Cryptography and Network Security, Fourth Edition, by William Stallings
Lecture slides by Shoubao Yang, September 2007
Chapter 6: More on Symmetric Ciphers

"I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and sixty separate ciphers," said Holmes.
The Adventure of the Dancing Men, Sir Arthur Conan Doyle
Key Points (slides dated 6/30/2022)
- Multiple encryption is the technique of applying an encryption algorithm several times.
- Triple DES (3DES) uses the DES algorithm in three stages, with two or three keys in total.
- A mode of operation is a technique that strengthens a cipher or adapts it to a specific application.
- Symmetric ciphers have five standard modes of operation: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB), output feedback (OFB) and counter (CTR).
- A stream cipher is a symmetric cipher whose ciphertext is produced from the plaintext bit by bit or byte by byte.

Multiple Encryption and Triple DES
- Clearly a replacement for DES was needed: there are theoretical attacks that can break it, and exhaustive key search attacks have been demonstrated.
- AES is a new cipher alternative.
- Prior to this, the alternative was to use multiple encryption with DES implementations.
- Triple-DES is the chosen form.

Double-DES?
- Could use 2 DES encrypts on each block: C = E_K2(E_K1(P)), P = D_K1(D_K2(C)).
- And have a "meet-in-the-middle" attack, which works whenever a cipher is used twice, since X = E_K1(P) = D_K2(C): attack by encrypting P with all keys and storing the results, then decrypting C with all keys and matching X values.
- Can show it takes O(2^56) steps.

Double DES and Triple DES
- Double DES: given plaintext P and encryption keys K1 and K2, encryption is C = E_K2(E_K1(P)) and decryption is P = D_K1(D_K2(C)).
- Key length is 56 x 2 = 112 bits.
- There is a meet-in-the-middle attack problem.

Meet-in-the-Middle Attack
- This attack works against any block cipher used twice: if C = E_K2(E_K1(P)), then X = E_K1(P) = D_K2(C).
- Given a pair (P, C): encrypt P under all 2^56 possible K1 and store the results in a table sorted by X; then decrypt C under all 2^56 possible K2 and look for a match in the table.
- If a match is found, check the two candidate keys against a new plaintext-ciphertext pair; if both keys produce the correct ciphertext, accept them as the correct key pair.
- For any given plaintext P, double DES can produce 2^64 possible ciphertexts using 2^112 possible keys. On average, for a given P, the number of distinct 112-bit keys that produce a given ciphertext C is 2^112 / 2^64 = 2^48, i.e. 2^48 false alarms; adding one more 64-bit plaintext-ciphertext pair (2^64) reduces the false alarm rate to 2^-16, so the meet-in-the-middle attack finds the correct key with probability 1 - 2^-16, and attacking double DES takes only about 2^56 work.
Triple-DES with Two Keys
- Hence must use 3 encryptions; would seem to need 3 distinct keys.
- But can use 2 keys with the E-D-E sequence: C = E_K1(D_K2(E_K1(P))).
- N.B. encrypt & decrypt are equivalent in security; if K1 = K2 then it can work with single DES.
- Standardized in ANSI X9.17 & ISO 8732.
- No current known practical attacks.

Triple-DES with Three Keys
- Although there are no practical attacks on two-key Triple-DES, there are still some indications of weakness.
- We can use Triple-DES with three keys to avoid even these: C = E_K3(D_K2(E_K1(P))).
- It has been adopted by some Internet applications, e.g. PGP, S/MIME.

Known-Plaintext Attack on 3DES (diagram slide; only the title survived)

6.2 Block Cipher Modes of Operation
Electronic Codebook (ECB)
- The plaintext is split into 64-bit blocks (padded if necessary); each block is encrypted with the same key, so identical plaintext blocks give identical ciphertext blocks.

Advantages and Limitations of ECB
- Repetitions in the message may show in the ciphertext, if aligned with the message block, particularly with data such as graphics, or with messages that change very little, which become a code-book analysis problem.
- The weakness is due to the encrypted message blocks being independent.
- Main use is sending a few blocks of data.
Cipher Block Chaining (CBC)
- The encryption input is the XOR of the current plaintext block and the previous ciphertext block, forming a chain under the same key, so there is no longer a fixed relationship between a plaintext block and the input to the encryption function.

Advantages and Limitations of CBC
- Each ciphertext block depends on all preceding message blocks; thus a change in the message affects all ciphertext blocks after the change as well as the original block.
- Need an Initial Value (IV) known to sender & receiver; however, if the IV is sent in the clear, an attacker can change bits of the first block and change the IV to compensate, hence either the IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before the rest of the message.
- At the end of the message, handle a possible last short block by padding either with a known non-data value (e.g. nulls) or by padding the last block with a count of the pad size, e.g. b1 b2 b3 0 0 0 0 5: 3 data bytes, then 5 bytes pad+count.
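ECB and CBC over 64-bit blocks with the count-padding scheme the CBC slide describes, as an added example that is not part of the slides. The block cipher is an assumed stand-in (a small Feistel network built on SHA-256) so the code runs without DES; only the mode and padding logic is what the slides describe.

```python
# Added example, not from the slides: ECB and CBC with the "pad with count"
# scheme from the CBC slide (b1 b2 b3 0 0 0 0 5).  The 64-bit block cipher is a
# labelled stand-in (4-round Feistel, SHA-256 round function), NOT DES.
import hashlib
BLOCK = 8

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, block, decrypt=False):
    l, r = block[:4], block[4:]
    for n in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([n]) + r).digest()[:4])
    return r + l  # undo the final swap so the same network inverts itself

def pad_count(data):
    n = BLOCK - len(data) % BLOCK  # 1..8: zeros, then the count byte
    return data + bytes(n - 1) + bytes([n])

def unpad_count(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or any(data[-n:-1]):
        raise ValueError("bad padding")
    return data[:-n]

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    return b"".join(toy_block(key, b) for b in _blocks(pad_count(data)))

def cbc_encrypt(key, iv, data):
    prev, out = iv, []
    for b in _blocks(pad_count(data)):  # input = plaintext XOR previous ciphertext
        prev = toy_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for b in _blocks(ct):
        out.append(_xor(toy_block(key, b, decrypt=True), prev))
        prev = b
    return unpad_count(b"".join(out))

def repeated_blocks(ct):  # ciphertext blocks equal to an earlier one: the ECB leak
    return len(_blocks(ct)) - len(set(_blocks(ct)))

# Constructed sample: repeated 8-byte rows, as in a flat graphic.
KEY, IV, MSG = b"constructed-key", bytes(range(8)), b"PIXELROW" * 4 + b"end"
```

With MSG the ECB ciphertext shows the four repeated rows as identical blocks, while CBC hides them.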
Cipher Feedback (CFB)
- A technique for turning DES into a stream cipher: the message no longer has to be padded to whole blocks, it can run in real time, and when transmitting a character stream each character can be encrypted and sent immediately with a character-oriented stream cipher.
- Encryption: the input to the encryption function is a 64-bit shift register, initially loaded with the initialization vector IV. The high-order j bits of the encryption function output are XORed with the first plaintext unit P1 to produce j bits of ciphertext C1, which are shifted into the low end of the shift register; encryption continues with the next output XORed with P2, and so on until every plaintext unit has been encrypted.
- Decryption: the same scheme, but using the encryption function rather than the decryption function.

Advantages and Limitations of CFB
- Appropriate when data arrives in bits/bytes.
- Most common stream mode.
- Limitation is the need to stall while doing a block encryption after every n bits.
- Note that the block cipher is used in encryption mode at both ends.
- Errors propagate for several blocks after the error.

Output Feedback (OFB)
- Structurally similar to CFB, but in OFB the output of the encryption function is fed back into the shift register, whereas in CFB the ciphertext unit is fed back.
- Advantage: bit errors in transmission do not propagate. Disadvantage: more vulnerable than CFB to message stream modification attacks.

Advantages and Limitations of OFB
- Used when error feedback is a problem or where encryptions are needed before the message is available.
- Superficially similar to CFB, but the feedback is from the output of the cipher and is independent of the message.
- A variation of a Vernam cipher, hence must never reuse the same sequence (key+IV).
- Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs.
- Originally specified with m-bit feedback in the standards; subsequent research has shown that only OFB-64 should ever be used.
Counter (CTR)
- A "new" mode, though proposed early on.
- Similar to OFB but encrypts a counter value rather than any feedback value.
- Must have a different key & counter value for every plaintext block (never reused).
- Ci = Pi XOR Oi, with Oi = DES_K1(i).
- Uses: high-speed network encryptions.

Advantages and Limitations of CTR
- Efficiency: can do parallel encryptions, in advance of need; good for bursty high-speed links.
- Random access to encrypted data blocks.
- Provable security (as good as other modes).
- But must ensure never to reuse key/counter values, otherwise it could break (cf. OFB).
- Simplicity.

Stream Ciphers
- Process the message bit by bit (as a stream).
- Typically have a (pseudo)random stream key, combined (XOR) with the plaintext bit by bit.
- Randomness of the stream key completely destroys any statistical properties in the message.
- Ci = Mi XOR StreamKey_i. What could be simpler!
- But must never reuse a stream key, otherwise its effect can be removed and the messages recovered.
Structure of a Stream Cipher (diagram slide; only the title survived)

Stream Cipher Properties
Some design considerations are:
- long period with no repetitions
- statistically random
- depends on a large enough key
- large linear complexity
- correlation immunity
- confusion
- diffusion
- use of highly non-linear boolean functions

RC4
- A proprietary cipher owned by RSA DSI.
- Another Ron Rivest design, simple but effective.
- Variable key size, byte-oriented stream cipher.
- Widely used (web SSL/TLS, wireless WEP).
- Key forms a random permutation of all 8-bit values.
- Uses that permutation to scramble input info processed a byte at a time.

RC4 Key Schedule
- Starts with an array S of numbers: 0..255.
- Use the key to well and truly shuffle S; S forms the internal state of the cipher.
- Given a key k of length l bytes:
  for i = 0 to 255 do S[i] = i
  j = 0
  for i = 0 to 255 do
    j = (j + S[i] + k[i mod l]) (mod 256)
    swap(S[i], S[j])
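The key schedule above, together with the per-byte keystream step that the next slide gives, as an added example that is not part of the slides; it is checked against the widely published RC4 test vectors, and keystream_reuse_leak is an added helper illustrating the stream-cipher "never reuse a key" rule.

```python
# Added example, not from the slides: RC4 key schedule (KSA) and keystream
# generation (PRGA) exactly as the slides write them, checked against the
# widely published test vectors (key "Key", plaintext "Plaintext", etc.).
def rc4_key_schedule(key: bytes) -> list:
    S = list(range(256))                     # start with the identity permutation
    j = 0
    for i in range(256):                     # key bytes drive the shuffle
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(S: list):
    """Yield one keystream byte per step, shuffling S as it goes."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]         # t = S[i] + S[j] selects the byte

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): XOR data with the keystream."""
    ks = rc4_keystream(rc4_key_schedule(key))
    return bytes(b ^ next(ks) for b in data)

def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Illustrates the 'never reuse a key' rule: XOR of two ciphertexts under
    the same key cancels the keystream and equals XOR of the plaintexts."""
    return bytes(a ^ b for a, b in zip(rc4_crypt(key, m1), rc4_crypt(key, m2)))
```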
RC4 Encryption
- Encryption continues shuffling the array values; the sum of the shuffled pair selects the stream key value, which is XORed with the next byte of the message to en/decrypt:
  i = j = 0
  for each message byte M_i:
    i = (i + 1) (mod 256)
    j = (j + S[i]) (mod 256)
    swap(S[i], S[j])
    t = (S[i] + S[j]) (mod 256)
    C_i = M_i XOR S[t]

RC4 Security
- Claimed secure against known attacks; there have been some analyses, none practical.
- Result is very non-linear.
- Since RC4 is a stream cipher, must never reuse a key.
- There is a concern with WEP, but due to key handling rather than RC4 itself.

RC5
RC5 is a symmetric encryption algorithm designed by Ronald Rivest with the following features:
- suitable for software and hardware implementation
- fast: designed as a simple word-oriented algorithm to speed up computation
- usable on processors with different word lengths
- variable number of rounds
- variable key length
- simple: easy to implement and to assess the strength of the algorithm
- low memory requirements
- high security
- data-dependent rotations

RC5 Ciphers
- RC5 is a family of ciphers RC5-w/r/b: w = word size in bits (16/32/64), n.b. data block = 2w; r = number of rounds (0..255); b = number of bytes in the key (0..255).
- Nominal version is RC5-32/12/16, i.e. 32-bit words, so it encrypts 64-bit data blocks, using 12 rounds, with a 16-byte (128-bit) secret key.

RC5 Key Expansion
- RC5 uses 2r+2 subkey words (w bits each); subkeys are stored in array S_i, i = 0..t-1.
- The key schedule then consists of: initializing S to a fixed pseudorandom value based on the constants e and phi; copying the byte key (little-endian) into a c-word array L; and a mixing operation that combines L and S to form the final S array.

RC5 Key Expansion (diagram slide; only the title survived)

RC5 Encryption
- Split the input into two halves A & B:
  L0 = A + S[0]; R0 = B + S[1];
  for i = 1 to r do
    Li = ((Li-1 XOR Ri-1) <<< Ri-1) + S[2i];
    Ri = ((Ri-1 XOR Li) <<< Li) + S[2i+1];
- Each round is like 2 DES rounds.
- Note that rotation is the main source of non-linearity.
- Need a reasonable number of rounds (e.g. 12-16).

RC5 Modes
RFC 2040 defines 4 modes used by RC5:
- RC5 Block Cipher, is ECB mode
- RC5-CBC, is CBC mode
- RC5-CBC-PAD, is CBC with padding by bytes whose value is the number of padding bytes
- RC5-CTS, a variant of CBC whose output is the same size as the original message; uses ciphertext stealing to keep the size the same as the original
RC5 Ciphertext Stealing Mode (diagram slide; only the title survived)

Block Cipher Characteristics
Features seen in modern block ciphers are:
- variable key length / block size / number of rounds
- mixed operators, data/key dependent rotation
- key dependent S-boxes
- more complex key scheduling
- operation on the full data in each round
- varying non-linear functions

Blowfish
Proposed by Bruce Schneier in 1993; a symmetric block cipher with these features:
- fast: encrypts at 18 clock cycles per byte on a 32-bit processor
- compact: can run in less than 5K of memory
- simple: simple structure, easy to implement
- variable security: variable key length, from 32 bits to 448 bits

Subkey and S-box generation
- Uses a variable-length key of 32 to 448 bits, stored in the K array (K_j), to generate 18 32-bit subkeys stored in the P array (P_j) and four 8x32 S-boxes holding 1024 32-bit entries in total, stored in S_{i,j}.

Blowfish Key Schedule
- Uses a 32 to 448 bit key to generate 18 32-bit subkeys stored in the K-array K_j, and four 8x32 S-boxes stored in S_{i,j}.
- The key schedule consists of: initialize the P-array and then the 4 S-boxes using pi; XOR the P-array with the key bits (reused as needed); loop repeatedly encrypting data using the current P & S and replace successive pairs of P, then S values; requires 521 encryptions, hence slow in re-keying.

Steps for generating the P array and S boxes
1. Initialize the P array and the 4 S-boxes with the fractional part of a constant.
2. XOR the P array with the K array bit by bit.
3. Encrypt a 64-bit block using the current P and S arrays, and replace P1 and P2 with the encryption output.
4. Encrypt the output of step 3 using the current P and S arrays, and replace P3 and P4 with the resulting ciphertext.
5. Repeat this process to update all elements of the P and S arrays, each step using the output of the continually changing Blowfish algorithm; 512 encryptions are executed in total.
- Blowfish is not suitable for applications where the key changes frequently, nor for applications with limited storage space.

Blowfish Encryption
- Two basic operations: addition mod 2^32 and bitwise XOR.
- The data is split into left and right halves L0 & R0:
  for i = 1 to 16 do
    Ri = Li-1 XOR Pi;
    Li = F(Ri) XOR Ri-1;
  L17 = R16 XOR P18;
  R17 = L16 XOR P17;
- where F(a,b,c,d) = ((S1,a + S2,b) XOR S3,c) + S4,d

Blowfish's S-boxes are key dependent; the subkeys and S-boxes are generated by repeatedly running Blowfish itself, so that all the bits are thoroughly entangled and cryptanalysis is very difficult. Each round operates on both halves of the data, which increases the strength of the cipher. By choosing an appropriate key length