
Post on 17-Apr-2015


The CAST Algorithm

Rodrigo Boccasius

2/23

Agenda

Introduction
Algorithm Specification
Cryptanalysis
Applications
Final Considerations
References

3/23

A brief history

CAST (Carlisle Adams and Stafford Tavares)

CAST is a family of ciphers
  CAST64
  CAST128 (or CAST5)
  CAST256 (AES candidate)

4/23

CAST encryption

Encryption algorithm inspired by DES
Feistel network-like structure (called a substitution-permutation network)

5/23

CAST vs. DES (by William Stallings)

CAST uses fixed S-boxes, but ones that are considerably larger than those used in DES. These S-boxes were carefully designed to be nonlinear and resistant to cryptanalysis.

Another interesting feature of CAST-128 is that the round function differs from round to round, again adding to cryptanalytic strength.

6/23

CAST vs. DES (by William Stallings)

The subkey-generation process used in CAST-128 is different from that employed in other conventional block encryption algorithms.

The CAST designers made the subkeys as resistant to known cryptanalytic attacks as possible and felt that the use of highly nonlinear S-boxes to generate the subkeys from the main key provided this strength.

7/23

Algorithm specification - 128

Keys
  For keys between 40 and 80 bits (in 8-bit increments), the algorithm uses 12 rounds;
  For keys longer than 80 bits, the algorithm uses 16 rounds;
  For keys shorter than 128 bits, the key is zero-padded;
  Mix of operations: addition modulo 2 / exclusive OR / addition modulo 2^32

8/23

Two rounds of the CAST128 encryption block

9/23

Characteristics

Desirable:
  Strict Avalanche Criterion (changing 1 bit of the input changes 50% of the output bits)
  Bit Independence Criterion (no link between an output bit and an input bit)
  Not complementary
  Has no weak or semi-weak keys
  Decryption is encryption with the order of the subkeys reversed
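An added illustration, not part of the original slides and not taken from any CAST implementation: a Python sketch of the structure the two slides above describe (round count chosen from the key length, zero-padding, a round function whose type changes from round to round, and decryption as the same routine with the subkeys reversed). The three round-function types follow RFC 2144; the S-boxes and the key schedule are SHA-256-derived stand-ins (assumptions), and the names `rounds_for`, `toy_subkeys` and `crypt` are hypothetical, so the output does not interoperate with real CAST-128.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

# Constructed stand-in S-boxes (NOT the RFC 2144 tables): 4 boxes x 256 words.
SBOX = [[int.from_bytes(hashlib.sha256(bytes([n, i])).digest()[:4], "big")
         for i in range(256)] for n in range(4)]

def rol(x, n):
    """Rotate a 32-bit word left by n (0..31) bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def rounds_for(key):
    """12 rounds for 40..80-bit keys, 16 rounds for longer keys (8-bit steps)."""
    if not 5 <= len(key) <= 16:
        raise ValueError("key must be 40 to 128 bits")
    return 12 if len(key) <= 10 else 16

def toy_subkeys(key):
    """Zero-pad the key to 128 bits and derive (round, Km, Kr) triples.
    Assumption: SHA-256 replaces the real S-box-driven key schedule."""
    padded = key.ljust(16, b"\x00")
    keys = []
    for i in range(rounds_for(key)):
        d = hashlib.sha256(padded + bytes([i])).digest()
        keys.append((i, int.from_bytes(d[:4], "big"), d[4] & 31))
    return keys

def f(kind, d, km, kr):
    """Round function; the three types mix +, - (mod 2^32) and XOR differently."""
    mixed = ((km + d) & MASK, km ^ d, (km - d) & MASK)[kind]
    i = rol(mixed, kr)
    a, b, c, e = (SBOX[n][(i >> s) & 0xFF] for n, s in enumerate((24, 16, 8, 0)))
    out = ((a ^ b) - c + e, ((a - b) + c) ^ e, ((a + b) ^ c) - e)[kind]
    return out & MASK

def crypt(block, subkeys):
    """Feistel rounds over a 64-bit block; the output swaps the halves."""
    l, r = struct.unpack(">II", block)
    for rnd, km, kr in subkeys:
        l, r = r, l ^ f(rnd % 3, r, km, kr)
    return struct.pack(">II", r, l)

def encrypt(block, key):
    return crypt(block, toy_subkeys(key))

def decrypt(block, key):
    # Same routine as encryption, subkeys (and their round types) reversed.
    return crypt(block, toy_subkeys(key)[::-1])
```

Because each subkey carries its round index, reversing the list also reverses the sequence of round-function types, which is what lets the one routine serve both directions.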

10/23

Characteristics

Undesirable:
  “CAST seems unlikely to be suitable for implementation on these processors because it requires 4096 bytes of S-box ROM, which is unreasonably large.” (Performance Analysis of AES candidates on the 6805 CPU core)

11/23

Algorithm specification - 256

CAST256
  For the AES candidacy, the cipher block size had to be increased to 128 bits
  The classic Feistel network was modified into a “generalized” network
  Keys of 128, 192 or 256 bits
  48 rounds, or 12 quad-rounds

12/23

13/23

Algorithm specification - 256

Potential drawback:
  Different structures for encryption and decryption
Solution found:
  First half of the shifts go to the right, second half to the left
  Encryption and decryption performance are the same.

14/23

Cryptanalysis

CAST64
  A related-key attack is known, but it is impractical.
  (Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA)

CAST128
  Resistant to linear and differential cryptanalysis.
  (Resistance of a CAST-Like Encryption Algorithm to Linear)

CAST256
  Although its diffusion characteristics are different, it is also resistant (An Analysis of the CAST-256 Cipher)

15/23

Cryptanalysis

"It is resistant to both linear and differential cryptanalysis. Currently, there is no known way of breaking CAST short of brute force. There are no known attacks on CAST with reduced rounds – it looks incredibly secure. CAST is now the default cipher in PGP." (PGP Diffie-Hellman vs. RSA FAQ: What is CAST?)

16/23

Applications

Several commercial data-encryption tools
  TrueCrypt
  CryptoExpert 2004 Lite (CAST only)
  E4M Disk Encryption

PGP (Pretty Good Privacy)
  CAST128 is the default algorithm

17/23

Final Considerations

RFC 2144 defines a maintenance test:
  Defined in pseudocode
  Vectors ‘a’ and ‘b’ are 128 bits long
  xL and xR are the leftmost and rightmost halves, respectively

Initial a = 01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A (hex)
Initial b = 01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A (hex)

do 1,000,000 times
{
    aL = encrypt(aL,b)
    aR = encrypt(aR,b)
    bL = encrypt(bL,a)
    bR = encrypt(bR,a)
}

Verify a == EE A9 D0 A2 49 FD 3B A6 B3 43 6F B8 9D 6D CA 92 (hex)
Verify b == B2 C9 5E B0 0C 31 AD 71 80 AC 05 B8 E8 3D 69 6E (hex)

18/23

Final Considerations

Still secure, still in use

“The large s-boxes are implemented to efficiently eliminate the permutations found in DES between rounds of substitutions and, as a result, CAST is a very efficient algorithm for software implementation.”

19/23

Why not just use AES?

Yes, I know, the Rijndael now is the best and generally used (AES) encryption algorithm. Other algorithms are less common and non-standard.

Using Rijndael with a 256-bit encryption key makes me sure that my data won't be broken and read by an unauthorized person in the next thousand of years or, more probably, next 1000000... years.

But, what if I don't need to hide my data from everybody forever? It is quite enough to maintain my encrypted data within the next 50-60 years or so.

It is almost improbable that one day somebody will be able to break a message encrypted with a key of 128 bits in length if the encryption algorithm is good.

20/23

Why not just use AES?

So, it is the same for most of the applications whether you use an algorithm with 256-bit key or 128-bit key. Both are practically unbreakable. Why don't I like the strongest ciphers? There are two main reasons: the performance, and the usability.

CAST-128 is three times faster than an AES-256 cipher on the .NET 2.0 platform. Also, CAST-128 is two times faster than the reduced version of the Rijndael algorithm working with a 128-bit key (AES-128).

As for usability, I think it is easier to manipulate keys of 128 bits in length because they are more human readable.

21/23

References

All references were accessed in May 2007

http://jya.com/cast.html

http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#mode

http://citeseer.ist.psu.edu/lee97resistance.html

http://www.thefreecountry.com/security/encryption.shtml

http://www.faqs.org/rfcs/rfc2144.html

22/23

References

http://en.wikipedia.org/wiki/CAST-256

http://www.ipa.go.jp/security/rfc/RFC2144EN.html

http://www.mirrors.wiretapped.net/security/cryptography/algorithms/cast/ (source code)

http://www.netaction.org/encrypt/appendixb.html

http://www.kremlinencrypt.com/algorithms.htm

http://www.scramdisk.clara.net/pgpfaq.html#SubCAST

23/23

References

http://www.cryptopp.com/benchmarks.html
http://en.wikipedia.org/wiki/Block_size_(cryptography)
http://en.wikipedia.org/wiki/Block_cipher
http://www.jetico.com/linux/bcrypt-help/c_gloss.htm
http://www.codeproject.com/dotnet/CastEncryptor.asp
http://community.roxen.com/developers/idocs/rfc/rfc2984.html
http://www.commsdesign.com/main/9811/9811feat3.htm
http://en.wikipedia.org/wiki/Avalanche_effect
http://www.answers.com/topic/feistel-cipher
http://www.ciphersbyritter.com/NEWS/95050101.HTM
http://www.faqs.org/faqs/cryptography-faq/part07/
http://www.cescomm.co.nz/about/aes.html