Cryptography is the branch of science that studies mathematical techniques for providing information-protection services [44]. It is an important discipline with many applications in social life.

Cryptography came into being thousands of years ago. For many centuries, however, the results of this field found almost no use in the ordinary civilian areas of social life and were used mainly in the military, political and diplomatic spheres. Today, encryption and information-security applications are used ever more widely in different fields around the world, from security, military and defence applications through to civilian areas such as electronic commerce and banking. With the ever faster growth of the Internet and of electronic transactions over networks, the need to protect information in electronic systems and applications receives more and more attention and is of the utmost importance. The results of cryptographic science are being deployed in ever more areas of social life, including a great variety of civilian and commercial applications. Encrypting personal information, exchanging business information and carrying out electronic transactions over the network have become familiar to everyone. Together with the development of computer science and the Internet, research on and applications of cryptography have become more diverse, opening up many research directions that specialise in particular application areas with their own characteristics. The applications of cryptography are not merely the encryption and decryption of information; they include many other problems that must be studied and solved, for example authenticating the origin of the content of information (digital signature techniques), certifying the identity of the owner of a key (public-key certification), and procedures that allow information to be exchanged and electronic transactions to be carried out securely over the network.

The applications of cryptography and of information-protection science are rich and varied; depending on the particular nature of each information-protection system, an application will have features with its own characteristics. Among these, the main features of an information-protection system can be listed as follows:
- Confidentiality: the system ensures that information is kept secret. The information may be intercepted, for example while it is being transmitted, but the attacker cannot understand the content of the stolen information.
- Integrity: the system guarantees the integrity of information in communication, or helps to detect that the information has been modified.
- Authentication of the parties in a communication and of the content of the information communicated.
- Non-repudiation: the system ensures that no party in the system can deny responsibility for an action it has carried out.
Research results in cryptography have also been built into more complex systems, combined with other techniques to meet the varied requirements of different application systems in practice, for example online voting systems, distance-learning systems, security-management systems of organisations using a biometric approach, and systems that provide multimedia services over a network and that must both deliver the service and protect the intellectual-property rights over the digital content.
In compiling this book, we, the authors, wish to introduce readers to an overview of encryption and its applications, and at the same time to present and analyse a number of encryption methods and procedures for protecting information securely and effectively in practice.

Alongside the famous classical encryption methods that have been widely used over the past decades, such as DES, RSA and MD5, we also introduce readers to newer methods with a high level of security, such as the AES encryption standard, the ECC method and the SHA-224/256/384/512 cryptographic hash standard. Models and procedures for public-key certification are also presented in this book.

The book consists of 10 chapters. After the general introduction to cryptography and the concept of a cryptosystem in Chapter 1, Chapters 2 to 5 go deeper into conventional encryption systems, from the basic concepts and simple methods to new methods such as Rijndael and the AES candidate algorithms. Chapter 6 introduces public-key cryptosystems and the RSA method. Chapter 7 presents the concept of digital signatures together with a number of common methods such as RSA, DSS and ElGamal. Research results on applying the theory of elliptic curves over finite fields to cryptography are presented in Chapter 8. Chapter 9 introduces the cryptographic hash functions currently in widespread use, such as MD5 and SHS, together with the methods published more recently, such as SHA-256/384/512. In Chapter 10 we study public-key certification systems, from the models to the practical procedures of a public-key certification system, together with an example of combining a conventional cryptosystem, a public-key cryptosystem and public-key certification to build a secure electronic-mail system.

With the structure and content outlined above, we hope the knowledge presented in this book will be a useful reference for readers interested in the field of encryption and its applications.

Although we have tried to complete the book with all our effort, it certainly still has shortcomings. We ask for the understanding and the comments of our readers.

THE AUTHORS: Dr. Dương Anh Đức and M.Sc. Trần Minh Triết, with contributions from students of the Faculty of Information Technology, University of Natural Sciences, Vietnam National University, Ho Chi Minh City: Vn c Phng Hng, Nguyn Minh Huy, Nguyn Ngc Tng, Phan Th Minh c, Lng V Minh.
Contents

Chapter 1 Overview 15
1.1 Cryptography 15
1.2 Cryptosystems 16
1.3 Conventional encryption systems (symmetric encryption) 18
1.4 Public-key encryption systems (asymmetric encryption) 19
1.5 Combining conventional and public-key encryption 19

3.3.1 Addition
3.3.2 Multiplication
3.3.3 Polynomials with coefficients in GF(2^8)
3.4 The Rijndael method
3.4.1 Encryption process
3.4.2 Architecture of the Rijndael algorithm
3.4.3 The SubBytes transformation
3.4.4 The ShiftRows transformation
3.4.5 The MixColumns transformation
3.4.6 The AddRoundKey operation
3.5 Generating the key of each round
3.5.1 Building the expanded key table
3.5.2 Determining the round key
3.6 Decryption process
3.6.1 The InvShiftRows transformation
3.6.2 The InvSubBytes transformation
3.6.3 The InvMixColumns transformation
3.6.4 Equivalent decryption process
3.7 Implementation issues
3.7.1 Remarks
3.8 Experimental results

4.4.3 Branch number
4.4.4 Pattern propagation
4.4.5 Weights of differential trails and linear trails
4.5 Security against other attack methods
4.5.1 Symmetry and the weak keys of DES
4.5.2 The Square attack
4.5.3 The interpolation attack
4.5.4 Weak keys in IDEA
4.5.5 Related-key attacks
4.6 Experimental results
4.7 Conclusion

Chapter 7 Digital signatures 191
7.1 Introduction 191
7.2 The RSA digital signature method 192
7.3 The ElGamal digital signature method 193
7.3.1 The discrete logarithm problem 193
7.3.2 The ElGamal method 194
7.4 The Digital Signature Standard 194

8.1 Elliptic curve theory 197
8.1.1 The Weierstrass equation and elliptic curves 198
8.1.2 Elliptic curves over R^2 199
8.1.3 Elliptic curves over finite fields 204
8.1.4 The discrete logarithm problem on elliptic curves 212
8.1.5 Applying elliptic curve theory to encryption 213
8.2 Data encryption 213
8.2.1 Encryption operation 214
8.2.2 Combining ECES with the Rijndael algorithm and its extended variants 215
8.2.3 Decryption operation 215
8.3 Diffie-Hellman key exchange using elliptic curve theory (ECDH) 216
8.3.1 The Diffie-Hellman key exchange model 216
8.3.2 The Elliptic Curve Diffie-Hellman model 217
8.4 Conclusion 218

Chapter 9 Cryptographic hash functions 222
9.1 Introduction 222
9.1.1 Problem statement 222
9.1.2 Cryptographic hash functions 223
9.1.3 Structure of a hash function 225
9.1.4 Security of hash functions against collisions 226
9.1.5 One-wayness 226
9.2 The MD5 hash function 227
9.2.1 Introduction to MD5 227
9.2.2 Remarks 231
9.3 The Secure Hash Standard (SHS) 232
9.3.1 Remarks 235
9.4 The SHA family of cryptographic hash standards 236
9.4.1 The idea behind the SHA hash algorithms 236
9.4.2 Common algorithmic framework of the SHA hash functions 237
9.4.3 Remarks 240
9.5 The Davies-Meyer hash construction and the application of Rijndael and its extended versions to hashing 241
9.5.1 The Davies-Meyer hash construction 241
9.5.2 The AES-Hash function 242
9.5.3 The Davies-Meyer hash and AES-Hash 244
9.6 Building hash functions from the extended algorithms based on Rijndael 245

10.4.3 Certificate Repository (CR) 259
10.5 Certificate management life cycle 259
10.5.1 Initialisation 259
10.5.2 Certificate requests 259
10.5.3 Certificate renewal 262
10.5.4 Certificate revocation 262
10.5.5 Key archival and recovery 264
10.6 CA models 264
10.6.1 Centralised model 264
10.6.2 Hierarchical model 265
10.6.3 Web of Trust model 266
10.7 Application: an electronic-mail protection system 268
10.7.1 Problem statement 268
10.7.2 E-mail encryption procedure 269
10.7.3 E-mail decryption procedure 270
10.7.4 Remarks and evaluation 271

Appendix A S-box of the MARS algorithm
Appendix B Permutations used in the Serpent algorithm
Appendix C S-boxes used in the Serpent algorithm
Appendix D S-box of the Rijndael algorithm
Appendix E Constants and initial values of SHA
E.1 Constants used in SHA
E.1.1 Constants of SHA-1
E.1.2 Constants of SHA-224 and SHA-256
E.1.3 Constants of SHA-384 and SHA-512
E.2 Initial values in SHA
List of figures

Figure 4.6. Illustration of Theorem 4.2 with Wc(a1) = 1 (256/384/512-bit extended algorithm) 105
Figure 4.7. Illustration of Theorem 4.3 (256/384/512-bit extended algorithm) 107
Figure 5.1. The MARS encryption process 116
Figure 5.2. Structure of the forward mixing phase 125
Figure 5.3. Type-3 Feistel network 127
Figure 5.4. The E function 128
Figure 5.5. Structure of the backward mixing phase 130
Figure 5.6. RC6 encryption structure 140
Figure 5.7. Round i of the RC6 encryption process 141
Figure 5.8. Key generation model 146
Figure 5.9. Encryption structure 149
Figure 5.10. Round i (i = 0, ..., 30) of the Serpent encryption process 150
Figure 5.11. Decryption structure 153
Figure 5.12. The h function 157
Figure 5.13. Model for generating the key-dependent S-boxes 159
Figure 5.14. Model for generating the subkeys Kj 160
Figure 5.15. The q permutation 162
Figure 5.16. Encryption structure 164
Figure 5.17. The F function (128-bit key) 166
Figure 5.18. Comparison of encryption (a) and decryption (b) 169
Figure 6.1. Model of a public-key cryptosystem 174
Figure 6.2. Secret-key exchange using public keys 187
Figure 6.3. Graph comparing the cost of breaking secret keys and public keys 189
Figure 8.1. An example of an elliptic curve 199
Figure 8.2. The point at infinity 200
Figure 8.3. Addition on an elliptic curve 201
Figure 8.4. Point doubling on an elliptic curve 203
Figure 8.5. Comparison of the security level of ECC with RSA / DSA 220
Figure 9.1. Common algorithmic framework of the SHA hash functions 238
Figure 10.1. The problem of public-key ownership 247
Figure 10.2. Components of a public-key certificate 248
Figure 10.3. A simple Certification Authority model 249
Figure 10.4. Version 3 of the X.509 certificate standard 251
Figure 10.5. Version 2 of the attribute certificate structure 254
Figure 10.6. The certificate signing process 255
Figure 10.7. The certificate verification process 256
Figure 10.8. Basic PKI model 257
Figure 10.9. Certificate request template according to PKCS#10 260
Figure 10.10. Certificate request message format according to RFC 2511 261
Figure 10.11. Version 2 of the certificate revocation list format 263
Figure 10.12. Centralised CA model 264
Figure 10.13. Hierarchical CA model 266
Figure 10.14. Web of trust model 267
Figure 10.15. E-mail encryption procedure 269
Figure 10.16. E-mail decryption procedure 270
Chapter 1 Overview

Chapter 1 gives an overview of the basic concepts of cryptography and cryptosystems, and briefly introduces conventional encryption systems and public-key encryption systems.

1.1 Cryptography
Cryptography is the science that applies mathematics to transforming information into another form in order to hide the content and meaning of the information being encrypted. It is an important discipline with many applications in social life. Today, encryption and information-security applications are used ever more widely in different fields around the world, from security, military and defence applications through to civilian areas such as electronic commerce and banking. Together with the development of computer science and the Internet, research on and applications of cryptography have become more diverse, opening up many research directions that specialise in particular application areas with their own characteristics. The applications of cryptography are not merely the encryption and decryption of information; they include many other problems that must be studied and solved: authenticating the origin of the content of information (digital signature techniques), certifying the identity of the owner of a key (public-key certification), and procedures that allow information to be exchanged and electronic transactions to be carried out securely over the network. Research results in cryptography have also been built into more complex systems, combined with other techniques to meet the varied requirements of different application systems in practice, for example online voting systems, distance-learning systems, security-management systems of organisations using a biometric approach, and systems that provide multimedia services over a network and that must both deliver the service and protect the intellectual-property rights over the digital content.
1.2 Cryptosystems

Definition 1.1: A cryptosystem is a five-tuple (P, C, K, E, D) satisfying the following conditions:
1. The plaintext space P is the finite set of all possible source messages to be encrypted.
2. The ciphertext space C is the finite set of all possible messages after encryption.
3. The key space K is the finite set of all keys that may be used.
4. E and D are the sets of encryption rules and decryption rules, respectively. For every key k ∈ K there exist a corresponding encryption rule e_k ∈ E and decryption rule d_k ∈ D. The encryption rule e_k: P → C and the decryption rule d_k: C → P are two mappings satisfying
d_k(e_k(x)) = x for all x ∈ P.
Property 4 is the main and most important property of a cryptosystem. It guarantees that a message x ∈ P encrypted with the encryption rule e_k ∈ E can be decrypted exactly with the rule d_k ∈ D.

Definition 1.2: Z_m is defined as the set {0, 1, ..., m − 1} equipped with addition (denoted +) and multiplication (denoted ×). Addition and multiplication in Z_m are carried out as in Z, except that the result is taken modulo m.

Example: Suppose we need to compute 11 × 13 in Z_16. In Z, the product is 11 × 13 = 143. Since 143 ≡ 15 (mod 16), we have 11 × 13 = 15 in Z_16.

Some properties of Z_m:
1. Addition is closed in Z_m: for all a, b ∈ Z_m, a + b ∈ Z_m.
2.  Addition in Z_m is commutative: for all a, b ∈ Z_m, a + b = b + a.
3. Addition in Z_m is associative: for all a, b, c ∈ Z_m, (a + b) + c = a + (b + c).
4. Z_m has the neutral element 0: for all a ∈ Z_m, a + 0 = 0 + a = a.
5. Every element a in Z_m has the additive inverse m − a.
6. Multiplication is closed in Z_m: for all a, b ∈ Z_m, a × b ∈ Z_m.
7. Multiplication in Z_m is commutative: for all a, b ∈ Z_m, a × b = b × a.
8. Multiplication in Z_m is associative: for all a, b, c ∈ Z_m, (a × b) × c = a × (b × c).
9. Z_m has the unit element 1: for all a ∈ Z_m, a × 1 = 1 × a = a.
10. For all a, b, c ∈ Z_m, ...
1.3 Conventional encryption systems (symmetric encryption)

In a conventional encryption system, encrypting and decrypting a message use the same key, called the secret key or symmetric key. Consequently, the security of the encrypted information depends entirely on keeping the content of the key that was used secret.

With the ever-increasing speed and processing power of today's microprocessors, the Data Encryption Standard (DES) has become insecure for protecting information. The US National Institute of Standards and Technology (NIST) therefore decided to select a new, highly secure encryption standard to serve the communication-security needs of the US government as well as civilian applications. The Rijndael algorithm of Vincent Rijmen and Joan Daemen was officially selected as the Advanced Encryption Standard (AES) on 2 October 2000.
1.4 Public-key encryption systems (asymmetric encryption)

Whereas the difficulty facing conventional encryption methods is the key-exchange problem, public-key encryption methods make exchanging keys easier. The content of a public key does not need to be kept secret, unlike the secret key in conventional encryption methods. Using public keys, we can set up a secure procedure for exchanging the secret key used in a conventional cryptosystem. In recent years, public-key encryption methods, especially the RSA method [45], have been used more and more in encryption applications worldwide, and RSA can be regarded as the standard method most widely used on the Internet, applied to securing communications as well as in the field of electronic commerce.
1.5 Combining conventional and public-key encryption

Conventional encryption methods have the advantage of very fast processing and high security compared with public-key encryption methods, but they run into the difficulty of exchanging keys. Conversely, public-key encryption methods process information more slowly but allow users to exchange keys more easily. In practical applications we therefore need to combine the advantages of each encryption method in order to build effective and secure encryption and information-security systems.
Chapter 2

In Chapter 1 we looked at an overview of cryptography and cryptosystems. Chapter 2 introduces conventional encryption systems (also called symmetric encryption systems) in more detail. Some classical conventional encryption methods such as the shift cipher and the substitution cipher, together with the block ciphers widely used in recent decades such as DES, Triple DES and AES, are also introduced in this chapter.

2.1 Conventional encryption systems

A conventional encryption system is a cryptosystem in which the encryption and decryption procedures both use the same key, the secret key. The security of the information depends on the secrecy of the key.
In a conventional encryption system, the source message is encrypted with a key k agreed in advance between the sender A and the receiver B. A uses the key k to encrypt the message x into the message y and sends y to B; B uses the key k to decrypt this message y. The security of the encrypted information depends on keeping the content of the key k secret. If a third party C learns the key k, then C can "unlock" the encrypted message that A sent to B.

[Figure: model of a conventional encryption system. Secret key; source message → encryption → encrypted message → decryption → decrypted message.]
2.2 The shift cipher

The shift cipher is one of the oldest methods used for encryption. The message is encrypted by cyclically shifting each character k positions in the alphabet.

In the special case k = 3, the shift cipher is called the Caesar cipher.
Algorithm 2.1. The shift cipher
Let P = C = K = Z_n. For each key k ∈ K, define:
e_k(x) = (x + k) mod n and d_k(y) = (y − k) mod n, with x, y ∈ Z_n,
E = {e_k, k ∈ K} and D = {d_k, k ∈ K}.

The shift cipher is a simple method; encryption and decryption are carried out quickly. In practice, however, it can easily be broken by trying every possible key k ∈ K. This is entirely feasible because the key space K has only n elements to choose from.

Example: To encrypt a message written in the letters A to Z (26 letters), we use P = C = K = Z_26. The encrypted message is then insecure and can easily be decrypted by trying the 26 key values k ∈ K in turn. On average, the encrypted message can be decrypted after about n/2 trials of keys k ∈ K.
2.3 The substitution cipher

The substitution cipher is one of the best-known encryption methods and has been in use for hundreds of years. It encrypts a message by permuting the elements of the alphabet or, more generally, by permuting the elements of the plaintext space P.
Algorithm 2.2. The substitution cipher
Let P = C = Z_n. K is the set of all permutations of the n elements 0, 1, ..., n − 1. Thus each key π ∈ K is a permutation of the n elements 0, 1, ..., n − 1.
For each key π ∈ K, define: e_π(x) = π(x) and d_π(y) = π^(−1)(y), with x, y ∈ Z_n,
E = {e_π, π ∈ K} and D = {d_π, π ∈ K}.

This is a simple method; encryption and decryption are carried out quickly. It overcomes the limitation of the shift cipher, whose key space K is so small that it is easily decrypted by trying the n key values k ∈ K in turn. In the substitution cipher the key space K is very large, with n! elements, so it cannot be decrypted by exhausting every possible key k. In practice, however, a message encrypted with this method can still be decrypted if one can build a table of the frequencies with which the characters occur in the message, or if one knows some words or phrases of the original plaintext!
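To make the two observations above concrete, here is an added example (my own code, not from the book) implementing Algorithm 2.1 and Algorithm 2.2 over Z_26: the shift cipher's n-element key space is searched exhaustively, and the substitution cipher's n! key space is shown to leave the plaintext's symbol-frequency profile unchanged. The sample plaintext and the seeded permutation are constructed for the demonstration.

```python
# Added example (not from the book): shift cipher and substitution cipher over Z_n,
# plus the two observations the text makes about them: the shift cipher's key space
# has only n elements, so every key can be tried; the substitution cipher has n! keys
# but preserves the symbol-frequency profile of the plaintext.
import random
from collections import Counter
from math import factorial

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # P = C = Z_26, letters encoded as 0..25
N = len(ALPHABET)


def encode(text):
    """Map letters to elements of Z_26; anything outside the alphabet is dropped."""
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]


def decode(nums):
    return "".join(ALPHABET[v] for v in nums)


# --- Algorithm 2.1: shift cipher ---
def shift_encrypt(x, k):
    return [(v + k) % N for v in x]


def shift_decrypt(y, k):
    return [(v - k) % N for v in y]


def shift_exhaustive_search(y, known_plaintext_word):
    """Try all n keys (the weakness the text describes) and return those keys whose
    decryption contains a word known to be in the plaintext."""
    return [k for k in range(N) if known_plaintext_word in decode(shift_decrypt(y, k))]


# --- Algorithm 2.2: substitution cipher with a permutation pi of Z_n ---
def random_permutation(seed):
    rng = random.Random(seed)  # seeded so the example is reproducible
    pi = list(range(N))
    rng.shuffle(pi)
    return pi


def substitution_encrypt(x, pi):
    return [pi[v] for v in x]


def substitution_decrypt(y, pi):
    pi_inv = [0] * N
    for i, p in enumerate(pi):
        pi_inv[p] = i  # build pi^-1 once, then apply it
    return [pi_inv[v] for v in y]


def frequency_profile(nums):
    """Sorted list of symbol counts. It is identical before and after substitution,
    which is why a frequency table breaks the cipher in spite of the n! keys."""
    return sorted(Counter(nums).values(), reverse=True)


def key_space_sizes():
    """(|K| for the shift cipher, |K| for the substitution cipher)."""
    return N, factorial(N)


if __name__ == "__main__":
    x = encode("ATTACK AT DAWN")  # constructed sample plaintext
    y = shift_encrypt(x, 3)       # k = 3 is the Caesar cipher
    print(decode(y), "recovered keys:", shift_exhaustive_search(y, "DAWN"))
    pi = random_permutation(2024)
    z = substitution_encrypt(x, pi)
    print(decode(z), key_space_sizes(), frequency_profile(x) == frequency_profile(z))
```

Running the script shows the Caesar ciphertext, that only k = 3 yields a decryption containing the known word, and that the substitution ciphertext has exactly the same frequency profile as the plaintext despite a key space of 26! permutations.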
2.4 The affine cipher

If the shift cipher is a special case of the substitution cipher in which only n of the n! possible keys are used, the affine cipher is another special case of the substitution cipher.
K = {(a, b) ∈ Z_n × Z_n : gcd(a, n) = 1}
For each key k = (a, b) ∈ K, define: e_k(x) = (ax + b) mod n and d_k(y) = (a^(−1)(y − b)) mod n, with x, y ∈ Z_n,
E = {e_k, k ∈ K} and D = {d_k, k ∈ K}.

For information encrypted with a function e_k ∈ E to be decrypted exactly, e_k must be a bijection. Thus, for every value y ∈ Z_n, the equation ax + b ≡ y (mod n) must have a unique solution x ∈ Z_n.

The equation ax + b ≡ y (mod n) is equivalent to ax ≡ (y − b) (mod n). So it suffices to study the equation ax ≡ (y − b) (mod n).

Theorem 2.1: The equation ax + b ≡ y (mod n) has a unique solution x ∈ Z_n for every value b ∈ Z_n if and only if a and n are coprime.

Hence the condition that a and n are coprime guarantees that information encrypted with e_k can be decrypted, and decrypted exactly.
Theorem 2.2: If $n = \prod_{i=1}^{m} p_i^{e_i}$ then $\phi(n) = \prod_{i=1}^{m} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$.

In the affine cipher there are n possible choices of b and φ(n) possible choices of a. The key space K therefore has n·φ(n) elements in total.

The problem posed by the affine cipher is that, to decrypt the encrypted information, the inverse element a^(−1) ∈ Z_n must be computed. The extended Euclidean algorithm solves this problem completely [45].

First, consider the (basic) Euclidean algorithm used to find the greatest common divisor of two positive integers r_0 and r_1 with r_0 > r_1. The Euclidean algorithm consists of a sequence of divisions:
r_0 = q_1 r_1 + r_2,  0 < r_2 < r_1
r_1 = q_2 r_2 + r_3,  0 < r_3 < r_2
...
r_{m−2} = q_{m−1} r_{m−1} + r_m,  0 < r_m < r_{m−1}
r_{m−1} = q_m r_m   (2.1)

It is easy to see that gcd(r_0, r_1) = gcd(r_1, r_2) = ... = gcd(r_{m−1}, r_m) = r_m. Thus the greatest common divisor of r_0 and r_1 is r_m.
Theorem 2.3: For every j, 0 ≤ j ≤ m, we have r_j ≡ t_j r_1 (mod r_0), where q_j and r_j are determined by the Euclidean algorithm and t_j is determined by the recurrence given above.   (2.3)

In the Euclidean algorithm, the sequence {t_j} can be computed at the same time as the sequences {q_j} and {r_j}. The extended Euclidean algorithm below is used to determine the inverse (if it exists) of a positive integer a modulo n. The algorithm needs no array to store the values of the sequences {t_j}, {q_j} or {r_j}, because at any moment only the last two elements of each sequence matter.
Algorithm 2.4. Extended Euclidean algorithm for determining the inverse of a modulo n
    n0 = n
    a0 = a
    t0 = 0
    t = 1
    q = ⌊n0 / a0⌋
    r = n0 − q·a0
    while r > 0 do
        temp = t0 − q·t
        if temp ≥ 0 then temp = temp mod n end if
        if temp < 0 then temp = n − ((−temp) mod n) end if
        t0 = t
        t = temp
        n0 = a0
        a0 = r
        q = ⌊n0 / a0⌋
        r = n0 − q·a0
    end while
    if a0 ≠ 1 then
        a has no inverse modulo n
    else
        a^(−1) = t mod n
    end if
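As an added example (my own code, not from the book), the following transcribes Algorithm 2.4 literally, using the same variable names, and then uses it as the a^(−1) step of the affine cipher's decryption rule d_k. It also counts φ(n) directly to illustrate the n·φ(n) key-space size; the key (a, b) = (7, 3) and the inputs are constructed for the demonstration.

```python
# Added example (not from the book): Algorithm 2.4 (extended Euclid, two-variable form)
# written out step by step, then used for the a^-1 needed by the affine cipher.
from math import gcd


def mod_inverse(a, n):
    """Inverse of a modulo n following Algorithm 2.4 exactly.
    Returns None when a has no inverse (gcd(a, n) != 1)."""
    n0, a0 = n, a
    t0, t = 0, 1
    q = n0 // a0
    r = n0 - q * a0
    while r > 0:
        temp = t0 - q * t
        # the algorithm normalises temp into 0..n-1 by hand; both branches are kept
        # to mirror the text even though Python's % would already handle negatives
        if temp >= 0:
            temp = temp % n
        if temp < 0:
            temp = n - ((-temp) % n)
        t0, t = t, temp
        n0, a0 = a0, r
        q = n0 // a0
        r = n0 - q * a0
    if a0 != 1:
        return None  # a has no inverse modulo n
    return t % n


def euler_phi(n):
    """phi(n) by direct counting; n * phi(n) is the size of the affine key space."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def affine_key_space_size(n):
    return n * euler_phi(n)


def affine_encrypt(x, a, b, n):
    """e_k(x) = (ax + b) mod n, applied symbol by symbol."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n (Theorem 2.1), otherwise e_k is not a bijection")
    return [(a * v + b) % n for v in x]


def affine_decrypt(y, a, b, n):
    """d_k(y) = a^-1 (y - b) mod n, with a^-1 from Algorithm 2.4."""
    a_inv = mod_inverse(a, n)
    if a_inv is None:
        raise ValueError("key is not decryptable: a has no inverse modulo n")
    return [(a_inv * (v - b)) % n for v in y]


if __name__ == "__main__":
    print("7^-1 mod 26 =", mod_inverse(7, 26))          # 15, since 7 * 15 = 105 = 4*26 + 1
    print("2^-1 mod 26 =", mod_inverse(2, 26))          # None: gcd(2, 26) = 2
    print("|K| for n = 26:", affine_key_space_size(26))  # 26 * 12 = 312
    msg = [7, 14, 19]                                    # constructed sample: "HOT"
    ct = affine_encrypt(msg, 7, 3, 26)
    print(ct, affine_decrypt(ct, 7, 3, 26))
```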
2.5 The Vigenère cipher

In the substitution cipher, as in its special cases (the shift cipher, the affine cipher, ...), once a key k is chosen each element x ∈ P is mapped to exactly one element y ∈ C. In other words, each key k ∈ K establishes a bijection from P to C.

Unlike this approach, the Vigenère method uses a keyword of length m. The Vigenère cipher can be regarded as m shift ciphers applied in turn, cyclically.

The key space K of the Vigenère cipher has n^m elements, far more than the key space K of the shift cipher. Finding the key k needed to decrypt an encrypted message is therefore harder than for the shift cipher.

Algorithm 2.5. The Vigenère cipher
Choose a positive integer m. Define P = C = K = (Z_n)^m.
For each key k = (k_1, k_2, ..., k_m) ∈ K, define:
e_k(x_1, x_2, ..., x_m) = ((x_1 + k_1) mod n, (x_2 + k_2) mod n, ..., (x_m + k_m) mod n)
d_k(y_1, y_2, ..., y_m) = ((y_1 − k_1) mod n, (y_2 − k_2) mod n, ..., (y_m − k_m) mod n)
with x, y ∈ (Z_n)^m.
2.6 The Hill cipher

The Hill method was published by Lester S. Hill in 1929. For a positive integer m, define P = C = (Z_n)^m. Each element x ∈ P is an m-tuple whose components belong to Z_n. The main idea of the method is to use m linear combinations of the m components of each element x ∈ P to generate the m components that form the element y ∈ C.

Algorithm 2.6. The Hill cipher
Choose a positive integer m. Define P = C = (Z_n)^m, and let K be the set of invertible m × m matrices. For each key
$k = \begin{pmatrix} k_{1,1} & k_{1,2} & \cdots & k_{1,m} \\ k_{2,1} & k_{2,2} & \cdots & k_{2,m} \\ \vdots & \vdots & & \vdots \\ k_{m,1} & k_{m,2} & \cdots & k_{m,m} \end{pmatrix} \in K$,
define e_k(x) = (x_1, x_2, ..., x_m) k, with x = (x_1, x_2, ..., x_m) ∈ P, and d_k(y) = y k^(−1), with y ∈ C.
2.7 The permutation cipher

The encryption methods above all rest on the same idea: replace each character of the source message by another character to form the encrypted message. The main idea of the permutation cipher is to keep the characters of the source message unchanged and only change their positions; in other words, the source message is encrypted by rearranging the characters in it.

Algorithm 2.7. The permutation cipher
Choose a positive integer m. Define P = C = (Z_n)^m, and let K be the set of permutations of the m elements {1, 2, ..., m}. For each key π ∈ K, define:
e_π(x_1, x_2, ..., x_m) = (x_{π(1)}, x_{π(2)}, ..., x_{π(m)}) and d_π(y_1, y_2, ..., y_m) = (y_{π^(−1)(1)}, y_{π^(−1)(2)}, ..., y_{π^(−1)(m)}),
where π^(−1) is the inverse permutation of π.

The permutation cipher is in fact a special case of the Hill cipher. For each permutation π of the set {1, 2, ..., m}, define the matrix k_π = (k_{i,j}) by
k_{i,j} = 1 if i = π(j), and k_{i,j} = 0 otherwise.   (2.4)
The matrix k_π has exactly one entry equal to 1 in each row and each column, and all other entries equal to 0. It can be obtained by permuting the rows or the columns of the identity matrix I_m, so k_π is invertible. Clearly, encrypting with the Hill cipher using the matrix k_π is exactly equivalent to encrypting with the permutation cipher using the permutation π.
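The following added example (my own code, not the book's) implements Algorithm 2.6 with y = x·k over Z_n, computes k^(−1) modulo n through the adjugate and an inverse determinant (my choice of method; the book only requires k to be invertible), and builds the matrix k_π of (2.4) to check that Hill encryption with k_π agrees with Algorithm 2.7. Indices are 0-based in the code, and the sample key and tuples are constructed.

```python
# Added example (not from the book): Hill cipher (y = x k over Z_n) with a modular matrix
# inverse, and the permutation matrix k_pi of (2.4) showing that Hill with k_pi is the
# permutation cipher of Algorithm 2.7.
from math import gcd


def mat_vec_mod(x, k, n):
    """Row vector x times matrix k, every entry reduced modulo n."""
    m = len(k)
    return [sum(x[i] * k[i][j] for i in range(m)) % n for j in range(m)]


def det(mat):
    """Integer determinant by Laplace expansion along the first row."""
    m = len(mat)
    if m == 1:
        return mat[0][0]
    total = 0
    for j in range(m):
        minor = [row[:j] + row[j + 1:] for row in mat[1:]]
        total += (-1) ** j * mat[0][j] * det(minor)
    return total


def mat_inverse_mod(k, n):
    """k^-1 modulo n as det(k)^-1 * adj(k); None if det(k) is not a unit modulo n."""
    m = len(k)
    d = det(k) % n
    if gcd(d, n) != 1:
        return None
    d_inv = pow(d, -1, n)
    inv = [[0] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            # adj(k)[i][j] is the cofactor C[j][i]: drop row j and column i
            minor = [row[:i] + row[i + 1:] for r, row in enumerate(k) if r != j]
            cof = (-1) ** (i + j) * (det(minor) if minor else 1)
            inv[i][j] = (d_inv * cof) % n
    return inv


def hill_encrypt(x, k, n):
    return mat_vec_mod(x, k, n)


def hill_decrypt(y, k, n):
    k_inv = mat_inverse_mod(k, n)
    if k_inv is None:
        raise ValueError("key matrix is not invertible modulo n")
    return mat_vec_mod(y, k_inv, n)


def permutation_matrix(pi):
    """k_{i,j} = 1 if i = pi(j), else 0 (formula 2.4); pi is 0-based here."""
    m = len(pi)
    return [[1 if i == pi[j] else 0 for j in range(m)] for i in range(m)]


def permutation_encrypt(x, pi):
    """Algorithm 2.7: the j-th output symbol is x_{pi(j)}."""
    return [x[pi[j]] for j in range(len(pi))]


if __name__ == "__main__":
    K = [[11, 8], [3, 7]]            # constructed 2x2 key over Z_26 (det = 53 = 1 mod 26)
    ct = hill_encrypt([9, 20], K, 26)   # the pair "JU" -> "DE"
    print(ct, hill_decrypt(ct, K, 26), mat_inverse_mod(K, 26))
    pi = [2, 0, 3, 1]
    x = [1, 2, 3, 4]
    print(permutation_encrypt(x, pi), hill_encrypt(x, permutation_matrix(pi), 26))
```

The last line prints the same tuple twice, which is the equivalence stated above: multiplying by k_π moves x_{π(j)} into position j exactly as e_π does.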
2.8 The multiplicative cipher

2.8.1 The multiplicative cipher

Algorithm 2.8. The multiplicative cipher

The multiplicative cipher is a simple encryption method. The key space K has φ(n) elements in total. However, choosing the key k = 1 ∈ K is meaningless for encrypting information, so the number of elements actually usable in K is φ(n) − 1.

The issue here is that the security of this method depends on the number of elements in the key set K. If the value φ(n) − 1 is not large, the encrypted information can be decrypted by trying all keys k ∈ K. To raise the security of this method, the value n used must have a large φ(n), that is, n itself must be large. This raises a new problem: how to carry out operations on large integers quickly.
2.8.2 Arithmetic processing

In this encryption method, the value of the expression z = (a × b) mod n must be computed in both the encryption and the decryption operation. Computing it in the ordinary way is clearly inefficient because the processing time is too long. Using the "Indian multiplication" algorithm, the value of z = (a × b) mod n can be computed quickly and efficiently.

Algorithm 2.9. Indian multiplication algorithm for computing z = (a × b) mod n
    z = 0
    a = a mod n
    b = b mod n
    Write b in binary as b_{l−1}, b_{l−2}, ..., b_1, b_0, with b_i ∈ {0, 1}, 0 ≤ i < l
    for i = 0 to l − 1
        if b_i = 1 then
            z = (z + a) mod n
        end if
        a = (2a) mod n
    end for
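As an added example (my own code, not the book's), Algorithm 2.9 is transcribed as written, scanning the bits of b from b_0 upward and doubling a modulo n at every step, and a tracing variant records the largest value formed before any reduction. That trace is the point of the algorithm: every intermediate stays below 2n, so the product a × b itself is never formed. The sample operands are constructed.

```python
# Added example (not from the book): Algorithm 2.9, the "Indian multiplication" for
# z = (a * b) mod n, plus a trace showing that intermediates never exceed 2n.


def mul_mod(a, b, n):
    """z = (a * b) mod n by adding a * 2^i for each set bit b_i of b."""
    z = 0
    a %= n
    b %= n
    bits = bin(b)[2:][::-1]  # b_0, b_1, ..., b_{l-1}
    for bi in bits:
        if bi == "1":
            z = (z + a) % n  # add the current power-of-two multiple of a
        a = (2 * a) % n      # a now holds a * 2^(i+1) mod n
    return z


def mul_mod_trace(a, b, n):
    """Same algorithm, also returning the largest value formed before a reduction."""
    z, largest = 0, 0
    a %= n
    b %= n
    for bi in bin(b)[2:][::-1]:
        if bi == "1":
            largest = max(largest, z + a)  # z < n and a < n, so z + a < 2n
            z = (z + a) % n
        largest = max(largest, 2 * a)      # likewise 2a < 2n
        a = (2 * a) % n
    return z, largest


def largest_intermediate(a, b, n):
    return mul_mod_trace(a, b, n)[1]


if __name__ == "__main__":
    print(mul_mod(11, 13, 16))  # the book's Z_16 example: 15
    a, b, n = 123456789, 987654321, 1000000007  # constructed operands
    z, largest = mul_mod_trace(a, b, n)
    print(z, z == (a * b) % n, largest < 2 * n, a * b)
```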
2.9 The Data Encryption Standard (DES)

2.9.1

Around the 1970s, Dr. Horst Feistel laid the first foundations for the DES data encryption standard with the Feistel cipher. In 1976 the US National Security Agency (NSA) recognised DES, which is based on the Feistel method, as the data encryption standard [25]. The original key size of DES was 128 bits, but in the FIPS publication the key size was reduced to 56 bits.

In DES the block size is 64 bits. DES encrypts data through 16 rounds, each round using a 48-bit round key generated from the initial 56-bit key. DES uses 8 constant S-box tables in its operations.

The DES encryption process can be summarised as follows. Represent the source message x ∈ P as a string of 64 bits. The key k has 56 bits. Encryption is carried out in three stages:
1. Form the 64-bit string x_0 by permuting x according to the initial permutation IP. Write x_0 = IP(x) = L_0 R_0, where L_0 consists of the 32 left-hand bits of x_0 and R_0 of the 32 right-hand bits of x_0.

[Figure 2.2. Splitting the 64-bit string x into the two components L and R (x_0 = L_0 R_0).]

2. Perform 16 rounds on the 64 bits obtained and the 56 bits of the key k (only 48 bits of the key k are used in each round). The 64-bit result of each round is the input to the next round. The pairs of 32-bit words L_i, R_i (with 1 ≤ i ≤ 16) are determined by the rule
L_i = R_{i−1}
R_i = L_{i−1} ⊕ f(R_{i−1}, K_i)   (2.5)
where ⊕ denotes the XOR operation on two bit strings and K_1, K_2, ..., K_16 are 48-bit strings generated from the given key K (in practice each key K_i is generated by permuting the bits of the given key K).
3. Apply the inverse permutation IP^(−1) to the bit string R_16 L_16 to obtain the 64-bit result y. Thus y = IP^(−1)(R_16 L_16).
The function f used in step 2 has two parameters: the first parameter A is a 32-bit string and the second parameter J is a 48-bit string. The result of f is a 32-bit string. The steps of f(A, J) are as follows. The first parameter A (32 bits) is expanded into a 48-bit string by the expansion function E. The result E(A) is a 48-bit string generated from A by permutation.

[Figure 2.3. Generating the string L_i R_i from the string L_{i−1} R_{i−1} and the key K_i.]

XOR the two 48-bit strings E(A) and J to obtain a 48-bit string B. Split B into groups of 6 bits as B = B_1 B_2 B_3 B_4 B_5 B_6 B_7 B_8. Use eight matrices S_1, S_2, ..., S_8, each matrix S_i of size 4 × 16 and each row of the matrix taking the 16 values from 0 to 15. For a 6-bit string B_j = b_1 b_2 b_3 b_4 b_5 b_6, S_j(B_j) is defined as the entry in row r and column c of S_j, where the row index r has binary representation b_1 b_6 and the column index c has binary representation b_2 b_3 b_4 b_5. In this way we obtain the 4-bit strings C_j = S_j(B_j), 1 ≤ j ≤ 8.

Concatenating the bit strings C_j gives the 32-bit string C = C_1 C_2 C_3 C_4 C_5 C_6 C_7 C_8. The 32-bit string obtained by permuting C according to a fixed rule P is the result of f(A, J).

Decryption is carried out by performing the operations of the encryption process in reverse order.
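To show why decryption is the encryption steps in reverse order, here is an added example (my own code, not the book's and not DES) of the Feistel structure from steps 1 to 3: a 64-bit block split into L_0 R_0, 16 rounds of rule (2.5), and the output R_16 L_16. The round function and key schedule are constructed toys, IP and IP^(−1) are omitted, and the sample key and blocks are constructed; the property demonstrated, that the same network with the round keys in reverse order undoes encryption, holds for any round function f because the inverse never needs f^(−1).

```python
# Added example (not from the book, not DES): a 16-round Feistel network with a toy
# round function and toy key schedule, showing that decryption is encryption with the
# round keys in reverse order. IP, IP^-1, E, the S-boxes and P of DES are all omitted.
MASK32 = 0xFFFFFFFF
MASK48 = (1 << 48) - 1
MASK56 = (1 << 56) - 1


def toy_round_function(r, k):
    """Constructed 32-bit mixing of (R_{i-1}, K_i); stands in for DES's f(A, J)."""
    v = (r ^ (k & MASK32)) & MASK32
    v = ((v << 7) | (v >> 25)) & MASK32          # rotate left by 7
    return (v * 0x9E3779B1 + (k >> 16)) & MASK32  # odd multiplier keeps this a bijection of v


def toy_round_keys(key56):
    """Constructed schedule: 16 subkeys of 48 bits from a 56-bit key, by rotating the key."""
    keys = []
    k = key56 & MASK56
    for _ in range(16):
        k = ((k << 3) | (k >> 53)) & MASK56
        keys.append(k & MASK48)
    return keys


def feistel_encrypt(x64, round_keys):
    l, r = x64 >> 32, x64 & MASK32                  # step 1 (IP omitted): L0 R0
    for k in round_keys:                            # step 2: rule (2.5), 16 times
        l, r = r, l ^ toy_round_function(r, k)
    return (r << 32) | l                            # step 3 (IP^-1 omitted): R16 L16


def feistel_decrypt(y64, round_keys):
    """Same network, keys K16 ... K1: each round cancels the matching encryption round."""
    return feistel_encrypt(y64, round_keys[::-1])


if __name__ == "__main__":
    keys = toy_round_keys(0x0123456789ABCD)         # constructed 56-bit key
    x = 0x0123456789ABCDEF                          # constructed 64-bit block
    y = feistel_encrypt(x, keys)
    print(hex(y), hex(feistel_decrypt(y, keys)) == hex(x))
```

Why the reversed schedule works: feeding R_16 L_16 back in as L'_0 R'_0 and using K_16 gives R'_1 = R_16 ⊕ f(L_16, K_16) = L_15 ⊕ f(R_15, K_16) ⊕ f(R_15, K_16) = L_15, so each round peels off one encryption round, and the final swap restores L_0 R_0.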
2.9.2 Remarks

Because computing speed keeps increasing, and because DES attracted the attention of scientists and cryptanalysts alike, DES quickly became insecure. In 1997 a project broke a DES key in under 3 days at a cost below 250,000 dollars. And in 1999 a network of 100,000 computers was able to decrypt a DES-encrypted message in under 24 hours.

In the search for new algorithms more secure than DES, Triple DES emerged as a variant of DES. Triple DES runs the DES algorithm three times with 3 different keys and in different orders. The common order is EDE (Encrypt, Decrypt, Encrypt), alternating encryption with decryption (note that the key used in each stage is different).
2.10 The Advanced Encryption Standard (AES)

To find a new conventional encryption method more secure than DES, NIST announced a new encryption standard to replace DES. The algorithm representing the Advanced Encryption Standard (AES) would be a conventional-key encryption algorithm, free to use worldwide. The AES standard included the following requirements [23]:
o A block cipher with 128-bit blocks.
o Key lengths of 128, 192 and 256 bits.
o No weak keys.
o Efficient on the Intel Pentium Pro and on other hardware and software platforms.
o Flexible design (support for flexible key lengths; deployable widely across different platforms and applications).
o Simple design: easy to analyse, evaluate and implement.
o Acceptance of any key length up to 256 bits.
o Encryption in under 500 clock cycles per block on the Intel Pentium, Pentium Pro and Pentium II for an optimised version of the algorithm.
o Ability to set up a 128-bit key (for optimal encryption speed) in less time than is required to encrypt 32-bit blocks on the Pentium, Pentium Pro and Pentium II.
o No operations that degrade its performance on 8-bit, 16-bit, 32-bit and 64-bit microprocessors.
o No elements that degrade its performance in hardware.
o Very low encryption time, under 10/1000 of a second on an 8-bit microprocessor.
o Implementable on an 8-bit microprocessor with 64 bytes of RAM.
After two rounds of selection, five algorithms reached the final round: MARS, RC6, SERPENT, TWOFISH and RIJNDAEL. All of them met the AES requirements and are therefore known collectively as the AES candidate algorithms. The AES candidates are highly secure and cheap to implement. These algorithms are presented in detail in Chapter 3, The Rijndael encryption method, and Chapter 5, The AES candidate algorithms.
Chapter 3 The Rijndael encryption method

Chapter 3 presents in detail the Rijndael encryption method of Vincent Rijmen and Joan Daemen. This is the algorithm officially selected by the US National Institute of Standards and Technology (NIST) as the Advanced Encryption Standard (AES) on 2 October 2000.

3.1 Introduction

With the ever-increasing speed and processing power of today's microprocessors, the Data Encryption Standard (DES) has become insecure for protecting information. The US National Institute of Standards and Technology (NIST) therefore decided to select a new, highly secure encryption standard to serve the communication-security needs of the US government as well as civilian applications. The Rijndael algorithm of Vincent Rijmen and Joan Daemen was officially selected as the Advanced Encryption Standard (AES) on 2 October 2000.

Rijndael is a block cipher whose block size and key size can each be chosen flexibly from the values 128, 192 or 256 bits. The method is suitable for many different systems, from smart cards to personal computers.
3.2 Parameters, notation, terminology and functions

AddRoundKey: Transformation used in encryption and decryption that adds the round key to the current state. The length of the round key equals the size of the state.

SubBytes: Transformation used in encryption that performs a non-linear substitution of each byte of the current state through a substitution table (S-box).

InvSubBytes: Transformation used in decryption. It is the inverse of the SubBytes transformation.

MixColumns: Transformation used in encryption that mixes the information of each column of the current state. Each column is processed independently.

InvMixColumns: Transformation used in decryption. It is the inverse of the MixColumns transformation.

ShiftRows: Transformation used in encryption that cyclically shifts each row of the current state by a different offset.

InvShiftRows: Transformation used in decryption. It is the inverse of the ShiftRows transformation.

Nw: Number of bytes in one data unit, a "word". In the Rijndael algorithm, the 256/384/512-bit extended algorithm and the 512/768/1024-bit extended algorithm, Nw is 4, 8 and 16 respectively.

Cipher key (main key).

Nb: Number of columns (number of 8Nw-bit words) in the state. Nb = 4, 6 or 8. The AES standard restricts Nb to 4.

Nk

Nr: Number of rounds, depending on Nk and Nb according to the formula Nr = max(Nb, Nk) + 6.

RotWord: Function used in the key expansion process that cyclically shifts the Nw component bytes of a word.

SubWord: Function used in the key expansion process. It takes a word (Nw bytes), applies the S-box substitution to each component byte and returns the word of Nw substituted bytes.

⊕: XOR.

⊗: Multiplication of two polynomials (each of degree < Nw) modulo the polynomial x^Nw + 1.
3.3

The unit of information processed in the Rijndael algorithm is the byte. Each byte is regarded as an element of the Galois field GF(2^8) equipped with addition (denoted ⊕) and multiplication (denoted •). A byte can be represented in several ways: in binary ({b7 b6 b5 b4 b3 b2 b1 b0}), in hexadecimal ({h1 h0}), or as a polynomial with binary coefficients $\sum_{i=0}^{7} b_i x^i$.
3.3.1 Addition

Two elements of GF(2^8) are added by "adding" (in fact XORing, denoted ⊕) the coefficients of like powers in the two polynomials corresponding to the two operands. Consequently, addition and subtraction of any two elements of GF(2^8) are exactly the same operation. Writing the elements of GF(2^8) in binary, the sum of {a7 a6 a5 a4 a3 a2 a1 a0} and {b7 b6 b5 b4 b3 b2 b1 b0} is {c7 c6 c5 c4 c3 c2 c1 c0} with c_i = a_i ⊕ b_i, 0 ≤ i ≤ 7.
3.3.2 Multiplication

In the polynomial representation, multiplication in GF(2^8) (denoted •) corresponds to ordinary multiplication of the two polynomials followed by reduction modulo an irreducible polynomial of degree 8. A polynomial is irreducible if and only if it is divisible only by 1 and by itself. In the Rijndael algorithm the irreducible polynomial chosen is
m(x) = x^8 + x^4 + x^3 + x + 1   (3.1)

The result is a polynomial of degree less than 8, so it can be represented as one byte. Multiplication in GF(2^8) cannot be expressed by a simple byte-level operation.

The multiplication defined above is associative, distributive over addition, and has the unit element {01}. For every polynomial b(x) with binary coefficients and degree less than 8 there exists an inverse of b(x), denoted b^(−1)(x) (computed using the extended Euclidean algorithm [45]).

Remark: The set of 256 values from 0 to 255, equipped with the addition (defined as XOR) and the multiplication defined above, forms the finite field GF(2^8).
3.3.2.1
Multiplication by x
Let $b(x) = \sum_{i=0}^{7} b_i x^i$. (3.2)
Then
$x \cdot b(x) = b_7 x^8 + b_6 x^7 + b_5 x^6 + b_4 x^5 + b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x$ (3.3)
1. Case $b_7 = 0$: the product is already of degree less than 8,
$x \cdot b(x) = b_6 x^7 + b_5 x^6 + b_4 x^5 + b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x$
2. Case $b_7 = 1$:
$x \cdot b(x) = (b_7 x^8 + b_6 x^7 + b_5 x^6 + b_4 x^5 + b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x) \bmod m(x) = \big((b_6 x^7 + b_5 x^6 + b_4 x^5 + b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x) + b_7 x^8\big) \bmod m(x)$ (3.5)
Thus multiplication by the polynomial x (that is, by the element {00000010} of GF(2^8)) can be carried out at byte level as a left shift followed by an XOR with the value {1b} when b7 = 1. This operation is denoted xtime(). Multiplication by a power of x is obtained by applying xtime() repeatedly, and the product with an arbitrary value is obtained by adding (⊕) these intermediate results together. The product of two arbitrary elements a, b of GF(2^8) can therefore be computed in two steps:
1. Decompose one of the elements (say a) into a sum of powers of 2.
2. Add up the intermediate products of the other element (b) with each power-of-2 component obtained from a.
Example: {57} • {13} = {fe}, because
{57} • {02} = xtime({57}) = {ae}
{57} • {04} = xtime({ae}) = {47}
{57} • {08} = xtime({47}) = {8e}
{57} • {10} = xtime({8e}) = {07}
Hence:
{57} • {13} = {57} • ({01} ⊕ {02} ⊕ {10}) = {57} ⊕ {ae} ⊕ {07} = {fe}
3.3.3
Consider two polynomials $a(x) = \sum_{i=0}^{3} a_i x^i$ and $b(x) = \sum_{i=0}^{3} b_i x^i$. (3.6)
These two polynomials can be represented as 4-byte words [a0, a1, a2, a3] and [b0, b1, b2, b3]. Polynomial addition is the addition (byte-wise XOR) of the coefficients of corresponding monomials:
$a(x) + b(x) = \sum_{i=0}^{3} (a_i \oplus b_i) x^i$ (3.7)
Multiplication of a(x) by b(x) is carried out in two steps. First the ordinary polynomial product is computed:
$c(x) = a(x) b(x)$ (3.8)
$c(x) = c_6 x^6 + c_5 x^5 + c_4 x^4 + c_3 x^3 + c_2 x^2 + c_1 x + c_0$ (3.9)
with
$c_0 = a_0 \cdot b_0$
$c_1 = a_1 \cdot b_0 \oplus a_0 \cdot b_1$
$c_2 = a_2 \cdot b_0 \oplus a_1 \cdot b_1 \oplus a_0 \cdot b_2$
$c_3 = a_3 \cdot b_0 \oplus a_2 \cdot b_1 \oplus a_1 \cdot b_2 \oplus a_0 \cdot b_3$
$c_4 = a_3 \cdot b_1 \oplus a_2 \cdot b_2 \oplus a_1 \cdot b_3$
$c_5 = a_3 \cdot b_2 \oplus a_2 \cdot b_3$
$c_6 = a_3 \cdot b_3$
Clearly c(x) cannot be represented as a 4-byte word. It can be reduced to a polynomial of degree less than 4 by taking c(x) modulo a polynomial of degree 4. In the Rijndael algorithm the chosen degree-4 polynomial is
$M(x) = x^4 + 1$ (3.10)
Since $x^j \bmod (x^4 + 1) = x^{j \bmod 4}$, the result d(x) = a(x) ⊗ b(x) is given by
$d(x) = d_3 x^3 + d_2 x^2 + d_1 x + d_0$ (3.11)
with
$d_0 = a_0 \cdot b_0 \oplus a_3 \cdot b_1 \oplus a_2 \cdot b_2 \oplus a_1 \cdot b_3$
$d_1 = a_1 \cdot b_0 \oplus a_0 \cdot b_1 \oplus a_3 \cdot b_2 \oplus a_2 \cdot b_3$
$d_2 = a_2 \cdot b_0 \oplus a_1 \cdot b_1 \oplus a_0 \cdot b_2 \oplus a_3 \cdot b_3$
$d_3 = a_3 \cdot b_0 \oplus a_2 \cdot b_1 \oplus a_1 \cdot b_2 \oplus a_0 \cdot b_3$
When the polynomial a(x) is fixed, the product d(x) = a(x) ⊗ b(x) can be written in matrix form:
$$\begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix} = \begin{pmatrix} a_0 & a_3 & a_2 & a_1 \\ a_1 & a_0 & a_3 & a_2 \\ a_2 & a_1 & a_0 & a_3 \\ a_3 & a_2 & a_1 & a_0 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$$ (3.12)
Since x^4 + 1 is not an irreducible polynomial over GF(2^8), multiplication by an arbitrarily chosen fixed polynomial a(x) is not guaranteed to be invertible. The Rijndael method therefore chooses a polynomial a(x) that has an inverse modulo M(x):
a(x) = {03}x^3 + {01}x^2 + {01}x + {02} (3.13)
a^-1(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e} (3.14)
3.3.3.1
Multiplication by x
Multiplication by x corresponds to the matrix multiplication presented above with a0 = a2 = a3 = {00} and a1 = {01}:
$$\begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} 00 & 00 & 00 & 01 \\ 01 & 00 & 00 & 00 \\ 00 & 01 & 00 & 00 \\ 00 & 00 & 01 & 00 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$$ (3.17)
Thus multiplication by x, or by a power of x, corresponds to a cyclic shift of the component bytes within a word.
The Rijndael algorithm also uses the polynomial x^3 (a0 = a1 = a2 = {00} and a3 = {01}) in the RotWord function to rotate the 4 component bytes of the input word: for an input word of 4 bytes [b0, b1, b2, b3], the result is the 4-byte word [b1, b2, b3, b0].
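The following Python code is an added example, not the thesis's own code, that implements the byte-level multiplication of Section 3.3.2.1 through xtime() and the word-level product modulo x^Nw + 1 of Sections 3.3.3 and 3.3.3.1 as one routine; the routine is written for a general word length Nw, so it also covers the 8-byte and 16-byte words of the extended versions in chapter 4. The function names are chosen here (the thesis calls the byte product FFmul), and the sample column is constructed for the demonstration.

```python
# Added example (not from the thesis): GF(2^8) arithmetic of Section 3.3 and
# the word polynomial product modulo x^Nw + 1 used by MixColumns and RotWord.

def xtime(b):
    """Multiply b by x (the element {02}) in GF(2^8): shift left one bit, then
    reduce by m(x) = x^8 + x^4 + x^3 + x + 1 (an XOR with {1b}) when b7 was set."""
    b <<= 1
    if b & 0x100:          # b7 was 1: x^8 = x^4 + x^3 + x + 1 (mod m(x))
        b ^= 0x11b
    return b & 0xff

def gfmul(a, b):
    """Product a . b in GF(2^8) by the two steps of Section 3.3.2.1: split a into
    a sum of powers of 2 and XOR the matching xtime() results of b."""
    result = 0
    while a:
        if a & 1:
            result ^= b    # this power of 2 occurs in a: add b . x^k
        a >>= 1
        b = xtime(b)       # b . x^(k+1) for the next bit of a
    return result

def polymul_mod_xn_plus_1(a, b):
    """Product of two word polynomials a(x), b(x) with coefficients in GF(2^8),
    reduced modulo x^n + 1 where n = len(a) = len(b); index i holds the
    coefficient of x^i.  Because x^j mod (x^n + 1) = x^(j mod n), coefficient
    d_i is the XOR of a_j . b_k over all j + k = i (mod n), which is exactly
    the circulant matrix of (3.12) when n = 4."""
    n = len(a)
    if len(b) != n:
        raise ValueError("operands must have the same word length")
    d = [0] * n
    for j, aj in enumerate(a):
        for k, bk in enumerate(b):
            d[(j + k) % n] ^= gfmul(aj, bk)
    return d

# MixColumns polynomial a(x) = {03}x^3 + {01}x^2 + {01}x + {02}  (3.13) and its
# inverse a^-1(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}  (3.14), lowest degree first.
A_MIX = [0x02, 0x01, 0x01, 0x03]
A_INV_MIX = [0x0e, 0x09, 0x0d, 0x0b]

def mix_column(col):
    """s'(x) = a(x) (x) s(x) on one 4-byte column [s0, s1, s2, s3]."""
    return polymul_mod_xn_plus_1(A_MIX, col)

def inv_mix_column(col):
    """s(x) = a^-1(x) (x) s'(x), the InvMixColumns step on one column."""
    return polymul_mod_xn_plus_1(A_INV_MIX, col)

def mul_by_x_power(word, k):
    """Multiply a word polynomial by x^k modulo x^n + 1: a cyclic byte rotation
    (Section 3.3.3.1); k = n - 1 is the rotation the thesis uses for RotWord."""
    n = len(word)
    xk = [0] * n
    xk[k % n] = 0x01
    return polymul_mod_xn_plus_1(xk, word)

if __name__ == "__main__":
    # The worked example of Section 3.3.2.1: {57} . {13} = {fe}
    print(hex(gfmul(0x57, 0x13)))
    # Constructed sample column (not from the thesis) through MixColumns and back
    col = [0xdb, 0x13, 0x53, 0x45]
    print([hex(v) for v in mix_column(col)], inv_mix_column(mix_column(col)) == col)
    # a(x) . a^-1(x) = {01} modulo x^4 + 1, which is why MixColumns is invertible
    print(polymul_mod_xn_plus_1(A_MIX, A_INV_MIX))
```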
3.4
The Rijndael cipher consists of a sequence of transformations performed one after another, the output of each transformation being the input of the next. The intermediate result between transformations is called the state.
A state can be represented as a matrix of 4 rows and Nb columns, where Nb is the block length divided by 32. The Cipher Key is likewise represented as a matrix of 4 rows and Nk columns, where Nk is the key length divided by 32. In some situations the matrix representing a state or a key can be regarded as a one-dimensional array of 4-byte elements, each element corresponding to one column of the matrix.
$$\begin{pmatrix} a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} & a_{0,4} & a_{0,5} \\ a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} & a_{1,4} & a_{1,5} \\ a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} & a_{2,4} & a_{2,5} \\ a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} & a_{3,4} & a_{3,5} \end{pmatrix} \qquad \begin{pmatrix} k_{0,0} & k_{0,1} & k_{0,2} & k_{0,3} \\ k_{1,0} & k_{1,1} & k_{1,2} & k_{1,3} \\ k_{2,0} & k_{2,1} & k_{2,2} & k_{2,3} \\ k_{3,0} & k_{3,1} & k_{3,2} & k_{3,3} \end{pmatrix}$$
Figure 3.1. Matrix representation of the state (Nb = 6) and of the cipher key (Nk = 4)
3.4.1
Encryption procedure
The Rijndael encryption procedure uses four main transformations:
1. AddRoundKey: adds (⊕) the round key to the current state. The round key has the same length as the state.
2. SubBytes: replaces each byte of the current state non-linearly through a substitution table (S-box).
3. MixColumns: mixes the information of each column of the current state. Each column is processed independently.
4. ShiftRows: cyclically shifts each row of the current state by a different offset.
Each transformation operates on the current state S. The result S' of each transformation becomes the input of the next transformation in the encryption procedure.
First, the whole input block is copied into the state array. After the initial key addition, the state array goes through Nr = 10, 12 or 14 rounds of transformation (depending on the length of the cipher key as well as the length of the block being processed). The first Nr − 1 rounds are regular rounds and are all identical; only the final round differs from the Nr − 1 rounds before it. Finally, the content of the state array is copied into the output array.
1. Perform the initial AddRoundKey before the encryption rounds.
2. Nr − 1 regular encryption rounds, each consisting of four successive transformations: SubBytes, ShiftRows, MixColumns and AddRoundKey.
3. The final encryption round, in which the MixColumns transformation is omitted.
In the algorithm below, the array w[] holds the expanded key table; the arrays in[] and out[] hold the input data and the output of the encryption respectively.
    Cipher(byte in[4 * Nb], byte out[4 * Nb], word w[Nb * (Nr + 1)])
    begin
        byte state[4,Nb]
        state = in
        AddRoundKey(state, w)               // see Section 3.4.6
        for round = 1 to Nr - 1
            SubBytes(state)                 // see Section 3.4.2
            ShiftRows(state)                // see Section 3.4.4
            MixColumns(state)               // see Section 3.4.5
            AddRoundKey(state, w + round * Nb)
        end for
        SubBytes(state)
        ShiftRows(state)
        AddRoundKey(state, w + Nr * Nb)
        out = state
    end
3.4.2
The Rijndael algorithm is built on the SPN architecture and uses 16 S-boxes (of size 8 × 8) for substitution. Throughout the encryption procedure the algorithm uses the same fixed substitution table. The linear transformation consists of 2 steps: a byte permutation and the parallel application of four linear transformations (32-bit) with high diffusion. Figure 3.2 shows one encryption round of the Rijndael method.
In practice, in each encryption round the round key is added (XOR) after the linear transformation. Since a key addition is performed before the first round, the Rijndael algorithm can be regarded as satisfying the SPN structure [29].
3.4.3
The SubBytes transformation is a non-linear byte substitution that acts independently on each byte of the current state. The substitution table (S-box) is invertible, and the substitution of a byte x through the S-box consists of two steps:
1. Determine the multiplicative inverse x^-1 in GF(2^8), with the convention {00}^-1 = {00}.
2. Apply the following affine transformation (over GF(2)) to x^-1 (assuming x^-1 has the binary representation {x7 x6 x5 x4 x3 x2 x1 x0}):
$$\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{pmatrix} \begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$$ (3.18)
or
$y_i = x_i \oplus x_{(i+4) \bmod 8} \oplus x_{(i+5) \bmod 8} \oplus x_{(i+6) \bmod 8} \oplus x_{(i+7) \bmod 8} \oplus c_i$ (3.19)
where $c_i$ is bit i of the value {63}, $0 \le i \le 7$.
Table D.1 shows the S-box substitution table used in the SubBytes transformation, in hexadecimal.
Example: if the value {xy} to be substituted is {53}, the substituted value S-box({xy}) is the entry at row 5, column 3 of Table D.1, so S-box({xy}) = {ed}. The SubBytes transformation in pseudocode:
    SubBytes(byte state[4,Nb])
    begin
        for r = 0 to 3
            for c = 0 to Nb - 1
                state[r,c] = Sbox[state[r,c]]
            end for
        end for
    end
3.4.4
In the ShiftRows transformation, each row of the current state is cyclically shifted by a number of positions.
(3.20)
3.4.5
In the MixColumns transformation, each column of the current state is represented as a polynomial s(x) with coefficients in GF(2^8), and the multiplication
$s'(x) = a(x) \otimes s(x)$ (3.21)
is performed with
a(x) = {03}x^3 + {01}x^2 + {01}x + {02} (3.22)
(3.23)
Figure 3.5. The MixColumns transformation acting on each column of the state
In the program fragment below, the function FFmul(x, y) multiplies the two elements x and y in the field GF(2^8).
    MixColumns(byte state[4,Nb])
    begin
        byte t[4]
        for c = 0 to Nb - 1
            for r = 0 to 3
                t[r] = state[r,c]
            end for
            for r = 0 to 3
                state[r,c] = FFmul(0x02, t[r]) xor FFmul(0x03, t[(r + 1) mod 4]) xor
                             t[(r + 2) mod 4] xor t[(r + 3) mod 4]
            end for
        end for
    end
3.4.6
The AddRoundKey transformation
The Rijndael method consists of a number of successive encryption rounds, each with its own round key (Round Key) of the same size as the data block being processed, derived from the initial Cipher Key. The round key is also represented as a matrix of 4 rows and Nb columns. Each column of the current state is XORed with the corresponding column of the round key of the current round:
$[s'_{0,c}, s'_{1,c}, s'_{2,c}, s'_{3,c}] = [s_{0,c}, s_{1,c}, s_{2,c}, s_{3,c}] \oplus [w_{\mathrm{round} \cdot Nb + c}]$, for $0 \le c < Nb$. (3.24)
3.5
The round keys (RoundKey) are derived from the cipher key. The generation of the round keys has 2 stages:
1. Expand the cipher key into the expanded key table.
2. Select the key for each round from the expanded key table.
3.5.1
The expanded key table is a one-dimensional array of words (4 bytes each), denoted w[Nb*(Nr + 1)]. The function that generates the expanded key table depends on the value Nk, that is, on the length of the cipher key.
The function SubWord(W) substitutes (using the S-box) each component byte of the input 4-byte word and returns the 4-byte word of substituted bytes. The function RotWord(W) cyclically rotates the 4 component bytes (a, b, c, d) of the input word; its result is the 4-byte word (b, c, d, a).
    KeyExpansion(byte key[4 * Nk], word w[Nb * (Nr + 1)], Nk)
    begin
        i = 0
        while (i < Nk)
            w[i] = word[key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]]
            i = i + 1
        end while
        i = Nk
        while (i < Nb * (Nr + 1))
            word temp = w[i - 1]
            if (i mod Nk = 0) then
                temp = SubWord(RotWord(temp)) xor Rcon[i / Nk]
            else if (Nk = 8) and (i mod Nk = 4) then
                temp = SubWord(temp)
            end if
            w[i] = w[i - Nk] xor temp
            i = i + 1
        end while
    end
The round constants are entirely independent of the value Nk and are defined by Rcon[i] = (RC[i], {00}, {00}, {00}), where RC[i] is an element of GF(2^8) satisfying:
RC[1] = 1 ({01})
RC[i] = x ({02}) • RC[i−1] = x^(i−1) (3.25)
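The S-box construction of Section 3.4.3 (field inverse followed by the affine map (3.19)), its inverse from Section 3.6.2, and the KeyExpansion of Section 3.5.1 with the Rcon rule (3.25), as an added Python example that is not the thesis's code. The multiplicative inverse is obtained here from exponent and logarithm tables generated by the element {03}, an implementation choice of this example (the thesis mentions the extended Euclidean algorithm instead); the expansion is for standard 4-byte words with Nb = 4, and the test key is the constructed sample key of FIPS-197 Appendix A.1.

```python
# Added example (not from the thesis): S-box generation (Section 3.4.3), its
# inverse (Section 3.6.2) and KeyExpansion with Rcon (Section 3.5.1).

def xtime(b):
    """b . {02} in GF(2^8), reducing by m(x) = x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11b) & 0xff if b & 0x100 else b

def _build_exp_log():
    """Exponent and logarithm tables of GF(2^8)* with generator {03}
    (implementation choice of this example, used only to find inverses)."""
    exp, log = [0] * 256, [0] * 256
    g = 1
    for i in range(255):
        exp[i] = g
        log[g] = i
        g = xtime(g) ^ g          # g . {03} = g . {02} XOR g
    return exp, log

_EXP, _LOG = _build_exp_log()

def gf_inverse(b):
    """Multiplicative inverse in GF(2^8), with the convention {00}^-1 = {00}."""
    if b == 0:
        return 0
    return _EXP[(255 - _LOG[b]) % 255]

def _affine(v, taps, const):
    """Bit i of the result is the XOR of v's bits (i + t) mod 8 for t in taps,
    plus bit i of const: the row structure of the affine matrices (3.18)/(3.27)."""
    out = 0
    for i in range(8):
        bit = (const >> i) & 1
        for t in taps:
            bit ^= (v >> ((i + t) % 8)) & 1
        out |= bit << i
    return out

def sbox_byte(x):
    """S-box(x): inverse, then y_i = x_i + x_(i+4) + x_(i+5) + x_(i+6) + x_(i+7) + c_i, c = {63} (3.19)."""
    return _affine(gf_inverse(x), (0, 4, 5, 6, 7), 0x63)

def inv_sbox_byte(y):
    """S-box^-1(y): x_i = y_(i+2) + y_(i+5) + y_(i+7) + d_i with d = {05}, then inverse."""
    return gf_inverse(_affine(y, (2, 5, 7), 0x05))

SBOX = [sbox_byte(x) for x in range(256)]
INV_SBOX = [inv_sbox_byte(y) for y in range(256)]

def sub_word(w):
    return [SBOX[b] for b in w]

def rot_word(w):
    return w[1:] + w[:1]             # (a, b, c, d) -> (b, c, d, a)

def rcon_byte(i):
    """RC[i] = x^(i-1) in GF(2^8), RC[1] = {01}  (3.25)."""
    rc = 0x01
    for _ in range(i - 1):
        rc = xtime(rc)
    return rc

def key_expansion(key, nk, nb=4):
    """Expanded key table w[Nb*(Nr+1)] as a list of 4-byte words, Nr = max(Nb, Nk) + 6."""
    if len(key) != 4 * nk:
        raise ValueError("key must be 4*Nk bytes")
    nr = max(nb, nk) + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, nb * (nr + 1)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = sub_word(rot_word(temp))
            temp[0] ^= rcon_byte(i // nk)   # Rcon[i/Nk] = (RC[i/Nk], 00, 00, 00)
        elif nk == 8 and i % nk == 4:
            temp = sub_word(temp)
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return w

def round_key(w, rnd, nb=4):
    """Words w[Nb*rnd] .. w[Nb*(rnd+1) - 1] of the expanded key (Section 3.5.2)."""
    return w[nb * rnd:nb * (rnd + 1)]

if __name__ == "__main__":
    print(hex(SBOX[0x53]))                       # the thesis's example: S-box({53}) = {ed}
    sample_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed sample
    print([bytes(word).hex() for word in round_key(key_expansion(sample_key, 4), 1)])
```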
3.5.2
Determining the round key
The key of round i consists of the words (4 bytes each) with indices from Nb * i to Nb * (i + 1) − 1 of the expanded key table. Thus the key of round i consists of the elements w[Nb * i], w[Nb * i + 1], ..., w[Nb * (i + 1) − 1].
The round keys can be generated without necessarily using the whole array w[Nb * (Nr + 1)]. Where memory is limited, as on smart cards, the round keys can be computed on demand during processing using only max(Nk, Nb) * 4 bytes of memory. The expanded key table is always generated automatically from the cipher key and never needs to be specified directly by the user or the application program. The choice of the cipher key (Cipher Key) is completely free, with no binding condition or restriction.
3.6 Decryption procedure
The decryption procedure consists of the following stages:
1. Perform the initial AddRoundKey before the decryption rounds.
2. Nr − 1 regular decryption rounds, each consisting of four successive transformations: InvShiftRows, InvSubBytes, AddRoundKey and InvMixColumns.
3. The final decryption round, in which InvMixColumns is omitted.
The pseudocode of the decryption procedure is given below:
    InvCipher(byte in[4 * Nb], byte out[4 * Nb], word w[Nb * (Nr + 1)])
    begin
        byte state[4,Nb]
        state = in
        AddRoundKey(state, w + Nr * Nb)     // see Section 3.4.6
        for round = Nr - 1 downto 1
            InvShiftRows(state)             // see Section 3.6.1
            InvSubBytes(state)              // see Section 3.6.2
            AddRoundKey(state, w + round * Nb)
            InvMixColumns(state)            // see Section 3.6.3
        end for
        InvShiftRows(state)
        InvSubBytes(state)
        AddRoundKey(state, w)
        out = state
    end
3.6.1
Figure 3.8. The InvShiftRows transformation acting on each row of the current state
InvShiftRows is the inverse of the ShiftRows transformation. The first row of the state is kept unchanged, while the last three rows are cyclically shifted in the direction opposite to ShiftRows, by the different offsets Nb − shift(r, Nb). The bytes at the end of a row wrap around to the beginning of the row, while the remaining bytes move toward the end of the row.
(3.26)
The shift offset shift(r, Nb) depends on the row index r and the block size Nb, as shown in Table 3.1.
    InvShiftRows(byte state[4,Nb])
    begin
        byte t[Nb]
        for r = 1 to 3
            for c = 0 to Nb - 1
                t[(c + shift[r,Nb]) mod Nb] = state[r,c]
            end for
            for c = 0 to Nb - 1
                state[r,c] = t[c]
            end for
        end for
    end
3.6.2
The inverse of the SubBytes transformation, denoted InvSubBytes, uses the inverse substitution table of the S-box over GF(2^8), denoted S-box^-1. The substitution of a byte y through S-box^-1 consists of the following two steps:
1. Apply the following affine transformation (over GF(2)) to y (with binary representation {y7 y6 y5 y4 y3 y2 y1 y0}):
$$\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix} = \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 \end{pmatrix} \begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} + \begin{pmatrix} 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}$$ (3.27)
or
$x_i = y_{(i+2) \bmod 8} \oplus y_{(i+5) \bmod 8} \oplus y_{(i+7) \bmod 8} \oplus d_i$, where $d_i$ is bit i of the value {05}, $0 \le i \le 7$.
This is clearly the inverse of the affine transformation of step 1 of the S-box.
2. Let x be the element of GF(2^8) with binary representation {x7 x6 x5 x4 x3 x2 x1 x0}. Determine the inverse x^-1 in GF(2^8), with the convention {00}^-1 = {00}.
    InvSubBytes(byte state[4,Nb])
    begin
        for r = 0 to 3
            for c = 0 to Nb - 1
                state[r,c] = InvSbox[state[r,c]]
            end for
        end for
    end
Table D.2 shows the inverse substitution table used in the InvSubBytes transformation.
3.6.3
InvMixColumns is the inverse of the MixColumns transformation. Each column of the current state is regarded as a polynomial s(x) of degree 4 with coefficients in GF(2^8) and is multiplied by the polynomial a^-1(x), the inverse (modulo M(x)) of the polynomial a(x) used in MixColumns:
a^-1(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}
The multiplication
$s'(x) = a^{-1}(x) \otimes s(x)$ (3.29)
can be written in matrix form:
$$\begin{pmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \end{pmatrix} = \begin{pmatrix} 0e & 0b & 0d & 09 \\ 09 & 0e & 0b & 0d \\ 0d & 09 & 0e & 0b \\ 0b & 0d & 09 & 0e \end{pmatrix} \begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix}$$ (3.30)
In the program fragment below, the function FFmul(x, y) multiplies the two elements x and y in the field GF(2^8).
    InvMixColumns(byte block[4,Nb])
    begin
        byte t[4]
        for c = 0 to Nb - 1
            for r = 0 to 3
                t[r] = block[r,c]
            end for
            for r = 0 to 3
                block[r,c] = FFmul(0x0e, t[r]) xor FFmul(0x0b, t[(r + 1) mod 4]) xor
                             FFmul(0x0d, t[(r + 2) mod 4]) xor FFmul(0x09, t[(r + 3) mod 4])
            end for
        end for
    end
3.6.4
Equivalent decryption procedure
Remarks:
1. The InvSubBytes transformation operates on the value of each individual byte of the current state, whereas InvShiftRows only moves bytes without changing their values. Therefore the order of these two transformations in the procedure can be reversed.
2. For any linear transformation A, A(x + k) = A(x) + A(k). Hence
InvMixColumns(state XOR Round Key) = InvMixColumns(state) XOR InvMixColumns(Round Key)
Thus the order of InvMixColumns and AddRoundKey in the decryption procedure can be reversed, provided that every word (4 bytes) of the expanded key table used for decryption is transformed by InvMixColumns. Since the final encryption round does not perform MixColumns, InvMixColumns need not be applied to the round key of the first decryption round or of the final decryption round.
Consequently, Rijndael decryption can be carried out with a sequence of inverse transformations that fully mirrors the encryption procedure.
    EqInvCipher(byte in[4*Nb], byte out[4*Nb], word dw[Nb*(Nr+1)])
    begin
        byte state[4,Nb]
        state = in
        AddRoundKey(state, dw + Nr * Nb)
        for round = Nr - 1 downto 1
            InvSubBytes(state)
            InvShiftRows(state)
            InvMixColumns(state)
            AddRoundKey(state, dw + round * Nb)
        end for
        InvSubBytes(state)
        InvShiftRows(state)
        AddRoundKey(state, dw)
        out = state
    end
In the procedure above, the expanded key table dw is built from the key table w by applying the InvMixColumns transformation to each word (4 bytes) of w, except the first Nb and the last Nb words of w.
    for i = 0 to (Nr + 1) * Nb - 1
        dw[i] = w[i]
    end for
    for rnd = 1 to Nr - 1
        InvMixColumns(dw + rnd * Nb)
    end for
3.7
Implementation issues
Let a be the state at the start of an encryption round, and let b, c, d, e be the states output by the transformations SubBytes, ShiftRows, MixColumns and AddRoundKey respectively in that round. Convention: in a state s (s = a, b, c, d, e), column j is denoted $s_j$ and the element in row i, column j is denoted $s_{i,j}$.
$$\begin{pmatrix} b_{0,j} \\ b_{1,j} \\ b_{2,j} \\ b_{3,j} \end{pmatrix} = \begin{pmatrix} S[a_{0,j}] \\ S[a_{1,j}] \\ S[a_{2,j}] \\ S[a_{3,j}] \end{pmatrix}$$ (3.31)
$$\begin{pmatrix} c_{0,j} \\ c_{1,j} \\ c_{2,j} \\ c_{3,j} \end{pmatrix} = \begin{pmatrix} b_{0,j} \\ b_{1,(j+\mathrm{shift}(1,Nb)) \bmod Nb} \\ b_{2,(j+\mathrm{shift}(2,Nb)) \bmod Nb} \\ b_{3,(j+\mathrm{shift}(3,Nb)) \bmod Nb} \end{pmatrix}$$ (3.32)
$$\begin{pmatrix} d_{0,j} \\ d_{1,j} \\ d_{2,j} \\ d_{3,j} \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} c_{0,j} \\ c_{1,j} \\ c_{2,j} \\ c_{3,j} \end{pmatrix}$$ (3.33)
$$\begin{pmatrix} e_{0,j} \\ e_{1,j} \\ e_{2,j} \\ e_{3,j} \end{pmatrix} = \begin{pmatrix} d_{0,j} \\ d_{1,j} \\ d_{2,j} \\ d_{3,j} \end{pmatrix} \oplus \begin{pmatrix} k_{0,j} \\ k_{1,j} \\ k_{2,j} \\ k_{3,j} \end{pmatrix}$$ (3.34)
Combining the intermediate results of the transformations within the same round, we obtain:
$$\begin{pmatrix} e_{0,j} \\ e_{1,j} \\ e_{2,j} \\ e_{3,j} \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} S[a_{0,j}] \\ S[a_{1,(j+\mathrm{shift}(1,Nb)) \bmod Nb}] \\ S[a_{2,(j+\mathrm{shift}(2,Nb)) \bmod Nb}] \\ S[a_{3,(j+\mathrm{shift}(3,Nb)) \bmod Nb}] \end{pmatrix} \oplus \begin{pmatrix} k_{0,j} \\ k_{1,j} \\ k_{2,j} \\ k_{3,j} \end{pmatrix}$$ (3.35)
Writing $j[r] = (j + \mathrm{shift}(r, Nb)) \bmod Nb$, expression (3.35) can be rewritten as:
$$\begin{pmatrix} e_{0,j} \\ e_{1,j} \\ e_{2,j} \\ e_{3,j} \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} S[a_{0,j[0]}] \\ S[a_{1,j[1]}] \\ S[a_{2,j[2]}] \\ S[a_{3,j[3]}] \end{pmatrix} \oplus \begin{pmatrix} k_{0,j} \\ k_{1,j} \\ k_{2,j} \\ k_{3,j} \end{pmatrix}$$ (3.36)
(3.37)
Define the lookup tables T0, T1, T2, T3 as follows:
$$T_0[a] = \begin{pmatrix} S[a] \cdot 02 \\ S[a] \\ S[a] \\ S[a] \cdot 03 \end{pmatrix}, \quad T_1[a] = \begin{pmatrix} S[a] \cdot 03 \\ S[a] \cdot 02 \\ S[a] \\ S[a] \end{pmatrix}, \quad T_2[a] = \begin{pmatrix} S[a] \\ S[a] \cdot 03 \\ S[a] \cdot 02 \\ S[a] \end{pmatrix}, \quad T_3[a] = \begin{pmatrix} S[a] \\ S[a] \\ S[a] \cdot 03 \\ S[a] \cdot 02 \end{pmatrix}$$ (3.38)
Then the expression can be rewritten as follows:
$e_j = T_0[a_{0,j[0]}] \oplus T_1[a_{1,j[1]}] \oplus T_2[a_{2,j[2]}] \oplus T_3[a_{3,j[3]}] \oplus k_j$ (3.39)
Thus each column $e_j$ of the result state after one encryption round can be computed with four XOR operations on 32-bit integers, using the four lookup tables T0, T1, T2 and T3.
Formula (3.39) applies only to the first Nr − 1 rounds. Since the final round does not perform the MixColumns transformation, 4 separate lookup tables have to be built for it:
$$U_0[a] = \begin{pmatrix} S[a] \\ 0 \\ 0 \\ 0 \end{pmatrix}, \quad U_1[a] = \begin{pmatrix} 0 \\ S[a] \\ 0 \\ 0 \end{pmatrix}, \quad U_2[a] = \begin{pmatrix} 0 \\ 0 \\ S[a] \\ 0 \end{pmatrix}, \quad U_3[a] = \begin{pmatrix} 0 \\ 0 \\ 0 \\ S[a] \end{pmatrix}$$ (3.40)
3.7.1
Remarks
The lookup-table technique improves encryption and decryption speed considerably. It also helps resist cryptanalytic methods based on encryption time, because with lookup tables the time to encrypt any data is the same. Note that this holds for the arithmetic only: on processors with data caches, table lookups whose addresses depend on secret data can still leak timing information, which constant-time implementations avoid. The technique can be used in both the encryption procedure and the corresponding decryption procedure, owing to the correspondence between the steps of the two procedures; one procedure can then serve both encryption and decryption, with different lookup tables. In practice, the lookup tables can be stored in advance or built directly from the S-box substitution table together with the information about the corresponding patterns. On 32-bit processors, the transformations used in the encryption procedure can be optimised by using four lookup tables, each of 256 entries of 4 bytes. For each element a of GF(2^8), put:
$$T_0[a] = \begin{pmatrix} S[a] \cdot 02 \\ S[a] \\ S[a] \\ S[a] \cdot 03 \end{pmatrix}, \quad T_1[a] = \begin{pmatrix} S[a] \cdot 03 \\ S[a] \cdot 02 \\ S[a] \\ S[a] \end{pmatrix}, \quad T_2[a] = \begin{pmatrix} S[a] \\ S[a] \cdot 03 \\ S[a] \cdot 02 \\ S[a] \end{pmatrix}, \quad T_3[a] = \begin{pmatrix} S[a] \\ S[a] \\ S[a] \cdot 03 \\ S[a] \cdot 02 \end{pmatrix}$$ (3.41)
Remark: $T_i[a] = \mathrm{RotWord}(T_{i-1}[a])$ for i = 1, 2, 3. Writing $\mathrm{RotWord}^i$ for the function that applies RotWord i times, we have:
$T_i[a] = \mathrm{RotWord}^i(T_0[a])$ (3.42)
Thus, instead of using 4 kilobytes to store the four tables, only 1 kilobyte is needed to store the first table; the remaining tables can be regenerated when used. Memory constraints are usually not an issue, except in a few cases such as applets or servlets. In those cases, instead of storing the lookup tables, only the code that regenerates them needs to be stored. Formula (3.39) then becomes:
$$e_j = k_j \oplus \bigoplus_{i=0}^{3} T_i[a_{i,j[i]}] = k_j \oplus \bigoplus_{i=0}^{3} \mathrm{RotWord}^i(T_0[a_{i,j[i]}])$$ (3.43)
3.8
Test results for the Rijndael algorithm were recorded on a Pentium 200 MHz (running Microsoft Windows 98), a Pentium II 400 MHz and a Pentium III 733 MHz (running Microsoft Windows 2000 Professional), and a Pentium IV 2.4 GHz (running Microsoft Windows XP Service Pack 2).
3.9
3.9.1
Using different constants in each round limits the possibility of symmetry in the algorithm. The difference between the structures of encryption and decryption limits weak keys such as those of the DES method (see Section 4.5.1). Moreover, weaknesses related to the key usually originate from the dependence of the non-linear operations on the specific value of the key, as in the IDEA method (International Data Encryption Algorithm). In the extended versions, the keys are used only through the XOR operation, and all non-linear operations are fixed in the S-box and do not depend on the specific value of the key (see Section 4.5.4). The non-linearity, together with the diffusion of information in the generation of the expanded key table, makes cryptanalysis based on equivalent keys or related keys infeasible (see Section 4.5.5). In the truncated differential method, the analysis mainly exploits the clustering property of differential trails in some ciphers. For the Rijndael algorithm with more than 6 rounds, no cryptanalytic method more effective than trial and error is known (see Section 4.5.2). The complexity of the S-box expression over GF(2^8), together with the diffusion effect, makes the algorithm immune to analysis by the interpolation method (see Section 4.5.3).
3.9.2
Evaluation
The Rijndael method is suitable for deployment on many different systems, not only on personal computers, typically those using Pentium chips, but also on smart-card systems. On personal computers, the AES algorithm processes data very fast compared with other ciphers. On smart-card systems the method also shows its advantages, thanks not only to its high processing speed but also to its compact program code and low memory use. In addition, all processing steps of encryption and decryption are designed to suit parallel processing, so the Rijndael method also proves its strength on new device systems. Because processing operates on each byte of data, no difference arises when deploying on big-endian or little-endian systems.
Throughout the AES method, the requirements of simplicity in design and flexibility in processing have been set and met. The size of the data block as well as of the cipher key can be varied flexibly from 128 to 256 bits, provided it is a multiple of 32. The number of rounds can be changed according to the specific requirements of each application and system.
However, some limitations remain, most of them related to decryption. The program code as well as the processing time of decryption are somewhat larger than those of encryption, although this time is still significantly faster than that of some other methods. In software implementations, since the encryption and decryption procedures are not identical, the encryption code and its lookup tables cannot be fully reused for decryption. In hardware implementations, decryption reuses only part of the circuits used for encryption, and with a different sequence of use.
With its very high level of security together with its other notable advantages, the Rijndael method will certainly be adopted quickly and widely in many applications on different systems.
In chapter 3 we studied the Rijndael cipher. Chapter 4 presents some extended versions of the Rijndael standard. Some experimental results, together with the analysis and proof of the security of the Rijndael method and of these extended versions, are also presented in chapter 4.
4.1 The need to extend the Rijndael cipher
In the 1970s and 1980s, the DES method was still considered very secure and could not be broken with the technology of the time. Today, however, this method can be broken and is no longer secure enough to protect important information. This is one of the reasons why NIST decided to select a new cipher to replace DES, to serve the information security needs of the United States Government as well as some civil applications. The Rijndael cipher is assessed as having a very high level of security, and exhaustive search is still the most effective way to attack it. With the current capability of computer systems in the world, exhaustive search is infeasible. However, with the ever faster development of information technology, as new generations of computers with ever greater capacity and processing speed appear, the Rijndael algorithm may be broken in the future. Then the important information that has been secured with the Rijndael method will have to be re-encrypted with a new, more secure cipher. Reorganising important data accumulated over many decades is far from simple. This leads to the requirement of extending the algorithm to raise its security, for instance by increasing the key size and the size of the block being processed. The 256/384/512-bit and 512/768/1024-bit extended versions of the Rijndael algorithm presented below were built by us on the same theoretical basis as the original algorithm and can process keys and data blocks many times larger than the original version.
4.2
In the 256/384/512-bit extended version of the Rijndael algorithm, each word consists of Nw = 8 bytes. A state can be represented as a matrix of 8 rows and Nb columns, where Nb is the block length divided by 64. The cipher key is likewise represented as a matrix of 8 rows and Nk columns, where Nk is the key length divided by 64. The matrix representing a state or a key can be regarded as a one-dimensional array of words (Nw bytes), each element corresponding to one column of the matrix.
4.2.1
Encryption procedure
The encryption procedure still uses the 4 main transformations presented in the basic Rijndael cipher:
1. AddRoundKey: adds (⊕) the round key to the current state. The round key has the same length as the state.
2. SubBytes: replaces each byte of the current state non-linearly through a substitution table (S-box).
3. MixColumns: mixes the information of each column of the current state. Each column is processed independently.
4. ShiftRows: cyclically shifts each row of the current state by a different offset.
Each transformation operates on the current state S. The result S' of each transformation becomes the input of the next transformation in the encryption procedure.
First, the whole input block is copied into the state array. After the initial key addition, the state array goes through Nr = 10, 12 or 14 rounds of transformation (depending on the length of the cipher key as well as the length of the block being processed). The first Nr − 1 rounds are regular rounds and are all identical; only the final round differs from the Nr − 1 rounds before it. Finally, the content of the state array is copied into the output array.
Figure 4.1 shows the architecture of one round of the 256/384/512-bit extended Rijndael algorithm with Nb = 4. The extended Rijndael encryption procedure is summarised as follows:
1. Perform the initial AddRoundKey before the encryption rounds.
2. Nr − 1 regular encryption rounds, each consisting of 4 successive transformations: SubBytes, ShiftRows, MixColumns and AddRoundKey.
3. The final encryption round, in which the MixColumns transformation is omitted.
Figure 4.1. Architecture of one round of the 256/384/512-bit extended Rijndael algorithm with Nb = 4
In the algorithm below, the array w[] holds the expanded key table; the arrays in[] and out[] hold the input data and the output of the encryption respectively.
    Cipher(byte in[8 * Nb], byte out[8 * Nb], word w[Nb * (Nr + 1)])
    begin
        byte state[8,Nb]
        state = in
        AddRoundKey(state, w)               // see Section 4.2.1.4
        for round = 1 to Nr - 1
            SubBytes(state)                 // see Section 4.2.1.1
            ShiftRows(state)                // see Section 4.2.1.2
            MixColumns(state)               // see Section 4.2.1.3
            AddRoundKey(state, w + round * Nb)
        end for
        SubBytes(state)
        ShiftRows(state)
        AddRoundKey(state, w + Nr * Nb)
        out = state
    end
4.2.1.1
The SubBytes transformation is a non-linear byte substitution that acts independently on each byte of the current state. The substitution table (S-box) is invertible, and the substitution of a byte x through the S-box consists of two steps:
1. Determine the multiplicative inverse x^-1 in GF(2^8), with the convention {00}^-1 = {00}.
2. Apply the affine transformation (over GF(2)) to x^-1 (assuming x^-1 has the binary representation {x7 x6 x5 x4 x3 x2 x1 x0}):
$y_i = x_i \oplus x_{(i+4) \bmod 8} \oplus x_{(i+5) \bmod 8} \oplus x_{(i+6) \bmod 8} \oplus x_{(i+7) \bmod 8} \oplus c_i$ (4.2)
where $c_i$ is bit i of the value {63}, $0 \le i \le 7$.
Table D.2 shows the inverse substitution table used in the SubBytes transformation.
4.2.1.2 The ShiftRows transformation
In the ShiftRows transformation, each row of the current state is cyclically shifted by a different offset. The byte $S_{r,c}$ at row r, column c is moved to column (c − shift(r, Nb)) mod Nb, that is:
(4.3)
$\mathrm{shift}(r, Nb) = r \bmod Nb$ (4.4)
4.2.1.3
In the MixColumns transformation, each column of the current state is represented as a polynomial s(x) with coefficients in GF(2^8), and the following multiplication is performed:
$s'(x) = a(x) \otimes s(x)$ with $a(x) = \sum_{i=0}^{7} a_i x^i$, $a_i \in GF(2^8)$ (4.5)
$$M_a = \begin{pmatrix} a_0 & a_7 & a_6 & a_5 & a_4 & a_3 & a_2 & a_1 \\ a_1 & a_0 & a_7 & a_6 & a_5 & a_4 & a_3 & a_2 \\ a_2 & a_1 & a_0 & a_7 & a_6 & a_5 & a_4 & a_3 \\ a_3 & a_2 & a_1 & a_0 & a_7 & a_6 & a_5 & a_4 \\ a_4 & a_3 & a_2 & a_1 & a_0 & a_7 & a_6 & a_5 \\ a_5 & a_4 & a_3 & a_2 & a_1 & a_0 & a_7 & a_6 \\ a_6 & a_5 & a_4 & a_3 & a_2 & a_1 & a_0 & a_7 \\ a_7 & a_6 & a_5 & a_4 & a_3 & a_2 & a_1 & a_0 \end{pmatrix}$$ (4.6)
We have:
$$\begin{pmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \\ s'_{4,c} \\ s'_{5,c} \\ s'_{6,c} \\ s'_{7,c} \end{pmatrix} = M_a \begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \\ s_{4,c} \\ s_{5,c} \\ s_{6,c} \\ s_{7,c} \end{pmatrix}, \quad 0 \le c < Nb$$ (4.7)
There are many possible choices of the polynomial a(x) that preserve the efficiency and the security of the algorithm. To guarantee its security properties, the coefficients of this matrix must satisfy the following properties:
1. Invertibility.
2. Linearity over GF(2).
3. Matrix elements (the coefficients) as small as possible.
4. Resistance to attacks on the algorithm (see 4.4, Differential cryptanalysis and linear cryptanalysis).
The program fragment below implements the MixColumns transformation with the polynomial presented in formula (2.6). In this fragment, the function FFmul(x, y) multiplies the two elements x and y in the field GF(2^8).
4.2.1.4
The AddRoundKey transformation
The round key is represented as a matrix of 8 rows and Nb columns. Each column of the current state is XORed with the corresponding column of the round key of the current round:
$[s'_{0,c}, s'_{1,c}, s'_{2,c}, s'_{3,c}, s'_{4,c}, s'_{5,c}, s'_{6,c}, s'_{7,c}] = [s_{0,c}, s_{1,c}, s_{2,c}, s_{3,c}, s_{4,c}, s_{5,c}, s_{6,c}, s_{7,c}] \oplus [w_{\mathrm{round} \cdot Nb + c}]$ for $0 \le c < Nb$, (4.8)
Remark: the inverse of the AddRoundKey transformation is AddRoundKey itself. In the program fragment below, the function xbyte(r, w) returns byte r of the word w.
    AddRoundKey(byte state[8,Nb], word rk[])    // rk = w + round * Nb
    begin
        for c = 0 to Nb - 1
            for r = 0 to 7
                state[r,c] = state[r,c] xor xbyte(r, rk[c])
            end for
        end for
    end
4.2.2
The generation of the round keys consists of two stages:
1. Expand the cipher key into the expanded key table.
2. Select the key for each round from the expanded key table.
4.2.2.1
The expanded key table is a one-dimensional array of words (8 bytes each), denoted w[Nb*(Nr + 1)]. The function that generates the expanded key table depends on the value Nk, that is, on the length of the cipher key.
The function SubWord(W) substitutes (using the S-box) each component byte of a word (8 bytes long). The function RotWord(W) cyclically rotates the 8 component bytes (b0, b1, b2, b3, b4, b5, b6, b7) of the input word; its result is the 8-byte word (b1, b2, b3, b4, b5, b6, b7, b0).
    KeyExpansion(byte key[8 * Nk], word w[Nb * (Nr + 1)], Nk)
    begin
        i = 0
        while (i < Nk)
            w[i] = word[key[8*i], key[8*i+1], key[8*i+2], key[8*i+3],
                        key[8*i+4], key[8*i+5], key[8*i+6], key[8*i+7]]
            i = i + 1
        end while
        i = Nk
        while (i < Nb * (Nr + 1))
            word temp = w[i - 1]
            if (i mod Nk = 0) then
                temp = SubWord(RotWord(temp)) xor Rcon[i / Nk]
            else if ((Nk = 8) and (i mod Nk = 4)) then
                temp = SubWord(temp)
            end if
            w[i] = w[i - Nk] xor temp
            i = i + 1
        end while
    end
4.2.2.2
Determining the round key
The key of round i consists of the words (8 bytes each) with indices from Nb * i to Nb * (i + 1) − 1 of the expanded key table. Thus the key of round i consists of the elements w[Nb * i], w[Nb * i + 1], ..., w[Nb * (i + 1) − 1].
(Figure: the expanded key words w0 w1 w2 w3 | w4 w5 w6 w7 | w8 w9 w10 w11 | ... grouped as round key 0, round key 1, round key 2, ... for Nb = 4.)
4.2.3
The decryption procedure consists of the following stages:
1. Perform the initial AddRoundKey before the decryption rounds.
2. Nr − 1 regular decryption rounds, each consisting of four successive transformations: InvShiftRows, InvSubBytes, AddRoundKey and InvMixColumns.
3. The final decryption round, in which InvMixColumns is omitted.
    InvCipher(byte in[8 * Nb], byte out[8 * Nb], word w[Nb * (Nr + 1)])
    begin
        byte state[8,Nb]
        state = in
        AddRoundKey(state, w + Nr * Nb)
        for round = Nr - 1 downto 1
            InvShiftRows(state)
            InvSubBytes(state)
            AddRoundKey(state, w + round * Nb)
            InvMixColumns(state)
        end for
        InvShiftRows(state)
        InvSubBytes(state)
        AddRoundKey(state, w)
        out = state
    end
4.2.3.1
InvShiftRows is the inverse of the ShiftRows transformation. Each row of the state is cyclically shifted in the direction opposite to ShiftRows, by the different offsets Nb − shift(r, Nb). The bytes at the end of a row wrap around to the beginning of the row, while the remaining bytes move toward the end of the row.
$s'_{r,(c + \mathrm{shift}(r, Nb)) \bmod Nb} = s_{r,c}$ for $0 < r < 8$ and $0 \le c < Nb$ (4.9)
    InvShiftRows(byte state[8,Nb])
    begin
        byte t[Nb]
        for r = 1 to 7
            for c = 0 to Nb - 1
                t[(c + shift[r,Nb]) mod Nb] = state[r,c]
            end for
            for c = 0 to Nb - 1
                state[r,c] = t[c]
            end for
        end for
    end
4.2.3.2
The inverse of the SubBytes transformation, denoted InvSubBytes, uses the inverse substitution table of the S-box over GF(2^8), denoted S-box^-1. The substitution of a byte y through S-box^-1 consists of the following two steps:
1. Apply the following affine transformation (over GF(2)) to y (with binary representation {y7 y6 y5 y4 y3 y2 y1 y0}):
$x_i = y_{(i+2) \bmod 8} \oplus y_{(i+5) \bmod 8} \oplus y_{(i+7) \bmod 8} \oplus d_i$, where $d_i$ is bit i of the value {05}, $0 \le i \le 7$. (4.10)
2. Let x be the element of GF(2^8) with binary representation {x7 x6 x5 x4 x3 x2 x1 x0}. Determine the inverse x^-1 in GF(2^8), with the convention {00}^-1 = {00}.
Table D.2 shows the inverse substitution table used in the InvSubBytes transformation.
    InvSubBytes(byte state[8,Nb])
    begin
        for r = 0 to 7
            for c = 0 to Nb - 1
                state[r,c] = InvSbox[state[r,c]]
            end for
        end for
    end
4.2.3.3
InvMixColumns is the inverse of the MixColumns transformation. Each column of the current state is regarded as a polynomial s(x) of degree 8 with coefficients in GF(2^8) and is multiplied by the polynomial a^-1(x), the inverse (modulo $M(x) = x^8 + 1$) of the polynomial a(x) used in MixColumns.
With
a(x) = {05}x^7 + {03}x^6 + {05}x^5 + {04}x^4 + {03}x^3 + {02}x^2 + {02}x + {01} (4.11)
we have
a^-1(x) = {b3}x^7 + {39}x^6 + {9a}x^5 + {a1}x^4 + {db}x^3 + {54}x^2 + {46}x + {2a} (4.12)
$$\begin{pmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \\ s'_{4,c} \\ s'_{5,c} \\ s'_{6,c} \\ s'_{7,c} \end{pmatrix} = M_{a^{-1}} \begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \\ s_{4,c} \\ s_{5,c} \\ s_{6,c} \\ s_{7,c} \end{pmatrix}, \quad 0 \le c \le Nb - 1$$ (4.13)
The following program fragment implements the InvMixColumns transformation with the polynomial a^-1(x) of formula (4.12).
    InvMixColumns(byte block[8,Nb])
    begin
        byte t[8]
        for c = 0 to Nb - 1
            for r = 0 to 7
                t[r] = block[r,c]
            end for
            for r = 0 to 7
                block[r,c] = FFmul(0x2a, t[r]) xor FFmul(0xb3, t[(r + 1) mod 8]) xor
                             FFmul(0x39, t[(r + 2) mod 8]) xor FFmul(0x9a, t[(r + 3) mod 8]) xor
                             FFmul(0xa1, t[(r + 4) mod 8]) xor FFmul(0xdb, t[(r + 5) mod 8]) xor
                             FFmul(0x54, t[(r + 6) mod 8]) xor FFmul(0x46, t[(r + 7) mod 8])
            end for
        end for
    end
4.2.4 The equivalent decryption process

The Rijndael decryption process can also be carried out with a sequence of inverse transformations that matches the encryption process exactly (see the proof in section 3.6.4, The equivalent decryption process).

EqInvCipher(byte in[8 * Nb], byte out[8 * Nb], word dw[Nb * (Nr + 1)])
begin
    byte state[8, Nb]
    state = in
    AddRoundKey(state, dw + Nr * Nb)
    for round = Nr - 1 downto 1
        InvSubBytes(state)
        InvShiftRows(state)
        InvMixColumns(state)
        AddRoundKey(state, dw + round * Nb)
    end for
    InvSubBytes(state)
    InvShiftRows(state)
    AddRoundKey(state, dw)
    out = state
end

The expanded key table dw is built from the key table w by applying the InvMixColumns transformation to each word (8 bytes) of w, except for the first Nb words and the last Nb words of w.

for i = 0 to (Nr + 1) * Nb - 1
    dw[i] = w[i]
end for
for rnd = 1 to Nr - 1
    InvMixColumns(dw + rnd * Nb)      // the Nb words of round key rnd, treated as the columns of a state
end for
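The inverse transformations of 4.2.3 (InvShiftRows, InvMixColumns with the polynomials of (4.11) and (4.12)) and the construction of dw in 4.2.4 can be exercised with the following Python code. It is an added example, not code from the thesis: it multiplies columns of the 8-row state by a(x) and a^-1(x) modulo x^8 + 1, checks that the two polynomials are inverses, inverts ShiftRows as in (4.9), and verifies that InvMixColumns is linear over XOR, which is exactly what allows the round keys to be transformed into dw before decryption. Assumptions: GF(2^8) arithmetic uses the Rijndael reduction polynomial x^8 + x^4 + x^3 + x + 1; the row offsets shift(r, Nb) are defined elsewhere in the thesis, so a constructed offset table SHIFT_DEMO stands in for them; the sample state is constructed.

```python
# Added example (not code from the thesis). Assumption: GF(2^8) is built on the
# Rijndael polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return p

def poly_mul_mod_xn1(a, b):
    """Product of two coefficient lists (index = degree) modulo x^n + 1,
    with coefficient arithmetic in GF(2^8)."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] ^= gf_mul(ai, bj)
    return c

# Coefficients of a(x) from (4.11) and a^-1(x) from (4.12), lowest degree first.
A_EXT = [0x01, 0x02, 0x02, 0x03, 0x04, 0x05, 0x03, 0x05]
A_EXT_INV = [0x2a, 0x46, 0x54, 0xdb, 0xa1, 0x9a, 0x39, 0xb3]

def mix_columns(state, coeffs):
    """Multiply every column of an 8-row state (list of rows) by coeffs(x)
    modulo x^8 + 1: MixColumns with A_EXT, InvMixColumns with A_EXT_INV."""
    nb = len(state[0])
    out = [[0] * nb for _ in range(8)]
    for c in range(nb):
        col = poly_mul_mod_xn1(coeffs, [state[r][c] for r in range(8)])
        for r in range(8):
            out[r][c] = col[r]
    return out

def inv_mix_columns(state):
    return mix_columns(state, A_EXT_INV)

def shift_rows(state, shift):
    """ShiftRows: row r is rotated left by shift[r] positions."""
    return [row[shift[r] % len(row):] + row[:shift[r] % len(row)]
            for r, row in enumerate(state)]

def inv_shift_rows(state, shift):
    """InvShiftRows as in (4.9): s'[r][(c + shift[r]) mod Nb] = s[r][c]."""
    nb = len(state[0])
    out = []
    for r, row in enumerate(state):
        t = [0] * nb
        for c in range(nb):
            t[(c + shift[r]) % nb] = row[c]
        out.append(t)
    return out

def xor_states(x, y):
    return [[a ^ b for a, b in zip(rx, ry)] for rx, ry in zip(x, y)]

# Constructed row offsets for Nb = 4 (the thesis defines shift(r, Nb) elsewhere).
SHIFT_DEMO = [0, 1, 2, 3, 0, 1, 2, 3]

def sample_state(nb=4):
    """Constructed 8 x Nb state with distinct bytes in every row."""
    return [[(37 * r + 11 * c + 5) & 0xff for c in range(nb)] for r in range(8)]

def dw_linearity_holds(state, round_key):
    """InvMixColumns(state xor k) == InvMixColumns(state) xor InvMixColumns(k):
    the property that lets EqInvCipher use dw = InvMixColumns(w)."""
    lhs = inv_mix_columns(xor_states(state, round_key))
    rhs = xor_states(inv_mix_columns(state), inv_mix_columns(round_key))
    return lhs == rhs

if __name__ == "__main__":
    print("a(x) * a^-1(x) mod x^8+1 =", poly_mul_mod_xn1(A_EXT, A_EXT_INV))
    s = sample_state()
    print("round trip ok:", mix_columns(mix_columns(s, A_EXT), A_EXT_INV) == s)
```

The product check returns the coefficient list of {01}, confirming that (4.12) is the inverse of (4.11) in GF(2^8)[x]/(x^8 + 1); the linearity check is the whole justification for pre-applying InvMixColumns to the round keys in dw.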
4.3 The extended 512/768/1024-bit algorithm

The extended 512/768/1024-bit algorithm based on the Rijndael method is constructed in the same way as the extended 256/384/512-bit algorithm. In the 512/768/1024-bit algorithm each word has size Nw = 16 bytes. The polynomial chosen for the MixColumns operation has degree 15 and must have Branch Number 17. As an illustration, the following polynomial can be chosen:

$$a(x) = \{07\}x^{15} + \{09\}x^{14} + \{04\}x^{13} + \{09\}x^{12} + \{08\}x^{11} + \{03\}x^{10} + \{02\}x^{9} + \{08\}x^{8} + \{06\}x^{7} + \{04\}x^{6} + \{04\}x^{5} + \{01\}x^{4} + \{08\}x^{3} + \{03\}x^{2} + \{06\}x + \{05\} \qquad (4.14)$$

and the corresponding inverse polynomial a^-1(x) is

$$a^{-1}(x) = \{1e\}x^{15} + \{bc\}x^{14} + \{55\}x^{13} + \{8d\}x^{12} + \{1a\}x^{11} + \{37\}x^{10} + \{97\}x^{9} + \{10\}x^{8} + \{f0\}x^{7} + \{d5\}x^{6} + \{01\}x^{5} + \{ad\}x^{4} + \{59\}x^{3} + \{82\}x^{2} + \{59\}x + \{3a\} \qquad (4.15)$$
4.4 Differential cryptanalysis and linear cryptanalysis

4.4.1 Differential cryptanalysis

The differential cryptanalysis method was presented by Eli Biham and Adi Shamir in [3].

The differential method can only be applied if it is possible to predict the propagation of differences in the input patterns through most of the transformation rounds with a propagation ratio (prop ratio [10]) significantly larger than $2^{1-n}$, where n is the block length in bits.

Therefore, a necessary condition for a cipher to be secure is that there exist no differential trail propagating through most of the rounds with a propagation ratio significantly larger than $2^{1-n}$.

For the Rijndael method, the authors proved that there is no differential trail propagating through four rounds with a propagation ratio larger than $2^{-30(Nb+1)}$ [8], with Nb = n/Nw = n/32. Consequently, no differential trail through eight rounds has a propagation ratio larger than $2^{-60(Nb+1)}$. This ensures the security of the Rijndael algorithm.

The proof presented in 4.4.5, Weights of differential trails and linear trails, gives the following conclusions. For the extended 256/384/512-bit algorithm, there is no differential trail propagating through four rounds with a propagation ratio larger than $2^{-54(Nb+1)}$, with Nb = n/Nw = n/64; consequently no differential trail through eight rounds has a propagation ratio larger than $2^{-108(Nb+1)}$. For the extended 512/768/1024-bit algorithm, there is no differential trail propagating through four rounds with a propagation ratio larger than $2^{-102(Nb+1)}$, with Nb = n/Nw = n/128; consequently no differential trail through eight rounds has a propagation ratio larger than $2^{-204(Nb+1)}$.

These conclusions ensure the security of the extended 256/384/512-bit and 512/768/1024-bit algorithms against differential cryptanalysis.
4.4.2 Linear cryptanalysis

The linear cryptanalysis method was presented by Mitsuru Matsui in [32].

The linear method can only be applied if the correlation between the output and the input of the algorithm over most of the rounds is very large compared with $2^{-n/2}$.

Therefore, a necessary condition for a cipher to be secure is that there exist no linear trail (linear trail [10]) propagating through most of the rounds with a correlation significantly larger than $2^{-n/2}$.

For the Rijndael method, the authors proved that there is no linear trail propagating through four rounds with a correlation larger than $2^{-15(Nb+1)}$ [8]. Consequently, no linear trail through eight rounds has a correlation larger than $2^{-39(Nb+1)}$. This ensures the security of the Rijndael algorithm.

The proof presented in 4.4.4, Pattern propagation, gives the following conclusions. For the extended 256/384/512-bit algorithm, there is no linear trail propagating through four rounds with a correlation larger than $2^{-27(Nb+1)}$; consequently no linear trail through eight rounds has a correlation larger than $2^{-54(Nb+1)}$. For the extended 512/768/1024-bit algorithm, there is no linear trail propagating through four rounds with a correlation larger than $2^{-51(Nb+1)}$; consequently no linear trail through eight rounds has a correlation larger than $2^{-102(Nb+1)}$.

These conclusions ensure the security of the extended 256/384/512-bit and 512/768/1024-bit algorithms against linear cryptanalysis.
4.4.3 Branch Number

Consider a linear transformation F on vectors of bytes. A nonzero byte is called an active byte. The byte weight of a vector a, denoted W(a), is the number of active bytes in the vector.

Definition 4.1: The Branch Number B of a linear transformation F is a measure of the diffusion power of F, defined as follows:

$$B(F) = \min_{a \neq 0} \bigl(W(a) + W(F(a))\bigr) \qquad (4.16)$$

Remark: the larger the Branch Number, the stronger the diffusion of F, and the more secure the SPN system becomes.

In the MixColumns transformation, if the initial state has one active byte then the resulting state after applying MixColumns has at most Nw active bytes. Hence:

$$B(\mathrm{MixColumns}) \le Nw + 1 \qquad (4.17)$$

Thus, to reach the highest level of diffusion, the MixColumns transformation must be chosen so that its Branch Number attains the maximum value Nw + 1. In other words, the Branch Number of MixColumns in the Rijndael algorithm, the extended 256/384/512-bit algorithm and the extended 512/768/1024-bit algorithm must be 5, 9 and 17 respectively. In that case, any linear relation between bits of the input and output states of MixColumns involves Nw + 1 different bytes of the same column.
4.4.4 Pattern propagation

In the differential method, the number of active S-boxes is determined by the number of nonzero bytes in the input state of a round. A difference activity pattern is the pattern that marks the positions of the nonzero bytes in the state; its byte weight is the number of nonzero bytes in the pattern.

In the linear method, the number of active S-boxes is determined by the number of nonzero bytes in the selection vectors at the start of a round [10]. A correlation activity pattern is the pattern that marks the positions of the nonzero bytes in the state; its byte weight is the number of nonzero bytes in the pattern.

A column of the state with at least one active byte is called an active column. The column weight of a state a, denoted Wc(a), is the number of active columns in the pattern. The byte weight of column j of state a, denoted W(a)_j, is the number of active bytes in that column.

The weight of a trail through several rounds is the sum of the weights of the input activity patterns of all the rounds it covers.

Figure 4.3 illustrates how activity patterns (both difference patterns and correlation patterns) propagate through each transformation in the encryption rounds of the extended 256/384/512-bit Rijndael algorithm with Nb = 6.

[Figure 4.3: propagation of an activity pattern through SubBytes, ShiftRows, MixColumns and AddRoundKey]

Figure 4.3. Propagation of activity patterns through each transformation in the extended 256/384/512-bit Rijndael algorithm with Nb = 6

Each component transformation of the Rijndael cipher affects activity patterns and weights differently:

1. SubBytes and AddRoundKey change neither the activity pattern nor the column weight and byte weight of the pattern.
2. ShiftRows changes the activity pattern and the column weight. Because ShiftRows acts on each byte of the state independently, with no interaction between the bytes of the state, it does not change the byte weight.
3. MixColumns changes the activity pattern and the byte weight. Because MixColumns acts on each column of the state independently, with no interaction between the columns of the state, it does not change the column weight.

Table 4.1 summarises the effect of the transformations on activity patterns.

Table 4.1. Effect of the transformations on activity patterns

No.  Transformation  Activity pattern  Column weight  Byte weight
1    SubBytes        No                No             No
2    ShiftRows       Yes               Yes            No
3    MixColumns      Yes               No             Yes
4    AddRoundKey     No                No             No

Thus SubBytes and AddRoundKey do not affect the propagation of activity patterns in a trail, so these transformations can be ignored when examining the differential and linear trails below. In the MixColumns transformation, for every active column in the input pattern (or the output pattern) of a round, the sum of the byte weights of that column in the input and output patterns is bounded below by the Branch Number. Because ShiftRows moves all the bytes of one column of the pattern to different columns, it has the following special properties:

1. The column weight of the output pattern is bounded below by the maximum byte weight over the columns of the input pattern.
2. The column weight of the input pattern is bounded below by the maximum byte weight over the columns of the output pattern.
In what follows, the input activity pattern of a round is denoted $a_{i-1}$ and the activity pattern obtained after the ShiftRows transformation is denoted $b_{i-1}$; the rounds are numbered from 1 upwards, so $a_0$ is the input activity pattern of the first round. It is easy to see that the patterns $a_i$ and $b_i$ have the same byte weight, and that the patterns $b_{j-1}$ and $a_j$ have the same column weight. The weight of a trail through m rounds is the sum of the weights of the patterns $a_0, a_1, \ldots, a_{m-1}$. In the figures below, active columns are shaded grey and active bytes are shaded black. Figure 4.4 illustrates pattern propagation through one round of the 256/384/512-bit Rijndael algorithm.

[Figure 4.4: one round, $a_i \to$ ShiftRows $\to b_i \to$ MixColumns $\to a_{i+1}$, with $W(b_i) = W(a_i)$, $W_c(a_{i+1}) = W_c(b_i)$ and $W(b_i)_j + W(a_{i+1})_j \ge B$ for every active column j]
Theorem 4.1: The weight of a trail through two rounds whose input pattern to round 2 has Q active columns is bounded below by B·Q, where B is the Branch Number of the MixColumns transformation.

$$W_c(a_1) = Q \;\Rightarrow\; W(a_0) + W(a_1) \ge B \cdot Q, \quad B = \mathrm{BranchNumber}(\mathrm{MixColumns}) \qquad (4.18)$$

Proof: Let B be the Branch Number of MixColumns. The sum of the byte weights of each corresponding active column in the patterns $b_0$ and $a_1$ is bounded below by B. If the column weight of $a_1$ is Q, then the sum of the byte weights of $b_0$ and $a_1$ is bounded below by B·Q. Since $a_0$ and $b_0$ have the same byte weight, the sum of the byte weights of $a_0$ and $a_1$ is bounded below by B·Q.

Thus any trail through two rounds has at least B·Q active elements.

[Figure 4.5: $a_0 \to$ ShiftRows $\to b_0 \to$ MixColumns $\to a_1$, with $W(b_0) = W(a_0)$]
Theorem 4.2: For every trail through two rounds, the total number of active columns in the input pattern and the output pattern is at least Nb + 1, where Nb is the number of columns in the state.

$$W_c(a_0) + W_c(a_2) \ge Nb + 1 \qquad (4.19)$$

Proof: In any trail there is at least one active column in the pattern $a_1$ (or $b_0$). Call this active column g. Let B be the Branch Number of MixColumns. The sum of the byte weights of column g in the patterns $b_0$ and $a_1$ is bounded below by B:

$$W(b_0)_g + W(a_1)_g \ge B \qquad (4.20)$$

The ShiftRows transformation moves all the bytes of any column of $a_i$ to different columns of $b_i$, and conversely each column of $b_i$ contains bytes from different columns of $a_i$. The column weight (the number of active columns) of $a_i$ is therefore bounded below by the byte weight of every column of $b_i$, and the column weight of $b_i$ is bounded below by the byte weight of every column of $a_i$. Of course the column weights of $a_i$ and $b_i$ are both bounded above by the number of columns Nb of the state:

$$W_c(a_i) \ge \min\bigl(Nb,\ \max_j W(b_i)_j\bigr) \qquad (4.21)$$

$$W_c(b_i) \ge \min\bigl(Nb,\ \max_j W(a_i)_j\bigr) \qquad (4.22)$$
1.
2. Case 2: If $W(b_0)_g < Nb$ and $W(a_1)_g < Nb$, then

$$W_c(a_0) + W_c(b_1) \ge W(b_0)_g + W(a_1)_g \ge B \qquad (4.26)$$

Since Nb takes only one of the three values 4, 6 or 8 and B takes only one of the three values 5, 9 or 17 (for the original algorithm, the extended 256/384/512-bit algorithm and the extended 512/768/1024-bit algorithm respectively), we have:

$$W_c(a_0) + W_c(b_1) \ge B \ge Nb + 1 \qquad (4.27)$$

Since $a_2$ and $b_1$ have the same column weight, it follows that

$$W_c(a_0) + W_c(a_2) \ge Nb + 1 \qquad (4.28)$$

Figure 4.6 illustrates Theorem 4.2 for the extended 256/384/512-bit algorithm.

[Figure 4.6: $a_0 \to$ ShiftRows $\to b_0 \to$ MixColumns $\to a_1 \to$ ShiftRows $\to b_1 \to$ MixColumns $\to a_2$, with $W(a_1)_j + W(b_0)_j \ge B$ and $W_c(a_2) = W_c(b_1)$]
Theorem 4.3: Every trail through 4 rounds has at least B(Nb + 1) active bytes, where B is the Branch Number of the MixColumns transformation.

Proof: Applying Theorem 4.1 to the first two rounds (rounds 1 and 2) and to the last two rounds (rounds 3 and 4) gives:

$$W(a_0) + W(a_1) \ge B\,W_c(a_1), \qquad W(a_2) + W(a_3) \ge B\,W_c(a_3) \qquad (4.29)$$

$$\sum_{i=0}^{3} W(a_i) \ge B\bigl(W_c(a_1) + W_c(a_3)\bigr) \qquad (4.30)$$

Applying Theorem 4.2 to rounds 2 and 3 gives $W_c(a_1) + W_c(a_3) \ge Nb + 1$. Therefore the byte weight of a trail through four rounds is bounded below by B(Nb + 1); that is, a trail through four rounds has at least B(Nb + 1) active bytes. Figure 4.7 illustrates Theorem 4.3 for the extended 256/384/512-bit algorithm.

[Figure 4.7: the patterns $a_0, a_1, a_2, a_3$ over four rounds, with $W_c(a_1) + W_c(a_3) \ge Nb + 1$]

Figure 4.7. Illustration of Theorem 4.3 (extended 256/384/512-bit algorithm)

4.4.5 Weights of differential trails and linear trails
In [10], J. Daemen proves that:

1. the propagation ratio of a differential trail can be approximated by the product of the propagation ratios of its active S-boxes;
2. the correlation of a linear trail can be approximated by the product of the input-output correlations of its active S-boxes.

In the Rijndael design strategy, the S-box is chosen so that its maximum propagation ratio and its maximum correlation are as small as possible. The chosen S-box substitution table has maximum propagation ratio $2^{-6}$ and maximum correlation $2^{-3}$.

Moreover, the number of active S-boxes in a differential or linear trail through four encryption rounds of the original algorithm, the 256/384/512-bit version and the 512/768/1024-bit version is at least 5(Nb+1), 9(Nb+1) and 17(Nb+1) respectively, where Nb is the number of columns in a state (the proof is given in 4.4.4, Pattern propagation). Therefore we can conclude that:

1. Every differential trail through four rounds of the Rijndael algorithm has propagation ratio at most $2^{-30(Nb+1)}$.
2. Every differential trail through four rounds of the extended 256/384/512-bit algorithm has propagation ratio at most $2^{-54(Nb+1)}$.
3. Every differential trail through four rounds of the extended 512/768/1024-bit algorithm has propagation ratio at most $2^{-102(Nb+1)}$.
4. Every linear trail through four rounds of the original Rijndael algorithm has correlation at most $2^{-15(Nb+1)}$.
5. Every linear trail through four rounds of the extended 256/384/512-bit algorithm has correlation at most $2^{-27(Nb+1)}$.
6. Every linear trail through four rounds of the extended 512/768/1024-bit algorithm has correlation at most $2^{-51(Nb+1)}$.
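Definition 4.1 in 4.4.3 and the trail bounds just listed can be checked mechanically. The following Python code is an added example, not part of the thesis: it computes the exact Branch Number of a MixColumns matrix over GF(2^8) (a square submatrix test settles the MDS case B = n + 1, and the general case enumerates input and output support sets), reproduces the single-active-byte argument behind (4.17), and turns a Branch Number into the four-round counts and exponents of 4.4.5. Assumptions: GF(2^8) uses the Rijndael polynomial 0x11b; the 8-byte MixColumns matrix is the circulant matrix of the polynomial a(x) of (4.11); the per-S-box bounds $2^{-6}$ and $2^{-3}$ are the ones quoted above; the AES 4-byte matrix is included as a known MDS reference.

```python
# Added example (not code from the thesis). Assumptions: GF(2^8) with the
# Rijndael polynomial 0x11b; MixColumns matrices are circulant matrices of
# the thesis's polynomials; S-box bounds 2^-6 and 2^-3 as quoted in 4.4.5.
from itertools import combinations

def gf_mul(a, b):
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return p

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8) for a != 0, by repeated squaring."""
    r, base = 1, a
    for _ in range(7):
        base = gf_mul(base, base)
        r = gf_mul(r, base)
    return r

def circulant(coeffs):
    """Matrix M with M[r][k] = a_{(r-k) mod n}, so that M.s = a(x) (x) s(x)."""
    n = len(coeffs)
    return [[coeffs[(r - k) % n] for k in range(n)] for r in range(n)]

def apply(m, s):
    """Matrix-vector product over GF(2^8)."""
    out = []
    for row in m:
        acc = 0
        for coef, byte in zip(row, s):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out

def rank(m):
    """Rank over GF(2^8) by Gaussian elimination; m may be non-square."""
    m = [row[:] for row in m]
    rows, cols, r = len(m), len(m[0]), 0
    for c in range(cols):
        pivot = next((i for i in range(r, rows) if m[i][c]), None)
        if pivot is None:
            continue
        m[r], m[pivot] = m[pivot], m[r]
        inv = gf_inv(m[r][c])
        for i in range(r + 1, rows):
            if m[i][c]:
                f = gf_mul(m[i][c], inv)
                m[i] = [x ^ gf_mul(f, y) for x, y in zip(m[i], m[r])]
        r += 1
        if r == rows:
            break
    return r

def is_mds(m):
    """B(F) = n + 1 iff every square submatrix of M is non-singular."""
    n = len(m)
    return all(rank([[m[i][k] for k in cols] for i in rows]) == len(rows)
               for size in range(1, n + 1)
               for rows in combinations(range(n), size)
               for cols in combinations(range(n), size))

def branch_number(m):
    """Exact B(F) of Definition 4.1 for s -> M.s. A nonzero input supported on
    the index set I maps to zeros on the output set J iff M[J, I] has rank
    below |I|, which yields a pair of weight at most |I| + n - |J|."""
    n = len(m)
    if is_mds(m):
        return n + 1
    best = n + 1
    for k in range(1, n + 1):
        for inputs in combinations(range(n), k):
            for size in range(k, n + 1):
                for zeros in combinations(range(n), size):
                    if rank([[m[j][i] for i in inputs] for j in zeros]) < k:
                        best = min(best, k + n - size)
    return best

def weights_of_single_active_byte(m, position, value=0x01):
    """(W(a), W(F(a))) for an input with exactly one active byte, the
    situation behind the bound (4.17)."""
    s = [0] * len(m)
    s[position] = value
    return 1, sum(1 for x in apply(m, s) if x)

def four_round_bounds(b, nb):
    """Active S-boxes over four rounds (Theorem 4.3) and the resulting 4.4.5
    bounds as base-2 exponents: prop ratio <= 2^diff, correlation <= 2^lin."""
    active = b * (nb + 1)
    return {"active_sboxes": active, "diff_exponent": -6 * active,
            "lin_exponent": -3 * active}

AES_MIX = circulant([0x02, 0x01, 0x01, 0x03])   # AES a(x) = 03x^3 + x^2 + x + 02
EXT_MIX = circulant([0x01, 0x02, 0x02, 0x03, 0x04, 0x05, 0x03, 0x05])  # (4.11)

if __name__ == "__main__":
    print("B(AES MixColumns) =", branch_number(AES_MIX))
    # The thesis states B = 9 for the 8-byte MixColumns; is_mds checks that claim.
    print("8-byte MixColumns is MDS:", is_mds(EXT_MIX))
    print(four_round_bounds(9, 4))
```

The MDS test on the 8-byte matrix enumerates 12869 square submatrices and takes a few seconds in pure Python; it is what stands behind the requirement "Branch Number 9" stated in 4.4.3, and the exponents returned by four_round_bounds are the ones listed in items 1 to 6 above.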
4.5 Security against other attack methods

4.5.1 Symmetry and the weak keys of DES

… symmetry in the algorithm. The difference between the structures of encryption and decryption rules out weak keys such as those of the DES method. The non-linearity of the expanded key table generation limits cryptanalytic methods based on equivalent keys.
4.5.2 The Square attack

The Square cipher was introduced by J. Daemen, L.R. Knudsen and V. Rijmen in 1997 [9]. In that paper the authors present a dedicated attack against the Square cipher. Since the Rijndael method inherits many features of the Square method, this attack can also be applied to the Rijndael algorithm.

In [8], J. Daemen and V. Rijmen show how to apply the Square attack to Rijndael reduced to at most 6 encryption rounds. For Rijndael with 6 rounds, the Square attack is more efficient than exhaustive key search, although with current technology the Square attack still cannot be carried out in practice. For Rijndael with more than 6 rounds (7 rounds or more), exhaustive key search remains the most efficient method.
4.5.3 The interpolation attack

The interpolation method for cryptanalysis of block ciphers was presented by Jakobsen and Knudsen in [28] in 1997. This method applies only when the components used in the encryption process can be expressed as algebraic expressions. The main requirement of the method is to construct polynomials (or normalised expressions) from pairs of data before and after encryption. If these polynomials have relatively low degree, only a few plaintext/ciphertext pairs are needed to determine their coefficients (which are independent of the key).

The S-box substitution table has the following formula over GF(2^8):

$$S(x) = \{63\} + \{8f\}x^{127} + \{b5\}x^{191} + \{01\}x^{223} + \{f4\}x^{239} + \{25\}x^{247} + \{f9\}x^{251} + \{09\}x^{253} + \{05\}x^{254} \qquad (4.32)$$

Because of the complexity of this expression, combined with the diffusion effect of the algorithm, the interpolation method cannot be used to attack the Rijndael method.
4.5.4 Weak keys

In some ciphers, for example IDEA (International Data Encryption Algorithm), the choice of key is subject to restrictions. In such ciphers, certain keys look valid but data encrypted with them is easily analysed and the encrypted information is not secure [10]. Usually key-related weaknesses stem from a dependence on the specific key value inside non-linear operations. In the Rijndael method and the extended algorithms, keys enter only through the XOR operation, and all non-linear operations are fixed in advance in the S-box substitution table and do not depend on the specific key value, so there is no restriction at all on the choice of the main key.
4.5.5 Related-key attacks

In 1993 Eli Biham introduced a cryptanalytic attack using related keys [4]. The method was later studied and tried on several ciphers by John Kelsey, Bruce Schneier and David Wagner in 1996 [30].

In a related-key attack, the analyst performs encryptions using distinct keys that are related to one another. For the Rijndael method and the extended algorithms, the non-linearity and the diffusion in the generation of the expanded key table make cryptanalysis based on related keys infeasible.
4.6 Experimental results

Because look-up tables are used in the implementation of the extended versions of the Rijndael algorithm, encryption and decryption take equivalent amounts of time. The experiments were carried out and recorded on a Pentium 200 MHz machine (running Microsoft Windows 98), Pentium II 400 MHz and Pentium III 733 MHz machines (running Microsoft Windows 2000 Professional), and a Pentium IV 2.4 GHz machine (running Microsoft Windows XP Service Pack 2).

Table 4.2. Throughput of the 256/384/512-bit version on a Pentium IV 2.4 GHz

Key (bit)  Block (bit)  C++ #cycles  C++ speed (Mbit/s)  C #cycles  C speed (Mbit/s)
256        256          1763         343.9               1721       353.3
384        256          2091         290.4               2052       297.8
512        256          2456         257.4               2396       263.1

Table 4.3. Throughput of the 512/768/1024-bit version on a Pentium IV 2.4 GHz

Key (bit)  Block (bit)  C++ #cycles  C++ speed (Mbit/s)  C #cycles  C speed (Mbit/s)
512        512          8360         153.4               8160       157.4
768        512          9910         130.1               9730       132.3
1024       512          11645        110.7               11364      113.7

Table 4.2 and Table 4.3 show the throughput of the 256/384/512-bit version and of the 512/768/1024-bit version on the Pentium IV 2.4 GHz machine. Results are given in Mbit/s and in clock cycles.

Table 4.4. Throughput comparison for the 256/384/512-bit version (Mbit/s)

Key (bit)  Block (bit)  Pentium 200 MHz   Pentium II 400 MHz  Pentium III 733 MHz  Pentium IV 2.4 GHz
                        C++     C         C++     C           C++      C           C++      C
256        256          26.9    27.4      55.0    56.4        100.8    103.4       343.9    353.3
384        256          22.7    23.3      46.4    47.5        85.0     87.1        290.4    297.8
512        256          19.5    20.2      41.1    42.0        75.3     76.9        257.4    263.1

Table 4.5. Throughput comparison for the 512/768/1024-bit version (Mbit/s)

Key (bit)  Block (bit)  Pentium 200 MHz   Pentium II 400 MHz  Pentium III 733 MHz  Pentium IV 2.4 GHz
                        C++     C         C++     C           C++      C           C++      C
512        512          12.0    12.4      24.4    25.1        44.7     45.9        153.4    157.4
768        512          10.6    11.0      20.7    21.6        37.9     38.6        130.1    132.3
1024       512          8.9     9.2       17.6    18.1        32.3     33.1        110.7    113.7

The throughput comparison of the 256/384/512-bit version and the 512/768/1024-bit version on the Pentium 200 MHz machine (Microsoft Windows 98), the Pentium II 400 MHz and Pentium III 733 MHz machines (Microsoft Windows 2000 Professional) and the Pentium IV 2.4 GHz machine (Microsoft Windows XP Service Pack 2) is shown in Table 4.4 and Table 4.5.
4.7 Conclusion

For the original version of the Rijndael cipher, the most efficient cryptanalytic method remains exhaustive search for the main key in use. Thus, with a main key of 128/192/256 bits, the key space K to be searched has $2^{128}$, $2^{192}$ or $2^{256}$ elements respectively. Similarly, for the extended versions of the Rijndael algorithm, exhaustive key search remains more feasible than any other method. For the extended 256/384/512-bit version of the Rijndael cipher, the key space K to be searched has $2^{256}$, $2^{384}$ or $2^{512}$ elements, depending on whether the main key length is 256, 384 or 512 bits. For the extended 512/768/1024-bit version, the key space K to be searched has $2^{512}$, $2^{768}$ or $2^{1024}$ elements, depending on whether the main key length is 512, 768 or 1024 bits. From the statistics in Table 3.2, Table 4.4 and Table 4.5, we can see that when the block size is doubled, the time to encrypt one block of data increases by more than a factor of 4, so the encryption rate drops by more than half. However, this is entirely acceptable, because increasing the key size and the block size enlarges the key space considerably and the encrypted information becomes correspondingly more secure.
In chapter 3 we examined the Rijndael cipher. Alongside this method, four other ciphers were selected as finalists among the candidates for the AES standard: MARS, RC6, Serpent and Twofish. This chapter introduces each of these four AES candidate ciphers in turn.

5.1 The MARS cipher

MARS is a symmetric-key cipher supporting a 128-bit data block and a variable-size key. The algorithm was designed to exploit the strengths of the operations available on current generations of computers, in order to improve its efficiency compared with earlier conventional ciphers.
Chapter 5

5.1.1 The encryption process

[Figure 5.1: general structure of the MARS encryption process. The plaintext words D[3], D[2], D[1], D[0] go through key addition, forward mixing (8 unkeyed mixing rounds) and the cryptographic core, and come out as D[3], D[2], D[1], D[0]; the legend marks addition and subtraction]

Figure 5.1 shows the general model of the MARS encryption process. The input data and the result of the encryption process are 32-bit words. All operations in the encryption and decryption processes act on 32-bit words. When the data being encrypted is treated as an array of 4 bytes, the authors adopt little-endian byte ordering.
5.1.2 The S-box

In the design of the S-box, its entries were chosen so that the S-box has linear and differential properties that resist attacks. Appendix A gives the full content of the S-box used in the MARS algorithm.

The S-box is generated by setting, for i = 0 to 102 and j = 0 to 4,

$$S[5i + j] = \mathrm{SHA\text{-}1}(5i \,\|\, c_1 \,\|\, c_2 \,\|\, c_3)_j \qquad (5.1)$$

(here SHA-1(·)_j is the j-th word of the SHA-1 output). Here i is regarded as an unsigned 32-bit integer and c1, c2, c3 are fixed constants. The implementation uses c1 = 0xb7415162 and c2 = 0x283f6a88 (the binary expansions of the fractional parts of e and π, respectively) and varies c3 until an S-box with good properties is found. SHA-1 is regarded as an operation on byte streams, with the little-endian convention used to convert between words and bytes.

… in increasing order, starting with c3 = 0. For each value, the S-box is generated and then fixed by going through all pairs (i, j) of entries of S0 and S1 in lexicographic order and checking whether S[i] ⊕ S[j] has 2 or more zero bytes. Whenever a difference with 2 or more zero bytes is found, S[i] is replaced by 3S[i] and the procedure moves on to the next i. After it stops, the S-box is tested again to check that it satisfies all of conditions 1–8 above, and its single-bit correlation (condition 9) is computed. The value of c3 that minimises the single-bit correlation is c3 = 0x02917d59. This S-box has parity bias $2^{-7}$, maximum single-bit bias 1/30, maximum two-consecutive-bit bias 1/32 and single-bit correlation bias smaller than 1/22.
5.1.3 Key expansion

The KeyExpansion procedure expands the key array k[], consisting of n 32-bit words (where n is any number from 4 to 14), into an array K[] of 40 words. Note that no special structure is required of the original key k[] (for example, the key need not use parity bits). In addition, the KeyExpansion procedure guarantees that every key word used in the multiplications of the encryption procedure has the following properties:

1. The two lowest bits of a key word used in a multiplication are 1.
2. No key word contains 10 consecutive 0 bits or 10 consecutive 1 bits.
5.1.3.1 The KeyExpansion procedure

The KeyExpansion procedure consists of the following steps:

1. Initially, the content of the original key is copied into a temporary array T[] (of length 15 words), followed by the number n and then by zeros. That is:

$$T[0..n-1] = k[0..n-1], \quad T[n] = n, \quad T[n+1..14] = 0 \qquad (5.2)$$

2. Next, the following steps are repeated four times. Each iteration computes the next 10 words of the expanded key:

a) The array T[] is transformed with the following linear formula, for i = 0 to 14:

$$T[i] = T[i] \oplus \bigl((T[(i-7) \bmod 15] \oplus T[(i-2) \bmod 15]) \lll 3\bigr) \oplus (4i + j)$$

where j is the index of the iteration (j = 0, 1, ...).

b) Then the array T[] is transformed by four rounds of a type-1 Feistel network:

$$T[i] = \bigl(T[i] + S[\text{low 9 bits of } T[(i-1) \bmod 15]]\bigr) \lll 9, \quad i = 0, 1, \ldots, 14.$$

c) Then 10 words of the array T[] are taken, reordered and stored as the next 10 words of the expanded key array K[]:

$$K[10j + i] = T[4i \bmod 15], \quad i = 0, 1, \ldots, 9,$$

where j is the index of the iteration, j = 0, 1, ...
3. Finally, the 16 words used in multiplications during encryption (the words K[5], K[7], ..., K[35]) are examined and modified so that they have the two properties stated above. Note that the probability that a randomly chosen word fails the second property (that is, contains 10 consecutive bits equal to 0 or to 1) is about 1/41. Each word K[5], K[7], ..., K[35] is processed as follows:

a) Record the two lowest bits of K[i] by setting j = K[i] ∧ 3. Then build the word w from K[i] by replacing the two lowest bits of K[i] with the value 1, that is w = K[i] ∨ 3.

b) Build a mask M of the bits of w that belong to a run of 10 (or more) consecutive 0 or 1 bits. We have $M_\ell = 1$ if and only if $w_\ell$ belongs to a run of 10 consecutive 0s or 1s. Then reset to 0 the 1 bits of M that correspond to the end points of the runs of consecutive 0s or 1s in w, and do the same for the 2 lowest bits and the highest bit of M. Thus bit ℓ of M is reset to 0 if ℓ < 2, or ℓ = 31, or if bit ℓ of w differs from bit ℓ + 1 or from bit ℓ − 1.

For example, suppose w = 0^3 1^13 0^12 1 0 1 1 (here 0^i and 1^i denote i consecutive 0 or 1 bits). In this case we first set M = 0^3 1^25 0^4, and then clear the bits at positions 4, 15, 16 and 28 to obtain M = 0^4 1^11 0^2 1^10 0^5.

c) Next, a fixed table B (of four words) is used to modify w. The four entries of B were chosen so that each entry (as well as every cyclic rotation built from it) contains neither seven consecutive 0 bits nor ten consecutive 1 bits. Specifically, the authors use the table

B[] = {0xa4a8d57b, 0x5b5d193b, 0xc8a8309b, 0x73f9a978}

(these are entries 265 to 268 of the S-box). The reason for choosing these entries is that only 14 eight-bit patterns occur twice among them and no pattern occurs more than twice.

The two bits j (from step (a)) are used to select an entry of B, and the five lowest bits of K[i − 1] are used to rotate the selected entry, that is: p = B[j] <<< (5 lowest bits of K[i − 1]).

d) Finally, the pattern p is XORed into w under the mask M and the result is stored in K[i]:

$$K[i] = w \oplus (p \wedge M)$$

Since the two lowest bits of M are 0, the two lowest bits of K[i] are 1 (because those bits of w are 1). Moreover, the choice of the values in B guarantees that K[i] contains no run of ten consecutive 0 or 1 bits.

Note that this procedure not only guarantees that the words K[5], K[7], ..., K[35] have the two properties above but also preserves the randomness of these words, in the sense that no single value of a word occurs with a probability noticeably higher than under the uniform distribution. Using exhaustive search it can be verified that no 20-bit pattern occurs in these words with probability larger than $1.23 \times 2^{-20}$. Similarly, no 10-bit pattern occurs with probability larger than $1.06 \times 2^{-10}$. These facts are used in the analysis of the algorithm.
Below is the pseudocode of the KeyExpansion procedure.

KeyExpansion(input: k[], n; output: K[])
    // n is the number of words in the key array k[] (4 <= n <= 14)
    // K[] is the array holding the expanded key, 40 words
    // T[] is a temporary array of 15 words
    // B[] is a fixed array of 4 words
    // Initialise the array B[]
    B[] = {0xa4a8d57b, 0x5b5d193b, 0xc8a8309b, 0x73f9a978}
    // Initialise T[] with the content of the key array k[]
    T[0..n-1] = k[0..n-1], T[n] = n, T[n+1..14] = 0
    // Four iterations, each computing 10 words of K[]
    for j = 0 to 3
        // Linear transformation
        for i = 0 to 14
            T[i] = T[i] xor ((T[i-7 mod 15] xor T[i-2 mod 15]) <<< 3) xor (4i + j)
        end for
        // Four stirring rounds
        repeat 4 times
            for i = 0 to 14
                T[i] = (T[i] + S[low 9 bits of T[i-1 mod 15]]) <<< 9
            end for
        end repeat
        // Store the result in the next 10 words of K[]
        for i = 0 to 9
            K[10j + i] = T[4i mod 15]
        end for
    end for
    // Modify the key words that will be used in multiplications
    for i = 5, 7, ..., 35
        j = lowest 2 bits of K[i]
        w = K[i] with its lowest 2 bits set to 1
        // Generate the mask M
        M_l = 1 if and only if w_l belongs to a run of 10 consecutive 0s or 1s in w,
              2 <= l <= 30, and w_{l-1} = w_l = w_{l+1}
        // Select a pattern from B and rotate the chosen entry
        r = lowest 5 bits of K[i-1]        // rotation amount
        p = B[j] <<< r
        // Modify K[i] using p and the mask M
        K[i] = w xor (p and M)
    end for
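The KeyExpansion procedure of 5.1.3.1, including the key-word fixing of step 3, is implemented in the following Python code. It is an added example, not code from the thesis or from the MARS designers. Assumption: the MARS S-box (512 words, Appendix A) is not on this page, so a constructed placeholder table is used for the stirring rounds; the numbers produced with it are therefore illustrative, but the structure of the procedure, the mask construction and the two guaranteed properties of the multiplication words (lowest two bits set, no run of 10 equal bits) are exactly those described above. The worked example w = 0^3 1^13 0^12 1011 from step (b) is 0x1FFF000B and its mask 0^4 1^11 0^2 1^10 0^5 is 0x0FFE7FE0; the previous key word used to rotate B[j] is a constructed value.

```python
# Added example, not code from the thesis or the MARS designers.
# Assumption: the MARS S-box (512 words, Appendix A) is not on this page, so
# constructed_sbox() is a stand-in; numbers derived from it are illustrative,
# but the structure and the guaranteed properties are those of the text.
MASK32 = 0xFFFFFFFF
B_TABLE = [0xa4a8d57b, 0x5b5d193b, 0xc8a8309b, 0x73f9a978]  # B[] from the text

def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32

def constructed_sbox():
    """Placeholder for S[0..511] (NOT the MARS S-box): a linear congruential
    stream, enough for the key-expansion structure to be exercised."""
    s, x = [], 0x9E3779B9
    for _ in range(512):
        x = (x * 1664525 + 1013904223) & MASK32
        s.append(x)
    return s

def run_mask(w):
    """Mask M of step 3(b): bit l is set iff bit l of w lies in a run of at
    least 10 equal bits; run end points, bits 0 and 1 and bit 31 are cleared."""
    bits = [(w >> i) & 1 for i in range(32)]
    m, i = 0, 0
    while i < 32:                      # mark every run of length >= 10
        j = i
        while j < 32 and bits[j] == bits[i]:
            j += 1
        if j - i >= 10:
            for k in range(i, j):
                m |= 1 << k
        i = j
    for k in range(2, 31):             # clear run end points
        if bits[k] != bits[k - 1] or bits[k] != bits[k + 1]:
            m &= ~(1 << k)
    return m & 0x7FFFFFFC              # clear bits 0, 1 and 31

def fix_key_word(ki, ki_prev):
    """Step 3 for one multiplication key word: the low bits become 11 and runs
    of 10 equal bits are broken with a rotated entry of B_TABLE."""
    j = ki & 3
    w = ki | 3
    m = run_mask(w)
    p = rotl(B_TABLE[j], ki_prev & 31)
    return w ^ (p & m)

def key_expansion(key_words, sbox):
    """Expand n key words (4 <= n <= 14) into the 40-word array K[]."""
    n = len(key_words)
    if not 4 <= n <= 14:
        raise ValueError("MARS keys have 4 to 14 words")
    t = list(key_words) + [n] + [0] * (14 - n)          # (5.2)
    k = [0] * 40
    for j in range(4):
        for i in range(15):                              # linear transformation
            t[i] = t[i] ^ rotl(t[(i - 7) % 15] ^ t[(i - 2) % 15], 3) ^ (4 * i + j)
        for _ in range(4):                               # four stirring rounds
            for i in range(15):
                t[i] = rotl((t[i] + sbox[t[(i - 1) % 15] & 0x1FF]) & MASK32, 9)
        for i in range(10):                              # take 10 words
            k[10 * j + i] = t[(4 * i) % 15]
    for i in range(5, 36, 2):                            # multiplication words
        k[i] = fix_key_word(k[i], k[i - 1])
    return k

def longest_run(x):
    """Length of the longest run of equal bits in a 32-bit word."""
    bits = [(x >> i) & 1 for i in range(32)]
    best = cur = 1
    for a, b in zip(bits, bits[1:]):
        cur = cur + 1 if a == b else 1
        best = max(best, cur)
    return best

if __name__ == "__main__":
    k = key_expansion([0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210],
                      constructed_sbox())
    print([hex(k[i]) for i in range(5, 36, 2)])
    print("mask for the worked example:", hex(run_mask(0x1FFF000B)))
```

The run-length argument in the text is visible in fix_key_word: only the interior of a long run is XORed with the rotated B entry, so the run's end points and the neighbouring bits keep their values, and because no rotation of a B entry contains seven consecutive 0s or ten consecutive 1s, the modified word cannot contain a run of ten equal bits.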
5.1.4 The encryption process

The general structure of encryption, described in Figure 5.1, consists of three phases: forward mixing, the cryptographic core and backward mixing. The main encryption work takes place in the core, which consists of keyed transformations. The following notation is used in the encryption process:

1. D[] is an array of four 32-bit data words. Initially D holds the words of the plaintext (the information to be encrypted). At the end of the encryption process, D holds the words of the encrypted information.
2. K[] is the expanded key array, consisting of 40 32-bit words.
3. S[] is an S-box of 512 32-bit words, divided into two arrays: S0 consists of the first 256 words of the S-box and S1 of the remaining 256 words.
5.1.4.1 Phase 1: forward mixing

Denote the 4 bytes of the source word by b0, b1, b2, b3 (where b0 is the lowest byte and b3 the highest byte); b0 and b2 are then used as indices into S-box S0, and b1 and b3 as indices into S-box S1. First S0[b0] is XORed into the first target word, then S1[b1] is added to the first target word. Next S0[b2] is added to the second target word and S1[b3] is XORed into the third target word. Finally, the source word is rotated 24 bits to the right.

For the next round, the four words are rotated right by one word, so that the current first target word becomes the next source word, the current second target word becomes the next first target word, the current third target word becomes the next second target word and the current source word becomes the next third target word.

[Figure 5.2: forward mixing rounds acting on D[3], D[2], D[1], D[0] through S0 and S1 after the key addition of K[3], K[2], K[1]; legend: addition, 8 >>> rotate right 8 bits, 8 <<< rotate left 8 bits]

Moreover, after each of four specific rounds one of the target words is added to the source word. Specifically, after the first and fifth rounds the third target word is added to the source word, and after the second and sixth rounds the first target word is added to the source word. The reason for these extra mixing operations is to rule out some differential attacks against this phase.
5.1.4.2 The cryptographic core

The core of the MARS encryption process is a type-3 Feistel network of 16 rounds. Each round uses a function E built from a combination of multiplications, data-dependent rotations and S-box look-ups. This function takes one data word as input and returns three data words. The structure of the Feistel network is shown in Figure 5.3 and the function E is described in Figure 5.4. In each round one data word is fed into E and the three output words are added or XORed into the other three data words. After the function E has been computed, the source word is rotated 13 bits to the left.

To ensure that the encryption resists attacks mounted from the ciphertext side, the three output words of E are used in a different order in the first 8 rounds than in the last 8 rounds. That is, in the first 8 rounds the first and second output words of E are added to the first and second target words, and the third output word of E is XORed into the third target word. In the last 8 rounds, the first and second output words of E are added to the third and second target words, and the third output word of E is XORed into the first target word.

[Figure 5.3: type-3 Feistel network; in forward mode E(source) gives out1, out2, out3 and the source word is rotated 13 <<<; backward mode uses out3, out2, out1 in the reverse arrangement]

13 <<< denotes rotation to the left by 13 bits. Figure 5.3. Type-3 Feistel network
5.1.4.3 The E function

The E function takes one data word as input and uses two further key words to produce three output words. The function uses three temporary variables L, M and R (for left, middle and right).

First, R holds the value of the source word rotated 13 bits to the left, and M holds the sum of the source word and the first key word. Then the 9 lowest bits of M are used as an index into the 512-entry S-box S (obtained by combining S0 and S1 from the mixing phase), and L holds the corresponding S-box entry.

[Figure 5.4: the E function; the input word goes through the S-box (9 -> 32), a 13 <<< rotation and a multiplication, with 5 <<< rotations and data-dependent rotations producing out1, out2, out3]

n <<< denotes rotation to the left by n bits; <<< alone denotes a data-dependent rotation. Figure 5.4. The E function

Next, the second key word (which must contain an odd integer) is multiplied with R, and R is rotated 5 bits to the left (so that the 5 highest bits of the product become the 5 lowest bits of R after the rotation). Then R is XORed into L, the 5 lowest bits of R are regarded as a rotation amount between 0 and 31, and M is rotated to the left by this amount. Then R is rotated another 5 bits to the left and XORed into L. Finally, the 5 lowest bits of R are again regarded as a rotation amount and L is rotated to the left by this amount. The first output word of E is L, the second is M and the third is R.

Below is the pseudocode of the E function.

E-function(input: in, key1, key2)
    // uses three temporary variables L, M, R
    M = in + key1
    R = (in <<< 13) * key2        // multiply by the second key word (odd)
    m = lowest 9 bits of M
    L = S[m]
    R = R <<< 5
    r = lowest 5 bits of R        // rotation amount
    M = M <<< r
    L = L xor R
    R = R <<< 5
    L = L xor R
    r = lowest 5 bits of R        // rotation amount
    L = L <<< r
    output(L, M, R)
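The E function and the 16-round core of 5.1.4.2 and 5.1.4.3 are implemented in the following Python code, together with the inverse core, to show that each round is undone by subtracting and XORing the same three E outputs once the word rotation is reversed. It is an added example, not code from the thesis or from the MARS designers. Assumptions: the MARS S-box (512 words, Appendix A) is not on this page, so constructed tables stand in for it (an identity table makes the E outputs hand-checkable, DEMO_SBOX exercises the core); DEMO_KEY is a constructed 40-word expanded key with odd words, as MARS requires for the multiplication key words.

```python
# Added example, not code from the thesis or the MARS designers.
# Assumptions: the MARS S-box (512 words, Appendix A) is not on this page, so
# constructed tables stand in for it; K[] is any 40-word expanded key.
MASK32 = 0xFFFFFFFF

def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32

def rotr(x, n):
    return rotl(x, (32 - n) % 32)

def e_function(inp, key1, key2, sbox):
    """E function of 5.1.4.3: one data word and two key words in, three out."""
    m = (inp + key1) & MASK32
    r = (rotl(inp, 13) * key2) & MASK32     # key2 is an odd word in MARS
    l = sbox[m & 0x1FF]                     # low 9 bits of M index the 512-entry S-box
    r = rotl(r, 5)
    m = rotl(m, r & 31)                     # data-dependent rotation
    l ^= r
    r = rotl(r, 5)
    l ^= r
    l = rotl(l, r & 31)                     # data-dependent rotation
    return l, m, r

def core_encrypt(d, k, sbox):
    """16-round type-3 Feistel core (phase II). d: four 32-bit words."""
    d = list(d)
    for i in range(16):
        out1, out2, out3 = e_function(d[0], k[2 * i + 4], k[2 * i + 5], sbox)
        d[0] = rotl(d[0], 13)
        d[2] = (d[2] + out2) & MASK32
        if i < 8:                           # forward mode
            d[1] = (d[1] + out1) & MASK32
            d[3] ^= out3
        else:                               # backward mode
            d[3] = (d[3] + out1) & MASK32
            d[1] ^= out3
        d = [d[1], d[2], d[3], d[0]]        # (D[3],D[2],D[1],D[0]) <- (D[0],D[3],D[2],D[1])
    return d

def core_decrypt(d, k, sbox):
    """Inverse of core_encrypt: undo the rounds in reverse order."""
    d = list(d)
    for i in range(15, -1, -1):
        d = [d[3], d[0], d[1], d[2]]        # undo the word rotation
        d[0] = rotr(d[0], 13)               # recover the input of E
        out1, out2, out3 = e_function(d[0], k[2 * i + 4], k[2 * i + 5], sbox)
        d[2] = (d[2] - out2) & MASK32
        if i < 8:
            d[1] = (d[1] - out1) & MASK32
            d[3] ^= out3
        else:
            d[3] = (d[3] - out1) & MASK32
            d[1] ^= out3
    return d

# Constructed tables: the identity S-box makes E hand-checkable; DEMO_SBOX and
# DEMO_KEY exercise the core (odd key words, as MARS requires).
IDENTITY_SBOX = list(range(512))
DEMO_SBOX = [((i * 0x9E3779B9) ^ 0x5A5A5A5A) & MASK32 for i in range(512)]
DEMO_KEY = [(((i + 1) * 0x9E3779B9) & MASK32) | 1 for i in range(40)]

if __name__ == "__main__":
    block = [0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210]
    ct = core_encrypt(block, DEMO_KEY, DEMO_SBOX)
    print([hex(x) for x in ct])
    print("core round trip:", core_decrypt(ct, DEMO_KEY, DEMO_SBOX) == block)
```

With the identity S-box, E(1, 0, 1) can be followed by hand through the pseudocode above: M = 1, R = 1 <<< 13 = 0x2000, L = S[1] = 1, and the two 5-bit rotations of R turn it into 0x40000 and then 0x800000 with rotation amounts 0, giving (0x840001, 1, 0x800000).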
5.1.4.4 Phase 3: backward mixing

The backward mixing phase is similar to the forward mixing phase of the encryption process, except that the data words are processed in a different order. That is, if the output of the unkeyed forward mixing is fed into the unkeyed backward mixing in reversed order (output word D[3] goes to input word D[0], output word D[2] goes to input word D[1], and so on), the two phases cancel each other. Figure 5.5 shows the backward mixing phase.

[Figure 5.5: backward mixing rounds acting on D[3], D[2], D[1], D[0] through S1 and S0; legend: addition, 8 >>> rotate right 8 bits, 8 <<< rotate left 8 bits]

Figure 5.5. Structure of the backward mixing phase

As in the forward mixing phase, each round uses one source word to modify the other three target words. The four bytes of the source word are denoted b0, b1, b2, b3, with b0 and b2 used as indices into S-box S1 and b1 and b3 as indices into S-box S0. S1[b0] is XORed into the first target word, S0[b3] is subtracted from the second data word, S1[b2] is subtracted from the third target word and then S0[b1] is XORed into the third target word. Finally, the source word is rotated 24 bits to the left.

For the next round, the four words are rotated right by one word, so that the current first target word becomes the next source word, the current second target word becomes the next first target word, the current third target word becomes the next second target word and the current source word becomes the next third target word.

Similarly, before each of four specific rounds one of the target words is subtracted from the source word: before the fourth and eighth rounds the first target word is subtracted from the source word, and before the third and seventh rounds the third target word is subtracted from the source word.
5.1.4.5 Pseudocode of the encryption process

The pseudocode describing the MARS encryption process uses the following notation and conventions:

1. The operations used in encryption act on 32-bit words (regarded as unsigned integers). Bits are numbered from 0 to 31, bit 0 being the lowest bit and bit 31 the highest bit.
2. We write a ⊕ b for the XOR of a and b; a ∨ b and a ∧ b for the OR and AND of a and b; a + b for addition modulo 2^32; a − b for subtraction modulo 2^32; a × b for multiplication modulo 2^32; a <<< b and a >>> b for the rotation of the 32-bit word a to the left or to the right, respectively, by b bits; and (D[3], D[2], D[1], D[0]) ← (D[0], D[3], D[2], D[1]) for rotating an array of four words to the right by one word.

MARSEncrypt(input: D[], K[])

    Phase (II): keyed transformation
    // perform 16 keyed transformation rounds
    for i = 0 to 15
        (out1, out2, out3) = E-function(D[0], K[2i + 4], K[2i + 5])
        D[0] = D[0] <<< 13
        D[2] = D[2] + out2
        if i < 8 then
            // first 8 rounds in forward mode
5.1.5
The decryption process is the inverse of the encryption process. The pseudocode for MARS decryption is similar to the pseudocode for MARS encryption:
MARSDecrypt(input: D[], K[])
Phase (II): Keyed transformation
  // perform 16 rounds of keyed transformation
  for i = 15 downto 0
    // the first 8 rounds are in backward mode
    D[0] = D[0] − D[3]   // subtract D[3] from the source word
    if i = 1 or 5 then
      D[0] = D[0] − D[1]
5.2
The RC6 algorithm is parameterised as RC6-w/r/b, where the word size is w bits, the encryption process consists of r rounds, and the parameter b gives the key length in bytes. To meet the requirements of the AES selection process, RC6 had to support key sizes b of 16, 24 and 32 bytes (128/192/256 bits).
RC6-w/r/b operates on units of four w-bit words and uses six basic operations; the base-2 logarithm of w is written lg w:
  a + b     integer addition modulo 2^w
  a − b     integer subtraction modulo 2^w
  a ⊕ b     bitwise XOR
  a × b     integer multiplication modulo 2^w
  a <<< b   cyclic rotation to the left by b bits
  a >>> b   cyclic rotation to the right by b bits
5.2.1
RC6 derives the words it uses throughout encryption and decryption from the user-supplied key. The user supplies a key of b bytes (0 ≤ b ≤ 255); zero bytes are appended so that the key length is a whole number of words, and the key bytes are then loaded into an array of c w-bit words L[0], ..., L[c−1]. Thus the first key byte is stored in the low byte of L[0], and L[c−1] is padded with zero bytes in its high positions if necessary. (Note that if b = 0 then c = 1 and L[0] = 0.) The number of w-bit round-key words generated is 2r + 4, and they are stored in the array S[0, ..., 2r + 3].
The constants P32 = 0xB7E15163 and Q32 = 0x9E3779B9 are the "magic constants" of the key schedule. P32 is derived from the binary expansion of e − 2 (e being the base of the natural logarithm). Q32 is derived from the binary expansion of φ − 1 (φ being the golden ratio).
Below is the pseudocode for the key schedule of RC6-w/r/b.
Key schedule of RC6-w/r/b
Input: the user-supplied key (b bytes), loaded into the array L[0, ..., c−1] of c words
       r, the number of rounds
Output: the w-bit round keys S[0, ..., 2r + 3]
Begin
  S[0] = Pw
  for i = 1 to 2r + 3
    S[i] = S[i − 1] + Qw
  A = B = i = j = 0
  v = 3 × max{c, 2r + 4}
  for s = 1 to v
    A = S[i] = (S[i] + A + B) <<< 3
    B = L[j] = (L[j] + A + B) <<< (A + B)
    i = (i + 1) mod (2r + 4)
    j = (j + 1) mod c
  end for
End
5.2.2
Encryption process
RC6 works on four w-bit words A, B, C, D, which hold the input data at the start and the ciphertext at the end of the encryption process. The first byte of the plaintext or ciphertext is placed in the least significant byte of A; the last byte of the plaintext or ciphertext is placed in the most significant byte of D.
[Figure: RC6 encryption. Plaintext in; B combined with subkey S[0] and D with subkey S[1]; 20 rounds of encryption; A combined with subkey S[42] and C with subkey S[43]; ciphertext out.]
First, word B is added to the first key word and word D to the second key word. Then 20 rounds are performed. In each round, first rotate f(b) = b × (2b + 1) to the left by lg w bits (= 5 for a word size of 32 bits) and store the result in the variable t. Likewise, rotate f(d) = d × (2d + 1) to the left by lg w bits and store the result in u. Next XOR word A with t, rotate the result to the left by u bits and add key word 2i (for round i); similarly XOR word C with u, rotate the result to the left by t bits and add key word 2i + 1.
After the 20 rounds, word A is added to key word 2r + 2 (here r = 20 rounds, so key word 42) and word C to key word 2r + 3 (key word 43). Pseudocode for RC6-w/r/b encryption:
Encryption RC6-w/r/b
Input: the data to be encrypted, held in the four w-bit registers A, B, C, D
       r, the number of rounds
       the w-bit round keys S[0, ..., 2r + 3]
Output: the encrypted data, held in the four registers A, B, C, D
Begin
  B = B + S[0]
  D = D + S[1]
  for i = 1 to r
    t = (B × (2B + 1)) <<< lg w
    u = (D × (2D + 1)) <<< lg w
    A = ((A ⊕ t) <<< u) + S[2i]
    C = ((C ⊕ u) <<< t) + S[2i + 1]
    (A, B, C, D) = (B, C, D, A)
  end for
  A = A + S[2r + 2]
  C = C + S[2r + 3]
End
5.2.3
RC6 decryption is the inverse of encryption. Below is the pseudocode for RC6-w/r/b decryption:
Decryption RC6-w/r/b
Input: the ciphertext to be decrypted, held in the four w-bit registers A, B, C, D
       r, the number of rounds
       the w-bit round keys S[0, ..., 2r + 3]
Output: the decrypted data, held in the four registers A, B, C, D
Begin
  C = C − S[2r + 3]
  A = A − S[2r + 2]
  for i = r downto 1
    (A, B, C, D) = (D, A, B, C)
    u = (D × (2D + 1)) <<< lg w
    t = (B × (2B + 1)) <<< lg w
    C = ((C − S[2i + 1]) >>> t) ⊕ u
    A = ((A − S[2i]) >>> u) ⊕ t
  end for
  D = D − S[1]
  B = B − S[0]
End
5.3
5.3.1
Serpent is a 32-round system operating on four 32-bit words, so its block size is 128 bits. All values used in the encryption are regarded as bit strings. Within each 32-bit word the bits are indexed 0 to 31, 128-bit blocks are indexed 0 to 127 and 256-bit keys are indexed 0 to 255. For internal computation all values are little-endian: the first word (word 0) is the least significant word, the last word is the most significant, and bit 0 of word 0 is the least significant bit. Externally, each block is written as a 128-bit hexadecimal number.
Serpent encrypts a 128-bit plaintext P into a 128-bit ciphertext C in 32 rounds under the control of 33 128-bit subkeys (K0, ..., K32). The user key length is variable (we fix key lengths of 128, 192 or 256 bits; if the user supplies a shorter key, a single 1 bit is appended at the MSB end and the remaining positions are filled with 0 bits).
5.3.2
Encryption requires 132 32-bit words of key material. First the user-supplied key is taken (padded to a fixed length as described above if necessary). It is then expanded into the 33 128-bit subkeys (K0, ..., K32) by writing the key K as eight 32-bit words (w−8, ..., w−1) and expanding these into the intermediate prekeys w0, ..., w131 with the recurrence
  w_i = (w_{i−8} ⊕ w_{i−5} ⊕ w_{i−3} ⊕ w_{i−1} ⊕ φ ⊕ i) <<< 11   (5.3)
Here φ is the fractional part of the golden ratio (√5 + 1)/2, i.e. the hexadecimal number 0x9e3779b9. The primitive polynomial x^8 + x^7 + x^5 + x^3 + 1 together with the addition of the round index was chosen to ensure an even distribution of key bits across the rounds and to eliminate weak and related keys.
The round keys are derived from the prekeys using the S-boxes. The S-boxes transform the prekeys w_i into the round-key words k_i as follows:
  {k0, k1, k2, k3} = S3(w0, w1, w2, w3)
  {k4, k5, k6, k7} = S2(w4, w5, w6, w7)
  {k8, k9, k10, k11} = S1(w8, w9, w10, w11)
  {k12, k13, k14, k15} = S0(w12, w13, w14, w15)
  {k16, k17, k18, k19} = S7(w16, w17, w18, w19)
  ...
  {k124, k125, k126, k127} = S4(w124, w125, w126, w127)
  {k128, k129, k130, k131} = S3(w128, w129, w130, w131)   (5.4)
We then regroup the 32-bit values k_j into the 128-bit subkeys K_i (for i ∈ 0, ..., r) as follows:
  K_i = {k_{4i}, k_{4i+1}, k_{4i+2}, k_{4i+3}}   (5.5)
Next, the initial permutation IP is applied to the round key so that the key bits are placed in the correct positions (columns).
[Figure: Serpent key schedule. The eight 32-bit key words w−8, ..., w−1 are fed into the recurrence with the constant (√5 + 1)/2 and the counter, rotated <<< 11, and passed through the S-boxes.]
5.3.3
S-boxes
The Serpent S-boxes are 4-bit permutations. They were generated as follows: a matrix of 32 arrays of 16 entries each is initialised with the 32 rows of the DES S-boxes and transformed by swapping entries in array r depending on the values of the entries in array (r + 1) and on an initial string that acts as a key. If the resulting array has the desired properties (differential and linear), it is saved as a Serpent S-box. The procedure is repeated until 8 S-boxes have been generated.
More precisely, let serpent[] be an array holding the least significant 4 bits of each of the 16 ASCII characters of "sboxesforserpent". Let sbox[][] be a (32 × 16) array holding the 32 rows of the 8 DES S-boxes, where sbox[r][] is row r. The function swapentries(·, ·) swaps two entries.
Below is the pseudocode for generating the S-boxes:
index = 0
repeat
  currentsbox = index mod 32;
  for i = 0 to 15
    j = sbox[(currentsbox + 1) mod 32][serpent[i]];
    swapentries(sbox[currentsbox][i], sbox[currentsbox][j]);
  end for
  if sbox[currentsbox][.] has the required properties then
    save it;
  index = index + 1;
until 8 S-boxes have been generated
Appendix C gives the S-boxes and inverse S-boxes used in the Serpent algorithm in full.
5.3.4
Encryption process
Encryption consists of:
1. the initial permutation IP;
2. 32 rounds, each consisting of a key mixing operation, a pass through the S-boxes and (in every round except the last) a linear transformation; in the last round the linear transformation is replaced by an additional key mixing operation;
3. the final permutation FP.
The initial and final permutations are described in detail in Appendix B, Permutations used in the Serpent algorithm.
We use the following notation. The initial permutation IP applied to the plaintext P gives B0, the input to the first round (the rounds are numbered 0 to 31). The output of the first round is B1, the output of the second round is B2, and the output of round i is B_{i+1}, up to the last round. The output of the last round, in which the linear transformation is replaced by key mixing, is denoted B32. The final permutation FP applied to B32 gives the ciphertext C.
[Figure 5.9. Encryption structure: in round r the 128-bit input is XORed with K_r and passed through 32 copies of S-box S_i with i = r mod 8; if r ≠ 31 the linear transformation follows, otherwise the result is XORed with K32 and the final permutation is applied.]
Figure 5.9. Encryption structure
Let K_i be the 128-bit subkey of round i and S_i the S-box used in round i. Let L be the linear transformation. Then the round function is defined as follows:
Figure 5.8 shows the steps of round i (i = 0, ..., 30) of Serpent encryption. In round 31 only, the linear transformation is replaced by addition modulo 2 with the round key.
[Figure 5.8. One round: the round key is XORed in, every nibble of the data passes through the same S-box (with a coordinate permutation before and its inverse after), then the linear transformation.]
In each round, the function R_i (i ∈ {0, ..., 31}) uses only one S-box. For example, R0 uses S-box S0, with 32 copies of S0 applied in parallel. The first copy of S0 takes bits 0, 1, 2 and 3 of B0 ⊕ K0 as input and returns the first 4 bits of the intermediate vector; the next copy of S0 takes bits 4 to 7 of B0 ⊕ K0 as input and returns the next 4 bits of the intermediate vector, and so on. The linear transformation is then applied to this intermediate vector, giving B1. Similarly, R1 uses 32 parallel copies of S1 on B1 ⊕ K1 and applies the linear transformation to the output, giving B2.
Consider an S-box S_i applied to a 128-bit block X_i. First split X_i into four 32-bit words x0, x1, x2 and x3. For each of the 32 bit positions, build a 4-bit value from the bit at that position in each word, with the bit from x3 as the most significant bit. Then apply S_i to this 4-bit value and store the result in the corresponding bit positions of Y_i = (y0, y1, y2, y3).
The linear transformation L on Y_i = (y0, y1, y2, y3) is defined as follows:
  y0 := y0 <<< 13
  y2 := y2 <<< 3
  y1 := y0 ⊕ y1 ⊕ y2
  y3 := y2 ⊕ y3 ⊕ (y0 << 3)
  y1 := y1 <<< 1
  y3 := y3 <<< 7
  y0 := y0 ⊕ y1 ⊕ y3
  y2 := y2 ⊕ y3 ⊕ (y1 << 7)
  y0 := y0 <<< 5
  y2 := y2 <<< 22
  B_{i+1} := (y0, y1, y2, y3)   (5.7)
In the expressions above, <<< denotes left rotation and << denotes left shift. The set of eight S-boxes (S0 to S7) is used four times over. Thus after S7 is used in round 7, S0 is used again in round 8, S1 in round 9, and so on. In the last round the function R31 differs slightly from the others: S7 is applied to B31 ⊕ K31 and the result is XORed with K32. The result B32 is then permuted by FP to give the ciphertext.
So the 32 rounds use 8 different S-boxes, each mapping 4 input bits to 4 output bits. Each S-box is used in 4 separate rounds, and within each round the S-box is applied 32 times in parallel.
The final permutation is the inverse of the initial permutation. Encryption can therefore be described by the formulas:
  B0 = IP(P)
  B_{i+1} = R_i(B_i)
  C = FP(B32)
  R_i(X) = L(Ŝ_i(X ⊕ K_i)),   i = 0, ..., 30
  R_i(X) = Ŝ_i(X ⊕ K_i) ⊕ K32,   i = 31   (5.8)
Here Ŝ_i denotes the result of applying S-box S_{i mod 8} 32 times in parallel, and L is the linear transformation.
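The prekey recurrence (5.3), the bitsliced S-box application described in 5.3.4 and the linear transformation (5.7), together with the decryption round of 5.3.5, as an added Python example (not code from the text or from the Serpent designers). Serpent's real S-boxes are in Appendix C, so DEMO_SBOX is a constructed 4-bit permutation standing in for them, DEMO_KEY is a constructed key, and the inverse of L, which the page does not list, is obtained here by undoing the steps of (5.7) in reverse order.

```python
# Serpent building blocks (added example): prekeys, bitsliced S-box, L and its inverse.
MASK = 0xFFFFFFFF
PHI = 0x9E3779B9             # fractional part of the golden ratio, as in 5.3.2


def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def prekeys(key_words):
    """Equation (5.3): expand the eight key words w_-8 .. w_-1 into w_0 .. w_131."""
    assert len(key_words) == 8
    w = list(key_words)                       # w[0..7] hold w_-8 .. w_-1
    for i in range(132):                      # w_i lives at list index i + 8
        new = w[i] ^ w[i + 3] ^ w[i + 5] ^ w[i + 7] ^ PHI ^ i
        w.append(rol(new, 11))
    return w[8:]


def bitslice_sbox(sbox, x):
    """Apply one 4-bit S-box to all 32 nibble columns of (x0, x1, x2, x3);
    bit j of x3 is the most significant bit of the nibble at position j."""
    y = [0, 0, 0, 0]
    for j in range(32):
        nib = sum(((x[k] >> j) & 1) << k for k in range(4))
        out = sbox[nib]
        for k in range(4):
            y[k] |= ((out >> k) & 1) << j
    return y


def linear_transform(y):
    """The linear transformation L of equation (5.7)."""
    y0, y1, y2, y3 = y
    y0 = rol(y0, 13)
    y2 = rol(y2, 3)
    y1 = y0 ^ y1 ^ y2
    y3 = y2 ^ y3 ^ ((y0 << 3) & MASK)
    y1 = rol(y1, 1)
    y3 = rol(y3, 7)
    y0 = y0 ^ y1 ^ y3
    y2 = y2 ^ y3 ^ ((y1 << 7) & MASK)
    y0 = rol(y0, 5)
    y2 = rol(y2, 22)
    return [y0, y1, y2, y3]


def inverse_linear_transform(y):
    """L^-1: the steps of (5.7) undone in reverse order (derived here, not on the page)."""
    y0, y1, y2, y3 = y
    y2 = ror(y2, 22)
    y0 = ror(y0, 5)
    y2 = y2 ^ y3 ^ ((y1 << 7) & MASK)
    y0 = y0 ^ y1 ^ y3
    y3 = ror(y3, 7)
    y1 = ror(y1, 1)
    y3 = y3 ^ y2 ^ ((y0 << 3) & MASK)
    y1 = y1 ^ y0 ^ y2
    y2 = ror(y2, 3)
    y0 = ror(y0, 13)
    return [y0, y1, y2, y3]


def round_function(x, sbox, k):
    """R_i(X) = L(S_i(X xor K_i)) from (5.8), for a round other than the last."""
    return linear_transform(bitslice_sbox(sbox, [a ^ b for a, b in zip(x, k)]))


def inverse_round(y, sbox, k):
    """The decryption round of 5.3.5: inverse L, inverse S-box, then the subkey."""
    inv = [0] * 16
    for i, v in enumerate(sbox):
        inv[v] = i
    x = bitslice_sbox(inv, inverse_linear_transform(y))
    return [a ^ b for a, b in zip(x, k)]


# Constructed stand-ins: NOT Serpent's real S-box, NOT a real key.
DEMO_SBOX = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]
DEMO_KEY = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0x00000000,
            0xFFFFFFFF, 0x13579BDF, 0x2468ACE0, 0x0F0F0F0F]

if __name__ == "__main__":
    k = prekeys(DEMO_KEY)
    block = [0xA5A5A5A5, 0x00000001, 0x80000000, 0x12345678]
    y = round_function(block, DEMO_SBOX, k[0:4])
    print([hex(v) for v in y], inverse_round(y, DEMO_SBOX, k[0:4]) == block)
```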
5.3.5
[Figure: decryption structure. In round r the inverse S-box S_i^{-1} is applied in 32 parallel copies with subkey K_{31−r}; 32 rounds with the check r = 31 for the last round.]
The decryption process differs from the encryption process. Specifically, the inverse S-boxes (S^{-1}) must be used in reverse order, together with the inverse of the linear transformation and the subkeys in reverse order.
5.4
5.4.1
The key schedule generates the 40 expanded key words K0, ..., K39 and the four key-dependent S-boxes used in the function g. Twofish is defined for key lengths N = 128, N = 192 and N = 256 bits. Keys of any shorter length up to 256 bits can be turned into a 256-bit key by padding with zeros to the required length.
Define k = N/64. The key M consists of the 8k bytes m0, ..., m_{8k−1}. These bytes are converted into 2k 32-bit words:
  $M_i = \sum_{j=0}^{3} m_{4i+j} \cdot 2^{8j},\quad i = 0, \ldots, 2k-1$   (5.9)
and then into two word vectors of length k:
  Me = (M0, M2, ..., M_{2k−2})
  Mo = (M1, M3, ..., M_{2k−1})   (5.10)
A third vector of k 32-bit words is also derived from the key, by taking each group of 8 key bytes, viewing them as a vector over GF(2^8) and multiplying that vector by a 4×8 matrix (derived from a Reed–Solomon code). Then
  $(s_{i,0}, s_{i,1}, s_{i,2}, s_{i,3})^T = RS \cdot (m_{8i}, m_{8i+1}, \ldots, m_{8i+7})^T$   (5.11)
  $S_i = \sum_{j=0}^{3} s_{i,j} \cdot 2^{8j}$   (5.12)
Here GF(2^8) is represented as GF(2)[x]/w(x), with w(x) = x^8 + x^6 + x^3 + x^2 + 1 a primitive polynomial of degree 8 over GF(2). The mapping between byte values and elements of GF(2^8) is the same as for the MDS matrix multiplication.
[Equation (5.13): the 4×8 RS matrix; only the entries F3, 1E, A1 and FC survived extraction.]
5.4.1.1
Twofish accepts any key length up to 256 bits. For key sizes other than the defined ones (128, 192, 256), the key is padded with zeros up to the next defined length. For example, an 80-bit key m0, ..., m9 is extended with m_i = 0 for i = 10, ..., 15 and treated as a 128-bit key.
5.4.1.2
The function h
Figure 5.12 gives an overview of the function h. It takes two inputs, a 32-bit word X and a list L = (L0, ..., L_{k−1}) of 32-bit words, and returns a single word. The function runs in k stages. In each stage, each of the 4 bytes passes through a fixed S-box and is XORed with a byte from the list. Finally the bytes pass once more through a fixed S-box, and the 4 bytes are multiplied by the MDS matrix as in the function g. More precisely, the words are split into bytes:
  $l_{i,j} = \lfloor L_i / 2^{8j} \rfloor \bmod 2^8$   (5.14)
  $x_j = \lfloor X / 2^{8j} \rfloor \bmod 2^8$   (5.15)
If k = 4, we have:
  y_{3,0} = q1[y_{4,0}] ⊕ l_{3,0}
  y_{3,1} = q0[y_{4,1}] ⊕ l_{3,1}
  y_{3,2} = q0[y_{4,2}] ⊕ l_{3,2}
  y_{3,3} = q1[y_{4,3}] ⊕ l_{3,3}   (5.16)
[Figure 5.12. The function h: the four input bytes pass through stages of q0/q1 permutations, each followed by XOR with the bytes of L0, ..., L_{k−1}, and finally through the MDS matrix to give Z.]
Figure 5.12. The function h
If k ≥ 3, we have:
  y_{2,0} = q1[y_{3,0}] ⊕ l_{2,0}
  y_{2,1} = q0[y_{3,1}] ⊕ l_{2,1}
  y_{2,2} = q0[y_{3,2}] ⊕ l_{2,2}
  y_{2,3} = q1[y_{3,3}] ⊕ l_{2,3}   (5.17)
In all cases we have:
  y0 = q1[q0[q0[y_{2,0}] ⊕ l_{1,0}] ⊕ l_{0,0}]
  y1 = q0[q0[q1[y_{2,1}] ⊕ l_{1,1}] ⊕ l_{0,1}]
  y2 = q1[q1[q0[y_{2,2}] ⊕ l_{1,2}] ⊕ l_{0,2}]
  y3 = q0[q1[q1[y_{2,3}] ⊕ l_{1,3}] ⊕ l_{0,3}]   (5.18)
5.4.1.3
Each S-box is defined by 2, 3 or 4 bytes of key input, depending on the key size. For 128-bit keys this is done as follows:
  s0(x) = q1[q0[q0[x] ⊕ s_{0,0}] ⊕ s_{1,0}]
  s1(x) = q0[q0[q1[x] ⊕ s_{0,1}] ⊕ s_{1,1}]
  s2(x) = q1[q1[q0[x] ⊕ s_{0,2}] ⊕ s_{1,2}]
  s3(x) = q0[q1[q1[x] ⊕ s_{0,3}] ⊕ s_{1,3}]   (5.19)
[Figure: the four key-dependent S-boxes s0, ..., s3 as chains of the permutations q0 and q1 interleaved with the key bytes derived from S0 and S1.]
Here the s_{i,j} are the bytes derived from the key bytes using the RS matrix. Note that equal key bytes do not give equal pairs of S-boxes. When every s_{i,j} = 0, (5.19) reduces to s0(x) = q1[q0[q0[x]]].
For an N-bit key, N/8 bits of key material determine each single-byte permutation separately. For example, with a 128-bit key the S-box s0 uses 16 bits of key material, so each of the 2^16 possible permutations s0 is selected separately; the same holds for s1, s2 and s3.
5.4.1.4
The expanded key words K_j
  ρ = 2^24 + 2^16 + 2^8 + 2^0
  A_i = h(2iρ, Me)
  B_i = ROL(h((2i + 1)ρ, Mo), 8)
  K_{2i} = (A_i + B_i) mod 2^32
  K_{2i+1} = ROL((A_i + 2B_i) mod 2^32, 9)   (5.20)
[Figure 5.14. Generation of the subkeys K_j: h applied to the word of four bytes 2i with M2 and M0, and to the word of four bytes 2i + 1 with M3 and M1; MDS, rotation <<< 8, PHT, rotation <<< 9.]
Figure 5.14. Generation of the subkeys K_j
The constant ρ is used to duplicate bytes: for i = 0, ..., 255, the word iρ consists of four equal bytes, each with value i. The function h is applied to words of this form. For A_i the byte value is 2i and the second argument of h is Me. B_i is computed in the same way, using 2i + 1 as the byte value and Mo as the second argument, with an additional rotation by 8 bits. The values A_i and B_i are combined in a PHT (Pseudo-Hadamard Transform). One of the two results is rotated by a further 9 bits. The two results form two expanded key words.
5.4.1.5
The permutations q0 and q1
The permutations q0 and q1 are fixed permutations on 8-bit values. They are built from four different 4-bit permutations. For an input value x, the corresponding output value y is determined as follows:
  a0, b0 = ⌊x/16⌋, x mod 16
  a1 = a0 ⊕ b0
  b1 = a0 ⊕ ROR4(b0, 1) ⊕ 8a0 mod 16
  a2, b2 = t0[a1], t1[b1]
  a3 = a2 ⊕ b2
  b3 = a2 ⊕ ROR4(b2, 1) ⊕ 8a2 mod 16
  a4, b4 = t2[a3], t3[b3]
  y = 16b4 + a4   (5.21)
Here ROR4 is rotation to the right on 4-bit values. First the byte is split into two nibbles. These two nibbles are combined in a bijective mixing step. Then each nibble passes through its own fixed 4-bit S-box (a1 through t0, b1 through t1). The same is then repeated for (a3 through t2, b3 through t3). Finally the two nibbles are recombined into one byte. For the permutation q0, the 4-bit S-boxes are:
  t0 = [ 8 1 7 D 6 F 3 2 0 B 5 9 E C A 4 ]
  t1 = [ E C B 8 1 2 3 5 F 4 A 6 7 0 9 D ]
  t2 = [ B A 5 E 6 D 9 0 C 8 F 3 2 4 7 1 ]
  t3 = [ D 7 F 4 1 2 6 E 9 B 3 0 8 5 C A ]   (5.22)
Here each 4-bit S-box is given as a list of entries in hexadecimal notation (the inputs are the ordered list 0, 1, ..., 15). Similarly, for q1 the 4-bit S-boxes are:
  t0 = [ 2 8 B D F 7 6 E 3 1 9 4 0 A C 5 ]
  t1 = [ 1 E 2 B 4 C 3 7 6 D A 5 F 9 0 8 ]
  t2 = [ 4 C 7 5 1 6 9 A 0 E D 8 2 B 3 F ]
  t3 = [ B 9 5 1 C 3 D E 6 4 7 F 2 0 8 A ]   (5.23)
[Figure: structure of the permutations q0 and q1. The nibbles a0, b0 are mixed (with a 1-bit rotation >>> 1 and the term 8a0), pass through the S-boxes t0 and t1 to give a2, b2, are mixed again and pass through t2 and t3 to give a4, b4.]
5.4.2
Encryption process
Figure 5.16 gives an overview of Twofish encryption. Twofish uses a Feistel-like structure of 16 rounds with additional whitening of the input and output. The only non-Feistel elements are the 1-bit rotations; these rotations can be moved into the F function to obtain a pure Feistel structure.
The plaintext is split into four 32-bit words A, B, C, D. In the input whitening step these four words are XORed with the four key words K0..3. Then 16 rounds follow. In each round, the two words A and B are the inputs to the function g (word B is first rotated left by 8 bits). The function g consists of four key-dependent byte-wide S-boxes followed by a linear mixing step based on the MDS matrix. The outputs of the two g functions are combined with a Pseudo-Hadamard Transform (PHT) and two key words are added (K_{2r+8} to the A branch and K_{2r+9} to the B branch in round r). The two results are XORed into the words C and D (D is rotated left by 1 bit before being XORed with the result from B, and C is rotated right by 1 bit after being XORed with the result from A). Then A and C, B and D are swapped for the next round. After the 16 rounds the swap of A and C, B and D is undone, and finally the four words A, B, C, D are XORed with the four key words K4...7 to give the four encrypted words A, B, C, D.
More precisely, the 16 plaintext bytes p0, ..., p15 are first split into four 32-bit words P0, ..., P3 using the little-endian convention:
  $P_i = \sum_{j=0}^{3} p_{4i+j} \cdot 2^{8j},\quad i = 0, \ldots, 3$   (5.24)
[Figure 5.16. Twofish encryption: input whitening of A, B, C, D with K0, K1, K2, K3; 16 rounds, each with g (S-box 0 to S-box 3, MDS) on A, <<< 8 then g on B, PHT, addition of K2r+8 and K2r+9, <<< 1 and >>> 1 on the C/D branch; output whitening with K4, K5, K6, K7.]
In the input whitening step these words are XORed with four words of the expanded key:
  R_{0,i} = P_i ⊕ K_i,   i = 0, ..., 3   (5.25)
In each of the 16 rounds, the two words A, B and the round index are the inputs to the function F. Word C is XORed with the first output of F and rotated right by 1 bit. Word D is rotated left by 1 bit and XORed with the second output of F. Finally, A and C, B and D are swapped. Thus:
  (F_{r,0}, F_{r,1}) = F(R_{r,0}, R_{r,1}, r)
  R_{r+1,0} = ROR(R_{r,2} ⊕ F_{r,0}, 1)
  R_{r+1,1} = ROL(R_{r,3}, 1) ⊕ F_{r,1}
  R_{r+1,2} = R_{r,0}
  R_{r+1,3} = R_{r,1}   (5.26)
for r ∈ (0, ..., 15); ROR and ROL are the right and left rotations whose first argument is the 32-bit word to rotate and whose second argument is the number of bits. The output whitening step undoes the swap of the last round and XORs the data words with four words of the expanded key:
  C_i = R_{16,(i+2) mod 4} ⊕ K_{i+4},   i = 0, ..., 3   (5.27)
The four ciphertext words are then written out as the 16 bytes c0, ..., c15 using the same little-endian convention as for the plaintext:
  $c_i = \lfloor C_{\lfloor i/4 \rfloor} / 2^{8(i \bmod 4)} \rfloor \bmod 2^8,\quad i = 0, \ldots, 15$   (5.28)
5.4.2.1
The function F
[Figure: the function F. R0 passes through g (key-dependent S-boxes, MDS); R1 is rotated <<< 8 and passes through g; the two results are combined by the PHT with K2r+8 and K2r+9 to give F0 and F1.]
The function F is a key-dependent permutation on 64-bit values. It takes three arguments: the two input words R0 and R1, and the round number r, used to select the appropriate subkeys. R0 is passed through g to give T0. R1 is rotated left by 8 bits and then passed through g to give T1. Then T0 and T1 are combined with a PHT and two words of the expanded key are added:
  T0 = g(R0)
  T1 = g(ROL(R1, 8))
  F0 = (T0 + T1 + K_{2r+8}) mod 2^32
  F1 = (T0 + 2T1 + K_{2r+9}) mod 2^32   (5.29)
where (F0, F1) is the result of F.
5.4.2.2
The function g
The function g is the heart of the Twofish algorithm. The input word X is split into 4 bytes. Each byte passes through its own key-dependent S-box. Each S-box takes 8 bits of input and gives 8 bits of output. The 4 output bytes are viewed as a vector of length 4 over GF(2^8) and multiplied by the 4 × 4 MDS matrix (with the computations in GF(2^8)). The resulting vector is viewed as a 32-bit word, which is the output of g:
  $x_i = \lfloor X / 2^{8i} \rfloor \bmod 2^8,\quad i = 0, \ldots, 3$
  $y_i = s_i[x_i],\quad i = 0, \ldots, 3$
  $(z_0, z_1, z_2, z_3)^T = MDS \cdot (y_0, y_1, y_2, y_3)^T$
  $Z = \sum_{i=0}^{3} z_i \cdot 2^{8i}$   (5.30)
where the s_i are the key-dependent S-boxes and Z is the output of g. To make this precise we must fix the correspondence between byte values and elements of GF(2^8). We represent GF(2^8) as GF(2)[x]/v(x), with v(x) = x^8 + x^6 + x^5 + x^3 + 1 a primitive polynomial of degree 8 over GF(2). The field element $a = \sum_{i=0}^{7} a_i x^i$ with $a_i \in GF(2)$ corresponds to the byte value $\sum_{i=0}^{7} a_i 2^i$.
[Equation (5.31): the 4 × 4 MDS matrix; only two of its columns, (5B, EF, 01, EF) and (5B, 01, EF, 5B), survived extraction.]
This matrix multiplies the 32-bit input value by 8-bit constants, all multiplications being performed in GF(2^8). The polynomial x^8 + x^6 + x^5 + x^3 + 1 is a primitive polynomial of degree 8 over GF(2). Only 3 distinct multipliers occur in the MDS matrix:
1. 5B_16 = 0101 1011_2 (represented in GF(2^8) by the polynomial x^6 + x^4 + x^3 + x + 1)
2. EF_16 = 1110 1111_2 (represented in GF(2^8) by the polynomial x^7 + x^6 + x^5 + x^3 + x^2 + x + 1)
5.4.3
The Twofish encryption and decryption processes are alike. Decryption, however, applies the subkeys in reverse order and makes some small changes to the encryption structure (see Figure 5.18).
[Figure 5.18. (a) An encryption round and (b) a decryption round: the F function with the <<< 1 and >>> 1 rotations moved to the opposite branches.]
5.5
Conclusion
In the four algorithms above, encryption proceeds through the main phases of initialisation, key schedule and encryption. Likewise, decryption proceeds through the main phases of initialisation, key schedule and decryption.
The initialisation and key schedule phases use the user-supplied key to generate the set of subkeys used for encryption and decryption.
MARS consists of three phases: forward mixing, the cryptographic core and backward mixing.
  o The forward mixing phase consists of a key addition and 8 rounds of unkeyed forward mixing.
  o The cryptographic core consists of 8 rounds of keyed forward transformation and 8 rounds of keyed backward transformation.
  o The backward mixing phase consists of 8 rounds of unkeyed backward mixing and a key subtraction.
RC6 consists of:
  o an initial key addition;
  o 20 rounds;
  o a final key addition.
SERPENT consists of:
  o the initial permutation IP;
  o 32 rounds;
  o the final permutation FP.
Relation between the encryption and decryption processes:
  o In MARS and RC6 the two processes are alike (performed in reverse order).
  o In SERPENT the two processes differ.
  o In TWOFISH the two processes are nearly identical.
Chapter 6
Chapter 6 introduces the concept of public-key cryptosystems. The well-known RSA method is presented in detail. The end of the chapter compares conventional cryptosystems with public-key cryptosystems and presents a hybrid model that combines the two.
6.1 Public-key cryptosystems
The problem that arises in conventional cryptosystems is agreeing on the shared key k between the sender A and the receiver B. In practice the key k must be changed from time to time, so information about k must be exchanged between A and B. To keep k secret, A and B must exchange it over a truly secure and secret channel. It is very hard, however, to guarantee the security of such a channel, so k may still be discovered by a third party C!
The idea of public-key cryptosystems was introduced by Martin Hellman, Ralph Merkle and Whitfield Diffie at Stanford University in 1976. Subsequently the Diffie–Hellman method of Martin Hellman and Whitfield Diffie was published [45]. In 1977, in "The Scientific American", Ronald Rivest, Adi Shamir and Leonard Adleman published the RSA method, the famous public-key method that is very widely used today in encryption and information-protection applications [39]. RSA quickly became the worldwide standard for public-key encryption thanks to its security and its applicability.
A public-key system uses two kinds of key in one key pair: the public key, which is published widely and used to encrypt information, and the private key, which is held by one person only and used to decrypt information encrypted with the public key. These methods exploit mappings f for which computing the inverse mapping f^{−1} is far harder than computing f. Only with knowledge of the private key can the inverse mapping f^{−1} be computed.
[Figure: original message → encryption with the public key → encrypted message → decryption with the private key → decrypted message.]
When a public-key cryptosystem is used, A encrypts a message with the public key and sends it to B. Because B knows the private key, only B can decrypt the message A encrypted. If C intercepts the message A sent to B, then even with the published public key C has little chance of decrypting it, since C does not hold B's private key.
6.2
6.2.1
In 1978, R.L. Rivest, A. Shamir and L. Adleman proposed the RSA public-key cryptosystem (also called the MIT system). In this method all computations are performed in Z_n, where n is the product of two distinct odd primes p and q. Then φ(n) = (p − 1)(q − 1).
Algorithm 6.1. The RSA encryption method
Let n = pq with p and q two distinct odd primes. Let P = C = Z_n and define:
  K = {(n, p, q, a, b): n = pq, p and q prime, ab ≡ 1 (mod φ(n))}
For each k = (n, p, q, a, b) ∈ K, define:
  e_k(x) = x^b mod n and d_k(y) = y^a mod n, with x, y ∈ Z_n
The values n and b are published, while p, q and a are kept secret.
Based on the definition of the RSA method, applying it in practice proceeds as follows:
Algorithm 6.2. Using the RSA method
  Generate two large primes p and q
  Compute n = pq and φ(n) = (p − 1)(q − 1)
  Choose a random integer b (1 < b < φ(n)) with gcd(b, φ(n)) = 1
  Compute a = b^{−1} mod φ(n) (by the extended Euclidean algorithm)
  The values n and b are published (the public key), while p, q and a are kept secret (the private key)
6.2.2
The security of the RSA method rests on the cost of illegitimately decrypting encrypted information being so great that it is regarded as infeasible.
Since the key is public, attacks on RSA keys usually start from the public key in order to determine the corresponding private key. The crucial step is to compute p and q from n, and from them the decryption exponent d (called a in Algorithm 6.1).
6.2.2.1
Suppose the attacker knows the value φ(n). Then determining p and q reduces to solving the two equations:
  n = pq   (6.1)
  φ(n) = (p − 1)(q − 1)   (6.2)
Substituting q = n/p gives the quadratic equation
  $p^2 - (n - \varphi(n) + 1)\,p + n = 0$
whose two roots are p and q. However, discovering the value φ(n) is harder than finding the two prime factors of n.
6.2.2.2
The p − 1 factoring algorithm
Algorithm 6.3. The p − 1 factoring algorithm
Input: n and B
  1. a = 2
  2. for j = 2 to B do a = a^j mod n
  3. d = gcd(a − 1, n)
  4. if 1 < d < n then d is a prime factor of n (success)
     else no prime factor of n was found (failure)
Pollard's p − 1 algorithm (1974) is one of the simplest effective algorithms for factoring large integers. Its inputs are the (odd) integer n to be factored and the bound B.
At the end of the loop (step 2) we have
  a ≡ 2^{B!} (mod n)   (6.3)
and hence
  a ≡ 2^{B!} (mod p)   (6.4)
Since p | n, Fermat's theorem gives
  2^{p−1} ≡ 1 (mod p)   (6.5)
Since (p − 1) | B!, at step 3 of the algorithm we have
  a ≡ 1 (mod p)   (6.6)
Therefore, at step 4, p | (a − 1) and p | n, so with d = gcd(a − 1, n) we obtain
  d = p   (6.7)
Example: suppose n = 15770708441. Applying the p − 1 algorithm with B = 180, we obtain a = 11620221425 at step 3 and d = 135979. Factoring succeeds here because 135978 has only small prime factors: 135978 = 2 × 3 × 131 × 173.
The p − 1 algorithm performs B − 1 modular exponentiations, each requiring at most 2 log2 B modular multiplications with the square-and-multiply algorithm (see 6.2.6, Arithmetic). Computing the gcd with the Euclidean algorithm has complexity O((log n)^3). The complexity of the algorithm is therefore O(B log B (log n)^2 + (log n)^3).
However, the probability that a relatively small B satisfies (p − 1) | B! is very low. Conversely, increasing B (for example to B ≈ √n) makes the algorithm succeed, but then it is no faster than the trial-division approach presented above.
This algorithm is only effective against RSA when n has a prime factor p such that (p − 1) has only very small prime divisors. We can therefore easily build an RSA public-key system that is secure against the p − 1 attack. The simplest way is to find a large prime p1 such that p = 2p1 + 1 is also prime, and likewise a large prime q1 such that q = 2q1 + 1 is prime.
6.2.2.3
Obtaining the value d is not easy, because it is the private key and whoever knows it can decrypt every corresponding message. The algorithm below is nevertheless of theoretical interest: it shows that whoever has d can compute the factors of n. When this happens, the key owner cannot simply change the public key but must change the modulus n as well.
Recall that the equation x^2 ≡ 1 (mod p) has two solutions (modulo p), namely x = ±1 mod p. Likewise, x^2 ≡ 1 (mod q) has two solutions (modulo q), namely x = ±1 mod q. Since
  x^2 ≡ 1 (mod n) ⇔ x^2 ≡ 1 (mod p) ∧ x^2 ≡ 1 (mod q)   (6.8)
we have
  x^2 ≡ 1 (mod n) ⇔ x ≡ ±1 (mod p) ∧ x ≡ ±1 (mod q)   (6.9)
If the chosen w happens to be a multiple of p or q, then at step 2 of the algorithm we can factor n immediately. If w is coprime to n, we compute w^r, w^{2r}, w^{4r}, ... until there is a t such that
  $w^{2^t r} \equiv 1 \pmod n$   (6.10)
Since ab − 1 = 2^s r ≡ 0 (mod φ(n)), we have $w^{2^s r} \equiv 1 \pmod n$. Hence the while loop at step 8 of the algorithm runs at most s times.
Otherwise, v0 is a non-trivial square root of 1 modulo n and we can factor n.
Algorithm 6.4. Factoring algorithm given the decryption exponent a
  Choose a random w with 1 ≤ w ≤ n − 1
  Compute x = gcd(w, n)
  if 1 < x < n then
    Stop the algorithm (success, with x = q or x = p)
  end if
  Compute a = A(b)   (the decryption exponent matching b)
  Write ab − 1 = 2^s r with r odd
  Compute v = w^r mod n
  if v ≡ 1 (mod n) then
    Stop the algorithm (failure)
  end if
  while v ≢ 1 (mod n) do
    v0 = v
    v = v^2 mod n
  end while
  if v0 ≡ −1 (mod n) then
    Stop the algorithm (failure)
  else
    Compute x = gcd(v0 + 1, n)
    Stop the algorithm (success, with x = q or x = p)
  end if
6.2.2.4
Simmons and Norris showed that the RSA system can be compromised by the cycling attack. When the adversary knows the public key {n, e} and a ciphertext C, he can compute the following sequence of ciphertexts:
  C1 = C^e (mod n)
  C2 = C1^e (mod n)
  ...
  Ci = C_{i−1}^e (mod n)   (6.11)
If there is an element Cj in the sequence C1, C2, C3, ..., Ci such that Cj = C, then he finds M = C_{j−1}, because
  Cj = C_{j−1}^e (mod n)
  C = M^e (mod n)   (6.12)
Example: suppose he knows {n, e, C} = {35, 17, 3}. He computes:
  C1 = C^e (mod n) = 3^17 (mod 35) = 33
  C2 = C1^e (mod n) = 33^17 (mod 35) = 3
Since C2 = C, we have M = C1 = 33.
6.2.3
The RSA system has the property that information is not always concealed. Suppose the sender has e = 17 and n = 35. If he wants to send any value in the set {1, 6, 7, 8, 13, 14, 15, 20, 21, 22, 27, 28, 29, 34}, the result of encryption is the original value itself, that is, M = M^e mod n.
And when p = 109, q = 97 and e = 865, the system conceals nothing at all, because for every M, M = M^865 mod (109 × 97).
For every n there are at least 9 cases in which the encryption result is the original value. Indeed, M = M^e mod n holds if and only if
  M = M^e mod p   (6.1)
  M = M^e mod q   (6.2)
For every e, (6.2) has at least the three solutions {0, 1, −1}. To determine the exact number of unconcealed messages (messages unchanged by encryption) we use the following theorem: if the messages in an RSA system are determined by the modulus n = p·q (p, q prime) and the public key e, then there are
  m = [1 + gcd(e − 1, p − 1)] [1 + gcd(e − 1, q − 1)]
unconcealed messages.
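The three weaknesses of 6.2.2.2, 6.2.2.4 and 6.2.3 carried through in Python as an added example (not code from the text): Algorithm 6.3 on the text's n = 15770708441 with B = 180, the cycling attack on the text's {n, e, C} = {35, 17, 3}, and the unconcealed-message count checked by brute force for n = 35 and for p = 109, q = 97, e = 865. The small safe-prime modulus 23 × 47 used to show the p − 1 mitigation is a constructed value.

```python
# RSA weaknesses from 6.2.2.2, 6.2.2.4 and 6.2.3 (added example).
import math


def pollard_p_minus_1(n, B):
    """Algorithm 6.3. Returns a non-trivial factor of n, or None on failure."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)                 # after the loop a = 2^(B!) mod n, eq. (6.3)
    d = math.gcd(a - 1, n)               # step 3
    return d if 1 < d < n else None      # step 4


def cycling_attack(n, e, c, max_steps=None):
    """6.2.2.4: re-encrypt c until the ciphertext recurs; the element just
    before the recurrence is the plaintext.  Returns (plaintext, steps) or None."""
    limit = n if max_steps is None else max_steps
    prev, cur = c, pow(c, e, n)          # prev = C, cur = C1
    for steps in range(1, limit + 1):
        if cur == c:                     # C_j == C, so M = C_{j-1}
            return prev, steps
        prev, cur = cur, pow(cur, e, n)
    return None


def unconcealed_count(e, p, q):
    """Number of messages with M^e = M (mod pq), by the theorem in 6.2.3."""
    return (1 + math.gcd(e - 1, p - 1)) * (1 + math.gcd(e - 1, q - 1))


def unconcealed_messages(e, n):
    """Brute-force list of the fixed points of x -> x^e mod n (small n only)."""
    return [m for m in range(n) if pow(m, e, n) == m]


if __name__ == "__main__":
    print(pollard_p_minus_1(15770708441, 180))        # 135979, as in the text
    print(pollard_p_minus_1(23 * 47, 10))             # None: 23 = 2*11+1, 47 = 2*23+1
    print(cycling_attack(35, 17, 3))                  # (33, 2)
    print(unconcealed_count(17, 5, 7), unconcealed_messages(17, 35))
    print(unconcealed_count(865, 109, 97) == 109 * 97)
```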
The key to decrypting the information is to obtain the values p and q that make up n. With these two values one can easily compute φ(n) = (p − 1)(q − 1) and a = b^{−1} mod φ(n) by the extended Euclidean algorithm. If the integer n can be factored, that is, if p and q can be determined, the security of the RSA method is no longer guaranteed. The security of RSA therefore rests on the fact that computers at present are unable to factor very large integers. With the ever faster development of computers and breakthroughs in mathematics, however, RSA will face difficulties in protecting information. In 1994 Peter Shor, a scientist at AT&T laboratories, gave an algorithm that can efficiently factor very large integers on a quantum computer. Although quantum computers cannot yet be built, RSA will clearly face major challenges in the future.
6.2.4
The prime number problem
To keep the RSA system secure, the integer n = pq must be large enough that factoring n is not easy. At present, factoring algorithms can handle integers of more than 130 (decimal) digits. To be safe, the primes p and q must be large, for example more than 100 digits. The problem is then how to check quickly and accurately whether a positive integer n is prime or composite. By definition, a positive integer n is prime if and only if it is divisible only by 1 and n (considering positive integers only). It follows that n is prime if and only if it has no positive divisor in 2, ..., ⌊√n⌋. Thus:
  n is prime ⇔ ∀ i ∈ {2, ..., ⌊√n⌋}: n ≢ 0 (mod i)
Testing whether a positive integer n is prime in this way gives a completely exact answer. However, the running time is clearly very large, or the test is even infeasible, when n is relatively large.
6.2.5 The Miller–Rabin algorithm
In practice, testing whether a positive integer n is prime usually uses methods from the Monte Carlo family, such as the Solovay–Strassen or the Miller–Rabin algorithm; of these, Miller–Rabin is the more widely used. These algorithms have the advantage of being fast (n can be tested in time proportional to log2 n, i.e. the number of bits in its binary representation), but their conclusion may not be completely correct: a composite n may be declared prime, although the probability of such an incorrect conclusion is not high. This can be remedied by running the algorithm many times, which reduces the chance of a wrong conclusion below an acceptable threshold, after which the conclusion is considered highly reliable. Definition 6.1: A Monte Carlo algorithm is used to affirm or deny a statement. The algorithm always gives an answer, and the answer is either Yes or No.
Definition 6.2: A yes-biased Monte Carlo algorithm is a Monte Carlo algorithm in which the answer Yes is always correct but the answer No may be incorrect.
Algorithm 6.5. The Miller–Rabin algorithm
  Write the positive integer p as p = 2^k m + 1 with m odd
  Choose a random integer a ∈ {1, 2, ..., p − 1}
  Compute b = a^m mod p
  if b ≡ 1 (mod p) then
    Conclude that p is prime and stop
  end if
  for i = 0 to k − 1
    if b ≡ p − 1 (mod p) then
      Conclude that p is prime and stop
    else
      b = b^2 mod p
    end if
  end for
  Conclude that p is composite
The Miller–Rabin algorithm is a yes-biased Monte Carlo algorithm for the predicate "the positive integer n is composite". The probability of a wrong conclusion, i.e. of concluding that n is prime when it is in fact composite, is at most 25%. If the algorithm is applied k times with different values of a and still concludes that n is prime, the probability that this conclusion is correct is 1 − 1/4^k ≈ 1 for large k.
6.2.6
X l s hc
Trong phng php m ha RSA, nhu cu tnh gi tr ca biu thc z = xb mod n c t ra trong c thao tc m ha v gii m. Nu thc hin vic tnh gi tr theo cch thng thng th r rng l khng hiu qu do thi gian x l qu ln.
The square-and-multiply algorithm can be used to compute the value z = x^b mod n quickly and efficiently.
Algorithm 6.6. The square-and-multiply algorithm for computing z = x^b mod n
Write b in binary as b_{l−1} b_{l−2} ... b_1 b_0, with b_i ∈ {0, 1}, 0 ≤ i < l
z = 1
x = x mod n
for i = l − 1 downto 0
    z = z² mod n
    if b_i = 1 then
        z = z·x mod n
    end if
end for
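As an added example that is not code from the textbook, the two algorithms above in Python: square-and-multiply (Algorithm 6.6) and one Miller-Rabin round (Algorithm 6.5), plus a helper that counts how many bases in {1, ..., n − 1} fool a single round on a given composite, which is what the 25% bound of Section 6.2.5 is about. The Carmichael number 561 and the other numbers used in the checks are my own choices.

```python
import random


def square_and_multiply(x: int, b: int, n: int) -> int:
    """Algorithm 6.6: z = x^b mod n, scanning the bits of b from b_{l-1} down to b_0."""
    z = 1
    x %= n
    for bit in bin(b)[2:]:
        z = (z * z) % n            # square for every bit
        if bit == "1":
            z = (z * x) % n        # multiply when the current bit is 1
    return z


def miller_rabin_pass(p: int, a: int) -> bool:
    """One run of Algorithm 6.5 with base a (p odd, p > 2, 1 <= a <= p - 1).

    Returns True when the base declares p "prime" and False when it proves
    p composite. A True answer may be wrong (a is then a "strong liar");
    a False answer never is.
    """
    # write p = 2^k * m + 1 with m odd
    k, m = 0, p - 1
    while m % 2 == 0:
        k += 1
        m //= 2
    b = square_and_multiply(a, m, p)
    if b == 1:
        return True
    for _ in range(k):
        if b == p - 1:             # b == -1 (mod p)
            return True
        b = (b * b) % p
    return False


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Repeat Algorithm 6.5 with independent random bases; a composite
    survives all rounds with probability at most (1/4)^rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = random.randrange(1, n)     # a in {1, 2, ..., n - 1}
        if not miller_rabin_pass(n, a):
            return False
    return True


def strong_liar_fraction(n: int) -> float:
    """Fraction of bases a in {1, ..., n - 1} for which a single round wrongly
    reports the composite n as prime (the text bounds this by 25%)."""
    liars = sum(1 for a in range(1, n) if miller_rabin_pass(n, a))
    return liars / (n - 1)
```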
6.3
Conventional encryption methods have the advantage of being very fast compared with public-key encryption methods. Because the key used for encryption is also the key used for decryption, the content of the key must be kept secret, and the key is therefore called a secret key. Even when the key is exchanged directly, it may still be discovered. The difficulty facing these methods is precisely the key exchange problem.
Public-key encryption methods, on the other hand, make key exchange much easier. The content of a public key does not have to be kept secret, unlike the secret key of conventional methods. Using public keys, a secret key can be exchanged safely by the procedure in Figure 6.2.
[Figure 6.2. Procedure for exchanging a secret key using public keys (figure labels: secret key, key, secret key)]
The remaining problem with public keys is how to confirm exactly who the true owner of a given public key is (see Chapter 10).
From Table 6.1 we can see that, to reach a level of security equivalent to that of a conventional encryption method, a public-key method must use a key many times longer than the secret key used in conventional encryption. This is shown even more clearly by the chart in Figure 6.3 comparing the cost needed to break a secret key and a public key. The key sizes are computed from the cryptanalysis cost-estimation model proposed by the US National Research Council [43].

Table 6.1. Security comparison between secret keys and public keys

Conventional encryption                | Public-key encryption
Key size (bits) | Algorithm           | Key size (bits) | Application
56              | DES                 | 256             |
70              |                     | 384             | Old PGP version (minimum size)
80              | SKIPJACK            | 512             | Short DSS, PGP low grade
96              |                     | 768             | PGP high grade
112             | 3DES with 2 keys    | 1024            | Long DSS, PGP military grade
128             | IDEA, AES           | 1440            |
150             |                     | 2047            | PGP alien grade
168             | 3DES with 3 keys    | 2880            |
192             | AES                 | 3000            |
256             | AES                 | 4096            |
[Figure 6.3. Cost of breaking a secret key versus a public key; vertical axis: cost; horizontal axis: key size of 64, 128, 256, 512, 1K, 2K and 4K bits]
In practice, a public key is easier to attack than a secret key. To find a secret key, the cryptanalyst needs additional information about the characteristics of the plaintext before encryption in order to find clues, instead of exhaustively searching the key space. Moreover, deciding whether a decrypted message really is the original message before encryption is itself a hard problem. For public keys, by contrast, a complete break is feasible given sufficient resources and processing time. In addition, to decrypt a message encrypted with a public-key method, the cryptanalyst does not have to search the entire key space but only a subset of it.
Moreover, public keys are more attractive targets for cryptanalysts than secret keys. A public key is typically used to encrypt secret keys during secret-key exchange. If the public key is broken, every message subsequently encrypted with those secret keys is also exposed, whereas discovering one secret key exposes only the messages encrypted with that key. In practice a secret key is usually used only once and is therefore worth less than a public key. In short, although a public key is used to encrypt only short pieces of information, that information is important.
Chapter 7. Digital signatures

Chapter 7 introduces the concept of digital signatures together with some widely used digital signature methods: RSA, ElGamal and DSS.

7.1 Introduction
A digital signature is not used to keep information confidential but to protect it from being deliberately altered by others to produce false information. In other words, a digital signature identifies the person who created, or is responsible for, a message.
A digital signature method consists of two main components: an algorithm for generating the digital signature and a corresponding algorithm for verifying it.
Definition 7.1: A digital signature method is defined as a 5-tuple (P, A, K, S, V) satisfying the following conditions:
1. P is a finite set of messages.
2. A is a finite set of signatures that can be used.
3. The key space K is a finite set of keys that can be used.
4. For each key k ∈ K there is a signing algorithm sig_k ∈ S and a corresponding verification algorithm ver_k ∈ V. Each sig_k : P → A and ver_k : P × A → {true, false} is a function satisfying:
∀x ∈ P, y ∈ A: ver_k(x, y) = true if y = sig_k(x), and false if y ≠ sig_k(x). (7.1)
7.2
The RSA digital signature method is built on the RSA public-key encryption method.

Algorithm 7.1. The RSA digital signature method
Let n = pq with p and q two distinct odd primes. Let P = C = Z_n and define:
K = {(n, p, q, a, b): n = pq, p, q prime, ab ≡ 1 (mod φ(n))}
The values n and b are published, while p, q and a are kept secret.
For each K = (n, p, q, a, b) ∈ K, define:
sig_K(x) = x^a mod n and ver_K(x, y) = true ⇔ x ≡ y^b (mod n), with x, y ∈ Z_n
7.3
The ElGamal digital signature method was introduced in 1985. Later, the US National Institute of Standards and Technology (NIST) modified and extended it into the Digital Signature Standard (DSS). Unlike the RSA method, which applies both to public-key encryption and to digital signatures, the ElGamal method was built solely to address the digital signature problem.
7.3.1 The discrete logarithm problem

Statement of the discrete logarithm problem: given a prime p, let α ∈ Z_p be a generator and β ∈ Z_p*. Find the positive integer a ∈ Z_{p−1} such that
β ≡ α^a (mod p) (7.2)
Then a is denoted log_α β.

In practice, the discrete logarithm problem belongs to the class NP; in other words, no polynomial-time algorithm that solves it is known. With p having at least 150 digits and p − 1 having a large prime factor, exponentiation modulo p can be regarded as a one-way function, and solving the discrete logarithm problem in Z_p is regarded as infeasible.
7.3.2

Algorithm 7.2. The ElGamal digital signature method
Let p be a prime such that solving the discrete logarithm problem in Z_p is regarded as infeasible. Let α ∈ Z_p* be a generator. Let P = Z_p*, A = Z_p* × Z_{p−1} and define
K = {(p, α, a, β): β ≡ α^a (mod p)}
The values p, α and β are published, while a is kept secret.
For each K = (p, α, a, β) ∈ K and a random (secret) number k ∈ Z_{p−1}*, define sig_K(x, k) = (γ, δ) with
γ = α^k mod p
and
δ = (x − aγ) k^{−1} mod (p − 1)
For x, γ ∈ Z_p* and δ ∈ Z_{p−1}, define ver_K(x, γ, δ) = true ⇔ β^γ γ^δ ≡ α^x (mod p)
7.4
The Digital Signature Standard (DSS) is a refinement of the ElGamal method. It was published in the Federal Register on 19 May 1994 and officially became a standard on 1 December 1994.
Algorithm 7.3. The Digital Signature Standard
Let p be a 512-bit prime such that solving the discrete logarithm problem in Z_p is regarded as infeasible, and let q be a 160-bit prime that divides p − 1. Let α ∈ Z_p* be a q-th root of unity modulo p. Let P = Z_q*, A = Z_q × Z_q and define
K = {(p, q, α, a, β): β ≡ α^a (mod p)}
The values p, q, α and β are published, while a is kept secret.
For each K = (p, q, α, a, β) ∈ K and a random (secret) number k ∈ Z_q*, define sig_K(x, k) = (γ, δ) with
γ = (α^k mod p) mod q
and
δ = (x + aγ) k^{−1} mod q
For x ∈ Z_q* and γ, δ ∈ Z_q, define ver_K(x, γ, δ) = true ⇔ (α^{e1} β^{e2} mod p) mod q = γ, with e1 = x δ^{−1} mod q and e2 = γ δ^{−1} mod q
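The ElGamal equations of Algorithm 7.2 and the DSS equations of Algorithm 7.3 in Python, as an added example that is not code from the textbook. The ElGamal parameters p = 467, α = 2, a = 127 and the DSS parameters p = 23, q = 11, α = 2 are small toy values chosen for the example; the range checks on γ and δ in the verifiers, and the requirement k ∈ Z_{p−1}*, are practitioner additions that the algorithms in the text leave implicit.

```python
from math import gcd


def inv_mod(a: int, m: int) -> int:
    """Modular inverse a^{-1} mod m (Python 3.8+ pow)."""
    return pow(a, -1, m)


# ---- Algorithm 7.2: ElGamal signatures ------------------------------------
def elgamal_keygen(p: int, alpha: int, a: int) -> int:
    """Return the public value beta = alpha^a mod p for secret a."""
    return pow(alpha, a, p)


def elgamal_sign(p: int, alpha: int, a: int, x: int, k: int):
    """sig_K(x, k) = (gamma, delta); k must be invertible modulo p - 1."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must lie in Z*_{p-1}")
    gamma = pow(alpha, k, p)
    delta = ((x - a * gamma) * inv_mod(k, p - 1)) % (p - 1)
    return gamma, delta


def elgamal_verify(p: int, alpha: int, beta: int, x: int, sig) -> bool:
    """ver_K(x, gamma, delta): beta^gamma * gamma^delta == alpha^x (mod p)."""
    gamma, delta = sig
    if not 1 <= gamma <= p - 1:          # added check: gamma must be in Z_p*
        return False
    lhs = (pow(beta, gamma, p) * pow(gamma, delta, p)) % p
    return lhs == pow(alpha, x, p)


# ---- Algorithm 7.3: Digital Signature Standard ----------------------------
def dss_sign(p: int, q: int, alpha: int, a: int, x: int, k: int):
    """sig_K(x, k) with gamma = (alpha^k mod p) mod q, delta = (x + a*gamma) k^{-1} mod q."""
    gamma = pow(alpha, k, p) % q
    delta = ((x + a * gamma) * inv_mod(k, q)) % q
    if gamma == 0 or delta == 0:         # added check: a zero component is unusable, pick a new k
        raise ValueError("degenerate signature, choose another k")
    return gamma, delta


def dss_verify(p: int, q: int, alpha: int, beta: int, x: int, sig) -> bool:
    """ver_K(x, gamma, delta) with e1 = x*delta^{-1}, e2 = gamma*delta^{-1} (mod q)."""
    gamma, delta = sig
    if not (0 < gamma < q and 0 < delta < q):   # added range check
        return False
    w = inv_mod(delta, q)
    e1 = (x * w) % q
    e2 = (gamma * w) % q
    return ((pow(alpha, e1, p) * pow(beta, e2, p)) % p) % q == gamma
```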
Electronic documents such as business contracts or wills may need to have their signatures verified many times over a long period, so the security of digital signatures deserves extra attention. Because the security of the ElGamal method depends on the difficulty of solving the discrete logarithm problem, a large prime p must be used (at least 512 bits [43]). With a 512-bit prime p, the generated signature is 1024 bits long, which is unsuitable for smart-card applications that need shorter signatures. The DSS method addresses this by using a 320-bit signature on a 160-bit message, with all computations carried out in a subset of Z_p* with 2^160 elements, where p is a 512-bit prime.
In Chapters 6 and 7 we studied the concepts and some widely used methods of public-key cryptosystems and digital signatures. In this chapter we study the application of the mathematical theory of elliptic curves over finite fields to public-key cryptosystems.

8.1 Elliptic curve theory

Public-key cryptosystems are based on problems that are hard to solve, where "hard" means that the number of operations needed to find a solution is very large. In the 20-year history of asymmetric cryptography many such problems have been proposed, but only two of them have stood the test of time: the discrete logarithm problem and the integer factorization problem.
In 1985, Neal Koblitz and Victor S. Miller independently proposed applying the mathematical theory of elliptic curves over finite fields [35]. Elliptic curves, like algebraic geometry, have been studied extensively over the past 150 years and have yielded valuable theoretical results. Elliptic curves were first encountered in the 17th century in the form of the Diophantine equation y² − x³ = c with c ∈ Z.

The security of elliptic curve cryptosystems rests on the complexity of the discrete logarithm problem in this algebraic system. Over the past 10 years this problem has received wide attention from leading mathematicians around the world. Unlike the discrete logarithm problem over finite fields and the integer factorization problem, the discrete logarithm problem on elliptic curves has no known algorithm with sub-exponential running time; the best algorithm known to date takes exponential time [27].
8.1.1
Let K be a finite or infinite field. An elliptic curve over the field K is defined by the Weierstrass equation:
y² + a₁xy + a₃y = x³ + a₂x² + a₄x + a₆ (8.1)
where a₁, a₂, a₃, a₄, a₆ ∈ K.
An elliptic curve over the field K is denoted E(K). The number of integer points on E is denoted #E(K), or sometimes simply #E. For different fields, the Weierstrass equation can be transformed and simplified into different forms. An elliptic curve is the set of points satisfying the equation above.
8.1.2
An elliptic curve E over the real field R is the set of points (x, y) satisfying the equation:
y² = x³ + a₄x + a₆ with a₄, a₆ ∈ R (8.2)
together with a special point O called the point at infinity (which is also the identity element). The pair (x, y) represents a point on the elliptic curve and lies in the two-dimensional (affine) coordinate plane R × R. The elliptic curve E over R² is said to be defined over R, denoted E(R). An elliptic curve over the reals can be used to form a group (E(R), +) consisting of the set of points (x, y) ∈ R × R with the addition + on E(R).
8.1.2.1 Point addition

[Figure 8.2. The point at infinity]

Point addition (ESUM) is defined on the set E(R) of points (x, y). The point at infinity O is the point which, added to any point, yields that same point. Thus:
∀P(x, y) ∈ E(R): P + O = O + P = P, where P(x, y) ∈ E(R) means y² = x³ + a₄x + a₆ (8.3)
Addition on E(R) is defined geometrically. Suppose P and Q are two distinct points with P, Q ∈ E(R). Addition in the elliptic curve group is P + Q = R with R ∈ E(R).

Expressing elliptic curve addition algebraically, we have P = (x₁, y₁), Q = (x₂, y₂), R = P + Q = (x₃, y₃), where P, Q, R ∈ E(R) and:
x₃ = λ² − x₁ − x₂ (8.5)
y₃ = λ(x₁ − x₃) − y₁ (8.6)
with
λ = (y₂ − y₁)/(x₂ − x₁) if P ≠ Q (8.7)
or
λ = (3x₁² + a₄)/(2y₁) if P = Q (8.8)
The addition algorithm on an elliptic curve is as follows:
Algorithm 8.1: Point addition on an elliptic curve
Input: the elliptic curve E(R) with parameters a₄, a₆; points P = (x₁, y₁) ∈ E(R) and Q = (x₂, y₂) ∈ E(R)
Output: R = P + Q, R = (x₃, y₃) ∈ E(R)
If P = O then R ← Q and return R
If Q = O then R ← P and return R
If x₁ = x₂ then
    If y₁ = y₂ then
        λ ← (3x₁² + a₄)/(2y₁)
    Else
        R ← O and return R
    End If
Else
    λ ← (y₂ − y₁)/(x₂ − x₁)
End If
x₃ ← λ² − x₁ − x₂
y₃ ← λ(x₁ − x₃) − y₁
Return R = (x₃, y₃)
8.1.2.2 Point doubling

Consider doubling (EDBL): when adding two points P, Q ∈ E(R) with P = Q, the line L is the tangent to the elliptic curve at the point P. In this case the point R is the remaining intersection of L with E, and R = 2P.
8.1.3
Elliptic curves are built over finite fields. Two kinds of finite field are commonly used: the finite field F_q with q a prime, or with q = 2^m (m an integer).

Depending on the finite field F_q, for each order q there exist many elliptic curves. Hence, for a fixed finite field with q elements and q large, there are many choices of elliptic curve groups.
8.1.3.1
Let p be a prime (p > 3) and let a, b ∈ F_p with 4a³ + 27b² ≠ 0 in F_p. An elliptic curve E(F_p) over F_p (defined by the parameters a and b) is the set of pairs (x, y) with x, y ∈ F_p satisfying the equation y² = x³ + ax + b (8.9)
(8.10)
The operations of an elliptic curve over F_p are the same as for E(R). The set of points of E(F_p) forms a group satisfying the following properties:
o Closure: ∀a, b ∈ G, a + b ∈ G.
o Associativity: the group operation is associative, so (a + b) + c = a + (b + c).
o Identity element: there is an element 0 ∈ G such that a + 0 = 0 + a = a for all a ∈ G.
o Inverse element: ∀a ∈ G, ∃ −a ∈ G, called the negative of a, such that a + (−a) = (−a) + a = 0.
r·A = A + A + ... + A (r terms) = O (8.11)
8.1.3.2
An elliptic curve E(F_{2^m}) over F_{2^m}, defined by parameters a, b ∈ F_{2^m} (with b ≠ 0), is the set of points (x, y) with x ∈ F_{2^m}, y ∈ F_{2^m} satisfying the equation: y² + xy = x³ + ax² + b (8.12)
q + 1 − 2√q ≤ #E(F_{2^m}) ≤ q + 1 + 2√q (8.13)

The set of points of E(F_{2^m}) forms a group satisfying the following properties:
o O + O = O
o (x, y) + O = (x, y), ∀(x, y) ∈ E(F_{2^m})
o (x, y) + (x, x + y) = O, ∀(x, y) ∈ E(F_{2^m}); thus (x, x + y) is the negative of (x, y) on E(F_{2^m})
Processing is carried out in two different coordinate systems: affine coordinates and projective coordinates. The computations on the curve differ between coordinate systems.

Elliptic curve operations in affine coordinates
Elliptic curve cryptosystems are based on the discrete logarithm problem on E(F_{2^m}) and on the basic operations on the elliptic curve. Multiplication is expressed as a sequence of additions and doublings of points on the curve. As for elliptic curves over the reals, addition and doubling are defined in this coordinate system.
Consider an elliptic curve E over F_{2^m} in affine coordinates. Let P = (x₁, y₁) and Q = (x₂, y₂) be two points on the elliptic curve E(F_{2^m}). The negative of P is −P = (x₁, y₁ + x₁) ∈ E(F_{2^m}). If Q ≠ −P then P + Q = R = (x₃, y₃) ∈ E(F_{2^m}).

If P ≠ Q then
λ = (y₁ + y₂)/(x₁ + x₂)
x₃ = λ² + λ + x₁ + x₂ + a₂
y₃ = λ(x₁ + x₃) + x₃ + y₁ (8.14)

If P = Q then
λ = x₁ + y₁/x₁
x₃ = λ² + λ + a₂
y₃ = x₁² + (λ + 1)x₃ (8.15)
Algorithm 8.2: Point addition in affine coordinates
Input: the elliptic curve E(F_{2^m}) with parameters a₂, a₆ ∈ F_{2^m}; points P = (x₁, y₁) ∈ E(F_{2^m}) and Q = (x₂, y₂) ∈ E(F_{2^m})
Output: R = P + Q, R = (x₃, y₃) ∈ E(F_{2^m})
If P = O then R ← Q and return R
If Q = O then R ← P and return R
If x₁ = x₂ then
    If y₁ = y₂ then
        λ ← x₁ + y₁/x₁ and x₃ ← λ² + λ + a₂ and y₃ ← x₁² + (λ + 1)x₃
    Else
        R ← O and return R
    End If
Else
    λ ← (y₁ + y₂)/(x₁ + x₂) and x₃ ← λ² + λ + x₁ + x₂ + a₂ and y₃ ← λ(x₁ + x₃) + x₃ + y₁
End If
Return R = (x₃, y₃)
The curve E(F_{2^m}) can be regarded as equivalent to the set of points E'(F_{2^m}) in the projective plane P²(F_{2^m}) satisfying the equation: y²z + xyz = x³ + a₂x²z² + a₆z³ (8.16)

By using projective coordinates, the inversion that point addition and doubling require in affine coordinates can be eliminated.

Each point (a, b) ∈ E(F_{2^m}) in affine coordinates can be regarded as the triple (x, y, z) in E'(F_{2^m}) in projective coordinates with x = a, y = b, z = 1. Furthermore, a point (tx, ty, tz) in projective coordinates with t ≠ 0 is regarded as the same point as (x, y, z). The conversion between affine and projective coordinates is therefore:
M(a, b) = M'(a, b, 1) (8.17)
N(p, q, r) = N'(p/r, q/r, 1) = N(p/r, q/r) (8.18)
The way the addition and doubling formulas are presented in projective coordinates is similar to the affine case.

Let P' = (x₁ : y₁ : z₁) ∈ E'(F_{2^m}) and Q' = (x₂ : y₂ : z₂) ∈ E'(F_{2^m}) with P' ≠ Q', where P' and Q' are in projective coordinates. Since P' = (x₁/z₁ : y₁/z₁ : 1), we can apply the affine addition and multiplication formulas for E(F_{2^m}) to the points P(x₁/z₁, y₁/z₁) and Q(x₂, y₂) to find P' + Q' = R'(x'₃ : y'₃ : 1).
From this we have:
x'₃ = B²/A² + B/A + A/z₁ + a₂
y'₃ = (B/A)(x₁/z₁ + x'₃) + x'₃ + y₁/z₁ (8.19)
where A = x₂z₁ + x₁ and B = y₂z₁ + y₁. Setting z₃ = A³z₁ and x₃ = x'₃z₃, y₃ = y'₃z₃, if P + Q = (x₃ : y₃ : z₃) then:
x₃ = AD, y₃ = CD + A²(Bx₁ + Ay₁), z₃ = A³z₁, with C = A + B and D = A²(A + a₂z₁) + z₁BC. (8.20)

Similarly 2P = (x₃ : y₃ : z₃) with
x₃ = AB, y₃ = x₁⁴A + B(x₁² + y₁z₁ + A), z₃ = A³, where A = x₁z₁ and B = a₆z₁⁴ + x₁⁴. (8.21)
The resulting point can be converted back to affine coordinates by multiplying by z₃⁻¹. Thus no inversion is needed while working in projective coordinates; only a single inversion is required after a sequence of additions and doublings, to convert back to affine coordinates.
Table 8.1. Number of operations required by elliptic curve operations in affine and projective coordinates

Operation      | Affine ESUM | Affine EDBL | Projective ESUM | Projective EDBL
Multiplication | 2           | 2           | 13              | 7
Inversion      | 1           | 1           | 0               | 0

8.1.3.3 Point multiplication on the curve

Algorithm 8.3: Point multiplication in affine coordinates
Input: P ∈ E(F_{2^m}) and c ∈ F_{2^m}
Output: Q = c·P
c = Σ_{i=0}^{n} b_i 2^i, b_i ∈ {0, 1}, b_n = 1 (8.22)
Q ← P
for i = n − 1 downto 0
    Q ← Q + Q (affine EDBL)
    if b_i = 1 then
        Q ← Q + P (affine ESUM)
    end if
end for
Return Q
Algorithm 8.4: Point multiplication in projective coordinates
Input: P ∈ E(F_{2^m}) and c ∈ F_{2^m}
Output: Q = c·P
c = Σ_{i=0}^{n} b_i 2^i, b_i ∈ {0, 1}, b_n = 1
Represent P in projective coordinates: P'
Q' ← P'
for i = n − 1 downto 0
    Q' ← Q' + Q' (projective EDBL)
    if b_i = 1 then
        Q' ← Q' + P' (projective ESUM)
    end if
end for
Represent Q' in affine coordinates to obtain Q
Return Q
8.1.4
The elliptic curve discrete logarithm problem (ECDLP): let E be an elliptic curve and P ∈ E a point of order n. Given a point Q ∈ E, find the positive integer m (2 ≤ m ≤ n − 2) such that Q = m·P.

At present no algorithm is considered efficient for solving this problem. To solve the discrete logarithm problem on an elliptic curve, every value m ∈ [2..n − 2] must be checked. If the point P is chosen carefully with n very large, solving the ECDLP is regarded as infeasible. Solving the ECDLP is harder than solving the discrete logarithm problem over the ordinary integers [2].
8.1.5
The mathematical theory underlying elliptic curves has been applied quite effectively by researchers to encryption and security (Elliptic Curve Cryptography, ECC). Results on elliptic curves are used in data encryption, key exchange and digital signatures.
8.2 Data encryption

The Elliptic Curve Encryption Scheme (ECES) consists of two operations: encryption and decryption.

Before encrypting data with elliptic curves, the sender and the receiver must each own a public/private key pair. The following values are agreed between sender and receiver and are called the common parameters of the cryptosystem:
o the elliptic curve E;
o a point P, P ∈ E; the point P has order n (n·P = O).
Key generation proceeds as follows:
o Choose an arbitrary integer d, d ∈ [2, n − 2]. This is the private key.
o Compute the point Q = d·P ∈ E. This is the public key.
8.2.1 Encryption

The encryption operation encrypts a message with the recipient's public key and the curve parameters agreed between the sender (B) and the recipient (A).

The encryption sequence is as follows:
o B uses A's public key (Q_A).
o B chooses an arbitrary integer k ∈ [2, n − 2].
o B computes the point (x₁, y₁) = k·P.
o B computes the point (x₂, y₂) = k·Q_A. x₂ is the secret value that will be used to generate the message encryption key.
o B builds a mask Y from the secret value x₂. Y is produced by a mask generation function; depending on how that function is implemented, Y takes different values. Y is the agreed key for encrypting the message.
o B computes C = enc(Y, M). C is the encrypted message. Usually enc(Y, M) = Y ⊕ M.
o B sends A the encrypted message C together with the value (x₁, y₁).

The value k and the point (x₁, y₁) are not B's private and public transaction keys. They are a one-time public/private key pair generated to encrypt this message. Each encrypted message should use a freshly and randomly generated public/private key pair.
8.2.2
In ECES the encryption function normally XORs the key with the message. In practice, to increase the security of the encryption algorithm, elliptic curve cryptosystems replace the XOR of message and key with a stronger symmetric encryption algorithm. [27] presents the ECAES method, which is exactly the combination of ECES with AES. The extended 256/384/512-bit and 512/768/1024-bit algorithms can also be used in the ECES encryption step to obtain a cryptosystem of very high security.
8.2.3 Decryption

Using the agreed parameters together with the recipient's (A's) secret key and the value (x₁, y₁), A decrypts the ECES ciphertext C as follows:

Decryption sequence:
o A receives the value (x₁, y₁).
o A computes the point (x₂, y₂) = d·(x₁, y₁). x₂ is the secret value used to generate the message decryption key.
o Using the same mask function as in the encryption phase, A builds the mask Y from the secret value x₂. Y is the secret decryption key.
o A decrypts the message C to obtain the original message M by computing M = enc⁻¹(C, Y). Usually enc⁻¹(C, Y) = C ⊕ Y.
8.3 Diffie-Hellman key exchange using elliptic curve theory (ECDH)

8.3.1 The Diffie-Hellman key exchange model

In 1976, Whitfield Diffie and Martin Hellman proposed a protocol for exchanging agreed key values between parties over a channel of moderate security. The appearance of the Diffie-Hellman key exchange protocol is regarded as the starting point of public-key cryptography. The protocol is based on the discrete logarithm problem over a finite integer field. The Diffie-Hellman key exchange between two parties A and B proceeds as follows:
o A and B agree on the value g and a prime p < g.
o A chooses a random number m, computes Q_A = g^m and sends Q_A to B.
o B chooses a random number n, computes Q_B = g^n and sends Q_B to A.
o A receives Q_B and computes k = (Q_B)^m = g^{nm}.
o B receives Q_A and computes k = (Q_A)^n = g^{mn}.
k is the shared secret value.
8.3.2

The Elliptic Curve Diffie-Hellman key exchange model is analogous to the Diffie-Hellman model. ECDH also relies on the discrete logarithm problem, but applied on an elliptic curve. The model is used to establish one or more shared keys between two parties A and B.

The ECDH key exchange proceeds as follows:
o A and B agree on the parameters to use: the elliptic curve E and the point P(x, y).
o A chooses a random value m, computes the point Q_A = m·P and sends Q_A to B.
o B chooses a random value n, computes the point Q_B = n·P and sends Q_B to A.
o A receives Q_B and computes G = m·Q_B = mn·P.
o B receives Q_A and computes G = n·Q_A = nm·P.

Suppose an attacker C taps the channel and obtains the values Q_A, Q_B, E and P. C must obtain m or n in order to find G = mn·P, which means that C has to solve the discrete logarithm problem on the elliptic curve. Solving this problem costs as much computation as an exhaustive search on the elliptic curve.
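One way to implement the affine group law of Algorithm 8.1, the double-and-add multiplication of Algorithm 8.3, the ECES encryption and decryption of Section 8.2 and the ECDH exchange of Section 8.3.2 in Python, as an added example rather than code from the textbook. It works over F_p (formula 8.9) rather than F_{2^m}; the curve y² = x³ + 2x + 2 over F_17 with base point P = (5, 1) of order 19 is a constructed toy curve, and the SHA-256-based mask generation function is one hypothetical choice for the function the text leaves open.

```python
import hashlib


class CurveFp:
    """y^2 = x^3 + a*x + b over F_p (formula 8.9); the point at infinity O is None."""

    def __init__(self, p: int, a: int, b: int):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve")
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Algorithm 8.1 with formulas (8.5)-(8.8), every step reduced mod p."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                                    # Q = -P, result is O
        if P == Q:                                         # tangent slope (8.8)
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                                              # chord slope (8.7)
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p                # (8.5)
        y3 = (lam * (x1 - x3) - y1) % self.p               # (8.6)
        return (x3, y3)

    def mul(self, c: int, P):
        """Algorithm 8.3: double-and-add over the bits of c, most significant first."""
        Q = None
        for bit in bin(c)[2:]:
            Q = self.add(Q, Q)                             # EDBL
            if bit == "1":
                Q = self.add(Q, P)                         # ESUM
        return Q


def ecdh(curve: CurveFp, P, m: int, n: int):
    """Section 8.3.2: A holds m, B holds n; both sides derive G = m*n*P."""
    QA = curve.mul(m, P)
    QB = curve.mul(n, P)
    return curve.mul(m, QB), curve.mul(n, QA)


def mask_generation(x2: int, length: int) -> bytes:
    """Hypothetical mask generation function: SHA-256 in counter mode over x2."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{x2}|{counter}".encode()).digest()
        counter += 1
    return out[:length]


def eces_encrypt(curve: CurveFp, P, QA, message: bytes, k: int):
    """Section 8.2.1: returns the one-time point (x1, y1) and C = Y xor M."""
    R = curve.mul(k, P)
    x2, _ = curve.mul(k, QA)
    Y = mask_generation(x2, len(message))
    return R, bytes(m ^ y for m, y in zip(message, Y))


def eces_decrypt(curve: CurveFp, d: int, R, C: bytes) -> bytes:
    """Section 8.2.3: recover x2 from d*(x1, y1) and unmask."""
    x2, _ = curve.mul(d, R)
    Y = mask_generation(x2, len(C))
    return bytes(c ^ y for c, y in zip(C, Y))


def ecdlp_exhaustive(curve: CurveFp, P, Q, n: int):
    """Section 8.1.4: try every m in [2, n-2]; feasible only because n is tiny here."""
    R = curve.mul(2, P)
    for m in range(2, n - 1):
        if R == Q:
            return m
        R = curve.add(R, P)
    return None
```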
8.4 Conclusion

Public-key cryptosystems were created to overcome the limitations of conventional encryption. Public-key encryption uses a key pair: one key (usually the private key) for encryption and one key (the private key) for decryption. Public-key encryption avoids attacks during key exchange, because the decryption key (the private key) never has to be transmitted or shared with anyone. Moreover, each person only needs to own a single public/private key pair, and a sender only needs the recipient's public key, so the number of keys to manage drops considerably. Each person only needs to store their own private key securely.

However, because encryption and decryption are done with two different keys of the same pair, to guarantee security the public/private key sizes must be much larger than the key of a conventional cipher. Public-key encryption is therefore slower than conventional encryption: in software, DES encrypts about 100 times faster than RSA at the same security level.
Table 8.2. Key sizes of conventional and public-key encryption at the same security level

Key size (bits)
Conventional | Public key | ECC
56           | 512        |
80           | 1K         | 160
112          | 2K         | 224
128          | 3K         | 256
192          | 7.5K       | 384
Public-key encryption rests on two major mathematical problems: the discrete logarithm problem and the integer factorization problem. The RSA method is based on the integer factorization problem and was proposed in the late 1970s. The ECC method is based on the discrete logarithm problem in the number field of an elliptic curve (ECDLP) and was only proposed in 1985.

One advantage of ECC is its high security with small key sizes, which stems from the difficulty of the ECDLP. This is a very useful property for today's trend of seeking public-key methods with higher security and shorter keys. Smaller keys shrink the size of certificates exchanged on the network and reduce the size of the cryptosystem's parameters. Small keys also let ECC-based security systems cut key generation time, which is usually very large in RSA systems.

Table 8.3. RSA and ECC key sizes at the same security level

Time to attack the key (years) | RSA / DSA key size | ECC key size | Key size ratio RSA : ECC
10^4                           | 512                | 106          | 5:1
10^8                           | 768                | 132          | 6:1
10^11                          | 1024               | 160          | 7:1
10^20                          | 2048               | 210          | 10:1
10^78                          | 21000              | 600          | 35:1
[Chart: RSA/DSA versus ECC key size in bits (vertical axis 0 to 3000) against attack time of 5×10^4, 4×10^7, 2×10^12, 4×10^16 and 7×10^23]
Thanks to its small key sizes and very fast key generation, ECC is of great interest for applications in environments with limited bandwidth, limited computing power and limited storage. ECC suits digital mobile devices such as handhelds, PDAs, mobile phones and smart cards.
ECC systems have been and are being developed by several large telecommunications and security companies around the world. Prominent among them is Certicom (Canada), which, together with the University of Waterloo, has researched ECC and regards it as the company's main security development strategy; Certicom provides ECC-based security services. Other companies such as Siemens (Germany), Matsushita (Japan) and Thompson (France) are also researching and developing ECC. Recently, RSA Security Laboratory, RSA's main laboratory, began researching ECC in order to bring it into its products.
Nevertheless, ECC still has certain limitations. The biggest one at present is how to choose the curve parameters and the agreed base point so that the required security is actually achieved. Most curves that have been proposed have failed when put into practice, so the number of curves actually in use is not large. NIST has proposed a number of elliptic curves verified as secure for practical use in FIPS 186-2. In addition, for small parameter values, the security of ECC does not match that of RSA (with e = 3). In some cases RSA remains the better choice because it has proven its stability over a fairly long period.
ECC is still young and needs further validation in the future, but it offers great potential for public-key cryptography on mobile devices and smart cards. In the future, ECC will be studied further and brought into wider practical use.
Chapter 9. Cryptographic hash functions

Chapter 7 presented digital signatures. To use digital signatures in practical applications we need cryptographic hash functions, which are the subject of Chapter 9. Besides the popular MD5 and SHS methods, the newer SHA-224 and SHA-256/384/512 methods are also introduced in this chapter.

9.1 Introduction

9.1.1 Problem statement
In practice, messages to be digitally signed can be of any length, even several megabytes. The digital signature algorithms presented above, however, apply to messages of fixed and usually fairly short length; for instance, the DSS method uses a 320-bit signature on a 160-bit message. To resolve this, we could split the message to be signed into pieces of suitable length and sign each piece separately. This solution, however, has many drawbacks and is unsuitable in practice:

o If the document to be signed is long, a great many signatures are generated and the result is a very large message. With the DSS method, for example, the signed message is twice as long as the original document!

o Most highly secure digital signature methods are computationally expensive and therefore slow. Applying the signature algorithm many times over a single document takes a very long time.

o The signed pieces of the document can easily be reordered, or some of them removed, without affecting the validity of the document. Splitting the document cannot guarantee the integrity of the original information to be signed.
9.1.2 Cryptographic hash functions

A cryptographic hash function is a mathematical function that converts a message of arbitrary length into a bit string of fixed length (depending on the hash algorithm). This bit string is called the message digest or hash value and represents the original message.

It is easy to see that a hash function h is not a bijection. Hence, for any message x, there exists a message x' ≠ x such that h(x') = h(x). We then say that a collision occurs.
A hash function h is called secure (or collision-resistant) when it is computationally infeasible to find a pair of messages x and x' with x ≠ x' and h(x) = h(x'). In practice, hash algorithms are one-way functions, so it is very hard to reconstruct the original message from the digest. Hash functions let us check the integrity of data: any change to a given message, however small (even flipping a single bit), changes the corresponding digest. This property is useful for generating and verifying digital signatures and message authentication codes, for generating random numbers, and for deriving keys for encryption.

Hash functions underpin many cryptographic applications. Many hash algorithms exist; among them, SHA-1 and MD5 have been widely used since the 1990s.
1. The MD4 (Message Digest 4) and MD5 (Message Digest 5) hash functions: MD4 was proposed by Professor Ron Rivest in 1990. In 1992 the improved version MD5 appeared. The digest is 128 bits long. In 1995 Hans Dobbertin exhibited a collision in the compression function of the algorithm itself (without actually breaking the algorithm). In 2004, Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu published the breaking of MD4 and MD5 by a collision attack [49].

In [49], the authors present collision attacks not only on MD4 and MD5 but also on HAVAL-128 and RIPEMD.
2. The Secure Hash Standard (SHS): SHS was developed by NIST and the NSA, published in the Federal Register on 31 January 1992, and officially became a standard on 13 May 1993. The digest is 160 bits long.

On 26 August 2002, the US National Institute of Standards and Technology (NIST) proposed the Secure Hash Standard comprising four hash algorithms: SHA-1, SHA-256, SHA-384 and SHA-512. On 25 March 2004, NIST added the SHA-224 hash algorithm to the standard. The hash algorithms proposed by NIST are specified in FIPS 180-2 [24].

9.1.3 Structure of hash functions

Most cryptographic hash functions have the following algorithmic structure:
o Given a message M of arbitrary length. Depending on the algorithm, some bits may have to be appended so that the message length becomes a multiple of a given constant.
o Split the message into blocks of equal size: M₁, M₂, ..., M_s.
o Let H be a state of n bits, and f the compression function, which operates on a data block together with the current state.
o Start by setting H₀ to some initialization vector.
o H_i = f(H_{i−1}, M_i) for i = 1, 2, 3, ..., s.
o H_s is the digest of the original message M.
9.1.4

Remark: In a set whose elements take one of N given values with equal probability, only about √N elements are needed before a pair of elements with the same value appears.

Thus, a hash method is regarded as collision-secure if no known attack can find a pair of messages with the same hash value using significantly less computation than the 2^{n/2} threshold, where n is the size (in bits) of the hash value.

Collision-based attack: find two messages with different content but the same hash value. Sign one message; afterwards, the signer disowns the signature, claiming to have signed the other message. To do this, two colliding messages must be prepared before signing.
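An added Python experiment (not from the textbook) that measures the remark above: how many random messages have to be hashed before two of them collide on an n-bit digest, compared with the 2^{n/2} threshold. The first n bits of SHA-256 serve as a constructed toy n-bit hash; n = 16 keeps the experiment fast.

```python
import hashlib
import random


def truncated_hash(data: bytes, bits: int) -> int:
    """Constructed toy n-bit hash: the first `bits` bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def trials_until_collision(bits: int, seed: int) -> int:
    """Hash random 8-byte messages until two distinct ones share an n-bit value.
    Returns how many messages were hashed when the first collision appeared."""
    rng = random.Random(seed)          # seeded so each run is reproducible
    seen = {}
    count = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")
        count += 1
        h = truncated_hash(msg, bits)
        if h in seen and seen[h] != msg:
            return count
        seen[h] = msg


def average_trials(bits: int, runs: int) -> float:
    """Mean number of hashed messages before a collision over `runs` seeds."""
    return sum(trials_until_collision(bits, s) for s in range(runs)) / runs


def birthday_bound(bits: int) -> float:
    """The 2^(n/2) threshold of the text."""
    return 2 ** (bits / 2)
```

For n = 16 the mean lands in the low hundreds, close to the bound of 256, while the 2^n = 65536 values a pre-image search would have to cover are far away.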
9.1.5 One-wayness

A hash function is regarded as one-way when, given a hash value, the original message, called the pre-image, cannot be reconstructed. Ideally, then, the hash function must be evaluated on about 2^n messages to find a pre-image of a given hash value. If an attack is found that can determine a pre-image for a given hash value, the hash algorithm is no longer secure. An attack that produces a message different from the original but with the same hash value is called a second pre-image attack.

9.2 The MD5 hash function

9.2.1 Introduction to MD5

The MD4 (Message Digest 4) hash function was proposed by Professor Rivest in 1990. The following year, the improved version MD5 appeared. Together with the SHS method, these are three methods whose very fast processing makes them practical for long messages. The original message x is extended into a bit string X whose length is a multiple of 512. A single 1 bit is appended after x, followed by a run of d zero bits, and finally a 64-bit representation of the length of the message x. The number d of zero bits is chosen so that X has length a multiple of 512. This procedure is shown in Algorithm 9.1.

Algorithm 9.1. Building the bit string X from the bit string x
d = (447 − |x|) mod 512
Let ℓ be the 64-bit binary representation of the value |x| mod 2^64.
X = x ‖ 1 ‖ 0^d ‖ ℓ
The processing unit of MD5 is the 32-bit word, so X is represented as a sequence of 32-bit words X[i]: X = X[0] X[1] ... X[N−1], where N is a multiple of 16.
The four transformation rounds of MD5 are entirely different and use the functions F, G, H and I respectively. Each function takes 32-bit words X, Y, Z as parameters and returns a 32-bit word.
F(X, Y, Z) = (X ∧ Y) ∨ ((¬X) ∧ Z)
G(X, Y, Z) = (X ∧ Z) ∨ (Y ∧ (¬Z))
H(X, Y, Z) = X ⊕ Y ⊕ Z
I(X, Y, Z) = Y ⊕ (X ∨ (¬Z)) (9.1)
with the conventions:
X ∧ Y: bitwise AND of X and Y
X ∨ Y: bitwise OR of X and Y
X ⊕ Y: bitwise XOR of X and Y
¬X: bitwise NOT of X
X + Y: addition modulo 2^32
X <<< s: the bits of X rotated left by s positions (0 ≤ s < 32)

Define the functions:
FF(a,b,c,d,M_j,s,t_i): a = b + ((a + F(b,c,d) + M_j + t_i) <<< s)
GG(a,b,c,d,M_j,s,t_i): a = b + ((a + G(b,c,d) + M_j + t_i) <<< s)
HH(a,b,c,d,M_j,s,t_i): a = b + ((a + H(b,c,d) + M_j + t_i) <<< s)
II(a,b,c,d,M_j,s,t_i): a = b + ((a + I(b,c,d) + M_j + t_i) <<< s)
Table 9.1 gives the details of the four transformation rounds used in MD5.

Table 9.1. Transformation rounds in MD5

Round 1
FF(a,b,c,d,M0 , 7,0xd76aa478)
FF(d,a,b,c,M1 ,12,0xe8c7b756)
FF(c,d,a,b,M2 ,17,0x242070db)
FF(b,c,d,a,M3 ,22,0xc1bdceee)
FF(a,b,c,d,M4 , 7,0xf57c0faf)
FF(d,a,b,c,M5 ,12,0x4787c62a)
FF(c,d,a,b,M6 ,17,0xa8304613)
FF(b,c,d,a,M7 ,22,0xfd469501)
FF(a,b,c,d,M8 , 7,0x698098d8)
FF(d,a,b,c,M9 ,12,0x8b44f7af)
FF(c,d,a,b,M10,17,0xffff5bb1)
FF(b,c,d,a,M11,22,0x895cd7be)
FF(a,b,c,d,M12, 7,0x6b901122)
FF(d,a,b,c,M13,12,0xfd987193)
FF(c,d,a,b,M14,17,0xa679438e)
FF(b,c,d,a,M15,22,0x49b40821)

Round 2
GG(a,b,c,d,M1 , 5,0xf61e2562)
GG(d,a,b,c,M6 , 9,0xc040b340)
GG(c,d,a,b,M11,14,0x265e5a51)
GG(b,c,d,a,M0 ,20,0xe9b6c7aa)
GG(a,b,c,d,M5 , 5,0xd62f105d)
GG(d,a,b,c,M10, 9,0x02441453)
GG(c,d,a,b,M15,14,0xd8a1e681)
GG(b,c,d,a,M4 ,20,0xe7d3fbc8)
GG(a,b,c,d,M9 , 5,0x21e1cde6)
GG(d,a,b,c,M14, 9,0xc33707d6)
GG(c,d,a,b,M3 ,14,0xf4d50d87)
GG(b,c,d,a,M8 ,20,0x455a14ed)
GG(a,b,c,d,M13, 5,0xa9e3e905)
GG(d,a,b,c,M2 , 9,0xfcefa3f8)
GG(c,d,a,b,M7 ,14,0x676f02d9)
GG(b,c,d,a,M12,20,0x8d2a4c8a)

Round 3
HH(a,b,c,d,M5 , 4,0xfffa3942)
HH(d,a,b,c,M8 ,11,0x8771f681)
HH(c,d,a,b,M11,16,0x6d9d6122)
HH(b,c,d,a,M14,23,0xfde5380c)
HH(a,b,c,d,M1 , 4,0xa4beea44)
HH(d,a,b,c,M4 ,11,0x4bdecfa9)
HH(c,d,a,b,M7 ,16,0xf6bb4b60)
HH(b,c,d,a,M10,23,0xbebfbc70)
HH(a,b,c,d,M13, 4,0x289b7ec6)
HH(d,a,b,c,M0 ,11,0xeaa127fa)
HH(c,d,a,b,M3 ,16,0xd4ef3085)
HH(b,c,d,a,M6 ,23,0x04881d05)
HH(a,b,c,d,M9 , 4,0xd9d4d039)
HH(d,a,b,c,M12,11,0xe6db99e5)
HH(c,d,a,b,M15,16,0x1fa27cf8)
HH(b,c,d,a,M2 ,23,0xc4ac5665)

Round 4
II(a,b,c,d,M0 , 6,0xf4292244)
II(d,a,b,c,M7 ,10,0x432aff97)
II(c,d,a,b,M14,15,0xab9423a7)
II(b,c,d,a,M5 ,21,0xfc93a039)
II(a,b,c,d,M12, 6,0x655b59c3)
II(d,a,b,c,M3 ,10,0x8f0ccc92)
II(c,d,a,b,M10,15,0xffeff47d)
II(b,c,d,a,M1 ,21,0x85845dd1)
II(a,b,c,d,M8 , 6,0x6fa87e4f)
II(d,a,b,c,M15,10,0xfe2ce6e0)
II(c,d,a,b,M6 ,15,0xa3014314)
II(b,c,d,a,M13,21,0x4e0811a1)
II(a,b,c,d,M4 , 6,0xf7537e82)
II(d,a,b,c,M11,10,0xbd3af235)
II(c,d,a,b,M2 ,15,0x2ad7d2bb)
II(b,c,d,a,M9 ,21,0xeb86d391)
9.2.2 Remarks
MD4 has only three rounds, whereas MD5 adds a fourth round to increase its security margin.
Each step of each MD5 round uses a distinct additive constant, whereas MD4 uses a single constant for every step of the same round (in MD4 the additive constants of the three rounds are 0, 0x5a827999 and 0x6ed9eba1 respectively).
The round-2 function of MD4, $G(X,Y,Z) = (X \wedge Y) \vee (X \wedge Z) \vee (Y \wedge Z)$, is replaced in MD5 by $G(X,Y,Z) = (X \wedge Z) \vee (Y \wedge \neg Z)$ to reduce its symmetry.
Each step of a round depends on the result of the preceding step, which speeds up the avalanche effect.
The rotation amounts in each round are optimized to accelerate the avalanche effect. In addition, each round uses four different rotation amounts.
9.3
The Secure Hash Standard (SHS), developed by NIST and the NSA, was published in the Federal Register on 31 January 1992 and officially became a standard on 13 May 1993.
In general, SHS is built on the same foundation as MD4 and MD5. However, SHS operates on big-endian words rather than the little-endian convention of MD4 and MD5. In addition, the digest produced by the SHS hash is 160 bits long (which is why this method is usually combined with the DSS signature algorithm).
As in MD5, the source message x is first converted into a bit string whose length is a multiple of 512. Each group of sixteen 32-bit words X[0], X[1], ..., X[15] is expanded into eighty 32-bit words W[0], W[1], ..., W[79] by the formula

$$W[t] = \begin{cases} X[t], & 0 \le t \le 15 \\ W[t-3] \oplus W[t-8] \oplus W[t-14] \oplus W[t-16], & 16 \le t \le 79 \end{cases} \qquad (9.2)$$

In the revised version of SHS, the formula above is replaced by

$$W[t] = \begin{cases} X[t], & 0 \le t \le 15 \\ \left(W[t-3] \oplus W[t-8] \oplus W[t-14] \oplus W[t-16]\right) \lll 1, & 16 \le t \le 79 \end{cases} \qquad (9.3)$$

Like MD5, SHS uses four rounds, each consisting of 20 consecutive steps, so SHS can be viewed as a sequence of 80 steps. In the pseudocode below, the function f[t] and the constant K[t] are defined as follows:

$$f[t](X,Y,Z) = \begin{cases} (X \wedge Y) \vee (\neg X \wedge Z), & 0 \le t \le 19 \\ X \oplus Y \oplus Z, & 20 \le t \le 39 \\ (X \wedge Y) \vee (X \wedge Z) \vee (Y \wedge Z), & 40 \le t \le 59 \\ X \oplus Y \oplus Z, & 60 \le t \le 79 \end{cases} \qquad (9.4)$$

$$K[t] = \begin{cases} \texttt{0x5a827999}, & 0 \le t \le 19 \\ \texttt{0x6ed9eba1}, & 20 \le t \le 39 \\ \texttt{0x8f1bbcdc}, & 40 \le t \le 59 \\ \texttt{0xca62c1d6}, & 60 \le t \le 79 \end{cases} \qquad (9.5)$$

    A = 0x67452301; B = 0xefcdab89; C = 0x98badcfe; D = 0x10325476; E = 0xc3d2e1f0
    for i = 0 to N/16 - 1
        for t = 0 to 15
            W[t] = X[16*i + t]
        end for
        for t = 16 to 79
            W[t] = (W[t-3] xor W[t-8] xor W[t-14] xor W[t-16]) <<< 1
        end for
        a = A; b = B; c = C; d = D; e = E
        for t = 0 to 79
            TEMP = (a <<< 5) + f[t](b, c, d) + e + W[t] + K[t]
            e = d
            d = c
            c = b <<< 30
            b = a
            a = TEMP
        end for
        A = A + a; B = B + b; C = C + c; D = D + d; E = E + e
    end for
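The pseudocode above, carried out in Python as an added example (this is not code from the book): the `revised` flag selects the one-bit rotation of (9.3) (the published SHA-1) or the original schedule of (9.2), and the result is checked against the standard library's SHA-1.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    """Rotate a 32-bit word left by n bits (the <<< operator of the pseudocode)."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(t, x, y, z):
    """Round function f[t] of (9.4): select, parity, majority, parity."""
    if t < 20:
        return (x & y) | (~x & z)
    if 40 <= t < 60:
        return (x & y) | (x & z) | (y & z)
    return x ^ y ^ z


# Additive constants K[t] of (9.5), one per round of 20 steps.
K = (0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6)


def _pad(msg):
    """Pad to a multiple of 512 bits: a single 1 bit, zero bits, then the
    64-bit big-endian message length (SHS is big-endian, unlike MD4/MD5)."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def shs_digest(msg, revised=True):
    """160-bit SHS digest following the pseudocode of section 9.3.

    revised=True  uses the schedule of (9.3), i.e. SHA-1;
    revised=False uses the original schedule of (9.2) without the rotation.
    """
    h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0]
    data = _pad(msg)
    for off in range(0, len(data), 64):
        # W[0..15] are the sixteen big-endian words of the block.
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):
            x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
            w.append(_rotl(x, 1) if revised else x)
        a, b, c, d, e = h
        for t in range(80):
            temp = (_rotl(a, 5) + _f(t, b, c, d) + e + w[t] + K[t // 20]) & MASK32
            # e = d; d = c; c = b <<< 30; b = a; a = TEMP
            a, b, c, d, e = temp, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def matches_hashlib(msg):
    """True when the revised digest equals the library's SHA-1 for msg."""
    return shs_digest(msg) == hashlib.sha1(msg).digest()


if __name__ == "__main__":
    print(shs_digest(b"abc").hex())
```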
9.3.1 Remarks
SHS closely resembles MD4, but its digest is 160 bits long. Both methods are refinements of MD4. Some points of comparison between MD5 and SHS:
o Like MD5, SHS adds a fourth round to increase security. However, the fourth round of SHS reuses the function f of the second round.
o The 20 steps of one SHS round share a common constant K[t], whereas each step of MD5 uses a different constant.
o In MD5, the round-2 function G of MD4 was replaced by $(X \wedge Z) \vee (Y \wedge \neg Z)$ to reduce symmetry. SHS still uses G as in MD4.
o In both MD5 and SHS, each step depends on the result of the preceding step, which speeds up the avalanche effect.
No attack is currently known that applies to SHS. Moreover, because the SHS digest is 160 bits long, it resists brute-force attacks (including the birthday attack) better than MD5.
9.4
9.4.1
The SHA hash algorithms consist of two stages: preprocessing and hash computation. Preprocessing comprises:
o padding the message;
o parsing the padded message into m-bit blocks;
o setting the initial hash value.
The hash computation stage comprises:
o repeating the following N times: build the message schedule from block i, then use the message schedule together with the functions, constants and word operations to produce the i-th hash value;
o using the final hash value to produce the message digest.
The message M is padded before hashing. The purpose of padding is to make the padded message length a multiple of 512 or 1024 bits, depending on the algorithm.
After padding, the message is parsed into N m-bit blocks before hashing.
For SHA-1 and SHA-256, the padded message is parsed into N 512-bit blocks $M^{(1)}, M^{(2)}, \ldots, M^{(N)}$. Since 512 bits can be expressed as sixteen 32-bit words, $M^{(i)}_0$ holds the first 32 bits of block i, $M^{(i)}_1$ the next 32 bits, and so on.
For SHA-384 and SHA-512, the padded message is parsed into N 1024-bit blocks $M^{(1)}, M^{(2)}, \ldots, M^{(N)}$. Since 1024 bits can be expressed as sixteen 64-bit words, $M^{(i)}_0$ holds the first 64 bits of block i, and so on.
The algorithm pairs SHA-224/SHA-256 and SHA-384/SHA-512 perform identical operations and differ only in the number of digest bits they output. In other words, SHA-224 takes the first 224 bits of the digest obtained by running SHA-256, and likewise SHA-384 takes the first 384 bits of the digest obtained by running SHA-512.
9.4.2
The SHA hash functions use the rotate-right operation on a word, denoted ROTR, and the shift-right operation on a word, denoted SHR.
Figure 9.1 shows the common skeleton of the SHA hash functions.

Figure 9.1. Common skeleton of the SHA hash functions (shown with the 64-step compression of SHA-224/SHA-256)

    for i = 1 to N
        for t = 0 to 15
            W_t = M_t^(i)
        end for
        for t = 16 to scheduleRound - 1
            W_t = sigma1(W_{t-2}) + W_{t-7} + sigma0(W_{t-15}) + W_{t-16}
        end for
        a = H_0^(i-1); b = H_1^(i-1); c = H_2^(i-1); d = H_3^(i-1)
        e = H_4^(i-1); f = H_5^(i-1); g = H_6^(i-1); h = H_7^(i-1)
        for t = 0 to 63
            T1 = h + Sigma1(e) + Ch(e, f, g) + K_t + W_t
            T2 = Sigma0(a) + Maj(a, b, c)
            h = g; g = f; f = e; e = d + T1
            d = c; c = b; b = a; a = T1 + T2
        end for
        H_0^(i) = a + H_0^(i-1); H_1^(i) = b + H_1^(i-1); H_2^(i) = c + H_2^(i-1); H_3^(i) = d + H_3^(i-1)
        H_4^(i) = e + H_4^(i-1); H_5^(i) = f + H_5^(i-1); H_6^(i) = g + H_6^(i-1); H_7^(i) = h + H_7^(i-1)
    end for

Each algorithm has its own table of message-schedule constants. The size of this table (scheduleRound) is 64 for SHA-224 and SHA-256 and 80 for SHA-384 and SHA-512. The tables are given in Appendix E.
For SHA-224 and SHA-256 (32-bit words):

$$\mathrm{Ch}(x,y,z) = (x \wedge y) \oplus (\neg x \wedge z), \qquad \mathrm{Maj}(x,y,z) = (x \wedge y) \oplus (x \wedge z) \oplus (y \wedge z) \qquad (9.6)$$

For SHA-384 and SHA-512 (64-bit words), the same definitions apply:

$$\mathrm{Ch}(x,y,z) = (x \wedge y) \oplus (\neg x \wedge z), \qquad \mathrm{Maj}(x,y,z) = (x \wedge y) \oplus (x \wedge z) \oplus (y \wedge z) \qquad (9.7)$$
The SHS standard specifies five secure hash algorithms: SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Table 9.2 shows their basic properties. The main difference between them is the number of security bits of the hashed data, which directly determines the length of the digest. When a hash algorithm is used together with another algorithm, a matching number of bits may be required. For example, if a message is signed with a digital signature algorithm providing 128 bits of security, the signature algorithm may require a secure hash algorithm that also provides 128 bits of security, such as SHA-256.
The algorithms also differ in the block size and word size they use.
Table 9.2. Properties of the secure hash algorithms (sizes in bits)

Algorithm   Message size   Block size   Word size   Digest size
SHA-1       < 2^64         512          32          160
SHA-224     < 2^64         512          32          224
SHA-256     < 2^64         512          32          256
SHA-384     < 2^128        1024         64          384
SHA-512     < 2^128        1024         64          512

9.5 The Davies-Meyer hash construction and the application of Rijndael and its extended versions to hashing
9.5.1 The Davies-Meyer hash construction
The Davies-Meyer hash [36] is a hash construction built on block-cipher encryption, in which the digest length (in bits) equals the block size of the cipher used.
Let n and k be the block size and key size of the cipher used. The Davies-Meyer hash requires no key of its own: the initial key is fixed to a default value of $2^k - 1$, where k is the key size of the cipher in bits. Encryption under key K is written $E_K$.
Note on "security": it refers to an attack on a digest of size n, which requires approximately $2^{n/2}$ operations.
The original message is divided into m blocks of n bits. The Davies-Meyer hash performs the following operation m times, once per block:

$$H_i = E_{X_i}(H_{i-1}) \oplus X_i \qquad (9.8)$$

9.5.2 The AES-Hash function
Encryption algorithms are used mainly to encrypt and decrypt data, but they have another, less discussed application: they can serve as hash functions. Bram Cohen proposed using the AES algorithm as a hash function (AES-Hash) in May 2001.
According to Bram Cohen [6], AES-Hash has the properties of a hash function: it takes an input bit string of arbitrary length and returns a fixed-length 256-bit string, and the slightest change in the input changes the hash value. Finding two inputs with the same 256-bit hash value requires $2^{128}$ operations, and finding a preimage of a 256-bit hash value requires $2^{256}$ operations.
AES-Hash is described in terms of the Davies-Meyer construction, using the Rijndael algorithm with a block size and key size of 256 bits each.
AES-Hash proceeds in the following steps:
o Padding. The message is padded so that its length becomes the smallest multiple of the block size greater than the message length. Zero bits are appended until the length is the smallest odd multiple of 128 bits greater than the message length, and then 128 bits holding the original message length are appended.
Example: original message (40 bits): 1110 1011 0010 0110 0011 0110 0111 1011 1001 1001. The padded message consists of the 40 original bits + (128 - 40) zero bits + 128 bits encoding the value 101000 (binary 40):
1110 1011 0010 0110 0011 0110 0111 1011 1001 1001 | 000...000 | 0...00101000
(40 bits) | (88 bits) | (128 bits)
o Divide the padded message into n blocks $x_1, \ldots, x_n$ of 256 bits each and apply the Davies-Meyer hash with Rijndael n times, once per block:

$$H_i = E_{X_i}(H_{i-1}) \oplus X_i \qquad (9.9)$$

o Apply the final strengthening step to obtain the hash value:

$$H_{n+1} = E_{H_n}(H_n) \oplus H_n \qquad (9.10)$$

$H_{n+1}$ is the hash value of the original message.
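The AES-Hash procedure above (padding, the Davies-Meyer iteration of (9.9) and the final step of (9.10)) as an added Python example, not the author's or Bram Cohen's code. Because the standard library has no Rijndael-256, a labelled stand-in keyed permutation (an 8-round Feistel network with a SHA-256 round function) plays the role of $E_K$; the initial value is taken as the all-ones string, interpreting the printed default $2^k - 1$ that way; messages are assumed byte-aligned.

```python
import hashlib

BLOCK = 32  # bytes: 256-bit block and 256-bit key, as AES-Hash uses Rijndael-256


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    """Keyed round function for the stand-in cipher: 128 bits derived from
    SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:16]


def toy_encrypt(key, block):
    """Stand-in for Rijndael-256: an 8-round Feistel permutation on 256-bit
    blocks under a 256-bit key. It is a keyed permutation, which is all the
    Davies-Meyer construction needs, but it is a teaching stand-in and not a
    secure cipher."""
    l, r = block[:16], block[16:]
    for rnd in range(8):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return l + r


def toy_decrypt(key, block):
    """Inverse of toy_encrypt (shows that E_K really is a permutation)."""
    l, r = block[:16], block[16:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def aes_hash_pad(msg):
    """Padding of section 9.5.2 for byte-aligned messages: append zero bits
    until the length is the smallest odd multiple of 128 bits greater than
    the message length, then append the 128-bit big-endian bit length.
    The total is therefore always a multiple of 256 bits."""
    n = len(msg)
    target = 16                  # odd multiples of 128 bits: 16, 48, 80, ... bytes
    while target <= n:
        target += 32
    return msg + b"\x00" * (target - n) + (8 * n).to_bytes(16, "big")


def davies_meyer(blocks, encrypt, h0):
    """H_i = E_{X_i}(H_{i-1}) xor X_i for each block X_i, formula (9.9).
    The message block is the cipher key; the chaining value is the plaintext."""
    h = h0
    for x in blocks:
        h = _xor(encrypt(x, h), x)
    return h


def aes_hash(msg, encrypt=toy_encrypt):
    """AES-Hash: pad, run Davies-Meyer over the 256-bit blocks, then apply the
    final strengthening step H_{n+1} = E_{H_n}(H_n) xor H_n, formula (9.10)."""
    data = aes_hash_pad(msg)
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    h0 = b"\xff" * BLOCK         # assumed default initial value 2^k - 1 (all ones)
    h = davies_meyer(blocks, encrypt, h0)
    return _xor(encrypt(h, h), h)


if __name__ == "__main__":
    # The 40-bit message of the worked example: it pads to exactly one block.
    sample = bytes.fromhex("eb26367b99")
    print(len(aes_hash_pad(sample)) * 8, "padded bits")
    print(aes_hash(sample).hex())
```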
9.5.3 The Davies-Meyer hash and AES-Hash
It has been shown for the Davies-Meyer hash that finding a second message with the same n-bit hash value as a given message (a second preimage) requires $2^n$ operations, and finding a pair of messages with the same hash value requires $2^{n/2}$ operations [36]. An acceptable security level therefore demands a large block size. At present the block size must exceed 80 bits to resist second-preimage attacks and 160 bits to resist collision attacks. This means that ciphers with a 64-bit block (such as DES [25], IDEA, ...) cannot be used for a Davies-Meyer hash. Another caution is that the Davies-Meyer hash is considered insecure when used with DES-X-type algorithms (e.g. 3DES).
AES-Hash applies the Davies-Meyer construction with 256-bit Rijndael and is therefore secure against second-preimage and collision attacks. In addition, AES-Hash performs a final strengthening step, which raises the cost of attacking the hash. The security level of AES-Hash is thus considerably increased.
At present NIST has not added AES-Hash to its list of secure hash standards, because AES-Hash uses Rijndael with a 256-bit block while the AES standard specifies only a 128-bit block. However, NIST has included AES-Hash in its list of proposed secure hash standards.
9.6
One application of hash functions is to transform a user's password of arbitrary length into a fixed-size byte array for use as the key of a symmetric cipher. The extended algorithms based on Rijndael, namely the 256/384/512-bit and 512/768/1024-bit extensions, need keys of 256, 384, 512, 768 or 1024 bits. Ordinary hash functions (such as the SHA family or AES-Hash) do not cover all of these key sizes. Concatenating or transforming the outputs of ordinary hash functions to stretch the bit string to the required key length is not an optimal solution. The proposed solution is therefore to use the extended algorithms themselves to build hash functions with a larger output space, which can also derive keys for these very algorithms from the user's password.
These hash functions work exactly like AES-Hash, changing only the block length and the encryption operation used.
Chapter 10
Chapter 10 presents public-key certification: the types of public-key certificate, the components of a public key infrastructure (PKI), certificate management procedures and public-key certification models. The last part of the chapter presents an application that combines conventional encryption, public-key encryption and public-key certificates to build a secure e-mail system.
10.1 Introduction
Unlike secret keys, public keys remain secure even when published widely, which makes key exchange much easier. Nevertheless, some problems remain in exchanging public keys, in particular how to determine who really owns a given key.
A public-key system is truly secure only when the owner of a key can be determined precisely. Below is an insecure case in
Example: suppose C can intercept all traffic between A and B. When B sends A its public key xxxx, C intercepts the message and instead sends A its own public key yyyy. A then believes yyyy is B's public key and uses it to encrypt a letter to B. C decrypts A's letter, encrypts a different message with B's public key xxxx and sends it to B. B thus receives a message from C rather than from A.
Figure 10.1. The public-key ownership problem (C sends A its own public key yyyy in place of B's public key xxxx).
In practice this problem is solved in two ways:
o Public-key certification: the distributed public key has three main components: the name or identifier of the key's true owner, the public key itself, and a digital signature confirming the validity of the first two (Figure 10.2).
o Trusted key distribution: a trusted communication system carries the public key to the recipient. This exchange is easier than exchanging secret keys, since confidentiality is not required, only the integrity of the key being exchanged. This solution is usually applied to the public keys that are used to verify the digital signatures on other public-key certificates.
Public-key certificates are signed by a trusted intermediary called a CA (Certification Authority). The CA's public key is delivered to users through a trusted key distribution system so that they can verify the other public-key certificates signed by that CA.
Figure 10.2. Components of a public-key certificate: full name, public key, digital signature.
Figure 10.3 illustrates a system that uses public-key certificates. Suppose A needs B's public key. A obtains B's public-key certificate from the CA server and uses the CA's public key to check whether this really is the key
Public-key encryption can face key distribution problems, but they are not as serious as those of key distribution in symmetric encryption. Authentication of a public key can be performed by a trusted third party. The assurance of the authenticity of a public key's owner is called public-key certification, and the person or organization that certifies public keys is called a certification authority (CA).
Figure 10.3. Using public-key certificates: B sends its name and public key to the CA server, which returns B's public-key certificate signed by the CA; A receives the CA's public key through a trusted distribution system and uses it to check B's certificate.
10.2 Types of public-key certificate
To have its public key certified, a party must generate an asymmetric key pair and send this key pair to the CA, together with information about itself such as its name or address. Once the CA has verified the party's information, it issues a public-key certificate to the party. A certificate is a binary file that can easily be transferred over a computer network.
The CA applies its digital signature to the public-key certificates it issues; a CA certifies a public key by signing it. If the other party trusts the CA, it can trust the CA's signature.
10.2.1
X.509 certificates are the most common public-key certificates. The International Telecommunications Union (ITU) specified the X.509 standard in 1988 [2]; this was version 1 of the X.509 format. In 1993 version 2 of X.509 was released, adding two unique-identifier fields. Version 3, which added the extension fields, was published in 1997.
A public-key certificate binds a public key to the identity of a person (or a device). The public key and the name of the entity owning it are the two essential items in a certificate. Most of the other fields in the certificate
o Validity Period: two values that specify the interval during which the certificate is valid, not-before and not-after. Not-before gives the time from which the certificate becomes valid; not-after gives the time at which it expires. These times are expressed in international standard time, to the second.
o Subject Name: an X.500 DN identifying the subject of the certificate, who is also the owner of the public key. A CA cannot issue two certificates with the same Subject Name.
o Public Key: identifies the public-key algorithm (e.g. RSA) and holds the public key, formatted according to its type.
o Issuer Unique ID and Subject Unique ID: introduced in X.509 version 2, these fields distinguish two CAs or two subjects that share the same DN. RFC 2459 recommends against using them.
o Extensions: additional information that the CA operator wishes to place in the certificate; introduced in X.509 version 3.
o Signature: the digital signature applied by the CA, computed with the CA's private key using the algorithm named in the signature algorithm field. The signature covers all the other parts of the certificate, so the CA certifies all the information in the certificate, not only the subject name and the public key.
10.2.2
The main feature of qualified certificates is the attention they pay to the subject to whom they are issued. The end entity holding an X.509 or RFC 2459 certificate may be a person or a machine; qualified certificates, however, can be issued only to people.
RFC 3039 qualified certificates impose detailed requirements on the contents of several X.509 certificate fields. Name fields such as the issuer name, the
10.2.3
Simpler than X.509 certificates, PGP certificates do not support extensions.
An X.509 certificate is signed by a CA, whereas a PGP certificate can be signed by many individuals. The PGP trust model therefore requires you to trust the people who signed the PGP certificate you want to use, rather than only the CA that issued an X.509 certificate.
10.2.4
Attribute Certificates (ACs) [2] are digital certificates that contain no public key. Rather than certifying a public key, an AC certifies a set of attributes.
The attributes in an AC convey authorization information about the certificate holder.
The system that issues, uses and revokes ACs is the Privilege Management Infrastructure (PMI). In a PMI, an Attribute Authority (AA) issues the ACs. An AA need not be the same as a CA.
The main motivation for ACs is authorization. Since a user may hold a given role in an organization only briefly, an AC, unlike a public-key certificate, is valid only for a few days or less.
Figure 10.5. Version 2 of the attribute certificate structure.
10.3 Certificate signing and signature verification
Signing a certificate takes two steps. First, the fields to be signed are hashed with the specified hash algorithm. Then the output of the hash, called the hash digest, is encrypted with the private key of the CA that issues the certificate.
Figure: signing Fran's X.509 certificate. The Subject Name, Public Key and other fields pass through the hash algorithm, and the result is signed to produce the Signature field.
A CA's certificate must be signed with a private key. That private key must belong to the CA, and by signing party A's certificate the CA attests to A's existence.
To obtain a certificate, a CA simply creates and signs a certificate for itself; it does not need another CA to certify it. This is known as self-certification, and such a certificate is called a self-signed certificate.
The CA uses its private key to sign party A's certificate, and the same private key to sign its own certificate. A party B can verify both the signature on A's certificate and the signature on the CA's certificate using the public key in the CA's certificate. A's certificate and the CA's certificate together form a certificate chain. Verifying a certificate usually requires verifying the chain; verification ends when a self-signed certificate at the end of the chain has been verified [2].
10.4.1
The CA is the single indispensable entity in an X.509 PKI (Public Key Infrastructure). The CA issues, manages and revokes certificates. To issue a certificate, the CA receives a certificate request from a client, verifies the client's existence and checks the contents of the request. The CA then creates the new certificate contents for the client and signs the certificate. If the CA uses a repository, it stores the newly created certificate there. The CA also delivers the certificate to the client by e-mail or through a URL from which the client can fetch it.
When a certificate must be revoked, the CA creates and manages the revocation information for it. On revocation, the CA may delete the certificate from the repository or mark it as deleted. The CA always notifies the client that their certificate has been revoked, and adds the serial number of the revoked certificate to the Certificate Revocation List (CRL) [2].
10.4.2
An RA is an optional entity designed to take over part of the CA's workload. An RA cannot perform any service that its CA cannot perform itself [2].
The main RA tasks fall into two categories: certification services and verification services. An RA authenticates the various service requests that are directed to its CA. An RA may be set up to handle certificate requests and revocation requests on behalf of a CA. After authenticating a request, i.e. establishing that it comes from the appropriate entity, the RA checks the validity of the request's contents.
An RA acts as a front-end processor for the CA. An RA should serve only one CA, whereas a CA may be supported by several RAs.
A CA may still be responsible for interacting with the certificate repository, and may sign CRLs as well as certificates. By delegating many tasks to RAs, a CA can substantially improve its response time to end-entity requests.
A certificate repository is a database holding the certificates issued by a CA. All users of the PKI can use the repository as the central source of certificates, and hence of public keys. A repository can also serve as the central location for CRLs [2].
Before requesting a certificate, a party must learn about the PKI it wishes to join: the addresses of the CA, of the RA and of the repository, if they exist. The party also needs the CA's certificate and possibly the RA's certificate. Finally, the party needs a way to generate an asymmetric key pair and to choose the attributes of its Distinguished Name (DN) [2].
10.5.2
A party can request a certificate from a CA through several techniques. In one case the party makes no request at all: the CA generates a certificate on the party's behalf. This technique requires the CA to generate the asymmetric key pair as well, so that it has the public key to include in the certificate.
Most CAs use one of two standard certificate request formats: PKCS #10 and CRMF.
A PKCS #10 certificate request [2] contains:
o Version: the version of the certificate request format.
o Subject Name: an X.500 DN identifying the end entity requesting the certificate, the owner of the public key.
o Public Key: identifies the public-key algorithm and holds the public key, formatted according to its type.
o Attributes: additional information used to identify the end entity.
o Signature Algorithm: the algorithm used by the end entity to sign the certificate request.
o Signature: the digital signature applied by the end entity requesting the certificate.
Figure 10.9. A certificate request in PKCS #10 format.
A CRMF certificate request [2] contains:
o Request ID: a number used by the party and the CA to associate the request with the response that carries the requested certificate.
o Certificate Template: in a PKCS #10 request the party can specify only the name and the public-key information to be included in the certificate; in CRMF the party may include any field of the X.509 certificate as a certificate template in its request.
o Controls: a way for the party to send the CA supervisory details related to its request. This field can be used much like the attributes field of PKCS #10.
Figure 10.10. Certificate request message format according to RFC 2511.
o Proof of Possession: CRMF supports four methods by which the party proves that it holds the private key corresponding to the public key in the request. The method used depends on the intended use of the key.
o Registration Information: an optional field containing pre-formatted or substituted data related to the certificate request.
10.5.3 Certificate renewal
A party may want to renew its certificate for several reasons: the certificate has expired, new information must be added to it, the existing public key is to be re-certified, or a new key is to be certified. When the CA grants the renewal request, it issues the party a new certificate and may publish it in the repository.
A renewal request is much simpler than an initial certificate request. On an initial request the CA must verify the party's existence, but a renewal request can include the current certificate together with a signature made with the corresponding private key, which serves as proof of the party's existence. Renewal is therefore easier for the CA to handle.
10.5.4 Certificate revocation
Every certificate has a validity period and eventually expires. Sometimes, however, a certificate must be revoked before it expires. The most common reason is that the identity certified by the CA has changed.
The Certificate Revocation List (CRL) is the first and most widely used means of publishing revocation information. A CRL carries a timestamp identifying when the CA issued it. The CA signs the CRL with the same private key it uses to sign certificates. CRLs are usually stored in the same repository as the certificates for ease of retrieval.
o CRL Extensions: additional information supporting the use and management of CRLs.
10.5.5
By escrowing their private encryption key, clients avoid being unable to decrypt their data if the key is lost. To escrow a key, the client sends the private key to the escrow store. Because escrow and recov
ery requests must be authenticated, users cannot access the store directly but must go through the RA or the CA.
10.6.2 Hierarchical model
CAs are arranged in levels: a higher-level CA signs the public-key certificates of its immediate subordinate CAs. A user's public-key certificate is signed by a local CA.
To verify a public-key certificate, a user must check the certificate of the local CA that signed it. This in turn requires checking the certificate of the higher-level CA that signed the local CA's certificate, and so on up the hierarchy, until a certificate can be checked with a CA public key that was delivered directly to the user.
The PEM (Privacy Enhanced Mail) system and the US Department of Defense's DMS (Defense Message System) use this model.
Figure: the hierarchical certification model: a central CA, branch CAs, local CAs, and users.
10.6.3
Anyone who holds a public-key certificate can sign other people's public-key certificates. This is the approach of the Pretty Good Privacy (PGP) system.
Every participant in this system can act as a CA and sign another participant's public-key certificate. To trust that a public-key certificate is valid, one must obtain the public key of the signer on
Example: in the figure below, A signs the public-key certificates of B, D and F; D signs those of A, C and E; B and C sign each other's public-key certificates.
To keep the system secure, every participant in this model is responsible for their signatures on other participants' public-key certificates. To this end, usually:
o Direct contact: participants can meet in person to exchange their public keys and then sign each other's public-key certificates.
o Fingerprinting: a fingerprint is the 128-bit string obtained by applying the MD5 hash to the public key. A's fingerprint is published widely in various ways, for example on A's business card or on A's website. If B does not yet trust the signatures on A's public-key certificate, B can use MD5 to check whether the key matches A's published fingerprint. Thanks to the security level of MD5, finding another public key with the same fingerprint as a given key is infeasible.
E-mail is used more and more widely in all areas of life. E-mail systems allow commercial transactions to be carried out quickly and efficiently, let agencies and organizations communicate easily, and support projects deployed simultaneously at many sites.
Because of the strategic importance of the contents carried in e-mail, the confidentiality and security of these electronic messages must be protected. The e-mail encryption and decryption procedures below are one feasible solution to the problem of protecting e-mail ([20], [15]).
Figure 10.15. E-mail encryption: data to be encrypted, symmetric encryption, encrypted message contents.
Figure 10.15 shows the e-mail encryption procedure. Suppose A wants to send B a confidential electronic message and that A has B's public key (either handed over directly by B or obtained through B's public-key certificate).
o Stage 1: encrypt the message with a secure symmetric cipher. A's computer generates a random secret key K, which is used to encrypt the entire message to be sent to B with the chosen secure symmetric cipher.
o Stage 2: encrypt the secret key K with an asymmetric cipher using B's public key.
o The message encrypted in stage 1, together with the secret key K encrypted in stage 2, is sent to B as an e-mail message.
10.7.3 E-mail decryption procedure
Figure 10.16. E-mail decryption: encrypted key, secret key, symmetric decryption.
Figure 10.16 shows the e-mail decryption procedure.
o Stage 1: decrypt the secret key K. B uses their private key to decrypt K with the asymmetric cipher that A used to encrypt it.
With this technique the sender can be confident that the letter can be decrypted only by the legitimate recipient, because only that person holds the private key needed to recover the secret key K and hence the contents of the message.
Appendix A
Appendix B
Appendix C
Appendix D
Table D.1. S-box substitution values for the byte {xy} (hexadecimal); rows are indexed by x, columns by y.

x\y   0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0    63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1    ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2    b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3    04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4    09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5    53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6    d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7    51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8    cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9    60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a    e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b    e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c    ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d    70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e    e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f    8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
Table D.2. Inverse S-box substitution values for the byte {xy} (hexadecimal); rows are indexed by x, columns by y.

x\y   0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0    52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
1    7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
2    54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
3    08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
4    72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
5    6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
6    90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
7    d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
8    3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
9    96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
a    47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
b    fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
c    1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
d    60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
e    a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
f    17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
Appendix E
E.1
E.1.1 SHA-1 constants
0 to 19    20 to 39    40 to 59    60 to 79
These words represent the first 32 bits of the fractional part of the cube roots of the first 64 prime numbers. The constants are (in order from left to right):

428a2f98 71374491 b5c0fbcf e9b5dba5
3956c25b 59f111f1 923f82a4 ab1c5ed5
d807aa98 12835b01 243185be 550c7dc3
72be5d74 80deb1fe 9bdc06a7 c19bf174
e49b69c1 efbe4786 0fc19dc6 240ca1cc
2de92c6f 4a7484aa 5cb0a9dc 76f988da
…
27b70a85 2e1b2138 4d2c6dfc 53380d13
650a7354 766a0abb 81c2c62e 92722c85
a2bfe8a1 a81a664b c24b8b70 c76c51a3
d192e819 d6990624 f4083585 106aa070
19a4c116 18376c08 2748774c 34b0bcb5
391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3
748f82ee 78a5636f 84c87814 8cc70208
90befffa a4506ceb bef9a3f7 c67178f2
E.1.3 Constants of SHA-384 and SHA-512
…cube roots of the first 80 prime numbers. The constants are (in order from left to right):

428a2f98d728ae22 7137449123ef65cd
b5c0fbcfec4d3b2f e9b5dba58189dbbc
3956c25bf348b538 59f111f1b605d019
923f82a4af194f9b ab1c5ed5da6d8118
d807aa98a3030242 12835b0145706fbe
243185be4ee4b28c 550c7dc3d5ffb4e2
72be5d74f27b896f 80deb1fe3b1696b1
9bdc06a725c71235 c19bf174cf692694
e49b69c19ef14ad2 efbe4786384f25e3
0fc19dc68b8cd5b5 240ca1cc77ac9c65
2de92c6f592b0275 4a7484aa6ea6e483
5cb0a9dcbd41fbd4 76f988da831153b5
983e5152ee66dfab a831c66d2db43210
b00327c898fb213f bf597fc7beef0ee4
c6e00bf33da88fc2 d5a79147930aa725
06ca6351e003826f 142929670a0e6e70
27b70a8546d22ffc 2e1b21385c26c926
4d2c6dfc5ac42aed 53380d139d95b3df
650a73548baf63de 766a0abb3c77b2a8
81c2c92e47edaee6 92722c851482353b
a2bfe8a14cf10364 a81a664bbc423001
c24b8b70d0f89791 c76c51a30654be30
d192e819d6ef5218 d69906245565a910
SHA-224:
H_0^(0) = c1059ed8   H_1^(0) = 367cd507   H_2^(0) = 3070dd17   H_3^(0) = f70e5939
H_4^(0) = ffc00b31   H_5^(0) = 68581511   H_6^(0) = 64f98fa7   H_7^(0) = befa4fa4

SHA-256:
H_0^(0) = 6a09e667   H_1^(0) = bb67ae85   H_2^(0) = 3c6ef372   H_3^(0) = a54ff53a
H_4^(0) = 510e527f   H_5^(0) = 9b05688c   H_6^(0) = 1f83d9ab   H_7^(0) = 5be0cd19

SHA-384:
H_0^(0) = cbbb9d5dc1…
H_1^(0) H_2^(0) H_3^(0) H_4^(0) H_5^(0) H_6^(0) H_7^(0) (values not recovered)

H_0^(0) H_1^(0) H_2^(0) H_3^(0) H_4^(0) H_5^(0) H_6^(0) H_7^(0) (values not recovered)
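The round constants of E.1 and the initial hash values listed just above are all derived the same way: take a root of a small prime and keep the leading bits of its fractional part. The following Python is an added example, not code from the textbook, and recomputes every table in this appendix with exact integer arithmetic (integer square and cube roots of the prime scaled by a power of two), so a printed value can be checked without trusting floating point. It goes beyond the appendix text by also deriving the SHA-1 constants (floor(2^30 * sqrt(n)) for n = 2, 3, 5, 10) and the SHA-512 initial values from the same routine; the function names are this example's own.

```python
"""Derive the SHA-1 / SHA-2 round constants and initial hash values from primes.

Added example (not the textbook's own code). The appendix states that the
SHA-224/256 constants are the first 32 bits of the fractional parts of the
cube roots of the first 64 primes, and the SHA-384/512 constants the first
64 bits for the first 80 primes. The initial hash values H^(0) come from
square roots in the same way. Everything is computed exactly with integer
roots of the prime scaled by 2**(bits * root), which scales the root by
2**bits; masking then keeps only the fractional bits.
"""
from math import isqrt


def first_primes(n):
    """Return the first n prime numbers by trial division."""
    primes = []
    candidate = 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes


def icbrt(n):
    """Integer cube root: the largest x with x**3 <= n (integer Newton iteration)."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)   # starting point >= cbrt(n)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def frac_bits_root(n, root, bits):
    """First `bits` bits of the fractional part of the `root`-th root of n (root = 2 or 3)."""
    scaled = n << (bits * root)
    whole = isqrt(scaled) if root == 2 else icbrt(scaled)
    return whole & ((1 << bits) - 1)


def sha256_k():
    """K[0..63] for SHA-224/SHA-256: 32 fractional bits of the cube roots of the first 64 primes."""
    return [frac_bits_root(p, 3, 32) for p in first_primes(64)]


def sha512_k():
    """K[0..79] for SHA-384/SHA-512: 64 fractional bits of the cube roots of the first 80 primes."""
    return [frac_bits_root(p, 3, 64) for p in first_primes(80)]


def sha256_h0():
    """H^(0) for SHA-256: 32 fractional bits of the square roots of the first 8 primes."""
    return [frac_bits_root(p, 2, 32) for p in first_primes(8)]


def sha512_h0():
    """H^(0) for SHA-512: 64 fractional bits of the square roots of the first 8 primes."""
    return [frac_bits_root(p, 2, 64) for p in first_primes(8)]


def sha384_h0():
    """H^(0) for SHA-384: 64 fractional bits of the square roots of the 9th..16th primes."""
    return [frac_bits_root(p, 2, 64) for p in first_primes(16)[8:]]


def sha224_h0():
    """H^(0) for SHA-224: the second 32 of the 64 fractional bits used by SHA-384."""
    return [h & 0xFFFFFFFF for h in sha384_h0()]


def sha1_k():
    """SHA-1 K_t for t in 0-19, 20-39, 40-59, 60-79: floor(2**30 * sqrt(n)) for n = 2, 3, 5, 10."""
    return [isqrt(n << 60) for n in (2, 3, 5, 10)]


if __name__ == "__main__":
    print("SHA-1 K:", " ".join(f"{k:08x}" for k in sha1_k()))
    print("SHA-256 K[0..3]:", " ".join(f"{k:08x}" for k in sha256_k()[:4]))
    print("SHA-512 K[0..1]:", " ".join(f"{k:016x}" for k in sha512_k()[:2]))
    print("SHA-224 H0:", " ".join(f"{h:08x}" for h in sha224_h0()))
    print("SHA-384 H0[0]:", f"{sha384_h0()[0]:016x}")
```

Recomputing the tables this way is the practical defence against a transcription error in a constants table: a single wrong hex digit in K or H^(0) yields a function that still "works" but is not SHA-2, so an implementation should compare its embedded constants against values derived from the definition (or against published test vectors) rather than against another copy of the table.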