DEA (ANSI), DEA-1 (ISO) Lucifer descendant (IBM), NSA evaluated reviewed every 5 years 1983 – recertified, 1987 – recertified “last time” after public outcry 1993 – recertified, still no alternatives 1999 – reaffirmed 3DES, AES not finished yet
IV should be unique, but doesn’t have to be secret (pseudo random, timestamp value, counter, …) ADV: decryption parallelizable, random access DIS: synchronization, noise
N-bit OFB: smaller than block processing No need to pad. Doesn’t need decryption operation.
Nonce: usually message number combined with additional data to guarantee uniqueness N-bit CTR: smaller than block processing No need to pad. Doesn’t need decryption operation.
N-bit CFB: smaller than block processing No need to pad. Doesn’t need decryption operation.
double encryption – meet in the middle attach 2^n+1 instead of 2^2n tripple encryption – 2key or 3key cascading – beware of algorithm interactions
Rijndael – Joan Daemen, Vincent Rijmen (Netherlands) Serpent – Ross Anderson (Cambridge, UK) Twofish – Bruce Schneier (Counterpane Inc) MARS – Don Coppersmith (IBM) RC6 – Ron Rivest (RSA Labs)
much slower: expensive operations, sparse key space (much longer keys) eliptic curve crypto – same ciphers, different number field (faster)
no good for a small set of plaintexts (dictionary attack) encryption key is public => attacker can get as much chosen plaintext as she wants
Rivest, Shamir, Adelman use small e to optimize encryption/verification don’t use the same key to encrypt and sign; decrypting c is the same operation as signing c ! don’t reuse n (more material for cryptanalysis) not good with small messages; if modular reduction doesn’t occur (good chance with small e), the plaintext can be recoverd by simple (non-modular) e-th root computation; in fact any kind of structure in the message seems to facilitate attacks; messages should be protected against that using suitable “encoding” (PKCS#1 v2.1 – OAEP)
MD-strengthening: with inclusion of the length no encoded input is a prefix of another encoded input “ length extension attack”: if M2 = M1’ || X => h(M2) = h ( h (M1) || X)) M1’ means, the original M1 message padded as prescribed by the hash function possible fixes: h(h(M), M) – expensive, or h(h(M)) - weaker; MACs usually address the weakness as well
can get digest value in progress can clone a digest in progress blockSize, digestSize
CBC-MAC: encrypt the message in CBC mode and throw away all but last block of ciphertext. don’t forget MD-strengthening and paddding SSL 3.0 MAC (1996) hash(MAC_write_secret + pad_2 + (hash(MAC_write_secret + pad_1 + seq_num + type + length + content))
- all usual hash API applies
- expand the digest to match the bit-size of n (seed a random generator with the digest and use as many bytes as possible)
man-in-the-middle attack small subgroup attack - small order g ss is in that subgroup, if the group is small enough, it can be searched for solution: safe primes p = 2q + 1; q prime optimization - using smaller, but sufficiently large subgroups: p = Nq + 1; q prime (> 160b); N suitably large integer find g of order q (mod p), thus g > 1 and g^q=1 (mod p) then any r^e = r^(e mod q) (mod p), for any r from the subgroup. consequently 1 < x < q always check that received value belongs to the subgroup, i.e. 1 < r < p and r^q = 1