An AES Retrospective
Download
Report
Transcript An AES Retrospective
An AES Retrospective
ECRYPT
October 18, 2012
Miles Smid
Orion Security Solutions
Opening Remarks
• Honored to be here
• AES the work of many people who were
willing to try a new cryptographic
development process
• This AES process affected how
cryptography is studied, developed,
analyzed, distributed, and used today
• Several issues had to be dealt with along
the way
2
The Beginnings 1965
• Cryptography restricted to military
applications
• U.S. Brooks Act required new standards
for computer security
• NBS (NIST) viewed cryptography as one
of the key computer security areas
• Cryptography thought important for US
Government data privacy applications
3
The Birth of DES
•
•
•
•
•
Developed by IBM
Proposed by NBS in March 1975
Comments requested August 1975
Possible export restrictions
Diffie-Hellman controversy over 56-bit key
size and possible trap doors
• Two workshops in 1976
• DES security estimated to last 10-15 years
• Issued as a Federal standard on January 15,
1977
4
DES Matures: 1980’s
• DES succeeds but controversy continues
• Significantly better than alternatives
• Adoption by the U.S. (ANSI X9) Banking
community in 1979
• U.S. Treasury adoption in 1984
• ISO Standard DES-1 in 1986
• ISO decision not to standardize
cryptographic algorithms
5
DES Reaches Twilight
• Third DES 5-year Review (1993) announces that
higher security algorithms will be considered at
next review
• DES cracker breaks a key in 56 hours 1998
• Fourth DES Review recommends Triple DES but
allows Single DES for legacy systems in 1999
• Difficult to transition away from DES1
1. Transitioning is still a significant problem in cryptography
6
Escrowed Encryption
• FIPS 185 published in 1994
• Cryptography without jeopardizing law
enforcement, public safety, and national security
• Tamper resistant device (Clipper, Capstone)
unique key
• Keys held in escrow by Treasury and NIST
• Keys provided to law enforcement with court
order
• Program Manager from NIST
7
Escrow Features
• Separation of duties, split knowledge, security
clearances, redundancy, physical security, auditing
all used
• New (but secret) 80-bit crypto-algorithm called
Skipjack (BS=64, r=32)
• Skipjack “Interim” Review by Brickell, Denning, Kent,
Maher, and Tuchman in 1992. “Good for 30-40
years”
• SP800-131A SKIPJACK shall not be used for
encryption after 2010. Legacy decryption is allowed
8
Escrow Problems
•
•
•
•
•
Classified Algorithm
Hardware/Firmware only
Government designed
Restricted evaluation
Academic community not involved in its
development and opposed its implementation
• NIST discouraged from standards
development
• Skipjack declassified on June 1998.
9
1996
The Stage is now Set for
AES!
10
AES Motivation
• A new symmetric algorithm standard was
clearly needed, but could NIST develop such
a standard?
• Academic community must be involved
• Algorithm must be public and worldwide
royalty- free
• More secure than TDES more efficient than
TDES
11
Issues 1
• This cooperation between the USG and
the academic community in an open
process to develop cryptography had not
been done before. Would it work?
• Would NSA support this open process?
– Brian Snow
12
Issues 2
• How does one avoid a key size issue?
• How does one specify the requirements
that the algorithm must meet?
• How does the USG get the academic
community involved?
– Have a contest
– Not for money but for honor
13
First Workshop
• NIST request for comments on Developing AES,
Jan 2, 1997.
• NIST AES Workshop, April 15, 1977
– 128, 192, and 256 bit key sizes
– 128 or variable block size
– Efficient on 8, 32, and 64-bit processors and
special purpose hardware
– Simplicity and logic of design
– Not many cryptographers
– Future meetings in conjunction with Crypto
and Fast Software Encryption conferences
14
Formal Call for Candidates
Sep 12 1997
• Criteria
– Security: Resistance to attack, soundness
of math basis, randomness of function
– Cost: Speed, Memory, Licensing
– Algorithm Implementation Characteristics:
flexibility, simplicity, provable security,
intellectual property
– Reference Implementations
15
Issues 3
• Would the Schedule provide enough time
for evaluation?
• Would NIST receive any viable
candidates?
• Should NSA Submit?
– Bruce Schneier: Yes
– Miles Smid: Hoped not
16
First AES Candidate Conference
•
•
•
•
•
Aug 20-22 1998, Ventura, CA with Crypto 98
21 packages received
6 were incomplete
15 candidates from 10 countries were presented
Several faster than single DES with greater key
size
• Cryptanalysis performed real time!!!!!
• Call for Analysis
17
15 Original Candidates
Algorithm
Submitter
CAST-256
Entrust Technologies Inc.
CRYPTON
Future Systems, Inc.
DEAL
Richard Outerbridge, Lars Knudsen
DFC
CNRS – Centre National pour la
Recherche Scientifique – Ecole
Normale Superieure
E2
NTT – Nippon Telegraph and
Telephone
FROG
TecApro Internacional S.A.
HPC
Rich Schroeppel
18
15 Original Candidates
Algorithm
Submitter
LOK197
Lawrie Brown, Josef Pieprzyk,
Jennifer Seberry
MAGENTA
Deutsche Telekom AG
MARS
IIBM
RC6
RSA Laboratories
RIJNDAEL
Joan Daemen, Vincent Rijmen
SAFER+
Cylink Corporation
SERPENT
Ross Anderson, Eli Biham, Lars
Knudsen
TWOFISH
Bruce Schneier, John Kelsey, Doug
Whiting, David Wagner, Chris Hall,
Neils Ferguson
19
Designs
•
•
•
•
•
Based on previous schemes (5)
Feistel Networks (6)
Modified Feistel Networks (3)
Substitution-Permutation Networks (4)
Other Algorithms (2)
20
Software Efficiency
21
Issues 4
• How could royalty free nature of the AES
algorithm be guaranteed?
– Legal statement from owners giving up royalty
rights (some conditional responses)
– Public notice to all requesting notification of
any infringement
– Only selected algorithm must comply
22
Issues 5
• Export of reference implementations
– Worked with DOC Bureau of Export
Administration
– Reference implementations not included without
personal use only stipulation
– Brian Gladman implementations
• What if NSA found classified security issue?
– No good solution
– Mutual trust
23
Let the Games Begin
24
Second AES Conference
• March 22-23, 1999, Rome, Italy before
FSE 6
• Crypto Attacks: Major and Minor
• Submitter Rebuttals
• Security Margin (Rounds-rounds of best
attack)
• Efficiency
25
Analysis
• Claimed Attacks
– LOK197, FROG, MAGENTA, DEAL, SAFER +
• Weak Keys
– DFC, CRYPTON
• So far pretty good
– MARS, RC2, RIJNDAEL, TWOFISH, E2,
CAST 256, SERPENT, HPC
26
Issues 6
• Will tweaks be permitted?
– Under certain conditions
– Minor adjustments to an algorithm, to correct
small deficiencies
– Explanation/justification of proposed “tweaks”,
and updated spec. are due May 15, 1999.
27
NIST Selects the Finalists
• Five candidates had no major or minor security
gaps and possessed numerous advantages
(Aug 1999)
• MARS: IBM
• RC6: RSA Laboratories
• Rijndael: Daeman, and Rijmen
• Serpent: Anderson, Biham, and Knudsen
• Twofish: Schneier, Kelsey, Whiting, Wagner,
Hall, and Ferguson.
28
Attendee Feedback Form
•
•
•
•
•
Rijndael
Serpent
Twofish
RC6
MARS
positive 86
positive 59
positive 31
positive 23
positive 13
negative 10
negative 7
negative 21
negative 37
negative 84
Beauty Contest or Expert Opinion?
29
Issues 7
• NSA announced that it had put 13 person
years of labor into studying the candidates
• NSA concluded that each finalist appeared
to be cryptographically sound
• Relief!!!
• “None of the finalists is outstandingly
superior to the rest”2
2. Report on the Development of the AES, NIST, October 2, 2012
30
Third AES Conference
• April 13-14, 2000, New York, NY after FSE
7
• Technical Analysis of Finalists
• FPGA Implementations
• Full hardware Implementations
31
Issues 8
• Multiple Winners? (Don Johnson)
–
–
–
–
More flexibility (pick best algorithm for the application)
More security with combined algorithms
Vendors did not want to support multiple algorithms
Rejected by the participants
• Runner-up?
– Evaluated alternative ready to be implemented
– Would still need to be evaluated before using
– Rejected by the participants
• Rumor (from Europe) of U.S. selection
32
Rijndael Selected
October 2, 2000
• Consistently very good performance in both
hardware and software
• Excellent key setup time and good key agility
• Suited to low memory applications
• Simple operations
• Flexibility in block and key sizes and number
of rounds
• FIPS 197, Nov 2001
33
Postscripts
• ISO changed its decision that cryptographic
algorithms were not appropriate for
standardization
• ECRYPT started Feb 2004
• Some AES “attacks” found but AES appears to be
strong
• Good cooperation between governments and
academia on cryptography continues
• Much research beyond crypto-algorithms (e.g.,
protocols, key management, special applications,
etc.
• NIST Hash Function Competition 2007-2012
34
Congratulations!!!
• Keccak Designers
– Guido Bertoni (Italy) of STMicroelectronics
– Joan Daemen (Belgium) of STMicroelectronics
– Michaëll Peeters (Belgium) of NXP
Semiconductors
– Gilles Van Assche (Belgium) of
STMicroelectronics
35
References
• The Data Encryption Standard: Past and Future, proceedings
of IEEE, vol 76, no 5, M.E. Smid and D. K. Branstad, May
1988.
• Key Escrowing Today, IEEE Communications, vol 32, no 9, p
58-68, Dorothy E. Denning and Miles Smid, September 1994.
• Status Report on the First Round of the Development of the
Advanced Encryption Standard, Journal of Research of the
NIST, vol 104, no 5, Nechvatal et al., Sep-Oct, 1999.
• Report on the Development of the Advanced Encryption
Standard (AES), Computer Security Division, Information
Technology Laboratory, National Institute of Standards and
Technology, Technology Administration, U.S. Department of
Commerce, Nechvatal et al., October 2, 2000.
36