Keep Your Data Secure with the New Advanced Encryption Standard
James McCaffrey

SUMMARY
The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. It is expected to become the accepted means of encrypting digital information, including financial, telecommunications, and government data. This article presents an overview of AES and explains the algorithms it uses. After reading this article you will be able to encrypt data using AES, test AES-based software, and use AES encryption in your systems.

Note that the code presented in this article and any other implementation based on this article is subject to applicable Federal cryptographic module export controls (see Commercial Encryption Export Controls for the exact regulations).

AES is a new cryptographic algorithm that can be used to protect electronic data. Specifically, AES is an iterative, symmetric-key block cipher that can use keys of 128, 192, or 256 bits, and encrypts and decrypts data in blocks of 128 bits (16 bytes). Unlike public-key ciphers, which use a pair of keys, symmetric-key ciphers use the same key to encrypt and decrypt data. The encrypted data returned by a block cipher has the same number of bits as the input data. Iterative ciphers use a loop structure that repeatedly performs permutations and substitutions of the input data. Figure 1 shows AES in action encrypting and then decrypting a 16-byte block of data using a 192-bit key.

Figure 1 Some Data

AES is the successor to the older Data Encryption Standard (DES). DES was approved as a Federal standard in 1977 and remained viable until 1998, when a combination of advances in hardware, software, and cryptanalysis theory allowed a DES-encrypted message to be decrypted in 56 hours.
Since that time numerous other successful attacks on DES-encrypted data have been made, and DES is now considered past its useful lifetime.

In October 2000, the Rijndael (pronounced "rain doll") algorithm, created by researchers Joan Daemen and Vincent Rijmen, was selected by NIST as the proposal that best met the design criteria of security, implementation efficiency, versatility, and simplicity. Although the terms AES and Rijndael are sometimes used interchangeably, they are distinct: Rijndael is defined for block sizes as well as key sizes of 128, 192, and 256 bits, whereas AES fixes the block size at 128 bits and allows only the key size to vary. AES is widely expected to become the de facto standard for encrypting all forms of electronic data, including data used in commercial applications such as banking and financial transactions, telecommunications, and private and Federal information.

Overview of the AES Algorithm

The AES algorithm is based on permutations and substitutions. Permutations are rearrangements of data, and substitutions replace one unit of data with another. AES performs permutations and substitutions using several different techniques. To illustrate these techniques, let's walk through a concrete example of AES encryption using the data shown in Figure 1.

The following is the 128-bit value that you will encrypt, with its byte indexes shown beneath it:

  00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15

The 192-bit key value is:

  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17
   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

Figure 2 Sbox

When the AES constructor is called, two tables that will be used by the encryption method are initialized. The first table is a substitution box named Sbox. It is a 16 x 16 matrix of bytes, indexed by the high and low hex digits of the byte being substituted. The first five rows and columns of Sbox are shown in Figure 2.
Behind the scenes, the encryption routine takes the key array and uses it to generate a "key schedule" table named w[], shown in Figure 3.

Figure 3 Key Schedule

The first Nk (here 6) rows of w[] are seeded with the original key value (0x00 through 0x17), and the remaining rows are generated from the seed key. The variable Nk represents the size of the seed key in 32-bit words. You'll see exactly how w[] is generated later when I examine the AES implementation. The point is that there are now many keys to use instead of just one. These new keys are called the round keys to distinguish them from the original seed key.

Figure 4 State

The AES encryption routine begins by copying the 16-byte input array into a 4 x 4 byte matrix named State (see Figure 4). The copy is column by column, so State[r,c] receives input byte r + 4c; that is why the first row of State in the example below holds input bytes 0, 4, 8, and 12. The AES encryption algorithm is named Cipher, operates on State[], and can be described in pseudocode (see Figure 5).

The encryption algorithm performs a preliminary processing step that's called AddRoundKey in the specification. AddRoundKey performs a byte-by-byte XOR operation on the State matrix using the first four rows of the key schedule: input byte State[r,c] is XORed with key schedule byte w[c,r].

For example, if the first row of the State matrix holds the bytes { 00, 44, 88, cc }, and the first column of the key schedule is { 00, 04, 08, 0c }, then the new value of State[0,2] is the result of XORing State[0,2] (0x88) with w[2,0] (0x08), or 0x80:

  1 0 0 0 1 0 0 0   (0x88)
  0 0 0 0 1 0 0 0   (0x08)  XOR
  ---------------
  1 0 0 0 0 0 0 0   (0x80)

The main loop of the AES encryption algorithm performs four different operations on the State matrix, called SubBytes, ShiftRows, MixColumns, and AddRoundKey in the specification. The AddRoundKey operation is the same as the preliminary AddRoundKey except that each time AddRoundKey is called, the next four rows of the key schedule are used. The SubBytes routine is a substitution operation that takes each byte in the State matrix and substitutes a new byte determined by the Sbox table.
For example, if the value of State[0,1] is 0x40 and you want to find its substitute, you take the value at State[0,1] (0x40) and let x equal the left hex digit (4) and y equal the right hex digit (0). Then you use x and y as the row and column indexes into the Sbox table to find the substitution value, as shown in Figure 2.

ShiftRows is a permutation operation that rotates bytes in the State matrix to the left. Figure 6 shows how ShiftRows works on State[]. Row 0 of State is rotated 0 positions to the left, row 1 is rotated 1 position left, row 2 is rotated 2 positions left, and row 3 is rotated 3 positions left.

Figure 6 Running ShiftRows on State

The MixColumns operation is a substitution operation that is the trickiest part of the AES algorithm to understand. It replaces each byte with the result of mathematical field additions and multiplications of the values in the byte's column. I will explain the details of the special field addition and multiplication in the next section.

Suppose the value at State[0,1] is 0x09, and the other values in column 1 are 0x60, 0xe1, and 0x04; then the new value for State[0,1] is computed as follows:

  State[0,1] = (State[0,1] * 0x02) + (State[1,1] * 0x03) + (State[2,1] * 0x01) + (State[3,1] * 0x01)
             = (0x09 * 0x02) + (0x60 * 0x03) + (0xe1 * 0x01) + (0x04 * 0x01)
             = 0x12 + 0xa0 + 0xe1 + 0x04
             = 0x57

The addition and multiplication are special mathematical field operations, not the usual addition and multiplication on integers. The coefficients 0x02, 0x03, 0x01, 0x01 are the ones for row 0; each row below uses the same four coefficients rotated one position to the right, so row 1 uses 0x01, 0x02, 0x03, 0x01, row 2 uses 0x01, 0x01, 0x02, 0x03, and row 3 uses 0x03, 0x01, 0x01, 0x02.

The four operations SubBytes, ShiftRows, MixColumns, and AddRoundKey are called inside a loop that executes Nr - 1 times, where Nr is the number of rounds for the given key size. The number of rounds that the encryption algorithm uses is 10, 12, or 14, depending on whether the seed key size is 128, 192, or 256 bits. In this example, because Nr equals 12, the four operations are called 11 times.
After this iteration completes, the encryption algorithm finishes by calling SubBytes, ShiftRows, and AddRoundKey (the final round omits MixColumns) before copying the State matrix to the output parameter.

In summary, there are four operations at the heart of the AES encryption algorithm. AddRoundKey substitutes groups of 4 bytes using round keys generated from the seed key value. SubBytes substitutes individual bytes using a substitution table. ShiftRows permutes groups of 4 bytes by rotating 4-byte rows. MixColumns substitutes bytes using a combination of both field addition and field multiplication.

Field Addition and Multiplication in GF(2^8)

As you've seen, the AES encryption algorithm uses fairly straightforward techniques for substitution and permutation, except for the MixColumns routine. The MixColumns routine uses special addition and multiplication. The addition and multiplication used by AES are based on mathematical field theory. In particular, AES is based on a field called GF(2^8).

The GF(2^8) field consists of a set of 256 values from 0x00 to 0xff, plus addition and multiplication, hence the 2^8. GF stands for Galois Field, named after the mathematician Evariste Galois, whose work underlies the theory of finite fields. One of the characteristics of GF(2^8) is that the result of an addition or multiplication operation must be in the set {0x00 ... 0xff}. Although the theory of fields is rather deep, the net result for GF(2^8) addition is simple: GF(2^8) addition is just the XOR operation (and because XOR undoes itself, subtraction is the same XOR operation).

Multiplication in GF(2^8) is trickier, however. As you'll see later in the C# implementation, the AES encryption and decryption routines need to know how to multiply by only the seven constants 0x01, 0x02, 0x03, 0x09, 0x0b, 0x0d, and 0x0e: the first three are used by MixColumns during encryption, and the last four by its inverse during decryption.
So instead of explaining GF(2^8) multiplication theory in general, I will explain it just for these seven specific cases.

Multiplication by 0x01 in GF(2^8) is special; it corresponds to multiplication by 1 in normal arithmetic and works the same way: any value times 0x01 equals itself.

Now let's look at multiplication by 0x02. As in the case of addition, the theory is deep, but the net result is fairly simple. If the value being multiplied is less than 0x80, then the result of the multiplication is just the value left-shifted 1 bit position. If the value being multiplied is greater than or equal to 0x80, then the result is the value left-shifted 1 bit position (discarding the bit that falls off the top of the byte) XORed with the value 0x1b. This prevents "field overflow" and keeps the product of the multiplication in range. The constant 0x1b is the low byte of the AES reduction polynomial x^8 + x^4 + x^3 + x + 1; XORing it in is the polynomial-arithmetic equivalent of taking a remainder.

Once you've established addition and multiplication by 0x02 in GF(2^8), you can use them to define multiplication by any constant. To multiply by 0x03 in GF(2^8), you can decompose 0x03 into powers of 2 and additions. To multiply an arbitrary byte b by 0x03, observe that 0x03 = 0x02 + 0x01. Thus:

  b * 0x03 = b * (0x02 + 0x01)
           = (b * 0x02) + (b * 0x01)

This can be done because you know how to multiply by 0x02 and 0x01 and how to perform addition. Similarly, to multiply an arbitrary byte b by 0x0d, you do this:

  b * 0x0d = b * (0x08 + 0x04 + 0x01)
           = (b * 0x08) + (b * 0x04) + (b * 0x01)
           = (b * 0x02 * 0x02 * 0x02) + (b * 0x02 * 0x02) + (b * 0x01)

The other multiplications needed for the AES MixColumns routine in the encryption and decryption algorithms follow the same general pattern, as shown here:

  b * 0x09 = b * (0x08 + 0x01)
           = (b * 0x02 * 0x02 * 0x02) + (b * 0x01)

  b * 0x0b = b * (0x08 + 0x02 + 0x01)
           = (b * 0x02 * 0x02 * 0x02) + (b * 0x02) + (b * 0x01)

  b * 0x0e = b * (0x08 + 0x04 + 0x02)
           = (b * 0x02 * 0x02 * 0x02) + (b * 0x02 * 0x02) + (b * 0x02)

To summarize, addition in GF(2^8) is the XOR operation.
Multiplication in GF(2^8) reduces to additions and multiplications by 0x02, where multiplication by 0x02 is a conditional 1-bit left shift. The AES specification contains a lot of additional information about operations in GF(2^8).

Key Expansion

The AES encryption and decryption algorithms use a key schedule generated from the seed key array of bytes. The AES specification refers to this as the KeyExpansion routine. Generating, in essence, multiple keys from an initial key instead of using a single key greatly increases the diffusion of bits. Although not overwhelmingly difficult, understanding KeyExpansion is one of the trickier parts of the AES algorithm. In high-level pseudocode, the KeyExpansion routine looks like the following:

  KeyExpansion(byte[] key, byte[][4] w)
  {
    copy the seed key into the first rows of w
    for each remaining row of w
    {
      use two of the previous rows to create a new row
    }
  }

The "use two of the previous rows to create a new row" step makes use of two subroutines, RotWord and SubWord, and a table of constants named Rcon (for "round constants"). Let's look at each of these three items and then come back to the KeyExpansion routine as a whole.

The RotWord routine is simple. It accepts an array of 4 bytes and rotates them 1 position left. Because the key schedule table w[] has four columns, RotWord rotates a row of w[] to the left. Notice that the RotWord function used by KeyExpansion is very similar to the ShiftRows routine used by the encryption algorithm, except that it works on a single row of the key schedule w[] instead of the entire encryption State[] table.

The SubWord routine performs a byte-by-byte substitution on a given row of the key schedule table w[] using the substitution table Sbox. The substitutions in KeyExpansion operate exactly like those in the encryption algorithm.
The input byte to be substituted is separated into an (x,y) pair, which is used as the row and column indexes into the substitution table Sbox. For example, substitution for 0x27 results in x = 2 and y = 7, and Sbox[2,7] returns 0xcc.

The KeyExpansion routine uses an array Rcon[], called the round constant table. These constants are 4 bytes each, to match a row of the key schedule table. The AES KeyExpansion routine requires 11 round constants: Rcon[0] is never used, and Rcon[1] through Rcon[10] cover the 128-bit key size, which consumes the most of them. You can see these constants listed in Figure 7.

Figure 7 Initializing Rcon

The leftmost byte of each round constant is a power of 2 in the GF(2^8) field; the other three bytes are zero. Another way of looking at it is to observe that each value is the previous value times 0x02, as described in the previous section discussing multiplication in GF(2^8). Notice that 0x80 x 0x02 = 0x1b: 0x80 left-shifted 1 bit is 0x00 once the overflow bit is discarded, and the XOR with 0x1b described earlier then yields 0x1b.

Now let's take a closer look at the loop inside KeyExpansion. In more detailed pseudocode than before, the loop is:

  for (row = Nk; row < (4 * (Nr + 1)); ++row)
  {
    temp = w[row-1]
    if (row % Nk == 0)
      temp = SubWord(RotWord(temp)) xor Rcon[row/Nk]
    else if (Nk == 8 and row % Nk == 4)
      temp = SubWord(temp)
    w[row] = w[row-Nk] xor temp
  }

Ignoring the if clause for a moment, you'll see that each row of the key schedule table w[] is the result of XORing the previous row with the row Nk (4, 6, or 8, depending on the key size) rows before it. The first part of the if conditional modifies every fourth, sixth, or eighth row of the key schedule with RotWord, SubWord, and an XOR with a round constant, depending on whether the key size is 128, 192, or 256 bits. The second part of the conditional modifies rows 12, 20, 28, and so on (every eighth row, offset by four) for a 256-bit key, to add additional variability to the key schedule.

Let's see how KeyExpansion gets started with the example presented at the beginning of this article.
The seed key is the 192-bit / 6-word value:

  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17

The key schedule byte table w[] has 4 columns and Nb x (Nr + 1) = 4 x (12 + 1) = 52 rows. The KeyExpansion routine copies the values in the seed key into the first rows of the key schedule byte table w[]. Because my seed key is 192 bits (24 bytes), and the w[] table always has 4 columns, in this case KeyExpansion copies the seed key into the first 6 rows of w[]. Now let's see how the KeyExpansion routine fills the rest of the key schedule table. In my example, the first calculated row is row 6, because rows 0 to 5 were filled with the seed key values:

  temp = w[row-1] = 14 15 16 17

The condition (row % Nk == 0) is true, so first the RotWord subroutine is applied:

  temp = 15 16 17 14

Then SubWord is applied (Sbox[1,5] = 0x59, Sbox[1,6] = 0x47, Sbox[1,7] = 0xf0, Sbox[1,4] = 0xfa):

  temp = 59 47 f0 fa

Then temp is XORed with Rcon[row / Nk] = Rcon[6 / 6] = 01 00 00 00:

  temp = 58 47 f0 fa

This is then XORed with w[row-Nk] = w[6-6] = 00 01 02 03, yielding the following result:

  w[6] = 58 46 f2 f9

Rows 7 through 11 do not satisfy the if condition, so each is simply the XOR of the previous row with the row six places earlier; row 12 triggers the RotWord/SubWord/Rcon step again with Rcon[2] = 02 00 00 00. The process repeats itself for all of the remaining rows in key schedule table w[].

To summarize, an important part of AES encryption and decryption is the generation of multiple round keys from the initial seed key. This KeyExpansion algorithm generates a key schedule and uses substitution and permutation in a way that is similar in most respects to the encryption and decryption algorithms.

Conclusion

The new AES will certainly become the de facto standard for encrypting all forms of electronic information, replacing DES.
AES-encrypted data is unbreakable in the sense that no known cryptanalytic attack can recover the plaintext from AES ciphertext faster than a brute-force search through all possible keys (2^128, 2^192, or 2^256 of them, depending on the key size). Keep in mind that what this article describes is the block cipher primitive, which transforms a single 16-byte block under a key; encrypting a message of arbitrary length, and detecting tampering with it, requires a mode of operation and an integrity check layered on top of the primitive, and the security of a system rests on those choices and on keeping the key secret as much as on the cipher itself. AES is an important advance, and using and understanding it will greatly increase the reliability and safety of your software systems.
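The following is an added example, not the article's own C# code: a compact Python implementation that assembles the pieces the preceding sections describe (State layout, the four round operations, GF(2^8) arithmetic, and KeyExpansion) into a working AES block encryption, and goes slightly beyond the article's AES-192 walk-through by accepting 128-, 192-, and 256-bit keys. Two assumptions are mine: the State is held as a flat list of 16 bytes in column-major order (so State[r,c] is state[r + 4*c], matching Figure 4), and the Sbox of Figure 2 is computed from its definition in the AES specification (multiplicative inverse in GF(2^8) followed by an affine transform with constant 0x63) rather than copied in as a 256-entry table. All function names are mine. The test data is the FIPS-197 Appendix C vector the article uses.

```python
# Added example (not the article's C# code): AES block encryption from the pieces the
# article describes. State is 16 bytes in column-major order: State[r,c] == state[r + 4*c].
# Assumptions: the S-box is derived from its definition rather than typed in as a table.

def xtime(b):
    """Multiply by 0x02 in GF(2^8): shift left; if a bit fell off the byte, XOR 0x1b."""
    b <<= 1
    return (b ^ 0x1b) & 0xff if b & 0x100 else b

def gf_mul(a, b):
    """General GF(2^8) multiply (the case the article skips): XOR a*2^i for each set bit i of b."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result

def gf_inv(x):
    """Multiplicative inverse as x^254 (x^255 == 1 for x != 0); 0 maps to 0."""
    r, p = 1, x
    for bit in range(8):                      # square-and-multiply, exponent 254 = 0b11111110
        if (254 >> bit) & 1:
            r = gf_mul(r, p)
        p = gf_mul(p, p)
    return r

def build_sbox():
    """Sbox of Figure 2, computed from its definition (assumption: derived, not copied):
    inverse in GF(2^8), then XOR of the inverse rotated left by 0..4 bits, then XOR 0x63."""
    sbox = []
    for x in range(256):
        inv = gf_inv(x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xff
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r rotates r positions left: new State[r,c] = State[r, (c + r) mod 4]."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Each column times the matrix whose rows are 02 03 01 01 rotated right once per row."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [xtime(a0) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ xtime(a1) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ xtime(a2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ xtime(a3)]
    return out

def add_round_key(state, round_key):
    """State[r,c] ^= w[c,r]: round_key is four consecutive w[] rows flattened."""
    return [s ^ k for s, k in zip(state, round_key)]

def key_expansion(key):
    """KeyExpansion: returns w[] as 4*(Nr+1) rows of 4 bytes."""
    nk = len(key) // 4                          # seed key size in 32-bit words: 4, 6 or 8
    nr = nk + 6                                 # rounds: 10, 12 or 14
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01                                 # leftmost byte of Rcon[row/Nk]; the rest are 00
    for row in range(nk, 4 * (nr + 1)):
        temp = list(w[row - 1])
        if row % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # SubWord(RotWord(temp))
            temp[0] ^= rcon
            rcon = xtime(rcon)                              # next Rcon is this one times 0x02
        elif nk == 8 and row % nk == 4:
            temp = [SBOX[b] for b in temp]                  # SubWord only, 256-bit keys
        w.append([a ^ b for a, b in zip(w[row - nk], temp)])
    return w

def encrypt_block(key, block):
    """Cipher(): AddRoundKey, then Nr-1 full rounds, then a final round without MixColumns."""
    w = key_expansion(key)
    nr = len(key) // 4 + 6
    round_key = lambda r: [b for word in w[4 * r:4 * r + 4] for b in word]
    state = add_round_key(list(block), round_key(0))
    for r in range(1, nr):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key(r))
    state = add_round_key(shift_rows(sub_bytes(state)), round_key(nr))
    return bytes(state)

if __name__ == "__main__":
    # FIPS-197 Appendix C data as used in the article: 192-bit key 00..17, block 00 11 .. ff.
    key = bytes(range(24))
    block = bytes.fromhex("00112233445566778899aabbccddeeff")
    print("w[6] =", " ".join(f"{b:02x}" for b in key_expansion(key)[6]))   # 58 46 f2 f9
    print("ciphertext =", encrypt_block(key, block).hex())
```

Running the script reproduces the w[6] value worked out in the Key Expansion section; the derived Sbox can be spot-checked against Figure 2 (for instance Sbox[2,7] = 0xcc) and the MixColumns helper against the 0x57 example. Because the implementation is table-free apart from the S-box it is easy to read, but it is not constant-time and is meant for understanding and testing AES-based software, not for production use.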