1.0 Encryption Standards

ICT Standards and Guidelines
Segment 204
Information Integrity / Security
Encryption
(Version 1.0)
Prepared by
Document Information
Document Name: Information Integrity and Security – Encryption
Segment: 204
Author: Gabe Leung
Status: Under final revision

Revision History
Author        | Description of change    | Date          | Version
Salam Yamout  | Restructured/Renumbered  | 11 April 2003 | 1.0
Table of Contents – Encryption
1.0 Encryption Standards ........................................ 1
1.1 Prelude – Private Key Management ............................ 1
1.2 Encryption Implementation Standards ......................... 1
1.3 Encryption Algorithm ........................................ 1
2.0 Encryption Algorithms ....................................... 2
2.1 RSA ......................................................... 2
2.2 DES ......................................................... 3
2.2.1 A Note on the DES ......................................... 4
2.3 Triple DES (FIPS 46-3) ...................................... 4
2.4 SHA-1 ....................................................... 4
2.5 AES ......................................................... 4
2.6 Blowfish .................................................... 6
2.6.1 Subkeys ................................................... 6
2.6.2 Encryption ................................................ 7
2.6.3 Generating the Subkeys .................................... 7
2.7 CAST ........................................................ 8
1.0 Encryption Standards
This appendix provides the standards for the encryption technology to be deployed, including digital signature standards and encryption standards for data. The objective of a standard encryption implementation is to ensure that the expected degree of protection is actually in place.
1.1 Prelude – Private Key Management
The effectiveness of any encryption method depends on keeping the decryption key (the private key) out of the hands of unauthorized persons. Once the private key is compromised, all data encrypted with the corresponding public key is no longer protected, and for a signing key every signature made with it can no longer be trusted. Private key management is therefore critical. Only a few persons (preferably no more than two: the primary custodian and a backup) should have access to the private key.
1.2 Encryption Implementation Standards
There are two types of encryption implementation: symmetric and asymmetric encryption. Symmetric encryption uses the same key for encrypting data and for decrypting the resulting ciphertext; it executes much faster. Asymmetric encryption uses different keys for encrypting data and for decrypting the ciphertext. Its advantage over symmetric encryption is not greater strength as such but simpler key distribution: the party encrypting the data need not share any secret with the recipient. The sender simply uses the recipient's public key (which can be published without compromising security) to encrypt the data and sends the ciphertext to the recipient, who decrypts it with the private key, never the public key. In practice the two are combined: a fresh random symmetric key encrypts the bulk data and only that key is encrypted with the recipient's public key.
1.3 Encryption Algorithm
Since the protocols of current local area networks (such as IEEE 802.3 with 10BaseT/100Base-T/1000Base-X/1000Base-T, IEEE 802.5, IEEE 802.11b, ISO 9314 FDDI, etc.) do not encrypt the data in their payload (the WEP option of 802.11b is considered broken and does not change this), data to be transmitted over any network must be encrypted by the application or a higher protocol layer before it is passed down the stack.
The strength of the encryption depends on the algorithm used and on its key size. Several encryption algorithms are well suited for standard encryption needs, such as encryption of static documents or data. In addition to strong encryption, the algorithm must be fast so that the performance of the application is not unduly impacted.
The algorithm to be used for encryption must be suitable for both static documents and data, yet have performance acceptable for application data exchange. The algorithm that has strong encryption and acceptable performance is AES (Rijndael) with a block size of 128 bits and a key size of no less than 256 bits. This block-key size requirement provides a lifetime of
Encryption
Page 1
2.0 Encryption Algorithms
This section provides additional discussion of some popular encryption algorithms and technical details of how they work. Although an understanding of these details is not necessary to implement the algorithms, it is beneficial for technical managers to have a basic idea of how encryption algorithms work. At the end of each algorithm there is a short discussion of the pros and cons of that algorithm. This section gives the technical manager the insight and basis to evaluate products that implement different algorithms.
2.1 RSA
RSA is a public-key cryptosystem developed by MIT professors Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman in 1977. RSA uses modular arithmetic and elementary number theory as the basis for its encryption computation.
The "key" of an RSA cipher is three numbers: the first is "Xpub", the public exponent; the second is "Xpriv", the private exponent; and the third is Mod, the modulus. Mod is the product of two large primes, and Xpub and Xpriv are derived from those primes; the exponents are not themselves the primes. Messages of arbitrary length are handled by splitting them into blocks.
The message "M" (which, read as a number, must be smaller than Mod) is interpreted as a number. It is broken into chunks as necessary to meet this requirement. This number is raised to the power of "Xpub", modulo Mod, to give "C", the ciphertext. "C" may in turn be raised to the power of "Xpriv", modulo Mod, to give back "M". The public key is the pair (Xpub, Mod). The private key is the pair (Xpriv, Mod). The private key is generated using the following formula:
where
"p" and "q" are large (at least 500 bits each) random primes
"e" is a random number relatively prime to (p-1)(q-1)
The public key is generated as follows:
The public key pair (Xpub, Mod) is therefore (e, n). The Mod, “n”, is also used in
conjunction with “Xpriv”. If we call the “Xpriv” “d”, then the private key pair (Xpriv,
Mod) is (d, n).
The message to be encrypted is divided into blocks of fixed length, chosen so that each block, read as a number, is smaller than Mod, and each block is encrypted as follows:
where
"C" is the encrypted text (ciphertext)
“M” is the plaintext
“j” is the j-th block
The encrypted text can be decrypted using
RSA is a commonly used encryption algorithm throughout the world and is supported by most encryption software. However, its safety relies on generating keys of sufficiently large size from a good random source; unlike a password, an RSA key is not chosen by a person, so the human factor lies in how the key is generated, stored and handled, and that is generally the weakest link in cryptography. Because the public and private keys are related through the modulus, the private key can be recovered by factoring Mod. The upper limit on the effort is:
where "n" here denotes the length of the modulus in bits.
From the above equation, the degree of difficulty of factoring the modulus increases ten-fold for every 10 bits added. This document recommends a key length of no less than 500 bits; note, however, that a 512-bit modulus (RSA-155) was publicly factored in 1999, so new keys should be at least 1024 bits, and 2048 bits where the data must stay protected for more than a few years.
Although RSA is a sound algorithm and produces strong ciphertext, small moduli have been broken by factoring, and careless implementations (weak random numbers at key generation, unpadded "textbook" encryption of raw blocks) have been defeated by other cryptanalytic techniques. With keys generated properly and of adequate size, the algorithm is extremely difficult to break. The algorithm is also supported by most Java packages.
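As an added worked example (not code from this standard), the following Python carries the RSA steps above through with the document's own symbols (p, q, e as Xpub, d as Xpriv, n as Mod). The primes are small constructed values so that the blocking rule (each block smaller than Mod), the modular exponentiation, and the factoring attack on an undersized modulus can all be run and inspected. The function names, the demo primes 999983 and 1000003, and the message are the example's own assumptions.

```python
"""Textbook RSA with the document's symbols (p, q, e = Xpub, d = Xpriv, n = Mod).
Added example, not code from the standard. The primes are tiny so that the
arithmetic is visible; real keys use primes of 1024 bits or more from a
cryptographic random source, and real deployments never encrypt raw blocks
like this (unpadded RSA is deterministic and malleable; use OAEP padding).
"""
from math import gcd


def generate_keys(p: int, q: int, e: int):
    """Return ((Xpub, Mod), (Xpriv, Mod)) = ((e, n), (d, n)) from primes p, q."""
    n = p * q                               # Mod
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                     # Xpriv = e^-1 mod (p-1)(q-1)
    return (e, n), (d, n)


def block_size(n: int) -> int:
    """Largest number of bytes whose integer value is always smaller than Mod."""
    return (n.bit_length() - 1) // 8


def encrypt(message: bytes, pub) -> tuple:
    """C_j = M_j ^ Xpub mod Mod for each block M_j; returns (blocks, length)."""
    e, n = pub
    k = block_size(n)
    if k < 1:
        raise ValueError("modulus too small to hold even a one-byte block")
    chunks = [message[i:i + k] for i in range(0, len(message), k)]
    return [pow(int.from_bytes(m, "big"), e, n) for m in chunks], len(message)


def decrypt(blocks, priv, length: int) -> bytes:
    """M_j = C_j ^ Xpriv mod Mod; the last block may be shorter than the rest."""
    d, n = priv
    k = block_size(n)
    out = bytearray()
    for j, c in enumerate(blocks):
        size = k if j < len(blocks) - 1 else length - k * (len(blocks) - 1)
        out += pow(c, d, n).to_bytes(size, "big")   # fixed size restores leading zeros
    return bytes(out)


def factor_by_trial_division(n: int) -> tuple:
    """Recover (p, q) from a small odd Mod. Every 10 extra bits in n multiply this
    loop's work by about 32 (the square root of 2^10); attacks on large moduli
    use the number field sieve, but the lesson is the same: the size of Mod is
    the security."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no odd factor found")


def recover_private_key(pub) -> tuple:
    """Given only the public key, rebuild Xpriv once Mod has been factored."""
    e, n = pub
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    # Constructed demo values: 999983 and 1000003 are primes, 65537 the usual e.
    pub, priv = generate_keys(999983, 1000003, 65537)
    ct, length = encrypt(b"ATTACK AT DAWN", pub)
    print("ciphertext blocks:", ct)
    print("decrypted:", decrypt(ct, priv, length))
    print("private key recovered from public key alone:", recover_private_key(pub) == priv)
```

With a 40-bit modulus the public key alone yields the private key in well under a second, which is the concrete form of the warning above about key size; with the same code and 2048-bit primes the factoring step is infeasible while encryption and decryption remain fast.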
2.2 DES
DES, the Data Encryption Standard, describes the Data Encryption Algorithm (DEA), defined in the ANSI standard X3.92. DES is the United States Federal Information Processing Standard (FIPS 46-3) for encryption of non-classified documents and data (Confidential and Protected Data). DES is a 16-round block cipher with a fixed 64-bit block; its 64-bit key contains eight (8) parity bits for error checking, leaving 56 effective key bits. DES executes very quickly. It was the first official U.S. government cipher intended for commercial use and was for many years the most widely used cryptosystem in the world. DES can also be used for single-user encryption, such as storing files on a hard disk in encrypted form. In a multi-user environment, secure key distribution may be difficult; public-key cryptography provides an ideal solution to this problem.
The United States National Institute of Standards and Technology (NIST) FIPS 46-3 reaffirmed Triple DES usage as of October 1999, with single DES permitted only for legacy systems. FIPS 46-3 includes a definition of Triple DES (TDEA, corresponding to ANSI X9.52). In November 2001 NIST published the Advanced Encryption Standard (AES, FIPS 197) as its successor, and FIPS 46-3 itself was withdrawn in 2005. Please see section 2.5 for further discussion of AES.
2.2.1 A Note on the DES
The DES standard specifies a 64-bit block size and a 64-bit key, but only 56 bits of the key are used during execution: the low-order bit of each key byte, eight (8) bits in all, is a parity bit and is stripped off. DES, a symmetric cryptosystem, is a 16-round Feistel network that was originally designed for hardware implementation. When used for communication, both the sender and the receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code (MAC). Note that the number of rounds has no bearing on a brute-force attack, whose cost is fixed by the 56-bit key (at most 2^56 trials, which purpose-built hardware showed to be practical in 1998); what additional rounds buy is resistance to shortcut attacks such as differential and linear cryptanalysis, which need far less work against a reduced-round DES.
2.3 Triple DES (FIPS 46-3)
Triple DES was the answer to many of the shortcomings of DES. Since the Triple DES algorithm is built from DES (an encrypt-decrypt-encrypt sequence with two or three 56-bit keys), modification of existing software is very easy. It also has the advantage of a long record of analysis and a longer key that defeats the exhaustive search which breaks single DES; the meet-in-the-middle attack caps the effective strength of three-key Triple DES at 112 bits rather than the nominal 168. However, it inherits the 64-bit block of DES, which limits how much data may safely be encrypted under one key, and it runs roughly three times slower than DES. Even this more powerful version of DES may therefore not be strong enough to protect data for very much longer.
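The parity convention in 2.2.1 and the keying options in 2.3 are where Triple DES deployments go wrong in practice, so here is an added example (Python, not code from this standard) that checks a DES or Triple DES key for bad parity, for the four DES weak keys, and for the degenerate key choices that silently turn Triple DES back into single DES. The function names and the sample keys are the example's own; it does not implement the DES round function itself.

```python
"""Key hygiene checks for DES and Triple DES. Added example, not code from the
standard: it covers the parity-bit convention of 2.2.1 and the EDE keying
options of 2.3, not the cipher itself.
"""

# The four DES weak keys (in parity-adjusted form). Encrypting twice with one
# of them returns the plaintext, so they must be rejected at generation time.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def has_odd_parity(key: bytes) -> bool:
    """A DES key is 8 bytes; the low bit of each byte is parity and is set so
    that every byte has an odd number of 1 bits. Only the other 7 bits of each
    byte (56 in total) enter the cipher."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Fix the parity bits without touching the 56 effective key bits."""
    fixed = bytearray()
    for b in key:
        high7 = b & 0xFE
        fixed.append(high7 | 1 if bin(high7).count("1") % 2 == 0 else high7)
    return bytes(fixed)


def _split_tdes_key(key: bytes):
    """Return (K1, K2, K3); a 16-byte key is the two-key option with K3 = K1."""
    if len(key) == 16:
        return key[:8], key[8:], key[:8]
    if len(key) == 24:
        return key[:8], key[8:16], key[16:]
    raise ValueError("Triple DES key must be 16 or 24 bytes")


def nominal_key_bits(key: bytes) -> int:
    """56 when the three keys coincide (plain DES), 112 for two-key TDES and 168
    for three distinct keys. Meet-in-the-middle limits three-key TDES to 112
    bits of real strength, and NIST rates two-key TDES at only 80 bits."""
    k1, k2, k3 = _split_tdes_key(key)
    if k1 == k2 == k3:
        return 56
    return 112 if k1 == k3 else 168


def check_tdes_key(key: bytes) -> list:
    """Return a list of problems with a Triple DES key (an empty list means OK)."""
    try:
        parts = _split_tdes_key(key)
    except ValueError as err:
        return [str(err)]
    problems = []
    for idx, k in enumerate(parts, 1):
        if not has_odd_parity(k):
            problems.append(f"K{idx} has bad parity")
        if k in DES_WEAK_KEYS:
            problems.append(f"K{idx} is a DES weak key")
    k1, k2, k3 = parts
    if k1 == k2 == k3:
        problems.append("K1 = K2 = K3: EDE collapses to single DES (56 bits, legacy only)")
    elif k1 == k2 or k2 == k3:
        # E_K1(D_K1(E_K3(x))) = E_K3(x): two of the three DES passes cancel out.
        problems.append("two adjacent keys are equal: two of the three DES passes cancel")
    return problems


if __name__ == "__main__":
    # Constructed sample keys (the first is the classic DES test key).
    K1 = bytes.fromhex("0123456789ABCDEF")
    K2 = bytes.fromhex("FEDCBA9876543210")
    print("three-key TDES:", check_tdes_key(K1 + K2 + set_odd_parity(bytes(range(8)))))
    print("same key three times:", check_tdes_key(K1 * 3))
```

Because Triple DES with K1 = K2 = K3 produces exactly the ciphertext of single DES, a product can pass interoperability tests with a "Triple DES" setting while offering only 56 bits of security; the check above is the one to run on keys before they enter a key store.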
2.4 SHA-1
The Secure Hash Algorithm (SHA) is specified in the Secure Hash Standard (SHS, FIPS 180). SHA-1 (FIPS 180-1, 1995) is a revision of the original SHA of 1993 that corrected an unpublished flaw in that version. Its design is very similar to the MD4 family of hash functions developed by Rivest. SHA-1 is also described in the ANSI X9.30 (part 2) standard.
The algorithm takes a message of fewer than 2^64 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger digest makes it more resistant to brute-force collision and inversion attacks. That resistance holds only against brute force: structural attacks later reduced the collision cost well below the 2^80 brute-force bound, and a practical SHA-1 collision was demonstrated in 2017, so SHA-1 should not be used for new digital signatures. It should be noted that SHA is a hash algorithm and not an encryption algorithm: it has no key, and the message cannot be recovered from the digest.
2.5 AES
AES is the Advanced Encryption Standard (FIPS 197). In November 2001 AES designated the Rijndael algorithm as the standard algorithm; therefore the terms AES algorithm and Rijndael algorithm are used interchangeably. Several algorithms were proposed for AES, the other finalists being MARS, RC6, Serpent and Twofish. Rijndael was selected because of its flexibility, simplicity and performance.
Rijndael is a symmetric block cipher with a block size of 128 bits. AES specifies the algorithm to support three key sizes: 128, 192, and 256 bits. The algorithm operates on an internal two-dimensional array called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length divided by 32. In the State array denoted by the symbol s, each individual byte has two indices: its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as s[r,c]. The input bytes fill the State column by column, so input byte number r + 4c lands in s[r,c].
Since AES specifies Nb = 4, the range for c, the column number of the State, is 0 ≤ c < 4.
For the AES algorithm, the length of the input block, the output block, and the State is
128 bits. This is represented by Nb = 4, which reflects the number of 32-bit words
(number of columns) in the State.
For the AES algorithm, the length of the Cipher Key, k, is 128, 192, or 256 bits. The key
length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words
(number of columns) in the Cipher Key.
Therefore Nk = k / 32.
For the AES algorithm, the number of rounds to be performed during the execution of
the algorithm is dependent on the key size. The number of rounds is represented by Nr,
where Nr = 10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8.
The only Key-Block-Round combinations that conform to this standard are given in Table 1.

Table 1: Key-Block-Round Combinations

            Key Length    Block Size    Number of Rounds
            (Nk words)    (Nb words)    (Nr)
AES-128     4             4             10
AES-192     6             4             12
AES-256     8             4             14
Rijndael consistently outperformed the other AES finalists in both hardware and software across a wide range of computing environments, regardless of its use in feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good. Rijndael's very low memory requirements make it well suited for restricted-space environments, in which it also demonstrates excellent performance. Rijndael's operations are among the easiest to defend against power and timing attacks, and it appears that some defense can be provided against such attacks without significantly impacting its performance (note that the table lookups of straightforward software implementations do leak timing through the processor cache, so a constant-time implementation or hardware support should be preferred wherever an attacker can measure timing). Rijndael is designed with some flexibility in terms of block and key sizes, and the algorithm can accommodate alterations in the number of rounds, although these features require further study and are not being deployed at this time; only the combinations in Table 1 are AES. Finally, Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism (multiple instructions can be executed in parallel). The original document follows this with a high-level schematic of the Rijndael algorithm (not reproduced here).
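Where the schematic would appear, here is an added example (Python, not the standard's code) that makes the State array, Nb, Nk and Nr concrete: it implements the AES encryption direction exactly as the State definition and Table 1 above describe, including the S-box built from the GF(2^8) inverse, and reproduces the FIPS 197 Appendix C test vectors. It is for study, not production: the table lookups leak timing, only one block is encrypted, and there is no mode of operation. Function and helper names are the example's own.

```python
"""AES (FIPS 197) encryption built around the State array s[r][c], Nb, Nk and
Nr from section 2.5. Added example, not code from the standard; not for
production use (lookups are not constant-time, encrypt direction only, no mode).
"""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else (a << 1) & 0xFF
        b >>= 1
    return p


def _gf_inv(x: int) -> int:
    """Multiplicative inverse as x^254; 0 maps to 0 by convention."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if x else 0


def _build_sbox() -> list:
    box = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv ^ 0x63
        for i in range(1, 5):                # affine transform of the inverse
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s)
    return box


SBOX = _build_sbox()


def key_expansion(key: bytes):
    """Return (w, Nr): the expanded key as 4*(Nr+1) words of 4 bytes, and Nr."""
    Nk = len(key) // 4
    if len(key) % 4 or Nk not in (4, 6, 8):
        raise ValueError("AES key must be 128, 192 or 256 bits")
    Nr = {4: 10, 6: 12, 8: 14}[Nk]                   # Table 1
    w = [list(key[4 * i:4 * i + 4]) for i in range(Nk)]
    rcon = 1
    for i in range(Nk, 4 * (Nr + 1)):
        temp = list(w[i - 1])
        if i % Nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # SubWord(RotWord)
            temp[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        elif Nk > 6 and i % Nk == 4:
            temp = [SBOX[b] for b in temp]
        w.append([w[i - Nk][j] ^ temp[j] for j in range(4)])
    return w, Nr


def to_state(block: bytes) -> list:
    """s[r][c] = in[r + 4c]: the 16 input bytes fill the State column by column."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def from_state(s: list) -> bytes:
    """out[r + 4c] = s[r][c]."""
    return bytes(s[r][c] for c in range(4) for r in range(4))


def _add_round_key(s, w, rnd):
    for c in range(4):                       # round key column c is word w[4*rnd + c]
        for r in range(4):
            s[r][c] ^= w[4 * rnd + c][r]


def _sub_bytes(s):
    for r in range(4):
        s[r] = [SBOX[b] for b in s[r]]


def _shift_rows(s):
    for r in range(1, 4):                    # row r rotates left by r positions
        s[r] = s[r][r:] + s[r][:r]


def _mix_columns(s):
    for c in range(4):
        a = [s[r][c] for r in range(4)]
        s[0][c] = gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3]
        s[1][c] = a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3]
        s[2][c] = a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3)
        s[3][c] = gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)


def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with Nr rounds; the last round omits MixColumns."""
    w, Nr = key_expansion(key)
    s = to_state(block)
    _add_round_key(s, w, 0)
    for rnd in range(1, Nr):
        _sub_bytes(s)
        _shift_rows(s)
        _mix_columns(s)
        _add_round_key(s, w, rnd)
    _sub_bytes(s)
    _shift_rows(s)
    _add_round_key(s, w, Nr)
    return from_state(s)
```

Running aes_encrypt_block with the key 000102...0f and the block 00112233445566778899aabbccddeeff yields 69c4e0d86a7b0430d8cdb78070b4c55a, the FIPS 197 Appendix C.1 value; the 24- and 32-byte keys take the Nr = 12 and Nr = 14 paths of Table 1 through the same code.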
2.6 Blowfish
Blowfish is a variable-length-key, 64-bit block cipher. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a key of at most 448 bits into several subkey arrays totaling 4168 bytes.
Data encryption occurs through a 16-round Feistel network. Each round consists of a key-dependent permutation and a key- and data-dependent substitution. All operations are XORs and additions on 32-bit words. The only additional operations are four indexed array lookups per round.
2.6.1 Subkeys
Blowfish uses a large number of subkeys. These keys must be pre-computed before any data encryption or decryption.
1. The P-array consists of 18 32-bit subkeys: P1, P2, ..., P18.
2. There are four 32-bit S-boxes with 256 entries each:
   S1,0, S1,1, ..., S1,255;
   S2,0, S2,1, ..., S2,255;
   S3,0, S3,1, ..., S3,255;
   S4,0, S4,1, ..., S4,255.
2.6.2 Encryption
Blowfish is a Feistel network consisting of 16 rounds (see Figure 1). The input is a 64-bit data element, x.
Divide x into two 32-bit halves: xL, xR
For i = 1 to 16 {
    xL = xL XOR Pi
    xR = F(xL) XOR xR
    Swap xL and xR
}
Swap xL and xR (undo the last swap)
xR = xR XOR P17
xL = xL XOR P18
Recombine xL and xR

Function F {
    Divide xL into four eight-bit quarters: a, b, c, and d
    F(xL) = ((S1,a + S2,b mod 2^32) XOR S3,c) + S4,d mod 2^32
}
Decryption is exactly the same as encryption, except that P1, P2, ..., P18 are used in the reverse order.
Implementations of Blowfish that require the fastest speeds should unroll the loop and ensure that all subkeys are stored in cache.
2.6.3 Generating the Subkeys
The subkeys are calculated using the Blowfish algorithm itself. The method of generating the subkeys is as follows:
1. First, initialize the P-array and then the four S-boxes, in order, with a fixed string. This string consists of the hexadecimal digits of pi (less the initial 3). For example:
   P1 = 0x243f6a88
   P2 = 0x85a308d3
   P3 = 0x13198a2e
   P4 = 0x03707344
2. XOR P1 with the first 32 bits of the key, XOR P2 with the second 32-bits of the key,
and so on for all the bits of the key. Repeatedly cycle through the key bits until the
entire P-array has been XORed with key bits. For every short key, there is at least one
equivalent longer key; for example, if A is a 64-bit key, then AA, AAA, etc., are
equivalent keys.
3. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described in
steps (1) and (2).
4. Replace P1 and P2 with the output of step (3).
5. Encrypt the output of step (3) using the Blowfish algorithm with the modified subkeys.
6. Replace P3 and P4 with the output of step (5).
7. Continue the process, replacing all entries of the P-array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm. In total, 521 iterations are required to generate all required subkeys. For faster execution, applications can cache the subkeys in protected memory (they are as sensitive as the key itself) rather than execute this derivation process multiple times.
2.7 CAST
CAST-128 (CAST5) is another popular 64-bit Feistel cipher, allowing key sizes from 40 up to 128 bits. The name CAST stands for Carlisle Adams and Stafford Tavares, the original inventors of CAST. CAST-128 consists of 16 non-identical rounds, where each round is built up from simple operations such as modular addition and subtraction, XOR and rotation. CAST-256 (CAST6) is a freely available extension of CAST-128 accepting up to 256 bits of key and using a 128-bit block size. CAST-256 was one of the original candidates for the AES. Although no security weaknesses were found, the algorithm did not qualify for the second round. CAST-256 has the property of strongly favoring security over speed.
Feistel ciphers are a special class of iterated block ciphers where the ciphertext is calculated from the plaintext by repeated application of the same transformation or round function to one half of the block, with the halves swapped between rounds. Because each round is invertible whatever the round function is, decryption runs the same rounds with the subkeys in reverse order. Feistel ciphers are sometimes called DES-like ciphers. The following figure illustrates the concept of Feistel ciphers.
Figure: Feistel Cipher
CAST-128 has been endorsed by the Canadian government as one of the replacement algorithms for DES. CAST-256 was a candidate for AES in the first round of evaluation.
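The Blowfish procedure in 2.6 (round function, key schedule and reversed-P decryption) and the Feistel structure described in 2.7 are shown together in this added example (Python, not code from this standard or from Blowfish's author). Embedding the 4168 bytes of pi digits is impractical here, so the initial P-array and S-boxes are a constructed stand-in generated from a fixed linear congruential generator; ciphertexts therefore will not match real Blowfish, but every structural step behaves as the text describes, including the equivalence of a key A and its repetition AA noted in step 2 of 2.6.3. The class name, MASK32 and the helper names are the example's own.

```python
"""Blowfish-structured Feistel cipher. Added example, not code from this standard
or from Blowfish's author. Real Blowfish seeds the P-array and S-boxes with 4168
bytes of the hexadecimal digits of pi; those constants are not embedded here, so
INITIAL_TABLE is a constructed stand-in from a fixed linear congruential
generator. Structure, key schedule and reversed-P decryption follow section 2.6,
but ciphertexts will not match a real Blowfish implementation.
"""
MASK32 = 0xFFFFFFFF


def _stand_in_constants(count, seed=0x243F6A88):
    """Deterministic 32-bit words used instead of the pi digits (constructed)."""
    out, x = [], seed
    for _ in range(count):
        x = (x * 1664525 + 1013904223) & MASK32      # Numerical Recipes LCG
        out.append(x)
    return out


# 18 P-array words followed by four S-boxes of 256 words: 1042 words = 4168 bytes.
INITIAL_TABLE = _stand_in_constants(18 + 4 * 256)


class MiniBlowfish:
    def __init__(self, key: bytes):
        if not 1 <= len(key) <= 56:
            raise ValueError("key must be 1..56 bytes (up to 448 bits)")
        self.P = INITIAL_TABLE[:18]                                  # P1..P18
        self.S = [INITIAL_TABLE[18 + i * 256:18 + (i + 1) * 256] for i in range(4)]
        self._expand_key(key)

    def _f(self, x):
        """F(xL) = ((S1,a + S2,b) XOR S3,c) + S4,d with additions mod 2^32."""
        a, b, c, d = x >> 24 & 0xFF, x >> 16 & 0xFF, x >> 8 & 0xFF, x & 0xFF
        return ((((self.S[0][a] + self.S[1][b]) & MASK32) ^ self.S[2][c]) + self.S[3][d]) & MASK32

    def _encrypt_words(self, xl, xr):
        for i in range(16):
            xl ^= self.P[i]
            xr ^= self._f(xl)
            xl, xr = xr, xl
        xl, xr = xr, xl                   # undo the last swap
        xr ^= self.P[16]                  # P17
        xl ^= self.P[17]                  # P18
        return xl, xr

    def _decrypt_words(self, xl, xr):
        """The same network with P18 ... P1 applied in reverse order."""
        for i in range(17, 1, -1):
            xl ^= self.P[i]
            xr ^= self._f(xl)
            xl, xr = xr, xl
        xl, xr = xr, xl
        xr ^= self.P[1]
        xl ^= self.P[0]
        return xl, xr

    def _expand_key(self, key):
        # Step 2: XOR P1..P18 with the key bytes, cycling through the key as
        # needed; this is why an 8-byte key A and its repetition AA are equivalent.
        j = 0
        for i in range(18):
            word = 0
            for _ in range(4):
                word = word << 8 | key[j]
                j = (j + 1) % len(key)
            self.P[i] ^= word
        # Steps 3-7: encrypt the all-zero block, feed each output back in, and
        # overwrite P and then the S-boxes two words at a time: 9 + 4*128 = 521 encryptions.
        xl = xr = 0
        for i in range(0, 18, 2):
            xl, xr = self._encrypt_words(xl, xr)
            self.P[i], self.P[i + 1] = xl, xr
        for box in self.S:
            for i in range(0, 256, 2):
                xl, xr = self._encrypt_words(xl, xr)
                box[i], box[i + 1] = xl, xr

    def encrypt(self, block: bytes) -> bytes:
        if len(block) != 8:
            raise ValueError("Blowfish block is 64 bits")
        xl, xr = self._encrypt_words(int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big"))
        return xl.to_bytes(4, "big") + xr.to_bytes(4, "big")

    def decrypt(self, block: bytes) -> bytes:
        if len(block) != 8:
            raise ValueError("Blowfish block is 64 bits")
        xl, xr = self._decrypt_words(int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big"))
        return xl.to_bytes(4, "big") + xr.to_bytes(4, "big")


def roundtrip_ok(key: bytes, block: bytes) -> bool:
    """Encrypt, then decrypt with the reversed P-array, and compare."""
    cipher = MiniBlowfish(key)
    ct = cipher.encrypt(block)
    return ct != block and cipher.decrypt(ct) == block


def same_ciphertext(key_a: bytes, key_b: bytes, block: bytes) -> bool:
    """True when two keys expand to identical subkeys, e.g. A versus AA."""
    return MiniBlowfish(key_a).encrypt(block) == MiniBlowfish(key_b).encrypt(block)
```

Two points are worth observing when running it: constructing MiniBlowfish is expensive (521 block encryptions), which is why the text recommends caching the subkeys, and same_ciphertext(b"ABCDEFGH", b"ABCDEFGH" * 2, block) returns True, so a product that accepts a 128-bit key made by repeating a 64-bit one delivers only 64 bits of key material.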