Security Engineering. Ross Anderson. Читать онлайн. Newlib. NEWLIB.NET

Автор: Ross Anderson
Издательство: John Wiley & Sons Limited
Серия:
Жанр произведения: Зарубежная компьютерная литература
Год издания: 0
isbn: 9781119642817
Скачать книгу
to have followed this playbook; by selecting an algorithm that was only just strong enough mathematically and whose safe implementation requires skill and care, the US government saw to it that firms in Russia, China, Japan and elsewhere will end up using systems that are less secure because less skill and effort has been invested in the implementation. However, this was probably luck rather than Machiavellian cunning: the relevant committee at NIST would have had to have a lot of courage to disregard the vote and choose another algorithm instead. Oh, and the NSA has since 2005 approved AES with 128-bit keys for protecting information up to SECRET and with 192-bit or 256-bit keys for TOP SECRET. So I recommend that you use AES instead of GOST, or Camellia, or even Serpent. The definitive specification of AES is Federal Information Processing Standard 197, and its inventors have written a book describing its design in detail [507].

      5.4.3 Feistel ciphers

      Many block ciphers use a more complex structure, which was invented by Feistel and his team while they were developing the Mark XII IFF in the late 1950s and early 1960s. Feistel then moved to IBM and founded a research group that produced the Data Encryption Standard (DES) algorithm, which is still a mainstay of payment system security.

Schematic illustration of the Feistel cipher structure. psi Superscript negative 1 Baseline left-parenthesis f 1 comma f 2 comma period period period comma f Subscript 2 k minus 1 Baseline comma f Subscript 2 k Baseline right-parenthesis equals psi left-parenthesis f Subscript 2 k Baseline comma f Subscript 2 k minus 1 Baseline comma period period period comma f 2 comma f 1 right-parenthesis

      In other words, to decrypt, we just use the round functions in the reverse order. Thus the round functions f Subscript i do not have to be invertible, and the Feistel structure lets us turn any one-way function into a block cipher. This means that we are less constrained in trying to choose a round function with good diffusion and confusion properties, and which also satisfies any other design constraints such as code size, software speed or hardware gate count.

       5.4.3.1 The Luby-Rackoff result

      The key theoretical result on Feistel ciphers was proved by Mike Luby and Charlie Rackoff in 1988. They showed that if f Subscript i were random functions, then psi left-parenthesis f 1 comma f 2 comma f 3 right-parenthesis was indistinguishable from a random permutation under chosen-plaintext attack, and this result was soon extended to show that psi left-parenthesis f 1 comma f 2 comma f 3 comma f 4 right-parenthesis was indistinguishable under chosen plaintext/ciphertext attack – in other words, it was a pseudorandom permutation. (I omit a number of technicalities.)

      In engineering terms, the effect is that given a really good round function, four rounds of Feistel are enough. So if we have a hash function in which we have confidence, it is straightforward to construct a block cipher from it: use four rounds of keyed hash in a Feistel network.

       5.4.3.2 DES

      The DES algorithm is widely used in banking and other payment applications. The ‘killer app’ that got it widely deployed was ATM networks; from there it spread to prepayment meters, transport tickets and much else. In its classic form, it is a Feistel cipher, with a 64-bit block and 56-bit key. Its round function operates on 32-bit half blocks and consists of three operations:

       first, the block is expanded from 32 bits to 48;

       next, 48 bits of round key are mixed in using exclusive-or;

       the result is passed through a row of eight S-boxes, each of which takes a six-bit input and provides a four-bit output;

       finally, the bits of the output are permuted according to a fixed pattern.

      DES was introduced in 1974 and immediately caused controversy. The most telling criticism was that the key is too short. Someone who wants to find a 56 bit key using brute force, that is by trying all possible keys, will have a total exhaust time of 2 Superscript 56 encryptions and an average solution time of half that, namely 2 Superscript 55 encryptions. Whit Diffie and Martin Hellman argued in 1977 that a DES keysearch machine could be built with a million chips, each testing a million keys a second; as a million is about 2 Superscript 20, this would take on average 2 Superscript 15 seconds, or a bit over 9 hours, to find the key. They argued that such a machine could be built for $20 million in 1977 [557]. IBM, whose scientists invented DES, retorted that they would charge the US government $200 million to