Term of the week: AES

The DES encryption standard was replaced by AES in 2001. By then, the National Institute of Standards and Technology (NIST) had evaluated fifteen symmetric algorithms and finally chosen Rijndael as the best suited. Keys can be 128, 192 or 256 bits long, compared with the 56 bits of DES.

During the AES selection process, the first round eliminated algorithms with possible defects (DEAL, FROG, HPC, LOKI97, MAGENTA) as well as further algorithms that were unsuitable for various reasons (CAST-256, CRYPTON, DFC, E2, SAFER+). In the end, a few algorithms went on to the ”final”:

  • MARS: ”MARS demonstrates very good performance on 32-bit platforms, and its speed excels on platforms that provide strong support for 32-bit variable rotations and multiplications. The algorithm also has the flexibility to handle key sizes much higher than the required 256 bits. Some concerns about MARS include its performance on platforms that do not provide the support needed, as well as the algorithmic complexity.”
  • RC6: ”RC6 is very fast on 32-bit platforms, and it is the fastest performer on any platform providing the needed support. ... Additionally, this algorithm is extremely flexible in the sense that the key size, block size, and number of rounds are all fully parameterized. Some concerns about RC6 include the relatively low security margin, declining performance on platforms that do not provide strong support for 32-bit variable rotations and multiplications, and the lack of low-end smart card suitability.”
  • Rijndael: ”Fast key setup, and consistently excellent performance across all platforms considered ... The algorithm’s low RAM and ROM requirements also make it very suitable for smart cards. The ability to handle additional key and block sizes also contributes to the algorithm’s outstanding flexibility.”
  • Serpent: ”Serpent has one of the strongest overall security profiles and is extremely well suited for smart cards. It is designed to allow bitslice implementations, in which the S-boxes can be computed by logical operations rather than table lookups. Such optimized versions should allow relatively efficient parallel computation of the S-boxes, especially on 32-bit platforms. Nevertheless, its slow speed remains a minus.”
  • Twofish: ”It possesses a large security margin, and ... no major or minor security gaps were evident. In terms of performance, Twofish is very fast across almost all platforms. Low RAM and ROM requirements make it suitable for smart cards and other restricted memory environments. Another advantage is Twofish’s flexibility, since it admits several modes of implementation to accommodate various space/time tradeoffs.”

Finally, Rijndael was chosen, with the following rationale (excerpt):

Rijndael appears to be consistently a very good performer in both hardware and software across a wide range of computing environments regardless of its use in feedback or nonfeedback modes. Its key setup time is excellent, and its key agility is good. Rijndael’s very low memory requirements make it very well suited for restricted-space environments, in which it also demonstrates excellent performance. Rijndael’s operations are among the easiest to defend against power and timing attacks. Additionally, it appears that some defense can be provided against such attacks without significantly impacting Rijndael’s performance.

Nobody has yet broken the AES algorithm, but there are some open questions, discussed by Bruce Schneier, Nicolas T. Courtois and on Wikipedia, among others. The old DES standard has not been broken either, but a brute-force attack took only 22 hours for ”Deep Crack” in 1999. Had the original DES algorithm from IBM been allowed to keep its 128-bit keys, it would still have been secure, perhaps even more secure than AES. (The National Security Agency, which helped review DES, reduced the key length to 56 bits.)

Rätt enkelt is mostly about usability and web development. I, the author, am Christian Davén.
