
3.13 WLAN logical network

3.13.2 Typical applications used by users

The Advanced Encryption Standard (AES) is based on the Rijndael algorithm, an iterated block cipher with a variable block length and a variable key length. The block length and the key length can be specified independently of each other, between 128 and 256 bits. The Rijndael block cipher was selected by the National Institute of Standards and Technology (NIST), mainly because DES was an aging standard that no longer addressed the need for strong encryption.

Unlike its predecessor DES, AES is a substitution-permutation network, not a Feistel network. It is fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.

Because of the fixed block size of 128 bits, AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). Most AES calculations are done in a special finite field.

The algorithm is based on the following criteria:

• resistance against all known attacks;

• speed and compactness of code on a wide range of platforms;

• design simplicity.

In most ciphers, the round transformation has the Feistel structure, in which, typically, part of the bits of the intermediate state are simply transposed unchanged to another position. The round transformation in the Rijndael algorithm does not have a Feistel structure. Instead, the round transformation is composed of three distinct invertible uniform transformations called layers. By uniform, we mean that every bit of the state is treated in a similar way.

The specific choices for the different layers are largely based on the application of the wide trail strategy, a design method that provides resistance against linear and differential cryptanalysis. Each layer has its own function, as follows:

• The linear mixing layer guarantees high diffusion over multiple rounds.

• The non-linear layer provides for the parallel application of S-boxes that have optimum worst-case non-linear properties.

• The key addition layer is a simple XOR of the round key into the intermediate state.

The ‘state’ of the cipher can be pictured as a rectangular array of bytes with four rows, the number of columns being denoted by Nb and equal to the block length divided by 32. The cipher key is similarly pictured as a rectangular array with four rows, the number of columns of the cipher key being denoted by Nk and equal to the key length divided by 32.

Encryption takes place using four stages:

1. Substitute bytes: uses an S-box to perform byte-by-byte substitution of the block.

2. Shift rows: a simple permutation.

3. Mix columns: a substitution.

4. Add round key: bitwise XOR of the current block and a portion of the expanded key.

The Rijndael cipher is suited to efficient implementation on a wide range of processors and on dedicated hardware. On an 8-bit processor, the algorithm can be programmed by simply implementing the different component transformations. This is straightforward for the row shift (RowShift) and for the round key addition. The implementation of byte-by-byte substitution (ByteSub) requires a table of 256 bytes. The round key addition, ByteSub and RowShift can be combined efficiently and executed serially per state byte. The indexing overhead is minimised by explicitly coding the operation for every state byte. The different steps of the round transformation can be combined into a single set of lookup tables, allowing very fast implementations on processors with word lengths of 32 bits or above.
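The four stages and the three layers described above, carried out on a 4×4 byte state, as an added Python example (not code from the original text): it derives the S-box from the GF(2^8) inverse and the affine map, runs the FIPS-197 key schedule, and applies ten rounds for a 16-byte key. Column-major state storage and the round-count of ten are the standard's own; the function names are this example's.

```python
# Added example, not the page's own code: AES-128 encryption built from the four stages the
# text describes, on a 4x4 byte state stored column-major (state index = row + 4*col).
# Educational only; deployments should use a vetted, side-channel-hardened library.
def xtime(a):
    """Multiply by x (0x02) in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a
def gmul(a, b):                             # general GF(2^8) multiplication (MixColumns)
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r
def _build_sbox():                          # S-box = affine map of the GF(2^8) inverse
    sbox = []
    for a in range(256):
        inv = a
        for _ in range(6):
            inv = gmul(gmul(inv, inv), a)   # a^127
        inv = gmul(inv, inv)                # a^254 = a^-1 (and 0 stays 0)
        b = inv ^ 0x63
        for s in (1, 2, 3, 4):              # affine part: XOR of four left rotations
            b ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox.append(b)
    return sbox
SBOX = _build_sbox()
def expand_key(key):
    """FIPS-197 key schedule for a 16-byte key: eleven 16-byte round keys."""
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                      # RotWord, SubWord, then XOR the round constant
            t = [SBOX[x] for x in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def shift_rows(s):                          # row r rotates left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def mix_columns(s):                         # column times {03}x^3 + {01}x^2 + {01}x + {02}
    col = lambda c, r: s[4 * c + r % 4]
    return [gmul(col(c, r), 2) ^ gmul(col(c, r + 1), 3) ^ col(c, r + 2) ^ col(c, r + 3)
            for c in range(4) for r in range(4)]
def aes128_encrypt(key, block):             # ten rounds; the last one omits MixColumns
    rk = expand_key(key)
    s = [x ^ y for x, y in zip(block, rk[0])]        # AddRoundKey is where the key enters
    for rnd in range(1, 11):
        s = shift_rows([SBOX[b] for b in s])         # SubBytes then ShiftRows
        if rnd != 10:
            s = mix_columns(s)
        s = [x ^ y for x, y in zip(s, rk[rnd])]
    return bytes(s)
```

With the FIPS-197 Appendix C.1 vector (key 00 01 … 0f, plaintext 00 11 22 … ff) the function returns the ciphertext 69c4e0d86a7b0430d8cdb78070b4c55a.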

The cipher is also suited to implementation in dedicated hardware, where several trade-offs between area and speed are possible. Because software implementations on general-purpose processors are usually very fast, the need for hardware implementations is usually limited to two specific cases:

(i) Extremely high speed chips with no area restrictions: the look-up tables can be hardwired and the XOR operations can be conducted in parallel.

(ii) Compact co-processors on a Smart Card to speed up execution: for this platform, typically, the S-box operation can be hardwired.

In the table look-up implementation, it is essential that the only non-linear step (ByteSub) is the first transformation in a round and that the rows are shifted before column mixing is applied. In the inverse of a round, the order of the transformations is reversed; consequently, the non-linear step ends up being the last step of the inverse round, and the rows are shifted after the application of (the inverse of) the column mixing.

AES cryptosystems are expected to perform strongly for all key lengths and block lengths defined. The most efficient key recovery attack on AES is exhaustive key search, which is also the most efficient way of obtaining information from given plaintext-ciphertext pairs. The expected effort of exhaustive key search depends on the length of the cipher key:

• For a 16-byte key, 2^127 applications of the Rijndael algorithm.

• For a 24-byte key, 2^191 applications of the Rijndael algorithm.

• For a 32-byte key, 2^255 applications of the Rijndael algorithm.

The rationale for this is that a considerable safety margin is taken with respect to all known attacks. It is, however, impossible to make non-speculative statements with regard to unknown matters.

The principal advantage of this cipher is that it does not base its security, or any part of it, on obscure and poorly understood interactions between arithmetic operations. The variable block lengths allow the construction of collision-resistant iterated functions. Although the number of rounds is hard-wired in the algorithm specifications, it can be modified as a parameter to enhance security.

In terms of a software application, the cipher and its inverse make use of different codes and/or tables. In hardware, the inverse cipher can only partially re-use the circuitry that implements the cipher. Encryption is performed at the add round key stage; this is the only stage in which the key is used. Thus, ciphering always begins with this round. The other three stages provide confusion, diffusion and non-linearity. Since the key is not used in these stages, no security is provided. The ciphering process can be viewed as alternating operations of XOR encryption of a block followed by scrambling of the block (the other three stages) followed by XOR encryption. This provides for efficiency and strong encryption.

As of 2006, the only successful attacks against AES have been side channel attacks. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced that AES may be used for classified information: ‘The design and strength of all key lengths of the AES algorithm (i.e. 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.’ This marks the first time that the public has had access to a cipher approved by NSA for encryption of TOP SECRET information. Many public products use 128-bit secret keys by default; it is possible that NSA suspects a fundamental weakness in keys this short, or they may simply prefer a safety margin for top secret documents (which may require security decades into the future).

The most common way to attack block ciphers is to try various attacks on versions of the cipher with a reduced number of rounds. AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys. Some cryptographers worry about the security of AES: they feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. There is a risk that some way to improve such attacks might be found, and then the cipher could be broken.