为什么AES比DES更安全? [英] Why is AES more secure than DES?
问题描述
我开始学习加密算法和我理解上述算法的工作。难道AES的密钥长度越长?其中AES加密措施使得它比DES不太容易?
I am beginning to learn crypto algorithms and I understand how the above mentioned algorithms work. Is it that the key length of AES is longer? Which steps of AES encryption makes it less vulnerable than DES?
推荐答案
DES被设计成具有56位的有效密钥长度,这是容易的穷举搜索。它也具有抗差分和线性密码分析的一些弱点:它们允许使用,分别收回钥匙,2 47 选择明文或2 43 已知明文。 A 已知明文的是一个加密的块(8字节块,用于DES),这些攻击者知道对应的解密模块。 A 选择明文的是一种已知明文攻击者所在就可以选择自己的解密块。在实际攻击条件下,已知或选择明文不能真正获得如此巨大的数额,因此差分和线性密码分析并不真正影响DES的实际安全;最弱的一点是短键。尽管如此,这些攻击,其中,从一个的的学术观点的,有比穷举密钥搜索的复杂性更小的存在(它使用2 55 平均调用),是被认为是一个缺乏安全性。
DES was designed with an effective key length of 56 bits, which is vulnerable to exhaustive search. It also has some weaknesses against differential and linear cryptanalysis: these allow to recover the key using, respectively, 247 chosen plaintexts, or 243 known plaintexts. A known plaintext is an encrypted block (an 8-byte block, for DES) for which the attacker knows the corresponding decrypted block. A chosen plaintext is a kind of known plaintext where the attacker gets to choose himself the decrypted block. In practical attack conditions, such huge amounts of known or chosen plaintexts cannot really be obtained, hence differential and linear cryptanalysis do not really impact the actual security of DES; the weakest point is the short key. Still, the existence of those attacks, which, from an academic point of view, have less complexity than the exhaustive key search (which uses 255 invocations on average), is perceived as a lack in security.
作为一个侧面说明,差异分析是众所周知的DES设计师和DES硬化反对(因此好成绩的2 47 )。随着今天的标准,我们会考虑它是不够好,因为现在的学术传统,要求攻击的复杂性上面穷举搜索。尽管如此,DES设计师们真的很好。他们不知道的线性分析,这是在1992年发现的松井,以及线性分析更为有效的DES比差分分析,却是魔鬼般难以在实践中应用(2 43 已知明文块,这是64 TB的...)。
As a side note, differential analysis was known to the DES designers, and DES was hardened against it (hence the "good score" of 247). With today's standards, we would consider it as "not good enough" because it is now academic tradition to require attack complexity above exhaustive search. Still, the DES designers were really good. They did not know about linear cryptanalysis, which was discovered by Matsui in 1992, and linear cryptanalysis is more effective on DES than differential cryptanalysis, and yet is devilishly difficult to apply in practice (243 known plaintext blocks, that's 64 terabytes...).
DES的结构性弱点因此它的密钥大小以及其短块大小:用的 N 的比特块,一些加密模式开始时,有2 的ñ麻烦的/ 2 块被加密的相同的密钥。对于64位DES块,这种情况发生加密32千兆字节的价值的数据,一个大而不数量庞大(昨天,我买了一个硬盘,它比大三十次)之后。
The structural weaknesses of DES are thus its key size, and its short block size: with n-bit blocks, some encryption modes begin to have trouble when 2n/2 blocks are encrypted with the same key. For the 64-bit DES blocks, this occurs after encrypting 32 gigabytes worth of data, a big but not huge number (yesterday, I bought a harddisk which is thirty times bigger than that).
这是DES的变体被称为3DES:那是,或多或少,三DES情况下,在一排。这解决了关键尺寸问题:一个3DES密钥由在168位(标称192位,其中24位都应该作为奇偶校验,但是在实践中是完全忽略),并在168位密钥穷举搜索是全出人类科技拿不到的地方。从(重)的学术角度看,有成本2 112 的3DES的攻击,这是不可行的两种。差分和线性密码分析由3DES败(其复杂度的提高相当多的与轮数,和3DES重新presents 48发,比16为平原DES)的
A variant on DES is called 3DES: that's, more or less, three DES instances in a row. This solves the key size issue: a 3DES key consists in 168 bits (nominally 192 bits, out of which 24 bits are supposed to serve as parity check, but are in practice wholly ignored), and exhaustive search on a 168-bit key is wholly out of reach of human technology. From (again) an academic point of view, there is an attack with cost 2112 on 3DES, which is not feasible either. Differential and linear cryptanalysis are defeated by 3DES (their complexity rises quite a bit with the number of rounds, and 3DES represents 48 rounds, vs 16 for the plain DES).
然而,3DES仍然遭受DES的块大小的问题。此外,它是相当慢(DES是为了对硬件实现,而不是软件和3DES甚至三倍速度慢于DES)的
Yet 3DES still suffers from the block size issues of DES. Also, it is quite slow (DES was meant for hardware implementations, not software, and 3DES is even three times slower than DES).
因此,AES被定义为下列要求:
Thus, AES was defined with the following requirements:
- 128位数据块(解决了CBC问题)
- 在接受大小为128,192键和256位(128位足以抵抗穷举密钥搜索;另外两个尺寸大多是一种方法,都符合严格的美国军规)
- 在没有学历的弱点比穷举密钥搜索 差
- 应尽可能快地3DES(AES竟然是比3DES快于软件,一般是5至10倍更快)
AES朝差分和线性密码分析的阻力来自于一个更好的雪崩效应(一个位翻转在某些时候迅速传播到整个内部状态)和特制的,更大的S盒(A S盒的是算法中使用一个小的查找表,是一种简单的方式来增加非线性;在DES,S盒有6位输入和4位输出;在AES,S-框有8位输入和8位输出)。对AES的设计得益于25年的DES的见解和研究。此外,AES通过与15名候选人在世界各地公开的竞争,从尽可能多的研究团队被选中,并分配给该进程的大脑资源的总量是巨大的。最初的DES设计师们天才,但人们可以说,密码学家对AES的总的努力已经远远更大。
The resistance of AES towards differential and linear cryptanalysis comes from a better "avalanche effect" (a bit flip at some point quickly propagates to the complete internal state) and specially crafted, bigger "S-boxes" (a S-box is a small lookup table used within the algorithm, and is an easy way to add non-linearity; in DES, S-boxes have 6-bit inputs and 4-bit outputs; in AES, S-boxes have 8-bit inputs and 8-bit outputs). The design of the AES benefited from 25 years of insights and research on DES. Also, the AES was chosen through an open competition with 15 candidates from as many research teams around the world, and the total amount of brain resources allocated to that process was tremendous. The original DES designers were genius, but one could say that the aggregate effort of cryptographers for the AES has been far greater.
在对哲学的角度来看,我们可以说,是什么让一个加密的原始安全是努力投资于它的设计量。至少,这种努力是创建的感知安全的的:当我使用一个密码,我希望它是安全的,但我也想成为的某种的,这是安全(我想在晚上睡觉)。公共设计和分析过程帮助了很多在构建信任。 NIST(美国机构的这种事情标准化),这个教训好了,并决定再次选择了 SHA-公开竞争3 。
On a philosophical point of view, we could say that what makes a cryptographic primitive secure is the amount of effort invested in its design. At least, that effort is what creates the perception of security: when I use a cryptosystem, I want it to be secure, but I also want to be certain that it is secure (I want to sleep at night). The public design and analysis process helps quite a lot in building that trust. NIST (the US body for standardization of such things) learned that lesson well, and decided to again choose an open competition for SHA-3.
这篇关于为什么AES比DES更安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
