10.20
Most people that using encryption software don’t know much about the algorithm they use. Who created it? Is it safe? While some softwares do offer several algorithms, some other just provide one, some even don’t give much details about their own algorithms.
We’ll try to give a basic approach and details of algorithms that you maybe find in commercial or opensource products
3-Way is a simple and fast cipher designed by Joan Daemen. 3-Way features
a 96-bit key length and a 96-bit block length. 3-Way is an iterated block cipher that repeats some relatively simple operations a specified number of rounds. [url=http://www.cs.berkeley.edu/~daw/]David Wagner[/url], John Kelsey, and [url=http://www.counterpane.com/schneier.html]Bruce Schneier[/url] of [url=http://www.counterpane.com] Counterpane Systems[/url] have discovered a related key attack on 3-Way that requires one related key query and about 222 chosen plaintexts, described in [url=http://www.cs.berkeley.edu/~daw/papers/keysched-icics97.ps]this paper[/url]. 3-Way is unpatented.
Blowfish
Blowfish is a block cipher designed by [url=http://www.counterpane.com/schneier.html]Bruce Schneier[/url], author of [url=http://www.counterpane.com/applied.html]Applied Cryptography[/url]. Blowfish combines a Feistel network, key-dependent S-Boxes, and a non-invertible F function to create what is perhaps one of the most secure algorithms available. Schneier’s paper is available [url=http://www.counterpane.com/bfsverlag.html]here[/url]. Blowfish is also described in the [url=concepts.htm]Concepts of Cryptography[/url] page. The only known attacks against Blowfish are based on its weak
key classes.
CAST, designed by Carlisle Adams and Stafford Taveres, is shaping up to be a solid algorithm. Its design is very similar to Blowfish’s, with key-dependent S-Boxes, a non-invertible f function, and a Feistel network-like structure (called a substitution-permutation network) [url=http://www.cs.berkeley.edu/~daw/]David Wagner[/url], John Kelsey, and [url=http://www.counterpane.com/schneier.html]Bruce Schneier[/url] have discovered a related-key attack on the 64-bit version of CAST that requires approximately 217 chosen plaintexts, one related query, and 248 offline computations (described in [url=http://www.cs.berkeley.edu/~daw/papers/keysched-icics97.ps]this paper[/url]). The attack is infeasible at best. CAST is patented by Entrust Technologies, which has generously [url=http://www.entrust.com/news/files/01_24_97.htm]released it for free use[/url]. The CAST cipher design process is described in [url=http://www.ietf.org/rfc/rfc2144.txt]this paper[/url] and the 128-bit version is described in [url=http://www.entrust.com/resources/pdf/castadd.pdf]this addendum[/url]. Carlisle Adams has submitted a version of CAST ([url=http://www.faqs.org/rfcs/rfc2612.html]CAST-256[/url]) as an AES candidate.
CMEA
CMEA is the encryption algorithm developed by the Telecommunications Industry Association to encrypt digital cellular phone data. It uses a 64-bit key and features a variable block length. CMEA is used to encrypt the control channel of cellular phones. It is distinct from ORYX, an
also insecure stream cipher that is used to encrypt data transmitted over digital cellular phones. It has been broken by [url=http://www.cs.berkeley.edu/~daw/]David Wagner[/url], John Kelsey, and [url=http://www.counterpane.com/schneier.html]Bruce Schneier[/url] of [url=http://www.counterpane.com] Counterpane Systems[/url]. Their paper, which also provides an excellent description of the CMEA algorithm, is available [url=http://www.counterpane.com/cmea-abstract.html]here[/url].
DES
Designed at IBM during the 1970s and officially adopted as the NIST standard encryption algorithm for unclassified data in 1976, DES has become the bastion of the cryptography market. However, DES has since become outdated, its long reign as official NIST algorithm ending in
1997. Though DES accepts a 64-bit key, the key setup routines effectively discard 8 bits, giving DES a 56-bit effective keylength. DES remains widely in use. During the design of DES, the [url=http://www.nsa.gov/]NSA[/url] provided secret S-Boxes. After differential cryptanalysis had been discovered outside the closed fortress of the NSA, it was revealed that the DES S-boxes were designed to be resistant against differential cryptanalysis.
DES is becoming weaker and weaker over time; modern computing power is fast approaching the computational horsepower needed to easily crack DES.
DES was designed to be implemented only in hardware, and is therefore extremely slow in software. A [url=http://www.interhack.net/pubs/des-key-crack/]recent successful effort [/url]to crack DES took several thousand computers several months. The [url=http://www.eff.org]EFF[/url] has sponsored the development of a crypto chip named "Deep Crack" that can process 88 billion DES keys per second and has [url=http://www.eff.org/descracker.html] successfully cracked 56 bit DES[/url] in less than 3 days.
Triple-DES
A variant of DES, [url=http://www.rsasecurity.com/rsalabs/faq/3-2-6.html]Triple-DES[/url] (also 3DES) is based on using DES three times. This means that the input data is encrypted three times. The Triple-DES is considered much stronger than DES, however, it is rather slow compared to some new block ciphers.
DEAL
DEAL is an interesting AES submission and, like all AES submissions, it uses a 128 bit block and accepts 128 bit, 192 bit, and 256 bit keylengths. It uses DES as its inner round function and its authors suggest at least 6, preferably 8 rounds (there are some attacks against DEAL). There is a paper available [url=http://www.mat.dtu.dk/people/Lars.R.Knudsen/papers/deal.ps]here[/url] that describes some attacks, all of which can be cured by using at least 8 rounds.
FEAL
Developed by the Nippon Telephone & Telegraph as an improvement to DES, the Fast Data Encipherment Algorithm (FEAL) is very insecure. FEAL-4, FEAL-8, and FEAL-N are all susceptible to a variety of cryptanalytic attacks, some requiring as little as 12 chosen plaintexts. FEAL is patented.
GOST
GOST is a cryptographic algorithm from Russia that appears to be the Russian analog to DES both politically and technologically. Its designers took no chances, iterating the GOST algorithm for 32 rounds and using a 256 bit key. Although GOST’s conservative design inspires confidence, John Kelsey has discovered a key-relation attack on GOST, described in a post to sci.crypt on 10 February 1996. There are also [url=http://www.cs.berkeley.edu/~daw/papers/keysched-crypto96.ps]weak keys in GOST[/url], but there are too few to be a problem when GOST is used with its standard set of S-boxes. You can read the official GOST algorithm description (translated from Russian) [url=http://www.jetico.sci.fi/gost.zip]here[/url]. There is also a description of the GOST algorithm [url=http://www.funet.fi/pub/crypt/cryptography/papers/gost/tr-94-9.ps.gz]here[/url].
IDEA
IDEA, developed in Zurich, Switzerland by Xuejia Lai and James Massey, is generally regarded to be one of the best and most secure block algorithm available to the public today. It utilizes a 128-bit key and is designed to be resistant to differential cryptanalysis. [url=ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/idea.ps.gz]Some attacks[/url] have been made against reduced round IDEA. Unfortunately, IDEA is patented; licensing information can be obtained from [url=http://www.ascom.ch/systec/idea.html]Ascom[/url].
LOKI
LOKI was designed as a possible replacement for DES. It operates on a 64-bit block and a 64-bit key. The first version of LOKI to be released was broken by differential cryptanalysis and was shown to have an 8-bit complementation property (this means that the number of keys that need to be searched in a brute force attack is reduced by 256). LOKI was revised and re-released as LOKI91. LOKI91 is secure against differential cryptanalysis, but LOKI easily falls to a chosen-key attack. The designers of LOKI have proposed [url=http://www.adfa.edu.au/~lpb/research/loki97/]LOKI97[/url] as an AES candidate, but [url=ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/loki97.ps.gz]linear and differential attacks[/url] on LOKI97 have already been proposed.
Lucifer
Lucifer was one of the first modern cryptographic algorithms. It was designed at IBM in the 1960s by Horst Feistel, of Feistel network fame. Lucifer is often considered to be a precursor to DES. There are several incarnations of Lucifer, each with the same name, which creates a good
deal of confusion. No version is secure. A paper on the [url=http://www.cs.technion.ac.il/~biham/Reports/cs782.ps.gz]differential cryptanlysis of Lucifer[/url] was written by Ishai Ben-Aroya & Eli Biham.
MacGuffin
MacGuffin is a cipher developed by Matt Blaze and Bruce Schneier as an experiment in cipher design. It uses a Feistel network (see the [url=concepts.htm]cryptography overview[/url] for details), but does not split the input evenly, instead dividing the 64 bit block into one 16 bit part and another 48 bit part. This is called a generalized unbalanced Feistel network (GUFN). Details are available [url=http://www.counterpane.com/macguffin.html]here[/url].
A differential attack on MacGuffin [url=http://www.cs.berkeley.edu/~daw/papers/mcg-paper-draft.ps]has been found[/url] that requires approximately 251.5 chosen plaintexts.
MARS
MARS is [url=http://www.ibm.com/]IBM’s[/url] AES submission. There is a [url=http://www.research.ibm.com/security/mars.html]MARS web page[/url] with a link to the [url=http://www.research.ibm.com/security/mars.ps]MARS paper[/url]. MARS uses 128 bit blocks and supports variable key sizes (from 128 to 1248 bits). MARS is unique in that it combines virtually every design technique known to cryptographers in one algorithm. It
uses addition and subtractions, S-boxes, fixed and data dependent rotations,
and multiplications.
MISTY
Misty is a cryptographic algorithm developed by Mitsubishi Electric
after they broke DES in 1994. It is designed to withstand linear and
differential cryptanalysis, but has not yet been cryptanalysed. As it has not undergone intensive peer review, the usual caution is recommended.
It is being considered for inclusion into the SET 2.0 standard. Visit the [url=http://www.security.melco.co.jp/SecWWW/MISTY/MISTY.htm]MISTY web page[/url] or read the author’s [url=http://www.security.melco.co.jp/SecWWW/MISTY/misty_e_b.pdf]paper on MISTY[/url].
MMB
MMB was designed as an alternative to IDEA that uses a 128-bit block instead of IDEA’s 64-bit block. It was designed using the same principles as IDEA. Unfortunately, it is not as secure as IDEA and several attacks exist against it. Its author, Joan Daemen, abandoned it and designed 3-Way.
NewDES
Although NewDES was developed by Robert Scott to possibly replace DES, NewDES has fallen short of expectations. NewDES has been proven to be weaker than DES, requiring 24 related-key probes and 530 chosen plaintext/ciphertext queries, as described in [url=http://www.cs.berkeley.edu/~daw/papers/keysched-icics97.ps]this paper[/url].
RC2
RC2, like RC4, was formerly a trade secret, but code purporting to be RC2 was posted to sci.crypt. It is archived [url=ftp://sable.ox.ac.uk/pub/crypto/misc/rrc2.tar.gz]here[/url]. [url=http://www.cs.berkeley.edu/~daw/]David Wagner[/url], John Kelsey, and [url=http://www.counterpane.com/schneier.html]Bruce Schneier[/url] [url=http://www.cs.berkeley.edu/~daw/papers/keysched-icics97.ps]have discovered[/url] a related-key attack on RC2 that requires one related-key query and approximately 234 chosen plaintexts. RC2 is not patented by [url=http://www.rsa.com/]RSA Data Security, Inc[/url];
it is just protected as a trade secret.
RC5
RC5 is a group of algorithms designed by Ron Rivest of RSA Data Security that can take on a variable block size, key size, and number of rounds. The block size is generally dependent on the word size of the machine the particular version of RC5 was designed to run on; on 32-bit processors (with 32-bit words), RC5 generally has a 64-bit block size. [url=http://www.cs.berkeley.edu/~daw/]David Wagner[/url], John Kelsey, and [url=http://www.counterpane.com/schneier.html]Bruce Schneier[/url] have [url=http://www.cs.berkeley.edu/~daw/papers/keysched-crypto96.ps]found weak keys[/url] in RC5, with the probability of selecting a weak key to be 2-10r, where r is the number of rounds. For sufficiently large r values (greater than 10), this is not a problem as long as you are not trying to build a hash function based on RC5. Kundsen has also found a differential [url=ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/rc5.ps.Z]attack on RC5[/url]. RC5 is described in [url=ftp://ftp.rsa.com/pub/cryptobytes/crypto1n2.pdf]this RSA document[/url]. RC5 is patented by [url=http://www.rsa.com/]RSA Security, Inc[/url].
RC6
RC6 is Ronald Rivest’s AES submission. Like all AES ciphers, RC6 works on 128 bit blocks. It can accept variable length keys. It is very similar to RC5, incorporating the results of various studies on RC5 to improve the algorithm. The studies of RC5 found that not all bits of data are
used to determine the rotation amount (rotation is used extensively in RC5); RC6 uses multiplication to determine the rotation amount and uses all bits of input data to determine the rotation amount, strengthening the avalanche effect.
REDOC
There are two versions of the REDOC algorithm, REDOC II, and REDOC III. REDOC II is considered to be secure; an attack has been made against one round of REDOC II, but could not be extended to all 10 recommended rounds. REDOC II is interesting in that it uses data masks to select the values in the S-boxes. REDOC II uses a 160-bit key and works on an 80-bit block. REDOC III was an attempt to make the painfully slow REDOC II faster. REDOC III, like REDOC III, operates on an 80-bit block, but can accept keys up to 20480 bits. However, REDOC III falls to differential
cryptanalysis, as described in [url=http://www.righto.com/papers/redoc.ps]this paper[/url].
Rijndael
Rijndael is an [url=http://csrc.nist.gov/encryption/aes/]AES winner[/url] by Joan Daemen and [url=http://www.esat.kuleuven.ac.be/~rijmen/index.html]Vincent Rijmen[/url]. The cipher has a variable block and key length, and the authors have demonstrated how to extend the block length and key length by multiples of 32 bits. The design of Rijndael was influenced by the SQUARE algorithm. The authors provide a [url=http://www.esat.kuleuven.ac.be/~rijmen/rijndael/rijndaeldocV2.zip]Rijndael specification[/url] and a more theoretical paper on their [url=http://www.esat.kuleuven.ac.be/~rijmen/rijndael/PropCorr.PDF]design principles[/url]. The authors have vowed to never patent Rijndael.
Safer
Safer was developed by Robert Massey at the request of Cylink Corporation. There are several different versions of Safer, with 40, 64, and 128-bit keys. A weakness in the key schedule was corrected, with an S being added to the original Safer K designation to create Safer SK. There are some [url=ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/trunc_dif_saf.ps.Z]attacks[/url] against reduced round variants of Safer. Safer is secure against differential and linear cryptanalysis. However, [url=http://www.counterpane.com/schneier.html]Bruce Schneier[/url], author of [url=http://www.counterpane.com/applied.html]Applied Cryptography[/url], recommends against using Safer because, "Safer was designed for Cylink, and Cylink is tainted by the [url=http://www.nsa.gov/]NSA[/url]."
Serpent
Serpent is an AES submission by Ross Anderson, Eli Biham, and Lars Knudsen. Its authors combined the design principles of DES with the recent development of bitslicing techniques to create a very secure and very fast algorithm. While bitslicing is generally used to encrypt multiple blocks in parallel, the designers of Serpent have embraced the technique of bitslicing and incorporated it into the design of the algorithm itself. Serpent uses 128 bit blocks and 256 bit keys. Like DES, Serpent includes an initial and final permutation of no cryptographic significance; these permutations are used to optimize the data before encryption. Serpent was released at the 5th International Workshop on Fast Software Encryption. This iteration of Serpent was called Serpent
0 and used the original DES S-boxes. After comments, the key schedule of Sperpent was changed slightly and the S-boxes were changed; this new iteration of Serpent is called Serpent 1. Serpent 1 resists both linear and differential attacks. The Serpent paper is available [url=http://www.cl.cam.ac.uk/ftp/users/rja14/serpent.ps.gz]here[/url].
SQUARE
SQUARE is an iterated block cipher that uses a 128-bit key length and a 128-bit block length. The round function of SQUARE is composed of four transformations: a linear transformation, a nonlinear transformation, a byte permutation, and a bitwise round-key addition. SQUARE was designed to be resistant to linear and differential cryptanalysis, and succeeds in this respect. The designers of SQUARE have developed an attack on SQUARE, but it cannot be extended past 6 rounds. A paper on SQUARE is available [url=ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/square/paper/fse.ps.gz]here[/url] and there are links to the paper and source code on the designers’ [url=http://www.esat.kuleuven.ac.be/~rijmen/square/index.html]web
site[/url].
Skipjack
In what surely signals the end of the Clipper chip project, the NSA [url=http://www.defenselink.mil/news/Jun1998/b06231998_bt316-98.html]has released[/url] Skipjack, its formerly secret encryption algorithm, to the public. Skipjack uses an 80 bit key. A fuzzy scan of the official NSA paper is available [url=http://csrc.nist.gov/encryption/skipjack/skipjack-kea.htm]here[/url] at the [url=http://www.nist.gov]NIST web site[/url], but it has been [url=http://jya.com/skipjack-spec.htm]transcribed[/url] by the folks over at [url=http://www.jya.com]jya.com[/url]. A reference implementation (in C) is available [url=http://jya.com/skipjack.txt]here[/url], and an optimized version is available [url=http://utter.chaos.org.uk/~markt/crypt/opt2-sj.zip]here[/url].
Eli Biham and Adi Shamir have published [url=http://www.cs.technion.ac.il/~biham/Reports/SkipJack/]some initial cryptanalytic results[/url] (which are growing more and more interesting as time progresses).
Tiny Encryption Algorithm (TEA)
TEA is a cryptographic algorithm designed to minimize memory footprint, and maximize speed. However, the cryptographers from [url=http://www.counterpane.com]Counterpane Systems[/url] have [url=http://www.cs.berkeley.edu/~daw/papers/keysched-crypto96.ps]discovered three related-key attacks [/url]on TEA, the best of which requires only 223 chosen plaintexts and one related key query. The problems arise from the overly simple key schedule. Each TEA key can be found to have three other equivalent keys, as described in [url=http://www.cs.berkeley.edu/~daw/papers/keysched-icics97.ps]a paper[/url] by [url=http://www.cs.berkeley.edu/~daw/]David Wagner[/url], John Kelsey, and [url=http://www.counterpane.com/schneier.html]Bruce Schneier[/url]. This precludes the possibility of using TEA as a hash function. Roger Needham and David Wheeler have proposed [url=http://www.cl.cam.ac.uk/ftp/users/djw3/xtea.ps] extensions to TEA[/url] that counter the above attacks.
Twofish
Twofish is [url=http://www.counterpane.com/]Counterpane Systems'[/url] AES submission. Designed by the Counterpane Team ([url=http://www.counterpane.com/schneier.html]Bruce Schneier[/url], John Kelsey, Doug Whiting, [url=http://www.cs.berkeley.edu/~daw/]David Wagner[/url], Chris Hall, and Niels Ferguson), Twofish has undergone extensive analysis by the Counterpane Team. There is a [url=http://www.schneier.com/paper-twofish-paper.html]paper[/url] available from the [url=http://www.schneier.com/twofish.html]Twofish web page[/url] and [url=http://www.schneier.com/download-twofish.html]source is provided[/url] in optimized C and assembly.