An AES Retrospective
advertisement
An AES Retrospective ECRYPT October 18, 2012 Miles Smid Orion Security Solutions Opening Remarks • Honored to be here • AES the work of many people who were willing to try a new cryptographic development process • This AES process affected how cryptography is studied, developed, analyzed, distributed, and used today • Several issues had to be dealt with along the way 2 The Beginnings 1965 • Cryptography restricted to military applications • U.S. Brooks Act required new standards for computer security • NBS (NIST) viewed cryptography as one of the key computer security areas • Cryptography thought important for US Government data privacy applications 3 The Birth of DES • • • • • Developed by IBM Proposed by NBS in March 1975 Comments requested August 1975 Possible export restrictions Diffie-Hellman controversy over 56-bit key size and possible trap doors • Two workshops in 1976 • DES security estimated to last 10-15 years • Issued as a Federal standard on January 15, 1977 4 DES Matures: 1980’s • DES succeeds but controversy continues • Significantly better than alternatives • Adoption by the U.S. (ANSI X9) Banking community in 1979 • U.S. Treasury adoption in 1984 • ISO Standard DES-1 in 1986 • ISO decision not to standardize cryptographic algorithms 5 DES Reaches Twilight • Third DES 5-year Review (1993) announces that higher security algorithms will be considered at next review • DES cracker breaks a key in 56 hours 1998 • Fourth DES Review recommends Triple DES but allows Single DES for legacy systems in 1999 • Difficult to transition away from DES1 1. Transitioning is still a significant problem in cryptography 6 Escrowed Encryption • FIPS 185 published in 1994 • Cryptography without jeopardizing law enforcement, public safety, and national security • Tamper resistant device (Clipper, Capstone) unique key • Keys held in escrow by Treasury and NIST • Keys provided to law enforcement with court order • Program Manager from NIST 7 Escrow Features • Separation of duties, split knowledge, security clearances, redundancy, physical security, auditing all used • New (but secret) 80-bit crypto-algorithm called Skipjack (BS=64, r=32) • Skipjack “Interim” Review by Brickell, Denning, Kent, Maher, and Tuchman in 1992. “Good for 30-40 years” • SP800-131A SKIPJACK shall not be used for encryption after 2010. Legacy decryption is allowed 8 Escrow Problems • • • • • Classified Algorithm Hardware/Firmware only Government designed Restricted evaluation Academic community not involved in its development and opposed its implementation • NIST discouraged from standards development • Skipjack declassified on June 1998. 9 1996 The Stage is now Set for AES! 10 AES Motivation • A new symmetric algorithm standard was clearly needed, but could NIST develop such a standard? • Academic community must be involved • Algorithm must be public and worldwide royalty- free • More secure than TDES more efficient than TDES 11 Issues 1 • This cooperation between the USG and the academic community in an open process to develop cryptography had not been done before. Would it work? • Would NSA support this open process? – Brian Snow 12 Issues 2 • How does one avoid a key size issue? • How does one specify the requirements that the algorithm must meet? • How does the USG get the academic community involved? – Have a contest – Not for money but for honor 13 First Workshop • NIST request for comments on Developing AES, Jan 2, 1997. • NIST AES Workshop, April 15, 1977 – 128, 192, and 256 bit key sizes – 128 or variable block size – Efficient on 8, 32, and 64-bit processors and special purpose hardware – Simplicity and logic of design – Not many cryptographers – Future meetings in conjunction with Crypto and Fast Software Encryption conferences 14 Formal Call for Candidates Sep 12 1997 • Criteria – Security: Resistance to attack, soundness of math basis, randomness of function – Cost: Speed, Memory, Licensing – Algorithm Implementation Characteristics: flexibility, simplicity, provable security, intellectual property – Reference Implementations 15 Issues 3 • Would the Schedule provide enough time for evaluation? • Would NIST receive any viable candidates? • Should NSA Submit? – Bruce Schneier: Yes – Miles Smid: Hoped not 16 First AES Candidate Conference • • • • • Aug 20-22 1998, Ventura, CA with Crypto 98 21 packages received 6 were incomplete 15 candidates from 10 countries were presented Several faster than single DES with greater key size • Cryptanalysis performed real time!!!!! • Call for Analysis 17 15 Original Candidates Algorithm Submitter CAST-256 Entrust Technologies Inc. CRYPTON Future Systems, Inc. DEAL Richard Outerbridge, Lars Knudsen DFC CNRS – Centre National pour la Recherche Scientifique – Ecole Normale Superieure E2 NTT – Nippon Telegraph and Telephone FROG TecApro Internacional S.A. HPC Rich Schroeppel 18 15 Original Candidates Algorithm Submitter LOK197 Lawrie Brown, Josef Pieprzyk, Jennifer Seberry MAGENTA Deutsche Telekom AG MARS IIBM RC6 RSA Laboratories RIJNDAEL Joan Daemen, Vincent Rijmen SAFER+ Cylink Corporation SERPENT Ross Anderson, Eli Biham, Lars Knudsen TWOFISH Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Neils Ferguson 19 Designs • • • • • Based on previous schemes (5) Feistel Networks (6) Modified Feistel Networks (3) Substitution-Permutation Networks (4) Other Algorithms (2) 20 Software Efficiency 21 Issues 4 • How could royalty free nature of the AES algorithm be guaranteed? – Legal statement from owners giving up royalty rights (some conditional responses) – Public notice to all requesting notification of any infringement – Only selected algorithm must comply 22 Issues 5 • Export of reference implementations – Worked with DOC Bureau of Export Administration – Reference implementations not included without personal use only stipulation – Brian Gladman implementations • What if NSA found classified security issue? – No good solution – Mutual trust 23 Let the Games Begin 24 Second AES Conference • March 22-23, 1999, Rome, Italy before FSE 6 • Crypto Attacks: Major and Minor • Submitter Rebuttals • Security Margin (Rounds-rounds of best attack) • Efficiency 25 Analysis • Claimed Attacks – LOK197, FROG, MAGENTA, DEAL, SAFER + • Weak Keys – DFC, CRYPTON • So far pretty good – MARS, RC2, RIJNDAEL, TWOFISH, E2, CAST 256, SERPENT, HPC 26 Issues 6 • Will tweaks be permitted? – Under certain conditions – Minor adjustments to an algorithm, to correct small deficiencies – Explanation/justification of proposed “tweaks”, and updated spec. are due May 15, 1999. 27 NIST Selects the Finalists • Five candidates had no major or minor security gaps and possessed numerous advantages (Aug 1999) • MARS: IBM • RC6: RSA Laboratories • Rijndael: Daeman, and Rijmen • Serpent: Anderson, Biham, and Knudsen • Twofish: Schneier, Kelsey, Whiting, Wagner, Hall, and Ferguson. 28 Attendee Feedback Form • • • • • Rijndael Serpent Twofish RC6 MARS positive 86 positive 59 positive 31 positive 23 positive 13 negative 10 negative 7 negative 21 negative 37 negative 84 Beauty Contest or Expert Opinion? 29 Issues 7 • NSA announced that it had put 13 person years of labor into studying the candidates • NSA concluded that each finalist appeared to be cryptographically sound • Relief!!! • “None of the finalists is outstandingly superior to the rest”2 2. Report on the Development of the AES, NIST, October 2, 2012 30 Third AES Conference • April 13-14, 2000, New York, NY after FSE 7 • Technical Analysis of Finalists • FPGA Implementations • Full hardware Implementations 31 Issues 8 • Multiple Winners? (Don Johnson) – – – – More flexibility (pick best algorithm for the application) More security with combined algorithms Vendors did not want to support multiple algorithms Rejected by the participants • Runner-up? – Evaluated alternative ready to be implemented – Would still need to be evaluated before using – Rejected by the participants • Rumor (from Europe) of U.S. selection 32 Rijndael Selected October 2, 2000 • Consistently very good performance in both hardware and software • Excellent key setup time and good key agility • Suited to low memory applications • Simple operations • Flexibility in block and key sizes and number of rounds • FIPS 197, Nov 2001 33 Postscripts • ISO changed its decision that cryptographic algorithms were not appropriate for standardization • ECRYPT started Feb 2004 • Some AES “attacks” found but AES appears to be strong • Good cooperation between governments and academia on cryptography continues • Much research beyond crypto-algorithms (e.g., protocols, key management, special applications, etc. • NIST Hash Function Competition 2007-2012 34 Congratulations!!! • Keccak Designers – Guido Bertoni (Italy) of STMicroelectronics – Joan Daemen (Belgium) of STMicroelectronics – Michaëll Peeters (Belgium) of NXP Semiconductors – Gilles Van Assche (Belgium) of STMicroelectronics 35 References • The Data Encryption Standard: Past and Future, proceedings of IEEE, vol 76, no 5, M.E. Smid and D. K. Branstad, May 1988. • Key Escrowing Today, IEEE Communications, vol 32, no 9, p 58-68, Dorothy E. Denning and Miles Smid, September 1994. • Status Report on the First Round of the Development of the Advanced Encryption Standard, Journal of Research of the NIST, vol 104, no 5, Nechvatal et al., Sep-Oct, 1999. • Report on the Development of the Advanced Encryption Standard (AES), Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce, Nechvatal et al., October 2, 2000. 36
