密码学与计算机安全 第七讲：现代分组密码

第七讲：现代分组密码1.DES(DataEncryptionStandard)HistorycurrentlythemostwidelyusedblockcipherintheworlddevelopedasaresultoftheNBS(nowNIST)calledforpossibleencryptionalgorithmsforuseinunclassifiedgovernmentapplicationsinMay1973,andagaininAug1974responsewasmostlydisappointing(reworkedclassicalormachineciphers)howeverIBMsubmittedLuciferwasredesignedtobecametheDataEncryptionStandard(DES)7现代分组密码（续）adoptedasa(US)federalstandardinNov76publishedbyNBSasahardwareonlyschemeinJan77byANSIforbothh/w&s/winANSIX3.92-1981(&X3.106-1983modesofuse)subsequentlywidelyadoptedandisinmanystandardsaroundtheworldcfAustralianStandardAS2805.5-1985oneofthelargestusersoftheDESisthebankingindustry,particularlywithEFT,andEFTPOSitisforthisusethattheDEShasprimarilybeenstandardised,withANSIreconfirmingitsusefor5yearperiods-infuturewilluseAES2。DESDesignControversyalthoughthestandardispublic,thedesigncriteriausedareclassifiedwasconsiderablecontroversyoverthedesignparticularlyinthechoiceofa56-bitkey,cf.WDiffie,MHellmanExhaustiveCryptanalysisoftheNBSDataEncryptionStandardIEEEComputer10(6),June1977,pp74-84MHellmanDESwillbetotallyinsecurewithintenyearsIEEESpectrum16(7),Jul1979,pp31-413.DESSecurityrecentanalysishasshowndespitethisthatthechoicewasappropriate,andthatDESiswelldesignedrapidadvancesincomputingspeedthoughhaverenderedthe56bitkeysusceptibletoexhaustivekeysearch,aspredictedbyDiffie&Hellmanhavedemonstratedbreaks:1997onalargenetworkofcomputersinafewmonths1998ondedicatedh/w(EFF)inafewdays1999abovecombinedin22hrs!theDESalsotheoreticallybrokenusingDifferentialorLinearCryptanalysisinpractiseisunlikelytobeaproblemyet4.OverviewoftheDESEncryptionAlgorithmthebasicprocessinencipheringa64-bitdatablockusingtheDESconsistsof:aninitialpermutation(IP)16roundsofacomplexkeydependentcalculationfafinalpermutation,beingtheinverseofIP5.DESKeySchedulethesubkeysusedineachroundareformedbythekeyschedulewhichhas:aninitialpermutationofthekey(PC1)whichselects56-bitsintwo28-bithalves16stagesconsistingof:selecting24-bitsfromeachhalfpermutingthembyPC2foruseinfunctionf,rotatingeachhalfseparatelyeither1or2placesdependingonthekeyrotationscheduleKScanbedescribedfunctionallyas:SKi=PC2(KS(PC1(Key),i))6.PC1PC1isusedtoselect56of64bitssuppliedasthekeyevery8thbitisdiscarded(assumedtobeparity)nb.simplisitics/wimplementationswhichjustconcatenate8bytes,essentiallyonlyhave48-bitsPC1alsosplitsthekeybitsinto2halves(CandD)nb.inDESnumberbitsfrom1(left,MSB)to32/64(right,LSB)57,49,41,33,25,17,9,CHalf1,58,50,42,34,26,18,10,2,59,51,43,35,27,19,11,3,60,52,44,36,63,55,47,39,31,23,15,DHalf7,62,54,46,38,30,22,14,6,61,53,45,37,29,21,13,5,28,20,12,4