为什么 AES 比 DES 更安全? [英] Why is AES more secure than DES?
问题描述
我开始学习加密算法,并且了解上述算法的工作原理.AES的密钥长度更长吗?AES 加密的哪些步骤使其比 DES 更不容易受到攻击?
I am beginning to learn crypto algorithms and I understand how the above mentioned algorithms work. Is it that the key length of AES is longer? Which steps of AES encryption makes it less vulnerable than DES?
推荐答案
DES被设计为有效密钥长度为56位,容易受到详尽搜索.它也有一些针对差分和线性密码分析的弱点:它们允许分别使用 247 个选择的明文或 243 个已知明文来恢复密钥.已知明文是一个加密块(一个 8 字节块,对于 DES),攻击者知道其对应的解密块.选择的明文是一种已知的明文,攻击者可以在其中选择自己解密的块.在实际的攻击条件下,无法真正获得如此大量的已知或选择的明文,因此差分和线性密码分析不会真正影响DES的实际安全性;最薄弱的一点是短键.尽管如此,从学术角度来看,这些攻击的复杂性低于穷举键搜索(平均使用 255 次调用),被视为缺乏安全感.
DES was designed with an effective key length of 56 bits, which is vulnerable to exhaustive search. It also has some weaknesses against differential and linear cryptanalysis: these allow to recover the key using, respectively, 247 chosen plaintexts, or 243 known plaintexts. A known plaintext is an encrypted block (an 8-byte block, for DES) for which the attacker knows the corresponding decrypted block. A chosen plaintext is a kind of known plaintext where the attacker gets to choose himself the decrypted block. In practical attack conditions, such huge amounts of known or chosen plaintexts cannot really be obtained, hence differential and linear cryptanalysis do not really impact the actual security of DES; the weakest point is the short key. Still, the existence of those attacks, which, from an academic point of view, have less complexity than the exhaustive key search (which uses 255 invocations on average), is perceived as a lack in security.
附带说明,DES 设计者知道差异分析,并且 DES 对其进行了强化(因此好分数"为 247).按照今天的标准,我们会认为它不够好",因为现在的学术传统要求攻击复杂性高于穷举搜索.尽管如此,DES 的设计者还是很优秀的.他们不知道 Matsui 在 1992 年发现的线性密码分析,线性密码分析在 DES 上比差分密码分析更有效,但在实践中应用起来非常困难(243 个已知明文块, 那是 64 TB...).
As a side note, differential analysis was known to the DES designers, and DES was hardened against it (hence the "good score" of 247). With today's standards, we would consider it as "not good enough" because it is now academic tradition to require attack complexity above exhaustive search. Still, the DES designers were really good. They did not know about linear cryptanalysis, which was discovered by Matsui in 1992, and linear cryptanalysis is more effective on DES than differential cryptanalysis, and yet is devilishly difficult to apply in practice (243 known plaintext blocks, that's 64 terabytes...).
因此,DES 的结构弱点在于它的密钥大小和它的短块大小:对于 n 位块,一些加密模式在 2n/2 块使用相同的密钥加密.对于 64 位 DES 块,这发生在加密 32 GB 的数据之后,这是一个很大但不是很大的数字(昨天,我买了一个比这大 30 倍的硬盘).
The structural weaknesses of DES are thus its key size, and its short block size: with n-bit blocks, some encryption modes begin to have trouble when 2n/2 blocks are encrypted with the same key. For the 64-bit DES blocks, this occurs after encrypting 32 gigabytes worth of data, a big but not huge number (yesterday, I bought a harddisk which is thirty times bigger than that).
DES 的一种变体称为 3DES:即或多或少地连续三个 DES 实例.这解决了密钥大小问题:3DES 密钥包含 168 位(名义上是 192 位,其中 24 位应该用作奇偶校验,但实际上完全忽略),并且对 168 位密钥的详尽搜索是完全超出了人类技术的范围.从(再次)学术角度来看,在 3DES 上存在成本为 2112 的攻击,这也是不可行的.差分密码分析和线性密码分析被 3DES 打败了(它们的复杂度随着轮数的增加而上升很多,3DES 代表 48 轮,而普通 DES 是 16 轮).
A variant on DES is called 3DES: that's, more or less, three DES instances in a row. This solves the key size issue: a 3DES key consists in 168 bits (nominally 192 bits, out of which 24 bits are supposed to serve as parity check, but are in practice wholly ignored), and exhaustive search on a 168-bit key is wholly out of reach of human technology. From (again) an academic point of view, there is an attack with cost 2112 on 3DES, which is not feasible either. Differential and linear cryptanalysis are defeated by 3DES (their complexity rises quite a bit with the number of rounds, and 3DES represents 48 rounds, vs 16 for the plain DES).
然而 3DES 仍然存在 DES 的块大小问题.此外,它也很慢(DES 用于硬件实现,而不是软件,3DES 甚至比 DES 慢三倍).
Yet 3DES still suffers from the block size issues of DES. Also, it is quite slow (DES was meant for hardware implementations, not software, and 3DES is even three times slower than DES).
因此,AES 被定义为具有以下要求:
Thus, AES was defined with the following requirements:
- 128 位块(解决 CBC 问题)
- 接受大小为 128、192 和 256 位的密钥(128 位足以抵抗详尽的密钥搜索;另外两种大小主要是为了遵守严格的美国军事法规)
- 没有比详尽的关键字搜索更糟糕的学术弱点
- 应该与 3DES 一样快(事实证明,AES 在软件中比 3DES 快得多,通常快 5 到 10 倍)
AES 对差分和线性密码分析的抵抗力来自于更好的雪崩效应"(在某些时候有点翻转会迅速传播到完整的内部状态)和特制的、更大的S-box"(一个 S-box 是算法中使用的一个小型查找表,是一种添加非线性的简单方法;在 DES 中,S-box 有 6 位输入和 4 位输出;在 AES 中,S-盒子有 8 位输入和 8 位输出).AES 的设计得益于 25 年来对 DES 的见解和研究.此外,AES 是通过与来自世界各地多个研究团队的 15 名候选人的公开竞争选出的,分配给该过程的大脑资源总量是巨大的.最初的 DES 设计者是天才,但可以说密码学家为 AES 付出的努力要大得多.
The resistance of AES towards differential and linear cryptanalysis comes from a better "avalanche effect" (a bit flip at some point quickly propagates to the complete internal state) and specially crafted, bigger "S-boxes" (a S-box is a small lookup table used within the algorithm, and is an easy way to add non-linearity; in DES, S-boxes have 6-bit inputs and 4-bit outputs; in AES, S-boxes have 8-bit inputs and 8-bit outputs). The design of the AES benefited from 25 years of insights and research on DES. Also, the AES was chosen through an open competition with 15 candidates from as many research teams around the world, and the total amount of brain resources allocated to that process was tremendous. The original DES designers were genius, but one could say that the aggregate effort of cryptographers for the AES has been far greater.
从哲学的角度来看,我们可以说,使密码原语安全的是在其设计中投入的精力.至少,这种努力创造了安全感:当我使用密码系统时,我希望它是安全的,但我也希望确定它是安全的安全(我想晚上睡觉).公共设计和分析过程对建立这种信任有很大帮助.NIST(美国此类事物的标准化机构)很好地吸取了教训,并决定再次为 SHA-3.
On a philosophical point of view, we could say that what makes a cryptographic primitive secure is the amount of effort invested in its design. At least, that effort is what creates the perception of security: when I use a cryptosystem, I want it to be secure, but I also want to be certain that it is secure (I want to sleep at night). The public design and analysis process helps quite a lot in building that trust. NIST (the US body for standardization of such things) learned that lesson well, and decided to again choose an open competition for SHA-3.
这篇关于为什么 AES 比 DES 更安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
