1 / 36

An AES Retrospective

An AES Retrospective. ECRYPT October 18, 2012 Miles Smid Orion Security Solutions. Opening Remarks. Honored to be here AES the work of many people who were willing to try a new cryptographic development process

karif
Download Presentation

An AES Retrospective

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An AES Retrospective ECRYPT October 18, 2012 Miles Smid Orion Security Solutions

  2. Opening Remarks • Honored to be here • AES the work of many people who were willing to try a new cryptographic development process • This AES process affected how cryptography is studied, developed, analyzed, distributed, and used today • Several issues had to be dealt with along the way

  3. The Beginnings 1965 • Cryptography restricted to military applications • U.S. Brooks Act required new standards for computer security • NBS (NIST) viewed cryptography as one of the key computer security areas • Cryptography thought important for US Government data privacy applications

  4. The Birth of DES • Developed by IBM • Proposed by NBS in March 1975 • Comments requested August 1975 • Possible export restrictions • Diffie-Hellman controversy over 56-bit key size and possible trap doors • Two workshops in 1976 • DES security estimated to last 10-15 years • Issued as a Federal standard on January 15, 1977

  5. DES Matures: 1980’s • DES succeeds but controversy continues • Significantly better than alternatives • Adoption by the U.S. (ANSI X9) Banking community in 1979 • U.S. Treasury adoption in 1984 • ISO Standard DES-1 in 1986 • ISO decision not to standardize cryptographic algorithms

  6. DES Reaches Twilight • Third DES 5-year Review (1993) announces that higher security algorithms will be considered at next review • DES cracker breaks a key in 56 hours 1998 • Fourth DES Review recommends Triple DES but allows Single DES for legacy systems in 1999 • Difficult to transition away from DES1 1. Transitioning is still a significant problem in cryptography

  7. Escrowed Encryption • FIPS 185 published in 1994 • Cryptography without jeopardizing law enforcement, public safety, and national security • Tamper resistant device (Clipper, Capstone) unique key • Keys held in escrow by Treasury and NIST • Keys provided to law enforcement with court order • Program Manager from NIST

  8. Escrow Features • Separation of duties, split knowledge, security clearances, redundancy, physical security, auditing all used • New (but secret) 80-bit crypto-algorithm called Skipjack (BS=64, r=32) • Skipjack “Interim” Review by Brickell, Denning, Kent, Maher, and Tuchman in 1992. “Good for 30-40 years” • SP800-131A SKIPJACK shall not be used for encryption after 2010. Legacy decryption is allowed

  9. Escrow Problems • Classified Algorithm • Hardware/Firmware only • Government designed • Restricted evaluation • Academic community not involved in its development and opposed its implementation • NIST discouraged from standards development • Skipjack declassified on June 1998.

  10. 1996 The Stage is now Set for AES!

  11. AES Motivation • A new symmetric algorithm standard was clearly needed, but could NIST develop such a standard? • Academic community must be involved • Algorithm must be public and worldwide royalty- free • More secure than TDES more efficient than TDES

  12. Issues 1 • This cooperation between the USG and the academic community in an open process to develop cryptography had not been done before. Would it work? • Would NSA support this open process? • Brian Snow

  13. Issues 2 • How does one avoid a key size issue? • How does one specify the requirements that the algorithm must meet? • How does the USG get the academic community involved? • Have a contest • Not for money but for honor

  14. First Workshop • NIST request for comments on Developing AES, Jan 2, 1997. • NIST AES Workshop, April 15, 1977 • 128, 192, and 256 bit key sizes • 128 or variable block size • Efficient on 8, 32, and 64-bit processors and special purpose hardware • Simplicity and logic of design • Not many cryptographers • Future meetings in conjunction with Crypto and Fast Software Encryption conferences

  15. Formal Call for CandidatesSep 12 1997 • Criteria • Security: Resistance to attack, soundness of math basis, randomness of function • Cost: Speed, Memory, Licensing • Algorithm Implementation Characteristics: flexibility, simplicity, provable security, intellectual property • Reference Implementations

  16. Issues 3 • Would the Schedule provide enough time for evaluation? • Would NIST receive any viable candidates? • Should NSA Submit? • Bruce Schneier: Yes • Miles Smid: Hoped not

  17. First AES Candidate Conference • Aug 20-22 1998, Ventura, CA with Crypto 98 • 21 packages received • 6 were incomplete • 15 candidates from 10 countries were presented • Several faster than single DES with greater key size • Cryptanalysis performed real time!!!!! • Call for Analysis

  18. 15 Original Candidates

  19. 15 Original Candidates

  20. Designs • Based on previous schemes (5) • Feistel Networks (6) • Modified Feistel Networks (3) • Substitution-Permutation Networks (4) • Other Algorithms (2)

  21. Software Efficiency

  22. Issues 4 • How could royalty free nature of the AES algorithm be guaranteed? • Legal statement from owners giving up royalty rights (some conditional responses) • Public notice to all requesting notification of any infringement • Only selected algorithm must comply

  23. Issues 5 • Export of reference implementations • Worked with DOC Bureau of Export Administration • Reference implementations not included without personal use only stipulation • Brian Gladman implementations • What if NSA found classified security issue? • No good solution • Mutual trust

  24. Let the Games Begin

  25. Second AES Conference • March 22-23, 1999, Rome, Italy before FSE 6 • Crypto Attacks: Major and Minor • Submitter Rebuttals • Security Margin (Rounds-rounds of best attack) • Efficiency

  26. Analysis • Claimed Attacks • LOK197, FROG, MAGENTA, DEAL, SAFER + • Weak Keys • DFC, CRYPTON • So far pretty good • MARS, RC2, RIJNDAEL, TWOFISH, E2, CAST 256, SERPENT, HPC

  27. Issues 6 • Will tweaks be permitted? • Under certain conditions • Minor adjustments to an algorithm, to correct small deficiencies • Explanation/justification of proposed “tweaks”, and updated spec. are due May 15, 1999.

  28. NIST Selects the Finalists • Five candidates had no major or minor security gaps and possessed numerous advantages (Aug 1999) • MARS: IBM • RC6: RSA Laboratories • Rijndael: Daeman, and Rijmen • Serpent: Anderson, Biham, and Knudsen • Twofish: Schneier, Kelsey, Whiting, Wagner, Hall, and Ferguson.

  29. Attendee Feedback Form • Rijndael positive 86 negative 10 • Serpent positive 59 negative 7 • Twofish positive 31 negative 21 • RC6 positive 23 negative 37 • MARS positive 13 negative 84 Beauty Contest or Expert Opinion?

  30. Issues 7 • NSA announced that it had put 13 person years of labor into studying the candidates • NSA concluded that each finalist appeared to be cryptographically sound • Relief!!! • “None of the finalists is outstandingly superior to the rest”2 2. Report on the Development of the AES, NIST, October 2, 2012

  31. Third AES Conference • April 13-14, 2000, New York, NY after FSE 7 • Technical Analysis of Finalists • FPGA Implementations • Full hardware Implementations

  32. Issues 8 • Multiple Winners? (Don Johnson) • More flexibility (pick best algorithm for the application) • More security with combined algorithms • Vendors did not want to support multiple algorithms • Rejected by the participants • Runner-up? • Evaluated alternative ready to be implemented • Would still need to be evaluated before using • Rejected by the participants • Rumor (from Europe) of U.S. selection

  33. Rijndael SelectedOctober 2, 2000 • Consistently very good performance in both hardware and software • Excellent key setup time and good key agility • Suited to low memory applications • Simple operations • Flexibility in block and key sizes and number of rounds • FIPS 197, Nov 2001

  34. Postscripts • ISO changed its decision that cryptographic algorithms were not appropriate for standardization • ECRYPT started Feb 2004 • Some AES “attacks” found but AES appears to be strong • Good cooperation between governments and academia on cryptography continues • Much research beyond crypto-algorithms (e.g., protocols, key management, special applications, etc. • NIST Hash Function Competition 2007-2012

  35. Congratulations!!! • Keccak Designers • Guido Bertoni (Italy) of STMicroelectronics • Joan Daemen (Belgium) of STMicroelectronics • Michaëll Peeters (Belgium) of NXP Semiconductors • Gilles Van Assche (Belgium) of STMicroelectronics

  36. References • The Data Encryption Standard: Past and Future, proceedings of IEEE, vol 76, no 5, M.E. Smid and D. K. Branstad, May 1988. • Key Escrowing Today, IEEE Communications, vol 32, no 9, p 58-68, Dorothy E. Denning and Miles Smid, September 1994. • Status Report on the First Round of the Development of the Advanced Encryption Standard, Journal of Research of the NIST, vol 104, no 5, Nechvatal et al., Sep-Oct, 1999. • Report on the Development of the Advanced Encryption Standard (AES), Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce, Nechvatal et al., October 2, 2000.

More Related