ICT Standards and Guidelines
Segment 204 Information Integrity / Security
Encryption (Version 1.0)

Prepared by

Document Information
Document Name: Information Integrity and Security – Encryption
Segment: 204
Author: Gabe Leung
Status: Under final revision

Revision History
Author          Description of change      Date            Version
Salam Yamout    Restructured/Renumbered    11 April 2003   1.0

Table of Contents – Encryption

1.0 Encryption Standards                                1
  1.1 Prelude – Private Key Management                  1
  1.2 Encryption Implementation Standards               1
  1.3 Encryption Algorithm                              1
2.0 Encryption Algorithms                               2
  2.1 RSA                                               2
  2.2 DES                                               3
    2.2.1 A Note on the DES                             4
  2.3 Triple DES (FIPS 46-3)                            4
  2.4 SHA-1                                             4
  2.5 AES                                               4
  2.6 Blowfish                                          6
    2.6.1 Subkeys                                       6
    2.6.2 Encryption                                    7
    2.6.3 Generating the Subkeys                        7
  2.7 CAST                                              8

1.0 Encryption Standards

This appendix provides the standards for encryption technology to be deployed. This includes digital signature standards and encryption standards for data. The objective of a standard encryption implementation is to ensure that the expected degree of safety is in place.

1.1 Prelude – Private Key Management

The effectiveness of any encryption method depends on the ability to keep the decryption key (private key) from falling into the hands of an unauthorized person. Once the private key is compromised, the data encrypted with the corresponding public key is no longer protected. Therefore, private key management is very important. Only a few persons (preferably no more than two – the primary and a backup) should be given access to the private key.

1.2 Encryption Implementation Standards

There are two types of encryption implementation: symmetric and asymmetric encryption. Symmetric encryption uses the same key word for encrypting data and for decrypting the encrypted data, or cipherdata. It provides faster execution. Asymmetric encryption uses different keys for encrypting data and for decrypting cipherdata. Asymmetric encryption is more secure than symmetric since the party encrypting the data need not know the private key of the recipient. The sender simply uses the recipient's public key (which can be made public without compromising security) to encrypt the data and sends the cipherdata to the recipient. Decryption of the data uses the recipient's private key, not the public key.

1.3 Encryption Algorithm

Since the protocols of current Local Area Networks (such as IEEE 802.3 with 10BaseT/100Base-T/1000Base-X/1000Base-T, IEEE 802.5, 802.11b, or ISO 9314 FDDI) do not encrypt any data within their payload, data to be transmitted over any network must be encrypted prior to being passed to the next layer.
The strength of the encryption depends on the algorithm used. Several encryption algorithms are well suited for standard encryption needs, such as encryption of static documents or data. In addition to strong encryption, the algorithm must be fast so that the performance of the application is not unduly impacted. The algorithm used for encryption must be suitable for both static documents and data, yet have performance acceptable for application data exchange. The algorithm that has strong encryption and acceptable performance is AES Rijndael with a block size of 128 bits and a key size of no less than 256 bits. This block-key size requirement provides a lifetime of

2.0 Encryption Algorithms

This section provides additional discussion of some popular encryption algorithms, including technical details of how the various algorithms work. Although understanding these technical details is not necessary to implement them, it is beneficial for a technical manager to have a basic idea of how encryption algorithms work. At the end of each algorithm there is a short discussion of the pros and cons of that algorithm. This section will give the technical manager insight and a basis to evaluate products that implement different algorithms.

2.1 RSA

RSA is a public-key cryptosystem developed by MIT professors Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman in 1977, in an effort to help ensure Internet security. RSA uses modular arithmetic and elementary number theory as the basis for encryption computation. The "key" of an RSA cipher is three numbers: the first is "Xpub", the public exponent; the second is "Xpriv", the private exponent; and the third is Mod, the modulus. The "Xpub" and "Xpriv" are also known as primes. The RSA algorithm uses two large primes and messages of unconditional length. The message "M" (which must be shorter than Mod) is interpreted as a number.
It is broken into chunks, as necessary, to meet the length requirement. This number is raised to the power of "Xpub", modulo Mod, to give "C", the ciphertext. "C" may in turn be raised to the power of "Xpriv", modulo Mod, to give "M". The public key is the pair (Xpub, Mod). The private key is the pair (Xpriv, Mod).

The private key is generated using the following formula:

where "p" and "q" are large (500 bits) random integers, and "e" is a random number relatively prime to (p-1)(q-1).

The public key is generated as follows:

The public key pair (Xpub, Mod) is therefore (e, n). The Mod, "n", is also used in conjunction with "Xpriv". If we call the "Xpriv" "d", then the private key pair (Xpriv, Mod) is (d, n).

The message to be encrypted is divided into blocks of fixed length (cipher blocks), but no longer than the number of digits in "Xpub", and encrypted as follows:

where "C" is the encrypted text (ciphertext), "M" is the plaintext, and "j" is the j-th block.

The encrypted text can be decrypted using

RSA is a commonly used encryption algorithm throughout the world, and is generally supported by most encryption software. However, its safety relies on the user selecting a key of sufficiently large size and a non-common key word. The human is generally considered the weakest link in cryptography. Considering that the public and private keys are generated through modular mathematics, it is possible to break the key through factoring. However, the upper limit is:

where "n" is the length of the number in bits. From the above equation, the degree of difficulty in factoring the prime increases tenfold for every 10 bits added. It is recommended that the key length be no less than 500 bits. Although RSA is a solid algorithm and produces strong ciphertext, it has been broken using brute force and other cryptanalysis techniques.
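Textbook RSA in the notation of this section (Xpub = e, Xpriv = d, Mod = n = p·q), written as an added example for this document rather than taken from the standard itself. The primes are toy-sized so the block arithmetic is easy to follow; the zero-byte block padding and the trial-division helper are constructed for illustration only and are not part of any real RSA scheme.

```python
from math import gcd, isqrt

def generate_keys(p, q, e):
    """Return the public pair (Xpub, Mod) and private pair (Xpriv, Mod).
    p and q are primes; e must be relatively prime to (p-1)(q-1)."""
    n = p * q                                   # Mod
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                         # Xpriv: e * d = 1 (mod (p-1)(q-1))
    return (e, n), (d, n)

def block_size(n):
    """Bytes per block so that every block M_j, read as a number, is smaller than Mod."""
    size = (n.bit_length() - 1) // 8
    if size < 1:
        raise ValueError("modulus too small to carry one byte per block")
    return size

def encrypt(message, public):
    """C_j = M_j ^ Xpub mod Mod for each fixed-length block of the message."""
    e, n = public
    size = block_size(n)
    padded = message + b"\x00" * (-len(message) % size)   # constructed zero padding, not a real scheme
    return [pow(int.from_bytes(padded[i:i + size], "big"), e, n)
            for i in range(0, len(padded), size)]

def decrypt(cipher_blocks, private):
    """M_j = C_j ^ Xpriv mod Mod; strips the constructed zero padding."""
    d, n = private
    size = block_size(n)
    plain = b"".join(pow(c, d, n).to_bytes(size, "big") for c in cipher_blocks)
    return plain.rstrip(b"\x00")

def factor_toy_modulus(n):
    """Why key size matters: a small Mod gives up p and q (and so Xpriv) to trial
    division in moments; at the 500+ bit sizes required this search is infeasible."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None
```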
However, by careful selection of the key and ensuring that the size of the key is at least 500 bits, the algorithm is extremely difficult to break. The algorithm is also supported by most Java packages.

2.2 DES

DES, the Data Encryption Standard, describes the Data Encryption Algorithm (DEA), defined in the ANSI standard X9.32. DES is the United States Federal Information Processing Standard (FIPS 46-3) for encryption of non-classified documents and data (Confidential and Protected Data). DES is a 16-round, fixed-size block cipher with eight (8) parity bits for error checking. DES uses the DEA algorithm and executes very quickly. It was the first official U.S. government cipher intended for commercial use and was the most widely used cryptosystem in the world. DES can also be used for single-user encryption, such as storing files on a hard disk in encrypted form. In a multi-user environment, secure key distribution may be difficult; public-key cryptography provides an ideal solution to this problem.

The United States National Institute of Standards and Technology (NIST) FIPS 46-3 reaffirms Triple DES usage as of October 1999, but single DES is permitted only for legacy systems. FIPS 46-3 includes a definition of triple-DES (TDEA, corresponding to X9.52). In November 2001, FIPS 46-3 was replaced by the Advanced Encryption Standard (AES - FIPS 197). Please see paragraph 11.5 for further discussion of AES encryption.

2.2.1 A Note on the DES

The DES standard specifies a 64-bit block size, but uses only a 56-bit key during execution. Eight (8) bits are stripped off the full 64-bit key for parity. DES, a symmetric cryptosystem, is a 16-round Feistel cipher that was originally designed for hardware implementation. When used for communication, both the sender and the receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code (MAC).
It has been found that the number of rounds is exponentially proportional to the amount of time required to find a key using a brute-force attack. Therefore, as the number of rounds increases, the security of the algorithm increases exponentially.

2.3 Triple DES (FIPS 46-3)

Triple DES was the answer to many of the shortcomings of DES. Since the Triple DES algorithm is based on DES, modification of existing software is very easy. It also has the advantages of proven reliability and a longer key length that eliminates many of the shortcut attacks that can be used to reduce the amount of time it takes to break DES. However, even this more powerful version of DES may not be strong enough to protect data for very much longer.

2.4 SHA-1

The Secure Hash Algorithm (SHA) is specified in the Secure Hash Standard (SHS, FIPS 180). SHA-1, a revision to SHA that was published in 1994, corrected an unpublished flaw in SHA. Its design is very similar to the MD4 family of hash functions developed by Rivest. SHA-1 is also described in the ANSI X9.30 (part 2) standard. The algorithm takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks. It should be noted that SHA is a hash algorithm and not an encryption algorithm.

2.5 AES

AES is the Advanced Encryption Standard (FIPS 197). In November 2001, AES designated the Rijndael algorithm as the standard algorithm. Therefore, the terms AES algorithm and Rijndael algorithm are used interchangeably. Several algorithms were proposed for AES, including RC6, Blowfish, and Skipjack. However, Rijndael was selected because of its flexibility and simplicity. Rijndael is a symmetric block cipher with a block size of 128 bits. AES specifies that the algorithm support variable key sizes: 128, 192, and 256 bits.
The algorithm operates on an internal two-dimensional array called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length divided by 32. In the State array, denoted by the symbol s, each individual byte has two indices, with its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as s[r,c]. Since AES specifies Nb = 4, the range for c, the column number of the State, is 0 ≤ c < 4.

For the AES algorithm, the length of the input block, the output block, and the State is 128 bits. This is represented by Nb = 4, which reflects the number of 32-bit words (number of columns) in the State.

For the AES algorithm, the length of the Cipher Key, k, is 128, 192, or 256 bits. The key length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words (number of columns) in the Cipher Key. Therefore Nk = k / 32.

For the AES algorithm, the number of rounds to be performed during the execution of the algorithm depends on the key size. The number of rounds is represented by Nr, where Nr = 10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8. The only Key-Block-Round combinations that conform to this standard are given in Table 1.

Table 1 Key-Block-Round Combinations

                          AES-128   AES-192   AES-256
Key Length (Nk words)        4         6         8
Block Size (Nb words)        4         4         4
Number of Rounds (Nr)       10        12        14

Rijndael consistently outperforms other proposed AES algorithms in both hardware and software across a wide range of computing environments, regardless of its use in feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good. Rijndael's very low memory requirements make it well suited for restricted-space environments, in which it also demonstrates excellent performance. Rijndael's operations are among the easiest to defend against power and timing attacks.
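The State array and the Nb / Nk / Nr relationships described above, as an added example for this document (not text or code from FIPS 197): it lays a 128-bit input block into s[r][c], reads it back, views the Nb columns as 32-bit words, and rejects any key length outside Table 1. The column-by-column byte order (s[r][c] = in[r + 4c]) is taken from FIPS 197 section 3.4, which this section does not spell out.

```python
NB = 4                                   # AES fixes the block at 4 columns = 128 bits
ROUNDS_BY_NK = {4: 10, 6: 12, 8: 14}     # Table 1: Nk -> Nr

def key_parameters(key):
    """Return (Nk, Nr) for a Cipher Key, rejecting lengths outside Table 1."""
    k = 8 * len(key)                     # key length in bits
    if k % 32:
        raise ValueError("key length must be a whole number of 32-bit words")
    nk = k // 32                         # Nk = k / 32
    if nk not in ROUNDS_BY_NK:
        raise ValueError(f"Nk = {nk} is not a conforming AES key length")
    return nk, ROUNDS_BY_NK[nk]

def to_state(block):
    """Lay a 16-byte input block into the State column by column, so that
    s[r][c] = in[r + 4c] (the ordering given in FIPS 197 section 3.4)."""
    if len(block) != 4 * NB:
        raise ValueError("input block must be 128 bits")
    return [[block[r + 4 * c] for c in range(NB)] for r in range(4)]

def from_state(state):
    """Inverse of to_state: read the State back out column by column."""
    return bytes(state[r][c] for c in range(NB) for r in range(4))

def state_words(state):
    """The Nb = 4 columns of the State as 32-bit words (row 0 is the most significant byte)."""
    return [int.from_bytes(bytes(state[r][c] for r in range(4)), "big") for c in range(NB)]
```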
Additionally, it appears that some defense can be provided against such power and timing attacks without significantly impacting Rijndael's performance. Rijndael is designed with some flexibility in terms of block and key sizes, and the algorithm can accommodate alterations in the number of rounds, although these features require further study and are not being deployed at this time. Finally, Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism (multiple instructions can be executed in parallel).

The following is the high-level schematic of the Rijndael algorithm.

[Figure not reproduced: high-level schematic of the Rijndael algorithm]

2.6 Blowfish

Blowfish is a variable-length key, 64-bit block cipher. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a key of at most 448 bits into several subkey arrays totaling 4168 bytes. Data encryption occurs through a 16-round Feistel network. Each round consists of a key-dependent permutation and a key- and data-dependent substitution. All operations are XORs and additions on 32-bit words. The only additional operations are four indexed array data lookups per round.

2.6.1 Subkeys

Blowfish uses a large number of subkeys. These keys must be pre-computed before any data encryption or decryption.

1. The P-array consists of 18 32-bit subkeys: P1, P2, ..., P18.
2. There are four 32-bit S-boxes with 256 entries each:
   S1,0, S1,1, ..., S1,255;
   S2,0, S2,1, ..., S2,255;
   S3,0, S3,1, ..., S3,255;
   S4,0, S4,1, ..., S4,255.

2.6.2 Encryption

Blowfish is a Feistel network consisting of 16 rounds (see Figure 1). The input is a 64-bit data element, x.

    Divide x into two 32-bit halves: xL, xR
    For i = 1 to 16 {
        xL = xL XOR Pi
        xR = F(xL) XOR xR
        Swap xL and xR
    }
    Swap xL and xR            (Undo the last swap.)
    xR = xR XOR P17
    xL = xL XOR P18
    Recombine xL and xR

    Function F {
        Divide xL into four eight-bit quarters: a, b, c, and d
        F(xL) = ((S1,a + S2,b mod 2^32) XOR S3,c) + S4,d mod 2^32
    }

Decryption is exactly the same as encryption, except that P1, P2, ..., P18 are used in the reverse order. Implementations of Blowfish that require the fastest speeds should unroll the loop and ensure that all subkeys are stored in cache.

2.6.3 Generating the Subkeys

The subkeys are calculated using the Blowfish algorithm itself. The method of generating the subkeys is as follows:

1. First, initialize the P-array and then the four S-boxes, in order, with a fixed string. This string consists of the hexadecimal digits of pi (less the initial 3). For example:
       P1 = 0x243f6a88
       P2 = 0x85a308d3
       P3 = 0x13198a2e
       P4 = 0x03707344
2. XOR P1 with the first 32 bits of the key, XOR P2 with the second 32 bits of the key, and so on for all the bits of the key. Repeatedly cycle through the key bits until the entire P-array has been XORed with key bits. For every short key there is at least one equivalent longer key; for example, if A is a 64-bit key, then AA, AAA, etc., are equivalent keys.
3. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described in steps (1) and (2).
4. Replace P1 and P2 with the output of step (3).
5. Encrypt the output of step (3) using the Blowfish algorithm with the modified subkeys.
6. Replace P3 and P4 with the output of step (5).
7. Continue the process, replacing all entries of the P-array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm.

In total, 521 iterations are required to generate all required subkeys. For faster execution, applications can store the subkeys (in protected session name space) rather than execute this derivation process multiple times.

2.7 CAST

CAST-128 (CAST5) is another popular 64-bit Feistel cipher allowing key sizes up to 128 bits.
The name CAST stands for Carlisle Adams and Stafford Tavares, the original inventors of CAST. CAST-128 consists of 16 non-identical rounds, where each round is built up from simple operations such as integer and bitwise addition and rotation. CAST-256 (CAST6) is a freely available extension of CAST-128 accepting up to 256 bits of key size and with a 128-bit block size. CAST-256 was one of the original candidates for the AES. Although no security weaknesses were found, the algorithm did not qualify for the second round. CAST-256 has the property of strongly favoring security over speed.

Feistel ciphers are a special class of iterated block ciphers where the ciphertext is calculated from the plaintext by repeated application of the same transformation or round function. Feistel ciphers are sometimes called DES-like ciphers. The following figure illustrates the concept of Feistel ciphers.

[Figure not reproduced: Feistel Cipher]

CAST-128 has been endorsed by the Canadian government as one of the replacement algorithms for DES. CAST-256 was a candidate for AES in the first round of evaluation.
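The Feistel structure described here, using the 16-round Blowfish network of 2.6.2 and the subkey derivation of 2.6.3 as the concrete case, as an added example that is not part of this document or of the Blowfish specification. Only P1..P4 are the pi-derived constants quoted in 2.6.3; the remaining initial P and S entries are a constructed placeholder fill (the real cipher uses further digits of pi), so the output is not interoperable Blowfish ciphertext, but the round function, the reverse-order decryption, the 521 derivation steps and the equivalent-key property behave exactly as the text describes.

```python
# Added example: a Blowfish-shaped 16-round Feistel network with the F function
# and 521-step subkey derivation of 2.6.2 / 2.6.3. Only P1..P4 are the real
# pi-derived constants; the rest are constructed, so output is NOT real Blowfish.
MASK32 = 0xFFFFFFFF

def initial_constants():
    p = [0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344]   # P1..P4 from 2.6.3
    x = 0x9E3779B9                        # constructed LCG seed (placeholder)
    def nxt():
        nonlocal x
        x = (x * 1664525 + 1013904223) & MASK32
        return x
    p += [nxt() for _ in range(14)]       # P5..P18 (placeholder fill)
    s = [[nxt() for _ in range(256)] for _ in range(4)]   # S1..S4 (placeholder)
    return p, s

def f(xl, s):
    # Divide xL into four 8-bit quarters a, b, c, d (a most significant):
    # F(xL) = ((S1,a + S2,b mod 2^32) XOR S3,c) + S4,d mod 2^32
    a, b, c, d = xl >> 24, (xl >> 16) & 0xFF, (xl >> 8) & 0xFF, xl & 0xFF
    return ((((s[0][a] + s[1][b]) & MASK32) ^ s[2][c]) + s[3][d]) & MASK32

def encrypt_block(xl, xr, p, s):
    for i in range(16):                   # 16 Feistel rounds
        xl ^= p[i]                        # xL = xL XOR Pi
        xr ^= f(xl, s)                    # xR = F(xL) XOR xR
        xl, xr = xr, xl                   # swap xL and xR
    xl, xr = xr, xl                       # undo the last swap
    return xl ^ p[17], xr ^ p[16]         # xL XOR P18, xR XOR P17

def decrypt_block(xl, xr, p, s):
    # Same network; P1..P18 are used in reverse order
    return encrypt_block(xl, xr, p[::-1], s)

def expand_key(key):
    """Steps 1-7 of 2.6.3 for a key of 1..56 bytes (at most 448 bits)."""
    if not 1 <= len(key) <= 56:
        raise ValueError("Blowfish key must be 1 to 56 bytes")
    p, s = initial_constants()
    kb = [key[j % len(key)] for j in range(72)]   # cycle key bytes over 18 words
    for i in range(18):
        p[i] ^= int.from_bytes(bytes(kb[4 * i:4 * i + 4]), "big")
    xl = xr = 0                           # encrypt the all-zero block ...
    iterations = 0
    for arr in [p] + s:                   # ... replacing P, then S1..S4 in order
        for i in range(0, len(arr), 2):
            xl, xr = encrypt_block(xl, xr, p, s)
            arr[i], arr[i + 1] = xl, xr
            iterations += 1
    assert iterations == 521              # (18 + 4 * 256) / 2
    return p, s
```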