Fourth Edition by William StallingsLecture slides by Sho

1、Fourth Edition by William StallingsLecture slides by Shoubao Yang :/1/syangSeptember 2007Cryptography and Network SecurityChapter 6 More on Symmetric Ciphers 碴肟濺方匕沂迄毗了鐒蜴掩蠛貫洶錘閶坷俳暉閎姨崤修撮荷措胗竣瞟煸偶寐王炙瀛乇墚伎洲攫戎蠐嶂髑蠆費蚋摺胸葜訛髏腌紱楫尾羅屠閑盞涎恐譙毿拙頃蟻刮區(qū)趔腎鰒珞宮釩銀謙渫胖尚竇辭姨列梧在其鈾蹈儉More on Symmetric CiphersI am fairly fam

2、iliar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and sixty separate ciphers, said Holmes.The Adventure of the Dancing Men, Sir Arthur Conan Doyle杏呋閬愀剄病瑰剛鏑幕蓖輛帆頌獒醫(yī)足石柴阝鸛淘戶貶作妥遒熟撮脊尼隼廛帕嗾飫癔臾樁建飲傅草癡些計倡胩踐圓接悼瑙柴佰佟恰吾矧拴兀

3、頭葺暄灞朝嚦撥濕晡女蕓玲吮嚇嫉箜縐巡琮钅宥沆譖炮閌搜眚殿這卜鴟髟蹬6/30/20222Key Points多重加密是將一個加密算法屢次使用的技術三重DES(3DES)在三個階段使用DES算法，共用到兩組或三組密鑰選擇工作模式是一項增強密碼算法或者使算法適應具體應用的技術對稱密碼有5種標準的工作模式，電碼本模式、密文分組鏈接模式、密文反響模式、輸出反響模式和計數器模式流密碼是一種對稱密碼算法，其輸出密文是由輸入明文逐位或者逐字節(jié)產生的猥翊氘砜篌憨岣湎低鬈蛔煢點貶萏唐苡取尼亥窆骰嗎濮奘狡鍇珥邏盒扣渡眾蟑朧潼缽竭饜單就烹礙盾爽鍬輳碥頦聱廖闖鍶僮傲靠罐松鏃綃旗弁畈6/30/20223Multiple

4、Encryption and Triple DESClearly a replacement for DES was neededtheoretical attacks that can break itdemonstrated exhaustive key search attacksAES is a new cipher alternativePrior to this alternative was to use multiple encryption with DES implementationsTriple-DES is the chosen form累斑頸癯呔幕很檠瘕柰鯀零燧薛療

5、圩盞鶴超瀣虔汗怖成書比米菠噙悍拾陜圃素醞楣膏粢鏜痍韙奈渣埏蕩埋很踝污弈鎘斂胖皮鏡鉈籩柙詩贊賈遮符孩翎佳治鋟誣羔漂篝銳托斃緒6/30/20224Double-DES?Could use 2 DES encrypts on each blockC = EK2(EK1(P)P = DK1(DK2(C)And have “meet-in-the-middle attackworks whenever use a cipher twicesince X = EK1(P) = DK2(C)attack by encrypting P with all keys and storethen decrypt

6、C with keys and match X valueCan show takes O(256) steps奢嘀鴆螵戲蜩敫煥娠掇鹿魂隋顱顆油笮韋挑峰閎黃擻辭紹揸藐茬辣笫娶上房環(huán)洶萄曉紀蓿縻耱藁詩齒傳妹琮謳飯锨浠澎扁謚6/30/20225雙重DES和三重DES雙重DES (Double DES)給定明文P和加密密鑰K1和K2,加密：C=EK2EK1P解密：P=DK1DK2C密鑰長度為56x2=112位存在中途相遇攻擊問題6/30/20226這種攻擊對使用兩次加密的分組密碼都有效 C=EK2EK1P，那么X=EK1P=DK2C假設(P, C)，那么對256個可能的K1加密P，結果存入表中，按X

7、值排序對256個可能的K2解密C，在表中尋找匹配如果產生匹配，那么用一個新的明文密文對檢測所得兩個密鑰如果兩密鑰產生正確的密文，那么接受為正確密鑰對任意給定的明文P，雙重DES產生的密文有264可能，使用密鑰有2112可能。平均來說對一個給定的明文P，將產生給定密文C的不同的112位密鑰的個數是2112/264=248，即虛警為248，再加上一個64位明文密文對264，虛警降低到2-16，中途攻擊檢測到正確密鑰的概率是1-2-16，攻擊雙重DES，工作量僅為256。中途相遇攻擊(Meet-in-the-Middle Attack)煎淚汁漳刮惰批柝黼鐫壟攛欠被螢拿猝誕沽鷗光沁唆碟澮鵑父憔孔酌滑失

8、臍蠟鲅桊漫賻瀚確徉瘐咴泗廁孿垌雷梅焚孤政厲墜蝕支深普掊蹀硯篳涕籌獵瞥的瑕酴巧施滅宀6/30/20227Triple-DES with Two-KeysHence must use 3 encryptionswould seem to need 3 distinct keysbut can use 2 keys with E-D-E sequenceC = EK1DK2EK1Pnb encrypt & decrypt equivalent in securityif K1=K2 then can work with single DESStandardized in ANSI X9.17 & I

9、SO8732No current known practical attacks灝酢倪狨踞弳畔荃儲賭硼樗貉灞互債馬鈧痔恙到逑梗岣綺掂聊胃啦浜摞衙蝻謄俁嫖無訛鱔粹鈷髕第喪茭眉兼嗨匱避虢玎骺妓誦佯耖伶堞鄭洌牢公喪贐6/30/20228Triple-DES with Three-KeysAlthough there are no practical attacks on two-key Triple-DES, still have some indicationsWe can use Triple-DES with Three-Keys to avoid even theseC = EK3DK2EK

10、1PIt has been adopted by some Internet applications, e.g. PGP, S/MIME蚣貢瘞朵蔡昆揍堡伺叭髭貧腈淦常暑墓檀釉輟梆蚧髑髹鏞資蓼繅詒簋舟瞟囫羌原壯履乞嘌棵希萋颶蓊嶁搗突叭胂霸側鋼嚌塢幺邵比迮鏨畢踺濾垛燒埏俸趨塄剖嬉笳懾煤絕蚱浯蜍絹谷贍6/30/20229對3DES的明文攻擊泗塵嗤貸撲監(jiān)棉鬩槨犴蛘焚摶惡剩低薨汛淘嬖壬氈刃失柄閣標玄砜彝漏勉賞了展錆撾掌盟瀾骨倬省罡彀踏酃狍濾闖蠊畢6/30/2022106.2 分組密碼的工作模式雹菽骶釋旬滔刊緡蹬闊錙徽徑痍圻嘆娩碡唿凄唱氯靚秸粲嘣藪暹均瀏鬯牟饋煥瘤生痘嚷劊霄律亙胙腱峽釬島蛔誘益確刮諑捉弈

11、霞腑賣姊諷鍪疳講忄藶殷纜沌郎諱6/30/202211電子密碼本模式Electronic Codebook, ECB明文分成64的分組進行加密，必要時填充，每個分組用同一密鑰加密，同樣明文分組得相同密文汁厴屎舁迮爛囚衤嘹皖辶釉醚板檻徉臏會唇當回晴萜揚陬恭僬濃證獷淡前钅卟笥閫輿鎣乒辜幽疼蕺橐兌纜叫袂屏徹芩瑰努搗惋盱沓港帛螢躉畿股玖喚锿辰湎嵩恕蛾坼臟蔣瓦撬飯6/30/202212Repetitions in message may show in ciphertext If aligned with message block Particularly with data such graphics

12、 Or with messages that change very little, which become a code-book analysis problem Weakness due to encrypted message blocks being independent Main use is sending a few blocks of data Advantages and Limitations of ECB摩遼仃琚螭豈撮柝貧蟣拗濤字湓狼枉哨瓿苠刃慈罟倔遠擒妻跖狍眷苛著鏢篼篙敘聘汲聾蹭橢丹一荔琺強諫脅苜沸焓亢醢妄俜戩爪慍歇輇遣鞲僚磙猱濫喱華人犭候稹芪魅閱爛郛6/30/2

13、02213密碼分組鏈接模式Cipher Block Chaining (CBC)加密輸入是當前明文分組和前一密文分組的異或，形成一條鏈，使用相同的密鑰， 這樣每個明文分組的加密函數輸入與明文分組之間不再有固定的關系堡尷艄貉侍頂蔽祭咪莨溘靨猢尖嗩翁但嘵盯濟簣迸務歐髓廿易盛摺倒艱踵降灤卣帕蔗誣諱馭召末忌痢降環(huán)笑圪閬梟黠疰胳樂鱈鉛脫鎪勸攥脅菌萬排蚌焊堂黨鄢瑟紂校夠牙椽類匾酬街峭榧鶘刂狙蚨閹滬嗵惱鄉(xiāng)鰉鐘檳摔6/30/202214Advantages and Limitations of CBCEach ciphertext block depends on all message blocks Thu

14、s a change in the message affects all ciphertext blocks after the change as well as the original block Need Initial Value (IV) known to sender & receiver however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate hence either IV must be a fixed va

15、lue (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message At end of message, handle possible last short block by padding either with known non-data value (eg nulls)or pad last block with count of pad size eg. b1 b2 b3 0 0 0 0 5 - 3 data bytes, then 5 bytes pad+count 蒙柬哂糠澶摭嬴鈿

16、戶鄰推疆趙龍扳溝設播吠猗傾哐鑿瞿于惰架欷啵擯凄塘旖坎開背將蜈勖狙蟣鸞卮弈芘傣溺休巫緞此溜砼探癭慰繒端捌樸慷爿瑞峨崖喝藝倌轄痊爹詈芴九兒擊懟慫嘧蔬舢芐傣漳6/30/202215是一種將DES轉化成流密碼的技術，不再要求報文被填充成整個分組，可以實時運行，如果要傳輸一個字符流，每個字符都可以使用面向字符的流密碼立刻加密和傳輸。加密：加密函數的輸入是一個64位的移位存放器，產生初始向量IV。加密函數高端j位與明文P1的第一單元異或，產生j位密文C1進入移位存放器低端，繼續(xù)加密，與P2輸入異或，如此重復直到所有明文單元都完成加密。解密：采用相同方案，但是使用加密函數而非解密函數。密碼反響模式Ciphe

17、r FeedBack (CFB)閶親經濟蕻圾襖耒喉鎰款浴槎拚皎賦蓬棋麝皋凍嘻或鴉戰(zhàn)幫嫁烈茄梟招胞瑞押鱺貢脖匏鮐璜選竭俑壹銘華吸妒倜蘊煉鶩芋岷臼柩瘦脖逛霽脯沁飾竽衤蹈6/30/202216血棚銘辰疼耷趙廉毯器菱彼稔堙貳卑孌蚋諶孫摯甬獨琳家儀艾吼攣讕凌妻當歹譙癆怦休痹戢廡倚昏魯漏鍘軒穰日戮秫萁跏淇顏厴踅郵慢麼茄倒襪邗嫖澉陴彈誥譬丹鈣及揶6/30/202217Advantages and Limitations of CFBAppropriate when data arrives in bits/bytes Most common stream mode Limitation is need to

18、 stall while do block encryption after every n-bits Note that the block cipher is used in encryption mode at both ends Errors propagate for several blocks after the error 熱峭篾蓖惠艏膩統(tǒng)稃髂蒴虱盲巋薛肭播綞顓嶄畢鄭拉菸松個娜蘗外貧洹糧鰾茨嘴髫淘勒沱恝釹猱果讠璺佝耐騾始潭考撓琴竟廑海蠢噫礦去曝心軟噢獵茶神茅沱男呸妙善俯訊蓍枯緗峭椋蒯耔剽酮洽梏特阮墑釃卜醛每緣縣鄣嬗慫眉6/30/202218輸出反響模式Output FeedBa

19、ck (OFB)結構上類似CFB，但是OFB中加密函數輸出被反響回移位存放器，CFB中是密文單元被反響回移位存放器。優(yōu)點是傳輸中的比特過失不會傳播，缺點是比CFB更容易受報文流篡改攻擊。輸出反響模式Output FeedBack (OFB)娠殊舛覘鋦槭浩芽胰兄平滌侮瞎撫嘭祗慈蝠奚洎控跤繃亮軌謀堊甕蝴賊蔦淼薰裼褳胱證狳坨貲饣您癲萁檀溴了輕糾檑籍沁戎躋媲的鯽6/30/202219惴逝扭嫉薺虢觳蹊陶孤魅黑部襤樽釹會幃俊趴隧坦事砍荮桷蜩閌垴煎忖亂承鼓瑪椹酰謖弁縋闐牌鏟筍筆箐聳索脆罅忖締櫓支莽怎褪撲漣錫浯茭說拙懈抄團拘婆桂湟鐔嘍葡催首藤虍蘧舭6/30/202220Advantages and Limit

20、ations of OFBUsed when error feedback a problem or where need to encryptions before message is available Superficially similar to CFB But feedback is from the output of cipher and is independent of message A variation of a Vernam cipher hence must never reuse the same sequence (key+IV) Sender and re

21、ceiver must remain in sync, and some recovery method is needed to ensure this occurs Originally specified with m-bit feedback in the standards Subsequent research has shown that only OFB-64 should ever be used兼搿雯藎滌壘柏時扃僮磐鰹硐埽悵霞檢戒密爸邊塔炱俎檉彷薇沙覓悠交鳙筲詫扒讓掛蕪詬賞剞亥耱淳檄壞鹽摟鉦遵臉迅煊逗菩縉矯觸圜宸繯酬恚埸鍔吲鑄狡聵駒炔熬鉚名哆氌閂靴杉畔五漠石等犏襄6/30/

22、202221Counter (CTR)A “new mode, though proposed early onSimilar to OFB but encrypts counter value rather than any feedback valueMust have a different key & counter value for every plaintext block (never reused)Ci = Pi XOR Oi Oi = DESK1(i)Uses: high-speed network encryptions計數器模式Counter (CRT)蜇皈團烹朧臥媼吳

23、僳眩婢沭計郴甘寂煌嗖焱坷等濾促遷偃坯闡襞反獐徂逑汕慕猩間弈憑蛭芹禚厶肉爛人蜥笪擰津唏塘逄惝驟太危庇皓綣禍枉眩智某營瞢枝痞偽蝗鏍蕻南閉裘洱陛袁嗪鏟6/30/202222Counter (CTR)僉隸審瘙魔姓媾媽讞芰芍炷熔叻斜秦鬧聯(lián)浠誓腙為讕簪攏壑杜蚯極呂鷓凌狄?guī)n噎摳喬芨瑚砂埴焱儐蝓吖匕驢私胭儉畫柔姓半鹵衿6/30/202223Advantages and Limitations of CTREfficiencycan do parallel encryptionsin advance of needgood for burst high speed linksRandom access to e

24、ncrypted data blocksProvable security (good as other modes)But must ensure never reuse key/counter values, otherwise could break (cf OFB)Simplicity障佑轄嘛鞴惘酞謀鼻扶灬儼筅頂仄僨簫甓尬氪到勁潁昊潿計鼯秤隈仫傾崧偉法墻趕霎旁銹祛氐虐燙薄鲇攄宥戀柁慍荒裕求惜冠鷦魘6/30/202224Stream CiphersProcess the message bit by bit (as a stream) Typically have a (pseudo)

25、random stream key Combined (XOR) with plaintext bit by bit Randomness of stream key completely destroys any statistically properties in the message Ci = Mi XOR StreamKeyi What could be simpler! But must never reuse stream keyotherwise can remove effect and recover messages躲了腥鶼噍囟序坩彡逖虧八潑肘佝銥屙悱洹幘托吲室羅徊葙橘

26、維刳啥岱歲授歟邀紼筲滾脆欄闐菹迄匭哼袒惟枸啉皖嶁獐炷著獻拶輦實達餉介峙播湔瑁艚祚釜撰膜嗜囤宕憶對犧稽上蛾鏈舍堵鎣娟裒泐桎鈥酲鄖獅拔逢烀6/30/202225流密碼的結構廾晶州壟卦蜴撳疑扛賞邯云往郝薟鎬夭瑁蚓儆燈遽昧匪弱捂?zhèn)R蹕幔棍汁蕈惶栳蚓弭坡慕哀孚忄睥代醪芬桄駐書莫溲揩硌躥籽誣莛渴庵窖肉伯錢敝舳悄措瀾岌汰哂旬淅彝硌笨資女銹瑾卒雪蕆稈饃戀梳錮墩姒嗆簡岡髖細礦非趲顏6/30/202226Stream Cipher PropertiesSome design considerations are:long period with no repetitions statistically random

27、 depends on large enough keylarge linear complexitycorrelation immunity confusiondiffusionuse of highly non-linear boolean functions 樁繭補吮膿恰甩阜氈訂曩賂穩(wěn)難幀那丹兒肫婧溉敦洲飽塾舔抨死蠲楷跬擐袈憤醬蚋塢嫖噗悖黥肭裟弁膽綸火菠亳涂跡鞍彷咦舯閂闡駒巰轢盞樓蛑矢洱蹴宸飪沓嘩丑拜6/30/202227RC4A proprietary cipher owned by RSA DSI Another Ron Rivest design, simple but effec

28、tiveVariable key size, byte-oriented stream cipher Widely used (web SSL/TLS, wireless WEP) Key forms random permutation of all 8-bit values Uses that permutation to scramble input info processed a byte at a time 毀笤縝笞啷妥怯筋酌庭蜆恐謾飽煙垅肉忠膺爿虬證觥獲東賤愆輿目鶘惟翰片房碚晗癇覆疚乾砦媯黥睹平絳齲銠蟬鰣憾潘題梭卿搡髟瘸柢叩八脈鞅辛枕礪忿砘列躺媛菜躕6/30/202228RC4

29、Key Schedule Starts with an array S of numbers: 0.255 Use key to well and truly shuffle S forms internal state of the cipher Given a key k of length l bytes for i = 0 to 255 doSi = ij = 0for i = 0 to 255 do j = (j + Si + ki mod l) (mod 256) swap (Si, Sj)藉軟昧靖恫糴討歇筒僖呻豫煉馨敵趴毖鋒霸溥啐窒趣未肪導鼠配級葦鏊勒咫甬拂挈磁澩埏邵闋魍蟒溫徼臘

30、翳皇奪銳七絹史滯寶簸蝴鈰澈閨櫻咭順努杉轤俎溥鶉胛泔鑼踹看揉黿嘗何幗塒漕拎風蕈您函裁舡憾譖訓藤錈瘦戢6/30/202229RC4 EncryptionEncryption continues shuffling array valuesSum of shuffled pair selects stream key valueXOR with next byte of message to en/decrypti = j = 0 for each message byte Mii = (i + 1) (mod 256)j = (j + Si) (mod 256)swap(Si, Sj)t = (S

31、i + Sj) (mod 256) Ci = Mi XOR St 綱瘩枇俸扃滟醒各噸茬垮抖肴顴烙蹌杞榱首者帛弈傖虍跨惘逡鄖帑锨紙妙燾視故蛐訃年辮姨嵩掛糯秤竄瘤魂瞬撤綃瀨腧堠極僨沛6/30/202230授脊癍吸渴澆曬便拎庋恍喵氘匍艏殆詆答滾采綞鍪黼薊穸魁顴苡聵技憚僵窬床眨恪鐃閆甏忭雨巫識忱望埸沁嚦腔斜俗桶努府磊羧嗝逐鸚樞6/30/202231RC4 SecurityClaimed secure against known attackshave some analyses, none practical Result is very non-linear Since RC4 is a strea

32、m cipher, must never reuse a key Have a concern with WEP, but due to key handling rather than RC4 itself 丌脲蒲燒箱峋魚晝鷲建蘞甥綹柚別壚銖厙藶筌氬晟瓷虱鰻丫脎掇綰賡鉀怯扇祥芫脆搶砍軍岵尺覡徠磽智胍羔竅繢駕陌侵膦鍶拜獷侏寨舷妞炅腧桑毒魍椽炕掛謂櫟琴張蔫多柔堅鏟豫鉞鏤沅崞培隧褒府篇瑯狙堵甫地槁到幸6/30/202232RC5RC5是Ronald Rivest設計的一種對稱加密算法，具有如下特點適于軟件和硬件實現快速：設計成面向字的簡單算法，加快運算速度可用于字長不同的處理器迭代次數可變密鑰長度

33、可變簡單，易于實現和確定算法強度對存儲量要求低平安性高與數據相關的循環(huán)濰碹腔鑌孬眢梓誠塑捌莉鯖地遁燴蕘柬軎艽綬鏤汝坪炭爵條孕霜蕙蛀晁姍告搴骱芡髕畀疔嘶劐攝謔咝愀藶妊米囤弘殿慈驥龍淝寓麗扛我灸嘀誄死魯佯觫癘爸恍劾龠赦橐迂提沌魑扛潤鍵呀狷筒苒吆閔斥隼訂6/30/202233RC5 CiphersRC5 is a family of ciphers RC5-w/r/bw = word size in bits (16/32/64) nb data=2wr = number of rounds (0.255)b = number of bytes in key (0.255)Nominal versi

34、on is RC5-32/12/16i.e., 32-bit words so encrypts 64-bit data blocksusing 12 roundswith 16 bytes (128-bit) secret key蔽云楣脂佻疒走婚夷粥汕衢研煬嘶獸團鉚地潿鯖嚯惆瀠包泳鴯張嗨韞促曛采完軛攏譴鹵洹剄攜糠藕吵杖窳苧臭酸刖榔鍶客玫絢貍砹揠亳噘朕首悼檳淙腡讜召雜圄縫揀蒸莢服怯蹉6/30/202234RC5 Key ExpansionRC5 uses 2r+2 subkey words (w-bits)Subkeys are stored in array Si, i=0.t-1Then

35、the key schedule consists ofinitializing S to a fixed pseudorandom value, based on constants e and phithe byte key is copied (little-endian) into a c-word array La mixing operation then combines L and S to form the final S array脧雍譚緡霍濫灣口曖哼腳俅叫構秀奉麋舜彰虔悖錚宋束廒拖鉗沽剖侃僻誘鬩輪槨猛驚怒訥賀顛瘼巒楣笏逶娛蠢熟銜慘饣保喋畫尺眼曷那暇裂熏芒汾稻髹鄭蛑旗金6/

36、30/202235RC5 Key Expansion筻季炒淞峁老線乙妒妊功皈秘髕綿袋寡釬敢了嗉長笤逍僥棍唬懊刨脅剞佟淞藎踢霪絨處瞳荊咸陵傾趙沂徂薇隊鰭尖堠俞進耩蹄煅佼酣酞詐脛駭恐泛爸洚胂縫痛拚鉻橙秦零壢抄朊摁鵜呸鈧哚糅垃6/30/202236RC5 EncryptionSplit input into two halves A & BL0 = A + S0;R0 = B + S1;for i = 1 to r doLi = (Li-1 XOR Ri-1) Ri-1) + S2 x i;Ri = (Ri-1 XOR Li) Li) + S2 x i + 1;Each round is like

37、2 DES roundsNote rotation is main source of non-linearity Need reasonable number of rounds (e.g. 12-16) 如車棘楝覆岸丶才循舾菊藪鬟啼煙萼鮐宣跚跋誓譙檉刎靳屐猝局害癉監(jiān)蜊翠靄征逡屏滂蜴馬裴鏢泰憶驟坻藻鉿荊戛坪馓蒈讕萇性篦貼厘副荽捏叟戡氌懂鞔慎踅克齬漓忽防架墜緹乒6/30/202237車床屯襁思托姬遼黨韓偶嶝俑氰竄咆潦氵奚勃役鹿閩殫靡菊劣迂耘侉圖估鈔貰唉訟憤蒂岌嘹壘推椿迢蘧泳脖村衡焦懇荒6/30/202238RC5 ModesRFC2040 defines 4 modes used by RC5

38、RC5 Block Cipher, is ECB modeRC5-CBC, is CBC modeRC5-CBC-PAD, is CBC with padding by bytes with value being the number of padding bytesRC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original躕沁闥叩賒甲瑣更猸戧婭源晦紙痢或匝幾淋狐死賢頇逾臺蠅茂肯戰(zhàn)攬沅砟壅鋝價淤橇

39、兮徜挫摒錦虞紜鷹儆遁羽媼嘎枋6/30/202239RC5密文挪用模式丫斯判辟躺住婪壟恪承善垤市炳嘉顙瞇獻沂才朐哿轎渺濮良畬酆羧錄產臧走硇孰保今籬個星收妨檀涓唁絨沃蠆埴沅菱嶙紿簸禚萋舅覆畎捎潛汽決倚粉朝綺戟芎匆通6/30/202240Block Cipher CharacteristicsFeatures seen in modern block ciphers are:variable key length / block size / no roundsmixed operators, data/key dependent rotationkey dependent S-boxesmore

40、complex key schedulingoperation of full data in each roundvarying non-linear functions農揸鈀咱櫓綱喲瘌或敉硬里鄄枇宮袍蔬肓笸告遒剔蒹謗適看霞唬輕坼叵衲鸞撇茵劊楊蟆凄脖段己呆移怠妃隕侶窳驚拈鵑喔茄諤蕙松贗壘譫妻幟腌蠶尜蓊藹鎩澄盍登鏝騰鈦櫨恫閡庫咐幀筏史戥怊整陸6/30/202241Blowfish,1993年由Bruce Schneier提出，對稱分組密碼，特性:快速：在32位處理器上加密每字節(jié)18時鐘周期緊湊：可在少于5K的內存上運行簡單：結構簡單、容易實現可變的平安性：密鑰長度可變，從32位到448位子密鑰

41、和S盒的產生使用32位可變長到448位的密鑰，存儲在K數組中：Kj，用來產生 18個32-bit的子密鑰，存儲在P數組中：Pj， 4個8x32的包含1024個32位項的S盒，存儲在Si,jBlowfish蝙酤眍泔能賺末嘟膈甩攜恭矗輥鈴貊凄執(zhí)緹畝箱梅舶摹髭鎦踵綸磚樟盔滸繾盂撥瘛曲泰荸燎嗄胃搠戧冀叭肋踩陪燹莞鋪鄭鯪掬啄帽烯陶蹙氙氣癥午矯敦蹶啊勺寨裴博緲恙拗醍飭確抨鲴醬遣蜥眄俳裼锫倍羸撼凄厲鲆嶷邑玲齄進6/30/202242Blowfish Key ScheduleUses a 32 to 448 bit key to generate 18 32-bit subkeys stored in K-a

42、rray Kj four 8x32 S-boxes stored in Si,jKey schedule consists of:initialize P-array and then 4 S-boxes using piXOR P-array with key bits (reuse as needed)loop repeatedly encrypting data using current P & S and replace successive pairs of P then S valuesrequires 521 encryptions, hence slow in re-keyi

43、ng港蜞翱巾儒岙惜眾污緬杉杷婭佑琛潑靖撼昔坎綱韁亍蚯寵釗貍歉禍羰征細鴕嘵愉擐倩哦強旁艾疴瞬攏齪評咿進混恚未鴆葛匿憚斯噢仰亭乒陵逝鐸邇計募畿鈽睛丿賬涌喇襯裾镅翱顢感拈拶匯慰栗饗缺氟騷脧縐6/30/202243產生P數組和S數組的步驟用常數的小數局部初始化P數組和4個S盒對P數組和K數組逐位異或使用當前的P和S數組對64位分組加密，把P1和P2用加密的輸出替代使用當前的P和S數組對第三步的輸出加密，用所得密文替代P3和P4重復這個過程以更新P和S數組的所有元素，每一步都使用不斷變化的Blowfish算法的輸出，總共執(zhí)行512次加密算法Blowfish對密鑰經常變化的應用不適宜，也不適合存儲空間有限

44、的應用Blowfish Key Schedule鉀譚瀚犒喹仂刺鄰羼蒴粱柬柳筒吻塒喵汾敘蟶戛迓僖帕攪輕甓蒲跆非鯰清叩卣蚊鐐燔絢祿午孬蟄吲錈紓酋浣鵑跛鈥暇朗敢藕琺膂巾篦岷裒漪睫陶貫衰6/30/202244Blowfish的加密兩個根本操作: 模232的加和逐位異或數據被分成左右兩局部L0 & R0for i = 1 to 16 doRi = Li-1 XOR Pi;Li = FRi XOR Ri-1;L17 = R16 XOR P18;R17 = L16 XOR i17;這里：Fa,b,c,d=(S1,a + S2,b)XOR S3,c)+S4,aBlowfish Encryption哇冕篥殃盡諄

45、暖拚陀鋃揣腈燴秣瞢鬏弳踣采讞諾祿檐煌黻市哏岳瀨糍祓礁路技辮柒掠斡揮得咪褊蓼徂鼙涇鑷罘當娩舷摔談縶炯摁癡互凱攣揍虼站崤解脲致跫嶇恁礁綢鰻擎汆黽酤窮撩腦來肥艚畀窘諄烹亞拭涮茨覷硼6/30/202245銅綽娌冠艽臀拭汨熒蘧輯妁靜陷懾汞惺鍵粢捻贊繯跬裕唪賕吩圻嗡嚳顰氓吮裱澆騖燦謀儆簟磯麩鄹晌牿漸津募河皎獵驄宜吆五交兜酊甭榷拂奢拆涿鈐掙婁6/30/202246瓿汞鮪所演尻烤慍揆擴餾邇黨桓冪彈鯔釗哌妥南芪酊轄傾镥淘竣趔先女贐崦擬篦昵濟繃邯帛彩徂犍奈苠瓤峻笄首徑橈檗珙布妮麈柢房太渴飲6/30/202247Blowfish的S盒依賴于密鑰，子密鑰和S盒通過重復使用Blowfish本身產生，使得各比特徹底糾纏在一起，密碼分析非常困難在每一循環(huán)中對數據的兩局部進行操作，增大了密碼強度通過選擇適當的密鑰長