Why is AES more secure than DES?

Posted 2024-09-27 08:40:08 | Words: 74 | Views: 1 | Comments: 0

I am beginning to learn crypto algorithms and I understand how the above mentioned algorithms work. Is it that the key length of AES is longer? Which steps of AES encryption make it less vulnerable than DES?


Comments (1)

飘逸的'云 2024-10-04 08:40:08

DES was designed with an effective key length of 56 bits, which is vulnerable to exhaustive search. It also has some weaknesses against differential and linear cryptanalysis: these allow recovery of the key using, respectively, 2^47 chosen plaintexts, or 2^43 known plaintexts. A known plaintext is an encrypted block (an 8-byte block, for DES) for which the attacker knows the corresponding decrypted block. A chosen plaintext is a kind of known plaintext where the attacker gets to choose himself the decrypted block. In practical attack conditions, such huge amounts of known or chosen plaintexts cannot really be obtained, hence differential and linear cryptanalysis do not really impact the actual security of DES; the weakest point is the short key. Still, the existence of those attacks, which, from an academic point of view, have less complexity than the exhaustive key search (which uses 2^55 invocations on average), is perceived as a lack in security.

As a side note, differential analysis was known to the DES designers, and DES was hardened against it (hence the "good score" of 2^47). With today's standards, we would consider it as "not good enough" because it is now academic tradition to require attack complexity above exhaustive search. Still, the DES designers were really good. They did not know about linear cryptanalysis, which was discovered by Matsui in 1992, and linear cryptanalysis is more effective on DES than differential cryptanalysis, and yet is devilishly difficult to apply in practice (2^43 known plaintext blocks, that's 64 terabytes...).

The structural weaknesses of DES are thus its key size, and its short block size: with n-bit blocks, some encryption modes begin to have trouble when 2^(n/2) blocks are encrypted with the same key. For the 64-bit DES blocks, this occurs after encrypting 32 gigabytes worth of data, a big but not huge number (yesterday, I bought a hard disk which is thirty times bigger than that).

A variant on DES is called 3DES: that's, more or less, three DES instances in a row. This solves the key size issue: a 3DES key consists of 168 bits (nominally 192 bits, out of which 24 bits are supposed to serve as parity check, but are in practice wholly ignored), and exhaustive search on a 168-bit key is wholly out of reach of human technology. From (again) an academic point of view, there is an attack with cost 2^112 on 3DES, which is not feasible either. Differential and linear cryptanalysis are defeated by 3DES (their complexity rises quite a bit with the number of rounds, and 3DES represents 48 rounds, vs 16 for the plain DES).

Yet 3DES still suffers from the block size issues of DES. Also, it is quite slow (DES was meant for hardware implementations, not software, and 3DES is even three times slower than DES).

Thus, AES was defined with the following requirements:

  • 128-bit blocks (solves issues with CBC)
  • accepts keys of size 128, 192 and 256 bits (128 bits are enough to resist exhaustive key search; the two other sizes are mostly a way to comply with rigid US military regulations)
  • has no academic weakness worse than exhaustive key search
  • should be as fast as 3DES (AES turned out to be much faster than 3DES in software, typically 5 to 10 times faster)

The resistance of AES towards differential and linear cryptanalysis comes from a better "avalanche effect" (a bit flip at some point quickly propagates to the complete internal state) and specially crafted, bigger "S-boxes" (an S-box is a small lookup table used within the algorithm, and is an easy way to add non-linearity; in DES, S-boxes have 6-bit inputs and 4-bit outputs; in AES, S-boxes have 8-bit inputs and 8-bit outputs). The design of the AES benefited from 25 years of insights and research on DES. Also, the AES was chosen through an open competition with 15 candidates from as many research teams around the world, and the total amount of brain resources allocated to that process was tremendous. The original DES designers were geniuses, but one could say that the aggregate effort of cryptographers for the AES has been far greater.

From a philosophical point of view, we could say that what makes a cryptographic primitive secure is the amount of effort invested in its design. At least, that effort is what creates the perception of security: when I use a cryptosystem, I want it to be secure, but I also want to be certain that it is secure (I want to sleep at night). The public design and analysis process helps quite a lot in building that trust. NIST (the US body for standardization of such things) learned that lesson well, and decided to again choose an open competition for SHA-3.
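
The block-size problem described in the answer, as an added example that is not part of the original answer: a constructed 16-bit toy Feistel cipher (not DES) run in CBC mode, so the 2^(n/2) bound is reached after a few hundred blocks and a repeated ciphertext block reveals the XOR of two plaintext blocks. The cipher, key, IV and function names are assumptions made for the demo; `birthday_limit_bytes` reproduces the 32-gigabyte figure for 64-bit blocks.

```python
import hashlib

def _f(key: bytes, rnd: int, half: int) -> int:
    # Toy round function (constructed for this demo, unrelated to DES internals).
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]

def toy_encrypt(key: bytes, block: int) -> int:
    # 4-round Feistel network on a 16-bit block: a permutation for every key.
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 8) | right

def cbc_encrypt(key: bytes, iv: int, blocks: list) -> list:
    # CBC: c_i = E(p_i XOR c_{i-1}), with c_{-1} = IV.
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt(key, p ^ prev)
        out.append(prev)
    return out

def find_leak(iv: int, ct: list):
    # First repeated ciphertext block. E is a permutation, so c_i == c_j
    # forces p_i ^ c_{i-1} == p_j ^ c_{j-1}, i.e. p_i ^ p_j == c_{i-1} ^ c_{j-1}.
    chain, seen = [iv] + ct, {}
    for j, c in enumerate(ct):
        if c in seen:
            i = seen[c]
            return i, j, chain[i] ^ chain[j]
        seen[c] = j
    return None

def birthday_limit_bytes(block_bits: int) -> int:
    # Data encrypted under one key when 2^(n/2) blocks have been produced.
    return 2 ** (block_bits // 2) * (block_bits // 8)

if __name__ == "__main__":
    import random
    rng = random.Random(7)                      # constructed sample plaintext
    pt = [rng.randrange(1 << 16) for _ in range(2000)]
    ct = cbc_encrypt(b"constructed-key", 0x1234, pt)
    i, j, x = find_leak(0x1234, ct)
    print(f"c[{i}] == c[{j}]  ->  p[{i}] ^ p[{j}] = {x:#06x}", pt[i] ^ pt[j] == x)
    for n in (64, 128):
        print(f"{n}-bit blocks: rekey well before {birthday_limit_bytes(n) / 2**30:.3g} GiB")
```

In practice the per-key data limit is set well below this bound, since the collision probability is already noticeable long before 2^(n/2) blocks.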
