in software rather than in hardware.
     ◮ DES, as history shows, was designed as a hardware-friendly cipher. At the same time, following its bit operations, it was not so software friendly.
     ◮ Along with the security issues identified in the early 90’s, a need to replace DES was forming.

  9. The DES Challenges
     ◮ At the beginning, NIST refused to replace DES, claiming that a 56-bit key cipher is sufficiently secure.
     ◮ As a response, a series of DES challenges were issued by RSA labs.
     ◮ In each challenge, RSA published a plaintext and its corresponding ciphertext, and offered 10,000$ for the first person to identify the key.
     ◮ The first challenge was solved in 75 days (involving 14,000–80,000 computers).
     ◮ The second challenge was solved in 39 days.
     ◮ The third was solved in 56 hours, using a special machine that the EFF has built (the DES cracker) for 210,000$.

  10. The AES Competition
      ◮ Following the requests for a more software-friendly encryption standard, NIST decided in 1997 to start a competition for a replacement to DES.
      ◮ The process was discussed thoroughly with the cryptographic community, and it was decided to hold an open competition.
      ◮ The cryptographic community was invited to submit proposals, and the evaluation process was meant to be open, i.e., everybody would get to analyze and comment about the other candidates.
      ◮ The block size was set to 128 bits, and three key sizes were required, 128, 192, and 256 bits.
      The target: Be faster and more secure than 3DES.

  11. The Candidates
      ◮ 21 submissions were sent to NIST, 15 of which satisfied the requirements from the submissions:

      | Candidate | Candidate | Candidate | Candidate | Candidate |
      |-----------|-----------|-----------|-----------|-----------|
      | CAST-256  | CRYPTON   | DEAL      | DFC       | E2        |
      | FROG      | HPC       | LOKI97    | MAGENTA   | MARS      |
      | RC6       | Rijndael  | SAFER++   | Serpent   | TWOFISH   |

      ◮ The first phase took a year, and at its end, 5 candidates were picked as finalists as they had merits over the other candidates.

  12. The Finalists
      ◮ MARS — designed by the IBM team (headed by Don Coppersmith).
      ◮ RC6 — designed by RSA people (headed by Ron Rivest).
      ◮ Rijndael — designed by K.U. Leuven post-docs (Joan Daemen and Vincent Rijmen).
      ◮ Serpent — designed by an international academic team (Ross Anderson, Eli Biham, and Lars R. Knudsen).
      ◮ Twofish — designed by Counterpane (headed by Bruce Schneier).

  13. The Finalists — Comparison

      | Candidate | Type                | # of Rounds | Best Attack(s) (as of 2000)      |
      |-----------|---------------------|-------------|----------------------------------|
      | MARS      | Generalized Feistel | 8 + 16 + 8  | 11C [KKS00] or 8 + 5 + 8 [KS00]  |
      | RC6       | Generalized Feistel | 20          | 14/14/15 [G+00,KM00]             |
      | Rijndael  | SPN                 | 10/12/14    | 7/8/8 [F+00]                     |
      | Serpent   | SPN                 | 32          | 6/8/9 [F+00b]                    |
      | Twofish   | Feistel             | 16          | 6 [F+99]                         |

  14. The Finalists — Performance

      | Candidate | 32-bit Enc. (cycles) | 32-bit Dec. (cycles) | 8-bit Enc. (cpb)       | ASIC fastest         |
      |-----------|----------------------|----------------------|------------------------|----------------------|
      | MARS      | 1600                 | 1580                 | 572 RAM/5468 ROM/2810  | 2.95 MGate/225 Mbps  |
      | RC6       | 1436                 | 1406                 | 156 RAM/1060 ROM/2130  | 1.64 MGate/203 Mbps  |
      | Rijndael  | 1276                 | 1276                 | 66 RAM/980 ROM/1560    | 0.61 MGate/1950 Mbps |
      | Serpent   | 1800                 | 2102                 | 164 RAM/3937 ROM/4440  | 0.53 MGate/931 Mbps  |
      | Twofish   | 1254                 | 1162                 | 90 RAM/2808 ROM/1940   | 0.43 MGate/394 Mbps  |

      32-bit machine in use: C code in Linux/GCC-2.7.2.2/Pentium 133 MHz MMX. 8-bit machine: Z80 CPU. ASIC: Results due to [IKM00] in 0.35 µm.

  15. The Selection — Rijndael as the AES
      ◮ In September 2001, Rijndael was announced as the Advanced Encryption Standard (AES).
      ◮ Rijndael was deemed to offer sufficient security, and affordable performance, i.e., being the fastest on many platforms and hardware friendly.
      ◮ Since then, AES implementations were improved:
        ◮ Software implementations that run at ≈ 10 cycles/byte.
        ◮ New AES instruction in Westmere Intel CPUs allows encryption at 3.8 cycles/byte (and even 0.7 cycles/byte in counter mode).
        ◮ Hardware implementations range from 3.1 Kgates (121 Mbps at 152 MHz using 0.13 µm) to 44 Gbps (with 250 Kgates).
        ◮ FPGA performance also extremely good (up to 24 Gbps).

  16. The Advanced Encryption Standard
      ◮ The cipher has an SP (substitution-permutation) network structure.
      ◮ Block size — 128 bits, Key size — 128, 192, or 256 bits.
      ◮ Number of rounds depends on the key length (10/12/14, respectively).
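
The complementation property footnoted on the DES slide follows from the Feistel structure and XOR key mixing, not from the S-boxes. The sketch below is an added example, not part of the talk, and it goes beyond the slide by showing why the property holds. It uses a toy 32-bit Feistel cipher; the cipher, its rotation key schedule, the SHA-256-based round function, the `add_mix` contrast and all names are assumptions made for illustration.

```python
import hashlib

HALF = 16                                  # toy half-block width (DES uses 32)
MASK = (1 << HALF) - 1
FULL = (1 << 2 * HALF) - 1
ROUNDS = 16

def round_keys(key):
    # Toy schedule: rotations of a 16-bit key. Like the DES schedule it only
    # moves key bits around, so complementing the key complements every round key.
    return [((key << r) | (key >> (HALF - r))) & MASK for r in range(ROUNDS)]

def f(x):
    # Arbitrary nonlinear 16-bit function standing in for the DES S-boxes.
    return int.from_bytes(hashlib.sha256(x.to_bytes(2, "big")).digest()[:2], "big")

def xor_mix(right, k):                     # DES-style key mixing
    return right ^ k

def add_mix(right, k):                     # hypothetical alternative, for contrast
    return (right + k) & MASK

def feistel(keys, block, mix):
    left, right = block >> HALF, block & MASK
    for k in keys:
        left, right = right, left ^ f(mix(right, k))
    return (right << HALF) | left          # final swap: decryption reuses this loop

def encrypt(key, block, mix=xor_mix):
    return feistel(round_keys(key), block, mix)

def decrypt(key, block, mix=xor_mix):
    return feistel(round_keys(key)[::-1], block, mix)

def complementation_holds(key, block, mix=xor_mix):
    # E_{~K}(~P) == ~E_K(P) for this key/plaintext pair?
    return encrypt(key ^ MASK, block ^ FULL, mix) == encrypt(key, block, mix) ^ FULL

def count_holds(mix, trials=2000):
    # Constructed inputs: a deterministic spread of keys and plaintext blocks.
    hits = 0
    for i in range(trials):
        key = (i * 40503 + 7) & MASK
        block = (i * 2654435761 + 12345) & FULL
        hits += complementation_holds(key, block, mix)
    return hits

if __name__ == "__main__":
    print("pairs satisfying the relation:", count_holds(xor_mix), count_holds(add_mix))
```

With XOR mixing, complementing both the right half and the round key leaves the input to `f` unchanged, so the complement passes through every round whatever `f` is. With modular addition the relation no longer holds in general.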
