An AES Retrospective ECRYPT October 18, 2012 Miles Smid Orion Security Solutions


Opening Remarks

• Honored to be here
• AES the work of many people who were willing to try a new cryptographic development process
• This AES process affected how cryptography is studied, developed, analyzed, distributed, and used today
• Several issues had to be dealt with along the way

The Beginnings 1965

• Cryptography restricted to military applications
• U.S. Brooks Act required new standards for computer security
• NBS (NIST) viewed cryptography as one of the key computer security areas
• Cryptography thought important for US Government data privacy applications

The Birth of DES

• Developed by IBM
• Proposed by NBS in March 1975
• Comments requested August 1975
• Possible export restrictions
• Diffie-Hellman controversy over 56-bit key size and possible trap doors
• Two workshops in 1976
• DES security estimated to last 10-15 years
• Issued as a Federal standard on January 15, 1977

DES Matures: 1980’s

• DES succeeds but controversy continues
• Significantly better than alternatives
• Adoption by the U.S. (ANSI X9) Banking community in 1979
• U.S. Treasury adoption in 1984
• ISO Standard DES-1 in 1986
• ISO decision not to standardize cryptographic algorithms

DES Reaches Twilight

• Third DES 5-year Review (1993) announces that higher security algorithms will be considered at next review
• DES cracker breaks a key in 56 hours (1998)
• Fourth DES Review recommends Triple DES but allows Single DES for legacy systems in 1999
• Difficult to transition away from DES¹

1. Transitioning is still a significant problem in cryptography

Escrowed Encryption

• FIPS 185 published in 1994
• Cryptography without jeopardizing law enforcement, public safety, and national security
• Tamper resistant device (Clipper, Capstone) unique key
• Keys held in escrow by Treasury and NIST
• Keys provided to law enforcement with court order
• Program Manager from NIST

Escrow Features

• Separation of duties, split knowledge, security clearances, redundancy, physical security, auditing all used
• New (but secret) 80-bit crypto-algorithm called Skipjack (BS=64, r=32)
• Skipjack “Interim” Review by Brickell, Denning, Kent, Maher, and Tuchman in 1992. “Good for 30-40 years”
• SP800-131A: SKIPJACK shall not be used for encryption after 2010. Legacy decryption is allowed

Escrow Problems

• Classified Algorithm
• Hardware/Firmware only
• Government designed
• Restricted evaluation
• Academic community not involved in its development and opposed its implementation
• NIST discouraged from standards development
• Skipjack declassified on June 1998.

1996

The Stage is now Set for AES!

AES Motivation

• A new symmetric algorithm standard was clearly needed, but could NIST develop such a standard?
• Academic community must be involved
• Algorithm must be public and worldwide royalty-free
• More secure than TDES, more efficient than TDES

Issues 1

• This cooperation between the USG and the academic community in an open process to develop cryptography had not been done before. Would it work?
• Would NSA support this open process?
– Brian Snow

Issues 2

• How does one avoid a key size issue?
• How does one specify the requirements that the algorithm must meet?
• How does the USG get the academic community involved?
– Have a contest
– Not for money but for honor

First Workshop

• NIST request for comments on Developing AES, Jan 2, 1997.
• NIST AES Workshop, April 15, 1977
– 128, 192, and 256 bit key sizes
– 128 or variable block size
– Efficient on 8, 32, and 64-bit processors and special purpose hardware
– Simplicity and logic of design
– Not many cryptographers
– Future meetings in conjunction with Crypto and Fast Software Encryption conferences

Formal Call for Candidates
Sep 12 1997

• Criteria
– Security: Resistance to attack, soundness of math basis, randomness of function
– Cost: Speed, Memory, Licensing
– Algorithm Implementation Characteristics: flexibility, simplicity, provable security, intellectual property
– Reference Implementations

Issues 3

• Would the Schedule provide enough time for evaluation?
• Would NIST receive any viable candidates?
• Should NSA Submit?
– Bruce Schneier: Yes
– Miles Smid: Hoped not

First AES Candidate Conference

• Aug 20-22 1998, Ventura, CA with Crypto 98
• 21 packages received
• 6 were incomplete
• 15 candidates from 10 countries were presented
• Several faster than single DES with greater key size
• Cryptanalysis performed real time!!!!!
• Call for Analysis

15 Original Candidates

Algorithm    Submitter
CAST-256     Entrust Technologies Inc.
CRYPTON      Future Systems, Inc.
DEAL         Richard Outerbridge, Lars Knudsen
DFC          CNRS – Centre National pour la Recherche Scientifique – Ecole Normale Superieure
E2           NTT – Nippon Telegraph and Telephone
FROG         TecApro Internacional S.A.
HPC          Rich Schroeppel
LOKI97       Lawrie Brown, Josef Pieprzyk, Jennifer Seberry
MAGENTA      Deutsche Telekom AG
MARS         IBM
RC6          RSA Laboratories
RIJNDAEL     Joan Daemen, Vincent Rijmen
SAFER+       Cylink Corporation
SERPENT      Ross Anderson, Eli Biham, Lars Knudsen
TWOFISH      Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson

Designs

• Based on previous schemes (5)
• Feistel Networks (6)
• Modified Feistel Networks (3)
• Substitution-Permutation Networks (4)
• Other Algorithms (2)

Software Efficiency

Issues 4

• How could royalty free nature of the AES algorithm be guaranteed?
– Legal statement from owners giving up royalty rights (some conditional responses)
– Public notice to all requesting notification of any infringement
– Only selected algorithm must comply

Issues 5

• Export of reference implementations
– Worked with DOC Bureau of Export Administration
– Reference implementations not included without personal use only stipulation
– Brian Gladman implementations
• What if NSA found classified security issue?
– No good solution
– Mutual trust

Let the Games Begin

Second AES Conference

• March 22-23, 1999, Rome, Italy before FSE 6
• Crypto Attacks: Major and Minor
• Submitter Rebuttals
• Security Margin (Rounds - rounds of best attack)
• Efficiency

Analysis

• Claimed Attacks
– LOKI97, FROG, MAGENTA, DEAL, SAFER+
• Weak Keys
– DFC, CRYPTON
• So far pretty good
– MARS, RC2, RIJNDAEL, TWOFISH, E2, CAST-256, SERPENT, HPC

Issues 6

• Will tweaks be permitted?
– Under certain conditions
– Minor adjustments to an algorithm, to correct small deficiencies
– Explanation/justification of proposed “tweaks”, and updated spec. are due May 15, 1999.

NIST Selects the Finalists

• Five candidates had no major or minor security gaps and possessed numerous advantages (Aug 1999)
• MARS: IBM
• RC6: RSA Laboratories
• Rijndael: Daemen and Rijmen
• Serpent: Anderson, Biham, and Knudsen
• Twofish: Schneier, Kelsey, Whiting, Wagner, Hall, and Ferguson.

Attendee Feedback Form

• Rijndael positive 86 negative 10
• Serpent positive 59 negative 7
• Twofish positive 31 negative 21
• RC6 positive 23 negative 37
• MARS positive 13 negative 84

Beauty Contest or Expert Opinion?

Issues 7

• NSA announced that it had put 13 person years of labor into studying the candidates
• NSA concluded that each finalist appeared to be cryptographically sound
• Relief!!!
• “None of the finalists is outstandingly superior to the rest”²

2. Report on the Development of the AES, NIST, October 2, 2012

Third AES Conference

• April 13-14, 2000, New York, NY after FSE 7
• Technical Analysis of Finalists
• FPGA Implementations
• Full hardware Implementations

Issues 8

• Multiple Winners? (Don Johnson)
– More flexibility (pick best algorithm for the application)
– More security with combined algorithms
– Vendors did not want to support multiple algorithms
– Rejected by the participants
• Runner-up?
– Evaluated alternative ready to be implemented
– Would still need to be evaluated before using
– Rejected by the participants
• Rumor (from Europe) of U.S. selection

Rijndael Selected
October 2, 2000

• Consistently very good performance in both hardware and software
• Excellent key setup time and good key agility
• Suited to low memory applications
• Simple operations
• Flexibility in block and key sizes and number of rounds
• FIPS 197, Nov 2001

Postscripts

• ISO changed its decision that cryptographic algorithms were not appropriate for standardization
• ECRYPT started Feb 2004
• Some AES “attacks” found but AES appears to be strong
• Good cooperation between governments and academia on cryptography continues
• Much research beyond crypto-algorithms (e.g., protocols, key management, special applications, etc.)
• NIST Hash Function Competition 2007-2012

Congratulations!!!

• Keccak Designers
– Guido Bertoni (Italy) of STMicroelectronics
– Joan Daemen (Belgium) of STMicroelectronics
– Michaël Peeters (Belgium) of NXP Semiconductors
– Gilles Van Assche (Belgium) of STMicroelectronics

References

• The Data Encryption Standard: Past and Future, Proceedings of the IEEE, vol 76, no 5, M.E. Smid and D. K. Branstad, May 1988.
• Key Escrowing Today, IEEE Communications, vol 32, no 9, p 58-68, Dorothy E. Denning and Miles Smid, September 1994.
• Status Report on the First Round of the Development of the Advanced Encryption Standard, Journal of Research of the NIST, vol 104, no 5, Nechvatal et al., Sep-Oct, 1999.
• Report on the Development of the Advanced Encryption Standard (AES), Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce, Nechvatal et al., October 2, 2000.