
The CAST Algorithm


Presentation Transcript


  1. The CAST Algorithm • Rodrigo Boccasius

  2. Agenda • Introduction • Algorithm Specification • Cryptanalysis • Applications • Final Remarks • References

  3. A brief history • CAST (Carlisle Adams and Stafford Tavares) • CAST is a family of ciphers • CAST64 • CAST128 (or CAST5) • CAST256 (AES candidate)

  4. CAST encryption • Encryption algorithm inspired by DES • Feistel network-like structure (called a substitution-permutation network)

  5. CAST vs. DES (by William Stallings) • CAST uses fixed S-boxes, but ones that are considerably larger than those used in DES. These S-boxes were carefully designed to be nonlinear and resistant to cryptanalysis. • Another interesting feature of CAST-128 is that the round function differs from round to round, again adding to cryptanalytic strength.

  6. CAST vs. DES (by William Stallings) • The subkey-generation process used in CAST-128 is different from that employed in other conventional block encryption algorithms. • The CAST designers made the subkeys as resistant to known cryptanalytic attacks as possible and felt that the use of highly nonlinear S-boxes to generate the subkeys from the main key provided this strength.

  7. Algorithm specification - 128 • Keys • For keys between 40 and 80 bits (in 8-bit increments), the algorithm uses 12 rounds; • For keys longer than 80 bits, the algorithm uses 16 rounds; • Keys shorter than 128 bits are zero-padded; • Mix of operations: addition modulo 2 / exclusive OR / addition modulo 2^32

  8. Two rounds of the CAST128 cipher block

  9. Characteristics • Desirable: • Strict Avalanche Criterion (changing 1 bit of the input changes 50% of the output bits) • Bit Independence Criterion (no link between an output bit and an input bit) • Not complementary • No weak or semi-weak keys • Decryption is encryption with the order of the subkeys reversed

  10. Characteristics • Undesirable: • “CAST seems unlikely to be suitable for implementation on these processors because it requires 4096 bytes of S-box ROM, which is unreasonably large.” (Performance Analysis of AES candidates on the 6805 CPU core)
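
The round structure from slides 5, 7 and 9 as an added sketch (not part of the original presentation and not RFC 2144's reference code): the three alternating round-function types, the 12/16-round rule with zero-padded keys, and decryption as the same routine with the subkey order reversed. The S-boxes and key schedule are stand-ins derived from SHA-256 and the names `schedule`, `crypt` and `mean_avalanche` are hypothetical, so the output does not interoperate with real CAST-128.

```python
# Structural sketch: the S-boxes and key schedule are stand-ins built from
# SHA-256, NOT the RFC 2144 tables, so this is not real CAST-128 output.
import hashlib
import struct

MASK = 0xFFFFFFFF

def _word(data):  # constructed filler: first 32 bits of SHA-256(data)
    return struct.unpack(">I", hashlib.sha256(data).digest()[:4])[0]

# Four constructed 8x32 S-boxes standing in for S1..S4.
S = [[_word(bytes([n, i])) for i in range(256)] for n in range(4)]

def f(d, km, kr, rnd):
    t = rnd % 3  # round-function type: 1 -> type 1, 2 -> type 2, 0 -> type 3
    mixed = (km + d, km ^ d, km - d)[(t - 1) % 3] & MASK
    i = ((mixed << kr) | (mixed >> (32 - kr))) & MASK  # rotate left by Kr
    a, b, c, e = (S[n][(i >> s) & 255] for n, s in enumerate((24, 16, 8, 0)))
    if t == 1:
        return (((a ^ b) - c) + e) & MASK
    if t == 2:
        return (((a - b) + c) ^ e) & MASK
    return (((a + b) ^ c) - e) & MASK

def schedule(key):
    """[(round, Km, Kr)]: 12 rounds for keys up to 80 bits, 16 above."""
    if not 5 <= len(key) <= 16:
        raise ValueError("key must be 40 to 128 bits")
    rounds = 12 if len(key) <= 10 else 16
    padded = key.ljust(16, b"\x00")  # short keys are zero-padded to 128 bits
    return [(r, _word(padded + bytes([r])), _word(bytes([r]) + padded) & 31)
            for r in range(1, rounds + 1)]

def crypt(block, key, decrypt=False):
    # Decryption is the same routine with the subkey order inverted.
    subkeys = schedule(key)[::-1] if decrypt else schedule(key)
    left, right = struct.unpack(">II", block)
    for rnd, km, kr in subkeys:
        left, right = right, left ^ f(right, km, kr, rnd)
    return struct.pack(">II", right, left)  # halves swapped on output

def mean_avalanche(block, key):  # mean ciphertext bits flipped per 1-bit change
    base = int.from_bytes(crypt(block, key), "big")
    plain = int.from_bytes(block, "big")
    total = 0
    for b in range(64):
        other = crypt((plain ^ (1 << b)).to_bytes(8, "big"), key)
        total += bin(base ^ int.from_bytes(other, "big")).count("1")
    return total / 64
```

Because the round-function type travels with each `(round, Km, Kr)` entry, reversing the list reverses the type sequence as well, which is what makes the single routine invert itself.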

  11. Algorithm specification - 256 • CAST256 • For the AES candidacy, the cipher block size had to be increased to 128 bits • The classical Feistel network was modified into a “generalized” network • Keys of 128, 192 or 256 bits • 48 rounds, or 12 quad-rounds

  12. Algorithm specification - 256 • Potential drawback: • Different structures for encryption and decryption • Solution found: • First half of the shifts to the right, second half to the left • Encryption and decryption performance are equal.

  13. Cryptanalysis • CAST64 • A related-key attack is known, but impractical. (Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA) • CAST128 • Resistant to linear and differential cryptanalysis. (Resistance of a CAST-Like Encryption Algorithm to Linear) • CAST256 • Although its diffusion characteristics are different, it is also resistant (An Analysis of the CAST-256 Cipher)

  14. Cryptanalysis • "It is resistant to both linear and differential cryptanalysis. Currently, there is no known way of breaking CAST short of brute force. There are no known attacks on CAST with reduced rounds – it looks incredibly secure. CAST is now the default cipher in PGP." (PGP Diffie-Hellman vs. RSA FAQ: What is CAST?)

  15. Applications • Several commercial data-encryption tools • TrueCrypt • CryptoExpert 2004 Lite (CAST only) • E4M Disk Encryption • PGP (Pretty Good Privacy) • CAST128 is the default algorithm

  16. Final Remarks • RFC 2144 defines a maintenance test: • Defined in pseudo-code • Vectors ‘a’ and ‘b’ of 128 bits • xL and xR are the leftmost and rightmost halves, respectively

      Initial a = 01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A (hex)
      Initial b = 01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A (hex)

      do 1,000,000 times
      {
          aL = encrypt(aL,b)
          aR = encrypt(aR,b)
          bL = encrypt(bL,a)
          bR = encrypt(bR,a)
      }

      Verify a == EE A9 D0 A2 49 FD 3B A6 B3 43 6F B8 9D 6D CA 92 (hex)
      Verify b == B2 C9 5E B0 0C 31 AD 71 80 AC 05 B8 E8 3D 69 6E (hex)

  17. Final Remarks • Still secure, still in use • “The large s-boxes are implemented to efficiently eliminate the permutations found in DES between rounds of substitutions and, as a result, CAST is a very efficient algorithm for software implementation.”

  18. Why not just use AES? • Yes, I know, the Rijndael now is the best and generally used (AES) encryption algorithm. Other algorithms are less common and non-standard. • Using Rijndael with a 256-bit encryption key makes me sure that my data won't be broken and read by an unauthorized person in the next thousand of years or, more probably, next 1000000... years. • But, what if I don't need to hide my data from everybody forever? It is quite enough to maintain my encrypted data within the next 50-60 years or so. • It is almost improbable that one day somebody will be able to break a message encrypted with a key of 128 bits in length if the encryption algorithm is good.

  19. Why not just use AES? • So, it is the same for most of the applications whether you use an algorithm with 256-bit key or 128-bit key. Both are practically unbreakable. Why don't I like the strongest ciphers? There are two main reasons: the performance, and the usability. • CAST-128 is three times faster than an AES-256 cipher on the .NET 2.0 platform. Also, CAST-128 is two times faster than the reduced version of the Rijndael algorithm working with a 128-bit key (AES-128). • As for usability, I think it is easier to manipulate keys of 128 bits in length because they are more human readable.

  20. References • All references were accessed in May 2007 • http://jya.com/cast.html • http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#mode • http://citeseer.ist.psu.edu/lee97resistance.html • http://www.thefreecountry.com/security/encryption.shtml • http://www.faqs.org/rfcs/rfc2144.html

  21. References • http://en.wikipedia.org/wiki/CAST-256 • http://www.ipa.go.jp/security/rfc/RFC2144EN.html • http://www.mirrors.wiretapped.net/security/cryptography/algorithms/cast/ (source code) • http://www.netaction.org/encrypt/appendixb.html • http://www.kremlinencrypt.com/algorithms.htm • http://www.scramdisk.clara.net/pgpfaq.html#SubCAST

  22. References • http://www.cryptopp.com/benchmarks.html • http://en.wikipedia.org/wiki/Block_size_(cryptography) • http://en.wikipedia.org/wiki/Block_cipher • http://www.jetico.com/linux/bcrypt-help/c_gloss.htm • http://www.codeproject.com/dotnet/CastEncryptor.asp • http://community.roxen.com/developers/idocs/rfc/rfc2984.html • http://www.commsdesign.com/main/9811/9811feat3.htm • http://en.wikipedia.org/wiki/Avalanche_effect • http://www.answers.com/topic/feistel-cipher • http://www.ciphersbyritter.com/NEWS/95050101.HTM • http://www.faqs.org/faqs/cryptography-faq/part07/ • http://www.cescomm.co.nz/about/aes.html
