Methods of breaking encryption algorithms

Encryption is one of the main (and probably the most effective) methods of protecting the confidentiality of data, that is, protecting data from unauthorised disclosure. Encryption is the transformation of plaintext into ciphertext according to a certain encryption algorithm with the participation of a unique element, the encryption key; this forward transformation is called encryption ("зашифрование"). The reverse transformation, recovering the plaintext from the ciphertext, is called decryption ("расшифрование"); a key also participates in this operation.

The encryption key is related to the decryption key in a certain way; in what follows we consider only those encryption algorithms in which the decryption key and the encryption key coincide (symmetric encryption).

The encryption key "personalises" the encryption algorithm: without knowledge of the required key it is quite difficult to decrypt the data. The degree of difficulty of recovering the plaintext from the ciphertext (and of recovering the encryption key given a certain set of data, on which more below) is one of the basic characteristics of an encryption algorithm and is called its cryptographic strength ("криптостойкость").

The science of counteracting cryptographic methods of protection (which include encryption) is called cryptanalysis. In essence, cryptanalysis is a set of mathematical methods for breaking encryption algorithms. The same evolutionary contest is clearly visible here as in the case of armour and shell: ever stronger encryption algorithms appear (without loss in other important characteristics, for example speed), in reply to which ever more sophisticated methods of breaking them are invented.

Let us consider modern cryptanalytic methods, beginning with a classification of attacks on encryption algorithms.

Attacks on encryption algorithms

When carrying out an attack, the cryptanalyst can set as the goal the solution of one of the following problems:

1. Recovering the plaintext from the ciphertext.

2. Computing the encryption key.

Generally, the second problem is substantially harder than the first. However, having obtained the encryption key, the cryptanalyst can subsequently decrypt all data encrypted with that key. Such an attack (if carried out successfully) is called a complete break of the encryption algorithm.

Attacks on encryption algorithms can be classified according to the information the attacker possesses before carrying out the attack. First of all, cryptanalytic attacks can be divided into two categories:

Category 1. The cryptanalyst only has the ability to passively eavesdrop on a certain channel over which encrypted data is transmitted (see Fig. 1). As a result, the attacker has only a set of ciphertexts encrypted under a certain key. Such an attack is called a ciphertext-only attack. It is the most difficult, but this variant is also the most widespread, as it is the most "realistic": in the overwhelming majority of real cases the cryptanalyst has no possibility of obtaining anything more than these data.

Fig. 1. Passive interception of encrypted data.

Category 2. Assumes that the cryptanalyst has a certain encryption device into which the encryption key that is the target of the attack has been embedded. A cryptographic smart card, for example, can be such a device. The cryptanalyst can perform certain actions with the encryptor (as permitted by the encryptor, its technical environment and the tactical conditions of the attack) to obtain the information he needs, for example, to "run" arbitrary plaintexts through the encryptor to obtain the corresponding ciphertexts (see Fig. 2).

Fig. 2. Active influence on the encryptor.

Depending on the data the cryptanalyst can "extract" from the encryptor, the following kinds of attacks are distinguished:

1. Known-plaintext attack. Assumes that the cryptanalyst has a certain number of pairs of texts, each consisting of a plaintext and the corresponding ciphertext.

2. Chosen-plaintext attack. The cryptanalyst can choose plaintexts and obtain the corresponding ciphertexts (how this can be useful to the cryptanalyst is considered below).

3. Adaptive chosen-plaintext attack. The cryptanalyst can not only choose plaintexts for encryption but also do so repeatedly, taking into account the results of analysing the data obtained earlier.

4. Chosen-ciphertext attack. The cryptanalyst can choose ciphertexts and, by running them through the encryptor, obtain the corresponding plaintexts by decryption.

5. Adaptive chosen-ciphertext attack. By analogy with the attacks described above, the cryptanalyst can repeatedly choose ciphertexts for decryption, taking into account the previous results.

Theoretically, the cryptanalyst's capabilities need not be limited to those listed above; more serious variants of the cryptanalyst's influence on the encryptor will be considered in one of the subsequent parts of this article.

Quantitative estimation of the cryptographic strength of encryption algorithms

Cryptographic strength is a quantitative characteristic of encryption algorithms: breaking a particular encryption algorithm under certain conditions (including by a particular cryptanalytic method) requires a certain amount of resources. The resources in this case are the following quantities:

1. The amount of information required to carry out the attack, say, how many pairs of known or chosen texts are needed.

2. The time required to carry out the attack. It is usually measured as the number of trial encryption operations by the attacked algorithm whose execution, given that the other necessary conditions are met, would allow, for example, the encryption key to be computed.

3. The memory required to store the information used in the attack. This is also an important characteristic, since many attacks place rather substantial demands on memory.

Together these three quantities characterise a particular attack on a particular encryption algorithm. The best of the possible attacks on the algorithm (the one requiring the minimum set of resources) characterises its cryptographic strength.

Hereinafter it is assumed that the attacked encryption algorithm is known and only the key is unknown. The overwhelming majority of cryptanalytic methods (to be considered in subsequent parts of the article) rely on the cryptanalyst's thorough knowledge of the attacked algorithm. There is also one more important characteristic of an encryption algorithm: how much the ciphertexts produced by it differ from a random sequence. This characteristic can also be expressed quantitatively in the same three types of resources described above; however, that is a topic for a separate article.

Cryptanalysis of modified algorithms

There are many encryption algorithms that are cryptographically strong. In a well-known work the concept of a strong algorithm is defined as follows:

1. An algorithm is cryptographically strong if there are no methods of breaking it other than brute force, which will be considered in the next part of the article.

2. In addition, the key size of the algorithm is large enough that brute force is infeasible at the current level of development of computing technology.

However, it sometimes becomes necessary to compare two or more cryptographically strong encryption algorithms with each other (as, for example, in the open competition to select the new US encryption standard, AES). In this case another characteristic (qualitative rather than quantitative) is used: the security margin ("запас криптостойкости").

It is known that the overwhelming majority of modern encryption algorithms consist of a certain number of rounds, in each of which the same (or similar) transformations are repeated over the data being encrypted. To determine the security margin, the algorithm is analysed with a truncated number of rounds, i.e. a modification of the algorithm under study in which the number of rounds is reduced compared with the number specified in the algorithm. The security margin can be defined as the ratio of the original number of rounds of the algorithm under study to the maximum number of rounds of its modifications that are not cryptographically strong.
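As an added illustration (not part of the original article), a constructed toy 16-bit substitution-permutation cipher whose round count can be reduced, together with a chosen-plaintext probe that exposes its one-round variant: with a single round, a one-bit plaintext difference can change at most 4 ciphertext bits, which distinguishes the variant from a random permutation and so marks it as "not cryptographically strong" in the sense above. The S-box, bit permutation, key schedule and sample plaintexts are all constructed for this example and correspond to no real algorithm.

```python
"""Toy 16-bit SPN (constructed for illustration, not a real cipher) used to
show how a reduced-round variant is examined when estimating a security margin."""

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Bit i of the state moves to position PBOX[i] (a 4x4 transpose of the nibbles).
PBOX = [(i % 4) * 4 + i // 4 for i in range(16)]
INV_PBOX = [PBOX.index(v) for v in range(16)]
FULL_ROUNDS = 8

def round_keys(key: int, rounds: int) -> list[int]:
    """Constructed key schedule: rotate the 16-bit master key r bits in round r."""
    return [((key << r) | (key >> (16 - r))) & 0xFFFF for r in range(rounds + 1)]

def substitute(x: int, box: list[int]) -> int:
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))

def permute(x: int, box: list[int]) -> int:
    return sum(((x >> i) & 1) << box[i] for i in range(16))

def encrypt(block: int, key: int, rounds: int = FULL_ROUNDS) -> int:
    """rounds < FULL_ROUNDS gives the reduced-round variant described in the text."""
    rk = round_keys(key, rounds)
    for r in range(rounds):
        block = permute(substitute(block ^ rk[r], SBOX), PBOX)
    return block ^ rk[rounds]

def decrypt(block: int, key: int, rounds: int = FULL_ROUNDS) -> int:
    rk = round_keys(key, rounds)
    block ^= rk[rounds]
    for r in reversed(range(rounds)):
        block = substitute(permute(block, INV_PBOX), INV_SBOX) ^ rk[r]
    return block

def max_diff_weight(key: int, rounds: int, pairs: int = 32) -> int:
    """Chosen-plaintext probe: the largest ciphertext difference (in bits) over
    `pairs` plaintext pairs differing in one bit. One round activates one S-box,
    so the result never exceeds 4; the full cipher diffuses across the block."""
    worst = 0
    for i in range(pairs):
        p = (0x1234 * (i + 1)) & 0xFFFF  # deterministic constructed plaintexts
        diff = encrypt(p, key, rounds) ^ encrypt(p ^ (1 << (i % 16)), key, rounds)
        worst = max(worst, bin(diff).count("1"))
    return worst

def security_margin(full_rounds: int, max_weak_rounds: int) -> float:
    """Margin as defined in the text: full round count divided by the largest
    round count for which the reduced variant is still weak."""
    return full_rounds / max_weak_rounds
```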

Another way of determining the security margin is to analyse modifications of the algorithm under study with minor alterations to the structure of a round. One of the most vivid examples is the break of the Skipjack-3XOR algorithm given only 29 chosen plaintexts and the corresponding ciphertexts, with about one million trial encryption operations performed. By modern measures, thanks to this attack, Skipjack-3XOR can be considered a rather weak algorithm, and yet it differs from the well-known and fairly widespread Skipjack algorithm only in that 3 specific XOR operations (the bitwise "exclusive or") have been removed from the 320 (!) such operations provided for in Skipjack. Accordingly, there were (however, unproven) suppositions of an insufficient security margin in Skipjack. However, when algorithms with such modifications are analysed, the security margin can be considered only a qualitative characteristic having a fairly indirect relation to the encryption algorithm under study.
