Chip, algorithm bridge security gap

Walter Boyles, Manager, Encryption Technology, VSIS Inc., Sunnyvale, Calif.

11/8/1999 3:27 PM EST

Net-centric, wireless communications and data-networking applications will increasingly rely on encryption technology to ensure reliable and secure communications. Encryption provides a way to foil eavesdroppers and acts as an underlying building block in the prevention of illegal cloning, counterfeiting and theft of service. In communications networks, strong encryption is required for packet and circuit switching as well as broadcast. But with the rapid growth of data traffic, encryption of data with rates of OC-3 (155.52 Mbits/s) and beyond has become essential.

Until now, the Data Encryption Standard (DES) has served ably in a variety of encryption applications. But DES and its variants are old technology (DES was adopted in 1976), and the algorithms' weaknesses and limitations have recently become more apparent. The weaknesses of DES and triple-DES, the most widely used variant, basically fall into two critical categories: security and speed.

To understand the security weakness, one need only look at the 56-bit key length of DES. For several years, it has been widely asserted that the ability to search 56-bit key lengths is well within the capacity of today's technology. In 1998, an ASIC-based system confirmed that assertion. The searching of 56-bit keys will only get easier and cheaper with each step down in silicon geometry.

To mitigate the security weakness of DES, a number of forms of triple-DES, using two or three keys, began to be used. Those resulted in effective key lengths of 112 or 168 bits, removing the threat of exhaustive key search for the foreseeable future. However, the price of a secure triple-DES was 24 rounds of encryption. Moving to 24 rounds accentuated the second weakness of DES and its variants: speed. This is particularly true in feedback modes such as Cipher Block Chaining (CBC), where each block depends on the result for the previous one, so paralleling the hardware into multiple DES encryption engines does not help and encryption performance is limited.

The National Institute of Standards and Technology (NIST) has called for a new encryption algorithm to replace DES: the Advanced Encryption Standard. But some aspects of AES bear consideration.

First, the scheduled selection is still years away. And when a selection is made, will government and industry immediately concur or will there be an extended debate? And will cryptographers find modes that are insecure, as occurred with the cryptanalysis of ANSI X9.52 for triple-DES?

Further, are there any potential problems with the requirements and time frames for the selection of AES? For example, AES requires support of key block combinations of 128-128, 192-128, and 256-128, but many of the algorithms by respected cryptographers at the time of the announcement were based on 64-bit block size and one key size. Are cryptographers to rework algorithms in an abbreviated time period?

Third, how appropriate are the evaluation criteria? Will there be any issues with their employment? While NIST has the support of industry and government, only time will tell whether a good algorithm choice will be made.

In the meantime, few choices exist for designers seeking fast encryption and security. None of the existing DES/triple-DES chips has offered an upward migration path to newer, faster, stronger algorithms, and availability of reasonably priced general-purpose encryption chips has been limited. Many designers have struggled with older chips, only to find them obsoleted. One such mainstay chip was the popular VLSI VM009. When it was discontinued several years ago, designers turned to ASIC solutions or to costly, specialized encryption ICs.

What is needed is a high-performance chip that can drop into existing applications as well as provide performance and functionality for newer products. Besides being fast and reasonably priced, the chip needs low-profile packaging and low-power consumption for portable applications.

One example of a chip that meets those baseline criteria is the CDI-2050 from Cognitive Designs Inc. (West Windsor, N.J.). It is suited to a range of applications, can encrypt data at more than 230 Mbits/s, and supports Mitsubishi Electric's fast and secure Misty1 encryption algorithm as well as DES and triple-DES. The CDI-2050 supports DES, triple-DES, and Misty1 in electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB) or output feedback (OFB) modes. Although 64-bit data blocks are typically used, 1- and 8-bit blocks are also supported in CFB and OFB modes. The CDI-2050 can compute cryptographic MACs in any of the supported algorithms or modes.

One unique aspect of the CDI-2050 is the design of a cryptographically oriented direct memory access controller. Besides providing for automatic fetching and storing of data, the DMA controller enables automatic insertion of cryptographic padding before encryption and removal of padding after decryption. Since DES, triple-DES and Misty1 all operate on 64-bit data blocks, the handling of blocks that are not an integer multiple of 64 is easily performed. Such aspects as the chip's register set, wait-state control, endian select and header offsets make the CDI-2050 flexible enough to support a wide variety of protocols and hardware.
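The CBC feedback dependency and the 64-bit padding step described above can be seen in a short sketch. This is an added example, not code from the article or from Cognitive Designs: the 8-round Feistel cipher is a constructed, insecure stand-in for DES or Misty1, and the padding scheme (append n bytes of value n) is an assumption, since the article does not say which scheme the CDI-2050 uses.

```python
import hashlib

BLOCK = 8  # bytes: the 64-bit block of DES, triple-DES and Misty1

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, rnd):
    # Round function of the constructed stand-in cipher (NOT secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt(block, key, rounds=8):
    l, r = block[:4], block[4:]
    for i in range(rounds):
        l, r = r, _xor(l, _f(r, key, i))
    return l + r
def toy_decrypt(block, key, rounds=8):
    l, r = block[:4], block[4:]
    for i in reversed(range(rounds)):
        l, r = _xor(r, _f(l, key, i)), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK  # assumed scheme: always add 1..8 bytes of value n
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    return b"".join(toy_encrypt(b, key) for b in _blocks(pad(pt)))

def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for b in _blocks(pad(pt)):
        prev = toy_encrypt(_xor(b, prev), key)  # must wait for the previous ciphertext
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(ct, key, iv):
    cs = _blocks(ct)  # every chaining input is already known, so no serial wait
    return unpad(b"".join(_xor(toy_decrypt(c, key), p) for c, p in zip(cs, [iv] + cs[:-1])))

def changed_blocks(a, b):
    return [i for i, (x, y) in enumerate(zip(_blocks(a), _blocks(b))) if x != y]
```

Changing one byte in the first plaintext block alters only ciphertext block 0 in ECB but every block in CBC, which is why extra encryption engines cannot be run side by side on a single CBC stream.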

Basically Misty1 is a 128-bit key, 64-bit block cipher developed by Mitsuru Matsui and his colleagues at Mitsubishi Electric. Matsui invented the linear cryptanalysis used for the first successful, experimental attack on DES. Like DES, Misty1 is a symmetric algorithm, as opposed to the asymmetric algorithms that are used for public-key cryptography.

Matsui's goal was to create an algorithm resistant to all known forms of cryptanalytic attack. Another key requirement was to combine efficiency in both hardware and software implementations. Since Misty1's block size is compatible with that of DES, the CDI-2050 interface hardware and data registering is common to DES and the system's engines. Algorithm selection is made in the cryptographic mode register of the CDI-2050. The algorithm thus can be seamlessly substituted for any application using 56-bit-key DES as well as two- or three-key triple-DES. But unlike triple-DES, it can support the highest-speed DES applications.

Misty1's 128-bit key length is resistant to the kind of exhaustive key-search attack executed on 56-bit-key DES. That resistance, for the foreseeable future, is based on Moore's Law and the resultant expected growth of computing power. In less than 10 years, the expected cost to build a key search machine that can exhaustively search 56-bit keys in less than one day will be approximately $5,000. Further, many security systems designed today will likely be in use for at least 20 years, which makes it advisable that security engineers select algorithms of at least a 90-bit key length.

But key length is only one security criterion. The internal recursive structure of Misty1 is the key to its resistance to differential or linear cryptanalytic attack. Unlike DES, it divides 16-bit data into 9 and 7 bits; the unequal division is chosen because bijective functions of odd size are more secure than even (8-bit) functions against both linear and differential analysis. In addition, the algorithm avoids such functions as permutations, which, while simple to perform in hardware, are more time-consuming when using the algorithm in a software implementation.

The algorithm allowed a level of security in eight rounds, which compares favorably to that of 24-round triple-DES but with much higher performance. In fact, in the CDI-2050, Misty1 has a worst-case maximal encryption rate of 235 Mbits/s, compared with 88 Mbits/s for triple-DES.




