algoritmo cast n.
Skip this Video
Loading SlideShow in 5 Seconds..
Algoritmo CAST PowerPoint Presentation
Download Presentation
Algoritmo CAST

Loading in 2 Seconds...

  share
play fullscreen
1 / 23
Download Presentation

Algoritmo CAST - PowerPoint PPT Presentation

kaseem-burgess
177 Views
Download Presentation

Algoritmo CAST

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Algoritmo CAST Rodrigo Boccasius

  2. Agenda • Introdução • Especificação do Algoritmo • Criptoanálise • Aplicações • Considerações Finais • Referências

  3. Um breve histórico • CAST (Carlisle Adams and Stafford Tavares) • CAST é uma família de cifradores • CAST64 • CAST128 (ou CAST5) • CAST256 (candidato ao AES)

  4. Cifragem CAST • Algoritmo de cifragem inspirado no DES • Feistel network-like structure (called a substitution-permutation network)

  5. CAST x DES (por William Stallings) • CAST uses fixed S-boxes, but ones that are considerably larger than those used in DES. These S-boxes were carefully designed to be nonlinear and resistant to cryptanalysis. • Another interesting feature of CAST-128 is that the round function, differs from round to round, again adding to cryptanalytic strength.

  6. CAST x DES (por William Stallings) • The subkey-generation process used in CAST-128 is different from that employed in other conventional block encryption algorithms. • The CAST designers made the subkeys as resistant to known cryptanalytic attacks as possible and felt that the use of highly nonlinear S-boxes to generate the subkeys from the main key provided this strength.

  7. Especificação do algoritmo - 128 • Chaves • Para chaves entre 40 e 80 bits (incrementos de 8 em 8 bits), algoritmo usa 12 rodadas; • Para chaves maior que 80, algoritmo usa 16 rodadas; • Para chaves menores de 128 bits, há zero-padding na chave; • Mistura de operações adição módulo 2/ou exclusivo/adição módulo 232

  8. 2 rodadas do bloco de cifragem do CAST128

  9. Características • Desejáveis: • Strict Avalanche Criterion (alteração de 1 bit na entrada altera 50% dos bits na saída) • Bit Independence Criterion (inexistência de ligação entre um bit da saída e um bit da entrada) • Não é complementar • Não possui chaves fracas ou semi-fracas • Decriptação é a encriptação com inversão na ordem das sub-chaves

  10. Características • Indesejáveis: • “CAST seems unlikely to be suitable for implementation on these processors because it requires 4096 bytes of S-box ROM, which is unreasonably large.” (Performance Analysis of AES candidates on the 6805 CPU core)

  11. Especificação do algoritmo - 256 • CAST256 • Para a candidatura ao AES, foi necessário aumentar tamanho do bloco de cifragem para 128 bits • Modificações na rede clássica de Feistel para uma rede “generalizada” • Chaves de 128, 192 ou 256 bits • 48 rodadas ou 12 quad-rodadas

  12. Especificação do algoritmo - 256 • Desvantagem potencial: • Estruturas diferentes para encriptação e decriptação • Solução encontrada: • Primeira metade dos deslocamentos para a direita, segunda metade para a esquerda • Desempenho da encriptação e da decriptação são iguais.

  13. Criptoanálise • CAST64 • related-key attack conhecido, mas impraticável. (Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA) • CAST128 • Resistente a criptoanálise linear e diferencial. (Resistance of a CAST-Like Encryption Algorithm to Linear) • CAST256 • Embora tenha características diferentes de difusão, também é resistente (An Analysis of the CAST-256 Cipher)

  14. Criptoanálise • "It is resistant to both linear and differential cryptanalysis. Currently, there is no known way of breaking CAST short of brute force. There are no known attacks on CAST with reduced rounds – it looks incredibly secure. CAST is now the default cipher in PGP." (PGP Diffie-Hellman vs. RSA FAQ: What is CAST?)

  15. Aplicações • Diversas ferramentas comerciais de cifragem de dados • TrueCrypt • CryptoExpert 2004 Lite (CAST only) • E4M Disk Encryption • PGP (Pretty Good Privacy) • CAST128 é o algoritmo default

  16. Considerações Finais • RFC 2144 define um teste de manutenção: • Definição em pseudo-código • Vetores ‘a’ e ‘b’ de 128 bits • xL e xR metade mais a esquerda e a direita, respectivamente Initial a = 01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A (hex) Initial b = 01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A (hex) do 1,000,000 times { aL = encrypt(aL,b) aR = encrypt(aR,b) bL = encrypt(bL,a) bR = encrypt(bR,a) } Verify a == EE A9 D0 A2 49 FD 3B A6 B3 43 6F B8 9D 6D CA 92 (hex) Verify b == B2 C9 5E B0 0C 31 AD 71 80 AC 05 B8 E8 3D 69 6E (hex)

  17. Considerações Finais • Ainda seguro, ainda em uso • “The large s-boxes are implemented to efficiently eliminate the permutations found in DES between rounds of substitutions and, as a result, CAST is very efficient algorithm for software implementation.”

  18. Por que não usar apenas o AES? • Yes, I know, the Rijndael now is the best and generally used (AES) encryption algorithm. Other algorithms are less common and non-standard. • Using Rijndael with a 256-bit encryption key makes me sure that my data won't be broken and read by an unauthorized person in the next thousand of years or, more probably, next 1000000... years. • But, what if I don't need to hide my data from everybody forever? It is quite enough to maintain my encrypted data within the next 50-60 years or so. • It is almost improbable that one day somebody will be able to break a message encrypted with a key of 128 bits in length if the encryption algorithm is good.

  19. Por que não usar apenas o AES? • So, it is the same for most of the applications whether you use an algorithm with 256-bit key or 128-bit key. Both are practically unbreakable. Why don't I like the strongest ciphers? There are two main reasons: the performance, and the usability. • CAST-128 is three times faster than a AES-256 cipher on the .NET 2.0 platform. Also, CAST-128 is two times faster than the reduced version of the Rijndael algorithm working with a 128-bit key (AES-128). • As for usability, I think it is easier to manipulate keys of 128 bits in length because they are more human readable.

  20. Referências • Todas as referências foram acessadas em maio/2007 • http://jya.com/cast.html • http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#mode • http://citeseer.ist.psu.edu/lee97resistance.html • http://www.thefreecountry.com/security/encryption.shtml • http://www.faqs.org/rfcs/rfc2144.html

  21. Referências • http://en.wikipedia.org/wiki/CAST-256 • http://www.ipa.go.jp/security/rfc/RFC2144EN.html • http://www.mirrors.wiretapped.net/security/cryptography/algorithms/cast/ (Código Fonte) • http://www.netaction.org/encrypt/appendixb.html • http://www.kremlinencrypt.com/algorithms.htm • http://www.scramdisk.clara.net/pgpfaq.html#SubCAST

  22. Referências • http://www.cryptopp.com/benchmarks.html • http://en.wikipedia.org/wiki/Block_size_(cryptography) • http://en.wikipedia.org/wiki/Block_cipher • http://www.jetico.com/linux/bcrypt-help/c_gloss.htm • http://www.codeproject.com/dotnet/CastEncryptor.asp • http://community.roxen.com/developers/idocs/rfc/rfc2984.html • http://www.commsdesign.com/main/9811/9811feat3.htm • http://en.wikipedia.org/wiki/Avalanche_effect • http://www.answers.com/topic/feistel-cipher • http://www.ciphersbyritter.com/NEWS/95050101.HTM • http://www.faqs.org/faqs/cryptography-faq/part07/ • http://www.cescomm.co.nz/about/aes.html